Reader's advisory: Wired News has been unable to confirm some sources for a number of stories written by this author. If you have any information about sources cited in this article, please send an e-mail to sourceinfo[AT]wired.com.
A hacker who discovered a potentially devastating security hole in Microsoft's Internet Explorer says he has found himself in the undesired position of providing technical support to people who cannot install the patch that Microsoft released to fix the flaw.
Hacker Juan Carlos Garcia Cuartango discovered a dangerous hole that allows attackers to remotely access and control any computer running any version of the Windows operating system and Internet Explorer.
Cuartango reported the problem to Microsoft on Feb. 14 and waited for the company to release a patch before going public with his discovery.
Microsoft released the fix on March 30, but some people have had problems with the patch. Cuartango said he received hundreds of e-mails on Monday from people who could not install the patch and were also unable to reach Microsoft for technical support.
Cuartango said that the patch's installation is unnecessarily complicated and claims that users "almost need to be computer consultants" in order to be able to successfully install it.
Many users who attempted to download the security patch over the weekend reported receiving the following message during installation: "This update does not need to be installed on this system."
Microsoft officials admitted Sunday that the message is an error and urged everyone who received it to return to the company website, download either Microsoft Internet Explorer 5.01 Service Pack 1 or Microsoft Internet Explorer 5.5 Service Pack 1, and then reinstall the patch.
The patch works only with those specific versions of Internet Explorer (IE).
"Most people do not know a lot about things like software versions or service packs," Cuartango said.
"Twenty-first century software technology does allow for patch design to be much more user-friendly," he added. "But installing this patch seems to require the help of an entire technical support team."
Cuartango also said he has received many e-mails from people who say the patch will not work no matter on what version of IE they are trying to install it.
Scott Culp, program manger at Microsoft's Security Response Center, said that Microsoft has had no reports of anyone being unable to install the patch on either of the two supported versions of IE.
The security flaw can probably affect many older versions of Explorer, but Microsoft said that previous versions of Explorer are "no longer supported, have not been tested, and may or may not be affected by this vulnerability," Culp said.
Most users who are experiencing problems are trying to install the patch over an unsupported version of Internet Explorer, Culp said.
Some users disagree.
"Microsoft is talking out of their serial ports," one user wrote in an e-mail. "To get very specific, I am trying to install the patch over IE version 5.50.4134.0600 and I still get the message 'This update does not need to be installed on this system.'
"So, this critical patch does not work, the public is put at risk and all the publicity increases the number of possible abusers of this security hole. I guess everyone should just duck and cover."
Some security consultants also say they have heard from users who said they are having problems with the patch despite following Microsoft's installation instructions.
"I had several dozen e-mails from people whose network we support, saying they couldn't install the patch on their home machine and insisting they were using the 'right' version of IE," said George Davos, from Toronto's TechServ.
"I advised them to download a new version of IE 5.5 Service Pack 1, uninstall their old version of IE, and then install IE again and apply the patch. This seemed to work for everyone," said Davos. "So maybe they weren't originally using the right version of IE."
Valerie Versan, who works at Chicago's Computer Support Services, said that company representatives had also received "a significant number" of queries about installing the patch.
"What surprised us is that some of our very computer savvy users are having problems," she said. "Some people can not seem to install the patch, no matter how carefully they follow Microsoft's instructions."
But Microsoft's Culp insists that the process for eliminating the vulnerability is "quite easy."
Users can safeguard their systems by taking any one of the following three actions:
- Install IE 5.01 Service Pack 2. This version of Explorer comes complete with the patch.
- Install the patch over either IE 5.01 Service Pack 1 orIE 5.5 Service Pack 1.
- Circumvent the entire issue by disabling File Downloads. Choose Tools from the IE menu, then Internet Options, then click the Security tab. Click the Internet Sites icon, then Custom Level. Scroll to the Downloads section and disable File Downloads. Some IE users who depend on Microsoft's automatic Window's Update service to protect their systems were also dismayed to discover that the patch was not automatically applied to their systems.
"This supposedly 'critical patch' does not appear on the Windows Update page! Neither do other security patches dated February of this year," a user wrote in an e-mail.
"I religiously check Windows Update to keep my system free of security holes, and run Microsoft's Critical Update Notification tool to do the same. But apparently, unbeknownst to me, Microsoft decided that they would post some security patches on Windows Update and others on a well-hidden IE security page."
Microsoft's Culp said that the patch for the hole will be available shortly on the Windows Update site.
"All customers will need to do is visit the site, and it will install the patch automatically."
Meanwhile, Cuartango is not a happy hacker.
He has been besieged with requests for help from people who cannot install the patch, and is frustrated by what he sees as Microsoft's unresponsiveness to people's requests for help.
He posted a Web page that guides Spanish-speaking users through the process of installing the patch, and also offers two "home-made" workarounds for those who can still not get the patch to install properly.
A note on Cuartango's website also begs people not to e-mail him asking how to contact Microsoft's technical support.
"No, we don't know how to reach them either ... so please just don't ask us."
Cuartango has discovered over a dozen security holes in Microsoft products.
And this isn't the first time he's had problems with Microsoft's patches.
In 1998, Cuartango discovered the infamous "Cuartango Hole," a security flaw that allowed wicked website owners to steal files off a user's hard disk.
That discovery was quickly followed by the "Son of the Cuartango Hole," a new exploit that was created by Microsoft's patch for the Cuartango hole.
"Son" was followed by "The Grandson of the Cuartango Hole," which was –- yes, you guessed it -- caused by a second fix that Microsoft issued to plug the original Cuartango hole.
