Home > 2006
December 29, 2006
Watch out for end-of-year exploits
The week between Christmas and New Year's Day, when Microsoft and many security companies take several days off, is a time when some hackers think they can take advantage of the season. I'm sending out today's short news update solely to alert you in case some threat starts spreading rapidly on the Internet this week. Read more »
Beware of unexpected holiday gifts
now you've opened your presents and you're playing with your new tech toys — but don't let the Grinch spoil your holiday season. Let's take a quick look at some flaws that Microsoft hasn't yet patched, and which people may use to try to scam you this season. Read more »
December 14, 2006
What to do when a DLL goes missing
There's an easy way and a hard way to replace missing or corrupted DLLs. As you can probably guess, I'll show you the fast and easy way! Then I'll discuss a free "ultra-high security password generator," continue our coverage of AOL's antivirus tool, and more. Read more »
Fix your PC's broken bootup behavior 
Frustrated with a broken Windows boot sequence? Before you give your PC the heave-ho, try some alternative methods of recovering a PC that won't boot up. This week, we present two more ways to deal with particular Windows boot issues. One tip helps you correct potentially bad data on your disk. The other helps you build an alternative boot device, just in case your Windows installation CD isn't available. Read more »
Microsoft leaves several Word holes unfixed
Well, here we are, another monthly patch day has come and gone this week. After the smoke clears, as usual, we have to figure out what holes are left that weren't patched this time around. Read more »
Patches leave fewer zero day vulnerabilities
The last batch of official patches for 2006 leaves us with a few unpatched vulnerabilities, as Chris Mosexplains, above. But we're rid of a few "zero day" headaches. Microsoft's December patch batch also includes a number of confusing, nonsecurity patches, but I hope to make everything clear for you. Read more »
December 7, 2006
Should you use AOL's free antivirus?
Are you ready to trust products from the "new" AOL? I'm not. A careful reading of an AOL software license reveals all-too-familiar patterns that set off my alarm bells. Read more »
Show Microsoft Outlook who's boss
Outlook has improved over the years but still has some rough edges. Here are some ways to smooth out your Outlook application and make it work the way you want it to. Read more »
Vista and Office patching — are you ready?
Steve Ballmer was at NASDAQ on Nov. 30 to announce that businesses are now able to purchase Vista. For the rest of us, it'll be after the New Year before we start to see the patching changes that will impact us the most — but that doesn't mean they'll be small. Read more »
Small holes make big trouble for MySpace
There are whole classes of security holes that are frequently ignored because they don't appear useful for any big, sexy attacks. But when attackers chain these small problems together, and get a big social-networking site involved, you've got critical mass. Read more »
November 30, 2006
When your Recovery Console goes bad
Software and hardware are supposed to help us. But sometimes our tools turn against us, causing more problems than they solve and leading to frustration, delays, and costly failures. Today, I look at some normally docile, usually helpful tools — such as Windows' Recovery Console, which is software, and laptop batteries, which are hardware — to see how they can run amok, and what you can do about it. Read more »
What to do when downloads disappear
Complaints with Internet Explorer 7 abound, but IE 6 isn't perfect, either. If you're having download problems with your browser, you need to go into troubleshooting mode. I'll give you a few key steps that may point the way to a solution. Read more »
The Vista/Office 'kill switch' conundrum
With Windows Vista launching in New York City today — and Office 2007 hot on its heels — scorching arguments run up and down the Web. Will Microsoft "kill" your copy of Office 2007 if you don't cough up a valid activation key? The Softies say no. But there's more to the story... Read more »
Updated info on Java, Vista, and Blink
I'm bringing you today some updates on Java software, the new Vista operating system, and the Blink intrusion prevention system. If you're one of our new LangaList readers, I invite you to check the links I provide to my previous columns to catch up on the background of these important security topics. Read more »
November 16, 2006
Free antivirus, a new firewall, and IP sniffing
Welcome to the first issue of the new, combined Windows Secrets & LangaList! Although the newsletter format is different (and better!) than the old LangaList, I'm still getting the same kind of great reader questions and tips as always. This week, I discuss new products from the makers of two immensely-popular software utilities — AVG AntiVirus and Ad-Aware — plus a concern about IP data-mining. Read more »
Gathering the strands of a tangled Web
The Web changes almost as fast as the spidery versions in my basement. How do you pin down this constantly changing maze of information? Readers provide us with different ways to preserve bits of World Wide Wisdom. Read more »
Black Tuesday leaves several flaws unpatched
Another Microsoft Patch Tuesday has come and gone this week, leaving us with several known vulnerabilities unpatched. Hopefully, keeping you all informed, we can protect you from the flaws that Microsoft left behind. Read more »
Vista's next, but for now we're patching XP
Windows Vista was released to manufacturing last week and is expected on the MSDN download site this weekend. But it's not yet on our Patch Watch radar — our steadfast Windows 2000 and XP SP2 machines are. We said goodbye last month to Microsoft support for XP SP1. Unless you have a patch support contract, you'll no longer get any patches for that version. Read more »
November 7, 2006
LangaList joins with Windows Secrets
Here's my new look! As I announced in the Oct. 30 issue of the LangaList, I'm merging with the Windows Secrets Newsletter to bring you even better content. The combined newsletter will reach more than a quarter million subscribers. And it gives me access to features that my newsletter didn't previously have. Read more »
November 2, 2006
LangaList is merging with Windows Secrets
I have important news for everyone who uses Windows. The LangaList — a respected e-mail newsletter that's uncovered the tips and tricks of Microsoft's operating system for nine years — is merging with the Windows Secrets Newsletter. Read more »
October 26, 2006
IE 7 needs tweaking for safety
Microsoft's new Internet Explorer 7.0 browser, which was released to the public last week, includes several security improvements but still has weaknesses inherited from IE 6. I'll show you an easy way to "harden" IE 7 so you're protected against hacker threats that haven't even been invented yet. Read more »
Do you have HIPS in your future?
One of the newer buzzphrases in the security industry is Host-based Intrusion Prevention System, or HIPS, which is something you may want to look at. It can be difficult, however, to separate the actual innovation from the traditional vendors trying to ride the buzzword wave. Read more »
Top timesaving tips in IE 7 and Firefox 2
With IE 7 out the door and Firefox 2 being released this week, it's time to retrain your fingers and teach those old dogs new tricks. Check out my favorites — these are the tricks I use every day. Read more »
Old flaws still plague Internet Explorer
The Internet is buzzing about the release of Internet Explorer 7. The Internet is also buzzing about flaws in IE 7 that are left over from IE 6. I first wrote about one IE 6 flaw in the May 11, 2006, issue of the newsletter — and it still hasn't been patched yet. I wonder how many other holes remain active in Microsoft's "new" browser? Read more »
Patches have problems as IE 7 seeks deployment
While everyone was in a tizzy over IE7 hitting the streets, the rest of us mortals were still tracking issues with the patches we got earlier this month. There are times IT folks overreact to technology changes, such as IE 7 — but I guess that's what makes us human. Read more »
October 23, 2006
The battle over the Vista kernel
I'm publishing a special news update today. Why? Because Microsoft substantially changed the debate over the security of Windows Vista just after our Oct. 12 issue appeared. Read more »
Vista changes lock out antivirus makers
Microsoft is making statements claiming it's going to let security vendors such as Symantec and McAfee have access to the Vista kernel. I don't believe it. Read more »
October 12, 2006
MS OneCare halts flow of antivirus info
When Microsoft announced it was entering the antivirus biz, the usual nattering nabobs of negativism moaned and groaned about unfair competition and unlevel playing fields. But several recent events seem to confirm the worst: Microsoft may well be using its desktop monopoly to trump its AV competitors. What do you think? Read more »
You'll love IE 7's tabs or hate 'em
Microsoft's updated browser, Internet Explorer 7.0, is about to go gold and the debate about its behavior is just beginning. Besides IE 7, this week I have readers' comments on Spy Sweeper, NetChk Protect, AVG Antivirus, and how to speed up browsing in the beta of Windows Vista. Read more »
Is Vista locking out security competitors?
Security vendors are complaining about what they call anticompetitive features coming up in Vista. Are their complaints valid, or are they simply worried about competition?. I also have additional advice for those of you who are still experiencing Java install troubles. Read more »
Microsoft skips some critical IE patches
The "squeaky wheel gets the grease" seems to be Microsoft's motto lately, as several patches for Internet Explorer (and components used IE) were released out-of-cycle last month and on this week's Patch Tuesday. Meanwhile, flaws in IE that are equally severe — but were getting less media attention — were left unpatched. Read more »
Goodbye old friends, hello Office patches
This month, we say a fond farewell to MS support for Windows XP SP1, pay tribute to Ray Noorda, and get ready for IE 7. We also find that the servers at Microsoft Update have taken a page out of Woody Leonhard's "you should wait to patch" handbook and decided to make you do just that. Read more »
September 28, 2006
Readers reveal the secrets of IE 7
Microsoft's new browser, Internet Explorer version 7.0, will ship sometime soon with updated features and better security — so of course our contributing editor Woody Leonhard explained on Sept. 14 how to prevent version 7 from automatically downloading to your PC. It's not that there's anything wrong with IE 7, mind you. Woody just thinks other people, not you, should be the first to get bitten any point-oh bugs. Read more »
Protect yourself before and after patching
I'm flattered when folks say they don't patch their systems until they read my column, but this month I'd rather you read Chris Mosby's column first. With all the unpatched issues that arise with IE, it's not enough to be "fully patched" with Microsoft's latest fix (MS06-055), you also need to install workarounds when you hear of them. Fixing recent Microsoft patches — for example, the two-week-old MS06-049 — is also essential, as I describe below. Read more »
Keep your PCs running smoothly
Until we all have Star Trek computers — which operate perfectly on incomplete information when the captain simply barks, "Speculate!" — staying on top of the latest conflicts is part of our jobs. In today's column, I bring you the latest on Microsoft's Live OneCare, concerns about wininet.dll, more glitches with the IE 7 beta, and yet another way to get around Windows Genuine Advantage. Read more »
Sun plans fixes for Java update problems
My Sept. 14 column on the broken Java update process has generated the biggest response I've received while writing for Windows Secrets. I'm happy to report that I've gained some useful info from Sun about some of the Java issues I documented. Read on. Read more »
Phishing filters can hurt your privacy
Internet Explorer 7, due out later this year, sports a new phishing filter that effectively blocks bogus sites from tricking you into entering personal information. One little problem. If you enable the phishing filter, Microsoft keeps records about you and every single Web site you visit. Read more »
IE flaws are back in the spotlight
It didn't take long before IE was back in my sights, and as usual the flaws that have come up are serious. I'm rather tired of Microsoft acting like newfound flaws in IE are no big deal, no matter how critical the holes may be. I wish the company would quickly admit the problem, take responsibility, and just fix it. Read more »
September 22, 2006
Workaround needed for IE hole
Microsoft acknowledged this week a new weakness that allows hacked Web sites to infect PCs merely displaying specific images in the Internet Explorer browser. Read more »
September 14, 2006
Internet Explorer 7 looms — be prepared
Long the poster boy of Microsoft complacency, Internet Explorer 6 has finally reached the end of the line. the end of this year, Internet Explorer 7 will be "pushed" onto tens of millions of desktops. You'd better be ready. Read more »
Don't ignore two critical, reissued patches
I thought all I needed to worry about this Patch Tuesday was a Windows patch or two and an Office patch. But it turns out to be essential that you redo August's critical Internet Explorer and Server Service patches on Windows 2003 and XP SP1. Read more »
Java update process is broken
I've been researching some problems with Java updates. It turns out that the issues are so extensive that they're going to take up my entire column. I wrote in my Dec. 15, 2005, column about some Java update issues. Those don't even come close to the collection of mistakes I've just spent an entire evening dealing with. Read more »
How bad are Microsoft's patch lead times?
How long does it take Microsoft to fix holes in its programs? Three months? Six months? Two years? When a music-file-cracking program called FairUse4WM surfaced a few weeks ago, Microsoft patched the hole in just nine days. There's a good reason why. Money. Read more »
Yes, Firefox has some flaws, too
If you're a frequent reader of my column, then you know that I usually have a lot to say about the security of Microsoft's Web browser, Internet Explorer. This time, my focus will include Mozilla's Firefox. Even though I still consider Firefox to be a much safer browser than IE, I wouldn't be doing my job if I just ignored flaws that affect the Mozilla browser and didn't report them. Read more »
September 7, 2006
All readers get Dilbert free
Allnewsletter subscribers, free and paid, are eligible to download a free Dilbert e-book. Read more »
August 24, 2006
Watch for our new logo
Our newsletter and Web site will sport a new logo, shown above, beginning with our next regular issue on Sept. 14. We wanted to surprise you, but we figured we'd better give you some warning. We didn't want you to open your e-mail next month and think unknown people were sending you some new, weird newsletter. Nope, it's just the same old weird newsletter. Read more »
How fast does Windows Update update?
Readers have asked me, "How quickly is my computer protected after Patch Tuesday, if I have auto-updates turned on?" The question arises because most of the patches that Microsoft posted on Aug. 8 took a lot longer than usual to download. It appears that Windows Update, when configured to download and install patches automatically, didn't start downloading most patches until three days after Patch Tuesday. Some PCs didn't auto-install all of the security patches until nine days had passed. Read more »
Be careful what you discover
In a hilarious film short, a prisoner makes a surprising discovery — one that may turn out to be life-changing. Read more »
August 10, 2006
Questions arise on PC World tests
A sweeping review of 10 security suites published in a major computer magazine last month featured some very unlikely rankings for this crucial category of products. After examining the evidence, I've found that some material facts were omitted from the article, rendering its ratings useless. Read more »
PowerPoint is still a big security risk
Even with a barrage of patches coming out from Microsoft this month, computer users are still vulnerable to exploits of PowerPoint. Microsoft did make an effort to address flaws that are actively being exploited, but left others unpatched that could be exploited later. Read more »
Install MS06-040 to avoid the Next Big One
I feel like telling everyone to print out today's Windows Secrets Newsletter and read it while you're deploying this month's patches. Not only do we have a busy patch month, but the very first patch has many in the industry thinking that we might see a full-scale, MSBLAST-like incident again. Read more »
MS software leads to new headaches
As though we didn't have enough to worry about with viruses and worms, my readers are reporting all kinds of trouble with the IE7 beta, Windows Update, and Microsoft's little-known dumprep.exe program. I'll show you how to get over these and other software gotchas in the tips below. Read more »
The report from Black Hat and Defcon
I just got back from my annual trip to Las Vegas to attend the Black Hat Briefings and Defcon conferences. This is my tenth year in a row for both. In this relatively small amount of space, I can't possibly cover everything that went on. So I'll stick to the topics that I think are of the most interest to Windows Secrets readers. Read more »
The best ways to surf anonymously
"You have zero privacy anyway. Get over it." Scott McNealy, chairman of Sun Microsystems, uttered those infamous words in 1999. Incredibly smart people have been working overtime since then to prove him wrong. Read more »
July 27, 2006
Should you use Windows Live Messenger?
Windows Live Messenger — the successor to MSN Messenger — hit the stands a week ago on Wednesday. That was version 8.0.0787. Ancient history. Less than two days later, Microsoft released a new version, 8.0.0792. Hooo boy. Here we go again. Read more »
IE bugs not fun for users
As I mentioned in my last column, the Metasploit project has been holding a Month of Browser Bugs. Every day, a new vulnerability is published, the majority affecting Internet Explorer. Releasing these flaws may be fun for Metasploit, but it certainly isn't for the rest of us, who are forced to wait while Microsoft catches up on its patches. Read more »
Patching isn't just about Microsoft
There are products that need major patching this week, but they aren't all from Microsoft. We're so used to Microsoft programs having security implications if we don't patch that we forget the many other software programs that can impact our systems. Read more »
Readers review alternatives to Windows Update
The shock waves caused Microsoft's decision to quietly install Windows Genuine Advantage through its security update mechanism are still being felt my readers. The marketplace for non-Microsoft antivirus packages, security suites, and the like is crowded with well-known competitors. contrast, the field of Windows Update alternatives is new and the players are little-known. Until more reviews have been published major test labs, I'll keep bringing you my findings and the comments of Windows users who are doing their own analyses. Read more »
A bad month for Microsoft products
This is, of course, a Windows-centric newsletter. That means that sometimes it can be difficult writing about security issues without picking on Microsoft. Drive-downloads still mostly affect Internet Explorer, not other browsers, and Microsoft Office products are showing cracks in the foundation.I'll explain below. Read more »
July 20, 2006
Shavlik will lift download restrictions
I announced in the July 13 newsletter that Shavlik Technologies, a well-known patch-management vendor, had released a free and capable replacement for Microsoft's Windows Update (WU) service. The Shavlik program, known as NetChk Protect, is free for up to one year, can remotely update 1 to 10 PCs from a single PC on a network, and supports far more programs than Microsoft's offering does. Read more »
Human space invaders geek the place up
You've seen the old Space Invaders arcade game — but have you seen it played with live bodies? Read more »
July 13, 2006
Free Windows Update alternative is released
In my last issue, I reported that Microsoft's in-house Windows Update routine is now likely to download marketing gimmicks such as Windows Genuine Advantage to your PC. I advised all Windows users, other than novices, to turn off Automatic Updates. Read more »
Internet Explorer back under the microscope
With all of the Microsoft Office vulnerabilities that have been popping up lately, I almost missed the discovery of more holes in my favorite insecure browser. With that in mind, let's jump right in and get started. It looks like Internet Explorer needs another good once-over. Read more »
Two patches you should jump on
If I were a gambler, there are two July 11 announcements (MS06-035 and MS06-036) that I'd bet will bite people who fail to patch, generating headlines that you'll start seeing soon. This month is also our last chance to say goodbye to Windows 98, 98SE, and Me. As of July 11, these Windows versions are no longer supported Microsoft. Read more »
Readers write a book on WGA problems
I can't remember a time when the newsletter has received more heartfelt tips from readers than the controversy of the last two months over Microsoft's automatic downloading of Windows Genuine Advantage, which phoned home every 24 hours. More than 300 well-thought-out comments streamed in. We'll never be able to respond in full to everyone individually, but we hope this section will serve to recognize everyone's help while giving you the useful info you need. Read more »
Live Safety Center: does it work?
My last column explained why Microsoft needs the free Windows Live Safety Center to keep antitrust lawyers off its butt. A few days ago I tested Windows Live Safety Center on a real zero-day Excel exploit. Does it work? Or is Microsoft blowing smoke? Frankly, I was amazed. Read more »
New-style rootkits are on the horizon
Portions of the security community have been abuzz lately with talk of a new rootkit technology dubbed "Blue Pill." The name is an obvious Matrix reference, especially given that the same researcher named an earlier rootkit detector that she wrote "Red Pill." The latest buzz started with an eWeek article on her work. Read more »
June 29, 2006
Dump Windows Update, use alternatives
The Internet interprets Microsoft as damage and routes around it. My apologies to John Gilmore for tweaking his famous 1993 quote about censorship. But the above statement just happens to sum up the alternatives Windows users are adopting ever since Microsoft's "Windows Genuine Advantage" (WGA) debacle. Read more »
Live Safety Center is good and free
When Microsoft first announced Windows Live OneCare, I figured Redmond had a lot of cojones to charge consumers for protection against flaws in its own products. In OneCare's first month, however, it appears to my jaundiced eye that MS has responded admirably to two real, in-the-wild, zero-day attacks — first in Word, then in Excel — via a little-known free service called the Windows Live Safety Center. Never heard of it? Read on. Read more »
How to disable unexpected attacks
There are a lot of ways your machines can be attacked. Not all of them are via the Internet. Some attack vectors require physical access, but many others can hit you without notice when you do something as simple as accessing an external device. Read more »
Excel flaws pose a triple threat
The last few weeks haven't been good for Microsoft Excel. Three serious vulnerabilities affecting the popular spreadsheet program have been revealed. Two of these are already being actively exploited in the wild. This is a serious concern, as there currently isn't a patch for any of the three holes. But I'll arm you with workarounds that should keep hackers from storming your computer. Read more »
June patches break dial-up scripts, etc.
With the June patches being so numerous this month, even some folks who ordinarily patch quickly are just now getting around to patching. But with proof-of-concept code and live exploits already on the Net for many of the flaws announced on June 13, if you haven't yet updated, now's the time to test and patch. Read more »
June 15, 2006
Genuine Advantage is Microsoft spyware
Windows Genuine Advantage — the controversial program Microsoft auto-installed as a "critical security update" on many PCs starting on Apr. 25 — not only causes problems for many users but has now been proven to send personally identifiable information back to Redmond every 24 hours. This behavior clearly fits any plausible definition of "spyware." Some tech writers have said categorizing WGA as spyware is arguable. But I have no hesitation in calling the program a security nightmare that Microsoft should never have distributed in its present form. Read more »
Just say no to one patch this month
I believe in patching, sometimes even if things get broken — because it points out that the software that broke was probably written poorly in the first place. But this time, there's one patch I want you to make sure you select not to install this month. Read more »
User Account Control: Vista cries, 'Wolf!'
Windows Vista Beta 2 may be the most-downloaded program in history — but heaven help ya if you use it for real work. Bugs and lock-ups come with the territory — it's beta software, after all, and you'd be crazy to run Vista Beta 2 on a production machine. (Or go crazy trying.) Having spent months struggling with various incarnations of the Vista beast, I'm worried about something more fundamental than bugs. More insidious. One Vista feature, User Account Control, just keeps getting in the way. Read more »
MS updates and a new USB threat
With the large number of Microsoft patches this week, I don't want you to forget about the third-party programs that you and probably all of your users have. These apps need updates too, and there are some security updates that need to be installed. I've also taken note of what I think is a novel "attack" based on USB Flash drives. I thought I was too smart to fall for this one, but I was wrong. Read more »
IE patches are close but not complete
If you're like me and the other writers of this newsletter, you were probably overwhelmed the number of patches Microsoft released on Patch Tuesday. Microsoft released yet another cumulative rollup for IE, which fixed eight open holes — but once again, there are plenty left open to talk about. I wrote about the last IE patch in my Apr. 13th column. Comparing that column to what was patched in Tuesday's release shows that only 1 out of the 3 flaws I talked about then have been patched in the latest IE rollup. Read more »
May 25, 2006
To auto-update or not to auto-update
I published a Woody Leonhard column as the top story last issue while I was traveling, knowing that he's opinionated and always gets strong reactions. Well, he didn't disappoint me. Reacting to several mistakes Microsoft made in its Automatic Updates downloads in April, Woody railed against Redmond's patching strategy, saying, "Windows auto-update is for chumps." Read more »
Recovering from the April patches
After our battle scars from the April patches, Microsoft's May patches were a bit of a breather for consumers. While the Exchange patch meant homework for administrators, home users at least had a break after the "double patch" bout we had in April. But lest you think everything is rosy on the other side of the operating system, even Apple folks had to deal with their share of patch pain this month. Read more »
WinXP networking — too much, too little
It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was... Nawww... It was just Windows XP playing tricks. This past week, Windows XP networking surprised me twice. The first shocker magically solved a long-standing problem (dare I say a "bug"?) in my office peer-to-peer network. The other event scared the, uh, Dickens out of me. Read more »
The exploit market is heating up
There's more evidence to suggest that vulnerabilities are going back underground. Or at least, going to the highest bidder. I believe it's fortunate that there are a few above-board high bidders that are snapping up these exploits and keeping them off the market. Otherwise, I think things could be much worse. Read more »
Word zero-day exploit causes concern
It used to be that the term "zero-day" exploit was just a concept that companies like Microsoft treated as a myth. The idea of a vulnerability being found in one of their products and the exploit for that vulnerability coming out at the same time is something that no one wanted to believe could happen. Now, however, zero-day exploits do happen — but only sporadically. When these exploits do surface, it's a cause for concern for everyone. There is usually no defense against them until they can be understood and patches or workarounds can be made available. Such is the case with the Word zero-day vulnerability that was discovered recently. Read more »
May 11, 2006
When Automatic Updates can be harmful
For years I've been advising Windows consumers to disable Automatic Updates: Keep Microsoft's mitts off your machine until you're darn sure the proffered patches do more good than harm. I've taken a lot of flak for that heretical stance, vilified for intimating that Microsoft's patching process leaves consumers in the lurch. Bah. Recent events have proved my point conclusively: Windows auto-update is for chumps. Read more »
Patch one and find two more
That's the way it seems to go these days: Microsoft — or any software vendor for that matter — patches a piece of software, and someone goes and finds some other flaw that can be exploited. I guess that's become the price we all have to pay for working with technology; we all have to try to be one step ahead of the hackers out there. While Microsoft is no means perfect in the area of security, it is at least trying to do better. This has become clear to me after attending the Microsoft Management Summit a few weeks ago — at the same time as I've just start scratching the surface in my role as a newly awarded MVP. Don't think you can get rid of me anytime soon, though; there are still plenty of unpatched vulnerabilities out there to tell you about. Read more »
Flash causes headaches for home patchers
Last month was rough for home patchers — and this month isn't looking much better. It seems like only a few days ago we were dealing with issues with Outlook Express and Windows Shell. Here we are this month with another patch that so far looks a bit tricky to get on our boxes, especially for home users without a patch-management adminstrator. Read more »
Some excellent reasons to update Firefox
There are some interesting issues with Firefox this time around. While they do represent genuine problems with Mozilla's open-source browser, some of the details still make me happy with my decision to recommend Firefox. Read more »
April 27, 2006
April 11 patch re-released with fixes
Microsoft re-released on Apr. 25 a security patch that had been issued 14 days earlier in the company's monthly Patch Tuesday schedule. The original version of security bulletin MS06-015 causes problems with Microsoft Office and other apps when you try to open or save files in the My Documents folder; with Internet Explorer when you type Web addresses into the Address Bar; and with an untold number of other programs. The Redmond company says the problems are being caused older versions of HP Share-to-Web software, nVidia graphics drivers, and Kerio Personal Firewall. But I believe there may be other conflicts at work, as I discuss below. Read more »
Were you a victim of Patch Tuesday?
Here I was, looking for fallout from Microsoft's Eolas/Internet Explorer patch -- but most of the issues came instead from other patches. Just like everyone else, I was expecting most of the problems from Patch Tuesday would be from 06-013. This is the cumulative Internet Explorer patch, which changes the way Active X works. I wasn't expecting to see issues in the Window Shell patch, the Outlook Express patch, nor in OE's Junk Mail Filter. These issues, because they mostly affect consumers, have raised a concern about online communities and self-help sites. I think they're masking the real magnitude of issues. Read more »
How to check that sites are safe
I don't gush over new software very often. Most of what I see looks like same-old, same-old, maybe with a burnished bell here or a twisted whistle there. But I recently found something new — something exciting — on the Web, and it's saved my tail a couple of times. If you haven't seen SiteAdvisor, you should look. If you don't use SiteAdvisor, you should try. Read more »
There they go again — slipstreaming patches
For as long as people have been finding security vulnerabilities, software vendors have been trying to "slipstream" security fixes. What's surprised me in the past few weeks is that a couple of big vendors have admitted to it and are trying to justify the practice. Read more »
Deeper problems emerge with April patches
As you've seen in the top story in this issue, the patches Microsoft released via its regular Patch Tuesday schedule on April 11 caused serious grief for many people. Unfortunately, I believe there are still other software conflicts that Microsoft hasn't yet confirmed. I've seen reports of problems with AOL, the Windows version of iTunes, and other popular software — all related somehow to the April 11 patches. Read more »
April 13, 2006
More ways to use disposable addresses
I described in the Mar. 30 newsletter how to use "disposable" e-mail addresses. These are unique addresses that you give to Web sites and other people who want to send you mail. If they happen to reveal your address to spammers, you simply turn off that one address rather than trying to filter out a wave of spam. My readers, it turns out, have a lot of ideas about using disposable addresses. Follow along with me as we hear about some great tricks, many of which cost little or nothing. Read more »
Fix Outlook daylight savings time headaches
It's amazing how Microsoft finds ways to get us to spend a little extra time with Windows now and then. If it isn't a patch we have to install, it's a workaround for the change to daylight savings time. Susan Bradley provided some good tips on dealing with DST pains-in-the-butt in her Mar. 30, 2006, column. Apparently, that wasn't the end of it. Follow along as my readers provide tips on this and other topics from the last issue. Read more »
Internet Explorer still has holes left
Microsoft did a pretty good job of patching some serious security holes in Internet Explorer with the release of MS06-013 on Patch Tuesday. (See Susan's Patch Watch column, below.) It's been a while since I've seen that many security fixes in an IE patch. If it weren't for the file size, I'd almost think this was a service pack. While Microsoft eliminated some serious holes this month, the job is far from done. There are several older IE holes that are yet to be taken care of. Read more »
April showers bring April patches
The Pacific Coast has been showered on this week and now we're being showered with security patches. While the total number of security patches is not that large, it's still a bit of a downpour. This month's patch release includes not only a cumulative Internet Explorer patch, but a change in browser behavior due to a patent dispute. Read more »
Pinning a tail on the Start menu donkey
You're a savvy Windows XP insider. You already know that you can pin programs on the Start menu. Cool. Hanging your most-used programs on Start makes it easy to get them cranked up, even when you're bleary-eyed and blue-toothed, and your mouse has a mind of its own. But did you know that you can also pin folders, files, documents — even Web pages — to the Start menu? Check out these tricks to make the most of that prime piece of real estate. Read more »
Do virtual machines make you safe?
I've been thinking a lot this week about virtual machine technology. I have to admit it's because of the Mac. As you're no doubt aware, the new Apple Macs have Intel x86-family processors. This makes them, just about any measure, PCs. It's not just the CPU, but also the chipset. Apple is using an Intel chipset, like almost every motherboard vendor who makes Intel-compatible motherboards. That's not to take any style points away from Apple; they still win big in that area. It's not like Apple is shipping putty-colored plain boxes all of a sudden. Read more »
March 30, 2006
Get a disposable e-mail address
Every time you give out your e-mail address, you take a risk that your address will get on spammers' lists and you'll be bombarded with junk mail. As a test (which I'll describe in my Datamation column in a few weeks), I entered an e-mail address into a signup box at one of those "get a free laptop" promotional sites. In less than six weeks, the address I provided was hit with more than 1,000 junk messages — over 23 per day — and they show no sign of slowing down. Read more »
Unsafe at any speed?
Are you an Internet Explorer user? that I mean, do you use it for your daily Web browsing? I like Internet Explorer, I think it's a very capable browser. But, as you are probably aware, there seem to be some safety issues. What do you do when there's blood on the information superhighway? Alright, I'll stop with the car analogies. But I do want to discuss what to do, now that it looks like we're in for a long road of unpatched IE vulnerabilities. This last week, two unpatched IE vulnerabilities were published. And at least one of them has been proven to be highly exploitable. Read more »
Internet Explorer has triple security threat
This month has been pretty rough on the people at the Microsoft Security Response Center (MSRC). There've been three new vulnerabilities discovered for my favorite insecure browser — Internet Explorer — in just the last two weeks. Of those three vulnerabilities, one will cause IE to crash at worst. But the others are severe enough to allow infected code to run that could very well take over your computer. Here we go again. The race for a patch begins. Read more »
Gentlemen, and women too, start your testing
Normally before there's a patch, we don't get quite the advance notice that we did this time. An Internet Explorer upgrade is coming that can impact your Web-based applications. You need to know now how this may affect you, well before Microsoft releases the patch on Apr. 11. Why is this patch different? Because it's not a security patch — it's a reaction to a patent lawsuit. Read more »
Changing registered owner in Windows and Office
Does Office think your name is "Satisfied Dell Customer"? When you install new programs, do they want to send a confirmation e-mail to "OEM User"? Or — raise your hand if this sounds familiar — when you first installed Windows, did you misspell your own name? Hey, it's happened to me. More than once. If you've ever wanted to turn back the clock and tell Windows or Office that the name or organization permanently emblazoned in your PC's memory is all wet, this secret's for you. Read more »
March 16, 2006
Readers respond on controlling reboots
Patching Windows is good, and rebooting right after you've patched is good, too. But if you're right in the middle of something, seeing Windows reboot when you didn't expect it can be very bad. Read more »
Vista 5308: through a glass, darkly
I've spent most of the past three weeks slogging through the "February Community Technology Preview" of the next version of Windows — Vista Build 5308, to the tech-savvy.For the first time in a very, very long time, I'm excited about a new product from Microsoft. Vista holds tremendous promise. Whether the final product will live up to the promise, though, is anyone's guess. Read more »
Perfect your patch process
If you're responsible for more computers than you can personally lay hands on in a short period of time, then you probably have a patching process that includes some kind of cost/benefit analysis. This doesn't necessarily require a spreadsheet with salaries and downtime costs. It can be as simple as answering the question, "How much trouble am I in if I crash the server in the middle of the day?" The answer to that last question is probably, "I guess I'll be staying late, and applying the patches after everyone goes home. That's a perfectly acceptable strategy — if you can get all the machines done manually in a reasonable amount of time. But it doesn't scale well at all. I'd like to present some tips that I've learned to make your life easier when dealing with patches and updates. Most of these tips come from my co-moderation of the patchmanagement.org mailing lists, and my job at BigFix, a company that sells a patch-management product. Read more »
Windows flaws from server to client
We all know that using a computer is a dangerous business these days. Design flaws and vulnerabilities can come from anywhere, from any server, all the way down to the client accessing it — and everywhere in-between. The best we can do these days is to be aware of what is out there, protect your computer as best you can, and practice safe computing practices. The only thing else you can do is hope that a hacker doesn't think you're a tempting target. Read more »
More than just two patches this week
The bulletins came to my inbox. Two patches. One for Office, one for DACLs. (What's a DACL?) But that isn't all. Microsoft Update has a few more patches it wants me to install. In addition to the ever-present Windows Malicious Software Removal Tool for March (KB 890830), and the monthly update for the Outlook 2003 Junk E-Mail Filter (KB 913161), we have a few other patches in Microsoft Update's "high priority patches" list. It reminds me that it's not just security patches that are up there in the top section. Read more »
March 2, 2006
Stop Windows' 10-minute reboot reminders
A raging controversy over whether Windows patches ever reboot a PC without permission has been solved. Reboots can happen when you're not expecting it — but you can minimize the problem or eliminate it entirely. This subject sparked a debate when reader Evan Katz wrote in to ask whether Microsoft patches had started rebooting Windows automatically, even when the Automatic Updates control panel is configured to notify the user of downloads instead of installing them without notice. His comments were printed in the paid version of our Dec. 15, 2005, newsletter. Read more »
Has Microsoft's patching earned your trust?
With the patch issues that arose last week, and folks asking if Microsoft tests patches before releasing them, it reminds us that Redmond still has a long way to go in the trust department. But Redmond wasn't the only one with vulnerability and software issues this time around. Apple has joined in the browser vulnerability battle with its Safari browser this week. Sophos didn't help much with its software giving off false positives. It's been more of a battle to clean up after our security tools than it was to deal with patching issues this month. Read more »
My list of must-have Windows utilities
I've seen (and reviewed) enough Windows XP utilities to bust a billion bottomless bit buckets. The world's full of 'em. But when a good friend recently asked, "What utilities do you really use, Woody?", I had to stop for a while and think. You see, truth be told, I keep very few utilities on my main machine. Too much headache. Too little benefit. Hard to keep them all straight. Read more »
Exploiting the discovery of exploits
What's the exploit you've found worth? Have you ever stumbled across a security problem in a major software vendor's product? You weren't just going to tell them for free, were you? Read more »
More flaws emerge in Internet Explorer
In this column, I once again tackle security in Microsoft's Internet Explorer browser. It never ceases to amaze me how Microsoft praises the security of its flagship browser, while at the same time ignoring obvious flaws that go unpatched. Read more »
February 16, 2006
Readers respond on Deep Six spamwall
Our tests of antispam appliances in the Jan. 26 newsletter made a definite impression on our readers. The article received a reader rating of 4.15 out of a possible 5, our highest-rated article so far (well, in all two of the issues that've supported reader ratings to date). And several subscribers sent us their own results from testing the least-expensive appliance in our review: the Deep Six Technologies DS200 Spamwall, which we found to be highly effective. Read more »
I'm a little 0x80242006 today
The date on the calendar as Microsoft's patches came out this week said St. Valentine's Day, the day for love and romance. But if you're a patchaholic like me, a guy who offered to patch my computers for me would be even more romantic than roses and chocolate. Especially in a week like this, when he'd have to use some extra manual labor to get my machines fully patched. Read more »
How to restore with confidence
Windows XP's System Restore can save your bacon. But it wallows in disk space like a hog. If you understand the secrets of System Restore, you can save yourself untold headaches when things inevitably go bump in the night. And you can reclaim a few zillion megabytes of pure Windows pork while you're at it. Read more »
Judging third-party patch practices
What does a vendor's patch-release schedule tell you? Have you thought much about how and when your software providers release their patches? Are patches provided in a convenient format for centralized updates? Do patches take years, months, or only weeks to deliver? If you're paying attention, this will help your security stance in the future. Read more »
Unpatched flaws threaten Windows users
Microsoft didn't have a very good Valentine's Day this week. Even after releasing seven patches for various security vulnerabilities this month, Microsoft still has plenty of flaws that the company could profitably spend some time fixing. Read more »
January 26, 2006
Connection scoring beats spam filtering
A simple device that prevents spammers from delivering junk to your mail server outperforms complex spam filtering appliances costing up to seven times as much, according to tests the Windows Secrets Newsletter. If your company is suffering from onslaughts of spam, our tests indicate that this new approach can halt more than 99% of your unwanted flow without blocking legitimate e-mail. Best of all, the new technology does this without creating a large "quarantine" of suspected spam that you or your employees must manually comb through. Read more »
Wireless 'flaw' could leave computers open
There's been a lot of talk about the Windows Wi-Fi "flaw" that was revealed recently. Some security professionals call it a high-risk vulnerability. Meanwhile, Microsoft and other security professionals call it a feature — one that can only be exploited under the right circumstances. Let's take a closer look, so you can be the judge. Read more »
When does 'not critical' mean 'critical'?
You are at risk. No, seriously. Every time you turn on any kind of technology, you turn on risk. The question for today is this: Exactly how do you know what risk you are taking when you use that technology? Some argue that "old code" is secure code, under the assumption that the older the code, the more "eyes" have reviewed it. But is that true? Let's revisit the Windows Metafile issue with this in mind, shall we? Read more »
How to slim down your porky pics
Those 8-megapixel cameras take great pictures, don't they? Faaaaaaat. In more ways than one. The top complaint I've heard since the holidays has nothing to do with rootkits, WMF files, or patches of patches. Nope. The people I know who scream the loudest got expensive new cameras, and they've learned that they can't do much with their pictures. Read more »
When is a flaw really a back door?
How quickly do your vendors release patches? If they take 15 years, does that mean the problem was an intentional backdoor? There are, to be sure, some still-outstanding questions regarding how the now-infamous Windows Metafile flaw affects the Windown 9x/Me platform (as discussed my fellow columnist, Susan). One bit of controversy that arose over this problem since our last newsletter deserves clarification here. Read more »
January 12, 2006
WMF hole still reverbrates with users
What a way to start the year! The now-well-known WMF vulnerability, which allows an infected image to silently take over your PC, was first publicized just before New Year's Eve. It resulted in a frantic week for Microsoft and millions of Windows users who wanted to protect themselves. I considered the risk of infection from hacked Windows metafiles (.wmf files) to be so dire that I published an unprecedented two news updates in the same week. (In the past 12 months, I'd felt the need to release only 5 news updates.) Read more »
New Year brings new security woes
The year 2006 started with a bang for security professionals as we scrambled to deploy patches for zero-day exploits. Even as old security holes were closed software vendors, more holes were discovered with exploits-to-go. They seem to be arriving at an ever-increasing rate. Read more »
Malicious pictures, fonts, and attachments
The ball dropped in New York, ushering in the New Year. But we network admins were scrambling because of a zero-day exploit for which no patch was available, other than hoping our antivirus vendors would catch it. Little did we know at that time that the 'bug' was perhaps a wakeup call for us to have better procedures to handle a zero-day event in the future (as InfoWorld's Roger Grimes reports). Read more »
How to protect yourself against autoplay discs
If your holiday season was anything like mine, you probably received a fair amount of software, either off the shelf, or bundled with a new PC. Seems that CDs have replaced silk ties as the gift of choice when trying to buy for someone who has everything. But CDs and DVDs today can hold dangers that you should avoid. Let's look at how one simple change can make you immune to those headaches. Read more »
MS patch doesn't end WMF issues
When there's blood in the water, don't go swimming. I hope you didn't think we were all done with our WMF problems. I'm not going to go over all the details of the WMF vulnerability and patch here. My fellow columnists have that well covered. I do wish to point out that it's an important example of what the patch lifecycle now looks like for a special case. Read more »
January 6, 2006
Install Microsoft's WMF patch
Microsoft released on Jan. 5 an emergency patch, named MS06-001, which corrects Windows' so-called WMF (Windows metafile) vulnerability. A WMF exploit can silently infect a PC when it merely displays an image in any browser, instant messaging, P2P, e-mail, or in a directory listing in Windows Explorer; when desktop-search applications index an infected image file; and in other ways. I published a special news update earlier in the week urging readers to install an unofficial patch for this problem. This workaround was also strongly recommended F-Secure, the SANS Institute's Internet Storm Center (ISC), and several other security sites. Read more »
January 4, 2006
Windows metafile hole requires unofficial patch
A weakness in the way Windows renders images is being exploited on the Internet and affects any browser you may be using, not just Internet Explorer. Microsoft has no patch for the problem at this writing. An official patch may appear at any time, or it may take days or weeks. I recommend that you immediately run a small, unofficial patch that was developed white-hat security researchers to make your PCs immune to the problem. Read more »