We guarantee your privacy: 1. We will never sell, rent, or give away your address to any outside party, ever. 2. We will never send you any unrequested e-mail, besides newsletter updates. 3. All unsubscribe requests are honored immediately, period.
INTRODUCTION — news about your newsletter

Get our Business Blog bonus

At least four times a year, we license a special bonus download for our paying subscribers. This issue's bonus is:

The e-book is a printable PDF file that's 4 MB in size. Your download time will range from 3 minutes on a cable modem to approximately 16 minutes on a 56 Kbps dial-up modem.

The 122-page e-book includes two full chapters that explain in detail how businesses can profitably use Web logs. Also included are five partial chapters with case studies of small to mid-sized businesses, nonprofit organizations, and large enterprises that are publishing blogs.

The authors are Bill Ives, a former lead for knowledge management and portals at Accenture, and Amanda Watlington, an independent business consultant. Both are Ph.D.s with years of Internet marketing experience and extensive backgrounds in blogging.

In a sign of how influential blogs have become, "Blogs Will Change Your Business" was the top story featured on the cover of Business Week earlier this month. "Blogs are a phenomenon that you cannot ignore, postpone, or delegate," Business Week writes. "Given the changes barreling down upon us, blogs are not a business elective. They're a prerequisite."

The Windows Secrets Newsletter is planning to introduce its own blog and/or RSS feed later this year. I've found the book Business Blogs to be a phenomenal tool in planning that project. I think you'll find it very useful for your own interests, too.

To upgrade your subscription, use the following link: How to upgrade

The full, printed book is not yet stocked in any store. If you wish to obtain the full version, it currently can only be ordered directly from the authors. A printed copy with CD costs $99.95 USD. The CD alone (which includes a PDF copy of the full book) is $69.95, while the PDF downloaded by itself is $49.95. For more info, visit the Business Blog Guide site.

We hope you'll enjoy our exclusive excerpt of Business Blogs. We look forward to bringing you even more secrets of Windows, and even more bonus content, in the year to come.

—Brian Livingston, Editor
Windows Secrets Newsletter
Issue 53 — 2005.05.12

• Get our Business Blog bonus
• Top Story: Is Firefox still safer than IE?
• IE users were exposed for 200 days in 2004
• Firefox fixes take days, IE takes months
• How to keep Firefox upgraded
• Portable devices that support you on the go
• Burn images to CD/DVD without a PC
• Send and receive e-mail while you travel
• Run PowerPoint and Media Player remotely
• Devices to carry at work and play
• PSP is unbeatable handheld, says T3 Mag
• Dell's widescreen monitor impresses testers
• Two Canons tie for CNET's top camera rating
• Laptop Mag names Hauppauge best TV tuner
• Another win for Canary's hotspot sniffer
• LinkStation is CNET's drive of choice
• RCA DVD is sharp, says Laptop Mag
• MS mouse & keyboard click with PC Mag
• BenQ mouse makes cutting the cord easy
• Cordless headphones are maturing, CPU Mag says
• CounterSpy wins another 3 reviews
• Take back Windows: the best readers' tips
• How to control your startup options
• How to get better performance and convenience
• How to find the best utilities
• Hackers may be profiting from your computer
• Black hats have hijacked thousands of sites
• There's no 'safe haven' on the Web
• How you can protect yourself
• Do few patches mean few issues?
• Hotfix re-released, new MS05-019 coming, too
• Details on Snap Server and Mac write problems
• MS releases one patch rated "Important"
• Microsoft is changing its alert mechanism
• New 'security advisories' start this month
• XP SP2 gets WPA2 Wi-Fi upgrade
• Windows Installer is missing in action
• Firefox 1.0.4 adds to browser vulnerability wars
• Reducing your rush to patch
• All it takes is hardening
• Vulnerabilities can be foreseeable
• Can you live without patches?
• Replicator duplicates gold, now only $250,000 at eBay
• Useful Links

CIRCULATION: over 147,000
TOP STORY — info you need to make Windows work

Is Firefox still safer than IE?

By Brian Livingston

The popular Firefox browser received a security upgrade, known as version 1.0.4, when the Mozilla Foundation released the new code on May 11. This upgrade closes a security hole that could allow a hacker Web site to install software without a visitor's knowledge or approval.

This is the fourth minor update to Firefox since the open-source browser's 1.0 release on Nov. 9, 2004. That doesn't seem like very many patches to me, compared with Firefox's dominant competition, Microsoft's Internet Explorer (IE), which is included in every copy of Windows.

But I've heard a surprising amount of comment that Firefox might no longer be as secure as IE.

At Microsoft's Windows Hardware Engineering Conference (WinHEC), held in Seattle April 25-27, for example, an IE product manager made this case explicitly. Firefox had had (at that time) "three major releases," she said, while Internet Explorer 6.0 had had none. This statement was presented as though a lack of upgrades to IE was a benefit.

In fact, Microsoft has released at least 20 major security patches for Windows or Internet Explorer since November 2004. Most of these patches were rated "Critical," Microsoft's most severe security alert level.

The evidence I've seen so far indicates that Firefox remains much more secure than IE. But it's worth our time to take a closer look.

IE users were exposed for 200 days in 2004

Some remarkable statistics comparing the major Web browsers have been developed by Scanit NV, an international security firm with headquarters in Brussels, Belgium, and Dubai, United Arab Emirates. The company painstakingly researched the dates when vulnerabilities were first discovered in various browsers, and the dates when the holes were subsequently patched.

The firm found that IE was wide open for a total of 200 days in 2004, or 54% of the year, to exploits that were "in the wild" on the Internet.
The Firefox browser and its older sibling Mozilla had no periods in 2004 when a security flaw went unpatched before exploits started circulating on the Net. With the latest 1.0.4 upgrade, Firefox has retained its "patch-before-hackers-can-strike" record so far in 2005, as well.

These statistics are so important to understanding the "attack surface" of the major browsers that we should break down this study into its individual findings:

• IE suffered from unpatched security holes for 359 days in 2004. According to Scanit, there were only 7 days out of 366 in 2004 during which IE had no unpatched security holes. This means IE had no official patch available against well-publicized vulnerabilities for 98% of the year.

• Attacks on IE weaknesses circulated "in the wild" for 200 of those days. Scanit records the first sighting of actual working hacker code on the Internet. In this way, the firm was able to determine how many days an IE user was exposed to possible harm. When Microsoft released a patch for an IE problem, Scanit "stopped the clock" on the period of vulnerability.

• Mozilla and Firefox patched all vulnerabilities before hacker code circulated. Scanit found that the Mozilla family of browsers, which share the same code base, went only 26 days in 2004 during which a Windows user was using a browser with a known security hole. Another 30 days involved a weakness that was only in the Mac OS version. Scanit reports that each vulnerability was patched before exploits were running on the Web. This resulted in zero days when a Mozilla or Firefox user could have been infected.

The Opera browser also experienced no days during which unpatched holes faced actual exploits, but Scanit has been keeping statistics on Opera only since September 2004.

To see Scanit's visual timeline of these holes, exploits, and fixes, visit the firm's Internet Explorer page. On that page, click "Next Page" to see the timelines for Mozilla, Firefox, and Opera.
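The counting method described above (start the clock when a hole is reported or when the first exploit is seen, stop it at the patch, and count each calendar day once even when several holes overlap) is a union of date intervals. The following is an added example, not Scanit's code or data; the `Vuln` record, the function names and every date in it are constructed for illustration.

```python
from datetime import date
from typing import NamedTuple, Optional


class Vuln(NamedTuple):
    name: str                     # constructed label, not a real advisory id
    disclosed: date               # hole first publicly reported
    exploit_seen: Optional[date]  # first working exploit seen in the wild
    patched: Optional[date]       # official fix released (None = still open)


def _clip(start, end, year):
    """Clip the half-open interval [start, end) to one calendar year."""
    lo, hi = date(year, 1, 1), date(year + 1, 1, 1)
    start, end = max(start, lo), min(end or hi, hi)
    return (start, end) if start < end else None


def _union_days(intervals):
    """Days covered by at least one interval; overlapping holes count once."""
    total, cur = 0, None
    for start, end in sorted(intervals):
        if cur and start <= cur[1]:
            cur = (cur[0], max(cur[1], end))
        else:
            total += (cur[1] - cur[0]).days if cur else 0
            cur = (start, end)
    return total + ((cur[1] - cur[0]).days if cur else 0)


def exposure(vulns, year):
    """Return (days with a known unpatched hole, days an exploit had no patch)."""
    unpatched, exploited = [], []
    for v in vulns:
        for first, bucket in ((v.disclosed, unpatched), (v.exploit_seen, exploited)):
            # The clock starts at disclosure / first exploit, stops at the patch.
            window = _clip(first, v.patched, year) if first else None
            if window:
                bucket.append(window)
    return _union_days(unpatched), _union_days(exploited)


# Constructed timelines for two hypothetical browsers (not Scanit's data).
SLOW_PATCHER = [
    Vuln("A-1", date(2004, 1, 10), date(2004, 2, 1), date(2004, 4, 10)),
    Vuln("A-2", date(2004, 3, 1), date(2004, 3, 20), date(2004, 6, 1)),
    Vuln("A-3", date(2004, 11, 15), None, None),  # open at year end
]
FAST_PATCHER = [
    Vuln("B-1", date(2004, 5, 5), date(2004, 5, 20), date(2004, 5, 11)),  # exploit after fix
    Vuln("B-2", date(2004, 9, 1), None, date(2004, 9, 8)),
]

if __name__ == "__main__":
    for label, data in (("slow", SLOW_PATCHER), ("fast", FAST_PATCHER)):
        print(label, exposure(data, 2004))
```

An exploit that first appears after the fix is out adds nothing to the second figure, which is how a product can show days with known holes and still zero days of exposure to circulating attacks.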
Firefox fixes take days, IE takes months

From the record to date, the Mozilla/Firefox team has shown that new security discoveries typically result in a patch being released in only a week or so.

This was certainly true in the case of Firefox version 1.0.4. The primary security hole that was closed by that version was unexpectedly publicized by the French Security Incident Response Team (FrSIRT) on May 5. The Firefox patch was released only six days later. (The apparent discoverer of the flaw, the Greyhats Security Group, had been working responsibly with Firefox's development team and criticized the leak.)

Perhaps the responsiveness of the Mozilla development group will shame Microsoft into fixing security holes much faster in the future. The situation has become so bad that eEye Digital Security, a respected consulting service, maintains an "upcoming advisories" page showing how much time Microsoft is allowing critical problems that are reported to the Redmond company to go uncorrected.

At present, eEye's count reveals that three critical unpatched issues currently affect Microsoft's products. None of these have gone unpatched longer than 60 days, the period after which eEye considers a patch to be "overdue." But some critical, widely-known security holes went as long as six months in 2003 and 2004 without an official fix being made available by Microsoft.

Another security firm that tracks security holes in IE, Firefox, and many other applications is Secunia, based in Copenhagen, Denmark. As of today, Secunia reports that there are still 19 unpatched security flaws in IE, the most severe of which is rated "highly critical." Firefox has only 4 unpatched flaws, all of which are rated "less critical" or "not critical," the lowest severity rating. Opera has none.

Microsoft officials often excuse their tardiness in fixing security holes in IE by saying that the code is so complex that any fix has a high likelihood of breaking something else.
Well, who integrated IE so tightly into the operating system that the browser is so delicate? It's Microsoft's own poor programming that causes much of the software giant's very visible problems.

Microsoft employs some of the best software developers in the world. The company enjoys a cash reserve of $35 billion and is highly profitable. Yet a tiny company that builds open-source browser software is making the Redmond giant look foolish and incompetent in securing its products.

I have no particular attachment to the Mozilla Foundation or its products. If the foundation's browser software was a threat to Windows users, I'd say so. At the present time, several serious unpatched holes are known to exist in IE, while few or none plague Firefox. This isn't a religious issue, it's just a fact.

The foundation announced two weeks ago that they'd surpassed 50 million downloads of the free Firefox browser. The application is largely responsible for knocking down IE from a 94% market share in May 2004 to 87% in April 2005, according to OneStat. That's a remarkable accomplishment, considering that IE is free and comes preinstalled with Windows. Sites with a base of expert Windows users report much higher levels of Firefox usage.

How to keep Firefox upgraded

No matter how fast Firefox's developers update it, it doesn't do you any good unless you've got the browser configured to notify you of updates. This is a simple matter, but it's worth making sure you have it right:

• Enable update checking. In Firefox, click Tools, Options, Advanced. Ensure that the selection for Periodically check for updates is on, both for Firefox and for My Extensions and Themes. This is the default setting, so most Firefox users will automatically get notices of updates.

• Check for upgrades manually, if desired. You should see a dialog box informing you of new updates as the Mozilla Foundation releases them. There's a random delay, however, so every user doesn't try to download a new version on the same day. To check whether there's an update that applies to you, click the red up-arrow that's in the upper-right toolbar of the Firefox menu area.

• Download the latest version. If a dialog box tells you an update is available, close the window, then open Firefox's download page. If you want a version other than Windows U.S. English, click the Other Systems and Languages link and select your preferred version. Download the executable file to a temporary area of your hard disk, then close all apps (including Firefox itself) and run the installer.

It's no longer necessary or recommended that you uninstall Firefox before upgrading to a new version. A few glitches affected upgrades to versions 1.0.1 and 1.0.2, but this has been corrected since 1.0.3.

It's unfortunate that hackers are so attracted to browsers as a way to take over users' computers. But that's where the money is, as bank robber Willie Sutton once said.

We have to accept a certain amount of upgrading as the price of using complex Windows applications. But we can reduce the threat to ourselves and others by using browsers that have a proven record of rapid, responsible development.

I'd like to thank reader Terry Engles for his help researching this topic. To send us more information about the browser wars, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You'll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.

Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
WINDOWS GIZMOS — our product reviews of new stuff Portable devices that support you on the go
FORWARDING INSTRUCTIONS — news gains value when it's shared

Please share this information with your friends

You're encouraged to refer your friends and colleagues to this free newsletter. Because most e-mail programs don't correctly display a formatted message that's been forwarded, simply call people's attention to the permanent Web address of this issue: WindowsSecrets.com/comp/050512.
INDEX OF REVIEWS — our directory of product shootouts Devices to carry at work and play
THE SECURITY BASELINE — the minimum you need for safe computing

CounterSpy wins another 3 reviews

By Brian Livingston

(Note: Every PC needs a complete set of the building blocks shown below for protection against hacker attacks. In this section, which appears in every issue, we summarize the highest ratings from trusted reviewers.)

New info: I can't recall the last time I've seen an emerging product take 1st place in so many different computer reviews.

CounterSpy, the antispyware application from Sunbelt Systems, has probably set some kind of record. After being judged the best available product in recent months by PC World and eWeek (as described in item 5, below), it's just scored three more wins in the past two weeks.

For individual users, Laptop Magazine's May 2005 issue gave CounterSpy 1.0 an Editors' Choice award and a perfect score of 5.0 out of 5.0. The magazine gave lower ratings to Microsoft's AntiSpyware 1.0 beta (4.5), Webroot Spy Sweeper (4.0), McAfee AntiSpyware (3.0), and StopZilla (2.5). The editors didn't bother to test Lavasoft Ad-Aware and Spybot Search & Destroy, which used to be everyone's favorites but have poor detection rates of late.

For businesses, Windows IT Pro Magazine's April 2005 issue gave its Editors' Choice to CounterSpy Enterprise, a version of the program that adds centralized management features. CounterSpy received a rating of 4.0 out of a possible 5.0, losing a point largely for omitting support for Windows 9x clients. Other business products tested were eTrust PestPatrol Anti-Spyware Corporate Edition (3.5), DynaComm i:scan (3.0), Omniquad Antispy Enterprise Edition (3.0), and SpyCatcher Enterprise (2.0). Not tested were competing products from Microsoft, Symantec, McAfee, Webroot, Intermute, and X-Cleaner. These companies didn't have their enterprise editions ready or were between revisions.

CounterSpy and Microsoft AntiSpyware were re-tested head-to-head by PC World in its June 2005 issue. The magazine had tested different builds of the two products in its April 2005 antispyware roundup, making direct comparison meaningless. When the two apps were put up against each other using spyware databases of the same date, PC World found that CounterSpy was once again the champ, detecting "an excellent 92%" of the target spyware. MS AntiSpyware detected 89%, missing two major adware programs CounterSpy caught, the magazine said.

These findings reinforce the four elements of the Security Baseline that currently make up a top-rated set. They are the Linksys or Belkin hardware firewalls, the ZoneAlarm Security Suite, CounterSpy, and an update-management tool of your choice. See details below.
HERE'S A TIP — you'll get a better newsletter if you choose the paid version

You're reading the free version of the Windows Secrets Newsletter

Subscribers to the paid version receive additional information in each issue. Some of the extras this week are:

Paid subscribers gain access to all past paid newsletter content

Make a contribution to support our research into Windows and you'll immediately be able to read and search through scores of valuable articles. In addition, paid subscribers are entitled to download valuable content that we license for you at least once every calendar quarter.

Get our bonus e-book download

When you become a paying subscriber, you'll also be eligible to get this issue's exclusive e-book download — Business Blogs. See the intro section for details.

To upgrade, simply make a contribution of any amount you choose

If you do this by May 25, 2005, you'll instantly be sent the full, paid version of today's newsletter. To upgrade to the paid version of Windows Secrets, please visit WindowsSecrets.com/upgrade. Thanks in advance.
ELECTRONIC BOOKSHELF — new e-books from the editors
WACKY WEB WEEK — playing for you the Internet's greatest bits
USEFUL LINKS — more stuff that's good to know

Microsoft Metro threatens Adobe Acrobat (part 1 of 2)
After months of speculation, Microsoft unveiled its new document format, code-named Metro. It's considered by many to be aimed at the heart of Adobe Acrobat, today's ubiquitous view-and-print standard. (By Brian Livingston, Datamation)

Can Microsoft's Metro replace PDF? (part 2 of 2)
With its upcoming output format, Microsoft is taking on Adobe's de facto PDF standard. However, it's hard for me to see any advantages that the Metro format will have over PDF. (By Brian Livingston, Datamation)

A preview of Microsoft Office 12
Microsoft has developed a high-level "vision" for Office 12, and this time, it's all focused on the enterprise. In this showcase, I detail the Office 12 delivery schedule and examine early Office 12 prototypes and plans. (By Paul Thurrott, SuperSite for Windows)

ABOUT YOUR SUBSCRIPTION — we're here to serve you

The Windows Secrets Newsletter (formerly Woody's Windows Watch and Brian's Buzz on Windows) is published twice a month, except for breaks in August and December. The newsletter is published on the first and third Thursdays after Patch Tuesday (the 2nd Tuesday of each month, when Microsoft generally releases new Windows patches).

Publisher: The newsletter publisher is WindowsSecrets.com LLC, 300 Queen Anne Ave. N. #456, Seattle, WA 98109 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor: Brian Livingston is the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.

Associate Editor: Paul Thurrott is the author of Windows XP Home Networking and Great Digital Media with Windows XP and the author or coauthor of several other books.

Contributing Editors: Susan Bradley, Mark Burnett, Chris Mosby. Research Director: Vickie Stevens. Program Director: Ian Maddox.

Trademarks: Windows is a registered trademark of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Index of Reviews, Briefing Session, Windows Patch Watch, and Wacky Web Week are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

How to subscribe: Anyone may subscribe to this newsletter by visiting WindowsSecrets.com/info.

Our Ironclad Privacy Guarantee: (1) We will never sell, rent, or give away your address to any outside party, ever; (2) We will never send you any unrequested e-mail, besides newsletter updates; and (3) All unsubscribe requests are always honored immediately, period.

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,

Copyright © 2005 by WindowsSecrets.com LLC. All rights reserved.