We guarantee your privacy:
1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period.
Windows Secrets Newsletter Issue 58 — 2005.07.28
CIRCULATION: over 147,000

TOP STORY — info you need to make Windows work

SPECIAL REPORT: Podcasts can infect your PC

By Brian Livingston

You wouldn't think that playing an audio file or a short video clip on your PC could infect your machine with a virus or spyware. But the growing popularity of downloadable files called "podcasts" can do just that.

A podcast is a new form of homegrown radio or television program that's delivered directly to your PC, iPod, or portable media player. Apple Computer released new iTunes 4.9 software on June 28 that supports "podcatching." You subscribe to certain podcasts, and iTunes automatically downloads new episodes when they're posted.

Not to be outdone, Microsoft has announced that its new Internet Explorer 7.0 browser, due this fall, will support RSS feeds. These feeds can include podcasts as "enclosures," somewhat similar to the way e-mail messages have attachments.

All of this big-time support is making podcasting hot, hot, hot. Glowing articles have appeared in the mainstream press. PodcastAlley — which lets visitors rate their favorite programs — lists more than 5,000 podcasters who've produced 80,000 episodes, all of them free of charge. That's up from zero as little as one year ago.

To give you some idea of the scorching growth rate, Wikipedia reports that Google showed only 24 hits on the search term podcasts on Sept. 28, 2004. There are 13.7 million hits today.

I'm glad that everyone's so excited, but all this happy talk has ignored the fact that podcasts threaten to become another automated way hackers can put viruses and spyware onto your computer.

As we all know only too well, Microsoft Word begat macro viruses, Microsoft Outlook begat e-mail viruses, and Internet Explorer begat ActiveX viruses. After all that, I was hoping the computer industry had learned its lesson and would avoid creating yet another attack vector via podcasting.

Making podcasts a safe and trouble-free technology requires a single principle from Computer Science 101: Software developers must enforce a separation of code and data.

Podcatching applications and media players are code. Podcasts must always be treated as data. Podcasts must not be allowed to run scripts on a computer, install executable files, or do anything of the sort.

My investigation this week shows a potential threat from podcasts. Fortunately, no malicious podcasts that have spread viruses or spyware "in the wild" have yet been reported. It's not too late for us to ensure both safety and ease of use in this exciting technology.

With a few simple steps, you can protect yourself. More important, software developers can easily make podcasts safe enough for even children to use without fear.

The good news: podcatchers can protect you

For this special report, I asked the experts at eEye Digital Security to examine podcasts and podcatching apps. Dozens of podcatching programs are listed at iPodder.org, a podcast resource site, but for an overview it was necessary to test only a small sample.

As part of eEye's research mission (and without any compensation from me), security product manager Steve Manzuik selected two browser-based RSS readers and two client-based apps to test:

• Sage RSS Feeds Sidebar for Firefox
• Diodia RSS Feeds Toolbar for Internet Explorer
• Primetime Podcast Receiver
• Podfeeder

Manzuik then created RSS feeds using XML, the language of RSS feeds. He added enclosures that contained nasty stuff, including .exe files and other executables that you definitely don't want running on your computer.

His preliminary tests went fairly well:
1. The browsers gave warnings. When presented with executables, such as .exe files, the browser-based podcatchers benefited from both Internet Explorer and Firefox displaying built-in security-warning dialog boxes. (This level of protection requires IE 6.0 SP1 or higher or any version of Firefox.)

2. All apps saved to disk. Rather than simply streaming a potentially harmful file, all four podcatchers first wrote enclosures to disk. This step allows antivirus and antispyware programs to scan the files and quarantine infected ones. (You need both antivirus and antispyware protection, because antivirus programs generally don't detect spyware.)

3. The players didn't run executable files. When the podcatchers routed, for example, .exe enclosures to Windows Media Player to play them, nothing happened. The Play button was actually greyed out, because the file wasn't in one of the media formats the player expects.

These results are promising, but the tests suggest at least two means of infection that podcatcher developers must guard against.

First, podcatching apps might download executable files. When run, these executables would play ordinary audio or video files. But, silently, they would install a Trojan horse that would run or download further adware or spyware.

Second, podcatching apps might download "malformed" or hacked multimedia files. Such files would appear normal, bearing a typical audio or video extension. But, when played, the files would exploit security weaknesses in widely-installed media players. The weaknesses would allow the hacked files to quietly install Trojans, with the same effect as in the first case.

In both cases, the victimized PC users might never know that a particular media file had installed anything unusual. When the PCs started running slowly, displaying pop-up ads, or broadcasting spam surreptitiously, the users might not realize the origin of the malware.

The victims, as a result, wouldn't realize they should unsubscribe from a particular podcast, which had perhaps accepted a money-per-install deal from adware promoters. Even if such users unsubscribed en masse from a popular but adware-financed podcast, millions of Trojan horses (and anything the malware subsequently downloaded) would continue operating until physically rooted out.

FeedStation rejects executables by design

Security researcher Manzuik told me in an interview subsequent to his tests that malicious podcasts with active content could become problems soon.

"If it's going to happen," Manzuik said, referring to infectious podcasts, "it's going to be a [malformed] file format issue, or it's going to be through one of these applications that doesn't warn you what the extension is."

What to do: Your best protection against podcasts that are actually executable files is to get a podcatcher that downloads only known multimedia file types.

FeedStation, a free podcatcher designed for users of the FeedDemon and NewsGator RSS readers, limits its downloads to a list of expected extensions, such as .mp3 and .wmv. (For more information, see Microsoft's description of multimedia file formats.)

Nick Bradbury, the developer of FeedStation and FeedDemon, says this common-sense protective feature is still rare. "When I first looked at all of the podcatching applications, none of them were doing that," he said in an interview. "All of them were downloading any kind of file."

For this reason and others, I recently recommended FeedStation, FeedDemon, and NewsGator in a review of RSS readers published by Datamation on July 19.

FeedStation, to its credit, allows users to add permitted podcast file types if any new formats arise. But users are protected by default against rogue files disguised as podcasts.

The potential for spyware-infected podcasts isn't just theoretical. Bradbury has publicly stated that he's already rejected financial offers to circulate adware. Other content providers might not be able to resist the temptation.
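
The download filter described above (accept only expected media types by default), sketched in Python as an added example; it is not FeedStation's code, and the allowlist contents, the sample feed and the feeds.example host are assumptions. The check on the first bytes of a saved file goes beyond the extension list the article describes.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumed default allowlist for this example; a user could extend it.
ALLOWED_EXTENSIONS = {".mp3", ".m4a", ".ogg", ".wma", ".wmv"}
ALLOWED_MIME_PREFIXES = ("audio/", "video/")
# Leading bytes of executable containers: Windows PE/DOS ("MZ") and ELF.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")

# Constructed sample feed (not from the article); feeds.example is a placeholder host.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed feed</title>
<item><enclosure url="http://feeds.example/ep1.mp3" type="audio/mpeg" length="1"/></item>
<item><enclosure url="http://feeds.example/setup.exe" type="audio/mpeg" length="1"/></item>
<item><enclosure url="http://feeds.example/setup.exe?name=ep3.mp3" type="audio/mpeg" length="1"/></item>
<item><enclosure url="http://feeds.example/ep4.mp3" type="application/octet-stream" length="1"/></item>
</channel></rss>"""


def enclosure_decision(url, mime_type):
    """Return (allowed, reason), judging the URL path and the declared type."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme"
    # Use only the path component, so a query string cannot supply the extension.
    extension = posixpath.splitext(parts.path)[1].lower()
    if extension not in ALLOWED_EXTENSIONS:
        return False, "extension"
    if not mime_type.lower().startswith(ALLOWED_MIME_PREFIXES):
        return False, "mime"
    return True, "ok"


def filter_feed(xml_text):
    """Split a feed's enclosures into accepted URLs and (url, reason) rejections."""
    accepted, rejected = [], []
    # For feeds from untrusted hosts, a hardened XML parser such as defusedxml
    # is a better choice than the standard-library parser used here.
    for enclosure in ET.fromstring(xml_text).iter("enclosure"):
        url = enclosure.get("url", "")
        allowed, reason = enclosure_decision(url, enclosure.get("type", ""))
        if allowed:
            accepted.append(url)
        else:
            rejected.append((url, reason))
    return accepted, rejected


def looks_like_executable(first_bytes):
    """Check the start of a file already saved to disk, before any player opens it.

    This catches an executable saved under a media extension. It does not detect
    a malformed media file that targets a player bug, the article's second case.
    """
    return first_bytes.startswith(EXECUTABLE_MAGIC)


if __name__ == "__main__":
    ok, bad = filter_feed(SAMPLE_FEED)
    print("accepted:", ok)
    print("rejected:", bad)
    print("MZ header flagged:", looks_like_executable(b"MZ\x90\x00"))
```
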
While not all developers of podcatchers limit downloads to safe media formats, the applications do generally block "active content" that can appear in XML. "Most RSS readers already block scripts in RSS," Bradbury says.

By a sort of programmers' consensus, RSS readers and podcatchers usually do strip out ActiveX, Visual Basic, OnLoad events, and other tricks hackers could use to hide malware inside podcasts. (Developers: The correct way to do this has been described by Simon Willison, Jeremy Smith, and Michael Radwin's blog.)

The bad news: players can bite you

The weak link in protecting users from podcasts that could carry viruses or spyware, therefore, is generally not the podcatchers but the media players.

The major offerings — Windows Media Player, iTunes, Quicktime, RealNetworks, and WinAmp — have all suffered from serious security holes. These weaknesses have allowed multimedia files to quietly install malware, while the user sees or hears only the expected video or audio clip.

Millions of PC users have already been negatively affected by malicious media files that were downloaded manually. It's important to prevent podcasts from being able to automatically exploit media players in the same way.

In the next issue of the newsletter, to be published on Aug. 11, I'll show you simple steps you can take to protect yourself against media players that might stab you in the back. It's not difficult, and it means your PC can download all the podcasts you like with little or no danger.

To send us more information about podcasting, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You'll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.

Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.

WINDOWS GIZMOS — our product reviews of new stuff

New devices make you truly mobile

INDEX OF REVIEWS — our directory of product shootouts

Three reviewers rate high-def camcorders

THE SECURITY BASELINE — the minimum you need for safe computing

ZASuite 6.0 adds antispyware function

By Brian Livingston

ZoneLabs, the maker of the popular and highly rated ZoneAlarm software firewall, released this week a new version of its all-in-one suite, which now prevents spyware infections and removes installed spyware.

ZoneAlarm Security Suite 6.0, as the new product is called, received a glowing review posted on July 13 by PC Magazine. It also was given an Editors' Choice award at the same time — another in a long series the security firm has earned over the years.

The suite's antispyware features join the product's existing firewall, antivirus, and antispam capabilities.

Neil Rubenking, the author of the latest PC Mag review, said the new suite blocked 10 out of 11 spyware programs that attempted to install themselves, and prevented them from performing any malicious actions, even if some files did manage to get installed. ZASuite 6 also prevented three out of four keyloggers from logging keystrokes, blocking one from installing at all, he said.

As far as removing installed spyware, the suite ranked "just a bit below the top standalone antispyware products," Rubenking wrote.

In an interview, the technical product manager for the ZoneAlarm product line, Jon Orbeton, emphasized that the new suite also adds an "OSFirewall" that stops malware from taking suspicious actions. Although not specifically written to stop rootkits (programs that are invisible to antivirus software), "we believe a generalized solution is the answer" to help Security Suite 6 prevent rootkits and other kinds of malware from installing, he said.

The product is too new for head-to-head comparisons against other security suites to have appeared in computer magazines. But I have no problem updating the Security Baseline, shown below, to include ZASuite 6, and recommending that users of older versions upgrade to 6.0 immediately.

CounterSpy missing from PC Mag review

The new ZASuite raises the question of whether Windows users still need a separate antispyware product. The top-rated offering, CounterSpy, has been in the Security Baseline for months.

There's additional confusion because the most recent PC Mag roundup of antispyware products — published in the magazine's Aug. 9, 2005, issue — did not include CounterSpy. Furthermore, the Editors' Choice in that roundup went to Spyware Doctor 3.2, a product that hasn't been top-rated by any other reviewer I know of.

In an interview, Alex Eckelberry — president of Sunbelt Software, the maker of CounterSpy — said his product's absence from the Aug. 9 review was his fault. He had given the magazine a beta version of CounterSpy 1.5, not the latest, stable version of CounterSpy 1.0. The 1.5 beta turned out to have a scanning error that prevented it from completing the tests, Eckelberry said.

In my opinion, PC Mag should have obtained and tested a copy of CounterSpy 1.0 on its own initiative. The review emphasized that the ten products in the roundup were shipping products, not beta versions. Alternately, the magazine should have mentioned that CounterSpy 1.0 had been excluded because an imperfect beta had been used for testing.

Until apples-to-apples tests of the new ZASuite 6 against CounterSpy and all similar products become available, I'll continue to recommend both Zone Labs' and Sunbelt's software in the Security Baseline. Users should install both applications and let both of them scan a PC's hard drive for malware at separate times.

The only conflict, Eckelberry says, involves real-time antispyware prevention. "It's always a good idea to turn off real-time scanning by more than one," he says.

Asked which one should be turned off, Eckelberry unsurprisingly recommended that CounterSpy's be left on. Referring to a beta of ZASuite 6 that he tested within the past four weeks, "My testing indicated a very high rate of false positives," Eckelberry said. "That's always a problem with these new kinds of databases."

Orbeton declined to comment on which product's real-time scanning should be disabled, if both are installed. "We haven't tested that, to say for sure whether both enabled would work," he said. "Our protection seemed to be more functional or deeper into the system," he added.

Since CounterSpy has taken top honors in reviews by four major computer magazines (listed below), and Spyware Doctor has done so in only one (PC Mag), CounterSpy remains the champ for now. If the majority of trusted reviewers top-rank a new product, the Security Baseline will change to reflect this fact.

The Security Baseline as it stands

Based on the latest published tests, therefore, the four products a PC needs for comprehensive protection against hackers are (1) a Linksys hardware firewall, (2) ZoneAlarm Security Suite 6.0, (3) CounterSpy antispyware, and (4) an update-management tool of your choice. See details below.

FORWARDING INSTRUCTIONS — news gains value when it's shared

Please share this information with your friends

You're encouraged to refer your friends and colleagues to this free newsletter. Because most e-mail programs don't correctly display a formatted message that's been forwarded, simply call people's attention to the permanent Web address of this issue: WindowsSecrets.com/comp/050728.

HERE'S A TIP — you'll get a better newsletter if you choose the paid version

You're reading the free version of the Windows Secrets Newsletter

Subscribers to the paid version receive additional information in each issue. Our expert contributors have packed their premium content with vital info this week:

Paid subscribers can access all old and new paid newsletter content

Make a contribution to support our research into Windows and you'll immediately be able to read and search through scores of valuable articles. In addition, paid subscribers are entitled to download valuable content that we license for you at least once every calendar quarter.

To upgrade, simply make a contribution of any amount you choose

If you do this by Aug. 10, 2005, you'll instantly be sent the full, paid version of today's newsletter. To upgrade to the paid version of Windows Secrets, please visit WindowsSecrets.com/upgrade. Thanks in advance.

WACKY WEB WEEK — playing for you the Internet's greatest bits

USEFUL LINKS — more stuff that's good to know

Picking the best RSS client
It's not too hard to choose a good Web-based reader for RSS, because there are only three major online players. But if you want a reader that runs as an application on your PC, there are dozens to choose from. (By Brian Livingston, Datamation)

Microsoft unveils Windows Vista details
Windows' upcoming 2006 release (formerly code-named Longhorn) is an all-encompassing major upgrade with a new security architecture, a hardware 3D-enabled user interface, and many other new features. (By Paul Thurrott, SuperSite for Windows)

Michigan, Utah impose dreaded e-mail tax
Two states have imposed an e-mail tax, and more states may pass such laws soon. The two states that have enacted these e-mail laws, Michigan and Utah, can potentially collect millions of dollars per year from e-mail senders. (By Brian Livingston, Datamation)

ABOUT YOUR SUBSCRIPTION — we're here to serve you

The Windows Secrets Newsletter (formerly Woody's Windows Watch and Brian's Buzz on Windows) is published twice a month, except for breaks in August and December. The newsletter is published on the Thursday after Microsoft Patch Tuesday (the 2nd Tuesday of each month) and two Thursdays after that. A short "newsletter update" is sometimes published between regular newsletters, if breaking news occurs.

Publisher: WindowsSecrets.com LLC, 300 Queen Anne Ave. N. #456, Seattle, WA 98109 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor: Brian Livingston is the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.

Associate Editor: Paul Thurrott is the author of Windows XP Home Networking and Great Digital Media with Windows XP and the author or coauthor of several other books.

Contributing Editors: Susan Bradley, Mark Burnett, Chris Mosby. Research Director: Vickie Stevens. Program Director: Brent Scheffler.

Trademarks: Windows is a registered trademark of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Index of Reviews, Briefing Session, Windows Patch Watch, Update Management, and Wacky Web Week are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

How to subscribe: Anyone may subscribe to this newsletter by visiting WindowsSecrets.com/info.

Our Ironclad Privacy Guarantee: (1) We will never sell, rent, or give away your address to any outside party, ever; (2) We will never send you any unrequested e-mail, besides newsletter updates; and (3) All unsubscribe requests are always honored immediately, period.

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,

Copyright © 2005 by WindowsSecrets.com LLC. All rights reserved.