For links to every subtopic in this issue, scroll down to the Index

Speed up your computer Run our free Optimize scan to find out how to fine-tune Internet and System settings. Identify clutter from your registry and hard drive. PC Pitstop Optimize can make your computer faster and more stable. www.pcpitstop.com

1Click PC Fix — solve PC problems Are you tired of your computer crashing, slowing down or freezing when you least expect it? Download our free PC health check and instantly solve PC problems with an advanced PC Registry cleaner. www.1ClickPCFix.com

Backup your data with ZipBackup Finally, a backup program that is easy to use. ZipBackup's Wizard makes backups a snap for beginners. Filtering, scheduling and disk spanning make it a powerful tool for experts. For a limited time, Windows Secrets readers receive 25% off. www.zipbackup.com

See your ad here

By Brian Livingston Microsoft's new Internet Explorer 7.0 browser, which was released to the public last week, includes several security improvements but still has weaknesses inherited from IE 6. I'll show you an easy way to "harden" IE 7 so you're protected against hacker threats that haven't even been invented yet.

IE 7 suffers from some IE 6 weaknesses

IE 7 does benefit from some significant updates over IE 6. For example, the so-called Phishing Filter in IE 7 warns you if a page you're about to visit is in a real-time database of hacked sites. (You must turn on this filter for it to work. Hopefully, most users will do so because IE 7 asks for the filter to be enabled the first time you use the new browser.)

Also, IE 7's new Protected Mode, which only works in Windows Vista, will prevent Web sites from modifying system files or settings. I described several of these new features in my Executive Tech column on Oct. 24.

Unfortunately, IE 7 still contains some security weaknesses that were present in IE 6 — and which Microsoft still hasn't fixed in that older browser. The most publicized example since IE 7 went gold is the so-called MHTML hole. This problem allows a hacked site to read information from the window of a different site you're visiting, such as an online banking service.

The respected security firm Secunia published an advisory on Oct. 19 publicizing a free test for the weakness in IE 7. The problem in IE 7 is almost identical to the one described by Secunia in an April 2006 advisory that affects IE 6. (Contributing editor Chris Mosby has more in his column in today's paid newsletter, below, about this and other flaws that IE 7 has inherited from IE 6.)

Neither the IE 6 nor the IE 7 problems are considered severe. Secunia rates them only 2 on a scale of 5 in severity, mainly because a hacker must first get you to visit a rogue Web site before being able to read information from other sites you may visit. You can close the holes in both browser versions by changing Active Content to a setting of Disable in the Security tab of IE's Internet Options dialog box. (See Figure 1.)


Figure 1: You can easily disable active scripting using IE 7's Internet Options dialog box.

But why stop there? If other weaknesses loom in IE 7 — and you can easily close these holes without waiting for a threat to attack you first — why not protect yourself proactively?

Changing IE's profile from weak to strong

I contacted Arie Slob (pronounced "slobe"), a Dutch citizen who lives in Malta but works for a U.S. company named Infinisource. Arie runs Web servers for the company and, more importantly, has analyzed the inner workings of most of IE's Internet Options settings.

After a telephone discussion with me, Arie completed an analysis of IE 7's Internet Options and posted it on Oct. 25. Back in 2004, I used his findings to recommend changes to 19 of the options in IE 6 SP1. (A link is shown at the end of this article.)

Arie told me in a telephone interview that only a couple of IE 6's Internet Options settings had been changed in a more secure direction in IE 7 by Microsoft. He's particularly concerned that, in his words: "There are new settings for XAML and they're all enabled by default."

XAML — Extensible Application Markup Language, pronounced "zammel" —  is a Microsoft-specific technology designed for corporate developers who wish to deliver simple but striking user interfaces, similar in some ways to Flash animations. There's a risk, however, that XAML might some day be used by hackers to deliver infected code to unsuspecting users.

Why would Microsoft enable such technologies by default in IE 7? At Microsoft's Professional Developers' Conferences in recent years, company officials have stated that technologies won't be enabled in Windows by default unless 90% of users would use a technique. (Printing is an example of a technology that should be "on" while macros and other active content should be "off" unless enabled by users or administrators.) Since corporate admins could easily enable XAML companywide using Group Policy, why turn XAML on for all IE 7 users? Why create yet another code monoculture for hackers to take advantage of?

The answer is that XAML is built on Microsoft's Windows Presentation Foundation (WPF), a key feature of .NET Framework 3.0. This technology is aimed at corporate developers who Microsoft wants to build Windows-only applications. Rather than ask these large enterprises to flip a simple switch to enable XAML in IE 7, Microsoft apparently decided that compiled .xaml files should run in the browser by default for every Windows user in the world.

How to configure IE 7 to protect yourself

Just because certain features are enabled in IE 7, that doesn't mean you have to leave them on and expose yourself to rogue examples of such code in the future. Shown below is a concise list of the way Arie recommends that you configure Internet Options in IE 7 to protect your system.

In IE 7, click Tools, Internet Options, and then select the Security tab. With the Internet zone selected, the security level by default should be set to Medium-High. Click the Custom Level button. Set the following choices:

• .NET Framework
  • Loose XAML: Disable
  • XAML browser applications: Disable
  • XPS documents: Disable
  

• ActiveX controls and plug-ins
  • Binary and script behaviors: Disable
  • Run ActiveX controls and plug-ins: Disable
  • Script ActiveX controls marked safe for scripting: Disable
  
  

• Downloads
  • Font download: Disable
  • Enable .NET Framework setup: Disable
  

• Enable .NET Framework setup: Disable
  

• Miscellaneous
  • Allow META REFRESH: Disable
  • Allow Web pages to use restricted protocols for active content: Disable
  • Display mixed content: Disable
  • Drag and drop or copy and paste files: Disable
  • Installation of desktop items: Disable
  • Launching applications and unsafe files: Disable
  • Launching programs and files in an IFRAME: Disable
  • Navigate sub-frames across different domains: Disable
  • Software channel permissions: Maximum Safety
  • Submit non-encrypted form data: Disable
  • Userdata persistence: Disable
  • Web sites in less privileged Web content zone can navigate into this zone: Disable
  

• Scripting
  • Active scripting: Disable
  • Allow programmatic Clipboard access: Disable
  • Scripting of Java applets: Disable
  

Contents  Index

	1. Hardware firewall. For small-office networking, the most affordable secure firewall is the Linksys Wireless-G WRT54GL router (left, about $70 USD street), which offers 802.11g Wi-Fi and also includes four wired Ethernet ports. To cover more than a few adjacent rooms, consider the Linksys WRT54GX ($160), which doubles the usual "g" range. Be sure to enable WPA or WPA2, either of which provide strong Wi-Fi security. The WRT54GL (previously named WRT54G) and the WRT54GX are PC Magazine Editors' Choice winners.
	2. Security suite. ZoneAlarm Internet Security Suite (left, $60 street) has long been rated as the best all-in-one software firewall, antivirus program, and antispam filter — now with antispyware scanning and Windows OS kernel protection. It has Editors' Choice awards from PC Magazine and CNET as well as being rated "the best all-around protection" by Consumer Reports Magazine. (Turn off ZA's real-time spyware protection so this can be handled by your antispyware program, shown below.)
	3. Antispyware program. For individual PC users, the most effective remover of spyware is Webroot Spy Sweeper (left, under $35 per year), according to comparative tests published by PC Magazine and PC World. (Note: PC Mag has also given an Editors' Choice to Encore's PC Tools Spyware Doctor.) For businesses that are looking for a centrally managed solution for 10 or more seats, Webroot's Spy Sweeper Enterprise ($240 per year for 10 users) has won the latest comparative review by Windows IT Pro and was rated a Best Buy by SC Magazine.
	4. Update management. Windows Update and Microsoft Update are no longer recommended. To protect against questionable Microsoft downloads, knowledgeable users should configure Automatic Updates to Notify me but don't automatically download or install. Then read our free and paid newsletters to learn which patches not to select. Home users and small-business networks should deploy critical patches using Shavlik's NetChk Protect (free with registration for one year for up to 10 PCs). The technology has won top honors from Redmond Magazine and SC Magazine. The product is complex, so be sure to read our tutorial and workarounds. For larger businesses, GFI LANguard Network Security Scanner ($495 for 32 machines) is top-rated by WindowSecurity.com and MCSE World. —————— For non-U.S. sources of information on a product reviewed above, enter the model name into a search box at one of the following links: Canada / U.K. / Elsewhere Brian Livingston is the editor of WindowsSecrets.com and the coauthor of Windows Me Secrets and nine other books. The Security Baseline section appears in every issue. It summarizes the top ratings of trusted reviewers in four categories of products that every PC needs for protection against threats.

Contents  Index

	Woody Leonhard / Woody's Windows. You get a pointed look at Microsoft's operating system through our guru's flat screen:   • Top timesaving tips in IE 7 and Firefox 2   • The best tweaks for your tabs   • Some old and new tricks in both browsers   • How to customize things in Firefox 2
	Chris Mosby / Over the Horizon. The steps you need to take NOW to protect yourself, because patches aren't yet available for some known threats:   • Old flaws still plague Internet Explorer   • Redirection flaw in IE 6 and 7 discloses information   • Pop-up spoofing inherited in IE 7 from IE 6   • IE frames can still be injected
	Susan Bradley / Patch Watch. We tell you which official patches have problems and, more importantly, how you can work around them:   • Patches have problems as IE 7 seeks deployment   • .NET patch has some issues installing   • Hotfix stops Microsoft Update's 100% CPU usage   • Remove IE 7 before repairing XP SP2
	Ryan Russell / Perimeter Scan. How you can use free or commercial software to automate patching and upgrading, whether you're responsible for 5 PCs or 50,000:   • Do you have HIPS in your future?   • What is HIPS?   • How code execution prevention works   • A brief survey of HIPS products

Contents  Index

Contents  Index

Contents  Index

Microsoft thinks that hiring an attractive woman in a low-cut top is a good way to get you to try its Live.com search engine. So far, it seems to be working. The actress who plays "MSDewey.com" is Janina Gavankar, a mixture of Indian and Dutch ancestry. Besides taping riffs for various search terms — in clips directed by the music-video shop Sausage Films — she also plays the Papi character on The L Word, a program on U.S. cable channel Showtime. The service has only been up for a week, but there's already a page of insider photos on Flickr showing, for example, a technician handing over props and so forth. Standing in front of a stylized Seattle skyline, your hostess responds amusingly to queries like microsoft, bill gates, xbox 360, channel 9, and boxing. If you search on bondage, she pulls out a whip from under her anchor desk. (One blogger claimed that the whip segment had been killed after the first day, but in fact there are several different scenes that are rotated for certain queries.) Since videos are constantly running, searches are slower than molasses. But with distractions like this, you may not care. Try a search

Contents  Index

Contents  Index

• Visit our Unsubscribe page.
  

Contents  Index