Windows Secrets Newsletter • Issue 120 • 2007-08-16 • Circulation: over 270,000
   
     
Contents
INTRODUCTION: Next issue Sept. 6 — take a break!
TOP STORY: Media players more dangerous than Windows
KNOWN ISSUES: Restrict application privileges for greater security
WACKY WEB WEEK: Is there a movie idea on your Start Menu?
WOODY'S WINDOWS: Here's the real Start Menu entry
PC TUNE-UP: How to get private, anonymous Web surfing
OVER THE HORIZON: Internet Explorer flaw exposes FTP credentials
PATCH WATCH: Malware cocktails sure to hit unpatched PCs
YOUR SUBSCRIPTION: How to change your address or unsubscribe

   
   

   
INTRODUCTION

Next issue Sept. 6 — take a break!

By Brian Livingston

Like a lot of people, we need a week or two off in the summer to recharge our batteries and then come back to work rejuvenated.

That's why our next newsletter won't appear until Sept. 6. If any important developments occur that can't wait, we'll send you a brief "news update" to let you know.

Fred Langa returns on Sept. 27

Our editor-at-large, Fred Langa (in helmet at left), takes his vacations the hard way. He's spent the entire summer riding his motorcycle around the U.S. and Canada, visiting Windows Secrets readers who won a personal Housecall from the Great One. I announced the contest in the Apr. 19 newsletter, and listed the winners on June 7.

Fred has finished his visits now and is busily writing a series of columns about the problems our readers had and what the solutions were. In addition, he learned many lessons in his travels that didn't necessarily involve cleaning up a PC. (Like what it takes to ride a cycle more than 6,000 miles.)

Fred's new series of columns will start in our Sept. 27 newsletter. Until then, enjoy the rest of your summer! (In the southern hemisphere, have a great winter instead.)

Brian Livingston is editorial director of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books.

   
TOP STORY

Media players more dangerous than Windows

By Scott Dunn

Windows users face the greatest security risks today not from flaws in Windows itself but from unpatched media players.

That's because many Windows Secrets readers, according to an online test we sponsored, are running versions of Flash, Java, and QuickTime that are unpatched against the latest security threats.

Readers' systems are rife with outdated add-ons

In two of our recent issues, subscribers to the paid version of the Windows Secrets Newsletter were asked to scan their computers using the Software Inspector, a service of Secunia.com. The scan reveals versions of Windows and builds of applications that have security flaws for which a vendor patch is available.

Contributing editor Ryan Russell, whose columns appeared in the July 26 and Aug. 9 issues of the newsletter, described how we affiliated with Secunia.com, a respected security firm that conducts the tests. We've found that Secunia's service provides such important information that we want all of our free subscribers to take the test as well. A link to the test is provided near the end of this article.

The tests of our paid subscribers showed which applications are the most likely to be installed but unpatched on users' PCs. In the following list, number 1 represents the unpatched application that was found on the greatest number of readers' machines, with higher numbers representing fewer machines:

1. Adobe Flash Player 9.x
2. Sun Java JRE 1.6.x/6.x
3. Macromedia Flash Player 6.x
4. Macromedia Flash Player 8.x
5. Macromedia Flash Player 7.x
6. Apple QuickTime 7.x
7. Macromedia Flash Player 5.x
8. Mozilla Firefox 2.0.x
9. Macromedia Flash Player 4.x
10. Adobe Reader 7.x


All of these applications are media players, browser plug-ins that play media files, or a browser itself (i.e., Firefox). All of these programs can be attacked across the Internet — for example, if you play an infected Flash video you find on a Web site or that you received via e-mail. Consequently, using an older version of any of these programs poses a real security risk.

Indeed, it isn't hard to find reports of security holes for any of these applications. Numerous public advisories describe serious flaws in Adobe Flash Player, Sun Java, Apple QuickTime, Mozilla Firefox, and Adobe Reader — all of which should be updated at least monthly by users. I found warnings about these five programs from, respectively, US-CERT, Australia CERT, Apple, Mozilla, and Adobe.

Windows Secrets readers appear to be conscientious about keeping Windows itself patched. No version of Windows appeared in any of the top 10 lists that Secunia provided to us. Perhaps because of this, hackers have turned to applications that allow Trojan horses to silently infect PCs. Now we all need to learn to keep our add-ins updated, too.

Keep your Web tools up to date

Fortunately, all of the applications mentioned above support automatic updating. In addition, they allow you to choose to update them manually, if you prefer to run monthly updates on your own. Here are the steps to take to update each program:

To update Adobe Flash Player:

The update settings for Adobe Flash Player are stored on your computer but are accessed via the Web.

Step 1. Launch a Web browser and navigate to the Global Notification panel of the Settings Manager using this Macromedia link.

Step 2. Use the checkbox to turn automatic updating on (checked) or off (unchecked). Configure the drop-down list to determine how frequently the program will check for updates.

If you prefer to update the Flash Player manually, you'll need to visit Adobe's download page periodically.

To update Sun Java:

Step 1. In the Windows Control Panel, launch the Java applet. You can also right-click the Java icon in the Taskbar tray and choose Open Control Panel.

Step 2. Click the Update tab. Use the controls there to customize the update notification. Click OK.

If you prefer to update Java manually, uncheck the box for automatic updating. Then return to this dialog box periodically and click Update Now at the bottom of the Update tab.

To update Apple QuickTime:

Step 1. In the Windows Control Panel, launch the QuickTime applet. You can also right-click the QuickTime icon in the Taskbar tray and choose QuickTime Preferences or Check for QuickTime Updates.

Step 2. If necessary, click the Update tab. Use the checkbox to determine whether the software checks for updates automatically. Click OK.

If you prefer to update QuickTime manually, uncheck the box for automatic updating. Then return to this dialog box periodically and click the Update button. If an update is found, click OK to proceed.

To update Mozilla Firefox:

Step 1. In Firefox, choose Tools, Options.

Step 2. Click the Update tab. Use the Firefox checkbox to set your preference for automatic updating. When checked, it enables additional options for customizing how updates occur. Click OK.

If you prefer to update Firefox manually, uncheck the Firefox box in this dialog box. Then periodically choose Help, Check for Updates.

To update Adobe Reader:

Step 1. In Adobe Reader, choose Help, Check for Updates.

Step 2. If the dialog title reads simply "Adobe Updater," click Preferences.

Step 3. Use the controls in the Adobe Updater Preferences dialog box to customize update notification. Click OK.

Use the Software Inspector on your own PC

Now it's time to check your own system using the free Software Inspector at Secunia.com. This online utility requires Java to run, so you should use the Java update procedure described above to make sure you have the latest version of Java before proceeding.

If you use the special link shown here, Secunia.com will provide the Windows Secrets Newsletter with aggregate information about which applications are the most nonupdated among our free readers. We'll publish the results in a future issue. However, Secunia.com does not ask for and will not provide us with any personal information whatsoever.

Use this link to test your PC with Software Inspector

What it does: This scan will find software (including the operating system) with known security flaws for which patches exist. The on-screen report lists your updated apps (with a green checkmark) and nonupdated apps (with a red X). If you have multiple copies of a single application installed, the report will list each version. Click the "+" icon to the left of each item for more information, including the specific path to each file.

What it doesn't do: Software Inspector does not flag applications for which no update exists. Consequently, you may still have applications with security holes that aren't mentioned in the report. In addition, the program can't detect any workarounds you may have put in place to avoid security problems with existing applications.

What should you do if the scan finds multiple versions of software? That depends. Sometimes older versions represent a security risk to your system. But in some cases (such as Java), you may need an older version to keep other application software running properly.

Before doing anything, make a backup of your system, or at least create a restore point using System Restore. (To do this in XP and later, choose Start, All Programs, Accessories, System Tools, System Restore, and follow the instructions there.) That gives you a chance to get back to your former state if removing old software causes problems.

Secunia's Software Inspector is especially valuable for those of us who prefer to use manual updating, rather than letting programs check and download patches automatically. The scan not only tells you what updates to look for, but it checks all your software in a single step without having to use each application's update feature one at a time.

Your most difficult task will be remembering to use Software Inspector periodically. To automate that chore, click the reminder service link on the Software Inspector page. This will send you an e-mail notification every time a new update or version is available.

It's disturbing that, even when Windows is fully patched, our application software can represent an even greater vulnerability. To reduce your risk, consider running Software Inspector once a month, just after you've installed the Windows patches that Microsoft typically releases on Patch Tuesday (the 2nd Tuesday of the month).
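
A local cross-check to go with the online scan, added here as an example (it is not part of the original article and not Secunia's tool): this PowerShell script lists every registered copy of the add-ons named above and marks products that have more than one version installed. The display-name patterns are assumptions about how these products appear in Add or Remove Programs.

```powershell
# Added example: inventory the add-ons named in the article from the
# registry Uninstall keys. It reports versions only; it does not know
# which version is the vendor's latest.

# Assumed display-name patterns; adjust to what your machine shows.
$patterns = [ordered]@{
    'Flash Player' = @('*Flash Player*')
    'Java'         = @('Java*', 'J2SE Runtime Environment*')
    'QuickTime'    = @('*QuickTime*')
    'Firefox'      = @('*Firefox*')
    'Adobe Reader' = @('Adobe Reader*', 'Adobe Acrobat Reader*')
}

# Per-machine (native and 32-bit-on-64-bit) and per-user install records.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AddOnInventory {
    param(
        [System.Collections.IDictionary]$Patterns,
        [string[]]$KeyPath
    )

    # Entries without a DisplayName are patches or components; skip them.
    $installed = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }

    foreach ($product in $Patterns.Keys) {
        $hits = @($installed | Where-Object {
            $name = $_.DisplayName
            @($Patterns[$product] | Where-Object { $name -like $_ }).Count -gt 0
        })

        foreach ($hit in $hits) {
            [pscustomobject]@{
                Product         = $product
                DisplayName     = $hit.DisplayName
                Version         = $hit.DisplayVersion
                InstallLocation = $hit.InstallLocation
                # True when several versions of the same product coexist,
                # the situation the article says to review case by case.
                SideBySide      = ($hits.Count -gt 1)
            }
        }
    }
}

Get-AddOnInventory -Patterns $patterns -KeyPath $uninstallKeys |
    Sort-Object Product, Version |
    Format-Table Product, DisplayName, Version, SideBySide -AutoSize
```

Copies that were installed without an Uninstall entry, such as some browser plug-in files, will not appear here, so treat the output as a supplement to the scan rather than a replacement for it.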

Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.


   
   
KNOWN ISSUES

Restrict application privileges for greater security

By Scott Dunn

In recent columns, including in the Aug. 9 issue, I've told you how to limit user and application permissions in XP for greater security.

Our readers have responded with their own questions and suggestions on running programs with greater or fewer privileges.

Use PsExec with nonstandard Office shortcuts

In my Aug. 9 article, I explained how to use the free PsExec utility to run applications in a low-privilege state even when you're logged in as an administrator. But reader Tim McGowan ran into a problem when he tried to customize his shortcuts to Microsoft Office:
  • "In Windows XP Home SP2, I was trying to modify the shortcuts for Word 2000 and Excel Viewer 2003. These two shortcuts don't have a path that can be copied. It's grayed out, and it lists only the application name: Microsoft Word 2000 SR-1 and Microsoft Office Excel Viewer 2003, respectively."

    "I tried using PSExec to launch the *.lnk file that starts these programs, but the utility is designed to run executables, not shortcuts. Can you write a follow-up piece, showing us how to obtain paths for these shortcuts?"

No problem, Tim. Although Microsoft Office uses nonstandard shortcuts to launch programs from the Start menu, you can create the more conventional kind if you know the right .exe file.

First, find the folder where you installed Office. A common place to look is:

C:\Programs\Microsoft Office\Office

If necessary, you can search for winword.exe, the executable for pretty much any version of Word for Windows.

Once you've found the right .exe file, use the right-mouse button to drag it to your desktop or your desired Start Menu location. When you release the mouse button, choose Create Shortcuts Here. You can right-click this new shortcut and choose Properties to edit its command line (for use with PsExec), modify the icon, and so on.
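
The same steps scripted in PowerShell, as an added example rather than code from the newsletter: it locates winword.exe and creates a conventional desktop shortcut that launches it through PsExec with the -l (run as limited user) and -d (don't wait for the process) switches. The PsExec location, search roots and shortcut name are assumptions.

```powershell
# Added example: build a conventional shortcut that starts an Office
# program through PsExec in a low-privilege state.
function New-LimitedShortcut {
    param(
        [string]$ExeName      = 'winword.exe',
        # Assumed location. Keep PsExec in a folder that standard users
        # cannot write to, or the shortcut's target could be replaced.
        [string]$PsExecPath   = 'C:\Tools\PsExec.exe',
        # Assumed search roots; add your Office folder if it lives elsewhere.
        [string[]]$SearchRoot = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [string]$ShortcutName = 'Word (limited).lnk'
    )

    if (-not (Test-Path -LiteralPath $PsExecPath)) {
        throw "PsExec not found at $PsExecPath"
    }

    # Drop roots that do not exist (for example, no x86 folder on 32-bit Windows).
    $roots = @($SearchRoot | Where-Object { $_ -and (Test-Path -LiteralPath $_) })
    if ($roots.Count -eq 0) { throw 'No valid search root supplied' }

    $target = Get-ChildItem -Path $roots -Filter $ExeName -Recurse -File `
                  -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $target) { throw "$ExeName not found under: $($roots -join ', ')" }

    $desktop = [Environment]::GetFolderPath('Desktop')
    $lnkPath = Join-Path $desktop $ShortcutName

    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath       = $PsExecPath
    # Quote the executable path because it normally contains spaces.
    $lnk.Arguments        = '-l -d "{0}"' -f $target.FullName
    $lnk.WorkingDirectory = $target.DirectoryName
    $lnk.IconLocation     = '{0},0' -f $target.FullName   # keep the Word icon
    $lnk.WindowStyle      = 7                             # minimise the PsExec console
    $lnk.Save()

    # Read the saved file back so the command line can be checked.
    $saved = $shell.CreateShortcut($lnkPath)
    [pscustomobject]@{
        Shortcut  = $lnkPath
        Target    = $saved.TargetPath
        Arguments = $saved.Arguments
    }
}

New-LimitedShortcut | Format-List
```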

Advanced tools solve permissions issues

The Aug. 2 issue explained how to run XP as a standard user as a security precaution to limit the access that most programs have to your system. If you encounter problems running applications in such an account, you may find reader Alan Kobb's advice useful:
  • "Since most of the users in my company run as non-admin, occasionally you come across a mission-critical legacy program that only works as an administrator. I have two tools that I use to fix that.

    "First is a program from Aaron Margosis called LUA BugLight. Aaron works with Microsoft Consulting Services and wrote this program to help you determine why a program won't run as a non-administrator. Most of the time, a simple tweak of file or registry key permissions is all that it takes to run a program as a non-administrator. This program, along with hints on his blog, tells you how.

    "Another useful program is called CPAU from a Web site called Joeware.net. The developer, Joe, is a Microsoft MVP who has written a ton of useful utilities (Joeware) such as this one.

    "On the surface, CPAU is simply a clone of the Run As command. But behind that is a lot of functionality. For example, for the occasional program that cannot run under a non-administrator account, you can use CPAU to embed an encrypted user ID and password in a file along with a command to start up the program. Running CPAU and specifying that file will start the program as an administrator, without the user having to know an administrative password."

Thanks, Alan! Both of these programs are for the serious system administrator. As such, neither is particularly user friendly, especially CPAU, which is entirely command-line based (i.e., no graphical user interface). But if you're having problems running a program in your low-privileged account, these tools may prove useful.

More information on CPAU is found in today's column by Mark Edwards in the paid section of the newsletter.

Details on encrypting files on flash drives

In the Aug. 2 issue, I told readers they could use the freeware tool TrueCrypt to encrypt data on a flash drive. However, reader John Aspinall points out some important details:
  • "The recommended TrueCrypt used in 'traveler mode' still requires administrator privileges, unless TrueCrypt is installed on the PC on which the flash drive is being used.

    "However, a utility by Yap Chun Wei named TCExplorer overcomes this issue. TCExplorer is portable software to import, export, delete, and rename files in TrueCrypt containers and works very well if used in conjunction with a shredder such as Cybershredder or UltraShredder (I prefer the former).

    "The process is very simple; you explore the TrueCrypt volume on the flash drive and drag the required file to free space on the flash drive, where it can be worked on as required. On completion, you drag the file back to the TCExplorer window, encrypting it when the volume is closed. Then shred the copy of the file on the unencrypted portion of the flash drive using your preferred shredder utility. All the software is free."

Thanks for the information! As John implies, removing encryption from a sensitive file and working on it using a public or other non-secure computer involves risks. John's solution is to use freeware to "shred" (delete in an unrecoverable way) the work copy after it has been saved and copied back to the encrypted container.

Both Cybershredder and UltraShredder can be run from a flash drive. You can find TCExplorer at the CodeProject site.

Readers McGowan, Kobb, and Aspinall will receive gift certificates for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.


   
   
TELL A FRIEND

How you can share this information

We love it when you send your friends links to our articles. But please don't forward your copy of our e-mail newsletter to people, which subjects us to spam complaints. Instead, simply suggest that your friends visit this issue's permanent Web address, shown below. A complete index at the bottom of the Web page provides you with hyperlinks to any article you'd like to recommend.

The address of this issue is http://WindowsSecrets.com/comp/070816

   
   
   
WACKY WEB WEEK

Is there a movie idea on your Start Menu?

Where does Hollywood get its ideas for those summer blockbusters? Producers don't just borrow from novels, plays, TV, and comic books, but also from major computer games like Tomb Raider, Mario Brothers, Wing Commander, and Doom.

But what about the little computer games that come free with Windows, the ones millions of people enjoy every day? The folks at CollegeHumor.com found some inspiration there and crafted a hilarious trailer for Minesweeper: The Movie.

   
YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, plus the week of Thanksgiving and the last two weeks of August and December.

Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial Director: Brian Livingston. Editor-at-Large: Fred Langa. Associate Editor: Scott Dunn. Contributing Editors: Susan Bradley, Mark Edwards, Woody Leonhard, Chris Mosby, Ryan Russell. Research Director: Vickie Stevens. Program Director: Brent Scheffler.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2007 by WindowsSecrets.com LLC. All rights reserved.
