By Brian Livingston Numerous Windows geeks and I have brought you a lot of secrets since I first started publishing an e-mail newsletter called “Brian’s Buzz on Windows” back in February 2003.
After switching to, ahem, a better name (Windows Secrets) — and merging the old newsletter with Woody Leonhard’s in 2004, Fred Langa’s in 2006, and Gizmo Richards’s in 2008 — we’ve put out 200 newsletters, and now we’re celebrating by giving away for free my $9.95 antispam e-book, newly revised.
Insider tips, how-tos, best security practices, and more
Subscribe to Windows Secrets — free!
The Windows Secrets Newsletter brings you essential tricks for running Windows XP, Vista, 7, Internet Explorer, Firefox, Windows Update, and more — weekly, free.
Bonus: get this free download when you subscribe
Interested in Windows 8 but don't know where to start? You have a friendly guide in My Windows 8 Consumer Preview: A Sneak Peek at the Windows 8 Public Beta, by Katherine Murray. This month, all subscribers can download Chapter 1 and Chapter 5. In this excerpt you will learn about the new look of Windows 8, how to make things happen in it, how to use the apps that come with it, and how to get more apps.
We guarantee your privacy: We will never sell, rent, or give away your address to any outside party, ever. We will never send you any unrequested e-mail. Unsubscribe requests are honored within one business day. Privacy Policy
Actually, “revised” is stretching it. Spam-Proof Your E-Mail Address, 3rd Edition (photo, left) has been tweaked to bring some references up-to-date and add a new color cover. But there’s just a single important change to the book’s recommendations: one very useful free service bounced around among Web sites, and the service’s new name and URL needed to be edited in throughout.As most Windows Secrets readers know by now, spammers use “harvester bots” to scrape e-mail addresses from Web sites. My e-book, based on studies by nonprofit research organizations, shows you how easy it is to protect your e-mail address inside images and encoded scripts whenever you really need to post your contact information.
The most useful free service I know of for encoding e-mail addresses into Web-friendly (but not harvester-friendly) scripts is Hivelogic’s Enkoder Form. I want all readers to have Enkoder’s new URL:
http://hivelogic.com/enkoder/form
From now through July 1, every Windows Secrets subscriber can download my revised e-book for free. To get yours, simply use the following link to visit your preferences page, make sure the information there is up-to-date, and a download link will subsequently appear:
All subscribers: Set your preferences and download your bonus
Thanks for your support — we promise to keep digging up more secrets for you in the years to come.
MS uses patch channel to install Firefox add-on
It’s been widely blogged that Microsoft can silently add an extension to Firefox when users install .NET Framework 3.5 Service Pack 1 and certain other updates. Readers asked us about this last week because of a May 29 article by Brian Krebs of the Washington Post.
I enjoy Krebs’s writing, but in this case he was apologizing for telling his readers earlier this year to install the .NET service pack. He didn’t realize until later that Microsoft’s Assistant 1.0 extension exposes Firefox to any .NET security holes that may be discovered. Even worse, Microsoft wrote the add-in in such a way that its Uninstall button was grayed out and unusable in Firefox.
WS contributing editor Susan Bradley warned our paying subscribers on Feb. 5 and Feb. 12 not to install .NET 3.5 SP1 (and explained, if need be, how to uninstall it). I tip my hat to her excellent advice.
No holes currently affect the latest .NET software, according to Secunia.com’s .NET Framework 3.x advisory and Assistant 1.x advisory. But the security firm published in 2006, 2007, and 2008 four security warnings about flaws in the earlier .NET Framework 2.x. The most severe hole was rated “highly critical.” A weakness that’s currently undiscovered in .NET Framework 3.x might be exploited in the future.
The extension that MS adds to Firefox implements a technology called ClickOnce. It allows .NET apps to be downloaded and executed within browsers other than Internet Explorer. Unfortunately, this technology can also allow hacked Web sites to infect PCs.
Many Windows Secrets readers use Firefox because it suffers from fewer security holes than IE — and most people don’t need .NET features — so I’m publishing in my free column today the following steps to remove Assistant 1.0 from Firefox:
Step 1. Check whether the .NET Framework Assistant is installed. You may or may not have Assistant 1.0, even if you installed .NET Framework 3.5 SP1, so check this first. In Firefox, pull down the Tools menu and select Add-ons. In the Add-ons dialog box that appears (as shown in Figure 1), if you don’t see .NET Framework Assistant, the add-on is not installed. In that case, you don’t need to do anything further (except close the dialog box).
Figure 1. The Uninstall button is grayed out and unusable due to the way Microsoft implemented the original version of Assistant 1.0.
Step 2. Remove or disable the add-on. If you do find the extension, I recommend that you remove it to reduce your vulnerability to possible security flaws. Choose one of the options shown below.
• Best option: Install the Microsoft fix. On May 6, with little publicity, Microsoft posted an update for .NET Framework 3.5 SP1. Installing this update enables Firefox’s Uninstall button for the add-on. To install the official update, visit Microsoft’s download page.
• Another option: Temporarily disable the extension. Using the Add-ons dialog box to disable the extension prevents it from running and protects Firefox from potential security flaws. You might disable the extension instead of uninstalling it if your company insists that you use Firefox to run a .NET app, but you don’t wish to be vulnerable when visiting random Web sites. To disable Assistant 1.0 (or any Firefox extension), pull down Firefox’s Tools menu and select Add-ons. In the Add-ons dialog box that appears, select the unwanted extension and click the Disable button. Close the dialog box.
• Not recommended: Edit the Registry. Before Microsoft’s official patch was released, several sites published a procedure to manually delete entries from the Windows Registry to disable the Firefox extension. I don’t recommend this, because it’s easier and safer to use the options shown above. But if you need the full details, .NET Framework product unit manager Brad Abrams posted the Registry procedure in an MSDN blog entry.
Step 3. Install the third-party extension FFClickOnce, but only if necessary. If you really need ClickOnce functionality in Firefox, consider installing FFClickOnce, a Mozilla-approved extension developed by James Dobson. This third-party extension poses some of the same risks as Microsoft’s add-on. But at least Dobson’s extension prevents downloaded apps from running without first making the user click OK twice. For more info, see Dobson’s SoftwarePunk site and the extension’s Mozilla Add-ons page.
That’s it. More information on .NET problems — and what to install and not install — will appear in future columns by Susan and our other contributors.
Write 50 words and enter to win 1,000 pages
From April 16 to May 6, Windows Secrets offered subscribers an exclusive bonus: a free download of “The Final Chapter,” the thrilling conclusion to Stealing the Network, a book that hadn’t yet shipped. The new hardcover volume is a collection of four previous books describing fictional high-tech security capers.
Now its publisher, Syngress (an imprint of Elsevier), is promising to send copies of the 1,000-page book — complete with a DVD of author interviews — free to 10 lucky Windows Secrets readers.If you were one of the thousands who downloaded “The Final Chapter” and you’d like the whole book for free, e-mail a 50-word review of the chapter to info (at) syngress.com. The publisher will display some of the reviews on its site and select 10 winners at random to receive the hardcover collector’s edition. (By entering the contest, you agree to allow Syngress to e-mail you.)
If you’d simply like to buy the collection, Syngress is also offering Windows Secrets readers a 20% discount — a U.S. $18 savings off the $90 list price. Enter the promotional code secrets at ElsevierDirect.com. (At the site, you may select one of nine fulfillment centers around the world.) Or use the company’s special Stealing the Network link, and the promotional code will be entered for you. Offer expires July 15, 2009.
Here’s an even-better price break: anyone can get approximately 37% off the list price — a $33 savings — at Amazon.com. More info: United States / Canada / Elsewhere.
Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.
Related posts:
