Avoid the security risk of shortened URLs

Windows Secrets Newsletter • Issue 266 • 2010-11-25 • Circulation: over 400,000

Table of contents

Introduction: Windows Secrets content goes social!
Top Story: Avoid the security risk of shortened URLs
Patch Watch: Patch Watch leftovers include Outlook fixes
Wacky Web Week: Slippery Thanksgiving turkey wins round one
Bonus: Last chance for Word 2010 Inside Out!

Windows Secrets content goes social!

By Andy Boyd

As some of our readers have already noticed, Windows Secrets is now on Facebook and Twitter. We are starting small but plan to expand our presence on the popular sites in the coming months. We hope to see you there.

Finding us on Facebook and Twitter is easy. Just look for the Facebook and Twitter icons in future columns, or cut and paste these links into your browser:

Facebook: http://www.facebook.com/pages/Windows-Secrets/44445913847

Twitter: http://www.twitter.com/windowssecrets

Now that you’ve been reading Windows Secrets for a while, why not let your friends know what you think about it? Click the link below to send out a preformatted tweet — or send your own creation.

Twitter (requires Twitter sign-in): Windows Secrets: Essential tips & tricks for running Windows, IE, Firefox, and more — weekly. Check it out: http://windowssecrets.com
Andy Boyd is the product manager for Windows Secrets.

Top Story

Avoid the security risk of shortened URLs

By Fred Langa

The compact URLs produced by services such as TinyURL, bit.ly, is.gd, and many others are convenient and save space, but they can also be used to hide the identity of malicious sites.

Fortunately, there are several ways to peek behind a shortened URL to see exactly where the link will take you — before you click it!

In fact, every URL-shortening service I’m aware of offers one or more ways to preview the real destination of a shortened link.

For example, here’s a typical bit.ly URL that I created. All it does is take you to the windowssecrets.com home page, but there’s no way to know that in advance — it’s a blind link:

http://bit.ly/10Sjt

Let’s say that (gasp!) you don’t trust me, so you want to see where the link really goes before you click it.

It’s easy: all you have to do is copy the link, paste it into the address bar of any browser window or tab, and add a plus sign to the end, like this:

http://bit.ly/10Sjt+

Adding a plus sign to the end of any bit.ly URL brings you to a special bit.ly page that shows you information about the link, including the full, expanded URL. Using the information on that bit.ly page, you can decide whether the link is safe and worth following.

TinyURL has a similar option. But instead of adding a plus sign at the end of a link, you prepend the word preview. For example, here’s a regular TinyURL link to the Windows Secrets home page:

http://tinyurl.com/6u5ba

Copy that link into the address bar of your browser and add the word preview:

http://preview.tinyurl.com/6u5ba

Now the link will bring you to a preview page that displays the full, expanded URL. (See Figure 1.)

TinyURL preview feature

Figure 1. Like all the other major URL-shortening services, TinyURL offers an easy way (circled in yellow) to preview the true destination of a shortened link.

TinyURL also offers a cookie-based option that makes previewing automatic for every TinyURL link you click. To set the (harmless!) preview cookie on your PC, click here:

http://tinyurl.com/preview.php?enable=1

All the major URL-shortening services have similar ways of letting you preview what’s behind their URLs. Security researcher Joshua Long has compiled an excellent free guide, “How to preview shortened URLs (TinyURL, bit.ly, is.gd, and more).”

Of course, if you’re checking lots of links, it can be clunky to manually copy, paste, and edit URLs. Several sites offer automated scripts to make things a bit easier. For example, when you encounter a suspicious short URL, you can click to Longurl, ExpandMyURL.com, or Long URL Please.com.

Paste the suspect short URL into these sites’ dialog boxes, and they’ll show you the full, expanded link.

You also can Favorite or Bookmark those sites to further automate the process of link-checking.

Going a step further, Firefox users can install the bit.ly preview add-on (download site) to allow previewing of short URLs without needing to leave the page you’re on. Despite the name, the add-on works for many URL-shorteners — not just bit.ly.

Chrome users can download (page) a similar extension for that browser.

I know of no fully automated preview tools for Internet Explorer, although several URL-shortening apps are available in the Microsoft IE Add-ons Gallery. Just type url into the search bar.

Note that this level of link-checking usually isn’t needed when you’re clicking on normal links from sites and people you know and trust. But it’s smart to be wary of suspicious links or links with unknown provenance.

When in doubt, check it out!

Feedback welcome: Have a question or comment about this story? Post your thoughts, praises, or constructive criticisms in the WS Columns forum.

Fred Langa’s full LangaList Plus column is published weekly in the paid section of the newsletter. A senior editor of the Windows Secrets Newsletter, Fred was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.

Patch Watch

Patch Watch leftovers include Outlook fixes

By Susan Bradley

While most of us in the U.S. are washing up after turkey or tofu, I’m also cleaning up some leftover Patch Watch items.

We’ll undoubtedly have fresh helpings of patches in mid-December. But in the meantime, here are a few that might need your attention.

2412273
Ongoing Outlook printing problem finally fixed

This past September, several Windows Secrets readers complained that the MS10-064 security update broke Outlook 2007 — specifically, their ability to print the end times for Outlook calendar appointments.

This has been an ongoing problem with Microsoft’s e-mail client. As reported in an outlook-tips.net story, a problem of bad text wrapping and lost end times popped up in a July Outlook update containing a flawed hotfix originally released in April.

► What to do: The hotfix in MS Support article 2412273 should squash this nasty bug plus several others. Make sure you have Office 2007 SP2 installed before applying the patch. Clicking the “View and request hotfix downloads” link at the top of the article will take you to the hotfix download page.

2445403
Custom add-ins may crash after Outlook patch

September was apparently a difficult month for Outlook updates. After installing the Outlook 2003 patch described in MS10-064, many users reported that Adobe’s PDFMaker add-in had stopped working. More complaints showed up in Adobe’s support forum. After users removed Microsoft’s patch, the converter worked again.

► What to do: Outlook 2003 users can find more information in Support article 2458807, and they can download a hotfix in MS Support article 2445403.

MS10-079 (2344993)
Word patch leads to e-mail failures

I’m tracking a problem with the patch in MS10-079 (2344993), an MS Word update released in October. I’m getting reports from some Outlook 2007 users that, after the patch is installed, e-mail address formatting is corrupted. Replied or forwarded mail gets changed to “mailto” and, when sent, bounces back. Several folks have commented on this issue in Microsoft’s MS Exchange Server admin forums.

► What to do: If you are not affected by this problem, there’s no need to do anything. But if it does appear, consider uninstalling the update. Microsoft is working on the flaw, and I’ll update you when it’s fixed.

Adobe 9 gets an out-of-cycle fix

Adobe Reader and Acrobat version 9.4 (and earlier) users will soon see an update to version 9.41, which fixes a zero-day attack vulnerability. The patch is rated critical and applies to Windows, Mac, and UNIX systems.

As mentioned in an Adobe blog, the next scheduled round of updates will come next February — unless, of course, another unexpected vulnerability should appear.

► What to do: For more details, see Adobe security bulletin APSB10-28. And when updating, don’t forget to uncheck any toolbar offerings that might come with the update’s installation.

Apple’s iPhone, iPad, and iPod get iFixes

Apple released its much anticipated iOS 4.2 this week, and already there’s lots of chatter on an Apple forum about lost music. After installing the update, some iPad and iPhone users got the scary screen shown in Figure 1. Talk about inducing instant panic!

Lost music after ios update

Figure 1. “No Content” is not what you want to see after updating your iPhone. Fortunately, the fix is usually quick and easy.

► What to do: Stay calm. The solution that worked for me — and many of the folks posting on the forum — is to re-synch your device after installing the update. All of your music should be back as it was before the update. Always make sure you back up your iPhone, iPad, or iPod before adding updates.

Feedback welcome: Have a question or comment about this story? Post your thoughts, praises, or constructive criticisms in the WS Columns forum.

The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley has been named an MVP (Most Valuable Professional) by Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

Wacky Web Week

Slippery Thanksgiving turkey wins round one

By Revia Romberg

Ahhh, Thanksgiving in the U.S.! Outside, the leaves are changing, and we’re starting to feel that holiday spirit. It’s a time of family, friends, and gratitude — and lots of yummy food. For one day, life seems simple and uncomplicated.

Unless, of course, you’re the one hosting Thanksgiving dinner. Cooking the traditional turkey can be a painstaking process — especially if you’re wrestling an enormous bird. Watch as this exasperated cook gets her Thanksgiving feast under way with a thud. Play the video

Bonus

Last chance for Word 2010 Inside Out!

Our free bonus download of Microsoft Word 2010 Inside Out is coming to an end. Katherine Murray’s detailed look at Word 2010 goes beyond the basics — it provides hundreds of expert insights, troubleshooting tips, workarounds, and more.

Exclusively for Windows Secrets subscribers, O’Reilly Media is providing — free — Chapter 1, Spotlight on Microsoft Word 2010. It explores what’s new in Word 2010, how to use the Ribbon, what you need to know about the status bar, plus many other handy tips.

If you want to download this free excerpt, simply visit your preferences page and save any changes; a download link will appear.

All subscribers: Set your preferences and download your bonus
Info on the printed book: O’Reilly’s online store

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period. Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,

Visit our Unsubscribe page.

Table of contents

Top-scoring articles in the past 12 months

Internet Services

Web Development

Digital Marketing

Consumer Tech