Windows Secrets

Windows Secrets Newsletter • Issue 214 • 2009-09-17 • Circulation: over 400,000


Table of contents 
  • Bonus: Learn Windows 7 by pictures, not words
  • Top Story: Control ill-behaved apps with DEP in IE
  • Known Issues: Some keyloggers can read the Clipboard, too
  • Wacky Web Week: Humans will eat almost anything … if it’s pizza
  • LangaList Plus: Best way to clean a PC with multiple accounts
  • Best Software: What to do when a program installation fails
  • Perimeter Scan: Success in digging malware from my own back yard

 
Bonus

Learn Windows 7 by pictures, not words

This month’s bonus is a two-chapter excerpt from Teach Yourself Visually Microsoft Windows 7 by Paul McFedries. The book uses illustrations and screen shots instead of straight text to help make the transition to Windows 7 easier than ever for computer users. The printed volume isn’t yet available in most stores. But all paid subscribers can receive our exclusive download now through Sept. 23.

Free subscribers can get the bonus by upgrading to paid. You’ll see a download link afterwards. Paid subscribers can simply visit their preferences page, save any changes, and see the download link. Thanks for your support! —Brian Livingston, editorial director

Free subscribers: Upgrade to paid and get the bonus
Paid subscribers: Set your preferences and then download
Info on the printed book: United States / Canada / Elsewhere


 
Top Story

Control ill-behaved apps with DEP in IE

By Susan Bradley

Internet Explorer 8 includes a security feature that shuts down misbehaving applications before they can harm your system.

This capability, known as Data Execution Prevention (DEP), runs by default when IE 8 is installed on XP SP3 and Vista SP1 or later, but it may not always be clear to you why DEP has put the brakes on one of your PC’s applications.

DEP is the best reason I know for updating to Internet Explorer 8 and Vista SP1. For many years, Microsoft has included DEP — which is also called No-Execute (NX) — only in parts of Windows. For example, DEP is available in IE 7 but is off by default to avoid conflicts with old, incompatible programs.

DEP is now a key part of Vista and Internet Explorer 8. When I try to install older software on newer machines, I must configure Data Execution Prevention to allow the software installer to run with DEP disabled. (See Figure 1.)

Figure 1. You can configure Data Execution Prevention to create an exception for an application.

To open the Data Execution Prevention dialog in XP, open Control Panel, choose System, and then select the Advanced tab. Click the Settings button in the Performance section and select the Data Execution Prevention tab. In Vista, choose Performance Information and Tools, click Advanced Tools in the left pane, select Adjust the appearance and performance of Windows, and click the Data Execution Prevention tab.

For instance, when I install QuickBooks 2007 on Windows Server 2008, I have to add the QuickBooks updating tool to the exclusion list on the DEP tab in order to install it on the server.

Keep in mind that the only reason I’m doing so is because I trust Intuit, the publisher of QuickBooks. If I didn’t change the settings, DEP would prevent me from installing an older version of this software on the newer system.

If I didn’t already trust the vendor, I’d look for valid reasons why DEP was blocking the installation before I took the step of changing any DEP settings. In most instances, good, up-to-date software shouldn’t need to be excluded from DEP.

DEP helps block malware in Internet Explorer

Since IE 7, Microsoft has used DEP to help thwart online attacks in the browser itself. What the company didn’t do until IE 8, though, was to enable DEP by default.

Prior to IE 8, DEP was disabled by default for compatibility reasons, as documented on the IE blog. Many older IE add-ons were built using earlier versions of the Active Template Libraries (ATL). They aren’t compatible with DEP, therefore, and crash when IE loads them.

When DEP is enabled and combined with Address Space Layout Randomization (ASLR), IE’s ability to protect against Web-based attacks improves considerably. In a nutshell, ASLR is designed to make it harder for automatic attacks to occur. You can read more about ASLR in the MSDN blog.

Specifically, ASLR helps prevent exploits both in IE and in any add-ons that are loaded. Even with the new security protections in IE 7 and 8, the browser is still targeted more often by malware authors than other browsers. This has caused security pundits to state, as Wired’s Brian X. Chen does on the Gadget Lab blog, that Apple’s new Snow Leopard operating system is “less secure than Windows, but safer.”

(If you use Snow Leopard, I encourage you to update your system to OS X version 10.6.1. This includes a patch for the insecure Adobe Flash Player that Snow Leopard shipped with, as documented in an Apple security update.)

There are many protections built into Internet Explorer 8 that may be considered just another annoying browser crash when seen in action. (See Figure 2.)

Figure 2. When DEP prevents bad code from executing in IE, it closes the browser and pops up an alert.

Unfortunately, it’s not always obvious that IE is actually protecting you when in fact it is.

Find the source of DEP-related browser crashes

Some PC support sites, such as the Tech Support Forum, recommend that you disable DEP to prevent it from closing IE whenever an unauthorized memory access is detected. However, once you understand why the browser is shutting down, it becomes clear why disabling DEP is a bad idea.

Generally, DEP errors in IE are due to an add-on, a hardware conflict, or a corrupted IE installation. If DEP continually shuts down IE on your system, find the cause of the failures instead of disabling DEP. For example, there are reports that stealthy toolbars from the Chinese search engine Baidu are the source of many DEP closures.

If DEP is closing IE 8 on a regular basis, first try opening the browser with all add-ons disabled. To do so, click Start, All Programs, Accessories, System Tools, Internet Explorer (No Add-ons).

If the DEP closures stop, this indicates that an add-on is causing the problem. Disable each add-on and then enable them one by one until the crashes return. At that time, you’ve found the culprit.

To review which processes have DEP enabled by default, press Ctrl+Alt+Del and click Start Task Manager. Click the Processes tab, select View, and choose Select Columns. Scroll to the bottom of the resulting dialog box, check the Data Execution Prevention option, and click OK.

UPDATE 2009-09-22: The instructions for viewing the Data Execution Prevention column under Task Manager’s Processes tab apply only to Vista, not to XP.

A new column appears in the Processes window that shows which processes on your PC are natively protected by DEP. The more processes for which DEP is enabled, the better your system is protected from buffer overflows and the other memory-related vulnerabilities DEP shields you from.
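
The same per-process view can be produced from a script, which also works where the Task Manager column is unavailable. The PowerShell below is an added example, not part of the original article: it reads the system-wide DEP policy from WMI and calls the Windows API GetProcessDEPPolicy for every running process. It assumes PowerShell 3.0 or later and an elevated prompt; the helper class name DepQuery and its Status method are made up for this example.

```powershell
# Added example: report the system DEP policy and the DEP status of each process.
# DepQuery/Status are hypothetical helper names; the Win32 calls are real.
if (-not ('DepQuery' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class DepQuery
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint PROCESS_DEP_ENABLE = 0x1;
    const int ERROR_NOT_SUPPORTED = 50;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetProcessDEPPolicy(IntPtr process, out uint flags, out bool permanent);

    // Returns a short DEP status string for one process ID.
    public static string Status(int pid)
    {
        IntPtr h = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (h == IntPtr.Zero) return "Unknown (cannot open process)";
        try
        {
            uint flags;
            bool permanent;
            if (GetProcessDEPPolicy(h, out flags, out permanent))
            {
                if ((flags & PROCESS_DEP_ENABLE) == 0) return "Disabled";
                return permanent ? "Enabled (permanent)" : "Enabled";
            }
            // The API covers 32-bit processes only; 64-bit processes
            // always run with DEP and cannot turn it off.
            return Marshal.GetLastWin32Error() == ERROR_NOT_SUPPORTED
                ? "Enabled (64-bit, always on)"
                : "Unknown (query failed)";
        }
        finally { CloseHandle(h); }
    }
}
'@
}

# System-wide policy: the setting behind the Data Execution Prevention tab.
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
'System DEP policy: {0}' -f $policyNames[$policy]

# Per-process status: the scripted equivalent of the Task Manager column.
Get-Process |
    Select-Object Name, Id, @{ Name = 'DEP'; Expression = { [DepQuery]::Status($_.Id) } } |
    Sort-Object DEP, Name |
    Format-Table -AutoSize
```

Processes reported as Disabled are the ones worth checking against the exceptions configured on the Data Execution Prevention tab.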

If you decide that you must disable DEP, you can easily do so in the 32-bit versions of IE 7 and IE 8.

To find this setting in IE 7, click Tools, Internet Options, Advanced, and scroll to the Security section, as shown in Figure 3. (Press the Alt key if IE’s standard menu isn’t visible.)

In IE 8, first right-click the IE shortcut, select Run as administrator, and then enter the browser’s Advanced options.

To disable DEP in both IE 7 and IE 8, uncheck the option labeled “Enable memory protection to help mitigate online attacks.”

Figure 3. On 32-bit systems, DEP is enabled by the “Enable memory protection” option, which is fourth from the bottom in this screen shot.

The 64-bit version of IE 8 lacks a DEP option on the Advanced tab. The reason it’s not visible in the 64-bit version of IE is that DEP is enabled automatically and can’t be disabled. If you’re running a 64-bit operating system, you probably want the protections that DEP gives you.

Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

 
Known Issues

Some keyloggers can read the Clipboard, too

By Dennis O’Reilly

Several dozen readers responded to WS contributing editor Scott Dunn’s Sept. 10 Top Story on keeping your passwords out of the hands of sneaky keyloggers on untrusted PCs you may be forced to use while traveling.

The most frequent suggestion was to copy passwords from a text file and paste them into password boxes, but many keyloggers — unfortunately — capture any text you paste from the Clipboard.

Crooks with computers are experts at raiding online bank accounts and making a profit from personal information. Every time you think you’ve outsmarted them with a new defense, hackers find a way around or through it.

Scott described the “revised Vesik method,” which involves typing nonsense characters and mousing them into place to form a real password. It’s admittedly a convoluted way to hide data from keyloggers when you need to sign in to a Web site using a PC that might be infected. Scott acknowledged that the trick is time-consuming and prone to error.

Many readers recommended other programs and techniques to thwart either hardware or software keyloggers. Chris Miller points out the advantages of authentication techniques used by banks in Europe:
  • “I don’t know the position in the U.S., but here in Europe, sensitive Web sites such as [those for] Internet banking are usually configured to defeat keyloggers.

    “The best way is for the bank to supply a token — similar in concept to the SecurID or Vasco two-factor authentication systems that readers working in IT departments may be familiar with — that requires you to insert a bankcard and enter your usual PIN number before it generates a unique key that will allow logon.

    “Even if this is read by a keylogger, it won’t work for any subsequent logon attempts. The drawback is obviously that you need to carry it with you and be able to attach it (via USB) to any public computer you want to use.

    “Alternatively, banks require you to select a long password — say, 12 characters — and then ask at logon for a random subset: e.g., ‘Please enter the 8th, 3rd, and 10th character of your password.’

    “For further protection, these characters may be selected by using drop-down menus, which should defeat most keyloggers.

    “The drawback is a slight weakening against brute-force guessing — you have a chance of guessing correctly if you can make many tens of thousands of attempts — but there are strong limitations on the number of incorrect logon attempts that are allowed before the account is locked (typically three), requiring a phone call to reset the procedure.

    “Simpler still is for the bank to issue a ‘one-time pad’ of randomly generated passwords that you use once and then discard. Obviously, a written pad can be lost, but as long as you don’t keep it with other identifying information — e.g., your account number — this should not be a problem.

    “I think one of the reasons for the different systems in Europe is that here the onus is on the banks to provide security. If your bank account or credit card is ‘hacked,’ any resultant loss is the responsibility of the bank, unless they can demonstrate collusion on the account holder’s part. I understand this doesn’t apply in the U.S.”
Some keylogger software can, in fact, record the choices in drop-down menus. And there are reports of man-in-the-middle attacks that exploit one-time passwords only momentarily, as explained in a blog item by the Washington Post’s Brian Krebs.

But it’s clear that European banks, due to tighter regulation, are ahead of American financial institutions in security practices that defeat run-of-the-mill keyloggers. In the U.S., the Electronic Funds Transfer Act limits consumer liability when someone is the victim of an online theft. There remains little uniformity, however, in online banking.

Scott will discuss additional password-management utilities and techniques in a follow-up article about keyloggers on Sept. 24. Stay tuned!

Chris will receive a gift certificate for a book, CD, or DVD of his choice for sending a comment we printed. Send us your tips via the Windows Secrets contact page.

The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.

 
Wacky Web Week

Humans will eat almost anything … if it’s pizza

By Stephanie Small

Everyone — well, practically everyone — enjoys a slice of pizza now and then. Be it cheese, meat, veggies, or some weird combination of them all, pizza is the perfect all-inclusive and delicious meal!

Domino’s, however, kicks that claim up a notch with its latest offerings. People consuming things like “cheese burst pizza” and “crispy nacho platter pizza” may make you think there’s a genetic predisposition to eat unhealthy foods. Now pizza is even being offered as a dessert, with a strawberry-like substance on one and a cookie look-alike on the other. Are you brave enough to give these a try?


 
LangaList Plus

Best way to clean a PC with multiple accounts

By Fred Langa

Yes, one tool can optimize a Windows setup comprising many different user accounts.

PC cleanup tools take various approaches to removing junk from every account — from standard to administrator — without damaging or deleting files a user may require.


System-wide cleanup help for multiuser PCs

A reader calling himself “Net Star” asks a savvy question about PCs with several user accounts:
  • “What’s the best way to clean a computer with multiple accounts? Should you install and run [the cleanup] software on each account? If you install the software on one account, will it clean the entire computer, including each account?

    “For example, programs like CCleaner will install on only one account and don’t offer the option for all users. Does this mean the program will clean the entire computer, including other accounts, or do I have to install CCleaner on each account to clean up each user’s account?”

Most reputable cleanup software does clean system-wide but may not do so in an obvious way. Remember, tools such as Piriform’s free CCleaner are not only junk-file deleters but also potentially dangerous Registry cleaners and editors. (CCleaner is available on the vendor’s site.)

Although it’s handy for all users on a PC — including non-administrators — to have easy access to junk-file removers, it might not be safe or wise to allow users with standard accounts to modify the system’s Registry.

Different tools address this safety issue in different ways. For example, CCleaner automatically installs to all accounts, but the program does so in a nonstandard way that might lead you to think it’s not present. Instead of listing itself normally in each user’s All Programs menu, CCleaner inserts itself into the context menu that appears when each user right-clicks the Recycle Bin.

This article is part of our paid content. Upgrade your account to see the rest of this article!


 
Best Software

What to do when a program installation fails

By Ian “Gizmo” Richards

One of the most frustrating experiences for a Windows user is when an installation fails — you often can’t delete the fragments or restart the install process, leaving you with nowhere to go.

Don’t give up hope; I’ll show you how to overcome this sticky stalled-installation situation.


The causes of software-installation quagmires

There are many reasons why a program installation may fail. It could be due to a fault in the installation program itself, or perhaps the user didn’t properly read the installation instructions.

A common cause of a balky install is that some required component, such as a Windows DLL file, is missing on the user’s PC. Another likely source of the installation glitch is that a security app is preventing the installation of one or more of the program’s components.

When a software installation fails to complete, there’s usually a residue of information written by the installation program to the Windows Registry and other parts of the computer before the install failed. This leftover detritus can prevent the user from installing the program a second time. In the worst case, this orphan data may leave the user’s PC unstable or even unusable.

When an install fails, most people go to the Windows uninstall applet in Control Panel. (Windows XP’s uninstall applet can be found in Add or Remove Programs, while in Vista it’s located in Programs and Features.) Unfortunately, the program you were attempting to install probably won’t be listed — or it is listed but with the uninstallation option inoperable.

This article is part of our paid content. Upgrade your account to see the rest of this article!


 
Perimeter Scan

Success in digging malware from my own back yard

By Ryan Russell

It took more than one security tool for me to rid a Vista installation of a nasty virus infection.

And once the malware was jettisoned, another several hours were required to ensure that Vista was up-to-date.


Using multiple tools to clean infections

In my May 28 column, I wrote about the free anti-malware tool SUPERAntiSpyware, which you can download from the vendor’s site. Well, there’s nothing like a real-world problem to test out a tool.

A short while ago, a family friend brought by a laptop and claimed it was infected with “viruses.” It was a Dell machine running an OEM version of Vista Home Premium.

Without bothering to see what the actual symptoms were, I downloaded a copy of SUPERAntiSpyware onto a USB drive and got to work. The program wasn’t able to update itself once I had installed it on the laptop, so I downloaded the utility’s signature updates manually.

The inability of security programs to update is not uncommon on infected machines. Often, the malware will hijack Internet connections, which prevents access to tools and updates.

This article is part of our paid content. Upgrade your account to see the rest of this article!


YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2012 by WindowsSecrets.com. All rights reserved.
