Windows Secrets Newsletter • Issue 82 • 2006-09-14 • Circulation: over 400,000


Table of contents
  • Top Story: Internet Explorer 7 looms — be prepared
  • Patch Watch: Don’t ignore two critical, reissued patches
  • Perimeter Scan: Java update process is broken
  • Woody's Windows: How bad are Microsoft’s patch lead times?
  • Over the Horizon: Yes, Firefox has some flaws, too

Top Story

Internet Explorer 7 looms — be prepared


As we announced in our Sept. 7 news update, all newsletter subscribers, free and paid, are eligible to download a free Dilbert e-book.

Try Rebooting Yourself is an 8-page PDF e-book that contains the funniest strips from the new Dilbert collection. The printed, 128-page bound book won’t be available in stores until October. But Andrews McMeel Universal, Scott Adams’s publisher, let us pick out the best cartoons so you can have them immediately.

To get your e-book bonus, simply use the following link to update your preferences:

Update your preferences

You can also get the free e-book by using your e-mail address and reader number to login manually at WindowsSecrets.com/prefs.

Every reader whose preferences page shows a valid country and ZIP or postal code is eligible to download the bonus. In just the past seven days, our 140,000 subscribers have generated more than 33,600 visits to their preferences pages and downloaded the e-book. People must like Dilbert.

We’re planning a series of free seminars in early 2007 in conjunction with the new book, Windows Vista Secrets. Places with the most readers will get the free seminars. The free download ends on Oct. 6, 2006.

If you’d like to preorder the printed book, it’s available from Amazon and will ship whenever possible next month: United States / Canada / Elsewhere

By Woody Leonhard

Long the poster boy of Microsoft complacency, Internet Explorer 6 has finally reached the end of the line.

By the end of this year, Internet Explorer 7 will be “pushed” onto tens of millions of desktops. You’d better be ready.

How did we get into this mess?

Microsoft hasn’t changed Internet Explorer’s internal plumbing since version 4.0, back in September 1997. That version effectively wiped out competition in the browser market, destroyed Netscape, incurred the wrath of the U.S. Department of Justice, and led to legal battles that reverberate to this day. Microsoft exercised its desktop monopoly illegally, took over the market, then sat on its laurels for almost a decade.

We get to see the effects of that complacency on the second Tuesday of almost every month. Microsoft’s Patch Tuesday exercise has slapped dozens of fixes and re-fixes and post-re-pre-ex-hot-cold-fixes on the tired old IE 6 carcass. Stick a fork in it. It’s done.

Microsoft extols the new, enhanced security on offer in IE 7. Of course, the ‘Softies have been doing that for years: Internet Explorer 3.01 sported three advanced security levels that rode herd on ActiveX controls; IE 4 introduced Security Zones, which still figure prominently in IE 7, ten years later.

It remains to be seen whether the cracking community will be able to break IE 7 with the dexterity and alacrity currently applied to IE 6. One thing’s for sure. It couldn’t get much worse.

The inevitability of upgrading to IE 7

Lest you think otherwise, one simple fact stands out: you will upgrade to Internet Explorer 7. It isn’t a question of "if." Only of "when."

You and I can debate late into the night about the relative merits of IE 7 and Firefox 2 (which is currently available in beta). It isn’t a question of whether Firefox 2’s features surpass IE 7’s; which flavor of tabbed browsing works better; which group provides superior phishing filters, or how many angels can dance on the head of a Mozilla pin.

Even if you use Firefox religiously (and I do), even if you have absolutely no intention of using Internet Explorer (and I don’t), you still need to give IE 6 the heave-ho. Why? IE is so intertwined with Windows that leaving the old version intact simply begs for problems. You might as well hang a sign on your monitor that says, "Kick me."

The automatic IE 7 push is coming

Microsoft’s caught between a rock and a hard place. The ‘Softies know that IE 6 sucks. (That’s a technical term, by the way.) Patching and supporting IE 6 costs a fortune, even by Microsoft standards. It’s an eyesore, an embarrassment, and a constant thorn in the technological side — in other words, it’s bad for business. It’s bad for you, too.

That’s why Microsoft announced that, sometime in the fourth quarter of this year, IE 7 will be “pushed” onto any Windows computer that has Automatic Updates enabled. Unlike most auto-updates, though, Microsoft does intend to notify its customers and request their explicit approval prior to installing IE 7. The company plans to use a message similar to Figure 1.


Figure 1: Microsoft’s planned notification message when IE 7 is about to be installed.

As of today, Microsoft insists that it will only allow IE 7 to install itself on computers that pass "Windows Genuine Advantage" (WGA) certification. Given the simmering controversy that surrounds WGA — and the obvious tech-support benefits that Microsoft would gain by having the more-secure IE 7 on all PCs, "genuine" or not — I can’t help but wonder if Microsoft isn’t going to relax that requirement. It seems incongruous that Microsoft would require customers to install WGA, which contacts the mother ship in Redmond regularly, before people could receive the security benefits of IE 7.

Auto-update isn’t your only possible road to IE 7 enlightenment. The new browser will also be available for download via Windows Update, Microsoft Update, and Microsoft’s download center. If you turn off Automatic Updates (as editor Brian Livingston and I recommend for all but novice users), you can wait a few weeks or months until the inevitable hue and cry over IE 7 surprises dies down. Then you can unceremoniously yank IE 6 out by the roots.

How to forestall the inevitable

Those responsible for maintaining many machines can avail themselves of Microsoft’s IE 7 Blocker Toolkit. This 104 KB download contains a Group Policy template and a script that flips a bit in the Registry. This Registry tweak effectively prevents Automatic Updates, Windows Update, and Microsoft Update from offering IE 7 as a high-priority update.

Unlike previous update blockers, this toolkit doesn’t expire. Once you set the Group Policy or flip the Registry bit, Automatic Updates and the update sites will turn a blind eye to IE 7.

That doesn’t prevent your users, of course, from downloading IE 7 from the MS Download Center and installing it themselves (assuming they have administrator accounts to do so). But it does give you some breathing room and some time to assess the potential damages, before taking the risk of converting all your machines.

One interesting note: Microsoft promises that you’ll be able to uninstall IE 7 and revert to IE 6 should the need arise. A simple trip to Control Panel’s Add/Remove Programs will do the trick. Supposedly.

The wise will wait and see

My recommendation: Wait. Even though Microsoft has been beta testing Internet Explorer 7 since July, 2005, you can bet that some skeletons will saunter out of the closet when IE 7 goes into wide distribution.

Disable automatic updates. Take care with any updates you allow Microsoft to install on your machine. And let those tens of millions of unwitting beta testers go first. Cannon fodder.

(Note: To send us more information about IE 7, or to send us a tip on any other subject, visit the Windows Secrets contact page. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.)

Woody Leonhard’s Web site posts MS-DEFCON reliability ratings for Microsoft patches. His recent books include Windows XP Hacks & Mods For Dummies.

Patch Watch

Don’t ignore two critical, reissued patches

By Susan Bradley

I thought all I needed to worry about this Patch Tuesday was a Windows patch or two and an Office patch.

But it turns out to be essential that you redo August’s critical Internet Explorer and Server Service patches on Windows 2003 and XP SP1.


MS06-040 (921883)
Troublesome ‘Server Service’ patch is reissued

Those who use Navision accounting software on their servers found themselves in a pickle last month. Install MS06-040 (921883) and your accounting application fails. Remove it and your network is at risk.

Hotfix 921883, which fixes Navision-style issues, has now been rolled into a full rerelease of the August security patch. If you haven’t installed this patch, and you have any XP machines running SP1 or earlier, let me stress again how important this is. I’ve personally heard of several firms that have been very detrimentally impacted by this security hole.

If MS06-040 is not installed (including installing the Sept. 12 version), your company risks being taken over by Trojans that will use your network in nefarious ways. If you haven’t yet patched, or you installed only the older, August version, now is the time to update.

We still haven’t seen a patch for the denial-of-service issue that affects MS06-040, which was described in the MSRC blog back in August. You should expect to be soon patching 040 yet again. Both the reissued Server Service patch and this week’s reissued IE patch (MS06-042, described below) will be properly supported by Shavlik and other patch-management engines as though they were new patches.

MS06-042 (918899)
Now let us reinstall the IE Patch

The Aug. 8 Internet Explorer patch for XP SP1 and earlier, MS06-042 (918899), was reissued by Microsoft on Sept. 12 because the original release actually introduced a critical security flaw of its own.

Perimeter Scan

Java update process is broken

By Ryan Russell

I’ve been researching some problems with Java updates. It turns out that the issues are so extensive that they’re going to take up my entire column.

I wrote in my Dec. 15, 2005, column about some Java update issues. Those don’t even come close to the collection of mistakes I’ve just spent an entire evening dealing with.


Which one is the ‘real’ latest JRE?

The origin of the problem that first brought this to my attention is a Java vulnerability. This flaw allows an attacker to choose which version of the Java Runtime Environment (JRE) to use. In other words, newer JREs may not have a particular security problem that an attacker wishes to exploit. However, they will allow an attacker to ask for an earlier version that does have the problem. And, yes, you probably have many versions of Java installed on your system. (It’s worse than you think. Keep reading.)

The problem exists in JRE versions 1.5.0.5 and earlier. You want to have at least version 1.5.0.6. Easy enough. Java has a self-update feature. Just go to your Control Panel, find the applet named Java, and run it. The second tab is the Update tab, and there’s a button that says Update Now. Just follow the instructions after that. If your experience is like mine, it should upgrade you to version 1.5.0.6.

Note that it’s possible that you have an old enough version of Java that it doesn’t support this feature. If so, you can visit the Java.com Verify Installation page. This will tell you what version you have. It should also prompt you to update if you’re out of date. If you have 1.5.0.6, it will report: “CONGRATULATIONS, you have the Latest version of Java!” (You may have to restart your browser to see the new version, even though the installer doesn’t tell you that.)

But don’t actually do any of the above steps, because the verify page is lying. The latest version is actually 1.5.0.8. Why do both the automatic update tool and the Web page claim that 1.5.0.6 is the latest version? I have no idea.
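The column’s point is that having a new JRE installed is not enough, because a page can ask for any older JRE that is still on the machine. The following audit helper is an added example, not code from the column or from Sun: it normalizes the several version spellings Sun used (1.5.0_06, 1.5.0.6, "5.0 Update 6") and lists every installed JRE below the 1.5.0.6 floor the column gives, which is the set that must actually be uninstalled. The inventory of installed products is a constructed sample, and the exact Add/Remove Programs wording is an assumption.

```python
import re

# Floor given in the column for the version-selection flaw: 1.5.0.5 and earlier
# are affected, so anything below this must be removed, not merely superseded.
MIN_SAFE = "1.5.0.6"

# Constructed sample: Add/Remove Programs display names as Sun's installers wrote
# them (the exact wording is an assumption; the mix of versions is made up).
SAMPLE_INVENTORY = [
    "Java 2 Runtime Environment, SE v1.4.2_08",
    "J2SE Runtime Environment 5.0 Update 5",
    "J2SE Runtime Environment 5.0 Update 6",
    "J2SE Runtime Environment 5.0 Update 8",
]

_DOTTED = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[._](\d+))?")
_MARKETING = re.compile(r"\b(\d+)\.(\d+)\s+Update\s+(\d+)", re.IGNORECASE)


def parse_jre_version(text):
    """Return (major, minor, micro, update) for any of the spellings Sun used:
    '1.5.0_06', '1.5.0.6', '1.4.2_08', or '5.0 Update 6' (== 1.5.0_06)."""
    m = _DOTTED.search(text)
    if m:
        major, minor, micro, update = m.groups()
        return (int(major), int(minor), int(micro), int(update or 0))
    m = _MARKETING.search(text)
    if m:
        family, micro, update = m.groups()
        # "J2SE 5.0" is the marketing name of the 1.5 line.
        return (1, int(family), int(micro), int(update))
    raise ValueError(f"unrecognized JRE version string: {text!r}")


def fmt(version):
    return ".".join(str(part) for part in version)


def audit_installed_jres(inventory, minimum=MIN_SAFE):
    """Classify every installed JRE. Because a page can request any installed
    version, the machine stays exposed while 'uninstall' is non-empty, no
    matter how new 'newest' is."""
    floor = parse_jre_version(minimum)
    versions = sorted(parse_jre_version(name) for name in inventory)
    uninstall = [fmt(v) for v in versions if v < floor]
    keep = [fmt(v) for v in versions if v >= floor]
    return {
        "newest": fmt(versions[-1]) if versions else None,
        "uninstall": uninstall,
        "keep": keep,
        "exposed": bool(uninstall),
    }


if __name__ == "__main__":
    print(audit_installed_jres(SAMPLE_INVENTORY))
```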

Woody's Windows

How bad are Microsoft’s patch lead times?

By Woody Leonhard

How long does it take Microsoft to fix holes in its programs? Three months? Six months? Two years?

When a music-file-cracking program called FairUse4WM surfaced a few weeks ago, Microsoft patched the hole in just nine days. There’s a good reason why. Money.


Months-long delays are patching pariahs

Earlier this year, Brian Krebs dug through publicly available data and came to the conclusion (in his Washington Post Security Fix blog) that it typically takes Microsoft three to four months to issue a "critical" security patch. In the case of zero-day exploits — "full disclosure" flaws, in which crackers openly post working exploit code with no advance warning to Microsoft — the fix typically comes out a little faster, in six to eight weeks.

How do you spell M-O-T-I-V-A-T-I-O-N?

To be sure, Microsoft can get a patch out quickly when it wants to. In January of this year, the company managed to deliver a patch for bogus WMF files (MS06-001) in a little over a week. That was over the New Year’s weekend, to boot. But we still seem to be looking at, by and large, a three-to-four month timeframe.

The benefits of partial disclosure

Not long ago, several legitimate Web sites maintained lengthy detailed lists of unpatched Microsoft security holes. These lists were particularly concentrated on Internet Explorer, but also on Windows itself.

Those lists are now gone. Why? The tide of opinion has changed. Whistleblowing sites arose because the folks maintaining the sites believed (rightly or wrongly) that they could shame or scare Microsoft into cleaning up its software. It didn’t work.

Now, most people feel that lists of exploitable security holes invite miscreants to try their hand at building a better rootkit. You can still find lists of exploits, of course, but they’re mostly confined to warez and cracker sites.

Mostly.

Over the Horizon

Yes, Firefox has some flaws, too

By Chris Mosby

If you’re a frequent reader of my column, then you know that I usually have a lot to say about the security of Microsoft’s Web browser, Internet Explorer. This time, my focus will include Mozilla’s Firefox.

Even though I still consider Firefox to be a much safer browser than IE, I wouldn’t be doing my job if I just ignored flaws that affect the Mozilla browser and didn’t report them.


DNS manipulation can redirect Firefox and IE

I had to read the details of this vulnerability several times before I understood it completely. Though it’s obviously a feasible exploit from a technical standpoint, if an attacker can pull off all the steps shown below, securing your browser will be the least of your worries.

According to a description of the attack on the blog of Martin Johns, an attacker must first control the DNS entry for a Web server to host the attack. This sounds hard, but it really isn’t. Services such as DynDNS can make your dynamic IP address act like one that’s static. Johns shows that a site can force browsers to refresh their DNS entries for domains whenever necessary. This allows the attack to work. The procedure is described as follows (quoting from the blog post):

  • The victim loads the script from www.attacker.org;
  • The attacker changes the DNS entry of www.attacker.org to 10.10.10.10;
  • The attacker quits the Web server that was running on www.attacker.org’s original IP;
  • The script uses a timed event (setInterval or setTimeout) to load a Web page from www.attacker.org;
  • The Web browser tries to connect to the IP, which is bound to www.attacker.org from the previous request. As the Web server there is shut down now, this connection attempt is rejected;
  • Because of this (and probably because of the DNS entry’s short lifetime), the browser drops the DNS pinning and does a new DNS lookup request, resulting in 10.10.10.10 (sometimes it takes more than one loading attempt to trigger the lookup request);
  • The script is now able to access the intranet server’s content and to leak it to the outside.

Note that Johns says he successfully tested this exploit on IE 6 and Firefox 1.5.0.6 running on XP SP2. He notes that a securely configured server can reject such traffic if it inspects HTTP headers.
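The header inspection Johns alludes to works because a rebound browser still believes it is talking to www.attacker.org and puts that name in the Host header, while the intranet server only ever answers to its own names. The check below is an added example of that server-side defense, not code from the blog post or from Johns; the allowlist of names and the sample requests are constructed.

```python
# Constructed allowlist (assumption): the names this intranet server legitimately
# answers to. A rebound browser sends the attacker's name in Host, so it fails here.
ALLOWED_HOSTS = {"intranet.example", "intranet.example.lan"}


def normalize_host(value):
    """Lower-case, drop an optional :port and a trailing dot. Bracketed IPv6
    literals are kept whole so their colons are not mistaken for a port."""
    host = value.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        host = host[: end + 1] if end != -1 else host
    else:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def parse_request_head(raw):
    """Split a raw HTTP request into (request_line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines rather than guessing
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def host_header_allowed(raw, allowed=ALLOWED_HOSTS):
    """Return (accepted, reason). Reject when Host is absent, duplicated, or
    names a site this server does not serve; a rebound request fails the last."""
    _, headers = parse_request_head(raw)
    hosts = [value for name, value in headers if name == "host"]
    if not hosts:
        return False, "missing Host header"
    if len(hosts) > 1:
        return False, "ambiguous: multiple Host headers"
    host = normalize_host(hosts[0])
    if host not in allowed:
        return False, f"Host {host!r} is not served here"
    return True, f"Host {host!r} accepted"


# Constructed sample requests: one as a rebound browser would send it, one
# legitimate (mixed case and a port), and one old-style request with no Host.
REBOUND_REQUEST = b"GET /payroll/ HTTP/1.1\r\nHost: www.attacker.org\r\n\r\n"
LEGIT_REQUEST = b"GET /payroll/ HTTP/1.1\r\nHost: Intranet.Example:8080\r\n\r\n"
NO_HOST_REQUEST = b"GET /payroll/ HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for request in (REBOUND_REQUEST, LEGIT_REQUEST, NO_HOST_REQUEST):
        print(host_header_allowed(request))
```

The same check also closes the door on requests that reach the server through the attacker's name before the rebind, since those carry the same foreign Host value.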

What to do: Even though this attack sounds difficult to protect yourself against, I recommend installing a few extensions to Firefox that can help the browser fend off such script-based attacks.

NoScript and Adblock help defend Firefox

The first extension is NoScript. This will block all scripts from all sites from running unless you specifically say that they’re OK. This is always one of the first things I install after installing Firefox on a computer.

The second, which is actually a pair of extensions, is Adblock and Adblock Filterset.G Updater. These two add-ins give you a head start by blocking ad images in Web pages, just in case rogue images have been planted on an unsuspecting site by hackers.

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.