Windows Secrets


Windows Secrets Newsletter • Issue 120 • 2007-08-16 • Circulation: over 400,000


Table of contents 
  • Introduction: Next issue Sept. 6 — take a break!
  • Top Story: Media players more dangerous than Windows
  • Known Issues: Restrict application privileges for greater security
  • Wacky Web Week: Is there a movie idea on your Start Menu?
  • Woody's Windows: Here’s the real Start Menu entry
  • PC Tune-Up: How to get private, anonymous Web surfing
  • Windows Secrets: Internet Explorer flaw exposes FTP credentials
  • Patch Watch: Malware cocktails sure to hit unpatched PCs

 
Introduction

Next issue Sept. 6 — take a break!

By Brian Livingston

Like a lot of people, we need a week or two off in the summer to recharge our batteries and then come back to work rejuvenated.

That’s why our next newsletter won’t appear until Sept. 6. If any important developments occur that can’t wait, we’ll send you a brief “news update” to let you know.

Fred Langa returns on Sept. 27

Our editor-at-large, Fred Langa (in helmet at left) takes his vacations the hard way. He’s spent the entire summer riding his motorcycle around the U.S. and Canada, visiting Windows Secrets readers who won a personal Housecall from the Great One. I announced the contest in the Apr. 19 newsletter, and listed the winners on June 7.

Fred has finished his visits now and is busily writing a series of columns about the problems our readers had and what the solutions were. In addition, he learned many lessons in his travels that didn’t necessarily involve cleaning up a PC. (Like what it takes to ride a cycle more than 6,000 miles.)

Fred’s new series of columns will start in our Sept. 27 newsletter. Until then, enjoy the rest of your summer! (In the southern hemisphere, have a great winter instead.)

Brian Livingston is editorial director of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books.

 
Top Story

Media players more dangerous than Windows

By Scott Dunn

Windows users face the greatest security risks today not from flaws in Windows itself but from unpatched media players.

That’s because many Windows Secrets readers, according to an online test we sponsored, are running versions of Flash, Java, and QuickTime that are unpatched against the latest security threats.

Readers’ systems are rife with outdated add-ons

In two of our recent issues, subscribers to the paid version of the Windows Secrets Newsletter were asked to scan their computers using the Software Inspector, a service of Secunia.com. The scan reveals versions of Windows and builds of applications that have security flaws for which a vendor patch is available.

Contributing editor Ryan Russell, whose columns appeared in the July 26 and Aug. 9 issues of the newsletter, described how we affiliated with Secunia.com, a respected security firm that conducts the tests. We’ve found that Secunia’s service provides such important information that we want all of our free subscribers to take the test as well. A link to the test is provided near the end of this article.

The tests of our paid subscribers showed which applications are the most likely to be installed but unpatched on users’ PCs. In the following list, number 1 represents the unpatched application that was found on the greatest number of readers’ machines, with higher numbers representing fewer machines:

1. Adobe Flash Player 9.x
2. Sun Java JRE 1.6.x/6.x
3. Macromedia Flash Player 6.x
4. Macromedia Flash Player 8.x
5. Macromedia Flash Player 7.x
6. Apple QuickTime 7.x
7. Macromedia Flash Player 5.x
8. Mozilla Firefox 2.0.x
9. Macromedia Flash Player 4.x
10. Adobe Reader 7.x


All of these applications are media players, browser plug-ins that play media files, or a browser itself (i.e., Firefox). All of these programs can be attacked across the Internet — for example, if you play an infected Flash video you find on a Web site or that you received via e-mail. Consequently, using an older version of any of these programs poses a real security risk.

Indeed, it isn’t hard to find reports of security holes for any of these applications. Numerous public advisories describe serious flaws in Adobe Flash Player, Sun Java, Apple QuickTime, Mozilla Firefox, and Adobe Reader — all of which should be updated at least monthly by users. I found warnings about these five programs from, respectively, US-CERT, Australia CERT, Apple, Mozilla, and Adobe.

Windows Secrets readers appear to be conscientious about keeping Windows itself patched. No version of Windows appeared in any of the top 10 lists that Secunia provided to us. Perhaps because of this, hackers have turned to applications that allow Trojan horses to silently infect PCs. Now we all need to learn to keep our add-ins updated, too.

Keep your Web tools up to date

Fortunately, all of the applications mentioned above support automatic updating. In addition, they allow you to choose to update them manually, if you prefer to run monthly updates on your own. Here are the steps to take to update each program:

To update Adobe Flash Player:

The update settings for Adobe Flash Player are stored on your computer but are accessed via the Web.

Step 1. Launch a Web browser and navigate to the Global Notification panel of the Settings Manager using this Macromedia link.

Step 2. Use the checkbox to turn automatic updating on (checked) or off (unchecked). Configure the drop-down list to determine how frequently the program will check for updates.

If you prefer to update the Flash Player manually, you’ll need to visit Adobe’s download page periodically.

To update Sun Java:

Step 1. In the Windows Control Panel, launch the Java applet. You can also right-click the Java icon in the Taskbar tray and choose Open Control Panel.

Step 2. Click the Update tab. Use the controls there to customize the update notification. Click OK.

If you prefer to update Java manually, uncheck the box for automatic updating. Then return to this dialog box periodically and click Update Now at the bottom of the Update tab.

To update Apple QuickTime:

Step 1. In the Windows Control Panel, launch the QuickTime applet. You can also right-click the QuickTime icon in the Taskbar tray and choose QuickTime Preferences or Check for QuickTime Updates.

Step 2. If necessary, click the Update tab. Use the checkbox to determine whether the software checks for updates automatically. Click OK.

If you prefer to update QuickTime manually, uncheck the box for automatic updating. Then return to this dialog box periodically and click the Update button. If an update is found, click OK to proceed.

To update Mozilla Firefox:

Step 1. In Firefox, choose Tools, Options.

Step 2. Click the Update tab. Use the Firefox checkbox to set your preference for automatic updating. When checked, it enables additional options for customizing how updates occur. Click OK.

If you prefer to update Firefox manually, uncheck the Firefox box in this dialog box. Then periodically choose Help, Check for Updates.

To update Adobe Reader:

Step 1. In Adobe Reader, choose Help, Check for Updates.

Step 2. If the dialog title reads simply “Adobe Updater,” click Preferences.

Step 3. Use the controls in the Adobe Updater Preferences dialog box to customize update notification. Click OK.

Use the Software Inspector on your own PC

Now it’s time to check your own system using the free Software Inspector at Secunia.com. This online utility requires Java to run, so you should use the Java update procedure described above to make sure you have the latest version of Java before proceeding.

If you use the special link shown here, Secunia.com will provide the Windows Secrets Newsletter with aggregate information about which applications are the most nonupdated among our free readers. We’ll publish the results in a future issue. However, Secunia.com does not ask for and will not provide us with any personal information whatsoever.

Use this link to test your PC with Software Inspector

What it does: This scan will find software (including the operating system) with known security flaws for which patches exist. The on-screen report lists your updated apps (with a green checkmark) and nonupdated apps (with a red X). If you have multiple copies of a single application installed, the report will list each version. Click the “+” icon to the left of each item for more information, including the specific path to each file.

What it doesn’t do: Software Inspector does not flag applications for which no update exists. Consequently, you may still have applications with security holes that aren’t mentioned in the report. In addition, the program can’t detect any workarounds you may have put in place to avoid security problems with existing applications.

What should you do if the scan finds multiple versions of software? That depends. Sometimes older versions represent a security risk to your system. But in some cases (such as Java), you may need an older version to keep other application software running properly.

Before doing anything, make a backup of your system, or at least create a restore point using System Restore. (To do this in XP and later, choose Start, All Programs, Accessories, System Tools, System Restore, and follow the instructions there.) That gives you a chance to get back to your former state if removing old software causes problems.

Secunia’s Software Inspector is especially valuable for those of us who prefer to use manual updating, rather than letting programs check and download patches automatically. The scan not only tells you what updates to look for, but it checks all your software in a single step without having to use each application’s update feature one at a time.

Your most difficult task will be remembering to use Software Inspector periodically. To automate that chore, click the reminder service link on the Software Inspector page. This will send you an e-mail notification every time a new update or version is available.

It’s disturbing that, even when Windows is fully patched, our application software can represent an even greater vulnerability. To reduce your risk, consider running Software Inspector once a month, just after you’ve installed the Windows patches that Microsoft typically releases on Patch Tuesday (the 2nd Tuesday of the month).

Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.

 
Known Issues

Restrict application privileges for greater security

By Scott Dunn

In recent columns, including in the Aug. 9 issue, I’ve told you how to limit user and application permissions in XP for greater security.

Our readers have responded with their own questions and suggestions on running programs with greater or fewer privileges.

Use PsExec with nonstandard Office shortcuts

In my Aug. 9 article, I explained how to use the free PsExec utility to run applications in a low-privilege state even when you’re logged in as an administrator. But reader Tim McGowan ran into a problem when he tried to customize his shortcuts to Microsoft Office:
  • “In Windows XP Home SP2, I was trying to modify the shortcuts for Word 2000 and Excel Viewer 2003. These two shortcuts don’t have a path that can be copied. It’s grayed out, and it lists only the application name: Microsoft Word 2000 SR-1 and Microsoft Office Excel Viewer 2003, respectively.”

    “I tried using PSExec to launch the *.lnk file that starts these programs, but the utility is designed to run executables, not shortcuts. Can you write a follow-up piece, showing us how to obtain paths for these shortcuts?”
No problem, Tim. Although Microsoft Office uses nonstandard shortcuts to launch programs from the Start menu, you can create the more conventional kind if you know the right .exe file.

First, find the folder where you installed Office. A common place to look is:

C:\Programs\Microsoft Office\Office

If necessary, you can search for winword.exe, the executable for pretty much any version of Word for Windows.

Once you’ve found the right .exe file, use the right-mouse button to drag it to your desktop or your desired Start Menu location. When you release the mouse button, choose Create Shortcuts Here. You can right-click this new shortcut and choose Properties to edit its command line (for use with PsExec), modify the icon, and so on.

Advanced tools solve permissions issues

The Aug. 2 issue explained how to run XP as a standard user as a security precaution to limit the access that most programs have to your system. If you encounter problems running applications in such an account, you may find reader Alan Kobb’s advice useful:
  • “Since most of the users in my company run as non-admin, occasionally you come across a mission-critical legacy program that only works as an administrator. I have two tools that I use to fix that.

    “First is a program from Aaron Margosis called LUA BugLight. Aaron works with Microsoft Consulting Services and wrote this program to help you determine why a program won’t run as a non-administrator. Most of the time, a simple tweak of file or registry key permissions is all that it takes to run a program as a non-administrator. This program, along with hints on his blog, tells you how.

    “Another useful program is called CPAU from a Web site called Joeware.net. The developer, Joe, is a Microsoft MVP who has written a ton of useful utilities (Joeware) such as this one.

    “On the surface, CPAU is simply a clone of the Run As command. But behind that is a lot of functionality. For example, for the occasional program that cannot run under a non-administrator account, you can use CPAU to embed an encrypted user ID and password in a file along with a command to start up the program. Running CPAU and specifying that file will start the program as an administrator, without the user having to know an administrative password.”
Thanks, Alan! Both of these programs are for the serious system administrator. As such, neither is particularly user friendly, especially CPAU, which is entirely command-line based (i.e., no graphical user interface). But if you’re having problems running a program in your low-privileged account, these tools may prove useful.

More information on CPAU is found in today’s column by Mark Edwards in the paid section of the newsletter.

Details on encrypting files on flash drives

In the Aug. 2 issue, I told readers they could use the freeware tool TrueCrypt to encrypt data on a flash drive. However, reader John Aspinall points out some important details:
  • “The recommended TrueCrypt used in ‘traveler mode’ still requires administrator privileges, unless TrueCrypt is installed on the PC on which the flash drive is being used.

    “However, a utility by Yap Chun Wei named TCExplorer overcomes this issue. TCExplorer is portable software to import, export, delete, and rename files in TrueCrypt containers and works very well if used in conjunction with a shredder such as Cybershredder or UltraShredder (I prefer the former).

    “The process is very simple; you explore the TrueCrypt volume on the flash drive and drag the required file to free space on the flash drive, where it can be worked on as required. On completion, you drag the file back to the TCExplorer window, encrypting it when the volume is closed. Then shred the copy of the file on the unencrypted portion of the flash drive using your preferred shredder utility. All the software is free.”
Thanks for the information! As John implies, removing encryption from a sensitive file and working on it using a public or other non-secure computer involves risks. John’s solution is to use freeware to “shred” (delete in an unrecoverable way) the work copy after it has been saved and copied back to the encrypted container.

Both Cybershredder and Ultrashredder can be run from a flash drive. You can find TCExplorer at the CodeProject site.

Readers McGowan, Kobb, and Aspinall will receive gift certificates for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.

 
Wacky Web Week

Is there a movie idea on your Start Menu?

Where does Hollywood get its ideas for those summer blockbusters? Producers don’t just borrow from novels, plays, TV, and comic books, but also from major computer games like Tomb Raider, Mario Brothers, Wing Commander, and Doom.

But what about the little computer games that come free with Windows, the ones millions of people enjoy every day? The folks at CollegeHumor.com found some inspiration there and crafted a hilarious trailer for Minesweeper: The Movie.

 
Woody's Windows

Here’s the real Start Menu entry

By Woody Leonhard

In last week’s article, I explained a Registry change you can make if you inadvertently “improve” the Start Menu delay time, making menu items flash by so fast you can hardly click them.

I made a mistake. I said that the Registry entry you should change was:

HKEY_CURRENT_USER\Desktop

In fact, I should’ve told you to navigate to:

HKEY_CURRENT_USER\Control Panel\Desktop

This article is part of our paid content. Subscribe.



 
PC Tune-Up

How to get private, anonymous Web surfing

By Mark Edwards

Many public proxy services exist that let you both surf the Net anonymously and bypass overly restrictive content filtering systems.

This week, I tell you how to easily build an entirely private, anonymous proxy service that you control at your own leisure.


PHProxy brings anonymity to your desktop

Two weeks ago, in the Aug. 2 edition of this newsletter, I described a few ways to bypass overly restrictive Web filters by using a few search engine tricks. Even better, if you have a Web server that supports PHP scripts (most do these days), you can easily install a full-blown Web-based proxy service that you can use from any Web browser.

The script, PHProxy, is a free anonymizing Web-surfing proxy tool. Since the script runs on a server to retrieve content and deliver it to your browser, your PC remains relatively invisible to the site that you’re surfing. Even images and multimedia content, such as Shockwave files, are retrieved by the proxy and delivered to your browser!

If you’ve never used PHP scripts before, don’t worry, because this one is easy to install and use. Just download the .zip archive, unzip it to a temporary directory on your local desktop system, and then upload all the files to a directory on your Web server. That’s basically all there is to it. Then you can access it directly from your Web browser.

For example, if your Web site is located at Mysite.nul, you upload the script to a subdirectory called /secret. You can then access the proxy by directing your browser to Mysite.nul/secret.

This article is part of our paid content. Subscribe.



 
Windows Secrets

Internet Explorer flaw exposes FTP credentials

By Chris Mosby

Among the patches Microsoft released on Patch Tuesday this week is yet another cumulative rollup for the company’s Internet Explorer browser.

But an IE flaw that’s been present at least since 2004 is still unpatched, because Microsoft never released a patch for IE 6 and allowed the flaw to remain in IE 7.


IE feature reveals usernames and passwords

Brian Krebs, who writes a computer security blog for the Washington Post, recently reported a flaw in IE that he learned about while attending the recent DEFCON hacker conference in Las Vegas.

Krebs says he learned that IE 6 and 7 cause your FTP (File Transfer Protocol) username and password to be saved into any .htm, .html, or .mht file that you download to your local computer.

If you modify and then upload that file from your computer back to the FTP server, all someone has to do is view the source of that file and your FTP credentials are in plain sight. With that information, a hacker could do just about anything to your Web site that he or she wanted.

According to Krebs, his source says Microsoft was informed about this problem in IE 6, way before IE 7 was released. Microsoft allegedly told Krebs’ source that it would take a rebuilding of the entire feature to fix the problem.
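A pre-upload check for the exposure described above, as an added example that is not from the newsletter or from Krebs's report: it scans saved .htm, .html and .mht files for ftp:// URLs that carry a username or password and reports them with the password masked. The `ftp://user:password@host` form, the sample comment lines, and the host and credentials in them are assumptions constructed for illustration.

```python
import os
import quopri
import re
from urllib.parse import urlsplit, unquote

# Candidate ftp:// URLs containing "@"; urlsplit() decides whether the "@"
# really delimits credentials or merely appears in the path.
FTP_URL = re.compile(r"ftp://[^\s\"'<>]*@[^\s\"'<>]+", re.IGNORECASE)
SCANNED_EXTENSIONS = (".htm", ".html", ".mht")

# Constructed sample: a saved page whose header comment records the source URL.
SAMPLE_HTML = (
    "<!-- saved from url=(0051)ftp://alice:s3cret@ftp.example.test/site/index.html -->\n"
    "<html><body>\n"
    '<a href="ftp://ftp.example.test/pub/readme.txt">public file</a>\n'
    '<a href="mailto:webmaster@example.test">contact</a>\n'
    "</body></html>\n"
)
# Constructed sample: the same comment as quoted-printable text in an .mht
# file, where "=" is written "=3D" and a long line is folded with a trailing "=".
SAMPLE_MHT = (
    b"<!-- saved from url=3D(0051)ftp://alice:s3cret@ftp.exa=\n"
    b"mple.test/site/index.html -->\n"
)


def decode_saved_page(raw, is_mht):
    """Turn file bytes into text, undoing quoted-printable folding for .mht."""
    if is_mht:
        raw = quopri.decodestring(raw)
    return raw.decode("latin-1")  # latin-1 maps every byte, so this never fails


def find_ftp_credentials(text):
    """Return one finding per ftp:// URL in `text` that embeds a username."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in FTP_URL.finditer(line):
            try:
                parts = urlsplit(match.group(0))
            except ValueError:
                continue  # malformed authority; not a usable URL
            if not parts.username:
                continue  # "@" was in the path, not in the authority
            masked = parts.username + (":***" if parts.password is not None else "")
            findings.append({
                "line": lineno,
                "host": parts.hostname,
                "user": unquote(parts.username),
                "has_password": parts.password is not None,
                # The password itself is never copied into the report.
                "redacted": f"ftp://{masked}@{parts.hostname}{parts.path}",
            })
    return findings


def scan_tree(root):
    """Scan saved pages under `root`; return {path: findings} for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if not lower.endswith(SCANNED_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                text = decode_saved_page(fh.read(), lower.endswith(".mht"))
            hits = find_ftp_credentials(text)
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    for hit in find_ftp_credentials(SAMPLE_HTML):
        print(f"line {hit['line']}: {hit['redacted']}")
```

Run `scan_tree()` over the local copy of a site before each upload; any file it reports should have the credentialed URL removed, and the FTP password should be changed if the file was already published.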

This article is part of our paid content. Subscribe.



 
Patch Watch

Malware cocktails sure to hit unpatched PCs

By Susan Bradley

Microsoft ranks 6 of the 9 patches released on Aug. 14 as “Critical,” and only 3 as “Important” — but I’m rating all 9 of them as critical if you use the platforms that are affected.

We must patch once again for three XML, GDI, and VML threats, along with the usual Malicious Software Removal Tool updates and a new fix for 64-bit kernel protection.


MS07-042 (936227, 933579, 936021, 936181, 936048, 936960, 936056)
XML must be patched again, and it’s crucial

I read on Aug. 14 that this week’s XML patches in MS07-042 are replacing the patches in the MS06-061 and MS06-071 bulletins, which were released last year and earlier this year. I was a bit surprised that we’ve been patching these components repeatedly since 2006.

I guess it’s because XML is a technology that’s seemingly in everything, as Knowledge Base article 269238 showcases.

It’s also a piece of technology that’s not easy to explain, other than the fact that it’s a foundation that’s used in many applications. I know that it’s included with several of the programs my office uses.

The hole fixed by MS07-042 looks like an easy “malware cocktail” ingredient that can easily be used by malicious Web sites. I’m placing this patch on a fast track to install. I urge you to do so as well.

MS07-046 (938829)
Fix GDI now before exploits appear

A new fix for Windows’ graphical interface is patch two of my “Here we go again!” patches that first came out in 2006. Bulletin MS07-046 this week replaces MS06-061.

This article is part of our paid content. Subscribe.



YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2012 by WindowsSecrets.com. All rights reserved.
