Windows Secrets


Windows Secrets Newsletter • Issue 178 • 2008-12-17 • Circulation: over 400,000


Table of contents 
  • Introduction: Give your friends secrets as free holiday gifts
  • Top Story: Microsoft patches IE, but Firefox is still safer

 
Introduction

Give your friends secrets as free holiday gifts

By Brian Livingston

In celebration of the holiday season, we’re letting you send all of your friends the paid version of the Windows Secrets Newsletter absolutely free for the next three full months.

The other writers here say I’m crazy, but with the global economic slowdown we’re in, I want to spread a little cheer and let you treat as many people as you like.

Here’s how our holiday giveaway works:
  • Step 1. Send the following URL in the text of an e-mail message to everyone you’d like to give, as a free gift, the paid version of the newsletter:

    http://WindowsSecrets.com/holidaygift

    You can include any text you like that will explain to your friends that they can get the paid version of this newsletter absolutely free as a gift. Please don’t spam a bunch of strangers — just send your message to your friends, people who regularly receive e-mail from you.

  • Step 2. The holiday gift is only for people who’ve never had a subscription before.

  • Step 3. People who visit the link and enter a valid e-mail address by Dec. 31, 2008, will receive a confirmation message. They must click a link in that message to verify their address and begin their subscription.
What do you get out of this holiday giveaway?

Just the satisfaction of knowing you gave something of value to people you care about. That’s the true spirit of the holiday season.

This crazy idea is a one-time thing. We may never repeat it. It’s just a spur-of-the-moment response to the economic times we’re living in.

I hope you’ll enjoy giving this away as much as I’ve enjoyed ignoring everyone who told me it would never work. Please have a happy and safe holiday season.

Special news update for MS patch; no paid version

We’re bringing you today a special report by Windows Secrets contributing editor Mark Edwards on a crucial Microsoft patch for Internet Explorer. The security threat that this patch is designed to correct has already affected millions of people.

Our next regularly scheduled newsletters will be published on Dec. 18 and Jan. 8. We skip publication during the last two weeks of December, so there won’t be any newsletters on Dec. 25 or Jan. 1.

News updates have no paid content, and all subscribers receive the same short message.

Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.

 
Top Story

Microsoft patches IE, but Firefox is still safer

By Mark Joseph Edwards

Microsoft recently announced that a special, out-of-cycle patch would be released on Dec. 17 for Internet Explorer’s latest security vulnerability, the so-called XML exploit.

If you’d like to avoid similar weaknesses that are certain to be discovered in IE in the future, the simple solution is to use a different browser, such as Firefox, with a few easy customizations that allow you to switch to Microsoft’s browser only for sites that absolutely require IE.

If you haven’t yet patched IE to protect against the XML exploit, visit Microsoft’s December 2008 security advisory. This Web page, which began as an announcement of the Redmond company’s planned patch, changes automatically to information about installing the patch as soon as the fix is released.

WS contributing editor Susan Bradley reported on the dangerous zero-day exploit in her Dec. 11 Patch Watch column (paid content). The security hole affects many different builds of IE 5, 6, and 7 as well as the beta version of IE 8. Every recent version of Microsoft’s operating system is potentially affected: Windows 2000, XP, Vista, Server 2003, and Server 2008.

The Redmond software giant acknowledged on Dec. 16 that more than two million Windows users had already become infected via the IE flaw, according to an article by the Press Association. How many more people will get hit before the patch is widely distributed is anyone’s guess.

Microsoft published a security advisory on Dec. 10, listing nine potential workarounds, before the patch became available. Many people, myself included, felt that the explanation did a poor job of clarifying which combination of fixes a particular user should implement. The company’s Security Vulnerability Research and Defense blog attempted to clarify matters on Dec. 12. But the information there still left most people wondering how to determine the best combination of workarounds for their systems.

IE zero-day flaws cry out for switch to Firefox

There’s no easy way to secure IE against similar flaws that will inevitably be discovered and used by hackers to their advantage in the future. For this reason — and in response to pleas for help by many Windows Secrets readers — here’s my recommendation on the best way to surf the Web more securely:
  • Step 1: Switch to Firefox, Opera, Chrome, or another contender and configure it to be your default browser. Use IE only to visit sites that require Microsoft-specific technology — probably because they rely on ActiveX to function. (For example, you need to use IE to download patches at the Windows Update site.) I recommend Firefox because of the numerous add-ons available for that browser, some of which I describe in Steps 2 and 3.

  • Step 2: Install the Firefox add-ons known as User Agent Switcher (see UAS’s download page) and IE Tab (download page).

    User Agent Switcher lets you change your browser’s identity. If a Web site demands the use of IE but actually works fine with other browsers, you can change the name of the operating system and browser the site thinks you’re using. Many “IE only” sites render perfectly well in Firefox and other browsers.

    IE Tab lets you open a site in a new Firefox tab that’s driven by IE’s rendering engine. This allows sites requiring ActiveX or other IE-only components to work in the same way they do in IE itself.

    Unfortunately, using the IE rendering engine in a Firefox tab leaves your PC just as susceptible as it would be if you’d opened an IE window in the first place. Use this technique with caution and only with sites you feel are very unlikely to be hacked, such as Microsoft.com.

  • Step 3: For added security, install the NoScript plug-in, which disables JavaScript, Flash, Silverlight, and other “active content” (see NoScript’s download page). Because most Web sites of any complexity use JavaScript for menus and other functions, place in the utility’s “whitelists” sites such as Microsoft.com and WindowsSecrets.com that are unlikely to try to run malicious scripts on you.

    WS associate editor Scott Dunn wrote more about NoScript and other Firefox security add-ons in his Apr. 17, 2008, lead story.

  • Step 4: Open an Internet Explorer window and set the security level of IE’s Internet zone to High. To do this, click Tools, Internet Options, Security. Choose the Internet zone in the box at the top of the dialog and move the slider control below it to High. Note that this setting will cause many sites you haven’t added to IE’s Trusted Sites zone to render incorrectly or display error messages.

  • Step 5: If for some reason you can’t install Microsoft’s Dec. 17 IE patch, refer to Microsoft’s Dec. 10 and Dec. 12 advisories for workarounds, as I mentioned above. The latter page, for example, describes how to adjust Access Control Lists by using Registry scripts in an oledb32.zip file you can download from Microsoft. (The download link is at the end of that page.)

    Be aware that some of the workarounds Microsoft recommends can have unexpected side-effects. For example, a comment posted by the Internet Storm Center on Dec. 16 stated that Microsoft’s “Disable XML Island” workaround prevents users from sending e-mail using Exchange 2003 and Outlook Web Access.
If you need any more evidence that weaknesses in IE can be rapidly used by hackers, take a look at a wiki page provided by the Shadowserver Foundation, a security group that lists sites known to be infecting unsuspecting visitors. IMPORTANT: Do not visit any of the sites on the list, even if you think your browser is secure — these sites are or were infectious.

The point is that thousands of sites became carriers within days. (The Press Association quotes Trend Micro as saying more than 10,000 sites were compromised by Dec. 16.) If you use a URL filtering system or block list, you should add the sites cited by Shadowserver to prevent access — at least until all your machines are patched or a specific site is proved to be clean.
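As an added illustration of the block-list advice above (this is example code, not part of the original article or any Shadowserver tooling), the script below turns a copied list of site addresses into hosts-file entries. The sample entries are constructed placeholders, and the function names and the 0.0.0.0 sink address are assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input (not real indicators); .example is a reserved TLD.
SAMPLE_LIST = """\
# copied from a published list of infected sites (constructed sample)
hxxp://bad-site[.]example/index.htm
www.bad-site.example
http://Another.Example:8080/path?x=1
another.example
not a hostname!
192.0.2.15
"""

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def extract_host(entry):
    """Return the lower-cased hostname from one list entry, or None."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    # Undo common "defanging" used so that published lists are not clickable.
    entry = entry.replace("[.]", ".").replace("(.)", ".")
    entry = re.sub(r"^hxxp", "http", entry, flags=re.I)
    if "://" not in entry:
        entry = "http://" + entry
    try:
        host = urlsplit(entry).hostname
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        return None
    # A hosts file maps names to addresses, so bare IPs cannot be blocked here.
    if labels[-1].isdigit():
        return None
    return host

def to_hosts_lines(text, sink="0.0.0.0"):
    """Deduplicate and sort hosts, then emit one hosts-file line per name."""
    hosts = sorted({h for h in map(extract_host, text.splitlines()) if h})
    return [f"{sink} {h}" for h in hosts]

if __name__ == "__main__":
    print("\n".join(to_hosts_lines(SAMPLE_LIST)))
```

The script only parses text and never contacts the listed sites. Entries it rejects, such as bare IP addresses, need to go into a firewall or proxy rule instead.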

Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and regularly writes for its Security Matters blog. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period.  Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,
  • Visit our Unsubscribe page.
Copyright © 2012 by WindowsSecrets.com. All rights reserved.
