Windows Secrets

Windows Secrets Newsletter • Issue 228 • 2010-01-21 • Circulation: over 400,000


Table of contents 
  • Top Story: Patch arrives for IE hole targeted by Chinese
  • Wacky Web Week: This vending machine gives and gives and gives
  • LangaList Plus: Extend the life of your laptop’s battery
  • Insider Tricks: Five productivity-enhancing Registry tweaks
  • Perimeter Scan: Browser forensic tools find malware entry points

 
Top Story

Patch arrives for IE hole targeted by Chinese

By Yardena Arar

As of this writing, Microsoft is scheduled to release on Jan. 21 an update that fixes the Internet Explorer vulnerability behind the recent, highly publicized cyberattacks on Google and other major corporations.

The sophisticated “Aurora” exploit is delivered through common file attachments or links — typically in e-mail or other messages that appear to come from trusted sources — but proven security measures and a little common sense can negate all such threats.

The first reports of the cyberattacks that prompted Google to threaten withdrawal from China were alarming indeed. So was Microsoft’s first official response, in MS security bulletin 979352, which described the scope of the newly discovered IE vulnerability.

The flaw permits remote code execution by what Microsoft describes as a “specially crafted attack” that affects most versions of Internet Explorer:
  • IE 6 SP1 on Windows 2000 SP4
  • IE 6, 7, and 8 on Windows XP, Vista, Windows 7, Windows Server 2003, and Windows Server 2008 and Server 2008 R2

Not vulnerable, according to the security bulletin, is Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4.

Microsoft’s advance notification of the out-of-cycle patch was released on Jan. 20 and was scheduled to be replaced on Jan. 21 by security bulletin MS10-002, which includes a link to the patch itself. To install the update once it’s been posted, visit the Microsoft Update site, choose the Custom option, and select the patch in the list of high-priority updates.

Security analysts and Microsoft agree that the attacks have a high social-engineering component: the targeted victims have to trigger the attacks by clicking a link or infected attachment (commonly an Adobe PDF or Flash file) delivered in e-mail, instant messages, or other electronic communication appearing to come from a trusted source.

Google declined a WS interview request, saying it would have no comment while it continues its investigation.

Exploiting an IE vulnerability, the malicious code directs victims to sites with scripts capable of accessing data from their PCs and otherwise controlling the machines, according to Andrew Brandt, lead threat research analyst at the security software company Webroot. “It was a pretty nasty hybrid scripting and malware attack against the people who were targeted,” Brandt added.

Nasty, yes. But novel? While any unpatched vulnerability is bad news, this attack scenario isn’t unfamiliar to security veterans. Paul Roberts, enterprise security analyst at the 451 Group, says the attack reminds him of last year’s reports about GhostNet, a cyber-spying operation also believed to be based in China that allegedly targeted various government and political entities — including the offices of the Dalai Lama.

“What’s new is, there’s a very explicit link and overt suggestion from Google and others that this is state-sponsored,” Roberts said. But on a technical level, he added, “this is just a summation of many of the trends that companies have been talking about for some time now — advanced persistent threats.”

Microsoft downplays the threat, releases a patch

Still, the level of sophistication in the attacks — as well as their high-profile targets — has generated widespread publicity. Microsoft responded with a series of TechNet blog posts that sought to reassure IE users that the attacks have been limited and a fix was imminent.

For example, in a Jan. 19 post on the Microsoft Security Response Center blog, George Stathakopoulos, general manager for Trustworthy Computing Security, announced that an out-of-cycle patch for the vulnerability was forthcoming.

Prior to the patch’s release, the MS posts recommended various security measures. Jonathan Ness’s Jan. 15 post on the MS Security Research & Defense blog includes a chart laying out the real-world risk of attack for various versions of IE and Windows. The post also provides detailed instructions for defending against the threat.

The vulnerability, Ness wrote, “is an Internet Explorer memory-corruption issue triggered by an attacker using JavaScript to copy, release, and then later reference a specific Document Object Model (DOM) element. If an attacker is able to prepare memory with attack code, the reference to a random location of freed memory could result in execution of the attacker’s code.”

The post’s risk-assessment chart suggests that the attack’s most-serious threat is to IE 6 on Windows 2000 and XP. IE 7 on Windows XP could be at risk — Microsoft has since acknowledged reports of proof-of-concept code to exploit the vulnerability in IE 7 — but Vista’s built-in Protected Mode can block the exploit automatically.

IE 8 is least threatened because Data Execution Prevention (DEP) is enabled by default in all versions of Windows on which IE 8 runs. DEP keeps code from executing in memory regions where it shouldn’t — effectively shutting down the type of malicious code delivered through the vulnerability. You should make sure DEP is enabled on all your PCs.

Not sure how to do this? Ness’s blog post includes a one-click Fix-it button that enables DEP in versions of XP and Vista where it isn’t enabled by default. (DEP requires both CPU and OS support, however.) If you want to use this solution, be sure to read Ness’s notes regarding version support and settings.

Further details on DEP — including instructions for determining whether it’s available for and enabled on your PC — are available in MS Knowledge Base article 912923. The text of the article suggests the instructions are for XP and Server 2003, but they also work on Vista and Win7.

Find the right mix of preventive measures

Many other security measures also can mitigate the threat. Enabling Protected Mode in IE 7 is imperative. (Protected Mode is on by default in IE 8.) To enable IE Protected Mode in Vista and Win7, click Tools, Internet Options, Security and check the Enable Protected Mode option at the bottom of the window, as shown in Figure 1. Unfortunately, Protected Mode is not available in XP.

Figure 1. Check the box labeled Enable Protected Mode on the Security tab of IE’s Options dialog to guard against malware attacks.

Microsoft’s security advisory suggests that you also can thwart these types of attacks through a number of additional, fairly drastic measures such as disabling JavaScript in IE, configuring IE to prompt before running Active Scripting and ActiveX controls, or even disabling these features completely.

However, after browsing a short while with ActiveX and scripting disabled, I quickly reverted to my previous security settings. Without those features on, you’re forced to click through a barrage of pop-up prompts, which makes browsing one big annoyance. (Even Microsoft’s Ness admits that disabling JavaScript “significantly impacts usability of many Web sites.”)

The 451 Group’s Roberts says another workaround that’s been suggested — blocking ranges of IP addresses known to be assigned to China — isn’t advisable. “That’s kind of a ham-fisted effort that would not be that effective, ultimately, but would disrupt your business,” he said. Also, these kinds of attacks don’t emanate from China alone.

But here’s an extra deterrent that does work: disabling JavaScript in Adobe Reader, which prevents infected PDFs from delivering code that exploits the vulnerability. This approach is more effective and far less disruptive than shutting down JavaScript, wholesale, in the browser.

To disable JavaScript in Adobe Reader, open Reader and click Edit, Preferences. Choose JavaScript in the left pane, uncheck Enable Acrobat JavaScript in the right pane, and click OK. (See Figure 2.)

Figure 2. Another way to protect against the recent malware attacks is to disable JavaScript in Adobe Reader by unchecking this option.

Webroot’s Brandt says very few people encounter legitimate PDFs that use JavaScript. If you do — such as a form that permits data entry — you can always enable the feature for that document only.

After disabling Reader’s JavaScript option, you can safely open PDF files that arrive via e-mail. If the file is blank or filled with gibberish, it’s probably infected, but the threat has been neutralized.
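The three mitigations above (DEP, IE Protected Mode, Adobe Reader JavaScript) are all settings you can read back to confirm they stuck. The following PowerShell audit is an added example written for this article, not code from Windows Secrets, Microsoft or Adobe; it assumes Adobe Reader 9.x keeps its per-user preferences under the "9.0" Registry key (change $ReaderVersion for other releases) and that you run it as the user whose IE and Reader settings you want to check.

```powershell
# Read-only audit of the three Aurora mitigations the article walks through:
# DEP policy, IE Protected Mode for the Internet zone, and Adobe Reader
# JavaScript. Added example; not code from Windows Secrets, Microsoft or Adobe.
# Assumption: Adobe Reader 9.x stores its preferences under the "9.0" key.
# Nothing here changes a setting; it only reports.

$ReaderVersion = '9.0'

function New-CheckResult($Check, $Ok, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Get-DepStatus {
    # Win32_OperatingSystem carries the system-wide DEP policy that KB 912923
    # has you read from System Properties: 0 AlwaysOff, 1 AlwaysOn,
    # 2 OptIn (only programs that ask for it; IE 8 opts itself in, earlier
    # IE versions do not), 3 OptOut (everything except a listed set).
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    $available = [bool]$os.DataExecutionPrevention_Available
    # DEP needs both CPU (NX) and OS support; AlwaysOff leaves IE without it.
    $ok = $available -and ($policy -ne 0)
    New-CheckResult 'DEP' $ok ("available=$available policy=" + $names[$policy])
}

function Get-IEProtectedModeStatus {
    # Zones\3 is the Internet zone. The DWORD named 2500 is the
    # "Enable Protected Mode" checkbox: 0 = enabled, 3 = disabled.
    # Neither the value nor the feature exists on XP.
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $props = Get-ItemProperty -Path $zone -ErrorAction SilentlyContinue
    $value = $null
    if ($props -ne $null) { $value = $props.'2500' }
    if ($value -eq $null) {
        New-CheckResult 'IE Protected Mode' $false 'not set (XP, or zone never configured)'
    } else {
        New-CheckResult 'IE Protected Mode' ([int]$value -eq 0) "2500=$value"
    }
}

function Get-ReaderJavaScriptStatus {
    # Edit, Preferences, JavaScript, "Enable Acrobat JavaScript" is stored as
    # the DWORD bEnableJS under JSPrefs; 0 = off. When the value is absent the
    # preference has never been touched and Reader's default (on) applies.
    $key = "HKCU:\Software\Adobe\Acrobat Reader\$ReaderVersion\JSPrefs"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $value = $null
    if ($props -ne $null) { $value = $props.bEnableJS }
    if ($value -eq $null) {
        New-CheckResult 'Reader JavaScript off' $false 'bEnableJS not set (Reader default: enabled)'
    } else {
        New-CheckResult 'Reader JavaScript off' ([int]$value -eq 0) "bEnableJS=$value"
    }
}

function Invoke-AuroraMitigationAudit {
    $results = @()
    $results += Get-DepStatus
    $results += Get-IEProtectedModeStatus
    $results += Get-ReaderJavaScriptStatus
    # Ok = False on any row means that mitigation is not in place for this user.
    $results | Select-Object Check, Ok, Detail | Format-Table -AutoSize
}

Invoke-AuroraMitigationAudit
```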

Roberts recommends that enterprises use virtualization technologies to isolate the browser from other areas of a PC. This effectively prevents malicious code from gaining a foothold.

The best defense: keep all your apps updated

A Jan. 18 TechNet post by MS senior security manager Jerry Bryant recommends upgrading to IE 8 and ensuring that all your software is up to date. Thomas Kristensen, chief security officer for Secunia.com, agrees:
  • “[Aurora] is not at all something that’s different from the risk that almost all users expose their systems to every day, because they don’t install updates in a timely manner.

    “Most users still run old versions of Real Player, Flash, Adobe Reader, Microsoft Office, and so on. There is already a pile of exploits for many of the older vulnerabilities in these programs out there, and thousands of users are being compromised every single day.”
Before Microsoft patched the Aurora vulnerability, Kristensen recommended using an alternative browser. But he adds, “an updated browser can’t protect against a vulnerability in [for example] Adobe Reader.”

Last but not least, heed the advice you’ve heard time and again: don’t blindly click anything that arrives in your inbox unexpectedly — even if it appears to come from a friend or colleague. Everyone I spoke to for this story said it’s better to contact the purported sender with a quick phone call or e-mail to ask about a suspicious link or attachment rather than click blindly and risk having your PC compromised.

Have more info on this subject? Post your tip in the WS Columns forum.

WS contributing editor Yardena Arar has written about technology for the New York Times, the Canadian Press, the Associated Press, and the Los Angeles Daily News. She was an editor of PC World magazine from 1996 to 2009.

 
Wacky Web Week

This vending machine gives and gives and gives

By Stephanie Small

A refreshing beverage or snack straight from a vending machine is a simple treat that almost everyone enjoys. Whether at work or school, allowing yourself to indulge in a soda or a cookie brings pleasure to even the most ordinary day.

Just imagine having the vending machine in this video at your school or workplace! Giving away everything from flowers to food — as well as cold, refreshing Coca-Colas — this treat dispenser produces more delighted responses than any vending machine you’ve ever dropped a coin into. You never know what it will dispense next! Play the video


 
LangaList Plus

Extend the life of your laptop’s battery

By Fred Langa

With proper care and feeding, the expensive lithium-ion batteries in your notebook PCs and other portable gear can run well for many, many years.

On the other hand, common battery-care mistakes will reduce your batteries’ run times and lead to needless and costly early replacement.

The care and feeding of laptop batteries

A reader named Rick got a new laptop for the holidays and is wondering how to maximize the life of its expensive batteries:
  • “I just got a new laptop with Windows 7 for Christmas. The new laptop has a 6-cell lithium-ion battery. How can I get the most life from my new laptop’s battery and make it last the longest?

    “Should I periodically charge and then use/drain the battery? Should I leave the battery in the laptop even when I’m using the AC plug? Will heat from the laptop when it’s plugged into AC affect the lithium battery?”
Excellent questions, Rick!

Heat is the enemy of lithium-ion (Li-ion) batteries. When your laptop runs on AC, it’s smart to remove the battery pack and store it in a cool place. Low temperatures forestall the inevitable and irreversible chemical changes that occur in Li-ion batteries.

In fact — and this will sound odd — if your laptop is mostly run off household AC power, you can greatly extend the life of its Li-ion battery this way: Run the battery down to about 40% of maximum charge, remove it, and store it in a tightly wrapped plastic bag inside your refrigerator! Storage at about 40 degrees F (4 to 5 degrees C) is ideal. Think of it as the 40-40 rule: 40% charge, 40 degrees F.

If you can, avoid running Li-ion batteries all the way down. Early portable electronics used nickel-cadmium batteries, which benefit from full discharge cycles. Conversely, Li-ion batteries last longer when kept in a charge state between 40% and 100%. It’s OK to run Li-ion batteries flat when you have to, but the ideal scenario for longest life is one full discharge cycle for about every 30 or so partial cycles.

Sad to say, even if you’re perfectly careful with your Li-ion batteries, they’ll slowly go bad on their own due to their irreversible and inevitable chemical changes. This is one of the main reasons why cool storage helps preserve Li-ion battery life: the cool temperatures slow the chemical reactions.

Even a well-maintained Li-ion battery will usually show signs of age two or three years after manufacture. That’s why it’s not a great idea to buy a second or spare battery for your laptop unless and until you really need to use one. If you buy a spare you don’t really need, it’ll slowly go bad on its own, giving you no (or reduced) return on your investment.

If you do have a spare battery, store it in the fridge with about a 40% charge when it’s not in use.

When you buy replacement batteries, check the date of manufacture. This will usually be stamped or printed on the battery case. Cut-rate, bargain batteries may have been sitting on a warehouse shelf for a couple years, meaning that a good chunk of their useful life has passed before you ever plug them in.

With careful use, you can get 300 to 500 charge cycles from a new, high-quality Li-ion battery — especially when the battery’s stored in a cool location when it’s not in use. You should get years of good service from such a battery. With just a little luck, by the time the battery no longer holds a useful charge, you’ll be ready for a new laptop, anyway!

These two excellent articles provide more information on Li-ion battery life:
  • How to prolong lithium-based batteries from BatteryUniversity.com
  • The care and feeding of Li-ion batteries from TechRepublic.com

What’s causing the ‘event ID 51’ disk errors?

Jack Lavelle’s hard drive is generating tons of “event ID 51” errors in his system log:
  • “Can you guys take a look at this and tell me whether my XP system’s hard drive is going bad, or what?”
Figure 1 is the screen Jack sent along with his e-mail.

Figure 1. Jack’s system log lists literally dozens of “event ID 51” errors, a handful of which are shown here.

Unfortunately, “event ID 51” is nonspecific. Microsoft refers to it as a “generic error” in MS Knowledge Base article 244780, “Information about event ID 51.” Such a mild, generic error message suggests this isn’t a serious problem.

I suspect your disk is powering down when not in use. When the OS makes a call to the sleeping disk, the disk needs to spin up before responding. This timeout delay is probably the cause of the generic errors reported as “event ID 51.”

If my hunch is correct, the solution is to lengthen the time before your hard drives turn off. See the Microsoft article, “Configure Windows XP power management,” for instructions.

If changing the drive’s standby time doesn’t work, Microsoft says, you can troubleshoot event ID 51 errors by following the same steps outlined in KB article 154690, “How to troubleshoot event ID 9, event ID 11, and event ID 15 error messages.”

You can also check more directly on the drive’s mechanical health via the Self-Monitoring Analysis & Reporting Technology (SMART) feature that’s built into most modern drives. SMART data is stored within the hard drive itself and often can alert you to impending problems before they get serious.

Many hard-drive monitoring tools can access and display the SMART data. Two tools I like are PassMark DiskCheckup (info and download) and Active@ DiskMonitorFree (info and download). Both programs are free for personal use and also come in commercial versions for organizations.
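The diagnosis above comes down to two questions: when do the event ID 51 warnings occur, and does the drive itself think it is failing? The PowerShell below gathers both, plus the current disk idle timeout. It is an added example written for this column, not code from Windows Secrets or Microsoft; it assumes an elevated PowerShell 2.0 session (XP SP3 or later) and picks a seven-day window arbitrarily.

```powershell
# Summarise the "event ID 51" warnings in the System log, read the drives'
# own SMART failure-prediction flag, and show the disk idle timeout the
# column suggests lengthening. Added example; not code from Windows Secrets
# or Microsoft. Assumptions: elevated PowerShell 2.0; seven-day window.

function Get-EventId51Summary {
    param([int]$Days = 7)
    # The Disk source logs ID 51 when an I/O error occurs during a paging
    # operation. Counting per hour shows the shape of the problem: bursts
    # after idle periods point at spin-down timeouts, a steady stream at
    # something more serious (drive, cable, controller).
    Get-EventLog -LogName System -Source Disk -After (Get-Date).AddDays(-$Days) |
        Where-Object { $_.EventID -eq 51 } |
        Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name |
        Select-Object @{ Name = 'Hour'; Expression = { $_.Name } }, Count
}

function Get-EventId51Devices {
    param([int]$Days = 7)
    # Which device each warning names (\Device\Harddisk0\DR0 and the like),
    # so a single bad drive stands out from a system-wide issue.
    Get-EventLog -LogName System -Source Disk -After (Get-Date).AddDays(-$Days) |
        ForEach-Object {
            if ($_.EventID -eq 51 -and $_.Message -match '\\Device\\Harddisk\d+\\\S+') {
                $Matches[0]
            }
        } |
        Group-Object |
        Select-Object @{ Name = 'Device'; Expression = { $_.Name } }, Count
}

function Get-SmartPredictFailure {
    # MSStorageDriver_FailurePredictStatus is what the disk class driver
    # exposes for SMART-capable drives. PredictFailure = True is the drive
    # reporting that a monitored attribute has crossed its threshold; it is
    # the same flag the SMART tools named in the column display.
    Get-WmiObject -Namespace 'root\wmi' -Class MSStorageDriver_FailurePredictStatus `
        -ErrorAction SilentlyContinue |
        Select-Object InstanceName, PredictFailure, Reason
}

function Get-DiskTimeoutSetting {
    # The "turn off hard disks" idle timeout of the active power scheme.
    # XP prints it on one line; Vista/7 print the setting name first and the
    # AC/DC values on the following lines, hence the trailing context.
    powercfg /query | Select-String -Pattern 'hard disk' -Context 0, 4
}

'--- event ID 51 per hour ---'
Get-EventId51Summary | Format-Table -AutoSize
'--- devices named in event ID 51 ---'
Get-EventId51Devices | Format-Table -AutoSize
'--- SMART failure prediction ---'
Get-SmartPredictFailure | Format-Table -AutoSize
'--- current disk idle timeout ---'
Get-DiskTimeoutSetting
```

An empty SMART table means the drive or controller does not expose the flag through this interface, not that the drive is healthy.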

Should I use Safe Mode for routine maintenance?

Joe Cervenka sent two questions in one e-mail. Here’s the first one:
  • “I recently came across two tricks and wanted to know whether they’re safe to use on my Windows XP computer. The first involves using Safe Mode to run various scanning programs (AVG antivirus, CCleaner, Smart Defrag, etc.) Do you have any feedback about this?”
Safe Mode is a kind of bare-bones Windows. In Safe Mode, your diagnostic or maintenance activities can proceed without the interruptions or interference that might be caused by the full complement of drivers and software that Windows normally loads.

That said, it’s probably overkill to use Safe Mode for minor maintenance tasks such as routine antivirus scans and normal disk defragmentation. On a healthy PC, tasks such as these run fine in your normal operating environment. But if you run into trouble — say, you have malware you can’t get rid of or your defrags are taking forever — booting into Safe Mode may help set things right.

Need help accessing Safe Mode? The oddly named BleepingComputer.com site has a good Safe Mode tutorial that applies to all versions of Windows.

Does a ReadyBoost flash drive really boost?

Here’s Joe’s second question:
  • “As for the other computer trick, a friend mentioned using a flash drive for ‘paging.’ What is paging? Is using a flash drive better than using the computer’s own HD for paging?”
Your friend is referring to ReadyBoost, a technology built into Vista and Windows 7 that can use a flash drive as a kind of extra scratchpad memory. Windows stores memory in chunks called “pages” — hence the “paging” terminology.

I don’t recommend ReadyBoost. Flash drives wear out after a finite number of write cycles, so it seems questionable to use flash drives in a high-wear activity such as supporting a pagefile. Even worse, real-life tests show little or no speed benefit from ReadyBoost. So why bother?

If you still want to give ReadyBoost a shot, you’ll find more information in my June 25, 2009, column, “Use ReadyBoost and pagefiles on flash drives?”

What’s this about Windows 7’s ‘God Mode’?

Jim Bennett heard about a reputed “God Mode” for Windows 7:
  • “Don’t know if you folks found this already. Came across it on a Facebook post from a friend. Pretty neat way of getting to everything one might need to work on Windows. The trick is posted [on the IThinkDifferent site].”
The “God Mode” trick is real — sort of — but it’s seriously misnamed. All it does is give you a very large, alphabetic list of Control Panel tasks; no more, no less. You can’t do anything in God Mode that you can’t also do by accessing Control Panel the normal way.

There’s a nice explanation of this and other “shell folders” for Win7 and Vista in an article on the Windows Valley site.

Amusingly, the “God Mode” name is actually irrelevant. You can name the folder anything you want, and it will work exactly the same way. If the original posts had called it “Idiot Mode,” it would function identically, but then no one would want to use it!

God Mode might be useful to those who prefer scrolling a large list to using icon-driven navigation. But just realize that this trick is really not in the least godlike. It’s just a different way to access Control Panel tasks!

Have more info on this subject? Post your tip in the WS Columns forum.

Fred Langa is editor-at-large of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.

 
Insider Tricks

Five productivity-enhancing Registry tweaks

By Scott Dunn

You’re just minutes away from faster Start menus and shutdowns, shorter application “hangs,” fewer annoying disk-space popups, and easier encryption.

A few simple Registry changes can quash annoyances, improve performance, and add new features to Windows.


Before you begin, create a restore point

Some of the best Windows improvements come from simple edits you can make in the Registry — the central database that stores configuration settings and options for all the hardware and software in a Windows system.

Editing the Registry is pretty easy — some might say too easy. Change or delete the wrong Registry key, and you may create more problems than you solve. So work carefully, and back up the Registry by setting a restore point before embarking on any Registry revisions.

• In XP, choose Start, All Programs, Accessories, System Tools, System Restore. Check Create a restore point, click Next, and follow the prompts.

• In Windows 7 and Vista, click Start, type SystemPropertiesProtection, and press Enter. Confirm any security prompts, click Create, type a name for the restore point, and click Create again.



 
Perimeter Scan

Browser forensic tools find malware entry points

By Ryan Russell

Malware removal is only the first step in fighting an infection.

Your job isn’t finished until you’ve determined what the malware is, how it breached your defenses, and how to prevent similar infections in the future.


Your browser history tells the malware tale

My past malware-related columns focused on removing an infection. This is usually the immediate goal when working to fix your home PC. But it’s not the only goal.

For example: In a corporate setting, a good IT department will not only remove an infection but also do a forensic analysis to determine how the malware got in, what damage it did, and how to prevent recurrences.

There’s no reason why you can’t do the same on your own PC.

In my experience, when malware infiltrates a PC, it usually comes in through the machine’s browser. Fortunately, browsers maintain extensive logs of your Web activity, and some of these can be the key to a successful forensic investigation of just how the malware got in.



YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2012 by WindowsSecrets.com. All rights reserved.
