Windows Secrets


Windows Secrets Newsletter • Issue 210 • 2009-08-13 • Circulation: over 400,000


Table of contents 
  • Top Story: Sun, Apple, Microsoft install chaff with patches
  • Known Issues: Gmail activity log helps you detect hijacking
  • Wacky Web Week: Water fights that will make you cry uncle
  • LangaList Plus: Free utilities make Windows smaller, faster
  • In the Wild: Laptop rootkit is widespread but likely harmless
  • Patch Watch: Heavy patch week to block Web-based attacks

 
Top Story

Sun, Apple, Microsoft install chaff with patches

By Susan Bradley

When you apply a security update for one of the programs on your PC, beware of uninvited software that wants to come along for the ride.

Vendors are more and more often going over the line, piggy-backing unsolicited commercial products and services onto crucial security patches.

If you’re like many people, you were tricked into installing Apple’s Safari browser as part of an iTunes or QuickTime update — a marketing tactic the company has been employing for more than a year. (I reported in my March 27, 2008, Patch Watch column that Apple had quietly started installing its browser using a little-noticed check box.)

You may also have succumbed to Microsoft’s incessant offer of Silverlight and Office Live as part of the Microsoft Update service. And you may have tired of saying “no!” to downloading Internet Explorer 8. (I don’t feel IE 8 is a necessary upgrade, due to IE 7’s relative security and IE 8’s incompatibility with some sites, as I describe below.)

Now, the latest Sun Java update shows how cavalier some vendors have become in taking advantage of software updates, including vital security patches.

The latest Sun Java SE Update 16 (6u16), released on Aug. 11, includes seven security updates and fixes a few bugs. What the release notes don’t document, however, is that this update comes with a surprise.

The download process starts out normally enough, with the usual coffee-cup update icon in the notification area of Windows’ taskbar. (See Figure 1.)

Figure 1. Sun’s Java icon — the coffee cup at the far left — indicates the availability of an update.

However, after you begin the update, a confusing offer to download and install a 30-day trial of Carbonite Inc.’s commercial backup software appears. A small check box is preselected for download and installation. (See Figure 2.)

Figure 2. The option to install a trial version of Sun’s Carbonite backup software is prechecked in the Java updater.

Some Java patchers are not offered Carbonite but instead get Microsoft’s Bing search toolbar, which is preselected on many systems. (See Figure 3.)

Figure 3. Sun’s Java updater preselects the option to install Microsoft’s Bing search toolbar for IE along with the Java update.

That’s right, ladies and gentlemen. Not only may we have to uninstall random toolbars if we’re not careful with our Java updates, now we have to remove trial versions of commercial software that vendors quietly attached to a security update.

UPDATE 2009-08-20: In the Aug. 20, 2009, Known Issues column, reader Pete Poorman notes that Adobe’s updates for Flash Player and Adobe Reader attempt to install the Google Toolbar by default.


Microsoft pushes IE 8 as ‘critical’ to your PC

Microsoft is one of the biggest offenders in promoting nonsecurity updates via its security mechanism.

First in 2006, and again in 2007, the Redmond company installed its intrusive Windows Genuine Advantage app as though it were a “critical security upgrade,” as I described in a June 14, 2007, column.

In the latest such case, you’ll find that Microsoft has prechecked Internet Explorer 8 when you use Automatic Updates and choose the option to view available updates.

The company argues that IE 8 is a critical update to your operating system. In reality, the program may conflict with other software on your PC.

I’m postponing deployment of IE 8 on my computers, because I continue to encounter compatibility problems in my testing. The glitches are slowly being resolved, but I’m still not ready to give a blanket recommendation to upgrade to IE 8, nor am I comfortable applying it to the production systems I manage. (I described the problems and some solutions in a column on May 28.)

As the person in charge of managing PCs in my company, I need to test the program before it’s installed on production systems. By preselecting the IE 8 installation, Microsoft eliminates my ability to conduct responsible testing.

Even while claiming that IE 8 is a critical update, Microsoft continues to support the hopeless old version 6 of IE, as stated on the company’s IEBlog. IE 6 long ago stopped being a defensible browser and cannot now be considered secure by any stretch of the imagination.

If you’re still running IE 6, you should upgrade to IE 7 immediately. If your company uses a line-of-business app that requires IE 6, isolate that machine from the Internet and use it only until that app is upgraded.

Installing IE 8, however, should be considered optional and should not be associated with security patches.

(In an unrelated move, IE 8 will no longer silently make itself a PC’s default browser when users select the Express installation option. The change was revealed in a U.S. Department of Justice antitrust compliance report, as reporter Grant Gross explains in an IDG News Service article.)

Let’s put a halt to any marketing in updates

I understand that the publishers of “free” software sometimes need to push other programs that generate revenue. Whenever a vendor is offering useful software at no cost, I’m willing to consider some software bundles at the time of original download.

To avoid tricky bundles, you should consult sites offering advice about specific problems. One of the best is the Calendar of Updates’ Installers Hall of Shame, which lists uninvited programs that ride along with various apps.

It’s a completely different matter to use security updates to sneak software onto our PCs — there’s simply no other term for it. Corrupting a vendor’s security channel to promote a marketing opportunity violates our fundamental right to control the programs installed on our systems.

When it comes to bug fixes and security patches, I need to be able to trust that the changes vendors are making to my system are intended only to protect me. I strongly object to attempts to install any nonessential software as part of the update process.

To me, the marketing tie-ins described above step way over the line. I hope you’ll join me in urging software vendors to limit security updates to nothing but security updates.

Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

 
Known Issues

Gmail activity log helps you detect hijacking

By Dennis O’Reilly

A line at the bottom of the Gmail window indicates when your account was last used and also links to more-complete usage info.

You can use this activity log to determine whether someone has guessed your password and taken over your account.

In the Aug. 6 Top Story, “Gmail flaw shows value of strong passwords,” WS contributing editor Becky Waring explained how to create strong passwords that are easy to remember. Her story was inspired by the disclosure of a Gmail weakness that allows hackers to test thousands of passwords per day and take over poorly defended accounts.

A reader named James points out that the Gmail activity log can alert you to unauthorized use of your account:
  • “As a result of [reading] Becky Waring’s article — which I have rated as superb, by the way — I went back to Scott Spanbauer’s articles about the earlier Gmail flaws. [See Scott's April 23 story, "Gmail accounts hacked via unpatched hole," and his May 7 follow-up, "Google silently corrects Gmail CSRF hole."]

    “I help run a bulletin board that uses the commercial Invision Power IP.Board software. In recent months, we have been bombarded with spammers, mostly coming from Gmail accounts. So I can confirm that these exploits — both patched and unpatched — have been and are being used by the bad guys.

    “If you’re a Gmail user and are concerned as to whether your account password has been compromised, there’s a link at the bottom of the screen that shows when your account was used and from where.

    “At the bottom is a message Last account activity: xx minutes ago at IP xxx.xxx.xxx.xxx [or on this computer] and a link: Details. Click the Details link, and a pop-up window shows all sign-ins over the last couple of days, together with other useful info and a button to Sign out all other sessions.”

Figure 1 shows the information presented in the Gmail account activity log when you click the Details link.

Figure 1. View recent activity on your Gmail account to determine whether someone other than you has signed in. (All IP addresses are obscured in this image.)

If you find unfamiliar IP addresses or activity recorded when you weren’t using the account, reset your password immediately and notify Google of the breach.

UPDATE 2009-08-20: In the Aug. 20, 2009, Known Issues column, reader Dan Juroff describes how he used Gmail’s activity log to detect an attack on his company’s network.


Microsoft’s ambiguous advice on strong passwords

When it comes to crafting strong passwords, it can be difficult to know whom to believe, especially when the same source offers conflicting advice. A reader who goes by the name of RockDoc was befuddled by contradictory information on Microsoft’s site:
  • “Waring discussed the usual caveats and solutions to designing better passwords and provided a link to [Microsoft's] Windows password checker, which also links to a document in which Microsoft discusses password design.

    “In that latter document, Microsoft properly notes that passwords with obvious substitutions are less safe than otherwise:

    Avoid using only look-alike substitutions of numbers or symbols. Criminals and other malicious users who know enough to try and crack your password will not be fooled by common look-alike replacements, such as to replace an ‘i’ with a ‘1’ or an ‘a’ with ‘@’ as in ‘M1cr0$0ft’ or ‘P@ssw0rd.’ But these substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case, to improve the strength of your password.

    “In a deliciously ironic (and most certainly inadvertent) piece of engineering, however, Microsoft’s own password checker rates the poorly designed password M1cr0$0ft as strong! Gotta love ‘em!”

Some readers questioned the security of entering passwords for strength testing on Microsoft’s unencrypted Web page. This shouldn’t pose a risk, though, because Microsoft states on the page itself that no information is transmitted to Microsoft’s servers or across the Internet in any way:
  • “Password Checker does not collect, store, or transmit information beyond the computer that you use to access Password Checker. The image works on your computer desktop until you navigate away from the page.”

The page operates by downloading a small JavaScript application to your browser. This app computes each password’s weak/moderate/strong rating locally. You can demonstrate this by temporarily disabling JavaScript in your browser, in which case the password checker no longer functions.

If anyone has evidence that Microsoft transmits across the Internet the passwords entered into this browser app, let us know immediately using the Windows Secrets contact page.

Bill McGarry reports that Microsoft’s app rates an entered password as “strong” if it is merely eight or more characters in length and has two out of three of the following: both uppercase and lowercase letters, one or more numerals, and some punctuation mark. To be sure, those are good rules of thumb, but Password1 (one of the first strings an attacker would try) would receive a “strong” rating.
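To make the two observations above concrete, here is an added example in JavaScript, written for this page; it is not the code of Microsoft’s Password Checker, whose source the column does not reproduce. `naiveRating` implements the eight-character, two-of-three rule exactly as Bill McGarry reports it (the column only says what earns “strong”; the “moderate” tier for a single character class is an assumption made here). `strictRating` goes one step further than the column: it first strips trailing digits and undoes the look-alike substitutions that Microsoft’s own guidance warns about, then refuses to call anything “strong” that reduces to a common word. The five-word dictionary is a constructed stand-in for a real common-password list.

```javascript
// Added example, not Microsoft's Password Checker code. Implements the
// character-class rule as reported in the column, plus a stricter variant.

// Rule reported by Bill McGarry: 8+ characters and at least two of
// {upper+lower case, a numeral, a punctuation mark} rates "strong".
// The "moderate" tier for exactly one class is an assumption made here.
function naiveRating(pw) {
  if (pw.length < 8) return "weak";
  const classesHit = [
    /[a-z]/.test(pw) && /[A-Z]/.test(pw), // both cases present
    /[0-9]/.test(pw),                     // at least one numeral
    /[^A-Za-z0-9]/.test(pw),              // some punctuation or symbol
  ].filter(Boolean).length;
  if (classesHit >= 2) return "strong";
  return classesHit === 1 ? "moderate" : "weak";
}

// Look-alike substitutions that the Microsoft guidance quoted above says
// attackers are not fooled by. The '1' and '@' pairs come from that text;
// the remaining pairs are the usual ones and are an assumption here.
const LOOKALIKES = {
  "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
  "$": "s", "@": "a", "!": "i", "|": "l",
};

// Constructed stand-in for a real common-password dictionary.
const COMMON_WORDS = new Set(["password", "microsoft", "letmein", "qwerty", "welcome"]);

// Reduce a candidate to the word it was probably built from: lowercase,
// drop a trailing run of digits ("Password1" -> "password"), then undo
// look-alike substitutions ("M1cr0$0ft" -> "microsoft").
function normalize(pw) {
  const lowered = pw.toLowerCase().replace(/[0-9]+$/, "");
  let out = "";
  for (const ch of lowered) {
    out += LOOKALIKES[ch] !== undefined ? LOOKALIKES[ch] : ch;
  }
  return out;
}

// Stricter checker: anything that normalizes to a common word is weak no
// matter which character classes it contains; otherwise fall back to the
// character-class rule.
function strictRating(pw) {
  const base = normalize(pw);
  if (COMMON_WORDS.has(base)) {
    return { rating: "weak", reason: "variant of common word \"" + base + "\"" };
  }
  return { rating: naiveRating(pw), reason: "character-class rule" };
}

// Usage: compare the two checkers on the passwords the column mentions
// (plus one that survives both checks).
for (const pw of ["Password1", "M1cr0$0ft", "P@ssw0rd", "Tr0ub4dor&3"]) {
  console.log(pw, "naive:", naiveRating(pw), "strict:", strictRating(pw).rating);
}
```

The point of the comparison is the one RockDoc and Bill McGarry make: a checker that counts character classes alone will rate Password1 and M1cr0$0ft as strong, because both satisfy the rule, while a checker that normalizes look-alikes and trailing digits before consulting a dictionary rejects both. A real deployment would need a far larger dictionary than the five constructed words used here.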

Several people told us about other password-strength checkers. One that goes to greater lengths than Microsoft in explaining what constitutes a weak or strong password is Password Meter. It’s available as an online password checker and also as a downloadable freeware program. You can find both at the Password Meter site.

No matter how strong a password you select, it won’t remain secret if you enter it on a machine that’s infected with a keylogger. For this reason, you shouldn’t sign in to online banking sites at random Internet cafés or any place without good antivirus protection.

Ensure passwords remain useful to your heirs

Becky’s article recommends that you avoid writing your passwords on sticky notes or saving them in an unencrypted text file on your PC. However, there’s one instance when this otherwise-sound advice doesn’t apply, as Allan Treadwell explains:
  • “Although I agree with the article on strong passwords, there’s one small-but-important thing left out. I had a friend who died recently of a brain tumour (he was 59) and, of course, he had many passwords that were not stored on the computer, only in his head.

    “As his memory went very rapidly, he forgot them, so his wife could not access some sites/programs easily, and others not at all.

    “So I would add to the article: Do write down your passwords and tell your next of kin where they are or how to access them.”

MarketWatch columnist Andrea Coombes offers free advice on this subject in a July 20 article, “Don’t take your passwords to the grave.”

For the ultimate — and I do mean ultimate — in online security, check out a service such as Legacy Locker, which promises to “grant access to online assets for friends and loved ones in the event of loss, death, or disability.” A free trial account lets you protect three assets, assign one beneficiary, and create one “legacy letter.”

For U.S. $30 a year or a one-time fee of $300, you can protect an unlimited number of assets, assign any number of beneficiaries, create as many legacy letters as you wish, back up important documents, and even upload a “good-bye” video.

Can I leave my folder full of corrupted Office files to Steve Ballmer?

Readers James, RockDoc, Bill, and Allan will each receive a gift certificate for a book, CD, or DVD of their choice for sending comments we printed. Send us your tips via the Windows Secrets contact page.

The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.

 
Wacky Web Week

Water fights that will make you cry uncle

By Stephanie Small

Remember when playing with squirt guns was the most fun a kid could have? The little streams of water kept you cool while also providing endless hours of fun. Then Super Soakers reinvented the water fight, blasting water at your foes in torrents!

Now the water fight has been taken to a whole new level with the arrival of super-duper waterboards. Sustained, powerful jets of water pulverize your opponents and make them obey your every command, all while keeping you safe and protected behind a plastic shield. Give it a try this summer at the park, in the yard, or on the beach. Your friends won’t know what hit them!


 
LangaList Plus

Free utilities make Windows smaller, faster

By Fred Langa

Microsoft keeps building more and more into Windows, but sometimes all you want or need is a bare-bones, minimal OS.

If small and fast is what you want, several free programs let you remove unnecessary Windows components to improve your system’s performance and reliability.


Put your Windows installation on a diet

John Casey is looking for a way to streamline his Windows installation by uninstalling the components he doesn’t need:

  • “Have you written articles about which components of Windows are safe to uninstall? I’m already a Firefox/Thunderbird user and I want to migrate to OpenOffice. Can I safely remove IE 8, the .NET Framework, etc.? I’m not a developer, I just use SAAS business applications.”

Many components and tools bundled with Windows can indeed be removed. There are two basic approaches. One technique involves removing Windows components by hand. The second and better of the two techniques takes a little doing but results in a fresh, stable, known-good minimal installation.

In fact, the second of the two approaches uses the same basic technology that OEMs use to produce their customized installations of Windows. (Of course, OEMs are more apt to put extra stuff in rather than take anything out!) This is also the same technology used to produce a “live CD” — a self-contained, bootable CD and repair-disk version of Windows.

1. Perfectly good technique

This article is part of our paid content.


 
In the Wild

Laptop rootkit is widespread but likely harmless

By Robert Vamosi

A presentation by two researchers at a recent security conference suggests that one particular rootkit-like program may be present in 60% of all laptops.

The absence of strong authentication in this well-intentioned, widely distributed program has the potential to compromise systems, according to the researchers, but I believe you actually face little risk.


Black Hat bark may be worse than its bite

There was considerable buzz around SMS and SSL vulnerabilities at this year’s Black Hat Briefings July 25–30 in Las Vegas. But the lion’s share of attention went to a 20-minute presentation given by Core Security researchers Alfredo A. Ortega and Anibal Sacco.

In a PDF paper titled “Deactivate the rootkit,” Ortega and Sacco said they were initially interested in showing how rootkits can infiltrate a PC’s BIOS. In the course of their research, however, they said they found that something with the potential to become a rootkit — Absolute Software’s Computrace LoJack for Laptops — was already embedded within their test laptop.

The concept is this: If a laptop with LoJack installed is stolen, the company can recover the device by pinpointing its IP address when the laptop connects to the Internet. Ortega and Sacco said the product may be embedded in as many as 60% of the laptops sold since 2005. Those notebook PCs use a BIOS from Phoenix Technologies that includes the LoJack detection system.

The researchers noted that “the antitheft agent must be stealthy, must have complete control of the system, and most importantly, must be highly persistent.” Specifically, the agent must be buried deep within the BIOS to survive a hard-drive wipe by thieves.

This article is part of our paid content.


 
Patch Watch

Heavy patch week to block Web-based attacks

By Susan Bradley

The Active Template Library (ATL) glitch in Microsoft’s Visual Studio, which was the subject of last month’s out-of-cycle update, requires yet more application patching this week.

Outlook Express, Windows Media Player, and various ActiveX controls are all vulnerable to the ATL security hole.


MS09-037 (973908)
A single weakness leads to multiple patches

My July 30 news update described Microsoft’s out-of-cycle patches for a problem caused by a single typo in the company’s Visual Studio Active Template Library. Unfortunately, we’re not done patching this glitch.

Released this week on Patch Tuesday were updates for Outlook Express, Windows Media Player, the Windows ATL Component, the DHTML Editing Component ActiveX control, and the MSWebDVD ActiveX control. The patches affect Windows 2000, XP, Vista, Server 2003, and Server 2008. Windows 7 and Windows Server 2008 R2 are reportedly not affected.

There are so many individual patches for this vulnerability that you need to review the list presented in Microsoft security bulletin MS09-037 to find the ones that apply to your system.

In my testing, none of these updates caused any problems.

This article is part of our paid content.


YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period.  Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,
  • Visit our Unsubscribe page.
Copyright © 2012 by WindowsSecrets.com. All rights reserved.
