Windows Secrets

Subscribers: Sign in

Enter your e-mail address to get a free subscription.
We guarantee your privacy
Skip to content
  • Home
  • Newsletter Archives
    • Current
    • LangaList Plus
    • Patch Watch
    • Wacky Web Week
    • Security Baseline
  • E-Books
  • Lounge
  • About us
    • Refunds
    • Privacy Policy
    • Advertise
  • Contact
  • Your Account
    • Upgrade
    • Preferences
    • Bonus Download
    • Unsubscribe
Home>Unpatched software abounds on user systems

Windows Secrets Newsletter • Issue 121 • 2007-09-06 • Circulation: over 400,000

Table of contents 
  • Top Story: Unpatched software abounds on user systems
  • Known Issues: How to fix problems Software Inspector finds
  • Wacky Web Week: Danish engineers find low-tech speed limit fix
  • Perimeter Scan: Sony renews rootkit debate with USB drives
  • Patch Watch: MS server error marks PCs as ‘nongenuine’
 
Top Story

Unpatched software abounds on user systems

Scott dunn By Scott Dunn

Readers of the Aug. 16 issue of Windows Secrets took our advice and used the Secunia Software Inspector service in droves.

The results show that — even though our readers are more tech-savvy than the average computer user — thousands of you apparently still use computers with unpatched software.

Software Inspector finds many unpatched apps

After we recommended that our readers use Secunia.com’s Software Inspector, the link we provided was clicked more than 63,000 times. The service scans PCs for applications that lack available security patches.

Secunia.com provides us with aggregate counts of the number of products installed and the percentage that are unpatched. No personal information is collected. Table 1, below, shows the top 20 unpatched applications installed on the systems of Windows Secrets readers. (Several readers ran the scan more than once, which is why some apps show up more than 63,000 times.)

The figures reveal that many people haven’t patched their media players and other run-time software: Java, Flash, QuickTime, Adobe Reader, and RealPlayer. This exposes you to infected media files. I’ll explain below how you can keep these apps patched and your computer safer.

Table 1. Unpatched products on Windows Secrets readers’ systems.


Product
 Number
installed
 Percent
unpatched
 Number
unpatched
Java JRE 1.6.x/6.x
 70,860
 38.08
 26,983
Java JRE 1.5.x/5.x
 60,465
 98.84
 59,764
Flash Player 9.x
 73,256
 62.03
 45,441
Flash Player 8.x
 14,885
 99.84
 14,861
Flash Player 7.x
 14,659
 99.88
 14,641
Flash Player 6.x
 19,179
 76.47
 14,666
Flash Player 5.x
 8,683
 99.85
 8,670
Flash Player 4.x
 3,745
 99.92
 3,742
QuickTime 7.x
 28,752
 33.85
 9,733
QuickTime 6.x
 3,944
 99.87
 3,939
Internet Explorer 7.x
 41,914
 10.16
 4,258
Internet Explorer 6.x
 14,008
 20.33
 2,848
Adobe Reader 7.x
 29,767
 11.89
 3,539
Adobe Reader 5.x
 2,956
 99.90
 2,953
WinZip 8.x
 3,715
 99.87
 3,710
Firefox 2.0.x
 25,981
 14.71
 3,822
RealPlayer 10.x
 16,471
 16.73
 2,756
RealPlayer 6
 2,213
 97.65
 2,161
Yahoo! Messenger 8.x
 4,417
 44.78
 1,978
Winamp 5.x
 5,700
 34.25
 1,952

How to keep your system up to date

Reducing security risks on your system means keeping all of your applications up to date, not just the operating system. To do that, you need a two-pronged approach.

First, if you’re not using Windows’ Automatic Updates feature, run Microsoft Update once a month after Patch Tuesday (the second Tuesday of each month, when Microsoft releases security updates). If possible, install Microsoft’s patches after you read the Windows Secrets Newsletter on the Thursday after Patch Tuesday. We may report glitches you should avoid, while still ensuring that you can install the latest Microsoft Windows and Office security updates within two days of their release.

Second, consider turning on the auto-update feature of your individual applications to make sure they’re updated regularly. See my Aug. 16 story for details on how to do this.

Understandably, many people (particularly in companies with thousands of users) don’t want auto-updating turned on for every user. Companies often prefer to test individual updates before everyone in the organization adopts them.

If you prefer this more cautious approach, use the Secunia Software Inspector once a month to tell you what applications have patches available. Then update the individual applications manually (after running your usual research-and-test regimen).

Enterprises can run Secunia’s Network Software Inspector, a commercial application that has recently emerged from beta testing. The program reportedly scans PCs for more than 4,000 applications and versions.

For information on removing out-of-date software, see this week’s installment of Known Issues.

Get an automatic reminder to check for updates

The biggest challenge in manually checking for reminders is remembering to do it on a regular basis. Fortunately, Windows’ Scheduled Tasks accessory can help out.

How to schedule an update reminder in Windows XP

You can make Scheduled Tasks run a script that launches Internet Explorer 7 with Microsoft Update in one tab and Secunia Software Inspector in another. I use IE 7 in this example because Microsoft Update won’t run in most other browsers, such as Mozilla Firefox. The technique shown below is adapted from a Windows Scripting Host script published by Tony Schreiner in his MSDN blog.

Step 1. Open your favorite text editor, such as Notepad. Type or paste in the following five lines:

var navOpenInBackgroundTab = 0×1000;
var oIE = new ActiveXObject(“InternetExplorer.Application”);
oIE.Navigate2(“http://update.microsoft.com”);
oIE.Navigate2(“http://secunia.com/software_inspector/”, navOpenInBackgroundTab);
oIE.Visible = true;

Step 2: Save the file with a .js extension. For example, I named mine Update-me.js.

Step 3: Choose Start, All Programs, Accessories, System Tools, Scheduled Tasks.

Step 4: In the Scheduled Tasks window, double-click Add Scheduled Task.

Step 5: In the Scheduled Task Wizard, click Next. Then click Browse.

Step 6: Locate and select Wscript.exe in Windows’ System32 folder. (Or just type c:WindowsSystem32Wscript.exe in the File name box; your path may differ.) Click Open.

Step 7: In the next step of the wizard, select Monthly and click Next.

Step 8: Specify a start time. Select the second radio button and specify the second Tuesday. Leave all months checked. Click Next.

Step 9: Enter your account name and password for an administrator account. (Only administrators can install updates.) Click Next.

Step 10: Check the box for opening advanced properties and click Finish.

Step 11: When the Wscript Properties dialog box opens, click at the end of the line in the Run box. Type a space followed by the path to your script (.js) file. If the path includes spaces or long names, put it in quotation marks. For example, when you’re done, the finished command should read something like this:

c:windowssystem32wscript.exe “C:My Documentsupdate-me.js”

Step 12: Click OK. Enter your account name and password again, if prompted. Click OK.

As long as you are logged in as an administrator on the appropriate day, Scheduled Tasks will open a browser with these two sites, reminding you of this important chore.

How to schedule an update reminder in Windows Vista

The Microsoft Update site in Vista has been replaced by a Control Panel applet. To automate the reminder in Vista, you’ll need to set up two automated processes: one for patching Windows, and another for launching a browser showing the Secunia Software Inspector.

Follow these steps to run Windows Update once a month after Patch Tuesday:

Step 1: Choose Start, type Task Scheduler, and press Enter. Click to confirm User Account Control.

Step 2: In the far right pane, click Create Basic Task.

Step 3: In the Create Basic Task Wizard, type the name of your task and (optionally) a description. Click Next.

Step 4: Select Monthly and click Next.

Step 5: Specify a start date. For Months, choose Select All Months in the pop-up menu. Click On and specify the Second Tuesday. Click Next.

Step 6: Leave Start a program selected and click Next.

Step 7: For Program/script, type c:WindowsSystem32Wuapp.exe (your path may differ).

Step 8: Click Next and then click Finish.

Follow these steps to run Software Inspector once a month after Patch Tuesday:

Step 1: Follow steps 1 through 6 above but specify a different task name in Step 3.

Step 2: For Program/script, specify the path to your preferred Web browser. In the Add arguments (optional) box, type http://secunia.com/software_inspector/.

Step 3: Click Next and then click Finish.

Windows will launch these tasks on the appropriate day, reminding you to proceed with your checks.

Protecting your system involves many tools, including antimalware tools and regular system updates. Adding Secunia Software Inspector to your toolbox, you can help ensure that your major add-ins are patched in addition to Windows.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.
 
Known Issues

How to fix problems Software Inspector finds

By Scott Dunn

In the Aug. 16 issue, I pointed out that the Secunia Software Inspector may find multiple versions of unpatched products on your system.

Older programs and Web sites may need the older versions of run-time software. But the old run-time code represents a security risk. For the greatest safety, uninstall the older files and then install updated software.

Removing outdated versions of risky applications

A number of readers seemed flummoxed by this situation. Chris Vetter gives us his take:
  • “Scott Dunn’s article brought attention to the outdated versions of Java, Flash Player, QuickTime, and Adobe Reader existing on many people’s computers. He failed to point out this is not necessarily because people fail to update, rather because applying the latest update does not remove the older versions. This helps explain why so many computers tested positive.

    “A step-by-step instruction is needed for the often-required manual removal of the artifacts of Registry entries and old folders.”
In many cases, outdated versions can be eliminated by using the Add or Remove Programs applet in the Control Panel. Because you may need the older version, however, make a backup before continuing, as I advised in the last issue.

When you’re ready to remove the software, open the Control Panel and double-click Add or Remove Programs. In the case of Java, an entry for each version normally appears in the Add or Remove Programs list. Select the version you don’t want, click Remove, and follow any other prompts you see on screen. Repeat for each outdated version.

Note that not all versions have the same name. For example, the name of some entries for Java begin with “Java,” some begin with “J2SE,” and so on. So scan the list carefully to find the version you want to remove.

If the software you want to remove does not appear in the Add or Remove Programs list, you can always delete the outdated file or files listed in the Secunia report. This may not completely uninstall the product (for example, any Registry entries will be unaffected), but at least you will have removed the files that hackers need to cause harm.

For help on removing older versions of Flash Player, see the next section.

Ferreting out old versions of Flash Player

Many readers of the Aug. 16 story on Secunia Software Inspector had the same question as Gordon Pinkham:
  • “When I tell Software Inspector to browse in non-default locations for old media players, it comes up with quite a few, most particularly Macromedia Flash players. Unfortunately, they do not appear in the Control Panel, so they can’t be deleted that way.

    “I have used Adobe’s routine for uninstalling old Flash ActiveX controls. But that apparently doesn’t work on old Macromedia players.

    “Can you tell me how to get rid of old Macromedia players?”
Fortunately for us all, reader Roger Hart sent in a link to an Adobe Web page where you can download an uninstaller that appears to remove a number of versions of Flash Player. (I tested it with versions 5, 7, and 8.) Thanks, Roger!

If that doesn’t work for you, Adobe’s support team has published a TechNote explaining how to manually remove Flash Players version 6 and earlier from your computer. Just follow the steps at the link.

Update Checker points to newest versions

Reader Tom Kustner points out another tool that checks your software for updates:
  • “I have also used the FileHippo.com Update Checker, which will look at your system and determine which packages need updating, including the ones you mentioned (Flash, Java, RealPlayer, WMP, etc). It gives you one-stop shopping for downloads.”
Thanks, Tom. Unlike Secunia.com, Update Checker requires a downloaded utility rather than running from a Web site. In my quick test, Update Checker failed to find an older version of Java that I had on my system. On the other hand, it also found several nonupdated applications and drivers that Secunia did not report. This may be attributable to the fact that Update Checker looks for the latest version of products, while Secunia focuses solely on products that need critical security updates.

As Tom points out, the results page for Update Checker includes a download button for each. But a newer version is not always desirable in these cases — for example, when a product changes from freeware in one version to shareware in another. If you use Update Checker, look into the tradeoffs before you upgrade.

NetChk expiration forces a shift in tactics

In the July 13, 2006, issue, editorial director Brian Livingston recommended Shavlik Technologies’ NetChk Protect. He described it as a way for experienced Windows users to avoid installing Microsoft’s WGA (Windows Genuine Advantage) utility.

As reader Jon Bondy reminds us, NetChk Protect was free for users on up to 10 PCs for one year:
  • “I used Shavlik for most of a year, but it now says my trial version has expired. Many of your other readers are about to encounter the same situation. What do you recommend that we do?”
As Brian announced in a Nov. 30, 2006, article, Shavlik ended the 1-year trial offer and has been withdrawing from the consumer market.

For now, we recommend novices use Microsoft Update, which is an improvement over the built-in Windows Update. Change its setting to Notify me but don’t automatically download or install them. Then keep reading Windows Secrets to learn which updates it may be inadvisable to install.

Advanced users who want a separate patch management system can check out the options listed on the Security Baseline page of the Windows Secrets Web site.

Don’t lose those Office shortcuts

In the Aug. 16 issue, I explained how to create shortcuts to Microsoft Office applications with the PsExec utility. Office’s default Start menu shortcuts do not have editable command lines. But reader Robin Penny points out an advantage of these installer-created shortcuts:
  • “These ‘nonstandard’ shortcuts not only launch the program but also initiate a self-repair process if key files or Registry keys are missing. I would advise users who create a PsExec shortcut for these to also retain a copy of the old shortcut in order to maintain an entry point to this self-repair mechanism.”
Thanks for pointing this out, Robin. According to Microsoft Knowledge Base article 229396, these shortcuts also enable Office’s “installed on first use” feature (for programs that are designated as such during installation). For more information on the repair feature, see KB article 822238. And keep those old shortcuts handy!

Readers Vetter, Pinkham, Hart, Kustner, Bondy, and Penny will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
 
Wacky Web Week

Danish engineers find low-tech speed limit fix

Traffic controllers
 Making motorists stay within the speed limit is a problem in every country. But not every nation brings the same level of creative problem-solving to the issue as Denmark. With 70% of motorists going over the speed limit, traffic engineers decided that something had to be done.

To the rescue come the Bikini Bandits, who are trained — and dressed — to get motorists to slow down. As a hilarious video by the Danish Road Safety Council shows, the solution is not without problems of its own. Note: Not safe for work, reveals bare torsos. Play the video
 
Perimeter Scan

Sony renews rootkit debate with USB drives

Ryan russell By Ryan Russell

The Sony Corporation seems bound and determined to install copy-protection software, including rootkits, no matter how many different products it has to use.

Read on to find out about Sony software that you may have paid for, but you don’t really want.

Who infected my PC with a rootkit?

I recently taped a podcast for internal distribution at my workplace with Amrit Williams, a former Gartner analyst and the current CTO at BigFix. (He and I work together.) One of the questions he asked me was, “Are rootkits a common threat or are they something exotic you rarely see?” I replied that my opinion was they’re uncommon, because attackers don’t seem to have to bother. Too many PC users still fall for the easy stuff.

There have been a couple of minor examples of malware in the wild that included a rootkit, but nothing significant. So has all my worrying about rootkits been pointless? Unfortunately, no. At least one group is still out to infect you. They call themselves Sony.

Do you remember my Nov. 22 and Dec. 15, 2005, columns about the rootkits on Sony BMG audio CDs? The company is at it again. F-Secure tells us that a rootkit is installed when you use Sony’s MicroVault USM-F software for its fingerprint-reading flash drives. This does appear to me to be a rootkit, albeit a relatively benign one. If you don’t like the term “infected,” substitute the word “affected.”

Have you been ‘affected’ by Sony?

F-Secure used a product called BlackLight to detect the Sony USB drive software. (You can download a free trial that will work until Oct. 1, F-Secure says.)

I myself found out that I had some extra Sony software I didn’t want by using Microsoft’s RootkitRevealer. (This product was originally from SysInternals before MS acquired the company.)

This article is part of our paid content. Subscribe.

Already a paid subscriber? Click here to login.

 
Patch Watch

MS server error marks PCs as ‘nongenuine’

Susan bradley By Susan Bradley

Windows Genuine Advantage: now more genuinely annoying for genuine users of Vista.

A software failure at Microsoft over the weekend falsely branded thousands of legitimate users’ PCs as “nongenuine” and restricted some capabilities.

WGA wreaks havoc on genuine users

First off, I’d like to say that I’m a business person. In full disclosure, I own about 100 shares of Microsoft stock in my retirement plan. I understand the business needs of Microsoft. I understand that most consumer software is licensed for use on one computer per purchase, although many consumers don’t accept that. (It should be said that certain versions of Microsoft Office do permit multiple installations.)

But normally, when a company deals with customers, it takes a friendlier approach than Microsoft is taking with WGA.

On Aug. 28, WGA program manager Alex Koch explained in the WGA blog a serious software failure that marked legitimate copies of Windows Vista as “nongenuine” on Aug. 24 and 25. While I commend his frankness, this is one area where Microsoft really needs to remember who pays its salaries. You, the genuine customers, do. When you buy Vista, you don’t expect to be called a thief when Microsoft has server problems (see Figure 1).

WGA validation error
Figure 1. The error message that Microsoft’s WGA server wrongly displayed.

This article is part of our paid content. Subscribe.

Already a paid subscriber? Click here to login.

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

 HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period.  Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,
  • Visit our Unsubscribe page.
Copyright © 2012 by WindowsSecrets.com. All rights reserved.

Table of contents

Top-scoring articles in the past 12 months
  • Leaving long cookie trails throughout the Web 5.00
  • Windows-like security for Android devices 5.00
  • Win7′s no-reformat, nondestructive reinstall 4.53
  • The sorry tale of the (un)Secure Sockets Layer 4.42
  • RPV: Win7′s least-known data-protection system 4.33
  • Recovery: the last step in total data security 4.30
  • Time for a .NET update we can’t ignore 4.30
  • Getting the most from Windows Search — Part 1 4.25
  • Revising printing habits saves money and trees 4.25
  • Upgrades end in erratic, partial hangs 4.25
  • Pros and cons of a ‘keyfile’ password 4.21
  • Beating back Duku and a plethora of other threats 4.20
  • Office 2007 gets its final service pack 4.19
  • Putting Registry-/system-cleanup apps to the test 4.19
  • One year and 99 security bulletins later 4.18
  • 1.8TB external drive goes down hard 4.17
  • Don’t pay for software you don’t need — Part 3 4.16
  • Internet Explorer gets another round of patches 4.15
  • Is your free AV tool a ‘resource pig?’ 4.15
  • Vacation’s over; it’s a big round of patches 4.15
  • Remote access leads to remote attacks 4.15
  • Keeping you up to date: say no to .NET — again 4.14
  • Take control of Google’s privacy policy settings 4.14
  • Office File Validation patch leads to problems 4.14
  • The advanced system-recover toolkit 4.13
  • New “419″ scam involves PayPal and Western Union 4.12
  • Readers’ best personal-privacy tips 4.11
  • Getting the most from Windows Search — Part 2 4.11
  • Re-examining Dropbox and its alternatives 4.10
  • Easily edit Windows’ right-click context menus 4.09
Connect with us Follow us on Twitter Connect with us on Facebook View our RSS Feeds
  • Home|
  • Newsletter|
  • About Windows Secrets|
  • Advertise with us|
  • Unsubscribe|
  • Sitemap|
  • Affiliates|
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of iNET Interactive. All other marks are the trademarks or service marks of their respective owners.
iNET Interactive Copyright © 2011 iNET Interactive.
All rights reserved.
Terms of Use  |  Privacy Policy
Internet Services
  • Web Hosting Talk
  • HostingCon
  • Hosting Catalog
  • Host Voice
Web Development
  • Hot Scripts
  • DB Forums
Digital Marketing
  • ABestWeb
  • Search Marketing Standard
  • PayPerClickUniverse
  • SEMCompare
Consumer Tech
  • Windows Secrets
  • Overclockers
  • Mac Forums

Learn more about
advertising opportunities across the iNET Interactive Network.

LiquidWeb