Windows Secrets

Subscribers: Sign in

Enter your e-mail address to get a free subscription.
We guarantee your privacy
Skip to content
  • Home
  • Newsletter Archives
    • Current
    • LangaList Plus
    • Patch Watch
    • Wacky Web Week
    • Security Baseline
  • E-Books
  • Lounge
  • About us
    • Refunds
    • Privacy Policy
    • Advertise
  • Contact
  • Your Account
    • Upgrade
    • Preferences
    • Bonus Download
    • Unsubscribe
Home>Windows Genuine Advantage is still genuinely bad

Windows Secrets Newsletter • Issue 194 • 2009-04-16 • Circulation: over 400,000

Table of contents 
  • Top Story: Windows Genuine Advantage is still genuinely bad
  • Known Issues: Call to learn whether your Dell or HP is covered
  • Wacky Web Week: Feeling twitterpated? You’re not the only one!
  • LangaList Plus: Solving ‘me first’ software startup conflicts
  • Windows Secrets: There’ll be no easy upgrade from XP to Windows 7
  • Patch Watch: Critical patches released for Internet Explorer
 
Top Story

Windows Genuine Advantage is still genuinely bad

Ryan russell By Ryan Russell

Microsoft’s system for validating Windows before users can download most updates continues to be a problem for legitimate customers and for Internet security as a whole.

Despite claims of offering better security, Windows Genuine Advantage (WGA) serves only Microsoft’s marketing interests — but you can eliminate the need for WGA if you know the trick.

Microsoft has long been considered a marketing bully, but with WGA the company has taken its lack of consideration for its customers to a new low.

Windows Secrets has been tracking the WGA story for years. Editorial director Brian Livingston aptly labeled an earlier version of WGA as “Microsoft spyware” in a June 15, 2006, Top Story.

More recently, Brian remarked in a March 30, 2009, news update that PCs failing WGA validation don’t automatically receive all available patches from Microsoft. That spawned a critique from a Microsoft spokeswoman which was printed, along with Brian’s response, in technical editor Dennis O’Reilly’s Known Issues column on April 2. (There’s also an Office Genuine Advantage program, which you hear less about but has the same problems as WGA.)

We all want Windows systems throughout the world to be patched for security problems as soon as fixes are released. As a result of the fuss raised by the articles mentioned above, I decided to take another look at WGA.

Here’s what happens if a Windows machine fails WGA validation (or the PC’s owner, based on tales of disabled machines, is too frightened to run WGA):
  • Automatic Updates. If the machine is configured with Automatic Updates (AU) enabled, Microsoft installs only those security patches that the company rates as “Critical.” Security patches rated “Important,” “Moderate,” and below are not installed by AU, and no other updates of any kind are installed.

  • Windows Update and Microsoft Update. Microsoft’s on-demand patching programs, known as Windows Update (which updates Windows) and Microsoft Update (which updates Windows and other Microsoft products) will refuse to run.

  • Manual downloads. Security patches of all levels of severity can be downloaded manually from various Microsoft Web pages and installed individually, if you know where to look.
The third point is the trick to updating a Windows system, regardless of whether it passes WGA validation or you run WGA at all.

Let’s examine how various people and companies are using this method.

How companies patch Windows and avoid WGA

An individual who wants to avoid WGA hassles could visit Microsoft’s current security bulletin page and browse every new patch and advisory. However, it’s unreasonable to expect average Windows users to read each bulletin and decide which patches to install.

A better solution is to use patch-management (PM) software. Every day, dozens of third-party vendors obtain patches from known locations that Microsoft hosts on the Internet. Once the patches are downloaded by the vendors, their software can push the patches out to PCs on a LAN with no worries about WGA. (Disclosure: The company I work for, BigFix Inc., sells a patch-management product that does this for large enterprises.)

Corporations should install a PM solution that resides on a server and pushes patches to individual PCs across a LAN. Network Computing publishes a Rolling Reviews page that analyzes several major PM applications.

Individual PC users have several options to install all security patches — whether rated “Critical,” “Important,” or any other level of severity — without WGA hassles. The following are a few examples:
  • The Software Patch. You can do without Automatic Updates and Windows Update/Microsoft Update, which can be hamstrung by WGA, by using The Software Patch. This is a free Web service that WS contributing editor Scott Dunn reviewed — along with a handful of other alternative update services — in his Oct. 4, 2007, Top Story.

  • Online Software Inspector. My Dec. 18, 2008, column described Secunia.com’s Online Software Inspector (OSI). This free service scans your PC on demand. OSI then enumerates the security patches that are needed by your copy of Windows, in addition to patches for dozens of applications from Microsoft and other software vendors.

  • Personal Software Inspector. My previous column on OSI also described Secunia’s Personal Software Inspector (PSI). This is a free download that you install and run on your PC. At present, its primary purpose is to inform you of security updates for hundreds of applications, and you should run PSI in conjunction with Windows Update or Microsoft Update.
It’s beyond the scope of today’s article to rate the pros and cons of every patching alternative. I hope to bring you a new review of the latest products and services in the coming weeks.

The third-party services mentioned above are compelled by Microsoft to get Windows patches directly from Microsoft’s own servers. That means these services can only install security patches and other updates whose files will install without requiring WGA validation.

Fortunately, almost all Windows security patches (of all severity levels) and many other Microsoft updates install fine — regardless of WGA — if you download the files directly or via a third-party service. Microsoft currently lists on a Genuine Software page a few of its apps that do require WGA, such as Windows Defender, Windows Media Player, and Calculator Plus.

In fairness, Microsoft should get credit for posting all of its security patches (of all levels of severity) on publicly available URLs. At least this policy does provide the files to patch-management professionals who know these locations. By contrast, such firms as Red Hat, Sun, and IBM require contracts and log-in credentials before you can obtain some of these companies’ Linux, Solaris, and AIX patches, respectively.

The big question is this: why would Microsoft cripple its consumer patching tools — Windows Update and Microsoft Update — by disabling them if a PC doesn’t pass WGA validation? The only logical reason I can think of is because Microsoft wants to push WGA, and denying updates to users is the best stick the company can come up with. I believe this decision is a huge mistake.

Windows Update is a crucial service that must remain free from chicanery, because Windows Update is the default program for on-demand security checkups. In computing, defaults are everything. Windows Update is installed and available in every recent copy of Windows on the planet, whether those machines are correctly licensed or not.

Many people disable Automatic Updates because it’s intrusive and has been used in the past to install WGA and other nonsecurity updates. If users can’t run Windows Update as an alternative to AU, there’s a massive problem on the Internet. The battle against malware is already bad enough, and we don’t need anything to make the problem worse. When millions of computers become infected, the attacks from these machines become a problem for you, the paying customer of Microsoft.

DRM exists at the expense of paying customers

Call it what you will: WGA, Digital Rights Management (DRM), anti-piracy, or copy protection. It abuses the hospitality of paying customers in an attempt to thwart those who don’t want to pay. I don’t object one bit to paying Microsoft for the software I use. I do object to being forced to help a company in futile efforts to combat copyright violators.

Copy-protection harms legitimate users who are inconvenienced at best and forced to cope with nonfunctional software at worst. The bad guys, by contrast, aren’t harmed much at all. Pirate operations have the money and time to defeat every copy-protection mechanism. Once pirates have broken a DRM scheme, the unlocked software might be salable for months without the pirates’ needing to deal with the protection any further.

Do you dislike having to insert a CD into a drive to update Microsoft Office or play a game? Guess what: users of the pirated versions of those programs generally don’t have to deal with that. Only the legitimate buyers are inconvenienced.

I’ve been analyzing flavors of copy protection since the early 1980s. During those nearly 30 years, it’s always been the same. Copy protection primarily hurts legitimate users while giving bad guys merely a short period of entertainment.

I do recognize the gray area between the two extremes. There are many users who might violate a software publisher’s copyright if it were convenient to do so. But I still believe that the punishment imposed on a software company’s best customers is not worth the tiny impact on the real pirates.

I’m not saying Microsoft has to give away its products for free. I’m saying that a copyright owner’s battle against piracy is not my problem, so please quit making my life hard in a vain attempt to resolve your legal issues.

Microsoft’s lack of support for its best users, in the name of protecting intellectual property, sometimes reaches absurd levels. A recent example of this is Microsoft’s refusal to support its software on virtual machines unless the VM software is Microsoft’s own. (You can read the details about this in my blog entry posted April 2.)

Microsoft has gotten really aggressive about license protection. The pendulum needs to swing back in the direction of making things easier for the company’s customers.

Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
 
Known Issues

Call to learn whether your Dell or HP is covered

Dennis o'reilly By Dennis O’Reilly

You can’t rely on the information you find on some vendor Web sites to determine whether your overheating notebook qualifies for a free repair or replacement.

In a case recently publicized by Windows Secrets, you would need to contact the company’s tech-support staff directly to find out whether your system is covered by a special extended warranty.

One of the more-disturbing trends in the computer industry is the silent recall. In such cases, a vendor replaces faulty equipment only after the customer complains about it, rather than actively contacting buyers of the defective products.

This appears to be the approach HP and Dell are taking with notebook computers they sold — computers that use a defective Nvidia GPU (graphics processing unit) that overheats, burning out laptops and tablets.

WS contributing editor Michael Lasky described the problem with these notebooks in a Top Story in last week’s newsletter. He included links to a Dell forum thread and an HP forum thread, both of which describe the problem and provide more information.

However, several readers asked us for specific pages on the vendors’ sites, to determine whether a particular notebook is affected. Unfortunately, the problem seems to affect even more Dell and HP models than are listed by the vendors. Trevor Valentine found out first-hand how difficult it is to find this information:
  • “Interesting article (especially to an owner of a possibly defective Compaq laptop). Curious to see if my wife’s laptop was affected, I went in search of the defective lists that Mr. Lasky mentioned. This proved a tad tedious, as both Dell and HP seem to have done their best to bury any mention of a defective GPU.

    “Here are the lists that I was able to find. I hope that other readers will find these helpful. Interestingly, the second Dell link has this posted:

    Dell will offer a 12-month limited warranty enhancement specific to this issue. For all customers worldwide, we plan to add 12 months of coverage for this issue to the existing limited warranty up to 60 months from the date of purchase for the following systems …

    “HP lists all affected models along with instructions on possible ‘resolutions.’ The only lists I could find from Dell were listed on one of the corporate blogs.”
HP’s site offers document c01087277 with a list of Pavilion and Presario models the company says are affected. Dell hosts a forum post by “chief blogger” Lionel Menchaca that lists 10 Inspiron, Latitude, Precision, Vostro, and XPS models. A later Dell post lists 15 models.

I have personal experience that the HP list is incomplete, because an HP tablet that I owned — a Pavilion TX1100, which used the faulty Nvidia chip and got fried after only 18 months of use — is not included.

Tom Rupsis reminds us of another way to get a replacement for a defective product whose warranty recently expired:
  • “Michael Lasky’s ‘Dell and HP balk at replacing bad Nvidia chip’ article suggested purchasing an extended-service warranty to cover expenses related to the overheating motherboards. As an alternative, look into the features provided with the credit card that may have been used to purchase the laptop.

    “Many cards provide extended warranties at no additional cost to the consumer. I made use of this benefit when an HP laptop keyboard failed after 20 months. My MasterCard World card covered the cost of replacing the keyboard, even though HP’s one-year warranty had expired.”
Several readers pointed out that extended warranties for electronics equipment are often a waste of money, as a Consumer Reports article from November 2007 describes. However, the extended warranties offered by most major credit-card companies are usually free. This may be a good reason for you to charge your next computer purchase.

Tech support likes Malwarebytes’ antispyware

Recommendations continue to pour in from readers in response to Ryan Russell’s March 26 Top Story on programs that should be considered for the WS Security Baseline. A letter from an anonymous Microsoft tech-support staffer caught our attention:
  • “I read your newsletter and was disappointed by the offered antispyware listed. Spybot Search & Destroy was good back in the day, and so was Ad-Aware, but they aren’t what they used to be. They’re no longer effective, as the infection definition isn’t being worked on as passionately as they had been.

    “I work for Microsoft technical support, and 90% of the calls are due to spyware infections, so we ask customers to download Malwarebytes’ Anti-Malware. They have a totally free version. It’s the one we use for clients. It’s so effective, I feel confident the PC you’re using to read this has infections. Are you surprised? Even if it’s just minor adware, it’s an infection still.

    “If it weren’t for Malwarebytes.org, I’d be spending more time per call and asking customers to reload Windows more often, because finding one infection could take forever. … The application is painless to install, isn’t too bulky, and requires no reboot after install. The application is a winner all around.

    “The Internet is full of scams. It’s shocking to see it day in and day out.”
Ryan’s story never discussed Ad-Aware and mentioned Spybot Search & Destroy only because readers nominated it as one of the few options that will run on creaky old Windows 95 systems. But it’s good to be reminded that some programs that were once highly rated are no longer up to par.

The free version of Anti-Malware, the program the MS staffer recommends, allows you to perform manual scans for spyware on your system. For U.S. $24.95, you can unlock the program’s real-time protection, scheduled scanning, and scheduled updating. For more info, see Malwarebytes’ download page.

Readers Trevor and Tom will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.

The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.
 
Wacky Web Week

Feeling twitterpated? You’re not the only one!

flying twits By Katy Abby

Unless you’ve been hiding under a rock, you’ve probably been inundated by Twitter, the latest fad to take the social-networking world by storm. The 20-word tweets reflect every nuance of a tweeter’s life, down to the most mundane activity. Celebrities such as Ashton Kutcher and Demi Moore have hundreds of thousands of twits hanging on their every tweet, and the numbers are growing.

Who really needs this much information on their friends and idols? Even more to the point, who wants to broadcast their humdrum existence in such explicit and uninteresting detail to the nit-picking masses? Take a look at this hilarious animated short that explains “The Twouble with Twitters.” Just sit back, relax, and don’t make a peep! Play the video
 
LangaList Plus

Solving ‘me first’ software startup conflicts

Fred langa By Fred Langa

When two or more programs in your list of autostart apps insist on being the first, they can bring the entire startup process to its knees.

There are two ways to change the order in which your startup services and software load: one that’s easy but crude, and another that’s difficult but precise.

Playing referee when apps fight to load first

Hal Allert has several essential programs that need to start very early in the boot process. As a result, they end up stepping on each other’s toes:
  • “When my laptop boots up, I usually get the Red Shield from Windows Alert telling me that my Kaspersky Anti-Virus is turned off and I’m not protected. After closing that warning, Kaspersky AV starts up. It tries to get updates from the Web, but my Internet connection hasn’t completed yet.

    “Everything else is loading when it wants to, so other warnings are popping up. When my computer is finally connected to the Internet, things calm down. It would seem to be easier all around if the boot order were reversed. Is there a way for me to rearrange the order in which the programs are starting up?”

There sure is, Hal. In fact, there are two ways. One is easy and effective but ungraceful: you use a software tool that interrupts the normal startup process and inserts a user-configurable delay before each startup program runs. For example, you could tell your system to start loading your AV tool (or whatever) immediately and to postpone loading anything else for several seconds.

Because this reduces the multitasking load on your system, the AV tool should start faster than it would otherwise. You can set similar delays before each startup item. By carefully choosing startup delays, you can ensure that lower-priority programs on your autostart list don’t even attempt to run until all your top-priority software is up and stable.

Perhaps the best-known tool of this type is Startup Delayer (more info). It’s free and purposely built for this one task.

This article is part of our paid content. Subscribe.

Already a paid subscriber? Click here to login.

 
Windows Secrets

There’ll be no easy upgrade from XP to Windows 7

Mark edwards By Mark Joseph Edwards

XP users who plan to upgrade directly to Windows 7 will have to completely erase their existing installations to do so.

The Windows 7 installer may help you move your XP files and settings, but you’ll still have to reinstall all your applications.

Mainstream support for XP ends with a whimper

Windows XP is officially an orphan. Two days ago — April 14 — Microsoft stopped supporting XP for free. The exception is certain security patches, which will continue to be released until April 8, 2014, according to a schedule posted on Microsoft’s Help and Support site. Other than those patches, the only way to get any other type of XP fix now is by purchasing extended-support contracts, although they will also expire on April 8, 2014.

XP has been on the market since October 25, 2001, so there aren’t likely to be many new problems that will be fixed in the OS, apart from security holes. If you use XP, of course, you’ll probably want to continue to receive security patches.

For example, a devious person on a LAN can exploit a flaw in XP’s Internet Connection Sharing feature, according to an alert by eEye Digital Security. The firm first reported this in October 2006 and says Microsoft still hasn’t patched it in the intervening years. The problem is rather significant in that an untrustworthy user could disable the Windows Firewall on a host machine, possibly leaving it open to other attacks.

If you plan to migrate your XP system to Windows 7, you may be in for a bit of a shock. You’ll have to do a clean install of Windows 7, because Microsoft won’t offer a direct upgrade path from XP.

This article is part of our paid content. Subscribe.

Already a paid subscriber? Click here to login.

 
Patch Watch

Critical patches released for Internet Explorer

Susan bradley By Susan Bradley

Two separate updates for all IE versions prevent carpet-bombing attacks that are already targeting the browser.

One of the IE patches blocks remote-code execution on XP and Vista PCs that also have Apple’s Safari browser installed.

MS09-014 (963027) and MS09-015 (959426)
Don’t wait to apply these fixes for IE

Six separate vulnerabilities in Internet Explorer versions 5.01 through 7 are addressed in the cumulative security update described in Microsoft security bulletin MS09-014 and Knowledge Base article 963027. The patches prevent attacks that can be launched from malicious Web pages. These days, merely using a search engine can lead you to such sites.

The vulnerability was first discovered in the Windows version of Apple’s Safari browser. The “carpet bombing” attack is described in Microsoft security advisory 953818, which was initially released in May 2008 and was updated this week. To be fully protected, you must also install the patch described in Microsoft security bulletin MS09-015 and KB article 959426.

Even if you use Firefox, Chrome, Opera, Safari, or another third-party browser, it’s still critical that you patch Internet Explorer. Why? Because IE is a key component of Windows and thus can be used as an attack vector.

(This month’s IE patches also fix nonsecurity issues documented in KB article 963027. These problems cause the browser to loop endlessly when you open a page with a refresh tag or to stop responding when you attempt to remove an image.)

This article is part of our paid content. Subscribe.

Already a paid subscriber? Click here to login.

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

 HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period.  Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,
  • Visit our Unsubscribe page.
Copyright © 2012 by WindowsSecrets.com. All rights reserved.

Table of contents

Top-scoring articles in the past 12 months
  • Leaving long cookie trails throughout the Web 5.00
  • Windows-like security for Android devices 5.00
  • Win7′s no-reformat, nondestructive reinstall 4.53
  • The sorry tale of the (un)Secure Sockets Layer 4.42
  • RPV: Win7′s least-known data-protection system 4.33
  • Recovery: the last step in total data security 4.30
  • Time for a .NET update we can’t ignore 4.30
  • Getting the most from Windows Search — Part 1 4.25
  • Revising printing habits saves money and trees 4.25
  • Upgrades end in erratic, partial hangs 4.25
  • Pros and cons of a ‘keyfile’ password 4.21
  • Beating back Duku and a plethora of other threats 4.20
  • Office 2007 gets its final service pack 4.19
  • Putting Registry-/system-cleanup apps to the test 4.19
  • One year and 99 security bulletins later 4.18
  • 1.8TB external drive goes down hard 4.17
  • Don’t pay for software you don’t need — Part 3 4.16
  • Internet Explorer gets another round of patches 4.15
  • Is your free AV tool a ‘resource pig?’ 4.15
  • Vacation’s over; it’s a big round of patches 4.15
  • Remote access leads to remote attacks 4.15
  • Keeping you up to date: say no to .NET — again 4.14
  • Take control of Google’s privacy policy settings 4.14
  • Office File Validation patch leads to problems 4.14
  • The advanced system-recover toolkit 4.13
  • New “419″ scam involves PayPal and Western Union 4.12
  • Readers’ best personal-privacy tips 4.11
  • Getting the most from Windows Search — Part 2 4.11
  • Re-examining Dropbox and its alternatives 4.10
  • Easily edit Windows’ right-click context menus 4.09
Connect with us Follow us on Twitter Connect with us on Facebook View our RSS Feeds
  • Home|
  • Newsletter|
  • About Windows Secrets|
  • Advertise with us|
  • Unsubscribe|
  • Sitemap|
  • Affiliates|
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of iNET Interactive. All other marks are the trademarks or service marks of their respective owners.
iNET Interactive Copyright © 2011 iNET Interactive.
All rights reserved.
Terms of Use  |  Privacy Policy
Internet Services
  • Web Hosting Talk
  • HostingCon
  • Hosting Catalog
  • Host Voice
Web Development
  • Hot Scripts
  • DB Forums
Digital Marketing
  • ABestWeb
  • Search Marketing Standard
  • PayPerClickUniverse
  • SEMCompare
Consumer Tech
  • Windows Secrets
  • Overclockers
  • Mac Forums

Learn more about
advertising opportunities across the iNET Interactive Network.

LiquidWeb