Yearly Archives: 2006
- Date Issue Summaries
Beware of unexpected holiday gifts
The week between Christmas and New Year’s Day, when Microsoft and many
security companies take several days off, is a time when some hackers think they can
take advantage of the season.
I’m sending out today’s short news update solely to alert you in case some
threat starts spreading rapidly on the Internet this week.
By now you’ve opened your presents and you’re playing with your new tech
toys — but don’t let the Grinch spoil your holiday season.
Let’s take a quick look at some flaws that Microsoft hasn’t yet patched,
and which people may use to try to scam you this season.
- = Paid content
LangaList is merging with Windows Secrets
Here’s my new look! As I announced in the Oct. 30 issue of the LangaList,
I’m merging with the Windows Secrets Newsletter to bring you even better
content. The combined newsletter will reach more than a quarter million
subscribers. And it gives me access to features that my newsletter didn’t
I have important news for everyone who uses Windows. The LangaList — a respected e-mail newsletter that’s uncovered the tips and tricks
of Microsoft’s operating system for nine years — is merging with the
Windows Secrets Newsletter.
IE 7 needs tweaking for safety
Microsoft’s new Internet Explorer 7.0 browser, which was released to the
public last week, includes several security improvements but still has weaknesses
inherited from IE 6.
I’ll show you an easy way to “harden” IE 7 so you’re protected against
hacker threats that haven’t even been invented yet.
One of the newer buzzphrases in the security industry is Host-based Intrusion
Prevention System, or HIPS, which is something you may want to look at.
It can be difficult, however, to separate the actual innovation from the
traditional vendors trying to ride the buzzword wave.
With IE 7 out the door and Firefox 2 being released this week, it’s time to retrain
your fingers and teach those old dogs new tricks.
Check out my favorites — these are the tricks I use every day.
The Internet is buzzing about the release of Internet Explorer 7. The
Internet is also buzzing about flaws in IE 7 that are left over from IE 6.
I first wrote about one IE 6 flaw in the
11, 2006, issue
of the newsletter — and it still hasn’t been patched yet. I wonder how many other
holes remain active in Microsoft’s “new” browser?
While everyone was in a tizzy over IE7 hitting the streets, the rest of us
mortals were still tracking issues with the patches we got earlier this month.
There are times IT folks overreact to technology changes, such as IE 7 —
but I guess that’s what makes us human.
Vista changes lock out antivirus makers
I’m publishing a special news update today. Why? Because Microsoft substantially
changed the debate over the security of Windows Vista just after our
12 issue appeared.
Microsoft is making
statements claiming it’s going to let security
vendors such as Symantec and McAfee
have access to the Vista kernel. I don’t believe it.
MS OneCare halts flow of antivirus info
announced it was entering the antivirus biz, the usual nattering nabobs of
negativism moaned and groaned about unfair competition and unlevel playing
But several recent events seem to confirm the worst: Microsoft may well be using its
desktop monopoly to trump its AV competitors. What do you think?
Microsoft’s updated browser, Internet Explorer 7.0, is about to go gold and
the debate about its behavior is just beginning.
Besides IE 7, this week I have readers’ comments on Spy Sweeper, NetChk Protect,
AVG Antivirus, and how to speed up browsing in the beta of Windows Vista.
Security vendors are complaining about what they call anticompetitive
features coming up in
Vista. Are their complaints valid, or are they simply worried about
I also have additional advice for those of you who are still experiencing Java install
The "squeaky wheel gets the grease" seems to be Microsoft’s motto
several patches for Internet Explorer (and components used by IE) were released
out-of-cycle last month and on this
week’s Patch Tuesday.
Meanwhile, flaws in IE that are equally severe — but were getting less media
attention — were left unpatched.
This month, we say a fond farewell to MS support for Windows XP SP1, pay tribute
to Ray Noorda, and get ready for IE 7.
We also find that the servers at Microsoft Update have taken a page out of Woody
Leonhard’s "you should wait to patch" handbook and decided
to make you do just that.
Readers reveal the secrets of IE 7
Microsoft’s new browser, Internet Explorer version 7.0, will ship sometime
soon with updated features and better security — so of course our contributing
editor Woody Leonhard explained on
Sept. 14 how to
prevent version 7 from automatically downloading to your PC.
It’s not that there’s anything wrong with IE 7, mind you. Woody just thinks
other people, not you, should be the first to get bitten by any point-oh bugs.
I’m flattered when folks say they don’t patch their systems until they read
my column, but this
month I’d rather you read Chris Mosby’s column first.
With all the unpatched issues that arise with IE,
it’s not enough to be “fully patched” with Microsoft’s latest fix (MS06-055), you also need
to install workarounds when you hear of them. Fixing recent Microsoft patches —
for example, the two-week-old MS06-049 — is also essential, as I describe below.
Until we all have Star Trek computers — which operate perfectly on
incomplete information when the captain simply barks,
“Speculate!” — staying on top of the latest conflicts is part of
In today’s column, I bring you the latest on Microsoft’s Live OneCare, concerns
about wininet.dll, more glitches with the IE 7 beta, and yet another way
to get around Windows Genuine Advantage.
My Sept. 14 column on
the broken Java update process has generated the biggest response I’ve received
while writing for Windows Secrets.
I’m happy to report that I’ve gained some useful info from Sun about some of the Java issues
I documented. Read on.
Internet Explorer 7, due out later this year, sports a new phishing filter
that effectively blocks bogus sites from tricking you into entering personal information.
One little problem. If you enable the phishing filter, Microsoft keeps
records about you and every single Web site you visit.
It didn’t take long before IE was back in my sights, and as usual the flaws that have come up are serious.
I’m rather tired of Microsoft acting like newfound flaws in IE are no big deal, no matter how
critical the holes may be. I wish the company
would quickly admit the problem, take responsibility, and just fix it.
- 2006-09-22 82 Workaround needed for IE hole
Internet Explorer 7 looms — be prepared
Long the poster boy of Microsoft complacency, Internet Explorer 6 has finally
reached the end of the line.
By the end of this year, Internet Explorer 7 will be “pushed” onto tens of
millions of desktops. You’d better be ready.
I thought all I needed to worry about this Patch Tuesday
was a Windows patch or two and an Office patch.
But it turns out to be essential that you redo August’s critical Internet Explorer and Server
Service patches on Windows 2003 and XP SP1.
I’ve been researching some problems with Java updates. It turns out that the
issues are so extensive that they’re going to take up my
I wrote in my
Dec. 15, 2005, column
about some Java update issues. Those don’t even come close to the collection of
mistakes I’ve just spent an entire evening dealing with.
How long does it take Microsoft to fix holes in its programs? Three months?
Six months? Two years?
When a music-file-cracking program called
a few weeks ago, Microsoft patched the hole in just nine days. There’s a good reason
If you’re a frequent reader of my column, then you know that I usually have
a lot to say about the security of Microsoft’s Web browser, Internet Explorer. This time, my focus will
Even though I still consider Firefox to be a much safer
browser than IE, I wouldn’t be doing my job if I just ignored
flaws that affect the Mozilla browser and didn’t report them.
How fast does Windows Update update?
Our newsletter and Web site will sport a new logo, shown above,
beginning with our next regular issue on Sept. 14.
We wanted to surprise you, but we figured we’d better give you some warning. We didn’t
want you to open your e-mail next month and think unknown people were sending you some
new, weird newsletter. Nope, it’s just the same old weird
Readers have asked me, “How quickly is my computer protected after Patch
Tuesday, if I have auto-updates turned on?”
The question arises because most of the patches that Microsoft posted on
Aug. 8 took a lot longer than
usual to download. It appears that Windows Update, when configured to
download and install patches automatically, didn’t start downloading most
patches until three days after Patch Tuesday. Some PCs didn’t auto-install all
of the security patches until nine days had passed.
In a hilarious film short, a prisoner makes a surprising discovery —
one that may turn out to be life-changing.
Questions arise on PC World tests
A sweeping review of 10 security suites published in a major computer magazine
last month featured some very unlikely rankings for this crucial category of products.
After examining the evidence, I’ve found that some material facts were omitted from
the article, rendering its ratings useless.
Even with a barrage of patches coming out from Microsoft this month, computer
users are still vulnerable to exploits of PowerPoint.
Microsoft did make an effort to address flaws that are actively being exploited, but
left others unpatched that could be exploited later.
I feel like telling everyone to print out today’s
Windows Secrets Newsletter and read it while you’re deploying this month’s patches.
Not only do we have a busy patch month, but the very first patch has many in the
industry thinking that we might see a full-scale, MSBLAST-like incident again.
As though we didn’t have enough to worry about with viruses and worms, my
readers are reporting all kinds of trouble with the IE7 beta, Windows Update,
and Microsoft’s little-known dumprep.exe program.
I’ll show you how to get over these and other software gotchas in the tips
I just got back from my annual trip to Las Vegas to attend the Black Hat
Briefings and Defcon conferences. This is my tenth year in a row for both.
In this relatively small
amount of space, I can’t possibly cover everything that went on. So I’ll stick
to the topics that I think are of the most interest to Windows Secrets
"You have zero privacy anyway. Get over it."
Scott McNealy, chairman of Sun Microsystems, uttered those infamous words in
1999. Incredibly smart people have been working overtime since then to prove him
Should you use Windows Live Messenger?
Windows Live Messenger — the successor to MSN Messenger — hit the stands
a week ago on
Wednesday. That was version 8.0.0787. Ancient history.
Less than two days later, Microsoft released a new version, 8.0.0792. Hooo boy.
Here we go again.
As I mentioned in my last
column, the Metasploit project has been holding a
Month of Browser Bugs. Every day, a new vulnerability is published, the
majority affecting Internet Explorer.
Releasing these flaws may be fun for Metasploit, but it certainly
isn’t for the rest of us, who are forced to wait
while Microsoft catches up on its patches.
There are products that need major patching this week, but they aren’t all from Microsoft.
We’re so used to Microsoft programs having security implications
if we don’t patch that we forget the many other software programs that can impact our systems.
The shock waves caused by Microsoft’s decision to quietly install Windows Genuine
Advantage through its security update mechanism are still being felt by my
The marketplace for non-Microsoft antivirus packages, security suites, and the
crowded with well-known competitors. By contrast, the field of Windows Update alternatives is new and
the players are little-known. Until more reviews have been published by major
test labs, I’ll keep bringing you my findings and the comments of Windows users
who are doing their own analyses.
This is, of course, a Windows-centric newsletter. That means that sometimes it can be
difficult writing about security issues without picking on Microsoft.
Drive-by downloads still mostly affect Internet Explorer, not other browsers,
and Microsoft Office
products are showing cracks in the
foundation. I’ll explain below.
Shavlik will lift download restrictions
I announced in the July 13 newsletter that Shavlik Technologies, a well-known
patch-management vendor, had released a free and capable
replacement for Microsoft’s Windows Update (WU) service.
The Shavlik program, known as NetChk Protect, is free for
up to one year, can remotely update 1 to 10 PCs from a single PC on a network, and
supports far more programs than Microsoft’s offering does.
You’ve seen the old Space Invaders arcade game — but have you seen it played
with live bodies?
Free Windows Update alternative is released
In my last issue, I reported that Microsoft’s in-house Windows Update routine
is now likely to download marketing gimmicks such as Windows Genuine Advantage to your
PC. I advised all Windows users, other than novices, to turn off Automatic
With all of the Microsoft Office
vulnerabilities that have been popping up lately, I almost missed the discovery
of more holes in my favorite insecure browser.
With that in mind, let’s jump right in and get started. It looks like Internet
Explorer needs another good once-over.
If I were a gambler, there are two July 11 announcements (MS06-035 and MS06-036)
that I’d bet will bite people who fail to patch, generating headlines that you’ll
start seeing soon.
This month is also our last chance to say goodbye to Windows 98, 98SE, and Me. As of July 11, these Windows versions are no longer supported
I can’t remember a time when the newsletter has received more heartfelt tips
from readers than the controversy of the last two months over Microsoft’s
automatic downloading of Windows Genuine Advantage, which phoned home every 24
More than 300 well-thought-out comments streamed in. We’ll never be able to respond in full to everyone individually, but we hope
this section will serve to recognize everyone’s help while giving you the useful info you need.
My last column explained why Microsoft needs the free Windows Live Safety Center to keep antitrust lawyers off its butt.
A few days ago I tested Windows Live Safety Center on a real zero-day Excel exploit. Does it work? Or is Microsoft blowing smoke? Frankly, I was amazed.
Portions of the security community have been abuzz lately with talk of a
new rootkit technology dubbed “Blue Pill.”
The name is an obvious Matrix reference, especially given that the same
researcher named an earlier rootkit detector that she wrote “Red Pill.” The
latest buzz started with an
on her work.
Dump Windows Update, use alternatives
The Internet interprets Microsoft as damage and routes around it.
My apologies to John Gilmore for tweaking his famous 1993
quote about censorship. But the above statement just happens to sum up the
alternatives Windows users are adopting ever since Microsoft’s “Windows Genuine
Advantage” (WGA) debacle.
When Microsoft first announced Windows Live OneCare, I figured
Redmond had a lot of cojones to charge consumers for protection against
flaws in its own products.
In OneCare’s first month, however, it appears to my jaundiced eye that MS has responded
to two real, in-the-wild, zero-day attacks — first in Word, then in Excel — via a little-known
free service called the Windows Live
Safety Center. Never heard of it? Read on.
There are a lot of ways your machines can be attacked. Not all of them are
via the Internet.
Some attack vectors require physical access, but many others can hit you without
notice when you do something as simple as accessing an external device.
The last few weeks haven’t been good
for Microsoft Excel. Three serious vulnerabilities affecting the popular
spreadsheet program have been revealed. Two of these are already being actively exploited in the
This is a serious concern, as
there currently isn’t a patch for any of the three holes. But I’ll arm you with
workarounds that should keep
hackers from storming your computer.
With the June patches being so numerous
this month, even some folks who ordinarily patch quickly are just now getting around to patching.
But with proof-of-concept code and live exploits already on the Net for many of the
flaws announced on June 13, if you haven’t
yet updated, now’s the time to test and patch.
Genuine Advantage is Microsoft spyware
Windows Genuine Advantage — the controversial program Microsoft
auto-installed as a "critical security update" on many PCs starting on Apr. 25 —
not only causes problems for many users but has now been proven to send
personally identifiable information back to Redmond every 24 hours.
This behavior clearly fits any plausible definition of "spyware." Some tech
writers have said categorizing WGA as spyware is arguable. But I have no
hesitation in calling the program a security nightmare that Microsoft should
never have distributed in its present form.
I believe in patching, sometimes even
if things get broken — because it points out that the software that broke was
probably written poorly in the first place.
But this time, there’s one patch I want you to make sure you select not to
install this month.
Windows Vista Beta 2 may be the most-downloaded program in history — but
heaven help ya if you use it for real work.
Bugs and lock-ups come with the territory —
it’s beta software, after all, and you’d be crazy to run Vista Beta 2 on a
production machine. (Or go crazy trying.) Having spent months struggling with
various incarnations of the Vista beast, I’m worried about something more
fundamental than bugs. More insidious. One Vista feature, User Account Control,
just keeps getting in the way.
With the large number of Microsoft patches this week, I don’t want you to forget about
the third-party programs that you and probably all of your users have. These
updates too, and there are some security updates that need to be installed.
I’ve also taken note of what I think is a novel "attack" based on USB
drives. I thought I was too smart to fall for this one, but I was wrong.
If you’re like me and the other
writers of this newsletter, you were probably overwhelmed by the number of
patches Microsoft released on Patch Tuesday.
Microsoft released yet another cumulative rollup for IE, which fixed eight open holes
— but once
again, there are plenty left open to talk about.
I wrote about the last IE patch in my
column. Comparing that column to what was patched in Tuesday’s release shows
that only 1 out of the 3 flaws I talked about then have been patched in the latest
To auto-update or not to auto-update
I published a Woody Leonhard column as the top story
last issue while I
was traveling, knowing that he’s opinionated and always gets strong reactions.
Well, he didn’t disappoint me.
Reacting to several mistakes Microsoft made in its Automatic Updates downloads
in April, Woody railed against Redmond’s patching strategy, saying, “Windows
auto-update is for chumps.”
After our battle scars from the April
patches, Microsoft’s May patches were a bit of a breather for consumers.
While the Exchange patch meant homework for administrators, home users at least
had a break after the “double patch” bout we had in April. But
lest you think everything is rosy on the other side of the operating
system, even Apple folks had to deal with their share of patch pain this month.
It was the best of times, it was the worst of times, it was the age of
wisdom, it was the age of foolishness, it was… Nawww… It was just Windows XP
This past week, Windows XP networking surprised me twice. The first shocker
magically solved a long-standing problem (dare I say a “bug”?) in my office
peer-to-peer network. The other event scared the, uh, Dickens out of me.
There’s more evidence to suggest that vulnerabilities are going back
underground. Or at least, going to the highest bidder.
I believe
it’s fortunate that there are a few above-board high bidders that are snapping
up these exploits and keeping them off the market. Otherwise, I
think things could be much worse.
It used to be
that the term “zero-day”
exploit was just a concept that companies like Microsoft treated as a myth. The
idea of a vulnerability being found in one of their products and the exploit for that vulnerability coming out at the same time is something that no one wanted
to believe could happen.
Now, however, zero-day exploits do happen — but only sporadically. When
these exploits do surface, it’s a cause for concern for everyone. There is
usually no defense against them until they can be understood and patches or
workarounds can be made available. Such is the case with the Word zero-day
vulnerability that was discovered recently.
When Automatic Updates can be harmful
For years I’ve been advising Windows consumers to disable Automatic Updates:
Keep Microsoft’s mitts off your machine until you’re darn sure the
proffered patches do more good than harm.
I’ve taken a lot of flak for that heretical stance, vilified for intimating that
Microsoft’s patching process leaves consumers in the lurch. Bah. Recent events
have proved my point conclusively: Windows auto-update is for chumps.
That’s the way it seems to go these
days: Microsoft — or any software vendor for that matter — patches a piece of
software, and someone goes and finds some other flaw that can be
exploited. I guess that’s become the price we all have to pay for
working with technology; we all have to try to be one step ahead of the hackers
While Microsoft is by no means perfect in the area of security, it is at
least trying to do better. This has become clear to me after attending the
Summit a few weeks ago — at the same time as I’ve just started scratching the surface in my
role as a newly awarded MVP. Don’t think you can get rid of me anytime soon, though; there are still
plenty of unpatched vulnerabilities out there to tell you about.
Last month was rough for home patchers — and this month isn’t looking much
It seems like only a few days ago we were dealing with issues with Outlook
Express and Windows Shell. Here we are this month with another patch that so far
looks a bit tricky to get on our boxes, especially for home users without a patch-management administrator.
There are some interesting issues with Firefox this time around.
While they do represent genuine problems with Mozilla’s open-source browser,
some of the details still make me happy with my decision to recommend
April 11 patch re-released with fixes
Microsoft re-released on Apr. 25 a security patch that had been issued 14
days earlier in the company’s monthly Patch Tuesday schedule.
The original version of security bulletin MS06-015 causes problems with Microsoft
Office and other apps when you try to open or save files in the My Documents
folder; with Internet Explorer when you type Web addresses into the Address Bar;
and with an untold number of other programs.
The Redmond company says the problems are being caused by older versions of HP
Share-to-Web software, nVidia graphics drivers, and Kerio Personal Firewall. But
I believe there may be other conflicts at work, as I discuss below.
Here I was, looking for fallout from Microsoft’s Eolas/Internet Explorer patch
— but most of the issues came instead from other patches.
Just like everyone else, I was expecting most of the problems from Patch Tuesday
would be from 06-013. This is the cumulative Internet Explorer patch, which
changes the way Active X works. I wasn’t expecting to see issues in the Windows
Shell patch, the Outlook Express patch, nor in OE’s Junk Mail Filter. These
issues, because they mostly affect consumers, have raised a concern about online
communities and self-help sites. I think they’re masking the real magnitude of
I don’t gush over new software very often. Most of what I see looks like
same-old, same-old, maybe with a burnished bell here or a twisted whistle there.
But I recently found something new — something exciting — on the Web, and it’s
saved my tail a couple of times. If you haven’t seen SiteAdvisor, you should
look. If you don’t use SiteAdvisor, you should try.
For as long as people have been finding security vulnerabilities, software
vendors have been trying to "slipstream" security fixes. What’s surprised me in
the past few weeks is that a couple of big vendors have admitted to it and are
trying to justify the practice.
As you’ve seen in the top story in this issue, the patches Microsoft
released via its regular Patch Tuesday schedule on April 11 caused serious grief
for many people. Unfortunately, I believe there are still other software conflicts
that Microsoft hasn’t yet confirmed.
I’ve seen reports of problems with AOL, the Windows version of iTunes, and other
popular software — all related somehow to the April 11 patches.
More ways to use disposable addresses
I described in the
newsletter how to use "disposable" e-mail addresses. These are
unique addresses that you give to Web sites and other
people who want to send you mail. If they happen to reveal your address to spammers,
you simply turn off that one address rather than trying to filter out a wave
My readers, it turns out, have a lot of ideas about using disposable addresses.
Follow along with me as we hear about some great tricks, many of which cost little
It’s amazing how Microsoft finds ways to get us to spend a little extra time
with Windows now and then. If it isn’t a patch we have to install, it’s a
workaround for the change to daylight savings time.
Susan Bradley provided some good tips on dealing with DST pains-in-the-butt in her
Mar. 30, 2006,
Apparently, that wasn’t the end of it. Follow along as my readers provide tips
on this and other topics from the last issue.
Microsoft did a pretty good job of patching
some serious security holes in Internet Explorer with the release of
MS06-013 on Patch Tuesday. (See Susan’s Patch Watch column,
below.) It’s been a while since I’ve seen that many security fixes in an IE patch.
If it weren’t for the file size, I’d almost think this was a service pack.
While Microsoft eliminated some serious holes this
month, the job is far from done. There are several older IE holes that are yet
to be taken care of.
The Pacific Coast has been showered on
this week and now we’re being showered with security patches.
While the total number of security patches is not that large, it’s still a bit
of a downpour. This
month’s patch release includes not only a cumulative Internet Explorer patch,
but a change in browser behavior due to a patent dispute.
You’re a savvy Windows XP insider. You already know that you can pin programs
on the Start menu. Cool. Hanging your most-used programs on Start makes
it easy to get them cranked up, even when you’re bleary-eyed and blue-toothed,
and your mouse has a mind of its own.
But did you know that you can also pin folders, files, documents —
even Web pages — to the Start menu? Check out these tricks to
make the most of that prime piece of real estate.
I’ve been thinking a lot this week about virtual machine technology. I
have to admit it’s because of the Mac. As you’re no doubt aware, the new Apple
Macs have Intel x86-family processors. This makes them, just about any
It’s not just the CPU, but also the chipset. Apple is using an Intel
chipset, like almost every motherboard vendor who makes Intel-compatible motherboards. That’s not to take any style points away from Apple;
they still win big in that area. It’s not like Apple is shipping putty-colored
plain boxes all of a sudden.
Get a disposable e-mail address
Every time you give out your e-mail address, you take a risk that your address will
get on spammers’ lists and you’ll be bombarded with junk mail.
As a test (which I’ll describe in my
Datamation column in a few weeks), I entered an e-mail address into a signup box at one of
those “get a free laptop” promotional sites. In less than six weeks, the address
I provided was hit with more than 1,000 junk messages — over 23 per day — and they
show no sign of slowing down.
Are you an Internet Explorer user? By that I mean, do you use it for your
daily Web browsing? I like Internet Explorer, I think it’s a very capable
browser. But, as you are probably aware, there seem to be some safety issues.
What do you do when there’s blood on the information superhighway?
Alright, I’ll stop with the car analogies. But I do want to discuss what
to do, now that it looks like we’re in for a long road of unpatched IE
vulnerabilities. This last week, two unpatched IE vulnerabilities were published.
And at least one of them has been proven to be highly exploitable.
This month has been pretty rough on the people at the Microsoft
Security Response Center (MSRC). There’ve been three new vulnerabilities
discovered for my favorite insecure browser — Internet Explorer —
in just the last two weeks.
Of those three vulnerabilities, one will cause IE to crash at worst. But the others
are severe enough to allow infected code to run that could very well take over
your computer. Here we go again. The race for a patch begins.
Normally before there’s a patch, we don’t get quite the advance notice that we did this time. An Internet Explorer
upgrade is coming that can impact your
Web-based applications. You need to know now how this may affect you, well before Microsoft
releases the patch on Apr. 11.
Why is this patch different? Because it’s not a security patch — it’s a
reaction to a patent lawsuit.
Does Office think your name is “Satisfied Dell Customer”? When you install
new programs, do they want to send a confirmation e-mail to “OEM User”?
Or — raise your hand if this sounds familiar — when you first installed
Windows, did you misspell your own name? Hey, it’s happened to me. More than
once. If you’ve ever wanted to turn back the clock and tell Windows or Office
that the name or organization permanently emblazoned in your PC’s memory is all
wet, this secret’s for you.
Readers respond on controlling reboots
Patching Windows is good, and rebooting right after you’ve patched is good,
too. But if you’re right in the middle of something, seeing Windows reboot
when you didn’t expect it can be very bad.
I’ve spent most of the past
three weeks slogging through the “February
Community Technology Preview” of the next version of Windows — Vista Build
5308, to the tech-savvy.
For the first time in a very, very long time, I’m excited about a new product
from Microsoft. Vista holds tremendous promise. Whether the final product will
live up to the promise, though, is anyone’s guess.
If you’re responsible for more computers
than you can personally lay hands
on in a short period of time, then you probably have a patching
process that includes some kind of cost/benefit analysis. This doesn’t
necessarily require a spreadsheet with salaries and downtime costs.
It can be as simple as answering the question, “How much trouble am I in if I crash
the server in the middle of the day?”
The answer to that last question is probably, “I guess I’ll be staying late,
and applying the patches after everyone goes home.”
That’s a perfectly acceptable strategy — if you can get all the
machines done manually in a reasonable amount of time. But it doesn’t scale well.
I’d like to present some tips that I’ve learned to make your life
easier when dealing with patches and updates. Most of these tips come from my
co-moderation of the patchmanagement.org
mailing lists, and my job at BigFix, a company that sells a patch-management product.
We all know that using a computer is a dangerous business these days. Design flaws and vulnerabilities can come from anywhere, from any server, all the way down to the client accessing it — and everywhere in-between.
The best we can do these days is to be aware of what is out there, protect your
computer as best you can, and practice safe computing. The only other thing
you can do is hope that a hacker doesn’t think you’re a tempting target.
The bulletins came to my inbox. Two patches. One for Office, one for DACLs.
(What’s a DACL?) But that isn’t all. Microsoft Update has a few more patches it wants me to
In addition to the ever-present Windows Malicious Software Removal Tool for
and the monthly update for the Outlook 2003 Junk E-Mail
913161), we have a few other patches in Microsoft Update’s “high
priority patches” list. It reminds me that it’s not just security patches
that are up there in the top section.
- = Paid content
Stop Windows’ 10-minute reboot reminders
A raging controversy over whether Windows patches ever reboot a PC without
permission has been solved. Reboots can happen when you’re not expecting
it — but you can minimize the problem or eliminate it entirely.
This subject sparked a debate when reader Evan Katz wrote in to ask whether
Microsoft patches had started rebooting Windows automatically, even when the
Automatic Updates control panel is configured to notify the user of downloads
instead of installing them without notice. His comments were printed in the paid
version of our Dec. 15, 2005,
With the patch issues that arose last week, and folks asking if Microsoft
tests patches before releasing them, it reminds us that Redmond still has a
long way to go in the trust department.
But Redmond wasn’t the only one with vulnerability and software issues this time
around. Apple has joined in the browser vulnerability battle with its Safari browser this
week. Sophos didn’t help much with its software giving off false positives.
It’s been more of a battle to clean up after our security tools than it was to
deal with patching issues this month.
I’ve seen (and reviewed) enough Windows XP utilities to bust a billion
bottomless bit buckets. The world’s full of ’em.
But when a good friend recently asked, “What utilities do you really
use, Woody?”, I had to stop for a while and think. You see, truth be told,
I keep very few utilities on my main machine. Too much
headache. Too little benefit. Hard to keep them all straight.
What’s the exploit you’ve found worth?
Have you ever stumbled across a security problem in a major software vendor’s
product? You weren’t just going to tell them for free, were you?
In this column, I once again tackle security in Microsoft’s Internet
It never ceases to amaze me how Microsoft praises the security of its flagship
browser, while at the same time ignoring obvious flaws that go unpatched.
- = Paid content
Readers respond on Deep Six spamwall
Our tests of antispam appliances in the
Jan. 26 newsletter made a definite impression on our readers. The article received
a reader rating of 4.15
out of a possible 5,
our highest-rated article so far (well, in all two of the issues that’ve
ratings to date). And several subscribers
sent us their own results from testing the least-expensive appliance in our
review: the Deep Six Technologies DS200 Spamwall, which we found to be highly effective.
The date on the calendar as Microsoft’s patches came out this week said St. Valentine’s
Day, the day for love and romance. But if you’re a patchaholic like me, a guy
who offered to patch my computers for me would be even more romantic than roses
Especially in a week like this, when he’d have to use some extra manual labor
to get my machines fully patched.
Windows XP’s System Restore can save your bacon. But it wallows in disk space
like a hog.
If you understand the secrets of System Restore, you can save yourself untold
headaches when things inevitably go bump in the night. And you can reclaim a few
zillion megabytes of pure Windows pork while you’re at it.
What does a vendor’s patch-release schedule tell you?
Have you thought much about how and when your software providers release their
patches? Are patches provided in a convenient format for centralized updates? Do
patches take years, months, or only weeks to deliver? If you’re paying attention,
this will help your security stance in the future.
Microsoft didn’t have a very good Valentine’s Day this week.
Even after releasing seven patches for various security vulnerabilities this
month, Microsoft still has plenty of flaws that the company could profitably spend
some time fixing.
- = Paid content
Connection scoring beats spam filtering
A simple device that prevents spammers from delivering junk to your mail server
outperforms complex spam filtering appliances costing up to seven times as much,
according to tests by the Windows Secrets Newsletter.
If your company is suffering from onslaughts of spam, our tests indicate that this new approach
can halt more than 99% of your unwanted flow without blocking legitimate e-mail. Best of all,
the new technology does this without creating a large “quarantine” of suspected spam that you or
your employees must manually comb through.
There’s been a lot of talk about the Windows Wi-Fi “flaw” that was revealed recently.
Some security professionals call it a high-risk vulnerability. Meanwhile, Microsoft
and other security professionals call it a feature — one that can only be exploited under
the right circumstances. Let’s take a closer look, so you can be the judge.
You are at risk. No, seriously. Every time you turn on any kind of
technology, you turn on risk.
The question for today is this: Exactly how do you know what risk you are taking when
you use that technology? Some argue that “old code” is secure code, under the
assumption that the older the code, the more “eyes” have
reviewed it. But is that true? Let’s revisit the Windows Metafile issue with
this in mind, shall we?
Those 8-megapixel cameras take great pictures, don’t they? Faaaaaaat. In
more ways than one.
The top complaint I’ve heard since the holidays has nothing to do with
rootkits, WMF files, or patches of patches. Nope. The people I know who scream
the loudest got expensive new cameras, and they’ve learned that they can’t do
much with their pictures.
How quickly do your vendors release patches? If they take 15 years, does that
mean the problem was an intentional backdoor?
There are, to be sure, some still-outstanding questions regarding how the now-infamous Windows
Metafile flaw affects the Windows 9x/Me platform (as discussed by my fellow columnist, Susan).
One bit of controversy that arose over this problem since our last newsletter deserves
- = Paid content
WMF hole still reverberates with users
What a way to start the year! The now-well-known WMF vulnerability, which allows an infected
image to silently take over your PC, was first publicized just before New Year’s
Eve. It resulted in a frantic week for Microsoft and millions of Windows
users who wanted to protect themselves.
I considered the risk of infection from hacked Windows metafiles (.wmf
files) to be so dire that I published an unprecedented
two news updates in the same week. (In the past 12 months, I’d felt the need to
release only 5 news updates.)
The year 2006 started with a bang for security professionals as we scrambled
to deploy patches for zero-day exploits.
Even as old security holes were closed by software vendors, more holes were
discovered with exploits-to-go. They seem to be arriving at an ever-increasing rate.
The ball dropped in New York, ushering in the New Year. But we network admins
were scrambling because of a zero-day
exploit for which no patch was available, other than hoping our antivirus
vendors would catch it.
Little did we know at that time that the ‘bug’ was perhaps a wakeup call for us
better procedures to handle a zero-day event in the future (as InfoWorld’s Roger
reports).
If your holiday season was anything like mine, you probably received a fair amount of
software, either off the shelf, or bundled with a new PC. Seems that CDs have replaced
silk ties as the gift of choice when trying to buy for someone who has
But CDs and DVDs today can hold dangers that you should avoid. Let’s look at how
one simple change can make you immune to those headaches.
When there’s blood in the water, don’t go swimming. I hope you didn’t think we were all done with our WMF problems.
I’m not going to go over all the details of the WMF vulnerability and patch here.
My fellow columnists have that well covered. I do wish to point out that it’s
an important example of what the patch lifecycle now looks like for a special
- = Paid content
Install Microsoft’s WMF patch
Microsoft released on Jan. 5 an emergency patch, named MS06-001, which corrects
Windows’ so-called WMF (Windows metafile) vulnerability. A WMF exploit can silently infect
a PC when it merely displays an image in any browser, instant
messaging, P2P, e-mail, or in a directory listing in Windows Explorer; when
desktop-search applications index an infected image file; and in other ways.
I published a special
news update earlier
in the week urging readers to install an unofficial patch for this problem. This
workaround was also strongly recommended by F-Secure, the SANS Institute’s Internet Storm
Center (ISC), and several other security sites.
- = Paid content
Windows metafile hole requires unofficial patch
A weakness in the way Windows renders images is being
exploited on the Internet and affects any browser you may be using, not just
Microsoft has no patch for the problem at this writing. An official patch may
appear at any time, or it may take days or weeks. I recommend that you
immediately run a small,
unofficial patch that was developed by white-hat security researchers to make
your PCs immune to the problem.
- = Paid content