Windows Secrets Newsletter • Issue 221 • 2009-11-12 • Circulation: over 400,000
Table of contents
- How to get the most from Windows 7
- Clean-install Windows 7 from the upgrade disc
- Readers offer more ways to enhance Windows 7
- Invisible rope trips up unsuspecting passers-by
- Wanted: a free, novice-proof disk wiper
- SSL authentication flaw puts browsers at risk
- XP patch removes threat of malicious Web fonts
The printed volume won’t be available until next month, but all subscribers, free and paid, can receive our exclusive excerpt through Dec. 2. Simply visit your preferences page, save any changes, and a download link will appear. Thanks! —Brian Livingston, editorial director
By Woody Leonhard
Topping the long list of readers’ Windows 7 questions is whether you can use the upgrade disc to perform a clean-install of the new OS.
You may be surprised to discover that in Windows 7 there’s no difference between the “upgrade” and “full” DVDs and — just as with XP and Vista — the cheaper upgrade version can indeed be used to perform a clean-install.
But that’s just one of your many Windows 7 questions. From what’s possible, to what’s legal, to what-on-earth-were-they-thinking, here’s the skinny on the ins and outs of Microsoft’s best OS yet. There’s no way to fit all your Win7 queries into a single column, so you can be sure I’ll have many more Win7 FAQs in the weeks to come.
Will a Win7 upgrade disc install the full OS?
- “It looks like you can use the upgrade version of Windows 7 to install a ‘genuine’ copy of Windows 7 on any PC, whether it already has Windows on it or not. Why would anybody pay way more money and buy a full-install version of Windows 7 instead of an upgrade version?”
The terminology stinks, but as you will see below in my discussion of upgrade pricing, almost everybody qualifies for an upgrade version of Windows 7.
In my experience, most people using the upgrade package find that their new Win7 key validates immediately after the PC connects to the Internet. You can maximize your chances of getting instant gratification (validation), however.
By Dennis O’Reilly
Like pouring hot fudge onto vanilla ice cream, there’s nothing like making a good thing better.
Even with near-universal positive reviews, Windows 7 could still stand some improvements — and Windows Secrets readers know just how to enhance the new OS.
Sure, some hardware vendors have been slow to provide Win7 device drivers for some of their products. And some people attempting to upgrade to Windows 7 are greeted with blue screens and infinite loops. But most Windows 7 users wouldn’t think of reverting to their previous OS.
That doesn’t mean they haven’t found ways to make using Windows 7 even better. For example, Cris DeRaud discovered a script that lets you create a Win7 restore point with a single click:
- “I found today that creating a restore point in Windows 7 takes on a new twist and requires knowledge of the proper paths and security settings. When my computer is running really sweet, I’ll add restore points of my own. I name them ‘smooth sailing.’
“Well, I ran into a snag today trying to make a restore point the Vista way because the option link is all changed in Windows 7. I found an easy alternative from a group of Windows 7 lovers who spell out all the options [on the Windows Seven Forums site].
By Stephanie Small
Remember when you were a kid, and playing pranks on people was the thing to do? Whether it was jumping out of the closet to scare someone or making the infamous prank calls during a sleepover, it was fun — usually, anyway — for both parties involved.
Why not resurrect an oldie-but-goodie prank: the invisible rope. Watch as these jokester juveniles trick cars and mall pedestrians into thinking there’s something there when there really isn’t. It will make you look twice the next time you spot someone trying to pull this off!
By Fred Langa
Wiping the data off old drives is a smart thing to do, but secure erasing also must be easy to do.
Powerful software is worthless if it’s too hard to use, but I’ve found a free drive-wiping tool that’s powerful enough for pros yet simple enough for newbies.
In search of a simple, CD-based disk wiper
Kim Boriskin needs a tool that anyone — even unskilled volunteers — can use to reliably wipe the data off hard drives:
- “I do some work for an organization that often processes computers before distributing them to charities, for example. We always wipe the hard drives using a Department of Defense (DoD) wipe. We’ve been using a bootable floppy disk to perform the wipes, but fewer computers than ever have floppy drives, and for reasons I won’t discuss, we won’t use a USB floppy drive to start the process.
“Do you know of any free disk wipers that can be written on a bootable CD and that can accomplish a secure disk wipe? I’ve found only one, Darik’s Boot and Nuke, from DBAN [more info]. But it’s confusing to nontechies, and clumsy even for techies. We could use something simpler.”
You’re dealing with two separate issues: you need a tool that’s easier to use than the one you currently have and one that can run on a bootable CD. I have a solution, but it takes a minute to get there — so bear with me.
Scrub3 is a venerable, free tool that’s widely used for rendering hard disk data all-but-impossible to recover. Scrub3 can overwrite the disk with various patterns, including the original (2001) DoD three-pass overwrite and the newer, National Security Agency–recommended seven-pass overwrite.
By Robert Vamosi
A hole discovered recently in Secure Sockets Layer (SSL) HTTP sessions is difficult to exploit but may necessitate a revision of the SSL protocol itself.
The big-name browser vendors are quietly working to patch the vulnerability before the bad guys figure out how to use it to crack secure Web connections.
Transport Layer Security protocol exploitable
Last August, while researching various applications used by two-factor authentication vendor PhoneFactor, researcher Marsh Ray discovered something odd in the way the SSL Transport Layer Security (TLS) protocol handled authentication renegotiation. Ray was able to write an exploit that would, under certain circumstances, allow a man-in-the-middle attack to eavesdrop on SSL sessions used for e-commerce and online banking.
The flaw allows the attacker to join an authenticated SSL session and execute commands. After Ray proved the exploit to his bosses, he chose not to go public and instead followed Dan Kaminsky’s example after he discovered a major DNS flaw in 2008. (WS contributing editor Ryan Russell described the DNS vulnerability in his July 17, 2008, Perimeter Scan column.)
Just as Kaminsky did last year, Ray quietly contacted the vendors most affected by the SSL/TLS flaw and worked in the background to implement a fix before the malware writers got word of it. In September, Google even hosted a meeting at its Mountain View, CA, campus that produced a tentative draft proposal for the Internet Engineering Task Force (IETF). Microsoft had hosted a similar meeting on the DNS flaw for Kaminsky last year.
On Nov. 4 — quite independently — another researcher, Martin Rex of SAP, went public on the IETF TLS mailing list with his discovery of flaws within channel bindings that also affect TLS. A lively and extended discussion ensued.
By Susan Bradley
Systems running Windows 2000, Windows XP, or Windows Server 2003 are at risk of infection via fonts used on malicious Web sites.
No attacks exploiting this vulnerability have been recorded yet, but I expect them to begin soon — so apply this patch right away.
Embedded OpenType fonts pose remote-attack risk
Patch MS09-065 (969947) addresses several vulnerabilities in the Windows kernel. One in particular poses a serious threat to Windows 2000, XP, and Server 2003: a specially crafted Embedded OpenType font can allow remote code execution, enabling a denial-of-service attack or even a complete takeover of your system. The hole will very likely be exploited soon by malicious Web sites.
As frightening as that sounds, the good news is that this week’s patch installed without a hitch on my test XP systems. Apply this update as soon as you can to ensure you’re protected from malicious Web activity. Also, since the exploit requires that you visit a malicious site, think twice before you click a dodgy link in an e-mail or instant message.
While several other November patches are rated “Critical” by Microsoft, this is the only one of this month’s Windows updates that I rate as truly imperative.
UPDATE 2009-11-19: In the Nov. 19 Patch Watch column, Susan describes a problem the XP kernel patch causes for systems using ATI Radeon HD 2400 and Nvidia GeForce 7050/NForce 610i video adapters.
MS09-067 (972652) and MS09-068 (976307)
Infected Excel and Word files make the rounds
No doubt you’ve been warned before of the dangers of opening Word and Excel files attached to unexpected e-mails. MS09-067 (972652) and MS09-068 (976307) plug holes that allow a phishing attack to take control of your system when you open an infected Word or Excel file.
The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.
Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).
Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.