From: Brian Livingston [Editor@WindowsSecrets.com]
Sent: Friday, November 19, 2004 9:59 PM
To: gjwbiker@optonline.net
Subject: Protect IE -- part two [Newsletter Comp Version]


TOP STORY — info you need to make Windows work


Protect IE without SP2 — part two


By Brian Livingston

Microsoft's recent release of Service Pack 2 (SP2) for Windows XP protects XP users against a variety of hacker attacks, particularly ones that affect Internet Explorer. SP2 prevents IE users from being subjected to pop-up windows and silent downloads of software from rogue Web sites, among other threats.

But what about people who run versions of Windows other than XP?

In the previous issue of the Windows Secrets Newsletter, we explained how to give users of Windows 2000 and Me protection from pop-up windows. In this issue, we focus on adding protection against hacked Web sites that can exploit weaknesses in IE to infect your PC.


Switching browsers can prevent some but not all problems


The serious security problems that lie buried deep within Internet Explorer are becoming more widely known. But most Windows users still do not understand the depth of the danger.

The respected security firm Secunia reports in its current advisory on IE 6 that 18 separate security holes — some of them rated "extremely critical" — remain unpatched by Microsoft.

An additional 71 issues with IE that Secunia has published alerts about do have patches available now. But security experts widely feel that additional holes will continue to be found. These flaws can be and sometimes have been exploited by hackers before "good guy" researchers find the weaknesses and describe them privately to Microsoft, which then begins developing a patch.

One security company, Finjan Software, even reports that it's already found 10 new security flaws in XP SP2 alone. The nature of the claimed flaws, however, has not been publicly revealed, and other observers (including Microsoft) respond that Finjan is using the claims to help sell its security software.

All of this hubbub has led millions of former IE users to stop browsing the Web with Microsoft's product. Instead, the new browser of choice is Mozilla Firefox, a free program for Windows and other operating systems, which released its 1.0 gold version last week after a long period of beta testing.

More than 1 million people per day were downloading the new release when it was first posted, according to the nonprofit Mozilla Foundation, which develops the software. But the pace has now slowed, making it a good time for you to join the fun, if you haven't already. We'll have a full review of Firefox 1.0 in an upcoming issue of the Windows Secrets Newsletter.

Beta versions of Firefox had their share of security weaknesses, as do most new software programs during their development stage. But Secunia, which documented 17 temporary security flaws in those beta versions, reports that none of the issues remain open in Firefox 1.0.

In many cases, unfortunately, you may find that you have to run Internet Explorer. Perhaps you're subject to a company policy or certain sites that you depend on have foolishly made their Web technology work only in IE.

 
WINDOWS SECRETS NEWSLETTER
(formerly Woody's Windows Watch and Brian's Buzz on Windows)
Editors' Photo
 
ISSUE 42 — 2004.11.18

Top Story: Protect IE without SP2
New MyDoom worms burrow into IE 6
IFRAME vulnerability threatens browser
"Click and Scroll" problem hacks into XP2
Microsoft issues ISA Server 2000 security patch
Photo/slide scanners are tested, one is found best
Digital camcorder/cameras rated by two magazines
A new winner zooms to top of high-end camera ratings
Which LCDs have the best refresh for videos and games?
A top-ranking Flash drive lets you pack your preferences
Pocket PC and Palm competitors are rated
SPECIAL REPORT: Secrets of XP Service Pack 2
Enable better memory protection with DEP
Get the Recovery Console back after installing SP2
Recover the disk space you lost by adding SP2
Reduce the buying power of your money?
Useful Links

(NOTE: Lotus Notes 5 and 6 and Mozilla Mail 1.5 and lower don't correctly scroll down when the above links are clicked. There's no workaround other than updating these programs.)


NEWSLETTER CONTROL PANEL

Windows Secrets home page
How to subscribe
Change your delivery address
Change your preferences
Access past free issues
Access past paid issues
Upgrade to paid version
Submit a Windows tip
Get subscription help
How to unsubscribe


CIRCULATION: over 145,000


 
In addition, merely shunning Internet Explorer and using Firefox instead when browsing the Web doesn't correct the security holes in Windows. Because Microsoft long ago integrated IE into the guts of the operating system, the flawed components are still present and can be taken advantage of by rogue Web sites, even if you never open an IE window.

That's why you need to keep current with Microsoft's latest patches — using Windows Update and Office Update for individual users or patch-management software for multiple PCs — and take the steps described below. This article covers three alternatives: one foolish suggestion, one serious alternative that costs a few dollars, and a third alternative that's free.


What Microsoft suggests, which is absurd


On its Web site and in its publicity materials, Microsoft Corp. recommends that Windows users change the security settings of the so-called Internet Zone in Internet Explorer to "High." (To do this in IE, click Tools, Internet Options. Select the Security tab, then click the Custom Level button. In the "Reset To" box, select High, then click the Reset button and click OK to close all dialog boxes.)

Setting the Internet Zone to High affects all sites you visit using IE that you haven't manually specified as belonging to a different "zone." Switching to High imposes on the sites you visit all of the same restrictions as IE's Restricted Sites Zone, which disables numerous features of the Web.

One problem with this advice is that many Web sites won't work well (or display anything at all) when the Internet Zone is set to High. In a crowning irony, Microsoft's own Windows Update site won't download security updates under this setting.

In addition, several Web sites now instruct visitors to turn on dangerous Web features, such as "active scripting." Sites that currently exhort users to turn on certain features in the Internet Zone include Investor's Business Daily and NASA.gov.

These sites almost certainly aren't doing anything that would hurt visitors. But they shouldn't be telling their users to lower the security of all sites in their Internet Zone. Instead, they should tell visitors to add the sites to IE's Trusted Sites Zone. In that way, sites such as theirs that use nonsecure Microsoft technologies, such as ActiveX, would continue to work in visitors' browser windows without exposing those users to risks at other sites. (More details on the Trusted Sites Zone are given later in this article.)

The worst aspect of Microsoft's advice to set IE's Internet Zone to High is that this does nothing to close one of today's worst security holes. That hole is Windows' so-called Local Machine Zone.

The Local Machine Zone consists of Web content that more or less includes any HTML or other file found on a local hard drive. Almost any action that a logged-on user can take on a PC can also be performed by whatever script or Trojan horse a hacker can succeed in planting.

There are a seemingly unlimited number of ways that hacked Web sites and infected e-mail attachments can get access to the Local Machine Zone. This breach of security is often one of the first steps that a hacker takes to compromise other local resources and turn a PC into a "zombie," controlled by the hacker from a remote location.

In the next section of this article, I'll explain two ways to secure your Local Machine Zone, protecting your PC from attack. But let's first look at why Microsoft isn't protecting this zone by giving out updates for all Windows versions.

Microsoft officials have stated that the security improvements in Service Pack 2 for XP will not be made available for download to users of older versions of the operating system, such as Windows 2000 and Me.

This decision is inexplicable, since many of the security fixes could easily be re-packaged for users of these Windows versions, who arguably comprise more than half of all Windows users.

By withholding these fixes, Microsoft has aligned its interests with those of the worst "black-hat" hackers. The Redmond corporation is using people's legitimate fears of infection as a blunt instrument — a billy club — to sell more copies of its Windows XP software. This is truly despicable and unethical business behavior.


Protecting the Local Machine Zone


There are two primary ways to protect the Local Machine Zone, giving it stronger security settings that block silent access by hacker scripts.

The commercial software route
One method requires the purchase of a commercial software program, one version of which is currently available for $34.95. The other method is free but requires a tweak in the Windows Registry and a manual change in Internet Explorer's settings.

One of the leading contenders to "lock down" the Local Machine Zone, both for home PC users as well as enterprise IT administrators, is Qwik-Fix Pro, a piece of software developed by PivX Inc.

Despite the quirky-sounding name, Qwik-Fix Pro is a serious program that corrects several dangerous weaknesses in Windows. This includes disabling dangerous URL protocols, Local System Account (LSA) anonymous settings, and the Windows Messenger Service (not instant messaging), according to the company's PDF white paper.

Qwik-Fix Pro Home Edition can be downloaded for a free 30-day trial, after which the price is $34.95 until Dec. 31, 2004. Corporate versions are available for $500 per server or less in volume.

Protecting the Local Machine Zone manually
If you can't or don't want to use commercial software to tighten the security of the Local Machine Zone, you should at least lock it down manually, which costs nothing.

Although the Local Machine Zone is a security zone used by Internet Explorer, by default it is hidden from users. That means when you click Tools, Internet Options in IE and select the Security tab (as described earlier), the Local Machine Zone doesn't show up as one of the zones you can configure.

Microsoft documents in its online Knowledge Base a Registry setting that makes the Local Machine Zone visible. This doesn't affect its security, it simply makes it possible for you to alter the security settings of the zone.

Before altering the Registry, first make sure you back it up and know how to restore it if you make a mistake.

Then click Start, Run, type regedit and click OK. In the HKEY_CURRENT_USER folder, find the following Registry key:

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

In that key, the Flags value, which is a DWORD, controls whether or not the Local Machine Zone is visible in IE's Security tab. Set the data value to 47 (in hexadecimal) to display the zone or 21 (in hexadecimal) to hide it.

Microsoft's description of this procedure is in KB article 315933.

After you've made the change, you can then apply to the Local Machine Zone the same security settings that are recommended below for the Internet Zone. Be aware that this doesn't give you the multiple protections provided by Qwik-Fix Pro and similar security software.


Protecting the Internet Zone


Many security experts recommend that you configure IE's Internet Zone so dangerous technologies are not allowed to run. These recommendations don't go as far as setting the zone to "High" but protect you against most security breaches that a hacked Web site could expose you to.

Many programs other than IE, such as Microsoft Outlook and Outlook Express, use IE's rendering engine to display content on the screen. Changing the security settings of the Internet Zone also strengthens these applications, making it safer for you to read e-mail and use these programs in other ways. One set of recommendations is provided by InfiniSource, a Web resource center.

To make your Internet Zone more secure, pull down the Tools menu in IE, then click Internet Options and select the Security tab. (You can also access Internet Options as an applet in the Control Panel.) Select the Internet Zone, then click the Custom Level button. In the dialog box that appears, change the following settings to the values shown:

  • ActiveX controls and plug-ins
    Download signed ActiveX controls: Disable
    Download unsigned ActiveX controls: Disable
    Initialize and script ActiveX controls not marked as safe: Disable
    Run ActiveX controls and plug-ins: Disable
    Script ActiveX controls marked safe for scripting: Disable

  • Downloads
    Font Download: Disable

  • Microsoft VM
    Java permissions: Disable Java

  • Miscellaneous
    Allow META REFRESH: Disable
    Display mixed content: Disable
    Drag and drop or copy and paste files: Disable
    Installation of desktop items: Disable
    Launching programs and files in an IFRAME: Disable
    Navigate sub-frames across different domains: Disable
    Software channel permissions: High Safety
    Userdata persistence: Disable

  • Scripting
    Active scripting: Disable
    Allow paste operations via script: Disable
    Scripting of Java applets: Disable

  • User Authentication
    Logon: Prompt for username and password

If you made the Local Machine Zone visible using the manual technique described in the previous section of this article, make the above changes to that zone as well. InfiniSource also recommends some other changes for Windows XP users who've installed SP2.
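As an added example (Python; not code from the newsletter, PivX or Microsoft), here is an offline audit of a regedit export of the Zones key that checks the Local Machine Zone's Flags value and a subset of the Internet Zone settings listed above against the article's recommendations. It assumes the Custom Level items map to the numeric value names Microsoft documents for the Zones keys, such as "1200" for "Run ActiveX controls and plug-ins" and "1400" for "Active scripting", with 0 = Enable, 1 = Prompt and 3 = Disable; the .reg text in the block is constructed sample data, not a real export.

```python
"""Offline audit of an exported .reg file with IE's security-zone settings
(added example, not code from the newsletter, PivX or Microsoft). Assumed:
Custom Level items map to numeric value names under Zones\\<n> as Microsoft
documents them ("1200" = Run ActiveX controls, "1400" = Active scripting;
0 = Enable, 1 = Prompt, 3 = Disable)."""
import re

ZONES = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
DISABLE = 3
LMZ_VISIBLE_FLAGS = 0x47  # article: Flags 0x47 shows the zone, 0x21 hides it

# Subset of the article's recommended settings, keyed by the assumed value
# name of each item; zone 3 is the Internet Zone, zone 0 the Local Machine Zone.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", DISABLE),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1200": ("Run ActiveX controls and plug-ins", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1400": ("Active scripting", DISABLE),
    "1607": ("Navigate sub-frames across different domains", DISABLE),
}

# Constructed sample export, not a real machine: the Local Machine Zone is still
# hidden and the Internet Zone has two items left at Enable/Prompt, one unset.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Flags"=dword:00000021
"1200"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000001
"""


def parse_reg(text):
    """Return {key path (lowercased): {value name: int}} for dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit(reg_text):
    """Return (zone label, setting, found, recommended) tuples for every
    deviation; found is None when the value is not set explicitly, so the
    zone's template default applies and should be checked in IE's Security tab."""
    keys = parse_reg(reg_text)
    prefix = ("HKEY_CURRENT_USER\\" + ZONES).lower()
    findings = []
    for zone, label in ((3, "Internet Zone"), (0, "Local Machine Zone")):
        values = keys.get(f"{prefix}\\{zone}", {})
        if zone == 0 and values.get("Flags") != LMZ_VISIBLE_FLAGS:
            findings.append((label, "Flags (zone visible)",
                             values.get("Flags"), LMZ_VISIBLE_FLAGS))
        for name, (desc, want) in RECOMMENDED.items():
            if values.get(name) != want:
                findings.append((label, desc, values.get(name), want))
    return findings


if __name__ == "__main__":
    for label, setting, got, want in audit(SAMPLE_REG):
        print(f"{label}: {setting}: found {got!r}, recommended {want:#x}")
```

On a real machine, export the HKEY_CURRENT_USER Zones key with regedit's File, Export command, read the file with encoding="utf-16" (regedit 5.00 exports are UTF-16) and pass the text to audit().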

One benefit of changing the above settings manually, rather than simply setting the Internet Zone to High Security, is that you can easily change back any individual setting if it causes you a problem.

If a Web site or application complains about a certain setting, you can investigate it and determine whether or not lowering your security settings is justified. If you didn't know about the settings shown above, you'd be tempted in the face of problems to reset the Internet Zone from High to Medium, which would put you back where you started.

Microsoft itself has posted a Knowledge Base article about changing some of the above settings manually in IE, going back to version 3.0. The article is primarily oriented toward troubleshooting, rather than security. The description is in KB article 154036.


Add legit sites to the Trusted Sites list so they'll run


Changing the above-named settings very likely will disable some of the features of some of the Web sites you visit. Unfortunately, in the bad old "anything goes" days of the Internet — which hopefully someday will be "long gone" — these sites adopted nonsecure or proprietary technology to display banner ads, submenus, and the like. Shutting down this stuff is part of the price of making the Internet a more secure place.

If a site that you know is legitimate has a problem with your security settings, it's easy to add the site to your Trusted Zone. The site will then benefit from the less-secure settings in that zone, which is by default set to Low Security.

You can add a site manually to the Trusted Zone by visiting it using IE, then clicking Tools, Internet Options. Select the Security tab, then select Trusted Zone and click the Sites button. Type http:// and the domain name into the input box and click the Add button to add the domain.

To include non-SSL-encrypted sites in the list, turn off the check box labeled "Require server verification (https:) for all sites in this zone." Click the OK button to close all the dialog boxes.

There's a much easier way to add a site to your Trusted Zone, though. You can put an item named "Add Site to Trusted Zone" on IE's Tools menu and click it rather than having to go through Internet Options every time. To get this, download and install Power Tweaks Web Accessories from Microsoft's Web site. This 129 KB download is described as being for IE 5, but it works just as well on IE 6.

Unfortunately, the utility also places on IE's Tools menu another item named "Add Site To Restricted Zone." You should never visit a site that you think is untrustworthy so you can click this menu item. Instead, always add such a site to the Restricted Zone manually, using the procedure described above, before visiting the site.

It's unfortunate that Windows users have to go through all this just to get some peace of mind. Microsoft should simply distribute, free of charge, the fixes necessary to provide this minimal level of protection to all Windows users. Until that time, however, you should take steps to protect yourself.

To send us more information about IE security, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You'll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.



FORWARDING INSTRUCTIONS — news gains value when it's shared 

Please share this information with your friends
You're encouraged to refer your friends and colleagues to this free newsletter. Because most e-mail programs don't correctly display a formatted message that's been forwarded, simply call people's attention to the permanent Web address of this issue: WindowsSecrets.com/041118.


HERE'S A TIP — you'll get a better newsletter if you choose the paid version

You're reading the free version of the Windows Secrets Newsletter
Subscribers to the paid version receive additional information in each issue. Some of the extras this week are:
  • Microsoft's Latest Patches. A startling number of hacker attacks emerged this month that Microsoft hasn't yet issued a patch for. We explain how to stay safe from these problems:

    • New MyDoom worms burrow into IE 6
    • IFRAME vulnerability threatens browser
    • "Click and Scroll" problem hacks into XP2
    • Microsoft issues ISA Server 2000 security patch

  • The Index of Reviews. We rate new high-tech products based on rankings by the most respected testers in the business. Some of the reviews in this issue:

    • Photo/slide scanners are tested, one is found best
    • Digital camcorder/cameras rated by two magazines
    • A new winner zooms to top of high-end camera ratings
    • Which LCDs have the best refresh for videos and games?
    • A top-ranking Flash drive lets you pack your preferences
    • Pocket PC and Palm competitors are rated

  • SPECIAL REPORT: Secrets of XP Service Pack 2. Most reviewers just mention the obvious features of SP2, but we tell you little-known ways to:

    • Enable better memory protection with DEP
    • Get the Recovery Console back after installing SP2
    • Recover the disk space you lost by adding SP2
Paid subscribers gain access to all past paid newsletter content
Make a contribution to support our research into Windows and you'll immediately be able to read and search through scores of valuable articles. In addition, paid subscribers are entitled to download valuable content that we license for them at least once every calendar quarter.

To upgrade, simply make a contribution of any amount that you choose
If you do this by December 1, 2004, you'll instantly be sent the full, paid version of today's newsletter.

To upgrade to the paid version of Windows Secrets, please visit WindowsSecrets.com/upgrade. Thanks in advance.



ELECTRONIC BOOKSHELF — new e-books from the editors

Spam-Proof Your E-Mail Address
This 27-page e-book by Brian Livingston gives you step-by-step instructions that can eliminate 97% of the spam that would otherwise clog your e-mail account. You could call it "Livingston's Spam Secrets." The PDF-format e-book is the result of months of experiments and tests we conducted. We now receive little or no spam to the addresses we used as guinea pigs. These tests show that you can actually reduce your volume of spam to practically nothing, not just battle an unstoppable and ever-growing flood. The methods we describe work with Windows, Apple, and Linux and don't require any filters or block lists — but you can use those in addition to the book's techniques, if you wish.


WACKY WEB WEEK — playing for you the Internet's greatest bits

Reduce the buying power of your money
Just for fun, a company called Storeridge Engineering uses powerful electrical bursts to actually shrink coins. This involves putting the currency into a metal coil and then blasting it with more than 100,000 amps.

The surge causes the coil to explode violently, leaving a coin that's been compacted at the molecular level. A Kennedy half dollar, illustrated in "before" and "after" versions, loses about half its size and gains mysteriously beautiful radial lines. There are even more hilarious results with bimetal coins and coins with a hole in the center, such as Japanese yen. The site has a great explanation and much larger pictures of all this frivolity.



USEFUL LINKS — more stuff that's good to know

Can patch-management companies survive?
Who would have thought that a day would come when there are far more companies selling ways to patch PC operating systems than there are companies selling PC operating systems? There are at least 21 major players in the business of providing patch-management software for Windows, Microsoft Office and other programs. (By Brian Livingston, Datamation)

The road to Windows Longhorn clears somewhat
Microsoft now plans to ship the long-awaited Beta 1 release of Windows 2006 (code-named Longhorn) on Feb. 16, 2005, according to internal documents we've seen. In an update, we review what this may mean, leading up to a scheduled May 22, 2006, release date for the entire product. (By Paul Thurrott, SuperSite for Windows)

Should you disable Windows Scripting Host?
Reports are circulating that an e-mail can silently plant a program on your computer using a built-in feature of Microsoft Windows called WSH. Should you be concerned? (By Brian Livingston, Datamation)



ABOUT YOUR SUBSCRIPTION — we're here to serve you


The Windows Secrets Newsletter (formerly Woody's Windows Watch and Brian's Buzz on Windows) is published twice a month, except for breaks in August and December. The newsletter is published on the Thursday one week before and one week after Microsoft releases its new Windows patches on the 2nd Tuesday of each month.

Publisher: The newsletter publisher is WindowsSecrets.com LLC, 300 Queen Anne Ave. N. #456, Seattle, WA 98109 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor: Brian Livingston is the co-author of Windows 2000 Secrets, Windows Me Secrets, and eight other books. Associate Editor: Paul Thurrott is the author of Windows XP Home Networking and Great Digital Media with Windows XP and the author or co-author of several other books. Research Director: Vickie Stevens. Program Director: Ian Maddox.

Trademarks: "Windows" is a registered trademark of Microsoft Corporation. The "Windows Secrets" series of books is published by Wiley Publishing Inc. "The Windows Secrets Newsletter," "WindowsSecrets.com," "WinFind," "Windows Gizmos," "Index of Reviews," and "Wacky Web Week" are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.


Copyright © 2004 by WindowsSecrets.com LLC. All rights reserved.
