Tuesday, October 31, 2006

Beware of Codecs!

It is time to take off the kid gloves: do not download codecs!

The malware writers are having a grand old time introducing one rogue-infesting software after another, all because people fall into their trap -- they *must* watch that video and download the codec, Presto! The result is pop-ups, browser hijacks, and more.

Just take a peek over at the recent postings of the latest rogues over at Security Cadets. Yesterday, jahewi posted about the latest, a "remake" of VirusBurst/VirusBurster as "Virusbursters". The colder October weather has not resulted in a slow-down of variants either. S!Ri, the developer of the SmitfraudFix tool commonly used to remove the rogues has updated his software at least 14 times during October.

Unfortunately, the problem is not limited to codecs. The curious cannot resist and click on the link in an email, they open the e-card. Never mind that they don't know the sender of the e-mail or e-card. Curiosity gets the better of them -- and makes a mess of their computer. As Microsoft MVP Janie Whitty, known as CalamityJane, points out at BroadbandReports:
"Security Forums have been deluged with daily cries of help from victims of the "Smitfraud" desktop hijackers that are using fake codec to infect their prey.

Watch out for the Zlob Trojan that poses as a codec needed to view a video, then installs a fake virus and urges its victims to download a rogue anti-spyware program to remove it. It has been confirmed that this malware also takes advantage of unpatched systems using exploits on web pages. Visit Microsoft Update to ensure that you have ALL of the critical Windows security updates!

Other victims have been infected by a fake e-card greeting, or even a spoofed e-mail that claims to be Windows Update (Microsoft never sends updates via e-mail). Still more unassuming victims received an e-mail asking them to open a link to see the message (these can be fake e-mails, intended only to infect), or even a link from your 'buddy' in instant messages - but don't trust it if you aren't expecting it. Even your buddy could be infected without his/her knowledge and the virus on their computer is sending you the link with one purpose, and one purpose only - to infect you!"
Although instructions are available in "Removing Fake Security Programs Like VirusBurst, WinMedia & other Codecs" for obtaining relief from these infections, there may be other lingering problems that need addressing. It would certainly be much easier to avoid the infection in the first place.

Once again, the warning, as so aptly stated by Janie:

"If you receive a link for a video that says you need a certain codec in order to view it, be careful! Today, it could be a fake codec that is actually a Trojan just waiting to infect your system."

Saturday, October 28, 2006

Patrick Jordan's Halloween Tricksters List

There is something about holidays and malware writers picking up on the inclination of people to go searching for screensavers, smilies, videos, cursors and any other images or holiday-related files that can exploited.

Not to be undone at Halloween, the tricksters have targeted sites devoted to Halloween themes. Webhelper (Patrick Jordan) compiled a list of infected sites to avoid at Webhelper4U.

"Remember, there are those who will taunt you with free treats, only to find it is a trick to infect you!"

Webhelper 2006

Tuesday, October 24, 2006

Windows Defender Released!

Including an image of the Magnum XL-200 Roller Coaster from Cedar Point is certainly a departure from the usual "garden" theme of this blog. However, just as the Magnum was the first roller coaster to break the 200 foot height limit and became known as the first hypercoaster, so it seems to me is Windows Defender breaking limits and defining a new category of protection for your computer.

Windows® Defender
Specific features of Windows Defender include:
  • Improved detection and removal – Based on a new engine, Windows Defender is able to detect and remove more threats posed by spyware and other potentially unwanted software. Real Time Protection has also been enhanced to better monitor key points in the operating system for changes.

  • Protection for all users – Windows Defender can be run by all users on a computer with or without administrative privileges. This ensures that all users on a computer are protected by Windows Defender.

  • Support for 64-bit platforms, accessibility and localization - Windows Defender supports accessibility and 64-bit platforms. Microsoft will release localized versions including German and Japanese soon after the availability of the English versions. Please be sure to use WindowsDefenderX64.msi for 64-bit platforms.

  • Delta definition updates - Windows Defender now downloads smaller delta definition updates when possible which reduces the time required to download and install definition updates. Customers can expect shorter download times when updating their definition updates.

  • Free Limited Support - As a part of our commitment to the security of our customers, free support for installation, configuration, definition update, detection and removal errors will be available for a limited time after download and installation. Please refer to the Windows Defender support policy for more information.

  • WGA enforcement - There are significant risks to running non-genuine Windows. Only genuine Windows customers can receive product downloads, Windows updates and special offers. Windows Defender will validate that your copy of Windows is genuine before installation. Furthermore, Windows Defender will only remove Severe threats for machines that are not genuine. Low, Medium and High threats will be detected, but not removed unless your copy of Windows is genuine. For more information, please visit http://www.microsoft.com/genuine

A redesigned and simplified user interface – Incorporating feedback from our customers, the Windows Defender UI has been redesigned to make common tasks easier to accomplish with a warning system that adapts alert levels according to the severity of a threat so that it is less intrusive overall, but still ensures the user does not miss the most urgent alerts.

Important Notes
  • Windows Defender no longer supports Windows 2000 as it will be out of mainstream support in October 2006. Please refer to the support lifecycle website for more information.
If you haven't downloaded Windows Defender yet because it was still beta software, I encourage you to do so now that it has finally been released in final. You will be pleased at the frequency of definition file updates.


Download Windows Defender
Windows Defender Home
Windows Defender Support and Training
Microsoft's Focus on Spyware

Monday, October 23, 2006

Firefox 2.0 Released Early

I was checking the RSS subscriptions I have set up and certainly am glad that I did. Look what I found at the LangaBlog:

Langa Blog: Mozilla Secretly Posts Firefox 2.0 Early

Sure enough, Firefox 2.0 has been uploaded to the FTP server. You can get the Windows 32 version at this live link: http://ftp-mozilla.netscape.com/pub/mozilla.org/firefox/releases/2.0/win32/en-US/Firefox%20Setup%202.0.exe

See the Release Notes for RC3: Release Notes.

Sunday, October 22, 2006

SunJava Snuck Out Another Update

Sun Java did it again. They snuck out another update, but this time they didn't change the update number, only the build.

From the Release Notes:
"Special Note

This update was originally released as 1.5.0_09-b01. After that release, it became necessary to provide an additional bug fix immediately. In order to simplify deployment, 1.5.0_09-b01 was replaced with 1.5.0_09-b03. This new release contains all the bug fixes contained in the old release, in addition to the new bug fix."

So, what's the big deal, you ask? The deal is that the internal build information is not displayed in logs. Considering that fixing a bug justified a new build how are we to determine which build users have installed and advise appropriate action, particularly when Sun advises:
"Please do make sure to remove the outdated build as soon as you are satisfied the updated build is working as expected."
Taking it a step further, unless the prior Version 9, Build 01 is uninstalled prior to attempting to installation of Build 03, the installer will abort because the Version numbers are the same. Why is it so difficult to change the version number and identify which bug was fixed in the new Build?

The instructions in "SunFlowers and SunJava Update" have been updated to reflect the need to uninstall Version 9, Build 01 prior to update to Build 03.

"NeatNetTricks" REALLY Likes WinPatrol!

Anyone who has been reading this blog for any length of time knows that I am a fan of WinPatrol. Today, as I was revising some sites I like to keep track of but frequently miss due to time constraints, I discovered that the folks at NeatNetTricks recently reviewed WinPatrol.

Here are just a couple tidbits from the review:

"Of all the programs that I have used help one know more about what is going on in your computer (the good, the bad and the ugly), this one is my favorite."
"WinPatrol performs excellently, replacing the need for several programs to accomplish what it does in its easy-to-use manner."
"Interestingly, this is one of the very few third-party software programs that I have ever seen Microsoft Support actually promote on one of its Help and Support pages as a possible cure for a slow-running Windows operating system http://support.microsoft.com/default.aspx?scid=kb;en-us;898583. This in and of itself may speak more favorably of WinPatrol than anything a reviewer can say."
Unlike reviews found in the major online PC Journals, I have found the comments at NeatNetTricks Software Reviews to be completely unbiased. The reviewers receive no compensation for their time, but rather are committed to providing their honest opinion of the software under consideration. I think you'll enjoy what they have to say.
"The Neat Net Tricks Software Review Panel is comprised of eight or nine members who have agreed to the formidable task of putting a selected piece of software to a thorough testing, then writing an in-depth report about the results. Panel members come from all walks of life and share but one common goal: to report on software without bias so that you can be forewarned and forearmed before you choose to try the program.

Our Software Review Panel serves anonymously without compensation, except for the complimentary registered software that they use in performing their evaluation. Companies agree to provide this software at no cost to our Panel in return for the exposure our reports provide their products. There is no guarantee made to the software producer that the review will be flattering. Each report "tells it like it is", or at least how the reviewer sees it. There is often even dissension among Panel members writing about the same product, so in the final analysis it's up to you, the end-user, for the final determination whether the software is worth the price."
NeatNetTricks Software Reviews
WinPatrol Review

Friday, October 20, 2006

IE7 Update and News


Microsoft MVP
Harry Waldron had been using the beta versions of IE7 on both his home and work computers. With the release of IE7 in final, he posted his recommendations in his blog based on his "real life" experience.

Harry's excellent instructions (including his recommended "celebration kit") have been quoted as an addendum in my original "Preparing for and Installing IE7" writeup.

Today's IE7 News:

After the excitement of the past two days with the release, things have calmed down a bit. After you have IE7 up and running, you may want to check out "Must Have Add-Ons for IE7". If you are up to a challenge, "Building Add-Ons for IE could Net you a Trip to Mix07 and $2500".

If you would like to meet the team that brought us IE7, stop over at Channel 9:

Internet Explorer 7: The Browser. The Team. The Tour. Part 1
Internet Explorer 7: The Browser. The Team. The Tour. Part 2
Internet Explorer 7: The Browser. The Team. The Tour. Part 3
Internet Explorer 7: The Browser. The Team. The Tour. Part 4

Not Ready for IE7 yet?

Although it is highly recommended as a security update, there may be reasons why some people are not yet ready to install IE7. Microsoft covered that option in "Automatic Updates Delivery Process":

"If a user selects “Don’t Install”: The notification process will not re-prompt the user to install at a later time; however, any user who is a local administrator will be able to install Internet Explorer 7 at any time as an optional update from the Windows Update and Microsoft Update sites or from the Microsoft Download Center."
"Note If a user has installed Internet Explorer 7 and subsequently removes it, Automatic Updates will re-offer Internet Explorer 7 to that machine using the process above in order to bring it up to date. In this case, a user need only select the "don't install" option at the welcome screen. Internet Explorer 7 will no longer be presented by Automatic Updates."

Thursday, October 19, 2006

IE7 -- "Bits from Bill" and Other Internet Explorer 7 News

There will be a lot of information available on the newly relased Internet Explorer 7 over the coming weeks. I will do my best to consolidate key information here in the Security Garden.

Included at the bottom of this posting are a number of references that you may find helpful.

  • WinPatrol Notes
Bill Pytlovany installed IE7 on his WinPatrol studio computers. For information on the changes you need be alerted to and information from the WinPatrol Plus database see "Bits from Bill: IE7 changes include IEFrame.dll". I suspect we will get further updates in "Bits from Bill".

  • IE 7 First Run Screen
Microsoft MVP Sandi Hardmeier documented what needs to be done if you experience problems with "The new Internet Explorer first run screen". Also keep an eye on Sandi's website, IE-Vista for help in learning about and using the new features in IE7.

  • First IE7 Advisory Issued and Refuted
Although not critical, Secunia issued Advisory 22477 described as follows:
"A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to an error in the handling of redirections for URLs with the "mhtml:" URI handler. This can be exploited to access documents served from another web site.

Secunia has constructed a test, which is available at: Secunia

Secunia has confirmed the vulnerability on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2. Other versions may also be affected."
Secunia's recommended work-around is to disable active scripting support. Microsoft Security Response Center has addressed this indicating:
"These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express."
  • IE7 Phishing Filter
One thing is certain, the IE7 phishing filter cannot come too soon. Note, however, that it is not turned on by default. (See IE-Vista Phishing Filter for instructions and information on how the Phishing Filter works.) The Register reported yesterday that a "Trojan download site spoofs IE7 release outlet":
"Hackers have created a bogus Internet Explorer 7 download site that attempts to load Trojan code onto the PCs of visiting surfers.

Traffic to the malicious website is being driven by a spoofed email message, claiming to be from support@microsoft.com, offering a link to download Release Candidate 1 (RC1) of Microsoft Internet Explorer 7."
  • Automatic Updates
As pointed out several times, Internet Explorer 7 will be delivered via Automatic Updates. However, it was with relief when reading reading Canuk's CyberNews4You update on Internet Explorer 7, that I followed a link to Tech Web and happily learned the following:
"The IE 7 update will also not add to the burden of Microsoft's monthly security patch delivery, scheduled for Nov. 14, promised Cobb. 'We won't do it on Patch Tuesday.'"
That in itself is a relief for the 40 percent or so of Americans who are still using a dial-up connection! However, that is not to say that IE7 may be delivered to your computer earlier. As we are reminded in the IE Blog,
"To help you become more secure and up-to-date, we will distribute IE7 via Automatic Updates as a high-priority update. We will start very soon with those of you who are already running IE7 pre-releases and then move onto IE6 users after a few weeks. We will progressively roll out to all IE6 users over a few months, so don’t be surprised if you don’t see the update right away."
  • IE7 Support
The other good news I learned from the Tech Web article is that Microsoft will be establishing toll-free telephone support for IE 7:
"Beginning Thursday, Microsoft will open a free, toll-free support line for IE 7. The help desk will be manned Monday through Friday 5 a.m. to 9 p.m. PDT, and on weekends from 6 a.m. to 3 p.m. PDT."
See Time and Date for converting PDT time to your local time zone.

  • References
IE Blog
Internet Explorer 7 Home
Internet Explorer 7 Support
Internet Explorer 7 Community
IE7 Quick Reference Sheet
IE7 Release Notes
Information Index for IE7
The Microsoft Internet Explorer Developer Center

Microsoft's View of "My Town"

This is a typical view of my area this time of year -- a view that is apparently appreciated by Microsoft. For the second time in a little over a year, Microsoft has selected a local company to partner in the Microsoft Windows Live program.

The first was Pictometry International Inc. for their development of a system for capturing and analyzing aerial digital images. That system is the basis of Windows Live Local (http://local.live.com).

The second, Kirtas Technologies, was announced locally yesterday:

"(October 18, 2006) — Technology giant Microsoft Corp. needed a partner for its massive digital books project and found it in a 5-year-old company in Victor.

Kirtas Technologies, which makes high-speed scanners for books and the software to edit and organize them, will be part of Microsoft's Live Book Search project. The digital books will become available early next year, Microsoft and Kirtas said Tuesday."
See the Democrat and Chronicle article for the full story.

Alert - Security Bulletin MS06-061 Re-Release

Microsoft updated Security Bulletin MS06-061: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191) to include information detailed in the Summary section below.


• On Thursday, October 19th, Microsoft issued a targeted re-release of the MS06-061 update for Windows 2000. While the original version of this security update for Windows 2000 did protect against all vulnerabilities discussed in the bulletin, it did not correctly set the kill bit for Microsoft XML Parser 2.6.

• The new version of MS06-061 for Windows 2000 protects against all vulnerabilities discussed in the bulletin and correctly sets the kill bit for Microsoft XML Parser 2.6.

Questions & Answers

  • Why did Microsoft reissue this bulletin on October 19, 2006?
The original version of this security update for Windows 2000 did protect against all vulnerabilities discussed in the bulletin; however, it did not correctly set the kill bit for Microsoft XML Parser 2.6.
  • What is the scope of the vulnerability?
If the vulnerability that was addressed by MS06-061 was successfully exploited, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
  • What systems are primarily at risk from the vulnerability addressed by MS06-061?
Microsoft Windows 2000 is primarily at risk from the vulnerability.
  • What does the update do?
The new version of MS06-061 for Windows 2000 protects against the vulnerabilities discussed in the bulletin and correctly sets the kill bit for Microsoft XML Parser 2.6.
  • What can you tell me about MS06-061?
Today, October 19, 2006, Microsoft issued a targeted re-release of the MS06-061 update for Windows 2000. While the original version of this security update for Windows 2000 did protect against all vulnerabilities discussed in the bulletin, it did not correctly set the kill bit for Microsoft XML Parser 2.6. The new version of MS06-061 for Windows 2000 protects against all vulnerabilities discussed in the bulletin and correctly sets the kill bit for Microsoft XML Parser 2.6. Windows 2000 customers should deploy the new version of this update.
  • What is the nature of the problem?
While the original version of this security update for Windows 2000 did protect against all vulnerabilities discussed in the bulletin, it did not correctly set the kill bit for Microsoft XML Parser 2.6.
  • Are there any active exploits out for MS06-061?
No. Microsoft has not received any information to indicate that this vulnerability had been publicly used to attack customers.

Wednesday, October 18, 2006

Drum Roll: Internet Explorer 7 Released!!!

The long-awaited date has arrived. Internet Explorer 7 has been released! As you have been advised, IE7 will be distributed via Windows Updates, starting in a few weeks.

See what is new in IE7 at the Microsoft Windows
Internet 7 website. Following is the announcement from the IE7 Blog by Dean Hachamovitch, General Manager, IE7 Team:
Internet Explorer 7 for Windows XP Available Now

Today we released Internet Explorer 7 for Windows XP. I encourage everyone to download the final version from http://www.microsoft.com/ie.

We listened carefully to feedback from many sources (including this blog) and worked hard to deliver a safer browser that makes everyday tasks easier. When I first posted publicly about IE7, I wrote that we would go further to defend users from phishing and malicious software. The Phishing Filter and the architectural work in IE7 around networking and ActiveX opt-in will help keep users more secure. IE7 also delivers a much easier browsing experience with features like tabbed browsing (especially with QuickTabs), shrink-to-fit printing, an easily customizable search box, and a new design that leaves more screen real estate for the web site you’re viewing. IE7’s CSS improvements are incredibly important for developers as many of you have made quite clear. I also think IE7’s RSS experience and platform are important, powerful, and innovative.

In addition to our release of IE7, Yahoo! has a customized version of the browser available today and over the next few days partners such as Weather.com and USA TODAY will offer their own customized versions. These versions will tailor the user experience with specific toolbars, additional search engines, favorites, and RSS feeds.

I want to thank everyone who provided feedback as we developed and fine-tuned Internet Explorer 7. Over the 20 months since Bill Gates first announced our commitment to deliver IE7, we released five betas and a release candidate to millions of users worldwide. With each release, your feedback helped us make IE7 better. Your contributions, ideas, and direct comments were crucial in helping us prioritize and focus our work. I can’t imagine delivering this product without the tremendous cooperation we enjoyed from so many of you as well as developers and partners.

That said, we’re not done. Even as we put the finishing touches on Windows Vista and release all the remaining language versions of IE7, we have already started work on the next versions of Internet Explorer. We’ll post more here soon about our plans for the product and our plans for listening to you.


Dean Hachamovitch
General Manager

To make sure you are ready for the installation of IE7, see "Preparing for and Installing IE7".

Microsoft Security Advisory 917021

Microsoft has released Security Advisory 917021 – Description of the Wi-Fi Protected Access 2 support for Wireless Group Policy in Windows XP Service Pack 2 - on 17 October 2006.


Microsoft is releasing this security advisory to inform customers about an update that enables Wi-Fi Protected Access 2 (WPA2) support for Wireless network Group Policy settings in Windows XP Service Pack 2. This update is being released to provide parity between Windows XP Service Pack 2 (before a broad release vehicle, like a service pack, is released) and the upcoming release of Windows Server 2003 Service Pack 2. With this update, customers can create Wireless network Group Policy settings to simultaneously manage WPA2 on systems running Windows XP Service Pack 2 and for any versions of Windows targeted by the upcoming Windows Server 2003 Service Pack 2.

Also included in this update are Wireless client behavior changes for non-broadcast and ad-hoc networks. These defense-in-depth changes are intended to help prevent systems from connecting to networks other than those a user intends to connect to.

The reason these defense-in-depth changes are included in this update in addition to the WPA2 support for Wireless network Group Policy is to provide parity between the two Windows versions. This makes it possible to manage WPA2 settings for wireless clients on different Windows versions using the same Wireless Group Policy.

These defense-in-depth changes will be included in Windows 2003 Service Pack 2 as part of the same WPA2 support for Wireless network Group Policy settings. For more information about the upcoming Windows 2003 Service Pack 2 see the Windows Service Pack Road Map: http://www.microsoft.com/windows/lifecycle/servicepacks.mspx. The broad release vehicle is still considered to be a service pack for Windows XP for the defense-in-depth changes included in update 917021.


Review Microsoft Security Advisory 917021 for an overview of the issue, details on affected components, suggested actions, frequently asked questions (FAQ) and links to additional resources.

Additional Resources

• Microsoft Security Advisory 917021 – Description of the Wi-Fi Protected Access 2 support for Wireless Group Policy in Windows XP Service Pack 2:

• Microsoft Knowledgebase Article 917021 - Description of the Wireless Client Update for Windows XP with Service Pack 2:

• Windows Service Pack Road Map:

Tuesday, October 17, 2006

Mozilla Firefox 2 Release Candidate 3 Available

It was announced at mozillaZine today that Mozilla Firefox 2 Release Candidate 3 (RC3) is available for download. It contains several bug fixes as well as security and stability updates.

If you used previous release candidates (RC1 or RC2) you can upgrade to RC3 using the software update feature.

Anyone who has not installed Firefox 2 is reminded that, although tagged "release candidate", this is not the final version. There may be additional bugs that need to be worked out. Please do not install on a production-critical machine and, of course, always create a System Restore Point prior to installing any software.

Download Link
Release Notes

Monday, October 16, 2006

Symantec Reports Viruses/Worms "Solved"

According to Larry Greenemeier's report in Symantec Says Viruses And Worms Are 'Solved':
"It's official: The problem It's official: The problem of worms and viruses is "solved"--at least according to Symantec chairman and CEO John Thompson. The more relevant security threats today are phishing and fraud, as well as organized crime's interest in stealing and reselling personal information, Thompson says. Not that Symantec will stop cashing checks made out to it for antivirus software. But the company's "Security 2.0" strategy, detailed for the first time last week, tackles broader threats beyond its popular Norton PC security line, including database, E-mail, and identity-theft protection."
Does that mean that Symantec is going to ignore worms and viruses in favor of phishing and fraud? Does Symantec think that their customers are no longer being infected with worms and viruses? I wonder what rock their management has been sleeping under. Based on the logs I see, most infected users have either Norton or McAfee as their antivirus software. Perhaps that lack of ability to detect and/or remove the current prevelant infections is why Symantec -- and, according to the article, apparently McAfee as well -- no longer see worms and viruses as problems.

Now, why does this bother me:
"As part of Security 2.0, Symantec will partner with security services company VeriSign and IT services firm Accenture. Symantec plans to integrate its Norton Accounts software with VeriSign's Identity Protection Authentication Service, which will let Symantec customers use one-time passwords when conducting online transactions."
Here the choir has been preaching for eons to use a different password for each site, particularly for banking, online bill paying and purchases. This is where I need to put up the stop sign and suggest you go back to my blog post from just yesterday entitled, "Closing the Gates on Phishing" where I quoted Bruce Schneier in "The Failure of Two-Factor Authentication":
  • "Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.
Now Symantec is saying only one password for online transactions? What happens when the gullible customer does not recognize the phish and types in that one password, responds to various questions about their account, perhaps even providing information on multiple accounts to what they believe is their trustworthy banking establishment. I need to see this in action before I believe it will work.

"Ask" and you shall . . .

Accept "Ask's" offer for free smilies, screensavers or cursors and you shall also receive a toolbar.

Ben Edelman explains in an interview with Microsoft MVP, Suzi Turner, the acceptance of the toolbar is included in the EULA (End User License Agreement) when clicking through the process of downloading the "free" smilies or cursors. However, in response to Suzi's questions, Ben goes on to explain:
"The problem is that users' "consent" is obtained under false pretenses. Ask gets users' attention with the promise of free tidbits that some users do indeed want. Once it has their attention, it switches them over to something else — namely, free tidbits plus a bundled toolbar."
Through the use of a clear comparison between the unfair and deceptive trade practices of a 1976 FTC case (Federal Trade Commission v. Encyclopaedia Britannica, Inc., 87 F.T.C. 421) , Ben showed the analogy between Ask's methods and those of Encyclopaedia Britannica salesmen, where, as Ben describes:
"The initial offer was so different from the resulting deal that the confusion can't be cured by a subsequent disclosure. which may have bee The initial offer was so different from the resulting deal that the confusion can't be cured by a subsequent disclosure."
Although the cited FTC case was before Ben's time, it wasn't before mine. I remember the Encyclopaedia Britannica salesmen and believe my parents may have purchased a set. Oh, and I remember the Fuller Brush Man too, but that's a bit off topic.


Please read the complete interview and then Ben's full report linked below.
When you read Ben's report, notice in particular how the ads are targeted at teens and preteens who certainly are not likely to read the EULA, or even understand it if they did. They would most certainly miss the information in the license that Ask's toolbars are not to be installed by users under age 13, or by users under 18 unless they obtain parental consent. Remind your children once again about checking with you before agreeing to any installations from the internet.

To help you analyze the EULA, consider installing JavaCool Software's EULAlyzer
1.1. The software will not provide you with legal advice, but it will call your attention to questionable wording. From the website description:

"EULAlyzer can analyze license agreements in seconds, and provide a detailed listing of potentially interesting words and phrases. Discover if the software you're about to install displays pop-up ads, transmits personally identifiable information, uses unique identifiers to track you, or much much more.

The Benefits

  • Discover potentially hidden behavior about the software you're going to install
  • Pick up on things you missed when reading license agreements
  • Keep a saved database of the license agreements you view
  • Instant results - super-fast analysis in just a second
And with additional features like the EULA Research Center, which optionally allows users to anonymously submit license agreements they scan to help us to further improve the program, everyone can be a part of the effort to make something that used to be so tedious, so easy."


Ben Edelman, "Current Practices of IAC/ASK Toolbars"
Ben Edelman, "Does Jeeves Ask for Permission?"
Suzi Turner, "Edelman on 'Deceptive Door Openers' and Ask toolbars"

Sunday, October 15, 2006

Closing the Gates on Phishing

Hopefully by now you know what phishing is and the sad results of those who have been duped by these scammers into providing personally identifiable information. (If not, see my writeup in "New Anti-Phishing Tool by TippingPoint".) The scariest and most serious phishing is when banking sites are the subject of the phish. According to "Banks give 'phishers' the hook" at azcentral.com, this problem may soon be alleviated in the United States -- or will it?
"Internet banking is about to get a bit more complicated - for legitimate customers as well as for crooks running "phishing" scams.

Federal regulators are requiring banks and thrifts to put systems in place that go beyond the standard security procedure in which customers type in a single password.

Banks, thrifts and credit unions have until the end of the year to implement security systems that include at least two different means of user authentication, a password plus some additional way to prove identity."
Two-factor authentication is a common practice in the corporate environment. It is full-filled by providing a response when logging in to the environment with "something you know" plus "something you have". The something you know is the logon password. The something you have is generally a number generated by a token. One example in the public sector of two-factor authentication is the ATM card. The card itself is what the user has and the pin number is something known.

The problem with online banking is that the information generated from the "something you have", such as a token issued by the bank, can also be obtained via a Man-in-the-Middle Attack or a Trojan Attack, as explained by Bruce Schneier in "The Failure of Two-Factor Authentication":

  • "Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.
  • Trojan attack. Attacker gets Trojan installed on user's computer. When user logs into his bank's website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants."

As reported in The Register in "Phishers rip into two-factor authentication", a man-in-the middle attack against Citibank has already been used:

"A bogus security warning ostensibly from Citibank, and targeting customers of its Citibusiness service, urged prospective marks to visit a website and enter not only their account details and password (as with conventional phishing scams) but also the code generated by the customer's token. "


See How Not to Get Hooked by a ‘ Phishing’ Scam by the Federal Trade Commission.
Submit Phishing Scams to Castle Cops PIRT
Schneier On Security Trackback

Saturday, October 14, 2006

Security Garden Spotlight - Donna Buenaventura

Like a bee buzzing from flower to flower, Microsoft Most Valuable Professional, Ms. Donna Buenaventura, certainly seems to have endless energy when it comes to keeping the public informed.

In addition to posting product security bulletins and advisories as well as news and alerts in several online communities, Donna, as she is known in the security community, is also an Administrator or Moderator at various sites, providing valuable help and advice behind the scenes.

As if that wasn't enough, Donna maintains two active blogs -- Donna's Security Flash and Internet Security. Donna's Security Flash, active since early in 2004, is regularly updated not only with security advisories and alerts, but also with pertinent general security news.

In contrast, Internet Security contains numerous helpful and educational topics. One of my favorites is System Restore and Infected Files where Donna dispells the myth that System Restore should be disabled or flushed after the antivirus, antitrojan or antispyware has finished cleaning their system.

Some might consider maintaining two blogs and helping at various online communities sufficient contributions in providing help and information. Not for Donna. With the help of contributors and volunteers, Donna is also kept busy at her highly popular website, Calendar of Updates, now in its third year of operation. As I wrote in When Do You Update:
Another option, other than manually checking each software for updates, is to review the listings at Calendar of Updates. You can select multiple views, including A to Z View, Month View, or Week View. While you're at "CoU", check out the site. It is jam-packed with information!
In addition to software update information, at Calendar of Updates you will find tutorials, blogs, help forums and more.

It is no wonder that Donna deserves to be in the spotlight.

Friday, October 13, 2006

Changes at Microsoft - One leads to Another

It started with this reorganization announcement, as reported at Microsoft Watch, by Peter Galli in "Microsoft Gets a New Security Group ",
"Microsoft is bringing its security, Trustworthy Computing and Engineering Excellence teams together in one group, known as the Trustworthy Computing Team."
That was yesterday. Today it was reported that Ben Fathi, who had replaced Mike Nash, will be heading up development of the core components of the Windows operating system. The security unit that he had been runnig will be absorbed into the new Trustworthy Computing Team, reported above. Scot Charney will head up the Trustworthy Computing Team. (See "Microsoft Security Czar Fathi to Focus on Windows OS" for the complete story.)

Follow that reorganization with this announcement about Windows Vista at c|net, "Microsoft changes Vista over antitrust concerns":

"Microsoft had planned to lock down its Vista kernel in 64-bit systems, but will now allow other security developers to have access to the kernel via an API extension, Smith said. Additionally, Microsoft will make it possible for security companies to disable certain parts of the Windows Security Center when a third-party security console is installed, the company said.

Security companies had complained that a kernel protection feature called PatchGuard in 64-bit versions of Vista not only locked out hackers but also prevented some security software from running."

The lock-down was one of the major security features we have been hearing about for some time. Particularly, after reading "McAfee and Symantec get vocal about Vista - but do they *really* have our best interests at heart" co-authored by Microsoft MVPs Sandi and Walter Clayton, I am concerned about what certainly appears on the surface as caving in. As Sandi wrote:

"The bad guys are getting past McAfee and Symantec and others, and if the “Big Two” were *truly* concerned with user security, they would not be fighting this change, which is going to make such a big difference in the malware fight by stopping the bad guys *before* they can do some of their most damaging and difficult to remove tricks. They’d be working on changing their code to work with what is going to be a quantum leap forward in security improvement for users.

Prevention is better than cure. Signature based scanning, heuristics and adding detection for new malware *after* it has already been released and has started infecting machines around the world, isn’t working. I need help to stop the bad guys from getting their tendrils so deep into the OS that it is getting more and more difficult to remove. It is getting to the stage where reformatting is sometimes the only option for systems infected with the worst malware, even with McAfee, Symantec or other security vendor's products installed, and that is simply not good enough."

Consider this quote in Sandi and Walter's article by Jesper Johansson:

"In a sense, [McAfee and Symantec] have built their business on protecting users of Windows from Microsoft, and Microsoft healing the patient cuts into their business doing the same. As Microsoft's Security Chief Ben Fathi said, the security vendors want Microsoft to "keep the patient sick," and by extension, keep customers at risk, so that the security vendors can keep charging for the healing."

But Ben Fathi is no longer Microsoft's Security Chief. Seems like the security vendors will continue charging for the healing.

Thursday, October 12, 2006

Preparing for and Installing IE7


IE7 is scheduled for release on October 18 and will be delivered via
Automatic Updates:
"Automatic Updates will notify all such users (including those with Automatic Updates configured to automatically download and install updates) when Internet Explorer 7 has been downloaded and is ready to install."
John Hrvatin, Program Manager, wrote that most people have not had any problems with the installation of IE7 but, particularly due to the wide variety of anti-malware applications, explained why it is recommended that anti-virus and anti-malware applications be disabled when installing IE7. He provided some excellent advice. However, in my opinion, his advice falls a bit short of the mark. Let's start with what Mr. Hrvatin posted in the IE Blog in "IE7 Installation and Anti-Malware Applications":

"A few people have asked why we recommend temporarily disabling anti-virus or anti-spyware applications (which I’ll refer to together as anti-malware) prior to installing IE7, so here’s a little insight to the situation.

Along with copying IE7 files to your system, IE7’s setup writes a large number of registry keys. A common way anti-malware applications protect your computer is by preventing writes to certain registry keys used by IE. Any registry key write that fails during setup will cause setup to fail and rollback changes. We work around the problem in most instances by checking permissions at the beginning of setup, but many anti-malware programs monitor the key rather than change permissions. Therefore, setup thinks it has access when it starts, but then fails when it later attempts to write the key."

There you have it. On one hand, Mr. Hrvatin is recommending disabling anti-virus and anti-malware software, but, as I emphasized in the quote above, Automatic Updates will have IE7 already downloaded to your computer and ready to install. So, before clicking "Install" a couple of extra steps are necessary.

Although directed toward corporate and small business users, the IE Team has made available tools for testing application compatibility, extensions, and the like. Additional information and links to the tools can be found in the IE Blog in "IE7 Is Coming This Month . . . Are You Ready".

I suggest you print or copy the instructions below so you will know what to do before clicking the Install option when you are presented with the following:



When presented with the above image, IE7 will already be downloaded to the computer. Following are my recommendations before clicking "Install".

1. Disconnect from the Internet and save any work and close all open programs.

2. Disable your anti-virus software and close your firewall.

3. Create a restore point.
Before installing any software, it is wise to create a restore point. Creating a restore point is easy to do. Just follow these steps:
  • Click on the following: Start > All Programs > Accessories > System Tools > System Restore
  • On the next window that opens, select the option to "Create Restore Point"

  • Click Next. In the next window that opens, type in a description that you will remember.

  • Choose "Create" and then close System Restore.
4. Disable real-time protection
As recommended by Mr. Hrvatin, the next step is to disable real-time protection afforded by any anti-malware applications on your computer. The list is quite long so the main thing to remember is if during or after installation of IE7 you are prompted by the real-time protection software on your computer whether to allow or disallow the changes to the registry, it is important to allow the changes.
With most of the real-time protection applications accompanying anti-malware software programs, merely disabling the software is sufficient. However, for Lavasoft's Ad-Watch, additional steps may be necessary. As written in the Ad-Aware SE manual:
Even if Ad-Watch is turned off and something DOES install onto your system, it will recognize it and will kill the process as soon as it has seen it when turned back on.
Because of the variety of settings that can be selected for Ad-Watch, for this situation, I strongly suggest that anyone using Lavasoft's Ad-Watch take the extra precaution of disabling all blocking prior to the installation of IE7. After the installation is complete, re-enable the settings you had before. In the event you do not elect to take these steps, it is vital that you accept any changes that may be alerted by Ad-Watch.
To disable Ad-Watch:
  • Right-click on the Ad-Watch icon in the system tray
  • Select "Restore Ad-Watch"
  • At the bottom of the screen you will see 2 options -- Active and Automatic.
  • Uncheck both options (red X).
  • Under "Tools and Preferences" turn off all blocking actions:
Instructions for disabling other real-time protection is available in the Castle Cops Wiki. Follow the links below now for any of the listed software installed on your computer so you will know how to disable their real-time protection prior to installing IE7.

Having followed the above safety precautions, the computer is now ready for installing IE7.

Clicking on the install button will start the process, which will require Windows Genuine Advantage validation. A restart will be necessary to complete the install.

Note that installation of Internet Explorer 7 will not override any default browser settings. In addition, all compatible toolbars, home/start page, favorites, and search settings will be transferred to IE7. When Internet Explorer 7 is launched, there will be a presentation offered that highlights new features and changes in IE7.


Microsoft MVP Harry Waldron installed IE7 after it was released in final. Here is what he discovered and posted in his blog:
"IE 7 - Recommended installation approach

* Use only the official download from Microsoft's site
* Reboot PC for fresh start (e.g., advanced users should take a system restore point)
* Shut down all started applications and Disable AV scanner
* Do not run anything else during the complete install process
* Wait patiently as some processes are long-running and might seem to hang, (overall this required about 5 to 10 minutes for me).
* Reboot as prompted (twice)
* Select the "run" to continue the process after 1st reboot.
* Keep lucky charms and a celebration kit handy, e.g., plenty of Mountain Dew "
Thanks, Harry!


IE Blog
Internet Explorer 7 Home
Internet Explorer 7 Support
Internet Explorer 7 Community
IE7 Release Notes
Information Index for IE7