New security release format? It’s about time

Update: I’ve replaced the link at the bottom of this page, which originally contained search results from Microsoft’s support site, with a Knowledge Base article that has permalinks to all monthly security releases in ISO format.

Microsoft has been doing this since the beginning of this year, apparently, but this is the first time I’ve noticed it. Security patches for August 2006 are now available as Bulk Updates in ISO-9660 CD image format. The files can be burned onto blank CDs, used on multiple machines, and archived.

This is good news for people who prefer to do updates manually. No more downloading a dozen or so individual patch files and then saving each one. Just make sure you get the right CD image(s). One is for Windows 2000 and Windows Server 2003; another is for Windows XP; and a third is for IE.

If you want to go back and get earlier releases, try this page, which lists all updates in ISO image format since January 2006.

Piracy doesn’t pay

Over at ZDNet, I’ve posted an account of my attempts (so far in vain) to get busted by Windows Genuine Advantage for installing a bootleg version of Windows XP. (See Another WGA failure for the details.)

In my quest for an illegal Windows product key, I visited a lot of very unsavory sites before I finally found one that actually contained the information I was looking for. It was a case study in how shady searches lead to personal tragedy. During the process, I was presented with multiple opportunities to install spyware and even a Trojan horse program.

  • One site offered to install an ActiveX control that identified itself as an “Internet Explorer add-on” from Inter Technologies. It turned out to be a toolbar from Dollar Revenue, which McAfee classifies as a Trojan for its “deceptive practices.” According to my ZDNet colleague Suzi Turner, it downloads “a bucketful of other adware.”
  • Another site offered to install that same set of scumware plus another ActiveX control that was identified only as “Click here to agree” from E.C.S. International. That turned out to be Dollar Revenue again.
  • One site that claimed to offer cracks and product keys for every imaginable software product had a clever gimmick. Following any of the links generated an executable program with the name of the program you were looking for, ostensibly containing key codes. In reality, every download was the same: a copy of a Trojan that Windows Live OneCare identified as Agent.LM.

Now, the fact that I was running Windows XP with Service Pack 2 or Windows Vista means that I didn’t get any “in your face” prompts for these downloads. I actually would have had to go out of my way to install any of this malware. But the fact that I ran into so many examples of truly awful security threats underscores the problems you’re likely to face when you go looking for underground stuff.

As Bob Dylan once sang, “To live outside the law, you must be honest.” You’d better be careful, too.

IE7+ turns out to be a minus

Back in May, I passed along word that Microsoft was planning to call the Vista version of its new browser IE7+.

Never mind.

Microsoft has reconsidered that decision. Tony Chor, Group Program Manager, says:

Well, the feedback we got on the blog was overwhelming – many of you didn’t like it. So, as we’ve said on our website, we heard you. I’m pleased to announce that we’re switching the name back to “Internet Explorer 7”. No plus. No dot x. Just “Internet Explorer 7”.

Of course, this is Microsoft we’re talking about, so the official names are ridiculously overcomplicated. The official full names are:

  • For Windows XP: “Windows Internet Explorer 7 for Windows XP”
  • For Windows Vista: “Windows Internet Explorer 7 in Windows Vista”

I’m just going to call it IE7.

Mozilla says Firefox phishing filter isn’t working yet

Earlier today, I wrote about the new anti-phishing feature in Firefox 2 Beta 1, which was unable to catch a single scam e-mail in my testing. This afternoon, a Mozilla spokesperson sent me an e-mail that said, yes, it doesn’t work yet. In fact, said the spokesperson, this feature “was intended to test the core Phishing Protection framework within the browser, not to provide a full list of suspected scam sites.”

Mozilla really needs to get its act together here, because that’s not the message they’re sending out to people who download the beta version of Firefox 2. Exhibit A is the announcement page for Firefox 2 Beta 1, which provides a bulleted list of 16 “new features and changes to the platform.” The #1 item on that list? See for yourself (yellow highlight added):

[Image: Eb_ff2b1_bullets]

See anything there that says the feature isn’t implemented? Me neither.

In fact, if you follow the link to read more about the Phishing Protection feature, you get to Exhibit B, which has this box prominently displayed at the top (again, the highlighter is mine): 

[Image: Eb_ff2b1_antiphishing]

“If you encounter a web forgery and don’t see the anti-phishing warning … let us know about the problem and we’ll update our lists…”

Again, nothing to suggest that this feature isn’t working in Firefox 2 Beta 1. In fact, this blurb clearly suggests that the feature is enabled and intended for use today.

Here’s the second item on the FAQ:

2. How does the Phishing Protection feature work in Firefox 2 Beta 1?

Phishing Protection is turned on by default in Firefox 2 Beta 1, and works by checking the sites that you browse to against a list of known phishing sites. This list is automatically downloaded and regularly updated within Firefox 2 Beta 1 when the anti-phishing feature is enabled. Since phishing attacks can occur very quickly, there’s also an option to check the sites you browse to against an online service such as Google for more up-to-date protection. This enhanced capability can be turned on via the Anti-Phishing preferences pane. (Note: final set of anti-phishing service providers TBD.)

Based on what the PR spokesperson told me, that paragraph is essentially inaccurate. It isn’t until you get nearly to the end of the FAQ that you see this little disclaimer:

7. I tried browsing to some known phishing sites and I didn’t receive a warning. What happened?

At this time we are using a limited list to test the core Phishing Protection framework within the browser. Users are encouraged to verify that the above test links properly display a warning dialogue, but to wait until a future beta release of Firefox 2 to verify the accuracy of the list of web forgeries.

Meanwhile, the Google Safe Browsing feature is available in the Google Toolbar for Firefox, which is shipping now. In my tests so far today, it correctly identified one phishing site and missed two others. IE7 blocked navigation to all three and flagged them as “confirmed phishing sites.”
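
The design the FAQ describes (a downloaded list checked locally, plus an optional online lookup for fresher data) can be sketched as follows. This is an added example, not Mozilla's or Google's code: the host-suffix/path-prefix matching scheme, the function names and all list entries are assumptions constructed for illustration. It also shows how a limited local list translates directly into missed sites.

```python
import ipaddress
from urllib.parse import urlsplit

def candidates(url):
    """Host-suffix + path-prefix keys to look up (illustrative matching scheme)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname drops userinfo/port, lowercases
    try:
        ipaddress.ip_address(host)
        hosts = [host]                          # never strip "labels" off an IP literal
    except ValueError:
        labels = host.split(".")
        hosts = [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]
    segs = [s for s in parts.path.split("/") if s]
    paths = ["/" + "/".join(segs[:n]) for n in range(len(segs), -1, -1)]
    return [h + p for h in hosts for p in paths]

def check(url, local_list, online_lookup=None):
    """Return 'local', 'online' or None, depending on which source flagged the URL."""
    keys = candidates(url)
    if any(k in local_list for k in keys):
        return "local"
    if online_lookup is not None and online_lookup(keys):
        return "online"
    return None

# Constructed sample data (reserved example domains only).
LOCAL_LIST = {"evil.example.test/", "shop.example.net/promo/login"}
ONLINE_ONLY = {"fresh-scam.example.org/"}       # stands in for the service's newer entries

def fake_online(keys):
    """Hypothetical stand-in for the online service; a real one is a network call."""
    return any(k in ONLINE_ONLY for k in keys)

SAMPLES = [
    "http://paypal.example.test@evil.example.test/signin",  # userinfo disguises the host
    "http://SHOP.example.net:80/promo/login/step2?id=1",    # listed path prefix
    "http://shop.example.net/catalog",                      # same host, unlisted path
    "http://login.fresh-scam.example.org/verify",           # too new for the local list
]
PHISH = [SAMPLES[0], SAMPLES[1], SAMPLES[3]]

def hit_rate(urls, online_lookup=None):
    """Fraction of known-bad URLs that get flagged by either source."""
    flagged = sum(check(u, LOCAL_LIST, online_lookup) is not None for u in urls)
    return flagged / len(urls)

if __name__ == "__main__":
    for u in SAMPLES:
        print(check(u, LOCAL_LIST, fake_online), u)
    print("local list only:", hit_rate(PHISH))
    print("with online lookup:", hit_rate(PHISH, fake_online))
```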

You’ve got Windows XP questions, I’ve got answers

A few weeks ago, I asked readers to send along their Windows XP questions. Here are some answers.

Jim Konzak had a tech support question:

My question is how to fix what seems to be a corrupted Windows XP (driver?) file related to USB devices. If I plug in a USB drive, it is recognized and functions fine. But when it is removed, an immediate BSOD results with the message

NO_MORE_IRP_STACK_LOCATIONS

I have Googled this and posted to several sites, including Dell’s forum (the PC is a Dell Inspiron 8200 laptop) to no avail. Thoughts?

I exchanged a bit of e-mail with Jim over this one. I’ve seen similar issues before and my first suspicion was that it was caused by a third-party firewall product. Sure enough, the culprit was the latest release of ZoneAlarm. Disabling ZoneAlarm made the error message go away. Apparently other ZoneAlarm users are experiencing similar problems.

Ken asks a performance-related question:

You have made me a big fan of task manager. But what do you think about the Performance console? Do you use it to monitor performance on a workstation, and if so what performance counters do you recommend tracking? It seems to yield more detailed information than task manager, but that can be a good thing or a bad thing. [Related question: does Vista have a Performance console as well, and how [if at all] is it new and improved from the XP version?]

The Performance console includes two snap-ins to the Microsoft Management Console. System Monitor tracks data from different counters, and Performance Logs and Alerts allows you to set up log files for those counters. You can open the Performance console by typing Perfmon in the Run box and pressing Enter, or use it from the Administrative Tools menu. We have written extensively about Perfmon in Windows XP Inside Out, but I rarely use it in day-to-day operation. It’s a great troubleshooting tool for those times when you’re trying to figure out why something that was working well is suddenly slower. It’s also good for benchmarking new hardware. System Monitor is still around in Windows Vista (although it’s been renamed Performance Monitor). Its interface is cleaned up, but its functionality is essentially the same. But it’s just one part of the new Reliability and Performance Monitor, which you access by typing Perfmon. The new tools include a resource overview that’s like Task Manager on steroids, and there’s also a Reliability Monitor (I’ve written about this new tool here and at ZDNet). If you liked playing with the XP version, you’ll love the new toys in Vista, which provide much more accessible information for easy scanning as well as many more logging options.

Kishore is looking for a Windows utility:

Is there an easy way to back up the device drivers used by the system? The manufacturer supplies only exe files to install the drivers (along with all those “helpful programs”). I need those when I reinstall my machine.

I ran across something like that years ago, but haven’t seen anything like it lately. Because of the way drivers are installed, I’m a little leery of the concept. (My preference is to save drivers to a known good location and keep them backed up.) But if anyone can point me to something that does this I’ll be happy to take a look.

Sanza reports an annoyance:

Can this be ‘fixed/changed’?

When I’m in a folder (let’s call it MUSIC) that contains 400 other folders and I go into one of those other folders (let’s call it PINK FLOYD – THE DARK SIDE OF THE MOON) and then go back out into the MUSIC folder, I want to be where I was when I left that MUSIC folder. That is, looking at the PINK FLOYD – THE WALL folder, not back at top of the folder list looking at AC/DC – BACK IN BLACK where I have to scroll all the way down to the PINK FLOYD folder again.

Does this happen in Vista also? It bothers me all the time when I’m searching through folders I have arranged by date and such.

How are you getting back to the original folder? If you use the Up button, this is the normal behavior. You end up at the default folder in the parent directory. To fix this annoyance, change your habits. Use the Back button in Windows Explorer (or press the Backspace key) to return to the previous folder. That option remembers your previous settings.

I just tried this on two computers running Windows XP Media Center Edition 2005 and one running Windows XP Home Edition and can reproduce the behavior.

And that’s all for today!  If I didn’t get to your question, sorry. Maybe next time.

Firefox phishing filter fails

[Update: Mozilla’s PR agency says the anti-phishing feature isn’t fully enabled in Firefox 2 Beta 1. Details here.]

Over at ZDNet, I’ve just published a lengthy comparison of the security features in the most recent beta releases of Internet Explorer 7 and Firefox 2. (The comparison is entitled IE7 or Firefox 2: Which browser is more secure? It includes a detailed image gallery so you can draw your own conclusions.)

One prominent feature of each new release is technology to detect so-called phishing sites, which try to spoof legitimate sites and deceive visitors into giving up personal information like credit card numbers and banking account login details. Like most people, I was initially skeptical about whether this technology would work, so over the past few months I’ve been putting IE7’s phishing filter to the test. Normally I just delete those phishing messages, but lately I’ve been clicking on every single one to see what happens. Surprisingly, IE7 has nailed one fake site after another. I haven’t kept detailed records, but the hit rate has been nearly 100%.

I’ve only begun using the Firefox beta in the past few days, so I have only a small sample size to work with. But so far it has missed every one of four phishing sites I’ve pointed it to, each of which has been detected by IE7. I’ve tried monkeying with the settings for the anti-phishing option in FF2, with no luck, and I’ve repeated the installation on a separate computer with identical results. (Both computers were running stock installations of Windows XP.)

Frankly, this is baffling to me. Both Microsoft and Mozilla have been testing this feature for a year. In Mozilla’s case, the testing has been done by Google, which developed the technology as part of its Google Toolbar for Firefox. As a control, I installed Google’s Firefox toolbar on the latest official release of Firefox, 1.5.0.6. It failed to detect two obvious phishing sites as well. (Two other links that I had used for testing yesterday have already been taken down.)

I’m going to begin monitoring this feature a lot more closely and will report my results periodically here.

Some Windows Vista answers

A few weeks ago I invited readers to throw some Windows Vista questions and comments my way. Here are a few answers.

David writes:

I really dislike that the UAC prompt seems to appear in different places of the screen depending on where the action occurred that created it. For example, move to a program files folder and select “organize>new folder.” Why am I prompted to continue in the upper left corner, why not the middle of the screen? It should be in the middle, in my book.

As far as I can see, the UAC prompt appears directly over the element you clicked. This makes perfect sense if UAC is acting as it’s supposed to and is immediately displaying a permission dialog box. Some video driver bugs in current builds cause some pretty severe delays, which can be annoying to say the least.

Another question from David:

Ok, so I run with an administrator account, I have not created a limited user. I wish the UAC had a bit more flexibility in its configuration regarding the prompts I receive. For example, I use an explorer replacement. I’ve checked the box under the shortcut that I want the program to run in admin mode. Why am I still prompted to “allow” it to run? I knew what I did when I checked the box, don’t prompt me.

This behavior is the same as in Windows XP. Selecting that checkbox says that you want to be prompted to enter a different set of credentials when you run the program. It sounds like what you’re asking for is the ability to declare certain programs or features as being exempt from UAC; that won’t happen, sorry to say.

Kishore asks:

I read earlier (probably, not from this site) that Vista is going to include symbolic links. Is this feature implemented? Is it exposed in explorer or cmd.exe?

Symbolic links, aka symlinks, are also known as aliases (to Mac users) or junction points (in the Windows NT family). They’re similar to shortcuts but much more powerful in that a symbolic link looks and acts as if it were part of the file system instead of being a pointer. You make and manage symlinks with the MKlink command. We’ll have several pages on this in Windows Vista Inside Out.

One more from David:

I’m wondering if you can comment on something I just read. In this document [IT Showcase: Explorer 7 Protected Mode] it says that Protected mode is only available for Windows Vista Enterprise and Windows Vista Ultimate. Everything else I’ve read says Protected mode is available in Vista, implying it would be part of Windows Vista Basic.

I just checked with Microsoft and they say that’s a mistake. Protected Mode is part of every Vista version, no differences from one to the other.

From Desert Weary:

Just installed Vista Build 5384 and am wondering why SELECT.EXE process is constantly running at 85 – 94% of CPU in task manager. What’s going on? Is this normal?

No, that’s not normal. That process is not a part of Vista, so it sounds like you’ve got a third-party application that isn’t playing nice.

That’s all the time for questions today. Keep ’em coming and I’ll answer some more next week.

The irony of anti-virus software

Bruce Schneier points out a recent study on the behavior of malware against the top-selling antivirus programs:

The top three antivirus programs — from Symantec, McAfee, and Trend Micro — are less likely to detect new viruses and worms than less popular programs, because virus writers specifically test their work against those programs.

Well, that’s not good news, is it? The original report is here. The money quote:

At a security breakfast hosted by e-mail security firm Messagelabs in Sydney on Wednesday, the general manager of the Australian Computer Emergency Response Team (AusCERT), Graham Ingram, told the audience that popular desktop antivirus applications “don’t work”.

“At the point we see it as a CERT, which is very early on — the most popular brands of antivirus on the market … have an 80 percent miss rate. That is not a detection rate that is a miss rate.

“So if you are running these pieces of software, eight out of 10 pieces of malicious code are going to get in,” said Ingram.

And if you think you’re safer because you’re relying on some obscure piece of software, think again:

Although less popular antivirus applications are more likely to pick up new malware, Ingram said that the average level of new malware that is undetected is 60 percent, which is “worrying”.

Indeed. I’ve been a vocal critic of the whole concept of security software for a long time. The business model is flawed and it’s vulnerable to precisely this sort of targeted engineering. Now that malware writers are making serious money off their poison, they have a powerful incentive to write higher-quality code. And it appears that’s exactly what they’re doing.