Windows users, don’t let your guard down

The problem with relying on software tools to keep you safe is that a user with administrative privileges and a little knowledge (which, as everyone knows, is a dangerous thing) can defeat or disable those tools. Two examples of this phenomenon appeared this week.

As I’ve mentioned before, I’m currently using Microsoft Windows OneCare Live, an all-in-one security suite that’s in beta release right now. On several occasions, I’ve disabled the firewall to troubleshoot problems with my network connection. Whenever I do that, OneCare prompts me to send a quick note to Microsoft explaining why I turned off this essential protection.

Apparently, lots of people have been dutifully filling in that form. Over at the Windows OneCare Team Blog, Microsoft summarizes the results from those submissions:

Based on our investigation, there are four primary reasons people are turning off their firewall.

  1. Do not think a software firewall is necessary
  2. Do not like the (sometimes incessant) pop-up dialogs
  3. An application failed to install with firewall turned on
  4. An application fails to work with firewall turned on

The entire discussion is worth reading, along with the comments. This is one case where I think “nag” dialogs are essential. In fact, I think one commenter’s suggestion of an option to temporarily disable the firewall for a specified period of time (automatically re-enabling it after the time is up) is a good one.

Example #2 comes from George Ou, who reports that Skype 2.0 looks like a virus. The problem? A bug in the latest version of Skype triggers a Data Execution Prevention warning. The most likely reason is that Skype is running code out of a region of memory that was never marked as executable. DEP (enforced by the OS using the no-execute bit that modern CPUs support on each page of memory) treats any attempt to execute from a data-only page as a potential attack and blocks it.

DEP is an excellent first line of defense against the classic exploit technique: overflow a buffer, then jump into an attacker-supplied payload sitting in a data page. But in this case what’s likely to happen is that the user, because they want Skype to work right now, is going to configure the program as a DEP exception and turn off the warnings. In fact, that’s exactly what Skype recommends on its support pages.

If that happens often enough, it leaves a gaping security hole. An exception doesn’t just silence the warning; it turns DEP off for that program entirely, so any memory-corruption bug in Skype (or in anything it loads) becomes exploitable the old-fashioned way. The better approach? Skype users should insist that the company fix its code so that the memory it intends to execute from is allocated or marked as executable, rather than running code out of pages marked as data only.

Those warnings exist for a reason. Turning off the alarm bell doesn’t make the problem go away.
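Since the fix on the user’s side is so often “add an exception,” it helps to be able to see who has already done that. The following PowerShell script is an example added here, not code from the original post or from Skype or Microsoft. It reads the system-wide DEP policy from the Win32_OperatingSystem WMI class and lists per-program DEP opt-outs, which the System Properties DEP dialog records as the DisableNXShowUI compatibility layer under AppCompatFlags\Layers. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance) and the Skype path it checks at the end is an assumed example, not a path taken from the page.

```powershell
# Added example, not from the original post: audit DEP on a Windows machine.
# Assumptions: Windows PowerShell 3.0+ (Get-CimInstance), and that DEP
# exceptions made through the System Properties DEP dialog are stored as the
# "DisableNXShowUI" layer under AppCompatFlags\Layers (HKLM for all users,
# HKCU for the current user only).

$LayerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)

# System-wide policy. SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn,
# 2 = OptIn (Windows binaries plus programs that ask), 3 = OptOut
# (everything except the exception list). OptIn is the client default.
function Get-DepPolicy {
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
        CoversDrivers        = $os.DataExecutionPrevention_Drivers
        Policy               = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

# Per-program opt-outs: registry values named after the executable path whose
# data (a space-separated list of compatibility layers) contains DisableNX*.
function Get-DepOptOuts {
    foreach ($key in $LayerKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' }   # drop PSPath, PSParentPath, ...
        foreach ($p in $props) {
            if ("$($p.Value)" -match 'DisableNX') {
                [pscustomobject]@{
                    Scope   = if ($key -like 'HKLM:*') { 'AllUsers' } else { 'CurrentUser' }
                    Program = $p.Name
                    Layers  = "$($p.Value)"
                }
            }
        }
    }
}

# Is one particular executable opted out? Path comparison is case-insensitive,
# matching how the registry treats value names.
function Test-DepOptOut {
    param([Parameter(Mandatory)][string]$Program)
    [bool](Get-DepOptOuts | Where-Object { $_.Program -ieq $Program })
}

$policy = Get-DepPolicy
$policy | Format-List
if ($policy.Policy -eq 'AlwaysOff') {
    Write-Warning 'DEP is disabled for every process on this machine.'
}
$optOuts = @(Get-DepOptOuts)
if ($optOuts.Count -eq 0) {
    Write-Host 'No per-program DEP opt-outs found.'
} else {
    Write-Warning "$($optOuts.Count) program(s) are excluded from DEP:"
    $optOuts | Format-Table -AutoSize
}
# Assumed example path; substitute the real install location.
Test-DepOptOut -Program 'C:\Program Files\Skype\Phone\Skype.exe'
```

One caveat when reading the output: under the OptIn policy that client editions use by default, a third-party 32-bit program is not covered by DEP at all unless it asks to be, so a DEP warning from Skype implies the machine was running OptOut (or the program opted in). A policy of OptIn with an empty exception list therefore does not mean Skype is protected; it means DEP isn’t being applied to it in the first place.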

Windows Vista to include two-way firewall

So, for those who’ve been demanding that Microsoft offer a fully functional two-way firewall, your request has been granted. In articles about the December CTP Build 5270, I’ve seen vague references to this new feature, but to my knowledge no one has yet published any details. So consider this a scoop.

After installing Windows Vista Build 5270 and examining all security options in Control Panel, you might conclude that the Windows Firewall hasn’t changed at all. To get to the more powerful functionality, the bare-bones Control Panel applet won’t do; you need to create a custom Microsoft Management Console (run mmc.exe), add the Windows Firewall with Advanced Security snap-in, and point it at the local computer. When you do, you see a well-organized interface for controlling all firewall settings. Here’s a snippet:

[Screenshot: Adv_firewall (Windows Firewall with Advanced Security console)]

Two things jump right out at you: First, you get separate firewall profiles, depending on whether or not your computer is connected to a domain. Second, outbound connections are allowed by default in both profiles. To change these settings, click the Windows Firewall Properties link. That opens this dialog box:

[Screenshot: Adv_firewall_3 (Windows Firewall Properties dialog box)]

With one mouse click, as I’ve shown here, you can instantly block all outgoing connections except those you define as exceptions. That list of exceptions appears in the Windows Firewall with Advanced Security console. In a default installation, several dozen exceptions are defined but not enabled. After turning on the Block option for outbound connections, you can go through and enable the exceptions you want and define custom connections as well, with an excruciating level of detail. (In managed environments, you’ll be able to automate all these settings through Group Policy or by using the netsh advfirewall context from a command prompt.)
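Here is the same procedure scripted through the netsh advfirewall context mentioned above, as an example added here rather than code from the original post or from Microsoft. It assumes an elevated PowerShell prompt on a Vista-or-later build where netsh advfirewall is present; the rule name and the Internet Explorer path are assumptions for illustration. The shipping version of Vista ended up with three profiles (Domain, Private, Public) rather than the two shown in the build discussed above, which is why the commands below use allprofiles. The last function implements the “temporarily disable, then re-enable automatically” idea from the OneCare discussion, for outbound blocking only.

```powershell
# Added example, not from the original post: drive Windows Firewall with
# Advanced Security from an elevated PowerShell prompt via netsh advfirewall.
# Assumptions: Vista or later, running as Administrator; rule name and
# program path below are illustrative.
$ErrorActionPreference = 'Stop'

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated prompt; firewall policy changes need admin rights.'
    }
}

# Show the default inbound/outbound action for each profile.
function Get-FirewallPolicySummary {
    netsh advfirewall show allprofiles | Select-String 'Profile Settings|Firewall Policy'
}

# Block outbound by default in every profile. Inbound is already blocked by
# default; restating it keeps the policy explicit.
function Enable-OutboundBlocking {
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null
}

# Allow a single program out; everything not on the exception list stays blocked.
function Add-OutboundException {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Program,
        [ValidateSet('any', 'domain', 'private', 'public')][string]$Profile = 'any'
    )
    if (-not (Test-Path -Path $Program)) { throw "Program not found: $Program" }
    netsh advfirewall firewall add rule name="$Name" dir=out action=allow `
        program="$Program" profile=$Profile enable=yes | Out-Null
}

# Troubleshooting helper: lift outbound blocking for a bounded time, then
# re-arm it. The finally block re-enables blocking even on Ctrl+C, so a
# "temporary" exception cannot quietly become permanent.
function Suspend-OutboundBlocking {
    param([int]$Minutes = 10)
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
    try {
        Write-Host "Outbound blocking suspended for $Minutes minute(s)..."
        Start-Sleep -Seconds ($Minutes * 60)
    } finally {
        Enable-OutboundBlocking
        Write-Host 'Outbound blocking re-enabled.'
    }
}

Assert-Elevated
Enable-OutboundBlocking
# Assumed example: let Internet Explorer out, nothing else.
Add-OutboundException -Name 'AllowIEOutbound' -Program "$env:ProgramFiles\Internet Explorer\iexplore.exe"
Get-FirewallPolicySummary
```

After running this, confirm the behaviour the way the post does: a program without a matching rule (try one that is not Internet Explorer) should fail to reach anything, on the LAN or the Internet, until you add an exception for it. Note that `Add-OutboundException` scopes rules to a program path, not a hash, so a replaced binary at the same path inherits the exception; that is a limitation of the firewall’s rule model, not of the script.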

The documentation for these new firewall features is sparse at this point. The MMC console contains a half-dozen links that point to non-existent help topics and white papers. I’m betting that a few interface tweaks are yet to come, including a notification feature that allows you to see when an application tries to make an unsolicited outbound connection so you can approve it on the fly. For now, I can confirm that the outbound blocking works very well indeed. After enabling this feature, not a single program I tested, including Internet Explorer, was able to connect to any computer on the local network or on the Internet until an exception was defined.

Of course, we’ll be digging deep into this feature in Windows Vista Inside Out, and I’ll add more details after I receive the next CTP build, due around the end of this month.

Two more years of XP Home support

Last week there was a minor uproar over the possibility that Microsoft might stick to its published product support commitments and terminate support for Windows XP Home at the end of this year. In my comment on the issue, I predicted: “Microsoft has no intention of pulling the plug on Windows XP early.”

And sure enough, as Gregg Keizer at TechWeb discovered today, the official Microsoft Support Lifecycle document was quietly rewritten this week. Now, in the entries for Windows XP Home Edition, Windows XP Tablet PC Edition, and Windows XP Media Center Editions 2002, 2004, and 2005, the notes read:

Mainstream support will end two years after the next version of this product is released.

Windows XP Professional gets the same reprieve, with an additional five years of extended support tacked on as well.

So, XP users, you can relax until late 2008.

Is Vista worth an upgrade?

It’s way, way, way too early to be making decisions about an OS upgrade that’s nearly a year away, but Dwight Silverman has some preliminary thoughts in a well-written review entitled Vista’s nifty, but it’s not irresistible:

I’ve been playing with the latest test version of Vista for several weeks and spent some time at CES getting questions answered by Microsoft. I’ve not yet seen a feature that made me sit up and say, “Wow, I must have that.”

I think it will be the whole of Windows Vista that may be its selling point, rather than one or two killer features. If its value is greater than the sum of its parts, Microsoft will have a compelling product. If not, consumers may just yawn and keep using Windows XP.

Some quick reactions:

I think for a hard core of power users, there will be some compelling features. The most noteworthy is the core set of Media Center capabilities, which will be built into the base operating system. For anyone who owns an Xbox 360, the combination will allow you to stream music, pictures, videos, and TV from the den to the living room with ease.

Also, a feature list matters less than how applications take advantage of the OS’s capabilities. If any new programs leverage Vista features (especially the improved file management and search tools), those could provide a compelling reason to upgrade.

Finally, don’t overestimate the importance of upgrades. Historically, upgrades represent well under 10% of the total market for any Windows version. Within a few months after its release, Vista will be on every new consumer PC. The job of a new OS is to take advantage of new hardware capabilities and to deliver an experience that makes the buyer happy they got that new PC.

Why do new PCs come with so much junkware?

Dwight Silverman links to an excellent post today by Claus Valca, who explains why it takes 4.5 hours to make a new PC usable. Part of the burden is updating drivers, part is installing third-party security software, but at least an hour of it is cleaning up bundled software that comes preinstalled on new consumer PCs, with users having no choice over whether to get this stuff. Dwight adds:

During a meeting with some Dell executives at CES, I asked Sam Burd about why his company loads so much junkware on its PCs. He said Dell is just trying to give people some of the software they need to get started right away.

Bullshit.

The makers of the bundled software pay cash to Dell for every copy of junkware installed on a new PC. (Hmm, where else have I seen that business model?) Pretending that this is some sort of noble customer service is a flat-out lie.

Update: And to be fair to Dwight, who is a bulldog reporter in the best sense of the word, I know that he would have liked to ask a follow-up question about who pays for junkware installations, but the press conference format didn’t allow it. Hope he gets a chance to ask those questions the next time he gets a one-on-one with some Dell execs.

Buried in page proofs

While I was flying back from CES this past weekend, my publisher alerted me that the page proofs for my latest book are ready for final review. Oh, and can we have them by 8:00 AM Thursday?

Until I work my way through the whole stack, posting will be light.