Six steps you can take to block unwanted software

Last week, I published “Ten things you need to know about spyware” and got some great feedback. Today, I’m following up with some advice on how you can prevent unwanted software from ending up on your PC in the first place. This piece, like the last one, is an extremely condensed (and preliminary) version of content that will appear in an updated version of Windows Security Inside Out, which is due to be published this spring.

As I noted last week, trying to remove spyware/adware/viruses is a difficult proposition. You’re much better off if you can prevent an unwanted program from being installed in the first place. This is the advice I give to clients in my consulting practice, and it’s been successful. If you follow this advice, your likelihood of being attacked should drop to nearly zero.

If you have comments or questions, add them in the comments or create an entry on your own site and give me a trackback link. The list appears in the full version of this post.


Is that Internet Explorer add-on safe?

Internet Explorer supports all sorts of add-ons and extensions. The most popular are Browser Helper Objects (BHOs), browser extensions, and toolbars. If you run Windows XP Service Pack 2, you can view a list of all installed add-ons by choosing Tools, Manage Add-ons. From this dialog box you can enable, disable, or update anything on the list.

So how do you tell which add-ons are good and which ones are evil? Start at the CastleCops Master BHO and Toolbar List. The list is currently at 1609 entries and does an excellent job of sorting the good, the bad, and the ugly.
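The Manage Add-ons dialog shows the same information that Internet Explorer reads from the registry at startup. As an added example (not code from the original post), the following Windows PowerShell script enumerates the three add-on kinds named above (Browser Helper Objects, toolbars, and browser extensions) from their per-machine registration keys, resolves each CLSID to the DLL that would be loaded into the browser process, and reports whether that DLL exists and carries a valid Authenticode signature. The registry paths are the standard ones for 32-bit Internet Explorer; on a 64-bit Windows installation the same keys also exist under Wow6432Node, which the script does not walk.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell
# running on a machine with Internet Explorer installed; run elevated to
# read Authenticode signatures of DLLs in protected folders.

function Resolve-ComServer {
    param([string]$Clsid)
    # Any in-process COM add-on is registered under HKCR\CLSID\{guid};
    # InprocServer32 holds the DLL that Internet Explorer will load.
    $key  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    $dll  = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Name = $name; Dll = $dll }
}

function Get-IeAddOn {
    # Per-machine registration points for the three add-on kinds.
    $sources = @{
        'BHO'       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
        'Toolbar'   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
        'Extension' = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions'
    }
    foreach ($kind in $sources.Keys) {
        $path = $sources[$kind]
        if (-not (Test-Path $path)) { continue }
        if ($kind -eq 'Toolbar') {
            # Toolbars are stored as values named by CLSID on the key itself.
            $clsids = (Get-Item $path).GetValueNames() | Where-Object { $_ -match '^\{[0-9A-Fa-f-]+\}$' }
        } else {
            # BHOs and extensions each get a subkey named by a GUID.
            $clsids = (Get-ChildItem $path).PSChildName
        }
        foreach ($clsid in $clsids) {
            $com = Resolve-ComServer $clsid
            $bin = $com.Dll
            if ($kind -eq 'Extension' -and -not $bin) {
                # Extensions (toolbar buttons / Tools menu items) often point
                # at an executable or script via the Exec value instead of a DLL.
                $bin = (Get-ItemProperty -Path "$path\$clsid" -ErrorAction SilentlyContinue).Exec
            }
            $full   = if ($bin) { [Environment]::ExpandEnvironmentVariables($bin) } else { $null }
            $exists = if ($full) { Test-Path -LiteralPath $full } else { $false }
            # A missing binary is a leftover registration; an unsigned one
            # deserves a closer look against a reference list.
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $full).Status } else { 'n/a' }
            [pscustomobject]@{
                Kind   = $kind
                Clsid  = $clsid
                Name   = $com.Name
                Binary = $full
                Exists = $exists
                Signature = $sig
            }
        }
    }
}

Get-IeAddOn | Sort-Object Kind, Name | Format-Table -AutoSize
```

Compare the CLSID and file name columns with the CastleCops list; entries whose binary is missing, unsigned, or installed outside Program Files or the Windows folder are the ones to look up first. Disabling an add-on through Manage Add-ons does not remove its registration, so it will still appear here.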

New version of Microsoft Baseline Security Analyzer is out

If you’ve never used the Microsoft Baseline Security Analyzer, this might be a good time to give it a try. Version 1.2.1 is now available for download here. The documentation is intimidating (and the accompanying FAQ is only a little less so), but the application itself is pretty straightforward. It scans every version of Windows 2000, Windows XP, and Windows 2003 (sorry, not Windows 9X/Me), and also looks for security problems in Microsoft client and server programs, including Windows Media Player, Internet Explorer, Exchange Server, and IIS. You can also scan multiple computers over a network. It does a much more thorough job than Windows Update — instead of just looking for patches, it also examines your system configuration for common security weaknesses, such as easy-to-crack weak passwords or too many file shares.


Highly recommended for anyone who is serious about Windows Security.

Microsoft to expand Genuine Advantage program

This story in today’s Washington Post is confusing:

Microsoft to Launch Anti-Piracy Initiative:

Microsoft Corp. will combat piracy of its flagship operating system by requiring Windows users to verify that their copy of the software is genuine in order to receive timely updates and security fixes, the world’s largest software maker said on Wednesday.

Under a new verification program, users will have to prove their copy was obtained legitimately to receive “greater reliability, faster access to updates, and richer user experiences” from Windows XP, the latest version of the operating system running on over 90 percent of the world’s personal computers.

Users of pirated copies of Windows will still be able get some updates, such as security patches, but will not be able to get other add-ons for Windows, the Redmond, Washington-based company said in a statement.

The new initiative, called Windows Genuine Advantage, will start in mid-2005.

Microsoft said it will expand in February a trial authentication program it began last fall for English-language users to include 20 more languages. In order to attract more users to the trial, Microsoft is also offering downloads of add-on software and discounts on games and online services.

Authentication will become mandatory in mid-2005 for all users seeking to access software updates, downloads and security fixes for Windows, Microsoft said.

I’ve bold-faced the two most obvious contradictory statements in this report. Will users of unauthenticated copies still be able to get security updates or not? I’m still looking for the original source of this story.

I have no problem with a program that rewards people who have legitimate copies of Windows with add-ons, fun stuff, and even access to the library of signed, certified, updated drivers. But Windows security should not be tied to any anti-piracy efforts. One insecure copy of Windows affects the entire Internet ecosystem. If a patch is available to prevent that computer from becoming a vector for viruses, worms, and spam, then that patch should be freely available, with no restrictions of any kind.

Update: CNET News explains how it will work:

By the middle of this year, Microsoft will make the verification mandatory in all countries for both add-on features to Windows as well as for all OS updates, including security patches. Microsoft will continue to allow all people to get Windows updates by turning on the Automatic Update feature within Windows. By doing so, Microsoft hopes it has struck a balance between promoting security and ensuring that people buy genuine versions of Windows.

“We think that the best foundation for the most secure system is genuine software,” said David Lazar, director of the Genuine Windows program at Microsoft. “We want to urge all of our customers to use genuine software. (At the same time), we want to make sure that we don’t do anything to reduce the likelihood that a user will keep their system up to date.”

OK, I can accept that. Automatic Updates provides a perfectly good mechanism to deliver all Critical Updates and security patches. And most updates are still available for manual download from Microsoft’s FTP servers. Someone using a pirated copy won’t have the option to use the Windows Update site, but they won’t be blocked from installing security patches. That’s fine.

Another update: The press release announcing this change is now up on Microsoft’s site. Here’s a key excerpt:

Microsoft to Implement Worldwide Anti-Piracy Initiative

In the second half of 2005, visitors to the Microsoft Download Center and Windows Update will be required to participate in Windows Genuine Advantage to access all content. To help customers who may require more time to move to genuine Windows software, Microsoft is offering security updates through Automatic Updates in Windows, with or without Windows Genuine Advantage validation.

I really don’t like the sound of that last sentence, which implies that access to Automatic Updates may be cut off in the future for people who are unwilling or unable to prove that their copy of Windows is “genuine.”

Ten things you need to know about spyware

Update: I’ve made some small but significant changes to this list based on excellent feedback from the anti-spyware community. I’ve also published a second installment in this series. See “Six steps you can take to block unwanted software.”

Carl Siechert and I are currently working on an update to our 2002 book Windows Security Inside Out. It’s been only a little over two years, but a lot has changed in the computer security landscape during that time. So much, in fact, that the update is much more extensive than we originally envisioned.

The biggest change, in my opinion, is the explosive growth in what’s commonly called spyware. We spent about four paragraphs on the topic in the first edition, basically telling readers to install a firewall and use Ad-Aware. In this edition, we’re devoting an entire chapter to spyware, and we’ll have significant coverage of related topics in at least four other chapters.

One frustrating aspect of the whole spyware topic is the extraordinary amount of misinformation floating around about what spyware is, how it gets on your computer, and how you can protect yourself most effectively from being a victim. To organize my thinking, I’ve put together the following list of ten essential facts about spyware. This list forms the basis of the spyware coverage in the new edition. I recognize that some of these statements may be controversial, and I’m open to alternative points of view. (If you want to reply, add a comment or create your own blog entry and send me a trackback.)

The list begins after the jump.


Get your own biometric desktop

No, not bionic. Biometric. As in Microsoft’s Optical Desktop with Fingerprint Reader. Amazon is currently selling this package, which includes a keyboard and optical mouse, for $59 with free shipping. A $10 mail-in rebate brings the net price to $49. My co-author Carl Siechert tested this for a chapter in our upcoming revision to Windows Security Inside Out. It has some nice features, but I’d be more impressed if it could integrate with Roboform.


Anyway, if you’ve been lusting after one of these gadgets, this is about as good a price as you’ll get. Until someone comes out with a bargain-basement iris scanner, that is.

Give your security feedback to Microsoft

Steve Lamb is lead Technical Security Advisor for Microsoft’s ITPro community in the UK. He’s in Redmond this week and is soliciting feedback for Microsoft product groups.

I’m working with the product groups for the entire week and am keen to give your feedback regarding security functionality of our products (Windows, Office, Security Business Unit) to the management, technical and product leads.

So now’s your opportunity to get your comments, frustrations and suggestions for improvements to those that can make a difference – I’ll champion your cause providing the feedback is constructive 🙂

If you’ve got something to say, go visit Steve’s blog and post your comments there.

Microsoft: OK, OK, we’ll fix the Windows Media DRM flaw!

Chris Pirillo hears from Matt Calder at Microsoft with an official response to the DRM debacle:

While this issue is not the result of any exploit of Windows Media DRM, we do recognize it may cause problems for some of our customers. To help mitigate these problems, Microsoft is committed to providing an update to Windows Media Player in the next 30 days that would allow the end user more control over when and how any pop ups display in the license acquisition process.

Chris recommends turning off the option to automatically acquire licenses for protected content. Sadly, that option has zero effect on this flaw. He also says, “Don’t throw the baby out with the bathwater; Windows Media is still a fantastic format.” I agree.

Update: I have re-read this comment a few times, and I’m not sure what it means. Yes, they’re apparently working on a patch. “Allow the end user more control over when and how any pop ups display”? If the patch doesn’t change the default behavior and prevent Windows Media Player from opening a Web page that can prompt the user to install software, it will be essentially useless.

Someone at Microsoft doesn’t get it

According to a report at eWeek.com, Microsoft has no plans to fix a security flaw that affects Windows Media Player. (I’ve written extensively about this earlier; see this entry and the follow-ups here, here, and here.) This quote, if accurate, is wrong on many levels:

Microsoft officials stressed that the latest attack scenario does not exploit a vulnerability in the software.

“Not every problem comes with an automatic technology solution. In this case, the priority is to educate users and get them to understand the importance of not downloading files from untrusted sources,” said Mike Coleman, lead product manager with Microsoft’s Windows division.

“If strangers are trying to entice you to open a file, chances are they’re setting you up for a bad experience. We need to continue our work on getting people to understand what’s going on and get them to develop better download habits,” Coleman told eWEEK.com.

Mr. Coleman doesn’t get it. In a narrow sense, it is true that this does not represent a vulnerability that can cause software to be automatically installed. However, there are at least two security issues that need to be addressed here:

  1. Windows Media Player 9 is able to bypass crucial protective mechanisms in Service Pack 2 and display ActiveX download dialog boxes that force the user to make a decision about installing software. As Microsoft’s official white paper on changes to functionality in SP2 states: “Providing add-on install prompts in the Information Bar rather than a dialog box reduces the occurrences of users inadvertently installing code on their computer.” As I documented earlier, Windows Media Player 10 behaves properly. This is a bug and should be fixed.
  2. In all versions of Windows, an attacker can misuse a feature of Windows Media Player 9 that is designed to provide information about licenses to the user. The HTML code called by WMP 9 opens in the Internet security zone. This is unsafe. Several years ago, Microsoft redesigned Outlook Express so that all code in HTML-formatted messages runs in the Restricted zone. They should do the same with Windows Media Player. This step wouldn’t restrict the functionality of informational messages or the Windows Media Guide, but it would eliminate the ability of attackers to exploit the connection between the browser and the player.
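The difference between the two zones in point 2 is a matter of per-zone action settings, not of anything in the player. As an added example (not code from the original post), this Windows PowerShell script reads the ActiveX-related settings for the Internet zone (zone 3) and the Restricted sites zone (zone 4) from the current user's Internet Explorer configuration and prints them side by side, which makes concrete why HTML opened in the Internet zone can raise an install prompt while the same HTML in the Restricted zone cannot. The action IDs and value meanings assumed here (1001, 1004, 1200, 1201, 1400; 0 = Enable, 1 = Prompt, 3 = Disable) are the documented ones from Microsoft KB 182569.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell on a
# machine with Internet Explorer; zone settings live under HKCU unless the
# Security_HKLM_only policy moves them to HKLM.

$actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneActiveXPolicy {
    param([int]$Zone)
    $key   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $props = Get-ItemProperty -Path $key
    foreach ($id in ($actions.Keys | Sort-Object)) {
        # Each action is a REG_DWORD value named by its numeric action ID.
        $raw = $props.$id
        $setting = if ($null -eq $raw) { 'not set' }
                   elseif ($meaning.ContainsKey([int]$raw)) { $meaning[[int]$raw] }
                   else { "unknown ($raw)" }
        [pscustomobject]@{
            Zone    = $Zone
            Name    = $props.DisplayName
            Action  = $actions[$id]
            Setting = $setting
        }
    }
}

# Side by side: what a page rendered in each zone is allowed to do.
$internet   = @(Get-ZoneActiveXPolicy -Zone 3)
$restricted = @(Get-ZoneActiveXPolicy -Zone 4)
$report = foreach ($i in 0..($internet.Count - 1)) {
    [pscustomobject]@{
        Action     = $internet[$i].Action
        Internet   = $internet[$i].Setting
        Restricted = $restricted[$i].Setting
    }
}
$report | Format-Table -AutoSize

# Flag any action the Internet zone leaves at Enable or Prompt that the
# Restricted zone disables: that gap is exactly what moving the player's
# license HTML into the Restricted zone would close.
$report | Where-Object { $_.Restricted -eq 'Disable' -and $_.Internet -ne 'Disable' } |
    ForEach-Object { "Internet zone still allows: $($_.Action) ($($_.Internet))" }
```

On a default Windows XP SP2 profile the Restricted zone disables every action listed, while the Internet zone prompts for signed ActiveX downloads and runs controls already installed; that prompt is the dialog the post describes. If the script reports every action as "not set", check whether domain policy has redirected zone settings to HKLM.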

A reporter from ZDNet UK got a similar response from a Microsoft source:

“This Trojan appears to utilise a function of the Windows Media DRM designed to enable licence delivery scenarios as part of a social engineering attack,” said Microsoft in an emailed statement.

“There is no way to automatically force the user to run the malicious software. This function is not a security vulnerability in Windows Media Player or DRM.”

But Microsoft didn’t say whether Windows XP SP2 fully protected users from unwanted downloads.

“Internet Explorer for Windows XP SP2 helps prevent downloads from automatically launching. Users who have installed Windows XP SP2 and turned on the pop-up blocker have an added layer of defence from this Trojan’s attempt to deliver malicious software,” said Microsoft.

As I noted before, this is incorrect. The pop-up blocker and SP2’s Information Bar don’t work properly if Windows Media Player 9 is installed. People who have chosen not to upgrade to WMP 10 (which is classified by Microsoft as an optional update) are at risk.

I’d like to see a response from someone on the security team at Microsoft. I’m hoping that someone who truly understands this issue is already working on the fix.

Update: It appears that Microsoft may actually be working on this after all. CNET News reports:

A Microsoft representative said the software company was continuing to pursue the problem.

“We are concerned, because it is behavior inconsistent with what we would do with our DRM,” said Mike Coleman, lead product manager for Microsoft’s Windows client consumer division.

Microsoft is planning to release an update to the Windows Media Player that will shut down a file’s ability to automatically pop up a Web page, unless the user turns that function on, a representative said.

Read additional comments by Eric L. Howes at Broadband Reports (“Blaming the User: MS & WMP Adware Installations”) and Suzi at Spyware Warrior (“Microsoft’s Totally Inadequate Response”).