How to completely eliminate tracking cookies

Some people seem really concerned about cookies. The worst offenders, they argue, are so-called “tracking cookies,” which supposedly allow companies like Doubleclick to track your movements on the Internet.

If you think this is a big deal, fine. You don’t need anti-spyware software to get rid of these cookies. Instead, take the following two steps:

  1. Delete all currently saved cookies from your computer. In Internet Explorer, click Tools, Internet Options and then click the Delete Cookies button on the General tab. In Firefox 1.0, click Tools, Options. Click the Privacy icon in the sidebar and then click the Clear button to the right of the Cookies heading.
  2. Specify that you want to block all third-party cookies. In Internet Explorer, click Tools, Internet Options. On the Privacy tab, click Advanced. Click to select the Override automatic cookie handling check box, and then click Block under the Third-party Cookies heading. In Firefox 1.0, click Tools, Options. Click the Privacy icon in the sidebar and then click the plus sign to the left of the Cookies heading to expand your list of options. Click to select both options: Allow sites to set cookies and for the originating web site only.

There. You’re done. You’re completely protected from “tracking cookies.”

But (I can hear you asking) what about first-party cookies? Well, if you’re visiting a Web site, they already have your IP address, and they have a record of every page you visit on their site and everything you type into a form. If you’re really that concerned about a Web site, you might want to avoid visiting it. But if you’re really worried about first-party cookies, open Internet Explorer’s Advanced Privacy Settings page and then click the Prompt option under the First-party Cookies heading. With Firefox, you can use an extension or set the ask me every time option. After you save these settings, you’re in complete control.

Here’s what your IE options should look like:

[Screenshot: Ie_cookies]

And here’s what Firefox options look like:

[Screenshot: Ff_cookies]

Now can we agree that there’s no need for an anti-spyware program to do something so simple?

Malicious Software Removal Tool

I’ve been getting a lot of search requests today for the new Microsoft Malicious Software Removal Tool. So here it is.

The Microsoft Windows Malicious Software Removal Tool checks Windows XP, Windows 2000, and Windows Server 2003 computers for and helps remove infections by specific, prevalent malicious software—including Blaster, Sasser, and Mydoom. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed.

Microsoft will release an updated version of this tool on the second Tuesday of each month. New versions will be made available through this Web page, Windows Update, and the Microsoft Download Center.

You can do a quick online scan at this page. You’ll need to download an ActiveX control or a stand-alone executable file to complete the operation.

Misplaced criticism

Joe Wilcox at Microsoft Monitor is unhappy about Microsoft’s attempts to steer people to its paid services. They’re practically guilty of shipping spyware themselves, he concludes, based on this experience:

I started up the Averatec 6100H this morning and got a warning that http://www.averatec.com was trying to change the default home page from http://www.msn.com. Thing is, the default had been set to averatec.com by the PC manufacturer. The warning sure as hell baffled me. Either Microsoft’s software changed the setting to msn.com without asking or it was attempting to trick me into switching back to msn.com. Yes, trick. That’s absolutely my interpretation of the wording, regardless of Microsoft’s intentions.

Later on I checked the anti-spyware software log and learned that: “The user Joe Wilcox, has decided to allow the Internet Explorer Start Page URL change from its original URL of http://www.msn.com/ to http://www.averatec.com.” Of course, the original start page was averatec.com and not msn.com.

Sorry, but the wording is confusing and presumes that msn.com was the default home page, which it was not. A PC manufacturer choosing its own home page on its computers is a fairly common practice, I might add. I’m stunned, simply because the tactic of confusing the user into agreeing to a home page change (a.k.a. hijacking) is a common tactic used by spyware. And Microsoft calls its software anti-spyware?

Sounds horrible, doesn’t it? That evil Microsoft, trying to fool people into changing their home pages to MSN.com. Except that’s not what actually happens when you try to change your home page on a computer with Microsoft AntiSpyware installed and configured with its default settings.

First of all, the behavior Joe describes was coded by the original developers of this program, the GIANT Software Company. I know, because I checked it out this morning. Blaming this behavior on Microsoft’s motives is misguided.

Second, this is a beta. Feedback like this goes into the product design.

Third, I think Joe misread this dialog box. I have my Internet Explorer home page set to My Yahoo, and I have Microsoft AntiSpyware installed. Here’s the dialog box I saw when I tried to change my home page:

[Screenshot: Change_home_page]

The warning message accurately describes the current home page (http://my.yahoo.com) and the one I tried to change it to (http://www.bott.com/weblog). The reference to MSN.com appears afterwards and it is accurate, if you understand what the default home page is. On the Internet Options dialog box, there are three settings under the Home Page heading: Use Current, Use Default, or Use Blank. The default setting for all retail and OEM copies of Windows is MSN.com. In this case, it appears that the maker of Joe’s PC, Averatec, changed the Start Page value (which defines the current home page) but didn’t change the Default_Page_URL value. Both of these settings are found in the Registry as REG_SZ values at HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main.

Not only that, but notice that neither of the options in the dialog box above will allow me to change my home page to MSN.com. If I click Allow, my home page gets changed to the value I chose (or to the value that a script or spyware program is trying to force on me). If I choose Block, the setting for my Home Page stays exactly where it is!
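The two Registry values described above can be read side by side to see the mismatch behind the confusing wording, and a saved baseline makes an unexpected home page change easy to spot later. This PowerShell sketch is an added example, not code from Microsoft AntiSpyware or from this post; the key path and value names are the ones given above, while the function names and the baseline file are hypothetical.

```powershell
# Added example. Key path and value names come from the post;
# function names and the baseline file are hypothetical.
$MainKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

function ConvertTo-ComparableUrl {
    param([string]$Url)
    # Canonicalize so "http://www.msn.com" and "http://www.msn.com/" compare equal.
    if ([string]::IsNullOrWhiteSpace($Url)) { return $null }
    $parsed = $null
    if ([uri]::TryCreate($Url.Trim(), [System.UriKind]::Absolute, [ref]$parsed)) {
        return $parsed.AbsoluteUri.TrimEnd('/')
    }
    return $Url.Trim()
}

function Get-IEHomePageState {
    param([string]$KeyPath = $MainKey)
    # A missing key or value yields $null rather than an error.
    $props   = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $start   = if ($props) { $props.'Start Page' } else { $null }
    $default = if ($props) { $props.'Default_Page_URL' } else { $null }
    [pscustomobject]@{
        StartPage          = $start      # the current home page
        DefaultPageUrl     = $default    # what "Use Default" restores
        DiffersFromDefault = (ConvertTo-ComparableUrl $start) -cne (ConvertTo-ComparableUrl $default)
    }
}

function Compare-IEHomePageBaseline {
    param(
        [Parameter(Mandatory)][string]$BaselinePath,
        [string]$KeyPath = $MainKey
    )
    $current = Get-IEHomePageState -KeyPath $KeyPath
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        # First run: record the known-good state.
        $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
        return [pscustomobject]@{ Status = 'BaselineCreated'; Changed = @() }
    }
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    # Report each value whose canonical form no longer matches the baseline.
    $changed = foreach ($name in 'StartPage', 'DefaultPageUrl') {
        $old = ConvertTo-ComparableUrl $baseline.$name
        $new = ConvertTo-ComparableUrl $current.$name
        if ($old -cne $new) {
            [pscustomobject]@{ Value = $name; Was = $baseline.$name; Now = $current.$name }
        }
    }
    $status = if ($changed) { 'Changed' } else { 'Unchanged' }
    [pscustomobject]@{ Status = $status; Changed = @($changed) }
}

# Show both values, then create or check the baseline.
Get-IEHomePageState | Format-List
Compare-IEHomePageBaseline -BaselinePath (Join-Path $env:TEMP 'ie-homepage-baseline.json')
```

On a PC configured the way Joe’s appears to have been, DiffersFromDefault is True: Start Page points at the manufacturer’s site while Default_Page_URL still holds MSN.com.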

I don’t know if it’s just sloppy note-taking or what, but this is at least the fifth time in the last four months that I’ve found an error at Microsoft Monitor. I’ve sent e-mail to Joe on each occasion, and he’s corrected most of the errors, although I’m disappointed that he’s never acknowledged the input publicly. And because Joe has decided not to allow comments, it’s impossible to carry on any kind of dialog except through e-mail or (as I’m doing here) by providing corrections on my own blog. (At least one other Jupiter Research analyst, Eric Peterson, does allow comments.) [Updated: The default template on Jupiter Research blogs includes a link that reads “I welcome your comments,” but it just pops up an e-mail window. It appears that no analyst at Jupiter Research actually allows comments that appear on the same page as a blog entry.]

It’s hard to continue reading or recommending a source that regularly gets the details wrong.

Another Firefox security issue

As Firefox becomes more and more popular, it faces more and more attacks from bad guys. A new report this morning claims that phishers have found a hole in Firefox:

A security flaw in the increasingly popular Firefox browser is exposing millions of users to phishing scams, security experts have warned.

Jakob Balle, security specialist at Secunia Research, said that the vulnerability in Firefox and Mozilla allows malicious hackers to execute phishing scams by spoofing the source URL displayed in the browser’s Download Dialog box.

“The problem is that long sub-domains and paths are not displayed correctly, which can be exploited to obfuscate what is being displayed in the source field of the Download Dialog box,” he said.

A Secunia Research advisory stated that the “less critical” vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. It added that “other versions may also be affected”.

Reportedly a patch is under development but isn’t ready.

MS antivirus tool on the way?

In the comments, Glenn points to a section of today’s press release that I just plain missed. Microsoft Announces Availability of New Solutions to Help Protect Customers Against Spyware and Viruses:

In January 2004 Microsoft released a series of removal tools, each of which targeted a single virus or worm and some of its variants. Collectively, these tools augmented existing antivirus protections by scanning more than 55 million PCs worldwide for viruses such as Blaster, MyDoom and Download.Ject. The new Microsoft Windows malicious software removal tool consolidates these existing removal tools into a single solution. The tool will be updated on the second Tuesday of each month as part of Microsoft’s monthly software security update process to respond to new viruses, worms and variants.
The Microsoft Windows malicious software removal tool will be offered in the following ways:

  • As a high-priority update through Windows Update and through Auto Update for the more than 112 million Windows XP-based PCs configured to receive priority updates automatically
  • Through a simple, online interface.
  • For larger corporate customers, a download through the Microsoft Download Center

Available at no charge, the Microsoft Windows malicious software removal tool is designed to augment traditional antivirus solutions to provide more complete protection against viruses, worms and variants. As with Microsoft’s earlier removal tools, the new solution incorporates the knowledge and technology gained through Microsoft’s acquisition of GeCAD Software in 2003.

Hard to tell what this really means. It isn’t exactly an antivirus program, but it sure sounds like the first step on the road to one.

Shouldn’t everyone be spyware-free?

Joe Wilcox is probably going to think I’m stalking him. I’m not, honest. It just so happens that his beat is identical to mine, so we cover a lot of the same topics. In a new post this afternoon, he reports on evidence that Microsoft may soon restrict access to its new AntiSpyware program to those with “genuine” copies of Windows. Joe writes:

Microsoft pushes product validation before users can get the software. In September, Microsoft started a trial for the Windows Genuine Advantage program, which seeks to curb piracy. The program, which is not yet officially launched, restricts some downloads to users with validated copies of Windows.

So far, at least, Microsoft isn’t restricting access to this beta to users with activated copies of Windows. Unfortunately, Microsoft is doing a lousy job of communicating their policy. When you go to the download page, you have only one choice. Read the wording carefully. Under the heading, “Validation Recommended,” it says “This download is available to customers running genuine Microsoft Windows.” The word only is not in there.

When you click the Continue button, you arrive at a page with TWO choices. You can choose to validate your copy of Windows (using an ActiveX control if you use IE, or by downloading and running a small executable program if you use another browser or prefer not to allow ActiveX downloads). If you don’t want to validate your copy of Windows, you can choose “No, do not validate Windows at this time but take me to the download.” Anyone can choose that option and get to the download page.

I agree with Joe on the main issue:

I fully support Microsoft’s right to protect its software from theft. But I don’t see how restricting a security software download is consistent with Microsoft’s often-stated goal of security being the company’s top priority. I would argue that Microsoft might even be doing itself more of a disservice than its customers.

Security should not be an add-on feature. It should not be restricted to people who are willing to jump through a hoop to prove their copy of Windows is “genuine.” And it should not cost a dime. Making every Windows computer safer from spyware and viruses makes the entire Internet safer. Creating a link between new security programs and anti-piracy efforts is contrary to the goal of ensuring that all Internet users are secure. That is the ONLY way to look at this issue. Will whoever is working on this program at Microsoft please get that message?

MS AntiSpyware: First impressions

OK, I uninstalled my old evaluation copy of GIANT AntiSpyware and installed the new Microsoft version. As I suspected, it’s quite similar. Two noteworthy changes:

  • In the Advanced Tools section, the System Inoculation item is gone. This appears to be taken care of during initial setup and in the Real-Time Protection settings, so it doesn’t seem like a great loss. The File Shredder utility is also missing in this build.
  • The software doesn’t scan cookies or report “tracking cookies” as a spyware threat. The summary screen still shows Cookies as an item on the results list, but I can’t find an option anywhere that allows me to tell this program I want to scan cookies, and although there is a Cookies entry in the Help file, it points to a topic that doesn’t mention cookies at all. I believe that that text was removed from the Help entry but someone forgot to update the Help index.

Removing cookies from the list of things to be detected as spyware is a good move, in my opinion. As I’ve noted before (here and here and here), cookies are not spyware. This software appears to be aimed at removing browser hijackers, pop-up generators, adware, phony search tools, and other forms of deceptive software. Cookies don’t belong in that category. Kudos to Microsoft for making this fundamental change right away.

Update: Microsoft AntiSpyware runs only on Microsoft Windows 2000, Windows XP (including Tablet PC and Media Center Edition 2005), or Windows Server 2003. If you’re using Windows 98 or Windows Me, you’ll have to stick with third-party solutions.

Further update: Don’t install this beta if you are running Windows Media Center Edition 2005 and you have a Media Extender. The “Known Incompatibilities” include this one: “If you install Windows AntiSpyware (Beta) on a computer running Windows XP Media Center Edition 2005, Windows Media Center Extender will not be able to establish a remote connection.” Glad I read the documentation first!

Seeing the spyware forest for the trees

Over at Broadband Reports, Eric L. Howes has some more details on the issue of “poisoned WMA files” that I’ve been writing about for the past few days. (See this entry and the follow-ups here and here.) His post, WMP Adware: A Case Study in Deception is enlightening for its depth, and it gives a real insight into how this sort of infection lands on a user’s machine. I agree with most of Eric’s conclusions, but I think he’s missing the forest for the trees in a few instances. Let’s start with this paragraph:

Contrary to Ed Bott’s assertion that this is not a “new and horrifying security risk” the installation practices that users are forced to deal with when attempting to play these rogue Windows Media Player files are so confusing, deceptive, and coercive that regular users are at high risk for unwittingly consenting to the installation of spyware and adware, with potentially dire consequences for their computers, to say nothing of their privacy and security.

My statement that this is not “new and horrifying” reflects the simple reality that these are the exact same techniques that purveyors of crapware have been using from Web sites for years. The ActiveX dialog boxes Eric posted are identical in every respect to those that users see when they visit Web pages that push the same software. This is merely a new variation on an old theme.

When I read the original PC World article, which was long on breathless assertions and short on detail, I was worried that this was a “zero-day exploit” that used a previously unknown vulnerability to install software on a user’s computer without any action required on their part. A reasonable person reading the original article might assume that their machine could get infected simply by playing a music or video file. Similar exploits have happened in the past, and it would be truly horrifying if this was a new exploit that could sneak past even a sophisticated user. But that’s not the case. Everything in this exploit could just as easily be accomplished (and in fact is being done every day) by Web pages that open the exact same ActiveX dialog boxes. I hate the fact that these programs exist, and I’m certainly not defending them. But I don’t see much that’s new here.

Eric goes on to write:

The installation practices combine and exploit a dangerous combination of circumstances and qualities to bamboozle users into believing that they are consenting to the installation of software required to view media files. Among those circumstances and qualities are:

  • a legitimate, required Windows Media Player “Security Upgrade” that conditions users to expect the installation of required software;
  • ActiveX Security Warning boxes that users find inherently confusing because of the vague and inadequate information provided;
  • ActiveX installation prompts for software deliberately named to give the impression that it is yet another required Windows Media Player upgrade;
  • repeated, insistent pop-ups designed to coerce users into consenting to the installation of software;
  • murky, confusing End User License Agreements that fail to disclose the installation of third-party software as well as the functionality and privacy practices of that software.

With one exception, every item on that list describes exactly how spyware makers push software onto a naive user. The first item on the list is unique to Windows Media Player, but this is a dialog box that appears one time only. As Eric notes, the social engineering tactics that these folks are using are deliberately designed to fool users into thinking that the programs are required updates.

Eric continues:

What we need from Microsoft is a swift fix for the problems summarized here, not attempts to minimize and pooh-pooh the risk or to subtly suggest that users are the problem for not upgrading to XP SP2 and for clicking through installation prompts. As I stressed in an earlier post here at DSLR, it is absolutely inexcusable that media files should have ever become a vehicle for pushing spyware and adware on unsuspecting users. Media files should simply not be a vehicle for adware installations. Period. That there are preventative measures for this unwelcome behavior and functionality is no excuse for the problem itself. It should have never existed in the first place.

Just for the record, I am not trying to minimize this, nor am I blaming this on the user. In fact, I have specifically said the exact opposite. My original remarks were directed at people who regularly visit this site and who read the forums on Broadband Reports. Those people are most likely to be expert users who would be deeply suspicious of dialog boxes like these and who are likely to be running modern, fully patched operating systems. Sadly, they’re the minority in the larger computing world.

The reason that spyware and viruses are epidemic is that older versions of Windows make it easy for people to push this crap, and as Eric correctly notes, the confusing interfaces make it easy for naive users to be fooled by basic social engineering.

I think it’s important that we focus on the forest, not the trees. The biggest problem of all right now is finding a way to protect users of older Windows versions from agreeing to this stuff, regardless of where it comes from. If you fix the ActiveX problem in Internet Explorer, you fix it in Windows Media Player. As I noted, the security features in SP2 worked to prevent this exploit from confusing innocent users. There needs to be an equally effective way to make that protection work for users of older operating systems.

Eric says I’m “blaming the user” because I wrote this:

But really, isn’t that the real problem here? People running old operating systems, with only a dim awareness of the need to do updates and a willingness to install anything? … But how likely is it that the type of user Suzi is describing will download and install that patch?

I stand by that remark. Eric is demanding that Microsoft patch this vulnerability. I agree that that should be done. But the reason that viruses and spyware spread is because no matter how hard we try, many people simply don’t install patches after they’re released. I get virus-infected e-mail messages every day. In most cases the people who are infected with those viruses would have been protected if they had installed a patch that was released three or four years ago. If someone hasn’t installed that patch, why would they install a new one to fix this vulnerability?

As I’ve said since Day One, I believe that this is a security flaw and that Microsoft needs to issue a patch to Windows Media Player 9 and release it as a Critical Update. I would hardly call that an “attempt to minimize and pooh-pooh the risk.”

I have also reported this issue to security@microsoft.com. That’s an important first step in getting a patch written and released.

Microsoft’s secret security plan?

Mary Jo Foley at Microsoft Watch has an interesting report on a rumored security subscription service from Microsoft, code-named “A1”:

Microsoft’s anti-virus/anti-spyware strategy is taking shape. Sources say Redmond’s prepping a fee-based bundle, which could go beta soon.

Publicly, Microsoft continues to be cagey about packaging and pricing plans for its anti-spyware and anti-virus solutions. But privately, Microsoft has begun informing partners of its plans for a security subscription service code-named “A1,” according to developers who requested anonymity.

Microsoft bought anti-virus vendor GeCAD in the summer of 2003, and anti-spyware maker Giant Company Software last month. As to how it plans to deliver these technologies, Microsoft has declined to give specifics. How/when/if it will repackage GeCAD’s technology remains uncertain. Ditto for Giant’s — although according to the Windows enthusiast site Neowin, Microsoft is expected to field its first anti-spyware beta based on Giant’s technology this week. Neowin said the anti-spyware beta is code-named “Atlanta.”

Microsoft officials have said the company is planning to make some form of its anti-spyware product available as a free tool. But that isn’t the ultimate plan, partner sources said.

Well, I’ve said it before and I’ll say it again: Microsoft should make this service as powerful as possible and not charge a dime for it to anyone. It’s part of the cost of doing business. Selling security software is ethically wrong for two reasons: 1) It involves making a conscious decision to expose some of your customers to greater risks than others, based on their ability to pay; 2) It encourages the security software vendor to overhype threats so that people will be stampeded into paying up.

I’m sure someone at Microsoft is saying something like, “Well, we’ll provide a free security offering that will provide basic protection to everyone, and we’ll just charge extra for bells and whistles.” That’s nonsense. Security should be considered a core feature, not an add-on.

Spread the word. Make some noise. Now is the right time to convince the folks who are making these decisions to do it the right way.