DSO Exploit explained

When you run Spybot S&D, it may complain that your system is vulnerable to something called a “DSO exploit.” What’s that all about? Maybe a lot less than you think. I stumbled across this excellent article: “dso Exploit” Explained (http://forums.net-integration.net/index.php?showtopic=23930) at the Net-Integration Forums.

In a nutshell, this specific security exploit is old and has long since been fixed. However, a bug in Spybot S&D 1.3 incorrectly detects this as a problem even if it has been fixed. Bottom line, according to this article’s author, is that you can safely ignore the warning from Spybot S&D if you are current on your Windows security updates.

Bonus: The Net-Integration Forums have a very nice page listing malware removal procedures.

Spreading outdated security advice

Professor Michael Froomkin of the University of Miami School of Law is one of my favorite bloggers. His insights on civil rights and legal issues are always worth reading. However, when the good professor strays into territory where he’s not an expert, things sometimes go a little wrong. Witness this post from today: Fix a Microsoft Vulnerability

If you read the blog entry in question, it sounds alarming. Unfortunately, the third-party security advisory that Prof. Froomkin references was from February 2002. It has long since been corrected. Any Windows user who is up to date with security patches – a procedure that is required with ALL operating systems, including the Mac OS and all variants of Linux – is protected from this.

It’s also one of the least problematic security issues I know. An attacker who successfully exploited this issue on an unpatched machine could not plant a program on your computer or execute a program from another location. He could only run an existing program on your PC, and then only if he knows the exact location of that program on your PC. It was an interesting proof of concept but it required a lot more work before it could be used for a hostile action.

And in fact, the system worked. GreyMagic published this security advisory in February 2002. On March 28, 2002, Microsoft published Security Bulletin MS02-015, which publicly addressed the problem. A fix was included in an accompanying Internet Explorer Security Update. This fix is included in Windows XP with Service Pack 1 or later.

I promise to chat with Professor Froomkin before I write about complex legal issues here. In exchange, I offer my technical expertise on Windows and Windows security advisories to my favorite law professor the next time he thinks about writing another Windows-related post.

Update: Professor Froomkin, in the comments below, notes that he was misled by a false report from Spybot S&D. This is indeed an error in Spybot, as I note in a follow-up post to this one. Click here for details about the phony “DSO exploit” error in Spybot S&D 1.3. Oh, and I meant what I said about his blog, Discourse.net. His work is just excellent, and it’s on my list of essential blogs to follow.

More misinformation about spyware

In today’s Seattle Times, Paul Andrews writes Tired of spyware? Try another browser. The trouble is, he appears to know just enough to spread misinformation.

During a recent six-week period, I conducted a small spyware experiment on my Windows computer.

I kept track of days I opened Microsoft Internet Explorer. At the close of each day, I ran Spybot, a detection and prevention program.

Here’s what happened: On nearly every day I used Internet Explorer, I was infected with a new batch of malware — spyware or adware. On days I used Mozilla Firefox for browsing and avoided IE, without exception I remained uninfected.

Oh really? I wonder what sorts of programs were getting installed on Paul’s computer, if any. Because on any computer running Windows XP, there are only two ways a program can be installed:

  • You install it yourself. This can be accomplished by clicking OK to a dialog box or by downloading a setup file and running it.
  • It installs itself, without your approval. This happens ONLY on a computer that does not have the latest security patches installed. The only way a program can be planted on your computer without your permission is to take advantage of a known security flaw.

Look, I take care of a dozen computers for friends, family, and neighbors. On not one of those computers would the situation that Paul describes be accurate. None of these people are experts, none of them scan their computers for spyware daily. So what’s the difference?

This quote from later in Paul’s story provides a clue:

What drove me to my experiment was sheer desperation at a constant, growing barrage of attacks on my Windows PC. Not only was the computer slowed to a crawl, it was almost impossible to perform any function without being assaulted by pop-ups.

Aha! It sounds like some particularly nasty piece of malware had infected the computer some time ago – the sort that Spybot S&D couldn’t remove. Every day, it was reinstalling itself or some variant of itself. At least that’s my guess.

Paul’s mistake is to assume that this is the normal course of events. It’s not normal, not by a long shot. And to write a story that implies that this is the normal state of affairs that anyone should expect when using Internet Explorer is misleading and inaccurate.

Paul, call someone for help. Once you get that piece of junk off your computer, you’ll find that the experience is completely different.

Update: Reading through the article again, I found another inaccuracy. Paul says that installing another browser (Firefox) is the only cure for spyware and adds: “You need to configure it to block cookies from third-party sites. That means the occasional inconvenience of having to re-enter logins and passwords on certain Web pages.” No, no, and no! First, you don’t need to block third-party cookies, although it can’t hurt and I think it’s a reasonable security precaution. Second, you can easily block third-party cookies with IE as well. The impact on spyware in either case will be nonexistent. Finally, blocking third-party cookies has ZERO effect on login prompts.

This article is horribly, horribly wrong.

Busting a virus writer

Larry Seltzer at eWeek has an interesting new article called Who Wrote Sobig?

Follow the links to read a series of reports that purport to identify the specific individual who wrote this worm and why he did it. Interesting stuff.

As I learned in Journalism school from studying Woodward and Bernstein, just follow the money. I wonder if the Russians would be interested in extraditing this guy…

More on cookies and spyware

Adam Gaffin at Network World Fusion gets comments from people demanding to know why his Web site is trying to install spyware on their computer. His reply:

Well, good for you dear sir or madam for running anti-spyware software on your PC. It’s a good idea, and I do it myself. Unfortunately, your software is equating a bit of text with a malicious application.

What we do is use “tracking” cookies from DoubleClick so we can track aggregate site numbers (how many people visit page X, how many articles about topic Y are viewed, etc.)

These are NOT spyware applications. These are simple text files. Text files cannot take over your browser. They can’t screw around with your Windows Registry. They don’t keep you from uninstalling them.

Like I said: Cookies are not spyware.

Why should I trust Yahoo?

While doing research for the forthcoming update to Windows Security Inside Out, I stumbled across Jeremy Zawodny’s blog. From a post dated last May, I learned that the Yahoo! Toolbar has anti-spyware features. The fact that Jeremy works for Yahoo makes the following bit of bragging just a little unseemly:

The previously mentioned secret alpha test was for the just announced upgrade to the Yahoo! Toolbar which now contains anti-spyware code.

I have to say, this one of those ideas that was immediately obvious upon hearing it. “Of *course* we should use the Toolbar as a way to help poor Windows users get all that crap off their machines.” But at the same time it’s amazing how many folks never came up with it on their own, me included.

This is followed by a bit of obligatory Microsoft-bashing, which I guess I should expect. But I have a couple problems with the details in this post. I was able to Google around (oops!) and find a bit of information about the Yahoo Toolbar, starting with this page.

Here’s the problem, though. Yahoo wants me to download the toolbar and install it on Internet Explorer. (Sorry, doesn’t work with Firefox.) But try as I might, I can’t find any details on how this software works, what it does and doesn’t do, who developed it, and what it will do for me. I can take a little Flash tour and see a Fisher-Price version of how the toolbar works. But no technical details. Zero.

So, I’m just supposed to trust Yahoo? No, thank you very much. In fact, the most insulting thing about the whole package is the search box at the very top of Yahoo’s Anti-Spyware Community page. Yahoo has generously provided links to top searches, using phrases like anti spyware, spyware doctor, free spyware, spyware removal, and adware spyware. When I followed the links, I found some good search results, mixed in with an appalling number of phony anti-spyware products. And of course, every search result page starts with three “sponsored results” at the top of the page and a sidebar filled with more ads along the right side of the page. When I viewed the search page at 1024 X 768, I saw 7 links that were paid for and only three that were supplied by Yahoo’s search engine.

I did a little more searching to see if Yahoo had buried the technical details of its spyware toolbar somewhere. Nothing on Yahoo’s site. I found lots of stories in the computer press, most of them slightly rewritten versions of Yahoo press releases. Ironically, the top search result that wasn’t from Yahoo was a negative review from Adware Report. A slightly more complimentary story from eWeek contained the details that the spyware scanner in the Yahoo Toolbar is based on technology from PestPatrol Inc. But the rest of the story is just marketing.

So, if anyone from Yahoo is reading this, tell me please: Why should I trust Yahoo? Why doesn’t Yahoo trust me with the details of this software? And why do I feel like this is really just a way to get me to spend more time on Yahoo’s search pages?

(Full disclosure: I make a few pennies a day from the Google ads served on this site. So I suppose you could say I’m in competition with Yahoo. Still, I do something that Yahoo doesn’t, which is to block ads from companies that I’ve decided are selling fake anti-spyware software. I don’t want their money, but I see those ads on the Yahoo search pages. If Yahoo is really serious about “helping poor Windows users,” they should just say no to those ads.)

“Cookies are not spyware”

An excellent post from Jason Dunn at Digital Media Thoughts today:

I’ve had two emails in the past week from Pocket PC Thoughts asking why we’re distributing “spyware” onto their computers. We’re not – it’s that simple. What people are seeing is over-protective anti-spyware software treating normal cookies like spyware….

In this case, Avenue A (one of the third-party advertisers that serves up banners when we don’t have our own paying ad) is doing nothing more than dropping a cookie on your machine. The cookie is like every other advertising cookie from DoubleClick and other large advertising agencies: it tracks what ads you’ve seen so it doesn’t show you the same ad more than “X” times.

It’s grossly irresponsible for these anti-spyware companies to treat cookies like spyware. REAL spyware is malicious, machine-hijacking junk that throws pop-ups on your computer, resets your start page, and all sorts of other ugly tricks. A cookie is a text file that has some non-personal information about what banner ads have shown on certain sites. That’s it.

Go ahead and open the cookie on your computer and you’ll see it’s harmless. Cookies are not spyware, no matter how hard these anti-spyware companies try to make them out to be. You have to realize that these guys are trying to sell their software too, and if they start blocking cookies as well, they give the perception that they’re “protecting” you even more often. They have an agenda too – think about it.

Yes, indeed. Makers of security software have a vested interest in making sure you are afraid, very afraid. They want you to believe that the online world is dangerous and that without their software you are in danger of being mugged (virtually, anyway) every time you open your browser.

This idea is, to put it bluntly, just so much crap. I spend a frightful amount of time online. I look at all sorts of sites, some of them quite disreputable, when I’m researching security-related topics. And yet I’ve never had one of these evildoers plant a piece of so-called spyware on my computer. Why? Because:

  • I am conscientious about installing security patches. Any exploit that relies on OS and browser vulnerabilities is unlikely to affect you if you do likewise.
  • I do not install untrusted software, including ActiveX controls and browser add-ins, and I do a lot of due diligence before I decide to install a program even when it comes from a trusted source.
  • I am alert to the danger signs of possible problems with rogue software – sudden, unexplained deterioration in performance, mysterious pop-ups, crashes – and I work on solving those problems the instant they appear.

Did you notice that I didn’t mention cookies at all? I don’t spend a lot of time worrying about them. Yes, I block third-party cookies, and yes, I have my browsers set to alert me when a site wants to install a new cookie. But most of the time I say yes. Because cookies are not a serious problem. If anyone would care to point to evidence where someone has had their privacy or security attacked in a serious way as the result of a cookie, I’m interested in hearing about it. I watch this stuff for a living, and I’ve never seen anything that fits in that category.
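The point made here (and in the earlier post about Paul Andrews’ article) is that a third-party cookie block only drops cookies set by domains other than the site you are visiting, so the first-party cookies that keep you logged in are untouched. The following added example, which is not code from any of the posts quoted on this page, makes that concrete: it parses a small, constructed cookie store in the Netscape cookies.txt layout and applies a third-party block relative to the page being visited. The cookie names, domains and values are invented, and the “registrable site” rule (last two DNS labels) is a deliberate simplification of what real browsers do with the Public Suffix List.

```python
"""Show which cookies a third-party block removes and which it keeps.

Added example, not code from the original blog posts. The cookie store
below is a constructed sample in the Netscape cookies.txt layout:
domain, include-subdomains flag, path, secure flag, expiry, name, value.
"""
from dataclasses import dataclass

# Constructed sample: two advertising-network cookies and two cookies
# belonging to the (fictional) news site the user is reading.
SAMPLE_COOKIES_TXT = """\
# Netscape HTTP Cookie File (constructed sample, not a real profile)
.doubleclick.net\tTRUE\t/\tFALSE\t2000000000\tid\tabc123
.example-news.com\tTRUE\t/\tTRUE\t2000000000\tsessionid\tdeadbeef
www.example-news.com\tFALSE\t/account\tTRUE\t2000000000\tlogin\tuser42
.avenuea.com\tTRUE\t/\tFALSE\t2000000000\tad_seen\t3
"""


@dataclass
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int
    name: str
    value: str


def parse_cookies_txt(text: str) -> list[Cookie]:
    """Parse cookies.txt lines; comments and malformed lines are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # do not guess at a broken line
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(
            Cookie(domain, flag == "TRUE", path, secure == "TRUE",
                   int(expires), name, value)
        )
    return cookies


def registrable_site(host: str) -> str:
    """Simplified site boundary: the last two labels of the host name.
    Assumption for this example; browsers use the Public Suffix List
    so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(cookie: Cookie, visited_host: str) -> bool:
    """A cookie is third-party when its domain belongs to a different
    site than the page the user navigated to."""
    return registrable_site(cookie.domain) != registrable_site(visited_host)


def apply_third_party_block(cookies: list[Cookie], visited_host: str) -> list[Cookie]:
    """Return the cookies a browser keeps when third-party cookies are blocked."""
    return [c for c in cookies if not is_third_party(c, visited_host)]


def kept_cookie_names(text: str, visited_host: str) -> list[str]:
    """Names of the cookies that survive a third-party block while visiting visited_host."""
    return [c.name for c in apply_third_party_block(parse_cookies_txt(text), visited_host)]


if __name__ == "__main__":
    for c in parse_cookies_txt(SAMPLE_COOKIES_TXT):
        tag = "third-party (blocked)" if is_third_party(c, "www.example-news.com") else "first-party (kept)"
        print(f"{c.domain:22} {c.name:10} {tag}")
```

Running it while “visiting” www.example-news.com drops only the two advertising-network cookies; the site’s own `sessionid` and `login` cookies, the ones that a login prompt depends on, are kept. The same cookies would be blocked as third-party on any other site, which is why the block matters for cross-site ad tracking and not for signing in.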

I wish that the makers of anti-spyware programs would stop obsessing about cookies. All they’re doing is distracting us from the real threats.

Linux security

A little article at Windows IT Pro claims to have the results of a new study that proves Linux is the least secure OS:

According to a study by the British security firm mi2g, Linux is the world’s “most breached” OS and is exploited more frequently than Windows. The company recently analyzed more than 235,000 successful attacks against computers that were permanently connected to the Internet during the past year and concluded that Linux was responsible for most of the successful exploits.

“For how long can the truth remain hidden, that the great emperors of the software industry are wearing no clothes fit for the fluid environment in which computing takes place, where new threats manifest every hour of every day?” DK Matai, mi2g’s executive chairman, said in a statement. “Busy professionals … don’t have the time to cope with umpteen flavors of Linux or to wait for Microsoft’s Longhorn when Windows XP has proved to be a stumbling block in some well-chronicled instances.”

To which I say, puh-leeze. I’m a Windows guy, but I’m not a hack, and this “study” just smells to the high heavens of hackery.

I’d love to check out the details so I could decide for myself, but the good folks at Windows IT Pro apparently decided that it wasn’t important to provide a link to the original study or to any information about the consulting firm behind the report. In fact, there are no links in this story at all except for the fake links inserted by the execrable Vibrant Media, which lead directly to ads, not real content.

Lame, lame, lame.

A quick Google search leads to a wealth of information about mi2g, much of it unflattering. Like this little blurb from Attrition.org.

You can find the mi2g press release on which the Windows IT Pro article was based here.

For the record, I think security problems in Windows are consistently overstated, especially for server versions, and security problems in Linux are probably understated on average. But articles like this one don’t add to the debate; they just give the /. crowd a big, fat, legitimate target.

Wireless security: cracking the code

Network World has put together an excellent, exhaustive article on the ins and outs of deploying a wireless network, entitled Cracking the wireless security code:

Is it possible to deploy a secure wireless LAN with technology available today? That question preys on the minds of IT executives who are tempted to deploy enterprise WLANs, but are hesitant because of security concerns.

So we assembled 23 wireless products from 17 vendors and ran them through a battery of tests aimed at getting the answer.

The focus is on enterprise networks, so it may be overkill if you’re just trying to keep the guy in the apartment below you from tapping into your Wi-Fi connection. I mean, you’re not about to set up a RADIUS server in your hall closet. But it’s still worth reading, thanks to an excellent glossary, clear explanations of all the wireless technologies out there, and detailed instructions on how to secure your wireless LAN.

Props to Wi-Fi Networking News for the pointer.

Kazaa use down. Good!

News of an encouraging trend in this morning’s headlines. AP: Kazaa losing users:

Kazaa’s long-standing position as the most popular online file-sharing software appears to be over. Last month, the daily average of file-swappers on the FastTrack peer-to-peer network, which includes Kazaa and related programs, was surpassed for the first time by users on the eDonkey/Overnet network, according to online tracking firm BayTSP Inc.

[…]

BayTSP’s monitoring does not encompass all the file-sharing networks, however. Graham cites the BitTorrent network as an example of a file-sharing community that has grown increasingly popular. The company tracks file-sharing on BitTorrent, but cannot tell how many people use it, Graham said.

I’m a big fan of BitTorrent, which represents a way for communities to share ideas and files. I’ve seen too much chaos and misery created by Kazaa to feel anything but pleasure in their demise.