A sleazy QuickTime trick

In a perfect world, we’d be able to choose one media player for everything. In the real world, we need two or three media players to handle the mix of incompatible and proprietary formats available on the Web. So, although I don’t use QuickTime often, I keep a copy installed so that I can see video clips on sites that offer only Apple formats.

If you use QuickTime on Windows or a Mac and you haven’t updated it since January 10, you’re at serious risk. But be careful when you go looking for that security update or you may get more than you bargained for.

On January 10, Apple released a critical update for QuickTime designed to fix five separate vulnerabilities, any of which can result in “arbitrary code execution” if you simply view a specially crafted image file (QTIF, GIF, TIFF, or TGA) or a similarly doctored media file. The vulnerability exists on Windows XP, Windows 2000, and Mac OS X. Sounds at least as serious as the WMF exploit that Microsoft was pilloried for, and indeed it is. (It took 71 days for Apple to come up with the patch after this vulnerability was reported, by the way, but that’s a topic for another day.)

Being a security-conscious sort, I checked my version of the QuickTime Player and determined that it was hopelessly out of date. I had version 6.5.1 installed; these vulnerabilities are fixed in version 7.0.4. I tried the Update Software option from the QuickTime Player menu, but when it finished its quick download and installation I was only at version 6.5.2, and it told me I was completely up to date. So I headed over to Apple’s QuickTime site and was greeted with this page:

I’ve circled the two areas of interest on this page. See that big blue Free Download Now button? That’s what most people will click. I almost did, until I noticed the wording at the top of the page: “QuickTime 7 with iTunes 6.” I don’t want iTunes! But I need that security update. Maybe I should read the security bulletin again. Oh, dear. Right there at the bottom, it has the bad news:

APPLE-SA-2006-01-10 QuickTime 7.0.4:

For Mac OS X v10.3.9 or later
The download file is named: “QuickTimeInstallerX.dmg”
Its SHA-1 digest is: a605fc27d85b4c6b59ebbbc84ef553b37aa8fbca

For Windows 2000/XP
The download file is named: “iTunesSetup.exe”
Its SHA-1 digest is: 1f7d1942fec2c3c205079916dc47b254e508de4e

Well, that’s odd. If I own a Mac, I can just get the QuickTime installer, but because I use Windows I have to install iTunes? Doesn’t seem right.

Hey, what’s that tiny link at the bottom of the QuickTime downloads page? The one that reads QuickTime Standalone Installer? Clicking that link from Internet Explorer installs the QuickTime ActiveX control. Clicking it from Firefox downloads a file called … QuickTimeInstaller.exe. No iTunes required. (Update: The QuickTime ActiveX control only loads in IE if it’s not already installed. The download link leads to the QuickTime installer, regardless of browser.)
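To make the bulletin's digests actually usable, here is an added example (not code from Apple or from the original post) that checks a downloaded file's name and SHA-1 against the table quoted above and reports the case the post complains about: a file such as QuickTimeInstaller.exe that the bulletin never lists. The file names and digests are the ones printed in APPLE-SA-2006-01-10; the small "abc" sample file written in demo() is constructed.

```python
"""Check a downloaded installer against the digests published in a security bulletin."""
import hashlib
import hmac
import os
import tempfile

# File names and SHA-1 digests exactly as printed in APPLE-SA-2006-01-10 (quoted above).
BULLETIN_DIGESTS = {
    "QuickTimeInstallerX.dmg": "a605fc27d85b4c6b59ebbbc84ef553b37aa8fbca",
    "iTunesSetup.exe": "1f7d1942fec2c3c205079916dc47b254e508de4e",
}

def sha1_hex(fileobj, chunk_size=1 << 16):
    """Stream a file through SHA-1 so a 40-MB installer is never read into memory at once."""
    h = hashlib.sha1()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def check_digest(data, expected_hex):
    """True if SHA-1(data) equals the published digest (case-insensitive, constant-time compare)."""
    actual = hashlib.sha1(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())

def verify_download(path, digests=BULLETIN_DIGESTS):
    """Return 'ok', 'mismatch' or 'unlisted' for the file at `path`."""
    name = os.path.basename(path)
    expected = digests.get(name)
    if expected is None:
        # The standalone QuickTimeInstaller.exe is not in the bulletin: nothing to check against.
        return "unlisted"
    with open(path, "rb") as f:
        actual = sha1_hex(f)
    return "ok" if hmac.compare_digest(actual, expected.lower()) else "mismatch"

def demo():
    """Constructed sample: a tiny file checked against a matching table, the real bulletin, and no entry."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "iTunesSetup.exe")
        with open(good, "wb") as f:
            f.write(b"abc")  # SHA-1 of b"abc" is a9993e36...
        table = {"iTunesSetup.exe": "a9993e364706816aba3e25717850c26c9cd0d89d"}
        ok = verify_download(good, table)
        bad = verify_download(good, BULLETIN_DIGESTS)   # bulletin digest is for the real installer
        unlisted = verify_download(os.path.join(tmp, "QuickTimeInstaller.exe"), BULLETIN_DIGESTS)
        return ok, bad, unlisted
```

SHA-1 is what the 2006 bulletin published; a bulletin written today would list SHA-256 and the same code works with hashlib.sha256.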

This is a crappy way to do business, Apple. The security bulletin should reference the QuickTime installer, not just the iTunes setup file that happens to include the QuickTime Player. And if someone comes to your site looking for a critical security update, don’t push extra software on them.

Years ago, Real used to pull this same crap with their RealPlayer. When you visited the download page, you were steered into the trial version of Real’s subscription-based software, and it took a treasure map and a Sherpa to find the tiny link to the free player. It took a few thousand complaints, but Real finally wised up. Go to Real.com now and you’ll see two buttons of equal size: one offers a 14-day trial of its premium SuperPass product; the other is labeled Free Download. No magnifying glass required.

I never thought I’d say it, but Real is setting the standard when it comes to downloads. Apple, clean up your act.

Update: A visitor from Down Under comments that Real.com is up to its old tricks on sites outside the United States. After telling Real.com that I’m from Australia, I can see what he’s talking about. As a point of reference, here’s what the main U.S. page looks like:

How effective is your antivirus software?

eWeek points to an authoritative analysis of how security software companies have responded to the WMF exploit:

AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:

* Alwil Software (Avast)
* Softwin (BitDefender)
* ClamAV
* F-Secure Inc.
* Fortinet Inc.
* McAfee Inc.
* ESET (Nod32)
* Panda Software
* Sophos Plc
* Symantec Corp.
* Trend Micro Inc.
* VirusBuster

These products detected fewer variants:

* 62 — eTrust-VET
* 62 — QuickHeal
* 61 — AntiVir
* 61 — Dr Web
* 61 — Kaspersky
* 60 — AVG
* 19 — Command
* 19 — F-Prot
* 11 — Ewido
* 7 — eSafe
* 7 — eTrust-INO
* 6 — Ikarus
* 6 — VBA32
* 0 — Norman

The difference for the more effective products is likely to be heuristic detection, tracking the threat by identifying the basic techniques of the exploit, rather than looking for specific patterns for specific exploits.

I know a lot of people who use various free antivirus programs, especially AVG. I don’t recommend them, and this study is one giant data point in my argument.

Anyone with an updated subscription to any of the AV programs on the first list above is fully protected from the WMF exploit. Anyone using a program on the second list should ask themselves whether it’s time to switch.

Symantec shows how not to do security

This post is from guest blogger Carl Siechert, my co-author on Windows XP Inside Out and Windows XP Networking and Security Inside Out:

A coworker recently bought via Symantec’s online store a copy of Norton Internet Security 2006 for her home computer. (This wouldn’t have been my recommendation, btw.) After making the payment, the last page of the order process includes a download button. She clicks the button (and is flummoxed by the Run/Save security dialog) and eventually screws up the courage to save the file to disk. (She’s not particularly at ease with computers.)

It downloads a 156-KB file called Setup.exe (or Norton Upgrade Setup.exe, depending on the target folder), which turns out to be Norton Internet Security Download Manager, a program to download the real application installer. But here’s the kicker: the download manager program is not signed. So, of course, when she opens it Windows pops up an ominous warning about an unknown publisher. Contravening standard security advice, she forges ahead. (Looking at the file properties imparts no useful information either. The Version tab shows a product name of “xDM” and no publisher name.)

Without any warning that the 40-MB download is going to tie up her phone line for a considerable time, it eventually completes, depositing on her desktop a file called NIS06900_2YR.exe. (Examining the properties of this file is even less helpful; it doesn’t even have a Version tab.) Because it was placed there by a program other than Internet Explorer, running the program doesn’t display any sort of warning.

There’s no way to confirm that either of these files came from Symantec, nor any way to confirm that they haven’t been altered by someone else (or that they aren’t a different potentially malicious program altogether).

This kind of sloppy work by one of the major players in security software makes it difficult to explain to unsophisticated users how to determine which programs are safe to run. How many warnings have we seen about malicious programs that purport to be a security program or update from Symantec and its competitors? And what’s our usual advice? If it’s not signed by the publisher, it’s probably bogus. Nice work, Symantec.

Apple ready to turn on activation

Goodness gracious! Apple apparently wants to lock their new OS to your hardware:

Apple Computer, which is in the process of switching to computers based on the omnipresent Intel processor, has filed a patent application describing a method for securely running Mac OS X on specific hardware.

The Mac maker has applied for a patent to cover a “system and method for creating tamper-resistant code.” Apple describes ways of ensuring that code can be limited to specific hardware, even in a world in which operating systems can be run simultaneously, in so-called virtual machines. The patent application was made in April of 2004, but only made public last Thursday.

In its application, Apple describes a means of securing code using either a specific hardware address or read-only memory (ROM) serial number. Apple also talks about securing the code while interchanging information among multiple operating systems. Mac OS X, Windows and Linux are called out specifically in the filing.

I’ll be eagerly awaiting the screams of anguish from the usual suspects.

Windows Defender and a dissertation on search algorithms

Dwight Silverman has a pair of interesting observations on the news that Microsoft Antispyware is about to become Windows Defender:

I mentioned above that there’s already an application dubbed Windows Defender. I found that by doing a Google search, which turned up many links to the existing package as the top results.

But if you do the same search at MSN Search, the top results are front-loaded with references to the Windows Defender renaming announcement by Jason Garms. In fact, the first reference to the existing Windows Defender product doesn’t show up until the seventh page of results at MSN.

Maybe Microsoft forced the results for its own entry higher on its search engine. Or maybe Google’s just slow to index blog postings. Or a little bit of both . . .

That first observation is interesting, indeed. Microsoft has an army of lawyers, and one would have to assume that no product naming decision gets publicly announced until there’s been a thorough trademark search. (At least the windowsdefender.com domain is owned by a guy in Seattle who is a contractor for Microsoft.) If someone made a public announcement like this without acquiring the trademark rights from the existing product, they were incredibly sloppy.

What about the search results? Is Microsoft really favoring itself?

When I looked at the MSN Search results, I found that a download link for the existing Windows Defender product was fourth on the list. (Hey, I’m even on that first page!) So it’s not like every reference to the existing product has been scrubbed.

I think there’s a (somewhat) more innocent explanation for the different search results for MSN Search versus Google. In my admittedly limited testing, I’ve seen clear evidence that the MSN algorithm emphasizes freshness much more than Google does. By contrast, Google’s algorithm emphasizes the number and quality of links to a given page (PageRank) and thus is inherently biased toward pages that are older and have had more time to acquire lots of links from high-traffic sites. So at least in this case it stands to reason that pages talking about the latest news on this phrase would rank higher at MSN Search than at Google.

For an example that isn’t Microsoft-related (and thus doesn’t have the possibility that Microsoft is unfairly favoring its own sites), try searching for Sony copy protection, a topic that has been much in the news lately.

Here are the MSN Search results. Note that everything on the first page is about the current rootkit controversy.

Now try Googling the same words. Although there are lots of results about rootkits, I noted that the third item on the first page was a USA Today article from 2002. The sixth item is an undated article from KAOS2000 Magazine that talks about using marker pens to defeat Sony copy protection schemes used on a “new Celine Dion album” released in 2002. And the ninth link on the page is to a discussion at cdfreaks.com, also from 2002.

Those are interesting approaches. Knowing how those two search engines work can help me decide which one to use, but I don’t think either one is biased.

Scoble wrote a flurry of interesting posts on this some time ago. In this post, which I chose more or less at random, he says something I can wholeheartedly agree with: “Anyway, my point wasn’t to get into a rathole discussion on any one search term. It was to point out that at almost ANY search term you can find ways to improve the engine. But, I’ll keep hammering this one in until people get it and see that search is FAR from being done.”

Microsoft buys FolderShare

News out of Redmond:

Microsoft Corp. today announced it has acquired FolderShare, a leading service in the emerging space of file synchronization and remote access technology that helps customers access information across multiple devices. FolderShare customers will continue to be able to enjoy the service at http://www.foldershare.com. Financial details of the acquisition were not disclosed.

This has been on my to-do list for a while. Now I really have to look at it!

Tip of the day: Find your e-mail folder fast

Do you know where your e-mail messages are stored? That’s not just a theoretical question. If e-mail matters to you, you need to back up the files containing your messages so that you can restore them in the event of a hard disk crash or other problem. Here’s how to find your e-mail files with three popular programs:

  • Microsoft Outlook 2003: With Outlook closed, open Control Panel and double-click Mail. In the Mail Setup dialog box, click Data Files and then click Open Folder. This opens Windows Explorer using the folder where your Outlook Personal Stores (PST) file is located. The default name is Outlook.pst. Back up that file, which contains all your messages, rules, contacts, and appointments.
  • Outlook Express: Open Outlook Express and click Tools, Options. Click the Store Folder… button and highlight the entire string contained in the Store Location box. Press Ctrl+C to copy this location to the Windows Clipboard. Close all open dialog boxes, open Windows Explorer, and paste that location in the Address bar. Back up the complete contents of this folder, which contains all of your messages. Note that it does not contain your Address Book, which must be backed up separately.
  • Mozilla Thunderbird: Click Start, Run. In the Open box, type %appdata%\Thunderbird\Profiles and click OK. Windows Explorer opens, showing the contents of your Profiles folder. In a normal installation, this should contain a single folder with a random name (like uepsg00s) followed by .default. Copy this folder, which contains all settings and data for Thunderbird. You can restore it in the event of a crash.
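As an added example (not part of the original tip), this script locates the Thunderbird profile the way the tip describes and copies it to a backup folder; it also reads profiles.ini, which sits one level above the Profiles folder, so that it picks the default profile when more than one exists instead of assuming a single folder. The %APPDATA%\Thunderbird layout built in demo() is constructed; on a real machine you would pass os.path.join(os.environ["APPDATA"], "Thunderbird") and a destination on another disk.

```python
"""Locate a Thunderbird profile via profiles.ini and copy it to a backup folder."""
import configparser
import os
import shutil
import tempfile

def find_profile_dir(thunderbird_dir):
    """Return the path of the default profile listed in profiles.ini.

    Falls back to the single '*.default' folder under Profiles/ when the ini is
    absent, which is the layout the tip above describes."""
    ini = os.path.join(thunderbird_dir, "profiles.ini")
    if os.path.isfile(ini):
        cfg = configparser.ConfigParser()
        cfg.read(ini)
        profiles = [cfg[s] for s in cfg.sections() if s.startswith("Profile")]
        chosen = next((p for p in profiles if p.get("Default") == "1"), profiles[0] if profiles else None)
        if chosen is not None:
            path = chosen["Path"]
            if chosen.get("IsRelative", "1") == "1":   # relative paths hang off the Thunderbird folder
                path = os.path.join(thunderbird_dir, path)
            return os.path.normpath(path)
    profiles_root = os.path.join(thunderbird_dir, "Profiles")
    candidates = [d for d in os.listdir(profiles_root) if d.endswith(".default")]
    if len(candidates) != 1:
        raise RuntimeError("expected exactly one *.default profile, found %d" % len(candidates))
    return os.path.join(profiles_root, candidates[0])

def backup_profile(thunderbird_dir, backup_root):
    """Copy the whole profile folder (mail, settings, address book) under backup_root."""
    src = find_profile_dir(thunderbird_dir)
    dst = os.path.join(backup_root, os.path.basename(src))
    shutil.copytree(src, dst)
    return dst

def demo():
    """Constructed layout with two profiles; returns which one was backed up and that its file arrived."""
    with tempfile.TemporaryDirectory() as tmp:
        tb = os.path.join(tmp, "Thunderbird")
        for name in ("uepsg00s.default", "x1y2z3w4.work"):
            os.makedirs(os.path.join(tb, "Profiles", name))
            with open(os.path.join(tb, "Profiles", name, "prefs.js"), "w") as f:
                f.write("// constructed prefs file\n")
        with open(os.path.join(tb, "profiles.ini"), "w") as f:
            f.write("[Profile0]\nName=work\nIsRelative=1\nPath=Profiles/x1y2z3w4.work\n\n"
                    "[Profile1]\nName=default\nIsRelative=1\nPath=Profiles/uepsg00s.default\nDefault=1\n")
        dst = backup_profile(tb, os.path.join(tmp, "backup"))
        return os.path.basename(dst), os.path.isfile(os.path.join(dst, "prefs.js"))
```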

If you use another e-mail program and you know how to find its data files, leave details in the comments section.

The original Widget/Gadget/Gizmo

In a comment to my earlier post on the Widget-Gadget food fight, PB reminded me about Active Desktop. The linked page from Microsoft’s site, dated August 2001, includes this text:

The Microsoft Investor Ticker below is just one example of Active Desktop items—live content that Internet Explorer 4.0 lets you bring from the Web to your Active Desktop. Check out the list below. You’ll find cool items that deliver regularly updated news, entertainment, tools, and more.

I remember writing about Active Desktop in 1997, when I was working on a beta copy of Windows 98 and Internet Explorer 4.0.

And sure enough, a little poking around found this October 1997 article from Microsoft Systems Journal. It contains the first reference I can remember to Dynamic HTML, plus discussions of the Channel Definition Format (a very early use of XML that was a precursor to RSS), an Information Delivery API, support for Broadcast TV, and a bunch of other stuff that today we take for granted.

The Wikipedia entry for Active Desktop notes:

Active Desktop works much like desktop widget technology in that it allows users to place customized information on their desktop. [emphasis added]

Splat!