June 24, 2006

Spybot S&D definitions update

The world-renowned anti-spyware program Spybot Search & Destroy was updated on June 23, 2006. If you use this program, run a manual update as soon as possible.

2006-06-23
Hijacker
+ Crackspider
++ SpywareSoftStop.Hijacker
+ CoolWWWSearch.Feat2Installer
+ CoolWWWSearch.Service
+ CoolWWWSearch.Feat2DLL

Keylogger
++ Ardamax (2)
++ HellzLittleSpy

Malware
++ VirusBlast
+ Winhound
+ SurfSideKick
+ Smitfraud-C.
++ TitanShield
++ Pokapoka79
++ Win23.PE
++ XXXTeenPornPack
+ Vcodec.eMedia

Spyware
+ PurityScan

Trojan
+ MZS.Spoolserver32
+ Wild Media
+ Haxdoor-H
++ Zlob.XPasswordManager
+ Zlob.Downloader
++ SearchSpy
++ Win32.Murlo.du
++ Small.cxl
++ LowZones.df
++ Win32.Lager.aq (2)
++ SilentCaller.pw
++ S.P-Bot.B
++ ConHook
+ Virtumonde
++ Zlob.PornMagPass (2)

Total: 332792 fingerprints in 43604 rules for 2048 products.
Update History

Home - The home of Spybot-S&D!
Spybot Search and Destroy Download page - Program and definition updates.

Read the extended comments for news about Spybot's compatibility with Windows Vista.

Windows Vista compatibility

June 23, 2006
Patrick M. Kolla
Spybot Search and Destroy

It's been a week since Microsoft's new Beta 2 for Windows Vista has been available to the public, so we found it's time to announce that all our tests so far have shown that Spybot-S&D is completely compatible with Vista - scanning, immunizing, permanent monitoring, updating & tools (except for a minor graphical glitch in the process list tool that does not prevent the application from working as intended in any way).

Microsoft mistook a broken server during the Spybot-S&D update for an incompatibility when testing it, so when you're installing Spybot-S&D and Vista warns you about an incompatibility when installing, just go ahead and install anyway. We're already discussing this with Microsoft and the warning should be gone very shortly.

RunAlyzer, RegAlyzer, FileAlyzer and FoldAlyzer have also passed first tests.

Link: http://www.spybot.info/en/news/2006-06-23.html


June 22, 2006

Zero-Day MS Excel Vulnerabilities Being Exploited

Here are two Secunia reports about unpatched flaws that are being exploited through Excel documents. Note that the second one is not in Excel itself but in a Windows library (hlink.dll) that is reached through hyperlinks embedded in Excel files, which is why Secunia lists Windows versions rather than Office products as affected.

1: Microsoft Excel Repair Mode Code Execution Vulnerability
http://secunia.com/advisories/20686/

Secunia Advisory: SA20686
Advisory Release Date: 2006-06-16
Last Update: 2006-06-20

Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround

Software:
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel Viewer 2003
Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office X for Mac
Microsoft Office XP

CVE reference: CVE-2006-3059

Description:
A vulnerability has been discovered in Microsoft Excel, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a memory corruption error in the "repair mode" functionality used for repairing corrupted documents. This can be exploited via a specially crafted Excel document.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been confirmed on a fully updated Windows XP SP2 system with Microsoft Excel 2003 SP2. Other versions may also be affected.

NOTE: This vulnerability is a so-called 0-day and is already being actively exploited.

Solution:
Don't open untrusted Excel documents.

The vendor has published various workarounds (see vendor advisory).

Provided and/or discovered by:
Discovered in the wild.

Changelog:
2006-06-20: Added additional information from Microsoft. Added CVE reference. Updated "Solution" section by referring to vendor workarounds.

Original Advisory:
Microsoft: http://www.microsoft.com/technet/security/advisory/921365.mspx
Microsoft: http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx



2: Microsoft Windows Hyperlink Object Library Buffer Overflow
http://secunia.com/advisories/20748/

Secunia Advisory: SA20748
Advisory Release Date: 2006-06-20
Last Update: 2006-06-22

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

CVE reference: CVE-2006-3086

Description:
kcope has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in hlink.dll within the handling of Hyperlinks in e.g. Excel documents. This can be exploited to cause a stack-based buffer overflow by tricking a user into clicking a specially crafted Hyperlink in a malicious Excel document.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been confirmed on a fully patched Windows XP SP2 system running Microsoft Excel 2003 SP2. Other versions and products using the vulnerable library may also be affected.

Solution:
Do not open untrusted Microsoft Office documents.

Do not follow links in Microsoft Office documents.

Provided and/or discovered by: kcope

Changelog:
2006-06-22: Added CVE reference. Added link to US-CERT vulnerability note. Added various Windows versions as vulnerable instead of Office products.

Original Advisory:
Microsoft: http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx

Other References:
US-CERT VU#394444: http://www.kb.cert.org/vuls/id/394444

Microsoft has offered some workarounds, which I have listed on this blog page.

Also, see this Microsoft Advisory for the latest information and workarounds.


June 20, 2006

Workarounds for Excel 'Zero-Day' Flaw

Microsoft Security Advisory (921365)
- Title: Vulnerability in Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/921365.mspx
- Revision Note: Advisory Published: June 19, 2006

Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac. In order for this attack to be carried out, a user must first open a malicious Excel file attached to an e-mail or otherwise provided to them by an attacker.

Opening the Excel document out of email will prompt the user to be careful about opening the attachment.

As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. Microsoft has added detection to the Windows Live Safety Center today for up-to-date removal of malicious software that attempts to exploit this vulnerability.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Workarounds listed in extended comments >>>

Workarounds for Microsoft Excel Remote Code Vulnerability:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

On Excel 2003, prevent Excel Repair mode by modifying the Access Control List (ACL) to the Excel Resiliency registry key

This vulnerability is exploited when Excel enters repair mode. Preventing Excel from entering repair mode can block the vulnerability from being exploited on Excel 2003. To prevent Excel from entering repair mode, change the Access Control Lists (ACL) settings using either the registry editor or Group Policy to remove all user accounts from accessing the registry key. To do this manually, follow these steps:

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note We recommend backing up the registry before you edit it.

For Windows 2000

Note Make a note of the permissions that are listed in the dialog box so that you can restore them to their original values at a later time

1. Click Start, click Run, type regedt32, and then click OK.

2. Expand HKEY_CURRENT_USER, expand Software, expand Microsoft, expand Office, expand 11.0, expand Excel, and then click Resiliency. If the key does not exist, create it.

3. Highlight this key and Click Security, and then click Permissions.

4. Click to clear the Allow Inheritable Permissions from the parent to propagate to this object check box. You are prompted to click Copy, Remove, or Cancel. Click Remove, and then click OK.

5. You receive a message that states that no one will be able to access this registry key. Click Yes when you are prompted to do so.

For Windows XP Service Pack 1 or later operating systems

Note Make a note of the permissions that are listed in the dialog box so that you can restore them to their original values at a later time.

1. Click Start, click Run, type "regedit" (without the quotation marks), and then click OK.

2. Expand HKEY_CURRENT_USER, expand Software, expand Microsoft, expand Office, expand 11.0, expand Excel, and then click Resiliency. If the key does not exist, create it.

3. Click Edit, and then click Permissions.

4. Click Advanced.

5. Click to clear the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" check box. You are prompted to click Copy, Remove, or Cancel. Click Remove, and then click OK.

6. You receive a message that states that no one will be able to access this registry key. Click Yes, and then click OK to close the Permissions dialog box for this registry key.

Impact of Workaround: The repair mode in Excel helps open corrupted Excel documents. After applying this workaround Excel will not attempt to repair corrupted Excel documents and may not recover gracefully when opening a malformed Excel document. If Excel is unstable after opening a malformed Excel document, close all Excel processes with Task Manager and restart Excel.

To prevent Excel documents from entering a corporate network directly, block all Excel file types at the E-mail gateway.

Note This will not protect against other attack vectors including a web-based attack.

The following file-types are Excel file-types that can exploit this vulnerability and would need to be blocked at the network perimeter:

xls, xlt, xla, xlm, xlc, xlw, uxdc, csv, iqy, dqy, rqy, oqy, xll, xlb, slk, dif, xlk, xld, xlshtml, xlthtml, xlv
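The list above is what the advisory tells a gateway to block, but an extension filter is only as good as the name the sender chose: renaming payroll.xls to payroll.txt gets it past the filter and Excel will still open it from File > Open. A gateway therefore also needs to look at the bytes. Excel 97-2003 workbooks are OLE2 compound files whose directory contains a "Workbook" stream ("Book" for Excel 5/95), which distinguishes a renamed workbook from a Word document that uses the same container. The Python below is an added example, not from Microsoft's advisory or from this blog: it blocks the advisory's extension list, then parses the compound-file directory to catch a disguised workbook. The compound file it checks is a fixture constructed inline by build_sample_cfb (not a file written by Excel), and all function names are this example's own.

```python
from __future__ import annotations
import struct

# Extensions the advisory says to block at the e-mail gateway.
BLOCKED_EXTENSIONS = frozenset(
    "xls xlt xla xlm xlc xlw uxdc csv iqy dqy rqy oqy xll xlb slk dif "
    "xlk xld xlshtml xlthtml xlv".split())
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file signature
ENDOFCHAIN, MAXREGSECT = 0xFFFFFFFE, 0xFFFFFFFA     # FAT chain end; first special sector no.
# Excel 97-2003 keeps the sheet in a "Workbook" stream ("Book" in Excel 5/95);
# Word uses "WordDocument", so the stream name tells the two apart.
EXCEL_STREAMS = frozenset({"Workbook", "Book"})


def attachment_extension(filename: str) -> str:
    """Extension as the Windows shell resolves it: last dot, case-insensitive,
    trailing dots and spaces ignored."""
    name = filename.rstrip(" .").replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def ole2_stream_names(data: bytes, max_dir_sectors: int = 64) -> set[str]:
    """Directory entry names of an OLE2 compound file.  The bytes are
    attacker-controlled, so reads are bounds-checked and the directory walk
    is capped so that a cyclic FAT cannot spin forever."""
    names: set[str] = set()
    if len(data) < 512 or not data.startswith(OLE2_MAGIC):
        return names
    sector_shift = struct.unpack_from("<H", data, 30)[0]
    if sector_shift not in (9, 12):                  # 512- or 4096-byte sectors
        return names
    sector_size = 1 << sector_shift
    fat_sector_count, first_dir_sector = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)    # FAT sector list in header

    def sector(n: int) -> bytes:                     # sector 0 follows the header
        chunk = data[(n + 1) * sector_size:(n + 2) * sector_size]
        return chunk if len(chunk) == sector_size else b""

    fat: list[int] = []     # DIFAT sectors (>109 FAT sectors) are not followed:
    for s in difat[:min(fat_sector_count, 109)]:     # that only truncates the FAT
        chunk = sector(s)
        if not chunk:
            break
        fat.extend(struct.unpack(f"<{sector_size // 4}I", chunk))

    current = first_dir_sector
    for _ in range(max_dir_sectors):
        if current >= MAXREGSECT or current >= len(fat) or not sector(current):
            break
        chunk = sector(current)
        for i in range(sector_size // 128):          # 128-byte directory entries
            entry = chunk[i * 128:(i + 1) * 128]
            name_len = struct.unpack_from("<H", entry, 64)[0]  # bytes incl. NUL
            if entry[66] == 0 or not 2 <= name_len <= 64:      # unused/bogus
                continue
            names.add(entry[:name_len - 2].decode("utf-16-le", "replace"))
        current = fat[current]
    return names


def classify_attachment(filename: str, data: bytes) -> str | None:
    """Reason to block the attachment, or None to let it pass."""
    ext = attachment_extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension .{ext}"
    if data.startswith(OLE2_MAGIC) and EXCEL_STREAMS & ole2_stream_names(data):
        return f"Excel workbook disguised as .{ext or '(none)'}"
    return None


def build_sample_cfb(stream_name: str) -> bytes:
    """Constructed fixture, not a file written by Excel: a minimal well-formed
    compound file with one FAT sector and one directory sector."""
    header = bytearray(512)
    header[:8] = OLE2_MAGIC
    struct.pack_into("<HHHH", header, 26, 3, 0xFFFE, 9, 6)  # ver 3, byte order, shifts
    struct.pack_into("<II", header, 44, 1, 1)               # 1 FAT sector; dir at sector 1
    struct.pack_into("<IIII", header, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", header, 76, 0, *[0xFFFFFFFF] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *[0xFFFFFFFF] * 126)

    def entry(name: str, kind: int, child: int = 0xFFFFFFFF) -> bytes:
        e, enc = bytearray(128), name.encode("utf-16-le")
        e[:len(enc)] = enc
        struct.pack_into("<HBB", e, 64, len(enc) + 2, kind, 1)     # len, type, black
        struct.pack_into("<III", e, 68, 0xFFFFFFFF, 0xFFFFFFFF, child)
        return bytes(e)

    return bytes(header) + fat + entry("Root Entry", 5, 1) + entry(stream_name, 2) + bytes(256)


if __name__ == "__main__":
    workbook, word = build_sample_cfb("Workbook"), build_sample_cfb("WordDocument")
    for fname, blob in [("quarterly.XLS", workbook), ("notes.txt", workbook),
                        ("memo.doc", word), ("readme.txt", b"plain text")]:
        print(f"{fname:14} -> {classify_attachment(fname, blob) or 'pass'}")
```

The content check only recognises the binary BIFF container. The text formats in the advisory's list (csv, slk, dif, iqy and the other query files) have no signature to sniff, and a workbook can also arrive inside a zip or be fetched from a web page, which is exactly the "other attack vectors" caveat in the advisory's own note. The bounded directory walk is not decoration: a gateway that hangs or crashes on a crafted file is itself a denial-of-service target, and a malformed Excel file is the very thing this advisory is about.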

Block the ability to open Excel documents from Outlook as attachments, web sites, and the file system directly by removing the registry keys that associate the Excel documents with the Excel application.

Excel documents can be opened automatically in Excel by opening them as e-mail attachments, by visiting websites that attempt to load the Excel documents, and from the file system or file shares by double-clicking on the document. Removing the following registry keys will block these attack vectors by preventing Excel documents from loading in Excel directly. To remove these keys follow these steps:

Note While the vulnerability exists in the Excel Viewer 2003, Excel 2002, and Excel 2000, the current exploit has not affected these applications.

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

1. Click Start, click Run, type "regedit" (without the quotation marks), and then click OK. On Windows 2000, type regedt32 instead.

2. Highlight each of the registry keys in the list below

3. Right click on each key, and click on Delete, and click on Yes to confirm the deletion.

Note: Depending on installation, some of the keys below may not exist.

Note We recommend backing up each of the registry keys below to restore the deleted keys.

HKEY_CLASSES_ROOT\Excel.Addin\shell
HKEY_CLASSES_ROOT\Excel.Backup\shell
HKEY_CLASSES_ROOT\Excel.Chart\shell
HKEY_CLASSES_ROOT\Excel.Chart.8\shell
HKEY_CLASSES_ROOT\Excel.CSV\shell
HKEY_CLASSES_ROOT\Excel.DIF\shell
HKEY_CLASSES_ROOT\Excel.Macrosheet\shell
HKEY_CLASSES_ROOT\Excel.Sheet.8\shell
HKEY_CLASSES_ROOT\Excel.SLK\shell
HKEY_CLASSES_ROOT\Excel.Template\shell
HKEY_CLASSES_ROOT\Excel.Workspace\shell
HKEY_CLASSES_ROOT\Excel.XLL\shell
HKEY_CLASSES_ROOT\Excelhtmlfile\shell
HKEY_CLASSES_ROOT\Excelhtmltemplate\shell
HKEY_CLASSES_ROOT\.xls
HKEY_CLASSES_ROOT\.xlt
HKEY_CLASSES_ROOT\.xla
HKEY_CLASSES_ROOT\.xlm
HKEY_CLASSES_ROOT\.xlc
HKEY_CLASSES_ROOT\.xlw
HKEY_CLASSES_ROOT\.uxdc
HKEY_CLASSES_ROOT\.csv
HKEY_CLASSES_ROOT\.iqy
HKEY_CLASSES_ROOT\.dqy
HKEY_CLASSES_ROOT\.rqy
HKEY_CLASSES_ROOT\.oqy
HKEY_CLASSES_ROOT\.xll
HKEY_CLASSES_ROOT\.xlb
HKEY_CLASSES_ROOT\.slk
HKEY_CLASSES_ROOT\.dif
HKEY_CLASSES_ROOT\.xlk
HKEY_CLASSES_ROOT\.xld
HKEY_CLASSES_ROOT\.xlshtml
HKEY_CLASSES_ROOT\.xlthtml
HKEY_CLASSES_ROOT\.xlv
HKEY_CLASSES_ROOT\ExcelViewer.Chart.8\shell
HKEY_CLASSES_ROOT\ExcelViewer.Macrosheet\shell
HKEY_CLASSES_ROOT\ExcelViewer.Sheet.8\shell
HKEY_CLASSES_ROOT\ExcelViewer.Template\shell
HKEY_CLASSES_ROOT\ExcelViewer.Workspace\shell

Impact of Workaround: Excel documents will no longer be opened outside the Excel application. To view Excel documents open the Excel application and load the document directly using File and Open.

Do not open or save Microsoft Excel files that you receive from untrusted sources.

This vulnerability could be exploited when a user opens a specially crafted Excel file. Excel files from trusted sources or Excel files that are known to be trusted can continue to be used.

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.


June 19, 2006

How to display the headers of spam/scam emails, for reporting or tracing the source.

Everybody who has an email account is plagued by the spam and scam epidemic that is polluting our inboxes. Most people simply resort to hitting Delete over and over again. Others, like yours truly, do something about it. I report all spam that gets through my defenses to SpamCop, where I have a Reporting Member account. I also use an email screening program that automatically deletes most spam, which I will talk about later in this article.

The SpamCop reporting system requires you to be able to display, copy and paste the complete message source, including the normally hidden headers. Displaying an email's source is what this article is about. Even if you are not a SpamCop reporting member, learning how to read the headers will allow you to trace the origin of scam emails (links in extended comments) from financial fraud artists in countries like Nigeria, and to file complaints with the Internet Service Providers that provide the connections to the scammers or spammers.

I am frequently asked "how do I display email headers and source code?" The methods vary with the email client (program), but every one I have seen will offer some means of displaying the full incoming headers. The following sections cover Microsoft Outlook and Outlook Express, Hotmail, Gmail and Yahoo! browser-based email.

MS Outlook
Double-click the message to open it in its own window, then click View > Options; the headers are shown in the "Internet headers" pane. You can copy that data and paste it into another email or a SpamCop report.

Outlook Express
If the message is not open, right-click on the message in your Inbox and select Properties > Details > Message Source (button).

If the message is already open, simply press Control and F3 (together) and the "Message Source" window will appear. Once the source code is displayed in the resizable window you can copy it and paste it into a report.

Hotmail
If you are using browser-based Hotmail, log in and go to "Options." On the Options page click the link labeled "Mail Display Settings" and find the section "Message Headers." Select the option "Full." Click "OK" at the bottom to save your changes. Now, when you get a scam email and forward it, the recipient can read the full headers.

You can reveal the complete source code of any email in Hotmail by opening the message and looking for the blue link labeled "View E-mail Message Source," just above the white email message body. The source will open in a new browser window, and can be copied and pasted.

Gmail
After logging into your Gmail account in your browser, open the email you want to inspect. Look to the right along the top of the message for three vertical dots. Click them to open an options menu, then click "Show Original." A new tab will open containing the original message, including the full incoming headers.

Yahoo!
If you use Yahoo! email, log in and click on "Mail Options." When the options page loads, locate the section labeled Personalization and click on the link labeled "General Preferences." On the "General Preferences" page scroll to "Messages" and select the radio button labeled "Show ALL Headers."

To forward the headers with an email scam or spam, scroll down farther to "Message Actions" and find "Forwarding Messages." Select the radio choice to "Forward as Inline Text." Click the "Save" button at the bottom. After this all you have to do is Forward any scam emails and the full headers will be at the top of the message.


SpamCop has a list of commonly used email programs, including AOL, with instructions for displaying the full headers and/or forwarding as an attachment.


With the source code copied to the Windows Clipboard you can paste it into the report text field in your SpamCop member's reporting page, or paste it into an email that you will send to an authority who can deal with tracing or reporting it, or you can paste it into a new Notepad document and save it for your own analysis.

Copying and Pasting 101
Once you have displayed the source code you will need to copy and paste it into an email or spam report. If you don't already know your Windows keyboard shortcuts for these actions they are as follows:
1: Click anywhere inside the message area and then press Control and A to Select All the text.
2: With all the text highlighted press Control and C to copy it to the "Clipboard."
3: Next, go to the email or form field into which you want to paste the source and click once inside that area, then press Control and V and it will be pasted into that field.

Forwarding Emails As An Attachment
Sometimes a recipient of an attempted email scam will be asked to forward the scam to an authority for analysis. The email should be forwarded as an attachment to preserve the headers and MIME details that are stripped out by standard forwarding. Just about every desktop email client has an option to do this, but a lot of browser-based email systems have no such function. ;-(

Outlook Express has a simple means of forwarding as an attachment. If the email is not open, right-click on it in your Inbox and select "Forward As Attachment." Address it to the recipient, type a subject and send it. If the message is already open, go to the menu item "Message" and select "Forward As Attachment."

Yahoo browser email has an option to Forward As Attachment when you are reading an email, by going to your Email Options > General Preferences > Message Actions > Forwarding Messages and selecting "Forward as an attachment." When you want to forward a message this option will now be available via the down arrow on the right side of the Forward button.

If your browser-based email does not provide an option to forward as an attachment (like free Hotmail), set it to display the full or advanced headers, then forward it inline, so all the headers will be sent with the message.


Tracing the origin of an email
If you want to trace the origin of spam and scam messages, study the headers for IP addresses (in the Received: lines, or in an X-Originating-IP: header if the sender's webmail provider adds one), then do Whois lookups on them until you find the likely source of the message. For this you will need tools. I recommend DNS Stuff, or Sam Spade. Both of these network lookup websites provide input fields where you can look up the registered owners of the IP addresses in question. Read the Received: lines from the bottom up: each mail server adds its own line at the top as the message passes through it, so the bottom line is the oldest hop. Only the lines added by your own provider's servers can be trusted. Everything below the line your provider's server wrote when it accepted the message was supplied by the sender and can be forged, and spammers routinely add fake Received: lines to point the blame elsewhere, so the IP recorded in the "from" part of the lowest trustworthy line is the host that actually handed the message to your provider. You may have to try several IP addresses until you find the originating one. Sometimes you will reach a dead end with AOL or Yahoo as the only traceable source IP, but more often you will find that it came from a country known to harbor Internet fraud artists or Nigerian 419 scammers, or that it is spam tracing to China, Korea, Japan or Russia.

With DNSStuff you can click a link in the results to reveal the abuse email addresses. You would then forward the scam or spam to the ISP, to the listed abuse recipient. You will have just LARTed the asshole that sent the spam/scam. LART means Loser Attitude ReadjusTment.
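The walk through the Received: lines described above, as an added Python example (not part of the original article, and not how SpamCop does it): it unfolds each Received: header, pulls out the connecting address and the relay that wrote the line, and then uses the trust boundary, the set of relays you know are your own, to decide which hop is the real origin instead of blindly taking the bottom line. The message it runs on is constructed for the example (documentation address ranges, invented hostnames) and shows a phish whose sender forged two Received: lines to blame a bank; the function names are this example's own.

```python
from __future__ import annotations
import email
import ipaddress
import re

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# "from <host> (<comment>) by <relay> ..." is the shape every relay writes.
HOP_RE = re.compile(r"from\s+(?P<host>\S+)\s*(?P<extra>.*?)\s*\bby\s+(?P<by>[\w.\-]+)", re.I)
BRACKET_IP_RE = re.compile(r"\[(" + IPV4 + r")\]")   # the address the relay itself saw
ANY_IP_RE = re.compile("(" + IPV4 + ")")
# Hand-kept list of non-routable ranges (the sample uses documentation ranges,
# which ipaddress.is_private would also flag, so is_private is not used).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: two genuine hops written by the victim's provider, then
# two lines the spammer forged to make the mail look like it came from a bank.
SAMPLE_MESSAGE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.1])
    by inbox.example.org (Postfix) with ESMTP id 1234
    for <victim@example.org>; Mon, 19 Jun 2006 10:02:11 -0400
Received: from dsl-203-0-113-77.example.net (unknown [203.0.113.77])
    by mx1.example.org (Postfix) with SMTP id 5678;
    Mon, 19 Jun 2006 10:02:09 -0400
Received: from mail.bigbank.example (mail.bigbank.example [198.51.100.5])
    by dsl-203-0-113-77.example.net with ESMTP; Mon, 19 Jun 2006 09:59:00 -0400
Received: from [10.0.0.5] by mail.bigbank.example; Mon, 19 Jun 2006 09:58:00 -0400
From: "Big Bank Security" <security@bigbank.example>
To: victim@example.org
Subject: Your account has been suspended

Dear customer, please confirm your details at the link below.
"""


def parse_received(value: str) -> dict | None:
    """Split one Received: header into the host/IP that connected ("from") and
    the relay that wrote the line ("by").  Header folding is undone first."""
    text = " ".join(value.split())
    m = HOP_RE.search(text)
    if not m:
        return None
    segment = f"{m.group('host')} {m.group('extra')}"
    found = BRACKET_IP_RE.search(segment) or ANY_IP_RE.search(segment)
    ip = found.group(1) if found else None
    if ip is not None:
        try:
            ipaddress.IPv4Address(ip)                # reject e.g. 999.1.1.1
        except ValueError:
            ip = None
    return {"from_host": m.group("host").strip("[]"), "from_ip": ip,
            "by": m.group("by"), "raw": text}


def received_chain(raw_message: str) -> list[dict]:
    """All parseable Received: hops, newest (top of the message) first."""
    msg = email.message_from_string(raw_message)
    hops = (parse_received(v) for v in msg.get_all("Received") or [])
    return [h for h in hops if h]


def originating_ip(raw_message: str, trusted_relays: set[str]) -> str | None:
    """Walk the hops from the top.  The first line written by one of your own
    relays that records a connection from outside is the real origin; every
    line below an untrusted relay was supplied by the sender and may be forged."""
    trusted = {h.lower() for h in trusted_relays}
    for hop in received_chain(raw_message):
        if hop["by"].lower() not in trusted:
            break                                     # beyond our own evidence
        if hop["from_host"].lower() in trusted:
            continue                                  # internal relay-to-relay hop
        ip = hop["from_ip"]
        if ip and not any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS):
            return ip
    return None


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MESSAGE):
        print(f"{hop['by']:30} <- {hop['from_host']} [{hop['from_ip']}]")
    print("origin:", originating_ip(SAMPLE_MESSAGE, {"inbox.example.org", "mx1.example.org"}))
```

Run as written it prints the four hops and the origin 203.0.113.77, the address mx1.example.org actually accepted the message from; a naive reading of the bottom line would send the complaint to mail.bigbank.example, which never touched the mail. The address it returns is the one to look up with DNS Stuff or Sam Spade as described above. The trusted-relay set is the part you must get right for your own provider: it is the list of hostnames that appear after "by" in the lines your provider adds, and nothing below those lines counts as evidence.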


Mailwasher Pro - An Email Spam Screening Solution
If you use Outlook Express and are getting a lot of spam emails and have outgrown the hopelessly simplistic rules available in that email client, there is a better solution available. Mailwasher Pro to the rescue! Mailwasher Pro (MWP) is a front-end spam filtering program that works with any real email client (not browser-based). I use it every day, all day long, to screen incoming email from 24 POP3 accounts. MWP intercepts all of your incoming POP3 email accounts, if you configure it to do so, then compares each piece to a set of user-defined rules, blacklists, blocklists, a database of known spam and its built-in Bayesian Learning Filter.

You can setup Mailwasher to flag suspected spam for manual deletion and blacklisting of the sender, or let it happen automatically. If you make a mistake there is a recycle bin that lets you restore that email. The program does require a fair amount of user know-how, and has a slightly advanced learning curve, but once you understand it you won't go a day without it. It will definitely make a big dent in the amount of spam that gets delivered to your Inbox! There is a Mailwasher forum at Firetrust.com, where users can ask others for assistance. I happen to know that the Mailwasher programmers hang out in those forums.

You can learn all about this awesome product on my Mailwasher Pro page. It also has a link to a copy of my own custom Mailwasher filter rules, which can be used by anybody to reduce the amount of spam that gets through the default filters.


June 18, 2006

Spybot Search and Destroy Updates

Home - The home of Spybot-S&D!

2006-06-16
Dialer
+ TIBS
Hijacker
+ CoolWWWSearch.Feat2Installer
+ CoolWWWSearch.Service
+ CoolWWWSearch.Feat2DLL
Malware
+ PestTrap
+ Vcodec.eMedia
+ Swizzor (2)
PUPS
+ Hotbar
Security
+ Windows.RedirectedHosts
Spyware
+ 180Solutions.SearchAssistant
Trojan
+ DigiKeygen (18)
+ BraveSentry
+ Win32.Small.kw
+ Win32.Agent.mn
+ Zlob.Downloader
+ Small.cxl
+ Click.AgentHI

Total: 331476 fingerprints in 43336 rules for 2028 products.
Update History

Spybot Search and Destroy Download page - Program and definition updates.

NB: JavaCoolSoftware's SpywareBlaster definitions were updated on June 15, 2006


June 8, 2006

Microsoft Security Bulletin MS06-015 Will NOT Patch Windows 9x or ME

Microsoft Security Bulletin MS06-015: Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)

Affected Software:
< snip >...
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems.

Frequently asked questions (FAQ) related to this security update

If Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) are listed as an affected product, why is Microsoft not issuing security updates for them?
During the development of Windows 2000, significant enhancements were made to the underlying architecture of Windows Explorer. The Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) Windows Explorer architecture is much less robust than the more recent Windows architectures. Due to these fundamental differences, after extensive investigation, Microsoft has found that it is not feasible to make the extensive changes necessary to Windows Explorer on Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) to eliminate the vulnerability. To do so would require reengineering a significant amount of a critical core component of the operating system. After such a reengineering effort, there would be no assurance that applications designed to run on these platforms would continue to operate on the updated system.

Microsoft strongly recommends that customers still using Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) protect those systems by placing them behind a perimeter firewall which is filtering traffic on TCP Port 139. Such a firewall will block attacks attempting to exploit this vulnerability from outside of the firewall, as discussed in the workarounds section below.

Will Microsoft issue security updates for Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) sometime in the future?
Microsoft has extensively investigated an engineering solution for Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME). We have found that these architectures will not support a fix for this issue now or in the future.

If you connect to the Internet with a Windows 98 or ME computer, you will be at risk from past, present and future threats, with no help coming from Microsoft after July 11. Microsoft is discontinuing ALL support and patches for Windows 98, Windows 98 S.E. and Windows M.E., effective on the evening of July 11, 2006.

"Critical security updates will be provided on the Windows Update site through July 11, 2006. Microsoft will not publicly release non-critical security hotfixes for Windows 98, Windows 98 Second Edition, or Windows Millennium Edition."

If you are still using one of those operating systems on a computer that connects to the Internet, you are strongly advised to scrap it and get something up to date, with an operating system that is still supported by Microsoft, or get a new Mac instead. In the meantime, add as much anti-virus, anti-spyware and firewall protection as you can find that will work on your OS, download as many Windows updates as you can, then buy a disk imaging program and make an image of the fresh OS with all patches and security programs in place. Burn that to a CD for use if your OS crashes or gets invaded by a virus, backdoor, trojan, worm or spyware.


Microsoft Security Bulletin Advanced Notification

On 13 June 2006 Microsoft is planning to release:

Security Updates

. Nine Microsoft Security Bulletins affecting Microsoft Windows. The
highest Maximum Severity rating for these is Critical. These updates
will be detectable using the Microsoft Baseline Security Analyzer and
the Enterprise Scan Tool. Some of these updates will require a
restart.

Note that, as discussed in Microsoft Security Bulletin MS06-013, with
the release of one of these bulletins, support for the compatibility
patch discussed in Microsoft Knowledge Base Article 917425 will
cease.

This means that all users who apply this security update will receive
the ActiveX update discussed in Microsoft Knowledge Base Article
912945 regardless of whether or not they have applied the
compatibility patch discussed in Microsoft Knowledge Base Article
917425.

Administrators are encouraged to review the following articles prior
to release and take appropriate steps for their environment:

- Microsoft Security Advisory 912945 - Non-Security Update for
Internet Explorer:
http://www.microsoft.com/technet/security/advisory/912945.mspx

- Microsoft Knowledge Base Article 912945:
http://support.microsoft.com/kb/912945

- Microsoft Knowledge Base Article 917425:
http://support.microsoft.com/kb/917425

- Information for Developers about Internet Explorer:
http://msdn.microsoft.com/ieupdate

. One Microsoft Security Bulletin affecting Microsoft Exchange. The
highest Maximum Severity rating for this is Important. These updates
will be detectable using the Microsoft Baseline Security Analyzer.
These updates may require a restart.

Note that this update will include the functionality change discussed
in Microsoft Knowledge Base Article 912918. Administrators are urged
to review this Knowledge Base article prior to release and take steps
appropriate for their environment.

. Two Microsoft Security Bulletins affecting Microsoft Office. The
highest Maximum Severity rating for these is Critical. These updates
will be detectable using the Microsoft Baseline Security Analyzer.
These updates may require a restart.

Microsoft Windows Malicious Software Removal Tool

. Microsoft will release an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Update, Microsoft Update,
Windows Server Update Services and the Download Center.
Note that this tool will NOT be distributed using Software Update
Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS

- Microsoft will release one NON-SECURITY High-Priority Update for
Windows on Windows Update (WU) and Software Update Services (SUS).

- Microsoft will release two NON-SECURITY High-Priority Updates on
Microsoft Update (MU) and Windows Server Update Services (WSUS).

Microsoft will host a webcast next week to address customer questions
on these bulletins. For more information on this webcast please see
below:
- TechNet Webcast: Information about Microsoft's Security Bulletins
(Level 100)
- Wednesday, 14 June 2006 11:00 AM (GMT-08:00) Pacific Time (US &
Canada)

Support:
========
Technical support is available from Microsoft Product Support
Services at 1-866-PC SAFETY (1-866-727-2338). There is no
charge for support calls associated with security updates.
International customers can get support from their local Microsoft
subsidiaries. Phone numbers for international support can be found
at: http://support.microsoft.com/common/international.aspx


June 6, 2006

Microsoft CEO spends two days trying to clean Windows PC malware

"Microsoft executives love telling stories against each other. Here's
one that platforms vice-president Jim Allchin told at a recent Windows
Vista reviewers conference about chief executive Steve Ballmer," David
Frith reports for Australian IT. "It seems Steve was at a friend's
wedding reception when the bride's father complained that his PC had
slowed to a crawl and would Steve mind taking a look."

"Allchin says Ballmer, the world's 13th wealthiest man with a fortune
of about $18 billion, spent almost two days trying to rid the PC of
worms, viruses, spyware, malware and severe fragmentation without
success," Frith reports. "He lumped the thing back to Microsoft's
headquarters and turned it over to a team of top engineers, who spent
several days on the machine, finding it infected with more than 100
pieces of malware, some of which were nearly impossible to eradicate."

Frith reports, "Among the problems was a program that automatically
disabled any antivirus software. 'This really opened our eyes to what
goes on in the real world,' Allchin told the audience. If the man at
the top and a team of Microsoft's best engineers faced defeat, what
chance do ordinary punters have of keeping their Windows PCs virus-free?"

Full article is here


June 1, 2006

How to control the downloading of email attachments or other harmful content in Outlook Express

I am frequently asked about securing the Outlook Express email client. One of the recurring questions is "why can't I receive file attachments in my email?"

Answer:
The default security setting for Outlook Express is to block file attachments. To allow attachments to be downloaded and opened, click the "Tools" menu, then Options > Security, and UNCHECK the option labeled "Do not allow attachments to be saved or opened that could potentially be a virus."

What do the other security options control and what effect do they have on my email capabilities?

Virus Protection

"Select the Internet Explorer security zone to use:"

I would recommend selecting the radio option to use the Restricted sites zone (More secure), as it will disable some common exploit code used by viruses and spyware distributors. By reading email in the Restricted sites zone you prevent tracking cookies from loading and JavaScript from running, and cloaked links to phishing sites reveal their true destination when you hover the mouse over them.

"Warn me when other applications try to send email as me." This will alert you if a worm gets onto your computer and starts sending out mass spam or virus-infected emails that appear to come from you. While this won't catch more sophisticated email-sending exploits (those using their own SMTP engine), it may stop some exploits from going out with your return address in them. Always select this option.

Download Images:

"Block images and other external content in HTML e-mail."

If you select this option you will not be able to view images in your email. It also prevents tracking gifs, sound files, and flash ads from loading when you open an email. This pretty much cripples 80% of the email you may want to receive, in return for blocking images and tracking gifs in a small percentage of unsolicited commercial email (spam). I personally do not check this option.

The other options only apply to people who maintain digital ID certificates and apply them when sending or receiving messages. Most of us don't use any of those options.

After you have checked or unchecked your desired settings click Apply to save them, then OK to close the options window.

You can further secure Outlook Express against security exploits by TURNING OFF the PREVIEW PANE. To do this, with Outlook Express open, go to VIEW > LAYOUT > PREVIEW PANE, and UNCHECK "Show preview pane." Click Apply to save, then OK to exit.

The impact of this selection is that all email will appear in a list from top to bottom, showing just the From, Subject, and other fields you have chosen to view, but not the contents of any messages. To open an email you must double-click on it in the list. This tiny inconvenience helps protect you against code exploits that are not otherwise covered by the other security settings. I strongly recommend turning off the preview pane in Outlook Express!

If you haven't already done so, get a decent anti-virus program that scans incoming and outgoing emails for viruses and other embedded or attached threats. If you can't afford to purchase a commercial program there are plenty of decent free ones available for downloading. I personally use AVG Free, not because I can't afford a commercial program, but because of its relatively small impact on system resources (called a small footprint in geek talk). You can download the current version from http://free.grisoft.com. AVG Free can be set to automatically check for and apply updates in certain 2-hour time frames. If you are always online at a certain time of the day or night, set it to check for updates after you first go online. You can also check manually by right-clicking on the AVG System Tray Icon and selecting Check For Updates.
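The three settings above each guard against a different kind of content, and a single message can carry all of them. As an added example that is not part of the original post, this Python script parses a constructed sample message and reports the attachment the default "could potentially be a virus" rule blocks, the external images the Download Images option blocks, and the cloaked link whose true destination the Restricted sites zone reveals; the sample message, the host names and the RISKY_EXT list are assumptions for illustration only.

```python
import email
import re
from email import policy

# Constructed sample (not a real message): HTML body with a tracking pixel, a link
# whose visible text hides its real destination, and a double-extension attachment.
SAMPLE_EML = b"""From: sender@example.invalid
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Verify at <a href="http://203.0.113.5/login">http://www.example.com</a></p>
<img src="http://tracker.example.invalid/pixel.gif" width="1" height="1">
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")  # assumed list
# Simplified tag matching for the demo; a production scanner should use an HTML parser.
EXTERNAL_RE = re.compile(r'<(?:img|script|iframe|object)\b[^>]*\bsrc="([^"]+)"', re.I)
LINK_RE = re.compile(r'<a\b[^>]*\bhref="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(url):
    return re.sub(r"^https?://", "", url.strip(), flags=re.I).split("/")[0].lower()

def analyze(raw):
    """Report what each Outlook Express option above would have to block for this message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"attachments": [], "external": [], "cloaked_links": []}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            # (filename, whether its extension is one the attachment-blocking rule targets)
            report["attachments"].append((name, name.lower().endswith(RISKY_EXT)))
        elif part.get_content_type() == "text/html":
            html = part.get_content()
            # images/scripts fetched from the network as soon as the message is rendered
            report["external"] += EXTERNAL_RE.findall(html)
            for href, text in LINK_RE.findall(html):
                # visible text that looks like a URL but leads elsewhere is a cloaked link
                if re.match(r"(?i)(https?://|www\.)", text) and _host(text) != _host(href):
                    report["cloaked_links"].append((text.strip(), href))
    return report

print(analyze(SAMPLE_EML))
```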

About the author

Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.


This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.