Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
A threat to common “.dll” files hits many apps
In this issue
- TOP STORY: A threat to common ".dll" files hits many apps
- LOUNGE LIFE: Untimely USB drive disconnect causes data loss
- WACKY WEB WEEK: Household clothes-washer meets garden brick
- BONUS: Get a free jump-start on using Windows 7
- LANGALIST PLUS: Recover from a disastrous hard-drive crash
- BEST HARDWARE: Spectrum-analysis tools cure Wi-Fi headaches
- PERIMETER SCAN: Bug-counting is a false measure of security
A threat to common ".dll" files hits many apps
By Susan Bradley
Microsoft’s latest Security advisory on .dll-file vulnerabilities reveals a whole new chapter of Internet security troubles — and raises many more questions than it gives answers.
Many popular applications may be targets of this new threat, and there’s no single patch that will fix it.
The public disclosure of this new threat from DLL (dynamic link library) files started with a recent Apple iTunes patch. A security firm discovered that iTunes could load DLLs from locations its developers never intended. (DLL files are used extensively by Windows and Windows apps. For more details on what these files do, see the MS Support article, “What is a DLL?”) iTunes inadvertently loaded a DLL from a shared drive on a network — not from the app folder it was supposed to use. This little flaw prompted Apple security update HT4105.
Researchers soon discovered that dozens of other Windows applications, such as Adobe Photoshop CS2 and MS Word 2007, had the same vulnerability. On August 23, Microsoft released Security Advisory 2269637, which gave details about the flaw. When you read the description, you’re left with the impression that it all comes down to sloppy programming.
How to measure your level of exposure
The wide-ranging nature of this threat makes evaluating your level of exposure difficult. There is a test you can run on your systems, but it’s not for the faint of heart. Here’s what to do:
- Go to Microsoft’s Process Explorer page and download the app. Extract it in a new folder on your computer.
- On Metasploit’s DLLHijackAuditKit page, download this tool to the same folder on your PC.
- If you are running Vista or Windows 7, right-click on 01_StartAudit.bat and select Run as administrator. (If you’re using XP, just double-click the file to run it.) Let the auditing program walk through all the registered file types on your computer. (This might take some time.) When the script is completed, save the resulting processmonitor file as logfile.csv in the same folder containing 01_StartAudit.bat.
- Now launch 02_Analyze.bat and have it analyze the results.
If you would rather not go through that process, a list of vulnerable applications is being compiled on Peter Van Eeckhoutte’s blog site.
Another Website, Exploit-db.com, is currently the best source for information on what applications may be vulnerable. The Exploit-db folks are accumulating a master database of recent, known exploits — though it’s harder to interpret than Van Eeckhoutte’s site. The list of potentially vulnerable programs submitted to Exploit-db.com includes such mainstays as Windows Live Mail, Windows Movie Maker, Microsoft PowerPoint 2007 and 2010, Firefox 3.6.8, Foxit Reader, Wireshark, and uTorrent.
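To read the saved log yourself, the following PowerShell example (added here; it is not part of the audit kit or of the original column) lists the DLL lookups that reached the audit folder or a network share. It assumes logfile.csv is a Process Monitor CSV export with the default columns; the folder C:\Audit, the process names, and the sample rows are constructed for illustration.

```powershell
# Added example: triage a Process Monitor CSV export for DLL lookups that
# reached the working directory or a network share.
# Assumptions: default Procmon CSV columns; C:\Audit is a hypothetical folder
# from which the test documents were opened. Requires PowerShell 3.0 or later.

function Find-CwdDllLookup {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,    # rows from Import-Csv
        [Parameter(Mandatory = $true)] [string]   $AuditDir   # folder the documents were opened from
    )
    $cwd = $AuditDir.TrimEnd('\')
    $fileOps = 'CreateFile', 'QueryOpen'

    $hits = foreach ($e in $Events) {
        if ($fileOps -notcontains $e.Operation) { continue }
        if ($e.Path -notlike '*.dll') { continue }

        $isUnc = $e.Path.StartsWith('\\')
        $inCwd = [System.IO.Path]::GetDirectoryName($e.Path) -eq $cwd
        if (-not ($isUnc -or $inCwd)) { continue }

        [pscustomobject]@{
            Process  = $e.'Process Name'
            Dll      = [System.IO.Path]::GetFileName($e.Path)
            Location = if ($isUnc) { 'network share' } else { 'working directory' }
            Result   = $e.Result    # NAME NOT FOUND = looked for but absent; SUCCESS = found there
        }
    }
    # One row per process/DLL/location, however often the lookup repeated.
    $hits | Sort-Object Process, Dll, Location -Unique
}

# Constructed sample rows in the default Procmon CSV layout.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","exampleviewer.exe","4120","CreateFile","C:\Program Files\ExampleViewer\render.dll","SUCCESS","Desired Access: Read"
"10:01:02.2","exampleviewer.exe","4120","CreateFile","C:\Windows\System32\plugin32.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.3","exampleviewer.exe","4120","CreateFile","C:\Audit\plugin32.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:05.0","exampleplayer.exe","5200","QueryOpen","\\fileserver\media\codec9.dll","NAME NOT FOUND",""
"10:01:06.0","exampleplayer.exe","5200","CreateFile","C:\Audit\song.mp3","SUCCESS","Desired Access: Read"
'@

$events = $sampleCsv | ConvertFrom-Csv
# For a real run: $events = Import-Csv .\logfile.csv
Find-CwdDllLookup -Events $events -AuditDir 'C:\Audit' | Format-Table -AutoSize
```

With the sample rows, the report lists exampleviewer.exe (plugin32.dll, working directory) and exampleplayer.exe (codec9.dll, network share). A listed lookup is a candidate to raise with the vendor, not proof that the application is vulnerable.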
Tips for managing DLL vulnerabilities
What? Another round of vulnerabilities? Before you shut down your computer and dive under the covers, never to touch your machines again, take a few moments to understand what we’re facing and what our options are. As a small-business owner, I know the success of my business depends on making the right security decisions.
Based on my reading and testing, thus far, simply downloading patches to fix the problem might break some of my critical business applications. If you use the DLL patch process offered by Microsoft in MS Security Advisory 2264107 (more on that below), do so on a separate test PC first and then look for problems with your apps. If you do run into a problem, look for updates for your software and consider disabling WebClient Service, if possible (discussed below).
Security expert HD Moore has two DLL-fix recommendations in his blog, but home users may find them difficult to implement.
First, check that your local firewall is preventing outbound Server Message Block (SMB) file processes. To do this, see whether the local firewall lets you block traffic through ports 135 and 445. But be careful: if you have a peer-to-peer home-network environment, you may need these ports.
Another method is to check your DSL- or cable company–supplied router’s firewall settings. See whether you can adjust it to specifically block ports 135–139 and port 445. On my Linksys router, the port-filtering section lets me control up to five different ranges of ports, as shown in Figure 1.
Figure 1. Linksys home-router port-filter controls (circled in yellow) let you manage traffic on as many as five port ranges.
I have far less control on an AT&T 2Wire modem I use. After I unchecked the Allow all protocols box under Inbound and Outbound Control and then selected the specific outbound connectivity I wanted (see Figure 2), I could no longer securely send my POP e-mail user name and password.
(Checking the POP3 box allowed unsecured e-mail information to pass through port 110. I prefer to use port 995 for secure e-mail transfers, but the 2Wire controls do not allow that level of control.)
I’ll keep looking for a solution for that particular modem, but I may end up buying a Linksys to put in front of it.
Figure 2. AT&T’s 2Wire modem lets you control inbound and outbound traffic by specific protocols but not by port number.
Moore’s second recommendation is to disable the WebClient Service, which will then block the WebDAV vulnerability. (WebClient lets Windows apps create, access, and change Web-based files.) But this, too, should be done with caution — it might disable services such as SkyDrive and JungleDisk. To turn off WebClient, go into Control Panel, Administrative Tools, and then Services. Scroll toward the bottom and click WebClient. In the WebClient control window, find Startup type and select Disabled. (See Figure 3.)
Figure 3. WebClient Services can be disabled by going to the Administration Tools within Windows and selecting WebClient.
Microsoft offers Registry patch for DLL control
If you want to test Microsoft’s DLL-blocking solution, go to MS Support article 2264107 and scroll down to the Update Information subsection and find the update for your specific platform. Install it and reboot your computer.
Now you’re ready for step two: go to the Fix it for me subsection in article 2264107 and click the Fix it button. Clicking the button automatically creates a Registry entry that blocks “nonsecure DLL loads from WebDAV and SMB locations.”
Should one of your applications stop working after the fix, you can try the following tweak to the Registry:
- Click Start and Run, then type in regedit and click OK or hit the Enter key. Scroll down the Registry list to HKEY_LOCAL_MACHINE and expand the tree below it.
- Now, navigate down the tree through SYSTEM, CurrentControlSet, Control, and Session Manager (circled in yellow in Figure 4).
- Click on Session Manager and look for CWDIllegalInDllSearch in the list to the right (also circled in yellow in Figure 4). Double-click it.
- In the Edit DWORD Value window that pops up, change the Value data from 2 to 1 and try again. If you still have problems with an app, change it to 0 and push that vendor to fix their application.
Figure 4. If you use Microsoft’s DLL fix and some apps stop working, you may be able to get them running again by tweaking the Registry.
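The three settings discussed in this column (the outbound port blocks, the WebClient service, and the CWDIllegalInDllSearch value) can be read back with the following PowerShell example, which is added here and is not from the column or from Microsoft. It changes nothing, assumes Windows PowerShell 3.0 or later and the built-in Windows Firewall (a router's filter is not visible to it), and takes the meaning of each value from MS Support article 2264107; the function names are its own.

```powershell
# Added example: read-only report of the mitigations discussed in this column.
$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-CwdDllSearchSetting {
    # The value only has an effect once the update from article 2264107 is installed.
    $prop = Get-ItemProperty -Path $SessionManagerKey -Name CWDIllegalInDllSearch `
                             -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Value = $null; Meaning = 'not set: default DLL search order, nothing blocked' }
    }
    # Normalize to an unsigned 32-bit number so 0xFFFFFFFF compares correctly.
    $value = [int64]$prop.CWDIllegalInDllSearch -band 4294967295
    $meaning = switch ($value) {
        0          { 'default DLL search order, nothing blocked' }
        1          { 'blocks DLL loads from the working directory when it is a WebDAV folder' }
        2          { 'blocks DLL loads from the working directory when it is remote (WebDAV or SMB/UNC)' }
        4294967295 { 'working directory removed from the DLL search order entirely' }
        default    { 'value not listed in article 2264107' }
    }
    [pscustomobject]@{ Value = $value; Meaning = $meaning }
}

function Get-WebClientState {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) { return 'service not installed' }
    '{0} (startup type: {1})' -f $svc.State, $svc.StartMode
}

function Test-PortSpec([string]$Spec, [int]$Port) {
    # $Spec is a firewall port list such as "135-139,445" or "*".
    foreach ($part in ($Spec -split ',')) {
        $part = $part.Trim()
        if ($part -eq '*') { return $true }
        $lo, $hi = $part -split '-'
        if (-not $hi) { $hi = $lo }
        if ($lo -match '^\d+$' -and $hi -match '^\d+$' -and
            $Port -ge [int]$lo -and $Port -le [int]$hi) { return $true }
    }
    $false
}

function Get-OutboundBlockCoverage([int[]]$Ports = @(135, 139, 445)) {
    # Enabled outbound block rules for TCP (6) or any protocol (256).
    # Direction 2 = outbound, Action 0 = block.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $blocks = @($policy.Rules | Where-Object {
        $_.Enabled -and $_.Direction -eq 2 -and $_.Action -eq 0 -and $_.Protocol -in 6, 256
    })
    foreach ($port in $Ports) {
        $rules = @($blocks | Where-Object {
            $_.Protocol -eq 256 -or (Test-PortSpec $_.RemotePorts $port)
        })
        # A rule scoped to one program or address range still counts here; review those by name.
        [pscustomobject]@{
            Port            = $port
            BlockedOutbound = ($rules.Count -gt 0)
            Rules           = ($rules | ForEach-Object Name) -join '; '
        }
    }
}

Get-CwdDllSearchSetting | Format-List
"WebClient: $(Get-WebClientState)"
Get-OutboundBlockCoverage | Format-Table -AutoSize
```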
So far, my tests with the Metasploit tool have yielded different results between 32-bit and 64-bit machines. I’ve also found that PowerPoint 2007 and 2010 are consistently listed as being vulnerable. Although an Aug. 31 Microsoft Security Research & Defense blog states that DLL attacks are unlikely to work on files sent by e-mail, I’m still telling my father not to open those PowerPoint files he and his friends love to e-mail around.
For now, block those outbound ports, don’t open up files unless you were expecting them, and be prepared to see your software vendors pushing out patches. And if they don’t, send them an e-mail and ask them why they aren’t updating their software for this problem.
After going through all this, I feel like paraphrasing Franklin D. Roosevelt’s World War II words of wisdom: We only have fear right now, and not a lot of solid answers in this DLL mess.
Have more info on this subject? Post your tip in the WS Columns forum.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley has been named an MVP (Most Valuable Professional) by Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Untimely USB drive disconnect causes data loss
By Keely Dolan
Even the most conscientious PC users disconnect their USB devices before it’s “safe” to do so.
Accidents happen — a hand reaching for a cup of coffee knocks out the USB cord connecting an external drive, and critical data get lost. It could even cause hardware damage.
Lounge member jshaw42 inquires about this problem in his thread titled “Disconnected USB device before ‘safely’ removed.” Helpful Loungers respond in turn, offering recommendations on software-recovery programs and minimizing the damage to valuable files.
The Lounge Life column is a digest of the best of the WS Lounge discussion board. Keely Dolan is a Windows Secrets Lounge administrator.
Household clothes-washer meets garden brick
By Keely Dolan
Have you ever had one of those days where the bricks in your patio just won’t get clean, despite vigorous scrubbing? How about tossing those dirty bricks into the washing machine? In one of those “Gee, I wonder what would happen if …” scenarios, this amusing video graphically illustrates what happens when a common clothes-washing machine meets items its designers never intended it to clean.
Get a free jump-start on using Windows 7
We like to give our loyal subscribers a little something extra when we can.
This month, every Windows Secrets subscriber can download a one-chapter excerpt from Windows 7: The Missing Manual by David Pogue.
Pogue’s invaluable book provides essential information you’ll need to make the most of Windows 7. It covers topics such as navigating the desktop, using Windows apps and gadgets, and even backing up your files.
Exclusively for Windows Secrets subscribers, O’Reilly Media is providing — free — Chapter 3, Searching and Organizing your Files. It delves into topics such as Windows Search, icons, moving and copying files, and burning CDs and DVDs from the desktop.
Recover from a disastrous hard-drive crash
By Fred Langa
Losing Windows’ file names can be almost as bad as losing the files themselves. Getting all your data back the way it was may be possible, but it’ll take some serious digging.
Files recovered but given meaningless names
Lynn Tait’s PC suffered a severe drive breakdown:
- “I recently had two hard-drive failures, both slave and master. My files were recovered but all my photos now have new names like file00000123. Photoshop won’t open them — doesn’t recognize the format.
“The metadata in Bridge shows the real file name under original and/or preserved file name. How do I get my old file names back or at least have them recognized by Photoshop and Lightroom?”
Ouch! That must have been some crash!
You may be able to recover the names, but I’m sorry to say it probably won’t be easy. If the names had been easily recoverable, the file-recovery process most likely would have found and used them.
I also wonder about the integrity of the “recovered” files. If the files were indeed fully recovered, a tool such as Photoshop should be able to open them, even with a changed name. I suspect more got mangled in the crash than may be immediately apparent.
Hopefully, with a little more detective work you’ll find the path to a solution:
First, try explicitly renaming one of your mangled files. For example, rename file00000123 to test1.jpg. Then try opening the file with your normal photo-editing tools.
No luck? Try a general-purpose image viewing/conversion tool. Because these tools are meant to handle almost any kind of image file, they may be a lot less fussy about the original file formats than high-end, precision photo-manipulation tools.
For example, a tool such as the free-to-try, U.S. $49-to-buy Image Converter Plus (download page) claims to support over 800 image file types and variants. If your saved files are in a format approximating any one of those 800 types, this tool should be able to open them.
Other sites offer free tools; for example, Online Image Converter, ImageMagick, and the venerable IrfanView all recognize a wide range of image types.
If you can find any software that can open your test file, you’ll probably be able to open all the damaged files and save them with new names in whatever format you want. The newly saved files should now open in other, more-exacting software.
As for recovering the lost names, a tool like Quick File Rename (info site) might do the trick. The app is free to try or €37.84 (U.S. $48) to buy. Otherwise, a skillful programmer could probably write you a script to mine whatever metadata is available and use it to rename the associated files. But I wouldn’t want to try writing that script myself: It’s beyond anything I could cobble together on my own in a reasonable amount of time.
As a last resort, you could use a low-level, hard-drive-analysis tool called a hex(adecimal) editor or sector editor to examine the files (literally byte by byte) to see what information might be in there. You also can use hex editors to rename or repair unopenable files.
But I have to warn you: using a hex editor is a very slow, difficult, and laborious process. So it may best be left to data-recovery professionals.
If you still want to give it a shot after that warning, the Freeware Hex Editor XVI32 (info page) is excellent and works fine on Windows 7.
But with luck, a non-fussy image-manipulation tool will get your files opened and resaved with usable names and formats.
And if I may climb on a soapbox for a moment: this is one of the reasons it’s important not only to have backups but to store them on CDs or DVDs away from your PC, where they’re immune to PC-based trouble.
Should you defrag a solid-state drive (SSD)?
Questions about drive defragmentation just keep coming. Rob Schneider’s is short and to the point:
- “Does defragging the new solid-state hard drives have any benefit?”
Probably not. The main benefit of defragging is the reduction of the time required to mechanically reposition the drive heads as they seek different pieces of a given file.
SSDs have no moving mechanical components, so there’s no real benefit to re-ordering the files.
Moreover, making unnecessary writes to an SSD can actually shorten the life of the most-used memory cells. For more info, see my Jan. 7, 2010, item, “Windows, solid-state disks, and ‘trim’.”
So, if you’re one of the small (but growing) number of people with an SSD, I’d suggest not defragging.
Diagnosing strange .exe start-up files
Bruce Taylor has two mysterious files that always want to run at startup.
- “I wonder if you could please help me get rid of two files — igfxpers.exe and hkcmd.exe. Both files appear separately at the time of start-up, and I have to click on Cancel to get rid of them.”
Your question touches on two separate issues, Bruce. One is identifying the mystery files; the other is getting them out of your start-up process.
A few minutes with your favorite search engine, using an exact file name as the search term, will almost always turn up information about what the file is, who made it, and what it does.
For example, searching on igfxpers.exe will show you that the file is the “Intel Common User Interface Module” often installed on systems with Intel-based graphics chips. It’s part of the system tray software that allows you to quickly access and change graphics settings such as resolution and refresh rate.
Likewise, a quick search shows that hkcmd.exe is part of Intel’s configuration and diagnostic software for their multimedia devices.
Normally, these tools launch at start-up without user intervention. In your case, they’re not working properly. Even if they were working, these tools are optional; it’s perfectly OK to use Windows’ built-in means of changing graphics settings. So feel free to uninstall the Intel tools if you wish.
You can uninstall them in the normal manner. Open Control Panel, then Add or Remove Programs; select any graphics-related software that shows Intel as the manufacturer. Click Uninstall. The software will be gone and won’t interfere with your start-up any longer.
Those steps almost always work, especially for software components from major vendors such as Intel. But sometimes you may run into mystery files with no obvious provenance or files that don’t show up in Control Panel or are otherwise hard to get at. And that brings us to my next item.
More strange startup files — mystery .dlls
Terry Dunn’s problem might seem identical to the problem above, but it’s emphatically not.
- “I get messages on my PC every time I boot the system. The messages say I’m missing lprontl.dll and iqosigegobeyeyo.dll.
“I’m very suspicious of this because I can’t find them on the Internet anywhere, and I don’t know what they do. I suspect that they are part of a virus program that I recently encountered on my PC.”
Like you, Terry, I could find nothing online about these files. And like you, I suspect malware.
Some cleverly written malicious software disguises itself with randomly-generated filenames. Because no two infected machines will show the same filenames, the malware is harder to identify and remove.
In your specific case, you may have removed most of the malware when you cleaned up your system’s infection, but something still remains that’s calling for the — perhaps now-removed — randomly named files. Here’s what to do:
First, use Windows Search or another search tool to make sure that lprontl.dll and iqosigegobeyeyo.dll are not on your system.
Next, run several different anti-malware scans, one after another, to make sure your system is truly malware-free. Three free sites to try are: McAfee’s Freescan, Trendmicro’s HouseCall, and Symantec’s Security Check.
When all scans agree that your PC is clean, and if the file-missing messages still appear at start-up, Windows’ System Configuration utility can help. It’s called MSCONFIG and is included in all versions of Windows. The XP version is shown in Figure 1.
Figure 1. Windows’ built-in MSCONFIG utility gives you fine control over what goes on during start-up.
Use MSCONFIG to selectively and temporarily disable start-up-related software, one at a time. When you’ve disabled the component that’s calling for lprontl.dll and iqosigegobeyeyo.dll, the start-up error messages relating to those files will go away. You can then permanently remove the offending software by uninstalling it or simply by deleting its files.
Microsoft offers a thorough MSCONFIG how-to in MS Support article 310560, “How to troubleshoot configuration errors by using the System Configuration utility in Windows XP.” Scroll down the page to Advanced troubleshooting and follow the steps under Selective startup.
Other versions of MSCONFIG work almost identically to XP’s; the same basic process can be used to control the startup software in any version of Windows!
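As a quicker first pass than disabling items one at a time, the PowerShell example below (added here, not part of the original column) searches a list of start-up entries for any command line that still names one of the missing files. It assumes Windows PowerShell 3.0 or later; the function name and the sample entries are constructed, and on a live system the entries would come from Get-CimInstance Win32_StartupCommand, which does not cover services or scheduled tasks.

```powershell
# Added example: locate the start-up entry that still refers to a missing file.
# The two DLL names are the ones from the reader's error messages; the
# function name and sample entries are constructed for illustration.

function Find-StartupReference {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Entries,     # objects with Name, Location, Command
        [Parameter(Mandatory = $true)] [string[]] $FileNames    # file names from the error messages
    )
    foreach ($entry in $Entries) {
        $command = [string]$entry.Command
        foreach ($file in $FileNames) {
            # Plain substring match, ignoring case; no wildcard interpretation.
            if ($command.IndexOf($file, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{
                    File     = $file
                    Entry    = $entry.Name
                    Location = $entry.Location
                    Command  = $command
                }
            }
        }
    }
}

# Constructed sample in the shape returned by Get-CimInstance Win32_StartupCommand.
$sampleEntries = @(
    [pscustomobject]@{
        Name     = 'ExampleTray'
        Location = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        Command  = 'C:\Program Files\Example\tray.exe'
    }
    [pscustomobject]@{
        Name     = 'ExampleLoader'
        Location = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        Command  = 'rundll32.exe "C:\Windows\lprontl.dll",Startup'
    }
    [pscustomobject]@{
        Name     = 'ExampleHelper'
        Location = 'Startup'
        Command  = 'rundll32.exe C:\Users\Public\IQOSIGEGOBEYEYO.DLL,Run'
    }
)

# For a real run: $entries = Get-CimInstance -ClassName Win32_StartupCommand
Find-StartupReference -Entries $sampleEntries -FileNames 'lprontl.dll', 'iqosigegobeyeyo.dll' |
    Format-List
```

With the sample data, ExampleLoader and ExampleHelper are reported along with the location each was registered in, which is the item to disable in MSCONFIG or remove.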
Have more info on this subject? Post your tip in the WS Columns forum.
Fred Langa is a senior editor of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.
Spectrum-analysis tools cure Wi-Fi headaches
By Becky Waring
If you’re suffering from poor Wi-Fi performance, dropouts, or dead zones despite having the latest and greatest router, it’s time to check your airwaves. Metageek’s inexpensive Wi-Spy spectrum analyzers will root out rogue access points, interfering neighbors, cordless phones, and more — giving you back control over your Wi-Fi net.
So many channels, but still no place to go
There are 11 channels in the 2.4GHz Wi-Fi spectrum (up to 14 outside the U.S.) and a whopping 23 in the 5GHz band. Moreover, most newer routers automatically choose by default the best available channel. So why do we still have so many Wi-Fi problems?
Ask Steve Jobs — his keynote iPhone 4 demonstration (reported in a June 7 InfoWorld story) failed epically due to interference from the hundreds of Novatel MiFis and similar portable wireless access points in the audience. The problem is simply too many devices fighting for too little bandwidth.
Of the 11 channels available in the most-commonly used spectrum — 2.4GHz — only three (1, 6, and 11) are non-overlapping; they don’t interfere with each other when used simultaneously. Fire up your laptop and look at the list of Wi-Fi networks within range. When was the last time you saw only three or fewer SSIDs (network names) listed?
In my Berkeley house, which has only one neighbor within 20 feet in any direction (most are 30 to 40 feet away), I typically see 11 to 15 SSIDs in my Wi-Fi network list. Most have very weak signals that I probably couldn’t connect to with any reliability — which means they probably don’t interfere much. But at least three have usable signal strength, sufficient to actively compete with my access point.
The obvious solution is to move to the 5GHz band, which has more channels and far-fewer occupants. But this band can have coverage problems: its higher frequency needs more power to cover a given area, and most 5GHz routers don’t deliver those extra watts. And because many wireless clients (notebooks, wireless printers, and so forth) have only 2.4GHz transceivers, you’ll end up with a dual-band router anyway.
To help you choose the clearest channel in either band, network scanners such as Metageek’s free inSSIDer software (see Figure 1) can show which channels are taken by nearby routers, as well as the routers’ relative signal strengths. InSSIDer (information page) is the best free tool out there by far, and it provides a valuable grade that measures network quality over time.
Figure 1. InSSIDer shows a list of nearby Wi-Fi networks, plotting their channels and signal strengths on a graph in the lower-right corner of the window. This figure shows many nets competing for channel 1 — and only a couple of nets using channels 6 and 11.
That’s fine if all you had to worry about was competing routers. But in the real world, many other devices use the 2.4GHz and 5GHz bands: cordless phones, Bluetooth devices, wireless speakers, baby monitors, remote control cars, car alarms, microwave ovens, wireless video, and surveillance systems come to mind. None of these devices is revealed by your Wi-Fi adapter or scanning tools such as inSSIDer. For a complete survey of competing radio activity, you need to add an additional piece of hardware.
Get spectrum analysis at a bargain price
To fully troubleshoot Wi-Fi issues caused by non–Wi-Fi sources, you need a radio-spectrum analyzer — a device typically associated with scientists, radio geeks, and network administrators and costing U.S. $2,000 and up. These enterprise-level analyzers come from companies such as Fluke Networks, Cisco Systems, and Berkeley Varitronics, and they’re designed for organizations with really big Wi-Fi networks: hotels, university campuses, office complexes, convention centers, and the like. As you might suspect, the complexity of these tools matches their price.
At its heart, however, spectrum analysis is pretty straightforward. In small-network settings, all you really need for troubleshooting is a picture of what signals are bouncing around your home or office, plotted by frequency and amplitude (strength). This information will let you identify and locate radio sources so you can understand what’s affecting your wireless network.
This is exactly what Metageek’s Wi-Spy USB dongles (info page) are designed to do. These low-cost devices, shown in Figure 2, put spectrum-analysis tools into the hands of anyone with a more-earthly budget of $99 to $599 and the ability to read a graph. Although the first Wi-Spy came out in 2006, it was crude compared to today’s offerings, which now include 5GHz support and far-more advanced software.
The current product line has three models, the $99 Wi-Spy 2.4i, the $199 Wi-Spy 2.4x, and the $599 Wi-Spy DBx. (The 2.4i and DBx are shown in Figure 2.) The 2.4x and DBx add finer signal resolution and an external antenna for better reception. The DBx model also adds 5GHz support.
Figure 2. The Wi-Spy 2.4i and Wi-Spy DBx. The DBx adds 5GHz support and an external antenna for better reception.
Although I tested the top-of-the-line Wi-Spy DBx, most small-network troubleshooters can get by for now with the 2.4x model (or even the 2.4i, if you’re on a tight budget). At this time, there are just not that many products competing for the 5GHz band — the 2.4x gives you the most bang for your buck. These are the only spectrum analyzers in this price range that I know of.
Metageek’s secret sauce? Its software
Although the Wi-Spys are excellent devices, it’s the Chanalyzer software that makes them sing. Windows automatically installed the Wi-Spy DBx when I plugged the device into my PC. I then installed and fired up Chanalyzer 4 to see what creatures lurked in the 2.4GHz band.
Chanalyzer 4 (info page) is new and is included with both the Wi-Spy 2.4x and DBx. The low-end Wi-Spy 2.4i comes with the more-limited Chanalyzer Lite (info page).
For network troubleshooters who need more-extensive analysis tools, Metageek offers its $499 Chanalyzer Pro software. It adds features which can help you identify conflicting devices and track them down.
Chanalyzer has three graphical views, as shown in Figure 3:
- Topographic. This view, shown at the top of Figure 3, is the main graph of spectral activity. It plots the signal strength (amplitude) of radio activity on the vertical axis against frequency along the horizontal axis. Wi-Fi channels 1–11 are also labeled along this axis. The more activity recorded over time for a given frequency, the brighter the colors get; the longer you let the program run, the more densely filled the graph becomes.
- Planar. The planar view can be plotted on top of the topographic data or separately. It shows single lines representing the average, maximum, and real-time values of frequency versus amplitude. This instantaneous view is great for troubleshooting when viewed together with the historical data.
- Spectral. This view, shown in the middle of the screen, plots activity across the entire frequency band (2.4 or 5GHz) against time on the vertical axis, using color to indicate relative signal strength. The plot moves downward in a waterfall as time passes. A burst of activity manifests itself as brighter colors (representing, for example, the downloading of a file from the Web). Background levels of activity are also displayed. Using this view, you can easily see the effect of turning radio sources, such as a cordless phone or microwave, on and off.
Figure 3. The Chanalyzer 4 software showing all three views: topographic, planar, and spectral.
You can run the scans for hours or even days and record the results for later playback and study. When troubleshooting a problematic site, you want at least 24 hours of activity as a baseline.
In my location, two things became evident as I started scanning. First, there were several competing networks around channel 1 (which I also saw by using inSSIDer). Second, there was a mysterious spike to the left of channel 1 (more visible when we zoomed in on the graph). Using Metageek’s handy library of spectral signatures, I easily identified it as a cordless phone. (You can upload your own spectral recordings to share with other users.)
Figure 4. Some common spectral signatures: a Wi-Fi access point, a microwave oven (wow!), a cordless phone, and a wireless video system.
Sure enough, when I checked with my neighbors, they had a 2.4GHz cordless-phone system. I would never have discovered this if not for Wi-Spy. (Cordless phone users can change channels easily, which can make them hard to pin down over time. One solution is to ditch the 2.4GHz models for those using DECT 6.0, which operates at 1.9GHz.)
One of the coolest new features in Chanalyzer 4 is the ability to overlay Wi-Fi network information on the topographic view and to see a list of networks below the graphs. Essentially, the functions of inSSIDer are now built into Chanalyzer, making problems easier to diagnose and report.
Figure 5. You can now toggle Wi-Fi network labels on and off in Chanalyzer 4’s topographic view.
Use Wi-Spy to map your network landscape
Another great way to use Chanalyzer is to walk around a room or house with it and see how things change on the graphs. You can find dead zones, locate devices that might be unexpected sources of interference, and find the best physical location for your router.
One of my favorite Wi-Fi stories is about the Berkeley professor who kept her router in the living room, on a low stand just behind her TV. It also happened to be next to a wall, behind which were the kitchen sink and granite countertops. She couldn’t get reception anywhere but the living room. She couldn’t understand why — the router had worked fine in her previous house. I moved the router four feet (up to a shelf above the TV and above the kitchen counter line), and voilà, whole-house coverage!
Plumbing, stone, ceramic tile, water tanks, metal, and so on are all physical barriers to Wi-Fi that are easily avoided with proper placement.
You can easily plot the results of your placement changes with Ekahau’s cool HeatMapper (download page), a site-survey application that creates heat maps — geographical signal-strength charts.
With HeatMapper, you can load a floor plan into the program, then walk around clicking points on the map as you pass them — thus logging Wi-Fi signal data at each location. When you’re finished, you’ll get a nice map showing the coverage and strength of your access point in a color-banded topographic view.
With a little upfront planning and airwave investigation using tools such as Wi-Spy and HeatMapper, you can achieve far-better average throughput on your Wi-Fi net, eliminate most dropouts, measurably improve productivity, and prevent countless headaches.
Have more info on this subject? Post your tip in the WS Columns forum.
Becky Waring is the former editor of NewMedia Magazine and has written for PC World, Macworld, Wired, Upside Magazine, Technology Review, CNET, and many other outlets.
Bug-counting is a false measure of security
By Ryan Russell
Measuring the vulnerability of operating systems and applications to attacks from hackers is vital to safe computing on the Internet. The most-common measure of computing security is counting vulnerabilities. But using this metric is horribly inaccurate and needs to stop.
Inflaming the debate over who has the most bugs
I recently read yet another story about vulnerability counts and which vendor is the worst offender. The article in question, published by AppleInsider, claims Secunia is “assailing Apple” in its most-recent security (PDF) report.
The article is obviously a defense of Apple, but its basic premise is sound: how should you interpret vulnerability data? AppleInsider pointed out that some Apple foes have taken the least-specific, aggregate data of vulnerability counts out of the Secunia report and declared Apple the big security loser.
It didn’t help that contradictions in Secunia’s report added fuel to what became a flaming debate over who has the worst security. It stated that you should not use its data to compare vendors: vulnerabilities vary by product, not by vendors. But it also printed a simplistic “Top-10 vendors with the most vulnerabilities” chart. Unfortunately, we’re more likely to remember charts than text.
(It’s fair to point out that Secunia makes vulnerability-scanning software that Windows Secrets continues to recommend.)
Using simple vulnerability counts is not only pointless, it may have unintended consequences. Look at the incentives. We want software vendors to give us accurate vulnerability information, fix the problems quickly, and produce more secure software from the start.
Patching is no fun, but when we have to do it we want it done right. What happens when headlines such as “Apple (or Microsoft or Adobe) has the most vulnerabilities” affect these vendors financially? They have some incentive to be less transparent about what’s in their patches, and that might make their publicly-disclosed vulnerability count go lower.
Well, so what? Isn’t reporting vulnerabilities in others’ software a powerful way to cajole, embarrass, and bully vendors into doing better? Absolutely. But vulnerability counts don’t accurately measure how secure a given piece of software really is. Nor should they determine what software you use.
That flies in the face of today’s conventional, security-rating-by-bug-count thinking. (And I’ll plead guilty to that way of thinking in the past.) Let’s fix that.
How you count bugs depends on your perspective
To be clear, a bug in this context is shorthand for a security vulnerability, a programming or design error that allows attackers to manipulate programs in a way their designers didn’t intend. These are the programming flaws or holes that generate headlines about stolen Social Security numbers and compromised iTunes accounts — and let hackers steal our passwords and take control of our PCs.
For example, maybe a programmer accidentally codes a classic buffer overflow error, which then gives an attacker an opening for running malicious apps. So the programmer eventually realizes the mistake — it happens to the best of us — and fixes it with a patch or updated version.
So here’s the security-related question: how many vulnerabilities was that? Just one might be a fair number — that one bit of misapplied coding. But from the public’s point of view, the answer could just as well be none. Here’s why:
The programmer probably became aware of this bug because someone brought it to his or her attention. If it was an internal QA person, the company might hide the fact that this new release fixes a bug. As far as the outside world is aware, the bug never existed.
Or maybe the programmer never knew that the bad code had security implications, just that a pesky app-crash problem had finally been fixed. Security bug count: 0. A clever programmer will go back through the code and fix the error in many places, not worrying whether each of the errors was a security problem.
When the patch comes out, the company might issue an advisory stating it “fixed a buffer overflow” (or “some buffer overflows” or “some potential problems”). What is the public bug count now? These global fixes are great for application security but a headache when you’re trying to make a careful bug count. I say this as someone who has worn many hats — bug-counter, developer, vendor, and QA specialist — at various times. Bug counting is a futile metric.
A recent and specific example of a widespread vulnerability, only now receiving attention, is a flaw in remote DLL loading. (See Susan Bradley’s companion Top Story, “A threat to common ‘.dll’ files hits many apps.”) This DLL flaw has been known for at least 10 years, but now that we recognize it can be used to execute malicious code, we consider it a vulnerability. Is it Microsoft’s fault, since they included it in the OS? Or is it the fault of every software author that may have taken coding shortcuts? From a bug-counting perspective, it could be one bug or hundreds.
The scope of the vulnerabilities for each application is yet another reason bug counting is a pointless exercise. Sure, you can accurately count the ones you know of. But how many were there when you started counting? How many new ones are hidden in the code when an app is upgraded? What percentage did you find? Suppose IE had 11 one year and Firefox 10. Is that 11 out of 100 and 10 out of 20? Or vice-versa? If Windows has twice as many bugs one year as Linux, does it matter that Windows is five times more lines of code?
These questions are rarely answered, so it’s painfully obvious that the published number of bugs found and bugs fixed tells us next to nothing about how secure that software is.
Measure app vulnerability by how it’s used
Hopefully, you now have a good understanding of why published bug counts are useless for judging the safety of applications among competing products. In fact, I think asking for simple bug counts is the wrong question to ask. The right question is: how will vulnerabilities affect the way you use your preferred software? How do these vulnerabilities cause you pain?
Obvious number-one pain point: Is any of the vulnerabilities actually being used against you? It’s much more important to know which applications are being targeted than to learn which ones have more vulnerabilities.
For example, browser A is frequently attacked but also gets timely patches; browser B, on the other hand, is full of holes but is ignored by the bad guys. It’s likely that browser B is safer. This applies to random attacks against the Internet population as a whole. If you’re unlucky enough to have a hacker target you specifically, then browser B is the less-secure product.
Number-two pain point: How onerous is the constant patching? Let’s say you’ve resigned yourself to patching everything once per month. If so, does the number of patches matter? Or what programs need patching? Is it more painful to install twice as many Microsoft releases this month as last? Is Java especially difficult to update? Do you have to patch multiple computers and programs, and do the updates break your important business apps?
There are many more questions that directly relate to the task of keeping your OS and apps secure. And all of them are far more important to your Internet security than how many vulnerabilities a particular application might have.
Patching and systems management is my day job, so I see a lot of these security problems through that professional lens. But I know it’s just as worrisome to the average PC user. You should not care that your vendor of choice has fewer published vulnerabilities this year than last. One bug is too many if your machine gets infected. And your risk increases significantly if you put off patching because it’s just too burdensome. Those are your true security metrics.
And the process of measuring application security will get only more complex — silent patching, for example. That’s where the vendor downloads and applies an update in the background without providing you with any notification. It’s just there when you restart the program. You see this process with Google Chrome and Firefox 4.x betas.
I’d love to hear what you think about this practice. Use the Lounge link below.
Have more info on this subject? Post your tip in the WS Columns forum.
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is the Director of Information Security at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
