Clean-install Windows 7 from the upgrade disc
In this issue
- BONUS: How to get the most from Windows 7
- TOP STORY: Clean-install Windows 7 from the upgrade disc
- KNOWN ISSUES: Readers offer more ways to enhance Windows 7
- WACKY WEB WEEK: Invisible rope trips up unsuspecting passers-by
- LANGALIST PLUS: Wanted: a free, novice-proof disk wiper
- IN THE WILD: SSL authentication flaw puts browsers at risk
- PATCH WATCH: XP patch removes threat of malicious Web fonts
How to get the most from Windows 7
This month’s free bonus for all subscribers is a three-chapter excerpt from Windows 7 Tweaks by Steve Sinchak. The book, which is subtitled A Comprehensive Guide on Customizing, Increasing Performance, and Securing Microsoft Windows 7, provides valuable information about making the most of Microsoft’s new operating system.
The printed volume won’t be available until next month, but all subscribers, free and paid, can receive our exclusive excerpt through Dec. 2. Simply visit your preferences page, save any changes, and a download link will appear. Thanks! —Brian Livingston, editorial director
Clean-install Windows 7 from the upgrade disc
By Woody Leonhard
Topping the long list of readers’ Windows 7 questions is whether you can use the upgrade disc to perform a clean-install of the new OS.
You may be surprised to discover that in Windows 7 there’s no difference between the “upgrade” and “full” DVDs and — just as with XP and Vista — the cheaper upgrade version can indeed be used to perform a clean-install.
But that’s just one of your many Windows 7 questions. From what’s possible, to what’s legal, to what-on-earth-were-they-thinking, here’s the skinny on the ins and outs of Microsoft’s best OS yet. There’s no way to fit all your Win7 queries into a single column, so you can be sure I’ll have many more Win7 FAQs in the weeks to come.
Will a Win7 upgrade disc install the full OS?
- “It looks like you can use the upgrade version of Windows 7 to install a ‘genuine’ copy of Windows 7 on any PC, whether it already has Windows on it or not. Why would anybody pay way more money and buy a full-install version of Windows 7 instead of an upgrade version?”
Good question. So far, the only people I know who’ve paid for the full version of Windows 7 thought they had to buy it because they were running Windows XP. When they read that they couldn’t do an in-place upgrade from XP to Win7, they mistakenly thought they had to buy the full release. They got ripped off.
The terminology stinks, but as you will see below in my discussion of upgrade pricing, almost everybody qualifies for an upgrade version of Windows 7.
In my experience, most people using the upgrade package find that their new Win7 key validates immediately after the PC connects to the Internet. You can maximize your chances of getting instant gratification (validation), however.
If you have a version of Windows running on your PC, start Windows, insert the Windows 7 upgrade DVD, and follow the on-screen instructions. (All of the usual caveats about first backing up your data apply, of course.) If you wish, you can reformat your hard drive at the beginning of the installation process. This wipes out all the old data stored on the drive.
In my testing, as long as I started the Win7 installation from within Windows, the upgrade key passed validation. It didn’t matter, in my test runs, whether the PC’s previous version of Windows had ever been validated as “genuine” or not.
If you don’t have Windows running — for example, if you’re installing the OS on a new hard drive — boot from the Win7 upgrade DVD and follow the on-screen instructions. Chances are good that Windows 7 will validate immediately, even if there was no copy of Windows on the drive beforehand.
I have a theory about how and why this straightforward validation just works, but Microsoft hasn’t yet divulged details. I’ll revisit the whys and wherefores in a future column.
If you type in the validation key and see a message stating, “The product key is not valid,” don’t fret. Go ahead and install Win7 without the key and plan on activating the OS later. Remember that you can run Win7 up to 120 days without activating it, as I explained in my Aug. 20 Top Story.
How do I get the upgrade key to activate?
- “I installed the Windows 7 upgrade and the key doesn’t work. What should I do next?”
In such situations, Microsoft recommends that you call the company to validate your copy of Win7 over the phone. In my experience, phone validation works quickly and easily. The people answering the phone bend over backwards to get Win7 validated.
If you want to try this official, phone-it-in approach, review the question in the next section and make sure your PC qualifies for upgrade pricing. If it does, but you can’t get the key to work, gather whatever information you need to verify you qualify and then call Microsoft. The easy way to get Microsoft’s Win7 activation phone number is to click Start, type slui 4, and press Enter.
That said, you can activate with an upgrade key without calling Microsoft at all. There are several ways to do so. For example, writer Paul Thurrott documents in a blog post how you can upgrade in this situation by changing a byte in the Registry and running a single command line.
Failing that, another fairly simple (if more time-consuming) activation method is to install from the Win7 upgrade disc and then upgrade Win7 on top of itself. This technique works in Win7 in a nearly identical way to the trick WS editorial director Brian Livingston described for Vista in a Feb. 1, 2007 Top Story.
The short version of that trick is this: Once you’ve installed Win7 from the upgrade DVD, start Win7, and then stick the upgrade disc in the drive again. Follow the instructions to upgrade, but don’t choose Custom — you’re upgrading to Windows 7 from Windows 7. Enter the key when requested, and it’ll validate the next time you’re online.
Does my PC qualify for upgrade pricing?
- “I understand that there are many different ways to upgrade a PC to Windows 7. The $64 question (give or take a few bucks) is whether my PC qualifies for the Upgrade Option for Windows 7 rather than my having to buy the full version. How can I tell?”
Microsoft made it easy in Windows 7 to perform a full install of Windows 7 using only the less-expensive Upgrade Option for Windows 7. In fact, MS made the trick even easier in Windows 7 than it was in Vista, by adding to Win7 the Registry byte change that I mentioned above. The technique in Vista usually required a second install to work. Win7, thanks to changes deliberately added by Microsoft, usually doesn’t require that the setup routine be started twice.
Microsoft’s Windows 7 End-User License Agreement (EULA), however, says you can install an upgrade edition of Win7 only if you had a license for an earlier version of Windows that you’re eradicating.
It’s curious why Microsoft makes it so easy for customers to install an “upgrade” copy of Windows 7 on a PC that supposedly doesn’t qualify. Indeed, why has Microsoft built hooks into the Windows installer to specifically bypass the qualification test — hooks that have been left in place for years?
In any event, the relevant clause in the Win7 EULA says:
- “To use upgrade software, you must first be licensed for the software that is eligible for the upgrade. Upon upgrade, this agreement takes the place of the agreement for the software you upgraded from. After you upgrade, you may no longer use the software you upgraded from.”
By that standard, the number of machines that don’t qualify for upgrade pricing is mighty tiny. (It also raises disturbing questions about multiboot systems, but I’ll discuss multibooting in a future column.)
For example, if you own a computer with a Windows Certificate of Authenticity sticker on the case as proof of ownership — and the certificate is for Vista or XP — there’s no question whatsoever that the PC qualifies for upgrade pricing.
If you’ve ever paid for a full copy of Windows — one you purchased “off the shelf,” not a copy that was preinstalled on a PC — you own the right to use that copy of Windows on any PC you like, as long as you use it on only one machine at a time. There’s no requirement that you activate it in order for a Win7 upgrade to work on it. How can that not be a legitimate candidate for a Windows 7 upgrade?
The universe of PCs that don’t qualify for upgrade pricing would seem to be limited to those that (1) have been built from scratch or (2) bear counterfeit builds of Windows that unsuspecting customers bought from unscrupulous box shops. New virtual machines also require the full version, but that’s about it — this represents a very tiny slice of the consumer-PC pie.
How do I know my Win7 installation is legit?
- “If I can get an upgrade version of Windows 7 to install on my PC and it validates as ‘genuine,’ I’m running everything legally and don’t need to worry about it, right?”
As far as I can tell, if you pass the validation hurdle once with an upgrade version of Windows 7, your computer won’t have to do anything in the future to prove whether you were or were not entitled to an upgrade.
You’ll definitely be running a copy of Win7 that’s validated as genuine. Whether that also means your new copy meets the written definition in Microsoft’s EULA depends on whether you ever owned a legal copy of Windows for that PC. That can sometimes be hard to verify.
Can I upgrade in place from XP to Vista to Win7?
- “I’m running Windows XP. I know I can’t do an in-place upgrade from XP to Windows 7, but can I do an in-place upgrade from XP to Vista, and then another from Vista to Windows 7?”
You can, but that gives Windows two opportunities to shoot you in the foot.
Many of my friends tell me I’m superstitious, but I strongly recommend that people perform a custom (clean) install. Yes, that entails reinstalling programs and re-entering your custom system settings, but it’s still my advice — even if you have a PC that can accommodate an in-place upgrade.
Sticking Win7 on top of an old copy of Windows is like building a new house on old landfill. You never know what’s going to come to the surface, or where, or when. A very large percentage of the problems people are having with Windows 7 installations occur with in-place upgrades.
Which Win7 is right for me: 32-bit or 64-bit?
- “Should I install the 32-bit or 64-bit version of Windows 7? How do I get the right one?”
Every Windows 7 box that you buy on store shelves — whether an upgrade or full version of Home Premium, Professional, or Ultimate — contains two DVDs. One has the 32-bit version and the other has the 64-bit version.
If you ignore the recommendation I made in the above item and insist on performing an in-place upgrade, you can do so only from 32-bit to 32-bit or 64-bit to 64-bit. However, if you do a custom (clean) install on a machine that formerly ran a 32-bit version of XP or Vista, you should seriously consider moving to 64-bit computing.
See my July 16 Top Story for information that will help you determine whether 64-bit is right for you. If you decide that it is, follow the instructions in the article to run the Windows 7 Upgrade Advisor.
If the Upgrade Advisor indicates your PC can support a 64-bit version of Windows — and it doesn’t warn you that your specific hardware doesn’t have drivers — give 64-bit a try. Although there are some devices from major manufacturers that don’t have 64-bit drivers, several of these vendors have been embarrassed into writing new ones.
Can I upgrade Vista Ultimate to any Win7 flavor?
- “I got suckered into paying for Windows Vista Ultimate. What a waste! Adding insult to pecuniary injury, if I want to upgrade, I have to pay for Windows 7 Ultimate, right?”
Nope.
If you want to perform an in-place upgrade from 32-bit Vista Ultimate, you have to pay for the Windows 7 Ultimate upgrade and must install the 32-bit version. However, if you perform a custom (clean) install, you can upgrade that Vista Ultimate PC to whichever version of Windows 7 you prefer.
It gets confusing because the term “upgrade” has two completely different meanings. If you want to do an in-place upgrade and avoid reinstalling your programs and updating your settings, you have very limited choices about which versions of Windows you can start with and what you can upgrade to. (See Microsoft’s somewhat-muddled explanation of the Win7 Upgrade Option Program on the official Windows 7 site.)
If you’re willing to perform a clean install, you can upgrade any version of XP or Vista to any version of Windows 7, and you need pay for only the Upgrade Option for Windows 7 — no need to buy the full-install package.
I just saved you about a hundred bucks, yes?
The Windows 7 Q&A parade has just begun
This is a small sample of the myriad Win7 questions that have hit my inbox. Some people are having problems with installations that go part way through and freeze. Others see the installation fail, then automatically try again repeatedly.
There are more than a few blue screens running around, and some of you can’t find your games after a Win7 upgrade. I’ll be covering these and many more problems in future columns.
UPDATE 2009-11-19: In the Nov. 19 Top Story, Woody Leonhard describes solutions to several Windows 7 upgrade problems.
I think Microsoft’s biggest mistakes with Windows 7 are the confusing number of versions and upgrade paths, as well as the complete dearth of technical information about the upgrade-validation process.
The product’s great. The rollout bites.
Woody Leonhard’s latest books — Windows 7 All-In-One For Dummies and Green Home Computing For Dummies — deliver the straight story — hold the sugar coating — in a way that won’t put you to sleep.
Readers offer more ways to enhance Windows 7
By Dennis O’Reilly
Like pouring hot fudge onto vanilla ice cream, there’s nothing like making a good thing better.
Even with near-universal positive reviews, Windows 7 could still stand some improvements — and Windows Secrets readers know just how to enhance the new OS.
Sure, some hardware vendors have been slow to provide Win7 device drivers for some of their products. And some people attempting to upgrade to Windows 7 are greeted with blue screens and infinite loops. But most Windows 7 users wouldn’t think of reverting to their previous OS.
That doesn’t mean they haven’t found ways to make using Windows 7 even better. For example, Cris DeRaud discovered a script that lets you create a Win7 restore point with a single click:
- “I found today that creating a restore point in Windows 7 takes on a new twist and requires knowledge of the proper paths and security settings. When my computer is running really sweet, I’ll add restore points of my own. I name them ‘smooth sailing.’
“Well, I ran into a snag today trying to make a restore point the Vista way because the option link is all changed in Windows 7. I found an easy alternative from a group of Windows 7 lovers who spell out all the options [on the Windows Seven Forums site].
“I chose the option to download the script and icon file they have available. Now I just click the icon, name my restore point, and click OK.”
If you prefer to use the manual approach to creating a restore point in Windows 7, right-click the Computer icon, choose Properties, click System Protection in the left pane, verify that System Protection is on, click the Create button, give the restore point a name, and click Create again.
Free MS tool facilitates networking XP PCs
In his Nov. 5 Woody’s Windows column (paid content), contributing editor Woody Leonhard described ways to network PCs running Windows 7, Vista, and XP. Stuart Berg reminds us of a free utility from Microsoft that makes finding XP systems on a home network nearly automatic:
- “In your article ‘Add Windows 7 PCs to Vista and XP networks,’ you never mentioned adding the Link-Layer Topology Discovery (LLTD) Responder to XP. I believe that it makes the networking experience easier and more reliable. If running XP SP2, it can be downloaded [from the Microsoft Download Center], and if running XP SP3, it can be downloaded [via Knowledge Base article 922120].”
Note that the LLTD Responder utility requires a Windows Genuine Advantage scan and works only with 32-bit XP PCs.
UPDATE 2009-11-19: In the Nov. 19 Known Issues column, reader Ian Journeaux describes the manual method for installing the LLTD Responder utility.
Bring the Quick Launch toolbar back to Windows 7
In the Nov. 5 Known Issues column, Ed Kirkpatrick described how he created a custom Windows 7 toolbar to replace the Quick Launch toolbar, which is missing by default in Win7. David Shirly was one of several readers who provided us with instructions for restoring Win7’s Quick Launch toolbar:
- “Regarding Dennis O’Reilly’s piece on Windows 7 early adopters: Quick Launch is still available, but it’s hidden by default. You have to know where to look:
C:\Users\username\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
“Simply create a new toolbar and point to this location. You’ll have to enable ‘show hidden files’ to find it.”
UPDATE 2009-11-19: In the Nov. 19 Known Issues column, reader Al Arntson points out that using Windows 7’s Pin to Taskbar context-menu (right-click) option to place application shortcuts in the taskbar is simpler than re-enabling the Quick Launch toolbar.
Thanks to David and everyone else who let us know how to find this (suddenly) hidden Windows 7 feature. Anybody know where I can find Win7’s Program Manager?
Readers Cris, Stuart, and David will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
Invisible rope trips up unsuspecting passers-by
By Stephanie Small
Remember when you were a kid, and playing pranks on people was the thing to do? Whether it was jumping out of the closet to scare someone or making the infamous prank calls during a sleepover, it was fun — usually, anyway — for both parties involved. Why not resurrect an oldie-but-goodie prank: the invisible rope. Watch as these jokester juveniles trick cars and mall pedestrians into thinking there’s something there when there really isn’t. It will make you look twice the next time you spot someone trying to pull this off!
Wanted: a free, novice-proof disk wiper
By Fred Langa
Wiping the data off old drives is a smart thing to do, but secure erasing also must be easy to do. Powerful software is worthless if it’s too hard to use, but I’ve found a free drive-wiping tool that’s powerful enough for pros yet simple enough for newbies.
In search of a simple, CD-based disk wiper
Kim Boriskin needs a tool that anyone — even unskilled volunteers — can use to reliably wipe the data off hard drives:
- “I do some work for an organization that often processes computers before distributing them to charities, for example. We always wipe the hard drives using a Department of Defense (DoD) wipe. We’ve been using a bootable floppy disk to perform the wipes, but fewer computers than ever have floppy drives, and for reasons I won’t discuss, we won’t use a USB floppy drive to start the process.
“Do you know of any free disk wipers that can be written on a bootable CD and that can accomplish a secure disk wipe? I’ve found only one, Darik’s Boot and Nuke, from DBAN [more info]. But it’s confusing to nontechies, and clumsy even for techies. We could use something simpler.”
It’s a good idea to data-wipe old drives. Discarded and recycled PCs are a rich vein for identity thieves to tap.
You’re dealing with two separate issues: you need a tool that’s easier to use than the one you currently have and one that can run on a bootable CD. I have a solution, but it takes a minute to get there — so bear with me.
Scrub3 is a venerable, free tool that’s widely used for rendering hard disk data all-but-impossible to recover. Scrub3 can overwrite the disk with various patterns, including the original (2001) DoD three-pass overwrite and the newer, National Security Agency–recommended seven-pass overwrite.
The easiest way I’ve found to get and use Scrub3 is to download the free Secure Data Disposal utility from Lenovo (née IBM ThinkVantage). Lenovo describes the utility this way:
- “Secure Data Disposal (SDD) is a Windows tool used to build IBM PC-DOS bootable floppy diskettes for the purpose of wiping hard disk drives. Each bootable floppy diskette utilizes the Scrub3 DOS executable to facilitate securely disposing of all data on a machine’s hard disk drive.”
SDD offers six levels of data wiping. The “ultra” level performs a highly secure seven-pass overwrite. (See Figure 1.) The program lets you build a preconfigured data-wiping floppy with as few as two clicks. (I’ll cover converting the floppy to other bootable media in a moment.)
Figure 1. The Secure Data Disposal utility can set up a highly secure seven-pass drive wipe with as few as two clicks.
The SDD boot floppy is very simple to use. No technical knowledge is required, so the floppy may be used even by novices. In fact, after the target PC is booted from the floppy, the only user input needed to start the actual preconfigured wipe is a simple confirmation. (See Figure 2.)
Figure 2. The SDD boot floppy requires only a confirmation to do its work.
For advanced users, the floppy is highly modifiable. The actual scrub3.exe DOS executable file is located in the floppy’s SCRUB folder. The executable can be controlled via batch files and command-line switches documented in the SDD Help file and in scrub.txt on the floppy itself.
SDD’s output is a boot floppy, but if you prefer, you can use any of the many third-party tools and techniques to convert the floppy’s contents to a bootable CD. For example, to produce a bootable CD from the contents of a bootable floppy, follow the floppy-conversion tutorial on the Ultimate Boot CD site. Kim can’t use a bootable flash-drive version of the data wiper, but other readers might prefer to use that medium. That’s easy to create using the instructions provided on the BootDisk.com site.
The Secure Data Disposal utility is free and easy to use. It produces disk-wiping boot floppies that can be used by even the most-inexperienced PC users. What’s not to like? Grab your copy from Lenovo’s Secure Data Disposal download page.
Er, what exactly are Windows 7’s Libraries?
Rob Martell echoed a question in many readers’ minds about Windows 7 “Libraries”:
- “Both Woody and Fred have mentioned Windows 7 ‘Libraries.’ I was wondering whether this is just an extended search–type function or just an improved notion of My Documents, since My Documents in XP equates to C:\Documents and Settings\username\My Documents.
“I’m also wondering whether this new Library concept will make it even harder to find the actual files when someone needs to copy, back up, or manually deal with something.”
Like any new concept, Win7’s Libraries take a little time to fully understand and master. But once you’ve played with Libraries a bit, you’ll have an “Aha!” moment and see them as the very useful innovation they are.
Here’s the core idea: When you put files from multiple locations into a single Library, you’re actually creating a kind of special link or shortcut. The files themselves aren’t moved. When you access — copy, paste, edit, rename, whatever — a file through a Library, it’s exactly the same as if you navigated to the “real” location and performed the same action there.
Likewise, when you do go directly to the actual file, any changes you make there are instantly and automatically reflected in the Library. Thus, Libraries are just another way to access the real files in their actual, scattered locations.
That’s how they work, but a good demo can help you understand how to use them. For example, see the tutorial page at Top-Windows-Tutorials.com, which includes a helpful video on using Windows 7 Libraries.
Microsoft offers an authoritative — though somewhat lethargic — screencast (a 4MB download) called Organizing with Libraries. Note that when you play the Microsoft video, your screen won’t change for more than a minute, but it’s not a video glitch — it’s just a very, very slow start to the action.
Win7 Libraries actually do make it easier to work with files from multiple locations. Honest!
Windows Genuine Advantage: a necessary evil?
Ian Cressie’s been avoiding Windows Genuine Advantage (WGA) updates for as long as possible:
- “Although I use licensed Windows software, I strongly object to letting Microsoft install stuff on my computer to keep tabs on me. Moreover, given Microsoft’s track record, I don’t want to let them within a mile of my computer unless it’s completely unavoidable. So I would like to know the following:
“Could refusals by me to download Microsoft updates related to Genuine Advantage be preventing me from installing other Microsoft updates?”
Yes, failure to let WGA periodically revalidate your system can result in your getting locked out of truly useful updates. That’s probably what’s causing your update trouble.
I understand your WGA concerns. Many users — me included — dislike WGA, but it’s really just a minor pain in the posterior. WGA doesn’t collect personal data, it doesn’t snoop on what you’re doing, and it isn’t the ominous Big Brother thing that some make it out to be.
My advice: Hold your nose, let WGA install and update when it wants to, and otherwise simply ignore it.
Vista’s Config.Msi folder grows huge
D. Morgan found a porcine surprise on his hard drive:
- “I was wandering around in my PC and happened to glance at the folder titled Config.Msi. I know the files in that folder are related to install/uninstall, but I saw that the folder contained 28,981 files taking up a whopping 7.44GB of space! I deleted all of them and freed up a huge amount of disk space.
“I thought these files were supposed to be automatically deleted by the operating system (I’m running Vista Ultimate SP1). Am I wrong? Will I be sorry to have deleted them? I haven’t noticed any effect on operation so far.”
Hogging seven-plus gigs? Yikes!
In normal operation, the Config.Msi folder is created by the Microsoft Installer when you begin a software installation and is deleted upon successful completion. Various problems can leave the folder behind. Clearly, your system either had many small problems along the way or a few real doozies.
It’s usually OK to delete the folder, so you should be fine. But for future reference — and for other readers facing this or similar problems — there’s a safer way.
First, back up your system. Then rename the Config.Msi to config.old and reboot. Odds are, your system will start normally and your apps will all run as they should. You can then delete the config.old folder. If your PC acts strangely after you make the change, restore the folder’s original name or use your backup to get your system back the way it was.
Failed installations often leave junk behind in the Registry, so run your favorite Registry cleaner and then reboot again. Contributing editor Scott Spanbauer reviewed three Registry utilities in his Sept. 11, 2008, Best Software column.
Taking those small extra steps — backing up and temporarily renaming the target file or folder — makes experimenting with such system-file deletions much safer. It also helps you avoid one of those awful “Oh, no!” moments when you realize that you just whacked something you shouldn’t have!
Fred Langa is editor-at-large of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.
SSL authentication flaw puts browsers at risk
By Robert Vamosi
A hole discovered recently in Secure Sockets Layer (SSL) HTTP sessions is difficult to exploit but may necessitate a revision of the SSL protocol itself. The big-name browser vendors are quietly working to patch the vulnerability before the bad guys figure out how to use it to crack secure Web connections.
Transport Layer Security protocol exploitable
Last August, while researching various applications used by two-factor authentication vendor PhoneFactor, researcher Marsh Ray discovered something odd in the way the SSL/Transport Layer Security (TLS) protocol handled authentication renegotiation. Ray was able to write an exploit that would, under certain circumstances, allow a man-in-the-middle attack to eavesdrop on SSL sessions used for e-commerce and online banking.
The flaw allows the attacker to join an authenticated SSL session and execute commands. After Ray proved the exploit to his bosses, he chose not to go public and instead followed Dan Kaminsky’s example after he discovered a major DNS flaw in 2008. (WS contributing editor Ryan Russell described the DNS vulnerability in his July 17, 2008, Perimeter Scan column.)
Just as Kaminsky did last year, Ray quietly contacted the vendors most affected by the SSL/TLS flaw and worked in the background to implement a fix before the malware writers got word of it. In September, Google even hosted a meeting at its Mountain View, CA, campus that produced a tentative draft proposal for the Internet Engineering Task Force (IETF). Microsoft had hosted a similar meeting on the DNS flaw for Kaminsky last year.
On Nov. 4 — quite independently — another researcher, Martin Rex of SAP, went public on the IETF TLS mailing list with his discovery of flaws within channel bindings that also affect TLS. A lively and extended discussion ensued.
Ray states that the fix for the TLS flaw discovered by Rex is very similar to the mitigation Ray proposed for the TLS vulnerability he was researching. Later that day, Ray went public with his own findings.
Who’s affected by the SSL/TLS vulnerability?
According to initial reports, the client’s browser must have a certificate in order for the flaw to be exploited. This led to mixed reactions among security experts. In a Nov. 5 story on TechTarget’s SearchSecurity.com, researcher Moxie Marlinspike dismisses the severity of the vulnerability.
Marlinspike claims the attack is no more than a cross-site request forgery (CSRF) and doesn’t affect webmail, online banking, or online shopping. In other words, the flaw doesn’t rise to the level of the DNS vulnerability discovered by Kaminsky in 2008.
However, Ray indicates in a Nov. 6 article on SearchSecurity.com that not all the attacks require client certificates. He states further that not all the research nor all the implications of the flaw have been made public.
On the other hand, security researcher Chris Paget writes in his blog, “Anyone who says this isn’t a problem simply doesn’t get it.” Paget warns we’ll be hearing about this flaw for years to come. Although he agrees with Marlinspike that there’s a scale difference, Paget argues the TLS flaw is subtle enough to warrant a closer look.
Browser and Web-server software vendors are working to mitigate the ways this flaw can be exploited. End users and enterprises can expect to see a flurry of fixes released for this TLS vulnerability. But patches are only a temporary solution to this fundamental flaw within TLS. It’ll take a new version of SSL to fully address the authentication glitch.
Still more grumbling about the Gumblar Trojan
Susan Bradley’s June 11 Top Story described the threat posed by the Gumblar Trojan and mentioned some of the mainstream sites Gumblar had infected. According to a recent Computerworld story by Jeremy Kirk, both IBM and ScanSafe report that the Gumblar Trojan is back. And this time, it’s attacking known vulnerabilities in Adobe’s Reader and Acrobat software on legitimate sites that remain insecure.
Gumblar typically inserts iFrames into legitimate sites that direct browsers to the malware-laden site gumblar.cn. Previously, law enforcement agencies merely needed to shut down that server to end the infections. But in Gumblar’s latest iteration, the Trojan is hosting the compromised code on the sites it has already infected. This not only decentralizes the attack, it also makes it very hard to shut down.
To defend against these iFrame attacks, I recommend using the free LinkScanner utility from AVG. You’ll find more information and a download link for the program on the AVG site. LinkScanner looks at the code being served by a Web site and strips out any malware-associated content. If you use Firefox, the donationware NoScript add-on (more information) also blocks iFrames and other script-related malware.
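One way a site owner could check their own pages for the injected frames described above (an added example, not code from this newsletter, AVG, or NoScript). It flags any iframe that is hidden or whose host is not on an allowlist, because the latest Gumblar iteration serves its code from other infected sites and a gumblar.cn blocklist alone would miss it. The sample page, the host names other than gumblar.cn, and the hiding heuristics are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristics for "invisible" frames; tune them for your own pages.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY_SIZE = re.compile(r"\s*[01]\s*(px)?\s*", re.I)


def is_hidden(attrs):
    """True if the frame is styled away or sized to 0-1 pixels."""
    if HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    return any(TINY_SIZE.fullmatch(attrs.get(k, "")) for k in ("width", "height"))


class IframeAuditor(HTMLParser):
    """Records every <iframe> that is hidden or points at an unexpected host."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "").strip()
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        # A relative src has no host and is served by the site itself.
        if host and host not in self.trusted:
            reasons.append("untrusted-host")
        if is_hidden(a):
            reasons.append("hidden")
        if reasons:
            self.findings.append({"line": self.getpos()[0], "src": src, "reasons": reasons})


def audit_html(html, site_host, allowed_hosts=()):
    """Return one finding per suspicious iframe in the given markup."""
    auditor = IframeAuditor(site_host, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: two legitimate frames, two injected ones.
SAMPLE_PAGE = """<html><body>
<h1>Garden club news</h1>
<iframe src="/calendar.html" width="400" height="300"></iframe>
<iframe src="http://maps.example.org/embed" width="400" height="300"></iframe>
<iframe src="http://gumblar.cn/" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="//other-hacked-site.example/x.php" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE, "gardenclub.example", ["maps.example.org"]):
        print(f"line {f['line']}: {f['src']} ({', '.join(f['reasons'])})")
```

This static check sees only frames present in the served markup; a frame written into the page by script at load time has to be caught by inspecting the rendered page instead.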
Nothing friendly about this Facebook Trojan
It isn’t unusual for Trojans to receive remote commands. What makes the new Trojan.Whitewell noteworthy is its use of Facebook as a delivery method, as described by John Leyden in the Register. In particular, the Trojan targets the Notes section of Facebook’s mobile version.
Trojans commonly rely on IRC and other Web servers to receive updated instructions on the systems they have infected. Researchers are able to intercept these channels relatively easily. However, Trojan.Whitewell uses a Facebook account to receive commands instead.
In Symantec’s security blog, Andrea Lelli states that the malware appears to be only a proof of concept. When she signed into the Trojan’s Facebook account, there was only one note and a handful of e-mail messages present. Still, Lelli claims, the attack can be seen as proof that a social network can be used as the basis for a botnet attack.
WS contributing editor Robert Vamosi was senior editor of CNET.com from 1999 to 2008, writing pieces such as Security Watch, the winner of the 2005 MAGGIE Award for best regularly featured Web column for consumers.
XP patch removes threat of malicious Web fonts
By Susan Bradley
Systems running Windows 2000, Windows XP, or Windows Server 2003 are at risk of infection via fonts used on malicious Web sites. No attacks exploiting this vulnerability have been recorded yet, but I expect them to begin soon — so apply this patch right away.
MS09-065 (969947)
Embedded OpenType fonts pose remote-attack risk
Patch MS09-065 (969947) addresses several vulnerabilities in the Windows kernel. One in particular poses serious threats to Windows 2000, XP, and Server 2003. A specific type of Embedded OpenType font allows remote code execution, launching a denial-of-service attack or even taking over your system. The hole will very likely be exploited soon by malicious Web sites.
As frightening as that sounds, the good news is that this week’s patch installed without a hitch on my test XP systems. Apply this update as soon as you can to ensure you’re protected from malicious Web activity. Also, since the exploit requires that you visit a malicious site, think twice before you click a dodgy link in an e-mail or instant message.
While several other November patches are rated “Critical” by Microsoft, this is the only one of this month’s Windows updates that I rate as truly imperative.
UPDATE 2009-11-19: In the Nov. 19 Patch Watch column, Susan describes a problem the XP kernel patch causes for systems using ATI Radeon HD 2400 and Nvidia GeForce 7050/NForce 610i video adapters.
MS09-067 (972652) and MS09-068 (976307)
Infected Excel and Word files make the rounds
No doubt you’ve been warned before of the dangers of opening Word and Excel files attached to unexpected e-mails. MS09-067 (972652) and MS09-068 (976307) plug holes that allow a phishing attack to take control of your system when you open an infected Word or Excel file.
It bears repeating: Never open a Word (.doc) or Excel (.xls) file unless you are expecting it. Note that Office 2003 users who have the Office 2007 Compatibility Pack installed may be offered an Office 2007 patch. (See Figure 1.)
Figure 1. Critical patches for Microsoft Office 2007 may be offered to systems running Office 2003 that have the Compatibility Pack.
Office 2004 and 2008 for the Mac are also affected by the vulnerability and need updating as well.
The following is a list of the patches for different versions of Excel:
- Office 2007 SP1 and 2: 973593
- Office Excel 2003 SP3: 973475
- Office Excel 2002 SP3: 973471
- Office Excel Viewer SP1 and SP2: 973707
- Office Excel Viewer 2003 SP3: 973484
- Office Compatibility Pack for Word, Excel, and PowerPoint: 973704
- Office 2008 for Mac: 976828
- Office 2004 for Mac: 976830
- Open XML Format Converter for Mac: 976831
The following Word patches have been issued:
- Office Word Viewer 2003 SP3: 973866
- Office Word 2003 SP3: 973434
- Office XP SP3 (Word 2002): 973444
- Office 2008 for Mac: 976828
- Office 2004 for Mac: 976830
- XML File Format Converter for Mac: 976831
Bottom line: Don’t open unexpected file attachments — whether Office file types, PDFs, or otherwise — ever.
MS09-063 (973565)
Vista update protects connected devices
MS09-063 (973565) affects only Vista and Server 2008 when printers, cameras, smart phones, or other devices are attached to the computer or network. A vulnerability in the Web Services on Devices API (WSDAPI) allows remote code execution when a malicious packet is received. Thus, the attack is most likely to occur from a device attached to your machine or from your internal network rather than from a remote location.
If you don’t connect one of these devices to your PC or network, you probably don’t have the WSDAPI service running and aren’t affected. That’s not to say you shouldn’t install the patch, however — it will proactively secure your system.
MS09-064 (974783) and MS09-066 (973037 and 973039)
Windows servers need important patches
Two other November patches are for Windows servers, so they probably won’t be offered to most Windows users. MS09-064 (974783) fixes a glitch in the License Logging service on Windows 2000 Server. That platform is supported only until July 13, 2010, after which its support lifecycle is kaput, according to the Microsoft Support site.
MS09-066 (973037 and 973039) affects only servers that run domain controllers and also use the Active Directory Lightweight Directory Service (AD LDS) or Active Directory Application Mode (ADAM).
If stack space is used up while executing some Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) requests, a denial-of-service attack is possible. Windows XP systems are also affected by the vulnerability and should apply this update, which Microsoft rates as important rather than critical.
MS09-058 (971486)
Recap on Windows kernel patch problems
My sincere thanks to several Windows Secrets readers who graciously volunteered their time and computers to help figure out a fix for a glitch causing one October patch — MS09-058 (971486) — to be reoffered to their systems repeatedly.
I still don’t know what triggered the problem, but I can tell you how to correct it. The /overwriteoem flag described in my Oct. 22 column still works, but the following steps will also remedy the situation:
- Step 1: Sign in as an administrator.
- Step 2: Click Start, All Programs, Accessories, Command Prompt to open a command prompt.
- Step 3: Type the following lines and press Enter after each:
net stop cryptsvc
ren %systemroot%\system32\catroot2 oldcatroot2
net start cryptsvc
exit
- Step 4: Open the following folder in Windows Explorer:
%Systemroot%\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
where %Systemroot% is the location of your Windows folder.
- Step 5: Delete all tmp*.cat files from the folder. (If there are no tmp*.cat files in the folder, don’t remove any files. The .cat files in this folder, other than tmp*.cat, are necessary for installing hotfixes and service packs.)
Thanks again to everyone who wrote in to let us know they were affected by this persistent patch.
MS09-054 (974455)
October’s IE patch gets an update of its own
The Internet Explorer patch released in October is updated this month due to problems it causes on certain Web sites. After applying patch 974455, you may have experienced scripting errors on some sites. Many users in Asia encountered the scripting glitch, but some line-of-business Web applications were affected as well.
As a result, Microsoft released 976749 to fix the problem. If you have 974455 on your system, you’ll be offered this patch. If you didn’t install the October IE update, you won’t see the more-recent one.
On a related note, 974455 finally removes the warning in Secunia’s software-update services identifying IE 8 as vulnerable. Secunia’s unhelpful instructions recommended that you uninstall the insecure software, which left many people in the Secunia forums confused because IE can’t be easily removed.
You need 976749, the most-recent update, only if you installed IE security update 974455 (which I hope you have done by now). You could wait for the next cumulative Internet Explorer update — which will include this patch — but I haven’t had any problems applying 974455 to my systems, so there’s no need to wait before applying it.
Apple jumps on the OS-update bandwagon
Not to be outdone by Microsoft, Apple released a monster update to the Mac OS — one that plugs 58 holes. (See Figure 2.) One particular hole that can now be patched is a doozy. If even one user account on a Mac has no password (such as a guest account), an intruder could sign in to any account without a password.
Details of the security patch are provided on Apple’s security site.
Figure 2. Apple’s monster Snow Leopard patch addresses 58 separate vulnerabilities.
Also, if you use Office 2004 or 2008 for Mac, update those programs as well. Note that Apple isn’t offering any patches for the Tiger release of the Mac OS, so it may be time to upgrade machines running that version.
Firefox, Adobe, and Java receive security fixes
Following the huge number of patches released by Microsoft in October, Google has been busy updating its Chrome browser to version 3.0.195.32, as described on the company’s Chrome blog. Also, Mozilla added stability improvements in its update for the Firefox browser (to version 3.5.5). See the Mozilla site for details.
Version 11.5.2.602 of Adobe’s Shockwave Player supplies a number of security fixes. You can download the update from the company’s Shockwave site. Finally, Java 6 Update 17 is available from Sun’s download site.
Many Firefox users were alerted by the browser that their Flash Player was out of date. Those who saw this message were prompted to download version 10.0.32.18 from Adobe’s update site. Before doing so, note that you should uncheck the offer for the Google Toolbar prior to downloading the Flash Player update. The download previously preselected an offer for a free McAfee security scan. (Note that the Google Toolbar download is also preselected when you download Adobe’s Shockwave update.)
971644
No rush to install developer fixes for Vista
On my Vista workstation, I noticed an update called Platform Update for Windows Vista (patch 971644). Microsoft’s Knowledge Base article describes the patch as a collection of runtime libraries intended to make it easier for developers to target a wide customer base. These updates are already present in Windows 7 and are being backported to Vista.
However, they’re not security updates, and — at 14.2MB — this is one of the largest patches offered to Vista machines this month. I noticed one other peculiarity with this update. Even though the Vista PC is set to download but not install updates, and even though this patch was listed as “Important,” it wasn’t selected by default for automatic download. (See Figure 3.)
Figure 3. An “Important” Vista Platform Update is not preselected for download.
This may be related to Vista’s new Windows Update interface, which now looks more like the Update screen in Windows 7. Many Vista PCs have already received the new Update app, which Microsoft announced in August on its Update blog.
It appears that any patch that is not high priority — such as this one — won’t be downloaded automatically with the other “Important” updates. You can manually click the box to download and install it, but some nonsecurity updates won’t download automatically even when your PC is set to download updates but not install them.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).