Folder templates fix Explorer headaches
In this issue
- TOP STORY: Folder templates fix Windows Explorer headaches
- INDEX OF REVIEWS: Tech items to take with you
- HOT TIPS: Do Microsoft updates now force reboots?
- WINDOWS SECRETS: Old and new holes threaten browsers
- PATCH WATCH: Zero-day patch = zero days to install
- PERIMETER SCAN: Make new PCs safe for the holidays
Folder templates fix Windows Explorer headaches
I’ve spent most of this year — I’m tempted to say “wasted most of this year” — writing about Windows security holes, patches, patches of patches, threats, and vulnerabilities, both real and imagined.
For my last column of the year, I want to make amends for my errant ways and write about something positive — a secret (or at least a well-hidden feature) that may come in handy over the festive Yule of Tide, er, Tide of Yule.
Exploring your files with Windows
By now, you’re accustomed to the Windows Explorer task pane — the blue strip on the left of the screen that appears when you click Start, My Documents, or Start, My Computer, or some such. The task pane contains a bunch of useful shortcuts that make it as easy as 1 or 2 clicks to copy files, jump to a different folder, or perform other chores that are appropriate for the kinds of files that are included in the current folder.
Therein lies the rub.
Windows Explorer makes a sporting guess at the types of files in the folder you’ve opened, and displays tasks in the task pane that pertain to that kind of file. For example, if you click Start, My Documents, then click on a file, the task pane gives you a wide variety of options that are appropriate for working with documents — copying, moving, sending as an e-mail attachment, and so on.
If you click Start, My Music, then click on a file, the list of tasks on offer makes sense for music files — playing the song or copying to an audio CD, for example. (Microsoft also gives you the option of shopping online at a Microsoft-owned Web site for more CDs. Gawrsh, how thoughtful.)
When you click Start, My Pictures, you see an option to view all the pictures as a slide show, or to order prints online (through yet another overpriced Microsoft affiliate — gawrsh, another thoughtful touch).
Using folder templates to fix things
You might think Windows Explorer would look at the contents of a folder when it’s opened and decide on-the-fly what kind of folder it’s opening. It would then present you with task pane options that apply to the files in the folder.
For many reasons (including some very good ones), Explorer doesn’t work that way. Instead, Explorer makes a determination when you first create the folder about what kinds of files exist within the folder. That decision is permanent — unless you change it manually.
Most of the time, Explorer guesses very well. But sometimes things get screwed up.
Around this time of year, when I’m copying a lot of pictures to my PC, the mistake that bugs me the most arises when Explorer doesn’t identify a folder full of pictures as being, well, a folder full of pictures. Instead, Explorer sometimes marks the folder as containing documents. So when I open the folder, I don’t get the option to view my pictures as a slide show, or order pricey prints online. Instead, I only see the dull document tasks — copying, moving and the like.
Behind the scenes, Windows Explorer attaches a “folder template” to every folder on your computer. These folder templates aren’t anything like Word templates or Excel templates or PowerPoint templates. They aren’t really templates at all. Explorer merely identifies each new folder as containing files in one of six broad categories. Those categories have very strange names:
• Pictures (for folders with lots of picture files)
• Photo Album (for folders with, oh, up to several dozen picture files)
• Music Album (contains all the tracks from one album)
• Music Artist (contains all the albums and tracks from one artist)
• Music (when you don’t know the artist, or the track has many artists, or for playlists)
• Documents (which is really “all other”)
The distinction between the two types of picture folders and among the three types of music folders is tenuous at best. Don’t lose any sleep over it.
The “folder template” (actually, a folder type) dictates what appears in the task pane on the left when Windows Explorer opens the folder. It also controls what options appear under the View menu. For example, if you open a Picture folder, Explorer offers to show the files in the folder as a Filmstrip. There are other subtleties that vary depending on the folder type, but the tasks available in the task pane and the options on the View menu are the ones most likely to concern — and aggravate — you.
How you can change the templates
So what do you do if Windows Explorer mis-identifies a folder? Let’s say you transfer photos from your camera to a folder on your computer, then double-click on the folder. If Explorer doesn’t offer to let you view the pics as a slide show, what recourse do you have?
Ah, it’s easy if you know the trick.
Step 1. First, you have to be able to see the folder itself. That may be a little difficult. If you’re looking at a folder full of pictures, click the “Up” icon on Explorer’s icon bar — it’s the one immediately to the right of the Back and Forward arrows, in the upper left. That should bring you to the folder that contains the pictures.
Step 2. Right-click on the folder and choose Properties. You see the Properties dialog for that specific folder. Click on the tab marked Customize.
(Note: If you don’t see a tab called Customize, you’re looking at a folder that Windows reserves for its own nefarious purposes. For example, if you bring up the Properties dialog for the My Pictures folder, Windows Explorer won’t let you change the folder’s template, and you won’t see a Customize tab. If you can’t see the Customize tab, give up. Windows beat you. Again.)
Step 3. On the Customize tab, click the drop-down box marked Use this folder type as a template, then pick the folder type that seems most appropriate. Click OK, and the folder should now behave the way you want.
Happy holidays, everybody.
Woody Leonhard‘s latest book is Windows XP Hacks & Mods For Dummies, published by Wiley.
Tech items to take with you
By Vickie Stevens
‘Tis the season for traveling! This week, we round up reviews of items that make it a little more fun to get away. In this section, you’ll find the latest items to store your data, keep you entertained no matter how long your journey lasts, and make cell calls on the road.
USB DRIVES
Three models stand out in USB superguides
The editors at PC Magazine have put together the ultimate guide to flash drives, U3 keys, and USB hard drives ranging from 256MB to 6GB of storage. All support USB 2.0. Although three different categories of USB drives are reviewed, the Editors’ Choice is bestowed on only two models: the Kingston DataTraveler Elite (photo 2, above) and the Memorex U3 smart Mini TravelDrive (photo 3). The DataTraveler Elite also took top honors in an earlier, exhaustive review of 20 USB drives by AnandTech, which gave its Editors’ Choice Gold award to the Lexar JumpDrive Lightning (photo 1) as well.
Memorex U3 Mini TravelDrive (PC Magazine Editors’ Choice, Score: 4.5/5.0)
Kingston DataTraveler Elite (PC Magazine Editors’ Choice, Score: 4.0/5.0)
Lexar JumpDrive Lightning (AnandTech Editor’s Choice Gold)
Link to all ratings and full reviews
PORTABLE MEDIA PLAYERS
New-generation players earn high ratings
CPU Magazine’s editors review seven players that do it all: movies, TV, music, photos, and games. The highest rating goes to the Creative Zen Vision (photo 1). Meanwhile, Maximum PC Mag puts portable audio as well as video players head to head. The reviewers declared a three-way tie, choosing the iPod Nano (photo 2) and the iRiver T30 (photo 3) for audio and the Apex (photo 4) for video.
Creative Zen Vision 30GB (CPU Magazine, Score: 4.5/5.0)
Apple 2GB iPod Nano (Maximum PC, Score: 9.0/10.0)
iRiver T30 (Maximum PC, Score: 9.0/10.0)
Apex Digital E2Go MP-6500 (Maximum PC, Score: 9.0/10.0)
Link to all ratings and full reviews
SMART PHONES
Treo 650 and Sidekick II top yet another list
Cell Phone Handbook puts 23 new smart phones through the wringer to name the best PDA/cell phone hybrid you can find. According to the editors, the Treo 650 (photo 2) is "the best smart phone in existence" while the Sidekick II (photo 1) is "the supersmart handset of tomorrow."
PalmOne Treo 650 (Cell Phone Handbook, Score: 5.0/5.0)
T-Mobile Sidekick II (PV-100) (Cell Phone Handbook, Score: 5.0/5.0)
Link to all ratings and full reviews
——————
For non-U.S. sources of information on a product reviewed above, enter the model name into a search box at one of the following links: Canada / U.K. / Elsewhere
The Index of Reviews summarizes only head-to-head comparative tests by respected industry reviewers, not individual ratings of single products. Vickie Stevens is research director of WindowsSecrets.com.
Do Microsoft updates now force reboots?
By Brian Livingston
Anything that interferes with people updating Windows is bad; we want the process to be as smooth and trouble-free as possible. Unfortunately, Evan Katz, a reader from New York City, says Windows users are suffering from a disturbing new feature of patches downloaded from Microsoft Update:
- “As you may have gleaned over the years, I am neither a Microsoft ‘cheerleader’ nor ‘basher,’ and indeed appreciate the many fine software products that the company has produced. But my colleagues and I are extremely upset and very disappointed at an absolutely horrible protocol that Microsoft recently has introduced regarding its periodic downloadable Windows updates, as the protocol causes data loss, system malfunctions, and other very serious problems.
“Specifically, when a user downloads and installs a routine Microsoft Update (formerly known as Windows Update) upgrade, such as the “Critical Updates” that Microsoft released this week, if that update requires a system reboot in order to complete its installation, the user is presented, as always, with the usual option to reboot either now or later. As you know, there is nothing at all unusual or wrong with that. And, until recently, if the user told Windows that he or she would reboot later, that was the end of the story, and nothing further happened until he or she manually rebooted his or her P.C. Indeed, this is precisely how all other software companies handle their software updates and any necessary reboots (i.e., it is the user who determines when a necessary reboot occurs).
“However, and here is where the problem lies, if the user now advises Windows that he or she will reboot later, Microsoft now takes it upon itself to eventually force a reboot — without first obtaining the user’s consent and permission — if the user has not performed a reboot after a certain period of time (about a few hours, I believe, but I have not timed it).
“This new and incredibly audacious and near-sighted approach by Microsoft, which protocol is not disclosed when the user either downloads or installs a Windows upgrade, has caused completely unintended and unpredicted reboots of colleagues’ computer systems, some of which run very important mission-critical applications, with all the attendant data loss and system malfunctions that can be caused by an entirely unintended and system-forced reboot. As a result, Microsoft’s foolish forced rebooting has caused very serious and horrible results.
“Are you aware of this problem? I have not seen anything written about it in any of the major computer publications or newsletters (although I have not done a search). Can you please get some press for this egregious situation and hopefully speak with Microsoft and get it to reverse its atrocious decision, so that “I will reboot later” reverts to its original and intended meaning! Thanks.”
Contributing editor Susan Bradley has studied this problem. She says the reboots occur because the reminder dialog boxes grab the keyboard focus from the window you were just using:
- “The ‘forced reboot’ in XP SP2 annoyingly reminds you about every 5 minutes that you need to reboot. The problem is this: When it pops up and says, ‘Hey, you want me to reboot?’, you can be right in the middle of typing something.
“The pop-up window will catch you pressing Y and thus think you selected, ‘Yes, reboot now.’ Which, technically, you have, since the pop-up grabbed the focus, but in your mind you haven’t.
“Yes, it is annoying. But Microsoft is not mandatorily making you reboot. You typed ‘Y,’ you just didn’t realize that every 5 minutes a dialog box will annoyingly ask you ‘Yes’ or ‘No.’
“We’ve had this discussion on MVP listserves and it is never a forced reboot. You can also install on shut down.
“The better way is to leave your computer on, choose a time at night to apply patches, and make sure all your apps are closed.
“Vista will have a feature that will allow the file to temp save, reboot the box, and then the machine will return right back to where it was. This will be initially for MS stuff, but app vendors can plug into the API, too.”
Another way to protect against accidental reboots is to switch the Automatic Updates control panel to the option entitled Download updates for me but let me choose when to install them. You access this option by clicking Start, Settings, Control Panel, Automatic Updates in Windows XP and 2000.
Unfortunately, this lowers your security readiness, if you previously had Automatic Updates set to automatically download and install all updates. But it does allow you to postpone any patches that, in all likelihood, will require a reboot.
After you change the Automatic Updates setting to “let me choose,” you still get a notification when new updates are downloaded. You can then install them when you know you have time to wait through any reboots that may be required.
This can expose you to malware risk, since you probably won’t set aside time to run every patch as soon as it’s available. For this reason, I recommend that most individual Windows users set Automatic Updates to install all Microsoft patches automatically.
I hope to have an official comment from Microsoft about the reminder dialog boxes by the next issue of the newsletter.
Reader Katz will receive a gift certificate for a book, CD, or DVD of his choice for sending me a comment that I printed.
Old and new holes threaten browsers
By Chris Mosby
It’s been a rough couple of weeks for Web browser security. Not only did a 6-month-old IE 6 vulnerability come back to haunt Microsoft with a vengeance, but Mozilla’s important new Firefox 1.5 release was also marred by the immediate discovery of an overhyped, so-called vulnerability. Allow me to explain.
Firefox 1.5 ‘vulnerability’ isn’t critical
Earlier this month, News.com reported that exploit code was circulating on the Net for a "vulnerability" in Mozilla’s newly released Firefox 1.5. This exploit involves a flaw in the History.dat file. This file stores information about Web sites you visited while using Firefox.
The initial article reported that Firefox would crash every time the browser was restarted after you visited a Web page with an extremely long title. This caused, in effect, a denial of service of your browser. The article was based on an Internet Storm Center (ISC) diary entry about initial tests of proof-of-concept (POC) code.
Packet Storm, where the exploit code was published in the first place, also claimed that the exploit could cause a buffer overflow that could execute infected code.
After further testing by the ISC, Mozilla.org, and others, it was discovered that this issue was not as critical as claimed. The worst the POC code could do was make Firefox take a long time to start. Secunia describes the flaw as merely a "weakness" and not a vulnerability. The company gives the problem a rating of "not critical" in its advisory on the issue.
Neither the ISC nor Mozilla.org could make Firefox crash. Nor could they find any reliable evidence that this "exploit" could make the browser run infected code. Armed with that information, Mozilla.org published a security advisory entitled “Long-title temporary startup unresponsiveness.” This document explains that there is little risk to users. More important, it provides a way to fix the browser’s slow startup time if you do happen to encounter the exploit.
What to do: Mozilla’s advisory gives you two ways to recover from this problem. The best approach is to open the browser’s History from the Go menu, select the item with the long title, and simply press Delete. As an alternative, you can completely delete all history data. To do this, select Clear Private Data from the Tools menu. In the dialog box that appears, check the Browsing History box, then press the Clear Private Data Now button.
IE frames can still be injected
As I reported in this column on Feb. 10, June 30, and Sept. 15, 2005, “frame injection” is a problem that has affected several different browsers for months. As Secunia shows on its browser test page, a malicious site you visit can insert its own content into a frame of a trusted site that you browse to later. For example, you might visit an apparently harmless site, which is in reality untrustworthy. If you then visit your bank online, you might sooner or later see a window that appears to be from the bank, but is actually controlled by someone who wants your password.
When this gaping hole was first reported, there was a lot of press coverage about the inadvertent re-introduction of the weakness into Firefox when version 1.0.3 was released. Internet Explorer supporters crowed about this, but the same vulnerability has gone unpatched in IE since the problem was first discovered over one year ago.
The hole was closed again by Firefox in versions 1.0.5 and higher. The problem doesn’t exist in the new 1.5 version of Firefox.
Microsoft, on the other hand, has dropped the ball on this issue. It still offers no solution for its IE browser after all this time and all the negative publicity. Instead, Redmond has focused its efforts on the development of version 7 of its flagship browser.
What to do: Secunia’s advisory suggests disabling IE’s Navigate sub-frames across different domains setting. If you’re still using IE and you’ve followed Brian’s "Protect IE without SP2" article from the Nov. 18, 2004, newsletter, then you’ve already taken care of this. Disabling the sub-frames feature is part of Brian’s procedures.
6-month-old hole threatens unpatched IE users
In late November, Microsoft released security advisory 911302. This document warns about a vulnerability that was discovered way back in May of this year. The flaw had originally been seen as just a stability issue that would cause IE to close unexpectedly. But, since that time, it has been publicly reported that the exploit allows the execution of infected code on a PC. The advisory goes on to say that Microsoft is aware of infected code that’s already targeting this vulnerability.
Microsoft quietly reported TrojanDownloader:Win32/Delf.DH in its new “Malicious Software Encyclopedia.” The encyclopedia entry shows us why the company advised people to visit its new Windows Live Safety Center. Microsoft already had a way to remove the first Trojan that used the IE vulnerability.
The same Trojan showed up later under the name JS_WINDEXP.A on Trend Micro’s site. Microsoft, however, hasn’t released a patch, probably because it didn’t think the Trojan was very widespread yet.
The Internet Storm Center soon reported that Web sites are exploiting this IE vulnerability. The center is asking for help from its readers to verify the threat.
Lastly, Trend Micro has posted listings of three new pieces of JavaScript malware that are being run by various infected Web sites. These attacks are named JS_DLOADER.BAA, JS_DLOADER.AZZ, JS_DLOADER.AZY.
Microsoft security bulletin MS05-054 finally closes this dangerous hole. Susan Bradley’s column, below, describes this patch in more detail.
What to do: The risk of the in-the-wild exploits I’ve described above is so great that I urge you to install MS05-054 immediately. But, because IE has many other vulnerabilities, I recommend that you switch to a browser other than IE, such as Firefox. If that’s not an option, you can secure IE using Brian’s recommended configuration. You should also use at least the components in the Security Baseline, above.
The Over the Horizon column informs you about threats for which no patch has yet been released by a vendor. Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.
Zero-day patch = zero days to install
By Susan Bradley
When you read that there’s a new security bulletin for IE, you probably tune me out like you do with flight attendants: "Keep your browser in its upright and patched position." There’s a twist this week, though, as Microsoft closes a hole that’s already being exploited but which hasn’t had a patch available for weeks.
MS05-054 (905915)
IE DOM/COM patch is a MUST DO NOW
Buried deep down on page 19 in the 46-page security bulletin Microsoft published about IE’s DOM/COM flaws is the information that all of us need to be aware of: "When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?" The answer is, "Yes."
This is a zero-day exploit; it’s already in the wild. It even affects versions of IE 6 with XP Service Pack 2 installed.
The usual caveats about IE patches apply. If you’ve installed any prior hotfixes, be sure to read Knowledge Base article 905915. In addition, previous Internet Explorer patches have caused issues with ActiveX controls. If your company develops custom Web applications, look for quirks of the kind that are discussed in KB 909889.
If you have any such intranet Web applications, my recommendation is to first test the patch on a couple of sample workstations. But do try to get this patch out to all hands this week. Given that next week is the beginning of the traditional holiday vacations, for those of you who work in corporations, you might find this harder to roll out as staffers leave for long-scheduled trips.
One very interesting thing about this patch is that it contains a "killbit" for the original Sony BMG rootkit uninstaller, which opens security holes of its own. Ryan talks specifically about that in his column, below.
For more information on the DOM/COM patch, see security bulletin MS05-054 and KB 905915.
MS05-055 (908523)
Windows 2000 SP4 needs defensive patch
You may think Windows 2000 SP4 is no more vulnerable to bad things than Windows 2003. If so, you should notice that this week’s second patch is rated an "Important" patch for Windows 2000 SP4 but is unneeded on Microsoft’s other supported platforms.
Because this particular hole cannot be exploited remotely, Redmond has merely described it as Important rather than Critical. However, more details on the problem are provided by eEye, which originally discovered the exploit. The company says that even though the Windows 2000 flaw cannot be used across the Internet, it will probably become part of a blended threat that does attack remotely.
For more information, see MS05-055.
(910437)
When Microsoft Update doesn’t
I’ve said in the past that Windows Update and Microsoft Update had problems. This week’s release of a nonsecurity patch for Windows XP and 2003 clearly indicates that Microsoft’s update routines needed fixing.
If you go to Microsoft’s update site and receive an access violation, this indicates that you won’t be able to download updates without the patch described in KB 910437.
This patch and the DOM/COM patch for IE described above are two especially important fixes for home users. It’s difficult enough for us to keep our home systems patched. When the mechanism itself breaks, that makes it nearly impossible. For more information, see KB 910437.
(908521)
Using ‘Outlook over HTTP’ and seeing issues?
Now available on the Microsoft download site is an important patch for an "Outlook over HTTP" issue. This would only affect you if your copy of Outlook has been set up to connect back to an Exchange server over the Internet.
Please note that this procedure is normally established in corporate settings. It’s not the normal POP3 connection to your ISP that most of us use Outlook for. For more information, see KB 908521.
WSUS and SUS have a few hiccups
I’d be remiss if I didn’t discuss a few known issues we’ve seen with WSUS (Windows Software Update Services) and one I’m investigating with SUS (Software Update Services) 1.0 SP1.
First, WSUS started offering up the new Microsoft beta photo-sharing product code-named "Max." This category was reported on the WSUS blog to be a glitch that will be fixed in WSUS SP1.
Next up was an update to Exchange Intelligent Message Filtering. The WSUS blog also reported that this update to the filter was incorrect. It added that more information would soon be found on the Microsoft Update site.
At this time, I haven’t seen anything on the site regarding how this will be deployed. I’ll update you as soon as I know, and this will be included in a future newsletter.
Finally, there’s a big issue with the older SUS patching platform, where you do have a slight mess on your hands. SUS servers can cause previously approved updates to require approval again after the December patches. Please note that this does not affect servers using WSUS, only SUS servers. For more information, see KB 912307.
SBS patches now coming via MU and WSUS
The big news for Small Business Server 2003 admins is that patches that are unique to that platform are now offered up on Microsoft Update and WSUS. It’s too bad that those now-infamous attorneys in Ireland couldn’t merely have used Microsoft Update and saved themselves the embarrassment of a Register article about their inability to patch.
To the average home user, patching is still a pain, a chore, confusing and, in all respects, still a mess. But the fact that patching for the server platforms is finally becoming manageable for even small firms is nice to see. For more information, see the WSUS product team blog.
The next version of Small Business Server 2003, which is scheduled to ship as Release 2 in 2Q 2006, will include WSUS inside the program. This was reported by product manager Guy Haycock on the Windows Server blog.
(909988)
SBS 2003 SP1 needs fix for SharePoint
This item applies to you if you have SBS 2003 with SP1 preinstalled. (In other words, the service pack was not applied to an existing box.) If you reinstall Windows SharePoint Services, you could lose some data.
Microsoft’s new patch for this, which is being offered only to “slipstreamed installed” versions of SBS 2003, fixes the issue. It’s expected to be on the Microsoft Update site and the WSUS site any day now, but it wasn’t available for download as of this writing. I hear it’s supposed to be online by Dec. 19, at which time you can read KB 909988.
OK, so I have a thing about patching
If you haven’t figured out by now, I’m a bit wacko over patching. That made it a treat to be interviewed on the SBSShow with Vlad Mazek and Chris Rue. We talked about patches, patch management, and some of the business philosophy behind patching.
The recording is what’s called a podcast. You can download it to an MP3 player or an iPod for playback. Of course, you can also just listen to it on your computer. But that’s not quite as cool as listening in on a white little player with headphones, is it?
MS05-011 (885250)
Disabled 8.3 names and can’t see shares?
Microsoft security bulletin MS05-011 (885250) has been updated to acknowledge an issue that occurs on Windows XP and 2003. If you’ve disabled the use of the eight-dot-three file structure, better known as the old DOS names, and installed MS05-011, you won’t be able to see network file shares using Windows Explorer or the dir command. See KB 896427 for a discussion of the issue and its resolution.
Updates out for Project, SQL, and 2003 Server
We have a new build for Project Server called Service Pack 2a. This replaces Service Pack 2. KB 906429 discusses the fixes in this service pack. If you installed SP2, you may have run into an issue with "enterprise outlook code lookup tables." This is explained in KB 909947. For more information, and ways to download SP2a, see KB 887621.
Back in November, SQL Server 2005 was launched with security enhancements over the 5-year-old SQL Server 2000. Given that database conversions can be tricky, this is one upgrade that will probably take firms a few years of testing and review before approving the upgrade. Typically, you have to wait until your database applications support the new server technology. Therefore, when evaluating SQL Server 2005, first look at what your application requirements are.
Finally, the Windows Server 2003 line got a mini-refresh on the road to Longhorn. Called Windows 2003 R2, the update to Windows 2003 SP1, with a second disc of "feature packs," has been released to manufacturing. It has features for better support of identity authentication and branch offices. See Microsoft’s “What’s New” document for more information.
Keeping yourself up to date and patched isn’t easy, but it helps us all to stay safe. Thank you for being a reader of this newsletter, as you’re part of the solution and not a victim.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title awarded by Microsoft to independent experts who do not work for the company. She’s known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003 and is a partner in a CPA firm.
Make new PCs safe for the holidays
By Ryan Russell
It’s December, time for everyone’s favorite packages. That means software and patch packages, of course.
Update those slick PCs you bought
If my last column about updating your family members’ computers applied to you, then I have a small reminder. Don’t forget that any new computers you buy need updating immediately, too.
I have faith that if you supplied a family member with a “new” computer — meaning a refurb or home-built machine — then you’ve already applied all the updates before the PC ever left your broadband connection.
However, if it’s a new, brand-name, out-of-the-box computer from your local electronics chain, then it’ll be several months behind on security patches. Not only has it been in transit and storage, possibly for months, but computer manufacturers only update their install images a couple of times per year, in most cases.
The majority of new Windows computers will come with some flavor of Windows XP installed. As long as it has at least Service Pack 2 on it, and at least the Windows Firewall is enabled, it should survive on the Internet long enough for you to download the new patches without it getting infected. If the OS is older than XP SP2, you must enable the Windows Firewall manually before connecting to the Internet to keep the machine from being hacked within minutes.
Be sure to allow HTTP traffic so you can download the current updates from Microsoft. If you have an older version of XP, you’ll end up with a different (better) firewall as soon as Service Pack 2 is installed.
New IE patch kills Sony BMG uninstaller
Speaking of updates, this Patch Tuesday brought us a new Internet Explorer cumulative update, as you no doubt just read about in Susan’s column, above. In addition to fixing the usual slew of Internet Explorer issues, including one that’s already in the wild, Microsoft has set some “kill bits.”
If you’re not familiar with the term kill bit, it’s a way to disable an ActiveX control.
Old-timers may recall a time when the Web was new and people were concerned about this “active content” that was going to be introduced into IE. This is mostly now referred to as ActiveX. It’s a way to run native Windows compiled code in Internet Explorer.
The (valid) concern was the programming mistakes that people make all the time. “Won’t the ActiveX controls be exploitable, like just about every other piece of code in the world?” people asked. Of course they’re exploitable (and have been, and will be in the future).
One complaint was that Microsoft’s design more-or-less trusted digitally signed controls forever. If the signature was good once, it will be good later, Microsoft figured. That may be true, except things happen — things like certificates expiring and such.
A digital signature was never supposed to mean that a piece of code was flawless. It was supposed to mean that the code came from a particular software publisher, and you were supposed to judge it based on that.
The problem is that about all you typically see is whether the signature verifies or not, and would you like to click “Yes” to make the thing work. Desktop users, as a collective population, don’t usually make security-prudent decisions. Further, even trusted companies make mistakes sometimes.
Some controls from Microsoft itself have had holes and had to be taken out of circulation. That sort of worked, except that any bad guys who saved a copy could still offer the vulnerable signed control back to their victims at will.
Fortunately, Microsoft has a mechanism to deal with this, which is the kill bit. If set, it means that an otherwise “good” control is now disabled.
Why do we care and what does this have to do with the Sony BMG rootkit I keep going on about? In the new IE patch released on Dec. 13, Microsoft has set the kill bit for the old versions of the Sony BMG rootkit “uninstaller” program.
The problem was that the old ActiveX control from Sony BMG (written by First4Internet) installed a gaping security hole on your PC. This allowed any Web page you visited to install software on your computer. Very bad.
Microsoft says, “This kill-bit is being set with the permission of the owner of the ActiveX control.” I take this to mean that everyone involved is starting to straighten up and do the right thing. I’m pleased to see that.
Sony BMG now seems to have a fixed uninstaller, which is what everyone wanted in the first place. I haven’t yet tried it or analyzed it, so I encourage you to approach it with caution, but I think we’re finally getting there.
If you’re taking an update CD with you to the relatives’ place for the holidays, don’t forget to add this Internet Explorer cumulative update to the disc.
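The kill-bit mechanism described above can be checked after patching; the following is an added example, not part of the original column. Microsoft documents the kill bit as bit 0x400 of the `Compatibility Flags` DWORD stored under a control's CLSID in the `ActiveX Compatibility` registry key, so an exported copy of that key can be audited offline. The CLSIDs, the sample export and the function names are constructed for illustration, since the column does not give the CLSID of the Sony BMG control.

```python
import re

# Per Microsoft's documentation, the kill bit is bit 0x400 of "Compatibility Flags".
KILL_BIT = 0x00000400
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KEY_RE = re.compile(r"^\[" + re.escape(BASE) + r"\\(\{[0-9a-f-]{36}\})\]$", re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

# Constructed sample in .reg export format; the CLSIDs are placeholders.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000a2}]
"Compatibility Flags"=dword:00800420
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A3}]
"Compatibility Flags"=dword:00000020
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A4}]
"""

def parse_flags(export_text):
    """Map each CLSID (upper-cased) to its flags value, or None if the value is missing."""
    flags, clsid = {}, None
    for line in map(str.strip, export_text.splitlines()):
        key, value = KEY_RE.match(line), FLAGS_RE.match(line)
        if key:
            clsid = key.group(1).upper()
            flags[clsid] = None
        elif line.startswith("["):
            clsid = None  # a key outside ActiveX Compatibility: ignore its values
        elif value and clsid:
            flags[clsid] = int(value.group(1), 16)
    return flags

def audit_kill_bits(export_text, expected_clsids):
    """Return {clsid: status} for controls that are supposed to be disabled."""
    flags = parse_flags(export_text)
    report = {}
    for clsid in expected_clsids:
        value = flags.get(clsid.upper(), "absent")
        if value == "absent":
            report[clsid] = "no key: control not blocked"
        elif value is not None and value & KILL_BIT:
            report[clsid] = "kill bit set"  # bit test, so combined flags still count
        else:
            report[clsid] = "key present, kill bit not set"
    return report
```

A real export produced with `reg export` is UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text to `audit_kill_bits`.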
We’ve got third-party updates, too
In the newsletter that comes out two days after Patch Tuesday, we tend to focus on Microsoft patches. But the Redmond company isn’t the only one putting out updates. There are many third-party software packages that you’re likely to find on the majority of Windows computers.
Among these are Adobe Reader and the Java Runtime Environment (JRE). These two are usually installed, of course, because PDF files require the reader and any Java-enabled Web page or Java-based application requires the JRE.
It used to be that a Microsoft version of the JRE was installed and tracked by the usual Microsoft software update mechanisms. But a spat between Sun and Microsoft a couple of years ago eliminated that. Now you have to go get the Sun version.
There are many issues with these two apps in particular. I’ll try to briefly tackle a couple of the issues.
First of all, they need to be patched and updated, like any application. Recognizing this, they each come with their own self-update mechanisms. This creates potential problem number one: The update process takes place completely outside of your normal patch management process. It puts the decision in the hands of the desktop user, which as we discussed isn’t always the ideal place for it.
The user’s decision-making process is problem number two: Sun and Adobe would apparently like a little extra revenue. They keep offering to give me the Google toolbar and the Yahoo toolbar, respectively. On the occasions when I’ve done the updates on my personal computers, these options have been on by default. I had to uncheck the boxes to avoid getting the extra downloads.
Let me admit a couple of things here. First, I’m very paranoid about spyware, and I spend way too much time cleaning it off computers.
I don’t mean to imply that Google’s and Yahoo’s offerings aren’t 100% above-board and honest. Out of all the toolbars out there, I would probably trust these two the most. However, I’ve run into minor issues with them interfering with performance, browser stability, and some other minor infractions.
I’m not up-to-date on the latest versions, whether everything has been fixed, etc. That’s because, frankly, I just won’t use them. I’ve developed an aversion to extra things in my browser.
Second, I admit to having a strong bias that security updates ought to be painless, free, and as widely available as possible. I think Microsoft should be giving security updates to people who didn’t necessarily pay for their software, for example.
So with those biases disclosed, I claim that bundling extra things into your patch updates is a problem. I don’t mean to deny Adobe and Sun their extra income. But I think it’s important to keep security patches a no-brainer and trouble-free. Any extra worry makes it that much less likely that fixes will get rolled out in a timely manner.
Another issue, which is beyond the scope of this article, is the multiple versions of Java that often end up on computers. For whatever reason, Java’s promise of “write once, run everywhere” wasn’t 100% accomplished. In fact, it seems that any major Java application is tied enough to a particular version of Java that it usually ships with its own copy of a particular JRE version.
This means you’ll probably have multiple versions of the JRE on your computer. Some of them will be older versions, and therefore you’re still vulnerable to the original, unpatched security problems. Whoops.
There’ll be more on the JRE issue in future newsletters. Thanks to my fellow columnist, Susan, for suggesting that I mention this topic. I’d also like to acknowledge the contributors to the patchmanagement mailing list (which I help moderate). They’ve been running into these very problems and have been giving me valuable insight into where this is going.
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
