Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
Is Firefox still safer than IE?
In this issue
- TOP STORY: Is Firefox still safer than IE?
- INDEX OF REVIEWS: Devices to carry at work and play
- BRIEFING SESSION: Take back Windows: the best readers' tips
- WINDOWS SECRETS: Hackers may be profiting from your computer
- PATCH WATCH: Do few patches mean few issues?
- PATCH WATCH: Reducing your rush to patch
- WACKY WEB WEEK: Replicator duplicates gold, now only $250,000 at eBay
Is Firefox still safer than IE?
The popular Firefox browser received a security upgrade, known as version 1.0.4, when the Mozilla Foundation released the new code on May 11. This upgrade closes a security hole that could allow a hacker Web site to install software without a visitor’s knowledge or approval.
This is the fourth minor update to Firefox since the open-source browser’s 1.0 release on Nov. 9, 2004. That doesn’t seem like very many patches to me, compared with Firefox’s dominant competition, Microsoft’s Internet Explorer (IE), which is included in every copy of Windows. But I’ve heard a surprising amount of comment that Firefox might no longer be as secure as IE.
At Microsoft’s Windows Hardware Engineering Conference (WinHEC), held in Seattle April 25-27, for example, an IE product manager made this case explicitly. Firefox had had (at that time) “three major releases,” she said, while Internet Explorer 6.0 had had none. This statement was presented as though a lack of upgrades to IE was a benefit.
In fact, Microsoft has released at least 20 major security patches for Windows or Internet Explorer since November 2004. Most of these patches were rated “Critical,” Microsoft’s most severe security alert level.
The evidence I’ve seen so far indicates that Firefox remains much more secure than IE. But it’s worth our time to take a closer look.
IE users were exposed for 200 days in 2004
Some remarkable statistics comparing the major Web browsers have been developed by Scanit NV, an international security firm with headquarters in Brussels, Belgium, and Dubai, United Arab Emirates.
The company painstakingly researched the dates when vulnerabilities were first discovered in various browsers, and the dates when the holes were subsequently patched.
The firm found that IE was wide open for a total of 200 days in 2004, or 54% of the year, to exploits that were “in the wild” on the Internet.
The Firefox browser and its older sibling Mozilla had no periods in 2004 when a security flaw went unpatched before exploits started circulating on the Net. With the latest 1.0.4 upgrade, Firefox has retained its “patch-before-hackers-can-strike” record so far in 2005, as well.
These statistics are so important to understanding the “attack surface” of the major browsers that we should break down this study into its individual findings:
• IE suffered from unpatched security holes for 359 days in 2004. According to Scanit, there were only 7 days out of 366 in 2004 during which IE had no unpatched security holes. This means IE had no official patch available against well-publicized vulnerabilities for 98% of the year.
• Attacks on IE weaknesses circulated “in the wild” for 200 of those days. Scanit records the first sighting of actual working hacker code on the Internet. In this way, the firm was able to determine how many days an IE user was exposed to possible harm. When Microsoft released a patch for an IE problem, Scanit “stopped the clock” on the period of vulnerability.
• Mozilla and Firefox patched all vulnerabilities before hacker code circulated. Scanit found that the Mozilla family of browsers, which share the same code base, went only 26 days in 2004 during which a Windows user was using a browser with a known security hole. Another 30 days involved a weakness that was only in the Mac OS version. Scanit reports that each vulnerability was patched before exploits were running on the Web. This resulted in zero days when a Mozilla or Firefox user could have been infected.
The Opera browser also experienced no days during which unpatched holes faced actual exploits, but Scanit began keeping statistics on Opera only since September 2004.
To see Scanit’s visual timeline of these holes, exploits, and fixes, visit the firm’s Internet Explorer page. On that page, click “Next Page” to see the timelines for Mozilla, Firefox, and Opera.
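The Scanit figures quoted above come from a simple kind of calendar arithmetic: for each hole, the days between public disclosure and the patch count as “unpatched,” and the days between the first sighting of exploit code and the patch count as “exposed.” The following Python is an added illustration of that method, not code from the newsletter or from Scanit; the dates in SAMPLE_HOLES are constructed for an imaginary browser, not Scanit’s findings. Overlapping holes are merged so a day is never counted twice, and an exploit that appears only after the patch contributes nothing, which is how a browser ends up with a zero-day-exposure record.

```python
"""Exposure-window arithmetic in the style of the Scanit browser study.

Added example, not code from the newsletter or from Scanit. The SAMPLE_HOLES
dates are constructed, not real findings.
"""
from datetime import date

# One record per vulnerability: (publicly known, exploit first seen or None,
# patch released or None). Constructed sample data for an imaginary browser.
SAMPLE_HOLES = [
    (date(2004, 1, 10), date(2004, 1, 20), date(2004, 2, 9)),    # exploited 20 of 30 open days
    (date(2004, 2, 1),  None,              date(2004, 2, 15)),   # overlaps the first; never exploited
    (date(2004, 6, 1),  date(2004, 6, 1),  date(2004, 6, 8)),    # exploit out the day it became public
    (date(2004, 12, 20), date(2004, 12, 25), None),              # still unpatched at year end
]


def _merge(intervals):
    """Union of half-open [start, end) intervals, so overlapping holes are not double counted."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def _total_days(intervals):
    return sum((end - start).days for start, end in intervals)


def exposure_days(holes, year):
    """Return (unpatched_days, exploited_days) for one calendar year.

    unpatched_days: days on which at least one known hole had no patch.
    exploited_days: days on which an unpatched hole also had exploit code
    circulating; the clock stops on the patch date, as the text describes.
    """
    y_start, y_end = date(year, 1, 1), date(year + 1, 1, 1)
    unpatched, exploited = [], []
    for known, exploit_seen, patched in holes:
        end = min(patched or y_end, y_end)
        start = max(known, y_start)
        if start < end:
            unpatched.append((start, end))
        if exploit_seen is not None:
            e_start = max(exploit_seen, y_start)
            if e_start < end:            # an exploit seen after the patch counts for nothing
                exploited.append((e_start, end))
    return _total_days(_merge(unpatched)), _total_days(_merge(exploited))


def share_of_year(days, year):
    """Percentage of the calendar year, leap years included (2004 had 366 days)."""
    year_len = (date(year + 1, 1, 1) - date(year, 1, 1)).days
    return round(100.0 * days / year_len, 1)


if __name__ == "__main__":
    open_days, hit_days = exposure_days(SAMPLE_HOLES, 2004)
    print(f"unpatched: {open_days} days ({share_of_year(open_days, 2004)}% of 2004)")
    print(f"exploited: {hit_days} days ({share_of_year(hit_days, 2004)}% of 2004)")
```

Feeding the script Scanit’s 200 exposed days gives 54.6% of the 366-day year, matching the rounded figure in the text; the interesting input for your own products is the gap between the second and third date of each record, since that is the only number a vendor controls.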
Firefox fixes take days, IE takes months
From the record to date, the Mozilla/Firefox team has shown that new security discoveries typically result in a patch being released in only a week or so.
This was certainly true in the case of Firefox version 1.0.4. The primary security hole that was closed by that version was unexpectedly publicized by the French Security Incident Response Team (FrSIRT) on May 5. The Firefox patch was released only six days later. (The apparent discoverer of the flaw, the Greyhats Security Group, had been working responsibly with Firefox’s development team and criticized the leak.)
Perhaps the responsiveness of the Mozilla development group will shame Microsoft into fixing security holes much faster in the future. The situation has become so bad that eEye Digital Security, a respected consulting service, maintains an “upcoming advisories” page showing how much time Microsoft is allowing critical problems that are reported to the Redmond company to go uncorrected.
At present, eEye’s count reveals that three critical unpatched issues currently affect Microsoft’s products. None of these have gone unpatched longer than 60 days, the period after which eEye considers a patch to be “overdue.” But some critical, widely-known security holes went as long as six months in 2003 and 2004 without an official fix being made available by Microsoft.
Another security firm that tracks security holes in IE, Firefox, and many other applications is Secunia, based in Copenhagen, Denmark. As of today, Secunia reports that there are still 19 unpatched security flaws in IE, the most severe of which is rated “highly critical.” Firefox has only 4 unpatched flaws, all of which are rated “less critical” or “not critical,” the lowest severity rating. Opera has none.
Microsoft officials often excuse their tardiness in fixing security holes in IE by saying that the code is so complex that any fix has a high likelihood of breaking something else. Well, who integrated IE so tightly into the operating system that the browser is so delicate? It’s Microsoft’s own poor programming that causes much of the software giant’s very visible problems.
Microsoft employs some of the best software developers in the world. The company enjoys a cash reserve of $35 billion and is highly profitable. Yet a tiny company that builds open-source browser software is making the Redmond giant look foolish and incompetent in securing its products.
I have no particular attachment to the Mozilla Foundation or its products. If the foundation’s browser software was a threat to Windows users, I’d say so. At the present time, several serious unpatched holes are known to exist in IE, while few or none plague Firefox. This isn’t a religious issue, it’s just a fact.
The foundation announced two weeks ago that they’d surpassed 50 million downloads of the free Firefox browser. The application is largely responsible for knocking down IE from a 94% market share in May 2004 to 87% in April 2005, according to OneStat. That’s a remarkable accomplishment, considering that IE is free and comes preinstalled with Windows. Sites with a base of expert Windows users report much higher levels of Firefox usage.
How to keep Firefox upgraded
No matter how fast Firefox’s developers update it, it doesn’t do you any good unless you’ve got the browser configured to notify you of updates. This is a simple matter, but it’s worth making sure you have it right:
• Enable update checking. In Firefox, click Tools, Options, Advanced. Ensure that the selection for Periodically check for updates is on, both for Firefox and for My Extensions and Themes. This is the default setting, so most Firefox users will automatically get notices of updates.
• Check for upgrades manually, if desired. You should see a dialog box informing you of new updates as the Mozilla Foundation releases them. There’s a random delay, however, so every user doesn’t try to download a new version on the same day. To check whether there’s an update that applies to you, click the red up-arrow that’s in the upper-right toolbar of the Firefox menu area.
• Download the latest version. If a dialog box tells you an update is available, close the window, then open Firefox’s download page. If you want a version other than Windows U.S. English, click the Other Systems and Languages link and select your preferred version. Download the executable file to a temporary area of your hard disk, then close all apps (including Firefox itself) and run the installer.
It’s no longer necessary or recommended that you uninstall Firefox before upgrading to a new version. A few glitches affected upgrades to versions 1.0.1 and 1.0.2, but this has been corrected since 1.0.3.
It’s unfortunate that hackers are so attracted to browsers as a way to take over users’ computers. But that’s where the money is, as bank robber Willie Sutton once said. We have to accept a certain amount of upgrading as the price of using complex Windows applications. But we can reduce the threat to ourselves and others by using browsers that have a proven record of rapid, responsible development.
I’d like to thank reader Terry Engles for his help researching this topic. To send us more information about the browser wars, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
Devices to carry at work and play
Mobile gadgets dominate this batch of reviews. Everything from gaming devices to wireless mice to Wi-Fi detectors gets a look — and just in time for summer vacations.
In recent weeks, several major reviewers, whom we summarize here, have also tested LCD monitors, digital cameras, external hard drives, affordable DVD players, and more. We bring together the top ratings for you.
HANDHELD GAMING DEVICES: PSP is unbeatable handheld, says T3 Mag. The new Sony PlayStation Portable hit the market last month, and T3 Magazine is one of the first with a head-to-head evaluation of the PSP against its four main competitors. The device plays movies as well as games and earns a perfect score from T3. Sony PSP (Best Buy, Score: 5.0/5.0). Link to all ratings and full review.
LCDs: Dell’s widescreen monitor impresses testers. CPU Magazine puts five premium LCDs through the ultimate graphics test. Both Dell’s 16:9-ratio UltraSharp and the 3:4 Sony get high marks, primarily based on overall image quality. Dell UltraSharp 2405FPW (Score: 4.0/5.0), Sony SDM-HS75P (4.0). Link to all ratings and full review.
7MP DIGITAL CAMERAS: Two Canons tie for CNET’s top camera rating. CNET reviews high-resolution, point-and-shoot digital cameras. The two Canon models dominate the top spots on the list. Canon PowerShot SD500 (Score: 7.2/10.0), Canon PowerShot S70 (7.2). Link to all ratings and full review.
USB TV TUNERS: Laptop Mag names Hauppauge best TV tuner. All six devices in Laptop Magazine’s tests of TV-to-PC tuners use USB to connect, but the editors say the similarities end there. Hauppauge’s high score places it far above competing models. Hauppauge WinTV-PVR USB2 (Editors’ Choice, Score: 4.5/5.0). Link to all ratings and full review.
WI-FI DETECTORS: Another win for Canary’s hotspot sniffer. The Canary Hotspotter has come out atop every previous review of portable Wi-Fi detectors. (See the Wired review and the Mobile PC review.) This time, it’s CPU Mag that’s giving the Canary its highest rating. Canary Wireless Digital Hotspotter (Score: 3.5/5.0). Link to all ratings and full review.
EXTERNAL HARD DRIVES: LinkStation is CNET’s drive of choice. In tests of low-cost solutions for adding a drive and a print server to small networks, CNET finds the Buffalo LinkStation is most suitable for the Editors’ Choice award. Buffalo LinkStation 250GB (Editors’ Choice, Score: 8.3/10.0). Link to all ratings and full review.
BUDGET DVD PLAYERS: RCA DVD is sharp, says Laptop Mag. Finally, you no longer have to spend a fortune for a handheld DVD player. Laptop Magazine tests five of the newest offerings and names the RCA model as the pick of the litter. RCA DRC616N (Editors’ Choice, Score: 4.5/5.0). Link to all ratings and full review.
INPUT DEVICES: MS mouse & keyboard click with PC Mag. If you’re still using the keyboard and mouse that came with your computer, PC Magazine may convince you to upgrade. Of the 10 different mice, keyboards, and combos tested, Microsoft’s Optical Desktop came out ahead with a perfect score and an Editors’ Choice. Microsoft Optical Desktop Elite for Bluetooth (Combo, Editors’ Choice, Score: 5.0/5.0), Contour Design RollerMouse Pro (Mouse only, Editors’ Choice, 4.5). Link to all ratings and full review.
CORDLESS MICE: BenQ mouse makes cutting the cord easy. In the field of wireless mice, Laptop Magazine rates five possible replacements for the awkward touchpad on your laptop. The BenQ M310, with its USB-port connection, wins with the highest score possible. BenQ M310 (Editors’ Choice, Score: 5.0/5.0). Link to all ratings and full review.
WIRELESS HEADPHONES: Cordless headphones are maturing, CPU Mag says. CPU Magazine puts three wireless headphones through an “audio challenge.” The i-Phono model received the highest rating of the three, but the editors do say corded products still provide superior sound quality. i-Phono BT-420EX (Score: 4.0/5.0). Link to all ratings and full review.
Vickie Stevens is research director of WindowsSecrets.com.
Take back Windows: the best readers' tips
By Paul Thurrott
Windows Secrets readers have spoken: Windows today is a convoluted mess of add-ons. Power users have had enough. What follows are the best reader-submitted tips about clearing the gunk out of Windows and making it the OS you want it to be.
First, here’s a reminder about a product I wrote about back in the Mar. 10, 2005, issue: XPlite/2000lite. It lets you fine-tune Windows in ways that Microsoft would like you to believe are impossible. XPlite even lets you remove Internet Explorer from Windows, if you’re looking to be radical.
How to control your startup options
Virtually all of the advice I received was fantastic. But a few of them stood out from the crowd. The following 10 readers are the recipients of our gift certificates for any book, CD, or DVD of their choice.
Customize Boot.ini. Mike Palandri suggests editing the hidden file C:\Boot.ini so that your boot time is more functional. The /noguiboot switch (see usage below) turns off the boot splash screen. And the /sos switch lets you view drivers as they load during system boot. This is particularly useful if you’ve done something that causes Windows to hang during boot-up.
You probably already have a line in the Boot.ini file that looks like the following (all on one line, with no spaces around the backslash or equals sign):
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT
Simply add the two switches mentioned above so that the line resembles the following (all on one line), or make it a second line so you can choose this alternate boot method if you ever need to do some debugging:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT /NOGUIBOOT /SOS
Note that editing Boot.ini can be dangerous, so be sure to make a backup of the file and proceed carefully.
If you’re interested in related hacks, the Registry Guide for Windows has a complete rundown of Boot.ini options you can use.
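The safer form of the tip is the second-line variant: leave the default entry alone and add a separate debug entry you can pick from the boot menu. The following Python script is an added example, not the reader’s tip or anything from the newsletter, that clones the first entry under [operating systems], appends the two switches without duplicating any already present, writes nothing if a debug entry with the same label already exists, and makes a .bak copy before touching a real file. The SAMPLE_BOOT_INI text, the “(debug boot)” label and the default path are assumptions for illustration.

```python
"""Add an alternate, debugging-friendly entry to Boot.ini without altering the
default entry. Added example, not from the newsletter; SAMPLE_BOOT_INI is a
constructed file and the label/path defaults are assumptions."""
import shutil
import sys

DEBUG_SWITCHES = ("/NOGUIBOOT", "/SOS")
DEBUG_LABEL = "Microsoft Windows XP Professional (debug boot)"   # assumed label

# Constructed sample matching the layout shown in the text.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT
"""


def parse_entry(line):
    """Split an [operating systems] line into (arc_path, description, [switches])."""
    arc, _, rest = line.partition("=")          # first '=' separates the ARC path
    if not rest.startswith('"'):
        raise ValueError("unexpected entry format: " + line)
    desc, _, switches = rest[1:].partition('"')  # quoted description, then switches
    return arc.strip(), desc, switches.split()


def add_debug_entry(text, label=DEBUG_LABEL, switches=DEBUG_SWITCHES):
    """Return Boot.ini text with one extra entry cloned from the first boot
    entry plus the debug switches. Calling it twice changes nothing."""
    lines = text.splitlines()
    if "[operating systems]" not in lines:
        raise ValueError("no [operating systems] section")
    start = lines.index("[operating systems]") + 1
    end = start
    while end < len(lines) and not lines[end].startswith("["):
        end += 1                                  # section ends at the next header
    entry_idx = [i for i in range(start, end) if lines[i].strip()]
    if not entry_idx:
        raise ValueError("no boot entries found")
    if any(parse_entry(lines[i])[1] == label for i in entry_idx):
        return text                               # debug entry already present
    arc, _desc, existing = parse_entry(lines[entry_idx[0]])
    have = {s.upper() for s in existing}
    merged = list(existing) + [s for s in switches if s.upper() not in have]
    lines.insert(entry_idx[-1] + 1, f'{arc}="{label}" {" ".join(merged)}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        path = sys.argv[1]                        # e.g. C:\Boot.ini, after clearing its attributes
        shutil.copy2(path, path + ".bak")         # keep a backup, as the text advises
        with open(path, encoding="ascii") as fh:
            original = fh.read()
        with open(path, "w", encoding="ascii", newline="\r\n") as fh:
            fh.write(add_debug_entry(original))
        print("updated", path, "(backup in", path + ".bak)")
    else:
        print(add_debug_entry(SAMPLE_BOOT_INI))   # dry run on the constructed sample
```

Run it with no arguments to see the result on the sample before pointing it at a real file. On a live system the file carries the read-only, hidden and system attributes, so clear them first (attrib -r -s -h C:\Boot.ini) and make sure timeout in [boot loader] is greater than 0, or the menu with the new entry will never be shown.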
Always show file extensions. In a bid to make Windows friendlier, Microsoft turns off the display of file extensions by default. As Alan Crawford pointed out, however, this presents a security risk:
- “If users don’t display extensions, then the old virus trick of naming a virus virus.bmp.exe will end up being executed when the user tries to open the ‘bitmap’.”
Good point. While you’re in Folder Options enabling this feature, consider a trip through the Advanced settings list on the View pane: There are a lot of options in there you may want to change from Microsoft’s defaults.
My favorite: I uncheck Remember each folder’s view settings since XP does such a lousy job of remembering folder positions, sizes, and customizations anyway.
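The “virus.bmp.exe” trick works because Explorer drops only the final extension when extensions are hidden, so the user sees a bitmap and double-clicks a program. As an added example, not code from the newsletter or from the reader quoted above, the following Python reproduces that display rule and flags names whose real extension is executable while the visible one looks like a document; the two extension sets are assumptions chosen for illustration, not an authoritative Windows list.

```python
"""Flag file names that rely on hidden extensions to masquerade as documents.

Added example, not from the newsletter. EXECUTABLE_EXTS and DOCUMENT_EXTS are
assumed illustration sets, not Windows' own registered-type table.
"""
import os

# Extensions Windows runs as a program on double-click (assumed set).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a user would expect to open as data (assumed set).
DOCUMENT_EXTS = {".bmp", ".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".zip"}


def displayed_name(filename):
    """What Explorer shows with extensions hidden: the last extension is
    dropped, so 'virus.bmp.exe' is displayed as 'virus.bmp'."""
    stem, _ext = os.path.splitext(filename)
    return stem


def is_deceptive_name(filename):
    """True when the real (last) extension is executable but the name the
    user sees ends in a document-style extension."""
    _stem, real_ext = os.path.splitext(filename)
    _shown_stem, shown_ext = os.path.splitext(displayed_name(filename))
    return real_ext.lower() in EXECUTABLE_EXTS and shown_ext.lower() in DOCUMENT_EXTS


def scan_listing(filenames):
    """Return the entries of a directory listing that look deceptive."""
    return [name for name in filenames if is_deceptive_name(name)]


if __name__ == "__main__":
    # Constructed sample listing; only the double-extension names are reported.
    sample = ["virus.bmp.exe", "photo.jpg", "setup.exe", "readme.TXT.ScR", "archive.zip"]
    for name in scan_listing(sample):
        print(f"{name!r} is shown as {displayed_name(name)!r} but runs as {os.path.splitext(name)[1]}")
```

The check is case-insensitive because Windows file names are, and a plain setup.exe is not reported: it is the mismatch between what is shown and what runs that matters, not the executable extension on its own.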
Master the Start Menu. Regardless of which type of Start Menu you’re using — the “Classic” Start Menu from Windows 2000 or the XP-style Start Menu — make sure it’s configured to work the way you want.
If you’re using the classic Start Menu, you can make it work more like the new version by adding folders like Control Panel to the list.
And if you want the XP Start Menu, be sure to customize the menu: You can enable small icons for a longer display of recently used applications, and turn off unwanted entries like Printers and Faxes.
Whichever version you have, several readers noted that they, like myself, like to fine-tune the Start Menu into logical groups like “Utilities,” “Internet,” and “Digital Media.” Also, you can move hard-to-reach Microsoft utilities to new locations.
As Mary Fons points out, System Restore is a handy tool, but its location in the depths of the Start Menu is mind-boggling. So move it up close and personal. It’s your Start Menu.
How to get better performance and convenience
Now, we move on to the most popular replies. These are the most common bits of advice I received:
Turn off the fluff. There are two parts to this, and each requires a visit to a different part of the UI.
First, access System Properties (right-click My Computer and choose Properties) and navigate to the Advanced tab. Then, click the Settings button in the Performance section. Select Adjust for best performance. Optionally enable Show window contents while dragging and then click OK and OK again.
Now, fire up Display Properties (right-click a blank area of the desktop and choose Properties) and navigate to the Appearance tab. Click Effects and enable ClearType if you have an LCD monitor and like that effect. Click OK and then OK again.
Clean the desktop. If you find screensavers annoying, turn them off. And configure your power management settings while you’re at it: Hibernation is disabled by default for some reason.
In Desktop Properties, turn off the utterly useless Desktop Cleanup Wizard, which can be accessed from the Customize Desktop button on the Desktop tab.
Be your own admin. One thing I’ve come to realize is that PC power users should treat their home systems as if they were managed PCs in a corporate environment. That doesn’t mean that you have to set up an Active Directory domain at home. But if you’re like me and find yourself customizing new installs fairly regularly, maybe it’s time to automate the process.
One thing I do is use Microsoft’s Custom Installation Wizard from the Office 2003 Resource Kit to create a custom installation of Office 2003. Then, instead of wading through dialogs when I want to add Office to a new install of Windows, I just run the customized setup.
Some readers take that much further with install scripts for Windows and checklists to help remind them what settings to change on new installs. Reader Joseph Hume keeps a series of scripts on a USB keychain drive that lets him customize the PC settings anytime he sits down at a new PC. He has customized installs of both Mozilla Firebird (Web browsing) and Thunderbird (email) on there as well. Smart.
Make any toolbars you want. I was surprised that a number of readers suggested creating your own toolbars, which you can place on the Task Bar or, if you’re really crafty, on various edges of the screen. Either way, you fill these toolbars with shortcuts to the application you most often access and get to work.
First, create a folder that contains the shortcuts you want. Then, to create a taskbar-based toolbar, right-click an empty area of the Task Bar, select Toolbars and then New Toolbar. Choose your folder in the New Toolbar dialog that appears. To place it at the top of the screen, turn off taskbar locking and then drag it to the top edge of the screen. Voilà!
Downgrade. Finally, Raphael Greene presented an option that many of my own friends have resorted to: Simply skip XP altogether and go back to the comparatively fluff-free Windows 2000.
This is a great solution, albeit one with a few gotchas. First, Windows 2000 will never get the security updates that Microsoft has provided in SP2 and will later provide with IE 7 and SP3. Second, many Microsoft applications require XP: If you want to use Windows Movie Maker or Photo Story, for example, Windows 2000 won’t work.
How to find the best utilities
A number of readers mentioned their favorite utilities, those applications they simply can’t live without. Here are some of them:
System tweaks. Microsoft has a great (and free) PowerToy called TweakUI that lets you modify a number of system settings that aren’t exposed in the standard Windows user interface. Tony Pickert, however, recommends X-Setup, which supports all Windows OSes and exposes almost 1,800 hidden functions. A must for any power user, and a bargain at $8 USD.
Desktop utilities. Like me, a number of readers also like Konfabulator, which I wrote about in the Apr. 28, 2005, issue. But some prefer the Windowblinds and DesktopX tools from Stardock. Byron Todd also recommended an intriguing Stardock solution called Multiplicity. It lets you control two or more PCs from a single keyboard and mouse.
Find it for free. If you’re not interested in invasive search utilities, Scott Alan Blanchard recommends Agent Ransack. This is a free desktop search tool that offers a wide range of document support, including ZIP and RAR files, and even network search.
Replace Explorer. Pining for the days of File Manager? James Fuldner recommends V Communications’ PowerDesk, an Explorer replacement that’s like File Manager on steroids.
Win with keyboard shortcuts. Pete Koutoulas recommends a free utility called WinKey that lets you apply shortcuts to any combination of the Windows key, Ctrl, and/or Alt plus any other key on the keyboard.
Have fun with these tips
I could pretty easily spend a lot of time writing about tweaking Windows, and the quality and amount of feedback I received was quite impressive. Thanks to everyone who wrote in. I have a feeling we’ll be revisiting this topic again in the future.
Paul Thurrott, associate editor of the Windows Secrets Newsletter, is the author of Windows XP Home Networking, 2nd Ed., and Great Digital Media with Windows XP and the author or co-author of several other books.
Hackers may be profiting from your computer
By Chris Mosby
Some hackers don’t break into computers for mere fun and recognition any more, they’re motivated by profit. Somewhere along the line, the war for control of your computer shifted from fame to fortune.
Nowadays, compromised computers — with a total numbering in the millions, organized into “botnets” or “zombie armies” — are sold or traded like commodities. They send out spam e-mails or perform distributed denial of service (DDoS) attacks against Web sites to extort money from the legitimate owners.
How are hackers able to accomplish such large-scale computer compromises? By using respected Web sites to gain entry.
Black hats have hijacked thousands of sites
This has been accomplished by targeting the servers of Web hosting companies. These firms often host scores of different sites on a single server machine. Once a hacker has compromised one of those servers — using any of a number of unpatched exploits, or taking advantage of ineffective patch management by the hosting company or the Web site owners — he or she can modify common Microsoft IIS header files. This injects pieces of infected code into the home pages of every Web site hosted on that server.
Normally, these headers have a legitimate purpose. This is the same technology that’s used to show banner ads atop all the pages of a Web site, for example. But in one recent case, detected on May 3, the headers were changed to include a hacker’s invisible, zero-width frames. These frames then use Java and Internet Explorer exploits to try to install a Trojan horse on computers that visit the respected site. From that point on, an infected computer belongs to the hacker.
The hacker code in this instance uses holes that can be closed by the Microsoft security bulletins MS02-055, MS03-011, MS04-038, and even the fairly recent MS05-001 (released Jan. 2005), as well as a Java Applet vulnerability. This code is also intelligent enough to detect what browser version is being used. This enables it to try particular exploits that would be the most likely to succeed.
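A site owner on a shared host cannot see the server’s header files, but can check what the server actually sends. The following Python is an added example, not code from the newsletter or from anyone named in it, that parses a page and reports IFRAMEs made invisible the way the text describes: a zero width or height attribute, or a style that hides the frame. The HTML in SAMPLE_PAGE is constructed and the hostnames are placeholders; the legitimate banner frame is there to show that ordinary frames are not reported.

```python
"""Report zero-width or otherwise hidden IFRAMEs in a page's HTML.

Added example, not from the newsletter. SAMPLE_PAGE is constructed and the
.invalid hostnames are placeholders.
"""
import re
from html.parser import HTMLParser


def _is_zero(value):
    """True for attribute values such as '0', '0px' or '0%' (any unit)."""
    return value is not None and re.fullmatch(r"\s*0+(\.0+)?\s*[a-z%]*\s*", value.lower()) is not None


def _style_hides(style):
    """True when an inline style hides the element or collapses it to zero size."""
    if not style:
        return False
    s = style.lower().replace(" ", "")
    return ("display:none" in s or "visibility:hidden" in s
            or re.search(r"(^|;)(width|height):0+(\.0+)?[a-z%]*(;|$)", s) is not None)


class HiddenFrameFinder(HTMLParser):
    """Collects every iframe/frame start tag that would be invisible to a visitor."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        a = dict(attrs)                      # attribute names arrive lower-cased
        reasons = []
        if _is_zero(a.get("width")) or _is_zero(a.get("height")):
            reasons.append("zero width/height attribute")
        if _style_hides(a.get("style")):
            reasons.append("hidden via style")
        if reasons:
            self.findings.append({"src": a.get("src"), "line": self.getpos()[0], "reasons": reasons})


def find_hidden_frames(html):
    """Return a list of {src, line, reasons} dicts for hidden frames in `html`."""
    parser = HiddenFrameFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: one normal banner frame, one zero-size frame, one hidden by style.
SAMPLE_PAGE = """<html><head><title>Security blog</title></head>
<body>
<div id="banner"><iframe src="/ads/banner.html" width="468" height="60"></iframe></div>
<h1>Welcome</h1>
<iframe src="http://hijack.example.invalid/x.html" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://other.example.invalid/y.html" style="display: none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in find_hidden_frames(SAMPLE_PAGE):
        print(f"line {f['line']}: hidden frame -> {f['src']} ({', '.join(f['reasons'])})")
```

Point it at the HTML your host actually serves (fetched from outside, not read from your own files, since the injection happens at the server) and compare the reported src values against frames you put there yourself; anything pointing at a domain you do not recognise is worth raising with the hosting company.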
There’s no ‘safe haven’ on the Web
Not even Web sites devoted to computer security are safe from this kind of attack, if their Web hosting company doesn’t secure their servers. In the zero-width-frame case mentioned above, Roger McClinton discovered that the home page of his information security blog had been modified. A frame had been added that was directing browsers to a site that exploited IE flaws to install spyware. This hijack was very similar to another hack that happened a couple of months ago.
Roger’s Web host was reluctant to admit that they were at fault in this case, even though a Web search at one point showed over 1,500 compromised Web sites, most of them hosted on his Web hosting service. Until his hosting company fixed the problem, he was forced to keep an eye on his blog for any unwanted modifications. Thankfully, things have by now been corrected at that host.
How you can protect yourself
This kind of mass Web site hijack will happen again. It’s just a matter of time and some new exploits. With this in mind, I’m sure you’re wondering what you can do to keep your computer from becoming another “zombie” that a hacker controls.
The best thing you can do, for a home computer, is to take your security into your own hands and make your PC as secure as possible. No system is 100% secure, but there are steps you can take to get your computer as close to invulnerability as possible.
First, make sure you’ve installed Brian Livingston’s recommended Security Baseline (above). The products listed in this section will go a long way to keeping you as secure as you can be.
Second, if you must use Internet Explorer, make sure it’s secured with Brian’s recommended configuration for IE. Otherwise, I’d recommend using an alternative browser such as Mozilla Firefox.
Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.
Do few patches mean few issues?
By Susan Bradley
For a week that only resulted in one patch bulletin, there still seems to be a lot for me to wade through this month.
Perhaps some of that’s due to the fact that I’ve been doing my homework on my servers at the office. I’m getting ready to apply Small Business Server 2003 Service Pack 1, which is due prior to the end of May, plus SQL Server 2000 SP4/MSDE SP4 for databases.
The advantages of SP4 for SQL Server are two-fold: Hotfixes will for the first time be able to be uninstalled, and 32-bit applications running on the new 64-bit systems will be supported.
In a future column, I’ll include a link to a listing of items to specifically look out for when applying SBS 2003 SP1. In general, you should make sure before you apply a major service pack that you have a good backup and in particular a system state backup. This ensures that key elements on your server are backed up and retained should something occur.
Also, I always disable antivirus software before applying major service packs, and always reboot my server right before, just to make sure I have a healthy system. You should review the log files to check that there are no unusual entries, and note the normal pattern of events. This will help you keep an eye on any unusual “post-patch events.”
Speaking of post-patch events, let’s revisit some of the patches we’ve had in prior months for some lingering issues.
Hotfix re-released, new MS05-019 coming, too
MS05-019 (893066): I’m still tracking issues with MS05-019. The Microsoft hotfix described in KB 898060, which was originally released to correct network connectivity problems with MS05-019 and Windows Server 2003 SP1, was re-released on May 9. Read the re-release notes, because in some cases you’re supposed to install the new fix, while in other cases you’re not.
Normally, the process of obtaining hotfixes is pretty fast and pain-free. In this case, I thought it a bit odd that I had to talk to a Networking Engineer, plus the patch wasn’t immediately packaged up for me before I obtained the original version of the patch.
Now it makes more sense. Hotfixes are ordinarily an easy, free call with minor fuss. But this time I got follow-up calls several times on this hotfix. This is the first time in a long time that I remember so many follow-ups. The reason they give for the hotfix process is that it allows for follow-up, and this should have been a clue to me that there was an issue with the fix.
Microsoft added a note to MS05-019 on May 11 that the entire security update will be re-released in June 2005, presumably on Patch Tuesday of that month. If you’re not having network connectivity problems after installing the April 12 version of MS05-019, MS recommends that you continue using it (or install it now, if you haven’t already) rather than waiting for the June version to come out.
Details on Snap Server and Mac write problems
MS05-011 (885250): In the Feb. 24, 2005, newsletter, I discussed issues with Adaptec Snap Servers and problems saving files after installing MS05-011. We finally have some Knowledge Base articles to sink our teeth into.
KB 896432 covers the issues with Snap Servers — you can use a workaround or obtain a patch from Adaptec. KB 896433 discusses issues with Macintosh computers.
MS releases one patch rated ‘Important’
MS05-024 (894320): We now come to the patch of the month. This fixes a security hole that allows files to infect your computer if they are merely selected (not opened) in Windows Explorer in Windows 2000.
The problem was discussed in last month’s newsletter in an article by Chris Mosby. He described a simple workaround that many network administrators do anyway: Configure Windows Explorer to use its “classic folder” view instead of its “Web folder” view.
Keep in mind that because this patch is rated merely “Important,” there will be no patch for Windows Me machines. Only “Critical” patches are released on Windows Update. Thus, if you feel concerned about this issue and have older machines, merely avoid the threat by right-clicking My Computer, then Tools, Folder Options. On the General tab, click Use Windows Classic Folders. To fall victim to the exploit, you’d have to select an infected file or click on a malicious Web page, which would prompt you to click a link or take some other action.
Microsoft is changing its alert mechanism
My cell phone buzzed and my instant messenger also popped up with notifications of this month’s patch. (See example.) Both were sending me messages regarding this month’s security bulletins. Remember, Microsoft’s traditional security e-mails will be ending in July. New notification mechanisms will be taking over at that time.
To get security alerts via MSN Messenger, Windows Messenger, e-mail, or a mobile device, see Microsoft’s alerts registration page. For more information, including RSS feeds, see MS’s technical security notifications page.
New ‘security advisories’ start this month
This week we’re seeing the first of Microsoft’s new “security advisories.” These aren’t security bulletins, as such, but will advise us of important issues, whether or not a patch is available.
The first two advisories were issued on May 10, which is Patch Tuesday, but MS security program manager Stephen Toulouse said in an interview that future advisories will not necessarily come out at the same time as patches.
The first describes a vulnerability in Windows Media Player 9 and 10. MS released patches for these two programs in March via KB 892313.
The second explains the new, optional “tar pit” feature of the SMTP service in Windows Server 2003 SP1, which Exchange Server 2003 relies on. When recipient filtering is enabled, the tar pit inserts a configurable delay before the server returns the 5.x.x rejection for an invalid RCPT TO, so a dictionary (directory-harvest) attack that must probe thousands of addresses is slowed to a crawl. It doesn’t chew up the attacker’s CPU; it costs them elapsed time, which for a bulk sender is what matters.
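The following is an added example, not code from the newsletter or from Microsoft. It assumes a Windows Server 2003 SP1 box running the SMTP service with recipient filtering turned on, and the registry value Microsoft documents for the tar pit in KB 842851 (TarpitTime, a REG_DWORD of seconds). The first function sets the delay on the server; the second, which can run from any host that can reach port 25, speaks just enough SMTP to send a RCPT TO for a non-existent address and times the reply, so you can see the tar pit working rather than take it on faith. The server name and addresses in the usage lines are placeholders.

```powershell
# Added example, not from the newsletter or from Microsoft. Assumes Windows Server 2003 SP1
# with the SMTP service (and, for Exchange, Recipient Filtering) enabled, per KB 842851.
$smtpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters'

function Set-SmtpTarpit {
    param([ValidateRange(0, 3600)][int]$Seconds = 5)   # 0 turns the tar pit off (the default)
    # TarpitTime (REG_DWORD, seconds) is the delay inserted before each 5.x.x response,
    # e.g. the "550 5.1.1 User unknown" that recipient filtering returns for a bad RCPT TO.
    New-ItemProperty -Path $smtpParams -Name TarpitTime -PropertyType DWord -Value $Seconds -Force | Out-Null
    Restart-Service -Name SMTPSVC   # the service reads the value only when it starts
}

function Measure-RcptDelay {
    # Speaks just enough SMTP to reach RCPT TO, then times the server's answer.
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$BadRecipient,          # an address that does not exist
        [string]$Sender = 'probe@example.com'                 # constructed test value
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, 25)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true
    [void]$reader.ReadLine()                                  # 220 banner
    # HELO (not EHLO) keeps every reply to a single line, so one ReadLine per command is enough.
    foreach ($cmd in @('HELO probe.example.com', "MAIL FROM:<$Sender>")) {
        $writer.WriteLine($cmd)
        [void]$reader.ReadLine()
    }
    $writer.WriteLine("RCPT TO:<$BadRecipient>")
    $watch = [System.Diagnostics.Stopwatch]::StartNew()
    $reply = $reader.ReadLine()                               # this is the reply the tar pit delays
    $watch.Stop()
    $writer.WriteLine('QUIT')
    $client.Close()
    [pscustomobject]@{
        Reply   = $reply
        Seconds = [math]::Round($watch.Elapsed.TotalSeconds, 2)
    }
}

# Usage (Set-SmtpTarpit on the server; Measure-RcptDelay from any host that can reach port 25):
#   Set-SmtpTarpit -Seconds 5
#   Measure-RcptDelay -Server mail.example.com -BadRecipient no-such-user@example.com
```

Read the result as a check, not just a number: a 550 reply arriving after roughly the configured number of seconds means the tar pit is working; a 250 reply arriving immediately means the server is accepting unknown recipients at RCPT TO (recipient filtering is off), so there is no rejection for the tar pit to delay and harvesters will learn nothing slower. At five seconds per probe, a 10,000-address dictionary run takes about 14 hours instead of minutes.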
XP SP2 gets WPA2 Wi-Fi upgrade
One patch that probably should have been covered by this month’s security advisories, described above, is the WPA2 (Wi-Fi Protected Access 2) upgrade for Windows XP SP2. KB 893357 offers a download that adds WPA2 support (the IEEE 802.11i standard, with AES encryption) to XP’s wireless client. It’s being widely deployed in organizations. I recommend you get it.
Windows Installer is missing in action
Windows Installer 3.1 was removed on May 3 from Software Update Services (SUS), the server Microsoft gives administrators for distributing patches inside an organization. Microsoft confirmed this in a note in KB 894199. According to KB 898628, this release of Windows Installer fails when an update tries to replace one of Windows’ protected system files, which broke the installation of some applications.
Firefox 1.0.4 adds to browser vulnerability wars
The Greyhats Security Group this week identified a new vulnerability in Firefox. The flaw became public when proof-of-concept code was unexpectedly released in an advisory by the French Security Incident Response Team. A hacker Web site could infect a Firefox user’s machine through Mozilla’s software-install function if the user clicked an IFRAME on the page.
Fortunately, the security hole was mitigated by changes the Mozilla Foundation made to its software-download server. These changes should keep such an attack from working. No exploits have been reported in the wild at this writing, but a Firefox upgrade to version 1.0.4 has just been released that will close the hole for good. (See Brian Livingston’s story, above.)
It doesn’t seem necessary for you to do anything except install 1.0.4. But if you’re concerned, there’s an easy workaround, according to a Sans.org posting: turn off the setting Allow Web sites to install software (in Firefox, click Tools, Options, Web Features; under the hood this is the xpinstall.enabled preference). The reconfiguration is hardly needed in practice, because by default only Mozilla’s own update site is on the list of sites allowed to install software, which is why Mozilla’s server-side change was enough to blunt the attack.
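As an added example (not from the newsletter, Sans.org or Mozilla), here is how an administrator would apply that workaround to every Firefox profile of a user without clicking through the dialog. It assumes the standard Windows profile location (%APPDATA%\Mozilla\Firefox\Profiles) and Firefox’s user.js mechanism: a user_pref() line in user.js is re-applied every time Firefox starts, so unlike the checkbox it cannot be quietly switched back on from the Options dialog. Run it while Firefox is closed, since Firefox rewrites prefs.js on exit.

```powershell
# Added example, not from the newsletter or from Mozilla. Assumes the default profile
# location and the user.js convention; xpinstall.enabled is the pref behind
# "Allow web sites to install software".
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'

function Set-FirefoxUserPref {
    param(
        [Parameter(Mandatory)][string]$ProfileDir,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value    # raw JavaScript literal: false, 0, "text"
    )
    $userJs = Join-Path $ProfileDir 'user.js'
    $line   = "user_pref(`"$Name`", $Value);"
    $kept   = @()
    if (Test-Path $userJs) {
        # Drop any earlier line for the same pref so the file never carries two values.
        $pattern = "^\s*user_pref\(`"$([regex]::Escape($Name))`""
        $kept = @(Get-Content -Path $userJs | Where-Object { $_ -notmatch $pattern })
    }
    Set-Content -Path $userJs -Value ($kept + $line) -Encoding ASCII
    $userJs
}

function Disable-FirefoxXpinstall {
    # Returns the user.js files it wrote, one per profile directory found.
    Get-ChildItem -Path $profileRoot -Directory | ForEach-Object {
        Set-FirefoxUserPref -ProfileDir $_.FullName -Name 'xpinstall.enabled' -Value 'false'
    }
}

Disable-FirefoxXpinstall
```

To undo it, remove the line from user.js; simply re-ticking the box in Options only lasts until the next restart, which is exactly the property you want from a workaround pushed to users’ machines.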
The Greyhats posting included an ominous warning that other vulnerabilities have been found. (The post suggests these will not be revealed to whoever presumably leaked Greyhats’ proof-of-concept code to the French SIRT.) Hopefully, these weaknesses have been disclosed to Firefox developers and will also be corrected in version 1.0.4. But the discussion just reinforces my paranoid belief that no browser should be trusted and that you should consider Internet surfing one of your most dangerous activities. Always ensure you’re keeping yourself closely aligned with Brian’s Security Baseline (above) and have the necessary components to run a safe computer. As always, be careful out there.
Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.
Reducing your rush to patch
By Mark Burnett
You should always keep your systems up-to-date with the latest patches. But it isn’t always that easy to stay current, especially on critical production servers that require careful testing and planned deployment.
This can be a problem because there are bad people out there who scour new security bulletins, trying to exploit the newly announced flaw on as many unpatched systems as possible.
But here’s a secret: you can significantly reduce your exposure to current and future vulnerabilities just by following some basic security best practices. In fact, there are surprisingly few patches that address issues that security professionals have not already anticipated.
All it takes is hardening
As a security consultant, I provide two primary services for my clients: system hardening and patch management. In the hardening process, I eliminate unnecessary OS components, tighten permissions, and tweak settings to reduce exposure to attack.
Then I follow up with monthly summaries of the latest patches. When reading these reports, I like to determine what I could have done to prevent exposure to the issue. Surprisingly, most of the time it’s stuff I’ve already done in the hardening process.
Take, for example, the latest Microsoft security bulletin, released on May 10 and known as MS05-024. According to MS, the issue is a vulnerability in the way that the Windows Explorer Web View handles HTML page previews.
The easiest way to mitigate exposure to this vulnerability — at least until you can install a patch — is to simply disable Web views in Explorer. This is something I already do when securing a server system. (For more on MS05-024, see Susan Bradley’s article, above.)
Finding that I’ve already applied the workaround is quite typical, month after month. If you look back at all of the bulletins over the years, most of them don’t need immediate patching if you followed basic security best practices.
Most of the time it isn’t anything too complicated, just the basics of installing a firewall, not opening untrusted files, and disabling services and components you don’t use.
Vulnerabilities can be foreseeable
Now, disabling Web view in Explorer might sound like a strange item for a hardening checklist, but I’ve done it for more than five years. There were no known vulnerabilities when I started doing it, and for the last five years I’ve had to explain why.
Why did I disable it? Because Web view is of little use on a server managed by administrators. Since they weren’t using it, I just disabled it. It seemed likely that there would eventually be someone trying to exploit that and I would rather just have it be gone. In other words, the issue was foreseeable.
It was foreseeable because it was something that I could imagine someone exploiting. I could therefore formulate a plan to defend against it. Fortunately, most vulnerabilities are foreseeable to some extent. And even if you can’t prevent the actual vulnerability, you can at least reduce your attack surface by using a firewall and removing unused services and components.
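The workaround in Susan Bradley’s MS05-024 item above and the standing hardening step described here are the same change, so one added example serves both. This is not code from the newsletter; it assumes the registry values that the Folder Options dialog and the “Turn on Classic Shell” Group Policy write (WebView = 0 under ...\Explorer\Advanced, and ClassicShell = 1 under ...\Policies\Explorer), which are my own knowledge of the shell and not something the articles document. It audits every user hive currently loaded under HKEY_USERS, reports who is still exposed, and can then switch Web view off for all of them, optionally enforcing it by policy so the setting cannot be turned back on from the dialog. Writing other users’ hives needs an elevated session, and profiles of users who are not logged on are not loaded and therefore not touched.

```powershell
# Added example, not from the newsletter. Assumes the registry values that Folder Options and
# the "Turn on Classic Shell" policy write: WebView = 0 under ...\Explorer\Advanced and
# ClassicShell = 1 under ...\Policies\Explorer. Writing other users' hives needs an
# elevated session, and only hives currently loaded under HKEY_USERS are touched.

function Get-UserSid {
    # Real account SIDs only: skip the service SIDs (S-1-5-18..20) and the *_Classes hives.
    Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { $_.PSChildName }
}

function Get-WebViewState {
    foreach ($sid in Get-UserSid) {
        $adv = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        $pol = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $webView = (Get-ItemProperty -Path $adv -Name WebView -ErrorAction SilentlyContinue).WebView
        $classic = (Get-ItemProperty -Path $pol -Name ClassicShell -ErrorAction SilentlyContinue).ClassicShell
        [pscustomobject]@{
            Sid          = $sid
            WebView      = if ($null -eq $webView) { 'unset (Web view on)' } else { $webView }
            PolicyForced = ($classic -eq 1)
            # Exposed means the MS05-024 preview path is still reachable for this user.
            Exposed      = ($classic -ne 1) -and ($webView -ne 0)
        }
    }
}

function Disable-WebView {
    param([switch]$EnforceByPolicy)   # also set the policy so users cannot switch it back on
    foreach ($sid in Get-UserSid) {
        $adv = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        if (-not (Test-Path -Path $adv)) { New-Item -Path $adv -Force | Out-Null }
        New-ItemProperty -Path $adv -Name WebView -PropertyType DWord -Value 0 -Force | Out-Null
        if ($EnforceByPolicy) {
            $pol = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
            if (-not (Test-Path -Path $pol)) { New-Item -Path $pol -Force | Out-Null }
            New-ItemProperty -Path $pol -Name ClassicShell -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Usage: audit first, then fix. Explorer picks up the change in newly opened windows
# (or after a log-off); the hardening is only as complete as the hives that are loaded.
Get-WebViewState | Format-Table -AutoSize
# Disable-WebView -EnforceByPolicy
```

The audit column is the useful part on a server with several administrators: a machine is only as hardened as its least-hardened profile, and a freshly created account starts with Web view on again unless the policy is in place, which is the argument for -EnforceByPolicy over the per-user value alone.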
Can you live without patches?
It actually is possible to secure a system so well that it rarely needs patches, although I certainly would not recommend that. But it’s nice to know that you can buy yourself more time for proper testing and deployment.
When I first started securing Windows 2000 servers, I did an experiment. I tried to see how long I could go on one Web server without patching, relying only upon foreseeable workarounds. To my surprise, it was almost three years before I ran into an issue that I simply could not mitigate without patching. I stopped keeping track after that, but based on what I see every month, I might have been able to go without patches for yet another long stretch.
Of course, you should always patch, but system hardening can greatly reduce the monthly rush to get to your servers before the hackers do.
For more information on how to keep your systems secure, visit Microsoft’s Trustworthy Computing page.
Mark Burnett is the author of Hacking the Code, coauthor of Stealing the Network: How to Own the Box, and an independent security consultant.
Replicator duplicates gold, now only $250,000 at eBay
Quick! You only have three days left to bid on the world’s first Gold Replicator before the auction for this valuable fortune-building device ends at eBay. According to the seller’s description, the replicator will duplicate any metal placed into it (gold, platinum, etc.) without consuming any raw materials.
Bids start at a mere $250,000 USD. No bids have been received yet, but the canniest bidders are probably just waiting until the last minute to show their hands.
The seller is known as “earthtimetraveler.” He previously offered the Real Time Machine in June 2004 for the bargain price of $219. The Gold Replicator is obviously much more advanced, considering the starting bid. We e-mailed him, asking why he was selling what he says is his only copy of the replicator, instead of simply using it to make all the gold he could ever need. He replied promptly, saying the proceeds would be plowed back into more technology for “genetic dating, time travel, electronic mood adjusters, human happiness research, etc.” Boy, that’s one busy guy.
Mr. Traveler should probably generate another gold bar to buy himself some new Web graphics. His eBay-hosted photos of bullion and of the device itself are lifted from the first page of Google Images for gold bars and replicator. The latter image is from a Star Trek episode.
Just in case the listing of this brilliant inventor is cruelly suppressed, we’re including a link both to the actual eBay page and to our own mirror of it. For more info, see: eBay Gold Replicator listing / Mirror of eBay listing
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Your email subscription:
- Subscription help: customersupport@askwoody.com
Copyright © 2025 AskWoody LLC, All rights reserved.
