Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
MagicJack promises dirt-cheap phone calls
In this issue
- INTRODUCTION: Have a question? Ask Fred Langa!
- TOP STORY: MagicJack promises dirt-cheap phone calls
- KNOWN ISSUES: Windows Home Server is not ADS-friendly
- WACKY WEB WEEK: Never leave home without it!
- LANGALIST PLUS: Is your ISP in cahoots with spammers?
- PC TUNE-UP: Will Vista SP1 improve your performance?
- PATCH WATCH: Office 2007 SP1 surprises Vista SP1 beta users
Have a question? Ask Fred Langa!
By Brian Livingston
This week in Windows Secrets, our editor-at-large finally gets back to work.
Many of you know that Fred Langa, after nine years of writing the LangaList e-mail newsletter by himself, and then merging with Windows Secrets and writing our lead story for almost a year after that, escaped to the wilderness on a five-month motorcycle journey through the width of the U.S. and back across Canada.
His quest, and the technical support he provided to four lucky Windows Secrets readers who were chosen to receive in-person Housecalls, were documented in an eight-week series of columns we published in our paid content Sept. 27 through Nov. 15.
Now Fred (photo, left) is putting his famed Windows knowledge to good use in a new series of articles that we’ll publish twice a month. He’s devoting his LangaList Plus column to answering questions from you, our readers. Whether it’s a simple question on something we’ve published, or a difficult technical problem that’s come up with Windows, Fred will part the veil and reveal the inner workings of the operating system to you.
If you’re not receiving our paid content, it’s easy to get. There’s no set fee! We accept any financial contribution of any amount, whatever it’s worth to you. We just want as many people as possible to have our best information. Find out how to upgrade
To send a question to Fred, or to any of us, use the e-mail address or Web form that you’ll find on the Windows Secrets contact page.
We hope you enjoy Fred’s technical expertise, along with the material from the rest of our contributors. Thanks for your support.
Take a holiday break — next issue Jan. 3
We skip publishing during the last two weeks of December, so our hard-working staff and contributors can be with their families and loved ones for the holidays. (Our readers are too busy playing with their new toys to read much technical information during their week off, anyway.)
Our next regular publication will be on Jan. 3, 2008. Have a Happy New Year!
Brian Livingston is editorial director of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books.
MagicJack promises dirt-cheap phone calls
By Scott Dunn
Making phone calls over the Internet is nothing new, thanks to well-known providers like Skype and Vonage. But a simple USB device from an upstart, MagicJack, promises to bring voice over Internet Protocol (VoIP) to the masses for as little as $20 USD per year.
What is MagicJack and how does it work?
MagicJack is a $40 appliance that’s about the size of two USB memory sticks. You plug any analog telephone into one end, and insert the other end into the USB port of a computer with broadband access. After waiting about one minute while the device self-installs, you can make free calls to any phone in the United States and Canada (no matter where in the world you are) — there are no per-minute charges. After the first year, you pay $20 annually for these calls. That’s not $20 per month, it’s $20 per year.
Figure 1. The MagicJack device (left) is approximately the width of two USB flash drives and takes about 30 seconds to initialize itself each time it’s plugged in.
MagicJack rates for calls to phones outside the U.S. and Canada vary from 2 cents per minute to landlines in the U.K., Germany, and France up to $1.21 per minute to Antarctica, according to a list posted by YMax, MagicJack’s parent company. Service to these countries at these rates will reportedly begin in early 2008. If the international party you are calling also has a MagicJack, the call is free.
Except for a desktop shortcut, MagicJack installs no software on the host computer. The company says this allows the device to work on PCs at Internet cafés that don’t permit the installation of executable files.
One frustration is that you must wait 30 seconds or more for the software to load from the device each time you plug it in. But the great benefit is that you can easily take this pocket-sized product with you to use on a laptop in hotels or wherever you may find broadband access. Currently, only Windows XP and Vista are supported, but a Mac version is in the works.
For home use, the product has an analog phone jack, into which you can plug any ordinary telephone. For travel, MagicJack works with any standard headset and microphone, including any that may be built into your laptop. Bluetooth headsets are also supported.
For incoming calls, U.S. customers currently receive a free inbound phone number. You can choose from 116 area codes in 31 cities. That sounds like a lot, but still includes only 23 states. Los Angeles is a major metropolis that’s notably absent from MagicJack’s service, but a company representative says L.A. area codes should be available by Dec. 25. A list of the currently available area codes is posted on the MagicJack site.
Figure 2. You dial calls using MagicJack’s on-screen softphone or the buttons on an ordinary telephone that you plug into the USB device’s RJ-11 phone jack.
Eventually, you’ll reportedly be able to use MagicJack’s site to change your phone number and even port your own, existing landline phone number (for a fee). Those features, however, are not yet available.
In our tests, the sound quality on MagicJack phone calls was very clear, although there was a faint buzzing sound on the caller’s end on one call. Windows Secrets editorial director Brian Livingston recently took a MagicJack on a business trip to Florida and reported no problems calling U.S. numbers via a laptop with a hotel Wi-Fi connection. Every call, however, brings up the on-screen softphone window with its built-in advertising pane on the left (see Figure 2), even if you’re using a regular phone for dialing rather than clicking the on-screen buttons with your mouse.
Other MagicJack features include:
• Free directory assistance using the Free411 Web site (in our tests, this site performed poorly at finding business phone numbers, so you get what you pay for);
• Free 911 service in the United States (you enter your physical address once, which you can change at any time);
• Free voicemail (even if your computer is off); and
• Free call forwarding to your cell phone or any other phone.
The 911 service requires not only that you enter your current address, but also (as with any MagicJack call) that you have power and a working Internet connection so you can dial the number.
If you use Microsoft Outlook, you can also download a plug-in that adds a toolbar to that program for one-click dialing of a selected contact.
MagicJack costs less than other VoIP services
MagicJack is only the latest entry to a growing number of VoIP service providers, two of the most popular being Skype and Vonage.
Perhaps the most similar product to MagicJack is the V-Phone from Vonage. This USB device is the size of a typical flash drive and includes an audio jack for the included cell-style headset (earphones and microphone). Like MagicJack, you plug a V-Phone into a computer with Internet access and, after about 30 seconds of setup, begin calling. You dial out using the on-screen keypad (which is optional in MagicJack). An incoming phone number is included. Like MagicJack, you get voicemail, a call log, and a contact list.
Compared to MagicJack, however, the V-Phone rates are astronomical. Vonage’s cheapest billing plan (see Table 1) costs $180 USD per year for 500 minutes per month. Unlimited calling is available for residential users for $300 per year, while businesses pay $420 per year. The fees include all calls to the U.S., Canada, and a few European countries.
Skype, on the other hand, does not include any hardware. It’s free software that you download and install on your computer. The software includes instant messaging and file transfers, but to make VoIP phone calls, you’ll also need a Skype-compatible headset.
Skype charges $30 a year for unlimited outgoing (SkypeOut) calls to the U.S. and Canada, plus just over 2 cents a minute for calls to 30 selected countries, more to others.
To get a number for incoming calls, the SkypeIn service costs $18 for three months or $60 per year, a price that includes voicemail and call forwarding. (You can also buy up to 10 phone numbers using most U.S. area codes, as well as those from some other countries.) By contrast, if you have MagicJack service, incoming calls are free.
Table 1. MagicJack is cheaper than similar services. (All amounts in U.S. dollars.)
| | MagicJack | Vonage V-Phone | Skype |
|---|---|---|---|
| Unlimited outbound calls from anywhere to U.S. & Canada | $20/year | $300/year (includes landlines in five EU countries) | $30/year |
| Unlimited inbound calls from anywhere | Included | Included | $60/year |
| Initial cost | $40 (includes 1st year of service) | $40 | Free (software download) |
| Other calling hardware needed | Analog phone or headset | None (headset included) | Skype-compatible headset |
Is MagicJack too good to be true?
With rates as low as those offered by MagicJack, how likely is it the service will survive in the long haul? That’s an open question, even for telecom experts, some of whom don’t expect any VoIP service to last for long. But MagicJack’s business model does offer some advantages that aren’t found in its competitors.
MagicJack differs from companies like Vonage and Skype, who buy their connection services from telecom businesses known as Competitive Local Exchange Carriers (CLECs) and other names.
MagicJack’s parent company, YMax — founded by telecom veteran Dan Borislow — is itself a CLEC that’s certified in 49 U.S. states (soon to be 50). Because the company owns much of its own switching and gateway hardware, YMax can make money by giving out phone numbers and leasing the lines it owns to other VoIP and telecommunications providers.
This infrastructure also gives the company more control over voice quality, asserts MagicJack marketer Don Bruns in a recent issue of TelephonyOnline. Founder Borislow echoes this point in a Broadband Reports article.
In addition to sales of the MagicJack hardware (and the $20 annual fee starting one year later), MagicJack intends to sell advertising that will appear next to the on-screen softphone any time you use the product. Indeed, as an article on the Broadband Reports site points out, MagicJack’s Terms of Service document goes so far as to state that “these advertisements are necessary for the magicJack device to work.”
Whether this business model is sufficient to make MagicJack a viable, long-term success, only time will tell. In the meantime, consumers can take advantage of MagicJack’s low rates and portable calling convenience wherever a computer and a good Internet connection can be found. For more information, see the MagicJack site.
Reader Rand New will receive a gift certificate for a book, CD, or DVD of his choice for his help in suggesting this topic. Have a tip about Windows? Send us your tips via the Windows Secrets contact page.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the magazine’s Here’s How section.
Windows Home Server is not ADS-friendly
By Scott Dunn
I explained in my Dec. 6 article how Alternative Data Streams (ADS) on NTFS-formatted disks can be used to hide data on your computer.
But copying such files to a shared folder on Windows Home Server can corrupt the streamed data, meaning applications on other PCs on the LAN don’t recognize the file format.
After reading the story, reader Gary L. Adelson brought some news to my attention:
- “I would like to point out that there is currently an unresolved data corruption issue related to the recently released Windows Home Server (WHS) and files which have ADS. This has been discussed at length on the Windows Home Server forum. Microsoft has addressed this in Knowledge Base entry 943393.
“Because of this, I would encourage anyone using WHS to avoid files which have ADS, until this issue is resolved by Microsoft.”
Thanks, Gary! As the Knowledge Base article points out, the problem typically occurs when you copy a file with an NTFS stream to a shared folder on Windows Home Server. If you then access the file from a networked computer running antivirus software, your application may not recognize the file’s format.
In addition, the article states, you can’t open files with an .avi or .exe extension (presumably those that contain ADS data).
To be safe, follow Gary’s advice and keep your ADS files away from WHS until a patch is available.
Other ways to hide files from Windows
Other readers took issue with the whole process of hiding files in data streams. For example, Rich Fox wrote:
- “Seems to me that is a lot of work to hide files. I use Folder Lock myself. I don’t know if you are familiar with it or not, but I like it. It does all that you said and I think a lot more.”
Folder Lock is a security utility that offers password protection, file scrambling, and 256-bit Blowfish encryption. As Rich notes, Folder Lock lets you hide files and folders with a simple right-click command (which you must first enable in its Advanced Options dialog box).
However, such files are not completely hidden; as the Help file itself states, the files are visible in DOS mode or Safe Mode. For maximum security, you have to move the files you want to protect into Folder Lock’s Locker folder. In addition, the demo version only lets you encrypt 35 items. To exceed that limit and get other features, you need to pay the $35 registration fee.
For a free alternative to using ADS or a tool like Folder Lock, try Free Hide Folder. It takes a few clicks to add folders to the hidden list, but once you do, they and their contents are completely invisible. For added security, Free Hide Folder asks you for a password every time you launch it. It works on most folders, but in Vista has trouble with certain built-in folders, such as the Music folder in the Documents folder.
Readers Adelson and Fox will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
Never leave home without it!
It’s a classic story. Boy meets Girl. Boy and Girl spend the night together. Boy has to leave in the morning for a meeting, but asks for Girl’s phone number. Girl clogs Boy’s toilet and ends up leaving an unexpected present along with her number.
In this gritty but hilarious three-minute parody of a Home Depot commercial, we learn a new meaning to the phrase, “No S—, Sherlock!” (Warning: crude humor and rude language.) Play the video
Is your ISP in cahoots with spammers?
By Fred Langa
Ever wonder if someone’s mining your ISP’s mail server for addresses? Here’s one way to test for malfeasance at your mail server — and I’ll show you several other ways to keep your e-mail address out of the wrong hands.
No good deed goes unpunished
You’ve heard the saying, “No good deed goes unpunished.” That’s the situation reader Fred Stone found himself in when he started to get phishing e-mails after helping set up a friend’s PC:
- “While helping a friend get active with his new ISP and get Thunderbird configured, I created an e-mail address for testing in his account. This address has been used to send or receive maybe 12 messages. Today, I received a phishing message. Since this address should be unknown and has only been sent to about 5 of my various e-mail addresses, the question is how does this get in the hands of phishers? Are folks sitting there monitoring all the Net traffic, culling addresses?”
It’s possible that something’s not right at the ISP (e.g., someone there is snooping the mail server or monitoring the packet streams for spammable/phishable addresses). In a moment, I’ll show you how to test to see if that’s happening. But it’s more likely that e-mail address-harvesting is happening elsewhere. Let’s first look at the more likely explanations for the phishing e-mail you got.
Because you’re a Windows Secrets reader, your own system is probably well protected against spyware and other malicious software. But your friend’s PC may not be.
Although e-mail harvesting via malware is less common than it once was, it can still plague unprotected PCs, especially the systems of less sophisticated users. Once address-harvesting malware gets onto a system, it can quietly monitor the e-mail addresses in an address book and in the In and Out boxes, periodically sending the gathered addresses to a phisher or cracker. Similarly, any of several kinds of keystroke-capture malware could also be collecting data off your friend’s PC and periodically phoning home to the malware’s creator.
You no doubt already know of the many excellent tools (both free and paid) that can protect a PC from spyware and similar nasties. But you might want to help your friend check to make sure his PC is clean, and help him install protective software to prevent any future infections. For specific product recommendations, see the WSN Security Baseline.
You said the suspect e-mail account was used only to send a few test messages, so this following item may not apply. But, for completeness, I should also mention that a very common means of address harvesting has nothing to do with e-mail per se. It’s the disclosure of your e-mail address on chat rooms, message boards, auction sites, or other Web pages; or by placing an order online with a less-than-scrupulous business.
In these cases, it’s best to use a throw-away e-mail address (an address that’s unique to each place you use it). This lets you easily see the source of any resulting spam/phishing, and you can pull the plug on it by turning off that address.
I won’t spend more time on preventing these types of harvesting, because they’re covered better and in far more detail in Brian Livingston’s excellent e-book, “Spam-Proof Your E-Mail Address.” Highly recommended!
Dealing with forged or guessed addresses
Alas, you still may get spam/phishing e-mails even if your e-mail address is well protected and even if you never use your real address on a Web site. You see, malicious mass e-mailers often use powerful tools to generate vast quantities — millions, even — of guessed e-mail addresses. One common approach is analogous to a "dictionary attack" by a brute-force password cracker.
For example, a malicious e-mailer simply can run through a list of all common names and the common permutations of e-mail address formats for any given domain. Many e-mail addresses are in the form of first initial/lastname, so a brute force attack might generate a phonebook worth of last names with different initials (Asmith@, Bsmith@, Csmith@, etc.). Another common addressing format uses firstname/last initial, so the attack might generate a pile of names in the form of FredA@, FredB@, FredC@, etc.
The fact that you received spam or a phishing e-mail doesn’t necessarily mean that your address was specifically targeted. Instead, it may simply mean that a mass-mailer’s software guessed correctly, getting a "hit" amidst a blizzard of bad guesses. A good "Bayesian" (statistically-based) e-mail filter is your best defense against this kind of spam or phishing missive. Use WinFind with the search term bayesian for more information and recommendations.
Brute-force attacks also can exploit the way some mail services work when errant mail gets dumped into a master mailbox. Let’s say I own the domain XYZ1234.com and the domain’s catch-all e-mail address is:
fred AT xyz1234 DOT com
In many standard configurations, the mail server will dump unknown and misaddressed mail to the catch-all account to make sure nothing gets lost. So, the fred account may get not only legitimate mail addressed to it, but also all brute-force generated e-mails that were targeted at nonexistent addresses at the XYZ1234.com domain.
If you have your own domain, the solution here is to have all misaddressed e-mails either deleted upon receipt or redirected to a special holding account that you periodically check for the occasional valid but misaddressed email.
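The following sketch is an added example, not part of the original column. It shows how a domain owner could spot this kind of guessing in a mail log and measure what a catch-all mailbox would absorb. The log format, the IP addresses, and the list of valid mailboxes are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format): "<client-ip> rcpt=<address>",
# one line per recipient offered to the mail server for xyz1234.com.
SAMPLE_LOG = """\
203.0.113.7 rcpt=asmith@xyz1234.com
203.0.113.7 rcpt=bsmith@xyz1234.com
203.0.113.7 rcpt=csmith@xyz1234.com
203.0.113.7 rcpt=dsmith@xyz1234.com
203.0.113.7 rcpt=jsmith@xyz1234.com
203.0.113.7 rcpt=FredA@xyz1234.com
203.0.113.7 rcpt=FredB@xyz1234.com
203.0.113.7 rcpt=FredC@xyz1234.com
198.51.100.20 rcpt=fred@xyz1234.com
198.51.100.20 rcpt=fredd@xyz1234.com
"""
VALID_MAILBOXES = {"fred", "jsmith"}  # assumed real accounts in the domain

LINE_RE = re.compile(r"^(?P<ip>\S+)\s+rcpt=(?P<local>[^@\s]+)@(?P<domain>\S+)$")


def unknown_recipients(log_text, domain, valid):
    """Yield (client_ip, local_part) for every recipient that has no mailbox."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["domain"].lower() != domain:
            continue
        local = m["local"].lower()
        if local not in valid:
            yield m["ip"], local


def catch_all_hits(log_text, domain, valid):
    """Number of messages a catch-all account would silently accept."""
    return sum(1 for _ in unknown_recipients(log_text, domain, valid))


def find_sweeps(log_text, domain, valid, min_unknown=4, min_variants=3):
    """Flag clients that try many nonexistent names built on a shared stem.

    Two stems are checked, matching the formats described above:
    initial + last name (asmith, bsmith -> "smith") and
    first name + initial (freda, fredb -> "fred").
    """
    per_client = defaultdict(set)
    for ip, local in unknown_recipients(log_text, domain, valid):
        per_client[ip].add(local)

    report = {}
    for ip, names in per_client.items():
        if len(names) < min_unknown:
            continue  # a single typo is ordinary misaddressed mail
        stems = defaultdict(set)
        for name in names:
            if len(name) > 2:
                stems[name[1:]].add(name)   # drop leading initial
                stems[name[:-1]].add(name)  # drop trailing initial
        swept = sorted({s for s, v in stems.items() if len(v) >= min_variants})
        report[ip] = {"unknown": len(names), "sweeps": swept}
    return report


if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG, "xyz1234.com", VALID_MAILBOXES))
    print(catch_all_hits(SAMPLE_LOG, "xyz1234.com", VALID_MAILBOXES))
```

The client that sent one mistyped address is left alone, while the client cycling through initials is reported together with the stems it swept.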
If none of the above approaches gives a clue to how the phishing mail arrived, you can examine the e-mail itself for signs. This involves a careful analysis of the e-mail "headers" (the complete addressing and classification information that accompanies every e-mail). Most e-mail clients have a software toggle that will allow you to see the full, unmodified header information. If you don’t know how to work yours, see the SpamCop article, “How do I get my e-mail program to reveal the full, unmodified e-mail?”
You can read the following articles to dissect the header information to figure out where the unwanted e-mail came from, and even to report the spammer/phisher to the appropriate ISP and/or legal authorities:
Is your ISP at fault after all?
Odds are, the above steps will help you identify the source and help resolve your spamming/phishing problem. If not, perhaps the problem is indeed at your ISP or mail host. Here’s one way to test for that:
The concept here is to send e-mail from an account set up with a random, nonhuman name — a name that wouldn’t appear in a dictionary attack and that would be extremely unlikely ever to be guessed correctly. For example, you can use a good password generator (such as the one provided by Gibson Research) to create an all-but-unguessable fictitious user name. For example, if your e-mail account is hosted by XYZ1234.com, and that domain allows e-mail usernames of up to 16 characters, you might use a password generator to create a random string of 16 characters and thus create a new e-mail account with a unique, unguessable name, such as:
v900z372o05wqo8o AT xyz1234 DOT com
Then, on a PC known to be free of malware, use the new e-mail account to send a bunch of e-mails to another known-clean PC in that domain (or in a pinch, to yourself). Do nothing else with that address. (Don’t post it on Web pages, for example.) Wait a while. If that account ends up getting spammed or phished, it’s time to have a chat with your domain administrator, because about the only way that address could have gotten into circulation is by being harvested off the mail server.
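As an added illustration (not code from the original column), the test above can be scripted: generate the random account name, then review the full headers of whatever arrives at it. The sample messages, sender addresses, and IP addresses below are constructed, and the 16-character limit follows the example in the text.

```python
import re
import secrets
import string
from email import message_from_string
from email.utils import getaddresses, parseaddr

ALPHABET = string.ascii_lowercase + string.digits
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def make_canary(domain, length=16):
    """Random local part from a CSPRNG, so no name list will contain it."""
    local = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return f"{local}@{domain}"


def connecting_ip(msg):
    """IP from the topmost Received header, the one your own server wrote.

    Headers further down were supplied by the sending side and can be forged.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = IP_RE.search(received[0])
    return m.group(1) if m else None


def audit_canary(raw_messages, canary, known_senders):
    """Return every message to the canary that did not come from a test peer."""
    findings = []
    known = {s.lower() for s in known_senders}
    for raw in raw_messages:
        msg = message_from_string(raw)
        rcpt_headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
        rcpts = {addr.lower() for _, addr in getaddresses(rcpt_headers)}
        if canary.lower() not in rcpts:
            continue
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if sender in known:
            continue
        findings.append({
            "from": sender,
            "origin": connecting_ip(msg),
            "subject": msg.get("Subject", ""),
        })
    return findings


# Constructed sample mailbox contents (full headers plus a one-line body).
CANARY = "v900z372o05wqo8o@xyz1234.com"
SAMPLE_MESSAGES = [
    "\n".join([
        "Received: from pc1.xyz1234.com ([192.0.2.10]) by mail.xyz1234.com",
        "From: fred@xyz1234.com",
        f"To: {CANARY}",
        "Subject: test 1",
        "",
        "hello",
    ]),
    "\n".join([
        "Received: from unknown ([203.0.113.50]) by mail.xyz1234.com",
        "Received: from mail.bank.example ([192.0.2.99]) by relay.invalid",
        'From: "Account Security" <alerts@bank.example>',
        f"To: {CANARY}",
        "Subject: Verify your account",
        "",
        "click here",
    ]),
    "\n".join([
        "Received: from unknown ([203.0.113.50]) by mail.xyz1234.com",
        "From: alerts@bank.example",
        "To: fred@xyz1234.com",
        "Subject: Verify your account",
        "",
        "click here",
    ]),
]

if __name__ == "__main__":
    print(make_canary("xyz1234.com"))
    print(audit_canary(SAMPLE_MESSAGES, CANARY, {"fred@xyz1234.com"}))
```

Any entry in the result is mail that reached an address only the test machines and the mail server ever saw, which is the evidence to bring to the domain administrator.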
Fred Langa is editor-at-large of the Windows Secrets Newsletter. He was editor of Byte Magazine (1987 to 1991) and editorial director of CMP Media (1991 to 1996), overseeing Windows Magazine and others. He edited the LangaList e-mail newsletter from 1997 to 2006, when it merged with Windows Secrets.
Will Vista SP1 improve your performance?
By Mark Edwards
Microsoft says that Vista Service Pack 1 will improve system performance, and many of you probably think, “It’s about time!” This week, I give you a rundown of several improvements you can expect after you load Vista SP1, and a link where you can learn even more.
You can get a glimpse of Vista SP1 now
Microsoft is busy working on Windows Vista Service Pack 1, which the company says will improve Vista significantly. To be sure, some of the improvements in SP1 have been available for some time as individual hotfixes, so you might already have a few of them on your Vista system. But installing SP1 is an easy way to get all the updates in one fell swoop, and you’re bound to get other improvements that you previously didn’t have.
Some of the more interesting claims for SP1 are related to performance:
• Vista SP1 is said to vastly improve file copying, which as you probably know can be painfully slow at times. According to Microsoft, you’ll find that file copying is as much as 50% faster when copying files between two Vista SP1 systems. You’ll reportedly experience a 45% performance increase when copying files between a Vista SP1 system and a non-Vista SP1 system. And, Redmond says, you’ll experience a 25% performance increase when copying files locally.
• You may have noticed that Internet Explorer is slower on Vista than previous versions of IE when you’re visiting sites that use a lot of JavaScript. SP1 will improve that performance lag. Microsoft says that with SP1, IE on Vista should become as fast as IE on previous versions of Windows.
• Another nagging performance problem relates to boot delays. In some cases, Vista can take up to five minutes to boot, due to problems with Vista’s new ReadyBoost technology. SP1 is designed to fix that problem, too.
• Remote Desktop will get some help in the form of a new compression algorithm for sending images. Microsoft says that the new algorithm will reduce the size of the RDP network stream by as much as 60%.
• On the flip side, when you install SP1 you’re going to notice an initial performance hit. The reason is that SP1 initially deletes all user-specific data used by Vista to improve performance. You’ll have to use your system for a while in order for Vista to “learn” how to speed up again. As you use your computer, Vista will track some of your usage habits, store data about your work patterns, and use that information to increase overall performance.
• For those of you using Vista in a business environment, be aware that SP1 will uninstall the Group Policy Management Console (GPMC). You’ll then have to download an updated version of GPMC that will have new capabilities, such as a new search facility and the ability to add comments to policy objects and settings.
• Other changes you can expect in SP1 include numerous security improvements, better desktop management and administration, new support for emerging hardware technologies, and reliability improvements. Some of these fixes can help prevent Vista from crashing.
If you plan to get SP1 on CD, it consumes about 450MB. If you download it from Windows Update, it’ll be about 65MB.
For more detailed information, you can read “Notable changes in Windows Vista Service Pack 1 (release candidate),” a document at Microsoft’s TechNet Web site.
VideoLAN: free media player and streaming system
I was recently searching the Internet for a free DVD player, since Windows Media Player (on XP) didn’t work with one of my DVDs. During my search, I stumbled across VideoLAN VLC Media Player. This powerful, cross-platform tool is excellent for a variety of reasons. It’s open source and free for anyone to use, and it runs on Windows, OS X, Linux, BSD, BeOS, QNX, and Solaris.
VLC Media Player can play DVDs and a long list of other media files. This includes videos encoded in a variety of formats, including Windows Movie, Real Video, Indeo, Cinepak, Sorenson, DIVX, MPEG, and more. It can also play audio files encoded as AAC, MP3, WMA, Real Audio, and Vorbis, to name a few.
Another really slick aspect of VLC Media Player is that it can also stream media files over a network. So, for example, you can use it to stream a movie to several other PCs, as long as you have a high-bandwidth network between the server and client systems. If you’ve got a TV card in your system (such as those from Hauppauge) then you can also stream live television.
For a more complete list of VLC Media Player features, visit the VideoLAN Web site. At the top of the page, you’ll find a link to download a copy for your particular operating system.
AVG Free will soon include LinkScanner
I bet a lot of you are using AVG antivirus software from Grisoft. In case you don’t know already, Grisoft offers AVG Anti-Virus Free Edition and AVG Anti-Rootkit Free Edition for non-commercial use.
I recently learned that Grisoft made an agreement to acquire Exploit Labs, the makers of LinkScanner. Grisoft said the first thing it will do with LinkScanner is integrate it into AVG Anti-Virus Free Edition. That’s good news all around, since LinkScanner offers decent protection against evil Web site content. So those of you who use AVG can expect to see some new Web content-related security features in the near future.
Windows proxy auto-discovery is vulnerable
Microsoft released an advisory on Dec. 3 about a new problem with Web Proxy Auto-Discovery (WPAD). Under certain conditions, bad guys might be able to wedge themselves in between your system and any endpoint sites that you try to contact.
The attack technique is called a man-in-the-middle attack, and the danger exists for users of every supported version of Windows. So if any of your software, such as Internet Explorer, uses WPAD, you might be at risk.
While there is no patch available yet, Microsoft does include a list of various factors that can help you determine if your systems are vulnerable. The advisory also includes several workarounds, such as creating a wpad.dat file, disabling proxy auto-detection in IE, disabling DNS Devolution, and configuring a domain suffix search list. Review advisory 945713 for complete, step-by-step instructions.
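To see why the devolution and suffix-search-list workarounds matter, here is an added example (not taken from the advisory or the original column) that lists the WPAD names a client would look up and flags any that fall outside your own domain. It assumes devolution strips the leftmost label of the primary DNS suffix until two labels remain, and that a configured suffix search list is used instead of devolution; the host names and the `.test` domain are constructed.

```python
def wpad_lookups(primary_suffix, search_list=None, devolution=True):
    """Names tried when a client resolves the unqualified host name 'wpad'.

    Assumed model: with a suffix search list, only the listed suffixes are
    tried. Otherwise the primary suffix is tried and, if devolution is on,
    each parent suffix down to two labels.
    """
    if search_list:
        return [f"wpad.{s.lower().strip('.')}" for s in search_list]
    labels = primary_suffix.lower().strip(".").split(".")
    names = ["wpad." + ".".join(labels)]
    if devolution:
        while len(labels) > 2:
            labels = labels[1:]          # drop the leftmost label
            names.append("wpad." + ".".join(labels))
    return names


def names_outside_org(names, org_domain):
    """Lookups that leave the namespace the organization controls."""
    org = "." + org_domain.lower().strip(".")
    return [n for n in names if not n.endswith(org)]


def audit(hosts, org_domain):
    """Map each host profile to the WPAD names it would ask outsiders for."""
    report = {}
    for h in hosts:
        names = wpad_lookups(
            h["suffix"], h.get("search_list"), h.get("devolution", True)
        )
        report[h["name"]] = names_outside_org(names, org_domain)
    return report


# Constructed client profiles; the organization owns corp.example.test.
ORG_DOMAIN = "corp.example.test"
SAMPLE_HOSTS = [
    {"name": "default-client", "suffix": "hq.corp.example.test"},
    {
        "name": "search-list-client",
        "suffix": "hq.corp.example.test",
        "search_list": ["hq.corp.example.test", "corp.example.test"],
    },
    {
        "name": "no-devolution-client",
        "suffix": "hq.corp.example.test",
        "devolution": False,
    },
]

if __name__ == "__main__":
    for host, leaked in audit(SAMPLE_HOSTS, ORG_DOMAIN).items():
        print(host, "->", leaked or "stays inside the organization")
```

Only the client left at defaults asks for a name whose owner is someone other than the organization; either workaround keeps the lookups in-house.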
Minor vulnerability with Firefox character sets
Paul Szabo, the computer systems officer of the University of Sydney, found that Firefox 2.x has a problem with character-set encoding. Szabo writes that, when viewing a Web page that has an embedded iframe, the browser will inherit the charset of the parent page — if you’ve configured the character set in the browser manually.
According to a Secunia advisory, this problem might let bad guys conduct cross-site scripting attacks. There’s no fix for the problem yet, but fortunately Secunia considers it to be a low-risk issue. A simple workaround is to not manually configure the character set in the browser. In Firefox, you can accomplish this by pulling down the View menu and selecting Character Encoding, Auto-Detect, Universal.
Use 7zip to encrypt on legacy Windows systems
In my Nov. 29 column, I wrote about how you can reset any Windows login password in 60 seconds or less. As part of that column, I also mentioned using Windows’ Encrypting File System (EFS) to protect your data in case someone resets your administrator password without your permission.
Timothy McGowan writes to say that EFS isn’t available on Windows XP Home Edition. Tim also mentions that he can’t use the excellent, free TrueCrypt tool, because it only works with Windows 2000 or later versions of Windows, and he needs to encrypt data on older Windows systems.
Tim suggests that people with older Windows systems can encrypt their data using the free 7zip compression tool, since it runs on any Windows platform from Windows 98 onward. It also runs on Linux. 7zip supports 256-bit AES encryption, which is strong enough for most people’s needs. The program is also handy for unpacking nearly any archive type, including the formats RAR, CAB, ISO, ARJ, LZH, CHM, MSI, WIM, Z, CPIO, RPM, DEB and NSIS.
Check it out at the 7zip Web site. Thanks for the tip, Tim!
Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and regularly writes for its Security Matters blog. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.
Office 2007 SP1 surprises Vista SP1 beta users
By Susan Bradley
Many people were startled on Dec. 12 to see that Service Pack 1 for Office 2007 had been auto-installed, and their machines had been rebooted. Microsoft had said that Office 2007 SP1 would be made available on Dec. 11, but would not auto-install on that date — but the beta versions of Vista and several other Microsoft products didn’t behave that way.
Running Vista SP1 beta? Fun with Office 2007 SP1
I woke up on Wednesday morning to find a notification that a Vista machine had rebooted after being patched. I found, to my surprise, that the new Service Pack 1 for Office 2007, which was released on Tuesday, had been auto-installed.
As I wrote in a special, short Patch Watch column on Dec. 6, Microsoft promised that Office 2007 SP1 wouldn’t automatically download and install on Patch Tuesday this month — even though it would be publicly released on that date. Redmond made the assurance because the large size of the download, in addition to all the other patches released that day, would bog down many people’s systems.
It turns out that running the beta test version of SP1 for Windows Vista causes Office 2007 SP1 to be auto-installed. This didn’t occur just on my systems. I’ve received several reports that other companies have found the same behavior.
The log files of several of my test machines show that Microsoft Update is getting its information from a test update site. It’s the auto-update setting from Vista SP1 that caused Office 2007 SP1 to look like an update that should be installed automatically, in my case.
On my test boxes, I enable Windows’ Automatic Updates feature to confirm the expected patching behavior. On these test machines, my beta testing of Vista SP1 caused this server to deploy Office 2007 SP1 rather than delaying it until I manually approved the install.
If you’re running the beta versions of Vista SP1, XP SP3, or WSUS 3 SP1, be aware that all of these betas configure your machines to install from a different patch server. I’ve also found that even if you manually install Office 2007 SP1, the Automatic Updates feature of these betas will later auto-install the service pack regardless.
If you are not running any of these betas, and Office 2007 SP1 was automatically installed without any intervention by you, please use the Windows Secrets contact page to let me know which operating system you’re seeing this behavior on.
How to deal with the Office 2007 patches
It was recently reported by eWeek that Service Pack 1 for Office 2007 was released on Dec. 11, several weeks earlier than Microsoft had originally planned, because the beta for SP1 was deliberately kept small.
I’ve personally seen that small betas are sometimes more successful than larger ones, but I’m not convinced that testing a service pack only in a few large enterprises sufficiently tests it for small businesses and consumers. In several cases, security patches have had unusual interactions with otherwise stable software that’s aimed at consumers.
If you’re an individual user or a small business that manually installs patches via Microsoft Update, you’ll find that MU offers you Office 2007 SP1, as you can see in Figure 1 (a dialog box from a Vista machine):
Figure 1: If you absent-mindedly leave on all the checkmarks in this month’s list from Microsoft Update, you’ll get the giant Office 2007 SP1 download, which is the second line from the bottom.
It’s not supposed to be downloaded and installed automatically (although this does happen in the case of some beta software that I described above). But SP1 is there in the list and is prechecked to be installed.
If you are a bit asleep and just blindly approve all of the patches, you get a very long wait while SP1 for Office 2007 is downloaded.
Bobbie Harder explained in the official Microsoft Update blog on Dec. 12 the scenarios in Vista where the system might appear to wrongly auto-install Office 2007 SP1 but isn’t actually doing so. After testing, I agree with her findings.
If you have a PC set to Check for updates but let me choose whether to download and install them, you might not realize that Office 2007 SP1 was included in the detected and ready-to-be-approved patches, which you then approved. On my Vista test systems (nonbeta), I never saw Office 2007 SP1 install without approval, even if the options Automatically install or Download updates but let me choose when to install them were selected in the Automatic Updates control panel.
Office 2007 SP1 requires 1.1GB of free disk space on XP and 1.75GB on Vista. But the Microsoft installer fails to check for this much free disk space, verifying only that there is 264MB free to extract the installer itself, according to a blog post by Windows Secrets contributing editor Woody Leonhard. This fact, and the weird error message you get when SP1 fails to install due to lack of disk space, are explained in KB article 943589.
Also being offered to users is patch 943649, which ensures that Office 2003 has the ability to access Windows Live Mail accounts, Microsoft’s successor to the company’s Hotmail accounts. If you use neither service, you can pass on installing this patch.
I haven’t yet found any negative side-effects in my testing of Office 2007 SP1. However, most of us don’t have spare machines with valid licenses of Office 2007 to test. This means I urge you to hold back on this service pack and wait until those of us in the consumer and small-business market have had a chance to test it. Look for me to have an informed opinion on this service pack in early 2008.
MS07-069 (942615)
Internet Explorer gets the last patch of ’07
Internet Explorer gets the last patch — for 2007, that is.
MS07-069 (942615) is the 69th and last patch of the 2007 calendar year. As with all of Microsoft’s other IE patches, I urge you to install this as soon as you can, assuming you don’t have some custom software that’s negatively impacted.
Of special interest regarding this cumulative rollup for IE is its impact on Intuit’s tax and accounting software. Security research firm Secunia points to this issue in a company advisory that lists more than two dozen products from Intuit that are affected by MS07-069.
I received an e-mail directly from Intuit explaining the issues, and have posted it in full. You’ll be protected from the specific security holes that impact Intuit’s software whether you install the updates from Intuit or the IE patches in MS07-069.
Included in the rollup are several fixes that need special Registry changes to enable them. These fixes are available from Knowledge Base article 942615. They include the following patches:
• 921090 keeps IE from generating an error page, especially when connecting to a Web site that supports SSL version 3;
• 924764 helps IE 6 not hang when printing;
• 939913 fixes an issue with Japanese characters in a text box;
• 942174 corrects an issue that turns layers on a Web page gray; and
• 942198 corrects problems that even administrative users in Vista have installing ActiveX controls.
Also included in the rollup is 943141, which prevents the Trusted Sites zone in Internet Explorer from being reset to default values — a problem with previous IE patches.
MS07-068 (941569, 944275)
Protect yourself from Windows Media Format
I found it a bit ironic that one of the last security patches in 2006 was for Windows Media Player, while one of the last ones for 2007 is for the runtime of Windows Media Format, which exists in everything from Windows 2000 to Windows Vista.
Security bulletin MS07-068 (patches 941569 and 944275) corrects the problem with Windows Media Format runtime versions 7.1, 9, 9.5, 11, and Windows Media Services 9.1.
While no exploits for these holes are currently known to be circulating, the bulletin is clear that all it would take to impact you would be someone hosting a hacked video.
During this holiday season, be wary of forwarded e-mails and clicking on unknown Web sites. This patch is a reminder of why even innocuous-seeming media files can impact us unless our systems are updated.
MS07-067 (944653)
Macrovision security patch now on Windows Update
MS07-067 (944653), released on the Windows Update platform, fixes an issue that was first addressed in security advisory 944653. This involves a vulnerability in third-party software that helps game developers ensure that people are using only authorized copies of their games. This technology was shipped with XP, 2003, and Vista, but the version in Vista isn’t vulnerable.
This hole has already been seen being exploited on the Web. The threat is mostly from hacked executable files that must be installed unknowingly by a user. The fact that some user interaction is required is not much consolation. Since this exploit is already being used in attacks, this patch is one that I advise you to put on your systems as soon as possible.
MS07-064 (941568)
DirectX file needs an update for gamers
MS07-064 (941568) is notable in that it is yet another media vulnerability. I found on several of my XP systems that the version of quartz.dll, the DirectX file in question, was pretty old at version 6.05.2600.2749. It turns out that PCs using the beta version of Microsoft Update were not getting the update, which they should have been. If you have a version of quartz.dll below 6.5.2600.3243, it is vulnerable and you should get this update.
A prior KB article, 909596, lists different versions of the affected quartz.dll file that were patched previously.
Bottom line: If you’re like me and have only a few users running XP, and they’re obviously not of the gamer variety, don’t be alarmed if you don’t see this bulletin being offered as a patch. It may be that no one has ever installed DirectX.
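A check for the quartz.dll version comparison in this section, added here as an example and not taken from the column or from Microsoft. It assumes the 6.5.2600.3243 threshold applies only to the XP systems the column discusses; the function names are hypothetical.

```powershell
# Added example; function names are hypothetical. The threshold is the one the
# column gives for quartz.dll on XP (assumption: it is not valid for other OSes).

function Get-FileVersionNumber {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Use the numeric parts, not the FileVersion string: the string can carry
    # extra text after the digits and would then not parse as a version.
    $info = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    New-Object System.Version -ArgumentList $info.FileMajorPart,
        $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
}

function Test-QuartzVersion {
    param(
        # -Path also accepts a UNC path to another machine's copy of the file.
        [string]$Path = (Join-Path $env:SystemRoot 'System32\quartz.dll'),
        [version]$Threshold = '6.5.2600.3243'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        # Matches the column's note: the file may be absent on some machines.
        return [pscustomobject]@{ Path = $Path; Version = $null; Status = 'NotPresent' }
    }
    $version = Get-FileVersionNumber -Path $Path
    # [version] compares field by field as integers, so 6.05 equals 6.5 and
    # build 10000 sorts above 3243; a plain string comparison gets both wrong.
    $status = if ($version -lt $Threshold) { 'Vulnerable' } else { 'Patched' }
    [pscustomobject]@{ Path = $Path; Version = $version; Status = $status }
}

# The old version quoted in the column, compared numerically with the threshold.
([version]'6.05.2600.2749') -lt ([version]'6.5.2600.3243')

# Check the local copy of quartz.dll.
Test-QuartzVersion
```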
MS07-065 (937894)
Message queuing patch important to W2K Server
If you’re still running a supported version of Windows 2000 Server, MS07-065 (937894) is of importance to you. The vulnerability corrected by this patch, which affects the Message Queuing Service (MSMQ), is of lesser risk in XP and Windows 2000 Professional, since the service is not installed on those operating systems by default. In Windows 2000 Server, however, it can be exploited remotely. Vulnerabilities that take advantage of this have already been found on “for pay” hacker sites.
I’ve personally seen MSMQ running on my communication servers. Admins running Windows 2000 Server should place this patch on their high-priority list. A good firewall should protect the savvy administrator, but you’d be wise to review your network and install this patch if it’s needed.
MS07-063 (942624) and MS07-066 (943078)
Two updates are important for Vista users
Vista users who are not beta-testing SP1 will see two specific Vista patches this month.
The first one fixes SMB version 2, Vista’s new file sharing protocol. MS07-063 (942624) patches an issue with digital signing. Only machines with version 2 of SMB use this version. If you are sharing files between Vista and XP, Vista will drop down to the older version of the file-sharing software.
The second patch, MS07-066 (943078), fixes the core part of Vista, known as the kernel. I’ve not seen any negative side-effects from either one of these patches on Vista systems.
While neither of these patches is rated “Critical” by Microsoft, I still urge you to install them as soon as possible.
.NET versions 2 and 3 get new patch support
I’ve been successful in patching .NET versions 2 and 3 to their respective service pack levels, as listed in KB 929300. Other people, however, have not been as fortunate.
In many cases, workstations that didn’t like the last round of updates don’t like this set any better. The trick you need to know is to bookmark a few links that can help you to fix the installer — and even remove and reinstall the impacted version of .NET, if that step becomes necessary:
• KB 290301 will help you fix the .NET update installer;
• KB 908077 should be bookmarked as a good troubleshooting guide for install issues; and
• Last but not least, Aaron Stebner’s blog post gives you additional guidance that is a must-have.
The reason you may find several different versions of the .NET runtime on your system is the various applications you may have installed. For example, .NET is used by QuickBooks 2006 and 2007, whereas .NET 2.0 is required by QuickBooks 2008. For this reason, you may need to retain multiple versions to support the applications you use. When in doubt, don’t remove a version of .NET unless you know that no application needs it.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).