Microsoft evades promise of Vista Ultimate Extras

Microsoft evades promise of Vista Ultimate Extras

By Scott Dunn The Microsoft Corp. in January released Vista Ultimate, the priciest version of the company’s new operating system, with the promise of additional downloadable “Extras,” available only for the top-of-the-line product. Months later, buyers of Vista Ultimate have seen no new Extras since the mere handful that were offered around the initial Vista rollout.

Extras were to enhance expensive Vista edition

When Windows Vista was released to consumers on Jan. 30, the operating system debuted in a number of different “editions” — versions with different features and price ranges for different customers.

The so-called Ultimate edition combines the features of Vista Home Premium and Vista Enterprise. Vista Ultimate includes Media Center, DVD Maker, and Movie Maker — multimedia features of Home Premium that aren’t in Vista Enterprise. Also, Ultimate offers BitLocker drive encryption, support for Unix-based apps, and Virtual PC Express, which Home Premium does not.

But third-party multimedia and encryption features can easily be added to Vista Home Premium and Vista Enterprise via downloads. The real allure of Vista Ultimate was something that none of the other editions would ever have: Ultimate Extras. Some of Microsoft’s promises for these Extras are shown in a Help screen in Vista’s Windows Update control panel (see Figure 1).

Figure 1: In the task pane of Vista’s Windows Update control panel, you can click Learn about Windows Ultimate Extras to display the things Microsoft promised.

Summarizing this feature, the marketing site for Windows Vista Ultimate states, “These cutting-edge programs, innovative services, and unique publications provide a richer computing experience for Windows Vista Ultimate users.”

As indicated on the Vista Ultimate site, three Extras were released in connection with the launch of the product itself in January of this year. These were:

• Language packs for the Multilingual User Interface (MUI).

• Enhancements for Vista Enterprise’s BitLocker and its Encrypting File System (EFS). Some sources, including the Microsoft marketing site for Ultimate, count these as two separate Extras.

• A poker game in which you play “Hold ‘Em” against the computer.

Since January, no completed Extras have been released. A pre-release version of Windows DreamScene — which lets you display videos as screen savers on your desktop, something that was possible with previous Windows versions using HTML — has been available for download since March, but no finished version has yet been offered.

Ultimate users start to notice — and complain

The absence of new Extras has not been lost on the online community, some of whom are beginning to complain vociferously in their blogs. For example, a commenter named Larry on Josh’s Windows Connected blog opines, “It’s high time someone brought this scam to light. $400 for Vista Ultimate, and nothing about it has been ultimate so far.”

Keith Carey, another poster on the same site, echoes the sentiments of many that even the few existing Extras are nothing special. “Ultimate has been a three trick pony with 1 trick few use (BitLocker), one that is so-so (Texas Hold’em) , and the other more of a preview (DreamScene),” he writes. “If this was a standalone product and not a version [of an operating system], we would be calling it vaporware.”

Windows Secrets contributing editor Woody Leonhard goes further, saying, “The BitLocker Drive Preparation Tool really is a prerequisite for using BitLocker, unless you perform a clean install.” Even then, he points out, “You have to go through some extraordinary machinations, from the command prompt, prior to installation.” (The steps are explained in a forum posting by developer Mark Minasi.) Leonhard concludes that the Drive Preparation Tool should have been part of Vista Enterprise in the first place and is hardly an Extra.

In addition, the MUI language packs are not unique to the Ultimate Extra program. They’re available to all Vista Enterprise purchasers who used Microsoft’s Volume Licensing Program (as large enterprises typically would), according to infrastructure design consultant Raymond Comvalius.

Adding mystery to the mix, one blogger, Long Zheng, claims that a confidential source has revealed to him the real reason why Microsoft’s video screen saver has been released in final form. Dreamscene Extra, he writes, has such serious code problems that the company may have to keep it in perpetual beta. Dreamscene, for example, is reportedly unable to work properly on systems configured to use right-to-left languages, such as Arabic and Hebrew — an unbelievable architectural flaw for a product that Microsoft would like to market as finished.

Why is Microsoft not following through on its Ultimate Extra promises? Blogger Zheng has his own theory:

• “Another reliable source suggested there is not even an Ultimate team in existence anymore. Some suggest there were never a team to begin with, more of a collection of people all over Microsoft who worked with marketing on Ultimate Extras. This would explain the lack of direction, insight and progress on Ultimate Extras if no one’s responsible for it anymore.”

For its part, Microsoft officially maintains the position that nothing is wrong. Asked about the lack of Extras or whether the responsible team has been disbanded, a Microsoft spokesman responded only that:

• “We’ve released four Windows Vista Ultimate Extras this year — Windows Hold ‘Em, Language Packs for the Windows multi-language user interface, Secure Online Key Backup, and BitLocker Drive Preparation Tool. We plan to release more in the future. We have no additional updates at this time.”

More than 30% of Windows Vista buyers choose the Ultimate version, according to March 2007 figures quoted by the iTechNote blog. Many of these purchasers selected Ultimate on the promise of its Extras alone.

In my opinion, Microsoft has an ethical obligation to honor its own marketing hype and follow through with useful tools in a timely way.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.

Questions linger on the Svchost.exe bug

By Scott Dunn

The problems discussed in our June 21 issue surrounding svchost.exe, a component of Microsoft Update that periodically consumes 100% of CPU time, raised questions about the related files that it touches.

You can get more info on these files — if you know where to look.

Multiple instances of Svchost.exe are normal

Following my June 21 story on the Svchost.exe problems, many readers, including David Ward, wrote in with a question like this one:

• “I took a look at my Task Manager to find that I have six Svchost.exe processes running. Is this right? Three are for System, two are for Network Service, and one is for Local Service. The highest memory usage is not more than 32,124 K, which is in System. I don’t know if I should be concerned.”

Yes, this is very normal. Svchost.exe is a component of Windows that runs services (processes like audio, fax, network functions, and much more). Multiple instances of Svchost.exe typically run at the same time, each instance loading one or more services. Unfortunately, Task Manager doesn’t show which service(s) each instance is running.

You can find more information on Svchost.exe in Microsoft’s Knowledge Base article 314056. To see what services normally run on your system, click Start, Run, type Services.msc, and press Enter.

How to check Windows Update’s version number

The same story discussed the need to update the Windows Update client. But reader Suzanne Lutkoff had this question:

• “I cannot find the information on which version of Windows Update I am running. Have looked in all the logical places. My laptop is set for Automatic Updates, and I don’t always get to see what’s being updated.”

To learn whether you have the latest version of Windows Update, use Windows Explorer to go to the WindowsSystem32 folder and look for a file called Wuaueng.dll (if your configured language is English). Right-click that file and choose Properties. Click the Version tab and then select File Version under Item name. If the “value” (version) displayed is 7.0.6000.374 or above, then you have the needed fix.

Download pages posted for ZoneAlarm’s Vista versions

A few readers were confused about how to find the new Vista versions of ZoneAlarm software that I discussed in the June 21 issue. Fortunately, Daniel Mitchell found a solution:

• “The only way I could figure out to get the software is to download a ‘trial version’ with a 15-day limit, and then enter the unique product code identifier when the software asked me to ‘purchase the software.’ “

For those who still need to get their Vista upgrade, Jaan Warnhoff of Sweden sent us a link to the download page he received from Check Point Software customer service. Recently, Zone Labs has also added a page that discusses its ZoneAlarm Vista products.

Readers Mitchell and Warhoff will receive gift certificates for a book, CD, or DVD of their choice for being the first to send us tips that we printed.

Gamer takes a different look at MS Surface

The big buzz in sexy new technology lately is Microsoft Surface. The concept is to embed a fancy, highly graphical computer into a table top. But not everyone is so excited by the possibilities. Among the skeptics are the folks at The Sarcastic Gamer. Check out their twisted trailer extolling the virtues (or at least the vexations) of tabletop computing. Watch the video

How to supercharge your wireless router

By Mark Joseph Edwards Did you know that you can gain new wireless router capabilities without buying a new router? This week, I tell you about an alternative third-party firmware package that you can install to add numerous new features and improve your Wi-Fi performance.

Talisman turns Wi-Fi into a super-router

Wireless networking is a useful technology — but, as you might have found out already, typical wireless routers have their limitations. In the past, getting around some of those limitations often required that you buy a new router whose features and functionality better met your needs.

The output strength of your router’s signal, for example, might not be strong enough to reach all the areas of your home or office where you need connectivity. Or you might need to use specialized services, such as Dynamic DNS, router-based VPNs, access-controlled wireless hotspots, etc.

These features and others are typically not available in common routers available today. But instead of buying a new router, you might be able to replace its existing firmware with new third-party firmware.

This is possible because many common routers (especially those made by Linksys, Netgear, ASUS, and Buffaltech) actually use a mini-Linux operating system. And since Linux is open source, people who base their router firmware code on Linux typically must publish their modifications. As a result, some people have extended the firmware in Wi-Fi routers to include new capabilities.

I’ve looked at numerous third-party packages over the last year and found that Sveasoft Talisman firmware is superior in its capabilities. Talisman comes in four varieties: Basic, Hotspot, Mesh, and VPN. Two new varieties, Micro and VoIP, are under development.

Sveasoft licenses Talisman for $20 per year, and for that price you can load the firmware on up to four routers plus receive any updates that are released. Here’s my take on which version might be right for you.

• Talisman Basic is a full featured firmware package, so don’t let the name fool you. It has all the features of standard vendor-supplied firmware, plus several new capabilities.

My favorite feature is the signal power adjustment. It lets you adjust the power output level anywhere from 1 milliwatt (0.001 watt) up to 1 full watt, if your router’s chipset supports an output level that high. For a wireless router, 1 watt is a very strong signal. Without getting into all the radio engineering behind increasing your transmitter output levels vs. improving your antenna performance, suffice it to say that by increasing the output level you might be able to avoid buying a better antenna.

Another very useful feature is the ability to establish up to 15 virtual LANs (VLANs). Each can have its own configuration settings, including SSID, encryption settings, bandwidth controls, and security settings.

You can also configure a long list of basic operational characteristics, such as overall bandwidth transmission rates, bandwidth usage for specific network protocols (very useful for online gaming, voice over IP, etc), a maximum number of client connections, the maximum distance a client can be from the AP, authentication requirements (WEP, WPA, WPA2, or RADIUS), and much more.

• Talisman HotSpot includes all the features of Basic, plus enabling you to setup an access-controlled hotspot, complete with its own log-in page. You could create a hotspot in your neighborhood or in your business location and charge people to use it. Or you might create a free, public hotspot and govern access to it.

• Talisman Mesh lets you link routers together (using the same SSID) to build a larger, wide-area network (WAN). All of the routers in the mesh can be made to automatically configure themselves, based on your pre-defined settings.

• Talisman VPN is great for creating powerful virtual private networks (VPNs). It includes PPTP and IPSec Server. It also supports the encryption standards Advanced Encryption Standard (AES), DES, and Triple DES (3DES), so it’s a good solution for providing a very secure endpoint as a gateway into your private, internal network.

• Talisman VoIP. Still underdevelopment, the VoIP version will reportedly allow you to establish a wireless voice-over-IP server. This will include the ability to handle both software-based and hardware-based SIP phone calls directly on the router, or they can be forwarded to an internal SIP server. If I understand correctly, it’ll include a modified version of Asterisk, which is a very popular open-source VoIP platform.

• Talisman Micro, which is also still in development, is a scaled-down version of Talisman Basic designed for routers that have 2MB or less of RAM. Since such routers have less memory than other routers, they can’t store as much firmware, so their capabilities are more limited.

All versions of Talisman include a Web-based adminstration interface. The firmware is dependent upon specific chipsets, all of which support certain features and not others. As of this writing, Talisman supports numerous routers, many of which include similar or identical chipsets. If your router appears in the list below, give Talisman a look as an alternative to buying a new router — or as a way to add new and useful features:

• Netgear: WNR834B Rangemax
• Linksys: WRT350N, WRT150N, WRT300N, WRTSL54GS, WRT54GS v1–v4, WRT54G v1–v4 (not v5), WRT54GL v1.0, v1.1
• Buffalotech: WBR2-G54, WBR2-G54S, WLI-TX4-G54HP, WHR-HP-G54, WHR-G54, WZR-RS-G54, WZR-G300N v1 MIMO
• ASUS: wl500w, wl500gp, wl550gE, wl500gd, wl500g, wl500ge
• Belkin: F5D7320-4 v2000, F5D7320-4 v1444, F5D7231 (Belkin models support only Talisman Micro)

Before you install third-party firmware onto your router, a strong word of caution is in order. Be extremely careful installing the firmware. I can’t stress this enough. If for some reason the installation fails, it’s possible that your router might lock up and become totally unusable. This, incidentally, is referred to as “bricking” your router, because at that point it’s about as useful for networking as a brick.

If there’s a storm brewing outside, and your power might go out, don’t try to update your firmware. Also, be sure to download a copy of your vendor’s original firmware for your router before you load third-party firmware. You might decide to reload the original firmware back into your router.

Finally, while using Talisman I noticed a quirk with its Web interface. Sometimes, when using Firefox on Windows, saving new configuration settings didn’t work. I’m not sure why, but when I used Firefox on Linux (and Internet Explorer on Windows), the problem doesn’t occur. Keep that in mind so you don’t wind up becoming frustrated, as I did.

For more information, visit the Sveasoft Web site.

MS releases Media Player plug-in for Firefox

Have you ever visited a Web site using Firefox — only to find out that you can’t view some of the site’s content because it required the use of a Windows Media Player plug-in? Or maybe you noticed that your existing Windows Media Player plug-in had bugs that prevented it from working properly?

I have, and in the past it’s been more than a bit frustrating.

Those days are now over. In April, Microsoft released a new Windows Media Player Plug-in for Firefox — finally! The new version works on 32-bit and 64-bit versions of Windows XP (with SP2) and Windows Vista, and it’s downward compatible with Windows Media Player 6.4.

This is probably welcome news to all of you Vista users, since the plug-in wasn’t included with the original distribution of Vista. And it’s good news for XP users, too, since the former plug-in had various problems (which differ, based on the particular content that you’re trying to view.)

You can download a copy of the new plug-in at Microsoft’s Port 25 Web site.

How to get really private browsing in Firefox

Sometimes you might want to surf the Web with Firefox, but not leave any traces of your activity in the browser when you’re finished. Firefox includes a great feature that lets you clear private data, so you can easily wipe out all of your browsing history, cookies, list of downloaded files, etc.

Firefox does give you some control over what’s erased, using the Clear Private Data dialog box accessible via Tools, Options, Privacy, Settings. But what if you don’t want to wipe out everything? What if you only want to wipe out specific activities?

You can’t do that just using Firefox’s native features. But you can do it with the Distrust extension for Firefox.

When surfing the Web, you enable Distrust by clicking its button at the bottom of the browser. When enabled, it notices all of your activity. When you click the icon again to disable Distrust, it then removes all the tracked activity, including your cached files, the list of downloaded files, cookies, and browsing history — without removing any other data that was tracked by the browser.

It effectively lets you use the browser, without letting other people know that you’ve removed private data. For all intents and purposes, the browser looks like you never used it. Pretty slick, eh?

You can learn more about Distrust at the Skattertech blog. For more information, and to download a copy, visit the official Distrust Web site.

Simple tweaks improve Firefox performance

In the June 16 edition of this newsletter, I explained how to adjust Firefox configuration settings to make it start up right you left off when you last shut down. One of our readers, Cory, wrote to tell me about several settings that he manually adjusts to make the browser run faster.

Those settings include:

network.http.pipelining
network.http.proxy.pipelining
network.http.pipelining.maxrequests
nglayout.initialpaint.delay

These settings make the browser download Web content faster, causing Firefox to use more connections in parallel and start to render pages sooner.

The easiest way to configure these settings is to install the Tweak Network extension for Firefox. This add-on gives you an easy-to-use interface to the controls and lets you enable or disable custom settings on the fly.

Another way to speed up Firefox is to adjust its memory usage. When I started using Firefox 2.0.x, I noticed that it consumed a tremendous amount of RAM, most of it in virtual memory (that is, the system’s pagefile). As a result, the browser runs much more slowly after I’ve kept it open for days on end — perhaps because I’ve also left up to two dozen tabs open.

The reason for the slowdown is that Firefox constantly has to reload data from the pagefile, which takes time.

I finally found some help in adjusting the settings to prevent this sort of problem. Head over to Fanpotai.com, where you’ll find the Firefox Tweaks page. This is a great resource that discusses several memory usage settings in detail. For instance, you can reduce to 10 the number of pages that are cached by Firefox’s Back and Forward buttons. (The default is 50 pages, which can consume a substantial amount of memory — and few people go back that many pages.)

You can also read about these tweaks at Mozilla’s about:config entries page, but you’ll find more specifics at the Firefox Tweaks page.

I don’t know of an extension that can handle those particular settings — changing them manually seems to be your only option for now. If you know of an add-on that provides a user interface, send me a message using the Windows Secrets contact page. Thanks!

Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and writes the weekly Security Update e-mail newsletter. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.

Firefox needs NoScript to close vulnerability

By Chris Mosby While Firefox is my Web browser of choice, I still realize that it isn’t 100% secure. Any piece of software that is even remotely popular is going to have hackers going over it trying to find ways to exploit it for their purposes — and that’s led to a Firefox hole you should plug.

Firefox allows sites to piggyback on others

Mozilla Firefox has a flaw in the way that it handles iframes, which are rectangular areas that can appear within Web pages. This vulnerability allows one Web site that you visit to run scripts affecting other sites that you may navigate to.

A hacker could modify the iframe of a site to gain access to sensitive information. This could include passwords or bank-account information that you enter at a different site. Other exploits are also possible with this flaw. For example, a hacker site could run its scripts outside of the security zone you’d set. In other words, an untrusted site could run a script using the profile of a trusted site.

This flaw has been confirmed in all versions of Mozilla Firefox up to 2.0.0.4 (which is currently the latest version) running on multiple operating systems.

What to do: If you’re like me, and Firefox is your browser of choice, I recommend that you install the third-party NoScript add-on to protect yourself from this threat. The NoScript extension allows you to enable scripting on Web sites you trust while blocking scripts from all other sites from running by default. The latest version also has Cross-Site Scripting (XSS) protection, which directly helps to protect you against this flaw in particular.

This extension is usually the very first Firefox plug-in that I install, whever I have to install Firefox on another person’s PC.

Google Desktop lets hackers run programs

The Google Desktop application has a flaw that lets hackers trick users into running any program that may be located on their local computer. This is accomplished by a “man-in-the-middle-attack.”

The problem allows a hacker to spoof a Google search for a local .exe file. Such a file is displayed in the "Results stored on your computer" portion of the search results. When these results are clicked on, Google Desktop causes the local program to run with the rights of the logged-on user.

As I’ve described it here, this attack may seem to be a very specific and orchestrated one that would be very difficult to carry out. This may be true, but the potential is there for other hackers to expand on this flaw and make it easier to exploit than it sounds.

If the hacker who developed the hack described above took the time to get it working, you can be sure there’s yet another hacker who’ll try to expand the technique into something even more dangerous.

What to do: I highly recommend uninstalling Google Desktop until this issue is taken care of. Personally, I’ve always found this application to be way too invasive and too much of a resource hog to be of any use. However, if you simply can’t live without a desktop search tool, the free Copernic Desktop Search is what I’d suggest.

The Over the Horizon column informs you about threats for which no patch has yet been released by a vendor. Chris Mosby recently received an MVP (Most Valuable Professional) award from Microsoft for his knowledge of Systems Management Server. He also writes the comic-book blog Tales from the Longbox and is a contributor to Configuring Symantec Antivirus Corporate Edition.

WGA's tricky install is no advantage

By Susan Bradley The latest back-door method Microsoft is using to install its Windows Genuine Advantage (WGA) marketing software has hit a nerve for many. The e-mails have been piling up on me since I wrote about that subject in my June 14 column.

(892130)
Microsoft is installing WGA by subterfuge

[NEWS FLASH: After my June 14 column regarding Microsoft slyly installing WGA, readers complained to Microsoft — and the Redmond company has apparently removed the WGA requirement from at least one patch. More details will appear in the July 5 issue of this newsletter.]

I’ll be the first to admit that I’ll put up with some annoyances in order to be secure. For example, I leave Vista’s User Account Control (UAC) turned on because it doesn’t really annoy me.

But what does annoy me is when I know that some Microsoft program is bothering others and keeping them from patching their PCs. WGA is one of those annoyances. I’m revisiting this subject, which I previously covered in my last Patch Watch column, to follow up on the many e-mails I received and to answer the numerous questions about WGA.

Last Patch Tuesday’s WGA update on June 12, known as patch 892130, technically wasn’t new. The ActiveX update component of that patch was actually released back in February.

What was new was that many of us are used to avoiding a WGA update by simply setting its Windows Update status to Do not show or just not installing the update. This time, we couldn’t do so — regardless of whether we used “Express” or “Custom” install.

When you manually install updates, Microsoft validates your machine as being “genuine.” If you have a recent version of the validation tool on your system, you’d never see this silent validation of your status unless you ran a network sniffer.

At the end of May, this ActiveX control was updated. The timing for the update couldn’t have been worse. The wording on the screen implied that the patch was the update we were all waiting for to correct the Svchost.exe issue (which I most recently wrote about on June 14). In reality, it wasn’t related to that problem at all.

Many of you have asked how to remove 892130, once it’s installed. For what it’s worth, the Elecboy blog has posted a description of its WGA removal tool. It removes the notification portion of WGA, while leaving behind its validation-checking portion. I think I’ll pass on installing that tool, just because I’m a bit paranoid about downloading code from sites that I’m not sure about. But it’s out there.

In my office, I typically avoid WGA installs as a matter of course. If you’re in an environment in which updates are controlled by Microsoft’s network-based patching engine called WSUS, you’ll never see WGA. You’ll only see it on stand-alone machines that get manual updates.

The only other way to bypass WGA’s annoyances is to enable Automatic Updates on your system, let WGA install, and play Russian roulette with the possible negative side-effects of installing patches the day they come out. I think I’ll pass on that one as well.

Back in April, blogger Robert Moir commented about WGA being caught sending information back to Microsoft. He implied that MS isn’t “getting it” in regards to the need for transparency about what WGA is doing.

I agree. If I was in charge of the WGA project, I’d have someone like Microsoft’s Mark Russinovich dissect WGA and assure us of exactly what it’s doing. (He’s the developer who dissected Sony’s 2006 rootkit debacle, as reported at the time by BBC News) A little bit of transparency and disclosure would go a long way to assure all of us.

Server 2003 service pack missing in action

I have several machines that I allow Automatic Updates to remain enabled on — just so I can see how well the Russian guinea pigs are doing in their roulette games.

On one server that I’ve set to Download but do not install patches, I have yet to see the yellow shield that should by now be notifying me that Windows Server 2003 Service Pack 2 is ready for my machine.

Servers have a hidden 100-patch limit

I would strongly advise you not to enable Automatic Updates for your servers without carefully considering the consequences. One such consequence was recently reported on the SBS blog, where there is an interesting patch threshold being revealed.

It turns out that if you have more than 100 patches installed, you may not be able to install additional ones. This counter gets reset by a service pack, but if you haven’t installed one recently, you may hit this issue.

Forget any Microsoft patching this week

This week, I don’t want you to focus on patching Microsoft applications. Seriously.

No, I haven’t lost my mind. I’m just getting more concerned that the bad guys out there have figured out that we’re getting pretty good at installing Microsoft patches, but we’re still pretty bad patching everything else.

The Incidents.org Web site reminded me of this with its recent post about banner ads being hijacked and using scripts to infect systems. In a separate story, the site provides a description from the iDefense security group about more than 10,000 sites that are being used in a coordinated malware attack. the hackers are exploiting a series of vulnerabilities and say that 45% to 50% of PCs are susceptible.

This reminds us — and we need reminding — that older versions of Quicktime and Winzip can be used in attacks just as easily as older versions of Windows.

I highly recommend Secunia’s Software Inspector, which checks your system for up-to-date versions of these and many other software applications, as listed at the Secunia site. Run the scan at Secunia yourself and ensure that you’re up to date.

Figure 1: Secunia Software Inspector warns you when you’re running an older, nonsecure version of an application or lack the latest patches for Windows. (Links in the above image won’t work, but you can click the image to visit the Software Inspector’s start page.)

I found on a test machine that I was behind the times, both on Java and WinZip (see Figure 1, above). Until I corrected the situation, that machine would have been wide open to security flaws that could be used in an attack.

MS07-034 (929123)
No new OE/Windows Mail patch issues found

I’m still hearing comments surrounding the rather cryptic 929123 patch. As I said in my June 14 column, if you install this patch and then use Internet Explorer to browse to a Web page that contains .mht files, you may get warned by a dialog box. (The .mht extension indicates MIME Hypertext Markup Language, a standard method defined by RFC 2557 for storing all of a Web page’s text and images in a single file. Admins of Web servers can edit their code to avoid the warning, as described by KB article 937912.)

I haven’t seen any other operational issues with installing this patch, so this week I’m giving the green light to installing it. See MS07-034 (929123).

MS07-033 (933566)
May 2007 IE rollup is fouled up — but fixable

In the June 14 newsletter, I told you to hold back a bit before installing the June 12 cumulative rollup for Internet Explorer, known as MS07-033 (933566). Included in this patch is an update to IE’s Phishing Filter. You may feel this is worth installing, but you’re risking possible side-effects that may not have become known yet.

Many companies are still suffering molasses-like Outlook 2003 slowness as a result of last month’s May 2007 IE patch: MS07-027 (931768).

If you’re in the Outlook 2003 slowdown boat, I’d recommend following the advice in the SpywareSucks blog. Don’t allow antivirus software to place tons of undesirable Web sites into the Restricted Sites zone of IE. This can cause enormous slowdowns in Outlook after a certain number of sites have been added. Instead, use a customized Hosts file to keep your browser users away from bad sites.

The use of a Hosts file to block bad sites has been common for many years. The WinHelp 2002 site has a well-maintained list of what should be banned in your Hosts files. The site also supports a blog to notify you of updates to the file.

Apple’s new Safari browser needs patching

Less than two hours after being released, Apple’s new Windows version of its Safari browser was found to have security issues, as reported by Thor Larholm on his blog. Within three days, Apple had patches on its Web site. (See contributing editor Ryan Russell’s analysis of this turn-around in his June 21 column.)

The rumor is that Apple released a Safari browser for Windows in order to get third-party developers to build applications for Apple’s upcoming iPhone.

My advice, if you feel an urge to have anything to do with the iPhone when it’s released on June 29, is to download Safari if you like, but stay away from the Apple store on that day.

Most analysts are saying that the iPhone isn’t ready for business. In a June 22 article, “Just Say NO to iPhone,” WServerNews points out that the device currently cannot sync securely like a BlackBerry, requires an iTunes registration, and creates a music directory on a user’s desktop. But the TechWorld blog is predicting that the “cool” factor will win out, none the less.

MS releases tool to fix Windows OneCare

Recently I was asked to help out with a Windows OneCare installation that failed to update. Microsoft’s all-in-one virus, antispyware, and firewall product is supposed to be easy to use and provides 24/7 support to back that statement up.

I clicked on the box to get the support phone number to call for help. I was directed to a link that sent me to a page in Australia.

While I do plan to go to the SMB Focus Conference in Sydney this fall, I don’t think that the link is very helpful — especially when the phone number appears to be missing a digit that I need in the U.S. to call for help. 1-800-234-836 doesn’t work on an American telephone.

I think it would have been better for Microsoft to send people to this document. On that page, the Redmond company provides a tool, CaclsDeleteDB.exe, which resets OneCare back to "factory defaults" and get the updates working again.

My thanks to all of you

On a final note this week, I’d like to thank everyone who wrote in about their like or dislike of WGA. You are the best security weapon we have. Because you don’t accept things blindly and question, you are exactly the type of people we need to have more of.

Thank you for being an aware computer user and not accepting everything that your computer offers up to you.

The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.