Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
Startup offers free Wi-Fi security
In this issue
- TOP STORY: Startup offers free Wi-Fi security
- INDEX OF REVIEWS: Magazines rate the top GPS alternatives
- HOT TIPS: Fix Windows or just make it zippier
- BRIEFING SESSION: Why Fi? A tutorial on wireless tech
- WINDOWS SECRETS: MS Java Virtual Machine opens IE hole
- PATCH WATCH: Half our patches out of the way
- PATCH WATCH: Beware of automated patch-management syndrome
Startup offers free Wi-Fi security
Wi-Fi devices and software are finally starting to support real encryption to protect you from identity theft (or worse) when you go wireless. But setting up a truly secure system is still way too difficult in most cases.
That’s why I’m excited that companies are starting to offer easy-to-use Wi-Fi security services for free. The first user-friendly, industrial-strength ID-and-password system — which hasn’t even been formally announced yet — is from WiTopia, a company that’s young but is run by some very experienced network talent.
You may already own secure devices
In an article entitled “Wi-Finally” — published in the May 26, 2005, issue of the Windows Secrets Newsletter — I described the three pieces that have finally come together this year to make Wi-Fi safe to use. Let’s summarize the components you need:
• A Wi-Fi router or access point that supports the new WPA or WPA2 standard (the older, obsolete WEP standard is now considered useless);
• A Wi-Fi adapter that supports WPA and/or WPA2; and
• Wi-Fi client software that’s updated to support either standard.
If you have such a set — most of today’s “g” products and some older “b” products qualify — you’re ready to use Wi-Fi safely.
To find out which devices support or can be upgraded to the new specs, visit the Wi-Fi Alliance’s Certified Product Listing page, select the WPA or WPA2 check boxes, and run a query. To find an updated Wi-Fi client software driver or "supplicant," visit Microsoft (for Windows XP SP2) or Funk or Meetinghouse (for other Windows versions). If you need more help, see the original article.
Let good users in, keep bad people out
With the above pieces, you have a choice of two kinds of secure encryption:
• WPA uses a method of encryption called TKIP, which almost all "g" products are capable of supporting.
• WPA2 uses AES, an encryption standard that requires hardware support that some "g" devices don’t have.
Using either WPA or WPA2, there are two kinds of user authentication:
• WPA-Personal and WPA2-Personal use a pre-shared key (PSK). The PSK is a password, which should be at least 32 characters long and completely random, that you enter into your wireless router/access point and all of your Wi-Fi devices.
• WPA-Enterprise and WPA2-Enterprise require the entry of a valid username and password combination before wireless resources can be accessed. This rule is usually enforced by a server running so-called RADIUS software.
Almost anyone who can follow printed instructions can enter a PSK into each access point and each desktop or laptop computer that will wirelessly use it. This is called Personal Mode. The drawback to Personal Mode is that all users must be given the same PSK. When an employee is terminated, you must change the PSK in every access point and in every client device.
Companies with a number of employees who come and go should require a separate username and password for each one who uses wireless resources. This is called Enterprise Mode.
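The Personal Mode advice above (a completely random PSK of at least 32 characters) can be generated and checked mechanically. The following is an added example, not part of the original article: the function names are illustrative, and `derive_pmk` uses the standard WPA/WPA2 passphrase mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), which the article does not describe, to show that the network key depends on nothing secret except the passphrase.

```python
import hashlib
import math
import secrets
import string

# WPA/WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
PSK_MIN_LEN, PSK_MAX_LEN = 8, 63
RECOMMENDED_LEN = 32  # the minimum length recommended in the article
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 symbols, space excluded


def generate_psk(length=RECOMMENDED_LEN):
    """Draw a passphrase uniformly from ALPHABET using the OS CSPRNG."""
    if not PSK_MIN_LEN <= length <= PSK_MAX_LEN:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_psk_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a passphrase of this length, valid only if it is random."""
    return length * math.log2(alphabet_size)


def audit_psk(psk):
    """List obvious problems with a PSK.

    An empty list does not prove the PSK is random; the checks only catch
    passphrases that clearly violate the guidance.
    """
    problems = []
    if not PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN:
        problems.append("length outside the 8-63 characters WPA accepts")
    if any(not 32 <= ord(c) <= 126 for c in psk):
        problems.append("contains characters outside printable ASCII")
    if len(psk) < RECOMMENDED_LEN:
        problems.append("shorter than the recommended 32 characters")
    used = sum(any(c in group for c in psk) for group in CLASSES)
    if used < 3:
        problems.append("fewer than three character classes; unlikely "
                        "for a randomly generated string")
    return problems


def derive_pmk(passphrase, ssid):
    """Map a passphrase to the 256-bit key the access point and clients use.

    The SSID is the only salt, so anyone who knows the network name can
    test guesses offline; the passphrase's entropy is the whole defence.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    psk = generate_psk()
    print("New PSK:", psk)
    print("Entropy if random: %.0f bits" % random_psk_entropy_bits(len(psk)))
    print("Audit of 'password':", audit_psk("password"))
    # Constructed SSID, used only to show the derivation.
    print("PMK:", derive_pmk(psk, "ExampleOfficeNet").hex())
```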
Unfortunately, setting up a RADIUS server can be a daunting task for a small business. The acronym stands for Remote Authentication Dial-In User Service. It no longer has much to do with dial-up modems but is used for all kinds of broadband and wireless connectivity. But it’s a technical challenge that few people have experience setting up.
If you’d like to configure a RADIUS server yourself, software to do so is built into Microsoft’s Internet Authentication Service (IAS) for Windows 2000 Server and Windows Server 2003.
On the other hand, if you’d like to take advantage of someone else’s work and have the benefits of full username-and-password authentication of Wi-Fi users in just 10 minutes or so, the new free service from WiTopia is probably just what you need.
Free Wi-Fi security for up to 5 users
WiTopia quietly started offering its SecureMyWiFi service free of charge for home users and small business just a couple of weeks ago. The gratis level of service supports one wireless router or access point and up to five users.
If you have more devices than that, each additional access point costs a mere $10 a year. Each additional block of five users is a bargain at $5 a year ($1/yr. per user).
If you have WPA- or WPA2-capable devices, WiTopia has made it surprisingly easy to get Enterprise Mode working. You create an account online, then enter each of your username-password combinations (see image at right). To connect to your Wi-Fi signal, a user must authenticate through WiTopia’s RADIUS server, which the company maintains 24/7 at its Reston, Virginia, location. You can add and subtract users and change passwords at any time.
No one without a proper username and password is able to authenticate. In addition, WiTopia supports remote MAC address filtering, granting access only to authorized users on specific laptops or desktops. Intruders, therefore, are blocked from gaining access to your Wi-Fi network.
Full Mesh Networks, a "sister company" to WiTopia, was founded in 2003 by Bill Bullock and Steve Shippa. The two entrepreneurs formerly spent more than seven years in management at UUNET, which at that time handled as many as 25 million sessions a day, making it arguably the largest RADIUS infrastructure in the world.
The WiTopia executives are making a calculated gamble that offering a free RADIUS service to individuals and small businesses will eventually produce paying customers. The no-cost service is billed as being for a limited time, and Bullock said in an interview that the offer would probably last only through the end of this year. Everyone who signs up, however, will be guaranteed free service for at least a full 12 months, he said.
For those with obsolete, non-WPA equipment, or who want the simplest possible experience, WiTopia will sell you an updated Wi-Fi router, configure it in-house, and ship it to you. For example, the site currently sells the Linksys WRT54G router for $64 and the D-Link AirPlus G Wireless Pocket Router for $70. There’s a one-time $59 charge for custom configuration.
WiTopia also maintains a PersonalVPN service. It’s beyond the scope of this article to explain how a virtual private network works, but think of SecureMyWiFi as protecting wireless access in your own building and PersonalVPN as protecting you when you’re using someone else’s wireless router to access your usual network remotely.
The company’s PersonalVPN formerly cost $79 per year, but during WiTopia’s current "Secure the World" promotion, it’s as low as $39.50.
Windows Secrets reader Stephen Charme recently tested PersonalVPN and HotSpotVPN1, a competing service that costs $89 per year. He and the company both confirmed that they have no business relationship other than as a customer and a provider. Here’s his report:
- "WiTopia uses OpenVPN, which you can download for free as another reader did and set up yourself. But WiTopia streamlines and simplifies the process, and more importantly, retains half of the security certificate generated, which makes it virtually impossible for someone to get your data.
"HotSpot uses PPTP while WiTopia uses SSL, which is much more secure. I used the Gibson Research Corporation’s Shields Up to test each service. HotSpotVPN showed most of the ports as closed, with a few in stealth mode, but also a few that were open. However, with WiTopia, all ports showed up in stealth mode, which is the optimum result.
"Technical support for both companies was responsive to my e-mails. WiTopia was particularly responsive to numerous e-mails that I sent when I mistakenly believed there was a glitch, when all along I had neglected to check something out that I should have. (Unknown to me, the setup wizard is in the registration file, rather than the installation file, and since I routinely ignore readme and registration files, etc., I missed it and mistakenly thought there was a problem with the software. WiTopia was very patient, and also offers a money-back guarantee.)"
A separate product, HotSpotVPN2, is an SSL-based VPN that requires the download and installation of a software client. For more information, visit HotSpotVPN.
For more information on WiTopia’s offerings, and its current fire sale of sharply lowered prices, visit WiTopia.net. I believe we haven’t yet seen the last startup seeking to build a customer base of Wi-Fi users by cutting its fees to the bone or positioning its services as completely free.
Reader Charme will receive a gift certificate for a book, CD, or DVD of his choice for submitting a comment that we printed.
To send us more information about the ways you’re using Wi-Fi, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. Thanks in advance.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
Magazines rate the top GPS alternatives
By Vickie Stevens
Whether you’re navigating the highways or the backcountry, handheld GPS devices point the way. This week, three magazines release tests of various ultraportable GPS devices and pick the best ones for different needs. We also summarize a review of FM modulators for your MP3 player, a pair of new tests of 4″ x 6″ photo printers, and picks of today’s best HDTVs.
HANDHELD GPS DEVICES
Handheld mag tests seven PDA GPS add-ins
New GPS receivers are widely available as SD cards or Bluetooth devices for PDAs such as Pocket PCs and Palms. Handheld Computing Magazine reviews the options and hands out "A" grades to the TomTom Navigator (photo, left) and iGolf SDIO.
• TomTom Navigator 2004 (Pocket PC and Palm, Score: A)
• iGolf SDIO GPS card (Palm, A)
Link to all ratings and full review
HANDHELD GPS DEVICES
TomTom’s GPS line wins 2nd award
Separate from but related to the Handheld Computing test shown above, Ultimate Mobility Magazine gives its top rating to another TomTom unit, the standalone Go 700 (at left). The editors deem it the best at making GPS navigation easy and affordable, and it also doubles as a Bluetooth-enabled speaker for your cell phone.
• TomTom Go 700 (Ultimate Choice)
Link to all ratings and full review
HANDHELD GPS DEVICES
Wired Magazine gives Magellan highest GPS rating
Wired tests four standalone GPS devices for accuracy, navigation, adversity, and battery life. The Magellan eXplorist, it says, is "unmatched in this competition" due to its off-road and on-road capabilities.
• Magellan eXplorist 600 (Score: 5.0/5.0)
Link to all ratings and full review
FM MODULATORS
Sound & Vision picks iTrip FM device
The easiest way to play your iPod on the road is with a modulator that transmits signals to your car’s radio. Sound and Vision Magazine tests seven of the most popular and chooses Griffin’s iTrip as the survivor (shown inserted into an iPod, bottom of photo).
• Griffin iTrip (“I’d opt for the iTrip”)
Link to all ratings and full review
4″ X 6″ PHOTO PRINTERS
American Photo likes Dell picture printer
You no longer need either a PC or a photo lab to make digicam prints. The editors at American Photo Magazine review six specialized photo printers, and give Dell’s 540 their top award.
• Dell Photo Printer 540 (Best Buy)
Link to all ratings and full review
4″ X 6″ PHOTO PRINTERS
Ultimate Mobility: HP best printer on the go
For their part, the editors of Ultimate Mobility Magazine give portability a high priority in testing 4″ x 6″ photo printers. HP’s Photosmart offering is their choice for its printing quality, speed, and how well it travels.
• HP Photosmart 375B (Ultimate Choice)
Link to all ratings and full review
HDTV SETS
Perfect Vision names seven Best Buys
Perfect Vision Magazine rates the latest HDTVs, broken down by technology. Rating 21 of its favorite products on features, connectivity, HD picture quality, and value, the mag gives Best Buy awards to only seven models, including the Toshiba direct-view (photo, left).
• Toshiba 30HFX84 (Direct-view CRT, Best Buy)
• Dell W4200HD (Direct-view Plasma, Best Buy)
• Panasonic TH-42PX50 (Direct-view Plasma, Best Buy)
• Toshiba 57H84 (Rear-projection CRT, Best Buy)
• Sony KDP-57WS655 (Rear-projection CRT, Best Buy)
• Optoma H31 (Front-projection single-chip DLP, Best Buy)
• Sony Cineza VPL-H251 (Front-projection three-chip LCD, Best Buy)
Link to all ratings and full review
The Index of Reviews summarizes only head-to-head comparative tests by respected industry reviewers, not individual ratings of single products.
Vickie Stevens is research director of WindowsSecrets.com.
Fix Windows or just make it zippier
Our readers are nothing if not resourceful. Throw a Windows problem at them and they’ll dig down until they find the cause and, more often than not, a cure.
In this issue, we learn how to fix broken Internet connections and possible NetZero incompatibilities, plus making Windows run as fast as its original, youthful self.
New ways to repair your Internet connection
Lots of things get attached to and uninstalled from the Internet Protocol stack these days. Usually, everything works together fine. But a bit of corruption can totally hose your Internet access, with few if any hints about the problem. Reader Mark Palmer points out a little-known new feature of Windows that can clean up the mess:
- “I recently helped troubleshoot a computer that had lost the IP catalog on the hard disk. Everything on the PC looked normal, but the PC would not connect to the Internet. According to the ISP’s tech support, Microsoft finally has released in Win XP SP2 a command to rewrite the catalog. The command is
netsh winsock reset
After rebooting, the connection was ‘magically’ restored. I think this is a valuable resource that needs to be available to everyone. The IP catalog can easily be corrupted during power outages and the like.
“I especially enjoy it when the first step in a restore starts with ‘Go to a DOS window…’ How many years has it been since Bill Gates announced ‘DOS is dead’?”
Warning: This reset command can disrupt many programs that access the Internet, such as antivirus, firewall, and proxy clients. You may need to reinstall these applications after you run a reset command. If you can’t access the Internet at all, of course, you may find reinstalling some things preferable to just sitting there staring at a useless PC all day.
The new crop of netsh commands is actually available in both Windows XP SP2 and Windows Server 2003 SP1. For example, you can run netsh winsock show catalog to display programs that are extending Winsock via a mechanism known as LSP (Layered Service Provider). After this, you may wish to run netsh winsock reset catalog to return the catalog to its default configuration (at the risk of disabling some apps).
You should carefully read Microsoft’s articles about netsh before playing around with it. The Redmond company has separate documents for Windows XP SP2 and Windows Server 2003 SP1.
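Before running the reset described above, it helps to know which catalog entries it will discard, since those belong to the programs you may have to reinstall. The following is an added example, not from the original newsletter: it parses the text of `netsh winsock show catalog` and lists entries that are layered or absent from a known-good baseline. The sample output, the ExampleAV and ExampleProxy names, and the baseline set are constructed, and the "Key: value" field layout is an assumption about the command's output.

```python
ENTRY_HEADER = "Winsock Catalog Provider Entry"

# Constructed sample, modelled on the layout of `netsh winsock show catalog`.
# On a real machine, capture the text with:
#   subprocess.run(["netsh", "winsock", "show", "catalog"],
#                  capture_output=True, text=True).stdout
SAMPLE_OUTPUT = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [UDP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1002

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        ExampleAV over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Program Files\ExampleAV\exlsp.dll
Catalog Entry ID:                   1015

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        ExampleProxy Transport
Provider Path:                      C:\Program Files\ExampleProxy\expxy.dll
Catalog Entry ID:                   1016
"""

# Provider DLLs recorded on a known-good machine (constructed baseline;
# build your own by running the same command on a clean install).
BASELINE_PATHS = {r"%SystemRoot%\system32\mswsock.dll"}


def parse_catalog(text):
    """Split the command output into one dict of fields per catalog entry."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == ENTRY_HEADER:
            current = {}
            entries.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: paths such as C:\... contain more.
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return entries


def entries_at_risk(entries, baseline_paths=BASELINE_PATHS):
    """Map provider DLL path -> descriptions of entries a reset would drop.

    An entry is reported if it is a layered (LSP) entry or if its DLL is
    not in the baseline. Paths are compared case-insensitively.
    """
    baseline = {p.lower() for p in baseline_paths}
    at_risk = {}
    for entry in entries:
        path = entry.get("Provider Path", "").lower()
        layered = entry.get("Entry Type", "").lower().startswith("layered")
        if layered or path not in baseline:
            at_risk.setdefault(path, []).append(entry.get("Description", "?"))
    return at_risk


if __name__ == "__main__":
    for dll, descriptions in entries_at_risk(parse_catalog(SAMPLE_OUTPUT)).items():
        print(dll)
        for description in descriptions:
            print("   ", description)
```

Save the report before resetting; each DLL path points to the installed product whose network component will need repairing or reinstalling afterwards.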
Deleting spooler files speeds up Windows
Mike Butler finds that leftover print spooler junk can make his PC run as slow as molasses. Fortunately, he lucked into a helpful Microsoft tech who explained to him the secret sauce:
- “I recently experienced an extreme slowdown of my computer. Task Manager revealed that a process named Spoolsv.exe was using between 85-99% of the CPU’s time. Ultimately, I got hold of a Microsoft techie, located in India of all places, who spoke very good English and helped me solve my problem. I found him by calling MS’s group [Product Support Services] that passes out hotfixes for Windows XP problems.
“In a nutshell, the MS tech told me to look in a folder buried in c:\Windows. Its path is
c:\Windows\system32\spool\printers
"In the folder were two non-descript looking filenames. He had me create another directory and move those files to the new directory. When I rebooted my computer, it ran like it was a teenager. He said when print jobs are terminated, Windows will sometimes put files of those old print jobs in the printers subfolder. When that happens, spoolsv.exe doesn’t know what to do with them, so it just runs and runs and runs.
“Before I implemented the fix he suggested, it took me 4 to 5 minutes to load Word. I’m running a Pentium 4, 2.80 GHz with 1 gig of DRAM. After the fix, Word loaded in 23 seconds.
“I’ve never seen this problem talked about, but the MS tech said it was common with XP and 2000.”
For more information on spoolsv.exe and other problems it can cause you, see KB articles 840371, 822834, and 257859.
NetZero 7 can conflict with MS patches
We appreciate Microsoft for sending us all the nice security patches to install to make Windows safer. But some of the latest patches (we haven’t yet determined which one) may be causing problems with NetZero, the Internet service provider. Floyd Fisher explains:
- "I’m disseminating this info about a possible problem with NetZero 7.0 software and MS Windows XP patches. It seemed one of them caused NetZero’s software to go rogue and, on my computer, caused a problem where tons of browser windows opened up on startup, all of them with the following in the URL section:
http:///?%20free%20internet
“To stop this from happening, you need to do one of two things:
1. Run msconfig and disable HCM in your Startup section.
2. Upgrade from Netzero 7.0 to 8.0 immediately.
“HCM is the ‘Netzero Search Enhancements v2.0’ utility that, as far as I can tell, enables the search utility on the Netzero Toolbar, commonly called the Zerobar.”
I couldn’t find any confirmation that NetZero had announced any specific patch that would cause this behavior. Any number of conflicts could cause this maddening outcome. Anyone out there have anything better by way of details?
Readers Palmer, Butler, and Fisher will receive gift certificates for a book, CD, or DVD of their choice for sending us tips we printed.
Why Fi? A tutorial on wireless tech
By Paul Thurrott
We’ve written a lot about Wi-Fi security in Windows Secrets. But aside from security issues, how do you pick the best Wi-Fi technology? There’s a variety of technologies to understand. Here’s what you really need to know about wireless to make the right choices.
In this era of constant connectivity, it’s understandable that you’d want a wireless network to both share your broadband connection and share resources among your various PCs and other devices. A wired gigabit or 100 Mbps Ethernet network is always the best approach, from a bandwidth perspective. But if your office or home wasn’t wired for Ethernet when it was built, this kind of network can be expensive and disruptive to add after the fact. Wireless (Wi-Fi) networking has emerged to solve this problem.
The ghost of wireless past
Today, the initial form of Wi-Fi, called 802.11b, is outdated and should be ignored if possible. (Stupidly, Sony’s recently released PlayStation Portable, or PSP, ships only with support for 802.11b). The reason is performance: Though 802.11b purports to offer 11 Mbps of bandwidth, wireless bandwidth is a measurement of data rate, not true throughput. Plus, 802.11b connections are shared. As you add more 802.11b clients, overall bandwidth decreases quickly. Because of this, most 802.11b wireless networks rarely rise above a true data rate of 1 to 5.5 Mbps.
802.11b, however, is not unique in this regard. No wireless networking technology is going to achieve its purported data rate, and wireless transfer speeds will never measure up to the performance you can get on wired networks. Simply put, there is less overhead on a wired network. And don’t be fooled into thinking that a slow wireless network is OK because your broadband account offers only 3 or 5 Mbps of download bandwidth: A cable modem or DSL connection can pump data significantly faster than a 802.11b network, something that can be very noticeable when two or more people are using Wi-Fi.
G, your wireless downloads fast
Responding to the bandwidth limitations of 802.11b, wireless vendors came up with a wireless standard, which is also (confusingly) branded “Wi-Fi,” just like 802.11b. It’s known as 802.11g, or Wireless-G. 802.11g offers about three times the actual data rate of 802.11b, which is fantastic, and is backwards compatible with 802.11b, which is a mixed bag.
The good news about this compatibility is that all your old 802.11b devices will work. If you get an 802.11g access point, you can still access the wireless network, albeit at slower 802.11b speeds. The bad news is that this compatibility comes at a cost: Once any 802.11b device connects to an 802.11g network, the entire network drops to a lower throughput rate. This is called mixed mode, and most access points allow you to turn that off, so only 802.11g devices can connect. The result is a faster network, but one that won’t support legacy 802.11b devices.
According to Barb Bowman’s excellent overview of the 802.11g specification, 802.11g is capable of 20 to 24 Mbps when not used in mixed mode. As with other wireless technologies, your results will vary based on interference (many common devices use the same frequencies as Wi-Fi), distance (wireless signals lessen as you move further from the access point), obstacles such as walls and floors, and other factors. You can find out more about 802.11g at Broadcom’s 54g Web site.
To increase wireless throughput, many vendors are now shipping 802.11g access points and routers with proprietary speed boosting functionality. The problem is that there are two different types of this technology. The first, called Super G, is designed by wireless chipset maker Atheros, and used by companies such as D-Link and Netgear. Super G is marketed as working at 108 Mbps (twice the quoted performance level of 802.11g), but real world throughput is about half of that, or 54-60 Mbps.
A competing format, called Speed Boost, is offered by Broadcom and sold by companies such as Belkin and Linksys. Aside from the performance boosts, both Super G and Speed Boost offer few other changes over stock 802.11g. But, as you might expect, Super G and Speed Boost are not compatible with each other. That means a Super G wireless adapter can only connect to a Speed Boost-based access point at standard 802.11g speeds (i.e. 20-24 Mbps in a best-case scenario) and vice versa.
The dark horse: 802.11a
A third form of wireless networking, dubbed 802.11a, arrived at around the same time as 802.11g. Like 802.11g, 802.11a offers 54 Mbps of purported throughput and is now augmented with speed boosting technology that doubles the effective performance. But 802.11a is completely incompatible with 802.11b/g, since these standards run on different frequencies. The 802.11a frequency, as it turns out, suffers from less interference than the one used by Wi-Fi. So 802.11a actually offers some advantages over 802.11g.
On the downside, 802.11a has a shorter range than 802.11g. Even though the performance is better close to an access point, an 802.11a network adapter will lose its connection more quickly than an 802.11g adapter will, typically, as you move further away.
The big problem, however, is that 802.11a never really caught on with consumers. For this reason, there are few 802.11a compatible devices. However, 802.11a is worth considering for a number of reasons, which I’ll discuss below. For now, remember that many notebook and PC makers offer machines that include combination wireless networking adapters that can connect to 802.11a, 802.11b, and 802.11g access points. Such an adapter is ideal if you want the performance of 802.11a in a small business or home office but need the compatibility of 802.11b for business trips or jaunts to the local Starbucks.
Find out more about 802.11a at Wikipedia.
Living N the future
A future evolution of the Wi-Fi standard, called 802.11n, is expected to offer 5 to 10 times the performance of 802.11g, depending on whom you ask. It will also be backwards compatible with 802.11b and 802.11g, but without the bandwidth throttling issues that plague 802.11g in mixed mode. The problem is that 802.11n is still a year or more away from being ratified as a standard. So some wireless device makers have started shipping faster products before the 802.11n specification is finalized. Belkin’s products, for example, are marketed under the name Pre-N.
Pre-N, or more specifically, 802.11n, sounds like wireless nirvana. But today’s Pre-N devices probably won’t be upgradable to meet the eventual 802.11n specification. Since Pre-N equipment is expensive — roughly twice the cost of comparable 802.11g hardware — it’s a dicey investment.
My buying advice in today’s market
With all this wireless technology floating around, how do you choose? If you’re starting off a wireless home or small business network from scratch, your best bet for general home networking today is likely 802.11g, because of the low cost of the equipment and its excellent compatibility.
There are few areas where 802.11g will fall short, but one of them is digital video streaming. If you think you’ll want to wirelessly stream video, TV, or HDTV signals from PC-to-PC, or from a PC to a connected device, the throughput limitations of 802.11g will be problematic. In such cases, 802.11a outperforms 802.11g. But don’t get stuck with an 802.11a-specific access point or router. Instead, get a dual-band access point or router that supports both 802.11g and 802.11a. Your normal network traffic can use the 802.11g network, and your digital video devices can use the 802.11a network.
Here’s a typical example. If you have a Media Center PC (running Windows XP Media Center Edition) and would like to wirelessly access live and recorded TV content from that PC using a Media Center Extender, 802.11a is absolutely the way to go because of its better performance and lack of interference.
In general, consider buying products from the same company or, if you’re going to pick a speed-boosted 802.11g solution, at least get products that utilize the same chipset. This type of setup will result in fewer problems and provide better performance. More important, perhaps, you’ll have better luck getting support from a wireless equipment maker if all of your devices are made by that company.
USB-based wireless adapters are much easier to install than internal cards, but be aware of a few issues. First, if you plug a USB 2.0-based wireless adapter into a USB 1.1 port, the performance is going to suffer dramatically. Also, internal cards tend to have larger (and external) antennas, and so can often achieve better throughput than external add-ons.
Finally, unless you really like to live on the edge and don’t mind upgrading your hardware again a year or so from now, skip Pre-N devices. The theoretical maximum speeds are nice, but compatibility issues with the finalized 802.11n specification are almost guaranteed.
Paul Thurrott, associate editor of the Windows Secrets Newsletter, is the author of Windows XP Home Networking, 2nd Ed., and Great Digital Media with Windows XP and the author or co-author of several other books.
MS Java Virtual Machine opens IE hole
By Chris Mosby
You probably thought — as I did — that Microsoft’s ill-fated version of Java would never rear its ugly head again after MS settled with Sun Microsystems over one year ago.
The agreement between the two software giants allowed Microsoft to support its version of Java ’til the end of 2007. Despite this lengthy transition period, however, the Redmond company soon removed all downloads of the Microsoft Java Virtual Machine (MSJVM) from its Web site. It also stopped development of all enhancements.
Unfortunately, even with MSJVM being almost completely obsolete, the old code became a big problem to IE two weeks ago.
On June 30, 2005, Microsoft released a security advisory — which was later revised on July 1 and again on July 5. The company revealed a problem in a COM object (javaprxy.dll) that can cause IE to crash if exploited.
No patches yet, but workarounds available
Microsoft’s advisory states that they may produce a patch for the above issue “depending on the results of the investigation and customer needs.” This isn’t exactly great news, but at least there are (by my count) seven different workarounds you can use to nullify the issue.
Before I get into all of that, you should first check to see if you even have the MSJVM installed. Some versions of Windows were shipped without Microsoft’s flawed flavor of Java after the settlement with Sun. You can check on MS Java’s presence by opening a command prompt — click Start, Run, then type cmd and press Enter if you’re a Windows 2000 or XP user — then type in the word Jview and press Enter. If you get an error message, you’re done. You don’t have MSJVM installed on your system.
For everyone else, you more than likely saw a listing of what version of the Virtual Machine is installed. That means you have a little more work to do.
Most of Microsoft’s suggestions are poor
Most of the workarounds suggested by Microsoft in its security advisory are just plain silly. Modifying file access control lists, setting IE security zones to high, and restricting access to the DLL through a Software Restriction Policy only mask the problem. These measures also leave you open to other MSJVM vulnerabilities that will probably be revealed in the future.
Three other workarounds that Microsoft suggests make more sense.
First, you can set the “kill bit” for the javaprxy.dll file. If you know what version of IE you’re using, and what OS and service pack is installed, you can download a program from the Microsoft security bulletin MS05-037, which was released on July 12, to take care of this for you. However, this still leaves the risky MSJVM installed on your system.
Second, you have the option to unregister the javaprxy.dll file with the operating system. Take note that any applications you have that still depend on the MSJVM will no longer function after this. If that doesn’t concern you, you can do this by clicking Start, Run, typing regsvr32 /u javaprxy.dll, then clicking OK. You’ll get a confirmation message that the file is unregistered, and you’ll then have to close and reopen IE for the changes to take effect.
Unregistering the DLL is a step in the right direction, but it still leaves all the other components of MSJVM on your system, where they might be exploited later.
I say, get rid of MS Java completely
Last but not least, Microsoft suggests removing MSJVM from your machine completely. Now we’re talking! According to KB 826878, the MSJVM Removal Tool is no longer available for download. That is, unless you contact Product Support Services (PSS) and they decide you qualify to get it. I don’t know about everyone else, but I’m still waiting for that tool since the last time I asked PSS for it.
You’re not out of luck, though. A Sun Microsystems page gives you step-by-step instructions on how to uninstall MSJVM manually. These instructions aren’t exactly for the average user, but if you read them carefully, any experienced person should be able to follow the steps just fine.
If you uninstall MSJVM and install Sun’s official version of Java, you should know how to update the Java Runtime Environment whenever necessary. Sun’s update routine does not currently remove old Java components when adding newer ones. This leaves software on your machine that could potentially be exploited by a hacker if an attack someday gets into the wild. You should uninstall Sun’s Java, as described by Sun, using the Add/Remove Software control panel, before installing a newer version. The Sun Security Coordination Team says it’s investigating whether its installer can handle this automatically in the future.
To learn more about this vulnerability, another good source of information (aside from Microsoft) is Secunia advisory 15891. You can also get the latest version of Sun’s official version of Java from the download page at Java.com.
Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.
Half our patches out of the way
By Susan Bradley
Where has the year gone? We’re already to the first Patch Tuesday of July, which means we have half of our patches for the year under our belt and the other half to come.
Tuesday’s batch includes one patch for an old standby program that many new systems aren’t even running anymore (MS Java Virtual Machine), another for Office, and a last one to fix a buffer overrun affecting images. These patches prove once again we need to get away from running our machines as Administrator (and get developers to release programs that can run as User).
Office patches are now MU-able
MS05-035 (903672): One thing to remember about the Word patch this month is that you can have this patch come to you in the new one-stop patch tool called Microsoft Update (MU), which is appropriate for home users and small businesses without WSUS or other update-management software.
All of this week’s patches, in fact, are deployable using MU. So step number one, if you haven’t already done so, is to “flip” yourself over to Microsoft Update and use that to patch individual machines.
To do so, jump to the Microsoft Update page. (This link in particular, and MU in general, require Internet Explorer; other browsers won’t work.) The MU page will enroll you in the new update engine, which upgrades Office, SQL Server, and other Microsoft applications in addition to Windows.
Office 2003 is not vulnerable to the exploit described in MS05-035, which affects earlier versions of Word and all versions of Microsoft Works Suite since 2000.
The key element you need to take away from this patch is the fact that the attacker only gains the rights the user currently has. Thus, if you’re running your system as a “restricted user,” you don’t need to be as concerned about patching. Of course, we still face many programs that won’t run in restricted-user mode. I was recently quoted in an eWeek article by David Coursey, which describes the problem and links to listings of such offenders.
Don’t get me wrong, I always recommend patching your machines. But running in restricted-user mode from the get-go (if your applications support it) gives you the confidence to patch on your own schedule instead of frantically. For more information, see MS05-035.
Not another confusing image patch?
MS05-036 (901214): Microsoft Security Bulletin MS05-036 is a bit of an odd bulletin, about as odd as the Jview profiler patch (which is covered above in Chris Mosby’s column). I hope it doesn’t turn into something like the confusing Jpeg patch, which had to be re-released by Microsoft.
I’ll be flat out honest with you that, while the problem description says “Microsoft’s color management module,” I’m just not sure whether or not other platforms may have similar issues. A lot of things handle “ICC profile format tags,” such as printers. See MS05-036.
What does Microsoft Update do, anyway?
In my June 30, 2005, column, I urged folks to switch to Microsoft Update and let me know what they thought of the experience.
First off, let me assure you that if you flip to Microsoft Update, you can quite easily flip back. The first thing that occurs when you opt into Microsoft Update is that an ActiveX control is downloaded to your machine. If you want to flip back and forth between Windows Update and Microsoft Update, follow KB 901037 to toggle them on and off.
But, honestly, I can’t see any reason why you’d want to go back to Windows Update once you’ve switched to Microsoft Update. Most importantly, it patches Office as well as Windows, when needed. I know you’ve been told to visit Office Update to keep Office up to date. But do you really remember to do that?
Log files you might need to look at
One thing to keep in mind with the new version 6 of Windows Update and Microsoft Update is that the log file format is changing.
The v4 version is stored as Windows Update.log. The new version 6 (which gives details of both version 6 of Windows Update and Microsoft Update) is stored as WindowsUpdate.log. To make heads or tails from the gobbledygook in this file, look no farther than KB 902093.
WSUS and SBS 2003 SP1 installing issues
One issue we are tracking is a problem installing WSUS (Windows Software Update Services) on Small Business Server 2003 OEM-installed servers. (This means that you or your consultant set up the machine “as is” from the OEM manufacturer and haven’t reinstalled SBS 2003 from scratch.)
At this time, we’re seeing spotty reports that folks are having issues getting WSUS installed on these servers. For now, if you have this type of Small Business Server, hold off on the installation and stay tuned until there is a final resolution.
Meanwhile, if you’re seeing Blue Screen of Death issues when installing Small Business Server 2003 SP1 on Dell OEM machines, you’re urged to call Microsoft Product Support Services and open a no-charge support incident.
Claria deal no-go and other good news
It was a great relief to hear from Clickz News that the rumored deal between Claria and Microsoft has fallen through. Meanwhile, it appears, based on a new Pew Internet study, that all this spyware is causing us to change our surfing, clicking and Internet habits. Almost half of those surveyed say they’ve stopped visiting Web sites that might deposit unwanted programs. Too bad, that might include your site. Spyware is a terrible scourge.
Firefox 1.0.5 released this week
Also on Tuesday, joining our much-needed patches from Microsoft, Firefox released version 1.0.5. The new upgrade, which does not require you to uninstall any previous version of Firefox, includes security fixes as well as stability fixes. Brian Livingston wrote about the need for this upgrade in a June 10, 2005, newsletter update, reporting on a security flaw that affects Firefox 1.0.3 and 1.0.4.
What are your biggest security risks?
Next issue, I’ll include some tips and tricks to figure out how vulnerable you are to security issues. This can give you guidelines on how long you should wait before deploying patches. Also, you can estimate whether you can safely remove a patch to troubleshoot whether it might be causing issues in your computers.
I’ve noticed in the communities I hang around that the last batch of June patches have had some issues with server clusters. Administrators, unfortunately, are unwilling to remove any patches to test which ones might be causing the issues.
Say ‘Goodnight, Gracie’ to Windows 2000 SP3
One more thing of note in the recent patches: Windows 2000 SP3 is no longer a supported operating system. As of June 30, you need to be on Service Pack 4 to be fully supported.
For those who are still testing the Windows 2000 Rollup that Microsoft recently released, please let me know your experiences. Again, just let me remind you that this rollup is just as major as any service pack, so test your systems accordingly before deployment.
Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.
Beware of automated patch-management syndrome
By Mark Burnett
A number of years back, I owned a car with a seatbelt that automatically ran along a track and over my shoulder as soon as I closed my car door. It was one of the first of its kind and I thought it was very cool. The only problem was that you still had to manually pull the lap belt over to be completely safe (and not be decapitated in a crash). Unfortunately, the automated shoulder strap gave such a false sense of security that it was easy to neglect the lap belt.
That’s beginning to be the problem with patch management. Patch management used to be such a time-consuming, manual chore that it’s a great relief having so many tools to do it for you now. For many users, you can just turn on Automatic Updates and really not have to worry much. The only problem with this is that it makes it so easy to lapse into a false sense of security.
Home users can usually get away with this. But if you manage a network of systems for your organization, you really should spend some time knowing what’s going on with each month’s new patches.
There’s wisdom in the Knowledge Base
If you haven’t noticed, Microsoft has made some great improvements in their security bulletins and Knowledge Base articles concerning new patches. The articles used to be vague and defensive, but now are loaded with clear details outlining each vulnerability. It’s well worth the time to read these bulletins, even though you might already use a completely automated update-management solution.
These articles provide a good explanation of the security issue, offer workarounds, and explain factors that might mitigate the impact of the vulnerability. Occasionally, there are important notes that might greatly affect the impact of the vulnerability on your systems.
Sometimes, a vulnerability that’s critical for one environment may have no importance in another environment. In some cases, reading the article will make you realize you don’t even need to install the patch after all.
Creating a set of key information
Every Patch Tuesday, I have to create summary reports for various clients. It doesn’t take me long and it gives me a much greater understanding of the issues. The process is so informative that I recommend it for anyone in charge of managing more than a few systems.
Some of the information I look for is the severity rating of a patch, whether the patch requires a reboot or not, what files will be updated, what is the impact of the vulnerability, what mitigating factors might exist, and what other workarounds might be available.
After doing this month after month, I discovered some interesting facts. For example, I keep seeing the same mitigating factors and workarounds — patch after patch.
Even if the workarounds aren’t precisely the same, they follow the same best practices and are a great way to learn to think like a security expert. Another helpful benefit of understanding the issues is that it’ll be easier to recognize them if they happen to you.
Microsoft spends a lot of time now developing these articles and there’s a lot more information there to see. But a lot of people never read these useful tips because their whole patch-management process has become so automated.
Don’t let automation make you complacent
That’s the problem with many types of security — the more you automate it, the more you can forget about it. But the more you forget about it, the easier it is to pretend the problem isn’t there.
So, even if you have a convenient, automated update system in place, please take a few minutes to browse the bulletins nonetheless.
Mark Burnett is the author of Hacking the Code, coauthor of Stealing the Network: How to Own the Box, and an independent security consultant.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
