Upgrading to Firefox 1.0.1

Upgrading to Firefox 1.0.1

The Mozilla Foundation, the group responsible for developing the Firefox browser and many other applications, released Firefox 1.0.1, a security upgrade for Firefox 1.0, on Feb. 24. Firefox’s "check for updates" feature was then enabled by the foundation several days later on Mar. 1.

Since the 1.0.1 upgrade eliminates 17 bugs, some of which are potential security holes, I issued a short, plain-text newsletter update on Mar. 3 recommending that all Windows users install it.

At that time, one known issue with the upgrade affected people who’d obtained Firefox 1.0 via a special .zip file instead of an auto-installing .exe file. Running the .exe version over the .zip version makes Firefox prone to crashing when pressing Enter in the address bar. So I urged people in this situation to uninstall Firefox before running the 1.0.1 setup file. Other people had reported good results running the 1.0.1 upgrade without uninstalling 1.0 first.

Since that time, several readers have reported to me some incompatibilities when 1.0.1 is installed over 1.0. For this reason, I now feel that uninstalling 1.0 first is the safest choice. Using Firefox’s "check for updates" feature and upgrading to 1.0.1 in place will go smoothly for most people — we’ve upgraded half a dozen machines in my office this way with no problems — but uninstalling 1.0 first avoids any complications.

Be sure to read the Firefox release notes page for possible issues before upgrading. And read my upgrade recommendations in the Mar. 3 newsletter update, if you haven’t already.

If upgrading to 1.0.1 caused any problems for you, uninstalling 1.0.1 and then installing it from the setup .exe again fixes these problems, according to many reports.

Backing up your Firefox profiles

Although there are few reports of irreversible problems with the upgrade, you should always make a full backup of your PC before installing any major application. At least make a copy of Firefox’s "profiles" folder, which holds your bookmarks and other configuration preferences. This folder is located in different places in different versions of Windows, as explained on Firefox’s release notes page.

Reader Les Barnes uses a third-party backup application to ensure his profiles remain intact. He also describes an incompatibility that he discovered and cured:

• "First, I want to say that there is an excellent, free backup program for FireFox’s profile at mozbackup.jasnapaka.com. Even though the author has discontinued it, I use it constantly.

  "I upgraded by installing 1.0.1 over 1.0. FireFox worked OK, but Spoofstick and Roboform did not. When I installed the latest version of SpoofStick, it would ‘install’ all right, but I could see no icons in View, Toolbars, Customize. Since the new version of SpoofStick is an icon to drag onto a toolbar, instead of a toolbar itself, it was worthless. Then I read that the FF people recommend uninstalling 1.0 first.

  "Anyway, I ended up uninstalling everything, then reinstalling SpoofStick. Everything worked fine, with my icons reappearing in Customize.

  "I used the paid version of Roboform, so I was rather upset when the Roboform people said that they don’t make Netscape adapters for small browser changes. But I did find that I could ‘force’ the installation by showing the Roboform program where the browser was located (since it couldn’t find 1.0.1) and it installed beautifully.

  "I would recommend using the profile backup program, uninstalling 1.0. and then installing 1.0.1. Just my humble opinion."

It’s my hope that other developers will step forward to replace Pavel Cvrcek’s backup program with an updated version. Many useful extensions to Firefox, of course, are available at the Mozilla Firefox Update site, and new ones appear almost every day. Perhaps our reader’s preferred backup program will spawn a successor.

Nope, upgrading from 0.9 to 1.0.1 doesn’t work

Mike Rose has a different perspective on the Firefox upgrade. The foundation always warned that beta versions of Firefox (such as 0.9.x, the last generation of betas) had to be uninstalled before a new version could be put in, just like most beta software. Our intrepid reader learned this the hard way:

• "I attempted to follow your upgrade scenario, but soon discovered that if one does not have Firefox 1.0 but instead had 0.9.x, that it did not work! When searching for updates, you get a ‘no updates found’ message. Hmmmm, I thought.

  "So I ‘Ghosted’ my drive to another and tested the copy’s bootability, something I always do before installing any software on my machine. I then turned off the Ghosted drive and re-booted with the original. Went to the Mozilla site, downloaded the install.exe, copied my user data to a ‘save’ directory, un-installed the 0.9.x version (just in case), and did the 1.01 install.

  "It went flawlessly, even to the point that, when it came up again, ALL my settings were perfectly preserved. In fact, it was so exact that the first thing I did was to check the version info, to make sure I was now using the new one!

  I’d have to say that this upgrade was considerably less painful than most Microsoft software upgrades by a long shot. Now I guess I should upgrade to the latest and greatest Thunderbird [the foundation’s e-mailprogram]."

Force extensions to work with 1.0.1

One issue you may run into is that updated versions of Firefox won’t run any installed extension that hasn’t been "marked" for that version by the extension’s developer. Most 1.0-registered extensions should work with no problem under 1.0.1. But some developers may take their time or just forget to re-register their extensions when a new edition of Firefox is released.

If you have a crucial extension that won’t work under 1.0.1, but you’re sure it actually would work fine if given a chance, the procedure described below will trick Firefox into running it.

Let me be clear that you need to use caution and common sense when attempting this. There’s a reason why extensions are required to specify a valid range of Firefox versions they’ll work with. In most cases, a minor upgrade won’t change anything enough to break any extensions. But the chance of a mismatch that could crash Firefox increases with every subsequent release.

For this reason, you shouldn’t use this trick across major revisions. And be sure to test the effects when you do make such a change, so you can remove the tweaked extension if it causes problems.

Having said all that, it’s a fairly simple process. Here it is, as promised in my Mar. 3 newsletter update:

Step 1: Uninstall any previous versions of the extension.

Step 2: Download the latest version and save the file in an empty folder.

Step 3: Rename the file from Extension.xpi to Extension.xpi.zip (replace Extension with the actual filename).

Step 4: From this file, unzip Install.rdf into the same folder as the .zip file.

Step 5: Open the file Install.rdf in your favorite plain-text editor.

Step 6: Find the line containing the word maxVersion. Change the number between the angle brackets to a number equal to or larger than your current Firefox version.

Step 7: Save the file, then add it back into your Extension.xpi.zip file, overwriting the original Install.rdf.

Step 8: Rename the extension file from Extension.xpi.zip back to Extension.xpi.

Step 9: Drag and drop the file into an open Firefox window. Hold your breath, and if it works, enjoy it!

For details on maxVersion, see "Packaging Firefox/Thunderbird Extensions," an article by Ben Goodger (who is in no way responsible for me revealing this hack!).

Readers Barnes and Rose will receive gift certificates for a book, CD, or DVD of their choice for submitting comments that we printed.

To send us more information about Firefox 1.0.1, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. Thanks in advance.

Sayonara, IE: removing your browser code

By Paul Thurrott

Because of relentless electronic attacks against Internet Explorer users, maybe it’s time for a more radical approach to PC security. Microsoft says it’s impossible to remove IE from Windows. That’s not technically true, so let me explain how to do so (although this is not a solution for everyone).

Today, an Internet-connected Windows PC is an easier target than Paris Hilton’s cell phone. But you’ve got to get your work done anyway. So you subscribe to an antivirus solution. You regularly scan your system for malware using two or more anti-adware packages. You drop-kicked XP’s ineffectual firewall for something more protective. And you download and install Microsoft’s critical software updates without question, because the potential problems caused by doing so are vastly outweighed by the alternative.

Feel safe? You shouldn’t. Even Microsoft admits that the latest and greatest Windows version — Windows XP with Service Pack 2 (SP2) — is only a security stopgap. And now, more than six months after SP2 shipped, the ineffectual nature of that monolithic update is becoming clearer. Malware — viruses, Trojans, adware, and spyware — is adapting and changing daily, and in insidious ways. Products like XP SP2 don’t solve the problem, because they’re slice-in-time solutions that take many months to develop. Major updates like XP SP2 are almost out of date the day they’re made available to the public.

The problem with Windows in a nutshell

Don’t get me wrong: XP SP2 is an important update, and one that all XP users should install. But XP SP2 doesn’t solve two of the most glaring security problems with Windows:

• Windows, at a low level, isn’t designed to be secure. Because its architecture predates broadband Internet access, Windows is woefully insecure by default.

  One simple example: XP supports Limited User accounts that should, in theory, prevent less experienced users (or children) from accessing private data or introducing Internet-based malware into the system. But Limited User accounts are almost completely useless in real-world use. Most applications — especially the games and educational titles you’d expect kids to use — won’t work unless the logged-on user has administrative privileges.

  As a result, few people use Limited User accounts, giving malware all the administrator-level access to your system it needs.

  Application developers haven’t exactly done a good job of writing code that doesn’t require admin level access, because all Windows users just run as admin. But if Microsoft had engineered Windows right, we would almost always be running with reduced privileges, even with an admin account. That’s how it works in Mac OS X and Linux, which have a temporary “su” facility so you can enter an admin-level password to perform tasks that require it. (Longhorn will have this, too.)

• Internet Explorer. Microsoft keeps fixing IE, but it remains the number one opening through which malware enters users’ PCs.

  The problem isn’t isolated to the IE application, either. Other major Windows components — including the Windows shell, Outlook Express, and Windows Media Player (WMP) — all rely on IE’s HTML rendering engine, too, so these and other components are open to IE-based attacks.

  IE’s support of inherently insecure technologies like ActiveX in this day and age is simply irresponsible. IE is so insecure, in fact, that Microsoft is releasing an IE 7 version this year. That release wasn’t originally in the cards, but the company acknowledges that today’s IE just isn’t secure enough.

Sometimes the fix can be worse than the problem

Should you simply ditch Windows? Unfortunately, operating system alternatives like Apple’s beautiful Mac OS X, or the surprisingly capable open-source solution Linux, will still fall short for most Windows users. For the majority of Windows users who simply can’t drop the platform for various reasons, Brian’s well-reasoned Security Baseline (above) provides a bit of sanity in an insane world while we wait for Microsoft to fix Windows.

But another solution exists between the draconian step of abandoning Windows and merely defending against attacks by adopting the Security Baseline. Despite Microsoft’s claims to the contrary, you can, in fact, remove IE from Windows. Two applications that do so are XPlite/2000lite ($39.99 for Windows XP and 2000) and 98lite ($20 for Windows 98, 98 SE, and Me users) from LitePC. Using these apps, you can modify your Windows desktop into a more secure OS that provides most of the benefits of Windows while exorcising IE and its many problems.

XPlite (shown above) removes insecure technologies from Windows.

These products are interesting primarily because they let you remove Windows components, including IE, Outlook Express, and WMP. Microsoft only lets you hide some of these components to comply with its U.S. antitrust settlement. With XPlite and its sister products, you choose which products to leave installed in Windows and which to remove for good.

For example, in addition to removing the IE application, you should also remove the IE rendering engine, which will in turn remove any components that require it. Aside from following the principles of the Security Baseline, this drastic surgery may be the best single step you can take to protect your PC from electronic attack.

What you lose when you remove IE

Like most things in life, removing IE from Windows comes with trade-offs. The most obvious is that you can no longer access some Windows Help files or Microsoft’s Windows Update service. However, Automatic Updates still works, providing you with automatic access to all of Microsoft’s critical security fixes.

If you want to learn about, and potentially download, any of Microsoft’s noncritical updates (any important patch that isn’t labeled a "critical security update") after removing IE, you’ll have to find these things manually. I recommend subscribing to the free Microsoft Download Notifications e-mail newsletter, which provides weekly updates about the company’s new software downloads. (You can choose between HTML and plain-text versions.)

In addition, certain applications and updates won’t install or run properly without IE. For example, WMP won’t work without the IE rendering engine. If you remove the HTML engine using XPlite, it will automatically remove WMP as well. It’s possible that you may use one or more third-party applications that require IE, too. So you’ll need to test.

There’s one more issue, and it could be serious: Going forward, Microsoft’s new Windows Genuine Advantage (WGA) program might ultimately spell doom for the IE-less Windows crowd. WGA is designed, ostensibly, to help stop software piracy. Soon, all Microsoft.com downloads will require users to verify that their Windows system is legitimate by using an ActiveX control or HTML application (HTA). These technologies — you guessed it — require that you run IE.

Try restricting the rights of Web apps

For this and other compatibility reasons, surgically removing IE from Windows won’t be a viable solution for many users. One alternative, if you find you must run in administrator mode, is to run with reduced rights your Internet-enabled activities, such as e-mail and browsing. This requires that you download a DropMyRights.msi file and reconfigure all your shortcuts that run Web apps. Michael Howard explains all this in an MSDN article.

If you simply must have the most secure Windows desktop possible, and aren’t turned off by the challenges or limitations, solutions like XPlite/2000lite, and 98lite are there for the taking. They work as advertised, whatever you may think about the risks you’re taking. More info.

Paul Thurrott, associate editor of the Windows Secrets Newsletter, is the author of Windows XP Home Networking, 2nd Ed., and Great Digital Media with Windows XP and the author or co-author of several other books.

How not to gethooked by phishers

By Chris Mosby

There are hordes of unscrupulous phishers out there, wading the surf of the Web. They’d love to catch you in their phishing net and steal your personal and banking information.

You can keep from getting hooked by their bait by staying informed on two new, unpatched software vulnerabilities they could use against you.

Further proof that pop-up windows are bad

I can’t stand pop-up windows. They’re annoying, distracting, and get in the way of the browsing experience. As far as I’m concerned, they’re the bane of the Internet and should be stamped out wherever they appear.

Now I have even more reason to hate them. It was discovered recently that phishers can use pop-ups to launch their attacks with a weakness reported in Internet Explorer.

This weakness is caused by the way IE handles pop-up windows that are opened by a script. This could allow a phisher to display false information in the title bar. This could be used in various ways in phishing attacks. It could easily trick a person into entering login information into a pop-up window, because the window would, in fact, show the Web address of an online banking site, for instance.

Proof-of-concept code for this is already available, and an example can be tested on the SecurityFocus Web site. This weakness is still present in a fully patched system using Windows XP SP2 and IE 6.0 SP2.

What to do: If you use IE, download and install a pop-up blocker like the ones offered by Google and Yahoo.  Who wants to see pop-up windows, anyway?

More info: Secunia and SecurityFocus both have detailed descriptions of this problem.

Phishing attacks with IE, from top to bottom

I described above how the title bar of an Internet Explorer window can be seeded with false information. There’s another weakness in IE and Outlook Express that could allow the same thing to happen to the status bar at the bottom of those programs’ windows as well.

It’s always been a feature of IE that custom information can be displayed in the status bar — important status information, ideally — with the right scripting.

Unfortunately, an error in how this feature is used in IE and Outlook Express allows status bar information to be changed without scripting. This allows such changes to be made even by sites that’ve been placed in the "Restricted Sites" zone. All that’s needed to exploit this weakness is some specially-crafted HTML code. This could easily be present in an HTML formatted e-mail, and be used with other vulnerabilities — such as the one described in the first part of this column — to aid a phisher who’s attempting to steal your banking or personal information.

What to do: The easiest thing to do is just turn off the status bar in IE and Outlook Express, so it can’t be used to fool you. In IE, you can do this by opening the View menu and selecting Status Bar to uncheck it. In Outlook Express, you can open up an e-mail from anywhere in your Inbox and follow the same steps.

More info: Secunia has a good description of this weakness that includes proof of concept code.

Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.

Sitting here onPatch Tuesday with nothing todo

By Susan Bradley

Last Friday, Microsoft gave me the word that I could take the day off. "No patches for Tuesday!", came the word from the North.  But before we all head to the beaches or ski slopes or your favorite watering holes, does this truly mean we are absolutely without issues and not vulnerable?

There are times that I feel a bit like "Chicken Little" running around saying that the sky is falling. But, in reality, every time we use our computers, we’re accepting risk out here. So let’s see where we still have some issues, shall we?

Losing share but not gaining enough security

While those of us in the admin world are likely to be just finishing up the 12 or so patches from last month’s rollout, the dearth of patches this month does not mean there are no security issues out there. Internet Explorer still tops Secunia’s list with the most unpatched vulnerabilities of any browser and, perhaps as a result, the once-universal app has dropped below 90% in market share.

Windows Update still has a few goodies this month

Folks who are still on the Windows 98, 98SE, and Me platforms finally got patches for bulletin MS05-002 (which was released in January for newer OSes and involves cursors and icons) and MS05-015 (which came out in February and involves hyperlinks).

Those of us who are on Windows 2000, XP, and 2003 also did receive a new Malicious Software Removal Tool for March. This will find a few malware items. If it reports that there’s nothing on your machine, you’ll wonder what the fuss is about.

Firefox responds to the IDN issue

Firefox recently came out with an upgrade from 1.0 to 1.0.1, a new version of its alternative browser that incorporates many security fixes. This includes one for the IDN issue, which allowed international domain names to be spoofed in the browser’s address bar.

If you followed Brian Livingstons’ advice in the Mar. 3 newsletter update to ensure Firefox’s automatic updates are enabled, you should see an icon in the corner indicating that updates are available to be installed. If not, click on Tools, Options, Advanced, then scroll down to Software Updates and click the "check now" button.

After you finish the upgrade, IDN support is re-enabled. With verson 1.0.1 you are, however, fairly well protected from phishing attacks by sites using IDN. Sites that use non-ASCII characters in their domain names are displayed in Firefox 1.0.1’s address bar in "punycode," which is a pure-ASCII equivalent. All such domain names begin with "xn--" in their ASCII form, making it impossible for these sites to form names that look like legitimate banking sites.

What to do: Upgrade Firefox 1.0 to 1.0.1, using the steps Brian recommends in his top story, above.

You may have implemented the network.enableIDN workaround we recommended in the Feb. 10 newsletter, or the compreg.dat workaround in the Feb. 24 newsletter. If so, and upgrading to Firefox 1.0.1 didn’t reset these to their default values, you should undo those changes yourself. International domain names are harmless in Firefox 1.0.1, since they can no longer display false information in the address bar.

Netscape, new kid or blast from the past?

The "new kid" on the browser market is an old, familiar name. Netscape has released a beta of its browser, but with a twist. Under the hood of version 8.0 is both the Internet Explorer page-rendering software and Firefox’s platform.

The bad news is that, at the present time, the Firefox version used by Netscape 8.0 is the unpatched Firefox 1.0. Therefore, if you want to choose the Web browser with the fewest public, unpatched vulnerabilities, Firefox is still your only choice. Of all the the popular Windows browsers, Firefox has the fewest unpatched issues, according to figures compiled by Secunia.

I would still strongly recommend that you maintain your consciousness of "safe surfing" for the Web sites you visit. As my mother always told me, if it sounds too good to be true, it probably is.

On April 12, you’ll wake up with XP SP2, right?

The tech news boards have been saying that Apr. 12 is the day those of you on XP SP1 will get handed XP SP2 via download, whether you like it or not. The reality is a bit different.

The confusion relates to the "kill bit" that Microsoft allowed administrators to put into their systems. This bit enabled admins to delay the deployment of XP SP2 via automatic updates. This is what is "expiring" on April 12th.

If you don’t have Automatic Updates turned on in the first place, XP SP2 will not come down on that day. Furthermore, downloading does not mean it’s installed. You still have to click on an end user license agreement (EULA) before SP2 will install.

The process of installing XP SP2 must ensure that the machine is free of malware. I’ll discuss this process in the next edition of Patch Watch on Mar. 24.

Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.

For once, we hit a quiet patch

By Mark Burnett

Those of us who manage Windows systems got a pleasant surprise this month: no new patches for March! Could this be a trend? Unfortunately, not yet. We just got lucky this time.

But it does give us a chance to step back and talk about some other things. For one, I want to examine the quality of patches.

For a long time, people simply didn’t install patches unless they absolutely needed to. The first reason people gave was, "Why change something that’s working fine?" Second, people simply didn’t see the urgency of security patches. Finally, people had a good reason for not installing hotfixes: they had a tendency to break things.

Even to this day, administrators are wary of automatic updates because they might potentially break other software. Fortunately, this is becoming rare nowadays. Microsoft has made some notable improvements on the quality and consistency of their patches.

Monthly release schedule is improving patch quality

One of the biggest changes that Microsoft is releasing most patches on a regular monthly schedule. This allows them to properly plan for and test patch releases, rather than constantly scrambling around to get them out the door. This alone has made a big difference in the quality of patches and has also made things easier for us on our end.

Another big improvement is the adoption of standards throughout the entire patch management process. This includes standardizing Microsoft’s terminology, Knowledge Base article formatting, patch naming and, most importantly, the installer the patch uses. It’s not very apparent any more, but at one time there were well over a dozen different Microsoft installers. Each had its own command-line parameters, log formats, and uninstall support. Now they’ve almost got it down to just two installers: Microsoft Windows Installer (MSI) and Update.exe.

New Update.exe has features you can use

Microsoft has also made numerous improvements to Update.exe, which is used mostly for operating-system hotfixes. Two of my favorites are installation source integration and HotPatching.

Installation source integration allows you to incorporate a hotfix directly into your Windows source files. This means that the hotfixes install with Windows. Supposedly, you could do this previously, but my experience showed that it didn’t always work as expected.

Integration not only saves time, but a system that’s installed with the hotfixes in place is immediately protected. This avoids any possible security incidents during or shortly after install.

One thing to watch for, however, is that integrating hotfixes into the Windows source sometimes doesn’t register the hotfix properly, thereby fooling some patch management products. I’ve seen several products report a missing, which I know I already integrated into the OS.

If you ever see this happen, be sure to report it to the vendors so they can take care of the problem.

The other new feature is HotPatching. This is a technology scheduled for integration with the upcoming Windows Server 2003 Service Pack 1 (SP1). HotPatching actually patches a file in memory, significantly reducing the number of reboots required after installing hotfixes. It’s a promising technology, but I do hope they’ve taken the necessary precautions to prevent hackers from abusing this. We’llsee.

Five-week beta cycle provides real-world exposure

To address quality issues, Microsoft has implemented a five-week test cycle with significantly more stringent testing requirements.

The Redmond company has also launched a new customer patch validation program to further identify potential problems. A select number of organizations and individuals now beta test the hotfixes in different real-world environments. The program is closed — they aren’t taking anyone else — and was only made available to close business partners and Microsoft Most Valuable Professionals (MVPs).

Finally, the Microsoft Security Response Center (MSRC) performs a final post-mortem review of the update before releasing the security bulletin.

It’s been years since Bill Gates’ infamous Trustworthy Computing e-mail, but we’re finally starting to see a few tangible improvements. Hopefully, this will continue. If so, we’ll start seeing more Patch Tuesdays pass quietly — with the simple announcement that there are no new bulletins for this month’s release cycle.

Mark Burnett is the author of Hacking the Code, coauthor of Stealing the Network: How to Own the Box, and an independent security consultant.

The dance-off of the geek movie stars

Who would win the ultimate dance competition — Napoleon Dynamite, the nerdy high schooler from last year’s MTV movie of the same name (upper photo at left), or Fender, the star of Robots (lower photo), which opens across the U.S. on Mar. 11? Now you can judge for yourself at the new Napoleon vs. Fender site. Play clips from the movies and support the character of your choice. Who’s winning the race at this moment? You’ll have to vote to see. The clips are, of course, accompanied by dance music (in Fender’s case, a hilarious put-on of Britney’s "Baby One More Time"), so watch the volume level if you’re in a cubicle. See the videos