All browsers are vulnerable to clickjacking
In this issue
- BONUS: All subscribers can get free PC buying advice
- INTRODUCTION: Yay, Fred's back! Readers give a big thumbs-up
- TOP STORY: All browsers are vulnerable to clickjacking
- KNOWN ISSUES: Are criticisms of Vista bogus or legitimate?
- WACKY WEB WEEK: 'Chicken or fish?' may max out your credit card
- LANGALIST PLUS: Repair XP's ability to format floppy disks
- BEST SOFTWARE: Use a sandbox to improve your PC security
- KNOWN ISSUES: Put these file locations on your backup radar
- PATCH WATCH: Patch knocks out Net for XP PCs with ZoneAlarm
All subscribers can get free PC buying advice
We’ve obtained a license for you to download the best two chapters of How to Be a Geek Goddess: Practical Advice for Using Computers with Smarts and Style. The work is by Christina Tynan-Wood, who’s contributed columns for PC World and PC Magazine and written for Popular Science, Family PC, and other magazines.
The printed book won’t ship until mid-November, but Windows Secrets subscribers can get our exclusive excerpt right now. The PDF download focuses on how to get the best deal when buying a laptop or desktop computer — advice that applies equally to Geek Gods and Geek Goddesses. Everyone likes a bargain.
All subscribers: Set your preferences and download your bonus
Info on the printed book: United States / Canada / Elsewhere
Yay, Fred's back! Readers give a big thumbs-up
By Brian Livingston
Ever since I announced on Oct. 9 that our editor-at-large, Fred Langa, was coming out of retirement to bring you a new column every week, we’ve received hundreds of e-mails from readers who’re glad to see him back.
We’ve received only a couple of messages like, “Fred who?”
My favorite comment came from a reader named Sheri, who enjoys our paid content (including Fred’s new column) and also was a subscriber to Ian “Gizmo” Richards’ newsletter, Support Alert, which merged with Windows Secrets last July:
- “A few years back, I found Gizmo’s newsletter. From the first issue, I knew I’d found advice I could trust, so that when I was doing repairs or upgrades for myself or my friends, I wouldn’t accidentally do something or install something that would make a computer unusable. Happily, every computer I’ve worked on has left my home in better shape than when it arrived! …
“One time I wrote Gizmo and told him I got a lot of newsletters, but his was the only one I’d actually pay money to receive. That’s still true of Windows Secrets, and I can’t thank you all enough for the newsletter and for the opportunity to pay what I could to receive it.”
Fred’s using his new column each week to answer at least three or four questions sent in by readers. He’s committed to work through your problems for at least another year or two. (And I think we can keep him busy a lot longer than that!) His column appears in our paid content but, as always, there’s no fixed fee to get it — we accept any financial contribution in any amount from anyone.
All of our writers are working hard to dig up information on Windows that can help you work better and stay safe. It really keeps us going to see the positive responses from so many subscribers. Thanks for your support!
Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.
All browsers are vulnerable to clickjacking
By Stuart J. Johnston
The latest Internet threat cloaks Web links so a wayward click can download malware to your PC without your knowledge.
What’s worse, all browsers and other Web software are susceptible to clickjacking, but you can take steps to reduce the risk.
Clickjacking allows an attacker to use one or more of several new attack scenarios to literally steal your mouse clicks. When you think you’re clicking on a simple button — for example, to see the next page of an article — you may actually be giving the bad guys permission to do something entirely different, such as log on to your online checking account.
By taking advantage of any of a growing number of recently discovered vulnerabilities in Microsoft’s Internet Explorer, Mozilla’s Firefox, Apple’s Safari, and all other Web browsers, criminals can hijack your system by intercepting clicks of what appear to be legitimate links.
The problem doesn’t stop there, however. At least some of the flaws that make clickjacking possible also show up in such popular Web tools as Adobe’s Flash player and Microsoft’s Silverlight streaming-media plug-in.
“If they can control where your clicks are going, they may be able to get a user to reconfigure the system so they disable security,” Ed Skoudis, a security instructor for the SANS Institute, told Windows Secrets. Skoudis is also co-founder of the security firm InGuardians.
Disguised links lurk behind clickable buttons
In clickjacking, surreptitious buttons are “floated” behind the actual buttons that you see on a Web site. When you click the button, you’re not triggering the function that you expected. Instead, the click is routed to the bad guy’s substitute link.
Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, chief technology officer of WhiteHat Security, are the bug sleuths who discovered this latest generation of potential security glitches.
They point out that even users who watch their systems like a hawk can be victimized.
“There’s really no way to know if what you’re looking at is real,” Hansen told Windows Secrets.
In fact, Hansen and Grossman found so many new ways to attack your PC — and your Mac — that they categorize these threats as a “new class” of exploits. While this class includes scripting attacks, it also affects scriptable plug-ins such as Microsoft ActiveX controls, Skoudis said.
Clickjacking isn’t new. In fact, it dates back to at least 2002, Hansen said. What’s new is the range of browser vulnerabilities that make clickjacking possible.
Hansen’s blog posting describes the scope most clearly:
“There are multiple variants of clickjacking. Some of it requires cross domain access, some doesn’t. Some overlay entire pages over a page, some use iFrames to get you to click on one spot. Some require JavaScript, some don’t. Some variants use CSRF [Cross-Site Request Forgery] to pre-load data in forms, some don’t. Clickjacking does not cover any one of these use cases, but rather all of them.”
This doesn’t mean there are no protections, however. In fact, one of the most important steps that users can take to protect themselves is to enable JavaScript only for approved sites.
Disabling JavaScript has serious drawbacks, because so much of the Web’s interactivity is driven by JavaScript apps.
“[Disabling JavaScript] totally cripples the Web experience,” Skoudis said.
In addition, Hansen states, even browsing with JavaScript disabled will not protect against all possible avenues of attack.
“Most browsers are going to be vulnerable,” Hansen told Windows Secrets. Even the new version 8 of Internet Explorer, currently in beta, is susceptible — though Hansen said he expects Microsoft’s upcoming browser to be patched by the time it’s released later this year.
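Added example, not part of the original article: the iFrame variants Hansen describes rely on the target page rendering inside another site's frame, which a site can refuse with the X-Frame-Options or Content-Security-Policy frame-ancestors response header. The JavaScript below reports which case a response falls into; the function names and sample responses are constructed for illustration.

```javascript
// Evaluate a response's anti-framing headers. Header names are real;
// function names and the sample responses are constructed for this example.

// Collect every value of one header, matching the name case-insensitively.
// A value may be a string or an array (a header can be sent more than once).
function headerValues(headers, name) {
  const out = [];
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() !== name) continue;
    for (const v of Array.isArray(value) ? value : [value]) out.push(String(v));
  }
  return out;
}

// Return the frame-ancestors source list of one CSP policy, or null when the
// policy has no such directive. Only the first occurrence counts.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

const RANK = { blocked: 0, allowlisted: 1, open: 2 };

// blocked: no other site may frame the page; allowlisted: only named
// origins may; open: any site may.
function classifySources(sources) {
  if (sources.length === 0 || sources.every((s) => s === "'none'")) return 'blocked';
  if (sources.every((s) => s === "'self'")) return 'blocked';
  // "*", "https:" or "https://*" match every site on that scheme.
  if (sources.some((s) => /^([a-z][a-z0-9+.-]*:(\/\/\*)?|\*)$/.test(s))) return 'open';
  return 'allowlisted';
}

function framingVerdict(headers) {
  // Every CSP policy is enforced, so the strictest frame-ancestors wins.
  const policies = headerValues(headers, 'content-security-policy')
    .flatMap((v) => v.split(','));
  let verdict = null;
  for (const policy of policies) {
    const sources = frameAncestors(policy);
    if (sources === null) continue; // default-src does not cover framing
    const v = classifySources(sources);
    if (verdict === null || RANK[v] < RANK[verdict]) verdict = v;
  }
  // When frame-ancestors is present, browsers that support it ignore
  // X-Frame-Options, so stop here.
  if (verdict !== null) return { verdict, via: 'csp frame-ancestors' };

  const xfo = headerValues(headers, 'x-frame-options')
    .flatMap((v) => v.split(','))
    .map((v) => v.trim().toLowerCase())
    .filter(Boolean);
  if (xfo.some((v) => v === 'deny' || v === 'sameorigin')) {
    return { verdict: 'blocked', via: 'x-frame-options' };
  }
  // ALLOW-FROM is obsolete and ignored by current browsers, so it gives
  // no protection; the same goes for any unrecognised value.
  if (xfo.length) return { verdict: 'open', via: 'x-frame-options (unrecognised value)' };
  return { verdict: 'open', via: 'no anti-framing header' };
}

// Constructed sample responses (not captured from real sites).
const SAMPLE_RESPONSES = {
  'bank-login': { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  'legacy-app': { 'X-Frame-Options': 'SAMEORIGIN' },
  'partner-widget': {
    'content-security-policy': "frame-ancestors 'self' https://partner.example",
    'X-Frame-Options': 'DENY',
  },
  'obsolete-xfo': { 'X-Frame-Options': 'ALLOW-FROM https://portal.example' },
  'csp-without-fa': { 'Content-Security-Policy': "default-src 'self'" },
};

function auditSamples() {
  const report = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    report[name] = framingVerdict(headers).verdict;
  }
  return report;
}

console.log(auditSamples());
```

A verdict of open means nothing in the response stops another site from loading the page in a frame and overlaying its own content.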
Flash apps may activate webcams and mics
Besides browsers, the bad guys can also exploit Web programs such as Adobe’s Flash player.
For instance, one proof-of-concept demonstration shows that a hacker can use the Flash player to take over a PC’s webcam and microphone. Imagine the implications of stalkers eavesdropping on your laptop’s built-in camera and mic.
Clickjacking vulnerabilities don’t stop there; attacks may also be launched via iFrames by using cross-site scripting techniques.
Hansen says that disabling browser plug-ins and scripting will help but is no panacea, given the threat’s complexity.
In fact, in the three weeks since Hansen and Grossman first revealed the discovery of the clickjacking vulnerabilities, Hansen says he’s received about half a dozen examples of proof-of-concept code and knows of several more — not counting the half dozen or so that he and Grossman have already found.
To date, there have been no attacks in the wild, although with proof-of-concept code already out, it’s just a matter of time.
Can you stay safe in a clickjacking world?
Browser and plug-in vendors have joined watchdog organizations in describing what you can do to stay safe.
- Adobe: The Flash vendor has issued a patched version that will help keep you safe from Flash-based attacks. See the company’s download page. Previously, the company had posted a security advisory containing a workaround.
- Mozilla Foundation: Install Giorgio Maone’s open-source NoScript plug-in to block execution of JavaScript except for sites you approve. NoScript is free, though the vendor requests a donation. The add-on lets Firefox users designate the sites on which scripts are allowed to run and blocks JavaScript on all other sites.
- Microsoft: To date, the company has taken a noncommittal stance in regard to the clickjacking threat. Microsoft responds to questions by referring users to the company’s Security Support page.
- U.S. Computer Emergency Readiness Team (US-CERT): The agency provides a document that describes how to protect IE, Firefox, Safari, and other browsers from a range of attacks.
Even taking all of the above precautions doesn’t guarantee that your system is 100% immune to the new threat. You’ll need to become more conservative in visiting untrustworthy sites until the applications you use are made more secure.
While we’re all waiting for vendors to patch their products, Alfred Huger, vice president of software development for Symantec Security Response, has some down-to-earth advice. Since most malware attacks occur on adult sites, keep your browsing rated PG-13.
“You’re most likely to see [attacks] on porn sites or on sites that offer game-cracking software,” Huger adds.
When in doubt, ask yourself whether your mom would approve of the site. However, even on sites where you could reasonably expect to be safe from such attacks, you can still be blindsided, so always think twice before you click.
Despite the seriousness of this latest round of security threats, SANS Institute’s Skoudis says he is optimistic. While the threat of attack may be high for the next three to six months, Skoudis expects more complete protections to become available as early as next spring and no later than next fall.
“This is a very serious finding, but this is not going to be the end of the Web,” Skoudis adds.
Stuart Johnston is associate editor of WindowsSecrets.com. He has written about technology for InfoWorld, Computerworld, InformationWeek, and InternetNews.com.
Are criticisms of Vista bogus or legitimate?
By Dennis O’Reilly
Several readers were dismayed to read about the Vista problems reported by Stuart Johnston in last week’s Top Story, some going so far as to call it “Vista bashing.”
On the other hand, we heard from just as many readers who are struggling with the same problems as the readers Stuart quoted — plus other Vista glitches of their own.
Reader Victor Sacco left no doubt about where he stands on the issue:
- “It’s simplistic and plain silly to say that Vista x64 is ‘junkware,’ or [that] ‘bugs abound’ in Office 2007 when run in Vista x64. And that business about 23 million Registry entries — how was this determined? Is it accurate? What does it mean?”
We’ve heard from many readers who struggle to get Vista 64 to work as advertised, not just Vince Heiker, the subscriber quoted by Stuart. (For the record, the application Vince used to count the lines in his Registry was Registry Easy.)
Reader John Douglas offers an explanation for some of these glitches:
- “Most problems plaguing Vista — both 32- and 64-bit — are caused by poorly written apps and drivers. I strongly suspect that this is caused by the higher demands of the OS, but it’s not like the developers haven’t had time to get through it.
“And likewise, it’s not like Microsoft didn’t do due diligence in making Vista betas available. Vista is simply an extension of Windows Server 2003 SP1, which was also the foundation of XP x64, which was my favorite OS until Vista 64 was introduced.
“Of course, this is not the first time we are using applications that have a different code base than the OS. How many 16-bit apps did we use on 32-bit OSes? And some still are! Also, what applications would benefit significantly from a 64-bit extension? Video and high-resolution photo apps like Photoshop and Premiere Pro, or perhaps database apps. …
“Finally, I will agree on one thing: the Registry is overdue for some serious optimizing. I just exported my Vista 64 Registry using Regedit, and the file is 374MB! Good thing I have 8GB of RAM.”
There’s no doubt that many, many people are having problems with Vista almost two years after the product’s release. Stuart’s story wasn’t an editorial: it reported on real problems of real users, and their experiences are far from isolated incidents.
Whether someone’s Vista Registry has bloated itself up to millions of lines, hundreds of megabytes, or some other measure, the problems Stuart wrote about represent the experiences of many Vista users.
Ferreting out a disk-imaging bargain
One of my favorite things is saving money on what I consider an indispensable PC application. That’s why I stood up and took notice when reader John Sullivan wrote to tell us about a great deal he found on Acronis’s True Image disk-imaging software:
- “While on a tech chat with Acronis one day recently, they told me to go to [this site]. Turns out, on that site they offer to give you — yes, give you — version 8 [of True Image] for free, then tell you that you can upgrade to the current version 11 for only $30 instead of the retail $50 or common street price of $35 to $40. And you don’t even have to install it (version 8), just get a free key from them to qualify for the upgrade. Here’s their page telling about it.”
Maybe you could use the money you save to treat your broker to a showing of “Beverly Hills Chihuahua.” He or she should have plenty of time to kill.
Victor, John D., and John S. will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.
'Chicken or fish?' may max out your credit card
By Katy Abby
Remember the good old days, when virtually every flight came with a full meal? Airline food may have become a synonym for any dubious cuisine, but it still nurtured us and ensured that we arrived home with a full belly and at least one harrowing mystery-meat anecdote to amuse our friends. Today’s airline patrons are lucky if they get so much as a complimentary cup of joe, and the victuals that people everywhere once loved to hate now seem like a downright luxury. But cheer up, folks; the worst is yet to come! Watch this video for a hilarious glimpse into the airlines of the not-so-distant future.
Repair XP's ability to format floppy disks
By Fred Langa
Why do some Windows XP installations lose their ability to format a floppy while others don’t? There are three likely culprits, but (fortunately) fixing them is usually fast and free: even a worst-case fix costs only about $10!
Flustered and flummoxed by floppy-format foibles
Nathan Erlbaum sets up his PCs almost identically, but some of them mysteriously lose their ability to format ordinary 3.5-inch floppies:
- “I have four XP machines on my home network. Three are SP2 and one is SP3. On all of the SP2 machines, I cannot format a floppy, but on the machine with SP3, I can.
“On my main machine, I run AVG Pro, Zone Alarm Pro, and Counter Spy. On all of the other machines, I run the free versions of Zone Alarm and AVG. I searched with Google, and it suggests the resident portion of the antivirus software is doing it, but disabling it didn’t solve the problem. I don’t really need the floppy except for BIOS updates.”
Indeed, the most common cause of this kind of trouble is too-aggressive security software or, sometimes, two or more dueling security tools that step on each other’s toes. You said you tried disabling the security software; I’d suggest going a step further and uninstalling — not just disabling — the security tools one by one.
You see, disabling the top-level portions of a security tool doesn’t always completely shut down the deeply buried, always-on components, which are variously called “active monitoring,” “real-time protection,” “resident protection,” and so on. This type of always-on protection can be a source of subtle, hard-to-track problems, especially if you have more than one security tool running.
Write down any unlock keys or install codes used by the software and then remove your security tools one by one. Reboot after each uninstall to ensure that all active components are removed from memory. Then, after the reboot, try to format a floppy. If you suddenly find you can format normally, the last piece of software you uninstalled was the culprit.
If removing the software doesn’t work, that leaves two options: media and hardware.
Floppy disks have a finite life, even if they’re just sitting unused on a shelf. If your floppy failures involve trying to format the same disk(s), it’s possible the media simply went bad. It’s cheap and easy to test: just buy a factory-fresh box of floppies ($5 or so) to be sure you’re working with good media.
If your floppies still won’t format, then about all that’s left is the physical hardware. The technology used in 3.5-inch floppy drives is relatively crude by today’s standards, and problems can and do creep in over time.
Sometimes, a disk that formats and reads okay on an older 3.5-inch drive will be unreadable and unformattable on another because the drive’s read/write heads have drifted out of mechanical alignment. One floppy drive may quite literally be unable to follow the data tracks of another.
Floppy heads can be realigned, but it’s really not worth it because you can find brand-new 3.5-inch floppy drives online for about $10 or so. When parts are that cheap, it’s simply not worth the time and effort to get old ones working again.
Note that many newer BIOS-update tools no longer require that you use a floppy, and they work off either the system’s hard drive or a USB flash drive. Still, it can be good insurance to have a 3.5-inch floppy drive around somewhere as a last-ditch boot option or to access older software. At $10 for a brand-new 3.5-inch floppy drive, there’s really no reason not to!
Tame those annoying e-mail read-receipt requests
E-mail read receipts have some entirely legitimate uses, but their main purpose today seems to be in sending spam mails. Greville Thomas wants to make them stop.
- “Recently, when Outlook has been emptying my deleted items, a pop-up has come on screen saying that a sender has asked for a read receipt. The senders are always spammers so, of course, I refuse.
“The thing is, there’s also an option to not be asked again. I was wondering, if you say ‘yes’ to one particular read-receipt request and then check ‘don’t ask again,’ would you end up sending read receipts automatically in the future and thus accidentally verify your e-mail address as valid?”
Good question, Greville! And you’re right: spammers use read receipts to determine whether a mailbox is alive and monitored. If their initial spam mail triggers any response at all, they know they’ve found a live one and can target that mailbox for future spam attacks.
In Outlook, read-receipt requests are normally handled on a message-by-message basis. With the default settings, the answer you give applies only to the current e-mail. Even the “don’t ask again” option applies only to that particular message. But there is a way to tell Outlook never to respond to read-receipt requests, or always to respond. It’s easy:
1. On the Tools menu, click Options.
2. Under the Preferences tab, click E-mail Options.
3. Click Tracking Options.
4. Select one of the following:
   • Always send a response means Outlook will automatically send a read receipt whenever one is requested. This is the setting spammers love.
   • Never send a response means Outlook will simply ignore all future read receipts. This is the option I use. If I want someone to know that I’ve seen their e-mail, I’ll tell them myself.
   • Ask me before sending a response means Outlook will handle each request for a read-receipt on a case-by-case basis.
There’s more info on Outlook’s read-receipt settings in Microsoft’s Office Help and How-To pages. The link is for Outlook 2007, but earlier versions of Outlook use almost exactly the same options. In fact, every e-mail client I’ve ever seen offers similar settings. Check your client’s Help file for specifics.
Misplaced backup file clogs hard drive
Gilles Larabie was doing the right thing — backing up his system — but the huge file ended up somewhere on his C: drive, almost completely filling it:
- “I did a backup with my external device connected and did not change the drive letter in Preferences and ended up with the backup done on my main hard disk. Now I have no more space on my C: drive. I keep getting a message of ‘Low disk space on local Disk (C).’ How do I proceed to delete this backup so I can recover my disk space?”
There are several options, depending on whether you want to save the backup file. If you know the name and location of the offending backup file, skip the next two paragraphs.
If you’re not sure of the file’s name or location on your C: drive, click Start, Search, All files and folders. Under What size is it, select the Specify size radio button and enter the approximate “at least” size of the file (look at your previous backup files to see about how large they are).
If you don’t have easy access to your old backup files, pick a large size. The Specify size function asks for input in KB. For example, enter 250MB as 250000 KB, 500MB as 500000 KB, and so on. (Note that in Vista, use the Advanced Search options to search by size.)
Once you’ve found the backup file, right-click it. If you simply want to delete the file, press and hold the left Shift key and select Delete from the right-click context menu; holding the Shift key means the file will be instantly deleted instead of being moved into the Recycle Bin, where it would still occupy disk space.
If your intent is to save the backup file to some location other than your C: drive, select Cut from the right-click menu and navigate to an external drive or other location where you wish to store the file. Right-click that location and select Paste; the file will be removed from your C: drive and placed where you’ve indicated.
Timesaver bonus: If you open two folder windows on your screen — one showing your C: drive and the other showing the destination drive — you can just drag-and-drop the files between them.
And by the way: good on ya for making backups! I’m still amazed at how many people don’t take this simple step to protect themselves and their data.
Fred Langa is editor-at-large of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.
Use a sandbox to improve your PC security
By Ian “Gizmo” Richards
Sandboxes are a relatively new type of security product that can significantly reduce your chance of getting infected when you surf or when you download and install programs. I’ll explain why sandboxes are so important and show you how to use my favorite sandbox program.
Block access to system files as you browse
A security sandbox is a program that creates an isolated environment on your PC within which other programs can run. It sets up a kind of virtual PC within your real PC. Programs running in that virtual PC are corralled from the rest of the system.
It’s like building a room in the deep interior of your house with no windows or doors. What takes place in that room cannot affect what takes place in the rest of your house. In the same way, what takes place in a security sandbox cannot affect your PC.
Now, this may sound abstract and theoretical, but it has some very practical implications.
First, if you run an infected program within the sandbox, the infection is restricted to the sandbox and cannot get to your real PC.
Second, when you shut down the sandbox, the infection is eliminated from your PC. It will be gone forever without ever affecting your system.
These characteristics make sandboxes ideal for improving your PC’s security. And, as we shall see in the next section, sandboxes address the latest type of security threat confronting PC users: hostile Web sites.
Why sandboxes are important to your security
A few years ago, the major risk PC users faced was getting infected by a virus or worm that was contained within an e-mail. You may recall a time when there seemed to be a major virus outbreak every few weeks. Not anymore; with improved ISP e-mail filtering and more extensive use of antivirus products, large-scale, e-mail–borne virus outbreaks have become uncommon. They’re not eliminated but are much less frequent.
Today, there is a new threat: infection by visiting a hostile Web site. It works like this:
You go to a seemingly innocent site. While you are viewing the site in your browser, your PC has been silently probed for security vulnerabilities by malware implanted surreptitiously in the site. Once the malware finds a weakness, the site secretly downloads Trojans, keyloggers, and other malicious software onto your PC. You are not even aware of what has happened.
What does this secretly downloaded malware do? Pretty well anything the criminals behind the scheme want it to. For example, they could take control of your PC and turn it into a remote-controlled slave PC — or zombie — that will do its master’s bidding. This may be sending out spam e-mail, attacking Web sites targeted for extortion, or engaging in numerous other criminal and fraudulent activities.
Alternatively, the criminals may install a keylogger on your PC that transmits your banking and financial details to some remote computer.
Standard PC security measures aren’t enough
At this stage, many of you are probably thinking, “This can’t happen to me. I visit only reputable Web sites. Besides, my PC has all the latest Windows security updates installed and I have an excellent antivirus program.”
While good security practices will certainly reduce your chances of being infected by a hostile Web site, you can still get infected. Furthermore, the risk is greater than you may think. Here’s why:
First, an increasing number of hostile Web attacks are from reputable sites. Criminals may take control of a legitimate Web site via security vulnerabilities in the site’s software. They can then use the site to infect unsuspecting visitors.
It may be hours or days before the site owners detect and correct the problem. In the meantime, thousands of unsuspecting visitors to the site could be infected.
The most famous example of this process was the Super Bowl incident last year. The Web sites of Dolphin Stadium and of the Miami Dolphins football team were hacked and used to distribute a keylogger. The sites were infected for over a week before the problem was discovered. In the interim, thousands of surfers who visited the sites looking for football information instead had their PCs infected.
Second, keeping your PC fully up-to-date with the latest Windows security patches may not help, either. Some of these hostile Web attacks use unknown security holes, flaws that even Microsoft doesn’t know about. These so-called zero-day vulnerabilities are quite commonly used in hostile site attacks, perhaps because they allow a lot of PCs to become infected in the short time before the site owners discover their site has been hacked.
Finally, don’t expect your antivirus and antispyware software to fully protect you. Yes, your security software will catch some of these Web-based infections, but the chances of zero-day attacks being detected are not high.
Worse still, some of these hostile sites attempt to download software that disables your security software before it gets a chance to warn you of their presence.
Now, all this sounds alarming, but keep in mind that the risk that the average user will encounter a hostile Web site is relatively small. There’s no need to get into a panic about this; it’s just another security risk that all Internet users face.
However, though the risk is small, the consequences are serious, so putting some protective measures into place is worthwhile. This is where sandboxing comes into the picture.
Using a sandbox for safer browsing
My favorite sandboxing program is Sandboxie, which I’ll use to illustrate how sandboxes work and how they protect you. Other sandbox programs may work differently.
Sandboxie is a small, 350KB program for Windows XP and Server 2003, both 32-bit and 64-bit. The program does not currently work with Windows Vista. Sandboxie is free for personal use, though there is a U.S. $30 registered version with a few more features.
Most folks will be happy with the free version, though I encourage you to register if you can afford to, because this program is the work of a single hard-working individual — Ronen Tzur — not a large corporation.
After you install Sandboxie, you will notice very little that is different on your PC other than a small, yellow sandbox icon in the system tray.
Just because you installed Sandboxie, don’t think your browser is now sandboxed.
Unlike ZoneAlarm’s $30 ForceField and other sandboxing applications, Sandboxie does not set your browser to open in a sandbox automatically. You must do so manually by right-clicking your browser icon and selecting Run sandboxed.
Sandboxie can be set up to isolate your browser automatically whenever you open it. To do so, add the name of your browser’s executable file, such as firefox.exe or iexplore.exe, to Sandboxie’s list of the programs it always opens in a sandbox.
I use this setting to ensure that my browser always runs in a sandbox, regardless of whether it is started manually or automatically by clicking a link in a document or e-mail.
Some folks like full manual control, while others prefer it to be automatic. With Sandboxie, it’s your call.
Whatever method you use, Sandboxie employs a simple technique to let you know when your browser is running sandboxed: the program places a number symbol (#) before and after the contents of your browser’s title bar.
Security apps see in, malware can’t see out
While running sandboxed, you can browse with near-perfect safety to just about any part of the Web. If you get infected by a hostile site, your antivirus and other security programs can still warn you because they can see into a sandbox, even though sandboxed programs cannot see out.
However, be aware that your PC may become infected even if your security programs don’t sound the alarm, particularly if you encounter a new zero-day infection.
That’s no problem when you’re using Sandboxie. When you’ve finished surfing, simply close your browser, right-click the Sandboxie tray icon, and select Terminate programs to remove any program — including malware — that’s running in the sandbox. Then select Delete contents to completely remove any downloaded programs. After that, your PC is completely clean, with all traces of infection removed.
The same technique can be used to ensure privacy. When you clear the sandbox, all traces of your surfing activity are removed, including the sites you visited, the searches you made, and the files you downloaded.
Of course, this can be a mixed blessing: I like to retain my surfing history as well as any saved passwords and bookmarks.
But that’s no problem: you can set Sandboxie so that programs running in the sandbox have access to certain nominated files outside the sandbox. If you configure Sandboxie to allow sandboxed programs access to your real Favorites folder, then any new bookmarks you create while surfing in the sandbox will be saved.
However, you are exposing these shared files to any program running in the sandbox — including malware — so be sensible about what you choose to share.
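As an added example (not part of the original column and not Sandboxie's own code), the Python sketch below audits a Sandboxie.ini for the two settings discussed above: it reports browsers missing from the ForceProcess list and lists every OpenFilePath share, marking the ones open to all sandboxed programs. The sample configuration, box names and browser list are constructed for illustration.

```python
# Constructed sample configuration (not taken from the article).
SAMPLE_INI = """\
[DefaultBox]
Enabled=y
ForceProcess=firefox.exe
OpenFilePath=iexplore.exe,%Favorites%
OpenFilePath=%Personal%

[TestBox]
Enabled=y
"""


def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys.

    Sandboxie.ini repeats keys such as OpenFilePath, so a parser that
    keeps only one value per key would silently drop shares.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def audit(ini_text, browsers=("firefox.exe", "iexplore.exe")):
    """Report browsers that are not forced and files shared out of each box."""
    forced, shares = set(), {}
    for box, settings in parse_ini(ini_text).items():
        if ("enabled", "y") not in [(k.lower(), v.lower()) for k, v in settings]:
            continue  # skip disabled boxes and non-sandbox sections
        shares[box] = []
        for key, value in settings:
            if key.lower() == "forceprocess":
                forced.add(value.lower())
            elif key.lower() == "openfilepath":
                # Form "program.exe,path" limits the share to one program;
                # a bare path is open to everything running in the box.
                prog, sep, path = value.partition(",")
                if sep and prog.lower().endswith(".exe"):
                    shares[box].append((prog.lower(), path))
                else:
                    shares[box].append(("*", value))
    unforced = [b for b in browsers if b.lower() not in forced]
    return {"unforced_browsers": unforced, "shares": shares}


def exposed_to_all(report):
    """Shares that any sandboxed program, malware included, can write to."""
    return [(box, path) for box, items in report["shares"].items()
            for prog, path in items if prog == "*"]


if __name__ == "__main__":
    result = audit(SAMPLE_INI)
    print("Browsers not forced into a sandbox:", result["unforced_browsers"])
    print("Paths open to every sandboxed program:", exposed_to_all(result))
```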
Sandboxing isn’t just for Web browsers
You can sandbox any program, not just your browser. This is a great way to check out downloadable apps whose integrity cannot be established. Remember what I said earlier: your security software can see into a sandbox even though sandboxed programs cannot see out.
Since your antivirus scanner can detect an infected download running in a sandbox, you can simply clear the contents of the sandbox, and all trace of the infection is gone forever.
These days, I never surf without a sandbox. On the rare occasions when I get infected, it’s a great feeling to simply clear the sandbox contents and know my PC is safe from harm.
Sandboxing does not replace your antivirus scanner or other security software. Rather, it provides an additional layer of protection. No individual security solution — including sandboxing — is perfect. The more layers of protection you have, the greater your overall security.
I suggest you try the free version of Sandboxie, but first a word of warning: sandboxing programs cause problems on a small percentage of PCs, so before you install Sandboxie or any other sandbox program, please make sure your PC is backed up. That way you can recover in the event of a problem.
Ian “Gizmo” Richards is senior editor of the Windows Secrets Newsletter. He was formerly editor of the Support Alert Newsletter, which merged with Windows Secrets in July 2008. Gizmo alternates the Best Software column each week with contributing editor Scott Spanbauer.
Put these file locations on your backup radar
By Dennis O’Reilly
The roster of files in need of backup that Ian “Gizmo” Richards provided in his Oct. 2 column was comprehensive.
But reader Timothy J. McGowan points out some additional file locations to back up.
- “Firefox 3 and above no longer use bookmarks.html, at least not by default. The file doesn’t get deleted when you upgrade, but once the bookmarks are imported into the new storage file, the old bookmarks.html file is normally ignored.
“Bookmarks are now stored in your profile folder in a file named places.sqlite. Other sqlite files contain your cookies, permissions, preferences, and more. Rather than just backing up your bookmarks, you should really back up the entire Profiles folder and its subfolders, or you’ll miss a lot.
“To get Firefox 3 to start using bookmarks.html again (in conjunction with places.sqlite, not instead of it), start Firefox and press Alt+D, or click [in] the address bar. Delete the text that appears there, type about:config, and press Enter. The Filter control will be active; start typing autoexport until you see browser.bookmarks.autoExportHTML appear under Preference Name.
“Double-click it to change the value from false to true; the entire line of text will become bold. Press Alt+Home or click the Home button to navigate away from this page.
“(There are a lot of other settings revealed when you use about:config in Firefox. You can seriously mess up your installation if you start playing with items to see what they do. Don’t do that. You have been warned.)
“To find your mail folders in Thunderbird, [click] Tools, Account Settings. If you have more than one e-mail account, you’ll see them listed in the left panel; one account will usually be named Local Folders.
“Click Local Folders [to] see the location of that e-mail store under Local directory.
“If you have other accounts, they will normally be expanded so that you can see the Server Settings item under the name of each account. Click Server Settings and at the bottom of the dialog box you’ll see the Local directory for that account.
“Normally, unless you’ve really customized your system, all accounts will share a path to the unique storage folder; that is, if you set up Thunderbird to store your e-mail in D:\Thunderbird\E-mail\Storage [for example], you’ll see that each account is stored in a subfolder of Storage.
“If you have specified a custom folder for your Thunderbird e-mail stores, then you’ll need to remember to back up both the profile folder and the e-mail folder(s).”
That takes care of the recent versions of Firefox and Thunderbird. But for many Outlook users, there’s yet another file in need of backing up, as reader Pierre DeCrocq describes:
- “Ian forgets to mention .ost files too in the Outlook section. So a file called outlook.ost, if found, is as important as outlook.pst, since, for MS Exchange users working in cached mode, it is the local copy of the servers’ mailbox.”
Timothy and Pierre will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
Patch knocks out Net for XP PCs with ZoneAlarm
By Susan Bradley
Once again, a Windows security patch is causing users of ZoneAlarm security software on XP systems to lose their Internet connection. It’s important for users of many different ZoneAlarm products to update their programs before installing this week’s XP patches.
MS08-066 (956803)
ZoneAlarm users: postpone this week’s XP patch
This week, a special heads-up is needed for Windows XP users who have Check Point Software’s ZoneAlarm security products installed on their systems. Microsoft Security Bulletin MS08-066 (patch 956803), which updates the Microsoft Ancillary Function Driver, can throw your Internet connection for a loop.
The ZoneAlarm and Check Point products affected by the patch are:
• ZoneAlarm Internet Security Suite 6.5.645.000 to 7.0.482.000
• ZoneAlarm Pro 6.5.645.000 to 7.0.482.000
• ZoneAlarm Antivirus 6.5.645.000 to 7.0.482.000
• ZoneAlarm Anti-Spyware 6.5.645.000 to 7.0.482.000
• ZoneAlarm Basic Firewall 6.5.645.000 to 7.0.482.000
• Check Point Endpoint Security 6.5.645.000 to 7.0.865.000 (excluding 7.0.843.0007 and 7.0.866.000)
Before you apply the XP patch, visit Check Point’s download page and look for an updated version of your ZoneAlarm software. Don’t update XP until a ZoneAlarm refresh is available.
MS08-063 (957095)
File sharing may be hazardous to your PC
Normally, sharing files on a local or peer-to-peer network is a good thing. But there are times when it’s not such a good idea. Take the case of the Microsoft Server Message Block (SMB) bug described in MS08-063 (957095). This vulnerability allows an attacker to break into the network by sending malicious packets to file-sharing ports.
A good firewall will protect you from this type of attack. On a network, the attacker first needs to be authenticated, and then must know the NetBIOS name of the system and which open ports to target.
The probability of a bad guy exploiting this glitch appears to be low. Still, I recommend that you install this patch as soon as possible.
MS08-064 (956841)
Virtual-memory bug could allow real attack
When we think of RAM, most of us think only of the physical memory modules installed in our system boards. Windows also uses virtual memory — which it borrows from the hard drive — to assist in running the PC. MS08-064 (956841) patches a problem that lets an “authenticated attacker” take control of a system via its virtual-memory addressing.
At this time, there are no public exploits of this bug, which affects Windows XP, Vista, Server 2003, and Server 2008.
MS08-061 (954211)
A patch for Windows XP Service Pack 3
I’m still getting reports on a regular basis from people who have had bad experiences with Windows XP Service Pack 3. In past columns, I’ve discussed spontaneous system reboots, and readers have complained of problems with video drivers and other components.
Throughout all of this, I’ve still warily recommended that XP users download and install the service pack as a way to ensure the general health of their systems. Yet when I see the results of MS08-061 (954211), I start to question my own advice.
Among other potential problems, this patch for the Windows kernel may need to be installed twice on machines that are running XP SP3.
The MS bulletin states that — on systems on which XP SP3 has been uninstalled or the service pack failed to install — the file win32k.sys will be unsigned. In this case, you may see the patch offered to you a second time. In addition, some XP systems with SP3 installed may be offered the patch twice.
This “should” only happen on systems where the install of SP3 failed or SP3 was uninstalled. It shouldn’t happen to everyone who installed SP3. But it points out that installation of the service pack is not as clean as it should be.
If your XP system has been updated to SP3 and you get KB 954211 offered to you twice, please contact me via the link in my bio at the bottom of this column. I urge people to stay up-to-date on patches, but update woes such as these erode my trust in the process.
So far, XP SP3 has not been earning Brownie points with me. And to think Microsoft claimed SP3 would be a boring service pack!
MS08-058 (956390 and 956391)
Must-have patches arrive for Internet Explorer
You must know the routine by now: every other month, there’s an Internet Explorer patch that requires you to reboot your system. This month’s significant IE patch is MS08-058 (956390), which protects us from the latest malware cocktail.
There’s a specific ActiveX-killbit patch I urge you to install as soon as possible. Security advisory 956391 includes an ActiveX killbit that prevents a Web attack via Microsoft Access.
The patch also sets a killbit for several other vulnerable Office applications. I was offered the Access ActiveX control in question while visiting a Web site recently, so I know that the faulty control is being used in attacks.
Killbits tweak Windows’ Registry to ensure that Web-based applications can’t be launched automatically when you land on a Web site.
Even if you use Firefox, Safari, Opera, or another browser besides IE, install these two patches right away. Internet Explorer is a key part of your operating system, so you need to patch the program even if it isn’t your default browser.
These patches highlight why you need to upgrade from IE 6 to version 7, which is much more secure. If you haven’t already, download and install IE 7 right away.
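As an added example (not from the original column or from Microsoft), this Python sketch checks an exported .reg file for the kill bit described above: the 0x400 bit of the Compatibility Flags value under the ActiveX Compatibility key, in both the native and Wow6432Node registry views. The CLSIDs and the export text are constructed placeholders; substitute the CLSIDs listed in the advisory you are verifying.

```python
import re

KILLBIT = 0x00000400  # Compatibility Flags bit that stops IE instantiating a control

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\"
    r"Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$",
    re.IGNORECASE)
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$',
                     re.IGNORECASE)

# Constructed .reg export; the CLSIDs are placeholders, not real controls.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00800400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000C3}]
"Compatibility Flags"=dword:00000000
"""


def parse_killbits(reg_text):
    """Map (view, CLSID) -> True if the kill bit is set in that registry view."""
    state, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            view = "wow64" if key.group(1) else "native"
            current = (view, key.group(2).upper())
            state.setdefault(current, False)  # key without the value: no kill bit
            continue
        if line.startswith("["):
            current = None  # an unrelated registry key
            continue
        flag = FLAG_RE.match(line)
        if flag and current:
            # Other flag bits may be set too, so test the bit, not equality.
            state[current] = bool(int(flag.group(1), 16) & KILLBIT)
    return state


def missing_killbits(reg_text, clsids, views=("native", "wow64")):
    """List (view, CLSID) pairs where the kill bit is absent or cleared.

    On 64-bit Windows the 32-bit browser reads the Wow6432Node view, so a
    control blocked only in the native view can still load there.
    """
    state = parse_killbits(reg_text)
    return [(view, clsid.upper()) for clsid in clsids for view in views
            if not state.get((view, clsid.upper()), False)]


if __name__ == "__main__":
    wanted = ["{00000000-0000-0000-0000-0000000000A1}",
              "{00000000-0000-0000-0000-0000000000b2}",
              "{00000000-0000-0000-0000-0000000000C3}"]
    for view, clsid in missing_killbits(SAMPLE_REG, wanted):
        print("kill bit missing:", view, clsid)
```

On a 32-bit system, pass views=("native",) so the absent Wow6432Node view is not reported.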
MS08-057 (956416)
Patch Excel to prevent infection via spreadsheet
The latest patches for Microsoft Excel arrive in MS08-057 (956416). They’re described for individual versions of Excel in the following Knowledge Base articles, links to which are included in 956416:
• 955470 for Office 2007
• 955466 for Office 2003
• 955464 for Office 2002
• 955461 for Office 2000
• 955935 for Office Viewer 2007
• 955468 for Office Viewer 2003
• 955936 for Compatibility
• 955937 for SharePoint
• 958267 for Office 2008 for Mac
• 958312 for Office 2004 for Mac
• 958302 for Office XML for Mac
As in the past, we’re patching Excel versions from Office 2000 all the way to Office 2008 for Mac. In addition, SharePoint 2007 Enterprise and all Web servers that offer Excel Services need to be patched.
In a typical attack, you’d be enticed to open a malicious spreadsheet that was either sent to you as an e-mail attachment or presented as a download from the Web. You’d have to actually open the malicious document, not just download it, to become infected.
The best remedy is to open only files you expect from known senders. If you weren’t anticipating the file, don’t open it. At present, there are no known public exploits of this bug.
On a related note, MS08-056 (957699) patches a hole in Office XP SP3 that allows a Web site to inject malicious code. This patch deregisters the troublesome protocol.
MS08-062 (953155)
Windows Internet Printing Services need a patch
In the Windows 2000 era of several years ago, Microsoft’s Internet Information Services (IIS) had a bad reputation for security. Several worms — including Nimda and Code Red (yes, named after the Pepsi soft drink) — specifically targeted IIS servers.
In the Windows 2003 era, the security of the IIS platform improved to the point that it was rare to see a patch that targeted Web services specifically. Well, we have one of these rare Web-service patches this month.
MS08-062 (953155) affects the Windows Internet Printing Service in Vista, XP, and Windows Server versions from 2000 through 2008. The exploit in question has already been detected in attacks, so if you administer a Windows-based Web site — as I do — either ensure that the buggy protocol is not enabled, or patch your IIS server as soon as you can.
MS08-060 (957280), MS08-065 (951071)
Windows 2000 gets two special updates
Attention, system administrators running Windows 2000 Active Directory domain controllers: you’ll need to conduct a little special patching this month.
First up is MS08-060 (957280), which affects only Windows 2000 Server running as a domain controller. Any Small Business Server 2000 installations are also affected by this patch.
Second, a patch for message queuing on Windows 2000 Server is included in MS08-065 (951071). Message queuing doesn’t involve e-mail transmissions, as you might expect. Rather, it’s used by Windows 2000 Server to send communications between applications.
If you’re running Windows 2000 Server, don’t wait to install both of these patches.
MS08-059 (956695)
Host Integration Server admins only need apply
If you manage Host Integration Servers, note that an important security patch for those systems has arrived. MS08-059 (956695) describes how an attacker can gain control of the servers due to a flaw in the SNA Remote Procedure Call (RPC) protocol.
In general, RPC flaws are quickly exploited. Given the low number of servers affected, however, there may be no attacks. Regardless, if you run Host Integration Servers, apply this patch.
Other patches are interesting but less important
The only other patches Windows users need to worry about this month are the typical updates for junk e-mail filters and Microsoft’s Malicious Software Removal Tool. Media Center users will also receive 955519, which is a cumulative update for the Vista version of the program.
Vista and Windows Server 2008 users will get their monthly application-compatibility patches via 957000. This patch updates the Customer Experience Improvement Program (CEIP), so the Vista team can get more information about faulty drivers. I always participate in Microsoft’s customer-feedback loop to ensure that future patches and driver updates are as effective and trouble-free as possible.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2023 AskWoody LLC, All rights reserved.
