Flash ads bearing malware plague popular sites

Two search engines help you find Windows info

By Brian Livingston How many times have you said to yourself, “I know I saw an article three or four months ago, but now I’m danged if I can find it”? Our site now makes it easier for you to locate the exact trick you’re looking for in more than 6,000 articles that our contributors have written in the past few years — or on the entire Web.

Query our content or all Windows sites

1. Search within Windows Secrets, LangaList, and Brian’s Buzz

We’ve added the ability for you to search every individual article that’s ever appeared in the Windows Secrets Newsletter, the LangaList Newsletter (published by Fred Langa from 1998 to 2006), and Brian’s Buzz on Windows (a newsletter I wrote in 2003 and 2004).

The Windows Secrets Newsletter was formed in 2004 by merging Brian’s Buzz with Woody’s Windows Watch, a newsletter published by our contributing editor Woody Leonhard from 1998 to 2004. LangaList merged with Windows Secrets in 2006. (We’ve managed so far to catalog Fred’s articles going back to 2001. We plan to add Woody’s back issues to our search index in the weeks to come.)

Free subscribers: You can now see a summary of all our articles, even the paid ones, on every page of our search results. The summary might be all you need to jog your memory! If you’d like to read the full text of any paid article, however, there’s no big fee. We accept any financial contribution of any amount — and you get a full 12 months of paid content to boot! How to upgrade

Figure 1. The “Windows Secrets” tab searches our own content, whereas the “All Windows-related sites” tab queries Google’s index of tech sites.

To search within all Windows secrets articles, click the Search tab in our top-level menu, or surf to our search page. To add LangaList and Brian’s Buzz articles to your query, simply turn on the check boxes for these titles in Advanced Options (as shown in Figure 1).

2. Search within ALL sites related to Windows

What if you can’t find the specific Windows tip you need, even after you’ve gone back through several years of Windows Secrets content?

We’ve developed a second, specialized search engine that queries all of the top Windows-related sites. This feature uses code we’ve created based on the API (application programming interface) of Google.com.

Why wouldn’t you just use Google.com itself to search the Web? Our front-end makes Google crawl through only those Web sites that focus exclusively on Microsoft Windows. Instead of seeing row after row of sites that sell Windows, you’ll get results from sites that have great information about Windows.

Google itself decides which Web sites are “Windows-related.” That means it ain’t just our friends who appear in the search results — thousands of sites are searched. If your favorite geek site doesn’t show up, we aren’t the ones who excluded it. You’ll have to complain to the billionaires at the Googleplex.

I think you’ll find, though, that Google does a very good job of determining which sites have worthwhile info. Using our “Windows-related sites” search, you’ll never again get information about stained-glass windows when you’re looking for technical help.

To query all Windows-related Web sites, visit our site search page.

Golly, gee — it’s trickier than it looks

It might seem easy to craft a search engine, but it turns out to be one of the hardest development jobs to get right. Imagine a program that accepts one or two words of input and gives you back only the results you wanted.

My old WinFind 1.0 service was launched back in 2003. Major enhancements were released as WinFind 2.0 in 2004. This week’s new search engines represent WinFind 3.0, although that’s like saying a Porsche is just an upgraded Model T. (I announced WinFind in InfoWorld magazine on Feb. 6, 2003. WinFind 2.0 was unveiled in the Windows Secrets Newsletter on July 8, 2004.)

Prior to today, our search page was powered by technology from Atomz.com. (Atomz was acquired by Web Side Story in 2005, which changed its name to Visual Sciences and was recently acquired in turn by Omniture.) By contrast, our two new search engines are entirely based on our own code, plus the Google API.

Credit for the development effort should go to Windows Secrets research director Vickie Stevens and program director Brent Scheffler. An earlier launch of theirs brought you our new Library feature — an improved way to browse our articles, as I described in a Mar. 20 article.

Like any .0 version, our two new search engines may still have some quirks. Please run a few queries. If you find any results that look odd, let me know using our contact page, and we’ll soon bring out a .01 version.

Brian Livingston is editorial director of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books.

Flash ads bearing malware plague popular sites

By Scott Dunn A Flash-based advertisement that appeared last week on the USA Today site downloaded malicious code to users’ computers, generating erroneous warnings of a malware infestation and offering a phony solution. The Flash vulnerability is so widespread that such “malvertisements” may be present on thousands of sites, but there are measures you can take to reduce your exposure.

Just opening the page puts you at risk

Visitors to USAToday.com last Thursday got more than they bargained for. A hacked Flash advertisement meant that merely viewing a page in your browser was capable of triggering a malware attack on your PC. According to an alert on the security site Websense, the ad can take control of the browser without any user interaction at all.

Two days after the ad appeared on the USA Today site, two prominent Utah-based news sites, DeseretNews.com and SLTrib.com, were found to have similarly dire banner ads. These ads directed users to various unexpected locations, including the site for AntiSpywareMaster. This destination has been called a “corrupt anti-spyware parasite” and a “fake program” by the RDV Group, a safe-computing organization.

News sites aren’t the only victims of what Sandi Hardmeier, who authors the blog Spyware Sucks, calls “malvertisements.” The ads themselves may appear perfectly harmless, notes Hardmeier, who’s been recognized as an MVP (Most Valued Professional) by Microsoft. “The criminals behind such malvertisements . . . have no shame,” she writes, “impersonating everything from WeightWatchers to Oxfam.”

Advertisements are not the only source of the problem. The principal conveyors of this malicious code are Flash animations (or .swf files), which are commonly used to create intro screens, online video, and other Internet content in addition to Web ads.

Of particular concern are Flash files that are vulnerable to insertion of malicious code using a technique called cross-site scripting, or XSS.

This vulnerability was widely publicized earlier this year by Google researcher Rich Cannings and his co-authors in their book Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions. According to a report in the U.K.–based tech-news site The Register, a Web search revealed more than 500,000 vulnerable files on major Web sites.

A permanent fix is a long way off

Makers of Flash-building tools, including Adobe, Autodemo, TechSmith, and InfoSoft, quickly updated their development environments to patch the holes, according to a March story in The Register. But because many of the vulnerable files have to be regenerated from scratch, a titanic number of high-risk Flash files remain online.

Speaking at last month’s CanSecWest security conference in Vancouver, B.C., Cannings estimated that over 10,000 sites host the risky files, The Register reported.

But that estimate may be low. In his security blog, Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, writes that “potentially hundreds of thousands” of Web sites could be at risk. “Reasonably workable fixes are going to be a long time coming,” he adds.

Even diagnosing the problem can be a challenge, notes Spyware Sucks’s Hardmeier. She points out that advertising commonly appears on Web sites in one of two ways: either the Web site’s staff handles its own advertising and posts the ads directly, or the site is served ads from an advertising network, which typically manages the content.

Unfortunately, it isn’t always easy for sites or advertising networks to detect problem ads. “Malvertisements are coded to exclude particular IP addresses, cities, states, and even entire countries,” Hardmeier explains. “It is standard operating procedure for a malvertisement to be coded so that it will not trigger a redirect if displayed on a computer within the IP range of the victim Web site or victim advertising network.”

What you can do to protect yourself

Even though the long-term solution is for the providers of Flash-based content to create more-secure versions of their files, there are some measures users can take to protect themselves. These protections are not foolproof, but they at least reduce the risk of exposure to malware via compromised Flash files.

Some of these tips come from Andre Gironda, Secure SDLC Consultant and author of the ts/sci security blog, who posted his pointers in a comment to Grossman’s blog posting.

The no-Flash option

The most effective – albeit drastic – way to protect yourself from malware-bearing Flash files is to uninstall Flash entirely. Adobe provides a special tool for doing this; you can find instructions and a link for downloading this file in a Technote published on the Adobe site.

The part-time-Flash option

If going without Flash entirely is too extreme, you can limit the sites that use this and other risky plug-ins by installing free browser add-ons that let you manage active Web content more granularly:

For Internet Explorer, TurnFlash lets you toggle between blocking Flash files and allowing them to run. A tray icon lets you turn Flash on or off, but the setting takes effect only in any new IE windows that you launch, not in the existing browser window.

A similar utility called No! Flash also switches Flash on and off, but it also gives you the ability to turn off several other elements, such as Java applets and other scripts. As with TurnFlash, the changes take effect in the next IE window you open.

For Mozilla Firefox, a plug-in called Flashblock disables all Flash content on Web sites and replaces it with a round Flash logo. You can selectively enable Flash files by clicking their icons.

For more comprehensive security, the plug-in NoScript not only disables Flash but also turns off Java, Silverlight, and other active Web elements. A NoScript icon in the Firefox status bar provides a pop-up menu for adding a site you trust to the add-on’s “whitelist,” which enables all scripts and animations on the site (but not necessarily those on the site’s pages that are served up by ad networks). You can also right-click a link in Firefox to set its NoScript options via the context menu.

The minimal option

At the very least, update the Flash Player software on your system to the latest version (9.0.124.0 or higher). In the last three months, Adobe has patched a number of security holes in this product. The update won’t protect you from all buggy Flash files on the Web, but it will make your browsing much safer.

You can download the latest Adobe Flash Player from the Adobe Web site.

After you install the update, run the free Secunia Software Inspector online malware scanner to find old versions of the Flash Player that may have been left behind on your system. Secunia’s on-screen report will show the path and filename of the old files you need to delete. You may have to run the inspector more than once to make sure all the old files are deleted. If you delete a needed file by mistake, simply run the newest Flash Player installer again to correct the problem.

One danger posed by Flash bugs is the ability of hackers to get your login credentials for a given site. Andre Gironda recommends creating multiple Firefox profiles, each with its own NoScript (or, if you prefer, Flashblock) settings. He uses his Flash-enabled profile to browse sites such as YouTube, but he exits that browser and launches his Flash- and script-blocked copy of Firefox when he conducts online banking and visits other sites that require logins.

To set up a Firefox profile, do the following:

Step 1. Choose Start, Run. Type cmd.exe and press Enter.

Step 2. At the command prompt, type:

“C:Program FilesMozilla Firefoxfirefox.exe” -profilemanager

Then press Enter. (Note that the quotation marks are required and that your path may differ.)

Step 3. If you want Firefox to prompt you for a profile each time you launch it, uncheck the option Don’t ask at startup in the Firefox — Choose User Profile dialog box.

Step 4. Click Create Profile and follow the steps in the wizard to name your new profile. Repeat the steps to create a second profile. For example, you might name one profile Flash-Yes and another Flash-No. When you’re done, click Exit.

Step 5. Rather than being prompted for a profile each time you open Firefox, create separate shortcuts to launch each profile. For example, if you have a shortcut to Firefox in your QuickLaunch toolbar or on the desktop, drag the shortcut with the right mouse button pressed, drop it, and choose Create Shortcuts Here.

Step 6. Right-click one of your Firefox shortcuts and choose Properties. Click the Shortcut tab and edit the command line so it ends in with -p followed by a space and the name of one profile. For example, the entire command line might read:

“C:Program FilesMozilla Firefoxfirefox.exe” -p Flash-Yes.

Repeat these steps for a second shortcut to launch your other Firefox profile.

Step 7. You may need to download and install one of the plug-ins described above for these profiles and configure each profile’s browser differently. However, any changes you make should be saved with that profile, so they will be in effect the next time you launch it.

A complete solution to high-risk Flash files may not come any time soon. Until the creators and managers of these files can ensure a high degree of safety, users have to be extra cautious to avoid the risks of Flash-borne malware.

For more on Flash security vulnerabilities, see Windows Secrets contributing editor Mark Edwards’s Apr. 10 PC Tune-Up column.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.

The U.S. election process, in a nutshell

It’s a campaign for the record books. First, a neck-and-neck race for the Democratic nomination will be won by either the first African-American nominee or the first female nominee of a major party. That winner will go up against the oldest person ever to vie for an initial term in the White House. For the first time in decades, voters of all stripes are actually paying attention. But just how does the whole U.S. political system work, anyway? Luckily, Newstopia, an Australian comedy news show, has taken the liberty to sum up the process for us in this brief — albeit hilarious — clip. Get ready to take notes; this will be on the final! Play the video

Three fast, thorough, easy-to-use disk cleaners

By Fred Langa CCleaner, Cleanup Assistant, and DTweak Pro are powerful, ready-to-run tools that target junk files and more. Along with these best-of-breed, GUI-based disk-cleanup tools, I’ll tell you about the most popular choices sent in by your fellow readers — and maybe by you!

De-junkify your drive for little or no money

It’s one of your busiest days. You’re in the middle of a major project, juggling several apps at once. Suddenly, your system bogs down. The problem: your hard drive is maxed out, its “busy” light glowing brightly. As your drive plays catch-up, you wait several precious seconds each time it slogs through the queue of pending operations.

A hard drive that’s cluttered with useless junk is a system choke point. These orphan files cause the drive to perform unnecessary seeks and reads. In addition to preventing optimal disk defragmentation, the excess junk slows the OS by forcing needless cataloging and indexing operations.

My columns of Mar. 13, Mar. 27, and Apr. 10 described ways to pare Windows’ common junk files manually and by using a command-line tool. I also warned you away from some disk-cleaning programs that are a waste of time and money.

This week, I’ll tell you about the very best cleanup tools I’ve found, as well as some reader recommendations for disk cleaners. My favorite is Piriform’s CCleaner, which scrubs areas of your drive that most other utilities miss. Cleanup Assistant from DBSoft scores points by letting you delete unneeded files that are locked at the time of the cleanup during your system’s next reboot. Still, the program is a notch behind CCleaner in its ability to ferret out the files you don’t need. My third choice is Daoisoft’s DTweak Pro, which cleans thoroughly but suffers from an unpolished interface.

Why review this many tools? PCs are almost infinitely variable: no two real-life PCs have exactly the same junk files in exactly the same locations. Because of this complexity, no cleanup program I’ve seen will successfully identify and remove every junk file every time. No matter which utilities you run, different programs will find at least some files missed by the others.

To keep your hard drive running at peak performance, find the two tools that do the best job of cleaning your PC’s drive, and use both for routine cleanups. When you want to perform the occasional full scrub of your system, run one or more of the other disk-cleaning programs as well.

Given that all these utilities are free or dirt cheap, you have nothing to lose but your PC’s junk!

CCleaner super-scrubs your drive

CCleaner from Piriform started life years ago as a very funky little utility called (believe it or not) “Crap Cleaner.” As the tool matured into professional-quality software, it morphed to its current, less-profane moniker. But no one who knew of it back then is likely to forget its original name!

In addition to cleaning out junk files from the usual system locations (Temporary Internet Files, etc.), CCleaner also looks for the disk debris created by more than 150 common applications, including MS Office, Adobe Reader, Java, and Quicktime.

Figure 1. CCleaner can identify and delete junk files left behind by more than 150 different applications, in addition to the unneeded files created by Windows itself.

The program is pretty slick: it scans your system to determine what applications are installed and then presents you with a customized list of junk-file locations based on your PC’s specific setup. CCleaner runs a bit slowly, but it does an excellent job of deleting unneeded files that are either missed by other tools or more difficult to delete using other methods. While CCleaner also includes a Registry cleaner, its forte is finding and deleting junk files.

Of course, every silver lining has a cloud, and CCleaner’s downside is that it doesn’t place deleted files in the Recycle Bin or some other location where they’d be easy to recover. As it runs, the program warns you clearly that its file removals are permanent, so this is not something that sneaks up on you. Still, the only way to recover from an erroneous deletion is by restoring a file from one of your own backups.

CCleaner works with all versions of Windows. It’s donationware, which means you may use it for free, but the publisher requests a donation if you decide to keep the program.

Remove locked files with Cleanup Assistant

Although DBSoft’s Cleanup Assistant bills itself as “7 tools that help you keep a clean hard drive,” its main feature is its Trash Cleaner. Unlike any other utility of this type that I’ve seen, Cleanup Assistant uses a set of “trash definitions” that’s continuously updated by DBSoft. At each run, the program checks to see that it has the latest definitions of what is (and isn’t) junk and then removes files on your system that match the definitions.

Another unusual feature: If any junk files are in use or otherwise locked at the time of the attempted removal, Cleanup Assistant will offer to delete the stubborn files at the next reboot, before they become locked again.

The program doesn’t seem to be quite as thorough as CCleaner in sniffing out third-party junk. It does, however, manage to find the files left behind by even some less-common software, such as Google Earth. And, by default, deleted files are moved to the Recycle Bin for easy recovery, if necessary.

Figure 2. Despite a minimalist interface, Cleanup Assistant does a pretty good job in ferreting out third-party junk files as well as Windows’ own leftovers.

Since Cleanup Assistant is donationware, it’s unreasonable to nitpick very much. My chief complaint about the software is that the interface is a little clunky and unpolished. But it works, and that’s what matters most.

DTweak Pro cleans well but has rough edges

DTweak Pro from Daoisoft is an ambitious piece of software that includes an Intelligent Disk Cleaner in addition to a Registry cleaner, disk defragmenter, drive monitor, and other maintenance and optimization tools. The program is available in a free-trial version (with some nag screens and a few features turned off) and as a fully functional Pro release for $29. There’s also a completely separate, 100%-free version called DTweak Free, but this release is severely feature-constrained and not worthwhile.

I focused on the Pro version’s Intelligent File Cleaner. In the trialware version, this tool runs only in default mode. If you pony up the full price for the program, additional disk- and file-selection options become available. Even the default mode in the utility’s trialware does a good job of finding the junk on your drive, including some files that other tools left behind. The program offers to make a Restore Point, but the only certain way to recover an improperly deleted file is to create your own backup first.

Although DTweak Pro’s default language is English, it’s clear from the spelling and grammar errors sprinkled throughout the interface that the authors are non-native English speakers. This isn’t necessarily a big deal, but one hopes that the lack of linguistic quality doesn’t carry over to the actual code quality. (I encountered absolutely no problems in testing the software on different systems running Vista and XP Pro, however.)

Figure 3. DTweak Pro has an interesting interface but is marred by misspellings and awkward wordings here and there.

These minor niggles aside, DTweak Pro cleans junk files well, even in its free/trialware configuration. When you consider the other disk-maintenance tools included in the program, plus the additional features you can unlock at a relatively low cost, it’s easy to see why this program merits a look.

Readers suggest even more disk-cleaning options

Many, many readers responded to my request last week for cleanup-tool suggestions. (Thanks to all who wrote in!) Three tools were mentioned most often: CCleaner (see above), Windows CleanUp!, and EasyCleaner.

Fred Langa is editor-at-large of the Windows Secrets Newsletter. He was editor of Byte magazine (1987 to 1991) and editorial director of CMP Media (1991 to 1996), overseeing Windows magazine and others. He edited the LangaList e-mail newsletter from 1997 to 2006, when it merged with Windows Secrets.

The best — and worst — personal firewalls

By Mark Joseph Edwards If you chose the firewall on your PC based on reputation, you may be in for an unpleasant surprise. The Matousec Firewall Challenge answers the million-dollar question: “Is my firewall really protecting me?”

Firewalls that pass the leak test

Defending against data leaks is an important aspect of any firewall. Leak-testing sites such as the popular PC Flank help you determine whether a given firewall can stand up to the various tricks that the bad guys pull in their efforts to steal your data.

I recently came across a leak-testing project that I consider to be above and beyond the others: the Firewall Challenge is run by Matousec, a security consulting and research group named after its founder, David Matousek. The security researchers and consultants of Matousec bring far more knowledge to firewall leak testing than most competing sites, which gives me more confidence in their results.

Over the past several weeks, the Matousec team has been putting personal firewalls through the wringer. Their tests are based on four categories: data leaks; terminations; bypasses; and stability, reliability, and other factors. Matousec tests using Windows XP with SP2 and Internet Explorer 6.

So far, the results are staggering: of the 19 firewalls tested, 10 failed miserably (including Windows Live OneCare) and as such should not be relied upon to protect your system. Only five of the firewalls tested received a rating of “excellent” or “very good.” Three others were rated “good,” and one was rated “poor.”

Based on Matousec’s leak-test results, the top two personal firewalls are the free Comodo Firewall Pro and Tall Emu’s $40 Online Armor Personal Firewall, both of which stopped every attack thrown at them. In third place is ISecSoft’s $30 ProSecurity, which blocked 93% of the test’s access attempts, and in fourth place is Agnitum’s $40 Outpost Firewall Pro, which thwarted 91% of the attacks. (Note that the fee-based firewalls offer free trials of 30 to 90 days, and their prices include one year of updates for up to three PCs.)

A lot of you probably use Check Point Software’s $40 ZoneAlarm Pro. Be aware that the program scored only 74% in Matousec’s leak tests. Microsoft’s $50 Windows Live OneCare is nearly at the bottom of the barrel in 18th place, scoring a miserable 5%. Pretty shocking, eh? The firewall in Symantec’s $60 Norton Internet Security (no free trial available) didn’t fare much better, stopping only 32% of the test’s attacks. Another shocker was the poor performance of Sunbelt Software’s $20 Sunbelt Personal Firewall, which scored a low 18%.

Amazingly, no big-name companies are among the top performers. The closest any major firewall vendor came to the top of the heap is Kaspersky Labs with the firewall in its $80 Internet Security suite, which scored 85%.

If you’re using a firewall that performed poorly in the Matousec tests, then by all means consider changing to another program as soon as possible. Check out the complete test results for each of the products, along with an outline of Matousec’s leak-test methodology and scoring system. You’ll also find responses from various vendors whose products were tested. [Editor’s Note: The firewall section of the WSN Security Baseline will be updated with this new information next week.]

Keep an eye on Matousec’s Firewall Challenge site to learn the results of other firewall tests as they become available.

The ultimate Windows boot CD

Gordon Golden sent me a great tip about making a bootable CD or flash drive that can help you recover from a Windows failure: UBCD4Win, which is an acronym for Ultimate Boot CD for Windows.

According to the project’s site, UBCD4Win “includes network support and allows you the ability to modify NTFS volumes, recover deleted files, create new NTFS volumes, scan hard drives for viruses, etc.” The tools bundled in the program let you find and remove viruses and other malware, make disk copies, work with disk partitions, and recover files, among other tasks. UBCD4Win also includes Firefox and the InScribe e-mail client, as well as VPN tools.

While UBCD4Win is technically designed for creating a bootable CD, Gordon said that he was able to install its tools on a flash drive that worked just fine. To do that, he followed instructions available on the site’s support forum.

UBCD4Win sounds like a great tool, and I’m sure a lot of you will find it useful the next time Windows goes south (which likely isn’t too far off). Thanks for the tip, Gordon!

Make Windows XP look like Vista

A gentleman named Jerry recently wrote to say that he saw a PC that looked like it had a Vista desktop, even though he knew that the system was running XP. Naturally, he wonders how XP got the Vista look.

I know of a few ways to accomplish the XP facelift, all of which involve installing software that includes themes. One way is to load Razor Vista, which replaces the Windows shell and installs some new styles. Or you can use Vista ZRB.BLK VS, a program that is similar to Razor Vista and was created by the same person, Mauricio M. Takemura. You’ll find a few other interface renditions in his gallery.

Another way to Vista-fy XP’s look is to use VistaVG, created by Vishal Gupta. In order to use the program, you need to install a DLL (uxtheme.dll) and run a utility that patches Windows so that it can use the theme. The developer shows several variations in a gallery at DeviantArt.com.

I’ve used Gupta’s approach to install other custom themes for XP, and it worked fine. (One of my XP systems looks like it’s running OS X.) However, I ran into a problem when trying to upgrade XP. So, as you install VistaVG, make notes of the steps you follow so, if necessary, you can reverse them later.

Yet another Vista theme for XP is AeroGlassXP V3 The Remix. This program requires that you install Stardock’s WindowBlinds for XP, which is a theme subsystem that costs $20.

Finally, take a look at BricoPack Vista Inspirat Ultimate 2, which can also transform XP to look like Vista.

All five options offer a decent desktop conversion, though they all consume some system resources, particular AeroGlassXP, which relies on WindowBlinds. Be sure to back up your system before installing any of these theme conversions.

Reset a lost Administrator password

A reader who goes by the handle Tugftb77 wrote to say that he lost his Administrator password. He wants to know how to recover it without reformatting his hard drive and reinstalling Windows.

In my Nov. 29, 2007, column, I wrote an article called “Own any PC in 60 seconds or less.” When you read the article, you’ll learn about a very good tool that lets you reset your Administrator password to anything you want — and you can make the change in about 60 seconds flat, if not quicker.

XP SP3 and Vista SP1 aren’t available on CD

Another reader, Jacob, wrote to ask whether Windows XP SP3 and Vista SP1 will be available on a free CD from Microsoft. As far as I know, Microsoft isn’t providing free CDs for either service pack. Unfortunately, you’ll need to download both service packs. The good news is that after you download them, you can burn them to a CD.

Keep in mind that retail versions of Vista now include SP1. When you buy Vista, make sure you’re buying a copy that comes with SP1. Then you won’t have to install the entire service pack separately, since it’s integrated into the operating system.

Mark Joseph Edwards is a senior contributing editor of Windows IT Pro magazine and regularly writes for its Security Matters blog. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.

.NET Service Pack 1 creates a tax-season .MESS

By Susan Bradley An unannounced auto-deployment of Microsoft’s .NET Service Pack 1 rocked the accounting industry by affecting key applications right before the U.S. tax deadline. This week, I’ll help you control the damage by providing you with a primer on .NET patching.

.NET 2.0 SP1 wreaks havoc on tax deadlines

Every taxpayer in the U.S. knows that the 15th of April is a magical day — magical for Uncle Sam, anyway. It’s the deadline for filing your personal income tax returns and paying any tax you owe. The last thing accounting firms want to deal with this time of year is a faulty software update.

.NET 2.0 Service Pack 1 was deployed via automatic updates suddenly and unexpectedly last Thursday, just one week before the tax deadline. A glitch related to the update affected some installs of Intuit’s popular QuickBooks accounting software and TurboTax tax-preparation software, as well as tax software from CCH (Commerce Clearing House).

Ironically, the service pack was initially released months earlier and has been in the high-priority and critical sections of Microsoft’s Windows Update service. I’m still scratching my head trying to figure out why the company decided to schedule the automatic update so late in the current tax season.

While not all individuals who received this unexpected service pack experienced problems, the glitches were widespread enough to require the immediate attention of the software vendors. Their response provides a template for all of us to use when dealing with failed .NET 2.0 patches.

Un-botching a botched .NET update

As Intuit documents, even uninstalling QuickBooks and reinstalling it will not fix the .NET service-pack problem. The only solution is to uninstall and reinstall .NET itself. If .NET doesn’t uninstall, the best course of action is to use Aaron Stebner’s .NET Framework cleanup tool to remove .NET and start over.

The faulty service pack also impacted CCH’s electronic tax-filing program, as I reported in the Patch Management Listserve. CCH also recommends uninstalling and reinstalling .NET 2.0. Here’s hoping no other key financial applications got hit with the bad patch during tax season.

How do you know whether you need .NET?

I get asked time and again, “How do I know whether I need .NET in the first place?” To begin with, .NET is a foundation for other software. For instance, QuickBooks 2006 and 2007 use .NET 1.1, while QuickBooks 2008 requires .NET 2.0. That’s why it’s difficult to know which version of .NET you need: it depends on what software you have installed on your system.

The next question I get is, “Can’t I just upgrade to .NET 3.5 and remove the rest?” Again, it’s hard to give a definitive answer, because some line-of-business applications require old versions of .NET. You may find .NET 1.1, 2.0, 3.0, and 3.5 installed on the same machine, if different apps require different .NET versions.

The best advice is to install all service packs and patches that you’re offered for existing .NET versions, but if an update message indicates that it will install a new version, just say “no.”

How can you avoid the service-pack problem described above? Whenever you’re approaching a key deadline, adjust the auto-update settings on all mission-critical and business-critical machines to “Download but do not install.” This gets the patches ready to go but lets you control when they’re installed.

There’s usually no rush to install service packs if you keep up-to-date on individual security patches. That was certainly the case with .NET 2.0 SP1, as many people discovered last week.

MS80-022 (944338)
Installation problem hits VBScript and JScript

If you attempt to install the security update described in Knowledge Base article 944338 and Microsoft security bulletin MS08-022, and the patch fails, you may be experiencing a problem I described in my Apr. 10 column. The difficulty involves VBscript 5.6 installed on systems running Internet Explorer 7.

The fix is to install the 5.7 version of the scripting engine manually. Simply download Windows Script 5.7 to patch the patch.

MS08-024 (947864)
Internet Explorer patch may block all Web access

It seems that every Internet Explorer patch ends up causing a few folks to lose the ability to browse the Web altogether. Even if you try to use Firefox or Opera, you’re locked out of the network. When you uninstall the patch, all is well again. Microsoft suggests that to fix the problem, which is documented in KB 942818, you visit your security-program vendor’s Web site to check for an update.

The other advice Microsoft offers is to uninstall and then reinstall your security software. Ugh! Before you go to this extreme, recheck the firewall exclusions in your security program. Perhaps this will save you the hassle of uninstalling and reinstalling the security app.

938371
A Vista update knocks out mice and keyboards

When I travel to tech conferences, I don’t normally pack an external mouse with my laptop. I rely instead on the machine’s touchpad. It’s a little bit of a hassle, but less trouble than making room in my laptop bag for a mouse.

Now imagine, if you will, finding that your mouse and keyboard have been deactivated, with no alternative means of controlling your computer. That’s what befell some folks after they installed update 938371 on their Vista machines.

Members of the Windows Update newsgroup report that the update leaves them with no operating keyboard or mouse. Only if they can tab and spacebar their way into the Control Panel and Device Manager can they instruct the system to reload the mouse and keyboard drivers. (If you can remember what all these keyboard shortcuts are, your memory is better than mine.)

If you encounter this problem, uninstall the update and contact me via the Windows Secrets contact page. Microsoft needs some additional information about affected systems to help debug the issue.

Of course, this assumes that you can tab and spacebar your way to getting me the message in the first place. The good news is that, in my testing, this issue does not appear to be widespread. The bad news is that, if you’re one of the few struck by the glitch, your system is pretty much dead in the water.

The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.