Free tools deactivate unsafe ActiveX controls

Find any Support Alert article from your browser

By Brian Livingston

If you remember reading an article from the Support Alert Newsletter — but you can’t recall the date — there’s a better way than random browsing to find what you seek.

You can now download our free browser plug-in, which adds Support Alert as a database you can query from the search bar of IE 7 and Firefox.

1. Search past years of Support Alert content

As you know, Support Alert merged with the Windows Secrets Newsletter on July 24, 2008. We’ve posted all the previous issues of Support Alert (1998–2008) in the WindowsSecrets.com library.

Even better, we’ve posted every Support Alert article going back to July 2002 on its own page. And we’ve indexed all of these 3,000+ articles in our library search engine to help you find the exact trick you’re looking for. (By July 24, we’d only finished indexing each article going back to June 2006. The last editor of Support Alert, Ian “Gizmo” Richards, started writing the newsletter’s articles in July 2002, when he took over from the previous writer, Robert Schifreen.)

Figure 1. Using our free plug-ins, you can now search from your browser for any past article from Support Alert or Windows Secrets — or search all Windows-specific sites via our Google API implementation (notice the last three rows in the image at left).
__________

A built-in search bar is included in Internet Explorer 7 and Firefox 2 and higher. In both browsers, you can easily install as many search plug-ins as you like.

After installing our Support Alert plug-in, you select it in the browser’s drop-down search box. Enter your query, click the magnifying-glass icon, and our library search engine does the rest. (The Opera browser doesn’t support these plug-ins, but only 0.8% of our site visitors use Opera, according to our server logs.)

You’ll see a page of results from past Support Alert articles. Once you’re on our search-results page, you can easily expand your search if you don’t immediately see the answer to your question.

One of the reasons why Gizmo, our new senior editor, licensed to Windows Secrets all of the past Support Alert content is because we could make it known to a larger audience. By working together, we can notify more than 400,000 combined e-mail subscribers each week about new ways to access this storehouse of data. The Support Alert Newsletter had 150,000 subscribers prior to July 24.

To get our free Support Alert search plug-in, or all three plug-ins, visit our search engine plug-in page.

Our newest download is based on coding efforts by our program director Tony Johnston and Web developer Damian Wadley.

2. Query everything in Support Alert, Windows Secrets, and LangaList

In addition to the articles that appeared in Support Alert, you can also use our library to find articles from past newsletters published by Windows Secrets and the LangaList. Start at our search page.

3. Search all Windows-specific sites using our specialized search

If even our combined library of some 10,000 articles isn’t enough, you can go wide using our Google API hack. This free service allows you to query every Web site that Google considers to be an “authority” on Microsoft Windows. Start at our Windows-related search page.

Our Google API tool is laser-focused, but it still includes hundreds of truly useful sites. For this reason, I find that our implementation produces better results on Windows questions than the generic version of Google.com.

What’s your experience? Try a few queries and let me know what you think via the Windows Secrets contact page.

New reviews replace old in our software sidebar

I announced in the first combined newsletter on July 24 that we’d added to WindowsSecrets.com a “software sidebar.”

This new site widget lets you jump to the most recent rankings by the Support Alert Newsletter of the best free and commercial software. These articles, as mentioned above, were licensed to Windows Secrets by Gizmo as part of merging our two newsletters.

I also said that we planned to update the software reviews in the most important of the 100+ categories by the end of 2008.

I’m pleased to say that we’re making good progress on re-reviewing every category of free software.

Since May 15, when our new reviewers Scott Spanbauer and Becky Waring started writing for Windows Secrets, we’ve updated the 16 categories shown in Table 1. Our new senior editor, Gizmo, is now writing 22 new reviews per year in our paid content, too.

Together with associate editor Scott Dunn — and other writers who’ll chip in reviews now and then — we should be able to retest every category of software by some time next year.

Table 1. New reviews added to the software sidebar since May 15, 2008.

Check out any of the above reviews on categories of software you’re interested in. You can see the entire software sidebar on many of our pages, including our reviews home.

We don’t expect to make everyone agree with our rankings, but we do promise that we’ll do our best to make them interesting.

Thanks for your support!

Brian Livingston is editorial director of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books.

Free tools deactivate unsafe ActiveX controls

By Scott Dunn Don’t count on Microsoft to shut down ActiveX vulnerabilities when they arise, as Microsoft Access users learned last Patch Tuesday when the company had no fix to offer for a leaky ActiveX plug-in. ActiveX security holes appear all the time, so you need these tips and tools to keep your system safe from flawed or malicious Internet Explorer add-ins.

An explosion in the number of ActiveX exploits

Microsoft designed ActiveX back in 1996 as a way to share data, run applications, and display animations in Internet Explorer. While Windows has some ActiveX components of its own, most ActiveX controls must be downloaded separately to access all of the functions on a Web site that relies on them.

Unfortunately, malware producers make ActiveX controls that spy on you and pull other dirty tricks. Also, otherwise-harmless ActiveX elements are exploited by hackers to attack users’ systems. That’s what happened with the recent vulnerability in the Snapshot Viewer function of Microsoft Access, as reported in Network World.

In recent years, the number of ActiveX vulnerabilities has grown exponentially, according to a study published last year by Symantec.

In 2006 alone, researcher H.D. Moore identified more than 100 vulnerabilities in the ActiveX components built into Windows XP and nearly 100 others in controls that ship with Microsoft Office and other mainstream applications, according to a SecurityFocus report written by Robert Lemos. This was just a few months after Microsoft had released ten patches for IE, including one for ActiveX itself.

Just enter activex on the Windows Secrets search page to find numerous examples of ActiveX problems and patches in the past few years.

Protect yourself against flawed ActiveX controls

With new ActiveX risks popping up several times a year, how can you protect yourself from security problems related to this technology? Here are several steps to consider.

Switch browsers. Since IE is one of the few browsers that rely on ActiveX, you can easily avoid problems related to the controls by using a different browser, such as the free Firefox 3 or Opera 9.5.

These IE alternatives are not free of security issues of their own, of course. But Microsoft’s policy of releasing patches only on one Patch Tuesday each month means that when a problem is discovered, a solution may be weeks away.

Turn off ActiveX. To deactivate ActiveX in IE, choose Tools, Internet Options, Security. Click the Custom level button at the bottom of the dialog and select Disable for every item listed under “ActiveX controls and plug-ins.” Click OK twice and restart IE.

Of course, disabling ActiveX may cause some functions on a Web page not to work properly. Also, some corporate intranets require ActiveX, so you may need to change these settings back to use all the features on those sites.

For additional ways to tweak IE for safety, see Brian Livingston’s tips from the Oct. 26, 2006, issue.

Fine-tune your ActiveX management. Turning off all ActiveX functions in IE is something of a sledgehammer approach. For a more surgical solution, use a product that deactivates only selected ActiveX controls. I took three such utilities for a test drive: Errata Security’s AxBan and two programs from Nir Sofer: ActiveX Compatibility Manager and ActiveXHelper.

All three programs are free, standalone executables, which means there’s no installation required. All three also let you select and disable or enable a given ActiveX component, including the ability to turn off Snapshot Viewer’s ActiveX control, which is the unpatched Access vulnerability I mentioned above.

In addition to checking for the Snapshot Viewer problem, I tested whether the programs let me disable the Flash ActiveX object. AxBan passed this test, as did ActiveXCompatibility Manager. However, I had to manually add the entry to the latter program before I could disable it. ActiveXHelper displayed the Flash object by default but failed to disable it.

#1: ERRATA SECURITY AXBAN

View only the controls you need to worry about

AxBan, which Ryan Russell described in his July 3rd Perimeter Scan column (paid subscription required), lists only ActiveX components that have been known to cause problems or have vulnerabilities in the past. Problematic items that are installed on your system and still active are highlighted in red.

Although AxBan uses a format similar to Windows Explorer’s Details view, you can’t sort its list of controls nor search for specific items. What you see is what you get.

You can disable or enable items by editing the Registry using a technique called a “kill bit,” which is described in Microsoft Knowledge Base article 240797. Unfortunately, AxBan doesn’t give you granular control over these items: Your only option is to disable all red-highlighted items at once by choosing the KillBit All button.

Figure 1. Disable problematic ActiveX controls via AxBan’s KillBit button.

You can re-enable individual items by selecting one and clicking Unkillbit Selected. Unfortunately, multiple selections aren’t allowed, so if you want to disable only some controls, make a note of the ones you want to re-enable later before you click the KillBit All button (which also removes the red highlight).

Despite its clumsy controls and interface, AxBan is the best choice for the average user because it presents a manageable list of known items only rather than overwhelming you with a huge roster of all the ActiveX controls in your Registry.

#2: NIRSOFT ACTIVEX COMPATIBILITY MANAGER

A less-exhaustive list of troublesome controls

ActiveX Compatibility Manager presents a database of ActiveX components that can be disabled or enabled using the same kill-bit technique as AxBan.

As in Windows Explorer, you can sort the list by clicking column heads for File Description, Company, Filename, and other categories. Without this capability, it would be difficult to locate just the controls installed on your system (items that are not installed lack these names and descriptions).

The program’s list of ActiveX components is not exhaustive, however, as shown by the feature that lets you add new entries just by entering class IDs in the Registry. Class IDs are a series of numbers and letters, as distinguished from the more prosaic program IDs (for example, ShockwaveFlash.ShockwaveFlash). It wasn’t clear to me why Flash and other popular items aren’t on the list to start with.

In addition to adding items, you can search, delete, and copy controls to the Windows clipboard. To enable or disable controls, simply select one or more items, click the green (enable) or red (disable) buttons on the toolbar, and restart IE.

#3: NIRSOFT ACTIVEXHELPER

This control killer is undone by media players

ActiveXHelper shares many features with Sofer’s ActiveX Compatibility Manager, including the ability to search, sort, copy, enable, and disable controls. Unlike ActiveX Compatibility Manager, however, ActiveXHelper prompts you for the source of items to list each time. The program can list items found in the Registry’s HKEY_CLASSES_ROOTCLSID key or show a custom list or text file.

In my tests, I was unable to use the product to disable Flash ActiveX controls. Clicking the Disable button neither changed the Enabled status listed in the window nor affected the use of Flash in IE. Consequently, I can’t recommend this utility.

If you can’t bring yourself to give up Internet Explorer or its ActiveX technology, I recommend you (cautiously!) try a tool such as AxBan or ActiveX Compatibility Manager.

But whatever your strategy, always keep your browser and other network-connected software patched with the latest security updates, as recommended here in Windows Secrets. Note, however, that you needn’t be in such a hurry to update Windows itself, as Susan Bradley described in her July 24th Patch Watch column (paid subscription required).

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.

Product reviews are a change for the better

By Dennis O’Reilly The integration of Windows Secrets and Support Alert puts more in-depth hardware and software evaluations at your fingertips. Expect the prime categories in our Software Sidebar to be updated every few months with reviews of the newest versions of the programs you rely on.

The new Windows Secrets lineup packs a punch

It has been a hectic summer in the Windows Secrets offices. We’ve wrapped up the combination of content from the former Support Alert Newsletter with our Windows Secrets library, we’ve created the Software Sidebar that puts the latest reviews a click away, and we’ve welcomed several familiar names to our roster of contributing editors.

Dan Eckert is one of several readers who are pleased with the recent upgrade.

• “I’ve been highly critical of Windows Secrets since the merger with Fred Langa. I’ve been especially disappointed with the merger of Gizmo’s newsletter to Windows Secrets.

  “So in the interest of fairness, I found your 07/31/08 issue one of your best since I’ve been on this rant. The newsletter addressed three different software areas that I have interest in. The comments were informative and reassuring that I had made right decisions about several software solutions.

  “How about an article on free or inexpensive PDF editors? It’s a problem I’m having right now. I hardly ever edit a PDF, but find myself facing $70 to $90 to find software to complete a single form or submit a form with all kinds of watermarks on it.”

We’ll test PDF editors in an upcoming issue, but until then you’ll find information about various PDF tools in the “best free PDF utilities” section of the Windows Secrets site.

Driver-update utility is no longer supported

Scott Dunn’s review of driver-update services from last week’s special update included the DriverMagic utility from SymplisIT. We have learned that the program is no longer supported by the vendor, and we’ve removed the rating of DriverMagic from the review.

The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.

There's nothing subliminal about this message

By Katy Chenoweth Throughout history, many great scientific minds have worked to unravel the male psyche. Freud and his ilk devoted entire lifetimes to understanding what goes on inside the mind of the common man… yet with one fell swoop, this hilarious commercial spoof has captured the very essence of the male attention span. With that in mind, it should come as no surprise that this commercial parody contains overt sexual references. Furthermore, we can take no responsibility for any resulting cupidity for pizza, beef jerky, or professional sports. Play the video

The two most useful utilities on my PC

By Ian “Gizmo” Richards I have dozens of utilities installed on my PC — but I’d like to tell you about two that are not well known, yet top the list of my favorites. These specialist tools are not for everybody, but if they apply to you, discovering them is going to make your day.

Freeware lets two PCs share a keyboard and mouse

I normally work simultaneously with two PCs whose screens are stacked one above the other. It’s a highly productive arrangement: while one machine is tied up doing something, I can use the other to continue working.

This setup works amazingly well, because I control both PCs from the one keyboard and mouse, using an open-source freeware program called Synergy.

Synergy is like an electronic keyboard-video-mouse (KVM) switch. With a KVM, you swap your keyboard and mouse from one PC to the other by manually turning a switch. With Synergy, you just move your mouse to switch control between the two systems.

It works like this: if I’m using my laptop, I move the mouse to the top of the laptop screen, and the cursor miraculously appears on the monitor mounted above that belongs to the second PC. Automatically, the laptop mouse and keyboard are connected to my second PC.

It may sound like a miracle, but the explanation is quite simple. Synergy senses when the cursor is at the screen edge and switches the mouse and keyboard electronically. In other words, it uses my local area network to make the connection rather than a set of KVM cables.

But Synergy is more than an electronic KVM. The program allows me to cut and paste between PCs, a feature I use all the time. It also synchronizes screensavers and can even sync screen-locking of both PCs.

Synergy is a true freeware gem.

Industrial-strength text processor saves work-hours

Every time I use TextPipe Pro (TPP), I silently thank the developer. This product has saved me so much time and so much angst over the years that I can hardly imagine what my computing would be like without it.

Yet most folks have never heard of TextPipe Pro.

It’s a pricey commercial utility designed to process text files. TPP can extract text elements, replace them, modify them, combine them, compare them, and do much more.

If you know Unix, you could consider TPP a combination of the UNIX awk and grep utilities, but bundled with a good graphical user interface. That’s a pretty accurate description, but not very understandable by Windows users. Maybe I could say TPP is like a search-and-replace utility on steroids, but that would dramatically understate the product’s power.

The best way to describe TPP to Windows users is by an example.

Let’s say a colleague sends you an e-mail containing a list of names and e-mail addresses of folks who want to join a national social club. Your job is to write to each person who lives in your state.

Now, doing this by hand would be a pain. Doing it using normal computing tools would be even worse. You’d have to copy and paste each e-mail and physical address into a spreadsheet and then sort the spreadsheet by state.

That’s OK for a dozen names, but impractical with 50 or more. Using TPP, it would be a one-minute job — regardless of the number of names on the list.

Simply copy and paste the original e-mail into TPP and use one of the program’s hundreds of preconfigured filters to extract only the lines containing the state in question. Then use other preconfigured filters to extract the e-mail addresses, sort the results alphabetically, delete duplicates and blank lines, and write the results to a file.

I just tried it and it took me 52 seconds. Not bad, eh? The results would be much the same whether there were 10 addresses or 10,000.

The key to TPP’s usefulness is its flexibility. Before I discovered TPP, I wrote custom, one-off computer programs to perform tricky text-processing tasks. Not anymore. In fact, I don’t think I’ve written a custom program in the past two years.

If you work with large text files, you are simply wasting your time if you’re not using TPP. At $399, the program is expensive — perhaps the most expensive utility I have ever bought — yet in time saved, it has retuned me that investment many times over.

If you’re interested in the dozens of other utilities I use on my personal PC, you’ll find a full list in my Desert Island Utilities report.

Ian “Gizmo” Richards is senior editor of the Windows Secrets Newsletter. He was formerly editor of the Support Alert Newsletter, which merged with Windows Secrets in July 2008. Gizmo alternates the Best Software column each week with contributing editor Scott Spanbauer.

E-mail form letters save you time and trouble

By Woody Leonhard Do you find yourself sending out the same basic kind of e-mail message every day — or worse, many times a day? A nifty-but-little-known feature in Windows XP and Vista lets you generate a “form letter” message with just one click.

Shortcuts get you out of your e-mail rut

I don’t know about you, but I find myself sending out the same message — give or take a tweak — to more-or-less the same people two or three or four times a day.

It got to the point where I could click Outlook’s “New” button and type the beginning of three or four names in my sleep, relying on Outlook’s autocomplete function to fill in the addresses plus a little judicious cut-and-paste to fill in the body of the message.

As anyone who has used the program knows, Outlook has a nasty habit of autocompleting e-mail addresses incorrectly: If you type fast and don’t watch closely, you may end up sending the message to the wrong person. That’s happened to me — embarrassingly — dozens of times.

I’ve played with Outlook’s Distribution List feature (which changed considerably from Outlook 2003 to Outlook 2007), but I don’t like to use those lists. Why? It’s very hard to send a message to “everybody on the Distribution List except this guy” — and I tend to do that rather frequently.

It turns out that Windows itself has a better way to create cookie-cutter messages, which you can then edit as necessary and send off in a nonce.

Create messages by clicking or typing a shortcut

Windows XP and Vista let you create shortcuts that generate e-mail messages. The trick works with all flavors of Outlook, Outlook Express, Windows Mail, and Windows Live Mail. The crux lies in using the “mailto:” command.

Here’s how to crank out a simple message by using a Windows shortcut:

• Step 1. Right-click any empty place on the desktop and choose New, Shortcut. Windows brings up the Create Shortcut Wizard.
• Step 2. In the box labeled “Type the location of the item,” enter mailto: followed by the first recipient’s address, a question mark, and a one-word placeholder for the message’s subject. (Don’t get too hung up on the details just yet.) The line may look like this:

  mailto:billg@microsoft.com?subject=Sales

• Step 3. Click Next. The Wizard asks you to type a name for the shortcut. Choose something pithy, like “Daily Sales Report.” Then click Finish.
• Step 4. Double-click the new shortcut that appears on your desktop. Depending on which e-mail program you use, you should see the skeleton of a message, similar to what is shown in Figure 1.
• Step 5. “X” out of the skeletal message (no, you don’t want to save the draft) and you’re ready to improve on the original shortcut.

Figure 1. An e-mail generated in Outlook 2003 by a Windows XP shortcut.

Modify the shortcut to automate your mailings

Now you’ll tweak the simple shortcut you just created to add items to the various fields. Right-click it and choose Properties. The dialog box should open with the Web Document tab chosen and the text in the URL: field selected. You can add other “To” addresses or completely new fields, such as a “Cc:” field (see Table 1).

Table 1. Fields recognized in a mailto: shortcut.

The mailto: command has a very specific — and very strange — syntax:

• Separate multiple entries in the mailto:, cc=, and bcc= fields with semicolons;

• Put a question mark at the end of the mailto: address list;

• Put an ampersand between all the other fields.

For example, the mailto: command below generates the message shown in Figure 2.

mailto:billg@microsoft.com;steveb@microsoft.com?cc=accounting@microsoft.com&subject=Daily Sales Report&body=Our sales for today came to

Figure 2. A more complex e-mail message automatically generated by Windows.

If you want to add or delete an e-mail address or futz with the subject or body of the message, just modify the shortcut as appropriate, click Send, and your e-mail program handles the rest.

Turn the e-mail shortcut into a one-click wonder

Once you have the shortcut working the way you want it to, drag it to the Windows Quick Launch Toolbar. I talk about putting items on the Quick Launch Toolbar in my Jan. 25, 2007, column on Vista timesavers.

If you send the same message over and over again (What, you don’t do status reports?), this little trick can save you a bunch of time. Besides, it’s a whole lot more fun than pounding out the same boring glop day after day, and it may even help prevent sending the wrong message to the wrong person.

Think your boss will notice?

Woody Leonhard‘s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.

'Tis the season for emerging PC threats

By Ryan Russell It’s the middle of summer in the northern latitudes, and in the security field that means new exploit techniques. As several key security conferences get under way and students have extra time for research, the pace of threat innovations picks up.

Summertime is also security-update time

For me, summer means security conferences. I just got back from the Last HOPE conference a couple of weeks ago, my first time attending. I don’t have a lot of new software tricks to report from it; HOPE is different from other conferences I attend in that respect.

However, if you’re concerned about physical security — as in metal keys — the topics of several of the conference sessions should interest you. Medeco, one of the best-known “high security” lock brands, was compromised in different ways in no fewer than three talks. (Like many security people, I pick locks as a hobby.)

Of course, the main event for me is the Black Hat conference. By the time you get this, I will have been there for a couple of days.

If you happen to be going, please look me up. I’ll be hanging around the BigFix booth, or the folks there will probably be able to tell you where I am. I would love to meet some readers. I will also be at DefCon, but it will likely be difficult to spot me among the 6000+ attendees of that show.

A few of us Windows Secrets editors have already covered several aspects of the DNS flaw that Dan Kaminsky plans to reveal fully at BlackHat. The patch is out, the secret was figured out, and exploits are available. But knowing Dan, I’m sure he still has a couple of tricks up his sleeve.

The DNS glitch is getting a lot of attention, but I think there are a couple of other hot topics worth watching.

Some concerns arise over virtualization

There is a track on virtualization security at BlackHat. This resonates with me. In my day job, I’m about to buy around 60 terabytes of SAN storage for VMWare ESX server. A big chunk of that will be used for testing, where security needs are pretty lax. But some of that space represents my production servers, disaster recovery strategy, and backups. Security is a big concern there.

My company is pretty small, but these are enterprise-like problems, not ones that most Windows Secrets readers have to worry about. Or will you? How many of you employ some sort of desktop virtualization software, such as VMWare workstation for Windows?

If you’re one of the “cool kids” like me who lug around some Mac hardware but still need Windows to get a bunch of real work done, you likely have some virtualization happening to accomplish that. I’m using VMWare Fusion.

You don’t have a huge SAN at home, but how many of you have one of the ~$400 1TB home network drives? How about some sort of media center arrangement? Some of those products sacrifice security features for cost or ease of setup.

The Web remains a ripe target for bad guys

Another Black Hat track has to do with Web and application security. A coworker has assigned me to come back and brain-dump a talk titled “FLEX, AMF 3, and BlazeDS: An Assessment.” My company is getting ready to ship a product that is based heavily on those technologies. Do you know what they are? Did you know your Web browser supports them?

Web browsers (and ActiveX controls, viewers, and plug-ins) have been a huge growth area for security research in the past several years. This summer looks no different. Expect to see more Web 2.0 worms, drive-by exploits, and patching of browsers, Flash, QuickTime, and other net-enabled apps.

One of the reasons these problems can be particularly scary is because Web technologies try hard to make things work across platforms. That means it doesn’t matter as much if you’re using Windows or Mac, IE or Firefox, a full PC or some sort of mobile device. Apple finds itself in the position of patching Safari on Windows, Mac, and the iPhone, often for the same vulnerability on all three platforms.

The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is Director of Information Security at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.