Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
How to simulate User Account Control in XP
In this issue
- INTRODUCTION: Make sure you get the e-mails you want
- TOP STORY: How to simulate User Account Control in XP
- KNOWN ISSUES: Drive encryption not just for hard disks
- WACKY WEB WEEK: Apple takes on iRack
- PC TUNE-UP: Does the future of Windows include adware?
- WINDOWS SECRETS: IE 7 allows Firefox exploit to work
- PATCH WATCH: How to clean up after MS's .NET patches
Make sure you get the e-mails you want
By Brian Livingston
We’ve made some improvements in the systems that send you the Windows Secrets Newsletter. But, as they say, no good deed goes unpunished, so our upgrades meant that some readers didn’t receive the last issue at all!
Simple steps to let good mail through
Last month, ActionMessage.com, the company that broadcasts our e-mail newsletter, doubled the memory of its server and moved to a new Web-hosting facility. This makes the system more responsive, which is good. But some Internet service providers (ISPs) had a funny reaction to the server’s new IP (Internet Protocol) address.
Despite our best efforts to stay in the good graces of large ISPs, some rejected our newsletters simply for arriving from an IP address that hadn’t been seen before.
About 12% of our 277,000 subscribers didn’t receive the newsletter on July 19, due to “bounces” from ISPs. After we saw the problem and took steps to correct it, 6.5% of our subscribers still bounced on July 26. That contrasts with fewer than 0.7% bounces for every other newsletter we e-mailed in June and July.
One ISP with notable problems was RoadRunner (rr.com). Last week, more than half of the bounces affected subscribers who have rr.com e-mail addresses.
We’re working overtime to make sure you receive the newsletters you’ve requested. But we also need you to do two or three things that we’ve found to be effective:
Step 1. Help your e-mail program recognize our “From” address. Place our “Editor at” address, shown below in an image, in your e-mail program’s address book and any safe-senders list it uses.
All mail from us will bear this “From” address, even our personal replies when you send us a tip. If your e-mail program doesn’t allow you to specify the “From” address of senders you want to receive mail from, you should consider upgrading to a more modern program.
Step 2. Whitelist our new IP addresses in your mail server. If your company administers its own mail server, ask your administrator to place the following IP addresses on the server’s “whitelist.” This ensures that you’ll receive (a) the newsletters from our e-mail broadcast server, (b) admin messages from our Web server, and (c) personal e-mail replies from our in-house mail system, respectively:
72.9.103.50 and 72.9.103.51
216.182.80.209
64.81.169.38
These IP addresses are controlled by ActionMessage.com and WindowsSecrets.com, neither of which tolerate spammers. Your mail admin can be confident that whitelisting our IP addresses will get you only good mail.
Step 3. Resend the current newsletter to yourself. Sometimes, an ISP deletes important e-mail without even notifying you. When we find that an ISP has bounced your newsletter, we e-mail you a short text notice, using our Web server’s IP address, to alert you to the problem.
If you ever miss an issue of the newsletter, you can send it to yourself again, as long as the next issue hasn’t been published yet. To resend the current issue, simply use one of our links to your preferences page. Once you’re there, click the “Resend” link. You can do this several times a day, if need be, to test your e-mail system until the e-mails you want get through.
It’s frustrating that the spam problem has made some ISPs unreliable in transmitting basic, wanted e-mails. Rest assured that we’ll do everything we can to deliver the mail to you, through snow or rain or gloom of night!
Brian Livingston is editorial director of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books.
How to simulate User Account Control in XP
By Scott Dunn
Vista users love to complain about the intrusiveness of User Account Control, but it does provide a degree of security. If you’re using Windows XP, I’ll show you what steps you can take to give yourself a similar level of safety.
Protect your system from attacks
One of the most common complaints about Windows Vista is its frequent requests for confirmation. Vista’s User Account Control (UAC) feature pops up when you launch certain kinds of programs, attempt to customize the Start menu, configure parental controls, install applications or drivers, and so on.
But annoying or not, this feature provides important safeguards against intrusions by viruses and malicious users. UAC is also an important component of Internet Explorer 7 in Vista. It allows IE 7 to run in “protected mode,” in which the browser lacks the rights to install start-up programs or directly reconfigure Windows.
If you use Windows XP, you can’t add all the protections afforded by UAC, but you can take steps to limit the damage malware can do.
Don’t run as administrator all the time
Most people using Windows XP routinely log in with administrator privileges. At first glance, this makes sense — why wouldn’t you want to have all the rights necessary to control your own system?
The answer is that doing so also gives unlimited access to every program you run. The single best way to simulate user account control in Windows XP is to run as an ordinary user. Don’t worry; I’ll show you how to get around the limitations when you really need to.
Step 1. Start anew. Since your existing administrator account might come in handy, don’t demote it. Instead, create a new, restricted account: In XP, click Start, Run. Type lusrmgr.msc and press Enter. With Users selected in the left pane, choose Action, New User. Fill out the dialog box with the new user name and other desired options. Click Create.
To make sure your new profile is a restricted account, double-click its name in the list of users. Click the Member Of tab. If “Administrators” or “Power Users” appears in the Member Of list, select them and click Remove. To keep the new profile as safe as possible, you want it to be a member of Users only. Click OK. Close Local Users and Groups by choosing File, Exit.
To test your new profile, click Start, Log Off {Your Name} or (if you don’t see that command) click Start, Shut Down, and choose Log Off {Your Name} from the drop-down list and click OK. Now log in using the new account name and password.
Step 2. Transfer your settings. At this point, you may be thinking of all the custom settings you’ll need to re-create in this new account. Fortunately, Windows gives you a quick way to transfer these to your new profile.
First, make sure you’ve logged into the new profile at least once (as explained in the previous paragraph). You’ll also need to reboot the computer at least once before proceeding. Also, be aware that any changes you made or files you added to the new profile will be obliterated in this process, so it’s best to do this to a brand new profile that has no vital information.
At this point, log into a profile that is neither the one you are copying from nor the one you are copying to (preferably, another administrator account you’ve created). In Explorer, right-click on My Computer and choose Properties. Click the Advanced tab and, under User Profiles, click Settings. Select the profile whose settings you want to copy to the new, restricted profile and click Copy To. In the Copy To dialog box, click Browse and navigate to the folder corresponding to the new profile you created (it should be in the Documents and Settings folder). Select it and click OK. Now click OK and wait while the transfer takes place. Then close the remaining dialogs.
Step 3. Get around limitations. As you use your new profile, you’ll discover some of its restrictions. For example, you won’t be able to install applications and drivers; create or change users and groups; stop or start services (for example, using services.msc) that are not started by default; and more. For some such tasks, you’ll simply have to log out and log back into your administrator profile.
But, in some cases, you can simply make an application itself run as an administrator for the current session. For example, to run an application with your old privileges without logging out, simply right-click its shortcut or its .exe file and choose Run As. Select the option The following user and, if necessary, edit the user name to the profile you want (using the form computer\user). Type the password and click OK.
Some programs (such as Microsoft Installer files with an .msi extension) don’t display the Run As command on their context menus. In that case, you can use Run As on the command prompt (Start, All Programs, Accessories, Command Prompt) to launch the installer with administrator privileges. Any application you launch from that command prompt will have administrator privileges as well.
If you find that you frequently need a command prompt with administrative rights, you can create a batch file that launches one. Open Notepad and type:
runas /user:computer\user cmd.exe
Press Enter to end the line. Replace computer and user with the name of your computer and the name of your administrator account, respectively. Then save the file, giving it a .cmd extension (not .txt). Anytime you need this “power prompt,” just double-click the file, type your password, and press Enter.
Remember, using Run As to give applications administrator privileges gives that application the same access to your computer as if you launched it in your administrator profile. So avoid running applications with elevated rights unless you really need to do so.
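One way to confirm the Step 1 check without opening Local Users and Groups, given here as an added example that is not part of the original article: the Python sketch below parses the text printed by the Windows command net user followed by an account name, and reports whether the account belongs to Users only. The sample output and account names are constructed for illustration.

```python
"""Check that an XP account is a member of Users only (the article's Step 1)."""

# Groups the article says a restricted profile must not belong to.
PRIVILEGED_GROUPS = {"administrators", "power users"}
FIELD = "Local Group Memberships"

# Constructed samples of `net user <account>` output; account names are made up.
SAMPLE_RESTRICTED = """\
User name                    daily
Account active               Yes
Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.
"""

SAMPLE_ELEVATED = """\
User name                    oldadmin
Account active               Yes
Local Group Memberships      *Administrators       *Power Users
                             *Users
Global Group memberships     *None
The command completed successfully.
"""


def local_groups(net_user_output):
    """Return the local groups listed in `net user` output.

    Each group name is prefixed with '*', may contain spaces, and a long
    list wraps onto indented continuation lines.
    """
    groups = []
    in_field = False
    for line in net_user_output.splitlines():
        if line.startswith(FIELD):
            in_field = True
            rest = line[len(FIELD):]
        elif in_field and line[:1].isspace():
            rest = line  # indented continuation of the same field
        else:
            in_field = False
            continue
        groups.extend(g.strip() for g in rest.split("*") if g.strip())
    return groups


def audit(net_user_output):
    """Report group membership and whether the account is Users-only."""
    groups = local_groups(net_user_output)
    privileged = [g for g in groups if g.lower() in PRIVILEGED_GROUPS]
    return {
        "groups": groups,
        "privileged": privileged,  # memberships to remove
        "users_only": {g.lower() for g in groups} == {"users"},
    }


if __name__ == "__main__":
    samples = (("daily", SAMPLE_RESTRICTED), ("oldadmin", SAMPLE_ELEVATED))
    for name, text in samples:
        result = audit(text)
        verdict = "OK" if result["users_only"] else "REVIEW"
        print(f"{name}: {verdict} groups={result['groups']} "
              f"remove={result['privileged']}")
```

An account with no Local Group Memberships field in the output is reported as not Users-only, so a failed or truncated command shows up as something to review.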
Use NTFS for added PC security
Here’s another important security measure: If your hard disk is not already using the NTFS format, consider converting it. NTFS provides more security than the older FAT32 file system, as well as allowing encryption and compression. For example, NTFS is required for administrators to control the permission levels of the various users of a computer.
You can convert an existing volume to NTFS by opening a command prompt and typing:
convert x: /fs:ntfs
where x is the letter of the drive you want to convert. Be aware that once you’ve made the change, you can’t convert back to the old file system without reformatting the drive, effectively wiping out all its data. If you’re unsure, make a complete backup of the partition first. And consider opening Windows Help and searching for the topic “Choosing between NTFS, FAT, and FAT32.”
These measures don’t provide all the protections of Vista’s UAC. For example, the UAC protections provided to Internet Explorer 7 are only available in Vista. But the above steps can limit the damage an attack can do to your system.
Now it’s your turn: What are your favorite tips for securing your computer? We’ll publish the best ones in an upcoming issue. Use our Windows Secrets contact page. We’ll send a gift certificate for a book, CD, or DVD of your choice if you send a tip we print.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.
Drive encryption not just for hard disks
By Scott Dunn
I pointed out in our July 19 issue some programs that encrypt hard-disk partitions — a feature of the more-expensive Ultimate and Enterprise versions of Windows Vista.
But these days, you may want protection for more than just hard disks, such as Flash drives.
Get portable encryption on Flash drives
Reader Richard Niolon has a question about the hard-drive encryption programs I described:
- “I read the column by Scott Dunn about file security in Vista and how you can get similar protection for your XP system. But it discusses computer hard drives.
“I’ve been looking for something for my Flash drive that is portable, is easy to use, doesn’t slow down file access unbearably, and most of all… that does not require administrator privileges.
“That way, I can access my Flash drive on the public computers at my school. Any ideas? Free is nice, but not required.”
The freeware encryption tool TrueCrypt will probably fill the bill. Although it requires an administrator account to set up an encrypted file, you don’t need to be an administrator to mount the encrypted container later on. TrueCrypt can encrypt entire Flash drives or just create an encrypted container on part of the Flash drive.
Since you want it to be portable, you’ll need this second option. According to the FAQ on the TrueCrypt Web site, as long as you create an encrypted container on one part of the Flash drive, and put TrueCrypt on another part of the drive (i.e., not in the container), you should be able to accomplish what you want. For details, see the Traveller Mode chapter of the user guide.
Virtual PC works on XP and Vista Home
The July 19 issue also mentioned that the system requirements for Microsoft’s Virtual PC application don’t include XP Home or Vista’s Home Premium edition. But reader Pete Green writes to tell a different story:
- “I thought you might like to know that, despite what Microsoft says, both in its requirements and when you install the program, Virtual PC does in fact work fine on XP Home. I’ve been using it on my Home install ever since it became available.”
In a similar vein, Mike Simpson writes:
- “You mention Virtual PC not being compatible with XP Home. A similar message appears if you attempt to install it on Vista Home Premium, stating you are not licensed to use Virtual PC. However, if you do not care if you are licensed or not, you can still install it with no problems under Vista Premium Home.”
Other readers wrote in with similar comments. Naturally, using a product in a way not contemplated by the license means you can’t expect to receive any support from Microsoft if something goes wrong.
Run old DOS programs under Windows
A number of readers commented on a letter in the July 26 issue, in which reader Gerhard Oberschlick wondered how to get MS Word for DOS to run on his XP Home computer. For example, Howard Wexler writes:
- “Don’t know what Gerhard Oberschlick is talking about. I have XP Professional, but I have always been able to run Word for DOS 5.0 from XP without any added software.”
But many more readers pointed to the solution first proposed by a reader named Tommy:
- “Since the user wanted to run DOS programs, I’d suggest he investigate using DOSBox from dosbox.sourceforge.net.”
According to its Web site, DOSBox emulates an Intel x86 machine. This permits older DOS programs (including but not limited to games) to run in newer operating systems like Windows 2000 and XP, including support for sound, graphics, mice, and more. It also includes a rudimentary command prompt for helping you install your old applications.
The downloads page includes add-ons for languages other than English. The product appears to be free, but the site does solicit donations.
We’re sending a gift certificate for a book, CD, or DVD of their choice to readers Green, Simpson, Wexler, and Tommy for sending us tips that we printed. Send us your tricks using the Windows Secrets contact page.
Apple takes on iRack
Sure, Apple Inc. is famous for cool products with trendy designs. But what would happen if the high-tech corporation took on something different, something even bigger than it already has?
That’s the question MadTV asks in this skit about the most daring Apple product to date — the iRack. Watch the video
Does the future of Windows include adware?
By Mark Joseph Edwards
Microsoft recently filed for a patent that may change the way the company targets advertising at its customers. This week, I tell you how that technology might impact both your desktop and your privacy.
Microsoft’s ominous adware patent application
Last week, I learned about a patent application filed by Microsoft for a new “advertising services architecture.” That means adware — and possibly the invasion of your privacy.
According to the patent specification, Microsoft intends to change how advertising is delivered to your system. More importantly, the company may change how data is used to tailor advertisements sent to you.
Google, for instance, uses data based on search queries and Web browsing to determine how to tailor advertising. Microsoft could also use data from your own computer to make that determination.
When you read the patent, you’ll find that item 11 in the Claims section states that data sources could be “at least one of user document files, user email, user music files, podcast files, computer status messages, and a profile database storing existing tag data.”
Further in the application, in item 19, you’ll find that the company intends to integrate those advertisements as “part of the OS, an application or integrated within applications” and that “[a]n application, such as a word processor or email client, may serve as both a source of context data and as a display client.”
What this patent application appears to indicate is a way that, sometime in the near future, Microsoft intends to grow its revenue stream. This involves using its operating system and applications to make a strategic maneuver against Google’s growing presence.
While this doesn’t affect you right now, consider a possible future scenario. Imagine the generation of Windows after Vista (code-named Windows 7). It might be made available by subscription, whereby you’d pay a fee for online access to a remotely hosted “Windows desktop.” This fee would include remote storage for most all of your data (documents, media files, e-mail, and so forth).
By storing your documents for you, Microsoft could easily search through all of your data to tailor advertising. Even if you keep your files on your own disks, Microsoft could still use its OS and applications to parse your data. In either case, you might also be offered a chance to pay a higher rate for access to software that isn’t loaded down with advertising.
If this scenario does come to pass, would you find the adware annoying enough to pay more to exclude ads from your OS and applications? Send me your opinion on this potential future, using the Windows Secrets contact page.
K9 Web Protection, a free content filter
One of our readers, R. Krasner, sent us a note saying that he finds K9 Web Protection to offer “rock solid” parental control. Krasner states, “I have not been successful in bypassing this Web filter, except when running a browser inside of a virtual OS.”
Based on the available documentation, K9 Web Protection does look like a good product. However it does have understandable limitations.
For example, if you access a site using SSL (https:), K9 won’t be able to determine whether the encrypted content is unacceptable. While it’s possible to use advanced techniques to inspect SSL traffic, any product that did so would lose my trust. If your Web content-filtering system can read the data in, say, your SSL-enabled banking transactions, you should be very leery, indeed.
K9’s maker, Blue Coat Systems, offers the product free for home use. It’s a great offer that can help protect you against sites with malware and other types of undesirable content. You can download a copy of K9 Web Protection from the company’s Web site.
Ways to bypass Web content filters
In the previous topic, I pointed out that SSL can be used to bypass many Web content filters. Sometimes, filtering systems are very useful and can protect you and your PC from dangers. Many companies and service-related businesses (such as hotels and coffee shops) legitimately implement such filtering systems to maintain control over the computers that reside on their respective networks.
In other cases, however, content filters are overly restrictive, blocking access to sites that you really do need to access. This might happen if your company relies on a filtering list provided by a third party. It can also happen when companies (or repressive countries) decide they don’t want anyone accessing certain sites from their network.
You can easily get around many Web content filters with the simple trick of using a “proxy” as a go-between. By far the easiest, quickest, and least suspicious method is to use a search engine as your proxy. Any network monitoring tools that may be in place might think that you’re simply using a search engine, not visiting prohibited sites.
Many search engines, such as Google and Altavista, offer Web-site translation services or other conversion tools, such as for mobile-computing devices. By using those services, the search engine can deliver otherwise-blocked content to your Web browser.
To try this technique, go to Google’s translator page or Altavista’s translator page. Then enter the URL of the site you want to view and configure the service to convert French (or any language) into English. It doesn’t matter which origin language you choose, as long as you convert the site into English. Sites written in English will be automatically detected and delivered to your browser in the original language.
Another method is to use Google’s mobile conversion tool. This service does tend to strip down the content for use on a cell-phone screen, so sites won’t look the same as they do in a browser.
You can also use Google’s cache to retrieve Web pages, although the process is a bit more tedious. To do that, you must search for the page you want to view (using keywords or a URL string) and then click on the Cached link, if one exists.
All of these approaches have one problem that you need to keep in mind. Your browser will try to load images directly from the target site, not from Google or Altavista. That process could trigger content filters and other monitoring software.
Finally, if you own a hosted Web site that lets you install scripts, you could load a simple script that acts as a powerful proxy server. Such a proxy can be used to bypass some Web content filters. It can also be used to visit sites without revealing your real IP address, should that be your goal. In my next column on Aug. 16, I’ll tell you about a great script that I use for this purpose, so stay tuned!
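For administrators who run a filter, the go-between requests described above can be recognized in proxy logs, because the blocked address still travels inside the query string of the allowed request. The following Python sketch is an added example, not code from this newsletter or from any filtering product; the log format, host names, parameter names, and blocklist are all constructed for illustration.

```python
"""Spot requests that ask an allowed site to fetch a blocked one."""
from urllib.parse import parse_qsl, urlsplit

# Constructed blocklist and log lines ("client method url"); every host name
# and query parameter name here is made up for the example.
BLOCKED_HOSTS = {"blocked.example"}

SAMPLE_LOG = [
    "10.0.0.5 GET http://translate.example/translate?sl=fr&tl=en"
    "&u=http%3A%2F%2Fblocked.example%2Fnews",
    "10.0.0.5 GET http://blocked.example/images/logo.gif",
    "10.0.0.7 GET http://search.example/search?q=weather+report",
    "10.0.0.8 GET http://mobile.example/view?url=www.blocked.example/forum",
    "10.0.0.9 GET http://translate.example/translate"
    "?u=http%3A%2F%2Fallowed.example%2F",
]


def is_blocked(host, blocked=BLOCKED_HOSTS):
    """True if host is a blocked domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked)


def embedded_hosts(url):
    """Return host names carried as values in the query string of url."""
    hosts = []
    for _name, value in parse_qsl(urlsplit(url).query):  # percent-decodes
        candidate = value.strip()
        if not candidate or any(ch.isspace() for ch in candidate):
            continue  # free-text search terms, not an address
        if "://" not in candidate:
            candidate = "http://" + candidate  # target given without scheme
        try:
            host = urlsplit(candidate).hostname
        except ValueError:
            continue
        if host and "." in host:
            hosts.append(host)
    return hosts


def classify(line, blocked=BLOCKED_HOSTS):
    """Return (client, verdict, host); verdict is direct, relayed or ok."""
    parts = line.split(None, 2)
    if len(parts) != 3:
        return ("?", "unparsed", "")
    client, _method, url = parts
    try:
        request_host = urlsplit(url).hostname or ""
    except ValueError:
        return (client, "unparsed", "")
    if is_blocked(request_host, blocked):
        return (client, "direct", request_host)  # ordinary filter hit
    for host in embedded_hosts(url):
        if is_blocked(host, blocked):
            return (client, "relayed", host)  # allowed site used as relay
    return (client, "ok", request_host)


def summarize(lines, blocked=BLOCKED_HOSTS):
    """Map each client to the set of verdicts seen for it."""
    seen = {}
    for line in lines:
        client, verdict, _host = classify(line, blocked)
        seen.setdefault(client, set()).add(verdict)
    return seen


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```

A client that shows both a relayed and a direct verdict matches the image-loading behavior noted above: the page arrived through the go-between, while its images were requested straight from the blocked site.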
McAfee offers free Rootkit Detective
McAfee recently announced the availability of a new, free tool, Rootkit Detective, that the company claims has the most comprehensive rootkit detection capabilities available today.
“We have achieved extremely high levels of accuracy, using various techniques to find anything that hides itself on a computer,” says Ahmed Sallam, lead research architect at McAfee.
The company says that the tool reveals hidden processes, Registry entries, and files, and scans kernel memory to detect modifications. The tool then lets users remove or disable detected malware. The tool can also collect samples and allows users to submit them to McAfee’s Avert Labs for analysis.
Rootkit Detective, as described on McAfee’s download page, runs on Windows 2000, Windows XP, and Windows Server 2003. But be aware that the tool isn’t for the novice. Mistakes in a removal process could easily crash your system. Be extremely careful if you use it.
We’re sending reader R. Krasner a gift certificate for a book, CD, or DVD of his choice for sending us a tip that we printed.
Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and writes the weekly Security Update e-mail newsletter. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.
IE 7 allows Firefox exploit to work
By Chris Mosby
In my July 12 column, I discussed a flaw in IE that was exposed by installing Firefox. Now the tables have turned and the opposite is true with the latest releases of Firefox and IE 7.
URI flaw has new exploit method
I discussed on July 12 a problem with the way that Firefox registers certain URI handlers with the operating system. If exploited, these handlers could call IE to launch Firefox, using JavaScript-based attacks that can compromise a user’s system.
This flaw was fixed in a new version of Firefox known as 2.0.0.5. The exploit, however, is reportedly still possible with other browsers, such as Safari for Windows, according to security researcher Thor Larholm.
Since then, the Web has seen a constant flow of arguments over who was at fault for this flaw. “Mozilla,” says former Microsoft security strategist Jesper Johansson; “Microsoft,” says Mozilla developer Window Snyder.
The most recent new flaw is very similar to the previous one — except this time, the presence of IE 7 on a system that also has the latest version of Firefox allows Firefox to be exploited. Also, instead of an infected URL being passed from IE to Firefox, this exploit works entirely within Firefox itself.
A Windows flaw makes Firefox vulnerable
The new flaw is caused by an input validation error that’s introduced by the installation of IE 7. It involves the browser’s handling of URI handlers such as "mailto," "news," "nntp," etc.
Exploiting this flaw requires a user to visit an infected Web site using Firefox. The site offers up a page or document that includes a semicolon (;) character and ends in an extension like .bat, .cmd, etc. Examples of the problem can be found on Billy Rios’s site.
This vulnerability has been confirmed in fully patched Windows XP SP2 and Windows Server 2003 systems using Firefox 2.0.0.5 and Netscape Navigator 9.0b2.
What to do: Firefox released on July 30 an updated version, known as 2.0.0.6, which corrects the flaw. You can upgrade Firefox to the new release using the browser’s Check for Updates function on its Help menu. For more information, see Mozilla’s Firefox 2.0.0.6 release notes.
If, for some reason, you can’t update Firefox, US-CERT provides an advisory with some workarounds.
You can also use my favorite Firefox add-on, NoScript, which provides built-in protection from this flaw.
More information: Secunia, Tales from the Crypto, Ryan Naraine’s Zero Day
The Over the Horizon column informs you about threats for which no patch has yet been released by a vendor. Chris Mosby recently received an MVP (Most Valuable Professional) award from Microsoft for his knowledge of Systems Management Server. He also writes the comic-book blog Tales from the Longbox and is a contributor to Configuring Symantec Antivirus Corporate Edition.
How to clean up after MS's .NET patches
By Susan Bradley
Let’s review one more time the issues we’ve seen with Microsoft’s July 10 .NET patches. Hopefully, this will give you a bit more guidance to help you get your systems patched.
MS07-040 (931212)
Here we go with .NET one more time
I’m revisiting the .NET patches in my column this week because these patches are the ones people are having the greatest number of issues with. I previously wrote about the .NET patch problems in my July 12 and July 19 columns.
Microsoft Knowledge Base article 931212 documents all of the known issues so far. Meanwhile, the MPECS Inc. blog has a great step-by-step post that shows how to deal with typical .NET patch issues.
There are two tools that may be of help, as well. The first removes the old .NET 1.1, while the second uninstalls .NET 2.0. Either step might be necessary in order to recover and start over. Aaron Stebner’s blog is the source for both the .NET 1.1 tool and the .NET 2.0 tool.
907747
Exchange message filter infrequently updated
Back in January, the WSUS team announced on its blog that the long-awaited Intelligent Message Filtering updates for Exchange 2003 were being placed on hiatus for a month.
Microsoft’s IMF operations guide is described in KB 907747, which was last modified on Oct. 27, 2006. This guide and the filter have gone far too long without updates.
I just this week saw the first filter update in a long while. There was no usual mid-month update, and meanwhile we’re being overwhelmed by PDF and postcard spams that are a challenge for filters to catch. In early reports, this week’s new filter appears to be catching about two-thirds of those annoying PDF spams.
Fortunately, I use a hosted spam-filtering solution in my office that’s keeping up with the spam issues. But if you don’t have ExchangeDefender.com in front of your own mail server, you may need to change your IMF SCL rating to deal with the spam issues.
Daniel Petri has an excellent how-to that you can use to review your IMF settings to determine what values you need.
If you’re offered several IMF updates over and over again, you can use SBS MVP Kevin Weilbacher’s process, detailed on his blog, to get rid of the old, outdated spam-filter packages.
936150
New resources on Vista’s resume problems
Associate editor Scott Dunn’s July 26 article on Vista hibernation issues is joined by new Knowledge Base articles that offer possible solutions.
KB 936150 describes Vista crashes that occur when the OS comes out of sleep mode. This problem is a result of applying the patch in KB 929762. That patch, in turn, was supposed to fix a different issue with Vista waking up.
Quite honestly, I simply don’t use hibernation or sleep mode in Vista. I turn the machine off or just turn off the monitor. I’ve actually installed a gadget named Vista Shutdown Control that makes it easier for me to click the shut-off button. (See Figure 1.)
Figure 1. The Vista Shutdown Control widget makes it easy to turn your PC off.
Long Zheng reports in his IStartedSomething blog several hotfixes for Vista hibernation and file-sharing issues. Long indicates that the patches used to be on a public Web site, but were pulled down.
While this sounds a bit ominous, hotfixes are typically not placed on publicly accessible pages until they’ve been through extensive testing. Prior to public release, they go through a limited bout of testing, and are then made available for free if you call Microsoft Product Support.
One recent hotfix that I spotted was KB 936003, a cumulative rollup for many Vista USB fixes.
The good news regarding hotfixes is that Microsoft has recently added the ability for you to ask for them via a Web request page. The bad news is that early-release patches do not have a publicly viewable hotfix article. This means that it’s sometimes impossible to get the hotfixes. When the article isn’t public yet, the hotfixes are typically so new and untested that they’re not available via a phone call. Such is the case for two rollup bundles I’m aware of, which are apparently to be called 938194 and 938979 (but weren’t posted by press time).
Despite the standard Microsoft warnings that hotfixes are not regression tested and should not be placed on production systems — and even then you should have a good backup — I personally have never had any problem with a hotfix placed on my system.
You do need to be aware that you shouldn’t apply hotfixes just because you “think you might need them.” You can easily get into a situation like the one with Server 2003 SP2, which fails to install if more than 100 fixes have been applied, as described in the official SBS blog.
In other news, many folks are having to be patient for cures with Outlook 2007 performance issues. Even after the patch in KB 933493 is applied, people still report slowdowns with Outlook 2007.
939429, 939217, 939427, 939428, 939429
Will your Windows Home Server need patching?
There’s a new product named Windows Home Server that Microsoft will be releasing through OEM channels in a few months. Windows Secrets contributing editor Woody Leonhard is in the process of writing Windows Home Server for Dummies.
We already have our very first Knowledge Base articles on Windows Home Server. KB articles 939426, 939217, 939427, 939428, and 939429 all deal with issues relating to setup and backup. Will patching issues be next?
You may want to skip one ‘stability patch’
In the July 26 edition of Windows Secrets, Woody Leonhard described issues with KB 936357, a so-called “stability patch.”
On July 24, Microsoft released a patch on the Windows download page that is also referred to as a stability patch. KB 938828 documents the issues that are fixed by this patch. Some antivirus and printing applications crash Explorer.exe, according to MS.
I have yet to see this fix running on any of my machines. If you’re not directly affected by the problem described in KB 938828, you should pass on installing the patch until further notice.
An apple patch today keeps the bad guys away
Normally, Windows users can skip over bulletins about Macintosh security patches. Not today, though, for users of iPhones and Safari on Windows.
If you’re one of the lucky buyers of an iPhone, it’s already time to patch it. Apple just announced an update that includes fixes for five security vulnerabilities. One serious flaw allows a bad guy to “own your phone” after you merely view a hacked Web page.
In the same vein, Apple also released patches for its Safari Web browser on both the Windows and Macintosh platforms.
Finally, not to leave out the Macintosh operating system itself, that OS gets a whopping 45 security issues fixed in Apple’s 07-07 release.
U.S. bans speaker from attending Black Hat
Windows Secrets contributing editor Ryan Russell is on his way to the annual Black Hat security conference this week. Meanwhile, security researcher Halvar Flake blogs that he was denied entry to the U.S. and sent back to Germany.
Black Hat has made news in the past, notably in a 2001 Register.co.uk report describing the arrest of a Russian cryptologist. This year, talks on Vista, virtualization, and iPhone security are planned for the conference.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).