Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
Outages cast doubts on MS online services
In this issue
- TOP STORY: Outages cast doubts on MS online services
- KNOWN ISSUES: Article on Vista upgrade trick rattles the cages
- WACKY WEB WEEK: A new approach for handling telemarketers
- LANGALIST PLUS: Beware disk cleaners that can make things worse
- PC TUNE-UP: Disabling AutoRun still leaves you open to attack
- PATCH WATCH: Patches for IE should be top priority this week
Outages cast doubts on MS online services
By Scott Dunn
With the recent public betas of Office Live Workspace and Microsoft Online Services, the Redmond company is ratcheting up its efforts to deliver the power of MS Office — or at least a portion of it — to the Internet. But Microsoft’s ability to offer software as a service (SaaS) has come under fire due to server outages and bugs that have plagued the company’s online services in the last several months.
Early missteps in bringing Office to the Web
Microsoft’s SaaS efforts are off to a very bumpy start. In recent weeks and months, widespread and long-lasting outages of Windows Live Hotmail, Live Messenger, and other new online services have left many of its customers wondering whether Microsoft is up to the challenge.
Failures of Microsoft services since last summer have reportedly affected millions of subscribers, and some of the problems have persisted for several weeks.
A little over a month ago, the Microsoft Developer Network (MSDN) was struck by a series of outages that confounded customers. On Friday, Feb. 29, and Saturday, Mar. 1, MSDN subscribers were unable to download products or product keys.
“There was a downtime to complete some system work that had been started four weeks ago,” wrote MSDN and TechNet subscription product manager Julie H. Cairn in the Official MSDN Subscriptions blog. “The fact that the completion work this weekend would even impact subscriber downloads was totally missed by those that could have gotten a notice posted externally. No excuses — just an apology.”
According to Microsoft, on the Monday after the weekend outage, errors prevented a “large number” of subscribers from downloading products or getting product keys. MSDN had considered the problem small when it was initially discovered the previous week, but by that Monday, reported cases had grown so numerous that the service put together a fix the same day.
This was bad enough for MSDN subscribers, but a problem of much greater magnitude affected them last October. An outage that involved a mysterious “Error 11008” made it impossible for numerous subscribers to access downloads.
Many customers could not progress past an Error 11008 screen to access MSDN features. The problem dragged on for at least three weeks, proving especially frustrating to consultants who depend on the service to meet the needs of their clients.
“Of all people, is Microsoft not capable of keeping a subscription service up and running more than half the time?”, asked a user identified as Ren in the MSDN blog comments.
Another writer, identified as JD, wrote:
- “At this point, most companies would have rolled this back to that past release rather than see how angry they can make their highest-value customers. We are the developers that use and recommend your products…. Is this the level of service/reliability we can tell our management to expect from Microsoft? Is there any kind of plan in place to compensate users for this substantial interruption?
“Please remember that many of us are also developers and understand the complexities of a site like this. I suspect that some of us also support even more complex sites, but could you imagine what it would be like if your local bank left a broken bill-pay site up for a few weeks?”
Microsoft product manager Cairn replied in a post on Oct. 31 that “we have already had the ‘rollback’ discussion a few times.” She offered that in a few months the system would be “a lot less complicated in terms of ownership and responsibility.” Her post promised, “The integration point where these 11008 failure points are happening today will not even be part of the system come February,” though she noted the need for continued work on the problem.
Just a few days later, on Nov. 5, the rollback option was rejected. Kathy Dixon of TechNet Plus Subscriptions posted an update on the TechNet Plus blog, explaining, “It is not an option to roll back these changes, so work is now underway to evaluate possible solutions.”
The next weekend, Nov. 10–11, the MSDN site was down intermittently as the team implemented updates and fixes. For some users, this resulted in a new and equally perplexing “Error 11009” message, which several subscribers complained about in comments on Dixon’s blog post.
Although the problems were resolved for some users, they persisted for others. In a TechNet Plus blog comment on Nov. 12, subscriber Glenn MacDonald said, “It will not make it worthwhile to renew. I have lost at least a month of service now, and as an independent contractor, it makes it difficult to research errors for clients when I don’t have access to software.”
More problems for consumer online services
Microsoft’s online outages have extended beyond developers:
- Hotmail hell. One of the most recent frustrations for Microsoft customers occurred in late February 2008, when problems with Windows Live login IDs blocked access for users around the world for most of a day. According to a story in Computerworld, users in the U.S. and at least four other countries were unable to log in to Windows Live Hotmail, Xbox Live, Skydrive Live, and Live Messenger. Estimates of the number of individuals affected vary, but many bloggers put the number in the millions.
- Invalid validations. For much of a weekend last August, users who attempted to activate legitimate copies of Windows, or to use the Windows Genuine Advantage (WGA) feature to validate them, were told that their products were “not genuine.” The problem was described in Susan Bradley’s Patch Watch column in the paid version of Windows Secrets on Sept. 6, 2007. It was also explained in the WGA blog by Microsoft program manager Alex Koch.
The problem, wrote Koch, was that “production servers had not yet been upgraded with a recent change to enable stronger encryption/decryption of product keys during the activation and validation processes.” Koch claimed that this was not an outage (if it were, systems calling in would pass validation), but rather that the “trusted source of validations” was responding incorrectly.
- Partner problems. As of this writing, the opening page of the Microsoft Partner Program server contains an announcement (shown at right) of known sign-out problems on the Partner Portal. “We are aware of the problems with signing out of the portal and are actively working to resolve these issues,” the note states, somewhat cryptically.
Will mission-critical services be different?
The public beta of Office Live Workspace (OLW) debuted on Mar. 4. Microsoft’s OLW lets you view, share, and store Office documents using a Web browser. Unlike Google Docs and other online applications, the new service doesn’t let you create and edit documents online. Still, it represents Microsoft’s first attempt to bring Office to the Web. The current build also supports a link within the PC version of MS Office that allows posting and viewing documents online.
Around the time OLW’s public beta began, the software giant also broadened the beta testing of its Microsoft Online Services (MOS) offering. This package combines features of Exchange and SharePoint servers, with support for additional functions. Before last month, MOS was available only to businesses with 5,000 or more employees.
The twin moves are among the first in Microsoft’s attempts to enter the SaaS era. The promise of SaaS is that users will be able to create and edit documents via a Web browser instead of using programs that reside on their local machines.
However, for Microsoft to succeed in providing software as a service, individuals and companies need to have confidence that the services will meet their needs at a reasonable cost and with minimal risk. The recent server problems make it even more important for customers to be assured that their files are safe and accessible.
Some people argue that outages of free services, such as Hotmail and Live Messenger, are less costly than any failures of the mission-critical, hosted applications that Microsoft intends to offer its enterprise customers. Therefore, this thinking goes, the enterprise-level services are likely to receive more attention and resources from Microsoft than the free ones.
Lee Pender, a writer for the independent Microsoft-analysis site Redmond Channel Online Partner, points out that Microsoft’s partners, and not the company itself, handle most of the enterprise-level SaaS hosting duties. However, Pender acknowledges that this comparison may hold little weight with the average customer, who is more likely to have an emotional reaction to Microsoft’s server problems.
“Even if hosted Web-based e-mail and hosted enterprise applications don’t make for a good apples-to-apples comparison,” he writes, “huge problems with Hotmail don’t exactly instill confidence in partners or IT folks mulling over the idea of outsourcing important enterprise functions to a hosted model.”
You need only ask MSDN customers affected by the outages last October and last month whether the problems had a significant impact on their businesses. Judging from the comments posted online, the answer for many was a clear “yes.”
For Microsoft to translate the success of its popular Office applications to the online world, its development teams must inspire greater confidence in their ability to provide consistent, reliable service. Based on the stumbles to date, this is far from a sure thing.
Readers receive a gift certificate for a book, CD, or DVD of their choice for sending tips we print. Send us your tips via the Windows Secrets contact page.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.
Article on Vista upgrade trick rattles the cages
By Brian Livingston
The lead story in Windows Secrets on Apr. 3 revealed that Vista Service Pack 1 allows the “upgrade edition” of the OS to be clean-installed, something that supposedly requires Vista’s more-costly “full edition.” The same trick was present in the original release of Vista, as I reported more than one year ago, but the fact that Microsoft executives have allowed the procedure to remain in SP1 sparked yet another round of thrills on the Web.
It’s news that MS execs retain the process in SP1
The Apr. 3 article, written by associate editor Scott Dunn, demonstrated that Service Pack 1 permits a clean install of Vista to be performed using the operating system’s upgrade edition. The list price for that version of Vista Home Premium is $130 (in the U.S. market) compared with $239 for the full version — a difference of $109.
Microsoft officials have repeatedly confirmed that this procedure is built into Vista. In a News.com interview on Feb. 14, 2007, a Microsoft representative called the hidden feature in the original version of Vista a “workaround,” but claimed that using the trick without owning a copy of Windows XP, 2000, or another qualifying version of the OS would violate Vista’s end user license agreement (EULA).
The clean-install method involves booting a PC from the Vista upgrade DVD. The setup program is then completed without the user entering the disc’s product key or downloading any patches.
Once this unactivated, trial version of Vista is running, setup is started again — this time from within Vista. The “upgrade” option is selected, the product key is entered, and Vista can be activated exactly like the full edition of the product. A complete set of steps was published in my Feb. 1, 2007, article.
Among the numerous Web sites that noted Scott’s latest findings, Computerworld.com gave the story major play. Writer Eric Lai summarized Scott’s story and pointed out another cost-saving policy that Microsoft makes available:
- “Microsoft Corp. continues to give its tacit blessing for consumers to exploit a technical loophole that allows them to upgrade to Vista with Service Pack 1, even if they don’t own the necessary prior editions of Windows. …
“Microsoft has a long history of de facto toleration of loopholes that allow determined users to get its software for less than full price. For example, many online stores sell student editions of Microsoft software to any customer with a pulse.”
(To give credit where credit’s due, Scott reported way back on Apr. 12, 2007, that even your dog can buy Windows at Microsoft’s “student” price.)
Other significant media that covered Scott’s Vista SP1 story include Ars Technica, Download Squad, and Slashdot.
How modern, big-time software marketing works
Microsoft’s pricing strategy for Windows Vista is a lot like the old yarn about how some undertakers really make their money.
As told by Jessica Mitford in her 1963 book, The American Way of Death, some funeral directors first show a bereaved next-of-kin the most expensive casket available. This could be called the “gold-plated coffin.”
If the grief-stricken relative approves the first option that’s shown, the undertaker makes a handsome profit. If, instead, the family member asks to see cheaper models, the options that are subsequently offered seem reasonably priced, compared with the high-ticket item that first established the price range.
The full edition of Windows Vista is Microsoft’s gold-plated coffin.
Microsoft hardly expects anyone to actually pay the gilt-edged price. Corporations that sign volume-licensing agreements, for example, can get discounted units that are cheaper than retail upgrade packages. And most individuals will receive Vista preinstalled when buying a new computer, the maker of which qualifies for low OEM pricing.
That does leave a market, of course, of computer hobbyists who plan to install Vista from scratch. This includes Mac users who need to buy a retail package to run Vista in a dual-boot scenario, perhaps using Apple’s Boot Camp.
For every person willing to buy the full edition of Vista for $239, many more would be willing to buy the upgrade edition for “only” $130. Microsoft much prefers to deposit those people’s 130 bucks rather than get zero if people decide that Vista isn’t worth $239.
How do we know what Microsoft executives are thinking about this gimmick? Let’s look at the record:
- It’s still there after our articles. No one at Microsoft issued a patch to remove the clean-install procedure from Vista after it was first reported in early 2007.
- It’s still there after the story went viral. No one removed the procedure after the widely read News.com site reported it two weeks later.
- A CD test? Why bother! Microsoft could have made Vista’s upgrade process request the insertion of a CD containing Windows 2000 or XP, the way XP itself works. But this simple proof-of-ownership test was removed from Vista.
- Version checking? Who cares! Microsoft could have made Vista’s upgrade process check for a running version of XP or 2000 before upgrading — or made Vista Ultimate check for a running version of Vista Home Premium. But OS version checking was removed from Vista (as confirmed by Knowledge Base article 930985).
- It’s documented in the Knowledge Base. That same KB article, which was last updated on Mar. 17, 2007, recommends that buyers “use one of the following methods” to clean-install the upgrade edition of Vista. Method 1 provides a terse but effective explanation of the upgrade trick. The document describes Windows 2000, XP, or Vista as “a compliant version of Windows.” The second method is to purchase the full edition. The first method is given more prominence.
- SP1 is coming, should we take the trick out? Not a single person in a position of authority over the development of Windows directed that the upgrade trick we’ve described be removed in Vista Service Pack 1.
The final proof that Microsoft considers the upgrade trick to be an effective marketing technique is that Microsoft hasn’t issued a patch to remove it, even after this week’s widespread blog exposure. The patch would be so simple that Microsoft CEO Steve Ballmer could order it done tomorrow. I’ll even give him a name for the new build, no royalties required: Vista Service Pack 1.01.
Either Microsoft’s top executives are so out to lunch that they have no concept of what’s happening with their company’s top product, or Microsoft wants people to use the trick, expecting few people to pay Vista’s gold-plated-coffin price.
One blogger seemed to take personal offense that we’d published an article about a documented feature of Vista that’s more than one year old and still works exactly the same way in Service Pack 1.
Ed Bott writes books for Microsoft Press. In his Apr. 4 blog post for ZDNet, though, he sounds more like he wants to be a legal assistant in Microsoft’s corporate litigation department:
- “If you qualify for an upgrade license, this technique allows you to do a clean install, legally. If you don’t qualify for an upgrade license, then doing a clean install with this technique is technically possible but violates the terms of the license agreement. …
“The fact that you can work around a technical limitation doesn’t automatically make the practice legal.”
This statement is completely ridiculous. There’s nothing illegal about using an install technique that’s recommended by Microsoft in its own Knowledge Base. The trick was programmed into Vista because authorized people at Microsoft wanted it to be used, and it’s remained in Vista because Microsoft officials wanted it to remain.
Scott and I clearly reported in each of our articles what the Vista EULA states: “To use upgrade software, you must first be licensed for the software that is eligible for the upgrade.”
But clicking OK when shown the first few lines of a EULA on-screen doesn’t legally require anyone to suspend common sense. When Microsoft’s own KB article defines Vista as “a compliant version of Windows,” and the upgrade procedure is recommended for all to use, no court would rule that a person who’d paid the retail price for Vista’s upgrade edition had done something Microsoft could complain about, legally or ethically.
Any reporter who’d read our story and done any real research would have found each piece of evidence I’ve presented in the six bullet points listed above. Such nonsense about what’s “legal” doesn’t belong in ZDNet or any respectable news site.
And, by the way, some Microsoft exec should take Ed aside and clue him in on the joke.
No ethical dilemma in using a documented feature
Integrity is crucial for a journalist, as it is for people in most professions. I would never encourage anyone to steal, because it’s wrong and it can only haunt you (or wreck your karma). Whether I sign a written agreement, or I merely look you in the eye and shake hands on a deal, trying to fudge the terms later would cast a shadow on my reputation, which is all I really have.
It’s possible that the clean-upgrade path was added to the original release of Vista by a rogue programmer. I didn’t believe this back in February 2007, and I said so then, but it’s possible. Now that we see that the technique has not been removed from Vista Service Pack 1, however, I believe we have solid evidence that Redmond decision-makers tacitly approve of its use.
A handful of readers e-mailed Windows Secrets last week, though, concerned that launching Vista’s clean-install process would be unethical if someone used it without owning a previous version of Windows.
I support software makers’ right to earn an honest buck. I honor those readers who are so honest that a hint of deviating from the strictest reading of a EULA raises moral issues for them.
The best description of this concern was submitted by James Beach, who writes:
- “The new house I just purchased allows anyone to walk up to the door and let themselves in — with no need to have access to a ‘key.’
“The same behavior was present when my last house was burglarized, but the fact that the trick wasn’t removed from my new house suggests that I approved the back door as a way to make the price of my stuff more appealing to criminals.
“It sounds like you guys would like the world to be a place where trust is replaced by an attitude of ‘get away with anything you can.’ After all, if people are stupid enough to extend trust that you’ll be a law-abiding citizen, they deserve to be taken advantage of. They probably want you to take advantage of them.
“Get a life and start publishing legitimate secrets instead of trying to play Robin Hood. (Oh, and I’m assuming by your attitude that I’m perfectly OK to plagiarize all of your work as long as you haven’t taken the time to find and prosecute me.)”
Let’s be clear that neither Scott Dunn nor I ever said that anyone should try to get Vista for free. There are plenty of “timer cracks” on the Web that will let people use the original version of Vista free without activation until 2099 or whenever. We’ve never published these cracks, and we never will.
The clean-upgrade path, as we’ve described it, requires that consumers pay the going price for a copy of Vista. Microsoft likes this revenue, and if you want Vista, you should buy a copy. We won’t help you steal it.
For the sake of argument, is buying less than the full edition of Vista a form of stealing?
The publication of Scott’s article is nothing like planting the following sign in front of your home:
My Front Door is Unlocked —
Please Take Everything You Find Inside
What Scott has reported is more like planting the following placard:
Home for Sale — $499K
$100K Off with Coupon Code BALLMER
People who are selling things find creative ways to make the price look like a good deal. It’s clear that Microsoft has done nothing to remove the clean-upgrade path from Vista. And its continued existence in SP1 proves that the trick is a useful marketing tactic.
There’s no moral problem with a home buyer taking the seller up on the “$100K off” promotion. For the same reason, there’s no moral issue with someone using Microsoft’s documented feature to pay $100 less than the gold-plated price. It’s what Microsoft wants and expects (regardless of what its p.r. surrogates say).
I don’t work for Microsoft. I work for consumers. Until someone pries my cold, dead fingers from my keyboard, I’ll be working to let you know anything Windows does that varies from Redmond’s official pronouncements.
If the clean-upgrade technique is truly unwanted, Mr. Ballmer could have a patch made to remove it as quickly as he can send an e-mail to an intern. Now that Vista has been in wide circulation in various forms for almost two years, and no such patch has appeared, I’m not holding my breath for one to be ordered.
The Vista upgrade discs are fully functional
Mary Smith-Markell writes to ask about the difference between the upgrade and full editions of Vista:
- “OK, I’m computer challenged. If a Vista ‘upgrade edition’ disk does the same thing as a ‘full edition’ disc, why would Microsoft even bother having two separate products that do the same thing? Unless they were trying to bolster sales by bilking the undereducated (like me). …
“In a side-by-side comparison of the two discs, are there any differences? For example, can one use the upgrade edition to do a repair install, or is the full edition required? Are there any tools or features available in the full edition that are not available in the upgrade edition? Thanks for clarifying.”
Having installed both forms of Vista on test machines many times, we can say that the only difference between the full and upgrade editions is the product key that the user enters.
If you boot from the Vista DVD (rather than launching Vista setup from within Windows), the clean-install option is not available if you enter an upgrade key at that point. That’s why you have to do a clean install with no product key, and then afterwards launch setup from within Vista to do an upgrade installation with the key.
The upgrade disc does include the repair function and all the other features that you ordinarily see when you boot from the DVD.
MS leaves prices unchanged for Anytime Upgrade
Reader Daniel Coté has this question about the pricing of upgrades from one version of Vista to another:
- “Now that Microsoft has reduced the price of Vista, are you aware of a potential reduction for the so-called Anytime Upgrade price? I’d like to upgrade from Vista Home Premium, which came installed on my PC, to Vista Ultimate.”
The Windows Anytime Upgrade (WAU) program lets those who purchased one flavor of Vista upgrade to another. This is explained on a Microsoft Web page.
However, according to a Microsoft spokesperson who responded to Windows Secrets, the recent Vista price reduction does not affect the Anytime Upgrade. Microsoft does not plan to make changes to the WAU pricing structure at this time.
Readers Beach, Smith-Markell, and Coté will each receive a gift certificate for a book, CD, or DVD of their choice for sending comments we printed. Send us your tips via the Windows Secrets contact page.
A new approach for handling telemarketers
Telemarketers. They have an uncanny knack of calling right when you don’t want them to. Whether you’re just sitting down to dinner, forced to interrupt a relaxing shower, or deep in R.E.M., they generally find you at the most inconvenient moment — all so they can try to subscribe you to a magazine you’ve never heard of.
In this hilarious 3-minute video, comedian Tom Mabe decides to have a little fun with an offending peddler. It’s a little more work than simply asking to be put on the “do not call” list, but the world is a funnier place for it!
Beware disk cleaners that can make things worse
By Fred Langa
My search for the best disk-cleanup program has uncovered some that aren’t worth the time and effort, let alone paying a registration fee. One of the utilities I tried even left more unnecessary files on my drive than were there before I ran the program!
In search of the perfect disk-cleaning utility
My last two columns on Mar. 13 and Mar. 27 showed you how to create a free, highly customizable, and automated cleanup tool using Windows’ built-in features and functions.
My do-it-yourself (DIY) tool can actually clean your hard drive much, much more thoroughly than Windows’ default cleanup tools and settings. But crafting the tool takes some time and tinkering.
My DIY approach uses commands that delete files without making it easy to restore them using Windows’ built-in Recycle Bin, if need be. Also, these commands are character-based and don’t offer a graphical user interface (GUI). So, I went searching for the best GUI-based program that supports the recovery of any files it deletes.
To winnow the candidates to a manageable size, I added a further stipulation that the tool should either be free or at least offer a fully functional free trial.
I’ll finish my testing and announce the winner in my next column on Apr. 17. Today, my goal is to warn you away from some programs that I definitely don’t recommend.
Dustbuster: a tool I wouldn’t wish on my enemies
Some tools were truly awful and are worth mentioning only to steer you far, far away from them. For example, the very worst tool I found was Dustbuster: Advanced Cleaning Technology for Windows, from a company called Casperize. I wouldn’t even let it run to completion.
For me, the fatal flaw is that the program takes a “black box” approach to disk cleaning. The only feedback it offers is small, uninformative dialog boxes that display generic text such as “Disk scan in progress.”
The dialogs are in Italian, but that’s not what’s wrong. The real problem is that you don’t know what the program is scanning for or what it will do with the files it finds. There’s absolutely no clue.
With no idea what it was doing to my system, I tried to kill the tool and found the next major problem. Unlike every other tool I tested, this one runs as a system process rather than as a normal application.
The only way I could find to stop the process was to select it in the Task Manager’s Processes tab and then use the “End Process” button. I did so, quickly.
PC Engineer doesn’t actually clean what it says
Other tools I tested offered little or no advantage over my DIY routine and jv16 Power Tools, and some introduced new problems.
For example, PC Engineer from Cupid Systems is trialware, allowing you to run it 16 times with full functionality. I have no idea what happens when you run it for the 17th time. There’s no mention of any fee or cost on the Web site and no explanation of what’s required at the end of the trial.
I never got that far. I pulled PC Engineer from my testing after just four runs when it failed one of the informal tests for cleanup tools that I’ve developed over the years.
I’ve found that many such tools exaggerate their cleaning abilities by including in their “files cleaned” totals even those files that are in use (and thus are undeletable when the tool is run). Some programs even count files that Windows will automatically rebuild once they’re deleted. Counting files such as those is a kind of mild cheating, because their “removal” nets you nothing: there’s no real gain.
For example, on one run, PC Engineer reported the junk it found on my PC this way: “Size of files is — 4,190,864 Bytes.”
I let PC Engineer clean the junk files and then re-ran the software. It reported the junk it found on the newly-cleaned PC like this: “Size of files is — 4,190,864 Bytes.” Nothing was really cleaned at all.
Worse, while running, it tried to access cacls.exe (Change Access Control Lists), a Windows system-level executable that’s used to change access permissions for folders and files. The software offered no explanation as to why it needed to diddle with my system’s permissions. I didn’t like that at all.
Worse still, the software didn’t cleanly uninstall when I removed it. The irony: the cleanup tool itself left files I had to clean up manually.
Wise Disk Cleaner scans disk but goes far afield
There were a few tools that came closer to making the grade. For example, the free Wise Disk Cleaner did pretty well. (A $20 “pro” version offers a few extras.) The free version is GUI-based and offers a way to recover deleted files. However, the program uses a fixed list of only about 50 rules (for example, common extensions for temporary and junk files) to decide what to delete. You might not consider this a very sophisticated rule set.
When first run on a system that had already been cleaned by my free, DIY tool, Wise Disk Cleaner reported: “Finish. 13835 folder(s) searched. 1707 file(s) found. Total size: 1.30 MB.”
OK, 1.3MB is not a lot of space to save, but it’s something. The next run reported: “Finish. 13794 folder(s) searched. 38 file(s) found. Total size: 0.01 MB.” So, to its credit, the tool wasn’t inflating its “files removed” amounts with lots of files that are immediately rebuilt by Windows.
But I ended up uninstalling this program, too. Why? Because, for unexplained reasons, it sought to access the Internet and the “trusted zone” of my office LAN. I had no mapped or remote drives enabled, so there was absolutely no reason for this software to sniff beyond the bounds of the PC it was installed on.
Maybe the software was doing something totally benign. But with a multitude of tools to choose from, why use one that poses a potential security concern?
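The two-run test applied above to PC Engineer and Wise Disk Cleaner (does the second run still “find” the same junk the first run claimed to remove?) can be built into a cleaner itself, so that its report counts only bytes that actually went away. The script below is an added example written for this column; it is not code from Windows Secrets or from any of the tools reviewed. The extension rule set, the sample directory it builds in a temporary folder, and the “rebuilt log file” it simulates are all constructed here so the script runs offline; names such as `clean`, `inflation_ratio` and `JUNK_SUFFIXES` are this example’s own.

```python
"""Honest junk-file accounting: report what a cleanup pass really freed.

Added example, not code from Windows Secrets or any reviewed tool. The rule
set, the sample files and the directory layout are constructed here so the
script runs offline in a temporary directory.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# A small, fixed extension-based rule set in the spirit of the rule lists the
# column describes; the specific patterns are this example's assumption.
JUNK_SUFFIXES = (".tmp", ".bak", ".log", ".old", "~")


@dataclass
class CleanupReport:
    found_files: int = 0
    found_bytes: int = 0    # what a tool typically advertises as "junk found"
    freed_bytes: int = 0    # what was actually removed on this pass (net gain)
    skipped: list = field(default_factory=list)  # undeletable: in use, protected
    rebuilt: list = field(default_factory=list)  # reappeared during the pass


def scan(root):
    """Return {path: size} for every file under root that matches the rules."""
    matches = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(JUNK_SUFFIXES):
                path = os.path.join(dirpath, name)
                try:
                    matches[path] = os.path.getsize(path)
                except OSError:
                    continue  # vanished between listing and stat; nothing to count
    return matches


def clean(root):
    """Delete junk under root, counting only bytes that really disappeared.

    A file that cannot be removed (open, read-only parent, already gone) is
    listed as skipped instead of being added to the freed total, and a rescan
    afterwards catches anything Windows or an application rebuilt meanwhile.
    """
    report = CleanupReport()
    before = scan(root)
    report.found_files = len(before)
    report.found_bytes = sum(before.values())
    for path, size in before.items():
        try:
            os.remove(path)
            report.freed_bytes += size
        except OSError as exc:
            report.skipped.append((path, exc.strerror))
    after = scan(root)
    report.rebuilt = sorted(set(after) - {p for p, _ in report.skipped})
    return report


def inflation_ratio(first_pass, second_pass):
    """Share of the first pass's claimed junk that is still 'found' next run.

    0.0 means the first pass genuinely cleared what it counted; 1.0 is the
    pattern the column saw with PC Engineer (identical byte count every run).
    """
    if first_pass.found_bytes == 0:
        return 0.0
    return second_pass.found_bytes / first_pass.found_bytes


def build_sample_tree():
    """Constructed sample directory: junk files plus one real document."""
    root = tempfile.mkdtemp(prefix="junkdemo-")
    os.makedirs(os.path.join(root, "cache"))
    samples = {
        "cache/page1.tmp": 1024,
        "cache/page2.tmp": 2048,
        "notes.bak": 512,
        "report.docx": 4096,  # real data; must survive every pass
    }
    for rel, size in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"x" * size)
    return root


def demo():
    """Run two passes, simulating a log file an application recreates between them."""
    root = build_sample_tree()
    first = clean(root)
    with open(os.path.join(root, "app.log"), "wb") as fh:  # constructed "rebuilt" file
        fh.write(b"y" * 256)
    second = clean(root)
    ratio = inflation_ratio(first, second)
    survivors = sorted(os.path.relpath(os.path.join(d, f), root)
                       for d, _, fs in os.walk(root) for f in fs)
    shutil.rmtree(root)
    return first, second, ratio, survivors


if __name__ == "__main__":
    first, second, ratio, survivors = demo()
    print(f"pass 1: found {first.found_bytes} B, freed {first.freed_bytes} B, skipped {len(first.skipped)}")
    print(f"pass 2: found {second.found_bytes} B; inflation ratio {ratio:.3f}; survivors {survivors}")
```

The point of the `skipped` and `rebuilt` lists is the one the column makes: a tool that folds in-use or immediately regenerated files into its “files cleaned” total is reporting work it did not do. Running `clean()` twice and checking `inflation_ratio()` reproduces the column’s test on any tool whose scan you can script against a known directory.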
You can help me find the best GUI cleanup tool
It’s been informative to me (and kind-of-geeky fun) to see examples of how some software fails to pass muster. But this is only half the story. In my next column on Apr. 17, I’ll report on the winner of the GUI-based cleanup tests I’ve run.
There’s only one of me, but there are many readers of this newsletter. Together, we’re much smarter than any one of us alone. If you know of a good, reliable cleanup tool, please share it with me via the Windows Secrets contact page. Put the phrase DISK CLEANUP in the subject line. I’ll report my readers’ favorite cleanup tools in a future issue.
I’ll compare the programs you nominate against my two favorite and known-to-be-good cleanup tools, both of which are available to you right now: my free, DIY tool and jv16 Power Tools. (Registered versions start at U.S. $29.95.)
The DIY approach does require some effort to set up, but it will reliably delete anything and everything you tell it to. Plus, because you build the tool yourself, you know exactly what it’s doing. No black box operations, no “phone home” worries.
If you prefer a more automated approach, the jv16 Power Tools disk cleaner is easy to use and works well with no security weirdness or inflated performance claims. Plus, you get several other utilities in jv16’s mini-suite (such as a Registry cleaner) as well.
Until and unless I report on something better, one of those two options ought to do the trick for you!
Fred Langa is editor-at-large of the Windows Secrets Newsletter. He was editor of Byte Magazine (1987 to 1991) and editorial director of CMP Media (1991 to 1996), overseeing Windows Magazine and others. He edited the LangaList e-mail newsletter from 1997 to 2006, when it merged with Windows Secrets.
Disabling AutoRun still leaves you open to attack
By Mark Joseph Edwards
The worst kind of security bug is one that Microsoft probably won’t be fixing any time soon. This week, I tell you about an annoying security problem in which Windows Vista fails to disable its AutoRun and AutoPlay features, even though you think you’ve got these two security risks under control.
Vista AutoRun might leave your systems vulnerable
According to an advisory published by US-CERT, Vista might not truly disable its AutoRun and AutoPlay features when you configure the operating system to do so. Those features kick into action whenever you insert a CD, a DVD or other removable media.
On a typical system, if a CD, a DVD, or a U3-enabled USB drive includes an autorun.inf file, or can be detected by Vista as AutoPlay media, Vista automatically launches a corresponding application to view or play the media. That behavior can pose a serious security problem if you insert a medium that contains malware.
To protect against that possibility, Microsoft provides ways to disable AutoRun and AutoPlay for various devices. However, according to the US-CERT advisory, “Windows Vista may [leave] some AutoPlay enabled, even though the Group Policy Editor and associated registry values indicate otherwise.” This, of course, means that an attack would still be possible.
As far as I know, Microsoft has not issued any kind of patch for this problem. Worse, I’m not even sure that the company will issue a patch. (AutoRun and AutoPlay are considered important and desirable features.)
US-CERT’s advisory, however, does offer some information that might help you reduce your vulnerability. One workaround involves creating a .reg file and loading it into the Windows Registry. I consider the other workarounds that are listed by US-CERT to be problematic and less reliable.
Windows Secrets associate editor Scott Dunn warned last year about the problem with AutoRun appearing to be disabled (in both Vista and XP) but actually still allowing attacks. He prescribed exactly the same .reg workaround that US-CERT is now proposing, but he provided far greater detail. See Scott’s Nov. 8, 2007, column for the complete story.
To read US-CERT’s analysis, see its vulnerability note 889747.
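The .reg workaround itself, with a small checker for the exact condition the advisory describes (policy value set, workaround absent), as an added example that is not code from the newsletter, from Scott’s column or from US-CERT. The registry key and value are the published VU#889747 workaround: it maps autorun.inf to an INI section that does not exist, so Windows never parses the file no matter what the NoDriveTypeAutoRun policy value says. The .reg parser and the sample export are this example’s own and the export is constructed.

```python
"""Generate and verify the .reg AutoRun workaround (added example)."""

# Published VU#889747 workaround: autorun.inf is mapped to a non-existent INI
# section, so the file is never read, whatever NoDriveTypeAutoRun is set to.
WORKAROUND_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
"""

INI_MAPPING_KEY = (r"hkey_local_machine\software\microsoft\windows nt"
                   r"\currentversion\inifilemapping\autorun.inf")
POLICY_KEYS = (   # where the Group Policy editor writes NoDriveTypeAutoRun
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer",
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer",
)
ALL_DRIVE_TYPES = 0xFF   # NoDriveTypeAutoRun bitmask with every drive type disabled


def parse_reg(text):
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text into
    {key_path_lowercased: {value_name: value}}. Handles "quoted" strings,
    dword:hex values and the @ default; other value types are kept raw and
    backslash-continued hex lines are not joined (this example's own parser)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # key paths are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            keys[current][name] = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif value.lower().startswith("dword:"):
            keys[current][name] = int(value[6:], 16)
        else:
            keys[current][name] = value
    return keys


def audit_autorun(exported_text):
    """'policy_set': NoDriveTypeAutoRun=0xFF under either Explorer policy key
    (what the Group Policy editor writes). 'workaround_applied': the
    IniFileMapping entry, the control that still holds when the policy value
    is ignored, as the advisory describes."""
    reg = parse_reg(exported_text)
    policy_set = any(reg.get(k, {}).get("NoDriveTypeAutoRun") == ALL_DRIVE_TYPES
                     for k in POLICY_KEYS)
    applied = reg.get(INI_MAPPING_KEY, {}).get("@") == "@SYS:DoesNotExist"
    return {"policy_set": policy_set, "workaround_applied": applied}


# Constructed export of a machine where AutoRun was "disabled" only by policy.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

if __name__ == "__main__":
    print("policy only:      ", audit_autorun(SAMPLE_EXPORT))
    print("with workaround:  ", audit_autorun(SAMPLE_EXPORT + WORKAROUND_REG))
```

To apply it on a real machine, save WORKAROUND_REG as a .reg file and double-click it or run `reg import` from an elevated prompt; to audit a machine, feed `audit_autorun` the text of a `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping` plus the two policy keys. The point the output makes is the column’s: a machine can report policy_set True and still be wide open until workaround_applied is also True.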
Thousands of Flash applications are insecure
Last December, security researchers revealed some nasty problems with Shockwave Flash applications. It turns out that not everybody has cleaned up these insecurities yet.
The basic security problem is that bad guys can use defective Flash applications to grab your login credentials and all sorts of other data. The method involves our old friend, cross-site scripting: a SWF that passes one of its own URL parameters (a FlashVar) on to the browser without checking it can be made to run attacker-supplied script in the security context of the site that hosts the SWF, which exposes that site’s cookies and sessions.
One problem can be remedied by updating your Flash plug-in. If you haven’t updated lately, make certain you’re using the latest version by visiting Adobe’s Flash version detection page.
More info: Flash version detection page, Flash download page.
You also need to protect yourself against potentially dangerous Flash applications, because other vulnerabilities can’t be defended against merely by keeping your Flash plug-in up to date.
From my perspective, the most effective way to do that is to install Flashblock for Firefox, NoFlash for IE 6, or IE7Pro for IE 6 or 7.
Flashblock and NoFlash give you site-by-site control over Flash objects. IE7Pro does this, too, but also adds many other new features to the browser.
More info: Flashblock, NoFlash, IE7Pro.
If you want to completely uninstall Flash, Adobe recommends that you run the Flash Player uninstaller.
If you have Flash applications on your Web site or you use Flash development tools, you should definitely take action. If you’re a Flash developer, make certain you’re using an up-to-date version of your Flash development platform. If it hasn’t been updated since December, your platform may be creating dangerous Flash applications.
According to an article at The Register, there are data validation libraries available to developers to help ensure that cross-site scripting isn’t possible on a particular Flash application. You should also see a whitepaper from Adobe that discusses how to develop secure Flash applications.
If you’re not a developer, but Flash applications exist on your Web site, try to determine whether they might contain these vulnerabilities. That’s not easy to do, but some help is available.
A tool from the Open Web Application Security Project (OWASP), SWFIntruder, can help you test existing Flash files for vulnerabilities.
If you’re interested in the nitty-gritty details of the vulnerability itself, you can read about them in a whitepaper by Rich Cannings.
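To make concrete what such a validation library has to do, here is an added example, written in Python so it can be run and tested, that is not Adobe’s code and not one of the libraries the article refers to. It performs the check a SWF needs to make on a FlashVar before handing it to getURL(); the vulnerable pattern is getURL(_root.url) with no check at all. The attack strings are constructed.

```python
"""Validate a URL before a SWF (or any page) hands it to getURL() (added example)."""
import re
from urllib.parse import unquote, urlsplit

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")
SAFE_SCHEMES = {"http", "https"}


def normalize_url(value):
    """Undo the tricks that defeat a naive 'starts with javascript:' test:
    bounded repeated percent-decoding, removal of ASCII control characters
    and whitespace (browsers ignore them inside a scheme), and lower-casing."""
    s = value
    for _ in range(3):                         # bounded, so nested encoding cannot loop forever
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = "".join(ch for ch in s if ord(ch) > 0x20)
    return s.lower()


def is_safe_url(value, allowed_hosts=None):
    """True only for an absolute http(s) URL. With allowed_hosts, the host must
    also be on the allow-list (the fix for the classic clickTAG banner bug).
    Relative paths are rejected: resolve them against a constant base instead."""
    s = normalize_url(value)
    m = _SCHEME_RE.match(s)
    if not m or m.group(1) not in SAFE_SCHEMES:
        return False                           # javascript:, vbscript:, data:, asfunction:, file:, ...
    if allowed_hosts is None:
        return True
    try:
        host = urlsplit(s).hostname or ""
    except ValueError:
        return False
    return host in {h.lower() for h in allowed_hosts}


def safe_target(value, fallback, allowed_hosts=None):
    """What a hardened SWF passes to getURL(): the value if it validates,
    otherwise a known-good fallback, never the raw FlashVar."""
    return value if is_safe_url(value, allowed_hosts) else fallback


# Constructed values an attacker might append as http://site/app.swf?url=...
ATTACK_VALUES = [
    "javascript:alert(document.cookie)",
    "JaVaScRiPt:alert(1)",
    "\tjava\nscript:alert(1)",                 # control characters inside the scheme
    "%6a%61vascript:alert(1)",                 # percent-encoded scheme
    "asfunction:_root.stealCookie",            # Flash-specific scheme that calls ActionScript
    "data:text/html,<script>alert(1)</script>",
    "http://www.example.com@evil.example/",    # passes a host check that looks at the wrong end
]

if __name__ == "__main__":
    for v in ATTACK_VALUES:
        print(repr(v), "->", safe_target(v, "http://www.example.com/", {"www.example.com"}))
```

The last entry is the reason the allow-list looks at the parsed hostname rather than at whether the string "contains" the expected domain. SWFIntruder, mentioned above, probes for exactly the parameters that reach getURL() unchecked.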
DNS rebinding attacks take the spotlight
RSA Conference 2008 is taking place this week in San Francisco. Dan Kaminsky is slated to give a presentation called “Black Ops of Web 2.0: DNS Rebinding Attacks.”
Kaminsky, director of penetration testing at IOActive, intends to show how JavaScript can be used in a malicious Web page to contact your router (or other network devices with a Web management interface) and change the settings.
Such an attack could work, assuming, of course, that you haven’t changed your router’s default password. Rebinding only gets the page’s script past the browser’s same-origin policy and onto the router’s management interface; the default password is what then lets it log in and change settings. It’s obviously imperative that you change all your default passwords for any devices on your network. Anyone who can reconfigure your router could gain access to all your network communications.
The presentation is bound to prod bad guys into creating new exploits for phishing attacks and other forms of fraud. This is true, even though DNS rebinding attacks aren’t necessarily new. The technique has been known for at least a year, but public awareness hasn’t been very high.
Many browsers and other Web-related applications are vulnerable to such attacks. For example, exploits can be launched via Java applets, Flash files, and browser timing bugs.
To protect yourself against DNS rebinding attacks, turn off Java in your browser until you need it for a specific trusted Web site, enable it when you need it, and disable it again when you’re done.
Also, use Firefox browser plug-ins such as FlashBlock, and consider using NoScript to block untrusted sites from using JavaScript. Keep your software up-to-date, and always — always — change the default passwords on any device or software that has a login interface.
If you’re interested to learn whether your particular system might be vulnerable to DNS rebinding attacks, head over to Stanford University’s site, where you’ll find a very slick Web-based demonstration.
The page will try to detect possible attack methods and present you with a drop-down list of selections. You can choose a method and try to launch a harmless attack against yourself to see whether it can actually work.
There’s also a PDF whitepaper available from Stanford: “Protecting Browsers from DNS Rebinding Attacks.” This report explains in detail how such attacks work and how to defend against them with better software, assuming that the major browser vendors are willing to adopt any of the proposed methods. All in all, I think you’ll find the paper extremely educational.
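The attack Kaminsky describes, reduced to a simulation, as an added example that is not from his talk or from the Stanford paper. A toy authoritative server for a constructed name answers with TTL 0 and flips from the attacker’s public address to 192.168.1.1, so a page loaded from that name can make same-origin requests that land on the router. The two defenses shown, pinning the first address inside the browser and refusing private-space answers at the resolver, are the ones the paper and common resolvers use; the host name, the addresses and the browser model are constructed.

```python
"""Simulate a DNS rebinding attack and two defenses (added example)."""
import ipaddress

ATTACKER_HOST = "attacker.example"   # constructed name under the attacker's control
ATTACKER_IP = "203.0.113.10"         # attacker's public web server (documentation range)
ROUTER_IP = "192.168.1.1"            # victim's router management interface

# Answers a resolver-side rebind filter refuses to hand back for a public name.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def is_local_address(ip):
    """True for RFC 1918, loopback, link-local and 'this network' addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


class AttackerDNS:
    """Authoritative server for ATTACKER_HOST. Answers with TTL 0 so nothing
    caches the record, and switches to the router's address after the first
    lookup: the same origin now points inside the victim's LAN."""
    def __init__(self):
        self.lookups = 0

    def resolve(self, name):
        self.lookups += 1
        ip = ATTACKER_IP if self.lookups == 1 else ROUTER_IP
        return ip, 0                     # (address, ttl)


class FilteringResolver:
    """Recursive resolver with rebind protection: drops answers for public
    names that point into local address space."""
    def __init__(self, upstream):
        self.upstream = upstream

    def resolve(self, name):
        ip, ttl = self.upstream.resolve(name)
        if is_local_address(ip):
            raise LookupError(f"rebind blocked: {name} -> {ip}")
        return ip, ttl


class Browser:
    """Same-origin model: script from ATTACKER_HOST may request ATTACKER_HOST,
    so whatever that name resolves to is reachable. With pin=True the first
    address is kept for the page's lifetime regardless of TTL (DNS pinning).
    Expiry of positive cache entries is not modelled."""
    def __init__(self, resolver, pin=False):
        self.resolver, self.pin, self.cache = resolver, pin, {}

    def fetch(self, host):
        if host in self.cache:
            return self.cache[host]
        ip, ttl = self.resolver.resolve(host)
        if self.pin or ttl > 0:          # a TTL-0 answer never enters the cache
            self.cache[host] = ip
        return ip


def run_attack(pin=False, rebind_filter=False):
    """Addresses reached by two same-origin requests from the attacker's page;
    'blocked' where the resolver refused to return the rebound answer."""
    dns = AttackerDNS()
    resolver = FilteringResolver(dns) if rebind_filter else dns
    browser = Browser(resolver, pin=pin)
    reached = []
    for _ in range(2):
        try:
            reached.append(browser.fetch(ATTACKER_HOST))
        except LookupError:
            reached.append("blocked")
    return reached


if __name__ == "__main__":
    print("no defense:   ", run_attack())
    print("DNS pinning:  ", run_attack(pin=True))
    print("rebind filter:", run_attack(rebind_filter=True))
```

Without a defense the second request goes to 192.168.1.1 while the script still runs in the attacker’s origin, which is the whole attack; reaching the router is still not the same as logging in to it, which is why the default-password advice above matters. Pinning is the browser-side fix, but plug-ins such as Java and Flash keep their own resolvers and so bypass it, which is why the column says to disable Java and use FlashBlock. The resolver-side filter (dnsmasq has it as --stop-dns-rebind) needs an exemption for any internal domains that legitimately resolve to private addresses.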
IronKey is a great, secure flash drive
While looking for a new USB flash drive recently, I came across one particular device that caught my attention. It’s called IronKey, and it offers some really nice features.
First of all, the name says a lot about its physical design. The device container is metal, and the inside is filled with a hardened compound that protects the internal circuitry. That makes this flash drive difficult to break, in the event that it’s ever dropped or put under a lot of pressure.
IronKey also comes with a custom version of Firefox that helps protect your login credentials for various Internet sites.
For example, when you login to a site, Firefox can store your login details in the IronKey device. When you visit the site again, IronKey software first makes sure you’re actually on the original site and not a forged site. It can then automatically fill in your login details for a speedier login process.
The custom version of Firefox causes all private data (such as cookies, browsing history, usernames, passwords, etc.) to be stored on the IronKey drive instead of on the local hard disk, so you won’t leave any traces on the computer itself. All files stored on the drive are protected using AES encryption.
Another cool feature is the software’s tunneling capability. The custom version of Firefox can create an encrypted VPN (virtual private network) between your computer and IronKey’s corporate network. It can use that tunnel to move data across the Internet, which prevents people from snooping on your activity.
This feature could come in very handy for those of you who use public Wi-Fi hotspots at hotels, coffee shops, and other places.
The device also has some very strong, tamper-resistant technology built in. In extreme cases, the device can pre-emptively erase your encryption keys and data, thereby preventing your valuable information from falling into the wrong hands.
Overall, I found IronKey to be pretty impressive and not overly expensive. You can find a 4GB IronKey at several distributors, including Amazon, OfficeDepot, NewEgg, and other popular stores. The best deal I found for a 4GB device was U.S. $139.98, with free shipping, at Buy.com.
Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and regularly writes for its Security Matters blog. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.
Patches for IE should be top priority this week
By Susan Bradley
Patches for IE should be our first priority this month, with several vulnerabilities that are ripe for malicious attacks facing us. There’s still no sign of Windows XP SP3 in the near future, but Windows Server 2008 is receiving its first patches, and Vista SP1 is subject to a much-needed patch for an earlier patch that’s proved troublesome.
MS08-022 (944338) and MS08-023 (948881)
Internet Explorer gets its usual dose of fixes
The two browser-related patches that appear in this topic, and the one that follows, are all equally important for protection against malware that exploits IE.
Our first patch is MS08-022 (944338), which fixes a flaw in the VBScript and JScript scripting engines, languages that Web pages can use. A hostile site that serves a specially crafted script could run code on your system with the rights of the logged-on user.
This paragraph is for those who have Windows Script 5.6 or earlier (the VBScript and JScript engines) on systems with IE 7 installed. You may find that you need to manually install Windows Script 5.7 if the install of patch 944338 fails with error code 0x8007F0F4.
Early reports from the public Windows Update newsgroup indicate that updating to Windows Script 5.7 appears to solve the issue. This version is available from the Microsoft Download Center.
MS08-023 (948881) is also of interest. It’s a standalone bulletin that kills off an ActiveX control for Yahoo’s Music Jukebox. A proof-of-concept exploit has already been discussed on the Internet; installing MS08-023 defends against the attack.
MS08-024 (947864)
‘Click to Activate’ is no more after IE rollup
The usual cumulative Internet Explorer patch is found in MS08-024 (947864). As always with Internet Explorer patches, watch your antivirus and firewall programs, any of which may interfere with this update. If you can’t get on the Internet after the install, check your antivirus and firewall settings. Most of the time, disabling and re-enabling the settings does the trick.
Included inside the IE cumulative patch this month is a tweak that disables the so-called Click to Activate control. This feature is something that a Web surfer would typically see when visiting a page with an embedded object, such as Flash or another “active” technology.
A patent dispute that started years ago with the University of California has now come full circle for Microsoft. I don’t wish to go into the details here, but back in 2006 a SharePoint consultant by the name of Iyaz blogged about the negative effects of the extra click that Microsoft had inserted into IE to avoid infringing the UC patent.
After a patent lawsuit and the involvement of many attorneys, this extra click has now been removed. This whole episode points out to me that our patent system needs updating even more than our workstations do.
MS08-021 (948590)
Image viewer vulnerable in many Windows versions
Every time I see a patch with the term GDI in it, I immediately say to myself, “AGAIN?!” We’ve had to patch image vulnerabilities many times in the past, and I hate to see this yet another time.
MS08-021 (948590) is the latest edition of this drama. It patches the same file type that we were all scrambling to protect ourselves against just after Christmas 2005. The threat resulted in the first patch of 2006: MS06-001.
As with the earlier patch, this month’s update protects your PCs primarily from Web-based attacks. The vulnerability can affect you even if you merely view an image on a Web page in a browser. Because the flaw lies in the way Windows’ built-in GDI routines display image files, the hole can be exploited somewhat independently of which browser you use. This problem affects all the following operating systems: Windows 2000, XP, Server 2003, Vista, and Server 2008.
Of interest to me is the fact that Vista with Service Pack 1 is impacted. Due to Microsoft’s staging of the automatic downloads, SP1 still has not been delivered to many of the machines that are running Vista.
The MS08-021 patch, fortunately, is smart enough to install the correct patch files for the original version of Vista and then install later versions once Vista users obtain Service Pack 1.
Although this vulnerability impacts the newly released Windows Server 2008, it doesn’t trouble the not-yet-released Service Pack 3 for Windows XP. That service pack appears to be slated for release later this quarter.
MS08-025 (941693)
Windows Server 2008 gets its first update
Windows Server 2008, the new kid on the block, gets its first patches this month in MS08-025 (941693). The security firm ImmunitySec has already posted a proof-of-concept, showcasing in a video available from the company’s site that the exploit works.
The good news is that the exploit requires the attacker to already be able to log on to the system. Someone with authenticated access can use the vulnerability to gain higher privileges, so on its own this is a local privilege escalation rather than a remote attack.
It’s interesting to note that this hole exists in Vista SP1 and Windows Server 2008, but not in the as-yet-unreleased Windows XP SP3, just like the GDI problem I discussed above.
Knowledge Base article 941693 documents an interesting connection between the MS08-025 patch and MS08-021. Certain files are shared by the two patches. This means that, if you remove patch 941693, you revert to vulnerable versions of the files patched by 948590. In that case, you will eventually be prompted by Windows Update or Microsoft update to upgrade those files.
Since neither MS08-021 nor MS08-025 affects Windows XP Service Pack 3, it appears that those two fixes are already present in that service pack. Perhaps all good things really do come to those who wait?
A preliminary patch for Vista SP1 is fixed
Many of you suffered though repeated reboots caused by patch 937287, which sometimes got into a loop when configuring itself. This is a “preliminary patch” that prepares systems for the later installation of Service Pack 1 for Vista.
Microsoft prevented patch 937287 from being downloaded for a few weeks until the problem was resolved. The patch has now been re-released, this time with its own patch: 949939.
The latest patch ensures that the original patch will go well for those who might otherwise be affected. The Microsoft Update blog describes the details.
The original patch thought it needed to update right in the middle of when it was being installed. This caused the reboot loop. As of this week, patch 949939 installs prior to 937287. The original patch has been improved so that it won’t try to install unless it finds the new fix in place. This prevents the repeated rebooting issue from affecting machines that otherwise would have experienced the problem.
Patch 938371 is another preliminary patch that’s being offered by Windows Update in preparation for Vista Service Pack 1. This patch is even being offered to some machines that do have SP1.
On one machine I’ve observed, I was surprised to see patch 938371 offered to the PC a second time. For those of us who already have SP1 installed, the second download is just installing some changed bits, which will make the updating process more reliable in the future.
Also out this month is an update to a webcam file known as ks.sys. This file is blocking Vista SP1 from installing for many folks who own laptops with OEM software.
To fix the webcam conflict, patch 950127 updates the computer. Once the correct file is installed, if your machine still isn’t offered SP1 by Windows Update, you may need some expert advice.
Robert Habib describes in the Dell forums how he was finally able to install SP1. He writes that he had to manually remove a Sigma audio driver from his system and then allow Windows Update to detect that a new driver was needed. Only after all this was he offered Service Pack 1.
Finally, Windows Server 2003 is getting a much-needed patch. This fix ensures that Vista SP1 won’t download over and over again via WSUS (Windows Server Update Services), which can cost companies beaucoup bandwidth. The patch, 938759, is a high priority for any server that acts as a patching server for your network.
MS08-020 (945553)
Internet backbone needs protection from spoofing
Most of the time, domain name resolution is something that only your Internet service provider worries about.
You’re probably only vaguely aware of DNS (Domain Name System), other than to occasionally type a DNS server’s IP address when setting up a network card or router. Your ISP may have told you at one point to enter those addresses so you can surf the Web.
MS08-020 (945553) updates your workstation’s DNS client so it can’t be tricked by a spoofed DNS response into sending you to an address you didn’t intend to reach.
The good news this time is that Windows Vista SP1 and Windows Server 2008 are not vulnerable. If you’re using these platforms, you won’t need these updates.
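A way to check a machine against the Windows bulletins in this column, as an added example that is not Microsoft’s or Windows Secrets’ tooling. It reads the text that `wmic qfe get HotFixID,InstalledOn` prints (the sample output is constructed), applies the platform notes above (MS08-020 does not apply to Vista SP1 and Server 2008; MS08-021 and MS08-025 are already in XP SP3), and flags the shared-file dependency between 941693 and 948590. Office updates are installed through Windows Installer and do not appear in that listing, so they have to be checked separately.

```python
"""Audit a machine against this column's Windows security bulletins (added example)."""
import re

# Windows and IE bulletins from the column and the package each one installs.
BULLETINS = {
    "MS08-020": ["KB945553"],   # DNS client spoofing
    "MS08-021": ["KB948590"],   # GDI image handling
    "MS08-022": ["KB944338"],   # VBScript/JScript engines
    "MS08-023": ["KB948881"],   # Yahoo Music Jukebox ActiveX kill bit
    "MS08-024": ["KB947864"],   # IE cumulative update
    "MS08-025": ["KB941693"],   # Windows kernel privilege escalation
}
# Platforms the column says a bulletin does not apply to.
NOT_APPLICABLE = {
    "vista-sp1": {"MS08-020"},
    "server-2008": {"MS08-020"},
    "xp-sp3": {"MS08-021", "MS08-025"},
}

_KB_RE = re.compile(r"\bKB\d{6,7}\b")


def parse_qfe(text):
    """Set of KB identifiers in wmic qfe / Get-HotFix output. The column
    layout differs between Windows versions, so match the IDs, not columns."""
    return set(_KB_RE.findall(text))


def audit(installed, platform=None):
    """Return {'missing': [bulletins], 'warnings': [notes]} for one machine."""
    skip = NOT_APPLICABLE.get(platform, set())
    missing = [b for b, kbs in BULLETINS.items()
               if b not in skip and not any(kb in installed for kb in kbs)]
    warnings = []
    # KB941693 and KB948590 share files. If 941693 was installed and later
    # removed, the shared files are back at their pre-patch versions even
    # though 948590 still shows as installed, so 948590 must be reapplied.
    if "KB948590" in installed and "KB941693" not in installed and "MS08-025" not in skip:
        warnings.append("KB948590 present without KB941693: "
                        "if 941693 was removed, reapply KB948590")
    return {"missing": missing, "warnings": warnings}


# Constructed listing from a Vista SP1 machine part-way through the month's patching.
SAMPLE_QFE = """HotFixID   InstalledOn
KB937287   3/12/2008
KB944338   4/9/2008
KB947864   4/9/2008
KB948590   4/9/2008
KB949939   4/9/2008
"""

if __name__ == "__main__":
    print(audit(parse_qfe(SAMPLE_QFE), platform="vista-sp1"))
```

Run it with the real listing piped in (`wmic qfe get HotFixID,InstalledOn > qfe.txt`, then `audit(parse_qfe(open("qfe.txt").read()), platform=...)`); Windows Update will normally reoffer 948590 in the warned state, but the audit tells you before it does.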
MS08-018 (950183), MS08-019 (949032, 947896, 947650), and 946691
Office patches leave me scratching my head
I was installing patches this week on a Vista SP1 system with Office 2007 SP1. In the process, I was fully expecting that the machine would be offered MS08-019 (either 947896 or 947650), because Visio was installed. I wasn’t expecting MS08-018 (950183), as the system didn’t have Microsoft Project installed.
What left me scratching my head is why the machine was offered 946691. The PC already had Office 2007 Service Pack 1 installed, so what’s going on?
Figure 1: Update 946691 is offered to PCs that already have SP1 for Office 2007 installed.
As far as I know, patch 946691 is needed only before Office 2007 SP1 is installed. I don’t understand why 946691 is coming down in this scenario, but I suffered no ill effects after installing the patch as suggested.
It’s time for you to run a Secunia scan again
It’s always a good idea for you to run Secunia’s Software Inspector at least once a month to find patches you may have missed (for Windows and for many other vendors’ software). I want to stress that you really must do so this month.
Take the time to either visit Secunia’s regular scan site or install the company’s enhanced, client-side application, the Personal Software Inspector.
There are two third-party software applications in particular that it’s very important you bring up to date.
1. QuickTime. Earlier this month, Apple released a QuickTime update. This update responds to a vulnerability in the company’s video player program.
If you happen to have the Apple software-update engine installed and you run this QuickTime update, be careful that you don’t accidentally end up with the company’s Safari Web browser, too. Apple has turned on an easy-to-miss check box that installs the company’s browser by default, as I reported in my column on Mar. 27.
As noted in a post by a CommonGate blogger, an attack on the Safari browser was successful on the Apple Macintosh platform. It’s uncertain whether the Windows-based version of Safari is equally vulnerable. The weakness was demonstrated on an Apple MacBook in a hacking contest at the CanSecWest security conference.
2. Flash. Adobe also released a patch last Tuesday for a Flash vulnerability. In the release information on Adobe’s site, the company indicates that a malicious SWF file can exploit this hole merely by being opened in Flash Player.
My fellow MVP Sandi Hardmeier, who runs the blog site SpywareSucks, has been tracking how hacked Flash files are being used in attacks. She’s termed the problem “malvertisements.” Specifically, banner ads that include malicious Flash content can be served to unsuspecting Web sites.
Both the Apple QuickTime and Adobe Flash vulnerabilities were bought by 3Com’s Tipping Point division, as discussed on the group’s blog. The firm reports such problems privately to vendors, which eventually fix the problems and release patches.
Keep an eye on both QuickTime and Flash. Just as with Windows, we need to be vigilant in our patching of these powerful but problematic technologies.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2023 AskWoody LLC, All rights reserved.
