There are isolated problems with current patches, but they are well-known and documented on this site.
Protect yourself from software-vendor ‘snarketing’
In this issue
- WINDOWS SECRETS: Support Alert is merging with Windows Secrets
- INTRODUCTION: New readers join us from Support Alert on July 24
- TOP STORY: Protect yourself from software-vendor 'snarketing'
- KNOWN ISSUES: SAN + WS = the info Windows users need
- WACKY WEB WEEK: So that's why they're called flip-flops!
- BEST SOFTWARE: The top Firefox security and privacy add-ons
- WOODY'S WINDOWS: Microsoft presents: Attack of the Killer Updates
- PERIMETER SCAN: Block a serious threat to your DNS servers
Support Alert is merging with Windows Secrets
The Support Alert Newsletter will merge with the Windows Secrets Newsletter on July 24, creating a combined readership of more than 400,000 (see my Introduction column). The editor of Support Alert, Ian “Gizmo” Richards, has prepared for us a special get-acquainted gift: 9 Free Programs Every PC Should Have, an all-new e-book. All Windows Secrets subscribers, free and paid, can download this 38-page printable PDF file at no cost. Simply visit your WS preferences page, update your preferences as you wish, and you’ll see a download link after you click the Save button:
To get your free bonus: Visit your preferences page
Watch for our first combined newsletter next week. Thanks for your support! —Brian Livingston, editorial director
New readers join us from Support Alert on July 24
By Brian Livingston
It’s not every day that we welcome 50% more readers to our ranks, but that’s what we’ll be doing on July 24 when 150,000 Support Alert Newsletter subscribers join us.
As I announced on July 9, our new newsletters are merging, and the combined audience will exceed 400,000 active Windows users, with even more great tips that we can pass along to you.
We’ll have a combined logo for 6 weeks
To help all of the Support Alert subscribers recognize that the two newsletters have merged into a single, larger publication, our logo will combine the two names on July 24 (left). The words Windows Secrets & Support Alert have already been added to most of the pages of WindowsSecrets.com. The combined newsletter will also carry the revised logo until the beginning of September.
On Sept. 4, we’ll publish our first newsletter after the summertime transitional period. Our name then will revert back to simply Windows Secrets.
The Windows Secrets Newsletter will continue to come out weekly, as it’s done since switching from twice monthly to four times a month in 2006.
The newsletter won’t be noticeably longer, but we’ll have a new column by the former editor of Support Alert, Ian “Gizmo” Richards. You’ll see the result next week — keep sending us Windows tips, and we’ll keep sending them out to you and to more and more people!
Brian Livingston is editorial director of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books.
Protect yourself from software-vendor 'snarketing'
By Scott Dunn
These days, even the software we like often comes with hidden annoyances designed to help the vendor at the expense of us poor customers. Here are five examples of sneaky marketing — snarketing, as I call it — and what you can do to mitigate the practice’s ill effects.
Software downloads are rife with deceptions
Clicking a link on a Web page to download software certainly beats strolling the aisles of your local computer superstore. But anyone who has spent much time acquiring freeware or buying and registering shareware or other software products knows that some of this convenience is undercut by the very people who say they want us to use their products.
These companies want to make a sale so badly that they’re willing to resort to underhanded and obnoxious marketing practices to close the deal.
Too often, these sneaky marketing — or snarketing — practices go unpunished because not enough of us complain. Well, I’ve found five examples of software-marketing practices that a snake-oil salesman would love.
Install crapware by default. When you need a Web plug-in to use a particular site, you just want to click your way through the essential download and be done with it. Similarly, if you’re just trying to install a security update, you may think you can click the Install button and download only the code you require.
Unfortunately, if you go with the installer’s default settings, you might end up with a lot of unwanted software cluttering your system. For example, both Adobe Reader and Adobe’s Flash Player install the Google Toolbar unless you opt out; Sun’s Java applet installs the Yahoo Toolbar; and unless you uncheck their options in the installer, Apple’s QuickTime updates include the Safari browser and iTunes player, whether you want them or not.
Initially, the QuickTime updater installed Safari without the user’s knowledge or consent. According to a story in InformationWeek, that practice was halted a few months ago. But the Apple updater still defaults to installing Safari and iTunes unless you uncheck their respective boxes.
For more on this type of snarketing, see Susan Bradley’s Mar. 27 Patch Watch column in the paid version of the newsletter.
A close cousin of this practice is the tendency of some online stores to use purchase forms that surreptitiously gain your consent to share your e-mail address with other companies or to receive additional mail from the seller itself.
What can you do to protect yourself? Read before you click.
Fortunately, most of these sneaky, bundled installations are not buried in the fine print the way many other license-agreement tricks are. Still, you have to train yourself to look carefully at every field and option in a form and decide for each whether the default is the option you really want.
Hide the freebie. Software publishers often make a less full-featured version of their product available for free as a way to promote sales of the commercial version. Then they make the link to download the free version as difficult to find as possible.
It’s as if the company had no confidence in the power of the free version to sell the full version. Moreover, the frustration of hunting for the free version causes some people to give up and choose an alternative program — or none at all.
Some of the more egregious examples of this scheme are the EditPad text editor (click the Free EditPad Lite link on the left and then scroll to the bottom of the EditPad Lite page) and Foxit Reader, a PDF-viewing alternative to Adobe Reader (resist the temptation to click the big, misleading “Get It Free” buttons and instead click the tiny “Download” link just above them).
Similarly, you can waste a lot of time hunting around Grisoft’s site looking for the free version of the company’s AVG Anti-Virus program unless you know that the freeware has its own separate Web address (free.avg.com).
To give credit where it’s due, not all software publishers pull this trick. For example, in recent years both Real and Apple have made it much simpler to find the free version of their respective media players. Just go to each company’s main page and use Real’s “Get Real Player — Free” button and Apple’s “Free Download” button.
If you find yourself spending too much time looking for the free version of a program, search for it at a big-name download site such as CNET’s Download.com or SnapFiles. The chances are good that you’ll get the very same product without all the up-sell pitches and other marketing distractions.
Keep on charging. As I reported in my May 17, 2007, column, purchasing a security application may automatically sign you up for a subscription to updates or virus-definition files — a fact that is often buried in a lengthy license agreement or hidden behind an optional link (or both).
Many customers discover this catch only after an automatically recurring charge appears on their credit cards some time later. Furthermore, many of these companies provide no easy way to cancel the subscription.
To avoid hidden charges in online purchases, ask your credit-card company to issue you a disposable credit-card number that can be used only once per purchase. Another strategy is to see whether the product you’re buying has a pay-by-check option, which means you don’t have to provide a credit card number at all.
Finally, consider buying your security software at a brick-and-mortar store. Doing so is less convenient, but if you watch for sales, you can sometimes get a new security program every year for less than you’d pay for an online subscription renewal.
Faking the grade. It’s common knowledge that many major software-download sites (including Download.com) and online merchants (such as Amazon) let customers post their own ratings and reviews. It would be nice to think that all the user-authored reviews are from unbiased customers giving their honest opinions.
Unfortunately, it’s all too easy for developers to post their own stealth reviews and comments, praising their own products or slamming the competition — or both.
For example, the site TechCrunch recently reported that Slide Inc. had posted multiple positive reviews of its Funwall application on Facebook. The reviews used fake names with fake accounts, some of which have been traced to Slide’s senior product manager.
Similarly, a Venture Chronicles article from last April described how employees of the company Parallels posted 5-star reviews of the firm’s own product on Amazon and added less-than-kind reviews of a competing product, VMware Fusion.
Such practices are certainly nothing new, but the fact that they persist in 2008 shows that corporations still have a long way to go in their ethical practices.
Software publishers need to establish clear policies for employee behavior that — at a minimum — require their staff members to identify themselves and their employer in any reviews they post.
Unfortunately, there is little that we can do to distinguish between the authentic and fake customer comments. The only way to avoid falling into the trap is to rely on reviews in Windows Secrets and other reputable publications and Web sites.
In addition, if a company makes available trial versions of its products, you can try them out yourself with no financial risk and form your own opinion. Just make sure the trial download has all the functionality of the full release.
Nag, nag, nag. It’s reasonable to assume that a free program or the trial version of a commercial product will nudge you now and then to upgrade to the paid version. But when a program you’ve already bought and registered keeps hitting you up for money, it’s difficult to avoid getting irked.
But that’s exactly what McAfee Internet Security and some other security programs do. Either they’re reminding you to renew your subscription months before it’s set to expire or they’re pushing you to buy related products that claim to offer more protection.
Recently, a Windows Secrets editor started seeing notices from Symantec pop up every time he booted his PC. The nag notes pointed out that he had X number of days (starting with 30) to renew his subscription to the Norton 360 security suite. The pop-ups came in bunches of five or six in quick succession, requiring that he close each one before he could continue with his work.
This went on for two weeks before he received an e-mail notice from Symantec stating that he had signed up for automatic renewals. Were the two weeks of pop-ups an attempt to double-bill a paid-up customer? Or were the bogus warnings simply an indication of Symantec not having its renewal act together? In either case, the company comes across as hostile toward its customers.
I wish I could tell you some easy way to avoid these kinds of shameless marketing tactics. Sadly, there is none. Your best bet may be to wait until your subscription expires and then try a different (and less annoying) security product.
Don’t patronize obnoxious snarketers
In olden days, merchants at least paid lip service to the idea that the customer is always right. But snarketing practices such as these show total disrespect for the needs and convenience of software consumers. Such behavior by vendors suggests only a blind interest in an immediate sale without regard to encouraging brand loyalty.
If these companies think they can thrive by courting first-time buyers only, then that’s their decision. But as consumers, we have a choice. Personally, I’m boycotting any vendor that isn’t on the up-and-up, even if theirs is the better product.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.
SAN + WS = the info Windows users need
By Dennis O’Reilly
Adding Ian “Gizmo” Richards to the top of the Windows Secrets roster puts the Web’s best software reviews, tips, and Windows news in a single spot. Whether you subscribe for free or for pay, this is the place to look each week for the information you need to keep your PC humming.
Ramping up the software reviews
Since the late 1990s, Ian “Gizmo” Richards has been dispensing Windows news, tech tips, and software reviews in his Support Alert Newsletter. Beginning next week, that publication will be combined with Windows Secrets to create one of the most widely read Windows resources anywhere.
Gizmo’s popularity is due to more than simply the great information he has published in his newsletters. He connects with readers in a unique way, as evidenced in the missive we received from J.D. Hamilton.
- “Mr. Richards, I stumbled upon a link to your newsletter a couple years ago. As an old (amateur) DOS hand (that had to be dragged, kicking and screaming, into the Windows environment), I have learned quite a lot from your newsletter and have found many of the utilities you’ve reviewed to be extremely helpful.
“I have had several friends ask me for help with their systems, and thanks to you, I’ve been able to be of assistance. So much so that those I’ve helped often want to give me money! I figure that I’ve been given around $100 so far. So I will be mailing you a check for $100 toward a lifetime subscription.
“Thanks again, and BRAVO! to the editor(s) of Windows Secrets. I’m looking forward to reading your half of the newsletter. If Gizmo is associating with you, you must be good. I can’t wait to see your half of the publication!”
While Gizmo’s software reviews will appear only in alternate issues of the new combined newsletter, his influence will be felt elsewhere in the publication as we jack up the number of hands-on evaluations of software and services.
In addition, the Windows Secrets site will soon add all the reviews, tips, and other articles from past Support Alert Newsletters.
What you get for free, what you get for a fee
Like Windows Secrets, the Support Alert Newsletter has always offered some articles for free and made other content available only for a fee. But as Bill Todd points out, it’s not always clear which Windows Secrets articles are available to everyone, and which are restricted.
- “It’s really annoying to follow a link only to find out that it’s paid rather than free content. Gizmo always made it clear which was which beforehand — you should, too.”
Our library pages, which show a summary of previously posted articles, indicate the titles of paid content with a gold-circle symbol. (On that page, click the plus sign to the left of “Summaries” to see which articles are free content and which are paid.) The image looks as follows:
When you use our site’s search engine to look for particular articles, such as a search on xp sp3, the golden symbol also shows the distinction.
We added the indicator just this week to the permalinks at the bottom of recently posted articles, such as the July 10 lead story on TechSpot and Google. Thanks for pointing out that this needed to be fixed!
Cleaning up after Microsoft’s latest update fiasco
Last week was a Patch Tuesday that many ZoneAlarm users will remember for quite some time. That’s because a Windows security update caused people using Check Point’s firewall program to lose their Internet connection. As Jim Penrose found out, the fix was anything but straightforward.
- “The article in today’s Windows Secrets about the new MSoft patch mucking up ZoneAlarm just earned every penny I paid for my sub. Thank you. This problem hit me yesterday and really had me P.O.’d.
“You offer one of the most content-rich newsletters I get, and it’s always one of the first things I read when it hits my inbox. Once again, thank you for saving me hours of work trying to solve this problem.”
Google alternative keeps your searches private
Finally, Ken Sommers alerts us to a more secure way to search the Web.
- “My favorite search engine, ixquick, has just been awarded the first privacy certification issued by the EU. Ixquick is a metasearch engine that provides a small number of focused hits.
“The home page has long had a link to their privacy policy, which states that they do not save searchers’ information. The recently issued certificate backs up that claim.”
It’s good to be reminded now and then that there’s more than one way to search the Web.
Readers J.D., Jim, Bill, and Ken will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.
So that's why they're called flip-flops!
Summer is here! But you may want to think twice before jumping into your favorite pair of sandals. Check out this hilarious clip of a friendly prank gone terribly, well… right!
This poor guy’s probably allowed to cry over some spilled milk. And our readers might join him — with tears of laughter! This clip is a shining example of good old-fashioned, mean-spirited fun. But remember, all you would-be pranksters, paybacks are a beeyotch!
The top Firefox security and privacy add-ons
By Becky Waring
Stay safe and protect your privacy when you’re on the Web by using these top-notch browser extensions. Block malicious Web sites, stop annoying ads, control your cookies, cover your tracks, and manage your passwords securely with this collection of free Firefox add-ons.
It’s time to update your Firefox extensions
When you upgrade to Firefox 3, you also have to update or reinstall the browser’s add-ons. The most popular extensions — including the ones I recommended here — now work with Firefox 3 and can easily be installed right within Firefox using the browser’s Add-ons manager (on the Tools menu).
In this column, I review the best Firefox security and privacy add-ons. In the coming weeks, I’ll tackle bookmark and tab managers, Google enhancements, user-agent switchers, and other organizational tools designed specifically for Firefox.
If there’s a particular category of Firefox extension that you’d like me to cover, drop me a line via the contact page.
Three must-have add-ons for safe surfing
If you’re concerned about phishing sites, spyware, viruses, fraudulent online stores, or child safety, you need WOT (Web of Trust). This unobtrusive yet amazingly useful extension shows a rating icon next to each site in search results from Google, Yahoo, Wikipedia, and other popular Web services. The rating is easy to interpret, so you can see instantly which links in the results are safe to click.
WOT also places an icon next to the address bar, so you can check the rating of your current page in case you didn’t get there via a search engine.
The add-on’s site ratings are derived from other people’s browsing experiences and databases of malicious sites. The four categories of ratings are Trustworthiness, Vendor Reliability, Privacy, and Child Safety.
WOT uses a five-color scale that goes from red to green for each item. If you click a link with a red icon, you’ll see a warning before you can navigate to the page. This can save you from accidentally surfing to malicious sites that install viruses or spyware.
The extension is amazingly accurate and complete. In a week of testing, I found very few search results that were not rated and only a handful of ratings I would question, especially compared to the ratings provided by McAfee’s SiteAdvisor, a similar free extension.
WOT’s accuracy is probably due to its incorporation of community input, which also makes possible the “vendor reliability” score for online stores.
You can register with WOT to get some additional features such as custom settings and the ability to add your own site ratings, but the unregistered version of the program provides all the features I need.
The second essential add-on for safe Firefox surfing is Sxipper. This password-management tool goes far beyond the one built into Firefox itself.
Sxipper is ideal for families and other users who might have multiple IDs registered at a given site by letting them create up to four different “personas.” Each persona can register its own form-filling information and passwords.
Sxipper is also amazingly intuitive to use, unlike other password managers I’ve tried. When you first install the program, it gathers information already stored in Firefox and then builds from there.
When you navigate to a site with a form, Sxipper automatically populates the fields or shows options for filling in any items that have more than one possible entry. Having all these options at hand makes it easy to maintain different IDs for various Web purposes.
Bonus tip: No matter which password manager you use, be sure to turn on Firefox’s master password option in the Security preference pane. This will require you to enter a password when first opening Firefox, which then unlocks all other passwords on file.
Finally, everyone needs a good cookie manager, and CookieSafe is my choice as the best Firefox cookie handler. The program places an icon in the bottom-right corner of the browser window. Click it to block or allow cookies temporarily or permanently on the current site.
Your cookies will still be stored in the Firefox cookie list, so you can view and edit them as normal within the Firefox Privacy options pane. All CookieSafe does is make control of cookies quick and easy without having to open the Options window. The program is simple and unobtrusive, and it just plain works.
Stop dangerous scripts, ads, and animations
Most Internet dangers come from malicious ads and scripts on rogue Web pages. Simply blocking Java, Flash, and advertisements goes a long way toward preventing spyware, Trojans, and viruses from getting on your computer. In the process, you’ll also benefit by speeding up your surfing and eliminating a lot of those distracting ads and animations.
However, blocking scripts or ads entirely also disables many functions you may want to use on various sites, so good ad-, Flash-, and script-management utilities are needed. That’s where Adblock Plus, Flashblock, and NoScript come in.
Adblock Plus is my favorite Firefox ad blocker. The program turns ads on and off for particular sites and features customizable blocking filters. On the New York Times home page, for example, Adblock Plus removes all ads while leaving just the articles and photos.
Some sites — such as Cycling News — don’t distinguish ads from content properly. Also, not all ads can be blocked, but Adblock Plus is the best tool for minimizing the impact of annoying (and possibly malicious) ads.
For blocking Flash animations (which are a frequent source of intrusion, judging by the constant stream of Flash Player security patches), I use Flashblock. This add-on replaces Flash animations with a playback button you can press if you want to view them, which is a good compromise for people who don’t want to disable Flash entirely.
You can create a whitelist of sites where you always want Flashblock to be off, such as YouTube, but Javascript must be enabled for Flashblock to work.
For full control of Javascript, Flash, Silverlight, QuickTime, and other plug-ins, look no further than NoScript, an extremely powerful and customizable Firefox extension that can block pretty much every kind of script.
When you navigate to a page such as the Apple iPhone 3G QuickTime demo, NoScript blocks the demo initially. Just click the NoScript icon at bottom right of the browser window to unblock scripts on that site temporarily or permanently.
Figure 1. The NoScript script-blocking extension for Firefox lets you decide which sites to trust.
NoScript maintains a customizable whitelist of sites you have unblocked. You can also decide exactly which plug-ins you want to block: Javascript but not Flash, for example. It takes a little effort to teach NoScript about your frequently visited sites, but once that’s done, you’ll really appreciate the control and safety the program provides.
Two plug-ins to keep your Web tracks covered
Sure, you can set Firefox’s privacy options to always “Clear private data” when you close the browser. Or remove private data manually at any time via the Clear Private Data option on the Tools menu.
Unfortunately, this all-or-nothing approach nukes all your data — not just the things you want to keep from prying eyes. I like having a long surfing history that tells me where I’ve been and makes it easy to get there again. That’s why I want to keep around the cookies that remember my settings on frequently visited Web sites.
I don’t want to give up that convenience, so I manage my cookies and passwords carefully by using the add-ons I described above. I also use two additional extensions when needed: Stealther and Panic.
Stealther temporarily turns off tracked elements such as your browser history, cookies, and cache. The program can be accessed via a shortcut that it places at the top of your Tools menu during installation. You can also toggle Stealther on and off by using a configurable hot-key combination.
Before you navigate to sites you want to keep private, simply invoke Stealther, surf, and then turn the applet off again when you’re ready to go back on record. Your history before and after the Stealther session is maintained.
One gotcha is that turning off cookies may cause some sites not to work properly. Still, you can configure Stealther to keep cookies on and then delete them later in the Firefox Privacy options pane. Also, be sure to turn Stealther on BEFORE you navigate to the page you want to keep out of your history.
Stealther worked as advertised for me, with one exception: The Recently Closed Tabs list (at the bottom of the History menu) was not cleared until I closed the Firefox window.
Since I would normally close the window anyway on finishing a browsing session, this wasn’t too much of a problem. However, if you leave Firefox open while you’re away from your computer, take note.
You might also want to check out Distrust, an add-on that has essentially the same functions as Stealther. However, Distrust has not yet been fully updated for Firefox 3, although it should be available for that version soon.
Finally, if you’re at work or in a public place where you might not want people to see what you’re doing online, try Panic. This utility places a button in the bottom-right corner of your browser window that instantly closes all tabs and opens a predetermined page of your choice instead. The Panic “button” can also be invoked from the keyboard.
Unfortunately, Panic doesn’t have a restore feature, which would make it far more useful. However, this might add a crucial second or two to the process.
Of course, you could just quit Firefox instead, but that may bring up a warning message about closing multiple tabs and give your boss — or whomever — enough time to glimpse the YouTube video you were watching or your latest fantasy-baseball standings.
Becky Waring has worked as a writer and editor for PC World, NewMedia Magazine, CNET, The San Francisco Chronicle, Technology Review, Upside Magazine, and many other news sources. She alternates the Best Software column with Windows Secrets contributing editor Scott Spanbauer.
Microsoft presents: Attack of the Killer Updates
By Woody Leonhard
Microsoft set the standard for poorly implemented, intrusive, duplicitous, and all-too-frequently destructive updates disguised as security patches. Be of good cheer: Several software heavyweights are following in the footsteps of the ‘Softies, peddling snake oil and snoopers dressed up in security-patch clothes.
A history of botched auto-updates
Full-disclosure time: I’ve been railing against Microsoft’s automatic updates since the early days of Windows XP. My first mention of “automatic update” appeared in this newsletter on May 11, 2006, in an article called “When Automatic Updates can be harmful.” You can probably guess from the title how much I did, and do, trust Microsoft’s ability to automatically fix my computers.
Like so many other topics in the Microsoft milieu, what was once considered a heretical stance has become mainstream. Microsoft fought hard to earn our distrust. Year after year of botched, re-botched, and re-re-botched patches has led many of you to the same conclusion I posited years ago: automatic updates are for chumps.
You can read last week’s Susan Bradley column on Microsoft’s apparent pass on testing its most recent patch — MS08-037 — on any machine running Windows XP (with any service pack) and ZoneAlarm. That’s only the latest in a long series of screw-ups. No doubt you recall the endless reboots for some hapless souls who installed an early version of Vista Service Pack 1 (see Susan’s Feb. 28, 2008, column on the topic).
Or the blocked navigation problem with the MS06-015 security patch (see the Securiteam blog).
Or the botched Core 2 Duo patch.
Or the botched MS06-016 patch for Outlook Express, or the botched MS07-017 ANI cursor patch.
Or the initial version of Office 2003 Service Pack 2 that locked up if you happened to delete the optional Office 2003 installation files.
Or… well, you get the idea. Microsoft has not only messed up an enormous number of patches, the company has used the patching mechanism and “security” imprimatur to convince consumers to install software of, shall we say, dubious value. See, inter alia, Brian Livingston’s article “Genuine Advantage is Microsoft Spyware” in the June 15, 2006, issue of this newsletter.
Sun follows Microsoft’s mal-update lead
Several events over the past few months leave me wondering whether other software heavyweights have been consciously following Microsoft’s playbook. Take Sun, for example.
A couple of days ago, a notification popped out of my PC’s system tray (next to the clock) stating that I needed to install a security update for Sun’s Java Runtime Environment. A couple of clicks led me to the download instructions for Java version 6 update 7. I mindlessly started clicking through the security patch installer until the dialog box shown in Figure 1 stopped my clicking finger cold.
Figure 1. Java wants to install OpenOffice.
What the %$#@!? I remember earlier Java security patches offering to install OpenOffice for me — golly, it’s so nice of Mr. McNealy to give me free software — but this is the first time I realized that Sun would put OpenOffice on my machine by default as part of a Java security patch.
The situation isn’t quite as dire as I first thought: Sun was offering to install only the OpenOffice installer (big distinction, eh?), not OpenOffice itself. But this was a sobering experience nonetheless. It felt a lot like Microsoft’s “Live” installer, which pushes all the company’s un-dead offerings even if you want only one little program. It also felt like Apple’s sneaky update shenanigans.
At Apple, carpet-bombing is Jobs 1
On Mar. 21, Apple infamously began offering its Safari browser as an, uh, unexpected bonus when QuickTime users were directed to download a security patch. Susan Bradley takes Apple’s maneuver to task in her Mar. 27 column, saying it “makes me question the entire concept of trusting auto-update mechanisms as a way of seeking better security.”
B.S. (Before Safari), Apple used its Apple Software Update program only to distribute QuickTime and iTunes patches to Windows users. But when the time came for Apple to distribute its March security patch for QuickTime, the company’s update program offered — by default — to install Safari. You may recall that Apple ultimately relented and, as of this moment, you can patch iTunes or QuickTime without fear of a Safari carpet bomb.
But the reverse is not true. In his June 24 posting titled “How does Apple get away with this badware behavior?”, ZDNet blogger Ryan Naraine showed that installing Apple’s Safari on a new PC causes the same Apple Software Update program to offer to install — by default — both iTunes and QuickTime.
Thanks, Steve. You just gave me one more good reason to avoid Safari.
Will the real Adobe Reader 8.1.2 stand up?
Unwanted and unexpected software is only part of the story. Sometimes it’s very, very hard to tell what programs you have lurking on your PC.
Example: Adobe just released a security patch for Adobe Reader 8.1.2 called Security Update 1. You can tell whether your PC has Adobe Reader 8.1.2 SU1 installed by checking, uh… darn, that doesn’t work. Here. Just check… oh, wait a sec, that doesn’t work either. You can look at… er, uh…
The official Adobe Knowledge Base article says that it’s easy to tell whether you have version 8.1.2 of Acrobat or the free Reader app: just click Help, About. But if you want to know whether SU1 has been installed, you must follow these instructions from the Adobe site verbatim: “Check Add and Remove Programs in the Control Panel, but make sure you to enable the Show Updates check box. Then, Adobe Acrobat or Reader 8.1.2 Security Update 1 will show up as a child entry underneath 8.1.2. Another way is to click Help >> Adobe Plug-Ins. Click on Comments. The API should be dated 6/7/2008.”
Or maybe it’s 7/6/2008 if you live in Europe or Canada.
Sounds like a nice, intuitive way for your Great Aunt Mildred to see whether her copy of Adobe Reader has been patched, eh?
Liberate AVG Free from tracking your Web activity
Once upon a time, I recommended AVG Free from Grisoft as my favorite free-for-private-use antivirus product. For years I used AVG Free, recommended it to hundreds of thousands of people, and rarely heard a disparaging word.
Then the folks at Grisoft decided to “monetize” their free product. The current version 7.5 of AVG Free is being forcibly replaced by AVG Free 8. Soon, you won’t be able to get version 7.5 virus-signature updates. When you install AVG 8, you have the opportunity to install the AVG Security Toolbar (with integrated Yahoo search box — be still, my heart!) and you get a wondrous snoop program called LinkScanner, whether you want it or not.
From a PC user’s point of view, LinkScanner works a lot like McAfee SiteAdvisor: Every time you use Google, Yahoo Search, or Windows Live Search, LinkScanner reviews all of the links in the results and tells you whether the sites are potentially dangerous.
If your first page of Google search results turns up ten sites, AVG’s LinkScanner phones home, retrieves the status of all ten pages, and in the process leaves your computer’s IP address — which could be used to identify you — on AVG’s server attached to a list of the sites you checked. Ka-ching!
LinkScanner may sound worthwhile, but it’s been lambasted widely. Virus Bulletin noted last month that “as the scanner checks each link turned up in real time, it emulates visiting each page returned in the search results as if a real user had visited it. This behavior could be behind unforeseen rises in Web activity, which is expected to increase further as more of AVG’s vast user base upgrade to the latest version.”
Jeremy Kirk at InfoWorld reports that AVG claimed last week to have solved the bandwidth-sucking problem. But that still leaves open the question of why anybody would want LinkScanner in the first place.
As I explained in my Apr. 24 column, Firefox 3 gives you many of LinkScanner’s features with none of the privacy-sapping problems. Google displays badware notifications as part of its search results. The LinkScanner shtick is old news. AVG bought LinkScanner last December, and the program looks to me to be darned near obsolete already.
Fortunately, it’s easy to turn off LinkScanner. Just double-click the AVG icon in the system tray, click Tools, Advanced Settings and, on the left, choose LinkScanner. On the right, uncheck Enable AVG Search-Shield. Click OK and restart your browser, and your AVG Free will be free.
It hurts when a trusted old friend like Grisoft starts acting like Microsoft.
Woody Leonhard’s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.
Block a serious threat to your DNS servers
By Ryan Russell
A new vulnerability has been discovered in the basic design of the Web’s Domain Name System, prompting almost all of the DNS software vendors in the world to release a patch. There are a couple of different ways to determine whether your DNS servers are vulnerable to this widespread problem.
Don’t wait to install these DNS patches
In her Patch Watch column last week, Susan Bradley described problems users of Check Point’s ZoneAlarm firewall program experienced following the release of Microsoft’s DNS patch two days earlier.
While that problem was bad enough for ZoneAlarm users, it will look like a minor hiccup compared to the potential DNS disaster waiting in the wings.
My friend and co-author Dan Kaminsky has been doing interesting DNS research for a number of years. Dan discovered a vulnerability that he claims makes DNS cache poisoning very practical. If attackers can poison your DNS cache, then they can redirect you to their evil servers whenever you try to go to www.microsoft.com, for example.
The entire process of resolving DNS names to IP addresses may be at risk. I’d like to give you all the gory details, but I don’t have them.
In a somewhat unusual move, Dan has agreed to withhold the specifics about the DNS glitch until he gives his presentation at the Black Hat conference in Las Vegas on Aug. 6, 2008. Dan says he wants people to have the extra time to install the required patches.
This, of course, has security researchers up in arms because they can’t stand to have information withheld. Some security pros immediately accused Dan of overhyping his findings and not having anything worthy enough to warrant the attention this has received.
So let me provide my reasoning for why you should pay attention: Dan convinced many different software vendors — including Microsoft, Cisco, and the ISC (makers of BIND, one of the most used free DNS server packages) — to release patches simultaneously.
After a number of well-known researchers confronted Dan about all the mystery, he brought a couple of them into his confidence to describe the problem. They immediately said Kaminsky was right. Everyone who knows about the problem is saying it is serious and needs to be patched immediately. You should listen to them.
Check your DNS from your browser
Dan has provided a convenient way to check your DNS server’s vulnerability from your browser. Just visit his site and click Check My DNS in the upper-right corner of the page. In the box below that on the page, you will see a brief report that says whether your DNS server is at risk and what the validator thinks is your DNS server’s IP address.
If the check indicates that you’re not vulnerable, great. Verify all your other network connections to see how they fare. If the test finds a vulnerability, then you need to install a patch or reconfigure the server.
That’s if the DNS server is yours. The DNS servers most of us rely on when we browse are run by our ISPs. That’s why verifying the reported IP address is important. Is it the IP address of a computer you manage? Then install the appropriate patch. If the address actually belongs to some other server, then you have to wait for them to fix it. Keep an eye on the calendar and recheck the server as we get closer to Aug. 6.
If the IP address reported for your name server isn’t what you expected, or if it doesn’t match the number you see for your DNS server if you run ipconfig /all from a Command Prompt, then you’ve got what is called a slave DNS server. It just passes the request on to another DNS server that does the actual work, and that is the one in need of patching.
DIG for more info on your DNS risk
Dan’s Web tool works only for your default DNS server. Sometimes you want to check another server. There is a standard DNS tool called DIG (Domain Information Groper — seriously) that you can use along with another service being offered by DNS-OARC (DNS Operations, Analysis, and Research Center) that checks arbitrary Internet-reachable DNS servers. The command will look something like this:
dig @10.11.12.13 +short porttest.dns-oarc.net TXT
DIG does not come standard with Windows. However, the utility has been ported umpteen times, so Google up your favorite source. I don’t have a particular one to endorse, but I often install the Cygwin system utilities, which includes a version of DIG.
You can find more information on the DNS-OARC service and detailed instructions on the organization’s porttest page.
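To run the DIG check against several servers at once and see which machine each answer actually points at, here is an added example (not from the original column or from DNS-OARC). It assumes the porttest TXT answer reads "<address> is <RATING>: ..." with POOR as the rating that calls for a patch; the function names and the sample answer are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize answers from
#   dig @SERVER +short porttest.dns-oarc.net TXT
# ASSUMPTION: the TXT data reads "<address> is <RATING>: <details>", and
# POOR is the rating that means the resolver needs the patch.

# parse_porttest QUERIED ANSWER
# Prints "<queried> <responder> <rating> <status> <target>".
parse_porttest() {
    queried=$1
    # dig +short may print a CNAME line before the quoted TXT line;
    # drop the quotes and keep the first line shaped like a verdict.
    line=$(printf '%s\n' "$2" | tr -d '"' |
        sed -n '/^[0-9A-Fa-f.:][0-9A-Fa-f.:]* is [A-Z][A-Z]*:/{p;q;}')
    if [ -z "$line" ]; then
        printf '%s - NONE unknown -\n' "$queried"
        return 0
    fi
    responder=${line%% is *}   # address the test service saw
    rest=${line#* is }
    rating=${rest%%:*}
    case $rating in
        POOR) status=patch ;;
        *)    status=ok ;;
    esac
    # A different responder means the server you queried hands the lookup
    # to another machine, and the verdict applies to that machine.
    # (A server behind NAT also shows up under its public address.)
    if [ "$responder" = "$queried" ]; then
        target=self
    else
        target=upstream
    fi
    printf '%s %s %s %s %s\n' "$queried" "$responder" "$rating" "$status" "$target"
}

# check_server SERVER: run the real query (needs dig and network access).
check_server() {
    answer=$(dig @"$1" +short porttest.dns-oarc.net TXT 2>/dev/null) || true
    parse_porttest "$1" "$answer"
}

if [ $# -eq 0 ]; then
    # Constructed sample answer, so the script also runs offline.
    parse_porttest 10.11.12.13 '"198.51.100.7 is POOR: 26 queries in 4.4 seconds from 1 ports with std dev 0"'
else
    for s in "$@"; do check_server "$s"; done
fi
```

Pass the addresses you see in ipconfig /all as arguments; any line ending in "patch upstream" names a server you will have to chase with whoever runs it.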
Resources:
• Main CERT advisory
• Dan Kaminsky’s blog on vendor coordination
• Paul Vixie’s blog on the subject
UPDATE 2009-11-12: In the Nov. 12, 2009 In the Wild column, contributing editor Robert Vamosi describes a Secure Sockets Layer/Transport Layer Security (SSL/TLS) flaw whose discovery and remediation are similar to that of the DNS flaw uncovered by Dan Kaminsky.
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2023 AskWoody LLC, All rights reserved.
