Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
Readers reveal their adware battles
In this issue
- TOP STORY: Readers reveal their adware battles
- PATCH WATCH: How to install patches when Microsoft's tools don't
- WINDOWS SECRETS: Don't get scammed by the 'Bait and Switch' trick
- PATCH WATCH: We definitely need our Wheaties today!
- BRIEFING SESSION: The bare facts about MSN Search
- WACKY WEB WEEK: You've got a good head on your shoulders
Readers reveal their adware battles
My article in the Jan. 27 newsletter on anti-adware and antispyware generated a wave of responses from our readers.
The conventional wisdom — reported by many computer magazines until quite recently — had been that two free programs, Ad-Aware and SpyBot Search & Destroy, were able to remove most malware when both were used.
In reality, I reported last issue that these two programs have not kept up with the growth of the adware threat. I compiled raw data provided by researcher Eric Howes, who exhaustively tested 20 applications in October 2004.
The results showed that only one anti-adware program, Giant AntiSpyware, was capable of removing more than 50% of the little buggers. Every other program removed fewer than half of the problem cases.
The best two-program combination to root out adware, the study indicated, was Giant AntiSpyware — which deleted 63% of the unwanted components by itself — plus Webroot Spy Sweeper, which brought the figure up to 70%. (For links, see the Security Baseline section, below.)
Ironically, Microsoft purchased the little-known Giant Software Company in December 2004. This has created a different sort of problem, but we’ll get to that later.
After the article appeared, the newsletter received literally hundreds of reports from readers. They related the pain they’ve experienced from adware and the relief they’ve gotten from using some of the newer, more accurate anti-adware utilities.
Here’s just one brief example of the many success stories readers sent us (this one from Mike Butler):
- “You guys have hit a home run with this edition.
“The adware discussion prompted me to download Microsoft Windows AntiSpyware and CWShredder.
“I couldn’t believe the trash that Spybot failed to catch. Thanks a million for your brilliant work. If I never read anything else about Windows, I read your column religiously.”
Well, that’s enough kudos. Now let’s move on to the tough work of dealing with the malware and adware we still must defeat.
Keeping up with an accelerating arms race
One corporate network administrator, who asked to remain anonymous, reports that malware programs are exploding in number and that anti-adware apps need to evolve at least as quickly.
His own findings, and the questions that lie behind his message, will be interesting to anyone who’s grappling with rampant adware:
- “I’m a network engineer working as IT manager for an electronics company. I’ve spent the last few months pushing my management team towards a purchase of an enterprise-wide antispyware program. We’ve just bought and implemented Webroot Spy Sweeper Enterprise Edition, and it’s going in this weekend.
“I first used the 30-day trial of Spy Sweeper in August 2004, when my marketing manager got her system all but disabled by spyware/malware. SpyBot Search & Destroy just wasn’t helping, so I did a little research and downloaded Spy Sweeper.
“Spybot was picking up 14 instances of spyware. Spy Sweeper picked up 56 instances (over 1,200 traces in all). Quite a difference. Two sweeps with Spy Sweeper (the second in Safe Mode) and the workstation was clean.
“Admittedly, Spy Sweeper wouldn’t have been able to tell me about problems it wasn’t programmed to detect. But my Registry warnings, Run and Run Once keys, running processes (in Task Manager), MSCONFIG lists, and Add/Remove Programs screens were clear (and, more importantly, have stayed clear).
“Also, the user’s prolific pop-up and browser hijacking problems stopped completely.
“Part of the 30-day trial was an update of the Spy Sweeper pattern files. At that time (August 2004), the update brought the original number of recognized patterns from 4,000+ to 29,000+. I had a second workstation badly compromised the next month (September 2004) and by then the patterns numbered over 34,000.
“The current number of recognized patterns (although it will probably grow between now and the time you look) is 54,000 and change.
“See my issue? Spy Sweeper is now recognizing nearly twice the number of spyware / malware / Trojan / etc. infestations as it was when Eric did his (truly impressive) research runs. You don’t list the dates of your patterns when you did your product combinations, but it seems that every couple of weeks hundreds, or even thousands, of new holes are being plugged.
“Is there any way to find out if those percentages have changed in the last four months to reflect the significant change in SpySweeper’s arsenal? Speaking as a network manager who’s just talked my management team into a pretty sizeable investment, I’d love a response.”
I believe the anti-adware market has progressed very quickly since Eric Howes conducted his tests in October. He tells me that he’s planning another round of tests within the next month or two. This set will attempt to evaluate the Microsoft Antispyware beta, which didn’t exist four months ago.
In the meantime, other testers are suggesting that new leaders now hold the mantle of anti-adware effectiveness. In ratings released last week, for example, PC Magazine gave its coveted Editors’ Choice award solely to one of the two programs we recommended: Webroot Spy Sweeper. (See the Security Baseline section for details.)
What’s Microsoft’s responsibility for spyware?
Several readers sent in criticisms of Microsoft for causing the virus/malware problem in the first place. In this view, the Redmond company started a “Trustworthy Computing Initiative” about five years too late and even then didn’t complete its mission. Others question Microsoft’s actions regarding its purchase of Giant AntiSpyware, as expressed by Jim Corsa:
- “I haven’t read anyone exposing Microsoft’s conflicts of interest in buying/developing its own antispyware and antivirus software. Why are pundits praising the [Microsoft] AntiSpyware beta and debating whether Microsoft will sell it, instead of pointing out that antispyware wouldn’t be so critical if Windows and IE were designed and coded properly?
“If Microsoft is going to make money selling antispyware and antivirus products, then where is the incentive to fix Windows? …
“It appears Microsoft has made matters worse by removing the best antispyware from the market, or at least from users of older Microsoft operating systems. (Another attempt to kill older versions of Windows?)
“I clicked on the Giant AntiSpyware download link and arrived at a page which gives the impression I can download Giant AntiSpyware 1.0. However, after checking the Microsoft AntiSpyware beta link, I’m suspicious, because it appears Microsoft is abandoning Windows versions before 2000 and has stopped the sale of Giant AntiSpyware licenses.
“The Microsoft page contains these paragraphs. The first paragraph addresses Windows versions Giant covers and Microsoft does not. The second paragraph seems to say that anything from Giant is a dead end:
- Support for Windows 98SE, Windows ME, Windows NT (with Service Pack 3, 4, or 6a) operating systems. GIANT AntiSpyware supports these operating systems, in addition to Windows 2000, Windows XP, and Windows Server(tm) 2003. The Windows AntiSpyware (Beta) software supports only Windows 2000, Windows XP, and Windows Server 2003.
Microsoft will continue to provide the same level of support to current subscribers of GIANT AntiSpyware software as was offered by GIANT Company Software prior to its acquisition by Microsoft Corporation. Microsoft, however, will no longer sell new licenses, subscriptions, or subscription renewals for GIANT Company Software products, including GIANT AntiSpyware.
“It’s the ‘however’ that caught my eye. Does this mean folks with old hardware running Windows 98SE cannot get the best antispyware? Or is it still available?”
It appears Microsoft has shut down most or all of the routes by which consumers could download and register Giant AntiSpyware, as opposed to the Microsoft AntiSpyware beta. The download link mentioned above, involving a product page at Download-ware.com (a former Giant Software Company sales affiliate) no longer works. If any reader knows a legitimate way to download and register a supported version of the genuine Giant AntiSpyware, let me know. I personally believe it’s been killed dead.
Numerous readers, while criticizing Microsoft for weak code, wrote to support the growing movement to the new, free Firefox browser as a safer alternative to Internet Explorer. Many rogue programs install themselves silently, track users’ keystrokes, and do other nasty things using IE’s Browser Helper Object “feature.” This is one particular problem that Firefox is relatively immune to. (Firefox supports extensions but not BHOs.)
We’ve written about the benefits of Firefox many times, most recently in the Dec. 2, 2004, issue and as far back as a July 12, 2004, column.
How to recover if antispyware breaks your Net connection
Finally, reader Ken Baker fills us in on a problem that Microsoft Antispyware and some other anti-adware programs can create if they remove malware in a sloppy way. Many unwanted programs insert themselves into the Internet connection process. Deleting a rogue program without fixing the Registry entries it tampered with can leave the PC unable to connect.
Fortunately, there’s a cure if this happens to you:
- “There have been instances in the past where removal of spyware wrecked computers’ Internet connection. In these cases, spyware files insinuated themselves into Winsock.
“Win who? Winsock is our new term of the day. It’s a series of files that are used to make the Internet connection. So the spyware files wrote themselves into the Registry. That made the spyware a required part of the Internet-connection process. See how tricky these folks are?
“When the spyware was deleted, the Registry could no longer find those files. Therefore, the Internet connection failed.
“Over time, the antispyware makers learned to remove the Registry keys when the Winsock invaders were deleted.
“The Windows firewall works closely with Winsock. It appears that the spyware is insinuating itself into the startup of the firewall. When you remove the files, the Registry can’t find them. So, it refuses to start the firewall service.
“Repairing Winsock formerly meant going into the Registry. You had to track down the offending keys and delete them. But Windows has a command that will do the job.
“To run the command, click Start, Run. Type cmd in the box and click OK. That will put you at a command prompt. Enter netsh winsock reset and press Enter. Close the DOS window and reboot the computer.
“After doing the above, you should be good to go!”
Information about recovering from Winsock corruption is documented in more detail by Microsoft in Knowledge Base article 811259 and, for fixing general TCP/IP corruption, KB 317518.
In response to all the readers who asked, be assured that we very much plan to bring you more news on this front as we discover it. We’re just beginning to see the full scope of the damage that adware can cause, unfortunately.
In the meanwhile, to send us more information you’ve uncovered about adware, or to send us a tip on any other subject, visit WindowsSecrets.com/contact.
Readers Butler, Dippel, Corsa, and Baker (and Mr. Anonymous) will receive gift certificates for a book, CD, or DVD of their choice for sending us tips we printed.
How to install patches when Microsoft's tools don't
With Microsoft announcing 12 new updates this week — 8 of them rated critical — it was a busy Patch Tuesday for many of us. But even with all these updates, few people have so far reported serious problems after installing them. Is Microsoft starting to get the hang of this patching stuff?
Ever since my first copy of Windows NT 3.5, patching has been a confusing and scary ritual that we admins had to regularly endure. Only in the last couple years have we had reliable patch management software to ease much of the pain.
Fortunately, Microsoft is getting better at it. The company’s update strategy is showing signs of maturity. This month’s rather smooth updates are a testament to this.
But don’t get too comfortable yet; there’s always something that doesn’t go as planned.
Secrets of updating ASP.NET
Microsoft finally released a patch to an issue brought up several months ago regarding ASP.NET authentication. At that time, someone publicly announced the problem rather than reporting it to Microsoft. This forced Microsoft to hastily issue a workaround, which successfully blocks the attack.
So, you might ask, why is it necessary to install this update if you are already blocking the attack?
The answer is that this attack can be carried out in other ways, besides the one that was made public.
The workaround blocks the attack, but it doesn’t address the underlying vulnerability. You should definitely apply this patch if you use ASP.NET, as the vulnerability is potentially more serious than most people realize.
What to do: There are several important things to remember when applying this update:
First, WindowsUpdate and SUS (Software Update Services) check for this update, but MBSA (Microsoft Baseline Security Analyzer) does not.
Second, you should check to see if you have multiple versions of the .NET framework installed. You can do this by opening Windows Explorer and examining C:\Windows\Microsoft.NET\Framework. There will be a different subfolder for each version that’s installed.
Because Microsoft designed the .NET framework to allow multiple versions to run side-by-side, you should patch each installed version.
Many of the patching tools I’ve tested only reported the latest version as needing the patch, so you might find yourself needing to install the other versions manually. Microsoft’s security bulletin explains how to obtain and install these patches.
Finally, if you encounter errors installing this patch, check out Aaron Stebner’s weblog. It offers excellent information on .NET installation issues.
Enterprise Update Scanning Tool fills in the cracks
Too many people think that using Windows Update, MBSA, or Automatic Updates will keep them patched against the most serious issues.
Unfortunately, that isn’t enough, especially this month.
You must also pay a visit to Microsoft Office Update or get the Office Update Inventory Tool to address any Microsoft Office-related issues, which includes the Microsoft Works Suite.
But you aren’t done yet. Depending on which method you use for detecting such things, all of the above might still not catch all required updates.
To fill the gaps between the various tools, Microsoft has released the Enterprise Update Scanning Tool (also available for SUS users via Knowledge Base article 894154).
This tool is unique for each MSRC release cycle, so you need to download it every Patch Tuesday, if a new one is available.
The Scanning Tool only scans for updates not handled by other tools, and you cannot run it against remote systems, so its usefulness is somewhat limited.
This is obviously a temporary solution until Microsoft releases Windows Update Server. But, until then, you should first update Windows, then update Office, then run the Enterprise Update to make sure you get everything.
Microsoft’s patches are more stable nowadays, but there are clearly some gaps in Microsoft’s update detection tools, so you really should look at third-party patch management solutions.
While the majority of these products target enterprise patch management, many patch management vendors do provide free, trimmed-down versions of their tools for home users. These will be discussed in more detail in upcoming columns.
Force Automatic Updates to run scans for you
Here’s a tip for those who use Automatic Updates: if you know Microsoft has made patches available, but you don’t see the Automatic Updates notification icon in your system tray, you might want to force Automatic Updates to check for new material.
To do this, select Run from the Start Menu, then type wuauclt.exe /detectnow at the prompt.
Perhaps I’m a bit paranoid, but I find myself running this a lot on the morning of Patch Tuesday.
Mark Burnett is a Microsoft MVP, the author of Hacking the Code: ASP.NET Web Application Security, coauthor of Stealing the Network: How to Own the Box, and an independent security consultant.
Don't get scammed by the 'Bait and Switch' trick
The "Bait and Switch" routine is an old sales tactic. A store will advertise something for an outrageously low price or some other kind of unbelievable deal. That gets you in the door, and then you hear things like, “We’re out of stock right now, but since you’re here, wouldn’t you like to look at this instead?” It’s an unethical thing to do, but I’m sure that more than one store out there still uses this practice.
Under the right conditions, hackers can do the same thing when you’re surfing the Web. Browser and application vulnerabilities allow a hacker to make you think you’re on one Web site, when you’re actually on another. From there, anything can happen.
Don’t let hackers frame you
Security firm Secunia discovered last July that a 6-year-old vulnerability that was thought to be patched is still present in browsers from multiple vendors.
This vulnerability allows a hacker to hijack a frame in a legitimate Web page. The perpetrator can then insert his own page in an effort to make you think that page is legit, too.
The booby-trapped page can then use other hacker methods to trick you. Because the page looks normal, you might reveal bank or credit card information, unknowingly install a Trojan horse on your computer, or fall prey to other tricks. This vulnerability exists because browsers didn’t validate frames to ensure they belonged to the Web site of the parent window.
Since this vulnerability was re-discovered, most browser vendors have supplied patches or upgrades to their browsers to re-fix this problem yet again. But not all have done so.
Browsers that are still vulnerable include:
• Internet Explorer 5.01 through 6.x
• Safari 1.2.2
• Konqueror 3.1-15redhat
Here’s a list of browsers that are no longer vulnerable:
• Mozilla Firefox 0.9 and later
• Mozilla 1.7
• Opera 7.52
• Netscape 7.2
• Camino 0.8 (build 2004062308)
Yes, you read that right. Internet Explorer is still defenseless against this 6-year-old vulnerability.
Microsoft tried once before, patching a similar vulnerability in IE 3 and 4. But the problem crept back into the browser with version 5.01 and up. The problem has been confirmed to affect even a fully patched Internet Explorer 6 on Windows XP SP2.
What to do: Make sure you’re using the latest version of your browser of choice, and keep it updated with any patches that are available. If there isn’t an upgrade or patch for the browser that you’re using, switch to one of the browsers listed above that isn’t affected by this problem.
If you’ve implemented the recommendations for hardening Internet Explorer in the Nov. 11, 2004, issue of the Windows Secrets Newsletter, then you’re already protected from this problem.
If not, you can disable IE’s Navigate sub-frames across different domains setting as follows:
• Open the Tools menu in Internet Explorer.
• Click Internet Options and select the Security tab.
• Select Internet Zone, then click the Custom Level button.
• In the dialog box that opens, look for the Miscellaneous section.
• Finally, click Disable on Navigate sub-frames across different domains.
For more info about the problem, see Secunia’s advisories on the IE vulnerability and a free vulnerability test that shows whether your browser suffers from the security hole.
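The missing check described above, as a simplified model in JavaScript. This is an added example, not browser source code or Secunia's test; the window objects, function names and example.* sites are assumptions made for illustration.

```javascript
// Added example: simplified model of the frame-ownership check.
// A browsing context is { name, url, parent }; a top-level window has parent === null.

// Origin (scheme + host + port) of an http(s) URL, or null if it has none.
function originOf(url) {
  try {
    const u = new URL(url);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.origin : null;
  } catch {
    return null; // unparsable URL: never equal to any site
  }
}

// Walk up the frame tree to the window that owns the frame.
function topWindowOf(ctx) {
  let w = ctx;
  while (w.parent !== null) w = w.parent;
  return w;
}

// Decide whether `initiator` may load `newUrl` into `targetFrame`.
// validateOwner: false models a browser that skips the ownership check;
// validateOwner: true models the check (comparable in effect to disabling
// "Navigate sub-frames across different domains").
function decideFrameNavigation(initiator, targetFrame, newUrl, opts) {
  const ownerOrigin = originOf(topWindowOf(targetFrame).url);
  const initiatorOrigin = originOf(initiator.url);
  const crossSite = ownerOrigin === null || ownerOrigin !== initiatorOrigin;
  const allowed = !opts.validateOwner || !crossSite;
  return {
    frame: targetFrame.name,
    newUrl,
    crossSite,
    allowed,
    reason: allowed
      ? (crossSite ? 'no ownership check performed' : 'initiator owns the frame')
      : `initiator ${initiatorOrigin} does not own a frame of ${ownerOrigin}`,
  };
}

// Review a list of navigation attempts and return the cross-site ones,
// i.e. the events worth logging whichever policy is in force.
function crossSiteAttempts(attempts, opts) {
  return attempts
    .map((a) => decideFrameNavigation(a.initiator, a.target, a.newUrl, opts))
    .filter((d) => d.crossSite);
}

// Constructed scenario: a framed site and an unrelated window open beside it.
const bankTop = { name: 'bankTop', url: 'https://bank.example/account', parent: null };
const bankFrame = { name: 'content', url: 'https://bank.example/menu', parent: bankTop };
const bankInner = { name: 'inner', url: 'https://bank.example/detail', parent: bankFrame };
const otherTop = { name: 'otherTop', url: 'https://unrelated.example/', parent: null };

const attempts = [
  { initiator: bankTop, target: bankInner, newUrl: 'https://bank.example/statement' },
  { initiator: otherTop, target: bankFrame, newUrl: 'https://unrelated.example/form' },
];

console.log(crossSiteAttempts(attempts, { validateOwner: false }));
console.log(crossSiteAttempts(attempts, { validateOwner: true }));
```

With the check off, the second attempt is allowed and the framed page's content is replaced while the address bar still shows the owning site; with the check on, it is refused.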
RealPlayer files can be a real problem
Security researchers have recently confirmed a vulnerability in RealPlayer 10.5 (Build 6.0.12.1056). This allows hackers to make .rm files that bypass the security restrictions in RealPlayer. Other versions may also have this vulnerability.
The issue is that RealPlayer .rm files are able to open local files within the browser that’s built into the player. Hacker techniques can then be used to open HTML in the context of the local machine. This could allow the intruder to run code, install keylogging Trojans, and so forth.
Exploit code has already been released that takes advantage of this problem. The released code combines the RealPlayer flaw with well known weaknesses in Internet Explorer to compromise a user’s computer.
What to do: Until RealPlayer and IE are fixed, you can prevent .rm files from being opened automatically by deleting the file association for .rm files. This can be done as follows:
• Open Windows Explorer.
• On the Tools menu, click Folder Options.
• Select the File Types tab, then scroll down to RM RealAudio/RealVideo files.
• Select that entry, then click the Advanced button.
• Select open, then click Edit.
• Copy the contents of the Application used to perform action field.
• Save the contents in a text file, then click Cancel twice.
• Back in the File Types dialog, click the Delete button.
• Click Yes to confirm the deletion, then click OK to close the dialog.
To re-associate .rm files with RealPlayer after it’s been patched, right-click a .rm file, click Open With, Choose Program, and select RealPlayer. Confirm that the contents of the Application used to perform action field match the original setting you saved.
For more information, see the latest advisories from Secunia and eWeek.
Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.
We definitely need our Wheaties today!
By Susan Bradley
Fasten your seatbelts, it’s Patch Tuesday.
Microsoft released 12 bulletins on Feb. 8 that covered the gamut, from operating systems to Office suites to Messenger applications.
Inside these 12 bulletins are a lot of patches to handle — even if you are like me where you have a patch management tool and a tried-and-true process to deal with them. Fellow Microsoft MVP Harry Waldron recommended in his security blog that we "admins" have an extra bowl of Wheaties (an American breakfast cereal) to ensure we had strength. He wasn’t kidding!
So what did I do when I saw the bulletins arrive on my desktop on Tuesday morning? Well, the first thing I did was determine which patches needed to be installed on certain workstations or servers faster than others. I call this process "zoning," and it helps me to "chunk down" the security patches into more manageable bites that I can handle. I then tried to identify which patches would come down the wire merely with Windows Update and those I’d have to manually install.
Several of the patches out this week are only needed in network environments. And there’s also an update to the Malicious Software Removal Tool. If you don’t have any "bad stuff" on your system, you’ll probably ask yourself "did it do anything?", and you’ll want to run it again manually just to make sure. You can do this by visiting Microsoft’s MSRT Web page and manually running the tool.
In full disclosure, I think I killed a tree while printing out this week’s 12 bulletins just so I could make sure I was getting all the information needed to make my "risk determinations." I’m hoping that my "risk ratings," below, will help you save a few trees.
IE and Drag-and-Drop get patched right NOW!
First off, the big news is that included in this batch of patches is a cumulative update for Internet Explorer (MS05-014/867282) and a patch to the Drag and Drop vulnerability (MS05-008/890047).
I know that my desktops still operate with user rights that allow users to install anything they want. I also know that this practice leaves me at higher risk for browser exploits. These are two patches, therefore, that I’ve already installed on my office workstations that are my "tester" machines.
I’ll be installing these patches extremely quickly to my workstations, but I won’t worry about installing these patches until the weekend on my servers. People surf on their workstations, and that’s where the risks lie, but not on the servers. So on my workstations, which are XP SP2, I’m letting the security update for Windows XP (MS05-008) and the cumulative security update for Internet Explorer for Windows XP (MS05-014) be installed now.
Already there are known issues with the MS05-014 patch for Internet Explorer. These issues, including Media Player not playing some chapters of some DVD discs, are listed in KB articles 867282 and 884487.
Remember that even if you use Firefox for browsing, you still have Internet Explorer under the hood. It’s still important to patch Internet Explorer bugs, even if you are using alternative browsers.
Due to the fact that these two bulletins cover public vulnerabilities for Internet Explorer, I pulled these two bulletins way, way ahead of the rest to get extra fast attention and extra fast installation in my network. But there are other bulletins rated as critical, so let’s keep digging to see which one deserves your attention next.
There’s another bulletin that also has potential Internet Explorer impact: Internet Explorer ActiveX gets updates again in bulletin MS05-013 (871781). This is another of the notorious Xfocus public vulnerability disclosures that occurred during Christmastime and is finally getting a needed patch. Secunia had discussed the issue in an advisory.
In my Windows XP SP2 environment, MS05-013 is only rated "important." But for those not on XP SP2, you should include this patch with the other two Internet Explorer patches and install these three before all other patches.
MS05-011 fixes a soon-to-be-exploited hole
Security firm eEye has already released a detailed advisory on the vulnerability fixed by MS05-011 (885250). It’s only a matter of time before this one has a working exploit or proof of concept. Given that there’s enough information for the black-hat community to easily build an exploit, I’ll be putting this patch on a fast track for installation, like the Internet Explorer ones above. This one might be our "sleeper" vulnerability of this round and end up being painful. I hope I’m totally wrong in my assessment.
MSBlaster again? This fix bears watching
The next one to pop up a bit higher on my "radar" is one I’ll call "Blaster III," only because it replaces the patches for MSBlaster that were contained in both 03-026 and 03-039.
This bulletin appears to deal with a lower risk than Blaster originally did. The latest threat requires interaction by a computer user, whereas Blaster only needed an exposed port not protected by a firewall.
Bulletin MS05-012 (873333) is critical only because of "Web clicking" and "e-mail opening". Watch this patch, as the files in question are used in network connectivity. In the past, the 03-026 patch did cause issues with Autocad files.
Already there are identified issues between MS05-012 and the debugger IMallocSpy. See KB 894194.
Due to the fact that I don’t see this hole as quite the threat Blaster was, I’m not assigning this patch quite as much urgency.
Windows Messenger may need manual updating
As if we didn’t have enough issues with image files, this month includes a critical update for issues dealing with the handling of PNG image files in Windows Messenger, MSN Messenger, and Media Player. See MS05-009 (890261).
You may be like me and run both a version of MSN Instant Messenger and a Windows Messenger that hooks into Live Communication Server 2005. Installing MS05-009 corrects both applications.
Microsoft announced on Feb. 9 that exploit code for this vulnerability is circulating, although attacks in the wild haven’t yet been seen.
If you wish to patch MSN Messenger separately, don’t wait for it to auto-update. Download an updated version immediately by visiting Messenger.MSN.com and clicking the Download Now button (for individuals) or Microsoft’s Download Center (for enterprises) as explained in an MS notice.
Microsoft recommends that enterprises not use MSN Messenger in a corporate environment. Instead, uninstall instances of it and block its access to network services, as described in KB 889829.
Meanwhile, to separately update Windows Messenger, you’ll have to use your patch-management software or manually update to the needed 5.1 version.
MS05-015 is not as critical for servers
Among the patches rated "critical," I disagree with this assessment for MS05-015 (888113). The bulletin indicates that the "entry point" of this vulnerability is clicking an e-mail or visiting a malicious Web site. When I’m on my servers doing administrative tasks, I only surf to Web sites like Microsoft.com or Windows Update. So I won’t be fast-tracking this one at all for my servers. Workstations will get a bit more attention to this, but not my servers.
The second round of patching
Later on this week I’ll deploy the rest of the patches, especially those for Office. Remember that to patch Office XP at this time you need to visit the Office Update Web site. You’ll also need your original Office XP media. These security patches will not be included in Windows Update. Again, I’ll be putting more effort on patching my desktops rather than my servers due to the higher risk I feel in the desktops.
Bulletin MS05-010 (885834) includes Windows NT patches two months after the end-of-life of this platform. Microsoft has stated that, in order to continue obtaining patches past December 31, 2004, a firm would have to pay for the patches. On Windows 2000 (especially SP4) and 2003, this patch is not a critical issue. I will patch my servers, but I’ll wait for the best time for my firm, which is normally closer to the weekend.
Last but not least is our “moderate” bulletin of the month. MS05-006 (8879811) affects Windows Sharepoint Services, Sharepoint Team Services, and Small Business Server 2003 (which includes Sharepoint services as the default Companyweb intranet). This issue is obviously of high interest to those admins that host an externally facing Sharepoint site. It’ll be of less interest to Small Business Server 2003 admins who only open up Sharepoint for authenticated users.
Let’s recap the top-priority downloads
I’ve already installed patches to two workstations to begin my "test" routine. Now, to be honest, I had more patches that I wanted to install quickly than ones I would wait to install. So I downloaded MS05-007, MS05-008, MS05-011, MS05-013, MS05-014, MS05-015, the Malicious Software Removal Tool of 890830, MS05-012 and the two .NET Framework patches I needed, 886906 and 886903. This allows me to begin my testing and makes it easier on myself and Windows Update. I’ll install patches on my test server, but not on my real production server until the weekend.
Don’t forget, call Microsoft if all else fails
Remember, as I said in last month’s Patch Watch, that if all else fails, you can always call the technical support line of Microsoft. Any issue with a security patch is a free call, but that still means you have to deal with the after-effects. In the U.S., call Microsoft at 866-727-2338. In other countries, check Microsoft’s support page to look up the correct local number.
Firefox users, be wary of the IDN bug
Just when you thought that being multicultural was the politically correct thing to do, an issue arises with browsers other than Internet Explorer.
Firefox, Mozilla, and Camino have an issue with the IDN or International Domain Name implementation. This allows a malicious Web site to spoof the address displayed in the Address Bar, the SSL certificate, and the status bar. See Secunia’s advisory. Secunia has set up a test Web site where you can check your browser for this issue.
What to do: According to an analysis by Eric Johanson, you can make Firefox immune to this attack. To do so, type about:config in the Address Bar and press Enter. Set network.enableIDN to false. This disables IDN support. Reverse the setting when a patch becomes available.
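The following is an added example, not code from the newsletter, Secunia, or Mozilla. It shows how a defender can inspect a hostname for the condition the IDN spoof depends on: it converts the name to the ASCII (Punycode) form that a browser with IDN display disabled would show, and flags labels that mix scripts. The function names, the script list, and the sample hostnames are assumptions made for illustration.

```javascript
// Added example: flag hostnames that rely on IDN and mix scripts in one label.
// Uses only the global WHATWG URL class (browsers and Node.js).

// Scripts checked for mixing; an assumption for this example, extend as needed.
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Return the sorted list of scripts used by the letters of one label.
// Digits and hyphens belong to Script=Common and are ignored.
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found].sort();
}

// Inspect a hostname: report its ASCII form, whether it uses IDN at all,
// and which labels combine more than one script.
function inspectHost(host) {
  // The URL parser converts IDN labels to their xn-- ASCII form.
  const ascii = new URL('http://' + host).hostname;
  const labels = host.normalize('NFC').toLowerCase().split('.');
  const mixed = labels.filter((label) => scriptsIn(label).length > 1);
  return {
    ascii,
    usesIDN: ascii.split('.').some((label) => label.startsWith('xn--')),
    mixedScriptLabels: mixed,
    suspicious: mixed.length > 0,
  };
}

// Constructed sample: "example" with a Cyrillic "a" (U+0430) in third position.
const SAMPLE_LOOKALIKE = 'ex\u0430mple.com';
```

A label written entirely in one non-Latin script is reported as IDN but not as mixed-script, so the ASCII form remains the value to show or log when the displayed name must not be trusted.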
Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.
The bare facts about MSN Search
By Paul Thurrott
Google is still the place to go for general Web searches. But Microsoft’s new Web index entry, MSN Search, is shaping up as a great alternative when you need something a bit more complicated.
Most Web-savvy users utilize the Google search engine, thanks to its speedy searches and voluminous Web index. But Google isn’t the only game in town. Last week, Microsoft launched the new MSN Search, which features a number of unique features.
In my admittedly unscientific testing, MSN Search doesn’t appear to offer much of an advantage over Google for straight Web searches. Google is — for now — still the champion.
Where MSN Search comes out ahead is in an area that I’ve felt has been lacking for a long while on the Web. While you can search for topics with any search engine, you can’t get facts. You can’t get answers to questions. MSN Search does a reasonable job at this, even though the technology is still young.
How to get the Encarta encyclopedia for free
The key to this kind of searching is the Encarta encyclopedia back-end, which was previously available to users only as a paid service. Now anyone can access the full Encarta encyclopedia — for free — through MSN Search.
There are two ways to do so. First, you could type in a search phrase on the MSN Search home page and then click the Encarta link to search only Encarta’s database. This is a particularly excellent tool for students, of course. But it’s also a great tool for almost anyone. Let’s say you need a pithy quote: Try searching Encarta for an applicable quote.
You will also see Encarta results returned with “normal” searches at MSN Search, usually when you construct a search as a question. For example, type in who shot abraham lincoln? The first result is graphically offset with the text Answer. There are also links for Encarta Answers — which provides more detailed information — and to find out more about Abraham Lincoln.
The new kinds of queries MSN supports
MSN Search now supports the following types of searches:
- Definitions, e.g., Define debacle or What is debacle?
- Math, e.g., 3+3 (will provide the answer, 6), 2y^3 + 4y -10 = 9 (will solve for y), cos 45 degrees
- History, e.g., Who was Einstein? or When was World War II?
- Sports, e.g., Who won Super Bowl XXXVIII? or Who is Joe Namath?
- Conversions, e.g., How many centimeters are in an inch? or How many liters are in a gallon?
- Entertainment, e.g., Who is Paul McCartney? or Who is Michael Moore?
- Geography, e.g., What is the capital of South Dakota? or What is the circumference of the earth?
- Nutrition, e.g., How many calories are there in coffee? or How many carbohydrates are in milk?
Some of the above functions are documented by and available in Google, but MSN Search does a greater variety of calculations, in addition to its Encarta connection.
MSN Search also integrates with other MSN services. If you’re a music lover, you can search for artist or album information and find links to new or favorite music on MSN Music. Like the Encarta results, MSN Music results are graphically offset. And you can play back songs on MSN Music directly from links in the MSN Search results page.
Finally, here’s one last tip. While Google has the advantage of an easily remembered and typed URL, you can actually get to MSN Search arguably as quickly by simply typing msn into the Internet Explorer or Firefox address bar to navigate to the MSN.com home page. Then, type Alt+S to place the cursor into the MSN Search box at the top of the page. From there, you can directly type in your search query and get to work.
Paul Thurrott, associate editor of the Windows Secrets Newsletter, is the author of Windows XP Home Networking, 2nd Ed., and Great Digital Media with Windows XP and the author or co-author of several other books.
You've got a good head on your shoulders
A digital photographer, Susan Hesse, is creating a stir with her Web gallery of faces overlaid on various objects, such as a Napa cabbage bearing the visages of her and her husband, Stephen (photo, left).
She reportedly e-mailed her friends one of these whimsical creations a day for 10 months before a friend, Norman Sanders, surprised her by assembling the shots into a Web site. Now the odd and hilarious images can surprise you, too. Visit Hesse’s site
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
