Security alert: Remove Java from your browsers

Headlong history of electronic invention

“Hacker” manages to be a term of opprobrium and approval. The reissue of a classic book about digital-age innovators reminds us of the dual nature and ambiguous effects of computer hacking. Steven Levy’s Hackers: Heroes of the Computer Revolution tells of the free thinkers who pushed computing in unexpected directions. The 25th anniversary edition of Levy’s book is augmented with new commentary by notable leaders of the digital community. This month, all Windows Secrets subscribers can download an excerpt: Chapter 8, “Revolt in 2100,” a profile of Lee Felsenstein, one of the founders of Community Memory, an early digital bulletin board (and much, much more), in Berkeley, California. If you want to download this free excerpt, simply visit your preferences page and save any changes; a download link will appear. Info on the printed book: United States

Security alert: Remove Java from your browsers

With nearly every news outlet — along with the U.S. Department of Homeland Security — calling for its removal from PCs, who wouldn’t worry about running Java on their computer?

Fortunately, there are steps every Windows user can take to lessen the chances of being bitten by a Java exploit.

Why everyone should be concerned about Java

In the computing world, Java is very nearly ubiquitous. As noted on Oracle’s Java FAQ site, it runs on lots of PCs, but it also runs on “billions of devices worldwide, including mobile and TV devices.” Java is not JavaScript, as Susan Bradley notes in her companion piece, “Java: More than the usual cup of coding coffee,” about what Java is and isn’t.

In this article, I focus on one task — disabling Java in your Web browser(s). It’s the most effective way to protect yourself from most Java-based threats. Yes, some PC users still need Java in their browsers to work with specific websites. But most of us have little to lose and much security to gain by keeping our browsers Java-free. (And yes, Mac users should block Java, too.) Java in browsers has been a malware magnet for years — it’s unlikely that fact will change anytime soon.

I’m not going to review the most recent round of Java exploits, their patches, or new exploits built onto the backs of Java fixes. Java updates are routinely covered in the twice-monthly Patch Watch column. Brian Krebs has an interesting Krebs on Security post detailing the latest war between Java security and hackers.

Scorched earth: Remove Java from all browsers

These days, it’s common for PC users to use multiple browsers. Most versions of Windows have Internet Explorer installed, and many — if not most — PC users are running Firefox or Chrome — or both. On any PC with multiple browsers, the most effective security policy is to disable Java in all browsers; then see what, if anything, breaks. Most likely, you’ll never miss it.

Websites requiring Java are on the decline, but if you hit one, you can just move on to a different site. On the other hand, if your bank, brokerage company, or some other critical site requires Java, then you need to limit your Java exposure. (I’ve been running Java-free for about six months now, and I haven’t missed it one bit.)

Here’s how to disable Java in all your browsers simultaneously. (Note: some of this information was provided in the Jan. 17 Patch Watch column.)

• Step 1. Make sure you have the latest version of Java. My personal preference is to run Secunia PSI (see Fred Langa’s July 26, 2012, Top Story) and automatically keep up to date on all sorts of software, including Java.

  If you don’t have PSI installed, go to the main Java page and, under the bright-red “Free Java Download” button, click the Do I have Java? link. Now click the Verify Java Version button. You should be running Java 7 Update 11 (or later, depending on when you read this column and whether Oracle has its act together). If you don’t have Java 7 Update 11, go back to the main Java page and click the Java download button.

• Step 2. Crank up the Java Control Panel. It’s typically found in the Windows Control Panel. If you don’t see it, try typing “Java” into the Control Panel’s search box (upper-right corner of the CP window). In some unusual circumstances, you might have to go directly to the Java Control Panel applet by navigating to it — C:\Program Files (x86)\Java\jre7\bin or C:\Program Files\Java\jre7\bin (or something similar) — and clicking javacpl.exe.
• Step 3. Disable Java in all browsers. In the Java Control Panel, click the Security tab and uncheck the Enable Java Content in the Browser box (see Figure 1).

  There’s a small problem with this setting’s labeling: The checkbox should say “Enable Java Content in all browsers.” Once unchecked, this setting should disable Java in every browser installed on your system.

  

  Figure 1. Unchecking the Enable Java content in the browser box disables Java in all installed browsers, simultaneously.

• Step 4. Click OK and close the Java Control Panel. A couple of important notes on this process. Java is still installed on your PC; it’s just disabled in browsers. With Java disabled, the Java site will no longer be able to verify the installed version of Java.

You’re ready to start surfing the Web with Java reliably turned off in all your browsers.

Turn off Java in each browser separately

If you must use a site that depends on Java, the best way to limit your Java-exploit exposure is to leave Java enabled in just one browser. Use that browser for sites that need Java, and use a browser with Java disabled for general Web access.

That means you’ll have to leave the “Enable” box in the Java CP checked and manually disable Java in specific browsers. It’s easy to turn off Java in Firefox, Chrome, and Safari, but it’s unbelievably difficult to turn off Java in Internet Explorer. (Don’t shoot me — I’m just the messenger.)

In a perfect world, it’s best to turn off Java in IE and Firefox but leave it enabled in Chrome, which is smart enough (and polite enough) to explicitly ask you for permission to run a Java program whenever it encounters one (see Figure 2).

Figure 2. By default, Chrome always asks before running a Java app.

But as I said, turning Java off in IE is difficult — so difficult, it isn’t worth the effort. Here are the steps for disabling Java in Chrome and Firefox — and, if you’re feeling lucky, IE.

• Chrome: In the browser’s address bar, type chrome://plugins and hit Enter. Scroll down to the entry Java (2 files) – Version: 10.7.2.11 (or 10.7.2.21), and click the Disable link. Restart Chrome and you’re done.
• Firefox: By default, Firefox disables outdated Java plugins. If you have an old version, it might not show up on the Firefox Plugins list. To check, click the Check to see if your plugins are up to date link at the top of the Plugins list.

  To disable Java, click Firefox’s Tools menu option and select Add-Ons. Select the Plugins tab (“plugins” and “add-ons” are used somewhat interchangeably) on the left, and scroll down to Java(TM) Platform SE 7 U11. Select it and click Disable. Repeat for any add-ons you see that refer to Java, then restart Firefox. Easy.

• Internet Explorer: I’ve looked all over the Net and talked to several of my security-enhanced friends, and I’ve not found a better way than the one documented by (gulp!) the Department of Homeland Security/Carnegie Mellon’s CERT site.

With the CERT approach, you download and run a Registry-altering file that zaps almost 800 possible Java entry points in Internet Explorer. You then delete two files which you have to find manually. It’s ugly. More to the point, nobody’s absolutely certain that the CERT approach (or Microsoft’s method, given in KB 2751647) will protect IE from future attacks. So running through this process is not only difficult; it might be insufficient.

So now you know why I recommend that you disable Java for all your browsers and take your lumps.

I have no idea why Microsoft made it so hard to disable Java in IE, particularly when it’s such a simple process in Firefox and Chrome.

Should you use a 'Hosts file' hack on Windows?

All Windows versions allow you to use a Hosts file as a way to block ad-serving and malware-infested sites.

Although it’s possible to use Hosts files for that purpose, there are good reasons not to. Here’s how they work and why they’re impractical for most PC users.

Using an aging security concept to block sites

Reader John has used Hosts files in the past and would like to use them again on Windows 8.

• “Is there anything similar to MVPS [site] Hosts files for Win8? I really miss all the junk-blocking it did.”

Glad you asked, John! The Hosts file question comes up just about every time a new Windows version is released. In fact, I remember discussing Hosts files back in the Win98 days — in the original LangaList!

Yes, Win8 (like all previous Windows versions) can still use a Hosts file for blocking suspect or malicious sites. I’ll even show you how, in a moment. First, however, let me review why I thought using Hosts files was a bad idea back in the Win98 days — and still is today.

Once you have all the facts, you can decide for yourself.

An aging security concept is easily subverted: Hosts files are a vestige of 1970s networking technology, dating all the way back to Arpanet, the precursor of today’s Internet.

Arpanet (Wikipedia info) was an early networking and communications service. Decentralized by design, every machine on the network had to maintain its own local list of addresses for every other machine hosting Arpanet services. This list — just a plain-vanilla, manually maintained, static, text file — was called a Hosts file. There weren’t that many Arpanet machines at first, so the Hosts files were small and worked fine.

As PCs came into use, some of their users needed a way to attach to Arpanet. So Hosts-file technology was added to their new machines. At about the same time, PCs were also connecting to a new type of network: local area networks (LANs). LAN technology borrowed the Hosts-file concept. As a result, early PC operating systems (Apple, MS-DOS, PC-DOS, UNIX, etc.) allowed the use of Hosts files.

Eventually, the concepts of Arpanet evolved into the public Internet, and Arpanet was shut down. As thousands of machines came online, the limitations of Hosts files became all too obvious: it was absurd to have every machine maintain a local, static, text-file list of all other available machines. Hosts files become ridiculously long, and the task of manually updating them (as computers were added or removed from the list or had their addresses changed) became extremely labor-intensive. The Hosts-file system was simply no longer up to the job.

The solution was (and still is) the Internet’s centralized, domain-name system (DNS; info). To look up the current address of any system (workstation or server) on the Internet, computers now contact an always-current, automatically updated, domain-name server.

Although DNS made Hosts files obsolete for Internet connections, personal-computer operating systems still allow the use of Hosts files for LANs and for backward compatibility.

A new application for an old technology: In the 1990s, clever geeks realized they could use the old Hosts-file technology in a new way: use a Hosts-file entry to redirect a PC away from malware-infested or ad-serving sites. The PC ends up at a known-good or null site. (With a null site, the connection doesn’t fail, but it also doesn’t actually go anywhere.) It seemed like such a great idea that some user groups and businesses circulated custom Hosts files to keep PCs away from possibly troublesome sites.

It worked — up to a point. Unfortunately, the owners of hostile sites soon countered by simply changing network addresses, immediately making installed Hosts files partially or completely ineffective. To update a Hosts file, someone had to generate a new file with accurate addresses and then distribute it to all participating PC users. In the meantime, the malicious sites could have easily changed their addresses, once again.

To make matters worse, some malware makers started writing simple, tiny malware programs that altered Hosts files (they’re just plain text!) on target PCs. They effectively hijacked legitimate network addresses. A victim might, for example, click on Google.com, Facebook.com, or their credit-card or banking site, and the altered Hosts file would redirect those clicks to a malicious Web server — with the victim none the wiser.

As the Internet grew exponentially and the custom, site-blocking Hosts files got longer and longer, quality control issues arose. Bad judgment, malice, or even simple typing errors could result in blocking perfectly valid sites.

To my knowledge, the two best-known sources of site-blocking Hosts files are BISS Hosts File Manager (site) and the one you mention, MVPS Hosts (site). Together, their custom Hosts files contain some 100,000 site entries!

Those gigantic lists have to be accurately and constantly updated. Think about it!

That’s primarily why I believe Hosts files are not the way to go for site blocking. It’s far better to use the automatic, dynamic, heuristic, self-maintaining protections of fully current browsers and up-to-date anti-malware tools. With them, I think you’ll get superior, reliable, automatic protection against malware and hostile sites without having to resort to a technology that’s 40 years out of date.

Applying Hosts files in Windows 8: All that said, if you still want to use Hosts files, you can do so in Windows 8. If you tried it and ran into trouble, it’s most likely because Win8’s built-in version of Windows Defender locks down the Hosts file to limit its misuse and modification by malware. (A good thing, I think.)

You can, however, gain full access to the Win8 Hosts file by excluding it from Windows Defender’s protections. Here’s how:

• Press the Windows key, type Windows Defender, then press Enter.
• When Windows Defender opens, click the Settings tab. In the left pane, click Excluded files and locations.
• Click Browse and navigate to the Hosts file location (usually C:WindowsSystem32Driversetchosts).
• Click Add and Save changes, as shown in Figure 1.
  

  Figure 1. You can exclude the Win8 Hosts file from Windows Defender's protection, if you so choose.

It’s a bit more drastic, but you can also gain full access to Win8’s Hosts file by totally disabling Windows Defender. On the same Defender Settings tab, click Administrator (in the left pane), uncheck Turn on Windows Defender, and then click Save changes.

Of course, if you disable Windows Defender, be sure to install some alternative anti-malware tool, so you won’t be running completely unprotected.

Bottom line: A Windows Hosts file can be used for site-blocking, but there are potential pitfalls to using disco-era networking technology to solve current-day Web-security problems!

System suddenly slow to boot and loses Wi-Fi

As is often the case, Dave Healey’s trouble came out of the blue:

• “A few days ago, my laptop suddenly began taking about 10 to 15 minutes to boot. (Prior to that, it was taking two or three minutes.) At the same time, the laptop apparently stopped automatically launching Wi-Fi on bootup. (I can still launch it manually.)

  “These two issues didn’t develop gradually. One day all was well; the next day I had these two problems. I didn’t make any changes to my system (that I am aware of). Any ideas?”

Almost surely, some automated update process (for Windows or third-party software) went awry. But because you know when the trouble started, the fix should be easy!

Start with Windows’ System Restore to roll back your system to its state just prior to when the problem first appeared. (Need help? Click Windows’ Start/Help and search for System Restore. Or see Microsoft’s “System Restore” page.) This should resolve the trouble, but it won’t necessarily tell you what went wrong.

If you want to try to figure out exactly what went wrong, you might identify the files that changed by using Windows Search’s ability to find files created or modified on a certain date or between certain dates. Click to Microsoft’s “Advanced tips for searching in Windows” page and scroll down to Adding search filters.

Either way, by using a date-specific fix, you should be able to set things straight in short order!

Two ways to fix long right-click delays in XP

Stuart McFadyen’s XP machine has developed trouble:

• “Just recently, my XP SP3 system started pausing for up to 30 seconds after I right-click the mouse, such as when trying to launch Properties. Any ideas?”

There are two common causes for this problem. One is excessive CPU load; Microsoft details a fix in MS Support article 819101. The other is XP’s context menu handlers, which you can explore with NirSoft’s free ShellExView tool (site). On Ramesh Srinivasan’s Windows XP MVP site, you’ll find excellent instructions for using ShellExView to solve XP’s right-click problems.

Recommended email junk remover — and saver

Australian reader John Ferris is following up on a recent discussion (Oct. 25, 2012, LangaList Plus) of Mozilla’s Thunderbird email client and its alternatives.

• “I use Thunderbird as my main email. A neat program called MozBackup (site) allows complete backup and restoration of my mailboxes. Works exceptionally well and is free.

  “Probably the best email spam filter available is MailWasher Pro (site). I’ve tried quite a few mail cleaners over the years, but this one is the easiest to set up. Once trained, it automatically gets rid of junk from the server. It works with Outlook and Thunderbird.”

Thanks, John! Mailwasher is free to try for two weeks. After that, it’s U.S. $30 per year, on up to three PCs.

As if paying taxes weren't hard enough

Sometimes your software makes your tax-paying ordeal even mightier.

Lounge member hodget’s first obstacle to completing his tax preparation was upgrading TurboTax. He turned to the “Other Software” forum for help, where at least he got what he needed to get to square one of the tax-paying task. You, too, might benefit from tax-software upgrade assistance.

The following links are this week’s most interesting Lounge threads, including several new questions for which you might have answers:

Office Applications
General Productivity	Microsoft Home Use Program for Office 2013
Word Processing	Author of Word 2010 document
Spreadsheets	Global text search-and-replace on sheet tabs
Databases	Open or convert database file into earlier Access version?
Presentation Apps	Where is Paintbrush Effect in PowerPoint?
Visual Basic for Apps	Word 2010: Can you populate listbox from building blocks?
Microsoft Outlook	Recover Outlook when it won’t load properly?
Non-Outlook E-mail	Windows Mail recently slowed
Windows
General Windows	Install SSD and keep SATA drive for data
Windows 8	Win8 prevents BIOS access
Windows 7	Problem resizing C: partition
	Custom installation: Item selection?
	Seeing Task Host Window message and slowed shutdown
Windows Vista	Need help with repair install
Windows XP	Please help me find Windows Movie Maker
Windows Servers	Upgrade Win2000 server to Win2008 or leave it alone?
Internet/Connectivity
Internet Explorer	Need two Internet Explorer shortcuts?
Third-Party Browsers	Firefox and Norton problem?
Application Servers	FTP server problem
Networking	Usernames and passwords for router setup
Social Media	Google Sync question
Software Development
Windows Programming	Batch file needed
Other Technologies
Security & Scams	Want to be rid of Java, again
Maintenance	Removing Norton Online Backup trial version
Hardware	About bootable USB Flash drives?
Graphics/Multimedia	Lucid Virtu MVP and video editing
Other Applications	Trying to upgrade TurboTax Deluxe for 2011

starred posts: particularly useful

If you’re not already a Lounge member, use the quick registration form to sign up for free. The ability to post comments and take advantage of other Lounge features is available only to registered members.

If you’re already registered, you can jump right in to today’s discussions in the Lounge.

Pursuit of high-risk happiness via surfboard

By Kathleen Atkins Some people, not naturally endowed with feathers or fins, go to a lot of trouble for their flying-over-water fun. Among these are the contestants in the Mavericks Invitational big-wave surfing competition, where the waves can loom 100 feet high. This year’s event took place Sunday, January 20, at Half Moon Bay in California. I prefer thrills like these second-hand and can do so, thanks to the intrepid videographers who shot these sequences. Who knows — after watching the ultimate surfing challenge, you might be tempted to take your chances on (somewhat smaller) waves. Play the video

Java: More than the usual cup of coding coffee

In this week’s Top Story, “Security alert: Remove Java from your browsers,” Woody Leonhard discusses why and how you should remove Java from your browsers.

PC users conflate Java with JavaScript, and while both are vulnerable to malware attacks, Java is the more vulnerable of the two. Here’s a quick tutorial on Java.

Java and JavaScript: Shared name, different code

What’s the difference between Java and JavaScript? In a recent webcast (which talks about a JavaScript threat in IE), Microsoft MSRC Program Manager Dustin Childs stated, “Java is to JavaScript as Ham is to Hamster.” More specifically: though both are programming languages, Java is used to create applications; JavaScript is used primarily as a scripting language within programs and webpages. As noted in the Wikipedia JavaScript page, JavaScript adopts “many names and naming conventions from Java, but the two languages are otherwise unrelated and have very different semantics.”

From a malware-prevention perspective, the distinction between the two languages is important. It’s Java that we’re regularly updating on our PCs (if we have it installed). But even with the most up-to-date version of Java, we’re still vulnerable to malware attacks, as reported in an ISC Diary blog post.

JavaScript is still frequently used for creating dynamic, interactive webpages. Java, on the other hand, is used by fewer and fewer applications. I use only two applications that rely on Java: one is a Dell DRAC card, used to remotely access servers; the other is software used to adjust and configure some D-Link webcams. Neither application is critical to my day-to-day computing.

The ultimate cross-platform application language

Many developers love Java because they can code an application once and run it on a wide variety of platforms. You’ll find Java on Windows, OS X, Linux, and Android devices. According to Oracle, it’s also found on many dedicated devices such as cable boxes, DVD players, and routers — even ATMs and parking meters. (It’s not natively supported in iOS.)

“Code once” doesn’t mean never update. As with browsers and other apps, staying as secure as possible means always updating to the latest Java. If you have a bank or other financial institution that demands a version prior to Java 6, you really need to question that firm’s security stance — as well as its concern for your financial assets. Contact the firm and ask someone why they’re not protecting you as well as they should. Even a Java help page recommends:

“If you are being asked to run an application on an older version of Java and this version is installed on your machine, we strongly recommend trying the application with the most current version of Java installed on your system first.”

As detailed by Michael Horowitz on his Java Tester site, a Java component — called Java Virtual Machine or Java Runtime Environment — must be installed on a computer before Java programs will run. An Oracle Java page states:

“The JRE consists of the Java Virtual Machine (JVM), Java platform core classes, and supporting Java platform libraries. The JRE is the runtime portion of Java software, which is all you need to run it in your Web browser”.

Although you’ll typically see Java listed among your installed apps and add-ons, it’s the runtime components you’re disabling — if you follow the instructions in Woody’s Top Story, “Security alert: Remove Java from your browsers.”

Common — and uncommon — apps that use Java

Computers often come with Java components preinstalled. Michael Horowitz notes that trying to keep up with applications that demand Java is difficult. In his April 9, 2012, blog, Ed Bott listed numerous apps that use Java. Michael followed up with the following list:

• GoToMyPC — works more easily with Java, though it’s not required
• GoToMeeting [Java not required with newest browsers]
• GoToWebinar [Java not required with newest browsers]
• Scottrade
• The Wall Street Journal website, wsj.com, uses Java for dynamic charts
• Secunia’s Online Software Inspector
• ThinkFree Office Online
• FreeMind — mind-mapping software
• France’s online voting system
• LuxSci webmail — Java used only for some advanced features
• time.gov — the official U.S. time site (Java can be disabled)

Of those applications, I’m most concerned that Secunia’s Online Software Inspector requires Java for its scanning processes. I recommend switching to Secunia Personal Software Inspector (site) to scan your PC for needed updates.

The threat from Java-based attacks

If you must run Java on your computer and in a browser, how vulnerable are you? Merely stumbling across a website that has a Java-based attack script could result in an infection. But how prevalent are these attacks? Therein lies the rub; it’s hard to tell whether a new zero-day exploit will be a passing worry or a major threat. Like Woody, I recommend erring on the side of caution and removing Java. Then see what breaks.

That said, keep in mind that Java on the desktop is not the same as Java JRE in the browser. Using Java to attack a PC via a browser is much easier than using Java on the desktop. (As mentioned above, JavaScript can be a path for malware. NoScript [site] is a popular Firefox extension for quickly enabling and disabling JavaScript.)

When a HomePlug network suddenly stops working

What do you do when your home network suddenly dies? If you’re like me, you waste time and money replacing devices that don’t need to be replaced.

But if you’re smart, you’ll read about my misadventures in network troubleshooting — and learn from my mistakes.

Networks fail at the most inopportune times

Just before Christmas, my HomePlug network suddenly died, killing Internet access in the front half of my house and depriving my family of Netflix, Hulu Plus, and other assorted, essential entertainment. The teenagers, needless to say, were restless.

I found a solution, but I also wasted considerable time and bought products I didn’t need. In my rush to fix the problem, I forgot two rules of network troubleshooting: Test all possible cheap-and-easy fixes before going on to the difficult and expensive ones; when you find a networking solution that’s remarkably easy to set up and use (something that’s truly plug-and-play), just wait — it’ll eventually turn on you.

HomePlug: The network inside your power grid

For those unfamiliar with HomePlug: it’s a technology that lets you run your home or small-business network over the local AC electrical system. To make it work, you need at least two HomePlug-certified adapters. Each HomePlug adapter plugs into a standard AC wall socket and has at least one Ethernet port. Some have multiple Ethernet ports and/or built-in Wi-Fi; they might also have an AC socket, so you don’t have to sacrifice an outlet for the network. That’s particularly convenient because these adapters won’t work when plugged into most surge protectors.

Setting up a HomePlug network can be astonishingly easy. Just connect one adapter to the router via an Ethernet cable and plug it into a wall socket. Plug another adapter into a socket in another room, and that room suddenly has a working Ethernet port.

Is it better than Wi-Fi? That depends on your router’s location, the layout of your house, and what the house is made of. Simply put: If your wireless network doesn’t extend into all parts of the house, HomePlug is an extremely easy way to bring your network to underserved areas.

A HomePlug system is also faster than Wi-Fi. Although I’ve never come close to HomePlug AV’s theoretical 200 megabits-per-second (Mbps) performance, I have clocked speeds above 70 Mbps. My home’s 802.11n network rarely gets above 40 Mbps.

(If you use your home network primarily to access the Internet, HomePlug’s speed is academic. Network speed simply isn’t an issue, as long as the internal network is faster than your Internet connection.)

A quick note on terminology: You’ll often find HomePlug and Powerline used interchangeably. Technically speaking, however, “Powerline” refers to the technology; “HomePlug” is a specification that lets Powerline adapters from different companies work together.

Home-networking paradise — then purgatory

My HomePlug experience started back in 2009, and it looked like a networking technology made in heaven — I just plugged it in and it worked.

And I really needed it to work! Because I work at home, testing and writing about technology, my router must reside in my home office — a semi-basement at the back of the house. The router broadcasts an acceptable Wi-Fi signal into the rooms immediately above my office (and into the back yard), but the front of the house had long been a Wi-Fi wasteland. That included the TV room, where we particularly wanted a wireless connection.

I tried various solutions for extending my Wi-Fi, but none worked acceptably. So I tried a Belkin Powerline AV+ Starter Kit; I plugged in the two adapters and immediately had three Ethernet ports available to my home-theater system.

Over the next few years, I extended the range of my Wi-Fi by adding two D-Link PowerLine AV Wireless N Extenders (more info). These adapters were a bit more difficult to set up; I had to give them network IDs and passwords. (The trick was to give them the same name and password as the router’s Wi-Fi network. That way, they effectively become different points on the same network.) Those additions gave us full-strength Wi-Fi throughout the house.

The HomePlug network was effectively out of sight, out of mind — until a few days before Christmas, when my daughters informed me that “the Internet was dead.” It didn’t take me long to determine that the Internet as a whole was healthy, as was our connection to it. But our HomePlug network was down for the count.

Because none of the adapters was working, I assumed there was a fault with the nearly four-year-old Belkin adapter in my office, or possibly with the Ethernet cable that connected that adapter to the router. Swapping cables didn’t help, so I figured that the problem had to be the adapter. Big mistake!

Unable to imagine life without full Internet access throughout the house, I rushed out to the nearest big-box store and plunked down U.S. $60 for the only HomePlug package it had — the D-Link PowerLine AV + Mini Adapter Starter Kit (more info).

Figure 1. D-Link's PowerLine AV + Mini Adapter Starter Kit (DHP-309AV) comes with two surprisingly small HomePlug adapters.

I replaced the Belkin adapter connected to my router with one of the new D-Links, and everything started working again.

Happy ending! Well … not quite.

Nightmare on HomePlug Street: The Net fails again

Shortly after reviving the network, I did some LAN performance tests. The results were disheartening: my HomePlug network was chugging away at about 16 Mbps — fast enough to handle our Internet connection, but pathetic for home networking.

Things got worse on New Year’s Day, when the HomePlug network died again. Those new adapters proved to be only a temporary fix.

We left on vacation that night, which let me ignore the problem for a few days. But once home, I was immediately back to playing computer tech. For testing purposes, I picked up another HomePlug starter kit — NETGEAR’s $130 Universal Internet Adapter for Home Entertainment (more info).

Figure 2. Netgear's Universal Internet Adapter for Home Entertainment – 3D HomePlug kit

I plugged it in and — you guessed it — still no luck!

It was only then that something occurred to me. One of the LEDs on every HomePlug adapter indicates the signal strength coming through the power grid. Every adapter I’d tried in my office displayed either a weak or inconsistent signal — or no signal at all.

Puzzled, I plugged one of the adapters into an outlet in my kitchen, which is next to my office. It had a strong, solid signal. I ran a long Ethernet cable from my office to the kitchen (stringing it so that no one would trip over it) and soon had the network back up and running.

Surprisingly, when I ran my network benchmarks again, my HomePlug speed was the fastest I’d ever recorded. (If I’d just moved the adapter to the kitchen first, I’d have a bit more money in my pocket — and fewer gray hairs.)

The cause of my travails

I had found a solution — or at least a workaround — but that’s hardly the same as discovering what had brought down my HomePlug network.

HomePlug performance can be compromised in several ways, such as by poor-quality AC wiring in your house, electromagnetic radiation from other electronic devices, appliances, and whole-house surge protection.

But what changed in my home (or, more specifically, what suddenly made my office HomePlug-unfriendly) was — and still is — something of a mystery.

Large appliances such as a washer, dryer, or refrigerator, can wreak havoc on a Powerline network. This can happen with a new appliance — plug it in and the network dies. I had not installed any new appliances, but it’s possible that an old one that’s slowly deteriorating could be the cause. Moving the adapter to another circuit (as I did) can fix the problem (and is cheaper than replacing the refrigerator).

The adapters themselves can also deteriorate — although, as I learned the hard way, that wasn’t my problem.

Something within the electrical system of the house (especially an old house) can be deteriorating and cause interference.

Another possibility: In theory, Powerline signals never leave your house’s power grid, but that’s not always the case. A neighbor’s HomePlug network could affect yours. (Powerline networks can really hurt ham radio broadcasts, but I’ve never heard of problems going the other way.)

Figuring out exactly what caused the failure might take some time. I suspect that, whatever the cause, it has been building for a while. Those tests I made just before the network died that showed a surprisingly low bandwidth? The network might have been getting slower for years — and we didn’t notice because it was still faster than our Internet connection.

At this point, I’ve got a working HomePlug network, so I guess I should be happy. (The teenagers certainly are.) Besides, if I did solve the basic problem, I’d have to take down that Ethernet cable.

So what can you learn from this? When troubleshooting a network (HomePlug or otherwise), don’t replace an expensive piece of hardware until you’ve tested every other possibility. And remember that networks are somewhat like Manhattan real estate — it’s all about location.

Tackling the thorny .NET update process

It’s time to revisit the many .NET Framework updates, starting with the often problematic Windows XP/.NET update process.

Windows 8 also has a few platform fixes, and there are a few leftovers for Vista and Windows 7.

Typically, Patch Watch items are broken down by patch number. But due to the complexity of .NET updates, I’ve divided them up by platform. For more on these updates, see MS13-004 and MS13-007.I’ve not seen reports of problems with any of these .NET updates — aside from the usual installation problems.

Installing .NET updates on Windows XP

Windows XP SP3 and XP Pro x64 SP2 users should see one or more of the following .NET updates:

• KB 2742595 for .NET 4
• KB 2742596 for .NET 2.0 SP2
• KB 2742597 for .NET 1.1 SP1
• KB 2742607 for .NET 1.0 SP3
• KB 2736416 for .NET 3.5 SP1
• KB 2736428 for .NET 4
• KB 2756918 for .NET 3.0 SP2

Windows XP doesn’t typically ship with .NET installed; it accompanies any application — such as QuickBooks and video-card control panels — that needs it. However, it’s not unusual to find .NET 1.0 or 1.1 on Windows XP systems.

The less-common .NET 4 typically shows up with the latest version of QuickBooks 2013 and other recent business applications. If you see .NET 4 and you are fairly certain you don’t have an application that needs it, it’s possible that Microsoft Update installed it. To pave the way toward new and better apps, Microsoft offers .NET 4 to any system with .NET 3.0 or 3.5 installed. Microsoft needn’t be so pushy; most of the business software I use includes .NET 4, if it’s required.

Adding .NET patches to Windows XP. Patching .NET on XP systems is a crapshoot — it either installs nicely or fights you all the way. Start by reviewing the process of running Aaron Stebner’s .NET Framework Cleanup Tool (site), so you can remove and reinstall any .NET updates that fail. Aaron states that this tool should be used when all else fails. I believe just the opposite: it’s the first tool I go to when .NET fails to install.

Keep in mind, however, that .NET is like Java: you need it only if an installed application uses it. If a particular .NET update (especially .NET 4) fails to install, skip it — and hide it in Windows Update.

What to do: Try installing any of the .NET updates listed above that show up in Windows Update. Either skip any failed updates or use Stebner’s .NET removal tool.

.NET updates for Windows Vista

Vista shipped with .NET 2.0 and, more often than not, also has .NET 3.0 installed. Vista SP2 users might see any of these updates, including multiple updates for the same .NET version:

• KB 2736416 for .NET 3.0 SP1
• KB 2736428 for .NET 4
• KB 2742595 for .NET 4
• KB 2742597 for .NET 1.1 SP1
• KB 2742595 for .NET 4
• KB 2742601 for .NET 2.0 SP2
• KB 2742613 for .NET 4.5
• KB 2756919 for .NET 3.0 SP2

You should get updates for .NET 4 and 4.5 only if those two versions of .NET are already installed on your system.

What to do: Install any of the above .NET updates offered. Updating .NET on Vista typically goes more smoothly than on XP. But as with XP, skip and hide any updates that fail.

.NET updates for Windows 7 and Win7 SP1

Windows 7 shipped with .NET 3.5, so you’ll surely receive updates for 3.5.1. Windows 7 users could see the following updates:

• KB 2736418 for .NET 3.5.1
• KB 2736422 for .NET 3.5.1
• KB 2736428 for .NET 4
• KB 2742595 for .NET 4
• KB 2742599 for .NET 3.5.1
• KB 2742613 for .NET 4.5
• KB 2756921 for .NET 3.5.1

As with the Vista updates, you should get updates for .NET 4 and 4.5 only if they’re already installed on your system.

What to do: Install any .NET updates offered and skip and hide those that fail to install.

Small number of .NET updates for Windows 8

Windows 8 ships with .NET 4.5 as its native .NET platform. If you see updates for any other .NET versions — such as .NET 3.5 — those versions came along with some application you installed.

Windows 8 users should expect KB 2742614 for .NET 4.5. If .NET 3.5 is installed on your system, you might also see KBs 2736693, 2742616, and 2756923.

What to do: These .NET updates should be failure-free on Windows 8. Install them as you would any other update.

2750147, 2750149, 2770445, 2770446

.NET 4.5 performance and signature updates

Windows 8 and Server 2012 users aren’t quite done with .NET updates. This also applies to Windows 7 and Server 2008 R2 users who have manually installed .NET 4.5.

Both KB 2770445 and KB 2770446 fix a premature digital-signature expiration problem in the original .NET 4.5 for use on Windows 7 and Vista systems. KB 2750147 is a routine “reliability, compatibility, stability, and performance issues” update.

KB 2750149 is another reliability, compatibility, etc. fix, but I’m skipping it because it can break cluster nodes on Server 2012, as noted in an Aidan Finn blog. Microsoft has released a fix in Support article 2803748, but the company might also rerelease the original patch.

What to do: Install KBs 2750147, 2770445, and 2770446. Skip KB 2750149.

2726535, 2786400, 2794119

Optional patches for various nations

Because the January 8 Patch Tuesday was full of security updates, I recommended holding off on several nonsecurity patches. You’re now free to install them — but only if you really need them.

For example, KB 2726535 adds South Sudan to Windows’ list of countries; KB 2786400 changes the default settings for Arabic-text rendering. If you share calendar entries with anyone in Israel and/or Libya, KB 2794119 provides a time-zone update.

What to do: Unless you need KB 2726535, KB 2786400, and/or KB 2794119, hide them in Windows Update.

2763674, 2773072, 2786081

Update odds and ends for Vista and Win7

I put a few other nonsecurity updates into the wait column in the Jan. 10 Patch Watch. KB 2763674 fixed a SHA-256 certificate flaw in Vista; KB 2773072 updated game ratings in Windows 7; and KB 2786081 is a Win7 patch that lets the OS run IE 10 (still in beta) properly.

What to do: I’ve not found any faults with these updates, but I also don’t see any urgent need for them. I recommend that Vista users install KB 2763674. Skip KB 2773072 and KB 2786081 unless they are truly needed.

2793214, 2793216, 2803748

A few more odds and ends for Windows 8

It should be no surprise that we have another round of Windows 8 updates to fix various problems with the new platform. Some, however, leave me scratching my head: KB 2803748, for example, fixes a flaw that should impact only Server 2012 (a Failover cluster–management snap-in fails when you install KB 2750149). Obviously, that can’t happen on a Windows 8 client; but because Win8 and Server 2012 share the same codebase, you get the update offered on Windows 8.

You probably won’t see KB 2793214 and KB 2793216 unless you’re upgrading from Windows 7. They are automatically installed during Win8’s initial setup — before you can even see the operating system.

What to do: If you have to ask whether you need KB 2803748, you don’t. Do install KB 2793214 and KB 2793216 if they show up in Windows Update.

Betweeen a Surface and a hard place

Surface users have had their own unique issues with Windows Update. As noted in a ZDNet blog (and numerous others),
some RT devices went into connected standby mode while installing Jan. 8 updates and locked their users out of the Windows Store and Windows Update. Those updates included a firmware upgrade.

What to do: If you’re one of the unlucky ones, there will reportedly be a fix in early February.

Regularly updated problem-patch chart

This table provides the status of problem patches reported in previous Patch Watch columns. Patches listed below as safe to install will be removed from the next updated table. For Microsoft’s list of recently released patches, go to the MS Safety & Security Center PC Security page.

Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.