There are isolated problems with current patches, but they are well-known and documented on this site.
Symantec edges out ZoneAlarm in Security Baseline
In this issue
- INTRODUCTION: Break time! Next issue will be Feb. 7
- TOP STORY: Symantec edges out ZoneAlarm in Security Baseline
- KNOWN ISSUES: Leaving MSN may be easier than you think
- WACKY WEB WEEK: Pick up the phone, it's Ahnold
- LANGALIST PLUS: Where's the Recovery Console in Windows Vista?
- PC TUNE-UP: ExtraOutlook is a free way to set Outlook loose
- PATCH WATCH: The new IE 7 and Silverlight are coming your way
Break time! Next issue will be Feb. 7
By Brian Livingston
They say honest work never hurt anyone, but we do need a chance once in a while to sleep in between bouts of digging up for you the secrets of Windows.
That’s why we publish our newsletter weekly, except on any 5th Thursday of the month that occurs. Next Thursday, the 31st of the month, is the 5th Thursday in January.
That week, we’ll be locked away, burrowing into Microsoft technical manuals, looking for more tricks to reveal to you — and we won’t publish again until Feb. 7. (We also skip the week of Thanksgiving and the last two weeks of August and December, but you knew that.)
Keep sending us your tips via the Windows Secrets contact page, and we’ll continue to reveal to you the best insider facts that we possibly can. Thanks for your support!
Brian Livingston is editorial director of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books.
Symantec edges out ZoneAlarm in Security Baseline
By Scott Dunn
Symantec’s security suite has gained more first-place awards from respected test labs than the well-known ZoneAlarm suite, pushing Symantec into the top spot in our WSN Security Baseline. We publish the baseline and update it whenever our analysis of the recommendations of leading PC publications and Web sites changes.
Symantec suite garners most editor’s choice awards
Windows Secrets has no test lab of its own and usually doesn’t benchmark products. Instead, we analyze the test results published by numerous computer authorities, such as PC Magazine and PC World. We summarize our findings in the Security Baseline to help individual and small-business PC users see at a glance the add-ons that are needed to protect against malware.
Today, the minimum requirements to protect an Internet-connected computer fall into three categories:
- A hardware firewall, which is usually built into a router;
- A software security suite, including an inbound-outbound software firewall (which is the only firewall possible for portable devices); and
- A patch-management tool to help you remain current with the latest updates.
Since the last update of the Security Baseline, a number of sources have published comparative reviews of security suites.
The highest rated package in two of these collective reviews is Symantec Norton Internet Security 2008 (left, street price about U.S. $50 for three installs). The product garnered an Editor’s Choice from both PC Magazine and PC World. Computer Shopper, however, was less impressed; in its comparison of six security suites, Symantec’s product tied for last place.
The previous Security Baseline front-runner, the ZoneAlarm Internet Security Suite from Zone Labs, received ratings from PC Magazine that were almost as high as those for the Symantec suite. The magazine found the ZoneAlarm suite to be superior in blocking spam, but it scored lower than the Symantec suite in controlling spyware.
By comparison, the PC World roundup placed the ZoneAlarm suite in second-to-last place.
Computer Shopper, which is owned by CNET, inexplicably did not include the ZoneAlarm product in its review of security suites. The magazine gave its suite accolades to BitDefender Total Security 2008. A slightly higher score was credited to Steganos Privacy Suite 2008, but that software has no antivirus function at all, disqualifying it from our consideration for the Security Baseline.
Symantec provides an alternate product, Norton 360, for the less technically inclined who want a simple, all-in-one solution. CNET last year, and PC Magazine in its latest roundup, each gave Editor’s Choice awards to Norton 360 (in addition to PC Mag’s award to the Symantec suite).
If you’re satisfied with your current security suite, I don’t recommend switching at this time. But if your subscription to a security suite is set to expire soon, or if you haven’t installed a suite yet, one of the Symantec products is worth your consideration.
To see all of the top-rated products, visit the Security Baseline. To read the full version of the reviews mentioned above, see:
• PC Magazine: 2008 security suites review
• PC World: top all-in-one security suites review
• Computer Shopper: six security software suite reviews
• CNET: Norton 360 review
For more information on the security suites that rated highly, see:
• Symantec Norton Internet Security 2008
• Symantec Norton 360
• Zone Labs ZoneAlarm Internet Security Suite
One vote for an advanced new router
I pointed out in an article on May 24, 2007, that some routers based on the new 802.11n wireless standard are getting favorable ratings. These reviews are coming out even though the standard itself, which is currently in draft form, may not be ratified by the IEEE (formerly the Institute of Electrical and Electronics Engineers) until 2009. The spec is now in its third draft revision, and more “n” products are appearing all the time.
Since then, PC Magazine on Dec. 17 gave another Editor’s Choice award to a new product, the Linksys Dual-Band Wireless-N Gigabit Router WRT600N. With prices between $242 and $280, this router is decidedly more expensive than the magazine’s previous Editor’s Choice, the NetGear RangeMax 240 WPNT834 (about $100), and may be more advanced than many users need.
The WRT600N offers a firewall and wireless security, along with four 1-gigabit Ethernet ports. In addition, the product features a USB port for attaching external storage devices to make files available throughout your network. (The reviewer did note some difficulty getting this to work in Windows XP.)
Most users are not likely to need a router of this speed and power today. But if you’re currently in the market for a secure router anyway, PC Magazine gives this one its full endorsement.
• PC Magazine: Linksys Wireless-N router review
• More info: Linksys WRT600N
Use Secunia and Software Patch for updates
In addition to the hardware devices and software protection described above, you also need a way to get regular security patches and updates for both Windows and any other software you install.
We recently added the Secunia Software Inspector to our Security Baseline page. This free service scans your hard drive, quickly and easily determining which software on your system needs updating. You’re alerted not only to updates for Windows itself, but also for applications from many other vendors.
To download and install the actual updates, check out my Oct. 4, 2007, article on the pros (and a few cons) of using The Software Patch. This site makes Microsoft and non-Microsoft updates available in one easy-to-navigate service.
As more products are reviewed by reputable industry analysts, we’ll continue to update the Security Baseline with the tools you need to keep your system secure. But it’s up to you to check your system with Secunia and Software Patch at least once a month to make sure you have the updates you need.
Have a tip about Windows? Readers receive a gift certificate for a book, CD, or DVD of their choice for sending tips we print. Send us your tips via the Windows Secrets contact page.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.
Leaving MSN may be easier than you think
By Scott Dunn
Some readers of my Jan. 3 and Jan. 17 articles on the shrinking appeal of MSN Premium asked what they might lose if they canceled Microsoft’s for-pay service, which is now duplicated by features in the company’s free Windows Live and Windows itself.
The facts show that fears of losing one’s e-mail address or dial-up access are groundless.
Are there any reasons to keep MSN Premium?
Regarding my Jan. 3 story on MSN Premium, which many people subscribe to for $9.95 per month, David S. Ritchey writes:
- “Just wanted you to know how happy I was when I read the first article on paid MSN vs. free Live mail offerings. I immediately called and canceled my MSN subscription. They were very polite, walked me through everything to expect, allowed me to keep all 5 family e-mail accounts active, and even credited me back some of the unused month. No hassle.
“Needless to say, after saving me all that money, I’ve upgraded to the PAID version of your newsletter, also! Thanks for alerting all of us suckers out there paying $9.95 a month for nothing!”
It’s good to hear that David experienced no problems cancelling his MSN subscription. (To get the paid version of the Windows Secrets Newsletter, please see how to upgrade.)
David’s experience also answers a question posed by more than one reader. For example, Dan Rambow wrote to explain why he still keeps his MSN Premium account:
- “Why do I pay that $9.95 per month? There are two reasons:
“First, I would lose the e-mail address and account name I have had for more than 12 years, as Microsoft will not transfer the old name to the new account. In my case, since I have so many accounts that respond to that e-mail address, I don’t really want to lose it.
“Second, I need an emergency dial-up Internet account, should the DSL go down (yes, it happens once in a while), or if I should be traveling, say, to my 83-year-old mother’s home, where the Internet and computers are still considered science fiction.”
Dan and others who raised these points appear to be laboring under some misconceptions.
As David’s letter above shows, Microsoft will allow you to keep your e-mail address, even if you cancel your paid account. This is confirmed in a post to a Microsoft online forum by moderator Stephen Boots. He writes (in the 4th comment in the thread) that, if you cancel your MSN subscription, “all of your @msn accounts will become free accounts that can be accessed via www.hotmail.com.”
As for the question of dial-up, check with your current Internet service provider (ISP). It very well may offer dial-up numbers. Many ISPs have such numbers for customers to use if normal service is not available, although dial-up service is no longer emphasized.
If your ISP does not provide a dial-up option, chances are still good that you can find a free solution, simply by using your favorite search engine to query on free dial-up.
Still more ways to access Administrative Tools
In the Jan. 17 issue, I explained how to make Administrative Tools appear on the Start menu in Windows XP and Vista.
Reader Daniel Brunt has a tip that’s useful for computers that you can’t or don’t want to reconfigure:
- “I work on a lot of different machines for different companies, so I just find it much easier to access Administrative Tools via their default hiding place: Start, Control Panel, Administrative Tools.”
Ironically, although the Administrative Tools folder can reliably be found in the Control Panel, the method you use to open the Control Panel can vary depending on how the Start menu is configured.
For example, the above steps should work for the default Start menu in XP and Vista. But if you use the “classic” Start menu, you need to choose Start, Settings, Control Panel, Administrative Tools.
Furthermore, if the above steps open Control Panel in its default “category view,” you may need yet another click — selecting either Switch to Classic View (on the left) or Performance and Maintenance — before you can open Administrative Tools.
Perhaps the simplest and most consistent way to open the Control Panel is to press Windows+R (the Windows key and the letter “r”) to open the Run box, type control, and press Enter.
If you use Vista’s default Start menu, you can always type administrative tools in the Find box and press Enter.
Readers Ritchey, Rambow, and Brunt will each receive a gift certificate for a book, CD, or DVD of their choice for sending comments we printed. Send us your tips via the Windows Secrets contact page.
Pick up the phone, it's Ahnold
The campaign trail can be a grueling, cold, and humorless place. What better way to brighten the day than with a supportive call from the Governator himself?
At least that’s what Matt Romney, the son of Republican presidential candidate Mitt Romney, thought when he decided to play a practical joke on his father. Let’s hope that a sense of humor runs in the Romney family!
Where's the Recovery Console in Windows Vista?
By Fred Langa
The good ol’ Recovery Console from Windows XP has morphed into five separate Vista tools. XP’s console was good for system recovery after a crash, but it’s gone in Vista, replaced by different tools and a whole new front end.
What to do if Vista just won’t start
If you’ve ever had to use it, you already know that the Recovery Console in XP can be a godsend. In those (thankfully rare) situations when XP won’t start, even in Safe Mode, the Recovery Console gives you limited, low-level access to the guts of an XP installation.
You start the Recovery Console by booting your PC from an XP installation CD and selecting the program from the text menu that appears. It’s also possible to install Recovery Console from the CD to your hard drive so you can run the program without using the CD. (Microsoft’s complete description of the Windows XP Recovery Console, including how to install and use it, is in Knowledge Base article 314058.)
Running the Recovery Console allows you to (1) copy or repair some key operating system files and folders; (2) control devices and services that want to run at startup; (3) repair some kinds of hard drive errors; and so on.
One of our readers named Ed was a fan of XP’s Recovery Console and was surprised to find it missing in Vista:
- “What happened to the Recovery Console? What are you supposed to do if Vista just plain won’t start?”
Well, Ed, there’s good news and bad news. The bad news is that Vista doesn’t offer a Recovery Console. The good news is that Vista offers a mixed bag of alternative tools called System Recovery Options.
Some of these tools are actually better than their Recovery Console equivalents. Some aren’t.
What Vista calls ‘System Recovery Options’
As you probably know, XP’s Recovery Console is a rather raw-boned, nonintuitive tool that operates via the command line and some primitive text menus.
Vista’s System Recovery Options tools, by contrast, are an attempt by Microsoft to make the recovery process a little more accessible. For example, instead of nothing but a naked command line, there’s now a simple, point-and-click menu you can use to access the various tools.
If you have a Vista installation CD, that’s where you’ll find the System Recovery Options menu. If your computer came with one of those disk-image, all-or-nothing restoration CDs, then it’s possible that the manufacturer preinstalled the Recovery Options on your hard drive.
Sad to say, some manufacturers don’t ship all the normal tools with Windows. The only way to see what you have is to check what came with your computer or go to the manufacturer’s Web site.
To access the tools on a normal Vista setup CD, you must boot from the CD. (If you don’t boot from the CD, the System Recovery Options menu will not appear.)
Normally, to boot from the CD, you power off your computer, insert the CD, and then power up. If your computer isn’t configured to boot automatically from a CD if one is present, there’s usually a relatively easy way to make your PC do so by configuring its BIOS settings. Again, you’ll have to check your manufacturer’s Web site for the specifics.
When the Vista installation screen appears, click the Repair your computer link in the lower-left corner of the screen.
After loading many files into memory (it takes a minute or three), the Vista install process will then offer you regionalization choices, such as your preferred language. Chances are, you can leave this as is and simply click Next.
The software will then locate the copy of Vista that you want to repair. To do this, it sniffs your hard drive and presents you with a list of installed operating systems to choose from.
If you have a single installation of Vista on your hard drive — that’s the most common setup — the software will present you with that one OS choice. Select your normal copy of Vista from the offered choice(s) and click Next.
What the five tools are and what they do
When it loads, the System Recovery Options menu presents you with a selection of five tools:
- Startup Repair. This is an automated tool that attempts to fix problems such as missing or damaged system files. If it finds such files, it will replace the bad copies with fresh copies from the installation CD.
- System Restore. Nothing fancy here; it’s just a different way to access Vista’s normal System Restore functions. This tool allows you to roll back your computer’s system files to the way they were before you ran into trouble. This assumes, of course, that you’ve allowed System Restore to operate, and that one of your saved Restore Points is old enough to predate whatever problem you’re trying to resolve.
- Complete PC Restore. Also nothing fancy here. This is just another way to access the functions of Windows Complete PC Backup & Restore. Use this tool to replace the contents of your hard drive with data from a previously made backup. The catch here is that Windows Complete PC Backup & Restore is not included with Vista Starter, Vista Home Basic, or Vista Home Premium. If you’re running one of these versions, the Complete PC Restore option does diddly for you.
- Memory Diagnostic. This tool scans and exercises your computer’s RAM to make sure it’s working properly.
- Command Prompt. This is the pick of the litter and a major improvement over the limited command prompt in XP’s Recovery Console. In Vista, the System Recovery command prompt is actually the real deal: a fully functional command prompt that lets you navigate around the hard drive, launch software, work on files and folders, and lots more. For a full explanation of everything you can do at the Vista command prompt, open the Vista Help system (Start/Help and Support) and search on the phrase command-line reference.
Yes, all this is a mixed bag of applets
Some of Vista’s tools simply put lipstick on standard tools like Windows Backup, System Restore, etc., and aren’t a very big deal at all. But the newly unfettered command prompt is. That improvement, at least, will be welcomed by Vista power users everywhere.
For more information on Vista’s System Recovery options, see the Microsoft “Help and How-to” article What are the system recovery options in Windows Vista?
Fred Langa is editor-at-large of the Windows Secrets Newsletter. He was editor of Byte Magazine (1987 to 1991) and editorial director of CMP Media (1991 to 1996), overseeing Windows Magazine and others. He edited the LangaList e-mail newsletter from 1997 to 2006, when it merged with Windows Secrets.
ExtraOutlook is a free way to set Outlook loose
By Mark Edwards
Microsoft Outlook is a great tool, but it’s too bad that you can only run one instance at a time. Fortunately, some savvy coders have come up with a way to get around that limitation, and now their free workaround is available to everyone.
How you can run two instances of Outlook
If you use Outlook, you probably know that you can run only one instance at a time. That limitation can be a problem for some people. For example, if you want to retrieve mail from two or more Exchange Servers, you can’t easily do so, because Outlook wasn’t designed to support more than one server.
However, the good news is that there’s an experimental free tool called ExtraOutlook that can help. ExtraOutlook was created by Jason Geffner at the request of Timothy Mullen, both of whom work at Next Generation Security Software.
The tool basically tricks Outlook 2007 into launching twice by hooking Outlook’s exit process, fooling the app into thinking that it’s not running. Having done that, a second instance can be launched using a completely different user profile.
Overall, the tool performs a slick trick. If you’re interested in the nitty-gritty technical details, you can read all about them at Geffner’s blog.
Those of you who think you could benefit from such a tool can download a copy of ExtraOutlook at Mullen’s site. Just keep in mind that the tool isn’t supported by NGS Software, that you’ll be using the tool at your own risk, and that it only works with Outlook 2007. Also, be certain to back up your mailbox before trying it.
Revisiting portable XP, made possible by MojoPac
Two weeks ago, in the Jan. 10 edition of this newsletter, I wrote about MojoPac — a tool that essentially makes Windows XP entirely portable on a removable drive.
As it turns out, at least one subscriber who wrote in had a misunderstanding of the nature of MojoPac. It seemed to the reader that MojoPac was simply a tool that copies files and applications back and forth on an existing installation of Windows XP.
Technically speaking, MojoPac is a desktop virtualization tool that creates a completely separate environment from the computer’s native installation of Windows XP. Under the hood, MojoPac works by decoupling applications from the OS, making them entirely portable.
As a result of that technology, MojoPac can be used to establish a unique Windows XP desktop on nearly any USB-based portable media device. After you’ve installed MojoPac and configured your virtual desktop, you can boot directly into that desktop using any computer that runs XP.
While the current version of MojoPac only works with XP, I spoke with company representatives who told me that a beta version is available for Vista right now. If you want to try the beta, you can send an e-mail message to mojoguru [at] mojopac.com and you’ll receive instructions on how to download and install it.
At the end of March, another public beta program will begin for the next version of MojoPac, which will let you use the tool on both Vista and XP systems. For example, if you install MojoPac with a Vista desktop, you’ll be able to use it on a system that’s running XP. Likewise, you’ll be able to use your XP-based installation on systems running Vista.
The upcoming beta will run for three months. An official release of the cross-platform version is expected by the end of the second quarter of 2008.
How to safely find and register a domain name
Finding a domain name that fits your needs is becoming increasingly difficult. As you’ve probably noticed, if someone has already registered a particular dot-com name, chances are good that someone else has also registered the dot-net and dot-org versions. The same holds true in any configuration of those three top-level domains (.com, .net, and .org).
When a domain name is registered, domain squatters often grab up the same name on other top-level domains in order to take advantage of potential traffic.
A couple of weeks ago, I read a story by Larry Seltzer at eWeek.com about Network Solutions, a major domain registrar. As you may know, you can use a Web form on Network Solutions’ home page to check the availability of a domain name.
What you might not know is that — if the domain name is available — Network Solutions will immediately register it to itself! Network Solutions told eWeek that the reason this is done is to protect you from domain grabbers who might register the domain before you do. Even so, Network Solutions’ form of “protection” presents a problem if you want to register the domain name with another registrar, most of which offer lower registration fees than Network Solutions. (Network Solutions subsequently made a few minor changes to its practices, as described by Seltzer in a later post.)
An obvious solution to this problem is to not search for domain-name availability at Network Solutions’ site. However, that won’t protect you from other registrars who might start using the same practice.
I’ve found a safer way to handle the entire process of locating and registering a domain name, especially in cases where you’re researching a possible name for a Web site that you’re not launching immediately.
For example, maybe you’ve got an idea for a site, but you’re not sure you’ll actually build it. Naturally, you’d be curious as to which domain names that match your topic areas are available. But you might not want to spend the money (or needlessly tie up names that others could use) by registering all of the available domain names you find.
You can’t simply enter a desired domain name into the address bar of a browser, or search on the name in Google. Many names that have already been registered, and are therefore unavailable, don’t show up using these methods, because no visible Web pages have been posted — not even a home page with an “under construction” sign.
The best approach is to look up domain names in a service that never registers names that you search on and never sells its search queries to third parties. One such service is EasyWhoIs, a feature of EasyDNS.com, a domain-name-system hosting provider that Windows Secrets itself uses.
EasyDNS’s privacy policy specifically describes the company’s “no front-running” guarantee. Use the https version of EasyWhoIs, so your search is encrypted as it travels across the Internet. Using secure https may be a bit paranoid, but it does protect your valuable domain-name concepts in the unlikely event that an ISP employee is sniffing Web traffic for ideas.
Beware of Fanbox and other dubious Web 2.0 sites
The misuse of private information is a huge problem on the Internet, and it’s only getting worse.
I was recently referred to a post at the Spamhuntress blog that discusses Fanbox [dot] com. (I’m not spelling out the site’s URL, because I don’t want you to be transported there if you accidentally click the name in an e-mail program that automatically makes all domain names clickable.)
If you aren’t familiar with Fanbox, it’s a social-networking site that includes a type of virtual Web-based desktop. You can create a public profile, browse the Web, start a blog, create and edit documents, and more, all using Web-based applications.
I haven’t personally verified the spam claims made by Ann Elisabeth Nordbø (the operator of the Spamhuntress blog), but I do see huge problems with sites of this type.
On the surface, Fanbox looks like a nifty idea. But, to take full advantage of the site, a person must give Fanbox a lot of private information.
For example, you can use the site’s Web-based chat client to chat with people on instant-messaging networks, such as MSN, AOL, Yahoo, and Google’s Talk. In order to do that, you must enter your private chat sign-in info.
You can also receive SMS messages to your cell phone from people who send you a message from Fanbox. For that to work, of course, you have to give Fanbox your private cell phone number, along with your cell phone carrier information.
There’s also a feature that lets you “see which of your friends have a Fanbox account.” To do that, you’re required to give Fanbox your Hotmail sign-in information.
The problems here should be obvious. Once you’ve given an untrusted third party your private details, there’s not much you can do to prevent that party from abusing the information. Furthermore, if that third party’s databases are ever broken into remotely — or sold by crooked insiders — bad guys will suddenly have your private information.
I’m fairly certain that everyone reading this newsletter is wise about such risks. Since many of you are network administrators, it would be a good idea for you to educate your company’s users about the potential dangers. You might even consider sponsoring a company policy that prohibits the use of such sites, and backing that up by having every network user read and sign the policy.
Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and regularly writes for its Security Matters blog. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.
The new IE 7 and Silverlight are coming your way
By Susan Bradley
This week, I’ll show you how to prevent the automatic deployment of Silverlight and a new build of Internet Explorer 7 throughout your company via Microsoft’s WSUS utility. Optional software isn’t mandatory, and I urge you to skip the Silverlight download in particular unless you have a specific need for the software.
Preventing auto-install of the new IE 7
Word that a new build of this browser version would be automatically deployed this week through WSUS (Windows Software Update Services) caused many administrators who have not yet deployed Internet Explorer 7 to ask me how to block it. They may have nothing against IE 7, but they need their company’s users to continue using IE 6 or the current version of IE 7 for compatibility with certain older apps.
Microsoft has provided a “blocker toolkit” to prevent the new build of IE 7 from being offered to users. The kit is available from, and documented at, Microsoft’s Download Center.
The toolkit has two parts. The first part is for administrators and includes a group policy administrative template (an .adm file) to block the deployment of IE7.
Also included in the bundle is a script that adds a Registry key:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0
with the value of DoNotAllowIE70.
To run the toolkit on your system, download the bundle from the Download Center to a location on your hard disk. I used c:\block. I then opened a command prompt and used the following commands to change to the c:\block subdirectory and run the script:
cd c:\block
ie70blocker . /b
The period (.) between ie70blocker and /b makes the program run on the local machine, which is the default. You can specify another PC on your LAN, if you have sufficient security permissions to edit that machine’s Registry.
This command and its results are shown in Figure 1. Running this will keep IE 7 from being offered to your users as their machines are scanned for applicable updates that can be installed. The command can be reversed using a /U parameter, as explained in the Download Center documentation.
Figure 1. The ie70blocker script allows individuals or admins to prevent the new build of IE 7 from being offered to users as an update.
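To confirm that the block described above is actually in place on each machine, the following PowerShell script reads the Registry value the toolkit writes. It is an added example, not part of Microsoft's toolkit or the original column. It assumes the value is stored with data 1 when the block is active (the script treats a missing key, a missing value, or any other data as not blocked), and the function name Get-IE7BlockState is made up for this example.

```powershell
# Added example: report whether the IE 7 blocker value is set on one or more PCs.
# Usage:  .\Check-IE7Block.ps1 -ComputerName ., PC01, PC02
# Reading a remote Registry needs the same permissions the toolkit itself needs.
param(
    [string[]]$ComputerName = @('.')      # '.' = local machine, as with ie70blocker
)

$subKey    = 'SOFTWARE\Microsoft\Internet Explorer\Setup\7.0'
$valueName = 'DoNotAllowIE70'

function Get-IE7BlockState {
    # Hypothetical helper name; returns one result object per computer.
    param([string]$Computer)

    $state  = 'Unknown'
    $detail = ''
    $base   = $null
    $key    = $null
    $remote = ($Computer -ne '.')

    try {
        if ($remote) {
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        } else {
            $base = [Microsoft.Win32.Registry]::LocalMachine
        }

        $key = $base.OpenSubKey($subKey)          # opened read-only
        if ($null -eq $key) {
            $state  = 'NotBlocked'
            $detail = 'Setup\7.0 key is absent'
        } else {
            $data = $key.GetValue($valueName, $null)
            if ($null -eq $data) {
                $state  = 'NotBlocked'
                $detail = "$valueName value is absent"
            } elseif ("$data" -eq '1') {          # assumption: data 1 = block active
                $state  = 'Blocked'
                $detail = "$valueName = 1"
            } else {
                $state  = 'NotBlocked'
                $detail = "$valueName = $data"
            }
        }
    } catch {
        # Unreachable PC, Remote Registry service stopped, access denied, etc.
        $state  = 'Unknown'
        $detail = $_.Exception.Message
    } finally {
        if ($key) { $key.Close() }
        if ($remote -and $base) { $base.Close() }  # never close the shared local hive
    }

    [pscustomobject]@{
        Computer = $Computer
        State    = $state
        Detail   = $detail
    }
}

$results = foreach ($c in $ComputerName) { Get-IE7BlockState -Computer $c }
$results | Format-Table -AutoSize

# Non-zero exit code when any machine is not confirmed as blocked,
# so the script can be used from a scheduled job or login script.
if ($results | Where-Object { $_.State -ne 'Blocked' }) { exit 1 }
```

Machines reported as Unknown could not be read at all and should be rechecked rather than assumed to be blocked.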
I’m writing about this procedure to ensure that you know how to block the deployment of IE 7, in case you have a line-of-business application that does not support it. Having said that, I urge you to put pressure on your vendors to make their apps compatible with version 7 of Microsoft’s browser.
Unless you have a very good reason not to push out IE 7 to your users, please do deploy it. IE 7 is a much more secure browser at this writing than is IE 6. I wrote briefly about some of the benefits of the new build of IE 7 in a special, abbreviated Patch Watch column on Jan. 17.
The bottom line is: block IE 7 if you absolutely must do so, but understand that you’re missing out on the improved protection that the newer browser provides.
I’ve already turned off Silverlight
While I strongly urge you to install IE 7, I’m just as strongly recommending that you pass on Silverlight, Microsoft’s new competitor to Adobe’s Flash.
Downloads of Silverlight are being offered in the optional section of available updates for Windows XP and Windows Server 2003. I discussed some of my objections to Silverlight — in my tests, it’s slower than Flash and troublesome to install on some workstations — in my Jan. 17 column.
Unless you have a real need for Silverlight, I’d urge you to hide the offering from view in Windows Update and Microsoft Update, and remember not to install it if it’s offered to you in other ways. Since Jan. 22, WSUS will propose that you install it, but Silverlight (fortunately) isn’t automatically installed, as WSUS would do by default if the download had been categorized by Microsoft as an “update rollup.” An administrator must check a box to approve Silverlight before WSUS will deploy the software.
Items in the optional section of the available updates that are shown in Windows Update, what I call the middle section, are just that: optional.
The only legitimate reason I’ve found to install Silverlight — and I’ve taken advantage of this myself on one workstation — is to watch some Microsoft security videos that are presented in Silverlight format.
Figure 2. Windows Software Update Services has started offering Microsoft Silverlight as an optional download that admins can deploy throughout a company.
For instance, the Microsoft TechNet site offers videos that require you to download the Silverlight player software. A presentation by Microsoft’s Steve Riley at TechEd 2007 on the topic of the trade-offs between security and getting work done is one such video.
The downside of saying no to the Silverlight download is that you may find yourself on a Microsoft site that needs the player to showcase certain videos. For now, I’d recommend installing it when you need it, and not this week.
943899
Vista reliability patch needs Intel fix
Windows Secrets reader Angel Mazo provides confirmation of a problem with the Vista performance patch known as 943899, as I described on Jan. 17. Certain Dell laptops need an update to their copies of the Intel Matrix Storage Manager before the machines will boot properly. A download called the R154198 patch, which can be found on the Dell Web site, should be installed on those systems that need it.
If you’re in this situation, I’d advise you to use the onboard Dell updating software to check for updates. As an alternative, you can visit the Dell site, have it find your system tag, and read which updates are recommended for your machine.
Once or twice a year, if not more, you should visit the Web site of the company that manufactured your PC. Once you’re there, look for updated drivers and fixes that you may find on the site.
MacMini won’t patch unless QuickTime is updated
Windows machines last week received a notice via Windows Update that QuickTime for Windows needed upgrading. Because of this, I expected that a MacMini in my office would also notify me that an upgrade was available.
When I went to the Mac desktop and logged in to view the update window, however, the machine had not downloaded the patches, nor did it indicate that any were available. It was clear when I manually scanned for updates, though, that several were needed.
In reviewing posts to the Apple support site, I noted a few other people in the same situation as mine. Once they manually downloaded the QuickTime patch, the Mac system was once again able to automatically update.
Figure 3. Even though updates are available from Apple, Macs may not automatically detect them until QuickTime is patched.
Once I manually upgraded QuickTime, the MacMini went back to checking and downloading updates, as I had configured it to do. I guess this proves that patching has its hassles, no matter which operating system you use.
938759
WSUS admins need a hotfix in order to patch
Attention, all WSUS administrators who are supporting Vista machines and are waiting for Service Pack 1 for Vista to be released. You need to send Microsoft an e-mail to get the hotfix described in Knowledge Base article 938759.
This hotfix ensures that WSUS servers can properly handle Vista SP1. The large size of this service pack will cause the download to fail unless the hotfix is first applied to whatever server hosts the WSUS software.
I’d urge those who are running WSUS servers — including anyone with a Small Business Server 2003 R2 system — to call 1-800-Microsoft (that’s 1-800-642-7676, or use the e-mail link in the KB article) to request the hotfix now rather than later. We’ve already seen one preliminary patch to get systems up to speed for Vista Service Pack 1, as I reported on Jan. 10. That’s a sign that SP1 itself isn’t too far around the corner.
947506
Vista Ultimate language packs block updating
After the installation of Vista Ultimate language packs, some Vista users are reporting issues with updating. The hotfix available from KB article 947506 addresses this issue with language pack installs.
I know that it’s a bit tiresome to click those language updates one by one and tell them to “hide” because I don’t want or need them. Now it seems that actually installing them can be even worse.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2023 AskWoody LLC, All rights reserved.
