XP Service Pack 3 blocks .NET security patches

Holiday greetings are coming to all

By Brian Livingston

This week, Windows Secrets is promoting some small businesses that are managed by subscribers to our e-mail edition.

Next week, we’ll offer a new kind of holiday gift that all of our e-mail subscribers will be able to take advantage of.

As I announced on Nov. 26, we’re running ads this week absolutely free for Windows Secrets subscribers who run Web businesses. We received far more submissions than we could fit in. Following the announced rules, we selected 12 at random to show this week. Every other week of the year, Windows Secrets accepts no more than nine ads.

All of this week’s ads were submitted by subscribers like you who read Windows Secrets. I hope you’ll take some time to visit their sites and see some of the products and services they’re offering.

I know that ads aren’t people’s favorite content, but they support our research (when we’re not giving away the space for free!). This makes it possible for us to bring you the detailed articles that our columnists produce. Our writers work hard to dig up Windows tricks, and I’m glad to be able to bring you the results.

I’m now cooking up a holiday treat that every Windows Secrets subscriber will be able to enjoy this month. Watch for an announcement of that special program next week.

Thanks for your support, and have a healthy and happy holiday season.

Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.

XP Service Pack 3 blocks .NET security patches

By Susan Bradley Installing SP3 on Windows XP eliminates the operating system’s ability to install important security patches for Microsoft’s .NET technology and possibly other software. This problem forces XP SP3 users to apply patches manually to complete vital updates.

The new error is the latest in a long series of glitches relating to XP’s SP3, which Scott Dunn described in his Sept. 11 Top Story. The issues include spontaneous rebooting of systems based on AMD chipsets, as documented by Jesper Johansson in a blog post from last May.

To determine whether your XP SP3 system has a version — or multiple versions — of the .NET Framework installed, open Control Panel’s Add or Remove Programs applet and look for it among the list of currently installed programs. If you don’t see any .NET entries, you don’t have the framework installed on your system and needn’t be concerned about the update problem.

If you do see a listing for Microsoft .NET Framework, you need to use a third-party update service such as Secunia’s Software Inspector (described below) to patch the program.

A Sept. 16 post on the Windows Server Update Services (WSUS) blog disclosed that .NET 3.0 would not be offered to XP SP3 users. On Sept. 23, Microsoft Knowledge Base article 894199, which tracks changes in the company’s patches, indicated that .NET 3.0 and .NET 3.0 Service Pack 1 should be offered to XP SP3 workstations as optional patches.

However, when I tested this on various Windows XP SP3 configurations, I wasn’t offered .NET 3.0 as an optional patch. Things got really dicey on my first attempt to install .NET on a Windows XP SP3 machine. During that test, updates for .NET 1.1 and .NET 2.0 failed midstream. I had to use the Windows Installer CleanUp Utility (which is described in KB article 290301) and Aaron Stebner’s .NET Framework cleanup tool (download page) to uninstall the partially installed .NET frameworks.

Ultimately, I had to install .NET 3.5 SP1 in order to get any .NET framework loaded onto the test XP workstation. While the latest version of .NET 3.5 is a cumulative patch and thus could be installed in place of prior versions of .NET, what invariably occurs is that line-of-business applications require and install earlier versions of .NET.

For example, one of the programs I use regularly is QuickBooks, which includes .NET 1.1 in some versions and 2.0 in the 2008 and 2009 releases. I recommend against removing various versions of .NET if the frameworks were installed by your applications.

On my second and third tests of Windows XP SP3 machines, Windows Update did not detect .NET 3.0 as an optional update, but the frameworks were installed without error just the same. However, to manually update the XP systems, I first had to install Microsoft’s Windows Genuine Advantage tool, which is described in KB article 892130.

Next, I had to upgrade the installer program, as described in KB article 898461. After installing these two programs and returning to the Windows Update service, the XP SP3 machine was offered .NET 1.1 and .NET 2.0 as optional updates but not .NET 3.0 as a patchable item.

Figure 1. Windows Update fails to offer Windows XP SP3 the most recent .NET 3.0 framework.

When I attempted to update a system running Windows XP SP2, I was offered .NET 3.0 as an optional update, as shown in Figure 2 below.

Figure 2. On a PC running XP SP2, Windows Update does offer .NET 3.0.

I recommend that you install any version of the .NET framework only when your applications need it. However, Microsoft security bulletins dated as recently as Nov. 25 indicate that XP SP3 machines should be offered .NET 3.0. Clearly, XP SP2 PCs are prompted to install .NET 1.1, 2.0, and 3.0, while XP SP3 users are offered only .NET 1.1 and 2.0.

A full three months after Microsoft’s WSUS support blog disclosed that PCs using XP SP3 aren’t offered .NET 3.0 as an optional patch, the problem still has not been fixed. If you rely on Windows Update or Microsoft Update for your patching needs, use Secunia’s online Software Inspector service to ensure that you’re getting all the updates you need.

Even better than the online detection tool is Secunia’s Personal Software Inspector (download page), which you download and install onto your PC to constantly monitor the update status of the software on your system. The free program will alert you to older versions of Java, Flash, and other common applications, including Microsoft’s .NET Framework. You’ll be walked through the process of removing older — and possibly vulnerable — versions.

Based on the numbers from Secunia for the first week following the removal of the program’s “beta” tag, you need to scan your PC for out-of-date apps right away. Secunia PSI Partner Manager Mikkel Locke Winther reports that of the 20,000 new system scans conducted in the first seven days of PSI’s official release, only 1.91% had no insecure programs, and a whopping 45.76% had 11 or more insecure programs installed.

For a complete rundown of the early PSI scan results, check out Jakob Balle’s Dec. 3 blog post.

MS08-067 (958644)
Malware targets recent Windows worm threat

The Microsoft Security Resource Center reports an increase in malware attempting to take advantage of the security breach described in Security Bulletin MS08-067. If you have not already done so, please ensure that you have installed this patch.

There are few reports of problems resulting from this fix, and most of those glitches concern wireless connectivity. In those rare cases, uninstalling and reinstalling the patch, or deactivating your antivirus and firewall programs, appears to remedy the problems.

Support desks are seeing an increased number of calls from people infected by this malware. Quite honestly, there’s no excuse for not patching this hole. After an easy install and a quick reboot, you’re protected.

Vista Service Pack 2 beta goes public

If you’re the type who enjoys paper cuts, tight-fitting shoes, and tax planning, you’ll want to know about the public beta of Service Pack 2 for Windows Vista and Windows Server 2008. You can now visit this page to sign up for Microsoft’s Customer Preview Program (CPP) and volunteer as a Vista SP2 tester.

According to a post on the Windows Vista blog by Windows Product Management VP Mike Nash, the CPP is intended for “technology enthusiasts, developers, and IT pros” who want to test the service pack on their networks. Nash recommends that “most customers” wait to install the final release of the service pack.

I’ll go even further: most Vista users should wait until several weeks after the service pack’s final release to install it. That way, you can let the early adopters work through all the service pack’s inevitable glitches and incompatibilities.

You know what they say: you can tell the pioneers because they’re the ones with the arrows sticking out of their backs.

Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

The warning signs of a PC infected with malware

By Dennis O’Reilly

Last week’s news alert by Woody Leonhard described the high level of sophistication behind the Sinowal/Mebroot Trojan and described tools that attempt to remove the malware.

Many readers asked for more information on symptoms they should look for if they fear for their machines’ security.

Subscriber Leslie Kight asks the following question:

• “Great article. I’m curious, though: what makes Woody suspect his XP machine is infected by Mebroot? What symptoms did he see to raise that question?”

Here’s Woody’s reply:

• “I kept getting weird virus warnings from AVG — viruses would appear, I would remove them, then they would reappear in different locations, or entirely different viruses would show up. AVG reported that the MBR [Master Boot Record] was being changed every time I rebooted, even when I did nothing.

  “I did a deep scan — first with AVG, then with NOD32 — to remove all the reported malware, but the viruses kept reappearing. Antirootkit scans turned up nothing. Then I couldn’t connect to F-Secure’s Web site, so I pulled the plug.

  “As I said in the article, I have no idea at all if it was Mebroot. But I couldn’t find any reports of similar collections of problems and decided to err on the safe side.

  “Periodically reinstalling Windows is something I recommend anyway: once a year is ideal, in my experience. I’m happy to report that I’ve reinstalled XP Pro (SP3, of course), reactivated [Windows], and brought back the data files; everything appears to be working just fine. The machine’s snappier than ever.”

Double up to remove a virus from a hard drive

In deference to animal lovers, I will avoid the cat-skinning analogy, but as reader Bob Biegon points out, there’s more than one way to return an infected hard drive to a healthy state:

• “One of the easiest and, by my experience, most effective ways to remove many serious virus-spyware-rootkit infections is to remove the PC’s hard drive, put it in another PC (or connect to another PC via a USB-to-IDE/SATA adaptor), and scan the drive with the second PC’s anti-malware software.

  “This method ought to work well for the Mebroot virus without compromising the host PC’s drive. My favorite products to use in this endeavor are AVG 8 and Sunbelt Software’s Vipre.”

Since when did mice start hunting cats?

The best analogies have a basis in reality (not the one I mentioned above relating to feline pelts, thank goodness). But another kind of cat reference in Woody’s column from last week gave reader John Walsh pause:

• “I do enjoy Woody Leonard’s articles and have been a fan of his for many years. However, in his latest article, Woody notes ‘Detecting and preventing Mebroot is a cat-and-mouse game, and the black cats are winning.’

  “In my mind, the cats are actually the good guys trying to help eradicate the vermin (malware) represented by the mice. Therefore, I would suggest it is actually the black mice who are winning and proliferating, much to the consternation of the white cats.”

Indeed, the bad guys are scavenging for your data and your money while the good guys hunt them down. However, Woody’s use of “black cats” in this sense plays off the term “black hat” to describe a hacker with evil intent.

Mixing puns and analogies is dangerous business, but that’s the kind of adventurous, risk-taking writer Woody is. That’s only one reason why his readers love him so.

The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.

Too bad there's no do-over for this 'I do'

By Katy Abby Picture this: you’re about to marry the love of your life in front of all of your friends and loved ones. Everything’s going swimmingly. Your best man stands by your side, ready to play his part in the ceremony. He’s the perfect choice: responsible, trustworthy … so what if he’s also a little clumsy? At this point, nothing can dampen your spirits! Watch what happens as this hilarious wedding clip gives new meaning to the expression “taking the plunge!” (The fact that the video may have been staged reduces the desired effect only slightly.) Play the video

Give the boot to files that refuse to delete

By Fred Langa Malicious files — and even some benign ones — can sometimes be very hard to remove from your system. Don’t take no for an answer when Windows tells you it can’t delete a particular file.

Some files just don’t know when to leave

Have you ever tried to delete or move a file, only to have Windows inform you that the file’s locked, in use, or otherwise inaccessible to you? Sometimes, this is just an annoyance. Other times, it’s a serious problem.

Exhibit A is reader Andrew Gillert’s experience in rooting out a suspected malware file that refused to go away:

• “How can I deal with Trojan horse msfnot.dll? Norton SystemWorks identifies but cannot quarantine or delete the infected file.”

When Windows or an application tells you that a file is locked, busy, or otherwise seemingly undeletable, the easiest solution is to use one of several free file unlock/removal utilities. These tools let you flag any file for removal or relocation. Most of the programs use a small startup script to delete or move the offending file early in the next reboot, before the file gets relocked, reactivated, or otherwise protected.

For XP, I like MoveOnBoot, which is part of Gibin Software’s free File Utilities suite. (Get it from Gibin’s download page). Alas, the latest version is not compatible with Vista, but there are many other file unlockers and removers that will work with both Vista and XP (and older versions of Windows).

For example, TheFreeCountry.com features a list of free unlock/removal utilities. One of the programs there will surely do the trick for you.

If these utilities aren’t able to remove the file, you can use the Recovery Console’s more-advanced command-line options. That’s a separate topic in itself, so let me point you to an InformationWeek article I wrote a while ago that explains the Recovery Console’s lesser-known abilities.

Another option is to boot from an “alien” operating system, such as a self-contained Linux installation on a CD or flash drive. Use that OS to delete the Windows file.

Most of the time, the simple and free unlock/removal tools will be all you need.

Disk imaging as a backup option

Tom B. has a favorite backup tool, and he wonders why it’s not talked up more:

• “Many moons ago, Fred Langa used to recommend BootIt Next Generation software for imaging and repartitioning a hard drive. I still use and love BootIt NG, but I wonder why I never hear anyone talk about it anymore.”

I still use BootIt NG too, Tom. But the reason why you and I use it is probably also the reason you don’t hear it discussed much. Let me explain:

BootIt NG is a “disk imager.” Like a conventional file-by-file backup tool, a disk imager copies the contents of a disk. But a disk imager does more. It copies not only your hard drive’s complete contents but also the drive’s format and structure, right down to the physical placement and order of files on the drive.

Restoring a disk image puts everything back exactly the way it was when the image was made — the OS, settings, program and data files, and even the organization and placement of files on the hard drive; everything is bit for bit exactly the way it was before. No file-by-file backup tool can be as thorough and complete as a disk-imaging tool.

The downside: Disk imaging is slower and more complicated than the file-oriented approach.

The most popular disk imagers today — including Symantec’s Ghost and Acronis’s True Image — run conveniently from inside Windows. The programs use a technique called “shadowing” to capture everything, including in-use and locked files.

Shadowing was a little dodgy when it first appeared, but the method works pretty reliably now. Most tools of this sort also let you create special boot CDs, which allow you to restore your system if Windows itself won’t run.

BootIt NG is different: the program runs at boot time, before any other operating system loads. It actually runs its own self-contained mini-OS for its operations. This way, the main OS is inert and can’t get in the way of the imaging process.

There are no locked or in-use files, so BootIt NG doesn’t need to use software tricks such as shadowing to copy anything. Plus, because BootIt NG is totally OS-independent, it can back up just about any OS, including all versions of Windows and Linux.

As the name suggests, BootIt NG is a boot manager. The program coexists peacefully with Linux and Windows — including Vista. You can install a mix of operating systems on your PC and boot whichever OS you want whenever you want. Each operating system thinks it “owns” the hard drive and is unaware of BootIt NG’s interventions or existence.

BootIt NG is also a partition manager that understands all current major partition types: FAT, FAT32, NTFS, Ext2, Ext3, ReiserFS, Linux swap, and others. You can create, format, move, nondestructively resize, and delete partitions at will without disturbing the surrounding partitions.

Frankly, BootIt NG is rather geeky and nonintuitive to use. I know a number of perfectly competent PC users who have run screaming into the woods after trying to work with BootIt NG.

That’s the primary reason you don’t hear more about the program. It’s definitely not a backup tool for casual PC users, and it’s plainly overkill for simple Windows setups. Rather, BootIt NG is geared for technically oriented users who are willing to give up a little ease of use for extra control, features, and flexibility in managing more-complex Windows setups.

When people ask about backup tools, I usually suggest that they start with something like Windows’ built-in backup utility. If they find, after using that program for a while, that it’s not suited to their needs or preferences, they can try a commercial backup or disk-imaging tool.

If it turns out they need more-advanced features — such as OS-independent multiboot, heterogeneous partitioning, or inert-OS imaging — and if they’re comfortable swimming in the geekier end of the pool, a tool like BootIt NG might be just the ticket.

BTW, while BootIt NG costs U.S. $35, it’s one of several disk-imaging tools available for time-limited free trials; here’s the download page for BootIt NG’s trial version. This way, you can experiment with several imaging programs to see which one best suits your needs.

Use XP Setup CD to reformat your hard drive

New Zealand reader Ron Dickinson wants to get an end-of-the-year system cleanup started:

• “Fred, can you tell me where I go in XP Pro to type format c: so that I can reformat the hard drive? I’m thinking it’s about time I give it a good clean-out before I reinstall my copy of XP, which has been running since 2002.”

If it’s a fresh reinstall you’re after, there’s no need for a separate format step; your XP Setup CD can do this for you automatically.

As always before any major system work, back up your existing setup. Then boot from your XP Setup CD and follow the steps for a new installation, not a “Repair.”

At the Welcome to Setup screen, press Enter to choose the option to set up Windows XP now. After you accept the offered license terms, the setup software will sniff your system and detect your existing XP disk or partition, plus any other partitions you have on the disk.

Select your current XP setup’s disk or partition and follow the on-screen instructions to delete that partition. You’ll be asked to press D and then to confirm your selection twice more for safety’s sake, because once that partition is deleted, it will be difficult or impossible to recover. Before proceeding, make sure you really do want a fresh, to-the-bare-metal reinstall.

Once the existing partition is deleted, Setup will loop you back to the partition-selection screen. Choose the now-empty space that you just created as the target for your new Windows installation and follow the on-screen prompts. Setup will reformat the empty space and install a fresh copy of XP in the normal fashion.

This technique gives you a fresh format and a clean reinstall as part of one continuous process rather than requiring that you format separately.

If you have something else in mind and you really need a standalone format command, you can run a classic manual format from the XP Recovery Console. (For instructions on using the Recovery Console, see the InformationWeek article I referred to at the end of the first item in this column.)

Finally, there’s the boot-floppy option: start your PC from a bootable floppy that also contains some basic disk-maintenance tools, including the format command. Perhaps you (or a friend) have an old boot floppy in a drawer somewhere.

(Note: If your PC doesn’t have a floppy drive, you can usually boot a PC from an external floppy drive that connects to a USB port. You may need to configure your BIOS to boot from an a: drive.)

If you don’t have a boot floppy handy, there are several places online that offer free bootable floppies of various OS flavors. For instance, BootDisk.com lets you download all the programs and files you need to create your own bootable floppy, thumb drive, or CD.

In fact, the service offers downloadable discs for every OS that Microsoft has released, all the way back to DOS 5. (You can get Linux boot disks from the site, too.)

Use caution with those online boot discs. Prior to actually running that software or booting from the disks, thoroughly scan them for viruses and malware. Also, the distribution of old Microsoft boot files is an ethically gray area.

On the one hand, I can’t imagine that Microsoft really cares whether someone needs to dredge up an obsolete and unsupported copy of, say, the format command from Windows 98. But on the other hand, it is (or was) copyrighted software. Be aware of the issue and make an informed decision.

Best way to track your bandwidth usage

Another reader from Down Under, Peter Sutherland, asks about a way to record his online bandwidth use to avoid telecom overcharges.

• “Do you know of a software program that will keep track of my download usage, so I can monitor my usage against the amount I am charged for?”

Windows has such a tool built into the Network Status dialog, and it may be all you need — with one caveat I’ll mention in a moment.

Access to the Network Status dialog is similar in both XP and Vista. (There actually are several ways to get there in each OS, but I’ll focus on just one for brevity’s sake.)

In Vista, one easy path to the correct dialog is to click Start, right-click Network, and select Properties. The Network and Sharing Center will open with your active connection(s) shown. Find the connection you wish to monitor and click its View Status link to see the live running totals of the traffic sent and received over that connection.

In XP, click Start, right-click My Network Places, and select Properties. When the Network Connections dialog opens, right-click the connection you wish to monitor and select Status. A new dialog will open showing you a live running total of the traffic on that connection.

If the data are shown in bytes, you’re basically done and have the tool you need to monitor use. But some connection types report traffic in packets rather than bytes, and that’s a potential snag.

You can convert packets to bytes, but doing so is clunky. First, download a file of known size and note how many packets it occupied. Divide the number of packets by the number of bytes and you’ll have a conversion factor for your particular networking setup. You can use that derived number to convert the ongoing packets-received display to an approximate number of bytes downloaded.

That’s pretty inconvenient and indirect, so if your connection traffic is displayed as packets, a simpler approach is to use a third-party tool to track cumulative usage. Well-regarded traffic-monitoring tools include the free version of Tiler.com’s FreeMeter utility (download page) and the freeware Wireshark (download page), which Ryan Russell described in his Apr. 3 Perimeter Scan column.

Whether you choose Windows’ built-in network monitor, the count-’em-yourself approach, or a third-party byte counter, there are tools readily available for your needs.

Fred Langa is editor-at-large of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.

Foxit patches PDF weakness months before Adobe

By Woody Leonhard A few weeks ago, software giant Adobe patched a security hole in its ubiquitous Acrobat and Reader software for PDF files. Several months before Adobe released its patch, however, a small company named Foxit, which makes a highly recommended PDF reader, had already distributed its own fix for a similar security breach.

JavaScripts add a new dimension to PDF files

No doubt you’re familiar with Adobe’s Portable Document Format (PDF), which the company invented in 1993 to make it easier to view files on different types of computers without altering the appearance of the documents.

Once a fairly straightforward document description language, PDF has evolved — like everything else in the computer biz, eh? Starting in 1996, Adobe added JavaScript support to Acrobat and PDF files. A sufficiently talented developer can put JavaScript programs inside PDF files to respond to all sorts of document actions.

You can use JavaScripts in PDFs to create forms automatically, pull information from a database, interact with Web sites, and perform other functions that turn plain-vanilla PDF files into sentient servants.

Sometimes, subvertible sentient servants.

Recently discovered security holes in such PDF applications as Foxit, Adobe Reader, and Acrobat stem from the way the programs handle a JavaScript command called util.printf() whenever a file sends the command a big floating-point number.

Earlier versions of all three products assumed that the floating-point number wouldn’t be too long — at most, 256 bytes or so. Eugene Xiong at Foxit described it to me this way: “It sounded reasonable, but it’s not a safe assumption, if someone puts a very long number in there.”

It’s a classic buffer-overflow security hole. Here’s how it works:

Somebody with ill intent creates a PDF file that includes a JavaScript program. The program includes a util.printf() command with a very long number. When Foxit or Adobe Reader encounters that long parameter in the util.printf() call — instead of falling over dead, as it should — part of the parameter gets treated like a program, and it runs. Ka-BOOM! Malware has found another way into your system.

If you’re curious about the precise way the util.printf() function gets subverted, Didier Stevens has a fascinating blog entry in which he not only takes apart an infected PDF document but also traces how the author developed the program. Amazing stuff.

Foxit responds with a fix in under a month

Dyon Balding at Secunia Research discovered the original util.printf() security hole in Foxit Reader. Although there doesn’t seem to be an official account of the technique he used to find the hole, it was likely a process called “fuzzing,” which involves blasting a program with all sorts of unexpected input and seeing what happens.

Secunia officially notified Foxit of the problem on Apr. 23, 2008. Two weeks later, Secunia notified Foxit again and got an immediate response, according to a report on the Secunia site.

On May 20, Foxit released a patch for the buffer-overflow problem as part of Foxit Reader 2.3 build 2913. It took the folks at Foxit a little under a month to patch their product, test the patch, and release it for download.

Adobe’s patch is a much longer time coming

According to Core Security Technologies, shortly after the Foxit patch appeared, Damian Frizza from the Core Impact Exploit Writers Team found out that Adobe Acrobat and Reader were vulnerable to a similar (but not identical) problem in how the programs handle long numbers in the util.printf() function.

Core’s security advisory explains in detail how the Adobe security hole was discovered, starting with the published Foxit crack. Core formally notified Adobe of the problem on May 28.

On the other hand, a Secunia Research Bulletin states that the hole affecting Adobe Acrobat and Reader was discovered by Secunia researcher Dyon Balding and that Adobe was notified on April 16. The official Adobe Security Bulletin APSB08-19 credits both Balding and Frizza, among others.

Regardless of which version of events you choose to believe, there’s no question that Adobe knew about the util.printf() security hole by May 28.

The advisory from Core Security contains a detailed history of the company’s interactions with Adobe. The chronology doesn’t portray Adobe in a, uh, kind light. Apparently, Core was led to believe that the hole would be patched in July. On July 2, Core threatened public disclosure in an attempt to get Adobe off its posterior. The two companies went back and forth, with multiple delays on the Adobe side, according to the Core account.

Finally, on Nov. 4 — a full six months after being advised of the vulnerability — Adobe released its patches for Acrobat and Reader.

Free software-update service is out of beta

What conclusion can be drawn from this unusual — Eugene calls it “rare” — example of how two companies approach nearly-identical security holes? Obviously, you should use Foxit, not Adobe Reader. Windows Secrets contributing editor Scott Dunn recommended exactly that in his Apr. 28 Top Story.

Clearly, free software offered by small companies often runs rings around the big-buck alternatives. But you already knew that, too.

The hidden moral of the story is that you really need to install Secunia’s Personal Software Inspector (see the PSI download page) and run it religiously. It’s officially out of beta testing (finally!) and ready for prime time.

PSI won’t protect you from a software company that’s sitting on its laurels, but it will get you warned — and help you get patched — just as soon as the patches appear.

If they ever do.

Woody Leonhard‘s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.

Tools let parents control their kids' PC use

By Becky Waring You can do your best to keep your children safe by using one of two top Internet access–control utilities. My top choices for little kids and teens cover all the bases: protocol-level filtering, usage time limits, monitoring tools, and remote management.

Parents, there are some things software can’t do

When my editor at Windows Secrets asked whether I would tackle parental-control software for this column, the topic hit close to home. My sister and her husband have three small boys. The four-year-old twins are just starting to use computers, poking away at educational software and occasionally watching animal videos on YouTube with their parents.

Lately, the four-year-olds have been trying to access YouTube on their own, prompting fear on the part of their parents that they will be exposed to inappropriate videos or — horrors! — somehow find themselves dropped into the sinister hinterlands of the World Wide Web.

So, Aunt Becky was charged with the task of figuring out how best to protect their innocence — for a few more years, at least. Thus began my odyssey into the bizarre world of parental-control software.

I say “bizarre” because parental control is really a misnomer. There is simply no way to prevent all the countless bad things floating around the Internet from reaching your child, no more than there’s a way for your antivirus program to provide 100% protection against malware.

And with parental controls, you have the added and very real problem of kids — many of whom are far more tech-savvy than their parents — actively trying to circumvent the controls.

Parental-control programs merely act as a first line of defense against such dangers as pornography, profanity, chat-room predators, and offensive spam. The list of what these programs can’t do is long indeed: none attempt to stop programs from being downloaded and installed, for example, nor do they prevent the use of proxy sites designed specifically to circumvent filtering.

No software can replace an actual parent actively supervising his or her child’s Internet use. But of course, that’s not always possible, which is where these two programs come in. I’ll also offer some advice on implementing a child-safe system that meets the needs of your family.

After studying up on the products in this category, I found that Safe Eyes and Net Nanny universally topped the reviews. Other parental-control contenders are BSafe Online, Cyber Patrol, and Webroot Parental Controls.

Note that I recommend these programs for two different age groups: Safe Eyes for preteens and Net Nanny for teenagers. Thus, they’re sorted in this column by age group, not with the top-scoring program appearing first.

INTERNET SAFETY SAFE EYES 5

Best parental-control software for wee ones

With very young children, the biggest worry is accidental exposure. If they can’t yet read or write much, they are unlikely to be Googling ways around your controls or even understand that they can.

Also, small children don’t have homework assignments that require access to the Web at large, so you can maintain stricter site filtering.

That’s where Safe Eyes 5 comes in.

At U.S. $50 per year for up to three computers (with a 14-day free trial), Safe Eyes is not cheap. But it’s easy to install and use, and it comes with 24/7 phone support plus quick-response e-mail support.

Safe Eyes lets you set up individual logins with customized controls for each child. You can fine-tune filtering for 35 categories of Web sites. In addition, you can create your own lists of sites that are allowed or denied.

The program can send parents alerts via phone, e-mail, or text message whenever a child attempts to access a blocked site. There’s also a keyword feature that blocks access to sites containing any word in Safe Eyes’ dictionary of profane and sexually suggestive terms, regardless of whether the sites appear on the blocked-sites list.

For small children, the best course of action is to whitelist a few sites that you feel comfortable allowing them to access on their own, such as Seussville and Animal Planet.

Save your visits to more unpredictable sites, such as YouTube, for when you’re surfing together — when you can enter a password to override the controls, if you wish. The very fact that your kids will have to ask you before they can access other sites helps you be aware of their (and their friends’) level of Web knowledge.

Similarly, Safe Eyes lets you restrict your child’s e-mail access to a whitelist of approved friends and relatives. Anyone not on the list will be blocked from sending e-mail to, or receiving messages from, your child.

Other Safe Eyes features include the ability to schedule Internet usage windows and set overall limits for time spent online. The program generates reports on all the sites your children visited, blocks e-mail and instant messaging, and stops peer-to-peer file sharing at the protocol level, including BitTorrent and GNUtella. Safe Eyes can even record the full text of IM sessions.

Figure 1. Safe Eyes blocks many common IM applications but misses others, such as Skype and Pidgin, which you have to add to its blocked list.

Safe Eyes stores its logs online, so they can’t be tampered with. The program’s time limits are based on Internet time, so changing a PC’s system clock won’t defeat the protection. And you can set Safe Eyes to block Internet access altogether when a user logs out.

I also liked the fact that you can block any installed application from accessing the Internet, not just IM and e-mail programs. You may want to limit children to using a specific browser — for example, one into which you have installed such additional safeguards as safe search, ad blocking, and anti-phishing tools. (See my July 7, 2008, review of Firefox security add-ons for more.)

For older and savvier kids, however, Safe Eyes’ protections break down quickly. For example, I had no problem using many Web-based e-mail services, even though I had supposedly blocked this category of sites.

While you can add such sites to the blacklist, there are too many for any parent to keep up with, and Safe Eyes’ list is obviously incomplete.

Similarly, if you block usage of AIM, Trillian, and other IM programs, that doesn’t prevent Web-based IM access. I logged onto AIM via Meebo.com with no problem and was also able to download, install, and use Skype, even though I had theoretically blocked all IM programs.

Another much-touted feature, which monitors outgoing transmissions for personal data such as your address and phone number, simply notifies you that the breach has taken place — rather than stopping it to begin with. This makes it pretty useless, in my opinion.

I was also frustrated by the program’s cursory and incomplete documentation, which contains no mention of such key features as Safe Eyes’ ability to perform remote overrides. The help files answered practically none of the questions I had about what the program could and could not do.

I had to test things out by trial and error to make sure a particular program was blocked or a logging feature worked the way I thought it did, for example.

Overall, while Safe Eyes can provide a tight net for small children, it’s easily circumvented by older kids. For them, you’ll need more protections, such as those found in my top choice for controlling a teen’s use of the Internet.

NET NANNY 5

Top parental-control software for older kids

While no parental-control program on the planet stands a chance against system-savvy teens — even nongeek teens could guess your password or simply use a PC at a friend’s house — Net Nanny 5 tries the hardest to foil them.

Net Nanny can be more expensive than Safe Eyes, depending on how many PCs you have. Pricing starts at $40 per year for the first computer and $20 for each additional system (with a 14-day free trial). For a three-computer household, that adds up to $80 a year, $30 higher than Safe Eyes.

Installing Net Nanny is an overly complex process. In my testing, downloading the program required many connections to the vendor’s server, which generated several error messages. Not knowing what was wrong, I started the download and installation three times using different e-mail addresses until I finally succeeded in completing the process.

It turned out that my installation woes arose from problems Net Nanny was having with its server that morning, pointing up a pitfall of any filtering software: the programs depend on access to a central site to refer to their blacklists and to perform account maintenance.

(Note that the need to check with a central server when filtering can also impact browsing performance. During my tests, however, I didn’t experience any perceptible slowdown over my fast DSL connection.)

Complementing its complexity, Net Nanny provides 83 pages of documentation, which are far more useful than Safe Eyes’ measly 20 pages. The documentation clued me in to features I was unaware of and answered most of the questions I had about the program. My first question was how to turn on the controls, since nothing seemed to be blocked in the app’s default mode and no password was required.

I eventually figured out that you need to switch immediately to “User mode” to start creating accounts and passwords, and you must customize settings for them. This is something you should not have to read the manual to figure out.

After doing so, I quickly created a test “child” account and went through the filtering options to block Web-based IM and e-mail. Unlike Safe Eyes, Net Nanny blocked Meebo and Me.com correctly, indicating that Net Nanny’s protocol filtering or blacklists are more up-to-date.

Figure 2. Net Nanny’s Web-filter settings offer plenty of options.

At the program’s most restrictive filtering levels, Net Nanny was more effective than Safe Eyes, stopping access in more cases. This is perhaps due to the more granular controls it offers users.

However, even Net Nanny failed the download-and-install-Skype test. I was chatting away on Skype immediately, even with every IM-blocking option on.

Both Net Nanny and Safe Eyes offer the ability to override controls remotely. This is useful if you’re out and your teenagers need to access a site to finish their homework or want extra time beyond their daily allotment, for example.

Both programs also have Mac versions, so you can use a single product to protect a multiplatform household.

Other Net Nanny features include integration with the Safe Search options in many Web browsers (it will automatically turn Safe Search back on if your kid turns it off), toll-free tech support, automatic updates, blocking of peer-to-peer download protocols, usage time limits, and customizable reports of each child’s Internet activities.

The downside to Net Nanny’s power is that the program is far less intuitive to use than Safe Eyes. However, once you read the manual, you’ll have a much better understanding of the program’s features than you get when reading Safe Eyes’ documentation.

That’s good, because when it comes to Web access, you’ll need all your Windows Secrets smarts to outwit your teenagers.

Emphasizing the ‘parent’ in parental control

Parental-control software is only as good as the mom or dad supervising it. You can’t just install any such program and think your work is done.

The single biggest loophole is that your kids may guess your password or learn it by watching you enter it. Then they’ll merrily override the controls whenever they want. Also, an older child with more privileges may give his or her password to a younger sibling, unwittingly or not.

That’s why it’s absolutely imperative that you read these programs’ logs regularly to see what sites your kids have been visiting. Also, pay attention to the alerts they send you, no matter how often they arrive.

Your best guarantee of good Internet behavior is simply to put the computer in an open area where a parent or other responsible person will be present when the kids are using it.

Don’t allow kids to use a computer alone in their rooms — advice that goes double for smartphones. Your children may kick and scream, but it’s not much use to restrict computer-based Web browsing if they have full access on a cell phone.

Make homework and surfing a parent-child activity, where you’re always nearby and available for assistance. Come over frequently and check what they’re up to. This will have benefits beyond Internet-access control.

Talk with your kids about their Web use, and set clear rules and guidelines. Are Facebook and MySpace allowed? IM? Under what circumstances and with whom? Make sure you know all your child’s passwords, and check their IM logs and e-mail activity regularly.

Also, make sure your children aren’t spending a lot of time on a PC with nonexistent or lax controls at a friend’s house or other location.

Finally, be aware that your kids are — or will become — more computer-literate than you are. Common workarounds for parental-control software include installing alternative browsers and IM clients, changing router parameters, setting up separate user accounts with full privileges, resetting the system clock, and installing a second hard drive (something any teenager can do for little money). A little Googling will turn up many sites with complete instructions for doing so.

But don’t despair. With a combination of good control software and good parenting, you can prevent your child from encountering most unsafe or inappropriate sites and also learn more about their friends and interests than they might otherwise share with you.

Becky Waring has worked as a writer and editor for PC World, NewMedia Magazine, CNET, The San Francisco Chronicle, Technology Review, Upside Magazine, and many other news sources. She alternates the Best Software column with Windows Secrets contributing editor Scott Spanbauer.