
    Windows Secrets

 


   
       
   
Windows Secrets Newsletter • Issue 84 • 2006-10-12 • Circulation: over 140,000
   
   


   
   
TOP STORY

MS OneCare halts flow of antivirus info

By Woody Leonhard

When Microsoft announced it was entering the antivirus biz, the usual nattering nabobs of negativism moaned and groaned about unfair competition and unlevel playing fields.

But several recent events seem to confirm the worst: Microsoft may well be using its desktop monopoly to trump its AV competitors. What do you think?

The PowerPoint zero-day smoking gun

Before Microsoft started selling antivirus protection, the major antivirus companies (and many of the smaller ones) enjoyed more-or-less equal access to Microsoft's top-secret AV information. When Microsoft found out about a new threat, the AV companies all heard about it at the same time. When MS figured out how certain types of malware worked, the AV companies learned about the holes quite quickly.

Then Microsoft announced that it would start competing in the antivirus arena with the product we now know as Windows Live OneCare. AV companies received assurances that the flow of information wouldn't stop — that Microsoft wouldn't use its special position as the provider of the operating system to take unfair advantage with their AV product.

On September 26, antivirus researchers at McAfee discovered a new zero-day PowerPoint exploit that goes by the unlikely name of CVE-2006-4694. Like so many other zero-day exploits, this nasty critter was discovered in the wild when it dropped a targeted Trojan that McAfee calls Exploit-PPT.d.

There's just one little problem with Exploit-PPT.d. As McAfee antivirus researcher Craig Schmugar points out in his Sept. 26 blog entry, Microsoft already knew about this particular Trojan and, presumably, the zero-day exploit that delivers it. Craig shows a listing that seems to prove that Microsoft had not only identified the exploit, but had updated one of its scanners to detect the dropped Trojan three days before McAfee found it. The Microsoft scanner, dated Sept. 23, identifies the Trojan as Win32/Controlppt.X.

My friends in the antivirus community tell me that, as far as they know, Microsoft didn't bother to mention this particular zero-day exploit, or the Trojan, to any other AV companies. Microsoft simply updated its own AV product and let its competitors pound sand.

Microsoft goes public after the fact

On Sept. 27, Microsoft finally fessed up to the zero-day hole, issuing security advisory 925984. That advisory not only lists PowerPoint 2000, 2002, and 2003 as being vulnerable, as McAfee had advised. It also lists two versions of PowerPoint for the Mac. Take a look at the advisory and tell me if it looks like it was thrown together in the 24 hours after McAfee posted its warning.

The advisory states that Microsoft is "actively sharing information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks."

You might believe that statement, but I doubt Craig Schmugar does.

The security advisory also says, "Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability." Being the inquisitive cuss that I am, I decided to take a look at the safety scanner and see what I could find.

Windows Live OneCare Safety Center revisited

In the June 29 and July 13 paid issues of this newsletter, I talked about a remarkable, free, online antivirus scanner from Microsoft called the Windows Live Safety Center. My conjecture then, as now, is that the free Live Safety Center primarily exists to let Microsoft off the antitrust hook: Microsoft sticks antivirus detection updates in the (free) Live Safety Center before they update the (paid) Windows Live OneCare. That way, when a politician or competitor claims that Microsoft has tilted the AV playing field in its favor, Microsoft can point to the Live Safety Center and say, "But we made the fix available, free, days (or hours or weeks) before we put it in Live OneCare."

When I wrote back then about Windows Live Safety Center, it was a slow, bloated, poorly-documented and nearly unknown service with one single design objective: to keep Microsoft out of court on antitrust charges. In mid-August, the folks in Redmond morphed the Live Safety Center into the "Windows Live OneCare safety scanner." (Note the lower-case "s"es.) The new incarnation presents itself as a slow, bloated, poorly-documented and nearly unknown service acting primarily as an advertising come-on to get people to sign up for the $50/year Windows Live OneCare.

See the difference?

The new Web site for the safety scanner leaves much to be desired. The "Top threats" that are listed all date back to May and June 2006. We've seen, ahem, a few threats since then.

When I tried to look up the Win32/Controlppt.X trojan, the one dropped by this new zero-day PowerPoint exploit, there was no match. When I searched for Win32/Controlppt, without the .X, I got 24 hits (including three duplicates). All of them advised, "This software threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat." So I have no idea whether or not the Windows Live OneCare safety scanner actually removes the malware.

I asked Microsoft to comment on the current dismal state of Windows OneCare safety scanner affairs, and was told by a spokeswoman, "We are unable to participate in this particular opportunity at this time."

The Vista kernel lockout and beyond

Elsewhere in this issue of the Windows Secrets Newsletter, my co-contributing editor Ryan Russell (below) talks about Microsoft's ongoing efforts to keep antivirus products out of Windows Vista's kernel. Ryan's observations, and particularly his conclusions, speak for themselves.

Microsoft has released a white paper called Microsoft Windows Vista: An Inflection Point for Kernel Security and 64-Bit Computing that deals with the controversy. I've gone over that paper, forwards and backwards. Aside from a few marketing platitudes, I didn't see anything worthwhile.

At its core, Microsoft is stuck between a rock and a hard place. If Microsoft builds hooks into Vista's kernel so antivirus products can get in, the bad guys will no doubt figure out a way to use the hooks. But if Microsoft lets legitimate AV companies into the kernel using, say, the method that MS employed for its own firewall, the 'Softies will be put in the unfortunate position of gatekeepers over a potentially messy mob of programs that want to get in.

Microsoft has to provide some way for AV and firewall manufacturers to intercept traffic coming into and going out of your PC. The white paper says that will be accomplished with the "Windows Filtering Platform" — but gives no details about what that entails, or how it will work. What (or who) is going to keep the bad guys from using WFP?

Most troubling of all: the "hypervisor" situation, where a properly constructed hypervisor rootkit could run with absolutely no hope of detection. (Hypervisors use hardware virtualization to run outside the operating system: Blue Pill's demo at the 2006 Black Hat conference took advantage of a hypervisor hole.) The white paper says, "Microsoft is actively building a hypervisor solution." The guys in white hats are waiting with bated breath — and faint hope.

If Microsoft holds the keys, how do small companies and startups get in? And... who voted for Microsoft in the first place, eh?

Antitrust abuses or unfortunate oversights?

Many of you will look at the events I've described and shrug them off — a notification oversight here, a bit of sloppy Web site updating there, with an unfortunate kernel conundrum thrown in for good measure. But I, for one, am getting more and more uneasy about Microsoft leveraging its monopoly in operating systems to unfairly compete with antivirus, antispyware, antiscum, and firewall manufacturers.

It currently appears as if the US Department of Justice is going to roll over and play dead. At least, if there are any rumblings at DOJ, I certainly haven't heard them. Whether the EU will take it lying down remains to be seen. There's more than a little irony in the thought that the European Union may represent Americans' best hope for consumer protection.

This much I know for sure: If you're paying Microsoft to protect your computer, you're part of the problem, not part of the solution.


Woody Leonhard's Web site posts MS-DEFCON reliability ratings for Microsoft patches. His recent books include Windows XP Hacks & Mods For Dummies.


   
   
TELL A FRIEND

How you can share this information

We love it when you send your friends links to our articles. But please don't forward your copy of our e-mail newsletter to people, which can subject us to spam complaints. Instead, simply suggest that your friends visit this issue's permanent Web address, shown below. A complete index at the bottom of the Web page provides you with hyperlinks to any article you'd like to recommend.

The address of this issue is http://WindowsSecrets.com/comp/061012

   
   
THE SECURITY BASELINE

The Security Baseline as it stands

By Brian Livingston

No new reviews of security products have recently been published by major test labs that change the rankings of the top-rated items.

This means that there are no changes this week in what respected reviewers consider the best add-ons to stop malware.

Based on the latest published findings, the best four products to give your PC comprehensive protection against hackers are (1) a Linksys hardware firewall, (2) ZoneAlarm Security Suite, (3) Webroot Spy Sweeper for antispyware protection, and (4) Shavlik NetChk Protect for update management. See details below.

Linksys WRT54G Router
1. Hardware firewall. For small-office networking, the most affordable secure firewall is the Linksys Wireless-G WRT54GL router (left, about $70 USD street), which offers 802.11g Wi-Fi and also includes four wired Ethernet ports. To cover more than a few adjacent rooms, consider the Linksys WRT54GX ($160), which doubles the usual "g" range. Be sure to enable WPA or WPA2, either of which provides strong Wi-Fi security. The WRT54GL (previously named WRT54G) and the WRT54GX are PC Magazine Editors' Choice winners.

ZoneAlarm Security Suite 6
2. Security suite. ZoneAlarm Internet Security Suite (left, $60 street) has long been rated as the best all-in-one software firewall, antivirus program, and antispam filter — now with antispyware scanning and Windows OS kernel protection. It has Editors' Choice awards from PC Magazine and CNET as well as being rated "the best all-around protection" by Consumer Reports Magazine. (Turn off ZA's real-time spyware protection so this can be handled by your antispyware program, shown below.)

Webroot Spy Sweeper
3. Antispyware program. For individual PC users, the most effective remover of spyware is Webroot Spy Sweeper (left, under $35 per year), according to comparative tests published by PC Magazine and PC World. (Note: PC Mag has also given an Editors' Choice to Encore's PC Tools Spyware Doctor.) For businesses that are looking for a centrally managed solution for 10 or more seats, Webroot's Spy Sweeper Enterprise ($240 per year for 10 users) has won the latest comparative review by Windows IT Pro and was rated a Best Buy by SC Magazine.

Shavlik's NetChk Protect
4. Update management. Windows Update and Microsoft Update are no longer recommended. To protect against questionable Microsoft downloads, knowledgeable users should configure Automatic Updates to Notify me but don't automatically download or install. Then read our free and paid newsletters to learn which patches not to select. Home users and small-business networks should deploy critical patches using Shavlik's NetChk Protect (free with registration for one year for up to 10 PCs). The technology has won top honors from Redmond Magazine and SC Magazine. The product is complex, so be sure to read our tutorial and workarounds. For larger businesses, GFI LANguard Network Security Scanner ($495 for 32 machines) is top-rated by WindowSecurity.com and MCSE World.


Brian Livingston is the editor of WindowsSecrets.com and the coauthor of Windows Me Secrets and nine other books. The Security Baseline section appears in every issue. It summarizes the top ratings of trusted reviewers in four categories of products that every PC needs for protection against threats.


   
   
HERE'S A TIP

The best stuff is in our paid version

To upgrade, simply make a contribution of any amount you choose. If you do this by Oct. 25, 2006, you'll instantly be sent the full, paid version of today's newsletter.

Subscribers to the paid version receive additional information in each issue. Some of the extras this week are:

Brian Livingston / Hot Tips. The best information available on making Windows work the way you want it to:
  • You'll love IE 7's tabs or hate 'em
  • How to configure IE 7's tabbed browsing
  • Advanced issues with Spy Sweeper and NetChk
  • Command-line trick speeds up Vista browsing

Chris Mosby / Over the Horizon. The steps you need to take NOW to protect yourself, because patches aren't yet available for some known threats:
  • Microsoft skips some critical IE patches
  • Serious IE ActiveX flaw left unpatched
  • Daxctle.ocx allows infected file execution
  • How to get more details

Susan Bradley / Patch Watch. We tell you which official patches have problems and, more importantly, how you can work around them:
  • Goodbye old friends, hello Office patches
  • One IE zero-day threat patched, one not
  • Death by PowerPoint revisited
  • Microsoft's servers take Woody's go-slow advice

Ryan Russell / Perimeter Scan. The latest on protecting yourself and your in-house network, whether you're responsible for 5 PCs or 5,000:
  • Is Vista locking out security competitors?
  • Security companies question Microsoft's intentions
  • Which companies can protect Vista's kernel?
  • More on those Java install errors

Paid subscribers can access all old and new paid newsletter content
Make a contribution to support our research into Windows and you'll immediately be able to read and search through scores of valuable articles. In addition, paid subscribers are entitled to download valuable content that we license for you at least once every calendar quarter.

To upgrade to the paid version of Windows Secrets, please visit our upgrade page. Thanks in advance.


   
   
EBOOKSHELF

Spam-Proof Your E-Mail Address, 2nd Ed.
This 32-page e-book by Brian Livingston gives you step-by-step instructions that can prevent 97% of the spam that would otherwise clog an e-mail account. You could call it "Livingston's Spam Secrets." The PDF e-book is the result of months of experiments and tests we conducted. We now receive little or no spam to the addresses we used as guinea pigs. These tests show that you can make your e-mail addresses invisible to spammers, not just battle an ever-growing flood. The methods we describe work with Windows, Apple, and Linux and don't require any filters or block lists — but you can use those in addition to the book's techniques, if you wish.

   
   


   
   
USEFUL LINKS

Hundreds of ETFs are heading your way
ETFs are the fastest-growing investment vehicles in global markets today. You may not have heard much about ETFs until now — but you'll be hearing much more about them soon. (By Brian Livingston, Datamation)

How trustworthy is the TRUSTe logo?
Harvard Law School graduate Ben Edelman, a respected antispyware researcher, has published an analysis disputing the trustworthiness of sites that bear the TRUSTe seal. (By Brian Livingston, Datamation)


   
   
WACKY WEB WEEK

Battle of the animated album covers

In this hilarious 3-minute animation, classic album covers come to life, putting some famous band members into a variety of weird and wacky situations.

It's the creation of animators at Curious Pictures, an entertainment company based in New York. The clip was submitted for Battle of the Ad-Bands, a competition that benefits the city's public schools.

Regardless of all that, it's just plain funny. Beware, however — sophomoric and gross humor abound, so it's not for the straight-laced.


   
   

   
   
YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published twice a month on alternating Thursdays. Issues appear 2 days and 16 days after Microsoft Patch Tuesday (the 2nd Tuesday of each month). Only the first issue of the month is published in August and December to allow vacation breaks. A short "news update" is sometimes published between regular newsletters.

Publisher: WindowsSecrets.com LLC, 300 Queen Anne Ave. N. #456, Seattle, WA 98109 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor: Brian Livingston. Contributing Editors: Susan Bradley, Woody Leonhard, Chris Mosby, Ryan Russell. Research Director: Vickie Stevens. Program Director: Brent Scheffler.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2006 by WindowsSecrets.com LLC. All rights reserved.
