Archive for September, 2006

Microsoft Works suite to become Web-based?

Friday, September 22nd, 2006

The low-end office suite called Microsoft Works has been a mainstay for home users who had no need for all the functions and complications of the full-blown Microsoft Office. In fact, for most home PC owners, using Office is like cracking a peanut with a sledgehammer. I doubt if most people use more than a few percent of the available functions. Works has always been a bit of an orphan at Microsoft and now it seems the company is mulling whether to make it a purely Web-based application.

Trojan horses outnumber all other malware

Friday, September 22nd, 2006

ZDNet reports on an interview with Richard Wang, Director of Threat Research for the security firm Sophos. Statistics from Sophos confirm that criminal activity is now the major source of malware.

As a sure sign that crimeware is growing, look at this number that Sophos reports: 60% of all malware is in the form of Trojans. The total number of Trojans in their list exceeds the number of viruses, worms, etc. by a huge margin.

We need a better way to computer security

Thursday, September 21st, 2006

In my opinion, a new approach to computer security methods must happen sooner or later. In a longer discussion than is usual for my posts in this blog, I have outlined some thoughts on this matter. The discussion is on a separate page, A Better Way to Computer Security, which is linked in the sidebar under “Pages”.

A better way to computer security

Thursday, September 21st, 2006

You must have heard the story about the frog that sits in a pot of water that is gradually heated. The process is slow and the frog doesn’t notice as the temperature inches up, even when it gets quite hot. Finally, it is too late and the frog is boiled. Well, we are all frogs in the computer security pot and it is getting awfully hot.

The manufacture and application of malware is no longer the province of script kiddies, thrill-seeking hackers, and occasional malcontents. It has passed into the hands of professionals who are in it for the same reason as bank robbers: money. These people are in the full-time business of removing your wallet. They are located all over the world and are almost impossible to prosecute (if they are ever caught). Not only do they use sophisticated programming but, like other types of con men, they are masters of psychology and social engineering.

It isn’t just individuals who seem to be ignoring the rising heat. Institutions like banks have been shameful in their neglect of basic security practices. It’s the old story of human behavior when faced with an unpleasant prospect. They hope it’ll go away and they won’t have to actually confront the situation. Security is too much work. Security is inconvenient. Security is unpleasant. Security costs too much.

Well, the problem is not going away. It’s only going to get worse; there are too many easy pickings for the international gangs. The statistics that get reported are very discouraging. There’s no way of knowing the true numbers but various studies show that maybe 10 to 20 percent of PCs (or more) contain malware. Much of this is some form of Trojan horse that makes the unwitting owners of the infected zombie computer part of “botnet” rings. Even a small number of infected machines is a problem. The Internet is like a giant organism with low resistance and a few infected machines rapidly multiply their numbers.

In my opinion, this is a situation that is rapidly getting out-of-hand. It’s a mess that gets more complicated by the day. You are supposed to have a vast collection of software to guard you. You need a firewall. You need anti-virus, anti-Trojan, anti-spam, anti-phishing, anti-spyware. All of these programs do not always play well together. Yes, you can get suites but so far there is no suite without at least one or more inferior components. All these things running in the background result in a big hit to system performance. Next, you need constant security updates for all of this. And you also need security fixes for all kinds of other applications. You need to update Windows. You need to update your browser. You need to update Microsoft Office. You need to update Flash. You need to update Java. And so on. Then there is the problem that not everybody bothers to update. The software companies are trying to make the updating as automatic as they can but the statistics on the results are not good. People get “patch fatigue”. They get numbed by the constant drumbeat about new malware. Even businesses with full-time IT staff have a hard time keeping up. The fact is, even with constant updating, systems are still vulnerable to so-called “zero-day” and undocumented exploits.

Moreover, it’s not just the PC that is a problem. People are becoming more and more connected. Cell phones, iPods, Blackberrys, and other similar instruments are ubiquitous. The criminals are not neglecting these fresh pastures.

I could go on with the lamentations and hand-wringing but that becomes boring. Let’s look at possible answers. We have to begin with the sad fact that our fellow human beings are not to be trusted. Most of us are basically decent and responsible people who do not steal or enjoy vandalizing other people’s computers. We would prefer to be able to use the Internet in a spirit of community and trust. Unfortunately, there are always hoodlums and charlatans and sociopaths waiting to take advantage of our trust. So we have to stop believing everything that we read on the Internet. We have to treat all emails as possibly suspicious and never click on any links they contain. We have to regard unfamiliar Websites as potentially dangerous. We must test anything that we download before we install it to see if it is malware. We have to trust less and verify more.

Also, there is no getting around the fact that we must give up a lot of convenience. There is a clear trade-off between ease-of-use and security. Locked doors are less convenient to use than open doors. For example, online operations like banking will have to involve longer procedures. Security can be tedious but we must learn to live with computers that are harder to use. Reports on the Web about the annoyances of the new security features in Windows Vista illustrate that point.

Some people (usually officials who want headlines) suggest that more laws are the answer to the security problem so they urge or pass laws against Internet fraud. These efforts are so pathetic that I have to wonder how seriously the law-makers really take them. There are plenty of laws against fraud already. Does anyone really believe they are going to deter the gangs in places like Uzbekistan, and Iran, and Russia? However, if the legislators want to pass laws, there is a very important way that they could help. Let them make fiduciary institutions like banks more responsible for security breaches. At present these institutions are woefully inadequate in guarding your personal data or in guarding against phishing. (There are some exceptions like Bank of America and Vanguard that are beefing up their online security.)

If your identity is stolen, the burden is on you, not the bank. Let the legislators pass laws making the banks, stock brokers, etc. responsible for losses due to identity theft. Make them responsible for safeguarding your personal information. Make the institutions liable and then you’ll see a lot more security. Of course, this will cost money and make things like online banking less convenient but it has to be done. As long as it is really easy to steal somebody’s account information, thieves will thrive. As of now, institutions haven’t the incentive to do much about it.

I also believe that the current notion that the PC should be an all-purpose machine with the same basic type being used by everybody from grannies doing email to big businesses with large applications is fatally flawed. Microsoft and Intel and Dell have a big investment in this model so we are probably stuck with it for a while but it makes no sense. A whole lot of the people who use computers at home simply don’t need the power and flexibility of the current PC and they are completely unprepared to do many of the security measures that these systems require. I deal with a lot of ordinary people who have little understanding of Windows and no interest in learning details about how a PC operates. They want something that works like their other appliances. They want to turn the PC on, do some email, surf a little and that’s it. The needs of this large section of the PC users could easily be met with a machine that is a lot safer and easier to use than the present PC type. It would also be cheaper and that’s the rub; there’s no money in selling a box with limited functions. Unfortunately, these average users are the very people who are the biggest security problem. I gave a lecture to a group of average PC users recently where I asked how many had a firewall. About half either had no firewall or had no idea what a firewall is. About half did not have an up-to-date anti-virus subscription. Their machine had come with Norton or McAfee and when the update subscription expired, that was that. This is not a scientific sample but it is indicative.

What about the defenses right there on our own PC? Can we improve them? In a previous article, “Do We Need a Paradigm Shift in Anti-Malware Protection?”, I suggested that the reactive approach with anti-everything software was clearly not working. The solutions mentioned in the previous article included using virtual machines and I think that may be the best practical solution.

There are various ways to configure your Internet browser to make your computer safer but that’s a subject that involves technical details and will have to wait for another time. Meanwhile, don’t let the criminals out there ruin your enjoyment of the wonderful world of the Internet.

More security problems with Internet Explorer

Wednesday, September 20th, 2006

A rather severe security exploit is being used to attack Internet Explorer (IE) users. Internet Week reports:

An unpatched vulnerability in all editions of Microsoft’s Internet Explorer browser is being exploited, security researchers said Tuesday, with the attack dumping a broad range of adware, spyware, and Trojans onto PCs whose users simply surf to an infected or malicious site.

The article says that so far it’s mainly porn sites that are using the exploit but the problem is expected to spread rapidly to other sites. Microsoft has issued a security advisory but no patch is available yet and may not be until October 10, the regular “Patch Tuesday”. Here are suggested workarounds:

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Note: The following steps require Administrative privileges. It is recommended that the system be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround; however, the recommendation is to restart the system.

To un-register Vgx.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: Applications that render VML will no longer do so once Vgx.dll has been unregistered.

To undo this change, re-register Vgx.dll by following the above steps. Replace the text in Step 1 with "regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"" (without the quotation marks).

Modify the Access Control List on Vgx.dll to be more restrictive

To modify the Access Control List (ACL) on Vgx.dll to be more restrictive, follow these steps:

1. Click Start, click Run, type “cmd” (without the quotation marks), and then click OK.

2. Type the following command at a command prompt to make a note of the current ACLs that are on the file (including inheritance settings) for future reference in case you have to undo this modification:

cacls "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

3. Type the following command at a command prompt to deny the ‘everyone’ group access to this file:

echo y| cacls "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll" /d everyone

4. Close Internet Explorer, and reopen it for the changes to take effect.

Impact of Workaround: Applications and Web sites that render VML may no longer display or function correctly.

Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone.

You can help protect against this vulnerability by changing your settings to disable binary and script behaviors in the Internet and Local intranet security zone. To do this, follow these steps:

1. In Internet Explorer, click Internet Options on the Tools menu.

2. Click the Security tab.

3. Click Internet, and then click Custom Level.

4. Under Settings, in the ActiveX controls and plug-ins section, under Binary and Script Behaviors, click Disable, and then click OK.

5. Click Local intranet, and then click Custom Level.

6. Under Settings, in the ActiveX controls and plug-ins section, under Binary and Script Behaviors, click Disable, and then click OK.

7. Click OK two times to return to Internet Explorer.

Impact of Workaround: Disabling binary and script behaviors in the Internet and Local intranet security zones may cause some Web sites that rely on VML to not function correctly.

Read e-mail messages in plain text format to help protect yourself from the HTML e-mail attack vector

Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only. Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about how to enable this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.

Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:

1. The changes are applied to the preview pane and to open messages.

2. Pictures become attachments so that they are not lost.

3. Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

Whew! Wouldn’t you really rather have a safer browser?
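The un-register and binary-behaviors workarounds above, combined into one batch file as an added example (it is not from the Microsoft advisory or the Internet Week article). The script name and log file path are hypothetical; the registry value it writes (action 2000, data 3, in zones 1 and 3) is the per-user registry form of the Internet Options steps.

```batch
@echo off
rem Added example, not part of the Microsoft advisory.
rem Usage: vml-workaround.cmd          apply the workarounds
rem        vml-workaround.cmd undo     re-register vgx.dll
rem Run as an administrator, then restart as the advisory recommends.
setlocal
set "VGX=%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
rem HKCU is per user: the zone change only covers the account running this.
set "ZONES=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
rem Hypothetical log file name, chosen for this example.
set "LOG=%USERPROFILE%\vml-workaround-before.txt"

if not exist "%VGX%" (
    echo vgx.dll was not found at "%VGX%".
    exit /b 2
)
if /i "%~1"=="undo" goto undo

rem Record the current zone values so they can be restored by hand later.
echo Settings before workaround, %DATE% %TIME% > "%LOG%"
for %%Z in (1 3) do reg query "%ZONES%\%%Z" /v 2000 >> "%LOG%" 2>&1

rem Un-register the VML renderer. /s suppresses the dialog box, so the
rem exit code is the only evidence of success and must be checked.
regsvr32 /u /s "%VGX%"
if errorlevel 1 (
    echo Un-registering vgx.dll failed with exit code %ERRORLEVEL%.
    exit /b 1
)

rem Action 2000 is "Binary and script behaviors"; data 3 means Disable.
rem Zone 1 is Local intranet and zone 3 is Internet.
for %%Z in (1 3) do (
    reg add "%ZONES%\%%Z" /v 2000 /t REG_DWORD /d 3 /f > nul
    if errorlevel 1 echo Could not change zone %%Z.
)
echo Workarounds applied. Previous zone values are in "%LOG%".
exit /b 0

:undo
regsvr32 /s "%VGX%"
if errorlevel 1 (
    echo Re-registering vgx.dll failed with exit code %ERRORLEVEL%.
    exit /b 1
)
echo vgx.dll re-registered. Restore the zone values recorded in "%LOG%" if needed.
exit /b 0
```

The ACL workaround is left out on purpose: once the "everyone" group is denied access to vgx.dll, later regsvr32 calls against the file can fail, so the two workarounds are better applied separately.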

A different approach to PC security: the sandbox

Tuesday, September 19th, 2006

As I have said in a number of blog entries, I believe that the traditional reactive methods of defending our computers against malware are not sufficient and that a new paradigm in computer security is needed. A different approach that is promising is the use of a method called the “sandbox”. This technique is akin to the virtual machine method and creates an area on the system that is isolated from the rest of the system. Any malware infection that occurs in the sandbox is prevented from spreading system-wide. By placing the Internet browser in the sandbox, infections from the Internet are quarantined to the sandbox.

Software for running sandboxes is becoming available and an excellent review and assessment of eight programs is given by Ian “Gizmo” Richards at Tech Support Alert. His top pick is Green Border. This is commercial software with an annual fee of $29.95. With one minor reservation, Richards also likes a free (donation suggested) program, Sandboxie.

More history: 15 years of the world-wide web

Monday, September 18th, 2006

This year there seem to be a lot of articles celebrating various anniversaries. This year marks 15 years for the Web and InternetWeek gives some history. Here’s how WWW began:

In late summer of 1991, an information technology consultant named Tim Berners-Lee posted an unassuming message to the alt.hypertext newsgroup, making public a project he had been working on for the European Organization for Nuclear Research (CERN). He began, “The WorldWideWeb (WWW) project aims to allow links to be made to any information anywhere.”

With that memo, Tim Berners-Lee changed the world. No one — not even Berners-Lee himself — saw it coming. Not on this magnitude.

The 25 worst Web sites of all time

Friday, September 15th, 2006

That’s the theme of this PC World article. The choices are a little idiosyncratic but you can be entertained by the list anyway. The pick for the number one worst site is MySpace.com, which is going to surprise a lot of people.

Guide to troubleshooting Microsoft Outlook

Friday, September 15th, 2006

I do not personally use Outlook (not to be confused with Outlook Express) but, in spite of its many flaws, many other people do. A comprehensive guide to troubleshooting problems in Outlook can be found at this site.

A different approach to fighting malware

Thursday, September 14th, 2006

The reactive approach used in traditional anti-virus software has drawbacks and the need for a different approach is leading to the development of alternate tools. Some of these are discussed in a PC World article.