Archive for the 'Microsoft' Category

MS Word Security Vulnerability

Thursday, May 25th, 2006

Computer Security

There is a new security threat, this time in specially-crafted Microsoft Word documents. If you have Office 2002/2003/XP or Word 2002/2003, be careful about opening untrusted Word documents that you receive via the internet. The good news is that it isn’t a virus, i.e., it doesn’t propagate itself. The bad news is that infected Word documents allow the author to take control of your system.

http://www.tgdaily.com/…

Windows Vista System Requirements

Friday, May 19th, 2006

Microsoft

Microsoft has released the minimum system requirements for Windows Vista. Looking at them, they are very minimal—it may be possible that Vista would run on such a system, but a lot of other programs will not. Vista will be officially released in January.

http://arstechnica.com/…

New Internet Explorer Features

Friday, April 28th, 2006

Microsoft

This article gives a good overview of the new features in the upcoming Internet Explorer 7 release. Personally, I use Firefox—and don’t miss IE one bit.

http://www.nytimes.com/…

Windows Keyboard Shortcuts

Monday, April 24th, 2006

Microsoft Windows

I’ve been using Windows since before version 3.0, and already knew most of these shortcuts—but there were a few new ones. The ones I use most are CTRL-A, CTRL-C, CTRL-V, CTRL-S, and CTRL-Z, which are all conveniently placed for my left hand to easily press. One (non-keyboard) shortcut that isn’t documented but many people find by accident: double-click on the top bar of a window to maximize/restore it. This saves having to click on the little button on the top right.

http://www.intelliadmin.com/…

Windows Vista: Why You Should Care

Monday, March 6th, 2006

Windows

ExtremeTech has written a long but informative article covering the major new features of Windows Vista, which will be released later this year. There are quite a few significant changes, and I found it to be worth the read.

http://www.extremetech.com/…

Get a Free USB Drive From Microsoft

Wednesday, March 1st, 2006

Microsoft is offering to send out USB drives filled with “Valuable Information” about its products and services. The folks at digg.com quickly recognized this as a great way to get a free USB drive (although it will most likely have a small memory capacity).

Here’s how it works:

  1. Go to this link.
  2. Click on the image that says “Valuable Information”.
  3. Log in to your Passport account, or create one if necessary.
  4. Fill out the form, being sure to un-check all the boxes asking if Microsoft can contact you. The answers to the four questions are: 2, true, true, true.
  5. Follow the instructions for verifying your email.
  6. Wait 6-8 weeks for delivery.

If you’re worried about the Passport account, I’ve had one for years without any problems.

MS Office Viewers

Sunday, November 20th, 2005

Microsoft

Microsoft has free programs that allow you to view/print Office documents. I use StarOffice, but found that every once in a while it had problems with PowerPoint presentations—so this is just the thing I need. While I’m on the topic, OpenOffice is another good choice for the discerning user who doesn’t want to spend hundreds of dollars on a productivity suite.

http://pchere.blogspot.com/…

Windows Vista Performance Requirements

Saturday, November 19th, 2005

Microsoft

Microsoft has been touting Windows Vista (previously known as Longhorn) as a significant change in how we use computers. But at what cost? If you want to take full advantage of what Vista has to offer, the preliminary system requirements include a 2.4GHz processor with 512MB of RAM. I think I’ll just continue muddling along on WinXP with my 600MHz Pentium III.

http://arstechnica.com/…

Slipstreaming Windows XP

Wednesday, November 2nd, 2005

Tips

For those who read my recent post on the perils of leaving an unpatched Windows computer connected to the internet, you may have noticed a slight problem. The typical home user would install Windows XP, then connect to the internet and run Windows Update to download/install Service Pack 2. In the time it takes to download the updates, however, your computer has a non-trivial chance of being compromised and turned into a zombie. So what’s the solution?

The first option would be to get a copy of SP2 on CD. Microsoft provides them for free (plus a shipping charge). But there is still a drawback. If you configure your network/internet as part of Windows setup, you could still be compromised in the time it takes to install SP2 from CD.

A better option is known as “slipstreaming.” If you have a Windows XP installation CD, you can combine it with Service Pack 2 to create an integrated installation. This, in turn, can be burned to disc—thus creating a Windows+SP2 installation CD. The slipstreaming process will also save the time required to install SP2 (and the required reboot).

The process is fairly straightforward and is described in detail at Tom’s Hardware. It does require you to download a very large (270+ MB) file from microsoft.com, so no dial-up allowed! The same file appears to be on the SP2 CD, however, so you could probably skip the download if you have the disc.

Copyright © 2005 by Chad Cloman

Another Windows Update

Saturday, October 15th, 2005

Microsoft

Microsoft released another round of Windows security updates on Tuesday, and within hours a security company developed a workable exploit. I doubt it’ll be long before hackers do the same. Time to update if you haven’t already done so.

http://www.computerworld.com/…

The vi editor, Microsoft edition

Tuesday, October 11th, 2005

Microsoft

For all you old-school UNIX/Linux weenies out there (thanks Josh):

http://blogs.sun.com/…

I don’t think Microsoft is ever going to live down that paperclip.

Malicious Spyware

Tuesday, September 20th, 2005

Computer Security

I’ve been seeing a bunch of articles on a new type of spyware: keystroke loggers. A keystroke logging program will keep track of everything you type and then forward it to someone who will look for account numbers and passwords. This can be very bad when the information is for banking, credit cards, and such. A recent study found that 15% of all spyware is of the keystroke logging type.

Most of you reading this are quite tech savvy and know all about not opening attachments on incoming emails and not clicking through to web addresses given in emails (especially those purporting to be from eBay, your bank, or PayPal). But there are other ways to install malicious keystroke logging programs with which you may not be familiar.

Security Holes: Computer systems that don’t have the latest security updates are vulnerable for as long as they are connected to the internet. Malicious programs continuously scan the internet for computers with open ports to unpatched programs. Tests were run with a fresh installation of WinXP SP1, and it took approximately 4 minutes before the computer was compromised. The best way to protect against this type of attack is two-pronged: 1) Apply all patches and updates as soon as they are available, and 2) use a firewall.

Browser Vulnerabilities: Carefully crafted web pages or even web addresses can attain the ability to execute programs on your system. The best way to protect against this type of attack is to not use Internet Explorer. If you must, ensure that all of the latest patches are applied.

DNS Cache Poisoning: This is one of those cases where even if you do everything “right”, you can still be compromised. Essentially, a system that you use for DNS is given false DNS information and stores the data in its DNS cache. So when you type in www.paypal.com, for instance, you are redirected to a spoof site which gets your login/password information (and may also attempt to exploit browser vulnerabilities). The best way to protect against this type of attack is to minimize financial transactions online. In reality, you just have to trust that your ISP and upstream providers don’t let their systems get compromised—it’s really quite simple and comes down to having their DNS system correctly configured.

Internationalized Domain Names (IDN): IDN is a fairly new standard whereby non-Latin (non-English) character sets can be used in domain names. This is of greatest concern for Asian-language domains, but it was expanded to include all languages. It turns out that some languages have characters that look identical to English-language characters, but which are treated as different under IDN, so a spoofed domain name can look exactly like the real one. This only works when you click through to a spoofed web site, via email or a link on another site. The best defense against an IDN attack is to use Internet Explorer 6, as it does not support the IDN standard. Other browsers, such as Firefox, have implemented security procedures to ensure the user is aware of IDN site names, but older versions do not have these measures in place and are vulnerable. More recently, researchers have found another IDN exploit in Mozilla/Firefox, and it seems like the best thing to do for now is to simply disable IDN.
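
To make the IDN lookalike problem concrete, here is an added example (not from the original post, and not any browser's actual check) that flags hostnames whose labels mix scripts or whose lookalike characters collapse to a watched domain. The function names, the small `CONFUSABLE` table, the watch list and the sample hostnames are all constructed for illustration.

```python
import unicodedata

# Illustrative subset of Cyrillic letters that render like Latin ones
# (assumption: hand-built for this example, not the full Unicode confusables data).
CONFUSABLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
              "\u0455": "s"}

def scripts(label):
    """Scripts used by the letters of one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    # A Unicode character name begins with its script: "CYRILLIC SMALL LETTER A".
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}

def skeleton(label):
    """Replace known lookalike characters with their Latin twin."""
    return "".join(CONFUSABLE.get(ch, ch) for ch in label)

def to_ascii(host):
    """The ASCII (punycode, 'xn--') form that is actually looked up in DNS."""
    return host.encode("idna").decode("ascii")

def check_host(host, watched):
    """Return findings for one hostname, compared against watched domains."""
    host = host.lower()
    labels = host.split(".")
    findings = []
    for label in labels:
        used = scripts(label)
        if len(used) > 1:
            findings.append(f"mixed scripts in label: {sorted(used)}")
    if not host.isascii():
        findings.append(f"IDN, looked up as {to_ascii(host)}")
        skel = ".".join(skeleton(label) for label in labels)
        if skel in watched:
            findings.append(f"looks like watched domain {skel}")
    return findings

if __name__ == "__main__":
    watched = {"paypal.com", "coco.example"}        # constructed watch list
    samples = ["www.paypal.com",                    # plain ASCII
               "\u0440\u0430\u0443\u0440\u0430l.com",  # Cyrillic + Latin 'l'
               "\u0441\u043e\u0441\u043e.example"]     # all-Cyrillic label
    for host in samples:
        print(to_ascii(host), check_host(host, watched))
```

The third sample passes the mixed-script check because every letter in its label is Cyrillic; only the skeleton comparison against the watch list catches it, which is why showing the `xn--` form to the user matters.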