January 2007 - Posts

New IE-related KB articles

When you connect to a Web site that uses a client certificate for user authentication, IE6 does not filter out invalid certificates on a Windows XP SP2 based computer:
http://support.microsoft.com/default.aspx/kb/929477


How to move the Standard toolbar to a location that is above the Address bar in IE7:
http://support.microsoft.com/default.aspx/kb/930645

Groundbreaking settlements hold online advertisers responsible for displaying ads through deceptively installed adware programs

That’s one hell of a headline, yes?  It’s taken from this announcement by the Office of the New York State Attorney General Andrew M. Cuomo:
http://www.oag.state.ny.us/press/2007/jan/jan29b_07.html

Basically, thanks to their involvement with Direct Revenue (having spent hundreds of thousands of dollars delivering advertisements through Direct Revenue software), Priceline.com Incorporated (“Priceline”), Travelocity.com LP (“Travelocity”) and Cingular Wireless LLC (“Cingular”) have been found responsible for how their advertisements are displayed on users’ computers.  To quote the press release:

“Advertisers will now be held responsible when their ads end up on consumers’ computers without full notice and consent,” Cuomo said.  “Advertisers can no longer insulate themselves from liability by turning a blind eye to how their advertisements are delivered, or by placing ads through intermediaries, such as media buyers.  New Yorkers have suffered enough with unwanted adware programs and this agreement goes a long way toward clamping down on this odious practice.”

 

Priceline, Travelocity and Cingular all promise to:

  • Provide to consumers full disclosure of the name of the applicable adware program and any bundled software;
  • Brand each advertisement with a prominent and easily identifiable brand name or icon;
  • Fully describe the adware and obtain consumer consent to both download and run the adware;
  • Make it practicable for consumers to remove the adware from their computers;
  • Obtain consent to continue serving ads to legacy users;
  • Require their affiliates to meet all of these same requirements;
  • Undertake “due diligence” when selecting and using adware providers, including investigating how the online ads are delivered;
  • Immediately cease using any adware provider if said provider breaches the above terms “or their own adware policies”.

Priceline will pay $35,000 to the State of New York as penalties and investigatory costs, Travelocity will pay $30,000 for the same reason, and Cingular will pay $35,000, again as penalties and investigatory costs.

The implications of this decision are quite staggering, and will force media buyers, other intermediaries, and those who buy content from them to clean up their act, unless they want to lose advertising income from their reputable clientele.

 

I would have liked one more condition to be added to the agreement between the New York State Attorney General and Priceline, Travelocity and Cingular: if their media buyers or other intermediaries are shown to be allowing cr*p like Winfixer to be promoted via a service also used by Priceline, Travelocity and Cingular, then those three companies should stop using said media buyers or intermediaries unless and until the malware advertisements stop.

The words “or their own adware policies” could be a stumbling block for media buyers and other intermediaries such as Right Media and those they on-sell to.  What if, for example, Company X has a “no spyware or malware” policy?  It could be argued that the New York agreements mean that if the companies in question hire media buyer or intermediary X, and that supplier also has, for example, people distributing Winfixer as a client, then the companies affected by the New York settlement could quite likely be obliged to dump media buyer X as their supplier.

That scenario, as far as I’m concerned, would make me very happy indeed.  I want the media buyers, intermediaries and anybody else who conspires in and contributes to the distribution of malware like Winfixer via pop-up ads to become internet pariahs, avoided by reputable companies and by anybody who values their reputation, and relegated to the world of has-beens.

The full “Assurance of Disclosure” can be found here:
http://www.oag.state.ny.us/press/2007/jan/adware-scannedAODs.pdf

Posted by sandi with 1 comment(s)

ISA2004 update available

Yay. Thanks to Susan for pointing this out.

Available here:
http://www.microsoft.com/downloads/details.aspx?familyid=25bb5f65-4734-4268-b2b1-1606dceac06f&displaylang=en&tm

Fixes the following issues:

917718 The ISA Server Control service may not start after you rename and then restart a computer that is running ISA Server 2004
917265 Error message when client computers that are behind a proxy server access Web sites that are published by using ISA Server 2004: "404 Not Found. The requested item could not be located (12028)"
917903 You cannot join a Windows Vista 64-bit client computer to a Windows domain on which ISA Server 2004 is configured as a firewall (Bingo - need this for my Ferrari x64)

Posted by sandi with no comments

TomTom 910 - bundled software infected with malware

More specifically, the TomTom software being distributed with the 910 was infected with the Win32.Perlovga.A Trojan and TR/Drop.Small.qp - an excellent write-up (and, I think, the article that originally broke the news) is available here:
http://www.daniweb.com/blogs/entry1276.html

TomTom's statement about the situation, which notes that the satnavs were produced between September and November last year, is here:
http://www.tomtom.com/news/category.php?ID=2&NID=349&Language=1

Regarding TomTom's statement that the viruses are "low risk", I say B*LLS*T.  There is no such thing as a trojan that is not dangerous.  If that trojan is used to morph your system into a spambot, that is dangerous - if it is used to host somebody's p0rn or warez collection, that is dangerous.  If your infected system is added to a botnet for DDoS attacks, that is dangerous.

Nobody has any way of knowing what the end result of infection by that trojan is going to be, or how the bad guys are going to use the access granted by said trojan, and therein lies the real danger.  It is all well and good to tell victims to delete the two affected files that TomTom installed (copy.exe and host.exe), but what about the crud that is installed on a system *by* that trojan?  Hands-on experience has shown me that the crud downloaded and installed by such trojans after infection can be extremely difficult to detect and remove.

Detection of Perlovga has been available since July 2006 - two months before TomTom started distributing the trojan - so where was their antivirus protection?  How did this trojan get into their production environment?  Just as happened with Apple, who distributed an unknown number of iPods infected with the RavMonE virus, we are seeing the end result of a basic breakdown in quality control and antivirus protection.  It simply isn't good enough to distribute, between September and November, malware that has been detectable since July.

Well, at least they didn't try to blame Windows, unlike Apple:
http://msmvps.com/blogs/spywaresucks/archive/2006/10/18/184326.aspx

Posted by sandi with 1 comment(s)

Windows Vista - security updates available via Windows Update and WSUS

Microsoft have released a series of updates for Windows Vista, both x86 and x64 versions, including (finally) a phishing filter update for IE7 that speeds up Web surfing - the XP version of the phishing filter update was released a while back.

Here's what you will see in a corporate environment if you are using WSUS:


If updates have already been downloaded by your Vista system, or if Windows Update is otherwise active (installing or waiting for a reboot) you will see this icon in the system tray: 

Vista users can access Windows Update easily, by clicking on the Start button and typing Windows Update:

Windows Update will show you what updates are available and away you go - you can install the whole lot or pick and choose.  Unfortunately, Windows Vista may need a reboot after installation (I thought we weren't going to have to do that anymore?), and I recommend that you check for further updates after you reboot - my system detected 3 updates on the first run, and another 5 on the second run.  The reboot is a bit disconcerting the first time you see it: the system shuts down normally, then the blue/green loading screen comes up as per normal to let you know that the updates are being installed, but then, be warned, your screen may go black again when the system restarts a second time as part of the update installation.  It can be a bit scary to see the screen go black again - I actually thought something had gone wrong - but hang in there: if the power is still on and there is hard drive activity, things should be fine.  Be patient with lower resource systems.

When installation is finished you can View update history, which has a cool feature: if you double-click on any entry in Update History a new window will open, just like this one, that describes the update in detail:

Installed Updates window (see the failed ATI and Atheros updates? That's how the Ferrari 5000 was delivered to me - not too good, Acer)

Updates detail window

Windows Update:

Selecting updates:

Updates successfully installed:

Posted by sandi with no comments

Leo Stoller puts his hand into a hornet's nest again, but this time, the nest is owned by Google.

Back in June last year I wrote about how a Vexatious Litigant by the name of Leo Stoller had gone after Castlecops by claiming that he (Leo) owned the trademark "Castle":
http://msmvps.com/blogs/spywaresucks/archive/2006/06/28/103057.aspx

I later reported that the USPTO had finally run out of patience with Stoller:
http://msmvps.com/blogs/spywaresucks/archive/2006/07/23/105518.aspx

Stoller has now drawn the ire of no less than Google, by apparently claiming that he (Stoller) owns Federal registration of the Google trademark (and common-law rights) via the various corporate entities mentioned in the lawsuit.

Google alleges false advertising, RICO violations and unfair competition.

Google v. Central Mfg Inc., No. 07CV 385
http://www.roylance.com/Uploads/CentralMfgCo/Complaint%20FILED.pdf

Google's prayer to the Court for relief requests:

1) An injunction prohibiting the Defendants from engaging in further acts of false advertising, racketeering and unfair competition as to Google.

2) An order requiring the dissolution and/or reorganisation of the enterprise and requiring the divestment of any interest, whether direct or indirect, therein.

3) Three times the plaintiff's (Google's) damages and defendant's profits, together with reasonable attorney's fees and costs.

4) Three times the plaintiff's damages and costs of suit, including reasonable attorney's fees and costs.

5) Punitive damages sufficient to punish the Defendant and deter such misconduct in future.

6) Prejudgment interest, as appropriate.

7) Such other and further relief as the Court deems just and proper.

Commentaries on the lawsuit:

43(b)log
http://tushnet.blogspot.com/2007/01/google-v-stoller.html

The TTABlog
http://thettablog.blogspot.com/2007/01/google-sues-leo-stollers-companies-for.html

Stoller responds:
http://rentmark.blogspot.com/2007/01/google-inc-plans-to-sue-leo-stoller-in.html

So, what drew Stoller to Google's attention?  Stoller did it to himself.  Research reveals that back in 2006 Google applied to register the mark GOOGLE for "toys and sporting equipment, namely plastic exercise balls", and that this registration application led to Stoller filing an opposition, wherein he claimed to own the mark "Google" (Source: The TTABlog: http://thettablog.blogspot.com/2006/04/leo-stoller-opposes-google-application.html).  Surely Stoller did not honestly believe that Google would let such claims stand unchallenged.  The opposition was eventually dismissed with prejudice by Stoller's bankruptcy trustee.

Stoller also petitioned for the cancellation of the mark Google for search engine services - again Stoller's bankruptcy trustee withdrew and dismissed "with prejudice" the petition (Source: The TTABlog: http://thettablog.blogspot.com/2006/12/stoller-trustee-consents-to-dismissal.html).

As much as I dislike Stoller's activities, I have to ask: why the heck did Google apply to register the mark for "toys and sporting equipment, namely plastic exercise balls" in the first place?  Google don't manufacture sports equipment, and Google cannot expect to stop everybody from using the word "Google" in whatever context - especially now that Google is a transitive verb: http://www.m-w.com/dictionary/google  (WordNet (Princeton University) lists google as a noun *and* a verb - http://dictionary.reference.com/cite.html?qh=google&ia=wn)

How did Stoller become a bankrupt?  Well, in what ended up being another fantastic misjudgment on Stoller's part, Stoller himself started things by lodging a Chapter 13 voluntary petition for relief back in December 2005 whilst embroiled in a lawsuit with Pure Fishing (another of Stoller's trademark infringement lawsuits).  The Chapter 13 had the effect of staying the lawsuit against Pure Fishing, which Stoller was on the verge of losing in spectacular style.  In a Chapter 13, Stoller would have controlled the reorganisation of his debts and finances.

The Pure Fishing lawsuit was decided in Pure's favour in December 2006, with judgment being entered for the amazing sum of $969,751.81.

The Chapter 13 was converted to a Chapter 7 insolvency after Pure Fishing lodged a claim in Stoller's bankruptcy proceedings and requested the conversion to Chapter 7.  The Court agreed to the request and a trustee was immediately appointed to manage Stoller's estate.  By December 2006 the trustee not only had control of Stoller's bankrupt estate, he also had the ability to begin, maintain, terminate, or settle any pending proceeding that involves Stoller or any of his proprietorship entities AND Stoller's actions as sole shareholder of all corporate entities owned or controlled by Stoller - oops.

Why was Stoller's Chapter 13 converted to a Chapter 7?  For starters, it was because of bad faith on the part of Stoller - bad faith in this case being a lack of candor and a failure to maintain books and records; the fact that Stoller would be denied a discharge under Chapter 7 because of said failure; the fact that he transferred real property to his daughter just before starting the Chapter 13 proceedings and didn't declare that property; Stoller's failure to disclose the existence of unincorporated business entities he owns; and, ironically, because Stoller does not have a regular income and because converting to Chapter 7 is in the best interest of creditors.

Court documents record that Stoller, "who was actively engaged in business for many years lacked business books and records from which his financial condition and income could be ascertained so as to determine whether his Chapter 13 Plan for payments to the Chapter 13 Trustee was proposed in good faith. Second, [Stoller] deeded title in valuable real estate to a family member shortly before filing in bankruptcy and did so without apparent consideration. The circumstances of that property transfer raised serious questions as to whether it should or could be attacked as a fraud on creditors or otherwise, an issue that should be investigated by a Chapter 7 Trustee." (Source: http://www.ilnb.uscourts.gov/JudgeSchmetterer/Opinions/Stoller.pdf).

The Findings of Fact in the ilnb.uscourts.gov PDF make for interesting reading.

Information about Stoller with links to court documentation that was used for this article is available at Wikipedia:
http://en.wikipedia.org/wiki/Leo_Stoller

Posted by sandi with 9 comment(s)

Do you use CompuServe? Word is, you can't use Windows Vista if you want to use CompuServe software.

Source: http://billpstudios.blogspot.com/2007/01/upgrade-to-vista-lose-compuserve.html

What I want to know is, *why* won't CompuServe work with Vista?

Does anybody have instructions on how to connect to CompuServe without using CompuServe software?  I'd much prefer that a workaround be found, rather than users not install Vista if that is what they want to do - the security improvements are worth the effort.

Posted by sandi with 18 comment(s)

New KB article: IE6 and SharePoint

Message in the Information bar in IE7 when you browse to a Windows SharePoint Services 3.0 site or to a SharePoint Server 2007 site: "The Web site wants to run the following add-on: 'Name ActiveX Control' "
http://support.microsoft.com/kb/931509
Posted by sandi with no comments

Bushfire!!

Ah, the charms of living in Australia during the Summer, and a drought.

My son and I faced a bit of a challenge when we went to pick up my daughter from work this afternoon.  My son took some photos using my camera when we realised that this trip could get a little interesting...

Uh oh - this could be a problem:

Getting closer:

Somehow I don't think we're going to get to my daughter.... maybe we should plan an alternative route:

This was as close as we could get - the police have blocked off the road - excuse me but my daughter is on the other side of that thing!!

Posted by sandi with no comments

I've been quoted by The Register and spywaresucks is the 3rd most visited blog on msmvps.com

I found out today that my blog entry about the problems with HP Director and IE7 is currently the 3rd most commonly visited page at msmvps.com - amazing.  The only blogs visited more often are Chrisl and Coad.

My HP article is not only an often visited article, it also attracted more reader comments than any other article that I have written, and would have attracted even more if comments were not automatically barred after 60 days:
http://msmvps.com/blogs/spywaresucks/archive/2006/10/22/197647.aspx

I also found out today that I have been quoted by The Register:
http://www.theregister.co.uk/2007/01/27/myspace_scareware_myscare/

"I have said this many times, but I strongly recommend that MySpace be blocked on your networks," writes Sandi Hardmeier, a consultant under Microsoft's most valuable professional program, on her blog. "Don't let your kids go there. Don't let your employees go there. It simply isn't safe."

Pot, meet kettle, perhaps.

The blog entry they have taken the quote from is this one:
http://msmvps.com/blogs/spywaresucks/archive/2007/01/25/516895.aspx

Let's not forget that it was The Register, and Temerc, that first drew the MySpace problem to my attention.  Temerc has posted about the problem on dozens of forums, including his own:
http://temerc.com/phpBB2/viewtopic.php?p=3422711#3422711

I have now tweaked my home network so that I can access MySpace, while still preventing anybody else on the network from getting there, so that I can keep an eye on things.

Mike Burgess of MVP Hosts File fame, advised that MySpace adverts are served up from delb.myspace.com (216.178.33.60), which redirects to Right Media (ad.yieldmanager.com).  Whois Results for www.yieldmanager.com

I'll be honest - I still think it is time to go after Right Media; they are further up the distribution chain than MySpace, ActiveWin and the Messenger Plus! sponsor program, all of which I have personally seen being used as a conduit to get Winfixer aka Drivecleaner aka Errorsafe on to victims' computers.  The FTC went after Zango, and I can see no reason why they could not go after Right Media as well.

That being said, it is extremely important to keep the pressure on MySpace to clean up its act.  With its "119.5bn ad impressions in Q4" (source: The Register) (which I calculate to be 1,327,777,777.78 ad impressions per day, at 90 days per quarter) it presents a risk to potentially millions more people than the Messenger Plus! sponsor program ever did (the latest statistics posted by Patchou reveal that Messenger Plus! is being installed roughly 230,000 times per day and has 14 million active users) and, unlike CiD, MySpace doesn't have the option of editing its users' HOSTS file in an attempt to protect visitors from risk.

I am sure that, if they could be convinced to take such a step, a threat by MySpace to take their business elsewhere would be more than enough to encourage Right Media to clean up their act.  Add to that convincing Circle Distribution (CiD - the provider of the Messenger Plus! Sponsor Program) and other high volume clients to do the same thing, and negative press from the anti-spyware community, and we may just be able to make a difference.

www.yieldmanager.com redirects to https://my.yieldmanager.com/ which is a Right Media log-in page.

Posted by sandi with 10 comment(s)

The heat is off Firefox - Opera has a far greater percentage of unpatched installations according to Secunia

99.85% for Opera 8.x, 80.41% for Opera 7.x and 13.66% for Opera 9.x

See the news pane to the left of screen for the latest statistics.

Posted by sandi with 5 comment(s)

Playing with IE7 add-ons

I've been having a look at IE7 add-ins to use on my x64 Vista based system over the past few days.  So far I've had a look at 3, all of which are available at http://www.enhanceie.com/, being Find As You Type, Feeds Plus and Feed Folder.

Feeds Plus has a competitor which has been around since 27 December 2006 called msfeedicon.  I'll be having a look at that very soon and I suspect, going on what I can see on the developer's blog, that it may end up my preferred choice for beefing up RSS in IE7.

You can find the latest version of msfeedicon here - now at build 2.1:
http://www.wictorwilen.se/Post/msfeedicon-version-21-released.aspx 

Version 2.0 - those using Vista may need to install this version if UAC causes a problem:
http://www.wictorwilen.se/Post/Announcing-msfeedicon-version-20.aspx

Remember, I am using Windows Vista on an x64 based system - problems that I see may not occur for you.

Find As You Type
This is a toolbar for IE and works by hooking Ctrl+F in Internet Explorer.

The advantages that I can see are that:

1) It works like the Microsoft Word Wheel, jumping through the web page to the first match as you type more characters
2) There are audio cues when you type a character combination that does not appear on the page

The primary disadvantage is that when we press Ctrl+F the previous Find entry is not highlighted for easy deleting.

Decision: This is a keeper for now.

Feed Folder
This add-on adds your RSS feeds to your Favorites list.

Strike 1 against Feed Folder:  I don't use the Menu Bar within IE7, therefore the only place that Feed Folder would be of any use is in the Favorites Pane, but that did not work at all well.

Strike 2 against Feed Folder:  Feed Folder crashed and displayed an "unspecified error" dialogue box if I tried to open an RSS group in the same way as I would open a Favorites Group, by clicking on the group arrow to display one feed in each window - according to Event Viewer, ole32.dll was involved.


The blue arrow that crashes Feed Folder

Strike 3 against Feed Folder:  I was not happy to discover that when Feed Folder is installed, the RSS pane in IE7's Favorite Centre appeared empty, meaning that if I left Feed Folder installed I would only be able to access my feeds using that add-on.  As soon as I uninstalled Feed Folder the RSS Feed Pane worked properly again. 

Decision:  Sorry, but if an add-on tries to enforce a "my way or the highway" situation, that add-on will be removed.  Feed Folder lasted only 5 minutes on my system.

Feeds Plus
Ok, this was a little more successful.

Documentation for Feeds Plus is sparse, and it displays several different icons in the system tray, but we have to guess what those icons are for.


This one appears when Feeds Plus is working, for example when updating Aggregate folders


I am not sure what this one with the gleam is; I thought it was to indicate a new feed, or new content in a feed, but it has only appeared once, when Feeds Plus was first installed.


The default icon, which is there all the jolly time.

Strike 1 against Feeds Plus: It is constantly marking feeds as having an unread article which turns out to be days, or weeks old - very irritating.

Strike 2 against Feeds Plus: Feeds Plus is meant to display an Outlook style notification whenever new feed content is available but on my system this notification only appears when my laptop is first turned on.  There is no sign of the notifications for the rest of the day.

Feeds Plus takes a little getting used to.  It adds a new feed entry, "* All %foldername% Items", to every folder, and a Feed called "* All items" that captures the content for all subscribed feeds.  To review the content of each folder in Aggregate view, simply click on the "All %foldername% Items" entry for that folder.  But, be warned, if you leave the aggregate view before reviewing all new content, and switch to another folder, and if IE7 is set to automatically mark a feed as read when viewed, all feeds in that folder will be marked as read at the same time.  Also, if you click on the All %foldername% Items a second time, all items will be marked as read.  All feeds in a folder will also be marked as read if you click on a hyperlink in an RSS article when using aggregate view.


We seem to have found a bug - see how the aggregate entry, "All Internet Security Items", is not bolded? It should be because, as we can see, one of the Secunia entries has unread content.

Feeds Plus has only three option windows - screenshots below:

Decision: Feeds Plus can stay, for now, but I suspect it will be replaced by msfeedicon. 

Posted by sandi with 1 comment(s)

Secunia reports that 37.16% of all scanned Mozilla Firefox 1.x installations are insecure

Check out the Secunia stats to left of screen in my News pane.

37.16% is an extremely high percentage of vulnerable computers.  Compare that to 2.59% of all IE7 installations, 9.32% of all IE6.x installations and 4.68% of all Firefox 2.0.x installations.

The most likely cause of the extremely high FF 1.x percentage is the fact that FF did not have an auto-update mechanism until version 1.5.

It's great to see that IE7 has the lowest percentage of the lot despite being the most commonly scanned Web browser.

Posted by sandi with no comments

Myspace serving up Winfixer aka Drivecleaner aka Errorsafe

I have written about Winfixer a lot on this site.  Patchou and Messenger Plus! have felt a lot of heat from me because of the Sponsor Program pimping Winfixer - CiD ended up editing MP! users' HOSTS file to block it.  Activewin.com have also been criticised by me, several times, for allowing Winfixer advertisements to appear on their site.

Now MySpace have been accused of serving up Winfixer advertisements.  I have not seen it myself, because MySpace is blocked on all networks for which I am responsible, because of the many other risks that their users and visitors have been exposed to, so this exposé is coming via The Register and Temerc, an anti-spyware crusader, who let us know by email of the article.

The Register article can be found here:
http://www.theregister.co.uk/2007/01/24/myspace_accusation/

I have said this many times, but I strongly recommend that MySpace be blocked on your networks.  Don't let your kids go there. Don't let your employees go there. It simply isn't safe.

MySpace cannot ignore this problem, or stonewall and hope it will go away - it won't - and the antispyware community are not inclined to let such problems be swept under the carpet or forgotten.  I certainly don't.

The MySpace advertisements are being sourced from Right Media, the same provider that CiD uses to source advertisements for the Messenger Plus! sponsor program.  Methinks it's time to start putting some heat on Right Media as well as on the primary source of the problem.

The more publicity this problem gets, the better.  I may adjust my network controls to allow me to access MySpace so that I can monitor this situation and join the antispyware community in bringing the same pressure to bear on MySpace as has been put on other sites and software purveyors in the past.

Posted by sandi with 3 comment(s)

Lots of people are going to love this Vista feature - Restore Previous Versions.

Have you ever accidentally deleted a file?  Or overwritten a file accidentally and wanted the old version back?

Larry Osterman discovered Windows Vista's Restore Previous Versions feature and shares the joy:
http://blogs.msdn.com/larryosterman/archive/2007/01/23/how-the-magic-of-windows-vista-saved-38g-of-my-data.aspx

See, there's more to Vista than IE7, improved security, some eye candy and high spec hardware requirements.

Posted by sandi with no comments

McAfee kills Lotus Notes - McAfee says turn off virus scanning - huh?

Affected McAfee product is VirusScan Enterprise v 8.5i.  Affected Lotus Notes Clients are R6 and R7. 

It turns out that a November update of McAfee is crippling Lotus Notes.  IBM and McAfee have both released an advisory. IBM's advisory says:

"While working in Lotus Notes mail for some period of time, typically an hour or two, upon opening or deleting a message, the following error appears: 'You are not authorized to perform that operation.'"

McAfee says to disable "scan all server databases" and "scan server mailboxes", or to disable the McAfee Notes Scanner statements in Notes.ini, or to uninstall VirusScan Enterprise 8.5i and revert to the older VirusScan Enterprise 8.0i.

IBM says to "completely disable the anti-virus software or to change the Notes Scanner settings to disable: 'Scan all server databases' and 'Scan server mailboxes'".

The primary role of antivirus is to protect users from viruses being sent via email.  An antivirus product that cannot be used to scan emails is as useful as *** on a bull, and turning off mailbox scanning is simply not an acceptable option.  This leaves McAfee's victims with only one alternative - roll back to the older version of Enterprise.

IBM documentation:
http://www-1.ibm.com/support/docview.wss?rs=475&context=SSKTWP&dc=DB520&uid=swg21252429&loc=en_US&cs=UTF-8&lang=en&rss=ct475lotus

McAfee documentation:
http://knowledge.mcafee.com/article/573/7227825_f.SAL_Public.html

Posted by sandi with 1 comment(s)

Neowin web site compromised - visitors at risk from malware infection via iframe attack

If you have visited Neowin over the past couple of days, and are running IE6 or earlier without antivirus or antispyware protection, or if your antivirus or antispyware protection is out of date, or you are running your Web browser (any version) with lowered security settings, I strongly advise that you check your system for possible infection by malware.

I was surprised to see an email a short while ago on a private anti-spyware mailing list from Mike Burgess of MVP HOSTS FILE fame asking if anybody on the list had direct contacts at Neowin.net, because he had discovered that the Neowin site had been hacked and an iframe exploit embedded in Neowin pages that tried to infect visitors with a new Java byte-verify and/or general Java trojan downloader.

Here is what Mike saw when he visited the forum index page that was his first warning that something was amiss:
http://mvps.org/winhelp2002/blog/remote-data.gif

Further investigation revealed that an iframe had been inserted in the page that was redirecting to encoded javascript.
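As an added example (not code from the original post, Neowin, or Mike Burgess), the following Python script checks a fetched page for the two indicators described above: an iframe that is hidden, zero-size or points at a foreign host, and an inline script that decodes a long run of %XX or \xHH escapes through unescape/eval/document.write. The sample HTML, the host names and the escape-count threshold are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Escape sequences typical of an "encoded javascript" payload, and the calls used to decode/run it.
ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}")
DECODER_CALL = re.compile(r"\b(unescape|eval|document\.write)\s*\(", re.IGNORECASE)
MIN_ESCAPES = 8  # assumed threshold; tune against pages you know are clean


def _dim(value):
    """Parse a width/height attribute such as '0' or '1px'; None if absent or non-numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class InjectionScanner(HTMLParser):
    """Collects indicators of an injected iframe or an obfuscated inline script."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host          # host the page itself was fetched from
        self.findings = []                  # list of {"kind", "target", "reasons"}
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser already lower-cases attribute names
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._in_script = True
            self._script_buf = []
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            if host and host != self.page_host:
                self.findings.append({"kind": "foreign-script", "target": a["src"],
                                      "reasons": ["foreign-host"]})

    def handle_data(self, data):
        # <script> content is delivered as raw CDATA, so we can inspect the source text.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            if len(ESCAPE.findall(body)) >= MIN_ESCAPES and DECODER_CALL.search(body):
                self.findings.append({"kind": "encoded-inline-script", "target": body[:60],
                                      "reasons": ["escaped-payload"]})

    def _check_iframe(self, a):
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if any(d is not None and d <= 1 for d in (_dim(a.get("width")), _dim(a.get("height")))):
            reasons.append("tiny")
        if host and host != self.page_host:
            reasons.append("foreign-host")   # legitimate embeds trigger this too; treat as low severity
        if reasons:
            self.findings.append({"kind": "suspicious-iframe", "target": src, "reasons": reasons})


def scan_page(html, page_url):
    """Return the findings for one page, given its HTML text and the URL it was fetched from."""
    scanner = InjectionScanner((urlparse(page_url).hostname or "").lower())
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a forum index with one legitimate same-site iframe, one injected hidden
# iframe pointing off-site, and one inline script that document.write()s an escaped <script> tag.
SAMPLE_PAGE = """<html><body>
<h1>Forum index</h1>
<iframe src="http://forum.example.net/stats.html" width="300" height="150"></iframe>
<iframe src="http://ads.example.org/x.php" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fexample.org%2Fa.js%22%3E%3C%2Fscript%3E'));</script>
<script src="http://forum.example.net/js/common.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, "http://forum.example.net/index.php"):
        print(finding)
```

Run against a saved copy of each page in a site's default theme (the threads above suggest the injection was theme-specific) and diff the findings between crawls; a new "hidden"/"tiny" iframe or an escaped inline payload appearing where there was none is the signal worth paging someone about.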

I couldn't reproduce the problem at the time of writing this article, so hopefully the site has been cleaned up, but I did find a couple of discussion threads confirming Mike's findings - that pages at Neowin had been compromised and attempts were being made to infect visitors' machines using an iframe:

Neowin Trojan?
http://www.neowin.net/forum/index.php?showtopic=532189

FAO Moderators - Virus warning
http://www.neowin.net/forum/index.php?showtopic=531918

From what I can see in the threads discussing the problem, the hacking may have been restricted to pages displayed using the default blue theme, and it was there for quite a few hours.

When I popped over to Neowin to check out the current situation and to see if I should try and get a hold of the guys behind the forum, there were nearly 1600 visitors currently viewing the site - I shudder to think how many visitors passed through the site while it was a danger.  And yes, after reading through the threads above, it was obvious that the forum owners and moderators knew of the hacking and were fighting it.

We have no way of knowing how many users were potentially exposed to malware, or how many systems were infected, and Neowin is certainly not the first site to be compromised, nor will it be the last.  It wasn't that long ago we had a site shut down because the site owners did not act fast enough to clean up their network (http://msmvps.com/blogs/spywaresucks/archive/2006/10/22/196321.aspx).

My personal belief is that when a Web site hacking is discovered and visitors have been at risk of infection, the site should be taken down immediately; after the site has been cleaned up and allowed back on the air, an alert should be posted on all entry pages to that site, warning about what has happened and advising users to have their systems checked for infection.  This is because victims are no longer facing just the embarrassment of their PC sending out "please open this attachment" viruses to everybody in their address book - the stakes are far higher.

Just some of the end results for infected systems: they can be hijacked and used to send hundreds of thousands of spam messages, they can be added to botnets and used for internet based attacks, and personal, private and financially sensitive information can be put at risk.  If the computer you are using is in a work environment, or you are around kids, I have just two words for you - "Julie Amero".  If the bad guys get into your system thanks to malware and use it to store p0rn, upload a p0rn site on to it, distribute porn or other illegal content, or infect even more systems, and you find yourself faced with a visit from the local police force, you will be in a hell of a lot of trouble.  The same applies if your system is compromised and used as a phishing host, or a mule site host.

So, in short, if you know your site has been hacked, please do all you can to warn all visitors to the site. Yes, it is embarrassing, but a short term embarrassment is far better than leaving your visitors to discover for themselves that they have been infected.

The problem of hacked Web sites is becoming so widespread that strong action is required when infection is discovered.  The owners must act fast, and if not the owners, the ISPs that host the sites.  Sadly, though, some site owners and ISPs are not responsive when told of problems, and some now say that a "name and shame" campaign along the lines of "do not go to these Web sites because they have been hacked" and "do not go to sites hosted by this ISP because they refuse to assist with cleanups when hacked sites they host are reported" is needed.

Remember, it is no longer enough to say "I never go to p0rn or warez sites, and I never download freeware, therefore I am safe".  You are no longer safe if you stick to "safe" sites.  We all believed Neowin was a safe site, yes? We all believed sites owned by Circuit City, HP, Asus, spreadfirefox, msblog and debian, and sites owned by Capital City Bank, Wakulla Bank and Premier Bank, were safe, and that the Google Video email group and MySpace were safe (well, maybe not MySpace).  All of them have put visitors at risk, whether from hacked pages with hostile code injected, from downloads infected with viruses, or by hiding the fact of a security incident behind a veil of secrecy, making it impossible for visitors to judge what risk they may or may not have been exposed to.  It is better to acknowledge a security incident, reassure your visitors and let *them* decide what checks they want to make than to try to hide the fact that an incident occurred - keep people in the dark and they're gonna assume the worst.

You can never be sure that a site you are visiting is "safe".  Therefore, please: if you are using IE, upgrade to IE7 if possible.  If you are using Firefox, Opera or any other browser of choice, check for security patches and install the latest version of your browser.  And if you have been to Neowin in the past day or so, check your system carefully for signs of infection.

Posted by sandi with 3 comment(s)

Fallacy busting - the magical morphing x64...

I gifted a copy of Windows Vista x86 to a family member the other day.  Today that family member was on the phone to me saying that his computer technician had told him that he has an x64 computer because the computer has "two 32 bit dual core processors".

First, x86 Vista will not magically morph into x64 Vista if you install it on an x64 machine.

Second, if you have two 32-bit processors in your computer this does NOT mean that you have a 64-bit machine.

<sigh>

Posted by sandi with 1 comment(s)

Mystery solved: Why is the Internet Explorer folder in Event Viewer always empty (IE7)?

This is because Application Compatibility Logging is not enabled on your machine.  This is completely normal because, by default, IE7 does not enable Application Compatibility Logging.

You can enable Application Compatibility Logging to have a look at what happens by editing the Registry as follows:

The relevant registry key will look like this:


IE will warn you the first time it is started after Application Compatibility Logging is enabled by displaying the following alert:


In addition, there will be a new icon on your status bar as follows:



When I enabled Application Compatibility Logging the Internet Explorer folder in Event Viewer immediately started filling with data - please do not try to repair IE7 because of the 1037 errors - as far as I know they are NORMAL, because Application Compatibility Logging is not meant to be turned on via the registry without the Application Compatibility Toolkit also being installed.

Posted by sandi with 8 comment(s)