iPhone madness: This hot phone now sold through malware

This morning, Sunbelt researchers discovered a new custom Trojan that attempts to steal money by selling a fake iPhone. This Trojan looks custom-built and has very poor coverage by AV vendors (report here).

The malware produces a popup, triggered by going to yahoo.com or google.com. There are multiple types of popups, including one saying “supported by Google” and one “supported by Yahoo”.

[Screenshot: popup marked "supported by Google"]

[Screenshot: popup marked "supported by Yahoo"]

So, normally, when you go to iPhone.com, you get redirected to Apple’s site — http://www.apple.com/iphone/

However, on this infected system, you are sent instead to a custom “iphone.com”, which is a fake site.

[Screenshot: the fake iphone.com site]

The Trojan pulls the popup content from a file it has written to the local disk, at %system%\confg.xml.

The Trojan also registers a BHO (Browser Helper Object), which shows up as:

BHO: H – {AA7F2000-EA05-489d-900C-3C7C0A5497A3} – C:\WINDOWS\system32\rwera21s1.dll

A BHO is a DLL that Internet Explorer loads into its own process, so it can rewrite page content and what the browser shows you. This one is used to make it appear as if you are on a website owned by Apple. Banking trojans use the same technique to alter online banking pages.
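A quick way to check a machine for this kind of hijack, as an added example written for this page (it is not code from the original post or from Sunbelt): it walks the BHO registration keys, follows each CLSID to the DLL Internet Explorer will load, flags anything unsigned or missing, and then looks for the two artifacts the post names. The CLSID and the confg.xml file name come from the post; reading the post’s “%system%” as %SystemRoot%\system32, the “unsigned means suspicious” rule and the function names are this example’s own assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the original post or from Sunbelt.
function Get-BrowserHelperObject {
    # Native and 32-bit-on-64-bit (Wow6432Node) registration points for IE BHOs.
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $clsidRoots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    )
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($entry in (Get-ChildItem $root)) {
            $clsid = $entry.PSChildName
            # IE resolves the CLSID through InprocServer32; its default value is the
            # DLL that gets loaded into every IE process.
            $dll = $null
            foreach ($cr in $clsidRoots) {
                $server = Join-Path $cr "$clsid\InprocServer32"
                if (Test-Path $server) { $dll = (Get-Item $server).GetValue(''); break }
            }
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }
            $exists = [bool]$dll -and (Test-Path -LiteralPath $dll)
            $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status.ToString() } else { 'Missing' }
            New-Object PSObject -Property @{
                CLSID      = $clsid
                Path       = $dll
                Signature  = $status
                # Assumption for this example: anything not carrying a valid Authenticode
                # signature deserves a closer look. That is what rwera21s1.dll looked like.
                Suspicious = ($status -ne 'Valid')
            }
        }
    }
}

function Test-FakeIphoneTrojanIndicator {
    # The two artifacts named in the post. "%system%" is read here as
    # %SystemRoot%\system32 (an assumption).
    $clsid = '{AA7F2000-EA05-489d-900C-3C7C0A5497A3}'
    $cfg   = Join-Path $env:SystemRoot 'system32\confg.xml'
    $hits  = @()
    $bho = @(Get-BrowserHelperObject | Where-Object { $_.CLSID -ieq $clsid })
    if ($bho.Count -gt 0) { $hits += "BHO $clsid is registered and loads $($bho[0].Path)" }
    if (Test-Path -LiteralPath $cfg) { $hits += "Trojan config file present: $cfg" }
    return $hits
}

Get-BrowserHelperObject | Where-Object { $_.Suspicious } | Format-Table CLSID, Signature, Path -AutoSize
Test-FakeIphoneTrojanIndicator
```

A valid signature does not clear a BHO, and a missing signature does not convict one, but an unsigned DLL with a random-looking name sitting in system32 and registered to load into every browser process is the classic picture, and the CLSID/file pair is the cheapest check for this particular sample.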

The site is being hosted on HOSTFRESH, which is a hotbed of malicious activity.

So if we were to go ahead and place an order, we would see this:

[Screenshots: order form and checkout pages on the fake site]

Our order status is pending and now we have to send payment via Western Union or Moneygram, to a fellow in Latvia.

[Screenshots: “pending” order status and Western Union/Moneygram payment instructions]

So there you have it: a trojan that spawns a fake popup for an iPhone, using a BHO to redirect you to a fake iPhone.com. If you order this phone, you’ll assuredly be contributing to lining the malware author’s pockets, and you can forget about getting your iPhone.

Alex Eckelberry
(Credit to Sunbelt researcher Adam Thomas)



Comscore

Comscore has been a subject of some controversy in the past. And apparently, despite being flush from a successful IPO, the controversy continues.

Today, Ben Edelman released a short piece called, “Comscore doesn’t always get consent”:

At least as serious are ComScore’s installation practices. ComScore pays independent distributors to install ComScore software onto users’ computers. Predictably, some of these distributors install ComScore software without getting user consent.

Using independent distributors to get downloads is a recipe for disaster. We ourselves (as Ben mentions in his article) have just recently documented a non-consensual install of Relevant Knowledge.

Alex Eckelberry

Version 2.5 of CounterSpy Now Available

We released CounterSpy version 2.5 today. It delivers several new features, including improved real-time protection performance, 64-bit support for Windows Vista, and architecture enhancements to CounterSpy’s VIPRE™ technology that provide powerful protection against the ever-changing landscape of today’s spyware and malware threats.

Improved Active Protection™ performance
CounterSpy’s Active Protection has been improved to deliver better overall system performance while continuing to provide robust real-time protection for users’ PCs. Several performance-tuning programming techniques have been implemented to reduce Active Protection’s already low system resource requirements.

Support for Windows Vista 64-bit
CounterSpy, which already supported 32-bit Windows Vista, now fully supports the 64-bit versions as well. CounterSpy also supports both 32-bit and 64-bit versions of Windows Server 2003 SP1 and higher.

Architecture enhancements to VIPRE technology
CounterSpy’s hybrid engine merges spyware detection and remediation with Sunbelt’s VIPRE technology (Virus Intrusion Protection Remediation Engine). Because VIPRE incorporates both traditional antivirus and antimalware techniques, enhancements have been made to CounterSpy’s underlying architecture that will enable advanced delivery of software and definition updates.

The upgrade to CounterSpy version 2.5 is free to all existing customers of CounterSpy who have a current subscription plan.

CounterSpy Competitive Upgrade Offer Extended through July 4th

Due to overwhelming response, Sunbelt has extended its competitive upgrade offer to CounterSpy.

The CounterSpy competitive upgrade is available for $9.95 and includes all of the features, toll-free support, and updates of a standard subscription. To benefit from this competitive upgrade pricing, simply visit our website and complete a short form or call toll free at 1-800-336-3166.

Just one more reason why Web 2.0 is such a pain

No big surprise here, but a little side story: I have a couple of MySpace accounts, which don’t have any activity. One I set up a few weeks ago. Of course, I started getting “friend invites”.

One was from “Gianna”:

[Screenshots: the “Gianna” friend invite and profile page]

Of course, clicking on “My personal pictures and video” gets you redirected to Adult Friend Finder, a hotbed of naughty images. No surprise: Adult Friend Finder is infamous for being marketed by rather dubious means.

[Screenshot: Adult Friend Finder landing page]

It’s also worth noting that Adult Friend Finder popups have also been seen served by spyware. In other words, this crap is everywhere.

Alex Eckelberry

Sunbelt Weekly TechTips #50: Configuration and Troubleshooting

Can’t install XP after creating partitions with Vista
If you use Windows Vista or the Windows Preinstallation Environment (PE) 2.0 to partition your hard disk, you might find that you aren’t able to successfully install Windows XP. Even though the text mode part of Setup completes, the computer won’t reboot to go into the graphical part of Setup. What’s up with that? It happens only on certain computers that have a particular type of BIOS, but luckily there are a couple of workarounds for the problem. For instructions on how to use them, see KB article 931760.

Can’t switch between displays on XP laptop
You can normally switch from the internal display on your laptop computer to an external monitor by pressing a key combination. However, you might find that sometimes when you attempt to switch soon after you’ve connected the external display, it doesn’t work. That’s because of a bug in the video port driver, but there’s a hot fix to resolve the problem. It should only be applied to systems that are having this particular problem, and you have to call Microsoft Customer Support Services to get it. For more info, see KB article 937930.

You get an error message when you try to validate XP
You have a legal copy of Windows XP and you need to validate it (for instance, in order to get updates) but when you try to do so, you get an error message that says “0x80080201 Cannot detect product ID (PID).” The problem is that Windows Genuine Advantage isn’t able to access the PID for some reason. The fix depends on the cause of the problem, and there are several possible causes. They’re all addressed, along with their resolutions, in KB article 938720.

Deb Shinder

Sunbelt Weekly TechTips #50: How To’s

How to fix font display problem in Safari for Windows
If you installed Safari and discovered that fonts on the menu bar, menus and some web pages display as random characters and numbers, making the browser unusable, there’s good news: there’s a pretty easy fix. The problem is apparently caused by a conflict between the Lucida Grande font that comes with Safari’s installation program and the same font on your Windows system. Here’s what to do about it:

  1. Navigate in Windows Explorer to the Safari installation folder, which is typically Program Files\Safari.
  2. Double click the folder named Safari.resources.
  3. Find the two font files named Lucida Grande Bold.ttf and Lucida Grande.ttf.
  4. Rename the files with a different file extension (or you can just delete them).

This may fix the problem, but if it doesn’t, there’s another, more complicated fix you can try: editing the fonts.plist file. You’ll find instructions here.

And if you have a problem with no fonts showing up at all, the problem may be that you don’t have the Lucida Grande fonts. You can download them from the link on this page. You’ll also find another font fix there. (Thanks to Blake A. for this tip.)

Can’t start Vista after installing XP
QUESTION:
Okay, looks like I really messed up. I got a new Vista computer but I wanted to be able to run XP some of the time, because I have a couple of applications that wouldn’t run in Vista. So I thought I’d be clever, since I have lots of disk space, and just install XP to dual boot with Vista. But after I installed XP, I could boot into XP but not Vista. Now I didn’t intend to get rid of Vista altogether. Is there hope or do I have to start all over to get Vista back? – Dennis L.

ANSWER: It always goes a lot more smoothly if you install operating systems for a multi-boot configuration in chronological order, with the earliest installed first. Unfortunately, you couldn’t do that because Vista was already on the machine. Vista uses a new startup method: its boot manager (bootmgr) reads boot information from a Boot Configuration Data (BCD) store, and it doesn’t use boot.ini, the file that XP’s loader (NTLDR) reads. When you installed XP, XP Setup overwrote the Vista boot code in the Master Boot Record and the partition boot sector with its own, so the machine now starts NTLDR, which knows nothing about Vista.

But all is not lost. You can restore the Vista MBR and boot code from the Vista installation DVD. When you do that, you’ll be able to boot into Vista, but not XP. However, you can restore that ability by creating a new entry in the BCD store that points to XP’s boot loader. Then you’ll be able to choose the OS you want from a boot menu at startup. You can find Microsoft’s step-by-step instructions for both processes here. Happy dual booting!
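Here are the commands behind those two steps, as an added example that is not part of the column (the column links to Microsoft’s instructions instead). It assumes a plain setup: XP Setup put ntldr, ntdetect.com and boot.ini on the original system partition, C:, and you want a 10-second menu; change the device and description if yours differs. Step 1 runs from the Command Prompt in the Vista DVD’s repair environment; step 2 runs from an elevated prompt after Vista boots again.

```powershell
# Added example, not the column's own instructions.

# Step 1: from the Vista DVD, choose Repair your computer, then Command Prompt,
# and put Vista's boot code back. /fixmbr rewrites the MBR boot code (the
# partition table is left alone); /fixboot rewrites the system partition's boot
# sector so it loads bootmgr instead of XP's ntldr.
bootrec /fixmbr
bootrec /fixboot

# Step 2: once Vista boots, from an elevated prompt, add an NTLDR entry to the
# BCD store. {ntldr} is a well-known identifier; PowerShell would parse the
# braces as a script block, so quote it (at cmd.exe the quotes are not needed).
# Assumption: XP's boot files (ntldr, ntdetect.com, boot.ini) are on C:, the
# active system partition, which is where XP Setup normally puts them.
bcdedit /create '{ntldr}' /d "Windows XP"
bcdedit /set '{ntldr}' device partition=C:
bcdedit /set '{ntldr}' path \ntldr
bcdedit /displayorder '{ntldr}' /addlast
bcdedit /timeout 10

# Check the result: the Vista loader entry and the new "Windows XP" entry
# should both be listed.
bcdedit /enum
```

The {ntldr} entry chains to XP’s own loader, which still reads the boot.ini that XP Setup wrote, so nothing on the XP side has to change; the BCD entry only tells bootmgr where to find ntldr.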

Deb Shinder

Sunbelt Weekly TechTips #50: News, Hints, Tips, Tricks & Tweaks

Virtual Vista: No, then yes, then no again
Virtual Machine (VM) software has exploded in popularity over the last several years. VMs allow you to run operating systems within an application on your desktop, on top of your “real” (host) OS. With VM technology, you can, for instance, run XP as your primary operating system and install Vista in a VM to try it out or to run Vista-only software without having to reboot to it. Those of us who write about new operating systems use VMs all the time. I can have my highly customized Vista desktop just the way I want it, and have another instance of Vista installed in a VM that’s configured with all the default settings for capturing screenshots for books and articles that require that.

Looks like nobody will be writing much about Vista Home editions, though. Most tech writers are likely to run the Business or Ultimate editions as their primary operating systems, but under the Vista license we aren’t allowed to run Home Basic or Premium in a VM. For a while, it looked as if Microsoft was going to change this, but then they did an about-face and announced last week they were sticking with the restrictions. That made a lot of people – not just tech writers – unhappy. You can read more about it here.

Which Desktop Search Engine works best?
The battle of the desktop search engines is playing out not just on users’ desktops, but now in the legal system as well. Google has filed complaints alleging that because Vista’s desktop search can’t be turned off, users who install Google’s competing product experience performance slowdowns. For the real story on that, see George Ou’s blog post of June 11th.

Meanwhile, both search systems have outspoken advocates, while other similar products such as Copernic also have their fan clubs. Search is a big issue with today’s computers holding hundreds of gigabytes of information. Being able to find what you want when you want it is crucial. Tell us what search methods or products you prefer.

Waiting on Vista Service Pack 1?
I’ve heard a number of people say that they were waiting to install Vista until after Service Pack 1 is released. Some of them make that a policy with each new operating system, preferring to let us early adopters find all the bugs and get them worked out before they take the plunge. If you’re one of those who’s waiting on SP1, there are some indications that a beta version might be available before the end of the year. You can read more about service pack speculation here.

BitLocker helps protect your laptop
Portable PCs have special security risks and needs. They’re subject to the same threats from the Internet as a desktop computer, but in addition there’s an increased chance of a laptop being lost or stolen – and then what happens if you have sensitive data? If it’s a work computer and you’re part of a regulated industry and you have confidential client data on there, you could be in big trouble. Of course, you can always use EFS file encryption to protect certain documents in XP, but with some versions of Vista you have an added layer of protection: BitLocker full drive encryption. It’s only in Enterprise and Ultimate editions, but if you have it, the whole system volume is encrypted and the key is held by the computer’s TPM chip (or on a USB startup key), so a thief can’t boot into the OS or read the disk from another machine. BitLocker can also be used on desktop computers that are vulnerable to unauthorized physical access. Read more about it here.

Deb Shinder, MVP

Online Education: No More Teachers’ Dirty Looks

Pencils and books may not yet be obsolete, but it’s becoming increasingly easy to get a college education without ever having to go face to face with an instructor or set foot in a classroom. “Distance learning” is becoming a popular alternative for those who don’t have the time or inclination to take traditional classes, and a quick web search will turn up thousands of online educational programs.

Online courses have augmented or replaced old-time correspondence courses with a vengeance. Once the province of specialized schools, online learning is now part of the course offerings at a huge number of respected colleges and major universities. Even Harvard and other Ivy League schools have online extension schools, and schools such as the University of Phoenix make it possible to complete an entire degree program online.

There are lots of advantages to getting an education online, but there are disadvantages too. Online learning is great for those who need to work and go to school at the same time, because you can often do the work on your own schedule and at your own pace. This route is particularly popular with people whose jobs require that they work odd hours. For example, with many law enforcement agencies now requiring college hours or degrees for hiring or promotions, many police officers are studying criminal justice at home via computer in their free time instead of trying to fit rigidly scheduled classroom time into their rotating work schedules.

And it’s not just degree programs that can be done this way. Mandatory continuing education training for various professionals – cops, lawyers, accountants, etc. – are also becoming available over the Internet, sponsored or approved by state licensing agencies.

Moms can stay home with their children and at the same time, further their educations in preparation for going back to work when the kids are in school. Dads can work on their MBAs after hours without being away from home every night. Recent high school grads who can’t afford to be full time college students can still get a head start and earn credits while holding down a full time job and saving money to attend classroom instruction in their upperclass years.

Those who swear by this new way of getting an education say the benefits far outweigh any drawbacks. In addition to saving you the time it takes to drive to and from classes and the cost of gasoline or public transportation to get there, it also frees you from having to dress up for school (thus indirectly saving more time, as well as money). With more flexibility about when and where you study, you may be able to concentrate more on your studies and get better grades than you would in a classroom environment. There’s less competition with classmates and more focus on your own individual progress. There’s also less of a chance that classroom politics or personality conflicts with instructors will become a factor, although it can still happen. Online courses may also be less expensive, tuition-wise, than their classroom counterparts (although this isn’t always the case).

Okay, so it sounds as if online learning is the wave of the future. What’s not to like? Like any life choice, though, it has its down side. Learning online isn’t for everybody. Some people seem to need the structure of the classroom, peer pressure and close oversight by instructors to motivate them to succeed in their studies. Any type of self-paced program requires more self discipline and gives the student more responsibility – it’s easy to sit at the computer and goof off instead of doing your work. If you’re easily distracted by the temptation to surf the web, read your personal email, send IMs to your friends and play computer games, online learning may not work as well for you.

Some folks also worry that going to school online doesn’t give you the social interaction and experience in dealing with people that you get in a classroom, and thus doesn’t prepare you as well for the work world – although, with more and more people telecommuting, that argument is becoming less valid. But for all these reasons, online learning may be more appropriate for older students, whereas younger people right out of high school may benefit more from attending traditional educational institutions.

On the other hand, with the sophisticated software available to schools today, virtual classrooms can emulate many of the characteristics of physical classrooms and, in fact, in some cases you may actually get more interaction with the instructor than you would on campus.

Tell us what you think. Would you take – or have you taken – courses online? Do you get as much out of them as you would in a traditional classroom? Would you want your kids to go to college online instead of on campus? Do you think online learning is superior, inferior or just different?

Deb Shinder

A new fake codec and a new rogue antispyware app

New malware: DVDacess, a fake Zlob codec, and VirusHeal, a clone of the rogue security product SpyHeal.

[Screenshot: DVDacess fake codec]

[Screenshot: VirusHeal]

URLs:

virusheal(dot)com
inc-codec(dot)com

Obviously, installing either of these programs on a system is a bad idea. And for those people who find out about fake codecs by googling my site, it goes without saying that you should not install fake codecs. All sorts of very bad things will happen, like rootkits, trojans and the like.

Alex Eckelberry
(Credit to Bharath)

I think this needs clarification: YouTube spawning malware?

Over the past several months, we’ve seen several alarming stories of trojans being loaded from YouTube videos, like this one that came out today:

Within the past week, cybercriminals have hidden Trojan horses in fake video postings on the wildly popular YouTube site, according to Paul Henry, vice president of technologies with Secure Computing. While YouTube techies were quick to pull down both postings, Henry said in an interview Wednesday that the two incidents could sound the bell for a new means of attack.

It’s worth noting that it is highly unlikely that these are actually YouTube videos.

Videos submitted to YouTube are converted to Adobe Flash Video (.flv), a format based on Flash. We have not seen any instances of this format being hacked in a manner to spawn the Zlob fake codec (which is the one mentioned in this article).

The Zlob codec, on the other hand, is typically pushed through Windows Media Player rather than through a Flash video. You click the movie, and up comes a dialog that tells you that you need a “codec” to view the video. That “codec”, of course, is the malware.

So what likely happened here is that someone saw some advertisement or comment spam for a video on YouTube — not a YouTube video itself.

It’s worth noting that deception and social engineering around YouTube have been seen. But they don’t come from the YouTube videos themselves.

Alex Eckelberry

SmartFixer being installed through dubious methods?

Our malware research team has observed SmartFixer, an apparently legitimate product, now being installed through dubious methods (trojans/exploits, all that kind of fun stuff).

[Screenshot: SmartFixer installer]

It’s a shame. One supposes that the company, in trying to increase its downloads, has made deals with distributors, perhaps not realizing that some of these distributors bring one “lots of downloads” through less-than-savory methods.

Alex Eckelberry

Cheap disclaimers

Conventional wisdom by marketing experts is that you’re never supposed to say the word cheap in any association with your products or services.

The ostensible reason is that it degrades the perceived quality of your product, since cheap, as it is sometimes used, may indicate a product that is low-priced but of inferior quality.

Instead, one must use words like “affordable” or “inexpensive”.

This rule has almost become a silly religion. Just for fun, go into a car dealer, look at the price of a car, and remark that it’s “really cheap”. The salesman will immediately bristle and correct you on this, saying, “oh, no, it isn’t cheap, it’s affordable”. Do it — I guarantee you’ll get this reaction.

However, this hasty corrective action by the salesman ignores the simple fact that in the lingua franca of American English, the word “cheap” is how people often refer to quality products that are well-priced. (It also ignores the fact that I was the one referring to the car as cheap, and not in a pejorative fashion. Why any sales or marketing person would be stupid enough to correct a customer is beyond me. I also prefer not to have a salesman tell me how to talk.)

So with that preamble out of the way, I’d like to announce that today we released a new product that’s, well, dirt cheap. And it’s a basic product, but pretty darned good.

It’s also a product that about 90% of the people who read this blog couldn’t care less about. But I feel compelled to announce new products on this blog, so here it is:

Sunbelt Software today announced the availability of Ninja Disclaimers™, a tool to provide enterprise email disclaimers for Microsoft Exchange-based email systems. The product is aggressively priced at $99.95 for unlimited mailboxes per organization.

So there it is: our new (incredibly cheap) Ninja Disclaimers product. Good disclaimers for legal, compliance or other purposes. $99 for the whole enterprise, regardless of how many mailboxes are being protected.

Of course, the reason we have made this product so incredibly cheap should be clear: we feel that once people use our Ninja Disclaimers product, they’ll be interested in the rest of our email security line (which is also cheap and darned good).

At any rate, more information on this inexpensive, affordable and cheap product can be found here.

Alex Eckelberry

Sunbelt Weekly TechTips #49: Configuration and Troubleshooting

Can’t print to files programmatically in XP
If you try to print to a file programmatically in Windows XP and the print job fails, or the job appears in the print queue but nothing prints, and then you cannot delete the job, or if program errors occur, you might need the hot fix referenced in KB article 905519. To find out how to get it, see this page.

Can’t configure maximum concurrent SMB requests in XP
By default, concurrent SMB commands in Windows XP are limited to 10, the same as the limit on concurrent network connections. This can cause a problem in certain circumstances where you have long-term SMB requests that remain open until answered. It can result in error messages and other requests going unanswered. If you have this problem, there is a hotfix that will let you increase the maximum number of concurrent SMB commands up to 255 in XP with SP2. To find out more, see KB article 926646.

SD card rollup package for Vista
Microsoft has released a rollup for Windows Vista that will address issues with Secure Digital (SD) cards, including support for SD cards with capacities of 8 GB or larger and support for SD Input/Output (SDIO) cards such as network adapters and other devices that use the SDIO slot. For more information on how to get the rollup, see KB article 933847.

Deb Shinder

Sunbelt Weekly TechTips #49: How To’s

Editing photos in Vista
Vista includes many photo editing tools in the OS. The Windows Photo Gallery is a replacement for the old Windows Picture and Fax Viewer in XP, and it allows you to directly import digital photos from your camera, CD, flash card, etc. When you import the pictures, you can have them automatically rotated to the correct orientation. That’s a cool feature if you take lots of pictures with the camera held vertically. You can even select to delete the photos from the camera after they’ve been transferred so you don’t have to do it manually. There are basic editing functions such as adjustment of exposure and color, cropping, and automatic red eye fix. Find out more about Photo Gallery here.

How to create a shortcut to quickly lock your XP or Vista computer
It’s a good idea to lock your desktop if you’re going to be away from the computer for a while and there are others around and you don’t want them to use your account. You can do so by pressing the key combo Windows Key + L (with Fast User Switching disabled), but what if you’re using a keyboard that doesn’t have the Windows key? Then you can create a shortcut to put on your desktop or Quick Launch bar and simply click it to lock the desktop. This works in both XP and Vista:

  1. Right click an empty area of the desktop and select New, then Shortcut.
  2. Enter the following location for the shortcut: %windir%\System32\rundll32.exe user32.dll,LockWorkStation
  3. Name the shortcut “Lock” or something similar.

Now when you click the shortcut, the desktop is locked and you must press CTRL+ALT+DEL and enter your username and password to unlock it.

Beware fake greeting cards
There are several web sites through which you can send a virtual birthday, anniversary or other greeting card to a friend. It’s a nice gesture; you construct the card, create a message to go inside and enter the friend’s email address, and he/she is notified to pick up the card on the web site. I’ve received many in the past from friends of mine. Recently, though, phishers have begun to exploit this common feature, sending you fake cards with URLs that, when clicked on, will take you to a malicious site that attempts to steal information that can be used for identity theft. Even experienced Internet users are sometimes fooled; see the blog post here. Be very careful about picking up those cards now. One clue that a greeting card message isn’t legit: most of the real services give you, in the email notice, the name or email address of the sender. If the message just says “a friend sent you a card,” with no identifying info, proceed with caution.

Why is my password expiring?
QUESTION:
I reinstalled XP Pro on my computer a month or so ago. Now I’m getting a message that my password will expire in 14 days. I know I never got those messages before the reinstall. I don’t want to change my password. Is there a way to stop it from expiring? Thanks! – Joel K.

ANSWER: By default XP Professional is set up for passwords to expire in 42 days (the “Maximum password age” setting in the local security policy). You start to get the warning 14 days prior to expiration. This is a security measure: changing your password regularly limits how long a guessed or stolen password stays useful, which matters most in a business environment. On a home computer, you may not need that level of protection. Here’s how to stop your password from expiring:

  1. Click Start, then Run, and type this in the Open box: control userpasswords2
  2. In the User Accounts dialog box, click the Advanced tab.
  3. Click the Advanced button under Advanced User Management.
  4. In the Local Users and Groups section, click Users.
  5. In the right pane, right click your user name.
  6. Click Properties and then click the General tab.
  7. Check the box labeled Password Never Expires.
  8. Click Apply and OK to close the dialog boxes.

Now you can keep the same password and it will never expire.
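The same change from the command line, as an added example that is not the column’s own code: the first function reads the policy value that produces the warning, and the second sets the per-account “Password never expires” flag (the ADSI user-flag bit behind the checkbox) and reads it back. Both target the local machine; the function names are this example’s own, and setting the flag needs an elevated prompt.

```powershell
# Added example, not the column's own code.

function Get-LocalPasswordMaxAge {
    # "net accounts" prints the local account policy; the line of interest reads
    # "Maximum password age (days):   42" (42 is the XP Professional default).
    # Changing the policy itself would be: net accounts /maxpwage:unlimited
    $line = net accounts | Where-Object { $_ -match 'Maximum password age' }
    if ($line -match '(\d+|Unlimited)\s*$') { return $Matches[1] }
}

function Set-LocalPasswordNeverExpires {
    param([string]$UserName = $env:USERNAME)
    # ADS_UF_DONT_EXPIRE_PASSWD is the bit behind the "Password never expires" box.
    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    $user.UserFlags.Value = $user.UserFlags.Value -bor $ADS_UF_DONT_EXPIRE_PASSWD
    $user.SetInfo()
    # Re-read the account and return the flag so the caller can confirm it stuck.
    $user.RefreshCache()
    return [bool]($user.UserFlags.Value -band $ADS_UF_DONT_EXPIRE_PASSWD)
}

"Maximum password age: $(Get-LocalPasswordMaxAge)"
if (Set-LocalPasswordNeverExpires) { "Password for $env:USERNAME no longer expires." }
```

The per-account flag is the smaller change: the 42-day policy stays in force for every other account on the machine, which is what you want if the computer is shared.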

Deb Shinder

Sunbelt Weekly TechTips #49: News, Hints, Tips, Tricks & Tweaks

Editor’s note: Our weekly tech tips can be pretty big. So we’re splitting them into three segments each week:

  • News, Hints, Tips, Tricks & Tweaks
  • TechTips
  • Configuration and troubleshooting

Tell us what you think of the new format!

Is your ISP joining forces with RIAA?
Some ISPs have fought the efforts of the recording industry and Hollywood studios to obtain information about computer users who frequent peer to peer file sharing services, but others are joining forces with the content providers to create technology to identify movie and music pirates, and that has some privacy advocates up in arms. It was reported last week that AT&T recently met with entertainment company representatives toward that end. You can read more about it here.

Microsoft drops Digital Image Suite
What is DIS, you might ask. Well, that’s part of the problem. Although it was a decent little photo organizing/editing program, Microsoft’s Digital Image Suite never gained widespread popularity. Now DIS stands for DIScontinued, as Microsoft announced recently that they will no longer make the software since many of its functions are now included in the operating system. If you use DIS, though, don’t despair. The product will still be supported through April 30, 2010 and you can even still buy it while supplies last. Read more here.

Get cool free icons
If you have your own web site (and who doesn’t, these days?), you can dress it up with graphic elements like icons and buttons. But paying a designer to create graphical elements for you can get expensive, and just “borrowing” ones you like from other web sites can be a violation of copyright law. Luckily, there are plenty of sources of free icons on the web. There’s a pretty extensive collection here.

Vista hologram mystery solved
You may have read some blog posts recently speculating about a vast conspiracy surrounding three tiny mysterious faces that appear in the authenticity hologram on the Windows Vista Business Edition DVD. They’re too small to be seen without magnification. You can see pictures of the images here.

Unfortunately, the story of who they are and where the pictures came from isn’t nearly as exciting as some folks anticipated. It’s only a watermark, designed to make it harder for counterfeiters to copy. Thanks to Nick White for clearing up the mystery in his Vista Team blog post.

Does Google own you?
This eWeek article says yes. The search engine giant has taken a lot of hits lately over its increasing intrusions into our lives, including street level photos on the Google Maps site and the huge amount of personally identifiable information it collects when you use its software and services. Is it something to be concerned about, or can we trust the company just because it claims to “do no evil?”

Deb Shinder

Is the Browser Battle Heating Up on a New Front?

For a long time, the battle over which is the best operating system has been a three-way one. The vast majority of computer users still depend on some version of Windows, but the market share for Linux in all its varieties has grown over the years. And there is an even larger (although still small) following for the Macintosh.

Here’s the way it’s broken down as of May 2007, according to the Market Shares web site run by Net Applications: Windows XP currently enjoys a little over 82 percent of the market, with other Windows operating systems making up another 11 percent or so.

Macs come in second with almost 9 and a half percent (includes both MacOS and MacIntel), and Linux – despite open source advocates’ best efforts – is reported with less than 1 percent of the market. The numbers don’t add up to 100 percent because a few other specialty operating systems, such as Hiptop (for mobile phones) and PSP (for gaming consoles), are also included in the statistics, but the top three dominate desktop computing.

The web browser is arguably the most used piece of software on most computers and similarly, the browser wars have been primarily a battle between three contenders: Internet Explorer (with almost 79 percent), Firefox (with just over fourteen and a half percent) and Safari (with almost 5 percent). There are many other browsers available, including the one-time favorite Netscape, Opera, Konqueror and versions of Mozilla, but the rest all show under 1 percent of market share.

Safari has, up until now, suffered a disadvantage in this contest. Since it ran only on Macs, and Macs are on less than 10 percent of computers, most users weren’t able to run or even try the browser.

Thus, most folks, when you say “alternative web browser,” think only of Firefox. But if you happen to like the Safari web browser that comes with Mac OS X, but prefer to use Windows (or have to at work), now you can take a Safari without switching your OS. Apple has just released a version of Safari for Windows.

Some pundits warn that it’s just a ploy to lure Windows users over to the Mac. Others applaud the ability to use Mac programs they like without having to switch platforms. Some speculate the Safari for Windows release will hurt Firefox more than IE. Whatever your opinion may be, it was downloaded more than a million times in its first two days of availability. Somebody must be interested.

This release is a beta, and it was announced by Steve Jobs at the Worldwide Developers’ Conference 2007 last week. The Windows version has the same features as the one that runs on OS X. Apple claims that Safari runs twice as fast as IE and significantly faster than Firefox. Since the need for speed seems to be a common trait of computer users, this makes Safari look like an attractive alternative.

It also boasts some interesting features such as SnapBack, a button that lets you instantly go back to the top level of a web site after browsing deeply into it or create an anchor point to snap back to after browsing through many links and sites. And it has a security feature called “private browsing” that lets you turn off storage of search results, cookies, site history, download history and other normally cached information, instead of having to erase those caches after the fact.

I wanted to find out for myself. I always install multiple browsers, for several reasons. Some web sites won’t render properly (or at all) in one browser but look fine in another. And I create web pages, so I like to take a look at my own pages in different browsers so I’ll know how others are experiencing them. I currently have IE 7, Firefox and Opera installed on my primary desktop computer and I was eager to add Safari to the collection.

Download and installation of the beta took only a few minutes, but I made sure to create a restore point first, just in case. It was pretty non-intrusive; it did install an icon on the desktop, but interestingly it didn’t open the browser after installation. I clicked the icon – and immediately got a message that the program had stopped working. Subsequent attempts rendered the same result. Although it was advertised as being for XP or Vista, my installation of Vista apparently didn’t like it.

I tried changing the compatibility settings on the Safari.exe program to run in XP compatibility mode. That’s worked for a number of programs that didn’t work on Vista right off the bat, but it had no effect here. Next I tried running as an administrator. That didn’t work, either. Okay, maybe – even though it didn’t say so in the installation instructions – it required a reboot. I closed everything and restarted the computer. Still no Safari for me.

Not one to give up that easily, I next tried to install Safari on a couple of XP machines – first one that belonged to my Windows domain and then, when I was unsuccessful again, on one that wasn’t a domain member. This time I got a little further – Safari detected my proxy server and asked for my credentials. I had high hopes. However, after I entered them, I got the XP dialog box telling me that Safari had encountered a problem and needs to close.

If I canceled the proxy dialog box, I couldn’t access any web sites, but I could examine the Safari menus and Help files. Unfortunately, the Help files provided no help for my problem. The good news was that the installation attempt didn’t cause any problems for the OS or other programs, but darn it, I had used Safari on OS X and wanted to get a chance to actually use it to view web pages on XP or Vista.

Tom started mulling over the problem with me, and we came up with one last idea, based on the request for proxy credentials on the XP computer. Maybe the proxy authentication wasn’t working correctly. He headed upstairs to the server room and turned off proxy authentication on the ISA Server that’s installed on our network edge. Sure enough, Safari then worked fine.

It’s not a very practical solution. For security purposes, we’re not going to leave authentication turned off just so we can use the Safari browser. But at least we did track down what was causing the problem, and I got a chance to take a brief look at the browser.

The interface is the familiar OS X look (which I rather like). Its window frames are not transparent in Vista, though. And yes, it is fast. In side-by-side tests, it opened most pages more quickly than IE and Firefox, but not by a lot. In fact, the other two browsers sped up a lot when proxy authentication was off, too.

I had one immediate complaint: when you click in the address bar, it doesn’t highlight the whole address as IE and Firefox both do, so you can type in a new one without dragging to highlight and delete the old one. Minor, but annoying. Also, as with all OS X programs, you can’t resize the window by just grabbing the edge anywhere; you have to grab it at the bottom left corner. That can take some getting used to.

As promised, it imported my IE bookmarks without asking (not sure if that’s good or bad). The way it handles bookmarks is interesting; there is a bookmarks tab that you can choose to show or hide. SnapBack also works as described, and I think I could get to like that feature.

Note that the initial release had some security problems, but Apple released an update on Thursday (June 14) to fix the vulnerabilities. Be sure you have version 3.0.1. If you have the Apple Update software installed, it’ll be pushed to you through that. And you may want to read this article from Larry Seltzer that discusses the “halo effect” before installing Safari.

If you still want to give it a try, you can download the Safari beta here.

Let me know how you like it and whether you encounter any problems running it on Windows. Also tell us: what’s your favorite web browser, and why? Do you use more than one browser? What features would you like to see on the ideal web browser?

Deb Shinder

Update on worm spam wave

Update on the previously reported spam wave spreading malware.

Our analysis of the web page in the spam shows that it uses a number of exploits to infect a system: Cursor ANI, Create Control Range, MDAC (and this), and SetSlice.

So, fully patched systems should be fine. However, the page that one gets directed to does offer the user the ability to download the malware, so social engineering is still at play here.

Also, sources at the CastleCops SIRT (Spam Incidence Reporting and Takedown) team indicate the following URLs are infection vectors:


Update: More added in the comments section.

[Many of these are live exploit sites. Do not visit unless in a virtual machine, etc.]

More information here and here.

Alex Eckelberry

Weekend run of fake greetings loads malware

A run of spam this weekend looks something like this:

From: Martha [fake email address]

Sent: Monday, June 16, 2008 2:56 PM

To:

Subject: Martha sent you a endeny(d0t)hk! Greeting

Surprise! You’ve just received a endeny(d0t)hk! Greeting from from “Martha” [fake email address]

To view this greeting card, click on the following Web address at anytime within the next 30 days.

[malware link]

Enjoy!

The endeny(d0t)hk! Greetings Team

[endeny(d0t)hk is a live exploit site. Do not visit it unless in a virtual machine, etc.]

If you click on the link, you get to a website which attempts to exploit your system (the one we analyzed uses the now-patched ANI cursor exploit). A link is also provided on the web page to download the malware yourself.

It’s a new technique that one group is using to deploy the “Storm Worm” P2P botnet.
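As an added illustration (not code from this post or from Sunbelt), here is a small Python triage check for the e-card lure quoted above and for the defanged host lists in this post and the worm spam wave post: it refangs the blog’s “(dot)”/“(d0t)” notation into real hostnames and flags a message that matches the quoted subject template, the “click within the next 30 days” lure text, and a link to a listed host. The sample messages and the host ecard-lure.example are constructed, not real captures.

```python
import re

# The blog defangs hostnames as "name(dot)hk" / "name(d0t)hk"; refang() turns
# that notation back into a real hostname so it can be matched against mail.
DEFANG_RE = re.compile(r"\((?:dot|d0t)\)", re.IGNORECASE)

def refang(indicator: str) -> str:
    """'ecard-lure(d0t)example' -> 'ecard-lure.example'"""
    return DEFANG_RE.sub(".", indicator.strip()).lower()

# Patterns lifted from the spam template quoted in the post.
SUBJECT_RE = re.compile(r"sent you an? (?P<host>[\w.-]+)! Greeting", re.IGNORECASE)
LINK_HOST_RE = re.compile(r"https?://([\w.-]+)", re.IGNORECASE)
LURE_RE = re.compile(
    r"click on the following web address.*within the next \d+ days",
    re.IGNORECASE | re.DOTALL,
)

def classify(subject: str, body: str, blocked: set) -> dict:
    """Return the e-card indicators a message triggers; two or more is suspicious."""
    hits = []
    m = SUBJECT_RE.search(subject)
    if m:
        hits.append("subject-template")
        if refang(m.group("host")) in blocked:
            hits.append("subject-host-blocked")
    link_hosts = {h.lower() for h in LINK_HOST_RE.findall(body)}
    if link_hosts & blocked:
        hits.append("link-host-blocked")
    if LURE_RE.search(body):
        hits.append("ecard-lure-text")
    return {"suspicious": len(hits) >= 2, "hits": hits}

# Constructed sample data: a defanged block list entry and two messages.
BLOCKED = {refang("ecard-lure(d0t)example")}
SPAM_SUBJECT = "Martha sent you a ecard-lure.example! Greeting"
SPAM_BODY = (
    "Surprise! You've just received a ecard-lure.example! Greeting from \"Martha\"\n"
    "To view this greeting card, click on the following Web address at anytime "
    "within the next 30 days.\n"
    "http://ecard-lure.example/card\n"  # constructed link, not the real one
    "Enjoy!\nThe ecard-lure.example! Greetings Team\n"
)
BENIGN_SUBJECT = "Re: team lunch on Friday"
BENIGN_BODY = "See the menu at http://intranet.example/lunch and reply by Thursday."

if __name__ == "__main__":
    print(classify(SPAM_SUBJECT, SPAM_BODY, BLOCKED))
    print(classify(BENIGN_SUBJECT, BENIGN_BODY, BLOCKED))
```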

Alex Eckelberry
(thanks to Adam Thomas for his research help on this)