The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/feb3,2006.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The contents of this newsletter are commentary. They should not be mistaken for unbiased, objective journalism.
Three serious security flaws have been discovered in the popular Winamp media player. The flaws can be exploited to cause a buffer overflow, which in turn can be used to execute malicious code.
Sunbelt already has discovered at least one spyware program exploiting this flaw. You can read the dirty details at Alex Eckelberry's blog.
Winamp swiftly released an updated version, which fixes these vulnerabilities. You can download the new version from Winamp.com. We Winamp users are lucky that Microsoft doesn't make the program. We would be waiting for another two weeks for that patch.
I have written a full review of the Sunbelt Kerio Firewall, where I describe many of the features. It is much too large to include here. However, you can read the review on the web site.
If I were grading firewalls like a school teacher, Kerio would blow the bell curve. Kerio has several features which make it stand apart from other software firewalls. It has been my favorite for years. No other firewall comes close, in my opinion.
Kerio firewall is very simple to use. When a network connection is attempted, to or from your computer, you decide what to do about it, check a box and your decision is applied to that same connection every time. Kerio also gives you the ability to control network connections right down to the IP address and port number. It also allows you to firewall a computer being used as a shared internet connection host, without interfering with the internet activities of the other computers on your local network.
Kerio firewall features three different intrusion detection systems. These systems will block everything from network worms to buffer overflow exploits. The "Behavior Blocking" system will alert you to programs that might have been modified by a virus and let you decide if you want one program to launch another. It also can be used to forbid specific applications from being loaded.
Kerio has a web filtering system with several features. It will block advertising banners, cookies, scripts and ActiveX. It also can block the referer string, which prevents a web site from logging the address of the web page you just visited. Unlike other firewalls, Kerio simply deletes the referer, rather than inserting an advertisement for itself.
The privacy settings, in the web filtering options, allow you to define certain information that you want to prevent being sent out over the internet. If you are concerned that your kids might post your address or phone number on a web site, you can enter that information into the firewall. If someone attempts to post that information somewhere, Kerio will block it.
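The two web-filtering behaviours just described, deleting the Referer header outright and refusing to send a request that carries user-defined private data, can be shown in a few dozen lines. The following is an added example written for this newsletter, not code from Kerio or Sunbelt: a small outbound filter in Go that parses one HTTP request, blocks it if the URL or body contains any protected string, and otherwise forwards it with the Referer removed. The two sample requests and the protected values (a phone number and a street address) are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed sample requests (not real traffic). The POST carries a phone
// number that the user has asked the filter to keep off the internet.
const sampleGet = "GET /search?q=firewalls HTTP/1.1\r\n" +
	"Host: example.com\r\n" +
	"Referer: http://example.com/the-page-you-came-from\r\n" +
	"User-Agent: constructed-browser/1.0\r\n" +
	"\r\n"

const samplePost = "POST /guestbook HTTP/1.1\r\n" +
	"Host: example.com\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\n" +
	"Content-Length: 29\r\n" +
	"\r\n" +
	"name=kid&msg=Call+555-0100+ok"

// Decision records what the filter decided for one outbound request.
type Decision struct {
	Blocked   bool   // true when the request must not leave the machine
	Reason    string // the protected item that matched; empty when allowed
	Forwarded string // the rewritten request text; empty when blocked
}

// FilterOutbound parses one raw HTTP request, blocks it when the URL or
// body contains any protected string, and otherwise deletes the Referer
// header before handing the request on.
func FilterOutbound(raw string, protected []string) (Decision, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return Decision{}, err
	}
	body, err := io.ReadAll(req.Body)
	if err != nil {
		return Decision{}, err
	}
	// Case-insensitive substring match over the query string and the body.
	haystack := strings.ToLower(req.URL.String() + "\n" + string(body))
	for _, item := range protected {
		if item != "" && strings.Contains(haystack, strings.ToLower(item)) {
			return Decision{Blocked: true, Reason: item}, nil
		}
	}
	// Delete rather than replace: the server sees no Referer at all.
	req.Header.Del("Referer")
	var out strings.Builder
	fmt.Fprintf(&out, "%s %s %s\r\n", req.Method, req.URL.RequestURI(), req.Proto)
	fmt.Fprintf(&out, "Host: %s\r\n", req.Host) // ReadRequest moves Host out of Header
	for name, values := range req.Header {
		for _, v := range values {
			fmt.Fprintf(&out, "%s: %s\r\n", name, v)
		}
	}
	out.WriteString("\r\n")
	out.Write(body)
	return Decision{Forwarded: out.String()}, nil
}

func main() {
	protected := []string{"555-0100", "71 Example Lane"} // constructed values
	for _, raw := range []string{sampleGet, samplePost} {
		d, err := FilterOutbound(raw, protected)
		switch {
		case err != nil:
			fmt.Println("parse error:", err)
		case d.Blocked:
			fmt.Printf("BLOCKED: request contains protected item %q\n", d.Reason)
		default:
			fmt.Printf("FORWARDED:\n%s\n", d.Forwarded)
		}
	}
}
```

Two points a practitioner should keep in mind: a plain substring check only catches data sent in the clear, so a form that percent-encodes or otherwise transforms the text would need decoding before the comparison, and nothing of this kind can inspect an HTTPS body, since the filter sits outside the TLS session.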
I am running out of space, so I will let the review say the rest.
Sunbelt Software is offering a $5.00 discount, until March 31, 2006. That brings the price down to $14.95. This firewall is a bargain at twice that price. If you have any problems with the ordering page, please email Catherine: http://www.spywareinfo.com/email2.php.
I have received many excellent letters regarding my article on the VMware Browser Appliance. I overlooked a few things while I was writing it.
First of all, I failed to notice that the system specs for the VMware Player do not include Windows 98 or ME. I don't know if that means it requires 2000 or XP, or if that is just a recommendation. One guy wrote and said he had it running on Windows 98, so who knows? It is free, so if it doesn't work, you haven't lost anything but time.
Linux has excellent support for accessibility software. Unfortunately, none of it is installed on the Browser Appliance. I have written to VMware and asked if they could update it to include that. Either they haven't answered or my spam filter ate their reply.
I haven't had much time for looking around, but reader Erik van Luxzenburg recommended one program called gnopernicus. That will install and enable a whole suite of accessibility programs. I only had time for a brief look at it.
If your vision is impaired, but you are not completely blind, gnopernicus should be useful. If nothing else, you can use the screen magnifier feature to zoom in on text.
There also is a text-to-speech feature but it didn't seem to work very well. I don't know if it was because it was running under VMware or if it simply didn't like my hardware. All I could hear was a loud static, with some vague mumbling in the background.
This is how you install gnopernicus:
Within the Browser Appliance, click the "Applications" button, go to "Accessories" and click the entry for "Terminal".
Type the following:
sudo apt-get install gnopernicus
When it asks for the password, type vmware.
Text will flash by quickly for a few seconds, then it will ask you to continue. Press y and hit "Enter". When it is done, gnopernicus will be installed at "Applications" > "Accessibility".
The first time you use it, it will ask you to enable accessibility support. Tell it "yes", then reboot the Browser Appliance. The next time you use it, you may have to disable the text-to-speech feature, if it malfunctions like it did with me.
I haven't had a chance to look at it further. I have many projects to finish and I am behind on all of them. This is on the "priority" list, however.
Because of these two issues, I will relent and put the original "Prevent a Browser Hijacking" article back where it was. I hate to do it, because that is incomplete protection. Still, it is better than no protection at all.
My files were scattered all over the place after my hard drive failure last month. As soon as I figure out which of my four hard drives has the file, I will put it back on the site.
I am a little concerned about the Microsoft OneCare project.
OneCare, which is labeled as "beta" for now, is a software suite and service that provides antivirus, antispyware and firewall protection, backs up the system regularly and performs an occasional tune up. It has the potential to be a very useful service.
Security consultant Roger Grimes has found a problem with the service - the firewall does not regulate internet connections made by software, if that software has a digital signature.
That is a pretty serious problem, when you think about it. Setting up a firewall to allow unidentified software unrestricted access to the internet defeats the purpose of having the firewall in the first place.
You cannot trust software to be benign, just because it has a digital signature. This is why ActiveX, for a long time, was the preferred method for installing browser hijackers - because people were told they could trust signed ActiveX programs. I have never seen an ActiveX drive-by installer for spyware or a browser hijacker that wasn't signed. Not once.
It looks now like Microsoft intends to make the same mistake with non-ActiveX programs. They are making a very flawed assumption - that signed software cannot be malicious.
Digital signatures for software, whether ActiveX or otherwise, are useless. No one is making sure that those signatures are not being attached to malicious software. The people who should be doing that are the same people collecting fees for the certificates.
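The distinction the last three paragraphs turn on, that a valid signature proves who signed a file and that it was not altered since, but not that the file is benign, is easy to make concrete. The following is an added example written for this newsletter, not code from Microsoft or OneCare: it generates a "vendor" key and an "attacker" key, signs a benign update with one and a rogue dialer with the other, and runs both through two policies. AllowIfSigned is the rule the text describes (any valid signature grants access); AllowIfTrustedSigner is a constructed alternative that also requires the signer to be on the user's own trust list. Program names and contents are made up for the example; Ed25519 stands in for whatever signature scheme a real product would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedProgram models a downloadable installer shipped with a code signature.
type SignedProgram struct {
	Name      string
	Code      []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// Fingerprint is how a trust list identifies a signing key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Sign attaches a signature made with priv. Anyone with a key pair can do
// this, a malware author included; the signature proves only who signed.
func Sign(name string, code []byte, priv ed25519.PrivateKey) SignedProgram {
	return SignedProgram{
		Name:      name,
		Code:      code,
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, code),
	}
}

// ValidSignature answers one question: was Code signed by Signer's key and
// left unmodified since? It says nothing about whether Code is benign.
func ValidSignature(p SignedProgram) bool {
	return len(p.Signer) == ed25519.PublicKeySize &&
		ed25519.Verify(p.Signer, p.Code, p.Signature)
}

// AllowIfSigned is the weak rule the text describes: a valid signature,
// from anyone at all, grants unrestricted network access.
func AllowIfSigned(p SignedProgram) bool {
	return ValidSignature(p)
}

// AllowIfTrustedSigner also requires the signer to be on the user's
// trust list (a constructed policy, not any product's actual rule).
func AllowIfTrustedSigner(p SignedProgram, trusted map[string]bool) bool {
	return ValidSignature(p) && trusted[Fingerprint(p.Signer)]
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]bool{Fingerprint(vendorPub): true}

	programs := []SignedProgram{
		Sign("vendor-update.exe", []byte("benign update"), vendorPriv),
		Sign("rogue-dialer.exe", []byte("dials premium numbers"), attackerPriv),
	}
	// A modified copy of the vendor's file: the signature no longer matches.
	tampered := programs[0]
	tampered.Code = []byte("benign update + backdoor")
	programs = append(programs, tampered)

	for _, p := range programs {
		fmt.Printf("%-20s valid=%-5v signed-only=%-5v trusted-signer=%v\n",
			p.Name, ValidSignature(p), AllowIfSigned(p), AllowIfTrustedSigner(p, trusted))
	}
}
```

The rogue dialer passes AllowIfSigned because its signature is perfectly valid; it fails AllowIfTrustedSigner only because its key is not one the user chose to trust. Even the trust-list version is a minimum: a deployable policy also needs a way to revoke a key whose owner turns out to be hostile, which is exactly the check the text says nobody is performing.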
There is something else that concerns me. Roger Grimes pointed out that digitally-signed malware will not be stopped by the firewall, unless the user changes the default settings. The program manager for OneCare, Yoav Schwartz, responded to that by saying: "It is highly unusual for malware to be signed".
"Highly unusual". Yeah, okay.
Care to take a guess at how many spyware/adware/browser hijacker/rogue dialer files I have seen which have digital signatures? I don't mean ActiveX - I mean downloadable .exe installers and program files. Go ahead; think of a number. Now add some zeros to the end of it and you will be in the ballpark.
If OneCare is still "beta", then there must be a way for users to provide feedback. If any of you are test driving that beta, then for the sake of future OneCare users, provide Microsoft with some feedback on this.
It is late at night and you cannot sleep. You look out a window and notice that someone is in your neighbor's yard. That person is carrying a burning torch and is about to chuck it through a window.
Do you call the police? Or do you ignore it, because this is not the regularly-scheduled day for giving warnings?
That is a ludicrous question, isn't it? Still, I wonder how Microsoft would answer it?
The Kama Sutra worm (you may know it by another name) delivered its first payload today. Any computer infected with this worm will have had all Microsoft Office documents, plus .zip and .rar archive files corrupted. If these files were not backed up somewhere safe, they are gone.
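Since the damage described above is silent overwriting of document and archive files, the practical question for a user is which files were hit and need restoring from backup. The following is an added example written for this newsletter, not code from any vendor: a manifest of SHA-256 digests for the at-risk file types, built before the fact and stored with the backup, and a verify step that lists files whose contents changed or that vanished. The extension list is an assumption (the classic Office extensions plus the archive types the text names), and the sample files and the "corrupted" contents are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// File types the text says the payload corrupts. The Office extensions are
// assumed (the classic ones); extend the set for your own environment.
var targetedExts = map[string]bool{
	".doc": true, ".xls": true, ".ppt": true, ".zip": true, ".rar": true,
}

// Targeted reports whether a file name falls in the at-risk set.
func Targeted(name string) bool {
	return targetedExts[strings.ToLower(filepath.Ext(name))]
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest records a SHA-256 digest for every at-risk file. Keep the
// manifest with the backup, not on the machine it describes.
func BuildManifest(files map[string][]byte) map[string]string {
	m := make(map[string]string)
	for name, content := range files {
		if Targeted(name) {
			m[name] = digest(content)
		}
	}
	return m
}

// Verify compares the current files against the manifest and returns the
// names whose contents changed and those that have disappeared, both sorted.
func Verify(manifest map[string]string, files map[string][]byte) (damaged, missing []string) {
	for name, want := range manifest {
		content, ok := files[name]
		switch {
		case !ok:
			missing = append(missing, name)
		case digest(content) != want:
			damaged = append(damaged, name)
		}
	}
	sort.Strings(damaged)
	sort.Strings(missing)
	return damaged, missing
}

func main() {
	// Constructed sample files standing in for a user's documents.
	before := map[string][]byte{
		"thesis.doc": []byte("chapter one"),
		"budget.xls": []byte("rent,500"),
		"photos.zip": []byte("PK\x03\x04 constructed archive"),
		"notes.txt":  []byte("not a targeted type"),
	}
	manifest := BuildManifest(before)

	// Simulated aftermath: one targeted file overwritten, one gone.
	after := map[string][]byte{
		"thesis.doc": []byte("\x00\x00constructed garbage"),
		"budget.xls": []byte("rent,500"),
		"notes.txt":  []byte("not a targeted type"),
	}
	damaged, missing := Verify(manifest, after)
	fmt.Println("damaged (restore from backup):", damaged)
	fmt.Println("missing (restore from backup):", missing)
}
```

A digest manifest tells you what to restore; it cannot bring anything back, which is why the text's point about keeping backups somewhere safe stands on its own.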
Microsoft already has updated their Malicious Software Removal Tool to detect and remove this virus. It was ready at least a week ago. The countless millions of computers that check for updates automatically already could have been protected from this worm. Could have been, except that Microsoft refused to release it to the Windows Update site.
The problem is not a software flaw. This wasn't a security patch that needed to be tested. The Windows operating system would not have been modified if the updated tool had been released. This is a tool that does one thing - remove malicious software.
Microsoft releases bug fixes and other updates on the second Tuesday of each month. The updated removal tool was not made available, because it wasn't on "The Schedule".
Where is the logic in that?
I have been skeptical of this monthly update schedule, ever since Microsoft announced it. When I heard about it, my first thought was "now the malware authors will just wait until every second Wednesday to release their new creations". And I was right.
The reason Microsoft gave for starting this schedule never justified it, in my opinion. Businesses running Microsoft software need time to test new patches, to make sure they don't break anything. The monthly schedule, so the theory goes, makes this less complicated.
I hate to sound callous here, but that doesn't cut it with me. The IT workers who install and test these updates are paid to do that. That is part of their job.
The larger number of people using Windows at home can't pay someone to test each patch. So they sit there, unprotected, hoping that the flaw on their computer is not exploited while they watch the calendar.
It is unfortunate that it causes some complications for corporate users, when the patches are released as soon as they are ready. The massive chaos that results, when home and small business users are forced to wait unnecessarily for those same patches, is even more unfortunate. I think it is obvious which is the lesser of two evils here.
Consider the WMF flaw that made the headlines last December. Because of the nature of that flaw, all you had to do was view a malformed image and you could be infected with spyware. SpywareInfo's message board was filled with people who were infected in this manner.
Microsoft had to be begged, publicly, by nearly the entire security community, to release the bug fix ahead of the normal schedule. People were out there creating their own patches for this bug. That is outrageous!
I think it is time for this monthly schedule to end. It is resulting in far more chaos than it was intended to correct.
I have held myself back from saying this in the past, because it is inflammatory and is certain to generate hate mail, but it needs to be said. When Microsoft knows of a publicly-disclosed security flaw, has created a fix for that flaw, has tested the fix to make sure it doesn't break anything and has it ready to go, withholding that fix because of a schedule is irresponsible and negligent.
In the situation I describe, Microsoft becomes directly responsible for every single instance of that flaw being used to trash a computer, in between the time the patch is completed and the time it is actually released. One of these days, somebody is going to sue them for it. I suppose then we will see how enforceable those click-through software EULAs really are.
I am not asking them to rush patches out the door as soon as possible. Obviously each patch has to be tested first, to make sure they don't cause new problems. Let them take as long as they need to do that. All I am asking for is a little common sense. If a flaw is being exploited and a fix is ready to go, don't wait three weeks to release it.
Common sense, that's all I ask.
I'm sorry. I didn't intend to jump up and down on Microsoft twice in the same newsletter. These two stories have come to a head at the same time and I can't keep my peace about either of them.
I also have a correction related to this. I sent out a mailing on early Thursday, warning people that the Kama Sutra worm was about to explode.
In that mailing, I made a reference to "paying members" of Microsoft's "'Windows Live Safety' and 'OneCare' beta services". That was a goof on my part. Both of those services are free, so obviously there cannot be "paying" members. I apologize for that error.
Some friends and I have started a new project: BookGap.com.
Colleges and universities charge a king's ransom for text books. At some schools, the professor teaching the course is the author of the books he or she requires the students to buy for the course. That must be a nice racket. I bet Tony Soprano would approve.
We hope BookGap can help with that. The idea is simple. When you finish a course, you sell the books to someone else who needs those same text books. For a tiny fee, you can list those books on the site, for three weeks or until it is sold.
The site is new and considered to be in "beta", so there probably will be some bugs. We are waiving the fees, until Valentine's Day.
This is from the site:
BookGap is an idea from a student - and our focus is mainly for students. Of course, we welcome all the non-students who are using this service. Our main intent, though, is to save students some money. Text books are simply expensive and book costs are a major financial drain for most students.
BookGap is a meeting place. We want to connect you with students or other people who might have that text book that might be needed for a few short months. Further, we want to connect you with people who want those text books that you will no longer use nor want. The BookGap concept is providing a place for people to connect. We do not profit from the sale of a book. The only charge to you is a nominal fee of $1.72 to list a text book or to list a need for a text book. That charge covers our overhead and the costs of maintaining the databases on a daily basis.
There will be limited traffic on this site until we start publicizing the site. We want to fix whatever we have missed and add a few things here and there. We expect that there will be a good response, once people find us. We hope to have our official launch on February 14, 2006 - Valentine's Day. Then we will start charging for the listings ($1.72 per listing) and pay some bills. We hope you like the BookGap concept. Please tell your friends, your family, your school ... and tell us what you think of the concept.
SpywareInfo has a new(ish) feature, listing news headlines relevant to spyware, privacy and safely using the computer. There is a saying that "all politics are local". It seems that this also applies to the internet. It is a close community in that problems can spread from anywhere. If you see a local story that you think deserves attention, please let us know. Use this mail form, tell us some details and we will follow the story.
This Spywareinfo News Section is updated every day - and several times during the day. It is a section of Spywareinfo that we hope will keep you informed on a daily basis - and keep your internet time a bit safer. Go have a look.
Running SpywareInfo has become an expensive thing to do. We are using three separate servers to display the site and to protect it from denial of service attacks. This is not a cheap web site to host.
If you would like to help with the costs, there are three options. There is PayPal for those who have a Paypal account or don't mind signing up for one (it is free).
There is a snail mail address if you do not like Paypal or have no means of sending money online. Please make sure to make checks (in US Dollars) or money orders (in American currency) out to James Healan and not Mike Healan so I am not hassled at the bank. Please note that contributions to SpywareInfo are not tax deductible.
The address is:
James Healan
PO Box 71
Vidalia, GA USA 30475
Thank you very much for your contributions.
You can also purchase t-shirts, hats, bumper stickers and other items from our CafePress storefront.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners. All rights reserved.