Windows News, Friday the 13th Edition

Mark Soper — Fri, 13 Jun 2008 20:55:14 -0500

WoW! Pro Photo Tools Are Not Just for 32-bit Windows Anymore

32-bit Windows XP and Vista photo fans have been enjoying Pro Photo Tools' combination of metadata editing, mapping and GPS support since early May, but now, thanks to WoW64 (Windows on Windows 64, which enables 32-bit Windows apps to run on 64-bit Windows), 64-bit users can use it too, as reported by the MSDN Pro Photo Community Blog.

Hotmail Gets Faster, Adds More Features

If you're a Hotmail user, you're not just imagining greater speed. As reported by the Windows Live Mailcall blog, Hotmail's classic mode is now much faster and no longer reloads the entire page when the screen updates. If you have a paid version of Hotmail, you can now use its "Add an email account" feature to add many POP3 accounts, even if you don't know your POP email server settings.

CastleCops' Loss is Microsoft's Gain

I first encountered CastleCops, one of the most effective antiphishing websites, while writing my book, Maximum PC Microsoft Windows Vista Exposed. Wednesday, InfoWorld reported that CastleCops founder Paul Laudanski has become a Microsoftie, and will be working as part of Microsoft's Internet Safety Investigator for the Live Consumer Services team. Laudanski's new job started May 16th, but CastleCops is still on duty.

Still looking for a PC with Windows XP? The 'Last Chance' Is Coming

InfoWorld reports that HP, Acer, and Lenovo will be accepting orders for systems with Windows XP installed all the way through June 30, while Dell has announced its "last chance" date is this coming Wednesday, June 18th. Check with vendors to see what models offer Windows XP (hint: you'll probably need to order from the "Small Business" menu).

There's no need to panic, though, if you want an XP-based PC from a major vendor but don't want to order it until the second half of the year. What you'll need to do then is to use the "downgrade to XP" option when you order a system with Windows Vista. The details of the downgrade option vary by vendor, though, so make sure the model you want offers the option, and don't wait too long to make your order.

Google's in the XSS Crosshairs - and So Are You

Mark Soper — Mon, 24 Sep 2007 23:32:52 -0500

It's a commonplace that online security threats are aimed at the biggest target available. In terms of operating systems, it's still Microsoft. But if you consider how people use the Internet, think G - G for Google, that is.

According to theRegister.co.uk website (motto "biting the hand that feeds IT"), Google's Gmail web-based email, Picasa picture organizer, and embedded search appliance (used in websites that incorporate Google Search) have recently been proven to be vulnerable to exploits using cross site scripting (XSS).

Web Info Pirates Fly the XSS Flag

XSS takes advantage of the fact that JavaScript, HTML, VBScript, ActiveX, and Flash scripts are commonly used in websites. Put simply, an XSS attack (exploit) embeds a malicious script into a dynamic web page. The script captures or manipulates information as the attacker desires. This type of threat isn't new: the FAQ link provided above goes back to 2003. What's scary about XSS exploits is that they threaten the very richness of the Internet. I remember when websites were almost all text with just the occasional photo or drawing. Today's web user wants more - and unfortunately, that makes XSS attacks more common.

What XSS Can Do to You

In the case of the most recent Google XSS problems, XSS vulnerabilities could be used to steal cookies, steal photos from Picasa, contacts from a Gmail account, and redirected Gmail messages to a specified account. Although Google's taken action to block these attacks, this is just the latest round in XSS-based vulnerabilities suffered by Google - and others. For example, the Samy (aka J.S. Spacehero) virus used XSS to infect over a million MySpace users' pages in 2005, and a May 2007 ranking of websites with XSS vulnerabilities (available from this page) lists many major websites, including Flickr, Photobucket, Yahoo! and many others.

Stopping XSS - If You Can

The ultimate solution to XSS vulnerabilities would be to disable all scripts - unfortunately, in today's Internet, such a move would also disable most commercial websites. Boring! So, what else can you do?

If you develop websites for fun or profit, consider scanning them for XSS vulnerabilities, using a tool such as the Web Vulnerability Scanner from Acunetix Ltd (a free version is available) or others. This Google search (ironic, isn't it?) will find more examples.

But, if you're an ordinary web user, not a developer,what are your options (other than disabling scripting, that is)?

1. If you use browser add-ons or updates to other types of web-enabled products, make sure you install updates as soon as they're available. As with updates for Windows, browser add-on updates are often provided to improve security.

2. Keep in mind that any web-based service can be vulnerable to XSS.

3. XSS vulnerabilities are often cross-browser threats; using Firefox or Opera might not protect you.

4. Most XSS exploits also depend upon old favorites like spoofing or clicking links. As always, think before you click.

Maximum PC pharming RSS Feed