Just a quick post to give y’all a heads-up on a rare opportunity.

One of my most useful productivity tools, and something I use many times per day, every day of the week, is the printing utility ClickBook.

You’ve maybe seen me praising it occasionally in the past.

Well, as a “ClickBook champion” I’ve just been given a special link that, for a very brief time, will allow those in the know to purchase this great product at a very significant discount.

But be careful!

The trick to getting the discount is to only use the special link, because if you make your purchase through any of the normal website pages you’ll be asked for the full price, which in my opinion as a long-time ClickBook user is already a steal.

Now this first link I’m giving you is NOT the secret link, but you might want to follow it first to learn a bit about ClickBook:
http://www.bluesquirrel.com/products/ClickBook/

To purchase ClickBook at the discount price you need to go here:
https://www.bluesquirrel.com/cart/cart.asp?P=CBCSO

And while you’re at the shopping cart…

Give serious consideration to adding in the long reach stapler, which is also discounted. I’ve got one and they’re pretty much indispensable for assembling your booklets. I’ve had mine for some time and so unhappily I didn’t get it at the discount that’s available to you right now, but it’s been so useful I have no complaints.

But don’t mess about or you’ll miss out. This promotion is definitely time-limited and when it’s over its definitely over.

Regarding the movie on this page: If your printer is duplex (i.e. capable of printing on both sides of a page), a common feature these days, then you don’t even need to feed booklet pages a second time as you see the demonstrator doing.

Speaking as a ClickBook devotee I don’t really like that movie all that much, because it only shows one minor feature. Cool as that is, ClickBook can do so much more.

Anyway, the special link for the heavy discount again:
https://www.bluesquirrel.com/cart/cart.asp?P=CBCSO

I’ve used ClickBook for many years and it’s one product I wouldn’t be without.

Highly recommended.

PS If you are already using ClickBook please leave a comment on how useful you find it.

©2009 Bill Hely's "Computer & Online Security". All Rights Reserved.

Hopefully you will read this warning before it gets to you and you’ll be on the alert. There are a few minor variations, but they all pretty much follow this format…

—-Original Message—–
From: system-administrator [mailto:system-administrator@helyholdings.com]
Sent: Monday, October 12, 2009 11:09 PM
To: [e-mail address deleted]
Subject: Mail server upgrade

Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.

The changes will concern security, reliability and performance of mail service and the system as a whole.

For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.

This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That’s all.

http://updates.helyholdings.com.secure.nixserver-systems.com/core/id=7963055930-bill.hely@helyholdings.com-patch9691.exe

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

So who do you think the “System Administrator” is? Here’s some of the information I dug up:

Domain name : DB-1.NET
Name Server : ns1.x2dns.ru
Name Server : ns2.x2dns.ru
Creation Date : 2009.10.06
Expiration Date : 2010.10.06

Name : Elena V Zhuravlyova
Organization : Elena V Zhuravlyova
Street1 : Orekhovyi boulevard
Street1 : d.31 kv.72
City : Moscow
State : Moscow
Postal Code : 115573
Country : RU
Contact Country : RU
Contact Phone : +7 499 2678638
Contact E-mail : awoke@co5.ru

If you think Elena and her Russki friends have your best interests at heart, I have some nice bridges you might be interested in. Very cheap, but please send me your money now — before Elena gets it all.

[What's the bet that "Elena" has a three-day growth of facial hair and other,  ahem, X+Y chromosome attributes?]

Also…

It’s Microsoft Patch & Updates Day

It’s that time again folks — Microsoft has just released their Security Bulletin Summary for October 2009.

To have your system scanned for relevant products & updates, and to receive update recommendations customized to your installation Click Here Now

Stay safe – patch now! Many of the malware threats that you are frequently warned about in the various news and information media, on and off-line, should never be the slightest threat to you.

If you make a habit of applying the patches & updates that are issued by Microsoft every month, you will be immune from infection by many of the tens of thousands of threats currently circulating on the Internet, with more being churned out by the cybergrubs on an almost daily basis.

The vast majority of these threats get into your computer by exploiting some known vulnerability in Windows. When one of these vulnerabilities is patched by Microsoft, the threat becomes benign — but only if you have applied the free patch to your version of Windows.

So remember…

You Ignore Patches & Updates at Your Peril!

©2009 Bill Hely's "Computer & Online Security". All Rights Reserved.

But surely we’re entitled to expect a certain level of alertness and perspicacity in the elite few who have reached the top echelon of their calling. People like, say, the director of the FBI.

You agree? Hmmmm…

A couple of days ago our American friends were treated to the story of how FBI director Robert Mueller had been banned by his wife from using Internet banking.

Why? Get this…

Mueller, whom you might expect would be at least reasonably well schooled in shams and scams, and on full alert for them, was (by his own admission) within a click or two of delivering his net banking password to a cyber-crim, courtesy of a phishing e-mail. Only at the last moment did it dawn on him that this “might not be a good idea”.

Huh!

If Mr Mueller subscribed to this blog, the merest thought of responding to a phishing e-mail would not have entered his mind for a moment.

Look, if there’s any reader of this site who is still in doubt about how this works, I’ll distil it down for you right here, short and to the point…

NO FINANCIAL INSTITUTION WILL EVER
ASK YOU TO CLICK A LINK IN AN E-MAIL.
NONE.
EVER.

All financial institutions, and that includes payment processors such as PayPal and Clickbank as well as banks etc, are very well aware of the dangers and the potential for abuse.

If your bank ever really does want you to change your password or confirm your account details or anything like that, they will tell you to login to your account and do such and such.

They will NOT say “click here”.

They will NOT provide you with any sort of a link.

They will expect you to know how to login to your account and they will expect you to do that of your own volition, without any links or other help from them.

ANY link in ANY e-mail is a potential threat until you have given it conscious consideration.

©2009 Bill Hely's "Computer & Online Security". All Rights Reserved.

Note the “Modules Menu” across the top under the header graphic. There are some more revealing snapshots below, but first, a little background…

Some time back I emailed all members of The Hacker’s Nightmare to advise that in future I would be publishing most of my posts, warnings, notifications and articles on this blog. Prior to that I had always corresponded with members exclusively via e-mail, but I was always fighting…

Mail failures & other challenges

With any large membership list there is always going to be a percentage of members who want to receive your messages but won’t get them, often through no fault of the sender or receiver. Such are the vagaries of e-mail (not to mention some of the stupid practices engaged in by many “providers”).

Anyway, even using the most reliable of commercial e-mail delivery services, it got to the point where various forms of delivery failures were happening so often that I had to rethink my communications channel.

Another advantage of going the blog route is that it makes useful information and timely warnings available to a wider audience.

While members will always have their perks and advantages, it has long concerned me that so many people are vulnerable and exploitable because often they just don’t know that plain language help — advice that THEY can understand and implement — really is available.

At least with a publicly accessible blog there is always a chance those folks will stumble across it, especially one like this that is steadily climbing the popularity rankings.

Guilty As Charged!

But of late I’ve been very conscious of the fact that my communications haven’t been as frequent as they used to be in the pre-blog days. Some of our long-standing members have voiced concern and to that I must plead no contest.

My publication slow-down was definitely not through design, laziness or lack of interest, but their dissatisfaction is justified never-the-less.

So now I’ll offer up my excuse. I hope it’s good enough.

In My Defense, Your Honour

You see, for the past several months I’ve been completely absorbed in creating a new membership site, and unfortunately something had to give way. Publishing the sort of articles I like to provide would have taken valuable time away from that development, which I consider to be very, very important. And I hope you will see it that way too.

The new site will replace The Hacker’s Nightmare member site and will be closely integrated with this blog. Here are a few of the most important points, some of which I will expand on further in future posts:

• This blog will stay public; it will not be hidden behind the membership site login;
• The Hacker’s Nightmare e-book is to be withdrawn from sale;
• The current Hacker’s Nightmare member site will disappear;
• Existing Hacker’s Nightmare members will be automatically grandfathered into the new membership;
• Although the blog will remain public, the membership site will be available to members only;
• Members will benefit from a number of perks, bonuses and special services, as well as having full access to all the reference material, none of which will be available to the general public.

I’ll have more to say about those and other changes in the near future, but right now I need to clarify two of those points:

1. Although The Hacker’s Nightmare e-book will be withdrawn from
sale, all of the material from these substantial resources…

• The Hacker’s Nightmare
• Seven Steps to a Clean PC
• The E-Mail Encryption Guide
• Spam Warfare

…will be included on the new site in a new format.

All of that material, much of it updated, PLUS a lot of new stuff you haven’t seen before, has been categorized into topic-specific modules. The graphic above that I opened with shows some of those modules on the Modules Menu across the top of every page. Each Module has its own Topic Menu down the left-hand side of every page.

Call that a “beta peek” — the page design and layout might change before or after public opening. I’ve been much more concerned with providing lots of quality content than with appearance, although I do think the appearance passes muster for the time being. Also, no doubt more Modules will be added as time passes.

2. Now a few words about the automatic inclusion of existing members
into the new site. In the interests of brevity I’ll refer to those
dedicated people as Old Members.

Old Members won’t have to do anything to gain access to the new site. Once I close the old site and open the new, your existing login credentials should still work fine.

When you purchased The Hacker’s Nightmare I promised you lifetime membership of the member site, and I’m not going to go renege on that promise just because the site is changing. Old members will have full and permanent access to all the reference material.

But what Old Members won’t have automatic access to is some of the services and bonuses that are completely new to the new membership site. There’s a good reason for that:

These services cost me real money, ongoing, but I’ll be providing them to members either free or at-cost, as a benefit of membership.

New Member Benefits

Bonuses and benefits for members are something I’ll be working on continuously. For now I’ll just mention one so you’ll understand that I really am going to be absorbing costs.

Every monthly member will be entitled to free registration of a domain name of their choice PLUS free website hosting for that domain name PLUS a personal website displaying any of your own details that you wish to share PLUS a personalized Contact Form on the website.

The Contact Form is an important security and anti-spam feature that I’ll discuss further in a future post.

I’ve made the website creation process so simple that absolutely anyone can take advantage of it. You order your personal domain name via a simple form in the member’s area. Then, all you need do to get your personal website up and running is answer some straight-forward questions on another short and simple form. The same form allows you to upload an image if you wish.

And be assured this is no server-in-my-basement setup. Your personal website will be professionally hosted on a fast 64-bit web server running Windows Server 2008, located in a professionally managed data-centre.

And yes, you will OWN the domain name. It won’t be owned by us and just loaned out to you, a ploy used by some unscrupulous membership site managers. If at any time you should decide to cancel your membership the domain name is still yours. Of course you will lose your free hosting if you leave us, but that’s something you can take up with any commercial provider.

So What Will This Cost?

The normal monthly membership cost has not been finalized yet, but I guarantee there will be no shocks, no unpleasant surprises.

Membership will be open to new members for a very reasonable monthly fee.

Old Members, who will have free access to all the reference material, will also be eligible for a significant discount on the full membership, thus gaining unrestricted access to all the new bonuses, services and facilities as well.

Stay Up-To-Date

If you would like to be kept informed of progress and developments with the new membership site just provide your name and e-mail address below. Whenever I have new information to share relating to the new site you’ll be notified.

Given the numbers involved I’m probably going to have to to restrict membership numbers initially, as I have to be sure we can service members properly. Also, we just wouldn’t be able to handle hundreds of simultaneous requests for the free website hosting.

Everybody will be catered for eventually, but at the outset preference will be given to those people who register their interest in the new site. So to avoid delay please register below now!

If you have any interest at all in your online welfare and the health of your computer you should stay tuned. I’ll be describing and demonstrating some surprising features.

©2009 Bill Hely's "Computer & Online Security". All Rights Reserved.

No doubt you have often heard consultants, security people and experts of various flavors expounding on the importance of “good” passwords. There is very good reason for their concern, because easily guessed or easily cracked passwords are the #1 reason for various forms of identity theft online.

So why is it that literally millions upon millions of people don’t heed the advice?

I have a theory that if people understand the basic reasoning behind any particular recommendation, they are more likely to appreciate its importance and actually act on it.

So, putting that theory to the test, I’d like to demonstrate at a very basic level just how easy it would be for almost anyone to start reading your e-mail without your knowledge and without having to gain entry to your PC to do so.

Oh, and please note that whenever I use the word “hacker”, I’m using it very loosely indeed. In the context of this article a “hacker” could be a work colleague, nosy spouse, boy/girl friend (or ex) or the kid next door, not necessarily some shadowy code-genius holed up in a Moldovan basement. While young Percy’s proud mom might like to boast that her clever son & heir “knows all about computers”, more often than not his real knowledge is fairly elementary. Living on Facebook and Twitter and being a hotshot games player does not an expert make. And that’s the whole point — genius not required.

As I will demonstrate momentarily, weak passwords put you at the mercy of anyone with basic knowledge and the will to persevere.

There are many types of information that you would prefer not to share with the world at large, and many ways for a hacker to attempt to access that information. We’ll look at just one way, because access to your e-mail will reveal a lot about you to an intruder with larceny on his mind. So, as an example, I’m going to show you how to hack yourself.

Basic Elements

If they have ever given it any thought at all, most people would assume that for someone to read their e-mail the miscreant would need to have access to their computer, either physically or by “hacking in”.

Wrong!

They can get access to your mail the same way you do — from your service provider’s mail server. Whatever your e-mail client program (e.g. Microsoft Outlook), if you’ve ever set up an e-mail account yourself or taken a look at one that is already set up for you, you will know that just three pieces of information are required for mail access:

1. Mail-server name
2. Username
3. Password

Let’s take a brief look at each of those three pieces of information.

Mail Server: I don’t want to get buried in jargon here, so let’s just say that incoming mail comes from something called a POP3 server. POP3 is an acronym for Post Office Protocol version 3. The acronym is all you need to know, and then only because outgoing mail is handled by a different type of server: SMTP for Simple Mail Transfer Protocol. POP3 in — SMTP out. But the really important thing is that there is nothing secret about the names of mail-servers. Anyone who knows your e-mail address can easily determine the name of your mail-server. Just Google for:

provider-name POP3 server

Example: verizon POP3 server

As you can plainly see, very easily discovered.

Username: In the vast majority of cases the Username (a.k.a. User ID or Login Name) is also very easy to determine, because more often than not it will be either the full e-mail address or the first part of the e-mail address before the “@”. Often you will not be given the option (when establishing the account in the first place) to make the User ID different to the e-mail address. More often than not your service provider’s system will automatically allocate the e-mail address as the User ID.

Password: With most accounts this is the only part of the puzzle that the would-be hacker won’t know in advance, so this is really the only factor that protects your privacy. Are you starting to see why it’s so important?

OK, let’s leave the theory behind and get into a little practical work.

Mounting the Attack

For this demonstration to be effective you will need to have at least one e-mail message sitting on your provider’s mail server awaiting collection by you. It might be an idea to send yourself an e-mail, then quickly close your e-mail program so the messages isn’t downloaded automatically by your Outlook or whatever e-mail program you use.

The next thing you need to do is write down those three items of information I mentioned above. In the following examples I will use these fictional account details:

1. POP3 SERVER: mail.mailserver.com

2. USERID: me@mydomain.com

3. PASSWORD: secret

Now open a Command window (a.k.a. DOS shell). You should find it somewhere under your Windows Start menu, maybe somewhere like:

Start –> Programs –> Accessories –> Command prompt

If you can’t find it, click on Start –> Run, type in the word “command” (without the quotes) and click the OK button (see image below).

Now at the prompt in the DOS window, type this…

telnet mail.mailserver.com 110

…pressing the enter key after the “110″. There is a space after “telnet” and another before “110″. Of course in place of “mail.mailserver.com” you will type the name of your own mail server. 110 is the port number typically assigned to the POP3 service. Only very rarely will you ever find the port number to be different.

By the way, in these examples only your password is case-sensitive. The commands themselves can be upper or lower case.

After you press enter you may briefly see a “Connecting to…” response as shown above, then the screen clears and displays a welcome message, the wording of which may be slightly different to that shown below.

Now type each of the following lines in turn, pressing the Enter key at the end of each line. Again, you will of course be using your own actual login credentials that you have written down:

USER me@mydomain.com

The mail server responds with an OK message

PASS secret

Again the mail server responds with an OK message

Here’s what it should look like on the screen:

If any of your entries are incorrect you will get error messages, but if all is OK to this point, type the word STAT followed by a press of the Enter key.

In the screen-shot above STAT has returned the STATistic that there are 37 messages awaiting collection, with a total size of 9,159 bytes (approx 9k).

Now type this, again followed by the Enter key:

RETR 1

That’s an instruction to RETRieve message #1. If the STAT command has reported the presence of more than one message then you can type a higher number after RETR.

In the screenshot below I have commented out some information in the interests of privacy, but there it is — e-mail message #1 laid bare for the hackers inspection, and he never had to go anywhere near your PC.

Each message retrieved is terminated with a dot as circled in the bottom left.

If you type STAT again you’ll see that the message count is the same (or higher if new messages arrived in the meantime). Thus you know that although the message has been displayed it was not deleted after display, so the owner of the e-mail account will never be any the wiser that someone else has already read the message.

To terminate the telnet session type QUIT followed by the Enter key, and to close the DOS window type EXIT followed by the Enter key.

How At-risk Are You?

So to summarize, two thirds of the information that an intruder needs in order to be able to read your e-mail is public knowledge, so the only thing keeping his nose out of your e-mail is your password.

Are you now thinking: “well nobody knows my password so I’m safe“?

Well, even if there weren’t special programs readily available for cracking away at passwords, there is still the fact that so many people use unsafe words and phrases. Just go to Google and search on this phrase:

most common passwords

Is your password on one of those lists? If so, you are a sitting duck just waiting to be plucked, as every would-be hacker has a list of the most common passwords.

And further, anyone who knows you personally can extend the list with personal details about you,.  Using such details for passwords is equally irresponsible, yet so often used:

• Name of mother/father/child/significant-other/etc
• Name of favorite pet.
• Some part of your address — street/suburb/etc.
• Favorite celebrity, sport/sports team, etc.
• And so on…

But even if you don’t find your password on one of those lists, if your password is a real word or a sensible phrase you are still at high risk. There are any number of programs readily available that can mount what is called a “brute force dictionary attack”. To such programs any passwords comprised of real words, sensible phrases or even common misspellings are a breeze to crack.

You might want to make a mental note that security researchers have determined that the inclusion of punctuation characters in a password makes it significantly harder to crack, but that addition alone may not be enough.

A Couple of Problems

There are two fairly obvious problems with using long secure passwords:

1. You should never use the same password over and over again, so coming up with new, random and reliable variations can become tiresome;
   
2. The longer and more complex a password, the better from a security perspective, but remembering such passwords is practically impossible.

And a Simple Solution

An excellent solution to both of these problems, and one I have relied on for many years and continue to recommend to anyone who will listen, is a browser add-in called RoboForm. If you have already heard of it but aren’t using it then you have completely missed the point.

It would take a rather lengthy article to do full justice to RoboForm, but in the context of this topic it provides two features which are especially useful.

Password Generator

The first of those two features is password generation. A button on the browser’s RoboForm toolbar pops up a small dialog which generates passwords that conform to any limitations you may have preset.

Clicking the Generate button on the RoboForm toolbar pops up a window like that in the screen-shot below.

In the password generator example above, RoboForm has automatically generated this very complex password:

83Gc#@*8bF3ET7Zt

As you can see, that password conforms to the format in the lower half of the window — 16 characters long, a mixture of upper and lower case letters, plus numbers and some special characters thrown in for good measure. The option to “Exclude similar characters” means that RoboForm will not use characters that are visually similar and could thus be confused with one another, such as I or O (the letters) with 1 or 0 (the numbers).

Now obviously that’s a very safe password, but how on earth would you remember it? And just as obvious is the fact that entering it would soon become very tiresome. No problem, because RoboForm has…

A Long Memory

The second RoboForm feature that aids us with complex passwords is its ability to remember what password you used on which website. See the Save button on the toolbar in the diagram above? Each time you re-visit a web page where a password is required, RoboForm will offer to fill in the User ID and Password fields. It can also fill in entire forms of information, but that’s another story.

The only password you have to remember is one you assign to RoboForm itself, which keeps all your stored passwords safe.

For anyone who ventures onto the Internet and who is concerned about safety and security online, secure passwords are absolutely essential. And that in turn makes RoboForm a must-have security tool with great productivity benefits as well.

Don’t offer up your e-mail account for open inspection — or your net banking credentials or any other.

Click Now for a Free Trial of RoboForm

Comments welcome…

©2009 Bill Hely's "Computer & Online Security". All Rights Reserved.

It’s that time again folks — Microsoft has just released their Security Bulletin Summary for September 2009.

To have your system is scanned for relevant products & updates, and to receive update recommendations customized to your installation
Click Here Now

There are a number of updates to be considered, ranging up to the severity level “Critical”, across a wide range of products, so please don’t ignore. There’s also a new version of the Microsoft Windows Malicious Software Removal Tool.

Stay safe – patch now!

Did you know…

Many of the malware threats that you are frequently warned about in the various news and information media, on and off-line, should never be the slightest threat to you.

How come?

Well, because…If you made a habit of applying the patches & updates that are issued by Microsoft every month, you would be IMMUNE from infection by many of the tens of thousands of threats currently circulating on the Internet, with more being churned out by the cybergrubs on an almost daily basis.

The vast majority of these threats get into your computer by exploiting some known vulnerability in Windows. When one of these vulnerabilities is patched by Microsoft, the threat becomes benign — but only if you have applied the free patch to your version of Windows.

So remember…

You Ignore Patches & Updates at Your Peril!

©2009 Bill Hely's "Computer & Online Security". All Rights Reserved.

Internet Explorer does not provide an uninstall option on the Windows Start menu, and it’s not all that unusual to find there is no entry for Internet Explorer in the Control Panel’s Add or Remove Programs applet. For an explanation of why this might be so see my article Understanding & Troubleshooting the Add or Remove Programs Applet.

So what to do?

Here is a process that will more often than not resolve such problems and get you back to the latest Internet Explorer version behaving as it should.

To save covering the same ground twice, I’ll assume we are starting with a broken IE8, but if IE7 is your current version just skip the first step.

Proceeds as follows…

Download IE8 to your desktop. Don’t execute it yet, just leave it there ready.

Now please note that in the following steps it is MOST IMPORTANT that you reboot your PC every time you are prompted to do so. This is CRITICAL. No matter how tiresome the repeated reboots, DO NOT DEVIATE.

STEP ONE

Remove the current non-working IE8 using this file that should already be on your computer:
C:\WINDOWS\ie8\spuninst\spuninst.exe

When that’s finished (and after rebooting) your system will default to IE7 if it was installed before IE8, or otherwise to IE6.

STEP TWO

If IE7 is the new default version, and whether it works properly or not, remove IE7 using:
C:\WINDOWS\ie7\spuninst\spuninst.exe

After a reboot your default version should be IE6, which hopefully will run OK.

STEP THREE

Now double-click the IE8 file you downloaded to your desktop, thus starting the IE8 installation.

With any luck at all, after the mandatory reboot IE8 should be running OK, but you’re not finished yet.

STEP FOUR

Open IE8 and navigate to the menu item Tools/Windows Update, and download any updates that are offered. You will probably be prompted to reboot after updates are installed.

Keep going back to Tools/Windows Update after each reboot until there are no updates left for you to retrieve. By default Windows Update will only offer you updates of type “High Priority”, but if you look in the left-hand menu, under the heading “Select by Type” you will see that there are also selections available for “Software, Optional” and “Hardware, Optional”. You may have to go into Windows Update several times to retrieve all the updates that are available.

That’s it! With any luck at all you will now have a clean working copy of Internet Explorer v8.

But in the interests of both security and productivity I really can’t finish without adding this comment…

If you look around the ‘net you will find countless reports of problems with IE7 and IE8, many similar in one way or another, some quite different altogether.

But these are not potential problem you will likely have to face if you make your day-to-day browser the far superior and far less problem-plagued Firefox web browser.

I’m not saying you should ignore Internet Explorer altogether. Unfortunately it is still necessary for some operations. I strongly recommend you make a habit of keeping Internet Explorer updated, but never use it unless absolutely necessary.

There is no problem at all with having more than one browser installed at the same time, or even running simultaneously. I have Internet Explorer 8, Google Chrome and Firefox 3 all installed, but rarely ever use anything but Firefox.

You will be doing yourself a considerable service by adopting the same policy.

Firefox is quite simply a more useful, more versatile, less troublesome AND MUCH SAFER web browser.

©2009 Bill Hely's "Computer & Online Security". All Rights Reserved.

This is your monthly courtesy reminder that “Patch Tuesday” has rolled around again.

There are more CRITICAL updates for Windows and MS-Office, plus a new version of the Microsoft Windows Malicious Software Removal Tool.

Stay safe – patch now!

If you have automatic updating enabled, don’t forget to check that your PC has indeed downloaded the patches/updates relevant to your system.

If you’re doing it manually then… well… do it!

Did you know…

Many of the malware threats that you are frequently warned about in the various news and information media, on and off-line, should never be the slightest threat to you.

How come?

Well, because…If you made a habit of applying the patches & updates that are issued by Microsoft every month, you would be IMMUNE from infection by many of the tens of thousands of threats currently circulating on the Internet, with more being churned out by the cybergrubs on an almost daily basis.

The vast majority of these threats get into your computer by exploiting some known vulnerability in Windows. When one of these vulnerabilities is patched by Microsoft, the threat becomes benign — but only if you have applied the free patch to your version of Windows.

So remember…

You Ignore Patches and Updates at Your Peril!

PLEASE NOTE: Regardless of what browser you prefer to use on a day-to-day basis, you should use Internet Explorer to find and apply patches & updates. Use the Internet Explorer menu option:

Tools -> Windows Update

©2009 Bill Hely's "Computer & Online Security". All Rights Reserved.

But judging by some of the correspondence I’ve received at least some readers still do not understand what a broad-based impact the mere presence of Internet Explorer has upon your Windows system taken as a whole.

One version or another of Internet Explorer exists in all Windows installations, and component parts of IE may well be in use by other applications that you do use, whether you use IE itself or not. So the claim “But I don’t use Internet Explorer” is no defense, and therefore no excuse if you get zapped.

Sometimes you might even have difficulty figuring out how an announced Microsoft update that mentions Internet Explorer even relates to IE. For example…

There’s a very popular Microsoft product called Visual Studio. It’s a development environment used by thousands of programmers all over the world to develop all types of Windows applications (programs). And a component part of Visual Studio is something called the Active Template Library – the ATL. Put very simply the ATL is, as the name suggests, a library of program code that can be called upon by Windows programs.

When a program developed within the Visual Studio environment makes use of the Active Template Library, a library file called atl.dll is provided and installed as part of the finished program. If you install said program then atl.dll is stored on your computer along with other miscellaneous program files.

The ATL is also frequently used to create “objects” that can be called from an Active Server Pages (ASP) script. ASP is a common programming language used by Web developers.

If you search your entire hard drive(s) for the existence of atl.dll, there’s a good chance you might find several instances of it.

In other words, the influence of atl.dll is pervasive and widespread, and cannot be ignored, no matter what browser you prefer to use on a day-to-day basis.

OK, so clearly I must have been telling you all that for a reason. Yep, you guessed it… one of the out-of-band updates that I wrote about in my previous post is a patch for a very dangerous vulnerability recently discovered in atl.dll. This is not a theoretical danger. It has already been practically demonstrated that a bad guy can exploit this vulnerability and take control of your PC.

So if you were working on the “I don’t use Internet Explorer” defense, I strongly suggest you rethink your position and refer back to my previous post for the relevant update links.

©2009 Bill Hely's "Computer & Online Security". All Rights Reserved.

Every once in a while Microsoft also releases what they call out-of-band security bulletins. Out-of-band bulletins are occasionally released at times of the month other than Patch Tuesday to address vulnerabilities that demand immediate attention.

Today’s out-of-band releases pertain to:

• Security Bulletin MS09-034 – CRITICAL – Cumulative Security Update for Internet Explorer.

• Security Bulletin MS09-035 – MODERATE – Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution.

In your own best interests PLEASE
attend to these important patches ASAP

©2009 Bill Hely's "Computer & Online Security". All Rights Reserved.