|Editions | myCNN | Video | Audio | Headline News Brief | Feedback||
Analysis: How to secure your Windows environment
(IDG) -- By now, you've probably succumbed to the nagging and have installed antivirus software to protect your PC. That's good, but not good enough.
Generally, antivirus packages can only protect you after a major virus outbreak, not during one. Even if you regularly update your software to spot the latest strains, that might not help you should a new virus arrive on the scene. In the wake of the "ILove You" virus, major vendors made antivirus patches, but they were too late in most cases -- the damage had already been done.
"ILove You" and many other recent Windows viruses and worms exploit newly discovered weaknesses in the operating system and in popular e-mail clients. For a couple of years now, most widespread viruses have traveled around the world via e-mail, moving on the Net as attachments to messages.
For awhile, things started getting better because Net users learned not to open attachments from strangers, and they became wary of certain types of files, such as .exe program files and .doc Word files. But lately, matters have worsened again, for two reasons: Virus writers have begun using unfamiliar file types that people don't yet equate with danger (.vbs script files are the best example), and they've also learned to exploit some "features" in Windows that can mask a file's true nature.
In this article I'll show you how to close the points of entry in Windows and batten down its hatches. All you'll need to spend is a few minutes to make some minor Windows configuration adjustments.
Recent e-mail-borne viruses have been successful at spreading themselves far and wide in part because Microsoft leaves your PC open to intruders. Preconfigured defaults in the operating systems and in Windows applications (most notably, Outlook and Outlook Express) give other programs easy access. Microsoft claims that its customers prefer it that way.
The "ILove You" virus took advantage of a feature of Windows 98 called the Windows Scripting Host, which is intended to give programmers and admins the ability to perform behind-the-scenes tasks with very simple code. The problem with the Windows Scripting Host is that lowlifes--such as the creator of "ILove You" -- have found it just as useful as the rest of us.
When files look like other files
Most folks have learned over time that unknown programs -- files with an .exe extension -- that arrive via e-mail are dangerous. Many users have also gotten used to the fact that Microsoft Office files (especially .doc files) are susceptible to so-called macro viruses. Other types of files -- such as VBScript files that sport the .vbs extension -- are dangerous, but unknown to most users. To make matters worse, virus spreaders have begun taking advantage of settings in Windows that can mask filename extensions, making a dangerous .vbs file look like an innocuous .txt text file.
The gotcha is that the full file name of the attachment is actually something like "Love-letter-for-you.txt.vbs". By default, Windows hides the .vbs file extension from view.
When you open a .vbs file, it doesn't appear in Notepad. Instead, Windows fires up the Windows Scripting Host, which in turn begins to execute any instructions contained inside the attached file. Bad news.
If you have a sharp eye, you might have detected this deception by noticing that the attachment has an unusual icon -- different from regular text files. To make these sorts of files easier to spot, change the Windows 98 display defaults. The real file extensions for most registered file types will then appear in Windows Explorer and in your e-mail program.
Hatch Number 1
Voila! The same attachment we saw before will now show its true .vbs colors.
Scraps: Wolves clothed by Microsoft
Since some folks (and antivirus vendors) are hip to attacks from VBScript attachments, hackers have recently switched their focus by slipping a different disguised attachment type into their counterfeit e-mail messages. The Stages worm contains the customary come-on in the message text urging the user to click a "text file" attachment. This time, the attachment is really a Microsoft Scrap Object (a .shs file) with a hidden extension. Scrap Objects can work their black magic just like infected Word documents, executing destructive macros when loaded.
Unfortunately, Windows hides .shs extensions even after you've turned off extension hiding, as described above. The only way to override this foul behavior is to hack the system Registry. Here's how:
Hatch Number 2
Hobbling VBScripts entirely
Due to the onslaught of e-mail viruses that use VBScript attachments, Microsoft has recently issued a patch for Outlook 98 and 2000 (see link below). This patch addresses the problem by forbidding Outlook 98 and 2000 to open or save any executable file attachments at all (including legitimate applications or scripts that users might actually want to transmit and run).
If this remedy is too drastic, here's another way to nullify malicious .vbs attachments. (This trick works for Outlook Express and Outlook 97 as well as Outlook 98/2000 and other e-mail packages.) You can divert VBScript files to open in the harmless Notepad (which will simply display them) rather than invoking the Windows Scripting Host (which will run them).
Hatch Number 3
Vulnerabilities in applications
As in Windows 98, there are "open hatches" that you can close in the configuration settings of Microsoft's Outlook, Outlook Express, and some third-party e-mail programs.
If you use Outlook for e-mail, the first thing you should do is download and install the appropriate attachment security patch for your version. Once that's done, follow the directions below to enable additional safety measures. Download Outlook 2000's e-mail attachment security patch from FileWorld
Download Outlook 98's e-mail attachment patch from FileWorld
Microsoft's Outlook and Outlook Express have an "attachment security" option that will display a warning message on the screen before allowing you to launch a file attachment or save it to disk.
Hatch Number 4
To enable this warning in Outlook 97, 98, or 2000, choose Tools, Options, click the Attachments tab (in Outlook 2000, choose the Security tab, and then click the Attachment Security button), and select "Security Method: High." When you double-click an attachment's file icon in a message window (Outlook 97) or select the paperclip at the upper right of the message and click the attachment icon (Outlook 98/2000) a pop-up message will ask you to confirm that the file is trustworthy before prompting you to launch the file or save it to disk.
In Outlook Express 4 or 5 this warning message comes up automatically as a program default when you attempt to open a file attachment.
All of the Outlooks include an "Always ask before opening" check mark in the pop-up warning. If you remove the check mark for a specific file type (such as a Microsoft Word attachment), the default action for that file type again becomes to launch it directly.
If you enable the high security option and remove the "Always ask" check mark for one file type, other file types will continue to trigger the warning unless you specifically disable it for each one.
If you inadvertently disable Outlook's pop-up warning for a specific attachment type, you can easily get it back. For example, to reenable the warning for Microsoft Word documents:
More Outlook security
As we prepared this story, Microsoft announced the discovery of yet another new potential threat to users of Outlook and Outlook Express. A security flaw in the engine that underlies those products can permit hackers to control your computer simply by sending an e-mail message -- even if you don't open it or run an attachment. Fortunately, a cure already exists, but you may not like it: Download and install the latest version of Outlook, Outlook Express, or Internet Explorer 5. Download Internet Explorer 5.01 Service Pack 1 update from FileWorld. Download Internet Explorer 5.5 from FileWorld.
Hatch Number 5
Keep your guard up with Eudora
PC attacks through hostile code embedded in HTML are not limited to Microsoft's Outlooks. Qualcomm's Eudora is vulnerable to a trick that embeds false Windows shortcut links into an e-mail message.
Hatch Number 6
If you're a user of Eudora 3 or 4, open Notepad ( Start, Programs, Accessories, Notepad), load the Eudora.ini file from your Eudora folder, and add the following line to the [Settings] section: WarnLaunchExtensions=exe com bat cmd pif htm do xl reg lnk
Avoiding Word Macro viruses
Microsoft Word Macro viruses are a little bit passe (and most scanners these days can easily spot them), but they still make the rounds, and they can still do damage.
Hatch Number 7
If your word processor of choice is Microsoft Word, there's always the possibility that some new macro virus will find you before your antivirus vendor issues an update. Although sophisticated macro viruses can slip past Word's built-in macro protection feature, you don't have anything to lose by turning it on. (Word 97: Choose Tools, Options from the pull-down menu, click the General tab, place a check mark next to "Macro virus protection." Word 2000: Choose Tools, Macro, Security and set the Security Level at Medium or High.) Enabling this option causes Word to display a warning dialog box whenever you open a macro-bearing .dot template disguised as an ordinary document.
If you've already created or obtained most of the macros you need for your word processing tasks, you can write-protect your existing Word document templates. Choose Start, Find, Files or Folders, enter *.dot in the Named field, choose My Computer in the "Look in" list, and click the Find Now button. When the search is complete, select one of the Word templates in the Results field, press Ctrl-A, right-click any of the selected files, and choose Properties. Then place a check mark next to "Read-only" in the resulting dialog box. If a new, infected document slips onto your hard drive, the steps you've taken will stop it from spreading its destructive macros to your other templates.
Trouble on the network
As if viruses that spread through e-mail attachments, hostile Web scripts, and Microsoft Word documents weren't enough to worry about, your PC may also be vulnerable to attacks over the Internet if you share files on a local network. Viruses such as the infamous 911 can gain access to your hard disk through the default Windows link between the File and Print Sharing Service and the TCP/IP Internet protocol.
Internet Explorer 4 and 5 provide protection against this weakness in some Windows configurations by offering to disable File Sharing over TCP/IP when you open the Web browser. But if you connect to the Internet manually through Dial-Up Networking or a dedicated LAN, your PC may still be visible and accessible to any hacker who traces your computer name or IP address.
Fortunately, if you don't get the Internet Explorer warning, unlinking File Sharing from Windows Dial-Up Networking is pretty easy.
Hatch Number 8
If you connect to the Internet through a network card or a digital subscriber line adapter, you can guard your computer by unbinding the device's TCP/IP protocol from File and Print Sharing services. Follow the steps outlined above, but instead of looking for TCP/IP bound to the Dial-Up Adapter in step one, look for a line naming TCP/IP and your network device. One catch: You'll lose the ability to share files on a local network unless another network protocol (such as NETBEUI) is installed on your LAN.
As an alternative, if you connect to the Internet through a dedicated network or DSL, you should consider a network firewall. ZoneAlarm is a free software package that does a nice job of shielding your PC from attacks the on Internet. The program can be tricky to set up, so check our tutorial on installing and configuring it.
Above all, keep in mind that computing in the Internet age is not the same as booting up was ten years ago, when personal computers were still stand-alone devices. A connected PC is caught in a sea of danger, but by battening down Windows' hatches, you've increased your chances of safely sailing through any storm you encounter.
Microsoft scrambling to fix new Outlook security hole
RELATED IDG.net STORIES:
Microsoft exec promises security
Microsoft patch for Outlook 98 and 2000
|Back to the top||
© 2001 Cable News Network. All Rights Reserved.|
Terms under which this service is provided to you.
Read our privacy guidelines.