Please visit the LangaList Home Page

Please note: Older issues may contain information that is now out of date.


How To Subscribe and Unsubscribe is at the end of this note. Mailing List Trouble? See http://www.langa.com/help.htm
Questions about the advertisers? See the end of this note. Please also see legal notices at the end of this note. LangaList: ISSN 1533-1156

Please recommend the LangaList to a friend! (And maybe win $10,000!)

An easier-to-read formatted HTML version of this newsletter is available at http://www.langa.com/newsletters/2002/2002-10-21.htm

The LangaList
Standard Edition

2002-10-21

A Free Email Newsletter from Fred Langa
That Helps You Get More From Your Hardware, 
Software, and Time Online

Please visit our sponsors and help keep the LangaList S.E. free!

Contents:

1) A Free, Two-Click Solution To "Phone-Home Fields"
2) Non-SP1 Patch For XP's Help-System Flaw
3) Defining "Buffers"
4) Excellent Suggestion!
5) Macy-Jean Turns Five
6) $10,000 For Your Trouble?
7) No Simple Answer?
8) More Reader Sites!
9) "Cablenut"
10) Just For Grins
11) Plus! Edition Highlights:

--- ( Your Clicks On Ad Links Help Keep The LangaList Free! ) ---

--------------( the above is an advertisement )--------------

1) A Free, Two-Click Solution To "Phone-Home Fields"

Unless you've been under a rock lately, you've probably heard of the uproar caused by "hidden fields" inside Microsoft Office documents. The issue affects all versions of Word (both for Windows and the Mac) from 1997 onward, and also affects Excel 2002.

Some pundits claimed these fields are a "gaping security hole" that places literally every file on your PC at risk. I disagreed about the severity of the problem ( http://www.langa.com/newsletters/2002/2002-10-10.htm#9 ) because only a minority of users would ever be at risk from these fields, and because there's an ultra-simple, two-click way to avoid the worst of the security issues.

Microsoft has now released a partial patch for this hidden fields problem ( http://www.microsoft.com/technet/security/bulletin/MS02-059.asp ) but it still leaves a residual kind of "back door" that could conceivably be exploited. I now anticipate another round of even more frantic diatribes from commentators who will spread needless fear about this issue. But don't be taken in: It's incredibly easy to close this back door on your own.

For example, one well-known author (who made his name writing about Microsoft Office in general, and Word in particular) took issue with me when I originally downplayed the severity of hidden fields as a security issue: To prove how wrong I was, he sent me a demonstration file (with my permission--- he wasn't trying to hack me) that contained a hand-crafted hidden field that would secretly lift data from my PC and then surreptitiously relay that data to a distant web site.

But guess what? The exploit didn't work, and no data left my system. In fact, this kind of attack simply *cannot* succeed on my PC because of the way I've set it up and use it: The key security adjustment takes only two mouse clicks.

So, even if you have Microsoft's new patch (and you should), it's important to know about this simple method of self-protection for three critical reasons:

1) The new Microsoft patch is only a partial fix for the hidden fields problems; the "phone-home field" vulnerability remains, even after you apply the patch. My method prevents phone-home activity, too.
2) The patch is brand-new, and not yet proven to be reliable. My method works, as we showed above.
3) Even more important, my method of self-protection works against all current *and future* exploits that use any similar attack strategy, even if they're not covered by the Microsoft patch, and even if they don't involve Microsoft software.

The bottom line is this: Even if you are in the minority of users at risk from hidden fields, you can easily prevent anything bad from happening. The trick is in knowing what these fields are, why they exist, how they work, and how they might be used against you. Once you understand that, you can take simple steps to ensure you'll never, ever have to worry about losing data to this kind of exploit.

To help clear up the confusion--- and to show you exactly how to protect yourself against this kind and all similar kinds of attacks--- I've posted a full-length article at http://www.informationweek.com/story/IWK20021017S0016. There, we'll examine the problem, dissect the two major forms of attack that use hidden fields, and show you how to prevent these attacks from succeeding. Best of all, you can do all this using tools you probably already have at hand, or can easily get for free, even without the Microsoft patch.

Don't believe the hype. No one has to lose data to this kind of attack. It's *incredibly* easy to protect yourself. Click on over to http://www.informationweek.com/story/IWK20021017S0016 and see how!

Click to email this item to a friend
http://www.langa.com/sendit.htm

return to top of page

2) Non-SP1 Patch For XP's Help-System Flaw

If you're running XP, I think Service Pack 1 is worthwhile; it works fine for almost everyone, and improves the OS's security and operation. But if you've decided NOT to install Service Pack 1 (perhaps for the reasons we've discussed previously: http://search.atomz.com/search/?sp-q=sp1+xp&sp-a=0008002a-sp00000000 ), you should consider this standalone patch:

Flaw in Windows XP Help and Support Center Could Enable File Deletion

Software: Microsoft Windows XP
Impact: Delete files on the user's system
Max Risk: Moderate

Microsoft encourages customers to review the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/MS02-060.asp .

Note: Customers who have applied Windows XP Service Pack 1 are at no risk from the vulnerability.

Also: If you've NOT installed SP1, be sure to check out http://www.langa.com/newsletters/2002/2002-09-19.htm#1 for info on another stand-alone patch for a separate but similar file-deletion exploit in XP.

3) Defining "Buffers"

Speaking of Microsoft patches, in recently discussing Microsoft's long history of trouble with "unchecked buffers" (see, for example, http://www.langa.com/newsletters/2002/2002-10-17.htm#9 ) I inadvertently left some readers wondering what the jargon meant:

Fred: What is an "Unchecked Buffer"? ---Tony

My apologies for not explaining better. In software, a buffer is a kind of internal scratchpad where data can be stored temporarily while it's being worked on, or held for near-term future use. An "unchecked buffer" is one where the software doesn't verify that the buffer is OK to use--- that is, that the buffered data is valid in length, format and content. A malicious hacker can use an unchecked buffer as a kind of unguarded entry point into your software, perhaps using it to stuff hostile code into a program, or simply to bring things to a crashing halt as the buffer overflows with more data than the software was meant to handle.
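
As an added illustration (this is not code from the newsletter, and it is not Microsoft's code), here is a small C program that puts an unchecked buffer next to a checked one. The 16-byte buffer size and the sample inputs are constructed for the example; the checked version refuses any input that would not fit, which is exactly the verification step the unchecked version skips.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 16  /* size of the fixed "scratchpad" in both versions (constructed for the example) */

/* UNCHECKED buffer: the program never verifies that the data fits.
 * If src (plus its terminating NUL) is longer than BUF_SIZE, strcpy keeps
 * writing past the end of buf and overwrites whatever sits next to it in
 * memory: the corruption and crashes the item above describes. Shown for
 * contrast only; this file never calls it with oversized input. */
void store_unchecked(const char *src)
{
    char buf[BUF_SIZE];
    strcpy(buf, src);            /* no length check at all */
    printf("unchecked copy stored: %s\n", buf);
}

/* CHECKED buffer: verify the length before copying.
 * Returns 0 if the data was stored, -1 if it would not fit; on -1 dst is
 * left untouched and the caller decides what to do (reject, log, truncate). */
int store_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)   /* need n bytes plus 1 for the NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* How many bytes an unchecked copy of src would write past a buffer of
 * buf_size bytes (0 means it fits). Lets you reason about an input
 * without ever performing the dangerous copy. */
size_t overflow_bytes(size_t buf_size, const char *src)
{
    size_t needed = strlen(src) + 1;     /* include the NUL terminator */
    return needed > buf_size ? needed - buf_size : 0;
}

int main(void)
{
    char buf[BUF_SIZE];
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *ok_input  = "hello";
    const char *bad_input = "0123456789abcdefXYZ";   /* 19 chars + NUL = 20 bytes */

    store_unchecked(ok_input);   /* safe only because this particular input is short */

    if (store_checked(buf, sizeof buf, ok_input) == 0)
        printf("checked copy stored: %s\n", buf);

    if (store_checked(buf, sizeof buf, bad_input) != 0)
        printf("rejected %zu-byte input: it would overrun a %d-byte buffer by %zu bytes\n",
               strlen(bad_input) + 1, BUF_SIZE, overflow_bytes(sizeof buf, bad_input));
    return 0;
}
```

The point of the checked version is that the length test happens before any byte is written; a "standard for buffer construction" in the sense of the next paragraph is little more than making that test mandatory everywhere data of outside origin is copied into fixed-size storage.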

Apparently, Microsoft's quality control people don't have, or don't enforce, effective standards for buffer construction in Microsoft software, and the result has been a stream of literally hundreds of security problems caused by unchecked buffers. (Think I'm exaggerating? See http://www.google.com/search?q=unchecked+buffer+site%3Amicrosoft.com )

If you'd like a more formal definition of "buffer," see http://www.techweb.com/encyclopedia/defineterm?term=buffer&x=24&y=9

4) Excellent Suggestion!

Dear Fred, Please remind your readers that when they return from vacation and turn on their computers again to read e-mail...that *first* they must make sure that their anti-virus software has had its virus definitions updated. It's hard to resist the temptation of reading the e-mail before attending to this important detail. Otherwise they may be sitting ducks for the newest viruses--which are probably already waiting to be launched from attachments on their incoming e-mail. (Despite the repeated warnings, people still keep opening attachments.) Best regards, Dave Mawdsley

Great suggestion, David! With so many fast-replicating worms and viruses out there, it really is smart to make sure your defenses are always completely up to date--- especially after any significant time offline. That means it's well worthwhile to FIRST run your AV update tool, and only THEN start visiting sites and downloading email.

5) Macy-Jean Turns Five

We first met Macy-Jean last April ( http://www.langa.com/newsletters/2002/meet_macy_jean.htm ). She's a very young Filipina who was facing a bleak future, but--- thanks to LangaList Plus! Subscribers--- her life has gotten a lot better.

She's still too young to be able to write her own notes, but an aid worker in her village recently sent a letter and a new photo on her behalf:

Dear Sponsor:

Look at me now! ( http://www.freetune.com/images/macy_jean200210a.jpg ) I am already 5 years old and presently attending school, where I am in preschool. My favorite subject is Art.

I am a friendly child and I am fond of playing with friends. I would like to thank you, because with the help of your contributions, which were pooled with those of other caring sponsors, my family and I have benefited from the following programs implemented by Save the Children, in Purak 14:

Daycare service/Classes~ Educational Assistance
Immunizations
Micronutrient Supplementation (vitamins and minerals)

Thank you for your kindness.--- Macy-Jean

Because those of us with computers and Internet access are vastly better off than most of the world's population, I decided that a portion of the LangaList Plus! subscription fees would be donated to registered/legitimate charities helping the underprivileged around the world. The contribution does not increase the cost of a Plus! subscription in any way; the donation is taken "off the top" of any profits. (This is described in the pages at http://www.langa.com/plus.htm )

Macy-Jean is one of seven kids sponsored on an ongoing basis--- week in, week out--- by the collective generosity of LangaList Plus! subscribers. Plus! subscribers also have collectively contributed to emergency earthquake relief efforts in India and to funds to help the victims of last year's Sept 11th attacks in the US. (To see all the donations so far, click to http://www.langa.com/plus2.htm#kids )

As the year goes on, and as more readers sign up for Plus! subscriptions, I hope we'll be able to sponsor more children and assist other charities around the world.

If you're not yet a Plus! subscriber check it out: With an inexpensive Plus! subscription (pennies per issue), you can not only help yourself make the most of your hardware, software and time online--- but you also can help those less fortunate (like Macy-Jean) make the most of their very lives. See http://www.langa.com/plus.htm

If you're already a LangaList Plus! subscriber, thank you. I hope you feel good about giving back a little to those less fortunate, and helping to brighten the life of a child in otherwise-desperate circumstances.

6) $10,000 For Your Trouble?

If you think the LangaList is a worthwhile read, just use the following link to recommend the LangaList to a friend. You just may win $10,000(!), your friend just may find a new source of useful information; I just may gain a new subscriber (full details also available via this link): http://www.recommend-it.com/l.z.e?s=143182

Or, win a no-strings $30 Gift Certificate for any item at Amazon.Com--- books, software, hardware, kitchenware, toys... (Full details available via this link):
http://www.langa.com/recommend.htm

Either way, thank you, and good luck!

7) No Simple Answer?

Dear Fred: Great Newsletter, and I am happy the Plus! Edition helps with charitable works.

A friend of mine always forgets to switch off her printer and I believe the ink dries out when the printer is left on. Is there any program that can alert her that the printer is ON with perhaps a nag screen and/or an audible warning? Thanks again for many hours of good reading and excellent information. ---Tony Balch

I looked around but came up dry, Tony: If the printer doesn't come with such a program, I think it would be hard to write a good generic one, as it would have to tie into the printer driver to work slickly.

But far less elegantly, it's easy to create a quick-and-dirty batch file that sends a line of text such as "Turn me off!" to the printer port (usually LPT1, if the printer is connected directly to the PC). The batch file contents could be as simple as:

echo Turn me off!  >LPT1

If you use Task Scheduler to make the batch file a scheduled task (maybe once every couple of hours), it will try to print at the scheduled time. If the printer is on, it will spring to life and the "Turn me off" message will print out. Your friend then can turn off the printer. If the printer is off, your friend will get an on-screen (error) message stating that it is indeed off. Crude, but it'll work.

Anyone know of a more elegant solution?

8) More Reader Sites!

Do you have a home page or website? (It doesn't matter what size.) Please click over to http://www.langa.com/code.htm, and maybe you can join the hundreds and hundreds of LangaList readers who have "Loaded the Code!" (If you've already "Loaded The Code" and are wondering if your site will appear here or on the Langa.Com web site, please see http://www.langa.com/link.txt )

Speaking of which: Here's another eclectic sample of reader sites--- some professional, some very personal:

View A Randomly-Chosen Reader Site From Among All Listed
http://www.langa.com/randomlink.htm

Manually Browse All Posted-to-Date Sites Starting At
http://www.langa.com/readersites.htm

Kindertransport
http://www.childrenwhocheatedthenazis.co.uk/

Jordan Racing Team
http://jordanracingteam.com/index.html

Fever
http://fever.home.att.net/

Design By Pandora
http://pandora.clarepark.ca/index.htm

antenna conspiracy
http://wakeup.to/antennaconspiracy

Wimborne Baptist Church (UK)
http://www.btinternet.com/~wimborne.baptist/index.html

Muzcom Software
http://www.muzcom.com/

Irregular Net
http://ca.geocities.com/gpmmi2002/

FLORIDA BASS FISHING
http://www.capttexbassfishing.com/index.html

Dogs On Holiday
http://www.dogsonholiday-uk.com/

9) "Cablenut"

Hi Fred, I just resubscribed to your letter.... I love it.... ALWAYS great helpful and useful tips. I am an Administrator in the forums at http://www.dslnuts.com/ and we have the best internet tweaking utility there is - Cablenut. It's completely FREE, no ads or spyware or anything. It allows you to FULLY optimize your internet connection to get the absolute most out of it. Take a look and see; it would be great if you mentioned it in your email letter. I believe it fits right in with your GREAT tips. We are glad to assist anyone with any help they need to tweak their connection to its potential. Hope you take the time to look at it, I think you will be impressed. Thanks for your time. Craig D. Steele

Thanks, Craig. The site and software look very good. Of the latter, the site says:

CableNut is a tool for optimizing your Windows TCP/IP stack i.e. your Internet Connection. We have provided a way to tweak almost every possible TCP registry entry via the CableNut program. You can load 'CableNut Custom Setting' files that are included with the program to tweak your Internet connection.

You can make your own 'CableNut Custom Setting' files save them for later use, or distribute them to anyone with the CableNut program. Dialup, Cable, DSL, and Satellite connections are supported out of the box. If you don't have one of the supported connection types don't worry you can visit the site, and ask the CableNut team for help. Best of all it is freeware. We don't haggle you with annoying ads, banners, time limits, or restrictions.

Just remember that we developed this application to make your Internet go faster, that is what we wanted. This software will support ANY connection type...

http://www.cablenut.com/

10) Just For Grins

Andy Hass sends along these "extreme bumper stickers:"

5 days a week my body is a temple. The other two, it's an amusement park.

If we are what we eat; I'm cheap, fast, and easy.

I don't have a license to kill. I have a learner's permit.

Taxation WITH representation isn't so hot, either!

Who were the beta testers for Preparations A through G?

Madness takes its toll. Please have exact change.

If you can read this, I can hit my brakes and sue you.

My wife keeps complaining I never listen to her ... or something like that.

EARTH FIRST! We'll strip mine the other planets later.

Your child may be an honor student but you're still an idiot.

If you drink, don't park. Accidents cause people.

Save the whales! Trade them for valuable prizes.

God is my co-pilot, but the Devil is my bombardier.

Alcohol and calculus don't mix. Never drink and derive.

Stop repeat offenders. Don't re-elect them!

11) Plus! Edition Highlights:

  • Free Partition/Drive Imaging Software
  • Mouse Tip And Dictionary Question
  • Don't Try This At Home

Today's LangaList Plus! Edition contains all ten items above, plus about 30% more content including: free software that works like the commercial versions of Drive Image and Ghost; ways to double the battery life on cordless mice; sources for world-class dictionaries on CDs; and a weird and wonderful site containing various projects that you probably won't want to try on your own, but that are amazing to see--- when someone else is doing it! <g>

Complete Plus! Edition info: http://www.langa.com/plus.htm 

See you next issue!

Best,

Fred
( Editor@Langa.Com )

Please recommend the LangaList to a friend! (And maybe win $10,000!)

An easier-to-read formatted HTML version is available in the "Current Issue" section of http://www.langa.com. (The HTML version of each issue normally is available by 9AM EST [UT-5] of the issue date.) All past LangaList issues are also available at the Langa.Com site.

Administrivia:

UNSUBSCRIBE: From the same email account you used to sign up with, send an email to
unsubscribe-langalist@lyris.dundee.net

SUBSCRIBE (it's free!): Create and send a new email to
subscribe-langalist@lyris.dundee.net

CHANGE ADDRESS? LIST TROUBLE? HAVE QUESTIONS? OTHER PROBLEM? NEED HELP? See http://www.langa.com/help.htm

This newsletter is SPAM PROOF and requires two levels of subscriber confirmation before delivery begins: See http://www.langa.com/info.htm

About the advertisers: http://www.langa.com/privacy.htm#ads

Disclaimer: http://www.langa.com/legal.htm  In brief: All information herein is offered as-is and without warranty of any kind. Neither Langa Consulting LLC, nor its employees nor contributors are responsible for any loss, injury, or damage, direct or consequential, resulting from your choosing to use any information presented here.

This newsletter is a service of Langa Consulting LLC and is Copyright © 1997-2005 Fred Langa/ Langa Consulting LLC. All worldwide rights reserved. LangaList: ISSN 1533-1156
