Category Archives: Tools

Microsoft XML code vulnerable on many computers

A recent report from Secunia (PDF) highlights the unfortunate hole into which some versions of the Microsoft XML parser library have fallen.

Numerous versions of this library are available for Windows, and any or all of them can be installed at the same time on Windows PCs. Some versions are no longer supported by Microsoft, and updates for those older versions won’t appear in Windows Update.

Because of this, many Windows PCs contain versions of this library that have security vulnerabilities.

Microsoft’s documentation on the XML library is confusing and incomplete. For what it’s worth, here are a couple of links to said documentation:

We recommend installing and running Secunia’s PSI, which scans for out of date software, including Microsoft’s XML libraries. PSI also helpfully provides links to download any missing updates.

Update 2014Jul30: A reader pointed out that getting MSXML4 up to date is not a simple task. Here’s what you need to know:

  • The most up to date MSXML4 is a patched version of MSXML4 SP3, specifically 4.30.2117.0.
  • Windows Update won’t offer newer updates for MSXML4 if the version on your computer is SP2. This is the basic problem pointed out by Secunia.
  • To get the most recent MSXML4 on your computer, you have to manually download and install MSXML4 SP3, then run Windows Update, which should show this update: Security Update for Microsoft XML Core Services 4.0 Service Pack 3 (KB2758694). Once you install that update, you should be running MSXML4 SP3 version 4.30.2117.0.
  • Even after you’re running the most recent version of MSXML4, Secunia PSI will tell you it needs to be updated. That’s because Secunia has decided to report MSXML4 as ‘end-of-life’ (which it is) and direct users to MSXML6 instead. There are two problems with this: first, installing MSXML6 will not remove any earlier versions, including MSXML4; second, Microsoft recommends leaving MSXML4 in place as long as it’s up to date. The upshot is that unless you manually remove all remnants of MSXML4, PSI will keep telling you to install MSXML6, even if it’s already installed.

Further reading:

Web-based password managers found to be insecure

Researchers at the University of California, Berkeley tested several popular web-based password managers and found serious vulnerabilities.

Although it’s a good idea to use password management software, any web-based service is going to be a tempting target for nefarious persons, since discovering one password will typically open a treasure trove of additional passwords.

We recommend using an offline password manager like Bruce Schneier’s Password Safe or Password Corral.

Tools to reduce browser-based tracking

The search engine DuckDuckGo has received a lot of attention because of its attitude towards user privacy. Unlike Google, DuckDuckGo doesn’t store your search queries. Their motto is ‘The search engine that doesn’t track you.’

Not everyone cares whether their online activities are tracked. But for those who do, DuckDuckGo’s Fix Tracking! page is an excellent source of information. Once you’ve selected your web browser, you’ll be presented with a list of tools and techniques that can help to reduce the amount of tracking that is done when you use that browser.

The Fix Tracking! page also contains a section describing Common Tracking Methods. Recommended reading.

Secunia’s Online Security Inspector is no more

The formerly excellent free OSI service provided by Secunia has been discontinued. I used the OSI service because it was an easy way to check for vulnerable software on any Windows computer.

Recently, OSI stopped working, and Secunia chose to retire the service rather than fix it. There’s probably more to their decision, but they’re not saying, at least not publicly. The OSI web site says only “We have discontinued the Secunia Online Software Inspector (OSI).” and recommends alternatives.

The primary alternative to OSI offered by Secunia is the “Personal Software Inspector”. As with OSI, PSI was developed in Java and requires Java to run. Unlike OSI, however, PSI runs as an application outside the context of your web browser. This has at least one advantage, in that there’s now one less reason to leave Java enabled in your web browser.

Unlike OSI, which was a strictly on-demand service, PSI by default sets itself up to start with Windows, checking for vulnerable software and updating it automatically. I’m not a fan of automatic updates: I want to be in control of what gets updated and when. Fortunately, PSI can be configured to only notify you of software that can be updated. You can also configure it NOT to start with Windows, but there are some additional steps you’ll need to take if you want to use PSI strictly on-demand.

PSI installs two services: Secunia PSI Agent and Secunia Update Agent. These services are configured to start automatically with Windows. If you want to run PSI on-demand only, you’ll need to change the Startup Type for both of these services from Automatic to Manual. When you run PSI, it will start both of these services. When you close PSI, it will stop the Secunia PSI Agent service, but leave the Secunia Update Agent running (it appears as sua.exe in the Windows process list). You’ll have to stop it manually.

Once PSI is running, it presents a list of installed software, along with status and options for each. We recommend changing the display to ‘Detailed View’ – click ‘Settings’ at the bottom of the PSI screen and enable that setting. While you’re there, you can also disable ‘Start on boot’ and select ‘Update handling: Notify’. For each application listed, the Status column shows the most obvious options, including ‘Download’ and ‘Update’. Right-clicking the entry for an application will show a context menu that allows you to see additional details about available updates, or choose to ignore updates for that application.

Warning: PSI seems to start scanning your computer before it presents any part of its user interface. That means you have to act quickly the first time you run it, if you want to configure it for on-demand scans only. Hopefully now that OSI users are migrating to PSI, Secunia will listen to their requests and make PSI more friendly to people who prefer the on-demand approach.

Additional information on setting up and using Secunia’s PSI can be found on this site’s ‘Scan for vulnerable software‘ page.

Smartphones just became useful

I don’t have a smartphone. I’ve fiddled with them, and I use one for app development. But the mobile device I actually use for day-to-day phone communication is an ancient Nokia 2610b.

Nokia 2610b
Hey, don’t laugh – it works.

I’ve never had any issues with call quality, or any other problems with this phone. It lets me download media from arbitrary web locations and use any sound file as a ring or other tone. It’s sturdy; I literally use it as a beer bottle opener. Of course it doesn’t have a full keyboard, and the buttons are tiny, but I’m no rapid-fire texter anyway. The display is very basic, but it works for me.

I’ve been tempted on many occasions to buy a smartphone. The coolness factor alone has almost triumphed, but so far I’ve resisted its lure. Sure, smartphones can do lots of cool stuff, and I have no doubt that if I owned one, I’d spend a lot of time playing with it. But in the end, the only features I would really use are the phone, contacts, text messages (including alerts from Google Calendar), and occasionally the timer and alarm.

Until today, I thought I might end up using the 2610b until it died (which is unlikely), the battery stopped holding a charge (original battery is still going strong), or somehow it was no longer supported by my carrier (also unlikely).

What changed my mind? Microsoft released a mobile version of Remote Desktop. That’s the software I use to remotely control the Windows PCs I administer. I use it to administer the media computer downstairs, and the server next to me. I use it to manage client computers in this and other cities. And I use it to access my main PC when I’m elsewhere. It’s indispensable. And now it runs on Android and iPhone devices.

This changes everything: now I have a valid reason to buy a smartphone. But I’ll continue to resist as long as I can.

Internet speed tests

I’ve tried a lot of different broadband speed tests. Up until the last year or two, they usually agreed fairly closely when measuring my connection. Recently, the reported speeds have been much more diverse.

Why do the results vary so much? Is there a truly accurate test out there?

It turns out that most of the speed tests offered by Internet Service Providers (ISPs) are actually using the same Flash-based test, provided by a company called Ookla. I’ve read that Flash-based tests are all currently unreliable due to technical limitations in the current versions of Flash. Here’s an excerpt from the web site:

There is buffering between the application and the browser and throughput bursting due to CPU usage. Flash based tests need to make adjustments for this… rough estimate adjustments of up to 40 percent. How can the test be accurate if it’s being adjusted by 30-40% to offset an unknown variable.

Emphasizing this problem with Flash-based tests is my recent experience with very slow speeds from my provider, Shaw. Shaw’s own test showed results that match exactly what I’m paying for: 25 Mbps down; 2.5 Mbps up. This made no sense, since even basic web surfing was painfully slow. I reported the problem; Shaw eventually found the cause and fixed it. Everything went back to normal: web surfing was extremely fast again. But what did Shaw’s Flash-based test show? The same results as when speeds were clearly slow.

So I started looking specifically for non-Flash tests. I’ve found two HTML5-based tests that seem to be much more reliable and accurate than the Flash-based tests: SpeedOf.Me and Both of these tests avoid the problems inherent in Flash-based tests. Both also offer additional features, such as comparisons with previous tests and other test results in your region and from your ISP, and graphs that show previous test results.

But my overall favourite is SpeedOf.Me, because it comes closest to showing the actual speeds I’m experiencing at any given time.

Here’s a list of the speed tests I’ve looked at:

More improvements to Windows 8’s dumb UI

Even before Windows 8 was released, you could find third party tools for resurrecting the missing Start menu. New software from Stardock goes even further in eliminating inexplicable Windows 8 behavior.

It’s called ModernMix, and its most notable feature brings back the ability to show applications in multiple windows concurrently. Apparently much of the underlying functionality was there in Windows 8 all along, and ModernMix just makes it possible to access the hidden goodies.

I knew eventually the world would hammer the Windows 8 mess into something usable. Attaboy, Stardock. ModernMix is currently priced at $4.99.