It's been a wild week for Windows security, both globally and locally here in the mess I call my home office. On the global front, an insidious new electronic attack that targets vulnerabilities in both Microsoft Internet Explorer (IE) and Microsoft IIS portends a new breed of complex attack types. Meanwhile, my travails with the Limited user account in Windows XP continue, and I review this month's Laptop of the Month, IBM's ThinkPad T42.

New Hacker Ploy: Targeting Multiple Product Vulnerabilities
Last week, Mark Joseph Edwards wrote an excellent overview of a new attack type, ushered in by the Download.Ject attack that originated in Russia. (See "Vulnerable IIS Sites and IE Users Under Attack" at http://www.winnetmag.com/windowspaulthurrott/article/articleid/43088/windowspaulthurrott_43088.html for details about the attack.) In short, this attack involved multiple steps. As I wrote Monday in WinInfo Short Takes (http://www.winnetmag.com/article/articleid/43101/43101.html), the attackers first compromised an IIS Web server by exploiting a vulnerability for which a patch already existed but hadn't been applied on that particular server. Then, they infected every page on the site with JavaScript code that redirected users to a malicious Russian Web site that had been set up to imitate the original. That site silently installed keystroke recorders and several backdoor applications onto each visitor's PC, potentially compromising user passwords and other private information.
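A defensive check in the spirit of this incident, added here as an example and not code from the original column: it audits a page's HTML for script elements or inline redirects that point at a host other than the site's own, which is what a site owner would look for after a compromise that seeds every page with a redirect. The site hostname and the sample pages are assumptions constructed for illustration.

```python
"""Audit a served HTML page for scripts that send visitors off-site. Added
example, not code from the original column: after a Download.Ject-style compromise
seeds every page with a redirect script, run this over each page. Samples constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example.com"  # assumption: hostname this site is served as

# Inline JavaScript that navigates to an absolute URL (location=, window.open, document.write).
REDIRECT_RE = re.compile(
    r"(?:location(?:\.href)?\s*=|window\.open\s*\(|document\.write\s*\()"
    r"[^;]*?https?://([^/'\"\s]+)", re.IGNORECASE)

class ScriptAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # list of (kind, host)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self._flag(urlparse(src).hostname, "external script src")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:      # html.parser hands <script> bodies to handle_data
            for host in REDIRECT_RE.findall(data):
                self._flag(host, "inline redirect")

    def _flag(self, host, kind):
        # Relative URLs have no host; only hosts other than our own are flagged.
        if host and host.lower() != SITE_HOST:
            self.findings.append((kind, host.lower()))

def audit_page(html):
    """Return [(kind, host), ...] for every off-site script target in the page."""
    auditor = ScriptAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

CLEAN_PAGE = '<html><head><script src="/js/menu.js"></script></head><body>Hi</body></html>'
SEEDED_PAGE = '<html><body>Hi<script>window.location.href="http://bad.example.net/redir";</script></body></html>'
```

Running `audit_page` over every page pulled from the server and alerting on any non-empty result catches the mass-injection pattern described above without needing a signature for the specific script.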

What makes this attack insidious, of course, is that it targets multiple vulnerabilities, one each on the server and client side. The severity of this one-two punch was immediately clear to security researchers, who spent late last week in "the sky is falling" mode, worried that the attack wasn't isolated to one server. By the weekend, however, Microsoft announced that the offending Russian server had been taken offline, dramatically reducing the risk.

With a few days' reflection, however, it's now clear that we've entered a new era of more sophisticated electronic attacks. And because the group suspected of launching this attack is known for releasing multiple versions of its previous attacks, we can assume that more attacks will follow. Likewise, we can expect imitators to foist related attacks on an unsuspecting public soon as well.

The lesson is obvious: We need to keep both our server and client systems as up-to-date as humanly possible (though I should note here that the IE vulnerability that Download.Ject exploits has yet to be fixed). This weekend, Microsoft Chairman and Chief Software Architect Bill Gates promised that Microsoft would dramatically lower the time it takes for his company to release patches, in an effort to keep up with the rapidly shrinking window between the discovery of a vulnerability and its exploitation. But we need to do our job on the receiving end as well. I know you have valid concerns about installing Microsoft patches without sufficient testing, but a line in the sand has been drawn. Would you rather be an electronic attack victim or experience difficulties because of a poorly written Microsoft patch?

The Limitations of Limited User

Last week, I discussed my adventures using a nonmanaged XP Limited user account and the difficulties I've had getting things to work. My general feeling at this point is that using a Limited user account is viable only for the types of highly technical people who read Windows & .NET Magazine UPDATE; it's not acceptable for most home users. And frankly, home users are the very people for whom this kind of account could be the most beneficial. There are huge gaps in functionality that typical users just can't get around. Perhaps the most egregious gap comes from Microsoft itself, believe it or not. The company's otherwise excellent home-oriented Media Center software (part of XP Media Center Edition, or MCE), for example, can't run under a Limited user account. And even if you use Run As to run Media Center, certain functionality won't work, including the software that updates the Media Guide information. For shame.

For those users interested in pursuing the Limited user option, I received a lot of helpful and much appreciated advice from readers. Some readers suggested installing all necessary software applications before switching to a Limited account, which probably would work. Otherwise, you'll need to manually copy all applicable program shortcuts into the Limited user account's Start Menu.

Most games don't work properly with a Limited user account, so you might consider using a Power User or Administrator-type account for gaming only, which would require logging off (or switching users) to play games. Only serious gamers should consider this option.

Several users mentioned a GUI administrative workaround that I have some misgivings about. Because IE is integrated with the OS, you can actually launch IE under administrative privileges, then navigate to shell locations such as Control Panel to perform tasks as an administrator. It's nice to have that workaround, but doesn't it point to yet another potential source of problems courtesy of IE?

I'll report back in a few weeks about more of my experiences with the Limited account, but keep the advice coming: It's heartening to see I'm not alone in wanting this approach to work but feeling frustrated at its limitations (insert ironic remark here). Perhaps together we can put enough heat on Microsoft and third-party developers to make this solution satisfactory. Something tells me not to hold my breath.

Laptop of the Month: IBM's ThinkPad T42
IBM's legacy of near-perfect notebooks continues with its newest high-end model, the ThinkPad T42. Like earlier T Series notebooks, the T42 features a best-of-breed keyboard (though I still feel that IBM should give up the Redmond animosity and provide the Windows key I always miss so sorely on ThinkPads), an incredible screen, and a fairly complete range of ports and expansion options; still missing, sadly, is a FireWire port, which is inexcusable for a non-ultraportable machine these days. Part of the problem, I suspect, is space: Because most of the machine's back end is reserved for the battery, which you can swap out for a higher-capacity unit, the ports must straddle the left and right sides of the machine only. However, there's a parallel printer port on the back of the unit, which seems unnecessarily antiquated. I suspect IBM's corporate customers are more interested in parallel port printing than FireWire device compatibility.

That said, the T42 is an incredible performer. Powered by a 1.8GHz Pentium M Dothan-class processor, Linksys's Wireless-G and Gigabit Ethernet networking, ATI Technologies' MOBILITY RADEON 9600 graphics with 64MB of VRAM, and 512MB of RAM, the T42 outperformed my desktop machine in virtually all categories, handling performance-busting applications such as Adobe Systems' Adobe Photoshop CS and Macromedia Dreamweaver MX 2004 with ease. The unit also features a recordable DVD drive, a welcome addition that made pretrip backups possible without having to power on my desktop system. The unit also features a whopping 80GB hard disk, enough space for a local copy of all my documents, photos, and music. Astonishing.

The ThinkPad T42 product line is divided between 14" and 15" screens, and I tested the 15" version that had an eye-straining but beautiful 1400 x 1050 resolution. This configuration is fairly large but thin, and it weighs less than 6 pounds; I'm told the 14" version comes in at just 5 pounds. Thus, like earlier T Series ThinkPads I've tested, the T42 is lightweight for its size, thanks to the thinness of its chassis. But you might have difficulty opening it when you're flying coach class.

IBM's software bundle included a few surprises. In addition to the now-standard hard disk shock-protection utility and other stock ThinkPad management applications, IBM also bundled several recordable DVD-oriented utilities and software programs, including software to burn data and movie DVDs. Another surprise is the price. IBM's T Series has always commanded top dollar, but it's possible to grab a low-end T42 for less than $1600 these days. The system I tested, as configured, would set you back about $2500, however, so be sure to spend some time configuring the laptop before buying. Overall, the T42 is an incredible bit of engineering: a solid and well-made speed demon dressed up in unassuming black business attire. Highly recommended.