Windows Patch Tuesday – January 2012
For the swiss cheese of operating systems, Microsoft plans to start 2012 with a surprisingly large Patch Tuesday that covers seven security bulletins which collectively address eight separate vulnerabilities. Previous January releases have normally featured only one or two bulletins. The solitary critical bulletin in the batch fixes a remote code execution issue in Media Player. The remaining six “important” bulletins due next Tuesday handle the BEAST SSL issue, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts.
In the patch are other various information disclosure bugs, escalation of privilege issues and an update to Microsoft’s SEHOP (Structured Exception Handler Overwrite Protection) technology to enhance the defence-in-depth capability that it can offers to legacy applications. The first six bulletins affect various versions of the Windows Operating System, from XP SP3 up to the newest versions Windows 7 and Windows 2008 R2. The seventh bulletin covers Microsoft Developer Tools.
The “important” rather than critical status for the Beast SSL issue is at least debatable. The BEAST attack affects web servers that support SSLv3/TLSv1 encryption. Microsoft has already published a workaround, which involves using the non-affected RC4 cipher in SSL installations. A patch was originally promised in December but delayed until this month due to problems uncovered during testing. “Despite all of the hype over ‘The Beast’, attacks have simply never materialised and the issue has retained its ‘important’ classification from Microsoft,” notes Paul Henry, a security and forensic analyst at Lumension. Adobe and Oracle have both timetabled quarterly updates, on 10 January and 17 January, respectively in what promises to be a busy month for patching
Internet Explorer 6 RIP
Friends don’t let friends use IE6
Many years late, Microsoft is celebrating the news that Internet Explorer 6 (IE6) use in the US has officially dropped below one per cent of internet visits. In March, Microsoft assembled a team to push for the destruction of IE6, and have succeeded in reducing the market footprint of the browser. Currently 7.7 per cent of worldwide internet site visits use IE6, according to Microsoft, but the figure is now 0.9 per cent in the US.
So Redmond threw a party to celebrate. (more…)
Free Java Exploit
An exploit for a recently disclosed Java vulnerability that was previously only available for purchase in the criminal underground has now been rolled into the open source Metasploit exploit framework. Metasploit researchers say the Java attack tool has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows and Mac systems.
The Java exploit is being sold on cybercrime forums and incorporated into automated crimeware kits like BlackHole. Since then, security researchers @_sinn3r and Juan Vasquez have developed a module for Metasploit that makes the attack tool available to penetration testers and malicious hackers alike. According to a post on the Metasploit blog, the Java vulnerability “is particularly pernicious, as it is cross-platform, unpatched on some systems, and is an easy-to-exploit client-side that does little to make the user aware they’re being exploited.”
Metasploit also posted the results of testing the exploit against a variety of browsers and platforms, and found that it worked almost seamlessly to compromise systems across the board, from the latest 64-bit Windows 7 machines to Mac OS X systems. (more…)
Windows Patch Tuesday – December 2011
Patch up warmly this winter if you’re running Java, as Oracle’s software platform is the single biggest target for hackers. Java proved the single most popular target in the 12-month period to the end of June, according to Microsoft’s latest Security Intelligence Report has found here. Running Java as a Web-browser Plugin is much more dangerous than Flash, and you should disable the Java Applet Plugin.
Microsoft today issued software updates to patch at least 19 security holes in Windows XP, Vista, 2003 and 7 (no surprise there), including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software. (more…)
Don’t Fear Tux
The Linux computer operating system turned twenty in August this year. But, despite having reached that fine age (in computer terms), it remains on the fringe, with relatively low usage levels. Mostly, it has suffered from its reputation for being complicated, with many thinking it’s exclusively for geeks and nerds who know each line of code by heart.
But the reputation is undeserved. Linux hardly makes any special demands on users and is far easier then Windows or Mac OS, once you become accustom to the user interface.
Another reason that Linux it is not very popular, is due to the fact that OEM’s, are locked into Windows due to licensing with Microsoft, but that is slowly changing and set to become rather sub-standard now due to Android. (more…)
Windows 8 Antivirus
In a move that is likely to anger the antivirus industry, Microsoft is adding security features from its Security Essentials program to Windows 8. This is good news for consumers, but bad news for the antivirus industry. Microsoft should have been doing this since the release of Windows 95. While many of us do simultaneous facepalms and giggle at a decade-late decision, others question the legality of doing so. A multi-billion dollar industry has grown, based on the absolute porous operating system that is Microsoft Windows.
That’s right. Microsoft this week began offering U.S. customers its free antivirus program via Windows’ built-in update service, a move one major security firm said may be anti-competitive. Microsoft is adding features from its Security Essentials program, which is currently available as a separate download for Windows users, to the Windows Defender package already built into Windows. This means that Windows 8 users will get out-of-the-box protection against malware, along with firewall and parental controls from within Windows without requiring users hunt down a separate download or buy new software. (more…)
Bookseller Defends Itself
Microsoft has sued Barnes and Noble for use of Android in the Nook Color. The bookseller has filed a supplemental notice of prior art that contains a 43-page list of examples it believes counters Microsoft’s claim that Nook violates Microsoft’s patents. I posted the PDF and slides at: http://jet-computing.com/patents/barnes-noble/
Instead of focusing on innovation and the development of new products for consumers, Microsoft has decided to invest its efforts into driving open source developers from the mobile operation systems market. Through the use of offensive licensing agreements and the demand for unreasonable licensing fees, Microsoft is hindering creativity in the mobile operation systems market.
The complaint also notes some odd behaviors on Microsoft’s part, such as refusing to explain what patents it was threatening B&N over, unless B&N agreed to sign a non-disclosure agreement. (more…)
Dell, HP and UEFI
A big issue right now in the world of operating systems – especially Linux – is Microsoft’s requirement that all Windows 8 machines ship with UEFI’s secure boot enabled, with no requirement that OEMs implement it so users can turn it off. This has caused some concern in the Linux world, and considering Microsoft’s past and current business practices and the incompetence of OEMs, that’s not unwarranted. Dell has stated it’s plans to include the option to turn secure boot off, while HP was a bit more vague about the issue.
You believe OEMs and Microsoft on their blue eyes. After years of abuse and patent troll behaviour, smart people don’t.
Dell confirmed that they have plans to ship Windows 8 machines with the ability to turn secure boot off in UEFI, while HP had no idea what was going on. BIOS maker AMI, meanwhile, has said it will advise OEMs to not remove the option, but adds that they can’t mandate as such.
A Dell spokesperson has stated that “Dell has plans to make SecureBoot an enable/disable option in BIOS setup”. Dell plans to move to UEFI with secure boot in the Windows 8 time frame.
HP, sadly, was less clear. “HP will continue to offer its customers a choice of operating systems,” HP said, “We are working with industry partners to evaluate the options that will best serve our customers.” Nobody at HP was apparently even aware of the issue, which means this is a general PR statement with zero actual value.
Lastly, BIOS maker AMI stated that it “will advise OEMs to provide a default configuration that allows users to enable/disable secure boot, but it remains the choice of the OEM to do (or not do) so”. This is entirely reasonable – AMI just provides a software package, it doesn’t control what OEMs remove and include.
Michael Reed is the latest person to write about “restricted boot” (or UEFI) in a major GNU/Linux Web site. Matthew Garrett, who started a lot of the outcry, calls it a bug and Groklaw helps remind us that “Microsoft’s license provision [was] prohibiting OEMs from modifying the initial boot sequence…” There are several other examples of Microsoft sabotaging Linux adoption through booting complexity [1, 2, 3, 4,5, 6, 7] . The worst thing one can do is assume good faith from Microsoft. The people who run the company are extremely anti-competitive. Don’t blame Microsoft; it’s in their nature.
My biggest fear is that like with BIOS today, every computer – even revisions within the same model – will have its own unique UEFI implementation, some of them broken and/or limited, without any means of telling which features are supported and implemented and which aren’t. Heck, I’ve encountered countless BIOS implementations over the years which only allowed you to change the boot drive order, and nothing else.
All in all, this issue is far from over, and Considering Microsoft’s history of anti-competitive practices, its current patent troll behaviour, and the general incompetence of OEMs, it’s entirely reasonable and smart for us geeks to be on our toes.
Windows 7 is supported til 2020 … most large businesses are only just thinking about moving to it and doing testing … the will probably never move to Windows 8. Windows 7 is going to be around for the next good few years as well as businesses that will use XP forever and ever … will need new hardware.
Android > Phoney 7
A business that harasses customers will soon lose customers. Microsoft has repeatedly violated this rule by suppressing competition. The result is a huge body of customers/consumers who are ready to bolt at the first sign of an alternative. Witness the avalanche of consumers who have chosen Android/Linux smart phones instead of stupid phones with Microsoft’s stuff on board.
Larry Page commented on that when he discusses Google impressive growth,
“Rather than seeing, for example, Microsoft compete in the marketplace with their own smartphones, they’ve really continued resorting to legal measures to hassle their own customers, right? So it seems kind of odd. And we haven’t seen the details of those total agreements, and I suspect that our partners are making good deals for themselves there.”
Android/Linux is on most smart phones these days and Phoney “7″ is on 5%, the opposite situation we see in the retail shelves of personal computers. The difference is consumers have a choice in smart phones. They soon will have the same choice in all personal computers because the suppliers who are making money using Android/Linux are not beholden to Microsoft and can make personal computers of all kinds to compete with Microsoft’s legacy stuff that’s too bulky, hot, noisy and unreliable. Folks who love Android/Linux on smart phones know there are better ways to compute. That knowledge is spreading quickly. This Christmas we will see Android/Linux taking up lots of space on smart thingies and notebooks and desktops in retail shops.
We all know how popular smart phones have become today and with their rapid development, new and latest mobile phone operating systems are also advancing. Thus, it was not so long ago that the Windows Phone 7 OS came out for the recently released Windows Phone 7 units. But, there is no doubt that the Android OS has been here longer and if we put the Windows 7 OS in comparison with the Android OS, the latter would surely be better. The in fact quite a few reasons that the Android OS seems more competent and is simply still far better even after the release of the Windows 7 OS.
In fact at this time it would seem pointless comparing the Android OS with Windows 7 for smart phones at such an early stage. Windows Phone 7 still actually has to make its place in the market and prove its capability. Thus there is no chance that it could instantly beat the Android OS.
Taking the homescreens of the two OS for instance, Android had always been using the iOS approach for its smart phones where the homescreen could be filled with as many apps as a user could find. Thus in fact the Android phone could even hold up to seven different homescreens each being filled to brink with numerous Android apps, widgets and other useful tools.
The approach Microsoft took for the Windows Phone 7 homescreen was to merely include tiles over the homescreen which themselves would be filled with apps and other such stuff, while they could be updated via the web. This approach does not seem to be too unique; in fact it seems alike what Android has to offer through its widgets. Thus it seems that the OS system by Microsoft is already lacking the innovation needed.
Thus if we begin our further comparison between these OS, there are a lot of factors that make Android the better OS.
* Much more features included in the Android OS:
If we let alone consider the features, the Android OS is in fact overflowing with them and new ones keep on getting developed and are available for the Android users. Even though it is still new, the Windows Mobile 7 OS is at a serious lack of some new and unique features.
* The Android OS is more customizable:
It already seems that the Windows Mobile 7 OS is rather rigid and would not offer the users much flexibility. This means that it could not be matched with the customization options that Android OS users are able to benefit from.
* More apps available in the Android OS:
Having a hundred thousand apps through the Android OS is quite an immense number for Android users to choose from, with new ones regularly being added. When it comes to the Windows Mobile 7, the users would merely have hundred such apps to select from which is quite a minimal number as compared to what the Android OS has to offer. Thus judging from all of this, it is pretty obvious that currently Android is surely the better OS around.I hope basic comparison chart also will help you understand better.
Animals that are kept in captivity for most of there life, often cannot survive out in the real world, as they now have to think for themselves and find their own food. So its understandable, that the freedom that Android brings may be rejected, by those who are not accustom to choice or who are to lazy to responsible for themselves. But have no fear, Apple and Microsoft will save you from the responsibility of choice. For the rest, for you brave open minded souls embrace the power or choice…embrace Android.
UEFI, Windows 8 and You
Secure boot for Windows 8, part of UEFI, will hinder the use of non-signed binaries and operating systems, like Linux, has registered at Redmond as well. The company posted about it on the Building Windows 8 blog - but didn’t take any of the worries away. In fact, Red Hat’s Matthew Garrett, who originally broke this story, has some more information - worst of which is that Red Hat has received confirmation from hardware vendors that some of them will not allow you to disable secure boot.
As written before:
- http://jet-computing.com/uefi-secure-boot-and-freedom-of-choice/
- http://jet-computing.com/microsoft-kicks-linux-from-windows-8/
- http://jet-computing.com/after-31-years-say-goodbye-to-bios-and-hello-to-faster-booting-computers-in-2011-with-uefi/
A short recap: if OEMs want to partake in the Windows 8 Logo Program (and they all want to), they will have to implement secure boot on all Windows 8 machines. Secure boot requires signing keys from either Microsoft or the OEMs themselves to be installed into the firmware – any binaries, drivers, or operating systems not signed by one of those signing keys will refuse to work on that machine.
Secure boot is part of UEFI, and in some cases, you will be able to go into UEFI and disable it. However, the fear is that OEMs will not include the option to disable it – there’s enough historical precedence to assume this will be the case. Just look at any of the gazzilion crippled BIOS implementations out there today.
Microsoft tried to address this lingering, but potentially very problematic issue in a blog post today, but sadly, none of our concerns were addressed. Microsoft does not intend to mandate OEMs include the option to turn secure boot off (surprising!), which means OEMs are free to omit this option from their firmware implementations.
And this is exactly what some of them intend to do, according to Red Hat’s Matthew Garrett in a response to Microsoft’s blog post. “Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we’ve already been informed by hardware vendors that some hardware will not have this option,” he notes on his own blog.
Garret explains that Microsoft still dominates the desktop/laptop market. As tough a reality check as it may be, Apple’s worldwide marketshare there is still below 5% (not that they care though – they have a far larger share of the profit) and Linux barely even registers as a rounding error. This means that Microsoft still wields considerable power in this market.
“Why is this a problem? Because there’s no central certification authority for UEFI signing keys,” Garrett explains, “Microsoft can require that hardware vendors include their keys. Their competition can’t. A system that ships with Microsoft’s signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft’s. No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft’s influence here is greater than even Intel’s.”
This could be disastrous for end users. They will lose considerable control over their own hardware if Microsoft gets its way. “The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality,” Garrett details, “The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware.”
This is going from merely potentially maybe kind of problematic into full-on dangerous. From what both Microsoft and Garrett have told so far, this seems like a perfect storm for Microsoft – they will essentially lock people into using Windows without actually doing any of the locking themselves; they’re basically relying on the utter incompetence of OEMs. And let’s face, three things in life are certain: death, taxes, and incompetent OEMs. This is so damn clever and diabolical I just can’t help having some admiration for it.
I’m not really sure what we can do at this point to prevent this from getting really bad. All I can think of is that clever hackers start work right away on cracking the living daylights out of secure boot – you know, just to be prepared.
So in short, when your desktop or laptop blows up, and your data is toast. I, nor will anyone else, will be able to recover your data, unless you use Microsoft’s products.
