Windows 8 DOA

The Windows 8 Consumer Preview has been out long enough for people to try and get used to its dual Metro/Desktop interface. But the longer it’s out there, the less people like it, and there’s a backlash against the dual system from people ranging from normal users to engineers. Will Microsoft listen and fix the hybrid operating system?

What a whole lot of FAIL, Vista 2.0 here we come. This is great for tablets, but tablets are a fad. This has no place on a desktop operating system. Smart phones are the evolution of computing. Mark my words – in 5 years, tablets will not exist. You will have a phone that will be your primary mobile computer. At home, you will connect your phone to a wireless mouse, keyboard and display.

Ex-Microsoft program manager Mike Bibik launched a broadside against the new operating system because of how difficult it is to use with a keyboard and mouse. He launched a site fixingwindows8.com to air his complaints. (Note: When I tried visiting the site today, it displayed only blank pages.) Among other complaints he has is this accurate one:

“Windows 8 just dumps you into the Start screen. No tutorial, no help icon on the main screen, nothing. This will be fixed by launch or Windows 8 will fail.”

Bibik is on target. Most people who use Windows 8 on traditional computers rather than tablets will spend their time in the Desktop because that’s where the apps they most use are, notably Microsoft Office, which won’t run as a Metro app. Yet the Windows 8 Desktop is less useful than in previous versions because the Start menu and Start button have been taken away.

Metro and the Desktop are essentially two different operating systems incompletely bolted together. Sure, techies can figure out how to navigate between the two interfaces, but other people will have a hard time.

Windows Patch Tuesday – March 2012

Today could be the day malware artists figure out how to do remote code execution on many millions of PCs and servers running Microsoft’s OS with RDP enabled. Microsoft has released a patch this patch Tuesday but who knows how many machines will be unpatched in the next few days?

see MS-12-20

Need we say more about the foolishness of leaving your IT as a monoculture of Microsoft’s stuff after decades of them demonstrating little or no concern for security?

Microsoft yesterday released updates to sew up at least seven vulnerabilities in Windows and other software. The sole “critical” update in the bunch patches a particularly dangerous flaw in all supported versions of Windows that allows attackers to seize control over vulnerable systems remotely without authentication.

In the company’s words, one of the vulnerabilities “could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.” Only systems that have remote desktop actually enabled are vulnerable, but Microsoft recommends that everyone install the update, just in case. Affected operating systems include Windows XP, Vista, and 7, not to mention Windows Server 2003, 2008, and 2008 R2.

“Microsoft is urging organizations to apply the sole critical update in this month’s Patch Tuesday release as soon as possible. The critical bulletin – one of six security bulletins issued as part of Tuesday’s release – addresses two vulnerabilities in the Remote Desktop Protocol (RDP). Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon’s AWS, need to patch as quickly as possible, said Qualys CTO Wolfgang Kandek. Besides the RDP bugs, this month’s Patch Tuesday addressed five other vulnerabilities: two denial-of-service bugs and an escalation of privileges issue in Microsoft Windows; a remote code execution vulnerability in Microsoft Expression Design; and an escalation of privileges issue in Microsoft Visual Studio.”

The critical update plugs two security holes in Microsoft’s Remote Desktop Protocol (RDP), a service that is designed to let administrators access Windows systems remotely over a network. The saving grace for these vulnerabilities — which are present in Windows XP, Vista and 7, and Windows Server 2003, and 2008— is that RDP not enabled by default on standard Windows installations. That means it is far more likely to be a threat to businesses than to consumer systems.

“It needs to be configured and started by the system’s owner, which then makes the vulnerability accessible; consequently we expect that only a relatively small percentage of machines will have RDP up and running,” said Wolfgang Kandek, chief technology officer for vulnerability management firm Qualys.

Dave Marcus, director of advanced research and threat intelligence at McAfee Labs, said this bulletin should be considered a top priority, noting that Microsoft has rated its “exploitability index” as 1, meaning that Microsoft expects working exploits to be available in fewer than 30 days.

“An unauthenticated remote code execution is pretty much as bad as it gets,” Marcus said.

For users and organizations that need time to evaluate the RDP patch before installing it, Microsoft has developed and released a FixIt tool to enable “Network-Level Authentication,” which according to the company is an effective mitigation for this issue.

The remainder of today’s updates address three other Windows vulnerabilities, and problems in Microsoft Expression Design and Microsoft Visual Studio.For a breakdown of the patches, see Microsoft’s Security Bulletin Summary for March 2012. The fixes are available through Windows Update.

“A little about MS12-020…this bulletin addresses one Critical-class issue and one Moderate-class issue in Remote Desktop Protocol (RDP),” Angela Gunn, security response communications manager for Microsoft’s Trustworthy Computing Group, explained in a blog post. “Both issues were cooperatively disclosed to Microsoft and we know of no active exploitation in the wild. The Critical-class issue applies to a fairly specific subset of systems – those running RDP – and is less problematic for those systems with Network Level Authentication (NLA) enabled.”

“That said, we strongly recommend that customers examine and prepare to apply this bulletin as soon as possible,” she added. “The Critical-class issue could allow a would-be attacker to achieve remote code execution on a machine running RDP (a non-default configuration); if the machine does not have NLA enabled, the attacker would not require authentication for RCE access.”

Ben Greenbaum, senior principle software engineer for Symantec’s Security Intelligence Group, agreed users should pay close attention to the RDP vulnerability.

“RDP’s purpose is to enable remote access from the Internet, but preferably to an authenticated user,” he said. “In this case, a malicious attacker can potentially take complete control of the computer. Failed exploit attempts of this issue will likely result in the user being confronted with the blue screen of death. If an attacker can bypass standard memory protection measures, however, they will have access at the kernel level.”

Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon’s AWS, need to patch as quickly as possible, Qualys CTO Wolfgang Kandek opined.

“If the patch cannot be applied that quickly or the necessary reboot cannot be scheduled, IT Admins should look into the available work-arounds that function immediately: protect the machine with restrictive firewalling, access RDP through a VPN service or switch to Microsoft’s NLA protocol that is supported in newer versions of Windows (Vista+) and is not vulnerable to the attack,” he said.

The final bulletin for the month was only rated moderate. A vulnerability in DirectWrite could result in a denial of service condition on receipt of a maliciously crafted sequence of Unicode characters.

This issue could be exploited via instant messenger clients. Windows 7, Vista and Server 2008 are affected.

Paul Henry, security and forensic analyst at Lumension, pointed out that the Internet Explorer 9 zero-day exploit used at the Pwn2own event was not addressed by Microsoft, but noted “To be fair, they received the details only yesterday.” more on that later.

He also observed that while the number of bulletins released this month represented a light load of patches, they “will be disruptive in terms of required reboots.”

 

7 overtakes XP, finally

Microsoft has finally seen use of its Windows 7 operating system (OS) overtake that of its ten year old brother, Windows XP. Windows 7 was released on July 22, 2009 and with Windows XP so intrenched, it has taken little over two-years to catch up.

Web analytics firm Statcounter revealed the change in usage and explained that globally Windows 7 has a 40.5 per cent market share, Windows XP has 38.5 per cent, and Windows Vista has 11.2 per cent. (more…)

Windows Patch Tuesday – February 2012

Microsoft is planning to release nine bulletins, addressing 21 vulnerabilities in Microsoft Windows, Office, Internet Explorer, .NET framework and Silverlight. The patches are scheduled to be released Feb. 14.

The software giant said that four of the bulletins are listed as “critical,” and three of those, all of which affect Windows, will require a restart. The critical bulletins address errors in Windows, Internet Explorer and server-side software. They all are said to address vulnerabilities that would allow remote code execution. (more…)

Malware Turns Twenty-Five

It’s been twenty-five  years since the first computer virus (Brain A) hit the net, and what was once an annoyance has become a sophisticated tool for crime and espionage. Computer security expert Mikko Hyppönen tells us how we can stop these new viruses from threatening the internet as we know it. This is a great video on whats going on today with computer security.

(more…)

No Recovery For You!

When consumers purchase personal computers, they should be given the means to restore/repair their operating system via an included LIVE CD/DVD, in NOT doing so by the OEM is just plain stupid. Bear in mind that as a Microsoft Windows licensee, meaning YOU, the thing with a Windows license is that you DO NOT OWN the software, you DO NOT OWN the product, that you are paying for and by receiving a license to use that software under the terms given, you must abide by them, whether you like it or not. That doesn’t sound to user friendly does it?

What you typically have included with you computer, is a recovery CD (best case), perhaps a recovery partition that just re-images your partition setting everything back to the way it was originally or nothing at all (worst case), none of these truly do fix anything. Normally the best way to accomplish this feat is to boot from a Linux LiveCD to recover your files. (more…)

Windows Patch Tuesday – January 2012

For the swiss cheese of operating systems, Microsoft plans to start 2012 with a surprisingly large Patch Tuesday that covers seven security bulletins which collectively address eight separate vulnerabilities. Previous January releases have normally featured only one or two bulletins. The solitary critical bulletin in the batch fixes a remote code execution issue in Media Player. The remaining six “important” bulletins due next Tuesday handle the BEAST SSL issue, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts.

In the patch are other various information disclosure bugs, escalation of privilege issues and an update to Microsoft’s SEHOP (Structured Exception Handler Overwrite Protection) technology to enhance the defence-in-depth capability that it can offers to legacy applications. The first six bulletins affect various versions of the Windows Operating System, from XP SP3 up to the newest versions Windows 7 and Windows 2008 R2. The seventh bulletin covers Microsoft Developer Tools.

The “important” rather than critical status for the Beast SSL issue is at least debatable. The BEAST attack affects web servers that support SSLv3/TLSv1 encryption. Microsoft has already published a workaround, which involves using the non-affected RC4 cipher in SSL installations. A patch was originally promised in December but delayed until this month due to problems uncovered during testing. “Despite all of the hype over ‘The Beast’, attacks have simply never materialised and the issue has retained its ‘important’ classification from Microsoft,” notes Paul Henry, a security and forensic analyst at Lumension. Adobe and Oracle have both timetabled quarterly updates, on 10 January and 17 January, respectively in what promises to be a busy month for patching

Windows Patch Tuesday – December 2011

Patch up warmly this winter if you’re running Java, as Oracle’s software platform is the single biggest target for hackers. Java proved the single most popular target in the 12-month period to the end of June, according to Microsoft’s latest Security Intelligence Report has found here. Running Java as a Web-browser Plugin is much more dangerous than Flash, and you should disable the Java Applet Plugin.

Microsoft today issued software updates to patch at least 19 security holes in Windows XP, Vista, 2003 and 7 (no surprise there), including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software. (more…)

Automatic Computer Malware

According to a Security Intelligence Report from Microsoft, AutoRun—the feature in Windows that automatically executes files when you plug in a USB or connect to a network—accounts for almost half of all malware infections.  These are infections that don’t require any user-input from you, so it’s kind of not your fault that your computer gets infected. By turning off AutoRun, you’ll add an extra step to certain tasks, but it’s worth it to cut down on malware 50%.

This report states that Windows XP SP3 systems get infected about ten times as much as Windows 7 SP1 64-bit systems, and six times as much vs. 32-bit Windows 7 systems. That alone is one reason why you might want to upgrade your parents’ machines to Linux. bear in mind that Windows XP should have been mostly fixed back in February of 2011. See Microsoft Security Advisory 967940. The update does not disable auto-play for CD nor DVD media, but only USB drives, external hard drives and network shares. (more…)

Windows 8 Antivirus

In a move that is likely to anger the antivirus industry, Microsoft is adding security features from its Security Essentials program to Windows 8. This is good news for consumers, but bad news for the antivirus industry. Microsoft should have been doing this since the release of Windows 95. While many of us do simultaneous facepalms and giggle at a decade-late decision, others question the legality of doing so. A multi-billion dollar industry has grown, based on the absolute porous operating system that is Microsoft Windows.

That’s right. Microsoft this week began offering U.S. customers its free antivirus program via Windows’ built-in update service, a move one major security firm said may be anti-competitive. Microsoft is adding features from its Security Essentials program, which is currently available as a separate download for Windows users, to the Windows Defender package already built into Windows. This means that Windows 8 users will get out-of-the-box protection against malware, along with firewall and parental controls from within Windows without requiring users hunt down a separate download or buy new software. (more…)