Windows Patch Tuesday – November 2011

It is that time again! Adobe, Apple, Microsoft and Mozilla all released updates on Tuesday to fix critical security flaws in their products. Adobe issued a patch that corrects four vulnerabilities in Shockwave Player, while Redmond pushed updates to address four Windows flaws. Apple slipped out an update that mends at least 17 security holes in its version of Java, and Mozilla issued yet another major Firefox release, Firefox 8. There have been 17 security holes in Java just since the last release. If that doesn’t convince a person to uninstall Java, I’m not sure what will.

The only “critical” patch from Microsoft this month is a dangerous Windows flaw that could be triggered remotely to install malicious software just by sending the target system specially crafted packets of data. Microsoft says this vulnerability may be difficult to reliably exploit, but it should be patched immediately. Information on the other three flaws fixed this week is here. The fixes are available via Windows Updates for most supported versions of the operating system, including XP, Vista and Windows 7.

Adobe’s Shockwave update also fixes critical flaws, but users should check to see if they have this program installed before trying to update it. To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.

The vulnerabilities fixed by this update exist in versions of Shockwave 11.6.1.629 and earlier. The latest version, v. 11.6.3.633, is available here. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, like Adobe’s Flash Player, Shockwave demands two separate installation procedures for IE and non-IE browsers.

Hat tip to the SANS Internet Storm Center for the heads up on the Java fix from Apple. This update, available via Software Update or Apple Downloads, essentially brings Snow Leopard and Lion up to date with the Oracle patches released last month in Java 6 Update 29 (Apple maintains its own version of Java).

If you use Mozilla Firefox or Thunderbird, you may have noticed that Mozilla is pushing out another major upgrade that includes critical fixes to these programs; both have now been updated to version 8. If you’re still running Firefox version 3.6.x, Mozilla has updated that to 3.6.24. Perhaps I’m becoming a curmudgeon, but I’m growing weary of the incessant update prompts from Firefox. It seems that almost every time I start it up it’s asking to restart the browser or to remove plugins that no longer work with the latest version. I’ve been gradually transitioning more of my work over to Google Chrome, which seems faster and updates the browser and any installed plugins silently (and frequently patches oft-targeted plugins like Flash Player even before Adobe officially releases the update).

I switched to Google Chrome when it first came out. I love it. It’s faster and makes updating easy and effortless. I still have Firefox, but Chrome is my default browser now on all my computers.
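An added example, not part of the original post: a small inventory audit that compares installed versions against the Shockwave and Firefox/Thunderbird versions named above, using numeric comparison so that 3.6.9 is not mistaken for something newer than 3.6.24. The product keys, status labels and sample inventory are assumptions constructed for illustration.

```python
import csv
import io
import re

# Versions taken from the post above. "fixed" is the updated release it names;
# "affected_through" is set only where the post states an affected ceiling.
# Rules are tried in order; an empty branch tuple matches any version.
# Product keys are assumed inventory names, not vendor identifiers.
BASELINE = {
    "shockwave player": [
        {"branch": (), "affected_through": (11, 6, 1, 629),
         "fixed": (11, 6, 3, 633)},
    ],
    "firefox": [
        {"branch": (3, 6), "affected_through": None, "fixed": (3, 6, 24)},
        {"branch": (), "affected_through": None, "fixed": (8,)},
    ],
    "thunderbird": [
        {"branch": (), "affected_through": None, "fixed": (8,)},
    ],
}


def parse_version(text):
    """Turn '11.6.3.633' into (11, 6, 3, 633); '8.0' and '8' both become (8,)."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError("not a dotted numeric version: %r" % text)
    parts = [int(p) for p in text.split(".")]
    # Drop trailing zeros so that 8, 8.0 and 8.0.0 compare as equal.
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def assess(product, version_text):
    """Return 'current', 'affected', 'behind', 'unparsed' or 'untracked'.

    'affected' means the post explicitly lists the version as vulnerable;
    'behind' means it is older than the updated release but the post does
    not state its status.
    """
    rules = BASELINE.get(product.strip().lower())
    if rules is None:
        return "untracked"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparsed"  # betas, vendor suffixes: needs a human look
    for rule in rules:
        branch = rule["branch"]
        if version[:len(branch)] != branch:
            continue
        if version >= rule["fixed"]:
            return "current"
        ceiling = rule["affected_through"]
        if ceiling is not None and version <= ceiling:
            return "affected"
        return "behind"
    return "untracked"


def audit(inventory_csv):
    """Return (host, product, version, status) for every row not 'current'."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = assess(row["product"], row["version"])
        if status != "current":
            findings.append((row["host"], row["product"], row["version"], status))
    return findings


# Constructed sample inventory; host names and installed versions are made up.
SAMPLE_INVENTORY = """\
host,product,version
ws-01,Shockwave Player,11.6.1.629
ws-02,Shockwave Player,11.6.3.633
ws-03,Firefox,3.6.9
ws-04,Firefox,8.0
ws-05,Firefox,7.0.1
ws-06,Thunderbird,8.0
ws-07,Firefox,8.0b4
"""

if __name__ == "__main__":
    for host, product, version, status in audit(SAMPLE_INVENTORY):
        print("%-6s %-17s %-12s %s" % (host, product, version, status))
```

A plain string comparison would rank "3.6.9" above "3.6.24" and pass ws-03 as patched, which is why the versions are compared as integer tuples.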

 

Windows PC Malware

The latest semi-annual Security Information Report (SIR) from Microsoft has been released, and its 232 pages carry reminders of some important facts about computer viruses, other malware and overall PC security.

Here is the link to their blog: http://blogs.technet.com/b/security/archive/2011/10/10/latest-microsoft-security-intelligence-report-now-available.aspx

When it comes to Windows, there are ten things that one should keep in mind:

Infections happen

According to the report, of all the computers that visited the Microsoft Malicious Software Removal Tool (MSRT) in the first half of 2009, 8.7 out of 1,000 (that is, not quite one percent) had some kind of malware infection identifiable by the tool.

The hot spots were Serbia and Montenegro, where the rate was 97.2 per thousand, Turkey with 32.3, Brazil with 25.4, Spain with 21.6, South Korea with 21.3, Saudi Arabia with 20.8, and Taiwan with 20.4.

The cleanest were computers in Finland with a rate of 1.9. The U.S. rate of 8.6 was nearly the same as the global average. (Other sources–typically malware protection vendors who see no reason to be coy–quote much higher infection rates.) Not mentioned by the Microsoft report is that Apple Macintosh infections remain rare.

Malware amounts to an ecosystem

There are viruses that replicate themselves and spread to other computers, sometimes just for the sake of it.

They’re called worms if they do it through e-mail or instant messaging. Trojans follow the metaphor of Homer’s Trojan Horse, whose occupants emerged in the night to open Troy’s gates to a devastating attack. Spyware watches your actions for marketing purposes. Adware produces annoying popup ads. Malware, incidentally, is any software you didn’t ask for, especially software that has malicious intent. A bug, meanwhile, is any software that doesn’t work right–and may be preferable to malware.

Malware has many sources

You can get an infection by visiting a malicious Web site, or by clicking a file attached to spam e-mail, through a p2p file-sharing network, by downloading what you thought was free software, or by using an infected removable device like a USB memory stick. Intrusion attacks can come in over the Internet.

Malware can bite

Many trojans will download other malware that takes root in your computer and starts doing nasty things. These include password stealers and keyloggers that will try to swipe your account information so that someone else can swipe your money. Or they may turn your computer into a botnet node, under the remote control of a bot herder, who will typically use it to spew spam.

Trojans rule (in the U.S.)

If you’re going to get an infection, at least in the U.S. it’s likely to be some kind of Trojan. According to the SIR, 42 percent of the infections that the MSRT discovered were Trojans. Adware was also big at 16.3 percent. Nasty password stealers amounted to 4.1 percent. Elsewhere, infections are a toss-up. In Brazil, for instance, password stealers aimed at on-line banking predominate. Spain and South Korea have little in common, but both are afflicted by worms that target on-line gamers.

Vulnerabilities vary

Not all operating systems are equally vulnerable. Microsoft’s figures show that unpatched Windows XP has an infection rate of about 32.5 per thousand–about four times the global average. The rate falls to a sub-average 8 per thousand for Windows XP with Service Pack 3 (i.e., fully updated). The rate for updated Vista machines was 3.1 per thousand for the 32-bit version, and 2 per thousand for the 64-bit version.

Patching works

Hackers have a reputation of being ahead of the software vendors, but in reality they often use vulnerabilities for which patches have already been issued. Even when the bad guys get the upper hand, it may not be for long. Microsoft likes to use the example of the “Reno” Trojan that was attacking Vista, causing Windows Explorer to generate trackable error reports. After Microsoft issued a patch, the reports fell from 1.2 million error reports daily to less than 100,000–in three days. Within a month it was off the chart.

Updating works

The rate of infection of 64-bit versions of software was usually a third lower than the rate of infection of the 32-bit version.

Malware is not the only danger

The big news is the rise in phishing–e-mail that tries to trick you into revealing information that could be used for ID theft or other fraud. The phishers have been going after denizens of social networking sites and even large corporations.

Upshot: Update your gray matter

Software can’t protect you against the phishing plague–only common sense can do that. If some random e-mail asks for your personal information because somehow otherwise your bank account, or your game subscription, or your corporate computer privileges will be suspended, delete it.

Yes, this is why I show people Linux all the time, where you do not put up with all this mess. Who has the time to keep up with all of this garbage? It’s a wonder anyone gets any work done using Windows. There are two lines that I carry with me and I use them often these days:

“In a world without walls and fences, who needs Windows and Gates?”

“I get paid to support Windows, I use Linux to get work done.”

 

Internet Safety: 7 tips

Don’t use a single, easy-to-remember password for everything you sign up for. It’s tempting because you’re always being asked to create another user name and password at one site or another.

“When criminals are able to get your password from one site that they’ve hacked into, they then take it and try to use it on other common services to see if they can get more access to your personal information,” said Chester Wisniewski, a security expert at security firm Sophos Ltd. “So they’ll go to Facebook and use the same password you used on [the site they hacked into] and they’ll go to your Gmail account.”

If it sounds too good to be true, it probably is. “We see all these survey scams on the Internet all the time where you’re asked to fill in all this personal and private information and enter to win an iPad,” Wisniewski said.

The problem is most of them are frauds and scams. “No one is getting an iPad,” Wisniewski said.

Instead of entering a sweepstakes, what you’re really doing is handing your information over to criminals who might sell it off to someone else or use it to commit identity theft.

Be cautious about sharing information, even if it seems harmless. Don’t give out information such as your birth date on social media or other sites that ask for it.

“Unfortunately, the way we work in the real world, these things may be used to identify you,” Wisniewski said.

Instead of giving away your identity, make another one up.

Keep your anti-virus software up to date. Anti-virus software comes pre-installed on most computers. But after the initial free trial period is over, either shell out for a subscription or install free anti-virus software. You’ll need it.

“It’s not a bulletproof answer because things still get by anti-virus software,” Wisniewski said. “But keeping it up to date improves your safety dramatically. And there are great free solutions out there — namely Linux.

Keep all regular software up to date to ensure it’s secure. If you do, you’ll lessen the chances of experiencing a security breach.

Trojan horses, viruses and other forms of malware evolve every day. When a bug or hole that could harm your computer or let in the bad guys is found in a piece of software, the software company will usually release an update. It’s very important that you run these updates to minimize the opportunities for criminals to steal or misuse your information.

“For example, if you get that little balloon in the tray in Windows, that says ‘Hey, there’s an Adobe update available,’ click ‘yes,’” Wisniewski said.

Keep your browser up to date. If you’re using an outdated browser, you’re also running the risk of being scammed or having your identity stolen. Up-to-date browsers have much better protection against cyberattacks than older versions.

Enable a firewall and configure it properly. A firewall is a system designed to prevent unauthorized access to your computer. Most current operating systems, such as updated versions of Windows XP, Vista and 7, as well as Mac OS X 10.4 and later, have one built in. Otherwise, you can get an inexpensive software firewall from your local computer store, software vendors or your Internet service provider.

“Turning the firewall on makes a big difference,” Wisniewski said, “because if something were to escape your anti-virus [software] and try to communicate with the Internet to send all your banking information, your firewall will stop that if it’s enabled and configured properly.”

Windows XP – 10 years

Ten years ago this, Microsoft released Windows XP, which became one of its most popular flavors of the Windows operating system — largely because what came after it, Windows Vista, was so terrible and a complete failure. Windows 7, in all its glory, was so great it took two years to surpass XP.

This month marks the first time that Microsoft Windows XP has dipped below 50 percent market share among personal desktops and laptops worldwide, after having peaked at about 75 percent in 2007, according to NetApplications.com and Statcounter.com.

The 10-year-old operating system is notorious for its security holes. It’s got much less protection against viruses, Trojans and other malware than do its successors Windows Vista and Windows 7, and even the National Security Agency itself advised against XP’s continued use in a document released earlier this year. Yet it maintains a strong presence worldwide, especially in China and Russia, and that huge installation base makes it easier for malware writers to spread their wares.

Savvy users might blame XP’s enduring popularity on the naivete of less knowledgeable consumers, but the real culprit might be Microsoft’s own naivete when it comes to how consumers make their decisions.

“Users in general are averse to taking time out of their schedules to come up to speed on the newest features which, at the end of the day, they don’t view as significantly improving their productivity,” said Tom Halleran, a service delivery executive at a global IT services provider.

Microsoft is slowly but surely abandoning XP. Mainstream support was officially retired in 2009, and the software giant will discontinue all support — likely including security patches — for XP by 2014. The company’s motivation is clear: Compared to streamlined modern operating systems such as Linux, XP has become an embarrassment. I have an XP counter at the bottom right sidebar of my website; don’t wait to act and to make a decision on what operating system to migrate to.

Aside from perpetuating security holes that were never fully addressed, XP makes other operating systems more attractive to consumers looking to trade up. Comparison shopping between Windows 7 and Apple’s Mac OS X is a more or less level playing field; comparison shopping between XP and OS X is no contest.

So why are XP users reluctant to upgrade? There are four main reasons.

Price is an obvious factor, and not just because Windows 7 starts at $200. Mainstream consumers tend not to upgrade their operating systems until they buy new machines. Microsoft expects its customers to respond to upgrade deals, yet ignores the fact that the cost of the hardware itself — a new desktop or notebook — is the real stumbling block from a financial perspective.

Then there’s another concern: compatibility. Corporations may have to buy new machines for entire departments to keep up with operating-system requirements. Home users often prefer to have all their machines running the same operating system — the unpredictable network mismatches that can arise are often too difficult or time-consuming to troubleshoot — and at $200 per Windows 7 license, it may be easier to stick with XP across the board.

Home and corporate users also don’t like the learning curve of adapting to a new system. XP users are used to their work flows; they know where to find what they need, and they like it that way.

Microsoft is mistaken in thinking that every new version of its flagship OS must be a substantial change from the last. Windows users have set tasks to accomplish when they boot up, and taking time out to re-learn how to accomplish those tasks is not what they signed up for. The waste of hours (and, potentially, corporate resources) is a strong deterrent to upgrading.

Some advanced users might consider the above three reasons for resistance to be limited to the less computer literate, but many coders and developers find a fourth reason to avoid updating: preference.

“Tech-savvy users who understand the security benefits of upgrading are often unhappy with what they see as an increasing lack of control over their system,” Halleran said.

With both Vista and Windows 7, Microsoft has been pushing toward a sleeker, more user-friendly, but less user-controlled model. It’s no coincidence that these developments have been compared to Apple’s standard look and functionality. A quick Google search for the phrase “more and more like Mac” turns up nearly half a million results, and even a cursory glance at the text excerpts suggests that this isn’t what a lot of Windows users want.

If it’s attempting to win over Mac users, Microsoft has failed on two counts: Mac users exhibit tremendous brand loyalty, and PC power users tend to stick with Windows precisely because it isn’t Mac. If anything, this race toward a shiny OS singularity only encourages power users to adopt alternative operating systems such as Linux; and indeed, as XP’s market share has dwindled, Linux has gained ground.

In mimicking the Mac model, Microsoft is alienating its hardcore demographic. Despite quirky ad spots to the contrary, the choice of “Mac or PC” these days is usually based on mere preference, not technical factors.

At the same time, Microsoft’s unrealistic assessment of consumers’ willingness to upgrade to unfamiliar systems at high prices means that the world will likely be saddled with XP for years after support is completely abandoned.

Facing the glaring security problems of an XP-infested future, Microsoft might need to rethink both its OS development and its business strategy. The company can sweep XP under the rug, but it won’t be easy to smooth out the big lump that remains.

While many of us may be looking to migrate from Windows 7 to Windows 8 when it becomes available (I’m not, I have no need for either) — no date is set, but it could be late next summer — there are still plenty of folks using XP for many reasons. However, with the economy as it is and getting tighter, now is the time to look at a decent operating system, such as Linux Mint. The benefits are enormous and you are missing out! There is no reason to go out and buy a new computer, or even upgrade, just because Windows XP is expiring. Windows 7 has no feature benefits worth spending the money on; the only difference may be that you get Internet Explorer 9, but who needs that when you have Firefox and Chrome, which are supported with extensions.

The advantages of Linux are fivefold:

  • Cost – The most obvious advantage of using Linux is the fact that it is free to obtain, while Microsoft products are available for a hefty and sometimes recurring fee. Microsoft licenses typically are only allowed to be installed on a single computer, whereas a Linux distribution can be installed on any number of computers, without paying a single dime.
  • Security – In line with the costs, the security aspect of Linux is much stronger than that of Windows. Why should you have to spend extra money for virus protection software? The Linux operating system has been around since the early nineties and has managed to stay secure in the realm of widespread viruses, spyware and adware for all these years. Sure, the argument of the Linux desktop not being as widely used is a factor as to why there are no viruses. My rebuttal is that the Linux operating system is open source and if there were a widespread Linux virus released today, there would be hundreds of patches released tomorrow, either by ordinary people that use the operating system or by the distribution maintainers. We wouldn’t need to wait for a patch from a single company like we do with Windows.
  • Choice (Freedom) – The power of choice is a great Linux advantage. With Linux, you have the power to control just about every aspect of the operating system. Two major features you have control of are your desktop’s look and feel by way of numerous Window Managers, and the kernel. In Windows, you’re either stuck using the boring default desktop theme, or risking corruption or failure by installing a third-party shell.
  • Software – There are so many software choices when it comes to doing any specific task. Sometimes it’s a simple modification or feature enhancement of an already existing piece of software, sometimes it’s a brand new application. In addition, software on Linux tends to be packed with more features and greater usability than software on Windows. Best of all, the vast majority of Linux software is free and open source. Not only are you getting the software for no charge, but you have the option to modify the source code and add more features if you understand the programming language. What more could you ask for?
  • Hardware – Linux is perfect for those old computers with barely any processing power or memory you have sitting in your garage or basement collecting dust. Install Linux and use it as a firewall, a file server, or a backup server. There are endless possibilities. Old 386 or 486 computers with barely any RAM run Linux without any issue. Good luck running Windows on these machines and actually finding a use for them.

Either way you look at it, you will be forced to relearn Windows 7 when you leave XP, then yet again when you leave for Windows 8. Look at the advantages Linux can offer you and make the decision to try something new for once. You will have to eventually, as Windows is totally changing the user interface and killing off the start menu. http://jet-computing.com/microsoft-kills-start-menu/

Microsoft Word Virus

A new virus has cropped up in various countries across the world and its target appears to be corporate networks. The Duqu virus, first noted last month by a laboratory at Budapest University, has now been spotted in several other countries and appears to be sent via Microsoft Word documents attached as emails. Microsoft has announced that it is working on a fix.

The point of the new virus seems to be to gather corporate information and then send it to some as yet unknown site. Thus, it’s a form of corporate espionage. Chillingly, researchers at Symantec, the giant antivirus company, say it looks like some of the code in the virus is the same as was found in the Stuxnet virus that wreaked havoc on Iran’s nuclear program, indicating that the perpetrators either were able to obtain the code from that virus or are the same people.

The virus is activated when a person to whom an infected Word document was sent, opens it. The virus infects that computer then seeks out other computers through the corporate network. As it goes, it collects data and then apparently, seeks a path out to the Internet where it can send the data it’s collected to a predefined destination. Thus far it has relied on a so-named zero day exploit to take advantage of a previously unknown weakness in the Windows kernel, which means getting in and doing its dirty work before victims have a chance to come up with a means of defense against it.

Thus far, it appears that the virus has been targeted at specific types of companies, as the data-collecting part of the virus seems to seek out information pertaining to industrial control systems. So it’s likely that whoever unleashed the virus did so in hopes of gaining information on how companies are designing and manufacturing their products; not something the average person would need to worry about, but still enough to cause concern about the growing sophistication of computer viruses.

So far, instances of the virus have been seen in Iran, India, France, Ukraine, the UK and at least eight other countries that have not been specifically identified.

In the meantime, Microsoft has released an advisory and a stopgap fix for the zero-day vulnerability exploited by the “Duqu” Trojan, a highly targeted malware strain that some security experts say could be the most important cyber espionage threat since Stuxnet.

According to the advisory, the critical vulnerability resides in most supported versions of Windows, including Windows XP, Vista and Windows 7. The problem stems from the way Windows parses certain font types. Microsoft says it is aware of targeted attacks exploiting this flaw, but that it believes few users have been affected.

Nevertheless, the flaw is a dangerous one. Microsoft said that an attacker who successfully exploited this vulnerability could run arbitrary code, install programs; view, change, or delete data; or create new accounts with full user rights. The most likely vehicle for the exploit is a poisoned email attachment. This means that a hacker deploying the Duqu Trojan against a Windows machine that hasn’t yet downloaded the temporary fix could gain nearly total access to a person’s computer.

Microsoft is working on developing an official security update to fix the flaw. For now, it has released a point-and-click Fixit tool that allows Windows users to disable the vulnerable component. Enabling this tweak may cause fonts in some applications to display improperly. If you experience problems after applying the Fixit solution, you can always undo it by clicking the “disable” image in the Microsoft advisory and following the prompts. So in reality, some of you may not be able to fix this until the next ‘Patch Tuesday’ in December.

MS Office 2007 SP3

For those of you that have Office 2007, Microsoft will be releasing Service Pack (SP) 3 for it soon. Here’s a Microsoft blog post with the download links. SP3 is available via the Download Center as of this week, and will be pushed out as an Automatic Update in 90 days, Microsoft execs said.

The last cumulative update for Office 2003, Service Pack 3 resolves several compatibility and stability issues with Windows Vista and later operating systems. Mainstream support for Office 2003 application ended in April 2009 and extended support ends in April 2014.

I have written about Office XP here: http://jet-computing.com/microsoft-office-xp-support-retired/ It’s highly doubtful you use Office XP at home, but there may be some poor souls out there still using that decade-old version of Office.

If you’re in the market for new document software, give LibreOffice a try; it is what I use here in the office. On a side note and with great news, The Document Foundation, creators of the LibreOffice office suite of applications, have announced that they are currently working on projects to bring LibreOffice to Android and iOS devices, together with accessibility through web browsers.

The LibreOffice port project is based on the work of Tor Lillqvist and will now be focusing on bringing its suite of applications to mobile devices in the near future. LibreOffice currently competes with, and offers a great free alternative to, Microsoft Office’s suite of applications. LibreOffice was created by former OpenOffice.org developers after concerns about Oracle’s community-hostile stewardship of OpenOffice.org and a number of long-standing procedural and governance issues that existed long before Oracle’s acquisition of Sun.

LibreOffice has been developed by The Document Foundation as a fork of OpenOffice.org, and is compatible with other major office suites, including Microsoft Office, making it easy to swap to. When it was created, its developers’ goal with LibreOffice was to create a vendor-independent office suite with ODF support but without any copyright assignment requirements. The LibreOffice software has been downloaded over 7.5 million times since its launch back in January 2011.

Windows Patch Tuesday – October 2011

Windows, insecure by design. How else can you explain that all supported versions of Internet Exploiter have the same vulnerability to injection of malware?

Microsoft and Apple today released security updates to fix a slew of critical security problems in their software. Microsoft’s patch batch fixes at least 23 vulnerabilities in Windows and other Microsoft products. Apple’s update addresses more than 75 security flaws in the Windows versions of iTunes.

Nine of the 23 flaws Microsoft fixed with patches today are rated “critical,” meaning attackers could exploit them to break into vulnerable systems with little or no help from users. Eight of the nine critical bugs are in Internet Explorer. The remaining critical flaw is corrected in an update for the .NET Framework. Three of the vulnerabilities fixed with these updates were disclosed publicly prior to today, including a flaw in Windows Media Center that Microsoft believes crooks are likely to soon figure out how to reliably exploit.

The iTunes update brings the music player software to version 10.5, and is available for Microsoft systems running Windows 7, Vista, XP SP2 and later. Two new features of iTunes deserve mentioning: Apple says iPhone and iPad users who upgrade to iOS 5 when it is released later this week will be able to sync with iTunes wirelessly. More importantly from an update perspective, Apple has at long last untethered iTunes from QuickTime.

Users can download the update by opening iTunes; if you’re not directed to download iTunes 10.5 when you start the program, click “Help,” and then “Check for Updates.” Some OS X users may be wondering how many of these flaws exist in the Mac version of iTunes. According to the SANS Internet Storm Center, Mac users can expect some of these problems to be fixed in Security Update 2011-006 and in OS X Lion v. 10.7.2. For the time being, however, neither of those updates appears to have been released.

The latest Windows patches are available through Windows Update or via Automatic Update.

October’s Patch Tuesday release resolved issues in Internet Explorer versions 6 through 9, all versions of Microsoft Windows from XP through 7, .NET and Silverlight, Microsoft Forefront Unified Access Gateway and Host Integration Server, Microsoft said Oct. 11. Two of the patches are rated “critical,” and six are rated “important,” Microsoft said.

Microsoft recommended that organizations apply the Internet Explorer and .NET/Silverlight patches first as attackers are likely to come out with a reliable exploit within 30 days. Malware developers often reverse-engineer the patches after they are released to develop exploits that target unpatched systems.

Kaspersky Lab senior security researcher Kurt Baumgartner said that reliable exploitation will lead to remote code execution across a wide variety of Windows versions because Internet Explorer and Silverlight are heavily used software clients.

“It would be surprising to not see related exploits added to packs and widely used in attack attempts over the coming months,” Baumgartner wrote on the Securelist blog.

The critical update for Internet Explorer fixed at least eight known security flaws in all versions of Microsoft’s Web browser, including the latest Internet Explorer 9. The bugs were in the way IE handled objects in memory and the way memory was allocated and accessed.

If exploited, the bugs in Internet Explorer would expose the user to drive-by download attacks merely by browsing to a booby-trapped site, according to Microsoft. The attacker can gain the same user rights as the user, but users who have accounts with fewer user rights are likely to be less impacted than those who have administrative rights.

“Patching browsers will be top priority because the vulnerabilities fixed with each security bulletin release in browsers are top exploit targets for attackers,” Jason Miller, manager of research and development at VMware, told eWEEK.

The second critical update fixed a remote code execution flaw in .NET Framework and Silverlight. Users could be compromised just by viewing a malicious page specifically running XAML Browser Applications or Silverlight applications, Microsoft said. The vulnerability would also allow remote code execution on a server running IIS if that system allowed processing ASP.NET pages and specially crafted ASP.NET pages are uploaded to the server and executed. The .NET issue also affects Mac OS clients, according to Dave Marcus, director of security research and communications at McAfee Labs.

The .NET framework class inheritance vulnerability is “complex to exploit” but can be exploited in a “number of ways,” including traditional downloads, drive-by-downloads and by hosting a malicious .NET application, said Joshua Talbot, security intelligence manager at Symantec Security Response.

Microsoft fixed five privately reported vulnerabilities in Microsoft Forefront Unified Access Gateway. The cross-site scripting vulnerability in Microsoft Forefront, if exploited, will allow attackers to steal log-in credentials used for VPN access and gain access to sensitive data. The patch for Microsoft Forefront will likely affect the “smallest number” of organizations because Microsoft generally doesn’t have a big presence in corporate security infrastructure, Marcus Carey, a security researcher at Rapid7, told eWEEK.

Microsoft has two bulletins to fix the DLL preload vulnerabilities in Windows Media Center and Microsoft Active Accessibility. Microsoft has released a patch 17 times to close this issue in various programs since it was first identified Aug. 23, 2010, according to Miller.

“Overall this Patch Tuesday is fairly moderate. Three of the included vulnerabilities have been previously disclosed, and there is an available proof-of-concept code,” Marcus said.

October is often the last month in which administrators at financial and retail organizations apply patches before going into “lock-down” mode for the holiday shopping season, according to Andrew Storms, director of security operations at nCircle. “Enterprise IT teams should get ready to pull out all the stops,” Storms said.

Microsoft kills Start menu

Microsoft recently killed the Start Menu, and their explanation for it seems fairly straightforward: no one used it. This may be a bit of an exaggeration, but Microsoft explains that use of the Start menu dipped by 11 percent between Windows Vista and Windows 7, with many specialized Start functions — such as exploring pictures — declining as much as 61 percent.

Windows 8 Metro Start Screen

When you can’t figure out the easy way to launch stuff, look in the Start Menu. This is change for change’s sake. How is someone supposed to use this? You can’t, without much anguish. Why? Because they didn’t like the look of the big, floor-to-ceiling look of the old XP system, they shrunk it all down so that it only shows 5-6 items at a time and has a scroll-bar. In short, they made it harder to use and less functional than the XP Start Menu, and to everyone’s amazement, people stopped using it, and then they claimed it was some sort of UX triumph.

Ditto with the control panel – rather than one big screen with 100+ tiny icons on it, they reworded a few things (“Display” became “Personalization”, and there are 2-3 different UIs rather than the tabs on the old-fashioned XP display.cpl) and made them all look like web-apps. Now that it’s unnavigable with words or icons, everyone uses “search” and it “feels faster”. You can’t write documentation that says Start-Settings-ControlPanel-Display-Screensaver, you have to say “search for ‘screen saver’ and clicky on whatever pops up”… *sigh*

Much like Firefox, most UX innovation is precisely that. If you don’t get the results that match your pet UI design philosophy, move the feature around, and while your users are trying to find the feature you don’t want, accumulate enough telemetry to claim your users aren’t using it as often, then take it away. (Status bar, full URL in the URLbar, etc.)

And the problem fundamentally isn’t that the Start Menu is too complicated. It’s that they’ve never provided a good tool for *managing* it. So the average person, being unaware that it’s just a bunch of directories and shortcut files, suffered with the floor-to-ceiling scrolling menu from hell. M$, on noting their complaints, responded by taking away most of the menu. This led to a different set of complaints, since now no one can find anything and the reaction is to give up on the start menu entirely.

But it still didn’t solve the real problem, which as I said is still that there’s no good tool that average non-savvy users can turn to for *managing* the Start Menu. How hard could it be to make a nice little interface (not relying on drag-and-drop in the live menu, which in my observation is usually a disaster) geared toward letting average folks sort out their programs into reasonable hierarchies, so the Start Menu isn’t always One Huge Mess??

Me being an avid user of Linux Mint, I much prefer using Cairo Dock and Mint Menu, both of which are configurable. I have to chuckle over this, and just shake my head.

It would be fine if I never changed computer, or never needed to re-install the OS, however, any time you used a different computer / OS, you would need to re-organize things, go against the defaults. The other problem I had was that sometimes it was hard to perfectly categorize things. Google’s Chrome browser and its ChromeOS are working to conquer this aspect.

Without the Start Menu, how do I shutdown? Hold the power button down for ten seconds, just like always.  :)

So in Windows 8 (for those that tried the demo, yes I downloaded the ISO and set up a VM to try it) they replaced the simple little menu in the start button with a whole screen monstrosity that takes the entire desktop. Taking over my whole desktop because I pushed the start button isn’t the answer to this problem. IMO people don’t use the start menu much because they put icons of their most used programs in the quick launch tool bar and on the desktop itself. Instead they take a simple menu, blow it up full screen and if you decide you don’t want to pick a program and go back to what you have running, there is no logical way to do it (there isn’t a close button that’s obvious, ESC doesn’t work, right click doesn’t work).

Gnome3 and Ubuntu’s Unity solution to doing away with the start button is far better than what Microsoft has cooked up (and I don’t really like those either, but I can see them working better). If I fail that badly using their “NEW AND IMPROVED” start menu I can’t even comprehend how disastrous this will be for the less computer literate. The best part is, you cannot bring back the old start menu that I could find. It’s not in the control panel, the options are gone from the right click menu, etc.

Microsoft is making a huge mistake overlaying their Windows Phone 7 Metro interface on Windows. This is a huge mistake that’s obviously being done to use the Windows monopoly against the phone competition. It’s going to backfire and damage Windows just like Vista did.

Microsoft killed the Start menu because they want to force everyone to use Windows Phone, even if they aren’t (initially) buying a Windows Phone. They failed for years to sell phones that look like a Windows desktop, so instead they’re changing the Windows desktop to look like their phones, and hoping that iOS and Android end up looking “foreign” to phone users as a result.

People click on the Start menu when they want to find something to Start. Imagine that. The bottom line is that the Windows 95 UI (which is to say, Microsoft’s ripoff of the RiscOS UI [guidebookgallery.org]) was the pinnacle of personal computer desktop UI design. Everything that’s happened since then has been change for change’s sake and has only served to annoy users and get in their way.

There is really nothing wrong with a start menu. Microsoft however never enforced a good practice with their start menu, the signal to noise ratio is VERY low. It’s cluttered with company names, uninstallers and readme files. Why should I have to know the name of the company if I want to use a program, looks very much like advertisement to me. Instead of enforcing a good practice they have extended the start menu with “most used programs” which really doesn’t cure the underlying problem, and to me it’s even more cluttered. They should get rid of everything but the program starters in correct folders, Games in games folder and so on, one program has one menu entry, this was probably how it was meant to be by the original designer but never enforced. Look at Gnome, very simple, and very effective. And now Microsoft have come to the conclusion that nobody uses their cluttered mess of a start menu, and are killing it. I say it could be fixed, but Microsoft doesn’t seem to know what’s wrong with it.

Windows 7 driver problem

Some time ago, I came across an issue that so far I have never seen, and it’s a stubborn one. This time, it was an issue with a driver released for an integrated wireless NIC by RALink Technology. The issue? Windows 7 refuses to automatically install it because it doesn’t trust the source of the driver. The error that shows up for the properties of the device in Device Manager is:

Windows cannot verify the digital signature for the drivers required for this device. Error Code 52.

Now, while this may not pose as a big deal, the issue at hand is to have the Windows installer use the driver during an unattended installation of Windows 7. What’s even more frustrating, the manufacturer of the PC and the device itself only release InstallShield packages that the user must run to obtain the drivers in the first place. To get the raw driver files for the unattended installation, I must run the InstallShield package to install it on a PC that has the device in it, then go back and look at the properties for the device in Device Manager, and under Driver Details get the list of files to extract, as well as find the oem*.inf file in the c:\windows\inf\ folder. The driver can be successfully installed manually once Windows is installed, where it prompts for the user to allow it to install. What adds to this puzzle is that the driver itself IS signed, because after it is installed, it shows the “Name of signer” for the driver itself as “Ralink Technology Corporation”. So what is the deal here?

After doing some more research, it turns out this is a known issue with Windows, where it does not correctly determine that a driver is signed. Posts about this error show up all over. Microsoft’s article on the error code says:

If the device is a CD or DVD drive, use the Automated Troubleshooting Service, at the Microsoft Support Web site (http://go.microsoft.com/fwlink/?LinkId=192997).

Go to the device manufacturer’s Web site and download and install the latest appropriate driver for the device.

Search for possible solutions for your particular device on the Microsoft Support Web site (http://support.microsoft.com). For example, for issues related with an iPod, you might search for “code 52” iPod.

Well, the first option is not possible as there is no disc, and the manufacturer’s website already contains drivers that are signed and have the same issue. And no additional searches show any useful information on this on Microsoft’s site. Searching the rest of the Internet on the issue mainly supplies links for downloading the drivers from 3rd party sites, or for software that should “fix” the problem, like “DLL Suite”. No thanks, I’m not about to start installing a bunch of unknown 3rd party products to try and help with a Windows problem.

Personally I think the whole driver model for Windows is a huge mess, especially when problems come up like this, they can be very difficult to fix. As a band-aid, Microsoft implemented its driver signing policy to help alleviate issues with unstable or malicious drivers being released by 3rd parties. Yes I know, most of the time drivers just install and all is good. I like to compare this to alternative operating systems like GNU/Linux, where all drivers for most Linux distributions are pre-compiled for the kernel and are automatically loaded when the kernel is running. There is no hunting for 3rd party packages, extracting driver files from system folders like there is in Windows, or driver signing. GNU/Linux is a huge improvement over Windows on how it handles drivers, since everything is included in the Linux distribution. There are cases where a driver might need to be compiled, but this is extremely rare, and I’ve never had to do this with the 2.6 series of Linux kernels.

This issue has a workaround for now, but it involves manually installing the driver for each PC. And yes, Windows 7 can be set to allow unsigned drivers after Windows is installed, and there are methods to address unattended setup for Windows XP, but so far I haven’t discovered the right recipe for Windows 7’s unattended installation. This is not a big deal for a few PCs, but for a large batch it is time consuming, and people should be spending that time doing other tasks like installing additional software.
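A check for the extraction step described above, added here as an example and not the author's or Microsoft's code. The signature of a Plug and Play driver package is carried by the catalog (.cat) file named by CatalogFile in the INF's [Version] section, so a folder assembled from the INF and the "Driver Details" file list can be audited for that catalog and for every file the INF lists. The sample INF, the file names and the oem12.inf name are constructed placeholders, and nothing here establishes that a missing catalog was the cause of the Code 52 in this case.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample INF; file names are placeholders, not the vendor's.
SAMPLE_INF = """\
[Version]
Signature   = "$Windows NT$"
Class       = Net
CatalogFile = examplenic.cat   ; catalog that carries the package signature
DriverVer   = 01/01/2011,1.0.0.0

[SourceDisksFiles]
examplenic.sys = 1
exampleco.dll  = 1
"""

def read_inf(path):
    """INF files are often UTF-16 with a BOM; fall back to UTF-8."""
    data = Path(path).read_bytes()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")

def parse_inf(text):
    """Return {section name (lowercase): [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        # ';' starts a comment (a ';' inside quotes is not handled here)
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
        elif current is not None:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip().strip('"')))
    return sections

def audit_package(folder, inf_name):
    """Compare an extracted driver folder with what its INF says it needs."""
    folder = Path(folder)
    present = {p.name.lower() for p in folder.iterdir()}
    sections = parse_inf(read_inf(folder / inf_name))
    # CatalogFile may be decorated per platform, e.g. CatalogFile.NTamd64
    catalogs = [v for k, v in sections.get("version", [])
                if k.lower().split(".")[0] == "catalogfile" and v]
    # [SourceDisksFiles] may also be decorated, e.g. [SourceDisksFiles.amd64]
    payload = sorted({k for name, items in sections.items()
                      if name.split(".")[0] == "sourcedisksfiles"
                      for k, _ in items}, key=str.lower)
    return {
        "catalog_declared": bool(catalogs),
        "missing_catalogs": [c for c in catalogs if c.lower() not in present],
        "missing_files": [f for f in payload if f.lower() not in present],
    }

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Simulate copying only the INF and the .sys out of an installed system
        Path(tmp, "oem12.inf").write_text(SAMPLE_INF, encoding="utf-16")
        Path(tmp, "examplenic.sys").write_bytes(b"")
        print(audit_package(tmp, "oem12.inf"))
```

An empty "missing" result only shows the folder is complete; whether the catalog's signature chains to a trusted publisher is a separate check made by Windows at install time.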

How Windows gets malware

When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update Java, Adobe Reader/Acrobat and Adobe Flash. This is revealed by a survey conducted by CSIS Security Group A/S. This group has been collecting data for 3 months on actual infections of computers by drive-by attacks on browsers. Drive-by attacks are when you go to an innocent website and get a virus anyway. This is typically from ads or hacked links.

Basis of the study

CSIS has over a period of almost three months actively collected real time data from various so-called exploit kits. An exploit kit is a commercial hacker toolbox that is actively exploited by computer criminals who take advantage of vulnerabilities in popular software. Up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits.

The purpose of this study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third party software that are at risk.

CSIS monitored more than 50 different exploit kits on 44 unique servers / IP addresses. Figures come from the underlying statistical modules, thereby ensuring as precise an overview of the threat landscape as possible. The statistical material covers all in all more than half a million user exposures out of which as many as 31.3 % were infected with the virus/malware due to missing security updates.

Among the vulnerabilities we have observed abused by the monitored exploit kits, we find:

CVE-2010-1885 Microsoft Help & Support HCP
CVE-2010-1423 Java Deployment Toolkit insufficient argument validation
CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0840 Java trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
CVE-2009-0927 Adobe Reader Collab GetIcon
CVE-2008-2992 Adobe Reader util.printf
CVE-2008-0655 Adobe Reader CollectEmailInfo
CVE-2006-0003 IE MDAC
CVE-2006-4704 Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability
CVE-2004-0549 ShowModalDialog method and modifying the location to execute code

The report above describes those operating systems, browsers, and applications that are vulnerable in the real world scenarios they have observed.  Here it is slimmed down:

Internet Explorer is the worst offending browser. Mozilla is second.
Windows XP, Windows 7, and Windows Vista are the worst offending operating systems.
Java, Adobe Reader, and Adobe Flash are the worst offending applications.

Salient point is that fully updated and patched installs let 70% of the infections through. Mainly because the technology is reactive. Even more salient is that only 13% of the successful infections relied on software that was Windows only (10% were IE exploits, 3% were Windows Help exploits). All you folks encouraging your friends and families to buy Macs for the specific reason of their security are in for a world of hurt in a few years when Mac hits ~30+% market share. Kits are already starting to appear.

Conclusion: 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages:

Java JRE 37%
Adobe Reader/Acrobat 32%
Adobe Flash 16%
MS Internet Explorer 10%
Windows HCP (Help) 3%
Apple Quicktime 2%

For the sake of security, I would not run Java, Adobe anything or Internet Exploiter.

We don’t want you getting viruses because it’s difficult to remove and more importantly, expensive and time consuming.

1. Uninstall Java. Most end users never have a need for it and don’t update it.

2. Use Chrome to read PDFs or use Foxit. No need for Adobe, but to be fair Adobe’s new sandbox model in version X is resistant to viral infections and exploits.

3. Update Flash as often as it says or switch to Chrome.

4. Use ESET NOD32 & HitmanPro for protection
