WiFi Wide Open

Wi-Fi gives us freedom from wires, but it’s not secure by default. Data is transmitted through the air, and anyone nearby can easily capture it with the right tools. As discussed below, whether you have your own Wi-Fi network or use someone else’s, employing security measures is necessary to protect company files, online accounts, and user privacy.

Why Protect Your Wi-Fi Network?

By default, Wi-Fi routers and access points aren’t secure when you purchase them. Unless you enable encryption, people nearby can easily connect to your network. At best, they just use the free wireless Internet for browsing and downloading, possibly slowing down your connections. However, if they wanted to, they could possibly access your PCs and files. They also could easily capture your passwords or hijack your accounts for websites and services that don’t use SSL encryption, such as some Web-based email clients, Facebook, and Twitter.

Windows 8 Antivirus

In a move that is likely to anger the antivirus industry, Microsoft is adding security features from its Security Essentials program to Windows 8. This is good news for consumers, but bad news for the antivirus industry. Microsoft should have been doing this since the release of Windows 95. While many of us do simultaneous facepalms and giggle at a decade-late decision, others question the legality of doing so. A multi-billion dollar industry has grown, based on the absolutely porous operating system that is Microsoft Windows.

That’s right. Microsoft this week began offering U.S. customers its free antivirus program via Windows’ built-in update service, a move one major security firm said may be anti-competitive. Microsoft is adding features from its Security Essentials program, which is currently available as a separate download for Windows users, to the Windows Defender package already built into Windows. This means that Windows 8 users will get out-of-the-box protection against malware, along with firewall and parental controls from within Windows, without requiring users to hunt down a separate download or buy new software.

Dell, HP and UEFI

A big issue right now in the world of operating systems – especially Linux – is Microsoft’s requirement that all Windows 8 machines ship with UEFI’s secure boot enabled, with no requirement that OEMs implement it so users can turn it off. This has caused some concern in the Linux world, and considering Microsoft’s past and current business practices and the incompetence of OEMs, that’s not unwarranted. Dell has stated its plans to include the option to turn secure boot off, while HP was a bit more vague about the issue.

You believe OEMs and Microsoft on their blue eyes. After years of abuse and patent troll behaviour, smart people don’t.

Dell confirmed that they have plans to ship Windows 8 machines with the ability to turn secure boot off in UEFI, while HP had no idea what was going on. BIOS maker AMI, meanwhile, has said it will advise OEMs to not remove the option, but adds that they can’t mandate as such.

A Dell spokesperson has stated that “Dell has plans to make SecureBoot an enable/disable option in BIOS setup”. Dell plans to move to UEFI with secure boot in the Windows 8 time frame.

HP, sadly, was less clear. “HP will continue to offer its customers a choice of operating systems,” HP said, “We are working with industry partners to evaluate the options that will best serve our customers.” Nobody at HP was apparently even aware of the issue, which means this is a general PR statement with zero actual value.

Lastly, BIOS maker AMI stated that it “will advise OEMs to provide a default configuration that allows users to enable/disable secure boot, but it remains the choice of the OEM to do (or not do) so”. This is entirely reasonable – AMI just provides a software package, it doesn’t control what OEMs remove and include.

Michael Reed is the latest person to write about “restricted boot” (or UEFI) on a major GNU/Linux Web site. Matthew Garrett, who started a lot of the outcry, calls it a bug and Groklaw helps remind us that “Microsoft’s license provision [was] prohibiting OEMs from modifying the initial boot sequence…” There are several other examples of Microsoft sabotaging Linux adoption through booting complexity [1, 2, 3, 4, 5, 6, 7]. The worst thing one can do is assume good faith from Microsoft. The people who run the company are extremely anti-competitive. Don’t blame Microsoft; it’s in their nature.

My biggest fear is that like with BIOS today, every computer – even revisions within the same model – will have its own unique UEFI implementation, some of them broken and/or limited, without any means of telling which features are supported and implemented and which aren’t. Heck, I’ve encountered countless BIOS implementations over the years which only allowed you to change the boot drive order, and nothing else.

All in all, this issue is far from over, and considering Microsoft’s history of anti-competitive practices, its current patent troll behaviour, and the general incompetence of OEMs, it’s entirely reasonable and smart for us geeks to be on our toes.

Windows 7 is supported til 2020 … most large businesses are only just thinking about moving to it and doing testing … they will probably never move to Windows 8. Windows 7 is going to be around for the next good few years as well as businesses that will use XP forever and ever … will need new hardware.

Windows Patch Tuesday – November 2011

It is that time again! Adobe, Apple, Microsoft and Mozilla all released updates on Tuesday to fix critical security flaws in their products. Adobe issued a patch that corrects four vulnerabilities in Shockwave Player, while Redmond pushed updates to address four Windows flaws. Apple slipped out an update that mends at least 17 security holes in its version of Java, and Mozilla issued yet another major Firefox release, Firefox 8. If 17 security holes in Java just since the last release doesn’t convince a person to uninstall Java, I’m not sure what will.

The only “critical” patch from Microsoft this month is a dangerous Windows flaw that could be triggered remotely to install malicious software just by sending the target system specially crafted packets of data. Microsoft says this vulnerability may be difficult to reliably exploit, but it should be patched immediately. Information on the other three flaws fixed this week is here. The fixes are available via Windows Updates for most supported versions of the operating system, including XP, Vista and Windows 7.

Adobe’s Shockwave update also fixes critical flaws, but users should check to see if they have this program installed before trying to update it. To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.

The vulnerabilities fixed by this update exist in versions of Shockwave 11.6.1.629 and earlier. The latest version, v. 11.6.3.633, is available here. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, like Adobe’s Flash Player, Shockwave demands two separate installation procedures for IE and non-IE browsers.

Hat tip to the SANS Internet Storm Center for the heads up on the Java fix from Apple. This update, available via Software Update or Apple Downloads, essentially brings Snow Leopard and Lion up to date with the Oracle patches released last month in Java 6 Update 29 (Apple maintains its own version of Java).

If you use Mozilla Firefox or Thunderbird, you may have noticed that Mozilla is pushing out another major upgrade that includes critical fixes to these programs; both have now been updated to version 8. If you’re still running Firefox version 3.6.x, Mozilla has updated that to 3.6.24. Perhaps I’m becoming a curmudgeon, but I’m growing weary of the incessant update prompts from Firefox. It seems that almost every time I start it up it’s asking to restart the browser or to remove plugins that no longer work with the latest version. I’ve been gradually transitioning more of my work over to Google Chrome, which seems faster and updates the browser and any installed plugins silently (and frequently patches oft-targeted plugins like Flash Player even before Adobe officially releases the update).

I switched to Google Chrome when it first came out ago. I love it. It’s faster and makes updating easy and effortless. I still have Firefox, but Chrome is my default browser now on all my computers.

 

Web Browser Defense

For most of us, the Web browser is the first application we use when we turn on a computer. It’s how we check email, read the news, chat with friends and do just about everything.

What many users don’t realize, however, is that the Web browser is the most important security defense our computers have — and yet 60 percent of the browsers accessing the Internet today are outdated. An outdated browser ends up impacting everyone’s security, privacy and performance.

I wrote about Microsoft warning us *rolls-eyes* last week, in that we were not using a “secure” browser like Internet Explorer. GASP! The horror of us ignorant consumers!

To help users understand the importance of the browser you use, the Online Trust Alliance (OTA), a Web-industry trade group based in Bellevue, Wash., that promotes security and trust in online marketing and commerce, recently unveiled the “Why Your Browser Matters” initiative.

“The ‘Why Your Browser Matters’ initiative provides users overall recommendations to upgrade their out-of-date and legacy browsers for a more safe, more private and more compelling online experience,” said Craig Spiezle, executive director of OTA. “The Initiative is all about communicating with computer users to make them realize that an updated Web browser is one of the most important security steps you can take. It’s as important as running anti-virus/anti-malware software.”

Spiezle is quick to point out that while there is no magic bullet when it comes to computer security, the browser is on the front line of defense because it is used so frequently.

“Modern browsers detect malicious websites and phishing URLs, analyze downloads and support a broad suite of privacy features,” Spiezle said. “It’s critical to have these at your disposal when it comes to protecting yourself online, as well as protecting your machine in general.”

How new browsers protect you

Modern browsers try to provide security for users in three different ways, explained Roger Thompson, chief emerging threats researcher for ICSA Labs in Mechanicsburg, Pa.

For example, said Thompson, all modern browsers have “blacklists” of known malware sites and try to prevent users from visiting them. This method works well if the malicious sites are well-known, but online criminals try to move websites around by changing domain names and IP addresses faster than security researchers can update the blacklists — so sometimes this doesn’t work.

Some browsers, such as Google Chrome, also run applets and executable code in a “sandbox,” meaning that the code and applets can’t affect other parts of the browser or the operating system. Again, this doesn’t always work.

And all modern browsers have a somewhat regular patch cycle, in which developers fix vulnerabilities to prevent direct attacks.

A good illustration of how a browser can act as the first line of defense is with regard to shortened URLs, or Web addresses.

URL-shortening services such as bit.ly, tinyurl.com or is.gd are handy to use when including links in instant messages, text messages or Twitter posts. Unfortunately, URL shorteners also mask the actual URLs they lead to, and give no warning that links might be drive-by downloads or exploits waiting for unsuspecting victims.

Fortunately, some enterprising software developers have created a way to find out where you’re going.

“There are plug-ins available for Chrome and Firefox that will automatically expand short URLs to their actual address when viewing pages containing such links,” said Harry Sverdlove, chief technology officer of Bit9, a Web security company in Waltham, Mass. “These are useful when using Facebook or Twitter from a browser, common places where malicious links are hiding in short URLs.”
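As an added example, not code from the article or from the plug-ins it mentions, the Python below shows what such an expander does: it follows a short link's HTTP redirects with HEAD requests, so no page body is ever downloaded, and reports the full chain, the final host and anything suspicious along the way. The `.example` hosts and the `FAKE_RESPONSES` table are constructed sample data, and `expand`, `head_request` and `fake_fetch` are names chosen here.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def head_request(url, timeout=5):
    """Send one HEAD request; return (status, Location header or None).

    Only headers are read and redirects are NOT followed automatically,
    so the caller sees every hop of the chain.
    """
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=head_request, max_hops=MAX_HOPS):
    """Follow redirects hop by hop and describe where a short URL leads."""
    chain, seen, warnings = [url], {url}, []
    current = url
    for _ in range(max_hops):
        scheme = urlsplit(current).scheme.lower()
        if scheme not in ("http", "https"):
            warnings.append(f"non-HTTP scheme: {scheme}")
            break
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            break  # reached the real destination
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in seen:
            warnings.append("redirect loop")
            break
        if scheme == "https" and urlsplit(nxt).scheme.lower() == "http":
            warnings.append(f"downgrade to plain http at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    else:
        warnings.append("hop limit reached")
    return {
        "chain": chain,
        "final": current,
        "final_host": urlsplit(current).hostname,
        "warnings": warnings,
    }


# Constructed sample data: canned responses so the example runs offline.
FAKE_RESPONSES = {
    "http://sho.rt.example/abc": (301, "https://tracker.example/r?id=1"),
    "https://tracker.example/r?id=1": (302, "/landing"),
    "https://tracker.example/landing": (302, "http://files.example/setup.exe"),
    "http://files.example/setup.exe": (200, None),
    "http://loop.example/a": (302, "http://loop.example/b"),
    "http://loop.example/b": (302, "/a"),
    "http://sho.rt.example/ftp": (302, "ftp://files.example/x"),
}


def fake_fetch(url):
    """Stand-in for head_request that answers from FAKE_RESPONSES."""
    return FAKE_RESPONSES.get(url, (200, None))


if __name__ == "__main__":
    result = expand("http://sho.rt.example/abc", fetch=fake_fetch)
    for hop, link in enumerate(result["chain"]):
        print(hop, link)
    print("final host:", result["final_host"])
    print("warnings:", result["warnings"])
```

Calling `expand(url)` without the `fetch` argument uses `head_request` and contacts the real servers.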

How to protect yourself

As Thompson pointed out, browser vendors are good about providing updates and patches that improve security by fixing vulnerabilities that bad guys exploit. But after that, it’s up to the user himself to take action by actually downloading the updates, or upgrading the browser to the latest version.

You can check the version number of your browser by going to the Help button on your browser’s menu and checking the “About” section. (On a Mac, click the name of the application next to the apple icon in the upper left of the screen.) Often, the “about” pop-up window will prompt you to check whether there might be updates available.

For those who use Internet Explorer, Spiezle has this important piece of advice: “If it says Internet Explorer 6 … run, do not walk to the nearest free download of Internet Explorer 9.”

(If you’re still running Windows XP, update to Internet Explorer 8, the latest version you can install.) Which is the highest version you can run on Windows XP, unless someone figures out a hack for it, which they will. I’d rather you run Google Chrome.

Internet Explorer 6 has been the target of a number of malicious attacks over the past decade; newer versions of Internet Explorer are much more secure.

Does it matter which browser you use? Spiezle and Thompson disagree on that question.

While Thompson said that today’s browser upgrades have leveled the playing field when it comes to security, Spiezle pointed out that there still are differences among them, and each user has to assess which is best for his own uses.

“You need to look at not only the security features, but also privacy features, as well as support for the latest technologies,” Spiezle said.

Here is the link for a good start: https://otalliance.org/browser/. At first I was thinking that this was another Internet Explorer centered website, but at least they mention the alternatives.

Internet Safety: 7 tips

Don’t use a single, easy-to-remember password for everything you sign up for. It’s tempting because you’re always being asked to create another user name and password at one site or another.

“When criminals are able to get your password from one site that they’ve hacked into, they then take it and try to use it on other common services to see if they can get more access to your personal information,” said Chester Wisniewski, a security expert at security firm Sophos Ltd. “So they’ll go to Facebook and use the same password you used on [the site they hacked into] and they’ll go to your Gmail account.”

If it sounds too good to be true, it probably is. “We see all these survey scams on the Internet all the time where you’re asked to fill in all this personal and private information and enter to win an iPad,” Wisniewski said.

The problem is most of them are frauds and scams. “No one is getting an iPad,” Wisniewski said.

Instead of entering a sweepstakes, what you’re really doing is handing your information over to criminals who might sell it off to someone else or use it to commit identity theft.

Be cautious about sharing information, even if it seems harmless. Don’t give out information such as your birth date on social media or other sites that ask for it.

“Unfortunately, the way we work in the real world, these things may be used to identify you,” Wisniewski said.

Instead of giving away your identity, make another one up.

Keep your anti-virus software up to date. Anti-virus software comes pre-installed on most computers. But after the initial free trial period is over, either shell out for a subscription or install free anti-virus software. You’ll need it.

“It’s not a bulletproof answer because things still get by anti-virus software,” Wisniewski said. “But keeping it up to date improves your safety dramatically. And there are great free solutions out there — namely Linux.

Keep all regular software up to date to ensure it’s secure. If you do, you’ll lessen the chances of experiencing a security breach.

Trojan horses, viruses and other forms of malware evolve every day. When a bug or hole that could harm your computer or let in the bad guys is found in a piece of software, the software company will usually release an update. It’s very important that you run these updates to minimize the opportunities for criminals to steal or misuse your information.

“For example, if you get that little balloon in the tray in Windows, that says ‘Hey, there’s an Adobe update available,’ click ‘yes,’” Wisniewski said.

Keep your browser up to date. If you’re using an outdated browser, you’re also running the risk of being scammed or having your identity stolen. Up-to-date browsers have much better protection against cyberattacks than older versions.

Enable a firewall and configure it properly. A firewall is a system designed to prevent unauthorized access to your computer. Most current operating systems, such as updated versions of Windows XP, Vista and 7, as well as Mac OS X 10.4 and later, have one built in. Otherwise, you can get an inexpensive software firewall from your local computer store, software vendors or your Internet service provider.

“Turning the firewall on makes a big difference,” Wisniewski said, “because if something were to escape your anti-virus [software] and try to communicate with the Internet to send all your banking information, your firewall will stop that if it’s enabled and configured properly.”

Windows XP – 10 years

Ten years ago this, Microsoft released Windows XP, which became one of its most popular flavors of the Windows operating system — largely because what came after it, Windows Vista, was so terrible and a complete failure. Windows 7, in all its glory, was so great it took two years to surpass XP.

This month marks the first time that Microsoft Windows XP has dipped below 50 percent market share among personal desktops and laptops worldwide, after having peaked at about 75 percent in 2007, according to NetApplications.com and Statcounter.com.

The 10-year-old operating system is notorious for its security holes. It’s got much less protection against viruses, Trojans and other malware than do its successors Windows Vista and Windows 7, and even the National Security Agency itself advised against XP’s continued use in a document released earlier this year. Yet it maintains a strong presence worldwide, especially in China and Russia, and that huge installation base makes it easier for malware writers to spread their wares.

Savvy users might blame XP’s enduring popularity on the naivete of less knowledgeable consumers, but the real culprit might be Microsoft’s own naivete when it comes to how consumers make their decisions.

“Users in general are averse to taking time out of their schedules to come up to speed on the newest features which, at the end of the day, they don’t view as significantly improving their productivity,” said Tom Halleran, a service delivery executive at a global IT services provider.

Microsoft is slowly but surely abandoning XP. Mainstream support was officially retired in 2009, and the software giant will discontinue all support — likely including security patches — for XP by 2014. The company’s motivation is clear: Compared to streamlined modern operating systems such as Linux, XP has become an embarrassment. I have an XP counter at the bottom right sidebar of my website; don’t wait to act and to make a decision on what operating system to migrate to.

Aside from perpetuating security holes that were never fully addressed, XP makes other operating systems more attractive to consumers looking to trade up. Comparison shopping between Windows 7 and Apple’s Mac OS X is a more or less level playing field; comparison shopping between XP and OS X is no contest.

So why are XP users reluctant to upgrade? There are four main reasons.

Price is an obvious factor, and not just because Windows 7 starts at $200. Mainstream consumers tend not to upgrade their operating systems until they buy new machines. Microsoft expects its customers to respond to upgrade deals, yet ignores the fact that the cost of the hardware itself — a new desktop or notebook — is the real stumbling block from a financial perspective.

Then there’s another concern: compatibility. Corporations may have to buy new machines for entire departments to keep up with operating-system requirements. Home users often prefer to have all their machines running the same operating system — the unpredictable network mismatches that can arise are often too difficult or time-consuming to troubleshoot — and at $200 per Windows 7 license, it may be easier to stick with XP across the board.

Home and corporate users also don’t like the learning curve of adapting to a new system. XP users are used to their work flows; they know where to find what they need, and they like it that way.

Microsoft is mistaken in thinking that every new version of its flagship OS must be a substantial change from the last. Windows users have set tasks to accomplish when they boot up, and taking time out to re-learn how to accomplish those tasks is not what they signed up for. The waste of hours (and, potentially, corporate resources) is a strong deterrent to upgrading.

Some advanced users might consider the above three reasons for resistance to be limited to the less computer literate, but many coders and developers find a fourth reason to avoid updating: preference.

“Tech-savvy users who understand the security benefits of upgrading are often unhappy with what they see as an increasing lack of control over their system,” Halleran said.

With both Vista and Windows 7, Microsoft has been pushing toward a sleeker, more user-friendly, but less user-controlled model. It’s no coincidence that these developments have been compared to Apple’s standard look and functionality. A quick Google search for the phrase “more and more like Mac” turns up nearly half a million results, and even a cursory glance at the text excerpts suggests that this isn’t what a lot of Windows users want.

If it’s attempting to win over Mac users, Microsoft has failed on two counts: Mac users exhibit tremendous brand loyalty, and PC power users tend to stick with Windows precisely because it isn’t Mac. If anything, this race toward a shiny OS singularity only encourages power users to adopt alternative operating systems such as Linux; and indeed, as XP’s market share has dwindled, Linux has gained ground.

In mimicking the Mac model, Microsoft is alienating its hardcore demographic. Despite quirky ad spots to the contrary, the choice of “Mac or PC” these days is usually based on mere preference, not technical factors.

At the same time, Microsoft’s unrealistic assessment of consumers’ willingness to upgrade to unfamiliar systems at high prices means that the world will likely be saddled with XP for years after support is completely abandoned.

Facing the glaring security problems of an XP-infested future, Microsoft might need to rethink both its OS development and its business strategy. The company can sweep XP under the rug, but it won’t be easy to smooth out the big lump that remains.

While many of us may be looking to migrate from Windows 7 to Windows 8 when it becomes available (I’m not, I have no need for either) — no date is set, but it could be late next summer — there are still plenty of folks using XP for many reasons. However, with the economy as it is and getting tighter, now is the time to look at a decent operating system, such as Linux Mint. The benefits are enormous and you are missing out! There is no reason to go out and buy a new computer, just because Windows XP is expiring or even upgrade. Windows 7 has no feature benefits worth spending the money on; the only difference may be that you get Internet Explorer 9, but who needs that when you have Firefox and Chrome, which are supported with extensions.

The advantages of Linux are fivefold:

  • Cost – The most obvious advantage of using Linux is the fact that it is free to obtain, while Microsoft products are available for a hefty and sometimes recurring fee. Microsoft licenses typically are only allowed to be installed on a single computer, whereas a Linux distribution can be installed on any number of computers, without paying a single dime.
  • Security – In line with the costs, the security aspect of Linux is much stronger than that of Windows. Why should you have to spend extra money for virus protection software? The Linux operating system has been around since the early nineties and has managed to stay secure in the realm of widespread viruses, spyware and adware for all these years. Sure, the argument of the Linux desktop not being as widely used is a factor as to why there are no viruses. My rebuttal is that the Linux operating system is open source and if there were a widespread Linux virus released today, there would be hundreds of patches released tomorrow, either by ordinary people that use the operating system or by the distribution maintainers. We wouldn’t need to wait for a patch from a single company like we do with Windows.
  • Choice (Freedom) – The power of choice is a great Linux advantage. With Linux, you have the power to control just about every aspect of the operating system. Two major features you have control of are your desktop’s look and feel by way of numerous Window Managers, and the kernel. In Windows, you’re either stuck using the boring default desktop theme, or risking corruption or failure by installing a third-party shell.
  • Software – There are so many software choices when it comes to doing any specific task. Sometimes it’s a simple modification or feature enhancement of an already existing piece of software, sometimes it’s a brand new application. In addition, software on Linux tends to be packed with more features and greater usability than software on Windows. Best of all, the vast majority of Linux software is free and open source. Not only are you getting the software for no charge, but you have the option to modify the source code and add more features if you understand the programming language. What more could you ask for?
  • Hardware – Linux is perfect for those old computers with barely any processing power or memory you have sitting in your garage or basement collecting dust. Install Linux and use it as a firewall, a file server, or a backup server. There are endless possibilities. Old 386 or 486 computers with barely any RAM run Linux without any issue. Good luck running Windows on these machines and actually finding a use for them.

Either way you look at it, you will be forced to relearn Windows 7 when you leave XP, then yet again when you leave for Windows 8. Look at the advantages Linux can offer you and make the decision to try something new for once. You will have to eventually, as Windows is totally changing the user interface and killing off the start menu. http://jet-computing.com/microsoft-kills-start-menu/

Microsoft Word Virus

A new virus has cropped up in various countries across the world and its target appears to be corporate networks. The Duqu virus, first noted last month by a laboratory at Budapest University, has now been spotted in several other countries and appears to be sent via Microsoft Word documents attached as emails. Microsoft has announced that it is working on a fix.

The point of the new virus seems to be to gather corporate information and then send it to some as yet unknown site. Thus, it’s a form of corporate espionage. Chillingly, researchers at Symantec, the giant antivirus company, say it looks like some of the code in the virus is the same as was found in the Stuxnet virus that wreaked havoc on Iran’s nuclear program, indicating that the perpetrators were either able to obtain the code from that virus, or are the same people.

The virus is activated when a person to whom an infected Word document was sent opens it. The virus infects that computer, then seeks out other computers through the corporate network. As it goes, it collects data and then, apparently, seeks a path out to the Internet where it can send the data it’s collected to a predefined destination. Thus far it has relied on a so-called zero-day exploit to take advantage of a previously unknown weakness in the Windows kernel, which means getting in and doing its dirty work before victims have a chance to come up with a means of defense against it.

Thus far, it appears that the virus has been targeted at specific types of companies, as the data-collecting part of the virus seems to seek out information pertaining to industrial control-systems. So it’s likely that whoever unleashed the virus did so in hopes of gaining information on how companies are designing and manufacturing their products; not something the average person would need to worry about, but still enough to cause concern about the growing sophistication of computer viruses.

So far, instances of the virus have been seen in Iran, India, France, Ukraine, the UK and at least eight other countries that have not been specifically identified.

In the meantime, Microsoft has released an advisory and a stopgap fix for the zero-day vulnerability exploited by the “Duqu” Trojan, a highly targeted malware strain that some security experts say could be the most important cyber espionage threat since Stuxnet.

According to the advisory, the critical vulnerability resides in most supported versions of Windows, including Windows XP, Vista and Windows 7. The problem stems from the way Windows parses certain font types. Microsoft says it is aware of targeted attacks exploiting this flaw, but that it believes few users have been affected.

Nevertheless, the flaw is a dangerous one. Microsoft said that an attacker who successfully exploited this vulnerability could run arbitrary code, install programs; view, change, or delete data; or create new accounts with full user rights. The most likely vehicle for the exploit is a poisoned email attachment. This means that a hacker deploying the Duqu Trojan against a Windows machine that hasn’t yet downloaded the temporary fix could gain nearly total access to a person’s computer.

Microsoft is working on developing an official security update to fix the flaw. For now, it has released a point-and-click Fixit tool that allows Windows users to disable the vulnerable component. Enabling this tweak may cause fonts in some applications to display improperly. If you experience problems after applying the Fixit solution, you can always undo it by clicking the “disable” image in the Microsoft advisory and following the prompts. So in reality, some of you may not be able to fix this until the next ‘Patch Tuesday’ in December.

Windows Patch Tuesday – October 2011

Windows, insecure by design. How else can you explain that all supported versions of Internet Exploiter have the same vulnerability to injection of malware?

Microsoft and Apple today released security updates to fix a slew of critical security problems in their software. Microsoft’s patch batch fixes at least 23 vulnerabilities in Windows and other Microsoft products. Apple’s update addresses more than 75 security flaws in the Windows versions of iTunes.

Nine of the 23 flaws Microsoft fixed with patches today are rated “critical,” meaning attackers could exploit them to break into vulnerable systems with little or no help from users. Eight of the nine critical bugs are in Internet Explorer. The remaining critical flaw is corrected in an update for the .NET Framework. Three of the vulnerabilities fixed with these updates were disclosed publicly prior to today, including a flaw in Windows Media Center that Microsoft believes crooks are likely to soon figure out how to reliably exploit.

The iTunes update brings the music player software to version 10.5, and is available for Microsoft systems running Windows 7, Vista, XP SP2 and later. Two new features of iTunes deserve mentioning: Apple says iPhone and iPad users who upgrade to iOS 5 when it is released later this week will be able to sync with iTunes wirelessly. More importantly from an update perspective, Apple has at long last untethered iTunes from QuickTime.

Users can download the update by opening iTunes; if you’re not directed to download iTunes 10.5 when you start the program, click “Help,” and then “Check for Updates.” Some OS X users may be wondering how many of these flaws exist in the Mac version of iTunes. According to the SANS Internet Storm Center, Mac users can expect some of these problems to be fixed in Security Update 2011-006 and in OS X Lion v. 10.7.2. For the time being, however, neither of those updates appears to have been released.

The latest Windows patches are available through Windows Update or via Automatic Update.

October’s Patch Tuesday release resolved issues in Internet Explorer versions 6 through 9, all versions of Microsoft Windows from XP through 7, .NET and Silverlight, Microsoft Forefront Unified Access Gateway and Host Integration Server, Microsoft said Oct. 11. Two of the patches are rated “critical,” and six are rated “important,” Microsoft said.

Microsoft recommended that organizations apply the Internet Explorer and .NET/Silverlight patches first as attackers are likely to come out with a reliable exploit within 30 days. Malware developers often reverse-engineer the patches after they are released to develop exploits that target unpatched systems.

Kaspersky Lab senior security researcher Kurt Baumgartner said that reliable exploitation will lead to remote code execution across a wide variety of Windows versions because Internet Explorer and Silverlight are heavily used software clients.

“It would be surprising to not see related exploits added to packs and widely used in attack attempts over the coming months,” Baumgartner wrote on the Securelist blog.

The critical update for Internet Explorer fixed at least eight known security flaws in all versions of Microsoft’s Web browser, including the latest Internet Explorer 9. The bugs were in the way IE handled objects in memory and the way memory was allocated and accessed.

If exploited, the bugs in Internet Explorer would expose the user to drive-by download attacks just by browsing to a booby-trapped site, according to Microsoft. The attacker can gain the same user rights as the user, but users who have accounts with fewer user rights are likely to be less impacted than those who have administrative rights.

“Patching browsers will be top priority because the vulnerabilities fixed with each security bulletin release in browsers are top exploit targets for attackers,” Jason Miller, manager of research and development at VMware, told eWEEK.

The second critical update fixed a remote code execution flaw in .NET Framework and Silverlight. Users could be compromised just by viewing a malicious page specifically running XAML Browser Applications or Silverlight applications, Microsoft said. The vulnerability would also allow remote code execution on a server running IIS if that system allowed processing ASP.NET pages and specially crafted ASP.NET pages are uploaded to the server and executed. The .NET issue also affects Mac OS clients, according to Dave Marcus, director of security research and communications at McAfee Labs.

The .NET framework class inheritance vulnerability is “complex to exploit” but can be exploited in a “number of ways,” including traditional downloads, drive-by-downloads and by hosting a malicious .NET application, said Joshua Talbot, security intelligence manager at Symantec Security Response.

Microsoft fixed five privately reported vulnerabilities in Microsoft Forefront Unified Access Gateway. The cross-site scripting vulnerability in Microsoft Forefront, if exploited, will allow attackers to steal log-in credentials used for VPN access and gain access to sensitive data. The patch for Microsoft Forefront will likely affect the “smallest number” of organizations because Microsoft generally doesn’t have a big presence in corporate security infrastructure, Marcus Carey, a security researcher at Rapid7, told eWEEK.

Microsoft has two bulletins to fix the DLL preload vulnerabilities in Windows Media Center and Microsoft Active Accessibility. Microsoft has released a patch 17 times to close this issue in various programs since it was first identified Aug. 23, 2010, according to Miller.

“Overall this Patch Tuesday is fairly moderate. Three of the included vulnerabilities have been previously disclosed, and there is an available proof-of-concept code,” Marcus said.

October is often the last month in which administrators at financial and retail organizations apply patches before going into “lock-down” mode for the holiday shopping season, according to Andrew Storms, director of security operations at nCircle. “Enterprise IT teams should get ready to pull out all the stops,” Storms said.

Microsoft kills Start menu

Microsoft recently killed the Start Menu, and their explanation for it seems fairly straightforward: no one used it. This may be a bit of an exaggeration, but Microsoft explains that use of the Start menu dipped by 11 percent between Windows Vista and Windows 7, with many specialized Start functions — such as exploring pictures — declining as much as 61 percent.

Windows 8 Metro Start Screen

When you can’t figure out the easy way to launch stuff, look in the Start Menu. This is change for change’s sake. How is someone supposed to use this? You can’t, without much anguish. Why? Because they didn’t like the big, floor-to-ceiling look of the old XP system, they shrunk it all down so that it only shows 5-6 items at a time and has a scroll-bar. In short, they made it harder to use and less functional than the XP Start Menu, and to everyone’s amazement, people stopped using it, and then they claimed it was some sort of UX triumph.

Ditto with the control panel – rather than one big screen with 100+ tiny icons on it, they reworded a few things (“Display” became “Personalization”, and there are 2-3 different UIs rather than the tabs on the old-fashioned XP display.cpl) and made them all look like web-apps. Now that it’s unnavigable with words or icons, everyone uses “search” and it “feels faster”. You can’t write documentation that says Start-Settings-ControlPanel-Display-Screensaver, you have to say “search for ‘screen saver’ and clicky on whatever pops up”… *sigh*

Much like Firefox, most UX innovation is precisely that. If you don’t get the results that match your pet UI design philosophy, move the feature around, and while your users are trying to find the feature you don’t want, accumulate enough telemetry to claim your users aren’t using it as often, then take it away. (Status bar, full URL in the URLbar, etc.)

And the problem fundamentally isn’t that the Start Menu is too complicated. It’s that they’ve never provided a good tool for *managing* it. So the average person, being unaware that it’s just a bunch of directories and shortcut files, suffered with the floor-to-ceiling scrolling menu from hell. M$, on noting their complaints, responded by taking away most of the menu. This led to a different set of complaints, since now no one can find anything and the reaction is to give up on the start menu entirely.

But it still didn’t solve the real problem, which as I said is still that there’s no good tool that average non-savvy users can turn to for *managing* the Start Menu. How hard could it be to make a nice little interface (not relying on drag-and-drop in the live menu, which in my observation is usually a disaster) geared toward letting average folks sort out their programs into reasonable hierarchies, so the Start Menu isn’t always One Huge Mess??

Being an avid user of Linux Mint, I much prefer using Cairo Dock and Mint Menu, both of which are configurable. I have to chuckle over this, and just shake my head.

It would be fine if I never changed computers, or never needed to re-install the OS; however, any time you used a different computer / OS, you would need to re-organize things and go against the defaults. The other problem I had was that sometimes it was hard to perfectly categorize things. Google’s Chrome browser and its ChromeOS are working to conquer this aspect.

Without the Start Menu, how do I shut down? Hold the power button down for ten seconds, just like always. :)

So in Windows 8 (for those that tried the demo, yes I downloaded the ISO and set up a VM to try it) they replaced the simple little menu in the start button with a whole screen monstrosity that takes the entire desktop. Taking over my whole desktop because I pushed the start button isn’t the answer to this problem. IMO people don’t use the start menu much because they put icons of their most used programs in the quick launch tool bar and on the desktop itself. Instead they take a simple menu, blow it up full screen and if you decide you don’t want to pick a program and go back to what you have running, there is no logical way to do it (there isn’t a close button that’s obvious, ESC doesn’t work, right click doesn’t work).

Gnome3 and Ubuntu’s Unity solution to doing away with the start button is far better than what Microsoft has cooked up (and I don’t really like those either, but I can see them working better). If I fail that badly using their “NEW AND IMPROVED” start menu I can’t even comprehend how disastrous this will be for the less computer literate. The best part is, you cannot bring back the old start menu that I could find. It’s not in the control panel, the options are gone from the right click menu, etc.

Microsoft is making a huge mistake overlaying their Windows Phone 7 Metro interface on Windows. This is a huge mistake that’s obviously being done to use the Windows monopoly against the phone competition. It’s going to backfire and damage Windows just like Vista did.

Microsoft killed the Start menu because they want to force everyone to use Windows Phone, even if they aren’t (initially) buying a Windows Phone. They failed for years to sell phones that look like a Windows desktop, so instead they’re changing the Windows desktop to look like their phones, and hoping that iOS and Android end up looking “foreign” to phone users as a result.

People click on the Start menu when they want to find something to Start. Imagine that. The bottom line is that the Windows 95 UI (which is to say, Microsoft’s ripoff of the RiscOS UI [guidebookgallery.org]) was the pinnacle of personal computer desktop UI design. Everything that’s happened since then has been change for change’s sake and has only served to annoy users and get in their way.

There is really nothing wrong with a start menu. Microsoft, however, never enforced a good practice with their start menu; the signal to noise ratio is VERY low. It’s cluttered with company names, uninstallers and readme files. Why should I have to know the name of the company if I want to use a program? It looks very much like advertisement to me. Instead of enforcing a good practice they have extended the start menu with “most used programs”, which really doesn’t cure the underlying problem, and to me it’s even more cluttered. They should get rid of everything but the program starters in correct folders, Games in the games folder and so on, with one menu entry per program; this was probably how it was meant to be by the original designer but never enforced. Look at Gnome, very simple, and very effective. And now Microsoft have come to the conclusion that nobody uses their cluttered mess of a start menu, and are killing it. I say it could be fixed, but Microsoft doesn’t seem to know what’s wrong with it.
