Windows 8 DOA
The Windows 8 Consumer Preview has been out long enough for people to try and get used to its dual Metro/Desktop interface. But the longer it’s out there, the less people like it, and there’s a backlash against the dual system from people ranging from normal users to engineers. Will Microsoft listen and fix the hybrid operating system?
What a whole lot of FAIL, Vista 2.0 here we come. This is great for tablets, but tablets are a fad. This has no place on a desktop operating system. Smart phones are the evolution of computing. Mark my words – in 5 years, tablets will not exist. You will have a phone that will be your primary mobile computer. At home, you will connect your phone to a wireless mouse, keyboard and display.
“Windows 8 just dumps you into the Start screen. No tutorial, no help icon on the main screen, nothing. This will be fixed by launch or Windows 8 will fail.”
Bibik is on target. Most people who use Windows 8 on traditional computers rather than tablets will spend their time in the Desktop because that’s where the apps they most use are, notably Microsoft Office, which won’t run as a Metro app. Yet the Windows 8 Desktop is less useful than in previous versions because the Start menu and Start button have been taken away.
Metro and the Desktop are essentially two different operating systems incompletely bolted together. Sure, techies can figure out how to navigate between the two interfaces, but other people will have a hard time.
Windows Patch Tuesday – March 2012
Today could be the day malware artists figure out how to do remote code execution on many millions of PCs and servers running Microsoft’s OS with RDP enabled. Microsoft has released a patch this Patch Tuesday, but who knows how many machines will be unpatched in the next few days?
See MS12-020.
Need we say more about the foolishness of leaving your IT as a monoculture of Microsoft’s stuff after decades of them demonstrating little or no concern for security?
Microsoft yesterday released updates to sew up at least seven vulnerabilities in Windows and other software. The sole “critical” update in the bunch patches a particularly dangerous flaw in all supported versions of Windows that allows attackers to seize control over vulnerable systems remotely without authentication.
In the company’s words, one of the vulnerabilities “could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.” Only systems that have remote desktop actually enabled are vulnerable, but Microsoft recommends that everyone install the update, just in case. Affected operating systems include Windows XP, Vista, and 7, not to mention Windows Server 2003, 2008, and 2008 R2.
“Microsoft is urging organizations to apply the sole critical update in this month’s Patch Tuesday release as soon as possible. The critical bulletin – one of six security bulletins issued as part of Tuesday’s release – addresses two vulnerabilities in the Remote Desktop Protocol (RDP). Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon’s AWS, need to patch as quickly as possible, said Qualys CTO Wolfgang Kandek. Besides the RDP bugs, this month’s Patch Tuesday addressed five other vulnerabilities: two denial-of-service bugs and an escalation of privileges issue in Microsoft Windows; a remote code execution vulnerability in Microsoft Expression Design; and an escalation of privileges issue in Microsoft Visual Studio.”
The critical update plugs two security holes in Microsoft’s Remote Desktop Protocol (RDP), a service that is designed to let administrators access Windows systems remotely over a network. The saving grace for these vulnerabilities, which are present in Windows XP, Vista and 7, and Windows Server 2003 and 2008, is that RDP is not enabled by default on standard Windows installations. That means it is far more likely to be a threat to businesses than to consumer systems.
“It needs to be configured and started by the system’s owner, which then makes the vulnerability accessible; consequently we expect that only a relatively small percentage of machines will have RDP up and running,” said Wolfgang Kandek, chief technology officer for vulnerability management firm Qualys.
Dave Marcus, director of advanced research and threat intelligence at McAfee Labs, said this bulletin should be considered a top priority, noting that Microsoft has rated its “exploitability index” as 1, meaning that Microsoft expects working exploits to be available in fewer than 30 days.
“An unauthenticated remote code execution is pretty much as bad as it gets,” Marcus said.
For users and organizations that need time to evaluate the RDP patch before installing it, Microsoft has developed and released a FixIt tool to enable “Network-Level Authentication,” which according to the company is an effective mitigation for this issue.
The remainder of today’s updates address three other Windows vulnerabilities, and problems in Microsoft Expression Design and Microsoft Visual Studio. For a breakdown of the patches, see Microsoft’s Security Bulletin Summary for March 2012. The fixes are available through Windows Update.
“A little about MS12-020…this bulletin addresses one Critical-class issue and one Moderate-class issue in Remote Desktop Protocol (RDP),” Angela Gunn, security response communications manager for Microsoft’s Trustworthy Computing Group, explained in a blog post. “Both issues were cooperatively disclosed to Microsoft and we know of no active exploitation in the wild. The Critical-class issue applies to a fairly specific subset of systems – those running RDP – and is less problematic for those systems with Network Level Authentication (NLA) enabled.”
“That said, we strongly recommend that customers examine and prepare to apply this bulletin as soon as possible,” she added. “The Critical-class issue could allow a would-be attacker to achieve remote code execution on a machine running RDP (a non-default configuration); if the machine does not have NLA enabled, the attacker would not require authentication for RCE access.”
Ben Greenbaum, senior principal software engineer for Symantec’s Security Intelligence Group, agreed users should pay close attention to the RDP vulnerability.
“RDP’s purpose is to enable remote access from the Internet, but preferably to an authenticated user,” he said. “In this case, a malicious attacker can potentially take complete control of the computer. Failed exploit attempts of this issue will likely result in the user being confronted with the blue screen of death. If an attacker can bypass standard memory protection measures, however, they will have access at the kernel level.”
Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon’s AWS, need to patch as quickly as possible, Qualys CTO Wolfgang Kandek opined.
“If the patch cannot be applied that quickly or the necessary reboot cannot be scheduled, IT Admins should look into the available work-arounds that function immediately: protect the machine with restrictive firewalling, access RDP through a VPN service or switch to Microsoft’s NLA protocol that is supported in newer versions of Windows (Vista+) and is not vulnerable to the attack,” he said.
The final bulletin for the month was only rated moderate. A vulnerability in DirectWrite could result in a denial of service condition on receipt of a maliciously crafted sequence of Unicode characters.
This issue could be exploited via instant messenger clients. Windows 7, Vista and Server 2008 are affected.
Paul Henry, security and forensic analyst at Lumension, pointed out that the Internet Explorer 9 zero-day exploit used at the Pwn2own event was not addressed by Microsoft, but noted, “To be fair, they received the details only yesterday.” More on that later.
He also observed that while the number of bulletins released this month represented a light load of patches, they “will be disruptive in terms of required reboots.”
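For admins triaging machines ahead of the patch, the sketch below reads the registry settings that decide whether the RDP listener is enabled and whether Network Level Authentication is required, the mitigation named above. It is an added example, not code from the article or from Microsoft's FixIt tool; the function names are hypothetical, and it assumes the standard Terminal Services registry locations and a Windows version that supports NLA (Vista or later).

```powershell
# Added example (not from the original article): read-only audit of the local
# RDP listener. Registry locations are the standard Terminal Services ones.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-EffectiveValue([string]$Name, [string]$LocalPath) {
    # A Group Policy value, when present, overrides the local setting.
    $policy = Get-RegValue $polKey $Name
    if ($null -ne $policy) { $policy } else { Get-RegValue $LocalPath $Name }
}

function Get-RdpExposure {
    $deny = Get-EffectiveValue 'fDenyTSConnections' $tsKey
    $nla  = Get-EffectiveValue 'UserAuthentication' $rdpKey
    $port = Get-RegValue $rdpKey 'PortNumber'

    # fDenyTSConnections = 0 means connections are accepted; a missing value
    # is treated here as "not enabled".
    $rdpEnabled  = ($deny -eq 0)
    # UserAuthentication = 1 means the listener requires NLA before a session.
    $nlaRequired = ($nla -eq 1)

    if (-not $rdpEnabled) { $verdict = 'RDP disabled: listener not exposed' }
    elseif ($nlaRequired) { $verdict = 'RDP enabled, NLA required: mitigated, still patch' }
    else                  { $verdict = 'RDP enabled WITHOUT NLA: patch or mitigate now' }

    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        RdpEnabled  = $rdpEnabled
        NlaRequired = $nlaRequired
        Port        = $port
        Verdict     = $verdict
    }
}

Get-RdpExposure | Format-List Computer, RdpEnabled, NlaRequired, Port, Verdict
```

The script changes nothing on the machine. Firewall or VPN restrictions in front of the listener are not visible to it and have to be checked separately.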
Remote Kill Switch on your PC
Summary: A feature common in phones will let Microsoft remotely disable malware
This doesn’t surprise me at all; people tend to forget that Microsoft is well within its rights to put something like that in. After all, they own it, not you; you paid for a license to use, NOT own. In reality, kill switches are nothing new; all recent versions of Windows OS’s have one built in, and that’s why you have to activate your version of Windows. (more…)
Ubuntu adopts Windows XP users
LINUX VENDOR Canonical believes that Microsoft’s Windows XP, not Windows 8, could drive adoption of its Ubuntu Linux operating system.
With Microsoft readying Windows 8 for release later this year, companies are expected to evaluate whether it is worth renewing existing Microsoft licenses or splashing out on the latest Microsoft revision of its desktop PC operating system. However, according to Canonical CEO Jane Silber, it isn’t undercutting Windows 8 that holds the key for take-up of Ubuntu Linux but Microsoft’s termination of Windows XP support that will drive Ubuntu growth.
Talking with The INQUIRER, Silber said, “We certainly track it and keep an eye on competition. [...] The larger impact in terms of Microsoft in our customer base isn’t the emergence of Windows 8 but the upcoming, long awaited end-of-life of [Windows] XP.”
Silber’s point rests on the well known fact that many users, especially large businesses, are still running Windows XP. Microsoft has supported the operating system for over a decade, but the Redmond, Washington software house has said that it will end support for Windows XP on 8 April 2014.
Silber said, “What we are seeing there, particularly with enterprise customers with large desktop deployments in the tens of thousands, [is that they are] taking the opportunity to move to Ubuntu at that point, and they are, in some cases, not even evaluating future Windows desktop operating systems.
“It’s not that they are turning down Windows 8, [it's that] with the end of life of [Windows] XP there’s a disruption and a good point for them to re-evaluate their options.”
While Microsoft’s Windows XP April 2014 end of life date is still two years away, organisations that run thousands of Windows XP machines will have already started planning. Working out whether to upgrade to Windows 7 or Windows 8 or move to Linux could take the best part of a year to evaluate and test, and deployment might take another year, so the battle for those customers is well underway.
Silber believes punters are not necessarily looking for bells and whistles when evaluating an operating system. She said, “It’s more likely people are evaluating their desktop experience in terms of what they really need, this is one of the reasons why we’ve seen a lot of interest from enterprises for Ubuntu for Android. People are looking at what does it mean to have a desktop in five years from now. There’s more interest in client solutions, converged device scenarios, so it’s really an opportunity for us.”
Although some will question Silber’s belief that Windows XP, not the cost of upgrading to Windows 8, holds the key to Canonical’s push into the enterprise, the fact is that Canonical and other Linux vendors have two strong opportunities to go up against Microsoft as it tries to push customers into its next churn of its PC operating system cash machine.
7 overtakes XP, finally
Microsoft has finally seen use of its Windows 7 operating system (OS) overtake that of its ten-year-old brother, Windows XP. Windows 7 was released on July 22, 2009 and, with Windows XP so entrenched, it has taken a little over two years to catch up.
Web analytics firm Statcounter revealed the change in usage and explained that globally Windows 7 has a 40.5 per cent market share, Windows XP has 38.5 per cent, and Windows Vista has 11.2 per cent. (more…)
Intel Joins LibreOffice
Summary: Intel distributes LibreOffice, can Microsoft be pleased?
The month of February is a month to remember for the LibreOffice project. LibreOffice, the OpenOffice fork, is a very popular open-source office suite. But, while it has great support from Linux distributors, like openSUSE and Ubuntu, LibreOffice has never had a major corporate backer on the Windows side… until now. Intel is now offering LibreOffice to Windows users via its AppUp application store. I wonder how Microsoft feels about this. (more…)
Windows Patch Tuesday – February 2012
Microsoft is planning to release nine bulletins, addressing 21 vulnerabilities in Microsoft Windows, Office, Internet Explorer, .NET framework and Silverlight. The patches are scheduled to be released Feb. 14.
The software giant said that four of the bulletins are listed as “critical,” and three of those, all of which affect Windows, will require a restart. The critical bulletins address errors in Windows, Internet Explorer and server-side software. They all are said to address vulnerabilities that would allow remote code execution. (more…)
Computer Viruses Evolve
New malware morphs into different shapes unattended by humans
Now this is quite a fascinating story, it seems the latest development is the accidental development of new super-malware strains created by viruses infecting executable files of worms. Worms are generally executable files and well, viruses infect executables – so you can imagine what happens.
Ten years ago, there was a clear-cut distinction between Trojans, viruses and worms. They all had their own features specific to one family of malware only. As more people connected to the internet, cyber-criminals started mixing ingredients to maximize impact. And here I’m thinking Trojans with worm capabilities or viruses with Trojan features, and so on. (more…)
No Recovery For You!
When consumers purchase personal computers, they should be given the means to restore/repair their operating system via an included LIVE CD/DVD; for the OEM NOT to do so is just plain stupid. Bear in mind that as a Microsoft Windows licensee, meaning YOU, you DO NOT OWN the software or the product that you are paying for; you receive a license to use that software under the terms given, and you must abide by them, whether you like it or not. That doesn’t sound too user-friendly, does it?
What you typically have included with your computer is a recovery CD (best case), perhaps a recovery partition that just re-images your partition, setting everything back to the way it was originally, or nothing at all (worst case); none of these truly fixes anything. Normally the best way to accomplish this feat is to boot from a Linux LiveCD to recover your files. (more…)
Windows Patch Tuesday – January 2012
For the Swiss cheese of operating systems, Microsoft plans to start 2012 with a surprisingly large Patch Tuesday that covers seven security bulletins which collectively address eight separate vulnerabilities. Previous January releases have normally featured only one or two bulletins. The solitary critical bulletin in the batch fixes a remote code execution issue in Media Player. The remaining six “important” bulletins due next Tuesday handle the BEAST SSL issue, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts.
In the patch are other various information disclosure bugs, escalation of privilege issues and an update to Microsoft’s SEHOP (Structured Exception Handler Overwrite Protection) technology to enhance the defence-in-depth capability that it can offer to legacy applications. The first six bulletins affect various versions of the Windows Operating System, from XP SP3 up to the newest versions, Windows 7 and Windows 2008 R2. The seventh bulletin covers Microsoft Developer Tools.
The “important” rather than critical status for the BEAST SSL issue is at least debatable. The BEAST attack affects web servers that support SSLv3/TLSv1 encryption. Microsoft has already published a workaround, which involves using the non-affected RC4 cipher in SSL installations. A patch was originally promised in December but delayed until this month due to problems uncovered during testing. “Despite all of the hype over ‘The Beast’, attacks have simply never materialised and the issue has retained its ‘important’ classification from Microsoft,” notes Paul Henry, a security and forensic analyst at Lumension. Adobe and Oracle have both timetabled quarterly updates, on 10 January and 17 January, respectively, in what promises to be a busy month for patching.




