SleepyEgg

Tech News, Deals, & Games


Microsoft

Microsoft warns of IE flaw, turns PC into public file server


Microsoft has issued Security Advisory (980088) to address a publicly disclosed vulnerability in Internet Explorer that may allow information disclosure for Windows XP users or for users who have disabled Internet Explorer Protected Mode. The advisory explains that content can be forced to render incorrectly from local files in such a way that information can be exposed to malicious websites.

The vulnerability was discussed in depth at this week's Black Hat DC conference by Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies who revealed the issue a day after Microsoft released an out-of-band security bulletin for the browser. Here's the official description of the briefing: "In this presentation we will show how an attacker can read every file of your filesystem if you are using Internet Explorer. This attack leverages different design features of Internet Explorer entailing security risks that, while low if considered isolated, lead to interesting attack vectors when combined altogether. We will also disclose and demonstrate proof of concept code developed for the scenarios proposed."

Users running a version of Internet Explorer that does not have Protected Mode, or users who have decided to disable Protected Mode, are exposed to an attacker who can access files with an already known filename and location. Versions affected include Internet Explorer 5.01 and IE6 SP1 on Windows 2000 SP4, as well as IE6, IE7, and IE8 on supported editions of Windows XP and Windows Server 2003. Microsoft made sure to note that Protected Mode prevents exploitation of this vulnerability and is running by default for IE7 and IE8 on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Redmond also underlined that it is currently unaware of any attacks trying to use the vulnerability. It is actively monitoring the situation and may provide a security update on an upcoming Patch Tuesday or as an out-of-cycle patch once it is ready. The next Patch Tuesday is scheduled for February 9, 2009, but we're not likely to see a patch out that soon. As always, Microsoft is recommending users upgrade to IE8 (the company urged users to upgrade away from IE6 and XP after hacks affecting IE6 last month).

In the meantime, the software giant listed five mitigating factors for the vulnerability:

  • Protected Mode in IE7/IE8 on Windows Vista and later limits the impact of the vulnerability.
  • In a Web-based attack scenario, an attacker could host a webpage that is used to exploit this vulnerability or do so via a webpage that accepts or hosts user-provided content or advertisements. In all cases, however, an attacker would have no way to force users to visit these websites and would have to convince them to do so, which is typically achieved via an e-mail or instant message.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  • By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High and so is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone.
  • By default, all supported versions of Outlook, Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which should mitigate attacks trying to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

Microsoft outlined three workarounds in the security advisory. The first is to modify Internet Explorer's settings: set the Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones. The second suggests configuring Internet Explorer to prompt before running Active Scripting or disabling Active Scripting completely in the Internet and local intranet security zone. The third one is to enable Internet Explorer Network Protocol Lockdown for Windows XP. It requires editing the Windows registry, but thankfully Microsoft has created a "Fix it for me" for this workaround, available at KB 980088. Just click the "Fix this problem" link and you're good to go. The Fix It automates Network Protocol Lockdown and can be run on individual systems and deployed by enterprises through their automated systems.



IE6 users to be evicted from Gmail, Google Calendar


Late last week, Google announced it will phase out old browser support next month on Google Docs and Google Sites. The search giant also sent out an e-mail to Google Apps administrators to warn them of the date, as well as tell them something it did not disclose publicly last week: Gmail and Calendar are next on the IE6 support kill list. Here's the relevant snippet:

We plan to begin phasing out support of these older browsers on the Google Docs suite and the Google Sites editor on March 1, 2010. After that point, certain functionality within these applications may have higher latency and may not work correctly in these older browsers. Later in 2010, we will start to phase out support for these browsers for Google Mail and Google Calendar. Google Apps will continue to support Internet Explorer 7.0 and above, Firefox 3.0 and above, Google Chrome 4.0 and above, and Safari 3.0 and above.

We contacted Google to verify the authenticity of the e-mail. "We plan to stop supporting older browsers for the rest of the Google Apps suite, including Gmail, later in 2010," a Google spokesperson confirmed with Ars. We asked whether phasing out the support for older browsers on Gmail and Google Calendar would affect everyone, and not just Google Apps that companies have deployed. "Correct, both enterprise and consumer users," the spokesperson told us.

IE6 started off 2010 with about one-fifth of the browser market share. Actually, if we add all browser versions below IE7, Firefox 3.0, Chrome 4.0, and Safari 3.0, it's clear that at least one in four users are using browsers that Google plans to stop supporting. There's no telling if this number is the same for those who access Gmail, Google Calendar, Google Docs, or Google Sites; we asked, but Google refused to provide data from its end. The company has been using Gmail to convert IE6 users to Chrome for over a year, but later this year it's going to deal another blow to the ancient browser, moving it that much closer to its well-deserved demise.



Can Silverlight save Windows Mobile from plummeting sales?


Windows Mobile is steadily losing market share as consumers look to more frequently updated devices with a larger availability of apps. Despite the launch of Windows Marketplace for Mobile with 246 apps, and the opening of the store to Windows Mobile 6.x devices, developers don't seem as interested as Microsoft would hope. The company is hoping to reverse all the negative trends with the release of Windows Mobile 7, the upcoming version of its mobile OS that has seen multiple delays.

Microsoft is working hard to make Silverlight an important platform for building native applications in Windows Mobile 7 and on future generations of Windows Phones. We already knew that Silverlight for Mobile would arrive with Windows Mobile 7, the release date for which many expect will be announced at the Mobile World Conference in Barcelona this month. But how much emphasis Microsoft will put on the technology in its mobile OS is yet to be determined. One thing is certain though: the company is going to try to use Silverlight as a way to kick start mobile development on Windows Mobile 7, hopefully giving it enough momentum to push both technologies forward.

From what little we've seen of Silverlight in use, we have to say it's very powerful. Some may think it's too resource-intensive for the mobile world, at least in its current form, and we would have to agree. That said, if Adobe can bring Flash to just about every platform but the iPhone, then we think Microsoft can pull off the same with Silverlight. It won't be easy—at least one major delay has proven that. The first community technology preview for Windows Mobile 6 was originally expected in the second quarter of 2008, but the whole project was pushed back to coincide with the release of Windows Mobile 7. Microsoft has no plans (that we know of) to bring Silverlight to Windows Mobile 6.x.



Microsoft Office 2010 hits Release Candidate status


Redmond has provided a Release Candidate build of Microsoft Office 2010 to a select group of testers. "Microsoft made a release candidate available to members in the Technology Adoption Program (TAP)," a Microsoft spokesperson confirmed with Ars. "This is one of Microsoft's planned milestones in the engineering process; however they do not have plans to make this new code set available broadly."

Microsoft uses TAP to obtain real world customer feedback on its prerelease products from its partners. These partners have the opportunity to talk to the product engineering team, get help in deploying their Microsoft solutions, get early product education, and of course use feedback to influence the product during its development. The fact that Microsoft is not considering giving this build, or some RC version, to the public is a little worrying given that the company still has four months till Office 2010 is released. Granted, the final build will likely be compiled much sooner, but generally speaking, only providing a single public beta is uncharacteristic of the company. When we asked Microsoft about more public Office 2010 builds, the company refused to reveal anything. "We have nothing additional to share at this time," the spokesperson told Ars.

The Office 2010 beta that Microsoft gave out to the public three months ago was build 14.0.4536.1000 and has already been downloaded over 2 million times. Since then, and even before then, there have been many leaks of other builds; the latest one we've seen is build 14.0.4734.1000, which leaked out only last week:

 

Windows Azure platform hits general availability


As expected, Microsoft has announced the general availability of the Azure platform (Windows Azure, SQL Azure, and AppFabric) in 21 countries. Starting today, Microsoft customers and partners in those regions will be able to launch their Azure production applications and services with the support of the full Service Level Agreements (SLAs). The Windows Azure platform AppFabric Service Bus and Access Control will continue to be free until April 2010 for those that sign up for a commercial subscription.

The final release was available last month, and since then Redmond says thousands of customers have moved from the Community Technology Preview (CTP) to the production code (Microsoft did not charge for Windows Azure platform usage incurred during January). This month though, Microsoft's partners will be able to begin selling paid commercial subscriptions based on their own solutions to their customers. Billing and SLAs for all commercial accounts technically begins today.

If you choose not to upgrade to the production code, you should know that CTP accounts are being disabled today and any Windows Azure Storage is being made read-only. SQL Azure CTP accounts will be able to keep using their existing databases but will no longer be able to create new databases and Windows Azure platform AppFabric namespaces will be disabled. SQL Azure CTP accounts that have not been upgraded will be deleted on March 1, 2010 while Windows Azure Storage CTP accounts and Windows Azure platform AppFabric namespaces that have not been upgraded will be deleted on April 1, 2010. Microsoft is therefore asking those who do not wish to upgrade to export their data to a commercial subscription prior to these dates.

The 21 countries onboard are as follows: Austria, Belgium, Canada, Denmark, Finland, France, Germany, Ireland, India, Italy, Japan, Netherlands, New Zealand, Norway, Portugal, Singapore, Spain, Sweden, Switzerland, the UK, and the US. Microsoft is not saying when it plans to roll out the Azure platform in more regions.



Reminder: Windows 7 RC shutdowns start in a month


This is a reminder post for all the Windows 7 users still using the Release Candidate (build 7100) that was released to the public in May 2009. Bi-hourly shutdowns of this build will begin on March 1, 2010, or four weeks from today. This means that the user will be told to install a released version of Windows and their PC will shut down automatically every two hours. On June 1, 2010, if you are still on the Windows 7 RC, your license will expire and the non-genuine experience will be triggered. Your wallpaper will be removed and "This copy of Windows is not genuine" will be displayed in the lower right corner of your desktop, above the taskbar. Starting on February 15, 2010, Windows 7 RC should actually start giving daily prompts to remind you about the expiration, but just in case two weeks' notice isn't enough, we're letting you know a month in advance.

If you want to continue using Windows 7, we recommend moving over to the Windows 7 RTM (build 7600) that was released to the public in October 2009. Microsoft explained that this would happen when it gave out free copies of the beta (which has already expired) and RC builds, and you've had plenty of time to move over. If you haven't reinstalled a final copy of Windows, do so as soon as possible so as to avoid problems in the next few weeks.



Hands on: Qrobe.it mixes Google and Bing in single interface


About two weeks ago, a startup based in Alexandria, Minnesota by the name of Striquent quietly launched a new website that combines results from major search engines. "The idea for qrobe.it was born out of a discussion on if the search experience can be improved upon or as the saying goes 'one can't improve what is already perfect,'" Nisha Boban, QA Analyst at Striquent, told Ars. "So what we did is focus on the user experience and meshed together the best of the Web, search results from Google, Bing and Ask, with ability to instantly share a URL with the leading social sites, save it, shorten it, verify it, etc."

Boban believes Google came very close to perfecting the search experience many years ago, but since then the Web has moved on and the search giant has not changed its service much. Microsoft, on the other hand, rebranded its search engine by launching Bing "with a host of very good features," but could have done a better job with branding (making the homepage pretty doesn't cut it), she says.



Google to send Internet Explorer 6 users packing come March


Google is continuing to kill off support for Internet Explorer 6 in its services; the search giant has announced that two more of its Web properties will stop supporting IE6 as of March 1. "Many other companies have already stopped supporting older browsers like Internet Explorer 6.0 as well as browsers that are not supported by their own manufacturers," a blog post on the Official Google Enterprise Blog begins to explain. "We're also going to begin phasing out our support, starting with Google Docs and Google Sites. As a result you may find that from March 1 key functionality within these products -- as well as new Docs and Sites features -- won't work properly in older browsers." Older browsers, according to Google, include anything prior to IE7, Firefox 3.0, Chrome 4.0, and Safari 3.0.

Although one might think this is a reaction to the Internet Explorer vulnerabilities notably exploited in the recent series of Chinese-based attacks against Google and 30 other tech companies, which Microsoft has since patched, the truth is Google has already done this with many of its other products. Google's Orkut and YouTube started phasing out IE6 support about six months ago and Google has been using Gmail to convert IE6 users to Chrome for over a year.

Google's stance on IE6 varies from Microsoft's because the search giant does not need to support Windows XP, the operating system with which IE6 first shipped, for as long as Microsoft does (Microsoft will support XP and IE6 until April 8, 2014). Google can thus pull IE6 support on its many Web properties and urge users to upgrade. Microsoft, on the other hand, which has stated time and time again that it wants to see IE6 disappear as much as anyone else, won't force anyone to upgrade (though it's worth noting that the software giant's Office Web Apps won't support IE6 either, just like Google Docs). Instead, it says the decision is ultimately up to the user, touting IE8's many features over IE6, particularly in the area of security, in an attempt to push users to upgrade. IE6 ended 2009 with a market share of 20.99 percent.



Week in Microsoft: Windows 7 gives Microsoft a huge boost


Let's look back at the week that was in Microsoft news. Here were the top stories:

Windows 7 leads the way to record quarter for Microsoft: Sales of Windows 7 and a recovering economy helped Microsoft set a record second quarter with a 60 percent jump in profit, to $6.66 billion.

Microsoft releases slew of Windows 7 updates: Microsoft has released a few fixes for Windows 7 and Windows Server 2008 R2, including another stability and reliability update.

