SleepyEgg

Tech News, Deals, & Games


Microsoft

The potential dangers of Microsoft's secret patches


Microsoft's security patches sometimes fix more problems than their descriptions let on. This is not a new problem, nor is it unique to Redmond. As much as anything else, it is a consequence of the way patches are produced: when a vendor is analyzing and fixing one flaw, they might well discover other flaws in the same piece of code, and their patch will fix the whole set.

However, research by one security company, Core Security Technologies, suggests that in so doing, Microsoft may be underplaying the significance of various patches, which may lead companies to be less aggressive in rolling out patches for critical flaws.

In particular, the company believes that secret fixes in two of last month's patches make the patches more important than Microsoft's bulletins suggest. It has issued its own bulletins to discuss the additional fixed flaws.

Core Security Technologies analyzes patches to produce attacks for use with its penetration software; it uses real exploits to detect network vulnerabilities. Attackers do the same: comparing patched files to unpatched files to learn exactly what was patched is a common technique, which is one of the reasons that accurate assessments and timely deployment are so important.

Corporate policy at Microsoft—and many other vendors—is to not disclose these internally-discovered flaws. They are mentioned neither in the industry-wide CVE database, nor in the notes to each bulletin.

If the public flaws are less serious than the other flaws that a patch repairs, there is a danger that the importance of the patch will be underestimated by users, and that they will be lulled into a false sense of security. In conjunction with the fact that releasing a patch often makes exploitation of the flaw more likely (due to the aforementioned analysis of the patches), this is a dangerous situation.

Both of the fixes in question were given an "Important" rating, Microsoft's second highest, and even with the additional flaws taken into consideration, those ratings are still likely to be reasonable. Nevertheless, it is still an issue to consider in the future: there may be more to a patch than meets the eye.

 

IE9 Platform Preview 2: more of the same, but a bit faster


The Internet Explorer 9 Platform Preview was updated today. The update brings improved performance and standards compliance, and in tandem with the new release, Microsoft is providing new demos and standard conformance tests.

Microsoft's particular emphasis with the new release is the "same markup." Microsoft wants developers to use the same markup for every browser, putting an end to the browser-specific workarounds that continue to be a headache for Web developers. This manifests in a few different ways.


 

Microsoft killing off support newsgroups


Microsoft has announced that it intends to phase out its support newsgroups. The company currently has more than 2,000 public newsgroups used for tech support and developer discussion, but in recent years has been migrating to a more commonplace, Web-based discussion forum platform. On top of these newsgroups, there are a further 2,200 private newsgroups used for beta discussion, MVP communities, and other closed communities.

The closure of the newsgroups will begin next month and will start with the least trafficked newsgroups, with users redirected to the relevant support forums.

The rationale that Microsoft gives is that the NNTP newsgroup platform is old and unsupported. Though the newsgroups did include official Microsoft representatives, they were unmoderated, and frequent victims of spam and virus attacks. Further, Microsoft's own newsgroup servers only had a 90-day retention policy, meaning that valuable answers ended up being purged. The forums, in contrast, are a platform that Microsoft actively develops. They are more accessible, especially since they show up in Web search results, and they offer additional functionality like answer acceptance and voting. These features, Microsoft believes, make them a better solution for online support.

The company says that newsgroup usage has dropped by half in the last year, while the online forums are seeing sizeable growth. This makes the decision to end the newsgroups unsurprising. Nonetheless, as an occasional user of the newsgroups since their introduction in 1996, and a fan of their old-fashioned, plain-text, threaded interface, I'm a little sad to see their demise.

 

Chrome continues surge as IE drops below 60% market share


Remember back when Firefox hit version 1.0 and over 90 percent of the Internet used Internet Explorer? As of April, fewer than 6 out of 10 people now use Internet Explorer. The browser trends that we've noted over the past several months are continuing with no sign of alteration: IE continues to slip, Firefox and Opera are fairly static, Safari is very slowly moving forward, and Chrome is pushing ahead at breakneck speeds.

During April, only Internet Explorer and Opera failed to show positive growth.


 

Week in Microsoft: Windows Home Server, Hotmail, HTC


Let's look back at this week in Microsoft news:

Windows Home Server version 2 hits public beta: Windows Home Server 2 has entered public beta. The new version offers new media streaming features, better backup capabilities, and a more robust storage system. 

ActiveSync, SSL coming to Hotmail: Details of the new Hotmail features rolling out later this year in Wave 4 have arrived. On top of a bunch of new UI features, Wave 4 will bring ActiveSync to Hotmail users, and full SSL support.


 

HTML5 video in Internet Explorer 9: H.264 and H.264 alone


Microsoft has put its stake in the ground and committed to supporting H.264 in Internet Explorer 9. That the next browser version would support H.264 HTML5 video was no surprise (though the current Platform Preview doesn't include it, it was shown off at MIX10), but this is the first time that Microsoft has provided a rationale for its decision. More significantly, this is the first time the company has confirmed that H.264 will be the only video codec supported.

H.264 certainly has some advantages. It's standardized, resulting in wide support in both software and hardware. This also provides a migration path of sorts from Adobe Flash; the same H.264 video file can be played both in Flash and via the native browser support, which allows site owners to target both HTML5 and Flash users with a single codec. But the biggest advantage cited by Microsoft was intellectual property: the IP behind H.264 can be licensed through a program managed by MPEG LA. Other codecs—the blog post named no names, but Theora is obviously the most widespread alternative for HTML5 video—may have source availability, but they can't offer the same clear IP rights situation.


 

ActiveSync, SSL coming to Hotmail


More information is being revealed about the next iteration of Microsoft's Live-branded products. We know when the new programs are going to start rolling out, we know that Windows XP won't be supported, and we know a lot about the features of the next Windows Live Messenger.

Now Windows Live Hotmail is in the spotlight. The web front-end gets a load of new bells and whistles, but two new features stand out in particular.

Following in the footsteps of Google's Gmail, Hotmail Wave 4 will offer full-session SSL. Presently, logging in to Hotmail uses HTTPS to protect user credentials from attack, but e-mail itself is delivered over unsecured HTTP. Gmail switched to using HTTPS for the entire session—both logging in and reading/sending mail—by default in January (previously, it was an opt-in feature).

In Wave 4, Hotmail is following suit, offering HTTPS encryption for mail access as well as authentication. With the most valuable part of a mailbox often being the mail itself, not the credentials used to access it, this is a welcome change.

The other big news is that Hotmail will offer ActiveSync support. ActiveSync is used by Exchange to provide push mail and other facilities to smartphones. By adding ActiveSync to Hotmail, Microsoft is extending these features to 300 million smartphones, giving Hotmail-using consumers the full seamless sync experience on their phones.

This does still leave Hotmail stuck behind proprietary protocols, in contrast to the IMAP available to Gmail. IMAP, like ActiveSync, supports push mail and mailbox syncing. The upside to ActiveSync is that it works for more than just mail, providing synchronization of contacts and calendars as well.

Taken together, these new features make for a compelling update for Hotmail users. Live Wave 4 should start rolling out in June.

 

Microsoft releases slew of stability-oriented Windows fixes


In addition to the security bulletins posted on this month's Patch Tuesday, Microsoft last night released a slew of nonsecurity updates for Windows. The most important update is another stability and reliability update for Windows 7 32-bit, Windows 7 64-bit, Windows Server 2008 R2 64-bit, and Windows Server 2008 R2 Itanium. Microsoft regularly releases Windows 7 and Windows Server 2008 R2 stability and reliability updates, and this one builds on those that preceded it, adding the following fixes:

  • Windows Explorer crashes and then restarts when you access a third-party Control Panel item.
  • You cannot connect to an instance of SQL Server Analysis Services from an application in Windows 7 or in Windows Server 2008 R2 after you install Office Live Add-in 1.4 or Windows Live ID Sign-in Assistant 6.5.
  • Windows Explorer may stop responding for 30 seconds when a file or a directory is created or renamed after certain applications are installed.
  • The Welcome screen may be displayed for 30 seconds when you try to log on to a computer if you set the desktop background to a solid color.
  • You are not warned when you delete more than 1000 files at the same time. Then, the files are deleted permanently and are not moved to the Recycle Bin.

The second update is for those who install Microsoft Office 2010 and need to have certain fonts replaced with newer versions. Some font files are not updated and the user sees an "Error 1907" message. This issue occurs because many font files in Windows Vista and in Windows Server 2008 are marked as system-protected files and cannot be changed or deleted. The fix is available for Windows Vista 32-bit, Windows Vista 64-bit, Windows Server 2008 32-bit, Windows Server 2008 64-bit, and Windows Server 2008 Itanium.

The third update is for computers with BitLocker enabled that intermittently stop responding during shutdown and do not turn off completely. This problem does not occur if BitLocker is enabled on a data drive, but disabled on the system drive. The fix is available for 32-bit, 64-bit, and Itanium versions of Windows 7 and Windows Server 2008 R2. However, you'll have to request it for these two operating systems as Microsoft is still working on rolling it into Service Pack 1.

The fourth update enables Internet Information Services (IIS) 7.0/7.5 handlers that are mapped to a "*." request path to handle requests whose URLs do not end with a period. The fix is available for Windows Vista 32-bit, Windows Vista 64-bit, Windows Server 2008 32-bit, Windows Server 2008 64-bit, Windows Server 2008 Itanium, Windows 7 32-bit, Windows 7 64-bit, Windows Server 2008 R2 64-bit, and Windows Server 2008 R2 Itanium.

The last update is for Windows Installer (MSI) 4.5. If the user tries to use an embedded chainer to add multiple packages to an MSI package with custom actions, the installation process hangs. The fix is available for Windows XP 32-bit as well as 32-bit, 64-bit, and Itanium versions of Windows Vista and Windows Server 2008. However, you'll have to request it for these two operating systems as Microsoft is still working on rolling it into Service Pack 3.

 

ISVs to blame for Vista/7 infections; Office updates ignored


Monday saw the release of the eighth edition of Microsoft's Security Intelligence Report, a sizable examination of malware trends and software vulnerability data, covering the second half of 2009. The 248-page report makes interesting reading, and paints a detailed picture of the malware patterns seen around the world. It also contains information on the efficacy of various strategies to mitigate the malware problem.

The report is the first to include Windows 7 in its analysis. It shows that the security improvements that Microsoft has made in Windows Vista and Windows 7 appear to be working well, and that even though users are now tending to update the core operating system, applications (both first- and third-party) are often lagging behind, remaining unpatched for years.


 

