Archive

Posts Tagged ‘Windows’

Outlook 2010 Bug Creates Monster Email Files

March 4th, 2010 js No comments

Julie188 writes with this snippet from Network World “Office 2010 is still in beta and a patch is already out. Microsoft is trying to fix a bug in the email program Outlook 2010 Beta that creates unusually large e-mail files that take up too much space. The Outlook product team has offered a bug fix for both 32-bit and 64-bit systems that fixes the problem going forward, although previous emails will remain super-sized. This could be a problem for email programs that limit message sizes, such as Gmail or BlackBerry.”

Read more of this story at Slashdot.

Categories: Software

Vulnerability that allows gaining privileges on Windows

January 20th, 2010 js No comments

The Register:

The vulnerability resides in a system known as the Virtual DOS Machine, which Microsoft introduced in 1993 with Windows NT, according to the note published by Tavis Ormandy of Google. Using code written for the VDM, a standard user can inject whatever code they want into the system kernel, with the ability to make changes to sensitive parts of the operating system. This vulnerability allows unprivileged users to take control of most versions of Microsoft Windows (…) The vulnerability exists in all 32-bit versions of Microsoft operating systems since 1993, and a proof of concept has already been developed for XP, Server 2003, Vista, Server 2008, and 7. Presumably, Windows 2000 is also vulnerable.

in Windows plagued by 17-year-old privilege escalation bug.

In other words, as soon as a program to exploit this vulnerability is released, a ‘turnkey’ tool, organizations that maintain Windows-Whatever workstations and terminal servers will face a significant security risk because, from the moment any user gains privileges over the machines, that user will be able to (a) install whatever programs they want, (b) change settings as they see fit, and (c) access information on those systems indiscriminately.

Solution? No security fix has been released for this problem yet. Mitigation? Disable, wherever possible, the MSDOS and WOWEXEC subsystems. How? By using, for example, a Group Policy that disables the execution of 16-bit applications: Windows Components\Application Compatibility\Prevent access to 16-bit applications.

For those not familiar with configuring Group Policies, some videos are available on YouTube that can help with the configuration, namely for Windows Server 2003, Windows Server 2008 and, finally, Windows XP Professional. For Windows NT, a Microsoft support note is available for disabling these components.

As is very obvious, applying these workarounds is strongly recommended.
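
One way to audit the mitigation described above on a machine, as an added example that is not part of the original post. It only reads state and changes nothing; it assumes the "Prevent access to 16-bit applications" policy is stored as the `VDMDisallowed` DWORD under the machine-wide AppCompat policy key, and the function names are hypothetical.

```powershell
# Added example (not from the original post). Read-only audit of the 16-bit mitigation.
# Assumption: the "Prevent access to 16-bit applications" policy is stored as the
# DWORD VDMDisallowed under the machine-wide AppCompat policy key.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyValue = 'VDMDisallowed'

function Get-VdmPolicyState {
    param(
        [string]$Path = $PolicyKey,
        [string]$Name = $PolicyValue
    )
    # A missing key or a missing value both mean the policy was never configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$Name -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Test-VdmExposure {
    # The post states the flaw affects 32-bit Windows; 64-bit Windows ships no NTVDM.
    $is32Bit   = -not [Environment]::Is64BitOperatingSystem
    $ntvdmPath = Join-Path $env:SystemRoot 'System32\ntvdm.exe'
    $hasNtvdm  = Test-Path -LiteralPath $ntvdmPath
    $policy    = Get-VdmPolicyState

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Is32BitOS    = $is32Bit
        NtvdmPresent = $hasNtvdm
        PolicyState  = $policy
        # Flag only hosts where the 16-bit subsystem exists and the policy is not enforcing.
        NeedsAction  = ($is32Bit -and $hasNtvdm -and $policy -ne 'Enabled')
    }
}

Test-VdmExposure | Format-List
```

A host reporting `NeedsAction : True` is a 32-bit system with NTVDM present where the policy is either not configured or explicitly disabled.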

Categories: Security

Hey, Microsoft, Internet Explorer security talk is cheap

January 20th, 2010 js No comments

By Joe Wilcox, Betanews

Why don’t you clam up and do something already?

On Sunday, I asked the question “Should you dump Internet Explorer, NOW?” and quickly offered yes as the answer for all versions of the browser. Reaction to the post surprised me. As I write, there are more than 155 comments. Clearly, IE is a sensitive topic with readers — and also with Microsoft, which has once again taken a “security by PR” approach to the problem rather than offering a real solution.

I first started talking about Microsoft’s “security by PR” strategy more than five years ago. Rather than manage the problem — a current zero-day threat affecting Internet Explorer 6, 7 and 8 — Microsoft is trying to manage the reaction. That simply is the wrong approach to quality customer service or instilling users with confidence about using the Web browser.

Quick recap: On January 12, Google disclosed security breaches, affecting more than 20 companies, that were traced back to China. Two days later, McAfee pegged a previously publicly unknown Internet Explorer exploit as one of the mechanisms used in the attacks, which the security software firm dubbed “Operation Aurora.” On January 15, McAfee and Microsoft reported that code for the zero-day exploit was in the wild, potentially putting millions of Windows PCs at risk. Meanwhile, the French and German governments recommended that their citizens switch — at least temporarily — to another browser.

Microsoft’s security by PR reaction to the exploit is the problem. Quickly summarized before I more thoroughly explain:

  • Microsoft used the Aurora exploit as a marketing tactic, recommending that customers switch from IE6 and Windows XP; what timing with IE8 and Windows 7 as newer available products.
  • Early, cleverly worded blogs or statements made it seem like only IE6 is vulnerable to the Aurora exploit, when newer Microsoft browsers are exploitable, too.
  • Microsoft tried to diminish the risk by asserting that the Aurora exploit had only affected businesses, which is absurd considering how much more they have to lose than consumers.
  • Over the U.S. holiday weekend, Microsoft posted new blogs and videos that offered “duck and cover” fixes. Meanwhile some executives defended IE by blaming other Web browsers.

Security by PR

Marketing Tactic. In a January 15 post warning about Aurora becoming a real zero-day exploit, Microsoft “recommend users of IE6 on Windows XP upgrade to a new version of Internet Explorer and/or enable DEP [Data Execution Protection]. Users of other platforms are at reduced risk. We also recommend users of Windows XP upgrade to newer versions of Windows.” The post also recommended that IE users disable JavaScript.

In comments to my “Dump IE?” post, AnthonySPT defended Microsoft: “How many more years should Microsoft support IE6, when they have released several new replacement versions?” That’s a good question. According to Net Applications, IE6 usage share was 20.99 percent in December — or about the same as IE8 (20.88 percent).

Commenter bourgeoisdude responded: “As they will support Windows XP through 2014 (extended support), and XP came with IE6 installed, they will have to support it that long, unfortunately. Yeah, it sucks.”

I, too, find it strange that so many businesses continue using IE6. Based on my conversations with IT staff at companies doing so, legacy dependency, most often some ActiveX controls, is usually the reason. How’s that for irony, given how much ActiveX has been an attack vector for IE exploits and how much Microsoft tried to diminish the plug-in architecture’s usage in versions 7 and 8. Microsoft and its customers still pay for past security sins.

Blaming IE6. Microsoft could possibly justify blaming IE6 if only that browser were vulnerable. The wording of blog posts, different versions of security advisory 979352 and videos about the exploit sure seem to lay all the blame on IE6. From a January 14 blog post: “Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time.” Restated in yet another Microsoft security blog post, yesterday: “As we’ve previously reported, attacks remain targeted to a very limited number of corporations and are only effective against Internet Explorer 6.”

But the 979352 security bulletin lists in section “affected software” IE7 and IE8 running on Windows XP, Vista, 7, Windows Server 2003 and 2008. Meanwhile, over the weekend, security researchers reported the Aurora exploit running in IE7 on Windows Vista. Microsoft’s response: Hunker down behind IE8. From yesterday’s blog post:

We have not seen successful attacks on Internet Explorer 8. We continue to recommend customers upgrade to Internet Explorer 8 to benefit from the improved security protection it offers. Additionally at this time, we have not seen any successful attacks against Internet Explorer 7. However, earlier today, we were made aware of reports that researchers have developed Proof-of-Concept (PoC) code that exploits this vulnerability on Internet Explorer 7 on Windows XP and Windows Vista. We are actively investigating, but cannot confirm, these claims.

Only businesses affected. In one of the two videos accompanying the aforementioned blog post from yesterday, Jerry Bryant, Microsoft’s senior security communications manager, says: “These attacks are not widespread. We have not seen any focused on consumers. In fact, it’s only been a very limited number of corporations that have been targeted.”

He downplays the Aurora exploit’s severity by saying only a small number of corporations are affected. At first glance, this seemingly smart PR spin is anything but. The majority of Microsoft customers are businesses, which have much more to lose if exploited than consumers. If, for example, criminals steal 1 million social security numbers from a single company, the damage is more far-reaching than exploitation of even a few thousand consumer PCs. How would Microsoft executives react if someone stole the source code to Windows 7 or the designs for Natal?

Duck and cover. Besides emphasizing IE6 blame and diminishing IE7 and IE8 risk, Microsoft retreated to its security technology of greatest strength: DEP. The company was right to tell IE7 users to turn on DEP, which is on by default in IE8 (in most, but not all, circumstances). In comments to my earlier post, there has been fierce debate about the effectiveness of DEP as a security deterrent.

Yesterday, security researcher Dai Zovi generated buzz with a tweet: “And now my Aurora exploit works on IE7 on Vista as well as IE6, IE7 on XP. Remember kids, DEP is useless if the app doesn’t opt in.” In a very good blog explaining the effectiveness and limitations of DEP, Larry Seltzer writes about the tweet: “Dai Zovi is not a black hat and hasn’t released his exploit, so don’t expect this work to end up hacking innocents any time soon. But this does prove that the IE7 port isn’t all that hard. The bad guy versions may be done already.”

According to Net Applications, IE 7 usage share is only 15.53 percent, even less than Internet Explorer 6. The question: What about IE8? According to a Security Dark Reading post by Kelly Jackson Higgins early this afternoon: “Chaouki Bekrar, CEO of VUPEN Security, says his team was able to bypass DEP on IE8 and execute arbitrary code.”

I will praise Microsoft for telling customers to turn on DEP, but the larger PR maneuverings diminish the guidance. Microsoft should have stepped up sooner with a promise to fix the problem. By the way, whether or not that fix is made available for IE8 and Windows 7 will demonstrate whether there was more risk than Microsoft’s talk.

Microsoft finally responds

While I was writing this post, Microsoft acknowledged in another blog post that an out-of-band security patch would be coming for the Aurora exploit.

But the reasons are bad and themselves reveal how much Microsoft is stepping up because of public relations. George Stathakopoulos, GM of Microsoft Trustworthy Computing Security, writes: “Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability.”

Translation:

  • “The significant level of attention this issue has generated” (Microsoft is trying to fix a huge public relations problem).
  • “Confusion about what customers can do to protect themselves” (Microsoft cannot control the PR information).
  • “The escalating threat environment” (Microsoft has stopped denying — at least to itself — that there is a real problem that will get worse).

Microsoft also didn’t give a timeframe for releasing the fix, but presumably it would come before the next Security Tuesday in February.

Wrapping up, two clarifications are in order. I am not asserting in this post that Internet Explorer is any more or less secure than any other browser. My purpose here is only to assess Microsoft’s mishandling of the messaging by making security by PR the priority. Additionally, my January 17 “Dump IE?” post was written to stir up discussion about the exploit, particularly assertions by Microsoft and some bloggers that Internet Explorer users upgrade from IE6. I took the more extreme position to generate debate, because I see it as a highly effective tool for resolving problems. Likewise, this post is intended to stir up debate about IE security and how Microsoft publicly handles it.

Copyright Betanews, Inc. 2010

Categories: Security

Microsoft To Switch Focus To Windows 8 In July 2010

December 17th, 2009 js No comments

An anonymous reader noted a bit from Ars saying “Microsoft will be switching internal focus from Windows 7 to Windows 8 in fiscal year 2010. Microsoft’s fiscal year starts in July, which is only eight months away. According to Microsoft’s roadmaps, the release of Windows 8 is scheduled for 2012.”

Read more of this story at Slashdot.

Categories: Software

Mark Russinovich on MinWin, the new core of Windows

December 17th, 2009 js No comments

By Scott M. Fulton, III, Betanews

Since the first public news of Windows 7’s development back in October 2007, we’ve heard about a component of the operating system called MinWin — a tantalizingly titled element that sounds like some kind of portable Windows kernel. Now Windows 7 is actually residing on paying consumers’ desktops, and inside of it — and inside of Windows Server 2008 R2 — is the MinWin kernel architecture… and yet few have been given a clear picture of what it actually is.

A few weeks ago in Los Angeles, Microsoft technical fellow Mark Russinovich — absolutely the world’s leading authority on Windows performance and architecture — took time to explain to developers attending PDC 2009 in Los Angeles exactly what this is. In summary, it’s a way to graft onto Windows some semblance of the architectural layering it should have had, if its architects in the 1980s had any foresight into how Windows would be used thirty years later. It enables current and future Microsoft developers to evolve new configurations of the operating system, without having to rewrite core services or worry about breaking dependencies between those services and upper-level APIs.

“If you look back at the evolution of Windows, it’s evolved very organically, where components are added to the system and features are added to the system without, in the past, any real focus on architecture or layering,” Russinovich explained. “And that’s led us to do some hacks with Windows, when we want to make small footprint versions of Windows like Server Core, or Embedded Windows, or Windows PE — the pre-installation environment. What we do [instead] is take full Windows, and start pulling pieces off of it. The problem with that is, the pieces that are left sometimes have dependencies out to the pieces that we’ve removed. And we don’t really understand those dependencies.”

Microsoft Technical Fellow Dr. Mark Russinovich at PDC 2009.

Perhaps “Windows” is a poorly fitting name for what the operating system should be at its core. The breakthrough with Server Core, introduced back in Windows Server 2008, is that it minimized the number of running services to just those that enabled the operating system to be self-sustaining, and perform its roles as a server to the outside world. But even those services contain dependencies to libraries that involve graphical functionality, even if none of those services use that functionality. Conceivably, a breakthrough above and beyond Server Core itself would be a completely minimalistic kernel, upon which those roles could be added modularly, without having to involve libraries that presume the computer operator needs graphics, a mouse, and sound.

MinWin is the first critical step in that direction. “We want to get more rigorous about this,” said Russinovich, “because every time we evolve Windows, we end up breaking those versions that we’ve sliced-and-diced. We’d like to have a Server Core that we understand, that totally depends on itself and not things outside of itself, so that we can evolve things outside it while we evolve Server Core, and not be worried about breaking Server Core, or having to redefine it with every release.”

The basic MinWin in Windows 7 is comprised of about 161 files, whose total footprint on disk is about 28 MB. Before you go thinking you could carry that around in the cheapest thumb drive you’ve got, realize that MinWin doesn’t even issue a command prompt. It runs the kernel, basic system services, and the TCP/IP stack, and that’s it.

Operating system functions are implemented through APIs; and since Windows 3.1, those APIs form the collective library of libraries known as Win32. The principal division of labor in Win32 has historically been vertical, not horizontal, dividing core system kernel functions from “user” input and interactive functions, from graphics and display functions. Even though Windows architecture has evolved to the point where the whole graphics part is essentially deprecated for modern apps, GDI32.DLL is presumed to be present.

For Microsoft’s engineers to implement a more horizontal layering, they needed to create a scheme whereby API functions operate as though the typical division of labor still existed, even when it doesn’t. Here is where that most blessed word “virtual” enters the picture. Under the new MinWin architecture, the handful of core functions in the new KERNELCORE.DLL handle essential system services. Any other calls to APIs outside that realm are “forwarded,” like unresolved DNS addresses in the Internet naming scheme, to libraries outside the core.

But whereas APIs used to “resolve” to the same core sets of libraries that existed since the ’80s, under the new MinWin architecture, all that’s changed. Revealing the gulf between the mindsets of what constituted efficiency 25 years ago and efficiency today, Russinovich explained something incredible: In the old days of Windows, APIs were bunched together in groups that may not have had any logical bearing with one another, simply to reduce the length of the boot path. Bigger API collections meant fewer references to their filenames.

“We want to get away from that, and really make the definition of the logical DLLs, these files on disk, separate from the API sets that they implement, so that we can compose them dynamically,” said Russinovich. “In other words, we want people to call virtual DLLs that implement APIs, and then what happens on the system is that those virtual DLLs are mapped to logical DLLs that actually implement this functionality. So it doesn’t matter from a programmer’s perspective if a virtual DLL’s implementation is in this logical DLL or that one, it’s up to us behind the scenes to figure out how to best combine virtual DLL implementations into logical DLLs.”

There are performance costs to the implementation of logical DLLs, one of which being the creation of “artifacts” in the dependency trails that tools such as Russinovich’s own Dependency Walker can trace. Also, processes now have to be endowed with a map that associates virtual DLLs with logical DLLs. And the files for the virtual DLLs have to physically exist on disk, even though their instructions are comprised completely of no-ops.

But the benefits outweigh the costs, including expediting API requests through virtual, dynamic placement. And now Microsoft’s own developers, mindful of what Russinovich calls the three-year “cadence” between major product release cycles, are freer to innovate different form factors and implementations of Windows for new classes of hardware and new configurations.

In a PDC 2009 demonstration, it takes an outside process to determine for sure whether a separate instance of MinWin is even running.

MinWin can boot as a separate operating system process unto itself, but it doesn’t actually have any console of its own. In this PDC 2009 demonstration, an outside process actually has to test the waters to see that MinWin has a heartbeat.

One potential payoff down the road for MinWin may yet come from an improved Server Core. As Russinovich demonstrated, even the command prompt up until Vista relied upon a high-level process associated (for no important reason) with graphical functions, the Client/Server Runtime Subsystem (CSRSS). The new MinWin architecture now enables each running process to have access to a command subsystem called CONHOST that is closer to the core, without messing around with libraries they won’t even use. A future Windows release (“Server 2011?”) could substitute the existing Server Core with a horizontally-layered architecture based on a MinWin foundation.

And another possible permutation for the client edition — one which Russinovich did not mention, but which is foreseeable nonetheless — involves a foundation layer built on MinWin whose basic purpose is to manage the hardware and run system services, topped by a virtual layer also built on MinWin that runs applications and provides the user environment. Such a scheme would be worlds more secure than the system we use today.

Copyright Betanews, Inc. 2009

Categories: Software

Microsoft Finally Open Sources Windows 7 Tool

December 15th, 2009 js No comments

Jan writes “Microsoft has open sourced the Windows 7 USB/DVD Download Tool by releasing it under the GPLv2 license. The code is now available on CodePlex, Microsoft’s Open Source software project hosting repository, over at wudt.codeplex.com. The actual installer for the tool is now again available for download at the Microsoft Store (2.59MB). (Microsoft previously took responsibility for the violation.)”

Read more of this story at Slashdot.

Categories: Software

Microsoft Kernel Engineers Talk About Windows 7’s Kernel

November 18th, 2009 js No comments

Microsoft’s Professional Developers Conference is currently under way, and as usual, the technical fellows at Microsoft gave speeches about the deep architecture of Windows – in this case, Windows 7 of course. As it turns out, quite some seriously impressive changes have been made to the very core of Windows – all without breaking a single application. Thanks to BetaNews for summarising this technical talk so well.

Categories: Software

In Test, Windows 7 Vulnerable To 8 Out of 10 Viruses

November 6th, 2009 js No comments

As Windows 7’s market share passes 3.6%, up from 1.9% the day before launch, llManDrakell notes an experiment they did over at Sophos. They installed Windows 7 on a clean machine — with no anti-virus protection — with User Access Control in its default configuration. They threw at it the next 10 virus/worm samples that came in the door. Seven of them ran; UAC stopped only one baddie that had run in the absence of UAC. “Lesson learned? You still need to run anti-virus on Windows 7.”

Read more of this story at Slashdot.


Microsoft Links Malware Rates To Pirated Windows

November 6th, 2009 js No comments

CWmike writes “Microsoft said today that computers in countries with high rates of software piracy are more likely to be infected because users are leery of applying security patches. ‘There is a direct correlation between piracy and the malware infection rate,’ said Jeff Williams, head manager of the Microsoft Malware Protection Center. Highlighting research that showed worms to be the most prevalent computer security problem today, Williams said the link between PC infection rates and piracy is due to the hesitancy of users of pirated software to use Windows Update. China’s piracy rate is more than four times that of the US, but the use of Windows Update in China is significantly below that in this country. Same for Brazil and France. But Microsoft’s own data doesn’t always support Williams’ contention that piracy, and the hesitancy to use Windows Update, leads to more infected PCs. China, for example, boasted a malware infection rate — as defined by the number of computers cleaned for each 1,000 executions of the MSRT — of just 6.7 per thousand, significantly below the global average of 8.7 or the US’s rate of 8.2. France’s infection rate of 7.9 in the first half of 2009 was also below the worldwide average.”

Read more of this story at Slashdot.

Categories: Security

Ubuntu ‘Karmic Koala’ RC Hits the Streets With Windows 7

October 27th, 2009 js No comments

oranghutan writes “Computerworld is reporting Canonical has made available the Release Candidate of its latest Linux-based operating system, Ubuntu 9.10, on the same day Microsoft launched the long-awaited Windows 7. ‘The upcoming Canonical release, which is code-named Karmic Koala, is the latest version of the popular flavor of the Linux OS. The development release on Thursday pushed the OS one step closer to final release, which is due on Oct. 29, according to the company’s release schedule Web page. An image of the OS is available for download on Ubuntu’s Web site. Test versions of Karmic Koala RC available for download include the server, desktop and netbook versions’”

Read more of this story at Slashdot.

Categories: Uncategorized