Category Archives: Microsoft

Microsoft steps in a huge steaming pile of privacy issues

March 22, 2014 jrivett Leave a comment

In yet another of the endless examples of why companies shouldn’t let lawyers make decisions, Microsoft has undone whatever goodwill they might have had from customers who value the privacy of their email.

A Microsoft employee apparently leaked Windows 8 information to a reporter. In typical big-corporation fashion, this leak caused the software giant to go into full-on freakout mode. Ignoring common sense entirely, they dug into the reporter’s Hotmail account, looking for clues to the identity of the leaker. Apparently the lawyers were consulted, and the lawyers said, “Go right ahead and look! The Terms of Service for Hotmail mean the law is on our side.” And they’re right. But that doesn’t mean it was a good idea. Now that this incident has come to light, the public backlash is just beginning for Microsoft.

Of course, this problem is not limited to Microsoft. Almost all email services operate this way. Whoever provides the service can access any part of it at any time, even if it’s encrypted as part of the service. The only way to get around this exposure while using a typical email service is to add your own encryption – on both ends of every email exchange – commonly referred to as end-to-end encryption. Lavabit was one of the few email services to offer this kind of security, and they closed down recently rather than comply with access requests from the NSA.

Update 2014Mar29: Microsoft, in damage control mode, has made changes to its privacy policies. A statement by Microsoft General Counsel Brad Smith on the ‘Microsoft on the Issues’ blog makes it clear that they will no longer look at customer data in situations like this. Smith also states that Microsoft will work with the EFF and other digital rights organizations to help avoid problems like this in the future.

Malware, Microsoft, Patches and updates, Security, Windows XP

MSRT will still be updated for Windows XP after April 8

March 21, 2014 jrivett Leave a comment

Microsoft’s Malicious Software Removal Tool (MSRT) checks for and attempts to remove known malware from Windows computers during the Windows Update process.

Previously, it was assumed that MSRT would stop being updated for Windows XP once support for that O/S ends in April. A few weeks ago, Microsoft confirmed that it will continue to update MSRT on Windows XP computers until July 15, 2015.

This is good news for anyone who will still be running XP after April, but it’s important to note that MSRT is not a substitute for a full anti-malware solution, and should not be seen as protection against the flood of malware, targeted at Windows XP computers, expected to appear after April 8.

Internet Explorer, Microsoft, Patches and updates, Security, Windows

Microsoft updates for March 2014

March 12, 2014 jrivett Leave a comment

Yesterday was Patch Tuesday, and Microsoft released five updates for Windows, Internet Explorer, and Silverlight. Two of the updates are flagged as Critical. The official summary bulletin has all the technical details, and a post on the MSRC blog has a less technical breakdown of the updates.

As expected, one of this month’s updates fixes the recently-reported zero-day vulnerability in Internet Explorer.

Microsoft, Security, Windows XP

Ouch! newsletter: The End of Windows XP

March 8, 2014 jrivett Leave a comment

This month’s Ouch! (PDF) provides a useful overview of what you need to know if you’re still using Windows XP.

The SANS Ouch! newsletter is aimed at users, so it may not be useful for IT professionals. On the other hand, it’s a great place to send users looking for information adapted to their level of understanding.

Internet Explorer, Microsoft, Patches and updates, Security, Windows

Advance notification of March updates from Microsoft

March 7, 2014 jrivett Leave a comment

Patch Tuesday for March 2014 happens on March 11. Microsoft currently plans to publish five new bulletins and associated patches starting at 10am PST on that date. The patches will address vulnerabilities in Windows, Internet Explorer, and Silverlight. Two of the patches are flagged as Critical.

One of the patches will fix the Internet Explorer vulnerability recently reported here.

Microsoft, Windows XP

Windows XP will nag you to upgrade after support ends

March 3, 2014 jrivett Leave a comment

Microsoft will prod you to upgrade your Windows XP computers after support for that O/S ends in April.

According to Ars Technica, a message will pop up on the 8th of every month, starting on March 8, 2014. Although this may be viewed as a nuisance by some users, at least the message has a “don’t bother me again” checkbox.

Microsoft is also working on making the transition easier with migration tools and a web site that tells visitors whether they are in fact running Windows XP. And they are encouraging tech-savvy people to assist friends and family with upgrading.

The Windows XP end-of-support site is a good starting point for anyone still running XP.

Microsoft, Security, Windows

Microsoft EMET protection software bypassed

February 25, 2014 jrivett Leave a comment

When a new Windows vulnerability is discovered, and particularly when exploits for that vulnerability are discovered in the wild, a common refrain from Microsoft is “use EMET”. EMET is security software that protects Windows systems from certain types of behaviour common to vulnerability-based attacks.

Installing and configuring EMET properly provides a level of protection beyond that of regular anti-malware software. Well, that was the idea, anyway.

Now it appears that attackers have found a way past EMET. The EMET bypass was discovered by security researchers at Bromium Labs and the details published in a whitepaper.

Malicious hackers are likely to start using this new information soon. Microsoft is working with Bromium Labs, but it may not be possible to prevent the bypass by improving EMET, in which case EMET will be reduced to a minor speed bump for attackers.

Microsoft, Windows 7, Windows XP

Windows 7 Pro OEM available until at least February 2015

February 23, 2014 jrivett Leave a comment

We previously posted about Microsoft fiddling with Windows 7’s lifecycle dates. At the time, it seemed clear that Microsoft would be foolish to stop making Windows 7 available to computer builders in October 2014 as originally stated.

Microsoft recently updated the lifecycle dates for Windows 7 again, and now Windows 7 Professional OEM will be available until at least February 23, 2015 (a year from today). No specific cut off date is provided on the lifecycle page for Windows 7 Pro, but a footnote states that Microsoft will provide at least one year of notice before any cut-off date is actually set.

Meanwhile, other versions of Windows 7 (Home, Ultimate) will no longer be available as of October 31, 2014, as originally planned.

Anyone still running Windows XP and planning to upgrade to Windows 7 will find that Win7 is no longer available in retail stores. And now we know that even OEM packages for all but the Pro version will stop being available in October 2014.

Internet Explorer, Malware, Microsoft, Security

Internet Explorer vulnerable to new attack

February 14, 2014 jrivett 2 Comments

Update 2014Feb19: Microsoft has released a ‘Fix-It’ patch that apparently removes this vulnerability in Internet Explorer 9 and 10. They are expected to release a regular update at some point, but for now, if you have to use IE9/10, you should apply this Fix-It.

Ars Technica reports on a new vulnerability affecting Internet Explorer 10 and 9. Visitors to the American Veterans of Foreign Wars (VFW) web site who are using Internet Explorer will become infected with malware.

The VFW site was recently compromised, and altered to include code that loads the malware from another site. Presumably the VFW site will be cleaned up very soon, but the vulnerability in IE remains, so we can expect to see this malware being served up by other compromised web sites very soon.

Microsoft said that they are aware of the problem but there’s no word yet on a possible fix.

For now, since there’s no way to know which web sites to avoid, we recommend not using Internet Explorer at all for general web surfing.

Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday, February 2014

February 11, 2014 jrivett Leave a comment

It’s the second Tuesday in February 2014, so it’s time to patch your Windows computers. Originally there were only going to be five bulletins this month, but two more were added late. The updates fix security vulnerabilities in Internet Explorer, Windows and .NET. Four of the updates are flagged as Critical.

The summary bulletin has all the technical details, and Dustin Childs has posted a friendlier summary over at the MSRC blog.

As usual, a SANS ISC Diary post provides a security-focused interpretation of the month’s updates, with its own recommendations, as well as useful references (CVE identifiers) to the specific vulnerabilities addressed.

boot13

Category Archives: Microsoft

Microsoft steps in a huge steaming pile of privacy issues

MSRT will still be updated for Windows XP after April 8

Microsoft updates for March 2014

Ouch! newsletter: The End of Windows XP

Advance notification of March updates from Microsoft

Windows XP will nag you to upgrade after support ends

Microsoft EMET protection software bypassed

Windows 7 Pro OEM available until at least February 2015

Internet Explorer vulnerable to new attack

Patch Tuesday, February 2014

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.