Category Archives: Microsoft

Active attacks targeting Internet Explorer

Update 2012Sep22: As promised by Microsoft, patches for Internet Explorer versions 9 and earlier were made available yesterday. The patches are available through regular update channels, including Windows Update and Microsoft Update. Security Bulletin MS12-063 has all the details, including links for downloading the updates separately.

Update 2012Sep21: A fix for this issue, promised earlier this week by Microsoft, was announced yesterday. Anyone using Internet Explorer for web browsing is strongly encouraged to install the fix immediately. A proper (i.e. fully tested) patch will be available from Microsoft later today.

Update 2012Sep19: Another bulletin from Microsoft promises an ‘out of cycle’ fix for this issue in the next few days. Meanwhile, the list of sites known to contain the exploit code is growing.

Update 2012Sep18: Microsoft has issued a security bulletin that goes into some detail about this issue and suggests workarounds. Apparently you can install the ‘Enhanced Mitigation Experience Toolkit’, or configure Internet Explorer to either prompt before running ActiveX scripts or prevent them from running altogether.

A newly-discovered vulnerability in most versions of Internet Explorer is being exploited in current, ongoing attacks.

Anyone using IE 6, 7, 8 or 9 on Windows XP, Vista or 7 is potentially at risk. To become infected, a user need only visit a web site that contains the exploit code. Typically, trojan malware is then installed silently on the user’s computer. The computer is then open to further attacks as well as remote control by the perpetrators.

Internet Explorer 10 is not affected.

The exploit code may be placed on a web site without the knowledge of the site owner, if the site is not secure.

This vulnerability and the associated attacks are serious enough to warrant extreme caution when using Internet Explorer. Some experts are recommending discontinuing the use of Internet Explorer until a fix becomes available.

Microsoft has issued a bulletin that provides additional details.

Windows 8 Internet Explorer shipping with vulnerable Flash

Update 2012Sep22: A Security Advisory published yesterday by Microsoft announced the availability of a patch for Flash in Internet Explorer 10. A related post on the Microsoft Security Response Center blog explains how security updates for Flash in Internet Explorer will be handled in the future. Anyone using Internet Explorer 10 or Windows 8 should install the Flash update as soon as possible.

Update 2012Sep11: Given the negative reaction to Microsoft’s previous announcement that recent Flash vulnerabilities would not be fixed in Internet Explorer 10 until after Windows 8 is released, today’s announcement is perhaps not much of a surprise. Microsoft is now saying that the Flash holes in IE10 will be plugged much sooner than originally announced. However, there will still be an easily-exploited delay between the launch of Windows 8 and the point at which all Windows 8 systems are patched.

Recently, Google switched to an integrated version of Flash in the Chrome web browser. They did this to simplify the update process: Chrome users no longer have to worry about keeping their browser’s Flash plugin up to date.

Microsoft has apparently done something similar with Internet Explorer 10, which is included with Windows 8. Unfortunately, the recent Flash vulnerabilities were not addressed in Internet Explorer 10 when Windows 8 was finalized recently. This means that Windows 8 has at least two very serious security holes in its integrated web browser, out of the box.

Microsoft says that the Flash vulnerabilities in Windows 8’s IE10 will be fixed during the regular patch cycle, but it’s not known exactly when the updates will appear.

Nefarious hackers are no doubt preparing for a surge of new Windows 8 systems to appear on the Internet, all with these rather large holes, ready to exploit.

If you are using Windows 8 or plan to start using it soon, your options are:

  • Stop using Internet Explorer. This isn’t really a viable option, since the browser is integrated into the O/S.
  • Disable Flash in Internet Explorer 10, assuming this is even possible.
  • Avoid all Flash content while using Internet Explorer 10. This is increasingly difficult to accomplish, given the prevalence of Flash content on the web.

Windows 8 annoyance lists start appearing

Since I’ve yet to bite the bullet and download an evaluation copy of Windows 8, I’m relegated to passing along reviews from elsewhere. Luckily, there’s no shortage of those.

First up is an article from laptopmag.com, entitled ‘8 Worst Windows 8 Annoyances and How to Fix Them’. Here are the highlights:

  • No more Start menu. Why, Microsoft? Why not make it optional? Then, if I’m using a tablet, I’ll turn on the new UI; and otherwise leave it off.
  • Desktop apps (basically, all the software you currently run on Windows) are harder to find, since they are all jammed behind one pane of the new UI.
  • Shutting down the computer involves more steps and it’s not immediately obvious what those steps are.
  • The new Windows Mail app only supports IMAP, not POP. Why, Microsoft? IMAP certainly has its uses, but for most users, POP more closely matches what they really want, and how they conceptualize email. IMAP can be very confusing for users.
  • Even Windows 8 itself reverts to ‘desktop mode’ for many activities. So what’s the point of the new UI? Is it just there to confuse people and make everything take longer? The constant transitions between the new UI and the desktop are jarring for users.

Next, a PCGamesN contributor has an entertaining rant on why he’s uninstalling Windows 8. Just as I plan to do soon, this poor sod forced himself to install Windows 8 in order to evaluate it. Highlights:

  • The new UI, and the way it’s forced on the user only to revert to the desktop for many operations, is a disaster.
  • The core apps – the ones Microsoft expects you to use every day – are awful. This includes the email client, the messaging client, the calendar, the media player and the Metro version of Internet Explorer (there’s a desktop IE as well).

Fun stuff! Thanks Microsoft, for giving bloggers such a rich source of disgust.

As predicted, Windows XP holdouts likely to upgrade to Windows 7

I’ve been saying for a while that corporate/business/enterprise customers are going to avoid Windows 8. IT departments have no interest in helping countless users re-learn Windows basics because of an ill-conceived and unavoidable user interface decision by Microsoft.

Enterprise IT folks are not interested in performing Windows upgrades on thousands of PCs unless there is a good reason to do so. When Microsoft stops developing security patches for Windows XP in April 2014, that will be a good reason to upgrade machines still running XP. Thankfully, there are alternatives to Windows 8.

After a lot of early problems with networking, compatibility and drivers with Windows 7, that O/S has emerged as the next go-to O/S for Windows-based PCs. Moving a user from Windows XP to Windows 7 will not involve a lot of re-training, drivers have matured, and software compatibility issues have mostly been resolved. Windows 7 sales are likely to exceed Windows 8 sales in the coming months, no matter what Microsoft does to encourage people to skip Windows 7.

Apparently, the attendees of a recent TechMentor conference held at Microsoft’s headquarters agree. According to those folks, Windows 7 is going to be the next Windows XP, with 7 assuming the mantle of ‘most solid and reliable Windows O/S’ for enterprise users.

My own plans are to evaluate Windows 8 on a test PC, but switch my Windows XP machines to Linux if possible, and Windows 7 if not. Windows 8 has a lot to prove before I will even consider using it on any of my main PCs.

Usability expert pronounces new Windows 8 UI confusing

Apple fans like to accuse Microsoft of stealing ideas from Apple. They also like to give Steve Jobs credit for inventing things actually invented by others. A recent example of this is the apparent belief among some Apple diehards that Jobs invented tablet computing.

Another common misconception is that Apple (and Jobs) invented the graphical user interface and mouse. In fact that honour goes to the wonderfully creative folks who worked at the Xerox PARC research facility in Palo Alto in the 1980s. Jobs saw a demonstration of a graphical interface at PARC and soon afterward, the Mac appeared on the scene.

In fact, all creative work builds on what came before, whether we’re talking about art or technology. These days, there’s far too much emphasis on ownership of ideas, with hopelessly broken patent and copyright systems making lawyers rich and causing untold misery for everyone else. Don’t get me started.

Raluca Budiu is a computer usability expert who previously worked at both Xerox PARC and Microsoft. She was recently interviewed by laptopmag.com, and was asked about the Windows 8 UI. What she says will surprise nobody who has given any thought to the new tablet/touch-focused UI. It’s confusing. It’s cognitively jarring. It’s more work than previous Windows UIs. Her comments were based on her own personal use of the new O/S and not the result of any kind of formal study, but I think we can agree that her observations have merit. I hope she decides to study the new UI in detail; the results could encourage Microsoft to provide workarounds for some of the more awkward UI issues in Windows 8.

Low prices for Windows 8 will end after January 31, 2013

I was encouraged by Microsoft’s recent announcement that pricing for Windows 8 was going to be lower than previous Windows offerings. In particular, $40 for the retail Windows 8 Pro Upgrade is a lot more reasonable than I had expected. Of course, that’s the download-only version; the retail box will be priced at $70. The non-upgrade version of Windows 8 Pro will be $70, which is still better than it was for Windows 7.

Alas, these prices are only going to be in effect for a brief period, from the retail release on October 26, 2012 to January 31, 2013. After that, the non-upgrade Pro version will increase from $70 to $200 (gag), while the Pro Upgrade price will increase from $40 to something higher (exactly what remains unclear). These prices are all in US dollars.

In related news, Microsoft has revamped their licensing for Windows. Among other changes, users will now be able to – for the first time! – legitimately install Windows on a self-built PC without paying full price for a retail version. The new license type is called “Personal Use License for System Builder (PULSB)” and although pricing is not yet known, it will hopefully be significantly lower than the full retail version. Ed Bott has additional analysis over at ZDNet, and he’ll be posting more as his analysis continues. Ars Technica has more info on the new licensing and PULSB.

Windows 8 prevents site blocking using HOSTS file

Another day, another reason to hate Windows 8. And I haven’t even installed it yet. According to ghacks.net, using the Windows HOSTS file to block web sites will no longer work reliably in Windows 8.

Modifying the Windows HOSTS file is a simple and effective way to fiddle with the way domain names are translated into IP addresses. I use it on development PCs to allow access to locally-hosted web sites using their public URLs. It can also be used to redirect unwanted web sites to LOCALHOST, effectively blocking them. This can be used as a rudimentary form of ad blocking, although there are some risks involved.

Microsoft apparently doesn’t want people using the HOSTS file that way, because it silently updates the file, even if it’s marked as read-only, removing entries for facebook.com and ad.doubleclick.net (a major advertising source), and presumably others.

It turns out that the culprit is Windows Defender, which is enabled by default in Windows 8. Exactly why Windows Defender is doing this is not certain, but it’s safe to assume that Microsoft was pressured to do this by Facebook, Doubleclick, and others. Microsoft will probably claim that it was done for reasons of security, in which case it will be interesting to hear their explanation.

Meanwhile, disabling Windows Defender apparently resolves this issue. You should probably use real anti-malware software anyway. There are plenty of free alternatives.
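
A check for the silent removal described in this post, as an added example (not from the original post or from ghacks.net): it parses HOSTS-format text and reports which expected block entries are no longer redirected to a loopback or 0.0.0.0 address. The sample file contents and the function names are constructed for illustration.

```python
import ipaddress
import sys

# Constructed sample: a HOSTS file as its owner wrote it, and the same file
# after two of the block entries have been removed.
BEFORE = """\
# local development
127.0.0.1    localhost
127.0.0.1    facebook.com www.facebook.com   # blocked
0.0.0.0      AD.DoubleClick.net
192.168.1.20 intranet.example
"""
AFTER = """\
# local development
127.0.0.1    localhost
127.0.0.1    www.facebook.com
192.168.1.20 intranet.example
"""
EXPECTED = ["facebook.com", "www.facebook.com", "ad.doubleclick.net"]


def sinkholed_hosts(text):
    """Return hostnames mapped to a loopback or unspecified (0.0.0.0) address."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                              # blank or address-only line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not a valid address: skip the line
        if addr.is_loopback or addr.is_unspecified:
            # one line may carry several names; names are case-insensitive
            blocked.update(name.lower().rstrip(".") for name in fields[1:])
    blocked.discard("localhost")                  # the normal loopback entry is not a block
    return blocked


def missing_blocks(expected, hosts_text):
    """Return the expected block entries that the file no longer sinkholes."""
    wanted = {name.lower().rstrip(".") for name in expected}
    return sorted(wanted - sinkholed_hosts(hosts_text))


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else AFTER
    for name in missing_blocks(EXPECTED, text):
        print("block entry missing:", name)
```

Run on a schedule against the real HOSTS file, a check like this turns a silent edit into a visible alert.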