boot13It looks like Microsoft has finally relented, and will bring the Start menu back to Windows 8. There’s no official word on a time frame for the change.
Windows 8.1 Update 1 available starting April 8
Microsoft recently announced the release date for Windows 8.1 Update 1: April 8, 2014, which is also Patch Tuesday for April. Windows 8.x users will be able to download the update via the Windows Update service.
This update brings back some of the mouse/keyboard and desktop features missing from the original version. Still missing, however, is the Start menu.
Millions of computers still running Windows XP
With less than a week to go before Microsoft ends support for Windows XP, over 27% of Internet-connected computers are still running the venerable O/S, according to an Ars Technica report.
Microsoft has clearly been unable to convince XP users to switch to another O/S, and the days and weeks following April 8 will likely be filled with stories about new malware and attacks on XP-based systems.
Roundup of recent Linux exploits
Linux proponents often say that Linux is safer than Windows, and in some respects, it’s true. Linux is inherently more secure than most versions of Windows. Actual Linux viruses are rare, since it’s very difficult for them to propagate. It’s also much more difficult to hide malicious activity on Linux systems than it is on Windows systems.
But don’t be fooled: Linux is not invulnerable. Now that it’s the basis for Mac OS X, and generally growing in popularity, Linux has become much more of a target. The Linux kernel currently sits at the top of the CVEDetails Top 50 products with distinct vulnerabilities list, with Mac OS X at number four and Windows XP at the fifth spot.
Not all vulnerabilities are exploited. Many exploits are never seen outside of research labs. Serious Linux vulnerabilities that are exploited ‘in the wild’ usually see patches within days of discovery.
A large proportion of the world’s web servers run Linux; a single compromised Linux server can affect all web visitors, so keeping them patched and clean is critical. But there seems to be a certain amount of complacency among some Linux system administrators, and Linux servers often stay unpatched and/or misconfigured for long periods of time, providing windows of opportunity for targeted attacks. Worse still, the reliability of Linux servers is such that Internet-facing servers are sometimes neglected completely.
Several recent stories highlight these issues.
A critical bug in the GnuTLS library, common to most Linux distributions, allows malicious parties to bypass security measures and eavesdrop on encrypted communication. This bug may have existed as far back as 2005. A patch for the GnuTLS vulnerability was made available in early March 2014.
The Windigo malware has been around since about 2011. It lies in wait on Linux web servers, infecting Windows visitors with malware, redirecting visitors to malicious web sites, serving ads for porn sites, and sending out spam. Typically, Windigo is installed on Linux servers by way of stolen credentials, rather than software vulnerabilities and related exploits. As many as 35,000 Linux servers have been affected, including high profile sites like kernel.org. Since the affected Linux systems are typically web servers, Windigo’s reach is potentially huge.
An extremely critical vulnerability in PHP that was discovered two years ago remains unpatched on many Linux servers. Exploits designed to take advantage of this bug can give attackers control of entire web sites. A patch for this vulnerability was made available soon after discovery of the bug.
Sites running out of date versions of Linux are susceptible to a new mass compromise that is taking over web sites and serving up fraudulent web pages and advertisements.
The lesson is that while Linux is a secure operating system, it must be kept patched to be truly secure. In particular, anyone administering a Linux-based web server has a responsibility to the Internet in general to keep their server patched.
New Microsoft Word vulnerability already being exploited
Earlier today, Microsoft announced in a security advisory that it was seeing evidence of attacks targeted against certain versions of its flagship word processing software.
The vulnerability can be exploited using a specially-crafted RTF file. Opening such a file can give the attacker full access to the user’s computer.
According to Microsoft, Word 2003, 2007, 2010, and 2013 are all affected. Since Word is the default editor in Outlook, simply opening an affected email can lead to a successful attack.
Microsoft is working on a patch, but until it’s ready, their advice is to install and configure EMET. They are also providing the usual ‘Fix It‘ stopgap, which in this case just disables the ability to open RTF files in Word.
There’s a less technical overview of this issue over at the MSRC blog.
This vulnerability is identified as CVE-2014-1761.
Java 8 released
Oracle recently announced the availability of Java version 8.
The new Java includes a range of new features, most of which are only of interest to developers. There are some security improvements, but again, these will not be visible to the user and are mostly of use for developers of new Java software.
You can see the list of changes on the What’s New in JDK 8 page (warning: technical). The release notes may also be of interest.
Oddly, the main Java download page still points to older versions (Version 7 Update 51). You can get Java 8 from the Java SE downloads page.
Update 2014Apr15: Oracle clarified their position on the availability of Java 8 in a special FAQ. Basically, Java 8 is for developers, and Java 7 is for regular users. At some point, Oracle will decide Java 8 is ready for general use.
Microsoft steps in a huge steaming pile of privacy issues
In yet another of the endless examples of why companies shouldn’t let lawyers make decisions, Microsoft has undone whatever goodwill they might have had from customers who value the privacy of their email.
A Microsoft employee apparently leaked Windows 8 information to a reporter. In typical big-corporation fashion, this leak caused the software giant to go into full-on freakout mode. Ignoring common sense entirely, they dug into the reporter’s Hotmail account, looking for clues to the identity of the leaker. Apparently the lawyers were consulted, and the lawyers said, “Go right ahead and look! The Terms of Service for Hotmail mean the law is on our side.” And they’re right. But that doesn’t mean it was a good idea. Now that this incident has come to light, the public backlash is just beginning for Microsoft.
Of course, this problem is not limited to Microsoft. Almost all email services operate this way. Whoever provides the service can access any part of it at any time, even if it’s encrypted as part of the service. The only way to get around this exposure while using a typical email service is to add your own encryption – on both ends of every email exchange – commonly referred to as end-to-end encryption. Lavabit was one of the few email services to offer this kind of security, and they closed down recently rather than comply with access requests from the NSA.
Update 2014Mar29: Microsoft, in damage control mode, has made changes to its privacy policies. A statement by Microsoft General Counsel Brad Smith on the ‘Microsoft on the Issues’ blog makes it clear that they will no longer look at customer data in situations like this. Smith also states that Microsoft will work with the EFF and other digital rights organizations to help avoid problems like this in the future.
Opera 20 and subsequent updates
Ah, the perils of switching RSS feed clients. In the process of moving from The Old Reader to Feedly, I apparently missed one feed: Opera Desktop. Mea culpa.
Because of my blunder, I also missed the release of version 20 of Opera’s Webkit-based browser, as well as two subsequent updates. Version 20 was released on March 4, 20.0.1387.77 was released on March 13, and 20.0.1387.82 was released on March 20.
Version 20 adds more customization of the Speed Dial page, drag and drop between Speed Dial and the bookmark toolbar, and several other cosmetic changes. There’s still no bookmark sidebar.
The 20.0.1387.77 and 20.0.1387.82 updates fix some issues related to stability.
MSRT will still be updated for Windows XP after April 8
Microsoft’s Malicious Software Removal Tool (MSRT) checks for and attempts to remove known malware from Windows computers during the Windows Update process.
Previously, it was assumed that MSRT would stop being updated for Windows XP once support for that O/S ends in April. A few weeks ago, Microsoft confirmed that it will continue to update MSRT on Windows XP computers until July 15, 2015.
This is good news for anyone who will still be running XP after April, but it’s important to note that MSRT is not a substitute for a full anti-malware solution, and should not be seen as protection against the flood of malware, targeted at Windows XP computers, expected to appear after April 8.
Firefox plugins are being phased out
Recently, Mozilla announced that they plan to gradually eliminate plugins from Firefox.
Plugins are used in Firefox to allow certain types of content to be embedded in a web page. Common plugins are those for Flash, Adobe Reader (PDFs), Java, Silverlight and Shockwave. According to Mozilla, plugins are often a source of performance and security issues, and they are being made increasingly redundant, given new technologies like HTML5.
It’s important to distinguish between Firefox plugins and Firefox extensions. Extensions provide new functionality to the browser, and include SEO tools, debugging tools, media helpers, interface customizations, and so on. Mozilla has no plans to phase out extensions, only plugins. A post over at ColonelPanic provides additional information about the distinction between plugins and extensions.
For now, the main thing you need to know about plugins in Firefox is that they can now be configured to remain inactive until explicitly activated by the user. I’ve changed all my Firefox plugins to ‘Ask to activate’ and so far it’s working well. It means there’s an extra step whenever I want to display embedded content, but it also means that content doesn’t do anything automatically, and I always know exactly what’s generating that content (Java, Flash, etc.) I highly recommend doing this. From the Firefox menu, select ‘Add-ons’ to configure your plugins.