Windows 7 Pro OEM available until at least February 2015

We previously posted about Microsoft fiddling with Windows 7’s lifecycle dates. At the time, it seemed clear that Microsoft would be foolish to stop making Windows 7 available to computer builders in October 2014 as originally stated.

Microsoft recently updated the lifecycle dates for Windows 7 again, and now Windows 7 Professional OEM will be available until at least February 23, 2015 (a year from today). No specific cut off date is provided on the lifecycle page for Windows 7 Pro, but a footnote states that Microsoft will provide at least one year of notice before any cut-off date is actually set.

Meanwhile, other versions of Windows 7 (Home, Ultimate) will no longer be available as of October 31, 2014, as originally planned.

Anyone still running Windows XP and planning to upgrade to Windows 7 will find that Win7 is no longer available in retail stores. And now we know that even OEM packages for all but the Pro version will stop being available in October 2014.

Extremely critical security flaw may affect Macs

Apple recently patched a critical vulnerability in iOS, the operating system that runs all iPhones. Now it appears that the same flaw may affect all Macs running OS X as well. So far there is no official confirmation from Apple, but security experts are warning Mac users to avoid using public networks until we know more.

Update 2014Feb24: Apple released a patch for iOS that fixes this flaw on iPhones. Meanwhile, it looks like the flaw does affect Macs (OS X). A security researcher at ImperialViolet has created a proof-of-concept test page (no longer functional). Steer your Mac web browser to that page; if you get an error message, your browser is not affected by the flaw. Vulnerable Mac browsers will see a message to that effect. Tests on my own Mac show Safari as vulnerable, while Firefox is not.

Update 2014Feb25: TechDirt has an amusing article on the surprising lack of information coming from Apple. There’s a general sense of dissatisfaction with Apple, and increasing clamour for information – any information – on how this issue affects Macs.

Update 2014Feb26: Apple has released an update for OS X that addresses this issue. OS X 10.9.2 includes several other security fixes and bug fixes.

Emergency update for Flash

On February 20, Adobe announced a new version of Flash that addresses critical security vulnerabilities. Security bulletin apsb14-07 describes the vulnerabilities.

We strongly recommend upgrading to this new version of Flash (12.0.0.70) as soon as possible, especially if you have Flash enabled in a web browser and you use that web browser for web surfing.

As usual, Google Chrome will update itself to the latest version of Chrome, and Internet Explorer 10 and 11 will be updated to the latest Flash by way of Windows Update.

Ars Technica has more details.

Internet Explorer vulnerable to new attack

Update 2014Feb19: Microsoft has released a ‘Fix-It’ patch that apparently removes this vulnerability in Internet Explorer 9 and 10. They are expected to release a regular update at some point, but for now, if you have to use IE9/10, you should apply this Fix-It.

Ars Technica reports on a new vulnerability affecting Internet Explorer 10 and 9. Visitors to the American Veterans of Foreign Wars (VFW) web site who are using Internet Explorer will become infected with malware.

The VFW site was recently compromised, and altered to include code that loads the malware from another site. Presumably the VFW site will be cleaned up very soon, but the vulnerability in IE remains, so we can expect to see this malware being served up by other compromised web sites very soon.

Microsoft said that they are aware of the problem but there’s no word yet on a possible fix.

For now, since there’s no way to know which web sites to avoid, we recommend not using Internet Explorer at all for general web surfing.

Patch Tuesday, February 2014

It’s the second Tuesday in February 2014, so it’s time to patch your Windows computers. Originally there were only going to be five bulletins this month, but two more were added late. The updates fix security vulnerabilities in Internet Explorer, Windows and .NET. Four of the updates are flagged as Critical.

The summary bulletin has all the technical details, and Dustin Childs has posted a friendlier summary over at the MSRC blog.

As usual, a SANS ISC Diary post provides a security-focused interpretation of the month’s updates, with its own recommendations, as well as useful references (CVE identifiers) to the specific vulnerabilities addressed.

Windows 8.1 update 1 news

Assorted rumours and leaks about the upcoming ‘Patch 1’ for Windows 8.1 are starting to coalesce into a solid picture of the update:

  • It’s likely to be released in April 2014.
  • This will be a free update.
  • It may be available via Windows Update.
  • The update is focused on improving the user interface for keyboard/mouse users:
    • ‘Metro’ window title bars with context menus
    • optional boot to traditional desktop
    • the return of the Start menu
    • search and shutdown options are easier to find
    • ‘Metro’ apps optionally shown in taskbar
    • show taskbar within ‘Metro’ apps

Followup 2014Mar17: Peter Bright over at Ars Technica looked at a leaked version of the upcoming Windows 8.1 update, and posted his observations. Although Microsoft seems to have made progress in reducing the memory requirements of Windows 8.x (allowing it to actually run on many mobile devices), he’s unconvinced that the user interface changes will placate desktop users. Case in point: there’s still no Start menu.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.