Service Pack 2 for Windows 7 cancelled

With the pile of post-SP1 updates for Windows 7 growing and no end in sight (at least until 2020), Microsoft has decided to forsake IT workers by cancelling plans for SP2. This means that installing Windows 7 is going to become increasingly tedious: install Windows 7, install SP1, then install 100+ (and growing) patches.

Is this yet another attempt by Microsoft to get IT administrators to throw in the towel and upgrade to Windows 8? Maybe. Luckily, IT workers have plenty of tools available to create new, slipstreamed installation media for Windows 7. That means one unattended install for Windows 7, SP1 and all the updates available at the time the media was created. Microsoft stopped officially supporting slipstreaming in Vista and Windows 7, so the process is a bit more difficult, but it’s both possible and worth the effort.

Java still vulnerable even with recent batch of security fixes

We were wondering whether the recent Java updates addressed the security holes reported by Adam Gowdiak of Security Explorations. Well, Mr. Gowdiak tested the most recent Java in various browsers, and the answer is no, they do not.

Gowdiak went even further, developing a simple fix for the vulnerability. Oracle is unimpressed, saying that a proper fix will involve a lot more testing than the 30 minutes Gowdiak spent on it. They are sticking to their original estimate, that an official fix will not be available until the February 2013 Critical Patch Update.

So Java, despite the recent patches, is still vulnerable to exploits using the hole reported by Gowdiak. We continue to recommend disabling Java in web browsers.

Microsoft tries to convince businesses to switch to Windows 8

A recent post at Microsoft’s Windows for your Business blog reads – as one might expect – a lot like PR hype for Windows 8. Even the subtitle: “Identifying your unique Windows 8 adoption path” assumes that the reader will be upgrading to the new O/S.

The gist of the article is that Windows 8 is going to be a really good thing for “the enterprise”, meaning businesses and corporations. Having read this article and much of the material linked from it, I remain unconvinced.

This list of features found only in the pricey ‘Enterprise’ edition of Windows 8 is supposed to get IT managers all excited about Windows 8, but I don’t see anything particularly compelling there. Not enough to upgrade from Windows 7, anyway. Sure, if you’re still running Windows XP in your IT shop, you might want to consider Windows 8, but right now, Windows 7 looks like a much safer bet. Thanks to Microsoft’s surprisingly generous support windows, Windows 7 is going to be around for a long time.

Java on the desktop: safe or not?

Java is increasingly the focus of both malware developers and security researchers. Many malware packages include Java code, and drive-by malware infections often use known Java vulnerabilities to trigger web browser-based infections. Java releases are filled with fixes for security vulnerabilities. Security researchers find new Java holes with alarming frequency.

ARS Technica recently asked their readers to talk about Java and how they use it. The resulting article outlines the results of this informal survey and makes some recommendations to users.

On typical Windows computers, Java is installed as a browser plugin, allowing Java code on web sites to be run seamlessly within the browser. This should not be confused with Javascript, which is also used within web browsers, but despite its name, is a totally separate thing.

Many Windows computers also contain the Java Runtime Environment (JRE), which allows standalone Java applications to run without a web browser. Many system administration tools are developed in Java, since this allows the same code to run on many different operating systems. There are also plenty of Java games, including the hugely popular Minecraft. Although Minecraft can be run from within a web browser, the full version of the game runs in the JRE.

Java vulnerabilities exist both in Java browser plugins and in the JRE. However, Java code that runs in the JRE must be explicitly downloaded and installed by the user. For example, to play the full version of Minecraft, the user must go to the Minecraft web site, buy the game, download the installer, install the game on their computer, then run the game. On the other hand, Java code on a malicious or hacked web site can run automatically and invisibly the moment a user visits that web site – if their browser has a functioning Java plugin.

Clearly, Java web browser plugins present a much greater security risk than standalone Java. Our recommendations – echoed by the ARS Technica article – remain the same: you should seriously consider disabling Java plugins in your web browser, but it’s okay to leave the JRE installed on your computer.

Windows 8 Store Rules could be a problem for some games

Microsoft is apparently applying a strict set of rules to the Windows Store, which is making its debut on desktop PCs with the arrival of Windows 8.

By the current rules, many popular PC games would not be acceptable for the Windows Store, including Skyrim. Games not available through Windows Store would still be available in the usual way, but they would be limited to running on the Windows desktop rather than on the new user interface. But who cares whether a game will run on the new UI? Most PC games take over the entire screen when they run anyway.

I’m betting this goes one of four ways:

  1. Game developers ignore the Windows Store and sell their games the same way as before. Windows Store becomes increasingly marginalized and irrelevant.
  2. Microsoft figures out how to sell mature content in Windows Store, and game developers gradually give in and start using it.
  3. The Windows Store restrictions remain in place, Microsoft phases out support for desktop gaming, and PC gamers revert to Windows 7 in disgust. Windows 8 retail sales drop to zero, joining business sales levels.
  4. Microsoft relents, recognizing that the only way to keep Windows Store relevant is to allow people to buy what they actually want there.

See Techdirt’s coverage of this issue for more details and links.

Update 2012Oct27: Microsoft is apparently paying attention. They have decided to adjust their rules to allow inclusion of mature games, although the change will not take effect until as late as December 2012.

Lack of interest in Windows 8 runs rampant in the business world

The Verge reports on findings from a Forrester study (as interpreted by The Wall Street Journal) showing that companies are significantly less interested in Windows 8 than they were in Windows 7.

Clearly, businesses have settled on Windows 7 to get them from the impending demise of Windows XP to the next (post Windows 8) version. Microsoft’s extended support for older operating systems is a real boon for IT departments, but there’s a danger that eventually Microsoft will give up and adopt a support model more like Apple’s, in which you’re practically forced to upgrade the O/S every other year.

Critical Patch Update fixes 30 Java security issues

Oracle has released updates for all of its Java packages. The updates include a variety of bug and security fixes across all the affected Java products.

You can download the Java Runtime Environment (JRE) or Java Developer Kit (JDK) appropriate for your computing environment from the Java downloads page.

Java browser plugins that are not updated as part of a JRE update will require separate updates, in some cases from the web browser developer (Chrome, Internet Explorer).

It is unclear whether these updates include fixes for the vulnerabilities reported in late September 2012. Update 2012-Oct-25: Apparently they do not, according to security researcher Adam Gowdiak.

News for me, stuff that matters… to me. Windows, Linux, security, tools & miscellany.