Patch Tuesday for November 2012

Another month, another Patch Tuesday. As discussed in the advance warning post, this month’s crop consists of six patches with nineteen fixes for Windows (including Windows 8), Office, Internet Explorer and .NET:

Windows users are encouraged to install the critical updates as soon as possible via Microsoft Update.

More details at the Microsoft Security Response Center.

DirectX 11 only for Windows 8

Microsoft has traditionally been pro-consumer in terms of backward compatibility. They expended a lot of resources to make sure that new versions of Windows would be compatible with older hardware, for instance.

A rare exception to this was Microsoft’s failure to make DirectX 10 compatible with Windows XP. Given the huge number of Windows XP systems still out there when DirectX 10 was introduced in 2006 (and even now), this move almost certainly hurt everyone involved, including Microsoft, game developers and consumers. As a Windows XP gamer, I occasionally encounter games that require DirectX 10, at which point I put the box back on the shelf.

Despite claims to the contrary, it’s clear that a big part of Microsoft’s DirectX 10 decision was that they wanted people to upgrade to Windows Vista. I’m sure a few gamers upgraded Windows because of this, but to the vast majority it was just another stupid roadblock and a reason to be angry at Microsoft.

Game developers were left with a difficult decision. They could continue developing for DirectX 9, but in doing so they would not be able to use the new features of DirectX 10. They could develop two versions of their games, one requiring DirectX 10 and the other, compatible with DirectX 9, but this would add a lot of work and complexity to the process. Or they could stop developing for DirectX 9, but this would eliminate a huge potential market: Windows XP gamers. None of these choices are ideal. For the most part, DirectX 10-only game titles are still relatively rare.

Unfortunately, Microsoft has made a similar decision for DirectX 11: it will only be available on Windows 8. Once again, this decision is likely to do more damage than anything else.

Advance warning for November 2012 Patch Tuesday

It’s that time of the month again. Microsoft has issued its advance warning for this month’s Patch Tuesday. The patches themselves will become available, as usual, on the second Tuesday of the month. That’s November 13, 2012, at approximately 10 a.m. PST.

The patches this month affect Windows, Internet Explorer, Office and the .NET Framework. There are six planned bulletins, with 19 total issues being addressed. Four of the bulletins are rated Critical. For all the details, see the related Technet security bulletin.

As always, Windows users should install these patches as soon as possible on or after November 13.

‘Ransomware’ prevalence increasing in North America

A new white paper from Symantec discusses the increase of ‘ransomware’ in North America. Ransomware is malware that – once installed on a user’s computer – prevents normal operation and presents the user with warnings that appear to be from regional law enforcement organizations. The warnings threaten further legal action if the user fails to pay a fine. The warnings look sufficiently legitimate to fool many users, who then pay the ‘fine’.

If you start seeing one of these warnings on your computer, do not pay the ‘fine’. Instead, have the malware removed from your computer by a knowledgeable technician.

More details from ARS Technica.

‘Impervious’ Adobe Reader X/XI is actually vulnerable

A working exploit for the latest versions of Adobe’s PDF Reader software (X and XI) is being made available to malicious hackers for $50,000 via underground forums.

Starting with Version X, Adobe’s Reader software has employed a ‘sandbox’ that supposedly insulates the operating system from attacks originating in Reader content. The exploit code reportedly gets around the sandbox.

Adobe is investigating, but no patches are available yet. Since this threat is active, anyone using Adobe Reader X or XI should exercise extreme caution when opening PDF documents or clicking links to PDF documents from unknown sources. Another option is to uninstall the Adobe software and use an alternative like Foxit Reader.

More details from KrebsOnSecurity.

Vulnerabilities in Sophos anti-malware products

Security researcher Tavis Ormandy has discovered several security vulnerabilities in Sophos security products. The holes were patched within a few weeks of the initial reports, but Ormandy maintains that Sophos’ response was too slow. The vulnerabilities, if unpatched, can allow attackers to gain full control of computers running affected Sophos software.

Regardless of whether you agree with Ormandy’s conclusions about Sophos, it’s clear that if you run Sophos security products, you should make sure they are fully patched.

No surprise: advertisements in Windows 8

When Microsoft introduced the ‘Modern UI’ on the XBox 360 a while ago, it seemed obvious to most people that the new UI was just an excuse to shove more advertising into the faces of users. It changed a perfectly functional, text-based navigation system into an attention-grabbing, image-oriented, and ultimately wasteful navigation system. Visual ads are much more effective than text ads, and the current XBox 360 interface delivers them relentlessly.

A bit of background: Microsoft has long been jealous of Google’s ability to make massive amounts of money through advertising. Microsoft has tried to emulate Google by mirroring the services Google provides with Bing, Bing Webmaster Tools, and so on. When the new XBox 360 UI – the one filled with ads – first appeared, Microsoft may have expected backlash from users. When no such backlash materialized, Microsoft must have decided they could get away with the same thing in Windows.

So, when Microsoft announced that Windows 8 would have the same interface as the XBox 360, I immediately assumed we’d be seeing ads in Windows 8. Sure enough, we’re starting to see reports of advertising appearing in the apps built into Windows 8.

But here’s the problem: XBox 360 users spend very little time looking at the user interface. 99.9% of the time, they’re looking at full screen content in the form of video and games. The interface ads barely register. That’s not the case with Windows applications, where most desktop users spend all their time. If I need to use a certain type of application, and I have a choice between one that shows me ads all the time, and one that doesn’t, guess which one I’m going to choose? Business IT departments are going to really hate this as well, and it’s going to be yet another reason for them to avoid Windows 8 completely.

Adobe Flash security updates

Yesterday, Adobe announced a new version of Flash that includes fixes for several security holes in earlier versions. Anyone who uses Flash to view web-based video, which includes anyone who uses YouTube, should install the latest version of Flash as soon as possible.

The latest version of Flash for Windows is 11.5.502.110. Adobe also made available updates for older versions of Flash that address the same security vulnerabilities, but we recommend updating to the latest version.

A new version of Google Chrome, also announced yesterday, includes these security fixes. A similar patch for Internet Explorer 10 in Windows 8 was made available by Microsoft.

These updates resolve buffer overflow vulnerabilities that could lead to code execution, memory corruption vulnerabilities that could lead to code execution, and a security bypass vulnerability that could lead to code execution.

News for me, stuff that matters… to me. Windows, Linux, security, tools & miscellany.