Windows 10 DVD player is $15

There’s no ‘Media Center’ edition of Windows 10, and there’s no DVD player software included with Windows 10. Now comes word that you can purchase the Windows 10 DVD player from the Windows Store for $14.99. If you’re considering doing this, please don’t. Instead, download and install the excellent, freeware VLC Player, which aside from being able to play just about any media you can throw at it, can also play DVDs.

Update 2015Aug11: Apparently, if you upgrade from a Media Center version of Windows to Windows 10, you are warned about the features you’re about to lose. Better still, you will apparently be credited with a free copy of the Windows 10 DVD player, so you should be able to install it from the Windows Store for free.

WordPress 4.2.4 security release

The latest WordPress release resolves several security issues, including an SQL injection that could be used to compromise a site.

The WordPress 4.2.4 release notes have additional details.

WordPress sites with the auto-update mechanism enabled should be updated automatically in the next day or so, but if you don’t want to wait, you can install the update manually from the site’s dashboard.

July security roundup

Flash improvements

Adobe is trying desperately to keep Flash viable. In July, they announced structural changes that are expected to strengthen Flash’s overall security. The changes are so far only available in the most recent versions of Chrome, but they are expected to find their way into the other major browsers in August.

Asprox botnet status

There’s an interesting (though technical) overview of recent changes in the behaviour of the Asprox botnet over on the SANS Handler’s Diary. Apparently the botnet is no longer sending malware attachments, and is instead sending pornography and diet-related spam. Comparing my inbox contents with the samples in the linked article, it looks like most of the spam I currently receive is thanks to Asprox. Hopefully Asprox will be targeted by the anti-botnet heavy hitters in the near future.

Flaw in BIND could cause widespread issues

BIND is one of the most common pieces of software on Internet-facing servers. It translates human-readable addresses like ‘boot13.com’ into IP addresses. A bug in version 9 of BIND causes it to crash when a specially-crafted packet is sent to it. Attackers could exploit this bug to execute an effective Denial of Service (DoS) attack against a server running BIND9. Patches have been created and distributed, but any remaining unpatched servers are likely to be identified and attacked in the coming months. Update 2015Aug05: As expected, this bug is now being actively exploited.

Mobile versions of IE are vulnerable

Current, patched versions of Internet Explorer running on mobile devices were recently reported to have four flaws that could allow attackers to run code remotely. Exploits were published, although none have yet been seen in the wild. The vulnerabilities were disclosed by the HP/TippingPoint researchers who discovered them, six months after they privately reported them to Microsoft. Microsoft has yet to patch these vulnerabilities; they apparently feel that vulnerabilities are too difficult to exploit for them to be dangerous.

Stagefright vulnerability on Android devices

A flaw in Stagefright, a core Android software library that processes certain types of media, makes almost all Android phones and tablets vulnerable. The flaw can be exploited as easily as sending a specially-crafted text (MMS) message to a phone, but also by tricking the user into visiting a specific web site. Successful attackers can then access user data and execute code remotely. Unfortunately for users, it’s up to individual manufacturers to develop and provide patches, and this process may take months in some cases. There’s not much users can do to mitigate this problem until patches arrive. Update 2015Aug05: Google is working with its partners to push updates to affected mobile devices.

Mediaserver vulnerability on Android devices

More bad news for Android users: the mediaserver service apparently has difficulty processing MKV media files, and can render a device unusable when it encounters one on a malicious web site. In most cases, the device can be brought back to life by powering it down and back up again.

Android spyware toolkit widely available

And the hits just keep on coming for Android devices. Among the information revealed in the recent Hacking Team breach was the source code for an advanced Android spyware toolkit called RCSAndroid. Like everything else taken from Hacking Team’s systems, this has now been published, and no doubt malicious persons are working on ways to use the toolkit. There’s no easy way to protect yourself from this toolkit, aside from keeping your device up to date with patches. From Trend Micro: “Mobile users are called on to be on top of this news and be on guard for signs of monitoring. Some indicators may come in the form of peculiar behavior such as unexpected rebooting, finding unfamiliar apps installed, or instant messaging apps suddenly freezing.

Windows 10 lands

You can now download the release version of Windows 10 directly from Microsoft. The tools on that page allow you to upgrade the computer you’re using, or to create bootable disc or thumb drive images, which can then be used to install Windows 10 from scratch on another computer. Both the Home and Pro versions are available, in 32 and 64 bit form.

If you’re running Windows 7 or 8.x, and you choose to perform an upgrade from the site linked above, you’ll get the Home version if you’re currently running one of the Home variants, and Pro otherwise.

It’s still not completely clear what happens when you don’t have a legitimate Windows 7 or 8.x license. At some point, you’ll be asked to enter a license key, and without one, presumably Windows 10 will stop functioning or suffer from reduced functionality. The same goes for in-place upgrades; as Microsoft has said, if you have a non-valid install of Windows 7 or 8.x and upgrade it to Windows 10, it will continue to be non-valid, with all that entails.

Update: My Windows 10 test computer is running whatever version is being provided via the Windows Insider program. It looks like the final release version, and has the build number Microsoft planned to use for the release: 10240. Because I joined the Windows Insider program (which involved having updates pushed to the computer regularly, and being asked to provide ratings and feedback), I’m now running Windows 10 Pro on a computer that previously ran Windows XP, and it didn’t cost anything, and it’s completely legit. Of course, if I ever want to stop logging in to Windows 10 with my Microsoft ID, I’ll have to purchase a Windows 10 license.

We’re finally running out of IP addresses

Some of you may remember dire predictions, years ago, that the Internet would soon run out of IP addresses. These predictions turned out to be somewhat early. A variety of factors combined to decrease the rate at which new address blocks were required. Still, it was clear that the limit would be reached, so the Internet Engineering Task Force (IETF) got to work designing a new IP address scheme. The new scheme is called IPv6, and supports a virtually unlimited number of addresses. The current IPv4 address system supports up to 4,294,967,296 unique addresses.

A typical IPv4 address: 96.49.181.168
A typical IPv6 address: 2001:db8:85a3::8a2e:370:7334

Now, according to American Registry for Internet Numbers (ARIN), the organization that doles out IP address blocks, we’re about to run out of IP addresses at last.

Before you start to panic, you should know that reaching this limit only really affects Internet Service Providers (ISPs). These organizations are the ones who buy IP blocks, then provide them to regular users. New ISPs, and ISPs that need to expand, are going to find it increasingly difficult to obtain the addresses they need.

There’s more good news: since we’ve seen this problem coming for a while now, most network hardware and operating systems are fully compatible with IPv6, including Windows XP and newer. When it’s time to make the switch, it will happen gradually, and will involve enabling IPv6 on devices and in operating systems where it’s currently disabled. Of course, there are likely to be glitches during the transition, but given the amount of testing already done, these should be resolved quickly. In most countries, the transition to IPv6 has already begun, with adoption as high as 35% in Belgium.

Deciding whether to upgrade to Windows 10

Windows 10 is scheduled for release on July 29. Microsoft really wants people to upgrade, offering the new O/S for free to anyone running legitimate installs of Windows 7 and 8.x, at least until July 28, 2016. Anyone who’s been running the Windows Insider Preview version of Windows 10 will also be able to install the release version for free. It sounds enticing, but is it right for you?

Questions remain

Unfortunately, there are still some unanswered questions regarding the free Windows 10 upgrades. How long will a ‘free’ install of Windows 10 remain free? If I try to reinstall it from scratch a few years from now, will I be forced to pay for it? What if my computer’s hard drive fails and I have to replace it and reinstall Windows 10? Microsoft has yet to produce definitive answers to these questions.

But the biggest unknown is the issue of forced updates. Windows 10 updates will be installed on ‘Home’ versions without allowing the user any choice whatsoever. That includes security updates and other bug fixes, but also new and changed features. ‘Pro’ users will be able to delay updates for several weeks, but have no way to prevent them indefinitely. While forced updates are arguably a good thing for most (especially non-technical) users, many power users find this prospect alarming. I don’t want Microsoft messing with my computer when I’m asleep. I want to be the only person who installs updates. I don’t want to see mysterious WAN bandwidth spikes that turn out to be huge, unwanted Windows 10 updates. Note: there may be a way to block certain updates indefinitely, according to Ed Bott, but the details are sketchy.

How to decide?

Is Windows 10 right for you? If you want the latest version of Windows, with the most up to date technologies and support for current hardware, and you don’t mind that the user interface is a hodgepodge of old and new (touch/tablet/mobile) style elements, you don’t mind forced updates, and your hardware supports it, then by all means upgrade to Windows 10.

If you’re running Windows 8.x, there’s no reason to hold back, since Windows 10 is basically Windows 8.2, and it addresses many Windows 8.x problems, including the lack of a Start menu.

The decision is not so easy for Windows 7 users. Windows 7 support (mostly in the form of security updates) will continue until January 14, 2020, so there’s no urgency. If you don’t like the new user interface, with its focus on touch and mobile devices, stay away. If you want to be able to use newer apps – the ones designed for the new UI – then you’ll have to upgrade. Support for Windows 7 by software and hardware makers is sure to decline over the next few years, which may force your hand.

I’ve been using the Windows 10 Insider Preview on a test machine, and so far, I like it. That machine was previously running Windows XP, which of course is no longer getting security updates and is increasingly risky to use. Upgrading to Windows 10 resolved a long-standing display issue on that computer, and I’ve had no new problems, aside from a few glitches and Explorer crashes that seem to have been resolved in later builds. I expect the computer to update automatically to the release version of Windows 10 at some point soon after July 29, but I’m ready to switch back to XP if Microsoft’s answers to the above questions prove unsatisfactory.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.