Wednesday, 26 November 2014

Windows 10 Update - Taking it fast or slow

This post is a little late, as I wanted to comment on Microsoft's new update process when it was first released late last October. Like many others, I was pretty busy with the massive update from Microsoft for this November Patch Tuesday. 

You can read more about this series of Microsoft security patches and updates at my Computerworld blog, found here.

Windows 10 has not been officially released yet, but already we have seen a number of updates, and in fact it looks like there are at least two update channels or tracks offered by Microsoft now.

As you can see from the following screenshot, you can choose either a "Slow" or "Fast" track for your Windows 10 updates.

Gabe Aul, on his Windows blog, says this about the new two-track update process:

"To put this into perspective, it’s helpful to understand what we call “ring progression”. Every day our build process compiles the latest changes our engineers have made and produces a build that is automatically sent out to our “Canary ring” – people in OSG who want to be the first to get started using and testing the newest code. Once we have validated with that group that the build is stable enough to use by more people, it is sent out to the next ring – all of OSG – where we validate it with that audience. From there we send it to tens of thousands of people here at Microsoft, and after it proves stable enough there, we make it available to you."

In addition to the two publicly available update tracks provided by Microsoft as part of the Windows Insider (Technical Preview) program, there are a few more internal layers or rings (one is called the Canary ring) that cover the initial builds from developers and internal testers.

Microsoft has provided a nice illustration of this process in the following diagram.

In addition, it looks like there is an Enterprise track as well, which you can find here.

It looks like Ars Technica is following this story as well, which you can read more about here.

Monday, 24 November 2014

Windows 10 finally comes clean with its versioning

One of the quirks of the Windows operating system family lies with its naming conventions, both internally and externally. Yes, we had Windows 2000, then XP, then Vista, then Windows 7 and recently version 8 and subsequently 8.1. I am sure that most of those who read this blog know that the actual (reported) version of each operating system has almost nothing to do with its name.

For example, here are the OS versions that Windows reports back for each release of the past 14 years:

Operating system            Version number
Windows 8.1                 6.3*
Windows Server 2012 R2      6.3*
Windows 8                   6.2
Windows Server 2012         6.2
Windows 7                   6.1
Windows Server 2008 R2      6.1
Windows Server 2008         6.0
Windows Vista               6.0
Windows Server 2003 R2      5.2
Windows Server 2003         5.2
Windows XP 64-Bit Edition   5.2
Windows XP                  5.1
Windows 2000                5.0

* Reported as 6.2 to applications that are not manifested for Windows 8.1 (see the GetVersionEx note below).

Note that Windows NT 4 reported a 4.x version number. So we have been on version 6.x since the release of Windows Vista. There have been a number of reasons for this, most of which relate to application compatibility. One of the primary reasons for an application to fail was a poorly coded version check (generally intended to test whether the OS was later than Windows 2000) that misread the version number, for example by testing the minor version on its own or testing the major version for equality, and so prevented an otherwise perfectly good application from starting.

In fact, we get into some truly weird scenarios with Windows 8.1, where the GetVersionEx API has been changed to report something other than the real version: an application that is not manifested for Windows 8.1 is told it is running on 6.2 (Windows 8). You can read more about this versioning behavior on MSDN here, but I have included an interesting quote:

"In previous versions of Windows, calling the GetVersion(Ex) APIs would return the actual version of the operating system (OS), unless the process had been mitigated by an app compat shim to give it a different version. This was done on a provisional basis and was relatively incomplete in terms of the number of processes that Microsoft could reasonably shim in a release. Many applications fell through the cracks because they didn’t get shimmed due to poorly designed version checks."
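To make the application-compatibility point concrete, here is an added example (not code from this blog or from Microsoft) that models the (major, minor) pairs from the table above in plain C. It puts two typical broken "Windows XP or later" checks next to the correct pair-wise comparison and counts how many real releases each one would wrongly refuse to run on. The `version_reported_by_8_1` function is an assumption-labelled model of the Windows 8.1 behavior described above (6.3 only for apps manifested for 8.1, otherwise 6.2); it does not call any Windows API.

```c
/* Added example: why "later than Windows 2000" checks break on newer versions.
 * Models the (major, minor) values from the table above; not code from the blog. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    const char *name;
    unsigned major;
    unsigned minor;
} OsVersion;

/* Constructed sample: releases from the table above (5.0 .. 6.3). */
static const OsVersion kReleases[] = {
    {"Windows 2000",        5, 0},
    {"Windows XP",          5, 1},
    {"Windows Server 2003", 5, 2},
    {"Windows Vista",       6, 0},
    {"Windows 7",           6, 1},
    {"Windows 8",           6, 2},
    {"Windows 8.1",         6, 3},
};
#define NUM_RELEASES (sizeof kReleases / sizeof kReleases[0])

/* Correct comparison: (major, minor) compared as a pair, the way a proper
   "at least version X.Y" test (VerifyVersionInfo style) does it. */
bool is_at_least(unsigned major, unsigned minor, unsigned need_major, unsigned need_minor)
{
    return major > need_major || (major == need_major && minor >= need_minor);
}

/* Intended meaning of all three checks below: "Windows XP (5.1) or later". */
bool check_correct(unsigned major, unsigned minor)
{
    return is_at_least(major, minor, 5, 1);
}

/* Bug 1: minor version tested on its own, so Vista / Server 2008 (6.0)
   fail even though they are newer than XP. */
bool check_buggy_minor(unsigned major, unsigned minor)
{
    return major >= 5 && minor >= 1;
}

/* Bug 2: equality on the major version, so every 6.x release fails. */
bool check_buggy_equal(unsigned major, unsigned minor)
{
    return major == 5 && minor >= 1;
}

/* Count releases that really are XP-or-later but that `check` refuses. */
int false_rejections(bool (*check)(unsigned, unsigned))
{
    int n = 0;
    for (size_t i = 0; i < NUM_RELEASES; i++) {
        bool truth = check_correct(kReleases[i].major, kReleases[i].minor);
        if (truth && !check(kReleases[i].major, kReleases[i].minor))
            n++;
    }
    return n;
}

/* Assumed model of the Windows 8.1 behavior described above: the process is
   told 6.3 only if its manifest declares Windows 8.1 support, otherwise 6.2,
   so an unmanifested application believes it is running on Windows 8. */
OsVersion version_reported_by_8_1(bool manifested_for_8_1)
{
    OsVersion v = {"Windows 8.1", 6, manifested_for_8_1 ? 3 : 2};
    return v;
}

int main(void)
{
    printf("%-22s %-8s %-12s %-12s\n", "Release", "correct", "buggy_minor", "buggy_equal");
    for (size_t i = 0; i < NUM_RELEASES; i++) {
        const OsVersion *r = &kReleases[i];
        printf("%-22s %-8s %-12s %-12s\n", r->name,
               check_correct(r->major, r->minor) ? "run" : "refuse",
               check_buggy_minor(r->major, r->minor) ? "run" : "refuse",
               check_buggy_equal(r->major, r->minor) ? "run" : "refuse");
    }
    printf("false rejections: correct=%d buggy_minor=%d buggy_equal=%d\n",
           false_rejections(check_correct), false_rejections(check_buggy_minor),
           false_rejections(check_buggy_equal));
    return 0;
}
```

The first bug refuses exactly one of the listed releases (Vista, 6.0); the second refuses all four 6.x releases. Either bug is enough for an otherwise working application to refuse to start on a newer OS, which is exactly the kind of failure the version-reporting shims were introduced to paper over.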

Now it seems (and this is only a rumor) that Microsoft may be aligning its reported OS version with the product name in Windows 10. Here is a quick snapshot of the latest build from Microsoft:

Has Microsoft finally come clean about its reported version? When I get the latest build, I will run some code-level tests, and we will see.

Watch this space.

Friday, 21 November 2014

Patching Bad: The new reality of systems updates.

I have been chatting with my colleagues about the stability of Microsoft patching over the past few weeks. Remember the days when Microsoft would ship patches that would break your desktop or server environment? Or update a component critical to your line-of-business (LOB) applications, such as Microsoft XML (MSXML), and "drop" your trading floor?

Well, over the past few years Microsoft has really upped its game, and we have seen very few problems. In fact, it looks like most system administrators have simply been shipping out the latest Microsoft patches with very little testing, maybe a quick loop through the IT department prior to a full-scale deployment, and the number of issues raised has in general been pretty minimal. When you did a cost analysis of testing each patch or update against an application or workstation build portfolio, a detailed testing plan really lost out to a "reactive find and fix" strategy after each update.

That thinking may be changing.

Over the past few months we have seen a number of patches that have caused Blue Screens of Death (BSoDs), and recently a Microsoft security update (KB2984972) that attempted to resolve a Remote Desktop Protocol (RDP) security vulnerability also broke Microsoft's own App-V application virtualisation technology. In addition to these issues, Microsoft has had to re-release four updates from this past October Patch Tuesday.

Some are even calling Microsoft's Patch Tuesday, "Black Tuesday" due to all of the compatibility and retracted patches.

This RDP update left some App-V users with a "Loading MyApp 100%" message, after which the App-V sequenced application would not start or run correctly. Microsoft has now resolved this particular issue with a series of registry fixes; you can find the update here.

This bug has been fixed, but Microsoft's patching reputation is now at risk.


Microsoft Sources Registry Edits to Fix KB2984972 Breaking App-V Packages

Four more botched Microsoft patches: KB 3000061, KB 2984972, KB 2949927, KB 2995388

Wednesday, 19 November 2014

Microsoft Delivers Out of Bound Security Update to Kerberos Authentication

Earlier this month, I posted an update on the November Patch Tuesday security releases from Microsoft, which you can read about here. In that post, I noted that although it was a massive update of sixteen patches, two updates were not ready for release. The first of those two, MS14-068, has now been released by Microsoft and is the fifth patch rated Critical for November.

The Microsoft security update MS14-068 resolves a privately reported vulnerability in the Kerberos Key Distribution Center (KDC). An attacker holding valid credentials for any domain account could use it to elevate those credentials to domain administrator level, and could then impersonate any account in the domain, including domain administrators, with the ability to create, change or delete accounts and data across the domain. On top of the severity of the issue itself, Microsoft has reported limited, targeted attacks exploiting this vulnerability.

This patch updates a significant number of operating system files (DLLs). It was released on the same day that Microsoft re-released the SChannel update from MS14-066 (KB2992611), so check that both have been applied.

This is definitely a "patch now" Microsoft update.

Chris Goettl has a great blog post on these issues, which you can find here.

Additional references for this Microsoft update can be found in Knowledge Base article KB3011780 (note that KB2992611 is the SChannel update from MS14-066, not the Kerberos one).

Monday, 17 November 2014

Microsoft Security Intelligence Report Version 17 - Now Released

Microsoft has been publishing its Security Intelligence Report (SIR) for a few years now; we are now on Volume 17. The latest report was released last week and is available from the Microsoft Download Center here.

This latest report covers a great deal of the territory that marks out the major security issues of our time, including:
  • security credentials
  • application, operating system and browser security
  • the dangers of expired anti-virus and anti-malware software

One of the real surprises in this lengthy security briefing is that the risk of running expired anti-malware software is sometimes actually worse than running no protection at all.

The following diagram details each of the risk profiles for anti-malware software. 

As you can see from the diagram, the "red" bar, representing expired software, is almost as high as the "pink" bar for no protection at all.

Referencing the latest version of the Microsoft SIR document, the authors note:

"Computer users who experience malware infections because of expired security software are likely to conclude that the protection offered by such products is largely illusory. An examination of infected and clean computers with security software from one such vendor, Vendor A, shows that expired security software misses far more infection attempts than it catches".
Microsoft offers free anti-virus and anti-malware protection that may not suit all of your needs, but according to the data collected here it is much better to enable these tools on your desktops than to keep running other, expired software. You can get the latest definitions here.

And if you are using Windows 8.1, you are automatically covered by the built-in Windows Defender, provided you have enabled automatic updates.