Wednesday, 11 March 2015

Massive March Microsoft Update

It looks like we have a massive March Microsoft Update for this month's Update Tuesday, with five updates rated as critical and the remaining nine rated as important by Microsoft.

I have posted my latest update on my Computer World column: Patch Tuesday Debugged. You can find the full story here:

Two of the critical updates were related to the Microsoft VBScript engine, where either the core OS or Internet Explorer (IE) could be used as an attack vector by malicious hackers, potentially leading to remote code execution.

In addition, we saw an update to the Windows kernel mode driver, which I have advised testing thoroughly and then perhaps waiting a little while before deploying, as these kinds of updates have caused issues in the past. The final update, MS15-031, addressed the industry-wide FREAK issue with an update to the Windows SChannel component.

I will post another preview of Microsoft Patch Tuesday next month (April) so, please watch this space.

Tuesday, 17 February 2015

Windows 10 means Microsoft 2.0

A little while ago, I was reading an article from Cliff Saran on Computer World titled Windows 10: Microsoft at the crossroads, which I consider required reading for those following the recent change of fortunes for Microsoft.

I think that Microsoft has suffered from an image problem for the past few years. I won't go into the details, but I think that Windows 8 was a really good example of a company that stopped listening properly to their existing and prospective customers.

I think that Microsoft has changed. And, more importantly, it is continuing to change.

Cliff's article details the different ways that Microsoft is handling both the release and the upkeep of the next version of the Windows operating system. As Forrester has noted, roughly 10% of users have migrated to Windows 8.x and even fewer enterprise customers have plans to move to Windows 8.x, so Microsoft needed to change its game.

And, I believe it has done so with Windows 10 in three major ways. 

Windows 10 will be a subscription model
First, Windows 10 will be a free upgrade for the first 12 months. After that we can assume that Microsoft will charge a monthly or yearly subscription. This is a fundamental change for Microsoft from a licensing perspective: a move away from monolithic upgrades to a newer version. Windows 10 will then operate on a subscription basis, just like Office 365, which for Office seemed to work pretty well. (Disclaimer: our company uses it, and things seem OK so far.)

Microsoft Universal Apps
Microsoft has released a really cool augmented visualization tool called HoloLens that solves some of the nasty VR issues (like being sick in front of your friends) and allows computer-generated graphics (think Skype video chats and your current Minecraft project) to be overlaid onto your living room or office space. Cool, but the key idea behind this technology is that Microsoft is creating a form of universal application that can be displayed on any medium, including desktops, tablets, phones and even the HoloLens. Think responsive websites, but taken to the next level for the whole Microsoft application ecosystem. You can read more about the Microsoft Universal Apps strategy here

Business as Usual Migrations and Updates
The third key component of the new Microsoft strategy is a managed approach to continuous cycles of innovation. Since you are now buying a subscription with Windows 10, Microsoft will need to keep adding features to ensure that you stay with Windows. Recognizing that enterprise customers will need a mixed or more flexible approach, Microsoft will support a "consumer paced" update cycle, a four month delayed cycle and a way for customers to opt out of certain features or all future updates. Gartner has a great diagram that illustrates the new Microsoft update process, as shown below.

With these core changes, I can now understand why Microsoft didn't call it Windows 9. In binary, the digits 1 and 0 represent the number 2.

As I see it, Windows 10 is really Microsoft 2.0

Monday, 9 February 2015

Microsoft Malware Protections in the Cloud - MAPS

When I first received my invite to join Google mail (Gmail) years ago, I was immediately surprised by what was missing: a global SPAM directory or registry. I thought to myself - this is the first time that someone knows what people are flagging as SPAM. Once you have a few (or maybe a few thousand) users complaining about a particular email (SPAM) from a particular sender (a SPAMMER) then you could be pretty sure that the email in question was SPAM. It was a crowd-sourced SPAM filter, updated dynamically by what are now millions of users every day. That omission was quickly corrected by Google, and now I have to say that their collective SPAM filter is very good, as is the more recent incarnation of Hotmail.

Which brings me to the next surprise. If Microsoft knows what people are using, and what kind of errors are occurring on the Windows desktop and server platforms, why doesn't Microsoft have the best crowd-sourced anti-malware and anti-virus system in the world? Who needs a monthly virus definition from Symantec (if you pay your money) when you should have daily, dynamic scans of your systems updated through the collective experience (wisdom) of hundreds of millions of other users?

Well, now you can. Sort of. You can now receive the benefit of other users' experience and dynamic updates through the Microsoft Active Protection Service (MAPS).

The Microsoft Active Protection Service is the cloud service that enables clients to report key telemetry events and suspicious malware queries to the cloud, while providing real-time blocking responses back to the client.
The MAPS service is available for all Microsoft's antivirus products and services, including:
  • Microsoft Forefront Endpoint Protection
  • Microsoft Security Essentials
  • System Center Endpoint Protection
  • Windows Defender on Windows 8 and later versions
You can join the MAPS program through the free Microsoft anti-virus/malware program using the Settings tab as shown here:
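For administrators who would rather audit and enforce MAPS enrollment from a script than click through the Settings tab on each machine, here is an added example (not from the original post or from Microsoft) that uses the built-in Windows Defender cmdlets. It assumes Windows 8.1 or later with the Defender PowerShell module present and an elevated session.

```powershell
# Added example: audit MAPS enrollment for Windows Defender and enable it if it is off.
# Assumes the Defender cmdlets (Get-MpPreference / Set-MpPreference / Get-MpComputerStatus)
# are available, which is the case on Windows 8.1 and later.
# MAPSReporting values: 0 = Disabled, 1 = Basic, 2 = Advanced.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

"Antivirus enabled:     $($status.AntivirusEnabled)"
"Signature version:     $($status.AntivirusSignatureVersion)"
"MAPS reporting level:  $($pref.MAPSReporting)"
"Sample submission:     $($pref.SubmitSamplesConsent)"

if ($pref.MAPSReporting -eq 0) {
    Write-Warning "This machine is not reporting to MAPS and will not receive real-time cloud block responses."
    # Enrol at the Basic level; changing this setting requires an administrator session.
    Set-MpPreference -MAPSReporting Basic
    "MAPS reporting level is now: $((Get-MpPreference).MAPSReporting)"
}
```

On a fleet behind a restrictive corporate firewall, enrolling the client is only half the job: the outbound connection to the MAPS service still has to be permitted, or the telemetry described above never leaves the network.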

To help manage your privacy concerns, Microsoft reports all data through an encrypted connection and apparently only relevant data is included in the analysis process. If you are an enterprise customer, your data is most likely blocked by your corporate firewall, and therefore your particular threat landscape won't be included in Microsoft's updates.

If you need to find out more about the related confidentiality agreement from Microsoft, you can look at the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details.

To give you an idea of how this malware telemetry is being put to use, you can see from the following chart that System Center Endpoint Protection is actually contributing roughly 10% of the malware signatures reviewed and included in Microsoft updates.

That means people like you and me are adding to the system, resulting in 10% fewer malware attacks and fewer security incidents.

You can read more about the Microsoft Cloud Protection effort here on the Microsoft Malware Protection home blog page.

Monday, 26 January 2015

Compatibility Challenges coming for Google Chrome

January is a big month for both Microsoft and Google with Microsoft doing a big reveal on Windows 10 and the Google Create conference kicking off in sunny Mountain View. 

A highlight of the Google conference included an update to the Google Web Kit (Project) which is used by Google's web based products such as Google Wallet and AdWords.

Google's Ray Cromwell talked about the project's future direction and how future releases are expected in the fourth quarter of this year. Unusually, one of the main topics was a break in backward compatibility for the Google Web Kit. This is an unusual move for this Google team, as backward application compatibility has been rigorously maintained through all previous versions since the project's inception back in 2006.

In his presentation on the planned updates to Google Web Kit, Ray Cromwell said:
“Now, because IE6, IE7, and IE8 are dead and there’s certain legacy things that we don’t want to support anymore because we need to target newer browsers and this new world of mobile, we want to deprecate these things,”
IE6, IE7 and IE8 are dead? Really?

I took the liberty of having a quick skim of some browser usage compilation sites and found that in fact IE8 is not dead, especially if you are using a desktop.
Browser Usage Pie Chart 2014

You can find these results here. In fact I have always been suspicious of these market share reports, in that they under-report IE browser usage.

Many organizations that are likely to use a browser like IE8 (or even worse, IE6) would sit behind a firewall that in some cases will strip usage tracking information from a particular user's traffic.

Maybe the imminent death of IE8 is just wishful thinking on the part of the Google team. 

Monday, 19 January 2015

Google's 90-Day Exposure Policy

Google and Microsoft Vulnerability Exposure and Disclosure

At the beginning of this month, I wrote a post about Google's new policy of researching vulnerabilities of other companies' technology and platforms, and then posting the details of the flaws and (more controversially) some sample exploit code.

Microsoft has responded with a blog posting from Chris Betz that called for better Coordinated Vulnerability Disclosure (CVD), where Chris comments that:
"Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment. It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp."
You can read more about Microsoft's disclosure approach (CVD) here.

I am still struggling with my views on this topic, as I feel that Google may have slightly over-played their hand here, by publishing sample code and releasing the information the day before a patch was to be released from Microsoft. Google says that 90 days is enough to sort out a bug and deliver a patch. Really? For whom? And, does Google have to support four desktop and server operating systems with over a billion users?

"Not my problem," says Google.
"Yeah, and not cool, either," I would say.

Chris Goettl, the Patch product manager from Landesk has this to say: 
"There was no public code examples or disclosure before Google announced this, and no known attacks were in the wild. In this case I think Google acted irresponsibly. In the increasingly more dangerous Cyber world we live in, companies like Microsoft and Google should be setting examples to follow. This example is not an example I would urge vendors to follow."

I agree.

And now Google has published another Windows flaw, and this one is even worse (more dangerous) than the first reported issue. This flaw may result in an information disclosure scenario where Windows does not check the user identity when performing cryptographic operations. You can read more about this flaw here.

To their credit, Microsoft has been working on this issue and had developed a patch, but at the last minute encountered some compatibility issues with the security update. The fix is now scheduled for the February Patch Tuesday update cycle.

Given that it takes some organizations between thirty and sixty days to fully deploy a patch to all their affected systems, it looks like Google's "90-day disclosure policy" is more like a "90-day exposure policy".