Monday 18 May 2015

New posting on Computerworld: Critical Updates to Office and IE

With this May Microsoft Update Tuesday, we see Microsoft delivering 13 security bulletins with three rated as critical and the remaining ten rated as important by Microsoft.

This May release from Microsoft see an update to Office (and its web components), Internet Explorer and some low level system components. Include the Internet Explorer and Office updates as part of your standard testing and deployment plan, however I would suggest waiting a little while before deploying MS15-044 as it updates two key system files; GDIPLUS.DLL and Win32K.sys.

I was hoping for a little respite from the ongoing onslaught of large patches from Microsoft, but with 13 patches to deploy this month, there is no let up in the continuing drum-beat of security patches and application updates.

Here is our monthly overview info-graphic on this month's Microsoft Patch Tuesday.



To find out more about this month’s updates and the potential impact on your application portfolio, head over to Qompat Spine

Or, you can have a read of my monthly posting at Computerworld found here

Monday 27 April 2015

IE rages into the night

We are seeing another major 'end of life' (EOL) scenario for a primary Windows component. This time it's Internet Explorer and it's not for the usual "gosh, it's over 10 years old" reason. Take the latest Windows operating system (hint: Windows 8.1 Update) and the latest production version of IE (this time IE 11) and look to January 16, 2016 and what do you get?

EOL! 

"What, but Windows 8.x and IE11 are only a few years old?" 

I thought that we had at least another five years of support and then maintenance after that. You could be forgiven for thinking this way as Microsoft has traditionally followed a multi-year release, production, and support model.  However, things are changing. Following on from Microsoft's IE support statement page found here, we will find that; 
"Beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates"
Microsoft generally allows for five year's Mainstream and then five year's Extended Support. So even though IE11 is a relatively young browser, you will need a plan to move this browser by next Christmas. Microsoft is helping though with two key technologies; Enterprise Mode and Site Discovery

Microsoft describes Enterprise Mode as;
"A compatibility mode that runs on Internet Explorer 11 on Windows 8.1 Update and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer."
The Microsoft Site Discovery toolkit includes a collection of free tools to facilitate the identification and metrics of internal site usage for enterprise customers.

And just last week, Microsoft has made a number of improvements to both technologies which can be found here. The updated Enterprise Mode now supports IE7 where;
"If you put a site in IE7 Enterprise Mode, it will automatically use Enterprise Mode with IE7 document mode if there’s a DOCTYPE in the markup, or fall back to IE5 document mode if there isn’t a DOCTYPE." 
In addition, Microsoft has renamed the original Enterprise Mode for IE to 'IE8 Enterprise Mode', to differentiate the new features. The new Site Discovery update for March found here allows for improved privacy and security settings. Microsoft has also updated several Group Policies for improved management as illustrated by the following diagram;

This reduced lifecycle is not due to something wrong with IE, rather it's part of the new update and maintenance strategy for Microsoft. I think that we will see IE12 or 'Spartan' follow the same fate as Windows 10. Microsoft will continue to deliver 'Features as a Service' (FaaS) with major version numbers fading into the background. IE12 and Windows 10 may be the last 'version' that Microsoft ever delivers. 



Tuesday 21 April 2015

MS15-034 - Patch now to resolve critical HTTP vulnerability

This month's Patch Tuesday posting included eleven updates with four rated as critical and the remaining seven as important by Microsoft. Each month, I am now posting my views on Microsoft's Patch Tuesday on the on-line ComputerWorld blog found here. The latest update titled, "Microsoft releases 11 critical updates and fixes critical HTTP flaw" provides a brief overview of each update and some recommended actions.

This month, the Microsoft update MS15-034 attempted to resolve a critical security vulnerability in Microsoft IIS web server. Though the updated only affected a single file, we are now seeing active exploits of this security vulnerability at Internet-wide scales.  The Internet Storm Centre has reported active attacks on their honey-pots, with the following comment on their related newsgroup page;

"Update: We are seeing active exploits hitting our honeypots from 78.186.123.180. We will be going to Infocon Yellow as these scans use the DoS version, not the "detection" version of the exploit. The scans appear to be "Internet wide"."

The ISC have also provided a quick test to see if you are vulnerable to this HTTP vulnerability that includes;


GET / HTTP/1.1
Host: MS15034
Range: bytes=0-18446744073709551615

If the server responds with "Requested Header Range Not Satisfiable", then you may be vulnerable.

I would recommend running this quick test, and then updating your servers as a priority with the Microsoft update MS15-034.

Thursday 16 April 2015

A revolutionary new way to resolve your app compatibility issues

How much time, money, and energy does it cost your company to resolve all the issues pertaining to compatibility, virtualisation suitability, and corporate standards? Wouldn't life be so much simpler if you could automate this process in a fraction of the time? And from wherever you are, even if you're not in the office? Even on a mobile device? And if your tech team were freed up from these annoying laborious issues, think about all the more constructive tasks they could be getting on with the improve your company's performance.

Well here at Qompat we have been developing an app that does all these things and more. Qompat Spine is a unique, cross-platform, cloud based app that assesses, remediates, and converts your applications in minutes.

Once you have signed up, you create a Project according to your individual requirements:

















Then you simply drag and drop your apps onto the Uploader:

















You will then see an executive summary that gives an overview of your app statuses:

















You may drill down further to inspect issues within these apps, and our filtering system allows you to autoselect or manually select whichever issues you want to fix:

















Reports are generated for you to view, export, and print:

















Notifications will give you a progress update, and alert you when your files are ready to download:

















If you would be interested in trying it out for yourself, feel free to email us, or visit our website for more information.

Wednesday 1 April 2015

To be IE, or not to be IE

Microsoft has released more information on their new web browser, currently code-named Spartan. You can read more about Spartan on the newly minted wikipedia page here

The new browser will be completely different from Microsoft IE, with a different rendering engine and a different code-base. 

The IE team provided a few different reasons for these changes:

  • Project Spartan was built for the next generation of the Web, taking the unique opportunity provided by Windows 10 to build a browser with a modern architecture and service model for Windows as a Service. This clean separation of legacy and new code will enable us to deliver on that promise. Our testing with Project Spartan has shown that it is on track to be highly compatible with the modern Web, which means the legacy engine isn’t needed for compatibility.
  • For Internet Explorer 11 on Windows 10 to be an effective solution for legacy scenarios and enterprise customers, it needs to behave consistently with Internet Explorer 11 on Windows 7 and Windows 8.1. Hosting our new engine in Internet Explorer 11 has compatibility implications that impact this promise and would have made the browser behave differently on Windows 10.
In addition to these changes, I think that there may be some customer confusion about which browser to use, and when. Enterprise customers may still need the legacy compatibility support for their internal enterprise systems while Spartan will be used for the "rest of the web". The web is a messy place, with compatibility issues of its own. I am not sure that a simple distinction of "if it's internal, use IE11 and if not, use Spartan" will work.

That said, Microsoft has updated Windows 10 at its fastest pace ever, and the new browser has been updated as well. Some key elements in the new browser include;

  • Cortana is built-in and ready to assist: Cortana in Project Spartan is a digital personal assistant that helps make Web browsing easier.
  • Inking and sharing so you can capture and communicate your thoughts: Now with new inking capabilities, Project Spartan enables you to write or type directly on the page, comment on what’s interesting or clip what you want – then easily share this “Web Note” via mail, or a social network. 
  • Distraction-free reading with Reading List and Reading View: Project Spartan helps with a new Reading List to collect everything you want to read, including the ability to save any webpage or PDF for convenient access later.
  • A new engine for the modern Web: Project Spartan’s new rendering engine is built around the idea that the Web “just works,” while being fast, more secure, and more reliable. 
However, if you are currently in the UK (like me) you will not be able to see all of these benefits, until worldwide distribution later this year. You can read more about this latest update to the Windows 10 Insider program here

This may all sound interesting from a simple technical perspective. However, if you have been watching my patch updates for a while (years?) and see how often IE is completely refreshed/updated each month, this may not be good news for you. Also, I think we have to ask the question, "Will anyone care?". There are already a number of very good, and fast evolving browsers out there. Microsoft is going to have work pretty hard to woo customers back to a new browser. 

Actually, it's kind of exciting to watch.

Wednesday 11 March 2015

Massive March Microsoft Update


It looks like we have a massive March Microsoft Update for this months Update Tuesday. With five updates rated as critical and the remaining nine rated as important by Microsoft.

I have posted my latest update on my Computer World column: Patch Tuesday Debugged. You can find the full story here:

Two of the critical updates were related to the Microsoft VBScript engine - using the core OS or Internet Explorer (IE) as attack vectors for malicious hackers that could lead to remote code execution scenarios.

In addition, we saw an update to the Windows kernel mode driver, which I have advised to test thoroughly an then maybe wait a little while as these kinds of updates have caused issues in the past. The final update MS15-031 addressed the industry wide FREAK issue with an update to the Windows SChannel component.


I will post another preview of Microsoft Patch Tuesday next month (April) so, please watch this space.

Tuesday 17 February 2015

Windows 10 means Microsoft 2.0

A little while ago, I was reading an article from Cliff Saran on Computer World titled Windows 10: Microsoft at the crossroads which I consider some required reading for those following the recent change of fortunes for Microsoft. 

I think that Microsoft has suffered from an image problem for the past few years. I won't go into the details, but I think that Windows 8 was a really good example of a company that stopped listening properly to their existing and prospective customers.

I think that has Microsoft has changed. And, more importantly it continuing to change.

Cliff's article details the different ways that Microsoft is handling both the release and the upkeep of their next version of the Windows operating system. As Forrester has noted that roughly 10% of users have migrated to Windows 8.x and even fewer enterprise customers have plans to move to Windows 8.x, Microsoft needed to change it's game. 

And, I believe it has done so with Windows 10 in three major ways. 

Windows 10 will be a subscription model
First, Windows 10 will be a free upgrade for the first 12-months. After that we can assume that Microsoft will charge a monthly or yearly subscription. This is fundamental change for Microsoft from a license perspective with a move away from monolithic upgrades to a newer version. Windows 10 will then operate on a subscription basis - just like Office 365. Which for Office, seemed to work pretty well. (Disclaimer: our company uses it, and things seem OK so far.) 

Microsoft Universal Apps
Microsoft has released a really cool augmented visualization tool called HoloLens that solves some the nasty VR issues (like being sick in front of your friends) and allows computer generated graphics (think Skype video-chats and your current MineCraft project) to be over -layed onto your living room or office space. Cool, but the key ideas behind this technology is that Microsoft is creating a form of universal applications that can be displayed on any medium including; desktops, tablets, phones and even the HoloLens. Think responsive websites but taken to the next level for all of the Microsoft application eco-system. You can read more about Microsoft Universal Apps strategy here

Business as Usual Migrations and Updates
The third key component of the new Microsoft strategy is a managed approach to continuous cycles of innovation. Since you are now buying a subscription with Windows 10, Microsoft will need to keep adding features to ensure that you stay with Windows. Recognizing that enterprise customers will need a mixed or more flexible approach, Microsoft will support a "consumer paced" update cycle, a four month delayed cycle and a way for customers to opt-out of certain features or all future updates. Gartner has a great diagram that illustrates the the new Microsoft update process as shown below;



With these core changes, I can now understand why Microsoft didn't call it Windows 9. In binary, 1 and 0 means the number 2. 

As I see it, Windows 10 is really Microsoft 2.0


Monday 9 February 2015

Microsoft Malware Protections in the Cloud - MAPS

When I first received my invite to join Google mail (Gmail) years ago, I was immediately surprised by what was missing: a global SPAM directory or registry. I thought to myself - this is the first time that someone knows what people are flagging as SPAM. Once you have a few (or maybe a few thousand) users complaining about a particular email (SPAM) from a particular sender (a SPAMMER) then you could be pretty sure that the email in question was SPAM. It was a crowd-sourced SPAM filter - updated dynamically by now millions of users every day. That omission was quickly corrected by Google, and now I have to say that their collective SPAM filter is very good. As is the more recent incarnation of Hotmail, Outlook.com

Which brings me to the next surprise. If Microsoft knows what people are using, and what kind of errors are occurring on the Windows desktop and server platforms, why doesn't Microsoft have the best crowd-sourced anti-malware and anti-virus system in the world? Who needs a monthly virus definition from Symantec (if you pay your money) when you should have daily, dynamic scans of your systems updated through the collective experience (wisdom) of hundreds of millions of other users?

Well, now you can. Sort of. You can now receive the benefit of other users' experience and dynamic updates through the Microsoft Active Protection Service (MAPS).

The Microsoft Active Protection Service is the cloud service that enables: Clients to report key telemetry events and suspicious malware queries to the cloud, whilst providing real-time blocking responses back to the client.
The MAPS service is available for all Microsoft's antivirus products and services, including:
  • Microsoft Forefront Endpoint Protection
  • Microsoft Security Essentials
  • System Center Endpoint Protection
  • Windows Defender on Windows 8 and later versions
You can join the MAPS program through the free Microsoft anti-virus/malware program using the Settings tab as shown here:

To help manage your privacy concerns, Microsoft reports all data through an encrypted connection and apparently only relevant data is included in the analysis process. If you are an enterprise customer, your data is most likely blocked by your corporate firewall, and therefore your particular threat landscape won't be included in Microsoft's updates.

If you need to find out more about the related confidentiality agreement from Microsoft you can look at the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details

To give you an idea of how this malware telemetry is being exploited, you can see from the following chart that System Center Endpoint Protection is actually contributing roughly 10% of the malware signatures reviewed and included in Microsoft updates. 

That means people like you and I adding to the system - resulting in 10% fewer malware attacks and fewer security incidents.

You can read more about the Microsoft Cloud Protection effort here on the Microsoft Malware Protection home blog page.




Monday 26 January 2015

Compatibility Challenges coming for Google Chrome

January is a big month for both Microsoft and Google with Microsoft doing a big reveal on Windows 10 and the Google Create conference kicking off in sunny Mountain View. 

A highlight of the Google conference included an update to the Google Web Kit (Project) which is used by Google's web based products such as Google Wallet and AdWords.

Google's Ray Cromwell talked about the project's future direction and how future releases expected in the fourth quarter this year. Unusually one of the main topics was a break in backward compatibility for the Google Web kit. This is an unusual move for this Google team, as backward application compatibility was rigorously maintained through all previous versions since the project's inception back in 2006.

In his presentation on the planned updates to Google Web Kit, Chris Cromwell said;
“Now, because IE6, IE7, and IE8 are dead and there’s certain legacy things that we don’t want to support anymore because we need to target newer browsers and this new world of mobile, we want to deprecate these things,”
IE6, IE7 and IE8 are dead? Really?

I took the liberty of having a quick skim on some browser usage compilation sites and found that in fact IE8 is not dead. Especially if you are using a desktop.
Browser Usage Pie Chart 2014


You can find these results here. In fact I have always been suspicious of these market share reports, in that they under-report IE browser usage.

Many organizations that are likely to user a browser like IE8 (or even worse IE6) would lie behind a firewall that in some cases will remove usage tracker information from a particular user. 



Maybe the imminent death of IE8 is just wishful thinking on the part of the Google team. 

Monday 19 January 2015

Google's 90-Day Exposure Policy

Google and Microsoft Vulnerability Exposure and Disclosure

At the beginning of this month, I wrote a post about Google's new policy of researching vulnerabilities of other companies' technology and platforms, and then posting the details of the flaws and (more controversially) some sample exploit code.

Microsoft has responded with a blog posting from Chris Betz that called for better Coordinated Vulnerability Disclosure (CVD) where Chris comments that;
"Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment. It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp."
You can read more about Microsoft's disclosure approach (CVD) here

I am still struggling with my views on this topic, as I feel that Google may have slightly over-played their hand here, by publishing sample code and releasing the information the day before a patch was to be released from Microsoft. Google says that 90 days is enough to sort out a bug and deliver a patch. Really? For who? And, does Google have to support four desktop and server operating systems with over a billion users?

"Not my problem" says Google. 
Yeah, and not cool, either" I would say.

Chris Goettl, the Patch product manager from Landesk has this to say: 
"There was no public code examples or disclosure before Google announced this, and no known attacks were in the wild.  In this case I think Google acted irresponsibly. In the increasingly more dangerous Cyber world we live in, companies like Microsoft and Google should be setting examples to follow. This example is not an example I would urge vendors to follow."

I agree.

And now Google has published another Windows flaw, and this one is even worse (more dangerous) than the first reported issue. This flaw may result in an information disclosure scenario where Windows does not check the user identity when performing cryptographic operations. You can read more about this flaw here.

To their credit, Microsoft has been working on this issue, had developed a patch, but at the last minute encountered some compatibility issues with the security update. The fix is now scheduled for the February Patch Tuesday update cycle. 

Given that it takes some organizations between thirty and sixty days to fully deploy a patch to all their affected system, it looks like Google's "90-day disclosure policy" is  more like a "90-day exposure policy".







Thursday 15 January 2015

January Patch Tuesday ComputerWorld Posting

I have posted my latest update on my Computer World column: Patch Tuesday Debugged.

January was a pretty light update, with a single critical update and seven patches rated as Important. Most of the patches looked like pretty low-impact for most systems.
However, you may want wait a little while before deploying the kernel driver update.

You can find the full story here:

I will post another preview of Microsoft Patch Tuesday next month (Feburary) so, please watch this space.

Tuesday 13 January 2015

Microsoft Changes is Patch Communication Strategy

As I have mentioned in this blog before, Microsoft is changing how it views and communicates with the world. And, given the recent challenges in communicating Patches with its Patch Tuesday release cycle (Microsoft holds back two security bulletins), it appears that Microsoft has decided how it communicates what patches are going to be released through the (now defunct) Advance Notification Strategy (ANS).

The ANS was a Patch Tuesday preview that was published initially one week in advance of the actual security update and patch release process. The ANS contained a basic list of the number of patches and what platforms would be affected by the updates. Recently (the past four months), this preview period was shortened to four days as the ANS was published on a Friday, rather than a week prior Tuesday.  I found this a useful service, but apparently the feedback that Microsoft received indicated otherwise as you can see with Chris Betz's latest blog posting;

"We are making changes to how we distribute ANS to customers. Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page."

Yes, this means no more Advance Notification Service. Actually, premier customers can still access this service and Microsoft has created a new web-based dashboard service for a customized patch view called myBulletins. In addition, the Microsoft Deployment Priority matrix has been discontinued and the Exploitability Index has been upgraded to include more threat scenarios.

I found the Advance Notification Service really helpful as it allowed me to plan the week. Finding out if you had to deal with four or fourteen patches a few days in advance is helpful - but, maybe it was a real pain for Microsoft. I have already had a bit of play with the myBulletin service and have found it .... well, pretty incomprehensible. As I have to cover most Microsoft products (like all my peers) the dash board listed forty-five pages worth of information. Hmmm...

I will see how this Patch Tuesday goes and report back...

Thursday 8 January 2015

Microsoft sweeps away IE for a clean Spartan look

For those who have followed the trials of tribulations of Internet Explorer (IE) over the past few years you may not be surprised to hear that Microsoft may now end the IE lineage with the release of a new browser currently called "Spartan". IE is dead, long live IE. 

Microsoft IE has a lot of history and some will say a lot of "baggage" with repeated security issues, compatibility and standards compliance issues cropping up over the years. I think some of these negative views are little unjustified as the security landscape has changed rapidly and dramatically over the past years. Microsoft has also made great strides in both rendering and JavaScript standards compliance. In fact, the Microsoft you see today, the one that embraces standards, open software and even other OS platforms (apparently Microsoft loves Linux) is very different from the striving, slightly isolationist monolith that it was (or was represented as by the press) even a few years ago.

Today, Microsoft is really different. And, maybe now is time for a change. Time for a new browser

The new browser codenamed "Spartan" will probably run along side IE11 (my educated guess) with the release of Windows 10. And there probably will be a parallel development and support path for both browser options for a while.  Microsoft has to support IE10 (and potentially IE11?) for a while, but not as long as you might think.

Generally, Microsoft will offer 5-6 years of mainstream support for its products. For example, Windows 8 was released on 10/30/2012 and mainstream support will end on 1/9/2018.

If you check the Microsoft Support Lifecycle Support page (found here) for IE you will find something very different from any other product or platform;
"Beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates."

This is a big change, from previous support narratives, but given the nature of the security landscape and the rapid pace of change of Internet standards, an understandable stance to take.  Given that we are now in 2015, and Windows 10 is currently scheduled for release in late 2015, Microsoft's venerable browser may disappear quicker than you think.

Monday 5 January 2015

Google lights the fuse on a Microsoft time-bomb

As the first post of the year, I wonder if this entry will set the tone for 2015. That is, one company publishing another company's security vulnerabilities before they can be fixed - potentially exposing us users.


Google, through it Project Zero program has published a Windows 8.1 vulnerability that allows certain users to gain administrative privileges through an elevation of privileges attack.  Google has a 90-day embargo policy where if it discovers a bug, it will notify the affected vendor and give them 90 days to respond (i.e. fix the bug or close the security hole).  If the company (in this case Microsoft) does not respond in time, then Google will publish the vulnerability with a sample exploitation. 

Reading from the code example given on Google's development site, you can follow these steps yourself;
  1. Put the AppCompatCache.exe and Testdll.dll on disk
  2. Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables). 
  3. Execute AppCompatCache from the command prompt with the command line "AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll". 
  4. If successful then the calculator should appear running as an administrator. If it doesn't work first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run. 
There are a number of opinions about this kind approach to security. Google has the following to say about this;
"On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security — it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face..."
To be fair, Google is not just researching vulnerabilities in Microsoft products, it is targeting Apple as well. However, what Google has done here, is to set a time-bomb. Once the vulnerability has been published by Google, then the bug will automatically be released 90-days after. Regardless of the impact or the effort from the affected vendor. If the issue is fixed, fine. If not, then you can add this to your list of worries.

However, as a user who is now more exposed and potentially compromised by this security issue, I feel a little less comfortable with this approach. In this case, it's not what Microsoft didn't do, its what Google has done.

You can read the specifics about this issue here