When MS published its Advance Notification for the first-ever “Update Tuesday” coming August 12, it listed 9 security bulletins therein. Of these 9, 6 affect modern Windows Desktops (Window 7, 8, and 8.1). Of the remaining 3, Bulletin 3 applies to MS Office (OneNote 2007 SP3 only), 4 to SQL Server (2008 & R2, 2012, and 2014), and 7 to MS Windows Server (2003, Server 2008 & R2, Sever 2012 & R2). SharePoint Server (2013 & SP1) is also subject to Bulletin 7, and Media Center TV Pack for Vista goes ditto for Bulletin 2. We’ll get more details tomorrow when the updates actually get released.
9 Security Bulletin Items for August: 2 Critical, involving IE versions 6-11 (Bulletin 1) and Windows graphics (Bulletin 2).
The big items in this mix include Bulletin 1, which applies to every modern version of Internet Explorer (6 through 11), is rated Critical (Remote Code Execution), requires a restart, and is getting some play on various rumor and security sites (most notably, Qualys), all of which admonish admins to apply to particular fix sooner rather than later because it allows malicious Web pages to engineer system takeovers. Ditto for Bulletin 2, which permits remote code execution by exploiting bugs in the graphics execution pipeline (and explains why the little-used Media Center TV pack for Vista falls within its purview), and is also rated Critical (Remote Code Execution).
The remaining bulletins (3-9) are rated Important (four of those 6 present “Elevation of “Privilege” vulnerability impacts, and the other two present “Security Feature Bypass”). Of the 9 bulletins, 4 absolutely require a restart, and the remainder are all labeled “May require restart,” so it looks like post-applications restarts are a virtual certainty. Other updates to be part of the August 12 release — at least according to WinBeta.org — include touchpad improvements designed to increase tracking precision, support for the Wi-Fi Alliance’s Miracast Receive technology (which supports wireless connections between playback devices and TV screens, projectors, and so forth), and various “other minor fixes” still TBD.
EMET is Microsoft’s Enhanced Mitigation Experience Toolkit, a free security software add-in designed to detect and counter zero-day attacks on Windows systems. More specifically, the software can detect and foil “exploitation techniques that are commonly used to exploit memory corruption vulnerabilities…by diverting, terminating, blocking and invalidating … the most common activities and techniques adversaries might use in compromising a computer” (to quote somewhat out of order from the EMET page in Microsoft’s Security TechCenter). I’ve been covering (and using) EMET myself since the version 3.x days, and was running version 4.1 until 5.0 came along on July 31, 2014 (here’s a link to a description of EMET I wrote back in September 2012).
The banner from the EMET page enjoins readers to “deploy today” — good advice!
You can download EMET 5.0 from the MS Download Center, where you’ll also find more information about the software, run-time requirements, installation instructions, and more. Be sure to check it out, and at least give it a try on some test machines or in a hurry-up pilot. I think most admins will find it a valuable (and not terribly resource intensive) addition to their existing software security solutions.
Yesterday, MS Senior MarComm Manager Brandon LeBlanc posted some interesting info about the upcoming updates to Windows 8.1 and Windows Server 2012 R2 scheduled for August 12 (next week) over on Blogging Windows. In a post entitled “August updates for Windows 8.1 and Windows Server 2012 R2” he revealed a new approach to making functionality and UI changes to the latest Windows versions — namely, exchanging the practice of “waiting for months and bundling together a bunch of improvements into a larger update” (a la Service Packs for older Windows versions, or Windows 8.1 Update 1 released in April 2014) for a practice of “us[ing] our already existing monthly update process to deliver more frequent improvements along with the security updates normally provided as part of ‘Update Tuesday.’ …despite rumors and speculation, we are not planning to deliver a Windows 8.1 ‘Update 2′” [emphasis mine, because I plan to write further about both bolded elements in the paragraphs that follow].
Lots of interesting tidbits about future Windows updates in this recent Blogging Windows post.
Here’s what’s interesting to me about this post, to my way of observing and thinking:
- Looks like there’s a change of terminology regarding the regular “second Tuesday of the month” for pushing Microsoft updates: the traditional term for this until now has been “Patch Tuesday,” but now it looks like MS is seeking to use the more all-embracing term “Update Tuesday” instead.
- Also looks like functionality and UI updates will start flowing out on a more-or-less constant basis henceforth. This helps to get those changes into user’s hands faster, to be sure, but I can see it creating headaches on several fronts: it means constant compatibility testing for enterprises that seek to avoid being (unpleasantly) surprised by changes of any kind, and it also means that documenting, teaching, and testing individuals who work with the Windows UI and its tools and utilities (I’m thinking certifications here as well as books, how-tos, help files, and more) gets even more tricky than it already is.
- If indeed there is some bundling of functionality updates emerging next Tuesday, to reflect changes and additions since April 2014, MS is choosing not to acknowledge this, and is opting instead to simply identify it as one of an upcoming and regular series of such changes and additions to Windows going forward on an as-they-come basis from now on.
All in all, it looks like we’re moving to a constant update cadence for Windows now, for good and/or for ill. This should be an interesting situation to watch, learn from, and get used to. I’m sure nobody understands all the implications just yet, but we’ll be figuring it out as it moves along in the months and years ahead. Get ready!
IT pros who need to upgrade end users with the latest version of Windows 8.1 have a few days left to install Windows 8.1 Update before August 12.
Microsoft next week will update Windows 8.1 again with some minor improvements as part of its monthly Patch Tuesday upgrade release.
The new update will include enhancements such as providing the touchpad with three new end user settings, the ability to leave the touchpad on when a mouse is connected and enable right clicks on the touchpad. The update will also enable end users to double tap and drag content using the touchpad.
The company will also update Miracast to enable a Windows 8.1 computer to become a Miracast receiver. Miracast is a wireless technology that enables a PC to project the contents of the screen to a TV, projector or streaming media player.
Other improvements include reducing the number of login prompts for SharePoint Online.
For IT pros who intend to update their systems, they must complete the Windows 8.1 Update by August 12. In April, Microsoft granted IT pros a reprieve due to a bug in the original Windows 8.1 Update.
The company said it will deliver the Windows 8.1 update automatically through the existing Windows Update and through the Windows Server Update Services channels. Enterprise IT pros can update their Windows 8.1 computers and tablets on August 12.
Microsoft continues its fight to gain market share for the Windows 8 operating system but it remains a slow proposition Windows 8 and 8.1 hold only 12.4% of the operating system market, according to Net Market Share’s July desktop operating system survey. Windows 7 market share continues to rise and is now 51.2% market share, significantly more than Windows 8 and 8.1 Windows XP, which has slowly declined as organizations invest in new PCs and upgrade the ancient operating system is now at 24.8%. Mac OSX 10.9 is 4.1% while the remainder is 7.5%.
Over the weekend, a new version of the PowerShell App Deployment Toolkit appeared online at CodePlex. Labeled Version 3.1.5, this latest iteration to a substantial collection of PowerShell scripts designed to help sysadmins deploy Windows applications in an enterprise setting includes numerous useful facilities worth investigating. These scripts integrate nicely with System Center, but can also function independently (or with other .NET-based management consoles and suites). And best of all, they’re free (Open Source, actually) for commercial use. Here’s the page header info from the project’s home page at CodePlex:
This latest update at CodePlex is worth checking out, and should be helpful for most sysadmins charged with application deployment on Windows networks.
New features in this latest update include a handy “Send-Keys” function that permits PowerShell scripts to send keystroke sequences to an application Window to help automate in-app post-install configuration and customization, and several improvements to the “Execute-Process” script designed to implement recently promulgated MS best practice recommendations. Numerous bug fixes are also included as indicated on the afore-linked project home page as well. The project includes a reasonably detailed 61-page MS-Word file that serves as a user manual, and also presents a handful of readable and informative “Example Projects” that explore deployment of Adobe Reader in a variety of runtime situations (including SCCM 2007 and 2012, as well as standalone PowerShell-only).
Worth checking out!
With the upcoming release of Windows 8.1 Update 2 reportedly immanent, expected to fall on Patch Tuesday in August (8/12/2014), there’s certainly been a lot of fuss and bother lately about what’s coming (or not) for upcoming Windows releases including that particular one. With a variety of Russian and Chinese leakers posting sometimes irreconcilable (or incorrect) suppositions, separating the fruit from the nuts can sometimes be challenging. That’s why I was relieved and delighted to find a rumor roundup story from Windowsmaster Woody Leonhard over at Infoworld entitled “What we know about the next versions of Windows” to lay things out in workmanlike fashion.
1. Windows 8.1 Update 2
Woody confirms that what we know about the upcoming update — scheduled less than a week from today — is best summarized as “not much.” Nobody’s leaked credible details or particulars, and most rumors have agreed that there won’t be much new visible functionality making it onto the scene with that update. Russian-speaking readers may be pleased to learn that Windows 8.1 Update 2 is highly likely to include support for the Ruble currency character, which isn’t even available as a Unicode character at this point in time to my great surprise and astonishment.
A character layout map for the rouble symbol, probably headed for Unicode representation no later than year’s end.
2. Windows 8.1 Update 3?
Woody has some interesting things to say about a possible Windows 8.1 Update 3, which is represented as a “fallback patch in case work on the next big version of Windows falls behind.” In such an event, it would probably include the recently promised and much-ballyhooed return of the Start Window, along with “Modern UI app in a desktop window” (a la Stardock ModernMix), both of which MS has promised to deliver in some form or fashion sometime sooner or later (this is where things get muddier still, in case you hadn’t noticed).
3. Threshold versus Windows 9 versus Plan 9 from Outer Space…
The second page of Woody’s roundup is where things get really wonky, bizarre, and interesting. My favorite sentence: “Perhaps there are updates and there are Updates, if you know what I mean” (capitalization his, and worth noting). He notes that the next big version may not even be called Windows 9, however popular that terminology may be outside Microsoft right now. He also notes that the number of versions — which he labels as Metro, desktop, consumer, and corporate — isn’t completely clear, and then tosses in the OEM version Windows 365 which is currently tied to Bing but upgradeable online. How many versions does this mean? Nobody knows right now.
He also points out that a Brandon Paddock tweet via @BrandonLive on 6/27 equates the next update (3, not 2) of Windows 8.1 with Threshold, and that Chinese leaker Faikee opined in a Neowin discussion on July 16 that it’s really a “Plan B” (or “Plan 9″ if you prefer) in case the next major release of Windows gets delayed (which puts it in the same hopper as other rumors already reported under the Windows 8.1 Update 3 heading). From there, Woody goes on to point out some inconsistencies he spotted in various purported screenshots of leaked future Windows versions to emphasize the indisputable fact that nobody seems to have a definitive handle on future Windows versions right now. His summary of circumstances is both apt and a little scary: “There are no legitimate leaked screenshots of any future version of Windows, no leaked builds. We have unattributed reports of planned features, many of which contradict each other.”
If there’s one limited ray of sunshine amidst this morass of muddy madness, I would guess that the situation demonstrates the apparent success of Microsoft’s attempts to shut down leaks, and to make things more difficult for would-be leakers. Though we know less now than is typical for this stage in various Windows development cycles, maybe that’s a good thing? Woody demurs, and closes his article with “It’s almost like living under the Sinofsky lock-down, all over again. We need a Myerson glasnost.” I’d settle for a clearer sense of future plans, features, and directions.
The Bromium Labs Research Brief entitled “Endpoint Exploitation Trends H1 2014” released on July 22 shows Microsoft’s Internet Explorer in the lead for a crown it probably doesn’t want — namely, “the historic high number of security patches in over a decade” (press release). Here’s a graph snipped from that documents that counts publicly reported vulnerabilities for a number of browsers and popular related tools and technologies (2013 in light blue; 2014 in salmon).
MSIE overtakes Firefox, Chrome and Java (ahead in 2013) to take the lead for reported vulnerabilities in the first half of 2014.
[Report: Pg3; data originates from the US NIST National Vulnerability Database, aka NVD]
The report states further: “The notable aspect for this year thus far in 2014 is that Internet Explorer was the most patched and also one of the most exploited products, surpassing Oracle Java, Adobe Flash, and others in the fray. Bromium Labs believes that the browser will likely continue to be the sweet spot for attackers” (page 3). Furthermore, Bromium’s analysis shows that attackers have been able to bypass Microsoft’s Address Space Layout Randomization (ASLR) technology using a technique called Action Script Spray to dynamically create return-oriented programming (ROP) chains, and reports that two such exploits have already been identified in 2014. Likewise, data execution prevention (DEP) blocks seem less effective than initial descriptions (and tests) of the technology promised.
One potentially positive trend documented in the report is a shortened time frame between the day an exploit is reported to the day a patch becomes available. A figure on page 4 of the report shows that lag times (in days) have decreased dramatically for IE9 (over 90 days), to IE10 (over 10 days), to IE11 (under 5 days). But on page 7 of the report, Bromium muddies the waters a bit with this remark: “Web browser release cycles are compressing and the interval between the general availability of a new release and the appearance of the first security patches has been decreasing recently. This may represent greater efforts on the part of software manufacturers to secure their products, or it may represent products being released to market with less security testing than earlier versions received.” To buttress the second possibility, Bromium’s researchers point to the increasing popularity of “use-after-free” vulnerabilities in zero-day exploits — a point worth learning more about, and pondering carefully (see this Mitre CWE definition for more info).
What does this portend for Windows system and security administrators? Alas, it means the common perception that IE remains a source of security vulnerability remains as true (or truer) today than it has been in the past, and that erecting defense in depth around (or avoiding or banning) its use is a top priority. And I thought newer generations of IE were supposed to be more secure than older ones? Go figure!
A recent post over on Paul Thurrott’s SuperSite for Windows just reminded me about an essential item in any Windows admin’s repair and recovery toolkit — namely a USB 3.0 to SATA adapter or drive caddy of some kind. The “drive end” (SATA) represents the most common form of SDD and hard disk coupling in use on Windows machines nowadays, while a USB 3.0 port is available on most modern machines and combines high rates of speed for data transfers (the theoretical limit of 5 or 6 Gbps is seldom approached, but USB 3.0 is generally an order of magnitude faster than USB 2.0 or 2.1 in everyday use). Thurrott’s post is entitled “Tools of the Trade: USB 3.0 to SATA Adapter” and features an Anker device available from Newegg for $21.99, depicted here:
The secret to this choice of device, which is eminently suitable for traveling/field use, is that it accommodates an external power supply. That’s because while it is possible to buy USB to SATA adapters that either feature one or two USB connectors (the second one is used to boost power levels, as a single USB Port can deliver only 2.5 to 5.0 Watts), you can only use such devices to attach lower-power SATA drives via USB. In practice, this means 2.5″ notebook drives such as SSDs, SSHDs, or conventional hard disks. Even then, higher-capacity 2.5″ HDs (1 TB and above) might still demand too much power to be served by such an inexpensive and light-duty adapter (here’s a $12.55 part from Newegg that illustrates this kind of thing).
For shop or depot use, I’d recommend something I’ve written about before — namely, a one or two SATA connector-equipped drive caddy (see the 4/19/2013 post here entitled “MyFaves: HDD Docking Station” for more details). These devices are bigger and less portable, but also offer a more substantial tool for mounting either 2.5 or 3.5″ SATA drives of all kinds and sizes (I’ve got a 3.0 TB Toshiba drive mounted in my $58 Thermaltake BlackX Duet that I use for backups and my enormous collection of music files). A dual drive unit like this one also offers an easy way to mount two drives, so that you can image one drive directly to another (or use a tool like Paragon Software’s Migrate OS to SSD 4.0, to transfer a UEFI boot disk image from a source to a target disk without losing boot capability in the bargain).
Whether you go for the portable Anker device that Thurrott recommends, or an equivalent like the FiveStar SATA IDE Adapter ($21 at Newegg), or even the more substantial drive caddies best suited for shop or depot use, if you work regularly with imaging, building, recovering, or repairing Windows disks, you’ll find such devices invaluable elements in a well-stocked Windows PC toolkit. Highly recommended.
By Diana Hwang
That’s saying a lot since Microsoft has always had been likened to the Evil Empire and whomever was at the helm was Darth Vader.
No, Nadella is not short, green and wrinkled with big ears (far from it), but he is the intelligent yet humble public and behind-the-scenes persona that gets Microsofties to focus on the company’s big picture strategy just as Yoda guided Luke and the rebels throughout the Star Wars series. (Just for the record, I’m a fan of the old Star Wars – Episodes IV, V, and VI).
Nadella has led the $86.8 billion company for six months now, and he’s focused on a few key messages: mobility, cloud, productivity, and melding digital life and work experiences.
What does it all mean? Everything Microsoft does is about helping people be more productive and getting things done.
But here’s an interesting tidbit that came up during Microsoft’s fourth quarter and fiscal year 2014 earnings call this week: Nadella confirmed Microsoft will consolidate multiple Windows operating system into one version.
“We will streamline the next version of Windows from three operating systems into one, single converged operating system for screens of all sizes,” Nadella said during the call.
It’s about time. There is absolutely no need to have separate OSes for PCs, tablets and smartphones. Why? Because technology like CPUs and screens have improved so much that devices are much more mobile friendly. They can handle the full Windows workloads while offering workers a full day of battery life
As a result, the streamlined Windows OS built on a single core could generate other beneficial results like developers being more motivated to create more relevant business apps for the Windows Store.
The converged Windows also furthers along Microsoft’s universal apps vision. Developers won’t need to spend more time building separate Windows PCs, tablets and Windows Phone apps. This is especially important as Windows Phone and Windows tablets have a miniscule market share compared to Apple iOS and Google Android devices.
If developers can create one Windows app that works across a PC, tablet or smartphone and simply optimize it for the screen, it becomes a decent value proposition. It’s the next step for continuing this vision of the universal app Microsoft unveiled at Build 2014 this past spring. Developers can now view the world of Windows devices not in a segmented fashion but as a whole.
“We will unify our stores, commerce and developer platforms to drive more coherent user experiences and a broader developer opportunity,” Nadella said on the financial call. He promised the next wave of Windows enhancements in the coming months.
With Microsoft simplifying its engineering teams and refining its vision, the industry will closely watch how well it can execute its strategy.
The numbers don’t lie
No matter how promising the strategy, it all comes down to the bottom line.
For the fourth quarter 2014, Microsoft posted revenue of $23.38 billion and net income of $4.6 billion. For its fiscal year 2014 ended June 30, Microsoft posted revenue of $86. 8 billion and net income of $22 billion.
Microsoft attributed much of its growth to cloud services such as Office 365 and Azure. The commercial cloud annual revenue run rate doubled and hit $4.4 billion. Microsoft said it added over 1 million subscribers to Office 365, bringing the number to 5.6 million users.
But Microsoft also took a $700 million operating expense hit from the acquisition of Nokia. Just last week, Microsoft laid off 18,000 workers, of which 70% of those impacted occurred in the Nokia Devices and Services division.
The company created a new phone hardware segment to account for revenue from its smartphone business. It contributed $1.99 billion in revenue this quarter to Microsoft’s bottom line, driven by sales of its Lumia 500 and 600 series smartphones.
Microsoft will continue to compete with its OEMs to create new devices like Surface and as Nadella says, the company will “responsibly make the market for Windows Phone.”
“However, we’re not in hardware for hardware’s sake, and the first-party device portfolio will be aligned to our strategic direction as a productivity and platform company,” Nadella said.
It remains to be seen how successful Microsoft will be. Just like Star Wars Episode VII is expected to be released in 2015 with the old cast of characters returning but with some new twists. Microsoft too is coming back to its original successful productivity roots but with some new twists as well.
May the Force be with you.
It looks like there’s been a bit of misplaced hullaballoo in the wake of yesterday’s 7/22/2014 Microsoft earnings call for Q4, during which CEO Satya Nadella is quoted as saying: “We will streamline the next version of Windows from three operating systems into one single converged operating system for screens of all sizes” (source Mary Jo Foley, All About Microsoft, ZDNet). Though this sounds very much like one OS image for all possible variants, including phones, tablets, PCs, and game consoles, that’s not exactly how things should play out, according to many sources (including MJF’s aforelinked article on this subject).
Globzer’s “hypothetical” wallpaper for Windows 9 aka Threshold, where the One Windows strategy should find more tangible expression from MS.
Here’s a more reasonable interpretation of what’s going on with Windows and what Nadella sought to say:
1. One development team for Windows versions/variants — namely the Unified Operating System Group led by Terry Myerson.
2. One single, common Windows “core” — also called the NT Core, this common collection of code applies to Windows Phone, Windows 8, Windows RT, and Windows Server. According to MJF “…each OS builds on top of this core using different pieces that make sense for the form factor/hardware…” in use.
3. One unified Windows Store — By combining the Windows Phone Store and Windows Store, MS is working toward a single store for all of its platforms, where it’s likely that Windows 9 (aka “Threshold”) may be where the initial results of such efforts go on display.
4. One single unified Development effort — Perhaps best understood as “code once for all Windows platforms” this effort captures MS’s ongoing work to consolidate a core set of APIs to enable applications to run on Windows Phone, Windows (desktop and server), and the Xbox. MS’s initial efforts enable developers to reuse some code as they write what MS calls “Universal Windows apps,” but there’s still substantial work to be done in this area.
It’s tempting to try to translate this into a single installable Windows version that somehow enacts a “one image fits all platforms” approach. Ain’t gonna happen! As MJF points out, Nadella steered emphatically clear of any such promise when he said “Our SKU strategy will remain by segment. We will have multiple SKUs for enterprise, we will have for OEM, we will have for end-users… We will be disclosing and talking about our SKUs as we get further along.” ‘Nuff said!