Next Tuesday’s 17 security bulletins will address 64 known vulnerabilities across all current Windows versions plus MS Office, Internet Explorer, Visual Studio, the .NET Framework, and GDI+ (current version of the graphics device interface code for C/C++ that handles basic 2-D graphics on-screen). Nine of those 17 bulletins are rated as “critical,” which is Microsoft’s most dire security label for updates.
Check out this partial screencap from the Microsoft Security Bulletin Advance Notification for April 2011, just released yesterday (4/7/2011).
As is usual for advance notifications, the details are not yet exactly clear, nor will they be clarified until Patch Tuesday arrives and the actual April 12 Security Bulletin is released. It seems pretty clear that IT admins should prepare some lab time, so they can start assessing the impact of rollouts on their production environments. With nine critical updates in this mix, it’s a sure bet that some or all of those items will be on their “must-handle” lists at around 11 AM PDT Tuesday, when MS traditionally releases its bulletin and pushes the updates into the Windows Update environment.
Every now and then, MS offers major discounts to the academic population to stimulate interest in and uptake of their products. Apparently, now is one of those times. By visiting the Microsoft for Students page, individuals currently registered at an accredited college or university can request and obtain an e-mail from MS with further instructions to take advantage of this offer (a 54% discount or thereabouts). Also available, Microsoft Office Professional Academic 2010 ($79.95) and the Microsoft Office Language Pack ($9.95). If you’ve got a student in the family, or happen to be a student yourself, this is a pretty good deal: one worth taking up, if you’re eligible.
Analysts attribute a possible speed-up in the release schedule for Windows 8, now widely speculated (for example, see CNNMoney.com’s 4/4/2011 story “Brace yourself: Windows 8 is coming soon”), to Microsoft’s desire to cash in on the tablet/touchscreen device boom underway in the computing and telecomm industries. The cause for the raft of Windows 8 rumors now swirling around in cyberspace is a series of screenshots taken from a private beta test release of Windows 8 leaked on the Winreview.ru Website over the weekend. The site is now closed down, so that even though Google still lists (and caches) pages for the site, you can’t actually access the “real thing” right now.
Before this takedown occurred, however, WindowsUpdate8.com grabbed a few tantalizing screenshots from Winreview.ru, as did the CNNMoney page cited in the preceding paragraph and inserted into this blog as well.
It’s going to be really interesting to see if MS will mount a major offensive to get Windows 8 out the door in time for 2011 holiday buying season, which begins in earnest in November of the year. Frankly, I’ll be surprised if they can pull it off, but the whole tablet and smartphone market opportunity gives them lots of reasons to go for the gold as it were. But only time will tell: Microsoft, as usual, won’t comment on the record about software still in early stages of development.
My Dad is 87 years old, and still in good health, and he’s got a Dell D630 notebook PC that he uses daily to read e-mail, check his investments, and do some very light Web surfing. He’s by no means a savvy PC user, and when I try to pilot him through Windows GUI stuff by phone, he has no idea what a title bar is, a menu layout, the notification area, and other landmarks on the screen so necessary to steer users around. Thus, I must often take control of his system in northern Virginia from my desktop in Texas to diagnose and fix the problems he sometimes encounters. Case in point: last year, it took me about 45 minutes to finally understand that he’d maximized his Internet Explorer window and couldn’t see or access the other on-screen controls, simply because he didn’t know how to tell me what he was seeing on-screen, and couldn’t understand my instructions, either.
Until recently, I’ve used the built-in Remote Desktop Connection (RDC) in Windows 7 to jump from my machine to his across the Internet. It works, but it does blank his screen so he can’t see what I’m doing and learn from what I can show him. But about two weeks ago, his ISP (Cox Cable) switched its networks over to IPv6 addresses, and I can no longer use RDC to access his machine. My edge router device is IPv4 only, and tunneling doesn’t cut it when I enter an IPv6 address in the RDC computer name field. That’s how I found myself looking for a better remote control option, and one that was preferably free for non-commercial use.
Enter TeamViewer, the brainchild of German software company TeamViewer GmbH. The company makes a complete, fully-featured package available for free for non-commercial use on the theory that people like me who use it to support friends and family members over the Internet will be more inclined to recommend or demand use of the paid-for commercial version in the workplace as they get to know and like the product. For my own part, I’m already sold on this logic as well as the products the company puts forward:
- TeamViewer Full Version: Remote control software that works through firewalls, NAT, and even across IP versions (IPv4 to IPv6, as when I go from my machine to my Dad’s; plus IPv6 to IPv4 as well). Within the TeamViewer window, anything you can do directly via local access becomes available through remote access, quickly and transparently. There are also no keyboard sequences or special tricks to change focus from the remote connection to the local desktop or vice-versa: the software knows where the cursor is (inside or outside the TeamViewer window) and behaves appropriately, with cut’n’paste capability in both directions. Also includes all the other items mentioned below, except for TeamViewer Manager, which is only available for commercial or trial use with 5 users and comes as a separate software module, and TeamViewer MSI, only available by corporate license. TeamViewer encrypts all communications, using 1024 bit RSA for authentication and credentials exchanges, and 256 bit RSA for subsequent data transport once a session is established. It also works with all major VPN technologies.
- TeamViewer QuickSupport: Small, basic end-user module (what runs on my Dad’s PC) that requires no installation, configuration, or admin level access to provide the receiving end of a remote access connection. Dead simple to run and use; perfect for non-PC-savvy users like my Dad. A corporate version can be customized with logo and welcome text if buyers so choose.
- TeamViewer Host: Sets up a system service on a remote computer with login/logout and remote reboot facilities. Designed for server access and maintenance, it also makes a peachy add-in for home office computers to which remote users want to connect while on the road.
- QuickJoin: A remote presentation delivery tool that enables remote viewers to log in to online meetings and presentations. Much smaller footprint than Windows Live Meeting, GoToMeeting, On24, or other remote meeting software I’ve used to attend and deliver Webinars of late.
- TeamViewer Portable: Runs the software from a UFD (USB Flash Drive) so that you can take very little with you on the road, yet gain access to your home base from any Internet-connected machine. I love portable software like this, and this particular implementation works quite nicely.
- TeamViewer Manager: A database-based software tool that stores remote host/client information in a centralized database, with distributed access to its contents for authorized users, and a powerful logging and reporting facility. It’s not inappropriate to think of this as an IT/admin console for an entire collection of TeamViewer installations and accounts across an entire enterprise.
- TeamViewer MSI: An alternative installation package for TeamViewer Host, designed for deployment via Group Policy Objects (GPOs) in an Active Directory environment, as is typically found in larger corporations or organizations.
Beyond the functionality, small footprint, and nice collection of different modules for different usage scenarios, what I like best about TeamViewer is their pricing model: client and remote host connections are essentially free. Buyers of commercial licenses only pay for the number of simultaneous seats they need for on-shift support staff to maintain active TeamViewer connections at any one time. Thus, even an enterprise that runs three global shifts of support staff only needs to buy 30 seats, if that’s the maximum number of support staff that will be using the toolset during any single shift. This is vastly different, and more affordable, than most other remote access and remote support solutions available in today’s marketplace.
Check TeamViewer out. It’s free for trial or non-commercial use. I predict that once you get to know this little gem, you’ll start factoring it into your future on-the-job software acquisition planning.
I’ve recently finished work on a forthcoming book about phishing attacks entitled Cyberheist, and have also updated my CISSP Study Guide and Computer Forensics JumpStart titles in the past three months. If there’s one lesson I’ve absorbed into the marrow of my bones as a result of these projects, it’s that unleashing old disk drives to others is an invitation to security disasters. That’s because a competent forensics analysis of a disk drive — even one that’s been erased and reformatted — can turn up all kinds of interesting remnants of its former contents for anybody who has the right tools and knows how to use them.
Thus, when I found myself in the situation of needing to recycle some old disk drives that “the boss” (my wife, Dina) told me needed to get themselves gone from our house, I turned to the Internet to find a usable drive wipe utility that would perform an acceptable drive wipe on some drives that never had financial or other sensitive information written to them (those I would crush or incinerate). After a few false starts that showed me that you really have to try out a drive wipe utility for yourself to see if it does what you want it to (wipe an entire drive clean, in my case), I settled on the free version of a tool named Active@ KillDisk to do the job (the free version does a one-pass erase only, the $49.95 Windows and $59.95 Suite versions support 17 different standard drive-wipe algorithms). The drives in question contained photos, music files, and archives of books and other writing projects, so I wasn’t overly worried about accidental disclosure anyway. Users with more sensitive data should probably take the “crush or incinerate” route, or purchase a commercial drive wipe tool that does multiple erase passes (the DoD recommends a minimum of seven “erase and write random data pattern” passes over a drive to consider it “clean for re-use” — they also recommend “crush or incinerate” for proper drive disposal too, BTW).
Here’s what the GUI for the program looks like:
I mounted my old drives into USB enclosures, plugged them into a laptop USB port, fired off the program and let it chunk all night to wipe each of the two 3.5″ PATA drives I’m taking to Goodwill this coming weekend. Safe enough for non-sensitive data, and easy enough to use, though very time consuming (22 hours for a 200 GB drive, and 29 hours for a 300 GB drive). Check it out!
With six or seven computers around my office at any given time, in various states of (dis)repair, I find myself devoting at least three or four hours a week to system checkups, diagnoses, updates, and repairs or upgrades. When something like Windows 7 SP1 comes along that number hits a temporary spike but otherwise, this is a pretty consistent number (it also includes fiddling with new programs, drivers, and other aspects of PC maintenance).
This weekend, I cranked up my favorite problem child PC, an HP HDX 9203W (aka “The Dragon”) for which HP doesn’t support Windows 7 (they stopped updating software for this machine at Vista). When I ran my usual weekly Secunia check, I realized this machine had been off since before last Patch Tuesday (March 8th) because a slew of updates was waiting for me to install on that machine, including the ultimate Patch Tuesday (PT) tip-off, the Windows Malicious Software Removal Tool x64 – March 2011 (KB890830). But every time I tried to run the whole batch of updates en masse, the update process would hang and never even get to downloading files. In other words, something in the batch was causing the update process to fail.
I started knocking off the March PT elements one at a time. All of the important updates went through single-file without a hitch:
- Update for Windows 7 for x64-based systems (KB2524375)
- Update for Windows 7 for x64-based systems (KB2505438)
- Security Update for Windows 7 for x64-based systems (KB2479943): This is the one that Secunia noticed was missing, and what clued me in to the need for a visit to Windows Update.
- Windows Malicious Software Removal Tool x64 – March 2011 (KB890830)
It was the optional update for Silverlight [Security Update for Microsoft Silverlight (KB978464)] that was hanging. Next, I tried a couple of different installation techniques: by itself from Windows Update, then from the standalone KB download link, both without success. Along the way, Windows 7 continued to perform the installation after I triggered a system restart with a new pre-shutdown message “Installing update. Do not power off your PC until installation is complete.” No dice for any scenario.
After reading up on Silverlight, I learned that MS issues a new version of the install executable each time it issues a Silverlight update. So I used a workaround to fix the problem instead: I uninstalled the old version that I couldn’t patch for whatever reason, then simply installed a brand-new version with changes already incorporated. This went without a hitch, and Windows Update even gave the system a clean bill of health when I performed a post-install check to make sure everything had worked as it should have. I’m still not sure why the Silverlight update wouldn’t install on the Dragon, but at least I found a way around that problem and have caught the machine up. It will be interesting to see if I need to go through the same maneuvers the next time a Silverlight security update hits.
Holy moly! Firefox 4 hit the streets on Tuesday, March 22, and quickly blew away IE 9 download numbers from the previous week. By the end of the first day, the count topped 4.7 million (ahead of IE 9’s 2.35 million in its first 24 hours, as tallied in this CNET story), and it topped 10 million by the end of Day 2 (Wednesday, 3/23: PC Magazine reports that it hit this milestone by 4:30 PM Eastern time that day). As I write this blog, the number at the Firefox 4 Download Stats page is climbing up from 24 million, as shown in this screen cap:
That’s an impressive daily run rate so far. Already at just after 9 AM CDT (-06:00 UTC) the daily average is over 6 million for the first four days, and with 15 hours left to go in that day, it could conceivably wind up somewhere between 7 and 8 million per day by the time the clock hits midnight (a straight-line extrapolation says it will be just over 7 million but that doesn’t factor any acceleration in). But the current tally clearly demonstrates that the daily rate is accelerating from day 1, and might conceivably go as high as 175% of the first day’s numbers by the end of today, day 4. This may not wind up as high as the 8 million copies of Firefox 3 downloaded in 2008 on its first day outing, but it’s certainly sustaining itself quite nicely.
In seeking to explain why Firefox is zooming past IE9, the aforecited PC Mag article provides an entirely credible hypothesis that with over half of all PC users still running Windows XP, Firefox 4 has a much bigger audience than IE 9, which runs only on PCs with Windows Vista or Windows 7 installed (Vista’s market share is now just over 11% and Windows 7 is clocking in at just over 23%, but XP still enjoys a market share of over 55%, according to today’s Operating System Market Share numbers at Netmarketshare.com). What that really means is that the total percentage of users that Firefox 4 can reach is almost three times as large as the one IE 9 can serve. Seems like an entirely plausible analysis to me!
I’m running Firefox 4 on several machines now, and I already like it much better than version 3.6.3 I had been running previously. It’s more streamlined, and much faster than its predecessor. With snappy svelte new versions of Chrome, IE 9, and Firefox 4 all recently on the streets, the browser game has certainly picked up lately, hasn’t it?
As of March 16, Ryan Gavin at Microsoft reported that more than 2.35 million downloads of IE9 occurred in the first 24 hours following its release on Monday night, March 14, 2011. He also reports that this works out to 27 downloads every second over that period. Wow!
These numbers represent more than double the download rate for the IE9 Beta upon its release, and quadruple the rate for the IE9 Release Candidate as well.
So far, I’m running IE9 on a single machine in my office (on my HP i7 quad core notebook). I’m still learning how to drive the UI and haven’t quite learned all the ins and outs yet, but I can say I like the more compact layout better than IE8. It also runs perceptibly faster than IE8 does on equivalent hardware. It still doesn’t keep up with the latest Chrome in its support for HTML5, though matters on that front have improved somewhat. I’m going to take this one slow and get to know the program better before I roll it out to all my machines.
I run Secunia PSI on all of my networked PCs (which means “all my PCs,” in fact). Every now and then, the program smacks me with forcible reminders of how interesting it can be for network admins to keep up with an ever-changing landscape of patches, fixes, and updates.
Two cases in point on my production PC this morning:
- Secunia informed me that my Citrix WebApp plug-in was out of date and that a newer version was available. But because I’m not a licensed Citrix user at present (I was working as a contractor for a chemical company last year, and got the plug-in from them so I could use their VPN) I wasn’t able to download the latest version (no license, no access, as is perfectly understandable). I ended up having to find the directory in which the plug-in resided, and then having to manually delete same, to clear the warning on my machine. No big deal: I’m not using it anymore anyway.
- Secunia also let me know that a new version of Chrome 10.x was out (and wow! the first one only shipped last week: those Google guys move fast!). I clicked the About menu entry in the program and it informed me that Chrome was up-to-date. So I had to go to the Chrome download page, then download and install the latest version to clear that warning.
It just goes to show you that when it comes to keeping up with software updates, it’s not always a push-button, completely automated affair. Sure, Secunia will indeed update lots of stuff for you, but there’s always something that automation doesn’t catch (my lack of Citrix download access on the one hand, and Chrome’s refusal to recognize it needed updating on the other). That’s when an admin has to step in, figure out what’s broke, and fix it the old fashioned way: diagnosis, analysis, repair, and post-assessment. I guess we should all be glad: otherwise, somebody in Pune or Hyderabad would be taking care of my machines for me, and I’d be out of a job.
[Note to the wonderful folks at Secunia, whose PSI is a real Godsend to me: my final remark about being out of a job is purely metaphorical, all my systems are in my home, and not part of a commercial enterprise. Please! Don't take my licenses away.]
In reading Michael Horowitz’s “Defensive Computing” blog on ComputerWorld this morning (it’s entitled “Windows 7 Restore: less trustworthy than XP?”), I was reminded how things can go wonky in a hurry when Microsoft changes its rules for system behavior. And for those who didn’t follow along from XP to Vista and thence to Windows 7, some of those rule changes can lead to some nasty surprises along the way.
Case in point: automatic system restores in Windows 7. As Horowitz quotes from MS documentation in his blog: “System Restore in Windows 7 creates a scheduled restore point only if no other restore points have been created in the last 7 days.” XP makes restore points every day by default schedule, so I can see where dropping down from daily to weekly might be problematic, especially on volatile test systems where getting back to a stable state will be easier if users can expect restore points to be less than a week old.
I have several things to say about this phenomenon:
- It’s good to be aware of this default, and to make changes if it doesn’t work for your needs. One way to do that is to check out the How-to Geek’s instructions “Change How Often System Restore Creates Restore Points in Windows 7 or Vista,” where you find step-by-step instructions for using Task Scheduler to create Restore Points at a frequency and time of your choosing. Another way to do this is to use some kind of virtualization tool to run volatile OSes, which may then be captured with regular snapshots.
- When Windows 7 (or Vista) makes an image backup using the built-in backup utility, it captures a restore point at the same time it makes that backup. By scheduling image backups at a higher frequency than once a week, you’re guaranteed to do likewise for restore points. Here’s a screen cap from one of my fairly busy test machines that shows that both automatic and image backup restore points can be collapsed into a single snapshot (see first two entries below).
- I’ve been messing about with boot/system drive SSDs for over a year now, and I’ve learned to flout conventional wisdom and/or typical advice to turn off System Restore for such drives. Yeah, sure, it means more writes on those drives and probably a shorter lifetime, but I’ve learned the hard way that the convenience and quick fixes that restore points can deliver outweigh the extension to drive life that turning restore points off for SSDs can afford. Besides, I’m pretty sure I won’t be using those drives for more than 3-5 years anyway, and the “10,000 write limit” should last quite a bit longer than that.
When it comes to Windows 7 restore points, if you don’t like the default behavior, you can — and probably should — take steps to change it. Then you won’t have to be unpleasantly surprised to learn that your most recent restore point is 7 days old, because you can take steps to ensure it will never be any older than whatever frequency you schedule for restore point creation (using Task Scheduler, or some other automated scheduling tool) or system image backups (using the built-in utility).
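One way to script both halves of that advice from an elevated PowerShell prompt on Windows 7, as an added example that is not taken from this post or from the How-to Geek article it cites: register a daily restore-point task, then check how old the newest restore point really is. The task name, start time, restore point description and one-day threshold are assumptions chosen for illustration.

```powershell
# Added example: names, times and thresholds below are assumptions.
# Requires an elevated prompt and System Restore enabled on the system drive.

$TaskName   = 'DailyRestorePoint'   # hypothetical task name
$StartTime  = '03:00'               # assumed quiet hour, 24-hour clock
$MaxAgeDays = 1                     # newest restore point must be no older than this

# Command the task runs. The description has no spaces, so no nested quoting
# is needed inside the /TR argument.
$action = 'powershell.exe -NoProfile -Command ' +
          'Checkpoint-Computer -Description ScheduledDaily ' +
          '-RestorePointType MODIFY_SETTINGS'

# Create (or overwrite, /F) a daily task that runs as SYSTEM with highest privileges.
schtasks.exe /Create /TN $TaskName /TR $action /SC DAILY /ST $StartTime `
             /RU SYSTEM /RL HIGHEST /F | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "schtasks.exe failed with exit code $LASTEXITCODE"
}

function Get-LatestRestorePoint {
    # Returns the newest restore point with a real DateTime, or $null if none exist.
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    if ($points.Count -eq 0) { return $null }

    $latest = $points | Sort-Object SequenceNumber | Select-Object -Last 1

    # CreationTime is a WMI (DMTF) timestamp string; convert it before comparing.
    $created = $latest.ConvertToDateTime($latest.CreationTime)

    New-Object PSObject -Property @{
        SequenceNumber = $latest.SequenceNumber
        Description    = $latest.Description
        Created        = $created
        AgeDays        = [math]::Round(((Get-Date) - $created).TotalDays, 1)
    }
}

$rp = Get-LatestRestorePoint
if ($null -eq $rp) {
    Write-Warning 'No restore points found; check that System Restore is enabled.'
}
elseif ($rp.AgeDays -gt $MaxAgeDays) {
    Write-Warning ("Newest restore point '{0}' is {1} days old (limit: {2})." -f `
                   $rp.Description, $rp.AgeDays, $MaxAgeDays)
}
else {
    Write-Output ("OK: newest restore point '{0}' created {1}." -f `
                  $rp.Description, $rp.Created)
}
```

Running the age check on its own after the first scheduled run confirms the task is producing restore points rather than failing silently.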