The Bromium Labs Research Brief entitled “Endpoint Exploitation Trends H1 2014” released on July 22 shows Microsoft’s Internet Explorer in the lead for a crown it probably doesn’t want — namely, “the historic high number of security patches in over a decade” (press release). Here’s a graph snipped from that document that counts publicly reported vulnerabilities for a number of browsers and popular related tools and technologies (2013 in light blue; 2014 in salmon).
MSIE overtakes Firefox, Chrome and Java (ahead in 2013) to take the lead for reported vulnerabilities in the first half of 2014.
[Report: Pg3; data originates from the US NIST National Vulnerability Database, aka NVD]
The report states further: “The notable aspect for this year thus far in 2014 is that Internet Explorer was the most patched and also one of the most exploited products, surpassing Oracle Java, Adobe Flash, and others in the fray. Bromium Labs believes that the browser will likely continue to be the sweet spot for attackers” (page 3). Furthermore, Bromium’s analysis shows that attackers have been able to bypass Microsoft’s Address Space Layout Randomization (ASLR) technology using a technique called Action Script Spray to dynamically create return-oriented programming (ROP) chains, and reports that two such exploits have already been identified in 2014. Likewise, data execution prevention (DEP) blocks seem less effective than initial descriptions (and tests) of the technology promised.
One potentially positive trend documented in the report is a shortened time frame between the day an exploit is reported and the day a patch becomes available. A figure on page 4 of the report shows that lag times (in days) have decreased dramatically from IE9 (over 90 days), to IE10 (over 10 days), to IE11 (under 5 days). But on page 7 of the report, Bromium muddies the waters a bit with this remark: “Web browser release cycles are compressing and the interval between the general availability of a new release and the appearance of the first security patches has been decreasing recently. This may represent greater efforts on the part of software manufacturers to secure their products, or it may represent products being released to market with less security testing than earlier versions received.” To buttress the second possibility, Bromium’s researchers point to the increasing popularity of “use-after-free” vulnerabilities in zero-day exploits — a point worth learning more about, and pondering carefully (see this Mitre CWE definition for more info).
What does this portend for Windows system and security administrators? Alas, it means the common perception that IE remains a source of security vulnerability is as true today as (or truer than) it has been in the past, and that erecting defense in depth around (or avoiding or banning) its use is a top priority. And I thought newer generations of IE were supposed to be more secure than older ones? Go figure!
A recent post over on Paul Thurrott’s SuperSite for Windows just reminded me about an essential item in any Windows admin’s repair and recovery toolkit — namely a USB 3.0 to SATA adapter or drive caddy of some kind. The “drive end” (SATA) represents the most common form of SSD and hard disk coupling in use on Windows machines nowadays, while a USB 3.0 port is available on most modern machines and combines high rates of speed for data transfers (the theoretical limit of 5 or 6 Gbps is seldom approached, but USB 3.0 is generally an order of magnitude faster than USB 2.0 or 2.1 in everyday use). Thurrott’s post is entitled “Tools of the Trade: USB 3.0 to SATA Adapter” and features an Anker device available from Newegg for $21.99, depicted here:
The secret to this choice of device, which is eminently suitable for traveling/field use, is that it accommodates an external power supply. That’s because while it is possible to buy USB to SATA adapters that feature either one or two USB connectors (the second one is used to boost power levels, as a single USB port can deliver only 2.5 to 5.0 Watts), you can only use such devices to attach lower-power SATA drives via USB. In practice, this means 2.5″ notebook drives such as SSDs, SSHDs, or conventional hard disks. Even then, higher-capacity 2.5″ HDs (1 TB and above) might still demand too much power to be served by such an inexpensive and light-duty adapter (here’s a $12.55 part from Newegg that illustrates this kind of thing).
For shop or depot use, I’d recommend something I’ve written about before — namely, a one or two SATA connector-equipped drive caddy (see the 4/19/2013 post here entitled “MyFaves: HDD Docking Station” for more details). These devices are bigger and less portable, but also offer a more substantial tool for mounting either 2.5 or 3.5″ SATA drives of all kinds and sizes (I’ve got a 3.0 TB Toshiba drive mounted in my $58 Thermaltake BlackX Duet that I use for backups and my enormous collection of music files). A dual drive unit like this one also offers an easy way to mount two drives, so that you can image one drive directly to another (or use a tool like Paragon Software’s Migrate OS to SSD 4.0, to transfer a UEFI boot disk image from a source to a target disk without losing boot capability in the bargain).
Whether you go for the portable Anker device that Thurrott recommends, or an equivalent like the FiveStar SATA IDE Adapter ($21 at Newegg), or even the more substantial drive caddies best suited for shop or depot use, if you work regularly with imaging, building, recovering, or repairing Windows disks, you’ll find such devices invaluable elements in a well-stocked Windows PC toolkit. Highly recommended.
By Diana Hwang
That’s saying a lot since Microsoft has always been likened to the Evil Empire and whoever was at the helm was Darth Vader.
No, Nadella is not short, green and wrinkled with big ears (far from it), but he is the intelligent yet humble public and behind-the-scenes persona that gets Microsofties to focus on the company’s big picture strategy just as Yoda guided Luke and the rebels throughout the Star Wars series. (Just for the record, I’m a fan of the old Star Wars – Episodes IV, V, and VI).
Nadella has led the $86.8 billion company for six months now, and he’s focused on a few key messages: mobility, cloud, productivity, and melding digital life and work experiences.
What does it all mean? Everything Microsoft does is about helping people be more productive and getting things done.
But here’s an interesting tidbit that came up during Microsoft’s fourth quarter and fiscal year 2014 earnings call this week: Nadella confirmed Microsoft will consolidate multiple Windows operating systems into one version.
“We will streamline the next version of Windows from three operating systems into one, single converged operating system for screens of all sizes,” Nadella said during the call.
It’s about time. There is absolutely no need to have separate OSes for PCs, tablets and smartphones. Why? Because technologies like CPUs and screens have improved so much that devices are much more mobile friendly. They can handle the full Windows workloads while offering workers a full day of battery life.
As a result, the streamlined Windows OS built on a single core could generate other beneficial results like developers being more motivated to create more relevant business apps for the Windows Store.
The converged Windows also furthers Microsoft’s universal apps vision. Developers won’t need to spend more time building separate Windows PC, tablet and Windows Phone apps. This is especially important as Windows Phone and Windows tablets have a minuscule market share compared to Apple iOS and Google Android devices.
If developers can create one Windows app that works across a PC, tablet or smartphone and simply optimize it for the screen, it becomes a decent value proposition. It’s the next step for continuing this vision of the universal app Microsoft unveiled at Build 2014 this past spring. Developers can now view the world of Windows devices not in a segmented fashion but as a whole.
“We will unify our stores, commerce and developer platforms to drive more coherent user experiences and a broader developer opportunity,” Nadella said on the financial call. He promised the next wave of Windows enhancements in the coming months.
With Microsoft simplifying its engineering teams and refining its vision, the industry will closely watch how well it can execute its strategy.
The numbers don’t lie
No matter how promising the strategy, it all comes down to the bottom line.
For the fourth quarter 2014, Microsoft posted revenue of $23.38 billion and net income of $4.6 billion. For its fiscal year 2014 ended June 30, Microsoft posted revenue of $86.8 billion and net income of $22 billion.
Microsoft attributed much of its growth to cloud services such as Office 365 and Azure. The commercial cloud annual revenue run rate doubled and hit $4.4 billion. Microsoft said it added over 1 million subscribers to Office 365, bringing the number to 5.6 million users.
But Microsoft also took a $700 million operating expense hit from the acquisition of Nokia. Just last week, Microsoft laid off 18,000 workers, with 70% of those impacted in the Nokia Devices and Services division.
The company created a new phone hardware segment to account for revenue from its smartphone business. It contributed $1.99 billion in revenue this quarter to Microsoft’s bottom line, driven by sales of its Lumia 500 and 600 series smartphones.
Microsoft will continue to compete with its OEMs to create new devices like Surface and as Nadella says, the company will “responsibly make the market for Windows Phone.”
“However, we’re not in hardware for hardware’s sake, and the first-party device portfolio will be aligned to our strategic direction as a productivity and platform company,” Nadella said.
It remains to be seen how successful Microsoft will be. Just as Star Wars Episode VII is expected to be released in 2015 with the old cast of characters returning but with some new twists, Microsoft too is coming back to its original successful productivity roots, but with some new twists as well.
May the Force be with you.
It looks like there’s been a bit of misplaced hullabaloo in the wake of yesterday’s 7/22/2014 Microsoft earnings call for Q4, during which CEO Satya Nadella is quoted as saying: “We will streamline the next version of Windows from three operating systems into one single converged operating system for screens of all sizes” (source Mary Jo Foley, All About Microsoft, ZDNet). Though this sounds very much like one OS image for all possible variants, including phones, tablets, PCs, and game consoles, that’s not exactly how things should play out, according to many sources (including MJF’s aforelinked article on this subject).
Globzer’s “hypothetical” wallpaper for Windows 9 aka Threshold, where the One Windows strategy should find more tangible expression from MS.
Here’s a more reasonable interpretation of what’s going on with Windows and what Nadella sought to say:
1. One development team for Windows versions/variants — namely the Unified Operating System Group led by Terry Myerson.
2. One single, common Windows “core” — also called the NT Core, this common collection of code applies to Windows Phone, Windows 8, Windows RT, and Windows Server. According to MJF “…each OS builds on top of this core using different pieces that make sense for the form factor/hardware…” in use.
3. One unified Windows Store — By combining the Windows Phone Store and Windows Store, MS is working toward a single store for all of its platforms, where it’s likely that Windows 9 (aka “Threshold”) may be where the initial results of such efforts go on display.
4. One single unified Development effort — Perhaps best understood as “code once for all Windows platforms” this effort captures MS’s ongoing work to consolidate a core set of APIs to enable applications to run on Windows Phone, Windows (desktop and server), and the Xbox. MS’s initial efforts enable developers to reuse some code as they write what MS calls “Universal Windows apps,” but there’s still substantial work to be done in this area.
It’s tempting to try to translate this into a single installable Windows version that somehow enacts a “one image fits all platforms” approach. Ain’t gonna happen! As MJF points out, Nadella steered emphatically clear of any such promise when he said “Our SKU strategy will remain by segment. We will have multiple SKUs for enterprise, we will have for OEM, we will have for end-users… We will be disclosing and talking about our SKUs as we get further along.” ‘Nuff said!
Although the ThinkPad 10 has been a “known entity” since late 2013, and listed at the Lenovo Store since March or April of 2014, it was only last week — while I was away from my office on vacation, as fate would have it — that Lenovo finally opened the product page for actual orders. Having now visited same to check things out, I will cheerfully admit to having a soft spot for ThinkPad products (I own two Ivy Bridge era i7 notebooks, including the X220 Tablet and a T520 notebook, each upgraded with OCZ Vertex SSDs and Plextor mSATA SSDs and 16 GB RAM). At present, however, the only model available is a 2GB RAM/64 GB SSD despite promises of a 4GB RAM/128 GB SSD model on the ThinkPad 10 Tech Specs page. I’m a little disappointed, but not terribly surprised, given that it’s taken quite some time for Lenovo to bring the product to market since it first announced the platform (I do plan to wait for the heftier model to become available before ordering one myself).
A side view of the Lenovo ThinkPad 10 sitting inside the Ultrabook Keyboard dock with its drop-in, single-angle docking connector.
The present offering includes a quad-core Intel Atom Z3795 CPU running Windows 8.1 Pro 32-bit (x86), 2.0 GB LPDDR3 RAM, and offers 1920×1200 screen resolution (somewhat better than “full HD” at 1920×1080; graphics come from integrated Intel HD circuitry in the Atom family that’s on par with Intel 3xxx capabilities on other CPUs). The base unit as described currently retails for $692.55 at the Lenovo Store, including an instant rebate of $36.45. The all-important keyboard cover accessory (called an “Ultrabook Keyboard” on the Accessories page) will set you back an additional $120, a protective case costs $55, and an external battery costs $30. This puts a reasonable configuration in the $800-850 price range, which is about $200-250 more than a similarly equipped Dell Venue 11 Pro Tablet (which supports i3 and i5 models at the top end of the feature/price spectrum at prices up to $1,180, including a keyboard dock with a second battery).
At the moment, the same dollars that the entry-level ThinkPad 10 will cost you would also buy you a 64-bit Venue 11 Pro model with twice as much RAM (4GB instead of 2) and SSD storage (128 GB instead of 64). Given those economics, it looks like Lenovo will have to bring lots of usability and capability options into the mix to give the Dell Venue 11 Pro a run for that money. I’m going to have to compare them side-by-side to see which option makes the most sense for business/professional users.
It doesn’t seem like that much time has gone by since the release of Windows 7, but free mainstream support for that operating system from Microsoft comes to an end on January 13, 2015. On July 2, 2014, MS Support posted a notification entitled “Products Reaching End of Support in the Second Half of 2014” (thanks to Mary Jo Foley and a recent ZDNet post for alerting me to this). Title notwithstanding, the second heading on the page provides the lead-in for this discussion, and reads “Key Products Transitioning from Mainstream Support to Extended Support.” The explanation for Extended Support proffered there is very much worth repeating here, to help put this transition into its proper context:
Extended Support lasts for 5 years and includes security updates at no cost, and paid hotfix support. Additionally, Microsoft will not accept requests for design changes or new features during the Extended Support phase.
The following screen cap shows a list of Windows 7 products moving to extended support (for the complete list, which also includes specific releases of MS Dynamics, Exchange Server 2010, Windows Embedded and Phone, Windows Server 2008 including R2, and Windows Storage Server 2008 also including R2, please consult the notification page):
Any and all Windows 7 versions transition to Extended Support on 1/13/2015.
Does this mean that the end of life for Windows 7 is at hand? No, as the MS explanation clearly states, it still has 5 years of life left once it attains Extended Support status. But with the relentless forward march of technology continuing unabated after that, the requirement for paid hotfixes, and the absence of new features or design changes, Windows 7 can’t help but be left behind in the face of new hardware and software that is certain to appear during that time window. Will enterprises want to risk being left behind to avoid migration? I have to believe the answer will shade from “Fine by us” as the 5-year-clock starts ticking, but enterprises will become increasingly less complacent — tending more toward “urgent” to “desperate” — as the 60-month window of ongoing but limited support for Windows 7 starts closing.
What does it all mean? For those enterprises who migrated to Win7 more than two years ago, it means they probably already expected to start planning the next migration at about that time (January 2015). For those who’ve completed their migrations (or haven’t yet done so) it means they must face a compressed migration schedule as their next technology lifecycle turns over.
Here’s a nice graphic from the Microsoft Security Response Center’s latest blog post, entitled “July 2014 Security Bulletin Release;” it summarizes the items pushed out via Windows Update yesterday, July 8, and presents a new look and feel for security bulletin stuff.
Sharp colors and simple labeling let you absorb the latest security bulletin deployment priorities at a glance (full-size original).
And now that MS has stopped e-mailing advance notifications and update information to users, in response to a Canadian governmental anti-spam initiative, they’ve set up something called the MyBulletins “security bulletins customization free online service,” which enables registered users to create custom dashboards so they can track security bulletins related to products and platforms deployed on their systems and networks. Here’s a snippet of what my dashboard looks like, after I registered interest in Windows 8.1 and 7, various .NET Framework releases, Windows Server 2012 and R2, and so forth.
MS now offers a way to customize a security bulletin dashboard to track only products and platforms of interest to IT professionals.
On the face of things, I’d say that MS has come up with a reasonable and perhaps even more usable alternative to its now-obsolete and unavailable e-mail notifications for security bulletins. Check it out, and see for yourself!
At the end of last week, ZDNet’s Mary Jo Foley posted a story on the upcoming next major Windows release, code-named Threshold, often called Windows 9. She slipped an interesting remark right past me therein, called into sharp relief by a follow-up story I read this morning on Gidgets.com. Here’s a paragraph from MJF’s story that lays out an interesting hypothetical situation surrounding that upcoming release:
The Microsoft OS team is hoping to get as many Windows 7 users moved to Windows 7 Service Pack 1 and Windows 8 users to Windows 8.1 Update in preparation for (hopefully) getting them to move to Threshold once it is out. It’s still early in the Windows development cycle for Microsoft to have decided on packaging, pricing and distribution, but my sources say, at this point, that Windows Threshold is looking like it could be free to all Windows 8.1 Update, and maybe even Windows 7 Service Pack 1, users.
Here’s one cut at a logo for the next generation of Windows for the desktop (Windows 9 Logo Wallpaper).
This certainly poses one interesting and compelling way for Microsoft to stimulate wholesale upgrades to Windows 9 for a large majority of users. With Windows 7 SP1 now representing over 50% of the installed Windows base, and Windows 8.* versions accounting for roughly 12% or so of what’s left over, this could provide a straightforward way to achieve critical mass for the next major Windows release. Certainly, Apple experienced higher conversion rates when they stopped charging for major releases of OS X, so there’s no reason to expect that Windows behavior would differ significantly. That said, a great many more enterprise desktops, notebooks, tablets, and so forth run Windows than MacOS, and we all understand that even if it’s cheap for such organizations to migrate, there are many other factors (and a great deal more time, effort, and expense) involved in making wholesale migrations at the large end of the scale.
This is undoubtedly an interesting hypothetical to consider, and possibly even a positive inducement for some parties to make the move up to Windows 9 from earlier versions. But from an enterprise perspective, it is only one small consideration among a host of others that can’t help but involve significant time, effort, and expense in planning and implementing an OS migration. I’d have to guess that a free upgrade wouldn’t impact corporate and large organization lifecycle planning much, if at all. It should be interesting to keep an eye on this, and to see what it morphs into in the months ahead. If other rumors about Windows 9 have any merit, we should be hearing more about the new OS later this year, and witness the developer and consumer preview releases late in 2014 and early 2015 respectively, with a GA release about a year from now. There is still plenty of time for things to change and for rumors to coalesce into actual, announced plans and releases. Stay tuned!
In poring over Paul Thurrott’s SuperSite for Windows this morning, I found a tantalizing recommendation amidst his tweets to a HooToo device called the HT-UE01 3-port USB 3.0 Hub with GbE Converter. This is a case where a picture tells the story (or at least, explains the motivation for owning such a device) rather nicely, so here ’tis, straight from the Amazon product page:
Most compact Win8 tablets offer at most 2 (usually 1) USB 3.0 ports and no wired Ethernet; this device adds the latter and provides 3 more of the former.
At about $29, the device isn’t exactly dirt-cheap. But it won’t break the bank, either, and offers a compact and portable way to add more ports to the current crop of thin-and-light tablets that are increasingly available, such as the Surface family from MS, the Dell Venue 8 and 11 Pro models, the upcoming ThinkPad 10, and the Fujitsu Q704 series. I’ve found that I like to use a mouse, a Bluetooth keyboard, and one or more fast UFDs when I’m on the road (not much access to wired GbE on the plane just yet), so the added USB ports are quite welcome. This device looks like a worthwhile addition to one’s traveling tablet kit when away from the office. Check it out!
Over the past few months, I’ve blogged repeatedly about issues related to installing (or rather, failing to install) the Windows 8.1 Update 1 for Windows 8.1. Windows experts such as Woody Leonhard (at InfoWorld) and Paul Thurrott (at his SuperSite for Windows) have dug into those details, and I blogged about them repeatedly myself here (especially in connection with KB 2919355). Recent rumors are divided, however, about whether or not the upcoming Windows 8.1 Update 2 (which most sources indicate should become available in August 2014) will be released through the Windows Store or through Windows Update.
Who knew that Windows Update would prove preferable to the Windows Store?
As some readers may be aware, Windows 8.1 itself was promulgated through the Windows Store, and there were plenty of issues with that delivery mechanism, too. While the majority of users were able to download and install the update from the Store without difficulty, an unspecified minority (estimates range from below 1% to as high as 2-3%) found themselves unable to get completely through the installation process. Some of that minority, in fact, found themselves stuck between the old version and the new, requiring a complete reinstall of Windows to regain access to their desktops and file systems. Ouch!
This morning, WinBeta.org is reporting that MS is “testing Windows 8.1 upgrades for Windows 8 users via Windows Update.” In covering the same phenomenon, Paul Thurrott produces this memorable conclusion to his posting entitled: “Microsoft Works to Get Windows 8/RT Users updates to 8.1:”
Given the experience of the Store-based Windows 8.1 update, I suspect that’s the last time we’ll see Microsoft do such a thing. I expect all future Windows updates to ship via Windows Update, as God intended.
I’m not sure if distribution of Windows Updates is a matter for divine providence, but I have to agree that Windows updates, patches, and fixes seem to work better when delivered through the Windows Update service. Perhaps that means that rumors about the upcoming Windows 8.1 Update 2 distribution through the Windows Store will not pan out, much to everybody’s relief — including Mr. Thurrott’s, as well as mine!