Microsoft to patch zero-day IE bug now under attack
Eight updates will plug holes in IE, Windows, Office, SharePoint and Silverlight
ComputerWorld by Gregg Keizer October 3, 2013
Microsoft today said it will ship eight security updates next week to patch critical vulnerabilities in Windows and Internet Explorer (IE), with the one aimed at IE plugging the hole attackers have been exploiting for months.
“The Critical update for Internet Explorer will be a cumulative update which will address the publicly disclosed issue described in Security Advisory 2887505,” confirmed Dustin Childs on the Microsoft Security Response Center (MSRC) blog today.
Security experts identified the IE update as the one to deploy first, citing the fact that one of the vulnerabilities has been used by cyber criminals in targeted attacks against users in Japan and Taiwan.
“IE is always top of the list,” said Andrew Storms, director of DevOps at cloud security vendor CloudPassage, in an interview today.
Over the next two weeks, security companies reported that attacks had been aimed at Japanese and Taiwanese organizations since July. And earlier this week, exploit code went public as a working module was added to the open-source Metasploit penetration framework. Researchers predicted that the Metasploit appearance would result in an increase in attacks as less-capable hackers copied the code and added it to their weaponized toolkits.
“Once it went into Metasploit, I anticipated an early release of a patch by Microsoft,” said Storms today. “Obviously the patch is done, but Microsoft’s and its partners’ telemetry must have shown that there were no reasons to go out-of-band.”
Historically, Microsoft has issued “out-of-band” updates — those outside the normal monthly release schedule — only when it believes large numbers of its customers are at risk. The company has never publicly disclosed how it decides when to ship an out-of-band security update.
The early date of October’s Patch Tuesday — always the second Tuesday of the month — may have played a part in Microsoft’s decision to hold the update and not go out-of-band, Storms said.
The IE update was just one of four rated “critical” by Microsoft. The remaining three critical updates were all aimed at Windows, including one that applied to the newest Windows 8, Windows RT, Windows 8.1 and Windows RT 8.1, according to Microsoft’s advanced notification distributed today.
Experts recommended that customers install the Windows updates as soon as possible after their release. “Bulletins 2 and 3 are through the stack and might end up rating more attention than the IE update,” warned Storms.
Microsoft said Bulletin 3 did not affect Windows 8.1 or Windows RT 8.1, but that Bulletin 2 did.
The other four updates will patch vulnerabilities in Excel, other pieces of Office, the SharePoint collaboration server software and Silverlight, a media format Microsoft seems to have discarded or at least isn’t interested in developing further.
Because the Office-related vulnerabilities were ranked as “important” even though Microsoft said hackers could exploit them to plant malware on customers’ PCs, Storms said it was probable that any attack code required considerable user interaction to work, such as downloading files, opening shared folders or clicking through multiple warnings.
“Being exploited via a drive-by is not going to happen,” said Storms, referring to the most dangerous attacks, which only require a user to visit a malicious website to trigger exploits.
Microsoft will release next week’s security updates on Oct. 8 around 1 p.m. ET.
How to Uninstall Windows 8, Install Windows 7 on Your PC
Has Windows 8 got you down? It’s not easy, but you can switch your new PC back to Windows 7. We show you the step-by-step (and the pitfalls).
PC MAG by Brian Westover April 8, 2013
If you’re fed up with the Windows 8 operating system that came on your new laptop, and just want to switch back to Windows 7, I’ve got good news, and bad news. The good news is that it is possible. You can remove Windows 8, install Windows 7, and go about your life as if Windows 8 never happened. The bad news is that it’s a complicated endeavor.
In addition to the expected BIOS wrangling, drive formatting, and reinstalling device drivers, Microsoft has actually added extra layers of complexity. The BIOS has the added obstacle of the Unified Extensible Firmware Interface (UEFI). Drives are partitioned and protected so that it’s difficult to reclaim all of the space on your hard drive. And finally, manufacturers are spotty at best when it comes to offering Windows 7 drivers and rarely support users in making the switch. The result is a snarled Gordian Knot of complications, but there’s not necessarily a sword available to simplify the issue. This guide, however, should help you navigate the many twists and turns.
If you don’t want to remove Windows 8 completely but still want to have your familiar Windows 7 experience, want to avoid compatibility issues with programs and games, or need a feature that’s gone missing in the new OS, there are other options. Your best bet is actually running Windows 7 on a virtual machine—and we can suggest several.
If you’re ready to embark on the journey back to Windows 7—it feels wrong to simply call it a downgrade—then gather your supplies, muster your courage, and let’s dive in.
A Few Words of Warning
Microsoft does offer downgrade rights, complete with support services and a clear downgrade path to Windows 7, but only for systems with Windows 8 Pro. If you’ve just got plain old Windows 8—and most mainstream systems do—you’re on your own. Switching between the two operating systems is still very doable, but you’ll be doing it without Microsoft’s blessing.
Related to this, you may also run into trouble getting support from your manufacturer, as most do not provide legacy support for Windows 7 on systems that were factory-shipped with Windows 8. This extends to drivers. You’ll need to do your homework as to what your devices are, what drivers they require, and whether or not there are Windows 7 drivers available. Unfortunately, this will vary from model to model, and even from one configuration to the next.
Do Your Driver Homework
Start by opening the device manager in your control panel. It will provide you with a list of all the different devices found on the system, from touchpad and keyboard to networking and Wi-Fi adapters. Don’t skip this step, because you can’t use the device without a working driver—meaning that without the proper drivers, you can easily find yourself stuck with a nearly unusable machine.
By digging into the properties of each device individually, you should be able to find the specific part model name, and information about the drivers. Some searching online will help you discover whether or not Windows 7 drivers are available for each part, but you will often need to track down each driver individually. The one exception to this is when the manufacturer offers two versions of the same model PC—both a Windows 8 configuration, and a Windows 7 version.
The first place to check is the PC manufacturer’s product support page. By looking up your specific PC model number, you should be able to locate a list of all the needed drivers for the laptop’s hardware. If you’re lucky, the manufacturer support page includes drivers for both Windows 8 and Windows 7, giving you everything you need for your entire PC. With one of our test PCs, this was all we needed to do, because all the device drivers were available.
If not, you’ll need to take it one device at a time. Find the name of the manufacturer for each device and search for that company’s website, which should have its own driver download page. If even this doesn’t seem to help, you can always fire up your search engine and search for “[Device name] + Windows 7 Driver.” That should bring up plenty of resources.
Be aware, however, that for some newer devices, drivers may not be available for Windows 7 and older operating systems. If this is the case, you may be out of luck—which is why you’re looking all of this up beforehand.
Back up everything. Tech journalists often preach the importance of regularly backing up, but this is more than the usual preparation against hypothetical disaster—you’re about to overwrite your hard drive. Everything on that drive will be gone. Files, programs, and the original operating system, all gone. Just because you want to ditch Windows 8 now doesn’t mean you won’t change your mind in the future. Additionally, you may want a way to revert back to Windows 8 should you ever need to take advantage of the warranty—there’s worry that some manufacturers will void the warranty on the system if Win 8 is removed.
First, you’ll need Windows 7 installation media, either on disc or on a USB Key. Yes, Microsoft still sells it, as does Amazon. In addition to your installation media, you’ll need a valid Windows 7 Product Key, the 25-digit alphanumeric code used to activate your copy of Windows. If you’re installing from a brand-new copy of Windows, you’re fine to use the product key that was included, but if you’re using an older copy (or a copy of a copy) you’ll need to pay for a new valid key.
You will also need a USB key (separate from your installation media) with drivers loaded on it. This is the result of the aforementioned homework—you really don’t want to install Windows 7 without it.
Disable UEFI and Enable Legacy Boot
Unlike past PCs, which would let you access the BIOS at startup, you’ll need to first enable Advanced Startup Mode.
Commence Installing Windows 7
With Legacy Boot enabled and your boot order changed, you should now be able to boot into your installation media to begin installing Windows 7.
The first thing you’ll see is a prompt to begin installation.
Start the installation process, choose your language and region, and press “Install Now” to begin the process.
You’ll be asked to agree to Microsoft’s software license, and then to choose between an Upgrade or Custom installation. In this instance, you’ll want to choose Custom.
The next step is to choose the destination drive for the installed OS. At the very least, you’ll want to install Windows 7 to your C: drive. If you want to wipe Windows 8 completely off of your system, this is the time to do it. Select the various partitions on the hard drive and go through the process of deleting each, and consolidating the free space. This is all handled in the installer, which gives you the option to delete or format each partition as it’s selected. But beware—this is the Rubicon of OS installation. Once those drives are gone, they are gone, and rebooting the system without finishing the Windows 7 installation will leave you with a PC that has no operating system. Next, the installer will go through the process of extracting and expanding all of the necessary installation folders. Kick back and relax for a while, because this part is automatic. During this process, the PC will also restart on its own—don’t panic, that’s just part of the installation process.
Finally, your laptop will boot into Windows, and you should see a more familiar version of the Windows logo come up.
Once you boot into Windows, you’ll be asked to provide a 25-digit Product Key. You can proceed without one, but you’ll be forever hounded by warnings about using a pirated version of Windows, even if it’s a brand new store-bought copy.
Install Drivers from USB key
Once you’ve got Windows 7 installed on your system, it’s time to install your drivers. As a rule, I always start by installing networking drivers—once you’ve got your Wi-Fi or Ethernet connection up and running, you can hunt down the rest and troubleshoot online as needed.
Once you’ve got your drivers installed for everything else (trackpad, graphics processing, USB 3.0 ports, Bluetooth, etc.) do one final reboot. Voilà! You’ve now got a pristine Windows 7 PC, ready and waiting for all of your software and files.
Hopefully, this little guide has helped you to navigate the minefield of switching from Windows 8 to Windows 7 without the loss of a limb. Enjoy your Start Menu, and bask in the light of a tile-free existence, free to use Windows as you always have. With any luck, the next version of Windows will be a little easier to adjust to.
Tech firms squirm over their role in Prism surveillance
PC World by Ellen Messmer July 28, 2013
The disclosures about the National Security Agency’s massive global surveillance by Edward Snowden, the former information-technology contractor who’s now wanted by the U.S. government for treason, are hitting the U.S. high-tech industry hard as it tries to explain its involvement in the NSA data-collection program.
Last week, a gaggle of 22 large U.S. high-tech firms—including Apple, Facebook, Google, Microsoft, and Yahoo, which have acknowledged they participate in NSA data-gathering efforts in some form, if not exactly as Snowden and some press reports have described it—begged to be freed from the secrecy about it in their pleading, public letter to President Obama, NSA director Keith Alexander, and a dozen members of Congress.
The July 18 letter from America’s high-tech powerhouses, which was also signed by almost three dozen nonprofit and trade organizations as well as six venture-capital firms, begged for “greater transparency around national security-related requests by the US government to Internet, telephone, and web-based service providers” in terms of how much information the government demands on high-tech customers and subscriber accounts and how.
The letter begged the U.S. government to make public the number of national security-related requests it makes for individual customer information.
“This information about how and how often the government is using these legal authorities is important to the American people, who are entitled to have an informed public debate about the appropriateness of those authorities and their use, and to international users of US-based service providers who are concerned about the privacy and security of their communications,” the letter to President Obama, Congress, the NSA director and Director of National Intelligence, stated yesterday.
Firms on the defensive
The revelations last month from Snowden about NSA’s extensive involvement in U.S. high-tech firms for purposes of information collection have suddenly put the U.S. high-tech industry on the defensive as the firms struggle to offer an explanation about all this to their global users while still bound by secrecy under the U.S. Patriot Act. There’s no indication yet from the White House or others in government that the NSA spying program, which relies on the participation of U.S.-based firms, will change.
“This should be debated in a public setting,” said John Dickson, principal at security firm Denim Group and a former U.S. Air Force officer, about the situation in which NSA’s global surveillance is tied so clearly to U.S.-based companies. He noted the U.S. government has actually said little but the media much.
This is all putting tremendous pressure on the U.S. high-tech industry, especially abroad in Europe where privacy questions may be making U.S. industry seem less competitive. This week Brad Smith, Microsoft general counsel and executive vice president, legal and corporate affairs at Microsoft, issued a public statement that sought to clarify Microsoft’s participation in the U.S. government’s content gathering methods.
“Recent leaked documents have focused on the addition of HTTPS encryption to Outlook.com instant messaging, which is designed to make this content more secure as it travels across the Internet,” Microsoft counsel Smith wrote. “To be clear, we do not provide any government with the ability to break the encryption, nor do we provide the government with the encryption keys. When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency.”
Microsoft’s SkyDrive and Skype are handled somewhat similarly in terms of government requests, Smith said. As far as enterprise and document storage for business customers, “we take steps to redirect the government to the customer directly, and we notify the customer unless we are legally prohibited from doing so,” Smith stated in his July 16 post. “We have never provided any government with customer data from any of our business or government customers for national security purposes.”
Smith added Microsoft got four requests related to law enforcement in 2012. “We do not provide any government with the ability to break the encryption used between our business customers and their data in the cloud, nor do we provide the government with the encryption keys.”
Is Prism even effective anymore?
In the meantime, it’s safe to assume in this NSA leaks debacle that “the bad guys have switched tactics” and probably wouldn’t use U.S.-based high-tech services, Dickson points out. And in this atmosphere of rising cyber-nationalism, questions about the possible role of China’s government and its own high-tech industry have to be asked, too, he noted.
Former head of the U.S. Central Intelligence Agency and the NSA, Gen. Michael Hayden, recently charged forward on that topic in an interview with The Australian Financial Review.
Hayden said he believes that China-based network vendor Huawei conducted clandestine activities and shared with the Chinese state “intimate and sensitive knowledge of the foreign telecommunications systems it is involved with.” According to the published report, Gen. Hayden said Huawei is a significant security threat to Australia and the U.S., has spied for the Chinese government, and that intelligence agencies have evidence of this.
A Huawei spokesman, John Suffolk, Huawei’s global cyber security officer, is quoted by the Australian publication yesterday as calling Hayden’s remarks “unsubstantiated and defamatory” and saying that any critics of the company should present any evidence publicly.
In an opinion piece on CNN.com today, Gen. Hayden railed openly against Edward Snowden as a national security threat, saying he “fled to China with several computers’ worth of data from NSANET, one of the most highly classified and sensitive networks in American intelligence.”
Hayden acknowledged that one aspect of the fallout from Snowden’s leaks is “the undeniable economic punishment that will be inflicted on American businesses for simply complying with American law.”
Hayden’s remarks on CNN also seem to sarcastically criticize the Europeans now complaining about the NSA activities and how they may violate European data-privacy laws. “Others, most notably in Europe, will rend their garments in faux shock and outrage that these firms have done this, all the while ignoring that these very same companies, along with their European counterparts, behave the same way when confronted with the lawful demands of the European states.”
Hayden continued: “The real purpose of those complaints is competitive economic advantage, putting added burdens on or even disqualifying American firms competing in Europe for the big data and cloud services that are at the cutting edge of the global IT industry.”
As if all this weren’t enough, former President Jimmy Carter also spoke out yesterday on NSA global surveillance, suggesting the NSA data collection practices were harming democracy. Former president Carter also said Edward Snowden’s revelations didn’t really harm national security and were actually “beneficial” because “they inform the public.”
Army admits restricting soldiers’ access to NSA coverage
Netcom spokesperson tells the Monterey Herald that the Defense Department routinely takes preventative “network hygiene” measures to prevent unauthorized disclosure of classified information.
C/Net News by Steven Musil June 27, 2013
The U.S. Army has apparently opted to restrict Army personnel access to The Guardian’s Web site after the newspaper broke stories about the National Security Agency’s confidential surveillance activities.
The Army is filtering “some access to press coverage and online content about the NSA leaks,” Gordon Van Vleet, a spokesman for the Army’s Network Enterprise Technology Command, told the Monterey Herald. Netcom is charged with operating and defending the Army’s computer networks.
Van Vleet told the Herald that the Department of Defense routinely takes preventative “network hygiene” measures to prevent unauthorized disclosure of classified information.
“We make every effort to balance the need to preserve information access with operational security,” he wrote, “however there are strict policies and directives in place regarding protecting and handling classified information.”
Despite earlier reports that the restrictions were limited to the Presidio in Monterey, Van Vleet confirmed that the censorship was “Armywide.” Presidio sources told the Herald that the base’s information assurance security officer had informed employees that The Guardian’s site had been blocked and any accidental download of classified information would result in “labor intensive” hard drive cleansing.
CNET has contacted Netcom for comment and additional information and will update this report when we learn more.
A pair of articles published earlier this month by The Guardian and Washington Post alleged that several Internet companies, including Google, Apple, Yahoo, Microsoft, and Facebook, provided the NSA with “direct access” to their servers through a so-called PRISM program. Subsequent reporting by CNET revealed that this was not the case, and the Washington Post backtracked from its original story on PRISM.
Facebook, Microsoft reveal surveillance request figures
Facebook says it received almost 10,000 US government requests for user data in the second half of 2012
The Guardian / UK by Reuters June 15, 2013
Facebook and Microsoft have struck agreements with the US government to release limited information about the number of surveillance requests they receive, a modest victory for the companies as they struggle with the fallout from disclosures about a secret government data-collection program.
Facebook on Friday became the first to release aggregate numbers of requests, saying in a blog post it received between 9,000 and 10,000 US requests for user data in the second half of 2012, covering 18,000 to 19,000 of its users’ accounts. Facebook has more than 1.1 billion users worldwide.
The majority of those requests are routine police inquiries, a person familiar with the company said, but under the terms of the deal with the justice department, Facebook is precluded from saying how many were secret orders issued under the Foreign Intelligence Surveillance Act. Until now, all information about requests under Fisa, including their existence, was deemed secret.
Microsoft said it had received requests of all types for information on about 31,000 consumer accounts in the second half of 2012. In a “transparency report” Microsoft published earlier this year without including national security matters, it said it had received criminal requests involving 24,565 accounts for the whole of 2012.
If half of those requests came in the second part of the year, the intelligence requests constitute the bulk of government inquiries. Microsoft did not dispute that conclusion.
Google said late on Friday it was negotiating with the government and that the sticking point was whether it could only publish a combined figure for all requests. It said that would be “a step back for users”, because it already breaks out criminal requests and national security letters, another type of intelligence inquiry.
The disclosures about Prism, and related revelations about broad-based collection of telephone records, have triggered widespread concern and congressional hearings about the scope and extent of the information-gathering.
“We hope this helps put into perspective the numbers involved and lays to rest some of the hyperbolic and false assertions in some recent press accounts about the frequency and scope of the data requests that we receive,” Facebook wrote on its site.
Facebook said it would continue to press to divulge more information. The person familiar with the company said that it at least partially complied with US legal requests 79% of the time, and that it usually turned over just the user’s email address and internet protocol address and name, rather than the content of the person’s postings or messages.
It is believed that Fisa requests typically seek much more information. But it remains unclear how broad the Fisa orders might be.
Among the other remaining questions are the nature of court-approved “minimisation” procedures designed to limit use of information about US residents. The NSA is prohibited from specifically targeting them.
“If they are receiving large amounts of data that they are not actually authorised to look at, the question then becomes what are the procedures by which they determine what they can look at?” said Kevin Bankston, a lawyer at the Centre for Democracy & Technology. “Do they simply store that forever in case later they are authorised to look at it?”
In addition, some legal experts say recent US laws allow for intelligence-gathering simply for the pursuit of foreign policy objectives, not just in hunting terrorists and spies.