Windows 7 enters its final year of free support

Up to three years of paid support will be available after the cut-off.

Licensing and support lifecycles are not really the easiest topics to illustrate. (credit: Peter Bright)

Windows 7's five years of extended support will expire on January 14, 2020—exactly one year from today. After this date, security fixes will no longer be freely available for the operating system that's still widely used.

As always, the end of free support does not mean the end of support entirely. Microsoft has long offered paid support options for its operating systems beyond their normal lifetime, and Windows 7 is no different. What is different is the way that paid support will be offered. For previous versions of Windows, companies had to enter into a support contract of some kind to continue to receive patches. For Windows 7, however, the extra patches will simply be an optional extra that can be added to an existing volume license subscription—no separate support contract needed—on a per-device basis.

These Extended Security Updates (ESU) will be available for three years after the 2020 cut-off, with prices escalating each year.


Windows 10 to get disposable sandboxes for dodgy apps

(credit: F Delventhal)

Microsoft is building a new Windows 10 sandboxing feature that will let users run untrusted software in a virtualized environment that's discarded when the program finishes running.

The new feature was revealed in a bug-hunting quest for members of the Insider program and will carry the name "InPrivate Desktop." While the quest has now been removed, the instructions outlined the basic system requirements—a Windows 10 Enterprise system with virtualization enabled and adequate disk and memory—and briefly described how it would be used. There will be an InPrivate Desktop app in the store; running it will present a virtualized desktop environment that can be used to run questionable programs and will be destroyed when the window is closed.

While it would, of course, be possible to manually create a virtual machine to run software of dubious merit, InPrivate Desktop will streamline and automate that process, making it painless to run things in a safe environment. There's some level of integration with the host operating system—the clipboard can be used to transfer data, for example—but one assumes that user data is off limits, preventing data theft, ransomware, and similar nastiness.


Xen patches 7-year-old bug that shattered hypervisor security

Critical vulnerability allowed some guests to access underlying operating system.

(credit: ||read||)

For seven years, Xen virtualization software used by Amazon Web Services and other cloud computing providers has contained a vulnerability that allowed attackers to break out of their confined accounts and access extremely sensitive parts of the underlying operating system. The bug, which some researchers say is probably the worst ever to hit the open-source project, was finally made public Thursday along with a patch.

As a result of the bug, "malicious PV guest administrators can escalate privilege so as to control the whole system," Xen Project managers wrote in an advisory. The managers were referring to an approach known as paravirtualization, which allows multiple lower-privileged users to run highly isolated computing instances on the same piece of hardware. By allowing guests to break out of those confines, CVE-2015-7835, as the vulnerability is indexed, compromised a core tenet of virtualization.

"The above is a political way of stating the bug is a very critical one," researchers with Qubes OS, a desktop operating system that uses Xen to secure sensitive resources, wrote in an analysis published Thursday. "Probably the worst we have seen affecting the Xen hypervisor, ever. Sadly."

