Oct 11 2017

Krebs on Security 2017-10-11 10:18:40

Microsoft on Tuesday released software updates to fix at least 62 security vulnerabilities in Windows, Office and other software. Two of those flaws were detailed publicly before yesterday’s patches were released, and one of them is already being exploited in active attacks, so attackers already have a head start.

brokenwindowsRoughly half of the flaws Microsoft addressed this week are in the code that makes up various versions of Windows, and 28 of them were labeled “critical” — meaning malware or malicious attackers could use the weaknesses to break into Windows computers remotely with no help from users.

One of the publicly disclosed Windows flaws (CVE-2017-8703) fixed in this batch is a problem with a feature only present in Windows 10 known as the Windows Subsystem for Linux, which allows Windows 10 users to run unmodified Linux binary files. Researchers at CheckPoint recently released some interesting research worth reading about how attackers might soon use this capability to bypass antivirus and other security solutions on Windows.

The bug quashed this week that’s being actively exploited resides in Microsoft Office (CVE-2017-11826), and Redmond says attackers could seize control over a vulnerable system just by convincing someone to open a booby-trapped Word file. Another Office vulnerability, (CVE-2017-11776), involves a flaw in Outlook’s ability to encrypt messages; SEC-Consult has more details on this bug.

Another critical flaw (CVE-2017-11779) addresses a scary vulnerability in the domain name system (DNS) component of Windows 8 and Windows Server 2012. According to research from Bishop Fox, the security firm credited with finding and reporting the bug, this flaw could be exploited quite easily to gain complete control over vulnerable systems if the attacker controls or compromises a local network (think Wi-Fi hotspot).

Normally, Adobe uses Microsoft’s Patch Tuesday (the second Tuesday of each month) to release its own fixes for Flash Player, Reader and other products. However, this time around the company has no security updates available. Adobe did release a new version of Flash that includes bug fixes (v. 27.0.0.159), but generally speaking only even-numbered Flash releases include security fixes.

For additional commentary on October’s bundle of updates from Microsoft, see these blogs from security vendors Ivanti and Qualys. For those looking for a straight-up list of which patches deserve priority, check out the always useful roundup from the SANS Internet Storm Center.

Sep 21 2017

If Bill Gates really thinks ctrl-alt-del was a mistake, he should have fixed it himself

An IBM keyboard signed by ctrl-alt-del inventor, David Bradley (credit: Ross Grady)

Once again, Bill Gates has bemoaned the creation of the ctrl-alt-del shortcut. Talking at Bloomberg Global Business Forum, Gates reiterates that he wishes IBM had created a dedicated button for the feature. We're republishing this piece from 2013, because we still think that Gates' telling of the story is a little misleading; for IBM it was a feature, not a flaw, that ctrl-alt-del requires two hands, and if Microsoft really wanted a single button ctrl-alt-del for Windows NT, it was Microsoft, not IBM, with the market dominance to achieve that.

Speaking at Harvard earlier this month, Bill Gates was asked why you have to press ctrl-alt-del before you can enter your password and log in to Windows. After explaining the security rationale, Gates then said that it was a "mistake," and that it was due to IBM refusing to add a single button to take the place of the three finger salute.

It's a nice story, but it doesn't really add up.

Read 28 remaining paragraphs | Comments

Sep 20 2017

Microsoft: Windows getting more stable, faster, and lasting longer on battery

Enlarge / With Windows breaking less often, scenes like this should become a thing of the past. (credit: Lee Adlaf)

Windows 10 is getting better and better, Microsoft insists, as it works to build confidence in the operating system in the run up to the next major update. The company says that the Creators Update (version 1703) has seen a 39 percent drop in driver and operating system stability issues relative to the Anniversary Update (version 1607).

Performance is better too; according to Microsoft's telemetry, boot time is 13 percent faster, logging in 18 percent faster, and facial recognition 30 percent faster. There are incremental improvements in battery life, too, from 2.5 to 5 percent longer life watching videos in the Movies & TV app, and a 17 percent improvement in the Edge browser.

The subtext to these numbers is that Microsoft is still working to convince customers, especially corporate customers, that the new Windows development model is working, and that the company is hearing the feedback. The Anniversary Update was rapidly deployed, and it hit a number of issues soon after launch, causing problems for both consumers and enterprise users alike.

Read 3 remaining paragraphs | Comments

Jul 26 2017

Microsoft expands bug bounty program to cover any Windows flaw

Some bugs aren't worth very much cash. (credit: Daniel Novta)

Microsoft today announced a new bug bounty scheme that would see anyone finding a security flaw in Windows eligible for a payout of up to $15,000.

The company has been running bug bounty schemes, wherein security researchers are financially rewarded for discovering and reporting exploitable flaws, since 2013. Back then, it was paying up to $11,000 for bugs in Internet Explorer 11. In the years since then, Microsoft's bounty schemes have expanded with specific programs offering rewards for those finding flaws in the Hyper-V hypervisor, Windows' wide range of exploit mitigation systems such as DEP and ASLR, and the Edge browser.

Many of these bounty programs were time limited, covering software during its beta/development period but ending once it was released. This structure is an attempt to attract greater scrutiny before exploits are distributed to regular end-users. Last month, the Edge bounty program was made an on-going, continuous scheme no longer tied to any particular timeframe.

Read 2 remaining paragraphs | Comments