Windows 7 enters its final year of free support

Up to three years of paid support will be available after the cut-off.

Licensing and support lifecycles are not really the easiest topics to illustrate.

Enlarge / Licensing and support lifecycles are not really the easiest topics to illustrate. (credit: Peter Bright)

Windows 7's five years of extended support will expire on January 14, 2020—exactly one year from today. After this date, security fixes will no longer be freely available for the operating system that's still widely used.

As always, the end of free support does not mean the end of support entirely. Microsoft has long offered paid support options for its operating systems beyond their normal lifetime, and Windows 7 is no different. What is different is the way that paid support will be offered. For previous versions of Windows, companies had to enter into a support contract of some kind to continue to receive patches. For Windows 7, however, the extra patches will simply be an optional extra that can be added to an existing volume license subscription—no separate support contract needed—on a per-device basis.

These Extended Security Updates (ESU) will be available for three years after the 2020 cut-off, with prices escalating each year.

Read 3 remaining paragraphs | Comments

New Windows 10 build silences Cortana, brings passwordless accounts

Though as ever, Home users are special.

New Windows 10 build silences Cortana, brings passwordless accounts

The latest Insider build of Windows 10, 18309, expands the use of a thing that Microsoft has recently introduced: passwordless Microsoft accounts. It's now possible to create a Microsoft account that uses a one-time code delivered over SMS as its primary authenticator, rather than a conventional password.

In the new Windows 10 build, these passwordless accounts can be used for logging into a machine locally. The initial sign-in will use SMS, and it will then prompt you to configure biometric or PIN authentication. Your face, fingerprint, or PIN will be used subsequently. This capability is in all the editions, from Home up to Enterprise. A few previous builds had constrained it to Home only.

While SMS-based authentication has security issues of its own, Microsoft seems to feel that it's a better bet for most home users than a likely insecure password. Removing the Windows login password is part of the company's broader efforts to switch to using a mix of one-time passwords, biometrics, and cryptographic keys.

Read 3 remaining paragraphs | Comments

Windows 10 October 2018 Update is back, this time without deleting your data

Microsoft is opening up about some of its testing procedures, too.

This message, shown during Windows upgrades, is going to be salt in the wound.

Enlarge / This message, shown during Windows upgrades, is going to be salt in the wound.

Just over a month since its initial release, Microsoft is making the Windows 10 October 2018 Update widely available today. The update was withdrawn shortly after its initial release due to the discovery of a bug causing data loss.

New Windows 10 feature updates use a staggered, ramping rollout, and this (re)release is no different. Initially, it'll be offered only to two groups of people: those who manually tell their system to check for updates (and that have no known blocking issues due to, for example, incompatible anti-virus software), and those who use the media-creation tool to download the installer. If all goes well, Microsoft will offer the update to an ever-wider range of Windows 10 users over the coming weeks.

For the sake of support windows, Microsoft is treating last month's release as if it never happened; this release will receive 30 months of support and updates, with the clock starting today. The same is true for related products; Windows Server 2019 and Windows Server, version 1809, are both effectively released today.

Read 8 remaining paragraphs | Comments

Another Windows 0-day flaw has been published on Twitter

And on GitHub there’s a proof-of-concept that’ll render your system unbootable.

SandboxEscaper, a researcher who back in August tweeted out a Windows privilege escalation bug, has published another unpatched Windows flaw on Twitter.

The new bug has some similarities to the previous bug. Windows services usually run with elevated privileges. Sometimes they perform actions on behalf of a user, and to do this they use a feature called impersonation. These services act as if they were using a particular user's set of privileges. After they've finished that action, they revert to their normal, privileged identity.

Both this bug and SandboxEscaper's previous bug depend on improper use of impersonation—specifically, the services in question (last time it was Task Scheduler, this time it's the "Data Sharing Service") revert their impersonation too quickly and end up performing some actions with elevated privileges when they should in fact have been impersonated. The last bug allowed one file to be written over another. In this case, it's a call to delete a file that is improperly impersonated, ultimately giving regular unprivileged user the ability to delete any file on the system, even those that they should have no access to.

Read 3 remaining paragraphs | Comments