Windows 10 support extended again: September releases now get 30 months

And Microsoft is offering enterprises dedicated app compatibility support.

Article intro image

Enlarge / Licensing is not really the easiest topic to illustrate. (credit: Peter Bright)

In its continued efforts to encourage corporate customers to make the switch to Windows 10, Microsoft is shaking up its support and life cycle plans again. Support for some Windows 10 releases is being extended, and the company is offering new services to help detect and address compatibility issues should they arise.

The new policy builds on and extends the commitments made in February this year. Microsoft has settled on two annual feature updates (the "Semi-Annual Channel," SAC) to Windows 10, one finalized in March (and delivered in April) and the other finalized in September (and delivered in October). Initially, the company promised 18 months of support for each feature update, a policy that would allow customers to defer deployment of feature updates or even skip some updates entirely. Going forward, the September releases are going to see even longer support periods; for Windows 10 Enterprise and Windows 10 Education, each September release will receive 30 months of servicing. In principle, an organization that stuck to the September releases could go two years between feature updates.

Customers of Windows 10 Home, Pro, and Pro for Workstations will continue to receive only 18 months of updates for both March and September releases.

Read 9 remaining paragraphs | Comments

Microsoft obliquely acknowledges Windows 0-day bug published on Twitter

Here is the alpc bug as 0day: https://t.co/m1T3wDSvPX I don’t fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.
— SandboxEscaper (@SandboxEscaper) August 27, 2018

A privilege escalat…

A privilege escalation flaw in Windows 10 was disclosed earlier this week on Twitter. The flaw allows anyone with the ability to run code on a system to elevate their privileges to "SYSTEM" level, the level used by most parts of the operating system and the nearest thing that Windows has to an all-powerful superuser. This kind of privilege escalation flaw enables attackers to break out of sandboxes and unprivileged user accounts so they can more thoroughly compromise the operating system.

Microsoft has not exactly acknowledged the flaw exists; instead it offered a vague and generic statement: "Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule." So, if the flaw is acknowledged (and it's certainly real!) then the company will most likely fix it in a regular update released on the second Tuesday of each month.

The tweet links to a GitHub repository that contains a write-up of the issue and demonstration code to exploit the flaw. The bug lies in the Task Scheduler service: it includes an improperly secured API that allows an attacker to overwrite most files on the system with contents of their choosing. By overwriting a file that's subsequently loaded into a privileged SYSTEM-level process, the attacker can run code of their choosing with SYSTEM privileges. The proof of concept overwrites a file used by Windows' printing subsystem—Windows will then run the attacker's code when an attempt is made to print.

Read 1 remaining paragraphs | Comments

Windows 10 to get disposable sandboxes for dodgy apps

Enlarge (credit: F Delventhal)
Microsoft is building a new Windows 10 sandboxing feature that will let users run untrusted software in a virtualized environment that’s discarded when the program finishes running.
The new feature was revealed in a bu…

Enlarge (credit: F Delventhal)

Microsoft is building a new Windows 10 sandboxing feature that will let users run untrusted software in a virtualized environment that's discarded when the program finishes running.

The new feature was revealed in a bug-hunting quest for members of the Insider program and will carry the name "InPrivate Desktop." While the quest has now been removed, the instructions outlined the basic system requirements—a Windows 10 Enterprise system with virtualization enabled and adequate disk and memory—and briefly described how it would be used. There will be an InPrivate Desktop app in the store; running it will present a virtualized desktop environment that can be used to run questionable programs and will be destroyed when the window is closed.

While it would, of course, be possible to manually create a virtual machine to run software of dubious merit, InPrivate Desktop will streamline and automate that process, making it painless to run things in a safe environment. There's some level of integration with the host operating system—the clipboard can be used to transfer data, for example—but one assumes that user data is off limits, preventing data theft, ransomware, and similar nastiness.

Read 3 remaining paragraphs | Comments

Microsoft claims to make Chrome safer with new extension

Enlarge (credit: Chrome’s unsafe content warning.)
Chrome already provides effective protection against malicious sites: go somewhere with a poor reputation and you’ll get a big, scary red screen telling you that you’re about to do something unwise….

Enlarge (credit: Chrome's unsafe content warning.)

Chrome already provides effective protection against malicious sites: go somewhere with a poor reputation and you'll get a big, scary red screen telling you that you're about to do something unwise. But Microsoft believes it can do a better job than Google, and it has released a Chrome plugin, Windows Defender Browser Protection, that brings its own anti-phishing protection to Google's browser.

Microsoft justifies the new plugin with reference to a 2017 report that claims that the company's Edge browser blocked 99 percent of phishing attempts, compared to 87 percent by Chrome and 70 percent in Firefox. The plugin brings Edge's protection to Chrome, so if the theory holds, it should bump the browser up to 99 percent, too.

The new extension doesn't appear to disable Chrome's own checking (or at least, it doesn't seem to be doing so for me), so at the very least isn't likely to make you less safe, and with phishing being as widespread as it is, the extra protection probably doesn't hurt.

Read 1 remaining paragraphs | Comments