Microsoft aims to stop drive-by downloads on Patch Tuesday

and third-party security experts warned that users could be subjected to drive-by downloads because of flaws in Windows and Internet Explorer that received fixes on Patch Tuesday this week.

Hackers are likely to use social engineering tricks to lure users to infected Web sites and media files, they warned. The vulnerabilities are among 10 security updates that patch a record-tying 34 vulnerabilities in Windows, Internet Explorer, Office and SharePoint.

One bug in particular – a Windows kernel TrueType font parsing vulnerability – was rated as the most serious Patch Tuesday fix by Joshua Talbot, security intelligence manager for Symantec.

“Exploiting this – likely through a drive-by download attack – would give an attacker near system-level privileges. It’s doubtful that attackers would compromise a legitimate site to exploit this vulnerability, so users should be extra cautious of social engineering tricks coaxing them to visit unfamiliar Web pages, which could contain a malicious font.”

The TrueType vulnerability was contained in Security Bulletin MS10-032, one of the ten issued by Microsoft Tuesday.

However, Microsoft rated three other bulletins as being even more important than this one, with two of them involving potential drive-by downloads, which occur when users authorize a download without understanding the consequences, or which simply occur without the user’s knowledge.

MS10-033, a critical bulletin, “is a remote code execution vulnerability in both Quartz.dll and Asycfilt.dll and is rated Critical on all supported versions of Windows. Specially crafted media files could trigger the vulnerability when a user visits a web page or opens a malicious file,” Microsoft said.

With this vulnerability, hackers may use media files to lure users into downloading malicious code.

“This could result in a drive-by download where the user visits a specially crafted Web site, and in this case it would be like a media file that could start streaming or the user could open a specially crafted media file that got sent to them via e-mail or some method like that,” Microsoft security official Jerry Bryant said in a video accompanying the announcement.

These bugs are on par with some of the most critical ones observed on Patch Tuesday, says Andrew Storms, director of security operations at the security vendor nCircle.

Rather than making businesses vulnerable on the server side, this month’s most serious bugs mainly target end users, he said.

“What looks to be a normal movie file that you click on and watch could have embedded malware inside and take control of your system,” Storms said.

Similarly, the new bulletin MS10-035 involves flaws in Internet Explorer which could also result in drive-by downloads.

A third critical bulletin, MS10-034, involves ActiveX Kill Bits and affects Windows 2000, XP, Vista and Windows 7.

Kill Bits ensure that vulnerable ActiveX controls can no longer be exploited through Internet Explorer.

Typically, Kill Bits are issued for third-party software, rather than for software created by Microsoft, according to Storms. What is unusual about MS10-034 is that two out of the six Kill Bits being issued are for Microsoft ActiveX controls.

“What that means is Microsoft has found one of their ActiveX controls to be vulnerable as well,” Storms said. “Today they found two. That’s unusual. We haven’t seen that from Microsoft since last summer.”
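A kill bit is just a flag in the registry: Internet Explorer reads the “Compatibility Flags” value under the ActiveX Compatibility key for a control’s CLSID, and bit 0x400 tells it never to load that control. The following PowerShell audit script is an added example, not part of the original article or of any Microsoft bulletin; it checks whether a given CLSID is kill-bitted in both the native and the Wow6432Node registry views and lists every control that currently carries the kill bit, so an administrator can confirm an update such as MS10-034 actually applied. The CLSID at the bottom is a constructed placeholder.

```powershell
# Added example (not from the article): audit ActiveX kill bits after a patch.
# IE consults "Compatibility Flags" under the ActiveX Compatibility key;
# bit 0x400 is the kill bit that blocks the control from loading in IE.
$KillBit = 0x400
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit view on 64-bit Windows; 32-bit IE reads this one
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $CompatKeys) {
        $path = Join-Path $base $Clsid
        $flags = $null
        if (Test-Path $path) {
            $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        # Report one row per registry view so a kill bit missing from
        # either view (a common partial-patch state) is visible.
        [pscustomobject]@{
            Clsid      = $Clsid
            Hive       = $base
            Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { $null }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

# Enumerate every CLSID that currently has the kill bit set in either view.
function Get-KillBittedControls {
    foreach ($base in $CompatKeys) {
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem $base | ForEach-Object {
            $flags = (Get-ItemProperty $_.PSPath -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($flags -and (($flags -band $KillBit) -ne 0)) {
                [pscustomobject]@{ Clsid = $_.PSChildName; Hive = $base }
            }
        }
    }
}

# Constructed placeholder CLSID; substitute the CLSIDs listed in the bulletin you are verifying.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
Get-KillBittedControls | Format-Table -AutoSize
```

Run it in an elevated session on a patched machine and compare the CLSIDs reported by Get-KillBittedControls with those listed in the bulletin.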

Overall, this was a record-setting month for Patch Tuesday.

“This is the largest Microsoft patch release of 2010 and ties the record for the most vulnerabilities ever addressed in a single month, a record set in October of last year,” Talbot of Symantec said. “This month’s release also features the largest ever single bulletin, with 14 vulnerabilities in Excel being addressed together.”

Microsoft offers Windows 7, Office 2010 via download stores

Microsoft has for the first time allowed selected partners to sell its flagship software products as downloads. The move sees Microsoft selling Windows 7, Microsoft Office 2010 and other flagship titles via ESD (Electronic Software Delivery) at online stores including the PC Advisor Software Shop.

ESD is the practice of delivering software without the use of physical media, typically by downloading via the internet. Digital distribution bypasses conventional physical distribution media, such as paper or DVDs, reducing costs and waste. As broadband connections have become more widespread software downloads have become an increasingly popular method of purchasing programs.
Traditionally Microsoft has sold the majority of its operating system software via OEM (original equipment manufacturer) deals. Manufacturers would buy Windows licences from Microsoft and pass the cost of the OS on to customers when they buy desktop PCs and laptops. Similarly, Office licences have typically been sold in large chunks to enterprises.

As digital media has become more capacious, Microsoft has targeted consumers with software DVDs sold from high street stores, with download purchases available only direct from Microsoft. The decision to allow selected third-party vendors to sell downloads is therefore a significant move by Microsoft.

PC Advisor has available for download a range of Microsoft products including upgrades and full versions of all flavours of Windows 7 and Microsoft Office 2010. This is the first time that Microsoft has allowed third parties to sell downloads of its products in the UK, and follows a matter of weeks after the company first trialled ESD in France and Germany.

Windows 8 Wish List of Features and Functions

Use Roles in Windows 8

When installing Windows Server, the base operating system is installed first and then an administrator can select the “role” the server will play. For example, an admin can choose the Web role, which installs features such as the Internet Information Services (IIS) Web server, or the Hyper-V role, which installs Microsoft’s hypervisor. Multiple roles can be installed on a server.

The client OS should have roles too, writes Cherry, because they make “installation fast and easy and reduce the OS surface area, which can reduce security threats and maintenance such as patching.”

Implementing roles into the client OS should be easy given its high-degree of componentization, writes Cherry, adding that possible client OS roles could be e-mail and Web browsing, student, business desktop, business mobile and gamer.

“An interesting side effect of adding roles might be faster start-up times,” writes Cherry. “If a person had a small netbook, and only installed the e-mail and Web browsing role, the OS might be able to start faster, because it only has to load the components for that role, and it doesn’t have to install other components for features that are not needed.”

Integrate Windows Phone 7 UI

The user interface for Windows Phone 7, internally called “Metro,” incorporates capacitive touch screens and a new feature called “Tiles” that work as visual shortcuts for an application or its content. Users can pin any Tile they want to the phone’s Start page.

Incorporating the “Metro” Shell into Windows 8 would be extra work for IT (organizations don’t want to retrain users for UI changes), but would help tie future versions of Windows Phone 7 and Windows together, writes Cherry. Users could then choose between the Windows Phone 7 “Metro” interface and the classic Windows 8 desktop interface.

The Metro shell would also “begin the process of making the Windows client more viable as a tablet with a UI that can better handle touch rather than relying on a mouse or a stylus for navigation,” writes Cherry.

Meaningful Error Messages

Windows error messages are often cryptic, showing hexadecimal error code such as 0xe0000100. In Windows 8, Cherry calls for error messages that make sense to the common user.

“You end up having to put code in a search engine to find out what the problem is,” says Cherry.

“If you can’t explain in an error message what went wrong and clearly indicate what to do about it, then you shouldn’t have an error message.”

More Powerful Power Management

Faster start-up times for Windows are on nearly everyone’s wish list, and Windows 8 is no exception. It also “needs to sleep, hibernate and wake up quickly and reliably,” writes Cherry.

Cherry defines “start-up time” as the time between turning on the power to a machine that was stopped until you actually start performing useful work.

“On my Dell Precision T3400 with Windows 7 64-bit, after pushing the power button it is eight seconds until the BIOS has started and Windows 7 begins to load,” writes Cherry.

“At approximately the 15-second mark the ‘Starting Windows’ message and animation starts. At the 54-second mark, the Windows logon appears, and after logging on there is a 41-second period where all I can really do is watch the ‘donut’ cursor. After one minute and 50 seconds Outlook can be started, and mail can be sent and received with an Exchange server at the two minute 23 second mark. It takes 2.5 minutes to start Windows 7.”
Cherry calls for more speed and accuses Microsoft of trying to convince users that continually “hibernating” their system is the answer to faster start-up. This is an illusion, he writes, and warns that “hibernate” has its own set of problems such as occasionally preventing network cards from resuming correctly.