Microsoft Issues New Windows Security Advisories

Microsoft issued even more details about Windows security concerns, even after releasing its August security update on Tuesday.

Late yesterday, Microsoft announced two security advisories. One is new, while the other updates a previously issued advisory. Meanwhile, IT pros are already trying to cope with this month’s massive security update.

The updated advisory simply states that Microsoft has concluded its investigation into a security advisory issued in February. That problem concerns the Transport Layer Security and Secure Sockets Layer (TLS/SSL) protocols in general, and the Windows Secure Channel security package in particular.

The issue was addressed with critical security bulletin MS10-049 in Microsoft’s August patch. It’s designed to address the flaw in Windows Server 2008, Windows 7 and 12 other supported versions of the Windows OS, including XP and Vista.

Left unpatched, the Windows Secure Channel vulnerability could allow attackers to perform “man-in-the-middle” attacks against TLS/SSL connections. The problem is of general concern, and Microsoft’s issuance of a fix suggests that broad industry engagement occurred, according to Jason Miller, data and security team manager at Shavlik Technologies.

“In recent months, we have heard of Microsoft working with other vendors such as Adobe to address vulnerabilities as a whole and not as a one-company issue,” Miller said. “The release of MS10-049 shows that Microsoft is again working with the industry with vulnerability management.”

Miller added that the fix from Microsoft had long been in the works. The TLS/SSL vulnerability was “not just Microsoft’s problem” as it affected the “IT industry as a whole,” he said.

Windows Service Isolation Flaw
Next up, Microsoft issued a new security advisory on Tuesday concerning a Windows Service Isolation feature that could enable elevation-of-privilege exploits. The operating systems involved include Windows XP, Windows Vista and Windows 7, as well as Windows Server 2003 and Windows Server 2008.

Microsoft said that an attacker could use this feature to elevate processes running under the “NetworkService account” to the “LocalSystem account” on a server. That could give the attacker the ability to take control of the system.

At-risk Microsoft products include the Windows telephony application programming interfaces, SQL Server and Internet Information Services (IIS) in Windows Server 2003 and Windows Server 2008.

Because there is no known vulnerability and only a “potential” likelihood of such attacks at this time, Microsoft did not specify whether the issue would warrant further actions, such as the issuance of workarounds or patches. However, in a Knowledge Base article, the software giant describes various access control tools in both IIS and SQL Server that can restrict access to the NetworkService account.
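The advisory’s exposure is whatever already runs under NetworkService on a server, so a practical first step is an inventory. The following PowerShell audit is an added example, not code from Microsoft’s advisory or the Knowledge Base article; it assumes the IIS WebAdministration module is installed for the application-pool part and skips that part otherwise.

```powershell
# Added audit script (not from Microsoft's advisory or the KB article).
# Lists Windows services and IIS application pools running under the
# NetworkService account, the identity the advisory says could be elevated
# to LocalSystem. Services named in the advisory (SQL Server, telephony)
# are flagged so they can be reviewed first.

$netSvc = 'NT AUTHORITY\NetworkService'

# Services whose logon account is NetworkService. Get-WmiObject is used
# because the affected systems (Server 2003/2008) ship PowerShell 2.0.
$services = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartName -eq $netSvc } |
    ForEach-Object {
        [pscustomobject]@{
            Kind  = 'Service'
            Name  = $_.Name
            State = $_.State
            Flag  = if ($_.Name -match '^(MSSQL|SQLAgent|TapiSrv)') { 'named in advisory' } else { '' }
        }
    }

# IIS application pools whose process identity is NetworkService.
# The WebAdministration module is assumed; the section is skipped without it.
$pools = @()
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $pools = Get-ChildItem IIS:\AppPools |
        Where-Object { $_.processModel.identityType -eq 'NetworkService' } |
        ForEach-Object {
            [pscustomobject]@{
                Kind  = 'AppPool'
                Name  = $_.Name
                State = $_.state
                Flag  = 'consider a dedicated pool identity'
            }
        }
}

# One table of everything that shares the NetworkService identity on this host.
@($services) + @($pools) | Sort-Object Kind, Name | Format-Table -AutoSize
```

Run it elevated on each IIS or SQL Server host; the output is the list of components that would need separate identities or the KB article’s access controls applied.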

No Security Advisory for Clipboard Issue
On Wednesday, Microsoft provided an updated statement on the zero-day Windows kernel-level clipboard vulnerability uncovered last week by independent security researchers. The software giant said it will not release a security advisory for the heap overflow problem affecting all supported Windows versions.

For this issue to be exploited, it has to be an inside job, according to the rationale of the Microsoft security team. Redmond said “an attacker must have valid log-on credentials on the target system and be able to log on locally, or must already have code running on the target system.”

This assessment rules out the prospect that an urgent out-of-band patch will arrive soon. However, Microsoft promised that the issue would be fixed in a future security update. Microsoft Security Response Center spokesperson Jerry Bryant wrote that Microsoft “will continue monitoring the threat landscape and alert customers if anything changes.”

Microsoft Extends UTD Discount for Windows and Office

Microsoft has extended its “up-to-date” (UTD) discount upgrade offer for Windows and Office licensees through next month.

The extension of the UTD upgrade offer “through September 30, 2010” was announced on Tuesday by Eric Ligman, global partner experience lead for the Microsoft Worldwide Partner Group. He provided a description of how the UTD offer works in a blog post back in January. At that time, Microsoft had said that the offer would expire in July.

The terms of the deal only apply under Microsoft’s “open value subscription” (OVS) three-year licensing program. Users can upgrade their copies of the Professional editions of Windows or Office to the current Professional editions, and Microsoft grants a half-off discount for the first year of the OVS subscription only. The cost reverts back to the nondiscounted price in years two and three of the OVS subscription.

This nondiscounted price is called the “estimated retail price” by Microsoft. In this case, according to Microsoft’s volume-licensing lingo, “retail” doesn’t mean the box price as found in retail stores. It’s the price set by Microsoft’s partners, who buy Open Value Subscription licenses from Microsoft. Consequently, the estimated retail price can vary, depending on the partner offering it, but it’s typically lower than store box prices.

The UTD discount plan permits upgrades to current Windows and Office Professional editions from releases that are two generations removed. Microsoft uses the expression “N-2” as shorthand for this concept. The N-2 release for the current Windows 7 product is Windows XP. The N-2 release for the current Office 2010 product is Office 2003.

The older software being upgraded can be based on OEM, retail or volume licenses, but only the Professional editions qualify. In addition, if IT shops have some current releases mixed in, they will have to pay again for those licenses under the OVS program. To qualify under OVS licensing, organizations need to have more than five PCs but fewer than 250 PCs.

OVS is unlike other open-value licenses in that it does not require the purchase of Software Assurance (SA), according to Paul DeGroot, research vice president at Directions on Microsoft. SA is a licensing option that lets organizations upgrade to the next version of a product within the SA contract’s time period. OVS costs less “because you never pay for the licenses,” DeGroot said in an e-mail. However, after the three-year subscription period is over, organizations will either have to buy the licenses, renew the OVS or just stop using the software.

OVS allows “true downs” in calculating annual licensing costs. So, licensing costs can go down as the number of PCs running the software declines in an organization. This kind of licensing might prove to be valuable for small companies that downsize the workforce, for instance.