Microsoft patches dangerous Windows flaw

As expected, Microsoft on Monday issued an out-of-band patch for a dangerous flaw affecting all supported versions of Windows, and recommended that customers patch their computers immediately.

The USB rootkit hole is a vulnerability in Windows Shell, allowing attackers to infect systems through hidden files on USB drives or shared network files.

“An attacker who successfully exploited this vulnerability could gain the same user rights as the local user,” Microsoft said in its patch notice. “The security update addresses the vulnerability by correcting validation of shortcut icon references.”

Most customers have automatic updating enabled and thus will receive the update without taking any manual action.

“For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service,” the company said.

The patch can be applied to 14 versions of Windows, including various versions of Windows 7, Vista, XP and Windows Server. Microsoft did not promise that the patch would work with older releases and took the opportunity to remind customers that they should “migrate to supported releases to prevent potential exposure to vulnerabilities.”

The vulnerability surfaced a couple of weeks ago, shortly after the most recent Patch Tuesday. Microsoft at first offered only a workaround that was deemed “highly impractical” by one security researcher, but felt the vulnerability was critical enough to issue a patch before its next regularly scheduled Patch Tuesday, which occurs next week.

The vulnerability has already been exploited in the wild, with “an uptick in infections in the past few days,” says Jason Miller, data and security team leader at Shavlik Technologies.

“If you have applied the workarounds suggested by Microsoft, you should remove them as soon as your systems are patched,” Miller says. “The most surprising aspect of this release is how close we are to the regularly scheduled Patch Tuesday. With a release this close to Patch Tuesday, it is safe to assume you should patch this security bulletin immediately.”

VMware aims to displace Windows with cloud-based desktop apps

VMware is developing a new hosted service with the code name “Project Horizon” that will allow delivery of cloud-based desktop applications to any sort of user device, and perhaps further its goal of diminishing the importance of Microsoft’s Windows operating system.

The subscription service, previewed at VMworld this week, will help deliver the right applications and data to users, whether they have an iPad, Android phone, Windows machine or a Mac, according to VMware. Partners will be involved in Project Horizon, presumably to deliver the end-user applications.

Details on Project Horizon are scarce, but the key seems to be a security model that extends on-premise directory services to public cloud networks, giving each user a “cloud identity,” as VMware puts it.

Project Horizon may also play a role in VMware’s long-term project to diminish the importance of the operating system, particularly the Windows operating system sold by Microsoft, its greatest rival. (See also: VMware says Windows still matters … sort of)

Project Horizon — to be available as a hosted, subscription service sometime in 2011 — will create a “permissions and control structure that worries less about the operating system” than current technologies do, says Noah Wasmer, a director of product management for VMware.

“The role of the operating system is getting diminished every day on the server side,” and a similar shift is beginning to happen on the desktop, claims Vittorio Viarengo, vice president of desktop marketing for VMware. For users, “Windows is becoming the offline mode” as they increasingly use applications hosted entirely over the Web, he says.

Microsoft, of course, presents a different argument. Virtualization, particularly on the server side, is just a feature of the operating system, rather than a replacement of the OS, in Microsoft’s view. Even on the PC, Microsoft provides virtual desktop technology within the Windows desktop operating system.

To state the obvious, operating systems and virtualization technologies have co-existed for decades, for example on IBM’s mainframe, and will continue to do so for the foreseeable future.

But VMware’s attempt to move from being a company that simply virtualizes operating systems to one that provides the broader operating frameworks for data centers and desktops is interesting, nonetheless.

Horizon “securely extends enterprise identities into the cloud and provides new methods for provisioning and managing applications and data based on the user, not the device or underlying operating system,” VMware says.

Project Horizon aims to provide access to various types of applications including software-as-a-service, legacy applications and mobile apps. One example mentioned by Wasmer is a calendar and contacts application. But VMware is trying to build up interest in the project without getting too specific about it. Wasmer mentioned the phrase “cloud-based desktop,” but whether Project Horizon will be robust enough to replace existing desktops remains to be seen.

“We’ll deliver whatever applications users need to be productive, on whatever operating system they happen to be using,” Wasmer says.

A more immediate example of VMware’s attempts to displace the operating system, at least the server operating system, is “vCloud Director,” a private cloud building tool that was formerly known as Project Redwood. VMware has announced that vCloud Director will become available Sept. 1, and will essentially extend the resource pooling capabilities in the vendor’s vSphere virtualization platform.

VMware says this allows IT to create “logical pools of compute, networking and storage resources with defined management policies, SLAs and pricing,” and offer computing services to users in a fully automated self-service system.

VCloud Director takes the basic unit of consumption — the virtual machine — and turns it into a “virtual data center,” while giving users a catalog of services that can be deployed within a virtual data center, says Bogomil Balkansky, VMware’s vice president of product marketing.

VCloud Director will be available in packs of 25 virtual machines for prices starting at $3,750.