Microsoft confirms zero-day bug in IE6, IE7 and IE8

Second time in two years it’s had to deal with late-December vulnerabilities

Microsoft on Saturday confirmed that Internet Explorer (IE) 6, 7 and 8 contain an unpatched bug — or “zero-day” vulnerability — that is being used by attackers to hijack victims’ Windows computers.

The company is “working around the clock” on a patch, its engineers said. They have also released a preliminary workaround that will protect affected IE customers until the update is ready.

In a security advisory issued Dec. 29, Microsoft acknowledged that attacks are taking place. “Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8,” the alert stated.

Newer versions of IE, including 2011’s IE9 and this year’s IE10, are not affected, Microsoft said. It urged those able to upgrade to do so.

According to multiple security firms, the vulnerability was used by hackers to exploit Windows PCs whose owners visited the website of the Council on Foreign Relations (CFR), a non-partisan foreign policy think tank with offices in New York and Washington, D.C.

On Friday, FireEye corroborated earlier reports that the CFR website had been compromised by attackers and was hosting exploit code as early as Dec. 21. As of mid-day Wednesday, Dec. 26, the site was still conducting “drive-by” attacks against people running IE8, said Darien Kindlund, senior staff scientist at FireEye, in a Friday blog.

Kindlund added that the malware hidden on the CFR website used Adobe Flash Player “to generate a heap spray attack” against IE8. Flash need not have a bug of its own to play that role: a heap spray only needs some way to fill large parts of the browser’s memory with attacker-chosen data so that a later memory-corruption bug lands on it. It wasn’t clear whether Flash also contained a zero-day bug, or whether the attackers leveraged an already-known and previously patched vulnerability that had not been fixed on the victims’ PCs.

On Saturday, Jaime Blasco, the labs manager at AlienVault, weighed in on the IE zero-day as well, noting that the exploit was able to circumvent Microsoft’s anti-exploit technologies, DEP (data execution prevention) and ASLR (address space layout randomization), and successfully compromise Windows XP and Windows 7 PCs running IE8. He identified the IE bug as a likely “use-after-free” vulnerability, a type of memory management flaw in which a program keeps using a block of memory after it has been freed, so that whatever the attacker has since placed in that memory is treated as the original object.
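The flaw class Blasco names is easier to see in code. The block below is an added example, not code from the article, from Microsoft or from the CFR exploit. It models a use-after-free with a tiny fixed-slot allocator (a hypothetical stand-in for the browser heap, chosen so that the freed slot is reused deterministically; on a real heap the spray is what makes that reuse likely). In `vulnerable_flow` a cached reference outlives the object, the attacker’s same-sized allocation lands in the hole and overwrites the function pointer, and the stale call runs the attacker’s handler. `hardened_flow` shows the usual fix, reference counting, so the object cannot be freed while anyone still holds it. All names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the article, from Microsoft or from the CFR
 * exploit. A tiny fixed-slot allocator (hypothetical) stands in for the
 * browser heap: it always hands out the lowest free slot, so a freed slot
 * is reused by the very next same-sized allocation. On a real heap that
 * reuse is what a heap spray makes likely. */
#define NUM_SLOTS 4

typedef void (*handler_fn)(void);

/* A DOM-element-like object. In C++ the first word would be the vtable
 * pointer; here it is a plain function pointer, the attacker's target
 * either way. */
struct node {
    handler_fn on_event;
    int refcount;
};

/* One slot: the attacker's raw bytes overlay the node layout exactly. */
union slot {
    struct node n;
    unsigned char raw[sizeof(struct node)];
};

static union slot pool[NUM_SLOTS];
static bool slot_used[NUM_SLOTS];

static union slot *pool_alloc(void) {
    for (int i = 0; i < NUM_SLOTS; i++)
        if (!slot_used[i]) { slot_used[i] = true; return &pool[i]; }
    return NULL;
}

static void pool_free(union slot *s) { slot_used[s - pool] = false; }

static int legit_calls, hijacked_calls;
static void legit_handler(void)    { legit_calls++; }
static void attacker_handler(void) { hijacked_calls++; } /* stand-in for the payload */

int legit_handler_calls(void) { return legit_calls; }

/* Vulnerable flow: the object is destroyed while a cached reference to it
 * survives. Returns 1 if the attacker's handler ran, 0 otherwise. */
int vulnerable_flow(void) {
    legit_calls = hijacked_calls = 0;

    union slot *s = pool_alloc();
    s->n.on_event = legit_handler;
    s->n.refcount = 1;
    struct node *cached = &s->n;      /* e.g. script code holding an element reference */

    pool_free(s);                     /* element removed from the document and freed */

    /* Attacker-controlled allocation of the same size: it lands exactly
     * where the node was, and its first bytes overwrite on_event. */
    union slot *spray = pool_alloc();
    handler_fn fake = attacker_handler;
    memcpy(spray->raw, &fake, sizeof fake);

    cached->on_event();               /* use after free: control flow is hijacked */

    pool_free(spray);
    return hijacked_calls;
}

static struct node *node_create(void) {
    union slot *s = pool_alloc();
    s->n.on_event = legit_handler;
    s->n.refcount = 1;                /* the document's own reference */
    return &s->n;
}
static void node_addref(struct node *n)  { n->refcount++; }
static void node_release(struct node *n) { if (--n->refcount == 0) pool_free((union slot *)n); }

/* Hardened flow: every holder takes a reference, so the memory cannot be
 * freed, and therefore cannot be reused, while the cached reference lives. */
int hardened_flow(void) {
    legit_calls = hijacked_calls = 0;

    struct node *n = node_create();
    struct node *cached = n;
    node_addref(cached);

    node_release(n);                  /* document lets go: refcount 2 -> 1, not freed */

    union slot *spray = pool_alloc(); /* attacker gets a different slot */
    handler_fn fake = attacker_handler;
    memcpy(spray->raw, &fake, sizeof fake);

    cached->on_event();               /* still the legitimate handler */

    pool_free(spray);
    node_release(cached);             /* last reference gone: slot freed now */
    return hijacked_calls;
}

int main(void) {
    printf("vulnerable: attacker handler ran %d time(s)\n", vulnerable_flow());
    printf("hardened:   attacker handler ran %d time(s)\n", hardened_flow());
    return 0;
}
```

The model deliberately leaves out the two defenses the article says the exploit bypassed: on a real system DEP would stop the sprayed bytes from executing directly, and ASLR would hide the addresses a payload needs to jump to, which is why a working exploit has to chain an information leak and return-oriented code onto the memory-reuse step shown here.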

AlienVault, said Blasco, had begun looking into the “watering hole” attacks stemming from the CFR website at the beginning of the week, and had alerted the Microsoft Security Response Center (MSRC) that it suspected IE harbored a zero-day vulnerability.

In a watering hole campaign, hackers identify their intended targets, even to the individual level, then scout out which websites they frequently visit. Attackers next compromise one or more of those sites, plant malware on them, and like a lion waits at a watering hole for unwary wildebeests, wait for unsuspecting users to surf there.

The CFR did not immediately reply to a request for comment on its site’s current status.

Other researchers claimed that attacks using the IE vulnerability started as early as Dec. 7, and alleged that Chinese hackers were responsible for the CFR website hack.

In an email to Computerworld and in a follow-up blog Saturday, Microsoft said it is working on a patch for IE6, IE7 and IE8. The company did not set a timetable for an update’s release, however.

Jonathan Ness and Cristian Craioveanu, engineers on Microsoft’s security team, provided some details on the IE flaw in a separate post to the Security Research & Defense blog. “We’re working around the clock on the full security update,” Ness and Craioveanu wrote.

They also announced the availability of a “shim” that can protect IE6, IE7 and IE8 users if they’re running the most up-to-date versions of those browsers.

Shim is a term used to describe an application compatibility workaround. Microsoft has applied shims in the past to help customers ward off active attacks against IE.

The shim will be used as the foundation for a soon-to-be-shipped “Fixit,” Microsoft’s name for the one-click workarounds it often publishes to automate processes, including security mitigations, that most users would feel uncomfortable doing on their own.

To apply the available shim, for instance, users must download the small files from the SRD blog, then run one or more commands in Windows’ Command Prompt.

This was the second year in a row that Microsoft has had to deal with an emergency update in the waning days of December.

In 2011, the company issued a Dec. 28 security advisory about a flaw in its ASP.NET web framework that hackers could use to cripple website servers with a denial-of-service attack. On Dec. 29, 2011, Microsoft released an “out-of-band,” or emergency, update.

Microsoft reminded customers that IE9 and IE10 do not contain the vulnerable code, and are safe to use. Windows XP users, however, cannot use either of those browsers, as Microsoft has limited IE9 to Vista and Windows 7, and IE10 to Windows 7 and Windows 8.


MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification,
Microsoft MCITP Training at certkingdom.com

Consumer Reports makes case for Windows 7 PCs

May be smarter to search for new PC with older OS rather than deal with Windows 8

Windows 7 may be the better choice as a PC operating system on new systems than the just-released Windows 8, Consumer Reports magazine said this week.

“Windows 7 generally received favorable reviews when it was released,” Consumer Reports’ Donna Tapellini said in a piece Tuesday on the consumer watchdog’s website. “[Three years] after its 2009 launch, there still haven’t been a lot of complaints. If you’ve been happy with Windows 7 and even Windows XP up until now, there’s no compelling reason to switch to Windows 8.”

Consumer Reports does not evaluate and rate operating systems, as it does, say, clothes washers, cars or even computers. Instead, it staked out its position this fall when it praised Windows 8 as great for tablets, but because of its split personality, not for everyone.

Tapellini argued that several factors make Windows 7 a better choice for some consumers even two months after it was superseded by Windows 8.

Since Microsoft devoted so much time and resources building touch and gesture support into Windows 8, it makes little sense to opt for the OS unless the new PC offers a touch-sensitive screen, Tapellini said.

Others have pointed out that while Windows 8 doesn’t demand touch, it’s a tough sell without it. Many consumers have already figured that out. Earlier this month, for instance, research firm NPD Group said its retail tracking showed touch-sensitive PCs selling best among Windows 8 machines, even though their prices were higher and they were in short supply.

Tapellini also pointed out that Consumer Reports’ testing had found that some Windows 8 systems performed poorly, something she attributed to driver issues.

Although Windows 7 PCs have largely disappeared from brick-and-mortar retail chains like Best Buy, they can still be found at many e-tailers and direct from some computer makers, Tapellini said.

Consumer Reports’ highest-ranking Windows notebook, the Windows 7-powered Samsung NP900X3C-A01US Ultrabook, for example, is still available through Amazon.com for $1,139. The Samsung’s rating of 82 (out of a possible 100), puts it above Apple’s highest-rated laptop, the 15-in MacBook Pro with a Retina screen and Consumer Reports’ top-rated Windows 8 portable, the Dell XPS 12 Convertible Touch Ultrabook. Dell’s hybrid — part tablet, part notebook — earned a 75; the MacBook Pro pulled 78.

Microsoft will allow OEMs (original equipment manufacturers) to sell Windows 7-equipped PCs until October 2014, two years after Windows 8’s launch, so there’s no immediate danger of the older operating system vanishing.

In fact, most enterprises will continue to migrate from the 11-year-old Windows XP, which will be retired in April 2014, to Windows 7 rather than bet on Windows 8, research firms have predicted.

Buyers who take Consumer Reports’ advice, in other words, will have plenty of company.


Windows RT users happy with the device, so far

Despite an unending stream of FUD being hurled at the Surface tablet, people who have bought it seem pretty enamored with their purchase, according to reviews piling up on BestBuy.com and Staples.

Microsoft launched the Surface tablet in its retail stores, all 65 of them, before expanding to Best Buy (1,900 stores total) and Staples (1,400 stores) earlier this month.

So far, sentiments for the device are fairly positive. On Best Buy’s website, the Windows RT tablet sports a 4.7 out of 5 rating, based on 28 customer reviews. Only one customer was unhappy with the device and rated it one out of five stars.

“No Outlook so not full MS Office, all other tablets have version of word, excel, and powerpoint, so very disappointing,” wrote customer gates77. He liked screen customization, but also noted “Battery life wasn’t to [sic] good and typecover isn’t as good as some logitech keyboards. Can’t load any of my windows 7 programs.”

The most popular feature about Surface RT seems to be Windows 8. “Windows 8 runs like a charm, the Windows Apps Store is growing by the day and I am able to use all my favorite apps such as iHeartRadio, NY Times, USA Today, Kayak, Netflix, Endgadget, eBay, ESPN…” wrote Cricketer from New York on Staples.com.

“The live tiles are a great innovation,” wrote Philipm785 of Atlanta. “They provide genuinely useful information without having to launch the apps and the multiple sizes and custom groupings that can be easily scrolled and zoomed are way easier to get around than the multiple screens of tiny uniform icons you get on iOS.”

The hardware is also receiving kudos. “It’s a perfect laptop replacement for those who don’t need lot of processing power. Don’t wait for the surface pro. The battery life is all day,” wrote desiboy of New York on BestBuy.com.

“I gave away my Android tablet after using this for a while,” wrote MZach of NC. “The keyboard and touchpad are unobtrusive but there when you need them and the keyboard has cursor keys!”

Even people giving 5-star reviews have complaints, including volume output, the “primitive” email app, the lack of apps and of x86 support, Flash support in IE10, and the price itself.

It’s encouraging to see, but I’m actually not totally surprised. Early adopters tend to be enthusiasts. As it moves beyond the early adopter stage and away from Microsoft enthusiasts into the mass market, that score will drop as more cons pile up. We’ll see what people say when the much more expensive x86 models arrive next year.

16 of the most useful cloud management tools

A growing set of services allow customers to more easily track their cloud usage

One of the biggest concerns users have with public cloud resources is not knowing how much they will cost, given the pay-as-you-go model.

“IT shops are becoming cost centers for service delivery,” says William Fellows, a researcher at the 451 Group. “But they’re looking for ways to determine how their clouds are running, how much it’s costing and whether it’s a good value.”

Vendors provide some services around tracking usage. Amazon Web Services, for example, last week announced more granular data, allowing users to track their services hour by hour.

But there is a growing ecosystem of cloud management tools. Some help companies manage, track and optimize their use of public or private cloud resources. Others help companies automate and deploy cloud resources. And others act as a platform for managing public cloud resources.

Below is a list of 16 cloud management tools, broken up by category: cost tracking, automation and provisioning, and cloud management platform. This is not intended to be an all-inclusive list, but rather an overview of some of the players.

Cost tracking

Cloudability: Provides cost and usage metrics, along with forecasts of how much of each resource users are consuming and which ones are under-utilized. The company’s application programming interface (API) allows users to import the metrics into other tools for storage and analysis. Cloudability works across multiple public cloud providers as well.

More information: Cloudability


Cloudyn: Israel-based Cloudyn provides tracking of cloud resources and recommendations on how to optimize cloud usage. It offers a free reserved instance calculator, which helps customers calculate the costs of reserving virtual machines in AWS’s public cloud, and a premium enterprise version that recommends which cloud resources to use and alerts on underutilized ones. The company claims that it helps customers avoid an average of 40% of their costs by optimizing their cloud usage. Cloudyn recently announced a partnership with Scalr to help customers automate the provisioning of cloud resources based on recommendations from Cloudyn’s analysis tools.

More information: Cloudyn


Cloud Cruiser: Venture-backed Cloud Cruiser provides cost tracking and optimization analysis across a variety of IT platforms, from on-premises systems to colocation to private and public clouds. The Cloud Cruiser system allows users to measure usage and allocate costs, creating a chargeback billing model within an IT organization. The company was founded in 2010 by Dave Zabrowski, a former HP enterprise division vice president and general manager.

More information: Cloud Cruiser


Newvem: Israeli startup Newvem has focused its efforts entirely on Amazon Web Services and providing cloud metrics and optimization recommendations. Newvem Analytics software collects data from customers’ use of AWS resources and provides metrics of usage patterns, as well as recommendations of more efficient resource allocation based on past use. Newvem recently launched a partnership with Datapipe, which is a provider of cloud and managed hosting services that also customizes cloud deployments for users, acting as a “gateway” to public cloud vendors, including Amazon Web Services.

More information: Newvem


Provisioning/automation
Chef: An open source systems integration framework that includes a library of configuration management tools. Developed by venture-backed Opscode, it integrates with existing applications, including various databases and LDAP directories, and allows discovery and provisioning of public or private resources. It has “cookbooks” containing “recipes” for launching OpenStack private cloud instances and AWS public cloud resources, for instance, and it also works across VMware and Rackspace environments, among others.

More information: Opscode Chef


enStratus: Based in Minneapolis, enStratus’s technology enables consumption of multiple types of cloud resources from a single platform. Key features include management of public or private cloud environments, security controls such as key management, automation of cloud resource provisioning, and spending caps for specific projects. It’s delivered either as an on-premises application or as a software-as-a-service hosted platform and works across most of the leading cloud providers, including: Amazon Web Services, AT&T Synaptic Storage, Bluelock, Cloudscaling OCS, Citrix CloudStack, CloudSigma, EMC Atmos, Eucalyptus, GoGrid, Google Storage, HP Cloud Services, Joyent Cloud, Nimbula, OpenStack, OpSource, Rackspace, ServerExpress, Tata InstaCompute, Terremark, VMware and Windows Azure.

More information: enStratus


Puppet Labs: Puppet Labs’ software is meant to help users automate repetitive tasks, such as deploying applications and managing infrastructure. Within the Puppet Enterprise software, users can discover resources, provision them, configure and manage operating systems and applications, and apply patches across public or private clouds. A trial version of the software allows users to manage up to 10 nodes for free.

More information: Puppet Labs


RightScale: Founded in 2006, RightScale is a platform for managing and deploying cloud resources across public and private environments, providing users tools to configure, monitor, automate deployments, and govern controls and access. It works across a variety of public and private platforms including Amazon Web Services, Rackspace, Software, Microsoft Azure, Datapipe and private cloud platforms including CloudStack, Eucalyptus and OpenStack.

More information: RightScale


GigaSpaces Technologies: GigaSpaces is a platform for automating application deployment to a variety of environments, including public and private clouds, as well as physical hardware. The company’s newest product is Cloudify, which it markets as a private platform as a service (PaaS) for deploying applications to public cloud environments without requiring changes to the code. It uses a relationship the company just inked with Chef to automate these tasks.

More information: GigaSpaces


Cloud management
BMC: Fresh off news of a partnership with Amazon Web Services that certifies BMC as a manager of AWS cloud resources, BMC can now pitch the enterprise market on managing various private cloud platforms and AWS’s public cloud from a single product.

More information: BMC


Capgemini: Another AWS Partner, Capgemini provides similar services to BMC, including consulting and tools for migrating applications or starting new workloads in AWS’s cloud.

More information: Capgemini


CA Technologies: CA Technologies’ cloud management tools, including CA AppLogic, allow users to deploy and scale existing applications across public and private cloud environments, with built-in monitoring and a graphical user interface (GUI), without changes to the application’s code. CA has recently extended its support to managing AWS workloads too.

More information: CA Technologies


Hewlett-Packard: HP has been making a lot of announcements recently about its Converged Cloud strategy, which it describes as a common platform across public and private clouds. Based on OpenStack code, the idea is to manage private clouds built on HP servers and be able to scale up into HP’s recently launched public cloud, all from the same platform. The company has emphasized its support for multiple hypervisors on the private cloud side, but has said less about running workloads across multiple public cloud providers.

More information: HP cloud


IBM: IBM SmartCloud is the omnibus suite of services that provides a range of features, from monitoring the health and status of cloud resources to automating connections to compute and storage resources from IBM or other vendors.

More information: IBM SmartCloud


ServiceMesh: ServiceMesh manages public, private and hybrid clouds from a common platform while allowing separate policies for different environments based on access controls and auditing. It charges on a per-virtual-machine basis.

More information: ServiceMesh


VMware IT Business Management Suite: Optimized for VMware environments, the company’s ITBM provides usage metrics for centralized management of a private cloud, allowing CIOs to become “IT service brokers,” the company says. ITBM allows users to set alerts based on cost and service level, and it provides granular information about past, present and predicted future use by individuals and departments as well.

More information: VMware ITBM

Microsoft mulls Internet Explorer information disclosure leak

Microsoft says the impact of the issue has been exaggerated by a company seeking to portray its competitors in a bad light

Microsoft refuted claims on Thursday that an information disclosure leak in its Internet Explorer browser poses a privacy risk, arguing that the company publicizing the issue is seeking to put its competitors in an unfavorable light.

Spider.io, a U.K.-based company in the advertising analytics field, alleged that two unnamed companies are improperly using a flaw that allows them to track whether display advertisements, sometimes buried far down in web pages, are actually viewed by users.

The information disclosure leak in IE versions 6 through 10 is said to allow a display advertisement rigged with JavaScript to find out the position of a mouse cursor, which combined with other data can reveal whether a display advertisement is within the “viewport,” or the window of the browser in which a person sees content.

Spider.io charged in a video that using such a flaw is improper, and that it uses a different method to collect the same data on display ad visibility.

Microsoft disagrees with Spider.io. “The underlying issue has more to do with competition between analytics companies than consumer safety or privacy,” wrote Dean Hachamovitch, corporate vice president for Internet Explorer.

Spider.io’s CEO, Douglas de Jager, said via email that it is a notable data leak and that Microsoft’s accusation is an attack on his company. He said in an interview that at least one other ad analytics company was aware of the flaw but deliberately decided not to use it to gather display ad statistics.

Spider.io also alleged the issue could be used by an attacker to figure out which keys a person is clicking on a virtual keyboard; such keyboards are sometimes displayed in software products to avoid the physical keyboard, which could be monitored with malicious software. Microsoft rejected the allegation, saying there’s no way for an attacker to know what kind of content is below the cursor.

It’s not uncommon for the security community to be somewhat in flux about whether to call a problematic issue in software a security vulnerability or not, and debate often ensues on how to classify an issue.

Still, Microsoft said it is contacting companies that are using the information leak as part of their ad-tracking metrics. It appears Microsoft does regard it as a minor issue that could be remedied in some way.

Microsoft’s beef with Apple over SkyDrive for iOS is justified

Apple and Microsoft must have missed sniping at each other, because this is petty.

It’s been a while since Apple and Microsoft took cheap shots at each other. I guess they got bored. One news outlet reports Apple is being difficult about approving the newest version of SkyDrive for iOS.

The Next Web reports that the two are at loggerheads over a new version of SkyDrive that adds a paid storage option, because Microsoft doesn’t want to pay Apple a 30% cut of the subscription revenue that the paid storage generates.

A main sticking point is that Microsoft does not want to pay Apple the 30% cut, which runs in perpetuity regardless of whether users continue to use an iOS device or not, because the billing is done through their Apple account.

So if a user signed up for the enhanced-capacity drive on their iOS device and then moved to a non-iOS phone (say, a Windows Phone), Apple would still collect 30% of their fee for storage even though they aren’t using the iOS device any more. Microsoft is understandably not keen on this.

The problem is not limited to just SkyDrive. AllThingsD reports that this fee is also applied to Office 365 subscriptions sold through Microsoft Office for iOS, which Microsoft has all but acknowledged will be launched sometime next year.

A spokesperson for Microsoft responded to a query with this comment:

“Similar to the experiences of some other companies, we are experiencing a delay in approval of our updated SkyDrive for iOS. We are in contact with Apple regarding the matter and hope to come to a resolution. We will provide additional information as it becomes available.”

Apple, as usual, isn’t talking.

This problem could easily spread to other apps. Third-party developers that use SkyDrive would also be hit with the 30% fee, and they aren’t going to like that perpetual fee, either.

How this plays out will be very interesting. Microsoft could practice what it preaches and offer policies for the Windows Store similar to what it wants from Apple. This would be a key point of differentiation and potentially competitive.

If Apple continues to play hardball and extends the same treatment to Dropbox and other cloud storage apps, Apple could be the one shut out and shunned. Will it happen? Who knows? Tim Cook does not strike me as unreasonable, and now that this is out and in the media, the pressure may come down on Apple.

Now the real test for Microsoft will be how it behaves when the shoe is on the other foot.

Tablet smackdown: iPad vs Surface RT in the enterprise

iPads are already making their way into businesses via bring-your-own-device efforts, with Microsoft Surface RT tablets hoping to follow suit as employees lobby for their favorite devices. But which one makes more sense from an IT perspective?

The two products are roughly similar in price ($500), run touch-centric operating systems, are highly portable and weigh about a pound and a half.

The two most significant differences are that Surface RT comes with both a keyboard and a version of Microsoft Office, Office Home & Student 2013 RT, which expand the potential corporate utility of the device.

Third-party keyboards are available for iPads as are third-party versions of Office-compatible productivity suites but they represent more work for IT. A rumor says Microsoft is working on a client that will allow accessing Office from an iPad through Microsoft’s service Office 365.

Office on Surface RT has its limitations. It lacks Outlook but includes Word, Excel, PowerPoint and OneNote, and the Surface RT version requires a business license in order to be used for work. Still, having it installed out of the box is a leg up and gives workers the opportunity to tap into the productivity suite. The keyboard is a big plus.

When it comes to numbers of applications, iPad has far more than Surface RT, and neither one has the number of business applications that support traditional Windows operating systems. Surface RT runs a Windows operating system, but it can’t run traditional Windows apps except for the Office suite specifically crafted for the platform.

Instead, Surface RT has its own class of applications called Windows Store apps, mainly because they can only be bought from the Windows Store. They are tailored for touch tablets and must be vetted by Microsoft before they get into the store’s inventory.

They can be developed using XAML, with code-behind in C++, C#, or Visual Basic, and Microsoft has a provision for sideloading custom business apps to Surface RT without submitting them first to Microsoft. Even so, that’s a lot of work to get apps natively on the devices.

Both iPads and Surfaces support virtual desktops, which goes a long way toward making traditional apps available on them. Hosted virtual desktops (HVD) can be costly, Gartner says in a report called “Bring Your Own Device: New Opportunities, New Challenges”. Its research found that “shifting to an HVD model increases the onetime costs per device by more than $600.” Plus proper licensing of iPads for business use is complicated, the report says.

Surface RT can be managed via Microsoft’s cloud-based Windows Intune service and uses Exchange ActiveSync for messaging. The iPad also supports Exchange ActiveSync. Third-party mobile device management platforms can configure and update iPads as well as monitor compliance with corporate policies. They can also wipe or lock lost and stolen devices. OS X Server can do all this as well.

Surface RT comes with security features the iPad doesn’t. These include UEFI Secure Boot, in which the firmware refuses to run a boot loader whose signature it doesn’t trust, and Trusted Boot, which verifies the Windows kernel and boot drivers and loads the early-launch anti-malware (ELAM) driver before any other driver. That way malware can’t disable the anti-malware before it gets the chance to do its job. The same hardware security module, the TPM, can act as a virtual smartcard for authentication, and Surface RT has full disk encryption.

The iPad has disk encryption and its own secure boot chain, rooted in read-only Boot ROM, but it has no equivalent of Surface RT’s early-launch anti-malware hook, and its hardware security module doesn’t do double duty as a smartcard.
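The tamper check both devices rely on can be modelled as a chain in which each stage carries the digest it expects of the next stage and refuses to hand over control on a mismatch. The block below is an added example, not Microsoft’s or Apple’s firmware code; it uses FNV-1a purely as a stand-in for the real digest-plus-signature check (an assumption for illustration, since FNV is not collision resistant) and hypothetical stage names. It also shows the limit of the scheme that the iPad comparison above turns on: nothing verifies the first stage, so the root of trust has to be immutable hardware or read-only memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Microsoft's or Apple's firmware code: a model of a
 * verified boot chain. Each stage carries the digest it expects of the next
 * stage and refuses to transfer control on a mismatch. FNV-1a is used only
 * as a stand-in for a real digest-plus-signature check (assumption for
 * illustration; FNV is not collision resistant). */
#define MAX_STAGES 4

struct stage {
    const char   *name;
    unsigned char code[16];       /* the bytes that would be executed */
    uint64_t      expected_next;  /* digest of the next stage, baked into this one */
};

static uint64_t digest(const unsigned char *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Walk the chain from the root of trust (stage 0, assumed to live in ROM).
 * Returns how many stages were allowed to run; a value below count means
 * stage[return value] failed verification and boot halted before it ran. */
int verify_chain(const struct stage *s, int count) {
    for (int i = 0; i + 1 < count; i++) {
        uint64_t actual = digest(s[i + 1].code, sizeof s[i + 1].code);
        if (actual != s[i].expected_next)
            return i + 1;
    }
    return count;
}

/* Build a clean chain: hypothetical stage names, deterministic contents,
 * and each stage's expected_next computed from the stage after it. */
void build_chain(struct stage *s, int count) {
    static const char *names[MAX_STAGES] = { "boot ROM", "firmware", "boot loader", "kernel" };
    for (int i = 0; i < count; i++) {
        s[i].name = names[i];
        memset(s[i].code, 'A' + i, sizeof s[i].code);
        s[i].expected_next = 0;
    }
    for (int i = count - 1; i > 0; i--)
        s[i - 1].expected_next = digest(s[i].code, sizeof s[i].code);
}

/* Untampered: every stage runs. */
int boot_clean(void) {
    struct stage s[MAX_STAGES];
    build_chain(s, MAX_STAGES);
    return verify_chain(s, MAX_STAGES);
}

/* A bootkit patches the boot loader: the firmware's check catches it and
 * halts before the loader (stage 2) runs. */
int boot_with_patched_loader(void) {
    struct stage s[MAX_STAGES];
    build_chain(s, MAX_STAGES);
    s[2].code[0] ^= 0xff;
    return verify_chain(s, MAX_STAGES);
}

/* The root itself is patched: nothing sits below it to notice, and the whole
 * chain "verifies". This is why the root must be immutable hardware or ROM. */
int boot_with_patched_root(void) {
    struct stage s[MAX_STAGES];
    build_chain(s, MAX_STAGES);
    s[0].code[0] ^= 0xff;
    return verify_chain(s, MAX_STAGES);
}

int main(void) {
    printf("clean chain:     %d of %d stages ran\n", boot_clean(), MAX_STAGES);
    printf("patched loader:  %d of %d stages ran\n", boot_with_patched_loader(), MAX_STAGES);
    printf("patched root:    %d of %d stages ran\n", boot_with_patched_root(), MAX_STAGES);
    return 0;
}
```

The early-launch anti-malware step is not modelled; in this picture it is simply the first driver the last verified stage loads, which is why it gets to inspect everything loaded after it.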

NOTE: There is another version of Surface that runs on x86 processors and supports any application that Windows 7 supports. It’s not available until next year, but is actually a tablet-sized full Windows laptop with all the touch capabilities of Surface RT.

That device would beat iPad hands-down if it cost the same, but it is likely to cost hundreds of dollars more than Surface RT.

Microsoft plans patches for IE10, Windows 8 next week

Will fix first bugs in company’s newest browser, again address Windows 8 and Windows RT flaws

Microsoft today announced it will deliver seven security updates next week to patch 11 vulnerabilities, including the first that apply to Internet Explorer 10 (IE10), the company’s newest browser.

As it did last month, Microsoft will also patch Windows 8, Windows RT and Windows Server 2012, its new desktop, tablet and server operating systems.

Five of the seven updates will be marked as “critical,” Microsoft’s highest threat ranking, while the remaining pair will be labeled “important,” the Redmond, Wash. developer said in an advance warning published today.

Andrew Storms, director of security operations at nCircle Security, put the IE update atop his tentative to-do list. Others did, too, including Paul Henry, a researcher with Arizona-based Lumension.

In an email Thursday, Henry said that the bugs in IE9 and IE10 — the only versions directly affected — were “use-after-free” memory management vulnerabilities.

By the IE update’s critical label, it’s likely that the bug(s) can be exploited by hackers using “drive-by” attacks, those that execute as soon as an unsuspecting user surfs to a malicious or compromised website.

Although IE9 and IE10 — the latter is the latest in Microsoft’s browser line and so far has shipped in final form only for Windows 8, Windows RT and Server 2012 — will be patched, other still-supported editions will get fixes as well.

“Microsoft is making ‘defense-in-depth’ changes to the other browsers,” said Storms of IE6, IE7 and IE8.

Microsoft has occasionally issued code changes meant to beef up the security of a product even though it’s not technically vulnerable to attack.

“The general idea is that the vulnerability is on a new platform, and that during its due diligence, Microsoft found the same [flawed] code in older platforms,” said Storms. “But because they couldn’t actually execute the vulnerability on those [older versions], they’re making changes just in case something in the future is found that can exploit the bug.”

This will be the second month running that Microsoft patches IE: In November, it quashed three critical bugs in IE9. At the time, Storms argued that Microsoft had probably also found one or more of those flaws in IE10, but had managed to fix them before it shipped the browser on Oct. 26.

Other updates will tackle one or more critical vulnerabilities in Windows — including one applicable to Windows 8 and Windows RT; at least one critical bug in Word 2003, 2007 and 2010 on Windows; and some critical flaws in Exchange 2007 and 2010.

That last caught Storms’ eye.

“Exchange is one of the most highly-critical business applications, and it’s not something you want to shut down, especially in December,” Storms said.

But he wasn’t ready to tell companies to pass on the Exchange update. “They may well release some easily-performed mitigations next week,” Storms said, referring to Microsoft’s habit of offering work-arounds to keep software secure until a patch can be applied. “We’ll have to wait and see. This one may have the typical risk-reward equation…. Is it worth the risk to patch or better to leave it alone?”

If companies apply the Exchange update and break their mail systems, especially during a very busy time of the year for retailers, it could be chaos.

Henry, who regularly talks with Microsoft after they’ve issued their advance notification, said that the Exchange update will address new vulnerabilities in the Outside In code libraries that Microsoft licenses from Oracle.

Exchange uses the libraries for Outlook Web App’s WebReady Document Viewing, which renders file attachments in the browser rather than opening them in a locally installed application such as Microsoft Word. Past Outside In bugs in Exchange have likewise sat in that attachment-parsing code.

Oracle patched two low-threat Outside In bugs in a massive Oct. 16 security update.

If Microsoft ships all seven of the planned updates — occasionally it holds one back at the last minute — the company will have issued 83 security bulletins in 2012, a 17% drop from 2011’s 100 updates, said Storms.

The individual patch count, however, will slip just 5%, with 196 in 2012 compared to 206 the year before.

Microsoft will release the seven updates at approximately 1 p.m. ET on Dec. 11.



MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com

Is Windows 8 really a sitting duck for malware?

A report claims so, but given Microsoft’s attempts to harden the OS, that seems dubious.

A new report released by the security firm Websense Security Labs claims Windows 8 will become one of the top three most-hacked platforms in 2013 because of its newness and Microsoft’s efforts to encourage development for the radical new platform.

Yeah, that didn’t make sense to me, either.

It took a chat with the folks at Websense to make, er, sense of what they were saying, but I do see their point. With a new operating system on the market that will hopefully gain significant ground and Microsoft attempting to woo developers like never before, there’s lots of potential for exploit.

“Microsoft’s efforts to produce an extremely developer friendly platform will be embraced by the cybercriminal community, and vulnerabilities will be exploited,” the company said in its 2013 Security Predictions. “If they deliver on their promise, the rate of threat growth on Microsoft mobile devices will be the highest.”

That’s a big “if.” Android, another platform Websense sees as a major target in 2013, is far more insecure. But in the case of Windows, there is, for lack of a better word, an installed base of malicious code and talent who know their way around Windows operating systems, and they are going to bring that to bear on Windows 8.

They will try to get around security systems that have been tightened up. Good luck with that. BitDefender recently ran tests on Windows 8 and found that a system with just Windows Defender, which is hardly a suitable security program, stopped 85% of the malware samples used in the tests.

The bad guys aren’t just about code; they understand how people write code and how malware works. So it’s not just malware samples, it’s accumulated and applied knowledge that they bring to Windows 8, says Websense. And given the code Windows 8 shares with Windows Phone 8 (both are built on the NT kernel), malware techniques could move across platforms.

The other two platforms that will be big targets in 2013 are also mobile operating systems: Android and iOS. According to the firm, Android will be targeted because of its open nature. Websense expects attack techniques used on the desktop platform to continue to migrate over to Google’s operating system.

iOS should be a much harder target because of its closed nature. However, with the growing popularity of iOS devices in professional environments, IT should consider it a prime platform for targeted attacks, Websense said. Most malware that does exist for iOS targets jailbroken phones.

Websense made seven predictions for 2013, most of them centered around cybercriminals attacking mobile devices. You can find the entire report, in PDF format, here. Free registration is required to view it.


2013: Year of the hybrid cloud
Hybrid clouds, cloud brokers, big data and software-defined networking (SDN) predicted to be the major trends in cloud computing in 2013.

The time for dabbling in cloud computing is over, say industry analysts. 2013 is the year that companies need to implement a hybrid cloud strategy that puts select workloads in the public cloud and keeps others in-house.

“Next year has to be the year that enterprises get serious about having real cloud operations as part and parcel of their IT operations,” says John Treadway, vice president at Cloud Technology Partners, a consultancy.

Treadway says that in the last year, he and his colleagues have worked with many large enterprise clients who have implemented half-baked, haphazard cloud infrastructure schemes – most of them private and developed in-house.

They have some virtualization, explained Treadway. And they may even have some automation. “But when you peel back the onion you can’t find the type of cloud infrastructure where you can request a resource and have it provisioned automatically on the fly. There is still a lot of human labor involved in those processes,” Treadway says.

He expects most of these in-house private clouds to be abandoned in favor of more strategic hybrid mixes of public cloud services and commercially packaged private cloud services, such as those based on OpenStack or VMware’s vCloud.
Prediction 1: Hybrid clouds will take off

“I’m convinced 2013 is going to be the year of the hybrid cloud infrastructure,” says Tracy Corbo, principal research analyst at Enterprise Management Associates.

“Cloud infrastructure outages happen. That’s a fact that is not going to change. So it only makes sense for an enterprise to take a look at the workloads they can put in the public cloud where there lies the bigger risk of outage and data loss and those that should be placed on a more controlled private cloud,” Corbo says.

That hybrid infrastructure as a service (IaaS) split is likely to be divided between the systems of engagement (customer service systems, for example) and the systems of record (like back-end financials), explains Chandar Pattabhiram, former marketing executive at Cast Iron, a cloud integration company purchased by IBM, and currently vice president of marketing at Badgeville, a company specializing in gamifying cloud applications.

Hybrid cloud deployment is not a new concept. Research published by Gartner shows that the hype surrounding hybrid cloud reached its peak last summer. According to Gartner’s research scheme, early adopters take on a technology at the peak of the hype cycle, then there’s a period of disillusionment when stories of early adoption failures come out. That’s followed by a slow adoption phase, when vendors begin delivering on second- and third-generation services. Finally, there’s the phase where adoption becomes mainstream.

Amazon is still the uncontested leader in the public IaaS cloud space, with expectations that it will continue to pull down more than $2 billion annually in that market. But vendors with long and strong ties to the enterprise are all rolling out public offerings alongside their private cloud services.

For example, HP jumped into the public cloud market last summer when it rolled out its OpenStack-based HP Cloud Services. According to Dan Baigent, senior director of business development for HP Cloud Services, there is certainly a “pent-up” need for public IaaS. “We expect to see the most interesting growth patterns in that space,” he says, arguing that HP’s long-standing relationship with enterprise customers will help it make inroads there. It’s difficult for enterprises to support multiple clouds from different vendors, Baigent says, and getting both parts of the hybrid cloud from the same provider can simplify that prospect.

Treadway argues that many public cloud vendors will go under. “It’s very hard to play in the Amazon game. The margins are small and if you don’t offer a differentiating value, you are very likely going to fail,” Treadway says.

Lydia Leong, research vice president at Gartner, agrees that 2013 will see some corrections to the public cloud market, pointing to Web hosting vendor GoDaddy quietly closing the doors on its public cloud operation in October as a prime example. “These closures certainly don’t give any kind of signal that cloud computing is a failure. They simply demonstrate that it doesn’t make sense for every vendor to compete in that market,” she says.
Prediction 2: Hybrid-cloud management becomes key

If hybrid clouds are the deployment of choice, EMA’s Corbo says the IT industry has to make significant inroads on how to manage that type of environment in terms of resource provisioning, scalability and performance.

“It’s unfortunate that the IT industry seems to build infrastructure, and managing it is always an afterthought,” Corbo says.

IDC issued a report in August that said the worldwide cloud systems management software market grew dramatically, totaling an estimated $754 million in 2011, an increase of 84.4% over 2010. The top two vendors, CA Technologies and VMware, benefited from market demand for a range of capabilities beyond self-service provisioning.

These include automated infrastructure orchestration and virtualization management used to enable dynamic infrastructure resource pooling and sharing across multiple workloads and user groups, and the ability to track cloud resource consumption to support life-cycle management, capacity planning and chargeback.

IDC listed the other top players in that market – determined by revenue – as HP, IBM and BMC. That said, more than 63% of the revenue these companies raked in came from sales to companies managing private clouds only.

IDC expects most successful cloud systems management software vendors will offer customers a wide range of capabilities beyond self-service portals and automation and will be architected to support heterogeneous hypervisor and hardware platforms, as well as a range of hybrid cloud scenarios.

RightScale, a company that bucks Corbo’s assertion that management is an afterthought, has offered a service since 2006 that integrates with multiple clouds and allows users to view federated cloud deployments from a single dashboard. The company boasts of a 4.7 million customer base supporting a variety of public and private cloud platforms, including Amazon Web Services, Windows Azure, Google Compute Engine, Datapipe, HP, Logicworks, SoftLayer and Tata. On the private cloud side, RightScale can be used to manage workloads on the OpenStack, CloudStack and Eucalyptus platforms, all of which are open source.

Other startups that have jumped into this space include Cohuman, Okta, Scalr and Tier 3.

Brian Donaghy, CEO of Appcore, a cloud services company in Des Moines, Iowa, that offers a portfolio of private, public and hybrid services, says that developing the skills to manage a multi-cloud environment will make IT professionals a hot commodity in the next year as well.
Prediction 3: Cloud brokerages and integration hubs will explode

Early adopters of the cloud tended to take on the technology when they were building singularly focused greenfield applications. “So the issues associated with integrating either legacy systems or other cloud-based applications were not so urgent,” says Martin Capurro, a product manager at Savvis Direct, a public cloud service offered by national telco CenturyLink. “They are now.”

IDC predicts that by 2015, nearly $1 of every $6 spent on packaged software, and $1 of every $5 spent on applications, will be consumed via the software as a service (SaaS) model. As enterprises buy more and more of their applications as SaaS, issues of integrating the applications themselves, developing security and auditing processes across them, and figuring out how to create B2B links with partners using the same applications will all need to be addressed.

Cloud service brokerage (CSB) schemes set up by cloud providers themselves seek to address the first problem while systems integration services and integration hubs seek to address the latter two.

“CSB” was the phrase for cloud arbitrage that Gartner coined in 2009. More recently, NIST has defined this category of service providers as “an entity that manages the use, performance and delivery of cloud services and negotiates relationships between cloud providers and cloud consumers.”

Practically speaking, CSBs are the middlemen that aggregate SaaS applications in the cloud and supply a portal through which their customers can buy, access and, to a degree, control the use of multiple multi-tenant cloud applications within their own companies. The broker negotiates a good price that is passed on to the customer, provides a single sign-on point for end users to reach these applications and presents the IT department with one monthly bill.

According to Treadway, integration hubs – defined as single integration points between multiple cloud applications – are much needed today, but are more difficult to pull off than CSBs. That’s because many custom-built cloud applications are not built using standard APIs, which means that linking them to any other application requires a spaghetti network of connections that is nearly impossible to maintain, he says. The problem is further exacerbated by the proliferation of devices most cloud applications are now required to support.

Almost every major player in the IT space that bases a big chunk of its business on integration has a play in this market as well; Cordys and Informatica are among the other vendors competing in it.

“The advice I give clients is to make sure they have a comprehensive integration strategy developed upfront, and only build or buy applications that have standard APIs and were built within a service-oriented architecture,” Treadway says.

Prediction 4: Big data analytic tools will get better

Big data, the voluminous unstructured or semi-structured data a company creates that is cost-prohibitive to load into a relational database for analysis, just gets bigger and bigger in the cloud, and businesses are realizing they can’t afford to ignore that fact.

Using very geeky predictive modeling and data mining principles, big data analytics tools let users digest volumes of transactional data and other streams like those collected from Web server logs, social media reports and mobile-phone call records that have not previously been tapped by business intelligence tools.

“What they want is actionable analytic big data tools that give them the right information to make business decisions in real time,” Treadway says. But innovation in this space, he says, is random at best.

According to CB Insights, a consultancy that tracks venture capital activities, analytics companies have taken the majority of $1.1 billion in big data venture capital funding deals on record since the second quarter of 2011. These analytics companies include those offering real-time data, such as Metamarkets, and others offering analytics solutions, such as Datameer.

But established companies are also investing in this area. Take HP’s acquisitions of both Vertica (a data analytics firm bought in February 2011 for an undisclosed amount) and Autonomy (a U.K.-based information management software firm bought in August 2011 for $10.3 billion). Prior to HP’s spree, IBM and EMC had already bought big data analytics databases, scooping up Netezza and Greenplum, respectively.

“It’s invaluable to our customers to be able to have the ability to put a wrapper of knowledge around the hordes of data coming into a company through its cloud deployments,” HP’s Baigent says.
Prediction 5: “SDN” will become just “networking”

The idea of software-defined networking rocked the networking world in 2012.

Inside the SDN scheme, the control plane gets decoupled from the data plane in network switches and routers. The control plane runs as software on servers and the data plane is implemented in commodity network equipment.

In July, cloud server software giant VMware plunked down $1.05 billion in cash and another $210 million in assumed unvested equity for Nicira, an SDN startup that had lured high-profile talent away from both Juniper and Cisco.

Cisco’s initial reaction to the prospect of SDN was called Cisco Open Network Environment (Cisco ONE), an architectural scheme designed to let Cisco networks be flexible and customizable enough to meet the needs of newer networking and IT trends such as cloud, mobility, social networking and video. Cisco then made announcements with the OpenStack community in support of its open source SDN projects, and in November the company agreed to pay $1.2 billion in cash to acquire Meraki, a San Francisco-based provider of networking systems that can be managed from the cloud.

“All of these moves just point to the eventual realization that software-defined networking is just going to collapse back into a new definition of networking that is going to evolve in 2013,” says Terremark CTO John Considine.
Prediction 6: Gamification will drive sales and customer service.

Gartner predicts that by 2014, 70% of all Fortune 2000 companies will have at least one cloud-based application that employs game mechanics to influence employee or customer behavior. According to Badgeville’s Pattabhiram, many of them already do, and next year will simply be the year that people sit up and take notice of how effective those applications are in driving business opportunity.

Gamification is the concept of applying the psychology of game design to non-game applications to make them more fun, engaging and addictive. The psychological carrots include the need for public recognition and the thrill of competition. The applications in the business world include boosting sales, encouraging collaboration and information sharing among employees and partners, and increasing customer service satisfaction.

There are more than 50 gamification products, platforms and services available on the market including Badgeville, BunchBall, Crowd Factory, Gamify.it, Hoopla, Kudos, Objective Logistics and Rypple (a Salesforce.com company) to name only a very few.

Pattabhiram contends that the potential benefits of gamification to the enterprise, should it be implemented next year, are behavior management, rewarding participation, controlled social mechanics and behavior analytics.
Prediction 7: Hybrid security options will bloom

IDC security analyst Phil Hochmuth has no doubt that there will be security breaches in the cloud next year, whether or not they become public, mainly because hard-to-control mobile devices are now the dominant means by which employees access the cloud.

“That is one of the biggest reasons we are seeing most vendors take on a hybrid delivery model for their security products,” Hochmuth says. Under this scheme, security vendors are offering – and enterprises are deploying – the traditional appliance-based security products for on-premise access and then enlisting a SaaS product – most of the time from the same vendor to help facilitate unified security management policies — to shore up secure access from mobile clients. IDC predicts that over the next three years, hybrid deployments will comprise 60% of all deployments, a market the firm says will balloon to $3.3 billion by 2016.
Prediction 8: Data sovereignty issues will multiply

Controversy about the jurisdiction and legality of data stored in the cloud and outside of a customer’s home country will erupt as cloud adoption grows in 2013, says Jim Reavis, executive director of the Cloud Security Alliance.

But don’t expect government policy changes to help mitigate the problem, Reavis says. Greater customer awareness of data residency options, such as format-preserving encryption, will help mitigate these concerns and technological innovation will have a greater impact on solving this global policy question than government action.
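Format-preserving encryption, which Reavis names above as a data-residency option, as an added example in C that is not from the article or the Cloud Security Alliance. It shows the general cycle-walking construction rather than only the case the text mentions: a keyed permutation on a slightly larger binary domain is re-applied until the result lands back among the n-digit numbers, so a 16-digit account number stays a 16-digit number in the cloud copy (schema and validation rules still hold) while only the holder of the key can recover the original. The round function here is a constructed toy mixer standing in for a real PRF such as AES or HMAC and is not secure; the key and the `fpe_*` names are likewise assumptions for the illustration. Production systems use the NIST modes FF1 or FF3-1, which this code is not.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ROUNDS 8

/*
 * Toy keyed round function (splitmix64-style mixing of key, round and input).
 * Assumption: this stands in for a real PRF such as AES or HMAC; it is NOT
 * cryptographically secure and only serves to show the construction.
 */
static uint64_t toy_prf(uint64_t key, unsigned round, uint64_t x)
{
    uint64_t z = key ^ (x + 0x9E3779B97F4A7C15ULL * (uint64_t)(round + 1));
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Balanced Feistel network: a keyed permutation of the (2*half_bits)-bit integers. */
static uint64_t feistel(uint64_t key, uint64_t x, unsigned half_bits, int decrypt)
{
    uint64_t mask = (1ULL << half_bits) - 1;
    uint64_t L = (x >> half_bits) & mask, R = x & mask;
    for (unsigned i = 0; i < ROUNDS; i++) {
        unsigned r = decrypt ? ROUNDS - 1 - i : i;   /* inverse runs rounds backwards */
        if (!decrypt) {                              /* (L,R) -> (R, L ^ F(R)) */
            uint64_t t = R;
            R = L ^ (toy_prf(key, r, R) & mask);
            L = t;
        } else {                                     /* (L,R) -> (R ^ F(L), L) */
            uint64_t t = L;
            L = R ^ (toy_prf(key, r, L) & mask);
            R = t;
        }
    }
    return (L << half_bits) | R;
}

/*
 * Format-preserving encryption of an n-digit decimal string (1..18 digits).
 * The digits are read as an integer below N = 10^n, permuted on the smallest
 * even bit width that covers N, and re-permuted ("cycle walking") until the
 * result lands back below N, so the output is again exactly n digits.
 * Decryption walks the inverse permutation the same way. Returns 0, or -1 on
 * malformed input (out is untouched in that case).
 */
int fpe_digits(uint64_t key, const char *in, char *out, int decrypt)
{
    size_t n = strlen(in);
    if (n == 0 || n > 18)
        return -1;
    uint64_t N = 1, x = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] < '0' || in[i] > '9')
            return -1;
        N *= 10;
        x = x * 10 + (uint64_t)(in[i] - '0');
    }
    unsigned bits = 2;
    while ((1ULL << bits) < N)
        bits += 2;
    do {
        x = feistel(key ^ (uint64_t)n, x, bits / 2, decrypt);  /* length acts as a tweak */
    } while (x >= N);
    for (size_t i = n; i-- > 0; ) {
        out[i] = (char)('0' + x % 10);
        x /= 10;
    }
    out[n] = '\0';
    return 0;
}

/* Self-check: ciphertext must be n digits, differ from the plaintext and decrypt back to it. */
int fpe_roundtrip_ok(uint64_t key, const char *plain)
{
    char ct[32], pt[32];
    if (fpe_digits(key, plain, ct, 0) != 0 || fpe_digits(key, ct, pt, 1) != 0)
        return 0;
    if (strlen(ct) != strlen(plain) || strcmp(ct, plain) == 0)
        return 0;
    return strcmp(pt, plain) == 0;
}

int main(void)
{
    char ct[32], pt[32];
    uint64_t key = 0x0123456789ABCDEFULL;   /* constructed key, not a real secret */
    fpe_digits(key, "4111111111111111", ct, 0);
    fpe_digits(key, ct, pt, 1);
    printf("plain 4111111111111111 -> cipher %s -> back %s\n", ct, pt);
    return 0;
}
```

Because the ciphertext is again n decimal digits, a record can leave the home jurisdiction in encrypted form without breaking downstream length or type checks; the trade-off is that the domain is tiny compared with a 128-bit block, which is why the real modes add tweaks and many rounds and why the toy round function above must not be used as-is.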

Prediction 9: IaaS-based services will expand

EMA’s Corbo predicts there will be an increase in services delivered as part of standard IaaS offerings.

“You will see IT folks thinking hard and long about what other infrastructure services can be off-loaded into the cloud,” Corbo says. Specifically, she expects to see growth in the areas of WAN optimization (a service is already offered by a startup called Aryaka and mainstays such as Cisco and Akamai have made some movement in this direction) and load balancing as a service in the cloud (Amazon and Rackspace both offer these services).

“It’s not a question of being able to do this stuff in-house. It’s a matter of figuring out if it’s cheaper and more efficient to do it in the cloud,” Corbo says.
Prediction 10: Prepare for more outages and shakeouts

Corbo and Gartner’s Leong were in sync on their prediction that if customers are asking the public cloud infrastructures to take on more and more responsibilities, then they should be prepared to accept more downtime as well.

“Outages will happen as a matter of course,” Leong says. “It can’t really be helped when you take into consideration all of the permutations of all the services riding on these infrastructures. There is no way every contingency can be tested for.”

CSA’s Reavis warns that customers should be prepared for other kinds of failures in the cloud in 2013 as well: business failures.

Since we are in a natural part of the entrepreneurial business cycle for cloud, we can expect to see several cloud startups get acquired, change their business focus or go out of business entirely, Reavis says.

“These shakeouts will have differing consequences impacting the availability of customer data and information systems. Customers need to make sure they are mitigating these risks through a combination of building redundancy in cloud security architectures and performing due diligence in cloud business relationships,” he says.
