Tag Archives: Gregg Keizer

Microsoft slates critical IE, Windows patches for Tuesday

One month left for businesses to migrate from Windows 8.1 to Windows 8.1 Update

Microsoft today said it will ship six security updates to customers next week, patching all versions of Internet Explorer (IE) and nearly all supported editions of Windows.

The IE update, one of two classified as “critical” — Microsoft’s most serious threat ranking — will patch IE6 on Windows Server 2003, IE7, IE8, IE9, IE10 and the newest, IE11.

It’s unlikely that July’s IE update will match June’s in size: Microsoft fixed a record 60 flaws in the browser on June 10. (Originally, Microsoft said it had patched 59 IE bugs last month, but a week later acknowledged it had forgotten to add one to the list, and so upped the count to an even 60.)

Windows 7 users who have not freshened IE11 with a mandatory April update will not receive next week’s browser fixes.

According to Thursday’s advance notice, which briefly described the July updates, the second critical bulletin will patch all client editions of Windows — from Vista to Windows 8.1 — and all server versions except for those running on systems powered by Intel’s Itanium processors. Windows Server 2008 and Server 2012 systems provisioned by installing only the Server Core — a minimal install with many features and services omitted to lock down the machine — are also exempt from Bulletin 2, Microsoft said.

Of the remaining four updates, three were labeled “important” by Microsoft — the threat step below critical — while the fourth was pegged “moderate.” All will offer patches for some or all Windows editions, both on the desktop and in the data center.

Security researchers pointed to the two critical bulletins as the obvious first-to-deploy for most Microsoft customers.

They also remarked on Bulletin 6, the single moderate update, which will patch Microsoft Service Bus for Windows Server. The bus is a messaging and communications service that third-party developers can use to tie their code to Windows Server and Microsoft Azure, the Redmond, Wash. company’s cloud service.

“The odd one out this month is the Moderate Denial of Service in ‘Microsoft Service Bus for Windows Server,'” said Ross Barrett, senior manager of security engineering at Rapid7, in an email. “It’s part of the Microsoft Web Platform package and is not installed by default with any OS version.”

Although Microsoft did not mention it in today’s advance notice, or in the blog post by the Microsoft Security Response Center (MSRC), enterprises have one more month to deploy April’s Windows 8.1 Update and Server 2012 R2 Update before losing patch privileges for devices running Windows 8.1 or servers running 2012 R2.

Hardware powered by Windows 8.1 or Server 2012 R2 must be updated before Aug. 12, the next scheduled Patch Tuesday, to receive that month’s updates, as well as any future security fixes.

Or in some cases, even present patches, said Chris Goettl, a program product manager at Shavlik, in an email.

“One thing to watch out for [next week] will be [something similar to] the many exceptions we saw last month,” Goettl cautioned. “Many of the updates we saw in June required other updates to be in place, depending on the platform. For those running Windows 8.1 or Server 2012 R2, they need to be prepared for more of these updates to require Update 1 before they can apply them. Microsoft has stated they would delay a hard enforcement until August, but more and more of the patches [have] had variations that required Update 1. So look out for that cut over — it’s coming quick.”

 



 

 

Windows XP hack resurrects patches for retired OS

But security researcher who tried the hack isn’t sure the fixes will actually keep exploits at bay

A simple hack of Windows XP tricks Microsoft’s update service into delivering patches intended for a close cousin of the aged OS, potentially extending support for some components until 2019, a security researcher confirmed today.

What’s unclear is whether those patches actually protect a Windows XP PC against cyber criminals’ exploits.

The hack, which has circulated since last week — first on a German-language discussion forum, then elsewhere as word spread — fools Microsoft’s Windows Update service into believing that the PC is actually running a close relation of XP, called “Windows Embedded POSReady 2009.”

Unlike Windows XP, which was retired from security support April 8 and no longer receives patches, Embedded POSReady 2009 is due patches until April 9, 2019.

As its name implies, POSReady 2009 is used as the OS for devices such as cash registers — aka point-of-sale systems — and ATMs. Because it’s based on Windows XP Service Pack 3 (SP3), the last supported version of the 13-year-old OS, its security patches are a superset of those that would have been shipped to XP users if support was still in place. Many of POSReady 2009’s patches are similar, if not identical, to those still offered to enterprises and governments that have paid Microsoft for post-retirement XP support.

Jerome Segura, a senior security researcher at Malwarebytes, an anti-malware software vendor, tried out the hack and came away impressed.

“The system is stable, no crashes, no blue screens,” Segura said in an interview, talking about the Windows XP virtual machine whose updates he resurrected with the hack. “I saw no warnings or error messages when I applied patches for .Net and Internet Explorer 8.”

The Internet Explorer 8 (IE8) update Segura applied appeared to be the same one Microsoft released May 13 for other versions of Windows, including POSReady 2009, but did not deliver to Windows XP.

But although he has run the hacked XP for several days now without any noticeable problems, he wasn’t willing to give the trick a passing grade.

“[POSReady 2009] is not Windows XP, so we don’t know if its patches fully protect XP customers,” Segura said. “From an exploit point of view, when those vulnerabilities are exploited in the wild, will this patch protect PCs or will they be infected? That would be the ultimate proof.”

Microsoft, not surprisingly, took a dim view of the hack.

“We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers,” a company spokesperson said in an email. “The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP.”


 


 

Microsoft dings Ballmer’s bonus over Windows 8, Surface RT struggles

The penalty is equivalent to half the cost of a cup of coffee at McDonald’s to the average American

Microsoft’s board of directors reduced outgoing CEO Steve Ballmer’s bonus for the 2013 fiscal year, citing poor performance of Windows 8 and the $900 million Surface RT write-off, according to a filing with the U.S. Securities and Exchange Commission.

The Redmond, Wash., company’s proxy statement spelled out the salaries and bonuses of several of its top executives, including Ballmer, new Chief Financial Officer Amy Hood and Chief Operating Officer Kevin Turner, as well as now-departed managers such as former CFO Peter Klein and Office chief Kurt DelBene.

Microsoft paid Ballmer $697,500 in salary and awarded him a $550,000 performance bonus, for a total of $1.26 million for fiscal year 2013.

The bonus was less than Ballmer could have earned.

“Our Board of Directors approved an Incentive Plan award of $550,000 which was 79% of Mr. Ballmer’s target award,” stated the proxy. One hundred percent of the target would have been $696,000.

The 79% was considerably lower than Ballmer’s comparable number for the 2012 fiscal year, when he was granted a bonus representing 91% of his target.

Microsoft’s board cited both company wins and losses under Ballmer’s stewardship, but the latter included some failures that were the root of its bonus decision.

“While the launch of Windows 8 in October 2012 resulted in over 100 million licenses sold, the challenging PC market coupled with the significant product launch costs for Windows 8 and Surface resulted in an 18% decline in Windows Division operating income,” the proxy noted. “Slower than anticipated sales of Surface RT devices and the decision to reduce prices to accelerate sales resulted in a $900 million inventory charge.”

Some analysts have speculated that the $900 million write-off was the proverbial straw that broke the board’s back, and triggered Ballmer’s ouster. In an interview with the Wall Street Journal last week, however, John Thompson, the lead independent director and the head of the committee in charge of the search for a new chief executive, backed Ballmer’s explanation for his sudden retirement: He did not want to remain in the job through the long course correction to a “devices-and-services” strategy.

The proxy statement’s commentary on the strategy change, as well as the corporate reorganization announced in July, was Ballmer-neutral. “The company continued to make progress in its devices and services strategy,” the filing read.

Last year, Ballmer’s bonus was pegged at 91% of his target as the board ticked off several issues during that fiscal year, including a 3% decline in revenue for the Windows and Windows Live Division, and a fiasco where Microsoft failed to offer a browser choice screen to Windows 7 customers in the European Union.

Ballmer’s 2013 bonus of 79% was an even lower percentage than that of Steven Sinofsky last year. Then, the former Windows chief — who was ousted in November 2012 — received 90% of his target award, even though he, like Ballmer, was cited as responsible for the EU browser choice screw-up.

Other top-tier executives received 100% or more of their target bonuses for 2013.

Kevin Turner, the COO, received a cash award of $2.1 million, or 100% of his target, and Satya Nadella, who now leads the Cloud and Enterprise group, received $1.6 million, or 105% of his target. Amy Hood, the new CFO, was handed $457,443, 100% of her target incentive, and as part of her promotion, received a stock award in May of 103,413 shares that will vest over the next three years. At Thursday’s closing price, those shares had a paper value of $3.5 million.

In total compensation for the 2013 fiscal year, Turner remained Microsoft’s highest-paid executive at $10.4 million, down slightly from 2012’s $10.7 million.

Eight of the company’s top executives, including Turner and Hood, were handed additional stock grants Sept. 19, the same day Microsoft announced a retention bonus designed to keep upper management from jumping ship during the CEO search. Turner, for example, received grants currently worth $20.3 million. Hood’s award was valued at Thursday’s closing bell at nearly $3.9 million.

No one should cry for Ballmer’s lowered bonus: According to the proxy, he controls 4% of the company, with stock holdings worth $11.3 billion at Thursday’s price. Only co-founder and chairman Bill Gates holds more: 4.5%, or $12.8 billion.

The $146,000 that Ballmer did not get in his 2013 bonus is literally pocket change to the billionaire. The amount represented 0.0013% of Ballmer’s Microsoft holdings, and an even smaller percentage of his total wealth. To put that into perspective, 0.0013% of $42,693, the U.S. per capita personal income in 2012, is 55 cents, or just over half the price of a coffee from the McDonald’s “Dollar Menu.”

Ballmer and Gates are both on the directors slate for re-election next month when Microsoft hosts its shareholders meeting.

According to a report by the Reuters news service earlier this week, some of Microsoft’s biggest investors have urged the board to push Gates out of the chairman’s role because they are concerned he will block the board from making drastic changes and handcuff the new CEO to the devices-and-services strategy, which they question. Gates is also on the special search committee tasked by the board to recommend Ballmer’s replacement.



 

 

Microsoft takes Outlook Web App native on iPhone, iPad

Just as with Office Mobile — the truncated Excel, PowerPoint and Word — OWA requires an Office 365 subscription

Microsoft today launched Outlook Web App (OWA) for iOS, a “native” app that reprises — and amplifies — the in-browser OWA corporate workers have long used on devices that don’t support the full-fledged Outlook client.

The new app, which comes in iPhone and iPad flavors, offers the same functionality as the browser-based OWA, letting users access email, calendars, contacts and other inbox data housed on a company’s Exchange server.

But because the apps are iOS-native — in other words, they’re written specifically for Apple’s mobile OS, not simply a Web app in disguise — they can tap the hardware, adding features like gesture support and voice control.

The native app approach also means it can be used when offline, unlike the in-browser OWA which requires an Internet connection.

Wes Miller, an analyst with Kirkland, Wash.-based Directions on Microsoft, was impressed. “In terms of packaging this is a really neat idea, with a very, very good [user] experience,” said Miller, who ticked off several examples, ranging from push notifications to the hardware integration.

There are caveats.

As it did last month with Office Mobile for iPhone, Microsoft is dangling the iOS OWA carrot to tempt customers into subscribing to Office 365, the rent-not-own plans introduced earlier this year. Only customers with active Office 365 accounts can use OWA on the iPhone or iPad, even though the app itself is free to download from Apple’s App Store.

More important, if apparently temporary, is the requirement of Exchange Online, the off-premises, hosted Exchange service included with virtually every non-consumer Office 365 plan. Businesses that still run their own on-premise Exchange servers are out of luck for now.

“We are planning to deliver OWA to Exchange 2013 on-premise customers at a future date, but we have no additional details to share today,” a Microsoft spokeswoman said in answer to questions today.

“That’s a deal-breaker for some customers,” said Miller in a Tuesday interview before Microsoft clarified that it would offer OWA to organizations with an in-house Exchange infrastructure, a category that includes most medium- and large-sized companies. What remains unknown is when those Office 365 users will get their hands on OWA for iOS.

Microsoft’s approach to iOS apps has taken some licks from outsiders who view the Office 365-only strategy as misguided. “Anyone [with Office 2013] should be able to access the app,” Forrester analyst Frank Gillett said last month about Office Mobile for the iPhone. “They’re continuing the artificial advantaging of one product over another to change customer behavior. We think that’s a major mistake.”

Gillett’s point may be a month old, but it applies equally to OWA for iPhone and iPad: Microsoft customers who have adopted Office 2013 in perpetual license form rather than as a subscription are barred from running the new app.

Even so, Miller argued that the limitation is consistent with Microsoft’s claim that it is now a “devices and services” company, not one which sells packaged software.

“Where they don’t sell devices, they’ll try to sell services,” said Miller, referring to Office 365.

OWA for the iPhone and the iPad can be downloaded from the App Store.

