Archive for the ‘Microsoft’ Category

MS Finds Some Bug In Chrome – What Bug? Don’t Know

Friday, September 22nd, 2017

[$7500][765433] High CVE-2017-5121: Out-of-bounds access in V8. Reported by Jordan Rabet, Microsoft Offensive Security Research and Microsoft ChakraCore team on 2017-09-14

From Stable Channel Update for Desktop Thursday, September 21, 2017

As of 22 September 2017, 17:14 ESDT, the URL 765433 displays only a lack of access notice, for me.

Unlike hackers, who have a tradition of sharing information, Microsoft and Google believe what they know is unknown to others. That works, sort of, if you’re an ostrich, not so well in cybersecurity.

I mention this posting mostly to list some of the tools Google uses for bug testing:

  • AddressSanitizer
  • AFL
  • Control Flow Integrity
  • libFuzzer
  • MemorySanitizer
  • UndefinedBehaviorSanitizer

Enjoy!

Unpatched Windows Vulnerability – Cost of Closed Source Software

Friday, September 8th, 2017

Bug in Windows Kernel Could Prevent Security Software From Identifying Malware by Catalin Cimpanu.

From the post:

Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime.

Continue on with Cimpanu for a good overview or catch Windows’ PsSetLoadImageNotifyRoutine Callbacks: the Good, the Bad and the Unclear (Part 1).

Symantec says proactive security includes:

  • Inventory of Authorized and Unauthorized Devices
  • Inventory of Authorized and Unauthorized Software
  • Secure Configurations for Hardware & Software
  • Constant Vulnerability Assessment and Remediation
  • Malware Defense

But since Windows is closed source software, you can’t remedy the vulnerability. Whatever your cyberdefenses, closed source MS Windows leaves you vulnerable.

Eternal (possibly) vulnerability – the cost of closed source software.

It’s hard to think of a better argument for open source software.

Open source software need not be free, just open source so you can fix it if broken.

PS: Open source enables detection of government malware.

MS Streamlines Malware Delivery

Tuesday, June 27th, 2017

Microsoft is building a smart antivirus using 400 million PCs by Alfred Ng.

Malware delivery takes a giant leap forward with the MS Fall Creators Update:


If new malware is detected on any computer running Windows 10 in the world, Microsoft said it will be able to develop a signature for it and protect all the other users worldwide. The first victim will be safe as well because the virus will be set off in a virtual sandbox on the cloud, not on the person’s device.

Microsoft sees artificial intelligence as the next solution for security as attacks get more sophisticated.

“If we’re going to stay on top of anything that is changing that fast, you have to automate,” Lefferts said.

About 96 percent of detected cyberattacks are brand new, he noted.

With Microsoft’s current researchers working at their fastest pace, it can take a few hours to develop protections from the first moment they detect malware.

It’s during those few hours when people are really hit by malware. Using cloud data from Microsoft Office to develop malware signatures is crucial, for example, because recent attacks relied on Word vulnerabilities.

Two scenarios immediately come to mind:

  1. The “malware” detection is “false,” the file/operation/URL is benign but now 400 million computers see it as “malware,” or,
  2. Due to MTM attacks, false reports are sent to Windows computers on a particular sub-net.

Global security decision making is a great leap, but the question is in what direction?

PS: Did you notice the claim “96 percent of detected cyberattacks are brand new…?” I ask because that’s inconsistent with the documented long lives of cyber exploits, Website Security Statistics Report 2015 (WhiteHat Security).

Impact of Microsoft Leaks On Programming Practice

Tuesday, June 27th, 2017

Mohit Kumar’s great graphic:

leads for his story: Microsoft’s Private Windows 10 Internal Builds and Partial Source Code Leaked Online.

The use of MS source code for discovery of vulnerabilities is obvious.

Less obvious questions:

  • Do programmers follow leaked MS source code?
  • Do programmers following leaked MS source code commit similar vulnerability errors?

Evidence for a public good argument for not spreading leaked MS source code anyone?

Skype/Microsoft – Invasion of Privacy

Thursday, June 1st, 2017

I first noticed this latest invasion of privacy by Skype/Microsoft yesterday.

A friend tried to share an image via Skype and when I went to look at it, I saw a screen similar to this one:

I say “similar to this one” because yesterday I closed the window and got the image via email.

Today, I had a voice message on Skype, which I cannot access without supplying my birthday!

The “We need just a little more info to set up your account.” is a factual lie. My account is already set up. Has been (past tense) for years.

“This information is required” is that color in the original, no editing.

Anyone else experiencing a similar invasion of privacy courtesy of Skype/Microsoft?

The “blue screen of death” lives! (Humorous HTML Links)

Monday, May 29th, 2017

A simple file naming bug can crash Windows 8.1 and earlier by Steve J. Vaughan-Nichols.

From the post:

In a blast from the past, a Russian researcher has uncovered a simple bug in the NTFS file system that consistently crashed Windows Vista to 8.1 PCs.

Like the infamous Windows 95/98 /con/con bug, by simply entering a file name with “$MFT” the file-system bug locks up Windows at best, or dumps it into a “blue screen of death” at worse.

The bug won’t deliver malware but since it works in URLs (except for Chrome), humorous HTML links in emails are the order of the day.

Enjoy!

Patched != Applied / Patches As Vulnerability Patterns

Tuesday, May 9th, 2017

Microsoft’s Microsoft Security Advisory 4022344 in response to MsMpEng: Remotely Exploitable Type Confusion in Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials, and more by taviso@google.com, was so timely as to deprive the “responsible disclosure” crowd of a chance to bitch about the notice given to Microsoft.

Two aspects of this vulnerability merit your attention.

Patched != Applied

Under Suggested Actions, the Microsoft bulletin reads:

  • Verify that the update is installed

    Customers should verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded and installed for their Microsoft antimalware products.

    For more information on how to verify the version number for the Microsoft Malware Protection Engine that your software is currently using, see the section, “Verifying Update Installation”, in Microsoft Knowledge Base Article 2510781.

    For affected software, verify that the Microsoft Malware Protection Engine version is 1.1.13704.0 or later.

  • If necessary, install the update

    Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions. Enterprise administrators should also verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded, approved and deployed in their environment.

    For end-users, the affected software provides built-in mechanisms for the automatic detection and deployment of this update. For these customers, the update will be applied within 48 hours of its availability. The exact time frame depends on the software used, Internet connection, and infrastructure configuration. End users that do not wish to wait can manually update their antimalware software.

    For more information on how to manually update the Microsoft Malware Protection Engine and malware definitions, refer to Microsoft Knowledge Base Article 2510781.

Microsoft knows its customers far better than I do and that suggests unpatched systems can be discovered in the wild. No doubt in diminishing numbers but you won’t know unless you check.
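One way to run that check across a fleet, as an added example (not from the post or from Microsoft): it audits an inventory export against the 1.1.13704.0 floor quoted in the bulletin. The CSV layout, host names and version values are constructed assumptions; only the minimum version comes from the advisory.

```python
import csv
import io

# Minimum fixed engine version, taken from the advisory text quoted above.
MIN_ENGINE = (1, 1, 13704, 0)

# Constructed inventory export: host names and versions are invented for this
# example; a real export would come from your own management tooling.
SAMPLE_INVENTORY = """\
host,engine_version
ws-001,1.1.13704.0
ws-002,1.1.13601.0
ws-003,1.1.9999.0
srv-01,1.1.13804.0
ws-004,
ws-005,unknown
lap-07,1.1.13704
"""


def parse_engine_version(text):
    """Return a 4-tuple of ints, or None if text is not a clean a.b.c.d version."""
    parts = (text or "").strip().split(".")
    if len(parts) != 4:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text, minimum=MIN_ENGINE):
    """Classify one reported version as patched, vulnerable or unverified."""
    version = parse_engine_version(version_text)
    if version is None:
        # Blank, truncated or garbled reports are never counted as patched.
        return "unverified"
    # Tuples of ints compare numerically, component by component. Comparing the
    # raw strings would rank "1.1.9999.0" above "1.1.13704.0" ('9' > '1') and
    # report a vulnerable host as patched.
    return "patched" if version >= minimum else "vulnerable"


def audit(csv_text, minimum=MIN_ENGINE):
    """Group the hosts in a CSV export (host,engine_version) by status."""
    report = {"patched": [], "vulnerable": [], "unverified": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row.get("engine_version"), minimum)
        report[status].append(row["host"])
    return report


def coverage(report):
    """Fraction of all inventoried hosts that are confirmed patched."""
    total = sum(len(hosts) for hosts in report.values())
    return len(report["patched"]) / total if total else 0.0


if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY)
    for status in ("vulnerable", "unverified", "patched"):
        print(f"{status:<11}{', '.join(result[status]) or '-'}")
    print(f"confirmed patched: {coverage(result):.0%}")
```

Hosts in the unverified group need the same follow-up as the vulnerable ones, since a missing report says nothing about the engine that is actually installed.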

Patches As Vulnerability Patterns

You have to visit CVE-2017-0290 to find links to the details of “MsMpEng: Remotely Exploitable Type Confusion….”

Which raises an interesting use case for the Microsoft/MSRC-Microsoft-Security-Updates-API, which I encountered by way of a PowerShell script for accessing the MSRC Portal API.

Polling the Microsoft/MSRC-Microsoft-Security-Updates-API provides you with notice of vulnerabilities to look for based on unapplied patches.

You can use the CVE links to find deeper descriptions of underlying vulnerabilities. Those descriptions, assuming you mine the sips (statistically improbable phrases), can result in a powerful search tool to find closely related postings.

Untested but searching by patterns for particular programmers (whether named or not), may be more efficient than an abstract search for coding errors.

Reasoning that programmers tend to commit the same errors, reviewers tend to miss the same errors, and so any discovered error, properly patterned, may be the key to a grab bag of other errors.

That’s an issue where tunable subject identity would be very useful.

The Line Between Safety and Peril – (patched) “Supported Products”

Saturday, April 15th, 2017

Dan Goodin in NSA-leaking Shadow Brokers just dumped its most damaging release yet reports in part:


Friday’s release—which came as much of the computing world was planning a long weekend to observe the Easter holiday—contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks.

Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date.

“It is by far the most powerful cache of exploits ever released,” Matthew Hickey, a security expert and co-founder of Hacker House, told Ars. “It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it. A number of these attacks appear to be 0-day exploits which have no patch and work completely from a remote network perspective.”

News of the release has been fanned by non-technical outlets, such as CNN Tech, NSA’s powerful Windows hacking tools leaked online by Selena Larson.

Microsoft has responded with: Protecting customers and evaluating risk:

Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandingly, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation.

| Code Name | Solution |
|---|---|
| EternalBlue | Addressed by MS17-010 |
| EmeraldThread | Addressed by MS10-061 |
| EternalChampion | Addressed by CVE-2017-0146 & CVE-2017-0147 |
| “ErraticGopher” | Addressed prior to the release of Windows Vista |
| EsikmoRoll | Addressed by MS14-068 |
| EternalRomance | Addressed by MS17-010 |
| EducatedScholar | Addressed by MS09-050 |
| EternalSynergy | Addressed by MS17-010 |
| EclipsedWing | Addressed by MS08-067 |

Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.
… (emphasis in original)

You are guaranteed to be in peril if you are not running patched, supported Microsoft products.

Even if you are running a supported product, know that 50% of all vulnerabilities are from failure to apply patches.

Unlike the hackers who may be in your system right now, liability of vendors for unreasonably poor coding practices or your company for data breaches caused by your practices, such as failure to apply patches, would be incentives for more secure software and better security practices.

If you are serious about cybersecurity, focus on people you can reach and not those you encounter at random (hackers).

Activists! Another Windows Vulnerability

Saturday, February 18th, 2017

If software vulnerabilities were the new it bleeds it leads, news organizations would report on little else.

Still, you have to credit The Hacker News with a great graphic for Google Discloses Windows Vulnerability That Microsoft Fails To Patch, Again! by Swati Khandelwal.

Microsoft is once again facing embarrassment for not patching a vulnerability on time.

Yes, Google’s Project Zero team has once again publicly disclosed a vulnerability (with POC exploit) affecting Microsoft’s Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10 that had yet to be patched.
… (emphasis in original)

The Google report is more immediately useful but far less amusing than this post by Swati Khandelwal.

Swati reports that without an emergency patch from Microsoft this month, attackers have almost 30 days to exploit this vulnerability.

No rush considering the Verizon 2016 Data Breach Investigations Report shows hacks known since before 1999 are still viable:

Taking that into account, plus the layering of insecure software on top of insecure software strategy of most potential targets:


According to the Cisco 2017 Security Capabilities Benchmark Study, most companies use more than five security vendors and more than five security products in their environment. Fifty-five percent of the security professionals use at least six vendors; 45 percent use anywhere from one to five vendors; and 65 percent use six or more products.
… (Cisco 2017 Annual Cybersecurity Report, page 5)

Small targets could be more secure by going bare and pointing potential attackers to bank, competitor and finance targets with a BetterTargetsREADME file. (Warning: That is an untested suggestion.)

Tooling Up: Adding Windows 10 to Ubuntu

Saturday, February 4th, 2017

In preparation for an exciting year, I have installed/upgraded several programs on Ubuntu but need to:

  • Generate OOXML files with MS Office
  • Run GIS software not otherwise available
  • Test IE/Office/Windows vulnerabilities
  • Use WebEx

That means a copy of Windows 10 to enable access to Office 365.

Abhishek Prakash’s How to Install Windows 10 in VirtualBox in Linux did the trick for me.

One caveat, my VirtualBox created by default an optical drive so when I added the Windows iso image as a second optical drive, starting the install reports no bootable media. Deleting the default optical drive, leaving only the Windows iso image fixed the problem.

The subscription/install of Office 365 went smoothly.

By default storing files on OneDrive. (1 TB)

Provocative name suggestions for encrypted core dumps?

Other than the glitch with the extra optical drive, it all went smoothly, albeit in Windows fashion, somewhat slowly at times.

Some traditions never change.

😉

Microsoft Giveth, Microsoft Taketh Away

Monday, June 13th, 2016

Microsoft Revoking Free Fallout 4 Copies Grabbed Due to Xbox Store Error by Ron Whitaker.

From the post:

Yesterday afternoon, Fallout 4‘s Deluxe Edition Bundle showed up on the Xbox Store for a very attractive price – $0.00. As you can imagine, word of the error spread quickly, and while no numbers are available, you can bet that many people took advantage of the deal to grab a copy for their Xbox One. That version of the game typically runs $109.99, and includes the Season Pass for all the DLC.

Ron goes on to point out that Microsoft is revoking all licenses obtained due to this error.

With some exceptions, a sale is a completed act and not subject to revocation by only one of the parties.

Would be a stronger case if Fallout 4‘s Deluxe Edition Bundle had listed a price of at least $0.01. Can you say why?

Would costing $0.01 when purchased with other games make a difference?

Keep an eye out for litigation!

Universal Windows Hack, Going Once – $95K, Going Twice – $90K, Free at Exploit.in?

Saturday, June 4th, 2016

Swati Khandelwal reports a universal Windows hack in Hackers Selling Unpatched Microsoft Windows Zero-Day Exploit for $90,000.

John McAfee tweeted today the hack is free on Exploit.in.

[Image: mcafee-exploit-460]

I know John is busy, running for U.S. president and all that stuff, but how long does it take to paste in a link?

I visited Exploit.in today and paged back to 01 May 2016 (the original report was 11 May 2016).

Nothing that I could identify as the hack, free or otherwise.

You?

PS: If you make factual claims on Twitter (read anywhere), include a link/citation. It will save everyone time and effort.

Unless your purpose is to waste the time/effort of others.

PPS: I nearly posted without including the image of John’s post. Including the image saves you from searching Twitter to see if John really posted such a claim. At least if you are willing to accept it’s not faked in some way (it’s not).

Took an extra minute or two but multiply that by the number of users who might otherwise search. That’s how much time including the image has saved.

Asking the Impossible, Avoiding the Obvious – MS on Ransom:Win32/ZCryptor.A.

Saturday, May 28th, 2016

Link (.lnk) to Ransom.

From the post:

We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A.

The post goes on to note these avenues of infection:

Ransom:Win32/ZCryptor.A is distributed through the spam email infection vector. It also gets installed in your machine through other macro malware*, or fake installers (Flash Player setup).

If you think that sounds bad, consider one of the recommended means for avoiding Ransom:Win32/ZCryptor.A:

Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.)

And the other reasons for using the Internet would be? 😉

BTW, the bulletin avoids the most obvious solution to Ransom:Win32/ZCryptor.A:

Don’t run Windows.

Yes?

Something to bear in mind when the GAO wants agencies to upgrade from pre-Windows software to “modern,” but insecure software.

“Ethical” Botmakers Censor Offensive Content

Saturday, March 26th, 2016

There are almost 500,000 “hits” from “tay ai” in one popular search engine today.

Against that background, I ran into: How to Make a Bot That Isn’t Racist by Sarah Jeong.

From the post:

…I talked to some creators of Twitter bots about @TayandYou, and the consensus was that Microsoft had fallen far below the baseline of ethical botmaking.

“The makers of @TayandYou absolutely 10000 percent should have known better,” thricedotted, a veteran Twitter botmaker and natural language processing researcher, told me via email. “It seems like the makers of @TayandYou attempted to account for a few specific mishaps, but sorely underestimated the vast potential for people to be assholes on the internet.”

Thricedotted and others belong to an established community of botmakers on Twitter that have been creating and experimenting for years. There’s a Bot Summit. There’s a hashtag (#botALLY).

As I spoke to each botmaker, it became increasingly clear that the community at large was tied together by crisscrossing lines of influence. There is a well-known body of talks, essays, and blog posts that form a common ethical code. The botmakers have even created open source blacklists of slurs that have become Step 0 in keeping their bots in line.

Not researching prior art is as bad as not Reading The Fine Manual (RTFM) before posting help queries to heavy traffic developer forums.

Thricedotted claims a prior obligation of TayandYou’s creators to block offensive content:

For thricedotted, TayandYou failed from the start. “You absolutely do NOT let an algorithm mindlessly devour a whole bunch of data that you haven’t vetted even a little bit,” they said. “It blows my mind, because surely they’ve been working on this for a while, surely they’ve been working with Twitter data, surely they knew this shit existed. And yet they put in absolutely no safeguards against it?!” (emphasis in original)

No doubt Microsoft wishes that it had blocked offensive content in hindsight, but I don’t see a general ethical obligation to block or censor offensive content.

For example:

  • A bot created to follow public and private accounts of elected officials and it only re-tweeted posts that did contain racial slurs? With @news-organization handles in the tweets.
  • A bot based on matching FEC (Federal Election Commission) donation records + Twitter accounts and it re-tweets racist/offensive tweets along with campaign donation identifiers and the candidate in question.
  • A bot that follows accounts known for racist/offensive tweets for the purpose of building archives of those tweets, publicly accessible, to prevent the sanitizing of tweet archives in the future. (like with TayandYou)

Any of those strike you as “unethical?”

I wish the Georgia legislature and the U.S. Congress would openly use racist and offensive language.

They act in racist and offensive ways so they should be openly racist and offensive. Makes it easier to whip up effective opposition against known racists, etc.

Which is, of course, why they self-censor to not use racist language.

The world is full of offensive people and we should make them own their statements.

Creating a false, sanitized view that doesn’t offend some n+1 sensitivities, is just that, a false view of the world.

If you are looking for an ethical issue, creating views of the world that help conceal racism, sexism, etc., is a better starting place than offensive ephemera.

Internet Explorer 8, 9, and 10 – “Really Most Sincerely Dead”

Wednesday, January 6th, 2016

Web developers rejoice; Internet Explorer 8, 9 and 10 die on Tuesday by Owen Williams.

From the post:

Internet Explorer has long been the bane of many Web developers’ existence, but here’s some news to brighten your day: Internet Explorer 8, 9 and 10 are reaching ‘end of life’ on Tuesday, meaning they’re no longer supported by Microsoft.

Three down and one to go, IE 11, if I’m reading Owen’s post correctly. Past IE 11, users will be on Edge in Windows 10.

Oh, the “…really most sincerely dead…” is from the 1939 movie, Wizard of Oz.

Windows 10 covertly sends your disk-encryption keys to Microsoft

Wednesday, December 30th, 2015

Windows 10 covertly sends your disk-encryption keys to Microsoft by Cory Doctorow.

Cory gives a harrowing list of “unprecedented anti-user features” in Windows 10.

It is a must read for anyone trying to build support for a move to an open source OS.

Given the public reception of the Snowden revelations, are the “unprecedented anti-user features” a deliberate strategy by Microsoft to escape the clutches of both US and other governments demanding invasion of user privacy?

There has to be a sufficient market for MS to transition to application and OS support for enterprise level open source software and weaning enterprises off of Windows 10 would be one way to establish that market.

After all, GM isn’t going to call your local IT shop for support, even with an open source OS. Much more likely to call Microsoft, which has the staff and historical expertise to manage enterprise systems.

Sure, MS may lose the thin-margin projects at the bottom if it becomes entirely an open source organization but imagine the impact it will have on big data startups.

The high end/high profit markets in software will remain whether the income is from licensing or support/customization services.

That would certainly explain the recent trend towards open source projects at MS. And driving customers away from Windows 10 is probably easier than spiking the Windows/Office teams embedded at MS.

Corporate politics, don’t you just love it? 😉

If management talks about switching to Windows 10, you know the sign to give your co-workers from Helix:

[Image: run-like-hell]

For non-Helix fans: RUN LIKE HELL!

Microsoft open sources Distributed Machine Learning Toolkit…

Friday, November 13th, 2015

Microsoft open sources Distributed Machine Learning Toolkit for more efficient big data research by George Thomas Jr.

From the post:

Researchers at the Microsoft Asia research lab this week made the Microsoft Distributed Machine Learning Toolkit openly available to the developer community.

The toolkit, available now on GitHub, is designed for distributed machine learning — using multiple computers in parallel to solve a complex problem. It contains a parameter server-based programing framework, which makes machine learning tasks on big data highly scalable, efficient and flexible. It also contains two distributed machine learning algorithms, which can be used to train the fastest and largest topic model and the largest word-embedding model in the world.

The toolkit offers rich and easy-to-use APIs to reduce the barrier of distributed machine learning, so researchers and developers can focus on core machine learning tasks like data, model and training.

The toolkit is unique because its features transcend system innovations by also offering machine learning advances, the researchers said. With the toolkit, the researchers said developers can tackle big-data, big-model machine learning problems much faster and with smaller clusters of computers than previously required.

For example, using the toolkit one can train a topic model with one million topics and a 20-million word vocabulary, or a word-embedding model with 1000 dimensions and a 20-million word vocabulary, on a web document collection with 200 billion tokens utilizing a cluster of just 24 machines. That workload would previously have required thousands of machines.

This has been a banner week for machine learning!

On November 9th, Google open sourced TensorFlow.

On November 12th, Single Artificial Neuron Taught to Recognize Hundreds of Patterns (why neurons have thousands of synapses) is published.

On November 12th, Microsoft open sources its Distributed Machine Learning Toolkit.

Not every week is like that for machine learning but it is impressive when that many major stories drop in a week!

I do like the line from the Microsoft announcement:

For example, using the toolkit one can train a topic model with one million topics and a 20-million word vocabulary, or a word-embedding model with 1000 dimensions and a 20-million word vocabulary, on a web document collection with 200 billion tokens utilizing a cluster of just 24 machines. (emphasis added)

Prices are falling all the time and a 24 machine cluster should be within the reach of most startups if not most individuals now. Next year? Possibly within the reach of a large number of individuals.

What are your machine learning plans for 2016?

More DMTK information.

It’s Official! Hell Has Frozen Over!

Wednesday, November 4th, 2015

Microsoft and Red Hat to deliver new standard for enterprise cloud experiences

From the news release:

Microsoft Corp. (Nasdaq “MSFT”) and Red Hat Inc. (NYSE: RHT) on Wednesday announced a partnership that will help customers embrace hybrid cloud computing by providing greater choice and flexibility deploying Red Hat solutions on Microsoft Azure. As a key component of today’s announcement, Microsoft is offering Red Hat Enterprise Linux as the preferred choice for enterprise Linux workloads on Microsoft Azure. In addition, Microsoft and Red Hat are also working together to address common enterprise, ISV and developer needs for building, deploying and managing applications on Red Hat software across private and public clouds.

I can’t report on the webcast because it requires Flash 10 and I don’t have that on a VM at the moment. Good cyber hygiene counsels against running even “patched” Adobe Flash.

The news release has the key points anyway:


Red Hat solutions available natively to Microsoft Azure customers. In the coming weeks, Microsoft Azure will become a Red Hat Certified Cloud and Service Provider, enabling customers to run their Red Hat Enterprise Linux applications and workloads on Microsoft Azure. Red Hat Cloud Access subscribers will be able to bring their own virtual machine images to run in Microsoft Azure. Microsoft Azure customers can also take advantage of the full value of Red Hat’s application platform, including Red Hat JBoss Enterprise Application Platform, Red Hat JBoss Web Server, Red Hat Gluster Storage and OpenShift, Red Hat’s platform-as-a-service offering. In the coming months, Microsoft and Red Hat plan to provide Red Hat On-Demand — “pay-as-you-go” Red Hat Enterprise Linux images available in the Azure Marketplace, supported by Red Hat.

Integrated enterprise-grade support spanning hybrid environments. Customers will be offered cross-platform, cross-company support spanning the Microsoft and Red Hat offerings in an integrated way, unlike any previous partnership in the public cloud. By co-locating support teams on the same premises, the experience will be simple and seamless, at cloud speed.

Unified workload management across hybrid cloud deployments. Red Hat CloudForms will interoperate with Microsoft Azure and Microsoft System Center Virtual Machine Manager, offering Red Hat CloudForms customers the ability to manage Red Hat Enterprise Linux on both Hyper-V and Microsoft Azure. Support for managing Azure workloads from Red Hat CloudForms is expected to be added in the next few months, extending the existing System Center capabilities for managing Red Hat Enterprise Linux.

Collaboration on .NET for a new generation of application development capabilities. Expanding on the preview of .NET on Linux announced by Microsoft in April, developers will have access to .NET technologies across Red Hat offerings, including Red Hat OpenShift and Red Hat Enterprise Linux, jointly backed by Microsoft and Red Hat. Red Hat Enterprise Linux will be the primary development and reference operating system for .NET Core on Linux.

More details at: The Official Microsoft Blog and the Red Hat Blog.

I first saw this in The Power of Open Source… Microsoft .NET and OpenShift by Chris Morgan.

A small pebble in an ocean of influences and motivations but treating Microsoft fairly during the ISO process for ISO 29500 (I am the editor of the competing ISO 26300) wasn’t a bad idea.

Getting Rid of “Get Windows 10!” (Public Service Announcement)

Tuesday, October 6th, 2015

There is a difference between commercial software and nagware. Or, there was once upon a time. To promote Windows 10, a Microsoft ad has taken up residency in the system tray of Windows 7 and Windows 8 users.

To revert to a non-nagware version of Windows 7 or Windows 8, see: What is the “Get Windows 10” Tray Item and How Do You Remove It?

Bob Ducharme reports this worked for him.

I haven’t taken the Windows 10 plunge (onto a VM) but then I encountered this language in the Windows 10 EULA:

Updates. The software periodically checks for system and app updates, and downloads and installs them for you. You may obtain updates only from Microsoft or authorized sources, and Microsoft may need to update your system to provide you with those updates. By accepting this agreement, you agree to receive these types of automatic updates without any additional notice.
[emphasis added to last sentence]

If you are using Windows 10 to read email and surf the web, that may be ok.

If you are building mission-critical applications that rely on the stability of Windows system calls, that’s insane.

Ask your IT department about MS “updates” that have toasted applications in the past.

If Windows 10 becomes the dog that whatever came right after Windows XP did (I can’t even remember its name), perhaps Microsoft will adopt a saner update policy for Windows (whatever).

Abandon All Hope Prior To IE 11

Wednesday, August 26th, 2015

Stay up-to-date with Internet Explorer

From the post:

As we shared in May, Microsoft is prioritizing helping users stay up-to-date with the latest version of Internet Explorer. Today we would like to share important information on migration resources, upgrade guidance, and details on support timelines to help you plan for moving to the latest Internet Explorer browser for your operating system.

Microsoft offers innovative and transformational services for a mobile-first and cloud-first world, so you can do more and achieve more; Internet Explorer is core to this vision. In today’s digital world, billions of people use Internet-connected devices, powered by cloud service-based applications, spanning both work and life experiences. Running a modern browser is more important than ever for the fastest, most secure experience on the latest Web sites and services, connecting anytime, anywhere, on any device.

Microsoft recommends enabling automatic updates to ensure an up-to-date computing experience—including the latest version of Internet Explorer—and most consumers use automatic updates today. Commercial customers are encouraged to test and accept updates quickly, especially security updates. Regular updates provide significant benefits, such as decreased security risk and increased reliability, and Windows Update can automatically install updates for Internet Explorer and Windows.

For customers not yet running the latest browser available for your operating system, we encourage you to upgrade and stay up-to-date for a faster, more secure browsing experience. Beginning January 12, 2016, the following operating systems and browser version combinations will be supported:

| Windows Platform | Internet Explorer Version |
| --- | --- |
| Windows Vista SP2 | Internet Explorer 9 |
| Windows Server 2008 SP2 | Internet Explorer 9 |
| Windows 7 SP1 | Internet Explorer 11 |
| Windows Server 2008 R2 SP1 | Internet Explorer 11 |
| Windows 8.1 | Internet Explorer 11 |
| Windows Server 2012 | Internet Explorer 10 |
| Windows Server 2012 R2 | Internet Explorer 11 |

After January 12, 2016, only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates. For example, customers using Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 on Windows 7 SP1 should migrate to Internet Explorer 11 to continue receiving security updates and technical support. For more details regarding support timelines on Windows and Windows Embedded, see the Microsoft Support Lifecycle site.

I can’t comment on the security of IE 11 but it will create a smaller footprint for support. Perhaps some hackers will be drawn away for easier pickings on earlier versions.

You are already late planning your migration path to IE 11.

What IE version are you going to be running on January 12, 2016?

Windows 10: Steady as you go

Friday, July 31st, 2015

Windows 10: You might be wise to wait before upgrading by Graham Cluley.

If Windows 10 isn’t your first Windows rodeo, you know the reasons for Graham’s advice on waiting a while to upgrade to Windows 10.

For example, Microsoft delivers a massive Windows 10 patch to fix early bugs by Jamie Hinks.

Doesn’t hurt to let someone else debug the early version. 😉

Migrate or Lose Control of Your Windows XP/Server 2003 System

Tuesday, July 21st, 2015

Microsoft words it:

Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904).

But later makes the danger a little clearer:

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.

When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers. Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. (emphasis added)

Show of hands: How many of you visit untrusted sites with embedded OpenType fonts?

Microsoft rates this critical and for all versions of Windows.

No patch has been issued for Windows XP or Windows Server 2003.

WorldWide Telescope to the Open Source .NET Universe

Friday, July 3rd, 2015

Welcoming the WorldWide Telescope to the Open Source .NET Universe by Martin Woodward.

From the post:

At the .NET Foundation we strive to put code into the hands of those who use it, in an effort to create an innovative and exciting community. Today we’re excited to announce that we are doing just that in welcoming the WorldWide Telescope to the exciting universe of open source .NET.

I did my undergraduate degree in physics at a time when the Hubble Space Telescope (HST) was a new thing. I remember very well my amazement when I could load up one of about 100 CD-ROM’s from the Digitized Sky Survey to get access to observations from the Palomar Observatory and then later the HST, and compare them with my own results to track changes in the night sky. CD-ROM’s were a new thing back then too, but I wrote some VB code to capture data out of the JPEG images in the Sky Survey and compare it with my own images from the CCD in the back of the telescope on the roof of the University of Durham Physics department.

Fast forward to 2008 and Microsoft Research moved Robert Scoble to tears and wowed the audience at TED when it released the WorldWide Telescope, giving the public access to exactly the same type of raw astronomical data through an easy-to-use interface. The WorldWide Telescope application is great because it puts an incredible visualization engine together with some of the most interesting scientific data in the world into the hands of anyone. You can just explore the pretty pictures and zoom in as if you are seeing the universe on some of the best telescopes in the world – but you can also do real science with the same interface. Astronomers and educators using WorldWide Telescope have come to appreciate the beauty and power of tooling that enables such rich data exploration – truly setting that data free.

Today, I am thrilled to announce that the .NET Foundation is working together with Microsoft Research and the WorldWide Telescope project team to set the application itself free. The code, written in .NET, is now available as an open source application under the MIT License on GitHub. We are very keen to help the team develop in the open and now that WorldWide Telescope is open source, any individual or organization will be able to adapt and extend the functionality of the application and services to meet their research or educational needs. Not only can they contribute those changes back to the wider community through a pull request, but they’ll allow others to build on their research and development. Extensions to the software will continuously enhance astronomical research, formal and informal learning, and public outreach, while also leveraging the power of the .NET ecosystem.

The WorldWide Telescope represents a new community coming to the Foundation. It’s also great that we now have representation within the foundation from a project that is a complex system building on top of the .NET Framework with both a desktop client, as well as extensive server based infrastructure. The WorldWide Telescope is an important tool and I’m glad the .NET Foundation can be of help as it begins its journey as an open source application with committers from inside and outside of Microsoft. We’re thrilled to welcome the community of astronomers using and contributing to the WorldWide Telescope into the exciting universe of open source .NET.

You can read more about the WorldWide Telescope on the website and more about the move to open source on the Microsoft Research Connections blog. The WorldWide Telescope team also have a very cool video on YouTube showing the power of the WorldWide Telescope in action where you can also find a wealth of videos from the community.

Remind me to put a new version of Windows on a VM in my Ubuntu box. 😉

Very cool!

Malicious Microsoft Office versions are in the wild

Monday, May 25th, 2015

Malicious Microsoft Office versions are in the wild

At first I wondered why this was news? 😉

After reading the post I realized they meant hacked versions of Microsoft Office, which in addition to the standard bugs and vulnerabilities, come with additional vulnerabilities installed by the people who hacked the official version.

I am untroubled by the presence of additional vulnerabilities in hacked versions of Microsoft Office as you know the saying, “…you get what you pay for.”

If you want Microsoft Office, then buy a copy of Microsoft Office. You won’t get much sympathy for security problems created while trying to cheat others. At least not from me.

If you want or need alternatives to Microsoft Office, try Apache OpenOffice or LibreOffice.

Even with “free” software, you should always use official or reputable distribution sites. A little bit of caution on your part will present attackers with a much smaller attack surface. Staff that don’t exercise such caution should be recommended to your competitors.

GQL and SharePoint Online Search REST APIs

Thursday, May 7th, 2015

Query the Office graph using GQL and SharePoint Online Search REST APIs

From the post:

Graph Query Language (GQL) is a preliminary query language designed to query the Office graph via the SharePoint Online Search REST API. By using GQL, you can query the Office graph to get items for an actor that satisfies a particular filter.

Note The features and APIs documented in this article are in preview and are subject to change. The current additions to the Search REST API are a preliminary solution to make it possible to query the Office graph, mainly intended for the Office Delve experience. Feel free to experiment with querying the Office graph but do not use these features, or other features and APIs documented in this article, in production. Your feedback about these features and APIs is important. Let us know what you think. Connect with us on Stack Overflow. Tag your questions with [office365].

An interesting development from Microsoft!

Early days so there is a long way to go before we are declaring relationships between entities inside objects and assigning the entities and their relationships properties.

Still, a promising development.

Turning the MS Battleship

Saturday, March 21st, 2015

Improving interoperability with DOM L3 XPath by Thomas Moore.

From the post:

As part of our ongoing focus on interoperability with the modern Web, we’ve been working on addressing an interoperability gap by writing an implementation of DOM L3 XPath in the Windows 10 Web platform. Today we’d like to share how we are closing this gap in Project Spartan’s new rendering engine with data from the modern Web.

Some History

Prior to IE’s support for DOM L3 Core and native XML documents in IE9, MSXML provided any XML handling and functionality to the Web as an ActiveX object. In addition to XMLHttpRequest, MSXML supported the XPath language through its own APIs, selectSingleNode and selectNodes. For applications based on and XML documents originating from MSXML, this works just fine. However, this doesn’t follow the W3C standards for interacting with XML documents or exposing XPath.

To accommodate a diversity of browsers, sites and libraries wrap XPath calls to switch to the right implementation. If you search for XPath examples or tutorials, you’ll immediately find results that check for IE-specific code to use MSXML for evaluating the query in a non-interoperable way:
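The code sample that followed at this point in the quoted post is not reproduced on this page. As an added illustration (not the post's code), the kind of wrapper it describes can be sketched as below: prefer DOM L3 XPath's `evaluate`, fall back to MSXML's `selectNodes`. The function name and the stand-in document objects are constructed for this example so that it runs without a browser.

```javascript
// Numeric value of XPathResult.ORDERED_NODE_SNAPSHOT_TYPE in DOM L3 XPath,
// spelled out so the file also loads where no XPathResult global exists.
const ORDERED_NODE_SNAPSHOT_TYPE = 7;

// Returns an array of the nodes matching `expression` under `contextNode`.
// (Hypothetical helper name; not from the quoted post.)
function selectNodesCompat(doc, contextNode, expression) {
  // Standards path: DOM L3 XPath exposes evaluate() on the document.
  if (typeof doc.evaluate === 'function') {
    const snapshot = doc.evaluate(
      expression, contextNode, null, ORDERED_NODE_SNAPSHOT_TYPE, null);
    const nodes = [];
    for (let i = 0; i < snapshot.snapshotLength; i++) {
      nodes.push(snapshot.snapshotItem(i));
    }
    return nodes;
  }
  // Legacy path: MSXML nodes expose selectNodes(), which returns a node list.
  if (typeof contextNode.selectNodes === 'function') {
    const list = contextNode.selectNodes(expression);
    const nodes = [];
    for (let i = 0; i < list.length; i++) {
      nodes.push(list.item(i));
    }
    return nodes;
  }
  throw new Error('No XPath implementation available for this document');
}

// Constructed stand-ins for the two document kinds (not real DOM objects).
function fakeStandardsDoc(matches) {
  return {
    evaluate() {
      return { snapshotLength: matches.length, snapshotItem: (i) => matches[i] };
    },
  };
}

function fakeMsxmlNode(matches) {
  return {
    selectNodes: () => ({ length: matches.length, item: (i) => matches[i] }),
  };
}

// Both branches return the same array shape to the caller.
function demoXPathCompat() {
  return {
    standards: selectNodesCompat(fakeStandardsDoc(['t1', 't2']), {}, '//title'),
    msxml: selectNodesCompat({}, fakeMsxmlNode(['t1', 't2']), '//title'),
  };
}
```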

It seems like a long time ago that a relatively senior Microsoft staffer told me that turning a battleship like MS takes time. No change, however important, is going to happen quickly. Just the way things are in a large organization.

The important thing to remember is that once change starts, that too takes on a certain momentum and so is more likely to continue, even though it was hard to get started.

Yes, I am sure the present steps towards greater interoperability could have gone further, in another direction, etc. but they didn’t. Rather than complain about the present change for the better, why not use that as a wedge to push for greater support for more recent XML standards?

For my part, I guess I need to get a copy of Windows 10 on a VM so I can volunteer as a beta tester for full XPath (XQuery?/XSLT?) support in a future web browser. MS as a full XML competitor and possible source of open source software would generate some excitement in the XML community!

How to install Spark 1.2 on Azure HDInsight clusters

Friday, March 20th, 2015

How to install Spark 1.2 on Azure HDInsight clusters by Maxim Lukiyanov.

From the post:

Today we are pleased to announce the refresh of the Apache Spark support on Azure HDInsight clusters. Spark is available on HDInsight through custom script action and today we are updating it to support the latest version of Spark 1.2. The previous version supported version 1.0. This update also adds Spark SQL support to the package.

Spark 1.2 script action requires latest version of HDInsight clusters 3.2. Older HDInsight clusters will get previous version of Spark 1.0 when customized with Spark script action.

Follow the below steps to create Spark cluster using Azure Portal:

The only remaining questions are: How good are you with Spark? and How big of a Spark cluster do you need? (or can afford).

Enjoy!

Cross Site Scripting zero-day bug [Or Feature?]

Thursday, February 5th, 2015

Internet Explorer has a Cross Site Scripting zero-day bug by Paul Ducklin.

From the post:

Another day, another zero-day.

This time, Microsoft Internet Explorer is attracting the sort of publicity a browser doesn’t want, following the public disclosure of what’s known as a Cross-Site Scripting, or XSS, bug.

With Microsoft apparently now investigating and looking at a patch, the timing of the disclosure certainly looks to be irresponsible.

There’s no suggestion that Microsoft failed to meet any sort of deadline to get a patch out, or even that the company was contacted in advance.

Nevertheless, details of the bug have been revealed, including some proof-of-concept JavaScript showing how to abuse the hole.

So, what is XSS, and what does this mean for security?

The bug violates the same origin policy (SOP) which Wikipedia describes as:

This mechanism bears a particular significance for modern web applications that extensively depend on HTTP cookies to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information or take state-changing actions. A strict separation between content provided by unrelated sites must be maintained on the client side to prevent the loss of data confidentiality or integrity.
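The separation the quoted passage describes, as an added example (not code from either cited post): a toy browser model in which a cookie is attached to every request for its host, and the same-origin check decides whether the requesting page may read the response. The hosts, cookie value and `ToyBrowser` class are constructed for illustration, and later cookie restrictions such as SameSite are not modelled.

```javascript
// An origin is the tuple (scheme, host, port). The URL parser lowercases the
// host and drops a scheme's default port, so the default is restored here.
function originOf(url) {
  const u = new URL(url);
  const defaultPort = { 'http:': '80', 'https:': '443' }[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed model of the browser behaviour in the quote, not a real engine.
class ToyBrowser {
  constructor({ enforceSop }) {
    this.enforceSop = enforceSop;
    this.cookies = new Map(); // keyed by host
  }

  setCookie(url, value) {
    this.cookies.set(new URL(url).hostname, value);
  }

  // A script in the page at `pageUrl` requests `targetUrl`.
  fetchFrom(pageUrl, targetUrl, server) {
    // The cookie for the target host rides along whichever page asked.
    const cookie = this.cookies.get(new URL(targetUrl).hostname) || null;
    const response = server(cookie);
    // SOP does not stop the request; it stops the page reading the answer.
    const readable = !this.enforceSop || sameOrigin(pageUrl, targetUrl);
    return { cookieSent: cookie !== null, body: readable ? response : null };
  }
}

// Constructed server: acts on the cookie alone, as the quote describes.
function accountServer(cookie) {
  return cookie === 'session=abc123' ? 'balance: 1,024.00' : 'please log in';
}

function demoSop() {
  const bank = 'https://bank.example/account';
  const other = 'https://other.example/page';
  const results = {};
  for (const enforceSop of [true, false]) {
    const browser = new ToyBrowser({ enforceSop });
    browser.setCookie(bank, 'session=abc123');
    results[enforceSop ? 'withSop' : 'withoutSop'] = {
      sameSite: browser.fetchFrom(bank, bank, accountServer),
      crossSite: browser.fetchFrom(other, bank, accountServer),
    };
  }
  return results;
}
```

In both runs the server answers the cross-site request with the account data, because the cookie was sent; only the client-side check determines whether the other page's script gets to see it.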

While phrased in terms of “security,” take note that this includes content from other sites as well. As one post I read on the topic suggested, content can be intermingled, but that isn’t the same as manipulation of content from another source.

If you think of SOP as preventing programmatic, creative and imaginative re-use of content from other sites, suddenly it sounds a lot less like a feature, doesn’t it?

Only if you follow the “cookie, cookie, me want cookie” philosophy of browser interaction is SOP even necessary. Once I authenticate to a remote site, if state is maintained at all it could be maintained on the server side. Rendering SOP, how did Eve in The Diaries of Adam and Eve put it?, ah, superfluous.

Curious how security became intertwined with the desire of content owners to prevent re-use of content. That doesn’t sound like a neutral choice to me. Perhaps we should make another choice and evolve a different security model for web browsers.

A different security model that puts security in the hands of those best able to maintain it, that is server side. And at the same time, empower users, script writers and others to re-use any content they can load into their browsers. Imagine the range of services and capabilities that would add!

Better security, better access to content from any site. Sounds like a win-win to me. You?

In the meantime, things with IE may not be as grim as reported. Sean Michael Kerner reports in: Researcher Discloses Potential Internet Explorer XSS Zero-Day Flaw, that Microsoft has known about the bug since October 13, 2014 and doesn’t seem to be all that excited about it.

I make that to be 115 days, including February 4, 2015, so zero-day + 115 days. Rather long in the tooth for a zero-day bug I would say. 😉 You do know that “zero-day” doesn’t mean the day you read about it. Yes?

The bug was reported on the Full Disclosure list, for which neither of the posts cited gave a URL.

PS: Is anyone working on a fork of JavaScript that enables cross site scripting by design? The advantages for content re-use would be enormous. Users in charge of content on their own screens. What a concept.

Creating Excel files with Python and XlsxWriter

Wednesday, February 4th, 2015

Creating Excel files with Python and XlsxWriter

From the post:

XlsxWriter is a Python module for creating Excel XLSX files.

[Image: demo-xlsxwriter]

(Sample code to create the above spreadsheet.)

XlsxWriter

XlsxWriter is a Python module that can be used to write text, numbers, formulas and hyperlinks to multiple worksheets in an Excel 2007+ XLSX file. It supports features such as formatting and many more, including:

  • 100% compatible Excel XLSX files.
  • Full formatting.
  • Merged cells.
  • Defined names.
  • Charts.
  • Autofilters.
  • Data validation and drop down lists.
  • Conditional formatting.
  • Worksheet PNG/JPEG images.
  • Rich multi-format strings.
  • Cell comments.
  • Memory optimisation mode for writing large files.

I know what you are thinking. If you are processing the data with Python, why the hell would you want to write data to XLS or XLSX?

Good question! But it also has an equally good answer.

Attend a workshop for mid-level managers and introduce one of the speakers saying:

We are going to give away copies of the data used in this presentation. By show of hands, how many people want it in R format? Now, how many people want it in Excel format?

Or you can reverse the questions so the glazed look from the audience on the R question doesn’t blind you. 😉

If your data need to transition to management, at least most management, spreadsheet formats are your friend.

If you don’t believe me, see any number of remarkable presentations by Felienne Hermans on the use of spreadsheets or check out my spreadsheets category.

Don’t get me wrong, I prefer being closer to the metal but on the other hand, delivering data that users can use is more profitable than the alternatives.

I first saw this in a tweet by Scientific Python.

The next generation of Windows: Windows 10

Wednesday, January 21st, 2015

The next generation of Windows: Windows 10 by Terry Myerson.

From the post:

Today I had the honor of sharing new information about Windows 10, the new generation of Windows.

Our team shared more Windows 10 experiences and how Windows 10 will inspire new scenarios across the broadest range of devices, from big screens to small screens to no screens at all. You can catch the video on-demand presentation here.

Windows 10 is the first step to an era of more personal computing. This vision framed our work on Windows 10, where we are moving Windows from its heritage of enabling a single device – the PC – to a world that is more mobile, natural and grounded in trust. We believe your experiences should be mobile – not just your devices. Technology should be out of the way and your apps, services and content should move with you across devices, seamlessly and easily. In our connected and transparent world, we know that people care deeply about privacy – and so do we. That’s why everything we do puts you in control – because you are our customer, not our product. We also believe that interacting with technology should be as natural as interacting with people – using voice, pen, gestures and even gaze for the right interaction, in the right way, at the right time. These concepts led our development and you saw them come to life today.

I had to find a text equivalent to the video. I was looking for specific information I saw mentioned in an email and watching the entire presentation (2+ hours) just wasn’t in the cards.

I will be watching the comment lists on Windows 10 for the answers to two questions:

First, will I be able to run Windows 10 within a VM on Ubuntu?

Second, for “sharing” of annotations to documents, is the “sharing” protocol open so that annotations can be shared by users not using Windows 10?

Actually I did see some of the video and assuming you have the skills of a graphic artist, you are going to be producing some rocking content with Windows 10. People who struggle to doodle, not so much.

The devil will be in the details but I can say this is the first version of Windows that has ever made me consider upgrading from Windows XP. Haven’t decided and may have to run it on a separate box (share monitors with Ubuntu) but I can definitely say I am interested.