No security update for XP SP2

Computerworld – Although some had hoped that Microsoft would violate its own patching policy, the company yesterday stuck to its guns and declined to provide a fix for a critical bug to users running Windows XP Service Pack 2 (SP2).

On Monday, Microsoft shipped an emergency patch for the Windows shortcut bug that attackers have been exploiting for several weeks. The vulnerability affects all versions from Windows 2000 on, including XP, Vista and Windows 7.

But, per Microsoft’s practice, the oldest operating systems and service packs were denied the update.

“To be crystal clear, there is no security update for XP SP2,” said Microsoft spokesman Christopher Budd in a Webcast on the out-of-band patch that he hosted Monday afternoon.

Microsoft retired XP SP2, as well as the even older Windows 2000, from all support on July 13, when both editions exited the company’s final five-year “extended support” phase. Products dropped from extended support no longer receive security patches or other non-security fixes from Microsoft via its Automatic Update service and business patch mechanisms like Windows Server Update Service (WSUS).

Nonetheless, a few security researchers had held out a little hope that Microsoft would issue a fix for the Windows shortcut vulnerability to machines running XP SP2.

“The only question I had was whether Microsoft would try and release a patch for unsupported operating systems,” Andrew Storms, director of security operations at nCircle Security, said in an interview Monday. “There’s a ton of people still running SP2, and it just went end-of-life.”

Other researchers echoed Storms yesterday. Jason Miller, data and security team manager for patch management vendor Shavlik Technologies, said he had looked carefully for any sign that Microsoft was pushing a fix to Windows XP SP2 or Windows 2000. There wasn’t one.

Wolfgang Kandek, CTO of Qualys, confirmed that. “The recently discontinued Windows 2000 and Windows XP SP2 are not covered by the patch,” said Kandek.

Microsoft declined to directly answer questions yesterday about whether XP SP2 users would be served the out-of-band update. “Microsoft does not comment on the possible vulnerability of out-of-support versions of products,” said Budd in an e-mail reply to those questions Monday. (source)


Hackers love Apple’s iPad, iPhone, too

One of the greatest things about using a Mac instead of a PC is not having to deal with all the headaches of viruses, adware, trojans and all of the other havoc that hackers have been inflicting on Windows users for more than a decade.

Of course, that’s not to say that Macs have never been vulnerable – it’s just that hackers tend to go where the masses are, where their chances are greater that someone in the pack will click on the bad link or open the bad attachment.

Now that the popularity of the iPhone and the iPad – both of which run iOS – has gone mainstream, hackers are targeting iOS. And surely they’re counting on users – who have long known about vulnerabilities in computers – to be naive about the vulnerabilities that are possible in the mobile world.

Also see: Your iPhone, iPad and iPod touch devices are all wide open to hackers

Today, Gizmodo posted an unsourced report about a security vulnerability in iOS that is being exploited through PDF files and the Web pages that load them in the Safari browser. Gizmodo calls the vulnerability “easily exploitable” and explains that unsuspecting users could be handing “total control” of their iPhones, iPod Touches or iPads to hackers. The blog reports:

It just requires the user to visit a web address using Safari. The web site can automatically load a simple PDF document, which contains a font that hides a special program. When your iOS device tries to display the PDF file, that font causes something called a stack overflow, a technical condition that allows the secret ninja code inside the font to gain complete control of your device. The result is that, without any user intervention whatsoever, that program can do whatever it wants inside your iPhone, iPod touch or iPad. Anything you can imagine: Delete files, transmit files, install programs running in the background that can monitor your actions… anything can be done.

Again, the Gizmodo post is unsourced, though it does link to a couple of other blogs that offer more technical details about what’s at work here. [Macstories and Digdog] Still, it’s important for iPhone and iPad owners to recognize that the invisible security blanket that once came with being an Apple customer is going away.

The company is quick to boast of the number of iPhones and iPads out there – now in the millions. And market tracking firms are also quick to note how the iPad has given Apple a huge head start in the tablet market and how the iPhone – even though it doesn’t have the largest market share – is the smartphone that competitors are targeting. But competitors aren’t the only ones painting a target on Apple’s back. Hackers are apparently eyeing it, too.

The Gizmodo post includes some information about a product that warns users when a PDF is about to be loaded – but that requires you to jailbreak your device, which will void your warranty. It also notes that Apple has not yet responded to its inquiries about this particular vulnerability.

Hopefully, that’s because the security team is working double time to fix the vulnerability – and looking for ways to deal with the ones that are sure to surface in the future. (source)


Microsoft slates IE9 beta for September

Computerworld – Microsoft will ship a beta of Internet Explorer 9 (IE9) in September, a company executive said today.

If the timeline is accurate, the IE9 beta release will come a month later than earlier speculation, which had settled on August, a pick based in large part on PowerPoint slides purportedly from a Microsoft presentation that focused on Windows 8, the next iteration of the company’s OS.

Today, Kevin Turner, Microsoft’s chief operating officer, said that IE9 would reach beta this fall. “We’re really excited about IE9, which will be beta and coming out in September,” said Turner during the company’s annual day-long presentation to Wall Street analysts.

Turner also boasted of Internet Explorer’s recent turnaround, claiming that it had gained usage share the last two months.

According to Web analytics company Net Applications, IE did increase its global share by a record six-tenths of a percentage point during June. However, Net Applications had IE losing, not gaining, ground worldwide in May.

As of June 30, IE accounted for an estimated 60.3% of all browsers used during the month.

Since March, when the company debuted a rough-around-the-edges IE9 developer preview, the company has updated the bare-bones browser twice, most recently in late June.

After Turner’s announcement of a September beta for IE9, Microsoft declined to answer additional questions, including when during the month users could expect the more stable preview, or whether the beta would be open to everyone, as the developer previews have been. (full story here)


Adobe Reader is the number 1 target for vulnerability

The next major version of Adobe Reader, presumably version 10, will include a sandbox architecture called “Protected Mode” to defend the system against vulnerability exploits in Reader.

Adobe Reader is widely acknowledged to be the number 1 target for vulnerability exploit writers these days. An effective sandbox could be a powerful tool for Adobe to protect its users. Protected Mode will be turned on by default in Reader. Adobe is not providing a planned release date for the new version.

Similar in architecture to the sandboxes in Google Chrome and Microsoft Office 2010, Adobe Reader Protected Mode doesn’t stop vulnerabilities from being found or exploited; it limits their severity by restricting what code running inside the sandboxed process is allowed to do. (full story here)
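To make the "limits what they can do" point concrete, here is an added Python sketch of the broker pattern that renderer sandboxes of this kind are built on. It is not Adobe's code and does not describe how Protected Mode is actually implemented; the `Broker` class, its policy (read only the open document, write only into one approved output directory) and the constructed request stream are all hypothetical. The untrusted renderer never touches the file system itself; it asks the trusted broker, which canonicalises the path before checking policy, so an exploited renderer that tries to read an unrelated file or traverse out of the approved directory is simply refused.

```python
import os
from pathlib import Path
from tempfile import TemporaryDirectory


class Broker:
    """Trusted side of a hypothetical sandbox: holds the policy and does all I/O for the renderer."""

    def __init__(self, readable_files, writable_dirs):
        # Canonicalise the policy once so later comparisons are real-path to real-path.
        self.readable = {os.path.realpath(p) for p in readable_files}
        self.writable = [Path(os.path.realpath(d)) for d in writable_dirs]
        self.audit = []  # (op, path as requested, allowed?) for the incident responder

    def _allowed(self, op, target):
        if op == "read":
            return str(target) in self.readable
        if op == "write":
            # The file's directory must be an approved directory or lie beneath one.
            return any(d == target.parent or d in target.parent.parents for d in self.writable)
        return False  # anything the broker has no handler for (exec, network, ...) is denied by default

    def handle(self, request):
        op, path = request["op"], request["path"]
        # Resolve symlinks and '..' BEFORE the policy check; comparing the raw string
        # the renderer sent is the classic way such brokers get escaped.
        target = Path(os.path.realpath(path))
        allowed = self._allowed(op, target)
        self.audit.append((op, path, allowed))
        if not allowed:
            return {"ok": False, "error": "denied by broker policy"}
        if op == "read":
            return {"ok": True, "data": target.read_bytes()}
        target.write_bytes(request["data"])
        return {"ok": True}


def compromised_renderer_requests(doc, outdir, secret):
    """Constructed request stream: what attacker code running inside the renderer might try."""
    return [
        {"op": "read", "path": doc},                                                     # legitimate
        {"op": "write", "path": os.path.join(outdir, "notes.txt"), "data": b"ok"},       # legitimate
        {"op": "read", "path": secret},                                                  # steal an unrelated file
        {"op": "write", "path": os.path.join(outdir, "..", "payload.exe"), "data": b"MZ"},  # traverse out of outdir
        {"op": "exec", "path": os.path.join(outdir, "notes.txt")},                       # operation with no handler
    ]


def run_demo():
    """Runs the broker over the constructed stream; returns [(op, allowed), ...] in request order."""
    with TemporaryDirectory() as root:
        doc = os.path.join(root, "open.pdf")
        secret = os.path.join(root, "secret.txt")
        outdir = os.path.join(root, "out")
        os.mkdir(outdir)
        Path(doc).write_bytes(b"%PDF-1.4 constructed sample")
        Path(secret).write_bytes(b"not for the renderer")

        broker = Broker(readable_files=[doc], writable_dirs=[outdir])
        requests = compromised_renderer_requests(doc, outdir, secret)
        results = [broker.handle(r) for r in requests]
        # The traversal write must never have landed outside out/.
        assert not os.path.exists(os.path.join(root, "payload.exe"))
        return [(r["op"], res["ok"]) for r, res in zip(requests, results)]


if __name__ == "__main__":
    for op, ok in run_demo():
        print(f"{op:5s} -> {'allowed' if ok else 'DENIED'}")
```

The design point is that the policy lives entirely on the trusted side and is evaluated on the resolved path; a real broker would also have to cope with symlinks created inside the writable directory after the check, with races between check and use, and with every other resource class (registry, network, process creation), which is why such sandboxes reduce, rather than remove, the impact of a renderer exploit.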
