Windows

The H-Online: The Tuesday after the Easter weekend, 10 April, is set to be a busy one for system administrators as Microsoft and Adobe have sent out notifications that they will both be issuing fixes for critical vulnerabilities in their products. Microsoft’s April notification says there will be four critical advisories concerning Microsoft Windows, Internet Explorer, .NET Framework, Office, SQL Server, Microsoft Server and Developer tools, which all lead to remote code execution. A fifth remote code execution vulnerability in Office is marked as important, as is a sixth information disclosure issue in Microsoft’s Forefront United Access Gateway. The critical bulletins will affect all versions of Windows, from Windows XP SP3 to Windows Server 2008R2. One critical bulletin for Internet Explorer covers IE 6, 7, 8 and 9 ...

The H-Security: Next week’s Patch Tuesday sees Microsoft planning to publish a total of six bulletins, including one that addresses a critical vulnerability in all versions of Windows from Windows XP service pack 3 to Windows 7 service pack 1 and Windows Server 2008 R2. The rating means that the hole enables attackers to infect a system via the internet and inject malicious code. Other bulletins will address a privilege elevation flaw which affects the same span of Windows versions. ...

The Register: Microsoft plans to publish nine updates next Tuesday – four of which are critical – as part of a Valentine’s Day edition of its Patch Tuesday update cycle. Highlights of the batch, which collectively address 21 vulnerabilities, include a critical update for Internet Explorer. There are also two critical fixes for Windows itself, plus one for Microsoft’s .NET framework. Three the five remaining “important” fixes grapple with remote code execution-type vulnerabilities, one of which involves Office. Flaws of this type are best addressed sooner rather than later because they might easily be exploited by malware slingers. ...

Windows Experience Blog wrote: If you’ve been reading the blog lately, you know that I’m trying to bring back Valentine’s Day as a cool hip holiday. It’s not my fault; really, I’m just a sucker for a love note. The best thing about a Valentine’s Day card, to be honest, isn’t the words (they are always cheesy) – it’s the thought. With that thought in mind, we headed to the wilderness to create this card for you. ...

The H-Online: The German Federal Office of Information Security (BSI (German), BSI English) has compiled security recommendations for Windows PCs that will probably sound familiar to regular readers of The H: Anti-virus software – including free solutions –, backups, security updates, an alternative browser such as Google Chrome and “a healthy level of mistrust” are the main components of its proposal for a secure Windows PC. As the UK lacks a governmental organization that makes such recommendations, as usually such organizations recommend policy for public projects, it is worth seeing what Germany’s BSI suggests. ...

MSDN: One of the things we talk quite a bit about with Windows 8 is making sure Windows is a safe, secure, and reliable computing environment. We have always provided a broad range of solutions for achieving these goals and work closely with a broad range of industry partners. We continue to enhance these capabilities with Windows 8 while making sure you always have choice and control over how to protect and manage your PC. With Windows 8 we are extending the protections provided by Defender to address a broader range of potential threats. Jason Garms, the group program manager of our reliability and security team authored this post that represents work across several teams. –Steven ...

The H-Security: Microsoft has released two updates for Windows and three for Office to close various security holes. All five updates have only been rated “important” by the company. A hole in WINS enables local attackers to escalate their privileges on a system. Another patch prevents a new variant of binary planting, or DLL hijacking, attacks that can cause Windows to load DLLs from shared network volumes without the user’s permission. This allows attackers to execute code on a computer via specially crafted DLLs. Microsoft has been struggling to contain the insecure DLL loading problem with numerous patches released since mid 2010. ...

Windows 8 News Blog: The recently created Building Windows 8 blog seems to be up in full swing, with new articles about the upcoming operating system being released regularly. Steven Sinofsky revealed in “Improving our file management basics: copy, move, rename, and delete” that Microsoft intents to improve file management processes under Windows 8. According to Steven, Microsoft had three goals to improve the copy experience: One place to manage all copy jobs: Create one unified experience for managing and monitoring ongoing copy operations. Clear and concise: Remove distractions and give people the key information they need. User in control: Put people in control of their copy operations. Consolidating the copy experience is a great idea. This means that you won’t have to deal with multiple copying windows when you run multiple copy or move operations in the operating system. All copy jobs are now consolidated in one screen. ...

The Hacker News: Microsoft has announced that it will release 13 bulletins to address 22 vulnerabilities in Windows, Office, Internet Explorer, .NET and Visual Studio on its next Patch Tuesday. Another “critical” bulletin affects Windows server operating systems, and addresses a code-execution risk on unpatched systems. Also of note is an update restricted to newer versions of Windows (Windows 7 and Windows 2008) that tackles a potential, though difficult to exploit, code-execution risk. ...

H-Security Online: Version 7.7 of QuickTime is now available for users running Windows XP SP2 or later and Mac OS X v10.5.8 Leopard. The maintenance and security update addresses a total of 14 security vulnerabilities in the multimedia application. QuickTime 7.7 closes holes on both platforms that could be used by an attacker to, for example, crash the application or execute arbitrary code on a victim’s system. For an attack to be successful, a victim must first open a specially crafted file or a malicious web site. A cross-origin issue that may lead to the disclosure of video data from another web site has also been fixed. The company notes that, for Mac OS X 10.6 users, these holes have already been addressed in 10.6.8; the latest version of Mac OS X, 10.7 Lion, is not affected. ...