Everything posted by AWS
-
Bulletin Severity Rating: Important - This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if an attacker sent a specially crafted HTTP request to an ADFS-enabled Web server. An attacker would need to be an authenticated user in order to exploit either of these vulnerabilities. View the full article
-
Bulletin Severity Rating: Important - This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow a denial of service if a remote, authenticated attacker, while communicating through Internet Protocol security (IPsec), sends a specially crafted ISAKMP message to the Local Security Authority Subsystem Service (LSASS) on an affected system. View the full article
-
windows vista Screen Saver Won't Shut Down
AWS replied to PattiChati's topic in Operating Systems Help & Support
I didn't think you could use a photo for a screen saver.
-
Windows 7 is seeing success in the marketplace which I am very happy about from a security perspective. The Microsoft Security Intelligence Report has shown us again and again that the more up-to-date a PC is, the less likely it is to be infected by malware and other potentially dangerous software. So Windows 7 making strides is helpful to the ecosystem overall from a security standpoint.

Success comes at a price though, through greater scrutiny and misinterpretation of some of the technologies. One of those technologies is BitLocker. I've seen numerous claims the past few weeks about weaknesses in BitLocker and even claims of commercial software that "breaks" BitLocker. One claim is from a product that "allows bypassing BitLocker encryption for seized computers." This claim is for a forensics product and has legitimate uses; however, to say it "breaks" BitLocker is a bit of a misnomer. The tool "recovers encryption keys for hard drives" which relies on the assumption that a physical image of memory is accessible, which is not the case if you follow BitLocker's best practices guidance. The product, like others used legitimately for data recovery and digital forensics analysis, requires "a physical memory image file of the target computer" to extract the encryption keys for a BitLocker disk. Our discussions of Windows BitLocker have always been to communicate that it is intended to help protect data at rest (e.g. when the machine is powered off). If a forensics analyst or thief/adversary has physical access to a running system, it may be possible to make a copy of the computer's memory contents by using an administrative account on the system, or potentially through hardware-based methods such as direct memory access (DMA).

Another report discusses targeted attack vectors where the attacker must gain physical access to the computer, multiple times I might add. This research is similar to other published attacks where the owner leaves a computer unattended in a hotel room and anyone with access to the room could tamper with this computer. This sort of targeted attack poses a relatively low risk to folks who use BitLocker in the real world. Even with BitLocker's multi-authentication configurations, an attacker could spoof the pre-OS collection of the user's PIN, store this PIN for later retrieval, and then reboot into the authentic collection of the user's PIN. The attacker would then be required to gain physical access to the laptop for a second time in order to retrieve the user's PIN and complete the attack scheme. These sorts of targeted threats are not new and are something we've addressed in the past; in 2006 we discussed similar attacks, where we've been straightforward with customers and partners that BitLocker does not protect against these unlikely, targeted attacks.

Our customers are confronted with a wide spectrum of data security threats that are specific to their environment and we work hard to provide capabilities and information to help the customer achieve the right balance of security, manageability, and ease-of-use for their specific circumstances. BitLocker is an effective solution to help safeguard personal and private data on mobile PCs and provides a number of protection options that meet different end-user needs. Like most full volume encryption products on the market, BitLocker uses a key in memory when the system is running in order to encrypt/decrypt data on the fly for the drives in use. Also like other encryption products, a determined adversary has significant advantages when they have physical access to a computer. We recognize users want advice with regards to BitLocker and have published best practice guidance in The Data Encryption Toolkit for Mobile PCs. In the toolkit, we discuss the balance of security and usability and detail that the most secure method is to use BitLocker in hibernate mode and a TPM+PIN configuration. Using this method, a machine that is powered off or hibernated will protect users from the ability to extract a physical memory image of the computer.

Windows 7 BitLocker continues to be a foundational component adding to any defense in depth strategy for securing systems, and specifically laptops. Even with the great enhancements made in Windows 7 such as BitLocker To Go, it still remains that BitLocker alone is not a complete security solution. IT professionals as well as users must be diligent when protecting IT resources and the best protection against these sorts of targeted attacks requires more than just technology: it requires end user education, and physical security also plays an important role. View the full article
-
Here's the December 2009 update to "What I Use". Changes include a return to the iPod platform after months of dabbling with Zune HD, my favorite iPhone apps, Office 2010, a broader mix of web browsers, Modern Warfare 2, and some Mac virtualization solutions. View the full article
-
As we rush to the cloud computing future, it's important to remember that the computing platforms of today will continue forward. Microsoft's success creating today's platforms should help going forward. View the full article
-
windows xp What Happened On October 24Th?
AWS replied to KenJackson's topic in Operating Systems Help & Support
I shut off the Usenet bot.
-
Many expect Microsoft to become the next IBM, a huge, successful, and almost universally boring behemoth. This may still happen. But at least Microsoft is going kicking and screaming into this possible future. View the full article
-
Internet Explorer - IE8 SmartScreen in action
AWS posted a topic in Tech Support & Discussions Forum
Last week at PDC, as we were about to start talking to people about IE9, I saw the following notification from my Facebook account:

From: Facebook [mailto:notification+mwm5axbx@facebookmail.com]
Sent: Tuesday, November 17, 2009 10:05 AM

Dina posted something on your Wall and wrote:
"funny vid of u, you see it? http://www.facebook.com/l/ca339;hTTP://www.N70.InFO/2d"
To see your Wall or to write on Dina's Wall, follow the link below:
Thanks,
The Facebook Team

The message was from someone I know pretty well, and I believed the message. The address itself (http://www.n70.info/2d) wasn’t that suspicious; there are a lot of URL shortening services, and the .info domain has many legitimate sites on it. So I clicked it: http://ieblog.members.winisp.net/images/Dean_facebook_smartscreen.png and thought – whew.
-
It's still a year away, but now that Google has shown off its plans for the Chrome OS, consumers--and other OS makers like Apple and Microsoft--have a lot of thinking to do. Here's what Google is planning. View the full article