Lest you think Microsoft has finally plugged the many holes in the S.S. Internet Explorer, Patch Tuesday December includes four critical updates (Microsoft’s “critical” rating means they should be applied immediately) addressing newly discovered weaknesses, including an actively exploited zero-day in the OLE (Object Linking & Embedding) platform. This particular chunk of code allows Microsoft apps like Office Word and Outlook to exchange documents with each other: when you insert an Excel spreadsheet into a Word document and it shows up as an editable spreadsheet, that’s OLE at work. In this case, the exploit allows booby-trapped Office documents attached to Outlook emails to circumvent security, typically for the express purpose of installing other malware onto the victim’s machine.
What this means for you:
I can already see your eyes glazing over, and I don’t blame you. Microsoft’s bulletins are making me cross-eyed as well. Here’s what you need to do:
- Make sure your OS is patched. The updates should start arriving on computers as early as tonight. Unless your machine is being managed by an internal IT department and they’ve disabled this functionality, your Windows OS should be set to automatically download and install all important updates from Microsoft. If you are not sure whether your computer is set up this way, you can check by going to Control Panel -> Windows Update.
- If you must use Internet Explorer, avoid using it until you get fully updated with the latest round of patches (see #1). If it’s possible, consider using an alternative such as Firefox or Chrome. While neither is guaranteed free of security bugs, they are still faring better than IE in terms of exploits.
- As always, avoid opening strange and/or unexpected attachments. If you regularly exchange documents with others via the internet, consider using a secure file-sharing platform other than Dropbox or Drop or any of the numerous clones that offer free apps. Instead, look into options like Citrix ShareFile (we use it here at C2) for a much more secure and fully encrypted way to exchange documents.
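If you would rather verify step #1 from a prompt than click through Control Panel, the following script is an added example (not from the original post or from Microsoft) that reads the Automatic Updates level from the Windows Update Agent, lists what was installed in the last 30 days, and reports the installed IE build. It assumes Windows 7 or 8.x with the Windows Update Agent COM interface available and an elevated PowerShell session; the optional pending-update search at the end contacts Windows Update (or your WSUS server) and so needs network access.

```powershell
# Added example: check Automatic Updates configuration and recent patch state.
# Assumes Windows 7/8.x and an elevated PowerShell session.

$au = New-Object -ComObject "Microsoft.Update.AutoUpdate"
$levels = @{
    0 = "Not configured"
    1 = "Disabled"
    2 = "Notify before download"
    3 = "Notify before installation"
    4 = "Install automatically (scheduled)"
}
$level = $au.Settings.NotificationLevel
"Automatic Updates: $($levels[$level]) (level $level)"
if ($level -lt 4) {
    Write-Warning "Automatic Updates is not set to install automatically; patches may be sitting unapplied."
}

# Updates installed in the last 30 days, newest first
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-30) } |
    Sort-Object InstalledOn -Descending |
    Format-Table HotFixID, Description, InstalledOn -AutoSize

# Installed Internet Explorer build (compare against the version in the bulletin)
(Get-Item "$env:ProgramFiles\Internet Explorer\iexplore.exe").VersionInfo.ProductVersion

# Optional: ask Windows Update/WSUS how many applicable updates are still missing
$searcher = (New-Object -ComObject "Microsoft.Update.Session").CreateUpdateSearcher()
$pending = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates
"Pending updates: $($pending.Count)"
$pending | ForEach-Object { " - $($_.Title)" }
```

A level below 4 means someone (or some policy) has turned automatic installation off; on a domain-joined machine, check with IT before changing it, since WSUS may be staging updates on its own schedule.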
Though it’s still used on over half of all Windows-based computers around the world, Microsoft has stopped providing certain versions of Windows 7, specifically Home Basic/Premium and Ultimate, to computer manufacturers worldwide. Once the current inventory runs out, the only computers that can be bought with Windows 7 will be business-class machines (such as Dell’s OptiPlex and Latitude model lines) with the “Pro” or “Enterprise” version installed. Everything else will be Windows 8 or 8.1 until Microsoft launches Windows 10 mid-next year.
What this means for you:
While it’s true that the average consumer may have trouble purchasing a Windows 7 machine for the foreseeable future, Microsoft has no intention of cutting off support for Windows 7 like it did for Windows XP earlier this year. There is still a very large base of enterprise installations running contentedly on 7 and some companies have only just recently completed their migration from XP! Microsoft will continue to provide licensing avenues for companies that need to expand their existing Windows 7 fleets, and most IT organizations appear content to wait to see what Windows 10 has in store for their companies as opposed to switching their operations to the much maligned 8.
All this being said, if you need a new computer, don’t let the lack of 7 or the presence of 8 deter you from a purchase. As mentioned above, it is still possible to purchase Windows 7 Pro machines, though they come with a premium price as compared to the cheaper consumer lines that sold with Windows 7 Home. If you can’t get a Windows 7 machine, consider shopping for one that has 8.1 (not 8), which has multiple improvements (mostly under the hood) over its predecessor. Be prepared for some transition pain – mostly in learning how to navigate Windows 8’s dual-personality interface, but once you get settled in, the experience will largely be the same as what you enjoyed in Windows 7.
In the ever-escalating cloud services arms race, Microsoft just trotted out a whopper of a one-up over just about everyone in competition: Microsoft’s OneDrive VP just announced on the OneDrive blog that all Personal, Home and Education Office365 subscribers will have access to unlimited cloud storage for no additional cost. Lest you feel left out in the cold, business subscribers, Microsoft has plans to extend your storage in a similar fashion in 2015. All a part of its master plan, Microsoft envisions a future where everything is done in the cloud, and they want to make sure you are firmly rooted in their ecosystem.
What this means for you:
Before you rush off to move all your files to the cloud as Microsoft suggests, you should consider the implications. Cloud storage of any type is a double-edged sword: on the one hand, once you get your data uploaded, you can (supposedly) stop worrying about mechanical failures, such as hard drive crashes and sending your USB thumb drives through the wash. Another great benefit is that your data is essentially accessible from anywhere on the internet. Setting up technology to provide this type of service is not trivial. Even when you are as big as JP Morgan, it’s still possible to misconfigure your servers, so having a provider who is (probably) an expert at this is better than trying to do it yourself, especially if your company can’t afford a full-time IT professional.
On the other hand, your data is now stored on hardware (and a service) over which you have very little control, and which requires an internet connection. There is also the possibility that your data could be accessed without authorization, either by hackers who manage to penetrate the service’s security, or by the provider itself, who may be subject to a government subpoena, or even by a provider employee with malicious intent.
Given the two sides of this very sharp sword, one must make a reasoned decision about whether to employ cloud storage as part of your technology profile. The most important factor will be the type of data you are planning to store: if any of the alphabet-soup laws apply (HIPAA, for example), you may be severely limited in what you can legally store on a cloud-based service. Even if the laws don’t seem to directly apply, consider the consequences if any of your data were to be exposed on the internet for anyone to see: would it be damaging to your business or your clients? If so, you may want to rethink whether the cloud is ready for you.
If you thought you had data breach fatigue, prepare to be exhausted this week:
- Hacker tries to scam Internet with fake DropBox password database – DropBox refutes the claim, noting the “proof of hack” provided consisted of known stolen passwords from other sources.
- Kmart Hacked – Undisclosed Quantity of Credit Card Numbers Stolen – Sears-owned retail outlet may have been a victim of known point-of-sale malware “Backoff”, says no identity info stolen, just credit and debit card numbers.
- SnapChat denies it was source of potential racy photo leak – Third-party addon app “SnapSaved” blamed for providing an avenue for hackers to save pictures from SnapChat. SnapSaved admits to security breach, but downplays claims that hackers could provide a “searchable” database of photos.
- NATO Summit Gets Breached by Russian Hackers – Hackers whom security analysts believe to be Russian exploited a Zero-day flaw in Windows operating systems through a spearphishing campaign targeting Ukrainian government workers, leading to breaches on government servers and probably information leaks from Summit proceedings.
- Google Documents Flaw in SSL 3.0 Protocol – Google documents a serious flaw in the encryption protocol SSL 3.0 and immediately removes it from the Chrome web browser. Though outdated, SSL 3.0 is still widely used as a fallback protocol when newer protocols fail to negotiate, which is exactly what an attacker sitting between you and a website can force to happen.
- 850K Records Exposed in Oregon Employment Dept Website Breach – State-run website exposes personal information on hundreds of thousands of job seekers. No financial information was exposed, but leaked info could lead to identity theft.
Obviously stung by the world’s tepid reception of Windows 8, Microsoft announced that the next version of their operating system will be skipping Windows 9 and heading straight to 10. The jump is meant to signify a considerable advancement in the base operating system: this version of Windows isn’t just an incremental upgrade or updated version of 8. Microsoft intends to unify the operating system across mobile devices and traditional workstations (much like Apple is attempting to do with iOS), providing app makers a simpler development environment and presumably a much larger market. Previously known as “Threshold”, Windows 10 won’t be available to the general public until 2015, but preview-builds will supposedly be available starting October 1.
What this means for you:
If you’ve been holding out on upgrading your Windows 7 machine in the hopes that something better than 8 would come along, your prayers (may) have been answered. Early reports suggest that 10 is a mix of the best of 7 and 8, though you may wonder what parts of 8 qualified as “best.” Most gratifying will probably be the return of the beloved Start Menu, but with an 8 twist – the ability to add tiles to the menu (like the ones on the 8 start screen). Another eagerly anticipated feature will be improved window management utilizing the poorly-documented “snap” features of 7 and 8, as well as multiple desktops (something Linux users have had for years).
How should you prepare for the coming of the mighty 10? There are rumors that 10 may be free to current Windows 8 users, but Microsoft has refused to confirm this. If you have Windows 8 and were contemplating downgrading, you may want to hold off on the off chance you can get 10 for free. Early reports indicate that Windows 10 will have the same hardware requirements as Windows 8, so older hardware may be left behind, but anything made in the past 2-3 years should be fine. If you want to prepare right now, a larger monitor may provide you with the most bang for your buck, as Windows 10 looks like it will make multitasking even easier. More windows open equals getting more done, right?
I shouldn’t have worried that my special “Microsoft Zero-day Warning” graphic was going to gather dust. Would it surprise you to hear that a serious security flaw has been found in all versions of Internet Explorer up to the latest, version 11? This particular loophole allows attackers to use a specially crafted Flash file served from compromised websites (like the ones linked to in spam, scams and phishing emails) to gain full control of your computer, which will likely lead to a badly infected machine and theft of your personal information. Though there are some band-aids offered by Microsoft, as of now there is no word whether this hole will be plugged by an emergency patch released soon, on “Patch Tuesday” (2 weeks from now), or even later than that. Because of the severity of the security flaw, even the Department of Homeland Security is recommending everyone avoid using IE until this is fixed. Oh, and remember Windows XP? It won’t be getting patched, so that’s yet another burning reason to switch browsers, and upgrade as soon as possible.
What this means for you:
This flaw is being exploited “in the wild” as you read this, though not widely yet, and has thus far been used to target government employees and defense contractors. Given how large the target surface is, this exploit is highly likely to spread beyond these focused attacks. Unless your work requires it (or disallows the use of other browsers), you should stop using Internet Explorer for anything except known work-related websites. And if you have to use IE, you can disable the Flash add-on until the hole is plugged. This article from Microsoft explains how to do this, but make sure you use the little drop-down to the right of the headline to switch to the appropriate version of IE for specific steps. Chrome, Firefox or Safari are good alternatives to IE, and who knows, you may find that they can permanently replace IE for most of your web browsing tasks.
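If you have more than a handful of machines, clicking through Manage Add-ons on each one gets old fast. The script below is an added example (not Microsoft’s own instructions from the linked article) that does the same thing from the registry by setting the ActiveX “kill bit” on the Shockwave Flash control, which stops IE from loading it in any zone. It assumes the standard Flash ActiveX CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000} and an elevated PowerShell session; on 64-bit Windows it writes both registry views so that both the 32-bit and 64-bit IE binaries honor it. Reverse it (delete the value or the key) once the patch is installed, or Flash will stay dead in IE.

```powershell
# Added example: set the ActiveX kill bit for the Flash control so IE refuses to load it.
# Assumes the standard Flash CLSID and an elevated session. Undo after patching.

$flashClsid = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
$killBit    = 0x400   # "Compatibility Flags" value that blocks the control in IE

$paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid")
if (Test-Path "HKLM:\SOFTWARE\Wow6432Node") {
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
}

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    Set-ItemProperty -Path $p -Name "Compatibility Flags" -Value $killBit -Type DWord
}

# Verify: every path should report 0x400
foreach ($p in $paths) {
    $flags = (Get-ItemProperty -Path $p -Name "Compatibility Flags")."Compatibility Flags"
    "{0} -> 0x{1:X}" -f $p, $flags
}

# To undo after the patch lands, run:
#   foreach ($p in $paths) { Remove-ItemProperty -Path $p -Name "Compatibility Flags" }
```

The kill bit is per-machine and survives reboots, which is the point, but it also means a user cannot quietly re-enable Flash from the add-ons dialog. Close and reopen IE after running it; already-open windows keep the control loaded.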
In case you haven’t heard, about a third of the world’s computers are about to lose official support from Microsoft on April 8. Any computer running Windows XP will no longer receive updates or fixes for any vulnerabilities discovered after the cutoff date. Microsoft will continue to provide limited support for its XP-compatible security products, like Security Essentials (their free anti-malware product), but that is set to end sometime in 2015. Most antivirus manufacturers have stated that they will continue to support XP-compatible versions of their apps into 2016, but without core patches to the XP operating system, their efforts will be merely fingers in a deteriorating dike.
What this means for you:
Though you may not know it, your company or the vendors that service you may be heavily reliant on XP. Case in point – one of my clients relies on XP workstations to monitor environmental-control equipment (think air-conditioning and heating) and building automation systems, and some of the computers running these applications haven’t been updated for years, and in some extreme cases, the hardware may be close to a decade old. Hardware failure aside, the lack of support for XP going forward will mean those computers will need to be replaced ASAP, and may be a cost you hadn’t considered in your 2014 or 2015 budget.
Windows XP-powered computers are likely to show up in places where they are used regularly but not by a single individual, and are thus overlooked during the regular upgrade process: kiosks (lobby directories, ATMs, silent radios), point-of-sale systems, document scanning stations, etc. Make sure you comb through your organization’s infrastructure for these computers, as they will become vulnerability points for your entire operation and could lead to serious security breaches. Unfortunately, rectifying these obsolete workstations won’t be cheap or easy, especially if they power critical systems, but in some cases it may be possible to port XP-only applications to Windows 7 and run them in compatibility mode. Make sure you work closely with the vendors who supply this older software to determine what, if any, plans they have to bring their platform to Windows 7, and if they have no plans, it may be time to consider a new vendor or service.
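One quick way to start that combing on a domain is to ask Active Directory which computer accounts still report an XP operating system. The script below is an added example (not from the original post) that pulls every such account with its service pack and last logon, flags the ones that haven’t logged on in 90 days (likely retired or a kiosk that never authenticates as a user), and writes the result to a CSV you can hand to the vendor conversation. It assumes the ActiveDirectory PowerShell module (RSAT) and read rights on the domain; the 90-day cutoff and the output file name are choices for this example. Machines that were never joined to the domain, which is common for vendor-installed POS and building-automation boxes, will not appear here and still need a network scan or a walk-through.

```powershell
# Added example: inventory domain-joined Windows XP computers from Active Directory.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$staleCutoff = (Get-Date).AddDays(-90)      # example threshold, adjust to taste
$outFile     = ".\xp-inventory.csv"         # example output path

$xpHosts = Get-ADComputer -Filter { OperatingSystem -like "*XP*" } `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address,
        @{ Name = "StaleOver90Days"; Expression = { $_.LastLogonDate -lt $staleCutoff } } |
    Sort-Object LastLogonDate -Descending

$xpHosts | Export-Csv -Path $outFile -NoTypeInformation
$xpHosts | Format-Table -AutoSize

"Total XP accounts: {0}; stale (no logon in 90 days): {1}" -f `
    $xpHosts.Count, ($xpHosts | Where-Object { $_.StaleOver90Days }).Count
```

Note that OperatingSystem in AD is whatever the machine last reported when it joined or refreshed its account, so a box that was upgraded in place but never rejoined can still show as XP; treat the list as a starting point to verify, not as gospel.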
It feels strange to be writing about Microsoft and not mentioning a security loophole or zero-day exploit, but it is the day before April Fool’s after all. Fortunately for the iPad faithful, this isn’t a prank. On March 27, Microsoft launched iPad versions of its most-used office productivity applications: Word, Excel and PowerPoint, all of them available for free download through the App Store. “What’s the catch,” I hear you say? You can use them free, forever, to view documents, but if you want to create or edit documents, you need to have a subscription to Office365.com, the minimum of which is $70/year.
What this means for you:
The lack of any official MS Office software may have been one of the remaining tenuous barriers holding the iPad back from a complete domination of corporate boardrooms. Long a favorite of executives but usually relegated to email-only roles because of this lack, Office for the iPad may allow the C-suite to completely cut the cord on any vestigial Windows laptops they have been “forced” to carry around to do anything other than reading emails. I also know a lot of road warriors who may view the new apps with a mix of joy and trepidation, as it will conceivably allow for more effective work-related use of their iPad on those cramped, coach-fare flights. The excuse of “not being able to edit that Word document during the flight because all I have is my iPad” just won’t cut it anymore.
In all seriousness, this also marks a significant change in vision for Microsoft, a company that up until the new CEO’s arrival had always put “Windows first”, even when it may have meant losing market share, as it has for so long in the iPad space. It’s still too early to tell whether this change in corporate values will lead to other transformations and products for other platforms (Office for Android, anyone?), but this is certainly a step in a new direction for the company.