Microsoft Patches 5 Zero-Day Vulnerabilities

Microsoft has released its monthly Patch Tuesday update including a total of 10 security bulletin, and you are required to apply the whole package of patches altogether, whether you like it or not.

That's because the company is kicking off a controversial new all-or-nothing patch model this month by packaging all security updates into a single payload, removing your ability to pick and choose which individual patches to install.

October's patch bundle includes fixes for at least 5 separate dangerous zero-day vulnerabilities in Internet Explorer, Edge, Windows and Office products that attackers were already exploiting in the wild before the patch release.

The patches for these zero-day flaws are included in MS16-118, MS16-119, MS16-120, MS16-121 and MS16-126. All the zero-days are being exploited in the wild, allowing attackers to execute a remote command on victim's system.

Although none of the zero-day flaws were publicly disclosed prior to Tuesday, the company was aware of attacks exploiting these flaws, said Microsoft.

Here's the list of Zero-Day Vulnerabilities:

1. CVE-2016-3298: An Internet Explorer zero-day flaw is a browser information disclosure vulnerability patched in MS16-118 bulletin among 11 other vulnerabilities. It could allow attackers to "test for the presence of files on disk."
2. CVE-2016-7189: A zero-day in the browser's scripting engine has been patched in Microsoft Edge bulletin, MS16-119, among others. The flaw is a remote code execution vulnerability.
3. CVE-2016-3393: Another zero-day in Microsoft Windows Graphics Component has been addressed in MS16-120 that could be exploited over the web, or via an email containing malicious file or over a file-sharing app to conduct RCE attack.
4. CVE-2016-7193: A single zero-day in Office has been addressed in MS16-121 bulletin. The flaw is a remote code execution vulnerability caused by the way Office handles RTF files.
5. CVE-2016-3298: The last publicly attacked zero-day has been patched in MS16-126, which is the only zero-day that is not rated critical, just moderate. The flaw is an information disclosure bug affecting Vista, Windows 7 and 8 and exists in the Microsoft Internet Messaging API.

Another bulletin rated critical is MS16-122 that patches a remote code execution flaw, CVE-2016-0142, in the Windows Video Control, affecting Windows Vista, 7, 8 and 10. The bug can be exploited when a user opens a crafted file or app from the web page or email.

Microsoft also patched twelve vulnerabilities in Adobe Flash Player for Windows 8.1, Windows 10, and Server 2012 in MS16-127.

Rest bulletins rated important or moderate, including MS16-123, MS16-124 and MS16-125, patches five elevation of privilege vulnerabilities in Windows Kernel-Mode, four elevation of privilege vulnerabilities in Windows Registry, and an elevation of privilege flaw in Windows Diagnostics Hub respectively.

Adobe Patch Update

Adobe also released a new version of Flash Player today that patched a dozen of vulnerabilities in its software, most of which were remote code execution flaws.

Adobe has also published code clean-ups for 71(!) CVE-listed security flaws in Acrobat and Reader, along with a fix for a single elevation of privilege bug in Creative Cloud.

Users are advised to apply Windows and Adobe patches to keep away hackers and cyber criminals from taking control over your computer.

A system reboot is necessary for installing updates, so admins are advised to save work on PCs where the whole package of patches is deployed before initiating the process.

Read more

Microsoft certifies new PCs with Windows 7 to ease enterprises onto Windows 10

The special category of PC will run Windows 7 or Windows 8.1 on top of modern hardware.

Businesses are rushing toward Windows 10 as fast as they can, but they simply need more time. To accommodate them, Microsoft is trying something different: creating a transitional list of PCs built on the latest Intel Skylake hardware, but certified to run the tried-and-true Windows 7 and Windows 8.1 operating systems for now.

The program tacitly acknowledges that enterprises have a hardware budget they need to spend, and migrating a company from Windows 7 and Windows 8.1 can literally take years. Running an older OS on top of the latest hardware represents a “customer-first” approach to the transition, Microsoft said. 

Still, the carrot comes with a pair of sticks. Microsoft will support the list of Skylake PCs running Windows 7 and 8.1 for only 18 months, until July 2017. And while the Windows 7/8.1 integration is being designed with Intel’s Skylake in mind, new PCs based on upcoming chips—Intel’s Kaby Lake, Qualcomm’s 8996 chips, or AMD’s Bristol Ridge—will all require Windows 10.

Microsoft’s free upgrade to Windows 10 was really a grassroots campaign to lobby businesses to adopt the new OS—and continue their lucrative license fees and support contracts. The 200 million “active” devices that now run Windows 10 prove the strategy has partially worked. Still, over 55 percent of the world’s PCs run Windows 7, including businesses who consider it to be a stable operating system. Microsoft appears willing to be patient, as long as the migration does happen, eventually.

Businesses adopt Windows 10 at their own pace

Even as Windows 10 adoption seems to be slowing, it appears businesses are embracing it. “The interest is definitely there,” said Bob O’Donnell, chief analyst at TECHnalysis Research, who ran several surveys of businesses in the fall, both in the United States and abroad. “But the interest and when they can do [deploy] it are two different things.”

”Companies are generally positive toward Windows 10,” agreed Steve Kleynhans, an analyst at Gartner.

Kleynhans said the industry has wrestled with the same sort of transition pains in the past, such as when companies migrated off Windows XP. “I don’t think that Microsoft needs to push them,” he added. “Companies are moving as fast as they can.”

Hardware budgets, however, force a company to buy PCs before they may be ready to roll out. The budget and the process for rolling out new PCs isn’t usually aligned with the project of deploying a new operating system across a company, Kleynhans noted. A company may buy a traditional notebook now and deploy it with Windows 7, intending to upgrade it to Windows 10 in a year's time.

A widening gap between hardware and software

Microsoft says it’s doing its best to bridge the gap between users’ enthusiasm for new hardware with their attachment to old software. “What we wanted to address...was that customers are buying new hardware every day,” Terry Myerson, executive vice president of the Windows and Devices Group at Microsoft, in an interview.

Although PC sales continue to drop, they are still the platform of choice for most enterprises, and Windows comes with them. “We expect to see 300 million what we categorize as new PCs this year, and they want clarity as to where they can get fully-supported quality in those purchase decisions,” Myerson added.

Microsoft’s approach prioritizes keeping users on Windows first. If customers want the latest experience, they can turn to Windows 10. But now Microsoft and its partners have provided a “robust list of options” for customers to buy the latest hardware that will be patched and supported, while still running a tried-and-true OS, Windows 7 or Windows 8.1. “If you really value reliability and compatibility above all else, then there’s the option of buying hardware with the platform that was designed for it,” Myerson said.

The list of approved PCs includes several top brands:

• Dell Latitude 12  

• Dell Latitude 13 7000 Ultrabook

• Dell XPS 13

• HP EliteBook Folio

• HP EliteBook 1040 G3 

• Lenovo ThinkPad T460s

• Lenovo ThinkPad X1 Carbon

• Lenovo ThinkPad P70

The 18 months of support matters because running an aged OS running on cutting-edge hardware requires some finesse. Windows 7 was released in 2009, well before Intel even began designing the Skylake chips. That means Windows 7 or Windows 8.1 has certain expectations regarding hardware power states and interrupt processing, and any tweaks to the device drivers or firmware can cause issues, according to Microsoft. The support Microsoft and its partners will offer includes special testing to accommodate those quirks, as well as tools to help update the OS and BIOS once the customer decides to upgrade to Windows 10. 

Myerson said Microsoft worked together with its PC partners, including Intel, to create the list of approved PCs, as well as to jointly test BIOS updates and drivers. So far, there’s no indication that the list of Skylake PCs will include consumer models. Support of the Skylake Windows 7/8.1 PCs will include validation of Windows Updates to reduce regressions like security concerns, the company said. 

After the 18-month support timeframe ends on July 17, 2017, only the “most critical” Windows 7 and Windows 8.1 security updates will be addressed for those PCs, and “will be released if the update does not risk the reliability or compatibility of the Windows 7/8.1 platform on other devices,” Microsoft said in a blog post. Windows 7 remains on extended support until Jan. 14, 2020, and Windows 8.1 until Jan. 10, 2023.

Read more

How to turn your Android phone and Windows 10 PC into a dynamic duo with Cortana

• 
  
  
  
  

Cortana has some great tricks up its sleeve—including a few new ones—that make it a great companion for any Windows 10 user on Android.

One of the best features of Windows 10 is its integration with Cortana, Microsoft's personal digital assistant. Cortana is pretty powerful on its own, but until recently you needed a Windows 10 mobile device to experience the service's full power. That's changing, however, with Microsoft adding new features to Cortana for Android to help your Google-licious phone fit into a Windows 10 world.

Here are three useful Cortana features that turn your Android phone and PC into a powerful combo.

 Cortana for iOS was released in December, but does not have the new call and text features that are currently on Android. 

Missed-call alerts

Microsoft recently added the ability for Cortana for Android users to get missed-call notifications on their PC—or at least I only recently discovered it.

If your phone's in the other room while you're in front of your Windows 10 PC, Cortana will alert you to missed calls.

Text Messages

Send a text from Windows 10 with Cortana on your Android device.

Of course, knowing about missed calls isn't much use if you can't do anything about them. But Cortana for Android has the ability to send text messages from your PC without you ever touching your handset.(Windows 10 mobile devices have a similar feature.)

Alternatively, you can just tell Cortana on your PC, using voice or the keyboard, to "Send a text." That lets you initiate a text message, whether you've just missed a call or not. Similar to Google Now, you can specify the recipient, such as "Send a text to Lisa" or "Send a text to my wife."

The caveat is that you can only send texts and get missed call alerts from people in your contacts list.

Reminders

Cortana's ability to set reminders is one of my favorite features and is available on Android and iOS versions of Cortana. This feature isn't particularly original since you can set reminders on your phone any number of ways. What I like about Cortana is that the reminders pop-up on my Windows 10 PC as part of the native interface. I also have the ability to snooze them if I need a few minutes (or hours) before I can get to them.

In my tests, reminders worked flawlessly and the texting feature was very reliable. The ability to see missed call notifications, however, was hit-or-miss. It's early days for Cortana on Android so this will probably get better over time.

Remember that even if you do employ Cortana for Android that doesn't mean you have to give up on Google Now. I use both interchangeably depending on which personal assistant is best suited to a particular task.

Read more

From Today Onwards, Don't You Even Dare to Use Microsoft Internet Explorer

Yes, from today, Microsoft is ending the support for versions 8, 9 and 10 of its home-built browser Internet Explorer, thereby encouraging Windows users to switch on to Internet Explorer version 11 or its newest Edge browser.

Microsoft is going to release one last patch update for IE8, IE9 and IE10 today, but this time along with an "End of Life" notice, meaning Microsoft will no longer support the older versions.

So, if you want to receive continuous updates for your web browser and avoid being exposed to potential security risks after 12 January, you are advised to upgrade your browser to Internet Explorer 11, or its new Edge browser.

End of Life of Internet Explorer 8, 9 and 10 

"Internet Explorer 11 is the last version of Internet Explorer, and will continue to receive security updates, compatibility fixes, and technical support on Windows 7, Windows 8.1, and Windows 10," Microsoft says.

This move could be part of Microsoft's bigger plan to move its users to the new Edge browser, which is currently available only on Windows 10 PCs.

With the launch of Microsoft Edge last April, the company attempted to encourage Windows 10 users to switch to Edge if they are using its rival browser, such as Google Chrome or Mozilla Firefox, as the default web browser.

Edge has been designed completely separate to Internet Explorer, and promises speed and usability, with support for Cortana -- Microsoft's virtual assistant.

Around 340 Million Users Run Internet Explorer

For higher adoption of Edge, Microsoft is finally ending support for Internet Explorer 8, 9 and 10. However, an estimated 340 Million Windows users are still running Internet Explorer, and nearly half of those are believed to be using one of the expired IE versions.

Therefore, the older versions of the browser will receive KB3123303 patch today that will feature "nag box" asking users to upgrade their browser.

If you have "Automatic Updates" turned ON, you most likely upgraded to IE11 already. However, users with older IE browsers can turn "Automatic Updates" ON by clicking on "Check for Updates" in the "Windows Update" section of the Control Panel.

Read more

Microsoft Collecting More Data of Windows 10 Users than Initially Thought

After several controversial data mining and privacy invasion features within Microsoft's newest operating system, Microsoft continued convincing its users that Windows 10 is not spying on anyone and that the company is not collecting more data than it needs.

In addition, Microsoft also updated its privacy policy in order to clear how and when Windows 10 utilizes users' data.

But wait, before you convinced yourself by this statement, just have a look on the milestones (listed below) that Microsoft recently announced, revealing that Windows 10 is now actively running on 200 Million devices.

Microsoft Tracks Your Every Move

Here's the list of milestones that Microsoft just achieved:

• People spent over 11 Billion hours on Windows 10 in December 2015.
• More than 44.5 Billion minutes were spent in Microsoft Edge across Windows 10 devices in December alone.
• Windows 10 users asked Cortana over 2.5 Billion questions since launch.
• About 30 percent more Bing search queries per Windows 10 device compared to prior versions of Windows.
• Over 82 Billion photographs were viewed in the Windows 10 Photo application.
• Gamers spent more than 4 Billion hours playing PC games on Windows 10 OS.
• Gamers streamed more than 6.6 Million hours of Xbox One games to Windows 10 PCs.

Maybe Microsoft listed these statistics in order to illustrate just how popular its newest operating system has become, but what the company missed is:

Microsoft itself admitted that how deeply it is tracking Windows 10 users.

First noticed by Martin Brinkmann of gHacks, these statistics clearly indicate that Microsoft is not only keeping itself updated about the Windows 10 installation on different devices but is also tracking every single activity of its users by collecting more data than initially thought.

Playing a game? Microsoft tracks it. 

Asking Cortana a question? Microsoft tracks it. 

Opening Edge browser? Microsoft tracks it, too.

"While it is unclear what data is exactly collected," Brinkmann says, "it is clear that the company is collecting information about the use of individual applications and programs on Windows at the very least."

This is the actual dirty side of the free Windows 10 upgrade that we many times talk about, and with time, it will be more shocking to you because the most worrisome part of Windows 10 is that there's no easy way to turn this data collection off.

Read more

Microsoft Keeps Backup of Your Encryption Key on its Server — Here's How to Delete it

Have you recently purchased a Windows computer?

Congratulations! As your new Windows computer has inbuilt disk encryption feature that is turned on by default in order to protect your data in case your device is lost or stolen.

Moreover, In case you lost your encryption keys then don't worry, Microsoft has a copy of your Recovery Key.

But Wait! If Microsoft already has your Disk Encryption Keys then what’s the use of using disk encryption feature? Doesn't Encryption mean Only you can unlock your disk?

Microsoft Probably Holds your Encryption Keys

Since the launch of Windows 8.1, Microsoft is offering disk encryption as a built-in feature for Windows laptops, Windows phones and other devices.

However, there is a little-known fact, highlighted by The Intercept, that if you have logged into Windows 10 using your Microsoft account, your system had automatically uploaded a copy of your recovery key to Microsoft’s servers secretly, and you can't prevent device encryption from sending your recovery key.

Note: Do not get confuse device encryption with BitLocker. Both works same but have different configuration options. BitLocker offers users a choice whether or not they want to backup their Recovery keys on Windows server.

Why Should You Worry?

• If a hacker hacks your Microsoft account, he can make a copy of your recovery key before you delete it (method described below).
• Any Rogue employee at Microsoft with access to user data can access your recovery key.
• If Microsoft itself get hacked, the hacker can have their hands on your recovery key.
• Even Law Enforcement or Spy agencies could also request Microsoft to hand over your recovery key.

"Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees," said Matthew Green, a cryptography professor at Johns Hopkins University.

How to Delete your Recovery Key from your Microsoft Account?

Although there's no way to prevent a new Windows computer from uploading the recovery key at the very first time you log into your Microsoft account, you can delete the existing recovery key from your Microsoft account and generate a new one.

Follow these simple steps in order to remove your recovery key from your Microsoft account:

Step 1: Open this website and log in with your Microsoft Account

Step 2: You will find list of recovery keys backed up to your Microsoft Account

Step 3: Take a back of your recovery Keys locally

Step 4: Go ahead and delete your recovery key from Microsoft Account.

Important Fact: Green also pointed out that even after deleting the recovery key from your Microsoft account, there is no guarantee that the key has been removed from the company's server.

Instant Solution: To solve this issue, Windows users are recommended to stop using their old encryption keys and generate a new one without sharing it with Microsoft.

How to Generate a New Encryption key (Without Sending a copy to Microsoft)?

Sorry for Windows Home Edition users, but Windows Pro or Enterprise users can create new key by decrypting whole hard disk and then re-encrypt the disk, and this time in such a way that you will actually get asked how you want to backup your Recovery Key.

Step 1: Go to Start, type "Bitlocker," and click "Manage BitLocker."

Step 2: Click "Turn off BitLocker" and it will decrypt your disk.

Step 3: Once done, Click "Turn on BitLocker" again.

Step 4: Then Windows will ask you: How you want to backup your Recovery Key. Make sure to DO NOT SELECT "Save to your Microsoft Account." That's it.

Congratulations! 

Finally, the new Windows device you purchased specially for disk encryption feature has now enabled the feature, and Microsoft no longer can unlock it.

Read more