SP1 for Windows 7 delivers critical security updates and improves performance.
For those of you rocking Windows 7 -- likely the majority reading this -- Microsoft wants you running Service Pack 1 (SP1), so beginning today it will roll out automatically on Windows Update, the software giant announced in a blog post. You can avoid SP1 by disabling automatic updates, but unless you have a very specific reason to do so, you might as well upgrade, if you haven't already. SP1 contains several security patches, bug fixes, and performance tweaks to keep Windows 7 operating at peak form.
Remember when you could insert a USB key into a Windows machine and have it auto-run any application stored on the device? Of course you do, it was only patched out for non-Windows 7 users yesterday! It’s hard to believe that such an obvious vector for possible infection has been left open for so long, but Redmond has finally rolled out an update to prevent this from happening in the future. Hit the jump to find out why.
Starting November 1st, Microsoft began making its free Security Essentials antivirus software available to Windows users through its Microsoft Update service, a move which has sparked outrage among at least two AV vendors.
"This will end up in action taken, especially in Europe," Panda Chief Executive Juan Santana told CNet in an interview. Santana went on to say that Panda "will monitor the situation," and Panda isn't the only one. Trend Micro isn't happy about the move either.
"Commercializing Windows Update to distribute other software applications raises significant questions about unfair competition," Carol Carpenter, general manager of the consumer and small business group at Trend Micro, told Computerworld last week. "Windows Update is a de facto extension of Windows, so to begin delivering software tied to updates has us concerned. Windows Update is not a choice for users, and we believe it should not be used this way."
In a blog post on Monday titled "Microsoft just doesn't get it... Security is about diversity," Panda took things a step further in its criticism of both Security Essentials and how it's being distributed.
"Microsoft recently started installing its Microsoft Security Essentials (MSE) free antivirus product via the Operating System update mechanism to computers which don’t already have an antivirus installed. Basically Microsoft is saying they are worried about the security of its users and they need to make sure they are protected... We agree with Microsoft; it’s better to have some protection than not having any at all. However the way the guys in Redmond are executing the idea is risky from a security perspective and could very well make the malware situation much worse for Internet users. That’s why we encourage Microsoft to continue using Windows/Microsoft Update but instead to push all free antivirus products available on the market, not just MSE."
You can read the entire blog post here, then hit the jump and tell us whether you agree with Panda and Trend Micro, or if competing AV vendors should 'leave Microsoft alone!'
Microsoft today issued an out-of-band security update to tackle a bug in ASP.NET that is being exploited in the wild. Following a public report of the vulnerability, the Redmond outfit confirmed the bug in a Security Advisory (2416728) on September 17. MS, in its advisory, had expressed concerns that hackers could use the Windows Web server flaw to “view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config.”
"Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers, as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," the company told the IDG News Service.
The fix covers all supported Windows versions. The update is currently only available through the company's download center, and not through Windows Update, meaning that it can only be installed manually.
"This is the first time we've released [an] update this way, but due to the nature of the active attacks and the severity of the potential loss of data, we are releasing the security update to the Microsoft Download Center first so customers (specifically large enterprises, hosting providers and ISVs) can begin updating their systems."
If you’re a Windows user and you haven’t done your updates for this Patch Tuesday, put it on your to-do list. The Redmond software giant has pushed out updates that patch several major security holes in Internet Explorer, one of which already has a code exploit in the wild. The fixes address problems that could allow remote attackers to gain control of a system running previously installed malware found on the internet.
Security firm TippingPoint disclosed three of the IE vulnerabilities this past summer through their Zero Day Initiative. "Vulnerabilities in IE are generally pretty serious because all you have to do is go to a web page or get referred to one that has malicious code on it," said TippingPoint’s Jason Avery. Patches today also covered several holes in Office and Integrated Windows Authentication and Indeo Codec in XP and Server 2003. So get updating, everyone.
Microsoft was clearly caught off guard recently when British security firm Prevx claimed that recent security updates to Windows were causing an epidemic of "black screens of death." Affected users reportedly found themselves stuck with a black, non-functional desktop and only a single Explorer window. Prevx indicated the problem stemmed from registry changes made by the updates. Redmond had a look at those claims, and is now saying the updates are not responsible.
"The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports," Microsoft said in a statement. According to the software giant, Prevx made no effort to contact Microsoft before going public with the erroneous claims.
Prevx, for its part, posted a correction saying that through some re-testing they were able to confirm that the security patches played no part in the errors. Hopefully they do that “re-testing” first next time.
Microsoft launched Windows 7 with full DirectX 11 support, but until now, Vista users running ATI’s newest 5000 series cards were left out in the cold. It's not like you’ve been waiting months to play the newest DX11 titles, but at least you now have the comfort of knowing that you don’t need to upgrade your OS in order to take advantage of your new GPU.
DirectX 11 isn’t a massive leap forward over the DirectX 10.1 found in Vista SP2, and in fact, is actually a superset implemented using WDDM (Windows Display Driver Model). Windows XP users will need to continue making do with DirectX 9 because it is not compatible with WDDM, and Microsoft has been pretty clear that this isn’t likely to change anytime soon.
The platform update KB971644 should be delivered to Vista users automatically via Windows Update. Now all you need is a Radeon 5870. DirectX 11 support in Vista seems as good a reason as any, don’t you think?
This week, Microsoft is releasing another series of test (aka "fake") updates for Windows 7 (Redmond released test updates for Windows 7 Beta 1 back in February). As with the test updates for Windows 7 Beta 1, the test updates for Windows 7 RC are designed to make sure that the Windows 7 update mechanism is working properly.
The release started Tuesday, so you may already have some test updates set to arrive on your system. Most will install automatically, but KB970420 must be installed manually through Windows Update. According to PC World, as many as ten test updates may be sent. Look for the phrase "Test Update" when you review Windows Update history.
Speaking of Windows Update and Windows 7 RC, 32-bit users should make sure they've installed the update referred to in KB970789, released late last week. This fixes a major show-stopping bug affecting folders created under the root folder and the applications that try to access them.
Softpedia reports that pirated copies of Windows 7 will be provided with security updates, update rollups, and even service packs. What is Microsoft thinking? Is Redmond promoting piracy?
The idea of providing security and other updates to pirated copies as well as legit copies of Windows might seem crazy, but here's the reasoning, straight from Paul Cooke, director of Windows Client Enterprise Security:
Keeping a machine up to date is one of the first steps in helping ensure that they remain reliable, compatible, and safe from threats when they are online. Some of the most famous incidents of malicious software infection have come after security updates were publicly available from Microsoft - Blaster, Zotob, Conficker and Sasser, just to name a few. Rest assured that we at Microsoft are committed to making sure that security updates are available to all of our users to help ensure a safe online experience for everyone.
Note that Cooke is laying the blame for many recent security problems where it belongs: on users and companies who will not upgrade their software to block such threats. By continuing the recent policy of allowing users of non-genuine Windows to receive security updates, Microsoft is saying, in effect, 'don't blame us if unpatched systems are compromised.'
However, don't think that Redmond's turning a patched eye to either casual piracy or software counterfeiting. Pirated copies of Windows 7 won't be eligible for some of Microsoft's goodies, and Softpedia points out that counterfeit copies of Windows often come with a "free" bonus: malware.
For your chance to sound off on security for software pirates, join us after the jump.
Windows Home Server's latest update, Power Pack 2, is now available via Windows Update, the TechNet Windows Home Server Team Blog reports. WHS users must have Power Pack 1 installed before they can receive Power Pack 2. If you missed Power Pack 1, get it here.
Power Pack 2 fixes a number of irritating bugs left over from Power Pack 1 and the original release, and adds new features. For an overview of what's new in Power Pack 2, join us after the jump.