Unpatched Microsoft bugs raise red flags

Posted: under Microsoft, Server 2008, Vista, Windows 7.

Microsoft has released its security updates for the month of September, but a couple of unpatched flaws have some security experts wondering if the software company will be forced to release an emergency patch sometime in the month ahead.

Security researchers believe that an unpatched flaw in the SMB (Server Message Block) 2 software that ships with Windows Vista and Windows Server 2008 could turn into a major headache.

Proof of concept code showing how the bug could be leveraged to crash a Windows machine was posted Monday to the Full Disclosure mailing list by Laurent Gaffie.

But security experts believe that more serious attacks are possible.

Kostya Korchinsky, a senior security researcher with security-assessment software vendor Immunity, said the flaw could be exploited in a privilege-escalation attack. This type of attack is used once the attacker has already found a way to run software on the victim’s machine. It gives the hacker a way of accessing system resources that would otherwise be prohibited.

A more dangerous “remote-code execution” attack “might be possible, but it would be a lot more difficult,” Korchinsky said. With remote-code execution, the attacker is able to run unauthorized software on the victim’s machine.

Security vendor SourceFire is examining the bug too. “We’re unwilling to call it a DoS-only, but we’re not willing to call it a remote-code-execution [flaw] either,” said Matt Watchinski, the company’s senior director of vulnerability research, referring to a denial of service attack.

SMB 2 is typically blocked at the firewall, so even if these attacks could be written, they would have a hard time spreading from company to company.

Gaffie said the flaw most likely works on Windows 7, Windows Vista and Windows Server 2008. Earlier versions of Windows do not use SMB 2 and are thought to be immune.

Meanwhile, Microsoft has yet to patch a flaw in its Internet Information Services (IIS) software that was disclosed last week. That bug could let an attacker crash an IIS server, or even install unauthorized software in certain configurations.

The flaw could be used in a remote-code execution attack, but only in very specific circumstances. For the attack to work, the victim must run the older IIS 5 software on Windows 2000 and allow the attacker to create an ftp directory on the server.

Although Microsoft says it’s seen a “limited number” of attacks that leverage this bug, Watchinski said it’s unlikely to affect most IIS users.

Microsoft issued five security patches Tuesday, fixing eight vulnerabilities in Windows.

Sep 10 2009

Skipping Vista

Posted: under Microsoft, Vista, Windows 7, XP.

Despite the fact that Windows 7 is almost cooked, a leaked Microsoft memo suggests that XP may live on past its May 30, 2009 retirement date.

The leaked internal memo outlines how Microsoft will grant HP the right to continue downgrading Vista systems to XP. The memo does, however, go on to suggest that HP should be clear with customers about support:

It’s important to remind customers that Microsoft are still planning to retire XP Pro Mainstream support on April 14, 2009 and will only provide OS security updates beyond that date unless the customer has an Extended Hotfix Support contract. MS Extended Support for XP Pro ends on April 8th, 2014.

Unconfirmed rumors go further and suggest that Microsoft will allow HP to ship XP until April 30, 2010. If this XP extension has been granted to HP, it will almost certainly be extended to other OEMs too.

It is worth bearing in mind that the EULA for both Vista Business and Ultimate allow users to downgrade, so this will remain in effect for the entire lifetime of the OS.

With Windows XP still commanding a 63% market share, netbook popularity continuing to rise, and Windows 7 still several months away, Microsoft needs an OS to cater for those who won’t touch Vista with a 20 foot pole. Rather than give those folks an excuse to look at Linux, it’s in Microsoft’s interests to continue to make XP seem relevant. That said, since downgrade rights exist for Business and Ultimate, as well as volume licensing customers, I think that all this leaked memo is about is making sure that OEMs remind customers of the support implications of choosing to downgrade from Vista, so they know what they are getting into upfront.

I’ve spoken to a lot of people who have made the conscious decision to skip Vista. Some base these decisions on good judgment, others on shakier judgments. It doesn’t really matter what the reason is. However, as I’ve pointed out many times before, anyone who is still using XP needs to have an escape route planned. The problem isn’t so much related to XP itself, but that vendors, in particular security vendors, are going to start dropping XP support in products as soon as they have to support both Vista and 7.

My guess is that most of those who are currently anti-Vista will move to Windows 7. While many have told me that they will be looking to Mac or Linux, I really don’t see this being realistically taken up by many.

Apr 09 2009

Vista to XP ‘downgrade’ lawsuit revised

Posted: under I.T. News, Microsoft, Vista, XP.

A US woman who is suing Microsoft for allegedly charging her extra to downgrade from Windows Vista to XP had the lawsuit revised late last week.

Emma Alvarado of Los Angeles, California amended her complaint at the Seattle federal court last Thursday.

She repeated her charges, first filed on 11 February, in which Alvarado claimed that Microsoft abused its dominant market position by requiring consumers to buy computers pre-installed with Vista and then getting them to cough up additional cash to “downgrade” to XP.

However, according to Computer World, the revised lawsuit goes into much greater detail about how Microsoft allegedly profits from its Vista downgrade practices.

“Microsoft has used its market power to take advantage of consumer demand for the Windows XP operating system by requiring consumers to purchase a PC that includes a licence for the use of the Vista operating system and to pay money (as part of the overall purchase price of the PC) to downgrade to the Windows XP Professional operating system,” reads the suit.

Her complaint hinges on allegations that Microsoft forced individuals running Vista Basic to first upgrade to Vista Business or Vista Ultimate and then pay for a download licence fee for XP Professional.

The suit also points out that XP Professional - Microsoft’s most expensive edition of the operating system - was the only version users were allowed to downgrade to from Vista.

Alvarado, who is seeking class action status in the lawsuit, claimed that Microsoft adjusted its rules to “inflate its sales figures for Vista”.

She also cited a $130 fee incurred by a customer wishing to go through the downgrade process.

Microsoft once again dismissed the claims and repeated the statement it issued last month when the lawsuit landed at its door.

“Microsoft does not charge or receive any additional royalty if a customer exercises those [downgrade from Vista to XP] rights. Some customers may choose or need to obtain media or installation services from third parties to install the downgrade version.”

Mar 10 2009

Sanity check: Five reasons why Windows Vista failed

Posted: under I.T. News, Microsoft, Vista, Windows 7, XP.

On Friday, Microsoft gave computer makers a six-month extension for offering Windows XP on newly-shipped PCs. While this doesn’t impact enterprise IT — because volume licensing agreements will allow IT to keep installing Windows XP for many years to come — the move is another symbolic nail in Vista’s coffin.

The public reputation of Windows Vista is in shambles, as Microsoft itself tacitly acknowledged in its Mojave ad campaign.

IT departments are largely ignoring Vista. In June (18 months after Vista’s launch), Forrester Research reported that just 8.8% of enterprise PCs worldwide were running Vista. Meanwhile, Microsoft appears to have put Windows 7 on an accelerated schedule that could see it released in 2010. That will provide IT departments with all the justification they need to simply skip Vista and wait to eventually standardize on Windows 7 as the next OS for business.

So how did Vista get left holding the bag? Let’s look at the five most important reasons why Vista failed.

5. Apple successfully demonized Vista

Apple’s clever I’m a Mac ads have successfully driven home the perception that Windows Vista is buggy, boring, and difficult to use. After taking two years of merciless pummeling from Apple, Microsoft recently responded with its I’m a PC campaign in order to defend the honor of Windows. This will likely restore some mojo to the PC and Windows brands overall, but it’s too late to save Vista’s perception as a dud.

4. Windows XP is too entrenched

In 2001, when Windows XP was released, there were about 600 million computers in use worldwide. Over 80% of them were running Windows but it was split between two code bases: Windows 95/98 (65%) and Windows NT/2000 (26%), according to IDC. One of the big goals of Windows XP was to unite the Windows 9x and Windows NT code bases, and it eventually accomplished that.

In 2008, there are now over 1.1 billion PCs in use worldwide and over 70% of them are running Windows XP. That means almost 800 million computers are running XP, which makes it the most widely installed operating system of all time. That’s a lot of inertia to overcome, especially for IT departments that have consolidated their deployments and applications around Windows XP.

And, believe it or not, Windows XP could actually increase its market share over the next couple years. How? Low-cost netbooks and nettops are going to be flooding the market. While these inexpensive machines are powerful enough to provide a solid Internet experience for most users, they don’t have enough resources to run Windows Vista, so they all run either Windows XP or Linux. Intel expects this market to explode in the years ahead.

3. Vista is too slow

For years Microsoft has been criticized by developers and IT professionals for “software bloat” — adding so many changes and features to its programs that the code gets huge and unwieldy. However, this never seemed to have enough of an effect to impact software sales. With Windows Vista, software bloat appears to have finally caught up with Microsoft.

Vista has over 50 million lines of code. XP had 35 million when it was released, and since then it has grown to about 40 million. This software bloat has had the effect of slowing down Windows Vista, especially when it’s running on anything but the latest and fastest hardware. Even then, the latest version of Windows XP soundly outperforms the latest version of Windows Vista. No one wants to use a new computer that is slower than their old one.

2. There wasn’t supposed to be a Vista

It’s easy to forget that when Microsoft launched Windows XP it was actually trying to change its OS business model to move away from shrink-wrapped software and convert customers to software subscribers. That’s why it abandoned the naming convention of Windows 95, Windows 98, and Windows 2000, and instead chose Windows XP.

The XP stood for “experience” and was part of Microsoft’s .NET Web services strategy at the time. The master plan was to get users and businesses to pay a yearly subscription fee for the Windows experience — XP would essentially be the on-going product name but would include all software upgrades and updates, as long as you paid for your subscription. Of course, it would disable Windows on your PC if you didn’t pay. That’s why product activation was coupled with Windows XP.

Microsoft released Windows XP and Office XP simultaneously in 2001 and both included product activation and the plan to eventually migrate to subscription products. However, by the end of 2001 Microsoft had already abandoned the subscription concept with Office, and quickly returned to the shrink-wrapped business model and the old product development model with both products.

The idea of doing incremental releases and upgrades of its software — rather than a major shrink-wrapped release every 3-5 years — was a good concept. Microsoft just couldn’t figure out how to make the business model work, but instead of figuring out how to get it right, it took the easy route and went back to an old model that was simply not very well suited to the economic and technical realities of today’s IT world.

1. It broke too much stuff

One of the big reasons that Windows XP caught on was because it had the hardware, software, and driver compatibility of the Windows 9x line plus the stability and industrial strength of the Windows NT line. The compatibility issue was huge. Having a single, highly-compatible Windows platform simplified the computing experience for users, IT departments, and software and hardware vendors.

Microsoft either forgot or disregarded that fact when it released Windows Vista, because, despite a long beta period, a lot of existing software and hardware was not compatible with Vista when it was released in January 2007. Since many important programs and peripherals were unusable in Vista, that made it impossible for a lot of IT departments to adopt it. Many of the incompatibilities were the result of tighter security.

After Windows was targeted by a nasty string of viruses, worms, and malware in the early 2000s, Microsoft embarked on the Trustworthy Computing initiative to make its products more secure. One of the results was Windows XP Service Pack 2 (SP2), which won over IT and paved the way for XP to become the world’s most widely deployed OS.

The other big piece of Trustworthy Computing was the even-further-locked-down version of Windows that Microsoft released in Vista. This was definitely the most secure OS that Microsoft had ever released, but the price was user-hostile features such as UAC, a far more complicated set of security prompts that accompanied many basic tasks, and a host of software incompatibility issues. In other words, Vista broke a lot of the things that users were used to doing in XP.

Bottom line

There are some who argue that Vista is actually more widely adopted than XP was at this stage after its release, and that it’s highly likely that Vista will eventually replace XP in the enterprise. I don’t agree. With XP, there were clear motivations to migrate: bring Windows 9x machines to a more stable and secure OS and bring Windows NT/2000 machines to an OS with much better hardware and software compatibility. And, you also had the advantage of consolidating all of those machines on a single OS in order to simplify support.

With Vista, there are simply no major incentives for IT to use it over XP. Security isn’t even that big of an issue because XP SP2 (and above) is solid and most IT departments have it locked down quite well. As I wrote in the article Prediction: Microsoft will leapfrog Vista, release Windows 7 early, and change its OS business, Microsoft needs to abandon the strategy of releasing a new OS every 3-5 years and simply stick with a single version of Windows and release updates, patches, and new features on a regular basis. Most IT departments are essentially already on a subscription model with Microsoft, so the business strategy is already in place there.

As far as the subscription model goes for small businesses and consumers, instead of disabling Windows on a user’s PC if they don’t renew their subscription, just don’t allow that machine to get any more updates until they renew. Microsoft could also work with OEMs to sell something like a three-year subscription to Windows with every new PC. Then users would have the choice of renewing on their own after that.

Feb 24 2009

Maine To Skip Vista, Go Directly To Windows 7

Posted: under I.T. News, Vista.

“The State of Maine is the latest organization to skip Windows Vista, which has been a near-disaster for Microsoft. An internal state document (dated September 15) uncovered by Infoweek reveals that Maine will not be upgrading its more than 11,000 personal computing devices from XP to Vista — ever. Instead, it’s going to wait until Windows 7 ships in 2010 and hope for the best. The news is in line with a survey that shows only 4% of businesses in the UK have upgraded to Vista, the story notes.

A commenter on the article makes the point that Maine’s signing an enterprise software license with Microsoft means that Redmond doesn’t really lose out on this deal; it simply allows the state to upgrade its equipment and software on its own time.

Oct 06 2008