-
Has Windows 7 been cracked already?
Posted on July 30th, 2009 at 16:59 | 2 comments
MyDigitalLife reports that a valid, working Windows 7 Ultimate activation key has leaked.
Windows 7 Ultimate has been cracked, and can be permanently activated with OEM style instant offline activation which will pass Windows Genuine Advantage (WGA) validation, before even any Windows 7 is officially released according to Windows 7 release schedule. All hell breaks loose when a Windows 7 Ultimate OEM DVD ISO from Lenovo been leaked and posted on Chinese forum. The ISO was quickly grabbed to retrieve boot.wim, which was then used to retrieve the OEM-SLP product key and OEM certificate for Windows 7 Ultimate.
Although it may be true, there are plenty of problems with this post – just for starters, Windows 7 doesn’t have “Windows Genuine Advantage.” I also find it very hard to believe that an OEM key, easily retrievable from boot.wim, will validate Windows 7.
I can’t believe that MS made it so easy.
There’s more to this story than we’ve heard. Stay tuned.
UPDATE: The key has been quashed. I’m still surprised that ripping off an activation key is as simple as looking at boot.wim, although it looks like the ripped-off key only worked on Lenovo machines.
I just love this sentence in the Microsoft announcement: “Our primary goal is to protect users from becoming unknowing victims, because customers who use pirated software are at greater risk of being exposed to malware as well as identity theft.” Duh. Yeah, sure.
-
MS-DEFCON 3: Get patched now
Posted on July 30th, 2009 at 11:01 | 20 comments
With the Black Hat conference in full swing in Las Vegas, and detailed instructions for bypassing Microsoft’s killbit patches posted on the Web, it’s time to get everything patched.
Rub your lucky rabbit’s foot, bend over and kiss your keester, and install all of Microsoft’s outstanding patches. Yes, that includes the killbit patches I’ve been moaning about, and the patches Microsoft released two days ago. Susan Bradley’s Top Story in Windows Secrets Newsletter, released about an hour ago, convinced me that the bad guys are hovering, and a rash of infectious junk is about to hit the fan.
Specifically, you should install Windows Vista Service Pack 2 / KB 948645, the .NET Framework patch, KB 951847, Office 2007 Service Pack 2 / KB 953195, Windows XP Service Pack 3, KB 936929, the old killbit patch KB 960715, and the two new ones, MS09-034 / KB 972260, and MS09-035 / KB 969706.
If you get repeated notifications to install the killbit patches, check out this workaround.
Microsoft has screwed up the killbit patches so much that you may well break some of your old applications, but the fact that the security holes go all the way into the libraries means there are thousands of newly discovered infection vectors. The only way you’re going to guard against them is by applying Microsoft’s horrendous updates. You can thank Microsoft’s use of ActiveX for that.
Do me a favor and boycott Internet Explorer, OK? Use Firefox. We’ll both sleep better at night.
We’re at MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
Get all caught up, and stay tuned for more fixes, as a result of disclosures at the conference.
-
Yes you want Windows 7 on your netbook
Posted on July 30th, 2009 at 10:45 | No comments
I’ve been crowing about running Windows 7 Ultimate on an ASUS 1000H netbook for several months now. I know most of you don’t believe me, but Win7 works almost as fast as XP – and it’s much more capable in many different ways, not the least of which is security.
A site I’ve never heard of, Legit Mobile Reviews, just posted a detailed benchmark comparison of XP and Win7 on an ASUS 1005HA. Their conclusion:
Microsoft’s Windows 7 operating system can and will be run on netbooks without a significant performance difference in most areas when compared to Windows XP. Consumers will be able to enjoy the enhancements had since 2002 without fear of turning their netbook into a clunker!
Amen, bro.
If you own a reasonably recent netbook, you’re going to want Windows 7 Home Premium. Count on it.
-
Yahoo gets Binged
Posted on July 29th, 2009 at 21:00 | No comments
As expected, Microsoft and Yahoo just issued a joint announcement that explains how Microsoft will provide the search engine and Yahoo will sell the ads in the brave new world of second place search.
Details here.
-
Two more IE patches released: stick with Firefox, please
Posted on July 29th, 2009 at 07:46 | 7 comments
As I anticipated a few days ago, Microsoft has just released two out-of-band patches and one security advisory for Internet Explorer.
If you are running the Windows 7 Release Candidate, you’re vulnerable, but the Windows 7 RTM version is clean.
SANS Storm Center has full details.
This is another screwed up patch-of-a-patch that didn’t work, only this time there are hundreds – probably thousands – of third-party programs that are affected. Brian Krebs in the Washington Post steps you through the Keystone Kops aspects.
In spite of what Brian says – and, yes, you should apply the security patches one of these days – you’re safe if you stick with Firefox. Just don’t do anything weird online, like allowing a web page to install a program, OK?
We remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.
The guys at the Black Hat Conference in Vegas this week are going to have a field day.
-
Microhoo coming soon
Posted on July 29th, 2009 at 07:23 | No comments
Industry insider Kara Swisher reports that a Microsoft-Yahoo deal should be announced within the next 24 hours:
Sources said Microsoft search technology will be used on Yahoo sites, although it is not clear if it will be branded as “powered by Bing” … In addition, sources said Yahoo would still sell search ads on its sites and on Bing too, although Microsoft’s AdCenter advertising sales technology will be underneath it.
This makes the deal much smaller than ones previously envisioned, which included Microsoft taking over both Yahoo’s search and its text-based search advertising businesses, in exchange for large payments and guaranteed revenue.
Apparently there’s no big infusion of cash involved.
-
Another out-of-band Internet Explorer patch
Posted on July 26th, 2009 at 04:53 | 6 comments
Microsoft just announced that it has two out-of-band patches coming this Tuesday.
One of them is for Internet Explorer 6, 7 and 8. The security hole is described in depth by Halvar Flake. Basically, there’s a hole a mile wide in the Windows Active Template Library, a library of functions that were developed for ActiveX. Apparently even simple VBScript programs can get at the hole. And since it’s in a freely distributable library, you may have received the buggy programs as part of a third party application.
Microsoft’s description of the bug says that it affects IE in Windows 2000, XP, Vista, Server 2003 and some versions of Server 2008. It doesn’t say squat about Windows 7.
The second hole is in Visual Studio, and apparently it’s directly related to this hole in IE.
The irony of it all is that this month’s Black Tuesday IE patch, MS09-032, was supposed to fix this hole, but it doesn’t. And it took Microsoft about a year to issue the fix in MS09-032. At least that’s what Halvar and cohorts say. I’m still stumbling on the fact that MS09-032 was supposed to be a killbit rollup: Microsoft’s docs don’t say anything about fixing a year-old security hole in the ATL.
Why is this being distributed as an out-of-band patch? Microsoft says there are no currently known exploits. And it looks like it took them a year to fix the original problem. Perhaps the spinmeisters want to minimize embarrassment at next week’s Black Hat conference in Las Vegas…
-
Windows 7 E a flash in the pan
Posted on July 25th, 2009 at 06:16 | No comments
I wrote about it in my column this week for Windows Secrets Newsletter.
I don’t think Windows 7 E will ever see the light of day. It’s a ploy by Microsoft. A brilliant one at that.
Microsoft has just made a formal proposal to the EU, offering a so-called “ballot box” screen during Windows 7 installation that allows the user to choose which web browser they wish to install.
It’s a little more complicated than that, really. Microsoft is proposing that the “ballot box” appear when European customers crank up Windows for the first time. The ballot box draws on browsers stored on the Web. And the way you get to the Web is through IE, of course. Read the fine print:
European consumers who buy a new Windows PC with Internet Explorer set as their default browser would be shown a ‘ballot screen’ from which they could, if they wished, easily install competing browsers from the Web.
Gotcha. Note that the press release says nothing about boxed copies of Windows 7. And the offer’s only on the table if IE is installed as the default browser on new machines.
Brilliant.
I doubt that Windows 7 E will even survive the weekend, in the hearts and minds of European customers. It’ll be interesting to see what Microsoft does with all of those early orders for Windows 7 E: folks in Europe are paying extra for the full version of Windows 7, when all they’ll need (I bet) is the upgrade version.


