Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • Keizer: Windows 10 shows sign of enterprise upgrading

    Posted on March 2nd, 2018 at 20:15 by woody

    Keizer’s Computerworld take relies on the numbers reported by Net Applications:

    Windows 10 actually slipped two-tenths of a percentage point in user share… during February, ending the month powering 34.1% of the world’s PC…

    Using the 12-month average of Windows 7’s user share decline, Computerworld forecasts that the aging OS will still account for about 35% of all active Windows editions in January 2020

    It’s clear which way the wind is blowing — but I wonder how many will abandon Win7 in 23 months?

  • Is it time to give up on 7-Zip?

    Posted on March 2nd, 2018 at 12:15 by woody

    I’ve been a 7-Zip fan for, like, forever. That’s why it pains me to report that several people — people who know what they’re doing — are taking 7-Zip to task for failing to keep up with key security features.

    On Jan. 28, I posted an article on Computerworld titled “Multiple vulnerabilities in 7-Zip. Get it updated now!”

    I thought that Igor Pavlov’s new release, version 18.01, took care of the major security problems. I was wrong.

    The core of the problem: Pavlov refuses to add ASLR (Address Space Layout Randomization) to the product, and won’t compile 7-Zip with the /GS Buffer Security Check flag. (Good overview of both technologies on the ISV Software Security page.)

    This was part of landave’s original complaint:

    I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE [the ASLR flag] because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size.

    So how bad is it? Microsoft Security Response Center engineer (not speaking in an official capacity!) Joseph Bialek says:

    What year is it @7zip ?? You guys still running on 90’s hardware??

    Stefan Kanthak, whom I quoted in the Computerworld article “Microsoft is distributing security patches through insecure HTTP links”, says in a private message:

    [7-Zip’s] INSECURE shell extension is loaded into explorer.exe, and allows an attacker to leverage its MULTIPLE shortcomings. For example Sun/Oracle made such a blunder when they deployed an outdated MSVCRT71.dll with their Java Runtime Environment, which allowed attackers to take advantage of its flaws.

    I’m not so concerned about individual, manual use, but the incorporation of 7-Zip binaries into other packages. An anonymous poster here on AskWoody came up with a long list of other packages that rely on 7-Zip, including WinRAR, Flash, and some .NET applications.

    I’m not yet ready to throw my copy of 7-Zip in the bit bucket. But I wonder if that’s just inertia.
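To check which binaries in a bundled package are affected by the issue described in this post, the sketch below reads a PE header and reports whether the image was linked with /DYNAMICBASE and whether it still has the relocation table the loader needs. It is an added example, not code from 7-Zip or from the post; `aslr_status`, `make_sample` and the sample header bytes are constructed for illustration, and /GS is not covered because it cannot be read from a header flag.

```python
import struct

# Values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by the linker's /DYNAMICBASE
BASERELOC_DIR = 5                               # data-directory index of the relocation table

def aslr_status(image: bytes) -> dict:
    """Report whether a PE image opts in to ASLR and still carries relocations."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    (characteristics,) = struct.unpack_from("<H", image, coff + 18)
    opt = coff + 20                                          # optional header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)             # PE32 vs PE32+
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    (n_dirs,) = struct.unpack_from("<I", image, dirs - 4)    # NumberOfRvaAndSizes
    reloc_size = 0
    if n_dirs > BASERELOC_DIR:
        _rva, reloc_size = struct.unpack_from("<II", image, dirs + 8 * BASERELOC_DIR)
    status = {
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "has_reloc_table": reloc_size > 0,
    }
    # Assumption of this example: count an image as randomizable only when it
    # opts in AND the loader has relocation data to rebase it with.
    status["can_randomize"] = (status["dynamic_base"] and status["has_reloc_table"]
                               and not status["relocs_stripped"])
    return status

def make_sample(dynamic_base: bool, relocs: bool) -> bytes:
    """Constructed PE32 header stub for the demo; not taken from any real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    chars = 0x0102 | (0 if relocs else IMAGE_FILE_RELOCS_STRIPPED)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    struct.pack_into("<I", opt, 92, 16)
    if relocs:
        struct.pack_into("<II", opt, 96 + 8 * BASERELOC_DIR, 0x3000, 0x200)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

To audit an installed copy, pass the bytes of each .exe and .dll in the package directory to `aslr_status` and flag every file where `can_randomize` is false.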

  • Keizer: Microsoft’s browsers are dying

    Posted on March 2nd, 2018 at 11:24 by woody

    Er, dieing. Sorry.

    Gregg Keizer has a good look at the rapid decline of the IE (+ Edge) hegemony.

    Even though IE showed an uptick in usage last month, per Net Applications, the prognosis for Microsoft browsers is dismal:

    By the time Microsoft retires Windows 7, and for effective purposes, IE as well, Windows 10 should have reached a user share (of all Windows) of around 63.6%, assuming its climb continues on the past year’s trend line. If Edge hasn’t, well, edged up as a share of all Windows 10 by that time – and all evidence is that it will not – then Microsoft’s active browser share will be in the single digits, perhaps as low as 6%.

    Hard to imagine IE + Edge at 6%, but then again Windows Phone took a hard, fast fall, too.