Windows 7 going straight to Release Candidate

I’ve been pounding the living daylights out of Windows 7, and so far I’m very impressed – not as impressed by the feature improvements (of which there are a few of note) or the glittergrade, but by the stability of the beast. The beta beast.

I’ve frequently chided Steve Sinofsky for shipping software too early. (Going all the way back to Office XP, eh, Steve?). This time, based solely on what I’ve seen, I can’t help but cheer him on. I think Windows 7 is going to be a big hit. It might even take some steam out of the inexorable shift to open source and cloud computing – even the Mac. I never thought I’d say that about any modern version of Windows.

Steve just blogged about the future of the Windows 7 beta. Looks like the “Beta Refresh” will, in fact, be Release Candidate 1. I expect it to arrive in late March or early April. And I doubt that RC2 will be distributed to the unwashed masses.

There’s still a lot of work to be done between now and RTM. We still don’t have a clue as to which versions of Windows 7 will be available, how much they’ll cost, what kind of iron they’ll require, and what upgrade restrictions might be imposed. But, for the first time ever, I’m pretty confident Sinofsky and his kick-butt team will get it right.

Many months ago I predicted that Windows 7 would be widely available in shrinkwrapped boxes on store shelves by September 1. I’m beginning to think Microsoft may actually beat that target.

Windows 7 UAC insecurity “by design”

Microsoft’s taking a lot of flak over this one.

It’s trivially easy to change the User Account Control settings in Windows 7 with a program. Long Zheng has posted full details, along with a proof of concept demonstration.

By default, Windows 7’s UAC setting is set to “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings”. How it distinguishes between a (third party) program and Windows settings is with a security certificate. The applications/applets which manage Windows settings are signed with a special Microsoft Windows 7 certificate. As such, control panel items are signed with this certificate so they don’t prompt UAC if you change any system settings.

The Achilles’ heel of this system is that changing UAC is also considered a “change to Windows settings”, coupled with the new default UAC security level, would not prompt you if changed. Even to disable UAC entirely.

I wonder how long it’ll take MS to patch it?

.NET Framework 3.5 Service Pack 1 pushed in weird places

I just received an automatic notification on my 32-bit Vista machines, saying there’s a high priority update available. When I click through, I’m informed that Microsoft wants to update .NET Framework 3.5 to Service Pack 1.

That’s a little annoying, but here’s the weird part:

My Windows 7 Build 7000 machine isn’t getting nagged, and

Several of my Windows XP machines are getting nagged, but they’re running .NET Framework 2.0.

Where does Microsoft get off pushing a version upgrade of .NET Framework as a “high priority update”?

Thanks to SB for the heads-up!

UPDATE: Microsoft’s article

KB894199 identifies this as the anticipated “out of sequence” patch I wrote about a few days ago. The KB article says:

The Microsoft .NET Framework 3.5 Service Pack 1 is a full cumulative update that contains many new features that build incrementally upon the .NET Framework 2.0, the .NET Framework 3.0, and the .NET Framework 3.5. It includes cumulative servicing updates to the .NET Framework 2.0 and the .NET Framework 3.0 subcomponents. The .NET Framework 3.5 Family Update provides important application compatibility updates.

So there’s something seriously out of whack: either the update is identifying itself incorrectly (Windows Update says it’s offering .NET 3.5 SP 1, when it may just be updating .NET 2.0 or 3.0), or somebody at Microsoft set things up so the wrong patch is pushed.

Either way, you would be well advised to avoid the patch until it’s all sorted out.

Cyber-Scams on the rise

The Wall Street Journal’s M.P.McQueen just posted a fascinating article about the way economic hard times have led to an increase of all sorts of scams, aided and abetted by computers, the Internet, and other techy henchmen.

Until recently, most attacks were scattershot, with spam emails blasted randomly to thousands of computer users at once. Now crooks are starting to single out specific targets identified through prior research, a tactic called “spear phishing.” In these attacks, emails are sent to the offices of wealthy families or to corporate money managers, for example. They address potential victims by name and company or appear to come from an acquaintance.

Interesting stuff.

Conficker update

A week ago, my Top Story in Windows Secrets Newsletter discussed what was known about the Conficker worm, how to protect your PC, and how to get disinfected. (Some vendors call the Conficker worm “Downadup” but they’re just two different names for the same thing.)

Much has happened since then. If you’re concerned about Conficker – and with many millions, if not tens of millions, infected, you should be – here’s what researchers have learned, and what you need to know.

CERT issued a Technical Cyber Security Alert that contradicts Microsoft’s advice about disabling Autorun. Since Conficker seems to be spreading rapidly via infected USB drives, and even camera memory cards, it would be well to heed CERT’s advice.

Eric Chien at Symantec has posted a series of blogs with many details about the worm. In order:

Downadup Statistics

Downadup Peer to Peer Payload Distribution

Downadup: A Lock with No Key

Downadup: Small Improvements Yield Big Returns

Downadup: Attempts at Smart Network Scanning

Downadup: Playing with Universal Plug and Play

SANS Internet Storm Center reports that Conficker has successfully infected Windows Embedded machines.

And lest you think some of the press is losing its perspective, drop by Rob Rosenberger’s Vmyths site for a hilarious, dead-on look at truth and fiction in the Conficker/Downadup milieu. Good on ya, Rob.

MS-DEFCON 2: Another out-of-sequence patch coming

This time we aren’t sure what to expect.

Microsoft Security Bulletin KB 894199 says that we’re going to get a bunch of patches on Tuesday, January 27. Most of them aren’t terribly interesting, although there’s a patch for Windows Home Server that could prove to be problematic.

What caught my eye about the announcement is this line:

New security content: To be announced

That’s enough to make me raise the warning flags. We’re headed to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

Keep an eye out for a possible out-of-sequence patch, warn your friends that a patch is coming, so if something really bizarre happens it might not be their fault. And be ready to apply the patch if the proverbial stuff hits the fan.

More Seagate problems

If you have a 500 GB Seagate Barracuda model 3500320AS, don’t try to apply the patch I described two days ago.

Slashdot reports that the firmware patch offered by Seagate locks up the hard drives completely and “there has yet to be a successful update of the 3500320AS models.”

“While it would have been nice of them to validate the firmware beforehand, there is still a little hope that not everyone will lose all of their data.”

Check for bad Seagate drives

If you have a Seagate drive, or you’re not sure who manufactured the hard drive(s) on your computer, you need to check and see if your drive is vulnerable to a newly-discovered bug. It’s a nasty, data-eating bug in some Seagate drives’ firmware.

Quick, before everybody else does it, run over to Seagate Knowledge Base article 207931. About halfway down the page, click on the link to download Seagate’s drivedetect.exe program. Run the program and compare the results to the list of potentially bad drives listed in the Knowledge Base article. If you’ve got one of the stinkers, follow Seagate’s instructions to contact them and update the drive’s firmware.

One patch – hold off

As expected, Microsoft released just one security bulletin on Tuesday. MS09-001 (KB article 958687) deals with the way Windows handles Server Message Blocks.

So far, Zero Day Initiative has only found ways to crash an unpatched system, not infect it.

Sit back and see what happens. You have more important fish to fry. We’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

Windows 7 Beta available for download

Microsoft is having a hard time keeping up, but the Windows 7 beta is available for download in 32 bit (x86) and 64 bit flavors.

I’m currently seeing download speeds of about 60 KB per second – at which rate it’ll take about 12 hours to download the entire DVD.

If you have a spare machine, or a spare hard drive for a dual-boot setup, it’s well worth trying.

Windows 7 Beta and keys on MSDN

If you subscribe to MSDN, check the Subscriber Downloads section. You’ll find a copy of Windows 7 Beta available for download, as well as keys for validation.

At this moment, my connection is running about 150 KB per second, but it’s bobbing up and down. Microsoft’s servers are clearly taking a hit. If you’re an MSDN subscriber, get your copy now.

Everybody else will have to wait another 24 hours. Brandon LeBlanc has details on the Windows 7 blog.

It looks like this is the same version – Build 7000 – that’s been circulating for the past week and a half. No word as yet on whether Microsoft has solved the Windows Media Player 12 MP3 zapping bug. [Update: The fix, KB 961367, is on the MSDN Subscriber download site.] But general consensus is that the Win 7 Beta is well worth installing, if you have a rather hefty spare computer sitting around. You can also run it dual-boot. I am. It’s easy.

Does Microsoft have a winner in the wings? Could be. Watch here for running commentary.

30 GB Zunes with latest firmware bite the dust

From Gizmodo:

Apparently, around 2:00 AM today, the Zune models either reset, or were already off. Upon when turning on, the thing loads up and… freezes with a full loading bar (as pictured above). I thought my brother was the only one with it, but then it happened to my Zune. Then I checked out the forums and it seems everyone with a 30GB HDD model has had this happen to them

Happy new year, everybody!

UPDATE: If you own a 30 GB Zune, the problem went away. Ends up there was a slight, uh, programming problem. Years with 366 days – such as 2008 – drove the Zune’s firmware nuts. The problem only lasted a day. By January 1, all was well: if you let the battery drain and re-start, your Zune started working again. Oy.