
Belgian Security Firm unveils 20 year old security risk in all Windows editions!


Belgian IT firm The Security Factory has unveiled a Windows security issue that is more than 20 years old. The bug makes it possible to hack file servers, possibly introducing a new category of vulnerabilities.

The security problem is noteworthy because it requires no advanced hacking skills.
Simply creating a new folder on a file server with a specific structure in its name is enough to take over that server and give malicious programs complete control over it.

"The only requirement is that system administrators use scripts (e.g. for maintenance) which contain an up until now unknown but common vulnerability," explains Raf Cox of The Security Factory. "The vulnerability resembles the well-known 'SQL injection' bug, but can be exploited on file servers, where the injection of malicious code wouldn't be expected."


The Security Factory claims to have talked to Microsoft about the problem and the communication around it. Microsoft CEO Satya Nadella's troops allegedly identified the bug, but plan no action towards releasing a security update.

"Microsoft suggests that the security bug is related to the way the script is written, and thus is not a problem in the operating system itself," said Cox.

"At the same time Microsoft neglects to issue a warning towards users, resulting in many scripts remaining vulnerable and thus endangering all file servers running this type of script. Even an antivirus program will not provide a solution, because it has no script error detection."


The vulnerability is related to the way the Windows Command Shell (also known as the DOS prompt) interprets the '&' (ampersand) character in scripts that work with environment variables.

The '&' character serves as a separator between two consecutive commands on one line. If an environment variable contains this character and a script displays it or assigns it to another variable, the portion of the value after the '&' character will be interpreted as a new Windows command (or program) and then immediately executed.

Frank Lycops gives an example: "Suppose an environment variable A has the value T & Calc and you populate this variable ('echo %A%') or assign it to another variable ('SET B=%A%'), then the command shell (DOS prompt) will launch 'calc' (calculator)."

"So far there is no harm done. But the problem is more severe in case an environment variable in this way refers to a malicious program that is installed by a user on a computer."

"If a user creates a folder on a file server with a name 'T & Program' and copies a file 'program.exe' in that folder (or even simpler through a script like program.cmd), then this program is launched with often full access rights to all files on the system itself."

Source: DataNews
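
The behaviour described above, as an added example (not code from The Security Factory or DataNews): a batch script that puts the unsafe percent expansion next to delayed expansion, which substitutes the value only after the line has been parsed. The variable value is constructed, with a harmless `echo INJECTED` standing in for the second command.

```batch
@echo off
setlocal EnableExtensions DisableDelayedExpansion

rem Constructed sample value: stands in for text an untrusted user controls,
rem such as a folder name. The quotes keep this SET itself from splitting
rem at the ampersand, so the whole string is stored in A.
set "A=T & echo INJECTED"

echo --- vulnerable pattern: percent expansion ---
rem %A% is substituted BEFORE cmd.exe parses the line, so the shell sees
rem two commands separated by '&' and runs the part after it.
echo %A%
rem The same happens on assignment: B receives only the text before '&',
rem and the remainder runs as a separate command.
set B=%A%

echo --- hardened pattern: delayed expansion ---
setlocal EnableDelayedExpansion
rem !A! is substituted AFTER the line has been split into commands,
rem so the ampersand in the value is treated as plain data.
echo !A!
rem Quote the whole assignment and read the source with !..! so the value
rem is copied intact and nothing in it is executed.
set "B=!A!"
echo B now holds: !B!
endlocal

endlocal
```

When auditing maintenance scripts, look for `%VAR%` expansions on `echo`, `set`, `if` and `call` lines where the variable can hold a file or folder name from a share that users can write to.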

Windows 8 users get Windows 9 for free?


CEO Andreas Diantoro of Microsoft Indonesia said, according to the Indonesian Detik, that Windows 9 will become a free upgrade for users of Windows 8.

If something sounds too good to be true, it usually is. Yet, when Microsoft launched Windows 8, very cheap upgrades were introduced. Clever marketing to move to 'free' then? Well, up until now, every second Windows version has been a milestone or otherwise a feature-rich and stable redesign of a previous OS release.
This time it's different: Microsoft has been pushing its cloud services like Office365 and OneDrive for some time now, and even consumers are warming up to SaaS. Future versions of Windows will likely be offered as a free Baseline Software OS and a Cloud-OS version, on top of which users can enable further subscription-based features to take 'offline'.


But let's not get ahead of things. According to Andreas Diantoro, users of Windows 8 will obtain Windows 9 as an automatic Windows update.
Tomorrow, Microsoft will announce Windows 9, currently known by its codename Threshold.

By launching Windows 9, Microsoft is moving back towards the look and feel of Windows 7 through re-introduction of the start menu and less focus on the tiles.
However, the new OS will get Live Tile integration, a notification center and the digital assistant Cortana.
By April 2015 the official version of Windows 9 is expected to be released.


Which Benefits To Expect From Microsoft Office 2015?


Microsoft is currently testing a technical preview of the new version of Office for Windows. Here are a few new options that you can expect as part of the upcoming Office suite with codename Office 16.

While Microsoft hasn't disclosed an official feature overview yet, some details of what appears to be a personal technical preview of the upcoming Office suite have leaked.
This technical preview is not the Metro-style version with touch capabilities of Microsoft Office for Windows, baptized by Microsoft watchers with the name Gemini.
Instead, it is the next version of Office for desktop PCs and devices with Windows.

Tom Warren from The Verge published several screenshots on September 18th, which are believed to come from the technical preview of Office 16.
Alongside new feature additions like Tell Me, Footnotes, and Endnotes, Microsoft is changing the look of Office Web Apps. The interface is now more flattened and there’s additional spacing to make it a little more finger-friendly.
The Office Web Apps changes may hint at the future direction for those particular apps. Microsoft is also making one final change to its Office Web Apps by including them in the navigation bar that switches between Outlook, SkyDrive, Calendar, and People sections.
It makes the apps a lot easier to find, as they were previously buried away in the company’s SkyDrive cloud storage service.

Tell Me is a tool that is already part of Office Online and Office for iPad. It enables users to ask how they can accomplish specific actions without having to dive into the documentation.

There will also be an automatic image rotation option to help users drop images at the correct location in documents. Next to the theme colours light gray, dark gray and white, a black theme will become available as well.

Business options
In addition to the new options revealed by the leaked screenshots, there will be more changes that are particularly attractive to business users.

The Excel Data Model is silently updated to a version which is only fully supported in future versions of Excel.
Certain features in this model cannot be used in earlier versions of Excel, although users are still able to open all earlier spreadsheets.

Microsoft also adds panning and zooming to large graphs and smart art diagrams. In Project, users are allowed to have multiple timelines like a custom date range in a single view.

In the new version of Visio a system for management of information rights for Visio files is coming. This is very convenient for those who use the program for research and patent information.

Microsoft introduces a few changes to the look of Office 16 on smaller devices. Synchronization becomes more fine-grained: instead of downloading just a month of e-mail, users of the new Outlook are able to choose between one day, three days, seven days or two weeks.

Microsoft adds the ability to add or share recently used documents, both locally and in the cloud. The idea behind this is that it is easier for users to work with frequently used files and documents together. Users can share the files as read-only, to edit or as an attachment in an email.

Not all listed features will necessarily be released through Office 16. Currently Microsoft's main focus is on new functionality in the cloud. That means that the attention is aimed primarily at Office 365.

There are rumors that Microsoft will come up with a public preview of Office 16 later this fall, perhaps in October. Sources say that the final version of the office suite will appear in the spring of 2015, whether or not under the name of Office 2015.


Credits: smartbiz (Paul Verstegen), The Verge (Tom Warren, @tomwarren)