Newsletter Archives

• Web presence: Business social networking

  Posted on September 27, 2020 at 21:05 CDT by Tracey Capen • Comment in the Forums

  SMALL-BUSINESS WEBSITES

  By Will Fastie

  The major-league social networks such as Facebook and Twitter can be a big help in establishing your company’s persona on the Web — but often at a cost.

  I have an instructive tale about Facebook. The story is a bit dated, and hopefully the world’s mightiest social network has improved somewhat, but it will give you a small perspective into the intricacies of social networking — and the sorts of trouble they can pose.

  Read the full story in AskWoody Plus Newsletter 17.38.0 (2020-09-28).

  AskWoody Plus Newsletter, Small Business Computing AskWoody Plus Newsletter, Business Web presence, Faceboook, Google, Social networks

• Google comes clean on that “emergency” security patch – and shows how it was used to trigger a Windows 7 0day

  Posted on March 8, 2019 at 07:03 CST by woody • Comment in the Forums

  Now I understand.

  Google releases patches for its Chrome browser all the time. As @b explained about 36 hours ago, Google sent out a special alert to get Chrome updated specifically to head off a 0day attack.

  I didn’t get too excited about it because Chrome automatically updates itself quite reliably, and because the threat didn’t seem to be all that great.

  A few hours ago, Clement Lecigne of the Google Threat Analysis Group added some key details:

  On Wednesday, February 27th, we reported two 0-day vulnerabilities — previously publicly-unknown vulnerabilities — one affecting Google Chrome and another in Microsoft Windows that were being exploited together.

  To remediate the Chrome vulnerability (CVE-2019-5786), Google released an update for all Chrome platforms on March 1; this update was pushed through Chrome auto-update. We encourage users to verify that Chrome auto-update has already updated Chrome to 72.0.3626.121 or later.

  The second vulnerability was in Microsoft Windows. It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape. The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndexwhen NtUserMNDragOver() system call is called under specific circumstances.

  We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems.

  Pursuant to Google’s vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft. Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks. The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes. Microsoft have told us they are working on a fix.

  As mitigation advice for this vulnerability users should consider upgrading to Windows 10 if they are still running an older version of Windows, and to apply Windows patches from Microsoft when they become available. We will update this post when they are available.

  Google’s vulnerability disclosure policy says, to a first approximation, that it gives software manufacturers 90 days to fix a security hole, and if no fix appears, they disclose the details.

  It’ll be interesting to see how Microsoft reacts.

  UPDATE: Catalin Cimpanu has a thorough timeline on ZDNet.

  Windows Patches/Security 0day, Chrome, Google

• Google shuts down Google+ network

  Posted on October 8, 2018 at 12:43 CDT by woody • Comment in the Forums

  Google’s just now confirming that an API bug might’ve exposed private profile data for 500,000 Google+ users. Their response is to shut down Google+.

  I didn’t realize Google+ has 500,000 users.

  Catalin Cimpanu has the details on ZDNet.

  UPDATE: Big revelations coming from the Wall Street Journal. Is it possible that Sundar Pichai didn’t testify in front of the US Congressional Committee because he was afraid of being tripped up by the then-secret breach?

  Other Google

• Microsoft security’s unseemly jab at Google

  Posted on October 19, 2017 at 08:29 CDT by woody • Comment in the Forums

  In yesterday’s Windows Security blog post Browser security beyond sandboxing, Microsoft’s Jordan Rabet (part of the “Microsoft Offensive Security Research team” – no, I didn’t make that up) took aim at Google. There’s a whole lot of technical discussion about the superiority of Edge in that article. There’s also a deep dig at Google.

  Catalin Cimpanu at Bleepingcomputer boils it down:

  The problem that Rabet pointed out was that the fix for the bug they reported was pushed to the V8 GitHub repository, allowing attackers to potentially reverse engineer the patch and discover the source of the vulnerability.

  It didn’t help that it took Google three more days to push the fix to the Chromium project and the Chrome browser, time in which an attacker could have exploited the flaw.

  Taking into account that this happened in mid-September, Microsoft had no reason to detail a bug in a Chrome version that’s not even current. Chrome 62 is the latest Chrome version.

  Paul Thurrott has a great article, turning Microsoft’s old words against itself.

  What Microsoft should have done is take the high ground. Do the right thing for your shared customers and just shut up about it. But it didn’t.

  It’s time for both sides to grow up and work together. Take potshots at each other, sure. But not over security.

  If you’re interested in browser security, I suggest you read it.

  Windows Patches/Security Browser security, Google, Microsoft, Security

• The scale of tech winners

  Posted on October 14, 2017 at 16:01 CDT by woody • Comment in the Forums

  Fascinating piece from Ben Evans:

  Microsoft was working on smartphones and mobile devices 20 years ago, and now it’s killed Windows Mobile, acknowledged that the PC is going the way of the mainframe and, like IBM, has to make its way in a market shaped by other companies. There probably won’t be a technology that has 10x greater scale than smartphones, as mobile was 10x bigger than PCs and PCs were bigger than mainframes, simply because 5bn people will have smartphones and that’s all the (adult) people.

  Check it out.

   

  Other Amazon, Apple, Facebook, Google

• EU Anti-Trust investigation hits Google with biggest fine yet

  Posted on June 27, 2017 at 15:30 CDT by Kirsty • Comment in the Forums

  Google has been fined $2.7 Billion US, in its European Union anti-trust ruling, after a 7 year probe.

  From Financial Times:

  “Google’s strategy for its comparison shopping service wasn’t just about attracting customers by making its product better than those of its rivals. Instead, Google abused its market dominance as a search engine by promoting its own comparison shopping service in its search results and demoting those of competitors. What Google has done is illegal under EU antitrust rules”, said EU’s competition commissioner, Margrethe Vestager.

  Google is understood to be considering appealing the ruling. Other reports say that even if the fine is paid, it is unlikely to cripple Google/Alphabet financially, but Alphabet’s share price has dropped since the ruling was announced.

  You can read the European Commission press release here

  Other Anti-trust, EU, Google

• Google discloses actively exploited Win vulnerability

  Posted on November 2, 2016 at 05:43 CDT by woody • Comment in the Forums

  Many of you have asked for my opinion about the “Google endangers us all as an act of hubris” articles making their way around the web. Emil Protalinski at Venture Beat has a good synopsis.

  (One technical note: Emil says “Windows 10 Anniversary Update users are not affected by the vulnerability being exploited in the wild.” In fact, it looks like only those using Edge in version 1607, the Anniversary Update- or Chrome – are immune.)

  Long and short of it: I don’t think we know the pertinent details, and doubt that we ever will. I’ve been in this industry too long to start pointing fingers based on a heated exchange between Microsoft and Google. No doubt both have reason to beef. Who’s right? I dunno. I doubt that anyone does.

  I have just one observation to offer. Terry Myerson, in his damning post Our commitment to our customer’s security, ends the lengthy explanation with this note:

  Special thanks to Neel Mehta and Billy Leonard of Google’s Threat Analysis Group for their assistance in investigating these issues.

  By all accounts, Mehta and Leonard are the ones who discovered the security hole.

  It just strikes me as odd.

  Looks like we’re going to get the fix on Nov. 8, as part of the regular Patch Tuesday.

  UPDATE: Confirming, based on the comments, that if you have Flash patched, you’re fine. The current infection vectors require Flash – although Windows itself needs to be patched, to cover an underlying problem. If that sounds obtuse, it is, but patching Flash (or not using Flash!) takes you out of harm’s way. For now.

  Windows Patches/Security Google, le contest pissant, Strontium

• Can Google and Apple take over the PC market?

  Posted on May 3, 2016 at 07:45 CDT by woody • Comment in the Forums

  Very important post by Paul Thurrott:

  Can Google and Apple take over the PC market?

  And some significant insight from Steve Sinofsky:

  This misses one point

  If you want to see the (bleak) future of Windows, I think they’ve nailed it. Google and Apple are going to roll over the PC market by building their mobile OS’s “up.” Microsoft’s lost by trying to shrink its dinosaur “down.”

  The transition’s going to take a while, but I’m convinced that my son’s going to grow up in a world where “Windows” elicits the same old-fuddy-duddy response as “IBM,” “BlackBerry,” “AltaVista,” and (dare I say it) “Yahoo!”

  BTW: Don’t get me wrong. Windows is going to be around for a long, long time. Microsoft may put the marketing name “Windows” on some other product. But Windows as we know it isn’t going to be at the forefront of worthwhile technological advances – indeed, hasn’t been for some time.

  Other Apple, Google

• Windows 10 search and Bing

  Posted on January 21, 2016 at 15:13 CST by woody • Comment in the Forums

  Fascinating mail from AA:

  I am a reluctant Windows 10 user (at work).

  When I use the Windows 10 search box at work, the default view when I click the box is to see a bunch of tiles about what is “popular now”.  To me this a distraction, so I typed the following string into the search panel:    “dont show bing news in search panel windows 10”.

  When my browser pops up (Chrome, with Google search set as its default search tool, but ignored in this case), I get a very Bing-centric set of responses, but no answers.

   

   

  If I open my browser on my own, and perform the same search directly, I get a very different (and more useful) response.

  

  This is not a gripe about how disable Bing – I know how to do that now.    But it’s disappointing to know that Bing’s answers are seemingly adulterated.  Sigh.

  As always, thanks for being a voice of sanity in the land of Windows.

  Other Bing, Google

• On the road to Windows 10: Edge now accepts Google as default search provider

  Posted on July 15, 2015 at 09:48 CDT by woody • Comment in the Forums

  My guess is that an intern at Google spent half a morning putting it together, but at least it’s a step in the right direction.

  InfoWorld Tech Watch

  Windows News Edge default search engine, Google

• Google’s latest zero-day disclosures further fuel feud with Microsoft

  Posted on January 12, 2015 at 07:52 CST by woody • Comment in the Forums

  … and the press has it all mixed up.

  So do you trust Microsoft? Do you?

  InfoWorld Tech Watch

  Windows Patches/Security disclosure, Google

• The OEMpire strikes back

  Posted on May 22, 2013 at 07:11 CDT by woody • Comment in the Forums

  Microsoft’s best buddies are increasingly going Google.

  InfoWorld Tech Watch.

  Windows News Google, Windows 8
• « Older Entries

  Newer Entries »