8 reasons not to avoid Windows 7

posted on August 21, 2009 by Bryant Zadegan

My thanks go to Ed Bott, legendary Microsoft columnist and author, for pointing me to this rather depressing article on Wired this afternoon. Before you begin reading my rebuttal, I’d like to remind all of you that I quite like my Windows and quite hate my Apples, so if you’re an Apple fan, lover, loyalist, and/or propagandist, you can save yourself a lot of adrenaline-inspired organ damage by avoiding this article.

With that aside, let’s get to it.

Brian Chen, a self-admitted Mac user (I’ll explain why this is bad at the end) and writer for Wired Magazine, has come out swinging hard at Windows 7, likely out of his own fear of seeing Apple’s marketshare decrease once Windows 7 gains traction. His current piece, eloquently titled “7 Reasons to Avoid Windows 7,” strikes at the most commonly misunderstood points in Windows without properly dissecting the logic behind any of Microsoft’s decisions. In this piece, I’ll be going through each of Mr. Chen’s points, one by one, in order to explain exactly both why Windows 7 should be embraced and why Mr. Chen’s writings should be avoided. Awesomeness exposes itself after the jump.


Microsoft lists UAC hack as malware

posted on July 30, 2009 by Maurice

As those involved in the Windows 7 community may know, Microsoft has failed to fix a crucial flaw in the User Account Control feature of the operating system which allows a specific whitelist of applications to inject code that can allow any application to silently elevate. The code was released about a month ago as a proof-of-concept by Leo Davidson showcasing the flaw elevating a command prompt window using the whitelisted explorer.exe process.

The company stands by UAC in its final form, but they’re taking it a step further by blocking the program that causes the exploit using their own security software.

Today, I just happened to download the zip file that causes the exploit when Microsoft Security Essentials greeted me with a nice dialog telling me that what I just downloaded is malware, specifically HackTool.Win32/Welevate.A and HackTool.Win64/Welevate.A (depending on architecture). While I’d agree that this can be considered a form of malware, it’s just a very bad way of dealing with the situation. However, Leo noted that Windows Defender in Vista did not detect this exploit, and Bryant confirmed that the same is true for Windows 7 (where the trick would actually work), so this seems to be exclusive to Microsoft Security Essentials.

It’s not clear what method the signatures take to detect it, but I promptly recompiled the source code under the Visual C++ 10.0 toolkit using VS 2010 Beta and the application ran undetected. Not a very good solution if it actually hash checks for the specific applications.

Leo and I (or Bryant) will update our respective pages accordingly as we discover more. Bryant is seeking official word from Microsoft on what’s going on. Meanwhile, you can see the VirusTotal report here and grab the exploit here.

Update (~Bryant): let’s take a look at what’s going on here from a different approach. Microsoft says that the vulnerability here is not actually a vulnerability and is, in fact, by design. However, they’ve also classified Leo’s proof-of-concept as malware. Logically speaking, if a process whose sole purpose is to exploit a perceived vulnerability is marked as malware, then it’s reasonable to assume that the perceived vulnerability is indeed a significant problem. Basically, Microsoft contradicted themselves by listing the proof-of-concept as malware.

Update 2 (~Bryant): A friend of mine proposed one particular argument as a potential explanation to this issue, whereby this is a bug within Microsoft Security Essentials. The reasons I don’t believe this to be the case are:

  • This exploit was specifically named as HackTool:Win32/Welevate.A (A quick googling shows only three links; one is to the aforementioned virustotal link, the second and third to a Microsoft encyclopedia entry.)
  • This particular label only applies to this specific proof-of-concept
  • A reasonable vulnerability assessment (“Medium”) was applied to this particular proof-of-concept, which makes sense given that this security vulnerability in UAC is only really an issue if either a user runs a malicious application or if some other internet-facing application were to be compromised. I covered the latter in an older post of mine where I explain how this flaw essentially raises the vectors of attack many-fold.

Leo and Bryant contributed to this post.

Rafael accidentally discovers Trident in Windows 7 E

posted on July 16, 2009 by Bryant Zadegan

Rafael Rivera, as he usually does, put a massive amount of research into discovering workarounds for downloading Internet Explorer on Windows 7 E. He found and posted a rather ingenious workaround for users stuck in Europe with Windows 7 E(U-gimped). The trick, which you can read over at Within Windows, definitely succeeds in winning the “clever” label applied by Rafael, but what Rafael didn’t mention is that Windows 7 (or at least Windows Media Player) still has the Trident rendering engine somewhere within the stripped OS. This means a number of things:

  1. Bad: Upgrading from Windows Vista to Windows 7 E shouldn’t be a problem whatsoever, despite what Microsoft may say. This, unfortunately, doesn’t do much for Microsoft’s image in Europe (unless Steven can come and tell us specifically why Windows Vista can’t be upgraded to Windows 7 E)
  2. Good: Windows really does rely on Trident for at least a few non-browsing-related functions, which makes sense given how useful HTML can be for creating a UI. It also gives a sense of validity to Microsoft’s claims with regards to the EU.
  3. Bad (for browser peddlers, Microsoft, and the user. Good for the EU): The EU, in its limited comprehension of how a browser works, might now use this as “evidence” of Microsoft being deceitful.
  4. Good: Your shiny new better-than-Snow-Leopard OS won’t be as gimped as you originally thought.

This also means that any applications which use Trident for rendering any HTML to present an interface to the user will still work without needing a browser, which means that application developers should still be happy.

You can catch Rafael’s guide here. While you’re at it, if you’re a native of an EU-governed state, please email them a few one-fingered salutes on behalf of the rest of the world.

Update: Paul would like to note that Microsoft has been “very upfront” about Windows 7 E having the Trident rendering engine. The fact is, Microsoft hasn’t really done a good job at pushing this note around, and given Microsoft’s other communication issues (again, noted by Paul), I’m inclined to say that the existence of Trident actually is news.

In fact, Microsoft also posted about it on their legal blog… in typical legalese. The official statement is:

Most importantly, the E versions of Windows 7 will continue to provide all of the underlying platform functionality of the operating system—applications designed for Windows will run just as well on an E version as on other versions of Windows 7.

To those of us who assume things in the most unrealistically general sense, “underlying platform functionality” includes Trident, but this by no means makes it obvious that Trident will still be in Windows 7 E, thereby proving Paul’s previous point about communication being a problem.

Why all this fussing over builds is meaningless

posted on July 15, 2009 by Bryant Zadegan

RTM! A few days ago, Long famously proclaimed that build 7600.16384 would be RTM (now retracted). Since then, another build has been compiled, and WZOR claims that this new build, 7600.16385, would be RTM. With this back-and-forth and soon-to-be-short-lived debate over which build will be released to manufacturing, I felt the need to drop by and remind people of a few things:

  1. RTM isn’t just this magical thing which is compiled and then immediately signed off. It takes roughly a week’s worth of testing (in the Windows world. Shane Nokes, who happens to have experience elsewhere, knows that Microsoft could sign a project off after only three days) before certifying that a build is worthy of RTM.
  2. 7600 will be RTM. Stop worrying about which compile of 7600 will be RTM; they only have very minor changes, if anything at all.
  3. There’s nothing new in these last few builds. There’s no new theme, no new components… nothing. What’s the point of worrying about which build is compiled if there’s literally no visible difference?

Of course, there’s much more to my little OP/ED here after the jump, so be cool and get to it.


Quick look at HTC’s WinMo smartphones

posted on July 1, 2009 by Bryant Zadegan


HTC’s been a fan of Windows Mobile for their phones for a while now. Even though they’re going with Android on their newer phones (such as the Hero, which we ignored for the sake of this video), their current Windows Mobile offerings still make for awesome fun. In this run-through, I take a rather quick look at HTC’s current US-bound Windows Mobile phones:

  • Snap, coming out on two different carriers (and two different bands) with different looks for each carrier
  • S743, for those who don’t like touch screens but love their candy bars
  • Touch Cruise, basically a standard Windows Mobile touchscreen phone
  • Touch Pro 2, a touchscreen phone with a full horizontal keyboard and other ridiculous features
  • Touch Diamond 2, essentially the same as the Pro 2 but with the keyboard swapped for a higher resolution camera.

All of them are solidly built. The only downside to these phones (except for the Snap, which is subsidized by both T-Mobile and Sprint) is the price, but when you consider that HTC makes some of the best Windows Mobile smartphones around, that price might not be a bad business expense. Sadly, if you’re aiming for the Touch Diamond 2 or Pro 2 with hopes of using that front-mounted camera, consider moving to Europe; two-way video calling isn’t offered in the USA.

You can catch the vanilla YouTube and YouTube HD videos after the break.


Windows 7 Anytime Upgrade boxing hands-on (exc)

posted on June 25, 2009 by Bryant Zadegan

Update: Please, if you’re going to copy my images, don’t delete the watermark. I went through effort to get these pictures, and having them torn off (as is the case with ArsTechnica’s recent linkback) just means that I’ll have to present unsightly watermarks over the entire picture next time as opposed to keeping the images presentable by leaving the watermark in the corner.

Update 2: ArsTechnica corrected their image accordingly. Thanks!

Just about everyone has seen the shots of the new Windows 7 retail packaging, but pictures of the new Anytime Upgrade packaging are much harder to come by. Impossible to find are any current examples of the packaging besides press shots and renders, so having said that, here are a few good hands-on shots I managed to take. For those wondering, yes, this means the boxes themselves are real, and that yes, Microsoft will indeed be pushing Anytime Upgrade through retail channels.

If you want some context as to how Microsoft arrived at this new box design, go ahead and check out Brandon LeBlanc’s post over at the Windows Team Blog. As for a physical size comparison: the full version boxes carry the same dimensions as the current Vista boxes.

(There’s nothing relevant inside the boxes themselves; just a fake key and a CD of Visio inside the retail box of which I was also taking some pictures.)

Have at it:

  • Retail Ultimate v. Anytime Upgrade Ultimate
  • Inside boxes exposed
  • Business AU v. Ultimate AU
  • Business AU v. Ultimate AU side by side
  • Business AU v. Ultimate AU perspective shot
  • Business AU v. Ultimate AU lower shot

On an unrelated note, we (the staff of AeroXperience) would like to wish our condolences to the Jackson family with regards to the recent, sudden, and highly tragic passing of Michael Jackson.

UAC in 7: Silent Attack Vector Multiplier (redux)

posted on June 12, 2009 by Bryant Zadegan


Update: added a link to the original exploit

I really, really hate having to interrupt a good series bashing Apple, but this has to be said.

Long has resumed his crusade on fixing UAC, and normally, I would tell him to give it up for the sake of saving his own time. However, even though Mark Russinovich might not see UAC as a security boundary, the original UAC team sure as hell did, which makes me want Long to see this all the way through. (check the sidebar on the left)

“User Account Control (UAC) is a core security feature in the next release of Windows Vista and Windows Server code name Longhorn.” –UAC Blog

Guys, just fix it. I don’t see why things have to be made so hard; the UAC team clearly calls it a security feature, so do them a favor, don’t make them feel like they’ve wasted their time, and fix the problem. Thanks, Long, for telling me that this can’t actually be fixed as it’s a design issue, so here’s a better solution: give the user the ability to choose which UAC setting he/she wants upon first run. Here are three good options:

  1. Always On
  2. Notify when programs try to change settings (give a warning with this option about the potential risk of compromise)
  3. Always Off (give a bigger warning with this option)

You’ll notice that I didn’t actually suggest the option which gets rid of the secure desktop: I personally believe that that particular option offers absolutely no benefit over having UAC off altogether.

I figured it had to be said.

(If you want to take this for a test run yourself, check Leo Davidson’s site for the original source code and binaries for the proof of concept exploit)

Mark & friends, I love you guys dearly, but I’ll be taking the original team’s word on this one. If you guys try editing it out, keep in mind the Internet Archive has a copy of the original statement.

Mozilla, Opera complain again about IE8 in Windows 7

posted on May 8, 2009 by Bryant Zadegan

Stan Schroeder over at Mashable decided to argue in favor of Mozilla and Opera’s complaints regarding Internet Explorer 8 becoming the default browser when the user upgrades to Windows 7 RC via Express settings. It took me a few reads to realize he was serious, so I’ll spare you the hassle of reading through his post and summarize it for you:

wwwaaaaaaaaahhhhhhhhh!

Let’s look at a logic chain here:

  1. User installs third party browser and makes it the default on Windows Vista.
  2. User upgrades to Windows 7 down the road, chooses express upgrade options.
  3. IE8 replaces the Vista default as the new default browser.

So, Mozilla and Opera are arguing that a new Microsoft browser which was installed onto Microsoft’s OS shouldn’t become default when the user just wants to install Windows and be done with it? Think about it this way: A user chooses to go with express configuration settings because the user doesn’t want to deal with setting anything up on his/her own. The user, therefore, consents to using Microsoft’s default settings, and Microsoft’s defaults include setting up Internet Explorer 8 as the default browser. If the user really wanted to customize any settings, the user would go ahead and do so without any problems. Keep in mind that installing Windows 7 also means, by extension, installing Internet Explorer 8.

There is no problem here; all I see is whining, and it’s getting ridiculous. Mozilla and Opera should work on creating a compelling product, and while I agree that Opera is better than Internet Explorer 8 in many ways including memory management (Mozilla’s RAM issues prevent me from considering it for anything), the point is that Windows belongs to Microsoft, and thus, Microsoft can do whatever they want with it. These “dominant market position” arguments don’t fly because Mozilla and Opera are both using the argument selectively; you don’t see them making nearly as much noise about Apple and the iPhone/iPod touch/Mac.

If you’re running 7077, please upgrade to 7100

posted on April 25, 2009 by Bryant Zadegan

Seems a few people have been pushing around the idea that 7077 is no different from 7100. Given that 7088 was the build that was jumped to 7100 and not 7077, it means there were still 11 builds’ worth of changes before a build was finally signed off as the release candidate for Windows 7.

If you’re running Windows 7 build 7077 (leaked earlier), you really do need to install 7100 if you want to give any relevant feedback. 7077 still has a few stability issues which, if reported, would be nothing more than a waste of time while being totally redundant. Granted, the build is stable, but when you’ve got a more stable build available to you, why hold back?

As everyone knows, 7100 already leaked via usenet/torrents, but if you want to give feedback, your best bet would be to just wait until 7100 is released via the usual channels (in this case, MSDN/TechNet on April 30 and worldwide on May 5).

Sorry for singling you out, Ed. You’re awesome, but I had to post this to suppress any confusion which might’ve resulted amongst our readers from your post.

The Ultimate Steal (no, really)

posted on April 20, 2009 by Bryant Zadegan


Microsoft has an obsession with providing awesome deals for students. They also have a slight tendency to shoot themselves in the feet. This is a good amount of both, and thankfully (if you’re a student), it’s in your favor.

Microsoft created the DreamSpark program to give such awesome tools as Visual Studio 2005 and 2008 Professional Edition free to budding Computer Science and Information Technology students with a Windows Live ID. Now, here’s where the fun begins:

Sometime last year, Microsoft added Windows Server 2003 Standard Edition R2 licenses to the DreamSpark program. Even later, they added Windows Server 2008 x86 Standard Edition licenses. Coupled with Vijayshinva Karnure’s step-by-step guide to converting Windows Server 2008 into the ultimate desktop OS published in February of ‘08 on his MSDN blog, the non-technical masses now have themselves a fully functional, relatively-easy-to-configure OS that’s more powerful and more advanced than Windows Vista. Granted, “easy to configure” doesn’t mean “easier to configure than Windows Vista,” nor do you get to have the Windows Media Center, but there’s sadly always a price to pay for FREE. Given a choice between Windows Vista SP1 upgrade for ~65 dollars and Windows Server 2008 Standard Edition for free, which would you choose?

As for the steps provided, I’m not sure if the academic license of Windows Server 2008 allows for Hyper-V, so if you don’t care for Hyper-V support (as instructed in Vijayshinva’s post) or for running any virtual PCs, you can skip steps 1 and 10 on the guide.

The next question: Does Microsoft even support converting the server OS into a workstation/desktop OS? Yep, and not just because of Vijayshinva’s post, but that alone would be a justification for the following reason:

All opinions posted here are those of the author and are in no way intended to represent those of his employer. All posts are provided "AS IS" with no warranties, and confers no rights.

-Every MSDN, Technet, and other individual Microsoft employee blog.

Microsoft doesn’t endorse the opinions of its employees, but Microsoft does fully endorse any factual matters being discussed regarding its products, including step-by-step guides, support… anything of a non-opinionated nature which doesn’t involve compromising its products (like hex edits). Is this a technical loophole? Sure, but there’s a second, much better reason for Microsoft to support converting Windows Server 2008 into a desktop operating system: The “Desktop Experience” feature.

The Desktop Experience feature was added to Windows Server 2008 in part because of the absurdly high number of requests Microsoft received from small businesses running a server as someone’s desktop machine (plausible in smaller networks where extra server hardware would be cost-prohibitive). The process for turning Windows Server 2003 into a more desktop-worthy operating system was a bit of a pain, so the desktop experience feature was simply intended to make it a bit easier to implement this usage scenario. It’s fully supported by Microsoft.

Now here’s where the DreamSpark deal beats The Ultimate Steal: unlike The Ultimate Steal (which is limited to university students), high school students can also take advantage of DreamSpark. So, if you’re a student at just about any university or high school, go ahead and nab yourself a copy and save 65 dollars. This is probably the only thing available on DreamSpark which is highly relevant to people who aren’t developers.

 

(If Microsoft decides to take down the steps, which I highly doubt, you can catch the full instructions on converting Windows Server 2008 from a barebones server operating system to a desktop operating system after the break.)
