Wednesday, 26 June 2013

Microsoft's Visual Studio update addresses the connected app

Visual Studio 2013 will allow developers to store settings in the cloud, where they can be accessed by multiple computers

Microsoft kicked off its Build conference in San Francisco this week by releasing a preview of the next version of its Visual Studio IDE (integrated development environment), as well as updates to other development tools.

"If you are interested in building a modern, connected application, and are interested in using modern development lifestyles such as 'agile,' we have a fantastic set of tools that allows you to take advantage of the latest platforms," said S. "Soma" Somasegar, corporate vice president in Microsoft's developer division, in an interview with IDG News Service.

Somasegar noted, for instance, how the new Visual Studio provides more tools to help developers build applications for Windows 8.1, a beta of which is also being released this week.

Microsoft is releasing a preview of Visual Studio 2013, the final version of which is due to be released by the end of the year. The company is also releasing Visual Studio 2012 update 3, and a preview of the .NET 4.5.1 runtime framework.

How user input and follow-up interactions are parsed by Facebook.
Many of the new features in Visual Studio 2013 address the kinds of mobile, connected applications that developers need to build these days, Somasegar said. For instance, it provides new tools to profile energy and memory usage, both of which must be considered when building applications for mobile devices. It also includes a new tool for providing metrics on how responsive an app is for users.

Visual Studio 2013 is also tackling the challenge of writing an application that relies on cloud services in some fashion. Microsoft is providing interface from Visual Studio to its Azure Mobile Services, which synchronizes data and settings for a program used across multiple Windows devices.

Visual Studio 2013 itself will also be easier to use across multiple devices. It will allow developers to define environmental preferences, or the settings and customizations for their own versions of Visual Studio, that then can be applied to other copies of the IDE. Microsoft can store these environmental settings in the cloud, so they can be downloaded to any computer connected to the Internet.

"People go through a lot of trouble to set up their environment. Once they go to a different machine, they must go through the same hoopla again to get to recreate the environment they are comfortable with," Somasegar said. "Once you set up your environment, we store those settings in the cloud, and as you go to another machine, you won't have to recreate your environment."

Another new feature, called Code Lens, provides "a class of information that, as a programmer, has been historically hard to get." It can show, for example, which part of a program is calling a particular method and what other methods that method calls. Visual Studio 2013 also expands its support for C++ 2011, the latest version of the C++ language. Visual Studio's feature for debugging the user's own code (as opposed to running a debugger against the entire set of code) now works with C++ 2011.

Beyond Visual Studio, Microsoft is building more developer hooks into the next release of its browser, Internet Explorer 11, which is expected to be released with Windows 8.1.

Microsoft has completed "a major revamp" of the tools the browser provides to developers. The browser will come with a source-code editing tool, as well as a number of built-in diagnostic tools, Somasegar said. The idea is that the developer won't have to toggle back and forth between the browser and the IDE. A Web application or page can be run, and mistakes can then be fixed, directly from within the browser.

With .Net, Microsoft worked on improving performance of the runtime environment. It can also provide more diagnostic information on how much memory a .Net program is using, and provide more information in a dump report should a program crash. Also, once a developer chooses a particular platform for a .Net project, such as an ASP.Net project, .Net will only display the components that can be used on that platform.

Microsoft is also releasing a white paper that offers a road map of where .Net is headed. The paper will be "one cohesive document that talks about .Net as it relates to Windows, Windows Phone, Windows Azure," Somasegar said. "It is a comprehensive document that shows people how to think about the future as it relates to their current .Net investments."

When Windows 8 and Windows RT were introduced, many Windows developers voiced concerns about the future of .Net, due in no small part to how little the platform was mentioned in Microsoft's initial instructions on building Windows 8 modern applications.

Somasegar said Microsoft has always encouraged, and will continue to encourage, the use of .Net as a way for developers to write "managed code" for Windows 8 and Windows RT modern applications, as well as for Windows desktop applications.

In addition to issuing previews of Windows 8.1 and Visual Studio 2013 this week, Microsoft is also releasing a preview of the latest edition of the company's application lifecycle management software, Team Foundation Server 2013.

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com



Saturday, 22 June 2013

Microsoft's $100k hacker bounty sounds great but has a lot of loopholes

Microsoft's $100k hacker bounty sounds great but has a lot of loopholes
Winning vulnerabilities and exploits must be novel, generic, reasonable, reliable and impactful -- whatever those mean

Microsoft is offering up to $100,000 for vulnerabilities found in Windows 8.1 that are paired with exploits, but it's pretty much up to Microsoft to decide who gets paid how much based on a set of subjective criteria.

In order to pull down the full amount, a submission must be novel, generic, reasonable, reliable, impactful, work in user mode and be effective on the latest Windows OS, according to details of the new bounty program. Each of those criteria is subject to interpretation.

It will be up to Microsoft to convince potential participants in the program that their submissions will be treated fairly, says Ross Barrett, senior manager of security engineering for Rapid7.

"A lot of people don't trust them," Barrett says. Microsoft could find an attack technique good but not novel, and then patch the vulnerability without paying. "That's paranoid, maybe, but that kind of paranoia tends to be par for the course in this industry," he says.

"If I were Microsoft I would make a point of making sure that somebody gets this [$100,000]. It would do wonders for their reputation. It's more about community relations."

It's also about economics, because $100,000 is "an almost insane amount of money" that will be hard to ignore, says Amol Sarwate, director of vulnerability labs at Qualys. In countries with weaker economies that amount would be even more significant, he says.

The sum is likely even more than researchers could make selling such exploits on the black market, he says, and submitting to the program doesn't run the risk of getting caught by law enforcement.

These cash bounty programs have work pretty well since TippingPoint (now part of HP) set up its Zero Day Initiative in 2005, Sarwate says, with others forming similar programs. Google's vulnerability program, for example, has paid out more than $800,000 since it started in 2010.

Many researchers are satisfied getting public credit for finding vulnerabilities, he says. Sarwate says this recognition is valuable to them -- so much so that citations of these credits routinely show up on the resumes of researchers who received them.

The effectiveness of Microsoft's big-payoff program is in luring in "ethically neutral" researchers who have discovered exploits and want credit for it immediately, says Barrett. For many researchers that is the true prize. But they may not want to take the option of responsible disclosure in which they submit the vulnerability to the company and wait for perhaps months for it to issue a patch and give credit because the process takes too long.

Instead, they may disclose irresponsibly -- posting the vulnerability to a public site where they get immediate credit, but the vulnerability is also available for criminals to exploit. It is these impatient researchers Microsoft can hope to attract, Barrett says; they may be willing to wait for credit if they are paid as well.

"It's aimed at people who go straight to the press with their exploits, and it tries to win them over," he says.


Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com


Sunday, 16 June 2013

Microsoft protects cloud with directory-integrated two-factor authentication

Active Authentication uses phones to improve security for hosted apps

Microsoft is upping the security on Azure with Active Authentication, a new service now in preview which allows enterprises to secure access to hosted applications such as Office 365 with two-factor authentication.

Active Authentication enables two-factor authentication for users stored on the Azure-based version Active Directory, and helps secure access to Office 365, Windows Azure, Windows Intune, Dynamics CRM Online as well as other apps that are integrated with the hosted directory service.

Developers can also use the Active Authentication development kit to build two-factor authentication into their custom applications and directories.

Active Authentication works by adding an extra step to the sign in process. After an employee, partner, or customer has entered their username and password, they are required to also authenticate with the Active Authentication app on their smartphone or via an automated phone call or text message.

More advanced authentication has become a hot topic during recent months thanks to high profile security breaches, like the theft of passwords that allowed hackers to get access to the Associated Press' Twitter account. The extra step reduces the risk of a breach, according to Microsoft.

Like many hosted services, Microsoft pitches Active Authentication as easy to set up and manage, as well as very scalable. IT staff can activate the service by adding it to their Azure Active Directory tenant and turn it on for users.

Active Authentication is based on Microsoft's acquisition of PhoneFactor, a deal announced last October.



Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com


Thursday, 13 June 2013

Microsoft patches critical IE vulnerabilities and actively exploited Office flaw

Microsoft patches critical IE vulnerabilities and actively exploited Office flaw
Patching the vulnerabilities in IE and Office should be a priority, security researchers said

A new batch of security updates released by Microsoft on Tuesday address a total of 23 vulnerabilities in Internet Explorer, Windows and Microsoft Office, including one that is actively exploited by attackers. The handling of digital certificates in Windows was also improved.

Only the security bulletin for Internet Explorer, identified as MS13-047, is rated critical. This bulletin addresses 19 privately reported vulnerabilities that affect all Internet Explorer versions, from IE 6 to 10, and could allow remote attackers to execute code on computers with the privileges of the active user.

In order to exploit one of these vulnerabilities attackers need to set up a maliciously crafted Web page and trick users into visiting it. However, on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, Internet Explorer runs in a restricted mode called Enhanced Security Configuration that mitigates the vulnerability.

These Internet Explorer vulnerabilities might be a target for attackers who could try to reverse engineer the patches and build reliable exploits, said Wolfgang Kandek, the chief technology officer at security vendor Qualys.

According to a risk assessment table for the vulnerabilities that was published Tuesday on the Microsoft Research and Defense blog, Microsoft believes that its likely to see reliable exploits for the Internet Explorer vulnerabilities developed within next 30 days.

One of the vulnerabilities that Kandek is most concerned about affects Microsoft Office 2003 and Microsoft Office for Mac 2011 -- the most recent version of Office available for Mac OS X. This remote code execution flaw was addressed in the MS13-051 security bulletin, but is already being actively exploited in targeted attacks. Despite this, Microsoft only rated the security bulletin as important and not critical.

The vulnerability stems from an error in how Microsoft Office components process PNG files and can be exploited by tricking users to open specially crafted files or to preview specially crafted email messages with an affected version of Microsoft Office.

"The attacks we observed were extremely targeted in nature and were designed to avoid being investigated by security researchers," said Neil Sikka, a security engineer with the Microsoft Security Response Center, in a blog post Tuesday. "The malicious samples observed are Office documents (Office 2003 binary format) which do not include the malicious PNG file embedded directly in the document. Rather, the documents reference a malicious PNG file loaded from Internet and hosted on a remote server."

This vulnerability is a classic buffer overflow bug, said Andrew Storms, director of security operations at security vendor Tripwire, via email. "It's unfortunate that even the most recent version of the Mac Office product still contains such a well understood vulnerability. This probably should have been caught during Microsoft's development processes before release."

"It's disappointing to see that Mac users of Microsoft software get the short end of the stick when it comes to security," said Tyler Reguly, technical manager of security research at Tripwire, via email. "You have to wonder how a vulnerability that only affects Office 2003 is also in Office for Mac 2011. As a Mac user, I find this advisory very disconcerting."

Even though later versions of Office for the Windows platform are not affected by this vulnerability, Office 2003 is still used by a lot of people, which makes this a serious vulnerability, Kandek said.

Another security bulletin released Tuesday, MS13-049, addresses a denial-of-service vulnerability in the Windows TCP/IP driver that affects all versions of Windows except for Windows XP and Windows Server 2003. An attacker could exploit this vulnerability by sending specially crafted packets to a targeted system which could cause it to stop responding.

"Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter," Microsoft said in the security bulletin.

"Network admins will want to carefully review and prioritize MS13-049, a network based denial of service bug," Storms said. "Unfortunately, newer versions of Windows can be exploited by the bug via a remote attack surface -- diminishing the long-standing thought that newer software is more secure."

Another security bulletin, MS13-048, addresses a vulnerability in the Windows kernel that affects only 32-bit versions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows 8. In order to exploit this vulnerability an attacker would need to have access to the system in order to execute a specially crafted application or would need to trick a local user to execute it.

"This vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise an affected system," Microsoft said in the security bulletin.

The last security bulletin, MS13-050, addresses a vulnerability in the Windows Print Spooler service that could allow an attacker authenticated as a local user to elevate his privilege when deleting a printer connection. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the system with system privileges, Microsoft said.

Microsoft also issued a separate update accompanied by a security advisory as part of its efforts to improve cryptography and digital certificate handling in Windows. This update improves the Certificate Trust List (CTL) functionality in Windows Vista, Windows Server 2008, Windows 7, Windows 8, Windows Server 2012 and Windows RT.

The update allows administrators to configure domain-joined computers to use auto update without having access to the Windows Update site, configure domain-joined computers to independently opt in to auto update for both trusted and disallowed CTLs, as well as examine the set of roots in Microsoft root programs and to choose a subset of them for distribution via Group Policy, Microsoft said.

Microsoft did not patch the zero-day vulnerability disclosed recently by Google security engineer Tavis Ormandy, Kandek said. That vulnerability is an elevation of privilege (EoP) one and cannot be used for remote code execution, but it could be used in a chained attack together with other vulnerabilities, so attackers might attempt to use it, he said.

Microsoft probably already has a patch for it, but it hasn't been tested enough so it will release it next month, Kandek said. However, if the vulnerability starts to be widely exploited in the meantime, the company might release the patch sooner, he said.




Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com

Thursday, 6 June 2013

Microsoft : Hybrid cloud is good for IT, end users and corporate bottom line

At TechEd Brad Anderson, Microsoft vice president of Windows Server and System Center details hybrid cloud vision

Microsoft’s vision of corporations using hybrid cloud has benefits for IT departments and end users as well as cost savings, says Brad Anderson, Microsoft vice president of Windows Server and System Center.

IT departments can look forward to replicate data-center virtual machines to a cloud service provider where they can provide fault tolerance and high availability and be ready for recovery in case of a disaster, Anderson said during an interview at TechEd North America 2013. [Click here for a full transcript of the interview.]

BACKGROUND: Targeting cloud, Microsoft set to revamp major enterprise software platforms

RELATED: New services bolster Microsoft Azure as key enterprise cloud management system

With the service, IT will also have the capability to manage any mobile device – Windows, Android, iOS – from the cloud-based InTune mobile-device management service within Microsoft Azure. The advantage is that for businesses using System Center Configuration Manager, the interface is the same, so there is no learning curve, but management can be extended to BYOD devices.

“You could just use the tools that you’re using right now and now enable your users across their PCs, their Windows devices, their Apple devices and their Android devices,” he says.

This yields benefits for end users as well. “I can bring up a company portal, authenticate with my Active Directory ID and the combination of Active Directory and System Center will automatically bring for me a personalized experience on any kind of device enabling me to provision the applications and get access to the data I need to be productive,” he says.

New tools in Microsoft Office applications enable on-the-fly parsing and graphically representing data, as exemplified by new capabilities in Excel called GeoTracker and PowerPivotl, Anderson says. Users themselves can blend database information with data drawn from Web sources such as Twitter and Bing to create graphic depictions of the aggregate data.

A demonstration at the conference keynote showed attendees of TechEd distributed across a map of the world with bars on each location showing how many people came from each city relative to others that used the TechEd database plus Bing. Clicking on a city allowed drilling down to search the attendees from that city by job title.

Then using data from Twitter, a heat map of the world showed the increase of Tweets about TechEd from around the globe as the date of the conference neared.

The ability to take unlimited amounts of data, diverse sets of data, bring that all together and then bring this rich visualization on it that allows me to wallow in it,” Anderson says. “I can experiment, I can ask questions and I can literally sit there in a very visual experience, experiment and form hypotheses and theories and learn about what is happening in my infrastructure if I’m IT or if I’m operating a business what’s happening in that business and how I can differentiate and improve.”

Saving money is another key part of hybrid cloud, Anderson says, and many of the cost savings businesses can take advantage of in their private corporate networks are offshoots from what Microsoft has learned building Azure.

“We literally operate over hundreds of thousands of servers [in Azure] and we deploy hundreds of thousands of servers every year,” he says. “So for us just a relentless focus on decreasing complexity and decreasing costs by taking advantage of just industry-standard hardware is a lot of innovation that we’re doing in the public cloud and then bringing on premises.”

In particular, Azure has taught Microsoft to build storage networks on commodity hardware that is less expensive than traditional SAN gear, and that is now available to corporate customers in their private networks.

The ability to use corporate infrastructure management and device management tools across the cloud can also reduce expense.

“Everything from software defined networking, the innovations in storage where I get all of the benefits that traditionally have only come from a SAN but doing it on industry standard cost-effective hardware, the ability to unify my environment from a user enablement and endpoint protection to where I can manage my PCs, all my users’ devices as well as my anti-malware on one common infrastructure – all these things drive savings,” Anderson says.

Since many of these new capabilities are part of standard platforms such as Microsoft SQL Server, Windows Server and InTune, there is no extra cost to current customers. “It’s just Excel, it’s just SQL, it’s not additional licenses, it’s not additional hardware, you don’t have to rewrite your application” he says.

Anderson repeatedly uses the phrase “cloud-first engineering” to describe the principle behind moving features of Azure into the major Microsoft server platforms. He says that can protect business customers from scaling problems as well as giving it a thorough vetting before selling it as on-site products. “Develop the software, try it out, prove it out, battle-harden it in the cloud, then bring it on premises,” he says.

This is made real with Azure Pack, new features that overlays the Azure Web portal to the Windows Server and System Center on-premises products. It can be used with System Center, for example, to enable end users in a department to create new virtual machines within cloud infrastructure based on policies set up by IT. “It’s self-service, exactly as if you were to go to Azure,” Anderson says.

Azure Pack is the renamed package Microsoft introduced last year under the name Windows Azure Services for Windows Server. “So this is the evolution of that with a name that’s easier to remember and easier to say,” he says.


Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com


Sunday, 2 June 2013

Rude and overworked? Blame tech

Mobile devices to blame for a rise in bad manners, CIOs tell Robert Half Technology

IT execs say employees are getting ruder on the job, and they're blaming technology for the rise in bad manners. Specifically, mobile technology is leading to more breaches in workplace etiquette, according to survey data from Robert Half Technology.

The IT staffing specialist polled 2,300 CIOs from U.S. companies with at least 100 employees. The CIOs were asked what effect the increased use of mobile electronic gadgets has had on workplace etiquette, and 64% said etiquette breaches have increased. That's up from 51% who said the same thing in 2010. Nearly a third (32%) said etiquette lapses have stayed the same, and 4% noted a decrease.

Work behavior deemed potentially offensive includes: checking email while someone is trying to have a one-on-one conversation; leaving an unnecessarily long voice mail message; paying more attention to a laptop than to a speaker during a meeting; and not turning off a smartphone ringer during an in-person meeting.

Mobile devices have helped people become more productive at work, but also potentially more distracted, according to John Reed, senior executive director of Robert Half Technology (RHT). “If you're not fully engaged in a conversation or meeting, you may spend more time replying to emails than listening,” Reed said in a statement. “These devices can also make it easier to mistakenly offend colleagues when you fire off a communication too quickly, or use the wrong medium for the message.”

Meanwhile, a majority of IT executives today find themselves working outside of traditional business hours -- a practice made easier thanks to the proliferation of mobile devices. Polled by RHT, 73% of CIOs said they check in with work “often” or “somewhat often” on evenings and weekends. The remainder said they infrequently (12%) or never (14%) check in outside normal business hours. (1% said they didn’t know.)

With after-hours work a reality for most IT leaders, it makes sense that tech pros value the option to telecommute. Earlier this year, RHT reported that 23% of IT workers said the option to telecommute is very important when considering a new job opportunity, and another 52% said a remote working option is somewhat important.

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com