Microsoft moves to relegate Windows 7 to second-class status

Jared Newman@onejarednewman

• Nov 12, 2012 2:01 PM
• print

As Microsoft goes full speed ahead on Windows 8, a number of signs suggest that Windows 7 is fading fast in Redmond’s rear view mirror.

On Monday, Microsoft program manager Daniel Moth confirmed in a support forum that DirectX 11.1 will only work with Windows 8. The company has “no plan” to bring DirectX to earlier versions of Windows—including Windows 7.

DirectX 11.1, Microsoft’s API for 3D graphics, isn’t a major update from DirectX 11, but it adds features to take advantage of high-end graphics processors. It also includes native support for Stereoscopic 3D. The news will mainly affect gamers who want to keepupgrading their rigs but would rather not move to Windows 8.

That’s not the only indication that Microsoft is starting to leave Windows 7 behind. Reportedly, Microsoft won’t release a second service pack for Windows 7, unnamed sources told The Register last month, and the company does not plan to offer an Xbox Music app for its older operating systems. For Windows Phone 8 users, Windows 8 has a slick modern-style app for syncing and viewing media, whereas Windows 7 only has a more bare-bones Windows Phone app for the desktop.

To be clear, Microsoft will support Windows 7 through 2015, meaning that it’ll offer both security and non-security updates for free. Extended support, which provides free security updates but requires a subscription for other hotfixes, will continue through 2020.

But when it comes to individual applications and services, Microsoft is starting to move on. Even Internet Explorer 10, which is already available on Windows 8, is only getting apreview version for Windows 7 this month, with no word on final availability.

It’s not unprecedented that Microsoft would start treating its older operating systems as second-class software. After all, Office 2013 won’t support Windows Vista or XP, and neither will Internet Explorer 10. Still, the Microsoft’s willingness to leave Windows 7 behind in some areas shows just how eager the company is to push Windows 8, lest we forgethow big of a bet this new operating system is for Microsoft.

Ransom ware

Imagine someone getting access to your computer, encrypting all your family photos and other priceless files, and then demanding a ransom for their safe return. That is what ransomware is all about. Online  http://thehackernews.com/2012/11/latest-java-vulnerability-exploitation.html

Learn to Create Websites at w3schools.com

Excellent web based tutorial site for web development. It offers wide range of programming options for web designers..ranging from beginners to experts.
A glimpse 

HTML / CSS

Learn HTML
Learn HTML5
Learn CSS
Learn CSS3

JavaScript

Learn JavaScript
Learn HTML DOM
Learn jQuery
Learn AJAX
Learn JSON
Learn Google Maps

Server Side

Learn PHP
Learn SQL
Learn ASP
Learn ADO
Learn VBScript

ASP.NET

Learn ASP.NET
Learn Web Pages
Learn Razor
Learn MVC
Learn Web Forms
Learn .NET Mobile

Online password can be hacked tooo....easily.

No matter how unique or complex your alphanumeric code is, hackers can always find a way in, warns Mat Honan in a new Wired cover story

"You have a secret that can ruin your life," cautions Mat Honan in the newest issue of Wired: Your password.

Why it's time to kill the online password

That little six- to 16-character alphanumeric string controls your email, your bank account, and grants access to your address, credit card number, and perhaps even naked pictures of yourself. And no matter how complex or unique it is, your password simply isn't good enough. Over the summer, hackers destroyed the entirety of Honan's online life in a mere hour, cracking his Apple ID, Twitter account, Gmail password, and more. They wiped out years and years worth of files on his iPhone, iPad, and MacBook, and deleted every single picture he'd ever taken of his 18-month-old daughter. The problem with modern passwords, Honan says, is they're simply too easy to crack. Hackers can use sophisticated new programs to simply guess en masse, breaking into your accounts using shear force. (The new cracking tools even have number substitutions built in, meaning "p4ssw0rd" is just as bad as "password.") Honan's suggestion? Something entirely new. Here, an excerpt:

The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on secrets — a string of characters, 10 strings of characters, the answers to 50 questions — that only we’re supposed to know. The Internet doesn’t do secrets. Everyone is a few clicks away from knowing everything.

Instead, our new system will need to hinge on who we are and what we do: Where we go and when, what we have with us, how we act when we’re there. And each vital account will need to cue off many such pieces of information — not just two, and definitely not just one.

This last point is crucial. It’s what’s so brilliant about Google’s two-factor authentication, but the company simply hasn’t pushed the insight far enough. Two factors should be a bare minimum. Think about it: When you see a man on the street and think it might be your friend, you don’t ask for his ID. Instead, you look at a combination of signals. He has a new haircut, but does that look like his jacket? Does his voice sound the same? Is he in a place he’s likely to be? If many points don’t match, you wouldn’t believe his ID; even if the photo seemed right, you’d just assume it had been faked.

And that, in essence, will be the future of online identity verification.

Android phones having zero day vulnerabilities

The Samsung Galaxy S3 can be hacked via NFC, allowing attackers to download all data from the Android smartphone, security researchers demonstrated during the Mobile Pwn2Own contest in Amsterdam.

Using a pair of zero day vulnerabilities, a team of security researchers from U.K.-based MWR Labs hacked into a Samsung Galaxy S3 phone running Android 4.0.4 by beaming an exploit via NFC (Near Field Communications).

NFC is a technology that allows data to be sent over very short distances. For mobile devices, the protocol allows digital wallet applications to transfer money to pay at the register. While the technology has been slow to take off, despite the adoption by Google for its Wallet payment application, a number of recent high-profile announcements have boosted its adoption.

"Through NFC it was possible to upload a malicious file to the device, which allowed us to gain code execution on the device and subsequently get full control over the device using a second vulnerability for privilege escalation," MWR InfoSecurity said in a statement. "The same vulnerability could also be exploited through other attack vectors, such as malicious websites or e-mail attachments."

The attacker, for instance, gets access to all SMS messages, pictures, emails, contact information and much more. The payload is very advanced, so attackers can "basically do anything on that phone," the researchers said.

How this Works:

1.) The first, a memory corruption flaw, was exploited via NFC (by holding two Galaxy S 3s next to each other) to upload a malicious file, which in turn allowed the team to gain code execution on the device.

2.) The malware then exploited a second vulnerability to gain full control over the device using privilege escalation. This undermined Android’s app sandbox model, allowing the attackers to install their customised version of Mercury, the company’s Android assessment framework.

3.) Mercury was then used to exfiltrate user data on the device (such as contacts, emails, text messages, and pictures) to a remote listener.

Researchers also said that,"Crucially, the ASLR implementation is incomplete in Android 4.0.4, and does not cover Bionic (Android’s linker) and /system/bin/app_process, which is responsible for starting applications on the device. Other protections which would make exploitation harder were also found to be absent."

MWR Labs, which won $30,000 for its hack, is planning a more technical blog post detailing the process of finding and exploiting this bug.

Also, a Dutch research Joost Pol , CEO of Certified Secure, a nine-person research outfit based in The Hague hack into Apple's iPhone 4S from scratch, exploited a WebKit vulnerability to launch a drive-by download when the target device simply surfs to a booby-trapped web site.

They used code auditing techniques to ferret out the WebKit bug and then spent most of the three weeks chaining multiple clever techniques to get a "clean, working exploit."

During the Pwn2Own attack, Pol created a web site that included an amusing animation of the Certified Secure logo taking a bite of the Apple logo. The drive-by download attack did not crash the browser so the user was oblivious to the data being uploaded to the attacker's remote server. "If this is an attack in the wild, they could embed the exploit into an ad on a big advertising network and cause some major damage."

The duo destroyed the exploit immediately after the Pwn2Own hack. "We shredded it from our machine. The story ends here, we're not going to use this again. It's time to look for a new challenge," Pol said.He provided the vulnerability and proof-of-concept code that demonstrates the risk to contest organizers at HP TippingPoint Zero Day Initiative (ZDI).

http://thehackernews.com/2012/09/android-404-multiple-zero-day.html

XSS MAKES ALL FINANCIAL TRANSACTIONS VULNERABLE

Cross Site Scripting (XSS) is currently the most common vulnerability in the world. This is vulnerability of some host which allows anyone to inject code/scripts into the page. The injected scripts could be html tags, javascript script, vbscript scripts.

A Hacker with virtual name 'Human mind cracker' expose similar vulnerabilities in some big and Important sites, like Israel airline, Myspace, MTV website, Sweden government, Bangladesh bank, Nasa subdomain, Brown University, Afghanistan government website and Rome government website.

In a pastebin note, hacker disclose the vulnerabilities and exact working links. These Cross Site Scripting existence is because of the lack of filtering engines to user inputs at websites, forms and web servers.

Most of the time readers thinks that XSS is a very minor bug and having very less impact. But if implemented in a better way, that can harm all the visitors who will visit infected site.

One of the biggest risk here is to the administrator of such vulnerable sites (that most obvious belongs to government agencies, banking departments, educational administrations) fris upon receiving an email with a script or link that will use the XSS vulnerability on the administrator and will steal his files/data/passwords/cookies.

We know that XSS combined with Social Engineering always perform best for an attacker. Technology is changing, and hacker attacks are getting more sophisticated but with our aim we are keep on trying educate maximum number of people viaThe Hacker News. Be in touch, Be regular, Be Safe !

Follow @TheHackersNews