Microsoft updates trust list after private key for Xbox Live leaks


On Tuesday, Microsoft updated their Certificate Trust List (CTL) after the private key for xboxlive.com was leaked to the Web. The company didn’t explain how the leak happened, but the exposed certificates were immediately revoked and replaced.

“Microsoft is aware of an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks,” the software giant explained in their advisory.

“To help protect customers from potentially fraudulent use of the SSL/TLS digital certificate, the certificate has been deemed no longer valid and Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of the certificate.”

The newly updated CTL will be pushed to all supported versions of Windows.

Tod Beardsley, Security Research Manager at Rapid7, called the accidental disclosure a cryptographic hygiene miss, “but on the whole, users are unlikely to be adversely affected, provided they update their local Certificate Trust List in the usual way.”

“It’s possible that private information such as passwords and payment information was exposed during the time the private key was both known and the public certificates haven’t been changed, but for most people, this would appear unlikely,” Beardsley added.

The reason it’s unlikely, Beardsley said, is that an attacker would need to have been aware of the private key and to have been at least recording SSL sessions from a man-in-the-middle position.

“This scenario would require the attacker to be somewhere along the path between the victim and Microsoft’s servers,” he said.

For customers running versions of Windows on mobile devices (Windows Phone 8 and 8.1, Windows 10 Mobile); desktop (Windows 8, 8.1, RT, RT 8.1, Windows 10); and server (Server 2012, Server 2012 R2) the CTL will be updated automatically via the CTL updater.

Systems running Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 will need to make sure they’ve installed the CTL updater service (KB 2677070).
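A quick way for an administrator to confirm a host is positioned to receive the updated CTL is to check for the updater (KB 2677070) on the older releases and to read when the disallowed-certificate list was last synced. This is an added example, not code from the article or from Microsoft; it assumes that the automatic updater records its last disallowed-CTL sync as a FILETIME value named DisallowedCertLastSyncTime under the AuthRoot\AutoUpdate registry key, and that Windows 8 / Server 2012 and later (NT 6.2+) ship the updater built in.

```powershell
# Added example (not from the article or Microsoft). Checks whether this host can
# receive the updated Certificate Trust List that revokes the *.xboxlive.com cert.
# Assumptions: KB2677070 is only needed on Vista/7/Server 2008/2008 R2 (NT < 6.2);
# the auto-updater stores its last disallowed-CTL sync time as a FILETIME in the
# registry value below (assumed location).

$ver = [Environment]::OSVersion.Version
Write-Host "Windows version: $ver"

if ($ver -lt [Version]'6.2') {
    # Older releases need the CTL updater service installed separately.
    $kb = Get-HotFix -Id 'KB2677070' -ErrorAction SilentlyContinue
    if ($kb) {
        Write-Host "CTL updater KB2677070 installed on $($kb.InstalledOn)"
    } else {
        Write-Warning "KB2677070 not found: the updated CTL will not be applied automatically."
    }
} else {
    Write-Host "CTL updater is built into this Windows version."
}

# When did this host last sync the disallowed-certificate CTL?
$key  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$sync = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisallowedCertLastSyncTime
if ($sync) {
    # REG_BINARY FILETIME -> DateTime (UTC)
    $when = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($sync, 0))
    Write-Host "Disallowed CTL last synced (UTC): $when"
    # The advisory says the certificate has been disallowed since December 1.
    if ($when -lt [DateTime]'2015-12-01') {
        Write-Warning "Disallowed CTL predates the revocation; trigger a sync via Windows Update."
    }
} else {
    Write-Warning "No disallowed-CTL sync recorded; the updater may never have run on this host."
}
```

Run it in an elevated PowerShell session so the hotfix query and registry read succeed.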

While the compromised keys could’ve been used to perform man-in-the-middle attacks prior to them being revoked, it’s important to note they couldn’t be used to issue other certificates, impersonate other domains, or sign code, Microsoft says.

“The troubling part is that Microsoft was aware of the key disclosure for at least a week,” Beardsley said, noting the advisory stated the certificate has been disallowed since December 1.

“As unlikely as an active or passive man-in-the-middle attack is, it’s even less likely the private key happened to be disclosed on a regularly scheduled Patch Tuesday. I understand that incident response cannot be instantaneous, but hope that in the future the company is able to move faster on reissuing certificates when they are known to be compromised.”

In related news, Microsoft released 12 security bulletins on Tuesday, nine of them rated critical, which resolve 71 vulnerabilities.

One of the more standout vulnerabilities is MS15-127, which fixes a flaw that could allow remote code execution if an attacker sends a specially crafted request to a DNS server.

The flaw is given an exploitability rank of 2 by Microsoft, meaning exploitation is less likely, but the company doesn’t offer many details on the flaw itself other than to state that it’s triggered by DNS requests. For organizations running a Microsoft DNS server exposed to the public, it might be worth including this patch alongside the other priority fixes this month – just to stay safe.

Rapid7’s Adam Nowak also suggested MS15-124, MS15-125 and MS15-128 as bulletins to watch out for, as they address 33 vulnerabilities on their own.

“Since a wide range of products are affected this month almost all Microsoft users should be on alert. Microsoft’s update addresses the vulnerabilities by resolving underlying issues with how certain functions in VBScript handle objects in memory, preventing cross site scripting (XSS) from incorrectly disabled HTML attributes, proper enforcement of content types and cross-domain policies,” Nowak said.

Other patches released on Tuesday include fixes for more than 70 vulnerabilities from Adobe, and more than 50 from Apple on iOS, Safari, and Watch OS.

How to use Microsoft Edge’s casting feature to beam media to your TV


As part of the Windows 10 November update Microsoft added casting support to its new browser, Edge. This allows you to send media you’re playing on Edge to a DLNA- or Miracast-compatible device in your house, such as a smart TV or an Xbox One console.

Here’s how to use it.

The first step in Edge casting is selecting the right menu option.

First, cue up whatever you want to stream to your device in Edge. For our example, we’re using the trailer for Star Wars: The Force Awakens. Next, click on the three horizontal dots in the upper right hand corner of the browser. From the drop down menu select Cast media to device.

Choose the device you want from the list.

A small black window will appear listing all connected devices supporting DLNA or Miracast. Choose the one you want from the list.

After the few seconds it takes Edge to connect to your device, your selected media should begin to play. As you’re casting, you’ll need to keep the tab open in Edge with the video running. Once you close that tab, the media will immediately stop playing in the receiving device.

You can also disconnect from the receiving device by clicking the menu icon and selecting Cast media to device again. Click on the receiving device listed in the black pop-up window and then click Disconnect.

In my brief tests using a third-party DLNA receiver on my Android phone YouTube did not work very well, but Vimeo videos played just fine. Our earlier look at Edge casting also found problems with YouTube. You can’t stream digitally protected content either, like videos from Netflix or Hulu.

That’s about all there is to using this great new feature in Windows 10. Want more tips about how to take advantage of Miracast? Check out our tutorial on mirroring your device’s screen wirelessly to your TV.

Microsoft’s Cortana digital assistant launches on iPhone and Android


After a brief beta testing period, Microsoft’s Cortana assistant is available for everyone on the iPhone and Android phones.

Though Cortana lacks the deep operating system hooks of Android’s Google Now and iOS’s Siri, it could still be a useful companion for users of Windows 10 PCs. For instance, you can set time- or location-based reminders from the Windows 10 taskbar, and have those reminders pop up on the phone.

Cortana works better if you give it more access to personal data in Windows 10. Setting up the Windows Mail app allows Cortana to track flights and inbound packages, and you can specify favorite sports teams, weather locations, and news topics of interest in Cortana’s Notebook menu on the PC.

Why this matters: Cortana is arguably the centerpiece of Windows 10, but on mobile devices it never had much chance of luring people away from the iPhone and Android. So instead, Microsoft is taking the opposite approach, and hoping Cortana’s availability on those platforms will help keep people attached to their PCs.

Cortana on iOS vs. Android vs. Windows

Although Cortana is now available on more platforms, not all versions are created equal.

The Android version, for example, has some capabilities that aren’t possible in iOS. Users can view incoming phone calls on a Windows 10 PC, and send a “call you later” text message back to the phone. Android users can also say “Hey Cortana” to begin a voice command from the Android home screen or the Cortana app.

To take Android integration even further, Microsoft is partnering with Cyanogen, which offers a custom version of Android for phone makers who don’t want to make their own. This allows for toggling network modes, powering down the phone, and turning on quiet mode through Cortana voice commands, and launching “Hey Cortana” from any screen. The OnePlus One will be the first U.S. phone to get these features in mid-December, with other phones to follow.

This doesn’t leave Windows 10 Mobile with many unique selling points, aside from the ability to toggle settings from the phone and launch apps by voice. But by now, it should be obvious that Microsoft doesn’t care. The company is much more interested in selling cross-platform services than artificially propping up a platform that has continually struggled to gain traction.

Microsoft continues embracing Linux with new Azure certification


In a partnership that would have seemed most unlikely back when Microsoft railed against open source, the software company has teamed with the Linux Foundation to offer a certification for managing Linux systems in the Azure cloud.

The new Microsoft Certified Solutions Associate Linux on Azure certification allows people to show that they have invested time in developing skills to run Linux servers in Microsoft’s cloud. It’s something of a surprising move, considering that Azure didn’t even support Linux virtual machines four years ago, but meshes with Microsoft’s current strategy of embracing open source technologies.

In order to acquire the certification, a candidate has to pass the Linux Foundation Certified System Administrator exam and the Implementing Microsoft Azure Infrastructure Solutions exam. Once they’ve done that, they can apply for the certification. Neither of those exams are new, but the resulting certification is.

That’s good news for people who have already passed one or both exams. Existing passes still count towards the certification, so people who have passed both exams just have to contact Microsoft about acquiring their certification.

Those folks who haven’t yet passed the exams will have to shell out several hundred dollars just to take the tests. Depending on their level of skill, certification seekers may want to undertake additional training to prepare for the tests, which will cost more money.

Wednesday’s news is yet another sign of Microsoft’s commitment to running Linux workloads on Azure.

According to John Shewchuk, a technical fellow at Microsoft, more than half of the images companies can deploy from the Azure Marketplace use Linux, rather than Microsoft’s technologies. It’s something he says is emblematic of Microsoft’s approach to Linux, especially under its new CEO, Satya Nadella.

“So now, to have half the Marketplace be Linux workloads, and to be doing work like this to get people certified, it really does represent a sea change in the engagement model [for Microsoft],” Shewchuk said in an interview. “And it’s clear that Satya has been at the core of much of this change.”

Why this startup is looking forward to competing with Microsoft — its investor


Microsoft jumped deeper into the enterprise mobile app development space last week with PowerApps, a service that lets ordinary businesspeople build mobile applications that draw on company data.

Microsoft is entering a crowded market that’s already home to products from companies like Salesforce and Intuit. Launching a new product in a competitive market isn’t a first for the Redmond-based company, but there’s an extra wrinkle this time around: it’s in the same market as SkyGiraffe, the first startup invested in by the company’s Microsoft Ventures arm.

Like PowerApps, SkyGiraffe lets users quickly build applications that visualize and modify company data stored in a variety of systems. It supports integrations with products including SQL Server, Salesforce and Workday.

SkyGiraffe co-founder and CEO Boaz Hecht says he doesn’t see the two companies as head-to-head competitors. While he welcomes Microsoft’s entry into the market, he thinks businesses looking for enterprise-grade software are going to be more interested in SkyGiraffe.

“We haven’t had the opportunity to see a working product end-to-end, but as Microsoft describes it, PowerApps serves the equivalent of Excel consumers and/or maybe Excel power users,” Hecht said.

SkyGiraffe, meanwhile, is aimed at providing tools for IT departments and CIOs, he said. That difference in users is key to why Hecht thinks that his company’s product still has a big market opportunity.

Right now, SkyGiraffe has a number of features that PowerApps hasn’t launched yet, even if Microsoft says they’re on the roadmap. It integrates with a wide variety of mobile device management systems, including Microsoft Intune and VMware’s Airwatch, and also supports Android, which PowerApps doesn’t yet. (Microsoft says support for Google’s mobile OS is coming later.)

Hecht also said that he thinks one feature of SkyGiraffe will be particularly appealing to enterprises: businesses can keep their data in on-premises systems, without sending it out to the cloud. Right now, PowerApps requires that users — even those who have an Enterprise plan to access on-premises resources — send their data through the Azure cloud.

That may be a non-starter for some security-conscious companies, or just companies that don’t want to re-think their architecture. Microsoft said that businesses will be able to keep the entire PowerApps system on-premises once Azure App Service comes to the private cloud using Azure Stack. Until then, SkyGiraffe has the advantage.

“At SkyGiraffe, we are not in the business of asking our clients to change their existing IT infrastructure,” Hecht said. “We meet them exactly where they are — on-prem, in the cloud, or hybrid. Enterprises can achieve the business outcomes they need by using mobile applications – without fundamental structural changes.”

Microsoft, for its part, says the market is big enough for the companies to co-exist.

“The team at SkyGiraffe is doing great work and we are big fans of their solution,” Microsoft Ventures Principal Aya Zook said in an emailed statement. “The enterprise mobility space covers a broad range of customer needs and we believe there are great opportunities for both of our organizations. Microsoft Ventures takes an altruistic approach to supporting the startup ecosystem with a passion for helping them to make their ideas succeed. While we may have some overlap in our offerings, we see the startups of today as potential business partners of tomorrow.”

Linux Mint 17.3 ‘Rosa’ offers Linux Mint’s most polished desktop experience yet


While other operating systems dabble with mobile or push the bleeding edge, Mint’s shaping up to be the Old Faithful of the Linux desktop world.

Linux Mint 17.3 “Rosa” continues a series of stable releases built on the Ubuntu 14.04 LTS code. Rather than hacking away on experimental features or adding all the latest low-level software, Mint’s developers have been spending their time polishing the Cinnamon and MATE desktops. “Rosa” is yet another solid release that will please fans of Mint and anyone who misses the more traditional Linux desktop.

The latest release of Linux Mint is now out. Linux Mint 17.3 “Rosa” is based on the stable Ubuntu 14.04 LTS code, just like the other Linux Mint 17 releases before it. It contains both updated software and improvements to the Cinnamon and MATE desktops.

What’s new? Polish, polish, and more polish

Linux Mint’s MATE desktop.

Linux Mint 17.3 bumps the underlying Linux kernel to version 3.19, which should offer improved hardware support. Version 4.2.0 of the kernel is also available in the repositories, but is known to cause problems with AMD’s proprietary fglrx graphics drivers and ndiswrapper, which is used to make some Windows Wi-Fi drivers work on Linux.

LibreOffice was updated to version 5, and the MDM display manager—the login screen—features improved high-DPI support and an on-screen keyboard for touch-screen devices. Linux Mint 17.3 contains a new selection of high-quality background wallpapers, too.

Linux Mint’s new speed test tools.

Linux Mint’s software installation tools were updated with a focus on speed and reliability. The Software Sources tool now automatically detects your location and runs a speed test to find the fastest mirror near your location to download packages from. The Update Manager tool will warn you if you’re using a mirror that’s out-of-date, corrupted, or just slower than an alternative mirror. The Driver Manager is more robust, will load faster, perform more checks, and provide more information.

Cinnamon and MATE see some real improvements, just as they did in Linux Mint 17.2. Cinnamon 2.8 offers the usual bug-fixes and performance improvements, of course. Aside from those, Cinnamon now has redesigned sound and power applets, a workspace switcher that provides a visual representation of your open windows, a system tray that supports “indicators” like Ubuntu’s Unity desktop does, and thumbnails of windows when you mouse-over them on the taskbar.

MATE’s wobbly windows caught in the act.

MATE 1.12 sees an improved application launcher with a frame, border, and shadow. Its Desktop Settings tool allows you to switch to other window managers more easily, and a help screen will explain the differences. Compiz and its fancy 3D effects were made easy to enable in a previous release, but it’s been improved again. Wobbly windows—where windows wobble about as you drag them around—have been activated by default to improve the “wow” factor. The latest version of MATE used here also includes improved touchpad configuration and multi-monitor support.

D-Link is finally shipping the last of the Ultra-series routers it announced at CES 2015


As we look forward to CES 2016, D-Link is finally shipping the last of the radical-looking Ultra-series routers it announced at last year’s CES. The 4×4 DIR-885L/R promises to deliver top speeds of 2167Mbps on the 5GHz frequency band and 1000Mbps on the 2.4GHz band.

As with most higher-end 802.11ac routers today, the DIR-885L/R supports beamforming right out of the box. Beamforming enables the router to concentrate its signal in the direction of the client instead of simply broadcasting it everywhere. If the client is also capable of beamforming, the two devices can exchange information about their respective locations to optimize the signal path they use to communicate.

Read “All about beamforming, the faster Wi-Fi you didn’t know you needed” for an in-depth explanation of beamforming.

D-Link’s press release indicates that the DIR-885L/R supports multi-user MIMO, too, but a footnote explains that a firmware update will be needed first. And after the firmware becomes available, you’ll also need a client that supports MU-MIMO to derive any benefit from it. Here is an in-depth explanation of multi-user MIMO.

The DIR-885L/R is powered by a 1.4GHz dual-core processor, 128MB of flash memory, and 512MB of DDR3 RAM. It’s equipped with one USB 3.0 port and one USB 2.0 port, so you can share both a printer and a storage device over your network, and it has a four-port gigabit switch. Its four antennas are removable for upgrades.

Why this matters: We’ve seen routers get bigger, more powerful, and more expensive all year long. Priced at $280, the DIR-885L/R isn’t exactly cheap, but it’s less expensive than the so-called tri-band routers that support two independent 5GHz networks and one 2.4GHz network. So at least you’re not being forced to pay for features you might not benefit from.

We’ve pinged D-Link about getting a review unit, and we’re working on a long-overdue roundup of 802.11ac routers that we’ll post sometime before the end of the year, so stay tuned.

Microsoft website leak hints that Edge browser extensions are approaching release


We’ve all been waiting patiently for Microsoft to roll out extension support for Edge, because who wants to use a browser without personalized tweaks? Well, it looks like we might get a sneak peek at Edge extensions sooner rather than later, even though they won’t officially show up until 2016.

Recently, Microsoft leaker h0x0d revealed a public Microsoft developer site showing a preview of Edge extensions with two sample downloads. The site was clearly published prematurely—a habit Microsoft has been getting into lately. (H0x0d also leaked a preview of some Microsoft Office apps back in May.)

It lacks final copy, such as a reference to which Windows 10 build Edge extensions are compatible with, as well as proper instructions on how developers can add extensions to Edge manually.

The site was taken down almost as soon as h0x0d publicized it—well before this writing. Nevertheless, the site remains in Google’s cache. The images won’t show up in Google’s saved version, so we’ll have to rely on h0x0d’s screenshot (pictured in this post) to imagine what the original site looked like. If you don’t recognize the domain (azurewebsites.net), this is a Microsoft-owned site for hosting Web apps built by Microsoft and users of the company’s Azure cloud services.

Microsoft’s two sample Edge extensions.

As for the extensions, one is a Pinterest “Pin it!” button and the other is the Reddit Enhancement Suite. Both extensions are available on Chrome, and RES is also on Firefox, Opera, and Safari.

You can’t download the extensions from Microsoft’s site via the Google cache, but h0x0d did manage to grab the files and put them up for public download before Microsoft pulled the plug.

In a subsequent tweet, h0x0d said the code for the Edge extensions is very similar to Chrome’s. “Basically substitute ‘chrome’ with ‘msBrowser’, add few minor changes, done,” h0x0d said on Twitter.

Taking a look at the code you can even see some references to “crx”, which is the file type for Chrome extensions.

The extensions don’t work inside the current version of Edge, but presumably users in the fast ring will be able to manually activate extensions in an upcoming build.

Why this matters: If Edge’s architecture will really make it possible to turn Chrome extensions into Edge-compatible ones with a few minor tweaks, that could be very promising for the future of Edge’s extension catalog. Of course, that’s what Microsoft also hoped would happen with its approach to apps for Windows 10 mobile devices, and so far that hasn’t panned out. But extensions are far simpler than mobile apps—and Edge isn’t the only browser getting in line with Chrome. Mozilla announced a similar approach for Firefox in August.

Microsoft open-sources dead, but beloved Windows Live Writer as Open Live Writer


Sometimes Microsoft creates a piece of software that doesn’t necessarily catch on with the general public but still wins over a dedicated core of users. Typically these programs die a long, slow death, but one such program will live on. Microsoft recently decided to open source Windows Live Writer, the blog writing software that the company ceased developing in 2012.

The program has been renamed Open Live Writer and you can download version 0.5 from the project’s dedicated site. The software will now be under the auspices of the .NET Foundation, an open source software organization founded by Microsoft in 2014. Open Live Writer itself will be maintained by volunteers, including a core group from Microsoft.


If you’re a longtime Live Writer user and would like to try OLW out, you can run the new program alongside Live Writer without replacing the older software. That allows you to test out the new version, while still being able to return to the old version if a feature is missing or any bugs drive you crazy.

Why this matters: Live Writer is one of those programs you probably never heard of unless you used it. Those who did use the software really liked it as a way to write a blog post on the desktop and seamlessly upload it to their blogging service. It’s great to see Microsoft allow a program with a core group of users to go open source since it didn’t have any plans to develop it further. It seems unlikely that this foreshadows future open source projects for similarly beloved software like Windows Media Center or Windows Home Server, but it’s a nice gesture nonetheless.

Spot the differences

Although OLW is pulled directly from Live Writer code there are already a few differences between the two programs. The spell checker is gone, since it was old and built by a third-party that the OLW group didn’t have a license for, according to a post on Microsoft program manager Scott Hanselman’s personal site. Other removed features include the Blog This API used by Live Writer browser plugins, and the Albums feature that uploaded photos to OneDrive.

As far as upcoming features, the OLW team plans to integrate the Windows built-in spell check that first appeared in Windows 8—Hanselman says OLW on Windows 7 will probably never have spell check. The team also plans to add OAuth 2 support very soon so that Blogger users will be able to use OLW. Google currently allows OLW and LW to use an older authentication system for Blogger that will soon be shut down. Any Blogger user who wants to continue to use Live Writer will eventually need to switch to OLW.

Lastly, the group is working on supporting plugins for OLW.

A “What’s New” Tile in this update to Microsoft Band implies better future support


Microsoft may actually be paying more attention to its Band fitness wearable, if Thursday’s update is any indication.

Among Microsoft’s latest updates to the Band 2, the most interesting addition could be a “What’s New” tile, which will pop up when Band updates become available. It’s a tacit commitment to future updates, which would be a positive change for the neglected Band.

“The tile will automatically appear on your band when new updates are available,” said Microsoft. “Tap the tile to learn about great new features and functionality.”

The other new features in this update include music controls. Because the Band 2 works with Android and iOS devices as well as Windows Phones, they’ll work with any music app that can be controlled through Bluetooth (not just Microsoft’s own Groove Music). The controls, however, appear to be limited to just play/pause, forward and back, and volume control—not anything more sophisticated, such as changing radio stations in Slacker, for example.

Microsoft’s new reminders urge you to get up and walk around a bit.

Microsoft will also offer users a reminder to get up and move around, as a way to keep the blood pumping. The Apple Watch already does this, but it’s a simple feature that can also be turned off at night. And if you’re looking for something a bit more hardcore, you can also now select your preferred exercise under the Exercise tile, rather than sticking to a generic workout.

Why this matters: We called the Band 2 an excellent fitness band, but a second-rate smartwatch. Many of its users call it a fitness band first, with some tacked-on smartwatch capabilities. Whatever your perspective, Microsoft’s history of improvements has been characterized by the “general bug fixes and improvements” scattered across its update history, without any indication that they were significant. The “What’s New” tile could signal that future Band updates will be more noteworthy.