Stephen Smith's Blog

Musings on Machine Learning…

Posts Tagged ‘windows xp’

More Thoughts on Security

Introduction

Last week I blogged on some security topics that were prompted by the Heartbleed security hole. Heartbleed was hot while it lasted, but in the end most servers were quickly patched and not a lot of damage was reported. Then this last week Heartbleed was completely pushed aside by the latest Internet Explorer security vulnerability. A lot of the drama around this problem was caused by speculation on whether Microsoft would fix it for Windows XP. Although the problem existed in all versions of Windows and IE, it was assumed that Microsoft would fix it fairly quickly for newer versions of Windows but leave Windows XP vulnerable.

The IE Problem

Microsoft’s Internet Explorer has a long history of letting rogue web sites take over people’s computers by downloading and executing nasty code. The first cases of this were ActiveX controls, which are basically compiled programs downloaded to your computer and then run inside the browser’s process space. These led to all sorts of malicious programs and viruses. Microsoft first tried to require that ActiveX controls be “signed” by a trusted company, but these caused so many problems that people now have to be very careful about which ActiveX controls they allow.

With ActiveX controls blocked, malicious software writers turned to other ways of getting their code executed inside IE. A lot of these problems date back to Microsoft’s philosophy in the early 90s of having code execute anywhere, so they built facilities to execute code in word processing documents and all sorts of other things. Much of the new malicious software finds old instances of this, where Microsoft unexpectedly lets you run code in something you wouldn’t expect to run code. Slowly but surely these instances are being plugged one by one through Windows Update.

The next attack surface is bugs in IE itself. If you’ve ever run an older version of IE under Bounds Checker, you will have seen all sorts of problems reported. A lot of these allow attackers to exploit buffer overruns and various other memory bugs in IE to get their own code loaded and executing.

Another attack surface is the common plugins that always seem to be present in IE, such as those for rendering PDF documents, displaying Adobe Flash based websites, or running Microsoft Silverlight. All of these plugins have had many security holes that allowed malicious code to execute.

Plugging these holes one by one via Windows Update is a continuing process. However, Microsoft has taken some proactive steps to make hacking IE harder: they have introduced more advanced memory protections and ways to randomize memory buffer usage so that exploits are harder to write. What they haven’t done is trim down the functionality that leads to such a large attack surface.

The latest exploit, reported in the wild last week, got around all of Microsoft’s protections and allowed a malicious web site to take over any version of IE on any version of Windows that browsed to that site. The malicious web site could then install software to steal information from the affected computer, install a keyboard logger to capture typed passwords, or install e-mail spam generation software.

Why the Fuss?

This new exploit was a fairly typical IE exploit, so why did it receive so much attention? One reason is that after Heartbleed, security is on everyone’s mind. The second is that Microsoft has ended support for Windows XP and publicly stated that it would not release any more security updates for it. So the thinking was that this was the first serious security flaw that wouldn’t be patched on Windows XP, and that havoc would result.

However, Microsoft did patch the problem after a few days, and they patched it on Windows XP as well. After all, Windows XP still accounts for about a third of the computers browsing the Internet today. If all of these were harnessed for a Denial of Service attack or started sending spam, it could be quite serious.

People also question how serious it is, since you have to actually browse to the malicious web site. How do you get people to do that? One way is that when a URL’s domain registration expires, someone malicious can sometimes renew it and redirect it to a bad place. Another way is to register URLs with small spelling mistakes of real websites and catch unwary visitors that way. Another approach is to place ads on sites that just take the money without validating the legality of the ad or what it links to. Sending spam containing the bad URLs is another common way to lure people.

How to Protect Yourself

Here are a few points you can adopt to make your life safer online:

  • Use supported software; don’t use old unsupported software like Windows XP. Windows 7 is really good, so at least upgrade to that. If your computer isn’t connected to the Internet then it doesn’t really matter.
  • Make sure Windows Update is set to automatically keep your computer up to date.
  • Don’t click on unknown attachments in e-mails.
  • If you receive spam with a shortened or suspicious URL link, don’t click on it.
  • Go through the add-ons in your browser and disable anything that you don’t know you use regularly (including all those toolbars that get installed).
  • When browsing unfamiliar sites on the web, use a safer browser like Google Chrome. Nothing is foolproof, but generally Chrome has a better history than most other browsers.
  • Make sure you have up to date virus scanning software running. There are several good free ones, including AVG Free Edition.
  • Make sure you have Windows Firewall turned on.
  • Don’t run server programs you don’t need. You probably don’t need to be running an FTP server or an e-mail server. Similarly, don’t run a whole bunch of database servers you aren’t using, or stop them when not in use.
  • Don’t trust popup windows from unfamiliar or suspicious websites. For example, if a window suddenly pops up telling you to update Java or something, it’s probably a fake that is going to install something bad. Always go to the main site of the company whose software you are going to install.
  • Never give personally identifiable data to unknown websites; they have no good reason to know your birthday, phone number or mother’s maiden name.
  • Don’t use the same password on all websites. For websites that you care about, have a good unique password.
  • Be distrustful of URLs that are sort of right, but not quite (often it’s better to go through Google than to type a URL directly). Scammers often set up URLs with common misspellings of popular sites to catch unsuspecting victims.
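As an added illustration of the last two points about lookalike URLs (this is example code, not from the original post), here is a small Python check that flags a link whose host is a close misspelling of a site you use, or that puts a real site’s name in front of an unrelated domain. The KNOWN_HOSTS list and the sample URLs are constructed for the example; the threshold of two edits and the naive host handling (no public-suffix list) are assumptions.

```python
# Added example: flag "sort of right, but not quite" URLs against a short allow-list.
from urllib.parse import urlparse

# Constructed allow-list of sites the reader actually uses (assumption for this example).
KNOWN_HOSTS = ["google.com", "microsoft.com", "sage.com", "paypal.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def registrable_host(url: str) -> str:
    """Lower-cased host with any leading 'www.' removed (naive; no public-suffix list)."""
    if "://" not in url:
        url = "http://" + url            # urlparse needs a scheme to locate the host
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify(url: str, known=KNOWN_HOSTS, max_dist: int = 2) -> str:
    """Return 'known', 'lookalike of X', 'embeds X' or 'unrelated' for a URL."""
    host = registrable_host(url)
    if host in known:
        return "known"
    for k in known:
        # One or two character edits away from a real site is the classic typosquat.
        if edit_distance(host, k) <= max_dist:
            return f"lookalike of {k}"
        # The real name placed in front of an unrelated domain reads as genuine at a glance.
        if host.startswith(k + "."):
            return f"embeds {k}"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links: one genuine, one typosquat, one embedded name, one unrelated.
    for u in ["https://www.google.com/search", "http://gooogle.com",
              "http://paypal.com.secure-login.net", "http://example.org"]:
        print(f"{u:40} -> {classify(u)}")
```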

Summary

There are a lot of bad things out on the Internet, but with some simple precautions and some common sense you can avoid the pitfalls and have an enjoyable web browsing experience.

Written by smist08

May 3, 2014 at 4:25 pm

Sage 300 ERP 2012 Supported Platforms

Introduction

Whenever a new version is released, it is tested with the latest operating systems, and usually the bundled components are updated to their latest versions. As always, a detailed list of all supported platforms and exact versions will be published on our website. This blog posting is a bit more informal and talks about what I think is interesting on the list. Some of this is my opinion on the various supported platforms and their pros and cons.

Browsers

We have now added support for Chrome, Firefox and Safari. We support IE 9 everywhere and are testing on IE 10 (we need a released version before we can give a final say). We support IE 8 for Sage CRM and Quotes to Orders, but we don’t support IE 8 for the Web Portal in Sage 300 ERP.

Windows XP

We continue to support Windows XP at the SP3 level. Beware that Microsoft is currently scheduled to discontinue its support on April 8, 2014. They have extended this deadline several times already, so stay tuned. This will be dangerous, since they say they will stop issuing security updates at that point. From our own surveys we know we have a large number of users still running on XP, and that people may not want to buy new computers until absolutely necessary.

The worst thing about XP is that Microsoft doesn’t support IE 9 there, and IE 8 is quite slow and buggy. The big benefit for Sage 300 ERP users is that now that we support the Chrome, Firefox and Safari browsers, you don’t need to use IE 8 anymore for our products. We highly recommend that you install Firefox or Chrome (you can still use IE for other things like SharePoint if you need it). In fact the Sage 300 Web Portal no longer supports IE 8, so you will need to use one of these browsers to access it. For Sage CRM (and the Quotes to Orders function), we still support IE 8.

As another note, we don’t support using Windows XP as a web server for either Sage CRM or the Web Portal in Sage 300 ERP. If you need a web server, Windows 7 works great, or use a true server version of Windows.

Windows 7

This is the main client platform we support. Sage 300 ERP runs best here and we highly recommend using this client operating system.

We support the 64-bit version equally with the 32-bit version. In fact we recommend the 64-bit version, since this is the only way to take advantage of all the memory in any newer computer.

Windows 8/Windows Server 2012

We are running our automated tests against the release previews of these products. We can’t officially support them until we can test against the released versions, but we are hoping that if the released versions don’t spring a major surprise, we can support them very quickly after their release.

Note that on Windows RT (the ARM processor version of Windows 8), you can only run true web components; any VB UIs will not run.

Initial reviews of Windows 8 are rather mixed, but like MS Vista, it will start appearing on new computers whether you like it or not.

SQL Server 2012

With this release we will be both supporting SQL Server 2012 and making SQL Server 2012 available for purchase from Sage. Microsoft provides lots of information on all the new features. The most obvious one is that SQL Server Management Studio is now built on the Visual Studio 2012 platform. Besides some color and style changes it appears pretty much the same to me as the previous one, only now it takes much longer to start up. I think the idea is that it can then leverage the better developer tools in VS for debugging and such.

Pervasive.SQL 11

We now support Pervasive.SQL 11. One notable “feature” of this product is that product licensing and activation are more stringent: you cannot share licenses, and your computer must be on-line to validate your activation code. Otherwise, check out Pervasive’s web site for new features like multi-core support.

Crystal 2011

We now fully support designing reports with Crystal Reports 2011, and we now bundle the matching runtime for this version of Crystal. Beware that SAP has separated the runtime from the Crystal Reports product, so it is actually called “SAP Crystal Reports runtime engine for .NET Framework 4” (strangely, rather than for Crystal Reports 2011). The internal version of the runtime is Version 13. Our current plan is to bundle SP3 of this runtime, whose internal version is 13.0.3.612. Since we are just starting regression on the 2012 release, there is some chance that we will end up bundling SP4 if it comes out soon.

Generally this upgrade was fairly painless. We did tweak a small number of reports, but these tended to be things that were already wrong. We did find some reports with an incorrect page size, which the previous runtime ignored but which now takes effect and causes problems. In any case, you should try your customized reports and check for alignment issues, especially for things that print on pre-printed forms.

Virtualization

Here we support Citrix Xen Apps, VMware ESX 4.1 and ESXi 4.1, and Windows Server 2008 Standard R2 – Hyper V.

Just remember that virtualization adds some overhead, and if you are running multiple images on one server, beware of memory use and CPU contention.

Office

For MS Office we support 2003, 2007 and 2010. Note that we only support 32-bit Office, because of the way our Financial Reporter Excel plug-in works.

Summary

I didn’t cover everything here; we support Oracle 11gR2 and MS Vista SP2, for instance. But this should give you a flavor and some highlights of our upgraded platform support.

Written by smist08

June 23, 2012 at 5:47 pm