Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

It hasn't really been reported much, but just after Microsoft sort of stopped releasing patches for Windows XP last month, we now have to get going on the next phase-out: Windows 8.1! 

[In a first version of this diary, I stated that support ends tomorrow. As a reader points out in a comment, Microsoft announced earlier today that it extended the deadline by a month] [5]

As Microsoft wraps it in beautiful marketing speak: 

"Since Microsoft wants to ensure that customers benefit from the best support and servicing experience and to coordinate and simplify servicing across both Windows Server 2012 R2, Windows 8.1 RT and Windows 8.1, this update will be considered a new servicing/support baseline... beginning with the May Patch Tuesday, Windows 8.1 user's devices without the update installed will no longer receive security updates." [1]

To make things a bit more interesting, there are 3 different versions of what people commonly refer to as "Windows 8":

"Windows 8", "Windows 8.1" and "Windows 8.1 Update".

I guess in the old days, "Windows 8.1 Update" would be considered a "Service Pack". But then again, that would be something people are used to and not all that confused by, so Microsoft figured to mix it up and call this one "Windows 8.1 Update".

Sadly, there are reports that individuals have problems installing Windows 8.1 Update. You can now even deliver Windows 8.1 Update via WSUS, even though Windows 8.1 initially broke WSUS. [2][3]

So with WSUS fixed, and Windows 8.1 Update only breaking some of your systems, you will now be in grand shape for making Windows 8.1 Update your new baseline, as this will be the last Patch Tuesday for Windows 8.1 pre-Update patches.

Haven't upgraded to Windows 8.1 and still not missing the "Start" button? You should be good until 2023. Lots of time to get used to the new interface. But Windows 8 will only be available for retail sale until end of October [4]. 

[1] http://blogs.technet.com/b/gladiatormsft/archive/2014/04/12/information-regarding-the-latest-update-for-windows-8-1.aspx

[2] http://blogs.windows.com/windows/b/springboard/archive/2014/04/16/windows-8-1-update-and-wsus-availability-and-adjusted-timeline.aspx

[3] http://support.microsoft.com/kb/2959977

[4] http://windows.microsoft.com/en-us/windows/lifecycle

[5] http://blogs.windows.com/windows/b/windowsexperience/archive/2014/05/12/windows-8-1-update-requirement-extended.aspx

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
 
A cable broadband trade group and a lawmaker are urging the U.S. Federal Communications Commission to refrain from reclassifying broadband as a regulated utility, a move the agency's chairman says is still on the table.
 
This week's column was totally unintentional - at first it was just three separate roundups of some of the latest devices I've found interesting. But after I completed the reviews, I realized a common thread between all of them - these devices are really small (in fact, the M39p even has "Tiny" as part of its name). While some things in the world are getting larger (displays, smartphones, TVs, etc.), there's still room in the world for smaller gadgets that provide big performance.
 
What do enterprises want to see in OpenStack? With its latest distribution of the cloud hosting software, Red Hat is betting that they want a streamlined installation process and carrier-grade reliability.
 

Police in the Canadian city of Ottawa said they arrested a 16-year-old male charged with carrying out so-called "swatting" attacks that targeted 30 North American targets.

One of the targets included KrebsOnSecurity reporter Brian Krebs, who was previously on the receiving end of a vicious swatting attack that resulted in a team of police pointing guns at him as he opened the front door of his Virginia home. Krebs said the recent attacks were preceded by taunts from someone controlling the Twitter handle @ProbablyOnion. The last tweet made from that account, made on Thursday, stated: "Still awaiting for the horsies to bash down my door." The individual didn't have long to wait. That same day, the 16-year-old was arrested, according to press releases issued by the Ottawa Police Service and the FBI, respectively.

Swatting refers to the act of knowingly giving authorities false information about bomb threats, the taking of hostages, or similar threats in progress with the goal of tricking heavily armed police to raid the location of an innocent person or group. According to authorities, the unnamed 16-year-old allegedly carried out swatting attacks on 30 targets, including schools in North America that responded with lockdowns or evacuations. The minor was charged with 60 criminal offenses, including public mischief, mischief to property, uttering death threats, and conveying false info with intent to alarm.


 
Google appears to be testing a dramatic Gmail redesign that could surprise users.
 
Ajenti 'Command' Field HTML Injection Vulnerability
 
The pressure is on Apple to produce a 5-in. or larger display iPhone, since the so-called "phablet" segment grew by 369% in the first quarter and represented 34% of all smartphones shipped.
 
For the third time in four weeks, Microsoft has backed away from a customer cutoff by postponing enforcement of the Windows 8.1 Update migration deadline until June 10.
 
One of the lead plaintiffs in a class-action lawsuit that accused Google, Apple, Adobe and Intel of conspiring to suppress wages by not poaching each others' employees is firing back against a settlement reached last month.
 

Maintainers of the Linux kernel have patched one of the more serious security bugs to be disclosed in the open source operating system in recent months. The five-year-old code-execution hole leaves computers used in shared Web hosting services particularly vulnerable, so users and administrators should make sure systems are running updated versions that contain a fix.

The memory-corruption vulnerability, which was introduced in version 2.6.31-rc3, released no later than 2009, allows unprivileged users to crash or execute malicious code on vulnerable systems, according to the notes accompanying the published proof-of-concept code. The flaw resides in the n_tty_write function controlling the Linux pseudo tty device.

"This is the first serious privilege escalation vulnerability since the perf_events issue (CVE-2013-2049) in April 2013 that is potentially reliably exploitable, is not architecture or configuration dependent, and affects a wide range of Linux kernels (since 2.6.31)," Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. "A bug this serious only comes out once every couple years." As Ars reported in May 2013, the then-two-year-old CVE-2013-2049 continued to imperil users more than a month after Linux maintainers quietly released a patch for the gaping hole.


 
Linux Kernel 'n_tty.c' Memory Corruption Vulnerability
 
PHP FPM 'php-fpm.conf.in' Local Privilege Escalation Vulnerability
 

=============== Rob VandenBrink Metafore

 
Last week, a report from New York-based global investment news site BrightWire.com suggested that Apple's upcoming smartphone, the iPhone 6, will (finally) support near-field communications (NFC) technology. BrightWire.com cited "a source close to the matter."
 
Michael Keithley has more than two decades of experience as a CIO. However, the IT veteran says he's seeing more change now than ever before. CIO.com's Tom Kaneshige sat down with Keithley to talk about the challenges he and his colleagues face, the need to speak the same language as the business side and the reality of what lies ahead for CIOs who refuse to change their approach.
 
Motorola Mobility is hoping to build on the success of the Moto G with another affordable smartphone. But the new Moto E will face even greater competition in a segment that, thanks to increased competition between processor manufacturers, is turning into a hornets' nest.
 
If you happened to be at the Player's Championship golf tournament in Ponte Vedra Beach, Fla., last weekend, you had a chance to buy Google Glass eyewear.
 
Linux Kernel 'raw_cmd_copyin()' Function Local Privilege Escalation Vulnerability
 
Linux Kernel 'raw_cmd_copyout()' Function Local Privilege Escalation Vulnerability
 
[SECURITY] [DSA 2926-1] linux security update
 
[security bulletin] HPSBMU02931 rev.6 - HP Service Manager and ServiceCenter, Injection of Arbitrary Code, Remote Privilege Elevation, Remote Disclosure of Privileged Information and Cross Site Scripting (XSS)
 
For the kick-off of its annual Tech Ed user conference, being held this week in Houston, Microsoft released a bevy of tools and services to help administrators connect their internal operations to Microsoft's Azure cloud.
 
The good news is that security budgets are rising broadly. The bad news? So are successful attacks. Perhaps that's why security budgets averaging $4.3 million this year represent a gain of 51% over the previous year, and that figure is nearly double the $2.2 million spent in 2010, all according to our most recent Global Information Security Survey, conducted by PricewaterhouseCoopers.
 
By switching to a non-Microsoft browser, Windows XP users can halve the number of vulnerabilities that apply to the OS, according to a survey of flaws Microsoft fixed in the second half of 2013.
 
The chairman of the U.S. Federal Communications Commission will use all the tools at his disposal to stop broadband providers from dividing the Internet into fast and slow lanes, he wrote in a letter to Internet companies critical of his recent net neutrality proposal.
 
IBM Tivoli Netcool/OMNIbus Multiple Security Vulnerabilities
 
ESA-2014-027: RSA® NetWitness and RSA® Security Analytics Authentication Bypass Vulnerability
 
[ MDVSA-2014:086 ] libxml2
 
[ MDVSA-2014:085 ] ldns
 
[ MDVSA-2014:084 ] libpng
 
LinuxSecurity.com: Updated libxml2 packages fix security vulnerability: It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using [More...]
 
LinuxSecurity.com: Updated ldns packages fix security vulnerability: ldns-keygen creates a private key with the default permissions according to the user's umask, which in most cases will cause the private key to be world-readable (CVE-2014-3209). [More...]
 
LinuxSecurity.com: Updated libpng packages fix security vulnerabilities: An integer overflow leading to a heap-based buffer overflow was found in the png_set_sPLT() and png_set_text_2() API functions of libpng. An attacker could create a specially-crafted image file and render it [More...]
 
LinuxSecurity.com: New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: Multiple vulnerabilities have been found in OpenSSH, the worst of which may allow remote attackers to execute arbitrary code.
 
Linux Kernel 'filter.c' CVE-2014-3144 Multiple Local Denial of Service Vulnerabilities
 
Serve the public trust, protect the innocent, uphold the law.
 
Yokogawa CENTUM CS3000 'BKCLogSvr.exe' Heap Based Buffer Overflow Vulnerability
 
Libxml2 Entity Substitution CVE-2014-0191 Denial of Service Vulnerability
 
ldns CVE-2014-3209 Local Insecure File Permissions Vulnerability
 
Samsung Electronics may finally be ready to launch a smartphone based on the Tizen open-source operating system, and is eyeing Russia and India for the event.
 
Dovecot Denial of Service Vulnerability
 
Mozilla last week said it would press forward on plans to put advertisements on Firefox's new tab page, but reassured users that the browser would not become 'a mess of logos.'
 
Storage is now marching down the same path as computing, approaching a future when all of an organization's storage systems can be mixed and managed as virtual pools.
 
Samsung Electronics' 72-year-old chairman Kun-Hee Lee is in a stable condition after suffering a heart attack.
 
Beware bold promises from a multibillion-dollar industry that can't prevent your IT systems from being routinely hacked
 
Here's a short history on computer science student enrollments. Leading up to the dot-com bust, computer science enrollments soared to new highs, and then they plunged. Like a rock.
 
Sixty years after bulky 'rabbit ears' TV antennas, engineers are designing tiny custom ones that can fit inside of wearable devices.
 
In this Reinvention Workshop held at the 2014 Premier 100 IT Leaders Conference, NASA Jet Propulsion Laboratory CTO Tom Soderstrom gives a glimpse into what rocket scientists see on the high-tech horizon.
 
[security bulletin] HPSBST03015 rev.3 - HP 3PAR OS running OpenSSL, Remote Disclosure of Information
 

GE patches gap in infosec capabilities with Wurldtech buy
Register
Years after the infosec world noticed the chronic insecurity of SCADA kit, industrial giant GE has decided it needs to improve its in-house capabilities by announcing that it's to acquire Wurldtech. Founded in 2006, Wurldtech's product portfolio, sold ...

 