Since 2002, when Microsoft launched its Trustworthy Computing initiative, security in the company's products have improved each year. But while the company has increasingly battened down Windows, Office and its other programs, the number of vulnerabilities in harder-to-patch third-party applications has grown dramatically, making overall security on the PC worse than ever.

More Risk In Third-Party Apps

Rather than go through the expense of battling Microsoft directly, many hackers now focus on low-hanging fruit, such as the Java and Adobe Flash browser plug-ins, which are often left un-patched even by users who conscientiously update Windows and Office. This trend was highlighted in a new study by Secunia.

The security vendor found Microsoft's highly effective automatic security updates now address only 8.5% of the vulnerabilities in a PC. The rest have to be patched through updates from various software developers, each with their own unique process. The complexity leads users who are not security savvy to forgo updates, vastly increasing their risk of infection.

"There is, to date, no one fix-it-all solution," warned Morten Stengaard, director of product management and quality assurance at Secunia, in the company's blog.

Theoretically, Microsoft could overhaul Windows to place each third-party application in its own container, making it more difficult for hackers to load malware in the operating system. However, such a massive change would require Windows software vendors to rebuild their own products, which would have a ripple affect on every corporate and consumer customer.

"Microsoft, to some extent, is hamstrung by legacy code and what they've done in the past," Jack Gold, analyst for J. Gold Associates, said. "They can't just rip everything up and start all over again very easily."

Fewer Flaws In Microsoft Apps

Ironically, the third-party threat is blossoming even as Microsoft continues to get its own house in order. In 2012, out of all the known vulnerabilities in the top-50 PC programs, Microsoft products accounted for only 14% of them, the study found. The rest were in other software. And the share of vulnerabilities on a Windows PC coming from third-party applications has been growing. In 2007, they accounted for 57% of the security flaws, compared to 86% last year, Secunia says.

"It's well known that they [Microsoft] have put great efforts into improving security of the operating system and the applications that they provide," Stengaard said in an interview. "What we're seeing is the long-term involvement and dedication is now paying off."

Windows, Office, Silverlight and other Microsoft products are not ironclad, of course. Given enough time, knowledgeable hackers can find their way in through these channels. But in the world of cybercrime, most hackers are not interested in a challenge. Instead, they look for the easiest way to break into as many PCs as possible, to enslave the machines into the many armies of remotely controlled botnets, or to steal credit-card numbers, social-security numbers and corporate intellectual property that will fetch a good price on the underground.

Including both Microsoft and third-party applications, the number of PC vulnerabilities has dropped by 5% since 2011, and by 10% among the top 50 applications. Since 2007, though, overall vulnerabilities are up 15%, Secunia found, and that jumps to a whopping 98% increase among the top 50 applications.

Where The Danger Lies

Applications most likely to provide an easy path into Windows machines include Java, Flash, Adobe Reader and Apple iTunes, according to Secunia. If these applications are not kept up to date, hackers can exploit known vulnerabilities that enable them to load their malware via the PC's system memory.

In addition, all these applications have very large user bases, which makes it easier for hackers to find targets.

Why PCs have so much outdated software varies. Sometimes it's because the update process is too cumbersome, so they don't bother. Other times, the vendor is slow in fixing flaws that hackers are already targeting. Updating Java, an open platform for running software on any operating, system has been a pain for a long time. However, Java steward Oracle is working to improve the process and is getting updates out quicker, most experts agree.

In 2012, Adobe had the worst record for updating applications, according to Secunia. The software maker released patches at a rate 80% slower than in 2011, based on the time it took the vendor to release updates of vulnerabilities reported by Secunia.

Overall, though, patch speed for third-party apps is increasing, Secunia said:

In fact, in 2012, 84% of vulnerabilities had patches available on the day of disclosure. In 2011, the number was only 72%. The most likely explanation for this improvement in ‘time-to-patch’ is that more researchers coordinate their vulnerability reports with vendors.

Patching Is Critical

The vendor based its study on 6 million PCs, mostly in the U.S. and Europe, running its freeware called Personal Software Inspector, which checks for application vulnerabilities. Microsoft products accounted for 35% of the programs on the PCs.

If you take Secunia's study seriously, then the takeaway is clear. Even if patching all your software is getting more complicated,  making sure everything is always up to date is more important than ever.

Image by Fredric Paul.

Beginning Tuesday, Microsoft is reversing itself and adding Flash back into the Internet Explorer 10 browsers used by Windows 8 and Windows RT. The browser will use a "touch-enabled" version of Flash optimized with Adobe.

Specifically, Flash will be enabled with the Windows 8-style "Metro" environment by default, Microsoft said. It will continue to run, as it previously has, within the Windows 7-like desktop, the alternative user interface still used by some apps. Microsoft has also flip-flopped its security protocols, swapping a "whitelist" of approved Flash sites for a blacklist of sites which are now prohibited.

Usability vs. Security

Microsoft's decision has two key aspects: usability and security. On the usability side, people who use Windows 8 and Windows RT, including those who have purchased the two variants of Microsoft's Surface tablet, will be able to take advantage of the numerous Flash games available online. On the other hand, adding back Flash also opens IE users to Flash vulnerabilities that the browser might have previously weeded out.

Before today's change, Microsoft maintained a so-called "whitelist" of approved sites that could run Flash within the IE10 environment. Now, however, that so-called "Compatibility View List" will block (or "blacklist") those sites that don't meet Microsoft's criteria for usability and reliability, or security. On Windows 8, they'll be banished to the desktop via an ugly error message. On Windows RT, they won't run at all.

"We believe having more sites 'just work' in IE10 improves the experience for consumers, businesses, and developers," Rob Mauceri, the group program manager for Internet Explorer, wrote in a blog post. "As a practical matter, the primary device you walk around with should give you access to all the Web content on the sites you rely on. Otherwise, the device is just a companion to a PC. Because some popular Web sites require Adobe Flash and do not offer HTML5 alternatives, Adobe and Microsoft continue to work together closely to deliver a Flash Player optimized for the Windows experience."

A guide for developers provides some additional guidance - namely, that Microsoft isn't giving up its emphasis on HTML5 over Flash. And just because IE10 now supports Flash doesn't mean Microsoft will bless any old implementation. Any app that requires a double-click, for example, will be frowned upon, as will apps that call Flash for panning, zooming, rotating and swiping. The use of cameras and microphones powered by Flash code will also not be allowed.

Fortunately, fewer than 4% of sites on the Web fall on the CV blacklist, Microsoft said.

Security Headaches?

Microsoft's Mauceri wrote that the new version of Flash has been "optimized for touch, performance, security, reliability, and battery life. Adobe made substantial changes to the Flash player to align with the Windows 8 experience goals."

Unfortunately, that also means that IE10 will require Flash-specific patches, too. While Flash may not be as vulnerable as Java - recall that the U.S. Computer Emergency Readiness Team (US-CERT) recommended that Java be disabled in January, even after Oracle issued an out-of-band update - Flash is frequently patched. That's a double-edged sword: It means that Flash is constantly being attacked, even as Adobe and others constantly update it. In May 2012, for example, Adobe discovered and patched a vulnerability that could hijack Windows PCs. Adobe representatives did not respond to requests for comment via a Web form. According to Microsoft, any needed Flash updates will be delivered via Windows Update... no surprise there.

This is a big issue because from a security standpoint, Internet Explorer is a gateway into Windows PCs. And both Flash and Windows. are constantly in dynamic states of security. 

Microsoft should be congratulated for maintaining the CV blacklist as an additional layer of security, simply refusing to access sites that it knows harbor malware. Unfortunately, "innocent" sites that merely display their content in ways that are unfriendly to touch screens or IE10 may also be blocked. Developers can manually request their sites to be unblocked (with the number of visitors being one criteria) and use sites like Microsoft's IE-friendly Modern.ie to facilitate its removal.

A Microsoft spokesperson had this to say: "Adobe and Microsoft have worked closely together for some time to address security and reliability issues, sharing best practices like the SDL and ASLR as well as information on hangs and crashes. We are also working together on accessibility, manageability, and privacy. Flash updates with the Windows Update mechanism to distribute security updates from Adobe to meet expectations of Windows customers with regard to security updates and delivery of those updates."

Flash Is Dead. Long Live Flash?

Flash may not be inherently bad - but it sure has plenty of enemies. Adobe itself pulled the plug on mobile Flash development last year, and groups like OccupyFlash would like to eliminate it from the desktop, as well. (BlackBerry, for some reason, has chosen to cling to Flash in BB10.)

"Flash Player is dead," the site's manifesto reads. "Its time has passed. It's buggy. It crashes a lot. It requires constant security updates. It doesn't work on most mobile devices. It's a fossil, left over from the era of closed standards and unilateral corporate control of web technology."

That analysis is absolutely right. If Flash isn't dead yet, it's surely dying. But just as Windows users gripe about backwards-compatibility with their favorite apps and games, so must the Web hold on to Flash. For now, at least.

Image Source: Robot Unicorn Attack

Guest author Ed Lee is lead architect for virtualized storage vendor Tintri.

Virtualization and flash memory are disrupting the staid storage industry. First embraced in slick consumer products like the iPod, flash memory is now the new darling of enterprise IT. One reason is speed.  Flash is more than 400 times faster than rotating disks.

The other reasons are virtualization and cloud computing. Combined, these technology trends have strained the capabilities of traditional storage products. Those big metal boxes of enterprise storage, called arrays, were originally designed in the 1980s - before MC Hammer rocked parachute pants. Today’s input/output storage requirements are heavier and far more random than storage designers could have predicted 30 years ago. And with new technology comes new problems. IT systems that once hummed, “Can’t Touch This,” became hung up by traffic jams. With the highly random I/O of modern virtualization, flash trumps even the best spinning disks.

Well, nothing gets venture capitalists writing checks faster than IT managers with large budgets wringing their hands in frustration. So, enter the flash solutions from enterprise storage startups. Even the incumbent dinosaurs are showing some hustle. Just last spring, storage industry giant EMC's dropped an impressive $400 million to snap up XtremIO, a three-year-old flash company that has yet to ring up a single sale.

Too Much Flash?

So has flash been over-hyped? Yes, of course it has. Most promising new technologies are overhyped, but the best survive the disappointment that is sure to follow. The problem with most of the flash crowd is that they tout it as a cure-all for IT's performance woes – like a magic medicine show, it puts the performance back in your data center. But it's not magic. It does one thing really well - it eliminates contention for disk spindles. But flash by itself does nothing to ease storage management burdens, and in fact may actually contribute to increased infrastructure complexity. 

Like all new technologies, flash-based storage systems need to be designed into complete solutions rather than just point products.   

Speed Isn't Enough

Today, flash is central to nearly every next-generation storage solution coming to market. But smart IT managers know that speed alone doesn’t solve all of their storage problems, especially in a world of virtualization and cloud computing. In fact, flash-based vendors that offer systems that simplify storage management provide a much greater boost to IT performance than just making I/Os go faster.

Like many incremental improvements in component technologies – even order of magnitude performance boosts like flash – are too often hijacked by legacy vendors to create incrementally smaller and faster versions of the same old products. Don’t be blinded by flash. It’s cool, but it needs to be integrated with new approaches to building complete solutions.

Expect the enterprise storage conversation, pushed by the new demands of virtualization and cloud computing, to move beyond flash. It’s not just about the speed; it's about the solution.

Image courtesy of Shutterstock.

One small developer says that he's readied an open-source alternative to Microsoft's exFAT file system, providing companies and individuals with a free alternative to Microsoft's file system for flash drives.

Over the weekend, developer Andrew Nayenko announced fuse-exFAT 1.0.0, completing three years of development on the project. Tarball archives have been posted to Google's code site, where they can be compiled for GNU/UNIX based operating systems and Apple's OS X.

And that could mean a loss of revenue for Microsoft, which has been busy licensing its exFAT file system to a number of companies. Last week, for example, Microsoft licensed the exFAT tech to automaker BMW for an undisclosed amount. It has signed similar deals with Aspen Avionics, Canon, Panasonic, Research In Motion, Sanyo and Sony.

Why Is This Important?

A file system manages the locations of computer files stored on a drive; in Windows, for example, PCs have used the NTFS file system since the days of Windows 2000. (Microsoft planned to include a new file system into Windows 8, called ReFS, but that system has been reserved for Windows Server.) Apple uses its own Hierarchical File System, with an improved version, HFS+, in OS X. 

The vast majority of consumers and businesses never have to worry about which format is used on which drive, as products like USB keys and external hard drives can be read by both Apple and Windows systems. Those external devices -  including the SD cards used by most consumer cameras - are typically formatted with a file system called FAT32.

But as cards themselves increase in file size, the file system's role becomes more prominent; for example, SD HD cards up to 32GB are formatted with FAT32. But for the newer SD XC cards, from 32GB on up to a (largely theoretical) limit of 2 terabytes, the SD Card Association has flipped over to the exFAT file system.

That's important in an increasingly connected world. In a statement, BMW's project manager for CE device connections, Gottfried Schmid, explained that “with the support of the trend-setting file system exFAT, BMW is able to significantly increase the number of compatible CE devices and Mass Storage devices for our customers.” But the license agreements Microsoft has signed cover a number of traditional camera and phone manufacturers that are seeking legal shelter.

The Legal Mess

It's still too early to tell whether Nayenko has managed to reverse engineer exFAT using open-source technologies, however. Microsoft hasn't divulged many details of the the exFAT file system; in 2009, the SANS Institute attempted to reverse-engineer the exFAT file system to enable forensic examination, such as sensitive images that may have been stored on a camera. Microsoft maintains a licensing page specifically devoted to licensing exFAT technologies, and company representatives declined to comment when asked if Nayenko's technology violated the company's patents.

Nayenko is presenting the exFAT file system as a FUSE model, a loadable kernel module that essentially serves as a bridge to the actual kernel interfaces. FUSE is licensed according to the GNU public software license.

The few people who are aware of Nayenko's release have begun asking whether or not businesses or other commercial entities interested in using fuse-exFAT within their own products may legally do so. Last year, Nayenko said that he didn't believe that Microsoft could touch him. "Fortunately U.S. laws are not worlds [sic] laws," he wrote in a message to the Google newsgroup.

On Tuesday, he took a more laissez-faire approach. "I don't know," Nayenko responded, when I asked to interview him about the legal standing of fuse-exFAT. "You should consult a lawyer. I run this project just for fun and don't care about patents because I'm not a U.S. resident."

It's easy to draw comparisons between fuse-exFAT and Linux, and the battles between the open-source community and Microsoft in the late 1990s. Linux, however, was designed as a new OS kernel, not as a clone of existing Microsoft technology. While Nayenko may have designed a version of the exFAT file system that truly exists independently of Microsoft, any company selling products based on fuse-exFAT within the United States will probably face a legal challenge from Redmond.

Image source: Flickr/Le ciel azure