The blog

Another day, another Java security failure

Security researcher Adam Gowdiak ([SE-2012-01] An issue with new Java SE 7 security features) notes recent claims by Oracle that it has substantially improved Java security. Sadly, he points out, those improvements are only theoretical.

What we found out and what is a subject of a new security vulnerability (Issue 53) is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings described above. Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with “Very High” Java Control Panel security settings.

That said, recently made security “improvements” to Java SE 7 software don’t prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit.

I’ve said it before and I’ll say it again: If you are concerned about the security of your PC and network you should seriously consider uninstalling Java from all PCs under your control.

If you use web-based apps that require Java, you should conduct an active search for alternatives. If you cannot find alternatives, you should consider running Java only in highly managed virtual environments.

The fact that Java uses deceptive techniques to distribute unwanted software with its security updates just adds insult to its serious potential for injury.

Deadlines loom for cheap Windows 8 upgrades and Media Center Pack keys

Several important deadlines for Windows 8 early adopters are looming next week.

Most importantly, the opportunity to order upgrades to Windows 8 Pro for $39.99 ($69.99 if you want a physical disk) will end on January 31. Beginning February 1, the price of that upgrade goes up to $199.99.

Likewise, the opportunity to qualify for a $14.99 Windows 8 Pro upgrade for any new PC you buy with Windows 7 preinstalled ends on January 31, 2013. You have until February 28, 2013 to redeem that offer. But remember, this only applies to a new PC preinstalled with Windows 7 Home Basic, Home Premium, Professional, or Ultimate and purchased from June 2, 2012 through January 31, 2013.

Finally, if you are running Windows 8 Pro, either as an upgrade or purchased on a new PC, you qualify for a free Windows 8 Media Center Pack. Installing this upgrade unlocks the Windows 8 Media Center component and the codecs required to play back DVDs in Windows 8. This offer ends on January 31, 2013 as well, after which the price for that add-on goes up to $9.99.

You can find the details of the no-charge Media Center Pack upgrade on this promotional page at Windows.com. The page contains installation instructions and notes that the offer is “valid from October 26, 2012, until January 31, 2013, and is limited to one product key per email address.”

If you ordered multiple free product keys via this offer, you might have seen this wording in the terms and conditions:

Your product key must be activated no later than January 31, 2013. Microsoft will only contact you at the email address you provide to send you your product key and to remind you when the activation period for your product key is ending.

And if you haven’t yet gotten around to using one of those keys, you’ll likely receive a message like this one, which reiterates those terms:

[Image: Microsoft's reminder e-mail about activating the Media Center Pack key]

Does that warning mean your Media Center Pack key will no longer work beginning February 1?

I checked with a Microsoft spokesperson and was told that the keys will continue to work after the deadline passes, and that they will work later if you need to reinstall Windows. The e-mail messages are mostly a reminder to upgrade, I was told.

Update: A Microsoft spokesperson contacted me with additional information on this issue. Yes, you must activate those copies of the Media Center Pack by January 31. It’s possible (even likely) that the activation servers will continue to honor those keys for some period of time after January 31, but at some point in the near future an unactivated Media Center Pack key that was issued as part of this promotion will not be honored. (They will be usable for reinstallations, however.) Keys that are paid for, either before or after the deadline, will not expire.

My guess is that this legal requirement had to do with Microsoft’s payments to Dolby Corporation and others for licensing rights to the codecs that are included with the Media Center Pack. Each Media Center Pack key that is activated triggers a payment to those rights holders (my guess is the amount is somewhere between $7 and $10), and for accounting reasons Microsoft would really like to clear as many of them off its books as possible before the deadline passes. (If you’re curious about the background, I covered it in this post.)

There are a few cautions to keep in mind before you do this otherwise simple upgrade.

First, the new license key replaces your existing Windows 8 Pro license key. Make sure you keep a record of the existing license key so that you can use it if you need to reinstall Windows 8 Pro. You’ll find that key in the e-mail you received if you ordered the upgrade from Microsoft. If you can’t find that e-mail, use a tool like the free KeyFinder (get the version “without toolbar offers”) to locate and save it.

Second, some people have reported activation hassles after installing the Media Center Pack. The symptom is an error code 0xC004C4AA, which blocks online activation. I encountered this error on one of five test systems here and had to use a manual activation code from Microsoft Support to return my system to a properly activated state. If this happens to you, check out the Microsoft Community support forums.

For what it’s worth, I am continuing to use the Windows 7 version of Media Center with my CableCard-equipped tuners here. There’s nothing new in the Windows 8 Media Center, and it breaks support for some features, including compatibility with extender devices other than the Xbox 360.

Windows XP is “past its security expiration date”

If you’re still using Windows XP, please stop. Seriously, figure out how to migrate to Windows 7 or Windows 8. Or to a modern alternative platform if you don’t trust Microsoft.

Don’t take my word for it. Listen to Justin Schuh, an Information Security Engineer at Google, who wrote this interesting post recently on Hacker News:

I’m one of the lead devs on the Chrome Windows sandbox, and I can assure you that what we do with Vista+ on the security front is leaps and bounds ahead of what we’re stuck with on XP. DEP is unreliable and pretty worthless anyway without ASLR. You also don’t have things like SEHOP or other memory mitigations that are the first line of defense between your system and the average stale pointer exploit against WebKit.

As for the sandbox itself, we run as “Untrusted” integrity level under Vista+, which buys a solid layer of defense on top of the SID, rights, and job based sandboxing we do on XP. Our GPU process sandbox in particular (used for accelerated graphics) relies heavily on Vista+ integrity levels due to deficiencies in the Windows XP driver and graphics model. Then there’s the fact that XP is lacking hundreds of security fixes that Microsoft has chosen not to backport.

Seriously, I’ve spent many weeks trying to wring every last bit of security I can out of XP, and I really do think that Chrome does the best anyone possibly could on that front. But in the end XP is just an OS that’s far past its security expiration date, and running it at all means taking a big risk.

Read that last sentence again and tell me why you’re not planning an update?

[Hat tip to Troy Hunt]

Windows upgrade pricing will soar on February 1

You know that $39.99 upgrade to Windows 8 Pro from any previous edition?

It’s about to go away.

As of January 31, 2013, the price of a Windows upgrade goes up dramatically. Here’s the official U.S. MSRP list (online and at retail) from Microsoft:

  • Windows 8 Pro upgrade $199.99
  • Windows 8 upgrade $119.99
  • Windows 8 Pro Pack (upgrade from Windows 8 on a new PC, currently $69.99) $99.99
  • Windows 8 Media Center Pack (add Media Center and DVD playback to Windows 8 Pro) $9.99

So if you’re thinking of upgrading, this might be a good time to stop thinking and start clicking.

Note that you’re allowed to purchase a total of five Windows 8 Pro upgrades at the $39.99 price. That total price tag is the same as a single upgrade will cost once the promotional offer ends.

And don’t expect Microsoft to relent and extend the promotional pricing. There were similar discounts available for Windows 7 in its early days that were never offered again.

Consider this a reward for being an early adopter.

Questions? I’ve got answers here:

Your top 10 Windows 8 questions of 2012, answered

And to answer the very first question in the comments, there are no changes to OEM pricing. The current promotions are for upgrades only. OEM prices were not discounted, so there’s no “normal” price for them to return to.

[via The Windows Blog]

Bob Dylan: The Copyright Extension Collection, Volume 1

Copyright law is weird:

The [Bob Dylan] compilation, 50th Anniversary Collection, is a limited-edition, four-CD set that was only released in Europe. … The collection is a scrapbook of recordings from the first years of Bob Dylan’s career: unreleased home tapes, live performances from Greenwich Village folk clubs and outtakes from the sessions for his second studio album, The Freewheelin’ Bob Dylan. The packaging of the 50th Anniversary Collection is minimal — just four discs, a brown paper cover and a cursory list of the 86 tracks.

And only 100 copies.

Why the low-key release?

Dylan’s record label declined requests to talk about the collection or its unconventional release strategy.

But the subtitle, The Copyright Extension Collection, Volume 1, speaks for itself.

“Even record executives occasionally stray into honesty,” says James Boyle, a law professor at Duke University. “This is, in fact, a copyright extension collection. That’s what it is.”

Can’t blame them, but still… Copyright laws have become ridiculous.

This might be a good day to disable your browser’s Java plugin

Via Kaspersky and a bunch of other sources:

Nasty New Java Zero Day Found; Exploit Kits Already Have It

Security experts are urging users to disable Java immediately after the discovery of another zero-day exploit that has been incorporated into the Blackhole, Redkit, Cool and Nuclear Pack exploit kits.

If you don’t recognize those names, they’re crimeware kits that allow bad guys to booby-trap web sites, to which they then lure unsuspecting victims using e-mail messages or poisoned search results. As soon as you load the site in your browser, the exploit runs and you are compromised.

At the moment, there’s no fix for the specific exploit, although up-to-date antivirus software will usually block the exploit when it is served from those sites.

Instructions on how to disable the Java plugin are here. And yes, this can affect Macs as well as Windows PCs, so don’t assume you’re immune because you have a Mac.

If you have specific sites that require a Java-based plugin, consider using Chrome’s ability to block the Java plugin globally while selectively enabling Java for specific sites. Details here.

Other possible strategies:

  • Disable Java in your default browser but enable it in a secondary browser. When you need to use Java, fire up the alternate browser and navigate to the Java-based app manually.
  • Install Java only in a virtual machine and use that sandboxed installation when you need it. Although it sounds inconvenient, cleaning up a malware infection is worse.

Additional reading: How big a security risk is Java? Can you really quit using it?

CES then and now

This photo isn’t going to win any awards, but as a historical record it’s important.

It was taken one year ago today, at the 2012 International CES. Microsoft announced at the time that it wasn’t coming back this year, and it stayed true to its word.

At this year’s CES, a company called HiSense is showing their Google TV box in the same space. Irony?

Upgrading to Windows 8? Here’s how not to do it

Walt Mossberg of the Wall Street Journal wrote a head-scratching post today. “Windows 8: Not for Old-at-Heart PCs.”

Here’s how it starts:

If you’re thinking of upgrading your PC to the new Windows 8, be prepared for hassles and disappointment, especially if the computer is more than a year or two old — even if it technically meets the basic requirements to run the new version. 

I know this, because I’ve spent big chunks of the past week trying to upgrade to Windows 8 two big-name, well-regarded PCs — a 2008 Lenovo laptop and a 2009 Hewlett-Packard touchscreen desktop. The process was painful, and it resulted in lost capabilities, even though both PCs ran Windows 7 quite well and met the minimum requirements for running Windows 8.

But as we journalists say, Walt buried the lede. Here’s where he should have started:

Part of this problem was my fault, I guess. If I had thought to burrow through the Lenovo or HP websites, I might have found that my models weren’t considered by their own makers to be fit for upgrading.

For instance, HP’s information page, at http://bit.ly/SdTCVp, said this about my TouchSmart, after I located and entered its obscure, official product number: “HP has not tested this PC. For this reason, HP is unable to provide upgrade instructions or Windows 8 drivers. You may lose basic functionality & stability if you try to upgrade.” Alas, I learned this only after I had upgraded.

And even though the post leads with an illustration of the Windows 8 Upgrade Assistant, Walt admits he didn’t run that useful tool:

Microsoft does offer Upgrade Assistant software that might have warned me of the problems, available at http://bit.ly/SdUxFo. But the box for the Windows 8 Pro DVD I was using only suggested running this utility and checking with the manufacturer’s website, in tiny type at the bottom of its back cover.

We’ll never know if the Upgrade Assistant would have spared the hassles that Walt writes about with what seems to be almost glee. But I can tell you how to decrease the likelihood that you’ll have headaches:

  1. Back up first. If you’re moving from Windows 7 to Windows 8, you can use an external USB hard drive to create an image backup of your current PC configuration. That way, if anything goes wrong, you can restore your current working configuration without losing a thing. The word backup does not appear anywhere in Walt’s writeup.
  2. Do your homework, starting by checking for support at your PC maker’s website. Pro tip: If you think the model number for your PC is an obscure detail, maybe you shouldn’t be upgrading your operating system. If Walt had done this, he would have found this page that specifically says “HP Linkup, HP Application Assistant, HP TouchSmart Magic Canvas and all other HP TouchSmart applications are not compatible with Windows 8 and must be uninstalled before upgrading.” [emphasis added] Then he wouldn’t have had to write that he “lost dozens of programs, such as HP’s touch software suite…”
  3. Be especially diligent with notebooks, which are tricky because they often contain custom buttons or require specialized drivers for chipsets, trackpads, and embedded components such as graphics and storage controllers. As Walt discovered, the trackpads on older notebooks are less likely to support Windows 8 multitouch gestures, although they should work the same as they do with Windows 7.
  4. If you are one of the few people who bought a Windows 7 touchscreen PC, don’t expect that it will work on Windows 8. The Building Windows 8 team actually devoted an entire blog post to this topic. It includes a list of Windows 7-era touchscreen PCs they tested (the HP TouchSmart Walt tried to upgrade wasn’t on the list).
  5. Before you begin upgrading, run the Upgrade Assistant. It will warn you about incompatible software and drivers and even help you uninstall things that will cause problems. It also gives you a very handy checklist of stuff you need to do after the upgrade is complete.
  6. See item 1.

And if you start to run into problems, consider it a message from the upgrade gods:

Also, I had problems with the installer itself. On the HP, it wouldn’t work with either the DVDs or a downloaded version of Windows 8. So I had to transfer the downloaded version to a 4 gigabyte USB flash drive to get it to work. (It requires at least a 3 gigabyte drive.)

Frankly, running Windows 8 on a four- or five-year-old PC seems like an exercise in problem-creating to me. The machines were originally designed for Windows Vista. Walt says both PCs were running Windows 7 quite well. So what is the point in upgrading to a new operating system designed for modern touch hardware?

Big numbers for Apple’s App Store, tiny returns for developers

Just in time for the start of CES, Apple issues a press release:

Apple today announced that customers have downloaded over 40 billion apps [a footnote makes it clear that this is “40 billion unique downloads excluding re-downloads and updates”], with nearly 20 billion in 2012 alone.  … Eddy Cue, Apple’s senior vice president of Internet Software and Services [said], “Developers have made over seven billion dollars on the App Store…”

That’s an average of 17.5 cents per download. And the number is decreasing. Back in 2011 it was more than 20 cents per download, leading GigaOm to conclude “The average iOS app publisher isn’t making much money.”

Apple’s PR trumpets a handful of success stories, but like so many digital content scenarios the real story is in the long tail.

If I were a software developer today, this would not make me feel good. In fact, it would probably send me out looking for a nice safe corporate gig where I could build free apps on behalf of some big brand.

Ed Bott’s Windows 8 Essentials, Quick Start is now available

Well, it took a little longer than I expected, but the first installment of Ed Bott’s Windows 8 Essentials is now available at Amazon, in Kindle format, for $4.95 (£3.60 in the UK, I’m told).

The purpose of this volume is to cover the “need to know” stuff for Windows 8: Installing/upgrading, customizing, mastering the interface, and—most important—understanding it. (Start with “Eight Things You Need to Know About Windows 8.” If you know or suspect you’ll want to work mostly in the Windows desktop environment, you’ll want to read Chapter 7, especially the “Survival Strategies for Desktop Diehards” section.)

You can preview the book, including the full table of contents, at Amazon.com, so I won’t repeat that here.

And you don’t need a Kindle device, either. Install the Windows 8 Kindle app (available here), sync the book from the cloud to your PC, and you can read it and try stuff for yourself as you read.

Right-click in the Kindle app and you can pin the book to your Start screen.

I’ve got two more installments, which will be done later this year.

I look forward to hearing your feedback.