<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>PC &#38; Network Support Services Limited</title>
	<atom:link href="http://pcnss.co.uk/feed/" rel="self" type="application/rss+xml" />
	<link>http://pcnss.co.uk</link>
	<description>IT Support for Home &#38; Small Business - Castle Cary, Somerset. BA7</description>
	<pubDate>Wed, 29 Jul 2009 07:26:19 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.3</generator>
	<language>en</language>
			<item>
		<title>IPv6: Oops, it&#8217;s on by default</title>
		<link>http://pcnss.co.uk/ipv6-oops-its-on-by-default/</link>
		<comments>http://pcnss.co.uk/ipv6-oops-its-on-by-default/#comments</comments>
		<pubDate>Wed, 29 Jul 2009 07:24:49 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[networking]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=441</guid>
		<description><![CDATA[Do you know whether your computers are actively using IPv6 or not? Better check, as the bad guys probably already know.
——————————————————————————————————————-
Microsoft began enabling IPv6 protocol by default with the release of Vista. That policy continued with Windows Server 2008 and will with Windows 7. Apple, Linux, and Solaris are also shipping their latest distributions with [...]]]></description>
			<content:encoded><![CDATA[<p><em>Do you know whether your computers are actively using IPv6 or not? Better check, as the bad guys probably already know.</em></p>
<p>——————————————————————————————————————-</p>
<p>Microsoft began enabling IPv6 protocol by default with the release of Vista. That policy continued with Windows Server 2008 and will with Windows 7. Apple, Linux, and Solaris are also shipping their latest distributions with IPv6 enabled.</p>
<p>Before continuing, I need to explain something. We all understand that IPv6 is important. I even mustered enough courage with Joe Klein’s (director of IPv6 security at <a href="http://www.commandinformation.com/" target="_blank">Command Information</a>) gracious help to write <a href="http://search.techrepublic.com.com/search/ipv6+and+michael+kassner.html" target="_blank">several articles</a> about it. So that’s no longer on my radar.</p>
<p><strong>What’s on my radar </strong></p>
<p>I’m not sure why, but computers are now shipping with IPv6 enabled. My guess would be that most OS developers figured IPv6 networks would be more predominant by now. Or that there’s no downside to enabling IPv6, so why wait.</p>
<p>I do know of one Microsoft service that requires IPv6. It’s called <a href="http://en.wikipedia.org/wiki/Windows_Meeting_Space" target="_blank">Windows Meeting Space</a>. It uses the peer-to-peer framework and IPv6 to set up ad hoc networks automatically.</p>
<p><strong>What numbers are we talking about</strong></p>
<p>The number of computers running IPv6 is staggering. Carolyn Duffy Marsan in a <a href="http://www.networkworld.com/news/2009/071309-rogue-ipv6.html" target="_blank">NetworkWorld article</a> quoted Joe Klein as saying:</p>
<p><em>“We’re probably talking about 300 million systems that have IPv6 enabled by default. We see this as a big risk.”</em></p>
<p>What I’m wondering is how many of the people using the 300 million computers realize IPv6 is enabled or know what it means?</p>
<p><strong>What’s being exploited</strong></p>
<p>In a <a href="http://www.networkworld.com/news/2009/071309-ipv6-network-threat.html" target="_blank">concurrent article</a>, Marsan asked experts what they considered the most serious issues of running a dual stack comprised of IPv6 and IPv4. Here’s what they said:</p>
<ul>
<li><strong>Rogue IPv6 traffic</strong>: Attackers realize that most network administrators aren’t monitoring IPv6 traffic, or can’t, because existing firewalls, IDS, or network management tools aren’t IPv6-aware. Therefore, an attacker can send malicious traffic to any computer running IPv6 and it will get through.</li>
<li><strong>IPv6 tunneling</strong>: Protocols such as <a href="http://en.wikipedia.org/wiki/Teredo_tunneling" target="_blank">Teredo</a> and <a href="http://en.wikipedia.org/wiki/ISATAP" target="_blank">Intra-Site Automatic Tunnel Addressing Protocol</a> (ISATAP) encapsulate IPv6 packets inside IPv4 packets. The morphed packets can easily pass through IPv4 firewalls and network address translation (NAT) equipment, defeating perimeter defenses purposed to sense and drop IPv6 packets.</li>
<li><strong>Rogue IPv6 equipment</strong>: Because IPv6 uses auto-configuration, an attacker can gain considerable control over computers running IPv6, simply by placing a rogue device capable of issuing IPv6 IP addresses on the network under attack. To make matters worse, the device could have router attributes, forcing all traffic to transit through it and allowing attackers to snoop, modify, or drop traffic at their whim.</li>
<li><strong>Built-in ICMP and multicast</strong>: Unlike IPv4, IPv6 requires <a href="http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol" target="_blank">ICMP</a> and <a href="http://en.wikipedia.org/wiki/Multicast" target="_blank">multicast</a> traffic. That fact will significantly change how administrators approach network security. Right now, blocking ICMP and multicast traffic on IPv4 networks is the accepted practice. That will no longer work and complicated filtering of ICMP and multicast packets will be required to maintain some semblance of security.</li>
</ul>
<p><strong>Leave IPv6 enabled or not</strong></p>
<p>Whether to leave IPv6 “enabled or not” is about as clear as mud. There’s the yes camp and there’s the no camp with the whole gray area in between littered with other opinions. I thought I’d let the experts introduced in Marsan’s article present their views:</p>
<p><strong>Tim LeMaster</strong>: Director of systems engineering for Juniper’s federal group mentions:</p>
<p><em>“If you’re not prepared for IPv6, then the prudent thing to do is not to allow it into your network,” LeMaster says. “But you shouldn’t be blocking all IPv6 traffic for the next five years. You should only block it until you have a policy and understand the threats.”</em></p>
<p><strong>Lisa Donnan</strong>: Vice president of advanced technology solutions at Command Information has a different viewpoint:</p>
<p><em>“We don’t recommend that you block IPv6 traffic. We are recommending that you do an audit and find out how many IPv6 devices and applications are on your network. If you have IPv6 traffic on your network, then you’ve got to plan, train, and implement IPv6.”</em></p>
<p><strong>Sheila Frankel</strong>: Computer scientist in the Computer Security Division of the National Institute of Standards and Technology (NIST) expresses a middle-ground viewpoint:</p>
<p><em>“Companies need to acquire a minimal level of expertise in IPv6, which will help protect them against threats. The other thing they should do is to take their outward-facing servers, those that are external to the corporation’s firewalls, and enable IPv6 on them. That way, customers from Asia with IPv6 addresses will be able to reach these servers and their own people will acquire expertise in IPv6. This will be a first step in the process.”</em></p>
<p>Frankel continues:</p>
<p><em>“IPv6 is coming. The best way is to face it head on and to decide you’re going to do it in the most secure manner possible.”</em></p>
<p>As soon as I started receiving computers with IPv6 enabled, I turned the protocol off. My rationale was why take a chance when it’s not necessary. Apparently, my choice is paying off, as my client’s computers aren’t vulnerable to these new exploit vectors.</p>
<p>That works for me for the time being at least. I don’t pretend to think my choice will work for everyone. From the above opinions, the only thing I do know for sure is that getting up-to-speed on IPv6 is important, as that knowledge will help you determine what’s in the best interest of your network and computer systems.</p>
<p><strong>How to disable IPv6</strong></p>
<p>Thankfully, disabling IPv6 is quite easy. I’ve provided links to Web sites that explain the process for several of the operating systems, if you’re so inclined:</p>
<p><a href="http://www.cyberciti.biz/tips/linux-how-to-disable-the-ipv6-protocol.html" target="_blank">Disable IPv6 in Linux</a></p>
<p><a href="http://www.home-network-help.com/disable-ipv6.html" target="_blank">Disable IPv6 in Windows Vista</a></p>
<p><a href="http://www.macosxhints.com/article.php?story=20050504161223778" target="_blank">Disable IPv6 in Mac OS X</a></p>
<p><strong>Final thoughts</strong></p>
<p>This is definitely a thorny subject and full of surprises. Just like every new and untested technological change. I can accept that. What’s hard to accept is that security once again appears not to be a main consideration. I hope it’s just a temporary oversight.</p>
<p>Original Article By Michael Kassner for Tech Republic:</p>
<p><a class="alignleft" title="IPv6: Oops, it's on by default" href="http://blogs.techrepublic.com.com/security/?p=1955&amp;tag=nl.e036" target="_blank">IPv6: Oops - it&#8217;s on by default</a></p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/ipv6-oops-its-on-by-default/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Windows 7 Release To Manufacturing</title>
		<link>http://pcnss.co.uk/windows-7-release-to-manufacturing/</link>
		<comments>http://pcnss.co.uk/windows-7-release-to-manufacturing/#comments</comments>
		<pubDate>Thu, 23 Jul 2009 11:09:29 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[microsoft]]></category>

		<category><![CDATA[windows 7]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=437</guid>
		<description><![CDATA[From reading the many blogs etc., here is some of the information that is currently in the wild:
    * There will be two major release dates: August 6th and October 22nd.
    * TechNet/MSDN subscribers will be able to download the English language version of Windows 7 Release To Manufacturing on [...]]]></description>
			<content:encoded><![CDATA[<p>From reading the many blogs etc., here is some of the information that is currently in the wild:</p>
<ul>
<li>There will be two major release dates: August 6th and October 22nd.</li>
<li>TechNet/MSDN subscribers will be able to download the English language version of Windows 7 Release To Manufacturing on August 6th, other languages will be available by October 1st.</li>
<li>General availability (GA) for everyone else will be on October 22nd.</li>
<li>Microsoft Partner Program Gold/Certified Members will be able to get the English language Release To Manufacturing via the Microsoft Partner Network (MPN) Portal on August 16th. Other languages to be available by October 1st.</li>
<li>Microsoft Action Pack will see the English language Release To Manufacturing by August 23rd, and remaining languages by October 1st.</li>
<li>Volume License (VL) customers with an existing Software Assurance (SA) license will be able to download Windows 7 RTM in English starting August 7th through the Volume License Service Center (VLSC). Other languages will go online within a couple of weeks.</li>
<li>Volume License customers without an existing SA license will have to wait until September 1st.</li>
<li>OEMs will start seeing RTM images about two days after the RTM code is finalized, so that could be by the end of the week.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/windows-7-release-to-manufacturing/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Microsoft responds to Google&#8217;s operating system</title>
		<link>http://pcnss.co.uk/microsoft-responds-to-googles-operating-system/</link>
		<comments>http://pcnss.co.uk/microsoft-responds-to-googles-operating-system/#comments</comments>
		<pubDate>Thu, 16 Jul 2009 13:37:31 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[microsoft]]></category>

		<category><![CDATA[uncategorized]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=435</guid>
		<description><![CDATA[Last week, Google announced plans to release its own operating system, one that will presumably compete with Microsoft. This week, Microsoft responds with a challenge of its own.
——————————————————————————————————————-
Last week Google announced plans to release its own operating system, one based on their Cloud technology, and one intended to compete with Microsoft’s dominance in the operating [...]]]></description>
			<content:encoded><![CDATA[<p>Last week, Google announced plans to release its own operating system, one that will presumably compete with Microsoft. This week, Microsoft responds with a challenge of its own.</p>
<p>——————————————————————————————————————-</p>
<p>Last week Google announced plans to release its own operating system, one based on their Cloud technology, and one intended to compete with Microsoft’s dominance in the operating system market. It generated a lot of comments in the discussion section, with mostly a wait and see attitude towards how it will affect those in a user support position.</p>
<p>This week, Microsoft responds with a challenge of its own. The Financial Times (on-line) reports in its headline, “Microsoft to step up Google battle.”</p>
<p>“Microsoft is set to broaden its battle with Google this week,” reports the Financial Times, “as it pushes ahead with online versions of some of its core software, including final plans for a ‘cloud’ operating system designed to extend Windows to the internet. The news comes days after Google took aim at Microsoft with the announcement of a PC operating system of its own, dubbed Chrome OS.”</p>
<p>“The rival moves point to an intensification of the battle between the technology giants, with Google trying to extend its internet platform to PCs, and Microsoft moving in the opposite direction. While Google’s PC operating system is not due to appear in new computers until the second half of 2010, Microsoft’s cloud operating system will be launched formally this year.”</p>
<p>I don’t know about you, but I’m looking at this from two perspectives.</p>
<p>First of all, as those who provide support to end users, we always try to remain a step ahead of the next generation of technology. We’d like to know what’s coming. We have to decide whether or not we’ll support it, and if so, what’s the best course of action.</p>
<p>But secondly, I must admit, I’m watching this from the seat of a spectator, not unlike at a sporting event. We see on the field before us, two titans of technology battling each other for market dominance. We all know that a lot of technology support professionals would like to see Microsoft knocked down a few notches and are critical of its reluctance to join the open source movement. Google, on the other hand, has gotten just about as big as Microsoft, but in their own niche of technology. Google, for instance, not only dominates the search engine market, but it has actually transformed itself from a noun to a verb - something not many companies have managed to pull off. (Xerox, of course, comes to mind.)</p>
<p>What’s your take on this Google versus Microsoft challenge? How does it affect your role as a user support pro?</p>
<p>And will Google eventually become a technology demon like Microsoft has become (at least in the eyes of some)? How big will it have to get, and how much of a market share will it have to gain before technology pros want to see Google knocked down a few notches? After all, the public loves rags to riches stories, like Google, but then again, they also love to see the mighty and powerful fall.</p>
<p>Article written by Joe Rosberg of Tech Republic</p>
<p>http://blogs.techrepublic.com.com/helpdesk/?p=825&#038;tag=nl.e019</p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/microsoft-responds-to-googles-operating-system/feed/</wfw:commentRss>
		</item>
		<item>
		<title>IT professionals will not drop Windows XP quietly (if ever)</title>
		<link>http://pcnss.co.uk/it-professionals-will-not-drop-windows-xp-quietly-if-ever/</link>
		<comments>http://pcnss.co.uk/it-professionals-will-not-drop-windows-xp-quietly-if-ever/#comments</comments>
		<pubDate>Fri, 03 Jul 2009 08:07:31 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[windows xp]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=432</guid>
		<description><![CDATA[In a series of poll questions, IT professionals made it quite clear that they were not interested in migrating away from Windows XP. What do the results mean for your organization?
———————————————————————–
A couple of weeks ago, Tech Republic asked a series of poll questions about Microsoft Windows XP. That single blog post led to close to [...]]]></description>
			<content:encoded><![CDATA[<p><em>In a series of poll questions, IT professionals made it quite clear that they were not interested in migrating away from Windows XP. What do the results mean for your organization?</em></p>
<p>———————————————————————–</p>
<p>A couple of weeks ago, Tech Republic asked a series of poll questions about Microsoft Windows XP. That single blog post led to close to 300 separate posts in the corresponding discussion thread. The poll results are very informative and definitely give us an indication about where the TechRepublic membership stands with regard to a potential operating system migration.</p>
<p>To put it politely and succinctly — most IT professionals are not looking forward to it. In fact, many are actively and passionately against the very idea.</p>
<p>Let’s take a deeper look at the results and see what we can glean with regard to the future of Windows XP.</p>
<h2>Results</h2>
<h4>Figure A</h4>
<h5><img class="alignnone" title="Figure A" src="http://i.techrepublic.com.com/gallery/317200-457-380.png" alt="" width="457" height="345" /></h5>
<p>Obviously there is a large installed base of Windows XP deployed worldwide.</p>
<h4>Figure B</h4>
<h5><img class="alignnone" title="Figure B" src="http://i.techrepublic.com.com/gallery/317201-500-331.png" alt="" width="500" height="303" /></h5>
<p>It looks like the real loser in this poll question is Windows Vista. The vast majority of respondents are either waiting for Windows 7 or planning to keep Windows XP.</p>
<p>Another interesting data point is the lack of consideration for Linux or Mac OS X. Despite what vocal and passionate proponents of those operating systems may advocate, IT professionals in the business space are only interested in Windows — at least for right now.</p>
<h4>Figure C</h4>
<h5><img class="alignnone" title="Figure C" src="http://i.techrepublic.com.com/gallery/317202-480-444.png" alt="" width="480" height="409" /></h5>
<p>Backing up the previous result is this question regarding which operating systems have been tested as a possible replacement for XP. A decent percentage of IT professionals have tested the potential of Linux, but the majority of respondents are still squarely in the Windows camp.</p>
<h4>Figure D</h4>
<h5><img class="alignnone" title="Figure D" src="http://i.techrepublic.com.com/gallery/317203-481-474.png" alt="" width="481" height="439" /></h5>
<p>While legacy applications are definitely a major consideration, they don’t seem to be the major obstacle to operating system migration.</p>
<h4>Figure E</h4>
<h5><img class="alignnone" title="Figure E" src="http://i.techrepublic.com.com/gallery/317204-477-545.png" alt="" width="477" height="510" /></h5>
<p>This is the first poll question to deal with the actual practical deployment of a new operating system. It is abundantly obvious that many IT professionals are not ready to implement a migration. Unless there is a catalyst that cannot be ignored, Windows XP is going to remain the primary operating system for many organizations for as long as it is feasible.</p>
<p>The discussion thread following the first blog post backs the response to this question. Many posters in the discussion were determined to keep Windows XP absolutely as long as they can.</p>
<h4>Figure F</h4>
<h5><img class="alignnone" title="Figure F" src="http://i.techrepublic.com.com/gallery/317205-480-507.png" alt="" width="480" height="472" /></h5>
<p>The two primary reasons Windows XP looks destined to remain a factor for some time to come are that it works and that Vista is not perceived as a viable replacement. Without some sort of catalyst to force a migration, the deployment of any operating system besides XP will be slow and methodical.</p>
<h4>Figure G</h4>
<h5><img class="alignnone" title="Figure G" src="http://i.techrepublic.com.com/gallery/317206-479-452.png" alt="" width="479" height="417" /></h5>
<p>The concept of a methodical rollout is confirmed by the results of this poll question. Most IT professionals have no plans to roll out a company-wide deployment of a new operating system. Rather, new operating systems, if they are to be introduced at all into an organization, are most likely going to trickle in with new equipment.</p>
<h4>Figure H</h4>
<h5><img class="alignnone" title="Figure H" src="http://i.techrepublic.com.com/gallery/317207-481-390.png" alt="" width="481" height="355" /></h5>
<p>Once again, we see in the response to this poll question that operating systems other than some form of Windows are not really being considered. The implication is that IT professionals have very little interest in migrating away from Windows XP no matter what other operating system you ask them to consider.</p>
<h2>Bottom line</h2>
<p>Looking over the poll results, it leaves little doubt that the general consensus is against operating system migration until it is absolutely necessary. Windows XP is working just fine for many and, so far, no feasible or practical reason has presented itself as a catalyst that will drive IT professionals to consider a change. It looks like Windows XP is going to be around for longer than Microsoft may have suspected.</p>
<p>Original Article > <a href="http://blogs.techrepublic.com.com/window-on-windows/?p=1292&#038;tag=nl.e064" target="_blank">IT professionals will not drop Windows XP quietly (if ever)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/it-professionals-will-not-drop-windows-xp-quietly-if-ever/feed/</wfw:commentRss>
		</item>
		<item>
		<title>10 ways to secure the Apple iPhone</title>
		<link>http://pcnss.co.uk/10-ways-to-secure-the-apple-iphone/</link>
		<comments>http://pcnss.co.uk/10-ways-to-secure-the-apple-iphone/#comments</comments>
		<pubDate>Mon, 15 Jun 2009 12:38:59 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[apple]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=426</guid>
		<description><![CDATA[Learn about the many options you can leverage to increase security of the Apple iPhone. 


The Center for Internet Security (CIS) is well-known for developing security benchmarks for operating systems, applications, network devices, and now the Apple iPhone. I’ve read the iPhone benchmark and felt that TechRepublic’s 10 Things format would be the perfect [...]]]></description>
			<content:encoded><![CDATA[<p><em>Learn about the many options you can leverage to increase security of the Apple iPhone. </em></p>
<h3>
<hr size="2" /></h3>
<p>The <a href="http://www.cisecurity.org/index.html" target="_blank">Center for Internet Security</a> (CIS) is well-known for developing security benchmarks for operating systems, applications, network devices, and now the Apple iPhone. I’ve read the iPhone benchmark and felt that TechRepublic’s 10 Things format would be the perfect way for me to pass along some of their advice. The complete document can be found at the <a href="http://www.cisecurity.org/benchmarks.html" target="_blank">CIS benchmark portal</a>. So let’s make sure your iPhone is secure.</p>
<h2>1: Make sure firmware is up to date</h2>
<p>Like computer operating system software, keeping the iPhone’s firmware up to date is important in reducing the vulnerability footprint. The latest version of firmware is 2.2.1. Select Settings | General | About to determine what version the iPhone is using. If the iPhone is using an older version, follow the steps below to update the firmware:</p>
<ol>
<li>Connect the iPhone to the computer.</li>
<li>Open iTunes.</li>
<li>Select iPhone under Devices in the source list.</li>
<li>Select Check For Update.</li>
<li>Select Download And Install.</li>
</ol>
<h2>2: Disable Wi-Fi when not in use</h2>
<p>This is self-apparent, yet important enough to include in the list. Most people automatically disable Wi-Fi to conserve the battery. But knowing that disabling Wi-Fi eliminates an attack vector may be added incentive to turn Wi-Fi on only when needed. Use the following steps to disable Wi-Fi:</p>
<ol>
<li>Tap Settings.</li>
<li>Tap Wi-Fi.</li>
<li>Turn Wi-Fi off.</li>
</ol>
<h2>3: Disallow automatic association to networks</h2>
<p>By default, the iPhone retains association settings of the Wi-Fi networks it connects to, which allows the phone to automatically reconnect when within range. Automatic association isn’t recommended, as it’s easy to spoof trusted networks. Still, disallowing automatic association is kind of a pain, as doing so requires you to enter the passkey each time. I’ll leave this one up to you. To prevent automatic association use the following steps:</p>
<ol>
<li>Tap Settings.</li>
<li>Select Wi-Fi (make sure Wi-Fi is on).</li>
<li>Tap the blue arrow of the network to forget.</li>
<li>Select Forget This Network.</li>
</ol>
<h2>4: Turn Bluetooth off when not being used</h2>
<p>Features that make life easier for the user tend to make it easier for bad guys as well. Bluetooth is one such feature; it allows many conveniences, such as the use of wireless headsets and sharing information between phones. Yet attackers can also use it to <a href="http://en.wikipedia.org/wiki/Bluejacking" target="_blank">Bluejack</a> or <a href="http://en.wikipedia.org/wiki/Bluesnarfing" target="_blank">Bluesnarf</a> a phone.</p>
<p>For some reason, the iPhone isn’t set up to just turn off discovery. So the only way to prevent unwanted discovery and associations is to use the following steps to turn Bluetooth off:</p>
<ol>
<li>Pick Settings.</li>
<li>Tap General.</li>
<li>Tap Bluetooth.</li>
<li>Turn Bluetooth off.</li>
</ol>
<h2>5: Disable location services until needed</h2>
<p>Turning location services off doesn’t immediately increase security; it just prevents the user’s location from being published. I personally think disabling the service is a good idea for two reasons. First, it’s a significant battery drain. Second, disabling the service isn’t an inconvenience. It’s simple to turn the location service back on from within the application that needs positioning information. If so desired, follow the steps below to disable location services:</p>
<ol>
<li>Tap Settings.</li>
<li>Tap General.</li>
<li>Turn Location Services off.</li>
</ol>
<h2>6: Set a passcode</h2>
<p>Setting a passcode definitely increases the security of the iPhone. It makes it harder for someone to gain access to the iPhone because the phone automatically locks after a user-determined amount of inactivity. Setting a passcode is also required for feature seven to work. Use the following steps to set a passcode:</p>
<ol>
<li>Select Settings.</li>
<li>Select General.</li>
<li>Tap Passcode Lock.</li>
<li>Enter a four-digit passcode.</li>
<li>Re-enter the same passcode.</li>
</ol>
<h2>7: Erase data if too many wrong passcodes are entered</h2>
<p>After 10 wrong passcode attempts, user settings and any data stored on the iPhone will be erased if this setting is enabled. It’s a valuable feature because a four-digit passcode of just numbers will eventually be discovered, and this option ensures that any sensitive information will not get into the wrong hands. Use the following steps to turn erase data on:</p>
<ol>
<li>Select Settings.</li>
<li>Tap General.</li>
<li>Choose Passcode Lock.</li>
<li>Turn Erase Data on.</li>
</ol>
<h2>8: Erase data before returning or repairing the iPhone</h2>
<p>To some, this may be apparent, but many people don’t even think about removing sensitive data before selling or sending their phone in for repair. Use the following steps to prevent others from accessing your personal information:</p>
<ol>
<li>Select Settings.</li>
<li>Tap General.</li>
<li>Choose Reset.</li>
<li>Select Erase All Contents And Settings.</li>
</ol>
<h2>9: Disable SMS preview</h2>
<p>Even when the iPhone is locked, it’s still possible to preview a recently received text message. I immediately disabled SMS preview on my iPhone, as I do not want my text messages visible when the phone is locked. If you agree, use the following steps to turn off SMS preview:</p>
<ol>
<li>Select Settings.</li>
<li>Tap General.</li>
<li>Choose Passcode Lock.</li>
<li>Turn Show SMS Preview off.</li>
</ol>
<h2>10: Disable JavaScript and plug-ins in Safari</h2>
<p>Because the iPhone uses a fully functional Web browser, it is susceptible to all the same <a href="http://www.governmentsecurity.org/hacking_javascript" target="_blank">JavaScript</a> and <a href="http://www.clazh.com/cupertino-weve-got-a-problem-security-exploit-in-safari/" target="_blank">plug-in</a> exploits that plague normal computers. I recommend disabling JavaScript and plug-ins, but doing so breaks certain Web page characteristics. It’s yet another balancing act between security and usability. If you want to err on the side of security, use the following steps to disable both:</p>
<ol>
<li>Select Settings.</li>
<li>Tap Safari.</li>
<li>Turn JavaScript off.</li>
<li>Turn Plug-Ins off.</li>
</ol>
<h2>Final thoughts</h2>
<p>Most of the above security enhancements are intuitive, but I’ve found that unless prodded, most people don’t take advantage of them. I can’t in good conscience say that applying all of these enhancements is the only way; that’s going to be up to you. I just wanted to make sure everyone knew what was available. I also want to thank CIS again for its diligence in preparing the iPhone security benchmark.</p>
<p>Original article published by Michael Kassner of Tech Republic</p>
<p><a class="alignleft" title="10 Ways To Secure The Apple iPhone" href="http://blogs.techrepublic.com.com/10things/?p=793" target="_blank">10 Ways To Secure The Apple iPhone</a></p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/10-ways-to-secure-the-apple-iphone/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Dangerous Microsoft DirectX vulnerability under attack</title>
		<link>http://pcnss.co.uk/dangerous-microsoft-directx-vulnerability-under-attack/</link>
		<comments>http://pcnss.co.uk/dangerous-microsoft-directx-vulnerability-under-attack/#comments</comments>
		<pubDate>Fri, 29 May 2009 13:54:13 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[malware]]></category>

		<category><![CDATA[microsoft]]></category>

		<category><![CDATA[windows server]]></category>

		<category><![CDATA[windows xp]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=424</guid>
		<description><![CDATA[Microsoft today warned that hackers are using rigged QuickTime media files to exploit an unpatched vulnerability in DirectShow, the APIs used by Windows programs for multimedia support.
The company has activated its security response process to deal with the zero-day attacks and has issued a pre-patch advisory with workarounds and a one-click “fix it” feature to enable [...]]]></description>
			<content:encoded><![CDATA[<p>Microsoft today warned that hackers are using rigged QuickTime media files to exploit an unpatched vulnerability in DirectShow, the APIs used by Windows programs for multimedia support.</p>
<p>The company has activated its security response process to deal with the zero-day attacks and has issued a pre-patch advisory with workarounds and a one-click “fix it” feature to enable the mitigations.</p>
<p>From the <a href="http://www.microsoft.com/technet/security/advisory/971778.mspx" target="_blank">advisory</a>:</p>
<p>Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable.</p>
<p>An entry on the MSRC blog provides <a href="http://blogs.technet.com/msrc/archive/2009/05/28/microsoft-security-advisory-971778-vulnerability-in-microsoft-directshow-released.aspx" target="_blank">more details</a>:</p>
<p>The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.</p>
<p>Interestingly, the vulnerable component was removed from Windows Vista and later operating systems but is still available for use in the Microsoft Windows 2000, Windows XP, and Windows Server 2003 operating systems.</p>
<p>Vulnerable Windows users should immediately consider disabling QuickTime parsing to thwart attackers. This <a href="http://support.microsoft.com/kb/971778" target="_blank">KB article provides a fix-it button</a> that automatically enables the workaround.</p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/dangerous-microsoft-directx-vulnerability-under-attack/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Beware of Online Drive-by Download Attacks</title>
		<link>http://pcnss.co.uk/beware-of-online-drive-by-download-attacks/</link>
		<comments>http://pcnss.co.uk/beware-of-online-drive-by-download-attacks/#comments</comments>
		<pubDate>Fri, 29 May 2009 08:39:48 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=422</guid>
		<description><![CDATA[Drive-by download attacks are the latest threat to plague web users. The term is used to describe malware and virus infections whereby your PC is infected simply by visiting a malicious webpage, without you actually having to click on any links in order to initiate the infection - the malicious site will download infected files [...]]]></description>
			<content:encoded><![CDATA[<p>Drive-by download attacks are the latest threat to plague web users. The term is used to describe malware and virus infections whereby your PC is infected simply by visiting a malicious webpage, without you actually having to click on any links in order to initiate the infection - the malicious site will download infected files to your PC without you even noticing. It is now becoming clear that even legitimate websites can be infected with drive-by download attacks, through an exploit called cross-site scripting, so even if you believe the website you are visiting is unlikely to be harboring viruses, and belongs to a reputable organization, it could still infect your PC. </p>
<p>One of the most prolific cross-site scripting exploits, called JSRedir-R, accounts for nearly half of all infected websites. It works by using hidden JavaScript code that tries to exploit weaknesses in your web browser to infect your PC. Turning off JavaScript in your browser will thwart the attack, but will also mean a great many sites that rely on JavaScript no longer work.</p>
<p>To keep yourself safe, we recommend that you keep your anti-virus software up to date, and upgrade your web browser to Internet Explorer 8, which includes new security features to protect against cross-site scripting exploits. </p>
<p>You can download IE8 here >>>></p>
<p><a href="http://www.microsoft.com/windows/Internet-explorer/worldwide-sites.aspx">Internet Explorer 8</a></p>
<p>You could also install an alternative web browser such as Firefox, which you can download here >>></p>
<p><a href="http://www.mozilla-europe.org/en/firefox/">Firefox Web Browser</a></p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/beware-of-online-drive-by-download-attacks/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Windows 7 RC gets its first bug, and it&#8217;s a corker!!</title>
		<link>http://pcnss.co.uk/windows-7-rc-gets-its-first-bug-and-its-a-corker/</link>
		<comments>http://pcnss.co.uk/windows-7-rc-gets-its-first-bug-and-its-a-corker/#comments</comments>
		<pubDate>Tue, 12 May 2009 16:34:33 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[windows 7]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=418</guid>
		<description><![CDATA[The first documented bug in the Windows 7 Release Candidate (build 7100) is a doozy.
Yesterday, Microsoft published Knowledge Base article 970789, which provides details of a problem that affects the 32-bit (x86) English-language version of Windows 7 build 7100. The problem, in short, is that the installer incorrectly sets access control lists (ACLs) on the [...]]]></description>
			<content:encoded><![CDATA[<p>The first documented bug in the Windows 7 Release Candidate (build 7100) is a doozy.</p>
<p>Yesterday, Microsoft published <a href="http://support.microsoft.com/kb/970789" target="_blank">Knowledge Base article 970789</a>, which provides details of a problem that affects the 32-bit (x86) English-language version of Windows 7 build 7100. The problem, in short, is that the installer incorrectly sets access control lists (ACLs) on the root of the system drive. The longer version is described as follows:</p>
<p>================================</p>
<p>     In the English version of Windows 7 Release Candidate (build 7100) 32-bit Ultimate, the folder that is created as the root folder of the system drive (%SystemDrive%) is missing entries in its security descriptor. One effect of this problem is that standard users such as non-administrators cannot perform all operations to subfolders that are created directly under the root. Therefore, applications that reference folders under the root may not install successfully or may not uninstall successfully. Additionally, operations or applications that reference these folders may fail.</p>
<p>    For example, if a folder is created under the root of the system drive from an elevated command prompt, this folder will not correctly inherit permissions from the root of the drive. Therefore, some specific operations, such as deleting the folder, will fail when they are performed from a non-elevated command prompt. Additionally, the following error message appears when the operation fails:</p>
<p>    Access is denied.</p>
<p>    Furthermore, the missing security descriptor entries protect non-admin file operations directly under the root.</p>
<p>================================</p>
<p>A hotfix is available as an important update that should be delivered and installed automatically by Windows Update, assuming you have set up automatic updates. On one test system that I checked just now, the update had already been installed overnight. On two other systems, the update had been downloaded but was awaiting installation.</p>
<p>The hotfix package fixes the security descriptor of the root of the system drive, but it does not repair applications that are already installed, nor does it affect the permissions of folders that were created after the installation.</p>
<p>If you installed the x64 version of Windows 7, you are apparently unaffected by this issue.</p>
<p>If you haven’t yet installed the Windows 7 RC, it’s important to install this hotfix after you set up Windows and before you install any programs or restore any backed-up data.</p>
<p>This sounds like a pretty serious bug, and I’m surprised that it slipped through into the release candidate.</p>
<p><a href="http://blogs.zdnet.com/Bott/?p=1003&#038;tag=nl.e019" target="_blank"><br />
Original Article From ZDNet</a></p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/windows-7-rc-gets-its-first-bug-and-its-a-corker/feed/</wfw:commentRss>
		</item>
		<item>
		<title>10 Things To Consider When Planning Windows 7 Upgrades</title>
		<link>http://pcnss.co.uk/10-things-to-consider-when-planning-windows-7-upgrades/</link>
		<comments>http://pcnss.co.uk/10-things-to-consider-when-planning-windows-7-upgrades/#comments</comments>
		<pubDate>Sun, 10 May 2009 07:49:56 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[windows 7]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=412</guid>
		<description><![CDATA[By Debra Littlejohn Shinder, MVP (Enterprise Security)
Windows 7 hasn’t even been released yet, but the buzz around it indicates that many individuals are chompin’ at the bit to upgrade as soon as it hits the market.
Despite this enthusiasm, however, much has been made of a recent survey by Dimensional Research. According to the survey, 84% [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Debra Littlejohn Shinder, MVP (Enterprise Security)</strong></p>
<p>Windows 7 hasn’t even been released yet, but the buzz around it indicates that many individuals are chompin’ at the bit to upgrade as soon as it hits the market.</p>
<p>Despite this enthusiasm, however, much has been made of a recent survey by Dimensional Research. According to the survey, 84% of 1,100 IT professionals surveyed said they don’t plan to upgrade to Windows 7 in the next year, 16% do intend to upgrade in the next 12 months, and 42% expect to upgrade within 12 to 24 months. In addition, 43% said the current economic downturn is one of the reasons they will delay upgrading to Windows 7. That would seem to indicate that improvement in the economy over the next year might change the upgrade numbers. It’s also possible that this month’s discontinuation of mainstream support for Windows XP, which most of the companies are currently using on the desktop, may influence some to upgrade more quickly than they might otherwise.</p>
<p>Sooner or later, it’s likely that most home users and businesses will be upgrading from their current operating system to Windows 7. In this article, we’ll address 10 things you should keep in mind when you begin planning an upgrade to Windows 7.</p>
<p><strong>Do I need to buy new hardware?</strong></p>
<p>Many people equate upgrading the operating system to the need to buy a new computer or, at the very least, add RAM and perhaps a bigger hard drive to their present systems. That’s because traditionally, each new version of Windows has needed more disk space and memory than its predecessor.</p>
<p>Will you need to buy new hardware if you want to use Windows 7? That depends. Microsoft’s recommended hardware specifications for Windows 7 Release Candidate include a 1 GHz processor, at least 1 GB of RAM, DirectX 9.0 support, 16 GB of free disk space, and 128 MB of graphics memory (for Aero). Those requirements are pretty much the same as the published system specs for Vista Home Premium/Business/Enterprise/Ultimate (the only difference is that the Vista specs list 15 GB of disk space). Many beta testers report that Windows 7 runs faster on their low-powered machines (512 MB of RAM) than does Vista.</p>
<p><em><strong>Rule of thumb:</strong></em> If your computer is powerful enough to run Vista acceptably, it will probably run Windows 7 as well or better. If you’re currently using XP on a computer with less than 512 MB of RAM or a processor that’s slower than 800 MHz, you’ll need to upgrade your hardware.</p>
<p><strong>Can I upgrade directly from XP?</strong></p>
<p>Many folks who are still running Windows XP want to know whether they can upgrade to Windows 7 without losing all their preferences and settings. The answer is, well, sort of. Microsoft is not providing a direct upgrade path from Windows XP to Windows 7. An in-place upgrade is available only if you’re running Vista SP1 or later. If you’re running XP, even if your hardware is sufficient, you’ll have to do a clean installation of Windows 7. However, you can use the Microsoft Deployment Tool 2010, which includes the User State Migration Tool, to transfer your user settings for the desktop and applications to the new Windows 7 installation.</p>
<p><strong>Can I do a Vista in-place upgrade?</strong></p>
<p>If you’re running Windows Vista, note that you must install SP1 or SP2 before you can do an in-place upgrade to Windows 7. If you try to upgrade a Vista computer that doesn’t have a service pack installed, you&#8217;ll get a message informing you that “to upgrade to Windows 7, the computer needs to be running Vista with Service Pack 1.”</p>
<p><strong>Can I upgrade from Windows 7 beta to final release?</strong></p>
<p>Many people are currently running either the public beta of Windows 7 (build 7000) that was released in January or one of the subsequent builds that has been leaked to various peer-to-peer sites since then. Many of them are wondering whether they’ll be able to do an in-place upgrade to the RC and/or final release.</p>
<p>Microsoft has recommended that beta testers go back to Vista and upgrade from it to the final release, but that’s something many will resist. Another option is to do a clean install, but again, many folks are using Windows 7 now on their mission-critical desktops and notebooks, and they don’t want to have to start all over. In deference to them, Microsoft representatives have said that it will be possible to upgrade from the beta, but it won’t be easy; it will involve a number of steps. The installer will tell you “no” when you attempt to do an upgrade from an earlier build of Windows 7. There&#8217;s a procedure to bypass the version check so you can do the upgrade anyway.</p>
<p>Microsoft asks that you do this only if you “absolutely require” it. It’s likely that you’ll have a much more stable OS if you do a clean installation.</p>
<p><strong>Will there be driver compatibility issues?</strong></p>
<p>A big complaint about Windows Vista was driver incompatibility. Too many people upgraded their OS from XP to Vista only to find that a favorite peripheral, such as a printer or scanner, would no longer work. Vista also introduced a new display driver model, WDDM, which required video card vendors to write completely different display and video miniport drivers. And security enhancements in Vista affected how the OS handles drivers. Even though Vista was in development for five years, many hardware vendors did not have Vista drivers ready for all of their products when the OS was released.</p>
<p>Now that Vista has been out for more than two years, most hardware vendors have updated their drivers to work with it. Because Windows 7 uses the same driver models as Vista, the vast majority of hardware devices that work with Vista will work with Windows 7. For Vista drivers that won’t install on Windows 7, you can usually solve the problem by installing in Compatibility Mode. To do this, right-click the driver’s setup file, select Properties, click the Compatibility tab, enable compatibility mode, and select the appropriate operating system from the drop-down box.</p>
<p><strong>Will there be application compatibility issues?</strong></p>
<p>As with drivers, most applications that run on Windows Vista will run on Windows 7. You may need to enable Compatibility Mode on some applications, as described above. Interestingly, some applications that ran on XP and would not run on Vista will run on Windows 7. Microsoft reported in March that it had identified at least 30 old applications that will run on Windows 7 although they failed to do so on Vista. These are being referred to as “rescued applications.”</p>
<p><strong>What if I have apps that won’t run on Windows 7, even in Compatibility Mode?</strong></p>
<p>There may be some XP applications that you can’t get to run on Windows 7, even using Compatibility Mode. In the past, that might have been considered a reason not to upgrade. However, you may still be able to enjoy all the benefits of Windows 7 without giving up your favorite apps, thanks to a new compatibility feature called XP Mode. XPM is a host-based virtualization solution that will reportedly be made available at no cost to users of Windows 7 Professional, Enterprise, and Ultimate editions.</p>
<p>XPM includes a fully licensed copy of XP that runs in a virtual machine on your Windows 7 computer. This differs from just installing XP on Virtual PC or VMware. The virtualized applications appear like local applications on the Windows 7 desktop because they&#8217;re published to the Win 7 host operating system. With XPM, you will be able to run any XP application on Windows 7.</p>
<p><strong>Should I wait for Windows 7 release to buy a new computer?</strong></p>
<p>Some individual computer users may be wondering if they should wait until Windows 7 is released to buy a new computer, to ensure that the system will work with the new OS. An advantage of waiting is that after Windows 7 is released, you’ll be able to buy a computer that has it preinstalled, so you won’t need to upgrade.</p>
<p>However, if you need a new system now, there is no need to suffer with an outdated, slow, or defective system. A Vista system purchased now will in all likelihood run Windows 7 with no problems. But even though you don’t need to wait until the final release, you might want to wait until June 1 to make your purchase. Buying a Vista system after that date will make you eligible for a free Windows 7 upgrade license. (This applies to Vista Home Premium, Business, or Ultimate editions.)</p>
<p><strong>Which edition of Windows 7 should I choose?</strong></p>
<p>A big complaint about Vista is that there are too many editions to choose from. Windows XP offered only two retail editions: Professional and Home. (XP Media Center edition and Tablet PC edition were available only to OEMs.) But Vista offers a large and sometimes confusing array of options: Home Basic, Home Premium, Business, and Ultimate. (Starter is available only in “emerging markets,” and Enterprise is available only to volume licensing customers.)</p>
<p>Windows 7 will also have both Home Basic and Home Premium editions. The equivalent of Vista Business edition will revert to the Professional moniker. As far as we can tell, Enterprise and Ultimate editions will be the same, except that the former is sold only through volume licensing. There will also be a Starter edition, which will be installed on low-powered netbooks.</p>
<p>A major change is that each successive Windows 7 edition will include all features of the lower cost ones. Many Vista Business and Enterprise users were annoyed that they didn’t get Windows Media Center, DVD Maker, and other consumer-oriented features that came in Vista Home Premium. Since Home Premium couldn&#8217;t join a domain and lacked support for EFS and some other business-oriented features, if you wanted both, you had to buy Ultimate. Windows 7 Pro will include everything that’s in Windows 7 Home Premium, and Enterprise will include everything that’s in Business edition. Companies will be able to easily block the consumer features when they deploy Pro (or Enterprise) on their networks.</p>
<p>Most people will find that either Home Premium or Pro will fit their needs. If you need BitLocker or the ability to boot from a VHD, you’ll want Enterprise or Ultimate.</p>
<p><strong>What are the main reasons to upgrade to Windows 7?</strong></p>
<p>Why upgrade to Windows 7 rather than stay with Windows XP or Vista? If you’re still running XP, an important consideration is the fact that Microsoft ended mainstream support for XP on April 14. Although critical security updates will still be provided at no cost until 2014, additional support is provided only to customers who pay for a support contract with Microsoft.</p>
<p>Windows 7 also provides the improved graphical user interface (Aero) you get with Vista. Search is improved, and consumers with children will appreciate the parental controls feature. The most important reason to upgrade from XP is security; both Vista and Windows 7 provide much better security.</p>
<p>If you’re using Vista, some of the new features and functionality you’ll get with Windows 7 include a more streamlined GUI with a more functional taskbar that features Jump Lists; new and more sophisticated versions of Paint, WordPad, and Calculator; easier windows management with snap-to docking; elimination of the sidebar (while maintaining support for gadgets); and new built-in troubleshooting tools. While Windows 7 still focuses on security, User Account Control (UAC) is far less in your face and more user-configurable than in Vista. Windows 7 also has built-in support for touch (if you have a touchscreen monitor). Keyboard fans will find a number of new keyboard shortcuts to help them avoid use of the mouse in many situations.</p>
<p>For administrators, Windows 7 offers new tools such as PowerShell v2, improved Group Policy, and VHD image management and deployment.</p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/10-things-to-consider-when-planning-windows-7-upgrades/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Internet Explorer + Google Chrome = security problem</title>
		<link>http://pcnss.co.uk/internet-explorer-google-chrome-security-problem/</link>
		<comments>http://pcnss.co.uk/internet-explorer-google-chrome-security-problem/#comments</comments>
		<pubDate>Tue, 28 Apr 2009 15:31:59 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=409</guid>
		<description><![CDATA[Security problems surrounding protocol handling and Web browsers have surfaced again — this time with Google Chrome and Microsoft’s Internet Explorer.
According to an advisory from the Google Chrome team, there’s an error in handling URLs with the chromehtml: protocol that could allow an attacker to run scripts of his choosing on any page [...]]]></description>
			<content:encoded><![CDATA[<p>Security problems surrounding <a href="http://blogs.zdnet.com/security/?p=362" target="_blank">protocol handling and Web browsers</a> have surfaced again — this time with Google Chrome and Microsoft’s Internet Explorer.</p>
<p>According to an advisory from the Google Chrome team, there’s an error in handling URLs with the <em>chromehtml:</em> protocol that could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.</p>
<p><strong>[ SEE: <a title="Permanent Link to UPDATED: Command injection flaw found in IE: Or is it Firefox?" rel="bookmark" href="http://blogs.zdnet.com/security/?p=362" target="_blank">Command injection flaw found in IE: Or is it Firefox?</a> ]</strong></p>
<p>The <a href="http://googlechromereleases.blogspot.com/2009/04/stable-update-security-fix.html" target="_blank">skinny</a>:</p>
<ul>
<li><em>If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker’s choice.</em></li>
</ul>
<p>The “high severity” vulnerability affects Google Chrome versions 1.0.154.55 and earlier.</p>
<p>It can be exploited by malicious hackers to launch universal cross-site scripting (UXSS) attacks without user interaction under certain conditions.</p>
<p><strong>[ SEE: <a href="http://blogs.zdnet.com/security/?p=396" target="_blank">Mozilla caught napping on URL protocol handling flaw</a> ] </strong></p>
<p>IBM’s Roi Saltzman, the researcher credited with finding and reporting the issue to Google, has released an <a href="http://blog.watchfire.com/files/google-chrome-advisory.doc" target="_blank">advisory</a> (Word .doc) to explain the attack vectors and impact.</p>
<p>He warns that the flaw opens the door to two major attack vectors:</p>
<ul>
<li> Bypass the Same Origin Policy restrictions for any site (this has the same impact as Universal XSS)</li>
<li> Enumerate victim’s local files and directories</li>
</ul>
<p>“It is important to note that the way Internet Explorer processes URL protocol handlers is a known Achilles’ heel and has been widely used previously to attack other various applications,” Saltzman said.  Proof-of-concept code for this issue is <a href="http://blog.watchfire.com/wfblog/2009/04/google-chrome-universal-xss-vulnerability-.html" target="_blank">publicly available</a>.</p>
<p>Microsoft maintains the problems are not related to vulnerabilities in its code.</p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/internet-explorer-google-chrome-security-problem/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
