I may need to look into this for home use again. The USB key was the reason I stopped using it at home since it was nearly impossible to find a consumer level device without a TPM and I got tired of the USB requirement for 7. Of course it has been a few years since I bought a laptop.

I have used both TrueCrypt and BitLocker and like them both, but to be completely honest, BitLocker is the better option for a business with several computers because of the recoverability. I hated having to know our employee's TrueCrypt passwords so I could work on their systems.

Also, I may be one of the few who actually likes Windows 8-8.1.1 (*gasp*) so this would not be an issue for me.

Correct. But there is a downside. In order to use BitLocker without one, you will require using a USB drive for unlocking the system. A big security risk with using that method in a company environment would be how many simply leave the key in the computer. That would be like leaving the key to your house in the keyhole on the outside of your house. If you have to go that route, you can also add a password with the USB drive to unlock.

Source: Experience

If I were a musician with a large following such as say Metallica (just an example). I would just look to google and say goodbye. Why should I be forced to something in another service just because I use YouTube for the music videos? Especially when anyone can currently upload to YouTube for free. I would then pull all my videos and music from the play store, YouTube, etc... and then start a campaign against this sort of thing with my cult fan-base. Considering some of the stores then revoke the music from those with subscriptions to Google Play and/or do not allow re-download if you forget to back up your local DRM (Had this happen with a couple of services) even though you paid for the service, who would be the one to suffer long term? I bet at that point, you would see a bunch of people leaving or using a service less and less.

Just my opinion anyway. Take it for what it is worth.

Think about what their thought process might mean for some Android devices:

Before we establish your call, you must watch a 30 second Ad. Only after the first 10 seconds will you be able to skip. You can skip every 20 Ads.

Just look what happened to YouTube.

If they started playing audio for the ads, I would be pissed. That would be worse in my opinion that the stupid drive by audio bombing advertisements that seem to pop up randomly on sites. At least chrome tells you which tab it is. This is also why I turn flash off unless I know an activity I am doing requires it. Which in most cases is very little.

For the most part that was restricted or disabled since the XP days (after one of the updates. Cannot remember which). You reminded me of the old school spam I used to get...

And the previous comment that this was in reply to is now gone....

So you can be the one responsible to fix other vendor's software and web sites when they fail to run on other browsers. Have fun with that. Not everyone can switch and still function. It may not be the fault of the company using IE. Also, you have to look at organizations like Hospitals that are under regulations that may make it impossible or expensive to recertify equipment. A good example is the FDA regulating product certification systems. Changing out a system design can cost tens or hundreds of thousands of dollars to recertify a design.

I have my fun with Linux and use it in various ways, but it isn't always the easiest thing to just swap out in a workstation setting. You apparently have very limited knowledge of the various industries and exist in a world where your way is the only correct way. You can go have fun with your copy of Linux, but don't assume it fixes everyone's issue without understanding what they do. If they can switch and still function, great. For purely desktop/laptop environments, Microsoft still has ~90% market share.

I saw it show up on my WSUS server today for XP on up.

This response was supposed to be a general "what should I do" not "what can I do" type of question. I used the browser topic as a sample, but yes they have released the patch. If a vulnerability was published today, you cannot just assume tomorrow they will have a patch ready to ship and hence why the question was asked how to handle a situation of such.

It depends on the size of the shop and the IT staff. As a one man IT shop, I would be the one creating, testing, and implementing. Not saying everyone is bad at that, but I happen to know my scripts and GPO objects. In the workaround, they clearly gave instructions for running the fix at a command line. That part would not be difficult to do and if it were serious enough for a large organization, they would most likely already have a rapid test process in place for a vulnerability like this. You would still have to educate the users on a new browser should you push one out, but at least you can reduce the time needed for IT to go to every computer and manually install the software. You wouldn't have to instantly switch it to default.

As for the GPOs to manage the other browsers, it depends on how they store files. But to prove you wrong on Chrome not having them, here: https://support.google.com/chr...

EMET should have been a 3rd option, but I wouldn't recommend every shop immediately go out there and implement it without understanding it. There are many complicated things that it helps mitigate and improperly implemented could cause more headaches to the help desk. That being said, I have started to research it for other reasons so I won't knock it being a worthwhile investment.

Also, you better hope you are on the latest version of EMET, because 4.1 has been bypassed and it is only a matter of time for newer versions: http://bromiumlabs.files.wordp...

Now go back into your hole since you are too afraid to stand behind anything other than AC for your post name.

In the case of the browser, there are a couple of things I would have done:

1) IT should have selected a viable alternative. Whether it is Chrome, FireFox, etc... IT should be deciding on one to use. You are right in not wanting to bog down the help desk with these calls. By selecting one you can send a message out to your users stating that to improve security, reliability, and performance of your system, we will begin rolling out a new web browser for everyone to use. Be sure to include time for a quick training session. There are various methods for pushing software out behind the scenes as well to install it without bothering many of the workers.

2) Used something like Group Policy to push out the workaround and disable the DLL in question. This could have easily been done using a login script or GPO. Then you could sit tight waiting on a patch for your existing browser. You may still want to remind everyone to be on the lookout for anything suspicious and report it should something happen.

The sad fact is that nothing is bulletproof. It could just as easily be Chrome or Safari next week. Don't forget Safari had a nasty SSL flaw not too long ago too. You are right in not wanting to scare your users, but that is where I say you need to put effort into education on the basics of security. Let them know you have their back. And above all, be creative.

I would recommend the use of either Windows Software Update Services (WSUS) or in combination with System Center Configuration Manager (SCCM). WSUS allows you to approve/unapprove all the updates you want to allow in your network. You can group specific computers to a specific set of approved updates if you would like. You can also use SCCM to manage the change control, what was approved, and what was installed. SCCM can also be used to deploy updates in certain circumstances.

Of both of the options, WSUS is free and can be installed on Windows 2k3 or newer. SCCM is now licensed through the System Center package which may or may not be worth looking into if you want to look at the other built in components to it.

I completely agree. I should also mention there have been XP updates in the past (though not like a full service pack) that required you to run before any other update would show up. But alas, nobody probably remember the updates to Windows Update that did this.

The point Microsoft is making here is that 8.1 is going to be supported, but it requires this one update for any future updates. This is probably due to many of the new features and changes to the UI they have implemented. They also probably could have worded it better.

That being said, they need to fix the current issues with their patch first. Namely the TLS issue because if you do not have 2K8 R2 or higher for a WSUS server then you have to turn off SSL because lower versions cannot support TLS 1.2.

Probably not entirely true right now because most of their development has not touched the SDKs for these platforms. It is still a work in progress and their new Unified App framework will most likely make your desire a reality. The fact that they went from Windows CE during the Windows Phone 7.X and earlier days to an NT kernel for 8 shows this progress in the phone space for Microsoft. It also helps that they are migrating from XAP apps to Appx. The new Xbox One uses something based off Windows 8 components (At least kernel, not sure of anything else). Even the Windows for ARM called RT (Big fan of mine by the way for all the haters out there).

They are getting there, but it is not an overnight accomplishment. That would be like saying tomorrow PS3 games will work without recompiling on an Xbox. They have to update headers and references to SDKs they are using to make it work on another platform. This is where Microsoft is really wanting to head with the Unified Apps. They want to have their framework on everything so you do not have to recode. Even better that they are open sourcing good portions of the .NET framework. That would potentially mean that even Android/Linux could use the same app in some ways.

Just saw that. This will be interesting to see. I hope it means only the framework and not 3rd party libraries because that could make licensing or detecting 3rd party libraries interesting. I know I would want my library to still be separate unless I give you the code.