Confirmed: Microsoft to cut the cost of Windows 8.1 for low-end devices

A few days back, it was stated that Microsoft would be slashing the price of Windows 8.1 for low end devices by up to 70%. The cut will lower the price of $50 per device to $15 for devices under $250 which will be a noticeable improvement for vendors and consumers, according to the previous report, and it appears that the information is accurate.

While Microsoft did not come forward and say “We slashed prices by 70%” the company’s Joe Belfiore posted up on the Windows blog that “We’ll enable our partners to build lower cost hardware for a great Windows experience at highly competitive price points.” This clearly aligns to the previous report of the prices being cut on lower-end devices.

The cut in price will help to accomplish several goals. First, it will help OEMs shave more dollars off their products and that will help them to lower the price of consumer products. Second, it should help to move more Windows 8.1 licenses, and while it will help Microsoft’s bottom line, albeit to a lesser degree, it should help Microsoft gain more market share with it’s latest version of Windows. Finally, it will help Microsoft compete against ChromeOS products that are pushing hard on the floor to lower prices for entry-level products.

As the competition for What about Windows RT? next generation devices continues to heat up, especially in the tablet space, this price cut will go a long way to help assert Microsoft’s presence in this space. Microsoft has recently shown that low cost Windows Phone devices are critical to helping the platform grow and this cost cutting move could be a move by the company to extend that trend to Windows products.  

Another interesting perspective comes up too with the lower price point. If Microsoft is selling proper Windows 8.1 to OEMs at $15 a license for low-end devices, what does this do for Windows RT? Think about it, from a vendor’s perspective, if RT and 8.1 licenses are close in price, unless ARM chips are considerably less expensive than Intel silicon, the value for OEMs is not there. More so, it is easier for OEMs to market devices running Windows 8.1 as they don’t have to educate the consumer on the differences between Windows RT 8.1 and Windows 8.1

Source: Microsoft

Report a problem with article
Previous Story

Nokia Lumia 630 press shot leaked as launch nears

Next Story

Microsoft confirms Facebook Messenger app coming to Windows Phone

46 Comments

Commenting is disabled on this article.

Further confirmation that Windows-8 was designed strictly for the touch-centric devices; which tend to be on the lower end of the PC pricing continuum. As for laptops and desktops using a mouse and keyboard...Windows-9 (when released)??

Great, here comes a flood of crappy laptops... This will just put a big divide between the low end and midrange...

I don't think there's any thought of a Starter version any more. From the Spring Update confirmation article:

Hardware requirements for Windows 8.1 have also been lowered in the update to make way for cheaper devices, Windows 8.1 will be able to be installed on devices with just 1GB of RAM and 16GB of storage; coupled with the recent news on slashing pricing for OEMs by 70% will go a long way to make this possible as Microsoft positions itself to better accommodate devices in the low end market.
The should continue down this optimization road; benefits everyone and I love it!

To the point of RT's value: it comes with Office and is very malware-resistant. I'm not saying that Bay Trail isn't a better way to go for a low end device -- I love my Dell Venue 8. If it had a kickstand, it would be perfect!

RT and WP will become one and I expect we'll see it on everything from <4" up to 8" mini tablets, maybe a few 10" as well. Full Windows will run on anything from 8" and up of course.

My sense is that the long-game is to deprecate "full" Windows for regular users, relegate Desktop Windows to power users/server only, and make RT the standard Windows that everyone uses day to day.

George P said,
RT and WP will become one and I expect we'll see it on everything from <4" up to 8" mini tablets, maybe a few 10" as well. Full Windows will run on anything from 8" and up of course.

If MS will release a 8" Surface with 8 Pro and Wacom digitizer I will buy it right away.

LambdaLambdaLambdaFn said,
My sense is that the long-game is to deprecate "full" Windows for regular users, relegate Desktop Windows to power users/server only, and make RT the standard Windows that everyone uses day to day.

exactly.
win32 will still live 10 to 20 years for enterprise users and servers.

but most small business users and home users will run a Windows RT-like OS in the short term (5years).

LambdaLambdaLambdaFn said,
My sense is that the long-game is to deprecate "full" Windows for regular users, relegate Desktop Windows to power users/server only, and make RT the standard Windows that everyone uses day to day.

I agree in the end consumers are trending more and more to low cost tablets for their daily web surfing and email/social interactions. The need for a full desktop system for them is less and less, once MS can merge phone and RT and have one store with the ability to run the same apps that also sync between each other then we're talking.

The desktop will still be here but for work/productivity use and hardcore gaming a bit as well. The store needs to grow with better tablet apps but I expect it will as the market grows.

George P said,

I agree in the end consumers are trending more and more to low cost tablets for their daily web surfing and email/social interactions. The need for a full desktop system for them is less and less, once MS can merge phone and RT and have one store with the ability to run the same apps that also sync between each other then we're talking.

The desktop will still be here but for work/productivity use and hardcore gaming a bit as well. The store needs to grow with better tablet apps but I expect it will as the market grows.

even hardcore gamers won't need the desktop and win32 forever.

at some point every game should be released as WinRT app.

even productivity apps like photoshop will run on WinRT (but there will be a desktop for winRT apps)

RT is dead and slow and steadily it is going to be phased out by MS. RT has been completely rejected by consumers and I don't see any other manufactures on RT bandwagon. MS this move of cutting the price is clear indication of MS struggling on windows platform and for this demise no one else but MS himself is to be blamed.

There is still hope for MS by kicking out everyone related to failed win 8 project from Sinofsky to Ballmer. Let's hope Nadella has some sense left and undo this crap of Win 8 created by disillusioned previous MS management.

Auditor said,
RT is dead and slow and steadily it is going to be phased out by MS. RT has been completely rejected by consumers and I don't see any other manufactures on RT bandwagon. MS this move of cutting the price is clear indication of MS struggling on windows platform and for this demise no one else but MS himself is to be blamed.

There is still hope for MS by kicking out everyone related to failed win 8 project from Sinofsky to Ballmer. Let's hope Nadella has some sense left and undo this crap of Win 8 created by disillusioned previous MS management.


windows 8 has fared better than vista did (in terms of licenses sold) and microsoft jumped back higher with windows 7.
this isn't the "demise" of windows at all. it's just a hurdle that ms will have to get through. however, on the other hand, windows 8 has laid the groundwork for the future of microsoft's mobile platform and I'm sure it can only get better from here on out.

if they hadn't built windows 8, ms wouldn't be making inroads at all in the tablet marketshare. could it have been executed better? sure, but I think windows 8 was a necessity.

Auditor said,
RT is dead and slow and steadily it is going to be phased out by MS. RT has been completely rejected by consumers and I don't see any other manufactures on RT bandwagon. MS this move of cutting the price is clear indication of MS struggling on windows platform and for this demise no one else but MS himself is to be blamed.

RT is being merged with WP. The longer the process goes, the more it seems like MS had planned to merge them from the beginning and it makes sense. Merging RT and WP will mean a single OS that handles both tablets and smartphones. WP will gain some features of RT and RT will gain some of WP.

In the end, that merged os will be stronger thanks to both and should help MS really push forward in the tablet space.

Auditor said,
RT is dead and slow and steadily it is going to be phased out by MS. RT has been completely rejected by consumers and I don't see any other manufactures on RT bandwagon. MS this move of cutting the price is clear indication of MS struggling on windows platform and for this demise no one else but MS himself is to be blamed.

There is still hope for MS by kicking out everyone related to failed win 8 project from Sinofsky to Ballmer. Let's hope Nadella has some sense left and undo this crap of Win 8 created by disillusioned previous MS management.

People are so short sited about RT. As a consumption OS it's amazing. Honestly, most users don't need anything more than what it offers. For their price points it's very valuable.

That doesn't make any more sense than saying iOS will be phased out in favor of OS X. They're two different beasts that serve different functions.

Auditor said,
RT is dead and slow and steadily it is going to be phased out by MS. RT has been completely rejected by consumers and I don't see any other manufactures on RT bandwagon. MS this move of cutting the price is clear indication of MS struggling on windows platform and for this demise no one else but MS himself is to be blamed.

Windows RT (or whatever it will be called when it merges with Windows Phone) is not dead, it's the future of Windows.

Microsoft wants people to migrate from Windows x86 to Windows RT within a few years to eliminate malwares from the average user's PC.

people haven't rejected Windows RT. They just don't understand what it is, and Microsoft can't do proper marketing to explain the benefits of Windows RT when it comes to security because of the risk of destroying the Windows (x86) reputation.
but those who have adopted Windows RT find it more powerful than iOS/android.

at some point, laptops aimed at general public will run a run a Windows RT-like OS, even on x86 hardware, because Microsoft wants to phase out win32/unsandboxed app support in non-professional environments.


people who say that Windows RT is dead have definitely no clue about microsoft's strategy in the long term.


If Microsoft is selling proper Windows 8.1 to OEMs at $15 a license for low-end devices, what does this do for Windows RT?

I wish Microsoft could communicate freely about the security benefits of using Windows RT instead of Windows x86/x64.

unfortunately, competitors would seize this opportunity to say "Microsoft has recognized that windows in not secure" (even though Linux and osx are as vulnerable to malwares as Windows).

I also hope OEMs or MS will release sub $300 laptops running Windows RT.

power users will continue to prefer Windows 8 (x86/x64), but for average users who just need a browser with Flash Player and Office, laptops running WindowsRT would be a better choice, as this OS is idiot-proof (no risk of getting toolbars/adware after installing a free screensaver that an advertisement proposed you to download, since WindowsRT won't let apps do nasty things outside their sandbox).

even chromeOS isn't as secure and idiot proof, because it still allows the user to install potentially malicious extensions injecting ads or stealing passwords.

definitely, if Microsoft wants to beat ChromeOS on the security ground, it needs to push Windows RT.

link8506 said,
I wish Microsoft could communicate freely about the security benefits of using Windows RT instead of Windows x86/x64.
Their value message is going to be muted by the lack of applications no matter what that message is. That's changing quickly. RT's value is only really recognized when the user can feel as if the next app that's released will be available to them in a reasonable period of time.

Don't get me wrong. I love my RT device. But it's real value is only realized through a vast app store for many.

MrHumpty said,
Their value message is going to be muted by the lack of applications no matter what that message is. That's changing quickly. RT's value is only really recognized when the user can feel as if the next app that's released will be available to them in a reasonable period of time.

Don't get me wrong. I love my RT device. But it's real value is only realized through a vast app store for many.


half of the people around me never install apps on their phone or tablets.

even I have less than 4 apps installed on my phone, and 0 third party apps on my Surface.

everything I need is built-in: IE with Flash, Office, printer support, skype, bing news. I play games only on my xbox, and I don't need fancy apps.

don't forget that if people need apps on device like the iPad in the first place, it's because popular video streaming services can't on iOS/Safari work without Flash.

If Windows RT didn't have flash player, I would need to download apps for each multimedia service I want to use (music, video on demand, ...)

But I don't need to, because every websites work just as they do on the desktop.

I don't think Windows RT needs more apps to be more successful. It just need a better name and lot of marketing.

look at chrome OS. How many apps does chrome OS have? Yet some analysts say it's selling well, despite having no apps and less features than Windows RT.

link8506 said,

I wish Microsoft could communicate freely about the security benefits of using Windows RT instead of Windows x86/x64.
unfortunately, competitors would seize this opportunity to say "Microsoft has recognized that windows in not secure"

That's what's called a own goal. RT has no security benefits over the competition, only over Microsoft's other Windows product.

link8506 said,

(even though Linux and osx are as vulnerable to malwares as Windows).

That's manifestly fallacious. Windows has ten's of millions of malware, rootkits, viruses, and other nasties written for it, GNU/Linux has virtually none, and certainly none that are active. OSX has very few as well, and none active that I know about.

Now it's true that any OS can potentially be infected with malware - no one can deny that, but the difficulty is spreading it. Most software on Linux is installed through peer reviewed open source repositories, so it's very very unlikely anything will get through there. I couldn't speak for OS X, but Apple's store probably has a similar effect.

I've seen malware more times on Windows PC's than dare to count, and often not just one, but multiple. That includes, Windows 8, 7, Vista, and XP. Some of that stuff is so hard to find and remove that most people don't even know it's on their system; even with security software installed. So when you hear people bragging that their Windows machine has never had malware, take what they say with a grain of salt. They might not even know they do; that applies to power users and techies too.

link8506 said,

I also hope OEMs or MS will release sub $300 laptops running Windows RT.

That would be a wise decision. Currently, Windows laptops are expensive.

link8506 said,

but for average users who just need a browser with Flash Player and Office, laptops running WindowsRT would be a better choice

That's really no different to ChromeOS. Why pay for a licence at all?

link8506 said,

even chromeOS isn't as secure and idiot proof, because it still allows the user to install potentially malicious extensions injecting ads or stealing passwords.

I've seen Win32 x86 code running on RT, so it's not impossible for current malware to shift to it. At the moment RT's marketshare is so small it has security through obscurity.

link8506 said,

definitely, if Microsoft wants to beat ChromeOS on the security ground, it needs to push Windows RT.

The only problem with running RT on laptops is, it would confuse the heck out of consumers even more than RT on tablets.

simplezz said,

That's manifestly fallacious. Windows has ten's of millions of malware, rootkits, viruses, and other nasties written for it, GNU/Linux has virtually none, and certainly none that are active. OSX has very few as well, and none active that I know about.

He said that OS X and Linux are as vulnerable to malware as Windows, not that they were as exploited as Windows. They absolutely are just as vulnerable, just not as frequently exploited.

Take a look at any bug tracker for open source software. The list of exploitable vulnerabilities found daily is terrifying.

simplezz said,

That's what's called a own goal. RT has no security benefits over the competition, only over Microsoft's other Windows product.

that's wrong.

on Windows RT, users can't install unsandboxed apps.
malwares developers can't write malwares targeting a fully patched Windows RT.

however, any developer can write malicious software targeting fully patched OSX, Linux, Windows x86 operating systems and even ChromeOS through malicious extensions.


That's manifestly fallacious. Windows has ten's of millions of malware, rootkits, viruses, and other nasties written for it, GNU/Linux has virtually none, and certainly none that are active. OSX has very few as well, and none active that I know about.

you clearly have no security background.

the number of malware targeting a platform has no relation to the platform security level. For example, Windows Mobile 6.5 had no malwares for years, yet it's far less secure than android.

and yes, there are LOTS of malwares infecting Linux. Most of the time it is malwares targeting servers, but recently, malwares developers have been targeting desktop Linux users through browser/plugin flaws with drive-by exploits (usually flash/java flaws, but Firefox flaws can lead to such exploits too)

http://arstechnica.com/securit...-windows-mac-linux-devices/

Another example: on OSX there are much more malwares today than 8years ago when OSX was much less secure but less popular.


Now it's true that any OS can potentially be infected with malware - no one can deny that, but the difficulty is spreading it.

actually it's wrong. Sandboxed OSes such as Windows RT, WP, iOS are not vulnerable to malwares.
(I'm not talking about 0day exploits, that's another matter)


Most software on Linux is installed through peer reviewed open source repositories, so it's very very unlikely anything will get through there. I couldn't speak for OS X, but Apple's store probably has a similar effect.

as long as an OS allows the average user to install things coming from unknown source the user is likely to be infected.

software repositories won't prevent the user from being infected by pirated software (often the source of malwares) or downloads from the internet.


I've seen malware more times on Windows PC's than dare to count, and often not just one, but multiple. That includes, Windows 8, 7, Vista, and XP. Some of that stuff is so hard to find and remove that most people don't even know it's on their system; even with security software installed. So when you hear people bragging that their Windows machine has never had malware, take what they say with a grain of salt. They might not even know they do; that applies to power users and techies too.

that's why it's time to migrate to a sandboxed platform like Windows RT that doesn't allow users to infect themselves with adware and malwares.

linux/osx offer no protection against these threats.
if they had 90% of market share, then you would think that windows is more secure than these platforms because malware writers would almost always target Linux or osx, and almost never windows.



That would be a wise decision. Currently, Windows laptops are expensive.

not really, you can find <$300 windows laptops.

but no Windows RT laptop is available yet.


That's really no different to ChromeOS. Why pay for a licence at all?

chrome OS has no apps, no Office, and can't even print to a local printer without sending everything to google cloud print servers.

there are LOTS of reason to want to pay $15 more to get Windows RT instead of ChromeOS.


I've seen Win32 x86 code running on RT, so it's not impossible for current malware to shift to it. At the moment RT's marketshare is so small it has security through obscurity.

???
windows RT on ARM can't run x86.

maybe you're talking about jailbreaked Windows RT with x86 emulator.

Edited by link8506, Feb 23 2014, 6:32pm :

link8506 said,

Windows RT, users can't install unsandboxed apps.
malwares developers can't write malwares targeting a fully patched Windows RT.

If apps can access things like contact lists, internet, etc, they are potentially malware. The same applies to Windows Phone. If something can access sms, phone dialing etc, it can be abused.

To claim a sandboxed app can't act as malware is ludicrous and shows your nativity:
http://nakedsecurity.sophos.co...13/windows-phone-8-malware/

If something can be sideloaded, it can be malware.

link8506 said,

however, any developer can write malicious software targeting fully patched OSX, Linux, Windows x86 operating systems and even ChromeOS through malicious extensions.

And the same for RT. Getting in onto the stores is another matter.

link8506 said,

the number of malware targeting a platform has no relation to the platform security level.

The fact that so much malware targets and infects Windows PC's is indicative of how insecure it is for users doing serious or private things such as banking, let alone businesses and the potential financial impact of malware infections.
http://www.techwatch.co.uk/2010/04/27/nhs-hit-by-malware/

link8506 said,

and yes, there are LOTS of malwares infecting Linux.
http://arstechnica.com/securit...s-windows-mac-linux-devices

Let's take a look at that link shall we:

Researchers have uncovered a piece of botnet malware that is capable of infecting computers running Windows, Mac OS X, and Linux that have Oracle's Java software framework installed.

Capable is not the same thing as actively infecting machines. There has been malware written in the past for Linux, but none were successful.

You see the variety of Linux makes it very hard to pin down. Different distros, different core software, different kernel versions, different system paths, directory structures, and different repositories. Users have to manually install Java. And whenever they update their system everything gets updated at the same time, including Java. That's right, the Java malware your article talks about relies on a unpatched critical vulnerability:


takes hold of computers by exploiting CVE-2013-2465, a critical Java vulnerability that Oracle patched in June.

That's right, Windows update only updates itself, not third party applications, so lots of software on Windows is full of exploits and vulnerabilities. That's the difference with GNU/Linux.

link8506 said,

Most of the time it is malwares targeting servers

The only attacks I've seen involve SQL injection or buffer overflows, not actual malware running on the servers.

link8506 said,

but recently, malwares developers have been targeting desktop Linux users through browser/plugin flaws with drive-by exploits (usually flash/java flaws, but Firefox flaws can lead to such exploits too)

I'd like to see you provide evidence of a single drive-by attack on Linux users. The drive-by malware I've ever seen or heard of was on Windows, and mostly related to IE and ActiveX.

link8506 said,

Another example: on OSX there are much more malwares today than 8years ago when OSX was much less secure but less popular.

I haven't heard of anything recently. However, Windows malware reports are almost a daily occurrence. In fact most people don't even report on them any more because there's so many of them.

link8506 said,

actually it's wrong. Sandboxed OSes such as Windows RT, WP, iOS are not vulnerable to malwares.
(I'm not talking about 0day exploits, that's another matter)

Yes they are vulnerable. iOS has had them, and I posted a link to an article about Windows Phone 8 malware above. You clearly don't understand how malware works. Even the Kinect has malware.


software repositories won't prevent the user from being infected by pirated software (often the source of malwares) or downloads from the internet.

The reason people pirate software is because it costs money. In the FOSS world, all the software is Free and Open Source. There's no reason to pirate.

I've already told you, Linux users get their software from peer reviewed repositories, not randomly downloading from the internet like Windows.


chrome OS has no apps, no Office, and can't even print to a local printer without sending everything to google cloud print servers.

1. https://chrome.google.com/webstore/category/apps
2. https://chrome.google.com/webs.../app/69-office-applications
3. Cloud printing works great. Get a cloud enabled printer and you're good to go.


there are LOTS of reason to want to pay $15 more to get Windows RT instead of ChromeOS.

I don't see any. In fact Metro alone is reason enough to avoid it.

rfirth said,

He said that OS X and Linux are as vulnerable to malware as Windows, not that they were as exploited as Windows. They absolutely are just as vulnerable, just not as frequently exploited.

The reason they aren't exploited is due to user behaviour and difficulty with which malware targeting Linux would have. Linux users get their software from peer reviewed repositories, not randomly downloading off the internet like Windows.

And an OS and users are much more vulnerable if there are millions of pieces of malware floating around, as in the case of Windows. One only has to look at the number of infections, it's in the hundreds of millions. I've yet to see a single successful and widespread Linux malware. Until that happens, I'll never agree that Linux is just as vulnerable as Windows as you put it. You can play semantics all you want, but the reality is, Windows PC's everywhere are infested with malware, and Linux machines are not.

rfirth said,

Take a look at any bug tracker for open source software. The list of exploitable vulnerabilities found daily is terrifying.

Bug trackers aren't just vulnerabilities. Most of them are innocuous. The fact that so many eyeballs are looking at them means more are discovered and fixed. But I suppose you'd prefer proprietary software were vulnerabilities go unnoticed and unpatched for years at a time; all the while software in the wild is exploiting them.

simplezz said,
The reason they aren't exploited is due to user behaviour and difficulty with which malware targeting Linux would have. Linux users get their software from peer reviewed repositories, not randomly downloading off the internet like Windows.

Some of us Linux users do get software outside of their repositories, either due to the repository being outdated or just not having whatever particular program. Simple matter to con someone into adding a repository to their system that contains malware.. "Add this PPA for the Linux version of ____!" and done, infected. "Linux users" is also a gross generalization, it's like saying "every Windows user" is the victim of malware, when that's certainly not the case. As far as difficulty goes, it's no more difficult than any other OS. If I can trick you into doing something, doesn't matter what OS you're on, you're boned. Add this PPA, run this script, double click this .deb. Zero day in whatever browser that's looking for *Nix users. Done, dead. Stupid people are stupid regardless.

simplezz said,
And an OS and users are much more vulnerable if there are millions of pieces of malware floating around, as in the case of Windows. One only has to look at the number of infections, it's in the hundreds of millions. I've yet to see a single successful and widespread Linux malware. Until that happens, I'll never agree that Linux is just as vulnerable as Windows as you put it. You can play semantics all you want, but the reality is, Windows PC's everywhere are infested with malware, and Linux machines are not.

Only due to marketshare. On the desktop end, it's primarily money motivated, be it ads, ransomware or whatever. Who's going to focus on the near-nothing percentage? On the server end, not so much, those get nailed all the time. Even Linux HQ got knocked offline for a few weeks due to a rootkit. That aside, just look at Android, which is also running Linux. Big userbase, big malware issue. If SteamOS takes off, you'll probably see more Linux based malware show up too, it's only a matter of time until the bad guys notice.

simplezz said,
The fact that so many eyeballs are looking at them means more are discovered and fixed. But I suppose you'd prefer proprietary software were vulnerabilities go unnoticed and unpatched for years at a time; all the while software in the wild is exploiting them.

That's assuming there's "many eyeballs" actually looking at the code. Some significant bugs have gone undiscovered for years in Linux too.

simplezz said,

If apps can access things like contact lists, internet, etc, they are potentially malware. The same applies to Windows Phone. If something can access sms, phone dialing etc, it can be abused.

that's why on a sandboxed environment like WP, Microsoft doesn't offer 3rd party apps capabilities such as SMS access, web browser extensions, ...

same on Windows RT.

so far, 0 documented malware on WP/WindowsRT. Compare that to android, or even chromeOS (vulnerable to malicious extensions)


To claim a sandboxed app can't act as malware is ludicrous and shows your nativity:
http://nakedsecurity.sophos.co...13/windows-phone-8-malware/

did you at least read this article?

it's very old, an there is no information about this thing on google.
all the articles about it say that it was supposed to be presented in november 2012, then nothing.

all we know is that this guy pretend he was able to bypass the contact and picture file picker to access photos and contacts without user approval (no full system or data access, just the photos and contacts)

something that thousands of malwares actively do on android.

even if this guy has really discovered a flaw, he said he was going to report it to MS, so it's real, it's already fixed since 2012.

fact is, even is there can be 0day flaws on sandbox isolation, this kind of flaw is unusual, and has never been used on WP, WindowsRT or iOS.

On android however if is happening quite frequently (rootkits exploiting the android <2.2.2 root elevation flaw were common)

and I guess you didn't hear about this:
http://arstechnica.com/securit...majority-of-android-phones/


If something can be sideloaded, it can be malware.

that's wrong.
sideloaded apps, as long as they are sandboxed, won't be able to attack the system without relying on a 0day flaw, which is much more difficult to achieve than writing a malware for a desktop Linux or osx/windows x86 because this doesn't require any flaw exploitation.


The fact that so much malware targets and infects Windows PC's is indicative of how insecure it is for users doing serious or private things such as banking, let alone businesses and the potential financial impact of malware infections.
http://www.techwatch.co.uk/2010/04/27/nhs-hit-by-malware/

OSX and desktop Linux distros are not safer than Windows x86.
http://venturebeat.com/2013/02...ers-that-breached-facebook/

remember that at each security contest, osx was owned through Safari 0day flaws.
http://www.zdnet.com/blog/secu...ler-hacks-safari-again/5846
http://www.neowin.net/news/cha...safest-computing-experience

but I guess you think you know better than this security researcher...


Let's take a look at that link shall we:

Capable is not the same thing as actively infecting machines. There has been malware written in the past for Linux, but none were successful.

yeah right:
https://www.securelist.com/en/...4/A_cross_platform_java_bot

When launched, the bot copies itself into the user's home directory and sets itself to run at system startup. Depending on the platform on which the bot has been launched, the following method is used for adding it to autostart programs:
1.For Windows - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
2.Mac OS - the standard Mac OS service launchd is used
3.For Linux - /etc/init.d/

next time, please at least read the article before making me waste my time.

http://arstechnica.com/securit...servers-to-attack-visitors/

http://arstechnica.com/securit...ites-running-apache-tomcat/

http://arstechnica.com/securit...-a-linux-server-looks-like/


The only attacks I've seen involve SQL injection or buffer overflows, not actual malware running on the servers.

ignorance is bliss! (see the above links)



I'd like to see you provide evidence of a single drive-by attack on Linux users. The drive-by malware I've ever seen or heard of was on Windows, and mostly related to IE and ActiveX.

IE has close to 60% market share, so obviously, it is a more interesting target than a browser on an OS with 0.9% market share on desktops.

yet IE has less flaws than competitors:
http://www.gfi.com/blog/resear...ar-security-battle-in-2011/


Yes they are vulnerable. iOS has had them, and I posted a link to an article about Windows Phone 8 malware above. You clearly don't understand how malware works. Even the Kinect has malware.

kinect malwares?
ROFL

seriously, I don't think you're on the right position to tell me I don't know about malwares


The reason people pirate software is because it costs money. In the FOSS world, all the software is Free and Open Source. There's no reason to pirate.

lol!
so video games running on Steam Linux have magically become free and open source?


I've already told you, Linux users get their software from peer reviewed repositories, not randomly downloading from the internet like Windows.

if Linux had 90% market share, the repository model would not work because it's not the same thing to review 5000 apps and 50 000 000 apps.

furthermore, companies such adobe would not let their software be distribute through repositories. Which means there would be a lot of app needing manual patches.

btw, since windows vista it is possible for developpers to deploy signed updates without user intervention, and without requiring a repository.

if 3rd party devs don't use this feature on windows, what makes you think they are going to waste their time submitting their software to the dozens of distribution specific repositories?

simplezz said,

The reason they aren't exploited is due to user behaviour and difficulty with which malware targeting Linux would have. Linux users get their software from peer reviewed repositories, not randomly downloading off the internet like Windows.

And an OS and users are much more vulnerable if there are millions of pieces of malware floating around, as in the case of Windows. One only has to look at the number of infections, it's in the hundreds of millions. I've yet to see a single successful and widespread Linux malware. Until that happens, I'll never agree that Linux is just as vulnerable as Windows as you put it. You can play semantics all you want, but the reality is, Windows PC's everywhere are infested with malware, and Linux machines are not.


Bug trackers aren't just vulnerabilities. Most of them are innocuous. The fact that so many eyeballs are looking at them means more are discovered and fixed. But I suppose you'd prefer proprietary software were vulnerabilities go unnoticed and unpatched for years at a time; all the while software in the wild is exploiting them.


yeah right
"Linux community finally fixes 6-year-old, critical bug"
http://www.networkworld.com/community/node/65263

Anatomy of a 22-year-old X Window bug: Get root with newly uncovered flaw
http://www.theregister.co.uk/2...s_privilege_escalation_bug/


furthermore, these last few years at several occasions critical flaws were patched silently in the Linux kernel (without any mention in the changelogs), which means most distros were continuuing to use vulnerable kernels for months without knowing they missed critical updates.


and even worse, nobody knows how the Linux kernel.org servers were hacked two years ago:
http://arstechnica.com/securit...-how-did-it-happen-and-why/

Geezy said,
What security benefits? Windows RT shares the same holes that the x86 version does.

yes, and so far, how many exploits in the wild did you spot?

I haven't ever heard of any PoC of exploit code targeting browser flaws in Windows RT. There will be at some point. But exploit binaries are not compatible, and persistence is more complicated.

actually, the fact that Windows RT has the same code base as Windows x86 (and the same flaws) means that Windows RT benefits from the same code review as Windows x86, which is the most reviewed piece of software by security experts in the world.

if someone finds a 0day exploiting Windows x86, it might not be exploitable on windows RT because a lot of components have been removed (big parts of the .Net framework and windows media player were not ported to windows RT), and even if the exploited component exists on Windows RT, thanks to secure boot, every executable, dll, drivers and so on must be digitally signed by Microsoft to be executed on each reboot, making the malware less likely to execute again after reboot.

chrome OS is similar on that point, making it harder for malwares to persist after a reboot than on a classic Linux or windows OS that allows to run unsigned code by default.

so yes, sandboxing + mandatory signature checking makes Windows RT much more secure than any OS.

and lack of browser extension support makes it more secure than chrome OS (malicious extensions completely defeat the chrome OS security model, and they can spread between machines thanks to google account synchronisation, as has happened to this journalist : http://arstechnica.com/securit...send-adware-filled-updates/ )

link8506 said,

yeah right:
https://www.securelist.com/en/...4/A_cross_platform_java_bot
When launched, the bot copies itself into the user's home directory and sets itself to run at system startup. Depending on the platform on which the bot has been launched, the following method is used for adding it to autostart programs:
1.For Windows - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
2.Mac OS - the standard Mac OS service launchd is used
3.For Linux - /etc/init.d/

I don't even have a /etc/init.d directory on my machine, I use systemd But nice try haha.

link8506 said,

next time, please at least read the article before making me waste my time.

And I already told you:

The attackers used vulnerability CVE-2013-2465 to infect users with the malware.

1. This bot relies on out of date and vulnerable software, perfect for the Windows environment, not so much on Linux, where the package manager would automatically update it with the rest of the system.
2. The vulnerability applies to Sun's Java. I use OpenJDK.

So let's get this straight. The user would have to had explicitly installed Sun's binary version of Java through the repositories, completely ignored all system updates, and explicitly run this java program with root privileges. LOL.

The fact is there's no evidence that this program has ever been successfully used. It was sent to Kaspersky Lab for analysis.


Blah blah blah. All servers. And I don't see any actual evidence of infections, just analysis by anti-virus companies. Show me an instance of a real live malware infection on a GNU/Linux desktop PC. I'm Waiting...


ignorance is bliss! (see the above links)

You have yet to provide anything but a piece of malware sent to security researchers. None of which was successfully being spread on desktop GNU/Linux machines.


IE has close to 60% market share, so obviously, it is a more interesting target than a browser on an OS with 0.9% market share on desktops.

Not according to StatCounter:
http://gs.statcounter.com/#bro...w-monthly-201301-201401-bar

It's a more interesting target because it's full of holes and only gets an refresh once a year if it's lucky. There's a zero day attack against it every other month. And Microsoft are not exactly known for patching it quickly.


kinect malwares?
ROFL
seriously, I don't think you're on the right position to tell me I don't know about malwares

In that article about Windows Phone 8 malware, it explains, that the same guy created malware for the Kinect.


lol!
so video games running on Steam Linux have magically become free and open source?

There are many FOSS games available. I play OpenArena myself.


if Linux had 90% market share, the repository model would not work because it's not the same thing to review 5000 apps and 50 000 000 apps.

You don't understand how FOSS works.


furthermore, companies such adobe would not let their software be distribute through repositories. Which means there would be a lot of app needing manual patches.

We don't want proprietary rubbish like adobe on our systems thanks Windows is welcome to it


btw, since windows vista it is possible for developpers to deploy signed updates without user intervention, and without requiring a repository.
if 3rd party devs don't use this feature on windows, what makes you think they are going to waste their time submitting their software to the dozens of distribution specific repositories?

All installation goes through the package manager. That's how GNU/Linux works. And third party devs don't have to submit it themselves; just provide a single source tarball through git or whatever, and the repo maintainers take care of the rest.

Max Norris said,

Some of us Linux users do get software outside of their repositories, either due to the repository being outdated or just not having whatever particular program.

I don't. Everything I need is in the main arch repo. For everything else there is AUR. And I'm talking about the majority, because that's how a successful malware spreads.

Max Norris said,

Simple matter to con someone into adding a repository to their system that contains malware.. "Add this PPA for the Linux version of ____!" and done, infected. Add this PPA, run this script, double click this .deb. Zero day in whatever browser that's looking for *Nix users. Done, dead.

Really? My system doesn't accept PPA's. Your malware just failed. My system doesn't run or accept .deb files, your malware just failed. /etc/init.d doesn't exist on my system, link8506's javabot just crashed because it's trying to install itself in a different init system. That's a prime example of why malware can't succeed on GNU/Linux - Variety!

I'm sure you could convince a few people to run it, and if you're lucky enough to find a compatible system, it might succeed. But that's not on the scale of Windows malware which infects millions of machines. And that's the difference between Windows and Linux.

Max Norris said,

"Linux users" is also a gross generalization, it's like saying "every Windows user" is the victim of malware, when that's certainly not the case.

So it's unfair to say the the majority of GNU/Linux desktop users get their software from peer reviewed repositories. If you have evidence to the contrary, please elaborate.

Max Norris said,

As far as difficulty goes, it's no more difficult than any other OS. If I can trick you into doing something, doesn't matter what OS you're on, you're boned. Stupid people are stupid regardless.

Except that it is much more difficult for the reasons I listed above. Windows is a very homogeneous environment, that is to say, IE is present all installations, the directory structures are reliable, it's easy to add things to startup even across different versions etc. It's not like that in GNU/Linux, it's a heterogeneous environment, which makes it very hard for malware and viruses to propagate and be successful. Out of date third party software is also another source of vulnerabilities on Windows. Something that Linux package managers solve very well.

Max Norris said,

Only due to marketshare. On the desktop end, it's primarily money motivated, be it ads, ransomware or whatever. Who's going to focus on the near-nothing percentage? On the server end, not so much, those get nailed all the time. Even Linux HQ got knocked offline for a few weeks due to a rootkit. That aside, just look at Android, which is also running Linux. Big userbase, big malware issue. If SteamOS takes off, you'll probably see more Linux based malware show up too, it's only a matter of time until the bad guys notice.

Having a curated store or a peer reviewed repository results in significantly less problems than say Windows x86, where things are installed and run from random sources.

And let's take a look at Android shall we? In terms of number of devices sold, it eclipses Windows easily. Malware is often reported by security firms, but little actual evidence of its existence. Most of it is on third party stores in China etc, not Google's Play store.

simplezz said,
I don't. Everything I need is in the main arch repo. For everything else there is AUR. And I'm talking about the majority, because that's how a successful malware spreads.

One example for one relatively small distro. Doesn't apply to them all. Successful malware spreads because people are gullible enough to run something they shouldn't, plain and simple.

simplezz said,
Really? My system doesn't accept PPA's. Your malware just failed. My system doesn't run or accept .deb files, your malware just failed. /etc/init.d doesn't exist on my system, link8506's javabot just crashed because it's trying to install itself in a different init system. That's a prime example of why malware can't succeed on GNU/Linux - Variety!

Don't be dense, that was just an example using the most popular distro. Any why limit this to the init systems? Something wrong with hooking into your user's login script which then wouldn't even need admin permissions to begin with? Or, you know, just actually look at the environment and adjust itself according to what's available? Oh look, Systemd, guess I should adjust what the script is doing. Bash scripts are pretty flexible things, not terribly hard. Again, just an example.

simplezz said,
I'm sure you could convince a few people to run it, and if you're lucky enough to find a compatible system, it might succeed. But that's not on the scale of Windows malware which infects millions of machines. And that's the difference between Windows and Linux.

Again, see above, it's not hard to see what's available on the particular system it's running on. Besides, even though compatibility between distros is a problem, there's quite a lot of common elements too, never mind if I've already conned whatever user into running the thing in the first place, they've probably already given it admin rights too, because you know, this new Linux game requires a few libraries that you're missing.

simplezz said,
So it's unfair to say the the majority of GNU/Linux desktop users get their software from peer reviewed repositories. If you have evidence to the contrary, please elaborate.

I didn't say that. I said don't pretend that's the only place. There's quite a few Linux oriented programs that can have you arbitrarily add repositories to your package manager to stay current, never mind pre-packaged installers ready to go. I can give some bigger name examples if needed.


And again, see above, it's really not hard to figure out what's available and where it's at on a Linux system.. lots of built in tools to tell you exactly that. Systems already have been successfully attacked with rootkits and whatnot so it's obviously possible.


Sorry but I don't go for that "lets bury our heads in the sand and pretend it doesn't exist" approach that's frequently taken up by people with an agenda.

simplezz said,

I don't even have a /etc/init.d directory on my machine, I use systemd But nice try haha.

did you just try to convince yourself that Linux can't be hacked just because this specific example is targeting only a specific implementation?

it would have been trivial to infect any Linux distro through user session logon scripts.


And I already told you:


1. This bot relies on out of date and vulnerable software, perfect for the Windows environment, not so much on Linux, where the package manager would automatically update it with the rest of the system.

because you think that if Linux had 90% market share people would always run updated components? And not run software coming from outside the repositories, like games, productivity software, ...?

look android. Is every android device running the latest version?

furthermore, there have been several example in the past of distributions failing to distribute updated components.

for example:
http://www.ubuntu.com/usn/usn-1617-1/

this security updates from october 2012 fixes a lot of 0day webkit flaws in the GTK+ library.

such as this one:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3625

which allowed remote code execution.
reported to apple 2012/07

fixed in Ubuntu 3months later.

or this one:
http://code.google.com/p/chromium/issues/detail?id=105867

reported to google in november 2011.
fixed in google chrome a few months later.
fixed in Ubuntu 11 months after initial report.

these are just some examples. It's common for Linux distributions to use outdated components that do not include the latest security fixes (see my earlier post about kernel flaws)

in that specific example, that meant that any gtk+ based browser or app containing a webview renderer was vulnerable to 0day remote code execution flaws. For a whole year.
and nobody cared.

and explicitly run this java program with root privileges. LOL.

wait, you think that malwares need root privileges to infect the current users?

nowadays, windows/osx/linux malwares can infect user profiles without root privileges, and they can do lots of nasty things such as sending user's keystrokes to a remote server. No need for root privilege for that.


The fact is there's no evidence that this program has ever been successfully used. It was sent to Kaspersky Lab for analysis.

sure. The number of desktop Linux user is so small that at most only a few dozens users were infected by this specific malware.


Blah blah blah. All servers. And I don't see any actual evidence of infections, just analysis by anti-virus companies. Show me an instance of a real live malware infection on a GNU/Linux desktop PC. I'm Waiting...

see the above link concerning the java exploit.
furthermore, Flash player 0day flaws were also exploited to infect Linux machines a few months ago (can't find the link)

and webkit flaws, or Firefox flaws can be exploited too.


these numbers don't match the reality. They count each request, not each visitor.

furthermore, enterprise users do not appear on these statistics, as their usage of the internet is typically limited at professional sites (which don't use tracking services like statcounter). Most enterprises are using IE with java, which is why IE and Java flaws are so valuable to spy on government and big enterprises.


It's a more interesting target because it's full of holes and only gets an refresh once a year if it's lucky.

that's Ubuntu you're talking about.


a zero day attack against it every other month. And Microsoft are not exactly known for patching it quickly.

flaws are typically affecting older versions of IE.

and even then, they are rather uncommon these last few years. It's been a very long time since the last 0day in the wild affecting the last version of IE.

and Microsoft typically releases a temporary fix within 5days when a flaw affects a previous version of IE.



In that article about Windows Phone 8 malware, it explains, that the same guy created malware for the Kinect.

lol yeah kinect is basically a high tech webcam.

if you plug a webcam on a machine running windows/osx/linux, you can create a malware that can turn on the camera a record things.

saying it's a kinect malware is as stupid as saying there are logitech webcam malwares spying on users.

there are many FOSS games available. I play OpenArena myself.

so why is Valve wasting its time with Steam on Linux when everyone wants nothing more than tuxracer?


You don't understand how FOSS works.

I do. You don't.
you think that FOSS is viral. It's not.
look at android. It's no longer a FOSS distro.
lots of google components are proprietary. And most apps on the store are too.

and android is the most popular Linux distro.
it's what any Linux distro would become with enough popularity (proprietary software, lots of malwares, drive-by attacks,...)

Kalint said,
Somebody scurrrrrred of Google

I think this will pretty much accomplish what microsoft did to the growth of the linux-based notebooks back when xp was around. (crush them out of the market).

Kalint said,
Somebody scurrrrrred of Google
TBH, with 8" devices coming with office and serious price reductions. Along with the improved Win8.1 Touch Experience and the imminent incoming keyboard/mouse improvements. Google is going to start being scared by MS in the tablet market. So much value is offered off of the 8" devices it's kind of insane.

aviator189 said,

I think this will pretty much accomplish what microsoft did to the growth of the linux-based notebooks back when xp was around. (crush them out of the market).

In the Linux-based netbooks case, each OEM created different and often horribly crippled interfaces for them, something which hasn't happened with ChromeOS. If they had preinstalled something like U/Xbuntu, Mint etc, things would be completely different. Although it wouldn't have changed the fact that most of the netbooks were woefully underpowered by poor-performing atom processors.

ChromeOS on the other hand is consistent from device to device, and very usable. So you're really comparing Apples to Oranges there.

simplezz said,

In the Linux-based netbooks case, each OEM created different and often horribly crippled interfaces for them, something which hasn't happened with ChromeOS. If they had preinstalled something like U/Xbuntu, Mint etc, things would be completely different. Although it wouldn't have changed the fact that most of the netbooks were woefully underpowered by poor-performing atom processors.

ChromeOS on the other hand is consistent from device to device, and very usable. So you're really comparing Apples to Oranges there.

Despite that, I think we'll see a similar trend with this move.

simplezz said,

In the Linux-based netbooks case, each OEM created different and often horribly crippled interfaces for them, something which hasn't happened with ChromeOS.

Sounds like Android... which is what everyone is talking about, I would think... not Chrome OS.

Kalint said,
Somebody scurrrrrred of Google

Google offers nothing special other than the illusion of a replacement device until people realize they still need a computer. Microsoft will crush Google like a fly. Coming soon!

nickcruz said,

Google offers nothing special other than the illusion of a replacement device until people realize they still need a computer. Microsoft will crush Google like a fly. Coming soon!


Yeah... Microsoft isnt up against a bunch of people making linux in their basement anymore.

Kalint said,

Yeah... Microsoft isnt up against a bunch of people making linux in their basement anymore.

News to those who choose to be ignorant. "The people in the basement" making Linux have always been developed by corporations who provide the resources to develop Linux.

By the way the most innovative of technologies started īn a garage or basement. A basement makes no difference if the person or group has the passion to build it. The same is required in state of the art facilities. It does not guarantee innovation if there is no passion pour into it.

nickcruz said,
News to those who choose to be ignorant. "The people in the basement" making Linux have always been developed by corporations who provide the resources to develop Linux.

By the way the most innovative of technologies started īn a garage or basement. A basement makes no difference if the person or group has the passion to build it. The same is required in state of the art facilities. It does not guarantee innovation if there is no passion pour into it.

That's quite a romantic view of a utility OS.

nickcruz said,

News to those who choose to be ignorant. "The people in the basement" making Linux have always been developed by corporations who provide the resources to develop Linux.

By the way the most innovative of technologies started īn a garage or basement. A basement makes no difference if the person or group has the passion to build it. The same is required in state of the art facilities. It does not guarantee innovation if there is no passion pour into it.

Looky here... talking about ignorance on Neowin. Brave sir!