Sunday, June 29, 2008

Vista SP1 'Update' Released for OS Reliability

Three months after the initial release of Windows Vista Service Pack 1, Microsoft has issued what it calls a "reliability update" to sweep out any glitches that may pop up in a complex stack of applications on the new OS version.

Per a Knowledgebase article, posted late Tuesday night, the update is ready now on the software giant's download servers and it will roll out automatically in July's patch cycle through Windows Update. Microsoft published the update because "issues have been reported by customers who use the Error Reporting service or Microsoft Customer Support Services," according to Redmond.

Microsoft routinely releases such updates but this one is significant because it's the first involving Vista SP1.


Among the applications that this update will help run more efficiently is Windows Media Player and the Excel spreadsheet program. The Windows Media Player fix will help prevent the "stuttering" of audio and video files when streaming content. In Excel's case, the update corrects an error message that some users have complained about, Redmond said. After workstations have been in operation for a while or even idle, some users who tried to resume working in Excel 2007 received an error message saying, "EXCEL.EXE is not a valid Win32 application."

The update is supposed to fix interoperability issues with Apple's Quicktime media player. A support forum note said that the update is designed to reduce the "number of crashes that may be caused by the Apple QuickTime thumbnail preview in Windows Live Photo Gallery."

This update would also, among other things, resolve crash issues by addressing interruptions on e-mail programs, especially when using a POP3 e-mail client app such as Windows Mail or Mozilla Thunderbird.

Meanwhile, what remains to be seen is how the update will mesh with third-party applications. For instance, Microsoft intentionally blocked certain applications -- such as security products from Trend Micro, Zone Labs, BitDefender and Novell -- from running after SP1 was installed. SP1, however, gives security software vendors a more secure way to communicate with Windows Security Center. Malicious software detection applications can work with kernel patch protection on 64-bit versions of Vista.

Microsoft did mention that the update would improve stability for crashes related to Checkpoint Software Technology's ZoneAlarm Internet Security Suite and SpySweeper, a product from Webroot Software Inc.

The update will require a restart once it is applied. Updates for 32-bit or 64-bit versions of the OS can be downloaded, Redmond said.


Apple fixes Safari ‘carpet bomb’ bug
Apple posts 1.1.2 update for iPod nano
Microsoft Highlights First Unique Windows 7 Feature: Pervasive Multi-Touch

Hyper-V Made Available

Microsoft's first major push into the virtualization space officially kicks off today, as Hyper-V has been released to manufacturing (RTM).

As of noon ET, Hyper-V will be available for download from the Microsoft Download Center, according to Arun Jayendran, a senior product manager for Windows Server marketing. It will be available through Windows Upgrade on July 8.

The unexpected announcement is in keeping with recent Hyper-V development; ever since late last year, Microsoft has been ahead of its scheduled timetable for Hyper-V availability. When Windows Server 2008 hit commercial availability in February, Microsoft officials predicted that the Hyper-V gold (or final) code was expected in about 180 days (it originally shipped with a beta version). That would have put delivery of the hypervisor in the August timeframe.


Despite the early release, Jayendran said Hyper-V is ready to go, and has been thoroughly vetted. There have been "more than 1.5 million downloads of the Hyper-V beta. We had more than 140 customers in the TAP [Technology Adoption Program]." He also pointed out that three of Microsoft's most heavily-traveled Websites -- Microsoft.com, MSDN.com, and Technet.com, with a combined 42 million page views per day-- have been running on Hyper-V for months.

"We've talked to lot of customers deploying the beta version of this product. Customers are saying it's easy to use, has good performance, and stability and reliability are very good," Jayendran added.

Hyper-V is a bare-metal hypervisor, meaning it sits directly on hardware and controls the creation and operation of virtual machines (VMs). It's intended to compete directly with ESX, the flagship hypervisor of industry leader VMware. Microsoft hopes to make inroads in the market by offering Hyper-V as part of Windows 2008; no additional licenses are needed. ESX, conversely, carries a hefty pricetag. VMware, however, owns a huge share of the market -- as much as 80 percent or more, according to most estimates -- putting Microsoft in the unfamiliar role of underdog, trying to grab market share from the dominant player in the industry.

Microsoft's other hypervisor, Virtual Server 2005, is a Type II, or hosted, hypervisor. It sits on top of an operating system, creating additional overhead, making it a poor choice in most cases for enterprise environments. Microsoft also has a PC virtualization product, Virtual PC, which allows users to run other Microsoft OSes within an OS like Windows XP or Windows Vista.

Microsoft will also offer a standalone version of Hyper-V, independent of Windows 2008. Called "Hyper-V Server", it will retail for $28, with availability in late 2008, according to Jayendran.

The other key piece of Microsoft's virtualization strategy, System Center Virtual Machine Manager 2008, is slated for release in the early fourth quarter of this year, according to Microsoft. The last beta for VMM 2008 came out in April. VMM 2008 is Microsoft's enterprise-level management product for virtual environments. One way it distinguishes itself from VMware's management product, VirtualCenter, is that it can manage physical as well as virtual machines. In fact, VMM 2008 can manage VMware's own ESX servers.

Hyper-V slides into an increasingly crowded marketplace. Along with ESX, there are a number of vendors, with most offerings built around the Xen open source hypervisor. Chief among those are Citrix, which offers the commercial XenServer; Sun; Virtual Iron; Novell, which has a close partnership and technology interoperability agreements with Microsoft; Red Hat; Oracle and others.


VMware Pioneers Decouple Dynamic Analysis
Virtual Users And Domains With Postfix, Courier, MySQL And SquirrelMail (Ubuntu)

VMware Pioneers Decouple Dynamic Analysis

Researchers at VMware have pioneered a novel technique in dynamic analysis, one that separates the running program from the analysis tool, by use of virtual containers.

Such an approach can vastly speed the dynamic analysis of programs, noted Jim Chow, a VMware engineer who was a member of the research team.

"Separating analysis from execution is great because we can parallelize" the operations of each program, Chow said.


Chow presented the work at the USENIX 2008 conference being held this week in Boston. USENIX designated the paper describing the work, "Decoupling Dynamic Program Analysis From Execution in Virtual Environments," as the best paper submitted for this year's conference. Chow, Tal Garfinkel and Peter Chen conducted the research.

Dynamic analysis is a technique of studying a software program to find bugs and security bugs. The process usually involves either instrumenting the program -- that is, adding hooks that can measure certain conditions as the program runs -- or periodically stopping the program and examining its state.

Dynamic analysis can be good for finding such hard-to-trace problems as race conditions, or those circumstances in which a program locks up due to two processes vying for the same resource.

The problem with most commercial and open source dynamic analysis tools is that they slow the performance of the application being studied, sometimes by a factor of 100 or more, according to Chow. Factors such as context switching between the program and the analysis tool also contribute to this slowness.

The team's approach is to use the VMware virtual environments. The program under study runs in one virtual environment, while the analysis tools run in a second virtual environment on the same machine. Running the two programs in parallel, each with its own thread, means performance can be improved.

"Decoupled analysis moves analysis off the computer that is executing the main workload by separating execution and analysis into two tasks: recording, where system execution is recorded in full with minimal interference, and analysis, where the log of the execution is replayed and analyzed," the paper states.

The research team created a program called Aftersight to analyze software; however, further work is needed to bring Aftersight up to speed with the execution of the program itself, Chow said.

The research team tried the software on VMware's own ESX Server, the Linux kernel and the Putty secure shell client. Bugs were found in all. "We replay all the inputs that the machine saw, then that replayed execution will go through all the same instructions," Chow said.

USENIX, which stands for the Advanced Computing Systems Association, is an association for sharing information among technicians, scientists, system administrators and engineers on developments in the field of computer scientists.


Microsoft Advisory Targets SQL Injection Attacks
The beat goes on
Apple ships iPhone SDK beta 8
Hyper-V Made Available

Security Certification Rules Could Shake Up IT Management

Requirements for professional security certification for IT workers in civilian agencies, now being readied by the Office of Management and Budget (OMB), would have a major impact on how government and industry recruit, train and manage their IT staffs, a security expert said Wednesday.

"They are going to affect every one of us in the field," contractors and government employees, said George Datesman, a senior manager at Noblis Inc., a nonprofit high-tech consultant.

Datesman -- who holds a master's degree in criminology and has 30 years experience in law enforcement, including a stint with the Justice Department -- said at a Digital Government Institute conference on cybersecurity that OMB is finalizing minimum requirements for professional certification. He had no time frame for their release.


As IT security has become professionalized, a number of certifications have achieved general recognition industrywide, including a suite from the International Information Systems Security Certification Consortium (ISC2). ISC2 maintains and administers examinations for:

CISSP: Certified Information Systems Security ProfessionalISSEP: Information Systems Security Engineering Professional ISSAP: Information Systems Security Architecture ProfessionalSSCP: Systems Security Certified Practitioner

Organizations awarding certifications would have to be accredited to meet a federal mandate. Datesman likened the situation to the law-enforcement field, which still is sorting out how to fully implement requirements for increased professional training and education 30 years after the movement began. Not only would there be new hiring requirements, there also could be increased responsibility and legal liability for workers and their employers.

"This is a change we have not faced in the IT security industry before," he added.

The closest parallel has been in the Defense Department, which anticipated OMB's reaction in this area. The DOD's Directive 8570 on information assurance, approved in December 2005, requires all of the department's information assurance workers to obtain an accredited commercial certification in computer security. The DOD has approved 13 certifications for the directive.

The DOD requirement already has thrown what one conference attendee called a giant monkey wrench into the IT security manpower market.

"If OMB issues a similar requirement, it's going to throw the supply-and-demand curve even more out of balance," he said.

Datesman agreed, saying it probably would take years for the supply of certified workers to catch up with demand. A CISSP certification, for example, requires five years' experience. "You don't mint them out of college," he said.

The requirement is likely to drive up the cost of recruiting professionals, not only in government but among government contractors, who also would have to meet the requirements in staffing government contracts. Government contract language also would have to change to reflect the requirements.

Other practical considerations would be the need to formally define IT security roles and jobs and spell out the knowledge, skills and abilities needed for each. Certification and training also would have to be verified by employers, possibly creating a backlog much like that for background checks in issuing personal-identity verification cards to government workers and contactors under Homeland Security Presidential Directive 12.

No amount of education and certification will completely fulfill the need for IT security professionalism, Datesman said.

"When we did this in law enforcement 30 years ago, what we learned was that 60 percent of what they needed to know is learned on the job," he said.


Insurance.Com Certified to Display TRUSTe Privacy Seal of Approval
Microsoft Warns on Safari ‘Carpet Bombing’ Flaw
Microsoft Advisory Targets SQL Injection Attacks
Apple ships massive Mac OS X 10.4 security upgrade

Microsoft Advisory Targets SQL Injection Attacks

Microsoft on Tuesday issued a new security advisory after the discovery of "a recent escalation in a class of attacks" targeting Web sites. The exploits are associated with Microsoft's Active Server Pages (ASP) and the ASP.NET 2.0 Framework, with SQL Server used as an entry vector for so-called SQL injection attacks.

ASP lets developers create dynamic Web pages, supporting interactive browser-based applications and e-commerce by connecting with a relational database (such as SQL Server) on the back end.

Even though Microsoft's technologies are used in the attacks, the fault lies with Web site developers that haven't followed the best practices for security, according to Redmond.


"[The attacks] do not exploit a specific software vulnerability, but instead, target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database," wrote Bill Sisk, security response communications manager for Microsoft in an e-mail to Redmondmag.com on Tuesday.

Microsoft's advisory describes three tools that can help protect individual Web sites from SQL injection attacks, according to Sisk. You can also find links to these tools at Microsoft's data platform blog here. According to Redmond, the free and downloadable tools come with detection and defense features.

SQL injection attacks are becoming increasingly common. In April, security consultancy White Hat identified isolated cases of SQL-based Web sites injected with malicious JavaScript code. Perhaps the worst of it was seen January, when a widespread barrage of SQL injection attacks occurred. At that time, tens of thousands of Windows- and SQL-based workstations were affected, as well as several thousand Web sites with .gov and .edu domain suffixes. Many of the problems were remedied before serious damage could be done.


With Yahoo! Deal Uncertain, Microsoft Tries to Show Off Advertising Prowess
Apple ships massive Mac OS X 10.4 security upgrade
Vista SP1 ‘Update’ Released for OS Reliability
GLSA 200805-14 Common Data Format library: User-assisted execution of arbitrary code

Cisco Making 'Green' a Company Priority

If enterprise IT organizations are going to meaningfully reduce their carbon footprints, they're going to do so first by tackling low-hanging fruit -- e.g., power-hungry servers, storage and networking gear.

Cisco Systems Inc. has already made much of its green bona-fides, at least with respect to its IronPort appliance product line.

This week, Cisco took an even more ambitious step, pledging to reduce its carbon footprint by 25 percent over the next four years.


"We are innovators at Cisco, and we believe that the best way to achieve a more sustainable impact is to rely on innovation and our technology to help us solve problems," Cisco EcoBoard co-chair Laura Ipsen told Cisco's in-house PR organ, Cisco News. "Our No. 1 goal here is to use less energy -- and we're going to do that by drawing on the power of technology to make things smarter."

In many cases, Cisco plans to rely on its own technology, Rx, to execute on its ambitious greenhouse gas (GHG) reduction schedule. Not that the networking giant won't also take concrete steps to eliminate some of the most glaring sources of GHG emissions.

For example, officials pointed out, Cisco's labs and datacenters -- which contribute significantly to its overall GHG emissions -- will eventually make use of several energy-saving measures, starting first with a switch to more efficient lab or testing equipment.

The company also plans to invest in "smart" power distribution units that can actually power down machines when they aren't in use. It will also make aggressive use of virtual network storage and, of course, "greenify" its mechanical and electrical systems.

Elsewhere, Cisco plans to increase its use of collaborative technologies (such as Cisco TelePresence and Cisco WebEx) to help reduce business travel, which officials say accounts for more than a quarter of its overall GHG footprint. (On that note, Cisco claimed it has already decreased air travel-related emissions by "at least 10 percent per employee.")

Cisco also plans to deploy its Cisco Connected Workspace technology -- which Cisco said helps create a "hybrid" office environment -- at additional sites around the world. At Cisco's San Jose, Calif. headquarters, officials claimed, Cisco Connected Workspace has "significantly" cut back on per-employee electrical demands.

"Every corporation has a responsibility to help address climate change and to minimize the impact of its operations on the environment," said Cisco CEO John Chambers in a statement.

Chambers outlined Cisco's ambitious vision at his company's Cisco Live! Confab, held this week in Orlando.

"Cisco is approaching this challenge not only by curbing our own company's greenhouse gas emissions but also by taking advantage of the power of networking technology to better manage our environmental concerns," he said.


Making Computex Green. Literally.
With Yahoo! Deal Uncertain, Microsoft Tries to Show Off Advertising Prowess
Yahoo! May Face a Proxy Battle After All

Tuesday, June 3, 2008

Microsoft Warns on Safari 'Carpet Bombing' Flaw

As if Windows users didn't already have enough good reasons to avoid Apple's Safari Web browser, Microsoft this week provided another, more important one: It can be used to trigger a so-called "carpet bombing" attack on users' PCs and running applications that could be used to take over the machine.



According to the search researcher who discovered the problem, the Safari carpet bombing flaw is actually one of three separate security issues he found in the browser in mid-May. Nitesh Dhanjani says he reported the flaws to Apple at that time, and Apple has pledged to fix one of the other flaws he discovered, but does not feel the carpet bombing flaw is "security related."



Dhanjani disagrees. "It is possible for a rogue Web site to litter the user's desktop [with executable applications]," Dhanjani writes in a blog post describing the flaw. "This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location. The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent."



Apple's response to Dhanjani suggests that the company isn't interested in tackling this problem anytime soon. "We can file that as an enhancement request for the Safari team," Apple told him. "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated."



On Friday, Microsoft announced that it was taking the flaw more seriously because it is a "blended threat" that combines a Safari flaw with how the Windows desktop handles executables. "Microsoft will take the appropriate measures to protect our customers," a Microsoft security advisory reads. "This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers' needs."



Microsoft recommends a workaround while it works on a solution: Reconfigure the default location where Safari downloads content to the local drive, as doing so will prevent the flaw from being exploited. I have a more elegant solution: Simply avoid Safari all together and use a browser that's written by developers who understand the security nuances of Windows better. I recommend Mozilla Firefox, but Internet Explorer 7 is acceptable as well.


Windows Mobile Sales to Jump 50 Percent, Microsoft Says
Microsoft Highlights First Unique Windows 7 Feature: Pervasive Multi-Touch

Microsoft Extends XP Home Licensing to Include Nettop Devices

At the Computex show this week in Taipei, Taiwan, Microsoft announced that it would extend its support of Windows XP Home Edition to include a coming generation of so-called Nettop devices. Previously, Microsoft had announced its intention to extend support of XP Home to Ultra-Low-Cost PCs (ULCPCs), which are sometimes referred to as Netbooks.



Put more simply, where Netbooks are low-cost mobile computers, Nettops are low-cost desktop PCs. Like Netbooks, Nettops are aimed both at emerging markets and at multi-PC households.



"Customers and partners have made it clear to us that they want Windows on their Netbooks and Nettops," said Microsoft corporate vice president Steven Guggenheimer. "We are committed to providing Windows solutions for these devices, helping to ensure a high-quality experience for both our partners and customers."



Microsoft originally planned to stop selling Windows XP after June 30, 2008 but recently extended that date only for XP Home and only on Netbooks. This week's announcement brings Nettops into the XP fold as well.



Not surprisingly, many of the companies that have seen success in the Netbook business are working on Nettop PC designs as well. Asus, for example, will soon begin selling a low-cost Eee Box PC that compliments its popular Eee PC portable device. Over 20 PC makers are working on XP-based Netbook and Nettop offerings, Microsoft says.


Microsoft Talks Windows 7 … But Doesn’t Say Anything

Court Docs: Yahoo 'Threw Sand in the Gears' of Microsoft Bid

One year before Microsoft publicly revealed its $44.6 billion bid for Yahoo, a deal which valued the company at $31 a share, the software giant privately offered to purchase Yahoo for a more princely $40 a share. Yahoo unceremoniously rejected Microsoft both times, but recently revealed court documents contain some damaging information that will likely rile activist Yahoo shareholders even more: During this year's merger saga, Yahoo executives enacted a controversial employee severance program designed solely to thwart Microsoft.



The plan--which would have raised Microsoft's cost of acquiring Yahoo by as much as $2.1 billion--was "highly unusual" according to a complaint filed by Yahoo shareholders, because it applied to every single Yahoo employee instead of just key employees. As such, it was clearly aimed solely at "throwing sand in the gears of Microsoft's plans for a smooth integration." Thanks to the added cost, Microsoft never got seriously about raising its per-share bid for Yahoo, shareholders assert.



Yahoo says that the plan was "unprecedented" but necessary. "We believe we did the right thing for our employees and our shareholders," a Yahoo spokesperson said.



Since breaking off merger talks early last month, Microsoft and Yahoo have continued discussing other possible deals, but it appears that an outright purchase is off the table for now. But many Yahoo shareholders are outraged to discover the lengths that Yahoo's board went to in order to avoid a purchase by Microsoft, a purchase they say would have been hugely advantageous to shareholders. Some shareholders, lead by billionaire investor Carl Icahn, are now seeking to overthrow the Yahoo board, arguing that they worked to "thwart Microsoft's advances at shareholders' expense."



The court documents reveal other interesting tidbits about Yahoo and Microsoft. Back in October 2007, the Yahoo board discussed the possibility that an industry giant would try to purchase the company thanks to three years of falling stock prices. As a result, Yahoo created a press release stating that it would entertain buyout offers but felt that it was "not the right time" to sell the company. Also, when Microsoft CEO Steve Ballmer contacted Yahoo initially in late January this year about the buyout offer, he told Yahoo CEO Jerry Yang that he was willing to keep the negotiations private. But when Yang told Ballmer that Yahoo would take its time responding, Ballmer decided to go public.


Icahn and I Will: Investor Launches Yahoo! Proxy Battle