Thursday, August 28, 2008

Microsoft Announces SP-1 for Forefront Client Security

As Microsoft continues to navigate the ever-bumpy road of security, the software giant this week released its first service pack for Forefront Client Security, a member of its Forefront family of security products.

The Client Security app helps protect against nasty bugs that can come from the Internet or various client attachments.

"Forefront Client Security helps organizations better protect users against malware and spyware across multiple Microsoft platforms -- from small businesses to large enterprises," Microsoft explained in a press release. The app uses a single console to help IT administrators manage the security of "enterprise deployments of more than 10,000 clients," it added.

Service Pack 1 helps address client protection across the following network elements, according to Microsoft's Forefront team blog:

"Agent protection on Windows Server 2008 -- Server and CoreServer role support and protection for Windows Server 2008 (except Core, which is Client only)Agent protection and server roles on Hyper-VAgent protection on cluster serversAgent protection on Home editions of Windows Vista or later, Windows XP SP2 or later, Windows 2000 SP4, and Windows Server 2003 SP1 or laterNAP Integration"

Forefront Client Security was first released in May of 2007. As agent software, it runs on PCs, laptops and various other client devices. It features anti-virus and anti-spyware solutions that can run in real time or on a schedule.

In addition, Forefront Client Security scans the security posture of managed devices to determine if they need to be reconfigured or need a patch. It is deployed from a single management console for reporting and alerts and to manage policies for client security.

Microsoft offers a trial evaluation copy of Forefront Client Security that will automatically prompt the user to install Service Pack 1. The evaluation copy can be accessed here.

The Forefront family of tools includes as many as 10 products, all of which work exclusively within the Microsoft environment and integrate with Microsoft's operating systems and software.

The Forefront family of products is poised to make another splash with the anticipated release next year of an integrated security solution code-named "Stirling." The new suite will integrate multiple levels of security -- client, server, network, and edge -- using next-generation Forefront security products.

Microsoft Remedies Windows Server Update Glitch
Apple ships massive Mac OS X 10.4 security upgrade
WSUS Blocking: A Real Problem, Microsoft Says

Microsoft Unveils More Mojave Details for Skeptics

Some people think Microsoft's Mojave Experiment, revealed in July, was rigged marketing exercise, but Microsoft begs to differ, according to a Tuesday blog post. In the experiment, a retail salesperson demonstrated a so-called "new" operating system, although it was really Vista.

This week, Microsoft provided a few more details about the experiment that generated a reported 89 percent "satisfaction" rating for Vista among the 120 consumers surveyed. The new details are available at the Mojave Experiment Web site, but you have to sift through multiple floating videos to hear them.

Some have questioned the hardware used in the experiment. It turns out that the computers used to demonstrate Mojave (really Vista) were one-year-old HP dv2000 laptops with Intel Core Duo CPUs and two gigabytes of RAM running Vista Ultimate, according to Microsoft.

The hardware issue is important for those using Windows XP, who may face a hardware upgrade in order to use Vista. It's a sticking point that has caused some upgrade resistance, at least in the budget-strapped enterprise. There also have been complaints about the lower end Windows Vista Home Basic consumer-grade OS being a less-than-adequate upgrade from XP, and that it lacks the fancy Aero graphical user interface.

The Mojave demo showed these Vista features:

Gadgets running on Vista, such as an analog clock or a display of local weather information; An Apple OS X-like flip through of currently running programs;Ways to restrict your kids' computer time, and check their Web-browsing history, giving new meaning to spyware;Windows Media Center, where you can record live TV to your computer; andA photo-stitching demo showing how to take four adjacent photos and make a single panoramic view.

Despite Microsoft's greater transparency on the project, the Mojave Experiment had the makings more of a focus group than a research experiment. The sample size of 120 people was just too small to be statistically significant.

In addition, some have pointed out that it was just a demo conducted by a sales person. People may have formed different opinions if they had actually tried to use the operating system themselves in a day-to-day setting.

The Mojave Experiment: A Vista Love Fest
When Vista sales aren’t Vista sales

Microsoft Updates IE Patch Due to VML Flaw

Microsoft this week released an update to a 2007 Internet Explorer patch covering Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 7.

The update comes as Redmond issued Internet Explorer 8 Beta 2 this week. It follows the company's cumulative general security patch release for August, which included critical fixes for Microsoft's browser application.

The software giant says this latest IE security update, which was published on Wednesday, "resolves a privately reported vulnerability" in the Vector Markup Language (VML) implementation in Windows. The main purpose of VML is to allow servers to communicate with one another and share structured data, particularly via the Web.

The patch, first released in August 2007, was designed to stave off remote code execution (RCE) exploits. RCE attacks occur when an end user or administrator opens up a maliciously crafted Web page or Hypertext Markup Language file.

The updated IE patch addresses the kill bit for ActiveX controls, as well as the way certain strings in cascading style sheet (CSS) files are configured and aggregated for Web publishing.

The patch applies to IE 5.01 and IE 6 Service Pack 1, and Windows XP Home and Professional Editions, but Microsoft added a fix for the latest version of IE 7 with this update. Microsoft suggests that IT pros and users with the applicable version of IE install the patch immediately.

Security experts mainly see this rerelease as routine. However, it's important for Microsoft to have all of its ducks in a row ahead of its much-heralded IE release, especially when the company banks on having improved security in Internet Explorer. Microsoft has not officially announced a release date for the non-beta version of Internet Explorer 8.

"Overall, unpatched systems and lack of user awareness, coupled with the number of people freely roaming the Internet, makes these [RCE vulnerabilities] more profitable and more easily exploitable than the remote attacks from days-gone-by," said Tyler Reguly, a security engineer for nCircle, a San Francisco-based network security firm. "We're seeing a lot of the same things we've seen in the past in regards to what's being patched as far as IE, and it's as important as ever for [Microsoft]."

IE Is Least-Patched Browser, Report Says
Apple fixes Safari ‘carpet bomb’ bug
Seven Critical Fixes Expected on Tuesday
Apple finally patches dangerous DNS flaw

Web Sites Rife with Unpatched Vulnerabilities

Although the overall number of vulnerabilities being discovered in software appears to be leveling off or even dropping, two recent reports on Web security say that the overwhelming majority of Web sites studied still have unpatched vulnerabilities that could expose visitors to malicious code.

"It's part of a trend that has been going on since 2006," Tom Stracener, senior security analyst at Cenzic's Intelligent Analysis Lab, said of the focus on Web vulnerabilities. "There is a tremendous focus on it in the research community."

According to a trend report for the second quarter of 2008 released this week by Cenzic, seven of 10 Web applications analyzed engaged in unsafe communications practices that could lead to exposure of sensitive information during transactions. Cross-site scripting is the most common injection flaw, with 60 percent of sites analyzed being vulnerable to the attacks. About 20 percent had SQL injection applications.

Meanwhile, WhiteHat Security reported similar findings. The company released its fifth Web site Security Statistics Report this week, also covering the second quarter of the year. It reported that cross-site request forgery vulnerabilities are present in about 75 percent of Web sites.

"On a positive note, 66 percent of all vulnerabilities identified have been remediated, underscoring the value of a consistent Web site vulnerability management program," WhiteHat reported. But it also reported that 82 percent of sites have at least one security issue, with 61 percent having issues rated as high, critical or urgent under the Payment Card Industry Data Security Standard.

Cenzic reported that although the overall number of vulnerabilities reported in the second quarter was down slightly, the number of Web vulnerabilities remained nearly constant. The Web accounted for about 73 percent of all vulnerabilities reported in the second quarter, up from 70 percent the previous quarter.

"It should be noted, however, that the frequency with which security issues are reported does not reflect the frequency of their distribution in the wild," the report said. "For example, cross-site scripting comprised roughly 23 percent of the total application vulnerability volume, yet this vulnerability is very common in proprietary Web applications."

Interactive Web formats that emphasize user-generated content, often placed under the broad title "Web 2.0," are becoming an increasingly important area of interest for researchers and hackers. Cenzic reported an increasing focus on client-side Web-enabled tools, such as ActiveX controls, QuickTime, Flash players and other media players, often embedded in applications.

"Attacking client-side applications or browser plug-ins is increasingly becoming a means for distributing malware, rootkits and backdoors," the report said.

GLSA 200805-19 ClamAV: Multiple vulnerabilities
Speedy Mac helps you open things quicker
Security Woes Up, as PHP and OSS Make the List

Wednesday, August 27, 2008

Microsoft Releases Internet Explorer 8 Beta 2

Microsoft released its Internet Explorer 8 Beta 2 test product today, and the company spilled a lot of pixels explaining the beta's new features, with some details for Web developers. The public release of the new beta can be accessed here.

The IE8 development team seems to have spent considerable time on the browser user experience with this upgrade. The company's IE blog states that the team focused more on "flow," or how people typically use the browser, when adding features.

"We also knew that adding features has an impact only if they're 'in the flow' of how people actually use the product," the IE blog explains.

From a description of the features, most of which are not new with this release, it seems as if Microsoft did execute that plan. Many of the features have an on-the-fly nature to them. For instance, the browser will start performing a search without the user having to type the whole word or phrase. It displays an image as part of the search results.

Microsoft also partnered with other search vendors to improve the search capabilities in IE8 Beta. Those partners include "Live Search [Microsoft], Wikipedia, Yahoo!, Amazon, and more," according to a Microsoft Web page listing IE8 Beta's features. Oddly, the No. 1 search firm, Google, didn't make that short list.

Microsoft is also doing a lot with RSS feeds in the IE8 Beta, somewhat along the lines of a mashup. Users bring together feeds on the fly in the browser using "Accelerators," which can display different services on the same page. One example of an Accelerator is a map that displays by simply placing the cursor over a text address on a Web page and selecting a map feed service.

Web Splices are another RSS feed-like element in IE8 Beta. Developers can create the Web Splices on a Web site to help users track frequently updated content. A green icon lets the user know that a Web Splice is available.

Microsoft appears to be showing some interest in protecting user browsing information from third-party vendors that may track user clicks without using cookies. IE8 Beta 2 has something called "InPrivate Browsing" that will prevent browser retention of things like cookies, browsing history, user names and passwords, forms data, temporary files, and browsing history. Microsoft gives a few scenarios why this feature is important. However, others are calling it "porn mode."

IE8 Beta 2 has a "Compatibility View" function that shows up as a broken page icon near the browser's URL address bar. This feature will let users toggle between displaying a particular domain in either IE7 or IE8 modes. No browser restart happens when users toggle between the modes.

The default standard DOCTYPEs will map to "IE8 Standards mode," as Microsoft calls it, in IE8. However, things may not display properly in the browser. Developers can opt out of IE8 Standards mode by inserting code in the head or inserting a meta tag after the head with an attribute that reads "IE=EmulateIE7." This approach is Microsoft's way of giving Web developers a little more time to update their sites for IE8.

IE8 Beta 2 is currently available in English, Chinese, German and Japanese, in both 32- and 64-bit versions. It works with Windows Vista and XP, as well as Windows Server 2003 and 2008.

Check Microsoft's install advice before upgrading to IE8 Beta 2. There are some quirks to watch out for, particularly for Windows XP Service Pack 3 users. Most of the time, it's a simple upgrade without having to uninstall IE8 Beta 1 first. With XP SP3 users, it's a little different.

"The only time we encourage you to manually uninstall Internet Explorer 8 Beta 1 prior to upgrading to IE8 Beta 2 for Windows XP users is if you happened to install Windows XP SP3 after installing IE8 Beta 1," stated Microsoft's IE8 team.

WinPwn beta hacks iPhones for Windows users
openSUSE 11.0 Beta 3
Microsoft Warns of ActiveX Exploit in Access

BitLocker Password Exploit Is 'Very Unlikely,' Sisk Says

Redmond responded on Tuesday to an independent security vendor's discovery of a hard-drive encryption vulnerability affecting Microsoft's BitLocker function, Intel/HP's BIOS and several other products and programs.

Microsoft acknowledged the threat, which was described by representatives of Kolkata, India-based iViZ at the Defcon 16 event. Redmond offered some explanations and workarounds.

"We recognize that the claim detailed in the presentation by the researcher about BitLocker is correct," wrote Bill Sisk, security response communications manager for Microsoft, in an e-mail sent today. "This theoretical attack is only possible in targeted situations, and while probable, [it's] very unlikely."

Sisk's comments come as a retort to an announcement on Monday from iViZ, a security penetration testing company. iViZ said that it had discovered a new class of a preexisting vulnerability that allows attackers to steal computer boot passwords. The exploit bypasses the security of preboot authentication software, such as Microsoft's BitLocker hard-disk encryption tool.

The premise of iViz's argument lies in the fact that programmers who might be unaware of such bugs tend to code boot password features in a way that doesn't expunge critical information from the hard drive. It's a circumstance that could lead to "inadvertent leakage and theft," according to the company's announcement. Even the most thorough hard-drive encryption scheme may not be able to block this vulnerability.

To that end, Sisk added that the software giant has addressed such issues in Windows Vista Service Pack 1, and he encouraged "customers to update their systems accordingly."

BitLocker, first released in January 2007, is designed to guard personal and private data on mobile PCs. It comes with other protection options that can be customized to meet the needs of various end users.

"Like all full volume encryption products BitLocker has a key-in memory when the system is running in order to encrypt/decrypt data, on the fly, for the drive/s in use," wrote Sisk. "If a system is in 'Sleep mode' it is, in effect, still running."

In that vein, Microsoft encourages IT pros concerned about such bugs to consult best practices on data encryption in BitLocker, previously published by Redmond here.

Among other things, Microsoft's guidance expounds on the balance of security and usability when using BitLocker in hibernate mode.

Valve catches achievement command exploit
Microsoft Warns of ActiveX Exploit in Access
GLSA 200805-17 Perl: Execution of arbitrary code

VoIP Adoption Soaring -- But Not Revenues

If consumer Voice-over-IP (VoIP) is surging, why are VoIP equipment revenues -- especially in a market segment that includes gargantuan players such as Cisco Systems Inc. and Alcatel-Lucent -- softening?

It depends on how you look at it, market watchers say.

First, if there's any softening, it's happening in the service provider segment. Second, service providers are still buying more VoIP gear than ever before (on a year-over-year basis). It's just that the VoIP equipment segment's second quarter performance fell off a bit from the torrid pace it set in Q1.

According to market watcher Infonetics, the worldwide VoIP market was down by 4 percent, thanks largely to a double-digit decline in the session border controller (SBC) and softswitch segments. That's the first-ever sequential decline for SBC, which dropped 14 percent between Q1 and Q2 of 2008.

If there's any softening, however, it's quarter-to-quarter, not year-over-year. Compared to 2007, the overall VoIP market is up by 3 percent -- spurred by strong gains in the media server and (surprise!) SBC segments.

For the rest of 2008, Infonetics projects, the VoIP should post strong growth.

"While down in the first half of 2008, we expect the carrier VoIP equipment market to bounce back in the second half, ending the year on a positive note. The five-year outlook looks good as well, as demand for VoIP networking gear continues unabated, driven by a long term migration from circuit switched to packet telephony," said Stéphane Téral, principal analyst for VoIP and IMS at Infonetics Research, in a statement. "Similarly, while the session border controller segment saw its first sequential decline this quarter -- due to a pause in deployments in North America and Europe where large service providers are maxing out their installed base rather than purchasing new equipment -- we expect it to pick up nicely in the second half of the year,"

In fact, Infonetics projects robust VoIP market growth through 2011, with the combined VoIP and IMS segments nearly doubling in revenues over the next four years. During that period, Infonetics says, IMS core equipment -- particularly for home subscriber servers (or HSS) and call session control function (CSCF) servers -- should account for most of that growth.

During the quarter just past, Alcatel-Lucent -- which seems to be hitting its post-merger stride -- rocketed up the charts, posting 173 percent sequential growth in DS0 shipments and landing in the No. 3 spot for DS0s and revenue.

Cisco, for its part, has had mixed results in the VoIP service provider segment. According to a recent survey of service provider customers, for example, Cisco ranks as one of the top five VoIP vendors in the industry, alongside rival Alcatel-Lucent and VoIP specialists Acme Packet and Sonus. Cisco was tops, overall, in terms of brand recognition, but trailed other players in the technology, product roadmap, security, management and price-to-performance categories.

Piper: 10.5 to 11 million iPods in June quarter
Survey: Cisco’s VoIP Execution a Mixed Bag

Troubles in Terrorist Database

A variety of technical flaws in an upgrade of the system that supports the government's terrorist watch list has drawn congressional fire and raised concerns that the entire system might be in jeopardy.

The concerns are over a program called Railhead, which was intended to improve the sharing, fusing and analysis of terrorism-related intelligence governmentwide. Railhead was being designed to be the successor to the Terrorist Identities Datamart Environment, which is the central repository for information on international terrorists.

Lockheed Martin hastily built the relational database management system using an Oracle platform in the aftermath of the 2001 terrorist attacks. But in the years since, the system has suffered from a growing number of contractors and government employees attempting to expand and enhance the database without properly taking into account its architecture and design rules.

As a result, dozens of undocumented and duplicate database tables make search queries increasingly unreliable, according to a preliminary investigation report submitted to the House Science and Technology Committee's Investigations and Oversight Subcommittee.

The Railhead program was developed to address many of those problems and improve the database's ability to share and combine information for government analysts. But the Railhead program, led by Boeing and SRI International, has run into significant design and execution problems.

Initial plans to replace the existing database were scrapped in favor of converting the system to use Extensible Markup Language. But one of two Railhead design teams raised concerns that XML would substantially increase the size of data files and slow transmission times to the 30 networks that access the system.

Concerns about the system's security, the fact that certain data wouldn't move to the new system, and issues concerning whether the system would properly handle unclassified but sensitive data compounded the design delays. Recent software testing failures, though normal for a project of this nature, raised further questions about whether its overall design had deeper flaws.

The problems came to a head in recent weeks. The government has fired most of the 862 contractors from a variety of companies who were working on the project, according to a report in the Aug. 22 Wall Street Journal. Next steps for the program, valued at half a billion dollars, are now up in the air. Calls to Boeing; SRI International; and the Office of the Director of National Intelligence, which is responsible for the system, were not returned.

Rep. Brad Miller (D-N.C.), chairman of the House subcommittee that conducted the investigation, has sent a letter to ODNI's inspector general requesting an investigation into the technical failures.

Colombian hostage rescue revives trade debate
Microsoft Advisory Targets SQL Injection Attacks
Information Commissioner slams UK gov’t database plans

Xen Hypervisor Gets an Update

The open source hypervisor Xen has a new version, 3.3, that includes a number of upgrades and enhancements that make it more enterprise-worthy and start to move it beyond the datacenter.

Xen is a free, open source hypervisor first released in December 2005. It is used as the basis for many virtualization implementations, including Citrix's XenServer, and offerings from vendors such as Virtual Iron, Sun, Oracle and Novell among others.

The improvements in the latest version cut across a number of areas, including performance and scalability, efficiency, security, and portability. One long-awaited feature is "memory overcommit," which allows more virtual machines (VMs) to be loaded on a physical server. In addition, VMs can now be moved to servers with different CPUs and still function properly, regardless of the CPU's virtualization support. In terms of "green computing," Xen 3.3 features better power management.

This latest release also unveils the Xen Client Initiative (XCI), an effort to port Xen to laptops, PDAs and other mobile devices. According to a press release announcing Xen 3.3, the XCI has three primary uses initially:

"Using Xen to run 'embedded IT' VMs that allow remote support, security and service of PCs through embedded IT applications without any impact on the user's primary desktop OS; 'instant on' applications that can be immediately available as separate VMs from the user's primary desktop OS; and 'application compatibility' VMs, which allow legacy PC applications to run as VMs, alongside the user's primary desktop OS."

The XCI is a new initiative for, the group that manages the Xen project. was formerly XenSource, until it was bought by Citrix last September. It exploits a growing field within virtualization, moving beyond server consolidation and into the end user community.

One analyst quoted in the press release said that Xen is on a strong growth curve:

"'The community has made security and performance key criteria for the evolution of Xen,' said Zeus Kerravala, SVP, Enterprise Research, Yankee Group. 'This has been a successful strategy, according to recent Yankee Group survey data showing Xen's rapid growth.'"

Xen is not used by VMware and Microsoft, which have their own proprietary hypervisors. Microsoft, however, has made sure its hypervisor, Hyper-V, works very smoothly with Xen-based products. In fact, any VM created on one platform can be seamlessly transferred to the other.

Virtualization is the process of breaking the bond between physical hardware and software. It allows, for example, multiple operating systems, such as Windows Server 2008 and Linux, to be run on the same physical server. Another common use is to run Windows desktop OSes, such as XP or Vista, on a Mac computer.

Xen 3.3 can be downloaded here.

Microsoft Virtualization Launch Planned for Fall 2008
GLSA 200806-06 Evolution: User-assisted execution of arbitrary code
GLSA 200807-15 Pan: User-assisted execution of arbitrary code

Tuesday, August 26, 2008

IT Spending Rises Despite Tough Economic Times

Last week, market watcher Gartner Inc. issued a report in which it projected that IT spending should eclipse $3.4 trillion this year. That's a year-over-year growth rate of 8 percent.

That may seem at odds with another recent Gartner survey, this time of CIOs, that suggested a slowdown in IT hiring is possible -- not what you'd expect when IT spending is rising.

Gartner principals insist that ongoing economic uncertainty doesn't seem to have adversely impacted IT spending.

"The U.S.-led economic downturn shows no sign of causing a recession in IT spending," said Jim Tully, vice president and distinguished analyst at Gartner, in a statement. "In subsequent years we will see reduced growth, but the fundamentals remain strong. Emerging regions, replacement of obsolete systems and some technology shifts are driving growth."

There's a caveat, of course: One reason IT spending seems so strong is because it's measured in dollars, a currency that has undergone a period of protracted decline relative to others. According to Gartner, that helps to account for much of the "growth" measured by its survey. On an adjusted basis -- i.e., measured in terms of "constant currency" -- IT spending is growing at about 4.5 percent.

Aside from its surprising spending projections, the Gartner report does contain a few other twists. For example, researchers say it looks like we're transitioning away from traditional IT leasing or buying models toward a services-based model.

"Organizations are switching from company-owned hardware and software assets to per-use service-based models. This will impact the industry in various ways," Tully said. "The projected shift to cloud computing, for example, will result in dramatic growth in IT products in some areas and in significant reductions in other areas. In general, assets will be utilized with greater efficiency, and we are assuming that the overall effect on market growth will be neutral. We also recognize that there is considerable upside potential for higher growth."

The two biggest IT budget categories are software (which is poised to grow by fully 10 percent in 2008) and IT services (with an estimated 9.4 percent growth). This isn't surprising, according to Gartner, which concluded that the IT services sector actually benefits from ongoing innovation in software technology -- i.e., new software typically requires labor-intensive services to implement.

"Most companies updated their software systems during the period 1997 through 2001, so we are in the middle of an upgrade cycle that should extend past the end of this decade," said Joanne Correia, managing vice president at Gartner, in a release.

"However, the replacement of systems does not automatically equate to new software market growth," she continued, citing the growth of Software-as-a-Service (SaaS), cloud computing, SOA, Web 2.0 and open source software as particularly disruptive technologies. "Many of these factors are impacting market growth as enterprises replace assets with per-use services."

According to Gartner, most of today's IT spending gets funneled toward services rather than discrete products. It's a trend that's only going to get more pronounced over time.

"Spending in IT services is being supported by two main factors," said Kathryn Hale, research vice president at Gartner, in a statement. "Businesses are investing in improvements to internal processes aimed at reducing costs, while often maintaining some of the prior interest in innovation. The second factor is that globalization allows IT services providers to mitigate the risk of weakening demand by operating in more markets."

On the hardware side, sales of PCs are fueling most of the growth. Currently, PC revenues account for about 60 percent of total hardware spending. What's surprising, according to Gartner, is that PC sales should continue to soar -- in spite of disruptive technologies such as virtualization and Web 2.0 -- with no let-down in sight.

"The market growth outside of the U.S. and the effects of the weak dollar are major factors in growth in U.S. dollar terms. In addition to regional shifts, a strong shift to mobile PCs is occurring," Tully said.

MatrixStore 2.1 - hardcore video archiving for pros
IT Cost Cuts in 2008 May Be a Trend, Study Says
NPD Reports Nintendo’s Solid U.S. Sales for February

Security Software: How Suite It Is

The writing's on the wall, it seems, for purveyors of security point solutions. Gone is the day of the best-of-breed anti-virus, firewall, e-mail security or encryption vendors. These days, it's a security suite play.

Late last month, Sophos Plc. -- a vendor that first cut its teeth (and made its name) as a purveyor of anti-virus software -- spent almost $340 million for Ultimaco Safeware, a specialty provider of endpoint protection technology. Analysts say the move is consistent with Sophos' strategy of diversification -- namely, away from its anti-virus roots and toward security suite-dom -- and of a piece with a general industry trend.

The important point, according to industry watchers, is that customers want integrated and highly manageable security tools. A smorgasbord of best-of-breed tools is no longer enough.

It's been a long time since Sophos was just an anti-virus vendor. Today, it markets anti-virus, anti-spyware, anti-spam and Network Access Control (NAC) offerings for a variety of devices. Prior to the acquisition of Ultimaco Safeware, however, Sophos didn't have a completely coherent endpoint security strategy.

Ultimaco Safeware gives it that, just as past acquisitions -- including ActiveState and Endforce -- gave Sophos credible e-mail security and NAC technologies, too.

More importantly, it helps Sophos keep up with other security suite players. "This is an industry-wide trend, with enterprises trying to rationalize the endpoint security products and management consoles they use and endpoint security providers offering more than AV capabilities to remain competitive," wrote Gartner analysts John Girard, Arabella Hallawell and Eric Ouellett in a recent research bulletin.

Once Sophos successfully integrates the Ultimaco Safeware assets, it will be able to tout a coherent, credible suite offering of its own. That could invite other challenges, however. "[Sophos] will...own a suite of technologies that addresses broad end-user data protection needs," the Gartner trio wrote. "Sophos will have to work hard to ensure that this premium-priced deal pays off in the long term. The mobile data protection market is growing fast compared with traditional end point security, and with higher price points. But mobile data protection's higher price points will likely decrease substantially as encryption functions are bundled into endpoint suite licenses."

There's a sense in which Sophos' move will also compel its competitors to sit up and take notice. At least one of Sophos' competitors -- Trend Micro -- has an existing relationship with Ultimaco Safeware. "Moreover, AV providers including Symantec and Trend Micro will likely accelerate their encryption end point strategies, partly due to pressure from this acquisition," the analysts wrote. "The Sophos acquisition will likely eventually terminate Ultimaco's relationship with Trend Micro, under which the two companies have used each other's data loss prevention...and encryption technologies."

There's also the question of integration: Like many of its competitors, Sophos has cobbled together its security suite by dint of acquisition. A flesh-out-by-acquisition strategy places a premium on integration, and it may be difficult to integrate and and reconcile three separate technology pedigrees (ActiveState, Endforce and now Ultimaco Safeware).

"Despite the ongoing convergence in these markets, enterprise IT buyers should not expect a rapid integration of newly acquired products into mature product releases," the Gartner trio wrote. "Providers have generally been slow to integrate new technologies so that they can be actively managed by AV/endpoint security consoles."

Skype won’t say if it decrypts VoIP calls
Cloud Computing To Bring Security App Shift, Report Says
PC Tools launch iAntiVirus beta

Monday, August 25, 2008

Browser Security Gets Focus in ZoneAlarm 8.0 App

Check Point Software Technologies today released a new solution to address Internet security woes. The company unveiled Version 8.0 of its ZoneAlarm Internet Security Suite for detecting browser threats.

John Gable, Check Point's ZoneAlarm product manager, stressed the problem of Internet security above all.

"It's not as important for people to fall in love with the product as it is for them to know that browser security is becoming increasingly important, with more than a third of attacks coming via the Internet," he said in an interview with "I think what separates us though is that we're a lot more paranoid, if you will, at the security level and I think this product will reflect that."

Gable cites ease of use and processing speed, as well as the new ZoneAlarm's boot protection that activates detection mechanisms as the system powers up to stave off dormant exploits. The product also includes antivirus protection and soft and hard firewall functions.

The company is marketing its ZoneAlarm Internet Security Suite as something for use by enterprise professionals when automated exploits get past other security products.

Gable believes that a systemic problem in the IT security community is that endpoint security is not tested well. The lifecycle and value of security fixes, as well as the lifecycle and risk of exploits, have not been thoroughly considered.

The new release can complement Microsoft's current and upcoming versions Internet Explorer browser programs from a security perspective, Gable said.

"IE is a trusted application [and] therefore a very common vector, but, because parts of its code are built into the OS, once you hack into IE, you can do anything you want," he said.

In early July, ZoneAlarm users experienced interoperability problems with Windows-based systems, although Check Point promptly issued a fix. At the time, users had Internet log-on problems after applying a Microsoft Windows domain name system (DNS) patch.

Check Point subsequently offered Windows users free downloads of full versions of ZoneAlarm ForceField, a virtual browser security app. ForceField will be integrated into the Internet Security Suite for commercial use in the fall.

Phishing scam targets MobileMe users
Windows DNS Patch Strands ZoneAlarm Users
Apple fixes Safari ‘carpet bomb’ bug
Microsoft’s DNS Fix Leads to More Problems

Citrix XenApp 5.0 Adds New Features, Ramps Performance

As the market for hosted desktop and application virtualization heats up, Citrix Systems has upped the competitive ante by adding a new set of performance-related features to its flagship XenApp product, formerly known as Presentation Server.

XenApp is an application virtualization product for Windows desktops enabled by centralized servers in the data center. The solution can work on premise but is also optimized for remote access and branch office deployment. XenApp 5 is integrated with another product, the Citrix Branch Repeater, which accelerates application delivery for those remote locations.

Since XenApp is network-dependent, a key challenge for vendors in this market segment is to continually upgrade performance and improve both response and start-up times associated with specific applications. According to Bill Hartwick, Senior Director of Product Marketing, XenApp 5 offers a number of new features designed to optimize both.

Other announced enhancements include an improved load-balancing capability for prioritizing server resources and a feature called Linked Profiles which Hartwick says reduces application packaging and maintenance costs by allowing isolated applications to communicate. In addition, simulated application sessions can be now initiated by admins to test transaction time under different network and workload conditions.

XenApp is a key component of the Citrix Delivery Center, an end-to-end product portfolio which also includes XenDesktop, XenServer, and an array of WAN optimization products. XenApp 5 will be available in early September. Per CCU pricing is $350 for the Advanced Edition, $450 for the Enterprise Edition, and $600 for the Platinum Edition.

Microsoft Virtualization Launch Planned for Fall 2008
Cover Stream 2.2 is available now
Citrix To Enhance Virtualization Interop

Vista Ramp Up Is Happening Now, Study Says

Businesses may have been slow to adopt Microsoft Windows Vista, but expect that to change by late 2008 to 2009, according to a Forrester Research report led by Benjamin Gray, published last week.

The new report, "Corporate Desktop Operating System Trends, Q4 2007 Through Q2 2008," takes a slightly more favorable view of Microsoft's flagship operating system than a previous Forrester report on the subject by Thomas Mendel. Forrester's earlier report said that Vista had been "rejected" by the enterprise crowd.

The new desktop report suggested that foot dragging on Vista by businesses had come about from factors such as the economy, "Vista's perception problems" and past incompatibilities. Those issues will diminish with time, making 2009 "a big year for change," the report predicts.

The study found an indication that businesses are already shifting to Vista. For example, conversions from Windows XP to Windows Vista are on the rise, from five percent in 4Q 2007 to 8.8 percent in 2Q 2008. The study called that finding "a new trend." Previously, Vista upgrades were associated mostly with "Windows 2000 shops."

IT administrators should move to Vista for security reasons. They also need to stay current with software lifecycles and aim for compatibility targeting Windows 7, Microsoft's next-generation operating system, the report concludes.

Some IT administrators may be talking about waiting to upgrade until Windows 7 makes its appearance, estimated at around 2010 or so. However, the report's authors recommend against doing that.

"IT managers must stay the course and migrate to Windows Vista sooner rather than later," the report states.

That conclusion echoes a previous Forrester report by Gray et al. called "Building the Business Case for Windows Vista."

The desktop report had a few good words to say about enterprise use of Apple's Macintosh OS. It found Mac OS use rising from a 3.6 percent in Oct. 2007 to 4.5 percent in June 2008. The study's authors concluded that Apple gained success in the enterprise "without even trying to break into the market."

That said, Microsoft Windows still held 94.9 percent of the market, and Linux tanked at just 0.5 percent, according to the report.

Forrester's desktop report was based on "more than 50,000 clients" connecting to Forrester's Web site. To get the complete report, go here.

Enterprise Adoption of Vista at ‘Single Digits,’ Report Says
Forrester: Vista rejected like ‘new Coke’ by enterprises
The Mojave Experiment: A Vista Love Fest

Saturday, August 23, 2008

Small Business Server 2008 Hits Metal

Microsoft on Thursday released Windows Small Business Server 2008 (SBS 2008) to hardware manufacturers, with an eye toward achieving a full product launch on November 12. The release was slightly ahead of the September RTM date predicted at the July Microsoft Worldwide Partner Conference in Houston.

The new server offering is part of the Microsoft Windows Essential Business Server 2008 product line. It's an integrated server offering that encompasses a number of Microsoft technologies, including Windows Server 2008, Exchange Server 2007 and SharePoint Services 3.0. It also includes security and online apps.

SBS 2008 will be sold in two editions, Standard and Premium. The Premium Edition adds a second Windows Server 2008 to the mix, plus a copy of SQL Server 2008.

Microsoft produced the Premium Edition to meet the line-of-business demands of customers and partners, explained Joel Sider, senior product manager of Microsoft's Windows Essential Server Solutions, in a July interview.

SBS 2008 is designed for businesses with up to 75 users and perhaps little to no internal IT support. Microsoft's large community of partners will play a big role in providing support for the product.

SBS 2008, formerly code-named "Cougar," is essentially new technology. It was "rebuilt from the ground up," according to Microsoft's official blog. Microsoft's earlier product, SBS 2003 R2, is about six years old and based on 32-bit technology.

When released in the fall, SBS 2008 will be available only as 64-bit technology. Microsoft is claiming a number of improvements in the product, including easier setup and administration, faster backups, improved remote access, and more flexible licensing. Each edition of SBS will include five Client Access Licenses (CALs). Customers can buy additional CALs, as needed, when they add users or device connections to SBS 2008.

Hardware makers currently planning on integrating Microsoft SBS 2008 into their product lines include Dell, Fujitsu-Siemens, HP and IBM, among others.

Microsoft Changes Virtualization Licensing Rules
Partners: An ‘Essential’ Element in Microsoft’s SMB Plans
When Vista sales aren’t Vista sales
IceWarp Server 9.3 adds iPhone web interface

Red Hat Hacked, Company Issues Security Advisory

In a sign that hackers have no problem taking advantage of open source solutions, Linux-based product distributor Red Hat issued a "critical" security advisory on Friday, saying that its servers had been compromised.

In the advisory, Red Hat warned that hackers had somehow taken control of its systems by tampering with code. The attack was discovered last week. The intrusion was not systemic and didn't affect the company's content distribution programs. Consequently, malicious code was not uploaded to users of Red Hat's products.

There were early indications that something might be awry on the week of August 12, when scattered reports indicated that Red Hat's flagship Fedora OS was rebooting continually, causing intermittent outages. The culprits have yet to be identified.

The hackers got hold of a small number of OpenSSH packages relating only to Red Hat Enterprise Linux. OpenSSH, or Open Source Secure shell, is a set of programs that provide encrypted code transference over a network using secure shell protocol. OpenSSH is a free software alternative to a commercial solution produced by Finish IT company SSH Communication Security, which patented the SSH protocol technology.

Security experts say that this hack has lasting implications for the Linux movement and open source security.

"It's true that hackers can and will take advantage of a development and distribution program that's not like Windows," said Reuben Davis, a consultant for Affiliated Computer Services, a large IT services outsourcer. "Intruders capitalize on the geek factor of Linux and there are no licensing restrictions or elaborate security programs backed by big R&D teams; it's an anonymous community."

Microsoft Security Engineer Robert Hensing weighed in on the Red Hat security problem in his blog on Friday.

Hensing said he couldn't "imagine what the fallout would be" if programs such as Windows Update and Automatic Update servers "got pwnd [owned] like [RedHat]." 

"It's like the package signing server and stuff….[Red Hat] seems to be doing the right thing and are going to issue new signing keys etc. and will hopefully revoke the old ones," he added.

DSA 1576-2: New openssh packages fix predictable randomness
Word 2002 SP3 Subject to Remote Attacks
Tuesday Patch Cycles To Include Risk Assessments

Report Outlines SMB SaaS Strategies for Vendors

Software as a service (SaaS) for the small to medium-size business (SMB) market has opened potential opportunities for vendors, and a report released last week by Forrester Research offers some advice for gaining entry.

The report, "Forrester's SaaS Maturity Model," describes a six-step approach to help service providers and independent software vendors (ISVs) assess their SaaS business goals and technical means of achieving a successful SaaS business.

SaaS is going global. Forrester says that North America has the highest adoption rates, the Pacific Rim has the most pilot projects and the European business community has shown significant interest in SaaS. The most notable success for SaaS has been in providing customer relationship management apps to SMBs, such as those provided by However, other hosted apps may gain momentum.

Forrester's SaaS Maturity Model describes levels of sophistication of hosted services. It provides tips for making business and technical assessments, with basic questions such as "Who does what for whom?" and "What is the approach for customizing processes, data and user interfaces?"

The maturation range of the Forrester model is from 0 to 5, with 0 being a simple outsourcing of an application by a single enterprise customer. A level 0 operation is not considered to be a true SaaS implementation, according to Forrester's definition. Level 5, at the top, relates to dynamic service applications with a "build for change" approach to application development. By contrast, Forrester puts's initial CRM operation at level 3.

The SaaS Maturity Model aims to match the technical foundations of the service provider or ISV with its business goals. The report warns that "targeting the highest maturity level is not necessarily the best fit for every vendor."

The Forrester SaaS Maturity Model can be accessed here.

Service Level Agreements Too IT-Centric, Forrester Report Warns
Cloud Computing To Bring Security App Shift, Report Says
Quark launches extensive online help resource
Forrester: Vista rejected like ‘new Coke’ by enterprises

Wednesday, August 20, 2008

Microsoft Details SharePoint-SQL 2008 Integration

Microsoft really wants SharePoint users to upgrade to SQL Server 2008, which was released to manufacturing on August 6. Yesterday, the company's SharePoint hosting and development blog pointed out that IT admins don't have to wait for the documentation to do so.

IT administrators typically look for Microsoft's "supportability statement" document before performing system upgrades. The document for Microsoft Office SharePoint Server (MOSS) 2007 is currently available, and it includes information about upgrading to SQL Server 2008 that was published on July 31.

The document describes MOSS 2007 hardware and software dependencies, along with precautions on upgrading from SQL Server 2005 to SQL Server 2008. For instance, you need to have the latest SharePoint service packs in place before installing SQL Server 2008.

"Office SharePoint Server 2007 supports SQL Server 2008," the document says. "However, you must install Windows SharePoint Services 3.0 SP1 or later and Office SharePoint Server 2007 SP1 or later before you install SQL Server 2008."

IT admins have to download and run the setup program, as well as "the SharePoint Products and Technologies Configuration Wizard," to perform the MOSS 2007 SP1 install.

The SharePoint Hosting and Development blog provides some upgrade tips and suggests that the "upgrade from [SQL Server] 2005 to 2008 is a pretty simple process." IT admins will have to install ".NET 3.5 SP1 and hotfix KB942288-v4" first in order to move to SQL Server 2008.

Microsoft's blog provides a list of features describing why IT admins should upgrade, but most of the benefits seem to apply just to improvements in SQL Server 2008. One potential benefit is data compression, which can be automated by default. Compression can reduce your backup size, although SharePoint stores data in the binary large object (blob) form, which doesn't compress as well as other data types.

"That said, you can probably see up to 30% [size reduction] on your blob-laden content databases and perhaps 90-95% on your other databases," the blog estimates.

Other improvements include a Resource Governor for SQL Server maintenance and administration, although the blog cautions that it "should not be used to control SharePoint's usage of SQL."

Those interested in Microsoft's supportability statement for MOSS 2007 -- which goes by the descriptive title, "Determine hardware and software requirements (Office SharePoint Server)" -- can access it on Microsoft TechNet here.

EU to probe Microsoft’s ODF move
Microsoft Launches Free Collaboration Tools for Researchers
Nintex Offers Reporting Solution for SharePoint
Apple ships massive Mac OS X 10.4 security upgrade

DNC To Feature Microsoft Tools

The Democratic National Convention in Denver next week will no doubt be filled with the usual politics, patriotism and speeches. But this year's convention will also offer up something new: a series of products from Microsoft designed to make this cornerstone of the political process more accessible.

Microsoft was approached in June 2007 by both the Democratic and Republican national committees to develop an infrastructure for the parties' conventions. Both convention committees had the goal of using innovative technology to, in effect, "tear down the walls of the convention centers," said Joel Cherkis, general manager of government solutions for Microsoft.

The Democrats' convention committee initially had "very standard requests," Cherkis said. They wanted e-mail, content collaboration, Web conferencing, instant messaging and videoconferencing.

They also needed an infrastructure that would be able to handle a surge in staff 30 to 60 days before the convention began, he said.

Once the infrastructure was in place, Microsoft focused on adding more innovative components that would open up the convention to the world outside Denver's Pepsi Center, Cherkis said.

The Democrats will use Microsoft's Silverlight to stream the convention proceedings onto the Web. NBC used Silverlight for similar purposes for the Olympics this summer at It requires users to download a small plug-in, similar to the Adobe Flash player, Cherkis said.

Silverlight can adapt video quality based on the bandwidth available, Cherkis said. "People in network-constrained environments can still get a rich video stream without having to pause for buffering," he said. Microsoft partnered with Level 3 Networks to provide the streaming technology for Silverlight.

This will be the first convention to offer streaming high-definition video "gavel to gavel to anybody with Internet access," Cherkis said.

Microsoft is also introducing Surface, a combination of hardware and software in a 30-inch tabletop device with a touch interface. Microsoft Surface will function as a sort of digital concierge, Cherkis said, and will show users transportation routes and hotel and restaurant information. It will also provide information and images from past conventions that have been made available by the Library of Congress, he said.

"We found that people tend to gather around the device," he said. Microsoft will install Surface units in high-traffic areas around the convention hall.

Microsoft also developed other applications for the convention, including a delegate tracking system, a delegate voting system and a credentials management system, as well as a podium operations system which will store information on speakers, bios and speeches.

The company is working with the Republican convention committee to develop a similar infrastructure. More information is available here.

Microsoft joins E For All 2008
Microsoft Highlights First Unique Windows 7 Feature: Pervasive Multi-Touch

Microsoft-Novell Linux Deal To Grow by $100M

Microsoft plans to pour an additional chunk of money into its business and open source technology collaboration with Novell, according to an announcement issued by the companies today. The deal calls for Microsoft to buy $100 million more in support certificates for Novell SuSE Linux Enterprise Server. Microsoft's expects to have the new investment in place by Nov. 1, 2008.

The certificates are sold to companies and provide Novell's integration support, assuring the interoperability of Novell's open source Linux system with Microsoft's proprietary Windows Server. The deal furthers a near two-year-old arrangement between the companies that protects Microsoft's intellectual property while fostering product interoperability.

The two companies are targeting large businesses that run heterogeneous computing environments. In those environments, open source servers may need to work with Microsoft's solutions, or the companies may lack the expertise to add open source solutions on their own.

Microsoft's investment expands an initial five-year deal with Novell that was announced in November of 2006. At that time, "Microsoft purchased $240 million of Novell certificates," according to Microsoft's announcement. About 65 percent of those certificates have been sold thus far.

In addition to assuring interoperability, Microsoft emphasizes its own intellectual property (IP) protection in its collaboration with Novell. Customers can be assured of not being sued by buying the certificates, which Microsoft calls "IP peace of mind."

"Our increased investment in the relationship with Novell is intended to give these customers and partners the best possible Windows-Linux interoperability solution, while also extending their existing Windows Server investments and helping to give them IP peace of mind," explained Kevin Turner, Microsoft's chief operating officer, in a prepared statement.

Microsoft agreed not to sue Novell over alleged Linux patent violations when it initially announced its collaboration arrangement with the company in a deal that is still highly controversial. A Microsoft executive later told Fortune magazine that open source software violated 235 of Microsoft's patents, causing much outrage among the open source community. Subsequent to its Novell deal, Microsoft cut similar intellectual property deals with other Linux vendors, including Xandros, Linspire and LG Electronics. However, some Linux vendors fought back.

Microsoft has been trying to be more accommodating with other software vendors -- at least in terms of enabling interoperability. In February, Microsoft issued its general interoperability principles and released some of the protocol documentation needed to create application programming interfaces between Microsoft and non-Microsoft software products. However, Microsoft still protects its intellectual property in ways that do not suit some open source licensing, such as the GNU General Public License.

Novell and Microsoft's collaboration gained steam back in September of last year, when the two companies opened an Interoperability Lab in Cambridge, Mass. The lab provides an enterprise-like environment to test a mixture of technologies. The companies currently are working on projects encompassing virtualization, systems management, identity federation and document format compatibility using open source solutions and standards.

Run Linux in Windows
Microsoft Joins Apache Software Foundation

Microsoft's Dhillon Joins TASER

In what might seem to be a shocking business move, Jas Dillon, former head of business development and M&A at Microsoft, has been named chief strategy officer and general manager of the new TASER Virtual Systems Division.

A former CEO and Fortune 100 mogul, Dhillon will oversee "all new product and business development" for TASER International, according to an announcement issued yesterday by the Scottsdale, Ariz.-based maker of electric stun devices. Dhillon will be in charge of enhancing the company's strategy and growth plans.

TASER doesn't consider its devices to be "simple weapons," according to company spokesperson Hilary Gibeaut. They have networking capabilities too.

"Every device we make is a microprocessor-controlled device, capable as serving as a node on a network," she said. "Our devices generate information about how they are used, and many of our new devices can be remotely activated by a local user, or a user over a network. To truly take advantage of these capabilities, the software infrastructure becomes the glue that ties the hardware together. Think of the iPod/iTunes ecosystem that Apple has developed."

Dhillon will work on a number of TASER product lines. One of them is TASER AXON, which Gibeaut described as "a tactical networkable computer that combines advanced audio-video record/capture capabilities with tactical communications." AXON is worn by public safety personnel and first responders to record event communications including radio and video.

Another project is TASER XREP, a microprocessor-controlled electronic projectile that can maximize incapacitation from long range. In addition, Dhillon will oversee the development of several unnamed, unannounced products in TASER's evolving product line.

"As our emerging technologies gain greater communication and computational capabilities, the development of sophisticated software architectures and a fully integrated product roadmap are imperative strategic initiatives for TASER International," said TASER Founder and CEO Rick Smith in a prepared statement.

Dhillon served as a senior executive at Microsoft and was a key part of the software giant's "transition to a software plus service business model," according to TASER's press release. He also led a team responsible for "business development, strategy, product innovation and mergers/acquisitions for Microsoft Office Live."

When Vista sales aren’t Vista sales
Microsoft Releases SQL Server 2008 to Manufacturing, IT Pros
Nintex Offers Reporting Solution for SharePoint

Vulnerability Management Needed for Security, Study Says

Companies can avoid attacks and minimize security cost overruns by practicing IT vulnerability management, according to a July study published by the Aberdeen Group. The study presents solutions for IT pros, helping them prioritize their patch management strategies for operating systems, applications and network security frameworks.

Ignoring the issues won't work, according to Derek Brink, author of the study and vice president and research fellow for IT security at the Boston-based Aberdeen Group.

"Unfortunately, each week brings a new wave of threats and vulnerabilities to be managed," Brink said. "Ignoring or deferring patches for known vulnerabilities is not a responsible strategy, nor is it reasonable for most companies to disconnect their business from the Internet. So managing vulnerabilities simply has to be done."

Aberdeen's study -- titled "Vulnerability Management: Assess, Prioritize, Remediate, Repeat" -- describes what some respondents are doing to foster an effective vulnerability management program.

The "best-in-class" firms described in the study shared several common characteristics. For example, 70 percent of respondents in this category have consistent policies for managing patches and vulnerabilities. Moreover, 67 percent say they monitor external sources for vulnerabilities, threats and remediation tactics. Lastly, 93 percent of those polled maintained an inventory of all IT assets, along with conducting regular patch scans.

For every dollar invested in vulnerability management programs, companies can avoid $1.91 in vulnerability fix-related costs, for a marginal return on investment of 91 percent, according to the report.

The report suggests four essential steps to implementing a vulnerability management program that pays off.

The first step is to understand the computer processing environment -- how it works, what IT assets are essential and what threats pose the greatest risk to the organization.

Second, prioritization is important. IT pros should maintain a constant inventory of all IT assets, along with a database of known vulnerabilities and fixes. Run an initial risk assessment. As with Patch Tuesday hotfixes, know what requires the greatest attention and what's critical versus important.

Third, the report recommends that a good way to preemptively fix problems as well as plug holes is to test fixes, patches and repairs after installing software upgrades. This process is called remediation. IT pros suggest remediation should be automated, wherever possible, with manual oversight of test results conducted by trained employees.

The last step is to repeat steps one through three and then monitor the results. Companies should review the success of the remediation and create a report for auditing and compliance reasons.

When asked about Microsoft's recent appeal to its tech peers, channel partners, security vendors and academia to collaborate on security initiatives, Brink said the move underscores the need to increase the efficiency and effectiveness of an important, never-ending task: security.

"It's a task which is consuming far too high a percentage of limited IT resources," Brink said. "The fact that leading vendors are calling for collaborative, industry-wide frameworks to address threats and vulnerabilities is strong evidence of the level of pain being expressed by their top customers in this area."

Brink added that security pros can expect that their vendors will work to address the pain in the near term through individual point solutions. In the longer term, vendors will work through broader, standards-based approaches that reach across the technology communities.

Apple finally patches dangerous DNS flaw
Tuesday Patch Cycles To Include Risk Assessments

Microsoft Unveils 'Ultimate' Support Service

Microsoft today rolled out the highest level of its enterprise support programs to date, adding a new offering called "Microsoft Services Premier Ultimate." The offering builds upon the company's existing Premier services program.

Ultimate has much the same support elements as the Premier program, which is described here (PDF). One difference is that Ultimate provides "pre-agreed proactive services -- with unlimited problem resolution support" for a fixed price, according to a press release issued by Microsoft.

However, the so-called unlimited problem support is not without a hitch. Microsoft's announcement states that it "may be subject to restrictions," without elaborating.

The Ultimate support package contains basic features in Premier, including "proactive IT health assessments" plus account management -- all on a 24-hours, seven-days-a-week basis.

In general, Microsoft's support programs have four components to them, according to Paul DeGroot, senior analyst at Kirkland, Wash.-based Directions on Microsoft. One of them pertains to break-fix issues. Another is proactive advisory support, where nothing is necessarily broken but you want it to work better. A third is called account management in which a person is on the case and can escalate the problem. The last component is do-it-yourself assistance, including Web support through TechNet and Microsoft Developer Network.

Premier programs mix these components, depending on customer need, he added.

"In the case of Ultimate, it is trying to shift the customer -- from a situation where they are calling for a lot of break-fix support to the advisory support where they are improving the quality of their IT systems so that they don't break as frequently," DeGroot said.

"There's kind of a deal here," he added. "Microsoft is saying you'll get unlimited break-fix support -- in other words, in Standard Premier there's some form of limit, there's a certain amount of hours or certain number of incidents -- we'll let you buy unlimited amount of support incidents so you don't have to worry about that, but we're going to give you lots of advice on how to stop your stuff from breaking in the first place."

The idea of Ultimate is that it will eventually reduce Microsoft's service calls, especially as things get executed better, he explained. DeGroot said that Ultimate is a program typically aimed at larger companies involved in e-commerce or finance operations, where "they count hours of downtime in millions of dollars per month."

Microsoft essentially conceives of its Ultimate program as a kind of risk assurance program.

"Customers told us they wanted risk reduction, support planning simplification and easy administration in an increasingly complex IT environment,” explained Luca Barone, general manager of support and health offerings for Microsoft Services, in a prepared statement.

Microsoft provided no details on cost or availability of the Ultimate offering. Ultimate contracts and pricing are all "custom designed," according to an article by veteran Microsoft watcher Mary Jo Foley.

Microsoft's vast partner community does not offer Premier or Ultimate services, which are delivered by Microsoft's own engineers.

Yahoo: Burn your DRMed tracks to CD now
Microsoft Rolls Out SP1 for .NET and VS 2008
Microsoft Offers Vista Support to Small Businesses

Microsoft Changes Virtualization Licensing Rules

Microsoft has made substantial changes to its virtualization licensing program, changes that will lower the cost of using virtualization for many customers.

In a document released yesterday, Microsoft relented on a key issue that should ease the financial burden of virtualization: the 90-day license transfer restriction. Under that rule, a program, such as Exchange Server, could be moved from one physical server to another, but could not be moved again for 90 days without paying an additional license fee for the new host server.

In effect, it meant that companies with two or more servers could not move Microsoft products to different servers without buying a license for each server. With virtualization, programs are moved around frequently, so the 90-day restriction was a stumbling block to adoption of Microsoft virtualization technologies.

Under the new program, licenses are able to traverse multiple servers, instead of individual ones. Microsoft explains in its document (all emphasis in original):

"Effectively, the changes mean instead of counting instances or processors and licensing by server, you are able to count instances or processors and license by server farm."

"Instances" means single copies of a program. With that block removed, companies may be more willing to try Hyper-V, Microsoft's new hypervisor that was released to the public in June.

The changes aren't all-encompassing, however. For example, the new rules only affect customers with Volume License agreements; since those agreements are for companies that have a minimum of five copies of a product, many small and medium-sized businesses, that don't need multiple copies, can't take advantage.

There are other restrictions, as Microsoft details:

This change does not apply to software licenses for the Windows Server operating system, Client Access Licenses (CALs), or Management Licenses (MLs).

This means that if you want virtualized instances of Windows Server 2003 or Windows Server 2008, for instance, you will likely have to pay for each server that may host the OS, assuming that the OS may move around.

Chris Wolf, a Burton Group analyst and columnist for Virtualization Review magazine, says in a blog entry that the changes are good, but they could have gone even further: "I think many enterprises will appreciate the application licensing flexibility that [Microsoft's] policy change has provided. Still, let's not forget about the small IT shops that do not have volume licenses...why restrict server OS mobility? Lifting the 90 day licensing transfer restriction across all product lines is simply the right thing to do."

The licensing changes go into effect Sept. 1.

Installing And Using OpenVZ On Fedora 9
Installing And Using OpenVZ On CentOS 5.2
Microsoft Virtualization Launch Planned for Fall 2008

Nintex Offers Reporting Solution for SharePoint

In early August, Bellevue, Wash.-based Nintex rolled out a solution for those concerned with governance in Microsoft Office SharePoint Server and Windows SharePoint Services 3.0 environments. The new Nintex Reporting 2008 product promises a glimpse under the SharePoint hood, providing business intelligence reports on system usage via graphical dashboards.

According to an August 8th press release, "Nintex [Reporting] 2008 collects and analyzes SharePoint site structure, content, and usage data for adoption monitoring, capacity planning, and a variety of other governance applications."

SharePoint provides a means of collaborating and sharing documents across an enterprise. By helping with governance, Nintex Reporting 2008 aims to assist CIOs and IT administrators with SharePoint resource planning. However, having effective governance capabilities in place can also help with SharePoint development strategies.

For instance a Forrester Research study indicated that "developmental governance is crucial to success" in application development for SharePoint, according to John R. Rymer and Rob Koplowitz in "Now Is The Time To Determine SharePoint's Place In Your Application Development Strategy."

SharePoint has gained traction in the market lately with business users. The product competes with front runners such as Vignette, Plantree (portals), Lotus Notes and Domino, according to Forrester.

Nintex Reporting 2008 installs and configures with a Web browser that points to 75 out-of-the-box interactive charts and graphs. The company claims that Nintex Reporting 2008 is extensible and minimizes the impact on the SharePoint environment.

A demo of Nintex Reporting 2008 online and a trial version of the software can be accessed here.

Solar power solution for modern Apple laptops ships
Microsoft Expands SharePoint Learning Kit, Partners With Houghton
Open Source: A ‘Growing Challenge’ to Microsoft
Singapore Airlines offers iPod, iPhone integration

Monday, August 18, 2008

Microsoft Extends Exam Retake Offer to June 2009

The Microsoft Learning Group has extended its popular "Second-Shot" exam retake program. According to information posted on the Microsoft Learning Web site, the program this time will continue until June 30, 2009.

The exam retake program provides MCP test takers with a second chance to pass a failed exam, and can be taken once for every paid exam. Test takers must register prior to taking an exam in order to obtain an electronic voucher for an exam retake if the tester fails an exam.

Exams and exam retakes can only be done through Microsoft's testing provider, Prometric. Any MCP or Dynamics exam can be retaken. (Exams taken in beta do not qualify for this program; as well, academic versions of the exams prefixed with a 072 don't qualify for this offer.)

Microsoft has run the exam retake offer several times in the past; the most recent program concluded on June 30, 2008.

To find out more and to register for the exam retake program, go here and here.

Microsoft Extends XP Home Licensing to Include Nettop Devices
33 Million Licensed Americans May be Unfit for Roads
EA extends deadline for Take-Two acquisition

Cisco and HP Partner for UC

Cisco's relations with the world's largest technology vendor, Hewlett-Packard Co., have been somewhat nebulous, notwithstanding the "strategic relationship" that both companies notched back in 2002. There's a reason for that. In spite of a few noteworthy cases of collaboration, Cisco and HP also compete in the enterprise networking segment, where the latter company's ProCurve division has tried to chip away at Cisco's dominance.

Given HP's size and technology heft, however, there's bound to be ample opportunity for partnering. Both companies demonstrated as much recently, when Cisco unveiled a partnership with HP to push its unified communications (UC) products to global customers.

The term "partnership" in this context is more than a buzz word, too: Cisco and HP pledged to develop joint training programs for their respective employees, as well as collaborate to engineer global marketing and sales programs.

According to Cisco officials, it's a no-brainer move, given HP's extensive reach. Two years ago, after all, Hewlett-Packard surpassed IBM to become the world's largest technology vendor.

HP has since notched a couple of important milestones, in 2007 becoming the first technology vendor to crack the $100 billion mark, and just three months ago picking up services giant Electronic Data Systems (EDS).

"Many of our customers have trusted relationships with HP for managing a wide array of unified communications and other applications," said Rick McConnell, vice president of Unified Communications Market Development for Cisco, in a statement. "Cisco is committed to working closely with HP to provide our mutual customers more integrated, adaptive collaboration solutions that meet their specific business needs today and tomorrow."

So just what do Cisco and HP have in mind? Call it hand-holding, UC-style. HP services personnel will be trained to help customers identify appropriate UC starting points -- as well as ideal UC solutions -- to achieve particular business results. In addition, officials said, HP services folks will be trained in deploying, managing and supporting integrated HP and Cisco UC solutions.

HP officials, for their part, position the accord as HP covering its bases, so to speak. The technology giant has global strategic alliances with both Cisco and Microsoft, after all, and also integrates Microsoft-based UC offerings. (Microsoft's UC stack is second only to Cisco's, according to market watchers)

"Companies are increasingly transforming their communication and collaboration environments to speed decision making and lower costs. They need to do this without diverting valuable technology resources and driving up operational expenses," said Dan Socci, vice president of network solutions for HP. "HP works with industry-leading unified communications technology providers such as Cisco and Microsoft to provide solutions tailored to meet the specific needs of customers."

Quark launches extensive online help resource
WNS Acquires Aviva India BPO Arm
Unisys Offers Free Unified Communications Trial

Survey: Cisco's VoIP Execution a Mixed Bag

The good news for Cisco is that a recent survey of service provider customers has named it one of the top five voice-over-IP (VoIP) vendors in the industry, along with rival Alcatel-Lucent and VoIP specialists Acme Packet and Sonus.

The survey, conducted by market watcher Infonetics Research, found that Cisco is also tops in brand recognition.

The bad news for Cisco is that survey respondents familiar with the ins and outs of the different vendor offerings rated Sonus as tops in technology, product roadmap, security, management and price-to-performance.

According to Infonetics, carriers cited three over-riding technical challenges associated with their deployments: competition, migration to IMS, and reductions in capital expenditures (or capex).

"Service providers are operating in a capped capex environment now -- meaning, generally they purchase equipment only when they need it," said Stéphane Téral, principal analyst at Infonetics, in a statement. "There are some areas in which most carriers are increasing their capex, though: growth areas tied to additional revenue, such as VoIP."

Right now, VoIP is still a work in progress. The top retail VoIP service for business and residential customers alike is voice-over-broadband, for one thing. In addition, fully 40 percent of respondents won't complete their migrations to Class 4/tandem switching until after 2009. This suggests "they have enough capacity to handle international voice traffic growth," according to Infonetics.

While Cisco was tops in brand recognition, and Sonus was tops in just about everything else, respondents also singled out specialist Acme Packet. More than half (55 percent) of service providers are currently using that vendor's session border controllers.

The Gold-Laying UC Egg
Companies Ditch ATM, Frame Relay — Finally
Hotels Wi-Fi Mostly Free, Survey Shows

Sunday, August 17, 2008

Thursday, August 14, 2008

WSUS Blocking: A Real Problem, Microsoft Says

Microsoft yesterday closed its investigation into an update blocking issue, disclosed in June, that affected users of Microsoft Windows Server Update Service (WSUS) 3.0 or Microsoft WSUS 3.0 Service Pack 1. The blocking problem was relegated to client systems that had Microsoft Office 2003 installed, and it prevented those systems from getting security updates and other patches.

Microsoft's conclusion? It confirmed that the WSUS blocking issue really is a problem after all. The company recommends that IT shops affected by the problem install an update. A description of the problem and link to get the update can be accessed here (Knowledge Base Article 954960).

The update only applies to users of System Center Essentials and System Center Configuration Manager 2007. Those products are the only ones that use WSUS, according to Microsoft's Knowledge Base Article.

The fix to the blocking problem was originally provided on August 1 via the Microsoft Download Center. However, Microsoft revised its Knowledge Base Article yesterday simply to alert users that the update is now available via Microsoft Update. Those who got the update on August 1 don't have to reinstall it.

While the blocking issue seems to be a security issue, that's something that the technicians at Microsoft vigorously contend.

"In this case, Microsoft is communicating an issue that affects your ability to perform updates, including security updates," the Knowledge Base Article states. "Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security."

So it's not a software security issue in the sense of fixing software that's innately insecure. However, if left unfixed, the WSUS problem can wreak havoc by leaving Office 2003 unpatched.

Microsoft Remedies Windows Server Update Glitch
New PLAYSTATION 3 system software updates on the way
Apple ships massive Mac OS X 10.4 security upgrade

SQL Injection Attacks on the Rise

According to security researcher MessageLabs, the number of SQL injection attacks spiked sharply last month, helping account for a near doubling of the number of malicious Web sites it identified and blocked each day. This amounts to a record-high threat level, the security researcher said.

Why SQL injection attacks and why now?

"An emerging theme for threats [in July] seems to be new variations on old attack methods," said Mark Sunner, chief security analyst for MessageLabs, in a statement. "Following on from June, Web-based malware continues to be a treacherous threat and organizations would be smart to build their Web security defenses in preparation for what could be on the horizon."

If July was any indication, more SQL injection, cross-site scripting and other familiar attacks could be on the horizon.

SQL injection vulnerabilities are the very stuff of low-hanging fruit. They're almost certainly widespread, stemming as they do from design trade-offs, development deadlines, functional requirements, a lack of imagination or developer indifference.

They're also easy to test for, security experts said, in part because of a bevy of free, publicly available testing tools, including a plug-in for the popular Firefox Web browser. Consequently, researchers said, the onus is on development teams to proactively identify and patch SQL injection flaws before attackers -- using, in some cases, the same tools -- beat them to it.

"The root cause is unvalidated input, which can lead to SQL injection, among other things, including cross-site scripting, passive manipulation, and other things," said a CISSP with a prominent consulting and services firm who asked to remain anonymous. "The point is that there are tools out there [such that] if you point them to a Web site, they will try [injecting SQL into] every Web site they can find. There's even a Firefox extension."

That's part of the rub, according to this CISSP. "This is just one of several tools designed for site designers to scan their own Web sites. But that's part of the problem: It's freely available and anyone can use it -- the bad guys can use it just as easily as the developers themselves."

How does a SQL injection vulnerability become a reality? This CISSP -- who, in a former career, logged almost a decade as a software engineer -- said it's a question of dueling pressures. "Developers are under pressure to release software that fulfills functional requirements. Security requirements are generally not part of functional requirements. The No. 1 rule is to release the software that does its job by this date. If you can't do anything else, do that," he said. "The way we'd like to see development going is you'd like to have a security guy involved from the beginning. You'd like to have developers knowing or caring enough, or having time [enough], to test these things themselves."

Not that attackers are foregoing innovation altogether, of course. According to MessageLabs, spammers are ceaselessly innovative. They'd previously exploited Google's hosted applications (i.e., Google Docs, Google Pages and Google Calendar) to disseminate spam, for example. Last month, spammers were targeting Google's "Sites" feature, which lets them build URLs (derived from Web pages consisting of random letters and numbers) that are more difficult to block using conventional anti-spam tools.

"Google Sites is yet another way that spammers have programmatically defeated CAPTCHA [Completely Automated Public Turing Test to Tell Computers and Humans Apart] mechanisms, a validation technique that is designed to defend against automated sign-up tools frequently used by spammers by requiring the user to enter a string of letters," Sunner said. "While Google Sites spam accounts for only 1 percent of all spam currently, we anticipate that this technique's popularity will rival that of its predecessors, Google Docs, Calendar and Pages spam. If this is the case, then we may see spam levels increase in the months ahead."

CAL gets a visit from spammers
Microsoft Advisory Targets SQL Injection Attacks