Wednesday, December 24, 2008

SQL Injection Hits Amid the Holidays

Redmond continues to investigate a new zero-day bug affecting popular database application SQL Server.

While Microsoft spokesman Bill Sisk on Tuesday acknowledged that hackers using this exploit could gain control over an entire enterprise processing environment through this increasingly common SQL injection attack, he said Microsoft is not aware of any such incursions leveraging this particular unpatched hole.



The exploit in question is triggered through a SQL Server extended stored procedure, which serves as the entry point into the targeted system. An extended stored procedure is a mechanism by which the database interacts with the operating system through a function in a linked library at runtime. Such procedures are key to the ongoing maintenance of any SQL Server-powered database.

According to the software giant, the remote code execution exploit affects SQL Server 2000, versions of SQL Server 2005, SQL Server 2000 Desktop Engine apps and Windows Internal Database, also known as WYukon.

The recent glut of zero-day bugs for Windows products -- which includes a vulnerability for Internet Explorer that got patched last week -- has reignited debate among some security pros about disclosure of proof of concept exploits versus purposely releasing malicious bugs into the wild -- research for the common good versus research for notoriety or the sake of vindictiveness.

The SQL flaw, for which Microsoft put out the security advisory late Monday, was first made public in mid-December by Austria-based SEC Consult, whose advisory said the flaw makes it possible for hackers to target the vulnerability remotely on Web sites that link search boxes, customer databases or other Web apps to SQL Server. It was SEC Consult's report that eventually led to this patch; the independent research shop says it told Microsoft about the flaw in April and by mid-December appeared to grow weary of the software giant dragging its feet.

Lag time or not, disclosure of an unpatched flaw of this magnitude is a "no-no," according to Eric Schultze, Chief Technology Officer of Shavlik Technologies.

"This is an example of irresponsible disclosure," he said. "The person or people that found that issue did take the proper steps to report it to Microsoft; however, they grew impatient. This so-called security researcher has therefore placed thousands of servers and an untold number of persons' privately identifiable information at risk for purposes of their own popularity."

This development is particularly important to security pros because while the SQL Server injection is by itself a rather complicated vector through which to hatch a nefarious hack, a seasoned interloper could in theory use remote code execution through the embattled Internet Explorer and then deploy the SQL Server bug.

"The recent zero-day Internet Explorer bug has highlighted the large number of Web sites vulnerable to SQL injection," added Schultze. "These Web sites are now vulnerable to more serious attacks using this zero-day SQL flaw. In other words, what was bad has now become worse."

Some strides had been made toward protecting customers before this advisory. During the week of Dec. 15, Microsoft released the latest beta versions of its Code Analysis Tool and Anti-Cross Site Scripting Library for developers, a critical part of which is a tool to identify vulnerabilities to SQL injection attacks and other incursions.

Going forward, Microsoft will address the SQL issue further either through a new service pack release, another off-cycle patch release or by way of its regular monthly security rollout.

The channel through which future hotfixes or workarounds are deployed will be based on customer needs, the advisory said.




Friday, December 19, 2008

First Look: MySQL 5.1 Open Source Database

MySQL 5.1 was released by Sun Microsystems in April, but I decided to test it out this month. I downloaded the Windows version of this open source database management app and gave it a spin.

The setup script added the MySQL server component with minimal interaction on my part. A wizard helped me perform the initial configuration and define a root password. After that, MySQL was fully functional and I was able to get to work right away.



I tested MySQL with a GUI frontend. Database operations were very fast during my test run, even with my larger databases. I did not encounter any bugs or problems during the tests.

I was extremely impressed with how easy it was to deploy MySQL 5.1 on a Windows system. In contrast, installation on other platforms (such as Linux) has typically been much more difficult.

MySQL 5.1 includes extensive documentation, with a SQL language reference in addition to MySQL troubleshooting tips. The language reference is an exceptional addition to the package, since many software manuals only teach the user how to operate the software itself.

By default, MySQL 5.1 uses a command line environment for running SQL statements. SQL code must be typed directly into the terminal by the user. When SELECT and SHOW queries are executed on the command line, the data are presented in a nice tabular format. However, the layout can become distorted if your terminal window is not wide enough, since the text wraps to the next line.

Expert users may prefer the command line. Other users may wish to install a front-end, such as phpMyAdmin or HeidiSQL, which can make working with databases and tables easier. MySQL has powerful server-side and clustering functionality. However, it is also very useful on the client side for smaller applications, especially when combined with a GUI front-end.

MySQL 5.1 is definitely worth a try, with its many new features listed here. The database app works with Windows x64, Mac OS X and various forms of Linux and UNIX OSes. You can download Version 5.1 at this link.




Windows 7 Beta 1: Soon To Be Unwrapped?

The public release of Microsoft Windows 7 Beta 1 is expected next month, but speculation that it might appear earlier -- at least for testers -- popped up on Friday from a few sources. Windows 7 is currently distributed to the public only as a "pre-beta" release.

Microsoft hasn't published a public-facing timeline for Windows 7. Still, the company has already indicated that Beta 1 of the new OS will be available in mid-January for attendees of MSDN Developer Conference events.



Sleuthing by veteran Microsoft watcher Mary-Jo Foley turned up a build date of Dec. 12 for the latest version of Windows 7. Private testers currently may have that build (known as "6.1.7000.0.081212-1400") in their hands, leaving open the possibility that the beta could be accessible before Christmas, but probably just for private testers rather than the public, Foley suggested.

Microsoft isn't saying exactly when Windows 7 Beta 1 will be publicly released, but one blogger summed up the sentiment at Redmond. James O'Neill wrote that "It might be before Christmas, but then again it might be after."

Foley and others have postulated that the Beta 1 public release of Windows 7 will happen when Steve Ballmer gives his keynote address at the Consumer Electronics Association's CES event on Jan. 7.

More confusion was spawned by a Web site publishing glitch. A Neowin.net article pointed out that Microsoft added a "Download the Windows 7 Beta" link on its Windows 7 Web site (see screenshot clip below).


That link was present, but inoperable, early on Friday, Dec. 19. However, the link has since been removed from Microsoft's site. An updated Neowin article described the link's initial appearance as a "publishing error" by Microsoft.




Thursday, December 18, 2008

Enterprises Ill Served by Antivirus Alerts, Study Finds

How do you know that your antivirus (AV) program is working? A report released on Tuesday by network security firm Promisec Inc. found that AV solutions from McAfee, Symantec and CA fail to disclose when they aren't functioning.

AV software was missing or disabled at more than 25 percent of 100,000 workstations at the companies polled, as estimated by Promisec. Network administrators didn't get software alerts in those cases.



The report described some reasons for the drop-offs. Individual users disabled the programs, considering them a nuisance. In other situations, AV software was installed but not deployed.

The study's results pose a serious issue for the enterprise, according to Gary Morse, president of Razorpoint Security Technologies.

"You've got a CIO sleeping well at night, thinking everything is secure when nothing could be further from the truth," he said in a prepared statement. "New viruses come out every day, and it could be just a matter of time before a disaster occurs."

IT pros should ensure that a Web gateway or equivalent protection program is put in place. The gateway can filter the network's Internet traffic and shield PCs from malware.

Peter Firstbrook, a research director at Gartner, said that the problem with AV software is real but he believes that the 25 percent figure reported by Promisec is too high.

"It's possible for the antivirus software's agent to be corrupted so it doesn't report something's wrong," he said. "This percentage is inordinately high but either way enterprises shouldn't be relying on vendors to tell them workstations are up-to-date or corrupted. This is an internal thing."




Microsoft Releases SQL Server Security Tools

Microsoft on Tuesday released the latest beta versions of its Code Analysis Tool and Anti-Cross Site Scripting Library for developers, a critical part of which is a tool to identify vulnerabilities to SQL injection attacks and other incursions.

Both releases come just days after a zero-day flaw impacting SQL Server 2000 and Microsoft Internet Information Services (IIS) servers emerged.



The flaw, as described by Austria-based SEC Consult advisory, makes it possible for hackers to target the vulnerability remotely on Web sites that link search boxes, customer databases or other Web apps to SQL Server. According to the advisory, the SQL vulnerability can be exploited by an authenticated user with a direct database connection, or via SQL injection in a vulnerable Web application. SEC Consult came to this conclusion after successfully executing arbitrary code on one of its lab machines.

Microsoft is still investigating the flaw, but -- unlike the recently discovered zero-day Internet Explorer bug -- as of Tuesday there were no reports of the vulnerability being exploited in the wild.

However, the release of these tools (designed to complement a previous workaround released in June) comes amid alarming growth in SQL Server injection attacks. Experts say such attacks exploit security vulnerabilities to insert malicious code into the database serving as the back-end of a Web site. While it may not be as urgent as fixing IE, recovering from a SQL injection attack can be difficult. There are numerous cases of Web site owners cleaning up their database only to be hit again a few hours later, because a replicating attack mechanism is written into the stored content and can't be wiped off by rebooting or via anti-virus software, as other exploits can.
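The injection path and the cleanup problem described above, as an added example that is not code from the article or from SEC Consult: a search box whose input is concatenated into SQL next to its parameterised fix, and a sweep that finds rows carrying injected script or iframe markup. The standard-library sqlite3 driver stands in for SQL Server, and the catalogue rows, the probe string and the injected tag are constructed here.

```python
"""Added example (not from the article): why a search box wired straight into
SQL text is injectable, what the parameterised fix looks like, and how a DBA can
sweep stored content for the injected markup the article describes. sqlite3 is
used as a stand-in for SQL Server; all data below is constructed for the demo."""
import re
import sqlite3

# Constructed sample data: a product catalogue acting as a Web site's back-end.
SAMPLE_ROWS = [
    ("Laptop", "Thin and light."),
    ("Monitor", "24-inch display."),
    ("Keyboard", "Mechanical keys."),
]


def make_db():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    """Concatenates user input into the SQL text, so a quote typed into the
    search box becomes SQL syntax and can change the query's structure."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn, term):
    """Binds user input as a parameter: the driver ships it as data, so the
    same text is compared literally and is never parsed as SQL."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


# Markup that has no business inside catalogue text. Mass-injection campaigns of
# the period appended <script>/<iframe> tags to text columns so that every page
# rendering the row served them to visitors, which is why a cleaned database is
# re-infected as long as the injection path itself stays open.
INJECTED_MARKUP = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)


def find_injected_rows(conn, table, columns):
    """Return (rowid, column, value) for every text cell containing script or
    iframe tags. Table and column names come from the operator, not from
    users, so interpolating them here is safe; cell values are read as data."""
    hits = []
    for col in columns:
        for rowid, value in conn.execute(f"SELECT rowid, {col} FROM {table}"):
            if isinstance(value, str) and INJECTED_MARKUP.search(value):
                hits.append((rowid, col, value))
    return hits


def demo():
    """Run both query styles against the same probe, then the content sweep."""
    conn = make_db()
    probe = "' OR '1'='1"  # constructed test input: a quote plus a tautology
    leaked = search_vulnerable(conn, probe)      # structure altered: every row
    literal = search_parameterised(conn, probe)  # no product has that exact name
    # Simulate the after-effect of a successful injection on one stored row.
    conn.execute(
        "UPDATE products SET description = description || ? WHERE name = 'Monitor'",
        ('<script src="http://example.invalid/x.js"></script>',),
    )
    hits = find_injected_rows(conn, "products", ["name", "description"])
    return len(leaked), len(literal), [(r, c) for r, c, _ in hits]


if __name__ == "__main__":
    print(demo())  # (3, 0, [(2, 'description')])
```

The sweep is the check to re-run after a cleanup: if it finds hits again within hours, the concatenating query path, not the database, is what still needs fixing.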




Off-Cycle Internet Explorer Security Update Released

As expected, Microsoft on Wednesday released its second out-of-cycle patch in three months -- this time to plug a widely discussed and "critical" vulnerability in Internet Explorer.

This new patch, as described in Microsoft Security Bulletin MS08-078, is designed to thwart a remote code execution exploit that can occur if a user visits a specially crafted Web page using Internet Explorer.



The patch applies to IE5.01, IE6 and all versions of IE7 running on Windows 2000 Service Pack 4, Windows XP and XP Professional, Vista, and Windows Server 2003 and 2008.

The speed of the release represents the fastest turnaround possible for such a widely deployed solution as Internet Explorer, especially given its development, testing and packaging requirements, according to Wolfgang Kandek, chief technology officer of security firm Qualys.

"Moving any faster than this would require having specific mechanisms in the base code of the application, allowing it to push out changes in a less disruptive way, and would require an extensive rewrite of Internet Explorer," Kandek said. "Other browser providers have an edge here as they already have update mechanisms included in their products."

Wednesday's rollout makes 2008 the year with the most off-cycle patches since 2006. October's interim patch release was the first in 18 months.

Microsoft's fast reaction has renewed discourse in the blogosphere and among security experts about patch scheduling. The normal rate for security rollouts, according to experts, is usually a two-week to four-month window, depending on immediacy.

The quick release in this case was not typical, according to Tyler Reguly, security engineer at nCircle Inc.

"There are people who feel that the speed at which this patch release was handled is how all patch releases are handled. I disagree with this," Reguly said. He added that "I feel that the monthly patch cycle is the right move."

There's a possible solution for those who might want a quicker response.

"If anything, Microsoft should be considering a public beta patch program," Reguly said. "I believe that this would silence many of the critics who want every patch to be handled like MS08-078."




Wednesday, December 17, 2008

Zero-Day IE Exploit To Get Out-of-Cycle Patch

After tackling the most disclosed vulnerabilities in the history of Patch Tuesday last week, Microsoft will now end 2008 with a "critical" out-of-cycle patch for Internet Explorer, according to an advance notification issued Tuesday for a new security update slated for release on Dec. 17.

According to Microsoft, the new patch will address an increasingly pervasive vulnerability that allows remote code execution in numerous versions of IE.



The new patch will affect IE 5.01, IE 6 and all versions of IE 7 sitting on Windows 2000 Service Pack 4, Windows XP and XP Professional, Vista, and Windows Server 2003 and 2008.

The emergency fix is a direct response to a zero-day IE 7 bug found in the wild last week, one day after Microsoft released what appeared to be a comprehensive IE patch addressing four separately reported private vulnerabilities.

Ben Greenbaum, senior research manager of Symantec Security Response, said that while the timing isn't ideal, Microsoft responded properly to what was becoming a growing security threat as the attacks widened in both geographical and technological scope.

"Nobody likes to do a patching of this importance and size, especially in a large IT environment, at a time when everyone's either gone or getting ready for the holidays," Greenbaum said. "It's one of those things, though, where you could be coming back to a big mess in January. From our standpoint, we would recommend an immediate patch in the event that [Microsoft] releases the update on Wednesday."

For its part, Microsoft maintained on Tuesday that it was aware only of attacks that attempt to use the vulnerability against IE 7. Nonetheless, the company said it "encourages customers to test and deploy this update as soon as possible."

The fix is vital for Microsoft as IE is currently used by 69 percent of the world's surfers and is arguably one of the company's most recognizable brands outside of the Office suite.

Shavlik Technologies CTO Eric Schultze said this out-of-cycle rollout constitutes an "all hands on deck" response from Microsoft.

He added, "Specifically, attackers were loading the exploit on legitimate Web sites so that even users who visit only non-nefarious Web sites might also get infected. Based on this level of data, it's my belief that Microsoft decided the issue warranted an out-of-band patch release."




Microsoft Exec Urges IE8 Readiness

Microsoft won't say exactly when it will ship the Release Candidate of its Internet Explorer 8 browser but it's "just around the corner," according to a senior company official.

Dean Hachamovitch, general manager of the company's Internet Explorer team, on Tuesday called on developers to ensure a good customer experience prior to the product's final release. "In short, developers, start your engines," Hachamovitch said in a phone interview.



Currently, Beta 2 of IE8 is available to the general public. Hachamovitch said that Microsoft has been listening to user feedback and added improvements to the Release Candidate version. The Release Candidate represents the final test stage preceding general product release.

"We took the feedback from Beta 2 and we acted on it, and people are going to see that in the Release Candidate," Hachamovitch said. "The feedback from the last build has been pretty positive," he added.

Despite declining to be pinned down on a precise release date, Hachamovitch previously suggested in an IE blog that it would appear sometime in the first quarter of 2009.

The Release Candidate is the "call to action," he said, a signal that IE8 effectively is completed as a product. Hachamovitch added that developers should expect the final product to behave like the Release Candidate version.

Microsoft says it took extra care to stay true to standards with IE8. Because of that, Web developers who designed their sites to work with earlier versions of Internet Explorer might have to address some display alignment problems when their site's markup is parsed in IE8.

If preserving the old format is important, developers can add an HTML tag to tell visiting IE8 browsers to stay compliant with the earlier (or "legacy") IE versions. Adding this tag will take just "10 minutes of work," Hachamovitch said. Microsoft added a "compatibility view" button in IE8 that lets users toggle between the legacy and IE8 views of the page.

"When developers get IE8 Release Candidate and look at their site, if it works fine, then they're done," he said. "If it doesn't work right, they should try the compatibility view button."

If pressing the compatibility view button results in a better user experience, then Web developers need to take action. In that case, Web developers should "add the tag so their visitors by default will get that compatible experience," Hachamovitch said.

Microsoft explained in further detail how developers can ensure such compatibility in this IE blog post.

Hachamovitch pointed to a number of improvements in IE8, including built-in dev tools that facilitate "rapid iteration" of development projects. Microsoft also opened up extensions in IE8, providing an open search capability. IE8 also enables an improved AJAX experience because of Microsoft's support for HTML 5 functionality.

Developers should have high expectations about IE8's support for cascading style sheet (CSS) standards, Hachamovitch said. Microsoft has promised to include CSS 2.1 support in IE8. However, doing so is kind of a moving target as "CSS 2.1 is a standard that's still under construction," Hachamovitch explained.

The W3C committee is still editing CSS 2.1 but Microsoft has contributed substantially to the standard's development.

"To date, Microsoft has contributed over 2,500 tests to the W3C," Hachamovitch said. He added that by the time IE8 Release Candidate 1 is released, "there's going to be over a thousand more" tests submitted.

On the security front, while browsers such as Mozilla Firefox and Opera have adopted a fast-patching approach, Microsoft is relying on its Windows Update to deal with threats. Given the broad community of browsers, not only is it important to update IE for security reasons, Hachamovitch said, but corporations also need to have the ability to manage and control that deployment.

Hachamovitch pointed to other security features in IE8, explaining that the "cross-site scripting filter is probably one the most innovative pieces I've seen in years in terms of really protecting people from a problem on the Web."

Microsoft plans to issue an updated security bulletin for Internet Explorer on Wednesday to help address a recently reported zero-day security issue found in the browser, as described here.




Microsoft Delivers SQL Server 2005 SP3

Microsoft ratcheted up its product support for SQL Server 2005 by releasing Service Pack 3 (SP3) on Monday, along with SP3 Cumulative Update 1. On the same day, the company also released Cumulative Update 11 for SQL Server 2005 Service Pack 2 (SP2).

If that weren't enough, the company offered incentives for Microsoft's partners and Microsoft Dynamics customers to jump to SQL Server 2008, which was released as a product last summer.



Microsoft is updating its price list on January 1, 2009 and will replace the runtime for SQL Server 2005 with that of Microsoft SQL Server 2008, according to a Microsoft Dynamics blog.

"Customers who have licensed Microsoft SQL 2008-Runtime and are current on the Business Ready Enhancement Plan as of January 1, 2009 will be entitled to an upgrade to Microsoft SQL Server 2008," the blog explained.

Features in SQL Server 2005 SP3 include "supportability enhancements," plus improvements in the database engine, Notification Services, replication and Reporting Services, according to an MSDN Library Web page. SP3 contains all previously released cumulative updates for SQL Server 2005.

KnowledgeBase articles for SP3 are available through the release notes here.

For SQL users not opting for SP3, Microsoft released Cumulative Update 11 for SQL Server 2005 SP2, which contains all of the hot fixes for SP2, without the new features in SP3.

However, for those who are moving from SQL Server 2005 SP2 to SP3, Microsoft offers a caveat: be sure to apply SP3 Cumulative Update 1.

"If you are upgrading from SQL Server 2005 SP2 Cumulative Update 10 or from SQL Server 2005 SP2 Cumulative Update 11, you must apply a post-SP3 cumulative update after you upgrade to SP3 to obtain all the fixes," according to Nick MacKechnie's blog.

For those wanting more than just blog advice, Microsoft's "Books Online" release for Microsoft SQL Server 2005 is available here. It provides primary documentation, including setup and upgrade instructions for SP3.

Microsoft also released a new Feature Pack for SQL Server 2008 on Monday that provides optional add-ons for the database solution. The December Feature Pack can be accessed here.

For more information and links to documentation, visit the Swiss IT Professional and TechNet Blog.




Tuesday, December 16, 2008

W3C Advances Web Accessibility Guidelines

The World Wide Web Consortium (W3C) has updated its set of recommendations for designing Web pages so they can be easily accessed by those with disabilities.

Version 2.0 of the Web Content Accessibility Guidelines (WCAG) provides techniques to help prepare Web pages so they can be read by those who are blind, deaf or have cognitive limitations. Such users may use screen readers, Braille displays, audio text readers and other assistive technologies.



Released last week, version 2.0 updates the first version of the guidelines, published in 1999.

"Version 2.0 of the Web Content Accessibility Guidelines goes a long way toward promoting [the] goal of global harmonization of accessibility requirements," said David Capozzi, the U.S. Access Board executive director, in a statement. "The Access Board hopes to further the goal in its rulemaking to update its [S]ection 508 standards in the coming year."

Section 508 of the Rehabilitation Act requires agencies to give disabled employees and members of the public equal access to all available information.

Developed by the W3C's Web Accessibility Initiative working group, the new version of the Web Content Accessibility Guidelines both simplifies and extends the first set of recommendations. It divides the recommendations into four categories, each aimed at making Web pages more:

Perceivable: This group of recommendations advises how to render Web pages in such a way that the content can be transposed into other formats, such as braille, large-type, or read-aloud.

Operable: This group of recommendations advises how to set up Web pages that they can be easily navigated.

Understandable: This group of recommendations offers tips on how to shape content so it can be easily understood.

Robust: This group of recommendations advises how to future-proof Web pages, as well as make them digestible by the widest possible range of assistive technologies.

In addition to the guidelines themselves, the W3C also offers a quick reference guide, a set of techniques for implementing the suggestions, and a document that details the recommendations in exhaustive detail.




Cisco Warns of Increasing Attack Sophistication

Cisco Systems Inc. this week released the 2008 edition of its Cisco Annual Security Report, a summary of the state-of-the-art in network security, as well as a look at the threats ahead.

The report highlighted the increasing sophistication of Internet-based attacks, largely because cyber-criminals themselves are becoming increasingly sophisticated. Indeed, the Cisco report noted, there's a sense in which cyber-criminals are becoming professional and increasingly focused on profit-making -- as opposed to mischievous, malicious or destructive -- activities.



"Every year, we see threats evolve as criminals discover new ways to exploit people, networks and the Internet. This year's trends underscore how important it is to look at all basic elements of security policies and technologies," said Patrick Peterson, Cisco fellow and chief security researcher, in a statement that accompanied the report's release. "Organizations can lower their risk of data loss by fine-tuning access controls and patching known vulnerabilities to eliminate the ability for criminals to exploit holes in infrastructures. It is important to upgrade applications, endpoint systems and networking equipment to help ensure that corporate systems run smoothly and minimize risk."

The report singled out the threat posed by spam, which Cisco researchers said accounts for 200 billion messages -- or about 90 percent -- of daily e-mail traffic. The U.S. is the biggest overall producer of spam (generating more than 17 percent), followed by Turkey (9.2 percent), Russia (8 percent), Canada (4.7 percent), Brazil (4.1 percent), India (3.5 percent) and Poland (3.4 percent).

Cisco researchers also expect that targeted spear-phishing -- which today accounts for about 1 percent of all phishing attacks -- will become more prevalent, accelerated by a trend in which criminals personalize spam in an effort to make messages seem more credible. This jibes with research from Symantec subsidiary MessageLabs, which -- in its own year-end report -- highlighted an increase in direct targeting (via highly personalized spam) of businesses and organizations. Here as elsewhere, the goal is to pass a credibility threshold and entice a user into opening a malicious attachment or visiting a malicious Web site. To that end, the e-mail messages used in such attacks contain content that might reasonably be relevant to their intended recipients.

The report also focuses on botnets, which Cisco said have "become a nexus of criminal activity on the Internet." In 2008, especially, botnets (and, by implication, their operators) got more sophisticated, using a new kind of "IFrame" attack to inject malicious code into legitimate Web sites. Legitimate traffic is then redirected to illegitimate sites, where -- more often than not -- users are tricked into downloading malware.

Elsewhere, Cisco researchers singled out an increase in the use of social engineering (similar to targeted spam attacks that try to pass themselves off as legitimate) to trick users into opening files or visiting malicious Web links. This practice will continue to grow, according to Cisco, which warned that in 2009, "social engineering techniques will increase in number, vectors and sophistication."

Another intriguing social engineering-like attack is "reputation hijacking," where criminals use real e-mail accounts -- typically created with established Web mail providers -- to send spam. "'[R]eputation hijacking' offers increased deliverability because it makes spam harder to detect and block," the report noted, adding that in 2008 (per Cisco's own estimates) such traffic accounted for less than 1 percent of all spam worldwide but comprised 7.6 percent of all e-mail traffic carried by the top three Web mail providers.




'Kilimanjaro' SQL Server CTP To Begin in January

The Professional Association for SQL Server (PASS) on Monday unveiled a limited community technology preview (CTP) of "Kilimanjaro," which is expected to begin in January.

Kilimanjaro is the code name for an upcoming Microsoft SQL Server implementation designed to address the business intelligence (BI) needs of organizations. PASS is seeking database administrators (DBAs) for the trial.



The CTP is being sponsored by Dell and MaximumASP in addition to PASS, according to a PASS announcement. Participants will get a free Microsoft SQL Server 2008 trial account, accessible online. The account will include a "Hyper-V image, reporting and analysis services, integration services, and full system admin rights."

The Kilimanjaro CTP will start in mid-January and last from four to five weeks. Participating organizations need to have one DBA on hand in an IT environment running more than 25 PCs and have "SQL Server installations across their organization," according to PASS.

Kilimanjaro was first unveiled at the Microsoft Business Intelligence Conference in Seattle, held in October. At that time, Microsoft promised it would include easy-to-use analysis tools in Kilimanjaro, described under their code name, "Gemini."

According to a Microsoft announcement, the Gemini tools "will enable information workers to slice and dice data and create their own BI applications and assets to share and collaborate on from within the familiar, everyday Microsoft Office productivity tools they already use."

Registration for the Kilimanjaro CTP will be open until Dec. 31, 2008. Applicants have to fill out a survey form and will be notified in early January if accepted. The form page can be accessed here.

Microsoft expects to release the full Microsoft SQL Server Kilimanjaro product in the "first half of calendar year 2010," according to its announcement. A separate SQL Server project supporting data warehouse-type applications, code-named "Madison," will appear in about the same time frame as Kilimanjaro, according to a Microsoft executive.

Monday, December 15, 2008

Microsoft Offers IE Security Workaround, But No Fix

A zero-day flaw in Internet Explorer 7 reported last week has sparked increased hacker activity, and now the attacks involve most versions of Microsoft's Internet browser. Still, Microsoft does not plan to issue a fix for the exploit until sometime next year.

The attack code originated on Chinese servers and initially only affected IE7, but it emerged that IE5.01, IE6, IE7 and IE8 Beta 2 have also been exploited.

On Monday, Redmond continued to investigate what it called "huge increases" in attacks exploiting the "critical" vulnerability in Internet Explorer. A blog post on Saturday explained that some of the attacks originated from compromised porn sites.

Microsoft is stressing that avoiding questionable Web destinations may not be an adequate defense in itself.

"This class of attack, along with other more classical forms of website intrusion, mean[s] that even trusted sites can end up serving malicious content, causing you[r computer] to get infected. Other researchers confirmed that attacks were increasingly coming from compromised Web sites," the blog said.

Research by other companies confirmed an uptick in incursions using IE as the vector. Antivirus software maker Trend Micro Inc. issued a statement on Monday indicating that as many as 10,000 sites have been compromised by this IE browser flaw over a week's time.

In response, Microsoft added a third addendum to its security advisory over the weekend. The addendum lists possible workarounds and solutions to serve as stopgap measures until a comprehensive IE fix for this exploit becomes available in 2009.

The attacks come as Redmond fights for increased browser market share. A recent survey found that IE8 was the safest, but least popular, Web browser in a beta comparison with Mozilla Firefox and Google Chrome.

Users should turn to other browsers besides IE until this problem can be fixed, according to Wolfgang Kandek, chief technology officer of security firm Qualys. However, Kandek contends that no browser is safe unless patched in real time or patched frequently, a technique known as "fast patching."

"Recent research has shown that Firefox fast patching offers significant advantages over IE, Opera and others," he said. "Opera has added fast patching in their newest release and Google Chrome has had it from the get-go."

Microsoft Mobile GUI Has Debut on Apple iPhone

Microsoft Live Labs announced on Saturday that its Seadragon Mobile graphical user interface (GUI) is now available for the Apple iPhone as a technical preview release, but Windows Mobile users will have to wait to get it.

The application, released at version 1.0, provides a GUI that lets users access photos and text via a mobile touch-screen interface. Microsoft acquired the technology when it bought Seattle-based Seadragon Software in February of 2006.

Microsoft released Seadragon Mobile to the Apple platform first because of its hardware support. A Blackberry or Nokia device would typically lack the requisite GPU, explained Alex Daley, Microsoft Live Labs group product manager, cited in an article by Todd Bishop.

The announcement issued by Microsoft Live Labs did not indicate when users of Microsoft's mobile platform might get their hands on Seadragon Mobile.

The Seadragon Mobile interface lets users scroll and zoom into archives of images. However, it currently lacks "browse Photosynth functionality," according to a blog. Microsoft Photosynth is a service that assembles shared digital photos into three-dimensional panoramic views.

Photosynth and Microsoft Silverlight both feature a "deep zoom" capability, which allows users to smoothly scroll through and magnify images. The technology can be enabled on Web sites using Seadragon Ajax, an application written in JavaScript that provides a deep zoom viewer. Microsoft released Seadragon Ajax last month.

Seadragon Mobile is currently available as a free download from the Apple iTunes App Store here.

Saturday, December 13, 2008

Google Addressing Web App Security With 'Native Client'

Google is exploring a way to run code fast and natively in a Web browser without worrying about security issues. To that end, the search giant unveiled its new Native Client open source project on Monday.

Native Client, abbreviated by Google as "NaCl," is currently available for testing as research release version 0.1. The solution promises to reduce data transfers between Web servers and the browser client to better run Web applications on x86-based machines.

"With the ability to seamlessly run native code on the user's machine, you could instead perform…actual image processing on the desktop CPU, resulting in a much more responsive application by minimizing data transfer and latency," according to Brad Chen, a member of the Google Native Client team, writing on the Google Code Blog.

Chen pointed out that these tasks can be performed today using "a combination of JavaScript and server side processing." However, that approach is "painfully slow" because of the data chunks that must be transferred.

On the other hand, local CPU processing of data using Web applications poses security issues, which is the main question that Google is trying to address with the release of Native Client.

"To help protect users from malware and maintain portability, we have defined strict rules for valid modules," Chen wrote. "Our approach is built around a software containment system called the inner-sandbox [that] uses static analysis to detect security defects in untrusted x86 code."

These security measures specify a set of structural criteria for all modules. For instance, "modules may not contain certain instruction sequences," according to Chen. The goal is to help developers to create "safer and more dynamic applications that can run on any OS and any browser," Chen wrote. 

The initial release of Native Client is a hefty download that includes compilation tools and runtime. It also has a software development kit to write portable code modules that will work in Firefox, Safari, Opera and Google Chrome.

Currently, Native Client is not supported in Internet Explorer. While Microsoft's ActiveX technology allows code to run natively, a Google white paper (PDF) explains that it requires the "manual establishment of trust relationships through pop-up dialog boxes…[that] have been inadequate to prevent execution of malicious native code."

The white paper asserts that in contrast to ActiveX, "NaCl is designed to prevent such exploitation, even for flawed NaCl modules."
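What "strict rules for valid modules" and "static analysis" of untrusted x86 code look like in practice is easier to see in code than in a quote. The following is an added example, not Google's code and not part of the Native Client release: a toy structural validator in Python that checks a module against six rules of the kind NaCl's design describes: the instruction stream must decode without gaps, no instruction may straddle a 32-byte bundle, certain instructions are refused outright, direct branches may only target instruction starts the validator has seen, a branch through a register is only allowed directly after an alignment mask in the same bundle, and calls must end on a bundle boundary. The `Insn` class, the `jmp_reg`/`call_reg` mnemonics, the `nop_pad` pseudo-instruction and both sample modules are constructed for illustration; a real validator works on raw bytes with its own x86 decoder, which this example assumes has already run.

```python
from dataclasses import dataclass
from typing import List

BUNDLE = 32                 # NaCl packs code into 32-byte bundles
ALIGN_MASK = 0xFFFFFFE0     # and-mask that rounds a register down to a bundle start

# Mnemonics the sandbox refuses outright: system calls, privileged or
# state-changing instructions, and plain returns (NaCl rewrites those).
FORBIDDEN = {"syscall", "sysenter", "int", "hlt", "cli", "sti", "lgdt", "lidt", "ret"}
DIRECT_BRANCHES = {"jmp", "call", "je", "jne"}
INDIRECT_BRANCHES = {"jmp_reg", "call_reg"}   # hypothetical names for jmp/call through a register


@dataclass(frozen=True)
class Insn:
    """One already-decoded instruction (a constructed stand-in for a real x86 decoder)."""
    offset: int            # byte offset within the module's text section
    length: int            # encoded length in bytes
    mnemonic: str
    operands: tuple = ()


def bundle_of(addr: int) -> int:
    return addr // BUNDLE


def validate(insns: List[Insn], text_size: int) -> List[str]:
    """Return every structural violation found; an empty list means the module is accepted."""
    errors: List[str] = []
    starts = {i.offset for i in insns}
    expected = 0
    prev = None
    for i in insns:
        end = i.offset + i.length
        # Rule 1: the stream must decode contiguously, so what the validator saw is
        # exactly what the CPU will execute (no hidden instructions in gaps).
        if i.offset != expected or end > text_size:
            errors.append(f"{i.offset:#x}: gap, overlap or overrun in instruction stream")
        expected = end
        # Rule 2: no instruction may straddle a bundle boundary; together with the
        # masked jumps below this guarantees every jump target is a real instruction start.
        if bundle_of(i.offset) != bundle_of(end - 1):
            errors.append(f"{i.offset:#x}: {i.mnemonic} crosses a bundle boundary")
        # Rule 3: refuse the instruction classes the sandbox does not allow at all.
        if i.mnemonic in FORBIDDEN:
            errors.append(f"{i.offset:#x}: forbidden instruction {i.mnemonic}")
        # Rule 4: direct branches must land on an instruction the validator has seen.
        if i.mnemonic in DIRECT_BRANCHES and i.operands[0] not in starts:
            errors.append(f"{i.offset:#x}: branch target {i.operands[0]:#x} is not an instruction start")
        # Rule 5: a jump through a register is only allowed as the second half of the
        # pseudo-instruction "and reg, ALIGN_MASK; jmp reg", both in the same bundle,
        # so nothing can jump in between and skip the mask.
        if i.mnemonic in INDIRECT_BRANCHES:
            reg = i.operands[0]
            masked = (prev is not None and prev.mnemonic == "and"
                      and prev.operands == (reg, ALIGN_MASK)
                      and bundle_of(prev.offset) == bundle_of(i.offset))
            if not masked:
                errors.append(f"{i.offset:#x}: unmasked indirect branch through {reg}")
        # Rule 6: calls must end on a bundle boundary so the pushed return address is
        # itself bundle-aligned and a later masked jump back to it is valid.
        if i.mnemonic in ("call", "call_reg") and end % BUNDLE != 0:
            errors.append(f"{i.offset:#x}: call must end on a bundle boundary")
        prev = i
    return errors


# Constructed sample: a module that follows every rule ...
GOOD_MODULE = [
    Insn(0, 3, "mov", ("eax", "ebx")),
    Insn(3, 5, "and", ("eax", ALIGN_MASK)),
    Insn(8, 2, "jmp_reg", ("eax",)),
    Insn(10, 10, "nop_pad"),               # padding pseudo-instructions fill the bundle
    Insn(20, 12, "nop_pad"),
    Insn(32, 15, "nop_pad"),
    Insn(47, 12, "nop_pad"),
    Insn(59, 5, "call", (64,)),            # ends exactly at offset 64, a bundle start
    Insn(64, 1, "nop"),
    Insn(65, 15, "nop_pad"),
    Insn(80, 16, "nop_pad"),
]
GOOD_TEXT_SIZE = 96

# ... and one that breaks five of them.
BAD_MODULE = [
    Insn(0, 2, "jmp_reg", ("eax",)),       # no preceding mask
    Insn(2, 2, "int", (0x80,)),            # direct system call
    Insn(4, 5, "jmp", (6,)),               # jumps into the middle of itself
    Insn(9, 5, "call", (0,)),              # ends at 14, not bundle-aligned
    Insn(14, 8, "nop_pad"),
    Insn(22, 8, "nop_pad"),
    Insn(30, 4, "mov", ("eax", "ebx")),    # bytes 30..33 straddle the 32-byte boundary
]
BAD_TEXT_SIZE = 34


if __name__ == "__main__":
    print("good module:", validate(GOOD_MODULE, GOOD_TEXT_SIZE) or "accepted")
    for err in validate(BAD_MODULE, BAD_TEXT_SIZE):
        print("bad module:", err)
```

The point the white paper makes about "flawed NaCl modules" is visible in rules 2 and 5 together: because no instruction crosses a bundle boundary and every register-indirect jump is forced to a bundle start, even a module with its own memory-safety bugs cannot redirect control into the middle of an instruction or to an address the validator never examined.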

Some readers of the Google Code Blog have compared the Native Client technology with an Adobe solution code-named "Alchemy." The Alchemy solution lets developers run C and C++ code via the Adobe Flash platform.

Native Client will run on any Windows, Mac or Linux system with an x86 processor. Chen explained that Google is "working on supporting other CPU architectures (such as ARM and PPC) to make this technology work on the many types of devices that connect to the Web today."

The test software can be downloaded at the Google Native Client Web page here.

DataDirect Releases ADO.NET Drivers

DataDirect Technologies this week upgraded its ADO.NET database drivers, which provide connectivity between .NET-based applications and DBMSes from Oracle, IBM, Microsoft and Sybase.

While critics question the need for third-party database connectivity tools when free options are available from DBMS providers, DataDirect says its connectors offer higher performance and are easier to develop against and administer.

"People are more circumspect on their spend, we all are," said Jonathan Bruce, director of .NET programming at Bedford, Mass.-based DataDirect, a subsidiary of Progress Software Corp. He singled out the performance benefits of the lower memory footprint and CPU utilization of the DataDirect solution, which is based entirely on managed code.

DataDirect has an established presence via OEM relationships, as well as with large enterprises, and the company is always competing against free alternatives, explained Gartner analyst Mark Driver.

"The hard part is competing against free, which will always limit your buying audience," Driver said. "They do well with those who want to bundle their technology into another solution and they want a contract in place; they want that one throat to choke."

The new DataDirect Connect for ADO.NET drivers have a starting price of $1,500 for a single-core server. They offer new .NET-based APIs for bulk data transfer, improved performance using statement caching and a component that provides connection statistics. The latter feature is a wizard that developers can plug into Microsoft's Visual Studio, Bruce said.

"We give specific guidance on how to configure our providers and our drivers so you can use them more effectively with all the levers and connection options we give you according to how you answer a given question in the wizard," Bruce said. It also takes into account the general semantics of an application, he added.

The upgrades should appeal to database developers and DBAs alike, Bruce said. Developers partial to Microsoft's Common Programming Model can also leverage the bulk copy features.

"When you take a database pattern and extend it to our bulk APIs, now not only can you program a generic stance across multiple data sources -- which is an extremely difficult thing to do in ADO.NET if you don't have the right providers -- we now also allow you to do all of the bulk operations you would expect with ADO.NET," he said.

DBAs will probably be interested in the statement caching and the bulk semantics feature as well, Bruce said, "because they hold ultimate responsibility of ensuring both features work effectively."

Open Source Advocate Dick Hardt Joins Microsoft

Digital identity pioneer and open source entrepreneur Dick Hardt will join Microsoft as partner architect, according to his "Identity 2.0" blog on Tuesday.

Although there was no official word from Microsoft as of Wednesday, Hardt wrote that he was "recruited" by the software giant because he is an "independent thinker."

According to his blog, Hardt will be focusing on "consumer, enterprise and government identity problems," which is not far off the beaten path for the founder of Sxipper Inc. The company, pronounced "skipper," specializes in identity products, including a popular browser add-on for Firefox that streamlines forms and remembers multiple log-in names and pesky passwords.

"My open source, open web and digital community experience will continue to guide my thinking," Hardt stated in his blog. "For me, this is an opportunity to work on the identity problems I have been toiling over for the last six years, but now with massive resources."

The 45-year-old entrepreneur has been credited as an open source advocate and supporter of "Identity 2.0," a term describing user-centric digital identities, according to Wikipedia. Hardt founded ActiveState in 1997 to develop tools for "open source programming languages and anti-spam software." He reportedly sold ActiveState in 2003 to UK-based Sophos for $23 million.

"I have worked with open source and internet technologies for 15 years," he wrote in his blog. "And, at ActiveState, [I] bridged the gap between them and Microsoft."

Hardt wrote that he has not "sold out" by joining Microsoft, and will continue to serve as "chair" of Sxipper. He described the opportunity at Microsoft as a chance to learn how "big enterprise and big software" work.

"I'm also excited about changes that are afoot at Microsoft such as Azure and to work beside a bunch of really smart people." He added he will be joining friends Jon Udell, Dana Boyd and Ray Ozzie in the new endeavor.

Thursday, December 11, 2008

First Look: Lunascape Multiengine Web Browser

Web developers have traditionally kept multiple browsers on their computers to facilitate testing, but a fairly new Japanese-made experimental browser called Lunascape rolls the three most important engines into one. According to the company's Web site, Lunascape was first released in December of last year, with its latest release happening in June.

Lunascape's main feature is the ability to switch back and forth between different rendering engines in real time. The three most important rendering engines to test for are Gecko (Mozilla Firefox), Webkit (Safari, Konqueror, Google Chrome and others) and Trident (Microsoft Internet Explorer). Much to the chagrin of developers, these browsers often render the same code differently.

Switching between browser rendering engines is nothing new. IE Tab, a popular Firefox extension offering similar functionality, has been available for years. Lunascape stands out because it adds Webkit support to the mix. To see for myself, I tried the 5.0.0 alpha3 release of Lunascape.

Transitioning between engines is a fairly smooth process. I used WebFX to test this out, a site that has many browser-specific scripts that can be used as proof-of-concept tools for testing DHTML capabilities. My test consisted of viewing different scripts using all three browser rendering engines, and Lunascape did the job fairly well.

I found the tabbed browsing in Lunascape to be rather buggy, but the experience wasn't too bad for an alpha-phase project. From a developer's perspective, I found Lunascape's ability to switch between rendering engines quickly to be useful, although this alpha release is not ready for serious production use.

Lunascape has an interesting niche as a hybrid browser, but its usability suffers badly in the current alpha version. First of all, Lunascape does not respond to keyboard shortcuts that are nearly universal in other browsers. For example, while CTRL + T opens a new tab in Internet Explorer, Firefox and Chrome, it does nothing in Lunascape. Middle-clicking on a link opens it in a new tab in most browsers, but Lunascape ignores this action.

Lunascape has a nice little RSS ticker that can fetch and display RSS content. Unfortunately, the ticker shared space on the screen with the tab bar. With several tabs open, there was barely any space left for the ticker, which made this feature almost useless. Lunascape will pop up a message balloon whenever RSS content gets updated. I quickly found a way to turn it off. I just don't like having parts of my other applications covered by pop-ups.

Another area that could be improved is the Lunascape start page. This was obviously built to resemble the Firefox start page, but I could see the potential for trouble. With the prevalence of malicious phishing sites, many knowledgeable people are understandably wary of sites intentionally designed to resemble popular or frequently seen destinations, even in applications that are benign. A quick redesign of the start page would go a long way toward assuring security.

Lunascape is an interesting experiment, and it has the potential to be useful once some more work goes into it. Right now, it is Windows only and is probably going to stay that way because of Trident. I doubt Microsoft would look kindly on a third-party port of the Internet Explorer rendering engine. Gecko and Webkit, by contrast, are open source and can be freely ported.

The Lunascape browser can be downloaded for free here.

IE8: 'Safe' but Scorned in Bug Battle Contest

Internet Explorer 8 -- Microsoft's latest release, currently at the Beta 2 stage -- was declared to be the safest but the least popular browser, according to a browser security survey.

On Wednesday, Utest, a social-networking and software testing company, announced the results of its Bug Battle browser contest. The event included participation from 1,330 security pros, hobbyists and tech enthusiasts, who found an alarming 672 bugs in the world's top three Web browsers.

Contest participants scavenged for bugs in IE8, Firefox 3.1 and the new Google Chrome browser, which just emerged from its beta stage.

A post-contest survey found that Internet Explorer was the only browser program not to receive a single "excellent" rating. Despite that result, IE8 was a relatively safer browser to use. Google Chrome clocked in with the most vulnerabilities (297 bugs). Open source counterpart Firefox had 207 bugs. Testers found just 169 bugs in IE8.

Apple's Safari and Opera were not rated. At the time of the contest, IE8, Chrome and Firefox 3.1 were all still in various beta releases.

Regardless of user preference, browsers generally represent a big attack vector and security concern.

"The browser is the most popular vehicle for getting exploits on client machines with the ultimate goal of controlling the machine for monetary purposes," said Wolfgang Kandek, chief technology officer for security firm Qualys. "Patching for browsers should be immediate and continuous and be removed from the OS level and included in the browser itself."

In other browser security news, Microsoft is continuing to investigate a remote code execution (RCE) vulnerability in IE7 that was publicized a day after the release of its December security patch. A security bulletin posted on Wednesday indicated that the company was "aware only of limited attacks."

On Thursday, Redmond described the RCE vulnerability as having originated from China. Microsoft's security bulletin suggested some possible workarounds for the problem.

The RCE vulnerability affects IE7 installed on the following operating systems: Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1 and Windows Server 2008.

VMware, HP Expand Virtualization Pact

VMware will expand its strategic relationship with Hewlett-Packard to include the joint development of software that manages datacenter resources.

The companies plan to offer integrated physical and virtual datacenter management and automation software solutions that rely on technologies in HP's Business Technology Optimization (BTO) software, VMware officials said.

The new tools will bring even greater management capabilities to the emerging concept of a virtual datacenter operating system (VDC-OS), they said. The agreement expands on the integrated software offerings the companies announced earlier this year, which let datacenter operators automate the management of heterogeneous environments.

As a first step, VMware will work with HP to integrate HP's BTO software with VMware vCenter Lab Manager, which provides self-service access to a library of preconfigured, virtualized applications. Users access applications on demand while the information technology staff maintains administrative control.

With vCenter Lab Manager, organizations can reduce hardware costs, automate manual provisioning tasks, and accelerate application development and test cycles, VMware officials said.

VMware and HP will also develop and market enhanced virtualization management offerings for VMware vCenter Lab Manager and HP BTO users based on HP Discovery and Dependency Mapping software. The approach will help users better manage their VDC-OS environments.

A VDC-OS is designed to help organizations pool all types of hardware resources -- including servers, storage tools and networks -- into an internal enterprise cloud that acts like a single, giant computer. A VDC-OS can also safely and automatically move workloads to external clouds when additional capacity is needed.

Such a system should be highly elastic, self-managing and self-healing, and it should help businesses and government agencies benefit from the flexibility and efficiency of remotely monitored data centers, VMware officials said.

Wednesday, December 10, 2008

Microsoft Exec Lays Out Enterprise Strategy at Barclays Event

Microsoft server and tools exec Bob Kelly told an investment banker audience how Microsoft plans to take advantage of opportunities in the enterprise IT market. His talk, given on Wednesday, was part of Barclays investment bank's Capital Technology Conference.

Kelly, who is Microsoft's corporate vice president of infrastructure server marketing, gave the calculator-pushing crowd what they like -- numbers.

He first presented a diagram showing Windows Server 2008 as the base (or "socket") of Microsoft's server and tools strategy. More than 500,000 people are already trained to use Windows Server 2008, Kelly said. Next up the stack are security, virtualization and management solutions, SQL Server, and development tools, with services topping the heap.

When you add up that stack, it represents an $85 billion to $90 billion software market opportunity. Microsoft already holds $13.2 billion worth of that market, he said. When you add Microsoft's services strategy on top of that, the market moves from $90 billion to $400 billion plus, Kelly explained.

If those figures weren't enough to excite the number-crunching crowd, Kelly touted some of Microsoft's upcoming products, such as Windows Server 2008 R2, currently in beta release. Kelly said that when it is released as a product, Windows Server 2008 R2 "will increase CPU support by four times." He said that represents enough capacity to run the "largest workloads on the planet."

The R2 product is scheduled for release sometime in 2010, according to Microsoft's product roadmap. However, Microsoft demonstrated Windows Server R2 at its WinHEC event last month, where Microsoft Corporate Vice President of the Windows Server Division, Bill Laing, suggested it could appear in late 2009. The demo at WinHEC showed that the R2 server could scale up to handle 256 logical processors.

Kelly also confirmed that the Live Migration feature of Microsoft's Hyper-V hypervisor will ship with Windows Server 2008 R2. That feature, which allows IT administrators to transfer a running virtual machine to another physical server, initially had been killed off at the time of Hyper-V's product launch.

Another product aimed at boosting Microsoft's enterprise IT market share will be the version of Microsoft SQL Server that's code-named "Kilimanjaro," which Kelly said would appear sometime in the first half of 2010. Kilimanjaro is aimed at supporting the business intelligence needs of organizations.

He added that Microsoft plans to release "another version of SQL Server" that will address the data warehouse enterprise market within the "same time frame" as Kilimanjaro.

Finally, Microsoft plans to release an improved development environment with its Visual Studio 2010 product, which will feature lifecycle management capability for developers.

Kelly handled a number of audience questions, but always with a common theme. He stressed that the most important need enterprises have is a common management platform to handle operations. Microsoft management solutions fall under its System Center product portfolio.

Systems management is a bigger concern for IT than deploying virtualization solutions, he said. Desktop virtualization currently represents a "nascent" field with not a lot of deployment going on. Server virtualization will see greater growth, Kelly said, although research has shown that virtualization is currently used on less than 15 percent of servers sold.

Still, Microsoft can beat its competition in the virtualization space by offering its hypervisor at "one third the price of the competition," Kelly said.

Finally, an audience member questioned how Microsoft will cope in a "slower growth market." Kelly was bullish on Microsoft's prospects. He said that Microsoft will respond by "growing faster than the market." The company has an advantage with its volume-pricing approach, he said, adding that niche players are more likely to get hurt in a slow-growth economy.

"We are very confident that even in a market like this, it plays to our strengths," Kelly said.

An audio transcript of Kelly's talk is available at the Microsoft Investor Relations Web page here.
Zero-Day IE 7 Flaw Discovered

Though Microsoft on Tuesday closed the books on its 2008 patch rollout cycle, it once again has to contend with "Exploit Wednesday." This time, the problem is a zero-day Internet Explorer 7 flaw discovered Wednesday by Bojan Zdrnja, a security analyst and researcher at the SANS Internet Storm Center.

Found in the wild a day after Microsoft released an IE patch addressing four separately reported private vulnerabilities, the bug creates an Extensible Markup Language (XML) tag then deliberately delays its process for 6 seconds -- presumably, Zdrnja said, "to thwart automatic crawlers by anti-virus vendors."

According to Zdrnja, the exploit could crash the browser if successful. This would force a restart that would allow malicious code to piggyback on the Web page code when the browser is reopened after reboot.

However, the researcher said only those using IE 7 and running Windows XP or Windows Server 2003 are affected by the bug.

For its part, Microsoft said in an e-mailed statement that it is "investigating new public claims of a possible vulnerability in Internet Explorer" without mentioning this exploit in particular. Microsoft continued that when it concludes its investigation, it will take action that "may include providing a security update through the monthly release process, an out-of-cycle update, or additional guidance to help customers protect themselves." It is also encouraging anyone who might be affected to get assistance online or call Redmond's PC Safety hotline at (866) PC-SAFETY.

According to Tyler Reguly, a security engineer for nCircle, "The release of zero-day exploits, including this one, continues to reinforce the importance of practicing safe browsing and, to a larger extent, safe computing."

As for the notion that the growth of "Exploit Wednesdays" may prompt Microsoft to reconfigure its patch release frequency to respond more rapidly to wild exploits in an increasingly real-time environment, security experts agree that such a pursuit would be in vain. Neither Microsoft nor any other company can realistically develop a patch for only a single processing environment; rather, it needs to test various scenarios and software configurations.

"I don't believe the patch process can become more frequent than it is today and still provide the same level of quality," said Eric Schultze, chief technology officer of Shavlik Technologies. "In my former life working at Microsoft in the Security Response Unit, I saw Microsoft attempt to create and release patches quickly. Sometimes this leads to quality issues. In one instance, Microsoft released an Exchange Server patch four times within one day. They tried to rush out the patch and got burned by it."

Some have suggested a more public beta program for Microsoft patches -- a "no-support, use-at-your-own-risk" sign-up so people can download patches prior to or during the quality assurance and testing phases. "This would allow users to test patches on their environment and make their own decision to use them," nCircle's Reguly said. "You would still have the standard monthly patch release, but it provides a nice middle ground for those that want something faster."


First Look: NexentaCore OS

Recently, I read about NexentaCore, a new experimental operating system that seeks to merge the functionality of a Linux user environment with the OpenSolaris OS kernel, supporting the ZFS file system. I downloaded NexentaCore, currently at version 1.01, and tried it out using VirtualBox.

While I found it strange that the CD ISO image of the NexentaCore OS was packaged inside of a zip file, it posed no problems getting the software.



NexentaCore had a fairly slow startup, but the installer was very nice once it got going. Partitioning is handled automatically (or manually, if the user would prefer doing it that way instead). After setting up the root password and a single user account, the system is ready to go.

NexentaCore is not a full desktop-oriented distribution with an OpenSolaris kernel. Rather, it is a pure command line environment more suited to server applications. As the name indicates, the distro includes only the "core" operating system, with none of the extras included with other alternatives (GUI, extra software, etc.).

GUI support could be installed if a user wanted to take the time to manually set it up, but a command line environment is fine for managing a server. NexentaCore would be a great OS to run headless and manage through SSH (Secure Shell).

NexentaCore struck me as an OS with more customization potential than alternatives. Users can start out with the essentials and then add the tools they need, without introducing excessive bloat. It represents a better approach than starting with a general-purpose server OS and then having to strip it down to only what is necessary.

All essential command line GNU tools (cp, mv, ls, vim, etc.) are available out of the box, so using the operating system felt like working on a typical Linux console. Despite the GNU tools, I found nothing immediately obvious to suggest a relation to Ubuntu or even Debian. Although the developer states that it is built on an Ubuntu base, I thought NexentaCore had a very generic feel when I was testing it.

NexentaCore's main strength is the presence of the extremely useful APT package management system. This wonderful tool (also found in Debian and its derivatives) will download a package, fetch its dependencies and set it up with only a single command. With this tool, I was able to build a working virtualized server stack in only a few minutes, comparable with a conventional LAMP (Linux + Apache + MySQL + PHP or Perl) server but with OpenSolaris instead of Linux.

This ease of deployment, combined with native support for the excellent ZFS file system (something that still requires FUSE on Linux) and trimmed-down footprint would make NexentaCore a viable option for server deployment scenarios when it becomes more mature.

NexentaCore could still use some improvement. The installation process took a long time to start, and, even after being installed, NexentaCore took several minutes to boot. I was not expecting excellent performance in a virtualized environment, but NexentaCore was still slower than my Linux virtual machines. I also noticed that the boot process produced no output. While that's not a problem in and of itself, it is inconvenient because many system administrators prefer watching each process load to make sure it starts correctly. However, these setbacks are fairly minor and in no way inhibit the usefulness of the OS.

If you want a lean and mean server OS, give NexentaCore a try. The OS can be downloaded here.


Tuesday, December 9, 2008

Multicore Chips Hitting 'Memory Wall,' Report Says

The silicon industry's plans to use multiple processor cores on the same chip to improve computer processing performance may have hit a bump on the supercomputing highway. The technique, called multicore processing, may face limitations due to memory-handling issues, according to a Sandia National Laboratories study as described by a November IEEE article.

Expectations are high to exploit the multicore technique, since chip-processing speeds aren't getting any faster. Microsoft, for one, had placed a spotlight on multicore development techniques at its Professional Developers Conference in Los Angeles, which took place in October.



According to the IEEE account, tests conducted on 8-, 16- and 32-core microprocessors at the Sandia National Laboratories in New Mexico produced some "distressing results."

Sandia scientists hit a performance wall at about eight cores, after which "there's no improvement," said James Peery, director of computation, computers, information and mathematics at Sandia. In fact, he said, performance actually degraded so that at 16 cores "it looks like two."

The problem is especially vexing for informatics applications used in national security functions and the scientists discussed the study results with chipmakers, according to the IEEE article.

The crux of the problem is a "memory wall" that creates a "disparity between how fast a CPU can operate on data and how fast it can get data," the article explained. The number of cores might increase, but the number of connections to the computer does not keep pace. The core connections are not properly fed with data.

Since chipmakers see multicore architectures as essential to future high-performance computing, Peery suggested that they look to "tighter, and maybe smarter, integration of memory and processors," including stacking memory chips on top of processors.

Intel, whose Tera-scale multicore test chip was pictured in the IEEE article, agreed that the problem is in the processor, not in the multicore architecture. An Intel spokesperson said on Monday that the company has been on top of the situation.

"Intel's work on stacking memory could be key to resolving long-term multicore memory bottlenecks but this is not discussed in the article," the Intel spokesman said in an e-mailed response. "We've been talking in public about the need to integrate memory closer to the processors for more than two years now, showing directionally what will need to happen [and] are confident that the industry will work around the memory bandwidth issue."

There are, the Intel response indicated, "very fast memory bandwidth subsystems" available now, "but reasonable cost as well as performance needs to be achieved."


December's Patch Arrives, Addressing 28 Security Bugs

December's Patch Tuesday will be a historic security update release. But it won't be because of the size and scope of the eight patches, which contain six "critical" and two "important" items. Rather, the patch will be remarkable because of the vulnerability count, weighing in at a bulky 28 bugs. Moreover, of those 28 vulnerabilities, 23 are rated as critical to fix.

This December patch addresses the largest and most wide-reaching collection of bugs since Microsoft's inception of Patch Tuesday in 2003.



"What a way to end the year, eight bulletins and a whopping 28 CVEs," said Andrew Storms, director of security at nCircle, in an e-mailed statement. "The Microsoft elves have been busy and delivered everyone plenty of work to do this holiday season. All but one of the bulletins deals with client-side applications and includes all the usual suspects: IE, Office, ActiveX and GDI."

Additionally, in the last patch cycle of 2008, seven of the eight fixes are related to remote code execution (RCE) vulnerabilities and represent a mix of fixes for Windows operating systems as well as a bevy of Microsoft Office applications. In fact, all of the critical items are RCE related. There is one elevation of privilege consideration in the important group of patches.

Ben Greenbaum, senior research manager of Symantec Security Response, said the sheer number of vulnerabilities being patched is what grabbed his attention. Unlike some of the lighter rollouts, each exploit has the potential to be dangerous if not patched, he added.

"While Web-based attacks seem to be the main choice for opportunistic attackers, targeted attacks are often carried out via malicious Word and Excel files attached to e-mail messages," Greenbaum said. "While both of these vectors have vulnerabilities patched by the release, the number of vulnerabilities in Word and Excel provides attackers additional means to carry out these kinds of attacks."

Critical Fixes
First up is a critical Windows fix for the graphics device interface (GDI). It resolves two privately reported vulnerabilities triggered when a user opens a specially crafted Windows Metafile (WMF) image or WMF-coded document. If an attacker got through using this exploit, they could gain access rights to install, change and delete, or they could change privileges to muck up a Windows-based system. The fix addresses Microsoft Windows 2000 Service Pack 4, Windows XP, Vista, and both 2003 and 2008 editions of Windows Server.

The second critical fix covers Vista and Windows Server 2003 and 2008, and deals with Windows search. It involves an exploit where a specially crafted and embedded search file placed into Windows Explorer could create an opening for an RCE incursion.

With more attacks becoming browser-based, critical item No. 3 is a mainstay in the annual cycle of patch releases. It's a cumulative hotfix for Internet Explorer, touching on versions of IE ranging from IE5.1 to IE6 and IE7. The exploit takes place when a user clicks on "evil Web pages," according to security mavens. The applicable OS versions for this patch are Windows 2000 SP4, Windows XP, Vista, and both 2003 and 2008 editions of Windows Server.

The fourth critical item on the slate deals with multiple vulnerabilities. It addresses an eye-opening five privately reported vulnerabilities, plus one publicly reported bug. The issue lies within the ActiveX control mechanisms for several Microsoft Visual Basic programs. The fix affects Microsoft Office FrontPage and Microsoft Office Project. Other apps covered include Office FrontPage 2002 SP3, Office Project 2003 SP3, Office Project 2007 and Office Project 2007 SP1.

Fifth in the critical mix is a wide-ranging hotfix for the ubiquitous word processing app Microsoft Word. The fix addresses eight privately reported vulnerabilities in Microsoft Office Word as well as Microsoft Office Outlook. All it takes is initializing a corrupt Word or Rich Text Format (RTF) file and the hacker can then make short work of an infected workstation and, by extension, the network. The patch covers several versions, such as Word 2000 SP3, Word 2002 SP3 and each release of Word 2007. Also addressed in this fix are Word 2004 and 2008 for Mac, Office Word Viewer, PowerPoint 2007 and Word for Microsoft Works 8.5.

The sixth and last critical bulletin touches on three related vulnerabilities that can be triggered if a user opens up a malicious Excel file. It addresses vulnerabilities in Excel 2000 SP3, Excel 2002 SP3, Excel 2003 SP3, as well as Excel 2007. Additionally, Excel 2004 and 2008 for Mac and the Excel Viewer are covered.

Important Fixes
The No. 1 important bulletin is a cumulative update for SharePoint Server 2007 programs. This fix addresses an elevation of privilege vulnerability where a hacker could change access parameters in SharePoint, enabling further entry into a compromised system.

Microsoft specifically described this fix as resolving a privately disclosed vulnerability. The fix lessens the possibility of an attacker bypassing "authentication by browsing to an administrative URL on a SharePoint site."

"We believe that overall attackers will start to focus their attention on SharePoint and these new collaboration services as their deployment numbers grow and as operating systems mature and become safer out-of-the-box," said Wolfgang Kandek, chief technology officer at security firm Qualys.

The second important item and last fix in the slate addresses two privately disclosed plug-in vulnerabilities in most Windows Media Center applications. The affected solutions include Windows 2000 Server, Windows Media Player 6.4 for Windows 2000 Server, Windows Media Format Runtime 7.1 and 9.0 versions, as well as Windows Media Services 4.1.

For Windows XP-based systems, the affected solutions include Windows Media Player 6.4, Windows Media Format Runtime 9.0, 9.5 and 11.

For Windows Server 2003-based systems, the Windows Media Center components on the slate include Windows Media Player 6.4 and Windows Media Format Runtime 9.5.

For Vista and Windows Server 2008-based systems, the fix affects Windows Media Format Runtime 11.

As an addendum to the advance notification bulletin, which said five of the updates require restarts, it now appears that all of the patches either "will" or "may" require restarts.

IT pros who want information on general updates and other nonsecurity content can find it at this knowledgebase article. The KB article describes getting updates via Microsoft Update, Windows Update and Windows Server Update Services.


Open Source Thriving in Enterprise

According to a new survey from business intelligence (BI) specialist Actuate Corp., open source software (OSS) doesn't simply have a token presence in the enterprise; it has truly arrived. The survey paints a picture of a thriving OSS ecosystem, with an enterprise adoption rate that hovers at nearly 50 percent in the United States, and exceeds 60 percent in France and Germany.

Actuate's findings support those of market watcher Gartner Inc., whose study found that fully 85 percent of respondents (in a sample that included companies in North America, Europe, Asia-Pacific and other regions) have adopted OSS technologies. Anecdotal accounts also peg open source adoption rates in the EU as higher than those in the United States.



Not surprisingly, Linux spearheads the enterprise open source push: Nearly half (45.6 percent) of respondents say they've deployed Linux. The Apache Web server -- which has nearly as much brand currency as Linux itself -- is second in Actuate's tally, in use by about 44 percent of respondents.

Other OSS standouts include the Tomcat application server (used by almost 33 percent of adopters), Mozilla's Web browser (27.6 percent), MySQL database (27.2 percent) and the Eclipse IDE (25.8 percent). The PHP scripting language is used by just over one-fifth (21.6 percent) of respondents, and the JBoss application server is used by one-seventh (14.7 percent).

The Actuate survey paints a somewhat unsurprising portrait of the ways OSS is commonly deployed. For example, just over three-quarters (75.6 percent) of respondents say they use OSS to support their application development efforts, while more than half (53.9 percent) use OSS operating system platforms. Elsewhere, nearly half (47.9 percent) use MySQL or other OSS databases, 41 percent use OSS middleware (such as Tomcat, JBoss, Mule or other technologies), and more than a third (35.5 percent) use OSS "personal productivity tools" (including OpenOffice, among others).

Finally, more than a quarter (26.3 percent) of survey-takers say they tap OSS technologies to power their enterprise reporting or BI efforts.

Respondents cite a range of benefits, primarily OSS' "no cost" licensing model. Fully 60 percent of respondents rated OSS' cost as its most attractive feature, while just over half (50.8 percent) cited its flexibility. "Vendor independence" (cited by 43 percent of respondents), "access to source code" (42.6 percent) and "built on open platform(s)" (40.0 percent) also rated highly.

Intriguingly, nearly one-third (32.6 percent) of respondents lauded OSS because it's "not locked into Microsoft," while -- in a similar vein -- 31.8 percent cited OSS' "standards-based technology" as a strong selling point. Open source proponents like to trumpet both the involvement of the OSS community and the quality of OSS code, which they claim comprise additional selling points. Respondents to the Actuate survey, on the other hand, rate both factors a comparatively low 23.6 percent and 20.6 percent, respectively. Indeed, a still-oblique OSS support story complicates the OSS adoption narrative. Nearly half (48.2 percent) of respondents cited questions about the availability of long-term support as a barrier to OSS adoption, while 43.3 percent singled out the "availability of long-term maintenance" as a similar concern.

Nevertheless, a clear majority (53.8 percent) of respondents feel that OSS' benefits outweigh its drawbacks.

OSS still has some ground to make up in other areas. Just 10.2 percent of respondents said that open source software is a "preferred" option when procuring software; more than a third (37.9 percent) said that it's an "explicitly considered" option. On the other hand, nearly half (43.2 percent) said OSS isn't considered as a procurement option, while 8.7 percent said that their parent organizations actually have policies which prohibit the use of OSS.

A Tale of Two Hemispheres
OSS adoption is greatest in Germany, where nearly two-thirds (63.6 percent) of respondents say they're using open source software. France is another big OSS booster, where 61.6 percent of respondents have adopted open source technologies. Adoption is only 41.1 percent in the United Kingdom.

This coincides to a degree with the experiences of OSS vendors. Vincent Pineau, general manager of the Americas with OSS data integration specialist Talend, said that U.S. companies have been slower -- compared to firms in Germany and other continental European nations -- to warm up to the value of "commercial" or "enterprise-grade" open source. That's a scheme in which a vendor such as Talend provides not just indemnification -- which Pineau said is a must-have in the U.S. market -- but service, support and accelerated development cycles.

"U.S. companies are coming to that right now. My counterpart in Europe has gone past that issue about a year-and-a-half ago. In the European Union, the big companies have already come to that," he said.

Nick Halsey, vice president of marketing and product management with OSS reporting specialist JasperSoft, agreed. "JasperReports was founded in Romania, and iReport -- the graphical design tool for JasperReports -- was started in Italy, so we were strong in Europe for years before the U.S.," he said.

Halsey and other industry players expect that the ongoing economic crisis could lead to a sharp surge in interest in OSS technologies.
