Friday, April 30, 2010

IE 8 XSS Vulnerability To Get Fixed in June

Microsoft is preparing a security update in June for the IE XSS filter in Internet Explorer 8.

The update will address a flaw in IE 8 that could enable cross-site scripting (XSS) attacks by hackers. Security Response Center spokesman David Ross said last week in this blog post that the change will address the "script tag attack scenario" that was described at a Blackhat Europe presentation earlier this month.

At that conference, security researchers David Lindsay and Eduardo Vela Nava presented their findings on how the IE 8 XSS filter could be abused, resulting in universal cross-site scripting (UXSS) attacks.

Security experts and Microsoft's Ross explained that unlike traditional XSS attacks that require the vulnerability to exist on a specific infected Web site, UXSS attacks target vulnerabilities in client applications, such as browsers, browser plug-ins and PDF readers.

"This issue manifests when malicious script can "break out" from within a construct that is already within an existing script block," wrote Ross. He added that while the issue was preliminarily identified and addressed in a January patch of the browser (MS10-002), the new real-world example of UXSS is prompting Microsoft to prep a new patch for June.

Chenxi Wang, security and risk management analyst at Forrester Research, said this vulnerability is brought on when the XSS filter incorrectly disables certain Hypertext Mark-up Language (HTML) attributes. Consequently, it becomes possible for a specially crafted Web page to be loaded, allowing an attacker to execute scripts in a user's browser.

"This mistake made by the cross-site scripting filter in IE actually caused a cross-site scripting error to occur," she said. "This is interesting, because the mission of the XSS filter is to prevent this type of error to happen, but in effect it actually caused an additional XSS attack."

Joshua Talbot, security intelligence manager at Symantec Security Response, added that such an attack requires a multifaceted and sophisticated method of incursion.

"First, they would have to find a suitable target Web site that allows users to publish content, such as a social networking site," he said. "Second, they would have to lure the victim to this page by clicking a specially crafted link. Finally, they would have to have the victim follow the link with a vulnerable Web browser."

Talbot added that with the increasing reliance on browsers and Web sites for banking and communication, UXSS vulnerabilities will become increasingly useful and valuable to attackers.

Fortunately, the researchers who found this security hole worked directly with Microsoft, according to both Wang and Talbot. Microsoft subsequently released its initial update in January and again in March (MS10-018).

Security experts applaud the prospect of a more substantive fix release in the early summer. Microsoft's David Ross said that the company looks "forward to continuing to improve the Internet Explorer XSS Filter going forward to address new attack scenarios and the evolving threat landscape."

"Like many security issues -- take malware as an example -- attack vectors are always a moving target," Ross wrote. "The role of the browser maker is to do everything we can to keep people safe without them having to do a lot of extra work."

Microsoft Warns of SharePoint Security Flaw

Microsoft issued a security advisory on Thursday for a vulnerability in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007.

The vulnerability affecting those applications has elevation-of-privilege implications for organizations. An attacker can use a cross-site scripting (XSS) technique to "run arbitrary script" that may lead to the attacker gaining access rights on a Web site running SharePoint, according to the advisory.

Cross-site scripting is the practice of embedding malicious script into a Web page that can execute when users visit the page. In this case, the user would visit a SharePoint intranet page. However, it's been a concern with other Microsoft products. This latest advisory comes just days after Microsoft said it plans to fix an XSS security hole in Internet Explorer 8.

Such attacks typically begin through a "specially crafted" URL sent in an e-mail or IM message that directs the user to a Web site with the malicious script. The script may allow the attacker to gain the same network rights as the user.

Microsoft plans to issue a security update to fix the vulnerability. In the meantime, the security advisory contains a workaround that describes steps to restrict access to "SharePoint help.aspx XML files." Restricting access to those files prevents exploitation of this vulnerability, according to the advisory.

Internet Explorer 8 has an XSS filter that is turned on by default, although the filter ironically has a flaw -- to be fixed in June -- that can enable XSS attacks. That said, Chenxi Wang, security and risk management analyst at Forrester Research, believes that users shouldn't discount the XSS prevention functions in IE 8 with regard to the SharePoint issue.

"The fact that the [cross-site scripting filter] introduces an additional vulnerability is unfortunate but sometimes it is a fact of life," she said. "Any time you introduce a new functionality, you introduce the possibility of new vulnerabilities because of the complexity of writing correct software."

Microsoft Reports 'Record' 3Q Revenue

Microsoft today announced "record" overall revenue of $14.5 billion in its fiscal third quarter.

The revenue was 6 percent higher than last year's 3Q revenue figure. Net income for the quarter (which ended on March 31, 2010) was $4 billion, up from $3 billion in the same period last year.

Windows 7 sales drove revenue for the company, while Microsoft continued to show an operating income loss in its Online Services Division. Other business segments had relatively flat revenues quarter to quarter. For instance, the Server and Tools Division had a 2 percent revenue increase in the third quarter compared with the same period last year.

The star of the quarter was the Windows and Windows Live Division. Microsoft reported $4.4 billion revenue in the third quarter for that division -- a 28 percent increase compared with last year's 3Q revenue result.

"Strong demand for Windows 7 is the primary contributor to our performance," explained Peter Klein, Microsoft's chief financial officer, in a Webcast discussing the financial results. "As evidence of that strong demand, an internal and external check showed that over 10 percent of all PCs worldwide are already running Windows 7."

Microsoft released Windows 7 in late October. Klein suggested that the 10 percent adoption rate of Windows 7 after about six months meant that Microsoft still had a yet-to-be-tapped market on its hands.

Overall, Microsoft is seeing continued strong spending on its products from consumers, according to Bill Koefoed, Microsoft's general manager of business relations. Spending by small and midmarket businesses rose more than 15 percent year over year, he added, although he was more cautious about future enterprise spending.

"Within the enterprise segment, we saw the beginning of a recovery and IT hardware spend, but as we have discussed on past calls, we continue to see lengthened sales cycles," Koefoed said.

Windows licensing grew 35 percent for consumers and 15 percent for businesses. Koefoed said that the 15 percent figure leads Microsoft to believe that a business PC refresh cycle has begun. The business PC refresh cycle will continue into Microsoft's 2011 fiscal year, according to Klein.

Annuity revenue in the Server and Tools Division was relatively flat, representing about 50 percent of that business, according to Koefoed. He described good results for Microsoft's management and Windows server products, saying that "System Center server revenue grew over 20 percent and the Windows Server premium mix remains over 20 percent this year."

The Online Services Division, which includes Bing and the MSN Web portal, generated revenue but it was offset by a $713 million loss in operating income. Still, Koefoed said that Bing has had 10 consecutive months of market growth since its launch. Microsoft expects to complete its search partnership deal with Yahoo in the United States by the end of this calendar year and by the end of 2012 globally. Microsoft will start seeing revenue from the Yahoo partnership in the second half of this fiscal year, according to Klein.

Koefoed depicted progress in Microsoft's overall software-as-a-service and cloud computing push. He said that Microsoft now has 40 million paid seats for its commercial online services.

The Webcast and Microsoft's fiscal third-quarter financial results can be accessed at the Microsoft Investor Relations Web portal here.

Thursday, April 29, 2010

VMware, Salesforce Partner To Build Java Dev Platform in the Cloud

Virtualization company VMware and software-as-a-service provider Salesforce have joined forces to build a platform for building and running Java applications in the cloud, the two companies announced this week. The new platform, dubbed VMforce, combines VMware's vSphere virtualization platform, the SpringSource Java development framework and Salesforce's cloud computing platform.

The new platform is aimed squarely at enterprise Java developers. It will run on the Tomcat-based SpringSource tc Server, which was developed by VMware's SpringSource division. It will provide access to the SpringSource Tool Suite, an Eclipse-based integrated development environment (IDE) for creating Java apps. And it will support plain old Java objects (POJOs), Java Server Pages (JSPs) and Java Servlets.

The two companies are billing the new combined development and deployment environment as "the trusted cloud for enterprise Java developers." The VMware vSphere virtualization platform will provide the virtualization layer, as well as access to the vCloud orchestration technology. The vCloud tech will "on-ramp the Java application onto the cloud, automate the wiring of the application to the database and manage the underlying vSphere virtualization platform," the companies said.

The combined services will also give Java jocks access to the database, the new Chatter collaboration service, as well as's community and services, including search, identity and security, workflow, reporting and analytics, its Web services integration API, and mobile deployment.

The announcement of the partnership was made jointly by CEO Marc Benioff and VMware chief exec Paul Maritz. "IT is drowning in a sea of complexity," Maritz said during a launch presentation in San Francisco. "We have to remove that complexity and lower cost… but this is not just about reducing cost, it's about enabling new ways of doing business."

"It's the best of both worlds," Benioff said. "This is a transformational developers are going to love VMforce because they can now use Java for the first time. developers can incorporate Java into their apps...Java developers will love it because they'll be able to easily write and deploy enterprise quality apps into the cloud five times faster and at half the cost of traditional environments."

Benioff said that VMforce was designed to facilitate the development of applications for "Cloud 2," which he believes will be a platform for enterprise-level applications and services that more closely resemble social platforms, such as Facebook, and employ more mobile applications. Chatter, the company's social networking app, was introduced earlier this year. Developers working on VMforce will be able to incorporate pre-built Chatter social networking and collaboration services into their applications, including profiles, status updates, groups, feeds and document sharing.

Rod Johnson, general manager of VMware's SpringSource division, was also on hand at the launch event. He and Salesforce vice president of technology Parker Harris demoed the IDE, drag and drop deployment in the cloud, the VMforce management console and the Chatter social application.

In a blog posting following the launch event, Ovum senior analyst Tony Baer characterized the partnership as "the marriage of two suitors that each needed their own leapfrogs: VMware transitions into a ready-made cloud-based Java stack with existing brand recognition, and steps up to the wider Java enterprise mainstream opportunity."

The companies issued no hard release date or pricing plan for VMforce, but promised to release a developer preview in the second half of 2010.

U.S. IT Pros Concerned About Cloud Security

Nearly half of U.S. IT professionals canvassed in a survey released today believe that the operational and security risks of cloud computing outweigh its benefits.

That finding comes from the first annual "IT Risk/Reward Barometer" report by ISACA, or Information Systems Audit and Control Association. The ISACA is a trade group consisting of enterprise IT administrators and IT audit specialists.

Despite the hype and enthusiasm surrounding cloud computing, many working in the enterprise space are still wary of adopting the technology, according to the March ISACA survey, which tapped into the opinions of more than 1,800 IT pros.

About 45 percent of respondents said that the security risks of a cloud scenario, at least in the short term, exceed the operational benefits. Only 17 percent were bullish on cloud computing. The remaining 38 percent indicated that they thought the risks were appropriately balanced.

But the report dug deeper. Only 10 percent of respondent organizations plan to use cloud computing for mission-critical IT services. Moreover, one-fourth of the respondents, or 26 percent, do not plan to use the cloud at all.

"The cloud represents a major change in how computing resources will be utilized, so it's not surprising that IT professionals have concerns about risk vs. reward trade-offs," said Robert Stroud, vice president of IT service management and governance for the service management business unit at CA Inc.

Money concerns may also serve as a check. The cloud represents a new untested venture for many IT shops amidst a general economic downturn. The survey backed up this assertion. Budget limits were considered to be the greatest hurdle to addressing security and business process risks according to 44 percent of respondents.

Cloud computing was one theme of the ISACA's survey, but there were other notable results. For instance, the report found that 50 percent of respondents think their employees do not protect confidential work data appropriately.

IDC: Oracle Faces Host of Java Challenges

James Gosling's disclosure this week that he has left his position as CTO of Oracle's client software group again threw a spotlight on the database giant's stewardship of Java. According to analysts at IDC, keeping the "Father of Java" on the payroll is the least of Oracle's Java challenges.

"What is at stake with the Oracle ownership and control over Java is not whether Java will be invested in or evolved, which is a certainty," said Al Hilwa, program director in IDC's application development software group. "The question is whether Java can be evolved in a way that broadens its appeal and keeps it competitive and compelling against the steady onslaught of new languages, platform technologies and programming metaphors, and against Microsoft, owner of the powerful and well-managed .NET franchise, with its attendant tooling and rich ecosystem."

In a recently published IDC update, Hilwa, along with colleagues Maureen Fleming, program director in IDC's process automation and deployment group, and Melinda-Carol Ballou, program director in IDC's ALM and executive strategies group, scrutinizes the Java and application platform-related information Oracle shared in its customer event on January 27, 2010, shortly after closing its acquisition of Sun Microsystems.

In the IDC update, the analysts concluded that one of the key challenges facing Oracle is the fragmentation of Java runtimes and frameworks. They refer to a "pattern of complexity resulting from layering and forking the Java platform code" into the various editions, which has "simultaneously allowed it to adapt into new territories… while at the same time undermining its elegance and practicality by growing intolerably complex."

Another challenge: multiple integrated development environments (IDEs), Java Virtual Machines (JVMs) and Web servers. Oracle inherited the JRockit JVM when it acquired BEA, and it's the strategic JVM for the Oracle WebLogic Suite. Now it has Sun's Hotspot JVM, which is more broadly adopted. The company now has three IDEs to deal with: its own JDeveloper, which it sees as strategic; Sun's NetBeans IDE, which has a devoted following; and the Eclipse IDE, which Oracle supports with the Oracle Enterprise Pack for Eclipse. And it also has two Web application servers (WebLogic and Glassfish).

"People should keep in mind that Oracle has bet the company on Java," Hilwa said. "Oracle has anchored the architecture of its next-generation packaged applications (Oracle Fusion Applications) with its Java-based application and integration platform middleware (Oracle Fusion Middleware). I'd argue that Java is more important to them than it was to Sun. Java was almost like a side business to Sun. But the future success of Java is fundamental to the success of Oracle as a vendor of anything other than databases. People should be comforted by that fact."

"What remains to be seen," he added, "is how Oracle will implement processes that are acceptable to the community. I think Oracle wants to be seen as a good steward of Java, but also a strong steward, the kind that makes the hard decisions for the betterment of Java. My guess is that Oracle believes that Java needs to be more actively steered by its steward, and that the process could be managed more tightly."

This IDC update, "Oracle Sips Its Java: Examining Oracle's Road Map for Sun's Development Tools and Middleware Products," is available to IDC clients and on sale on the IDC Web site.

Tuesday, April 27, 2010

Free Service Checks Windows 7 Application Compatibility

Small-to-medium businesses (SMBs) trying to assess if older applications will run on Windows 7 Professional edition can take advantage of a free online remediation service.

The service, called AOK4SMB, is offered by Microsoft Gold Certified Partner ChangeBase AOK. Users can upload packaged applications to the AOK4SMB Web portal to test the compatibility of those applications with Windows 7 Professional. The service is currently available and free for up to three applications until the end of July 2010.

ChangeBase is running this service as a pilot to see if there's a demand for it, so there's no charge at present. The service has a few limitations. It does not address incompatibilities that may arise in running 32-bit applications on 64-bit Windows 7 Professional. It also doesn't work for Internet Explorer compatibility issues, according to ChangeBase's FAQ.

To use the service, users need to upload zipped installer files in the .MSI file format. MSI files typically include associated files (such as .CAB files) to support the application, but it's possible to upload those files separately from the MSI file. The tested MSI file is then returned, along with a report in PDF format.

The idea of the service is to assess applications that may not run natively on Windows 7 Professional. AOK4SMB uses three color codes to assess them. Green means that the application will run natively on Windows 7 Professional. Amber assesses compatibility issues with the installer file and those problems automatically get fixed by the service. Red means that there's a problem with how the application works, possibly because certain functionality has been deprecated in Windows 7 Professional or a driver needs updating (or worse).

Microsoft teamed with ChangeBase on the service, but it also offers its own application compatibility resource through the Microsoft Windows 7 Compatibility Center. However, this Web portal doesn't provide help for checking the compatibility of custom-built applications, and that's where ChangeBase's service may prove useful.

SMB users of Windows 7 Professional and Windows 7 Ultimate editions also have the option of running legacy applications via Windows XP Mode, which works with Windows Virtual PC. Windows XP Mode provides a complete copy of Windows XP Service Pack 3 running in a virtual machine on top of Windows 7. It allows users to continue to use their legacy applications as the SMB transitions to Windows 7.

For larger organizations, Microsoft recommends using virtualization tools in the Microsoft Desktop Optimization Pack (MDOP), which requires having an Enterprise Agreement in place with Software Assurance. Microsoft Enterprise Desktop Virtualization, a tool included in MDOP, permits group management of desktop virtualization instances, unlike Windows XP Mode.

Smaller organizations eventually may have the option to leverage MDOP tools via a new Windows Intune service, recently rolled out in beta form by Microsoft. However, the Windows Intune service won't be commercially available for another year.

Office 2010, SharePoint 2010 Available to IT Pros

Microsoft opened up the bits of the release-to-manufacturing version to its TechNet Plus and Microsoft Developer Network (MSDN) subscribers on Thursday. The new products are available in both 32-bit and 64-bit versions. However, Microsoft is not recommending production use of 64-bit Office 2010 because many of the add-ins and controls used with the productivity suite aren't quite ready yet.

Here are the links for TechNet Plus subscribers: Office 2010 download; SharePoint 2010 download.

MSDN subscribers can use these links: Office 2010 download; SharePoint 2010 download.

Microsoft is offering a 25 percent discount to new TechNet Plus subscribers who sign up with a special code, available at this blog. The offer is available to U.S. subscribers only and comes with this caveat: "This offer is only for new TechNet Plus Direct orders only and is only valid for redemption in the US. Offer is valid 4/1/10 to 6/30/10, subject to change."

Microsoft generally released two other related products this week: SharePoint Foundation 2010 and SharePoint Designer 2010. SharePoint Foundation 2010 is a Web-based collaboration platform that succeeds Windows SharePoint Services 3.0. SharePoint Designer, currently available in 32-bit form, is a development tool for creating SharePoint business solutions.

There's also a new capacity management portal that provides help for deploying SharePoint 2010 across data farms, as described in this blog.

Other applications now available to TechNet and MSDN subscribers include Office Web Apps for SharePoint Server 2010 (x64), Project 2010 (x86/x64) and Visio 2010 (x86/x64), according to this blog.

As previously announced, Microsoft's volume licensing customers with Software Assurance can get the RTM versions of Office 2010 and SharePoint 2010 starting on April 27, while those without Software Assurance will have access beginning on May 1.

Microsoft is floating an acute window of time for those wanting to purchase Office 2007 with Software Assurance and still get upgrade rights to Office 2010 at no additional cost. That deadline is April 30, 2010, according to this blog.

Those who are not Microsoft volume licensing customers and who are buying Office 2007 through a Microsoft authorized reseller have a longer window of time to gain upgrade rights at no cost. They can buy Office 2007 until Sept. 30, 2010 and still retain upgrade rights to a comparable edition of Office 2010. This Office 2010 "Technology Guarantee" program has lots of restrictions. The eligibility requirements are described here.

Of course, waiting until June for the general public release of Office 2010 is another option. However, Microsoft's blog noted that the retail prices for Office 2010 editions will be higher than those for Office 2007.

Finally, those wanting to get documentation on Office 2010 features can download Office 2010 Product Guides here. Microsoft's download page lists about 22 Product Guides, ranging from a general overview to guides for specific applications, such as Office Web Apps, Outlook, SharePoint Workspace and many others.

Microsoft Security Report Points Fingers at ISVs

The overall number of Windows security holes has declined in the last year by 8.4 percent to about 2,500 vulnerabilities, according to a new Microsoft report.

For a big target like Microsoft, that's good news. It's one of the findings in the eighth edition of Microsoft's Security Intelligence Report, published today, which draws its data mostly from the second half of 2009. The report, which also tracks vulnerabilities in third-party software, can be downloaded here.

The bad news: almost to a person, security experts are saying that it's time for independent software vendors (ISVs) who leverage Windows components to step up their own security strategies. And Microsoft thinks so too. Newer Windows operating systems are less vulnerable to attack. Instead, hacker and botnet attacks have shifted toward targeting third-party programs and utilities running on Windows.

In particular, third-party "auto updaters don't work for an enterprise environment," according to Nancee Melby, director of product marketing at Shavlik Technologies.

"An enterprise can't rely on faith that critical security updates are deployed in a timely fashion," she added. "It's time for the third-party vendors to look at Microsoft as an example and stop repeating the mistakes of the past."

Around 45 percent of attacks in 2009 exploited third-party apps on Windows XP. With Vista and Windows 7, that number was closer to 75 percent, according to the report.

Adobe's patching frequency has proved to be a case in point. Microsoft's report identified Adobe Reader as a consistently vulnerable application for Windows 7 users. Three of 10 troublesome third-party apps came from Adobe, according to the report.

"It's clear Microsoft has learned that Windows is often guilty by association -- justified or not -- when third-party apps have security problems," said Don Leatham, senior director of solutions and strategy at Lumension. "Microsoft has a strategy in place where they opened up the WSUS [Windows Server Update Services] APIs to allow ISVs to provide patches via Microsoft's corporate patching technology. They have done essentially the same for the System Center platform, but unfortunately there has not been widespread adoption of these capabilities by the ISV community."

As in Microsoft's previous security reports, the numbers show that more recent versions of Windows operating systems are less vulnerable to attack. Nevertheless, Microsoft's Malicious Software Removal Tool detected malware on eight of every 1,000 computers scanned in the United States during the second half of 2009. The United States was also the No. 1 target of rogue malware, according to the report.

"The only thing that Microsoft has done with Vista and Windows 7 is to make it much harder to use vulnerabilities in the design of the operating system to be the vector of attack," commented Phil Lieberman, president of Lieberman Software.

With the advent of cloud computing, Microsoft will face the additional challenges of managing its datacenter infrastructure and the security of its customers' data, while providing transparency on security policies.

"Microsoft must also get into the business of helping customers implement segregation of duties, physical security controls using mutual authentication, for instance, machine-to-machine verification and certificate management," Lieberman said.

Sunday, April 25, 2010

SQL Server 2008 R2: April Launch Brings May Release

The way Microsoft sees it, a launch tour is not the same thing as a product launch. The April "SQL Server 2008 R2 Launch" promo described here will be an event celebrating the impending product release. It will be held in Neuss, Germany in conjunction with the PASS European Conference meeting of SQL Server pros.

Sometimes a launch event and an actual product launch coincide, as noted by veteran Microsoft watcher Mary-Jo Foley with regard to Office 2010 launching on May 12. SharePoint 2010's launch is also associated with that May 12 event.

A Microsoft spokesperson confirmed the May product launch for SQL Server 2008 R2.

"As we announced in January 2010, SQL Server 2008 R2 is still on target for availability by May and will be on the May price list," the spokesperson explained by e-mail. "There will be dozens of events and webcasts worldwide starting about that timeframe."

The current release of SQL Server 2008 R2 is at the community technology preview (CTP) stage, although it's considered "feature complete," as Microsoft announced in January. Microsoft typically rolls out betas, release candidates and release-to-manufacturing versions before a product is released into general availability (GA), but maybe not this time.

"I think it's quite likely that SQL Server 2008 R2 will release to manufacturing in April and be available to customers by May at the latest," said Robert Helm, a director of research at the Directions on Microsoft consultancy, in an e-mail.

The R2 nomenclature signals that Microsoft considers this version of SQL Server to have incremental improvements. Highlighted features include a self-service business intelligence capability using PowerPivot (formerly code-named "Project Gemini") and complex event processing support using a feature called StreamInsight. Two new product offerings also will be rolled out: a Datacenter SKU and a Parallel Data Warehouse SKU ("Project Madison").

"Business intelligence features are the most compelling thing about R2 and will probably drive most upgrades," Helm said. "The business intelligence features address both ends of the spectrum. PowerPivot will enable departments to set up smaller-scale BI systems for expert Excel users, while Madison will enable SQL Server to tackle the highest-end data warehouses."

Microsoft has also been putting out the word that SQL Server 2008 R2 will entail a price increase for customers who lack Software Assurance (SA). SA is a licensing option that lets users upgrade to the next product iteration at no extra cost over the SA contract's time span -- if a new product is released within that time span.

"The price per processor license for 2008 R2 Standard Edition will increase 25 percent," explained Lesley Rubin, a Microsoft partner marketing manager for the U.S. Central Region. "For the R2 Enterprise Edition, the price per processor will increase 15 percent. For both editions, server CAL licensing will remain flat. This price increase will take effect upon General Availability of R2 this May."

SQL Server 2008 R2 will offer fewer virtualization rights than SQL Server 2008. Currently, SQL Server 2008 users have unlimited virtualization rights, according to Microsoft's pricing and licensing guide (Word doc download). However, to get "maximum virtualization" rights with SQL Server 2008 R2, customers will have to pay for the more expensive Datacenter product license, per Microsoft's overview document (PDF download).

Helm confirmed that prices are going up for the Standard and Enterprise versions of SQL Server 2008 R2, adding that the Datacenter edition will have "the most interesting new features in the core database engine."

"R2 is clearly a push to keep customers on Software Assurance, and they will be the ones who have the strongest case for moving to the new database engine," Helm added.

SA customers still might have to pay to get the R2 version if their SA contract expires before the GA release.

"Customers with Software Assurance can deploy and run SQL Server 2008 R2 Standard and Enterprise editions with no price increase until they hit the first renewal after GA," Rubin explained in the blog.

The current release of SQL Server 2008 R2, known as the "November CTP," currently can be downloaded for free at this Microsoft site.

Web Security Threats on the Rise, Report Finds

It may not be Tony Soprano on the Web, but a new security report finds that wise-guy hackers have become increasingly organized.

Additionally, they have more targets to hit on the Internet, according to Marc Fossi, a Symantec Security researcher. Fossi is editor of the "Symantec Global Internet Security Threat Report: Trends for 2009, Volume XV," which was released on Tuesday. The 97-page report can be accessed here.

"Once the malicious activity takes root, it's really difficult to get rid of it, and we're seeing that increasingly on the Internet," Fossi said. "As everybody gets more and more connected between different computer networks, it just increases the attack surface and more information stored on various sources becomes vulnerable or targeted."

According to the report, the U.S. is once again No. 1 with the most malicious activity on the Internet. China and Brazil came in second and third place, respectively.

Key Findings
Vulnerabilities in browser-based applications represent the fastest-rising information security flaws anywhere, the report found.

The biggest increase in malicious code was concentrated in the Europe, Middle East and Africa (EMEA) region. EMEA now leads the world in the overall volume of new viruses, worms and trojans created. The United States was found to be home to the most botnet command and control servers. It's also the most frequent target in denial-of-service attacks, according to the report.

Corrupt code, which is sold and distributed over the Internet, is becoming more widely available. Symantec found that 2.9 million new threats were developed last year in coded form. The code can become "more complex and dangerous" through additional alterations.

Malware kits, Internet threats and various client-side vectors, along with zero-day exploits, have grown. Consequently, manually patching computers to protect them from each new vulnerability is considered to be a losing battle, according to Symantec's report.

Fossi noted the emergence of do-it-yourself malware kits, including the Zeus Kit and SpyEye.

"You can create a unique binary with these kits that are professional enough to where they're selling for one hundred dollars and then be deployed," Fossi said. "You don't have to have a high degree of skill to deploy malware that is an info stealer and [it] can be configured to just lock a system."

Fossi said he's not ruling out a return of the Conficker worm, which ravaged Windows networks last year. It was the biggest worm since Blaster, which did its damage in 2003 and 2004.

"Conficker is definitely a possibility to come back, if not in its original form, in a variant or a new iteration," he said. "In the end, whether Conficker will emerge again is also a big psychology question. If you say [Conficker's authors] have moved on to something else, that's when they prove you wrong. So, yes, the possibility remains."

Best Practices
The best ways to secure an IT environment and reduce risks are to use antivirus software, firewalls and network security measures. Enterprises can initiate intrusion detection and prevention policies as well.

Fossi recommended keeping up with patch management cycles too. "Keep your browsers patched, regardless of which one you use," he said.

On top of that, there are issues with browser plug-ins and IT pros should have a strategy for managing them. The most common Web-based attack in 2009 was associated with malicious PDF activity, accounting for 49 percent of the total. Weaknesses in ActiveX are a huge issue when using Internet Explorer.

"Securing the endpoint is just as important as securing the server," Fossi explained. "With the rise of Web-based attacks, the endpoint is becoming increasingly important. Because they expand network influences, you can stumble on all types of things. Client-side vulnerabilities are being exploited more than anything else now."

Agile Product Watch: Cloud-Based Management Tools and More

Here's a look at some of the newest Agile-related products hitting the market:

CA earlier this month announced CA Agile Vision Team Edition, a cloud-based planning tool that uses's platform. It's targeted at companies "seeking to leverage an agile software development process, coordinating effective project and portfolio planning and prioritization," the company said. CA plans to add integration with services such as's Chatter for social collaboration and its own project and portfolio management product, CA Clarity PPM On Demand.

Digite announced that its Agile Project Management solution will be delivered on-demand, joining its software-as-a-service offerings. Its features include: user story and task objects; task definition and progress reporting; a dashboard with burndown charts, velocity reports and other metrics; integrated test and defect management modules; and integrated collaboration tools for components such as wikis, Google Wave, Twitter and e-mail.

Telerik recently launched TeamPulse, a suite of Agile management tools targeting the Microsoft .NET platform. The company said it "focuses on addressing agile project management needs on a team-wide rather than individual basis." TeamPulse works with Microsoft's Team Foundation Server to provide real-time analytics data to display the health of Agile projects and up-to-the-minute progress of teams and individuals. Currently in beta, the commercial launch is slated for July.

ThoughtWorks Studios has announced Mingle 3.1, the Agile project management component of parent company ThoughtWorks' Adaptive ALM suite. Mingle's new features include: enhancements to Murmurs, its collaboration platform; card-level reporting functions; and usability features that allow increased customization of the user interface such as handling "favorite" Mingle views and improved history filtering and notification alerts. Other components of the Adaptive ALM suite include automated testing and continuous integration and release management.

Friday, April 23, 2010

Microsoft Courts PHP Developers with Reporting Services SDK

Microsoft, continuing its strategy of opening up its products to developers who use non-Microsoft technologies, yesterday announced a software development kit to help PHP developers use SQL Server Reporting Services in Web apps.

PHP has been getting a lot of attention from Microsoft lately. Within just the last two months, the company has announced a command-line tool for PHP to deploy applications on Windows Azure, OData interoperability with PHP and guidance for using PHP with the Windows Azure Tools for Eclipse plug-in.

The new SQL Server Reporting Services SDK for PHP provides a simple API that lets developers list available reports, manage the rendering of reports in PHP applications, and provide custom parameters from a PHP Web form, according to an Interoperability@Microsoft blog post.

The open-source project hosted on CodePlex works with the free SQL Server 2008 Express with Advanced Services edition. The Business Intelligence Development Studio bundled with that free edition is used to design reports. Persistent Systems Ltd. worked on the project with Microsoft, according to the CodePlex page.

"This edition includes the SQL Server 2008 Express database engine as well as graphical administration tools and the Reporting Services server components for creating, managing, and deploying tabular, matrix, graphical, and free-form reports," according to the blog post.

Speaking to this site about Microsoft's increased emphasis on openness, Jean Paoli, general manager of Interoperability Strategy, said, "Mixed IT environments are a reality for many customers. We take a multi-faceted approach to interoperability that includes collaboration with competitors, partners and the open source community.

"We have released interoperability technical bridges for popular products including Windows Azure, SQL Server and Silverlight to connect them with various platforms, languages and tools like PHP, Java, Ruby and Eclipse," Paoli continued. "We expect to continue adding others in line with customer demand."

Microsoft Disputes 'Vulnerability' in Virtual PC

Microsoft defended its turf this week after a software security vendor went public about an alleged security hole in Redmond's Virtual PC hypervisor.

Core Security Technologies published a security advisory on Tuesday saying that a vulnerability in the hypervisor may allow attackers to bypass several Windows security mechanisms. Those mechanisms include data execution prevention, safe structured error handling and address space layout randomization.

The problem, according to Core Security's advisory, affects Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC (the successor to the 2007 version), Virtual Server 2005 and Virtual Server 2005 R2 SP1. The advisory excluded Microsoft's Hyper-V hypervisor, which is part of Windows Server 2008 and Hyper-V Server.

Microsoft's Paul Cooke disputed the "vulnerability" label being applied to Virtual PC's hypervisor. Virtual PC enables desktop virtualization, and when used with Windows XP Mode, it allows users to run the XP Service Pack 3 operating system in a virtual machine on top of Windows 7.

"The functionality that Core calls out is not an actual vulnerability per se," Cooke wrote in this blog post. "Instead, [Core Security] is describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system."

The protection mechanisms that are present in the Windows kernel are "rendered less effective inside of a virtual machine as opposed to a physical machine," Cooke noted. He added that there is no vulnerability introduced, just a loss of certain security protection mechanisms.

Microsoft's tiffs with security vendors over semantics and nuances on what constitutes a vulnerability are nothing new. However, this time, experts appear to be lining up on Redmond's side. Microsoft is correct that the operating system is isolated from the memory space of the programs running in the Virtual PC.

"The fact that the VPC [Virtual PC] creates a sandbox for misbehaved programs is exactly what it is supposed to do," said Phil Lieberman, founder and president of Lieberman Software.

To that end, Don Retallack, a security analyst at Directions on Microsoft, said he doesn't think Core Security's assertion sounds like a serious problem.

"Virtual machines are isolated from each other, so they are more secure," he said. "In that sense [Core Security's theory] doesn't show how different virtual machines interact and what would happen in those scenarios."

Retallack concurred with Cooke that anti-virus software needs to be maintained on a virtual machine, just as much as with the underlying operating system. Michael Whalen, an independent IT consultant and former senior manager of knowledge management at O'Melveny & Myers LLP, echoed the sentiment.

"In general, at the enterprise level, virtualization is where things are heading because it allows you to run multiple virtual servers on one piece of hardware," Whalen said. "Apart from making sure the underlying operating system is patched and updated, things are more fundamentally secure in a virtual environment."

IE 8 Finishes Last on Google JavaScript Test

Google last week provided an additional means for users to test JavaScript performance in Web browsers.

Users can now access a Web page that taps into the 5,000-plus tests in Google's open source Sputnik conformance test suite version 1. Running tests via this page will check the performance of JavaScript as defined in the third edition of the ECMA-262 spec, according to a Google blog.

The big winner of the Sputnik tests so far is the Opera browser, with 78 failures, according to Google's bull's-eye comparison chart. Microsoft's Internet Explorer 8 browser performed the worst (463 failures) relative to the four other browsers tested by Google.

Clumped next to Opera in the center position of the chart were Apple's Safari (159 failures), Google's Chrome (218 failures) and Mozilla's Firefox (259 failures).

The use of WebKit technology in Safari and Chrome may explain their relatively close scores in Google's Sputnik conformance test. WebKit-based browsers typically have shown high marks in Acid3 testing as well. Acid3 is a set of 100 tests designed to assess JavaScript performance and other Web technologies, such as support for CSS 3 and scalable vector graphics.

According to Google's blog, the Sputnik test runner "can be seen as a continuation of and a complement to existing browser conformance testing tools, such as the Acid3 test."

Internet Explorer 8 shows a low score (20/100) on Acid3, but Microsoft has tended to disparage that test and the company still tends to ignore it. A Microsoft official even described a low Acid3 score (32/100) for its forthcoming Internet Explorer 9 browser, which is still under wraps.

Google is currently working to make the Sputnik test suite compatible with ECMAScript 5, according to the blog. Microsoft has also initiated an effort to test ECMAScript 5 through a Microsoft CodePlex project. ("ECMAScript" is the nomenclature used in the ECMA standard, but it's more commonly known as "JavaScript.")

ECMAScript 5 was published on December 3, 2009 as part of the ECMA-262 spec. The technology in ECMAScript 5 is based on ECMAScript 3 and came about after Microsoft and Yahoo dissented against ECMAScript 4, according to Wikipedia's account.

Thursday, April 22, 2010

Smartphone Development Is More Than Just iPhone

Although it's clear that the iPhone platform is still the place to be for mobile developers, results from a recent Ovum survey indicate that there's a lot of development activity around all the major platforms, including -- somewhat surprisingly -- Microsoft and BlackBerry, often perceived to be the stragglers bringing up the rear.

Ovum Principal Analyst Tony Cripps was quoted in a blog entry as saying that "while all five major smartphone platforms score well, it is BlackBerry OS and Windows Mobile that currently lead the opposition, rather than Android or Symbian."

By "opposition," Cripps means non-iPhone (and now iPad) development. Ovum surveyed 217 mobile application developers and found that 81 percent are working on iPhone apps -- or planning to do so. That continues to be where the money is, but developers know it's not the only game in town.

RIM's BlackBerry OS and Microsoft's Windows Phone 7 OS take second and third place, respectively, with 74 percent and 66 percent of shops building apps for them. Android comes next, at 64 percent, and Symbian, the OS for Nokia phones, brings up the rear of the "big five" at 56 percent. Symbian's last-place finish is also a surprise, given that it has the largest installed base and highest shipments of any smartphone platform, according to Ovum.

"Over the last year or so, it's been perceived that Microsoft and Symbian had been a little bit left behind in public perception of those platforms," Cripps says, "and [there is] linkage between consumer acceptance of a platform and developer acceptance of that platform. The iPhone shows that." But even though the iPhone remains king, the other major platforms are still thriving. That's one indication of how big the market is.

One interesting finding of the survey, Cripps says, is that application development companies tend to develop around similar groups of platforms. The majority that develop for iPhone, for example, also tend to develop applications for both Google's Android and BlackBerry. A smaller number of companies develop for four or more platforms, and very few have the financial and manpower resources to develop for as many as six platforms, according to Cripps.

That's been a big help for BlackBerry, Cripps says. "It's piggybacking on the success of the iPhone. If developers are writing for one [platform], chances are they're writing for Android and BlackBerry as well."

BlackBerry's success hasn't been all about riding iPhone's coattails, however. Cripps says he was surprised at "how well BlackBerry came out of this. It's not just enterprise apps it's being used for." RIM's recently stated goal of being more consumer-friendly and not just a business phone has "come true," Cripps says. "RIM deserves credit here. Its showing is surprisingly good."

Things aren't so rosy for platforms out of the top five. For instance, Palm can't seem to get much traction around its Pre smartphone. "It doesn't look great either for Palm or any other smartphone beyond the top five as things stand," Cripps says. "To rise above will require significant investment in developing products and convincing developers to build an ecosystem around it."

SQL Server 2008 R2 Set to Analyze Mountains of Data, Coming in May

Microsoft announced today that SQL Server 2008 R2 is released to manufacturing just 20 months after SQL Server 2008, the platform on which it is built. SQL Server 2008 R2 (codenamed Kilimanjaro) introduces business intelligence features aimed at end users, through a dependency on Office 2010 and SharePoint 2010. All three platforms are expected next month, with SQL Server 2008 R2 slated to become available to MSDN and TechNet subscribers on May 3 and worldwide on May 13.

SQL Server 2008 R2's self-service business intelligence capabilities are tied into Excel Services in a browser running in SharePoint. The new PowerPivot add-in for Excel 2010 is part of the SQL Server 2008 R2 release. It supports viewing and working with large scale data in Excel workbooks that can be published to SharePoint Server 2010, with PowerPivot for SharePoint. Microsoft has coined the phrase "managed" self-service business intelligence because IT departments have access to administrative governance of BI usage and reporting.

With SQL Server 2008 R2, Microsoft is continuing its push to support enterprise-level requirements. This release introduces multi-server management capabilities, and Datacenter and Parallel Data Warehouse editions. Scalability is ramped up in SQL Server 2008 R2 Datacenter edition, which can support up to 256 logical processors, when used in conjunction with Windows Server 2008 R2. "That is continuing to enhance our scale up and give our customers the ability to take advantage of the hardware innovations that are being provided by our hardware partners," said Ted Kummert, senior vice president of Microsoft's Business Platform Division, during a conference call announcing SQL Server 2008 R2's release to manufacturing. The Parallel Data Warehouse edition, an appliance that is currently in its second technical preview, "is going to take us to the hundreds of terabytes," he added. "Our customers now can really buy one solution…a consistent environment that now lets them have the large single version of the truth—a mission critical data warehouse at the center with the surrounding data marts all the way through the reporting tool that can be from one vendor."

For developers, SQL Server 2008 R2 introduces the concept of the data-tier application package or Data Tier Application Component (DAC). Developers with Visual Studio 2010, which has a DAC project template, can package the schemas, objects and physical database and log files in a data tier as a single unit of deployment. Some data types (spatial) are not supported in the initial release. Wizards in SQL Server Management Studio can also be used to extract a data-tier app from an instance of SQL Server to create a DAC.

"With the introduction of something we call Application and Multi-Server Management in SQL Server 2008 R2, our customers can now centrally manage all instances of an application running on any number of servers in a very consistent manner," said Tom Casey, general manager of SQL Server Business Intelligence at Microsoft. "A developer can quickly group collections of application artifacts together like tables and views and stored procedures. And they can group them into one coherent unit of deployment. And then building on the policy-based administration features that we originally added in SQL Server 2008, those same customers can now seamlessly apply policy and procedures to govern the deployment of those application components through all phases of the application lifecycle, whether it is from development, staging and all the way to production."

If developers make changes to application artifacts, SQL Server 2008 R2 can help identify what has changed and then deploy new versions of the components. "This works not only from the desktop to the data center but in the cloud as well," said Casey. SQL Server 2008 R2 introduces the SQL Server Utility in SQL Server Management Studio, which offers a new way of managing virtual resources (instances and database applications) through a Utility Control Point.

For enterprise DBAs, SQL Server Management Studio for the first time offers multi-server management--standard dashboard functionality in other enterprise database platforms. When the product is released next month, this feature will support SQL Server 2008 R2 only, according to a Microsoft spokeswoman. SQL Server 2008 support is expected in the first Service Pack, 90 days after RTM. SQL Server 2005/2000 are not supported by multi-server management.

SQL Server 2008 R2 also introduces the SQL Server Master Data Services based on the MDM technology acquired in June 2007 when the company bought Stratature; and complex events processing in SQL Server StreamInsight. An updated version of the authoring tool for creating SQL Server reports in Office ships with SQL Server 2008 R2. Report Builder 3.0 adds support for geospatial visualization, SharePoint lists, SQL Azure and SQL Server Parallel Data Warehouse.

The SQL Server ecosystem is on board. According to Casey, more than 2,000 ISVs have "signed up" to support SQL Server 2008 R2 with products and services.

SQL Server 2008 R2 will be available in four editions: Standard, Enterprise, Datacenter and Parallel Data Warehouse. The Parallel Data Warehouse edition, which is based on Datallegro technology that Microsoft acquired in July 2008, is not part of the May release.

Microsoft Outsources IT To Infosys

Microsoft is outsourcing its IT help desk, PC, infrastructure and application support to Bangalore, India-based Infosys in a three-year deal that involves 450 Microsoft locations in 104 countries.

Terms of the deal, announced today by Infosys, were not disclosed but in an interview, Anand Nataraj, Infosys VP and unit head of infrastructure management services suggested the deal was substantial. "It's a fairly large deal," he said. "It's a major win."

Nataraj said Microsoft has tapped Infosys to implement ISO 20000 and ITSM Processes -- a set of best practices aimed at providing effective IT service management and meeting customer requirements.

The pact will involve the transition of work now performed by other partners and is not intended at displacing work done by Microsoft, according to Nataraj. "There is no job loss for Microsoft per se," he said. Microsoft for years has used offshore service providers to manage its infrastructure, applications, help desk and desktop support.

Infosys is subcontracting the PC support to Unisys. A Unisys spokesman said the company has been tapped to provide support for 120,000 employees worldwide. "This is a pretty large deal for us in terms of scope and the number of end users we are supporting," the spokesman said.

While Infosys had already been doing some work for Microsoft, Nataraj said 90 percent of the business is new to the company.

For Infosys, business is on the rise: the company today said revenues for the quarter ended on March 31 generated $1.3 billion -- a 5.2 percent increase over the same period last year and a 15 percent increase over the prior quarter. Net income of $349 million for the quarter reflected a year-over-year increase of 8.7 percent, Infosys said.

"We have been able to take advantage of the opportunities in the market and grow faster due to our investments in capacity and capability building even during the economic downturn," said Infosys CEO and managing director S. Gopalakrishnan in a statement.

Infosys is forecasting that its revenues will grow 16 to 18 percent for the year and 18.5 to 19.4 percent for the current quarter, year-over-year.

Wednesday, April 21, 2010

Component Makers Expand into New Markets

Leading .NET component maker Telerik on Monday revealed that it was breaking into the application lifecycle management (ALM) space, with the release of Telerik WebUI Test Studio automated testing products and TeamPulse agile project management for Team Foundation Server. As reported by Visual Studio Magazine Executive Editor Kathleen Richards, Telerik has formed two new divisions -- Automated Testing and Team Productivity -- to support the initiatives.

A Microsoft-aligned component maker expanding its product portfolio is not in itself newsworthy. These companies constantly change or expand their offerings as Microsoft itself expands the number and quality of built-in components that it ships with maturing platforms like Silverlight and ASP.NET MVC. What is notable, however, is that component makers are now engaging in entirely new sectors.

Infragistics is best known for the NetAdvantage family of .NET developer components, but the company was also showing off its Quince Pro hosted developer collaboration solution at the Visual Studio launch event. Quince Pro allows developers to share design frameworks, style guides and pattern libraries to drive more consistent UI development across the organization.

The Quince code was developed internally at Infragistics, but for Telerik the move into testing was enabled by its merger with Austin, Texas-based ArtofTest. Christopher Eyhorn, executive vice president of the Automated Testing Division at Telerik and formerly co-founder of ArtofTest, said Telerik WebUI Test Studio is designed to extend its appeal beyond technical testers.

"What we've really tried to do is make this interface more QA friendly. We really wanted to gear it and make it more intuitive for the non-technical tester," said Eyhorn, adding that the new product has been optimized to detect Telerik controls.

"We have translators that actually detect all the Telerik controls on the page and record against the control object model, as opposed to just atomic XAML elements. So instead of recording just a click against some stackpanel, it's actually, 'Oh, we expanded the expander,'" Eyhorn explained.

Other component makers have operated in diverse markets for years. Developer Express (DevExpress) is a major component provider, yet it is perhaps best known for developer productivity tools like CodeRush and Refactor!. The company announced that the free version of CodeRush Xpress 5 was available concurrent with the Visual Studio 2010 launch, addressing changes to the updated WPF-based VS Editor and other new functionality.

Not all component makers are rushing to adopt new competencies, said Daniel Jebaraj, vice president of Syncfusion.

"My opinion is getting into other areas, competing with ALM vendors -- HP, Rational, Microsoft -- is not something I would consider. I think the opportunity for component vendors is to grow their component base and produce larger and larger frameworks," Jebaraj said. "There is a lot of opportunity just in the core component business, without getting into ALM and testing."

One way or the other, component vendors must seek fresh ground, said Kevin White, marketing director for DevExpress.

"Companies have to do it. They have to branch out."

Google Rolling Out Richer Web Apps

Google has updated its codebase, adding features to its Google Docs online suite of applications that make them richer and more collaborative.

The updates were announced on Monday at Google's Atmosphere cloud computing event held at the company's headquarters in Mountain View, Calif. Google claimed in its official blog that it has tapped into "faster JavaScript processing" in newer or modern browsers with the codebase updates. One effect of the increased speed is that Google Docs can handle large spreadsheets with performances that "feel like desktop applications," according to Dave Girouard, president of Google Enterprise.

Google has been working on the rewrite to its codebase "over the last year," according to Anil Sabharwal, product manager for Google Apps, in an enterprise blog post. The improvements may help build the case for organizations considering moving to cloud-based productivity apps from traditional on-premises productivity solutions, such as Microsoft Office. Google's online applications have tended to lack the rich features found in Office.

To accommodate the changes, Google will have to temporarily remove offline support for Google Docs, starting on May 3, 2010, according to Sabharwal. Offline support will continue to work for Gmail and Google Calendar, Sabharwal added. Google plans to update Google Docs with an improved HTML 5-based version of offline support.

Many of the new Google Docs improvements make them more on par with the kind of functionality seen in Microsoft Office Web Apps. Google added a margin ruler for documents, along with improvements in image placement and bullets. Spreadsheets have the sort of formula editing bar seen in Microsoft Excel, along with feature improvements such as autocomplete and columns that can be dragged.

Document collaboration is improved with the new codebase update. Google Docs now supports "up to 50 simultaneous editors." Changes get refreshed and can be seen in near real time during a collaboration session, according to Google. The company also plans to add a collaboration capability for drawings and diagrams, which users will be able to access "over the next few days," according to the official Google blog.

It's unclear if the collaboration improvements are related to Google's acquisition of DocVerse, announced last month, although DocVerse's technology helped enable collaboration using Microsoft Office files.

Google plans to describe more about the improvements in a Webinar on April 20 at 9:00 a.m. Pacific Standard Time or 12:00 p.m. Eastern Standard Time. Those wanting to tune in can sign up via the enterprise blog linked above.

Visual Studio 2010 and Silverlight 4 Released

Microsoft today is officially launching Visual Studio (VS) 2010 at the Microsoft Visual Studio Conference & Expo in Las Vegas. A major update of Microsoft's flagship integrated development environment (IDE), VS2010 incorporates an advanced user interface, powerful integration and customization technology, as well as improved ALM capabilities and extended support for key Microsoft developer platforms.

In addition to the VS2010 launch, Microsoft released the final version of .NET Framework 4, an important update to its managed framework that delivers a host of underpinning technologies for .NET application developers. Also released on Monday was the final version of Silverlight 4, Microsoft's rich Internet application (RIA) platform. Silverlight 4 boasts key improvements for business application developers, including out-of-browser execution and improved data binding.

“We’re excited to celebrate the launch of Visual Studio 2010 with developers around the world today,” Bob Muglia, president of the Server and Tools Business at Microsoft, said in a statement before the keynote. “The functionality of Visual Studio 2010, .NET Framework 4 and Silverlight 4 creates a powerful and unique combination, opening up new opportunities for developers to build applications that take advantage of new and existing devices, as well as emerging platforms like cloud services.”

VS2010 in the Spotlight

Among the most visible new capabilities of VS2010 is the redesigned user interface, based on Windows Presentation Foundation 4 (WPF4). The new UI enables a more flexible and visual developer workspace, with precise rich text handling and multi-monitor support. VS2010 also promises significantly enhanced extensibility, with the Managed Extensibility Framework (MEF) enabling third-parties to seamlessly integrate functionality to the IDE.

VS2010 targets support for several critical Microsoft platforms. SharePoint tooling in VS2010 has been extensively overhauled, enabling a first-class experience for SharePoint developers in the new IDE. VS2010 provides native support for SharePoint projects and templates, as well as one-click deploy/debug/test capability. Windows Azure is also aggressively supported in the new release, providing a familiar ASP.NET-like experience for developers creating apps for the cloud.

VS2010 also provides new tooling for Silverlight 4, Windows Phone 7 mobile development and ASP.NET Model-View-Controller (MVC) projects, which enable developers to separate the appearance and core business logic of Web applications. While tooling for Silverlight 4 is not present in the current version of VS2010, Microsoft expects to add a Silverlight 4 designer soon. Developers will be able to download the Silverlight 4 tooling free from Microsoft.

Application lifecycle management (ALM) is an important area of focus in VS2010, which no longer limits key test and collaboration functionality to Team System versions of Visual Studio. IntelliTrace, described by Dave Mendlen, Microsoft senior director of developer marketing as a “time machine” for developers and testers, captures an application's execution history so a bug can be literally played back on a tester's machine. IntelliTrace promises to help end the scourge of non-reproducible bugs. Improved test and collaboration resources are also included in the release.

“The enhanced testing features in Visual Studio 2010 automate the majority of common tasks and streamline the flow of information across our team,” said Steve Schlonski, vice president, Xerox Global Services, Global Technology and Offering Development. “This has led to a significant productivity increase; when you combine this with the ability to have a single unified view of project status, it dramatically drives down project risk.”

At the show, Microsoft released a new collaboration product, called Visual Studio Team Explorer Everywhere 2010. A Team Foundation Server (TFS) tool for developers working outside of Visual Studio, VS Team Explorer Everywhere appeals to shops doing Java development on Windows and on Mac platforms, said Microsoft.

At the show Microsoft also announced that it was extending its Ultimate Offer program for two weeks beyond the original April 12 end date. The Ultimate Offer gives existing Visual Studio customers with a premium MSDN subscription the ability to step up to a higher level SKU when they move to VS2010. For instance, a developer shop using Visual Studio 2008 Professional would be eligible to upgrade to Visual Studio 2010 Premium under the program.

Agile Management Tool Released

Goda Software last month released Scrum Spec 10.0, a project management tool specifically tailored for Agile development. It uses a customizable graphic interface to centrally manage Agile components such as releases, sprints and artifacts such as user stories, requirements, features, test cases and bugs, according to a company news release.

Along with the Professional edition, Scrum Spec 10.0 comes in a free Basic version that allows up to three licensed users. The free edition lacks the document management and customization functionality of the higher-end edition and also imposes a maximum database size of 2GB. The pro edition has no limits for users or database size. It is priced according to the number of floating clients, which can be installed on any number of computers, with only the server being locked to one machine. Pricing ranges from $1,300 for five licenses to $12,000 for 100 licenses.

An on-demand option in which Scrum Spec 10.0 is installed on Goda’s servers costs $40 per user per month with a minimum subscription period of three months.

The tool includes functionality such as: inline data editing, access control, import/export features and graphical reports with data analysis capability, according to company sources.

Oracle Reassures Developers about Future of MySQL

Oracle Corporation will increase its investment in the open-source MySQL database it acquired with its purchase of Sun Microsystems, and it has already begun to make improvements to the software. So said Oracle's chief software architect, Edward Screven, during his "State of the Dolphin" keynote address at the annual MySQL Conference and Expo in Santa Clara, Calif., this week.

"We are going to continue to develop, promote and support MySQL," he said, adding, "It's worth it to Oracle to invest in MySQL, and we're making it better. Not at some abstract point in the future, but today."

Screven pointed to the beta of MySQL 5.5, which he claimed improves performance by more than 200 percent and improves recovery times by more than a factor of 10. He added that semi-synch replication and more partitioning will be integrated in MySQL 5.5, and he assured the crowd that Oracle will maintain MySQL Server's pluggable storage engine architecture -- the enterprise and community editions will ship with the same code.

Oracle also announced the release of MySQL Cluster 7.1 at the show, and Screven cited Oracle's investment in that release, as well as MySQL Workbench 5.2 and MySQL Enterprise Monitor 2.2, as further proof of the company's commitment.

Screven also made the case that Oracle is just open-source friendly in general. Open source has long been an important part of Oracle's product offerings, he said. He cited the company's extensive investment in and involvement with the Java platform, the Apache Web server, the Xen hypervisor, the Linux OS, the PHP scripting language and the Eclipse platform, among others.

"There's a lot of great stuff out there that's open source," he said. "By using open source… and delivering it to our customers … we speed up time to innovation. We get to take advantage of all the great work that's happening out there in the community. We also contribute work back. And we want developers to use our products, and developers like open source."

"MySQL is part of Oracle's open strategy that drives our entire company," he said.

But Roger Burkhardt, CEO of Ingres, an open source database company and Oracle competitor, warned that Oracle can't be trusted with MySQL. In an apparently widely circulated e-mail, Burkhardt wrote:

"Oracle has already cut back the MySQL road map to avoid competing with its own database management system and will try and attract MySQL developers onto a path to costly proprietary software and vendor lock-ins. MySQL lacks the enterprise grade strength and features required to actually run Oracle's own applications in production and they won't add these capabilities. They will use MySQL and Glassfish as open source 'window dressing' to try and divert the threat from capable open source technologies such as Ingres and JBOSS, to their overpriced database and application server software."

Another critic of Oracle's stewardship of MySQL, Michael "Monty" Widenius, main author of the original MySQL and one of the creators of the MariaDB fork of the database, was on hand at the conference to provide his first keynote in five years.

"MySQL is an ecosystem, not just a company," Widenius said. He said that all the different branches of MySQL and the different companies have to work together to contribute code to a common 'trunk.'

"You need to have lots of people outside inside to get something that is both developer and company driven," he said. "The best possible database you can get is when you have people who are using the code also developing it. The only way to do that is to have developers everywhere."

"There has been a lot of movement in the MySQL space this year," he added. "Lots of people have been changing jobs. Most of the MySQL executives from Sun have changed jobs. But what makes me happy is that we have been able to keep engineers in the [MySQL] ecosystems."

Microsoft 2010 Products Hit RTM, Arriving in May

Microsoft on Thursday announced the release of four of its 2010-branded applications to its manufacturing partners.

The products hitting release-to-manufacturing (RTM) stage include Microsoft Office 2010, SharePoint 2010, Visio 2010 and Project 2010. The RTM is Microsoft's final engineering milestone in which the completed product is shipped off for imaging by equipment manufacturers, or PC makers in this case.

The journey to RTM represents about 3.5 years per product for Microsoft's various teams.

On Monday, Microsoft also announced the RTM releases of System Center Essentials and System Center Data Protection Manager. Those announcements came as part of the Microsoft Management Summit 2010, which is currently ongoing this week in Las Vegas.

Microsoft's new management software "will be generally available and on the Microsoft Price List by June 1," according to Microsoft's blog for System Center Data Protection Manager. The blog added that the "full packaged product (and pricing) will be available by the end of May as it is released into the various Microsoft channels."

Those wanting to get their hands on Microsoft Office 2010, SharePoint 2010, Visio 2010 and Project 2010 have a few other dates to keep in mind. Microsoft's volume licensing customers with Software Assurance can download those products starting on April 27 from Microsoft's Volume Licensing Service Center. Volume licensing customers without Software Assurance can get those products from the center beginning on May 1.

Organizations can qualify for volume licensing with as few as two computers, according to Eric Ligman, global partner experience lead for the Microsoft Worldwide Partner Group.

Microsoft's MSDN subscribers will be able to download these 2010 products on April 22, according to one Microsoft blog. Presumably, Microsoft's TechNet Plus subscribers will be able to get the bits at that time too.

Individuals wanting to be the first to pick up a 2010 product box at their local retail store have to wait a bit longer. For instance, Office 2010 will be available in retail stores in June. Microsoft is taking preorders for the Office 2010 products at its online store here. The public can preorder Office Professional 2010 ($499.99), Office Home and Business 2010 ($279.99) and Office Home and Student ($149.99).

Microsoft Office 2010, SharePoint 2010, Visio 2010 and Project 2010 will be available in English, Dutch, French, German, Russian and Spanish languages when released in May.

Finally, Microsoft is planning a launch event on May 12 in which Stephen Elop, president of Microsoft's Business Division, will deliver a keynote address on the new Office 2010 and SharePoint 2010 products.

One of the useful features in Word 2010 will be coauthoring. Users can work on the same document while seeing the sections that other collaborators are revising. Microsoft will also boost collaboration in Office 2010 by integrating browser-based Office Web Apps with the productivity suite.

Microsoft released Exchange 2010 back in November. Those looking for Microsoft SQL Server 2008 R2 can expect it to be available in May.

Sunday, April 18, 2010

Report: IE 8 Leads in Malware Protection

Microsoft's Internet Explorer 8 outperformed four other Web browsers in protecting against malware spread by social engineering techniques, according to a Microsoft-funded NSS Labs report.

NSS Labs is an independent product testing firm, but it received support from seven test infrastructure partners for the study, "Web Browser Security Socially-Engineered Malware Protection -- February 2010" (PDF). Microsoft is not listed in the study as a sponsor, but a spokesperson at Microsoft confirmed the company's sponsorship by e-mail.

The main reason why IE 8 beat out the competition -- which included Apple Safari 4, Google Chrome 4, Mozilla Firefox 3.5 and Opera 10 -- appears to be Microsoft's use of its "SmartScreen Filter" technology. SmartScreen is a reputation-based URL comparison service that warns users of known threats, such as a Web page that attempts to get users to download malicious programs. Chrome, Firefox and Safari all used Google's "Safe Browser feed" service instead. The report did not explain what URL reputation service was used by Opera.

According to the report, IE 8 caught 85 percent of live threats. Other browsers fell far behind in protection against socially engineered malware. Safari caught 29 percent of live threats, tying with Firefox. Chrome caught 17 percent, while Opera caught less than 1 percent.

Opera finished dead last in this report's overall comparisons of protection against socially engineered malware. This report is actually NSS Labs' third release on the subject, and Opera similarly trailed in the previous reports, published on July 20, 2009 (PDF) and March 12, 2009 (PDF). Back in March 2009, an Opera Software blog described NSS Labs' report as "just another Microsoft marketing trick." The blog questioned NSS Labs' methodology and suggested that statistical tricks were used.

NSS Labs' methodology for the February study is described as a "proprietary Live Testing" approach. The objective is to insert the freshest samples of malware into the testing process over a set period of time. It's an approach that software security vendor Trend Micro announced support for late last year.

The report measured browser protection against malware only when spread by social engineering techniques. It excluded other means of spreading viruses, trojans and worms. Consequently, just 562 URLs passed the NSS Labs' criteria and were used in the study.

Browsers that scored well on the tests essentially had to show protection against trickery used by hackers to get users to click on a link or visit a malicious Web page, thereby downloading a malicious program. Malware associated with browser plug-ins (also called "add-ons") was excluded from the report. The report also did not test for "clickjacking or drive-by downloads."

Office 2010 Breaks ISO/IEC Standard, Official Says

In response to criticism, Microsoft disclosed more information about how Office 2010 will support the controversial ISO/IEC 29500 document format standard.

Doug Mahugh, Microsoft's lead standards professional on the Office Interoperability team, on Tuesday came forward with Microsoft's plans after an influential Microsoft supporter during the standards process accused the company of bad faith. In response, Mahugh said in a blog post that Microsoft plans to fully implement the standard in its yet-to-be-announced "Office 15" release.

The bad faith accusation came from Alex Brown, a former convener of the Joint ISO/IEC Technical Committee that had helped to foster the Office Open XML (OOXML) document format as an international standard.

Brown also spearheaded a much criticized "Ballot Resolution Meeting" (BRM) that speeded up the ISO/IEC approval process. The BRM glossed over many issues associated with the standard, according to Andy Updegrove, an attorney with Boston-based Gessmer Updegrove LLP.

"Addressing and discussing each one [of the issues] in a single week would have been impossible, and Alex brokered a number of decisions that (depending on your viewpoint) either made a creative resolution possible or made a sham out of the BRM process. Up until now, Alex has staunchly defended those decisions," Updegrove wrote in a blog post.

Brown was a steadfast supporter of Microsoft during the tumultuous proceedings that led to ISO/IEC 29500 becoming a standard two years ago. However, last week, Brown accused Microsoft of not following through with the strict implementation of the ISO/IEC standard in Office 2010. Instead, Microsoft will use a transitional implementation.

"If Microsoft ship[s] Office 2010 to handle only the Transitional variant of ISO/IEC 29500 they should expect to be roundly condemned for breaking faith with the International Standards community," Brown wrote in his blog. "This is not the format 'approved by ISO/IEC,' it is the format that was rejected."

The transitional variant was rejected in September 2007, Brown explained. It was based on the Ecma-376 first edition standard for OOXML and contained portions of the spec that ISO/IEC felt should be deprecated.

Mahugh clarified that Office 15 will fully support the strict variant of the ISO/IEC 29500 standard. Office 2010 (formerly code-named "Office 14"), on the other hand, will have read-only capabilities for the strict variant but read and write capabilities for the transitional variant. Microsoft took that course to ensure compatibility and interoperability with other versions of Office, he explained.

"So although the conformance clause [in the ISO/IEC spec] says that Transitional 'should not' be used for new documents, we have decided that the needs of customers, combined with the realities of the current document format ecosystem (most existing implementations are Transitional, recent major changes to the Strict namespaces), make Transitional the right choice," Mahugh explained in the blog.

Office 2010 will be available in a couple of months. Microsoft announced that it plans to release Office 2010 to business users on May 12. The release will be part of a general product launch that includes SharePoint 2010, Project 2010 and Visio 2010.

Telerik Expands Portfolio with Team Development Tools

Development tools provider Telerik Inc. is continuing its expansion beyond Windows and .NET components, merging with its partner ArtOfTest, Inc. and establishing a new business division with Imaginet Resources Corp., a specialist in Agile project management.

The company announced the creation of Automated Testing and Team Productivity divisions, both focused on developing solutions that meet the needs of small to medium-sized dev shops.

"We wanted to identify the key hurdles and obstacles that we ourselves experienced in software development internally," said Telerik co-CEO Svetozar Georgiev. "We believe that there is a very good chance that there are a lot of companies out there, which are small to medium sized that would benefit from such tools, because the supply of tools is biased towards the enterprise segment."

The company is now structured around four tools divisions: Developer Productivity, Team Productivity, Automated Testing and Web Content Management. The Developer Productivity Tools group is releasing RadControls for Silverlight 4 and WPF 4 in conjunction with the Microsoft launch of its rich Internet app platform and Visual Studio 2010 and .NET Framework 4 this week. The component suites support the new platform, and Microsoft's design studio tooling Expression Blend 4, which is still in beta. A new VS2008/2010 add-in for unit testing called JustMock was released last week in beta, with a commercial version expected in July.

The first tooling from the Team Productivity group is TeamPulse, which was built in Silverlight 4. TeamPulse is an agile project management platform that integrates with Microsoft Team Foundation Server. It provides visual tools to capture app requirements based on user stories and scheduling for iterations and sprints. After project management, agile teams can sync TeamPulse with Microsoft Team Foundation Server (TFS) 2008/2010.

"It is a planning sandbox for TFS," said Todd Anglin, a Microsoft MVP and Telerik’s chief evangelist. "The reason we went this route is that TFS is outstanding as a construction management tool that helps develop shops build software, but it is a little too rigid for the nebulous early stages of planning and so you need a sandbox to work through those things."

TeamPulse does not require TFS; it will work with any persistence store, including SQL Server, according to Anglin. It is available in beta this week; the commercial release is expected in July.

Telerik is also releasing a Quality Assurance edition of WebUI Test Studio, an automated testing framework that is also available as a Visual Studio plug-in for developers. The company has offered WebUI Test Studio, which supports AJAX, Silverlight and ASP.NET MVC testing, in partnership with ArtOfTest since 2008. The new standalone QA edition of the automated test framework--there is no requirement for Visual Studio--is designed to support functional and UI testing by non-technical users.

It also integrates with TFS 2010/2008 and source code, which makes it easier for QAs and developers to collaborate during the testing and development process, explained Anglin. "So the QAs can very easily interact with--check-out, create, check-in, edit, modify--all of the automated tests they are working with in the same TFS repository that the developers on the other side of the shop are using to write the code for the application," he said.

With both the QA and developer frameworks, you can record a test once and run it against multiple browsers. The tool supports Internet Explorer, Firefox and Safari; Chrome is on the roadmap. You can also change the layout of an application without breaking tests, according to Telerik. The automated testing frameworks offer native support of Telerik's RadControls.

"We have identified markets with a lot of synergies with what we do today," Georgiev said, "which address the same companies, the same people, but we are not just talking to developers from now on, we will be talking to developers' colleagues as well."

Licensing and pricing are designed to attract small to mid-size dev shops, but the tooling is scalable for large enterprises, he said.

The Automated Testing Tools division remains in Austin, TX, where ArtOfTest, which merged with Telerik in December, is located. The Team Productivity Tools division is based in Winnipeg, MB, Canada.

The company has expanded its portfolio aggressively in recent years. Telerik acquired Vanetek of Germany and its OpenAccess ORM product in December 2008.
