
Posts Tagged ‘Microsoft’

By Gregg Keizer
Computerworld (US)
September 2, 2010

FRAMINGHAM - Microsoft on Tuesday again abstained from naming which of its Windows programs, if any, contain bugs that could lead to widespread “DLL load hijacking” attacks.

Also on Tuesday, the company published an automated tool to make it easier for users to block attacks exploiting vulnerabilities in a host of Windows applications.

The DLL load hijacking vulnerabilities exist in many Windows applications because the programs load code libraries, dubbed “dynamic-link libraries,” or “DLLs,” by bare file name rather than by full path. Windows then searches a fixed list of directories for that name, and the list includes the application’s current working directory, which is typically the folder a document was opened from. An attacker who plants a malicious file with the expected name in that folder, and gets the user to open a document there, can have the application load it, as long as no legitimate copy exists in a directory searched earlier. The result: the attacker’s code runs with the user’s privileges and can plant malware on the machine.

“Microsoft plans to address those of our products affected by this issue in the most appropriate way for customers,” said Jerry Bryant, a group manager with the Microsoft Security Response Center, in a Tuesday entry on that team’s blog. “This will primarily be in the form of security updates or defense-in-depth updates.”

Although Microsoft again declined to call out its vulnerable software, outside researchers have identified as potential targets a number of its high-profile apps, including Word 2007, PowerPoint 2007 and 2010, Address Book and Windows Contact, and Windows Live Mail.

Other vendors’ software may also be at risk, including Mozilla’s Firefox, Google’s Chrome, and Adobe’s Photoshop.

Bryant hinted that some Microsoft software could be exploited. “Due to the fact that customers need to click through a series of warnings and dialogs to open a malicious file, we rate most of these vulnerabilities as Important,” he said, referring to the second-highest threat ranking in the company’s four-step scoring system.

Microsoft typically uses Important to describe bugs that can be exploited remotely — via the Internet or e-mail, for example — but which also require that the user assist the attack in some way, usually by clicking through warnings or opening a malicious file.

In another blog, Jonathan Ness, an engineer with MSRC, and Maarten Van Horenbeeck, an MSRC program manager, described how customers can deploy and use a tool the company first offered Aug. 23.

That tool, aimed at enterprise IT personnel, blocks the loading of DLLs from an application’s current working directory when that directory is a remote location, such as a WebDAV folder served by a Web site or a share on an organization’s network. At its strictest setting it drops the working directory from the DLL search order altogether, which also covers removable media such as USB drives.

Not surprisingly, Microsoft acknowledged that users have asked for more help with the tool. Shortly after its release, IT professionals complained that the tool was confusing and asked colleagues for advice on how to configure it.

To simplify things, Microsoft has posted a “Fix It” tool on its support site that automatically blocks any DLLs from loading from WebDAV or SMB (Server Message Block) shares, two of the most likely attack vectors. Users must still download and install the original tool, however.

Ness and Van Horenbeeck also downplayed the threat to some extent, saying that DLL load hijacking bugs cannot be exploited via “drive-by” attacks, where a user’s PC is infected as soon as he or she browses to a malicious site.

“A victim would need to browse to a malicious WebDAV server or a malicious SMB server and double-click a file in the Windows Explorer window that the malicious server displays,” they said.

Microsoft has known of the issue since at least August 2009, when researchers with the University of California Davis notified the company of their work. There’s evidence, however, of reports as far back as 2000, and attacks exploiting the flaw the following year, when the Nimda worm leveraged the bug in Office 2000.

HD Moore, chief security officer at Rapid7 and the creator of the Metasploit penetration testing toolkit, was the first to reveal the potential attacks when, on Aug. 19, he said he’d found 40 vulnerable Windows applications. Moore was followed by other researchers who claimed different numbers of at-risk programs, ranging from more than 200 to fewer than 30.

Some vendors have already patched the problem in their software. Both uTorrent and Wireshark, a BitTorrent client and network protocol analyzer, respectively, have been updated to address the bug.

Others are working on a fix. “We’re testing our own Firefox-specific fixes and plan to get them out to users soon,” Mozilla’s security team said in an e-mail reply to questions last week.

Even so, Microsoft said patches may be long in coming to some users. “We recognize that it may take quite a bit of time for all affected applications to be updated and for some, an update may not be possible,” Bryant admitted.

In lieu of patches, the blocking tool is the best defense, he continued. With that in mind, Microsoft plans to make the tool available “within the next couple of weeks” for downloading and deployment using Windows Server Update Services (WSUS), Microsoft’s most-used business patch management mechanism.

The company is also thinking about pushing the tool to everyone, including consumers, via Windows Update, although it would be switched off by default, said Bryant.

By Gregg Keizer
Computerworld (US)
September 2, 2010

FRAMINGHAM - A little-known group of security researchers will kick off a month of bug disclosures starting tomorrow that target unpatched vulnerabilities in software from Adobe, Microsoft, Mozilla, Apple and others.

But the researcher who launched the month-of-bugs practice four years ago isn’t optimistic that reviving it will have much impact.

The “Month Of Abysssec Undisclosed Bugs” (MOAUB) will feature flaws in Microsoft’s Excel and Internet Explorer, the Linux-based cPanel Web hosting control panel, and other software, said Abysssec Security Research in a post to the firm’s blog earlier this month.

“They’re threatening — at least, the companies affected will see it as a threat — to release vulnerabilities on all kinds of software, from desktop applications to browsers,” said Jamz Yaneza, threat research manager at Trend Micro, today.

Microsoft, which figured prominently in the MOAUB announcement, said it’s aware of the group’s plan. “As always, if and when a vulnerability is publicly disclosed, Microsoft will take immediate action to determine the appropriate response for our customers,” said Jerry Bryant, group manager with the Microsoft Security Response Center (MSRC).

Yaneza said he had not heard of Abysssec before this.

According to the group’s Web site, it is made up of four researchers — none of whom were identified by a full name — that specialize in penetration testing, exploit development and application security review. Abysssec’s Web site was registered in 2008, but the WHOIS record is hidden behind a privacy wall.

However, LinkedIn listed Shahin Ramezany, of Albany, N.Y., as a researcher with Abysssec. The group did not reply to an e-mailed request for an interview.

“Starting on the 1st of September, we will release a collection of [zero-days], Web application vulnerabilities, and detailed binary analysis (and [proof-of-concepts]) for recently released advisories by vendors such as Microsoft, Mozilla, Sun, Apple, Adobe, HP [and] Novel [sic],” the foursome said.

Yaneza said users should pay attention to the MOAUB disclosures, but he didn’t seem worried about the threat.

“It’s all going to be low-hanging fruit,” he said, referring to the term that describes easily-found vulnerabilities. “We’ve seen vulnerabilities on these [programs]. I’m not too much concerned. If users patch as usual and keep their automatic patching turned on, they should be fine.”

Bug-of-the-month collections were popular several years ago, but the practice has been little used since 2007. In July 2006, HD Moore, now the chief security officer of Rapid7, used a “Month of Browser Bugs” event to showcase vulnerabilities in Internet Explorer 6 (IE6), Firefox, Safari and Opera.

Moore’s month-long bug event was quickly followed by others, including “Month of Kernel Bugs” in November 2006, and a “Month of Apple Bugs” in January 2007.

Yaneza called Abysssec’s upcoming bug month a “publicity stunt” designed to attract attention to the group.

Moore agreed.

“Sure, they are publicity stunts, but that’s not the point,” he said today. “Projects like Month of Browser Bugs, and the kernel and Apple ones, they get vendors to patch lots of vulnerabilities, dozens and dozens, and focus security research on a necessary area.”

But he wasn’t sure MOAUB would do that. “Other projects focused on one general area, like browsers or Apple,” Moore said. “But this seems like it’s just a bunch of vulnerabilities. I don’t know if this will have the same impact.”

Microsoft’s Bryant also took Abysssec to task. “Disclosing vulnerabilities publicly only puts customers at risk,” he said in an e-mail, repeating a long-time stance by the company.

Abysssec will post its findings on the Exploit Database Web site throughout September.


By Tony Bradley
PC World (US)
August 31, 2010

SAN FRANCISCO - Microsoft is reportedly set to spend half a billion dollars on a marketing blitz to promote the upcoming launch of Windows Phone 7. For the sake of the success of Windows Phone 7, hopefully Microsoft understands that getting the right message in front of the right people is more important than randomly filling media with advertising.

Truthfully, $500 million isn’t that much–at least not for Microsoft. It spent $500 million pushing the launch of Windows XP, and that was a decade ago marketing an operating system that was almost guaranteed to be a success anyway. Adjusting for inflation, and throwing in some intangibles for the competitive state of smartphones, and Microsoft’s current place in the market, $1 billion would be reasonable.

But spending money alone will not ensure the success of Windows Phone 7. If Microsoft spends half a billion dollars running quirky, enigmatic ads for Windows Phone 7 on MTV and Nickelodeon, starring Bill Gates and Jerry Seinfeld, it may as well just flush the money down the toilet (or give it to me–e-mail me for the mailing address).

A bad message with a huge marketing budget can get some traction just based on buying sheer volume, but an awesome ad with virtually no budget can become a self-propagating, viral marketing message. The awesome ad has to strike a chord with the right audience, though. Then that audience will remember it, and share it, and act on it.

Windows Phone 7 appears to be a worthy next-generation smartphone platform from what has been revealed thus far. It also seems that Microsoft has thrown out its own playbook, and even steered away from a simple “me-too” approach to developing yet another iPhone-esque platform, and has actually developed some innovative elements that can set Windows Phone 7 apart from the competition.

The main reason that Microsoft has managed to hang on to 13 percent of the smartphone market despite having nothing compelling or innovative to offer for years is its foothold on backend servers, the desktop operating system, and–most importantly–office productivity. Businesses already have an investment in a Microsoft infrastructure, and a smartphone that integrates natively with that infrastructure makes more sense.

Other smartphones recognize the importance of Microsoft integration. Exchange push capability is a basic prerequisite for any business smartphone aside from a BlackBerry–and that is because BlackBerry Enterprise Server connects with Exchange on the backend and manages delivery of messages to the device.

It isn’t just about Exchange either. The Microsoft Office Suite is the core productivity software in a majority of businesses. Other smartphone platforms have remote desktops, or apps that are capable of emulating compatibility with Microsoft Office on some level–but they’re not Microsoft Office. Most of these implementations are functional, but are clunky and cumbersome compared with simply using Office. It’s like trying to fit a square peg in the round hole by tacking on apps after the fact that pale in comparison.

Business is Microsoft’s forte. Most Microsoft efforts at being cool, or trying to capture the consumer market have been abysmal failures–like the Kin. It is fair to recognize that all employees and business owners are also consumers, and to have a healthy respect for the success that Apple has had in working from the bottom up model–targeting consumers and sparking a revolution that forced business to take the iPhone seriously, but Microsoft is not Apple.

Microsoft should invest heavily in launching Windows Phone 7. It needs to give people a reason to care that Microsoft is getting back in the game, and some incentive for businesses to take a chance on the new mobile OS.

Microsoft just needs to make sure that it is saying the right thing, in the right way, to the right audience–or the marketing will just be a waste of time. And, all marketing aside, the success or failure of Windows Phone 7 will ultimately come down to how well-engineered and innovative the new platform really is.


By Gregg Keizer
Computerworld (US)
August 27, 2010

FRAMINGHAM - Microsoft’s Russian Web site today revealed details about the new Internet Explorer 9 (IE9) user interface, touting new features such as quick-release tabs and a Chrome-like address-cum-search bar.

Although the company has issued several developer previews of IE9 since March, those builds have lacked any user interface (UI), and instead have presented the rendering and JavaScript engines in a wrapper that lacks even the most basic navigational aids, such as a Back button.

IE9’s user interface will look a lot like Google’s Chrome if Microsoft Russia’s site is accurate.

Until today, Microsoft had kept quiet about IE9’s look and feel.

Microsoft Russia’s press site published a screenshot of and additional information about IE9. The page has since been pulled, but as of noon today, remained available in Bing.com’s cache.

ZDNet blogger Mary Jo Foley reported on the IE9 details earlier today.

The IE9 interface shown in the screenshot sported a Firefox-esque design to the Back/Forward buttons — the former is larger than the latter — dispensed with traditional menus, put tabs atop the browser window and combined the address and search bars, a move taken from Chrome’s playbook.

At the far right, IE9 displays a trio of icons — one is clearly Home — that likely lead to more menus and the browser’s bookmark manager.

The text on the page supported the hints provided by the screenshot that Microsoft will “Chromify” IE9’s interface by mimicking that browser’s UI.

“Your browser is not overloaded with navigation elements, and compared with other browsers leaves more space for the site,” a machine translation of the promotional copy read. “Now the user sees only what is necessary for navigation.”

The changes shouldn’t come as a surprise. Other browser makers, notably No. 2 Mozilla, have headed in that direction, too, as they follow the lead of Google and its cleaner-composed Chrome. Mozilla’s next major upgrade, Firefox 4, will feature tabs on top and will eliminate the traditional Windows menus above the browser’s content area, two features popularized by Chrome.

IE9’s marketing material also described a way to pin sites to the taskbar — much like a local application — by dragging a tab to the Windows taskbar. Those sites can then be accessed with a single click without first having to open IE9. “Anchored sites are seamlessly integrated into [the] navigation system [of] Windows 7,” the copy said. “Thus, the work of such sites [is] as simple and familiar as with other Windows applications.”

IE9 will also leverage the Aero UI of Vista and Windows 7 with a feature dubbed “quick release tabs.” By dragging IE9’s window to the side of the screen, Aero’s “Snap” feature will automatically display two tabs in equally-sized, side-by-side frames.

The new browser will run only on Vista and Windows 7, not the much more popular Windows XP.

Microsoft declined to confirm the details leaked by its Russian press site or comment on its IE9 interface plans.

IE9’s first beta will be available for download on Sept. 15, when Microsoft will host a launch event in San Francisco. The company has not revealed a final ship date, although some have speculated that an April 2011 release is likely. That would coincide with MIX, Microsoft’s annual Web conference, slated for April 12-14, 2011, in Las Vegas.


By Sharon Gaudin
Computerworld (US)
August 27, 2010

FRAMINGHAM - With Microsoft and Yahoo officially teaming up in the search market this week, it’s time to wait and see if this move could eat into Google’s hearty lead over its top opponents.

Microsoft and Yahoo announced Tuesday that Bing is totally fueling Yahoo search results in the U.S. and Canada. The search integration comes more than a year after both companies announced that they were joining forces to better take on Google, the goliath of the search industry.

It will be a while before there are any numbers to show how the pair is faring against Google, said Hadley Reynolds, an analyst at market research firm IDC. However, he said the launch was a positive start.

“It’s important for Microsoft and Yahoo that the shift from Yahoo search to Bing for organic results took place smoothly this week — apparently without any technical breakdowns,” Reynolds said. “These transitions are dicey in any software environment, and the fact that Yahoo and Bing pulled off the project successfully should build confidence among search marketers and advertisers.”

With the 10-year deal, Yahoo gave up its own longstanding search technology in favor of Microsoft’s fairly new Bing search engine, which now powers all searches on the various Yahoo sites.

Both the U.S. Department of Justice and the European Commission approved the search agreement earlier this year.

This week’s announcement marks a first step in putting the agreement into action. Satya Nadella, a senior vice president at Microsoft, noted in a blog post that at this point, Bing is only powering results in English in the U.S. and Canada. The setup is expected to expand into other languages and regions in coming months.

Yahoo users should expect to see few, if any, differences in their searches. What could change is the level of competition that Google faces.

“With Yahoo’s moving their volume of search users to Bing, it makes it a much more level playing field for Bing vs. Google,” said Dan Olds, an analyst at Gabriel Consulting Group. “While the combined Microsoft and Yahoo search traffic is still significantly lower than what Google drives, it’s much larger than the two had on their own. This gives Bing better numbers to show advertisers and a chance to cut into Google’s lead.”

Neither Bing nor Yahoo separately has had any luck cutting into Google’s lead in the search market. Google captured 65.8% of the search market in July, according to market research company ComScore. Yahoo had 17.1% and Bing had 11%, ComScore reported.

The plan, then, was for Bing and Yahoo to hitch their teams together and make a reinforced assault on Google’s gates.

“This probably saved Yahoo, who, without the removal of the cost related to search and the influx of Microsoft revenue, would likely be gone by now,” said Rob Enderle, principal analyst at Enderle Group. “For Microsoft, it puts them in the search game but by creating a stronger competitor…. The onslaught against Google began when Microsoft basically wrote a blank check to Yahoo to fund the battle. But this [week's integration] will represent the biggest win Microsoft ever got in one move.”

Olds said Google should look over its shoulder and pick up the pace on search innovation if it wants to maintain its expansive lead.

“Now that Microsoft and Yahoo’s teaming up on search has become a reality, it’s definitely something that Google will take notice of and react to,” he added. “Both Microsoft and Yahoo have moved from also-ran status to a credible threat in terms of their traffic and technology.”

Olds also noted that Microsoft has deep pockets and probably can afford to invest in the search competition for years.

“For Google, search is the cash cow that supports everything else they do,” Olds noted. “Microsoft’s situation and perspective is different. They have their existing software franchises to generate money. This will put more pressure on Google’s profitability over time.”


By Gregg Keizer
Computerworld (US)
August 26, 2010

FRAMINGHAM - Less than 24 hours after Microsoft said it couldn’t patch Windows to fix a systemic problem, attack code appeared Tuesday to exploit the company’s software.

Also on Tuesday, a security firm that’s been researching the issue for the last nine months said 41 of Microsoft’s own programs can be remotely exploited using DLL load hijacking, and named two of them.

On Monday, Microsoft confirmed reports of unpatched — or zero-day — vulnerabilities in a large number of Windows programs, then published a tool it said would block known attacks. At the same time, the company said it would not patch Windows because doing so would cripple existing applications.

Microsoft also declined to say whether any of its own applications contain bugs that attackers could exploit, saying only that it is investigating.

Many Windows applications load code libraries, dubbed “dynamic-link libraries,” or “DLLs,” by bare file name rather than by full path. Windows then walks a fixed list of directories to find the file, and that list includes the application’s current working directory, which is the folder a document was opened from. That gives attackers the opening they need: plant a malicious file with the expected name in that folder, and the application loads it, provided no legitimate copy is found in a directory searched earlier.

If attackers can dupe users into visiting malicious Web sites or remote shares, or get them to plug in a USB drive, and in some cases con them into opening a file from that location, their code runs with the user’s privileges and can plant malware on the machine.
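The resolution rule described in the two paragraphs above, and in the earlier DLL load hijacking article on this page together with the blocking tool it discusses, decides whether a planted DLL is ever reached. The following is an added model written for this page, not Microsoft’s tool or any of the exploit code mentioned; it assumes a constructed filesystem and share name, uses the documented values of Microsoft’s CWDIllegalInDllSearch registry setting (0, 1, 2 and 0xFFFFFFFF), treats the `DavWWWRoot` / `@SSL` path markers as the sign of a WebDAV folder, and ignores the loader’s KnownDLLs list and already-loaded modules. It shows why only a DLL that is absent from the application and system directories is hijackable under the default search order, what the “Fix It” setting (value 2) stops, and what it leaves open.

```python
"""Model of the Win32 DLL search order and the current-working-directory (CWD) mitigations.

Constructed for illustration. It is not Microsoft's tool and it ignores KnownDLLs and
modules that are already loaded, which the real loader consults before any directory search.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set

# Values accepted by the CWDIllegalInDllSearch registry value (Microsoft KB2264107).
CWD_ALLOWED = 0x0          # default: CWD stays in the search order
CWD_NO_WEBDAV = 0x1        # CWD skipped when it is a WebDAV folder
CWD_NO_REMOTE = 0x2        # CWD skipped when it is WebDAV or a remote share; what the Fix It sets
CWD_NEVER = 0xFFFFFFFF     # CWD removed from the search order entirely


@dataclass
class Host:
    app_dir: str
    system_dirs: List[str]                 # System32, System, Windows, in that order
    path_dirs: List[str]
    files: Dict[str, Set[str]]             # constructed filesystem: directory -> file names present
    mapped_remote_drives: Set[str] = field(default_factory=set)   # drive letters backed by shares
    safe_dll_search_mode: bool = True      # default since XP SP2: CWD comes after the system dirs
    cwd_policy: int = CWD_ALLOWED
    dll_directory_cleared: bool = False    # the application called SetDllDirectory("")


def classify_dir(d: str, mapped_remote_drives: Set[str] = frozenset()) -> str:
    """'webdav', 'remote' or 'local' for a directory path (WebDAV detection is a heuristic)."""
    d_l = d.lower()
    if d_l.startswith("\\\\"):
        return "webdav" if ("davwwwroot" in d_l or "@ssl" in d_l) else "remote"
    if len(d_l) > 1 and d_l[1] == ":" and d_l[0] in {x.lower() for x in mapped_remote_drives}:
        return "remote"
    return "local"            # fixed disks and removable media such as USB drives


def cwd_is_searched(host: Host, cwd: str) -> bool:
    """Does the CWD take part in the search, given the app-level and registry mitigations?"""
    if host.dll_directory_cleared or host.cwd_policy == CWD_NEVER:
        return False
    kind = classify_dir(cwd, host.mapped_remote_drives)
    if host.cwd_policy == CWD_NO_REMOTE and kind in ("remote", "webdav"):
        return False
    if host.cwd_policy == CWD_NO_WEBDAV and kind == "webdav":
        return False
    return True


def search_order(host: Host, cwd: str) -> List[str]:
    order = [host.app_dir]
    if not host.safe_dll_search_mode and cwd_is_searched(host, cwd):
        order.append(cwd)     # legacy order: CWD right after the application directory
    order += host.system_dirs
    if host.safe_dll_search_mode and cwd_is_searched(host, cwd):
        order.append(cwd)     # safe order: CWD only after the system directories
    return order + host.path_dirs


def resolve(host: Host, cwd: str, dll_name: str) -> Optional[str]:
    """Directory from which LoadLibrary(dll_name), called with a bare file name, would load."""
    for d in search_order(host, cwd):
        if dll_name.lower() in {f.lower() for f in host.files.get(d, ())}:
            return d
    return None


def hijack_succeeds(host: Host, cwd: str, dll_name: str) -> bool:
    """Would a copy of dll_name planted in cwd be the one the application actually loads?"""
    planted = dict(host.files)
    planted[cwd] = set(planted.get(cwd, set())) | {dll_name}
    return resolve(replace(host, files=planted), cwd, dll_name) == cwd


def demo():
    """Constructed scenario: the victim double-clicks a document on an attacker's share."""
    host = Host(
        app_dir=r"C:\Program Files\ExampleApp",
        system_dirs=[r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"],
        path_dirs=[r"C:\Tools"],
        files={r"C:\Program Files\ExampleApp": {"exampleapp.exe"},
               r"C:\Windows\System32": {"present.dll"}},       # constructed DLL names
    )
    share = r"\\attacker\docs"    # constructed: opening a document here makes it the CWD
    return (
        hijack_succeeds(host, share, "present.dll"),   # False: System32 is searched before the CWD
        hijack_succeeds(host, share, "absent.dll"),    # True: nothing earlier satisfies the request
        hijack_succeeds(replace(host, safe_dll_search_mode=False), share, "present.dll"),  # True
        hijack_succeeds(replace(host, cwd_policy=CWD_NO_REMOTE), share, "absent.dll"),     # False
        hijack_succeeds(replace(host, cwd_policy=CWD_NO_REMOTE), r"E:\usb", "absent.dll"), # True
        hijack_succeeds(replace(host, dll_directory_cleared=True), r"E:\usb", "absent.dll"),  # False
    )


if __name__ == "__main__":
    print(demo())   # (False, True, True, False, True, False)
```

The fourth and fifth results are the practical caveat: the Fix It setting stops loads from WebDAV and SMB shares but leaves a local folder such as a USB stick in the search order, which only the 0xFFFFFFFF setting or an application-side fix (loading by full path, or calling SetDllDirectory("") at startup) removes.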

By Tuesday, at least four exploits of what some call “binary planting” attacks, others dub “DLL load hijacking” attacks, had been published to a well-known hacker site. Two of the exploits targeted Microsoft-made software, including PowerPoint 2010, the presentation maker in Office 2010, and Windows Live Mail, Microsoft’s free e-mail client, which is distributed as a separate download for Vista and Windows 7 rather than with the operating system.

Other exploits aimed at leveraging DLL load hijacking bugs in uTorrent and Wireshark, a BitTorrent client and network protocol analyzer, respectively.

At the same time, a Slovenian security company claimed that it reported bugs in two Microsoft-made programs last March.

“We’re going to publish a list of the vulnerable apps we found sometime soon,” said Mitja Kolsek, the CEO of Acros Security. “However, since HD Moore’s toolkit is already being used for finding vulnerable apps and at this point hundreds of good and bad guys already know about it, I can say that the two we fully-disclosed to Microsoft were in Windows Address Book/Windows Contacts and Windows Program Manager Group Converter.”

HD Moore is the American researcher who kicked off a small wave of DLL load hijacking reports last week when he announced he had found 40 vulnerable Windows applications. On Monday, Moore published an auditing tool that others can use to detect vulnerable software. When combined with an exploit added that same day to Metasploit, the open-source hacking toolkit that Moore authored, the tool’s results produce what he called a “point-and-shoot” attack.
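The page does not describe how Moore’s auditing tool works internally, so the following is an added example, not his code: the generic way to find a hijackable load is to trace the application with Process Monitor while it opens a document from a test directory, then look for `CreateFile` probes for `.dll` names inside that directory that ended in `NAME NOT FOUND`. The log below is constructed in the column layout of Procmon’s CSV export; the process, share and DLL names in it are invented for the example.

```python
"""Find DLL-planting candidates in a Process Monitor CSV trace (added example, constructed data)."""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed sample in Procmon's CSV export layout. The application has just opened
# report.doc from \\attacker\docs, so that share is its current working directory.
SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","exampleapp.exe","4120","CreateFile","C:\\Program Files\\ExampleApp\\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","exampleapp.exe","4120","CreateFile","C:\\Windows\\System32\\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","exampleapp.exe","4120","CreateFile","\\\\attacker\\docs\\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.4","exampleapp.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.5","exampleapp.exe","4120","CreateFile","\\\\attacker\\docs\\report.doc","SUCCESS","Desired Access: Generic Read"
"10:01:03.0","otherapp.exe","5000","CreateFile","C:\\Users\\bob\\Downloads\\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"""


def _rows(log_text: str):
    return csv.DictReader(io.StringIO(log_text))


def find_plantable_dlls(log_text: str, test_dir: str) -> Dict[str, List[str]]:
    """DLL names each traced process looked for in test_dir and did not find.

    A NAME NOT FOUND probe in the working directory means the loader got that far without
    finding the file in the application or system directories, so a planted copy would win.
    """
    prefix = test_dir.lower().rstrip("\\") + "\\"
    hits = defaultdict(set)
    for row in _rows(log_text):
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll") or not path.lower().startswith(prefix):
            continue
        hits[row["Process Name"]].add(path[len(prefix):])
    return {proc: sorted(names) for proc, names in hits.items()}


def probe_order(log_text: str, process: str, dll_name: str) -> List[str]:
    """Directories a process probed for dll_name, in trace order: the search order made visible."""
    dirs = []
    for row in _rows(log_text):
        if row["Process Name"] != process or row["Operation"] != "CreateFile":
            continue
        directory, _, name = row["Path"].rpartition("\\")
        if name.lower() == dll_name.lower():
            dirs.append(directory)
    return dirs


if __name__ == "__main__":
    print(find_plantable_dlls(SAMPLE_LOG, r"\\attacker\docs"))   # {'exampleapp.exe': ['helper.dll']}
    print(probe_order(SAMPLE_LOG, "exampleapp.exe", "helper.dll"))
```

A hit from this filter is a candidate, not a confirmed vulnerability: confirm it by placing a harmless DLL of that name in the test directory (one that only writes a marker file when loaded) and reopening the document, and note that the probe lands in the working directory only when the document is opened in a way that sets it there, as a double-click in Explorer does.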

All four of the exploits that went public Tuesday appear to be based on Moore’s Metasploit attack code.

Although the Windows Address Book — renamed Windows Contacts with the launch of Vista in 2007 — may be familiar to users, Program Manager Group Converter is probably not, Kolsek admitted. But both can be exploited.

“They’re part of every Windows installation and are associated with certain file extensions, allowing for ‘double-click-bang’ remote attacks,” Kolsek said. “To increase the likelihood of success, an attacker can create a shortcut with a PDF or Word document icon pointing to such files, which otherwise have different, less familiar icons.”

Contrary to Kolsek’s claim, Program Manager Group Converter, a holdover from pre-Windows 95 days, is included with Windows XP, but not with Vista or Windows 7.

Altogether, Acros uncovered 121 remote execution vulnerabilities in 41 different Microsoft applications, but reported details of only the pair in Address Book/Contacts and Program Manager Group Converter. The rest were left for Microsoft’s own researchers to find, said Kolsek.

Like a number of other companies, notably the French firm Vupen Security, Acros has decided that it will no longer report its vulnerability discoveries to vendors without compensation. “We’ve been giving them away for 10 years now,” said Kolsek, “and it wasn’t doing anything for us.”

In a long post to a new Acros blog, Kolsek added that there was no bad blood between his company and Microsoft over the former’s refusal to identify 119 bugs in the latter’s products. “It was a mere incompatibility of business interests,” he said.

Wireshark’s lead developer, Gerald Combs, said today that a fix for the DLL load hijacking bug would be released in the next few days. Microsoft and BitTorrent, the firm responsible for uTorrent, did not reply to requests for comment about their patching plans.


By Gregg Keizer
Computerworld (US)
August 26, 2010

FRAMINGHAM - Mozilla on Tuesday launched the fourth beta of Firefox 4, adding bookmark and password synchronization, and revamping how people wrestle tabs.

The latest build also sported the first attempt at accelerating Firefox 4’s page rendering by tapping the graphics processor. The hardware acceleration, available only in Windows Vista and Windows 7, is disabled by default.

Firefox 4 Beta 4’s most visible addition is “Panorama,” a new name for what Mozilla had been calling “Tab Candy.” Largely driven by the work of Aza Raskin, creative lead of Firefox, Panorama lets users collect tabs into sets, graphically displays those sets, and when users open a tab, shows only those tabs within the group.

Mozilla, which calls Panorama a tab manager, has argued that it’s the next step in the evolution of tabs.

Firefox’s rivals have nothing like Panorama. Apple, for example, introduced “Top Sites” to Safari last year, while Google’s Chrome has had a similar “Most Visited” feature since it launched in 2008. But both simply graphically represent frequently-visited sites using thumbnails.

Microsoft has not revealed the user interface or how it will use tabs in its next browser, Internet Explorer 9 (IE9), which is scheduled to ship as a beta on Sept 15.

Firefox Sync, the other major feature new to Beta 4, is not new to Mozilla: The service that keeps bookmarks, passwords, browser history, open tabs and other data consistent across multiple computers and devices traces its roots to 2007 and a project then dubbed Weave.

Sync has been available to users of earlier Firefox editions through an add-on and to iPhone owners via the free Firefox Home app, but this is the first time that the functionality has been baked into the browser.

Chrome and Opera have had integrated synchronization since 2008.

Mozilla also debuted hardware acceleration in Beta 4, but left the Windows-only feature turned off. To switch it on, users must change a preference on the browser’s “about:config” page, following instructions Mozilla has posted on its site.

Firefox 4, like IE9, relies on Windows’ Direct2D API (application programming interface) to boost rendering speeds by shifting some chores from the computer’s central processor to the graphics processor.

Microsoft has made hardware acceleration a prominent part of its IE9 pitch, and rivals have started to react. Firefox, however, is the first browser to debut the technology in a beta-or-better build.

Hardware acceleration in Firefox 4 requires Windows Vista or Windows 7; the more popular Windows XP lacks the necessary graphics infrastructure, a fact that’s prompted Microsoft to drop XP from IE9’s supported operating systems.

Mozilla has set an aggressive schedule for Firefox 4, with a tentative release candidate slated for October and final ship date in November. According to meeting notes posted Tuesday, the current plan is to feature-freeze the browser Sept. 10, and issue a feature-complete Beta 6 later next month.

Firefox 4 Beta 4 can be downloaded for Windows, Mac and Linux from Mozilla’s site in 35 different languages.


By Preston Gralla
Computerworld (US)
August 24, 2010

FRAMINGHAM - By some very important measures, Microsoft’s best days are behind it. Once the dominant technology company in the world, it has fallen behind — even far behind — in the market’s biggest growth areas: the Internet and mobile devices. True, it remains dominant on the desktop and in office suites, but that’s not where the growth is these days.

When it comes to the Internet, it trails far behind Google. And when it comes to mobile devices, it has fallen far behind both Apple with the iPhone and iPod, and Google with Android-based phones.

In fact, a milestone was passed back in May, when Apple overtook Microsoft in total valuation. Soon, it is expected to pass Microsoft in revenue as well.

SHOULD MICROSOFT SIMPLY GIVE UP, AND ACCEPT THAT ITS GLORY DAYS ARE OVER?

Certainly not. The technology market changes quickly, and companies can leapfrog competitors, even seemingly entrenched ones, with the right mix of strategy and products. Here is my modest proposal for two steps Microsoft can take to try and regain its technology dominance.

Step #1: Tear down the walls

Microsoft has become large and unwieldy, bedeviled by red tape, bureaucracy and political infighting. In my last column, I showed how infighting and bureaucracy at Microsoft led to the Kin mobile phone disaster, while Google, using technology from the same engineer who had developed the guts of the Kin, rushed ahead and succeeded with Android.

That’s far from the only instance of these kinds of problems. The Web-based version of Microsoft Office, for example, was not able to make use of the superb Windows Live Sync technology at its launch, even though it would have given the product a feature that Google couldn’t match. Why wasn’t Windows Live Sync included? The development cycles of Office and Windows Live Sync didn’t match. Microsoft could easily have incorporated the then-existing version of Windows Live Sync into Office. Instead, it has to wait until the development cycle of Windows Live Sync proceeds.

Microsoft should turn its engineers, designers and product managers loose, and make them entrepreneurial. If they need to step on the toes of other Microsoft products and technologies, or even filch them for their own use, so be it. That’s the only way Microsoft will be able to develop technologies its competitors can’t match. The company has some of the best engineers in the world. Microsoft should use them to their fullest capabilities.

Step #2: Kill the Windows brand

Microsoft’s vast wealth and success is built on top of Windows. But Windows is also holding the company back when it comes to the future, both in the eyes of consumers, and in the company’s own product development. Microsoft should continue to develop Windows as an operating system, and should still call it Windows. But it shouldn’t force its other important products to carry the Windows name or even necessarily use Windows technologies.

The Windows Live brand is a perfect example. It’s not at all clear what the “Windows Live” brand is supposed to mean. It’s an unrelated set of Web services and downloadable software, most of which have nothing to do with Windows. What does Windows Live Hotmail, for example, have to do with Windows? Not a thing, given that you can use it with other operating systems, such as Mac OS X. Giving it the Windows name only confuses consumers.

The same holds true for the Windows Phone. In the past, forcing its mobile operating system to be Windows-like has hurt Microsoft; it’s one of the reasons the iPhone and Android both leapfrogged Microsoft in smartphones.

Microsoft should reconsider forcing almost everything it does to use the Windows brand and fit into the Windows ecosystem. Dropping that framework would give it a fresh chance with consumers, and allow its designers and developers to take a fresh look at the products they create.


By Mitch Betts
Computerworld (US)
August 24, 2010

FRAMINGHAM - Cloud computing isn’t just a way to try to save money on IT infrastructure; it’s a way to accelerate business agility and innovation, according to a recent report by PricewaterhouseCoopers.

Traditional, rigid IT infrastructures get in the way of innovation because they take months or years to deploy when a business decides to try something new, the report said, whereas on-demand computing services can be set up in days.

“Often the costs and time required to test a new product or service, or try a new way of engaging customers, are so prohibitive, they discourage companies from even trying them,” according to the PwC report. “But cloud computing offers an inexpensive and flexible way to deploy the infrastructure as needed to test ideas.”

For example, the report said that 3M Corp. is using Microsoft Corp.’s Azure cloud technology to quickly analyze new designs for consumer products, and McKesson Corp. is using SAS Institute Inc.’s “analytics cloud” to study marketing data.

However, the report acknowledged that cloud computing raises security issues, as well as regulatory compliance, tax and financial accounting considerations.


By Gregg Keizer
Computerworld (US)
August 20, 2010

FRAMINGHAM - Microsoft today announced that the next version of Office for the Mac will include a pair of key features that debuted in the Windows edition of Office 2010 earlier this year.

Office for Mac 2011, which is slated for an October launch, will offer “Sparklines,” cell-sized Excel charts, and in-app image editing tools, two features that first appeared in Office 2010, the more popular Windows edition that hit the retail market last May.

Microsoft touted the new features as part of its attempt to boost compatibility between the Mac and Windows versions of the suite.

“What we’ve been able to do in Office for Mac 2011 is to bring a lot of power to bear to produce a professional-looking document that’s still compatible with Office for Windows,” said Kurt Schmucker, an evangelist with Microsoft’s Mac team, in a video the group released Wednesday.

Sparklines, which Computerworld reviewer Preston Gralla called the “most useful” among the changes to Excel 2010 on Windows, lets users drop in bite-sized charts or graphs into individual cells.

Microsoft pitched Sparklines and improvements to Excel’s PivotTables as compatibility wins for Mac users who need to share spreadsheet documents with co-workers running the Windows version of Office.

Previously, Microsoft has made much of the debut of a ribbon-style interface in Office for Mac 2011, another feature borrowed from the Windows edition.

Office for Mac 2011 will go on sale at the end of October; Microsoft has not yet set a definite date, however. Customers who purchase Office for Mac 2008 through Nov. 30 will be able to download a free copy of 2011 when it’s available.


PHP User Group Philippines (PHPUGPH) and Microsoft Philippines recently hosted the annual emPHPeror Cup PHProgramming Competition, an event that provided students and professionals an opportunity to share ideas, insights and best practices on interoperable tools that enable them to build applications across different platforms.

PHPUGPH is a non-profit organization established to provide support for PHP and open-source enthusiasts in the Philippines. The contest was attended by various IT professionals, software developers and students who participated by coding PHP programs running on Windows Server 2008 R2 and Microsoft’s Internet Information Services 7 (IIS7).

Marte Soliza from the University of the Philippines came in at first place garnering a total score of 10,086 out of 10 problems given. She bested 14 other teams/participants.

Rounding out the top five finishers were: (2) John Paul de Guzman with 8,297 points; (3) Team Three Musketeers (Sheldon Clement Senseng, Steve dela Cruz and Ryan Velasco) with 6,139 points; (4) Adamson CS Web Team (Harold Jefferson Gomez, Thomie Jose San Agustin and Alvin Ray Cortes) with 6,064 points; and (5) Jomel Imperio with 5,312 points.


By Gregg Keizer
Computerworld (US)
August 16, 2010

FRAMINGHAM - Microsoft on Thursday announced it will release a public beta of Internet Explorer 9 (IE9) on Sept. 15, a little less than five weeks from now.

Only a minority of Windows users will be able to try the beta, however. IE9 will not work on Windows XP, the aged operating system that powers nearly 68% of all PCs running Windows. The new browser requires either Windows Vista or Windows 7.

Thursday’s announcement followed a comment made late last month by Kevin Turner, the company’s chief operations officer, that the IE9 beta would show up in September. Until today, Microsoft had declined to set a date or even confirm Turner’s statement.

Microsoft first announced IE9 in March, and has released four developer preview builds since then, most recently on Aug. 5 when it said the fourth such preview would be the last.

But while those previews have trumpeted the new browser’s “Chakra” JavaScript engine, graphics processor-powered hardware acceleration, support for the new HTML5, and being more in line with current Web standards, Microsoft hasn’t as much as whispered about IE9’s look and feel.

The developer previews have relied on a nearly nonexistent interface that lacks even the most basic navigational features, such as a back button or even an address bar.

Most expect that Microsoft will debut IE9’s UI (user interface) in the beta next month.

According to reports earlier this year, IE9 was to feature a look copied from Windows Phone 7’s “Metro” interface. Today, Neowin.net said sources had told it that Metro is out and a “simplistic UI similar to that of Google’s Chrome” is in.

If so, it wouldn’t be a surprise: Other browser makers, notably second-place Mozilla, have headed in that direction, too, as they follow the lead of Google and its cleaner-composed Chrome. Mozilla’s next major upgrade, Firefox 4, will feature tabs on top and will eliminate the traditional Windows menus above the browser’s content area, two UI features popularized by Chrome.

IE is on a two-month upswing in usage share, according to the most recent data from metric firm Net Applications, and Microsoft has to hope that IE9 will be able to keep that momentum.

However, earlier this month Roger Capriotti, a product management lead on the IE team, refused to be drawn into a discussion of Microsoft’s goals for IE9, or even whether the company thought the new browser would entice users to come back to the browser.

Vince Vizzaccaro, an executive with Net Applications, had previously pegged IE’s increase in usage share to the growth of Windows 7, the Microsoft OS that includes IE8, and to a national television advertising campaign in the U.S. More recently, he had other explanations.

“[The two-month increase] is more than a blip for IE,” said Vizzaccaro in an interview last week. “Something is working for them. Maybe it’s related to ongoing privacy concerns on the part of people with Google.”

Microsoft has said nothing about a ship date for IE9, though many have speculated on an April 2011 release to coincide with MIX, the company’s annual Web conference, slated to run April 12-14, 2011 in Las Vegas.

It’s possible the ship date will be significantly later: Microsoft finalized IE8 a full year after it released the first public beta for that browser. If it maintains the same pace for IE9, the upgrade’s final edition might not appear until September 2011.


By Patrick Thibodeau
Computerworld (US)
August 13, 2010

FRAMINGHAM - Analysts are developing a short list of possible candidates to replace former Hewlett-Packard Co. CEO Mark Hurd, who resigned Friday. But it’s worth noting that Hurd’s name didn’t come up often, if at all, as a contender in 2005, when he was tapped for the HP job.

At the time, he was a veteran of NCR Corp., where he had served as its CEO and president.

During that search, The Wall Street Journal said executive recruiters envisioned the ideal successor to be “a star CEO at a company with at least $40 billion in annual sales.” NCR had revenue totaling just over $6 billion, making Hurd something of a surprise choice.

With Hurd now out — he resigned after HP’s board found fault with his relationship with a contractor and related expense report filings — the succession guessing game is in full swing. Analysts are brushing off their 2005 lists and some familiar names are emerging as hot prospects.

Among those mentioned, once again, are Michael Capellas, the former CEO of Compaq, and Joseph Tucci, the CEO of EMC. The names of executives at IBM, Microsoft and Oracle are also being bandied about.

HP executives who were likely considered in 2005 and are seen as contenders now include Ann Livermore, the executive vice president of the company’s enterprise business, and Vyomesh Joshi, executive vice president of HP’s imaging and printing group. New to the list is Todd Bradley, a former Palm CEO and president who is now executive vice president of HP’s personal systems group.

An easier task, perhaps, than trying to guess names is to determine what type of management style HP’s board will want in its next CEO.

Chuck House, an HP veteran who now heads Stanford University’s Media X, was especially critical of Hurd’s management style in his blog. He outlined in an e-mail what he hopes the board will look for in Hurd’s replacement. (Media X is affiliated with the H-STAR Institute (Human-Sciences and Technologies Advanced Research Institute) at Stanford, and works with industry and academics to study the impact of information and technology on society.)

House hopes the new CEO is someone who is “innovation appreciative” and is willing to spend research and development dollars, a leader who employs “management by walking around…, which implies caring and compassion and regard with dignity for employees.”

House also believes that HP needs to change its employee reward system by “getting rid of huge bonuses for the few, and restoration of profit sharing and much smaller, but meaningful, stock options for the many.” “This is an easy signal to implement, and relatively cheap to do in actuality,” he said.

House, co-author of The HP Phenomenon: Innovation and Business Transformation, added that HP needs a listener and a supporter of “collective intelligence” rather than a “father-knows-best” management style.

Rob Enderle, an independent analyst in San Jose, Calif., said any internal candidates at HP could have an edge.

“This time around they have internal candidates that could do the job, though external candidates with the needed breadth will be rare,” said Enderle. He noted the emergence of board director Marc Andreessen, the co-founder of Netscape who has launched other companies and is a venture capitalist, “as a power player” at HP.

Andreessen “may want to put someone vastly younger and more dynamic in the role than any of the traditional internal or external candidates,” Enderle said. “I think the odds favor either an internal candidate or an unanticipated candidate at the moment, depending on how quickly they need to fill the job and how much influence Andreessen actually does have.”

Another important area for the next CEO will be ethics. Hurd wasn’t directly involved in the company’s pretexting scandal in 2006, when HP acquired phone records under false pretenses to learn the identity of a leaker. That incident prompted HP to emphasize its business conduct rules — rules that eventually led to Hurd’s ouster.

“I would expect the company to say publicly that it is strongly committed to ethics and internal compliance, and I imagine that whoever becomes CEO will also say publicly that she/he is strongly committed to ethics and internal compliance and quickly moving beyond this episode,” said Miriam Baer, assistant professor of law at Brooklyn Law School.


By Robert X. Cringely
InfoWorld (US)
August 13, 2010

SAN FRANCISCO - It seems Microsoft didn’t get pummeled enough in the “I’m a Mac, you’re a PC” ad campaign, so it’s coming back for more. This time the marketing marvels at Microsoft have cooked up a new web site detailing the various ways in which the Mac is inferior to a Windows 7 machine. Like, for example, “Macs don’t work as well at work or at school” or “Macs can take time to learn” or “Macs don’t like to share.”

It’s kind of pathetic, really. Most of these arguments are premised on the notion that if you’ve already wasted most of your adult life using Windows, you’ll be more familiar with it than the Mac, so you might as well waste the rest of your adult life. Which is really the only reason why Microsoft continues to dominate desktop market share: It’s harder to switch than to stick with what you got, even if what you got sucks eggs.


Still, is that the best MSFT can do with its billions in profits? Seriously?

It’s like Redmond has fallen so far behind in the mobile/tablet space that it’s clinging to an era in which the battle for control of the desktop still mattered. (“Remember the good old days when we were kicking the Macintosh’s behind?”) I can’t believe I’m actually writing this, but I’m starting to feel sorry for them.

Meanwhile, of course, there’s that new corporate motto Microsoft is allegedly going to reveal: “Be What’s Next.” So far that tagline has yet to be spotted in the wild, only at an internal Microsoft trade show. But it does reveal the huge gulf between how Microsoft perceives itself and how the rest of the non-Microsoft fanboy world perceives it.

Pop quiz: If you were looking for what’s coming next to the world of technology, is Redmond the first place you’d look? How about the 20th place? Is it even in the top 100?

In a blog post late last month (“Can Microsoft imitate Apple one more time?”), I asked Cringesters what they would suggest for a new Microsoft slogan.

Commenter “engpjp” suggests Microsoft take a page from the pre-second-coming of Steve Jobs era: “Microsoft: Be What’s NeXT.” I think they’d probably get sued for that one.

But the residents of Cringeville came up with some pretty good ones, too. Here are the best, followed by the author’s initials.

* “If you’ve got the solutions, we’ve got the problems” (D. W.).
* “The 500 pound gorilla doesn’t play with toys. Microsoft: We get the Jobs done.” (S. E.)
* Here’s one from the Caesarean section: “We came, we saw, we copied” (C. D.).
* The practical: “Reboot your life (and while you’re at it, your PC)” (R. L.).
* The acquisitive: “If you can’t beat em, buy em” (J. P.).
* The scatological: “Microsoft: We love downloading lots of s**** to your PC” (M. S.).

Here’s one proclaiming hey, at least our CEO didn’t have to resign because of a sex scandal: “We’re not HP” (B. C.).

And this one would sound right at home on that new Windows-vs.-Mac site Microsoft just created: “Lots of people use our software because they have to” (M. B.).

Personally, I like eSarcasm’s somewhat NSFW take on the new Microsoft slogan, especially this one: “Microsoft: Re-imagining the future by clinging blindly to the past.”

Maybe Microsoft should fire all of its marketers and hire the residents of Cringeville instead. We certainly couldn’t do much worse.


By Gregg Keizer
Computerworld (US)
August 12, 2010

FRAMINGHAM - Microsoft today issued a record 14 security updates to patch a record-tying 34 vulnerabilities in Windows, Internet Explorer (IE), Office and Silverlight.

“Don’t get mired in the details,” recommended Andrew Storms, director of security operations for nCircle Security, as he acknowledged that the sheer number of updates and patches could easily overwhelm users.

“There are so many patches here that you could go in all kinds of different directions,” agreed Jason Miller, data and security team manager for patch-management vendor Shavlik Technologies. “It could come down to what people think are the biggest attack vectors.”

No one was questioning the size of today’s Patch Tuesday. The August update was the biggest ever by number of security bulletins, and equaled the single-month record for individual patches, which was first set last October and repeated in June 2010. This month’s collection also tied the October 2009 record for the most critical bulletins.

Of the 34 flaws fixed, Microsoft rated 14 as “critical,” the highest threat ranking in the firm’s four-step scoring system. Seventeen were pegged as “important,” and three were labeled as “moderate.”

With Microsoft throwing nearly three-dozen patches at customers, it’s not a surprise that researchers disagreed on which updates people should apply first.

“I’d have to put MS10-056 at the top,” said Storms, referring to a three-patch update for Office that included a pair of critical vulnerabilities in Office 2007. “All one needs to do is have the preview pane open [in Outlook 2007] and just look at a malformed RTF file,” Storms added.

Unlike most exploits delivered via e-mail, these wouldn’t require the recipient to open an attachment, a practice people know is risky. But as Storms pointed out, most users preview e-mail messages without a second thought. “I’d put this in the same category as a drive-by,” Storms said. “I can imagine someone sticking an RTF file in a spam engine and just going crazy.”

While other researchers agreed with Storms that MS10-056 was dangerous, they nominated different updates — or combinations of updates — for their top pick of the month.

“I’m concerned about the two media-related updates, MS10-052 and MS10-055,” said Miller.

Those updates, both judged critical, address a pair of bugs in two codecs (software that compresses and decompresses video data) included with Windows.

To Miller, video vulnerabilities are a juicy target for criminals. “They want to find the biggest market [for their attacks], and media, and social media are so huge today,” he said. “Everybody is watching stuff, they’re not reading stuff.”

Miller said he expected attackers to leverage the codec flaws in the coming month, a bet Microsoft also made: Its Exploitability Index rated both vulnerabilities as a “1,” meaning it anticipates active exploits in the next 30 days.

Wolfgang Kandek, CTO at Qualys, seconded Miller, but lumped in other bulletins, including the six-patch IE update, MS10-053, with the codec updates.

“With so many [updates] today, prioritization is important,” said Kandek. “And since most attacks today happen through the browser, we’ve put several updates into a group that should be applied first.”

Kandek added three more updates to that patch-first group because they could also be exploited through IE or another browser: MS10-049, MS10-051 and MS10-060.

The third of that bunch patches a pair of critical vulnerabilities in Silverlight, Microsoft’s rival to Adobe’s Flash.

“Silverlight is almost as popular as Adobe Reader on end-user systems,” said Kandek, citing data Qualys has compiled from its new “BrowserCheck” plug-in checking service. Kandek said that Silverlight is installed on approximately 60% of all PCs.

“This is the first major security update for Silverlight,” said Miller, who backed up Kandek. “It’s pretty easy to install, and lots of users may not even remember that it’s on their machines. Plus, just visiting a site means you’re exploited.”

But Josh Abraham, a security researcher with Rapid7, took a different tack. For his money, the biggest threat was the three-patch MS10-054 update, which fixed one critical and two important bugs in SMB (server message block), the Microsoft-made network file and print-sharing protocol that worms have leveraged in the past to infect PCs.

“It’s going to be non-trivial to ‘worm’ this,” admitted Abraham, whose company also manages the Metasploit open-source hacker toolkit. “But if you can come up with a reliable exploit, one that lets you leverage the vulnerability without authentication, it will be worth it.”

Abraham pointed out that the most vulnerable targets — Windows XP SP3 and Windows XP x64 SP2 — are widely deployed in both enterprises and among consumers, even though they’re nearly nine years old. It’s also likely that Windows XP SP2, which was retired from support last month and no longer receives patches, is also vulnerable, Abraham said. “So you’re also looking at things that are not being patched at all.”

Rapid7 and Metasploit will put resources into developing a reliable exploit for the SMB bugs, he added. “It’s definitely a high request already,” Abraham said.

Miller agreed that the SMB vulnerabilities are potentially dangerous, but looked on the bright side.

“You hear the three letters ‘S-M-B’ and the first thing you think of is ‘worm,’” said Miller. “This could be bad, but right now, it looks like the most likely result is a denial-of-service. That doesn’t mean that researchers won’t dig deeper to see if they can create a reliable exploit. But the patch is available now.”

If it takes a week, even two for researchers like Abraham to devise a ‘wormable’ exploit, that gives everyone that much time to patch, Miller continued. “With this one, it’s on a clock that starts right now,” he said. “And you don’t want to lose this race.”

This month’s security update can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.


By Paul McNamara
Network World (US)
August 10, 2010

FRAMINGHAM - Much is being made of the fact that Microsoft has at least temporarily stanched the bleeding in terms of Internet Explorer’s market share, and, in fact, has managed to nudge the number upward slightly in each of the past two months.


According to a report from NetApplications released last week, IE has gained about 1% over that time, mostly at the expense of Firefox and Chrome. That’s interesting and notable, and it probably has their attention at Mozilla and Google. However, it’s also in need of historical perspective.

The July report leaves the top three at: IE, 60.74%; Firefox, 22.91%; and Chrome, 7.16%.

A year ago, Microsoft had a touch under 68% of the market, Firefox was just about where it stands now, and Chrome was just climbing out of the crib at 2.59%.

IE has lost 10% over the past 12 months, while Chrome has almost tripled its share.

But let’s hop into the time machine and travel all the way back to a 2004 ‘Net Buzz column (pre-blogging for me):

“Bill Gates will hold a yard sale to help make ends meet before his company’s Internet Explorer is displaced as the world’s dominant Web browser.

“But that doesn’t mean there’s nothing meaningful in the browser usage trend data released recently by WebSideStory.

“According to the Web analytics firm, users of the Mozilla and pre-release Firefox open source browsers grew to 6% of the U.S. online populace as of Oct. 29, up from 3.5% only four months earlier.

“That’s a solid jump from a modest starting point, yes, and Microsoft still commands a 92.9% market share. But the increased open source use comes almost entirely out of IE’s hide and presages nothing but good things for the official release this week of Firefox 1.0, the Mozilla project’s almost universally acclaimed entry into the world of alternative browsers.”

It’s easy to forget that Microsoft was once essentially the only game in town (just as it’s easy to forget Netscape Navigator was once almost universally acclaimed as the better of the two).

Only a year and a half later, there was this April 5, 2006, blog post:

“Firefox has topped 10% in the latest browser market share report from Net Applications. But at what point — what percentage share — does Firefox transition from ankle-biter to leg-breaker? In other words, what is the magic number for Firefox to graduate from nuisance/media darling to a genuine threat to Microsoft’s dominance of the browser market? … I’m saying 20%. … Anyone want to offer a different number?”

Firefox passed that 20% milestone in November 2008, according to NetApplications.

The initial Chrome beta had been released only two months prior.

Bottom line: There’s plenty of life left in Browser War II.

Nice idea, but about that name
So you’ve written an application that’s intended to address the public-health menace that is distracted driving. The app reads aloud e-mail sent to your iPhone or BlackBerry so that you can keep your hands on the wheel and eyes on the road.

You call the app … Text’nDrive?

It’s as if you made one of those Breathalyzer ignition locks and called it Drink’nDrive.


By Tim Greene
Network World (US)
August 10, 2010

FRAMINGHAM - Keeping Microsoft and Cisco in its sights, IBM is planning to introduce a variety of collaboration tools for mobile platforms, where it wants to create full-featured unified communications endpoints and become the mobile collaboration vendor of choice.


Initially these mobile tools will enable calling features that, for example, determine the least expensive mode for making a phone call, but that will be expanded to include the full range of IBM collaboration and conferencing features, said Alistair Rennie, general manager of IBM Lotus, during an interview at IBM’s new and sprawling software development facility in Littleton, Mass. With the most recent release of Lotus SameTime Unified Communications collaboration software last week, the platform now supports BlackBerry 5.0 and Microsoft Windows Mobile 6.5 clients.

As it accelerates its mobile plans, IBM expects to exploit its already extensive interoperability with other platforms including its major competitor in UC — Microsoft. Its mobile support will also challenge competitor Avaya and its mobile clients. Over time, as businesses deploy 4G handhelds, IBM will fully support mobile collaboration “on the mobile device of choice” and treat the collaboration features as services, not a stack of available features but an always-available set of tools, Rennie said.

He expects customers will adopt SameTime for mobile devices via its cloud-based collaboration suite LotusLive, starting with a core of instant messaging, presence, Web meetings and some video. That will grow over time to include voice integration with corporate directories as well as full video services.

Rennie also said the company would respond to customer demand for appliances that can be used to more easily bring collaboration tools into their networks, much the same way that they can add security platforms to their networks via IBM security appliances.

IBM is also building a downloadable, browser-based plug-in so anyone can join SameTime conferences even if their machines lack SameTime clients. Later this capability will be deployed from LotusLive clouds so, for example, a bank could call a conference to talk to high-value customers and have them participate with relative ease, said Rob Ingram, IBM senior product manager for UC. The clients are already available for Web conferencing and IM, and the browser-based client for video is scheduled for the first quarter of 2011. After that the company may look into a mobile browser-based client as well, he said.

Meanwhile, the company is working with videoconferencing vendors to build adapters to communicate with IBM video infrastructure so, for example, IBM desktop video participants could join conferences anchored by Polycom videoconferencing gear, he said. The use case they’re working on is collaboration with business partners who might not have IBM videoconferencing infrastructure, Ingram said. The list of those participating includes Cisco and Polycom but not Cisco’s Tandberg gear or HP conferencing.

Even as he looks ahead to mobile collaboration, Rennie noted that businesses over the past 18 months have altered their view of UC, which blends presence and various modalities of real-time communication — IM, phone calls, video — with collaboration tools integrated with calendaring and corporate directories, and non-real-time communication such as texting and e-mail. Elements of IBM’s UC offerings include Notes/Domino for messaging and calendaring; Lotus Connections for social collaboration; Lotus Quickr for team collaboration; SameTime for Unified Telephony; and LotusLive for on-premise or cloud collaboration. Avaya, Cisco, Microsoft, Siemens and others rank among major competitors.

Whereas customers may have regarded UC as a package of tools that could be bought and installed, they now look at specific business processes, such as order fulfillment, from a desktop perspective rather than as a back-end resource, Rennie said. UC might have been deployed before for a siloed purpose such as a tool for contact-center agents, but now businesses see it with wider applications, he said.

CFOs, for instance, can see the cost-saving benefits of enabling a business-analytics dashboard that pushes work through to the next stage by notifying the right person to handle it and pulling together conferences when needed. “We call it collaboration-enabled business processes,” Rennie said.

Such an idea is in contrast to just promoting attractive UC features, such as finding people in a directory with appropriate skills for a task and whose presence information shows they are available in the right modality and then clicking on their name to reach them. That is the way IBM has been selling UC in the past, and that needed to change, says Don Van Doren, a principal with Unicomm Consulting.

“You can use the quick-to-communicate stuff,” Van Doren says. “It’s useful, but it doesn’t touch the central concepts of unified communications and impact how companies can function differently. You need to get to the business guys and say there’s a business-process bottleneck that costs them two days out of every business development cycle.” And then show how UC can remove the bottleneck. But the task is daunting because that means pulling in top executives and line-of-business managers to help make the technology decisions with the IT staff, Van Doren says.

Even with that challenge, IBM is aligned to do well in battling its primary competitor, Microsoft, he says. Other UC vendors such as Cisco and Avaya come from the telephony end of communications, and he feels that software vendors with control of desktop software have the edge. One of IBM’s strengths is that it already has desktop productivity software widely deployed in corporate networks where users are comfortable with it. And it is interoperable with Microsoft platforms, he says, making it possible for customers to keep using products they have already bought. Specifically, IBM’s strategy is to enable putting IBM SameTime presence inside Microsoft’s Outlook and SharePoint, making it attractive to businesses that have already invested in the Microsoft technologies, he says.

Van Doren also ranks IBM as being far ahead in its social networking software for business with Lotus Connections tied into presence and with its capabilities for mining information within the corporate network to enhance finding the right people for specific tasks. “They’ve been working on this four or five years,” he says. “Cisco is just starting to do it.”

IBM also seems to be opening up its platforms more to third-party developers, he says. UC needs ecosystems that independent developers can work in, and Van Doren thinks IBM may be getting to that point. Earlier, the company seemed to want to make releases rock solid before opening up to partners, but it may serve the company better to be more open to third-party developers sooner. “It’s a much better strategy to get [products] out there with more people finding things that need to be fixed. The winner will be the company that opens up and supports best their ecosystem.”

Has IBM turned a corner? “Man, I hope so. We need another strong player in this industry,” Van Doren says.


By Gregg Keizer
Computerworld (US)
August 9, 2010

FRAMINGHAM - Microsoft on Friday said it is investigating an unpatched vulnerability in Windows after an Israeli researcher revealed a bug in the operating system’s kernel driver.

According to Gil Dabah, a researcher from Tel Aviv who goes by the nickname “arkon,” the Windows kernel harbors a heap overflow vulnerability. Dabah also posted a short proof-of-concept to demonstrate the bug on RageStorm.com, a site he and two others run.

“Microsoft is investigating reports of a possible vulnerability in Windows Kernel,” said Jerry Bryant on Friday. “Upon completion of the investigation, Microsoft will take appropriate actions to protect customers.”

In an alert published Friday, Danish bug tracker Secunia pinpointed the bug in the “Win32k.sys” kernel-mode device driver, the kernel component of the Windows subsystem. Attackers could exploit the flaw using “GetClipboardData,” an API (application programming interface) that retrieves data from the Windows clipboard.

A successful exploit would allow hackers to execute their attack code in kernel mode, which would then let them infect the PC with malware or pillage any data on the machine.

The flaw exists in several versions of Windows, including XP SP3, Server 2003 R2, Vista, Windows 7 and Windows Server 2008 SP2, said Secunia, which rated the bug as “less critical,” the firm’s second-lowest threat ranking.

Microsoft has patched 13 Windows kernel vulnerabilities this year. In June, for example, MS10-032 patched three vulnerabilities in Win32k.sys; in April, it quashed eight bugs with MS10-021; and in February, MS10-015 fixed two flaws.

One researcher with experience digging up kernel bugs said the latest is business as usual. “I don’t think there’s been more than a few days this year that Microsoft [hasn't] been vulnerable to public kernel flaws,” said Tavis Ormandy on Twitter. Ormandy reported three of this year’s kernel vulnerabilities to Microsoft.

Most of those bugs were rated as “important,” Microsoft’s second-highest ranking, because they could not be exploited remotely, but required an attacker to have physical access to the PC and valid log-in credentials. It’s likely that Dabah’s find will as well.

Microsoft will issue 14 security updates, including 10 for Windows, on Tuesday. But unless the company found Dabah’s flaw on its own, or the vulnerability was reported by another researcher earlier — it’s not unheard of for several researchers to stumble across the same bug — a fix won’t appear until September or later.

In the meantime, said Secunia, “Grant access [only] to trusted users.”


By Gregg Keizer
Computerworld (US)
August 09, 2010

FRAMINGHAM - The Google security engineer who stirred up a hornets’ nest two months ago after publicizing a critical Windows vulnerability said Friday that Microsoft will credit his work on four of the 34 bugs slated for patching on Tuesday.

“Apparently I’m getting four credits on Tuesday,” said Tavis Ormandy in a Twitter message Friday.

Ormandy is the researcher who disclosed a bug in Windows’ Help and Support Center just five days after reporting it to Microsoft. Ormandy said he took the bug public when Microsoft wouldn’t commit to a patching deadline; Microsoft has disputed that, claiming that it had only told Ormandy it needed the rest of that week to decide.

The resulting debate over Ormandy’s actions grew heated at times, as some researchers defended his actions while others criticized him for revealing information that later was used by hackers to attack Windows PCs.

After the incident, Google said researchers should give vendors a 60-day window to patch, then go public with their findings to pressure patching. Not surprisingly, Microsoft has disagreed with setting patch-or-else deadlines.

Microsoft plugged Ormandy’s vulnerability on July 13 as part of that month’s Patch Tuesday. Microsoft did not credit Ormandy, or anyone else for that matter, in the MS10-042 advisory that accompanied the Help and Support Center patch.

At the time, Microsoft reiterated that that was standard practice, and had nothing to do with Ormandy specifically.

“When a security researcher is acknowledged in one of Microsoft’s monthly security bulletins, it means that the vulnerability was reported to the Microsoft Security Response Center (MSRC) privately,” said Jerry Bryant, a group manager with the MSRC, in an e-mail reply to questions last month. “The acknowledged individual or organization security researcher worked with us to help us understand the vulnerability, the extent of the risk to the products and platforms, and possible mitigations.”

Bryant’s language was identical to policies Microsoft has spelled out on its Web site.

The four flaws that Ormandy said will be acknowledged were reported privately to Microsoft, Bryant intimated. “Credit given in our bulletins is always based on the finder working with us to keep vulnerability details private until the update goes out,” he said Friday. “The August bulletins will not deviate from normal process.”

Bryant declined to confirm that Ormandy will, in fact, receive credit for several vulnerabilities. “As usual, we cannot discuss details of bulletins, beyond the [advanced notification] and yesterday’s blog post, until they are released,” he said.

Ormandy did not reply to questions about when he reported the vulnerabilities to Microsoft, and whether he thought it meant anything more than Microsoft following its usual practice.

Andrew Storms, director of security operations for nCircle Security, noted that researchers typically receive a heads-up several days prior to a Patch Tuesday that will include fixes for bugs they have privately reported.

French security researcher Matthieu Suiche said Friday that he would also receive credit for reporting four vulnerabilities on Tuesday’s fix list. “Apparently I’m getting only 4 credits too,” he said on Twitter.

Suiche, who now has his own security consultancy, MoonSols, has worked for EADS, the European Aeronautic Defence and Space Company; the Netherlands Forensics Institute of the Dutch Ministry of Justice; and, according to his LinkedIn profile, participated in Google’s Summer of Code, a program that provides student developers stipends to write code for open-source projects.

Storms assumed that there was nothing under the surface about Ormandy receiving credit next week. “It would be pure speculation if Microsoft is patching his bugs any quicker than others,” Storms said in an interview conducted via instant message. “In fact, I don’t think I’d touch that topic with a 10-foot pole. But we can certainly be certain that Microsoft is keeping the conversation open and often with Tavis.”

Bryant declined to respond to additional questions, including whether Microsoft was giving Ormandy’s vulnerabilities higher priority than other researchers’ bugs.

That didn’t surprise Storms. “I think everyone wants to keep the relationship open and professional as much as possible,” he said.

Last month, Microsoft urged others to drop the term “responsible disclosure” and instead substitute “coordinated vulnerability disclosure” (CVD) to describe the collaboration between researchers and vendors.

According to Mike Reavey, the director of the MSRC, the name change would eliminate the loaded word “responsible” from the debate about how researchers report bugs and how and when companies provide patches.

In an interview two weeks ago, Reavey denied that the name change was triggered by the Ormandy disclosure, saying that Microsoft had been working with outside researchers and security experts for months before the June brouhaha.

On Aug. 10, Microsoft will release 14 updates — 8 labeled “critical” and 10 affecting Windows — that will patch 34 bugs.


By Logan Kugler
Computerworld (US)
August 6, 2010

FRAMINGHAM - The words Windows and security have not always been compatible. In the past, Microsoft’s quest to make its operating system as easy to manage as possible for the “typical” user has often meant sacrificing adequate safeguards against intrusion and infection. Windows XP’s notorious vulnerability to network worms stands as a recent example; Microsoft shipped the operating system with a firewall but initially left it turned off by default.

For all its flaws, real and perceived, Vista marked a huge step forward in Windows security. Windows 7 has continued that improvement, adding several new features and enhancing many others — most obviously the User Account Control system, which proved so obnoxious in Vista that many users turned it off, leaving their systems vulnerable to intrusion in exchange for a less annoying experience. UAC has been revamped in Windows 7 to be less intrusive and more discerning about what constitutes a true threat, and therefore more effective.

Other Windows 7 security features are less apparent, especially those intended for businesses concerned with protecting not just one computer but an entire network. Among the most important new features are DirectAccess, a VPN replacement for computers on Windows networks; the Windows Biometric Framework, which standardizes the way fingerprints are used by scanners and biometric applications; and AppLocker, which improves on previous Windows versions’ Software Restriction Policies to limit which software can be run on a machine.

Also key are BitLocker To Go, which extends the full-disk encryption of BitLocker to external hard drives, and a refined procedure for handling multiple firewall profiles so that the level of protection better matches the location from which a user connects to the Internet.

In typical Microsoft fashion, these features have been made available with little fanfare or guidance. Let’s take a look at each to see how they can help Windows shops secure their computers and networks.

Note that some of these features are available for all versions of Windows 7, while others require the Enterprise or Ultimate editions. What’s more, you won’t be able to fully implement some features until you’ve upgraded all your users to Windows 7, and at least one — DirectAccess — has back-end requirements that most companies don’t have in place yet. These features will, however, work side by side with older technologies for users who are still on earlier versions of Windows.

So even though you may not be able to take full advantage of all the new security features immediately, the time to start planning for them is now. We’ll start with the features that you can use right away and work our way up to those that require planning.

Multiple active firewall profiles

Windows 7 offers a small but incredibly important improvement over Vista in its handling of firewall profiles. Vista allowed users to set up different firewall profiles for public, private and domain connections. A private network might be your home Wi-Fi network; aside from having the right WEP or WPA key, you don’t need any credentials to log in, but you trust it more than a public network like a coffee shop hot spot. A domain network requires authentication — a password, fingerprint, smart card or some combination of factors — to log in.

Each profile type has its own selection of applications and connections allowed through the firewall. For instance, in a home or small-business network marked Private, you might allow file and printer sharing, while on a network marked Public, you would likely disallow access to your files.

Vista’s firewall profiles worked well except when a computer was connected to multiple networks simultaneously, such as an Ethernet and a wireless network. In those cases, the system would default to the most restrictive profile. This could cause problems when, for example, connecting to a corporate VPN through a public Wi-Fi hot spot; Vista would recognize simultaneous connections to both a public and domain network and apply the public profile to both.

All versions of Windows 7 allow computers to keep several firewall profiles active at the same time, maintaining the access and functionality of the more trusted network while blocking access via the less trusted network. Since many remote access functions require less restrictive firewall settings, users can now work securely while remaining protected from threats outside of the corporate network.

Windows Biometric Framework

With fingerprint readers becoming more and more common on laptops, establishing a standard for the handling of biometric data has become important. Enter Windows Biometric Framework, a standardized method for storing fingerprint data and accessing it through a common API. Although most of the features of this subsystem are of interest only to developers, there are two important things that businesses should know.

First, while fingerprint scanners could formerly be used to log onto a computer but not to log onto a corporate domain (a corporate network or network subsection), the Windows Biometric Framework allows domain log-in.

Second, users can store up to 10 unique fingerprints, one for each finger. While most of us probably don’t expect to lose a finger anytime soon, having all 10 fingers enrolled in the system is a good precaution in case of lesser injuries. A cooking accident or a hand caught in a door can easily modify a finger enough that it won’t register correctly with a fingerprint reader, and you don’t want a user to be barred access to his computer while he heals.

Fingerprints are added using the Biometric Device applet, which appears in the Control Panel of any Windows 7 computer with a fingerprint scanner attached and from which you can enable computer and domain log-in. You must be logged in as an administrator to add or manage fingerprints on Windows 7.

BitLocker To Go

One of the most serious security threats facing today’s businesses is the loss of a mobile asset containing confidential corporate information. Windows Vista’s BitLocker began to address this problem by allowing business users to encrypt a laptop’s entire hard drive so that if it were lost or stolen, nobody could access the information stored on it. BitLocker To Go extends the same protection to even more easily lost external drives, including pocket-size hard drives and tiny flash drives.

Available in Windows 7 Enterprise and Ultimate editions, BitLocker To Go is simple to use: Right-click an external drive in Explorer and select “Turn on BitLocker” to open a wizard that walks you through encrypting the drive; wait a while for the process to run, and you’re done. The wait depends on the speed of your computer and drives, but expect the initial encryption to take 20 minutes for a 2GB flash drive and up to a full workday for 500GB and larger external hard drives.

BitLocker To Go drives can be decrypted using a user-selected password and/or, in businesses that use them, a smart card for multifactor authentication.

Encrypted removable drives can be created only on Enterprise and Ultimate editions of Windows 7, but once you’ve created one, you can read from and write to it from any Windows 7 computer. You can also install a reader application on the encrypted drive that allows read-only access from Vista and XP computers.

Additional security can be implemented in corporate environments through the use of administrative policies that allow only BitLocker To Go drives to be written to, preventing users from storing data on nonsecure drives. Users of Windows Server can also keep a recovery password in escrow using Active Directory so that lost or forgotten passwords can be recovered.

AppLocker

Controlling what applications users can install or run is an effective way of maintaining the stability of users’ systems, preventing malware and protecting the integrity of the network from bandwidth-hungry applications like BitTorrent.

In previous versions of Windows, this was handled by the Software Restriction Policies feature. These policies could be applied to prevent specific software from running based on either its location in the file system or its failure to match a cryptographic hash of a known, trusted application.

Software Restriction Policies could be a hassle to implement and maintain effectively. Some programs need to be installed outside of the typical path, necessitating new path rules to be generated. And hash-based policies offer powerful security but can fail whenever a program is updated. Any change to the program’s code — even a bug fix or security update — changes the hash and, if allowed, would prevent the program from running. Thus, IT managers had to maintain and update a cumbersome list of hash rules and override programs’ ability to update automatically.

AppLocker, available for Windows 7 Enterprise and Ultimate (as well as Windows Server 2008 R2), adds a new, more flexible method of controlling software: publisher rules. Publisher rules rely on information in a program’s signature certificate, which more and more applications have today.

This information is far more detailed than the file path or hash data, which lets admins create complex rules such as allowing software only from a particular publisher, with a particular name, with a specific file name and/or of a particular version to be run. For example, a rule could be created to allow anything from Adobe to be run, or only Photoshop, or only the current and future versions of Photoshop.

AppLocker rules can be applied to any executable, script, installer or system library, giving users enough latitude to, say, install needed software or updates without an administrative override, while still preventing them from using unauthorized software.

Furthermore, AppLocker rules can be written to apply to specific users or user groups; your accounting team and your graphic design team probably have very different software needs, but with AppLocker, only one set of policies is needed to provide each group with its own unique set of restrictions and allowances. AppLocker can even distinguish among users who share the same computer.

A real timesaver is the ability to automatically generate rules from a trusted reference computer. Policies can be exported and applied globally across the network using Windows’ Group Policy settings. (See Microsoft’s TechNet for a step-by-step guide to using AppLocker.)
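As an added example (not from the article), the AppLocker PowerShell cmdlets that ship with Windows 7 Enterprise/Ultimate can build the publisher rules described above from a reference machine and dry-run them against a candidate binary before anything is enforced; the reference directory, candidate path and rule prefix are assumed values.

```powershell
# Added example: generate AppLocker publisher rules from a reference machine
# and test a candidate executable against them before enforcing anything.
# Paths and names are assumed; run as an administrator on Windows 7
# Enterprise/Ultimate (the AppLocker module is not present on other editions).
Import-Module AppLocker

# Assumed reference directory holding the signed binaries you want to allow.
$referenceDir = 'C:\Program Files\Adobe'
$policyFile   = Join-Path $env:TEMP 'publisher-policy.xml'

# Collect publisher (signature) and hash information for every executable.
$fileInfo = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe

# Prefer publisher rules, which survive vendor updates; fall back to a hash
# rule only for unsigned files (a hash rule breaks the next time the file changes).
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'RefMachine' -Optimize -Xml |
    Out-File -FilePath $policyFile -Encoding utf8

# Dry run: would this binary be allowed for this user under the new rules?
$candidate = 'C:\Program Files\Adobe\Photoshop\Photoshop.exe'   # assumed path
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidate -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Only after reviewing the decisions: merge into the local policy.
# (Use -LDAP to target a Group Policy object instead of the local machine.)
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

Rules are only enforced once the Application Identity service is running and the rule collection's enforcement mode is set; start in audit-only mode so that a missing default rule does not block Windows itself.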

It’s important to note that AppLocker rules apply only to users whose machines are running Windows 7 Enterprise or Ultimate editions. If some of your users have older Windows versions, you’ll need to keep Software Restriction Policies in place for them. As more users upgrade to Windows 7, you can phase out SRP and rely on AppLocker.

DirectAccess

Billed by Microsoft as a “next-generation” replacement for VPNs, DirectAccess allows Windows 7 Enterprise and Ultimate users to connect directly to Windows 2008 R2 and future servers. Whereas users generally have to initiate VPN connections, DirectAccess is completely transparent for end users: When the computer connects to the Internet, DirectAccess automatically creates a secure connection to the corporate network without any action on the user’s part, and automatically routes requests to the internal network through that connection.

DirectAccess offers improvements over traditional VPNs beyond the automatic connection. First of all, it uses IPsec and IPv6 Internet protocols to encrypt and route the connection from end to end. Where VPN encryption is stripped at the VPN server, DirectAccess can remain encrypted all the way to and from the application server inside the corporate network. (DirectAccess supports a number of other protocols to create tunnels for this traffic across networks that do not support IPv6 or IPsec yet.)

And because DirectAccess uses a standard Internet port for traffic, it easily traverses firewalls without any additional configuration, something VPN users often have trouble with.

Another benefit: Because the connection is created and maintained automatically, administrators can continuously manage and update DirectAccess-enabled computers, even when the user is not directly using corporate resources. Remote users tend to connect through a VPN only when they need access to network resources; depending on the worker, weeks may go by between VPN connections.

This means that VPN users must be quarantined, scanned and patched before they can be allowed access to the corporate network, a process that slows down the connection and limits worker productivity, as well as providing IT administrators with only small windows of time to manage their remote computers. With DirectAccess, computers are updated at the same time as the rest of the corporate network and can be monitored regardless of whether the user needs access to the corporate network.

Note, however, that it won’t be practical for most companies to move to DirectAccess right away. The system relies on an advanced network infrastructure — including Windows Server 2008 R2 and IPv6 — that many businesses have not yet rolled out or are incrementally upgrading to, so it may be several years before many companies have all the tools and technologies in place to move fully to DirectAccess. During the ramp-up phase, it can be run alongside a traditional VPN.

But it provides a glimpse into the future of networking — a secure, always-on connection to “home base” that allows remote employees to work as if they were sitting in the central office.

For businesses, Windows 7 allows a partnership of sorts to be established between the security-savvy IT department and the end user, letting employees get to work while security policies are applied and updated from the network. What all these features share is a commitment to ease of use that does not come at the expense of real security, showing a Microsoft that seems to have finally recognized that the two are not necessarily incompatible.


By Roger A. Grimes
InfoWorld (US)
August 6, 2010

SAN FRANCISCO - If malware were biological, the world would be in the grip of the worst pandemic in history. In 2009, more than 25 million unique malware programs were identified, more than all the malware programs ever created in all previous years (see the annual report from Panda Labs). That’s a pretty incredible statistic. Malicious programs now outnumber legitimate ones by many orders of magnitude.

The world’s largest cloud computing user? Not Microsoft, not Google, not Amazon.com. The ringleaders of the Conficker botnet, with more than 4.6 million infected computers under their control, win by a mile. Some antimalware vendors report that 48 percent of the computers they scan are infected (see page 10 of the APWG Phishing Activity Trends Report) with some sort of malware. Trojan horse programs make up 66 percent of all threats (see page 4 of the annual report from Panda Labs).


No one need wonder what malware is trying to do: It’s trying to steal money, whether it’s through data theft, bank transfers, stolen passwords, or swiped identities. Each day, tens of millions of dollars are stolen from innocent Internet victims. And yet many computer defenders can’t tell you what the biggest threat is to their environment. If you don’t know the biggest threats, how can you defend against them properly?

Today’s malware differs dramatically from the threats we faced just 10 years ago, when most malicious programs were written by young men looking to earn cyber bragging rights. Most malware made the user aware of its existence through a displayed message, music (as in the Yankee Doodle Dandy virus family), or some other sort of harmless mischief. Those were the days.

Thoroughly modern malware
Today’s malware is written by professional criminals. In most cases, users are unwittingly tricked into executing a malicious program in the form of a Trojan horse. Users think they are installing needed software, often “recommended” by a site they trust. In fact those sites are recommending nothing of the kind. Malware producers routinely break into legitimate websites using found vulnerabilities and modify existing Web pages to include malicious JavaScript redirects. Or the malicious code is hidden inside a banner ad on a website, supplied by legitimate ad services.

Either way, when the user surfs to the legitimate website, the malicious JavaScript is loaded, and it either prompts the user to install a program or redirects the unknowing user to another website where they are told to install a program.

Trojans lead the pack
Trojans typically camouflage themselves as downloadable antivirus scanners, “needed” patches, malformed PDF files, or add-on video codecs required to display an exciting video. Most of the fake programs have the clean look and feel of a real app. Even career antimalware defenders find it hard to tell the difference between what is real and what is fake.

Fake programs are even more successful at duping victims when they appear to come from popular, well-known websites that a user has trusted and visited, without incident, for years. Or they launch from one of the popular social networks, like Facebook and Twitter, which are all the rage among the least savvy computer users. Some malware programs scan the user’s computer for vulnerable software that lacks security patches, but typically, users cause infections themselves by installing apps they should not.

This is not to rule out the obvious impact of spam, phishing, adware, or other attack methods. It’s just that computer worms, viruses, and the other methods for exploiting computers, added up all together, don’t equal the threat of the socially engineered Trojan — even though some multivector worm programs, like Conficker, have victim figures that number in the millions.

In a common scenario, the first malicious program installed is called a downloader. A downloader’s goal is to be installed on the victim’s PC and then to “phone home” to the “mothership” Web server for more instructions. The downloader often has instructions to contact a dynamic DNS server to get the mothership Web server’s current location. The dynamic DNS server is just another Trojan-infected computer installed on an innocent user’s desktop. The DNS address record received by the downloader has an address that is good for only a short time — sometimes as little as 3 minutes. These “fast flux” techniques complicate efforts to investigate or eradicate malware. The downloader will eventually be redirected to another server (which is, of course, just another compromised host) and download a new program or receive instructions. This sequence of finding and downloading new programs and instructions can go on for dozens of cycles.

Eventually, the final program and instructions will be installed on the victim’s computer, with a handful of command-and-control servers under the direction of the botnet owners. Botnets can be used by the owners themselves to steal money, to conduct distributed denial of service (DDoS) attacks, or to break into other computers. Often the botnet owner will rent the botnet to other criminals who then use them to do their bidding. A good example of a common bot and botnet is Mariposa. At one point, it controlled more than 13 million PCs in 190-plus countries. The masterminds of Mariposa were not ultraskilled malware writing geniuses — they were three guys who bought a botnet “kit” on the Internet for $300.

DIY kits: Tools of the trade
Do-it-yourself malware kits have been around for two decades, but now they are soup-to-nuts efficient. The typical kit can spit out (currently) undetectable malware to do the customized bidding of its owner. Using these kits is as easy as clicking a few check boxes. The resulting malware will break into websites to start infecting innocent visitors, generate enticing spam and phishing e-mails, and do everything it takes to create the botnet — including bots, dynamic DNS servers, roving mothership Web servers, and the command-and-control servers.

Many of the kits are directed toward bypassing particular types of authentication and focus on particular financial institutions. The better bot kits include a sophisticated administrative back end so that the hackers can read statistics on total infections, OS versions exploited, and tricks used. For another $30, the kit creators will include 24/7 tech support.

These kits aren’t hidden. With just a little bit of searching, you can find them on the open market, often marked as “experimental” or “test-only” products. And there are plenty of “service providers” willing to help malware hackers turn their ill-gotten gains into hard cash.


By Gregg Keizer
Computerworld (US)
August 6, 2010

FRAMINGHAM - Microsoft on Wednesday updated its bare-bones preview of Internet Explorer 9 (IE9) for the last time, saying that the next release would be a beta build.

Although Microsoft hasn’t named a release date for IE9’s beta, the six-to-eight week stretch between each Platform Preview may provide a clue: If the company sticks to the same gap between the fourth preview and the beta, the latter should show on or after Sept. 15.

In IE9 Platform Preview 4, Microsoft has integrated its new JavaScript engine into the browser, finished its work on hardware acceleration and boosted performance in several areas, including the Acid3 test, said the IE team’s leader.

“The IE9 platform is nearly complete,” said Dean Hachamovitch, general manager of IE, in a detailed post on the browser’s blog Wednesday.

Last updated six weeks ago, the IE9 Platform Preview is not a full-fledged browser, but instead consists of a minimalist interface wrapped around Microsoft’s newest rendering and JavaScript engines.

When Microsoft debuted IE9 in mid-March, the company committed to updating the IE9 preview approximately every eight weeks until it issues a public beta. That beta is slated to ship next month, according to comments made last week by Kevin Turner, Microsoft’s chief operating officer.

The fourth preview includes fixes for previously reported bugs, wraps up the graphics processor-powered audio, video and text acceleration, and moves Microsoft’s new “Chakra” JavaScript engine inside the browser for better performance, Hachamovitch said.

“One aspect of [meeting our goals] is integrating the JavaScript engine natively inside the browser, rather than bolting it onto the side to support multiple JavaScript engines as some other browsers do today,” Hachamovitch said, taking a shot at rivals such as Mozilla’s Firefox. “How a JavaScript engine is integrated into the browser is as important as the engine itself for real-world HTML5.”

Although Microsoft once downplayed JavaScript speeds — Hachamovitch dismissed the contest for fastest browser as just a “drag race” during IE8’s development — it’s aggressively touted Chakra’s performance.

According to Hachamovitch, IE9 Platform Preview 4 scores better on the SunSpider JavaScript test suite than all rivals except Google’s Chrome and Opera Software’s Opera. Microsoft’s SunSpider results differ from Computerworld’s latest, which pegged Apple’s Safari as the fastest on Windows, with Opera and Chrome close behind.

On the Acid3 benchmark, which checks how closely a browser follows certain Web standards, the IE9 Platform Preview 4 scored 95 out of a possible 100, the highest ever for a Microsoft browser. The score was a 14% improvement over Platform Preview 3.

Hachamovitch hinted that the score of 95 would be IE9’s best effort, arguing that the standards which prevent it from acing the benchmark are “in transition” and thus unlikely to get full support from Microsoft.

IE is on a two-month upswing in usage share, according to the most recent data from Net Applications, and Microsoft has to hope that when IE9 ships in final form, it will be able to turn around the browser’s long-term decline.

The 16MB Platform Preview 4 can be downloaded from Microsoft’s site.

Unlike production versions, the IE9 preview can run alongside other editions, such as IE7 on Vista or IE8 on Windows 7. However, neither the Platform Preview nor the final version of IE9 will run on Windows XP, a sticking point with some users of that nine-year-old operating system.


By Gregg Keizer
Computerworld (US)
August 5, 2010

FRAMINGHAM - Although some had hoped that Microsoft would violate its own patching policy, the company yesterday stuck to its guns and declined to provide a fix for a critical bug to users running Windows XP Service Pack 2 (SP2).

On Monday, Microsoft shipped an emergency patch for the Windows shortcut bug that attackers have been exploiting for several weeks. The vulnerability affects all versions from Windows 2000 on, including XP, Vista and Windows 7.

But, per Microsoft’s practice, the oldest operating systems and service packs were denied the update.

“To be crystal clear, there is no security update for XP SP2,” said Microsoft spokesman Christopher Budd in a Webcast on the out-of-band patch that he hosted Monday afternoon.

Microsoft retired XP SP2, as well as the even older Windows 2000, from all support on July 13, when both editions exited the company’s final five-year “extended support” phase. Products dropped from extended support no longer receive security patches or other non-security fixes from Microsoft via its Automatic Update service and business patch mechanisms like Windows Server Update Service (WSUS).

Nonetheless, a few security researchers had held out a little hope that Microsoft would issue a fix for the Windows shortcut vulnerability to machines running XP SP2.

“The only question I had was whether Microsoft would try and release a patch for unsupported operating systems,” Andrew Storms, director of security operations at nCircle Security, said in an interview Monday. “There’s a ton of people still running SP2, and it just went end-of-life.”

Other researchers echoed Storms yesterday. Jason Miller, data and security team manager for patch management vendor Shavlik Technologies, said that he had looked carefully for any sign that Microsoft was pushing a fix to Windows XP SP2 or Windows 2000. There wasn’t.

Wolfgang Kandek, CTO of Qualys, confirmed that. “The recently discontinued Windows 2000 and Windows XP SP2 are not covered by the patch,” said Kandek.

Microsoft declined to directly answer questions yesterday about whether XP SP2 users would be served the out-of-band update. “Microsoft does not comment on the possible vulnerability of out-of-support versions of products,” said Budd in an e-mail reply to those questions Monday.

Earlier in the day, however, Budd had been more forthcoming. “Now that those products are no longer publicly supported, we do not call them out in our security bulletins, and we do not provide support for those products, which means that there is no security update for those products,” Budd said during the Webcast, which kicked off at 4 p.m. ET.

An audio recording of the Webcast is available on Microsoft’s site.

However, Microsoft confused some customers when the Download Center description for the shortcut bug fix initially listed both Windows XP SP3 and Windows XP SP2 as supported operating systems.

“That’s actually an error on the Download Center text, and something that we are addressing as soon as possible,” Budd said during the Q&A portion of the Webcast. Microsoft later revised the download’s system requirements section by striking the reference to XP SP2.

Because users running Windows XP SP2 will never be offered an update for the shortcut bug — or for any other future vulnerabilities for that matter — Microsoft has been urging customers to upgrade to XP SP3 or a newer version such as Windows 7.

Failing that, users who decide to stick with XP SP2 have several options, including doing nothing, implementing the shortcut-disabling workaround that Microsoft first recommended, or installing Sophos’ free tool that blocks malicious shortcuts from executing attack code.

The Sophos tool works on Windows XP SP2, but not on Windows 2000.

Minus a patch, workaround or other protection, Windows XP SP2 users will remain vulnerable to current and future exploits. “Users need to work on an upgrade strategy, as without patch support they will become increasingly susceptible to attacks from malware,” Kandek said.


By AvantiKumar
MIS Asia
August 25, 2010

SINGAPORE - As part of a continued collaboration drive to step up security levels, Adobe Systems has joined the Microsoft Active Protections Programme [MAPP].

The partnership, which was announced during the recent Black Hat USA 2010 conference, is also meant to encourage a shared sense of responsibility across the ecosystem, including Asia, as no one organisation can solve today’s complex security challenges, according to Microsoft Trustworthy Computing [TwC] director, Dave Forstrom.

“Adobe will distribute detailed vulnerability information for its software to all partners participating in Microsoft’s Active Protections Program (MAPP),” Forstrom said.

“The additional vulnerability information will provide security vendors an opportunity to offer quicker and more effective protections to their customers prior to Adobe deploying its security updates,” said Forstrom.

“Adobe has recognised that MAPP is a tried and proven model giving an upper hand to a collective network of global defenders who all rally behind a shared purpose–protecting our mutual customers,” he added.

Launched in October 2008 by the Microsoft Security Response Centre, MAPP is a collaborative effort that facilitates advanced information sharing on Microsoft product vulnerabilities with security software providers.

Coordinated vulnerability disclosure

Forstrom said Adobe and Microsoft have been working closely together to help improve the software update experience for mutual customers.

“Through this collaboration, we hope to make it easier for Microsoft System Centre Configuration Manager (SCCM) and Microsoft System Centre Essentials (SCE) customers to import Adobe updates through the Microsoft System Centre Updates Publisher (SCUP) and manage their distribution to client computers,” he said.

Forstrom added that MAPP would include vulnerability information sharing from Adobe Systems. Microsoft has also discussed a new policy of coordinated vulnerability disclosure, a reframing of responsible disclosure, and introduced new tools and guidance that will improve online security for customers.

“In autumn 2010, Adobe will join Microsoft and share its vulnerability information with the 65 global MAPP members, offering advanced protection to hundreds of millions of people,” he said. “Through programmes like MAPP, Microsoft is helping protect customers from the threats of today and tomorrow.”

“Given the relative ubiquity and cross-platform reach of many of our products, as well as the continued shifts in the threat landscape, Adobe has attracted increasing attention from attackers,” said Adobe senior director of product security and privacy, Brad Arkin. “MAPP is a great example of a tried and proven model giving an upper hand to a network of global defenders who all rally behind a shared purpose–protecting our mutual customers.”

“Microsoft acknowledges that the constantly changing threat landscape requires a new approach to security–collaboration and shared responsibility are key as past individual efforts are no longer enough,” said Microsoft Security Response Centre director, Mike Reavey.

“We continue to encourage the collective industry–from security researchers and vendors to customers–to recognise the responsibility we all share in fortifying the broader computing ecosystem against online crime,” said Reavey.


By Gregg Keizer
Computerworld (US)
August 4, 2010

FRAMINGHAM - Microsoft today said that it will not sell upgrades for the upcoming Office for Mac 2011, mimicking the move it made earlier this year when it ditched upgrades for the Windows Office 2010.

The new suite’s lowest-priced edition will also lack a dedicated e-mail client, another decision copied from Windows.

Earlier Monday, Microsoft set an end-of-October launch of Office for Mac 2011; debuted a free offer for anyone who purchases its predecessor, Office for Mac 2008, between Aug. 1 and Nov. 30; and revamped the editions it will offer and their prices.

Microsoft acknowledged that the last of those three was to bring the Mac version of its suite in line with the more widely-sold Windows edition. “For better alignment across platforms, the Office 2011 pricing and edition options map closer with Office for the Windows operating system,” said Microsoft in a statement.

Microsoft touted the new prices. “The new Office 2011 lineup makes purchasing decisions easier — with a lower price-per-installation for all editions … [and] these changes ensure that customers get the right products and applications at the right price.”

Prices will be lower at best, the same at worst.

The entry-level edition, Home and Student 2011, costs $149 for a three-license version, the same price as the comparable 2008 package. But the new single-license version will run $119, a savings of $30 for those who have only one computer.

On a per-install basis, however, the $119 edition is no bargain: Users who have two computers can effectively get Office 2011 (or the current 2008) for just $75 per machine, and if they install it on three Macs, the cost drops to less than $50 per system.

Microsoft has not offered an upgrade price for Home and Student in the past.

The situation’s better for buyers looking at Office for Mac Home and Business 2011, which, like the cheaper Home and Student, takes its name from a Windows edition.

There, the single-license version runs $199, a $41 savings from the $240 upgrade price for the comparable Office 2008 edition, Office for Business 2008. A two-license package of Home and Business 2011 will cost $279, or $140 per installation, significantly less than the $400 for the current full version of Mac Office for Business 2008.

Customers used to upgrading still save under Home and Business’ pricing, since an upgrade to what had originally been called Office for Mac 2008 — and later renamed Business — was for just one license.

With the introduction of the one-license versions of Home and Student and Home and Business, Microsoft is taking the Mac edition of Office down the same path walked earlier by Office 2010. In January 2010, Microsoft confirmed that it would not offer “upgrade” pricing for Office 2010, a move that effectively raised the cost for some users planning on migrating.

Historically, Microsoft has sold discounted versions to users who already have an earlier edition on their PCs, whether that’s Office or Windows. This year, Microsoft instead instituted the same single-license pricing it announced today for the Mac.

It’s unclear whether Microsoft will also mimic Office 2010’s product key card — a small credit card-sized piece of plastic sold at retail that includes a single license activation key — for the Mac. Microsoft has pitched the key card as a simpler way to obtain upgrade rights to Office 2010. The public relations firm that handles Office for the Mac for Microsoft did not respond to a request for comment.

The company is also duplicating the application mix of its Windows suite in the Mac versions.

Office for Mac Home and Student 2011, for example, will not include the Outlook e-mail client, just as Office Home and Student on Windows omits that program. That’s a change for Mac users, who have been getting the Entourage e-mail software with the 2008 version of Mac Office.

The users most likely to be affected are those who were buying Home and Student 2008, then running Entourage rather than Apple’s own Mail client. The copy of Entourage in Home and Student was deliberately crippled so it could not connect with a company’s Exchange mail server.

Microsoft will also sell an academic edition of Office 2011 for $99 that includes Word, Excel, PowerPoint and Outlook — the same apps included with Home and Business — to college students, faculty and staff.

To keep customers buying Office 2008, Microsoft launched a Technology Guarantee program Monday that will let users download a free copy of Office 2011 if they purchased the older edition between Aug. 1 and the end of November. Consumers who purchase Office for Mac Home and Student 2008 will get the three-license version of the 2011 suite, while people who buy the 2008 Business Edition in full, upgrade or student versions will receive a free copy of the two-license Home and Business 2011.

More information on the free upgrade program has been published on Microsoft’s Web site.

Office for Mac was last upgraded in January 2009 , when Microsoft released the 2008 edition several months later than projected earlier.


By Gregg Keizer
Computerworld (US)
August 4, 2010

FRAMINGHAM - As promised, Microsoft today issued an emergency patch for the critical Windows shortcut bug attackers have been exploiting for several weeks.

Also as pledged, Microsoft did not deliver a fix for users running Windows XP Service Pack 2 (SP2) or Windows 2000, which were retired from support three weeks ago.

There was little in Monday’s accompanying bulletin that wasn’t already known, noted Andrew Storms, director of security operations at nCircle Security.

“This was almost entirely public at this point,” said Storms. “The only question I had was whether Microsoft would try and release a patch for unsupported operating systems.”

Storms’ reference was to XP SP2 and Windows 2000. “There’s a ton of people still running SP2, and it just went end-of-life,” Storms argued. “And SCADA systems typically run on older versions of the OS. I thought Microsoft might be strong-armed by SCADA vendors into releasing a fix for SP2.”

But Microsoft stuck to its long-standing policy and did not provide patches for machines running Windows XP SP2, Windows 2000 or any other off-support version.

The vulnerability addressed today was first described in mid-June by VirusBlokAda, a little-known security firm based in Belarus, but attracted widespread attention only after security blogger Brian Krebs reported on it July 15. A day later, Microsoft admitted that attackers were already exploiting the flaw using the “Stuxnet” worm, which targets Windows PCs that manage large-scale industrial-control systems in manufacturing and utility firms.

Those control systems are often dubbed SCADA, for “supervisory control and data acquisition.”

The flaw was in how Windows parsed shortcut files, the small files displayed by icons on the desktop, on the toolbar and in the Start menu that launch applications and documents when clicked. By crafting malicious shortcuts, hackers could automatically execute malware whenever a user viewed the shortcut or the contents of a folder containing the malevolent shortcut.

Exploit code went public last month, and Microsoft and others have spotted several attack campaigns based on the bug. When the company announced last Friday that it would patch the shortcut bug today, it also said that it had seen the virulent “Sality” malware family using the shortcut exploit.

Microsoft patched the problem by “correctly validating the icon reference of a shortcut,” according to MS10-046 bulletin.

The company also told users who had deployed a recommended workaround — which involved disabling the displaying of all shortcuts — to undo that workaround after applying the patch. Scattered reports on the Web, however, have noted problems unless the workaround is reversed before the patch is applied.

Because Microsoft’s patch results in a new version of Shell32.dll being pushed to users, the quality of the update will be important: Shell32.dll is a crucial Windows library file that contains numerous Windows Shell API (application programming interface) functions. If it’s flawed, or incorrectly updated on some machines, PCs will lock up with the notorious Blue Screen of Death.

Storms didn’t think there was anything to worry about. “They patched a Windows kernel bug in 20 days back in January,” Storms pointed out. “They probably understand the risks here by going out-of-band.”

Jason Miller, data and security team manager for Shavlik Technologies, said he wasn’t expecting a rush patch because of the proximity of August’s regular security updates.

“It’s not uncommon for Microsoft to release out-of-band,” said Miller, “but Patch Tuesday is just a week away. I expected that they would just wait until then.”

Microsoft’s regularly-scheduled monthly updates are to ship Aug. 10, a week from tomorrow.

According to Miller, out-of-band updates are usually released in-between a pair of Patch Tuesdays, in other words, approximately two weeks before the next slated release.

“Microsoft must have seen something in this that prompted them to release now,” said Miller, referring to last Friday’s announcement that Sality had begun exploiting the shortcut bug. “I’d bet that they’re probably expecting that we’ll see an additional uptick in attacks as other viruses add this [exploit] to their payloads,” Miller concluded.

The patch, which is available for all still-supported versions of Windows, including XP SP3, Vista, Windows 7, Server 2003, Server 2008 and Server 2008 R2, can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.


By Gregg Keizer
Computerworld (US)
August 3, 2010

FRAMINGHAM - Microsoft’s Windows 7 reached a major milestone in July, while Apple’s Mac OS X lost ground for the fourth straight month, a Web analytics firm said Sunday.

According to California-based Net Applications, Windows 7 passed Vista for the first time last month by posting a usage share of 14.5%, versus its predecessor’s 14.3%.

Net Applications uses data acquired from the 160 million unique visitors who browse the 40,000 Web sites it monitors for clients.

Windows 7 has been on a fast pace to supplant Vista as Microsoft’s — and the world’s — No. 2 operating system, behind the nearly-nine-year-old Windows XP. By Net Applications’ calculation, Windows 7 needed just nine months to hit a mark that Vista took more than 21 months to match.

Vista’s share crested at 18.8% in October 2009 and has been in decline since: Vista has lost 4.5 percentage points, or 24% of its peak share, since Microsoft launched Windows 7.

Microsoft has not been shy about flaunting Windows 7’s success, calling it the firm’s fastest-selling operating system with more than 175 million licenses sold, and claiming that Windows 7 runs 16% of the world’s personal computers.

But the rate of Windows 7’s increase during July — just 0.8 of a percentage point — was the smallest since the new edition’s debut.

And for all its success at selling Windows 7, Microsoft has not had as much luck in moving users off Windows XP.

The aged XP accounted for 61.9% of all operating systems used last month, Net Applications said, a decline of six-tenths of a percentage point from June and down 5.9 points since the first of the year. But Windows XP’s slide has slowed: In the second quarter of 2010, the operating system lost two percentage points, compared to 3.3 points in the first quarter. At that rate of decline, XP won’t drop under the 50% share mark until January 2012.

Combined, all editions of Windows ran on 91.3% of the machines that connected to Net Applications’ sites last month, a decline of just over one-tenth of a percentage point. Windows 7’s growing use appears to have been key to that small slip and in a slowing of Windows’ gradual decline: In the second quarter of 2010, Windows lost only one-fourth as much share as it did during the first quarter.

Meanwhile, Net Applications reported that Apple’s OS X recorded its fourth consecutive month of share decline in July, losing nearly two-tenths of a percentage point, the largest single-month drop in over a year and a half.

Since the beginning of 2010, Mac OS X has lost share in five of seven months. It now stands at 5%, the same number as in February 2010 and off the operating system’s peak of 5.3% in October 2009, the month Microsoft debuted Windows 7.

Net Applications’ numbers don’t equate to sales — two weeks ago Apple reported it sold a record 3.5 million Macs in the second quarter — but they do show that Windows 7 is fueling an even bigger PC sales boom relative to last year’s usage share standings. Windows 7, for example, now powers three times the number of machines than does Mac OS X.

Not all is gloomy for Apple. According to Net Applications, the iPhone’s operating system accounted for seven-tenths of one percent of all OSes online in July — not just mobile operating systems — a 19% jump from the month before.

July was the first full month that the iPhone 4 was available in the U.S. and several other countries.

In a note on its Web site, Net Applications pointed out that the gain came amid reports of antenna and reception problems in the iPhone 4 throughout much of July. However, the company also said that the jump in share was “typical prior to the release of a major upgrade” as buyers delay purchases until a new version of an operating system or device is available.

Net Applications had a point. The first full month after the introduction of the iPhone 3G in the summer of 2008, iPhone usage share leaped 63%. Two months after the debut of last year’s iPhone 3GS, its share was 20% above pre-launch levels.

Net Applications’ operating system share data can be found on its Web site.


By Peter Cohan
August 2, 2010

Thomas L. Friedman, The New York Times’s op-editorialist extraordinaire, penned a column in April about a topic that could affect the future of the US economy. But while his overall point is on target, he misses the mark in a key way.

Why should anyone in the Philippines care? After all, the Philippines has done a good job of making itself less dependent on the state of the US economy. And after much better-than-expected 7.3% GDP growth in the first quarter of 2010, Standard Chartered Bank raised its 2010 GDP growth forecast for the Philippines from 3.3% to 5.9%.

At that rate of growth, it seems that the Philippines has nothing to worry about when it comes to the US. But without the problems in the US, that figure would have been even higher. The World Bank estimates that developing country growth is slower, by between 0.2 and 0.7 percentage points, than it would have been were it not for the economic slowdown resulting from the developing world’s financial crisis that began in 2008.

But not only does the US present an economic threat to growth in the Philippines, it also presents opportunities for startups.

In that context, it is worth pointing out that I agree with Friedman on the main point — that a recovery in the US depends on small companies creating jobs. However, his prescription — increasing the number of what he calls “high-IQ risk-takers” in the US — won’t do the trick. Instead, jobs will result when entrepreneurs can get the capital they need to start and build successful ventures. And getting that money takes more than just smart people.

Friedman’s argument springs from what appears to be an interview with Craig Mundie, the chief research and strategy officer of Microsoft. Although Microsoft has been a relative laggard technologically for at least the last decade, Friedman appears to be swept away by Mundie’s viewpoint.

The Microsoft exec suggests that the problem with the US economy is that so-called high-IQ risk-takers in business and government are being discouraged by “cutbacks in higher education, restrictions on immigration and a toxic public space that dissuades talented people from going into government.” Moreover, Mundie argues that the common element that explains the “above-average returns as a country” for Singapore, Israel and America has been those high-IQ risk-takers.

AN IMPORTANT FLAW

I find it quite plausible when Friedman cites research from The Kauffman Foundation to conclude that most jobs come from small businesses. Kauffman’s Robert Litan argues to Friedman that, “Between 1980 and 2005, virtually all net new jobs created in the US were created by firms that were 5 years old or less. That is about 40 million jobs. That means the established firms created no new net jobs during that period.”

With 8.4 million people out of work since the Great Recession began in December 2007, anyone looking for a job surely cares deeply about the source of new jobs. Why does it matter if Friedman is right or wrong? Friedman’s effort to attribute small business jobs to high-IQ risk-takers is flawed. And that flaw is important because if policymakers follow the prescriptions that flow from his analysis, they won’t create the new jobs that people want.

Friedman’s analysis is off base for three reasons:

  • Failure to define key terms or to explain how they create jobs
  • The success of Singapore and Israel comes from very different sources
  • It excludes factors that are critical to entrepreneurial activity

In considering what the US must do to encourage more start-up activity, Friedman’s prescription of letting more smart immigrants into the US seems fine. But many US companies have found ways of tapping potential immigrants’ talents by partnering with them in their home countries without them being US citizens. To the extent that Friedman’s focus on human capital has merit, it doesn’t go nearly far enough.

OPPORTUNITIES FOR THE PHILIPPINES

Our research found that when it comes to human capital, the Philippines has significant advantages over many of its Asian neighbors. And US companies, particularly professional services firms such as those in law and accounting, perceive many advantages in outsourcing research work to the Philippines. Specifically, these US firms hire workers in the Philippines because many of them speak English well, have a deep appreciation of American culture, and accept relatively low pay.

As US firms look to lower their fixed costs while preparing to handle growth in demand as the US economy recovers, there will be growing demand for Philippine ventures that can hire, train and deploy the country’s citizens to deliver high-quality service cost-effectively to US firms.

And those firms in the Philippines should tap into financial markets in the US and elsewhere to fund those startups. Capital seeking faster growth is expected to flow to emerging markets in 2010, to the tune of $709 billion. And if they can bring together US and other developed-country customers with their skilled workers, Philippine entrepreneurs ought to get a share of those global capital flows.

That’s why human capital offers a strong base from which to build Philippine startups.


By Robert X. Cringely
InfoWorld (US)
August 2, 2010

SAN FRANCISCO - Remember back in early June when Steve Ballmer said the Apple iPad was “just another PC”? He’d like to amend that slightly to “just another PC that’s now kicking our a**.”

In a meeting with analysts yesterday, Ballmer spent a fair amount of time talking about Apple’s iPad and trying to explain why there are no Microsoft-based devices that remotely compare to it.

Fortune’s Philip Elmer-Dewitt distills the Ballmer discussion of the iPad into 11 words: “We’ll talk about slates and tablets and blah, blah, blah, blah.” (Apparently, Ballmer is also adopting the Steve Jobs 11-word rule.)

The “blah blah blah” part included a) an admission that the iPad has sold “more than I’d like them to sell,” b) “we’re coming full guns” to the slate market, and c) they’ll be “coming when they’re ready” — so don’t bother camping in line outside any Microsoft stores just yet. (Greg Packer, this means you.)

Meanwhile, the one Windows-based slate Ballmer could dig up to demo at last January’s CES — and got virtually heckled off the stage by the blogosphere afterward — may end up not being a Windows device after all. Now that HP has gobbled up Palm, its Slate PC may run Palm’s WebOS, a much more attractive tablet interface than Windows 7. Given how badly HP got jobbed by Microsoft during the whole “Vista ready” labeling debacle, I imagine this would be sweet revenge.

So, once again, Microsoft finds itself in the position of needing to imitate Apple to stay relevant.

Of course, imitation is part of Microsoft’s DNA. Copy something successful, then ram it down people’s throats. CP/M becomes MS-DOS, the Mac GUI gets reborn as Windows, though maybe “stillborn” is closer — it took Redmond 11 years to come up with an interface that approached the Mac’s features and simplicity. Intuit’s Quicken begets Microsoft Money. The iPod spawns the Zune. And so on down the line.

I’m not saying Microsoft has not come up with some innovations over the last 35 years. I still think Excel is the best software Redmond ever made. The Xbox, Microsoft Surface, Project Natal — er, Kinect — are all first rate. But its bread-and-butter strategy continues to be “imitate, then destroy.” And that strategy has grown less successful over time.

Now Microsoft has to play catchup to the iPad, as well as the 3,247 Android-based tablets we’ll be seeing over the next 12 months. Given how long it’s taking Redmond to catch up on cell phones, it may be two years before we see any tablets worth talking about. By then, it will be too late.

Still, this could explain Microsoft’s new slogan, unveiled at its annual Microsoft Global Exchange confab last week: Be What’s Next. In this case, what’s “next” is Apple, a company it seems Microsoft now desperately needs to become.


By Gregg Keizer
Computerworld (US)
August 2, 2010

FRAMINGHAM - Microsoft will ship a beta of Internet Explorer 9 (IE9) in September, a company executive said today.

If the timeline is accurate, the IE9 beta release will come a month later than earlier speculation, which had settled on August, a pick based in large part on PowerPoint slides purportedly from a Microsoft presentation that focused on Windows 8, the next iteration of the company’s OS.

Today, Kevin Turner, Microsoft’s chief operating officer, said that IE9 would reach beta this fall. “We’re really excited about IE9, which will be beta and coming out in September,” said Turner during the company’s annual day-long presentation to Wall Street analysts.

Turner also boasted of Internet Explorer’s recent turnaround, claiming that it had gained usage share the last two months.

According to Web analytics company Net Applications, IE did increase its global share by a record six-tenths of a percentage point during June. However, Net Applications had IE losing, not gaining, ground worldwide in May.

As of June 30, IE accounted for an estimated 60.3% of all browsers used during the month.

Since March, when the company debuted a rough-around-the-edges IE9 developer preview, the company has updated the bare-bones browser twice, most recently in late June.

After Turner’s announcement of a September beta for IE9, Microsoft declined to answer additional questions, including when during the month users could expect the more stable preview, or whether the beta would be open to everyone, as the developer previews have been.

“We do not have any additional specifics to share at this time about when Internet Explorer 9 Beta will be available,” a company spokeswoman said.

Microsoft has also refused to name a release schedule for the final build of IE9. Most pundits now believe Microsoft won’t wrap up the browser until 2011.

That will be the case if Microsoft mimics the timeline it used for Internet Explorer 8 (IE8), which reached the beta milestone in March 2008 but didn’t ship until March 2009.

Using IE8’s schedule as a guide, users can expect to see the final version of IE9 in September 2011.

IE9 will run on Windows Vista and Windows 7, but not on Windows XP, the nearly-nine-year-old operating system that still accounts for 68% of all versions of Windows still in use.

Media G8way Corp
Copyright (c) 2009 Media G8way Corp. All Rights Reserved. Reproduction in whole or part in any form or medium without express written permission of Media G8way Corp is prohibited.