• A Little Experiment –

    Okay. Let’s try a little experiment.

    On Friday, May 13, a fellow who calls himself RSnake posted an interesting message on the Bugtraq site. Seems that RSnake has come up with a very, very simple Web page which, when viewed with either Internet Explorer or Firefox, causes Windows XP to freeze and/or keel over with a Blue Screen of Death.

    It appears to be a Windows XP problem – at least some other versions of Windows don’t appear to be affected, and both IE and Firefox show the same problem, give or take a blue screen or two.

    Sounds to me like a perfect opportunity for Microsoft to issue a “Security Advisory”. You know, the bulletins that Microsoft’s Security Response Center promises “will be issued ‘within one business day’ of Microsoft Corp. becoming aware of an incident or issue.”

    Here’s an issue. It’s an important issue. Tell us, Microsoft: is the problem real? What versions of Windows and/or IE does it affect? Does Windows also croak if we try to read a formatted email message in Outlook or Outlook Express? When will we have a patch? Can you get us the information, either on the official Security Advisory page, or on the less formal MSRC blog, within a business day?

    Hey, you’ve had all weekend to work on it, guys. That was enough time for the Firefox folks to not only acknowledge their most recent security holes, but also to create, test, and post a working, stable patch.

    (I won’t even bother asking about the three outstanding “high priority” security holes that eEye Digital Security has posted.)

  • Office 2003 Hotfix

    There’s a new hotfix for Office 2003.

    See the Microsoft Patch Reliability Ratings article for details.

  • A Lean Windows XP?

    Mary Jo Foley reports in her Microsoft Watch newsletter that Microsoft has confirmed it will build a “lean” version of Windows XP. (The original report came almost a month ago on Steven Bink’s site. I didn’t mention it here because the details just didn’t feel right. Still don’t, for that matter, but now MS is talking about it.)

    The ‘Softies insist that “Eiger” (the code name) won’t be another “Windows Starter Edition” – the stripped-down, cheap version of Windows that’s sold almost three copies here in Thailand. Nope. This is a full security-enhanced version of Windows XP that’ll run on machines currently mired in Windows 98, or even Windows 95. And Eiger will do its magic on older machines without requiring a hardware upgrade.

    Quoth Microsoft: “Eiger is not a general-purpose operating system. It can’t run games, office-productivity software or line-of-business applications…” Which begs the question: other than Firefox, what can it run?

    Stay tuned for details. And watch out for typical Microsoft Marketing Drivel.

    UPDATE (May 18): Steven Bink has posted an interesting interview with the Eiger dev team.

  • Firefox patch – Version 1.0.4

    If you use Firefox (and you should!), run over to the Firefox site and get the latest patch. It’s called Version 1.0.4, and you need it.

    Lesseee… by my stopwatch, it took the Firefox folks four days from the first public disclosure of the security hole until we got the patch. In 12 languages, no less. Not bad. Comparisons with Microsoft would be superfluous.

  • Microsoft Security Advisories a Sham

    I’ve been reading for the past couple of weeks about Microsoft’s new “Security Advisories”. eWeek described the new service thusly:

    The pilot project, which is independent of the scheduled monthly security bulletins, represents a major shift in the way the Redmond, Wash.-based software maker communicates with customers when information on security flaws is published by gray hat hackers and private research outfits. The new offering, dubbed Microsoft Security Advisories, gives engineers at the MSRC (Microsoft Security Research Center) an outlet for providing instant feedback, guidance and mitigations when researchers jump the gun and release vulnerability details before a patch is available. It is meant as a bridge to provide information and guidance in between the time a flaw warning is released and a patch is ready for the monthly security bulletins.

    I’ve been hoping that Microsoft would finally acknowledge some (hundreds!) of the known security holes in MS products, and give us consumers an idea of what’s being done to fix the most egregious flaws.

    MS just posted its first Security Advisories, and they’re a sham, from beginning to end. One of the Advisories discusses the Tar Pit feature in Exchange Server. The other is a warmed-over discussion of the Windows Media Player bug that Ed Bott first brought up months ago, and I ran over in late February.

    Microsoft conveniently updated its old Knowledge Base article about the way WMP reaches out to Web sites even if you tell it not to, so you might think that this is something new. It isn’t.

    Advance information? “Instant feedback, guidance and mitigations when researchers jump the gun and release vulnerability details before a patch is available”? All I see is two-month-old drivel. Maybe some day the Security Advisories will arrive “within one business day” of Microsoft becoming aware of a problem. For now, it’s a crock.

    I find it particularly enlightening to compare and contrast Microsoft’s continuing head-in-the-sand obfuscation bolstered by marketing happy talk with Mozilla’s immediate, open, honest reaction to discovery of new security holes in Firefox. May the better team win.

  • Next Version of Office in 2006

    It’s official.

    Joris Evers at IDG News quotes BillG as saying the next version of Office will appear in 2006. The new version will emphasize “workflow capabilities, rights management, advanced scheduling, document sharing and business intelligence”. Aside from the fact that the final feature appears to be an oxymoron, I have to stifle a yawn.

    With so many important – even small – improvements that could be made, we’re going to get more SharePoint, more iron-fisted “rights management” and more and more of the stuff that most normal people like you and me need less and less. But the next version of Office certainly will sell more copies of Windows Server. Yessiree Bob. That’s where the big bucks are.

    Could somebody tell me if Microsoft is ever going to make it easy to put an Outlook Contact’s address in a Word doc?

    Oh well. At least we won’t have to deal with it for another year.

    P.S. I always get a chuckle when I read Microsoft’s revisionist claim about release schedules for Office. The IDG article states, “A 2006 release is in line with Microsoft’s two- to three-year release schedules for Office.” Waaaaallllll… Let’s see. The first version of Office was version 4.0 – yes, MS skipped 1, 2, and 3. Office 4.3 (the only moderately stable version of Office 4.x) was released in June 1994. Office 95 was in August, 1995 – fourteen months later. Then there was Office 97 in December, 1996 (15 months), 2000 in June 1999 (18 months), XP in May 2001 (23 months), and 2003 in November 2003 (17 months). In fact, with one exception, Office has been on an 18-month release schedule, right up until the latest version.

    The length of time between updates only matters if you’re projecting Microsoft’s corporate cash flow. The important thing for you and me is whether MS can deliver a compelling, stable upgrade – whether it takes 18 months or 36 or 72. We’ll see.

  • MS05-024 Security Patch a Real Yawner

    The latest security bulletin from Microsoft, MS05-024, only applies to Windows 2000 and Windows Me. Further (if Microsoft can be believed), the exposure in Windows Me isn’t that great.

    There doesn’t appear to be any reason to apply the patch unless you use Windows 2000. As usual, if I hear differently, I’ll let you know.

    The May version of the Malicious Software Removal Tool differs from the April version by including a sniffer for the SDBot worm, which is a very obscure critter. It wouldn’t hurt to run the Software Removal Tool, but I wouldn’t knock down any doors to get to it.

  • More Firefox Security Holes

    The GreyHat Security Group discovered two critical security holes in Firefox. Somehow details of the security holes leaked on Saturday, and a “Proof of Concept” program, which demonstrates that the security holes are real, was posted. The Proof of Concept code actually uses both security holes, together, to run a (potentially destructive) program when you click on a Web page.

    That was Saturday. By Sunday, May 8, Mother’s Day in the US, the Firefox team had patched things on their server well enough that the Proof of Concept code wouldn’t run. They haven’t patched Firefox itself yet, and the holes are still there, but the only known existing program that exploited the holes was stuffed. No word on when the patch will arrive.

    Quoth Firefox: Security Advisory (May 8, 2005) The Mozilla Foundation is aware of two potentially critical Firefox security vulnerabilities as reported publicly Saturday, May 7th. There are currently no known active exploits of these vulnerabilities although a “proof of concept” has been reported. Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit. Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update. Users can further protect themselves today by temporarily disabling JavaScript.

    Oh. Did I mention that full technical details are on the Mozilla/Firefox Web site? Can you imagine Microsoft doing something like that?

  • Xbox 360 Specs Leaked

    We aren’t supposed to know the details about Microsoft’s new game machine, but Neowin appears to have full technical specs.

    Initial buzz is that the system’s hot. Figuratively, not literally. I’ll defer to my son for the full system workout. When it comes to gaming systems, the proof’s in the playing, not in the specs.

    With a tip o’ the hat to Paul Thurrott, the specs look quite spectacular: a custom 3.2GHz IBM PowerPC processor with three symmetrical cores, 512MB of RAM, custom ATI video processor with 10MB of embedded DRAM, DVD player, three USB ports, multichannel surround sound. Seriously cool.

  • Google Gagged

    David Bennet, posting on Neowin, has some interesting insights on Google’s sudden disappearance Saturday. Depending on where you live and which ISP you use, Google.com (and Google.co.uk and Google.fr) was not working for 15 minutes to an hour. Life went on, but Life Without Google is not life as we know it, eh?

    The most ominous problem: many people complained about not being able to get at critical email, because GMail went down at the same time. I’m not one to criticize free email services – in fact, I recommend them heartily in all of my books – but I’m concerned about people using free email services for mission-critical mail.

  • Ballmer Reverses Stand on Gay Rights Legislation

    I’ve been working with (and against) Microsoft for more than two decades, and in all that time I’ve never seen as divisive an issue between MS employees and brass as Microsoft’s “neutral” position on a gay rights bill in Washington State. It was very uncharacteristic of Microsoft, which has a long-standing, admirable reputation for keeping its nose out of employees’ personal lives, and supporting the right of every individual to choose.

    Elizabeth Gillespie at Associated Press reports that Steve Ballmer has (finally) backed down and agreed to throw Microsoft’s support behind bills that prevent discrimination based on sexual orientation. You can see the full text of his message to the troops here.

    Microsoft employee, certified genius, and all-around good guy Robert Scoble says, “From my position, I’m elated. I hope that this lets us all move forward and heal some pretty deep rifts that were exposed.”

    I found it a bit, uh, interesting that Scoble first heard about Ballmer’s changed position from Wagged, the ‘Softie PR agency.

  • Bad Advice from CNN

    The latest Sober virus outbreak has triggered a torrent of old, hackneyed, and dangerously erroneous advice from many corners, including this piece of drivel from CNN:

    Computer users should never open e-mail attachments from unknown parties; they should update anti-virus, anti-spam and anti-spyware software on a regular basis, or invest in a program that automatically updates and installs those security programs when new threats are identified.

    If you’ve read any of my books, you know that’s bad advice.

    First, you should never open e-mail attachments from anyone, particularly from people you know. You should always write to the person who sent you the attachment and confirm that they meant to send you the attachment. Then you should save and scan the attachment before opening it. Sober-N sends out copies of itself to email addresses found on the infected PC, so infected messages may well appear to come from someone you know. The fact that a message came from an “unknown party” – or your sainted Aunt – makes not one whit of difference.

    Second, there’s no need to “invest in a program that automatically updates… when new threats are identified.” You can get all the protection you need from AVG Free, which is free for personal use. AVG Free updates itself, just like the expensive packages, and (in my experience anyway) it is neither better nor worse than all the others.
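    The point in the first item above, that the sender address tells you nothing because a mass-mailer like Sober-N forges it from harvested contacts, is easy to show in code. The following is an added example, not code from the original post or from any antivirus vendor: it parses a message, ignores the From: header when deciding what to do, and quarantines any attachment that is a Windows executable (or a zip wrapping one, or anything with a double extension), even when the sender is in the address book. The message, the address book and the list of executable suffixes are all constructed for this example.

```python
"""Attachment triage that deliberately ignores the From: header.

Added example (not from the original post). Sober-style worms forge
From: from addresses harvested on the infected PC, so the verdict here
is based only on the attachment's name and bytes. The sample message,
address book and suffix list below are constructed for this example.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click (non-exhaustive; an assumption
# for this example). Every dotted suffix is checked, so "photo.jpg.pif"
# and "photo.jpg              .pif" are both caught.
EXECUTABLE_SUFFIXES = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}


def risky_name(filename: str) -> bool:
    """True if any suffix of the name (spaces removed) is executable."""
    parts = filename.strip().lower().replace(" ", "").split(".")
    return any(p in EXECUTABLE_SUFFIXES for p in parts[1:])


def risky_bytes(data: bytes) -> bool:
    """True for a Windows PE image, or a zip containing one."""
    if data.startswith(b"MZ"):
        return True
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if risky_name(info.filename) or zf.read(info).startswith(b"MZ"):
                        return True
        except zipfile.BadZipFile:
            return True  # malformed archive: treat as hostile
    return False


def triage(raw: bytes, address_book: set) -> list:
    """One verdict per attachment. The sender is recorded for the report
    but never consulted for the quarantine decision."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    known = any(addr in sender for addr in address_book)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        verdicts.append({
            "filename": name,
            "sender_in_address_book": known,
            "quarantine": risky_name(name) or risky_bytes(data),
        })
    return verdicts


def build_sample() -> bytes:
    """Constructed Sober-style message: From: forged as a known contact,
    zip attachment wrapping a double-extension PE stub."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as zf:
        zf.writestr("mail_info.txt.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "Aunt Mildred <mildred@example.com>"  # constructed
    msg["To"] = "victim@example.com"
    msg["Subject"] = "your new password"
    msg.set_content("see attached")
    msg.add_attachment(payload.getvalue(), maintype="application",
                       subtype="zip", filename="mail_info.zip")
    return msg.as_bytes()


ADDRESS_BOOK = {"mildred@example.com"}  # constructed

if __name__ == "__main__":
    for verdict in triage(build_sample(), ADDRESS_BOOK):
        print(verdict)
```

    Run it and the one attachment comes back with sender_in_address_book True and quarantine True: the sender check is reported only so the operator can see that it would have been fooled. The same idea is what the scanner does after you save the attachment to disk; the “write back and ask” step has to stay manual because the worm can answer mail too.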