Microsoft Re-Re-Releases IE Patch

Microsoft has recently released, for the third time, a patch for MS06-042. From the article:
According to Microsoft's security bulletin, the IE patch was updated September 12 to fix another remote code execution vulnerability in IE's handling of long URLs from Websites using HTTP 1.1 protocol and compression. That's almost identical to the problem introduced in the original version of the patch, then discovered by security researchers at eEye Digital Security.
This issue underscores the security issues that Microsoft continues to have. You have to continue to wonder if they can possibly live up to the promises they have made for Vista and IE7. While bugs and security issues are to be expected in software as complicated as what we're talking about here, a single issue having to be addressed 3 (and counting) times shows a lack of discipline. I'd guess they have their developers so focused on getting Windows Vista out the door that the MSRC probably isn't getting the resources it needs to do things properly. Judging by the many unreleased vulnerabilities in the queue, including 5 with a Severity of “High”, things don't look like they're going to get any better any time soon.
–jeremy

Microsoft Releases New "Open Specifications Promise" on 35 Web Services Specifications

From a post at consortiuminfo.org:
Microsoft has just posted the text of a new patent “promise not to assert ” at its Website, and pledges that it will honor that promise with respect to 35 listed Web Services standards. The promise is similar in most substantive respects to the covenant not to assert patents that it issued last year with respect to its Office 2003 XML Reference Schema, with two important improvements intended to make it more clearly compatible with open source licensing. Those changes are to clarify that the promise not to assert any relevant patents extends to everyone in the distribution chain of a product, from the original vendor through to the end user, and to clarify that the promise covers a partial as well as a full implementation of a standard.
The “promise not to assert” is basically an irrevocable promise by Microsoft that someone that implements one of the covered standards will not be sued for doing so. It's interesting (and I think encouraging) to see that this promise was updated to specifically include wording intended to make it more clearly compatible with open source. That's something we haven't often seen from Microsoft in the past. It should be noted that the “Microsoft Open Specification Promise” page includes testimonials from both Red Hat and Larry Rosen. I'd say this is another step in the relationship between Open Source and proprietary companies that I've been commenting on with increasing regularity. It's just a toe dip for Microsoft, but I'm sure they see the money that IBM and Oracle are bringing in based on Open Source and Open Standards and they don't want to be without a piece of the pie. Surely they are still figuring out internally how to balance that with the nature of their two cash cows and it will be something to watch as it unfolds moving forward. If this is a topic you are interested in, I'd recommend you read the full consortiuminfo analysis as it's quite in depth.
–jeremy

Quickest Patch Ever

As was guessed in the original article, Microsoft was able to patch the issue quite quickly. In fact, quicker than most security fixes. From the article:
If you really want to see Microsoft scramble to patch a hole in its software, don't look to vulnerabilities that impact countless Internet Explorer users or give intruders control of thousands of Windows machines. Just crack Redmond's DRM.
Now to be fair, this wasn't a full patch in the traditional sense, just an update of the DRM (which is more akin to a configuration change than a code change). But, the speed with which this was rolled out still underscores where the Microsoft priorities are. With the Zune poised to go, I'm sure they didn't want the RIAA thinking their DRM was bogus. Just goes to show that Microsoft really doesn't consider the average user the customer. Their customer is Dell/HP/etc. As long as this is the case, it just won't be in their perceived interest to help you. As you may have suspected, the patched version has already been compromised.
–jeremy

Ex-Microsoft Security Strategist Joins Mozilla

You read that right. Mozilla has announced that “Window Snyder is joining Mozilla to lead the company's effort to protect its range of desktop applications from malicious hacker attacks.” As you may have guessed, many people are having a field day with this one. Comments like “Microsoft has a security team?” and “There goes the neighborhood” abound. The reality is that Window has gotten nothing but praise from every respected security professional I've seen comment. If she's good enough for the likes of Fyodor, that says a lot. As Firefox continues to gain market share, it's clear it'll become more and more of a target. It's great to see Mozilla being proactive and putting someone in place who can help construct a long term security plan. A small correction to many of the articles I've seen – she didn't come directly from Microsoft, but from Matasano Security where she was a principal and founder (she also worked for @stake before it was acquired by Symantec).
–jeremy

Google Apps for Your Domain

Today Google released Google Apps for Your Domain. From the release page:
Now you can offer private-labeled email, IM and calendar tools to all of your users for free*, so they can share ideas and get things done more effectively. You can design and publish your organization's website, too. It's all hosted by Google, so there's no hardware or software for you to install or maintain.
Basically, it's Gmail + Google Talk + Google Calendar + Google Pages hosted at Google, using your own domain. Why most articles I see are calling it an “Office Suite”, when it lacks a word processor, a spreadsheet and a presentation program, is beyond me. It seems people really want to see Google vs. Microsoft, to the point that they'll pretty much make it up if they have to. The program is ad supported now, but in the future you'll be able to pay to remove the ads. Having just made it clear I don't consider this an office suite in any way, it would not at all surprise me to see Google roll their online word processor and spreadsheet into this in the future. In fact, I'd be surprised if they didn't. I'd guess they're just waiting until the two are a little more polished. Even then though, this won't be a direct Microsoft Office replacement. It serves a much different audience and comes with much different advantages. The real power in this will be in the collaboration. It's a real pain for small offices to share extremely simple spreadsheets. That's where a product like this could excel (ok, that one was bad…I'll admit). Before this could even be in any way potentially considered an “Office-killer”, Google would have to offer a version you could host yourself, and that's not something I've seen any indication of yet. This is something that I think is going to take a while to play out. The world isn't quite ready for a mainstream online office suite yet, and the products aren't quite where they need to be. Given some time and additional technology though, this could be a space that is extremely compelling in the next 18 months or so. Being able to collaboratively edit a document from anywhere in the world, from any OS (including your mobile phone) is one of those paradigm-changing events that will cause major disruption. When a company can put that technology behind their firewall and allow access via VPN…that's when we'll see enterprise adoption.
My guess is that it will be Google and/or IBM that realizes this goal first.
–jeremy

FairUse4WM strips Windows Media DRM

It was just a matter of time before something like this happened. Interestingly, engadget has written An Open Letter to Microsoft – Why you shouldn't kill FairUse4WM, but I wouldn't be surprised if this one gets fixed before the next Patch Tuesday hits. Regular readers will know that I am not 100% anti-DRM. But I am anti-DRM when it's used in ways that work against consumers, which unfortunately these days is most of the time. The greed and hubris of most media companies these days is simply appalling. They'd prefer that you'd have purchased the very same song via LP, then tape, then CD, then PSP and then digitally. The best part is, for the last one…you don't even own it. You're just borrowing it, and in most cases the cost is more than you purchased it for previously. Their costs are shrinking by leaps and bounds, yet they want to pass none of that along. What's worse, if you use an OS such as Linux then you can't even legitimately purchase songs via most services in the first place. It's as if they want to drive people to P2P networks so they have an excuse for failing, and fail they will if they keep up the current trends. They are learning the same lesson that Microsoft is just starting to learn – if you squeeze the customers who are legitimately trying to play by the rules to the point that they feel you're being predatory, in the end they will find a way to leave. It may take a long time for a viable alternative to come in the case of monopolies, but it is inevitable. It's not that complicated. Give me a music service that doesn't have absurd TOS and arbitrary limitations and I will happily send you my money. Not only that, I will tell everyone else to do the same. If you can find a way to do DRM that does not limit my legitimate use in any way but prevents mass distribution, I could care less, to be honest. I don't want to steal…I just don't want to feel like you're stealing from me.
–jeremy

Microsoft patch opens users to attack

Microsoft has spent a lot of time and effort trying to improve their security image. Part of that was gaining mindshare among admins, so that patches would be trusted and deployed in an expeditious manner. It seemed that the Microsoft vision went as far as to wish that everyone would simply enable automatic updates. Obviously, for a variety of reasons, that simply hasn't been the case. Recently, Microsoft has been taking some heat for machines rebooting despite automatic updates being off. Yes, someone actually sent Bill Gates an invoice because of it, and the media and blogosphere have been having a field day with it. In the midst of it though, Microsoft released a patch that fixes about eight issues, but also actually opened a completely new vulnerability. It also causes IE to crash for a variety of business-critical apps, such as PeopleSoft, Siebel, and Sage CRM, and any site that uses HTTP 1.1 compression. What's exacerbating an already bad situation is that the proposed fix has now missed its target release and is currently delayed indefinitely. When you have someone at a large security firm saying things like “They basically butchered that patch.”, it doesn't inspire a lot of confidence. These incidents will almost certainly undo much of the work that Microsoft has done on the “improving its security image” front, and they make you wonder just how much they'll be able to deliver on the promises made for Vista. The fact that part of the issue still seems procedural and not technical doesn't bode well.
–jeremy

Niall Kennedy is Leaving Microsoft

That didn't take long. Niall Kennedy, who was seen as an ad hoc blogger evangelist replacement for Scoble at Microsoft, is already leaving. From his post:
The stock plummeted on the announcement Microsoft did not have its costs under control. Microsoft's market cap lost close to $59 billion in the six weeks after I joined and second quarter financials were released, more than the GDP of Ecuador and over half the market cap of Google. What do you do when the market responds to your 6 month-old online services strategy by reducing your valuation by 1.5 Yahoos? Windows Live is under some heavy change, reorganization, pullback, and general paralysis and unfortunately my ability to perform, hire, and execute was completely frozen as well.
Looks like Microsoft may be taking the short-sighted approach and letting the Street dictate a bit too much. Microsoft, in a bit of irony if you ask me, is in the middle of what Clayton Christensen calls the Innovator's Dilemma. A disruptive technology is upon us, but the sustaining technology for Microsoft (in the form of Windows and Office) is just too much of a cash cow. They can't move away too fast, lest they lose too much of their incoming cash, but at the same time they face a very real possibility of being left behind. Add to that attempting to placate Wall Street and you have one snarky situation on your hands. Now, Microsoft has a ton of cash to help them in this, but at the rate they are going to have to spend, that cash could go away faster than one might think. Now, I'm not one of those Open Source fanatics that will claim Microsoft will be irrelevant this time next year. They'll be relevant for a long time to come. But there is a strong possibility that a major snafu now will mark the beginning of the end. Keep in mind though, the “end” won't be a company that goes out of business, but one that looks like the railroads or Xerox does today. I continue to wonder how history will look back on Ballmer.
–jeremy

Ellison Talks Up Red Hat Linux

It seems the rumors that Oracle may offer Red Hat support are intensifying. One thing that seems to be slightly misunderstood by the MSM is that Oracle can't simply redistribute RHEL. What they could do is offer a RHEL-compatible version of Linux, as CentOS does, that is completely devoid of the Red Hat name and any associated logos. This would be a fairly inexpensive thing for Oracle to do, and to be honest it doesn't have a lot of downside to it. Ellison would get the entire stack that he seems to desperately want, and customers would get a single neck to choke, which they love. As I mentioned in my previous post on this topic though, I don't necessarily think this would be a bad thing for Red Hat. It would serve to further solidify Linux as the platform of choice for Oracle and really serve to further validate Linux as a server platform in general (not that it's even needed any more at this point). While RHAT may lose some support contracts to ORCL in the short run, the mind share that Linux would gain would almost certainly benefit Red Hat in the mid and long term. Now, if I were Microsoft or Sun, this would worry me much more. They have the most to lose.
–jeremy

Ballmer Analyzes Microsoft's 'One Big' Vista Mistake

This <a href="http://www.crn.com/sections/breakingnews/dailyarchives.jhtml;jsessionid=ZEQ0I0LMYJC1MQSNDLPCKHSCJUNN2JVN?articleId=191600739">CRN article</a> covers a recent meeting Steve Ballmer had with industry financial analysts. From the article we get such Ballmer quotes as:

“We made an upfront decision that was, I'll say, incredibly strategic and brilliant and wise — and was not implementable,” Ballmer said.
“We've been fortunate. There is nothing that we have undertaken — with a couple of exceptions like Microsoft Bob that I'll cop to in advance — where we have decided that we have not succeeded and let's stop,” Ballmer said. “We've either succeeded, or we're still telling you we're going to succeed.”

I don't understand either quote. I'd not call any decision that is, by the company CEO's own admission, “not implementable” strategic, brilliant or wise. If I were a Microsoft employee, I'd be a little worried by that comment. In the end, it seems they may have finally learned a lesson that Joel posted about way back in 2000. It's easy to say hindsight is 20/20, but I guess sometimes foresight can be also. The second quote is equally odd. Multiple things Microsoft has tried have failed miserably, and in fact he points out one of the most egregious examples himself…in the middle of saying nothing hasn't succeeded. I guess one shouldn't be surprised that Microsoft's stock has stagnated during much of Ballmer's tenure. Still no news on whether he'll follow Bill and step down.
–jeremy