Announcement for MSDN Community Distribution Program
We are pleased for becoming one of official Microsoft MSDN Community Distribution Agents in Egypt. You can now get a bimonthly CD for latest MSDN tools, reviews and libraries to help your development platform up-to-date, robust and more relible.
If you're from Egypt, Contact us NOW! for full details.
Dist. Agent: | Ahmed Mahdy |
Mobile Phone: | 002-010-333-6269 |
E-mail address: | ahmhdy@msn.com |
Word 2007 Not Bitten by Bugs
Microsoft says a preliminary investigation into reports of vulnerabilities in its Office 2007 suite has produced no evidence of a threat to users.
Reports of new security holes in MS Office have been made public on known exploit sites, including information about four bugs posted on one site. Microsoft has not released specific information about the vulnerabilities, citing potential risk to users. "Microsoft's initial investigation has found that none of these claims demonstrate any vulnerability in Word 2007 or any Office 2007 products," a company spokesperson said April 11. "Our investigation into the possible impact of these claims on other versions of Microsoft Office is continuing." The reported flaws were uncovered by Mati Aharoni of Offensive-Security.com, in Israel. He said he was not searching for vulnerabilities in Word, but stumbled upon them while developing Offensive-Security.com course materials. "I ran a character substitution script on several Windows file formats and was left dazed by the results," he said. "The vulnerabilities I released to the public were the least dangerous of my findings—most resulted in DOS only—actually getting code to execute via these bugs is highly improbable."
Manage Windows Vista Application Compatibility
Migrating to Vista means big changes in application support. Will your applications work in Vista? Here are some strategies and tools to mitigate the impact of moving to the new OS.
As of the end of March, 2007, 129 applications were certified or designed for Windows Vista, and 922 applications worked or were compatible with Windows Vista. Think that's a lot? Well, it does add up to over 1,000 applications you can run on Windows Vista with few, if any, issues. But, given that there are tens of thousands of applications designed for Windows, this first thousand is just a drop in the bucket.
Making existing applications work for Vista is a big job. Microsoft is keeping track of each application that passes its bar and is providing weekly updates through its Knowledge Base. But this obviously doesn't suit everyone.
Take, for example, the National Institute of Standards and Technology (NIST), part of the Department of Commerce, which has decided to ban Windows Vista -- for now -- from its internal computing networks. Or the U.S. Department of Transportation and the Federal Aviation Administration, both of which have also decided to impose a temporary blackout on Windows Vista.
Besides grabbing attention, such a ban puts a focus on Vista's support of current and legacy applications. Vista contains a series of changes in the way it supports applications (after all, Microsoft performed a rewrite of all the Windows code for Vista). In some cases, these changes are system-wide -- in others they affect specific areas of application operation. In both cases, they can break applications.
Luckily, there are a number of solutions as well:
Problem: The version number for Windows has changed -- Vista is number 6. While this occurs each time a new version of Windows is released, it will affect applications because some apps check version numbers at installation, others during operation, and yet others during both installation and operation.
Solution: Installation logic is easy to modify if you have the right tools. Software packaging tools such as Altiris Wise Package Studio and Macrovision AdminStudio let you edit version numbers both in standalone installations and in installations which are integrated with the Windows Installer service. Changing the version numbers when an application is running is more difficult because you would normally need to modify the application's code, but you can also run the application in one of the many compatible modes Vista supports.
Problem: The 64-bit or x64 versions of Windows Vista don't support 16-bit code. In fact, while x64 editions of Windows support 32-bit applications as well as native 64-bit applications, they no longer support any 16-bit code at all.
Solution: Several 32-bit applications still rely on 16-bit installers; in these cases, x64 editions of Windows XP, Windows Server 2003, and Vista will automatically convert these installers to their 32-bit equivalents during installation.
(If an application is designed as a true 32-bit application, it will work well on x64 Vista and in many cases, work even better than on x86 or 32-bit editions of Windows. That's because Vista x64 breaks the 4GB memory limitation x86 systems face and grants more resources in general to applications.)
However, 16-bit applications will not install at all on x64 versions of Windows.
Vista beta testers face looming OS expiration
Microsoft Corp. has begun reminding millions of testers of Windows Vista's beta and release candidate (RC) previews that their trial runs end on June 1.
Cori Hartje, director of Microsoft's antipiracy efforts, became the first company executive to note the impending deadline. "As a reminder to those that helped with Windows Vista beta testing, the beta installations are set to expire at the end of May 2007," said Hartje in a Q&A that Microsoft posted March 30 on its public relations Web site. "So customers need to decide if they want to move to Windows Vista or back to Windows XP if they have test versions of Windows Vista on their PCs."
Details on how best to do that, however, are scant. Despite repeated requests to clarify the exact procedure beta and RC users need to take -- and whether Microsoft will provide either guidance or offer a discount to testers -- the company declined to spell out its plans.
What information the company has published is on last year's Customer Preview Program (CPP) site, which points to the June 1 expiration date and explains that once installed, the Vista previews don't allow for operating system rollbacks. "You cannot roll back to the previous operating system installation -- you will either have to acquire and install the final released edition of Windows Vista or reinstall a previous edition of Windows," the site reads.
Some hints, however, can be found on Microsoft's Vista support forums:
- Only a full version of Vista does the upgrade from Beta/RC to final. Multiple threads on the Vista forums note that it's not possible to do an in-place upgrade from Vista Beta or RC using a final, retail upgrade version of the operating system.
"You can't use an Upgrade edition to move from Beta/RC to final. Has to be a Full version," said a user identified as Richard Harper. That means Beta/RC users can't take advantage of the lower-priced upgrade Vista stock-keeping units (SKU) to retain their Vista settings and installed applications when migrating to the real deal. The price difference on Vista Ultimate is dramatic: $259 list for the upgrade edition, $399 for the full version. And that's important because ...
- $399 buys you in-place upgrade. If testers wondered why Microsoft gave them the most powerful, and expensive, Vista last year, this may be a clue: To do an in-place upgrade from a Vista preview to the final code requires not only a full edition, but a full edition of Ultimate.
"Just as in all past [Microsoft operating systems], downgrading isn't supported," said Dave B. Another user, Chad Harris, was more specific. "It has to be a Full version of Ultimate ... any other version (Home Premium, Business) is considered a downgrade to Ultimate and is not allowable."
- Revert to resume. To take advantage of lower-priced upgrade editions of Vista, or to move from the Beta/RC Ultimate SKU to a less-featured version, like Home Premium, testers must reinstall an earlier operating system -- likely Windows XP -- before upgrading from that to Vista final.
"So if I return my laptop to XP, then if I bought the upgrade version of Vista, it should work right?" asked NoSpinVette. Rick Rogers answered with a simple "Yes indeed." The reinstallation of XP, of course, deletes all data on the boot hard drive and so requires testers to backup data files and reinstall applications on the Vista-powered PC after the upgrade is completed.
Those hassles didn't sit well with some dedicated beta testers. "Do you mean to say that because I installed Vista RC2 over XP, I screwed myself out of upgrade pricing? If so, seems like MS is punishing beta testers," said a user labeled as "tom."
Others, however, brooked no whining. "You should've known better than to install a beta over your primary operating system/primary computer. Microsoft warned users not to do that," responded another poster identified as Michael.
The migration issue isn't trivial, if only because of the numbers involved. At one point in 2006, Microsoft boasted that 1.5 million users had downloaded Vista RC1 and said it expected an additional 1.5 million to download RC2
Windows XP to be phased out by year’s end
Computer makers have been told they'll no longer be able to get Windows XP OEM by the end of this year, despite consumer resistance to Vista and its compatibility problems.
By early 2008, Microsoft's contracts with computer makers will require companies to only sell Vista-loaded machines. "The OEM version of XP Professional goes next January," said Frank Luburic, senior ThinkPad product manager for Lenovo. "At that point, they'll have no choice."
Despite Microsoft's relentless promotion of Vista, manufacturers are still seeing plenty of demand from customers for systems preloaded with XP, especially in the finicky SOHO market.
In a recent post on its Direct2Dell blog, Dell reaffirmed to concerned customers that it wasn't about to force small business users -- who typically purchase PCs piecemeal, rather than in large enterprise-style orders -- to shift to Vista, which has experienced a less-than-stellar reaction from many buyers because of driver issues and moderately beefy hardware requirements.
"Dell recognizes the needs of small business customers and understands that more time is needed to transition to a new operating system," the post read in part. "The plan is to continue offering Windows XP on select Dimension and Inspiron systems until later this [northern] summer."
"From a local perspective, the post was a reminder more than an announcement," Dell ANZ corporate communications manager Paul McKeon told APC.
"This was something we'd always planned during the transition phase since businesses will have different time frames to adopt the new OS. If you're a consumer, you're unlikely to be managing more than say 2.4 OS images at home, so it's less of an issue"
There's general agreement amongst PC resellers that Vista has provided a minor boost to PC sales, but hasn't produced blockbuster numbers. A similar story applies in the retail space. Figures from marketing consultancy GfK suggest that after an initial sales surge, around 1500 copies of Vista are now being sold through Australian retailers each week, according to a recent report in the AFR.
While Dell's post suggested it wouldn't be promoting Vista systems to the home market, manufacturers still have the option of selling XP-based systems for consumers this year.
Microsoft patches Vista bug that snuck through beta test
All together it offered fixes for eight different vulnerabilities.
Microsoft Corp. today unveiled the second stage of its April security updates by releasing five security bulletins that patched eight vulnerabilities -- including one that was missed during the company's Windows Vista beta testing and ended up in the final version of the new operating system.
Of the four updates that addressed bugs in Windows, the MS07-021 update was clearly the one to patch pronto, said researchers. "This is my first [to patch] choice," said Amol Sarwate, manager of Qualys Inc.'s research lab.
"It affects everyone," agreed Minoo Hamilton, senior security researcher with patch management vendor nCircle Network Security Inc.
The update, which fixes three different bugs, includes one marked critical that affects all supported editions of Windows, from 2000 through XP and Server 2003 to Vista. The vulnerability in the error message processing of the Windows Client/Server Run-time Subsystem (CSRSS) can be exploited remotely, said Microsoft, and could result in a complete compromise of the PC.
The most likely way to deliver an attack: Dupe users into visiting a malicious Web site.
Ironically, this MsgBox flaw was acknowledged by Microsoft more than three months ago and was reported to the company's security team about the same time as the animated cursor (ANI) bug patched by an emergency fix last week.
"Number one, it affects earlier operating systems as well as Vista, so it's similar to the ANI vulnerability in that it's likely Microsoft reused [older] code in Vista," said Sarwate. "Two, it's a zero-day; it was out there [publicly] before today. Three, it has a Web-based attack scenario. And fourth, last but not least, it affects both clients and servers and is a core component of the operating system."
Hamilton concurred, especially on the reused code and the similarity with ANI. "It confirms a lot that we discussed about the ANI bug and the type of vulnerabilities Vista will likely have," he said. "The file handing- and process- and local privilege escalation-type vulnerabilities will be what attackers focus on with Vista."
But Hamilton also cast back to 2006, when Vista was still in beta testing. "This vulnerability was in the betas, so it escaped from the beta all the way to now."
The federal government's National Vulnerability Database confirmed Hamilton's charge. In a vulnerability summary first posted Dec. 21, 2006, a day before Microsoft acknowledged the bug, it listed Vista Beta 1 and Vista Beta 2 as affected. Of the remaining four updates, Sarwate and Hamilton split on pegging the next-most-dangerous bugs. Sarwate called out MS07-018 and MS07-019, both ranked critical by Microsoft; Hamilton, meanwhile, picked MS07-020 as the second-most-important update he recommended users deploy.
"MS07-019 is potentially wormable," said Sarwate, because a hacker can actively send packets to two listening ports and there's no user interaction required." Hamilton's choice, MS07-020, is rated critical on both Windows 2000 and Windows XP SP2, which account for the bulk of Windows clients.
"The one bright spot," said Hamilton, "is that MS07-020 shows us a trend. Take a look at the 'Mitigating factors' in the bulletin. It shows a progressive locking down of the operating system from Windows XP SP2 to Windows Server 2003 to Windows Vista.
"But then you turn around, and there's MS07-021, and you see Vista breaking out of those protections."
Office zero-day bugs spoil Patch Tuesday
A trio of what appear to be new, yet-to-be-patched flaws in Microsoft Office has surfaced, according to security researchers at McAfee.
The vulnerabilities were reported in online security forums on Monday, according to a posting on the McAfee Avert Labs blog on Tuesday. All but one of the flaws results in denial of service, meaning the application would crash, according to the blog post.
"There is one heap-overflow flaw that might be exploited for code execution," Karthik Raman, a McAfee researcher wrote on the blog on Tuesday. Typically such flaws are exploited by tricking a targeted victim into opening a rigged Office document.
Microsoft is investigating the bug reports as well, a company representative said in an e-mailed statement. The initial investigation has found that none of these zero-day claims demonstrates any vulnerability in the products of Office 2007, the latest version of Office, the representative said. Also, Microsoft is not aware of any attacks that exploit any of the issues at this time, he said.
In addition to the Office bugs, a zero-day vulnerability has been reported in Windows. Sample code that exploits a flaw in the way Windows handles help system files has been posted to the Internet.
"This is another heap-overflow flaw that might be exploited for code execution," McAfee's Raman wrote in an update to the Avert Labs blog late Tuesday.
Microsoft said it is aware of the issue. "Microsoft has listed .hlp files as unsafe file types and recommends customers exercise the same cautions with .hlp as .exe, as both file types are executable," it said. An attacker would have to use rigged .hlp files to exploit the flaw, according to Microsoft.
Word of the flaws comes on the day that Microsoft issued five security bulletins as part of its monthly patch cycle. The company is still dealing with the aftermath of an emergency patch released last week.
"This is yet another time that zero-day flaws have been published around a Patch Tuesday, possibly to maximize the exposure to these flaws until the next month’s Patch Tuesday," Raman wrote.
Cybercrooks have found that they can take advantage of Microsoft's security update cycle by timing new attacks right before or just after Patch Tuesday--the second Tuesday of each month when the software maker releases its fixes. Some security watchers have coined the term "zero-day Wednesday" to describe that strategy.
McAfee is still investigating the security vulnerabilities. They may not actually all be new, said Dave Marcus, security research and communications manager at the Santa Clara, Calif.-based security firm. "Sometimes what people claim to be zero-days may in fact be related to something that's already known," he said.
Should the three Office bugs be new, the tally of zero-day vulnerabilities in the productivity suite waiting for a fix would jump to five. Microsoft did not deliver any patches for Office on Tuesday, despite two vulnerabilities in the software that have been previously disclosed, according to eEye Security's zero-day flaw tracker.
Researchers question Vista security after ANI exploit
Microsoft Corp.'s failure to spot the animated cursor bug in Windows Vista is, at best, a flag to hackers that old flaws may abound in the new operating system, researchers said today. At worst, it's a disconcerting sign that Vista's security-oriented development process slipped up.
This week, Microsoft issued an out-of-cycle fix for a vulnerability that's been exploited since at least March 28 by hackers armed with malicious .ani files. Every supported version of Windows contained the bug, including Vista.
The fact that Vista was affected rang alarm bells with security researchers, who recalled that an update more than two years ago addressed the same section of Windows code. That bug, fixed by the MS05-002 patch, also involved animated cursors and icon files, and updated the User32.dll file. That file was also replaced in this week's MS07-017 update.
Earlier this week, Mark Miller, director of the Microsoft Security Response Center, acknowledged that the failure to spot the new ANI bug when developers reviewed the vulnerable code in 2005 was a breakdown. "We're doing an analysis of why we didn't find it then," Miller said.
Security researchers weren't so kind.
"You have to take some points away from Microsoft for not catching this," said Amol Sarwate, manager of Qualys Inc. "The No. 1 step before trying to find new vulnerabilities in [something like Vista] is to test older ones, or exploit variants against older vulnerabilities."
Oliver Friedrichs, director of Symantec Corp.'s security response team, agreed. "Given the investment it's made and SDL [Microsoft's Security Development Lifecycle], we would have hoped Microsoft had found this then," said Friedrichs. "I'd call it 'somewhat of a failure,' because frankly, these vulnerabilities are very, very difficult to find. Vulnerability research is more of an art, less of a science."
Microsoft hasn't made it a secret that it recycled old code when creating Windows Vista.
The head of the company's security research lab defended the time spent investigating, developing and testing the fix. "Engineering a patch is a long, complex process," said Mark Miller, director of the Microsoft Security Response Center (MSRC). "We look at surrounding areas of code for similar vulnerabilities and, from our internal investigation, address as many as we can find."
Microsoft was alerted to the ANI file bug Dec. 20 by Alexander Sotirov, a vulnerability researcher at Determina Inc. in Redwood City, Calif. By mid-March, when Microsoft skipped its usual second-Tuesday-of-the-month updates, the investigation had been completed and a patch created, said Miller. "But it was still undergoing testing," he said, explaining why the patch wasn't released then.
On March 28, McAfee Inc. notified the MSRC that it had spotted attacks exploiting the cursor flaw. Within five days, as attackers ramped up use of the exploit to include hundreds of malicious Web sites, Microsoft promised to release a patch a week ahead of its designated monthly release date, April 10.
Miller, as have other Microsoft security officials, said that the patch could be released early because it was already on the April schedule. "We had an opportunity, and by pulling in the window by a week, it was very doable," he said.
He rejected the idea that Microsoft rushed to release the fix only when exploits appeared and publicity mounted.
"The number of people working on it doesn't change [when exploits are active], but the 24/7, around-the-globe effort does," said Miller. "When McAfee notified us, we ramped up our SSIRP [software security incident response process] to track the attacks and see what level of activity there was."
Determina's Sotirov, who found the flaw while auditing other code in the same User32.dll that contained the ANI bug, refused to criticize Microsoft for the time it needed to create a fix. "If you look at the average time it takes them, this vulnerability is not an exception," he said. "In fact, it's pretty standard."
By one metric, the numbers credit Microsoft. According to Symantec Corp.'s analysis (download PDF) of patched vulnerabilities in the second half of 2006, Microsoft took an average of 21 days between the public disclosure of a vulnerability -- code posted or mention made on a security mailing list such as Full Disclosure or Bugtraq -- and patch release. The ANI vulnerability, obviously a closely guarded secret on the part of hackers, didn't "go public" until March 28, making for a window of only six days.
But the fact that Sotirov, not a Microsoft employee, found the ANI vulnerability speaks ill of the company's emphasis on security and its claims of code review. Several analysts and researchers, for instance, have noted the similarity between today's flaw and one patched in January 2005. That bug, fixed by the MS05-002 update, also involved animated cursors and was reported to Microsoft by researchers from eEye Digital Security 57 days before the patch was issued.
If, as Miller said, Microsoft uses at least some time of the patch development process looking for similar vulnerabilities in the affected code, why wasn't the 2007 animated cursor flaw found in 2005? "We're doing an analysis of why we didn't find it then," said Miller.
Microsoft Posts Tools for Windows Home Server
Microsoft last week released a beta of documentation for a free software development kit (SDK) that helps developers build applications for its forthcoming Windows Home Server product.
The SDK documentation is available for download on the Microsoft Developer Network. It provides guidance on how developers can use the API and services in Windows along with the Visual Studio integrated development environment and Visual Studio C# tool to build new applications for Windows Home Server, which is currently in its second beta release.
Developers also must sign up and download the Windows Home Server beta on its Web site to use the SDK.
Typically, an SDK would also have libraries developers can use to build applications, but the developer libraries for Windows Home Server are available in the OS itself, said Charlie Kindel, general manager of Windows Home Server group at Microsoft.
He also said developing new applications for the product should be easy for developers because under the covers it is essentially the Windows client OS, except with tweaks aimed at specific functions. Those include features that help home users set up a network for several home PCs; store data and files from those PCs centrally; set up a security hub for the PCs; and allow users to access content from their PCs even when they are away from home.
Microsoft unveiled Windows Home Server, formerly known by the code name Quattro, at the Consumer Electronics Show in Las Vegas in January, and it is the first Microsoft server OS aimed specifically for home use. At the time of its launch, Microsoft said it did not plan to sell the product out of the box; instead, it said the OS will be distributed through original equipment manufacturers (OEMs) only on hardware built specifically to run it.
On Thursday, however, Kindel, said there might be a change in that plan. He said Microsoft may sell Windows Home Server out of the box when it becomes available later this year, alongside new MediaSmart Servers from Hewlett-Packard Co. that will be the first hardware available with the new OS pre-installed.
"We got a lot of feedback [from testers] and we want to satisfy them, so we are investigating whether [selling it separately] might be an option," he said.
Kindel said applications developers might build using the Windows Home Server SDK include those for system protection, media sharing, home security and home automation. Microsoft will continue to update the SDK beta as more information and APIs become available.
Microsoft to patch animated cursor bug early
Microsoft Corp. will patch the increasingly dangerous Windows animated cursor vulnerability tomorrow, a week early, a spokesman of the company's security team said yesterday.
"Microsoft originally planned to release the update on Tuesday, April 10, as part of its regular monthly release of security bulletins," the spokesman said in an e-mail. "However, Microsoft is aware of the existence of a public attack utilizing the vulnerability, [and] since testing has been completed, Microsoft will release the update ahead of schedule to help protect customers."
The announcement followed a weekend of escalating warnings from security organizations and reports from China's Internet Security Response Team (CISRT) of a worm in the wild using the unpatched vulnerability. Symantec Corp. and other antivirus companies confirmed the existence of the Fubalca worm yesterday.
Over the weekend, a number of events showed the speed with which attackers were moving. First, exploit source code was publicly posted on a security mailing list, then McAfee Inc. said it had seen at least one spam run that linked to the exploit, and finally, Websense Inc. claimed that it had spotted more than 100 malicious sites spreading the exploit, a tenfold increase over the day before.
Microsoft's decision to push the patch out tomorrow may have come just in time. This weekend, Ken Dunham, director of VeriSign Inc.'s iDefense rapid-response team, said, "We are in the eye of the storm. Spam run-type attacks pose significant danger to enterprises as the workweek resumes. Popularization of the exploit is under way amongst multiple hackers, and it's trivial to use and modify.
"This is undoubtedly a serious issue that will persist for many months if not years, attacking vulnerable computers," said Dunham.
On Saturday, Microsoft's Security Response Center (MSRC) added Windows Server 2003 Service Pack 2 to the long list of Windows editions affected by the bug. Yesterday, Christopher Budd, an MSRC program manager, acknowledged that attacks leveraging the flaw had increased. "In light of these points and based on customer feedback, we have been working around the clock to test this update," Budd said on the MSRC blog.
The emergency fix, pegged as MS07-017, will be released through Microsoft's normal channels, including Automatic Updates, Windows Update and the enterprise-oriented Windows Server Update Services. MS07-017 will be only the third out-of-cycle patch from Microsoft in more than two years.
Microsoft patches Windows cursor vulnerability
Microsoft Corp. today patched the already-exploited Windows animated cursor vulnerability with a critical out-of-cycle security update that also fixed six other flaws.
The MS07-017 security bulletin, released a week ahead of the regularly scheduled April 10 patch date, fixes the ANI vulnerability that first surfaced last week when Microsoft acknowledged ongoing attacks. Since then, the bug has been tagged as "very dangerous" by security experts, has been distributed by hundreds of malicious Web sites and was the focus of multiple spam campaigns designed to dupe users into visiting criminal Web sites.
On Sunday, Microsoft promised it would push out an early patch.
Today's update is only the third since January 2005 to be posted outside the normal monthly schedule.
Microsoft based the early release decision on its own prognostications. "We have been monitoring the situation throughout and our indications, and those of our MSRA [Microsoft Security Response Alliance] partners, show there is a threat for attacks against this vulnerability to increase, although we haven't seen anything widespread," Christopher Budd, program manager at Microsoft Security Response Center (MSRC), said in a blog entry today.
The security bulletin rates the ANI bug as critical -- Microsoft's highest threat level in its four-step system -- across all supported editions of Windows: 2000, XP SP2, Windows Server 2003 and Vista. The vulnerability marks the first critical Vista bug disclosed and patched since the operating system's release Jan. 30, and the first flaw in Vista's own code.
Six other vulnerabilities were patched in the update; five were rated important -- one step below critical -- while the sixth was ranked even lower, as moderate. The half dozen fixes deal with a denial of service bug triggered by malicious Windows Metafile images; a vulnerability in Enhanced Metafile (EMF) image files that can elevate an attacker's privileges on a compromised computer; and a similar flaw in Windows' graphics-rendering engine. Six of the seven flaws fixed today allow hackers to hijack a PC.
Vista also is affected by the EMF vulnerability, said Microsoft, although it rated the threat as important, not critical.
Users can obtain the MS07-017 patches via Windows' Automatic Update, from the Microsoft Update service or through enterprise tools such as Windows Server Update Services (WSUS) and Software Update Services (SUS).
Even with the seven fixes issued today, Microsoft said its regularly scheduled updates next week will still take place. Limited information on those patches will be posted Thursday in an advance notice, as is the company's usual practice.
Microsoft to Fix Critical Vista Flaw Early
Microsoft confirmed Sunday that it would not wait until April's "Patch Tuesday" to release a fix correcting a critical flaw in Windows Animated Cursor Handling, which affects most supported versions of the company's operating systems. Instead, an update is coming Tuesday.
The exploit, which results in a crash-restart-crash loop, is triggered by a buffer overflow in an animated cursor file. A similar flaw was discovered in early 2005, but did not apparently affect Windows XP Service Pack 2. The new issue, discovered by McAfee's Avert labs does impact XP SP2 and Windows Vista, as well as Windows 2000 SP4 and Windows Server 2003.
Avert Labs' video of the incident, posted to YouTube, shows a Vista system wherein the test file apparently trying to load the custom animated cursor. When the operating system detects a crash, it first tries to save vital data prior to a restart sequence - one of Vista's newer features. It then informs the user that Windows Explorer has crashed.
But in trying to restart Explorer, the restarting crashes itself, sending Vista into a tailspin from which the only escape appears to be the off button.
Security research firm eEye released its own third-party "temporary fix" for the problem Friday, but Microsoft recommended strongly that users wait for an official patch.
"From our ongoing monitoring of the situation, we can say that over this weekend attacks against this vulnerability have increased somewhat. Additionally, we are aware of public disclosure of proof-of-concept code," Microsoft security researcher Christopher Budd wrote in a blog posting.
"In light of these points, and based on customer feedback, we have been working around the clock to test this update and are currently planning to release the security update that addresses this issue on Tuesday April 3, 2007."
Microsoft said it was notified of the flaw in December 2006, and has been working on a fix since. Coincidentally, the company claims the update was already scheduled for April 10, so moving it up one week is not that difficult of a task - a point ostensibly made to emphasize that customers should not expect similar turnaround on security patches in the future.
"Due to the increased risk to customers from these latest attacks, we were able to expedite our testing to ensure an update is ready for broad distribution sooner than April 10," Budd said, noting that, " it’s possible that we will find an issue that will force us to delay the release."
Blogger posts Windows Vista SP1 fixes on Web site
The owner of a blog dedicated to software patches has posted online more than 100 fixes he said are expected to be included in Windows Vista Service Pack 1 (SP1), Microsoft Corp.'s first major update to its latest Windows client operating system.
Ethan Allen, owner of The Hotfix blog and Web site, has posted a preview and information center for SP1, a site that includes many of the software patches Microsoft will include in the package, he said.
Allen, a software quality assurance manager at a company in Bellevue, Wash., said he received the fixes from someone close to Microsoft who has access to the technology.
Sources close to Microsoft confirmed Monday that it is currently testing SP1. However, the company itself officially has yet to announce a definite date for the software pack's release other than saying it will be out in the second half of 2007 close to the next release of Windows Server, code-named Longhorn. Microsoft also has been mum about specific details on what fixes will be included in the update.
According to Allen, SP1 will include device driver and software compatibility technology that many users had hoped would be available in the operating system from the start. Among them will be support for third-party USB and Firewire devices such as digital cameras, in particular products from Sony Corp. that have been having compatibility problems with Vista, Allen said.
Also, there will be patches to improve the TV playback and other media center capabilities in Vista, as well as to repair inconsistencies with the power management functions such as sleep and hibernation modes, he said.
What will be noticeably missing from the service pack, however, will be updates to Vista security, Allen said. "What's most surprising is there are hardly any security fixes at all," he said, adding that Vista is already more secure than any previous version of Windows.
A complete listing of patches that should be included in SP1 can be found on the Vista SP1 preview site, and Allen said he will be adding more as he gains access to them.
Microsoft typically releases service packs, or collections of software patches, for major software products within a year of a product's first full release to fix the software's initial glitches. Many products often have least two service packs, and Microsoft is expected to have a third service pack for Windows XP sometime this year.
Allen, a former Microsoft employee, has already posted on the Hotfix site patches that he expects will be a part of Windows XP SP3, although Microsoft has never confirmed that Allen's patches are valid.
Although the official word from Microsoft for Vista SP1's release date is the second half of 2007, Allen said he suspects the release will be timed closely with the busy holiday shopping season in November and December.
"I think what Microsoft is trying to do is patch this thing up so by Christmas time when everyone is starting to go out and buy their machines, Vista will be more compatible with applications and products out there," he said.
Vista originally was supposed to be available during the 2006 holiday buying season, but Microsoft had to push up the release until Jan. 30, 2007.
Microsoft Offers New Vista Enterprise Licenses
Microsoft Corp. is offering two new licensing options for Windows Vista enterprise customers that want to take advantage of emerging scenarios for large data centers.
The first gives enterprise users the ability to run the Windows Vista Enterprise client on a diskless computer, said Scott Woodgate, director in the Microsoft Windows product group. The second option, called the Vista Enterprise Centralized Desktop, for the first time lets users run a client version of Windows on servers in a data center so the OS can run locally via virtual machines.
A diskless PC has no hard drive; instead, the hard drive is stored on the network and an image of the OS is streamed from there into the memory and CPU of the computer, Woodgate said.
Companies interested in protecting sensitive data, such as financial services companies and government customers, have expressed interest in running Vista on diskless PCs for security reasons. However, it is an emerging scenario for data centers, and so for now will only affect a small number of customers, he said. "The target audience is for early adopters," Woodgate said.
To run Windows Vista Enterprise on diskless PCs, customers must use third-party diskless boot software from companies such as Citrix Systems Inc. and other Microsoft partners. This software enables the PC to find a copy of Windows on the network and to stream that software back onto the local machine, Woodgate said.
Vista Enterprise Centralized Desktop allows customers to take Windows Vista Enterprise client software and install it on a virtual machine on a server so it can be accessed from a thin or rich client. This licensing scenario is also the first time customers will be able to run Windows client software on servers, Woodgate said.
The centralized desktop option provides a cost-effective option for companies such as brokerage firms that have trading brokers viewing several computer monitors at once that are all attached to one PC. This way, a business can run one copy of Windows Vista Enterprise on a server and access the OS in multiple virtual machines, Woodgate said.
The diskless PC option is available Monday for no extra charge for customers that already have licensed Windows Vista Enterprise, said Mike Burk, a Microsoft Windows product manager.
The Vista Enterprise Centralized Desktop license will be available for customers that have Microsoft's Software Assurance subscription service for an additional fee beginning in July. Microsoft is not disclosing how much more customers will pay for the license as fees for Software Assurance vary per customer, Burk said.
Google Offers Absolute Free Broadband!!
On April's 1st, Google started showing an Advertisement on it's homepage about it's new (BETA) service, Google TiSP , this service is an absolute free wireless broadband service where once you sign up, you'll recieve your free kit which includes setup guide, fiber-optic cable, spindle, wireless router and installation CD. Google TiSP (BETA) is a fully functional, end-to-end system that provides in-home wireless access by connecting your commode-based TiSP wireless router to one of thousands of TiSP Access Nodes via fiber-optic cable strung through your local municipal sewage lines.
Here, plans you can benefit from, found on FAQ page:
8 Mbps
(10X basic DSL) | 16 Mbps
(20X basic DSL) | 32 Mbps
(40X basic DSL) |
Here is the funny in it, to be able to run service, just read instruction guide found in Getting Started page, the whole system needs just a toilet you can heck your fiber optics cable into!! 
. Read it yourself!!
Discover the trick: In FAQs page browse to the line: A full list of companies that support TiSP is available here , you'll findout that URL of "available here" link is directed to /tisp/notfound.html with this error:
Not Found
The requested URL was not found on this server. There are so many reasons that this might have happened we can scarcely bring ourselves to type them all out. You might have typed the URL incorrectly, for instance. Or (less likely but certainly plausible) we might have coded the URL incorrectly. Or (far less plausible, but theoretically possible, depending on which ill-defined Grand Unifying Theory of physics one subscribes to), some random fluctuation in the space-time continuum might have produced a shatteringly brief but nonetheless real electromagnetic discombobulation which caused this error page to appear. Or (and truth be told, this is by far the most likely scenario) you might have reached a page that we meant to create but didn't get around to it, since this year's April Fool's joke got hacked together at the last minute, more or less the same way this one did. And this one. And this one, and this one, and this one...
I hope you liked it and so intersted in it.... Happy April's Fool
Just wanted to show that TiSP referring to: Toilet Internet Service Provider!
"Whispering from article editor": Good work, Google!"