Microsoft to ship emergency IE, Visual Studio patches


Less than a month after a first pass at patching a troublesome flaw affecting its dominant Internet Explorer browser, Microsoft has announced plans to release two emergency updates with a comprehensive fix for the problem.

The unusual move comes on the heels of claims by reverse engineering specialist Halvar Flake that the original IE kill-bit fix was “insufficient” and that Microsoft “might have accidentally introduced security vulnerabilities into third-party products.”

Microsoft declined to discuss specifics of the emergency patches until their release (July 28, 2009), but according to our source the fix is directly linked to the Microsoft Video ActiveX Control (msvidctl.dll) issue that was being exploited in the wild.

July 28, 2009 out-of-band updates will address:
  • One bulletin will be for the Microsoft Visual Studio product line; application developers should be aware of updates available affecting certain types of applications.
  • The second bulletin contains defense-in-depth changes to Internet Explorer to address attack vectors related to the Visual Studio bulletin, as well as fixes for unrelated vulnerabilities that are rated Critical.

Google Chrome Operating System


After years of repeated denials, Google has finally acknowledged that it is, indeed, building an operating system for PCs.

I think it’s good for customers, PC makers, software makers and even for Microsoft that Google is getting into the operating-system game. After more than two decades, Microsoft has only one real competitor in the desktop OS space: Apple. That’s not enough. Competition is good. It keeps prices down and true innovation up.

However, after reading the very few Chrome OS details that Google smartly dropped a couple of weeks before Microsoft is expected to announce the release to manufacturing of Windows 7, I’ve got a few doubts… And quite a few more than the huge number of Google fanboys and girls who seem to forget that, for all its product debuts, Google hasn’t had any home runs other than search.


Google will undoubtedly fill in a lot of the holes that it left open with today’s announcement. But here are a few that already have me wondering:

1. Google Chrome OS is shipping in the second half of 2010? And people criticize Microsoft for preannouncing vaporware by years? Late 2010 is eons from now in the computing world. (It’s even later than Windows Mobile 7, which is expected to start showing up on phones in the first half of 2010.) To those saying that Chrome OS will drop at the same time as Windows 7, your calendars need adjusting. Windows 7 goes on sale October 22, 2009.

2. Google is going to let people modify and change the OS source code? As Apple has shown quite well, when one vendor controls the end-to-end process, both the computer hardware and software, and doesn’t let anyone else touch it, a PC has more cohesiveness and less crapware. Microsoft has shown that OEMs can be allowed to customize their PCs without tinkering with — and introducing more support headaches, bugs and glitches into — the OS. How many different Chrome OSes will there be? Which entity will users call when they have OS problems?

3. What happened to Google’s positioning that no one was going to want software running on PCs in our brave new world? People just needed devices and browsers and Google Docs and Apps. PCs were dated and clunky and only for people who wanted to run old-school apps locally. Weren’t they? Now, Google is adopting the same world view as Microsoft: There will be different OSes for different platforms (Android and Windows Mobile for phones; Chrome OS and Windows for PCs).

I also think it’s telling that many of Google’s fans seem to be assuming Microsoft is standing still. Yes, Windows 7 is just another version of Windows… a good one, but still another iteration of what Microsoft’s been developing for years.

Remember: Microsoft has a number of projects in the works that I’d say are more likely to be competitors to Chrome OS than is Windows 7. The Gazelle OS-in-a-browser project from Microsoft Research is still just a research project and not in incubation or test-release form. But if Microsoft decides it has legs, they could put it on a fast track. There’s Live Mesh — which is more like Google Wave in theory, than the Chrome OS. But no one at Microsoft has talked publicly about the implications of “meshifying Windows” and what that might look like.

The Scarlet V: What's a Vista business user to do?

Windows 7 has been released to manufacturing and is obviously the operating system that Microsoft and its partners will be pushing for the next two-plus years. If you’re one of those business users who is in the midst of deploying Vista, what should you do?


Up until fairly recently, Microsoft was telling users to continue going forward with their Vista deployments if they’d already begun them, and to just skip Vista and go straight to Windows 7 if they were just starting them.

But in May, around the time Microsoft delivered the near-final Release Candidate (RC) test build of Windows 7, Windows execs stopped saying much at all about Vista. In fact, it was like pulling teeth to get them to talk about Vista Service Pack (SP) 2, in terms of discussing features, fixes and/or availability. At the company’s recent Worldwide Partner Conference, the message was clear: As of May, any marketing campaigns that had been using the word “Vista” should be switched to refer to “Windows.”

Where does that leave big shops that bought into Vista? Are they destined to be ridiculed and abandoned like Hester Prynne, forced to don a scarlet “A” (or, in this case, “V”)?

Mike Angiulo, General Manager of Microsoft’s Planning and PC Ecosystem team, said Microsoft is not casting off its Vista users.

“We are not abandoning our existing Vista customers,” Angiulo said. “A three-year cycle is the right amount of time” for the delivery of a new client operating system release to users, and that’s just about how long it will be by the time it makes Windows 7 generally available, he said.

“A lot of the compatibility work we’ve done with Windows 7 will benefit Vista users,” Angiulo added. Many of the drivers and applications that weren’t compatible with Vista out of the gate are now ready for Windows 7 and, by extension, Vista.

When I spoke with Dell this week, the shift in messaging around Vista vs. Windows 7 was crystal-clear.

“A year ago, 87 percent of our commercial customers were on XP. Many are looking to skip a generation and go straight to Vista, Windows 7,” said Jim Ginger, Global Lead of Dell’s End User Services Computing Practice. (Sorry: my mistake on that one… MJF)

But like Microsoft, Dell is insisting that the Windows 7 push won’t mean that Vista users get left behind.

“They can continue with Vista or start rolling out (Windows) 7. The two are similar enough that they will work harmoniously together” so having a mixed Vista/Windows 7 environment shouldn’t be an issue, he said.

For customers who are still on XP, Dell will be suggesting they move straight to Windows 7 and will make that its emphasis with its Dell Optimized Deployment Services, which are aimed at helping corporate users with 1,000 seats or more.

Forrester Research released a new research note on operating system licensing trends this week that echoed the emphasis on Windows 7. From that July 22 note:

“While some clients describe Windows 7 as ‘Windows Vista SP3’ or ‘what Windows Vista should have been,’ Windows 7 will deliver a lot of new features that make it a proper successor to Windows Vista despite the fact that it’s quite clearly an evolutionary update rather than a revolutionary change. We expect most businesses will find compelling reasons for an eventual upgrade, such as simplified connectivity for mobile workers, improved branch office networking, tighter data security and more granular control of applications, and easier access to data across resources.”

The note’s authors added:

“Windows 7 is shaping up to be a suitable replacement for organizations that couldn’t justify an upgrade to Windows Vista, and it even has some firms that took the Vista plunge rethinking their upgrade strategy.”

The U.S. Air Force is one such customer.

The Air Force, as of April of this year, had deployed 90,000 Vista laptops and desktops, according to one of my sources who has knowledge of the details of the contract. The Air Force evaluated and tested Vista between December 2006 and June 2008 and initially deployed the operating system at select bases to about 10,000 users before going further. The Air Force moved to Vista because of the security assurances it offered over XP, according to my source.

So what’s the plan now that Windows 7 is going to be downloadable by volume licensees in a few more weeks? To move to Windows 7 as soon as possible, my source says. The Air Force has been testing Windows 7 internally for months and already has cleared the few app-compatibility hurdles it encountered moving users from XP to Vista.

-zdnet.com

China's Green Dam and the Cyberwar implications


Chinese military leaders have always been aware of the military advantage the US has over the People’s Liberation Army. Reading through their published assessments of Sino-US war possibilities confirms our belief that we would dominate them in the air, on land and at sea. However, the PLA was born of asymmetric warfare and this remains a core part of its strategies against any possible war with the US. Specifically, the PLA writes about the use of cyberwarfare as a means of countering this imbalance.

This makes a lot of sense from a military perspective. The US economy is intimately tied to information services which rely on the Internet. China’s economy is primarily based on manufacturing physical goods. Taking down their network infrastructure would not have devastating effects, while taking down ours would be near catastrophic. But the effects on our economy aren’t the only asymmetry worth talking about. The Chinese Internet is simply different from the US Internet. Their network is self-contained and has only a handful of choke points which interact with the outside world. China has gone as far as null routing various non-Chinese services in the past, such as YouTube and Google, simply for the sake of censoring unflattering media about the PRC government. The US doesn’t have this capability nor the style of government which would permit this type of unilateral action.

On July 1, 2009 China’s Ministry of Industry and Information Technology (MIIT) mandated that everyone must install filtering software known as Green Dam Youth Escort. The decree ensures that, depending on your interpretation, it is provided with or installed on every computer sold in China. The ensuing outrage by Chinese netizens has MIIT backpedaling on its stance and softening the tone of its mandate. Whether or not the program survives is currently a heated subject of debate; however, it is worth noting that the companies involved in producing the software are known to have both government and military ties. The government has already paid roughly $6M for the software, which covers a site license for the entire country. Even though US computer manufacturers are dragging their feet due to moral and copyright concerns, Japanese manufacturer Sony has reportedly already started to comply.

I’ve been thinking about the implications of the success of the program from a cyberwar perspective. China’s military leaders tout their ability to conduct asymmetric warfare using pinpoint attacks on our Internet infrastructure, but Green Dam’s security vulnerabilities offer the chance to recruit every Chinese netizen into a botnet and destroy this capability from the inside. Green Dam represents a ubiquitous new software mechanism in the landscape of the Chinese Internet which, in its brief history, has shown an incredible lack of security forethought.

Within the first weeks of scrutiny by security researchers, the Green Dam filtering software was hit by two vulnerabilities discovered by a team led by University of Michigan’s J. Alex Halderman. One vulnerability required victims to browse specially crafted URLs and the other allowed a tainted security update to execute arbitrary code. Jinhui, the main manufacturer of the software, was quick to patch those vulnerabilities; however, another vulnerability was found in the patched code within hours by the University of Michigan team. At least two of those have known exploits circulating on the Internet already. Analysis of the filtering software shows a 1990’s mentality towards coding and brings with it all the sophomoric security flaws of those times. It is not unreasonable to assume that many more flaws exist in the code which will undoubtedly be exploited soon.

The vulnerabilities which require a victim to view a URL are interesting but not as critical as the update vulnerabilities. The update mechanism for Green Dam was poorly thought out and has very little in the way of content assurance. The filtering software polls the main Jinhui server and asks for an update over cleartext protocols. Furthermore, no code signing is used to verify the authenticity of the contents of the file, meaning anyone skillful enough to penetrate their servers can inject code into potentially millions of computers over a short period of time. This flaw could completely undermine the asymmetric warfare advantage the Chinese previously had.

Companies like Microsoft go to great lengths to ensure that only authorized code is sent and executed by the millions of computers requesting updates. They use code signing to ensure the integrity and authenticity of the code sent to its users. They understand that their update servers are an incredibly rich target for anyone that wants to control massive numbers of computers using a critical strike. If the MIIT decree is carried out successfully Jinhui will be in a similar situation. They will have the ability to execute code on literally millions of computers, both government and civilian, during update cycles. Any new cyberwar scenario will undoubtedly include this fact in its planning. One attack on the Jinhui server will offer the chance to capture every computer running Green Dam and possibly turn them against their own country.
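The contrast between the two update flows just described, as an added example that is not Green Dam's, Jinhui's or Microsoft's code. Python's standard library has no asymmetric signatures, so an HMAC-SHA256 tag under a constructed key stands in for the vendor signature; a real client would check an RSA or Ed25519 signature against a pinned public key, and the key, payload and version numbers below are all constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key. With real code signing the client would hold only the
# vendor's public key and could not produce tags itself.
VENDOR_KEY = b"constructed-demo-signing-key"


def _tag(manifest_without_sig: dict) -> str:
    """Tag a canonical (sorted-key JSON) encoding of the manifest."""
    body = json.dumps(manifest_without_sig, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()


def sign_manifest(payload: bytes, version: int) -> dict:
    """Vendor side: publish the payload digest and version, then tag them."""
    manifest = {"version": version,
                "sha256": hashlib.sha256(payload).hexdigest()}
    manifest["sig"] = _tag(manifest)
    return manifest


def unsafe_apply(payload: bytes, manifest: dict) -> bool:
    """The flow the article describes: whatever the server returned over a
    cleartext channel is accepted and executed. Any tampering goes unnoticed."""
    return True


def verified_apply(payload: bytes, manifest: dict,
                   installed_version: int) -> bool:
    """Accept an update only if the manifest is authentic, the version moves
    forward (blocks re-serving an older, vulnerable build) and the payload
    digest matches what the signed manifest promised."""
    unsigned = {k: v for k, v in manifest.items() if k != "sig"}
    if not hmac.compare_digest(_tag(unsigned), manifest.get("sig", "")):
        return False  # forged or edited manifest
    if manifest.get("version", 0) <= installed_version:
        return False  # rollback attempt
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return False  # payload swapped in transit
    return True


if __name__ == "__main__":
    genuine = b"constructed update payload v2"
    m = sign_manifest(genuine, 2)
    print("genuine:", verified_apply(genuine, m, 1))        # True
    print("tampered:", verified_apply(genuine + b"!", m, 1))  # False
    print("unsafe path:", unsafe_apply(genuine + b"!", m))   # True
```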

It’s obviously not too late for Jinhui to get their act together and shore up their defenses. But right now they are entirely reactive instead of proactive. Historically this means that any attempt to fix their issues will be done with great haste and introduce as many problems as it fixes.

-zdnet.com

Apple and Google's native vs. Web app iPhone game: Get used to it


Google launched its Latitude app for Apple’s iPhone, and an interesting window on the Web vs. native decision process was opened.

The search giant’s Latitude app tracks you anywhere you go (if you want), and it has been a no-show on the iPhone and iPod touch even though the app has hit every other device operating system.

In a blog post, Google outlined the following:

We worked closely with Apple to bring Latitude to the iPhone in a way Apple thought would be best for iPhone users. After we developed a Latitude application for the iPhone, Apple requested we release Latitude as a web application in order to avoid confusion with Maps on the iPhone, which uses Google to serve maps tiles.

Google, like Apple, continues to push for improvements in web browser functionality. Now that iPhone 3.0 allows Safari to access location, building the Latitude web app was a natural next step. In the future, we will continue to work closely with Apple to deliver useful applications — some of which will be native apps on the iPhone, such as Earth and YouTube, and some of which will be web apps, like Gmail and Latitude.

Unfortunately, since there is no mechanism for applications to run in the background on iPhone (which applies to browser-based web apps as well), we’re not able to provide continuous background location updates in the same way that we can for Latitude users on Android, Blackberry, Symbian and Windows Mobile…

This Web vs. native app decision process will emerge repeatedly between Google and Apple. Simply put, the two are on a mobile collision course. Meanwhile, Apple isn’t going to want Google to confuse things for its iPhone features. Simply put, Apple limited Google Latitude.

As a consumer, it is becoming increasingly clear that Android may be the only real rival for the iPhone on the operating system and app front. When that collision course becomes more obvious you’ll see more Web vs. native app jockeying.


-zdnet.com

Fast Flux


Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and countermeasures. The Storm Worm is one of the recent malware variants to make use of this technique.

Internet users may see fast flux used in phishing attacks linked to criminal organizations, including attacks on MySpace.

While security researchers have been aware of the technique since at least November 2006, the technique has only received wider attention in the security trade press starting from July 2007.


Single-Flux and Double-Flux

The simplest type of fast flux, referred to as "single-flux", is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name. This combines round robin DNS with very short TTL (time to live) values to create a constantly changing list of destination addresses for that single DNS name. The list can be hundreds or thousands of entries long.

A more sophisticated type of fast flux, referred to as "double-flux", is characterized by multiple nodes within the network registering and de-registering their addresses as part of the DNS NS record list for the DNS zone. This provides an additional layer of redundancy and survivability within the malware network.

Within a malware attack, the DNS records will normally point to a compromised system that will act as a proxy. This method prevents some of the traditionally best defense mechanisms from working — e.g., IP-based ACLs. The method can also mask the attackers' systems, which will exploit the network through a series of proxies and make it much more difficult to identify the attackers' network. The record will normally point to an IP where bots go for registration, to receive instructions, or to activate attacks. Because the IPs are proxied, it is possible to disguise the originating source of these instructions, increasing the survival rate as IP-based block lists are put in place.
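A simplified single-flux heuristic run over constructed DNS answers, added here as an example that is not part of the Wikipedia article. It scores a name by the three traits the text describes (short TTLs, a large address set, constant change) plus netblock diversity, which is what separates a flux network of scattered compromised hosts from a CDN that also uses short TTLs; the names, addresses and thresholds are all constructed, and /16 prefixes stand in for ASN lookups that are not available offline.

```python
from collections import namedtuple
from ipaddress import ip_address

# One DNS response for a name: its TTL and the A records returned.
Answer = namedtuple("Answer", "name ttl ips")

# Constructed sample data: repeated lookups of two names a few minutes apart.
OBSERVED = [
    Answer("flux.example", 120, ["198.51.100.7", "203.0.113.44", "192.0.2.9"]),
    Answer("flux.example", 120, ["198.51.100.7", "192.0.2.130", "203.0.113.200"]),
    Answer("flux.example", 120, ["10.45.2.1", "172.16.3.9", "192.0.2.77"]),
    Answer("cdn.example", 60, ["192.0.2.10", "192.0.2.11"]),
    Answer("cdn.example", 60, ["192.0.2.12", "192.0.2.13"]),
    Answer("cdn.example", 60, ["192.0.2.10", "192.0.2.14"]),
]


def slash16(ip: str) -> str:
    """Netblock proxy for 'different hosting providers' (no ASN data offline)."""
    return ".".join(ip.split(".")[:2])


def flux_profile(name: str, answers: list) -> dict:
    """Summarise how the A record set for `name` behaved across lookups."""
    lookups = [a for a in answers if a.name == name]
    seen, blocks, ttls = set(), set(), []
    later, new = 0, 0  # addresses in 2nd+ lookups, and how many were unseen
    for i, a in enumerate(lookups):
        ttls.append(a.ttl)
        for ip in a.ips:
            ip_address(ip)  # raises on malformed input
            blocks.add(slash16(ip))
            if i > 0:
                later += 1
                new += ip not in seen
        seen.update(a.ips)
    return {
        "max_ttl": max(ttls) if ttls else None,
        "distinct_ips": len(seen),
        "distinct_blocks": len(blocks),
        "churn": new / later if later else 0.0,  # share of answers that were new
    }


def is_fast_flux(p: dict, ttl_limit=300, min_ips=5, min_blocks=3,
                 min_churn=0.5) -> bool:
    """A short TTL alone is not enough (CDNs do that); require a large,
    netblock-diverse and constantly refreshed address set as well."""
    return (p["max_ttl"] is not None and p["max_ttl"] <= ttl_limit
            and p["distinct_ips"] >= min_ips
            and p["distinct_blocks"] >= min_blocks
            and p["churn"] >= min_churn)


if __name__ == "__main__":
    for name in ("flux.example", "cdn.example"):
        prof = flux_profile(name, OBSERVED)
        print(name, prof, "-> fast flux" if is_fast_flux(prof) else "-> benign")
```

A double-flux check follows the same shape applied to the zone's NS records instead of the A records.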


-wikipedia.