Slashdot Mirror

CWmike writes "Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista, Windows Server 2003 and Windows Server 2008. The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4. 'We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible,' said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP. 'An update for Windows XP will not be made available,' Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here). Last Tuesday, Microsoft said that it wouldn't be patching Windows 2000 because creating a fix was 'infeasible.'"

CWmike writes "Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista, Windows Server 2003 and Windows Server 2008. The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4. 'We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible,' said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP. 'An update for Windows XP will not be made available,' Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here). Last Tuesday, Microsoft said that it wouldn't be patching Windows 2000 because creating a fix was 'infeasible.'"

barking_at_airplanes writes "Some called him crazy a few years ago when he joined Microsoft to run the Open Source Software Lab, but Sam Ramji endured and made real differences to how Microsoft treats open source and how open source people view Microsoft. Ramji is now heading back to Silicon Valley to join a cloud computing startup. Sam comments in his announcement: '46 months later, I am amazed at the changes that have occurred for the company, for the team I belonged to, and the sentiments of the industry.' It's a statement which, 46 months ago, few Slashdotters would have thought could come true! With Sam leaving, can Microsoft's positive momentum into open source continue successfully? Bill Hilf says they're 'actively seeking someone to fill Sam's shoes.'"

angry tapir writes "Microsoft has made its second release under the General Public License in two days with software for Moodle, an 'open-source course management system that teachers use to create online learning Web sites for their classes[, which] has about 30 million users in 207 countries.' It comes on the heels of Redmond contributing drivers to the Linux community. No reports as yet on dropping temperatures in hell."

FishWithAHammer writes "Peter Galli of Microsoft posted a blog entry on Port25 today, regarding the explicit placement of C# and the Common Language Infrastructure (the ECMA standard that underpins .NET) under their Community Promise: 'It is important to note that, under the Community Promise, anyone can freely implement these specifications with their technology, code, and solutions. You do not need to sign a license agreement, or otherwise communicate to Microsoft how you will implement the specifications. ... Under the Community Promise, Microsoft provides assurance that it will not assert its Necessary Claims against anyone who makes, uses, sells, offers for sale, imports, or distributes any Covered Implementation under any type of development or distribution model, including open-source licensing models such as the LGPL or GPL.'" Adds reader anshulajain: "Understandably, Miguel De Icaza is jumping with joy."

SkiifGeek writes "Both Microsoft and Apple have released major security updates in the last 24 hours. Microsoft's single update (MS09-017) addresses fourteen distinct vulnerabilities across all supported versions of PowerPoint, but it isn't the number of patched vulnerabilities that is causing trouble. Instead, the decision to release the patch for Windows versions while OS X and Works versions remain vulnerable to the same remote code execution risks (including one that is currently being exploited) hasn't gone down well with some people. Microsoft have given various reasons why this is the case, but this mega-update-in-a-patch is still interesting for other reasons. Meanwhile, Apple has updated OS X 10.5 to 10.5.7 as part of the 2009-002 Security Update, as well as a cumulative update for Safari 3 and the Public Beta for 4. As well as addressing numerous significant security risks, the 10.5.7 update provides a number of stability and capability enhancements and incorporates the Safari 3 update patch. Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate."

1sockchuck writes "It takes most companies at least a year to build a new data center. Digital Realty Trust says it can build a new data center in just 20 weeks using standard designs and modular components that can be assembled on site. The company equates its 'building blocks' approach to data centers to building with Legos — albeit with customized parts (i.e. the Millennium Falcon Lego kit). Microsoft is taking a similar approach, packaging generators, switchgear and UPS units into pre-assembled components for rapid assembly. Is this the future of data center design?"

jchrisos writes "Microsoft is planning to disable autorun in the next Release Candidate of Windows 7 and future updates to Windows XP and Vista. In order to maintain a 'balance between security and usability,' non-writable media will maintain its current behavior however. In any case, if it means no more autorun on flash drives, removable hard drives and network shares, that is definitely a step in the right direction. Will be interesting to see what malware creators do to get around this ..."

An anonymous reader writes "Microsoft's long-awaited integrated security suite, codenamed Stirling, has been delayed by months and will now not be available until the fourth quarter 2009. According to Microsoft, the delay is due to the further development of the firm's behaviour based technology, the Dynamic Signature Service, 'to help deliver more comprehensive endpoint protection for zero-day attacks,' and efforts to add interoperability with third-party solutions, as per customer requests. When completed, the suite will combine a number of tools, such as the ISA Server and multiple Forefront products."

CWmike writes "Microsoft has ramped up its new Windows support assistant 'Fix it for me' nearly three months after it quietly released the automatic repair and configuration tool. The upgrade adds a 'Fix it' button to some of the support documents that Microsoft posts to its Knowledge Base. The blog introducing the changes lists some of the Knowledge Base documents that boast the 'Fix it' button, including one that prevents users from connecting a USB storage device — useful in protecting against one of the infection vectors of the 'Downadup' worm. Have ideas for the tool? In a forum on the 'WinVistaClub' Web site, someone who said he was part of the 'Fix it' team at Microsoft encouraged users to send feedback on the feature to the group at fixit4me@microsoft.com."

CWmike writes "Just a day after downplaying the vulnerability that caused it to issue an out-of-cycle patch last week, Microsoft warned customers late yesterday that exploit code had gone public and was being used in additional attacks. 'We've identified the public availability of exploit code that now shows code execution for the vulnerability addressed by MS08-067,' said Mike Reavey, operations manager of Microsoft's Security Response Center, in a post to the MSRC blog. 'This exploit code has been shown to result in remote code execution on Windows Server 2003, Windows XP, and Windows 2000.'"

An anonymous reader writes "Microsoft said late Wednesday that it plans to release a critical security update today to plug a security hole present in all supported versions of Windows. The company hasn't released any details about the patch yet, which is expected to be pushed out at 1 p.m. PT. Normally, Redmond issues security updates on Patch Tuesday, the second Tuesday of each month. The Washington Post's Security Fix blog notes that each of the three times in the past that Microsoft has departed from its patch cycle, it was to fix some really nasty vulnerability that criminals already were exploiting to break into Windows PCs." Reader filenavigator points out an article which describes the hole as an SMB vulnerability, and says it "allows anyone to access a Windows machine remotely without any user name or password. Any machine that exposes Windows file sharing is vulnerable." Update: 10/23 17:42 GMT by T : Reader AngryDad adds a link to Microsoft's more detailed memo.

wiedzmin writes "A couple of very useful updates have just been released by Microsoft for the ever so popular Sysinternals tool set. The most notable one is ProcessMonitor v2.0 which will now include 'real-time TCP and UDP monitoring.' Another one, released earlier this year — Desktops 1.0, provides a very unique multi-thread way to get multiple desktops running on your Windows box."

SecureThroughObscure writes "ZDNet Zero-Day security blogger Nate McFeters got an exclusive look at the Microsoft Blue Hat conference. This is an invite-only conference that few media get to attend, but apparently McFeters was brought in with co-worker Rob Carter to talk about some vulnerabilities they had discovered with a few product security teams in attendence, and was also asked to do a guest blog posting about the conference at the Microsoft Blue Hat blog. McFeters also included several pictures of the conference and after conference events."

Microsoft Watch writes "Microsoft downplays a recent DNS vulnerability in all Microsoft operating systems (XP, Vista, 2000, and 2003), claims Amit Klein, the security researcher who published the original vulnerability description (PDF) earlier this month. According to Klein, the description in Microsoft's Secure Windows Initiative blog entry is misleading, contains disinformation about the DNS transaction ID algorithm, and downplays the severity of the issue. Klein refutes Microsoft's claim that there is no way to reproduce the next transaction ID, given a series of observed transaction IDs. He shows that this is possible in his paper, which Microsoft had before publishing the SWI post, as well as on the series of data provided in the SWI blog itself."

willdavid writes to tell us that Sam Ramji over at Port25 has a nice succinct list of the major open source principles that have been used while developing Windows Server 2008. "Overall, we've learned and continue to learn from open source development principles. These are making their way into the mindset, development practices, and ultimately into the products we bring to market. I've focused here on 'what Microsoft has learned from Open Source' - and ironically, I've agreed to do a panel at OSBC on 3/25 with Jim Zemlin of the Linux Foundation on 'what Open Source can learn from Microsoft'. As all of the different organizations in IT continue to evolve, we'll learn from each others' best practices and make increasingly better software. As in science, this incremental improvement will move all of us forward."

I Don't Believe in Imaginary Property writes "There's a growing revolt among Microsoft TechNet & MSDN subscribers who are frustrated that they can't yet get Vista SP1 and test their software on it. This can't be good news for anyone hoping that SP1 will have better compatibility. While SP1 has been released to manufacturing, and pirate copies are easy to find, Microsoft is withholding it from subscribers until early March. According to the article, some frustrated users are upset enough that they plan to abandon TechNet entirely and turn to piracy." Update: 02/12 17:37 GMT by KD : Sean0michael writes, "Aaccording to the Technet blog, they have pushed up the date to before the end of February, though no exact date is mentioned."

greg65535 writes "Today Microsoft launched a blog about the internals of their IT security research and patch development process. There are already some posts that you will not find in the official security bulletins or KB articles. One of the posts says, 'We periodically identify workarounds or mitigations like this that we can't use for official guidance because they're either too nuanced or have some exception cases. When we discover something potentially useful but are uncomfortable listing it in the bulletin, we'll do our best to describe it here in this blog.' It looks like Microsoft is making an effort to become more 'open' in the area of security research and communication."

Toreo asesino writes "Jeff Alexander gives an insight into how Microsoft runs its main sites. Interesting details include having no firewall, having to manage 650 GB of IIS logs every day, and the use of their yet unreleased Windows Server 2008 in a production environment.

a-twitter writes "After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability, announcing in a security advisory that a Windows update will be released to revise URI handling code within ShellExecute() to be more strict. The MSRC blog explains the background and offers more details on this issue."

koro666 writes "In his latest blog post, Mark Russinovich analyzes the network slowdown experienced by some users when playing multimedia content. 'Tests of MMCSS during Vista development showed that... heavy network traffic can cause enough long-running DPCs to prevent playback threads from keeping up with their media streaming requirements, resulting in glitching. MMCSS' glitch-resistant mechanisms were therefore extended to include throttling of network activity. It does so by issuing a command to the NDIS device driver... [to] pass along, at most 10 packets per millisecond (10,000 packets per second)... [T]he networking team is actively working with the MMCSS team on a fix that allows for not so dramatically penalizing network traffic, while still delivering a glitch-resistant experience.'"

eldavojohn writes "Microsoft is applying for OSI certification for its Shared Source Initiative. The move is described in a blog post by an MS OSS lab worker: 'Today, we reached another milestone with the decision to submit our open licenses to the OSI approval process, which, if the licenses are approved, should give the community additional confidence that the code we're sharing is truly Open Source. I believe that the same voices that have been calling for Microsoft products to better interoperate with open source products would voice their approval should the Open Source Initiative itself open up to more of the IT industry.' According to PC World, reaction from the community has been mostly positive."

SilentChris writes "Microsoft today released a new Media Player plugin for Firefox that resolves the problems users of the older version were experiencing. According to the company's Port 25 blog, it's backwards compatible with Windows Media Player 6.4. The plugin is for Windows XP and Vista only, but if you have to watch WMV video at least it's less likely to crash your browser."

An anonymous reader writes "Recently Microsoft's open source software lab posted PostgreSQL on Windows: A Primer. Postgres is one of the longest running open source databases — it has been around for nearly 11 years. The powerful object-relational database is a direct competitor to other OSS databases, as well as Microsoft's SQL Server 2005. So why is Microsoft promoting it? I get Redmond's interest in boosting anything that runs on Windows as a platform. Is this simply a case of left-hand, right-hand, or is something deeper going on?"

jginspace writes "As per the advance notification, Microsoft's monthly security bulletin, released yesterday, addressed five general Windows issues and one in Visual Studio. It also included a fix for a problem in Outlook Express for a total of seven updates. As patch Tuesdays go it was fairly unremarkable. The only general Windows update labeled 'critical' is for a flaw in Media Player. As usual, there's a cumulative update for Internet Explorer, but significantly, the only versions of IE affected are 5 and 6. Version 7 is clean — which is welcome news in this first update since the upgrade was pushed to the world last month. Microsoft was silent on the two zero-day Word holes, one reported here and a new one. Sans is calling this 'Black Tuesday' and recommends patches be applied urgently for the Visual Studio and Media Player vulnerabilities. Sans is recommending the Heise Offline Update utility covered in a previous story."

narramissic writes to let us know about yet another PowerPoint flaw, this one affecting PowerPoint 2000, 2002, and 2003, soon after Microsoft issued a record number of patches to fix numerous Office vulnerabilities (among others). The new problem came to light in a blog posting by Microsoft Security Program Manager Alexandra Huft, but the coverage at ITWorld has more detail. Huft writes, "We've been made aware of proof of concept code published publicly affecting Microsoft Office 2003 PowerPoint," and goes on to say that Microsoft is not aware of any attacks that exploit the bug.

GarstMan writes to mention that Microsoft has released what it hopes will be the last version of Windows Vista to go through the testing process. From the article: "This new build of Windows Vista offers users a higher level of performance and stability - improving what was established in Windows Vista RC1. We were able to also fix many of your bugs reported from RC1 and implement them for RC2. Thank you to our beta testers for the bugs and feedback you submitted for RC1. The improvement shows as we raised our quality bar even higher! Platforms and Services Co-President Jim Allchin has just posted a special announcement letter of RC2 to Microsoft Connect for the Windows Vista Technical Beta Testers."

teslatug writes "Channel9 has an interview with Bill Hilf of the Open Source Software Lab at Microsoft. Hilf argues that the majority of companies advocate open source solely so that they can drive customers to their core business, which is not open source. He calls this his 'donut theory.' Hilf also sees RedHat in this model, with support being their core. He compares this to dating, where you have to offer your date value in order to entice them. In his view, Microsoft offers developers a platform where they can make money selling their software. The virtues of 'free as in freedom' and the value of open source to the desktop users are skirted, but he makes an interesting point about big businesses like IBM and Oracle."

alienfluid writes to mention that RC1 of Windows Vista is now complete. This 'nearly complete' version of the operating system is already available to beta testers, and will be available to everyone else soon. From the article: "You'll notice a lot of improvements since Beta 2. We've made some UI adjustments, added more device drivers, and enhanced performance. We're not done yet, however -- quality will continue to improve. We'll keep plugging away on application compatibility, as well as fit and finish, until RTM. If you are an ISV, RC1 is the build you should use for certifying your application."

Laljeetji writes "eweek reports that the first wave of malicious attacks against the MS06-040 vulnerability is underway, using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets. The attacks, which started late Aug. 12, use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote IRC (Internet Relay Chat) server and starts listening for commands from a remote hacker. On the MSRC blog, Microsoft is calling it a very small, targeted attack that does not (yet?) have an auto-spreading mechanism. LURHQ has a detailed analysis of the backdoor."

Ben Galliart writes "Microsoft's Port 25 blog, the voice of MS Linux Labs and a spin-off from the MS Channel 9 blog, has an interview with Miguel de Icaza where they discuss the Gnome and Mono projects. It is a nice change of pace to see Microsoft go from attacking Novell and Linux to interviewing a Novell employee about a Linux desktop system. Port 25 has come under some fire since they can not always be trusted. Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor and a security guide attacking Red Hat for not providing security updates for Red Hat v9 despite that Red Hat ended support back in 2004. They have also released a password synchronization daemon for Red Hat, AIX, HPUX and Solaris that must run as root and makes several calls to strcpy() (which violates Microsoft's guidelines for doing secure coding)."

Ben Galliart writes "Microsoft's Port 25 blog, the voice of MS Linux Labs and a spin-off from the MS Channel 9 blog, has an interview with Miguel de Icaza where they discuss the Gnome and Mono projects. It is a nice change of pace to see Microsoft go from attacking Novell and Linux to interviewing a Novell employee about a Linux desktop system. Port 25 has come under some fire since they can not always be trusted. Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor and a security guide attacking Red Hat for not providing security updates for Red Hat v9 despite that Red Hat ended support back in 2004. They have also released a password synchronization daemon for Red Hat, AIX, HPUX and Solaris that must run as root and makes several calls to strcpy() (which violates Microsoft's guidelines for doing secure coding)."

Ben Galliart writes "Microsoft's Port 25 blog, the voice of MS Linux Labs and a spin-off from the MS Channel 9 blog, has an interview with Miguel de Icaza where they discuss the Gnome and Mono projects. It is a nice change of pace to see Microsoft go from attacking Novell and Linux to interviewing a Novell employee about a Linux desktop system. Port 25 has come under some fire since they can not always be trusted. Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor and a security guide attacking Red Hat for not providing security updates for Red Hat v9 despite that Red Hat ended support back in 2004. They have also released a password synchronization daemon for Red Hat, AIX, HPUX and Solaris that must run as root and makes several calls to strcpy() (which violates Microsoft's guidelines for doing secure coding)."

Ben Galliart writes "Microsoft's Port 25 blog, the voice of MS Linux Labs and a spin-off from the MS Channel 9 blog, has an interview with Miguel de Icaza where they discuss the Gnome and Mono projects. It is a nice change of pace to see Microsoft go from attacking Novell and Linux to interviewing a Novell employee about a Linux desktop system. Port 25 has come under some fire since they can not always be trusted. Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor and a security guide attacking Red Hat for not providing security updates for Red Hat v9 despite that Red Hat ended support back in 2004. They have also released a password synchronization daemon for Red Hat, AIX, HPUX and Solaris that must run as root and makes several calls to strcpy() (which violates Microsoft's guidelines for doing secure coding)."

Christopher_G_Lewis writes "Today Microsoft announced that it is 'not feasible to make the extensive changes necessary to Windows Explorer on Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) to eliminate the vulnerability' to fix Security Bulletin MS06-15. Granted, the vulnerability is easily prevented by basic firewalling, but this basically is the first time Microsoft has admitted that Windows 98 is so broken that it's crazy to be running it on today's Internet."

dotpavan writes "Eweek reports on a highly critical MS Internet Explorer hole found by Secunia Research's Andreas Sandblad. The vulnerability is due to the processing of the "createTextRange()" method call applied on a radio button control. From Secunia, "The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2." The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition) though it could be avoided by turning off Active Scripting, as suggested by Microsoft Security Response Center blog. How would this put MS in the market, hit by the ever-growing shots of vulnerabilties? And would the divorce of IE7 from Vista's Windows Explorer help?"

beuges writes "In an entry on the Microsoft Security Response Center Blog, Stephen Toulouse explains exactly how the WMF flaw could be triggered. BetaNews has an overview of the company's response." From the BetaNews article: "This code exists on every version of Windows since version 3.0, security firms have said. When this functionality was introduced, Toulouse said the security landscape differed from what it is now and metafile records were completely trusted by the operating system. Gibson claimed that the flaw could be exploited only by using a byte size of 1 in the metafile record, which Toulouse says is incorrect. He surmised that Gibson's tests had the offending function as the last entry in the metafile, which caused only incorrect sizes to trigger the flaw." We've previous reported on the backdoor claim.

LaughingCoder writes "Microsoft has announced their plans for the (currently free) AntiSpyware application, which is now in Beta. It is currently slotted to be bundled with Windows Vista. The end-user has the option of switching it out and using a different vendor's spyware protection if they want." From the article: "Microsoft gave an official name to its software for protecting computer users against spyware. The software, which has been known as Windows AntiSpyware Beta 1, will be called Windows Defender when the finished version becomes available next year, a Microsoft spokesperson said Tuesday. A posting on Microsoft's TechNet Web blog announced the change on Friday and also revealed some details about capabilities coming to the software. The current version of Windows AntiSpyware Beta 1 has 18 million users, the spokesperson said. "

TheRealSlimShady writes "According to a post by Ward Ralston on the Windows server team's weblog, Vista server is to get symlinks as part of the SMB2 protocol." From the post: "In Vista/Longhorn server, the file system (NTFS) will start supporting a new filesystem object (examples of existing filesystem objects are files, folders etc.). This new object is a symbolic link. Think of a symbolic link as a pointer to another file system object (it can be a file, folder, shortcut or another symbolic link)."

hggs writes "According to Stephen Toulouse at Microsoft, because of the possible virus threat that targets Monad the shell will not be included in Windows Vista. CNet is reporting that, even though Monad is not to be included on Vista, it will be included on a major server operating system for servers from Microsoft. Codenamed Longhorn server, that edition is due out by 2007." Update: 08/06 04:45 GMT by Z : As Mr. Toulouse states here, the submission here adds one and one and gets three. Monad hasn't been in Vista for about two months. The CNet article is clarifying a previous report stating that Monad could potentially be the first source of viruses in an OS which incorporated it. The interesting news about Monad in the server edition was obscured by the factually incorrect submission, which at first blush seemed to make sense. Mea Culpa.

hggs writes "According to Stephen Toulouse at Microsoft, because of the possible virus threat that targets Monad the shell will not be included in Windows Vista. CNet is reporting that, even though Monad is not to be included on Vista, it will be included on a major server operating system for servers from Microsoft. Codenamed Longhorn server, that edition is due out by 2007." Update: 08/06 04:45 GMT by Z : As Mr. Toulouse states here, the submission here adds one and one and gets three. Monad hasn't been in Vista for about two months. The CNet article is clarifying a previous report stating that Monad could potentially be the first source of viruses in an OS which incorporated it. The interesting news about Monad in the server edition was obscured by the factually incorrect submission, which at first blush seemed to make sense. Mea Culpa.