Saturday, March 25, 2006

WMF-Like Zero-Day Attack Underway

The link above is at eWeek, who seem to be doing a decent job of covering this as it begins to develop. If I were you, I would seek news of this elsewhere, as well, as it is unlikely any one site will have all the details correctly at once.

It's another of those pesky meta file holes. Proof of concept code is on the web and the attack is taking place, right now. Read about that here. And there is more to it than is evident now, so it behooves us to try to keep up as things progress. Needless to say, this is serious. Very much so. Microsoft even says so. You can read their advisory and recommendations for workarounds here.

And while you're at it, you probably ought to have a look at this which details how this vulnerability was sold on the underground market for $4K!

As long as I'm piling it on, here's another one guaranteed to ruin your dinner.


Thursday, March 23, 2006

Dell Acquires Alienware

What does high-volume Dell get buying low-volume Alienware?

  1. An opportunity to use volume-driven low-cost Dell parts in very high profit machines, increasing the margin per unit.
  2. A new place to drive the growing emphasis on the XPS line, another higher-margin area at Dell, which could use some relief from the $399 commodity special.
  3. A back-door intro to selling AMD-based machines, since AMD is by far the gaming processor of choice right now. Dell does this in a wonderfully face-saving way that does not rile Intel, Dell's monogamous chip partner until this news.
  4. With a skunk works called Alienware, Dell can safely learn all it needs to know about taking AMD machines to market in the high-volumes that drive the core business. However, I am still not convinced that Dell can or wants to jump into the AMD mass-market.
  5. A brand name for brand-conscious buyers for whom Dell is unacceptably down-scale, even XPS.

Okay. Microsoft's Vista is (yet again) delayed. This time until early 2007.

I seem to be the only one surprised by this move. I was of the opinion that Microsoft could not afford to delay Vista's release any further and that they knew it and so would move Heaven and earth to get it out to manufacturers (at least) in time for them to offer it during the holiday buying season. It is a mystery to me how Microsoft, making billions upon billions in profits with what in any other industry would be considered piddling costs, cannot hire enough quality workers to get products out on time and maintain those already released in a timely manner. Are they so financially mean they cannot stand to hire adequate staff? Sometimes it seems that way.

MS has already been deeply embarrassed by having to pull major features out of the release plans and announcing they would be added later, as circumstances permitted. Most damaging of these subtractions was WinFS, once touted as a major reason to upgrade (and perhaps THE reason to upgrade in servers). By all accounts, WinFS is a cutting edge file system, more robust, more versatile and of a higher performance level than anything offered for the x86 architecture to date. It wasn't just Microsoft flaks saying that, either. Reputable computer scientists were telling us things like that, as well. With my (admittedly limited) understanding of such things, I thought very highly of WinFS, too.

How they arrived at the current release plans is something of a mystery, too. Perhaps one has to be a billionaire to grasp them, which I most assuredly am not. They're going to release it to their Software Assurance clients first, then release to manufacturers (RTM) sometime after that.

I can see where MS might feel the need to placate that group of clients. When Software Assurance was announced, MS told anyone who would listen that the higher prices charged under the plan would be buying special services, updates, support and more. None of these promises have been delivered upon. At least not to the extent that could quell, or even moderate, the continuous grumbling by the customers involved. Ostensibly, this release pattern is to allow enterprises to begin testing for their own deployments. However, releasing to this group alone after so many problems and delays makes it look as if MS is going to be having enterprise clients doing their beta testing for them and more than one IT honcho I know has voiced exactly that sentiment. It isn't going to happen that way. What CIO or CTO is going to begin expensive and intensive deployment testing on an operating system with a partial feature set? Am I the only one sensing the discontinuity here?

Rumor has it that documentation and even scripts for support personnel are as late as Vista itself, or worse. If that is true, and Vista debuts to a skeletal support structure, the fur will fly. Another reason to release to only the largest clients, I guess. MS can and frequently does send "factory" support people to those outfits and they are probably planning on doing a lot of that until the infrastructure for more distant types of support is in place.

So far, not much has been heard on the subject from OEMs and ODMs, the people who actually put together the computers. It might be that they fear retribution from Microsoft if they protest or it might simply be they feel it better to say nothing rather than risk exploding and saying all. Either way, or some other way entirely, they must be very disappointed. They are going to be missing the most intense buying period of the year: the holiday season. Sure, they will sell a goodly number of PCs, but not the premium priced (and profitable) ones able to run Vista's AeroGlass interface in all its glory. And savvy buyers may well avoid buying a new PC entirely so as not to risk buying a machine that can't run Vista when it gets here and being stuck with XP, which it is certain Microsoft won't want to support too far into the future.

I suspect we will see a lot of machines advertised as "Vista ready" and with either a substantial discount coupon for Vista when it does arrive or the promise of a free upgrade. There will be a lot of uncertainty over this, no matter what the hardware makers do. No doubt MS will concoct some scheme with them. But they are going to have to be brutally honest about exactly which version of Vista will run on the box they sell and make sure the buyers understand correctly. I can see a certain fear factor attached to this which might serve to drive first-time and/or less knowledgeable buyers away from the market until things become easier for them to understand. Remember: package deals with everything included and ready to run are what got these folks into buying computers in the past. The lower prices over the years just accelerated the effect. How these buyers will react to the news that they will have to install or upgrade to a new operating system soon after getting the machine home is anyone's guess. It may take a lot of persuading for the manufacturers and retailers to overcome this. (And we're not sure whether there will be an upgrade path to Vista that does not involve a clean installation. Microsoft hasn't said yet, to the best of my knowledge.)

Microsoft has shaken up the management of the Windows division. Steve Sinofsky, formerly of the Office division, will oversee Windows development. He has a reputation for getting products out the door in good time and in good shape. Perhaps he will be able to make a difference, though it may not be fair to expect too much of him because he is coming so late in the development process. Then again, it may not be as late in the game as we think, if MS thinks they still need almost all of a year to get Vista on the truck.


UltraVNC SC (SingleClick)

This is a very kewl tool if you have computers you need to go in and fix for friends and family. You run a program on your computer and the other person downloads a special tool you make (from this web site) and runs it on their computer and you control their computer and they see you moving the mouse. They can save the file so if you need it again they have it. It only works with the IP address you make the tool for. Riley and I use this program all of the time. Joe

Wednesday, March 22, 2006

Microsoft to update IE after bugs found

It looks like MS is somewhat on top of this one. They're saying "possibly in April" for the patch but my friend near the source says it will be out of cycle and as soon as it's ready.

Our local Linux Users Group, besides a fair amount of snickering at MS over this, demonstrated exploit proof of concept code for both vulnerabilities, yesterday. I wasn't there, but a friend gave me a copy. It's nasty stuff, though NOD32 flagged both samples as suspicious, as did several other AV programs.

Beware, or get Opera or Firefox until IE is tightened up again.


Windows Defender home

"Windows Defender (Beta 2) is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features Real-Time Protection, a monitoring system that recommends actions against spyware when it's detected, and a new streamlined interface that minimizes interruptions and helps you stay productive."
This requires a legal copy of Windows XP in order for you to download it.

Tuesday, March 21, 2006

Vista release to Consumers put off until 2007

I was looking at Google's new Finance Search, and found the following news. I don't think this is gonna surprise anybody.
SEATTLE (Reuters) - Microsoft Corp. (MSFT.O) said on Tuesday it plans to delay the consumer launch of its much-anticipated Windows Vista operating system to January 2007 from its earlier target of the second half of 2006.

Microsoft plans to launch a product for corporate customers in November and then roll out Windows Vista for consumers after the holiday shopping season, Jim Allchin, co-president of Platforms & Services Division, said in a conference call.


New bug can crash Internet Explorer | CNET

"Secunia deems the issue 'not critical.'" Is what a security outfit. Once it completes its inquiry, Microsoft said, it may issue a security advisory or provide a patch through its monthly release process.

Archaic Sounds Caress Modern Ears

I find this very appropriate to something we discussed on Sunday's show. It is about what can be done when a medium becomes obsolete or deteriorates. On a societal level, we have the historians and the librarians take care of it.

So someday your old CDs may wind up in a museum or library being preserved. That is if we can straighten out the copyright laws and allow works that are no longer actively protected by the copyright holder to be preserved and placed into some kind of commons. I presume that recordings or data that is still commercially viable will be moved to new formats by those making money from it.

Curators at the University of California at Santa Barbara's Donald C. Davidson Library have digitized 6,000 late 19th-century and early 20th-century wax and plastic cylinder recordings -- precursors to the flat record. The audio, which includes ragtime hits, vaudeville routines and presidential speeches, encapsulates history with crackles and hisses, but archivists say preserving the sounds now is vital because the cylinders are deteriorating.

Adware backers named and shamed

The report is called "Following the Money: How Advertising Dollars Encourage Nuisance and Harmful Adware and What Can be Done to Reverse the Trend" and is by The Center for Democracy and Technology. In it, the CDT basically does what Ben Edelman has been doing for a while now; telling us just who supports the adware industry and how it is done. The link takes you to a synopsis in The Register.

Of course, 180 Solutions says adware is no different than television, where people pay for the content by "watching a few ads". I don't quite equate the two, mostly because I can't recall when the ads might have damaged my television or rendered it unusable. Drawing that outrageous parallel is the sort of slimy thing I'd expect from adware folks.


Samsung intros solid state notebook drive

We told you they would not be long in coming. The link is to a blurb in The Inquirer. While there are no pricing details yet, expect them to cost 60% more than a mechanical hard drive of the same capacity. Of course, that price will fall rather rapidly.

The big story is what this will do for battery life. Plus, the NAND drives deliver much higher performance than the hard drives they replace.


New bug can crash Internet Explorer

This is not just another in the seemingly unending stream of IE vulnerabilities. The talk on various security mailing lists and IRC channels makes this clear.

Secunia rates this fairly low, as do most other firms. Apparently, crashing the browser is all this flaw is capable of. Attackers evidently cannot execute arbitrary code, nor control the machine's operation using this flaw. Talk among my security oriented friends has been decidedly "ho-hum" because of that. Further, they state that the limited ability of this flaw to be exploited and the limited reward for doing so is directly due to MS having exerted some real effort toward hardening IE. So if you think MS' security initiatives are just talk, think again.

I don't think it is my job to defend MS in this or much else, but credit where credit is due is only fair.


Monday, March 20, 2006

OnComputers Radio show Podcast 03-19-06

This is the On Computers Radio show podcast for 03-19-06. If you prefer, you can download the same file here via ftp.

Note: this is a repost.
