Microsoft

The Mono project, which produces an open source implementation of the .NET runtime, has released version 2.8. The update brings full support for version 4.0 of the C# programming language, substantial improvements to the optional LLVM-based Mono backend, and a new garbage collection implementation that is more efficient.

Mono was originally created to accelerate Linux application development and enable Windows developers to bring some of their existing code and skills to the Linux platform. The focus of the project has expanded in recent years as Novell has explored ways to monetize the underlying technology. Mono is increasingly viewed as a compelling tool for supporting rich embedded scripting in applications and bringing C# to environments where it wouldn't otherwise run.

According to the Microsoft Security Response Center, Microsoft will issue 16 Security Bulletins addressing 49 vulnerabilities on Tuesday, October 12. It will also host a webcast to address customer questions the following day.

Four of the vulnerabilities are rated "Critical," 10 are marked "Important," and the last two are classified as "Moderate." All of the Critical vulnerabilities earned their rating through a remote code execution impact, meaning a hacker could potentially gain control of an infected machine. At least eight of the 16 patches will require a restart.

A new tool developed by researchers at Georgia Tech and SRI International could provide an effective countermeasure against drive-by download attacks. The researchers claim that the software, BLADE ("Block All Drive-by Download Exploits), provides cross-browser protection against a wide range of real threats.

Drive-by attacks, in which an attacker exploits flaws in a browser or its plugins to silently download and install malicious software, are increasingly common, with many millions of hostile pages found on the Internet. With drive-by attacks sometimes being distributed by advertising networks, even careful Web users can find their browsers at risk of infection by this kind of malware.

The BLADE system works by blocking access to any executable program that a Web browser makes, if that access was not preceded by a user's explicit authorization for the download. Most browsers give users the opportunity to confirm or deny downloads; drive-bys, however, use security flaws to bypass this user intervention. BLADE tracks user actions—clicking a button to permit a download—and uses this information to selectively prevent access to downloaded files. The software also records both the URL and downloaded file, allowing further analysis by security professionals.

BLADE cannot prevent all attacks (for example, those that do not depend on creating persistent files on victims' computers would not be trapped), but the researchers' testing suggests that it's effective against a broad range of real-world exploits.

The testing suggested much greater efficacy than conventional anti-virus software. This is likely to be due at least in part to the generalized nature of the protection; rather than detecting malware with particular signatures, BLADE blocks any suspicious download activity.

The BLADE software should be available to download for Windows shortly. Though it appears effective, it's less obvious that the technique will ever be capable of providing widespread protection: if BLADE-like software became the norm, attackers would just use alternative routes to propagate their malware.

Read the comments on this post

Once upon a time, users who were careless about security posed a risk only to themselves. But, with the advent of pervasive networking and botnets, that's no longer true. As a result, lax security has become the equivalent of second hand smoke: it poses a risk to everyone, and needs a security equivalent of a public health campaign and quarantines. That's the message of a new report by Scott Charney, who heads Microsoft's Trustworthy Computing Group. And Charney has a simple solution: a digital health report that every piece of network hardware would be required to provide before having access to the full suite of Internet services.

Charney's report is entitled "Collective Defense: Applying Public Health Models to the Internet," and is available for download. In a blog post in which he announced its release, Charney presents this as part of a larger attempt to redefine how we look at cyberthreats, and references an earlier report he prepared. Don't believe him; the two reports are largely unrelated, and the earlier one did little more than present a list of reasons why cybersecurity is so challenging for governments, businesses, and private citizens.

Mozilla has announced its plans to update the search options in Firefox 4, the next major version of the popular open source Web browser. Google will remain Firefox's default search engine, but Microsoft's Bing search will be available as one of the standard options.

Firefox 4 users who want Bing as their default browser search engine instead of Google will be able to simply select it from the search box drop-down menu without having to perform any additional configuration steps. Mozilla says that the decision is a response to the increasing relevance and maturity of Microsoft's search engine and growing demand for the service among Firefox users.

Here are your hottest stories from the world of Microsoft for the past seven days.

Is that Bill Gates staring back at you from Outlook 2010?: Take a closer look at the fallback image in Outlook 2010's People Pane and you'll see it too.

The final version of Windows Live Essentials 2011 is now available to download. The all-in-one bundle of mail client, instant messenger, movie editor, blog editor, and more, runs on Windows Vista and Windows 7—Windows XP users need not apply.

We've already had a detailed look at Messenger and Live Mesh (which at the time was called Live Sync). The positives are much the same now as they were then; Messenger's social integration works well, its Facebook chat is useful, and its tabbed chats extremely welcome, if overdue.

Although building consensus position on patent reform proposals has proved difficult, practically every major stakeholder (except patent attorneys, of course) agrees that the US patent system is broken. As a result, patent problems occasionally generate unexpected alliances between disparate groups at opposite ends of the ideological spectrum. In the latest example, a number of organizations, including the Electronic Frontier Foundation and the Apache Software Foundation, have filed an amicus brief that expresses support for Microsoft's pursuit of revised patent rules.

Microsoft is currently mired in a high-profile patent dispute with i4i, a company that develops collaborative document editing software. The XML editing capabilities in Microsoft's popular office suite are said to infringe related patents that are held by i4i. The courts have consistently sided with i4i, awarding the company $290 million in damages and threatening Microsoft with an injunction. An appeals court upheld the judgement and the US Patent Office (USPTO) has declined to invalidate the patent.