Microsoft

IE gains market share at the expense of Firefox, Chrome

Written by Akuma Monday, 02 August 2010 14:40

Now that we're past the halfway point of 2010, it's starting to become apparent that the browser trends we've noted over the past several months are no longer holding. Sure, Safari and Opera are still slowly gaining share, but the three big guys are restless. Firefox has started declining, Chrome's growth spurt seems to have been put on hold, and Internet Explorer experienced gains for the second month in a row.



Inside Microsoft's internal IE8 privacy battles

Written by Akuma Monday, 02 August 2010 13:20

A bid by the Internet Explorer team to automatically block the tracking systems used by online advertisers was itself blocked by others within the company in order to protect those advertisers, the Wall Street Journal wrote over the weekend. 

The InPrivate Filter feature, introduced in Internet Explorer 8, could have defaulted to "on." This would result in the tracking scripts used by advertisers such as Google being disabled, and in turn, reduce the ability for those advertisers to target the ads they show.

InPrivate Filtering works by tracking any scripts, images, and other resources that webpages reference. In particular, it tracks resources that come from a different domain than the page being viewed. If one of these resources is used by more than ten different sites, InPrivate Filtering deems that resource to be a tracking device and will block subsequent attempts to download it.

The WSJ story describes how the Internet Explorer group built the feature without consulting other groups in the company who might take an interest in such a change—in particular, Brian McAndrews, who had been CEO of advertising firm aQuantive until Microsoft bought it in 2007. 

McAndrews and others pushed back against the Internet Explorer team and its manager, Dean Hachamovitch, fearing that the feature would damage both Microsoft's own advertising business and its relationships with other advertising firms.

In the end, the marketers largely won the battle. Though InPrivate Filtering is part of Internet Explorer 8, it was scaled back. It is not enabled by default—indeed, it cannot be made to be on by default without modifying the registry—and an advanced subscription feature, one that would enable privacy groups to provide blacklists of companies known to breach privacy, did not ship at all. Lists of privacy offenders can be manually imported, but they can't be updated automatically.

Enabling InPrivate Filtering is not without some risk. Commonly used JavaScript libraries are available from specially created content delivery networks (CDNs) so that Web authors can more easily include them in their pages. Using CDNs in this way allows browsers to cache the scripting libraries and use their cached copies across many different sites, leading to better performance for users. InPrivate Filtering has no way to distinguish between "desirable" scripts like these and "undesirable" ones used for tracking; it is prone to blocking them all.

As such, the decision to disable the feature by default might make sense technically—even if made for quite non-technical reasons.
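The counting rule described above, and the reason it cannot tell a CDN-hosted library from a tracker, as an added example (not code from Microsoft or from the original article). The class name, function names and every URL are constructed for illustration, and full hostnames stand in for "domain" as a simplification.

```javascript
// Simplified model of the heuristic as the article describes it; not IE8's code.
const THRESHOLD = 10; // article: "used by more than ten different sites"

class ThirdPartyFilter {
  constructor(threshold = THRESHOLD) {
    this.threshold = threshold;
    // resource URL -> Set of first-party hosts that have referenced it
    this.seenOn = new Map();
  }

  // Decide one resource request made while viewing pageUrl.
  request(pageUrl, resourceUrl) {
    const pageHost = new URL(pageUrl).hostname;
    const resourceHost = new URL(resourceUrl).hostname;
    // Only resources from a different domain than the page are counted.
    if (pageHost === resourceHost) return "allow";

    let sites = this.seenOn.get(resourceUrl);
    if (!sites) {
      sites = new Set();
      this.seenOn.set(resourceUrl, sites);
    }
    // Already referenced by more than `threshold` distinct sites: block.
    if (sites.size > this.threshold) return "block";
    sites.add(pageHost);
    return "allow";
  }
}

// Load the same third-party resource from `siteCount` distinct constructed
// sites and return the decision made for each request, in order.
function simulate(resourceUrl, siteCount) {
  const filter = new ThirdPartyFilter();
  const decisions = [];
  for (let i = 1; i <= siteCount; i++) {
    decisions.push(filter.request(`https://site${i}.example/`, resourceUrl));
  }
  return decisions;
}

// The rule sees only usage counts, so both resources get identical treatment.
const tracker = simulate("https://ads.example/track.js", 12);
const library = simulate("https://cdn.example/jquery.min.js", 12);
console.log(tracker[11], library[11]);
```

The filter has no input other than how many sites reference a URL, so distinguishing the two cases would take an external allow or block list, which is what the unshipped subscription feature would have supplied.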


Microsoft to release fix for Windows Shortcut flaw on Monday

Written by Akuma Friday, 30 July 2010 16:33

Microsoft has announced plans to release an out-of-band update on Monday to address the Windows Shortcut flaw revealed less than two weeks ago. The software giant has been keeping a close watch on the use of .LNK files exploiting the vulnerability and has concluded that it needs to act faster than usual.

Microsoft typically releases security patches on the second Tuesday of each month, with the next slated for August 10. Redmond is releasing this fix eight days early, at approximately 1PM EDT Monday. All currently supported versions of Windows are vulnerable, including Windows 7, so the majority of Windows users should be receiving this patch.

There have been multiple malware families that have picked up the .LNK attack vector, including a highly virulent strain named Sality.AT. Not only is Sality a very large family, but it is known to infect other files (making full removal after infection challenging), copy itself to removable media, disable security, and then download other malware. Microsoft has seen an increase in attack attempts as well as a change in the geolocation of the attack attempts across the systems it protects. In short, this new attack vector is becoming more widespread. The security team at the company believes more families will continue to pick up the technique, leading it to get the patch out as soon as possible.


Internet Explorer 9 beta to arrive in September

Written by Akuma Thursday, 29 July 2010 14:04

Microsoft Chief Operating Officer Kevin Turner revealed today at the company's annual financial analyst meeting that the first beta of the Internet Explorer 9 Web browser is planned for release in September. This is a little later than expected; leaked documents that emerged last month pointed at an August release date for the beta.

Some apparently authentic screenshots of Internet Explorer 9 have leaked, though perhaps surprisingly, they show few changes from the current version. Microsoft has shipped three platform previews to show off the Internet Explorer 9 engine, but these previews used a simple, bare-bones interface; the company wanted to wait before revealing Internet Explorer 9's look and feel. If the new browser really is just a minor evolution of the old browser's interface, that decision seems a little peculiar.

The new browser is eagerly anticipated, especially by Web developers; Internet Explorer 9 is a big improvement on Internet Explorer 8, with considerably improved standards compliance and functionality. News of the beta is certainly welcome, but there's still a marked contrast between Microsoft's release policy and the more frequent updates of browsers like Firefox and Chrome. For all of its improvements, there's a good chance that Microsoft's browser will have been surpassed by its competition by the time it finally ships.

No release date has been announced, but most believe that the final version will not arrive until 2011.


Windows 7 trounces Windows XP at green computing

Written by Akuma Thursday, 29 July 2010 11:37

Mindteck, a company that offers embedded software development and consultancy services, has released power consumption data after testing sleep, idle, low-use, and high-use scenarios of various Windows PCs. The researchers also built a model to estimate cost savings (pictured above) by using a centralized power management policy. What really piqued our interest, though, was that Mindteck looked at the effect of processor chipset drivers on the power consumption (in watts) of Windows XP and Windows 7 with varying driver configurations and older hardware:

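Power consumption (watts) and percent improvement of Windows 7 over Windows XP

| PC configuration | XP idle | XP low | XP high | Win 7 idle | Win 7 low | Win 7 high | Idle improvement (%) | Low improvement (%) | High improvement (%) |
|---|---|---|---|---|---|---|---|---|---|
| P4, updated drivers | 64.2 | 69.7 | 89.8 | 57.3 | 66.1 | 79.4 | 10.75 | 5.16 | 11.58 |
| P4, out-of-box | 64.2 | 68.7 | 106.2 | 57.3 | 66.1 | 79.4 | 10.75 | 3.78 | 25.24 |
| High-end, updated drivers | 47.2 | 48.0 | 67.7 | 45.2 | 49.1 | 66.8 | 4.14 | 2.29 | 1.33 |
| High-end, out-of-box | 50.5 | 54.3 | 78.0 | 45.2 | 49.1 | 66.8 | 10.50 | 9.54 | 14.36 |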

As you can see, the results favor Windows 7 in every single scenario. The out-of-box differences are particularly high. For Windows 7, the consumption levels are actually the same as with the updated drivers—this means that Windows 7 is taking care of the chipset drivers, even on older hardware. The same cannot be said for Windows XP, and even with updated drivers (obtained manually), it still performs worse than Windows 7.

The whitepaper actually focuses on explaining how to "maximize the impact of effective power management with Windows 7," but the comparison to Windows XP was included in the appendix. Mindteck Smart Energy analysts quantified power consumption on five basic hardware platforms: a high-end desktop such as those used in engineering design or media processing, both a business desktop and business laptop, a Pentium 4 class business desktop to investigate prior-generation hardware, and a netbook. If you've already rolled out Windows 7 in your company, or are planning to, the 11-page report should help your CIOs and IT managers alike learn about leveraging Windows 7 to implement a comprehensive power management strategy. Check it out at the link below.


Apple the new world leader in software insecurity

Written by Akuma Wednesday, 21 July 2010 17:29

Apple has displaced Oracle as the company with the most security vulnerabilities in its software, according to security company Secunia. Over the first half of 2010, Apple had more reported flaws than any other vendor. Microsoft retains its third-place spot. Secunia has tracked security vulnerabilities and issued advisories since 2002, producing periodic reports on the state of software. Together, the top ten vendors account for some 38% of all flaws reported.

Though this does not mean that Apple's software is the most insecure—the report takes no consideration of the severity of the flaws—it points at a growing trend in the world of security flaws: the role of third-party software. Many of Apple's flaws are not in its operating system, Mac OS X, but rather in software like Safari, QuickTime, and iTunes. Vendors like Adobe (with Flash and Adobe Reader) and Oracle (with Java) are similarly responsible for many of the flaws being reported.

To illustrate this point, the report includes cumulative figures for the number of vulnerabilities found on a Windows PC with the 50 most widely-used programs. Five years ago, there were more first-party flaws (in Windows and Microsoft's other software) than third-party. Since about 2007, the balance shifted towards third-party programs. This year, third-party flaws are predicted to outnumber first-party flaws by two-to-one.

Secunia also makes a case that effectively updating this third-party software is much harder to do; whereas Microsoft's Windows Update and Microsoft Update systems will provide protection for around 35% of reported vulnerabilities, patching the remainder requires the use of 13 or more updating systems. Some vendors—Adobe, Mozilla, and Google, for example—do have decent automatic update systems, but others require manual intervention by the user.


New beta of Microsoft Security Essentials released with network protection

Written by Akuma Tuesday, 20 July 2010 19:00

Microsoft has today both announced and released a beta version of its free Security Essentials anti-malware software. The new version of the lightweight anti-virus, anti-spyware software includes more protection against network-based attacks.

The network protection has two parts. Microsoft Security Essentials now integrates with Internet Explorer to better protect against web-based threats. This allows the program to prevent malicious scripts from running. The current version can detect such scripts when they get written to Internet Explorer's cache, but that may be too late to protect the user.

For users of Windows Vista and Windows 7, the new Security Essentials provides protection against network exploits, by inspecting network traffic and blocking any suspicious connectivity. This feature isn't available for Windows XP, as it depends on the Windows Filtering Platform facility that was introduced with Windows Vista. Windows Filtering Platform allows programs to plug themselves into the networking subsystem and monitor any network traffic in a robust, high performance way. This provides protection above and beyond that offered by the Windows Firewall (which the new version of Security Essentials offers to enable during installation), as it can guard against attacks made on software that's allowed through the firewall.

The beta is available on a first-come, first-served basis on Microsoft Connect; the beta program only has a limited number of places. Microsoft claims that the beta is only available to customers in the US, Israel, Brazil, and China; nonetheless, it successfully downloaded and installed for me, based in the UK. Future updates will be delivered through Microsoft Update.

Microsoft Security Essentials has already become popular thanks to its low resource usage and discreet interface. This network-based monitoring represents a significant broadening of the Security Essentials' scope. By guarding against network attacks in addition to malware, the program is becoming something of a must-have for Windows users.


Microsoft gives Adobe Reader a Protected Mode

Written by Akuma Tuesday, 20 July 2010 17:19

Microsoft has been helping Adobe develop a sandbox similar to the Protected View in Office 2010. Adobe Reader Protected Mode, a sandboxing technology based on Microsoft's Practical Windows Sandboxing technique, is a new mitigation feature scheduled for the next major version release of Adobe Reader. In addition to working with the Microsoft Office security team, Adobe also learned from the Google Chrome team as well as third-party consultancies and other external groups that have sandboxing knowledge and experience.

Adobe Reader Protected Mode will be enabled by default and will ensure that all operations required to display a PDF file to the user are run in a restricted manner inside a sandbox. Actions not permitted in the sandboxed environment, such as writing to the user's temporary folder or launching an attachment inside a PDF file using an external application, are funneled through a "broker process," which has a strict set of policies for what is allowed and what is not. This first release will sandbox all "write" calls, mitigating the risk of exploits that seek to install malware on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. In future releases of Adobe Reader, the company hopes to extend the sandbox to include read-only activities to protect against attackers seeking to read sensitive information from the user's computer.

Adobe's products are almost as ubiquitous as Microsoft's, and since Microsoft has been taking security much more seriously ever since Windows XP SP2, it made sense for cybercriminals to target software which had so many vulnerabilities waiting to be discovered. Last year, Adobe Reader took the crown away from Microsoft Office as the software with the most vulnerabilities. Brad Arkin, Senior Director of Product Security & Privacy for Adobe Systems, announced in May 2009 that a major Adobe Reader and Acrobat security initiative was underway: code hardening, incident response process improvements, and a shift to a regular security update schedule.

Microsoft's and Adobe's products compete on many fronts, but it makes sense for Redmond to help its partners in the area of security. The sandboxing approaches that Microsoft has pioneered in Office, including the sandbox for its search subsystem, the MOICE sandbox, and Protected View, are there to improve the overall state of security on Windows. The progress in security made by the Office team can thus be extended to other third-party applications for Windows, protecting the customers that Microsoft has in common with its partners.


New Windows Shortcut zero-day exploit confirmed

Written by Akuma Monday, 19 July 2010 07:53

Reports have been circulating for a few weeks about a new attack being targeted at certain Windows users that used USB memory sticks to propagate. More details have now emerged, including confirmation from Microsoft that a new flaw exists and is being exploited.

The attack uses specially crafted shortcut (.lnk) files, which trick Windows into running code of an attacker's choosing. Any Windows application that tries to display the shortcut's icon—including Explorer—will cause exploitation, so even the mere act of browsing a directory with the malicious shortcuts is sufficient for a system to be exploited. Analysis suggests that the shortcuts are not improperly formed; rather they depend on a flaw in the way that Windows handles shortcuts to Control Panel icons.


