Tech News Update

Wednesday, May 03, 2006

Firefox gets a fresh security update

Mozilla has issued a security update for its Firefox open-source browser, just weeks after it released a large fix to address several browser security flaws.

The Firefox 1.5.0.3 update is designed to address vulnerabilities in versions 1.5 through 1.5.0.2.
Malicious attackers could exploit the flaws to cause a denial-of-service attack, which in turn may allow them to take remote control of a user's system, according to an alert from security research company Secunia, which rates the flaw as "highly critical."

The flaws may be exploited when people attempt to engage a deleted component with designMode turned on. While this typically will crash the browser, it could also result in an attacker running malicious code, according to a Mozilla security advisory. Mozilla oversees the development of the Firefox browser.

The organization said it released the 1.5.0.3 version early to tackle the security issue. As a result, plans for a larger update will be bumped to version 1.8.0.4.

The latest security release follows one issued in mid-April. The 1.5.0.2 version was designed to address seven vulnerabilities, five of which were "critical" and could allow a malicious attacker to run code with virtually no user interaction.

Thursday, March 23, 2006

Clouds over Redmond

The latest delay for Windows Vista highlights a mounting challenge for Microsoft--finding a way to update its most important product on any kind of reasonable schedule.

With all the setbacks, it will be more than five years between Windows XP and Windows Vista. And for even that delivery schedule, Microsoft had to scale back many of the major advances that were planned for the new operating system.

Although Windows has largely maintained its dominant share of the operating system market, the software maker's inability to regularly update the product poses a growing risk to its cash cow.

"Microsoft is going to be feeling more pressure, especially as applications get to be more OS-agnostic," or not tied to a particular operating system, Gartner analyst Michael Silver said.
Microsoft has long spoken out about its need to be constantly innovating, with executives pointing to the fate that bedeviled IBM in the 1970s and 1980s, when it became seen as a lumbering giant in a field of nimbler and more agile competitors.

"I've been around IBM, and I saw how IBM overdid it," Steve Ballmer said in a 2003 interview with The Seattle Times. In that interview, the Microsoft CEO described the opportunities that IBM's slowed pace created for Microsoft when the PC came around, and talked about Microsoft's need to avoid that fate. "Maybe we will, maybe we won't--but we have strategy control, we have technology control, we've got financial control," he said.

Of course, recognizing the dangers and being able to escape the same fate are two different things.

One of the key problems is that the two halves of creating a new OS--programming and testing--are both getting longer to accomplish. On the development side, Microsoft has spent years re-architecting its software development practices in order to boost security, and such rigor also takes time. On top of that, the time spent testing new code has increased, although automated tools have helped some. Chairman Bill Gates noted on Tuesday that as many as half of the worker-hours put into Vista have gone into testing.

Microsoft also faces the challenge of trying to support all of the hundreds of millions of Windows machines out there. The company frequently takes pride in showing off how its latest and greatest operating system can run even the oldest applications.

"We are very backwards-compatible people," Gates said at an Office developer conference this week.

Apple Computer, which has taken a very different approach, has not been afraid to cut support for older Mac machines and software in its efforts to modernize its operating system. The results are a narrower security footprint and a much smaller number of types of systems against which to test.

Michael Cherry, a Directions on Microsoft analyst, said that although Microsoft is in a somewhat different situation, it can take lessons from Apple. The Mac seller took a one-time hit when it made major architectural changes with OS X and since then has focused on more modest, but noticeable, feature enhancements.

"There haven't been huge, massive changes," Cherry said. "But people have looked at them and said, 'Nice job. Let's buy it.'"

Cherry said that Microsoft shouldn't need to make significant changes to most of the underlying architecture of Windows at this point--only occasional upgrades should be needed, to add things such as new networking protocols. "Everything else should be about putting fancy sinks on top of the plumbing," Cherry said.

With Vista, Microsoft originally hoped to make major changes to the underlying code, adding in a new file storage mechanism called WinFS, along with all-new graphics and communications methods. It eventually had to pull out WinFS entirely and scale back several other architectural changes in order to make the project more manageable.

In the future, Microsoft may well look to focus more energy in interim releases on updating some of the companion programs that are part of Windows, as opposed to the core operating system code. Gates talked on Monday of the need, for example, to update Internet Explorer more often.

But Cherry said it's more than just a different approach that is needed.

Wednesday, March 15, 2006

Got Wireless Security?

GetNetWise and Symantec team up to offer a wireless security primer.

You've got a wireless network. You can use your computer anywhere in your house. But your neighbors may be benefiting too. If your network is not secured, they can "borrow" Internet access from you--no need to pay for their own. No harm, no foul, right?

Not exactly, say Symantec and the Internet Education Foundation, a nonprofit organization.

Symantec and the IEF have joined forces to help educate people about the risks of leaving their wireless devices unsecured. Hackers searching for financial information, business records, or sensitive e-mail can enter into your open network as easily as if you left your personal and business files at the curbside, they say. They have created a new public awareness campaign to educate people about these dangers, and to provide tips on how you can protect your personal files from hackers.

The Wireless Security Initiative is aimed at the 56 million Americans who use wireless technology. The WSI site offers tips for encrypting networks and provides step-by-step flash video tutorials, says Tim Lordan, executive director of the Internet Education Foundation.

"Wireless technology is becoming a fabric of our daily lives," Lordan says. "We want to be on the forefront of making sure that everyone's wireless devices, whether it be a smart phone, PDA or laptop, are protected and secure."

Widespread Problem

Symantec Vice President Sarah Hicks says the company recently found that nearly 50 percent of wireless users in Houston, Los Angeles, New York, and Chicago "leave their doors wide open." Researchers drove through neighborhoods with a wireless-enabled laptop and discovered thousands of unsecured networks.

Hicks said the problem is not confined to notebooks: 60 percent of consumers keep confidential business or client data on handheld devices.

Representative Mike Honda (D-Calif.) lauds the new initiative and says it will bring an increased sense of security to consumers.

"We need to ensure that consumers feel comfortable with the security of their wireless connections before we can expect to see the sort of saturation of wireless technologies and mobile productivity that is commonplace in Asia. Our counterparts overseas are surging ahead," Honda says.

Thursday, March 02, 2006

Teenager Claims to Find Flaw in Gmail

Blogger says he has discovered a flaw in Google's e-mail service that allows JavaScript to run.

A teenage blogger claims to have discovered a flaw in Google's Gmail service that allows JavaScript to run, potentially allowing a malicious hacker to gather e-mail addresses or compromise an account.

The supposed flaw may already have been fixed, however.

The teenager identifies himself in his blog as a 14-year-old named Anthony. His entry about Gmail is available online.

Getting the Message

He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a Gmail account. The code will run in a preview pane, he wrote.

But if the code is mailed from one Gmail account to another, it is filtered out, he said.

Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed.

Google representatives in London could not immediately comment, saying the report would be forwarded to their technical staff.
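The behaviour described in this item, script inside an HTML message running when a webmail client renders it in a preview pane, is the textbook case for sanitising untrusted HTML before display, and doing so for every message regardless of which provider it came from. The following Python script is an added example, not code from the original post and not Gmail's own filter. It builds a small allow-list sanitiser on the standard library's HTMLParser: elements that load or carry active content are dropped with their contents, event-handler and style attributes are removed, URL attributes are kept only for http, https, mailto or relative targets, and an audit list records what was stripped. The sample message body is constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Elements that can carry or load active content; dropped together with their contents.
DROP_ELEMENTS = {"script", "style", "iframe", "object", "embed", "applet", "form",
                 "meta", "link", "base"}
# Of those, the ones that never have a closing tag (so no nesting depth to track).
DROP_VOID = {"meta", "link", "base"}
# Ordinary void elements that must not get a synthetic closing tag on output.
VOID_ELEMENTS = {"br", "hr", "img", "input"}
# Attributes whose value is a URL; only these schemes (or relative URLs) survive.
URL_ATTRS = {"href", "src", "action", "background"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Allow-list check on a URL's scheme.

    Whitespace and control characters are removed first, because browsers ignore
    them inside a scheme, so a deny-list substring match on "javascript:" would
    miss "java\\nscript:". Anything without a scheme is a relative URL and is kept.
    """
    v = "".join(ch for ch in value if ch > " ").lower()
    for ch in v:
        if ch == ":":
            return v.split(":", 1)[0] in ALLOWED_SCHEMES
        if ch in "/?#":
            return True  # path, query or fragment reached before any scheme
    return True  # e.g. "report.pdf": no scheme at all


class MailSanitizer(HTMLParser):
    """Rebuilds an HTML mail body, keeping only inert markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitised fragments, joined at the end
        self.removed = []     # audit trail of what was stripped
        self._drop_depth = 0  # > 0 while inside a dropped element's content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.removed.append(f"<{tag}>")
            if tag not in DROP_VOID:
                self._drop_depth += 1
            return
        if self._drop_depth:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name == "style":
                # on* attributes are event handlers; style could run script in legacy engines
                self.removed.append(f"{tag}[{name}]")
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.removed.append(f"{tag}[{name}]")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            if tag not in DROP_VOID and self._drop_depth:
                self._drop_depth -= 1
            return
        if self._drop_depth or tag in VOID_ELEMENTS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs=True already decoded entities, so re-escape before output
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments (including IE conditional comments) and declarations are never emitted,
    # because the base class handlers for them do nothing and we do not override them.


def sanitize_mail_html(markup):
    """Return (clean_html, removed_items) for an untrusted HTML mail body."""
    parser = MailSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample message body for the demonstration; not a real mail.
SAMPLE_MAIL = (
    '<p>Hi, see the <a href="http://example.com/report">report</a>.</p>'
    "<script>alert(1)</script>"
    '<img src="x" onerror="alert(2)">'
    '<a href="JavaScript:alert(3)">x</a>'
    "<b>bold &amp; safe</b>"
)

if __name__ == "__main__":
    clean, removed = sanitize_mail_html(SAMPLE_MAIL)
    print(clean)
    print("stripped:", removed)
```

The design point is the allow-list: the sanitiser decides what may stay (a handful of schemes, attributes that are not handlers) rather than trying to enumerate every way script can be smuggled in, which is how case and whitespace tricks slip past substring filters. A production webmail client would use a maintained sanitiser library with a full element allow-list on top of this logic, and would apply it to every message before the preview pane renders it.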

Wednesday, March 01, 2006

Republicans tout high-tech agenda

WASHINGTON--Republican leaders from the U.S. House of Representatives on Wednesday promoted a series of policy proposals they hope will keep the nation's already-flourishing tech industry dominant in the future.

"Competitiveness" was the buzzword at a press conference in the basement of the U.S. Capitol, where House Speaker Dennis Hastert and 10 House leaders from the Republican High-Tech Working Group talked up a wide-ranging agenda tied closely to goals outlined by President Bush in his State of the Union speech last month.

"In short, America needs an education system that produces the finest students in the world, who enter an economy that is not hampered by regulatory red tape, frivolous lawsuits and an anticompetitive tax structure," Hastert said.

Rep. Bob Goodlatte of Virginia and Rep. Lamar Smith of Texas said they planned to introduce later on Wednesday a broad legislative package called the Innovation and Competitiveness Act, which includes several components that enjoy support from tech players.

A copy of that bill was not readily available. A summary sheet suggested the measure would aim at promoting research and development, increasing investment in math and science education, and eliminating "cumbersome regulations" and "stifling taxation" for technology companies. It would also include a section aimed at cutting back on so-called frivolous lawsuits of all sorts and proposals designed to create incentives for digitizing the health care system.

Leaders at the press conference repeatedly thanked the technology industry for its massive contributions to the economy--45 percent of the nation's gross domestic product, by one congressman's estimate--and painted the new legislative steps as a top priority.

The Republicans' take on policy overlaps in some ways with the "innovation agenda" announced by House Democrats, but, as usual, an ideological split remains. House Democratic Leader Nancy Pelosi said Wednesday that her party was committed to working with Republicans but belittled their proposal, saying Democrats "are committed to doing much more."

"It proposes nothing to bridge the digital divide through access to broadband," Pelosi said in a statement distributed to reporters at the Republicans' press conference. "It fails to propose any new ideas to achieve American energy independence." The Democrats' agenda, among other things, calls for incentives intended to bring broadband to all Americans and for increased investment in alternative energy sources.

At the time the Democrats' agenda was released, Hastert issued a statement accusing Democrats of voting against legislation considered important to tech interests.

Tech industry representatives have commended the efforts from both sides and indicated they don't care which party takes the lead, as long as someone is listening and poised to set industry priorities into law.

"Our message to the president and Congress is simple--let's work together to get a program done this year," said Ralph Hellman, president of the Information Technology Industry Council, whose members include Apple, Cisco, Dell, eBay, IBM, Intel and Microsoft.

Thursday, February 23, 2006

Bye-bye, BlackBerry?

A federal court hearing scheduled for Friday that could lead to the shutdown of BlackBerry devices throughout the United States is forcing longtime BlackBerry users to think about life without their mobile gadgets.

On Capitol Hill, where "CrackBerry" addiction is rampant, some thumb-typists are even expressing their anxiety in poetry. "'Freedom!' will the joyful say, Released from slavery today! Yet others'll suffer horrid angst if their little screens go blank," Larry Neal, deputy staff director for communications at the U.S. House of Representatives' Energy and Commerce Committee, wrote in an 18-line poem.

Tongue-in-cheek poetry aside, to millions of BlackBerry users, there's nothing funny about Friday's court hearing, which could draw to an end one aspect of the long-running patent spat between Ontario-based Research In Motion and Virginia-based patent-holding firm NTP.
At the hearing in U.S. District Judge James Spencer's Richmond, Va., courtroom, lawyers for NTP, RIM and the federal government will argue over whether to issue an injunction on the sale and support of the wireless devices on American turf, as well as the amount of damages due to NTP from RIM.

Spencer's ruling could come as early as Friday afternoon, but it's more likely to be handed down early next week. NTP has already said it will wait 30 days before shutting down the service, though it's not clear if that grace period starts on Friday or the day the decision is made public.

NTP in 2002 won a jury verdict that found that BlackBerry devices and software infringed on patents held by the late Thomas Campana, co-founder of the holding company. An injunction later arrived with that victory, but it was stayed and the damages were put in escrow pending the appeals process, which ended at the Supreme Court's door earlier this year. Given that the fundamental question of infringement has withstood the appeals process, NTP will ask for another injunction during Friday's hearing.

"I'm shocked that RIM hasn't settled," said Gary Abelev, a patent attorney with the New York law firm Dorsey & Whitney. The company had the opportunity to settle the case for $450 million last year, but that deal fell through. An injunction would prevent the sale of RIM's primary source of revenue in its largest market, effectively crippling the company.

RIM's answer to a possible injunction is a so-called workaround. The company earlier this month revealed sketchy details of the software-based workaround it says will be made available for download if an injunction occurs.

NTP is likely to argue that the workaround violates the same claims in the patents, and numerous hearings will probably follow, Abelev said. If the workaround is declared invalid, RIM is back to square one with nothing to show for millions in legal fees, he said.

RIM's other hope is that the U.S. Patent and Trademark Office strikes down all of NTP's patents. The BlackBerry received a boost Wednesday when the USPTO issued a final rejection of one of the five patents in question, but NTP can appeal that decision through several more avenues, extending the case even further.

Watching and waiting

On Capitol Hill, all 100 senators, 435 House members and myriad staffers tote BlackBerrys. "It might be a nice change," said one Senate aide, who asked to remain anonymous. "Instead of looking at my BlackBerry the first thing in the morning, I might actually be able to take a shower without work on my mind."

Lawyers at the Los Angeles law firm Allen & Matkins are less amused at the prospect of losing their BlackBerrys. The firm's chief technology officer, Frank Gillman, is counting on RIM's workaround to keep his legal team in contact with clients, he said in an e-mail interview.

Tuesday, February 21, 2006

Google admits Desktop security risk

Businesses have been warned by research company Gartner that the latest Google Desktop Beta has an "unacceptable security risk," and Google agrees.

On Feb. 9, Google unveiled Google Desktop 3, a free, downloadable program that includes an option to let users search across multiple computers for files. To do that, the application automatically stores copies of files, for up to a month, on Google servers. From there, copies are transferred to the user's other computers for archiving. The data is encrypted in transmission and while stored on Google servers.
The risk to enterprises, according to Gartner, lies in how this shared information is pooled by Google. The data is transferred to a remote server, where it is stored and can then be shared between users for up to 30 days.

Gartner said in a report on Thursday that the "mere transport (of data) outside the enterprise will represent an unacceptable security risk to many enterprises," as intellectual property could be transported out of the business.

Google said that it recognized the risk, and recommended that companies take action. "We recognize that this is a big issue for enterprise. Yes, it's a risk, and we understand that businesses may be concerned," said Andy Ku, European marketing manager for Google.
Google confirmed that data was temporarily transported outside of businesses when the Search Across Computers feature was used, and that this represented "as much of a security risk as e-mail does."

"Theoretically any intellectual property can be transferred outside of a company," Ku said. "We understand that there are a lot of security concerns about the Search Across Computers feature, but Google won't hold information unless the user or enterprise opts in (to the feature)."

Google said that security was the concern of individual businesses. "The burden falls on enterprises to look after security issues," Ku said. "Companies can disable the Search Across Computers facility."

Gartner said that sensitive documents may be inadvertently shared by workers, who may not have specialist knowledge of regulatory or security restrictions.

Google said it was unable to comment on the risks posed when individuals share sensitive information. "Some users may, and some users may not be able to," said Ku, adding that companies should follow their own policies.

"At the end of the day, each company should make its own decision. If they are uncomfortable, they shouldn't enable the feature," Ku said. "It's about what a company deems to be best corporate policy."

Gartner has recommended that businesses use Google Desktop for Enterprise, as this allows systems administrators to centrally turn off the Search Across Computers feature, which it said should be "immediately disabled."

Companies "must also evaluate what they are allowing to be indexed, and whether they are comfortable that they can adequately bar the sharing of data with Google's servers," said Gartner.

Google agreed that Google Desktop Enterprise would better mitigate security risks. "If you're given a choice, choose Enterprise," said Ku.

Friday, February 17, 2006

Attack code out for latest Microsoft flaw

Two examples of computer code that exploit a flaw in Windows Media Player have become available only days after Microsoft released a patch to fix the bug.

The "proof-of-concept" exploits that take advantage of a flaw in the media player were posted on the Web over the past couple of days. The flaw, rated "critical" by Microsoft, could enable an attacker to seize control of a vulnerable computer system.

The appearance of proof-of-concept code is usually a sign that actual attacks are not far off. Microsoft, when it released its patch Tuesday, urged users to upgrade their systems as soon as possible.

Microsoft recently issued patch MS06-005 as part of its monthly security update. The vulnerability in Windows Media Player can compromise a system through malicious images embedded in the player.

Versions of Windows Media Player affected by the bug include 7.1 through 10. The vulnerability was also tagged as "critical" by the French Security Incident Response Team, or FrSIRT, a research outfit that published one of the two exploits.

Microsoft announced the release of seven fixes on Tuesday, including a "critical" patch for a Windows Meta File vulnerability in Internet Explorer. It exists only in IE 5.01 with Service Pack 4 on Windows 2000 and IE 5.5 with Service Pack 2 on Windows ME, Microsoft said in the security advisory.