Finding the fun in security vulnerabilities since 1996...

How to Secure Windows: Make Microsoft Liable for Vulnerabilities
   This year isn't the first time this subject has come up, but in the wake of this summer's mind-numbing Windows worms and viruses, many analysts and reporters are again asking whether Microsoft should be held liable for security vulnerabilities. Let me recast the question to "when" rather than "whether": Clearly, someone needs to jump-start the company into taking security problems seriously. I'm tired of hearing about how much Microsoft cares about its customers, how concerned it is about security, and how hard it's working to fix the problems. Actions speak louder than words, and the company's continued reluctance to do right by its customers is frustrating. Take, for example, Microsoft's insistence on releasing Windows XP Service Pack 2 (SP2) sometime next year or its refusal to add free antivirus capabilities to Windows--both of which would dramatically help its customers. Again and again, I'm struck by the dichotomy between what Microsoft says and what it does. Maybe a draconian solution such as federal oversight is the answer, as much as the very thought sends a shiver down my spine. Windows and its associated software services are as important to the national infrastructure now as telecommunications, power, and the airlines are, right? "It's crazy that Firestone can produce this tire with a systemic flaw and they're liable, whereas Microsoft produces an operating system with two systemic flaws per week and they're not liable," Bruce Schneier, chief technical officer at Counterpane Internet Security, told the "Seattle Post-Intelligencer" this week. Yeah, it is crazy.

Linux Still Less Secure Than Windows
   On the flip side of the coin, I should point out that Linux still suffers from far more security bugs and other vulnerabilities than Windows does. Researchers at mi2g Intelligence Unit, which has been tracking and verifying computer-based vulnerabilities since 1995, say that in August 67 percent of all successful and verifiable attacks against servers targeted Linux, compared with just 23.2 percent that targeted Windows--and August was the month during which SoBig.F and MSBlaster hit. Furthermore, 12,892 e-business sites running Linux were successfully breached during that month, compared with just 4626 sites running Windows. Windows vulnerabilities get more press because more people run Windows on the desktop, so any Windows-based worms or viruses will generally affect a far larger group of individuals. But anyone who thinks that jumping to Linux is a cure-all should think again. Even if you don't consider the usage numbers, everyone's favorite open-source poster boy is still a huge target for attackers.

Microsoft Preps Security Rollup for Windows XP
   It's the least Microsoft can do. Literally. This week, Microsoft alerted a small group of beta testers that this fall, the company will give XP and XP SP1 users an interim update that includes every critical bug fix for the system in a convenient, one-installation package. According to the company, the Update Rollup 1 for Microsoft Windows XP will include 22 previously released critical and security updates and will come in two versions--Full and Express, the latter of which will include just those bug fixes that Microsoft has released since XP SP1 appeared last fall. The testing time for the Update Rollup is short, suggesting that Microsoft will release it publicly in October or November. But the company is missing the point with this release: We need SP2 because downloading these fixes is too time-consuming for most consumers, especially those who use dial-up connections. A single huge download isn't that much easier or faster to install than using Windows Update to install a lot of individual downloads. Customers need these fixes and all other XP updates preinstalled on new PC systems, out of the box. This update package addresses only part of the problem.

IE Patent-Infringement Case Heats Up
   Microsoft is quietly telling developers to expect big changes in the underlying structure of Microsoft Internet Explorer (IE), thanks to the company's failing fortunes in an obscure patent-infringement case. Last week, a judge ruled that a company called Eolas Technologies, which is suing Microsoft, didn't misrepresent the facts in the case, which is bad news for the software giant because Eolas claims that Microsoft stole its Web browser technology. This case could eventually affect every Web browser on the planet because Eolas apparently owns patents related to Web browser plug-ins, which IE uses to communicate and interact with other applications and services on users' systems. In IE, Eolas's patents cover crucial subsystems such as scripting language support and Windows Media Player (WMP) interoperability, as well as popular add-ons such as Macromedia Flash, Java, and Adobe Reader, so if and when Microsoft loses the case (a decision is expected within 60 days), the company might have to make big changes. Short term, this scenario will be a problem because IE is the dominant Web browser, and many sites might have to change the way they display content to serve IE users. Long term, browsers from Apple Computer, Mozilla.org, Opera, and other organizations would also need to be changed if Eolas goes after them as well.

Securing Windows, Step One: Stop Using IE
   Speaking of IE, if you're looking for a way to better secure Windows, you could start by not using the number-one entry point for system vulnerabilities. If a buggier piece of software exists, I haven't seen it. (And on a related note, why would I want to "debug" a Web page that has errors--a common dialog in IE?) Just this week, Microsoft issued fixes for multiple vulnerabilities in IE 6.0, IE 5.5, and IE 5.01. The company says that some of these vulnerabilities "could expose sensitive information to others that may lead to the execution of arbitrary code." The bad news? No patch exists for these problems, so Microsoft simply advises that users disable Active Scripting. Sigh. If you're looking for a better solution, I recommend the Mozilla 1.4 browser suite or, even better, Mozilla Firebird 0.6, the standalone Web browser from the Mozilla Foundation. I've been using a variation of Mozilla for several months now (I currently use Firebird), and it's rock solid. You can even make the browser look like IE if you want to. For more information and free downloads, visit the Mozilla Foundation Web site.
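One way to check, and if wanted apply, the "disable Active Scripting" workaround the item above mentions, as an added example that is not from the newsletter or from Microsoft. It assumes the documented IE security-zone registry layout (zone key 3 = Internet zone, value name 1400 = Active scripting, data 0 = Enable, 1 = Prompt, 3 = Disable) and the per-user HKCU location; the function names are my own.

```powershell
# Assumed registry layout (documented IE zone settings): zone 3 = Internet,
# value "1400" = Active scripting, data 0 = Enable, 1 = Prompt, 3 = Disable.
# Per-user setting under HKCU; machine-wide policy keys under HKLM are not covered here.
$ZonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueName = '1400'
$Labels    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Report the current Internet-zone Active Scripting state as a readable label.
function Get-ActiveScriptingState {
    $item = Get-ItemProperty -Path $ZonePath -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.$ValueName) {
        return 'NotSet (zone default applies, normally Enabled)'
    }
    $data = [int]$item.$ValueName
    if ($Labels.ContainsKey($data)) { return $Labels[$data] }
    return "Unknown ($data)"
}

# Apply the workaround: set Active scripting to Disable (3) for the Internet zone,
# recording the previous state so the change can be reverted if needed sites break.
function Set-ActiveScriptingDisabled {
    $before = Get-ActiveScriptingState
    New-ItemProperty -Path $ZonePath -Name $ValueName -PropertyType DWord -Value 3 -Force | Out-Null
    return "Active Scripting (Internet zone): $before -> $(Get-ActiveScriptingState)"
}

# Audit only by default; call Set-ActiveScriptingDisabled explicitly to change the setting.
"Active Scripting (Internet zone): $(Get-ActiveScriptingState)"
```

Sites in the Trusted or Local intranet zones (keys 2 and 1) keep their own 1400 value, so the check can be repeated per zone by changing the key number.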

Vienna Considers Replacing Windows with Linux
   The city government of Vienna, Austria, is considering phasing in 15,000 Linux desktops over time, replacing a massive Windows installation. The city says it will fully decide on Linux by mid-2007 but will switch over several hundred computers a year until then to see how the Linux migration works. If all goes well, the city will migrate all its desktops by mid-2007, according to the deputy head of the city's information technology unit. If the full migration takes place, Vienna will be the second such rebellion in Europe; earlier this year, Munich, Germany, announced a decision to migrate 14,000 desktops to Linux.

Threatened by Microsoft? Complain
   The states involved in Microsoft's antitrust case--what we might call the "settling states," or more succinctly, every state except Massachusetts--have created an online complaint form so that individuals and companies can report suspected violations of the final judgment against the company. According to the terms of its settlement, Microsoft can't retaliate against PC makers and software companies that offer products that compete with Microsoft, must strike uniform Windows licensing deals with all PC makers, and must share technical information with other companies so that they can create products that work as effectively with Windows as Microsoft's own products do. You can find the complaint form on the states' Web site.

Windows Everywhere? Try Windows Media Everywhere
   Back in the go-go days of the late 1990s, the mantra at Microsoft was "Windows Everywhere." Although the company might still be paying lip service to that slogan, I suspect that Windows Digital Media technology--and not Windows itself--will eventually be the most pervasive technology the company has ever delivered. Since Windows Media 9 Series debuted earlier this year, Microsoft has seen acceptance of its digital-media wares grow dramatically, with record numbers of portable and set-top devices supporting the Windows Media Audio (WMA) 9 and Windows Media Video (WMV) 9 formats, new digital-music download services adopting the technologies, and movie theaters using digital projection to display WMV 9-encoded movies. This week alone, Microsoft announced that it will present WMV 9 as a potential industry standard, and the company inked deals with several more consumer electronics makers and media companies to ensure that its Windows Digital Media technologies are spread even wider.

Office 2003 Coming Monday for MSDN, Volume Licensing Customers
   Although Microsoft Office 2003 won't be widely available until October 21, Microsoft Developer Network (MSDN) Universal customers and Microsoft volume licensing customers will be able to download the products beginning Monday, the company says. Originally, these customers were scheduled to get Office 2003 on October 1, but Microsoft bumped up the release to next week because of customer demand. PC makers will start shipping machines with Office 2003 preinstalled beginning in late September.

Apple Corps Finally Sues Apple over iPod, iTunes Music Store
   Apple Corps, the music company that oversees the Beatles' music, has finally sued Apple Computer over its music-oriented products and services, such as the iPod and the iTunes Music Store. Apple Corps previously sued Apple Computer in the early 1980s for its early work with digital music and won an estimated $50 million, along with a promise from Apple Computer that the company wouldn't attempt to enter the music business again. That ruling and Apple's highly public and successful forays into digital music during the past 2 years make me somewhat surprised that Apple Corps didn't sue sooner. "When it first happened with the iPod, we said, 'What could they be thinking?'" a Beatles legal insider reportedly said. "They knew we had the agreement, and that we'd won a lot of money from them already." I will say this: If you were wondering why Apple's music store is called iTunes and not the Apple Music Store, the company's previous flap with Apple Corps is obviously the reason.

Final Warning: Install the Patch
   Just a quick reminder about the new critical security fix I mentioned in yesterday's WinInfo Daily UPDATE: Download it. Now. Please. Seriously.