TECHBLOG.RANDTENTERPRISES.COM

MediaFox: A Firefox Build with Media on the Mind

2009-03-15T18:48:00Z

Windows only: If you're considering ditching your cable television altogether and partaking of the buffet of free media available online, you definitely want to check out MediaFox, a custom version of Firefox Portable.

Lifehacker reader Andrew Royce decided to stop paying for cable service and start using the web to get his television fix. He wanted a way to centralize his media experience and make the interface less like staring at his web browser and more like using a polished media client. Using a copy of Firefox Portable from PortableApps as his framework he dialed down the brightness and customized the appearance of Firefox with the Pitchdark theme. From there he added in various extensions to make his viewing more enjoyable like Autohide, which adds the handy fullscreen button to the toolbar, and FoxyTunes for controlling his music. Next to the button for Autohide is a quick launch button for Cooliris which displays videos and pictures in a cool cover-flow style scrolling wall. Andrew also tweaked Firefox to not launch common media formats in a separate player, but to keep everything within Firefox itself for a more streamline experience. Finally to actually keep track of all his favorite shows and media he created a custom bookmarks toolbar with links to the different television networks and their most popular shows. Check out the photos below for screenshots and closeups of his tweaks.

While all the pieces of Andrew's modification are publicly available and you could recreate the build with a few minutes of tinkering, he was courteous enough to create a virgin build with all the modifications ready for you to enjoy. Below is the a link to the build at Dropbox. If you have your own awesome tweaks or tricks for making internet-based media more enjoyable, sound off in the comments below. Thanks for sharing Andrew!

Windows 7 Beta Available "No ETA" on Product Keys"

2009-03-15T18:31:00Z

The 2.4GB Windows 7 public beta download is now ~~no longer~~ available from Microsoft, but the 2.5 million product keys Microsoft's promised are not yet being distributed.

Update, 5:30PST: Product keys are available, with many readers reporting success.

Update, 1:30PST: Computerworld reports that a Microsoft spokesperson said that the company is shoring up their servers to deal with the unexpectedly high demand for the Windows 7 Beta download.

The Microsoft spokeswoman did not know when users could expect to download the beta. "No ETA at this point," she said via a follow-up instant message.

The direct download links below DO WORK!

Update, 2:45PST: Thanks to Asian Angel, the direct download links have been updated to working versions below.

The direct download links to the disk image which you can burn, install, and run for 30 days are here:

What we're waiting on right now are the 2.5 million product keys Microsoft said they'd start handing out at noon today PST. Till that happens, you can get started on your download now using the links above. The beta (build 7000) will run just fine for 30 days without the key. Computerworld also reports that without an official Windows 7 product key, you can extend the trial from 30 to 120 days using the slmgr -rearm command.

If you're still hot to snag one of those 2.5M licenses, keep checking the Windows 7 beta page to get more info on key

How to Dual Boot Windows 7 with XP or Vista

2009-03-15T18:24:00Z

If you're dying to try out Windows 7 but aren't ready to give up your installation of XP or Vista, let's take a look at how to dual boot Windows 7 with XP or Vista.

Step 0: Download the Windows 7 Beta and Burn It to a DVD

Assuming you've already downloaded a fresh copy of Windows 7, you'll need to burn it to a DVD in order to do a fresh installation. To handle this task, grab a copy of the most popular CD and DVD burning tool ImgBurn, burn the ISO to a DVD, and move right along to step 1.

Step 1: Partition Your Hard Drive

Before you go installing Windows 7, the first thing you need to do is create a new partition on your hard drive to hold the new installation of Windows. Partitioning your hard drive will vary depending on whether you're running XP or Vista—namely because Vista has a partition tool baked in, XP does not.

Partition Your Hard Drive in XP

To partition your hard drive in Windows XP, you'll need to download some sort of third-party partitioning software. There are a lot of options available, but I prefer to stick with the previously mentioned GParted live CD, a free, open source boot CD that can handle all kinds of partitioning duties.

To use it, just download the GParted Live CD, burn it to a CD, then reboot your computer (booting from the disc). You'll boot right into the partitioning tool. HowtoForge's previous guide to modifying partitions with GParted is a great place to start, but it's a fairly basic procedure:

Resize your current OS drive to free up enough space for a Windows 7 partition (the minimum system requirements ask for 16G.
Create a new partition from the newly freed space.
Apply your changes.

Partition Your Hard Drive in Vista

The folks at Redmond were kind enough to include a disk partitioning tool in Vista if you know where to look. So go to Control Panel -> System and Maintainence (skip this one if you're in Classic view) -> Administrative Tools -> Computer Management. Once you launch the Computer Management tool, click on Disk Management under the Storage heading in the sidebar. It's partitioning time.

Luckily we've already gone down this road before in step-by-step detail, complete with pictures, so check out our previous guide to creating a new partition in Vista. In a nutshell, you'll need to shrink your current OS partition to free up at least 16GB of disk space (per the Windows 7 minimum system requirements), then create a "New Simple Volume" from the free space.

Step 2: Install Windows 7

Now that you've done all the heavy lifting, it's time for the easy part: Installing Windows 7 on your new partition. So insert your Windows 7 disc and reboot your computer (you'll need to have enabled booting from your DVD drive in your system BIOS, but most PCs will have this enabled by default).

Once the DVD boots up it's a simple matter of following along with the fairly simple installation wizard. When you're choosing installation type, be sure to select Custom (advanced) and choose the partition you set up above. (Be careful here. Choosing the wrong partition could mean wiping your other Windows installation altogether, so make sure you pick the new partition you just created.)

After you select the partition, go grab yourself a drink and let the installer do its work. Windows will run through some installation bits, restart a few times in the process. Eventually you'll be prompted to set up your account, enter your license key, and set up Windows. Keep your eyes open for fun new Windows 7 features, like your new homegroup (and the accompanying password). When it's finished, you're up and rolling with your new Windows 7 installation.

Congratulations! You should now have a new entry for Windows 7 on your boot screen when you first start up your computer. You've now got all the tools necessary to dual-boot Windows 7 and XP or Vista—or even to triple-boot Windows 7, Vista, and XP.

This isn't the only way to set up a multi-boot system by any means, but it's how I pulled it off. If you've got a method of your own that you prefer, let's hear it in the comments.

Technorati

2009-03-14T22:54:00Z

Tech Blog Is Now On Technorati

Blog Information Profile for RedSt

!

A sneak peek at the Windows 7 Release Candidate

2009-03-12T01:57:00Z

Last week, Windows 7 build 7048 escaped from Microsoft’s labs and quickly made its way to the Internet, where the x86 and x64 versions quickly became top downloads of the week.

This build is not the long-awaited Release Candidate, but it does include a slew of bug fixes, design changes, and interface tweaks checked in as part of the march toward an RC, much of it based on feedback from beta testers. What you see in this build is not experimental; given the development process for Windows 7, it is a near-certainty that the changes you see here will make it into the final product.


	Image Gallery: Don’t miss the before-and-after screens for every feature.

Over the weekend, I installed the x64 and x86 builds of Windows 7 build 7048 on two desktop PCs and two notebooks. The process was remarkably smooth and fast in every case. For the most part, installation went smoothly, with most drivers installed automatically, from the source media or from Windows Update. An upgrade of a Dell Latitude XT was nearly problem-free. On a clean install of a Dell XPS M1330, I had to track down a missing wireless adapter and replace the default sound driver with a Dell-supplied Vista-compatible version before the system would produce sound.

Several people, including my ZDNet colleague Adrian Kingsley-Hughes, have offered first looks at this build of Windows 7. For the most part, they’ve focused on a handful of obvious details, especially the greatly expanded options to remove Windows features such as Internet Explorer and Media Player. For this post, I decided to dig deeper and see what sorts of changes you’re not likely to notice right away. I’ve winnowed my list down to 21 separate changes; most of the changes fall into one of the following four buckets:

Fit and finish, especially tweaks to make the user interface more consistent
Branding, such as icons and sounds (we’ll see more of this, I’m sure, when the product is finally released)
Last-minute usability tweaks
Some image-driven changes, such as a scrubbing of negative language from the Windows 7 Reliability Monitor

I’ve documented what I found in this post and in an accompanying image gallery. Here’s a road map:

Page 2: Basic features, reworked

Page 3: Shell and UI tweaks

Page 4: Eye (and ear) candy

Page 5: Digital media

Page 6: Backup and recovery options

The basics

1. A new way to switch Control Panel views.

In the Windows 7 beta, the only way to switch to Control Panel’s all-icons is to click the All Control Panel Items icon at the bottom of the category view. That design apparently flopped in usability testing. In this build (and presumably in the RC) you can click a View menu at the top right of the Control Panel window to choose between Category view or large/small icons.

2. No more Aurora backgrounds.

In the beta release, sidebars on the left side of Control Panel windows followed the Windows Vista design, with white text on a dark background that resembles the old Aurora theme. For the RC, the design is changed to a light blue sidebar. Black type on this lighter background should be easier to read than the older white-on-dark-blue scheme, but some testers have complained that the new design is too faint and lacks contrast, especially for those with less than perfect vision.

3. Support for pen/touch devices.

The System Properties Control Panel includes a new line that indicates whether you have any touch or pen-enabled devices. The current crop of drivers for touchscreens is weak, however. The Dell Latitude XT shown here is capable of recognizing multi-touch gestures, but the only way to enable that support is by installing a very ragged beta driver from N-Trig.

4. No more “problems.”

It is, of course, completely unrealistic to think that Windows will ever be problem-free. But in this build, the word problem has been scrubbed from the Reliability Monitor front page. In the beta release, the heading referred to “your computer’s reliability and problem history.” In this build, there’s no mention of problems in the heading. The explanations of the 1-to-10 scale in the caption and along the right side of the graph are also changed to remove negative references to “least stable” and “poor reliability.”

5. Windows LiveID integration.

Now that a beta client is available for Windows LiveID, you can link your Windows logon to a Windows Live account. One advantage is quick access to Windows Live services, including Hotmail and Messenger. This is still a roughly drawn feature, though, and its full outline won’t become apparent until some additional pieces of the puzzle are unveiled.

Shell and UI tweaks

6. Tweaks to Windows Explorer.

A couple of months ago, I wrote, “If you love Windows XP, you’ll hate Windows 7.” Nowhere is that more apparent than in the new design of Windows Explorer. There a slew of tweaks in the post-beta builds designed to mollify old-school Explorer fans. For example, pressing Windows key+E now goes to the Computer pane by default, instead of to the Libraries pane. In the beta, right-clicking Libraries in the Navigation pane revealed a Delete menu that didn’t work; that menu is gone in RC builds. In the screen shot I’ve taken here, you can see the alternative Navigation pane, which resembles the XP-style Folders list.

7. Changes to library windows.

Speaking of libraries… This new addition to Windows 7’s file management arsenal is likely to be the most controversial. A slight change in the interface design is designed to make library windows more consistent with folder windows and and increase discoverability of this feature, We’ll see if it works.

8. Usability tweaks for the Homegroup feature.

The other Windows 7 innovation that’s likely to cause headaches for upgraders is the Homegroup feature. For post-beta releases, you can skip the Network and Sharing Center and right-click the Homegroup entry in the Navigation pane to see this group of options.

9. A cleaner Fonts folder.

In the Vista era, onbe of the most vocal UI complaints was over the ancient (Windows 3.1 era) Add Fonts dialog box. It’s gone in Windows 7, and in fact the Fonts folder has received a pretty impressive makeover. Favorite feature is the ability to hide fonts (such as those used for alternate languages) from application menus. In this release, the info pane at the bottom of the Fonts folder is reworked to hide mostly confusing file and designer information.

The differences in design are profound if you go from XP to Windows 7; you have to look much more closely to see the subtle changes in this post-beta version.

Eye (and ear) candy

10. Aero Peek is now the official name.

Everyone knows that Microsoft can’t come up with a sexy/clever/compelling name to save its life, right? Imagine my surprise, then, when I saw this change in the Taskbar Properties dialog box. The boring Desktop Preview feature is now officially called Aero Peek, a colorful name that was previously used only in demos,

11. New sound schemes.

I wasn’t surprised to see a slew of new Windows wallpapers in the Desktop Backgrounds folder. I was, however, startled when I counted a total of 13 new sound schemes in Windows 7 Build 7048. I especially like the Raga scheme, which add sitar-drenched Indian sounds at unexpected moments.

12. A new set of icons.

Icons are nearly pure eye candy, but for product designers they’re also an essential part of the branding process. The samples I’ve selected for the gallery include Calculator, WordPad, Paint, Homegroup, and Control Panel. They’re clearly a different approach from the current icon set, with a straight on approach instead of a tilt, and a simpler, bolder design.

13. Easier adjustments for ClearType settings.

The ClearType wizard in Windows 7 does an excellent job at helping you tune settings so that type is readable, especially on LCD screens. This subtle tweak in build 7048 adds a ClearType settings option in the Display Control Panel, where it’s much more likely to be discovered by someone tinkering with a system’s visual settings.

14. New ribbons for WordPad and Paint.

You have to look pretty closely to see these mostly cosmetic changes in WordPad (new icons on the Home ribbon, new checkboxes on the View ribbon). I’m more interested in the fact that WordPad allows you to open and edit documents saved in the Word 2007 native format with the .docx extension. On a default installation of Windows 7, without Microsoft Office, this file type is identified in the file properties as Office Open XML Document type.

15. Windows Media Player 12 now streams to Internet.

ZDNet’s Zack Whittaker deserves props for noticing this new feature and writing it up with more details about the user interface. It’s clear that Microsoft plans to create a channel you can use (in conjunction with a Windows LiveID) to stream music over the Internet, giving you access to your full music collection on a notebook, work PC or, presumably, a mobile device. Exactly how this feature will work, thogh, is still a mystery.

16. A smaller, slicker Mini Media Player.

Windows Media Player has had a mini player for as a long as I can remember. The version in the public beta of Windows 7 is clunky, to put it kindly. The revamped mini-player in build 7048 is much smaller and more elegant. Its playback controls are transparent, and slide out of the way until you move the mouse pointer back into the player window. If you prefer the clunky look, you can still resize the window and customize it (showing the playlist, for example). This image shows the default mini-player at actual size.

17. Radio station presets in Windows Media Player.

Through the years, radio stations have popped up and disappeared in different releases of Media Player. In Windows 7, the Radio Stations link has made a triumphant return to the main navigation pane, where it sits at the same level as Music, Pictures, and Recorded TV. In this build, however, the interface for saving radio stations is still missing, so it’s hard to see how the feature will work when it’s finished.

18. A simpler Now Playing background in Media Center.

When you play an album or music playlist in Media Center, Windows 7 replaces the boring blue Vista-style background with a wall of album covers, drawn from your collection. In beta builds, the wall slides down the screen, refreshing itself constantly. In build 7048, you have the option to make the album wall static or remove it completely; the latter option might be boring but provide a better experience on extender devices with low-powered graphics hardware.

Backup and recovery options

19. Simpler explanation for Advanced Recovery Methods.

The backup and recovery tools in Windows 7 are more usable than in previous editions, but they’re still daunting for non-technical users. As I went through the backup feature, I was struck by the sheer number of changes to headings, descriptions, links, and buttons. Clearly, this is an area where Microsoft has been doing extensive usability tests. Will the shorter, less technical headings and descriptions here make it easier for mere mortals to restore a backup? Only time will tell.

20. Simplified terminology for Backup options.

In this post-beta build, Microsoft appears to have settled on “system image” as the term it prefers over “image backup.” This is the sort of esoterica that usability experts argue over, and presumably the changes shown here are lab-tested and user approved.

21. More user data included in default backup sets.

If you use the Backup program’s default settings to create a system image and back up all data files, the Backup program makes some selections of folders it will back up for you. Noteworthy additions in this build include the Downloads folder and the hidden AppData folder, which often includes important data such as e-mail messages, address books, and program preferences.

These locations were inexplicably excluded in earlier builds; it’s good to see this sort of change made even at this late date.

And that’s my report. Have you downloaded this build (or a later one)? Any additional discoveries to report? If so, leave them in the comments.

Upgrading older systems

2009-03-06T18:44:00Z

Every couple of weeks somebody asks me whether it makes sense to move from an older Sun SPARC machine to a new x86 machine running either Linux or Solaris. My usual answer is that it depends: mainly on what the thing is supposed to do, how it fits with the other stuff you have, and who looks after it.

This week, however, I want to look at various aspects of that question and see if it’s possible to offer a clearer and less general answer.

In most cases the driving force for this comes from the fact that support costs on older hardware move in the opposite direction from purchase costs for warrentied hardware of comparable or greater processing power - but the primary issue in making that change comes from the need for architectural change imposed because the current version of what you have in place has moved too far upscale relative to your requirements.

Basically, as your hardware gets older your monthly support costs become an ever increasing fraction of the cost of replacing it with comparably powerful new gear - new gear that typically comes with a year or more of warranty coverage as good or better than the coverage you’re paying for on the old gear. At the same time, however, the fact that the applications still work on existing hardware means that the replacement hardware comes from much lower down the relative performance scale - and adopting it can often require an architecture change.

On net, therefore, the incentives sometimes work for change, and sometimes against - and sometimes they collide in unpleasant ways.

One former client has an application, for example, that’s both mission critical to his business and essentially unchanged for over ten years. It currently runs on a pair of Sun 450s from the Solaris 2.7 days - and while he could get better performance at near zero incremental cost by swapping in a pair of otherwise retired Xeon servers running Linux, he has no incentive to take any risk because the thing’s success makes it invisible to user management and he stopped paying Sun anything in about 2003 when he put a decommissioned, but fully functional, 450 away as a backup.

Another has huge incentives to change - but can’t for internal political reasons. On the incentive side they’re currently paying IBM more per quarter in support on a couple of P690s and a shared disk store than it would cost to replace them with brand new T5440s complete with three years of gold support - and on the negative side their original ERP decisions were so bad (customization and best of breed) that the company nearly went under getting anything working, and so user management will now reliably throw panic hissies if anybody in IT so much as thinks about making any changes.

And yet, the simple bottom line is that both are going to have to change - it’s just a fact of life: costs change; gear becomes obsolete, old software becomes a drag on positive change, failure risks increase as equipment goes past its engineered end of life.

Some general considerations for small systems change

Let’s assume a scenario under which the older system you’re thinking about upgrading is relatively small, support costs are high, and you can’t obviously transfer its workload to some other, larger, machine with adequate idle capacity.

Specifically, lets assume you have a Sun 490 from a few years ago (4 x 1.8Ghz USIV, 16GB, 4 x 73G that’s still under support and runs an engineering document and database application critical to everyone from R&D to the people handling customer warranty claims.

It works, but the hardware is getting old - and support costs seem outrageous relative to the nominal cost of PC style servers: your predecessor signed up for full 24 x 7 Gold level support at nearly $8,000 per year - about 10% of the nominal list price when he bought it- and lots of people claim you can get ten PC servers for that: one for every six weeks in support costs.

This is, in other words, Red Hat’s dream scenario - the primary one their anti-Sun campaign targets, and the one in which you’re supposed to believe that buying a free Linux from them will give you better performance for less money.

In this situation the key things to consider are:

your tolerance for system failure;
your tolerance for security (in the PC sense) risk;
constraints on future change opportunities;
I/O limitations and storage growth rates; and,
staffing related issues.

Note that application level SPARC compatibility is not directly an issue - any application can be either migrated or replaced if the incentives for doing it justify the risk and costs involved. It’s easier, of course, to upgrade to binary compatible HW/OS combinations, but that’s a cost/benefit issue, not an absolute.

The failure tolerance issue comes down to this: SPARC (and Power) systems are built to higher quality standards than x86 ones - and that’s true whether you’re comparing at the low end, mid range, or high end in each category. As a result the issue here is whether you care about the quality you’re paying for with that 490.

It’s a low end machine for SPARC but to match the quality in the x86 world you have to go to the higher end stuff: typically Compaq’s Proliant line, and that costs more than a new SPARC machine would. To make hardware savings, therefore, you have to be willing to accept a higher risk of hardware failure - so this comes down to how much of that you can tolerate.

All management speak aside, this is ultimately a gut call: my own rule of thumb being that if your users can see a cost difference between eight hours a year in downtime and two, then sticking with the higher end gear will be the right thing to do even if that cost difference seems smaller than the hardware savings .

The security (in the PC sense) issue is this: you only care about the risk of attacks that work or could work - meaning attacks that exploit code or process vulnerabilities in ways that can be directed against you. Since every OS and application has code vulnerabilities, and every process involves people and/or networking, the determining factor is how high the exploit barrier is.

In the x86 world exploits are virtually synonymous with vulnerabilities, but because this isn’t true for PPC or SPARC the barriers there are much higher - witness, for example, Apple’s transition from a company that could build a security reputation while ignoring vulnerabilities on PPC to an x86 maker that’s rapidly losing its reputation for security despite obsessive patching.

Again the question is one of comparing risks to possible costs and other consequences: basically, the worse the consequences a successful attack could be for you, the further you want to stay away from x86 - and if there’s a genuinely compelling reason to use x86 in a high value situation, bite the bullet on porting your application to OpenBSD and have security experts go over your code line by line as part of that process.

The opportunity cost issue on software change is one of the hardest to get your head around. The question is at what point change now starts to significantly drive up the cost of future change. In the obvious version of this you make a change decision today, and tomorrow’s vendor announcement means you’ve spent the money buying the wrong thing -but the more interesting, and more subtle, version is that you spend your change budget (including non dollar spending like stressing out user management’s tolerance for change) and tomorrow one of your people comes up with a new idea that you really want to implement but can’t -and one thing I’ll guarantee you is that nobody on your staff will really buy into your reasons for saying no.

This is where the option of doing nothing as long as possible really shines: the maxim about a tax delayed being a tax unpaid works here - if it’s Unix, and it works today, leaving it alone will pretty much guarantee that it works tomorrow -and, in these kinds of situations, that can be a good thing.

In contrast to opportunity costs, the storage issue is dead simple: those 73GB disks in the 490 can be upgraded to 146GB at minor cost, but going beyond that means either getting an external JBOD or trading off significant new costs against performance. Either way, once volumes get much past 4 x 146GB, the fact is that new gear with terabyte disk sets and full warranties usually combine lower cost with lower risk and higher performance relative to adding disk to old systems.

And, finally, there are staffing issues. People will tell you that switching from Solaris to Linux will make it easier to find qualified staff, but that isn’t true. Unix skills are usually easily transferable: if your current staff can keep their hands off that 490 running Solaris, they can probably keep their hands off a Linux replacement machine too -and, similarly, if you can hire someone who can get Linux set up and running properly, the chances are that Solaris won’t give them any trouble either.

Conversely, if your staff reports that 490 as unreliable, the one thing you can be assured of is that they’re causing those failures -and not only will they do the same thing to a Linux replacement, but whatever root cause (usually a manager whose skillset doesn’t match the technology) is driving this will also limit your ability to retain any new people you bring in with better skills.

Thus the positive bottom line on staffing is that if your shop is working well, there won’t be anything scary about transitioning between Linux and Solaris - in either direction.

Conversely, if what you’ve got is a skills-technology mismatch you have two choices: change the people, or change the technology - and do it before you change anything else because not facing up to the issue condemns you to a long and slow death by a thousand failures.

So what’s the real bottom line on all of this? Support costs may be a lever for getting people thinking about change, and technology continuation may have value for you, but in the end these kinds of decisions almost always come down to intangibles: guesses about future risks and opportunities, not the small dollars involved in support contracts.

Firefox 3.0.7 fixes 47 bugs, 17 critical

2009-03-06T18:38:00Z

The latest update to Firefox pushed out to users last night via automatic update addresses 47 bugs and enhancements, according to Mozilla. 17 bugs were marked as “critical” or higher.

Five potential security vulnerabilities were patched including these 3 that were marked as “critical”:

MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
MFSA 2009-08 Mozilla Firefox XUL Linked Clones Double Free Vulnerability
MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)

Glenn Randers-Pehrson, Martijn Wargers, Jesse Ruderman, Josh Soref, Gary Kwong, and Timothee Groleau were credited with identifying and reporting the problems.

Most of the issues involve common C/C++ memory management bugs such as freeing uninitialized memory or memory that has already been freed. If Firefox were written in Java or C# or any language with automatic garbage collection they wouldn’t have these problems, I’m just saying…

Mozilla has been updating Firefox 3 approximately once a month since its release in June of last year. Here’s a list of all the updates so far:

Coming on Patch Tuesday: 3 Windows bulletins, 1 critical

2009-03-06T18:31:00Z

Microsoft today outlined plans to ship three security bulletins for software vulnerabilities in the Windows operating system.

One of the three bulletins will carry a “critical” rating, meaning that it will cover flaws that could be exploited to launch remote code execution attacks.

According to the advance notice from Microsoft, the other two bulletins are rated “important” and can expose Windows users to spoofing attacks.

All three bulletins require a restart after deployment.

All supported versions of Windows will be affected by next Tuesday’s releases, including the newer Windows Vista and Windows Server 2008.

This month’s batch of patches will NOT include a fix for a known — and under attack — code execution vulnerability affecting Microsoft Office. Microsoft has already issued a security advisory on the Office attacks (via rigged Excel files) with some suggested mitigation guidance.

Microsoft hedges its Windows 7 bets with new IE 8 'removal' option

2009-03-06T18:26:00Z

Microsoft has taken another step to hedge its Windows bets in case the European Commission lowers the boom on Redmond’s browser-bundling practices.

With the current Windows 7 Build (No. 7048) that is circulating among selected testers, Microsoft is making it possible for Internet Explorer 8 to be removed from the Windows operating system, according to the AeroXperience site, and other testers with whom I’ve spoken.

“Removing” here is somewhat of a loaded — and perhaps overzealous — word. Microsoft can easily remove the IE 8 browser from startup. But over the past few years, the company has integrated the guts of IE into the operating system.

As Bryant Zadegan explained on AeroXperience: “This [new IE 8 removal option] only seems to wipe the actual executable running Internet Explorer 8 (iexplore.exe), but given that many of the most vocal proponents of choice were just looking for an option to functionally remove IE8, this might’ve been the only way to do it without killing the rest of Windows.”

One Windows tester, who requested anonymity, emphasized that the new “remove IE 8″ option was primarily cosmetic. “(The Windows) Explorer and Internet Explorer use a ton of shared libraries because they both perform similar and intertwined actions,” so that makes complete removal of IE from Windows near impossible at this point, he said.

The Windows team has been believed to be readying its “Plan B” in order to try to head off a potential derailment of the release of Windows 7 as a result of an ongoing antitrust case levied by Opera Software in the EU. Opera claimed Microsoft’s policy of bundling IE with Windows reduced consumer choice. In January, the European Commission (EC) issued a “statement of objections” in the case, indicating to many that it was prepared to find Microsoft guilty and force the Redmond company to take some kind of remedial action in the EU. Last month, Mozilla joined the complaint and Google requested the right to do so.

Interestingly, Opera officials have not asked for Microsoft to be forced to exorcise IE from Windows; instead, Opera execs have said they are advocating Microsoft to be forced to distribute other vendors’ browsers alongside IE. But the Windows team seems to be operating under the assumption that the EC could require the company to remove IE from Windows. Microsoft seems to be trying to further componentize Windows 7 so that such a requirement would have less potential negative impact on Windows 7’s release schedule.

The Technologizer tech-enthusiast site recently reported that the Windows team is still on track to deliver Windows 7 in the third quarter of this year, but is ready to delay Windows 7’s release until January 2010 if the EC requires the company to remove IE from Windows. (Microsoft isn’t commenting on either of these dates.)

I asked Microsoft for a statement on the new AeroXP report, as well as the Plan B scenario for Windows 7 in general. Still no word back.

Update (March 5): The Windows team delivered an official no comment. A spokeswoman added the following statement: “Windows 7 is still in development and currently in beta. We have no new information to share regarding any of the product’s final features.”

Update 2 (March 6): Microsoft has decided it does have information to share, after all. The company posted an acknowledgment of its decision to allow IE 8 to be removed from Windows 7 (an option most testers will see in the next month or so when the Win 7 Release Candidate build is issued) — but didn’t mention the Opera antitrust suit as a reason for the decision.

Micro-Kindlenomics: My cost benefit analysis

2009-03-02T19:54:00Z

Amazon’s Kindle 2 cures all of the ills that afflicted the e-tail giant’s first e-book. It has better navigation, a handy definition feature, a five-way controller and a text-to-speech feature that has raised a ruckus. But the decision to upgrade to the Kindle 2 comes down to the microeconomics: Are the features good enough to entice users of the first Kindle to upgrade to the new one at the same price–or more if you include a new cover?

That decision is a bit of a tough one for me. I have the first Kindle and acknowledge that it is clunky in spots. I turn the pages too easy, the resolution isn’t as good as Kindle 2 and it has one button that navigates pages. The Kindle 2 is sleek–even the charger is well designed. Next to the Kindle 2, the first Kindle is kind of homely.

Kindlenomics: Keep publishers and authors happy (cave once in a while)

Review: Amazon Kindle 2 5-way controller more significant than form factor improvement

The problem is that the Kindle 2 is $359. A new Kindle cover, which is a vast improvement over the first version, is another $30. The big question: Is the latest Kindle sleek enough to convince existing owners to toss what they have today and shell out nearly $390 for a new one with a cover?

If you don’t have a Kindle yet, the latest version makes it a no-brainer to get off the fence. I have no problems recommending the Kindle 2 to anyone buying an e-book. However, you should read Matthew Miller’s review and check out the Sony e-book comparison gallery.

For me, the Kindle 2’s price is a barrier. If there were a discount for current Kindle owners–or a rebate for recycling the first version–perhaps the price would be more palatable. A price of $199 would be a no-brainer for me. I’d upgrade to the Kindle 2 in a heartbeat at that price point. A price of $250 may also do the trick including the new cover that secures the Kindle 2 nicely. Anything more than $250 is seriously pushing it.

Based on my Kindle 2 review unit I created the following evaluation, which weighs the new features and what I’m willing to pay for them (click to enlarge).

Add it all up and I’ll stick with my homely Kindle for now. However, should my old Kindle fall apart, get lost or fall from a building I won’t weep too much with the Kindle 2 on the market.

Five things every Windows beta tester should know

2009-03-02T19:51:00Z

Last week my colleague Mary Jo Foley reported on rumblings of discontent from the invitation-only Windows 7 technical beta test community:

A number of Windows 7 testers have complained recently that Microsoft was not sharing enough information about changes it planned to make in response to their feedback.

Windows SuperSite’s Paul Thurrott questioned in a post yesterday whether Microsoft had already locked down Windows 7’s feature set before the majority of technical and public beta testers ever got to see a first release of the product. I’ve wondered the same.

This was all in response to another epic post on the Engineering Windows 7 blog by Steven Sinofsky, who tried to explain how the feedback process worked. The whole thing is worth reading, although at 4700+ words I’m afraid most people will just skim it.

Frankly, I’m having a hard time working up any level of sympathy for those doing the complaining, partly because I heartily approve of the way Windows 7 development is going right now and partly because I have seen the feedback process up close and personal. Microsoft is getting a bad rap from a group of people who are mourning the reality that they’re no longer being treated as privileged elites.

I was going to ignore this whole brouhaha, until I read a post on the subject by WinPatrol developer and Microsoft MVP Bill Pytlovany that included this provocative proposition:

Most Beta Testers Suck

As a developer I can tell you , beta tests aren’t what they used to be. The number of people who actually report decent bug information is minimal. Most people download the beta just to be an earlier adopter. Developers are lucky if users read the release notes and compatibility list let alone any beta instructions. There are so many different machine configurations that sadly the only way to find some bugs is to have full global adoption of new software.

Bill isn’t going to endear himself to any beta testers with that line of argument, but he does have a point. I’ve read many of the complaints Mary Jo referred to and a few hundred others on the members-only Windows 7 technical beta newsgroups. I think a lot of beta testers need a refresher course in the basics of what it means to be involved in the development of a product as complex as Windows.

In that spirit, here’s my list of five things every Windows 7 beta tester should know:

1. Things have changed. According to Thurrott, “The real problem here is that the feature set of Windows 7 was frozen well before the Beta release. So the feedback [Sinofsky] discusses throughout this post is 99 percent bug testing, really (and 1 percent, we hear your concerns but have a million reasons why we can’t change a thing).”

And this is a problem? I don’t think it’s any accident that the two most troublesome releases in the history of Windows also had the longest beta cycles. I was running pre-beta builds of Windows 95 in 1993, nearly two years before it was released. The first alpha releases of Longhorn, which eventually became Windows Vista, were handed out at the PDC in late 2003, nearly three years before Vista shipped.

By the time a beta is released, the feature set should be pretty much frozen. That’s how you concentrate on things like quality and performance.

As for the complaint that Microsoft hasn’t listened to feedback and ignored its most loyal customers when developing the feature set for Windows 7, I say, “Give me a break.” Since November 2006, Microsoft has gotten an earful about its Windows design decisions. The feedback loop includes:

Every blog post, review, newsgroup posting, and rant about Vista ever published
Support calls to Microsoft and its partners
Requests from PC makers and software developers
Telemetry data (all those crash reports really do go somewhere)
Field research and usability testing
Interviews with opinion leaders, including Paul and me, who have given feedback to Microsoft in person and on the phone many times in recent years. You think they weren’t taking notes?

That’s a helluva lot of feedback to take into account. There comes a point where more doesn’t mean better.

2. Windows design is a series of compromises. A lot of the complaints I’ve heard boil down to “Well, that’s not how I would have designed that feature.” Right. When you’re building a product that is going to be used by hundreds of millions of people, you have to find some common denominators. And as I wrote last year, sometimes there is no right answer: you can bet that for any decision you make, some nontrivial number of people will think you’re a complete idiot, no matter which option you choose.

I also hear lots of feedback suggesting that Microsoft should never remove a feature and should always give its old-time users a way to preserve the procedures they learned five or 10 or even 20 years ago. Seriously, I’ve heard people argue that Windows 7 should include the old File Manager utility from Windows 3.1. Can you imagine how complicated, even bloated, Windows code would be if no feature was ever cut and you could choose from a dozen or so Classic interfaces going back to 1991? But that’s the logical conclusion from that line of argument.

Things evolve. Old features disappear, and new ones are introduced. Deal with it. If you think there’s a better way to implement a new feature than the one Microsoft chose, blog it. But it helps if you can make a rational case - remember, you’re dealing with engineers. Simply saying “XYZ feature sucks” isn’t likely to win hearts or minds.

3. Writing good bug reports is hard work. I sympathize with testers who complain that their bug report was closed as “Non-repro.” But that’s reality. If it was easy to reproduce, the bug would most likely have been caught in one of the many, many automated testing cycles that each Windows build goes through. The really tricky bugs are those that are triggered by unusual combinations of hardware and software under specific conditions.

In fact, if you talk to the developers who dig into those incoming bug reports from technical beta testers, as I’ve done, you’ll quickly learn that it’s a pretty low-yield process. Most are duplicates and the vast majority are just requests for new features or changes to existing ones. When they get closed as “won’t fix” or “by design,” it’s because someone already considered that request and decided for any of a thousand reasons (budget, compatibility, risk of regression, or conflicting data) that the feature is going to remain as it is.

4. One more build does not mean a better product. In fact, you could argue as I did last week that the work of building an “official” beta release slows down progress. Pytlovany, who has worked inside Microsoft, agrees:

Every new beta release is a distraction to developers. The time it takes to create a frozen version takes away from a developers imagination and productivity. […] The internal testing required before any public beta is a lot longer than you might think.

If you’ve identified a bug and it’s made it onto the must-fix list, it shouldn’t take multiple passes to fix it. Microsoft’s Charlie Owen, who works on the Media Center team, had some great advice for beta testers in a blog post last week:

When the Windows 7 Release Candidate becomes available immediately download, install, test deeply and quickly provide actionable feedback.

Seriously: As the release candidate is downloading and with tenderness, kiss your spouse on the cheek and tell him or her you’ll be back in a week or so. Then lock yourself in the home office and be relentless and unforgiving in your testing of the Windows 7 Release Candidate and provide feedback.

5. Shipping is a feature. There is no such thing as perfect software. If the developers of any complex software product like an OS waited for every bug report to be “fixed.” the software would literally never ship.

The one thing Microsoft can do going forward that it has not done well in the past is to incorporate feedback from the current test cycle into the next version. The best way for that to happen is for Microsoft to develop a consistent, professional process for planning and shipping new releases on a predictable schedule. In theory, features that don’t make it into this release have a legitimate shot at making it into Windows 8. As Charlie Owen put it, “You should consider the Windows 7 Release Candidate as your first and best opportunity to influence the next version of Windows.”

Safari dominates browser benchmarks

2009-03-02T19:47:00Z

Proving itself a staggering 42 times faster at rendering JavaScript than IE 7, our benchmarks confirm Apple's Safari 4 browser, released in beta Tuesday, is the fastest browser on the planet. In fact, it beat Google's Chrome, Firefox 3, Opera 9.6 and even Mozilla's developmental Minefield browser.

We used the SunSpider suite of JavaScript tests to determine which browser was the quickest, and the Safari 4 beat every browser in terms of speed, on both a PC running Windows XP SP2, and a Mac running OS X 10.6 with all updates applied.

Below are the actual figures if you want to see how all seven browsers scored against each other, but for quick reference we determined on a PC that Safari was a whopping 42 times faster than Internet Explorer 7, just over six times faster than Internet Explorer 8, 3.5 times faster than Firefox 3, and 1.2 times faster than Google Chrome. Here's Safari versus the rest, excluding IE 7:

Add IE 7's results to the PC graph and witness the shocking truth. These are results from a PC with a 2.1GHz Intel Core 2 Duo:

1) Safari 4 (Total time: 910ms)
2) Mozilla Minefield 3.2a1 (1,136ms)
3) Google Chrome (1,177ms)
4) Firefox 3 (3,250ms)
5) Opera 9.6 (4,076ms)
6) Internet Explorer 8 (5,839ms)
7) Internet Explorer 7 (39,026ms)

On Mac OS X, Safari was four times faster than Firefox 3 and a depressing (for Opera) 7.5 times faster than Opera 9.6.

Results (fastest at the top) on Mac OS X (2GHz Intel Core 2 Duo):

1) Safari 4 (Total time 967ms)
2) Minefield 3.2a1 (969ms)
3) Firefox 3 (3803ms)
4) Opera 9.6 (7322ms)

You can download Safari yourself here.

This article was originally published on CNET UK Crave.

Open source for hard times

2009-03-02T19:39:00Z

Friend of the blog Erica Zeidenberg, who represents the good folks at Palamida, has been flogging an “open source job hunters toolkit,” filled with open source programs you can use, free, in your job hunt.

(This classic photo from the last Great Depression was done for the WPA by John E. Allen Inc.)

Of course, if there are no jobs you can’t hunt anywhere. But maybe if you get yourself a used Netbook and find an old stick memory sitting around, you can load these offerings as you head out for the real open road:

1. OpenGoo is the open source Web office that lets you collaborate with your fellow jobless and organize that people’s revolution we have all been waiting for. Compare it to the student version of Microsoft Office.

2. Scribus is the open source desktop publishing program for Linux that will help you get out those flyers telling other homeless people where the demonstration is. Compare it to Adobe Illustrator.

3. TextPattern is a flexible content management system that also helps you publish standards-compliant Web pages that print nicely. The revolution deserves a good Web site.

4. GIMP, the GNU Image Manipulation System, is great for resizing or extracting bits from pictures like the one above. I use it all the time. You can use it to virtually link the President to the workers’ enemy of the moment. Compare it to Adobe Photoshop.

5. Kino is a cool video editor for Linux. You can use it for that revolutionary film you have been planning, “Triumph of the Geeky.” You can compare it to Final Cut Pro.

6. Pidgin is the universal chat client that gets you over all those proprietary walls erected by “the man” so you can communicate between cells. It even supports custom smileys, so if you want to add a Che Guevara beard to yours go right ahead.

7. Mozilla Thunderbird is the e-mail client I use here at ZDNet Open Source. It’s a good replacement for Microsoft Outlook Express, plus you can add-in features like a calendar so you won’t be late for the revolution.

8. KPresenter is the presentation piece of the KOffice suite. This will let you demo your revolution so it won’t be confused with those of splitters like the Judean Peoples’ Front or People’s Front of Judea. That would be very embarrassing.

9. Amarok is an open source music player, an iTunes replacement, which will be one of the 15 projects honored with a booth at CeBIT next month. If you can’t dance to the revolution what is the point?

Anyway, good luck, and we’ll see you on the road. Unless President Obama can pull off a real economic recovery. In which case you’re all invited back to work.

Is the new browser war a good thing for end users?

2009-03-02T19:36:00Z

Browsers are getting better. Much better. The latest beta from Apple of Safari 4 shows just how much work is going in to making the modern browser fast, reliable, easy to use and standards compliant. Even Internet Explorer, while trailing the pack in terms of speed and compliance, is getting better. But is the new browser war a good thing for end users?

On the face of it that seems like a silly question. Of course it’s good for users. As a result of the groping competition users end up with faster, more reliable, more secure, easier to use browsers. Even Internet Explorer, which was stagnant for years, has improved dramatically (but it still has a long way to go). That’s gotta be a good thing, right?

Loading ...

Well, maybe not. While I’m happy to have several browsers installed on my system, and switch between the browsers depending on what I’m doing, this kind of behavior isn’t for everyone. Putting aside the fact that installing multiple browsers on a system means that you have to keep them all patched up in order to prevent vulnerabilities from building up, you can only really have one default browser on a PC, and so switching between them is cumbersome. You either have to copy and paste URLs between the browsers, or continually switch the default browser setting. You also run into problems with favorites - importing favorites into a newly installed browser is one thing, keeping all the favorites synced up is another. As a user of multiple browser, I know just how much of a hassle it all it.

So, wile I like Opera, Google Chrome and the new Safari 4 beta (I feel pretty indifferent about Internet Explorer 8 beta so far), I still consider Firefox to be the primary replacement for Internet Explorer. The reason is simple - it’s the most mature of the alternatives. While Chrome handles multiple tabs far better than Firefox, Opera has a built-in torrent capability, and Safari 4 is faster, but Firefox is a better all-rounder. not only that, but while Firefox remains the only browser that makes extensive use of add-ons, it’ll continue to remain popular amongst geeks (oddly enough, I don’t care much for the add-ons … too much hassle come time to upgrade the browser).

In my opinion, the only real alternative to IE is Firefox. It’s nice to have the other browsers (and on the Mac, an improved Safari is a good thing), but for now they’re just minor players.

Do you think that the new browser war a good thing for end users?

Should Mozilla stay out of the whole IE/EU antitrust mess?

2009-03-02T19:23:00Z

Mozilla Foundation chairperson Mitchell Baker believes that because Internet Explorer is integrated into the OS this give Microsoft an unfair advantage in the browser war. As a result of this Baker is in favor of EU involvement to try to level the playing field. Is this a bad move for Mozilla?

Baker appears to be getting ready to wade in pretty deep:

The extent of the damage is so great that it makes it difficult to figure out an effective and timely remedy. I believe it’s worth some effort to try. It’s easy to look at Firefox market share and assume the problem is gone or the damage is undone. But that’s not the case. The drag on innovation and choice caused by Microsoft’s actions remains. At Mozilla we work to reduce this drag through direct action, and the results are gratifying. If the EC can identify an effective remedy that also serves to improve competition, innovation and choice, I would find it most welcome.

I’ll be paying close attention to the EC’s activities, both personally and on behalf of Mozilla. Mozilla has enormous expertise in this area. It’s an extremely complex area, involving browsers, user experience, the OEM and other distribution channels, and the foundations for ongoing innovation. An effective remedy would be a watershed event; a poorly constructed remedy could cause unfortunate damage.

I’d like to offer Mozilla’s expertise as a resource to the EC as it considers what an effective remedy would entail. I’ll be reaching out to people I know with particular history, expertise and ideas regarding these topics. If you’ve got specific ideas or concerns please feel free to contact me. I’ll post more as the discussion develops. [emphasis added]

Loading ...

This post has already raised some red flags in a few camps.

Ars Technica:

I think that her position on this matter is highly questionable. There are quite a few open source software enthusiasts who would argue that, for a broad range of software products, the emergence of a Mozilla-like model is actually desirable and highly advantageous for consumers. A point will eventually arrive for many kinds of software where there is simply no point in trying to derive value from shrink-wrapping it, and then efforts will converge around collaboratively-developed open source implementations that will displace and eliminate the need for proprietary commercial implementations. Why should that be viewed as unhealthy?

…

It’s risky to let the government perpetually equalize the market, because sometimes the greatest innovations appear when inventors have to face tougher odds. It’s also worthwhile to wonder what will happen when the shoe is on the other foot.

…

It’s disappointing, however, to see Mozilla and other browser makers looking for government intervention rather than demonstrating the unequivocal superiority of standards-compliant web browsers by defeating Microsoft on their own. It’s hard to imagine anything good coming from all of this.

TechDirt:

So, it’s especially disappointing to read that the Mozilla Foundation appears to be siding with the regulators, complaining about Microsoft’s actions. Obviously, Mozilla is competing with Microsoft in this space, so at a first pass it may seem in their best interests to lobby the EU to punish Microsoft. But it’s disingenuous to say the least. Mozilla got where it did because it competed effectively. It built a better, more secure browser that many people made the choice to support over IE. In fact, Firefox’s chief architect, apparently unaware of what his “bosses” were cooking up, seems to have recently contradicted the Mozilla Foundation’s new position, where he admitted that he couldn’t see how anyone with a straight face could claim that Microsoft’s ability to bundle created a monopoly, noting that Firefox’s success in growing marketshare showed that making yourself “demonstrably better” worked. Oops.

I’m no fan of Internet Explorer, but I agree that I can see very little good coming from this. Not only that, Firefox is a perfect example of the fact that competition isn’t being stifled given that it’s grabbed what Mozilla acknowledges to be a 20% market share.

Mozilla isn’t going to win friends doing this, in fact, I think it’s likely to make enemies, and the best upshot it can expect won’t be any better than the “N” solution that was adopted to solve the bundling of Windows Media Player.

Thoughts?

ID thieves go phishing for GTalk, GMail passwords

2009-02-27T01:57:00Z

If you use Google’s GMail or GTalk services, pay special attention to random e-mails or instant messages requesting your login credentials.

There is a major spam run underway with a phishing scam using social engineering techniques to snag Google Account usernames and passwords and, according to multiple reports, the attack appears to be very effective.

This image shows a GMail message that purports to be an account termination warning from Google but, if a user is tricked into clicking on the link, he/she is redirected to a fake GMail page requesting the login credentials.

On the GTalk side, the scam is perpetuated via an IM with a TinyURL link that redirects to a ViddyHo login page.

That page instructs them to enter their Google account information, which is then used to break into the victim’s account and send the link to other users in the victim’s address book or buddy list.

Andrew Ostrow at Mashable says he received several GTalk messages with the scam on the same day:

I became alerted to it when I received IMs from three people I hadn’t talked to in some time within a matter of minutes – one a marketing exec at a prominent startup – with typical phishing jargon “check this out!” with a link to a tinyurl that when clicked, points you to a site called ViddyHo. Apparently, the site sends out the message to all of your Google Talk contacts.

These types of phishing attacks are not new but it’s interesting that Google is the target of a multi-pronged phishing attack at the same time. Google Accounts, in some cases, are tied to valuable properties — Google Checkout, Google Adsense, etc. — so a compromised account can lead to actual financial damage.

If you suspect you may have been tricked in this (or any phishing attack), it’s important that you immediately change your account password and security question.

As always, whenever you encounter a Web site asking for login credentials, stop a think carefully.

* Image via the Wall Street Journal, which got a confirmation from Google on the attacks.

Adobe swings and misses as PDF abuse worsens

2009-02-27T01:53:00Z

After more than two weeks (months?) of inexplicable silence on mitigations for a known code execution vulnerability in its Reader and Acrobat product lines, Adobe has finally posted public information on the problem but the company’s response falls well short of providing definitive mitigation guidance for end users.

[ For background and a timeline on how *not* to handle incident response, HD Moore's blog post is a great start. ]

Adobe’s response simply confirms what we already know and reiterates that turning off JavaScript will NOT eliminate the risk entirely. However, the company does not offer any definitive suggestions or workarounds, instead pointing to a list of anti-malware vendors blocking known attacks.

Here’s what we have from Adobe:

We have seen reports that disabling JavaScript in Adobe Reader and Acrobat can protect users from this issue. Disabling JavaScript provides protection against currently known attacks. However, the vulnerability is not in the scripting engine and, therefore, disabling JavaScript does not eliminate all risk. Keeping this in mind, should users choose to disable JavaScript, it can be accomplished following the instructions below:

Launch Acrobat or Adobe Reader.
Select Edit>Preferences
Select the JavaScript Category
Uncheck the ‘Enable Acrobat JavaScript’ option
Click OK

While this information is better than the silence we’ve gotten from Adobe since the attacks became public, it falls well short of providing the protection information that businesses and end users need when in-the-wild malware attacks are occuring.

The company did not offer any details on the actual vulnerability. It did not provide workarounds. It did not provide mitigation guidance. Adobe simply rehashed what we already knew and confirmed that the public mitigation guidance from third parties is/was not definitive.

As my former ZDNet Zero Day blog colleague Nate McFeters points out, the issue is much worse than first imagined.

I decided I’d test this out and found that on a fully patched Mac OS X build, Safari 4, Mail.app, Preview.app, and potentially others all crash using the proof of concept exploit provide on milw0rm. The crash is actually in PDFKit, which supports all of those applications and likely much more.

According to this Secunia’s Carsten Eiram, his company managed to create a reliable, fully working exploit which does not use JavaScript and can therefore successfully compromise users, who may think they are safe because JavaScript support has been disabled.

All users of Adobe Reader/Acrobat should therefore show extreme caution when deciding which PDF files to open regardless of whether they have disabled JavaScript support or not.

If Secunia can do it based on information that’s public, what’s to stop malicious hackers with major financial motivation?

So what now Adobe?

The Web video showdown: Content providers, cable companies and the users stuck in the middle

2009-02-20T18:20:00Z

There’s a looming showdown over Web video as content providers wrestle with the future as the television business model that has paid the bills for years becomes strained.

In the last day or so, Hulu has been on a tear as it rips down its content from other sites (Techmeme). First up, Hulu pulled content from TV.com, which is run by CBS Interactive, the parent of ZDNet. I wrote off the skirmish between TV.com and Hulu as big media theatrics–these massive media companies are always pulling content down to prove some point. But then there was Hulu’s move to rip its video down from Boxee.

For starters, Hulu has every right to make such a move. Hulu–a joint venture between NBC and Fox–didn’t have a formal relationship with Boxee. In an explanatory blog post, Hulu chief Jason Kilar spoke like a man caught in between two behemoths he can’t control.

Later this week, Hulu’s content will no longer be available through Boxee. While we never had a formal relationship with Boxee, we are under no illusions about the likely Boxee user response from this move. This has weighed heavily on the Hulu team, and we know it will weigh even more so on Boxee users.

Our content providers requested that we turn off access to our content via the Boxee product, and we are respecting their wishes. While we stubbornly believe in this brave new world of media convergence — bumps and all — we are also steadfast in our belief that the best way to achieve our ambitious, never-ending mission of making media easier for users is to work hand in hand with content owners. Without their content, none of what Hulu does would be possible, including providing you content via Hulu.com and our many distribution partner websites.

The big question here is this: Why was the request made now? Peter Kafka asks if the cable companies were behind Hulu’s put-the-Web-video-back-in-the-bottle attempt.

Jason O’Grady: Hulu’s fantastic suicide

The answer: You bet.

Here’s the deal: Cable companies pay content providers like Viacom and Disney big money to carry channels. When the economy was better cable companies weren’t going to sweat Web video experiments. It’s a different story today. Here’s what cable companies are facing:

High foreclosure rates;
Consumers cutting back on premium video packages and looking toward services like Netflix for their entertainment needs;
Intense competition from AT&T and Verizon;
And questions about the value of cable video.

The Wall Street Journal a few days ago chronicled how consumers are saving by ditching the cable service (they’re keeping the broadband service though). And Comcast’s fourth quarter results tell the tale. The cable giant actually saw a net subscriber decline. A lot of the cable problems are tied to the housing market–when you can’t afford to pay the mortgage chances are you’re not paying the cable bill either. Meanwhile, housing inventories are bloated and that also means a bunch of empty homes without cable service and customers that certainly won’t upgrade service. Here’s a look at Comcast’s customer metrics:

Comcast CFO Mike Angelakis acknowledged the troubles on the company’s earnings conference call:

The weak economy is impacting the consumer particularly on housing growth, vacancies and moves, providing us with fewer opportunities to sell new services.

Comcast operating chief Steve Burke expanded on that theme:

This earnings season everybody seems to be talking about the economy for obvious reasons. Instead of talking about the economy, what I’d like to do is be a bit more specific and talk about our marketplace. Our marketplace is affected by the economy and also by the ebb and flow of competition. In talking about our marketplace I’d like to highlight what we’re seeing, what we’re not seeing and also importantly what we’re doing about it.

In terms of what we’re seeing, first of all there’s more competition from the telephone companies, 10% of our footprint a year ago was over built, and today that number is more like 22%. Secondly, we’re seeing more price sensitivity particularly since the month of October. Third, its simply harder to make the phone ring with marketing and sales, customers appear to be defensive, they’re less likely to go out and subscribe or call up for upgrades or new services.

Hence our connects, the people coming into our business our connects are lower then we had planned. Finally, we’re seeing a very difficult ad sales environment that is currently showing no signs of improvement. Those are some of the things we’re seeing.

Burke then went on to list a few positives and noted Comcast can weather the storm–and it can.

But put yourself in the shoes of Mr. Cable mogul. You’re paying carriage fees to content companies that try to squeeze you for more money almost every year. Meanwhile, these content companies are showing video on the Web and kinda sorta monetizing it. Consumers are beginning to use Web video as a cable replacement. It’s only natural that cable companies would apply some pressure on content owners, which have to cave because Web video experiments aren’t paying the bills.

In the context of dollars, the Hulu moves are perfectly logical. The rub: The Web video genie is out of the bottle and isn’t going back in. But in a rough economy there will be many more video skirmishes in the day ahead and users will be stuck in the crossfire. The television business model is complicated and has been under attack for years. The recession–or perhaps more accurately the decession–will push the content-cable-Web tug of war to the forefront.

Mozilla shifts code development to the cloud

2009-02-20T18:12:00Z

The Mozilla Foundation's Developer Tools Lab, formed in October, has released its first prototype project - a web-based, collaborative code-editing framework named Bespin, after the planet where Cloud City is located in the Star Wars universe.

Dion Almaer and Ben Galbraith, the leaders of the Developer Tools Lab, said the aim of the project is to follow the example of tools such as Google Apps in shifting desktop-based tasks to the Internet.

Almaer said in a blog post: "As a challenge, we wanted to take on an interesting project that you would normally think of as a desktop application, and see if it would fly on the web. Being developers, why not develop something that we know and use every day? Our code editor."

Shifting the code editor to the web should make it easier for developers to collaborate, and one goal of the project is to enable live-coding sessions, Almaer said.

The tool is browser-based, so developers should be able to access it from any device using a standards-compliant browser, he said. Other high-level goals include ease of use, integration of the command line, standards compliance and extensibility, he said.

The initial release is only a preview, intended to get users and other developers involved, and Mozilla's initial focus was on performance, Almaer said.

Mozilla said: "The initial prototype framework... includes support for basic editing features, such as syntax highlighting, large file sizes, undo/redo, previewing files in the browser [and] importing/exporting projects."

Bespin 0.1 supports commands similar to those used in Ubiquity, a Mozilla Firefox browser extension that allows users to execute a variety of tasks simply by typing a command into the browser. The developers plan eventually to unite Bespin and Ubiquity, Almaer said.

He wrote: "Bespin commands look like Ubiquity commands, and we want to fully integrate them."

The project is accessible from Mozilla Labs's website, and requires a browser that implements an HTML 5 feature called Canvas. The developers said they have tested Bespin on Firefox 3 and WebKit Nightly, a test version of the open-source framework underlying Apple's Safari browser.

Targeted malware attacks exploiting IE7 flaw detected

2009-02-19T18:51:00Z

Researchers at TrendMicro have detected a targeted malware attack exploiting last week’s patched critical MS09-002 vulnerability affecting Internet Explorer 7. Upon opening the spammed Microsoft office document, vulnerable users are automatically forwarded to a Chinese live exploit site which still remains active.

The attack has also been confirmed by McAfee and by the ISC, who point out that the cybercriminals appear to have reverse engineered Microsoft’s patch in order to come up with the exploit.

From TrendMicro’s post:

The threat starts with a spammed malicious .DOC file detected as XML_DLOADR.A. This file has a very limited distribution script, suggesting it may be a targeted attack. It contains an ActiveX object that automatically accesses a site rigged with a malicious HTML detected by the Trend Micro Smart Protection Network as HTML_DLOADER.AS.

HTML_DLOADER.AS exploits the CVE-2009-0075 vulnerability, which is already addressed by the MS09-002 security patch released last week. On an unpatched system though, successful exploitation by HTML_DLOADER.AS downloads a backdoor detected as BKDR_AGENT.XZMS.

This backdoor further installs a .DLL file that has information stealing capabilities. It sends its stolen information to another URL via port 443.

The attackers trade-off in this case is to either launch a less noisy targeted attack, or attempt to target as many users as possible by using legitimate web sites as infection vectors, a choice that depends on what they’re trying to achieve, and who are they targeting in particular.

Who’s behind the attack anyway? The web service (9966.org) used as a “phone back” location with the stolen data, is a well known one used primarily by Chinese hackers in previous massive SQL injections attacks, which doesn’t necessarily mean the campaign is launched by Chinese hackers, since it could be international hackers from anywhere using a well known malicious infrastructure in order to forward the responsibility to local hackers.

Moreover, in this particular campaign I can easily argue that the window of opportunity for abusing this vulnerability in a targeted fashion, is just as wide open as attempting to exploit the same hosts by diversifying the use of different exploits. For instance, despite the timely exploitation of MS09-002, based on the number of Conficker affected hosts globally, a situation where once again a patch is present, there’s a great chance that some of the hosts they’re attempting to exploit through the use of MS09-002 are already part of Conficker’s botnet, or remain susceptible to outdated vulnerabilities.

So far, no massive malware campaigns are taking advantage of the exploit, but users are advised to self-audit themselves against known client-side vulnerabilities and MS09-002 in particular.