
Tuesday, July 29, 2008

Apple restores partial access to MobileMe e-mail, admits messages lost

Apple Inc. late on Friday announced that it had restored partial access to blacked-out MobileMe e-mail accounts, but the company acknowledged that some messages sent to those accounts had been lost during the week-long outage.

Full access to MobileMe's e-mail will be restored within another week, Apple said.

In a posting under a new "Status" section of the MobileMe home page on Apple's Web site, an unnamed employee said he had been directed by CEO Steve Jobs to keep users up to date on the outage and efforts to restore service.

The long message -- an unusual step for Apple, but perhaps prompted by the fact that those affected are not able to receive mail at their mac.com or me.com addresses -- summarized the problem, which Apple blamed on a balky server. The post also reiterated Apple's claim that only about 1% of MobileMe subscribers had been blocked from their accounts.

"As of today, a team was able to restore limited Web access to those accounts so the affected members can use their browsers to read mail that has arrived since last Friday (though not before) as well as send and receive new mail," the Friday message read. "The team has already begun rolling out restoration of full access for all the accounts and expect[s] to finish by the end of next week."

The Apple employee confirmed the loss of some messages sent to the affected accounts in the two days prior to the outage, which began for most users on July 18. "We particularly regret to report the loss in the affected accounts of approximately 10% of the messages received between July 16 and July 18," Apple said.

Apple also updated a support document late Friday night to flesh out instructions to users. Until the new messages were posted to the Status page of MobileMe, the support document had been the only official word on the incident by Apple.

The document noted that the partial service restoration "does not provide access to any e-mail messages received or saved before the outage began on July 18," but it promised that most would eventually be restored to users. However, the support document echoed the warning in the Status message about lost mail. "While the vast majority of your e-mail messages will be fully restored, a small percentage of e-mail messages in the affected accounts have regrettably been lost. This includes approximately 10% of messages received between 5:00 a.m. PDT on July 16 and 10:20 a.m. PDT on July 18. We sincerely apologize for any e-mail messages you may have lost."

The only recourse, according to Apple, is if subscribers used a desktop client -- such as Mac OS X's Mail or Outlook, Outlook Express or Windows Mail on a PC -- to grab messages from their mac.com and me.com accounts and backed up their Mac's or PC's data. Those customers may be able to restore lost messages from their own backups.

Others are out of luck. "If you access your MobileMe Mail exclusively at me.com, there's nothing for you to do. Your account will be restored, but you will not be able to retrieve any messages that may have been lost from your account," the document stated.

MobileMe customers who had been without e-mail for more than a week were understandably happy to hear the news that some service had been restored, but the mood remained gloomy on some threads in Apple's support forums.

"After eight or so days, I think this is a little too late," said a user identified as "Confused7766" on the MobileMe forum, referring to the Status message and revised support document posted Friday. "If I had seen this on the third day, I would have been very happy."

Others continued to rebuke Apple. "Apple is still clinging to the phrase, 'rocky road' in describing the rollout," said David Farrow on another thread. "GIVE US A BREAK. This isn't a few rocks in the road, it is an effing LAND SLIDE.

"You're asking us to invest into using this service in our homes and small businesses, you have a rollout DISASTER like this, and then try to blow it off as a pebble in the road? I am losing confidence as this debacle unfolds, and I watch Apple's increasingly flailing response," Farrow wrote.

The e-mail outage was just one of several major MobileMe problems in the past two weeks. Prior to its July 11 kickoff, customers of the .Mac service -- MobileMe's predecessor -- complained about a day-long blackout when Apple shifted to MobileMe. That process was supposed to take just a few hours.

Last week, other users blasted Apple for slower-than-expected synchronization between Macs and PCs on one hand and the iPhone and MobileMe servers on the other. At the time, Apple apologized and credited customers with an additional 30 days of service after acknowledging that that part of the service didn't meet the definition of "push" synchronization.

Ex-Googlers' search engine draws fanfare, but testers prefer Google

While there has never been a shortage of would-be "Google-killers" -- upstarts aiming to beat the search giant at its own game -- few have generated fanfare like Cuil Inc. The start-up company's founders say that their search engine, also called Cuil (pronounced cool), offers an index that's three times larger than that of any other search engine.

Perhaps in anticipation of today's launch, Google Inc. on Friday boasted that it has tracked more than 1 trillion URLs on the Web. And the market leader's position was bolstered a bit today because the Cuil site was unavailable for some periods of time throughout the day.

Nonetheless, Cuil's reputation benefits from the backgrounds of those who launched the start-up firm. Anna Patterson, Cuil's president and chief operating officer, worked as an architect of Google's search index and led the company's Web page ranking team. Her co-founder and husband, Tom Costello, the company's CEO, researched and developed search engine technology at Stanford and IBM.

But despite Cuil's claim that it had indexed 120 billion Web pages and that it provides relevant results based on Web page content analysis, which goes beyond Google's link analysis techniques, some early reviewers questioned whether it can compete with Google.

Danny Sullivan, a blogger at Search Engine Land, acknowledged the pedigrees of the founders of the company. "These people know search," he wrote. "In particular, they know on-the-firing line, heavy-duty, industrial-strength search. Not only that, they're unleashing what appears to be a comprehensive service that anyone can use."

However, he debunked the company's claim that they use content rather than popularity to link Web pages. Sullivan noted that he tested the search engine with a search for the term "Harry Potter." The Harry Potter & the Order of the Phoenix movie Web site came up first on Cuil, he noted.

"This is out of thousands of possible pages," he added. "How on earth can Cuil know just from the content on the page itself that the movie site should be in the top results, especially in a Web environment where people can (and will) custom-tailor content to mislead search algorithms? The answer is link analysis -- counting links and effectively seeing who is pointed at the most. The twist is that it is done by measuring the links from pages relevant to what someone searches on."

He went on to note that today's largest search engine companies, Google, Microsoft Corp. and Yahoo Inc., offer more than just the Web searching that Cuil is providing.

"News search, image search, video search, local search -- these are just some of the verticals that Cuil lacks but which do get used by searchers," Sullivan pointed out. "Not offering these makes Cuil feel too focused on what "old school" search used to be and [like it is] missing out on the Search 3.0 vertical and blended search revolution that has been going on."

While Cuil has a chance to pick up a bigger share of the search market than other start-ups, it is unlikely to threaten Google, he added.

"Google came along at a very special time," he noted. "It had better technology at a time when all the search engines had abandoned improving search, since that was seen as a loss leader. To date, Google is the real exception of 'a better mousetrap wins.'"

Michael Arrington, a blogger at TechCrunch, added that after testing Cuil with multiple search terms, he found it to be an "excellent search engine" but without the depth or relevancy of Google results. Arrington found that a search for "dog" returned 280 million results on Cuil and 498 million on Google.

"It seems pretty clear that Google's index of Web pages is significantly larger than Cuil's, unless we're randomly choosing the wrong queries," Arrington noted. "And Cuil's ranking isn't as good as Google's, based on the pure results returned from both queries." However, he did note that Cuil excelled in related categories, which return results that were extremely relevant.

"With Google, we've all gotten used to trying a slightly different search to get the refined results we need," Arrington added. "Cuil does a good job of guessing what we'll want next and presents that in the top right widget. That means Cuil saves time for more research based queries."

Stan Schroeder, a blogger at Mashable, also tested the quality of Cuil for multiple searches compared to Google, and he found the newcomer lacking.

"The more I tried, the more I was convinced that Google is, quite simply, a vastly better search engine," he noted. "This is unfair, I know: Cuil is a very new product, and Google has been around for quite a while. No one can create a better search engine than Google, simply because Google does not only search Web sites, but -- through its domination of the market -- the entire Web bends to Google's will because every Web site wants to be positioned well on Google."

Security experts knock Apple for not patching DNS bug

Apple Inc. has not yet patched a critical Domain Name System (DNS) bug in its Mac OS X operating system, analysts and security researchers noted today as some criticized the company for dragging its feet.

"It's not sending a real good message," said Rich Mogull, an independent security consultant and former Gartner Inc. analyst. "If they don't patch this in a reasonable time, they're putting their customers at risk."

Apple, which integrates considerable open-source code into its operating systems, relies on BIND (Berkeley Internet Name Domain), created by the Internet Systems Consortium (ISC), for its DNS components. ISC patched BIND July 8, but as of today, Apple had not released an update for Mac OS X.

According to Dan Kaminsky, the researcher who uncovered the DNS flaw in February and helped coordinate a multivendor patch effort, Apple was told of the vulnerability before patches went public. "They were notified at some point," said Kaminsky, who did not name a date. "They were given a heads-up."

Approximately a month after Kaminsky discovered the vulnerability, representatives from several major developers, including Cisco Systems Inc., Internet Systems Consortium (ISC) and Microsoft Corp., met at the latter's Redmond, Wash., headquarters to discuss how to handle the bug. "In the Spring it was all about [vendors] who write DNS code, at its core it was about people who write name servers," said Kaminsky. Companies he called "second tier," those that "ship name server code that others write," were not part of that March meeting at Microsoft. Apple, he added, was one of those second tier vendors.

Calls to patch grew louder last week, however, after other researchers guessed some of the bug's technical details. Two days later, attack code went public.

Apple did not respond to questions about when it had been informed of the DNS flaw and when it would update Mac OS X to patch the bug.

Kaminsky was willing to cut Apple some slack on the DNS patch issue because of its minuscule market share. "Not that many people are running BIND on OS X Server, and those that do don't need Apple to hold their hand about patching," he said. "If there was a huge population of people behind DNS servers running OS X, I'd be more worried. That's not a dig [against Apple], it's just a statement."

In the grand scheme of things DNS, Kaminsky continued, Apple is a minor player at best. "We have bigger fish to fry," he said, adding that it was more important to focus on the vendors whose DNS code affected the most people.

True enough, said Mogull, but that's beside the point for people running Apple's operating system, particularly those relying on Mac OS X Server. "It may be a low priority in the scheme of the DNS vulnerability, but if all my servers are OS X, it matters. Within the Mac audience, it matters."

Andrew Storms, director of security operations at security vendor nCircle Network Security Inc., echoed Mogull's comments. "It is valid to say that the target market [for the DNS exploit] doesn't really affect them, if only because Mac OS X is primarily a client-side operating system."

But both Mogull and Storms hammered Apple for not providing its users with any word. "Users have to wonder if Apple is even listening to the talk about the DNS bug," Storms said. "We don't know anything. Why can't Apple simply make a one-line statement that it knows about the vulnerability and will have a fix in the next 30 to 60 days?

"It's that fear of the unknown that fuels the fire," Storms said.

Mogull, too, was critical of Apple's security process in general and this example in particular. "Apple's mostly gotten a pass on security issues," he said, "and as long as customers aren't getting beaten up, that's not been a problem. But that can change very quickly."

Mogull recommended that Apple work more closely with the open-source community responsible for code integrated in Mac OS X, such as the ISC's BIND, and urged the company to change how it handles security. "Apple does need to change its security practices. It makes a great operating system, but it's going to be much more of a target going forward."

Storms saw the bright side of Apple not patching the DNS bug, however, saying that it could be one of the few instances when the company's time-to-patch can be measured accurately. "Let's give them the best case, for them, and say that they didn't know until Microsoft patched on July 8," Storms said. "But now there's a vulnerability with exploit code freely available. How quickly is Apple going to respond and get a patch out?

"For most of the vulnerabilities it patches, it's difficult to tell what their internal [patch] release cycle looks like," he said. "This is the first chance we've had to gauge how quickly they can get their act together."

But this isn't the first time that Apple has been taken to task over how fast it updates the open-source parts in its OS. Last year, for example, Charlie Miller, a researcher at Baltimore-based Independent Security Evaluators (ISE) who is noted for his Mac and iPhone vulnerability research, called the company "negligent" for taking too long to patch. More recently, Miller slammed Apple for waiting until July to update the iPhone's built-in browser after Miller had exploited the same bug to hack a MacBook Air in March at a security conference contest.

"They do have a history of being slow to patch their open-source code," Mogull agreed.

Thursday, July 24, 2008

Researchers unleash DNS attack code

Just days after details of a critical bug in the Domain Name System (DNS) software went public, researchers released attack code that can silently redirect users to unintended sites.

HD Moore, the creator of the Metasploit penetration testing framework, and a hacker who goes by the alias "I)ruid," published the attack code in two parts yesterday and today to several security mailing lists and to the Computer Academic Underground Web site.

The two exploits do essentially the same thing, said Andrew Storms, director of security operations at nCircle Network Security Inc.; both poison a DNS server's cache, and therefore can, at least temporarily, replace the legitimate addresses in that cache with bogus destinations. Users steering to what they believe are valid sites could, if they pull the routing information from a victimized DNS server, be sent instead to a fake site such as a phony banking site, where they could be easily duped into divulging confidential information.

Yesterday's exploit, explained Storms, lets an attacker poison a DNS server's cache with a single malicious entry, but today's attack code allows a hacker to poison large quantities of domains with one fell swoop. "This second exploit has the potential for a much larger impact," said Storms, "and could result in potentially thousands of fake addresses inserted into a DNS server's cache."

HD Moore, however, noted that the single entry exploit of Tuesday gives attackers more anonymity, while today's exploit requires hackers to have a real DNS server. "That means they'll be less anonymous," Moore said, adding that it would be possible to trace the DNS requests back to the fake server operated by the attacker, then have it taken offline by, for instance, the host provider.

"Both [kinds of attacks] will be difficult to detect," Storms said. "It will probably take an end user to raise the flag when they go to their banking site, for example, and then report, 'Hey, this just doesn't look quite right.'" Digging through the enormous amount of data generated by a DNS server -- hundreds of thousands of results in an hour at a company like nCircle, said Storms -- is simply impossible.

The DNS cache-poisoning bug exploited by Moore's and I)ruid's attack code was first announced earlier this month by Dan Kaminsky, director of penetration testing at Seattle-based IOActive Inc. The bug, which Kaminsky uncovered earlier this year, was patched that same day by several major vendors, including Cisco Systems Inc., Internet Systems Consortium Inc. and Microsoft Corp.

Although Kaminsky declined to publicly disclose technical information, he briefed several fellow security researchers after he was criticized for overstating the seriousness of the threat. Those researchers withdrew their criticism and said Kaminsky's research was on target.

Monday, however, a German hacker went public with his guesses about the bug's details. His speculation was confirmed later in the day by Matasano Security, a consultancy that included at least one researcher who had been briefed on the bug by Kaminsky.

That was when Moore and I)ruid started working on the attack code, Moore said today. "We were keeping an eye on it before, but we didn't really start until Monday," he said. "There have been tools available to check to see if you needed to patch [the DNS software], but there wasn't any way to actually see if you could actually do this attack."
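The checking tools Moore refers to looked at whether a resolver's outbound queries use unpredictable source ports and transaction IDs, which is what the July patches added; a fixed port or a counter leaves an attacker with only a 16-bit ID to guess. The following Python is an added example, not from the article, Metasploit or any of the people quoted: it runs that same check over constructed samples of resolver query records (the three-field line format and all values are assumptions for the example).

```python
"""Assess whether a resolver's outbound query source ports and DNS
transaction IDs look unpredictable.  Constructed sample data; the parser
and heuristics are this example's own, not Metasploit's or Kaminsky's."""
import math
import re
from collections import Counter

# Constructed samples of a resolver's outbound queries, one per line:
# "<source port> <transaction id> <name queried>".  The line format is an
# assumption (think of fields pulled from a packet capture of the resolver's
# upstream traffic) and the values are made up, not real traffic.
UNPATCHED_SAMPLE = """\
32768 0x1001 www.example.com
32768 0x1002 mail.example.com
32768 0x1003 ns1.example.net
32768 0x1004 www.example.org
32768 0x1005 cdn.example.net
32768 0x1006 www.example.com
32768 0x1007 ftp.example.org
32768 0x1008 api.example.net
"""

PATCHED_SAMPLE = """\
41203 0x3f1a www.example.com
55917 0x9c07 mail.example.com
6073 0x21e4 ns1.example.net
23488 0xd5b2 www.example.org
60311 0x0a99 cdn.example.net
17942 0x7c3d www.example.com
49006 0xe470 ftp.example.org
33751 0x58b1 api.example.net
"""

LINE_RE = re.compile(r"^(\d+)\s+0x([0-9a-fA-F]{1,4})\s+(\S+)$")


def parse_queries(log):
    """Return a list of (source_port, txid) tuples, skipping blank lines."""
    out = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        out.append((int(m.group(1)), int(m.group(2), 16)))
    return out


def entropy_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(values):
    """Share of consecutive pairs that differ by exactly +1 (a counter)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess(log):
    """Summarise how predictable the ports and transaction IDs look.

    With only a handful of queries the entropy figures are indicative, not
    proof; a fixed port or a counter, however, is a clear sign the resolver
    lacks the randomisation the July 2008 patches introduced.
    """
    queries = parse_queries(log)
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    findings = []
    if len(set(ports)) == 1:
        findings.append("fixed source port")
    elif sequential_fraction(ports) > 0.5:
        findings.append("sequential source ports")
    if sequential_fraction(txids) > 0.5:
        findings.append("sequential transaction IDs")
    return {
        "queries": len(queries),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "findings": findings,
        "looks_patched": not findings,
    }


if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED_SAMPLE), ("patched", PATCHED_SAMPLE)):
        print(name, assess(sample))
```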

The exploits have been added to the Metasploit framework, said Moore, but at the moment can be launched only from systems running Linux. He said that work on exploits able to run from Mac OS X and other operating systems would start soon, but that the attack code would not be tweaked for Windows. Because of the way the exploits are written, they "would never work on Windows."

That doesn't mean Windows users are safe, however. Although the current exploits can't be launched by attackers from a Windows PC, end users running Windows are at risk if they don't apply this month's DNS patches.

Storms didn't dismiss the possibility of attacks now that exploit code is available, but downplayed the threat because of all the attention the bug has received. "I think the likelihood of a mass attack is limited," said Storms, "because a whole lot more people understand how DNS works than did several weeks ago."

Users should patch now, said Storms, even if they're not operating a DNS server. "It's important that you look at the Microsoft patch now," he said, referring to the fix Microsoft issued two weeks ago for every version of Windows except Vista.

"Anytime you can change [entries on a] DNS server, you run into a lot of other issues, including drive-by Web attacks," warned Moore.

Microsoft looks to mimic Apple success, says Ballmer

Microsoft Corp. CEO Steve Ballmer said yesterday that his company hopes to steal a page from Apple Inc.'s playbook and change how it works with hardware makers in an attempt to duplicate its rival's success.

In a Wednesday e-mail memo to employees that also outlined changes brought on by the departure of platforms and services chief Kevin Johnson, Ballmer cited several areas that Microsoft would focus on during the next year. Among his comments were some cryptic remarks about Apple.

"In the competition between PCs and Macs, we outsell Apple 30-to-1," Ballmer said in the e-mail, which was obtained by the Seattle Post-Intelligencer, as well as other news outlets. "But there is no doubt that Apple is thriving. Why? Because they are good at providing an experience that is narrow but complete, while our commitment to choice often comes with some compromises to the end-to-end experience."

Ballmer went on to promise that Microsoft would change how it deals with hardware vendors, such as Dell Inc. and Hewlett-Packard Co., the world's No. 1 and No. 2 computer sellers, respectively. "Today, we're changing the way we work with hardware vendors to ensure that we can provide complete experiences with absolutely no compromises. We'll do the same with phones -- providing choice as we work to create great end-to-end experiences."

Analysts struggled to interpret Ballmer's comments, with some unsure exactly what he meant and others willing to read between the lines.

"If he's serious, this would be a pretty fundamental change in how they work with hardware manufacturers," said Rob Helm, an analyst at Directions on Microsoft, a Kirkland, Wash., research firm.

Historically, Microsoft's role in deciding what goes into a PC, or how PCs are priced, has been minor. "Microsoft may have had a major role at times, the Tablet PC is one, but really it relies on forward-thinking partners like HP, who would take a chance on Microsoft's designs on software," said Helm.

But the company clearly sees Apple as a threat, outnumbered sales notwithstanding. "Apple's making inroads in the U.S., especially in the consumer market and at the high end," Helm said as he speculated on what drove Ballmer to announce a major change in PC production. "Those are the same people that might pay for a premium version of Windows, so maybe that's one reason."

Allan Krans, an analyst at Technology Business Research Inc., was less inclined to read Ballmer's note as a major shift in Microsoft's strategy. "I don't think this is surprising. This is not anything new."

Rather than see it as a call for Microsoft to become more involved in hardware design, Krans interpreted the memo to mean the company will try to market its software as competitive with Apple's in the functionality and user experience areas. "He's talking not only about the software experience, he's also talking about how Microsoft plans to draw excitement to the platform and why they need to do that because of the shift toward the consumer," Krans added.

During a previously scheduled day-long meeting with Wall Street analysts at Microsoft's headquarters today, Ballmer did add that the company would boost spending on marketing in fiscal year 2009, noting that Microsoft currently spends much less on marketing PCs and smart phones than does Apple.

"My first reaction is that Microsoft may be willing to do more with contract hardware makers," said Helm. "If I had to take a guess, I'd say [it would be] in the ultramini laptop market, which is currently hot and an area that Microsoft has deep concerns."

The low-cost, lightweight notebook market, which Microsoft has touched on already this year as it made exceptions to the retirement of its aged Windows XP operating system, is important for other reasons, said Helm. "The current operating system [Windows Vista] doesn't run on that, so Microsoft has had to make allowances for crippled licenses of XP.

"It's probably within Microsoft's ability to produce an ultramini laptop," he said.

But can Microsoft pull off such a dramatic shift in how it works with hardware partners? Can it really make itself more Apple-like? Helm was dubious.

"They'll say, 'How hard can it be? And we have the money to blow it a couple of times if that's what it takes.' That's their thinking," Helm said.

Microsoft's online woes hint at larger vulnerability

Microsoft Corp. has built its massive software business by watching other companies take the lead in emerging technology markets and then following fast with competitive products that eventually become dominant once those markets begin to pay out.

The company did it with IBM during the birth of the PC and Netscape during the browser wars, and it's currently making a strong showing against Sony and Nintendo in the game-console market.

However, Microsoft's inability so far to capitalize on online advertising and services and its inability to make any headway against Google shows that, despite its huge cash reserves, this strategy may no longer be effective.

In an unexpected move on Wednesday, Microsoft reorganized its platform and services division, which oversees its online services business (OSB) and its lucrative Windows OS business, into two groups to separate its distinct online brands. It also announced the departure of the president of the group, Kevin Johnson, who is reportedly leaving the company to join Juniper Networks Inc.

Both of the new organizations -- one that oversees Microsoft's online advertising and search properties and another that runs Windows Live services and Windows OS -- will report directly to Steve Ballmer.

This move shows the CEO taking firm control of a part of Microsoft's business that has been searching for an identity since the company launched Windows Live services in late 2005 -- in part as a complement to its MSN and search businesses and in part as a rebranding of previous online efforts.

"For the past two years, I've been totally confused about [the difference between] Windows Live, MSN and Windows," said Charlene Li, an independent technology industry analyst. "The messaging and product features don't pull together."

She said splitting up businesses is "a good thing" for the company because it will help clarify Microsoft's online strategy. "You start seeing some differentiation between what the Windows Live brand stands for and what online services is trying to do," Li said.

The move to divide its online brands follows the news last week on a financial conference call that Microsoft would invest "hundreds of millions of dollars" in its OSB group in light of its failure to close a deal to purchase Yahoo or at least its search business. OSB has operated at a loss for years and has shown only meager signs of life despite Microsoft's best attempts to revive it.

For Microsoft's fiscal 2008, OSB showed a year-over-year revenue gain of 32%, from $2.44 billion in 2007 to $3.21 billion in 2008. For the year, however, OSB lost $1.23 billion in operating income, nearly a 100% increase over the $617 million loss in operating income in fiscal 2007.

Last Thursday, Microsoft Chief Financial Officer Chris Liddell sketched out some vague plans for Microsoft's investment, which mainly will go into its search business to bolster online advertising revenue.

However, published reports say Microsoft's biggest shareholders aren't convinced that the company's financial bet will yield much of a return. Microsoft is hosting its annual meeting for financial analysts in Redmond, Wash., Thursday, and will likely shed more light on how it plans to revive OSB with the restructuring and with its renewed investment in the group.

Analysts will certainly be looking for some serious clarity on the topic, especially since Microsoft has been throwing money at online services for years.

"Microsoft's execution online has been poor," said Matt Rosoff, an analyst at Directions on Microsoft. "They've never had a runaway success with a product line ... nothing that has dominated the market or changed the game."

To be fair, the online advertising game -- which some analysts estimate will represent about a $50 billion revenue opportunity in the U.S. alone in the next few years -- is far from over, he said.

Rosoff noted that Microsoft only really began going after Google in earnest three years ago when it launched MSN Search, which was overhauled and rebranded Windows Live Search, and then simply Live Search shortly thereafter.

Microsoft takes a "10-year view of things," he said, noting that Microsoft made more than $60 billion in revenue last year, and the business continues to grow. The company has the "luxury of looking at this as a very long-term business," he said.

"If any other company had thrown this much money away online, they wouldn't be in business right now," Rosoff said. But because of its cash balance and the strength of its business, Microsoft "can invest a lot of money in it without having to worry about the short term."

Still, Microsoft is facing vulnerability in areas that have been a lock for the company for many years. For example, many attribute Apple Inc.'s modest growth in computer sales to negative publicity surrounding its Windows Vista PC OS. While the Windows client OS is still a cash cow and is in no real danger of obsolescence, Apple's success shows there are new chinks in the Microsoft armor.

The popularity of the iPod and iPhone may be showing Windows customers that there are credible alternatives, said Greg Sterling, principal analyst at Sterling Market Intelligence.

This so-called "halo effect," combined with Apple's aggressive advertising campaign that exploited problems users had with Vista early on, proves to PC users that they don't have to settle for what may be perceived as a subpar OS if they don't want to, he said.

"To the extent that people are less fearful of using alternative systems -- that gives them a sense they can stray from Microsoft products and still be OK," Sterling said. The growth of Google's search engine and other online services and applications also provides people with alternatives to Microsoft, he added.

This perception could hurt Microsoft in other markets it's attempting to dominate -- such as the one for virtualization software -- even if the company has the cash to play the waiting game.

Microsoft is chasing VMware in virtualization. To combat its giant competitor, VMware said on Tuesday that it would offer a free version of its basic hypervisor product -- similar to the Hyper-V product Microsoft now offers in its Windows Server OS.

If history is any indication, Microsoft should eventually be able to overtake VMware, especially since its hypervisor is tied to such a successful operating system.

But even Paul Maritz, VMware's new CEO and a former Microsoft executive, pointed out on a VMware conference call Tuesday that Microsoft is not completely invincible, especially when another company already has a substantial lead in a market.

Indeed, Sterling said, "I think there is clearly a perception in the market that Microsoft is not the invincible juggernaut it was."

Mozilla fixes nine flaws in Thunderbird

Mozilla Messaging patched nine security vulnerabilities in Thunderbird yesterday, the first time it has plugged holes in the e-mail software since early May.

Thunderbird 2.0.0.16, which was added to Mozilla's download servers late Wednesday, quashes nine bugs, including one that was patched last week in Firefox, the company's open-source browser. The remainder fix flaws that were first addressed in early July when Mozilla updated Firefox to Version 2.0.0.15.

It's not unusual for Thunderbird security updates to lag behind those released for Firefox.

Seven of the nine bugs were rated "moderate" by Mozilla, the second-lowest of the four rankings in its threat system. The other two were pegged as "low."

The bug patched in Thunderbird yesterday that was fixed in Firefox last week was in the browser rendering engine's CSSValue array data structure. According to Mozilla, the vulnerability could be used by hackers to force a crash, and from there, run malicious code. Several other just-patched Thunderbird vulnerabilities could also be used by attackers to execute code remotely.

Thunderbird 2.x, like its browser sibling, is on the way out. Most of Mozilla's attention is now on Thunderbird 3.0, which has been available as an Alpha 1 preview for more than two months.

Users can download Thunderbird 2.0.0.16 in versions for Windows, Mac OS X and Linux from the Mozilla site, call up the e-mail client's built-in updater or wait for the automatic update notification, which typically appears within 24 to 48 hours.

Thursday, July 17, 2008

Major sites fall victim to Web hijack; check yours

Security company Finjan Wednesday reported it has found more than 1,000 sites infected by an attack toolkit called "Asprox," which exploits discovered flaws in a vulnerable site's programming to add hidden attack code. The attack code in turn searches for flaws on the PC of anyone who browses to the site, and if any such holes are found it will download malware onto that computer.

I wasn't struck by the number -- these days, 1,000 sites unfortunately isn't that many -- so much as by the list of sites that Finjan says were hacked. My own city's site, which I've visited many times to pay parking tickets and the like, was nailed (though it's now clean). Snapple took a hit, as did the National Health Service in the UK and a wide range of other sites.

As with a previous SQL injection round I wrote about in May, you can check to see if your site has been infected by running a Google search. Before you do, let me repeat a warning I wrote then:

IMPORTANT: DO NOT visit the domain named in the following test, or any sites that show up on a Web search as having this domain listed in their pages' code (including cached pages). Doing so could infect your PC with malware.

This time around, you'll need to run these three different searches, as the attack is inserting different code into different sites. In each case, substitute your site's domain (e.g., computerworld.com) for "yourdomain."

site:yourdomain "b.js"

site:yourdomain "ngg.js"

site:yourdomain "fgg.js"

When I ran those searches just now I turned up plenty of still-infected sites, so again, be extremely careful about visiting any of them. If your site turns up in search results, contact your IT department or hosting provider immediately.
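The Google searches above work from the outside in; a site owner can run the same check directly over stored copies of the site's own pages. The following is an added example, not code from the original post or from Finjan: it parses each page's `<script>` tags, flags any whose file name matches one of the three markers named above, and records whether the script is loaded from a host other than the site's own (the pattern the article describes). The page content, the host names and the `bad.example` placeholder are constructed for the example, not real infected sites.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Script file names the article gives as markers of the Asprox injection.
SUSPECT_SCRIPT_NAMES = {"b.js", "ngg.js", "fgg.js"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def find_suspect_scripts(html, own_hosts):
    """Return one finding per <script src=...> whose file name is a known marker.

    own_hosts: the host names the site legitimately serves from (constructed
    for this example). A script pulled from any other host is the pattern the
    injection leaves behind, so it is marked third_party=True.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        parts = urlsplit(src)
        filename = parts.path.rsplit("/", 1)[-1].lower()
        if filename not in SUSPECT_SCRIPT_NAMES:
            continue
        host = parts.netloc.lower()
        third_party = bool(host) and host not in own_hosts
        findings.append({"src": src, "third_party": third_party})
    return findings


# Noisier fallback: some sites HTML-encode database fields on output, so the
# injected tag shows up as visible text rather than as a real <script> tag.
# This mirrors what a plain text search for the file names would catch.
_SUSPECT_TEXT = re.compile(r"\b(?:b|ngg|fgg)\.js\b", re.IGNORECASE)


def mentions_suspect_name(html):
    return _SUSPECT_TEXT.search(html) is not None


# Constructed sample: a city site page with one legitimate script and one
# injected tag appended to a text field (unquoted src, as injected tags often are).
SAMPLE_PAGE = """<html><head><title>City parking tickets</title>
<script src="/js/site.js"></script></head>
<body><h1>Pay your ticket</h1>
<p>Office hours: 8-5<script src=http://bad.example/b.js></script></p>
</body></html>"""

if __name__ == "__main__":
    for f in find_suspect_scripts(SAMPLE_PAGE, {"city.example", "www.city.example"}):
        print("suspect script:", f["src"], "(third party)" if f["third_party"] else "")
```

A hit on a third-party host is the strong signal; a hit on a relative path or the site's own host needs a look at who put the file there, and `mentions_suspect_name` is only a prompt to read the page by hand.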

Whether or not your site turns up, it's also a good idea to run the free Scrawlr tool from HP, which can check your site for the kind of vulnerabilities exploited by a SQL injection attack. It's quick and easy to download and run.

Also, for your own computer's safety, it's critical to keep all your software -- not just the browsers and the OS -- up-to-date with patches. Finjan writes that this attack kit goes after flaws in QuickTime and the AOL SuperBuddy as well as Windows.

Facebook bug leaks members' birthday data

A glitch in a test version of Facebook's Web site inadvertently exposed the birthdays of Facebook's 80 million members this week.

The bug was discovered over the weekend by Graham Cluley, a senior technology consultant at Sophos. While checking out Facebook's new design, Cluley noticed that the birth dates of some of his privacy-obsessed acquaintances were popping up when they should have been hidden.

Facebook allows users to control who sees private information such as their birth date, which can be a valuable nugget of data for identity thieves. But Cluley discovered that the new site was making this information public to other members. "Their new profile page essentially ignored the privacy setting to withhold the date of birth," he said.

"For a brief period of time, a small number of users were able to access a private beta of Facebook's new site design meant only for developers. During that time, some of those users had their birthdays revealed due to a bug," Facebook said Wednesday in a statement. The company could not say exactly how long this data was exposed or how many people viewed the beta site, but the bug was patched within hours of Cluley's discovery.
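The failure Cluley describes is a view that reads the stored record directly instead of going through the visibility check, which is easy to introduce when a new page design is built alongside the old one. The following is an added illustration of that bug class and of a test that catches it; it is not Facebook's code and its `Profile`, `Visibility` and renderer names are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    EVERYONE = "everyone"
    FRIENDS = "friends"
    ONLY_ME = "only_me"


@dataclass
class Profile:
    user_id: str
    name: str
    birthday: str                      # always stored; disclosure is a policy decision
    friends: set = field(default_factory=set)
    birthday_visibility: Visibility = Visibility.ONLY_ME


def can_view(setting, owner, viewer_id):
    """The single place that decides whether viewer_id may see a field."""
    if viewer_id == owner.user_id:
        return True
    if setting is Visibility.EVERYONE:
        return True
    if setting is Visibility.FRIENDS:
        return viewer_id in owner.friends
    return False


def render_profile_buggy(owner, viewer_id):
    # The bug class from the article: the new page copies fields straight
    # from the record and never consults the owner's setting.
    return {"name": owner.name, "birthday": owner.birthday}


def render_profile_fixed(owner, viewer_id):
    view = {"name": owner.name}
    if can_view(owner.birthday_visibility, owner, viewer_id):
        view["birthday"] = owner.birthday
    return view


def leaked_fields(renderer, owner, viewer_id):
    """Fields a renderer disclosed that policy says this viewer may not see.

    Run over every renderer in the code base (old design, new design, API),
    this is the regression check that would have flagged the beta page.
    """
    allowed = {"name"}                 # name is public in this constructed model
    if can_view(owner.birthday_visibility, owner, viewer_id):
        allowed.add("birthday")
    return set(renderer(owner, viewer_id)) - allowed


# Constructed sample profile: birthday visible to friends only.
ALICE = Profile("alice", "Alice", "1970-01-01", friends={"bob"},
                birthday_visibility=Visibility.FRIENDS)

if __name__ == "__main__":
    for renderer in (render_profile_buggy, render_profile_fixed):
        print(renderer.__name__, "leaks to stranger:", leaked_fields(renderer, ALICE, "mallory"))
```

The point of `leaked_fields` is that the policy lives in one function and every rendering path is checked against it, so a redesigned page cannot quietly opt out.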

Facebook may intend for the beta site to be private, but it has been open to the general public for several days. It features a new profile design that should be rolled out as an option to Facebook users some time this week.

Cluley himself did not consider this a major data breach, but he said it should serve as a warning to people who put a lot of information on social networks. "It raises a more serious question which is, 'Can you trust these social networks to look after your data properly?'" he said.

Facebook is sensitive about privacy. In November the company scrambled to fix its Beacon ad system after a CA researcher discovered that the system was collecting data on users' online behavior, despite Facebook's assurances to the contrary.

"With Beacon we just screwed it up," said Matt Cohler, the company's vice president of product management, during a March session with reporters.

Cluley isn't sure that won't happen again. He's telling his friends to just make up a birth date on Facebook from now on.

Tuesday, July 15, 2008

Apple's MobileMe users gripe about 'push' that isn't

Some Mac users are calling foul after discovering that information entered on their Mac and PC calendars and address books isn't pushed instantly to the servers in the MobileMe "cloud."

Apple, meanwhile, has posted a support document to its Web site acknowledging that applications on a PC, or on a Mac running Leopard, synchronize with MobileMe only once every 15 minutes. Macs running the older Mac OS X 10.4, aka Tiger, sync with MobileMe only once each hour.

Users have vented on Apple's own forums as well in comments on sites such as MacRumors.com, which posted a story early Monday on the brouhaha.

"It's really the desktop iCal and Address Book issue that's got everyone disappointed though, because Apple didn't tell people it was only push one way down, and everyone understandably assumed that the desktop apps would push UP as well, based on Apple's marketing," said a user identified as "McToast" on a thread in Apple's MobileMe support forum Sunday. "But they don't."

Changes made to the iPhone's e-mail, address book or calendar are pushed almost instantly to the MobileMe servers, and entries added to or modified in the MobileMe Web-based applications push down to the iPhone at the same speed. Any changes that reach the MobileMe servers are pushed immediately to the user's Mac or PC, but on the upstream -- from Macs and Windows PCs to MobileMe -- there's a lag because that direction syncs only once every 15 minutes.

Apple confirmed the slower Mac/PC-to-MobileMe synchronization in a document published last week to the company's support database.

"Selecting Automatic in Mac OS X allows your computer to immediately sync and update when there are any changes on the MobileMe servers. Those changes can come from your iPhone, iPod touch, the MobileMe website, or another computer. Changes made on your computer will be synced to the MobileMe 'cloud' once every 15 minutes (or every hour in Mac OS X 10.4.11)."

Windows-to-MobileMe sync also occurs about every 15 minutes, Apple added in the document.

Most users contributing to the support forum were disappointed about the slower sync, and felt Apple misled them when it marketed MobileMe.

"This is definitely disappointing, and Apple's sales blurb is misleading if not downright wrong," said a user tagged as "keith.wilson" on the same thread as McToast. "They clearly state that 'When you make a change on one device, the cloud updates the others. Push happens automatically, instantly and continuously.' Whilst this is true for iPhones, iPod touch and the new web apps, it's not true for the Mac desktop applications."

"Disappointing to say the least," agreed another user, "FarmacyMan."

Another user called out Apple for touting MobileMe as "Exchange for the rest of us," a phrase it's used since it unveiled the service in early June. "For comparison, I updated a contact on my PC-based Outlook application (Microsoft Exchange). In a few seconds, that record was updated on my Blackberry," reported Jim Dever on the support forum. "I like to give Apple the benefit of the doubt, but they must not have anticipated the reaction by those of us expecting to see MS Exchange-like functions in MobileMe."

Elsewhere, a Mac user posted a workaround on the hints and tips section of Macworld, a Computerworld sister publication, that outlined how to change the 15-min. interval by modifying a .plist file on a Mac.

This is the second dustup over MobileMe since it went live late last week. Then, customers griped about a day-long outage as Apple launched the new service and shut down its predecessor, .Mac.

MobileMe costs $99 for a single-user annual subscription. But although Apple initially let users sign up for a free 60-day trial last week, that offer has apparently been pulled.

Icahn files Yahoo board proxy statement with SEC

Billionaire investor and Yahoo Inc. shareholder Carl Icahn filed a definitive proxy statement nominating a slate of nine directors to replace Yahoo's board and its CEO, Jerry Yang.

Today's filing with the U.S. Securities and Exchange Commission comes after Yahoo on Saturday rejected a joint proposal from Microsoft Corp. and Icahn that called for a restructuring of Yahoo's board and executive ranks and the sale of the company's search business to Microsoft.

Icahn's slate of directors includes Mark Cuban, an Internet entrepreneur and majority and controlling owner of the NBA's Dallas Mavericks; and Adam Dell, managing general partner of Impact Venture Partners, a venture capital firm focused on IT investments. The slate differs from board members Icahn proposed in a letter to Yahoo in May. Icahn's list submitted today leaves out Robert K. Shaye, co-chairman and co-CEO of New Line Cinema, and replaces Shaye with Icahn himself.

In a letter to shareholders, Icahn, who owns approximately 5% of Yahoo, said, "We believe that now is the time to enter into a significant transaction with Microsoft."

Yahoo could not be reached for comment.

In the statement, Icahn told shareholders that Microsoft would be willing to enter into an agreement to purchase all of Yahoo, or the software maker would purchase Yahoo's search business with certain guarantees for shareholders if the current board were replaced with Icahn's nominees.

Microsoft: Search-only deal was Yahoo chairman's idea

Microsoft Corp.'s proposal Friday to purchase Yahoo Inc.'s search business was actually the idea of Yahoo Chairman Roy Bostock, and Yahoo has publicly "mischaracterized" the discussion surrounding the proposal, Microsoft said Monday.

In a statement, Microsoft claimed that Bostock called the office of Microsoft CEO Steve Ballmer last Thursday to arrange a call, on which he told Ballmer that "with substantial guarantees on the table and an increase in the TAC [traffic acquisition cost] rate, there are the pillars of a search-only deal to be done."

"Mr. Bostock encouraged Mr. Ballmer to submit a new proposal to Yahoo for a search-only deal reflecting these terms," according to Microsoft.

Yahoo said Saturday night that it rejected a joint proposal made Friday night by Microsoft and investor Carl Icahn that called for a restructuring of Yahoo, the removal of its board and management team, and the sale of Yahoo's search business -- which the proposal devalued -- to Microsoft.

At the time, Yahoo said it was given only 24 hours to reject or accept the proposal.

But Microsoft said in its statement that Yahoo "mischaracterized" the discussion as "a take it or leave it ultimatum, rather than a timetable in order to move forward to intensive negotiations." The proposal also did not call for any changes to Yahoo's governance, Microsoft said.

Upon Bostock's urging Thursday, Microsoft proposed an "enhanced search transaction" to include "significant revenue guarantees, higher TAC rates, an equity investment and an option for Yahoo to extend the agreement over a 10-year period," according to Microsoft.

"At the time Microsoft submitted its enhanced proposal, Microsoft asked that Yahoo confirm whether it would agree that the enhancements were sufficient to form the basis for the parties to engage in negotiations over the weekend on a letter of intent and more detailed term sheets," according to Microsoft. However, Yahoo told Microsoft on Saturday that it had rejected the deal, Microsoft said.

Microsoft submitted its first unsolicited bid to acquire Yahoo on Feb. 1, but the two companies have been unable to come to an agreement despite months of negotiations. Most recently, Yahoo has said publicly that it is willing to sell the company to Microsoft for $33 a share and that it is not interested in a deal to sell only its search business.

Unpatched Windows PCs fall to hackers in under 5 minutes, says ISC

It takes less than five minutes for hackers to find and compromise an unpatched Windows PC after it's connected to the Internet, a security researcher said today.

The SANS Institute's Internet Storm Center (ISC) currently estimates the "survival" time of an Internet-connected computer running Windows at around four minutes if it's not equipped with the latest Microsoft Corp. security patches, said Lorna Hutcheson, a researcher and analyst, in a post to the ISC blog.

"I have been asked many [times] by people if I really believed the survival time graph on the ISC site was truly an accurate representation of how long a new system had once connected," said Hutcheson. "The answer to this is 'yes' for most home users and systems that are Internet-facing."

The ISC maintains a record of the time between network probes for an average IP address, and assumes that hackers would follow a successful probe -- which would disclose one or more open ports -- with an exploit, most likely a worm.

Another security researcher, however, said unpatched machines can last longer than just a few minutes before falling to attack. The German Honeypot Project, which sets vulnerable systems on the Internet to collect malware, estimates survival time in hours, not minutes.

"Compared to the survival time from the Internet Storm Center which is currently below five minutes, we measure a higher survival time," said Thorsten Holz, a co-founder of the project and currently a Ph.D. student at the University of Mannheim, in a post to the Honeypot Project's blog. The project's data estimates the average time between connecting to the Internet and compromise at under 1,000 minutes, or approximately 16 hours.

"[But] the time is still short, and you need to patch a system before taking it online," said Holz.

"While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas," added Hutcheson of the ISC.

Monday, July 7, 2008

Microsoft says it would deal with new Yahoo board

In a statement Monday, Microsoft Corp. confirmed that it would be interested in resuming talks with Yahoo Inc. with a new board of directors, either as part of an effort to buy Yahoo's search business or the entire company.

Billionaire investor Carl Icahn, who has been pushing for a deal with Microsoft and has proposed a new slate of Yahoo directors, also issued a letter on Monday, confirming that he has discussed the scenario "frequently" during the past week with Microsoft CEO Steve Ballmer and other executives.

In response to Icahn's letter, Yahoo's board of directors on Monday said the company is ready to sell and urged Microsoft to make an offer for all of Yahoo now if it is still interested in buying rather than speculate about plans for some "future 'negotiation' between Mr. Icahn's directors and Microsoft's management."

"If Microsoft and Mr. Ballmer really want to purchase Yahoo!, we again invite them to make a proposal immediately," the company said in a statement.

It added that a deal between Icahn's proposed new board and Microsoft to only buy Yahoo's search business "would not lead to an outcome that would be in the best interests of Yahoo!'s stockholders."

In its statement, Microsoft said that, after Yahoo's shareholder meeting this quarter, it would be "interested in discussing with a new board a major transaction with Yahoo, such as either a transaction to purchase the 'Search' function with large financial guarantees or, in the alternative, purchasing the whole company."

Microsoft also noted that its talks with the current board have reached an impasse. "Despite working since Jan. 31 of this year, as well as in the early part of last year, we have never been able to reach an agreement in a timely way on acceptable terms with the current management and board of directors at Yahoo," Microsoft's statement said. "We have concluded that we cannot reach an agreement with them."

Ballmer expressed concern that the current board could mismanage the company during the months it would take for a sale to gain regulatory approval, putting Microsoft's investment at risk, according to Icahn.

Icahn has nominated a number of candidates to be named to the board at the company's August shareholder meeting. In the letter, he said he has "little doubt" that a new board will immediately begin negotiations with Microsoft and "move expeditiously" to replace current CEO Jerry Yang "with a new CEO with operating experience."

"There is no need to keep pointing out the mistakes I believe Yahoo made by not immediately taking a $33 offer made by Microsoft. But one thing is clear -- Jerry Yang and the current board of Yahoo will not be able to 'botch up' a negotiation with Microsoft again, simply because they will not have the opportunity," Icahn wrote.

"Our company is now moving toward a precipice," he added. "It is currently losing market share in its 'Search' function; our current board has failed to bring in a talented and experienced CEO to replace Jerry Yang and return Jerry to his role as Chief Yahoo, and currently it is witnessing a meaningful exodus of talent."

Microsoft first made an unsolicited offer to buy Yahoo on Feb. 1 -- a $44.6 billion cash-and-stock deal that offered shareholders a 62% premium over Yahoo's stock price the day before of $19.18.

But 10 days later, Yahoo's board rejected that offer, saying it undervalued the company. On Feb. 11, Yahoo's stock closed at almost $30.

Microsoft later increased its offer to $33 per share, or about $47.5 billion, but Microsoft eventually walked away from the negotiations on May 3 after the two sides failed to agree on a price.

Since then, Microsoft officials have repeatedly said the company isn't interested in acquiring all of Yahoo. Later, Microsoft did offer to buy Yahoo's search advertising business, but those negotiations also fell through. Yahoo instead struck a more limited deal to outsource part of its search ad business to Google.

Google is doing WHAT?

With a skyrocketing stock price, fanboy hysteria and -- most importantly -- really useful products, Google Inc. is the prima donna of tech for the new millennium.

The company is so active that it's hard to keep track of everything it does. And, just when you get a good handle on its litany of Web applications, promising lab innovations and unheralded research projects, it seems to turn on a dime -- a difficult move for a $167 billion company with 19,000 employees -- and invent something new. Who would have thought a search site company would get involved in laying a fiber-optic undersea cable between the U.S. and Japan?

Of course, not everything has worked out for the company, as these flubs, flops and failures illustrate. JupiterResearch analyst Michael Gartenberg, for one, isn't put off by the wide range of directions the company has taken and occasional miscues.

"The whole Google empire started as a research project, and it's a core in their DNA to try and discover new things and figure out how to monetize them," he says. "When you have a market cap like they do and the cash cow in the guise of paid search, they can keep experimenting. You need the financial wherewithal to support these projects, and plenty of smart people to carry them out. Google does not seem short on either."

Truth and rumors

Here's an update on some of Google's most interesting projects, including some new details about Android, energy initiatives, language translation and a new facial recognition search technology. Also, the Web is rife with wild rumors about clandestine Google projects, so we asked the secretive company to comment on some of the more prominent ones to try to find out what's really going on.

Android

Street View on an Android phone suddenly becomes much more powerful because you can use it when you are standing on a street corner, trying to find an address.

Although the "gPhone" never materialized, the company has been planning something better: an operating system for phones called Android. It's partly a direct competitor to Windows Mobile and partly an experiment in open-source development. Recently, the company held a contest for third-party developers to create innovative apps for Android. 1,700 programmers took up the challenge.

Examples from the contest include wayfinding apps that tap into the handheld's Global Positioning System chip. One application lets users find a taxi based on where they are. Another app lets users find their friends' locations and what they're doing and lets them create plans with them, with all the information tracked in real time. Some of these apps sound a bit theoretical at this point -- the platform and phones will ship in the second half of 2008 -- but Google did post a PDF that shows the top 50 winners in the first round of the challenge, along with screenshots.

Erick Tseng, Android product manager, says it's a massive shift in thinking from the phone dictating what you can do to the device being open to any kind of content, service, provider and media.

"There are clear benefits to the ecosystem, not just [for] the users, but [also for] developers, carriers, providers," Tseng says. "Whatever phone you use today, think about the difficulty of getting content -- Android has unfettered access to content. You never have to think about, because I am on this service or this provider I can't get certain content."

Not everything has gone smoothly for Android, however. Charles Covin, a Forrester Research Inc. analyst covering Android, says "I think the Android platform is a long-term play, and its short-term hiccups are no surprise. Google is intent on reaching consumers wherever they can, and it's clear that, while Internet use on mobile phones is still limited, it is the next venue where Google can expect to interact with its customers."

Facial recognition search

After measuring the facial characteristics of an image, you can find all versions of that image, including the most common photo and all variations.

Image search is a burgeoning market that is woefully untapped. Today, when you type "Paris Hilton" at Google.com, you'll find images that other users have tagged. Yet tagging is a tedious process. At Flickr.com, for example, many images are left untagged, making it impossible to find them by searching. The more images stored without tags, the harder it is to find them.

At Google, new facial recognition technology will make it easier to find untagged images. Unlike the technology used for biometrics -- where you can pass through a security checkpoint when a video camera confirms your identity -- this image search is purely for finding the information you want.

"What Google did for text, we want to do for vision," says Shumeet Baluja, a Google research scientist. "We want to make images just as searchable and accessible as text."

Imagine this scenario: Five years from now, when all of your digital photos are stored online, you decide you want to search for pictures of your grandmother. With Google facial recognition technology, you might start with a source scan that measures the distance between the eyes, arrangement of nose, ears, eyes and other data. In seconds, you find every image you ever uploaded -- and any image stored anywhere online.

Language translation

The actual language-translation interface looks simplistic, but it's based on thousands of language-pair rules that require high processing power and complex programming techniques.

Translation has been around for years, especially as part of search engines such as Alta Vista. Google has made progress with the vast number of languages it has made available for translation, including Russian, Arabic and the recent addition of Hindi. Another innovation is in researching the rules applied to machine translation based on cultural phenomena of languages, which requires a great deal of computer processing.

"The more rules used, the better the quality of the translation," says Franz Och, a Google machine translation research scientist. "If you want to perform an English-to-Hindi translation, for example -- which has a small subset of the language pairs [matching words] of French or Spanish -- the smaller the language, the more important machine translation becomes. Finnish is a challenging language because of the morphology. One word could have all kinds of information inherent to it. Other language translations are more complicated because there are so many differences between the languages. Nice languages with historic roots and similarities are easier, like French to English."

Energy initiatives

Bill Weihl is the energy czar at Google charged with making the company a leading example of energy efficiency. Most buildings at Google's headquarters have a solar array that provides 30% of peak power usage at the campus. The company also lets employees use hybrid cars for occasional short-term use -- they are located in a garage that is itself powered by a solar array.

"In the last year, we have been working with companies in the industry in and outside of technology to drive energy efficiency in PCs and servers," Weihl says. "We started an initiative with Intel and HP and others called the Climate Savers Initiative. Also Starbucks -- who provides a lot of the fuel that drives the tech industry. It is not a technology issue -- it is a demand issue."

Google runs the Google.org/recharge Web site as a portal for information about reducing CO2 emissions and promoting the use of hybrid vehicles.

"It costs more to get a PC or server that is energy-efficient; components have not been efficient," Weihl says. "It is a cost that pays back within a year or two. For years, we talked about price performance and features. We really need to educate the industry and consumers that they should think about energy when they buy them."

Universal search

Universal -- or "one-box" -- search changes the search paradigm at Google. Instead of just presenting text results, you now see videos, photos and other content listed in the results.

Anytime you search on Google.com, you are performing a "universal search," where the results are not just text links but a mix of Web sites, images, videos, blog entries and even audio. The underlying technology is how Google determines which results it presents and how it presents them. With universal search, Google continues to tweak algorithms and experiment with the search results. The goal, says Bailey, is to present balanced results based on the search term and move away from the heavy emphasis on only textual Web links that existed prior to the switch to universal search in May 2007.

"If you search for Martin Luther King, you might be thinking text, but we present relevant video results," says David Bailey, a Google senior software engineer for universal search. "We can look at the results and compare and contrast. Someone might be speculatively searching, but we put the 'non-Web' results at the top of the page. There might be blog posts or video podcasts. It is a good diversity play when we search everything speculatively. We know about the video, we have the thumbnails, we know the star rating, so we should present those results."

Rumored projects

Along with the confirmed projects already mentioned, there are also plenty of rumors about fantastic new programs at the Mountain View, Calif.-based technology juggernaut. We asked Google to comment on some of the more prominent rumors and to confirm or deny its involvement.

Friday, July 4, 2008

Google bows to pressure, adds 'Privacy' link to home page

For Google, read Privacy: That could be the subliminal message Google wants to send by replacing its name on its famously spartan home page with a link to its privacy policy.

Last month, privacy organizations wrote to Google CEO Eric Schmidt asking the company to link to its privacy policy from its home page. Including the link on the home page is good practice -- and also mandated by California law, the organizations said.

On Thursday, Google acceded to the request, putting the word "Privacy" at the foot of its home page and linking it to its privacy information pages. The link replaces the company's name next to the copyright notice, leaving the number of words on the home page unchanged.

Google had previously declined to make the change to its home page, saying that users appreciate the lack of clutter there. Microsoft and Yahoo both include privacy links on their search pages, while Ask.com added a link to its privacy policy on June 18.

The order to remove the company's name to make way for the privacy link came right from the company's founders, Vice President of Search Products and User Experience Marissa Mayer explained in a posting to the company's blog.

"Larry and Sergey told me we could only add this to the homepage if we took a word away -- keeping the 'weight' of the homepage unchanged at 28," she said.

That figure holds only if you have signed out of your Google account and are viewing the basic U.S. home page in English, see no promotional line running beneath the search box, see no invitation to make Google your home page because you have already done so, and count "©2008 Google" (now "©2008 Privacy") as two words.

Google gives away home-cooked Web application security scanner

Google has released for free one of its internal tools used for testing the security of Web-based applications.

Ratproxy, released under an Apache 2.0 software license, looks for a variety of coding problems in Web applications, such as errors that could allow a cross-site scripting attack or cause caching problems.

"We decided to make this tool freely available as open source because we feel it will be a valuable contribution to the information security community, helping advance the community's understanding of security challenges associated with contemporary Web technologies," wrote Google's Michal Zalewski on a company security blog.

Ratproxy -- released as version 1.51 beta -- is quick and less intrusive than other scanners in that it is passive and does not generate a high volume of attack-simulating traffic when running, Zalewski wrote. Active scanners can cause problems with application performance.

The tool sniffs content and can pick out snippets of JavaScript from style sheets. It also supports SSL (Secure Sockets Layer) scanning, among other features.

Since it runs in a passive mode, Ratproxy highlights areas of concern that "are not necessarily indicative of actual security flaws. The information gathered during a testing session should be then interpreted by a security professional with a good understanding of the common problems and security models employed in web applications," Zalewski wrote.

Google has posted an overview of Ratproxy as well as a download link to the source code. Code licensed under the Apache 2.0 license may be incorporated in derivative works, including commercial ones, but the origin of the code must be acknowledged.

Weak web application security continues to embarrass companies, potentially causing the loss of customer or financial data.

A 2006 survey by the Web Application Security Consortium found that 85.57 percent of 31,373 sites were vulnerable to cross-site scripting attacks, 26.38 percent were vulnerable to SQL injection and 15.70 percent had other faults that could lead to data loss.

As a result, security vendors have moved to fill the need for better security tools, with large technology companies acquiring smaller, specialized companies in the field.

In June 2007, IBM bought Watchfire, a company that focused on Web application vulnerability scanning, data protection and compliance auditing. Two weeks later, Hewlett-Packard said it would buy SPI Dynamics, a rival of Watchfire whose software also looks for vulnerabilities in Web applications as well as performing compliance audits.

Microsoft promises four patches next week

Microsoft Corp. on Thursday chalked in four security updates for next week that would fix vulnerabilities in Windows, SQL Server and Exchange Server.

All four were labeled "important," the company's second-highest ranking, even though one of the Windows updates will quash a bug that attackers could use to execute malicious code remotely. That kind of vulnerability has been regularly rated as "critical" by Microsoft in the past.

As is its practice for pre-patch notifications, Microsoft disclosed few details today of next week's updates other than their severity ranking and the affected software.

"None of these were on my radar," admitted Andrew Storms, director of security operations at nCircle Network Security Inc. "I'm doing quite a bit of head scratching given the variety and interesting details [in the bulletins]."

One of the two Windows bulletins will patch Windows 2000 and Windows XP -- including the recently released XP Service Pack 3 (SP3) -- but not Windows Vista, while the second update slated for the client operating system will patch Vista, including Vista SP1, but not the older OSes.

The Vista bug caught Storms' eye because while Microsoft said it could result in remote code execution -- a description reserved for a serious vulnerability that could let hackers hijack a PC -- the company ranked it as important, not critical.

"I read that kind of bug as 'critical'," said Storms. "Microsoft seems to have stepped it up a notch," he said, noting that it appears the company is taking a harder line in defining "critical" flaws as only those that don't require any user action to be exploited.

Microsoft described both the SQL Server bug and the Exchange vulnerability as elevation of privilege flaws, and will provide patches for the former to Windows Server 2003, Server 2008, Windows 2000 and all still-supported versions of SQL Server, the company said. The Exchange update applies to both Exchange Server 2003 and the newer Exchange Server 2007.

The amount of detail Microsoft tucked into the pre-patch notification for the SQL Server and Exchange Server vulnerabilities puzzled Storms, who pointed out that Microsoft specified that the former's flaw affected both WMSDE, the SQL engine added to Windows clients, and WYukon, the engine within Windows server software. "I don't know whether this is a clue [about the vulnerability] or whether they're just being more promiscuous with information," Storms said.

It doesn't appear that Microsoft will be patching an Internet Explorer vulnerability first reported in 2006, but which returned to the limelight last month when security researcher Aviv Raff claimed that it could be combined with a bug in Apple Inc.'s Safari to pose a danger to users. At the end of May, Microsoft warned users of the blended threat, and recommended that people stop using Safari.

Apple patched Safari for Windows to quash the browser's so-called "carpet bomb" bug two weeks ago.

But Storms thought there was an outside chance that Microsoft would fix IE, even though it didn't explicitly label any of the prospective patches as intended for Internet Explorer. Last year, he said, Microsoft dealt with protocol handler bugs that could be exploited by attacks against IE by fixing Windows, not the browser.

The four security updates will be posted Tuesday, July 8, around 1 p.m. EDT.

Microsoft trumpets security additions in upcoming IE8

Microsoft Corp. today outlined new security features that it plans to add to Internet Explorer (IE) next month, including anti-malware protection to match tools similar to those offered by its rivals and a filter the company said would block most cross-site scripting attacks.

Internet Explorer 8 Beta 2, which Microsoft has slated for release sometime in August, will include two new security tools, said Austin Wilson, the director of Windows client product management.

One, dubbed "SmartScreen Filter" by Microsoft, adds malware blocking to the antiphishing protection already embedded in IE7. The new feature, which will resemble the defenses already used by rival browsers Firefox 3.0 and Opera 9.5, will warn users when they're about to visit a site known or suspected of spreading malicious code and then block any download from that site.

Unlike Mozilla Corp.'s Firefox, which retrieves a blacklist several times daily, then stores it locally to compare against Web site addresses, IE8 will dynamically determine whether a site is potentially dangerous by pinging remote servers each time a user tries to reach a page.

Microsoft will use multiple third-party sources to compose the blacklists for both phishing and malware-hosting sites, said Wilson. It will also draw on data gathered by Windows Defender, the company's free antispyware tool. Wilson would not disclose the third-party information providers, however.

"We get the data feeds and update our lists multiple times a day," he said. "And IE8 makes the call to the URL reputation service servers, and if it's a phishing or malware site, the browser navigates away from the page and displays a warning."

He denied that the process would have a noticeable effect on IE8's performance. "Our choice was to make sure that the user has the most recent data possible," he said. "We do an asynchronous call, so the page rendering takes place while the call is made to the reputation servers."

Also to debut next month in IE8 Beta 2 is an integrated filter that Microsoft said would prevent most cross-site scripting attacks. "Today, the end user can be doing all the right things, checking the URL to make sure it's legitimate, only going to trusted sites, but because of vulnerabilities on the Web server side, they can still be compromised," said Wilson, referring to cross-site scripting attacks, which are most commonly used by identity thieves and have been on the upswing.

"When IE8 sees a cross-site scripting attack, it stops that script from being reflected to the server, and stops the attack at the client," Wilson added.

IE8 will have the cross-site scripting filter enabled by default, and users will not need to deal with pop-up warnings or other dialogs, added David Ross, a security software engineer at Microsoft. "When the filter discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server's response," said Ross in a technical posting to the IE team's blog today.

Cross-site scripting is sometimes referred to by the abbreviation "XSS."

However, Ross acknowledged that IE8's cross-site scripting filter won't completely protect users. "The XSS Filter defends against the most common XSS attacks but it is not, and will never be, an XSS panacea," Ross said.
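The detect-and-neuter logic Ross describes (flag script-like values in a cross-site request, then defang them only if the server echoes them back) can be modelled in a few lines. This is an added illustration, not Microsoft's filter; the request object shape, the patterns and the defanging characters are assumptions, and it deliberately ignores encoding variants, which is one reason a real filter is "not a panacea".

```javascript
// Added example (not Microsoft's IE8 code): a simplified model of the
// reflected-XSS check described above. A request is { crossSite, params };
// params are already URL-decoded. The response is the raw HTML body.

// Heuristics for values that look like script injection (assumed list).
const SCRIPT_PATTERNS = [
  /<\s*script\b/i,      // opening <script> tag
  /\bon\w+\s*=/i,       // inline event handler such as onerror= or onload=
  /javascript\s*:/i,    // javascript: URL scheme
];

function looksLikeScript(value) {
  return SCRIPT_PATTERNS.some((re) => re.test(value));
}

// Returns { body, neutered }: body is the response with any replayed
// script-like request values defanged, neutered lists the parameter names
// that were hit. Same-site requests pass through untouched, as in IE8.
function filterReflectedXss(request, responseBody) {
  const neutered = [];
  let body = responseBody;
  if (!request.crossSite) return { body, neutered };
  for (const [name, value] of Object.entries(request.params)) {
    if (!looksLikeScript(value)) continue;
    // Only a value that the server echoed verbatim is a reflected attack;
    // a value that never appears in the response is left alone.
    if (!body.includes(value)) continue;
    // Defang: break tag parsing ('<') and attribute binding ('=') inside
    // the echoed fragment so the browser never executes it.
    const safe = value.replace(/</g, '#').replace(/=/g, '#');
    body = body.split(value).join(safe);
    neutered.push(name);
  }
  return { body, neutered };
}

// Constructed sample: a cross-site search request whose query is echoed
// into the results page unescaped by a vulnerable server.
const sampleRequest = { crossSite: true, params: { q: '<script>alert(1)</script>' } };
const sampleResponse = '<p>Results for <script>alert(1)</script></p>';
console.log(filterReflectedXss(sampleRequest, sampleResponse));
```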

John Pescatore, a Gartner Inc. analyst, applauded Microsoft's plans. "It's good to see these kinds of things built into the browser," he said, adding that the two new features take different approaches against security problems on the Web.

The SmartScreen Filter is the "more reactive part" of the IE8 security upgrade, Pescatore argued. "You really have to protect the browser user against himself," he said, and one way is to block users from straying into dangerous places.

The concept behind the cross-site scripting filter and IE8's planned support for protocols designed to make intersite communications more secure is similar to the tools Microsoft and Hewlett-Packard Co. unveiled last week to help Web site developers and administrators secure their sites against SQL injection attacks. "You can't build everything into the browser," Pescatore said. "The browser has to be the thing that tries to protect the user, but it can't make up for all the Web security vulnerabilities."

IE8 Beta 2 will ship next month, Microsoft's Wilson confirmed today, although he declined to set a more specific date.

Beta 1, which launched four months ago, can be downloaded from Microsoft's Web site.
