
Friday, September 18, 2009

Microsoft Internet Explorer SSL security hole lingers

Microsoft still does not acknowledge a weakness in its browser that enables attackers to hijack what are supposed to be secure Web sessions

Microsoft still does not acknowledge a weakness in its Internet Explorer browser that was pointed out seven weeks ago and enables attackers to hijack what are supposed to be secure Web sessions.

The company says it is still evaluating whether the weakness exists, but Apple, which bases its Safari for Windows browser on Microsoft code, says Safari for Windows has the weakness and the Microsoft code is the reason. If Microsoft doesn't fix the problem, Apple can't fix it on its own, Apple says. Apple has fixed the problem for Safari for Macs.

"Microsoft is currently investigating a possible vulnerability in Microsoft Windows. Once our investigation is complete, we will take appropriate action to help protect customers," a Microsoft spokesperson said via e-mail. "We will not have any more to share at this time."

The weakness can be exploited by man-in-the-middle attackers who trick the browser into making SSL sessions with malicious servers rather than the legitimate servers users intend to connect to.

Current versions of Safari for Mac, Firefox, and Opera address the problem, which is linked to how browsers read the x.509 certificates that are used to authenticate machines involved in setting up SSL/TLS sessions.

In July, two separate talks presented by researchers Dan Kaminsky and Moxie Marlinspike at the Black Hat conference warned about how the vulnerability could be exploited using what they call null-prefix attacks. The attacks involve getting certificate authorities to sign certificates for domain names assigned to legitimate domain-name holders and making vulnerable browsers interpret the certificates as being authorized for different domain-name holders.

For instance, someone might register www.hacker.com. In many x.509 implementations the certificate authority will sign certificates for any request from the hacker.com root domain, regardless of any sub-domain prefixes that might be appended. In that case, the authority would sign a certificate for bestbank.hacker.com, ignoring the sub-domain bestbank and signing based on the root domain hacker.com, Marlinspike says.

At the same time, browsers with the flaw he describes read x.509 certificates until they reach a null character (a byte with the value 0). If such a browser reads bestbank.com\0hacker.com, it stops reading at the null and interprets the certificate as authenticating the root domain bestbank.com, the researcher says. Browsers without the flaw correctly identify the root domain and accept or reject the certificate based on it.
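The mismatch the article describes, as an added illustration that is not from the article or from either researcher's material: the CA side looks at the whole length-prefixed name and sees hacker.com, while a NUL-terminated hostname check stops early and sees bestbank.com. The certificate field, the DER helpers and all names are constructed for this example.

```python
# Added illustration (not from the article): why a NUL byte inside an X.509
# Common Name defeats a C-string-style hostname check, and what a length-aware
# check does instead. The certificate field below is constructed, not real.

def der_utf8string(value: bytes) -> bytes:
    """DER-encode value as a UTF8String: tag 0x0C, one-byte length (<128), bytes."""
    if len(value) >= 128:
        raise ValueError("short-form length only in this example")
    return bytes([0x0C, len(value)]) + value

def decode_cn(der: bytes) -> bytes:
    """Length-aware decode: returns exactly the number of bytes the length says."""
    if len(der) < 2 or der[0] != 0x0C or len(der) != 2 + der[1]:
        raise ValueError("malformed UTF8String")
    return der[2:2 + der[1]]

def registrable_domain(cn: bytes) -> bytes:
    """What the issuing CA looks at: the last two labels of the full CN."""
    return b".".join(cn.split(b".")[-2:])

def vulnerable_match(cn: bytes, hostname: str) -> bool:
    """Mimics NUL-terminated string handling: stops reading at the first NUL."""
    truncated = cn.split(b"\x00", 1)[0]
    return truncated.lower() == hostname.lower().encode()

def hardened_match(cn: bytes, hostname: str) -> bool:
    """Uses the full decoded length and rejects any embedded NUL outright."""
    if b"\x00" in cn:
        return False
    return cn.lower() == hostname.lower().encode()

# Constructed CN in the shape the article describes: bestbank.com\0hacker.com.
CN_BYTES = b"www.bestbank.com\x00.hacker.com"
CN_DER = der_utf8string(CN_BYTES)

def check_cert(der: bytes, hostname: str) -> dict:
    """Run both checks over the decoded CN and report whom the CA vouched for."""
    cn = decode_cn(der)
    return {
        "ca_validated": registrable_domain(cn),
        "vulnerable_accepts": vulnerable_match(cn, hostname),
        "hardened_accepts": hardened_match(cn, hostname),
    }

if __name__ == "__main__":
    print(check_cert(CN_DER, "www.bestbank.com"))
```

The same outcome applies to any subject name carrying an embedded NUL, which is why the fixed browsers compare against the full encoded length rather than the first NUL.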

Intel to show off laptops, netbooks

Intel will show off key products next week that the chipmaker hopes will expand its presence in the mobile space while driving it into new markets.

The company will shed more light on its next generation of smaller and faster mobile chips at the Intel Developer Forum in San Francisco Tuesday through Thursday. The new chips will be in laptops, netbooks and even smartphones and ultramobile devices starting next year.

Intel is making rapid progress in creating smaller, more integrated chips to speed up performance while drawing less power, said Steve Smith, vice president and general manager of Intel's digital enterprise group operations. The progress is in line with Moore's Law, which states that the number of transistors on a chip doubles every two years. However, doubts have surfaced about its relevance as chips shrink at faster rates than in the past.

"Moore's Law is alive and well," Smith said. "One of the benefits we have of Moore's Law and scaling is to bring Intel architecture to smaller and smaller devices, including what I'd call mobile Internet devices, handhelds, tablets and all the way into the future of cellphone-type devices," Smith said.

Intel earlier this year announced it would invest $7 billion over the next two years to revamp manufacturing plants. Intel at the time said it wanted to add efficiencies to the production process and create smaller and more integrated chips at lower costs. The revamp would help create tinier chips to go into, for instance, smartphones, set-top boxes and TVs, which could add revenue, CEO Paul Otellini said at the time.

Intel is on track to start mass production of chips using the latest 32-nanometer process in the fourth quarter this year, an upgrade from the existing 45-nm process used to make chips like Core processors today. Intel is showcasing the levels of integration achieved by shrinking the chips, and the performance and power benefits realized from the advanced manufacturing process.

"Over time we've integrated different system functions into what we now expect on a processor," Smith said. For example, the floating point, cache and memory were originally separate system units that were ultimately integrated into the processor. Some new chips integrate functions like graphics inside the processor, Smith said.

Intel will share further details on the latest laptop chips code-named Arrandale, which are based on the Westmere architecture. Arrandale is a two-chip package with an integrated graphics processor, which could help improve graphics performance and use less power. The new chips allow each core to run two threads simultaneously so more tasks can be run at the same time compared to predecessors. The initial chips will come in dual-core configurations with 4MB of cache.

Westmere is a process shrink of the existing Nehalem microarchitecture. Nehalem forms the basis of existing Core i5, Core i7 and Xeon 5500 server chips, which are manufactured using the 45-nm process.

Google says Apple did reject Voice app

Google told the U.S. FCC that Apple did indeed reject the Google Voice application from the iPhone store, despite contrary statements from Apple.

Both Google and Apple have responded to questions posed by the FCC about the status of the Google Voice application. Apple said that it was still considering the application.

But Google, whose full comments only surfaced on the FCC Web site (PDF) on Friday, said that Apple informed it that the Google Voice application was rejected because "Apple believed the application duplicated the core dialer functionality of the iPhone. The Apple representatives indicated that the company did not want applications that could potentially replace such functionality," Google wrote in the letter.

Apple did not immediately reply to a request for comment about Google's filing, but in a statement made to The Wall Street Journal it insisted that it has not rejected Google Voice and that it continues to discuss it with Google.

Apple serves as gatekeeper for applications in its iPhone App Store. It has offered a few guidelines about what is not allowed, but has come under fire for rejecting some applications apparently only because they compete with services from either Apple or AT&T.

Google contends in the filing that Apple delivered the news about the rejection of the Google Voice application verbally, during a phone call between Phil Schiller, Apple's senior vice president of product marketing, and Alan Eustace, Google's senior vice president of engineering and research.

Microsoft launches CDN for AJAX

Microsoft's ASP.Net team is offering a free AJAX CDN (content delivery network) service to cache AJAX libraries and boost Web site performance, a company official said this week.

With the Microsoft AJAX CDN, performance can be significantly improved for ASP.Net Web Forms and ASP.Net MVC applications using ASP.Net AJAX or jQuery libraries, said Scott Guthrie, corporate vice president of the Microsoft Developer Division, in a blog entry.

The CDN service is free for both commercial and non-commercial uses. A CDN improves performance by enabling browsers to "more quickly retrieve and download content," Guthrie said.

"For example, instead of having a browser request for an image traverse all the way across the Internet to your Web server to download, a CDN can instead serve the request directly from a nearby 'edge cache' server that might only be a single network hop away from your customer, making it return much faster -- which makes your pages load quicker," he said. CDNs are composed of edge cache servers placed at key Internet network points, Guthrie said.

Microsoft will update libraries in the CDN as it ships new versions of ASP.Net AJAX.

Microsoft also has recently released ASP.Net AJAX Preview 5. ASP.Net AJAX is a client-side JavaScript library for building AJAX applications to work with modern Web browsers. The technology features client templates that can be used to format database data in a browser; client controls; ADO.Net Data Services support and Windows Communication Foundation backing.

Preview 5 improves the client-side data story. New features include dynamic and recursive templates, binding converters and compatibility with the ASP.Net UpdatePanel.

People are snapping up new desktop and laptop PCs long before the launch of Windows 7, a sign of strong demand in the market, analysts say.

Demand for PCs improved in July and August, which is "something special, because the expectation was that many people would delay purchases until after Windows 7 came out in October," said Manish Nigam, head of technology research in Asia for Credit Suisse, at a technology conference in Taipei.

Consumers often wait until after the launch of a major new operating system to buy a new PC for fear of having to pay for the upgrade and to avoid the hassle of loading the new software themselves. This time, strong marketing for free or discounted Windows 7 upgrades for new PC buyers ahead of the official launch of the OS on Oct. 22 appears to have worked.

There were also fears the global recession might continue to affect PC demand.

PC shipment growth declined for six straight months, from the beginning of the fourth quarter of last year through the end of the first quarter of this year, iSuppli said in a report last week, as the global financial crisis slammed world markets. Sequential growth returned in the second quarter and will continue for the rest of this year as the global economy continues to recover and Windows 7 launches, the market researcher said.

The advertising blitz for Windows 7 "will be a major positive for the PC industry," iSuppli said.

Hype for the new OS, which won solid reviews from many people who tested it, and lower prices for PCs are already drawing buyers.

PC shipments in August beat expectations at investment bank Merrill Lynch by 3 percent, as laptop PC demand picked up in Europe and sales remained brisk in China, the bank said in a report on Tuesday.

The investment bank remains positive about the PC sector due to strong sales by Taiwanese manufacturers and healthy inventory levels. Taiwanese companies build a large number of the world's PC components and own most of the PC assembly factories in China.

Business has been so strong in recent months that shortages of a number of components have become troublesome, including LCD screens, laptop batteries and chips such as DDR3 (double data rate, third generation) DRAM.

Indeed, Converge, a chip and component distributor, says shortages have also emerged for a number of key microprocessors. The rising demand suggests the peak season for PC manufacturing has arrived and it appears healthy, Converge said in its monthly newsletter. The company warned that the shortages will increase prices.

Increased costs for PC vendors may not translate into higher prices for consumers, however. The global economy remains weak, and companies continue to offer deals to entice people to buy new desktops and laptops.

The value of global PC shipments dropped 19.1 percent in the second quarter, market researcher IDC said on Wednesday, although the number of PCs shipped declined just 2.4 percent. The researcher attributed the fall to people favoring low-cost devices such as netbooks.

The big question mark for the PC industry is when corporations, which account for nearly 60 percent of PC shipments, will start replacing aging fleets of computers.

Wednesday, September 16, 2009

The other iPhone lie: VPN policy support

The iPhone OS 3.1 fixed false reporting about Exchange policy adherence. It turns out that a similar flaw existed for VPN policies, too

It turns out that Apple's iPhone 3.1 OS fix of a serious security issue -- falsely reporting to Exchange servers that pre-3G S iPhones and iPod Touches had on-device encryption -- wasn't the first such policy falsehood that Apple has quietly fixed in an OS upgrade. It fixed a similar lie in its June iPhone OS 3.0 update. Before that update, the iPhone falsely reported its adherence to VPN policies, specifically those that confirm the device is not saving the VPN password (so users are forced to enter it manually). Until the iPhone 3.0 OS update, users could save VPN passwords on their Apple devices, yet the iPhone OS would report to the VPN server that the passwords were not being saved.

The fact of the iPhones' false reporting of their adherence to Exchange and VPN policies has caused some organizations to revoke or suspend plans for iPhone support, several readers who did not want their names or agencies identified told InfoWorld. One reader at a large government agency describes the IT leader there as "being bitten by the change," after taking a risk to support the popular devices. "I guess we will all have to start distrusting Apple," said another reader at a different agency.

Last week's iPhone OS 3.1 update began correctly reporting the on-device encryption and VPN password-saving status when queried by Exchange and VPN policy servers, which made thousands of iPhones noncompliant with those policies and thus blocked from their networks. (Only the new iPhone 3G S has on-device encryption.) Apple's document on the iPhone OS 3.1 update's security changes neglected to mention this fix, catching users and IT administrators off-guard. Worse, it revealed that Apple's iconic devices have been unknowingly violating such policies for more than a year.

"My guess is the original decision to emulate hardware encryption was made at a level where there wasn't much awareness of enterprise IT standards. After all, this is a foreign language for Apple," says Ezra Gottheil, an analyst at Technology Business Research. "However, once the company realized the problem, it made a spectacularly dumb choice. The change was necessary and inevitable, but Apple could have earned some points by coming clean at the earliest opportunity. Instead, it allowed itself to be seen in the worst possible light. This is the result of a colossal clash of cultures. Even when it is trying, Apple cannot force itself to think like an enterprise vendor."

Apple's advice to users on addressing the Exchange encryption policy issue is to either remove that policy requirement for iPhone users or replace users' devices with the iPhone 3G S.

IT organizations can also consider using third-party mobile management tools that enforce security and compliance policies; several now support the iPhone to varying degrees, including those from Good Technology, MobileIron, and Zenprise.

Google offers Android 1.6 SDK

The development kit features a new search framework, CDMA backing, and support for additional screen sizes

The Android 1.6 SDK, which adds backing for CDMA and additional screen sizes to the Android mobile device software platform, is available for developers to download, the Google Android blog said this week.

The downloadable kit is based on the "donut" branch of the Android Open Source Project. Support for CDMA and additional screen sizes enables applications to be deployed on more mobile networks and devices, the blog states.

"You will have access to new technologies, including framework-level support for additional screen resolutions, like QVGA and WVGA, new telephony APIs to support CDMA, gesture APIs, a text-to-speech engine, and the ability to integrate with Quick Search Box," said Android SDK tech lead Xavier Ducrohet.

The 1.6 release of Android features a redesigned search framework for users to search across multiple sources such as browser bookmarks, contacts, and the Web. Searches can be done via the home screen. The user interface offers an integrated camera and a faster camera experience. A VPN control panel lets users configure different types of VPNs. Also featured is a battery usage screen indicating which applications and services are consuming power.

Version 1.6 also offers the Pico multilingual speech synthesis engine. Developers also gain a framework for building and recognizing gestures and associating them with specific actions. The SDK features the GestureBuilder tool to generate libraries of gestures to include with applications.

Devices running Android 1.6 are anticipated as soon as next month, Ducrohet said. Applications written for older versions of Android will run on version 1.6.

The kit requires a new version of Android Development Tools and includes a tool to enable downloading of updates and components like add-ons or platforms.
