
Friday, September 18, 2009

Microsoft Internet Explorer SSL security hole lingers

Microsoft still does not acknowledge a weakness in its browser that enables attackers to hijack what are supposed to be secure Web sessions

Microsoft still does not acknowledge a weakness in its Internet Explorer browser that was pointed out seven weeks ago and enables attackers to hijack what are supposed to be secure Web sessions.

The company says it is still evaluating whether the weakness exists, but Apple, which bases its Safari for Windows browser on Microsoft code, says Safari for Windows has the weakness and the Microsoft code is the reason. If Microsoft doesn't fix the problem, Apple can't fix it on its own, Apple says. Apple has fixed the problem for Safari for Macs.

"Microsoft is currently investigating a possible vulnerability in Microsoft Windows. Once our investigation is complete, we will take appropriate action to help protect customers," a Microsoft spokesperson said via e-mail. "We will not have any more to share at this time."

The weakness can be exploited by man-in-the-middle attackers who trick the browser into making SSL sessions with malicious servers rather than the legitimate servers users intend to connect to.

Current versions of Safari for Mac, Firefox, and Opera address the problem, which is linked to how browsers read the x.509 certificates that are used to authenticate machines involved in setting up SSL/TLS sessions.

In July two separate talks presented by researchers Dan Kaminsky and Moxie Marlinspike at the Black Hat Conference warned about how the vulnerability could be exploited by using what they call null-prefix attacks. The attacks involve getting a certificate authority to sign a certificate for a domain name the attacker legitimately holds, and making vulnerable browsers interpret that certificate as being authorized for a different domain-name holder.

For instance, someone might register www.hacker.com. In many x.509 implementations the certificate authority will sign certificates for any request from the hacker.com root domain, regardless of any sub-domain prefixes that might be appended. In that case, the authority would sign a certificate for bestbank.hacker.com, ignoring the sub-domain bestbank and signing based on the root domain hacker.com, Marlinspike says.

At the same time, browsers with the flaw he describes read the name in an x.509 certificate until they reach a null character (\0). If such a browser reads bestbank.com\0hacker.com, it stops reading at the null and interprets the certificate as authenticating the root domain bestbank.com, the researcher says. Browsers without the flaw read the full name and accept or reject the certificate based on it.
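The parsing difference the article describes comes down to whether the certificate name is handled by its ASN.1 length or as a NUL-terminated C string. The following is an added illustration, not code from the article or from any of the browsers it mentions: a constructed commonName byte string of the form described above is run through a matcher that mirrors the flawed behaviour and through a hardened one that honours the length and rejects embedded NULs. The sample bytes, function names and the requested host are all assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input (not data from the article): the raw bytes of a
 * certificate commonName shaped like the one described above,
 * "bestbank.com\0hacker.com". In X.509 the name carries an explicit ASN.1
 * length, so the embedded NUL is part of the data, not a terminator. The
 * string literal's own trailing NUL is excluded from the length. */
static const unsigned char SAMPLE_CN[] = "bestbank.com\0hacker.com";
static const size_t SAMPLE_CN_LEN = sizeof(SAMPLE_CN) - 1;   /* 23 bytes */

/* The flawed behaviour: the parsed name is handed to C-string routines, which
 * stop at the first NUL, so the name appears to be exactly "bestbank.com". */
bool hostname_matches_vulnerable(const unsigned char *cn, size_t cn_len,
                                 const char *host)
{
    (void)cn_len;                          /* length is ignored: this is the bug */
    return strcmp((const char *)cn, host) == 0;
}

/* Case-insensitive ASCII comparison over an explicit length; DNS names are
 * case-insensitive, so "BestBank.com" and "bestbank.com" are the same host. */
static bool ascii_eq_nocase(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/* Hardened matcher: honours the ASN.1 length, rejects any embedded NUL
 * outright, and requires the whole name to equal the requested host. */
bool hostname_matches_hardened(const unsigned char *cn, size_t cn_len,
                               const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;                      /* embedded NUL is never valid in a hostname */
    size_t host_len = strlen(host);
    if (host_len != cn_len)
        return false;                      /* a prefix match is not a match */
    return ascii_eq_nocase(cn, host, cn_len);
}

int main(void)
{
    const char *host = "bestbank.com";     /* the site the user intended to reach */
    printf("vulnerable matcher accepts: %s\n",
           hostname_matches_vulnerable(SAMPLE_CN, SAMPLE_CN_LEN, host) ? "yes" : "no");
    printf("hardened matcher accepts:   %s\n",
           hostname_matches_hardened(SAMPLE_CN, SAMPLE_CN_LEN, host) ? "yes" : "no");
    return 0;
}
```

The vulnerable matcher accepts the sample for bestbank.com because strcmp never sees the bytes after the NUL; the hardened one refuses it on the embedded NUL alone, and would also refuse it on length even if the NUL check were missing. A real validator additionally walks the subjectAltName entries, handles wildcard labels and prefers SAN over commonName, but each of those comparisons has to be length-aware in exactly this way.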

Intel to show off laptops, netbooks

Intel will show off key products next week that the chipmaker hopes will expand its presence in the mobile space while driving it into new markets.

The company will shed more light on its next generation of smaller and faster mobile chips at the Intel Developer Forum in San Francisco Tuesday through Thursday. The new chips will be in laptops, netbooks and even smartphones and ultramobile devices starting next year.

Intel is making rapid progress in creating smaller, more integrated chips to speed up performance while drawing less power, said Steve Smith, vice president and general manager of Intel's digital enterprise group operations. The progress is in line with Moore's Law, which states that the number of transistors on a chip doubles every two years. However, doubts have surfaced about its relevance as chips shrink at faster rates than in the past.

"Moore's Law is alive and well," Smith said. "One of the benefits we have of Moore's Law and scaling is to bring Intel architecture to smaller and smaller devices, including what I'd call mobile Internet devices, handhelds, tablets and all the way into the future of cellphone-type devices," Smith said.

Intel earlier this year announced it would invest $7 billion over the next two years to revamp manufacturing plants. Intel at the time said it wanted to add efficiencies to the production process and create smaller and more integrated chips at lower costs. The revamp would help create tinier chips to go into, for instance, smartphones, set-top boxes and TVs, which could add revenue, CEO Paul Otellini said at the time.

Intel is on track to start mass production of chips using the latest 32-nanometer process in the fourth quarter this year, an upgrade from the existing 45-nm process used to make chips like Core processors today. Intel is showcasing the levels of integration achieved by shrinking the chips, and the performance and power benefits realized from the advanced manufacturing process.

"Over time we've integrated different system functions into what we now expect on a processor," Smith said. For example, the floating point, cache and memory were originally separate system units that were ultimately integrated into the processor. Some new chips integrate functions like graphics inside the processor, Smith said.

Intel will share further details on the latest laptop chips code-named Arrandale, which are based on the Westmere architecture. Arrandale is a two-chip package with an integrated graphics processor, which could help improve graphics performance and use less power. The new chips allow each core to run two threads simultaneously so more tasks can be run at the same time compared to predecessors. The initial chips will come in dual-core configurations with 4MB of cache.

Westmere is a process shrink of the existing Nehalem microarchitecture. Nehalem forms the basis of existing Core i5, Core i7 and Xeon 5500 server chips, which are manufactured using the 45-nm process.

Google says Apple did reject Voice app

Google told the U.S. FCC that Apple did indeed reject the Google Voice application from the iPhone store, despite contrary statements from Apple.

Both Google and Apple have responded to questions posed by the FCC about the status of the Google Voice application. Apple said that it was still considering the application.

But Google, whose full comments only surfaced on the FCC Web site (PDF) on Friday, said that Apple informed it that the Google Voice application was rejected because "Apple believed the application duplicated the core dialer functionality of the iPhone. The Apple representatives indicated that the company did not want applications that could potentially replace such functionality," Google wrote in the letter.

Apple did not immediately reply to a request for comment about Google's filing, but in a statement made to The Wall Street Journal it insisted that it has not rejected Google Voice and that it continues to discuss it with Google.

Apple serves as gatekeeper for applications in its iPhone App Store. It has offered a few guidelines about what is not allowed, but has come under fire for rejecting some applications apparently only because they compete with services from either Apple or AT&T.

Google contends in the filing that Apple delivered the news about the rejection of the Google Voice application verbally, during a phone call between Phil Schiller, Apple's senior vice president of product marketing, and Alan Eustace, Google's senior vice president of engineering and research.

Microsoft launches CDN for AJAX

Microsoft's ASP.Net team is offering a free AJAX CDN (content delivery network) service to cache AJAX libraries and boost Web site performance, a company official said this week.

With the Microsoft AJAX CDN, performance can be significantly improved for ASP.Net Web Forms and ASP.Net MVC applications using ASP.Net AJAX or jQuery libraries, said Scott Guthrie, corporate vice president of the Microsoft Developer Division, in a blog entry.

The CDN service is free for both commercial and non-commercial uses. A CDN improves performance by enabling browsers to "more quickly retrieve and download content," Guthrie said.

"For example, instead of having a browser request for an image traverse all the way across the Internet to your Web server to download, a CDN can instead serve the request directly from a nearby 'edge cache' server that might only be a single network hop away from your customer, making it return much faster -- which makes your pages load quicker," he said. CDNs are composed of edge cache servers placed at key Internet network points, Guthrie said.

Microsoft will update libraries in the CDN as it ships new versions of ASP.Net AJAX.

Microsoft also has recently released ASP.Net AJAX Preview 5. ASP.Net AJAX is a client-side JavaScript library for building AJAX applications to work with modern Web browsers. The technology features client templates that can be used to format database data in a browser; client controls; ADO.Net Data Services support and Windows Communication Foundation backing.

Preview 5 improves the client-side data story. New features include dynamic and recursive templates, binding converters and compatibility with the ASP.Net UpdatePanel.

People are snapping up new desktop and laptop PCs long before the launch of Windows 7, a sign of strong demand in the market, analysts say.

Demand for PCs improved in July and August, which is "something special, because the expectation was that many people would delay purchases until after Windows 7 came out in October," said Manish Nigam, head of technology research in Asia for Credit Suisse, at a technology conference in Taipei.

Consumers often wait until after the launch of a major new operating system to buy a new PC for fear of having to pay for the upgrade and to avoid the hassle of loading the new software themselves. This time, strong marketing for free or discounted Windows 7 upgrades for new PC buyers ahead of the official launch of the OS on Oct. 22 appears to have worked.

There were also fears the global recession might continue to affect PC demand.

PC shipment growth declined for six straight months, from the beginning of the fourth quarter of last year through the end of the first quarter of this year, iSuppli said in a report last week, as the global financial crisis slammed world markets. Sequential growth returned in the second quarter and will continue for the rest of this year as the global economy continues to recover and Windows 7 launches, the market researcher said.

The advertising blitz for Windows 7 "will be a major positive for the PC industry," iSuppli said.

Hype for the new OS, which won solid reviews from many people who tested it, and lower prices for PCs are already drawing buyers.

PC shipments in August beat expectations at investment bank Merrill Lynch by 3 percent, as laptop PC demand picked up in Europe and sales remained brisk in China, the bank said in a report on Tuesday.

The investment bank remains positive about the PC sector due to strong sales by Taiwanese manufacturers and healthy inventory levels. Taiwanese companies build a large number of the world's PC components and own most of the PC assembly factories in China.

Business has been so strong in recent months that shortages of a number of components have become troublesome, including LCD screens, laptop batteries and chips such as DDR3 (double data rate, third generation) DRAM.

Indeed, Converge, a chip and component distributor, says shortages have also emerged for a number of key microprocessors. The rising demand suggests the peak season for PC manufacturing has arrived and it appears healthy, Converge said in its monthly newsletter. The company warned that the shortages will increase prices.

Increased costs for PC vendors may not translate into higher prices for consumers, however. The global economy remains weak, and companies continue to offer deals to entice people to buy new desktops and laptops.

The value of global PC shipments dropped 19.1 percent in the second quarter, market researcher IDC said on Wednesday, although the number of PCs shipped declined just 2.4 percent. The researcher attributed the fall to people favoring low-cost devices such as netbooks.

The big question mark for the PC industry is when corporations, which account for nearly 60 percent of PC shipments, will start replacing aging fleets of computers.

Wednesday, September 16, 2009

The other iPhone lie: VPN policy support

The iPhone OS 3.1 fixed false reporting about Exchange policy adherence. It turns out that a similar flaw existed for VPN policies, too

It turns out that Apple's iPhone 3.1 OS fix of a serious security issue -- falsely reporting to Exchange servers that pre-3G S iPhones and iPod Touches had on-device encryption -- wasn't the first such policy falsehood that Apple has quietly fixed in an OS upgrade. It fixed a similar lie in its June iPhone OS 3.0 update. Before that update, the iPhone falsely reported its adherence to VPN policies, specifically those that confirm the device is not saving the VPN password (so users are forced to enter it manually). Until the iPhone 3.0 OS update, users could save VPN passwords on their Apple devices, yet the iPhone OS would report to the VPN server that the passwords were not being saved.

The fact of the iPhones' false reporting of their adherence to Exchange and VPN policies has caused some organizations to revoke or suspend plans for iPhone support, several readers who did not want their names or agencies identified told InfoWorld. One reader at a large government agency describes the IT leader there as "being bitten by the change," after taking a risk to support the popular devices. "I guess we will all have to start distrusting Apple," said another reader at a different agency.

Last week's iPhone OS 3.1 update began correctly reporting the on-device encryption and VPN password-saving status when queried by Exchange and VPN policy servers, which made thousands of iPhones noncompliant with those policies and thus blocked from their networks. (Only the new iPhone 3G S has on-device encryption.) Apple's document on the iPhone OS 3.1 update's security changes neglected to mention this fix, catching users and IT administrators off-guard. Worse, it revealed that Apple's iconic devices have been unknowingly violating such policies for more than a year.

"My guess is the original decision to emulate hardware encryption was made at a level where there wasn't much awareness of enterprise IT standards. After all, this is a foreign language for Apple," says Ezra Gottheil, an analyst at Technology Business Research. "However, once the company realized the problem, it made a spectacularly dumb choice. The change was necessary and inevitable, but Apple could have earned some points by coming clean at the earliest opportunity. Instead, it allowed itself to be seen in the worst possible light. This is the result of a colossal clash of cultures. Even when it is trying, Apple cannot force itself to think like an enterprise vendor."

Apple's advice to users on addressing the Exchange encryption policy issue is to either remove that policy requirement for iPhone users or replace users' devices with the iPhone 3G S.

IT organizations can also consider using third-party mobile management tools that enforce security and compliance policies; several now support the iPhone to varying degrees, including those from Good Technology, MobileIron, and Zenprise.

Google offers Android 1.6 SDK

The development kit features a new search framework, CDMA backing, and support for additional screen sizes

The Android 1.6 SDK, which adds backing for CDMA and additional screen sizes to the Android mobile device software platform, is available for developers to download, the Google Android blog said this week.

The downloadable kit is based on the "donut" branch of the Android Open Source Project. Support for CDMA and additional screen sizes enables applications to be deployed on more mobile networks and devices, the blog states.

"You will have access to new technologies, including framework-level support for additional screen resolutions, like QVGA and WVGA, new telephony APIs to support CDMA, gesture APIs, a text-to-speech engine, and the ability to integrate with Quick Search Box," said Android SDK tech lead Xavier Ducrohet.

The 1.6 release of Android features a redesigned search framework for users to search across multiple sources such as browser bookmarks, contacts, and the Web. Searches can be done via the home screen. The user interface offers an integrated camera and a faster camera experience. A VPN control panel lets users configure different types of VPNs. Also featured is a battery usage screen indicating which applications and services are consuming power.

Version 1.6 also offers the Pico multilingual speech synthesis engine. Developers also gain a framework for building and recognizing gestures and associating them with specific actions. The SDK features the GestureBuilder tool to generate libraries of gestures to include with applications.

Devices running Android 1.6 are anticipated as soon as next month, Ducrohet said. Applications written for older versions of Android will run on version 1.6.

The kit requires a new version of Android Development Tools and includes a tool to enable downloading of updates and components like add-ons or platforms.

Microsoft announces Project 2010

Available later this year in public beta, Microsoft’s latest project management offering will be built on SharePoint Server 2010


Microsoft is announcing today the latest step in its next wave of Office-related products, Project 2010, which the company says is the biggest Project release in a decade. The software has been given a significant upgrade with an eye toward simplifying project management.

Project 2010 is built on SharePoint Server 2010 in order to enhance collaboration capability, make for easy integration with Microsoft Office and Exchange, and allow for easy deployment and scalability. "The fresh, simple and intuitive features of Microsoft Project 2010 will enable teams and organizations of all sizes to select and deliver the right projects on time and on budget," said Chris Capossela, senior vice president, Information Worker Product Management Group at Microsoft.

Project 2010 also integrates project management and portfolio management on a single server, meaning all aspects of PPM (project and portfolio management) share a data store with centralized administration. End-users will have a common UI, and customizable workflow controls allow for better PPM and resource allocation. Also featured are new views like Timeline and Team Planner, Web-based project editing, and user-controlled scheduling. As with other 2010 releases like Office 2010 and Visio 2010, Microsoft is aiming to provide a consistent user experience across devices and products.

On the technical side, ActiveX dependency is gone in Project 2010 in order to improve security, and 64-bit compatibility boosts performance.

Microsoft has cut the number of Project editions from four down to three: Project Standard 2010, Project Professional 2010, and Microsoft Project Server 2010. A public beta is due later this year, and full release is expected in the first half of 2010.


Monday, September 14, 2009

Windows 7 touch: Dead on arrival

Integrating touchscreen technology into the OS sounds revolutionary -- until you try to use it

Touch-based interfaces have captured everyone's imagination, thanks in large part to the iPhone. With Windows 7, Microsoft joins Apple in bringing touch to the desktop, baking touch capabilities into the OS itself. Whereas Apple quietly added touch to Mac OS X Leopard a couple of years back, Microsoft has hyped its Microsoft Surface technology for more than a year. Beneath this hype has been the suggestion that, with Windows 7, a touch revolution is brewing.


Or maybe not.


Two years of avid iPod Touch use has gotten me excited about the idea of touch UIs, so I was eager to try out the vaunted touch technology in Windows 7. My MacBook Pro has touch capabilities in its trackpad, but I usually run the laptop closed when working at my desk, so its touch capabilities haven't been regularly accessible. The new breed of all-in-one PCs with touch-sensitive screens from Dell and Hewlett-Packard promised to change the equation and make touch on the PC as cool and functional as touch on an iPhone.

Well, that was the theory. The truth has been a bitter disappointment. In both Windows 7 and Mac OS X Snow Leopard, the touch experience has been underwhelming.

Limited deployment is partly to blame, as -- despite marketing hype -- neither Apple nor Microsoft is making a serious effort to touchify their OSes. For Microsoft, touch seems to be a technology crush it won't admit it's fallen out of love with; for Apple, touch seems to be a key part of its non-PC strategy. (Neither Apple nor Microsoft would talk to InfoWorld about touch technology.)

Of course, Microsoft and Apple may have reason for not getting serious about touch. After all, outside of the obvious use in self-contained kiosk environments, does touch really make sense on a PC?

My early experience suggests it does not.

Here are the key concerns that make PC touch useless for most people -- and that will continue to plague any notion of a "touch revolution" on the desktop PC for years to come.

Issue 1: Touch is not omnipresent
What makes the touch interface so compelling on the iPhone and on quality copycats such as the Palm Pre is that the use of touch gestures is a fundamental part of the operating system and the applications. Just as using a mouse is fundamental and universal in Windows and Mac OS X, touch gestures are universal in the iPhone, Palm Pre, and so on. This means the user interfaces are designed with touch at the core, and typically work intuitively as you put your finger to the screen.

Saturday, September 12, 2009

Skype closes its Extras program for developers

There wasn't enough demand for the plug-in apps, though Skype will still support other developer programs

By Juan Carlos Perez | IDG News Service

Skype is shutting down Extras, the most important part of its program for outside developers, saying that demand for these third-party plug-ins has been weak.

"Despite the incredible breadth of Extras developed for Skype, simply not enough people were using them to justify our continued support of the Extras programme," Skype official Antoine Bertout wrote Friday in an official blog.

Extras applications are installed within the Skype system so that end users can execute them from within Skype's user interface. Extras are both free and fee-based.

While Skype will no longer accept new Extras, it will continue offering the existing ones via the Extras Manager interface in Skype for Windows and in the Skype shop. Skype also plans to continue to maintain all public API (application programming interface) documents and API tools.

The decision to discontinue the Extras program was tough, but it doesn't mean the end of the Skype developer program, according to Bertout.

"While the Extras program didn't work as well as we'd hoped, we still believe there are opportunities for third-party developers to enhance the Skype experience. We'll keep you posted," he wrote.

Skype, eBay's Internet telephony, video conferencing and instant messaging unit, is in the process of changing owners. eBay, which paid $2.6 billion to buy Skype in October 2005, has reached an agreement to sell a 65 percent stake in Skype for $1.9 billion in cash to an investor group led by Silver Lake.
