Microsoft Issues Record Number of Security Updates

Posted: under Internet Explorer, Microsoft, Security Bulletins.

Microsoft Corp. issued a record-breaking number of software security updates today, shipping patches that plug at least 31 different security flaws in its Windows operating systems and other software.

 

More than half of the security holes Microsoft plugged with June’s patch batch earned a “critical” severity rating, meaning Redmond believes attackers could exploit the flaws to break into vulnerable systems without any help from the victims. What’s more, Microsoft is warning that it expects to see publicly available reliable exploit code for most of the vulnerabilities it has issued patches for today.

According to Symantec Corp., this is the largest number of vulnerabilities Microsoft has ever addressed in a single patch release (the previous record was set in Dec. 2008, when Microsoft issued 28 security updates in one go).

 

Probably the most important of today’s updates is a critical patch that addresses at least eight security holes in various versions of Microsoft’s Internet Explorer Web browser, including IE8. In fact, one of the flaws patched in IE8 was first demonstrated at a hacking competition in Canada in March. Microsoft says that particular flaw does not affect the Windows 7 release candidate (RC), but does affect Windows 7 Beta. The IE 8 updates for the Windows 7 Beta are available here.

 

“These weaknesses actually appear to be quite simple to exploit and we have observed malicious code being offered in malware toolkits that have taken advantage of very similar vulnerabilities,” said Ben Greenbaum, senior research manager for Symantec Security Response, of the IE flaws.

 

Another update patches two security holes in Microsoft’s Internet Information Services (IIS) Web server software. Andrew Storms, director of security operations for vulnerability management company nCircle, notes that instructions explaining how to exploit one of those IIS flaws are already available online.

“Anyone running IIS that isn’t using the available mitigation steps should jump on this one right away because there are exploits in the wild, and an exploited server can allow attackers to gain unauthorized access to protected resources on your Web site,” Storms said.

 

Microsoft also released an update that plugs at least seven holes in Microsoft Office Excel. These vulnerabilities are most serious on Office 2000 installations, but those users can’t get these updates from Windows Update.

 

Last month, Microsoft shipped a single patch to plug some 16 security holes in various versions of its PowerPoint software. The company said at the time that it was still working on fixing those flaws in the PowerPoint versions in Office for Mac and Microsoft Works. Today, Microsoft addressed those Mac and Works vulnerabilities in a separate PowerPoint patch rollup.

Comments (0) Jun 11 2009

Is IE8 the end of the line for Internet Explorer?

Posted: under Internet Explorer, Microsoft.

IE8 is the last version of the Internet Explorer Web browser. At least, that’s what I’m hearing through the grapevine. It seems that Microsoft is preparing to throw in the towel on its Internet Explorer engine once and for all.

 

And just what will be its replacement? I’m getting conflicting stories on that one. Some are still claiming that Microsoft will go with WebKit, which, thanks to the popularity of Apple’s Safari browser and also Google’s Chrome, is rapidly becoming a de facto standard for all non-IE and non-Firefox implementations.

 

Others insist that the whole WebKit story is merely a feint and that Microsoft will in fact be adopting a brand-new engine coming out of its Microsoft Research division. Dubbed “Gazelle,” this new engine will supposedly be more secure than Firefox or even Chrome, making copious use of sandboxing to keep its myriad plug-ins isolated and the overall browser process model protected.

But regardless of which direction Microsoft takes — WebKit or Gazelle — it will still have to navigate the treacherous waters of legacy ActiveX support. And as someone who has spent some not-so-quality time developing ActiveX controls in the past, the need to maintain some sort of compatibility layer within any proposed IE replacement is a critical consideration.

 

For most casual users (i.e., grandma in her den surfing eBay), ActiveX was and is just another annoying RIA (rich Internet application) mechanism, one that has increasingly been supplanted by Adobe Flash or various AJAX-based mechanisms. However, for enterprise IT shops with a heavy Microsoft investment, ActiveX has long been an integral part of many in-house applications.

 

If Microsoft intends to pull the plug on IE after version 8, it will need to articulate a clear legacy migration strategy that allows these shops to preserve their investments in ActiveX controls and resources.

 

Then there’s the issue of legacy HTML/CSS support. So much of the Web has been tweaked for IE 6.x compatibility that even Microsoft’s own attempts to implement a more standards-compliant browser engine in IE8 have met with disastrous results. For me, the situation is so bad that when I do find myself using IE 8 (typically, to view a site that causes my copy of the Chrome 2.x beta release to blow up), I end up configuring IE 8’s compatibility mode as the default viewing option since the browser’s native rendering mode breaks practically every site I visit.

Finally, there’s the matter of third-party developers using IE’s rendering engine with their own applications. A good example would be a program that includes a help file in HTML format and then uses a custom form to display an embedded Web browser object to host the file. This embedded object is invariably an ActiveX container for the IE engine that’s installed with Windows, so any attempt to remove IE from the OS — or to radically change its core underpinnings — will need to account for applications that rely on the existence of an accessible, programmable IE object model.

 

Of course, all of the above is old hat for Microsoft, a company whose status as global software leader too often makes it a victim of its own success. I, for one, look forward to the possibility of a clean break with IE’s creaky old rendering engine. But I hope the company pays more care and attention to preserving legacy compatibility than it did with some of its more recent OS efforts.

Comments (0) Mar 11 2009

IE slips further as Firefox, Safari, Chrome gain

Posted: under I.T. News, Internet Explorer.

The amount of market share commanded by Microsoft’s Internet Explorer browser has dropped for the seventh consecutive month.

 

Internet Explorer now has 67.55 percent of global browser market share, a drop of over seven percentage points in a year, according to figures from Web metrics company Net Applications, released Monday. Mozilla’s Firefox browser, meanwhile, has gained market share in the same time frame, climbing over three percentage points to 21.53 percent.

 

 

Microsoft’s browser has steadily lost ground to its competitors in the past year. Its share dropped sharply in both October and November 2008, when it lost over one percentage point in each month.

 

Apple’s Safari browser now stands at 8.29 percent, up from 7.13 percent in November, when IE dipped. Safari has gained share more quickly than Firefox in that period: Mozilla’s browser accounted for 20.78 percent of browser use three months ago, and now has 21.53 percent.

 

Google’s Chrome browser, launched in September 2008, now has 1.12 percent of the market, having overtaken Opera in November. Opera’s share of the market now stands at 0.7 percent.

 

Internet Explorer’s drop of seven percentage points since February last year is a continuing trend. Microsoft lost over nine percent of browser market share in the preceding two years.

Most of IE’s drop in the past year has been in Internet Explorer 6, which fell from 30.63 percent last February to 19.21 percent this January. Internet Explorer 7 has gained market share overall over the same time period, rising from 44.03 percent to 47.32 percent.

 

Microsoft launched the first release candidate for Internet Explorer 8 last week. It hopes to regain lost ground by adding features such as private browsing and a cross-site scripting filter.

Comments (0) Feb 03 2009

Does the White House Have Wi-Fi?

Posted: under I.T. News, Internet Explorer, Networking.

Is the White House more of a museum than a working office? Does it even have WiFi?

 

MSNBC has reported that on their first day on the job, Obama’s White House staffers suffered from downgrades on every front. During the campaign and the transition, Obama’s team was a Mac shop; they arrived in the White House to find six-year-old Windows PCs and a mess of disconnected land-line phones. (Windows! The horror!)

 

Not only that — staffers were forbidden from accessing outside email accounts or chatting online, too. MSNBC quotes one Obama spokesperson as characterizing the transition as “kind of like going from an Xbox to an Atari.” Bummer.

 

However, Andrew Rasiej, co-founder of the blog TechPresident, notes that the President won’t be as isolated as we thought. “Obama is keeping his BlackBerry, or at least that’s the latest word,” he says. Even still, the White House doesn’t sound anywhere close to the standards of business 2.0. But what about life 2.0?

 

Not much better. “They are going to ban instant messaging from the White House,” says Rasiej, “so staff don’t get caught writing something as casually as if they were speaking it.” Putting as little information as possible into digital channels means less is lost in the event of a security breach. A casual attitude towards Internet communication could spell trouble, Rasiej says.

 

So no IM for Sasha and Malia. What about email? Can the girls and Michelle keep up email correspondence the way they used to?

 

“Internet Access will be available for the whole family, but under greater security control,” Rasiej says. Personal emails from the first lady and the kids are considered private, and won’t be subject to the post-Nixon Presidential Records Act, so the girls can feel free to dish to their friends without worrying those emails will ever become public domain.

 

Luckily, Obama’s staff won’t be stuck in the dark ages forever. MSNBC says that White House counsel had approved the use of Gmail accounts and personal cell phones, allowing staffers — many of whom arrived at their new offices to find neither computer nor phone — to get communications up and running. Many of the other restrictions on White House communications can be lifted or altered with a stroke of the President’s pen.

Rasiej says Wi-Fi isn’t out of the question, either. “I’m not sure if the first family will have Wi-Fi access, but I don’t see why not, under the right security,” he theorizes. Staffers won’t care either way; White House-issued laptops are reportedly scarce.

 

It’s not known whether the White House currently uses Wi-Fi, but the network security news site Dark Reading used a long-range antenna to scour the White House environs for vulnerable wireless networks in 2007. They found 104 networks and 66 wireless access points in the area, many of them encrypted with easily hackable WEP passwords — mostly coffee shops, hotels, and offices. They couldn’t trace any of them back to the White House itself until they accessed a database that mashes up WAP data with Google Maps. They found eight networks coming from inside the building, but none of them visible or accessible to outsiders. (As they note, these could belong to press organizations or other non-governmental entities camping out at the first residence.)

Other buildings in the capital were more vulnerable. Sitting in front of the Treasury building, they picked up an EV-DO signal — a wireless broadband card connected to a laptop. If an employee were to access the Internet with one of those (say, to get to a site that might be restricted from a government PC), and then re-attach the computer to the government network, a virus could easily jump the virtual fence.

Should Obama’s administration bring change to the way the White House does its daily business, they’ll have to be wary that some of our most-loved Internet conveniences might not be worth the risk. Isn’t bureaucracy fun?

Comments (0) Jan 26 2009

Internet Growth Follows Moore’s Law Too

Posted: under I.T. News, Internet Explorer, Networking.

Originally, Moore’s Law described the number of transistors that can fit on an integrated circuit, which doubles approximately every 18 months. Now, a team of researchers from China has discovered that Moore’s Law can also describe the growth of the Internet. In a recent study, the researchers have predicted that the Internet will double in size every 5.32 years.

 

That finding is one of several results from the study published by Guo-Qing Zhang, et al., in a recent issue of the New Journal of Physics. The researchers investigated the evolution of large-scale Internet topology, or how the Internet is structured and connected. Based on routing data at six-month intervals from December 2001 to December 2006, the researchers predicted not only the Internet’s exponential growth rate, which follows Moore’s Law, but also more specifically how the Internet evolves.

The study looked at the Internet not in terms of Web sites in the World Wide Web, but at the level of autonomous systems (AS). As Zhang explained, an AS, the unit of routing policy, is an administrative routing domain that can apply its own policy, which is a result of a mutual commercial agreement between autonomous systems. A university, an ISP, or a large company network can own an AS.

 

In the researchers’ model, each node represents an autonomous system. A link between two autonomous systems is, in the real world, both physical (i.e. optical fiber cables connecting the two networks) and commercial (i.e. an agreement between the two networks).

 

To identify the core of the Internet, which is the most important part, the researchers used a method called k-core decomposition. Here, a k-core is obtained by recursively removing all nodes (with their respective links) with degree less than k. Very few nodes belong to the core: the most central part of the core (the nucleus) contains less than 0.3% of the total nodes.
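
The peeling procedure described above, as an added example that is not from the original post or from the study; the AS names and links are a constructed toy topology, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed AS-level topology (hypothetical names): four fully meshed
# transit networks, two regional providers, four single-homed stubs.
LINKS = [
    ("T1", "T2"), ("T1", "T3"), ("T1", "T4"),
    ("T2", "T3"), ("T2", "T4"), ("T3", "T4"),
    ("R1", "T1"), ("R1", "T2"), ("R2", "T2"), ("R2", "T3"),
    ("S1", "R1"), ("S2", "R1"), ("S3", "R2"), ("S4", "T4"),
]

def build_graph(links):
    """Undirected adjacency map: node -> set of neighbouring nodes."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return dict(adj)

def k_core(adj, k):
    """Nodes left after recursively removing every node of degree < k."""
    alive = {n: set(nbrs) for n, nbrs in adj.items()}
    pending = [n for n, nbrs in alive.items() if len(nbrs) < k]
    while pending:
        n = pending.pop()
        if n not in alive:          # already removed via another neighbour
            continue
        for m in alive.pop(n):      # drop n together with its links
            alive[m].discard(n)
            if len(alive[m]) < k:   # removal may push m below k as well
                pending.append(m)
    return set(alive)

def core_numbers(adj):
    """Map each node to the largest k whose k-core still contains it."""
    core, k, remaining = {}, 0, set(adj)
    while remaining:
        k += 1
        survivors = k_core(adj, k)
        for n in remaining - survivors:
            core[n] = k - 1
        remaining = survivors
    return core

def nucleus(adj):
    """Return (k_max, nodes of the innermost non-empty core)."""
    core = core_numbers(adj)
    k_max = max(core.values())
    return k_max, {n for n, c in core.items() if c == k_max}

G = build_graph(LINKS)
```

In this toy graph the regional providers start with degree 3 or 4 but fall out of the 3-core once their stub customers are peeled away, which is why the removal has to be recursive rather than a single degree filter.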

 

Overall, the researchers found that the Internet’s core and the periphery seem to be governed by different evolutionary mechanisms. While the core is relatively stable, the majority of the new nodes and edges that contribute to the explosion of the Internet appear in the periphery. This result contrasts with previous studies, which have shown that the maximum k of the core increases as the size of the full Internet increases.

 

“Many models are proposed to predict the evolutionary properties of the Internet in the future, and to our knowledge, these models assume that the central part and the periphery obey the same evolving mechanism, and the maximal connectivity of the Internet should grow very fast,” Zhang, of the Institute of Computing Technology at the Chinese Academy of Sciences, told PhysOrg.com. “Here we show that the maximal degree (connectivity number) as well as the size of the central part is relatively stable, and the explosion is mainly contributed by the periphery. These findings indicate a completely different picture against the previous works, and can be considered as important criteria for modeling the Internet.”

 

The most accurate model to describe the Internet evolution may be the so-called positive-feedback preference model. Here, a node’s number of links increases as a feedback loop of the node’s degree. However, the researchers explain that some other hidden mechanism must exist to explain why the maximum k remains stable.

 

The results also showed that the Internet overall is more loosely connected than previously thought. That is, although there is a high density of links connecting to the large-degree nodes (the “rich-club phenomenon”), connections between large-degree nodes are relatively sparser than the expected number, given their degrees. Instead, the results showed an unexpectedly high number of links connecting small-degree nodes, making the Internet more spread out than previously thought.

 

As the scientists explained, understanding a network’s topology is a crucial prerequisite for optimizing its performance. They hope that these results will help lead to an overall model of the Internet.

 

“Understanding the Internet topology is crucial for the design of routing protocol, P2P traffic optimization, as well as the design of some intelligent strategies against the congestion and cascading failure,” said co-author Tao Zhou of the University of Science and Technology of China and the University of Fribourg.

Comments (0) Jan 15 2009