Microsoft Security

New security threat

Update: Patch for part of the problem:

On line news sources have picked up ISC’s warning of a new threat to IE users which could allow hackers to steal on line banking passwords.  The code exploits a combination of a hole in unpatched IIS web servers to install malicious pop ups and a hole in IE to install a program via that pop up. The installed program watches for connections to a specific set of banking sites and logs the username and password (yet another reason everyone should get a pop up blocker, I’m so glad XP SP2 comes with pop up blocking as part of its greatly enhanced security).

Unfortunately the articles don’t do anything to help users understand what they should do to protect themselves from this attack or even if there is anything they can do. The reason for this lack of info is there is little users can do to defend against this exploit, even for advanced users. This is very scary to users of any level.

So… what should users do?  Here are my suggestions (yeah, these are my suggestions, my employer hasn’t approved them etc.)

Users of Windows XP can protect themselves by upgrading to Windows XP service pack 2, RC2 (RC2 means “release candidate 2”, i.e. it’s not the final version). Early adopters may rejoice and the braver among you may jump on board. I’ve been running SP2 for a while now and my personal opinion is: RC2 is great, but just in case you should back up your stuff and choose the install option which allows you to remove it if you have second thoughts later on. Unfortunately SP2 RC2 is a “preview” and isn’t supported by us yet. 🙁

Users should also review the ISC list of targeted bank URLs (scroll down through the report to find the list). If users have visited any of those sites recently they should seriously consider changing their banking password. By the law of averages users who get frequent pop up advertisements are the most at risk (regardless of the type of site you visit).

For users of earlier versions of Windows or people who aren’t willing to install the unsupported RC2 release there isn’t a fix yet, but there will be a fix in a couple weeks (no date has been announced yet). To help protect users until the patch has been fully tested Microsoft is working with law enforcement to shut down all the sites known to be hosting the exploit.

On a related note, if you don’t update your system regularly, you really should.  I’ve set Windows to automatically update my machines every night at 3am if needed.  Some worry automatic updates will cause problems but here’s my anecdotal data: I’ve been running automated updates on my very non-standard PC (a dual processor, 500 MHz Celeron with additional hardware that hasn’t been approved for Windows 2000 much less XP) for as long as it’s been available – I have never had a problem caused by the automatic updates.  Besides, the problems created by not updating far outweigh the possible problems you might encounter with the automatic updates.  Also, the automatic updates don’t include hardware drivers in the vast majority of cases (and it’s the hardware driver updates that cause many upgrade problems people encounter).

Some more details from ZDNet:

Hotmail Microsoft

Movement from the Mac guys

A couple big changes this week involving the guys from the Mac team (I used to test PWS, IMN, OE and Entourage for the Mac team):

Tantek Çelik has decided to leave the MS fold and strike out into the world.  Tantek was a key player in the IE browser for Mac and is well known for his CSS contributions.  He also worked to get his teams’ excellent rendering engine into one of our set top boxes, unfortunately without success.  He has a great summary of his MS work in his open farewell letter.  He has yet to announce his next project.

Also related to Microsoft Set top boxes, Dick Craddock has come on board with Hotmail as the Front Door Development manager (we call the servers which host all the chrome and features for Hotmail the “Front Door” machines because users enter through the front door).  Back in 1998 when Microsoft bought Hotmail the Mac Internet client team (IE and OE) in San Jose was kind of cut in two as many people went “downstairs” to work on the newly acquired service.  Dick took the reigns and I had the pleasure of reporting to him for a time.  Dick moved buildings along with the Mac IE team and went to work on Ultimate TV and then onto other MS TV products.  Now, almost six years later, I get a chance to work with him again.  Dick’s migration is 100% upside for Hotmail.

I moved from the Mac group to Hotmail in ’98.  Kristin, who used to report to me as a tester, joined later.  Omar, who first came to MS as an intern in my team, is now a lead here.  Dick, to whom I used to report, is now a dev manager here.  Hey, the world does revolve around me!


Are Blogs really “all that”?

Seriously now… blogs are little more than personal home pages with built-in text editors.

People put up web pages for a number of reasons, but it’s really all about a real or perceived notion that what they have to say is interesting to other people.  Blogs are all the rage now because they’ve cut through the painful overhead of setting up and maintaining a web page.  Here’s what I say, they’re nothing new, just a better implementation.

Bill Gates is now going to get a blog.  Doesn’t he already have one right here?  Sure… it doesn’t look like a blog, but it serves the same function.  So, if Bill Gates already has a web page that provides a forum for his views and news what is he really getting?

Perhaps it’s not that simple.  Our society is continuing to evolve from a formal to informal society.  We don’t wear ties to work anymore.  We don’t like our neighbor’s kids to call us “Mr. This” or “Mrs. That”.  We prefer instant messaging over e-mail.  Are blogs just an extension of that formal to casual transition our culture is making?

A formal home page is cold and corporate.  It has pretty graphics and structured layout.  A blog tends to have fewer static pictures and the content, while structured, tends to be shorter and come in fits and bursts (My posts range from a couple lines to long boring rants no one reads… are you still here?).

So what do you think?  Are blogs really something new?

Hotmail Net

Hmm, I was going to charge more than that

While I was only joking about selling addresses (see comments) it appears the AOL workers are a little less loyal to their users.

A snippet of the whole article from Reuters:

US Charges AOL Worker Sold Customer List for Spam
Wed Jun 23, 2004 07:07 PM ET

By Andy Sullivan

WASHINGTON (Reuters) – U.S. investigators said on Wednesday they had arrested an America Online employee and a Las Vegas marketer for stealing the Internet provider’s customer list and selling it to a purveyor of “spam” e-mail.

AOL members were flooded with millions of unwanted messages because of the scheme, according to a criminal complaint filed in U.S. district court in New York.

Jason Smathers of Harpers Ferry, West Virginia, was charged with stealing a list of 92 million AOL customer screen names and selling them to Internet marketer Sean Dunaway of Las Vegas.



I guess Gregory Mendel wasn’t crazy

Hoo boy, I bet this crew is fun a the local neighborhood fourth of July barbecue!

Lance Champion of McMinnville, Tennessee decided to pull over a local deputy for violating the speed limit (Note: Lance isn’t a peace officer, he just plays one in his own mind).  The resultant conversation landed 23 year-old Champion in custody for disorderly conduct (um, duh!). 

Champion then did what any good local superhero would do, he called his mom.  Mom Champion next showed up at the scene with Champion’s 17 year-old brother. Jr. Champion helped the situation by slapping the hand of a police officer who was supervising the towing of Lance Champion’s car. 

Okay kids, what happens when you hit a police officer?  That’s right, you get arrested.  Having her two sons arrested was obviously tough on Mom Champion who promptly got herself cuffed for disorderly conduct as well.  Wanna go for a royal flush?

The Champion patriarch, Hal Champion, was able to return from church just in time to help diffuse the situation by showing up and (like a good Christian) through peace, love and understanding promptly get himself taken down with a taser gun and arrested.

Some people shouldn’t be allowed to breed.

Yeah, sounded crazy to me too, but it’s real and happened on Tuesday, go get the official write up at CNN.


Try this on

So, you’re sitting at home thinking… “I had a Cesarean section with my first child and that means I’ll have to have one for my second child.  I should just get a zipper installed for convenience.  But… what would that look like?”

Well, worry no longer, you can try on your own belly zipper navel piercing to be sure you like the look.


If a blog falls in the wood…

My Cousin Mark Robert (I can’t remember a name for two seconds? Must be time to put me out to pasture) used to work for Nokia as a patent attorney, now it appears he spends his time blogging.  I guess I’ll have to drop him an e-mail to find out else what he’s up to.


The official word

The official press release is now available on MS Press Pass.  Enjoy!

In related news, Omar is also stoked about the change. 🙂

Overseen Photography

Are they allowed to do that in Disneyland?

This, um… “enthusiastic” fellow was seen sitting in the front window of Jamba Juice in Downtown Disney:

 Click for big


The cat’s out of the bag…

Yep, it looks like the articles are starting to roll off the presses, even before any press releases are out from MS Press Pass.  How do they do it? 🙂

Here’s what’s important: we’re not trying to have a “storage war” as some would say, we’re tying to make storage not be “the issue”.  We’re putting in a lot of effort to make sure we have the features users really want and need.  In the rush to announce the storage bump the articles gloss over that we’ll be doing things like improving security by changing the anti virus cleaning to be free for all users (we have had free anti virus scanning for all users for over five years).

I guess the basic thing is this: I want people to know that we love making cool software, we’ll continue to do that.

Related news: