Microsoft has launched another salvo in its campaign to hammer the final nail into the coffin of an outdated, insecure product: Internet Explorer 6.

The problem with Internet Explorer 6 is that Microsoft no longer supports it, and the creaky old web browser simply doesn’t provide anything approaching a sufficient level of defence as severely critical vulnerabilities have been left unpatched.

A new website,  www.ie6countdown.com, attempts to convince users of the reasons why they should upgrade to a more secure version of the web-browsing software, and provides information for organisations on how they can best migrate.

What I found particularly interesting, however, was a graphic of the world showing the percentage of browser marketshare Internet Explorer 6 has in each country.

India, Saudi Arabia, Taiwan and Vietnam are all doing a poor job of choosing a hardened web browser, with IE6 responsible for ten percent or more of the browser usage in those countries.

But the worst country by miles is China, where – according to Microsoft – Internet Explorer 6 accounts for over a third of the browser usage. Hmm, I wonder how much of that is related to pirated copies of the software that users have chosen not to replace with legitimate later versions?

Anyway, this is a good campaign by Microsoft – and although it is clearly designed to switch people to Internet Explorer 9, anything which encourages computer users to throw its ageing predecessor IE6 in the garbage bin has to be applauded.

It’s not often that we encourage you to stop using one of our products, but for #IE6, we’ll make an exception: http://bit.ly/g0wt4m

March 4, 2011 2:24 pm via webReplyRetweetFavorite

@Microsoft

Microsoft

Lets make Microsoft’s day – help them kill off Internet Explorer 6.

USB Flash Drive

Here’s some good news for anyone who has been struck by auto-running malware from a USB stick in the past. Microsoft has rolled-out an “important, non-security update” through Windows Update, changing the behaviour of Autorun when you plug a USB stick into your computer.

Not sure what Autorun is? It’s the technology which causes a program to start automatically when you insert a CD or USB stick into your Windows PC. You may have spotted the Autorun.inf files in the root directory of your USB sticks and on CDs in the past.

It may sound like a neat idea, but a lot of malware (The Conficker worm would be perhaps the most infamous example) has exploited the technology to infect computers via USB sticks in the past.

The more recent versions of Windows, like Windows Vista and Windows 7, have made changes to the way that Autorun operates and this has helped fight the spread of Autorun malware. But older versions of Windows, such as Windows XP, were still often at risk.

In fact, in a blog post published yesterday, Microsoft’s Holly Stewart presented statistics which suggested that “Windows XP users were nearly 10 times as likely to get infected by [Autorun malware] in comparison to Windows 7.”

XP vs. 7 using Autorun.

Yesterday, Microsoft rolled out an update via its Windows Update infrastructure, to users running versions prior to Windows 7, which effectively prevents Autorun malware from automatically infecting computers without the user’s permission.

Note, however, that this isn’t the death of Autorun entirely. As Microsoft’s Adam Shostack explains on the MSRC blog, Autorun is still available for “shiny media” such as CDs and DVDs.

Hmm. I guess that will be welcome news for any misguided company which tries to emulate Sony’s disastrous scheme from 2005 where music CDs automatically installed a rootkit as part of their DRM copy protection.

All in all, though, Microsoft has done a good thing here. Autorun was never a necessary technology in my point of view, and its exploitation by malware made it a dangerous liability. Locking it in a windowless room, handing it a service revolver and appealing to its sense of decency is probably the best move that can we make.

Microsoft is at odds with a researcher employed by Google who published a zero-day Internet Explorer vulnerability on New Year’s Day. The vulnerability was discovered using cross_fuzz, a browser fuzzing tool created by Google researcher Michal Zalewski, who says he gave Microsoft more than six months of warning before going public with the flaw. That hasn’t stopped Microsoft from sharply disagreeing, however, with the company arguing that Zalewski has now put thousands of IE users at risk.

According to Zalewski’s published timeline of events, he first told Microsoft about the vulnerability in July of last year and provided the company with copies of cross_fuzz for independent verification. Zalewski informed the company that he planned to release the tool in January, and Microsoft acknowledged the report at that time—confirmed on Tuesday by Microsoft spokesperson Jerry Bryant.

Microsoft said it was unable to reproduce any problems using the cross_fuzz tool upon being informed of the issue in July, despite Zalewski’s insistence that he saw “multiple crashes and GDI corruption issues” in IE. The company claims it was only notified on December 21 of a new version of cross_fuzz that could cause a potentially exploitable crash.

Microsoft immediately issued Security Advisory (2488013), confirming that the vulnerability impacted all supported versions of IE. Microsoft explained that the vulnerability exists due to the creation of uninitialized memory during a CSS function within the browser, making it possible for the memory to be leveraged by an attacker with a specially crafted webpage.

“We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable,” Bryant told sources.

This is when the stories diverge, however. Zalewski says he heard virtually nothing from Microsoft until mid-December, at which point others were able to reproduce the problem, including by means of the original cross_fuzz version used last July. According to Zalewski, Microsoft was suddenly concerned about the potential PR fallout and claimed the IE problems only surfaced after he had updated his code. Zalewski said he confirmed that the problem was unchanged by running both the new and old versions of the fuzzer and told Microsoft again that he planned to release the tool in January.

“Response from [Microsoft Security Research Center] confirms that these crashes are reproducible with the July 29 fuzzer; unclear why they were unable to replicate them earlier, or follow up on the case,” Zalewski wrote on December 29. As promised, he released the fuzzer on January 1.

Now, Microsoft is accusing Zalewski of increasing the risk to IE users—the company says attackers may find a way to exploit the flaw before a patch can be tested and distributed. Zalewski insists that Microsoft knew about the flaw and his plan to release in January for more than six months, however, and did nothing until it was almost too late.

Whichever way this he-said, she-said fight ends up, Microsoft says it’s actively monitoring the situation and plans to issue a patch soon.

Facebook and Bing just announced a new search partnership during a joint event at Microsoft’s San Francisco offices. With this new partnership, Bing wants to take personalized search to the next level by tapping into the knowledge of your friends on Facebook. Microsoft looks at this as “the beginning of how search gets better because of your friends.” According to Microsoft, “search is not just about the connections between data but also about the connection between people.”

Among the new features that Microsoft will launch today are Facebook results for name queries (4% of all queries on Bing are name queries) and personalized results based on what your friends liked on Facebook. Thanks to this, you can now see what restaurants your friends liked on sites like OpenTable, for example, or if your friends liked a certain movie. Microsoft will roll these new feature out later today.

The new personalized search results are based on what your friends “liked” across the Web. These results will appear in a box on the search results page. Results for name queries will now highlight people in your social network in a separate box. Thanks to this, results for common names like “Bob Smith” will now highlight people in your social network or within your friends’ networks.

In the near future, Bing also hopes to be able to find topic experts among your friends and highlight relevant search results from sites and stories that they liked.

At the beginning of the event, Microsoft’s president of its Online Services Group Qi Lu noted that Bing wants to go beyond just the basic search experience that today’s Internet users are familiar with. With this new partnership, Bing will be able to offer better search results for name queries, for example. According to Lu, by being able to connect search to your social graph, Bing will be able take search to the next level. Today’s announcement, according to Lu, is only the beginning of this new partnership.

Facebook’s Mark Zuckerberg called this announcement “one of the most interesting partnerships we have done recently.” Given that Facebook already had a partnership with Microsoft, Zuckerberg noted that Microsoft is a good partner for Facebook. Facebook likes to work with underdogs (like Bing) who want to innovate and “push new things.”

So far, these new capabilities in Bing look quite similar to Google Social, which also integrates results from your Twitter and Google Buzz friends on the search results page.

We already know quite a few details about Internet Explorer 9, Microsoft’s upcoming attempt to retain – or grow – its market share in the browser world. Standards and speed are the main focus of IE9, and if a video of the upcoming beta release is anything to go by, they’re doing pretty well. Just… Did they just manage to make the interface even less appealing?

Microsoft has fed us a number of builds for Internet Explorer 9, and while theyshowed off the speed improvements as well as the much more modern standards support (95 on Acid3), Microsoft remained tight-lipped on what, exactly, it was planning to do about that abomination they dare to call a “UI” used by the previous two Internet Explorer releases.

With the beta release only a few days away, leaks are bound to occur. A website called IEBest.com (I wish I was making this stuff up) claims to be in possession of the beta release, and has the video material to prove it. Of course, it’s hard to assess how genuine this stuff is, but if it is, the IE9 user interface team deserves a spanking.

Assuming this is real, the interface doesn’t look particularly polished; the tabs feel bolted on, as if they’re not part of the actual program. If it were a screenshot, I’d call Photoshop on that one. Everything does look a lot tidier than previous releases, but one massive problem stands out like a major cringe-inducing eye-sore.

While I’m this close to proposing to Chrome’s UI so I can give her babies, Chrome does have one major problem: lack of tab overflow. If you open boatloads of windows in Chrome, the tabs become ever smaller and less readable, until you’re finally just staring at a white mountain range.

However, at least Chrome will give you the full width of the window to play with. In this supposed IE9 user interface, you’re given just half of the window for the tab bar, because the stupid address bar is in the way! This monumental oversight alone makes me think we’re looking at a fake. This just can’t be real.

I suppose we will find out in a few short days.

Example of private browsing in Firefox.

Features in the four major browsers designed to cloak users’ browser history often don’t work as billed, according to a research paper that warns that users may get a false sense of security when using the built-in privacy settings.

The private-browsing modes are supposed to allow users to visit a website without leaving any trace on their computers, and yet Internet Explorer, Firefox, Chrome, and Safari frequently leave tracks, according to the research, which is scheduled to be presented at next week’s Usenix Security Symposium in Washington DC. The makers of those browsers — Microsoft, Mozilla, Google, and Apple respectively — often hail the offerings as a way to enhance privacy when using shared computers.

One failure that affects IE, Firefox, and Safari happens when users save SSL, or secure sockets layer, client certificates while browsing in private mode. The browsers store a record of those actions in a file that allows anyone who has physical access to know exactly what site the user was visiting at the time. Similarly, when IE and Safari encounter a self-signed certificate, it is stored in a certificate vault that is preserved even after the private session ends.

Similarly, Firefox users who make security certificate settings while in private mode will have a partial copy of their browsing history stored in a file called cert8.db, the researchers said.

“We discovered that all these browsers retain the generated key pair even after private browsing ends,” the researchers wrote. “Again, if the user visits a site that generates an SSL client key pair, the resulting keys will leak the site’s identity to the local attacker.”

The study (PDF here) showed each browser failing in specific settings.

The privacy mode in Firefox, for instance, is undermined when a user sets site-specific preferences or uses a variety of Mozilla-sanctioned plug-ins. The open-source browser also stores websites visited that dole out custom protocol handlers based on the HTML5 standard.

For its part, IE’s InPrivate mode can be undermined when websites make SMB queries, since the Microsoft browser shares large chunks of code with Windows Explorer.

The researchers also devised a way for webmasters to detect when someone visiting their sites is using the privacy mode. It involves placing an iframe with a unique web address and then “using JavaScript to check whether a link to that URL was displayed as purple (visited) or blue (unvisited).”

The researchers said that to the best of their knowledge they are the first to demonstrate a way to detect private browsing mode — but that may not really matter for much longer. The technique appears to use the decade-old browser history attack, which was recently fixed in Safari and will soon be fixed in Firefox. It’s only a matter of time before Microsoft and Google follow suit.

Using the technique, they confirmed what we all suspected: the feature is mainly used when surfing to porn sites. Gift and news sites, not so much.

Windows XP Professional

Microsoft originally said that new owners of Windows 7 who wanted to downgrade to XP would only have until 2011 to do so, but now the company has changed its mind and extended support for the old operating system until 2020.

That’s right. Windows XP, an operating system that is already almost 10 years old, will apparently still be relevant for another 10 years.

“We have decided to extend downgrade rights to Windows XP Professional beyond the previously planned end date at Windows 7 SP1,” wrote Microsoft in an official blog post. “Going forward, businesses can continue to purchase new PCs and utilize end user downgrade rights to Windows XP or Windows Vista until they are ready to use Windows 7.”

Because users did not seem to be overly outraged about Windows 7 the way everyone was about Vista, it seemed perfectly fine to cut off the remaining life of Windows XP without too much haste. And for the majority of individual computer owners, that probably wouldn’t have been a problem.

However, what is a problem is that 74% of businesses still use Windows XP, and for a lot of them, the cost of upgrading all of their machines to Windows 7 is not financially tenable. Thus, companies risk having old computers with Windows XP and new computers with Windows 7 which would fragment their network and make it impossible to streamline systems.

It is as a result of that statistic that Microsoft will now continue to allow downgrades to Windows XP for people who purchase Windows 7 Professional through 2015, and through 2020 for people who purchase Windows 7 Ultimate, according to a report from Computerworld.

However, as of yesterday, Microsoft ended all support for Windows XP SP2, so anyone who still wants to be covered by Microsoft support will at least have to move to XP’s Service Pack 3.

If you get a posting on your Facebook wall telling you “this is without doubt the sexiest video ever! ” which seems to be accompanied by a video titled “Candid Camera Prank [HQ]” then don’t click on the video: it’s a lead-in to malware.

Clicking the link will take you to what seems like a Facebook application which then tells you that your video player is out of date – and encourages you to download a file.

If you do, then the same “video” plus link gets posted using your avatar to al your friends on Facebook -– meaning it is spreading virally.

It’s not clear at present whether Facebook has acted to halt it. You should, however, expect that it will mutate in the coming hours/days (depending on how determined the virus writer is), so it might not be exactly that message or video frame. The key element in the attack is that it tells you to download a file.

At Sophos, Graham Cluley notes that:

“Judging by the number of messages posted on Facebook, thousands of people received this attack. If you were one of them, you should scan your computer with an up-to-date anti-virus, change your passwords, review your Facebook application settings, and learn not to be so quick as to fall for a simple social engineering trick like this in future.”

The file seems to install a piece of adware called Hotbar, which thus generates revenue for the malware writer. (About Hotbar: “displays a dynamic toolbar and targeted pop-up ads based on its monitoring of Web-browsing activity. The toolbar appears in Internet Explorer and Windows Explorer. The toolbar contains buttons that can change depending on the current Web page and keywords on the page. Clicking a button on the toolbar may open an advertiser Web site or paid search site. Hotbar also installs graphical skins for Internet Explorer, Outlook, and Outlook Express. Hotbar may collect user-related information and may silently download and run updates or other code from its servers.”)

Microsoft is, separately, strongly encouraging people and companies to stop using Internet Explorer 6, using the argument that “you wouldn’t drink 9-year-old milk, so why use a 9-year-old browser?”

Though aimed at the Australian market (possibly IE6 has a higher prevalence there due to some geographical quirk), the arguments for abandoning IE6 are stronger than ever, and have been repeated many times – not least on this site (the browser that won’t die, why the NHS can’t get its browser act together). And of course it is widely believed – though so far not confirmed – that IE6 was the vector for an attack against Google by Chinese hackers at the end of last year.

I happened to stumble across a visual representation from Intac showing the approximate number of dedicated servers that major tech companies own. When you speak in terms of numbers, it becomes hard to comprehend just how large these server farms have become. Intel, for example, is estimated to have around 100,000 servers in its arsenal, while Facebook, AT&T, and Time Warner Cable, all fall between 20,000 and 30,000. Without being able to see these server farms with your own eyes, these statistics are merely tossed aside as nothing more than interesting facts.

It’s no secret that Google is a giant. But, do people realize just how big they really are? Companies like Microsoft, Amazon, and eBay all have over 50,000 servers, though their exact numbers aren’t made public. Google, by comparison, is estimated to have over 1,000,000 dedicated servers, accounting for over 2% of the servers in the world. The graphical representation below allows one to truly understand just how unbelievably huge Google is (especially compared to the other major tech giants). Get your scroll-wheel ready and take a look.

(click to enlarge the graph)

Microsoft told Windows XP users today not to press the F1 key when prompted by a Web site, as part of its reaction to an unpatched vulnerability that hackers could exploit to hijack PCs running Internet Explorer (IE).

In a security advisory issued late Monday, Microsoft confirmed the unpatched bug in VBScript that Polish researcher Maurycy Prodeus had revealed Friday, offered more information on the flaw and provided some advice on how to protect PCs until a patch shipped.

“The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer,” read the advisory. “If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.”

Last week, Prodeus called the bug a “logic flaw,” and said attackers could exploit it by feeding users malicious code disguised as a Windows help file — such files have a “.hlp” extension — then convincing them to press the F1 key when a pop-up appeared. He rated the vulnerability as “medium” because of the required user interaction.

Windows 2000, Windows XP and Windows Server 2003 are impacted by the bug, said Microsoft, and any supported versions of Internet Explorer (IE) on those operating systems — including IE6 on Windows XP — could be leveraged by attackers. Previously, Prodeus had said that users running IE7 and IE8 were at risk, but had not called out IE6.

Until a patch is ready, users can protect themselves by not pressing the F1 key if a Web site tells them to, said Microsoft. ”As an interim workaround, users are advised to avoid pressing F1 on dialogs presented from Web pages or other Internet content,” said David Ross with the Microsoft Security Response Center (MSRC) engineering staff in a blog entry on Monday.

“The prompt can appear repeatedly when dismissed, nagging the user to press the F1 key,” Ross added.

The security advisory made the same recommendation: “Our analysis shows that if users do not press the F1 key on their keyboard, the vulnerability cannot be exploited.” Users can also stymie attacks by disabling Windows Help. The advisory explained how to entering a one-line command at a Windows command-line prompt to lock down the Help system.

The company took Prodeus to task for taking the bug public, something it regularly does when researchers disclose a vulnerability or post sample attack code before a patch is available.

“Microsoft is concerned that this vulnerability was not responsibly disclosed, potentially putting customers at risk,” said Jerry Bryant, a senior manager with the MSRC, in an e-mail. By Prodeus’ account, he notified Microsoft of the flaw Feb. 1, about four weeks before publishing his findings.

Microsoft has not set a timeline for a fix, saying only that, “Microsoft will take the appropriate action to help protect our customers.” The next scheduled security patch date for the company is March 9.

Although it does not rate the severity of vulnerabilities in its advisories, Microsoft noted that hackers exploiting the VBScript flaw using Windows Help and Internet Explorer could grab complete control of a Windows system. Customers running Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2 are safe from such attacks, Microsoft said.

Microsoft has won court approval to shut down a global network of computers which it says is responsible for more than 1.5bn spam messages every day. A US judge granted the firm’s request to shut down 277 internet domains, which it said were used to “command and control” the so-called Waledac botnet.

A botnet is a network of infected computers under the control of hackers.

The firm said that closing the domains would mean that up to 90,000 PCs would stop receiving orders to send out spam.

A recent analysis by the firm found that between 3-21 December “approximately 651 million spam e-mails attributable to Waledac were directed to Hotmail accounts alone”. It said it was one of the 10 largest botnets in the US.

Machines in a botnet have usually been infected by a computer virus or worm. Typically, users do not know their machine has been hijacked.

Microsoft said that although it had effectively shut down the network, thousands of computers would still be infected with malware and advised people to run anti-virus software. The court order was part of what was called “Operation b49″.

Along with intelligence organisation Shadowserver, the University of Washington and security firm Symantec, Microsoft managed to get a court in Alexandria, Virginia, to force Verisign, which manages the .com domain, to temporarily switch off the domains.

Microsoft said it was the result of months of investigation and described it as a legal first.

“This action has quickly and effectively cut off traffic to Waledac at the .com or domain registry level, severing the connection between the command and control centres of the botnet and most of its thousands of zombie computers around the world.”

It turns out a rootkit is responsible for some Microsoft users experiencing the dreaded “blue screen of death” after applying one of the latest Windows patches, Microsoft said today.

Post-Patch Tuesday reports of XP SP2 and SP3 users being unable to restart their systems after applying the new MS10-015 patch led Microsoft to suspend its automatic distribution of that patch while it investigated whether the patch itself was causing the problem. The director of Microsoft’s Security Response Center, Mike Reavey, said in a blog post today that the issue occurs when a system is infected with the so-called Alureon rootkit.

“The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state. In every investigated incident, we have not found quality issues with security update MS10-015,” Reavey said. “Our guidance remains the same: customers should continue to deploy this month’s security updates and make sure their systems are up-to-date with the latest anti-virus software.”

The finding syncs with what some security researchers concluded earlier in the week, after initial concerns that the patch itself was flawed.

Meanwhile, distribution of the MS10-015 patch is still on hold for some systems via Automatic Update until Microsoft comes up with a fix for the issue, which it says only affects 32-bit machines. Automatic Updates for 64-bit systems are now again pushing the MS10-015 patch, which fixes a bug in the Windows kernel.

“A malware compromise of this type is serious, and if customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk,” Reavey said.

Microsoft is working on a “simpler solution” to detect and eradicate the rootkit from infected systems, which it plans to release in a few weeks, according to Reavey.

Setting a machine to “standard” rather than “administrator” account mode typically prevents kernel malware from infecting systems, he said, and keeps antivirus signatures up-to-date is also helpful.

Microsoft’s just-released free antivirus software (Microsoft Security Essentials or MSE) has already been put to the test, literally: In an early test by an indie laboratory, the much-anticipated Microsoft Security Essentials (MSE) detected and removed all rootkits.

AV-Test.org reports that MSE found and killed all 25 rootkits tossed its way during a test it conducted on the new software, which Microsoft rolled out on Tuesday. MSE basically replaces Microsoft’s subscription-based OneCare product, but focuses solely on anti-malware — detecting and removing viruses, spyware, rootkits, and Trojans. It doesn’t come with security “suite” functions, like a firewall, computer maintenance tasks, or backup.

AV-Test.org tested the new version 1.0.1611.0 with virus and spyware definitions 1.67.178.0 on Windows XP SP3, Vista SP2, and Windows 7. Rootkits traditionally have been the nemesis of many AV products. But Andreas Marx, CEO of AV-Test.org, says MSE’s 100 percent rootkit detection rate was “very impressive.”

MSE also detected all 3,700 samples of static malware, but the software was unable to detect new, unknown malware using dynamic, behavior-based detection. “None of the samples were detected based on their suspicious behavior,” Marx says. But, he says, other AV-only packages don’t include this dynamic detection feature, either. It’s usually only available in Internet security “suite” versions of the products, he says.

On XP, MSE found 98.44 percent of current samples of viruses, worms, Trojans, and bots, and 90.95 percent of adware and spyware. AV-Test.org found that MSE was able to remove all active malware components during the repair and cleanup phase, but in some cases residual pieces from the infections remained, such as inactive executable files and a disabled Windows firewall.

“The scan speed is quite OK when compared with other AV products. The scanner is not the fastest one, but also not the slowest available,” Marx says. He notes the test was a quick summary of some of the product’s features, and that the lab plans to conduct more in-depth testing and reviews of MSE. So this is early good news for Microsoft’s brand new product that is being put to the test. Only time will tell if it is able to keep up with the new threats that will target it and try to break through its defenses.

The day dreaded by many commercial antivirus vendors is here: Microsoft today made its free antivirus software available.

Microsoft Security Essentials (MSE), which Microsoft had code-named “Morro,” basically replaces Microsoft’s subscription-based OneCare product, but focuses solely on anti-malware — detecting and removing viruses, spyware, rootkits, and Trojans. It doesn’t come with security “suite” functions, like a firewall, computer maintenance tasks, or backup.

Interestingly, Microsoft is neither pushing the product via Windows updates nor bundling it with the operating system. “You have to proactively go to the Microsoft site to download it,” says Alex Eckelberry, CEO of Sunbelt Technologies, which sells enterprise AV, email, and other security tools for Windows. Eckelberry says Microsoft’s freebie software is ultimately “good for the consumer.”

What about commercial AV vendors? Eckelberry says he doesn’t expect the software to hurt them as much as AV vendors, like AVG, that also offer free anti-malware software. While it’s mainly a consumer product, he says it will also attract small mom-and-pop shops. “It won’t affect enterprise SMBs because it’s not manageable, so they won’t touch it,” he says.

Overall, Eckelberry says, MSE is good for consumer security.

Siobhan MacDermott, head of public policy, corporate communications, and investor relations for AVG Technologies, says while free AV sounds good at first glance, it could actually hurt consumers in the end.

“On the surface, a free offering from the company with a dominant market share would appear be a good thing. We believe, however, broad adoption could, in fact, put consumers at greater risk,” MacDermott says. “The strength of the security community rests in its diversity of products and the innovation delivered by companies like AVG, whose entire focus is keeping our users’ personal data and computers safe. It is our core business and one in which we simply cannot fail.”

Because Microsoft’s OS base is so large, a large community of MSE users will attract more attackers, according to MacDermott. “It is a law of numbers; large communities create large pools of opportunities for thieves,” she says. “If Microsoft leverages the power of its OS market to rapidly create a large community of MSE users, we believe those customers will be doubly vulnerable.”

Microsoft provided a peek at Security Essentials in June when it released a public beta version of the software.

The company says the software alerts users only when they need to take action due to a threat that’s detected, for instance, and it limits CPU and memory usage.

“Consumers have told us that they want the protection of real-time security software, but we know that too many are either unwilling or unable to pay for it, and so end up unprotected,” says Amy Barzdukas, general manager for consumer security at Microsoft. “With Microsoft Security Essentials, consumers can get high-quality protection that is easy to get and easy to use — and it won’t get in their way.”

MSE doesn’t require any registration or renewals, and is available for download here. For those interested, check out the review that is already up from arstechnica.com!

Microsoft made its Internet Explorer 8 browser available yesterday, along with a company-commissioned report claiming IE8 is more secure against malware than rival browsers from Mozilla and Google. Users were able to download IE8 in 25 languages at 12:00 noon Eastern Daylight Time on Thursday from Microsoft’s IE Web site and its online download center.

Microsoft has been preparing users for IE8 for a good year now, stressing performance improvements, better support for Internet technology standards, the addition of new features to help people keep track of most visited sites and favorite sources of information, and of course, security, as highlights of the new browser. According to the report Microsoft released Thursday, based on research conducted by NSS Labs, IE8′s Release Candidate 1 was 69 percent effective at catching malware before it did damage to a user’s system. Mozilla Firefox 3.07 came in second with a 30 percent effectiveness rate, with Apple Safari’s 3 in third place with a 24-percent rate and Google’s Chrome 1.0.154 in fourth place with 16 percent effectiveness rate

NSS Labs said in the report that the data was collected from tests conducted in just over 12 days from Feb. 26 through March 10 in its labs in Austin, Texas. During the course of the test, the company said it monitored connectivity to ensure the browsers could access the live malware sites being tested, and performed 141 discrete tests. The margin of error of the tests was 3.76 percent, according to NSS Labs. Amy Barzdukas, a senior director at Microsoft, acknowledged that it might be a conflict of interest for Microsoft to sponsor a report in which IE8 came out on top in terms of security. However, she encouraged people to “look closely at the results” before making a judgment call on the validity of the report.

IE8 will be included as part of the Windows 7 OS. However, for the first time since adding browser technology to its operating system, Microsoft will give users the ability to turn off IE8 as a feature in the system. This decision was outlined in a blog post on the Engineering Windows 7 blog. Microsoft is under pressure from an ongoing antitrust case in the European Union to give users more browser choice in Windows.

Microsoft will issue an emergency security patch Wednesday (Today!) for all versions of Internet Explorer. The patch is considered a critical fix for the security flaw currently plaguing the IE browser. So far, more than 2 million computers are believed to have been infected. The sad part is a majority of these people will probably not know that they need to run updates to fix this security hole or even know how to run Windows Update to plug it!

Vulnerability Protection

An advance notification of the patch published Tuesday describes it as protection for a “remote code execution” vulnerability. The move follows Microsoft’s security advisory posted last Wednesday and updated Monday explaining the vulnerability and suggesting temporary “workarounds” for protection.

Serious Flaw

The flaw can be used to let attackers steal personal data such as passwords if a user visits a compromised Web site, of which at least 10,000 are thought to already exist. Thus far, the vulnerability has been used primarily for grabbing gaming passwords for black market sales. The hole could, however, potentially also be used to steal more sensitive information such as banking passwords and other private information.

Some security analysts had gone as far as to suggest all IE users switch to a competing browser (such as Firefox of Chrome) until Microsoft found a suitable fix.

Getting the Patch

Microsoft’s emergency security patch will become available Wednesday at 1 p.m. EST at the Microsoft Update site as well as at the Microsoft Download Center. All users of IE5, 6, and 7 are advised to install it. A separate patch is expected to be made available for users of IE8 Beta 2. Expect to see far more detail by midday Wednesday when Microsoft officially issues its security bulletin.

Although I am 2 days late, this is good news for people who don’t like shelling out 100+ dollars to get the latest version of Microsoft Office. On the 14th Open Office 3.0 was released and contained some very promising updates to the already extremely popular open source office suite! So read on if you are interested or a fan of Open Office!

The biggest improvement to OpenOffice 3 is the ability to open Office 2007 files. However, some files, such as .docx, .xisx, and .pptx, can only be read. The second major enhancement is a new version for the Apple Mac. The upgrade installs and runs like a normal OS X application. For the longest time now since Microsoft Office 2007 has been growing popularity and more people are using it, the most common problem was that when someone saved the file in the default 2007 format, Open Office could not open the file to read. Now with this new version out and kicking, users of Open Office now have that ability to read those files and although they can not alter them in that format, they are able to save them to formats which will allow them to edit the documents. This is also good news for Mac users because with this version Open Office installs and runs like a native Mac program would on the system.

This release was big enough to also cripple the Open Office website for almost a day and a half with tons of people trying to download the latest version and give it a go! Almost all day Monday and well into Tuesday they had a message up on their site which stated:

Apologies — our Web site is struggling to cope with the unprecedented demand for the new release 3.0 of OpenOffice.org,” the site said. “The technical teams are trying to come up with a solution.”

All that was on the site other than this simple message was different links to download the software. With me dual booting Windows XP and also Ubuntu Linux, this is a very good release for me and others like me because now I can work on my stuff saved with Microsoft Office on my Linux partition when I am booted into Ubuntu. So download and Enjoy!

Click Here for the official Open Office Website!