Microsoft to patch IE zero-day bug next week

Microsoft today said it will deliver six security updates on Tuesday, including one that will patch a vulnerability in Internet Explorer (IE) the company admitted only last week. The update will address an IE zero-day vulnerability that Microsoft confirmed Nov. 23 in a security advisory. "I want to point out that Internet Explorer 8 is not affected on any platform and that running Protected Mode in Internet Explorer 7 on Windows Vista mitigates this issue," said Jerry Bryant, a spokesman for the Microsoft Security Response Center (MSRC), in a blog post announcing the advisory last week. The updates will patch a total of 12 flaws in Windows, IE and Microsoft Office, the company said in a follow-up entry to its security response center's blog. At the top of the patch list, even Microsoft's own, will be an update for IE 5.01, IE6, IE7 and IE8 that has been pegged as "critical," the firm's highest severity rating in its four-step scoring system.

Microsoft's advisory was its reaction to proof-of-concept attack code that had gone public several days before, when it was posted to the popular Bugtraq security mailing list. The sample code exploited a flaw in IE's layout parser, and could be used to hijack fully-patched Windows machines. The attack code that went public Nov. 20 was not only unreliable, according to security experts who dived into the exploit, but was touted as only affecting IE6 and IE7 on Windows XP. Later, Microsoft said that Vista users would be protected to a degree not enjoyed by XP customers because the former's "sandbox" would limit the ability of the exploit to compromise the PC.

Next Tuesday's update, however, will quash bugs in all still-supported versions of IE, not just IE6 and IE7, a fact Microsoft confirmed today. "We want to make customers aware that we will be addressing the vulnerability discussed in Security Advisory 977981 in the IE bulletin on Tuesday," Bryant said in another blog post. "We know that customers are concerned about this issue and we are also aware that Proof of Concept (PoC) code is available publicly." The advisory Bryant called out was the one Microsoft issued last week.

Microsoft's advance notification spelled out the significance of the problem with IE: All versions of its browser contain one or more flaws when run on Windows 2000, Windows XP, Vista, Server 2003 and even Windows 7. Only the company's newest server products - Server 2008 and Server 2008 R2 - are somewhat safer. However, that doesn't mean IE 5.01 and IE8 are suddenly vulnerable to last week's zero-day exploit, said Andrew Storms, director of security operations at nCircle Network Security. Microsoft confirmed to Storms that the IE update contains fixes for multiple vulnerabilities; it's not unusual for Microsoft to quash several bugs in a single update. "Last week's zero-day is still not applicable to IE8," Storms said after he consulted with MSRC. "Some other bug is also being patched in the same bulletin."

Most outside security researchers, including Storms, were pessimistic last week when asked whether Microsoft could scramble fast enough to fix the flaw in IE6 and IE7. Today, he was impressed. "I would have wavered last week [on] whether they would fix it," he admitted. "But given the impact [of the vulnerability] and the fact that there's code out there, I'm not surprised that they managed it."

Other updates slated for release on Dec. 8 include patches for bugs in Windows; Office 2000 and Office 2003; and Microsoft Project 2000, 2002 and 2003. Three of the six updates will be tagged critical, while the remaining trio will carry the "important" label. "Frankly, the rest don't matter at this point," said Storms, referring to the non-IE updates. "IE is the top of the news for Microsoft today, and will be next week."

The bright spot, said Storms, is that Microsoft keeps ladling more information onto its pre-Patch Tuesday notification, a preview customers rely on to plan their patching strategy for the following week. "They're blogging and telling us the number of vulnerabilities and the [affected] applications now, which is great," Storms said, applauding Microsoft's moves. "They continue to increase the amount of information they provide. They're setting a real trend here." Microsoft will release the six updates at approximately 1 p.m. ET on Dec. 8.

Chip sales to grow in 2010, iSuppli says

Worldwide semiconductor sales will grow in 2010 as chip sales gain steam in response to stabilizing economies, analyst firm iSuppli said on Wednesday. Semiconductor sales could grow by 13.8 percent on a year-over-year basis to reach US$246 billion in 2010. However, global chip sales will decline in 2009, albeit at a lower rate than iSuppli first projected. The analyst firm predicted year-over-year global chip sales would decline by 16.5 percent in 2009. Earlier in the year, iSuppli projected a 23 percent drop. Chip revenue will keep growing through 2012 and could reach the levels of 2007, after which the chip revenue skid began. Chip sales could total $282.7 billion in 2012; sales tallied close to $273.4 billion in 2007.

Semiconductor sales and inventory levels in the PC and mobile-handset markets - which account for a majority of semiconductor sales - improved in the second quarter, iSuppli said. Chip sales in 2009 will total US$216 billion, compared to $258 billion in 2008. Chip sales have "gained clarity" as economies stabilize and supplies improve in key markets after an unstable first quarter, iSuppli said in a statement. Major vendors have also increased their outlooks for PC and mobile-handset sales, which has given more clarity to project overall chip sales for the year. "Semiconductor shipments rebounded as inventories were replenished and modest forward-looking purchases were made," said Dale Ford, senior vice president, market intelligence services for iSuppli, in a statement. Intel CEO Paul Otellini last week said that its chip shipments were stabilizing as PC shipments start to take off. Otellini's comments were stronger than conservative outlooks provided for an expected PC industry recovery from companies like Advanced Micro Devices and Dell earlier in the year.

The companies said that PC shipments would grow as users look to buy new PCs with Microsoft's upcoming Windows 7 OS, which is due next month, and as companies look to refresh PCs. The global economy was partly boosted in the second quarter by worldwide economic stimulus efforts, especially in China, iSuppli said. China's stimulus efforts resulted in a massive increase in consumer purchasing, which benefitted worldwide economic conditions, iSuppli said. The U.S. stimulus effort - the American Recovery and Reinvestment Act - has a lesser effect as it wasn't implemented on a wide basis, iSuppli said. An economic stimulus package of $787 billion to spur economic activity was passed in February by Congress and signed into law by President Barack Obama.

US lawmakers question ICANN gTLD plan

Several U.S. lawmakers urged the Internet Corporation for Assigned Names and Numbers (ICANN) to back off on a plan to offer an unlimited number of new generic top-level domains until concerns about trademark protections and other issues can be addressed. Members of a subcommittee of the U.S. House of Representatives Judiciary Committee on Wednesday questioned ICANN Chief Operating Officer Doug Brent about why the organization continues to move forward with its plan to sell new generic top-level domains, or gTLDs. The board at ICANN, the nonprofit organization created in 1998 to oversee the Internet's domain name system, voted in June 2008 to move toward unlimited gTLDs, in addition to the 21 gTLDs available now, including .com, .biz, and .info. Judiciary Committee Chairman John Conyers, a Michigan Democrat, complained that ICANN hasn't been able to resolve complaints about its plan to sell new gTLDs to compete with .com, .org and other current TLDs. "This is a hearing we shouldn't have had to call," Conyers said. "If the parties had come together, I doubt if we'd be here this morning. You guys made us come here today."

Under the ICANN plan, anyone could apply for a new gTLD - some suggested have been .food, .basketball and .eco - at a cost of about US$100,000. ICANN had originally planned to offer them this year, but the latest estimate is February, and Brent said he expects that deadline to slip as ICANN works with critics to resolve issues. Asked by lawmakers how soon ICANN planned to offer new gTLDs, Brent said he wasn't sure. Critics of the TLD expansion, including Hewlett-Packard and Dell, have complained that a huge expansion of gTLDs would force trademark owners to buy multiple domains on each new gTLD, potentially costing them and their customers billions of dollars. This week, the Coalition Against Domain Name Abuse (CADNA), an organization with 19 large-business members, called on the U.S. government to conduct a "full-scale" audit of ICANN. "ICANN has not properly vetted this decision in an objective fashion," CADNA said. "This rollout expands the size of the Internet exponentially without first performing a sound cost/benefit and security and risk analysis to determine both desirability among and risk to Internet users."

At the Wednesday hearing, Conyers seemed to connect the gTLD disagreements with the end of an oversight agreement ICANN has with the U.S. Department of Commerce. ICANN's long-standing formal relationship with the U.S. government ends Sept. 30. "If you don't meet the 30th deadline, you're going to all be sorry that you didn't make it," Conyers said. A spokesman for Conyers wasn't immediately available to clarify his comment.

ICANN's Brent defended the organization's decision to move forward with new gTLDs. Internet users, including the U.S. government, have long called for new TLDs, he said. In addition, the expansion of TLDs would allow Internet users who don't use the Roman alphabet to have domain names in their native languages, he noted. Winners of new gTLDs will have to abide by a lengthy set of rules, he said. "ICANN did not casually think this plan up," Brent added. "This will not be an unbridled expansion. It is the work of many hands from a bottom-up process." Representative Bob Goodlatte, a Virginia Republican, questioned whether ICANN had enough resources to enforce strong trademark protections and other rules in the new gTLDs. He asked if ICANN saw that there were still "a lot of things that need to be worked out here." "We might question 'a lot,' but I think, absolutely we have more work to do," Brent answered.

Despite the continued concerns, Paul Stahura, CEO and president of domain-name registrar eNom, said the ICANN plan will lead to more competition among domain-name registries. "There is high consumer demand for many new gTLDs," he said. "There currently is little or no competition to satisfy this demand, and ... we shouldn't prohibit competition because of trademark concerns. Instead, we should address these concerns." But Steve DelBianco, executive director of e-commerce trade group NetChoice, suggested the new gTLDs are little more than an effort to create new labels, when ICANN has more important issues to work on. "Every day our industry and my members create new applications, Web sites and services," he said. "Labels are just one of the ways people find these new services. The label is not the creation, it's just something we stick on it." One proposed gTLD is .food, he said. "Dot-food won't create a single new restaurant," DelBianco said. "It won't create a new Web page, it won't create new restaurant reviews or online reservation sites."

Lawsuits over Heartland data breach folded into one

A lawsuit consolidating 16 separate class-action complaints brought by financial institutions against Heartland Payment Systems Inc. has been filed in U.S. District Court for the Southern District of Texas. The complaints allege that the payment processor was negligent in its duty to protect card holder data. The claims stem from the massive data breach disclosed by Princeton, N.J.-based Heartland in January. The amended complaint includes for the first time several statements that Heartland is alleged to have made regarding the controls it had in place to protect credit and debit card data just prior to the breach.

The lawsuit seeks compensation from Heartland for the costs that the financial institutions say they've had to bear in notifying customers about the breach and in reissuing new payment cards. Among the financial institutions listed are the Pennsylvania State Employees Credit Union, Lone Star Bank of North America and Amalgamated Bank of New York. The fact that the company suffered the breach despite its claimed security measures shows that Heartland either negligently or deliberately misrepresented the facts, the lawsuit alleged. "There were multiple lawsuits filed all over the country on behalf of financial institutions, and all of those cases were sent to federal court in Houston" for consolidation, said Joseph Sauder, an attorney with Chimicles & Tikellis LLP. The Haverford, Penn.-based law firm is representing some of the plaintiffs in the lawsuit. "This complaint incorporates the strongest claims from all of the financial institution class-action lawsuits," Sauder said. "The next step is for Heartland to file a response to this complaint," he said. The breach, which is considered the biggest involving payment card data, compromised more than 100 million credit and debit cards. Heartland on Jan. 20 disclosed that unknown intruders had broken into its network sometime last year and accessed payment card data belonging to an undisclosed number of customers.

So far, Heartland has publicly admitted to spending nearly $13 million on breach-related costs, and analysts expect it will cost the company millions more in the coming years. Heartland, one of the biggest payment processors in the U.S., manages about 100 million credit and debit-card transactions per month. The cases were consolidated in federal court in Texas because Heartland's data centers are located in that state, Sauder said. A "separate track" of cases involving consumer lawsuits against Heartland is also being heard in the same court, Sauder said. In September, Albert Gonzalez, 28, of Miami pleaded guilty to the data heist at Heartland and several other retailers, including TJX Companies Inc., BJ's Wholesale Club, Hannaford Bros. and Dave & Buster's restaurant chain.

Gonzalez is scheduled to be sentenced in December and faces 15 to 20 years in prison under the terms of his plea agreement. Heartland did not immediately respond to a request for comment.

Win 7 Launch: Early Adopters Eager to Bid Farewell to XP

At the Windows 7 launch in downtown Manhattan, Microsoft CEO Steve Ballmer unveiled the general availability of Windows 7 with his usual enthusiasm, emphasizing ease of use, faster boot up times and the ability to bring together the PC and the television. Ballmer drum-beating aside, Windows 7 has garnered some of the best reviews of any version of the OS. With user interface and networking features that are both slick and useful, and an army of hardware makers lined up with special deals on everything from netbooks to high-end gaming PCs running Windows 7, the setting seems ripe for consumers to upgrade or buy a new computer. Consumers. Check.

Enterprises, on the other hand, are a more complicated bunch. Yet despite the testing, planning and time-consuming complexities of an enterprise OS upgrade, corporate customers at the Windows 7 launch interviewed for this story are hankering to deploy Windows 7 in their environments. Early adopters from different lines of business and at different stages of migration agree on three points: Windows XP has had its day; Vista was never worth it; and Windows 7 offers businesses too many security, networking and navigation features to ignore. [ For complete coverage on Microsoft's new Windows 7 operating system - including hands-on reviews, video tutorials and advice on enterprise rollouts - see CIO.com's Windows 7 Bible. ]

XP Couldn't Last Forever

Holland America Line, a Seattle-based cruise ship company with a fleet that travels all over the world, has been aggressively testing Windows 7 as part of a migration from Windows XP for its 3,900 PCs across 14 cruise ships. Application managers in the company's IT and finance departments have been testing Windows 7 for application compatibility for about a year. Though only 20 machines run Windows 7 right now, IT manager Phil Norman says that a year from now he plans to have 50 percent of all machines at Holland America Line running Windows 7. "We tested Vista with a small group, but there were too many application compatibility issues. The benefit just wasn't there," says Norman, adding that Windows 7 is a "much more usable operating system, with better security features." Norman gives kudos to Windows XP for being a very stable and easy OS to maintain. "But only to a certain extent," he says. "More and more we're relying on third party vendors with XP, and it can't handle newer drivers."

Yes, Windows 7 Can Save You Money

Del Monte Foods, a San Francisco-based food production and distribution company that sells canned fruits and vegetables as well as pet foods, is at a similar stage in their Windows 7 deployment as Holland America Line, with 45 out of its 3,000 total business users running Windows 7 on their machines. The other users run Windows XP. The company skipped Vista because it was "cumbersome, hard to use and had too many compatibility issues," says David Glenn, Del Monte's director of enterprise operations. Del Monte plans to have Windows 7 on 1,000 machines within a year. Even though migrating from XP to Windows 7 is estimated to cost $1,035 to $1,930 per user, according to research firm Gartner, Glenn is confident that Windows 7 will ultimately save money for Del Monte. "The new Windows 7 hardware coming out is less expensive than hardware in XP's days," he says. "Also, Windows 7 is a lot easier to use, so our training and support costs will go down. One good example is connecting to a printer is so much easier with Windows 7," he says. Glenn adds that because Microsoft is pushing Windows 7 in the home market, Del Monte will encourage employees to upgrade on their home machines. "There's a lot of functionality in Windows 7 they can learn at home and bring with them to work."

Virtualize Those Apps

Migrating to Windows 7 has been made smoother for both Holland America Line and Del Monte by using MDOP (Microsoft Desktop Optimization Pack), a suite of add-on applications available to members of Microsoft's Software Assurance program that help manage a network of PCs. Both companies are using the Application Virtualization feature of MDOP, called App-V, to virtualize applications and make them available to Windows 7 users even if those apps are not compatible with Windows 7. "It's a temporary fix while application vendors get compatible and it will help speed up our deployments to Windows 7," says Glenn. Al Gillen, a VP at research firm IDC, offered a reminder that not all enterprises are so gung ho about Windows 7 adoption. But, he adds, there is a solid case for businesses to move on. "Mainstream support for XP has ended and that could become a liability for companies," says Gillen.

Windows 7: A Security Savior?

Mark McBeth, VP of IT at Starwood Hotels, has security on his mind as well. McBeth is in the process of testing and slowly migrating Starwood's 160 hotels (including the Sheraton and Westin brands) to Windows 7. With many different employees accessing the same computers at front desks, security poses a big concern. "Like most companies, we deal with external and internal security policies," says McBeth. "Any security breach and we are subject to fines, audits and bad PR. So obviously we want more security features in the OS, and Windows 7 provides that." Specifically, McBeth highlights the built-in security features of Internet Explorer 8, as well as AppLocker, a Windows 7 feature that protects users from running unauthorized software that could lead to malware infections, and BitLocker to Go, an encryption feature that protects the data on external hard drives and USB thumb drives. Norman of Holland America echoes the need to have security features baked into the OS. "In our industry there's lots of compliance. Our ships are basically floating cities," he says. "Windows 7 meets security needs better. With XP, we have resorted to using third party security vendors and there have been compatibility problems along the way."

A New Day for Microsoft

IDC's Gillen says that every company's Windows 7 adoption experience will be different. "Like any OS upgrade, there will be early adopters, and there will be late adopters," he says. But with positive reviews and a solid launch, Windows 7 could mark a new beginning for Microsoft, Gillen says. "Microsoft got a lot of criticism over Vista. This is a chance to rewrite the gamebook for both consumers and businesses."

Shane O'Neill is a senior writer at CIO.com. Follow him on Twitter at twitter.com/smoneill. Follow everything from CIO.com on Twitter at twitter.com/CIOonline.