Microsoft yesterday re-patched Internet Explorer, the third time it's been forced to repair one of the updates from its largest-ever bug fix, which was delivered on Oct. 13. Monday's fix targeted MS09-054, the update that patched four vulnerabilities, all "critical," in Internet Explorer (IE). According to Christopher Budd, a spokesman for the Microsoft Security Response Center (MSRC), the follow-on hotfix patches Web page display problems introduced by the update. The new problems can crop up in any still-supported edition of IE, including IE 5.01, IE6, IE7 and the newest version, IE8, on all Windows operating systems, including Windows 7. The troubles are serious enough to prompt Microsoft to push the re-patch to all users. "We plan to release this update through the same broad release channels as the original security update, MS09-054," Budd said in an entry to the MSRC blog yesterday. "Customers will see [the re-patch] offered by default through Windows Update, Microsoft Update and Automatic Updates." Computerworld confirmed that Windows XP, Vista and Windows 7 systems that had been fully patched last month were offered Monday's update through Windows Update. Budd downplayed the severity of the problems, saying that the number of users affected was "limited." A document on Microsoft's support site outlined the two issues, one that scrambles Web page elements, while the other spawns a "Type Mismatch" script error on sites that use VBScript or a mix of VBScript and JavaScript.

Monday's re-patch was the third correction related to Oct. 13's massive security update, which set records for both the number of separate bulletins (13) and the number of vulnerabilities quashed (34). On Oct. 14, Microsoft offered up a workaround for a problem with MS09-056, then corrected several errors in MS09-062 last Thursday. It's not unusual for Microsoft to re-release security updates. The company also revised an August update, MS09-043, last week to correct a patch-detection error that may have left some corporate users who receive updates via Windows Server Update Services (WSUS) unpatched. In June 2008, for example, the company admitted a patch intended to fix a problem in Windows XP's implementation of Bluetooth didn't work. The update for MS09-054 can be downloaded from Microsoft's site, or retrieved using Windows Update or WSUS.

Microsoft blamed human error for the snafu.

What was essentially a typo last night resulted in the temporary disappearance from the Internet of almost a million Web sites in Sweden - every address with a .se top-level domain name. Problems that affect an entire top-level zone have very wide-ranging effects as can be seen by the .se incident. … Imagine the same thing happening to the .com domain, which has over 80 million domain names." The total blackout of .se lasted for about an hour and a half, Pingdom says, although aftershocks are expected to continue. "The .SE registry used an incorrectly configured script to update the .se zone, which introduced an error to every single .se domain name," says Pingdom. "We have spoken to a number of industry insiders and what happened is that when updating the data, the script did not add a terminating '.' to the DNS records in the .se zone. According to Web monitoring company Pingdom, which happens to be based in Sweden, the disablement of an entire top-level domain "is exceptionally rare. … Usually it's a single domain name that has been incorrectly configured or the DNS servers of a single Web host having problems.

That trailing dot is necessary in the settings for DNS to understand that '.se' is the top-level domain. Thanks to well-functioning surveillance system .SE discovered the error immediately and a new file with the DNS data (zone file) was produced and distributed within one hour. … The false information that was sent out affected accessibility to all .se domains for a short time. It is a seemingly small detail, but without it, the whole DNS lookup chain broke down." Sweden's Internet Infrastructure Foundation, which administers .se, issued this statement: "The cause was an incorrect software update, which, despite our testing procedures were not detected. However, there may still be some name servers that have not changed out of misinformation against the real." A spokesperson for .se, Maria Eklund told a Swedish press outlet that the issues may not be completely resolved before Wednesday. "This little mistake is going to affect Internet traffic for two days," she told the newspaper. (Speculation that it's really the fault of newly "internationalized" ICANN begins in 3 … 2 … 1.)

PC makers looking to boost sales in recent years have increasingly zoned in on rural China, a vast and largely untapped source of new PC users. But other Chinese and foreign PC makers are also building their distribution networks in those regions in a bid to boost sales. "Most vendors have realized the importance of this market," said Simon Ye, a Gartner analyst. Lenovo and Hewlett-Packard are the major PC makers that have made the most progress in rural China, a term often used to describe everything from mountaintop villages to cities of a few hundred thousand people.

But not all PC makers are ready to tackle rural China, said Ye. The HP and Lenovo cases suggest that catered marketing tactics and a major investment in expanding a company's retail outlets are required for a rural sales push to succeed. The vendor further extends its reach by selling PCs out of vans that it sends around the country. HP this year has partners running 7,000 retail stores for its PCs in China, and it aims to expand that network to cover 10,000 Chinese towns next year. HP also has a van that visits universities, clients and IT expos to show off PCs and teach people how to use them. HP staff gave talks and showed the animated movie "Kung Fu Panda" as they displayed the company's PCs to students. In June the bus visited a rural elementary school near Chongqing, an inland Chinese metropolis.

Lenovo has also used movies to promote its PCs in rural areas. HP has grown to become the second-largest PC vendor in China, where it took 14.2 percent of the market in the second quarter, according to IDC. Lenovo, a Chinese brand, led the market with a share of 28.5 percent. The company arranges screenings of current films that it precedes with Lenovo ads. Many potential PC buyers remain untapped in rural China. Chinese authorities launched a subsidy scheme for rural residents early this year that grants a 13 percent rebate on the purchase of PCs and other electronics.

Just over one in four PCs sold in China in the same quarter were sold in tier-one and tier-two cities, a category that includes cities such as Beijing, Shanghai and some provincial capitals, according to IDC. "The remainder obviously shows you the big opportunity in the lower-tier cities," said Bryan Ma, an IDC analyst. The scheme, an effort to drive domestic economic growth amid the global recession, sold nearly 580,000 computers by the end of September, according to China's commerce ministry. More than 40 percent of the PCs sold in the scheme were from Lenovo in September. But those sales have been dominated by Chinese companies like Lenovo and Founder, another PC maker that has targeted the rural market. HP took just 3 percent of the sales, while Dell and Acer both had less than 1 percent.

Both companies equip the PCs to function through the electric voltage fluctuations common in rural areas. Both HP and Lenovo tweak PCs for rural buyers. They also load the machines with programs such as agricultural databases for farmers - and the companies' own entertainment suites. Lenovo is pitching its PCs as wedding gifts with slogans like, "Lenovo wedding computers, one step to a happy life." The marketing makes use of a traditional preference in China to give gifts that appear prestigious. Lenovo has tailored its ads for the rural market, where the company is building nearly 8,000 new sales outlets.

Another slogan targeting businesspeople calls Lenovo PCs the "golden key to information wealth." Dell is another PC maker that hopes to crack China's rural market, but the company has only recently begun seeking the distribution partners it will need to do so, said Ye of Gartner. HP's success has largely been driven by its use of different resellers in each region of China, he said. "It will take two to three years to see if Dell can reproduce HP's success," said Ye.

Apple missed a golden opportunity to lock down Snow Leopard when it again failed to fully implement security technology that Microsoft perfected nearly three years ago in Windows Vista, a noted Mac researcher said today. Miller was disappointed that Apple didn't improve ASLR from Leopard to Snow Leopard. "I hoped Snow Leopard would do full ASLR, but it doesn't," said Miller. "I don't understand why they didn't. But Apple missed an opportunity with Snow Leopard." Even so, Miller said, Apple made several moves that did improve Mac OS X 10.6's security. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus make it harder for them to craft reliable exploits. "Apple didn't change anything," said Charlie Miller, of Baltimore-based Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive "Pwn2own" hacker contests. "It's the exact same ASLR as in Leopard, which means it's not very good." Two years ago, Miller and other researchers criticized Apple for releasing Mac OS X 10.5, aka Leopard, with half-baked ASLR that failed to randomize important components of the OS, including the heap, the stack and the dynamic linker, the part of Leopard that links multiple shared libraries for an executable. Two that stand out, he said, were its revamp of QuickTime and additions to DEP (data execution prevention), another security feature used in Windows Vista. "Apple rewrote a bunch of QuickTime," said Miller, "which was really smart, since it's been the source of lots of bugs in the past." That's not surprising, since QuickTime supports scores of file formats, historically its weak link.

How Apple's rewrite of QuickTime for Snow Leopard plays out, of course, is uncertain, but Miller was optimistic. Last week, in fact, Apple patched four critical QuickTime vulnerabilities in the program's parsing of various file formats. An exploit of a vulnerability in Leopard's QuickTime that he had been saving doesn't work in the version included with Snow Leopard, Miller acknowledged. "They've shaken out hundreds of bugs in QuickTime over the years, but it was still really smart of them to rewrite it," said Miller. I don't think anyone would miss them." Snow Leopard's other major security improvement was in DEP, which Miller said has been significantly enhanced. If it was up to him, though, Miller would do even more. "I'd reduce the number of file formats from 200 or so to 50, and reduce the attack surface.

DEP is designed to stop some kinds of exploits - buffer overflow attacks, primarily - by blocking code from executing in memory that's supposed to contain only data. That's because if [the hacker] can hit 90% of the machines out there, that's all he's gonna do. Microsoft introduced DEP in Windows XP Service Pack 2 (SP2), and expanded it for Vista and the upcoming Windows 7. Put ASLR and DEP in an operating system, Miller argued, and it's much more difficult for hackers to create working attack code. "If you don't have either, or just one of the two [ASLR or DEP], you can still exploit bugs, but with both, it's much, much harder." Because Snow Leopard lacks fully-functional ASLR, Macs are still easier to compromise than Windows Vista systems, Miller said. "Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7," he said. "When Apple has both [in place], that's when I'll stop complaining about Apple's security." In the end, though, hacker disinterest in Mac OS X has more to do with numbers, as in market share, than in what protective measure Apple adds to the OS. "It's harder to write exploits for Windows than the Mac," Miller said, "but all you see are Windows exploits. It's not worth him nearly doubling his work just to get that last 10%." Mac users have long relied on that "security-through-obscurity" model to evade attack, and it's still working. "I still think you're pretty safe [on a Mac]," Miller said. "I wouldn't recommend antivirus on the Mac." But the missed opportunity continues to bother him. "ASLR and DEP are very important," Miller said. "I just don't understand why they didn't do ASLR right," especially, he added, since Apple touted Snow Leopard as a performance and reliability update to Leopard. "If someone else is running your machine, it's more unreliable than if you're running it," Miller concluded.

All engines, full reverse! Previously Skype and other Voice over IP (VoIP) applications for the iPhone, such as Fring, were relegated to Wi-Fi connections, prompting calls of foul play by consumers who often wanted to take advantage of features like the services' cheaper rates for international calling. That's the order AT&T seemed to be giving on Tuesday when it announced that it would be altering its existing policy to allow Internet phone applications such as Skype to place calls over the iPhone's cellular data connection. An FCC investigation was launched in April at the behest of Internet advocacy group Free Press, shortly after the Skype app was released for the iPhone.

While some alleged that AT&T's desire in keeping Skype off its data network was a way of stifling competition and forcing customers to use the wireless company's international calling options, it's also been suggested that AT&T was worried about the amount of traffic the immensely popular iPhone could bring to bear on its network. Notably, the ban did not apply to non-iPhone devices on AT&T's network. "Today's decision was made after evaluating our customers' expectations and use of the (iPhone) compared to dozens of others we offer," AT&T Wireless CEO Ralph de la Vega told The Wall Street Journal. Somewhat coincidentally - if you believe in such things - earlier in the day, Google and Verizon held a joint press conference to announce their new partnership, in which the two companies stressed network openness. Nor does it affect the contentious Google Voice service, which uses the standard telephone functions of the cellular network to route phone calls to and from users. The decision today does not apparently affect other applications that suffer from similar restrictions, such as the iPhone version of SlingPlayer Mobile, which allows users to stream video from their home devices only over Wi-Fi connections.