Advertising - Instant Ads Set the Pace on the Web: Via NYTimes.com .

Now, companies like Google, Yahoo and Microsoft let advertisers buy ads in the milliseconds between the time someone enters a site’s Web address and the moment the page appears. The technology, called real-time bidding, allows advertisers to examine site visitors one by one and bid to serve them ads almost instantly.

For example, say a man just searched for golf clubs on eBay (which has been testing a system from a company called AppNexus for more than a year). EBay can essentially follow that person’s activities in real time, deciding when and where to show him near-personalized ads for golf clubs throughout the Web.

If eBay finds out that he bought a driver at another site, it can update the ad immediately to start showing him tees, golf balls or a package vacation to St. Andrew’s, Scotland, often called the home of golf. If a woman was shopping, eBay could change the ad’s color or presentation. [ Read more ... ]

Hackers exploit latest IE zero-day with drive-by attacks: Via Computerworld Cybercrime/Hacking News.

Hackers are exploiting the just-disclosed unpatched bug in Internet Explorer (IE) to launch drive-by attacks from malicious Web sites, security researchers said today.

"This attack appears to be rather targeted at the moment, but as with other unpatched vulnerabilities in the past, this has the potential to explode now that the word is getting out," said Craig Schmugar, a threat researcher at McAfee, in a blog post today.

Attacks are launched from Web sites in a classic drive-by fashion, said Schmugar and others. "Visiting the page is enough to get infected," Schmugar said.

Symantec also confirmed that it has spotted in-the-wild attacks exploiting the critical vulnerability in IE6 and IE7 that Microsoft acknowledged yesterday. "We're still seeing just limited attacks," said Ben Greenbaum, a senior research manager on Symantec's security response team. "The exploit is carried out simply by visiting a Web page hosting the vulnerability. When the browser opens the page, the exploit causes the user's computer to download and execute another piece of malware." [ Read more ... ]

The Weakest Link Redux: Via EFF.org Updates.

We often criticize DMCA takedown abuse here at EFF, but last week's Cryptome snafu highlights another facet of the problem: how a DMCA takedown for one item can result in the removal of lots of lawful material.

To recap, Cryptome posted Microsoft’s global criminal compliance manual. Microsoft sent a DMCA takedown notice to Cryptome’s domain name registrar and web hosting provider, Network Solutions, alleging that the post infringed copyright. Under the DMCA, a web hosting provider is protected from copyright infringement liability if, among other things, it “expeditiously” disables access to material properly identified in a DMCA takedown notice. Network Solutions asked Cryptome to remove the Microsoft compliance manual. Cryptome refused explaining that the document was posted in order to help the public better understand Microsoft's practices, and followed up with a DMCA counternotice. Network Solutions promptly shut down the entire Cryptome website. Thus, a complaint about a single document caused significant collateral damage to the perfectly legal material on Cryptome. [ Read more ... ]

Cryptome's Publication of Microsoft's Compliance Manual is a Fair Use: Via EFF.org Updates.

Yesterday, Microsoft used a Digital Millennium Copyright Act (DMCA) takedown notice to demand that a copy of the "Microsoft® Online Services Global Criminal Compliance Handbook" (the Compliance Manual) be removed from Cryptome, a security website. As a result, Network Solutions felt obliged to takedown the entire Cryptome.org domain, a repository for thousands of important and controversial documents.

As is often the case, the ensuing uproar simply called more attention to the document in question. Yesterday evening, Microsoft wrote to Network Solutions and withdrew its takedown demand, while insisting that its copyright concern was nevertheless legitimate.

We appreciate that Microsoft acted quickly to correct its error, but are still disappointed that Microsoft nonetheless insists that, in the words of Evan Cox, outside counsel for Microsoft, "Microsoft has a good faith belief that the distribution of the file that was made available at that address infringes Microsoft's copyrights."

To the contrary, as we explain below, Cryptome's publication of the Compliance Manual is a clear fair use under the Copyright Act. [ Read more ... ]

Microsoft's new 'phone home' anti-piracy practice unacceptable, says critic: Via Computerworld Privacy News.

'At what point is one free of this' perpetual checking, asks Lauren Weinstein

The Internet advocate who blasted Microsoft in 2006 over the daily "phone home" habits of its anti-piracy software took the company to task again today for a new practice that will examine consumers' Windows 7 PCs every 90 days to make sure they're running legitimate copies of the OS.

Lauren Weinstein, the co-founder of People For Internet Responsibility (PFIR), urged Windows 7 users not to accept the option update to Windows Activation Technologies (WAT) when Microsoft begins seeding it to the Windows Update service later this month.

"The approach that Microsoft is now taking doesn't seem to make sense, even for honest consumers," Weinstein argued in a post to his blog. "Microsoft will trigger forced downgrading to non-genuine status if they believe a Windows 7 system is potentially pirated based on their 'phone home' checks that will occur at (for now) 90 day intervals during the entire life of Windows 7 on a given PC, even months or years after purchase. [ Read more ... ]

Microsoft Learned of IE Zero-Day Flaw Last September: Via Threat Level.

Microsoft was aware months ago of a critical security vulnerability well before hackers exploited it to breach Google, Adobe and other large U.S. companies but did not patch the hole completely until Thursday.

The software giant had intended to release a patch for the flaw in February — more than four months after learning about it, but had to speed up that plan and role it out this week in the wake of news that Google and others had been hacked through the flaw, the world’s largest software maker acknowledged Thursday.

Meron Sellen, a security researcher at BugSec, an Israeli firm, quietly reported the vulnerability to Microsoft in September, according to security firm Kaspersky.

Microsoft confirmed it learned of the so-called “zero-day” flaw months ago.

According to Microsoft, “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. [ Read more ... ]

Defeating Microsoft BitLocker: Via Schneier on Security.

Defeating BitLocker, even with a TPM.

Related.

Read Original Article:(Via Schneier on Security.)

Sneaky Microsoft plug-in puts Firefox users at risk: Via computerworld.

Patches critical bug, exploitable because of add-on silently slipped into Firefox last February

An add-on that Microsoft silently slipped into Mozilla's Firefox last February leaves the browser open to attack, Microsoft's security engineers acknowledged earlier this week.

One of the 13 security bulletins Microsoft released Tuesday affects not only Internet Explorer (IE), but also Firefox, thanks to a Microsoft-made plug-in pushed to Firefox users eight months ago in an update delivered via Windows Update.

"While the vulnerability is in an IE component, there is an attack vector for Firefox users as well," admitted Microsoft engineers in a post to the company's Security Research & Defense blog on Tuesday. "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox."

The Microsoft engineers described the possible threat as a "browse-and-get-owned" situation that only requires attackers to lure Firefox users to a rigged Web site. [ Read more ... ]

Microsoft Recovers Lost Sidekick Data - WSJ.com: Via WSJ-Wall Street Journal.

Microsoft Corp. said Thursday that it has been able to recover the personal customer data lost from many of T-Mobile USA's Sidekick devices.

The Redmond, Wash., software giant said that most, if not all, customer data was recovered, and that the company would begin restoring data as soon as it has validated it. The company said it will start with personal contacts, and move on to the lost calendar, notes, tasks and pictures as quickly as possible.

The fix comes as Microsoft suffers through a public backlash after mishandling the information found on the Sidekick line of messaging phones, which are popular with teenagers. T-Mobile already has offered affected subscribers a free month of data services and a $100 gift card. At least one customer has filed a lawsuit against both companies. [ Read more ... ]

Microsoft Loses Sidekick Users' Personal Data: Via Business Center - PC World.

Contacts, calendar entries, photographs and other personal information of Sidekick users has almost certainly been lost for good following a service disruption at Sidekick provider Danger, the Microsoft subsidiary said on Saturday.

The amount of data and number of users affected wasn't disclosed by Microsoft or T-Mobile, but the Sidekick support forums are buzzing with pleas from users looking for tips on how to restore their devices or get their data back.

On Saturday, Microsoft said any data that users had on their devices and is no longer there has almost certainly been permanently lost. [ Read more ... ]

Apple betrays the iPhone's business hopes by InfoWorld: Yahoo! Tech: Via InfoWorld: Yahoo! Tech.

Thousands of users have been accessing e-mail, calendars, and contacts over Exchange connections through their iPhones or iPod Touches, not knowing they were compromising their corporate security. During that entire time, Apple has extolled its support of Exchange and convinced many businesses that the iPhone was a corporate-class device they should embrace or, at least, tolerate.

It also turns out that Apple had a similar issue -- with a similarly stealthy fix -- in its iPhone OS 3.0 update, which corrected misreporting about its VPN policy support. [ Read more ... ]

Microsoft Security Bulletin MS09-048 - Critical: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723): Via Microsoft Security Bulletin.

This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. [ Read more ... ]

Microsoft's Free AV App May Be a Non-Starter: Via Slashdot.

CWmike writes "Microsoft is preparing to launch a public beta of Morro, the free anti-malware it announced last November, according to reports. Morro will use the same scanning engine as Windows Live OneCare, the software that the free software will replace and Microsoft's first consumer-grade antivirus package. OneCare is to get the boot as of June 30 (along with finance app Microsoft Money). John Pescatore, an analyst at Gartner, has questioned whether users would step up to Morro even if it was free. [ Read more ... ]

Security Fix - Microsoft Update Quietly Installs Firefox Extension: Via Security Fix - Voices at The Washington Post.

A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser.

Earlier this year, Microsoft shipped a bundle of updates known as a "service pack" for a programming platform called the Microsoft .NET Framework, which Microsoft and plenty of third-party developers use to run a variety of interactive programs on Windows. [ Read more ... ]

Microsoft Offers Secure Windows … But Only to the Government: Via Threat Level.

It’s the most secure distribution version of Windows XP ever produced by Microsoft: More than 600 settings are locked down tight, and critical security patches can be installed in an average of 72 hours instead of 57 days.  The only problem is, you have to join the Air Force to get it.

The Air Force persuaded Microsoft CEO Steve Ballmer to provide it with a secure Windows configuration that saved the service about $100 million in contract costs and countless hours of maintenance. At a congressional hearing this week on cybersecurity, Alan Paller, research director of the Sans Institute, shared the story as a template for how the government could use its massive purchasing power to get companies to produce more secure products. And those could eventually be available to the rest of us.

Security experts have been arguing for this “trickle-down” model for years.  But rather than wield its buying power for the greater good, the government has long wimped out and taken whatever vendors served them. If the Air Force case is a good judge, however, things might be changing.

Threat Level spoke with former CIO of the Air Force, John Gilligan, to get the details. [ Read more ... ]

Lobby Groups Launch Full Assault For Canadian DMCA: Via Slashdot.

An anonymous reader writes "Bill C-61, the previous attempt at a Canadian DMCA, may have failed, but it is clear that the music, movie, and business software industries are engaged in putting massive pressure on the Canadian government to bring it back. Lobbying records show several meetings each week with Government Ministers for CRIA, CMPDA, and Microsoft over the past month. Meanwhile, the CRIA is preparing a grassroots campaign in support of new copyright laws, even claiming that the current rules are costing jobs to truck drivers delivering CDs and DVDs."

Read Original Article:(Via Slashdot.)

DHS Appoints Microsoft Executive to Secure Government Computers: Via Wired: Threat Level.

You might not think it's newsworthy when the Department of Homeland Security fills a job vacancy. But it's news when a department that has security in its name actually appoints someone with security in his background.

Unfortunately, in this case, the security background comes courtesy of Microsoft, which might cause some to ponder the phrase "unclear on the concept." [ Read more ... ]

Rights Groups Speak Out Against Phorm, UK Comm. Database: Via Slashdot: Your Rights Online.

MJackson writes "The Open Rights Group (ORG) has issued a public letter to the Chief Privacy Officers (or the nearest equivalent) for seven of the world's largest website giants (including Microsoft and Google), asking them to boycott Phorm. The controversial Phorm system works with broadband ISPs to monitor what websites you visit for use in targeted advertising campaigns. [ Read more ... ]

UAC Whitelist Hole In Windows 7: Via Slashdot .

David Gerard writes "Microsoft tried to make Vista secure with User Access Control (UAC). They relaxed it a bit in Windows 7 because it was such a pain in the backside. Unfortunately, one way they did this (the third way so far found around UAC in Windows 7) was to give certain Microsoft files the power to just ... bypass UAC. Even more unfortunately, one of the DLLs they whitelisted was RUNDLL32.EXE. [ Read more ... ]

Gamer Claims Identifying As a Lesbian Led To Xbox Live Ban: Via Slashdot: Your Rights Online

Goatbert writes "I just read on the Consumerist about an XBOX Live user being banned for identifying herself as a lesbian. Despite appeals, Microsoft has stood by its position that merely mentioning that you are gay or lesbian is grounds for terminating your XBOX Live membership."

Read Original Article ( Via Slashdot: Your Rights Online. )

Hackers Jump On Newest IE7 Bug: Via Slashdot

CWmike writes "Attackers are already exploiting a bug in Internet Explorer 7 that Microsoft patched just last week, security researchers warned today. Although the attacks are currently in 'very, very small numbers,' they may be just the forerunner of a larger campaign, said Trend Micro's Jamz Yaneza. 'I see this as a proof-of-concept,' said Yaneza, who noted that the exploit's payload is extremely straightforward and explained that there has been no attempt to mask it by, say, planting a root kit on the victimized PC at the same time. 'I wouldn't be surprised to see this [exploit] show up in one of those Chinese exploit kits,' he added. The new attack code, which Trend Micro dubbed 'XML_Dloadr.a,' arrives in a spam message as a malicious file masquerading as a Microsoft Word document."

Read Original Article ( Via Slashdot. )

DRM in Microsoft UK's Mobile Music Service: Via EFF.org Updates

Late last week, Microsoft launched a mobile phone music downloading service in the UK, but the public has quickly focused its attention on Microsoft UK's mystifying choice to include digital rights management (DRM) on its music files. PC Pro reports that the restrictions prevent buyers from playing the music anywhere but on the mobile phone used to make the purchase, while tracks from the iTunes Music Store and Amazon's MP3 store are cheaper and DRM-free.

In a follow-up Q&A published by PC Pro, a Microsoft UK executive attempts a familiar "defense" of the DRM antifeature -- acting like the consumer may want less freedom with their purchased media:

[Q:] With the likes of iTunes and Amazon offering DRM-free music that you can play on any device, why would anyone choose the MSN Mobile service?

[A:] There may well be people who just want to listen to the track on their mobile alone.

[ Read more ... ]

Despite Gates' Prediction, Spam Far From a Thing of the Past: Via Slashdot

Slatterz writes "Bill Gates declared in 2004 at the World Economic Forum in Switzerland that spam would be 'a thing of the past' within five years. However, Graham Cluley, senior technology consultant at Sophos, has written in a blog post that 'with the prophecy's five-year anniversary approaching, spam continues to cause a headache for companies and home users.'"

Read Original Article ( Via Slashdot. )

Microsoft Brings Back DRM: Via Slashdot

Barence writes "Microsoft yesterday unveiled its MSN Mobile Music service — and a surprise return to digital rights management (DRM). While companies such as Apple and Amazon have finally moved to music download services free of copy protection, MSN Mobile locks tracks to the mobile handset they are downloaded to. It also charges more than the other services per track, and offers no way to transfer your tracks to your new phone when you upgrade. The company's Head of Mobile UK spoke to PC Pro about the launch, but his answers are almost as baffling as the service itself. Best quote: Q: 'If I buy these songs on your service — and they're locked to my phone — what happens when I upgrade my phone in six months' time?' A: 'Well, I think you know the answer to that.'"

Read Original Article ( Via Slashdot. )

Slashdot | US-CERT Says Microsoft's Advice On Downadup Worm Bogus: Via Slashdot

CWmike writes "Microsoft's advice on disabling Windows' "Autorun" feature is flawed, the U.S. Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack. US-CERT said in an alert that Microsoft's instructions on turning off Autorun are 'not fully effective' and 'could be considered a vulnerability.' The flaw in Microsoft's guidelines are important at the moment, because the "Downadup" worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features."

Read Original Article ( Via Slashdot. )