I was both bemused and pleased to read about NY Attorney General Andrew Cuomo having extracted a $375K settlement from both Symantec and McAfee to set aside what Network World reports as “…charges that they automatically charged customers software subscription renewal fees without their permission.” The gist of the argument is that customers didn’t receive sufficient warning that their AV service fees were really subscriptions that would renew automatically on a yearly basis after the initial purchase period expired. Here’s my favorite snippet from the story, a quote from Cuomo’s office: “Companies cannot play hide the ball when it comes to fees consumers are being charged.”
At least, in the enterprise world where service contracts are an important part of any volume purchase agreement, and must be invoiced yearly, things are a bit more explicit. But since so many IT administrators also dole out advice on home and personal gear and software, as well as take care of company or organization assets, you might want to let your users know that they’ll be able to opt out of automatic renewals in the future if they choose to do so.
Cynics see this tactic as a way to keep company revenue streams topped up, because they virtually guarantee ongoing cash flow once users sign up for a subscription. Both companies explain this maneuver as a way to help protect customers, especially by making sure they can keep their security software up-to-date. It will be interesting to see how their bottom lines fare as a result of this ruling (companies that do business in NY state are now required to refund such charges at user request, as long as users ask for a refund within the 60-day period following the posting of fees to a credit or debit card, bank account, or other payment instrument).
Personally, I think auto-renewal is a good thing, but that consumers shouldn’t be forced into accepting the arrangement. I also think that companies should be required to send a notification 60 days before auto-renewal occurs, and include opt-out information and links in such e-mails to make it easy for consumers who don’t want to stay on that bus to get off if they choose. I already get this level of service from companies based in the EU (where this sort of treatment is the norm), so US-based companies should be able to do likewise.
In the wake of numerous leaks about the upcoming product, Paul Thurrot was finally allowed to go public on June 18 about the replacement product for Windows Live OneCare. Formerly code-named “Morro” (for the famous beach in Rio de Janeiro), the product is almost into public beta, and will be called Microsoft Security Essentials (MSE). His story about the product and its checkered history makes fascinating reading: check it out on his SuperSite for Windows. It looks like current plans are for general availability when Windows 7 goes into GA (on or about 10/22/2009). This offering will be free of charge, and will work with 32- and 64-bit versions of Vista and Windows 7 (32-bit Windows XP versions only).
In describing the product, Thurrot starts by listing what’s been rumored or reported about the product that isn’t true. Here goes my summary/recap:
- it’s not a “cloud computing AV solution” though it does support near-real-time updates
- There’s no managed firewall
- There’s no management facility for multiple computers on a home network
- There’s no application controls nor GPO capability
According to Thurrot, what MSE does have to offer essentially boils down to “OneCare minus the stuff that’s not related to fighting malware.” He also goes on to describe MSE as “small, fast, light, and effective.” Right after that he starts to elicit some incredulity when he says “…and since it’s built on the same award-winning underpinnings as Microsoft’s other security products you know you can trust it.” Wait a minute: is this for real. Yep! When I go off to look at the latest Virus Bulletin 100 (aka vb100) there it is with a vb100 sticker (but it appears that Thurrot is really talking about ForeFront which has also earned vb100s consistently starting as far back as June 2007 ).
I have to say that MSE appears to be a real boon, especially for users in need of low-cost/no-cost protection for virtual machines as well as real ones. According to Thurrot the public beta will commence next Tuesday on June 23. I think we’re going to have to check this out!
Here’s an interesting story from June 16 on the SPAMfighter.com Website, based on recently-released research work from leading antispyware firm Webroot. It’s entitled “Vista Low on Malware Detection” and makes some pretty interesting points:
- The OS demonstrates only limited built-in malware blocking capabilities: it cannot block 84% of common malware elements, including some of the most common and well-known malware and spyware versions.
- Some malicious code was able to install at administrative privilege level, execute code, and use a keylogger, but Windows Defender could neither detect nor stymie its installation or run-time activities.
- Signature updates for malware were also observed to be “extremely slow” on Windows Vista.
What’s the point? Try this quote for size “…security experts…cautioned users that the default malware blocking software as well as the anti-virus programs of Microsoft may fail to provide them comprehensive protection…” Duh!?
When it comes to news like this, I’d like for them to tell me more about what they learned in doing their analysis, and how other threat prevention mechanisms fared as well. Everybody knows that additional protection is necessary for Windows PC active on the Internet, and most corporate security policies require specific and more powerful antimalware coverage anyway. What would have been more interesting and potentially useful would have been a comparison of effectiveness for leading antispyware programs (including Webroot’s own Spyware Sweeper, PC Tools Spyware Doctor, and so forth and so on), as well as speed comparisons for signature updates and scanning for XP, Vista, and Windows 7.
I’m hoping more and more of that detailed information becomes available as Windows 7 heads for commercial release in October. And gosh, would I ever love it if somebody stepped up to fund an organziation like Virus Bulletin for the anti-spyware community. There may never be an AntiSpyware 100 (AS100) like the VB100 if what I know about spyware remains true — and things show no signs of changing in this regard — but it would be nice to have AS80-plus or AS90-plus ratings to help separate the merely adequate antispyware packages from the real star performers. To me, that would be some real news!
A great story in Western Australia Today (WAtoday.com.au) features Ms. Larson-Green, the person behind the ribbon technology introduced in Office 2007, who has since taken over ownership of the Windows 7 UI and its usability (called “Windows Experience”) prior to the imminent launch of that new flagship OS in October, 2009. The story is entitled “Meet Microsoft’s antidote to Vista” and describes Larson-Green’s background, motivation, and focus in helping to prepare Windows 7 for beta testing and launch. Refreshingly her self-professed goal is to “…build an operating system that doesn’t require people to take computer classes or master thick manuals.” Larson-Green credits a work history that includes waiting tables and answering customer support calls at Aldus (now part of Adobe) for sensitivity to customer wants and needs, and empathy with their trials and tribulations.
She focused on more centralized planning, and better coordination to create a more cohensive and intuitive look and feel for Windows 7. She also worked hard to eliminate the scores of pop-ups, alerts, and notification that system developers mean to be informative, but which bedevil ordinary users who simply want nothing more than to get them out of the way (to me, this finally explains the consolidation of alerts into the Windows 7 Action Center, and why only generic alerts get issued periodically–I hadn’t realized the noise had gone away, but had definitely noticed its reduction subliminally).
According to the story, Larson’s mantra is best stated as “user in control’ (hooray, what a simple but significant concept). The goal was “…to build an operating system people could use without studying first, one that would let them get right to reading the news or sending email without dragging them down a rabbit hole of setting and configurations. A system with manners…”
Larson-Green is already at work on Windows 8, though her group is still engaged in occasional tweaks to Windows 7 (though this will freeze solid in mid-July when the RTM version goes to OEMs for the October 22, 2009 release). Larson-Green says she plans to measure how well Windows 7 is doing “…by conversations she overhears at Best Buy and comments posted by bloggers.” Her hope is that people will like it. If my recent experiences in getting to know and writing about Windows 7 in the past three months are any indication, I don’t think she’s going to be too disappoointed.
Last November, MS announced its plans to create a no-cost consumer security software product. Code-named “Morro,” this solution is supposed to debut in H209 and be able to deal with viruses, spyware, rootkits, and Trojans. It’s going to be low-footprint on the client side, and use Web-based services and scanning technologies to keep resource consumption and local file sizes small and zippy. Ultimately, Morro will replace Windows Live OneCare, and take over the low-end security role for the company.
Recently, lots of published accounts have mentioned that MS is now testing Morro internally in-house, and is preparing a public beta of the technology (see this ComputerWorld story, for example). This Reuters newswire story posted on Wednesday, June 10, indicates that this beta will be unleashed “soon.” Interestingly, stock values for both Symantec and McAfee dropped with this news, with investors guessing that those companies will lose (paying customer) market share in the face of an at least potentially credible free product. Well-known Windows maven Paul Thurrot is quoted in the ComputerWorld story as suggesting that news of the imminent beta was leaked prematurely, and that “…it wasn’t supposed to be today,” apparently confirming that “soon” means “not yet.”
When the product does make its appearance, even enterprise administrators might find it worthwhile for certain applications. Chief among these will be the new Windows XP Mode available in copies of Windows 7 Professional, Enterprise, and Ultimate editions. Even VMs need security software, and this could be just the ticket for sufficient coverage to keep those occasionally used virtual desktops safe and secure.
OK, so yesterday’s Patch Tuesday does the deed for June. It’s a monster: 10 security bulletins, 31 vulnerabilities addressed, and involving most versions of Windows itself, IE, and various MS Office and related elements (Works, Word, and Excel). Even the Windows Print Spooler and OS Kernel get in on the act!
Of the 10 bulletins issues, half (5) are critical, and fill some gaping widely-known holes in MS security. Chief among these: the dual WebDAV gothas for IIS publicized in May (explained in this Ryan Naraine blog from 5/19) and the infamous Pwn2Own vulnerability discovered in March at the CanSecWest conference in Vancouver.
|MS09-018||Critical||Active Directory, Server 2000/203||2 remote code execution items|
|MS09-019||Critical||IE version 5-8||8 vulnerabilities, including remote code execution items|
|MS09-020||Important||IIS||2 vulnerabiliites allowing elevation of privilege|
|MS09-021||Critical||MS Excel||7 vulnerabilities including remote code execution|
|MS09-022||Critical||Windows Print Spooler||3 vulnerabilities, including remote code execution (Windows|
|MS09-023||Moderate||Windows Search||Single vulnerability could allow info disclosure|
|MS09-024||Critical||Microsoft Works converter||Could allow remote code execution|
|MS09-025||Important||Windows kernel||4 vulnerabilities that could allow elevation of privilege|
|MS09-026||Important||RPC||Could allow execution of arbitrary code or takeover|
|MS09-027||Critical||MS Word||2 vulnerabiltiies could allow remote code execution|
OK, now the rumors are no longer rumors, and the launch date, aka GA (General Availability), is out thanks to Steve Ballmer’s keynote at Computex (much) earlier today in Taipei, Taiwan, and Brandon LeBlanc’s “Date for General Availability” posting to the Windows 7 Team Blog yesterday.
Here’s the deal, in broad strokes:
- Windows 7 hits store shelves on 10/22/2009, ostensibly to have it ready for the holiday buying season (lots of others outside MS are speculating it’s more of a pre-emptive strike against Android which becomes available at the end of October)
- The Windows 7 Upgrade Option will kick in “soon” which permits those who purchase a new and qualifying PC to exercise “…a special deal to upgrade to Windows 7…” Look for Brandon to blog about this program with dates and more details as “soon” becomes “real soon,” I guess! (According to TechARP, a usually reliable source for leaked MS secrets, this will happen on July 1.)
- RTM should occur some time in mid-July, with Windows Server 2008 R2 following in the same time frame.
OK, now what I want to know is when MSDN and TechNet subscribers can lay hands on the RTM version. I hope we’ll see some more information on that very soon. Not only am I itching to get and use this code, I’m also working on a book that we’re going to have to review very thoroughly to make sure it agrees with the RTM version in all respects and in every screenshot. Stay tuned!
It just goes to show you that sometimes enough hullaballoo can cause even the biggest of dogs to change its bark. Case in point: the hue and cry that followed the disclosure earlier this year that Microsoft’s Windows 7 Starter Edition would be limited to 3 simultaneous applications while running. Ed Bott showed that this wasn’t really a hard and fast limit anyway, because it included as many browser tabs as you might want to open in a single window, and apparently didn’t charge for use of OS-based utilities (Windows Explorer, Microsoft console programs, Accessories, and so forth).
Nevertheless, I’m pleased to report that on May 29, Windows 7 product manager Brandon LeBlanc posted to the Windows Team Blog an item entitled “Let’s talk about Windows 7 Starter.” Among other tidbits of interesting info, includes the news that Windows 7 Starter will no longer impose any arbitrary limitations on the number of apps it can run at the same time. Of course, given the kinds of machines that are typical for the netbook platforms at which it aims, I suspect that CPU limitations will still play a role in the number of apps anybody will want to keep open at any given moment.
What’s just as interesting about this posting is the list of things that Windows 7 Starter does NOT include, which I quote verbatim from LeBlanc’s posting:
- Aero Glass, meaning you can only use the “Windows Basic” or other opaque themes. It also means you do not get Taskbar Previews or Aero Peek
- Personalization features for changing desktop backgrounds, window colors, or sound schemes.
- The ability to switch between users without having to log off.
- Multi-monitor support.
- DVD playback.
- Windows Media Center for watching recorded TV or other media.
- Remote Media Streaming for streaming your music, videos, and recorded TV from your home computer.
- Domain support for business customers.
- XP Mode for those that want the ability to run older Windows XP programs on Windows 7.
To me, most of these limitations make a lot of sense. The only one I’d complain about is the multi-monitor support one: given that most netbooks offer resolution of 1024×600 or so (especially those with 10.1″ screens or smaller) it strikes me as cruel and unusual to keep me from hooking up an external monitor when one is available. The hardware includes a VGA (or equivalent) video out port, so why should the OS restrict its use?
Let’s make some more hullaballoo! Maybe we can get MS to back off on this, too. I’ve already posted this observation to the comments on the blog. Perhaps you could, too?
Previously aswoon with relief at a more stable system after installing Vista SP2, I failed to notice an interesting dilemma: although I can access local area network resources, and have no trouble using the Internet, Vista thinks I’m not connected to any network. This leads to a very interesting display in Windows Explorer, in fact:
I conducted a little research into this situation and learned that this problem has persisted since Microsoft introduced SP1 for Vista — I guess I should be grateful it waited this long to bite one of my systems — and that there’s no easy fix available. I tried leaving, then rejoining my local workgroup, rebuilt my TCP/IP protocol stack, uninstalled then reinstalled my NIC driver — all to no avail. Looking over the various fixes others have attempted — see this discussion on the MSDN Forums entitled “Windows Vista – LAN working properly, but Vista says I’m not connected,” for example — I see I hit most of the high points. But since nobody else has been able to fix this, either I supposed I shouldn’t feel so bad.
Nonetheless, I can’t help it. It bugs me no end when things don’t work like they’re supposed to, and I can neither fix them nor figure out why or how they broke. Maybe that’s what keeps me banging my head against Vista after all these years, eh?
With a publication date of 5/25/2009, Windows Vista Service Pack 2 actually hit the Microsoft Download Center yesterday (5/26/2009). It’s official title is “Windows Server 2008 Service Pack 2 and Windows Vista Service Pack 2 – Five Language Standalone DVD ISO (KB948465).” Not only does this image roll up Windows Server 2008 and Windows Vista in a single ISO image file; it also includes both 32- and 64-bit versions of both OSes. The following Vista versions are also included:
- Windows Vista Business
- Windows Vista Enterprise
- Windows Vista Home Basic
- Windows Vista Home Premium
- Windows Vista Ultimate
On the Server side, 32- and 64-bit versions for standard processors are available, plus a version for Itanium-based systems as well.
There’s also a TechNet article available dated 5/26/09, entitled “Service Pack 2 for Windows Server 2008 and Windows Vista.” This is where most people will want to go to grab their downloads, because you can get separate versions here for ISO (the preceding item in the initial paragraph), but also separate links for x86, x64, and ia64 (Itanium) versions are also available. You’ll also find a link here to the Windows Service Pack Blocker Tool, and a FAQ that describes its recommended uses.
It will still be a while before Windows Update provides automatic access to Windows Vista SP2, so you may want to give the TechNet link above a visit in the meantime.