  • Seven Security Bulletins, at least 19 holes

    And six of the patches are for Internet Explorer 7 on Vista. What a record for the latest, ultra-secure versions, eh?

    The official, full list is here. Ryan Naraine has posted an excellent overview. Hold onto yer hats, folks. This is gonna be one wild ride.

    Whatever you do, don’t apply the patches yet. Many of them go deep inside Windows, and there are bound to be many, many howls of pain in the coming days. I’m seeing some evidence of server meltdown on the Microsoft site – at least, access to microsoft.com from where I am is slower than ever.

    We remain at MS-DEFCON 2, for both Windows XP and Windows Vista: “Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.”

    UPDATE: The SANS Internet Storm Center lists three of the Security Bulletins as having known exploits. One, the MS07-027 Internet Explorer patch, contains some ho-hum fixes for IE that shouldn’t affect you because you use Firefox, right? (The best part of the MS07-027 patch seems to be fixes to IE’s printing proclivities.) The second bulletin with known exploits, MS07-029, fixes the DNS hole that appears in various versions of Windows Server; since you probably don’t run Windows Server, that one isn’t a big deal.

    The third actively exploited patch, MS07-024, applies to Word, and that may cause you concern – after all, you probably use Word, and the last thing you need is to get stung by a security hole. But if you dig a little deeper, you’ll find that the 0day exploits for this hole are “subject to very limited and targeted attacks to Word. Our ongoing monitoring of the situation has indicated that the scope of attacks has remained limited throughout the life of the issue.” MS07-024 fixes the 0day hole described in Security Advisory 933052. In other words, you have a better chance of being struck by lightning than getting hit with this 0day.

    Of course, now that the patches are out, the cretins are combing over them, trying to find what’s been fixed. So the situation will change. But for now, I suggest you keep your powder dry, and refrain from knee-jerk patching.

  • Still at MS-DEFCON 2

    Just a reminder.

    There’s a big blob of patches headed our way in less than 48 hours.

    Now’s a good time to batten down the hatches, make sure that you don’t have Automatic Update turned on, and learn to sit on your thumbs. The sky isn’t falling, in spite of what you may read on Patch Tuesday.

    You Vista users (and you know who you are): I continue to strongly recommend that you avoid the Vista Media Center Patch Rollup 1. There are still unresolved problems with the patch rollup, and the benefits aren’t worth the hassles.

  • Stick a fork in it – Windows Live Hotmail is done

    As anticipated, Microsoft has officially announced that Windows Live Hotmail is live.

    The successor to Hotmail, then MSN Hotmail, then Windows Live Mail, Windows Live Hotmail has been 10.5 years in the making, in Internet time. Microsoft hypes Windows Live Hotmail as being “more like Outlook” – a dubious distinction at best. For years, Microsoft has been saying that every generation of Hotmail is “more like Outlook.” Perhaps some day Hotmail’s designers will have the guts to give us a version that’s less like Outlook.

    With excellent alternatives from Google and Yahoo!, the latest Hotmail draws a stifled yawn from my corner.

  • Transportation (in)Security Agency misplaces 100,000 employees’ data

    Daily Tech reports that the US Transportation Security Agency can’t find “an external computer hard drive containing the personal, bank and payroll information of up to 100,000 former and current Transportation Security Administration (TSA) employees… The TSA is unaware if the hard drive has left its premises. The hard drive contained sensitive information on employees who worked for the TSA from January 2002 until August 2005. The agency employs almost 50,000 people and is the agency responsible for securing transportation systems in the country, including airports and railroads.”

    TSA must have horrendous turnover problems. Do the math. If the numbers are right, in less than four years, they’ve had 100% turnover.

    Compounding the problem: apparently TSA brass learned about the, uh, leakage on Thursday, but didn’t warn the 100,000 until Friday night.

  • Microhoo goes pffffffffft?

    The Wall Street Journal reports that the merger talks between Microsoft and Yahoo are in the past tense.

    That doesn’t surprise me too much. But this part did:

    Whatever the outcome, Microsoft’s online division could be heading for a shake-up, say people familiar with the situation. Failure by the Redmond, Wash., company to make better headway against Google in Internet search, combined with Microsoft losing a deal to Google last month to buy online-advertising specialist DoubleClick, has spurred Microsoft Chief Executive Steve Ballmer to consider new action, these people say. Mr. Ballmer’s frustration with the group’s progress has been “palpable,” said a person familiar with the company.

    When SteveB turns palpable, you gotta watch out for flying chairs. Could it be that Windows Live is going to go through (yet another) gut-wrenching change? Does this mean we get a new name for Hotmail, er, MSN Hotmail, uh, Windows Live Mail, d’oh, Windows Live Hotmail?

    Microsoft’s online efforts aren’t cutting the mustard. Even if Scoble is convinced that Office will move to the Web, compliments of Silverlight, I keep seeing too little, too late.

    Microsoft’s cash cows are bleating.

  • 09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0

    So sue me.

    09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0

    BBC has a good overview of the “Digital Rights Management” (in my books I call it C.R.A.P.) brouhaha that’s erupted ever since folks started posting the key that could unlock some HD-DVDs.

    With a tip o’ the hat to Kevin Rose. You did The Right Thing, my man.

  • Harry McCracken

    I’ve written a bit, now and then, for PC World. Like all the other computer-oriented hard copy magazines, PC World has fallen on some hard times. Through it all, the people there have maintained a very high level of professionalism: I may disagree with a PC World article or two now and then, but there’s never been any question that the folks running the mag are involved, passionate, knowledgeable and honest.

    Until now.

    Harry McCracken, who’s been with PC World for 12 years, abruptly resigned as Editor-in-Chief “over disagreements with the magazine’s publisher regarding stories critical of advertisers.” Ed Bott reports that Harry apparently left when his new boss drew flak from Steve Jobs over an article entitled “Ten Things We Hate About Apple.” The article got spiked. Harry hit the streets.

    I’d be willing to bet that many folks I know at PC World won’t stick around very long. When a journo loses his integrity, there ain’t much left.

    Good on ya, Harry. Come visit me in Phuket. We can do some honest work slinging sandwiches and pouring lattes.

  • and a partridge in a pear tree

    Microsoft has posted its official advance notification about the patches we should see next Tuesday.

    Looks like we’re going to see a fix for the DNS problem that’s been plaguing Windows Server sites. And there will be lots and lots of non-security patches.

    The scorecard:

    Windows – 2 security bulletins
    Office – 3 security bulletins
    2 you probably don’t need to worry about, one for Exchange Server and one for CAPICOM/BizTalk

    There will also be seven non-security updates.

    Time to hunker down and listen for the scream of the cannon fodder. Read the admonitions on my Microsoft Patch Reliability Ratings page. Get all your patches up to date (except the Vista Media Center patch rollup), then make sure you have Automatic Update turned off on all of your machines.

    It’ll be one bloody Tuesday, guaranteed.

    We’re at MS-DEFCON 2.

  • Microsoft Update “svchost” redline getting fixed – sooner or later

    Susan Bradley, writing in this week’s paid version of Windows Secrets Newsletter, notes that Microsoft is aware of the svchost “red line” problem that I discussed a month ago. In particular, for many people, installing the April Patch Tuesday patches caused their machines to run up to 100% utilization for extended periods of time when Microsoft Update or Windows Update started running.

    “For those who have been suffering from near-crippling speed issues, in which your computer comes to a near standstill when booting up or scanning for updates, help is on the way. Bobbie Harder announced the good news on the WSUS blog. An issue with the svchost.exe process, which runs Windows Update and Microsoft Update and can consume 100% of your computer’s CPU processing power, will be resolved over the next few months.”

    Before you click through to the referenced WSUS blog posting, strap on your hip waders. The jargon runs hot and heavy.

  • Windows Live Hotmail ready to go, uh, live

    Be still my heart.

    Microsoft started publicly beta testing the new version of Hotmail, er, Windows Live Mail, uh, Windows Live Hotmail (the current name) about 18 months ago.

    Numerous notices have sprung up around the Internet that (gawrsh!) Microsoft is just about ready to make Windows Live Hotmail live.

    In a world where improvements to online software appear about as frequently as episodes of House, it’s refreshing to see a company mired in the old Windows-era development paradigm, where we see new versions – with marginal improvements – every six years or so.

  • DON’T install Windows Vista Media Center patch rollup KB 932818

    I’m continuing to hear about problems with Microsoft’s “Cumulative Update for Media Center for Windows Vista,” better known as KB 932818.

    I repeat my warning posted here a week ago: if you have Windows Vista Home Premium or Ultimate (the only versions of Vista that include the new Windows Media Center), do NOT install the KB 932818 patch until we have more information about the screw-ups.

    The KB article is up to version 2.1, which is never a good sign. Vista Home Premium and Ultimate users should wait until Microsoft acknowledges and fixes the problems.

    Those of you running Windows XP should get your patches installed now. Read about the problems, particularly with red-lining Microsoft Update runs, on my Microsoft Patch Reliability Ratings page, then get yourself patched up.

  • Beware using Winamp with MP4 files

    If you use Winamp as your media player (it’s a good alternative to Windows Media Player, and beats iTunes, too), you need to be aware of a new 0day hole in Winamp.

    This 0day affects the latest version of Winamp – version 5.34 – and it’s out in the wild, right now.

    Until there’s a patch available, you need to be ultra-cautious when running MP4 (video) files under Winamp. You can’t get stung by merely surfing to a contaminated Web site: you have to download and play the MP4 file (or view an MP4 file that’s sent to you via email or some other means).

    Keep an eye on the Winamp site for word of a fix. Alas, Winamp’s site doesn’t yet have a big warning sign. But you can bet that they’ll trumpet the fix as soon as it’s available.