- +
Strategies for Dealing With IT Complexity 24/12/2007 10:30:47
Every innovation, every business process improvement, comes with an IT complexity tax that must be paid by CIOs in time, money and sweat. Here are strategies to mitigate the increasing complexity of IT as it enables new business.Every innovation, every business process improvement, comes with an IT complexity tax that must be paid by CIOs in time, money and sweat. Here are strategies to mitigate the increasing complexity of IT as it enables new business. - +
How to Get Real About Strategic Planning 04/02/2008 12:50:59
Everyone agrees that having a strategic plan for IT is a good thing but most CIOs approach the process with fear and loathing. In fact, the majority of CIOs (and the enterprises they work for) are faking it when it comes to strategic planning. Isn't it time we all got real?Oh, it must be nice to be the CIO of a FedEx or a GE or a Credit Suisse. Places where IT and the business are so tightly aligned you can barely tell the two apart. Where corporate leaders understand that IT is a strategic asset and support it as such - +
Ticked Off at Tick the Box Mentality 04/02/2008 13:01:15
Does your executive search firm know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients?Does your executive search firm know its MIS managers from its elbow? Does it even know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients? - +
Toxic Mix or Bit of a Mixed Blessing? 31/12/2007 10:36:30
“Eye of newt, and toe of frog, Wool of bat, and tongue of dog . . . ” The inter-generational office brew of Boomer, Gen X and Gen Y may not be quite as odious as that of the three witches in Shakespeare’s Macbeth, but even so it makes “for a charm of powerful trouble”"Eye of newt, and toe of frog, Wool of bat, and tongue of dog . . . " The inter-generational office brew of Boomer, Gen X and Gen Y may not be quite as odious as that of the three witches in Shakespeare's Macbeth, but even so it makes "for a charm of powerful trouble" - +
What Price Innovation? 05/11/2007 13:44:31
CIOs say they want more than the traditional “your mess for less” relationship with their outsourcing providers. And the providers want to market themselves as partners in innovation. So why isn’t it happening?CIOs say they want more than the traditional "your mess for less" relationship with their outsourcing providers. And the providers want to market themselves as partners in innovation. So why isn't it happening?
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Optimized Back-up and Recovery for VMWare for VMWare Infrastructure with EMC Avamar
EMC Data Profiling for File System and Exchange Server Environments
Enterprise Wireless WLAN Security
An EMC Perspective on Data De-Duplication for Backup
A Guide to Next-Generation Backup, Recovery and Archive
Network Aware Service Management
Revolutionising Back-up and Recovery
Wireless LANs: Is my enterprise at risk?
Zones provide focussed content from Computerworld and leading technology partners.Newsletter Subscription
Microsoft has clarified what it plans to patch to fix a bug in Windows XP and Server 2003, but said it had no plans to overhaul the operating system's protocol-handling technology.
Mark Miller, director of the Microsoft Security Response Center (MSRC), and Mike Reavey, the MSRC's operations manager, acknowledged there was confusion around its decision to patch a vulnerability in Windows XP and Windows Server 2003 on systems running Internet Explorer 7.
"There are two separate issues," said Miller, referring to the Universal Resource Identifier (URI) bug in Windows that was the focus of a security advisory issued last week, and a larger problem that first surfaced in June but gained traction in July. "The issue [from] back in June is really related to protocol handling, and is really around how third-party applications handle them," Miller said.
Starting four months ago, researchers uncovered vulnerabilities in applications such as Apple's Safari for Windows and Mozilla's Firefox that were traced to Windows' protocol handling, the technology that lets browsers run other programs via commands in the URL. In July, criticism mounted as some researchers said Microsoft bore full responsibility for the flaws, which could be used to hijack PCs. Others, however, defended Windows, saying it was the applications' duty to "sanitize" -- to guarantee that the URIs didn't allow invalid input -- the URLs they passed to the operating system.
"The answer is yes and no," said Reavey, when asked whether Microsoft was responsible for patching. Protocol handlers registered by Windows are its responsibility, he said, and will be fixed when flaws are found, but plugging holes in handlers registered by third-party developers is not Microsoft's job.
The most common protocols, such as mailto:, which opens the default e-mail client and pre-addresses the To: field after a user clinks a mailto: link, are Microsoft's. But other developers register protocol handlers as well. Mozilla, for example, registers a protocol handler dubbed "firefoxurl:" that's used to open another instance of Firefox.
Microsoft's decision to patch bugs in protocol handlers registered by Windows is the logical move, said Ben Greenbaum, a senior manager with Symantec's security response team. "Their software is on both sides of the Windows XP-Internet Explorer 7 vulnerability," said Greenbaum, "so they should be looking at patching that issue."
"If the protocol is one that Windows handles, we understand it's up to us to patch it," said Reavey. "Mailto: wasn't the problem, it's a problem in how Windows handles protocols."
But when asked if his team would revisit Windows' processing of third-party protocol handlers, Miller made it clear that at the present, Microsoft had no intention of changing anything. "We have no plans," he said. Other developers must secure the protocols they register, he continued. "The IE team did a very good blog post on this back in July."
Microsoft has not set a timetable for delivering the announced Windows XP and Windows 2003 patch. Likewise, it has only described the fix in general terms, saying Thursday that it would "revise our URI handling code within ShellExecute to be more strict." Miller, who declined to get more specific about either the schedule or the details, said: "The update will be part of our normal product update process. It will be released as soon as we feel it's ready."
At least one researcher thinks Microsoft should do more than just patch its own problems. "Part of the larger issue here is that vendors lack a clear standard on what is and what is not approved to be stuffed into these extended URL areas," said Andrew Storms, the director of security operations at nCircle Network Security. By the time a code snippet makes its way to the final executing program, the program is so far removed from the browser, it has no idea what has been sanitized, what has been escaped or what kind of information has been approved to be in the permitted list of data."
More importantly, added Symantec's Greenbaum, is that the debates over protocol handling vulnerabilities and patch responsibility have major implications in a Web 2.0 world. "This gets to the heart of secure coding and secure data," he said. "It's early, but the decisions made on this class of vulnerabilities could determine the long-range security of the Internet."
Computerworld Member Login
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
Fujitsu PC targets Today's Young Adults with the release of the L series 2008-10-14 12:40:00+10
RSA survey shows employees’ everyday behaviours puts sensitive business information at risk 2008-10-14 11:29:00+10
Sound Alliance Group expands with acquisition of Mess+Noise 2008-10-14 08:48:00+10
Sterling Commerce Introduces New Managed File Transfer Capabilities That Cuts Server Change Management Time in Half 2008-10-14 08:41:00+10
Simms Exclusive Distributor of Cygnett MP3 Accessories 2008-10-14 08:10:00+10
CRM your salespeople will love
Winning over the sales department and obtaining buy-in at all levels is crucial to the success of any CRM initiative. Discover how you can let salespeople work how they want to and reduce their administrative burden with the latest CRM technology.
