Over the last week there have been a number of reports of automated SQL injection attacks on Web sites running Microsoft’s flagship IIS Web server. The Washington Post’s Brian Krebs summarizes them nicely in Hundreds of Thousands of Microsoft Web Servers Hacked.
If there is any good news in this, it is that the server modifications so far only amount to the addition of a Javascript malware loader on site Web pages. While this loader will infect unpatched browsers (and apparently RealPlayer and Yahoo Instant Messenger), the browser holes that it exploits are not new and patches have previously been made available. The status on RealPlayer and Yahoo IM is currently unclear.
It isn’t entirely clear whether there is actually a vulnerability in IIS or it’s just the usual problem of Web programmers not sanitizing user input, but Microsoft has issued a security advisory (951306) with workarounds.
Update: Microsoft’s Bill Sisk says that the problem is due to poor Web programming practices and not any IIS vulnerability and also that security advisory 951306 is for a different problem.
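The programming defect both reports point to, as an added illustration that is not code from the original post or from any affected site: a page lookup built by string concatenation beside its parameterized form. Python with an in-memory SQLite database stands in for the ASP/SQL Server stacks involved; the `pages` table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: a small "pages" table standing in for site content
# that a Web page might look up by a value taken from the query string.
SAMPLE_ROWS = [
    (1, "home", "<p>Welcome</p>"),
    (2, "about", "<p>About us</p>"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, slug TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, slug):
    """Unsanitized input spliced into the SQL text.

    The request value becomes part of the statement itself, so quotes and
    operators inside it change what the query does rather than what it
    matches. This is the pattern the mass attacks relied on.
    """
    sql = "SELECT slug FROM pages WHERE slug = '" + slug + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, slug):
    """Same lookup with placeholder binding.

    The driver sends the value separately from the statement, so whatever
    the request contains can only ever be compared against slug as data.
    """
    sql = "SELECT slug FROM pages WHERE slug = ?"
    return sorted(row[0] for row in conn.execute(sql, (slug,)))


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 'a'='a"  # a value that is plainly not a real slug
    print("vulnerable:", lookup_vulnerable(db, probe))      # every row
    print("parameterized:", lookup_parameterized(db, probe))  # nothing
```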
Microsoft Developer Division General Manager Scott Guthrie today revealed the roadmap for a series of additional Web development products that build on top of last week’s RTM of Visual Studio and .NET FX 3.5. In outline form with liberal quoting from Guthrie, it looks like the following:
The Windows Server Division Weblog heralds the restricted release of the June 2007 Community Technology Preview (CTP) of Windows Server 2008:
This week Microsoft is holding its TechEd 2007 conference and there’s a variety of news:
Bob Muglia, SVP of Microsoft’s Server and Tools Business kicked off TechED 2007 by detailing the company’s strategy for Dynamic IT for the People-Ready Business (Dynamic IT). Apparently it was as bad as it sounds although there were some redeeming features.
More substantially, Muglia also announced assorted product news including the official names for Katmai and Orcas as well as revealing two acquisitions:
Microsoft Corp. today unveiled the first publicly available test version of the next edition of Windows Server, code-named “Longhorn.” The release allows people to evaluate the increased control, flexibility and protection built into Microsoft Windows Server “Longhorn” Beta 3, available for download today at http://www.microsoft.com/getbeta3. The final version of Windows Server “Longhorn” is on track for release to manufacturing in the second half of 2007.
…
The newest version of Microsoft’s Web server, Internet Information Services (IIS) 7.0, also provides a more secure, extensible platform for efficiently managing and reliably hosting Web applications and services. Microsoft is today announcing the availability of the IIS7 Go Live license, which will allow customers to host Web applications and .NET 3.0 Web services on Windows Server “Longhorn” Beta 3 in live production environments.
…
The Beta 3 release of Windows Server “Longhorn” marks the beginning of the second wave of innovation to be delivered by Microsoft over the next year. Following on the heels of the successful launch of Windows Vista™ and the 2007 Office system are Windows Server “Longhorn” and the next versions of Visual Studio®, code-named “Orcas,” and Microsoft SQL Server™, code-named “Katmai.” These products will provide organizations with an advanced development and Web platform as well as streamlined data management and analysis, enabling infrastructure optimization.
There’s more on new features in Beta 3 by following the link, but I didn’t spot any surprises although there have certainly been enhancements. David Lowe at the Windows Server Division weblog has more details on how Beta 3 will be widely distributed plus some new information resources including the Windows Server Code Name “Longhorn” Technical Library, a Reviewer’s Guide, and some free e-learning clinics.