IE7 Flaw? Vista in Europe; Yahoo's Browser

Oct 22, 2006 19:22 GMT  ·  By

On Monday, Alexandra Huft, a Microsoft representative, wrote on a blog that sample attack code that exploits a vulnerability in PowerPoint has been published on the Internet. "I wanted to let you know that we've been made aware of proof of concept code published publicly affecting Microsoft Office 2003 PowerPoint. We are currently investigating this report. The reported proof of concept may allow an attacker to execute code on a user's machine by convincing them to open a specially-crafted PowerPoint file. We are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. As part of our investigation, we are working with our MSRA partners to monitor and secure the ecosystem," she said.

Secunia rated this flaw "highly critical," saying that "the vulnerability is caused due to an unspecified error when processing PowerPoint presentations." I guess Microsoft hoped to have a calm Monday, but if it isn't Windows, it must be something else. This time it is PowerPoint's turn to cause a headache for the giant.

On Tuesday, the European Commission issued a warning to the giant, saying that allowing developers to access the kernel of 64-bit versions of Vista does not mean that the European release of the operating system is already approved. "The European Commission has been informed of Microsoft's intention to deliver its Vista operating system worldwide, with no delay in Europe. The Commission has not given a 'green light' to Microsoft to deliver Vista because, as the Commission has consistently stated, Microsoft must shoulder its own responsibilities to ensure that Vista is fully compliant with EC Treaty competition rules and in particular, with the principles laid down in the March 2004 Commission anti-trust decision concerning Microsoft (see IP/04/382 and MEMO/04/70). In line with the Commission's obligations under the EC Treaty and its practice, the Commission will closely monitor the effects of Vista in the market and, in particular, examine any complaints concerning Vista on their own merits," the statement said.

On Wednesday, Yahoo released an optimized version of Internet Explorer 7, "an example of the way other companies can customize the new browser," as Microsoft said.

"Optimized for Yahoo!, with: 2 home pages: Yahoo! & Yahoo! News; Yahoo! Search as your default; Yahoo! Toolbar. Additional features of IE 7: Simpler to get around with a new streamlined design; Faster and more organized surfing with Tabs; Keep your IE6 favorites and bookmarks - they'll come along with you," the website states. This version of the browser contains several tweaks, the most important being that "favorite Yahoo! services are 1 click away".

On Thursday, the giant published documents for developers explaining how to create products that follow the privacy rules. "Failing to protect customer privacy can lead to an erosion of trust. Over the last several years, Microsoft has established extensive internal guidelines for developers that help them protect customer privacy, give them a view into customer expectations and global privacy laws, and document the hard lessons we've learned. These guidelines have been engrained in our development process and are now incorporated into the Security Development Lifecycle (SDL). The impact has been felt across Microsoft's products and services. In response to requests from customers, partners, ISVs, educators, advocates, and regulators, we created a public set of privacy guidelines for developing software products and services. These guidelines are based on our internal guidelines and our experience incorporating privacy into the development process. By documenting our principles, we hope to help anyone building products and services to meet customer expectations and deliver a more trustworthy experience. As the threat landscape escalates, customers are feeling less able to control access to their personal information, so consumer trust is waning. As an industry, we need to set a high bar for respecting customer privacy, to help build greater trust in the Internet and e-commerce. We want to foster an open dialogue with others in the industry so we can build a common set of privacy best practices to help meet our privacy obligations and increase customer trust. We are pleased to offer our guidelines as a starting point to accelerate this effort," the website states.

On Friday, the giant tried to clarify a vulnerability reported in Internet Explorer 7, just a few days after its official release.

"We've gotten some questions here today about public reports claiming there's a new vulnerability in Internet Explorer 7. This is an issue that we have under investigation and so we have some technical information we can share about the issue. These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express. While we are aware that the issue has been publicly disclosed, we're not aware of it being used in any attacks against customers. We do have this under investigation and are monitoring the situation closely and we'll take appropriate action to protect our customers once we've completed the investigation. I hope that helps to clarify," said Christopher Budd in his blog.

Week's Conclusion:

Vulnerability on Monday, security flaw on Friday? Even though they were not confirmed, these flaws are dealing a powerful blow to the giant's image, right when the company is preparing for the big launch of Windows Vista.
