Further to David’s excellent opinion on the recent Internet Explorer vulnerability, I’d like to put forward some additional information for your consideration.
For any business concerned about the efficient and secure functioning of their systems, a regular process of patching and updating software is, unfortunately, unavoidable. In this instance the peice of software that has gained the press coverage has been Microsoft IE, but is next time just as likely to be Firefox, MYOB, Adobe Reader, or any other piece of software in common use. Grassroots IT can certainly help with this, but an acceptance and understanding of this will help put the recent press regarding IE in perspective.
I agree that IE6 must be retired, and not before time. But I do suggest a pinch of salt with the recent hyped up press.
Update: Minor edits to clarify the relevance the security flaw to all versions of IE, not just IE6.
The French and German governments have recently announced that everyone should move away from Internet Explorer. A big call. This announcement has come about because there is a specific security flaw in Internet Explorer which, as highlighted by Google, was used in a very deliberate, highly sophisticated attack, originating from China, to try and access the Gmail accounts of Chinese human rights activists. (For more geeky details on the specifics of the security flaw, head down below to **)
Now, I don’t really like Internet Explorer. I don’t care whether it’s IE6, IE7 or IE8, I don’t like it. In fact, I even agree with the general sentiments put forward by France and Germany when they suggested that people use a different browser… but that’s just my personal opinion. It *is* an insecure browser and there *are* problems with it. Admittedly, Internet Explorer 8 is a significant improvement over earlier versions.
Unfortunately, it’s not as simple as switching to a different browser. As much as I want to say, “Switch to Google Chrome, Mozilla Firefox or even Opera”, a lot of the functionality of your company intranet and SharePoint specifically requires Internet Explorer. Without it, you’ll have a hard time doing anything other than simply looking at pages hosted by SharePoint etc.
Being fair, Internet Explorer isn’t the only web browser that has security issues. Over time, vulnerabilities and security flaws have been and will continue to be discovered in every single web browser available. Switching to a different web browser won’t suddenly make you impervious to attacks from the web. If it did, then there wouldn’t be any need for anti-virus solutions, firewalls or malware removal tools. The fact that these things all exist (and have billions of dollars spent on them annually) are a pretty good indicator that there is more to it than simply switching browsers.
To ensure that your computers are as safe as possible, we deploy and monitor a range of security products including anti-virus solutions, malware detection software, hardware and software firewalls, in addition to keeping all of your systems patched and up to date with Microsoft patches and hotfixes.
If you have any concerns or queries about your system security, please contact us on 1300 554 138 and we’ll be happy to have a chat with you.
**If you want to get your geek on, feel free to continue reading for a bit more of a breakdown of the issue that brought this to light and caused all the fuss. Be warned, it might get a little geeky.
Right, still with me?
Google announced on their blog at 3PM on 12/01/2010 that there had been a security attack originating from China. Within 48 hours, Microsoft had published a security advisory (http://www.microsoft.com/technet/security/advisory/979352.mspx), letting people know that they were aware of the flaw and that they were working on fixing it. Since then, they’ve kept that advisory updated and as of 21/01/2010, they had developed a fix, published it and made it available for download.
Now, you may not be aware of this, but Microsoft normally releases its updates and patches on a specific release schedule. Given the serious nature of this issue, Microsoft chose to release it “out of band”. Meaning that instead of waiting to release it with their next scheduled updates and patches, they released it as soon as it was ready. Now, let’s have a look at the timeline of events:
12/01/2010 – Google announce an attack on their systems using this exploit
14/01/2010 – Microsoft release security advisory acknowledging the problem
15/01/2010 – Microsoft update their advisory with more accurate information following developments in their investigation; The same day, the German Office for Information Security issued a press release advising people to switch to another browser
18/01/2010 – France echoes Germany’s advice that people switch to a different browser
20/01/2010 – Microsoft released details of a work around to avoid the problem until they had finished testing the patch to correct the problem
21/01/2010 – Microsoft released a fix for this security flaw (http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx)
Interestingly, most of the calls we received about this issue have come in since the 21st. So, in essence, by the time people became aware of this and grew concerned enough to contact us, the fix had already been released and been pushed out to the systems under our management. If you currently don’t have a managed support agreement with us and you’re not sure if you have adequate security measures in place, drop us a line or shoot us an email and we’ll be happy to help.
So just as you think you’ve got it all worked out, Microsoft announce a full refresh of the Microsoft Partner program. Of course now it’s going to be called the Microsoft Partner Network, designed to provide more clarity to both partners and clients. I’m thinking it’s a good thing, to be honest. I need to dig in a little deeper to properly understand the changes, but it’s looking good so far.
So what does it mean? It means that partners will need to transition their competencies across to the new system. Check out the transition tool. For clients, it means more value in the partner competencies. Rather than one broad ‘Partner’ level (eg: Gold Partner), which tells you pretty much zero about what the partner is capable of, the new system emphasizes Competencies, allowing much great clarity as to what a partner is actually capable of doing for you.
So SBS 2003 was without doubt a rip snorter of a success story for both Microsoft, and small businesses the world over. With a cracker combination of technologies, it really did lift the bar as far as small business tech was concerned. Now that SBS 2008 is shipping, it will be interesting to see how it goes. To put my thoughts out there, I’m expecting it to a solid, polished product, which provides just as much value as SBS 2003. At this stage, I can’t see any compelling reasons to upgrade from SBS 2003 though, so the uptake I think is going to be slow and gentle (just the way it should be). As SBS 2003 servers come to end of life, and for those businesses not yet on SBS at all, I think the new product will prove to be an excellent choice.
continue
Sigh. Once more the quagmire that is Microsoft licensing drags a solution to a stand-still while we seek clarification. And the (scary?) thing is that you can ask 5 different experts, and get 5 different answers. When you’re putting a solution in for a client, you need to be confident of conforming to all necessary licensing guidelines, and sometimes…well…they just seem to make that bit hard. In particular at the moment we’re structuring an SPLA based solution for a client to better meet their business model. Everything is well sorted except for one…tiny…thing…that could make or break the particular solution we’ve put together. Now of course we have Plan B in place, but we would of course prefer Plan A. I know it’s howling at the moon, but common MS, there must be an easier way.
continue
It’s no secret to anyone who’s attended any form of conference or professional gathering that only about 30% of the value ever comes from the official agenda. It’s the hallway conversations, the shaking of hands, the sharing of meals that produces the real value at these things. Tech.Ed 2008 (Microsoft’s annual parner love-in) this year was definitely no exception. I was lucky enough to find time to get down for the SMB focussed pre-day, not the whole thing, but to be honest, I think that was where the value really was for me. Official presentations were mainly driven by the impending release of SBS 2008 and the new Essential Business Server (EBS) products, and to be fair, there was some really good stuff in there. Even better though was being able to put some faces to names, and really get some proper dialog going with some very sharp individuals. I’d like to think that I’ve got some solid ideas, and no shortage of inspiration from the trip. Now I just need to find time to make some use of them all!
It's Microsoft Partner Roadshow time again, when all of us little Microsoft people lose a day's productive work to sit in a hotel seminar room and bask in the warm glow of the mothership. Now the last few of these MS has copped a hiding for offering sales/marketing blurbs, and not much more. Now given that all of the attendees are MS partners, you can probably safely assume we're up to speed with that stuff, and wanting something meatier. Ie: something more technical. Thus, in exchange for paying real money to attend this time, we were promised what are called Hands-On Labs. Ie: Here's the software. Load it on your laptop, click the buttons, play. So you can imagine how unimpressed everyone was when the very first session was a 3 hour powerpoint slide deck. Groan. The presenter certainly knew his stuff, but that's not the point.
Speak to your audience, Microsoft! Especially when you've asked them to pay for the priviledge, and promised them something they really want. We are technically minded IT business people. We do not want marketing babble. We are not impressed with the glossy stuff. We're here to learn and improve our knowledge, not get sweaty over MS evangelism.
Geez, ain't the roll of a new operating system fun. Oh, yeah, and let's add the roll of a totally new version of office suite, too. Microsoft WIndows XP is now officially 'retired', and Windows Vista is the one. Buy a new machine, comes with Vista. Doesn't matter that half the software out there won't run on Vista (did I mention that?), but at least Vista's pretty. Microsoft Office 2007 is the other new bundle of joy on the block. So Office 2003 has now also been retired from mainstream distribution and Office 2007 has taken it's place (can anyone say "learning curve" ?).
Now I'm sure that in 6 months time both Vista and Office '07 will be great, but until then, Vista only at home, please. Repeat after me… "Vista does not yet belong at the office".