Microsoft preps XP push, mulls Longhorn ‘priorities’

With a long-awaited security update to Windows XP now complete, Microsoft is preparing a holiday season push for the 3-year-old operating system, and is set to revisit ambitious plans for the next major revision, News.com has learned.

That revision, code-named Longhorn, one of the most difficult and complicated in the company’s history, has fallen further behind this year, as Microsoft shifted developers from the project and onto Windows XP Service Pack 2, which took longer than expected. Now the company faces the task of getting Longhorn under control and making XP seem fresh during a longer-than-usual wait between OS updates.

“SP2 was a major milestone for the Windows development team,” the company said in a statement Wednesday to CNET News.com. “Now that it has been released, it is a natural time to revisit Longhorn priorities.”

With SP2 shipped and Longhorn still in development, Microsoft faces three major challenges: how to market XP this holiday season, what to do in the years before the next major OS release, and what changes to make to Longhorn, if any, to ensure a timely update.

The answers could have a significant effect on consumers, partners and even investors, since Microsoft dominates its industry. Although the technology behind Longhorn has drawn praise, the long wait for the update has raised some concerns. Major partners, including Intel, have worried about the lag time between major OS updates.


Many investors have expressed concern about whether Microsoft can release new software fast enough to spur the company’s growth, as well as that of Microsoft-dependent technology companies. In the meantime, Linux providers and other companies with innovative technology, such as Google, are making inroads.

Although Microsoft Chairman Bill Gates was enthusiastic when unveiling an early version of Longhorn at a developer event last October, he has been largely mum in recent months. “We’re not saying much new about Longhorn today, it’s fair to say,” Gates told financial analysts during a meeting last month at Microsoft headquarters.

Even though Gates and CEO Steve Ballmer were coy with Wall Street, Longhorn is a key part of the company’s financial future. Windows is one of Microsoft’s main profit centers, and the company had planned to tie other software, including the next update of Office, to Longhorn’s release. Microsoft has already scaled back those plans, however, saying for example that the next version of Office will work with older versions of Windows as well.

As for Longhorn’s rollout, Microsoft said in April that it had pushed out the target for the software until the first half of 2006. A test version of the software has also been delayed until next year.

Matt Rosoff, an analyst with Directions on Microsoft, said: “2006 is what we’re predicting” for the final release. “It’s conceivable it could slip further.”

For now, Microsoft is preparing a slew of new consumer products and services designed to spur sales of Windows XP, which debuted in October 2001.

Entertainment center
The company is focused on making the PC more of an entertainment hub. Apple Computer has invigorated its own sales with its “digital hub” plan, and Windows-based PC makers are selling everything from plasma televisions to portable media devices. Hewlett-Packard, for example, is expected to soon unveil an HP-branded iPod.

For its part, Microsoft will soon announce its MSN Music download store and Windows Media Player 10, a new version of its jukebox software. The company also has been quietly preparing an update of Windows XP Media Center edition, an entertainment-themed version of the OS that allows consumers to watch videos and view pictures via a remote control.

Microsoft started testing the new version, code-named Symphony, early this year. The company has sent the finished software to computer makers, with a goal of having the new version of Media Center in PCs by October, according to a PC industry source. Microsoft declined to comment on this.

Besides enhancing the user interface, Microsoft is considering two steps aimed at making the Media Center edition of the OS more widely adopted: lowering the price it charges PC makers for the software and removing the requirement that it ship with a TV tuner, an industry source said.

All past Media Center-based PCs have included a TV tuner and promoted TiVo-like recording as a key feature. Making the TV-recording feature optional would allow PC makers to sell machines equipped with Media Center for less than $800, a price that could generate more demand.

The new version of Media Center will coincide with a marketing campaign called “Windows XP Reloaded,” which promotes numerous products that are debuting this year as reasons to buy a Windows XP computer. These are expected to include Windows Media Player 10 and two peripherals tied to Media Center. One is the Portable Media Center, a handheld that plays music, pictures and recorded TV, downloaded from a PC. The other is a set-top box, known as Media Center Extender, that allows consumers to watch videos and TV shows in the bedroom while the Media Center PC is in the den.

Longhorn’s long journey
Beyond sprucing up Windows XP with more advanced multimedia features, Microsoft has to complete a road map for Longhorn and decide what to do further with XP before the next major OS update. Microsoft has already scaled back its Longhorn ambitions. In April, the company said it would trim Longhorn around the edges, hoping to allow the OS to ship by 2006.

Other companies, such as Apple, have tried to update their operating systems with smaller, more frequent revisions. Apple has been averaging roughly one new release of the Mac OS X per year since the first version debuted in 2000. The latest edition, Mac OS X 10.3 Panther, shipped in October 2003, while “Tiger,” with its improved search capabilities, is due out in the first half of next year.

With Longhorn, Microsoft has been planning three major changes to the way Windows works: a new file system known as WinFS, a new graphics and presentation engine known as Avalon, and a Web services and communication architecture dubbed Indigo. Such a major overhaul is difficult for Microsoft, with its need to ensure compatibility with thousands of existing software programs, not to mention myriad peripherals and other devices. In the past, the company has had to scale back or scrap some ambitious efforts, such as the ill-fated Cairo release of Windows in the mid-1990s.

Microsoft fixes remote code execution flaw in Exchange 5.5 OWA

For its regular monthly security announcement in August 2004, Microsoft released only a single Security Bulletin, MS04-026, “Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks.” This vulnerability, which could allow a remote attacker to run arbitrary code on a compromised system, has also been assigned the MITRE candidate ID CAN-2004-0203.


Details

There hasn’t been any proof of concept published for this vulnerability, and the threat itself wasn’t made public before the Security Bulletin and patch were released by Microsoft.

The vulnerability itself is due to a weakness in the way Outlook Web Access validates the https: redirection query input it receives, and the update corrects this flaw. Microsoft reports that the same weakness may also allow spoofed data to be inserted into Web browser caches and intermediate proxy server caches.
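The flaw class described above is a redirect parameter that is not validated strictly enough, so attacker-chosen input ends up in a redirect and in caches. The following is an added example of the kind of validation a defender would want on such a parameter; it is illustrative Python, not OWA's code, and the hostname `mail.example.com` is an assumed placeholder for the server's own name. It only ever produces an https URL on the server's own host (or nothing), rejects other schemes and hosts, protocol-relative and userinfo tricks, and header-injection characters, and percent-encodes the path and query so the result is safe to echo.

```python
from urllib.parse import urlsplit, urlunsplit, quote

# Assumed placeholder: the OWA server's own hostname(s). Only these may
# appear as the host of a redirect target.
ALLOWED_HOSTS = {"mail.example.com"}


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS):
    """Return a validated https redirect URL on our own host, or None.

    None means "do not redirect to this"; the caller should fall back to a
    fixed default page rather than to the raw input.
    """
    if not raw:
        return None
    # CR, LF and NUL would let the value break out of the Location header.
    if any(ch in raw for ch in "\r\n\x00"):
        return None
    # "//evil" is protocol-relative (a different host); backslashes are
    # treated as slashes by some browsers, so refuse them outright.
    if raw.startswith("//") or "\\" in raw:
        return None

    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    canonical_host = sorted(allowed_hosts)[0]

    if scheme == "":
        # Scheme-less input: accept only an absolute path on this server.
        if not raw.startswith("/"):
            return None
        host = canonical_host
    else:
        # Absolute URL: only https, only our own host, no user:pass@ prefix.
        if scheme != "https":
            return None
        if parts.hostname is None or parts.hostname not in allowed_hosts:
            return None
        if parts.username or parts.password:
            return None
        host = parts.hostname  # urlsplit already lower-cases this

    # Encode anything that is not plain path/query syntax so the value is
    # harmless if it is later reflected into HTML or a cached page.
    path = quote(parts.path or "/", safe="/%")
    query = quote(parts.query, safe="=&%")
    # The fragment is dropped: it is never sent to the server anyway.
    return urlunsplit(("https", host, path, query, ""))


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for candidate in ["/exchange/inbox?folder=Inbox",
                      "https://MAIL.example.com/exchange/",
                      "https://evil.example/owa",
                      "javascript:alert(1)",
                      "//evil.example/",
                      "/x\r\nSet-Cookie: a=b"]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

The design choice worth noting is the allow-list: rather than trying to enumerate bad prefixes, the function constructs the output URL itself from a fixed scheme and a fixed host, so the only attacker-controlled parts that survive are an encoded path and query.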

MBSA (Microsoft Baseline Security Analyzer) version 1.2 or later will identify this vulnerability, and SMS (Systems Management Server) will deploy this fix. MS04-026 replaces the patch provided in Microsoft Security Bulletin MS03-047.

Applicability

This vulnerability is found only in Exchange Server 5.5. Exchange 2000 Server and Exchange Server 2003 are not vulnerable.

Risk level – Moderate

Microsoft rates this as only a moderate threat because the at-risk service isn’t used in all Exchange installations, and the threat hadn’t been disclosed until now. However, it’s important to remember that the Microsoft ratings are not simply a measure of how much damage the vulnerability can cause if exploited. Any remote code execution threat is critical if your system is vulnerable, so this threat poses significant risk to those organizations that are running OWA on Exchange 5.5.

Mitigating factors

Using SSL connections would eliminate this threat because the data will be encrypted and not cached on proxy servers. Also, if you block anonymous access to OWA, only authorized users can take advantage of this exploit.

Fix – Apply patch

You will need to have Exchange 5.5 Service Pack 4 installed before applying the provided patch.

If Outlook Web Access is not needed, then you can simply remove it, which will mitigate this threat. See Knowledge Base Article 290287 for detailed instructions.

Another workaround is to disable OWA via Exchange Administrator. You need to do this for each Exchange site.

Final word

I have long felt that Microsoft should use a different vulnerability rating system that explicitly shows all the separate factors Microsoft uses to rate a threat. The overall rating we see today is simple but really doesn’t convey much information. If you don’t have an affected component installed, then your risk level is zero; but if you do have a vulnerable system, then the threat level may easily be critical, while the same vulnerability gets an overall rating of moderate.

Here is an example of individual vulnerability ratings based on various considerations:

* Exploit danger: CRITICAL
* Proof of concept published: LOW (if not published)
* Exploit seen: LOW (if not seen in wild)
* Number of potentially affected systems: LOW
* Risk if best practices followed: LOW
* Overall risk: MODERATE

This is the type of system that I would recommend Microsoft adopt for rating its vulnerabilities.
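To make the point concrete, here is an added Python illustration of the factor-based rating proposed above, applied to MS04-026 using the applicability and mitigation statements from this article (Exchange 5.5 only, OWA must be present, SSL and blocking anonymous access as mitigations). It is not Microsoft's rating method and not part of the original article; the host inventory is constructed, and the factor values are the ones listed above. The blended "overall" rating is carried as a given, since the article proposes no formula for it; what the code derives is the rating that actually applies to each host.

```python
# Severity levels, least to most severe. "NONE" covers hosts where the
# affected component is absent, which a blended rating cannot express.
LEVELS = ("NONE", "LOW", "MODERATE", "IMPORTANT", "CRITICAL")

# The per-factor ratings for MS04-026 as listed in the article.
MS04_026_FACTORS = {
    "exploit_danger": "CRITICAL",
    "proof_of_concept_published": "LOW",
    "exploit_seen_in_wild": "LOW",
    "affected_population": "LOW",
    "risk_if_best_practices_followed": "LOW",
    "overall": "MODERATE",
}

# Constructed inventory for illustration; these are not real hosts.
INVENTORY = [
    {"name": "ex55-owa", "exchange_version": "5.5", "owa_enabled": True,
     "ssl_only": False, "anonymous_owa": True},
    {"name": "ex55-ssl", "exchange_version": "5.5", "owa_enabled": True,
     "ssl_only": True, "anonymous_owa": False},
    {"name": "ex55-noowa", "exchange_version": "5.5", "owa_enabled": False,
     "ssl_only": False, "anonymous_owa": False},
    {"name": "ex2003", "exchange_version": "2003", "owa_enabled": True,
     "ssl_only": False, "anonymous_owa": True},
]


def host_risk(host, factors=MS04_026_FACTORS):
    """Rating that applies to one host, derived from the separate factors.

    Applicability first: only Exchange 5.5 with OWA installed is affected.
    Then the mitigations the bulletin names: SSL-only access with anonymous
    OWA access blocked is treated as "best practices followed".
    """
    if host["exchange_version"] != "5.5" or not host["owa_enabled"]:
        return "NONE"
    if host["ssl_only"] and not host["anonymous_owa"]:
        return factors["risk_if_best_practices_followed"]
    return factors["exploit_danger"]


def triage(inventory, factors=MS04_026_FACTORS):
    """Return (name, rating) pairs, most urgent first."""
    rated = [(host["name"], host_risk(host, factors)) for host in inventory]
    return sorted(rated, key=lambda pair: LEVELS.index(pair[1]), reverse=True)


def factor_report(factors):
    """Render every factor on its own line, so none is hidden by the blend."""
    width = max(len(name) for name in factors)
    return "\n".join(f"{name.replace('_', ' '):<{width}}  {level}"
                     for name, level in factors.items())


if __name__ == "__main__":
    print(factor_report(MS04_026_FACTORS))
    print()
    for name, rating in triage(INVENTORY):
        print(f"{name:<12} {rating}")
```

Run against the constructed inventory, the same bulletin comes out as CRITICAL for the exposed Exchange 5.5 server, LOW for the one behind SSL with anonymous access blocked, and NONE for the host without OWA and the Exchange 2003 host, which is exactly the spread the single "Moderate" label hides.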

Also, I think it’s important to remind administrators, at least once every year, just how much confidence Microsoft places in these patches and the associated Knowledge Base articles. I have no inside information, but I can read the disclaimer that you will find at the bottom of Security Bulletins:

“The information provided in the Microsoft Knowledge Base is provided ‘as is’ without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages.”

Now, I’m certainly not a lawyer and have no ambitions in that area, but I do know what “as is” means when you buy a used car. It’s also important to note that Microsoft disclaims responsibility for “any damages,” even if Microsoft knows that there is a possibility of such damage.

In other words, always remember that you are on your own when it comes to making sure these patches work right, and that installing them won’t end up breaking something else on your network.