Week in review: Oops, Microsoft did it again

The software giant acknowledges twice in one week that it had underestimated threats posed by software flaws, raising more criticism of the company's security policies.

Steven Musil Night Editor / News
Microsoft acknowledged twice in one week that it had underestimated the threats posed by two different software flaws, raising more criticism of the company's security policies.

The software giant said it plans to change the severity rating of a vulnerability in software common to Internet Explorer and other Windows applications from "important" to "critical." The move was prompted by an in-depth analysis written by the security researchers who found the flaw.

The advisory originally said the vulnerability could be used only to make Internet Explorer fail. However, after two weeks of research, security firm eEye Digital Security warned PC users that the flaw, which occurs in the handling of the open-source image format PNG (portable network graphics), could enable malicious programs to run on the victim's system.

Late last week, Microsoft raised its threat rating for a security flaw in its Internet Explorer browser to "critical," in response to criticism of its initial assessment of the hole's danger. A Microsoft representative said the company had changed its original rating of a flaw in IE versions 5.5 and 6 as a result of comments posted to the Bugtraq online bulletin board by a security consultant.

The first security hole exposed millions of Web servers and PCs to potential hacking. That flaw likely affected the more than 4 million Web sites using Microsoft's Internet Information Server software.

Microsoft also warned of eight flaws in its version of the Java virtual machine, the worst of which "could enable an attacker's Java applet to gain control over another user's system," according to the alert. The malicious program could let an attacker add, delete or change data on the victim's computer as well as run programs.

Certainly mistakes are bound to occur when writing software, observers say. But Microsoft says a research firm is very mistaken when it predicts that the growing popularity of Linux will force the software giant to bring its software to the Unix clone starting in late 2004. Microsoft, which has no love for Linux technology and its open-source philosophical underpinnings, quickly dashed cold water on the report.

'Tis the season to shop online
Online retailers bagged big gains to start off the holiday shopping season, with U.S. consumers spending $6.2 billion online in November, up 22 percent from a year ago, according to a new report. Bargain-hunting was a major impetus for online shopping--40 percent of shoppers said that price was a key reason they went online instead of offline.

U.S. consumers spent $2 billion online in the week after Thanksgiving, according to a separate report. That's an increase of 34 percent from a year ago.

With holiday spending in full gear, Google is testing a new service that uses the company's search engine to help shoppers find products online. Dubbed Froogle, the new service lets people search by category or by simply typing a product description into the search window.

Unlike the pages on some portal sites, there's no central shopping cart or wallet, and the company has no special merchant stores. It does allow people to narrow their search by price.

Google's new service will certainly contribute to a quiet revolution that is transforming the way people shop online. A CNET News.com special report shows that the maturing strategies of a few key survivors of the dot-com meltdown are allowing consumers to visit just one or two sites for all their shopping needs.

As a result, after years of experimentation and fierce competition, the business of e-commerce is finally settling into a pattern that will define the online shopping experience of the Information Age. And ironically, today's e-tailing industry has come to mirror its counterpart in the brick-and-mortar world, relying on that most American of consumer institutions: the mall.

Memory loss
Sony is close to unveiling a new, higher-capacity version of its popular Memory Stick removable flash memory card, but sources say it won't be compatible with some older devices. The new Memory Stick uses a different architecture to achieve higher capacities than the original card, so devices should be better able to perform high-end functions, such as playing streaming video.

But to achieve the higher capacity and performance levels, Sony was forced to drop support for some devices built for the current Memory Stick format. It remains unclear what upgrade options will be available to current device owners to make their devices compatible with the new format.

ViewSonic moved to clear up a brewing controversy among customers over the memory capacity of its handheld computer, the company's first device in that niche. The company recently released the V35 Pocket PC device, stating that it came with 64MB of RAM. However, not all of that memory is accessible, as about 27MB is needed for the Microsoft Pocket PC 2002 operating system and software on the handheld.

The oversight caused some long discussions on enthusiast Web sites, such as PDABuzz. "If anyone has purchased a device under the impression that they are getting 64MB, they can return it for a refund," a ViewSonic spokesman said.

Researchers are contemplating a new technology to replace the removable memory being built into millions of consumer devices. So-called flash memory will remain viable for several more years, but researchers anticipate that later this decade manufacturing limitations will force the industry to adopt a new technology.

Flash memory can store data even when batteries are removed from a device, cutting off the power supply. That makes flash an essential feature in millions of cellular phones, handheld computers, digital cameras and music players. Flash is also increasingly finding a home in cars, TV set-top boxes and network equipment.

Also of note
Microsoft released blueprints designed to help technology managers install Windows more efficiently and at a lower cost ... A major cyberterrorism event will occur in 2003, a technology research group predicted, one that will disrupt the economy and bring the Internet to its knees for at least a day or two ... Apple Computer filed a civil lawsuit against a former Apple contractor accused of leaking information about redesigned Power Mac computers released in August ... The FBI plans to launch an online manhunt for an alleged Boston mob boss, in a novel crime-fighting experiment in partnership with Web portal Terra Lycos ... An industry trade group that includes members such as MSN, AOL and Yahoo endorsed a new set of ad sizes that are larger than standard Web banners.