Wednesday, December 24, 2008

MS (finally) confirms unpatched SQL Server flaw

Microsoft came clean and admitted its SQL Server database software is vulnerable to code injection attacks. It's not a new flaw but the same bug in the database software that emerged around the time of Microsoft's monthly Patch Tuesday update earlier this month.

In an advisory, Redmond's security gnomes confirmed that code has been produced that exploits a security bug affecting Microsoft SQL Server 2000, Microsoft SQL Server 2005 and Windows Internal Database, in certain configurations.

On the plus side, Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are immune to the flaw. Third-party apps that make use of the vulnerable code also appear to be in the clear.

The software giant stated that although exploit code exists it hasn't received any reports of attacks. Its advisory contains suggested workarounds.

Microsoft fails to mention this, but Secunia reports that the flaw is the same bug discovered by SEC Consulting, which published an advisory on the security bug on 4 December. SEC Consulting only did this after months of dialogue with Microsoft.

A separate zero-day vulnerability became the subject of an out-of-sequence patch. That flaw is being hit far harder than the SQL server bug, which arguably presents a lower general risk for internet hygiene. Microsoft said it's investigating the SQL Server flaw, which past form would suggest is a candidate for a patch in either January or February as part of Microsoft's regular Patch Tuesday update cycle.

Security flaws in SQL Server are of interest well outside the data centre.

Hackers often use vulnerabilities in database software to plant malicious scripts that hijack internet sessions and serve up exploit code from systems under their control. The tactic forms the basis of drive-by download attacks, a class of assault that has become a preferred distribution route for Trojan code over recent years.

Sun boosts OpenSolaris on Atom

Intel has announced that the OpenSolaris variant of Unix is now better supported on its Atom processors.

The Atom support is being positioned to bring the joys of x64 computing to netbooks and other low-power computing devices, and Atom offers some of the best performance per watt available in processors today.

Sun Microsystems, which largely steers the OpenSolaris effort and will use the distro as the basis of the next generation of Solaris, wants to be among the greenest of IT vendors. It also wants to find a new niche for Solaris, as Linux has done superbly on netbooks this year.

So, Atom support is important for Sun, even if it doesn't mean as much to Intel, which has done quite nicely for itself being a Linux zealot and helping its x64 partners sell against RISC/Unix iron.

Writing in his blog, David Stewart, who manages the OpenSolaris team within Intel's software and solutions group (a team predominantly involved in tuning Solaris for Xeon-class server processors), said that two important Atom features have been put back into OpenSolaris, which allows drivers and other software to be optimized to run on Atom. These features? Performance counters and support for the MOVBE instruction.

While these features seem pretty small on the face of it, the fact that Sun and Intel are working to get OpenSolaris working well on Atom chips means that Sun (or indeed, some other platform maker) has a better chance of creating Solaris-based embedded and consumer devices.

While Linux (of one sort or another) is the default platform for a lot of such devices these days, Solaris is well regarded, rock solid, and has the virtue of being a single distro (so long as you ignore some of the minor ones that have cropped up, such as MilaX, BeleniX, NexentaCP, and SchilliX).

OpenSolaris does boot on Atom-based systems, but sometimes requires some tweaks to the Grub loader to make it happen, because the loader checks for features that other x64 chips have but that are not necessary to run in 64-bit mode on Atom. If you are really bored, you can read about the bug and the workaround here. There are also issues with integrated network interfaces, which you can see here.

These kinds of issues are what made Linux support a problem on the Mini-ITX machines that became all the rage a few years back. That, in part, has resulted in Intel delivering the Atom processors, which the company hopes will displace the x86 and x64 processors made by VIA Technologies and popularized in the Mini-ITX, Nano, and Pico platforms.

These VIA boards are getting smaller and more powerful, and they embody some pretty clever engineering, too. I have personally built and put into production Mini-ITX servers using laptop disk drives because of their low power consumption. But Windows works out of the box - believe it or not, even Enterprise Server 2003 and Small Business Server R2, which I have in production now on a bunch of machines.

While Novell's SUSE Linux Enterprise Server has worked fine on these machines, the embedded BIOS-style RAID disk controllers don't work, which is a problem.

Small footprint, small start

In short, Sun has to do a lot more than get two key features on Atom chips working with OpenSolaris to be a viable alternative to Windows or Linux on any Atom-based platform. Getting the operating system to load is not as useful as having all of the features of myriad boards and systems fully supported in the operating system.

And, if Windows and Linux do a better job at this, they win and Solaris - open or otherwise - will lose. There are a lot of embedded systems and non-standard ATX and Micro-ATX motherboards out there using other processors aside from the standard desktop and server chips from Intel and AMD.

OpenSolaris support has to be broad as well as deep to compete, and with Sun not sure how to make money in its core markets, the company doesn't appear to have the dough to invest to make this happen.

And even if it did, it is not clear where the money is to be made in such devices. How much money has Sun made because Java is in cellphones and on hundreds of billions of desktops? See what I mean?

All that said, every new thing that the OpenSolaris community can make the operating system run on is a good thing for the Solaris ecosystem. This is how Linux got to where it is today. One platform at a time.

Google Hands Out Phones, Not Cash, as Holiday Bonus

While Internet search giant Google handed out cash to employees last year, the company is scaling back and giving its workers a different kind of gift this holiday season.

Google is giving its employees a taste of its own Kool-Aid by passing out Android-based mobile phones to at least 85 percent of employees, a person described as "familiar with the matter" told Bloomberg News.

"The current economic crisis requires us to be more conservative about how we spend our money," Google said in an internal memo that was posted on technology industry blog Valleywag.com.

Because the phone will not work in more than a dozen countries, including Turkey, Kenya, Brazil, Russia and India, Google is instead giving $400 to employees in those countries, which is the cash value of the phone.

Cash-Strapped or Celebration of Android?

Gone are the days of huge cash bonuses and all-expenses-paid holiday weekend trips to the Caribbean.

Instead, companies are finding ways to cut costs, making drastic changes including cutting thousands of jobs, cutting back on plans to expand, and spinning off other businesses in order to turn around a profit for shareholders -- and in an effort to stay afloat.

Adobe Systems, Viacom, AT&T and Circuit City are just some of the companies that have cut between 600 and 5,000 employees in recent weeks.

Google, while successful, has also felt the pinch of the economic downturn and has also had to scale back. Last month, the company quietly cut a reported 3,000 contract positions.

So Google's explanation behind its move should not be shocking to employees.

"Some of you will of course be wondering why we decided to change from a cash bonus to the Dream phone," Google states in the posted memo. "Here are the reasons: First, we've never developed anything like the Android software before and this represented a unique opportunity to celebrate that achievement."

"Googlers globally have been asking for the Dream phone, and we're looking forward to seeing all the different things that you do with them," the company said. "This is a chance for us to once again dogfood a product and make it even better! We felt that giving the Dream phone would be a great holiday present -- something we could all celebrate."

Bloggers React

Bloggers are fired up about Google employees who are not gracious about receiving the mobile phone as a bonus.

Bloggers say Google employees should be happy that they are receiving a bonus in such hard economic times and should be thankful that they are not being sent home for the holidays with a pink slip, as many in the technology industry have in recent months.

NPR launches features to build custom podcasts

Still can't decide among the hundreds of podcasts that National Public Radio makes available over the Internet?

Now you can create your own.

A new feature NPR launched this month lets listeners create custom podcasts blending individual audio reports on any topic or keyword.

Rather than have NPR editors, say, choose five or six stories for its movies podcast, you can create your own for just Christmas movies. Simply type the topics or keywords into the appropriate boxes at http://npr.org/podcast, and the site generates a link that you can plug into Apple Inc.'s iTunes or other podcast-supporting software.

The custom podcast can be hit or miss, though.

An attempt to create one on the hit TV show "Gossip Girl" returned several off-topic audio reports, including one on landscaper Christy Webber.

5,000-10,000 new Twitter accounts a day: study

Micro-blogging service Twitter is gaining 5,000 to 10,000 new accounts a day and most of its users have joined this year, according to a study released on Tuesday.

Internet marketing company HubSpot, in a "State of the Twittersphere" report, said 70 percent of the estimated four to five million people using Twitter have signed up in 2008 and 20 percent have joined in the last 60 days.

It said the average user has been on the real-time short-messaging service for about 275 days.

"A year ago Twitter was a relatively small community of techies and Web 2.0 geeks, now it is going mainstream," the report said.

"Twitter is not only being talked about and used by a lot more people, but more and more marketing industry events and conferences are using Twitter as a standard means of communication," it said.

HubSpot said 35 percent of Twitter users have 10 or fewer "followers" -- people who subscribe to receive their 140-characters-or-less messages -- while nine percent of Twitter users follow no one at all.

The average number of followers for a Twitter user is 70, it said, and the average person follows 69 people.

The report said Twitter traffic was the highest on Wednesdays and Thursdays and dropped off by about 30 percent over the weekend.

Launched in August 2006, Twitter has been embraced by a number of celebrity users including Barack Obama, who racked up more than 150,000 followers during the US presidential campaign, and four-time NBA champion Shaquille O'Neal of the Phoenix Suns.

Twitter users have also made news recently by providing lightning fast on-the-scene updates from events such as the Mumbai terrorist attacks.