SANS solves mystery of mass Web site infections
The SANS Institute has uncovered what it calls a "rare gem" of a computer security investigation, one that sheds new light on how up to 20,000 Web sites have been hacked since January. Researchers found a sneaky software tool that uses Google's search engine to hunt for Web sites running certain kinds of vulnerable applications, wrote Bojan Zdrnja on the institute's blog. "While we had a general idea about what they do during these attacks, and we knew that they were automated, we did not know exactly how the attacks worked, or what tools the attackers used," Zdrnja wrote. When the tool finds a site that is vulnerable, it kicks into action. "The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site," Zdrnja wrote. That SQL statement was crafted to target Web sites running Microsoft's Internet Information Server and SQL Server. Once compromised, the Web sites were rigged to serve malicious software to visitors using JavaScript, which tried various exploits based on known software vulnerabilities. Among the malicious programs served up was a password-stealing program for the game "Lord of the Rings Online," security vendor McAfee said last month. SANS said the tool also reports back to a server based in China, a feature that may be used to count infections so that the person using the tool can get paid, Zdrnja wrote. The tool may have other functions, but SANS is still analyzing it. Among the victims of these attacks were the Web sites of security vendor Trend Micro and of CA.
Thu Apr 17, 2008
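A check a site operator can run after reading the SANS item above, added here as an example and not part of the original report or of SANS's analysis: the injected payload surfaced as a <script src=...> tag inside content that was otherwise legitimate, so flagging script tags that load from a host other than the site itself (or an explicitly trusted third party) finds the infection without knowing the attacker's host names in advance. The sample pages below are constructed, and the reserved example.com and .invalid names stand in for real sites.

```python
"""Flag <script src=...> tags that point off-site, the footprint the mass
SQL-injection campaign left behind: the tag was appended to database-backed
text, so it surfaced in every page rendered from that text.

Added example, not SANS's or the attackers' code. Sample pages and host
names below are constructed (RFC 2606 reserved names)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptSrcCollector(HTMLParser):
    """Collect every <script src=...> together with the line it sits on."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # list of (src, line_number)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                # getpos() is still at the start of this tag inside the callback
                self.scripts.append((value.strip(), self.getpos()[0]))


def find_foreign_scripts(html, site_host, allowed_hosts=()):
    """Return (src, line) for script tags whose host is neither the site itself
    nor an explicitly allowed third party. Relative URLs are same-origin and are
    skipped; scheme-relative ("//host/x.js") and absolute URLs are resolved to a
    host name and compared case-insensitively."""
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    parser = _ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    foreign = []
    for src, line in parser.scripts:
        host = urlparse(src).hostname  # None for relative URLs
        if host and host.lower() not in trusted:
            foreign.append((src, line))
    return foreign


def scan_pages(pages, site_host, allowed_hosts=()):
    """Map page name -> list of foreign script sources, for pages with hits only."""
    report = {}
    for name, html in pages.items():
        hits = find_foreign_scripts(html, site_host, allowed_hosts)
        if hits:
            report[name] = hits
    return report


# Constructed sample pages. product.html mimics an infected page: the tag was
# appended to a text column, so it shows up inside the body after the content.
SAMPLE_PAGES = {
    "index.html": (
        '<html><head><script src="/js/site.js"></script></head>\n'
        "<body><p>Welcome</p>\n"
        '<script src="https://cdn.example.com/lib.js"></script></body></html>\n'
    ),
    "product.html": (
        "<html><body>\n"
        "<p>Widget, model 3.</p>\n"
        '<p>In stock.<script src="http://example-malicious.invalid/b.js"></script></p>\n'
        "</body></html>\n"
    ),
}

if __name__ == "__main__":
    report = scan_pages(SAMPLE_PAGES, "www.example.com", ["cdn.example.com"])
    for page, hits in report.items():
        for src, line in hits:
            print(f"{page}:{line}: foreign script {src}")
```

Run it against a crawl of your own site (or against the text columns dumped from the database, which is where the tag actually lives); anything it reports that is not in your allow-list is either an undocumented third-party dependency or the injected tag, and both deserve a look.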

Forrester's advice: Don't skip Vista
Companies should think twice about skipping Windows Vista and should start sooner rather than later on updating their client desktops to the latest Microsoft operating system, according to an independent report from Forrester Research. The report, "Building the Business Case for Windows Vista," says there are a number of reasons to upgrade now, even if skipping Vista and waiting for Windows 7 may seem like a viable option. The firm has issued a second report, "Lessons Learned from Early Adopters of Windows Vista," to show how some users have handled migrations. Forrester lays out five reasons companies should begin upgrading soon, including the fact that there are few viable alternatives, given the depth of Windows penetration in the enterprise. The research firm says its hardware surveys show Windows is the operating system on 99 percent of PCs in North America and Europe, and on 97 percent of PCs in small businesses. Benjamin Gray, author of the report, notes that while Apple's Mac OS and Linux are enjoying renewed visibility, switching thousands of users from Windows to another platform is not a workable solution for the majority of companies. In addition, users need to stay current with Microsoft and independent-software-vendor (ISV) support of Windows operating systems, he says. Forrester cites the expiration milestones for extended support and security patches on Windows 2000 and XP, and the fact that Windows 7 isn't expected to ship until 2010 at the earliest, as reasons to keep the desktop operating system current. Two other reasons for a prompt migration to Vista are the probable unavailability of Windows XP after June 30, 2008, and uncertainty around Windows 7.
Microsoft has already extended the XP deadline once, and Forrester predicts it will not do so again. The report also says uncertainty around the availability and feature set of Windows 7 is a red flag for those looking to skip Vista. Finally, the report says Vista has valuable features and functions, such as security and user enhancements, citing the opinions of early adopters Forrester surveyed. Those early adopters also reported on their overall migration experience, confirming that compatibility issues are still their No. 1 headache; nevertheless, they found workarounds for most of their issues, according to the survey. Forrester recommends that users tie upgrades to PC refresh cycles, make sure desktops have 2GB of memory and limit upgrades to PCs that are less than 18 months old. Companies also should use the Windows Vista Hardware Assessment tools, which are free from Microsoft, and rely on stopgap measures, such as client and application virtualization, in the short term. They also should press their ISVs for Vista compatibility. The report noted that early adopters relied heavily on Microsoft's free Application Compatibility Toolkit and their existing client-management suites to discover Vista compatibility issues. Forrester also recommended reworking software developed in-house to align with Vista and carefully configuring Vista's User Account Control feature to avoid problems for users. Network World is an InfoWorld affiliate.
Thu Apr 17, 2008

Apple takes 6.6 percent of U.S. PC market
The latest research from Gartner and IDC is in, and it confirms a growing market share for the Mac, reaching 6.6 percent by one count. Both reports confirm that Apple's U.S. Mac business outgrew the overall U.S. PC market by a significant margin in Q1 2008. While the global PC market grew 14.6 percent, overall growth in the U.S. was just 3.5 percent, and Apple outgrew both. Gartner pegs U.S. Mac shipments as up 32.5 percent; IDC offered a more conservative assessment, pegging growth at 25.1 percent. Either way, Apple outgrew the market. Dell was the only other company to post double-digit growth, at about 15.6 percent for the quarter. Apple's success means it now holds around 6 percent of the U.S. computer market: Gartner puts Apple at 6.6 percent, while IDC puts it at 6 percent. Apple reportedly shipped in excess of 1.01 million Macs in the U.S. in the quarter and saw "decent growth" in the professional market. On a global basis, Apple's market share remained under 4.3 percent. Macworld UK is an InfoWorld affiliate.
Thu Apr 17, 2008

Apple patches $10,000 prize-winning bug
Apple has issued a security patch for its Safari Web browser, fixing the flaw that earned one security researcher $10,000 at the CanSecWest security conference. The flaw was exploited by Charlie Miller, a researcher at Independent Security Evaluators, to gain access to a MacBook Air three weeks ago. It lies in WebKit, the open-source HTML rendering engine used by Safari and several other Mac OS X programs, specifically in the way WebKit processed certain specially crafted JavaScript commands. To exploit the flaw, Miller first had to get the contest organizers to visit a Web site containing his malicious JavaScript code. There was one other winner in the CanSecWest PWN 2 OWN contest, which invited hackers to try to break into Windows, Mac and Linux computers: Shane Macaulay, a researcher with the Security Objectives consultancy, hacked into a Vista machine using an Adobe Flash Player bug, which was patched last week. WebKit is also part of Apple's Dashboard and Mail software. An Apple spokesman could not say whether users of those products were also at risk from this attack. In an e-mail interview, Miller said anything that used an older version of WebKit would be vulnerable, which might include Linux browsers and mobile-phone browsers. A second WebKit flaw, patched Wednesday, could lead to a cross-site scripting attack, in which an attacker can do things such as steal a victim's login credentials or log the victim's keystrokes. Both the Windows and Mac OS X versions of Safari are vulnerable to these WebKit flaws, Apple said in its security advisory. The Safari 3.1.1 update also includes fixes for a pair of Safari-for-Windows vulnerabilities that could be exploited to run unauthorized software on a victim's computer and to make a fake phishing Web page appear to have a legitimate Web address.
Thu Apr 17, 2008

Curl debuts its RIA features for Ubuntu Linux
Curl announced Wednesday support for Ubuntu Linux, which will allow desktop Ubuntu users to see Curl-enhanced Web content on their computers without having to manually configure a player. The RIA (rich Internet application) vendor said the Ubuntu Installer for its Curl 6.0 platform also provides tools for Web developers to create rich Internet content that will be viewable to Ubuntu users. Bert Halstead, chief architect at the Cambridge, Mass.-based company, said Ubuntu desktop users can download the Curl runtime environment for free to enable their computers to properly render Curl-enhanced code when viewing Web pages. "It gives Ubuntu users the ability to see Curl content in the way it is meant to be seen," with enhanced features, Halstead said. The new installer supports Ubuntu 7.10 and is expected to also work with the upcoming 8.04 release, he said. Curl already supports Red Hat 9 Linux, SUSE Enterprise Linux 9, and Turbolinux 10 and 11, as well as Microsoft Windows XP and Vista. There are also beta versions for Mac OS X on PowerPC and Intel processors. Curl's RIA platform competes with Adobe's AIR/Flex, Microsoft's Silverlight and Ajax. Richard Monson-Haefel, Curl's vice president of developer relations, said Curl allows developers to write their code once and have it rendered properly on each operating system. "Adding Ubuntu is a big step for us because Ubuntu is the biggest desktop Linux" in use, he said. Because Ubuntu is a Debian-based Linux distribution, any other Debian-based Linux should also work with the Ubuntu installer, he said. The product is free for most users, but there are licensing fees for enterprise users who want to use it internally and for users who charge for their online content.
Thu Apr 17, 2008

Google's Urchin 6 arrives after years-long delay
A major upgrade to Google's Urchin Web analytics server software has finally shipped after a delay of about three-and-a-half years. Urchin 6, originally due in late 2004, is available for purchase from authorized resellers for $2,995, Google announced Wednesday. Google acquired Urchin Software in March 2005 and over the next two-and-a-half years focused most of its attention on the company's Web-hosted product, the free Google Analytics. Unlike Google Analytics, Urchin is designed to be installed on customers' own servers, an option some companies prefer for reasons such as keeping their data on their premises rather than in the vendor's datacenter. As time passed and Google remained mum on its plans for Urchin 6, customers worried that their investment in the software would go to waste and that the product would be discontinued. After all, Urchin 5.0 shipped in mid-2003, and the product had been at version 5.7 since 2005. Prior to Google's acquisition, Urchin Software claimed more than 20 percent of Fortune 500 companies as clients. Google broke its silence about Urchin 6 in October of last year, when it announced that the upgrade would enter beta testing, dispelling concerns about the product's future. At the time, Google said it would change the product's packaging by integrating its components, which had been priced individually, into a single offering with a flat price. Previously, Urchin's core piece cost $895, and its optional modules had different prices, including one that cost almost $4,000. Google will offer version 6.0 free to any customer who bought a support contract for version 5.0. If customers never bought a support contract, Google will apply whatever amount they paid for their Urchin 5 system toward the price of version 6.0, which can make it free in some cases. It's no secret that Google prefers Web-hosted software, and in Wednesday's Urchin 6 announcement it encouraged users to use Google Analytics.
"We continue to recommend Google Analytics for most users and most circumstances, as its marketing-oriented reports are more advanced than Urchin's. You can even use Google Analytics and Urchin together at the same time and have the best of both worlds," reads the posting on the Official Google Analytics Blog. Companies use Web analytics software to track, measure and analyze their Web sites' traffic. This information can help a company decide how to modify its site's layout to increase sales, as well as evaluate the effectiveness of online advertising campaigns. In a related announcement, Google launched its Website Optimizer, previously part of its AdWords service, as a separate product. Website Optimizer, which is free, lets site publishers test how effectively different layout designs engage visitors. The product is available in 27 languages.
Wed Apr 16, 2008

MySQL users mostly unfazed by Sun acquisition
Customers at the MySQL conference this week said Sun's acquisition of the database company could increase MySQL's credibility among senior IT decision makers still skittish about using open-source software. There were some, though, who feared that ownership of MySQL by a traditional IT vendor would diminish growth in the community of MySQL developers, who provide a regular stream of patches and new features for the database. "The main downside is that the community might reject it [Sun's purchase of MySQL]," said Yuriy Demchenko, a database administrator and Web applications developer at a large Canadian telecommunications company. "We'll see if the community continues to grow at the rate it has." Demchenko said his company, which he did not want identified because he is not authorized to speak for it publicly, runs primarily Oracle and IBM's DB2 databases, but his department uses MySQL for "semi-official startup projects" that sometimes end up running in production. He uses the community edition of MySQL "because it's free." The upside of the acquisition is that it will make higher-level executives at the carrier more comfortable with MySQL because it is owned by a big, stable company, Demchenko said. His company already uses Sun servers. Sun closed its $1 billion purchase of MySQL in February and is hosting its first MySQL user conference this week in Santa Clara, California, where it released a near-final version of MySQL 5.1. It has been at pains to emphasize its support for open source and similarities in the companies' cultures, despite their vast difference in size. "Sun has a relatively enlightened attitude to open source, so I don't see [the acquisition] affecting the community too much," said Steffen Higel, a systems engineer with online gaming company DemonWare, which is using a version of MySQL 5.0 to serve up games like Call of Duty 3. 
DemonWare switched from the Ingres database to MySQL about a year ago because it found Ingres "terrible" in terms of support and performance and because Higel and his colleagues had experience with MySQL at a university, he said. It began with the free community edition and switched to a paid subscription after DemonWare was acquired by Activision, Higel said. He is happy with MySQL but would like more backup capabilities, which are not due until MySQL 6.0 later this year. Sun said this week it would delay the final release of MySQL 5.1 by up to three months, but Higel said that's "not a huge deal, there's nothing show-stopping we need." Lionel Beaudet, technical manager for the French division of Virgin Mobile, is more worried by Oracle's acquisition of Innobase than by Sun's MySQL buy. Innobase makes the default transactional storage engine for MySQL, and the Oracle deal has created some uncertainty for MySQL users. MySQL is developing a storage engine for MySQL 6.0, called Falcon, and partners are developing others. Virgin Mobile will test Falcon to see how it performs in case it needs to make a transition, Beaudet said. Marten Mickos, the former CEO of MySQL and now a Sun senior vice president, said MySQL recently renewed its license with Oracle, though he would not say for how long. Another user is WePlayTV.com, a startup that will soon launch a service for building online communities around television programs. The Sun deal is "a good thing, it adds maybe some respectability to the MySQL brand, plus you know now that the company is always going to be there," said Silas Martinez, a systems engineer for WePlayTV. "Some people might be hesitant, but as long as they see that MySQL remains its own entity within Sun, I don't think it will be a problem," he said. WePlayTV picked MySQL for its fast performance and ability to scale at low cost, Martinez said.
His company has a policy to use open-source software because of the lower cost and support from the developer community. He is using MySQL 5.0 and was at the show to evaluate MySQL Cluster. Ron Rosen, founder of online affiliate marketing company MyStoreMaker.com, also cited the low cost of MySQL compared with top-tier databases like Oracle. He favors the acquisition because it will bring stability to MySQL and its product road map, he said. "As long as Sun doesn't do anything crazy, everything should be OK," he said.
Wed Apr 16, 2008

Google Apps hit by session-stealing attack
A security researcher has uncovered a serious flaw in Google Spreadsheets that could give an attacker access to all of a user's Google services. While the bug, an XSS (cross-site scripting) flaw, has now been fixed by Google, it is an indication of the perils that can accompany the growing popularity of SaaS (Software as a Service), according to researcher Billy Rios, who uncovered the problem. Because of the way Google structures its authentication, a single XSS attack can deliver access to all of a user's Google services and documents, Rios said. "With this single XSS, I can read your Gmail, backdoor your source code (code.google.com), steal all your Google Docs, and basically do whatever I want on Google as if I were you," he said in a blog post. The exploit relied on the way Internet Explorer determines the content type of server responses, ignoring the content-type header in certain circumstances. Browsers like Firefox, Opera, and Safari can be made to share the same behavior, Rios said. "Developers need to understand the nuances of how the popular web browsers handle various content-type headers, otherwise they may put their web application at risk of XSS," he wrote. To carry out the attack, Rios injected HTML into the first cell of a table, along with JavaScript designed to display the user's cookie. IE then rendered the content as HTML, allowing the cookie to be viewed. The attack could be delivered via a link to the specially formed spreadsheet, Rios said. "To be fair, Google included a subtle defense to protect against content-type sniffing (padding the response), but those protection measures failed (with a little prodding by me)," he wrote. Rios recently publicized a vulnerability (also now fixed) in Google Code that allowed the theft of passwords. Google Apps began as a set of hosted services, but this month Google began rolling out offline access to them, beginning with the word processor, Google Docs.
Over the next three weeks or so, Google will turn on the feature for all word processor users, giving them the ability to view and edit documents offline. During the same time period, Google Docs' spreadsheet will gain offline ability for viewing, but not editing documents. Google Docs' third component, an application to make slide presentations, will remain for now without offline access. However, Google has plans to extend the offline access to it and to other hosted services in the Google Apps suite, of which Docs is part. Apps also includes Gmail, Calendar, Talk, and others.
Wed Apr 16, 2008
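The Google Spreadsheets item above turns on content-type sniffing: the export was labelled text/plain, but IE inspected the leading bytes, saw HTML and rendered the response as a page, so a script tag in the first cell ran with the user's Google cookies. What follows is an added example, not Google's code or Billy Rios's. It models the sniffing heuristic in a deliberately simplified form (an HTML tag within the first 256 bytes of a text/plain body, the window that IE's documented MIME type detection examines, promotes the response to text/html), shows why whitespace padding protects only against a browser whose window is exactly the one the server assumed, and shows the header-based fix, X-Content-Type-Options: nosniff, which IE8 introduced and every major browser now honours. The spreadsheet rows and responses below are constructed, and the exact conditions under which real browsers discard the declared type are more involved than this model.

```python
"""Model of the content-type sniffing problem behind the Google Spreadsheets
XSS, with the padding defence and the header defence side by side.

Added example, not Google's or the researcher's code. The sniffing rule is a
simplification of Internet Explorer's documented MIME type detection (inspect
the first 256 bytes of a text/plain body and treat it as HTML if they contain
HTML tags); real browsers apply more conditions than are modelled here, so use
this to test your own endpoints' headers, not to predict any one browser."""

SNIFF_WINDOW = 256  # bytes IE's MIME type detection documents inspecting
_HTML_MARKERS = (b"<html", b"<head", b"<body", b"<script", b"<iframe",
                 b"<img", b"<a href", b"<!doctype html")


def declared_type(headers):
    """Media type from Content-Type, parameters stripped, lower-cased."""
    h = {k.lower(): v for k, v in headers.items()}
    return h.get("content-type", "").split(";")[0].strip().lower()


def effective_type(headers, body, window=SNIFF_WINDOW):
    """Type a sniffing browser acts on for this (headers, body) pair.

    window lets you ask what a browser with a larger sniff window would do,
    which is how a padding defence tuned to one browser comes apart."""
    h = {k.lower(): v for k, v in headers.items()}
    declared = declared_type(headers)
    if h.get("x-content-type-options", "").strip().lower() == "nosniff":
        return declared  # browser must honour the declared type, no sniffing
    if declared in ("text/plain", ""):
        head = body[:window].lower()
        if any(marker in head for marker in _HTML_MARKERS):
            return "text/html"  # promoted: user-controlled bytes now run as a page
    return declared


def csv_export(rows):
    """Naive cell join; the first cell becomes the first bytes on the wire."""
    return "\n".join(",".join(row) for row in rows).encode("utf-8")


def export_response(rows, nosniff=False, pad=False):
    """Build (headers, body) for a spreadsheet export.

    nosniff adds X-Content-Type-Options: nosniff, plus Content-Disposition so
    the browser downloads rather than displays the export. pad prefixes enough
    whitespace to push user content past SNIFF_WINDOW, the kind of defence the
    article says Google relied on; it holds only while the browser's window is
    what the server assumed."""
    headers = {"Content-Type": "text/plain; charset=utf-8"}
    if nosniff:
        headers["X-Content-Type-Options"] = "nosniff"
        headers["Content-Disposition"] = 'attachment; filename="export.csv"'
    body = csv_export(rows)
    if pad:
        body = b" " * SNIFF_WINDOW + body
    return headers, body


# Constructed spreadsheets: in HOSTILE_ROWS the first cell is the attacker's.
HOSTILE_ROWS = [["<script>alert(document.cookie)</script>", "b"], ["1", "2"]]
BENIGN_ROWS = [["name", "qty"], ["widget", "3"]]

if __name__ == "__main__":
    variants = (("as shipped", {}), ("padded", {"pad": True}), ("nosniff", {"nosniff": True}))
    for label, kw in variants:
        h, b = export_response(HOSTILE_ROWS, **kw)
        print(f"{label:10s} window=256 -> {effective_type(h, b)}"
              f"  window=1024 -> {effective_type(h, b, window=1024)}")
```

The padded variant passes at the modelled window and fails as soon as the window grows, while the nosniff variant is independent of how any browser sniffs; that is the reason to put the header (and a Content-Disposition: attachment for downloads) on every endpoint that echoes user-supplied content under a non-HTML type, rather than tuning the response body to one browser's heuristic.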

Advocacy groups skeptical of P-to-P bill of rights idea
Two consumer-focused advocacy groups have objected to a p-to-p bill of rights and responsibilities proposed by Comcast and Pando Networks, saying the companies don't have the authority to speak for Internet users. Cable modem provider Comcast seems to be trying to lessen criticism of its network management practices after press reports last October showed Comcast was throttling BitTorrent traffic, said Gigi Sohn, president of Public Knowledge, a digital rights group. The p-to-p (peer-to-peer) bill of rights effort, announced Tuesday, comes after Comcast last month announced an agreement with BitTorrent Inc., the company behind the BitTorrent p-to-p protocol, with the two companies agreeing to work together on network management issues. Pando Networks is a maker of p-to-p software. "This so-called agreement is simply another way for Comcast to try to evade punishment for its blocking and degrading of peer-to-peer services for its customers," Sohn said in an e-mail. "As with the 'agreement' with BitTorrent, today's announcement is long on rhetoric and short on detail." Sohn called Comcast's idea for a customer bill of rights "ludicrous." "Comcast should fix its internal problems with customers being kicked off the Internet service for no good reason, or [who] are disappointed about having programming switched to expensive digital services before it starts pretending to solve the problems of the Internet that it helped to cause," Sohn said. Marvin Ammori, general counsel of advocacy group Free Press, also questioned the bill of rights. "Comcast and a company called Pando have declared themselves the arbiters of consumers' rights and responsibilities," he said in an e-mail. "Their announcement gives little information about the arrangement, but Comcast's behavior tells us everything we need to know. For the past year, Comcast has been blocking peer-to-peer applications -- a practice that they continue to this day with no indication of when or if they plan to stop."
Comcast seems to be trying to divert a U.S. Federal Communications Commission inquiry into the traffic blocking, Ammori said. The FCC has scheduled a hearing on network management and net neutrality at Stanford University in California on Thursday. "Comcast's announcement is little more than the fox telling the farmer, 'I'll guard the henhouse, you can go home,'" he said. "And that's all the attention it deserves." A Comcast spokeswoman didn't immediately respond to a request for comments. A representative of LimeWire, the distributor of a widely used p-to-p software package, also didn't immediately respond to a request for comments on the Comcast proposal. But an FCC spokesman said Wednesday the Comcast/Pando idea deserves to be considered. The FCC has invited representatives of the two companies to speak at the Thursday hearing, said spokesman Robert Kenny. "Establishing a specific and clearly defined p-to-p bill of rights is an interesting idea with potentially important implications for all Internet users," Kenny said. "We look forward to more fully understanding the goals, scope and time frame of this industry effort."
Wed Apr 16, 2008

Are you ready for 'green SOA'?
All of a sudden, green is the "in" color. In 2007, the IT industry embraced the green datacenter concept. What followed was an avalanche of PR from vendor after vendor claiming to be greener than their competitors. Although not yet a global phenomenon, the green datacenter movement is rampant in the United States, the United Kingdom and Germany. A corporate social conscience? No. A corporate economic conscience? Yes. From CIOs to purchasing managers, the belief that a green IT infrastructure reduces recurring expenses has become self-evident. Now, in 2008, we are about to take the next major corporate step in going green, and no better architecture can serve as its foundation than SOA. Based upon recent studies, the overall corporate adoption rate of SOA is 64 percent, with the most important decision issues being business case justification and ROI. Couple this with the fact that 56 percent of corporate adopters cite a lack of key process and architecture skills as an implementation inhibitor. What we have in 2008 with respect to SOA are basic business issues, not technology issues. In fact, today over 70 percent of SOA adoption and implementation rationale is business driven, versus 30 percent in 2006. Technology may never again be the driving force in the corporate decision process, but in SOA it will always be the implementation mechanism. Therefore, to correctly "green" the corporation we must "green" SOA. If we look at a typical SOA framework, we see that one of its key elements is the business process. Supporting these processes is a host of services that allow life-cycle control from inception to implementation to monitoring to optimization to governance. Put simply, green SOA lets us blend green concepts, quietly and symbiotically, into corporate business processes. This is a win-win for the corporation.
Green SOA allows a corporation to minimize economic demand (such as rising cost for energy, raw materials, and waste disposal), satisfy customer and stakeholder demand (such as environmental, social, competitive, and market concerns) and compliance (such as regulatory requirements, global treaty enforcement, and legal constraints). Over time there will be numerous approaches to applying green philosophies to SOA. Right now the thunder belongs to IBM. What started as a suggestion has become a major strategic and product initiative! To effectively green the corporation, IBM believes that one must address people, processes, assets, information, infrastructure, and communications/application connectivity. No architecture changes were required by IBM to SOA. But additions to the concepts of policy and metrics were required to "green" SOA. IBM seized upon the business concepts of carbon emission management for policy and linked it to a metric called a KPI (key performance indicator) as a base for what it calls Green Sigma. Classically, KPIs are financial and nonfinancial metrics used to help organizations define and measure progress toward organizational goals. Apply that concept to carbon management, and we green SOA. IBM's Green Sigma is a five-step process that begins with 1) the definition of KPIs; 2) establishing a baseline for measurement and metering; 3) deploying a carbon management dashboard console; 4) process optimization; and 5) management/compliance. Carbon management is a dynamic real-time concept that utilizes dashboards to benchmark performance, measure, control, and optimize carbon KPIs and finally to track and account for carbon credits. Otherwise known as green currency, carbon credits are about to become the CFO's hidden asset in a developing global carbon trading marketplace. 
Carbon credits can be defined as the currency metric for global carbon-emissions trading based upon the reduction of greenhouse emissions relative to a total annual emissions cap and market-determined monetary value through trading. Credits then can be exchanged (for example, to finance carbon reduction/offset agreements between global trading partners), bought and/or sold on developing international markets at the prevailing market price. Until now, the concept of carbon emissions management was limited to a paper and a pen rather than computers and networking. With the arrival of green SOA tools and concepts into the marketplace, corporations can begin to develop, implement, monitor, manage, and govern everything from green business processes to green IT infrastructures. Not only will business costs decrease, but process improvements will occur through increased compliance and improved performance. Add the green "icing on the cake" through the asset monetization of carbon emission credits and no corporation or government can hesitate to become a jolly and prosperous Green Giant.
Wed Apr 16, 2008