Microsoft lays out SQL Server road map
Microsoft laid out on Monday its road map for SQL Server and a complement of add-ons it hopes will eventually redefine business intelligence and data warehousing. The next version of the database server, code-named Kilimanjaro, is slated for release in the first half of 2010 with a focus on self-service and reporting capabilities for BI. Microsoft plans to have a "community technology preview" (CTP) available within the next 12 months.

The self-service features are wrapped up in a set of technologies code-named Gemini. Those technologies let users build BI applications that can access data across many sources, aggregate the data, build charts and reports, and share the resulting applications via SharePoint. Microsoft also plans to integrate the unified communications capabilities of Office Communications Server to aid the sharing of BI results. Microsoft said much of the Gemini technology will be tied to Excel, allowing users of that desktop program access to the self-service analytics.

Microsoft made the announcements at its annual BI Conference, which is going on in Seattle this week and is expected to draw 2,500 users and partners. The company's acquisitions in the BI market and its stated intentions to expand BI capabilities on the back of its popular SQL Server have been shaking up the market in the past six months. Giants like Business Objects/SAP, Cognos/IBM, and Hyperion/Oracle are among the BI heavyweights with an eye on Microsoft.

A report by Gartner earlier this year said Microsoft still "lags behind pure-play vendors in terms of metadata management, reporting, and dashboard and ad hoc query capabilities." Microsoft plans to systematically address those deficiencies. The immediate goal is to extend its BI tools and software so they are more accessible to users, especially those using Excel and SharePoint. With Gemini, Microsoft hopes to bring BI to users without sacrificing IT control.
"One important thing about Gemini is managed self-service," says Fausto Ibarra, director of product management for SQL Server. "Managed means IT is in control of the process where today end-users use Excel without control of IT or without control on data." With Gemini, IT will be able to see how data is being shared, will have control of security on the data, and will make data sources available to users. Those sources could include ERP data, mainframe applications and independent software vendor programs. Another key feature of Gemini is in-memory BI, which analyzes large amounts of data in memory in order to speed performance.

At the conference, the company also unveiled plans for a highly scalable database technology code-named Madison that would be available in an appliance. Madison integrates SQL Server with technology the company acquired when it bought DataAllegro earlier this year. DataAllegro developed large-volume data warehousing appliances, and Microsoft hopes to scale Madison to handle hundreds of terabytes of data. At the conference, Microsoft showed a demo using 1 trillion rows of data.

The company also plans to use data quality technology acquired when it bought Zoomix in July to enhance the quality of available information. Microsoft would only say the technology will come in "future versions" of SQL Server. CTPs of Madison will roll out in the next 12 months with the appliances available in the first half of 2010. Dell, HP, Unisys, Bull Systems, and EMC have signed on as hardware partners.
Mon Oct 06, 2008

IBM's cloud initiative repackages its familiar offerings
Mixing together a mélange of services, software, and marketing, IBM's announcement this week of its Cloud Services Initiative is about putting an organizing construct around all of its cloud offerings, according to one IBM executive. To that end, it does not appear that there is much new in the way of products or services in the initiative.

Mostly repackaging of IBM datacenter and Lotus technology

Bluehouse, the centerpiece of the initiative, is a Web-based tool for collaboration. However, while the name may be new, Bluehouse actually incorporates a great deal of Big Blue's existing products, such as IBM's Lotus SameTime collaborative and social networking environment. Bluehouse builds on the services currently offered in SameTime for instant messaging and unified communications. "Bluehouse adds document sharing, contact sharing, and community building all in a SaaS (software-as-a-service) model," said Dave Mitchell, director of strategy for cloud services at IBM.

Along with Bluehouse, IBM also announced SameTime Unyte, a Web conferencing offering. Unyte is part of Bluehouse as well. In addition to Bluehouse, the four-part initiative adds to IBM's SaaS platform offerings, whereby IBM hosts the delivery infrastructure for software vendors. What's new is not technological but marketing: IBM has broadened the definition of a partner, expanding it to mean any software vendor that uses two out of three products IBM delivers: middleware, hardware, and managed hosting. Partners are also the beneficiary of joint marketing efforts.

Services to integrate cloud components into an organization's business environment are also available for IBM customers. The fourth component will provide a datacenter environment based on IBM's Cloud Computing Centers around the world. This will give customers remote access to computing power in an on-demand environment.

Looking past proprietary clouds

Although the Bluehouse effort appears to be something IBM has been doing for a considerable number of years through its datacenter services, Mitchell hinted at doing something more, resolving an issue that has recently been swirling around the use of cloud solutions. "We are working with our partners using SOA to develop open clouds as opposed to proprietary clouds as in the past." This comes on the heels of recent statements by Richard Stallman, for example, founder of GNU and a well-respected industry watcher who was quoted in the British newspaper The Guardian as saying cloud computing is nothing more than a "marketing hype campaign" and a "trap which will lock users into proprietary systems." The difference between what IBM is offering and others, says Mitchell, is that an open cloud environment will give users more interoperability and more connections to partners.
Mon Oct 06, 2008

Oracle tries to step up on high-end databases
Since 2005, Oracle has spent at least $32 billion on acquisitions -- turning itself into the vendor of a top-to-bottom enterprise software stack that is arguably broader in scope than any rival suite. In doing so, Oracle hasn't diluted its database focus. Sales of databases and middleware still account for more than half of its revenue. And according to consulting firm Gartner, Oracle controlled 49 percent of the global database market last year, with more revenue than the next four vendors -- IBM, Microsoft, Teradata and Sybase -- combined.

But Oracle has shown some signs of vulnerability at the high end of the database market. For instance, many Web 2.0 companies are eschewing its databases and instead running open-source technologies like MySQL on grids of PC servers. And corporate users with data warehouses sized in the hundreds of terabytes, or even in the petabyte range, are finding column-oriented databases and specially tuned data warehousing appliances to be more scalable than Oracle databases are.

So Oracle's annual OpenWorld conference in San Francisco two weeks ago was heavy on database news as the company tried to show that it is agile enough -- and its software is robust enough -- to respond to the new challengers. At the top of the list was Oracle's announcement of a pair of hardware products -- its first ever -- aimed at users looking to get ultrafast performance out of their ultralarge databases.

For the past six months, Oracle CEO Larry Ellison had teased users and analysts with hints that the vendor would introduce a "database accelerator" at OpenWorld. That turned out to be the Exadata Storage Server, which combines Oracle's parallel query software with ProLiant servers from development partner Hewlett-Packard. What makes the Exadata system different from a typical storage server, according to Oracle, is the database intelligence built into the device. Ellison claimed that Exadata can speed up large queries by performing lower-level calculations on the information it stores and then sending the results to the main database, instead of flooding it with raw data.

The other new product, the industrial-sounding HP Oracle Database Machine, is a self-contained system designed to match up against integrated data warehousing appliances from vendors like Teradata and Netezza. The Database Machine combines eight regular database servers running Oracle Database 11g with 14 Exadata systems that have a total storage capacity of 168TB and InfiniBand connections offering 14GB/sec. of aggregate data bandwidth. That all costs a mere $2.33 million -- for existing customers that have enterprise or unlimited Oracle database licenses. New customers would have to pony up for licenses for the eight database servers; based on the configuration recommended in an Oracle white paper, that would cost an additional $3.22 million, analysts said.

Even so, Christo Kutrovsky, a database administrator at The Pythian Group, an Ottawa-based company that manages databases for corporate clients, said he thinks the Database Machine could be worth the steep cost if the alternative is having the IT department try to assemble a similar system itself. "Ninety percent of the problems I've seen are due to improperly configured systems," Kutrovsky wrote in Pythian's corporate blog. Installing the Database Machine eliminates that issue by making configuration errors "impossible," he said.

According to Oracle, customers that tested production workloads on a half-size Database Machine said queries ran 10 to 72 times faster than they did on other systems. Those early users include the Chicago Mercantile Exchange, supermarket chain Giant Eagle and LGR Telecommunications, which develops data warehousing systems for telecommunications carriers.

In a blog post, Forrester Research Inc. analyst James Kobielus described the introduction of the Database Machine and Exadata as "a bold move into petabyte scale-out territory -- an emerging, very-high-end niche in which one veteran vendor, Teradata, has been preeminent." Kobielus also noted that Oracle's storage layer is transparent to applications, meaning they don't need to be rewritten in order for users to see performance gains on the new systems.

Lukewarm reception

But Tim Hall, a U.K.-based Oracle DBA, blogged that he was "a little underwhelmed" by the OpenWorld announcement. "It all seems a little irrelevant to me," Hall wrote, citing the price tags and high-end focus of the new products. "For me, this is like discussing the merits of a Lamborghini when I'm actually going to buy a Renault Clio." And independent database analyst Curt Monash said that although the Database Machine and Exadata are impressive from a technical standpoint, he doesn't expect them to win over many Web 2.0 companies or other new users. The technologies make the most sense for businesses that already use Oracle's data warehousing products and "are content to pay Oracle prices," Monash said.

For companies that don't have money to spend on a turbocharged system like the Database Machine, Oracle is touting 11g's Advanced Compression option. In a session at OpenWorld, Oracle officials said the data compression technology can dramatically shrink database table sizes and boost read/write speeds by as much as three to four times in data warehouses as well as transaction databases. In fact, Oracle claims that companies using Advanced Compression no longer need to move seldom- or never-used older data to archives. Instead, they can keep all that information in their production databases, according to Oracle officials.

But users haven't flocked to Advanced Compression yet. One reason is that it's not a free add-on: Licenses start at $11,500 per processor -- a relatively high price in its own right. In addition, the technology is available only to users of the year-old 11g Enterprise Edition, which has yet to be widely adopted. Andrew Mendelsohn, senior vice president of server technologies at Oracle, said that 75 percent of the company's database customers are running its 10g release, while another 20 percent are still using the even older 9i version.

For instance, LGR Telecommunications has built a pair of 300TB data warehouses for AT&T, which stores its caller data records in them. But the databases, which run concurrently, are based on 10g and can't take advantage of Advanced Compression yet. Hannes van Rooven, a technology manager at LGR, said during a presentation at OpenWorld that his company uses compression only to a limited extent now, although it does plan to increase its usage "extensively" in the future.

Intermap Technologies Inc. is running the spatial version of 11g for an 11TB database of mapping and imagery data that is expected to grow to 40TB by the first quarter of 2010. But Sue Merrigan, senior director of information management at Intermap, said that the company doesn't compress the data "because we're concerned it would lose its accuracy." That wouldn't happen, Oracle officials said. But comments such as Merrigan's show that even among some of its loyal customers, the vendor still has a sales job to do on Advanced Compression -- never mind the Database Machine and Exadata.

Chris Kanaracus of the IDG News Service contributed to this story.
Mon Oct 06, 2008

CA to unveil datacenter automation package
CA plans to unveil this week its datacenter automation product that industry watchers say will help IT staff offload server resource-provisioning duties and give CA an advantage over competitive products from BMC and HP. CA Data Center Automation (DCA) Manager r11.2 will let customers automate systems monitoring and resource provisioning. The software competes with technology HP acquired with Opsware and BMC bought with BladeLogic. CA developed its product in-house, which industry watchers say could give CA an edge if competitors are still working to integrate acquired software.

"CA's seemingly slow progress on the DCA technology is a sign of an internal design approach which might just be the right one," says Evelyn Hubbert, senior analyst with Forrester Research. "Acquisitions are always challenged by architectures, which need to be matched or modified mostly to the disadvantage of the client. CA knows its architecture and can design integrations and extensions from the ground up."

For instance, DCA Manager will integrate software for network and systems management as well as ties to Wily Introscope 8 and Customer Experience Manager 4.2 products for application performance management, which are also scheduled to be announced this week. DCA Manager runs on a server and works with existing agents in a customer environment to gather information and trigger events. The software collects system software and hardware configuration information, discovers applications and their dependencies, and detects change across the environment. Integration with existing products also gives the software access to network availability, application performance, and business service management data, which CA says can help automate resource allocation based on demand.

"The software includes algorithms and policy-based management features that, for instance, can compare how application performance correlates to resource consumption. Based on that information, DCA Manager can determine if resources need to be provisioned," says Stephen Elliot, vice president of strategy for CA's Infrastructure Management and Data Center Automation business unit (and a former IDC analyst). "Customers need to be able to allocate resources based on the business demand."

DCA Manager monitors utilization and performance across mixed-platform datacenter environments. The data can then be fed into customizable dashboards that give data center managers a view of their physical and heterogeneous virtual environments, which analysts say is a capability many vendors are looking to offer. "It's unclear at this point if the market for data center automation products is tied to hardware, which could be HP's selling point, virtualization platforms like VMware and Microsoft or third-party software that can handle heterogeneous hardware, operating systems and virtual technologies," says Mary Johnston Turner, senior analyst with Enterprise Strategies Group.

Naveed Husain, CIO at Queens College, a City University of New York public educational institution, is conducting a proof of concept on CA DCA Manager. He says the software, which is not fully implemented, could help him manage more than 100 Dell servers running Windows and Linux operating systems and supporting more than 20,000 students, staff, faculty and other employees at Queens College -- without adding head count. And with virtualization on the horizon, Husain realized he couldn't postpone an investment in infrastructure monitoring and automation technology any longer. "It's embarrassing to have built a high-availability environment with redundancy and failover and get calls because disk utilization on a server is over 75 percent and you didn't know because you can't have human eyes on all the servers all the time," Husain says.

CA says the DCA Manager software can also be used to provision resources on a scheduled basis, letting customers delegate duties. For instance, a self-service feature lets non-IT staff schedule desired resources for specific applications or events at the university. Once scheduled, DCA Manager will use images and templates built by Husain's staff to automatically provision the server capacity for the assigned function. When the need is no longer there, the resources can be reclaimed by IT.

"When it comes to management, IT decision makers list the impact on IT staff and cost as the top factors they consider. CA's self-service reservation management systems gets IT in part out of the workflow and lets end users schedule resources for themselves," Turner says. "Technology that saves on staff time and keeps the business going is compelling, and right now investing in automation tools is really going to pay back for IT."

"At the low end we would pay $36,000 for a help-desk position and then anywhere between $60,000 and $90,000 for senior IT staff. Because I can't invest in staff, I am going to invest in this automation tool because I believe it will make my staff's lives easier now and save us money while the work still gets done," Husain says.
Mon Oct 06, 2008

IBM bundles up cloud computing initiatives
IBM has joined the companies jostling for position in the cloud computing space. The company has announced a variety of offerings that it claimed would allow users to better manage data and make collaboration easier.

The company has opened up the beta for Bluehouse, the company's so-called Facebook for the enterprise. The software has been available in closed beta for the past nine months but is now being made available to anyone. The company said that Bluehouse would combine social networking and online collaboration tools to help organizations share documents and contacts, engage in joint project activities, host online meetings, and build social networking communities through a Web browser.

The company has also bundled Sametime Unyte, an existing product, as part of the new cloud initiative. Sametime Unyte is a Web-enabled collaboration tool that allows the sharing of documents, presentations, or applications via a Web browser. There are several new enhancements to the product, including a "waiting room" for meeting participants to gather and specialized alerts and prompts for meeting hosts. The company has said that Sametime Unyte will be bundled with Lotus Notes and Lotus Sametime to allow people working in e-mail or instant messaging to join Web conferences with a single click of a button.

Other products to be released include Rational Policy Tester OnDemand, which the company said would reduce online risks by automating Web content checks to help with compliance. Rational AppScan OnDemand will scan Web applications for security bugs, and Telelogic Focal Point centralizes product information shared by product management, engineering, and marketing teams.

The company said that the moves were in line with user demand. "We are moving our clients, the industry and even IBM itself to have a mixture of data and applications that live in the datacenter and in the cloud," said Willy Chiu, vice president, high performance on demand solutions, IBM. "IBM's cloud computing strategy was inspired by feedback from the business world's broadest IT customer base indicating a growing desire to utilize data, applications, and services from any device and from any location based on open standards."

Techworld is an InfoWorld affiliate.
Mon Oct 06, 2008

Datacenter spending remains strong
Many companies are stepping up their datacenter investments even as they try to make cutbacks in other parts of their business, according to a survey released Monday by AFCOM, the association for datacenter professionals. The investments are a sign that company executives recognize the important role datacenters play in their business, particularly as more services and processes go online, according to AFCOM founder and former president Len Eckhaus.

Half the respondents to AFCOM's survey said their datacenter budget had increased this year compared to 2007, while a third said it stayed flat and 18 percent said it declined. Forty-three percent expected their budget to increase again next year, in most cases by about 10 percent. "Part of it is because of the Internet and everything going online. Part of it is that executives these days have a better idea what their datacenter is doing for them," Eckhaus said.

The investments are also being driven by efforts to improve power efficiency, which can lead to savings. About 80 percent of the respondents said they expect to do more "greening initiatives" this year and next.

The results are based on responses from 312 datacenter professionals working mostly in the U.S., with a few in Canada, Asia, and Europe. About two-thirds work in IT and one-third in facilities. The survey was conducted in May, before the U.S. financial crisis, but one datacenter manager said the results hold true for his company today.

Tom Roberts is director of datacenter facility management at Trinity Information Services, which supports the IT needs for Trinity Health System and its 17 hospitals around the United States. His datacenter budget increased for this year and next and he expects it to increase again in 2010, he said. Trinity Health has been moving clinical systems and patient administration systems out of its hospitals and centralizing them in its main datacenters. The company's senior leadership, who he described as "avid investors in IS," have seen several benefits from the centralization but also realize the need for additional investment to ensure the systems are always available when needed. "It comes down to putting in very hard and fast DR [disaster recovery] systems for all the main systems we have for our hospitals, and making sure they are available when they're needed," he said. The new investments at Trinity will also go towards meeting increased power and cooling needs, he said.

The survey results are being presented Monday morning at AFCOM's Data Center World conference in Orlando.

CIO.com is an InfoWorld affiliate.
Mon Oct 06, 2008

Mono 2.0 lets .Net apps run on Linux
Mono 2.0, an open-source runtime enabling .Net-based applications to run on Linux, Mac OS X, and Unix, is being released Monday, featuring capabilities for a number of .Net technologies. Considered a major upgrade, the open source Mono 2.0 runtime leverages Microsoft's .Net Framework 2.0 programming model. With Mono, developers can build desktop and server applications using Microsoft-based environments and deploy them across multiple platforms, including Windows. Novell is leading the Mono effort.

"The existing apps you build on Windows, you can now run those applications on Linux or MacOS 10. Different people have different reasons for doing so," such as platform consolidation, said Miguel de Icaza, vice president of developer platforms at Novell and Mono project maintainer. Mono 2.0 supports the C# 3.0 language and LINQ (Language Integrated Query) for querying of data across databases, objects, and XML content, de Icaza said. Also, users can move over server applications built for .Net and client applications built with Windows Forms.

Version 2.0 of Mono, however, lacks support for key .Net 3.0 and .Net 3.5 APIs, specifically Windows Communication Foundation, Windows Workflow Foundation, and Windows Presentation Foundation. These are not currently supported because they were not amongst the most requested technologies sought by early users of Mono, de Icaza said. "We don't support them because we haven't developed those pieces yet," he said. Work on WCF support is planned for next year.

Also featured in Mono 2.0 is MoMA (Mono Migration Analyzer), a tool to assess the readiness of Linux environments for migration of .Net applications.

Microsoft's reaction to Mono has been mixed, according to de Icaza. "I guess it depends on who you ask. In some cases, of course, they would rather have people stay on Windows," he said. Microsoft is working with de Icaza and Novell on Moonlight, which will enable applications built for Microsoft's Silverlight browser plug-in to run on Linux. Moonlight 1.0, a more complete release than what has been available, is set to be released by the end of this month.

Mono is intended to help more applications be moved to Linux and help developers reach a larger market. "From our position, we want more developers to be able to start deploying their third-party applications on Linux. We want to enrich the Linux ecosystem," de Icaza said. He estimated that 45 percent of applications will run on Mono 2.0 out of the box while 18 percent will require developers to spend a couple of weeks to make some changes due to operating system differences. About 20 percent will require significant work, taking about three to six months, if the application is tightly integrated with Windows, de Icaza said.

Current Mono user Mindtouch, maker of the Deki collaboration platform, opted for Mono because it sought to provide cross-platform solutions, said Aaron Fulkerson, Mindtouch founder and CEO. "I think Mono is fantastic for us," he said. Mindtouch founders and many of the company's developers had worked at Microsoft and sought to leverage Windows-based development skills, he said. But .Net lacked platform independence. "We very seriously considered going with Java and then [took] a good hard look at Mono," Fulkerson said. Mono was determined to be a "sufficiently mature technology to build on," he said. "In fact, we developed our product and deployed solely on Mono and Linux up until this month," just now adding support for Windows, said Fulkerson.

The Mono 2.0 runtime is offered under the LGPL, while class libraries and compilers are available via the MIT X11 license. Mono was built using Microsoft documentation pertaining to the .Net engine and languages, which are ISO standards, de Icaza said. Work on Mono 2.0 has been going on for about two-and-a-half years. The Mono project itself was begun in 2001.
Mon Oct 06, 2008

Offshore outsourcing: What role will recession play?
The ongoing credit crisis is a concern for everyone in nearly every industry -- fear of lost jobs, foreclosed homes, and bankrupt businesses. But those lost jobs are likely to further bolster the booming offshore outsourcing market -- so the experts predicted. Fast-forward two months: It's time for them to eat their words. Customers are not outsourcing more, nor is the industry growing any faster. In fact, each day service providers only revise their growth estimates in the downward direction.

Some brave analysts are finally coming out with the truth. Days after Wall Street's collapse, vice president and principal analyst with U.S. research firm Forrester, John McCarthy, said the scale of the crisis had rendered all previous studies, including Forrester's own survey released earlier this month, redundant, and that Indian IT providers should prepare for slower growth and lower profits. "It is naive to say an economic slowdown is good because cost-cutting will lead to higher offshoring. This is no longer a recession, it is fundamental restructuring of financial services that is taking place," says McCarthy.

What the hell happened in these two months? Multiple factors are at play here -- some recent developments and some historic issues that have been building over time. About 20 to 40 percent of the revenues of offshore outsourcing firms are tied to the financial services industry. With its collapse, companies have been forced to look to other vertical markets. In normal circumstances, that should have been enough to offset the revenue erosion. But the problem is that everyone is in the same boat and those other industries are also impacted by the crisis, fading consumer demand, and reduction in spending.

For example, the travel vertical has started seeing a rise in ticket cancellations and refunds, which has led service providers like WNS to greater conservatism on revised guidance. Hexaware stated that delayed decision-making is spreading out from BFSI to travel, and it has now reduced its annual growth estimate from 24 percent to 7 or 9 percent. Sasken is now cautious about the telecom handset segment as all the top-five handset customers are seeing a slowdown in sales (a U-turn from Sasken's bullish stand on this segment a couple of months ago).

So, suddenly all players are chasing a smaller market, in which there was little differentiation among players anyway, and it will lead to pricing pressure, reduced profitability, and less growth. It will also become difficult to generate new business (unless driven by price), which will result in generic and inefficient players rightfully getting wiped out of the market. Rather than getting upset about it, I think it's an exciting opportunity for service providers to innovate and build their differentiators. Customers, I would say, have never had it so good -- they can finally be in the driver's seat.

It's also difficult to accurately quantify the business value of offshore outsourcing. At a theoretical level, it does make sense. At a headcount level, it also makes sense. But at a business outcome level, the real and hidden costs are often ignored and many companies are left thinking, "Hey, wait a minute, I offshored hundreds of my staff...why isn't my profitability increasing?" And despite the share of offshoring rising, why haven't we ever seen a reduction in IT spend? That's because offshore outsourcing has so far focused on headcount as the currency, not the business value generated. That is about to, thankfully, come to an end.

The more I think about the full value chain, the more intrigued, and sometimes scared, I get about the full impact. TCS has reduced its annual hiring estimate by about 30 percent, Wipro already reduced headcount in IT services last quarter, Polaris has resorted to just-in-time hiring, Infosys is visiting fewer campuses...what does it mean for the employment market in offshore outsourcing countries? Will wage inflation ease off? Will attrition finally come down to manageable levels? Will being skilled come back in fashion compared to just having an IT diploma/degree? We'll have to wait and see...

It is the end of the golden age of offshore outsourcing, but it also heralds a new dawn -- the age of truth and rationality, where offshore outsourcing delivers real, tangible business value, and service providers are focused on making things work for customers in unique and innovative ways. Here's to the new age...cheers!

Arpit Kaushik runs a business redesign company in London, Crystals, that helps technology-centric companies get unstuck. CIO.com is an InfoWorld affiliate.
Mon Oct 06, 2008
Ask.com upgrade improves search relevance, speed
Ask.com plans to upgrade its search engine on Monday with several enhancements that it considers significant and that it believes could give its popularity a boost in a market dominated by Google. Ask.com has sharpened the relevance of its search results, made the engine faster, and simplified the site's layout, said Ask.com president Scott Garrell. "The strategy from a product perspective is to provide the best answer the first time, every time," Garrell said. "We want to reduce the distance between your query and the answer you want." If Ask.com can consistently provide direct answers in its search results page, Garrell believes it will grow its user base. It generally takes people three to four clicks in any search engine to get the desired information, he said. Behind the scenes, Ask.com's makeover includes an improved ability to extract data from Web pages; to mix in a wider variety of result types like photos, news, images, and videos; and to tap a broader pool of data sources for queries about entertainment, jobs, health, and reference information. With this upgrade Ask.com, owned by IAC, is also aiming to recapture the functionality that gave it its prominence during its heyday: the ability for people to type in queries in natural language. Ask.com is bringing this functionality back via a question-and-answer feature that uses semantic search technology to interpret the questions and return relevant answers found on the Web, Garrell said. In the mid to late 1990s, before the rise of Google, Ask.com -- then called Ask Jeeves -- was a leading search engine, along with others like Altavista and WebCrawler. After the dot-com bubble burst, Ask Jeeves de-emphasized its consumer search engine and focused on providing search services and software to the enterprise market. However, it abandoned this strategy in mid-2003, exiting the enterprise market and vowing to regain the ground lost in the consumer search space.
Since then, Ask.com has regularly updated and enhanced its search engine, often earning praise from industry experts for clever and useful innovations in technology and layout. Unfortunately, the company's share of search usage in the U.S. has fluctuated in recent years roughly between 4 percent and 7 percent, coming nowhere near market leader Google, which has in turn increased its dominance more and more. For example, in November 2005, Google handled almost 40 percent of all U.S. queries, while Ask Jeeves placed fifth with 6.5 percent, according to comScore. By comparison, in August of this year, Google had a 63 percent share of U.S. searches, while Ask.com placed fourth with 4.8 percent, according to comScore. Evan Andrews, a Jupiter Research analyst who was given a demo of the new and improved features, said Ask.com has a chance to attract new users, something that is hard in the search engine market because people grow very attached to their preferred provider -- Google for most. However, there is a segment of users that Jupiter Research has identified as "power searchers" that have a voracious appetite for new search products and features. They might be drawn to give Ask.com a try and stick around if they like the improvements in blending different types of results, the so-called universal search concept that Google and all other major search providers are pursuing. "Ask has always been a leader, a pioneer in universal search and pushed the envelope when it comes to that, so it stands a good chance to see additional gains in market share," Andrews said. Andrews also liked the new Q&A search functionality, as well as the expanded repositories of structured data that Ask.com can tap to deliver direct answers to queries. "It's going to be difficult with just one announcement and some new features to overtake Google, but that doesn't mean Ask shouldn't try," he said. "Based on our research, the strategy of delivering richer search results is the right one."
Mon Oct 06, 2008
Microsoft updates desktop management tools
Microsoft has released the next version of its desktop management toolset for IT that includes updates to its application virtualization and asset management tools. Microsoft Desktop Optimization Pack (MDOP) 2008 R2 is now available to users with volume licensing contracts and Software Assurance maintenance contracts. MDOP is designed specifically to help IT administrators manage collections of Windows desktops, including Vista SP1. The R2 release does not include the new license reconciliation features for MDOP's Asset Inventory Service 1.5 (AIS). That update will be available in early November. The AIS 1.5 reconciliation feature tells users if the software deployed in their infrastructure is compliant with their licensing agreements. Early next year, Microsoft will add to MDOP its Microsoft Enterprise Desktop Virtualization (MED-V) software, which is the first Microsoft-branded release of the recently acquired Kidaro technology. MED-V runs multiple versions of Windows or applications concurrently without having to open multiple virtual machine sessions. The software complements another MDOP tool called App-V. The R2 release does include App-V 4.5 (formerly Softgrid), which introduces integration with System Center management tools, including the System Center Operations Manager 2007 Management Pack for App-V 4.5. App-V 4.5, which was first made available individually Sept. 15, lets users package applications up into "containers," store them on a server where they can be centrally managed, and then stream those containers to desktops, devices or shared PCs. The 4.5 version is the first developed under Microsoft's Trustworthy Computing and Secure by Default guidelines. App-V 4.5 also features Dynamic Suite Composition (DSC), which lets virtualized applications share middleware resources; support for 11 languages; and a service provider license option called Microsoft Application Virtualization 4.5 Hosting for Desktops. 
In addition, Advanced Group Policy Management 3.0 (AGPM) also has been updated to include new settings to enforce the use of the Group Policy change management tool. MDOP includes AIS; App-V; Enterprise Desktop Virtualization for managing and deploying virtual PCs; System Center Desktop Error Monitoring; Advanced Group Policy Management (AGPM) for change management via group policy objects; and the Diagnostics and Recovery Toolset, which helps in recovering a crashed PC. MDOP is composed of software from Microsoft's purchases of Softricity, Kidaro, AssetMetrix, Winternals Software and DesktopStandard. MDOP is a big part of Microsoft's Optimized Desktop, which addresses centralized management and deployment of physical and virtual resources. Network World is an InfoWorld affiliate.
Mon Oct 06, 2008
HP bolsters SOA governance in Systinet 3.00
HP on Monday is updating its SOA governance software, HP Systinet 3.00, which assists with discovering and reusing services in composite applications and business processes. Featured is support for standards such as BPEL (Business Process Execution Language) and integration with other HP SOA products. In Version 3.00, multiple users within an organization can discover and reuse services, the company said. With the upgrade, customers can automate service lifecycle policy compliance by capturing best practices to achieve SOA objectives. This is being accomplished by integration with HP Quality Service Center, a separately available product. Pre-built lifecycles and templates in Version 3.00 enable nonexperts to quickly use the product, HP said. More sophisticated users can customize service lifecycles through use of wizard-driven programming interfaces. Role-based dashboards provide information in a format related to a specific user's responsibilities. HP acquired the Systinet product when it bought Mercury Interactive in 2006; Quality Center also came over with the Mercury buy. "The focus of HP SOA Systinet 3.00 is all about enabling customers to take their SOA governance efforts to a much larger scale," said Kelly Emo, HP software SOA product marketing manager. HP has completed integrations between all of its quality solutions for SOA, she said. Users of the upgrade can build reusable business processes and include them in the governance framework through support for BPEL. Productivity can be increased via business processes that are easier to discover and reuse, HP said. Automation of repetitive tasks across a large number of services is featured, with support for bulk operations and lifecycle "cloning," HP said. Support for Open SCA (Service Component Architecture) and WSDL 2.0, for exposing interfaces, is featured as well. 
Version 3.00 also can trigger business policies based on service quality through integration with HP Service Test Management or manage rogue services in production through linkage with HP Universal Configuration Management Database. HP Systinet 3.00 is available now.
Mon Oct 06, 2008
Microsoft grants Windows XP yet another reprieve
Microsoft has extended the availability of Windows XP on new PCs by six months, the company confirmed Friday. Computer makers that "downgrade" machines from Windows Vista Business or Vista Ultimate to Windows XP Professional will be able to obtain media for the latter through the end of July 2009, a Microsoft spokeswoman said Friday. The new date is a change in policy. Previously, Microsoft had planned to halt XP Professional media shipments to major computer makers after Jan. 31, 2009. "As more customers make the move to Windows Vista, we want to make sure that they are making that transition with confidence and that it is as smooth as possible. Providing downgrade media for a few more months is part of that commitment," the spokeswoman said in an e-mail. The Jan. 31, 2009 date is also the last day when smaller companies, dubbed "system builders," will be allowed to purchase Windows XP licenses to install on the machines they assemble. The system builder deadline has not changed, the spokeswoman added; it remains next Jan. 31. To confuse matters, some PC makers have long claimed that they would provide XP downgrades on new computers past the Jan. 31 deadline. Last June, for example, Hewlett-Packard talked of a July 2009 cut-off. "HP...will continue to offer this option on its business systems through at least July 30, 2009," a company spokesman said almost four months ago. The Microsoft spokeswoman clarified the situation. "The [downgrade] rights don't go away," she said via instant messaging in response to follow-up questions. "It's all about having the media on hand. It's always been okay to use what you've got." Microsoft sent Windows XP into semi-retirement last June when it stopped selling the aged operating system at retail, withdrew Windows XP Home from use on new PCs and allowed XP Professional to be installed as a Vista downgrade.
The latter tactic takes advantage of Vista's end-user licensing agreement (EULA), which allows users -- and in their stead, computer makers -- to install Windows XP Professional while also providing media for Vista for a possible upgrade later. More than a third of all new PCs are being downgraded to Windows XP, according to data from a Florida company that operates a community-based performance testing network. It's also possible that XP will be widely available long after July 31, 2009. "Downgrade rights do not expire," Microsoft's spokeswoman said Friday. The longer availability puts Microsoft in an unusual position; the new timeline will make it possible for users to purchase XP-powered PCs through next July, just months before Microsoft plans to roll out Windows 7, the successor to Vista. Computerworld is an InfoWorld affiliate.
Mon Oct 06, 2008
Microsoft fights Ballmer testimony in 'Vista Capable' suit
The only thing CEO Steve Ballmer knew about Microsoft's Windows Vista Capable marketing campaign was what he was told by subordinates, and he should not have to testify in the class-action lawsuit that accuses the firm of deceiving customers, the company said Friday. In a motion filed Friday, Microsoft asked U.S. District Court Judge Marsha Pechman to block the move by plaintiffs' attorneys to depose Ballmer later this month. Lawyers for the plaintiffs want Ballmer on record in the case, which charges Microsoft duped consumers when it touted then-current PCs as "Vista Capable" in the months leading up to the late-2006 launch of the new operating system. A Microsoft spokesman said the opposing lawyers were grandstanding. "This unnecessary request to depose Steve Ballmer is part of an effort by class action lawyers to generate media interest in topics that fall outside the narrow theory the court allowed them to pursue in this lawsuit in February," said company spokesman David Bowermaster. In a declaration submitted to Pechman, Stephen Rummage, an attorney with Davis Wright Tremaine LLP, which is representing Microsoft in the case, said that he told plaintiffs' attorneys that Ballmer would not be available for a deposition before the Nov. 14 cut-off. "After briefly describing our understanding of the law, I told [plaintiffs' attorneys] that Mr. Ballmer had no unique or superior personal knowledge of any disputed facts, asked them to explain why they thought Mr. Ballmer's testimony was necessary, and requested that Plaintiffs rethink their request to depose Mr. Ballmer," Rummage told the judge. Ballmer echoed that in his own declaration, also filed Friday. "I was not involved in any of the operational decisions about the Windows Vista Capable program," he said. "I was not involved in establishing the requirements computers must satisfy to qualify for the Windows Vista Capable program. 
I was not involved in formulating any marketing strategy or any public messaging surrounding the Windows Vista Capable program. "To the best of my recollection, I do not have any unique knowledge of nor did I have any unique involvement in any decisions regarding the Windows Vista Capable program," Ballmer added. All he knew about Vista Capable was what subordinates, particularly Jim Allchin, the Windows development chief who took Vista to market before retiring in early 2007, and Will Poole, the former senior vice president responsible for the client version of Windows, told him. Ballmer admitted having had only "brief discussions about technical requirements and timing" for the marketing effort with high-level executives at partners such as Intel. Microsoft's Bowermaster declined to comment late Friday when asked why Ballmer was not more involved in the Vista Capable marketing campaign. At the time of Vista's debut in November 2006, Microsoft touted the unveiling as its "biggest ever in the history of Microsoft product launches." The plaintiffs' attorneys also asked for testimony from other current and former Microsoft executives, including Allchin, Poole, and Rajesh Srinivasan, a product manager in the Windows group at the time of Vista's launch. Lawyers will take their depositions starting Monday. The lawsuit, which began in 2007 and was granted class-action status in February 2008, claims that Microsoft ran a "bait and switch" by touting slower, less-expensive PCs as able to run Vista when they would handle only Vista Home Basic, the least expensive version of the OS. The suit argues that Home Basic is not representative of the Vista that was heavily marketed to consumers. The case is perhaps best known for the hundreds of internal Microsoft e-mails made public earlier this year, but it resurfaced Friday after lawyers for the plaintiffs asked Pechman to force Microsoft to use Windows Update to notify users that they may qualify for inclusion in the case. 
Computerworld is an InfoWorld affiliate.
Mon Oct 06, 2008
Worst Windows flaws of the past decade
June 25, 1998, and June 30, 2008, marked two important milestones in Microsoft's evolution of the Windows OS -- the passing of the torch from Windows 95 to Windows 98, and the less seemly transition from XP to Vista. In the 3,659 days between, users of Windows have been forced to bear witness to another evolution of sorts: bugs that left Windows open to exploits that appeared almost as fast as you could say, "On the Origin of Species." [ For some fun of the hacker and admin variety, see "Stupid hacker tricks, part two: The folly of youth" and "Stupid user tricks 3: IT admin follies." ] Uncovering -- and exploiting -- Windows vulnerabilities has made sport for many and careers for many more. Entire industries have sprung up to protect Windows users from previously unknown flaws, while malware authors have matured their practices from juvenile pranks to moneymaking criminal enterprises. Caught in the middle of this never-ending onslaught is the innocent PC user and the besieged IT admin -- you. And though Microsoft and the entire software industry have labored tirelessly to handle zero-day exploits and to develop protocols for reporting potential security problems, we've seen and experienced several colossal security meltdowns thanks to the humble Windows bug. These errors, buried in millions of lines of code, have steered great corporations and turned the tide of fortunes. It's high time they got the credit they deserve. Here are the worst Windows flaws we've endured since the introduction of Windows 98.
Password "password" would have been more secure
Bug identifier: VCE-2000-0979, MS00-072
Description: Share Level Password vulnerability
Alias: Windows 9x share password bypass
Date published: Oct. 10, 2000
Windows 9x introduced a nifty little concept wherein users could host a password-protected mini file server, aka a share, on their PCs. The idea was simple: Allow users of networked computers to host and share files securely. Only the padlock Microsoft used to lock the door came equipped with a gaping hole that rendered it useless. "When processing authentication requests for a NetBIOS share, Windows 95/98 would look at the length of the password sent by the attacker and then only compare that number of bytes to the real password," writes vulnerability expert H.D. Moore, who manages the Metasploit Framework project. Oops. "This let the attacker specify a password of zero bytes and gain access to the share," without actually knowing the password at all, Moore explains. "The real damage," he continues, "was that by trying all characters of incrementing lengths, they could literally obtain the password for the share from the server." Upshot: Rather than functioning as a lock on a door, the password authentication scheme for Windows 95/98's File and Print Sharing acted more like a nail through a hasp -- to open the door you only needed to pull out the nail, with hardly any effort.
Folder traversal: Total server control with a single URL
Bug identifier: MS00-078
Description: Web server folder traversal vulnerability
Alias: Directory traversal bug
Date published: Oct. 17, 2000
If there's one thing we've learned from the past decade of Microsoft patches, it's that not everyone keeps on top of them. When Microsoft published this particular advisory, the patch that fixed the problem (MS00-057) had already been released two months prior. With this bug, if you knew the layout of a Microsoft file system -- which folders appear where -- you could send a command to a Web server that essentially gave you total control. As anyone who has spent any time using a Windows computer will tell you, it's not hard to find your way around the hard drive. Documents go in a particular folder path; most applications are put in another folder path; and so on. By using dots and backslashes (or their respective unicode representations) in the URL, this bug allowed you to navigate up and down the file system and execute commands, just by knowing a few simple rules and how Windows organizes itself. While account permissions for IIS are somewhat limited, a related exploit helped escalate privileges, giving remote users the ability to do whatever they wanted to with Windows servers simply by sending a few URLs. "Originally found as an anonymous post in the PacketStorm forums, this resulted in nearly two straight years of mass ownage against Windows web servers," Moore writes. Upshot: Directory traversal opened up a new world for automated attacks that merely had to call a particular URL to do their dirty work.
Code Red: Deadly bug, disgusting soda
Bug identifier: MS01-033
Description: Unchecked buffer in index server ISAPI (Internet Server API) extension could enable Web server compromise
Alias: The Code Red bug
Date published: June 18, 2001
What happens when you send a ton of data at a Microsoft Web server? If it was the summer of 2001, well, you owned the network. At least that's what happened a little more than a month after Microsoft released this obscure-sounding patch for IIS Web servers. The nature of the bug was simple: Take an IIS server, invoke a buffer overflow, and commands spill into other parts of system memory. Because the commands were issued in the context of the system itself, the bug opened up for exploitation virtually all aspects of the server's operation. And exploitation happened, all right, on a scale that hadn't been seen before. On the afternoon of Friday, July 13, 2001, security engineers at eEye Digital Security received reports of a worm that was spreading rapidly through its customers' networks. Fueled by a limited edition, crimson, caffeinated, high-fructose corn syrup-based beverage, Mark Maiffret and Ryan Permeh spent a weekend reverse-engineering the worm, and alerted the world to its presence. What the worm did was probe vulnerable IIS servers, infect them, and create 100 threads of itself, which then spread to other computers. If the date was between the 20th of the month and the end of the month, it would attempt to spew data at www.whitehouse.gov. Permeh and Maiffret estimated that the worm could infect approximately 500,000 unique IP addresses per day. Upshot: Code Red really drove home the importance of patching bugs soon after Microsoft released the patch, because the patches themselves give malware authors clues to exactly where they should look for new vulnerabilities.
Fastest infection. Ever.
Bug identifier: MS02-039
Description: Buffer overruns in SQL Server 2000 Resolution Service could enable remote code execution
Alias: The SQL Slammer bug
Date published: July 24, 2002
While technically not an OS bug, the SQL Slammer bug deserves honorary mention due to the sheer velocity with which vulnerable systems were infected. The bug targeted Microsoft's database server. Vulnerable computers were subject to buffer overflows that, if properly crafted, could place commands into memory to cause the targeted system to execute those commands with the permissions of the database service. Patching was complicated by the fact that admins needed to run an earlier patch before they could run the MS02-039 fix. The bug affected primarily corporate server systems, but also affected home users who had MSDE (Microsoft SQL Server Desktop Engine) installed. That made a number of home users, some of whom didn't even know they had MSDE on their machines, unwitting participants in the carnage to come. Because the Slammer worm primarily targeted servers running databases, it didn't infect millions of machines. It did, however, spread rapidly -- so rapidly, in fact, that it had infected roughly 9 out of 10 vulnerable machines within 10 minutes of being released on Jan. 25, 2003. The entire worm was only 376 bytes, and fit into a single packet of data. The MS02-039 bug was "one of the biggest oversights of all time," says Steve Manzuik, senior manager of security research at Juniper Networks, "not because it was an easy or obvious bug to find -- it wasn't." "At the time of the patch, no one realized that every vulnerable SQL installation was also listening on a UDP (User Datagram Protocol) port that they could be exploited over," Manzuik explains. "Many administrators simply locked down access to the SQL TCP ports while forgetting about UDP." A postmortem by the Cooperative Association for Internet Data Analysis revealed that the worm was a model of efficiency, doubling the number of infected systems every 8.5 seconds, and flooding the Internet with so many infection attempts that routers shut down.
When restarted, so many routers attempted to update their routing tables simultaneously that normal Internet traffic simply couldn't get through the gridlock. Upshot: SQL Slammer demonstrated the power of a vulnerability that could fit within a single data packet, and brought home the lesson that a single application weakness could cause the entire Internet to grind to a standstill. And it's still out there, drifting around on a few old systems, looking for new hosts to infect.
Billy Gates, stop making money! Make malware instead.
Bug identifier: MS03-026
Description: Buffer overrun in RPC interface could allow code execution
Alias: The Blaster Worm bug
Date published: July 16, 2003
The DCOM RPC interface is a common component of NT-based Windows OSes, including NT, 2000, XP, and Server 2003. In the summer of 2003, it became the subject of intense scrutiny. As Microsoft described in the bulletin that accompanied the patch, a successful exploit only required the attacker to send a "specially formed request" to a vulnerable PC -- a bit like dangling candy in front of a ravenously hungry baby. By Aug. 11, the Blaster worm arrived, and though it spread rapidly, it was fairly easy to block with a firewall. Unfortunately, protecting home systems with firewalls wasn't common practice at the time. Home users' PCs -- connected directly to the Internet -- got whomped by the worm. When the worm's code crashed the infected computer's RPC service, the computer would display a message warning of imminent shutdown, and unceremoniously reboot itself. The worm had another message, this one to Microsoft's founder, and embedded within its code: "billy gates why do you make this possible? Stop making money and fix your software!!" But it was fixed. Or at least it would have been if people had patched their systems. At the end of the summer, Microsoft released a second set of updates in MS03-039 that blocked additional ports that attackers could use to mess with the RPC service. Upshot: We're all in better shape thanks to the wide adoption of firewalls in the home. Thanks in part to Blaster and its ilk, most broadband modems have one built in.
That sassy bug has a lot of spunk
Bug identifier: CVE-2003-0533, MS04-011
Description: Stack-based overflow in certain Active Directory service functions in LSASRV.DLL
Alias: The Sasser bug
Date published: April 13, 2004
In yet another example of ironic buffer-overflow goodness, this bug made the security subsystem of Windows the agent of evil itself. And, once again, malicious coders used Microsoft's own patch to figure out exactly where to target the OS. As Windows XP's gatekeeper, LSASS (Local Security Authority Subsystem) manages the permissions of a PC's user accounts. So when eEye -- the same company that discovered the Code Red bug -- quietly disclosed the details of this flaw to Microsoft in October 2003, it touched off six months of furious coding in Redmond that culminated in a patch that fixed 13 other Windows 98, NT, 2000, XP, and Server 2003 flaws, as well as the LSASS bug. And, within 18 days, the Sasser worm was cruising the Internet, hopping from one unpatched machine to another. The poorly coded worm wreaked havoc, shutting down networks around the world. Even though a fix was already available, many users -- in particular, corporate IT managers -- still had not applied MS04-011. By May 1, 2004, work on fixing the unintended damage caused by Sasser had become a round-the-clock operation, says then director of the Microsoft Security Response Center, Kevin Kean, with "a number of war rooms and rotating shifts" for MSRC staffers. Upshot: What was that about patching as soon as the updates are available? Lessons that should have been learned three years earlier didn't really sink in until Sasser publicly pummeled patchless PCs to pulp.
WMF: Wherein malware is foisted
Bug identifier: CVE-2005-4560, MS06-001
Description: Vulnerability in graphics-rendering engine could allow remote code execution
Alias: Windows Metafile vulnerability, aka drive-by downloads
Date published: Jan. 5, 2006
Over the winter holidays in 2005, security researchers began discussing a newly discovered vulnerability in a Windows library used by the OS to display various kinds of graphics in apps and the OS itself. The problem stemmed from a particular image file format, native to Windows since the days of Windows 3.0, called WMF (Windows Metafile). Used as the native format for storing graphics within Microsoft Office documents, support for WMF was by that point thoroughly embedded into Microsoft products. WMF files contain function calls that a program sends to the GDI (Graphics Driver Interface). Someone discovered that WMF files can contain executable code as well. This would allow you to, say, create a WMF file that, merely by being viewed, invokes Internet Explorer to visit a particular URL, download a file, and execute that file. Special. The aftermath of the discovery followed a familiar pattern. Microsoft issued a patch on Jan. 5, 2006, in record time. But for a long while, unpatched computers running vulnerable versions of gdi32.dll roamed the Internet, slurping up mountains of malware. The bug had far-reaching effects, enabling malicious code to be foisted on unsuspecting users and executed in a variety of ways: previewing an e-mail containing the malicious WMF file in Outlook; viewing an image preview in Explorer; viewing a malicious WMF in certain third-party graphics programs; indexing a hard disk that contained a malicious file; following a URL link in an e-mail, IM, or on another Web page to a site where the malicious file was embedded in the Web page. Upshot: We learned that nothing is sacred, that any file format could be considered hostile. And we also got a cool new name for an exploit method: drive-by downloads.
MDAC: The component that keeps on giving (headaches)
Bug identifier: CVE-2006-0003, MS06-014
Description: Vulnerability in MDAC (Microsoft Data Access Components) could allow code execution
Alias: MDAC RDS.Dataspace ActiveX bug
Date published: April 11, 2006
Way back in 1998, Microsoft issued a security bulletin about a component of IIS that ran under Windows NT Server called Microsoft Data Access Components. In the bulletin, MS98-004, Microsoft warned that a part of MDAC called the RDS (Remote Data Service) had a vulnerability that allowed unauthorized people to browse databases. Flash-forward eight years to the spring of 2006. Microsoft released a security bulletin about a component of MDAC called RDS, which has a vulnerability that permits malicious Web servers to perform drive-by downloads against the unpatched PCs of unsuspecting victims. Eerily familiar. In the later case, it was an ActiveX control that allowed users to connect to RDS through IE and wreak havoc. The ActiveX control doesn't behave as intended, and can be loaded and exploited if you visit the wrong Web site. Of course, by 2006, MDAC isn't just loaded on servers; you may have it on your PC. Moreover, the bad guys have changed tactics. No longer content to wait patiently for you to happen upon their malicious Web site, they spam you with links, buy ads based on Google searches, and load their pages with SEO (search engine optimization)-rich keywords. The result, however, is the same: Visit and be exploited. In fact, the bad guys are now using off-the-shelf exploit software to put malware onto your machine. A tool called MPack that's loaded on malicious Web sites can check to see what browser version you're using and what patches you have installed. Based on this analysis, it delivers the exploits that will do the most damage. More galling is that they don't even bother to hide what they're doing, naming the Web page that performs the exploit "mdac4.php." Upshot: The MDAC RDS is a complex system, with a multitude of patches available depending on which version you have installed. Manually choosing the right patch can be a complicated task. But with such a serious flaw, you can't afford to make a mistake.
Patches like these have helped push advancements in Windows Update, which scans your system and picks the right patch automatically, so you don't have to.
Mon Oct 06, 2008
Google, Yahoo delay ad deal over DOJ investigation
Google and Yahoo will further delay their controversial search-advertising deal in the face of an ongoing investigation by the U.S. Department of Justice. "When we announced our advertising agreement with Yahoo in June we agreed to delay its implementation until October to give regulators time to look at the details," Google said on Friday. "As we are still in conversation with the Department of Justice, we have agreed to a brief delay in implementing the agreement while those discussions continue."

The agreement, announced just as Microsoft's acquisition bid for Yahoo was falling apart, will let Yahoo run Google ads with Yahoo's search results and on some Yahoo sites in the U.S. and Canada. Critics have said the deal will hurt competition and lead to higher prices as Google and Yahoo hold the top two market-share positions in search. Google, which has recently stepped up its public statements in support of the deal, argues that prices will remain fair because advertisers pay based on an auction system. "Neither Google nor Yahoo set ad prices," wrote Tim Armstrong, president of advertising and commerce for Google in North America, in a recent blog post. "Ads are priced by an auction where an advertiser only bids what an ad is worth to them." Google recently launched a Web site arguing why it thinks the deal would be good for advertisers. The DOJ has confirmed that it is conducting an antitrust investigation into the partnership.
Sat Oct 04, 2008