Microsoft admits it knew about, but didn't patch, bugs
Microsoft's security team acknowledged Tuesday that it knew of bugs in its Jet Database Engine as far back as 2005 but did not patch the problems because it thought it had blocked the obvious attack vector. A researcher at Symantec Corp. said Microsoft should have fixed the flaws years ago. In a post to the Microsoft Security Research Center (MSRC) blog late Monday afternoon, Mike Reavey, the MSRC's operations manager, admitted that outside researchers had notified Microsoft in 2005 and 2007 of separate bugs in Jet, a Windows component that provides data access to applications such as Microsoft Access and Visual Basic. In both cases, Microsoft had told the researchers that it would not fix the flaw because it considered users safe. Outlook blocked the MDB file format from being opened, Exchange servers stripped them from incoming e-mail, and Internet Explorer issued warnings when users clicked on such files, said Reavey in explaining Microsoft's decision. The company hadn't thought of the attack strategy now being used by hackers, however. "Everything changed with the discovery of this new attack vector that allowed an attacker to load an MDB file via opening a Microsoft Word document," he said. "The previous guidance does not work against this new attack. So that's why we alerted customers to these attacks and are re-investigating Jet parsing flaws -- this is a new attack vector discovered that we didn't know about previously." Attackers are, in fact, doing an end-run around Outlook, researchers at Symantec said last week when they released findings that prompted Microsoft to issue a security advisory warning users running Word on Windows 2000, XP, and Server 2003 SP1 to take defensive steps. One researcher said Microsoft could have done more earlier to prevent the sudden scramble for a fix. "I can't count the number of times we've seen this in the past with a Microsoft product," said Oliver Friedrichs, a director with Symantec's security response team.
"Clearly, there should have been more concern from Microsoft in the first place. There have been two vulnerabilities, one in 2005 and another in 2007, and both were left unpatched." "It does draw some concern," Friedrichs said. The MSRC is still working out how it wants to patch the vulnerability or throw up more barriers to the now-known attack through malicious Word documents. It may try to stop those documents from loading MDB files without prompting the user, or it may include a newer version of Jet -- one already plugged into Windows Vista, Windows Server 2003 SP2 and slated for Windows XP SP3 -- with any fix.
Tue Mar 25, 2008

MacBook Air: The proof's in the packing
In the two-plus months since Steve Jobs first announced the MacBook Air during January's Macworld Expo keynote, Apple's most svelte laptop has generated much debate, as well as a good deal of criticism -- much of the latter relating to Apple's decision to focus on weight and thinness at the expense of traditional features. These criticisms aren't without merit. As I noted when I first covered the MacBook Air's trade-offs, you do lose features compared to the other offerings in Apple's laptop line: an optical drive, a number of ports and expansion options, a removable battery, and processing power. For some people, the loss of these features is a deal-breaker; the MacBook Air is not for them. But back in January, I wrote that for people who value light weight and are willing to give up other features to get it, the MacBook Air is an interesting machine (yes, "interesting" is the word I chose at the time). Since writing that article, I've had the opportunity to use a MacBook Air firsthand. Specifically, I used Macworld's review unit as my only laptop for three weeks -- a span that included two six-hour plane flights bookending a week's vacation in Hawaii (and, no, the TSA didn't make me miss my flight because of the Air). I used the MacBook Air on planes, in a hotel/condo, on tables and desks, on my lap, in coffee shops, on the patio, and around the house. I carried it by itself, in various laptop bags, and packed in carry-ons. During vacation, it was our family computer, used for surfing the Web for sights and food, e-mailing friends and family back home, editing vacation photos, watching movies, doing leisure writing, and even playing a few casual games. Back home, I made an effort to use the Air for many things I'd normally do on my desktop Mac. (And, yes, I did temporarily misplace the Air under a stack of papers and periodicals; luckily, I didn't accidentally recycle it.) 
After that real-world road test, I want to amend my earlier statement: For people who value light weight, and are willing to give up other features to get it, the MacBook Air is a compelling machine. What's more, I think I underestimated the appeal of the Air as a primary computer.

Size matters ... really

My post-test impressions: In terms of everyday features, the Air's screen is brighter and better than that of the MacBook -- it's even a major step up from that of my first-generation, 1.83GHz MacBook Pro, despite the latter's larger screen size. Performance for most tasks isn't noticeably different from that of my MacBook Pro, and the Air's keyboard feels better than the one on my wife's MacBook. I've also come to the conclusion that I never want another laptop that doesn't have an ambient-light sensor and a backlit keyboard. But as you might expect, it's really the size and weight of the Air that won me over. For travel and carrying, the MacBook Air is considerably lighter and much more compact than both the MacBook Pro and the MacBook, despite the latter's similar footprint. Although 2 or 3 pounds may not seem like much, the lighter weight makes a big difference when carrying a laptop, especially when your bag also holds a bunch of other stuff. (It's difficult to appreciate how much lighter the Air is until you go back and use a MacBook Pro or MacBook; as Macworld editorial director Jason Snell recently said on Twitter, the MacBook feels "like heavy, heavy bricks" in comparison. Twitter-style hyperbole, of course, but the general sentiment is dead-on.) And while Jason found the Air's thinness to be something of a gimmick, I found it genuinely useful. Because the Air is so thin, I could fit more reading material in my carry-on, and I could fit the Air in pockets and pouches that wouldn't accept other Mac laptops. I even stuck the Air in my seat pocket during a flight -- try that with a MacBook Pro.
Feature presentation

All of which got me thinking about the widespread discussion of "features." A recent post in the Macworld forums seems representative of the feelings many people have towards the MacBook Air: Having lived with an Air for a while, I think there are a couple problems with this viewpoint. First, that it takes too narrow a view on what is and isn't a feature. Second, that it overestimates what the "average Mac user" actually needs. Features first: If you're making a spreadsheet of traditional features -- the number of ports, the processor speed, and so on -- the MacBook and MacBook Pro beat the MacBook Air handily, as do many non-Apple laptops. But as someone who's owned a PowerBook Duo, a PowerBook 2400, and even an eMate, I contend that the Air's size and weight are features as well. And for many people, size and weight are, in fact, more important features than some of the things the Air is missing: Unlike an optical drive or a removable battery, a laptop's size is in use at all times; if you carry your laptop often, a lighter computer may be more valuable to you than a DVD drive. Similarly, let's not forget that a laptop's screen, keyboard, and trackpad are things you're using whenever you're using the computer -- and the Air is superior to the MacBook, and comparable to the MacBook Pro, on all three counts. Given that context, consider the second issue I raised above: Is the Air practical for the average Mac user? Back in January, I would have said "that depends." And I still say that. But I now contend that it's practical for more people than I originally thought. Partly because I underestimated the benefits of the Air's size and weight in everyday use, but also because I think I overestimated the negative impact of the Air's "missing" features.
A different perspective

What I mean here is that I originally looked at the Air from the point of view of someone who uses many external peripherals and who has obscene amounts of hard-drive space on his desktop Mac. But I'm definitely not the typical Mac user. Consider, instead, my wife. She's a smart cookie and fairly tech-savvy. Yet she rarely uses an optical disk with her computer (a MacBook), she never connects FireWire devices, and her USB ports are used almost exclusively for transferring photos from her camera or memory cards; I don't think she's ever plugged in two USB devices at the same time. (Our printer is served up by an AirPort Base Station.) In terms of performance, her most demanding computer tasks involve editing photos. Now, given that the number of times she's ever connected a FireWire device to her MacBook is a fraction of the number of times, in a single week, she picks up her laptop and carries it, which feature do you think is more important to her: weight or ports? In my experience with Mac users, I think there are many people out there just like her. Similarly, I recently realized that when I'm on vacation, I'm much closer to a typical Mac user in terms of what I need in a computer. During our trip, we never regretted not having an optical drive; I had loaded a few movies on the hard drive. Thinking I might need more than one USB port, I packed Moshi's Cardette card reader, which includes a two-port hub; we never used the additional port. (Although the card reader did raise one criticism of the Air's design: its USB port can be a hassle to get to when the computer is sitting on a desk or table.) And performance was never an issue; the Air handled our tasks with ease. Meanwhile, the Air's battery life was exceptional, the screen was large and bright enough to watch movies, and it was trivial to travel with. It was a near-ideal combination of capability and carry-ability for us.
Or, to put it more simply: Over the three weeks I used the Air, the thing I noticed the most was not a lack of ports or storage, or poor performance. What I noticed the most -- overwhelmingly so -- was that the Air was a joy to carry and use.

The wider appeal of thin

Now, don't get me wrong: The Air isn't for everyone. But as long as lightweight/compact laptops are exercises in compromise, each user must weigh those compromises against his or her own needs and don't-needs. And when you look at the Air this way -- considering features in the context of particular users -- I think the Air's appeal is wider than I had originally estimated. It's a great computer for hard-core road warriors, and it's a great second computer. But it also performs -- well -- the everyday tasks of many computer users. For some of these people, the Air will be more practical than Apple's other laptops simply because of its smaller size and lighter weight. To wit: I know a good number of non-techie people who've purchased the Air simply because it does everything they need in a package that's smaller, lighter, and more convenient for their around-the-house-and-down-to-the-coffee-shop laptop life. As for me, our family's new MacBook Air arrived last week.
Tue Mar 25, 2008

Likewise opens Windows networks to Linux, Macs
Much has been said about the evils of vendor lock-in. The reality is that there are definite advantages to being a "Windows shop," particularly in terms of manageability and unified IT support. We like the idea of introducing Linux or Mac OS X into our companies, but it isn't always so easy in practice. That's beginning to change, however, thanks in part to the efforts of Likewise Software. Likewise Open Spring '08, released today, is the latest version of a product that allows Linux, Mac OS X, and other Unix systems to authenticate against Microsoft Active Directory servers. This makes it possible for network administrators to manage Unix systems the same way they do Windows clients. And the best part is that the software is free. Active Directory integration allows IT managers to add and delete user accounts, manage passwords, and set up user permissions from a central console, reducing the time and resources needed to manage a corporate network. This in turn makes it easier to log and audit user activity, which can be essential for compliance with Sarbanes-Oxley and other regulations. Likewise (nee Centeris) has provided these capabilities for Unix systems since 2005, but it wasn't until December 2007 that it released the code for its core product as an open source project. With the Spring '08 release, Likewise Open is available as a free download for more than 110 Linux, Unix, and Mac platforms. The software will be bundled with the forthcoming Ubuntu 8.04 desktop Linux distribution, due to arrive in April, and you can expect to see it included in future releases from Novell and Red Hat. Users of Mac OS X and other platforms can download it from Likewise's Web site. The free version doesn't give you everything. If you need group policy management, user migration tools, compliance reporting software, or snap-ins for Microsoft Management Console, you'll need to purchase the Likewise Enterprise edition. 
And, as usual, proper commercial support is available for a fee. Still, the release of this technology as an open source project is a big deal. When any Linux, Unix, or Mac OS X system can integrate with Active Directory for free, one of the nagging hurdles to business adoption of non-Windows operating systems has effectively been eliminated. The question is: Has Microsoft matured enough in its attitudes that it can see this as a good thing? Or, given Microsoft's tight control of its technologies and protocols, are Linux's newfound capabilities destined to be short-lived?
Tue Mar 25, 2008

Analysts: Mozilla's Safari outrage 'much ado about nothing'
Apple's decision to push the latest version of Safari to Windows users through a software update application on XP and Vista may have drawn the scorn of Mozilla's CEO. But industry analysts say there's nothing unusual about the practice. "It's much ado about nothing," said Michael Gartenberg, vice president and research director at JupiterResearch. The controversy flared up late last week with the release of Safari 3.1. Windows users began noting that Apple was posting the updated browser as a download in the Apple Software Update utility, which is packaged with the Windows version of iTunes and QuickTime. Mozilla CEO John Lilly decried the move, saying that the practice of offering a new piece of software that users didn't ask for and checking that update by default "is wrong, and borders on malware distribution practices." Mozilla develops the rival Firefox Web browser. Apple's move "undermines the trust relationship great companies have with their customers, and that's bad -- not just for Apple, but for the security of the whole Web," Lilly wrote on his blog. However, industry analysts that track browser developers like Apple and Internet Explorer maker Microsoft don't share that assessment. "It's hardly a stealth installation or sneaky," Ross Rubin, director of analysis at market research firm NPD, told Macworld. "It's an option that shows up, and consumers can clearly decide whether they want to install it. It's something that can be positioned as complementary to the other software Apple already has on the machine, such as iTunes, that likely uses the same rendering engine as Safari." Analysts also point out that Apple has made no secret of its plans to push Safari in this manner. When he announced the Windows version of the Web browser at last June's Worldwide Developer Conference, Apple CEO Steve Jobs said that the company planned to leverage its ties to Windows-based iTunes users to distribute Safari.
"This should come as a surprise to nobody because Apple said they were going to use this mechanism to distribute Safari," JupiterResearch's Gartenberg said. Analysts also note that Microsoft follows a similar practice with its automatic updater. In fact, Microsoft has been steering people away from using "Windows Update" in favor of the more robust "Microsoft Update," which also checks a user's PC for Office updates and other Microsoft software. The update mechanism also offers options for new software or capabilities that were not on the PC. "It's a little disingenuous of Mozilla because Firefox is a self-updating application," said Gartenberg, noting that when he turned on his computer recently there was an update for Firefox that he hadn't asked for. "Now you're talking about degrees." So what's behind Mozilla's complaints about the way Apple is distributing its Safari updates to Windows users? Bloggers have suggested that the dispute could be rooted in the Google search tool found on both Safari and Firefox. The search tool reportedly generates revenue for both browser makers, and if Firefox starts losing market share to Safari, that would mean less revenue for Mozilla. Rubin noted that Mozilla had always been supportive of Safari under the rationale that having more standards-compliant Web browsers is good for the Web, and it pressured Microsoft to be more standards-compliant itself. However, that attitude may have changed once Safari stopped being a Mac-only browser and threatened to take away some of Firefox's Windows users. "If I were the Mozilla guys, I'd be concerned too," Gartenberg said. "Safari offers a great browsing experience. It may be a bit of sour grapes from the Mozilla guys."
Tue Mar 25, 2008

Red Hat: Open source benefits from U.S. unpopularity
The unpopularity of the United States has IT users in foreign countries happy to use open-source software, Red Hat President/CEO Jim Whitehurst said at the InfoWorld Open Source Business Conference in San Francisco on Tuesday. This way, they do not have to pay "intellectual property taxes" to American companies, he said. Outside the United States, open source is seen from a public policy perspective as a fundamental good, Whitehurst said. "I never thought I would say this but actually, being very unpopular in the world, as frankly the U.S. is these days, is a huge benefit to open source," because people are resentful of sending billions of dollars back to the U.S. in IP taxes, Whitehurst said. They also do not want to pay it to Western Europe, he said. Whitehurst said he has met with government officials in countries like Russia and China. Moving to a model not shackled by U.S. IP laws is extraordinary, he said. But an audience member asked if Red Hat, when meeting with officials in countries not wanting to pay American companies, urges them to follow the GNU GPL (General Public License) and share code. "There is a ton of GPL violations going on," the audience member said. Whitehurst responded he did not see some deep conspiracy over this issue but stressed the relative newness of the problem. "Absolutely it's an issue we need to watch and to manage," he said. Whitehurst also discussed Red Hat's business model, which relies on subscriptions and support. "Fundamentally, our business model is to create enterprise editions of open source projects," he said. "We have created an enterprise version of Linux that you can sleep on [at] night knowing that it does not go down," he said. Open source also means having to work every day to keep customers happy, Whitehurst said. More needs to be done to get enterprises involved in the open-source community, Whitehurst said.
"We do a lousy job of getting enterprises involved in the community," he said. Whitehurst said Red Hat has an 80-plus percent share in Linux with a little more than $500 million in revenues. "The dollars in open source relative to what we do are relatively small," he said. Also at the conference Tuesday, officials from several open-source ventures, serving on a panel about the future of open source, contended that a turbulent economy was good for open source. "I do think it's going to be good," said Roger Burkhardt, president and CEO of Ingres. "The question is when will the benefits come." But resulting IT staff layoffs during economic downtimes mean fewer people are able to start an incremental project, he said. MySQL's Zack Urlocker, vice president of products, countered that project teams without a budget will just find open-source software to get their projects going. "Sometimes the CIOs or CEOs just aren't even aware of it," he said. Belt-tightening will be good for innovation and particularly for open source, said Mark Shuttleworth, founder of Ubuntu. "I think the absence of money is the biggest spur to innovation than the presence of money," he said. Open-source attributes were pointed out, such as lower acquisition and maintenance costs, freedom from vendor lock-in, and access to community developed customizations. The use of open source is becoming a first option, according to Shuttleworth. "I think we're pretty close to the point where proprietary software has to be justified instead of the other way around," he said. During an introduction to the conference, Matt Asay, vice president of development at Alfresco, pointed out that roughly $2 billion has been invested in open-source software since 2000 and in one year, it has all been given back through acquisitions like Sun's $1 billion acquisition of MySQL. Open source has moved beyond CRM and content management systems, Asay said. "Can open source innovate?
I think the answer is demonstrably yes," he said. At another panel session on the future of the operating system, Google's computing model, in which everything is hosted on the Internet and accessed via a thin-client browser, was questioned by an Intel official. "The Google model really scares me," said Dirk Hohndel, chief Linux and open-source technologist at Intel. The model gives a third party control of data, which cannot be accessed on an airplane, he noted. Sun's James Hughes, chief technologist for Solaris, said very large companies are looking at outsourcing their applications to Google but he has not seen it actually happen. "I don't see anybody doing it, but maybe they will," he said. Hughes also pointed out differences between Solaris and Linux, which are vying in the open source OS space. "There's more than one OS out there, and if Solaris strives to be Linux, why bother," Hughes said. Solaris is differentiated by features like DTrace, for dynamic tracing, he said. "In general, I don't see it as Unix versus Linux versus whatever. We've gone to a model of open source," Hughes said. Solaris, though, has had a challenge because it underwent 20 years of closed-source development before going the open-source route, he said.
Tue Mar 25, 2008