

Update: Did Nokia pay for vulnerability information?


Nokia confirmed Thursday its widely used Series 40 operating system has security vulnerabilities that could allow stealth installation and activation of applications.

But the company is evasive on whether it paid €20,000 ($29,500) to researcher Adam Gowdiak of Security Explorations, who wanted payment for the six-month effort spent finding the flaws.


Gowdiak would not disclose if he was paid, but said that only reputable, vetted companies that pay would get the full research, which amounted to 180 pages and 14,000 lines of proof-of-concept code.

Nokia has a complete copy of Gowdiak's research, said Mark Durrant of Nokia's corporate communications.

The mobile giant's position could rekindle the debate among security professionals on whether voluntary research should be rewarded by vendors whose products are affected.

Vendors typically steer clear of paying researchers for vulnerability information and instead encourage what they term "responsible disclosure," a discreet notification to the vendor before vulnerability information is made public. Vendors also don't want to be at the mercy of vulnerability hunters, who could threaten to turn information on a flaw over to hackers.

"It would be very easy for there to be an idea that you can hold companies to ransom," Durrant said. "The reality is he [Gowdiak] has done a significant amount of research, and clearly it's understandable he wants to find a way to monetize that."

Gowdiak, a researcher in Poland, said earlier this month he had found problems with Java 2 Micro Edition (J2ME), an application framework for mobile devices, as well as the Series 40 OS. Nokia claims Series 40 is the most widely used mobile device platform.

Gowdiak has done research on the Java Virtual Machine and wrote on his Web site that he worked at one time for its developer, Sun Microsystems.

While details on the vulnerabilities are limited, Gowdiak has said an attack could be mounted by sending maliciously crafted messages to a particular phone number.

Nokia said some of its Series 40 products are vulnerable to an attack that could result in the secret installation of applications. The company said it has also found earlier versions of J2ME could allow privilege escalation or access to phone functions that should be restricted.

"Our testing has been concentrating on products that might have both of the claims present," according to a Nokia statement.

Nokia said it isn't aware of attacks against Series 40 devices, and the problems do not represent a "significant risk." Durrant said that conclusion is based on the fact the vulnerabilities are not yet public and it is difficult to execute an attack using the flaws.

"This requires deep technical skill," Durrant said. "This isn't something someone in a garage is going to be able to sort out in an afternoon. He's [Gowdiak's] clearly a smart guy."

Gowdiak said he provided Sun and Nokia on Aug. 7 with one- to two-page summaries of the vulnerabilities he found. Sun has indicated it will soon issue patches.

Gowdiak won't say if Sun paid for the full research. But Sun's intent to patch shows the company was able to use the information that "we gave to them for free," he said.

"It wasn't that we tried to demand money from Sun and Nokia," Gowdiak said. "We didn't try to blackmail them."

Thu Aug 21, 2008





Rss - Latest News

Microsoft offers service pack beta for Vista, Windows Server 2008

Microsoft this week is proceeding with an update to Windows Vista and Windows Server, making available a beta-level service pack featuring capabilities for virtualization and power savings.

The company on Tuesday began offering the Windows Vista and Windows Server 2008 SP2 (Service Pack 2) Beta release to MSDN and TechNet subscribers and will extend it to the public via TechNet on Thursday. Offering a single service pack minimizes deployment and testing complexity, Microsoft said.

Included in the service pack, according to the Windows Server Division blog, are Hyper-V bits in the release-to-manufacturing stage, meaning the bits are completed. Hyper-V is Microsoft's hypervisor-based server virtualization technology enabling multiple operating systems to run on a single physical machine. This enables workload consolidation across multiple underutilized servers onto a smaller number of machines.

Also highlighted in the service pack are changes to the power profile to yield more power savings. The service pack also addresses reliability and performance issues and supports new types of hardware. The 64-bit CPU from Via Technologies is supported and performance is improved for Wi-Fi connections after resuming from sleep mode.

"We are tracking to ship SP2 in the first half of 2009," said Justin Graham, senior product manager for Windows Server, in the blog.

With the release, Microsoft is looking for developers and IT professionals to have an early look at the technology and offer feedback. The beta is being offered via a Microsoft Customer Preview Program (CPP).

"The CPP is intended for technology enthusiasts, developers, and IT pros who would like to test Service Pack 2 in their environments and with their applications prior to final release. For most customers, our best advice would be to wait until the final release prior to installing this service pack," said Mike Nash, corporate vice president for Windows Product Management at Microsoft, in The Windows Blog on Tuesday.

"Windows Vista SP2 builds on the solid foundation of Windows Vista SP1, and represents our ongoing commitment to Windows Vista today," Nash said.



VMware releases revamped desktop software

VMware released on Tuesday VMware View 3, new software aimed at providing desktop virtualization, application virtualization, and management of virtual desktops in one product.

VMware View is a reworking of the company's VMware Desktop Infrastructure product that adds other components to solve the problem of managing virtualized desktop environments, said Raj Mallempati, a group product manager of desktop products for VMware.


VMware View is part of an initiative that VMware is calling vClient, which it unveiled at its VMworld conference in September. Mallempati said with the vClient strategy, VMware hopes to solve the "desktop dilemma" of not only virtualizing applications and desktops, but also managing and deploying those environments.

"At the end of the day, we also want to make sure we can provide end-users with a virtualized view of their desktops, applications and data," he said.

In addition to providing desktop virtualization, VMware View 3 includes View Composer, a new product that creates virtual desktops from a master image; VMware ThinApp, which simplifies application packaging and deployment to a virtual desktop environment; and Offline Desktop, which provides the ability to move virtual desktops between the datacenter and a local laptop or desktop. The product also includes Unified Access, which provides desktop administrators a single management platform for virtual desktops and applications.

VMware View 3 comes in an Enterprise Edition and a Premier Edition. The Enterprise Edition includes VMware Infrastructure Enterprise Edition, VMware View Manager 3, and Unified Access, and it costs $150 per concurrent user for a perpetual user license. The Premier Edition includes those products but adds VMware View Manager 3, VMware ThinApp, VMware View Composer, and Offline Desktop. It costs $250 per concurrent user for a perpetual license.

As virtualization of server OSes becomes more common, both VMware, which remains the leader in the virtualization software market, and other vendors are expanding their offerings to tackle the problem of virtualizing desktops and the applications that run on desktop computers.

Even though VMware remains the leader in virtualization across the board, the company has had a bumpy year in which it's faced its stiffest competition to date. Vendors such as Microsoft are building virtualization directly into their server OSes and are branching out into desktop and application virtualization. And in July, the company had a major executive shake-up, with CEO Diane Greene leaving suddenly to be replaced by former Microsoft executive Paul Maritz.



Oracle contributes data-integrity code to Linux kernel

Oracle has contributed data-integrity protection code, partly developed with the hardware vendor Emulex, to the Linux kernel, the vendors announced Tuesday.

The code helps maintain "comprehensive data integrity" as information "moves from application to database, and from [the] Linux operating system to disk storage," according to a statement. It also lowers the possibility that erroneous data will get written to disk.


The companies' effort is meant to help datacenter administrators track and address corrupted data quickly, lowering costs and downtime, said Scott McIntyre, vice president of product marketing at Emulex, in a statement.

Oracle and Emulex, which makes products for connecting servers, networks, and storage systems, are developing an early-adopter program that will help customers start working with the new features.

When a lot of information is moving through various aspects of a system very quickly, its integrity can suffer, said Redmonk analyst Stephen O'Grady. And at the same time, data integrity grows more vital as systems scale up, he added.

But improvements like the code contribution announced Tuesday are only "one piece of the puzzle," and will work in tandem with next-generation Linux file systems now under development, such as Btrfs, he said.

The Btrfs project, now available under the GPL open-source license, was first developed at Oracle.

Oracle is a key contributor, along with other large vendors, to the kernel project. The company makes money on Linux through its Unbreakable Linux support service.



Microsoft releases next wave of Windows Live services

Microsoft has released a new wave of Windows Live services that adds more social-networking qualities to its set of online services.

The company unveiled last month a plan to add Facebook-like qualities to its set of online services, which include e-mail, calendaring, instant-messaging, photo-storage, and sharing and collaboration services, among others. At the time, the company said the new services would be available to users before the end of the year.


Microsoft first revealed the Windows Live brand for its online services, along with a plan for a major overhaul and new services, in November 2005. The services are aimed at competing with Google by making Windows Live the entry point into the Web for users, which would ultimately allow Microsoft to sell more online advertising.

The new version of Windows Live services lets the people a user has designated as "friends" see the activities that user is doing in other Web applications, through Windows Live Hotmail, Windows Live Messenger, and other Live applications and services. The capabilities will be similar to the way Facebook notifies users, via e-mail or on its Web site, about what their friends have been doing in the applications they use on Facebook, a feature called the "news feed."

To provide the new "activities" feature, Microsoft has partnered with popular third-party Web sites to link their applications with Windows Live, including Flickr, iLike, LinkedIn, Yelp, Flixster, Pandora, Twitter, Photobucket, and Tripit.

In addition to updates to existing services, such as Windows Live Messenger and Windows Live Spaces, there also are several new services available to users with Tuesday's release.

They include Windows Live Groups, a service for letting teams, clubs or other groups of people collaborate and engage in online discussions; Windows Live Photos, a new photo-storage and sharing service; Windows Live Profile, a way for people to share information about themselves with more than 50 partner sites; and Windows Live People, which allows users to store and manage Windows Live contacts.

Users can access the new services online now.



Zoho releases SQL-based data-access service

Zoho, maker of an on-demand suite of business and productivity applications, announced on Tuesday CloudSQL, a new service that lets developers use the ubiquitous SQL to connect Zoho data with other cloud-based or on-premises applications.

SQL is a "pretty old" language but is also "pretty awesome," said Zoho's director of marketing, Rodrigo Vaca, in a blog post Tuesday. "It is by far one of the easiest and most efficient ways to query and interact with structured data. That's why it remains by far one of the most heavily used languages for business applications."


Cloud computing has ushered in new methods of data retrieval and storage, leading to "improved, faster, and more responsive Web applications," Vaca added. "But while there are some SQL-like approaches for cloud computing out there, they tend to be fairly limited and not as powerful as the full-blown SQL."

CloudSQL supports a wide range of SQL variants, including ANSI, Oracle, Microsoft SQL Server, IBM DB2, and MySQL.

The service "serves as the bridge between the external application and the data stored inside Zoho. It receives the query in SQL, interprets it, delegates queries and aggregates results across the Zoho services," Vaca wrote.

The company has also developed a JDBC (Java Database Connectivity) driver and is working on an ODBC (Open Database Connectivity) driver. This means developers "can just continue using SQL drivers and statements as they already regularly interact with their premises-based databases using JDBC or ODBC drivers," Zoho said in a statement.

Initially, Zoho Reports, a BI and reporting service, will support CloudSQL. Other products, such as Zoho CRM, will support it down the road.

Zoho's announcement represents an attempt to win over IT specialists who haven't been quite ready to embrace the cloud-computing model, one observer suggested Tuesday.

"CloudSQL simply represents an incremental move that will enable Zoho to grow, extending a comfort blanket to nervous DBAs seeking reasons to resist relinquishing control over their data," wrote Paul Miller, a blogger who tracks trends in cloud computing and the semantic Web.

For now, CloudSQL is available at no cost. Zoho, which is a division of the Pleasanton, Calif., company AdventNet, will monitor usage and decide whether it needs to begin charging for it, according to a representative.

CloudSQL is somewhat unusual in that it lets users connect their Zoho apps and others in a free and broadly compatible manner, instead of forcing them to use a proprietary tool that carries a price tag, said RedMonk analyst Michael Coté.

"Access to data is the key problem for all these [cloud-based applications]," he said. "That's where the lock-in is, it seems, in such offerings. Whoever controls access to the data can control pricing."