Like some of you (many of you?), I read TechCrunch from time to time.
Not religiously, mind you, since it usually doesn't cover anything that is relevant to me, and rarely covers anything truly important or interesting to me. This is not a flaw in them; they just don't have me in their target demographic.
Additionally, I tend to skip the posts by MG Siegler.
I mean I don't hate the man, I can't. I don't even know him.
But one has naught but to read 10-15 random posts of his to conclude that if iPhones and iPads were personally programmed by Steve Jobs to have their antennas electrocute every member of MG's family and all of MG's friends, that MG would have some kind of pro-Apple spin on the matter. It just doesn't feel to me like anything approaching journalism, which seems (to me) to conflict a bit with TechCrunch's stated purposes.
Now I am not a member of the I Hate MG Siegler Facebook group or anything like that, but skipping his posts in most cases just seems like better time management.
But in his hilarious Decoding Microsoft’s Fantastic Passive-Aggressive Numbers Post that a colleague pointed me to, there was a fun line I really liked:
24%: Linux Server market share in 2005.
33%: Predicted Linux Server market share for 2007 (made in 2005).
21.2%: Actual Linux Server market share, Q4 2009.
What he really means: Remember when everyone was saying Linux was going to take over the market? They’re going the wrong way.
Now the part that caught my eye was not the full quote, it was that last bit.
The They're going the wrong way bit.
I thought of it when someone pointed out to me the Plan for multilingual sites (SharePoint Server 2010) article on TechNet, published on May 12, 2010.
In particular, this note:
| Although Microsoft Office SharePoint Server 2007 supported internationalized domain names (IDNs), SharePoint Server 2010 does not. If you currently use IDNs with Office SharePoint Server 2007 and you plan to upgrade or migrate to SharePoint Server 2010, you must stop using IDNs, delete any IDN settings, and set up a non-IDN environment before you upgrade or migrate to SharePoint Server 2010. |
Um.
Now it turns out the reason for this is that in SharePoint 2010 they made an explicit move to use WCF (the Windows Communication Foundation).
And although WCF is
a part of the .NET Framework that provides a unified programming model for rapidly building service-oriented applications that communicate across the web and the enterprise
it turns out that perhaps one of the ways it was allowing such a rapid method for doing all that work was by not supporting International Domain Names.
Oops.
Amazing how rapid one can be when one sticks to ASCII!
Now I look forward to some point in the future where I can excitedly point out that WCF is on the right track, and that SharePoint is back on the right track. I really am.
But for now, unlike MG Siegler, I am not a fanboy of the company at the center of my professional life (Microsoft, in my case; Apple in his). And because of this, I call bugs BUGS, mistakes MISTAKES, and design flaws DESIGN FLAWS. It is how I believe things can be made better (and people who read here can be made aware of problems in the meantime). Whatever credibility I have rests on my honesty, in this regard. And I take that pretty seriously.
With all that in mind....
You know how WCF can help one to "...communicate across the web and the enterprise" ?
Well, make sure not to put "world wide" in front of the word "web" here, at least for the moment. Because every day from now until they fix this flaw in their design, there will be more and more sites created, built, and promulgated that cannot use WCF. Or the latest version of SharePoint.
Because (unlike most of the rest of Microsoft), They're going the wrong way.
This post is part of an ongoing series of Rangers introductions. See An index to all Rangers covered on this blog for more details.
Who are you?
Marcel de Vries, Technology Manager Microsoft Application Development at Info Support in the Netherlands. I work as an IT Architect Consultant for mainly financial enterprises like banks, insurance companies, etc. I am responsible for the Info Support Software Factory Endeavour that helps us and our customers be more effective in the delivery of administrative applications based on a SOA architecture. I am married and have two kids of the age 7 and 9.
What makes you “tick”?
I have a constant hunger for new and cutting-edge technology. Constantly learning new stuff and passing on what I have learned to others is what I am passionate about. I am also a team guy; I want to discuss with other people how they think we can make things work and get inspired by ideas. Tell them my ideas, get feedback and improve the initial thoughts. Constant improvement is what I am striving for.
Where you live
In Warnsveld, Netherlands
Where is the place you call home?
The same where I live :)
Why are you active in the Rangers program?
To share knowledge about early technology. In my job I am often involved in TAP programs with Microsoft, and that, combined with my work as architect for our software factory and consultancy, gives me lots of insight into how we can start using the tools and products Microsoft builds. Besides the constant feedback you try to give during a TAP program to improve the outcome of the product that will ship, you gain very early knowledge on how the product works, what works great, what works but has rough edges, and what you should avoid, since you know it is an area the product will improve in the future and it is dangerous to make a lot of investments in it in the current release. I have burned my hands many times in this respect and I want to help the broad community keep away from places you might get burned and help use the products where they provide the most value.
What is the best Rangers project you worked in and why?
Visual Studio 2010 Architecture Guidance, since I feel the tools have a lot of potential, but I see people struggle a lot using them the first time. I get lots of questions about how they can make them work in such a way that they actually leverage them in larger-scale projects rather than in your average “Hello World” test project. We were able to give the customers guidance on the strong points of the tools, help them arrange the models in such a way that they scale well in large solutions, and even work on models concurrently, avoiding collisions and potential issues. We also tried to give guidance on how to get from a blank sheet of paper, in a step-by-step pattern, to the correct input and translations to the actual implementation of the solution and verification of the product against the architecture. This now enables a constant feedback cycle on architecture, so we are able to not only think of architecture when we start, but make it a constant improvement cycle during the lifecycle of the product. I think that provides great value to many customers and links directly to the question above on what makes me tick as well :)
The Team Software Process Body of Knowledge (TSP BOK) was drafted to define the fundamental knowledge and skills that set TSP-trained individuals apart from other software professionals. It helps individual practitioners to assess and improve their own skills, provides employers with an objective baseline for assessing the process improvement skills and capabilities of their development team members, and guides academic institutions that want to incorporate TSP into their software and other engineering courses or curricula. The TSP BOK also facilitates the development of TSP certification programs that are based on a well-established standard set of knowledge and skills.
Source: http://www.sei.cmu.edu/library/abstracts/reports/10tr020.cfm
The issue that occurs when installing the Reporting Extensions in a Windows Server 2008 R2 environment, and its fix, are described at the following site:
AX 2009 Setup fails to install IIS Components on Windows Server 2008 R2
http://blogs.msdn.com/b/emeadaxsupport/archive/2010/01/11/ax-2009-setup-fails-to-install-iis-components-on-windows-server-2008-r2.aspx
(Fix)
ServerManagerCmdInputIIS.xml is located under the Support folder of the AX 2009 installation folder.
Open ServerManagerCmdInputIIS.xml and change it as follows.
(Before)
<Feature Id="NET-XPS-Viewer" />
(After)
<Feature Id="XPS-Viewer" />
The issue in which an error occurs when installing AX 2009 on Windows 7, and its fix, are described at the following site:
HotTopic: Not able to install Dynamics AX 2009 on a Windows 7 workstation
(Fix)
1. Uninstall Microsoft .NET Framework 4 Client Profile, then install the AX 2009 client. Afterwards, apply KB982670.
or
2. Install Microsoft .NET Framework 4, then install the AX 2009 client.
Let me remind you that the goal of this exercise is to build a tool that helps me test parts of the compiler. For testing binary trees, as we saw, we can generate every tree of one, two, three, and so on elements. This mechanism has useful properties. First, we know that we consider every binary tree without exception, and any particular tree will sooner or later be produced. Second, we are guaranteed to get the smaller trees first; if the algorithm works for all trees of size 5 and below, then it works for all trees. And third, under no circumstances will the algorithm run forever; we need not worry about infinite loops. We do need to worry about combinatorial explosion, since there are a great many trees, but each tree can be produced in finite time. It would be nice to get similar capabilities for code that generated every expression of a particular grammar.
The obvious brute-force solution to this problem is to build a parser for the grammar. That is, generate all strings of one element, parse each one, and discard the strings that cannot be parsed correctly. Then generate all possible strings of two elements, and so on. The drawback of this approach is that to generate, say, the string class c : b { }, even if you restrict yourself to lowercase alphabetic characters, spaces and punctuation, you would have to generate and parse around a trillion trillion strings, most of which would not be programs, for example aaaaaaaaaaaa},c. This method is far too slow.
A more sensible approach would be to generate all strings consisting of one terminal symbol, parse them, discard the incorrect ones, generate all strings of two terminal symbols, and so on. That is, start by parsing a, class, { and so on. This path is considerably better; it would take only about a million steps to reach class c : b { }. But it is still too slow, and besides, we would have to write a parser. It would be far better not to generate incorrect programs at all.
What if we had a way to say "generate all correct programs with one terminal symbol; good, now generate me all programs with two terminal symbols", and so on? That is, don't create candidates and then check them, just create all the correct candidates. That would work. But how do we do it?
Let's return to our first problem: generating strings for all possible binary trees. The grammar for that language was the following:
T: x | ( T T )
We can use the same mechanism we used before! Remember, before generating all binary trees of four elements, we said that those trees look like this:
{all binary trees of size 0} followed by {all binary trees of size 3}
{all binary trees of size 1} followed by {all binary trees of size 2}
and so on. That is, all string representations of binary trees of, say, eight terminal symbols are:
( {all strings with 0 terminal symbols} {all strings with 6 terminal symbols} )
( {all strings with 1 terminal symbol} {all strings with 5 terminal symbols} )
and so on. That is, we take two terminal symbols for the surrounding parentheses, and then find all the combinations that add up to six more terminal symbols inside the parentheses. We are clearly reducing a problem of size k to several problems of size smaller than k-1, so this is a great way to solve it recursively. Right?
Next time: Am I right, or have I made a logical error somewhere?
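As an added example (not code from the original post), here is the scheme above in JavaScript for the grammar T: x | ( T T ): it produces every string with exactly n terminal symbols by splitting the budget left inside the parentheses between the two subtrees, and a small recursive-descent parser confirms that nothing invalid is ever produced. The function names are my own.

```javascript
// Added example: enumerate every string of the grammar  T: x | ( T T )
// that has exactly n terminal symbols ("x", "(" and ")" each count as one).
// The two parentheses cost two terminals; the remainder is split between the
// left and right subtrees, each of which needs at least one terminal.

const cache = new Map(); // n -> array of all strings with exactly n terminals

function treesWithTerminals(n) {
  if (cache.has(n)) return cache.get(n);
  const out = [];
  if (n === 1) {
    out.push("x"); // the only tree with a single terminal
  } else if (n >= 4) {
    const inner = n - 2; // budget left after spending "(" and ")"
    for (let left = 1; left < inner; left++) {
      const right = inner - left; // both sides are strictly smaller than n
      for (const l of treesWithTerminals(left)) {
        for (const r of treesWithTerminals(right)) {
          out.push("(" + l + r + ")");
        }
      }
    }
  }
  // Sizes 2 and 3 (and every size not of the form 3k-2) yield nothing.
  cache.set(n, out);
  return out;
}

// All trees up to a size bound, smallest sizes first (the second property
// from the text: if something works for every small tree, we saw it first).
function allTreesUpTo(maxTerminals) {
  const out = [];
  for (let n = 1; n <= maxTerminals; n++) out.push(...treesWithTerminals(n));
  return out;
}

// Recursive-descent parser for the same grammar; true iff s is exactly one T.
// Used only to check the generator, since the point is that every generated
// string is already a valid program and no parse-and-discard step is needed.
function parsesAsTree(s) {
  let i = 0;
  function T() {
    if (s[i] === "x") { i++; return true; }
    if (s[i] === "(") {
      i++;
      return T() && T() && s[i++] === ")";
    }
    return false;
  }
  return T() && i === s.length;
}
```

The counts for 1, 4, 7, 10 and 13 terminals are 1, 1, 2, 5 and 14, the Catalan numbers, which is a quick sanity check that no tree is missed or duplicated.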
Menu: Tools -> Customize
Command: Tools.Customize
Versions: 2008
Published: 7/31/2010
Code: vstipEnv0033
You can customize any toolbar in Visual Studio 2008. Just click on the drop-down to the right of any toolbar then click on "Add or Remove Buttons" and choose "Customize":
Alternatively, you can go to Tools -> Customize on the Menu Bar:
Whichever option you choose, you will get the Customize Dialog:
In this case we are going to look at the Commands Tab:
The best way to learn how to customize menus and toolbars is to do an example. In this case, we want to add the ability to select some code then RIGHT CLICK and comment or uncomment the code.
First, we have to go back to the Toolbars Tab and pick the menu or toolbar you want to modify. For our example, we will choose the Context Menus:
Now we click on the Commands Tab and locate the items we want to add. In this case, we dig a bit and find "Selection Comment" and "Selection Uncomment" on in the Edit section:
Now we have to see which menu we want to modify. Click on the Editor Context Menus -> Code Window to see where we want our items to go:
Now CLICK AND DRAG your items where you want them on the menu:
If you want, you can click on the Modify Selection button to reset, delete, modify the name, modify the button image, change the way the item is displayed, or begin a new group:
We would like the new buttons to be in their own group so click on the item just BELOW where we want our group to be:
Now choose "Begin a Group" from the Modify Selection button to get a new group line:
That's it! Close the Customize dialog then select some code and RIGHT CLICK to see if your items show up:
Enjoy!
Up to now we have mostly talked about improving JavaScript performance in Internet Explorer 9, and said almost nothing about new or changed language features in the "Chakra" engine. Now, with the release of the third Platform Preview, we can tell you about the new JavaScript capabilities that you can try for yourself.
As background, the industry standard that defines the JavaScript language is ECMA-262: ECMAScript Language Specification, developed and published by Ecma International. Last year marked ten years since the third edition of ECMA-262 was introduced in December 1999. In December 2009 Ecma approved the fifth edition of ECMA-262, the successor to the third edition (a fourth edition was never published), and that same year we delivered partial support for ECMAScript 5 (ES5) by adding JSON support to IE8. Beyond JSON, however, ES5 standardizes many important extensions to the JavaScript language.
Many important ES5 capabilities have been added to the IE9 Standards document mode:
New array methods. Nine new methods for working with arrays have been added. Two of them, indexOf and lastIndexOf, support searching for a particular value in an array. They are essentially similar to the same-named functions that operate on strings. The other seven array methods let you manipulate arrays in a functional programming style. For example, the code fragment below uses the new filter method to collect the array elements that satisfy a particular condition:
// function that checks whether a menu item object is enabled or disabled
function enabled(menuItem) {return menuItem.status==="enabled"};
// Assume that individual menu items have a status property and
// that the menu object has an items property, which is an array.
// Create a new array containing only the enabled menu items
var enabledItems=myMenu.items.filter(enabled);
These methods support various kinds of array processing without explicitly coding loops. In addition, all of the methods are generic, meaning they can be applied to any object with numbered properties, not just objects created with the Array constructor. You can see a demo that uses these methods on the IE9 Test Drive site. They are also summarized in the table below:

| Array method | Description |
| --- | --- |
| indexOf | Searches for the first occurrence of a given value in an array. |
| lastIndexOf | Searches for the last occurrence of a given value in an array. |
| forEach | Applies a function to each element of an array. |
| every | Determines whether a given condition is true for all elements of an array. |
| some | Determines whether a given condition is true for at least one element of an array. |
| map | Applies a function to each element of an array and creates a new array of the corresponding results. |
| filter | Collects into a new array every element of an array for which a given condition is true. |
| reduce | Accumulates a single value based on all elements of an array. |
| reduceRight | Accumulates a single value based on all elements of an array, processing them in reverse order. |
Enhanced object model. The most important capability in this area is accessor properties. They are sometimes also called "getter/setter" properties, because they let JavaScript programmers control what happens when a program gets or sets a property's value. The ES5 enhanced object model also lets programmers control whether individual properties can change their values or are enumerated by for…in statements, and whether properties can be deleted or redefined. It also lets the programmer control whether new properties can be added to an object. ES5 also makes it easier for JavaScript programmers to create objects that inherit from a particular prototype object, and to inspect and manipulate an object's property definitions. All of these enhanced object model capabilities are accessed through new function properties of the Object constructor. Note, however, that the current IE9 Platform Preview release does not fully support the use of these methods with DOM objects.
| Object function | Description |
| --- | --- |
| Object.defineProperty | Creates or modifies a property definition. The property can be defined as either a data property or an accessor property, and its writable, enumerable and configurable attributes can be set. |
| Object.defineProperties | Creates or modifies several property definitions in one operation. |
| Object.create | Creates a new object with a given prototype and, optionally, a set of defined properties. |
| Object.getPrototypeOf | Retrieves the prototype of the argument object. |
| Object.getOwnPropertyDescriptor | Returns a complete description of the attributes of an object property. |
| Object.getOwnPropertyNames | Returns an array containing the names of all of the object's own (non-inherited) properties. |
| Object.keys | Returns an array containing the names of all of the object's own properties that would be enumerated by a for…in statement. |
| Object.seal | Prevents adding any additional properties to the argument object and prevents deleting or redefining any existing properties. Individual property values can still be changed if their writable attribute is set. |
| Object.freeze | Prevents adding any additional properties to the argument object and prevents deleting or redefining any existing properties. In addition, the values of existing properties cannot be changed. |
| Object.isSealed | Tests whether an object has been sealed with Object.seal. |
| Object.isFrozen | Tests whether an object has been frozen with Object.freeze. |
| Object.preventExtensions | Prevents adding any additional properties to an object. |
| Object.isExtensible | Tests whether new properties can be added to an object. |
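An added example (not code from the original post) that uses the object-model functions from the table above to lock down a configuration record: an accessor property validates every write, a hidden read-only data property is excluded from Object.keys but not from Object.getOwnPropertyNames, and the sealed object rejects additions and deletions. The names makeSecurityConfig, probe and frozenProbe are my own. It also shows one caveat worth knowing: Object.isFrozen reports true for an object whose only mutable state sits behind an accessor, so "frozen" does not mean "immutable" when setters reach into closure state.

```javascript
// Added example: locking down a configuration record with ES5 object-model
// functions. ALLOWED_LEVELS is a constructed allow-list for the demo.
const ALLOWED_LEVELS = ["none", "basic", "strict"];

function makeSecurityConfig(initialLevel) {
  const cfg = {};
  let level = "none"; // real state lives in the closure, not on the object

  // Accessor property: every write is validated against the allow-list.
  Object.defineProperty(cfg, "level", {
    get: function () { return level; },
    set: function (v) {
      if (ALLOWED_LEVELS.indexOf(v) === -1) {
        throw new RangeError("unsupported level: " + v);
      }
      level = v;
    },
    enumerable: true,
    configurable: false
  });

  // Non-enumerable, read-only, non-configurable data property: listed by
  // getOwnPropertyNames, skipped by Object.keys and for...in, never rewritten.
  Object.defineProperty(cfg, "schemaVersion", {
    value: 1, writable: false, enumerable: false, configurable: false
  });

  cfg.level = initialLevel; // goes through the validating setter
  // seal: no new properties, no deletion or redefinition of existing ones.
  return Object.seal(cfg);
}

// Attempts each kind of mutation and records what happened, so the behaviour
// can be asserted rather than only printed. Strict mode is enabled inside the
// function so that rejected writes throw TypeError instead of failing silently.
function probe(cfg) {
  "use strict";
  const r = {};
  try { cfg.level = "strict"; r.validSet = cfg.level; } catch (e) { r.validSet = e.name; }
  try { cfg.level = "turbo"; r.invalidSet = cfg.level; } catch (e) { r.invalidSet = e.name; }
  try { cfg.extra = true; r.addProp = "added"; } catch (e) { r.addProp = e.name; }
  try { delete cfg.level; r.deleteProp = "deleted"; } catch (e) { r.deleteProp = e.name; }
  try { cfg.schemaVersion = 2; r.readOnly = "changed"; } catch (e) { r.readOnly = e.name; }
  r.keys = Object.keys(cfg);
  r.ownNames = Object.getOwnPropertyNames(cfg).sort();
  r.sealed = Object.isSealed(cfg);
  // Caveat: true, because the accessor is non-configurable and the only data
  // property is non-writable; the setter can still change closure state.
  r.frozen = Object.isFrozen(cfg);
  return r;
}

// Plain data object under Object.freeze: values cannot change at all.
function frozenProbe() {
  "use strict";
  const rec = Object.freeze({ user: "alice", role: "reader" }); // constructed sample
  const r = {};
  try { rec.role = "admin"; r.write = rec.role; } catch (e) { r.write = e.name; }
  r.frozen = Object.isFrozen(rec);
  r.sealed = Object.isSealed(rec); // a frozen object is also sealed
  r.extensible = Object.isExtensible(rec);
  return r;
}
```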
Other computational methods and functions. In addition to the new array and object methods, ES5 adds or extends several other methods that perform useful computational operations.

| Method or function | Description |
| --- | --- |
| String trim | Removes whitespace from the beginning and end of a string. |
| Date toISOString | Converts a Date to a string format that all ES5 implementations must support. |
| Date.parse | Existing function extended to recognize the format produced by toISOString. |
| Date.now | Returns the current time value as a number. |
| Array.isArray | Reliably tests whether an object is an array. |
| Function bind | Fixes the values of some of a function's arguments. |

ES5 also contains a number of other minor changes and technical corrections to the language. Many of them will not affect most programmers, since they simply standardize capabilities that browsers have always supported. One example is line continuations within string literals. Another small change is more interesting: reserved words such as if, super and public can now be used as property names in object literals and in dot-style property access. Thanks to this change, programmers no longer have to worry about long and arbitrary lists of words they could not use as property names.
“Same script, same markup”
The JavaScript update in IE9 is not limited to supporting new ES5 features. It also includes an effort to ensure that developers can use in IE9 the same markup and the same scripts they use in other browsers. Earlier this year we published documents describing in detail the differences between the IE8 JavaScript implementation and the third edition of the ECMAScript specification. In developing IE9 Standards mode we paid particular attention to these differences and made changes that allow IE9 to run the same scripts that other browsers run.
Problem fixed: Function expressions were treated as if they were function declarations
Example:
function f() {alert("declaration")};
obj.callback=function f() {alert("expression")};
f(); // IE8 incorrectly displays "expression"

Problem fixed: The name of a function expression was not locally bound within the function body
Example:
var fact="the web is big";
Math.factorial=function fact(n) {return n<=1?1:n*fact(n-1)};
alert(Math.factorial(9)); // IE8 throws an exception

Problem fixed: The parameter of a catch clause was visible in the enclosing scope
Example:
var e = "outer";
try {throw "inner"} catch(e) {};
alert(e); // IE8 incorrectly displays "inner"

Problem fixed: In many cases the runtime exception thrown differed from the one specified by the standard
Example:
var obj; // the value of obj is undefined
try {alert(obj.prop)}
catch (e) {
  if (e instanceof TypeError) alert("correct")
  else if (e instanceof ReferenceError) alert("IE8 wrong")
}

Problem fixed: A trailing comma in an array literal was added to the array length
Example:
var len = [1,2,3,].length;
alert(len); // should be 3, IE8 displays 4

Problem fixed: Empty elements in array literals did not produce a sparse array
Example:
var a=[0,,2,,4];
alert(a.hasOwnProperty(1)); // IE8 incorrectly returns true

Problem fixed: The dontenum attribute was inherited by own properties
Example:
var obj={valueOf:0, toString:1,foo:2};
var n=0;
for (var p in obj) n++;
alert(n); // IE8 displays 1, should be 3

Problem fixed: \v was not recognized as the escape sequence for the non-printing vertical tab character
Example:
alert("\v"==="v"); // IE8 displays true, should be false
alert("\v"==="\u000b"); // IE8 returns false, should be true

Problem fixed: The global object did not inherit from Object.prototype
Example:
alert(hasOwnProperty===undefined);
// IE8 incorrectly displays true, should be false

Problem fixed: Capture groups in regular expressions that did not match a substring produced an empty string instead of undefined
Example:
var x=/((a)|(ab))((c)|(bc))/.exec("abc");
// x should be:
// ["abc","a","a",undefined, "bc",undefined, "bc"]
// IE8 displays: ["abc","a","a","","bc","","bc"]

Problem fixed: toFixed rounded some ranges of values incorrectly
Example:
alert((0.09).toFixed(1)); // should display 0.1
// IE8 displays 0.0
“Using the same scripts” is not only about how scripts run in Internet Explorer. It also includes an effort to ensure that scripts you develop and test in IE will also work in any other standards-compliant browser your users may use. One problem that can hinder this goal is features supported only in IE and absent from other browsers. If such a feature is not fundamentally important to browser functionality, has no unique value, is implemented in one single browser and apparently will not become part of a web standard, then it is a compatibility hazard. If you inadvertently use such a feature in a script, users will not be able to use it in other browsers.
The Internet Explorer JavaScript implementation has historically had several features in this category, which we decided to exclude from IE9 Standards mode. These are mostly features that were added as extensions during the early stages of IE development. However, they were not adopted by other browsers, and today it is clear that they will never be included in the ECMAScript standard.
The first feature in this category is the ability to add a semicolon after any block of code. For example, IE allowed "if" statements composed as follows:
if (conditionMet) {performTrueAlternative()};
else {performFalseAlternative()};
Note the semicolon at the end of the first line. The ECMAScript standard has never allowed a semicolon in that position. If you try to load a script containing this code in any browser other than IE, a syntax error will be detected and the script will not load. This feature was originally added out of a desire to be extremely lenient about what IE could execute, including skipping over some syntax errors. Unfortunately, the desire to be lenient leads to compatibility problems when the script runs in other browsers. In such cases it is better for an error message to be displayed and for the script developer to fix it.
IE also has a number of extensions to function declaration syntax. One extension lets a function declaration directly define a method property of an object. For example:
function String.prototype.firstChar() {return this.substring(0,1)};
means the same as
String.prototype.firstChar = function (){return this.substring(0,1)};
Another extension allowed a function declaration to define several names for the function. For example, the code
function declaration,dcl() {return processDeclaration()};
defines both a short and a long name for the same function. Neither of these extensions adds any capability that could not be expressed using standard language features; they are not standardized, they are not supported by other browsers, and we have excluded them from IE9 Standards mode.
Note that this does not mean we have removed every feature unique to the IE JavaScript implementation. Some features are vital when a developer needs access to unique capabilities of Internet Explorer or Microsoft Windows. For example, this includes the JavaScript capabilities that support access to ActiveX objects.
Testing progress
A primary goal in developing IE9 is to enable the same markup to be used in all browsers, which of course includes JavaScript. So how do we know how we are progressing toward that goal? In an earlier post we discussed Microsoft's approach to the JavaScript test suite under development. We believe that the organizations responsible for web standards should publish a definitive test suite that ensures the same scripts and the same markup work in all browsers. At present, no standardized test suite for JavaScript exists. The ECMAScript standards committee has agreed to develop such a suite, and we are working on it together with the other browser developers who are members of Ecma. That test suite is not yet complete or published. In the meantime, more than 1300 ES5-related tests that we use and plan to contribute to Ecma are available on the Internet Explorer Testing Center site. As a result of the ES5 support we added, IE9 now passes all sixteen Acid3 tests in group 6 (JavaScript).
Try it yourself
We need your feedback. Let us know when you find a JavaScript bug. We are especially interested in compatibility problems. If you use a standardized JavaScript feature and it behaves differently in IE9 Platform Preview Standards mode than in other browsers, you may have found a bug; report it on Connect. Because the changes described above apply only to IE9 Standards mode, sites running in compatibility modes do not reflect these changes and continue to behave as before.
Finally, review your code carefully for browser detection that works around known IE JavaScript differences or bugs, because it will most likely no longer work in IE9 Standards mode. This is not the same old JavaScript in IE.
Thanks,
Allen Wirfs-Brock
JavaScript Language Engineer, Microsoft
FY10Q4 Microsoft earnings are upon us. So, what's been going on since last we met over the quarterly results?
What kind of questions might be / should be posed during the earnings call?
The glow of Windows 7 has dimmed, and Office 2010 and the VS2010 ecosystem need to pick up steam as we head to the WP7 and Kinect launches. Apple is rolling in the moolah being a content delivery channel, and our story, other than some Xbox features, is still pretty fuzzy. For instance: Windows Media Center is one of those crown jewels we've let plop out of the crown and get kicked around the court. I love WMC, but it seems to be a neglected feature, caught in the chop between E&D / Zune and Windows. After a phone, it's the next experience we should bring out some reference hardware for, to easily DVR HD channels off the air, plug right into your HDMI system and watch it go.
My usual suspects for earnings discussion:
(I'll update the post later if there are interesting developments from the earnings release.)
Get out of the way Microsoft Bob, you have a replacement that Microsoft's Gen-Y employees can claim for their own! It's spelled K-I-N.
KIN's demise can't surprise anyone. When I looked at the phone's features, I thought: alright, an incomplete Facebook experience that I cannot improve by installing new applications... and I pay $$$ through the nose for a plan. But I've got a green dot and KIN Studio... maybe that will be enough to sell enough units to justify the Danger acquisition and the person-years of work behind getting KIN out. What the hell were all those people doing? I couldn't imagine anyone wanting the resulting iffy feature-phone at a smartphone cost, but KIN wasn't made for me. I was willing to let the market be the judge of KIN.
Verdict? Guilty, guilty, guilty.
The original Zune/Pink phone had interesting momentum but it all got squandered. What's the one ThinkWeek paper I want to read this year? Lessons Learned from Microsoft KIN and How Microsoft Must Change Product Development. You can't have a failure like this without examining it and then sharing what went wrong, all with respect to vision, execution, and leadership. How big was the original iPhone team? How big was the KIN team? Why did one result in a lineage of amazingly successful devices in the marketplace, and the other become a textbook extended definition for "dud" ?
Interesting comments:
All I can say as a former Windows Mobile employee who is now working for a competitor in the phone space is that this is good news for the rest of us. [...] Personally I quit because of the frustrating management and autocratic decision style of Terry Myerson and Andrew Lees. The only exec in the team myself and other folks respected was Tom Gibbons who is now sidelined. Lees and Myerson don't know consumer products or phones. Gibbons at least knows consumer product development. We often talk about how Andrew Lees still has a job but Microsoft's loss is a gain for the rest of us.
And
And now Kin is killed *after* it has shipped in June 2010. You can bet Andy was involved in the development of Kin, the partnership agreements with the OEM, Verizon and most importantly the "ship it" approvals all along the way. And Microsoft discovers it's a bad idea after it blows up in the broad market. Absolutely no thanks to any pro-active decision making on Andy's part.
Now there is spin that Andy killed Kin to put all the wood behind Windows Phone 7. Er, the guy was in charge for two years of Kin development. He could have made this decision far earlier.
Similarly Windows Phone 7 has two years of development under his watch. Based on his past performance, 99% chance this is also going to be a total catastrophe. It further doesn't help that much of the Windows Phone 7 leadership team was kicked out of Windows when they screwed up Vista.
And finally, one Danger-employee's point of view of why they became demotivated:
To the person who talked about the unprofessional behavior of the Palo Alto Kin (former Danger team), I need to respond because I was one of them.
You are correct, the remaining Danger team was not professional nor did we show off the amazing stuff we had that made Danger such a great place. But the reason for that was our collective disbelief that we were working in such a screwed up place. Yes, we took long lunches and we sat in conference rooms and went on coffee breaks and the conversations always went something like this..."Can you believe that they want us to do this?" Or "Did you hear that IM was cut, YouTube was cut? The App store was cut?" "Can you believe how mismanaged this place is?" "Why is this place so dysfunctional??"
Please understand that we went from being a high functioning, extremely passionate and driven organization to a dysfunctional organization where decisions were made by politics rather than logic.
Consider this, in less than 10 years with 1/10 of the budget Microsoft had for PMX, we created a fully multitasking operating system, a powerful service to support it, 12 different device models, and obsessed and supportive fans of our product. While I will grant that we did not shake up the entire wireless world (à la iPhone) we made a really good product and were rewarded by the incredible support of our userbase and our own feelings of accomplishment. If we had had more time and resources, we would have come out with newer versions, supporting touch screens and revamping our UI. But we ran out of time and were acquired and look at the results. A phone that was a complete and total failure. We all knew (Microsoft employees included) that it was a lackluster device, lacked the features the market wanted and was buggy with performance problems on top of it all.
When we were first acquired, we were not taking long lunches and coffee breaks. We were committed to help this Pink project out and show our stuff. But when our best ideas were knocked down over and over and it began to dawn on us that we were not going to have any real effect on the product, we gave up. We began counting down to the 2 year point so we could get our retention bonuses and get out.
I am sorry you had to witness that amazing group behave so poorly. Trust me, they were (and still are) the best group of people ever assembled to fight the cellular battle. But when the leaders are all incompetent, we just wanted out.
I guess we need another ThinkWeek paper on how to successfully acquire companies, too. Between this and aQuantive, we only excel at taking the financial boon of Windows and Office and giving it over to leadership that totally blows it down the drain like an odds-challenged drunk in Vegas. And the shareholders continue to suffer in silence. And the drunks are looking for their next cash infusion.
Dude, Where's Ray? You see more and more yearning for the days of BillG at the helm, perhaps because at least he was an uber geek that could drill your team's presentation like nobody's business and understand what your team was doing. And occasionally get enthralled by technology choices that would confound your average user (WinFS). Ray was supposed to serve as a replacement architect at Microsoft's technical helm, yet his impact seems to be superficial (and pretty disparaged if you chat with any leader in the company). Here's a snippet of a great comment about Ray and his impact at Microsoft:
The problem is, Ray doesn't see himself as the "Chief Software Architect" of the company. He sees himself as the "Chief Visionary Officer" (to borrow someone's phrase from early comments). He sees his job as being the person who regularly kicks "old" Microsoft in the butt to wake them up to what's going on in the world.
All of his behavior lines up with this: His correcting of Ballmer (in public!); His team's building Mesh, an expensive, buzz-generating, science-project app beloved by those who know about it, but irrelevant to those who don't (which is 99+% of the planet); More recently, his team's building of Docs.com -- another expensive, buzz-generating app that has no business model and no path to ever having one (if you need an indication of how pointless an exercise docs.com is, just look at the visitor trends for it since launch: http://trends.google.com/websites?q=docs.com).
Meanwhile, Ozzie has made enemies of most of the leaders of the actual products that pay for his "Labs". He's made no secret of the fact that he thinks that Windows is run terribly, or that Office is dead technology. Behind closed doors, he is openly disparaging of Microsoft development practices and Microsoft technology. His efforts to build product display a stunning lack of caring about how much things cost to run, or whether they will ever make money. To my knowledge, he doesn't care in the slightest about the enterprise businesses at the company.
Dude, Where's My Job? Folks have been talking about ongoing stealth layoffs and the impending July FY11 layoffs reacting to teams with reduced budgets. I've scanned some various HR calendars and found some interesting appointments more around next week vs. this week, but the layoff rumors have spilled over beyond here and into TechFlash: Microsoft pruning more jobs. A follow-up by Ms. Mary-Jo Foley: More Microsoft job cuts coming ZDNet. So I'd expect more news next week than this week, but one commenter has noted:
Layoffs confirmed for tomorrow. I see long meetings booked by HR-types in Lincoln Square and RedWest-C. Didn't go through all the calendars for you main-campus types.
If Microsoft is doing this to appear fiscally responsible, they really can't tell just this half of the story. The other half of the story is the number of contingent staff positions, which if you open up Headtrax for yourself to investigate be prepared to tell Elizabeth you're coming to join her, because it about gave me a mild heart-attack.
If you learn anything, please comment regarding the group and the size of the hit and any impression about the folks impacted (e.g., 10%'ers, long-term employees, etc).
Well, here's to wrapping up FY10. The kick-off of the Annual Review Season is our long, long, sloppy kiss goodnight to the fiscal year that was.
How are various things wrapping up?
Entertainment and Devices: with Bach and Allard out of the picture the E&D snow globe got a shaking where it's not clear how things are going to change. I was surprised at the number of pro-Bach comments in the last post, and a number of commenters believed that Mr. Bach had what it took to be the next Microsoft CEO. I respect your opinion, but I have to admit I did my best "ba-roo?" reading that.
Regarding Mr. Bach's departure: you can't call it accountability. Accountability would have been right after the red-ring o' death $1,000,000,000USD write-off. Come on, when senior leaders get together to consider what kind of emergent opportunities to get into, it's all about the billion dollar market. Perhaps they wrongly assumed that it exclusively meant income. It's pleasant that we have an entertainment presence like the Xbox and that Sony took a hard one on the chin, but did it really need to take that much money away from the shareholders and tarnish our reputation so much? And leave so much more unfulfilled around TV media entertainment that is getting rapidly covered by competitors?
Given the swirling flakes in the E&D snow globe, does E&D need to be Sinofsky'd? Discipline can be a good thing. You don't want every project to be like Forza. Willy-nilly feature development without stringent peer reviews and pre-checkin testing: dumb. Agile? So is using two hands instead of one to smear poo all over a wall. You've got twice the mess to clean-up. Those days should be behind us. More than anything, E&D needs leadership that oozes passion for everyday joys and who show up late Friday afternoon to play with what's new this past week and give praise and feedback. It needs joy and delight and laughter. And while running the trains on time is good for everyone, it doesn't need the stoic, passionless, data-driven rectilinear styling of a Sinofsky org's Switzerland.
No, rather than Switzerland E&D needs Italy. It needs curves and "oooo's!" and non-linear surprises. Sinofsky, I'd say, is on a three-release effort with Windows so he's busy anyways. I can't imagine if he was brought in to help pull things around, though, that it would go very well... I imagine his lieutenants' first job would be to put the ribbon into the Zune client app and Media Center and then try to figure how to wedge it into the Xbox dashboard. Nanites would start flowing through everyone's bloodstream, and their skin would turn sickly pale... the trains would run on time, just to dull destinations.
Kin: we put a lot of time + effort around Danger and producing the Kin (well, maybe more effort could have been spent on keeping the services running). Kin is not made for me or my social circle, so I can't judge it as a device. Sales will be the deciding factor here. And I'm sure when the first quarter numbers are released, we'll just say, "Well, we have an update to the Kin feature phone that we are sure will increase uptake significantly." Like fully supporting Facebook and Twitter features. I love the green dot, though.
And I do like Kin Studio, which I think pushes Kin over the top for some Millennials. If Kin Studio could be adapted soon to be a feature available for every WP7 phone user then we'd really surprise and delight potential phone users.
WP7: As for the WP7 phone: goodness. I'm hoping it's great and I like what I see. I like that a number of 3rd parties are already in the tube to deliver apps. I have sore glutes, though, from all the WP7 demos I see: every time a WP7 PM says, "Let me try this" my buns seize up hoping that it goes smoothly this time vs. the PM mumbling something about regressions in the latest build. There's still plenty of runway to go and time to fix all the various bugs and oddities, but it makes me apprehensive regarding the overall quality bar and wondering, "How did this go in so busted to begin with?" Several someones being agile, no doubt.
While we've been chasing the iPhone hockey puck (of what, two releases ago?) we risk that the real puck of today is Android. Maybe. The Android ecosystem is still too chaotic, but its potential is showing (thank you, Vic). We have to not only have great 3rd party apps on release but also show commitment in having our own series of Microsoft applications constantly going out of the door. For as important as the mobile platform is, it's surprising how little we're invested in developing our own series of applications for it, hoping that developers will meander over to our party.
And as the mobile application platform grows up into more interesting devices, the Windows hardware platform is growing downwards to meet it. There's a collision of development philosophy dead ahead and it needs to be solved this summer, not within years. Microsoft seriously needs to woo developers, and if you're giving them an ever-changing flowchart of constantly updated development platforms when the competitors have straight lines, you've lost a big campaign and potentially the war. Windows, E&D, and DevDiv must be forced to reconcile the future of application development and distribution from mobile to client to cloud by Microsoft's CEO, or start FY11 with leadership that can.
Natal: I'll get a Natal device when it comes out, though I don't know how much I'll use it in the cozy space I have our Xbox in. I'm not redecorating for Natal, which means every time I boot it up I will look around at all the various potential ankle and knee injuries. It might be worth it, though, if I can swing a light-saber, force-push, and even wave my hand for a Jedi mind-trick. But not for playing paint kick-ball.
A big Windows opportunity for Natal: some smarty plugs it into his desktop and a driver installs and Win7 magically lights up for Natal interaction. Word spreads. Win7 works with Natal and you can go all Minority Report now with your laptop and desktop! That's a Jobs-worthy show-off moment: "Oh, yes, an iPad. How nostalgically quaint to have a device you have to actually smear your fingers around the surface to do something with. Now, watch my Cheetos plastered fingers bring up Media Center to play some recorded World Cup! And after that, I'll navigate the universe with Worldwide Telescope!"
Pop a cap in your ass: which by cap, I mean Market Cap and the reflections and abundant free advice issued forth when Apple passed Microsoft with-respect-to Market Capitalization this past week. A lot of focus came down on Mr. Ballmer, who shrugged it off as much as he shrugs off the lost decade of MSFT stock price. A nice case study of attitude begets results. While Microsoft has its three-screened head in The Cloud (can't wait to see that marketing campaign [eye-roll]) Apple continues a consumer-love affair of joyous design and content delivery. One bit of free advice I naturally loved: What Will It Take to Save Microsoft (MSFT) - a snippet from the end:
And I see no end to the misery. Microsoft should learn from longtime brother-in-arms Intel (Nasdaq: INTC), whose CEO Paul Otellini has cut a complicated beast down to the operations that really matter. That's the kind of sugar-free medicine it would take to save Microsoft from itself, and of course, something that drastic will never happen.
What a shame.
Yes, we need our Neutron Jack at this point. We have our supposedly endangered cash cows and then a lot of products and operations clinging on. Many of which would never exist in a sane company. Spin off those groups to live or die on their own, with Microsoft owning appropriate stock such that if their survival instinct kicks in and they flourish, it will be a nice hefty return. You also have to realize that product groups are way overstaffed and just need engineers, in this day and age, that can do it all vs. being silo'd into their coding, testing, or spec'ing narrow band. Specialization is not sustainable. And the Partner system needs to be nuked away: more and more it's leading to bad short-term shiny decisions meant to make Partner. Well, this list goes on. I think our next CEO comes from the outside, because only an outsider at this point can scrub the company clean and ensure that the corporate DNA is rewritten.
Stealth Layoffs: comments here for a while have been saying don't expect any more large layoffs but do expect ongoing stealth layoffs, the kind that don't trigger the WARN act, let alone publicity. If you see your leadership meeting with HR far more frequently than usual, should you be nervous? Well, first step, ask what's up. If the answer is unsatisfying and doesn't ring true: yep, be nervous, especially as FY10 wraps up and new FY11 reduced budgets kick in.
If you or your group has indeed been affected, please, if you will, share as much as you can.
Just a quick celebration of this morning's news: Robbie Bach is retiring from Microsoft.
I'm so happy for him. And for Entertainment and Devices. And Microsoft.
This is a great opportunity for E&D to evolve and restructure. And, of course, a great opportunity to really screw up who to put in charge and such.
And yes, J Allard is out of here as well. Don Mattrick and Andy Lees step up. Also: David Treadwell side steps. And Office shuffles up a little bit.
What would you do with the various groups, products and who else would you put in charge?
Time for another quarterly update - all indicators point to a great quarter. With Win7's results and upcoming releases of Office 2010, Natal, and Windows Phone, things are on the upswing. Like I wrote back in July 2009, I believe that Microsoft has turned the corner and is headed in the right direction, though by no means is the corporation out of the scary neighborhood a lot of bad turns sent it into.
But we have hit the bottom with Vista and have emerged as the can-do underdog. If Microsoft knows anything, it knows how to do underdog. We really need to learn how to be the gracious competitive top-dog, too, but for now, underdog works.
Plus, given time, the context of the competitive marketplace has changed a lot. First: thank goodness for competition. Even pureblood Google and Apple fans should be thankful for competition from Microsoft, even if they deign its presence with faint disdain and use air-quotes when saying the word competition (and for some reason, I can't get a vision of the Seattle Weekly's Uptight Seattleite out of my mind while writing that). Second: there's enough growing concern with Apple and Google's success that folks naturally want balance and by no means do they see Microsoft as dominating. Rather: underdog, fighting for balance.
Things have gotten interesting again. Let's check-in on some of the original reasons this random blog started up:
Improved:
Not-improved:
Back to quarterly results: the analysis I look forward to:
Friday we have a Town Hall. I'm sure there will be questions about going forward competing with the iPhone and iPad and Google. And maybe questions / comments like:
Administrivia time...
This old blog: hey slacker blog-writer, what's going on here? Well, obviously not much. Mainly, unlike many of you talented people, I don't do multitasking well. Writing especially. Back, going on six years now, this was my spare time focus for writing and reading & responding to all the great comments. It was a unique place that arose organically as a lone voice to ask, "Aren't other people concerned about where Microsoft is going?"
Well, this lone voice has other writing passions right now (not involving Microsoft) and that's where I'm putting the occasional spare time I squeeze out of my life. I'm sure you can understand. It also happens at a time where things are fairly good with-respect-to Microsoft's future and direction. Yes, there are problems but there have been more successes than failures and the success of our competitors has provided clarity regarding direction and what success looks like.
If there are interesting constructive topics you'd like to discuss, please let me know.
Time for another Microsoft earnings announcement. I'm going to be missing you, Mr. Liddell, and your New Zealand accent. With so many tech companies reporting good numbers and with Windows 7's success, I dare say that we're expecting a rosy quarterly earnings report. And, if that's the case and knowing Mr. Ballmer's past record, he'll say something financially scary soon to rain on the parade.
Places I track for news on earnings include:
What questions do you expect or would you like to come up during the call? And if they don't come up during the conversation with the analysts, what Q&A do you want to send Mr. Ballmer's way during our upcoming Town Hall meeting?
Going back to the layoffs: first of all, this round does need to wrap up by end of FY10. The stress of possible layoffs will continue to have negative effects on Microsoft, let alone recruiting. We should have one last big flush and then call ourselves done. I'm tired of the layoff rumors as much as anyone else. Probably more so, given the comment fear-mongering. To paraphrase a commenter here: Mini-Microsoft has correctly predicted 12 of the last 3 layoffs.
One commenter made a good point in that it is going to take a while to work through the fat, though, because Microsoft dug itself into such a deep, undisciplined hole that when layoffs were needed, no one knew how or where to start and certainly didn't realize how bad it had become.
(later...)
Thanks to the deferral $s, it was a break-out quarter. Some follow-ups:
With today's 800 Microsoft layoffs, Microsoft Layoff 2009 has reached its final milestone and shipped, exceeding expectations of 5,000 with 5,800 reduced positions.
Err... yay?
Last week during the Town Hall Mr. Ballmer confirmed there would be one more iteration on the layoffs. And after that? Who knows. More to come? Maybe. Booga booga!
You know, we have people working for Microsoft (or, at least did, I don't know, maybe no longer) responsible for driving executive leadership education and growth at Microsoft. This is their friggin' job. Develop Microsoft Leadership at the executive and L68+ levels. So, has anyone hemmed and hawed in front of Mr. Ballmer and mentioned that this nickel and diming layoff approach is at the worst case end of the layoff management scale?
The looming threat of continuing RIFs and layoffs indicates that Microsoft is just too big for its leadership. It is beyond their capabilities to wrap their minds around everything Microsoft is doing. It has gotten away from them. What needs to go? Hell, I don't know even what all these people do, and you want to decide who stays and goes?
Yes.
Cut deep. Cut once. Get on with it and say, "We're done. We have aligned our company to be efficient and effective within this new global economic climate and are ready to focus on returning to profits and market share growth."
Done.
Coverage I've noticed today on the outside:
On Don Dodge:
And, bummers for me given that she interviewed me for Microspotting, Ms. Ariel Stallings tweet about being caught up in this layoff round.
Coverage from the inside? No email. Quiet. Quite dysfunctional. There was something linked off of the MSW site and it also had a FAQ document that had to be one of the worst FAQs I've ever read. There is an "A" portion to an FAQ and in this case some of the questions were great but the answers looked like they were generated from some sort of English obfuscation Perl script 3rd place prize winner.
So, I'm going through about sixty comments now on the older post. I think it was necessary for Microsoft to have layoffs due to the mismanaged growth and lack of focus and direction our Senior Leadership Team has given us. But it should have been twice as much, done all at once. Now we dither.
Were you affected by the layoff or know someone who was? I'd be interested in knowing which groups and organizations are affected.
October 22nd 2009. Windows 7. The circle is now complete.
What is Windows 7? There's a lot that Windows 7 is (oh, it's faster, it has an improved task bar, peeking, snapping, homegroupin', stable drivers and some pretty freaky desktop pictures) but the big thing that it isn't is that Windows 7 is not Vista. It didn't suffer Vista's raging dysfunctional mismanagement and broken windows. It didn't require a reset. Sure, it wasn't perfect and there's a lot of improvements yet to be made in focus and team productivity, but the Windows team delivered. So toot that damn horn, because this here train is arriving on time.
With FY10Q1 announcements coming this week and along with Windows 7, I hope we have a lot of good things to talk about with the analysts. Google and Apple and Yahoo! certainly did. Usually we release our quarterly earnings on the appropriate Thursday afternoon, after closing. It is unfortunately disturbing that we've decided to release our FY10Q1 earnings results instead on this Friday morning before trading. I say disturbing only because the last time we did this, a whole bunch of Microsofties were pulled into a layoff. Now... hopefully this earnings report is delayed so that we can have this Thursday the 22nd be all about Windows 7 and not our financials. And I cannot imagine that we (and by "we" I mean the Microsoft Senior Leadership Team) would be so dumb as to release our flagship product on a Thursday and turn around and fire a bunch of people the next day.
So, anyway, what's in the mix as the financials come up this week?
Windows 7: check. Thank goodness for SteveSi. I certainly hope he gets paid a lot more than Robbie Bach this year.
Within the Windows 7 reviews, there's going to be a point-of-view that the operating system is dead, which is, ah, kinda dumb. Your web browser isn't going to bootstrap that Intel CPU on its own. What might be dead is rich applications, which is a fair argument and Microsoft is failing to provide much in the way of new rich applications. In fact, we are cutting them one by one (Money, Encarta... Streets, you best watch your back). Sure, there's a transformation to online replicated services and all, but we really need to convince our consumers that there is a strong worth in having Windows 7 on your laptop so that it's not a fancy glowy brick when the internet is down.
Kindle? Wouldn't it be sweet if we had a nice ebook reader application? We could call it... mmm, Reader?
Windows Live is supposed to help with building value via rich applications. Live has been broken out of Windows to free it from the consent decree and all ('cept for sneaking a Win7 component out early, wink-wink). Messenger, Mail, Photos, Movies, and an awkward online service. And Live Writer (though rumored a dead-man walking per comments).
It's a fair start, and if I had my druthers OneNote would move out of Office and into Windows Live to be the essential authoring companion to the Windows experience. Windows Live Essentials is a good start, but to add some joy into owning a Windows machine, what we need just as urgently is Windows Live Non-Essentials.
Joy. There's a concept just asking for a planning pillar. How strangely would your coworkers look at you during spec reviews if you asked how joyful the feature happened to be?
Windows 8: speaking of planning! The Sinofskyfication of Windows continues, along with alignment around his good lieutenants.
Office: hey, hey, hey, there's a Beta on the way. The Office train lost its conductor but it mostly seems to be still on track. Though trust me: Office wants its Steven back. Bad.
Mobile: Holy. Crap. I don't think we have any unbruised skin left on our body to take any more lumps regarding our mobile strategy. The Microsoft Mismanagement theory is in full force as we throw any willing body into the Mobile effort. Something good has to come out of those typing monkeys, right? Windows Mobile Phone 6.5 or whatever the hell it's called didn't win any "Wows" and I discovered 1:1 the worst question to ask is, "So, can I upgrade it to Windows Phone 7?"
Look. Let's talk about device loyalty. I first started with owning PocketPCs. An HP Jornada. I loved it. When upgrade time came, HP had bought Compaq and abandoned the Jornada for the iPAQ (what, they had the iThing first?). So, unable to upgrade to the next CE, I cursed a little and bought one of those iPAQs. But HP decided not to allow it to be upgraded. So I switched to Dell to get their latest Axim PocketPC. Dell would be a safe bet, right? And Dell gave up on the line. My latest act of company loyalty: getting a powerful HTC WinMo 6 device. It was cut off the 6.5 train, and soon, I'm going to be buying a new phone.
And I'm going to buy an iPhone.
I hate it. I hate to think that I'll be installing Apple software on one of my computers because their PC software is so inelegant and buggy (check Watson). I hate that I've been so loyal to the PocketPC platform and Windows Mobile but I've finally had my chain yanked for the last time. I'm not buying a 6.5 device only to have it abandoned when 7 comes out. Microsoft is doing nothing to convince me that it's going to get any better. We suffer through rumors that Pink is imploding and issues with Sidekick data doing disappearing acts while our CEO has conniption fits over Microsofties sporting iPhones. Dude, this is why.
In this case, Microsoft is going to have to earn me back and convince me that not only do they have a better experience and better quality phone but that they also won't kick me off to the side of the road when a new release comes along, spinning a sad tale that the carriers make all the decisions.
Dev Div: If I had to sit down tomorrow and write a casual application for the PC, my mind would fork itself in about five different directions. Native with ATL? WPF? Silverlight? An HTA? And what's up with XNA? If I want to write an app for the Zune (which Zune?) what do I do? And can it run on some future mobile device? And the PC? And Xbox?
And how do I share it? How do I sell it? And, ah, crap, you mean you just released a whole new version of C# / Silverlight / XNA that I have to go and relearn? Maybe those free Starbucks coffee dispensers weren't a good idea...
If anything, I'd probably be pretty damn tempted to invest time learning Adobe AIR. And I'm thinking that while smack dab in the middle of the Microsoft bubble. There are a lot of Partners in Dev Div, and I'm not seeing any benefit from their concentration. The Windows client should be the premiere development platform. It's not. What am I missing?
Are We There Yet? Are the layoffs over? Has Microsoft stabilized? Of course, I'd be satisfied with another 10,000 or more positions being eliminated. But I want it done in one fell swoop, like all the conventional wisdom out there dictates, so that the remaining work force can align itself and get to work and not constantly worry if their group is next. If we're going to continue this quarterly rhythm of maybe-layoffs, maybe-not then morale is going to get seriously poisoned. Let's finish this round and call it done.
Ballmer: well, Mr. Ballmer, if you ever wanted to leave on a high-note, this is it. I'm frustrated because when you hear Steve 1:1 you know that he gets it. He knows some key strategies and things that need to get done. But then Yahoo! happens. Vista happens. Over-exuberant hiring happens. Layoffs happen to shed off the over-hiring. And a flat stock price happens. So something is seriously not connecting between (a) when you hear Steve talking and (b) when he makes major decisions. Hmm. Maybe it's something about guys named Steve having localized reality distortion fields.
This week, as we celebrate Windows 7, you do see an undercurrent of knife-sharpening while examining Mr. Ballmer.
The biggest question still out there: just who would you replace Ballmer with? If a shareholder revolt was to actually happen (shyeah, right) who would be the right choice to lead Microsoft? There is no heir apparent. And no obvious motivation to find one. But wait. Maybe, just maybe... you know, we'll have to wait and see and discover if Steven Sinofsky's upcoming book One Strategy! has a chapter on 'How To Become the CEO of a 100,000 Employee Company' (hopefully followed by the chapter 'More With Less - How To Transform a 100,000 Employee Company Into a 70,000 Employee Company').
Any fireworks you're expecting this week of Windows 7 and Quarterly results?
Some quick comments on this year's Microsoft 2009 Company Meeting.
First, how did my six hopes for the Company Meeting hold up?
Add that up and we get 1.75/6.00 - hey, almost one-third realized.
Now, I'm not going to go into revealing anything all that interesting that happened in the meeting. Just my general impressions of the day.
Kevin Turner was first and, well, I'm kind of tired of the "ThankYou"s by now. He did take on the job of addressing the tough year and I believe he said some things that really surprised me. Growth hides mediocrity being one of them. That we over hired. Sure we all thought it, too, but to now go and put on the 20/20 glasses and speak it in front of the company gives me hope (hmm, need a new word) that it won't happen again. Same with the realization that you shouldn't start up doing work in good-times that you know you'd drop and cut during bad times.
Dr. Qi Lu might be my favorite techie right now. I was impressed with what he's brought together for Bing and what's coming and how he has focused the team and adopted some of the new technology that Satya was showing. Who the hell thought we'd be feeling so good about our search decision engine? Ever?
Elop. Steven. Baby. Dynamics. XRM. Really? What did I do to you to have that forced down my eyeballs? I'm pouring another glass of wine right now hoping I can kill whatever brain cells are still connecting this demo memory together. Geez. Did anyone give you advice that this was a bad idea? If so, keep listening to them. If not, you're seriously lacking good reports willing to give you honest feedback.
Robbie Bach did okay, but I can't say the demos blew me away. The table-top demos were full of slick sparkly presentation but... it was all stuff I've seen one way or another so nothing new there. He missed a golden opportunity for Microsoft-Fan-Boy love to go and have someone play Halo:ODST on stage or show some great Zune HD apps.
Bob Muglia. What did he talk about? I remember the real cool tech for traces and then WinDiff. Did he talk about how we're losing the edge on client development for Windows and how it's all a confused multi-SDK technology mess centered around everything being .NET based?
Sinofsky went pretty fast - when in doubt, load up the stage with a bunch of new, cool technology and play with it. I loved the reveal on the Mac Air case ("It's aluminum!"). And I think Steven gets the best line: when the train let loose its blaring whistle he said something along the lines of, "This is where someone mentions about the trains running on time."
Craig and Ray: it was nice that they switched up their presentations - that added some energy. But not enough. It seemed a lot more practical this year, other than what I mentioned previously about the whole very well staged Starfire demo. I hadn't seen that in like... over ten years.
And then Steve Ballmer. I've got to say, at this point in the day I was pretty much in a "Where's mai KoolAid" funk until Mr. Ballmer came on stage and started presenting. I feel this is a big transitional year for Microsoft. I've said we've turned the corner, but that doesn't mean we're out of the bad neighborhood yet, nor are we incapable of making bad decisions all over again. The second half of FY09, and what we are still enduring as part of the economic crisis, has provided a certain level of alarmingly crisp clarity to refocus, and I believe Ballmer's presentation served for about as much focus as we're going to see in the near term.
And I like how he ended his presentation. How do we feel? He reflected on how Microsoft is not a normal company and that its employees have an unnatural emotional attachment to it (yep, that's true - it can cause them to have all sorts of crazy reactions and do crazy, passionate things). How do you feel? Steve, well, he wants you to feel good about where we are, what we're doing, and where we're going.
I must feel good, because I have hope.
(Oh, by-the-way, if you see Mr. Ballmer walking your way: hide your iPhone. Trust me on that one.)
Additional links:
(Updated below for the Extra-Long-Labor-Day-Vacation-Layoff of September 3rd 2009)
I'm one of the biggest Microsoft Company Meeting fanboys *evah*, but even I'm surprised that we're having a full-blown Company Meeting this year at Safeco Field in Seattle. I thought it and MGX were going to be cut without a second thought given the economic reset we are all enduring. I'm wrong. Given that it is happening, it's my opinion that this year's Company Meeting sure can't be a clone of last year's. I mean, last year's was great and everything... but now our everything is different.
I think about the context around this year's Company Meeting. There is what the crowd brings, what the crowd expects to see, and what the Senior Leadership Team (SLT) wants to accomplish with this meeting. Look, against this current economic tide the Microsoft SLT is putting on the Company Meeting. There has to be a pretty big goal they are shooting for, not just rah-rah party-demo time.
Because there are two very large elephants sitting down front and center with the hand-picked floor crowd. Two grumpy elephants with very good memories, one of January 22nd 2009 with 1,400 Microsoftie layoffs and the other with May 5th, 2009 and 3,600 further Microsoftie layoffs. Folks are going to come into Safeco, grab their box lunch, sit down with their co-workers and friends and as they fold their pink paper airplane, they are going to remark, "I can't believe they are spending all this money for today. <<Fill name in the blank>> and more could have kept their job if they just cancelled this horse and pony show."
These folks might have on their Proudly Serving My Corporate Masters buttons, but they've scratched out the Proudly part. They are staring at the grumpy elephants, and are looking to the SLT for some serious L.
I'm just imagining what corporate baggage people are bringing in during the Company Meeting. Maybe they were part of the original 1,400 and had to scramble through interview loops to find a new Microsoft position. To be clear: I wanted cut-backs when we were in the 50,000 range of employees, let alone approaching 100,000. 100,000, man. That's crack-pipe craziness. Had we been more prudent and efficient over the years, we wouldn't have reached the stage where the light bulb went off over Ballmer's head and he said, "I know... layoffs!" We got bloated and we cut, and we should cut more. But our leadership shouldn't have gone down that crack-pipe path to begin with.
Anyway, looping back to the 2009 Microsoft Company Meeting, some of my hopes and expectations:
One: I expect Steve Ballmer to come out front first, before any other Microsoft leadership, to speak the truth about the last year and where we are now. He must acknowledge it starkly. We had layoffs. We had inefficiencies. Positions had to go due to the economy being unable to sustain those parts of the business. There are people missing this year that, last year, were some of the biggest Microsoftie fans.
And, there are people here this year that will not be in the audience next year.
Take that in.
With success in the middle of hardship, this is a rare opportunity to enact change in Microsoft culture and recalibrate to being efficient and streamlined. I want Ballmer to get out front and say, "Today, we're celebrating our success of Windows 7. From this success we are learning and we are acting. We're learning why it was a success, how to do even better, and then taking those lessons and putting them into practice. In Windows. In Office. In Dev Div. In all of Microsoft. The rest of today we will not only tell you where we are and where we are going, but we're also going to discuss honestly how we're changing to be an efficient, streamlined company that smartly uses its successes to leverage good change. For the benefit of the company, our customers, our shareholders, and our employees."
Two: Any vision this year has to be practical and realized with one, two, or at most, three years. And, closing the loop on accountability, there's a discussion and a review of how the vision of the past has brought us to practical results. The pie has come down from the sky and now it's time to eat.
Three: demos are short, sweet, powerful, and made especially for a crowd of some of the smartest (plus good looking) people on earth.
Four: if it's new and hot, we get to see it now. That new Halo game. Zune HD. Stuff that even Beta testers haven't seen yet. Give us some reward for actually working for Microsoft and being excited about seeing things that are new and known by very few. Hell yes we'll tweet and blog about the coolness. And to assuage any anxiety over that: happy, enthused Microsofties sharing their enthusiasm for Microsoft with the world == a good thing in this day and age.
Five: a short introduction by LisaB of the new, efficient, streamlined review system: a simple Word document that lets you cover what you were responsible for, how you did, and your manager's assessment. Hey, I can dream.
Six: wrap-up by a serious Steve Ballmer. No running around high-fiving people or shaking his fists in the air to get a "YeAAAH!" from the crowd. But rather a serious Ballmer who covers what we've been through, how we're going to change, and a reinforcement for the success at Microsoft being something that has to spread throughout the teams.
After the Company Meeting, I intend to sit down at Pike Brewing and ponder over: what did the SLT intend to accomplish this year at the Company Meeting? How are the Microsofties attending better for having been there?
My concern is that the template for the meeting this year is the same as it ever has been, with some comedic hijinks, Kevin Turner covering all the "gooood" results that we should be fired up about, music, Liddell's financial review, an opaque speech by Ozzie, very late arriving busses full of people wondering why we can't figure out traffic control, rambling demos of misbehaving and barely competitive technology, paper airplanes smacking the back of my head, and a big cheerleader Ballmer at the end, all screaming and full of gusto... and totally passing over the hardships of this year.
I hope that all doesn't happen, but if it does, later I'll just sit at the bar between the grumpy elephants and drop some tears into my beer while still musing over what the SLT's intentions and goals might be.
What goals and expectations do you have for the Company Meeting?
Addendum: as of September 3rd 2009 it looks like it might be two large grumpy elephants and a little baby elephant:
Weird. How much more than 27? And just who is affected? I don't see it on the WARN site yet. Snippet from Ms. Chan's post:
Microsoft spokesman Lou Gellos said the company is making cuts across the country, but he did not elaborate on how many more jobs in the U.S. were affected.
"I can confirm that part of our effort to reduce costs and increase efficiencies involved 27 job eliminations here and in other regions across the country. While job eliminations are always difficult, we are taking these necessary actions to realign our resources against our top priorities."
Today we're announcing plans to release a security update to address the vulnerability discussed in Security Advisory 2286198 on Monday, August 2, 2010 at or around 10 AM PDT. We are releasing the bulletin as we've completed the required testing and the update has achieved the appropriate quality bar for broad distribution to customers. Additionally, we're able to confirm that, in the past few days, we've seen an increase in attempts to exploit the vulnerability. We firmly believe that releasing the update out of band is the best thing to do to help protect our customers. Our colleagues over in the Microsoft Malware Protection Center (MMPC) have more details about what they've seen in the threat environment. As always, we'll provide additional information as it is available. Finally, as always, we'll hold a special edition of the bulletin release webcast on Monday, August 2, 2010 at 1:00 PM PDT. If you are interested in attending the webcast, click here to sign up.
Thanks,
Christopher Budd
Sr. Security Response Communications Manager at Microsoft
Two years ago, in front of a standing-room only crowd here at Black Hat, we introduced three new information sharing programs as well as the concept of Community-Based Defense. The underlying concept shared by all three programs was simple: collaboration will be key to preventing and defending against online crime going forward; no one company, individual or technology can do it alone. The call to action was bold: put aside competitive and philosophical differences and move beyond our individual boundaries to work together to help improve and protect the broader security ecosystem. The reaction: applause!
We all know Black Hat can be a tough crowd, and wearing the blue badge can at times amplify that - making the positive response really pleasant. But it wasn't altogether unexpected. Each of the then-new programs, the Microsoft Active Protections Program (MAPP), the Microsoft Exploitability Index and Microsoft Vulnerability Research (MSVR), was fueled by, and designed to address, customer needs. And recognizing the collaborative nature of two of the programs, we'd spent months getting feedback and support within the community, from customers to vendors to researchers, to get into a position to make the announcements that day.
Today, the MSRC released its second annual progress report on those programs, "Building a Safer, More Trusted Internet through Information Sharing," and we're excited to share the results.
Some highlights:
Speaking of the success and impact of MAPP, we couldn't be more thrilled with the announcement today that Adobe Systems Incorporated will begin sharing early warning details on their vulnerabilities through MAPP beginning this fall. Two years ago, there was broad feedback throughout the industry, from analysts, customers, and partners, that MAPP was a game-changer, shifting competitive advantage away from the bad guys (criminals, attackers) to the good guys (protection providers, customers). For the first time, protection providers were able to operate together on a massive scale, developing and preparing protections for their customers to be made available upon release of Microsoft security vulnerabilities -- and ahead of the exploits developed by attackers. Today, we believe the same game has been raised a level with Adobe helping to advance protection time, giving an upper hand to the global network of defenders in the battle against online crime.
Many of you have already read Matt Thomlinson's introduction last week of our new policy of coordinated vulnerability disclosure and Katie Moussouris' expansion on the concept and the need for reframing the community's approach and mindset from the subjective language of "responsible" to the collaborative label of "coordinated." I don't intend to rehash that here, except to say that we look forward to continuing the dialogue on this new policy at Black Hat and beyond. This move didn't happen overnight as we believe it is reflective of a broader groundswell within the community that's been underway for some time. We're encouraged by the overwhelming volume of support behind the shift as evidenced in Katie's post and in interactions and response since then.
Even with more concerted attention on community-based defense and this growing sense of shared responsibility throughout the security community, attackers will still continue to case systems and applications looking for vulnerabilities. The stakes are high and criminals won't relent. So today, we're also announcing the Enhanced Mitigation Experience Toolkit (EMET).
EMET is a free tool that provides a way for IT professionals to add some of the latest security mitigations -- such as DEP, mandatory ASLR and export address table (EAT) filtering -- to software to protect against exploits of vulnerabilities. It helps harden existing applications from current exploit techniques without requiring any recoding. Look for an SRD blog post in August announcing availability of the new toolkit on the Microsoft Download Center.
More details on each of these announcements can be found at our Black Hat Press Site: http://www.microsoft.com/presspass/events/blackhat/.
Every Black Hat is different, but year after year one of the highlights of the show for Microsoft is continuing the conversation with researchers, partners and customers, and then acting on it. This is a community that is bound together by a common purpose: to improve the security landscape. It used to be enough to expect others to make that happen; but today, no one is exempt from helping to ensure the safety of the Internet. We're in this together, and we're better together. If you're at the show, pay us a visit at the booth or say hello when you see us; in any case, we look forward to hearing from you and continuing this work together.
Dave Forstrom, Director, Microsoft Trustworthy Computing
BH Landscape
Next week, many of us here will be heading down to Las Vegas for Black Hat. The MSRC, and other teams in Microsoft, have been attending Black Hat for years. In fact, we've been sponsoring the show for the last eight years, the last five as a platinum sponsor. Some might ask why? It's funny, I can actually remember back in my days as an officer protecting networks in the U.S. Air Force, questioning why Microsoft had such a presence at the show. As much as I'd like to say it's because of the weather (after all, most of us are over here in the rainy Northwest), or because it's the largest security conference out there (it's not), or even better, because we so look forward to getting our next Pwnie Award, the truth is it's none of the above. Well, maybe just a bit on the Pwnie. But the reality is that to us, Black Hat has always been a reflection of, and driven by, the community: like-minded people from all walks of life and professions with a shared interest in advancing the state of security. They come together to share ideas, advance thinking, network and collaborate, and ultimately learn from one another. We feel connected to that and always look forward to being a part of it.
So with the show fast approaching, I've taken some time to reflect on where the Microsoft Security Response Center is currently and where we see ourselves going with respect to security. Specifically, I've been thinking a lot about three areas: 1) our work to address vulnerabilities in our software, 2) our work with the security community and 3) our philosophy on vulnerability disclosure. Given the fact that each of these topics has recently garnered interest and fueled discussion in the community and media, I thought I'd share my thoughts.
Vulnerabilities and Time to Fix
Some will say that we take too long to fix our vulnerabilities. But it isn't all about time-to-fix: Our chief priority with respect to security updates is to minimize disruption to our customers and to help protect them from online criminal attackers. These customers own and operate a diverse ecosystem of nearly a billion systems worldwide. It's humbling to think about the responsibility this entails and yet we embrace the challenge. Even in the face of that, our overall track record shows the window of vulnerability is being reduced and we have additional plans to improve.
The Microsoft Security Response Center (MSRC) receives more than 100,000 e-mail messages per year at secure@microsoft.com - that's nearly 275 per day or 11 per hour. This is filtered down to approximately 1,000 legitimate investigations per year. Once a vulnerability has been confirmed, a comprehensive examination is undertaken to ensure that the reported vulnerability is addressed, other vulnerabilities that might exist in related code are identified and addressed, and no new vulnerabilities or bugs are introduced during this process.
But why don't we commit to fixed timelines? Because it is important to consider the overall customer risk when focusing on updating software for security issues. Most security updates released by the MSRC will be rapidly deployed to hundreds of millions of systems worldwide helping to protect customers from attacks in a very short timeframe. And the software being updated is being used by hundreds of thousands of applications on all sorts of hardware in all sorts of scenarios. So it is imperative that the update has been rigorously engineered and tested in order to avoid creating any type of disruption to these systems. During this time, the MSRC monitors for signs that the vulnerability, or variants, are being used in active attacks. The MSRC does this by using comprehensive telemetry systems as well as data and information provided by customers and partners around the world, and the rest of the industry. This approach helps Microsoft balance between the potential urgency of releasing an update for a particular vulnerability and ensuring high confidence that the update will address the vulnerability, all of its variants and maintain the functionality and stability that customers expect from the affected products.
Many times the issue that the finder reported is an indication of other similar vulnerabilities in that area of code. And the original issue may not be the most complicated, or even the most likely to get used in attacks. Microsoft tries to address vulnerabilities and all of their variants in as few updates as possible because they cost enterprise customers time, effort and money to re-assess and deploy multiple updates for issues that could potentially be addressed in a single update. The time it takes to complete a comprehensive examination helps to ensure the number of security updates Microsoft releases and needs to re-release is kept to a minimum, thus reducing the costs and potential disruption to enterprise customers' operations. Due to the increase in quality that Microsoft has achieved over the last five years, some enterprise customers deploy security updates with little or no testing, and hundreds of millions of consumers continue to use the Automatic Update client on their systems to ensure that they stay protected automatically.
For the majority of issues, we are able to release high quality and comprehensive security updates to customers well before any indication of attacks, and well before they are disclosed publicly. However, there are exceptions. In some cases attacks result, and when that happens, we have to compress testing to release updates quickly. Also, when there are attacks, we release workarounds in days that can block these attacks even without the updates. Usually these take the form of a "FixIt" that can protect customers with one click or be easily deployed throughout the enterprise.
However, there are cases that take much longer. In fact, last year at Black Hat there was a security event dealing with a vulnerability in a library called "ATL" or "Active Template Library." That issue affected not only multiple Microsoft product versions, but also several 3rd party products and services. It took over a year to coordinate that release, and in the end, even the finders themselves understood and commented that with the complexity involved, taking over a year wasn't unreasonable. When seemingly simple security issues, such as a memory corruption bug, affect multiple different products, the coordination and calibration can drive longer timelines so no product, or customers of those products are left behind. And there have also been cases that are such deep architectural changes that they can take multiple years to fully resolve or may not be able to be resolved in some of our older products. Usually these issues result from new threats emerging that product designs or assumptions couldn't anticipate. Changing those assumptions for products that have been in market for several years does take time and coordination so customers and applications can work effectively with them.
Focusing on resolving security issues has and will always be a priority for us. And work to improve our processes will continue, but we must always strike a balance between timeliness and quality.
Working with the Security Community
The topic of how well Microsoft works with the security community is important to me personally, and to my team. Years ago, this was a very valid concern. I can remember being on the outside of Microsoft and watching researcher discussions noting how Microsoft wouldn't engage or was unresponsive. We've made dramatic changes on this front since the inception of Trustworthy Computing. At Microsoft we recognize, and appreciate, the unique value that security researchers play in identifying issues and helping the entire computing ecosystem improve from a security perspective. We also thank many in the community for their collaborative work over the years, and for nearly a decade we have demonstrated our commitment to working with them in an honest and transparent manner. We may not always agree on the severity and the amount of time it should take to develop and test an update that has to work with hundreds of millions of computers, but we do believe we're fair and open when working with researchers. It's not in our interest or the interest of our customers to behave any differently.
Throughout the years we've seen researchers saying that if vendors really valued their work, we'd compensate them directly for the vulnerabilities they discover. That's a trend that's continued in recent weeks. We absolutely value the researcher ecosystem, and show that in a variety of ways. The most well-known is the fact that we acknowledge the researcher's work in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update. And that's just the tip of the iceberg. We also work to make sure we can support the community's development by sponsoring and supporting nearly 50 security conferences in over 20 countries each year.
Probably the community effort that started more of the deeper relationships we've built with researchers is our own little "hacker" conference we host at Redmond each year, called "BlueHat Security Briefings." Launched in 2004, this conference is aimed at bringing Microsoft security professionals and external security researchers together in a relaxed environment to promote the sharing of ideas, social networking and ultimately improving the security of Microsoft products. Key to the success of BlueHat and its benefit to our customers is the direct question-and-answer access that researchers get with the specific owners of the technology they're researching. In many cases, some of our direct competitors have sat on our stage at Microsoft and talked about problems in our products, directly to the folks that develop and manage them. And they've been able to get feedback on their research from the same folks as well.
The Shift to Coordinated Vulnerability Disclosure
If there's one area that has had staying power in terms of driving polarized debate in the broader security community, as manifested in mainstream and social media this past month, it's how to disclose vulnerability details. Ideally, updates for those vulnerabilities are available for all customers before details are broadly available. This allows us to protect the end-users because they just get the updates automatically, and large Enterprises can analyze, prioritize and deploy updates to hundreds of thousands of systems quickly. When communication breakdowns and disagreements happen, resulting in vulnerability details disclosed by researchers before we release an update, those details are then used by criminals to attack our customers. The worst situation is when vulnerabilities aren't disclosed to the vendor at all, because then there's very little hope of broad protections ever getting released for all customers.
Because of this range of situations, we also see a range of philosophies. Of course, Microsoft always supported the position that the best way to disclose issues is in a coordinated fashion, where details of the vulnerability are released in conjunction with an update that is broadly available for customers. This is known as "Responsible Disclosure." The term itself can be subjective because if either party doesn't abide by those terms, it is implied that they themselves are "irresponsible." Debate on this very issue of responsibility is understandable; however, it is important to remember that in the end we are dealing with customer safety issues - and we should all take that seriously. It is unfortunate these debates can make us lose focus on what is really important - protecting people using the Internet from harm.
Today, Matt Thomlinson, the general manager of Security at Trustworthy Computing, introduced a new disclosure philosophy Microsoft is adopting called Coordinated Vulnerability Disclosure (http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx). Katie Moussouris, senior security strategist on the MSRC Ecosystem Strategy team, provides more information and insight on the necessity of this shift in disclosure philosophy and practice on the MSRC Ecosystem Strategy Team Blog (http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx). You'll see from her post that we're not alone in acknowledging it is time for a change. Other vendors and researchers from the broader community of defenders are supportive and will be instrumental in making this shift a reality. So read the post, provide your feedback and then join us in making this an industry wide shift.
Now back to the catalyst for this post: Black Hat. We're just a few days from the event itself and we'll likely see more themes develop once it kicks off. But I hope the thoughts I've shared here provide some insights into our point of view on recent discussions in the community.
The realities of today's threat landscape point to a world that has shifted from a variety of participants with various motives to one of two sides: those who intend to harm or commit crime and those who intend to prevent harm and fight crime. As an industry and community, philosophical differences or competition aside, we should be in this together. Our own welfare as individuals and a collective community is at stake with unseen criminals who show no indication of backing down. It's our hope that this effort to shift to a shared responsibility of coordination and collaboration is something that is carried beyond Black Hat as we progress and evolve as a global community of defenders.
Hope to see you at Black Hat!
Mike Reavey
Director, MSRC
Today, Microsoft is announcing a shift in philosophy on how we approach the topic of vulnerability disclosure, reframing the practice of "Responsible Disclosure" to "Coordinated Vulnerability Disclosure." In recognition of the endless debate between responsible disclosure and full disclosure proponents and its ability to detract from meaningful and productive industry collaboration and customer defense, we believe that the community mindset needs to shift, framing a key point - that coordination and collaboration are required to resolve issues in a way that minimizes risk and disruption for customers.
Coordinated Vulnerability Disclosure (CVD): Newly discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves.
Responsibility is still imperative, but it is a shared responsibility across the community of security researchers, security product providers and other software vendors. Each member of this community of defenders plays a role in improving the overall security of the computing ecosystem.
CVD does not represent a huge departure from the current definition of "responsible disclosure," and we would still view vulnerability details being released broadly outside these guidelines as putting customers at unnecessary levels of risk. However, CVD does allow for more focused coordination on how issues are addressed publicly. CVD's core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible.
As Microsoft shifts its philosophy to this new approach, we are asking the broader security community to embrace the purpose of this shift, which is ultimately about minimizing customer risk, not amplifying it. This distinction is critical. We recognize it's possible that very limited attacks may be happening without our knowledge. However, we fundamentally believe (and our experience over the last 10 years has shown) that once vulnerability details are released publicly, the probability of exploitation rises significantly. Without coordination in place to provide a security update or tested workarounds, risk to customers is greatly amplified.
It is evident from listening to those on both extremes of the disclosure argument that there is one thing that we are all trying to do: protect customers. We've been working with the security community closely for years to coordinate our actions for the benefit of customers. Coordinated vulnerability disclosure will help keep users safe.
For further perspective on CVD and how we see it working, please see Katie Moussouris' Ecostrat blog post at http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx.
Thank you,
Matt Thomlinson
General Manager, Trustworthy Computing Security
Hi,
During the July 2010 webcast, we fielded questions varying from the re-release of MS10-024 to answers for the error messages received during the application of MS10-041 and more. Click here to review the full Q&A page so you can see all of the answers that were provided for these and the other great questions from the July webcast.
Also, attached here is the link to the Q&A index page for your review - in case you wanted to view any of the past 12 webcast Q&A's.
As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:
Thanks!
Jerry Bryant
Group Manager, Response Communications
Click here to register for next month's webcast.
We've just updated Microsoft Security Advisory 2286198 to let customers know that we now have an automated "Fix It" available to implement the workaround we first outlined in our original posting on Friday, July 16, 2010. More information is available in the KB article 2286198, but in summary running the "Fix It" can help prevent attacks attempting to exploit this vulnerability. This workaround will disable some icons from being displayed so we recommend administrators test this before deploying it widely.
We've also updated the advisory with new information regarding possible attack vectors. Finally, we have included a new workaround that customers can implement to help protect their environments: blocking the download of LNK and PIF files (note that these files can be transferred over WebDav, so be sure to account for this protocol if you implement this workaround).
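The workaround above asks administrators to block LNK and PIF downloads and to remember that WebDAV carries files too. As an added illustration (not part of the advisory or of any Microsoft tool), the filter below flags such transfers three ways: by the Shell Link header in the body, so a renamed .lnk is still caught; by the extension in the request path, which is how WebDAV clients fetch files from a mapped share without any Content-Disposition header; and by the file name in a Content-Disposition or WebDAV Destination header. The Download record and the sample traffic are constructed for this example; the header layout (HeaderSize 0x4C followed by the LinkCLSID) is the documented Shell Link format.

```python
"""Flag Windows shortcut (.lnk) and program information (.pif) files in HTTP
and WebDAV transfers. Added example; the Download record and sample traffic
below are constructed for illustration."""
from dataclasses import dataclass, field
from email.message import Message
from typing import Optional
import posixpath
from urllib.parse import unquote, urlsplit

BLOCKED_EXTENSIONS = (".lnk", ".pif")

# A Shell Link file starts with HeaderSize = 0x0000004C (little-endian) followed
# by the LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk layout.
LNK_MAGIC = (0x4C).to_bytes(4, "little") + bytes.fromhex(
    "01140200" "0000" "0000" "c000" "000000000046"
)


@dataclass
class Download:
    """One file transfer as seen by the gateway (constructed for the example)."""
    method: str                          # HTTP or WebDAV method
    path: str                            # request target, e.g. "/dav/share/tool.lnk"
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def is_lnk_content(body: bytes) -> bool:
    """True if the body carries a Shell Link header, whatever its file name."""
    return body[:len(LNK_MAGIC)] == LNK_MAGIC


def blocked_extension(name: str) -> Optional[str]:
    """Return the blocked extension a file name ends with, or None."""
    lower = name.lower()
    return next((ext for ext in BLOCKED_EXTENSIONS if lower.endswith(ext)), None)


def header(headers: dict, wanted: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == wanted.lower()), None)


def disposition_filename(headers: dict) -> Optional[str]:
    """Extract filename= from Content-Disposition (quotes and RFC 2231 handled by email)."""
    value = header(headers, "Content-Disposition")
    if value is None:
        return None
    msg = Message()
    msg["Content-Disposition"] = value
    return msg.get_filename()


def path_basename(target: str) -> str:
    """File name component of a request target or Destination URL."""
    return posixpath.basename(unquote(urlsplit(target).path))


def classify(dl: Download) -> Optional[str]:
    """Return the reason a transfer should be blocked, or None to allow it.

    The body check runs first so a renamed shortcut is caught. WebDAV clients
    fetch files with plain GETs on the share path and rarely send
    Content-Disposition, so the path is checked on every method; COPY and
    MOVE name the new file in the Destination header instead.
    """
    if is_lnk_content(dl.body):
        return "shell link header in body"
    ext = blocked_extension(path_basename(dl.path))
    if ext:
        return f"blocked extension {ext} in request path"
    declared = disposition_filename(dl.headers)
    if declared and (ext := blocked_extension(declared)):
        return f"blocked extension {ext} in Content-Disposition"
    destination = header(dl.headers, "Destination")
    if destination and (ext := blocked_extension(path_basename(destination))):
        return f"blocked extension {ext} in WebDAV Destination"
    return None


# Constructed sample traffic: one benign file, one renamed shortcut, one WebDAV
# GET with no Content-Disposition, one attachment download, one WebDAV COPY.
SAMPLE_TRAFFIC = [
    Download("GET", "/downloads/readme.txt", {"Content-Type": "text/plain"}, b"hello"),
    Download("GET", "/downloads/notes.txt", {}, LNK_MAGIC + b"\x00" * 60),
    Download("GET", "/dav/share/tool.lnk", {}, b"\x00" * 16),
    Download("GET", "/get?id=42",
             {"Content-Disposition": 'attachment; filename="setup.pif"'}, b"MZ"),
    Download("COPY", "/dav/share/a.txt",
             {"Destination": "http://dav.example.test/share/a.pif"}, b""),
]


def audit(transfers):
    """Verdict for each transfer: (method, path, reason-or-None)."""
    return [(dl.method, dl.path, classify(dl)) for dl in transfers]


if __name__ == "__main__":
    for method, path, verdict in audit(SAMPLE_TRAFFIC):
        print(f"{method:5} {path:28} -> {verdict or 'allow'}")
```

The PIF check is by name only: Windows treats a .pif as executable regardless of its contents, so there is no reliable magic to match, and the extension is what the advisory's workaround blocks. In a real deployment the same three checks would sit in the proxy or mail gateway, and the PROPFIND listings WebDAV clients issue before a GET can be filtered on the same extension list.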
As always, we encourage customers to review this new information and to evaluate it for their environment while our teams continue their work to develop a security update that addresses this vulnerability.
As always, we'll update the security advisory and this blog with new information as it becomes available.
Thanks,
Christopher Budd
Follow us on Twitter: @MSFTSecResponse
Hi everyone,
We have released Security Advisory 2286198, which addresses a publicly reported vulnerability in Windows Shell. Microsoft has found that this vulnerability is most likely to be exploited through removable drives. Currently, we have seen only limited, targeted attacks on this vulnerability.
In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware, a threat family already known to the Microsoft Malware Protection Center. The MMPC has a blog post with more technical discussion of Stuxnet.
We recommend that customers follow the guidance provided in the Security Advisory, making note of mitigations and tested workarounds. We will continue to investigate the vulnerability and, upon completion of that investigation, we will take appropriate action to protect our customers.
Customers should be aware that signatures in up-to-date versions of Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform protect customers against the Stuxnet malware.
We are also actively working with members of our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Anyone believed to have been affected by this issue can visit: http://support.microsoft.com and should contact the national law enforcement agency in their country.
We will continue to share updates on this blog and through our Twitter feed (@msftsecresponse).
Thanks,
Dave Forstrom
Director of Marketing Communications, Integrated Communications & Response
Hi everyone. As part of our usual monthly update cycle, today Microsoft is releasing four security bulletins to address five vulnerabilities in Windows and Microsoft Office.
MS10-042 resolves a publicly disclosed and actively exploited vulnerability discussed in Security Advisory 2219475. The update addresses an issue in the Windows Help and Support Center feature included in Windows XP and Windows Server 2003. Even though this issue affects Server 2003, we have not found an attack vector on that platform so the severity rating is Low. Windows XP customers should install this update as soon as possible.
MS10-043 resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause a Denial of Service (DoS). Note that this bulletin affects only 64-bit versions of Windows 7 and Windows Server 2008 R2 with Windows Aero enabled. Aero is not installed by default on Server 2008 R2. We are not aware of any active attacks against this issue.
MS10-044 resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. This issue could allow remote code execution if a customer with Access installed opened a specially crafted Office file, or viewed a Web page that instantiated Access ActiveX controls. This security update is rated Critical for supported editions of Microsoft Office Access 2003 and Microsoft Office Access 2007.
MS10-045 resolves another privately reported vulnerability that could allow remote code execution if a customer opened an attachment in a specially crafted e-mail message using an affected version of Outlook -- Microsoft Outlook 2002, Microsoft Office Outlook 2003, or Microsoft Office Outlook 2007.
The following video provides an overview of these four bulletins:
Both Windows vulnerabilities and one Office vulnerability have Critical severity ratings, while the second Office vulnerability carries an Important severity rating.
As always, Microsoft recommends that customers test and deploy all security updates as soon as possible. We recommend that deployment priority be given to MS10-042 and MS10-045.
For a more in-depth look at these issues, our Security Research & Defense (SRD) team has taken a closer look at both these bulletins on its blog.
We also include one bulletin re-release, MS10-024, in this cycle. The re-release will address the issue previously noted in KB976323, in which the installation of the bulletin reset user-configured settings for SMTP servers on Windows Server 2008-based systems with Internet Information Services (IIS) installed. Users who have previously installed MS10-024 will not be offered the re-released update.
Today also marks the end of support for Windows XP Service Pack 2. Customers who have not migrated from this version are encouraged to upgrade immediately, either to Service Pack 3 or to Windows 7. In addition, after today's bulletin release, we will no longer provide support for all Windows 2000 products as we have reached the end of extended support.
More information about the security updates can be found on the Microsoft Security Bulletin summary webpage. Our Exploitability Index provides additional information to help customers prioritize deployment of the monthly security bulletins.
Please join the monthly technical webcast to learn more about the May 2010 security bulletin release. The webcast is scheduled for Wednesday, July 14, 2010 at 11:00 a.m. PDT (UTC -7). Registration is available here.
Reminder: You can follow the team for late breaking news and updates on the threat landscape here: @MSFTSecResponse.
Thanks!
Jerry Bryant
Group Manager, Response Communications
Hi everyone. Today we're releasing our advance notification for the July security bulletin release, which is scheduled for Tuesday, July 13. This month's release includes four bulletins addressing five vulnerabilities.
As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.
We will close out two Security Advisories this month.
Please join Adrian Stone and me for a public webcast on Wednesday. We'll go into detail about the bulletins and answer questions live on the air. Register at the link below:
Date: Wednesday, July 14
Time: 11:00 a.m. PDT (UTC -7)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454299
Also, July marks the end of Microsoft support for the Windows 2000 and Windows XP SP2 platforms. Customers should actively seek out either a supported operating system or the latest service pack in order to keep receiving necessary security updates.
Thanks,
Jerry Bryant
Group Manager, Response Communications
Follow us on Twitter: @MSFTSecResponse
Updated July 9, 2010 to correct transposition concerning number of critical bulletins for Windows (accurately, two) and MS Office (accurately, one).
Hosts: Adrian Stone, Senior Security Program Manager Lead; Jerry Bryant, Group Manager, Response Communications
Website: TechNet/security
Chat Topic: June 2010 Security Bulletin Release
Date: Tuesday, June 8, 2010
Q: The .NET updates are only a security update, correct? Not a service pack or rollup, right?
A: The June Security Bulletin release had one security bulletin, MS10-041, for the .NET Framework and another set of updates corresponding to Microsoft Security Advisory 973811. The update corresponding to Microsoft Security Advisory 973811 carries the extended protection security feature, so that is not a security update in the traditional sense. But there was no service pack or rollup in the June release.
Q: Will Microsoft provide updates for Windows 2000 next month? Do you recommend we upgrade to a newer version of Windows?
A: We remind all Windows 2000 and Windows XP SP2 customers that all support for these platforms will end after July 13, 2010. Customers should upgrade to either a supported operating system or the latest service pack in order to keep receiving necessary security updates. We will release appropriate bulletins for Windows 2000 and Windows XP SP2 next month.
Q: Why does the update required in KB979909 prompt for an interaction? This causes it to fail installation on Windows Update.
A: Security updates deployed via Windows Update generally do not prompt for user input; however, some updates may display an End User License Agreement (EULA) which needs to be accepted before the update is installed. If the update KB979909 is installed in the same transaction as another update which shows a EULA, then it may appear like the prompt is coming from the update KB979909. We are not aware of any specific issues at this time that may cause KB979909 to display a user prompt, but if you are encountering this issue please contact 1-866-PC-SAFETY and our support engineers should be able to assist.
Q: Why was the Cumulative IE patch MS10-018 automatically declined by Windows Server Update Services (WSUS) when MS10-035 was just released? Also, MS10-018 can no longer be approved either.
A: This month's IE update did initially experience some detection issues in the update, but this has been corrected. As the IE updates are Cumulative in nature, the updates provided in MS10-018 are included in MS10-035. If you install the latest IE update, it will include the previous fixes.
Q: For clarity, when will these updates be released for download by System Center Configuration Manager (SCCM)?
A: Most of the updates are available via SCCM. Please see the bulletin for specifics.
Q: In testing these updates on release day we had multiple Windows XP systems that were idle (no applications in use). I was surprised to find that it took two or even three cycles of patches and reboots to get all the updates installed. In other words, rather than one reboot at the end, there were some updates then reboot, more updates then reboot. On one machine, yet more updates and another reboot. Can you explain why that is necessary? Microsoft updates are usually sequenced better than this, so that only one reboot is needed.
A: Without specific parsing of logfiles, it's difficult to diagnose multiple reboot scenarios, but I would guess that it's possible you had earlier updates that had not yet been applied to this machine, or you had not yet rebooted from a prior update installation. Windows Update requires that if you have a pending reboot, the reboot must be completed before it can install newer updates. That may be the reason for the behavior you observed.
Q: In reviewing our (WSUS) server this morning after synchronization overnight, MS10-033 was not yet available. Has this update been made available for WSUS?
A: There are multiple KBs associated with MS10-033. Please refresh your WSUS scan cab file and contact Customer Service if you still experience this issue.
Q: Concerning MS10-041, are all of the updates required to be installed? For example, we have deployed .NET 3.5 SP1 as a package that also updated some earlier versions of .NET. Does the same apply here? Does the update for .NET 3.5 SP1 also patch the earlier versions of .NET?
A: You can have more than one version of the .NET Framework installed side-by-side. Therefore, yes, you need to install all updates that pertain to versions of the .NET Framework you have installed. Technologies like Windows Update (WU), Microsoft Update (MU) and WSUS will detect automatically which updates are applicable to your system. For more information, please see the General FAQ section in the MS10-041 bulletin, specifically the question: "How do I determine which version of the Microsoft .NET Framework is installed?"
Q: When Windows XP SP2 falls out of support, does that mean Windows XP x64 is totally out of support? There isn't a Service Pack 3 (SP3) for Windows XP x64.
A: Windows XP x64 released to manufacturing (RTM) is out of support. We recommend upgrading to Windows XP x64 SP2. See http://support.microsoft.com/lifecycle/ for a full listing of supported platforms.
Q: Does installation of MS10-039 in a multi-server Microsoft Office SharePoint Server 2007 (MOSS) environment require manual, ordered installation and running of the wizard, similar to a MOSS service pack deployment?
A: Yes, the installation of MS10-039 on a multi-server MOSS environment does require manual install. For best results you should also do an ordered installation.
Q: For MS10-033, can email firewall vendors scan attachments for this vulnerability?
A: In the case of malicious media content attached to email, yes they can, although there are attack vectors affected by this vulnerability that can't be scanned by email scanners -- for instance, a malicious website can host specially crafted media content. In this scenario, an email firewall will not mitigate against this issue.
Q: MS10-039 does not appear in Windows or Microsoft Update. How is this update applied?
A: Security updates are available from the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update." In addition, security updates can be downloaded from the Microsoft Update Catalog. The Microsoft Update Catalog provides a searchable catalog of content made available through Windows Update and Microsoft Update, including security updates, drivers and service packs. By searching using the security bulletin number (for instance, "MS10-039"), you can add all of the applicable updates to your basket (including different languages for an update), and download to the folder of your choosing. For more information about the Microsoft Update Catalog, see the Microsoft Update Catalog FAQ.
Q: Not sure if it was addressed, but have MS10-020 and the issues saving files to network shares been resolved?
A: You can review KB980232 to see the latest information about this issue. All known issues and their resolutions will be listed there.
Q: The bulletin for MS10-039 says an "attacker could gain the same user rights on the SharePoint site as the targeted user." If the targeted user is a Domain Admin, would the attacker have Domain Admin rights on all domain members?
A: No. For CVE-2010-0817 the targeted user can only gain rights in SharePoint and not on the domain. When an attacker initiates this attack and they convince the targeted user to click the Cross-Site-Scripting (XSS) link, the attacker is essentially tricking the targeted user to run commands sent by the attacker against the SharePoint server.
Q: Do we have any detection logic in this month's Kernel update so that it doesn't create any big impact, such as the blue screen of death (BSOD) issue of February's release?
A: There are no updates this month that require additional detection logic. We have no reports of known issues at this time that would cause us to use this type of detection logic.
Q: Are known issues tracked on the knowledge base (KB) article associated with each of the updates? How often is that updated?
A: All known issues are tracked through the bulletin's KB article. These are added as issues are identified.
Q: Regarding MS10-039 for Office SharePoint, does the user need to successfully log into the site to submit the request?
A: For both the CVE-2010-1257 Information Disclosure issue and the CVE-2010-1264 denial of service (DoS) issue, in the SharePoint bulletin MS10-039, authentication is required. However, for CVE-2010-0817 -- the help .aspx issue -- no authentication to the SharePoint server is required.
Q: I don't mean to sound stupid, but what is meant by applying a shim? And what is a shim?
A: With the Shim infrastructure, which we also call the Microsoft Windows Application Compatibility Infrastructure, you can target a specific application fix but only for a particular application (and typically, for particular versions of that application), with these fixes housed outside the core Windows functions and maintained separately. To get a complete understanding of shim technology, please see http://technet.microsoft.com/en-us/library/dd837644(WS.10).aspx.