Michael Corey's Database Virtualization/Database Administration as a Service® Blog
Posted on Tue, Dec 23, 2008 @ 11:25 PM
Oracle Set Its Sights On Salesforce.com is that what is really going on?
I have been working with Oracle since version 3. Over the years, at times it seemed that when I observed Oracle I was watching a good soap opera. I suppose that could be said of any big company. On the latest Oracle fiscal second quarter conference call it appears that Oracle has now set Salesforce.com in its sights.
Oracle Target = Salesforce.com
To use an Oracle term I used to hear over the years: when Oracle sets a company in its sights it means “shut off its oxygen”. Though in this case I would not think that is the intention. So in this latest fiscal second quarter conference call Salesforce.com got quite a bit of attention. In years past I used to listen to these calls; I don't take the time anymore. So I will rely on ZD to provide you some background.
December 19th, 2008
Oracle puts Salesforce.com in its sights
Posted by Larry Dignan @ 4:49 am
Oracle’s fiscal second quarter conference call was interesting on a couple of fronts. Here are a few observations:
No. 1: Oracle has a new whipping boy: Salesforce.com.
Check out CEO Larry Ellison’s comments about Salesforce.com, which totaled eight mentions (not quite SAP territory, but getting there), on the company’s second quarter conference call. The call came after solid earnings results.
In sales on demand, our primary competitor there is salesforce.com and this quarter was conspicuous and a series of competitive wins against salesforce.com. One which was our largest ever on demand or cloud computing, whatever you want to call it, a competitive win over salesforce.com was actually a replacement of salesforce.com.
The customer will be de-installing salesforce and replacing it with Oracle sales on demand so we’re very excited about that. That business is now growing.
When we compete head-to-head with salesforce we win more deals than we lose and that’s new in the last couple of quarters.
And then there was co-president Charles Phillips:
We have strong customer adoption at Siemens, we had a 12,000-seat win, that’s [inaudible] implementation and we’ll become the standard there. US Food Service where we beat salesforce.com about 7,000 users there. [Matreol] Healthcare displaced salesforce.com there and in West Pack where we also beat salesforce.com.
So we have had quite a bit of momentum there and I forgot to mention [Swisscom] as well, another 3,000 seats.
Add it up and you have eight mentions of Salesforce.com from Oracle. You can read that to mean:
- Oracle is going to buy Salesforce.com. The smack talk can preclude a merger. After all, executives said the company is still shopping for deals.
- Or Oracle is acknowledging that Salesforce.com is moving upstream and becoming a threat and Ellison is sending a brushback pitch.
Speaking of Salesforce.com obsession, Oracle just announced a bunch of CRM on demand wins (statement).
To read the remainder of this article in ZDNET....
Oracle puts Salesforce.com In Its Sights
The Marc Benioff Larry Ellison Relationship
First, to better understand what is happening, a little background information... If my memory serves me right, Larry Ellison was an early investor in Salesforce.com. At one point very early in Salesforce.com history Larry Ellison was asked to be on the Board of Directors by the Salesforce founder Marc Benioff, a former Oracle employee. Then Larry Ellison was asked to resign from the Salesforce.com board due to a conflict of interest. That conflict of interest was Oracle launching a direct competitor called OraclesalesOnline.com. It is also my understanding that Marc and Larry Ellison knew each other before Marc went to work for Oracle.
When Marc Benioff was at Oracle I had the pleasure of having a lot of dealings with Marc. Marc very early on was a true visionary. Marc always stood out from others. At Oracle he introduced a number of initiatives that had major impact on directions Oracle was taking. When Marc left Oracle I felt it was a real loss. I always knew Marc was headed for great things.
What I liked most about this article was the conclusions.
Oracle is acknowledging that Salesforce.com is moving upstream and becoming a threat and Ellison is sending a brushback pitch.
Anyone who is familiar with Salesforce.com knows they are definitely moving upstream in a big way. Salesforce.com is a true development platform already. It is already letting people realize the power of cloud computing. I could go on for pages on where Salesforce.com is headed but it would take this blog way off topic. Suffice to say Salesforce.com is headed upstream in a big way.
Oracle is going to buy Salesforce.com. The smack talk can preclude a merger. After all, executives said the company is still shopping for deals.
There are so many great reasons why Oracle should buy Salesforce.com. The companies are very synergistic. Salesforce could really benefit from Oracle's dominant position in the enterprise as it moved forward with its development platform. With Oracle behind salesforce.com it would be so much easier to get major corporations to adopt a development platform for rolling out applications housed in the clouds using salesforce.com at its heart. Oracle would have an incredible brand to build its cloud computing strategy built around an Oracle Software as a service offering.
What really got my attention was something I read in Silicon Valley Watcher. Their article provided some really interesting insight....
Marc Benioff, CEO of Salesforce would make a good successor to
replace 63 year old Larry Ellison, CEO of Oracle, when he retires says
Matthew Greeley, CEO of BrightIdea.com. Mr Benioff used to work at
Oracle. When he left Oracle in 1999, Mr Ellison provided seed funding
for Salesforce and also served on its board of directors.
-Mr Benioff needs a new challenge, he appears to be losing interest
in Salesforce, or at least reducing his financial interest in his
company at a rapid daily rate. He has been selling 10,000 Salesforce
shares every single day since
21 August 2007. Before then, he sold 20,000 shares every day since 14
November 2006. Prior to that date, Mr Benioff sold thousands of shares
every day in variable amounts since 31 July 2006.
[Please see: Insider Trades - Marc Benioff - Yahoo! Finance.]
-An Oracle acquisition of Salesforce would strengthen its strategic
position against SAP, the top enterprise application software company.
SAP has been slow in figuring out its online strategy, even naming its
initiative has been challenging to the company.
UPDATED: Larry Ellison will have to buy Salesforce at some point
anyway. Netsuite cannot be scaled to the size of Salesforce in this
decade, maybe in the next. The two businesses could be easily
integrated, that's the beauty of online software, it's all standards
based.
To read the entire Silicon Valley Insider article....
Is Salesforce Worth $75/Share To Oracle?
Some things in this article really stood out...
Marc Benioff, CEO of Salesforce would make a good successor to replace 63 year old Larry Ellison
Mr Benioff needs a new challenge, he appears to be losing interest in Salesforce, or at least reducing his financial interest in his company at a rapid daily rate.
If Larry Ellison were willing to step down, I cannot think of a better person to take over the helm at Oracle than Marc Benioff. Given where the industry is headed, cloud computing, Software as a service, Marc would be a visionary that could take Oracle to new heights.
Posted Michael Corey, Founder & CEO, Ntirety www.ntirety.com
Posted on Mon, Dec 22, 2008 @ 10:50 PM
Microsoft Security Advisory (961040)
Vulnerability in SQL Server Could Allow Remote Code Execution
Published: December 22, 2008
Microsoft is investigating new public reports of a vulnerability
that could allow remote code execution on systems with supported
editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005,
Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000
Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine
(WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft
SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack
3, and Microsoft SQL Server 2008 are not affected by this issue. Microsoft
is aware that exploit code has been published on the Internet for the
vulnerability addressed by this advisory. Our investigation of this
exploit code has verified that it does not affect systems that have had
the workarounds listed below applied. Currently, Microsoft is not aware
of active attacks that use this exploit code or of customer impact at
this time. In addition, due to the mitigating factors for default
installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is
not currently aware of any third-party applications that use MSDE 2000
or SQL Server 2005 Express which would be vulnerable to remote attack.
However, Microsoft is actively monitoring this situation to provide
customer guidance as necessary.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers.
Upon
completion of this investigation, Microsoft will take the appropriate
action to protect our customers, which may include providing a solution
through a service pack, our monthly security update release process, or
an out-of-cycle security update, depending on customer needs.
Customers who believe that they have been attacked can obtain security support at Get security support
and should contact the national law enforcement agency in their
country. Customers in the United States can contact Customer Service
and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY.
Additionally, customers in the United States should contact their local
FBI office or report their situation at Internet Crime Complaint Center.
Mitigating Factors:
• This issue does not affect supported editions of Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008.
• This vulnerability is not exposed anonymously. An attacker would need to either authenticate to exploit the vulnerability or take advantage of a SQL injection vulnerability in a Web application that is able to authenticate.
• By default, MSDE 2000 and SQL Server 2005 Express do not allow remote connections. An authenticated attacker would need to initiate the attack locally to exploit the vulnerability.
To read the original security alert from Microsoft......
Microsoft Security Advisory (961040)
Posted Michael Corey, Founder & CEO, Ntirety www.ntirety.com
Posted on Sat, Dec 20, 2008 @ 02:47 PM
3 out of 4 Cables Cut !
The Gremlins are back.
Once again undersea cables have been cut. 3 out of 4 cables have been cut. This will affect Internet and phones all through Europe, Middle East & Asia. If the 4th cable gets cut this could be a total blackout. A total blackout. This has happened quite a few times before. Here are some blogs I did the last time this happened….
Internet Outage Hits India, Middle East Again!!!!!!
Fifth Undersea Cable Cut ! ! !
I found out about the latest problem through an article in the BBC NEWS...
Severed cable disrupts net access
Internet and phone communications between Europe, the Middle East,
and Asia have been seriously disrupted after submarine cables were
severed.
It is thought the FLAG FEA, SMW4, and SMW3 lines, near the Alexandria cable station in Egypt, have all been cut.
A fault was also reported on the GO submarine cable 130km off Sicily.
Experts warned that it may be days before the fault is fixed and said
the knock on effect could have serious repercussions on regional
economies.
Jonathan Wright - director of wholesale products at Interoute which
manages part of the optical fibre network - told the BBC that the
effects of the break would be felt for many days.
"This will grind economies to a halt for a short space of time," he
said "If you look at, say, local financial markets who trade with
European and US markets, the speed at which they get live data will be
compromised."
"If you think how quickly trades can be placed, if they are
suffering from bad latency times, then by the time a trade is placed,
the market may well have moved on."
The cause of the break is as yet unknown, although some seismic
activity was reported near Malta shortly before the cut was detected.
In a statement released in relation to one of the breaks, France
Telecom said: "The causes of the cut, which is located in the
Mediterranean between Sicily and Tunisia, on sections linking Sicily to
Egypt, remain unclear."
The French firm said it was sending a ship out to fix the line
between Italy and Egypt, although it could take until 31 December to
fully repair the line.
The main damage though is to the four submarine cables running across the Mediterranean and through the Suez Canal.
It is thought that 65% of traffic to India was down, while
services to Singapore, Malaysia, Saudi Arabia, Egypt, Taiwan and
Pakistan have also been severely affected.
To read the Remainder of the article....
Severed cable disrupts net access
Posted Michael Corey, Founder & CEO, Ntirety www.ntirety.com
Posted on Fri, Dec 19, 2008 @ 11:39 AM
The Record Industry who I liken to the Mafia
The record industry, who I like to liken to the Mafia, has finally gotten smart. I am no fan. They have used strong-arm tactics against college campuses, students etc. They complain about all the pilfering of music online yet the record industry continues to rake in the money.
It's about time they change their ways. Here is what recently just happened….
I found this on Techdirt.
RIAA Abandoning Mass Lawsuits In Favor Of Backroom 3 Strikes Policy
from the it's-a-step,-but-a-very-small-one dept
It really was just three days ago that we suggested that if the record
labels actually wanted anyone to take them seriously concerning their
desire to come up with more constructive solutions to the business
model challenges they face, they should at least stop suing
folks as a gesture of trying something new. The usual recording
industry defenders in the comments claimed this was a ridiculous
suggestion, but it appears that the RIAA is at least taking a small
step in that direction. The Wall Street Journal is reporting that the
recording industry (the WSJ mis-labels it "the music industry") is abandoning its strategy of mass lawsuits.
First off, this is a step in the right direction -- and
we think it's great that the record labels have agreed to do this, even
if it's many, many years too late. And, it's hardly a huge concession.
The lawsuits have been an unmitigated disaster.
They have done nothing to slow file sharing (in fact, the publicity
generated from the lawsuits has often been credited with alerting many
people to the possibility). The strategy has also splintered the file
sharing space into many, many different players, many of them way
underground, unlike in the early days when there were a manageable
number of players who could be worked with proactively. It's also done
tremendous damage to the brands of the major record labels (Universal,
Warner, EMI and Sony) and the RIAA itself -- leading many to swear off
buying any of their products. Finally -- and most importantly -- the
strategy did absolutely nothing to help musicians adapt to a
changing market that was opening up tremendous new opportunities both
to spread their music and to profit. So, kudos to the folks at the RIAA
for finally realizing how backwards this strategy has been.
The fine print
But, of course, this is the RIAA, so you can rest assured that the
details aren't anything to be happy about. In exchange for not filing
mass lawsuits, the RIAA has worked out backroom deals with numerous
ISPs (brokered by Andrew Cuomo -- who has a history of using baseless threats to get ISPs to censor content
they have no legal responsibility to censor). The exact details are a
bit sketchy, but it sounds like a variation on the ridiculous three strikes
policy that has been (mostly) rejected in Europe as a violation of
basic civil rights. Basically, these ISPs will agree to be the RIAA
enforcers. Based solely on the RIAA's flimsy evidence,
the ISPs will either pass on, or directly email subscribers with,
warning letters. Depending on the specifics of the agreement, the users
will get one or two more warning letters before the ISP will start
limiting their internet access or potentially cutting them off
entirely. If you think this sounds suspiciously like what Europe just rejected, you're right.
And, of course, the RIAA still says it may sue those who don't stop file sharing after all of this. They're just backing away from the mass lawsuit filings that they've been doing.
Why this is still a bad deal
Okay, so over the past few weeks, recording industry defenders have said that we were jumping the gun in criticizing a potential plan because it wasn't final. Our point was that since the record labels claim they want a "conversation,"
these deals shouldn't be negotiated in backrooms not involving
substantial stakeholders. So what happened here? Yup, a backroom deal
was negotiated without any involvement from users. And it was done
under the direction of Andrew Cuomo, who just spent many months
browbeating ISPs into agreeing to censor content.
To read the remainder of the article
RIAA Abandoning Mass Lawsuits in Favor of Backroom Strikes Policy
Posted Michael Corey, Founder & CEO, Ntirety www.ntirety.com
Posted on Thu, Dec 18, 2008 @ 11:06 AM
This is a pretty important security bulletin. If you use Internet Explorer and go to a specially crafted web page you could be at real risk.....
Microsoft Security Bulletin MS08-078 - Critical
Security Update for Internet Explorer (960714)
Executive Summary
This security update
resolves a publicly disclosed vulnerability. The vulnerability could
allow remote code execution if a user views a specially crafted Web
page using Internet Explorer. Users whose accounts are configured to
have fewer user rights on the system could be less impacted than users
who operate with administrative user rights. This security update
is rated Critical for Internet Explorer 5.01, Internet Explorer 6,
Internet Explorer 6 Service Pack 1, and Internet Explorer 7. For
information about Internet Explorer 8 Beta 2, please see the section, Frequently Asked Questions (FAQ) Related to This Security Update. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The
security update addresses the vulnerability by modifying the way
Internet Explorer validates data binding parameters and handles the
error resulting in the exploitable condition. For more information
about the vulnerability, see the Frequently Asked Questions (FAQ)
subsection under the next section, Vulnerability Information.
This security update also addresses the vulnerability first described in Microsoft Security Advisory 961051.
Recommendation. Microsoft recommends that customers apply the update immediately.
Affected and Non-Affected Software
The
software listed here have been tested to determine which versions or
editions are affected. Other versions or editions are either past their
support life cycle or are not affected. To determine the support life
cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
Note For information about Internet Explorer 8 Beta 2, please see the section, Frequently Asked Questions (FAQ) Related to This Security Update.
Internet Explorer 5.01 Service Pack 4 when installed on Microsoft Windows 2000 Service Pack 4 | Critical Remote Code Execution | Critical
Internet Explorer 6 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4 | Critical Remote Code Execution | Critical
Internet Explorer 6 for Windows XP Service Pack 2 and Windows XP Service Pack 3 | Critical Remote Code Execution | Critical
Internet Explorer 6 for Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 | Critical Remote Code Execution | Critical
Internet Explorer 6 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 | Critical Remote Code Execution | Critical
Internet Explorer 6 for Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 | Critical Remote Code Execution | Critical
Internet Explorer 6 for Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems | Critical Remote Code Execution | Critical
Internet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service Pack 3 | Critical Remote Code Execution | Critical
Internet Explorer 7 for Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 | Critical Remote Code Execution | Critical
Internet Explorer 7 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 | Critical Remote Code Execution | Critical
Internet Explorer 7 for Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 | Critical Remote Code Execution | Critical
Internet Explorer 7 for Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems | Critical Remote Code Execution | Critical
Internet Explorer 7 in Windows Vista and Internet Explorer 7 in Windows Vista Service Pack 1 | Critical Remote Code Execution | Critical
Internet Explorer 7 in Windows Vista x64 Edition and Internet Explorer 7 in Windows Vista x64 Edition Service Pack 1 | Critical Remote Code Execution | Critical
Internet Explorer 7 in Windows Server 2008 for 32-bit Systems | Critical Remote Code Execution | Critical
Internet Explorer 7 in Windows Server 2008 for x64-based Systems | Critical Remote Code Execution | Critical
Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems | Critical Remote Code Execution | Critical
A
remote code execution vulnerability exists as an invalid pointer
reference in the data binding function of Internet Explorer. When data
binding is enabled (which is the default state), it is possible under
certain conditions for an object to be released without updating the
array length, leaving the potential to access the deleted object's
memory space. This can cause Internet Explorer to exit unexpectedly, in
a state that is exploitable. An attacker could exploit the
vulnerability by constructing a specially crafted Web page. When a user
views the Web page, the vulnerability could allow remote code
execution. An attacker who successfully exploited this vulnerability
could gain the same user rights as the logged-on user.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-4844.
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• By default, Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista and later helps protect users and their systems from malicious downloads by restricting requests to start another program or requests to save files without the user's consent. This includes user or system files and settings.
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
• Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones
You can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High.
To raise the browsing security level in Internet Explorer, follow these steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.
Note If no slider is visible, click Default Level, and then move the slider to High.
Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.
Impact of workaround. There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".
Add sites that you trust to the Internet Explorer Trusted sites zone
After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.
To do this, follow these steps:
1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet Explorer.
Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
You can help protect against exploitation of this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
To do this, follow these steps:
1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.
Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.
Impact of workaround. There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".
Add sites that you trust to the Internet Explorer Trusted sites zone
After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.
To do this, follow these steps:
1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet Explorer.
Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.

• Disable XML Island functionality

Warning If you use Registry Editor incorrectly, you may cause serious problems
that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using
Registry Editor incorrectly. Use Registry Editor at your own risk.

Create a backup copy of the registry keys by using the following command from an elevated command prompt:

    Regedit.exe /e Disable_XML_Island_backup.reg HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}

For Windows Vista and Windows Server 2008 only, take ownership
of [HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}], as
follows:
1. As an administrator, click Start, click Run, type Regedit in the Open box, and then click OK
2. Go to [HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}]
3. Click Permission, then Advanced, then Owner
4. Change Owner to Administrator
5. Click Grant Full Control to Administrator
6. Then iterate for all subkeys

Next, save the following to a file with a .REG extension, such as Disable_XML_Island.reg:

    Windows Registry Editor Version 5.00
    [-HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}]

Run Disable_XML_Island.reg with the following command from an elevated command prompt:

    Regedit.exe /s Disable_XML_Island.reg

Impact of workaround: Embedded XML in HTML may not render correctly.

How to undo the workaround
Restore the original state by running the following command from an elevated command prompt:

    Regedit.exe /s Disable_XML_Island_backup.reg

• Restrict Internet Explorer from using OLEDB32.dll with an Integrity Level ACL

This workaround applies only to Windows Vista and newer operating systems
and requires that UAC prompting and Protected Mode be enabled, which
are the default settings.

Save the following text to a temporary directory:

For 32-bit systems
Save to a text file called: "BlockAccess_x86.inf"

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [File Security]
    "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"

For 64-bit systems
Save to a text file called: "BlockAccess_x64.inf"

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [File Security]
    "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"
    "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"

Run the following command from the temporary directory as an Administrator:

    SecEdit /configure /db BlockAccess.sdb /cfg <inf file>

After the command completes, you should see the following messages:

    The task has completed successfully.
    See log %windir%\security\logs\scesrv.log for detail info.

Validating the workaround
To validate that the workaround was successfully applied, run the following commands at a command prompt:

For 32-bit systems

    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"

For 64-bit systems

    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
    icacls "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll"

Each time you run icacls, search through the output for the following line.

    Mandatory Label\Medium Mandatory Level:(NW,NR,NX)

Impact of workaround: Any ADO/OLE DB applications
running in Internet Explorer, which is not common, will stop
functioning. The impact is minimal since all other processes running in
Medium or higher integrity level would still be able to load the dll and use it.

How to undo the workaround
Save the following text to a temporary directory:

For 32-bit systems
Save to a text file called: "unBlockAccess_x86.inf"

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [File Security]
    "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NW;;;ME)"

For 64-bit systems
Save to a text file called: "unBlockAccess_x64.inf"

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [File Security]
    "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NW;;;ME)"
    "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NW;;;ME)"

Run the following command from the temporary directory as an Administrator:

    SecEdit /configure /db UnblockAccess.sdb /cfg <inf file>

After the command completes, you should see the following messages:

    The task has completed successfully.
    See log %windir%\security\logs\scesrv.log for detail info.

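The label strings in the .inf files above can be decoded mechanically. The following Python example is added here and is not part of the bulletin or of this blog: it parses the SDDL mandatory-label ACE, models the integrity check for a Low-integrity caller such as Protected Mode Internet Explorer, and looks for the validation line in icacls output. The function names and the sample icacls output are constructed for illustration.

```python
import re

# SDDL aliases for integrity-level SIDs with their RID values (higher = more trusted).
INTEGRITY = {
    "LW": ("Low", 0x1000),
    "ME": ("Medium", 0x2000),
    "HI": ("High", 0x3000),
    "SI": ("System", 0x4000),
}

# Mandatory-label policy flags and the access each denies to lower-integrity callers.
POLICY = {"NW": "write", "NR": "read", "NX": "execute"}

# The two label strings used in the .inf files of this workaround.
BLOCK_SDDL = "S:(ML;;NWNRNX;;;ME)"   # BlockAccess_*.inf
UNBLOCK_SDDL = "S:(ML;;NW;;;ME)"     # unBlockAccess_*.inf

# Constructed sample of icacls output after the workaround (not captured from a real host).
SAMPLE_ICACLS = r"""C:\Program Files\Common Files\System\Ole DB\oledb32.dll NT SERVICE\TrustedInstaller:(F)
    BUILTIN\Administrators:(RX)
    BUILTIN\Users:(RX)
    Mandatory Label\Medium Mandatory Level:(NW,NR,NX)
"""


def parse_mandatory_label(sddl):
    """Return (level_alias, policy_flags) for the mandatory-label ACE in an SDDL SACL."""
    sacl = re.search(r"S:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not sacl:
        raise ValueError("no SACL in %r" % sddl)
    for body in re.findall(r"\(([^()]*)\)", sacl.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, _flags, rights, _obj, _inherit_obj, sid = fields
        if ace_type != "ML":
            continue  # other SACL entries (audit ACEs) are not integrity labels
        if sid not in INTEGRITY:
            raise ValueError("unknown integrity level %r" % sid)
        flags = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        unknown = [f for f in flags if f not in POLICY]
        if unknown:
            raise ValueError("unknown label policy %r" % unknown)
        return sid, set(flags)
    raise ValueError("no mandatory-label ACE in %r" % sddl)


def denied_access(sddl, caller_level):
    """Accesses the label denies to a caller at integrity level `caller_level`.

    Models only the mandatory integrity check; the file's DACL is evaluated separately.
    """
    label, flags = parse_mandatory_label(sddl)
    if INTEGRITY[caller_level][1] >= INTEGRITY[label][1]:
        return set()  # caller is at or above the label, so the policy does not apply
    return {POLICY[f] for f in flags}


def icacls_label_line(sddl):
    """Render the label in the line format the validation step above tells you to look for."""
    label, flags = parse_mandatory_label(sddl)
    ordered = [f for f in ("NW", "NR", "NX") if f in flags]
    return "Mandatory Label\\%s Mandatory Level:(%s)" % (INTEGRITY[label][0], ",".join(ordered))


def workaround_applied(icacls_output):
    """True if the icacls output contains the label written by BlockAccess_*.inf."""
    wanted = icacls_label_line(BLOCK_SDDL)
    return any(line.strip() == wanted for line in icacls_output.splitlines())


if __name__ == "__main__":
    for name, sddl in (("block", BLOCK_SDDL), ("unblock", UNBLOCK_SDDL)):
        for level in ("LW", "ME"):
            print(name, INTEGRITY[level][0], sorted(denied_access(sddl, level)))
    print("workaround applied:", workaround_applied(SAMPLE_ICACLS))
```

With the blocking label, a Low-integrity caller is denied read and execute as well as write, so it cannot load the DLL, while a Medium-integrity process is unaffected; the undo label leaves only the no-write-up policy.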
• Disable Row Position functionality of OLEDB32.dll

Warning If you use Registry Editor incorrectly, you may cause serious problems
that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using
Registry Editor incorrectly. Use Registry Editor at your own risk.

Create a backup copy of the registry keys by using the following command from an elevated command prompt:

    Regedit.exe /e Disable_Row_Position_backup.reg HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}

For Windows Vista and Windows Server 2008 only, take ownership
of [HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}], as
follows:
1. As an administrator, click Start, click Run, type Regedit in the Open box, and then click OK
2. Go to [HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}]
3. Click Permission, then Advanced, then Owner
4. Change Owner to Administrator
5. Click Grant Full Control to Administrator
6. Then iterate for all subkeys

Next, save the following to a file with a .REG extension, such as Disable_Row_Position.reg:

    Windows Registry Editor Version 5.00
    [-HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}]

Run Disable_Row_Position.reg with the following command from an elevated command prompt:

    Regedit.exe /s Disable_Row_Position.reg

Impact of workaround: All ADO applications using the
RowPosition property and related information will stop functioning. All
OLE DB applications using the OLE DB Row Position Library will stop
functioning.

How to undo the workaround
Restore the original state by running the following command from an elevated command prompt:

    Regedit.exe /s Disable_Row_Position_backup.reg

• Unregister OLEDB32.DLL

Run the following commands from a command prompt as an administrator:

For supported versions of Windows 2000, Windows XP, Windows Server 2003,
Windows Vista, and Windows Server 2008 for 32-bit Systems

    Regsvr32.exe /u "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"

For supported versions of Windows XP Professional x64 Edition, Windows
Server 2003 x64 Edition, Windows Vista x64 Edition, Windows Server 2008
for x64-based Systems, and Windows Server 2008 for Itanium-based Systems

    Regsvr32.exe /u "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
    Regsvr32.exe /u "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll"

Impact of workaround:
All OLE DB and ADO applications will stop functioning. This includes
all ASP/ADO implementations, SQL Server linked services, .Net
applications using the System.Data.OLEDB namespace, and some Office
functionality that accesses external data.

How to undo the workaround
Run the following commands from a command prompt as an administrator:

For supported versions of Windows 2000, Windows XP, Windows Server 2003,
Windows Vista, and Windows Server 2008 for 32-bit Systems

    Regsvr32.exe "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"

For supported versions of Windows XP Professional x64 Edition, Windows
Server 2003 x64 Edition, Windows Vista x64 Edition, Windows Server 2008
for x64-based Systems, and Windows Server 2008 for Itanium-based Systems

    Regsvr32.exe "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
    Regsvr32.exe "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll"

• Use ACL to disable OLEDB32.DLL

Run the following commands from a command prompt as an administrator:

For supported versions of Windows 2000, Windows XP, and Windows Server 2003

    cacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /E /P everyone:N

For supported versions of Windows XP Professional x64 Edition, Windows
Server 2003 x64 Edition, and Windows Server 2003 for Itanium-based
Systems

    cacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /E /P everyone:N
    cacls "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll" /E /P everyone:N

For supported versions of Windows Vista and Windows Server 2008 for 32-bit Systems

    takeown /f "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /save %TEMP%\oledb32.32.dll.TXT
    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /deny everyone:(F)

For supported versions of Windows Vista x64 Edition, Windows Server 2008
for x64-based Systems, and Windows Server 2008 for Itanium-based Systems

    takeown /f "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /save %TEMP%\oledb32.64.dll.TXT
    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /deny everyone:(F)
    takeown /f "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll"
    icacls "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll" /save %TEMP%\oledb32.32.dll.TXT
    icacls "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll" /deny everyone:(F)

Impact of workaround:
All OLE DB and ADO applications will stop functioning. This includes
all ASP/ADO implementations, SQL Server linked services, .Net
applications using the System.Data.OLEDB namespace, and some Office
functionality that accesses external data.

How to undo the workaround
Run the following commands from a command prompt as an administrator:

For supported versions of Windows 2000, Windows XP, and Windows Server 2003

    cacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /E /R everyone

For supported versions of Windows XP Professional x64 Edition, Windows
Server 2003 x64 Edition, and Windows Server 2003 for Itanium-based
Systems

    cacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /E /R everyone
    cacls "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll" /E /R everyone

For supported versions of Windows Vista and Windows Server 2008 for 32-bit Systems:

    icacls "%ProgramFiles%\Common Files\System\Ole DB" /restore %TEMP%\oledb32.32.dll.TXT

For supported versions of Windows Vista x64 Edition, Windows Server 2008
for x64-based Systems, and Windows Server 2008 for Itanium-based Systems

    icacls "%ProgramFiles%\Common Files\System\Ole DB" /restore %TEMP%\oledb32.64.dll.TXT
    icacls "%ProgramFiles(x86)%\Common Files\System\Ole DB" /restore %TEMP%\oledb32.32.dll.TXT

• Enable DEP for Internet Explorer 7 on Windows Vista and on Windows Server 2008

Local Administrators can control DEP/NX by running Internet Explorer as an
Administrator. To enable DEP, perform the following steps:
1. In Internet Explorer, click Tools, click Internet Options, and then click Advanced.
2. Click Enable memory protection to help mitigate online attacks.

Impact of workaround:
Some browser extensions may not be compatible with DEP and may exit
unexpectedly. If this occurs, you can disable the add-on, or revert the
DEP setting using the Internet Control Panel. This is also accessible
using the System Control panel.

• Disable Data Binding support in Internet Explorer 8 Beta 2

Perform the following steps:
1. Set Internet and Local Intranet security zone settings to High.
2. Save the following to a file with a .REG extension, such as Disable_Data_Binding.reg to add the feature control key:

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DATABINDING_SUPPORT]
    "iexplore.exe"=dword:00000000

3. Run Disable_Data_Binding.reg with the following command from an elevated command prompt:

    Regedit.exe /s Disable_Data_Binding.reg

Impact of workaround:
This workaround turns off data binding for all security zones. Any
accessed Web sites that use data binding will no longer render properly.

How to undo the workaround
Use the following registry file to remove the feature control key:

    Windows Registry Editor Version 5.00
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DATABINDING_SUPPORT]

What is the scope of the vulnerability?
This
is a remote code execution vulnerability. An attacker who successfully
exploited this vulnerability could gain the same user rights as the
logged-on user. If a user is logged on with administrative user
rights, an attacker who successfully exploited this vulnerability could
take complete control of an affected system. An attacker could then
install programs; view, change, or delete data; or create new accounts
with full user rights. Users whose accounts are configured to have
fewer user rights on the system could be less impacted than users who
operate with administrative user rights.

What causes the vulnerability?
The
vulnerability exists as an invalid pointer reference in the data
binding function of Internet Explorer. When data binding is enabled
(which is the default state), it is possible under certain conditions
for an object to be released without updating the array length, leaving
the potential to access the deleted object's memory space. This can
cause Internet Explorer to exit unexpectedly, in a state that is
exploitable. As a result, memory may be corrupted in such a way that an
attacker could execute arbitrary code in the context of the logged-on
user.

What might an attacker use the vulnerability to do?
An
attacker who successfully exploited the remote code execution
vulnerability could gain the same user rights as the local user. Users
whose accounts are configured to have fewer user rights on the system
could be less impacted than users who operate with administrative user
rights.

How could an attacker exploit the vulnerability?
An
attacker could host a specially crafted Web site that is designed to
exploit this vulnerability through Internet Explorer and then convince
a user to view the Web site. The attacker could also take advantage of
compromised Web sites and Web sites that accept or host user-provided
content or advertisements. These Web sites could contain specially
crafted content that could exploit this vulnerability. In all cases,
however, an attacker would have no way to force users to visit these
Web sites. Instead, an attacker would have to convince users to visit
the Web site, typically by getting them to click a link in an e-mail
message or in an Instant Messenger message that takes users to the
attacker's Web site. It could also be possible to display specially
crafted Web content by using banner advertisements or by using other
methods to deliver Web content to affected systems.

What systems are primarily at risk from the vulnerability?
This
vulnerability requires that a user is logged on and reading e-mail
messages or is visiting Web sites for any malicious action to occur.
Therefore, any systems where e-mail messages are read or where Internet
Explorer is used frequently, such as workstations or terminal servers,
are at the most risk from this vulnerability. Servers could be at more
risk if administrators allow users to browse and read e-mail on
servers. However, best practices strongly discourage allowing this.

Which of the workarounds should I apply to my system in order to be protected?
Based on our investigation, setting the Internet zone security setting to High
will protect users from known attacks. However, for the most effective
protection, customers should evaluate a combination of using the High security setting in conjunction with one of the following workarounds.
• Disable XML Island functionality
• Restrict Internet Explorer from using OLEDB32.dll with an Integrity Level ACL
• Disable Row Position functionality of OLEDB32.dll
• Unregister OLEDB32.dll
• Use ACL to disable OLEDB32.dll

For additional workaround details, please see the following post: . Each
of these workarounds is equally effective in protecting customers;
however, each workaround has different impacts based on the environment
in which they are applied. We encourage customers to evaluate which of
the workarounds would be least impactful to their environment, based on
the impact statements included with each workaround.

How does configuring the Internet zone security setting to High protect me from this vulnerability?
Setting the Internet zone security setting to High
protects against all currently known exploits of this vulnerability by
disabling scripting, disabling less secure features in Internet
Explorer, and blocking known techniques used to bypass Data Execution
Prevention (DEP). It is important to note that the vulnerable code may
be reached even with these protections in place; however, current
attacks would not be successful with these workarounds in place.

How does Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 on Windows Vista and later protect me from this vulnerability?
Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista run in Protected Mode
by default in the Internet security zone. (Protected Mode is off by
default in the Intranet zone.) Protected Mode significantly reduces the
ability of an attacker to write, alter, or destroy data on the user’s
machine or to install malicious code. This is accomplished by using the
integrity mechanisms of Windows Vista which restrict access to
processes, files, and registry keys with higher integrity levels.

What is Data Execution Prevention (DEP)?
Data
Execution Prevention (DEP) is included in Internet Explorer; disabled
by default in Internet Explorer 7, and enabled by default in Internet
Explorer 8 Beta 2. DEP is designed to help foil attacks by preventing
code from running in memory that is marked non-executable. For more
information about DEP in Internet Explorer, please see the following
post: http://blogs.msdn.com/ie/archive/2008/04/08/ie8-security-part-I_3A00_-dep-nx-memory-protection.aspx.
Recently, proof of concept code was published that demonstrates methods
to bypass DEP. However, the workarounds included in this bulletin, of
setting the security slider to High as well as applying one of the OLEDB32.dll workarounds, are still effective in blocking current attacks.

What does the update do?
The
security update addresses the vulnerability by modifying the way
Internet Explorer validates data binding parameters and handles the
error resulting in the exploitable condition.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2008-4844.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.

Manage
the software and security updates you need to deploy to the servers,
desktop, and mobile computers in your organization. For more
information see the TechNet Update Management Center. The Microsoft TechNet Security Web site provides additional information about security in Microsoft products. Security updates are available from Microsoft Update, Windows Update, and Office Update. Security updates are also available at the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update." Finally, security updates can be downloaded from the Microsoft Update Catalog.
The Microsoft Update Catalog provides a searchable catalog of content
made available through Windows Update and Microsoft Update, including
security updates, drivers and service packs. By searching using the
security bulletin number (such as, “MS08-010”), you can add all of the
applicable updates to your basket (including different languages for an
update), and download to the folder of your choosing. For more
information about the Microsoft Update Catalog, see the Microsoft Update Catalog FAQ.

Detection and Deployment Guidance
Microsoft
has provided detection and deployment guidance for this month’s
security updates. This guidance will also help IT professionals
understand how they can use various tools to help deploy the security
update, such as Windows Update, Microsoft Update, Office Update, the
Microsoft Baseline Security Analyzer (MBSA), the Office Detection Tool,
Microsoft Systems Management Server (SMS), and the Extended Security
Update Inventory Tool. For more information, see Microsoft Knowledge Base Article 910723.

Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local
and remote systems for missing security updates as well as common
security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer.

The following table provides the MBSA detection summary for this security update.

Microsoft Windows 2000 Service Pack 4 | Yes
Windows XP Service Pack 2 and Windows XP Service Pack 3 | Yes
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 | Yes
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 | Yes
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 | Yes
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems | Yes
Windows Vista and Windows Vista Service Pack 1 | Yes
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 | Yes
Windows Server 2008 for 32-bit Systems | Yes
Windows Server 2008 for x64-based Systems | Yes
Windows Server 2008 for Itanium-based Systems | Yes

For more information about MBSA 2.1, see MBSA 2.1 Frequently Asked Questions.

Windows Server Update Services
By
using Windows Server Update Services (WSUS), administrators can deploy
the latest critical updates and security updates for Windows 2000
operating systems and later, Office XP and later, Exchange Server 2003,
and SQL Server 2000 to Windows 2000 and later operating systems. For
more information about how to deploy this security update using Windows
Server Update Services, visit the Windows Server Update Services Web site.

Systems Management Server
The following table provides the SMS detection and deployment summary for this security update.

Microsoft Windows 2000 Service Pack 4 | Yes | Yes | Yes | Yes
Windows XP Service Pack 2 and Windows XP Service Pack 3 | Yes* | Yes* | Yes | Yes
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 | No | No | Yes | Yes
Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 Service Pack 2 | Yes* | Yes* | Yes | Yes
Windows Server 2003 x64 Edition and Microsoft Windows Server 2003 x64 Edition Service Pack 2 | No | No | Yes | Yes
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems | No | No | Yes | Yes
Windows Vista and Windows Vista Service Pack 1 | No | No | See Note for Windows Vista and Windows Server 2008 below | Yes
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 | No | No | See Note for Windows Vista and Windows Server 2008 below | Yes
Windows Server 2008 for 32-bit Systems | No | No | See Note for Windows Vista and Windows Server 2008 below | Yes
Windows Server 2008 for x64-based Systems | No | No | See Note for Windows Vista and Windows Server 2008 below | Yes
Windows Server 2008 for Itanium-based Systems | No | No | See Note for Windows Vista and Windows Server 2008 below | Yes

*SMS 2.0 and SMS 2003 with SUSFP support all affected versions of Internet
Explorer except for Internet Explorer 7. For more information, see Microsoft Knowledge Base Article 924178.

For SMS 2.0 and SMS 2003, the SMS SUS Feature Pack (SUSFP), which includes
the Security Update Inventory Tool (SUIT), can be used by SMS to detect
security updates. See also Downloads for Systems Management Server 2.0.

For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can
be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 ITMU, see SMS 2003 Inventory Tool for Microsoft Updates.
SMS 2003 can also use the Microsoft Office Inventory Tool to detect
required updates for Microsoft Office applications. For more
information about the Office Inventory Tool and other scanning tools,
see SMS 2003 Software Update Scanning Tools. See also Downloads for Systems Management Server 2003.

System Center Configuration Manager 2007 uses WSUS 3.0 for detection of
updates. For more information about Configuration Manager 2007 Software
Update Management, visit System Center Configuration Manager 2007.

Note for Windows Vista and Windows Server 2008
Microsoft Systems Management Server 2003 with Service Pack 3 includes
support for Windows Vista and Windows Server 2008 manageability.

For more information about SMS, visit the SMS Web site. For more detailed information, see Microsoft Knowledge Base Article 910723: Summary list of monthly detection and deployment guidance articles.

Update Compatibility Evaluator and Application Compatibility Toolkit
Updates
often write to the same files and registry settings required for your
applications to run. This can trigger incompatibilities and increase
the time it takes to deploy security updates. You can streamline
testing and validating Windows updates against installed applications
with the Update Compatibility Evaluator components included with Application Compatibility Toolkit 5.0. The
Application Compatibility Toolkit (ACT) contains the necessary tools
and documentation to evaluate and mitigate application compatibility
issues before deploying Microsoft Windows Vista, a Windows Update, a
Microsoft Security Update, or a new version of Windows Internet
Explorer in your environment.
Microsoft Security Bulletin MS08-078 - Critical
Posted Michael Corey, Founder & CEO, Ntirety www.ntirety.com
Posted on Thu, Dec 11, 2008 @ 09:51 PM
Compliancy requirements are a real issue for today’s companies. If you are publicly traded you fall under the Sarbanes-Oxley Act (Public Company Accounting Reform and Investor Protection Act of 2002). If you are in healthcare you fall under the Health Insurance Portability and Accountability Act (HIPAA). If you process credit cards you must meet the requirements of the Payment Card Industry (PCI) Compliance. New compliancy requirements come up all the time. Massachusetts just passed a law that could affect your business. This new 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth comes into effect in 2009.
For example, if you are a business in California that takes credit card information on a Massachusetts resident, then you must meet the requirements of this new law. Joseph J. Laferrera, a lawyer at Gesmer Updegrove LLP in Boston, authored a great whitepaper on this new law.
New Data Security Regulations Have Sweeping Implications For Massachusetts Businesses
SQL Server 2008 Compliance Guide
Microsoft has published a SQL Server 2008 Compliance guide to help you.
Brief Description
This paper provides an overview of how to approach compliance for the management of the SQL Server database. It describes the compliance-related features of SQL Server 2008 and how to apply them to IT controls. This paper includes tips and scripts to help jump-start compliance solution development.
Overview
Organizations across the globe are being inundated with regulatory requirements. They also have a strong need to better manage their IT systems to ensure they are operating efficiently and staying secure. Microsoft is often asked to provide guidance and technology to assist organizations struggling with compliance. The SQL Server 2008 Compliance Guidance white paper was written to help organizations and individuals understand how to use the features of the Microsoft® SQL Server® 2008 database software to address their compliance needs. This paper serves as an accompaniment to the SQL Server 2008 compliance software development kit (SDK), which provides sample code and guidance for understanding SQL Server 2008 compliance features and using them for developing solutions. To Get a copy of the Guide:
SQL Server 2008 compliance Guide
Posted Michael Corey, Founder & CEO, Ntirety www.ntirety.com
Posted on Tue, Dec 09, 2008 @ 11:53 AM
It's amazing the many ways people can think of to steal your identity. If you think it cannot happen to you, think again. My 19 year old son had his identity stolen; I would not have thought him a target. I will reference at the end of this blog some useful security information. Here is an email I received:
Here Is The Latest Scam To Steal Your Identity
This has been verified by the FBI (their link is also included below). Please pass this on to everyone in your email address book. It is spreading fast so be prepared should you get this call. Most of us take those summonses for jury duty seriously, but enough people skip out on their civic duty, that a new and ominous kind of fraud has surfaced.
The caller claims to be a jury coordinator. If you protest that you never received a summons for jury duty, the scammer asks you for your.... Here is the Scam
Social Security number and date of birth so he/she can verify the information and cancel the arrest warrant. Give out any of this information and bingo; your identity was just stolen. The fraud has been reported so far in 11 states, including Oklahoma, Illinois, and Colorado. This (swindle) is particularly insidious because they use intimidation over the phone to try to bully people into giving information by pretending they are with the court system. The FBI and the federal court system have issued nationwide alerts on their web sites, warning consumers about the fraud.
Check it out here: Link to FBI Site Validation of Scam
Here is what was posted on the FBI site...
THE VERDICT: HANG UP
Don't Fall for Jury Duty Scam
06/02/06
The phone rings, you pick it up, and the caller identifies himself as
an officer of the court. He says you failed to report for jury duty and
that a warrant is out for your arrest. You say you never received a
notice. To clear it up, the caller says he'll need some information for
"verification purposes"-your birth date, social security number, maybe
even a credit card number.
This is when you should hang up the phone.
It's a scam.
Jury scams have been around for years, but have seen a resurgence in recent months. Communities in more than a dozen states have issued public warnings about cold calls from people claiming to be court officials seeking personal information. As a rule, court officers never ask for confidential information over the phone; they generally correspond with prospective jurors via mail.
The scam's bold simplicity may be what makes it so effective. Facing the unexpected threat of arrest, victims are caught off guard and may be quick to part with some information to defuse the situation. "They get you scared first," says a special agent in the Minneapolis field office who has heard the complaints. "They get people saying, 'Oh my gosh! I'm not a criminal. What's going on?'" That's when the scammer dangles a solution - a fine, payable by credit card, that will clear up the problem.
With enough information, scammers can assume your identity and empty your bank accounts.
"It seems like a very simple scam," the agent adds. The trick is putting people on the defensive, then reeling them back in with the promise of a clean slate. "It's kind of ingenious. It's social engineering."
In recent months, communities in Florida, New York, Minnesota, Illinois, Colorado, Oregon, California, Virginia, Oklahoma, Arizona, and New Hampshire reported scams or posted warnings or press releases on their local websites. In August, the federal court system issued a warning on the scam and urged people to call their local District Court office if they receive suspicious calls. In September, the FBI issued a press release about jury scams and suggested victims also contact their local FBI field office.
In March, USA.gov, the federal government’s information website, posted details about jury scams in their Frequently Asked Questions area. The site reported scores of queries on the subject from website visitors and callers seeking information.
The jury scam is a simple variation of the identity-theft ploys that have proliferated in recent years as personal information and good credit have become thieves' preferred prey, particularly on the Internet. Scammers might tap your information to make a purchase on your credit card, but could just as easily sell your information to the highest bidder on the Internet's black market.
Protecting yourself is the key: Never give out personal information when you receive an unsolicited phone call.
Useful Blog on what to do if your Identity is Stolen
Identity Theft Hits Home Lessons Learned
Posted Michael Corey, Founder & CEO, Ntirety www.ntirety.com
Posted on Sun, Dec 07, 2008 @ 03:35 PM
It's amazing what is out on the Internet if you know where to look. I am an avid iPod user. I use it every day. I have been thinking about getting an iPhone. When I saw this latest article from the BBC News it immediately caught my attention.
Wireless turns iPod into a phone
A freeware application for the iPod Touch can turn the music player into a virtual mobile phone.
Truphone uses wi-fi technology in an iPod Touch to allow users to make calls to other iPod Touch owners and Google Talk's messaging service users.
The software is a spin-off from technology Truphone developed for smartphones and iPhones.
The developers plan to have the ability to make calls to and from landlines in place very soon.
Truphone is the latest firm to offer voice over internet protocol (VoIP), alongside Unlicensed Mobile Access and proprietary protocols such as Skype.
Geraldine Wilson - Truphone's CEO - said the firm had ambitions to become a global internet player.
"There are a slew of new features we're rolling out for the iPod Touch that will let users call landlines, Skype users or send instant messages. We're talking weeks, not months, before these go live."
Although Truphone technology can, in theory, work on any mobile device, the firm is concentrating on devices that have an application store.
To read the entire article....
Wireless turns iPod into a Phone
Posted Michael Corey, Founder & CEO, Ntirety www.ntirety.com
Posted on Fri, Dec 05, 2008 @ 09:57 PM
Ever wonder what the difference is between SQL Server 2008 Enterprise Edition and SQL Server 2008 Standard Edition? Well, Microsoft has published a document that provides such a comparison. At the end of this blog is a link so you can get the entire document. Here are a few highlights from the document:
SQL Server 2008 Enterprise
SQL Server 2008 Enterprise is a comprehensive data platform for running mission critical online transaction processing (OLTP), data warehousing (DW) and business intelligence (BI) applications. SQL Server 2008 Enterprise provides enterprise class scalability, high availability and security to meet the high demands of these applications. Enterprise is ideally suited for the following usage scenarios:
- Mission critical deployments requiring high availability and uptime
- Existing large scale OLTP deployments
- OLTP deployments that expect to grow rapidly in the future
- Large scale reporting and analysis deployments
- Data Warehousing
- Server Consolidation
SQL Server 2008 Standard
SQL Server 2008 Standard is a full featured data platform for running departmental online transaction processing (OLTP) and business intelligence (BI) applications. SQL Server 2008 Standard provides best-in-class ease of use and manageability for running departmental applications. Standard is ideally suited for the following usage scenarios:
- Departmental deployments
- Small to medium scale OLTP deployments
- OLTP deployments that are not expected to rapidly grow in the future
- Reporting and analysis deployments
The table below provides a high level comparison of the key capabilities between SQL Server 2008 Enterprise and Standard: 
To obtain the entire report, with lots of really useful information..... SQL Server 2008 Enterprise/Standard Comparison
Posted Michael Corey, Founder & CEO, Ntirety www.ntirety.com
Posted on Thu, Dec 04, 2008 @ 10:36 PM
On Saturday November 29th, I reported on my blog the Microsoft Yahoo talks were back on. I am sure this will go back and forth for a while. It does not surprise me that Microsoft has tapped a senior executive from Yahoo for such a key position at Microsoft. Yahoo better be careful, Microsoft might go forward without them, and do it all themselves. As a Yahoo shareholder I would hate to see that happen.
Here is a copy of the Microsoft Press Release:
Microsoft Appoints Dr. Qi Lu to Run Online Services Group
Yahoo! veteran to oversee Internet offerings for consumers, advertisers and publishers.
REDMOND, Wash. — Dec. 4, 2008 — Microsoft Corp. today announced that Dr. Qi Lu will join the company as president of the Online Services Group. Dr. Lu will lead Microsoft’s efforts in search and online advertising and all the company’s online information and communications services. Dr. Lu will report to Microsoft Chief Executive Officer Steve Ballmer.
Lu, 47, most recently served as executive vice president of Engineering for the Search and Advertising Technology Group at Yahoo!, where he was responsible for development efforts around Yahoo!’s Web search and monetization platforms. Dr. Lu left Yahoo! in August 2008 after 10 years of service.
“I am tremendously excited to welcome Qi to Microsoft,” Ballmer said. “Dr. Lu’s deep technical expertise, leadership capabilities and hard-working mentality are well-known in the technology industry, and Microsoft will benefit from his addition to our executive management team.”
“I am genuinely excited about the opportunities ahead for Microsoft to make an enormous impact on the online industry,” Dr. Lu said. “Microsoft has built a great foundation for its search and advertising technologies and put an amazing team of researchers and engineers in place to drive the next wave of innovation in online services. I’m looking forward to working with them to help transform the way people and businesses use the Internet to find and share information.”
Before his most recent role at Yahoo!, Lu was vice president of engineering responsible for the technology development of Yahoo!’s Search and Marketplace business unit, which includes the company’s search, e-commerce, and local listings of businesses and products.
Before joining Yahoo! in 1998, Dr. Lu was a Research Staff Member at IBM Almaden Research Center. Before IBM, Dr. Lu worked at Carnegie Mellon University as a Research Associate, and at Fudan University in China as a faculty member. Dr. Lu holds 20 U.S. patents, and received his bachelor of science and master of science in computer science from Fudan University and his Ph.D. in computer science from Carnegie Mellon University.
Lu’s first day at Microsoft will be Jan. 5, 2009. In his role running the Online Services Group, he will oversee several groups including the Advertiser & Publisher Solutions business, managed by Scott Howe who was promoted to corporate vice president; the Online Audience business, managed by Senior Vice President Yusuf Mehdi; OSG Research & Development, managed by Senior Vice President Satya Nadella; and OSG Finance, managed by Rik van der Kooi who was promoted to corporate vice president.
With the successful integration of aQuantive now complete, Brian McAndrews, former CEO of aQuantive and senior vice president of Microsoft’s Advertiser & Publisher Solutions Group, has decided to transition out of Microsoft, and will do so over the next several months, serving in a consultative capacity to Steve Ballmer and Qi Lu during that time.
“Brian McAndrews built a world-class business for advertisers and publishers and led the successful integration of aQuantive into Microsoft, setting the foundation for our next phase of growth,” Ballmer said. “While I am sorry to see Brian leave the company, I respect and understand his decision and wish him nothing but the best in the future.”
“I also want to congratulate Scott and Rik on their well-deserved promotions and look forward to their leadership in the Online Services Group alongside Qi, Yusuf and Satya,” Ballmer said.
As part of today’s announcement, several teams will move to further align resources. The field sales organizations in the Online Services Group will move to Microsoft’s centralized Sales, Marketing and Services Group led by chief operating officer Kevin Turner. This group, called Consumer & Online, will be led by Corporate Vice President Darren Huston and will include the Global Advertising Sales and Services organization, led by vice president Bill Shaughnessy.
Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.
Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass on Microsoft’s corporate information pages. Web links, telephone numbers and titles were correct at time of publication, but may since have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://www.microsoft.com/presspass/contactpr.mspx.
To go to the original Microsoft Press Release...
Microsoft Appoints Dr. Qi Lu to Run Online Services Group
Fresh Off the Press From Microsoft. December 10th
New President of Online Services Group Sees Chance to Make Impact at Microsoft
Q&A: Qi Lu discusses what attracted him to Microsoft and how he plans to boost the company’s efforts in online search and advertising.
REDMOND, WASH. – Dec. 10, 2008 – On Dec. 4, Microsoft announced Qi Lu had been hired as president of the Online Services Group. Lu will lead Microsoft’s efforts to expand and strengthen its search and online advertising efforts.
Lu comes to Microsoft four months after leaving Yahoo!, where he most recently held the position of executive vice president of Engineering for the Search and Advertising Technology Group. During his 10 years at Yahoo, Lu gained a reputation as top-tier technologist and superb manager. Before joining Yahoo! in 1998, Lu was a Research Staff Member at IBM’s Almaden Research Center. He also has worked at Carnegie Mellon University as a Research Associate and at Fudan University in China as a faculty member. Lu holds 20 U.S. patents, and received his Bachelor of Science and Master of Science in computer science from Fudan University in Shanghai, and his Ph.D. in computer science from Carnegie Mellon University in Pittsburgh, Pa.
PressPass spoke with Lu shortly after the announcement of his new position.
PressPass: Why Microsoft? What was behind your decision to take this new role?
Photo caption: Dr. Qi Lu speaks to Microsoft employees at a Town Hall event on Dec. 8 in Redmond, Wash. Lu will join Microsoft as president of the Online Services Group effective Jan. 5, 2009.
Lu: For me, the answer is impact. In my professional career the biggest motivating factor for me is always being in a position to have great impact in what I do. I'm always interested in being in a position or in a place to build the technologies, products or businesses that enable our customers, our users, to be able to do more and be more.
I cannot think of a better platform to have an impact than this position at Microsoft, because we have tremendous opportunities ahead to achieve great impact for our users, our customers and our industry. That's why I'm very excited about this opportunity.
PressPass: When you say you can have an impact through Microsoft, what is it you mean?
Lu: Specifically, it’s the strength of technology and the talent at Microsoft – along with a broad-based online audience, the foundations of its search products and the assets in our advertising platforms. All those things enable our products and our businesses to reach vast numbers of users and customers so we can make a tremendous contribution to our industry as a whole.
PressPass: When you were at Yahoo!, how do you view Microsoft as a competitor?
Lu: I’ve always had a great deal of respect for Microsoft as a company. In my view, Microsoft is one of the most, if not the most, successful companies in terms of value creation, and in terms of producing technology and products that transform society. In my view, Microsoft is a company that really brought computing to every household, and that created a tremendous amount of value to the users and to the overall economy.
As a competitor, you never cut out Microsoft. They keep coming at you. In that way, I’ve always held Microsoft in very high regard. Also, the people at Microsoft are extraordinary technologists – extremely capable, bright individuals. So, from the standpoint of looking in from the outside, there is tremendous strength in the core talent of Microsoft’s R&D. In my view, this is one of the key foundations of building winning products and winning business in the marketplace.
PressPass: Steve Ballmer recruited you to join Microsoft. How did he make his pitch?
Lu: Steve and I first met last September, in a hotel in San Jose, California. We spent almost half a day talking. We talked about the competitive landscape, about the possibility to really innovate and take the user experience [of Microsoft’s search capabilities] to the next level, and about creating a more competitive space, particularly in the search space. We all believe that it's better for everybody involved when we have a healthy, more competitive environment.
Two things he said really stood out. First was the level of commitment on investment. Steve made it very clear how he views that as critical for the long-term future of Microsoft, and his strong commitment to invest in R&D resources is very, very important to me.
The other thing Steve said that helped convince me this was the right thing for me to do was his commitment to product quality, because you compete in the marketplace on the strength of the product that you bring to the market. You must have a strong commitment to protect the quality of the user experience in the product that you build.
PressPass: When you look broadly at the search space, what sorts of trends do you see playing out over the next year or two?
Lu: There are tremendous opportunities for product innovation, and there are several key forces that are driving us towards that.
One is the advent of more powerful computing infrastructures, [such as] cloud computing infrastructures that enable R&D teams to go through a vast amount of data and find and fix problems very, very quickly. This enables teams to improve the product quality at a much faster rate, and also will help us better understand user intent when they do a search. And the more we understand user intent, the more we can present better search results and an overall search experience that is dramatically improved from where we are today, whether it's through better completion of a particular task or the discovery of very useful and interesting information.
Another trend is the Web as a platform for publishing all sorts of content. There is more and more rich and fresh content, and more engaging social content. So, there is a lot more material to work with. If we're able to understand user intent better, and combine that with the richer content available out there, we will be able to produce a very engaging search experience.
PressPass: Where do you see the opportunities for Microsoft in the search and online space?
Lu: First, I think there is a genuine opportunity to take our search products to the next level. I see that Microsoft's search product quality is improving at a very, very fast rate, that there are great foundations there. And with the technology base, the talent base, the computing infrastructures, I'm confident that we will be in a position to produce a differentiated and compelling search experience.
The second opportunity is to continue building a very powerful advertising platform. Microsoft has made a series of strategic acquisitions, and also built a bunch of internal technologies and products. The key is to put all those assets together to build powerful, highly scalable advertising platforms. The advertising we see today will be very different in the future because of new platforms for it. Ads will be truly relevant and useful, and the experience will be compelling.
PressPass: Whenever anyone talks about competition in search, the target always is Google. Are they catchable?
Lu: Well, we're here to win, and my view on this is that to win in the search space, fundamentally you build on the strengths of your product. And we know what it takes to build a compelling user experience and winning product, which is to have a powerful infrastructure, great talent and put great processes in place so that we can out-develop, out-market, out-innovate our competitors.
But make no mistake; I think Google is a very, very powerful company. They are definitely ahead in the search space. There are a lot of challenges ahead. We've got our work cut out for us.
PressPass: You begin your new job January 5. What will be your first priority?
Lu: I would say hit the gym first. That's actually literally what I do first. Usually I get up reasonably early and try to hit the gym.
But seriously, I'm very much looking forward to hit the ground running. I will try to meet with lots of people, teams, individuals, and work very closely with my directs, my staff and their direct staff to try to get up to speed as fast as I can. I want to make sure the whole organization is very clear on what we are trying to hit, and is energized about our mission and our goals. We have a clear path from where we are today, to where we need to be, and to reach that next level we need to keep executing and building winning products.
Posted Michael Corey, Founder & CEO, Ntirety www.ntirety.com
Posted on Mon, Dec 01, 2008 @ 01:27 AM
Should We Bail Out the Auto Industry?
Should we bail out the Auto Industry, should we not? Not. My friends and I go round and round on this issue. There are a lot of jobs at stake here. I get it!!! I also see a lot of companies with their hands out who don’t get it. It really bothers me that they came flying in their corporate jets to ask for the money. When times are tough, it means we all make adjustments. We suck it up.
I have 3 people in my household attending college right now. Money is very tight. A college education is a very expensive undertaking. To help get by we have made adjustments in the way we live. Everything from making sure we shut lights off at night, to save on the electricity bill, to taking much more modest vacations, to making do with what we have or doing without. Showing up in Washington D.C. via the corporate jet tells me they don’t get it. They have not taken a serious look at their companies and found ways where they can cut back and cut costs. It starts at the top and permeates all the way to the bottom. If senior management wasn’t serious about cutting back, why would anyone else in the company be serious about it? At times of great crisis in the United States, we have had real leaders rise to the occasion. I hope the elected officials set their political views aside and do what is best for America.
Bankruptcy Is not the End of the U.S. Auto Industry, It is a new Beginning.
The U.S. auto industry is not competitive today. Handing over Tax Payer dollars to continue business as usual is a huge mistake. It may buy us a few years, it may save a few jobs for a while; eventually it is doomed to failure as it exists and operates today.

Going into Bankruptcy is a chance for the industry to restructure itself and thrive moving forward. It’s a chance to rewrite Union contracts so the U.S. Auto Industry can be competitive again. It’s a chance to rewrite Management packages so they make sense. It’s a complete restructure of the business and if the stakeholders don’t work together, they all lose. Until the U.S. Auto industry has taken the time to make those changes they have no right to ask the Tax Payers to bail them out. A perfect example is the corporate jets. Perhaps it is more cost effective for a U.S. Auto maker to have a fleet of jets, on the other hand perhaps they should be sold off. I feel Bankruptcy is the path needed to help this industry get back to long-term viable health.
Mitt Romney was a past Governor of Massachusetts. Mitt made a lot of money knowing what companies to invest in and what companies not to invest in. He recently posted an opinion that was picked up by the N.Y. Times. Here is a portion of that article….
Op-Ed Contributor
Let Detroit Go Bankrupt
By MITT ROMNEY
Published: November 18, 2008
IF General Motors, Ford and Chrysler get the bailout that their chief executives asked for yesterday, you can kiss the American automotive industry goodbye. It won’t go overnight, but its demise will be virtually guaranteed.
Without that bailout, Detroit will need to drastically restructure itself. With it, the automakers will stay the course — the suicidal course of declining market shares, insurmountable labor and retiree burdens, technology atrophy, product inferiority and never-ending job losses. Detroit needs a turnaround, not a check.
I love cars, American cars. I was born in Detroit, the son of an auto chief executive. In 1954, my dad, George Romney, was tapped to run American Motors when its president suddenly died. The company itself was on life support — banks were threatening to deal it a death blow. The stock collapsed. I watched Dad work to turn the company around — and years later at business school, they were still talking about it. From the lessons of that turnaround, and from my own experiences, I have several prescriptions for Detroit’s automakers.
First, their huge disadvantage in costs relative to foreign brands must be eliminated. That means new labor agreements to align pay and benefits to match those of workers at competitors like BMW, Honda, Nissan and Toyota. Furthermore, retiree benefits must be reduced so that the total burden per auto for domestic makers is not higher than that of foreign producers.
That extra burden is estimated to be more than $2,000 per car. Think what that means: Ford, for example, needs to cut $2,000 worth of features and quality out of its Taurus to compete with Toyota’s Avalon. Of course the Avalon feels like a better product — it has $2,000 more put into it. Considering this disadvantage, Detroit has done a remarkable job of designing and engineering its cars. But if this cost penalty persists, any bailout will only delay the inevitable.
To read the entire article.....
Let Detroit Go Bankrupt
Posted Michael Corey, Founder & CEO, Ntirety www.ntirety.com