Richard Nicholson

Carriers worried about the cost of deploying fiber should concentrate primarily on lowering their installation costs and driving up their adoption rates, according to Boston-based research firm the Yankee Group.During a web seminar today on deploying fiber-to-the-home (FTTH ) connections, Yankee Group analysts said that the best way for carriers to quickly recoup their fiber investments would be to focus more on upping fiber adoption and less on generating more average revenue per user (ARPU). While the analysts said that increasing ARPU was indeed important, it did not provide as much of a return on investment as getting more users to subscribe to the technology and reducing the cost of connection per user."If you have a choice between ARPU and penetration, choose penetration," said Yankee Group senior vice president Wally Swain. "To this end, carriers should also reconsider offering wholesale services as a way to get people onto the same platform. If you can get more people selling your service that's got to be better than having to do it yourself."Yankee Group principal analyst Benoit Felten echoed Swain's view that carriers should be more open to wholesaling access to their networks, although he acknowledged that many carriers have in the past been enthusiastic about opening up network access to their competitors. He noted, however, that Dutch telco KPN and Swiss telco Swisscom had both created successful business models where they offered wholesale fiber services."We think economically it makes sense," he said. "Opening up your network is a way to deliver more value to shareholders… carriers should explore ways to generate wholesale revenues from lines that are not subscribing to a commercial service."Wholesale access to  fiber and copper services in generally more common in countries that have retain common carrier rules where an incumbent telecom company are required to allow smaller ISPs to buy space on their broadband networks at discount prices. The idea is to have incumbents wholesale access to their networks to other ISPs to compete with each other to sell Internet services to consumers and businesses. The practice has become less common in the United States after the Federal Communications Commission discarded bandwidth-sharing rules in 2005.In terms of cutting costs to connect new subscribers, the Yankee Group analysts recommended that carriers carefully decide which areas will connect the most users for the least investment. This inevitably means building out fiber in areas that have a high density of buildings or areas that already have extensive underground duct systems that will lower the costs of putting fiber into the ground. The analysts also said that carriers could lower their costs per connection by charging users connection fees when they sign up. Thus, a connection that would cost $1,000 for the carrier would be lopped down to $800 after users paid a $200 connection charge.While only building in areas with high population density generally implies that FTTH networks will be built out in large cities, some carriers have said that FTTH connections could be feasible for certain rural areas that have relatively high population densities.

For instance, Patrick Knorr, the COO of Kansas-based cable and broadband provider Sunflower Broadband, has said that there are some suburban communities in his vicinity that have been sprouting up in rural areas that would have enough population density to justify building out FTTH infrastructure.Looking at the big picture, the Yankee Group analysts said that it's only a matter of time before all major telcos start offering Web access over fiber to the home. The only dilemma for carriers isn't whether to build out more fiber, they said, but how to deploy it without seeing their profits take a nosedive."The copper networks that all broadband services rely on its more than 50 years old and it's dying," said Felten. "Soon or later it will need to be replaced with fiber. Fiber is the endgame and the telcos know it."

Microsoft Corp. is preparing to launch a public beta of Morro, the free antimalware it announced last November, according to a report by the Reuters news service.

Morro will use the same scanning engine as Windows Live OneCare, Microsoft's first consumer-grade antivirus package, and the software that the free software replaces. OneCare is to get the boot June 30, when Microsoft stops selling the program.

According to a Microsoft spokesman who spoke with Reuters, Morro is being tested internally at the company, and will be posted as a public beta "soon." The spokesman didn't offer the news service any further details about a timetable.

The company was not immediately available today to confirm the Reuters story, but it has e-mailed technology reporters offering more information in a briefing with executives if they agree to abide by a nondisclosure agreement.

Others, however, seemed to confirm that Morro was close at hand. Prominent Windows blogger Paul Thurrott noted the Reuters story, but begged off providing details.

"This puts me in an awkward spot. I can't really discuss this too much further at the moment, but since Reuters dropped the ball ..." he said. Thurrott also hinted that the news of Morro's imminent beta had leaked prematurely. "Let's just say it wasn't supposed to be today," he added.

Microsoft has been mum about Morro since November 2008, when it announced that it was dumping OneCare and would instead give away streamlined software that would sniff out PC viruses, worms, Trojans, rootkits and spyware.

At the time, Amy Barzdukas, a senior director of product management at Microsoft, only promised that Morro would launch sometime in the second half of this year. She also denied claims by security software rivals that Microsoft had thrown in the towel on OneCare because the software had flopped.

Microsoft's other consumer security software, the antispyware Windows Defender program, is bundled with Vista, will be included with Windows 7 and is a free download for Windows XP users.

Last year, John Pescatore, an analyst at Gartner Inc., questioned whether users would step up to Microsoft's Morro even if it was free. "Consumers are hesitant to pay for a Microsoft security product that will remove problems in other Microsoft products," he said. "Think of it this way. What if you smelled a rotten egg odor in your water and the water company said, 'Sure, we can remove that, but it will cost you $50.' Would you buy it?"

Not surprisingly, competitors have dismissed Morro's threat to their business and downplayed its ability to attract users. "We like our chances," said Todd Gebhart, vice president in charge of McAfee's consumer line, last year.

"Consumers have already rejected OneCare," added Rowan Trollope, senior vice president of consumer software at Symantec. "Making that same substandard security technology free won't change that equation."

OneCare isn't the only Microsoft program to get the ax at the end of the month. Yesterday, the company confirmed that it would also ditch Microsoft Money, its 18-year-old personal finance program, on June 30.

Microsoft today said it will deliver 10 security updates next week to patch serious bugs in Windows, Internet Explorer (IE), Word and Excel.

If the company follows through on its plans - sometimes Microsoft ditches an update at the last minute - next week's Patch Tuesday will be the largest since October 2008.

"We're back to a normal load," said Andrew Storms, director of security operations at nCircle Network Security. "Some may think of it as pretty big, but really, for anyone who's dealt with Patch Tuesday for the last five years, it's what we should be expecting."

Last month, Microsoft issued just one security update, a 14-patch fix for PowerPoint.

Of the 10 updates Microsoft announced today in its monthly advance notification, six will affect Windows, and one each will patch problems in Internet Explorer (IE), Word, Excel and Microsoft Office. Six of the 10 were marked "critical," Microsoft's highest threat ranking, while three were judged "moderate" and one as "important."

The six critical updates will patch Windows (which gets two of the updates), IE, Word, Excel and Office.

"The red flag is going to be [the] IE [update]." said Storms. "It's critical, it's on all versions [of Windows], and it's even critical in Vista for IE7 and IE8."

IE8, which was released in March, is Microsoft's most security-conscious browser yet. Tuesday's update will provide the first-ever production patches for IE8.

Storms also pointed out that it looks like Microsoft won't protect Mac users this month. "We don't have the PowerPoint for the Mac patches," he said after reviewing the advance notice. Last month, Microsoft took the unusual step of patching the Windows versions of PowerPoint, but not the Mac editions, saying that it didn't want to postpone the update to await Mac fixes.

Attackers had been exploiting the PowerPoint bug in Windows since at least early April. "[But] none of the exploit samples we have analyzed will reliably exploit the Mac version, so we didn't want to hold the Windows security update while we wait for Mac packages," Jonathan Ness, an engineer at the Microsoft Security Response Center, explained last month. Some criticized Microsoft's decision. Swa Frantzen, an analyst at SANS Institute's Internet Storm Center (ISC), said Microsoft was breaking its own rules about "responsible disclosure" by letting the Mac patches slide. "We all know from past experience [that] the reverse engineering of patches back into exploits starts at the time - if not before - the patches are released," said Frantzen four weeks ago. "So in the end, Microsoft just released what hackers need to attack."

Other recently-acknowledged bugs may or may not get fixed next week, said Storms. He was pessimistic about Microsoft patching a problem in DirectX that the company confirmed only last week; the bug is actively being exploited by hackers, according to Microsoft. None of the updates' revealed today seemed to fit the affected software profile of the DirectX vulnerability, Storms said.

But another outstanding advisory, which Microsoft reported two weeks ago and which involved its Internet Information Services (IIS) Web-server software, may get patched. "It's not called out as IIS, so it's hard to say if it will be patched, but I could see them putting it under one of the [six] Windows updates," said Storms. Microsoft has downplayed the IIS bug, which could be used by criminals to steal data from Web servers, because only some configurations are at risk.

Next week's update will be the largest by bulletin count since Microsoft issued 11 on Oct. 14, 2008, but users and IT administrators won't really know the extent of their patching job until the total CVE (Common Vulnerabilities and Exposure) count is revealed Tuesday, Storms argued. Microsoft often bundles multiple patches - each identified by a specific CVE number assigned to the flaw that it fixes - in each update. "The workload will depend on the CVE count out of this," said Storms. "We may get 60, or we may get 20."

While the CVE count doesn't affect the testing companies do on Microsoft's security updates, it can affect the amount of work if, as is often the case, an organization is unable to patch immediately and so implements the workarounds that Microsoft recommends. In its update bulletins, Microsoft lists separate workarounds for each CVE; in other words, if an update includes five patches for five CVEs, it could list five different workarounds.

"So it could go either way next week," said Storms. "But it's going to be an all-eyes forward on the IE update. That's the red flag for June."

Microsoft will release the 10 security updates at approximately 1 p.m. ET on June 9.