Tuesday 28 October 2008

Feature Leak - Oh, call a Plumber

OK, it's a big week - loads going on, what with the PDC in Los Angeles and Vista SP2 now in my greedy little hands. We are now getting a turn at the fire-hose  for two major technologies that are going to keep us duly entertained for the next twenty-four months or so; Windows 7 and Azure, the Windows Cloud computing initiative.

 

Just a quick recap of some of the features that have been released today (and that I will be investigating over the next few months) ;

 

  1.  The ability to encrypt USB devices
  2. More control over User Account Control (UAC)
  3. Web-slicing
  4. Search Federation (meaning enterprise ready search)
  5. Branch Office caching

 

 

With all this stuff coming along, why all of the press "leaks"... We are getting pre-release copies of Vista SP2 via the Windows updates site;

 

http://download.windowsupdate.com/msdownload/update/software/svpk/2008/10/prereqtool_033b26b3dbcf60aa698669cafe328b9c902e02a6.exe

 

And the Windows 2008 update (will this be R2?);

 

http://download.windowsupdate.com/msdownload/update/software/svpk/2008/10/prereqtool_033b26b3dbcf60aa698669cafe328b9c902e02a6.exe

 

And it looks like Paul Thurrot with his super-site blog (highly readable stuff)  is getting into the act as well with;

http://community.winsupersite.com/blogs/paul/archive/2008/10/27/pdc-2008-windows-7-m3-pre-beta-features-leak.aspx

Thursday 23 October 2008

PDC 2008 - Windows 7 in the wings

I may or may not be able to attend the Microsoft PDC conference next week  - my schedule right now is pretty hectic. I wonder about when  I get really, really busy. I think to myself, "Am I just badly organized, or is this just a normal reaction to a huge work-load. My life coach and a good friend, Chris, would admonish me and say, "you should try not to book back-to-back meetings.", My reply, "ALL my meetings are back to back".  That said, the invite to the PDC is on Microsoft's coin and I will really try to make it there.

From the pre-conference briefings and the M$ internal updates I have received (which incidentally have been incredibly well-presented, polished and very entertaining - well done guys)  we are going to see a lot about Windows 7 (the next version of Vista) and Strata.  Strata refers to Microsoft's "cloud" based operating system - or service. I am not quite sure - but it sure sounds interesting.

I am also getting the feeling that Windows 7 may ship on schedule. I have seen a build now and it looks really good. I can't provide much more detail due to my NDA with Microsoft but it looks like Vista with some really cool UI tweaks. Also, judging the presentations I have received, it looks like application compatibility is going to be a big topic for Windows 7 and a major focus for Microsoft.


Monday 20 October 2008

All aboard the Cycle Bus

A friend of mine was relaying a story about a cycle bus. He is part of the "two pedals better" troupe and was waxing enthusiastically about the idea of a bus with pedals in front of every seat. And, to get the bus moving, everyone had to pedal. This idea has some "green" merits in today's oil parched new world order - but, I thought this is great during rush hour with loads of legs to get the bus moving but would really suck for those people who lived near the end of the line.  And, would old women look so pleased when young men jumped up from their seats (and their labors)  to offer these poor, old dears something to sit on.

This idea got me thinking about shared transport and shared effort and as consequence of some really bad "Googling" I discovered some features in Vista that go back to XP that I was completely unaware of.

Vista supports peer-to-peer communication through the advanced Peer Name Resolution Protocol (PNRPv2) !

 In fact, going back a few years now, Windows XP supported peer-to-peer communications with the Advanced Networking Pack. Couple this functionality with the Microsoft Background Intelligent Transfer Service (BITS) and you have the making of an offline caching service. Just think, instead of copying everything to a central server, you could share out part of your hard-drive and let other people access your local cache. Or use your browsing history as a local web cache for band-width poor branch offices.

Following on from that,  I understand there was a few features based on these peer-to-peer ideas that did not make into the final release of Windows Vista.  Notably the project code-named "Castle" which would combine peer-to-peer transports with domain level authentication. 

And, it appears that this feature may be resurrected in Windows 7 with the new Home Group functionality. 





References:

 Peer Name Resolution Protocol (PNRPv2)

Wednesday 15 October 2008

Microsoft Patch Tuesday: October 14 2008




Executive Summary - Massive breadth/depth of changes.
Microsoft's October "Patch Tuesday" Security Update brings us a massive wave of patches with 6 Critical, 4 Important and 1 Moderate update. These are significant updates with one patch (MS08-057) updating more than 50 core files and most of the patches updating key system files, therefore requiring system restarts. The good news is that only one of the patches has wide scale issues for application compatibility. The major concern for this October release is the Internet Explorer Update MS08-058. As in the case with the September updates, updating Internet Explorer components affects a large number of applications in our test portfolio for all Windows desktop/server operating systems including XP and VISTA. Again as in September it is likely that some applications will have performance issues as a result of this update. Here is a sample snippet from the AOK Workbench report on one application. 

This example illustrates how the JAVA application package includes file level dependencies that have been updated by the MS08-085 Security Update 



These three items are critical dependencies with Java. If you have a Java application that uses the IE7 internet control you will need to thoroughly test this application. 

Examples of other applications affected include Oracle 9, several HP printer drivers and some IBM AS400 client access tools. 

We recommend organisations test their key applications affected by this patch before deploying the update and look carefully at the small number of applications affected more widely by these updates. 

Vendors supplying applications in widespead use should have the resource to quickly resolve any issues identified and are likely to have more resiliance in their code to minimize problems with MS08-057. In house developed applications are likely to be more at risk. Without a product like AOK it can takes days per application to identify the code affected by these patches. Many corporates have to 10% to 30% of their applications developed in house so this could run to hundreds of even thousands of individual packages that will need testing. 

Coprorates will be under extreme pressure to release this these new patches to the live environment but proper testing can takes months. 

Testing Summary
  • MS08-56: Marginal impact with low numbers of applications affected
  • MS08-57: Marginal impact with low numbers of applications affected
  • MS08-58: High impact with significant numbers of applications affected
  • MS08-59: Marginal impact with low numbers of applications affected
  • MS08-60: Marginal impact with low numbers of applications affected
  • MS08-61: Medium impact with low numbers of applications affected
  • MS08-62: Medium impact with low numbers of applications affected
  • MS08-63: Medium impact with low numbers of applications affected
  • MS08-64: Medium impact with low numbers of applications affected
  • MS08-65: Marginal impact with low numbers of applications affected
  • MS08-66: Medium impact with low numbers of applications affected

Patch NameTotal Issues% of apps
Affected
RebootRatingRAG
Microsoft Security Bulletin MS08-056<1%<1%YESMNo Issue
Microsoft Security Bulletin MS08-057<1%<1%YESCNo Issue
Microsoft Security Bulletin MS08-058113033%YESCSerious
Microsoft Security Bulletin MS08-059<1%<1%NOCNo Issue
Microsoft Security Bulletin MS08-060<1%<1%YESCNo Issue
Microsoft Security Bulletin MS08-061146<1%YESIFixable
Microsoft Security Bulletin MS08-062136<1%NOIFixable
Microsoft Security Bulletin MS08-063131<1%YESIFixable
Microsoft Security Bulletin MS08-0641971%YESIFixable
Microsoft Security Bulletin MS08-065<1%<1%YESINo Issue
Microsoft Security Bulletin MS08-066127<1%YESIFixable

Legend: 
No IssueNo Issues Detected
FixablePotentially fixable application Impact
SeriousSerious Compatibility Issue

M = Moderate 
I = Important 
C = Critical 

So in the example of MS08-061 we found only 8 of the c. 800 applications in our sample were affected. However a number of these have widespread dependencies. One example being Microsoft Digital Image version 9 where there were 38 separate recorded dependencies i in this application affected by this patch. 

c. 800 applications were tested against these patches using the ChangeBASE ACL (Application Compatibility Lab) 

Security Update Detailed Summary
MS08-056Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)
DescriptionThis security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow information disclosure if a user clicks a specially crafted CDO URL. An attacker who successfully exploited this vulnerability could inject a client-side script in the user's browser that could spoof content, disclose information, or take any action that the user could take on the affected Web site.
PayloadHKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\cdo
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CDO
HKEY_CLASSES_ROOT\PROTOCOLS\Handler\cdo
ImpactInformation Disclosure

MS08-057Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)
DescriptionThis security update resolves three privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadNosxs_mfc80cht.dll, Nosxs_mfc80deu.dll, Nosxs_mfc80enu.dll, Nosxs_mfc80esp.dll,
Nosxs_mfc80fra.dll, Nosxs_mfc80ita.dll, Nosxs_mfc80jpn.dll, Nosxs_mfc80kor.dll, Nosxs_mfc80u.dll,
Nosxs_mfcm80.dll, Nosxs_mfcm80u.dll, Nosxs_msvcm80.dll, Nosxs_msvcp80.dll, Nosxs_msvcr80.dll,
Sql90.xsl, Ul_atl80.dll, Ul_mfc80.dll, Ul_mfc80chs.dll, Ul_mfc80cht.dll,
Ul_mfc80deu.dll, Ul_mfc80enu.dll, Ul_mfc80esp.dll, Ul_mfc80fra.dll, Ul_mfc80ita.dll, Ul_mfc80jpn.dll,
Ul_mfc80kor.dll, Ul_mfc80u.dll, Ul_mfcm80.dll, Ul_mfcm80u.dll, Ul_msvcm80.dll, Ul_msvcp80.dll,
Ul_msvcr80.dll, Xlcall32.dll, Xlsrv.dll, Xlsrv.webservices.api.dll, Xmlrw.dll, Xmlrwbin.dll,
Msmdlocal.dll, Msmdlocal.dll, Msmgdsrv.dll, Msmgdsrv.dll, Msolap90.dll, Msolap90.dll, Msolui90.dll,
Msolui90.dll, Msvcm80.dll, Msvcp80.dll, Msvcr80.dll, Sql90.xsl, Sql90.xsl,
ImpactRemote Code Execution

MS08-058Cumulative Security Update for Internet Explorer (956390)
DescriptionThis security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability. The vulnerabilities could allow information disclosure or remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadIecustom.dll, Browseui.dll, Cdfview.dll, Danim.dll, Dxtmsft.dll, Dxtrans.dll, Iepeers.dll, Inseng.dll,
Jsproxy.dll, Mshtml.dll, Msrating.dll, Mstime.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Urlmon.dll,
Wininet.dll, Browseui.dll, Cdfview.dll, Danim.dll, Dxtmsft.dll, Dxtrans.dll, Iepeers.dll, Inseng.dll,
Jsproxy.dll, Mshtml.dll, Msrating.dll, Mstime.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Urlmon.dll,
Wininet.dll, Iecustom.dll,
ImpactRemote Code Execution

MS08-059Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)
DescriptionThis security update resolves a privately reported vulnerability in Microsoft Host Integration Server. The vulnerability could allow remote code execution if an attacker sent a specially crafted Remote Procedure Call (RPC) request to an affected system. Customers who follow best practices and configure the SNA RPC service account to have fewer user rights on the system could be less impacted than customers who configure the SNA RPC service account to have administrative user rights.
PayloadHisservicelib.dll
Rpcdetct.dll
Snarpcsv.exe
ImpactRemote Code Execution

MS08-060Vulnerability in Active Directory Could Allow Remote Code Execution (957280)
DescriptionThis security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server. The vulnerability could allow remote code execution if an attacker gains access to an affected network. This vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers. If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability.
PayloadNtdsa.dll
Sp3res.dll
ImpactRemote Code Execution

MS08-061Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)
DescriptionThis security update resolves one publicly disclosed and two privately reported vulnerabilities in the Windows kernel. A local attacker who successfully exploited these vulnerabilities could take complete control of an affected system. The vulnerabilities could not be exploited remotely or by anonymous users.
PayloadWin32k.sys
W32ksign.dll
Gdi32.dll
Wgdi32.dll
ImpactElevation of Privilege

MS08-062Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)
DescriptionThis update resolves a privately reported vulnerability in the Windows Internet Printing Service that could allow remote code execution in the context of the current user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadMsw3prt.dll
Win32spl.dll
Printcom.dll
ImpactRemote Code Execution

MS08-063Vulnerability in SMB Could Allow Remote Code Execution (957095)
DescriptionThis security update resolves a privately reported vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on a server that is sharing files or folders. An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights.
PayloadSrv.sys
ImpactRemote Code Execution

MS08-064Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)
DescriptionThis security update resolves a privately reported vulnerability in Virtual Address Descriptor. The vulnerability could allow elevation of privilege if a user runs a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could gain elevation of privilege on an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
PayloadNtkrnlmp.exe
Ntkrnlpa.exe
Ntkrpamp.exe
Ntoskrnl.exe
Hal.dll
ImpactElevation of Privilege

MS08-065Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)
DescriptionThis security update resolves a privately reported vulnerability in the Message Queuing Service (MSMQ) on Microsoft Windows 2000 systems. The vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled.
PayloadMq1repl.dll, Mq1sync.exe, Mqac.sys, Mqads.dll, Mqbkup.exe, Mqcertui.dll, Mqclus.dll, Mqdbodbc.dll,
Mqdscli.dll, Mqdssrv.dll, Mqlogmgr.dll, Mqmig.exe, Mqmigrat.dll, Mqoa.dll, Mqperf.dll, Mqqm.dll,
Mqrperf.dll, Mqrt.dll, Mqsec.dll, Mqsnap.dll, Mqsvc.exe, Mqupgrd.dll, Mqutil.dll, Msmq.cpl, Msmqocm.dll
ImpactRemote Code Execution

MS08-066Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)
DescriptionThis security update resolves a privately reported vulnerability in the Microsoft Ancillary Function Driver. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
PayloadAfd.sys
ImpactElevation of Privilege

Monday 13 October 2008

Bit MUI LIP

I was asked by a client today what the difference between a Microsoft MUI and a LIP. And, more importantly, "what were the application compatibility consequences of multi-language support?"

 

I thought I knew what a MUI was - the language and resource layer that you could add onto Windows XP and Server 2003 to fully support languages such as French, German and Spanish.  I remember these resource packs well as when they initially appeared in my MSDN Select CD binder - I thought that they were a god-send. After spending nearly a year on getting Windows 2K to (properly) support Chinese (all three types including Big5) and Japanese (hiragana, katakana and Kanji) through 3rd party software such as Twin Bridge's IME, I was ready for anything.

 

And, Microsoft's own words, the MUI is defined as,

 

"Multilingual User Interface Pack is a set of language specific resource files that can be added to the English version of Windows Professional. When installed on the English version of Windows, MUI allows the user interface language of the operating system to be changed according to the preferences of individual users to one of the 33 supported languages".

 

 

OK, sounds pretty clear… Now, what is this LIP stuff?

 

Again, referencing TechNet, "Microsoft Windows XP Professional Language Interface Pack (LIP) is a high-quality, localized "skin" for emerging or minority language markets, such as Catalan, Lithuanian, and Thai.

 

And, what is the difference between a MUI pack and a LIP installation? Get ready as,

 

"The main difference is in the level of localization in comparison to MUI packages: LIP packages provide the desktop user with an approximately 80% localized user experience. In addition, LIP doesn't allow users to switch languages. Once a LIP is installed, all users using that machine will have the same User Interface (UI) language. "

 

So, in summary it looks like the MUI is a "switchable" comprehensive interface while the LIP is a 80% permanent installation.

 

 

References:

 

Windows XP Multi-lingual User Interface (MUI) FAQ's

http://www.microsoft.com/globaldev/DrIntl/faqs/MUIFaq.mspx#MUIques15

 

Application Compatibility and the Microsoft MUI

http://www.microsoft.com/globaldev/handson/dev/AppCompatInMUI.mspx

 

Microsoft LIP Frequently Asked Questions

http://www.microsoft.com/globaldev/DrIntl/faqs/lipfaq.mspx

Friday 10 October 2008

Whose OS is it anyway?

I've got a question burning away in my mind - and I am not sure if I am right to ask it. I feel that, at the very core of Microsoft Vista and Windows Server 2008 rages a battle of hearts and minds over a possibly forgotten but all-encompassing issue.

The question that begs for a reply is; Whose operating system is it anyway?"

My focus is getting applications to work and the engineering effort required to deploy, install and manage thousands of applications on large heterogeneous networks. I have encountered an overcome numerous challenges including;
  • User Account Control UAC
  • Application Compatibility 
  • Security Restrictions

And now, I seem to face my greatest hurdle of them all; the mother of all technical challenges: Windows Resource Protection.

In Microsoft's own words; "Windows Resource Protection (WRP) prevents the replacement of essential system files, folders, and registry keys that are installed as part of Windows Server 2008 and Windows Vista."

Simply put; there is a system in place to ensure that you can not over-write either files or registry settings that the OS (Vista or Windows Server 2008) requires to function. In fact, most DLL's and executables within the Windows directory (the main OS directory) are protected under Windows Resource Protection (WRP) - meaning, that for most system files, you simply can not change or update these files or settings.

The principle of this system is pretty benign - keep the OS working. This increases stability, reduces support calls and generally makes most people are happy about this. The challenges begin when you need to update the OS for your own dark-hearted, nefarious purposes. Such as, to get an application to work….

Under Windows XP and Server 2003, there was a system called System File Protection (SFP) that relied on a cache (local copy) of "good DLL's". In the event that that a key OS system file was updated, the system would check the file version against this known list and replace the new file with the file taken from the local cache. This was a moderately successful security system with easy work-arounds.

HINT: stop the SFP service, update the local cache, update the target file in the system directory, restart the SFP service.

With Vista, there are a number of "approved" methods (Supported Resource Replacement Mechanisms) including;
  • Windows Service Packs installed by TrustedInstaller.
  • Hotfixes installed by TrustedInstaller.
  • Operating system upgrades installed by TrustedInstaller.
  • Windows Update installed by TrustedInstaller.
The Vista/Server 2008 WRP uses local security settings to restrict access to these protect files and settings - only allowing access to the TrustedInstaller module.

This makes things particularly difficult if you need to update a file on the OS - only Microsoft is allowed to touch these areas. My primary complaint is this; There should be a mechanism for system administrator to update the OS.

At present, I can not generate Windows Service Packs, customize Hotfixes or create my own Operating System upgrades. This is primarily due to restricted API's and Microsoft's freely acknowledged lack of documentation.

So this begs the question, "If I can't change it, who can?" And, if the answer is a certain software behemoth, I plan to raise a merry stink about this….


References:
About Windows Resource Protection
http://msdn.microsoft.com/en-us/library/aa382503(VS.85).aspx


Support Resource Replacement Mechanisms
http://msdn.microsoft.com/en-us/library/aa382540(VS.85).aspx

Wednesday 8 October 2008

SoftGrid (MAV): A Reboot Rebuttal

Vindication, sweet vindication. I have a theory that the amount of satisfaction one receives from finally being proved right on a particular issue is proportional to the amount time it takes for everyone to come around to your way of thinking. But, in this case, it took so long, that I have (almost) lost interest.

The issue at hand relates to Microsoft Application Virtualization (MAV and formerly SoftGrid) and the sequencing process.

Last year (yes, I can actually remember things from last year) a number of our clients raised an issue with the SoftGrid sequencing process if a reboot was required mid-way through the application installation. Our team conducted some initial analysis and found that beyond the SoftGrid sequencer crashing (quite often) as a result of a application mid-installation reboot, some registry settings and files would get missed. This meant that the result sequenced SoftGrid package would generally not work - and you would either to try-try-try again and possibly decide not to virtualize that particular application.

So, our company (ChangeBase) added a "Sequencer Reboot Check" to our collection of virtualization Plugins. This allowed us to proactively determine if an application was likely to require a reboot prior to starting the Sequencing process. The reporting process worked great - our clients were happy as they were getting good intelligence on applications needed special attention for sequencing.

However, some of the people at Microsoft were not so pleased. The official view of reboot issues during the sequencing process was that "it doesn't happen, there are no reboot issues or problems when sequencing an application". This was not just denial at the official level - but a lot of the technical people clearly thought that we were just making things up.

So, I was kind of pleased when I saw this blog posting today on the MAV team site;

Sequencing applications that require a reboot
http://blogs.technet.com/softgrid/archive/2008/10/08/sequencing-applications-that-require-a-reboot.aspx

The Best Practices for sequencing applications can from the MAV team can be found here:
http://blogs.technet.com/softgrid/archive/2007/07/12/sequencing-best-practices.aspx

Rebooting during the SoftGrid sequencing process is now recognized as an issue - and, now we even have some great advice from the MAV team . Good Stuff!

Monday 6 October 2008

Why wait for Windows 7?

 I was reading a blog today that referenced a Corporate IT report that indicated that;

  • 4% of companies currently use Vista versus  58% using XP
  • 7% of companies are using Windows 200 (hopefully SP4)
  • 35% of companies are not interested in Vista
  • 30% were investigating Windows 7


I have a healthy distrust of these kinds of reports due to potential reporting bias and other self-reporting errors. This was a relatively small study of 43 companies. Still, these numbers broadly support Microsoft's view that 6%  are currently using Vista. Apologies for quoting this figure, as I can not back it up with a link to a graph or website as this is  anecdotal information gleaned from my dealing with Microsoft UK and their US counterparts.

The last figure quoted relates to those companies that are investigating Windows 7. What does this mean? And, more importantly what are they investigating? With what hard data or technical specs.?  My 11th grade used the phrase "marked paucity" when describing my limited ability to accurately represent a series of events, in chronological order, with a pen and paper. And so, I use this term to describe the REAL data about Windows 7.

There are few facts about Windows 7 that are readily available to the public - but one thing seems pretty apparent. Microsoft has made a huge investment in the Windows Vista (6) core or Kernel and will not be throwing it away too quickly. Windows 7 will be based on the Vista and Windows 2008 Server core.

If you are weighing up the challenges with migrating to Vista now, then Windows 7 may have more features but it may a number similar challenges found in Vista including;
  • Driver Support
  • Legacy Application components compatibility issues
  • Security Restrictions
  • Removal of 16-bit application support
My advice is to start planning for Vista now, and if Windows 7 is shipped on time (probably 2010) then your hard-work getting your portfolio and environment into shape will pay off quickly.





Friday 3 October 2008

Adobe vs. Adobe: Acrobat, Reader go toe to toe

I have written a few blogs now on a specific application such as iTunes and  Adobe products, so you may think that I am beating up on Adobe by commenting again on their installations - their application packages.

Nothing personal. In fact, after 8 years or so of dealing with packaging and deploying repeated upgrades of Reader to over 100,000 desktops  I am delighted to say that things are much, much better than they used to be. Reverse engineering Acrobat and Reader to create a reasonable package for deployment used to keep me in gainful (even moderately well-paid) employment - so no complaints here.

However, I was asked by an associate to investigate some of the SoftGrid issues surrounding the deployment of Adobe Reader (which is fine) and as a passing comment, he mentioned that by the way, "Adobe Acrobat completely conflicts with Reader..."

You mean, "That two products from the same software vendor will cause application conflicts when installed on the same machine?" Incredible.
This of course should be said with a French accent, "Encrrrroiable!"

So, I had to a have a look .

First, let's take a look at what we mean by application conflicts.  I could not find any Google/Web definition so I thought I would cobble something together for the occasion. Where as Application Conflicts could be defined as, "At least two application installations that contain file and configurations that are mutually incompatible when installed on the same machine."

Now, of course of this definition is now a little out-dated, due to the recent advances in virtualisation technologies. So I might now add;

 "At least two application installations that contain file and configurations that are mutually incompatible when installed on the same operating system environment"
 
This means that two application installation routines contain files , registry settings and other configuration details that once put in place on the target machine breaks another application either on installation, un-installation or through an update process. 

The things to start looking for when investigating application conflicts include;
  • Different versions of files placed in the same target directory
  • Registry keys with different values
  • IniFile with different settings for similar sections
  • Environment variables that are set to different conflicting values
There is a quite a complex matrix of at least 16 values when just considering File level conflicts within an MSI  Installer package as you have consider file name, version, location and the MSI component... Hey, 4 x 4 = 16 for those not paying attention. 

So, when you have just a few packages with a few hundred files and registry settings you can easily generate 1000's of permutations and combinations. When you extrapolate these few package conflicts to an enterprise environment that includes many 1000's of applications - the possible range of application conflicts could range in the 100's of millions of permutations combinations of files and registry settings that may break other applications. Crazy, scary stuff.

So, here is a quick summary of Adobe Acrobat 9 versus Acrobat Reader 9.

Here is a list of the same files that Acrobat installs to one directory and Reader to another, different directory; vdk150.dll , AGM.dll, authplay.dll. Note: these files have different versions as well as being located in different target locations. 

And, there are over 30 files are the SAME version but installed in two different locations on the same machine for both Acrobat and Reader including;
  • A3DUtility.exe
  • ACE.dll
  • AcroBroker.exe
  • Acrofx32.dll
  • AcroTextExtractor.exe
  • AdobeCollabSync.exe
  • AdobeLinguistic.dll
  • AdobeXMP.dll
  • AGM.dll
These are core files for both Acrobat and Reader - why are the same versions of these files installed into two separate directories . If you have to install both these packages on the same machine, what will happen?

In addition, there are a further 340-odd registry settings that are shared between these two application installations that contain different values - which means that you need to ensure which application is more important and then decide to install that application last. This is required to ensure that your "most desired" application get the settings it needs to work properly. Who knows what will happen to the earlier installed version. And more interestingly (or worse depending on your viewpoint) what happens when the Adobe update process kicks in?

Fun stuff, eh?

Wednesday 1 October 2008

Apple iTunes - a Blojan

I get to deal with some of the world's most complex applications. And, now as I get ever more known for identifying for application compatibility issues (note: you will notice I didn't use the word "respected") I get to play with complex applications that don't install, that don't work and generally do not have documentation. Applications like AutoCAD, Reuters (hey, it requires 13 separate MSI's to install), Bloomberg and my nemesis; Microsoft Office.

But every once in a while, I get a little surprise - a common, seemingly innocuous little application or utility that once delved into becomes a quagmire of misplaced good-intentions. And this collection of good ideas (hey, let's include Outlook synchronization) which seems completely "right" at the time of development all adds up to build a monster. And that monster today folks is the latest release of iTunes. 

This installation;  of a simple application to manage your music collection and send music collection to a remote, portal hard-drive (your iPod) now includes the following;

  • AppleMobileDeviceSupport.msi - hardware/device level synchronisation services
  • AppleSoftwareUpdate.msi - a software update platform
  • Bonjour.msi - a file sharing service
  • iTunes.msi - the big-daddy UI for managing your music and videos
  • MobileMe.msi - the connector application for the Apple MobileMe internet service
  • QuickTime.msi - the Apple video viewing engine

What we have here  is not your standard application bloatware (http://en.wikipedia.org/wiki/Software_bloat) This is something more meaningful  than standard feature creep (Hey, let's add a file-sharing service to this installation)... This is the beginnings of a PLATFORM.  A bloated Trojan horse?

A Blojan - is what I call Strategic Feature Creep.

The result of my iTunes installation is that iTunes can act as a synchronization "engine" for my desktop, for my laptop, for my iPod and my internet based services such as Google and MobileMe. The Apple Bonjour application alone installs 2 services, plus the AppleMobileDeviceSupport installation add it's own device drivers and services to your desktop/laptop environment. 

To give you some facts/figures,  the iTunes installation packages contains;

  • Over 4,500 files and registry settings
  • Installs hardware/device drivers
  • Installs (and set running in the background) three services
  • Installs hooks into Outlook, Google
  • Takes over 500 desktop settings 
  • Grabs over 40 file extensions 
  • Updates most Explorer auto-play options 

These background services (always running, always waiting) are not huge memory hogs but they do add to your overall memory footprint - and Apple is building on these - to put Apple at the centre of your listening, viewing and sharing experience.

Which is fine - but I would really prefer to have known about the installation of these additional "bits" prior to the installation my simple music management software - iTunes. 

And, the massive impact that this installation has had on my machine.