Monday 30 November 2009

App-V .NET Managed Code Issue: Fixed!

Instead of my usual litany of woe and rails against all things that don't work to my immediate satisfaction, I thought would post today on something that WAS an issue. And, no longer is a problem.

One of the application compatibility issues that raised an issue prior to the release of App-V 4.5 Cumulative 1 (CU1) is detailed in the following post from Just Zarb

"An application compatibility" problem occurs when an unmanaged executable file (.exe) is statically linked to a managed module (.dll/.lib). "

When the .exe file is unmanaged, sftldr.dll gets loaded just after ntdll.dll, and kernel32.dll file.

After that, if the loader finds any dependent managed module during the implicit loading phase , it tries to validate that image using _CorValidateImage() function of mscoree.dll.

_CorValidateImage() performs the following 2 actions:

                1. Ensures that the code is valid managed code.
                2. Changes the entry point in the image to an entry point in the runtime.

_CorValidateImage() calls all the dllMain() function of modules that got loaded before this managed module, and the dllMain() of sftldr.dll also gets called. 

This may result in the wrong version for desired loading or worse, not loading the required DLL at all. The likely result here is that the application will fail to start.

This problem does not happen when both the .exe file and the dll module are managed. When the .exe file is managed, mscoree.dll module gets loaded before sftldr.dll.

Now, the good news is that this issue has been resolveD and verified by the good folks in the Microsoft Premier Field Engineering (PFE) team with the release of App-V CU1.


See, my blog is not so bad after all...

References:

Justin Zarb's blog (The World Simplified is a Virtual World)

You can find Microsoft's App-V 4.5 CU1 update here:

Read about Microsoft "Managed Execution Process"

Thursday 12 November 2009

Patch Tuesday: November 2009

The November Patch Tuesday update from Microsoft follows the largest patch and security update in Microsoft’s history. This month there are six updates to Office, Active Directory and Microsoft’s Office application suite.
These six updates have a low impact, bar one patch to Excel which may cause compatibility issues for some applications. The main cause for concern here is that Excel is a primary if not essential element to many environments. For example most banking, trading floor and insurance platforms. Therefore any change must be tested rigorously.
Whilst there are few applications in our sample that are affected, the ChangeBASE AOK team recommends that the Excel update (MS09-067) requires particular attention in any environments where there is a significant dependency on this,

We have included a brief snap-shot of some of the results from our AOK Software that demonstrates some of the potential impacts on Microsoft Office deployments with the following picture.



Testing Summary
  • MS09-063 : : Marginal impact and negligible testing profile
  • MS09-064 : : Marginal impact and negligible testing profile
  • MS09-065 : : Marginal impact and negligible testing profile
  • MS09-066 : : Marginal impact and negligible testing profile
  • MS09-067 : : Moderate impact and negligible testing profile
  • MS09-068 : : Marginal impact and negligible testing profile


Patch NameTotal
Issues
Matches
Affected
RebootRatingRAG
Microsoft Security Bulletin MS09-063<1%<1%YESCriticalGreen
Microsoft Security Bulletin MS09-064<1%<1%YESCriticalGreen
Microsoft Security Bulletin MS09-065<1%<1%YESCriticalGreen
Microsoft Security Bulletin MS09-066<1%<1%YESImportantGreen
Microsoft Security Bulletin MS09-0671%1%YESImportantAmber
Microsoft Security Bulletin MS09-068<1%<1%YESImportantGreen

Legend:
No IssueNo Issues Detected
FixablePotentially fixable application Impact
SeriousSerious Compatibility Issue

Security Update Detailed Summary
MS09-063Vulnerability in Web Services on Devices API Could Allow Remote Code Execution (973565)
DescriptionThis security update resolves a privately reported vulnerability in the Web Services on Devices Application Programming Interface (WSDAPI) on the Windows operating system. The vulnerability could allow remote code execution if an affected Windows system receives a specially crafted packet. Only attackers on the local subnet would be able to exploit this vulnerability.
PayloadWsdapi.dll
ImpactCritical – Remote Code Execution

MS09-064Vulnerability in License Logging Server Could Allow Remote Code Execution (974783)
DescriptionThis security update resolves a privately reported vulnerability in Microsoft Windows 2000. The vulnerability could allow remote code execution if an attacker sent a specially crafted network message to a computer running the License Logging Server. An attacker who successfully exploited this vulnerability could take complete control of the system. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter.
PayloadLlscustom.dll
ImpactCritical – Remote Code Execution

MS09-065Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)
DescriptionThis security update resolves several privately reported vulnerabilities in the Windows kernel. The most severe of the vulnerabilities could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font. In a Web-based attack scenario, an attacker would have to host a Web site that contains specially crafted embedded fonts that are used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince the user to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes the user to the attacker's site.
PayloadWin32k.sys, W32ksign.dll
ImpactCritical – Remote Code Execution

MS09-066Vulnerability in Active Directory Could Allow Denial of Service (973309)
DescriptionThis security update resolves a privately reported vulnerability in Active Directory service, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow denial of service if stack space was exhausted during execution of certain types of LDAP or LDAPS requests. This vulnerability only affects domain controllers and systems configured to run ADAM or AD LDS.
PayloadAdamdsa.dll
ImpactImportant – Remote Code Execution

MS09-067Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652)
DescriptionThis security update resolves several privately reported vulnerabilities in Microsoft Office Excel. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadExcel.exe
ImpactImportant – Remote Code Execution

MS09-068Vulnerability in Microsoft Office Word Could Allow Remote Code Execution (976307)
DescriptionThis security update resolves a privately reported vulnerability that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadWinword.exe
ImpactImportant – Remote Code Execution

Wednesday 11 November 2009

Microsoft TechEd EMEA: A few days in Berlin

It's going to be a super quick post today.

I have been working the Converter Technology (http://www.convertertechnology.com/) stand and the Getronics stands at the Microsoft TechEd exhibition all day and now have to do my day job (in the evening.)

I just thought that I would post some of the images of the stand and include some of the great people working with us.



These chaps are from Converter Technonology who automatically scan for "document" level compatibility issues and fix them... which sounds kinda familiar doesn't it?

Will post properly once I am back in the UK.


Thursday 5 November 2009

MS09-054: IE8 Security Update - Updated

    October 2009 saw the biggest Microsoft security update - both in terms of breadth and depth of patches delivered  and bugs fixed.
    However, we have seen three updates to this October Security update over the past few weeks.
    On October 14, Microsoft offered up a workaround for a problem with MS09-056, then corrected several errors in MS09-062 last week.
    The company also revised an August update, MS09-043, last week to correct a patch-detection error that may have left some corporate users who receive updates via Windows Server Update Services (WSUS) un-patched.
    Now, the Internet Explorer (IE) 8 Patch MS09-054 was updated on November 3rd with a binary level revision of the security files.
    From our last AOK Patch Tuesday assessment, here are the details for this patch.
    MS09-054
    Cumulative Security Update for Internet Explorer (974455)
    Description
    This security update resolves three privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
    Payload
    Iecustom.dll, Browseui.dll, Cdfview.dll, Danim.dll, Dxtmsft.dll, Dxtrans.dll, Iepeers.dll, Inseng.dll, Jsproxy.dll, Mshtml.dll, Msrating.dll, Mstime.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Urlmon.dll, Wininet.dll, Browseui.dll, Cdfview.dll, Danim.dll, Dxtmsft.dll, Dxtrans.dll, Iepeers.dll, Inseng.dll, Jsproxy.dll, Mshtml.dll, Msrating.dll, Mstime.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Urlmon.dll, Wininet.dll, Iecustom.dll
    Impact
    Critical – Remote Code Execution
    We at the AOK Patch team were pretty concerned about this patch and rated it an AMBER due to the number of application overlaps and the potential for impacts on the target Operating system. We have re-run the reports for this patch and the updated BITS do not materially impact the results. However, the AOK team still recommends that this patch requires extensive testing prior to deployment.
    For reference, I have included the RAG status for all of these patches in this blog posting;
    Patch Name
    Total
    Issues
    Matches
    Affected
    Reboot
    Rating
    RAG
    Security Bulletin MS09-050
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-051
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-052
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-053
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-054
    1%
    1%
    YES
    Critical
    Amber
    Security Bulletin MS09-055
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-056
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-057
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-058
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-059
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-060
    1%
    1%
    YES
    Critical
    Amber
    Security Bulletin MS09-061
    1%
    1%
    YES
    Critical
    Amber
    Security Bulletin MS09-062
    11%
    <1%
    YES
    Critical
    Red

    And, for all those not rabidly following the AOK "Language of Life", we use Red,  Amber and Green to colour our world. So, here is a legend for these results.
    Legend:
    No Issue
    No Issues Detected
    Fixable
    Potentially fixable application Impact
    Serious
    Serious Compatibility Issue

Monday 2 November 2009

5x5x5 Migration Issues: App-V 4.x to 4.6

Well,

This is the third part of my by three part blog - and, it looks like I might have to add another piece - meaning  that, this is really the 3rd part of a 4 part blog post ... oops

As mentioned in the previous two postings, we need to get applications working on Windows 7 and App-V: together. Meaning getting an application successfully deployed and running on a App-V client running on top of Windows 7.

This blog posting relates to the challenges facing administrators who have existing App-V packages (client versions 4.1 and 4.2) which were probably sequenced on Windows XP who will need to migrate these packages to the App-V client 4.5. In fact, though the most recent client version of App-V is 4.5 CU1, we really should be planning for clients to deploy to version 4.6, which is expected to be released Microsoft to production soon. Thus, I have tailored our results of the SFT package analysis to take client 4.6 issues into account as well.

With the updated release of Microsoft App-V 4.5 (and also relating to the update CU1 and 4.6 BETA), there has been a number of significant architectural changes that impacted how applications are sequenced. As a result, the sequencing practices are now different for versions for App-V 4.2 and later versions. As included in the release notes App-V 4.5, there are now several core components which may generate application compatibility issues with App-V applications including;

  • .NET Installation Components
  • Microsoft Internet Explorer Components
  • Microsoft MSI Installer Redistributables
  • Core Operating System (OS) components
  • Installation artefacts (settings left-over from MSI Installation processes)

In addition, to these issues, it appears that empty directories (or folders) that are captured as part of the sequencing process are causing the App-V VFS to crash on certain clients. We have not fully analysed this issue yet  - however, I have included the results for our AOK "Empty Directory Check" Plugin for illustrative purposes.




I am really surprised by the results. And, by means of qualifying the results, this is really a preliminary analysis of these App-V SFT file types. The AOK Plugins may need to be refined or seriously modified based on some real empirical evidence of client issues. That said, all of the manual testing of each of these "classes" of issues   did match the AOK Plugin results.

I am going to spend some time analysing these results but it looks like the big issues are .NET and IE integrations issues with a surprisingly high number of SFT packages with empty directories - something that is known to crash the Microsoft App-V client sub-system. Maybe some more thought is required here.

To help out with explaining what we are actually looking for in each App-V SFT file, I have included some brief "snippets" of the AOK Plugin descriptionsincluded in this particular report. Each description should give you an idea of the things that we are looking for in each application package, and the reason why we are looking there.

Darwin Descriptors Registry Check
This AOK Plugin will analyse each selected and loaded application for the following Registry key HKEY_CLASSES_ROOT\extfile\shell\Open\command within each application package. If a Darwin descriptor registry key has been raised, and AMBER Issue will be flagged by the AOK application.

Empty Directory Check
This AOK Plugin will analyse each loaded and selected application package and ensure that the loaded MSI or SFT file does not contain any non system empty directory table entries. This Plug-in will raise an AMBER issue if these types of directories are detected in an application package.

Internet Explorer Integration Analysis
This AOK Plugin analyses each loaded and selected application package for file entries that are included as part of the Microsoft Internet Explorer 6  (IE6) redistribution package. This Plug-in will raise an AMBER issue if these files are detected in an application package.

Known DLL File Check Analysis
This AOK Plugin will analyse loaded and selected application packages for file level entries that match the list of Microsoft Known DLL's. The DLL's contained within this list will not support SxS isolation or any other Microsoft redirection technology. This AOK Plugin will generate AMBER results.

Microsoft .NET Sequenced Component Analysis
This AOK Plugin analyses each loaded and selected application package for file entries that are included as part of the Microsoft Windows .NET redistribution package. This Plug-in will raise an AMBER issue if these files are detected in an application package.  Due to the Operating System and .NET installation requirements, if older versions (.NET 1.X and 2.X) are included in a sequenced package then application runtime issues may arise.

Windows Installer Redistributable Analysis
This AOK Plugin analyses each loaded and selected application package for file entries that are included as part of the Microsoft Windows Installer  redistribution package. This Plug-in will raise an AMBER issue if these files are detected in an application package.

Sequencer Registry Exclusion Analysis
This AOK Plugin analyses each loaded and selected application package for file entries that are not fully captured as part of the  Microsoft App-V sequencing process. This Plug-in will raise an AMBER issue if these registry settings are detected in an application package.

The final blog posting in this series will analyse some of the results and attempt to match these results to real world scenarios and possible application compatibility issues.