Thursday 27 August 2009

App-Compat: The Pro's weigh in...

Application Compatibility is a money maker. I knew it!

Well, for most people it's a real head-ache, and so Microsoft has launched a telephone based service to deal with application compatibility issues.

The link to the service description can be found here: http://support.microsoft.com/default.aspx?pr=advisoryservice.

"The delivery time for Advisory Services is generally 20 hours or less and consists of a specific service scope. It is designed for developers, IT Professionals, and other customers who do not require traditional onsite consulting or sustained account management services that are available from other Microsoft support options."

Microsoft Professional Break-fix support is an incident based, fixed price, reactive support option that focuses on a specific problem, error message, or functionality that is not working as designed."

The service is pretty hefty I think at $210 per hour. Given that it takes, on average (at least from my experience) 2-4 hours to identify and resolve a compatibility issue with a particular application.

That works out to (on average) over $500 per application. Wow!


And, here is the best bit: "The following Advisory Services are currently available only in the United States and Canada."

Good thing Europe and Asia don't have application compatibility issues... Errhh Oopps!

Wednesday 26 August 2009

Microsoft updates Compatibility Documentation

This may be an accident, or just a minor typo.

Microsoft has updated it's overview document on compatibility strategies for dealing with Windows 7 application issues.

The document is worth a read as it sums up all of Microsoft's current strategies for mitigating application compatibility issues in a single document. Note: for you technical people out there, the price for all this information in one place is that all that compatibility information is delivered at a pretty high level. So, consider it an executive overview.


The document covers topics that include;


  • Increasing Reliability
  • Enhancing Security
  • Improving Performance
  • Advancing Usability
  • Removing Legacy Components


In addition, it delivers a high level introduction to the following Microsoft technologies;


  • Windows Virtual PC
  • Windows XP Mode for Windows 7
  • Microsoft Desktop Optimization Pack (MDOP)
  • Microsoft Enterprise Desktop Virtualization (MED-V)
  • Application Virtualization (App-V)


I suggest that the real meat of the document is included in the "Removing Legacy Components" section, which is surprisingly complete and offers a moderate level of detail.


You can find the document here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=6893c7ce-5c75-45ae-9b6f-18f202420f2b


Quite amusingly, the document publishing date is September 2009. So, this may be a mistake, and you probably should download a copy sooner rather than later.


Monday 24 August 2009

XP Mode - More trouble to come

I blogged a while ago about some of the issues surrounding XP Mode under Windows 7.


For those of you who are not aware of this functionality recently introduced in Windows RTM; XP Mode provides a virtual PC version of Windows XP SP3 bundled in Windows 7. For more information on this windows 7 application compatibility functionality look here: http://www.microsoft.com/windows/virtual-pc/

The idea behind putting a virtual PC in a bundled Windows release is a good one. For many enterprise customers, this option will not be exercised as they will require more functionality offered by Microsoft's App-V or Med-V solutions. So, this option for support XP dependant applications is really targeted at the Small and Mid-Sized businesses.

There are a number of problems/issues surrounding XP Mode for Windows 7 though including; (and not in any particular order)



And, now Antivirus vendors are entering they fray:


http://www.pcpro.co.uk/news/enterprise/351016/microsoft-and-sophos-bicker-over-windows-7-xp-mode

And

http://www.theregister.co.uk/2009/08/21/win7_xp_compatability_row/


I am waiting to see how the Microsoft partner ecosystem responds to these issues. They should not be complaining - this could be a great opportunity for a new feature to their existing product sets (competitive differentiators) or even new products.

Wednesday 19 August 2009

TS Application Compatibility Tools Updated

With the RTM release of Windows 7, Microsoft is upping the revs on it's compatibility tool-sets on the desktop and their server platforms (Windows 2008 R2) with the latest version of the Terminal Services RDS Application Analyser.

Drawing straight from the TS Application Compatibility documentation, this tool is intended to cover the following areas;

• Application Installation: dealing with issues such as concurrent application installation and configuration that may cause issues with applications that are designed for single-use installations
• Concurrent Application Usage: this area covers file, registry, IP address and named pipe issues caused by multiple instances of an application
• Performance: this section with application performance issues for application usage over the network
• Devices on the TS Server: This is the "big" problem area as clip-board and drivers may not deliver full integration from the server to the client.

This updated run-time application verification tool is available at the following link:
http://connect.microsoft.com/tsappcompat

In addition, there was a posting from the Brian Madden blog site relating to application compatibility issues on Terminal Services.

This posting raised the question of whether Terminal Services causes application compatibility issues any more? The posting can be found here: http://www.brianmadden.com/blogs/brianmadden/archive/2009/08/18/is-application-compatibility-still-a-problem-for-terminal-server.aspx

I feel that in general application compatibility issues have been greatly reduced over the last few years with the recent updates to the Windows Server platform and Terminal Services in particular. However, there are a still a number of issues that plague applications, notably platform support (you still have to get an application working on the server before you can TS it...) including the following application compatibility topics;

• 16-bit API References
• Legacy Installation Routines
• Virtual Memory Issues
• Process Creation API and privilege issues

That said, Terminal Services is a great platform for a deploying a selection of your application portfolio in a very cost effective manner.

Thursday 13 August 2009

Patch Tuesday - August 2009

This AOK Patch Impact report deals with the August 11th Microsoft Patch Tuesday Security Update. This Microsoft security update includes nine patches; five rated Critical and the other four rated as Important by Microsoft.

After loading the ChangeBASE AOK application testing portfolio into the AOK Patch Impact database, the nine patches were tested for application level issues and in addition; application dependencies. For these nine Microsoft Security updates, only the Microsoft Office updates (MS09-043 and 039) raised a minor number of issues against the ChangeBASE AOK test application portfolio. All other updates did not raise any other patch impact related issues.

With these very low numbers of issues for these nine security updates, the ChangeBASE AOK team recommends that all these patches are rapidly deployed to a staging environment and then subsequently into Production.

The ChangeBASE AOK team recommends that with all changes to an environment basic UAT testing is performed on all business critical applications. However, for the Microsoft Security updates marked as Green, only marginal build level testing should be required.

Here is a sample report extract from one of the few applications in the AOK ChangeBASE Application Test Portfolio that raised a number of dependency level issues with the MS09-039 Security Update.

img

Testing Summary
  • MS09-036: Impact (both Package level and dependencies) detected across portfolio
  • MS09-037: Impact (both Package level and dependencies) detected across portfolio
  • MS09-038: Impact (both Package level and dependencies) detected across portfolio
  • MS09-039: Impact (both Package level and dependencies) detected across portfolio
  • MS09-040: Impact (both Package level and dependencies) detected across portfolio
  • MS09-041: Impact (both Package level and dependencies) detected across portfolio
  • MS09-042: Impact (both Package level and dependencies) detected across portfolio
  • MS09-043: Impact (both Package level and dependencies) detected across portfolio
  • MS09-044: Impact (both Package level and dependencies) detected across portfolio











Patch Name Total
Issues
Matches
Affected
Reboot Rating RAG
Microsoft Security Bulletin MS09-036 0 <1% YES Important Important
Microsoft Security Bulletin MS09-037 0 <1% YES Critical Critical
Microsoft Security Bulletin MS09-038 0 <1% YES Critical Critical
Microsoft Security Bulletin MS09-039 1 <1% YES Critical Critical
Microsoft Security Bulletin MS09-040 0 <1% YES Important Important
Microsoft Security Bulletin MS09-041 0 <1% YES Important Important
Microsoft Security Bulletin MS09-042 0 <1% YES Important Important
Microsoft Security Bulletin MS09-043 2 <1% YES Critical Critical
Microsoft Security Bulletin MS09-044 0 <1% YES Critical Critical


Legend:
No Issue No Issues Detected
Fixable Potentially fixable application Impact
Serious Serious Compatibility Issue


Security Update Detailed Summary
MS09-036 Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)
Description This security update resolves several privately reported vulnerabilities in Microsoft Active Template Library (ATL). The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control hosted on a malicious website. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Aspnet_wp.exe, Webengine.dll, System.web.dll
Impact Important

MS09-037 Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)
Description This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Spupdsvc.exe, Updspapi.dll, Wmp.dll, Wmpdxm.dll
Impact Critical

MS09-038 Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557).
Description This security update resolves two privately reported vulnerabilities in Windows Media file processing. Either vulnerability could allow remote code execution if a user opened a specially crafted AVI file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Avifil32.dll
Critical Critical

MS09-039 Vulnerabilities in WINS Could Allow Remote Code Execution (969883).
Description This security update resolves two privately reported vulnerabilities in the Windows Internet Name Service (WINS). Either vulnerability could allow remote code execution if a user received a specially crafted WINS replication packet on an affected system running the WINS service. By default, WINS is not installed on any affected operating system version. Only customers who manually install this component are affected by this issue.
Payload Sp3res.dll, Wins.exe, Winsevnt.dll.
Impact Critical

MS09-040 Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032).
Description This security update resolves a privately reported vulnerability in the Windows Message Queuing Service (MSMQ). The vulnerability could allow elevation of privilege if a user received a specially crafted request to an affected MSMQ service. By default, the Message Queuing component is not installed on any affected operating system edition and can only be enabled by a user with administrative privileges. Only customers who manually install the Message Queuing component are likely to be vulnerable to this issue.
Payload Mq1repl.dll, Mq1sync.exe, Mqac.sys, Mqads.dll, Mqbkup.exe, Mqcertui.dll, Mqclus.dll, Mqdbodbc.dll, Mqdscli.dll, Mqdssrv.dll, Mqlogmgr.dll, Mqmig.exe, Mqmigrat.dll, Mqoa.dll, Mqperf.dll, Mqqm.dll, Mqrperf.dll, Mqrt.dll, Mqsec.dll, Mqsnap.dll, Mqsvc.exe, Mqupgrd.dll, Mqutil.dll, Msmq.cpl, Msmqocm.dll.
Impact Critical

MS09-041 Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657).
Description This security update resolves a privately reported vulnerability in the Windows Workstation Service. The vulnerability could allow elevation of privilege if an attacker created a specially crafted RPC message and sent the message to an affected system. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials to a vulnerable system in order to exploit this vulnerability. The vulnerability could not be exploited by anonymous users..
Payload Wkssvc.dll.
Impact Important

MS09-042 Vulnerability in Telnet Could Allow Remote Code Execution (960859).
Description This security update resolves a publicly disclosed vulnerability in the Microsoft Telnet service. The vulnerability could allow an attacker to obtain credentials and then use them to log back into affected systems. The attacker would then acquire user rights on a system identical to the user rights of the logged-on user. This scenario could ultimately result in remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights..
Payload tlntsess.exe, telnet.exe.
Impact Important

MS09-043 Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638).
Description This security update resolves several privately reported vulnerabilities in Microsoft Office Web Components that could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Owc11.dll, Owc11pia.dll, Atp.dll, Owc10.dll.
Impact Critical

MS09-044 Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927).
Description This security update resolves two privately reported vulnerabilities in Microsoft Remote Desktop Connection. The vulnerabilities could allow remote code execution if an attacker successfully convinced a user of Terminal Services to connect to a malicious RDP server or if a user visits a specially crafted Web site that exploits this vulnerability. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Mstscax.dll, Msrdp.ocx, Msrdpcustom.dll, 2k3mstsc.exe, 2k3mstscax.dll, 2k3mstsc.exe, 2k3mstscax.dll.
Impact Critical

c. 800 applications were tested against these patches using the ChangeBASE ACL (Application Compatibility Lab)