Tuesday, 23 December 2008

Netbooks - The new cabbage patch kid

I have done the unthinkable. Or at least, what last year would have been considered profligate and a little excessive.

 

I have bought my 5-year old daughter a laptop. A pink one. And, I love it!

 

More specifically, I have bought a Netbook. I first saw one of these small black Linux based thingies about 6 months ago and was summarily un-impressed. Really, really could not care. I have a beautiful, small, powerful laptop (a Panasonic ToughBook) that delivers great performance with a full day of battery life. Why would I suffer for a smaller form factor, with cramped keyboards, reduced performance and less battery? Less, Less, Less.

 

And today, that "Less" is definitely all I need. Now, when we travel the kids can watch videos in the back of the car and I don't need to bring my laptop along - just to check my email.

 

In case you are interested, I bought the Acer Aspire One. The full specs can be found here; http://www.simplyacer.com/Aspire_One_Pink_457153.html

 

I bought the XP version - really out of the fear of the unknown. I literally have no spare time - and so, my tolerance for any sort of learning/configuration curve is absolutely ZERO right now. Linux may be cool, faster and definitely cheaper - but I still cannot afford any time to even start the journey to learning a new desktop operating system.

 

That said, others will. Many others will definitely start considering Linux for their "Netbook" needs. This will deliver a double blow for Microsoft. No OS revenue and definitely no Office licenses either. And, perhaps even more dangerous for Microsoft, this may be just the crack in the door that Cloud computing requires to really take-off (no pun intended).

 

Anyways, I did my bit for the economy, got my kid a nice gift and get to play with a new toy as soon as she goes to bed (I have been told to wait until then- to prevent any fights). 


This Netbook thing could be the start of something good.


Thursday, 18 December 2008

IE - Is it now scary enough?

A few nights ago, a neighbor of mine called and sounded quite distressed. She's a mother of 3 and when she calls it's usually about school runs or who is taking care of the kids after school. Before we could exchange the usual social graces, she blurted out, "How do I get rid of Internet Explorer?"

 

Tough question. And, given the person I was talking to, there was no point in answering the question with a, "You can't. It's embedded in the Operating System." Instead, I replied, "Why?"

 

"Because those hackers in China can steal my computer", she replied.

 

Ohhh…  So, IE's security vulnerabilities have finally gone mainstream.  And by mainstream I mean the BBC;

http://news.bbc.co.uk/1/hi/technology/7788687.stm

 

No wonder she was terrified.

 

And she is not alone. Cruising some of the Patch related newsgroups, there were numerous comments from government and military organizations that have simply turned off internet access for IE. One organization has reportedly disconnected 65% of their work-force until they can test and deploy the latest IE patch, which can be found here;

http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

 

I work with the Microsoft security team quite a bit and, given what I know, dumped IE years ago. My journey through the browser jungle took me through Firefox, Safari, and finally Chrome - where I am sufficiently happy/unhappy to remain.

 

For those stuck on IE - download and deploy this patch IMMEDIATELY.  Then, when you have a chance to catch your breath; consider the alternatives;

 

Monday, 15 December 2008

INIFiles - Getting those legacy files into order

Handling INI files can be a little tricky these days when you have to consider new security restrictions, virtualized environment restrictions (SoftGrid and Citrix) and legacy applications that don't install the way they should... Or, more importantly, stay installed the way they were intended to.

 

INI files are configuration files used to store application, user or machine information. They have been used for the past 10 years and have been used really well (by Microsoft) and abused by some (IBM's Lotus Notes) to store information and help configure applications.

 

There is a reasonable definition of INI Files located here;

http://encyclopedia2.thefreedictionary.com/INI+file

 

The reason I am making this post is that INI files are causing some considerable issues with Vista, Citrix and SoftGrid deployments. Application installations are installing and configuring INI files in semi-secure or secure locations and either the user or the application is not able to properly read and/or write to these text based configuration stores. For example, under SoftGrid, the application will install correctly but when a user tries to run the application, critical information is either not stored or captured during the normal application loading/running process.


There are a few solutions;


1) Employ the MoveIniToRegistry Shim

Chris Jackson has an excellent posting on this technique found here

http://blogs.msdn.com/cjacks/archive/2008/01/03/stock-viewer-shim-demo-application.asp


2) Use INIFileMapping

3) Frig (i.e. Hack) your local security settings and hope for the best (hint: turn off your mobile)

  

I prefer option 2, as the INI File Mapping allows you to replace your INI Files with entries (keys, names and values) in the Registry. This is great/useful as you can neatly avoid any local security restrictions as well as benefit from roaming profiles (e.g. not having to copy INI files on application start-up each time a new user logs onto a machine).

 

Microsoft has a great Knowledge Note/Support article which can be found here; http://support.microsoft.com/kb/102889

 

I won't replicate what has already been said in the Microsoft article but there are a few caveats;

 

  1. INI File Mapping works great for Vista and SoftGrid - but DO NOT use for Citrix when actually installing applications. See the Microsoft support note here:  http://support.microsoft.com/kb/186504
  2. Your application needs to use the supported APIs (GetPrivateProfileString and WritePrivateProfileString)
Note: you will find out really quickly if your application does not support INI File Mapping as your registry based settings will be ignored and your local INI file will be updated.
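
A minimal mapping for option 2, written as a .reg file. This is an added example, not taken from the original post or from the Microsoft article; the file name legacyapp.ini, the ExampleVendor key paths and the section names are hypothetical, while the IniFileMapping key location and the USR:, SYS:, ! and @ prefixes are the ones documented for the profile APIs.

```reg
Windows Registry Editor Version 5.00

; Hypothetical application "LegacyApp" that reads and writes legacyapp.ini
; through GetPrivateProfileString / WritePrivateProfileString.
; The subkey name is the INI file name only, without a path.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\legacyapp.ini]

; [Settings] section -> HKEY_CURRENT_USER\Software\ExampleVendor\LegacyApp\Settings
; USR: paths are relative to HKEY_CURRENT_USER, so the data follows a roaming profile.
"Settings"="USR:Software\\ExampleVendor\\LegacyApp\\Settings"

; [Licensing] section -> HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\LegacyApp\Licensing
; SYS: paths are relative to HKEY_LOCAL_MACHINE\SOFTWARE (machine-wide, admin-managed).
"Licensing"="SYS:ExampleVendor\\LegacyApp\\Licensing"

; [Recent] section: the "!" prefix writes to both the registry and the INI file
; on disk, for cases where another tool still parses the file directly.
"Recent"="!USR:Software\\ExampleVendor\\LegacyApp\\Recent"

; Default (unnamed) value: applies to every section not listed above.
; The "@" prefix stops reads from falling back to the INI file on disk
; when the requested entry is missing from the registry.
@="@USR:Software\\ExampleVendor\\LegacyApp\\Other"
```

Sections mapped with SYS: land under HKEY_LOCAL_MACHINE\SOFTWARE, which standard users cannot write to by default, so anything the application writes at run time belongs under a USR: mapping.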



Friday, 12 December 2008

December Patch Tuesday - Will we have time?

Though this is a more personal blog - I do like to post our results for Microsoft's monthly security update release bonanza - Patch Tuesday. I have included the results

It would be too easy, if I just posted the Patch Impact summaries for each update. No, I have to weigh-in with an opinion.

First, I think that M$ is doing a great job here. I think that the patches included in the following summary are necessary and judging from the CVS reports were sorely needed. Secondly, I think that we may need to re-think the schedule for Patch Tuesday to accommodate the holiday season.

Most organizations will implement Change Control (or, Change Freeze) sometime this week; which is a self-induced state of paralysis that precedes each Christmas and New Year. The intent of this "Change Control" restriction is to reduce the nature and number of changes over the holiday season due to the increased risk of something going wrong due to;

- missing staff (potential reasons: holiday, sickness, drunkenness)
- reduced 3rd party or contractor staff due to the above reason
- possible end-of-year focus or other business restrictions

While Microsoft has released a massive update this month, it normally requires most organizations at least 2-weeks to deploy their patches/updates. This schedule places the likely update window right in the middle of the Christmas break; which is a bad time for IT systems to break.

My suggestion is this; for December, roll-out the patches early. Let the business end of IT have some time to determine what is critical to deploy this side of the year and then have some time to deploy it.


And, as threatened, here is the testing summary;

  • MS08-070: Marginal impact with Medium numbers of applications affected
  • MS08-071: Medium impact with High numbers of applications affected
  • MS08-072: Marginal impact with Low numbers of applications affected
  • MS08-073: High impact with High numbers of applications affected
  • MS08-074: Marginal impact with Low numbers of applications affected
  • MS08-075: Marginal impact with Low numbers of applications affected
  • MS08-076: Marginal impact with Low numbers of applications affected
  • MS08-077: Marginal impact with Low numbers of applications affected


| Patch Name | Total Issues | % of apps Affected | Reboot | Rating | RAG |
| --- | --- | --- | --- | --- | --- |
| Microsoft Security Bulletin MS08-070 | <1% | <13% | YES | C | Issue |
| Microsoft Security Bulletin MS08-071 | 16% | <39% | YES | C | Serious Issue |
| Microsoft Security Bulletin MS08-072 | <1% | <1% | YES | C | No Issue |
| Microsoft Security Bulletin MS08-073 | <70% | <35% | YES | C | Serious Issue |
| Microsoft Security Bulletin MS08-074 | <1% | <1% | YES | C | No Issue |
| Microsoft Security Bulletin MS08-075 | <1% | <1% | YES | C | No Issue |
| Microsoft Security Bulletin MS08-076 | <1% | <1% | YES | I | No Issue |
| Microsoft Security Bulletin MS08-077 | <1% | 7% | YES | I | No Issue |

Legend:
No Issue: No Issues Detected
Fixable: Potentially fixable application Impact
Serious: Serious Compatibility Issue

M = Moderate 
I = Important 
C = Critical 

c. 800 applications were tested against these patches using the ChangeBASE ACL (Application Compatibility Lab) 

Security Update Detailed Summary
MS08-070: Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)
Description: This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in the ActiveX controls for the Microsoft Visual Basic 6.0 Runtime Extended Files. These vulnerabilities could allow remote code execution if a user browsed a Web site that contains specially crafted content. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Comct232.msm, Comct232.ocx, Mschrt20.msm, Mschrt20.ocx, Mscomct2.msm, Mscomct2.ocx, Msflxgrd.msm, Msflxgrd.ocx, Mshflxgd.msm, Mshflxgd.ocx, Msmask32.msm, Msmask32.ocx, Mswinsck.msm, Mswinsck.ocx
Impact: Remote Code Execution

MS08-071: Vulnerabilities in GDI Could Allow Remote Code Execution (956802)
Description: This security update resolves two privately reported vulnerabilities in GDI. Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Gdi32.dll, Mf3216.dll
Impact: Remote Code Execution

MS08-072: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173)
Description: This security update resolves eight privately reported vulnerabilities in Microsoft Office Word and Microsoft Office Outlook that could allow remote code execution if a user opens a specially crafted Word or Rich Text Format (RTF) file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Winword.exe, Wwlib.dll, Msword.olb, Wrd12cnv.dll, Wordcnv.exe
Impact: Remote Code Execution

MS08-073: Cumulative Security Update for Internet Explorer (958215)
Description: This security update resolves four privately reported vulnerabilities. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Browseui.dll, Danim.dll, Dxtmsft.dll, Iecustom.dll, Iepeers.dll, Inseng.dll, Jsproxy.dll, Mshtml.dll, Msrating.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Url.dll, Urlmon.dll, Wininet.dll, Iecustom.dll
Impact: Remote Code Execution

MS08-074: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)
Description: This security update resolves three privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Excel.exe, Excel.man, Excel.pip, Xlcall32.dll
Impact: Remote Code Execution

MS08-075: Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)
Description: This security update resolves two privately reported vulnerabilities in Windows Search. These vulnerabilities could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Explorer-ppdlic.xrm-ms, Explorer.exe
Impact: Remote Code Execution

MS08-076: Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)
Description: This security update resolves two privately reported vulnerabilities in the following Windows Media components: Windows Media Player, Windows Media Format Runtime, and Windows Media Services. The most severe vulnerability could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload:
Impact: Remote Code Execution

MS08-077: Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)
Description: This security update resolves a privately reported vulnerability. The vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure.
Payload: Adodb.dll, Bdcconn.dll, Chsbrkr.dll, Chtbrkr.dll, Danlr.dll, Dbghelp.dll, Docxpageconverter.exe, Adodb.dll, Microsoft.mshtml.dll, Microsoft.stdformat.dll, Msdatasrc.dll, Grclr.dll, Grcste.dll, Huczlr.dll, Korwbrkr.dll, Lrpolish.dll, Microsoft.office.server.dll, Microsoft.office.server.dll, Microsoft.office.server.native.dll, Microsoft.office.server.ui.dll, Microsoft.sharepoint.publishing.dll, Microsoft.mshtml.dll, Microsoft.stdformat.dll, Mir.fi.dll, Msdatasrc.dll, Msgfilt.dll, Msscntrs.dll, Mssdmn.exe, Mssearch.exe, Mssph.dll, Mssrch.dll, Natlang6.dll, Natlangnlsd0000.dll, Natlangnlsd0001.dll, Natlangnlsd0002.dll, Natlangnlsd0003.dll, Natlangnlsd0007.dll, Natlangnlsd0009.dll, Natlangnlsd000a.dll, Natlangnlsd000c.dll, Natlangnlsd000d.dll, Natlangnlsd000f.dll, Natlangnlsd0010.dll, Natlangnlsd0011.dll, Natlangnlsd0013.dll, Natlangnlsd0018.dll, Natlangnlsd0019.dll, Natlangnlsd001a.dll, Natlangnlsd001b.dll, Natlangnlsd001d.dll, Natlangnlsd0020.dll, Natlangnlsd0021.dll, Natlangnlsd0022.dll, Natlangnlsd0024.dll, Natlangnlsd0026.dll, Natlangnlsd0027.dll, Natlangnlsd002a.dll, Natlangnlsd0039.dll, Natlangnlsd003e.dll, Natlangnlsd0045.dll, Natlangnlsd0046.dll, Natlangnlsd0047.dll, Natlangnlsd0049.dll, Natlangnlsd004a.dll, Natlangnlsd004b.dll, Natlangnlsd004c.dll, Natlangnlsd004e.dll, Natlangnlsd0414.dll, Natlangnlsd0416.dll, Natlangnlsd0816.dll, Natlangnlsd081a.dll, Natlangnlsd0c1a.dll, Natlangnlsl0009.dll, Notesph.dll.oss, Offfiltx.dll, Office.odf, Osrvintl.dll, Oss.intl.dll, Pkmexsph.dll, Pkmnpw.dll, Portal.dll, Portal.dll, Query9x.dll, Searchom.dll, Searchom.dll, Sharepointpub.dll, Sharepointpub.gac.dll, Spsimpph.dll, Spsintl.dll, Srchipp.dll, Srchpml.dll, Ssocli.dll, Ssoom.dll, Ssoom.dll, Ssoperf.dll, Ssoprvad.exe, Ssosec.dll, Ssosec.dll, Ssosrv.exe, Stdole.dll, Stdole.dll, Svrsetup.dll, Svrsetup.exe, Thawbrkr.dll, Tquery.dll, Trklr.dll, Upgrade.dll
Impact: Elevation of Privilege

Thursday, 4 December 2008

Vista Service Pack 2 - Looking pretty solid

I am really surprised about this - I shouldn't be and thus, I don't want to appear unduly negative. Microsoft is planning to ship its 2nd Service Pack for Vista in mid-April 2009. Already a download of the BETA 2 release is available for MSDN subscribers and the documentation looks really good.

The BETA release of Vista SP2 can be found here;
technet.microsoft.com/en-us/windows/dd262148.aspx

Why am I surprised? Well, I shouldn't be, but this release is right on schedule. It looks like the Microsoft release management team has really got its act together. Which means, (fingers crossed) that Windows 7 may actually be delivered on time (i.e. to a previously published schedule).

You can really tell now that application compatibility is a really key issue with Service Pack 2; as the updated documentation includes the following quote;

"It is our goal that applications that run on the Windows Vista Operating System today and are written using public APIs will continue to work as designed on Windows Vista SP2. Previously released Application Compatibility updates are included in Windows Vista SP2."

For those interested in the contents of the next Vista Service Pack, Microsoft has published a document "Notable Changes in Windows Vista SP2 BETA" here; http://technet.microsoft.com/en-us/library/dd335036.aspx

And, a list of the hotfixes and updates included in Vista SP2 can be found here;
http://technet.microsoft.com/en-us/library/dd335033.aspx


A brief summary of the updates and modifications includes;

• Bluetooth 2.1 feature pack supporting the most recent specification for Bluetooth technology
• Ability to record data on Blu-Ray media,
• Adds Windows Connect Now (WCN) Wi-Fi Configuration to Windows Vista SP2,
• exFAT file system now supports UTC timestamps, which enables correct file synchronization across time zones.
• SP2 provides support for new form factors, such as ICCD/CCID.
• Support for the new VIA 64-bit CPU Security
• SP2 includes all previously released security updates, and builds on the proven security benefits of Windows Vista
• Secure Development Lifecycle process updates
• SP2 includes previously released reliability updates
• Resume performance issue resolved when Wi-Fi connection is no longer available after resume from sleep

Maintenance and Support Enhancements include;
• Inclusion of Windows Search 4
• Improvements to the RSS feeds sidebar gadget
• Spysweeper and ZoneAlarm now working with POP3 email accounts
• Single installer for both Vista & Server 2008
• Ability to detect an incompatible driver and block service pack installation or warn users of any loss of functionality
• Better error handling and providing more descriptive error messages where possible
• Better manageability through logging in system event log
• Componentization for Serviceability of the installer

Some Specific Fixes/Additions Include:

• Inclusion of Hyper-V
• Event logging support in SPC
• DNS Server now listens over ISATAP address
• Fixes DRM issues from WMP upgrades
• Windows Vista Feature Pack for Wireless
• Reduction of resources required for sidebar gadgets
• Improved power settings for WS08

Monday, 24 November 2008

Windows 7: One Vista at a time.

OK, I admit that over the past few weeks I have been a keen Windows 7 enthusiast. I really like the UI tweaks and for an M3 build, performance is exactly on par with Vista SP1.

 

And, I am getting asked every day, "Should we wait for Windows 7?"

 

I think that the answer is a resounding NO; if you meet any of the following criteria;

 

  1. Your organisation would require over 1 year to completely migrate your applications and desktops from one platform to another. This generally translates to organisations with over 200 applications and 3000+ desktops. Yes, I know this covers most medium to large organisations.

  2. You are currently using Windows XP (or worse, Windows 2K). Given that Windows 7 could be 18-24 months away, vendors may stop supporting XP before you are able to move to Windows 7. See the Gartner report here: http://mediaproducts.gartner.com/reprints/microsoft/vol4/article4/article4.html . Michael Silver has some great recommendations including;

"Organizations that plan to skip Windows Vista should budget to replace at least twice as many PCs as normal in 2012" and that "Most organizations shouldn't skip Windows Vista entirely".

  3. Windows 7 will require at least the same (possibly more) application compatibility effort and desktop engineering efforts as Vista. Windows 7 is built on the Vista kernel (core) and all Windows 7 features will be a super-set of Vista's current offering. If you start now on the application compatibility effort with the transition to Vista, then the migration effort from Vista to Windows 7 should be quite straightforward.

  4. Windows 7 RTM may not be suitable for immediate deployment. Many organisations may have to wait for Service Pack 1 before they can migrate their desktop platforms. Windows 7 Service Pack 1 may not be available until 2011.

  5. Microsoft plans to tightly couple the release of the next version of their desktop and server platforms. Vista will be able to integrate better with these new server operating systems and will make a migration from Vista rather than XP much easier for application compatibility, security configuration and user acceptance.

 

 

References:

“The Business Value of Windows Vista: Five Reasons to Deploy Now”

http://download.microsoft.com/download/c/7/5/c75ff4cd-fb38-41e0-8da5-1bcd710ceb34/Vista_WP_online.pdf

 

 

Thursday, 20 November 2008

Vista: Powerful enough, but clever enough?

This blog is a little bit of a moan. Not a moan at Microsoft or Windows Vista for application compatibility issues. More of a whinge directed at my fellow Vista users; particularly Vista laptop users. And, I can't decide if large numbers of my colleagues and friends have seriously missed a major feature in Vista or that Microsoft has really missed a trick here.

The problem is Vista performance (and the perceived lack of performance) of Microsoft's Vista OS on laptops. We are getting some decent laptop builds out there now; Intel Dual Core 2 with 3 gigs of RAM is a decent configuration and I am still getting loads of complaints about the slow performance of Vista.

And, here is the really embarrassing bit. After a little bit of trouble-shooting I discovered on EVERY single machine, that the Power Settings was set to "Power Saver" instead of "High Performance".

Quoting from Microsoft's Help documentation;

• Balanced. Offers full performance when you need it and saves power during periods of inactivity.
• Power saver. Saves power by reducing system performance. This plan can help mobile PC users get the most from a single battery charge.
• High performance. Maximizes system performance and responsiveness. Mobile PC users might notice that their battery doesn't last as long when using this plan.

"Power Saver" mode is designed to maximize battery life for laptops, at the price of significantly reduced performance. Meaning; when you select this mode Vista will run slower.

Obviously, some bright spark in the past had configured this setting for each laptop with the intent of making the battery last as long as possible. This is fine and makes sense.

But this is where I start to lose my patience with Vista. It should be a lot more clever. My laptop "knows" when it is plugged in and Vista "knows" when I am plugged into an AC outlet as it shows a little charging symbol in my system tray.

So, why doesn't Vista automatically switch from "Power Saver" mode when I am off the mains and on the road and then back to "High Performance" mode when plugged into the mains?

Could this simple configuration error be the source of so many Vista performance issues?





Tuesday, 18 November 2008

I rarely get to experience this - hence the blog entry. When is the last time you worked on something that was a proper first iteration release from Microsoft? Sure, we (all) get plenty of BETA or ALPHA code; if you work hard and are lucky. Actually, there is plenty of BETA code around these days... But, how about pure, snow-white 1.0.0.0 releases? Pretty rare, eh?

Well that is what you get with the release of the Microsoft Cloud computing Azure Software Development Kit. Compared to the Platform SDK which weighs in at over a Gig of data (including samples of course) the Azure SDK is a lean 3.5 Meg.

That said, the requirements for the Azure SDK are pretty heavy and include;

• Windows Vista SP1 (when installing on Windows Vista)
• .NET Framework 3.5 SP1
• IIS 7.0 (with ASP.NET and WCF HTTP Activation)
• Microsoft SQL Server Express 2005 or Microsoft SQL Server Express 2008
• Windows PowerShell

And, when you try to download the .NET Framework 3.5 SP1 you get the following message;

"We are sorry, the page you requested cannot be found." Oops. Even Microsoft can make mistakes when rolling out a new version, but this link has been dead for 3 weeks now.

I tried installing the Azure SDK and the installation logic required (was looking for) the prior installation of .NET 3.5 SP1 - meaning that without this update, NO Azure SDK. You can't get Azure today, by following the Microsoft instructions.

So, a couple of questions;

1) Given that I am that Microsoft responds to dead-links pretty quickly - has no one else complained?
2) Does anyone care?


There are a few people out there already writing about Microsoft's Azure.... And they seem to answer the question rather strongly.

Have a read of Brian's Comments here:
http://www.brianmadden.com/blogs/brianmadden/archive/2008/11/17/What-does-Microsoft-Azure-have-to-do-with-us_3F00_-Hint_3A00_-not-much-today_2E00_.aspx

Or Hoff's here:
http://rationalsecurity.typepad.com/blog/2008/10/when-clouds-encircle-islands-things-get-foggy.html


I am going to do some more digging, but it appears that the answer to question 2 may be, "Not yet!"

Friday, 14 November 2008

November 2008, Microsoft Patch Tuesday

ChangeBASE have announced their findings of Microsoft's Patch Tuesday update of November, 2008. There were two patch releases this week (MS08-068 and MS08-069) and one last week (MS08-067).

MS08-067 and MS08-068 were critical releases as they addressed potentially serious security issues. However from an application compatibility perspective they will have minimal impact on an organisation's application portfolio. This comes as good news for enterprises as it gives them a month off the full testing cycle with patch updates. In recent months the impact of patches on applications has been significant and has required a huge amount of testing to ensure business critical applications continue to work.

From our discussions with larger companies their testing activity generally falls into one of three camps:

  • Light sample testing of a small number of business critical applications - This requires limited testing resource but leaves organisations vulnerable to application problems/failures
  • Medium testing - This takes significant resource and time but means that a wider portfolio of applications can be tested
  • Heavy testing - Many organisations do not have the resource to do this on a monthly basis and we have come across examples of corporates who only release new patches to their live environment twice a year as a result of this. The plus side of this approach is that applications are likely to be unaffected by the patch updates. The downside is that critical patches are not deployed, leaving organisations vulnerable to, for example, security breaches

ChangeBASE AOK Patch Impact Monitor identifies in minutes applications that are affected by new Microsoft releases and provides detailed information on potential compatibility issues. This can cut the testing time down to the point that heavy testing can be done on a greater number of applications in a short period of time.

Thankfully November should be a quiet time for testing as the new patches will have minimal impact on an organisation's applications.

Testing Summary

MS08-068: Marginal impact with low numbers of applications affected
MS08-069: Marginal impact with low numbers of applications affected

| Patch Name | Total Issues | % of apps Affected | Reboot | Rating | RAG |
| --- | --- | --- | --- | --- | --- |
| MS08-067 | <1% | <1% | YES | C | No Issue |
| MS08-068 | <1% | <1% | YES | C | No Issue |
| MS08-069 | <1% | <1% | YES | I | No Issue |

Legend:
No Issue: No Issues Detected
Fixable: Potentially fixable application Impact
Serious: Serious Compatibility Issue

M = Moderate 
I = Important 
C = Critical 

c. 800 applications were tested against these patches using the ChangeBASE ACL (Application Compatibility Lab) 

Security Update Detailed Summary
MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Description: This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.
Payload: Netapi.dll
Impact: Remote Code Execution

MS08-068: Vulnerability in SMB Could Allow Remote Code Execution (957097)
Description: This security update resolves a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Mrxsmb.sys
Impact: Information Disclosure

MS08-069: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)
Description: This security update resolves several vulnerabilities in Microsoft XML Core Services. The most severe vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Msxml5.dll
Impact: Remote Code Execution

Friday, 7 November 2008

Windows 7 - the Quality Gates are open


For all you appcompat hacks out there, there is a new bible; Microsoft's Windows Application Quality Cookbook: A Developer’s Guide to Application Compatibility, Reliability, and Performance has been released and contains a really good overview of what may cause your applications to fail when deployed to Windows 7 (the prettier, slightly faster version of Vista).

 

The Word document can be found here;

 

http://code.msdn.microsoft.com/Windows7AppQuality/Release/ProjectReleases.aspx?ReleaseId=1734

 

There are a couple of things I found intriguing about this "Compatibility Cookbook". The first is the location. It currently resides under the code sample area of the developer support site for Microsoft (MSDN).  Whereas the current "production" version of the Vista compatibility cookbook resides under a "proper" download destination and can be found here;

 

http://www.microsoft.com/downloads/details.aspx?FamilyId=69C63073-FE3F-47C3-BAA5-B37943AFE227

 

The next thing I found interesting about the Windows 7 compatibility cookbook was that it listed the potential compatibility issues in order of severity (i.e. their potential impact) and their likelihood of occurring (probability). Reading from this document, it looks like the biggest, most likely challenges for getting applications working on Windows 7 will include;

 

  • Internet Explorer 8—User Agent String
  • Internet Explorer 8—Data Execution Protection/NX
  • Removal of Windows Mail
  • Microsoft Message Queuing (MSMQ)—Removal of Windows 2000 Client Support Service
  • Compatibility—Operating System Versioning

 

For those of us in the dirtiest of trades (getting applications to work), we better get ready to sharpen our IE8 compatibility knives. With more and more cloud-based applications on the horizon, there may be carnage.

 

Wednesday, 5 November 2008

Security: Apps are the new OS

 

Earlier this week Microsoft released their bi-annual Security Intelligence Report on security trends and detection rates across the industry for operating systems and applications. This report focuses on industry data and trends for the past six months on malware data, software vulnerability disclosure data and vulnerability exploit data.

 

The full report is enormous at 150 pages, while the key findings summary document is very digestible and makes incredible reading.  From the following key results; it appears that at least from Microsoft's view of the world, the security landscape is changing;

 

  • The total number of unique vulnerability disclosures across the industry decreased in 1H08, down 4 percent from 2H07 and down 19 percent from 1H07.
  • Vulnerability disclosures in Microsoft software in 1H08 continued a multi-period downward trend, both in terms of all disclosures and relative to total industry disclosures.
  • Vulnerabilities rated as High severity increased 13 percent over 2H07.
  • The percentage of disclosed vulnerabilities rated as Low complexity (and therefore easiest to exploit) increased, with 56 percent receiving a complexity rating of Low.
  • The proportion of vulnerabilities disclosed in operating systems continues to decline; more than 90 percent of vulnerabilities disclosed in 1H08 affected applications, rather than operating systems.

 

Initially the data seems a little contradictory. Overall, vulnerability disclosures are moderately lower than last year and much lower than 2007. However, the number of vulnerabilities rated as HIGH and easy to exploit increased from both 2008 and 2007. This means that there are fewer exposed security holes in the OS, but there are more serious, more virulent and more dangerous security exploits that are easier for people to deploy in web pages and applications in 2008 than in 2007.

 

Simply put, your OS is more secure, but the world (the internet) is a more dangerous place.

 

That said, you have to be a little careful here, as this report does read a little like an advertisement for Vista and the reported security vulnerabilities for Vista (especially 64-bit) are much lower than for XP. Quoting from this document;

 

  • The infection rate of Windows Vista SP1 is 48.8 percent less than that of Windows XP SP3.
  • Windows Vista is 56.2 percent less than that of Windows XP SP2.

 

These are big numbers, but I still think that this is not the REAL story here.  Reading through this large document, you find that  the number of security vulnerabilities has increased for 3rd party applications, not the Operating  System.  The report suggests that a staggering 90% of security vulnerabilities are related to applications. If this is true, then Microsoft has a very powerful story here; our OS is secure, but your applications are not.

 

In terms of security nightmares, your applications may be the new Windows 98.

 

The full report and the key findings summary can be found here;

 

http://www.microsoft.com/downloads/details.aspx?FamilyId=B2984562-47A2-48FF-890C-EDBEB8A0764C&displaylang=en

 

And, the archive and collection of previous Security Intelligence reports can be found here; http://www.microsoft.com/sir


 

 

Tuesday, 28 October 2008

Feature Leak - Oh, call a Plumber

OK, it's a big week - loads going on, what with the PDC in Los Angeles and Vista SP2 now in my greedy little hands. We are now getting a turn at the fire-hose  for two major technologies that are going to keep us duly entertained for the next twenty-four months or so; Windows 7 and Azure, the Windows Cloud computing initiative.

 

Just a quick recap of some of the features that have been released today (and that I will be investigating over the next few months) ;

 

  1.  The ability to encrypt USB devices
  2. More control over User Account Control (UAC)
  3. Web-slicing
  4. Search Federation (meaning enterprise ready search)
  5. Branch Office caching

 

 

With all this stuff coming along, why all of the press "leaks"... We are getting pre-release copies of Vista SP2 via the Windows updates site;

 

http://download.windowsupdate.com/msdownload/update/software/svpk/2008/10/prereqtool_033b26b3dbcf60aa698669cafe328b9c902e02a6.exe

 

And the Windows 2008 update (will this be R2?);

 

http://download.windowsupdate.com/msdownload/update/software/svpk/2008/10/prereqtool_033b26b3dbcf60aa698669cafe328b9c902e02a6.exe

 

And it looks like Paul Thurrott with his super-site blog (highly readable stuff) is getting into the act as well with;

http://community.winsupersite.com/blogs/paul/archive/2008/10/27/pdc-2008-windows-7-m3-pre-beta-features-leak.aspx

Thursday, 23 October 2008

PDC 2008 - Windows 7 in the wings

I may or may not be able to attend the Microsoft PDC conference next week - my schedule right now is pretty hectic. I wonder about when I get really, really busy. I think to myself, "Am I just badly organized, or is this just a normal reaction to a huge work-load?" My life coach and a good friend, Chris, would admonish me and say, "you should try not to book back-to-back meetings." My reply, "ALL my meetings are back to back". That said, the invite to the PDC is on Microsoft's coin and I will really try to make it there.

From the pre-conference briefings and the M$ internal updates I have received (which incidentally have been incredibly well-presented, polished and very entertaining - well done guys)  we are going to see a lot about Windows 7 (the next version of Vista) and Strata.  Strata refers to Microsoft's "cloud" based operating system - or service. I am not quite sure - but it sure sounds interesting.

I am also getting the feeling that Windows 7 may ship on schedule. I have seen a build now and it looks really good. I can't provide much more detail due to my NDA with Microsoft but it looks like Vista with some really cool UI tweaks. Also, judging by the presentations I have received, it looks like application compatibility is going to be a big topic for Windows 7 and a major focus for Microsoft.


Monday, 20 October 2008

All aboard the Cycle Bus

A friend of mine was relaying a story about a cycle bus. He is part of the "two pedals better" troupe and was waxing enthusiastically about the idea of a bus with pedals in front of every seat. And, to get the bus moving, everyone had to pedal. This idea has some "green" merits in today's oil parched new world order - but, I thought this is great during rush hour with loads of legs to get the bus moving but would really suck for those people who lived near the end of the line.  And, would old women look so pleased when young men jumped up from their seats (and their labors)  to offer these poor, old dears something to sit on.

This idea got me thinking about shared transport and shared effort and as a consequence of some really bad "Googling" I discovered some features in Vista that go back to XP that I was completely unaware of.

Vista supports peer-to-peer communication through the advanced Peer Name Resolution Protocol (PNRPv2)!

 In fact, going back a few years now, Windows XP supported peer-to-peer communications with the Advanced Networking Pack. Couple this functionality with the Microsoft Background Intelligent Transfer Service (BITS) and you have the making of an offline caching service. Just think, instead of copying everything to a central server, you could share out part of your hard-drive and let other people access your local cache. Or use your browsing history as a local web cache for band-width poor branch offices.

Following on from that, I understand there were a few features based on these peer-to-peer ideas that did not make it into the final release of Windows Vista. Notably the project code-named "Castle" which would combine peer-to-peer transports with domain level authentication.

And, it appears that this feature may be resurrected in Windows 7 with the new Home Group functionality. 





References:

 Peer Name Resolution Protocol (PNRPv2)

Wednesday, 15 October 2008

Microsoft Patch Tuesday: October 14 2008




Executive Summary - Massive breadth/depth of changes.
Microsoft's October "Patch Tuesday" Security Update brings us a massive wave of patches with 6 Critical, 4 Important and 1 Moderate update. These are significant updates with one patch (MS08-057) updating more than 50 core files and most of the patches updating key system files, therefore requiring system restarts. The good news is that only one of the patches has wide scale issues for application compatibility. The major concern for this October release is the Internet Explorer Update MS08-058. As in the case with the September updates, updating Internet Explorer components affects a large number of applications in our test portfolio for all Windows desktop/server operating systems including XP and VISTA. Again as in September it is likely that some applications will have performance issues as a result of this update. Here is a sample snippet from the AOK Workbench report on one application. 

This example illustrates how the JAVA application package includes file level dependencies that have been updated by the MS08-085 Security Update 



These three items are critical dependencies with Java. If you have a Java application that uses the IE7 internet control you will need to thoroughly test this application. 

Examples of other applications affected include Oracle 9, several HP printer drivers and some IBM AS400 client access tools. 

We recommend organisations test their key applications affected by this patch before deploying the update and look carefully at the small number of applications affected more widely by these updates. 

Vendors supplying applications in widespread use should have the resource to quickly resolve any issues identified and are likely to have more resilience in their code to minimize problems with MS08-057. In house developed applications are likely to be more at risk. Without a product like AOK it can take days per application to identify the code affected by these patches. Many corporates have 10% to 30% of their applications developed in house so this could run to hundreds or even thousands of individual packages that will need testing.

Corporates will be under extreme pressure to release these new patches to the live environment but proper testing can take months.
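
One way to shortlist applications for testing against MS08-058 is to see which running processes have the patched Internet Explorer components loaded. The PowerShell below is an added example, not code or output from AOK Workbench; the file names are the MS08-058 payload from this page's detailed summary, the function name is an assumption, and it only sees modules loaded at the moment it runs, so exercise each application first.

```powershell
# Added example: shortlist running applications that have MS08-058 payload files loaded.
# File names come from the MS08-058 payload list in this page's detailed summary.
$payload = @(
    'Iecustom.dll','Browseui.dll','Cdfview.dll','Danim.dll','Dxtmsft.dll','Dxtrans.dll',
    'Iepeers.dll','Inseng.dll','Jsproxy.dll','Mshtml.dll','Msrating.dll','Mstime.dll',
    'Pngfilt.dll','Shdocvw.dll','Shlwapi.dll','Urlmon.dll','Wininet.dll'
)

# Get-PatchExposure is a hypothetical helper name used for this example.
function Get-PatchExposure {
    param([string[]]$PayloadFiles)

    foreach ($proc in Get-Process) {
        # Protected and system processes refuse module enumeration; skip them.
        try   { $modules = @($proc.Modules) }
        catch { continue }

        # -contains compares strings case-insensitively, so mshtml.dll matches Mshtml.dll.
        $hits = $modules | Where-Object { $PayloadFiles -contains $_.ModuleName }
        if (-not $hits) { continue }

        [pscustomobject]@{
            Process  = $proc.ProcessName
            Id       = $proc.Id
            Path     = $proc.Path
            HitCount = @($hits).Count
            # Record file versions so the same run after patching shows what changed.
            Modules  = ($hits | ForEach-Object {
                           '{0} {1}' -f $_.ModuleName, $_.FileVersionInfo.FileVersion
                       } | Sort-Object -Unique) -join '; '
        }
    }
}

# Common libraries such as Shlwapi.dll are loaded almost everywhere, so sort by
# hit count: processes hosting the browser control rise to the top.
Get-PatchExposure -PayloadFiles $payload |
    Sort-Object HitCount -Descending |
    Format-Table Process, Id, HitCount, Modules -AutoSize -Wrap
```

Run it once before and once after installing the update on a test machine; the version strings in the Modules column show which loaded components the patch replaced.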

Testing Summary
  • MS08-56: Marginal impact with low numbers of applications affected
  • MS08-57: Marginal impact with low numbers of applications affected
  • MS08-58: High impact with significant numbers of applications affected
  • MS08-59: Marginal impact with low numbers of applications affected
  • MS08-60: Marginal impact with low numbers of applications affected
  • MS08-61: Medium impact with low numbers of applications affected
  • MS08-62: Medium impact with low numbers of applications affected
  • MS08-63: Medium impact with low numbers of applications affected
  • MS08-64: Medium impact with low numbers of applications affected
  • MS08-65: Marginal impact with low numbers of applications affected
  • MS08-66: Medium impact with low numbers of applications affected

Patch Name                              Total Issues   % of Apps Affected   Reboot   Rating   RAG
Microsoft Security Bulletin MS08-056    <1%            <1%                  YES      M        No Issue
Microsoft Security Bulletin MS08-057    <1%            <1%                  YES      C        No Issue
Microsoft Security Bulletin MS08-058    1130           33%                  YES      C        Serious
Microsoft Security Bulletin MS08-059    <1%            <1%                  NO       C        No Issue
Microsoft Security Bulletin MS08-060    <1%            <1%                  YES      C        No Issue
Microsoft Security Bulletin MS08-061    146            <1%                  YES      I        Fixable
Microsoft Security Bulletin MS08-062    136            <1%                  NO       I        Fixable
Microsoft Security Bulletin MS08-063    131            <1%                  YES      I        Fixable
Microsoft Security Bulletin MS08-064    197            1%                   YES      I        Fixable
Microsoft Security Bulletin MS08-065    <1%            <1%                  YES      I        No Issue
Microsoft Security Bulletin MS08-066    127            <1%                  YES      I        Fixable

Legend: 
No Issue: No Issues Detected
Fixable: Potentially fixable application Impact
Serious: Serious Compatibility Issue

M = Moderate 
I = Important 
C = Critical 

So in the example of MS08-061 we found only 8 of the c. 800 applications in our sample were affected. However a number of these have widespread dependencies. One example being Microsoft Digital Image version 9 where there were 38 separate recorded dependencies in this application affected by this patch.

c. 800 applications were tested against these patches using the ChangeBASE ACL (Application Compatibility Lab) 

Security Update Detailed Summary
MS08-056: Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)
Description: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow information disclosure if a user clicks a specially crafted CDO URL. An attacker who successfully exploited this vulnerability could inject a client-side script in the user's browser that could spoof content, disclose information, or take any action that the user could take on the affected Web site.
Payload: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\cdo
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CDO
HKEY_CLASSES_ROOT\PROTOCOLS\Handler\cdo
Impact: Information Disclosure

MS08-057: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)
Description: This security update resolves three privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Nosxs_mfc80cht.dll, Nosxs_mfc80deu.dll, Nosxs_mfc80enu.dll, Nosxs_mfc80esp.dll,
Nosxs_mfc80fra.dll, Nosxs_mfc80ita.dll, Nosxs_mfc80jpn.dll, Nosxs_mfc80kor.dll, Nosxs_mfc80u.dll,
Nosxs_mfcm80.dll, Nosxs_mfcm80u.dll, Nosxs_msvcm80.dll, Nosxs_msvcp80.dll, Nosxs_msvcr80.dll,
Sql90.xsl, Ul_atl80.dll, Ul_mfc80.dll, Ul_mfc80chs.dll, Ul_mfc80cht.dll,
Ul_mfc80deu.dll, Ul_mfc80enu.dll, Ul_mfc80esp.dll, Ul_mfc80fra.dll, Ul_mfc80ita.dll, Ul_mfc80jpn.dll,
Ul_mfc80kor.dll, Ul_mfc80u.dll, Ul_mfcm80.dll, Ul_mfcm80u.dll, Ul_msvcm80.dll, Ul_msvcp80.dll,
Ul_msvcr80.dll, Xlcall32.dll, Xlsrv.dll, Xlsrv.webservices.api.dll, Xmlrw.dll, Xmlrwbin.dll,
Msmdlocal.dll, Msmdlocal.dll, Msmgdsrv.dll, Msmgdsrv.dll, Msolap90.dll, Msolap90.dll, Msolui90.dll,
Msolui90.dll, Msvcm80.dll, Msvcp80.dll, Msvcr80.dll, Sql90.xsl, Sql90.xsl
Impact: Remote Code Execution

MS08-058: Cumulative Security Update for Internet Explorer (956390)
Description: This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability. The vulnerabilities could allow information disclosure or remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Iecustom.dll, Browseui.dll, Cdfview.dll, Danim.dll, Dxtmsft.dll, Dxtrans.dll, Iepeers.dll, Inseng.dll,
Jsproxy.dll, Mshtml.dll, Msrating.dll, Mstime.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Urlmon.dll,
Wininet.dll, Browseui.dll, Cdfview.dll, Danim.dll, Dxtmsft.dll, Dxtrans.dll, Iepeers.dll, Inseng.dll,
Jsproxy.dll, Mshtml.dll, Msrating.dll, Mstime.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Urlmon.dll,
Wininet.dll, Iecustom.dll
Impact: Remote Code Execution

MS08-059: Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)
Description: This security update resolves a privately reported vulnerability in Microsoft Host Integration Server. The vulnerability could allow remote code execution if an attacker sent a specially crafted Remote Procedure Call (RPC) request to an affected system. Customers who follow best practices and configure the SNA RPC service account to have fewer user rights on the system could be less impacted than customers who configure the SNA RPC service account to have administrative user rights.
Payload: Hisservicelib.dll
Rpcdetct.dll
Snarpcsv.exe
Impact: Remote Code Execution

MS08-060: Vulnerability in Active Directory Could Allow Remote Code Execution (957280)
Description: This security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server. The vulnerability could allow remote code execution if an attacker gains access to an affected network. This vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers. If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability.
Payload: Ntdsa.dll
Sp3res.dll
Impact: Remote Code Execution

MS08-061: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)
Description: This security update resolves one publicly disclosed and two privately reported vulnerabilities in the Windows kernel. A local attacker who successfully exploited these vulnerabilities could take complete control of an affected system. The vulnerabilities could not be exploited remotely or by anonymous users.
Payload: Win32k.sys
W32ksign.dll
Gdi32.dll
Wgdi32.dll
Impact: Elevation of Privilege

MS08-062: Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)
Description: This update resolves a privately reported vulnerability in the Windows Internet Printing Service that could allow remote code execution in the context of the current user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Msw3prt.dll
Win32spl.dll
Printcom.dll
Impact: Remote Code Execution

MS08-063: Vulnerability in SMB Could Allow Remote Code Execution (957095)
Description: This security update resolves a privately reported vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on a server that is sharing files or folders. An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights.
Payload: Srv.sys
Impact: Remote Code Execution

MS08-064: Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)
Description: This security update resolves a privately reported vulnerability in Virtual Address Descriptor. The vulnerability could allow elevation of privilege if a user runs a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could gain elevation of privilege on an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
Payload: Ntkrnlmp.exe
Ntkrnlpa.exe
Ntkrpamp.exe
Ntoskrnl.exe
Hal.dll
Impact: Elevation of Privilege

MS08-065: Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)
Description: This security update resolves a privately reported vulnerability in the Message Queuing Service (MSMQ) on Microsoft Windows 2000 systems. The vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled.
Payload: Mq1repl.dll, Mq1sync.exe, Mqac.sys, Mqads.dll, Mqbkup.exe, Mqcertui.dll, Mqclus.dll, Mqdbodbc.dll,
Mqdscli.dll, Mqdssrv.dll, Mqlogmgr.dll, Mqmig.exe, Mqmigrat.dll, Mqoa.dll, Mqperf.dll, Mqqm.dll,
Mqrperf.dll, Mqrt.dll, Mqsec.dll, Mqsnap.dll, Mqsvc.exe, Mqupgrd.dll, Mqutil.dll, Msmq.cpl, Msmqocm.dll
Impact: Remote Code Execution

MS08-066: Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)
Description: This security update resolves a privately reported vulnerability in the Microsoft Ancillary Function Driver. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Payload: Afd.sys
Impact: Elevation of Privilege

Monday, 13 October 2008

Bit MUI LIP

I was asked by a client today what the difference is between a Microsoft MUI and a LIP. And, more importantly, "what were the application compatibility consequences of multi-language support?"

 

I thought I knew what a MUI was - the language and resource layer that you could add onto Windows XP and Server 2003 to fully support languages such as French, German and Spanish.  I remember these resource packs well as when they initially appeared in my MSDN Select CD binder - I thought that they were a god-send. After spending nearly a year on getting Windows 2K to (properly) support Chinese (all three types including Big5) and Japanese (hiragana, katakana and Kanji) through 3rd party software such as Twin Bridge's IME, I was ready for anything.

 

And, in Microsoft's own words, the MUI is defined as,

 

"Multilingual User Interface Pack is a set of language specific resource files that can be added to the English version of Windows Professional. When installed on the English version of Windows, MUI allows the user interface language of the operating system to be changed according to the preferences of individual users to one of the 33 supported languages".

 

 

OK, sounds pretty clear… Now, what is this LIP stuff?

 

Again, referencing TechNet, "Microsoft Windows XP Professional Language Interface Pack (LIP) is a high-quality, localized "skin" for emerging or minority language markets, such as Catalan, Lithuanian, and Thai."

 

And, what is the difference between a MUI pack and a LIP installation? Get ready as,

 

"The main difference is in the level of localization in comparison to MUI packages: LIP packages provide the desktop user with an approximately 80% localized user experience. In addition, LIP doesn't allow users to switch languages. Once a LIP is installed, all users using that machine will have the same User Interface (UI) language. "

 

So, in summary it looks like the MUI is a "switchable" comprehensive interface while the LIP is an 80% permanent installation.

 

 

References:

 

Windows XP Multi-lingual User Interface (MUI) FAQ's

http://www.microsoft.com/globaldev/DrIntl/faqs/MUIFaq.mspx#MUIques15

 

Application Compatibility and the Microsoft MUI

http://www.microsoft.com/globaldev/handson/dev/AppCompatInMUI.mspx

 

Microsoft LIP Frequently Asked Questions

http://www.microsoft.com/globaldev/DrIntl/faqs/lipfaq.mspx

Friday, 10 October 2008

Whose OS is it anyway?

I've got a question burning away in my mind - and I am not sure if I am right to ask it. I feel that, at the very core of Microsoft Vista and Windows Server 2008 rages a battle of hearts and minds over a possibly forgotten but all-encompassing issue.

The question that begs for a reply is; "Whose operating system is it anyway?"

My focus is getting applications to work and the engineering effort required to deploy, install and manage thousands of applications on large heterogeneous networks. I have encountered and overcome numerous challenges including;
  • User Account Control (UAC)
  • Application Compatibility 
  • Security Restrictions

And now, I seem to face my greatest hurdle of them all; the mother of all technical challenges: Windows Resource Protection.

In Microsoft's own words; "Windows Resource Protection (WRP) prevents the replacement of essential system files, folders, and registry keys that are installed as part of Windows Server 2008 and Windows Vista."

Simply put; there is a system in place to ensure that you can not over-write either files or registry settings that the OS (Vista or Windows Server 2008) requires to function. In fact, most DLL's and executables within the Windows directory (the main OS directory) are protected under Windows Resource Protection (WRP) - meaning, that for most system files, you simply can not change or update these files or settings.

The principle of this system is pretty benign - keep the OS working. This increases stability, reduces support calls and generally makes most people happy. The challenges begin when you need to update the OS for your own dark-hearted, nefarious purposes. Such as, to get an application to work….

Under Windows XP and Server 2003, there was a system called System File Protection (SFP) that relied on a cache (local copy) of "good DLL's". In the event that a key OS system file was updated, the system would check the file version against this known list and replace the new file with the file taken from the local cache. This was a moderately successful security system with easy work-arounds.

HINT: stop the SFP service, update the local cache, update the target file in the system directory, restart the SFP service.

With Vista, there are a number of "approved" methods (Supported Resource Replacement Mechanisms) including;
  • Windows Service Packs installed by TrustedInstaller.
  • Hotfixes installed by TrustedInstaller.
  • Operating system upgrades installed by TrustedInstaller.
  • Windows Update installed by TrustedInstaller.
The Vista/Server 2008 WRP uses local security settings to restrict access to these protected files and settings - only allowing access to the TrustedInstaller module.
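
The access restriction described above is visible in each protected file's owner and ACL. The PowerShell below is an added example (not from Microsoft's documentation or the original post) that audits a folder for files that are not owned by TrustedInstaller or that grant write-type rights to any other account; the function name and default path are assumptions, and third-party files in System32 are expected to appear in the output.

```powershell
# Added example: audit files for the ownership/ACL pattern that WRP relies on.
# Assumes the account name resolves as shown (it does on English-language systems).
$TrustedInstaller = 'NT SERVICE\TrustedInstaller'

# Write-type rights only. Modify and FullControl also contain read bits, so they are
# not used in the mask. The two hex values are GENERIC_ALL and GENERIC_WRITE.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

# Test-WrpStyleAcl is a hypothetical helper name used for this example.
function Test-WrpStyleAcl {
    param(
        [string]$Path   = "$env:windir\System32",
        [string]$Filter = '*.dll'
    )

    Get-ChildItem -Path $Path -Filter $Filter -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try   { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop }
        catch { return }   # ACL not readable: skip this file

        # Accounts other than TrustedInstaller that are allowed any write-type right.
        $writers = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -ne $TrustedInstaller -and
            ([int]$_.FileSystemRights -band $writeBits) -ne 0
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        $ownerOk = $acl.Owner -eq $TrustedInstaller
        if ($ownerOk -and -not $writers) { return }   # matches the WRP pattern

        # Anything emitted here deviates from the pattern and deserves a look.
        [pscustomobject]@{
            File         = $file.Name
            Owner        = $acl.Owner
            OtherWriters = $writers -join ', '
        }
    }
}

Test-WrpStyleAcl | Format-Table -AutoSize -Wrap
```

A file that Windows itself installed but that shows up here, with a different owner or an extra writer, has had its protection changed and is worth checking with the built-in `sfc /verifyonly` scan.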

This makes things particularly difficult if you need to update a file on the OS - only Microsoft is allowed to touch these areas. My primary complaint is this; There should be a mechanism for system administrators to update the OS.

At present, I can not generate Windows Service Packs, customize Hotfixes or create my own Operating System upgrades. This is primarily due to restricted API's and Microsoft's freely acknowledged lack of documentation.

So this begs the question, "If I can't change it, who can?" And, if the answer is a certain software behemoth, I plan to raise a merry stink about this….


References:
About Windows Resource Protection
http://msdn.microsoft.com/en-us/library/aa382503(VS.85).aspx


Supported Resource Replacement Mechanisms
http://msdn.microsoft.com/en-us/library/aa382540(VS.85).aspx

Wednesday, 8 October 2008

SoftGrid (MAV): A Reboot Rebuttal

Vindication, sweet vindication. I have a theory that the amount of satisfaction one receives from finally being proved right on a particular issue is proportional to the amount of time it takes for everyone to come around to your way of thinking. But, in this case, it took so long, that I have (almost) lost interest.

The issue at hand relates to Microsoft Application Virtualization (MAV and formerly SoftGrid) and the sequencing process.

Last year (yes, I can actually remember things from last year) a number of our clients raised an issue with the SoftGrid sequencing process if a reboot was required mid-way through the application installation. Our team conducted some initial analysis and found that beyond the SoftGrid sequencer crashing (quite often) as a result of an application mid-installation reboot, some registry settings and files would get missed. This meant that the resulting sequenced SoftGrid package would generally not work - and you would either have to try-try-try again or possibly decide not to virtualize that particular application.

So, our company (ChangeBase) added a "Sequencer Reboot Check" to our collection of virtualization Plugins. This allowed us to proactively determine if an application was likely to require a reboot prior to starting the Sequencing process. The reporting process worked great - our clients were happy as they were getting good intelligence on applications that needed special attention for sequencing.

However, some of the people at Microsoft were not so pleased. The official view of reboot issues during the sequencing process was that "it doesn't happen, there are no reboot issues or problems when sequencing an application". This was not just denial at the official level - but a lot of the technical people clearly thought that we were just making things up.

So, I was kind of pleased when I saw this blog posting today on the MAV team site;

Sequencing applications that require a reboot
http://blogs.technet.com/softgrid/archive/2008/10/08/sequencing-applications-that-require-a-reboot.aspx

The Best Practices for sequencing applications from the MAV team can be found here:
http://blogs.technet.com/softgrid/archive/2007/07/12/sequencing-best-practices.aspx

Rebooting during the SoftGrid sequencing process is now recognized as an issue - and, now we even have some great advice from the MAV team. Good Stuff!

Monday, 6 October 2008

Why wait for Windows 7?

 I was reading a blog today that referenced a Corporate IT report that indicated that;

  • 4% of companies currently use Vista versus  58% using XP
  • 7% of companies are using Windows 2000 (hopefully SP4)
  • 35% of companies are not interested in Vista
  • 30% were investigating Windows 7


I have a healthy distrust of these kinds of reports due to potential reporting bias and other self-reporting errors. This was a relatively small study of 43 companies. Still, these numbers broadly support Microsoft's view that 6%  are currently using Vista. Apologies for quoting this figure, as I can not back it up with a link to a graph or website as this is  anecdotal information gleaned from my dealing with Microsoft UK and their US counterparts.

The last figure quoted relates to those companies that are investigating Windows 7. What does this mean? And, more importantly what are they investigating? With what hard data or technical specs.?  My 11th grade used the phrase "marked paucity" when describing my limited ability to accurately represent a series of events, in chronological order, with a pen and paper. And so, I use this term to describe the REAL data about Windows 7.

There are few facts about Windows 7 that are readily available to the public - but one thing seems pretty apparent. Microsoft has made a huge investment in the Windows Vista (6) core or Kernel and will not be throwing it away too quickly. Windows 7 will be based on the Vista and Windows 2008 Server core.

If you are weighing up the challenges with migrating to Vista now, then Windows 7 may have more features but it may have a number of similar challenges found in Vista including;
  • Driver Support
  • Legacy Application components compatibility issues
  • Security Restrictions
  • Removal of 16-bit application support
My advice is to start planning for Vista now, and if Windows 7 is shipped on time (probably 2010) then your hard-work getting your portfolio and environment into shape will pay off quickly.