Friday 20 February 2009

A new compatibility layer: Application Platforms

I get to chat about application compatibility issues and patch impact issues quite a bit. But one of the things that I have been asked to investigate more frequently these days is the application platform stack and the virtualization stack.

 

By application stack, I am referring to what others might have called Middleware in the past. The reason for the new name is that instead of simple application level integration or dependencies, the Application  Platform is the foundation and the "vehicle" for the delivering the application experience to user. 


To contrast middleware against the Application platform, I use the following examples;

 

  • Crystal Reports is middleware
  • Oracle and Sybase are middleware
  • Microsoft Internet Information Server (IIS) is an application platform
  • .NET is an application platform

 

You may disagree with this example but the basic premise is that the Application Platform can cause two classes of application compatibility issues;

 

  • Breaking dependency changes
  • Breaking "delivery" changes

 

Breaking Dependency changes include things like;

 

  • Deprecated API's (function calls are no longer supported)
  • Removed Functionality or Features (that pivot chart function is no longer accessible
  • Increased Security restrictions (you now need elevated permissions)

 

Whereas breaking Application Platform changes can result form all of the above issues and also include some of the following;

 

  • Breaking changes to delivery protocols (no more Citrix support for RSTP)
  • Application delivery security restrictions (your controls now need to be signed on IIS 7)

 

The difference may seem minor but this new view of things has opened up my eyes to new potential compatibility issues with;

 

  • Microsoft Internet Information Server (IIS)
  • Microsoft IE7/8 (on Windows 7)
  • Office 2007

 

And, hence the need to start to identify issues not just with Vista or Windows 7; but to view the complete picture of compatibility  that includes;

 

  • Base Platform compatibility
  • Application-level conflicts
  • User-end Security restrictions
  • Delivery-end Security restrictions (server and streaming limitations)
  • Middleware Dependencies
  • Application Platform issues
  • Virtualization limitations

 

And you thought getting applications to work was easy!

 

Wednesday 18 February 2009

MS09-003 Updated

    Just a quick note as it appears that the recent Microsoft Security update MS09-003 has been updated. 

     

    This patch was rated as critical.  The Microsoft  update briefing has the following information on the change to this patch;

     

    "Reason for Revision: V2.0 (February 16, 2009): Added the Microsoft Exchange Server MAPI Client as affected software. Also, added several entries to the section, Frequently Asked Questions (FAQ) Related to This Security Update, relating to updating the MAPI Client and the Exchange System Management tools. ."

     

    Just in case you missed the original bulletin information. Here us a re-post;

     

    MS09-003

    Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)

    Description

    This security update resolves two privately reported vulnerabilities in Microsoft Exchange Server. The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.

    Payload

    Cdo.dll, Emsmdb32.dll, Emsmta.exe, Exhotfixuninst.dll, Exspmsg.dll, Mapi32.dll, Mdbmsg.dll, Store.exe, Exhotfix.cdd

    Impact

    Remote Code Execution

     

     

    And, it looks like a sample of the application packages that contained elements from the security update MS09-003 included;

     

    • ALPS Touch Pad Driver
    • CardScan
    • Microsoft Office XP Professional
    • Microsoft SQL Server Native Client
    • Realtek High Definition Audio Driver

     

    Hope this update does not affect anyone.

     

     

MSI 5 Comes to town

There is a new game in town for us "application installation" guys.  When Microsoft released Vista we got to play with a new version of MSI installer (version 4.0). And with the release of Windows 7, we get to play with release 5.0 of the "Trusted Installer" MSI Installer.

 

At first I was a little surprised that we were going to see a full version change to (from 4.5 to 5). This thinking was based on a slightly prejudiced notion that Windows 7 is not really a full version upgrade from Vista. More specifically, from the knowledge that I have about the Windows 7 kernel changes with respect to Vista - I was thinking that Windows 7 should actually be called Windows 6.5 and the MSI Installer update should be called 4.8. Or something like that.

 

However, on further thought, I was wrong.

 

Have a look at Microsoft's upgrade schedule for the past 5 major release of Windows (found here:) http://msdn.microsoft.com/en-us/library/aa371185(VS.85).aspx

 

There has been four updates to the MSI Installer in the past two years; two major upgrades with Service Packs and two minor updates (including the redistributable updates).

 

And to be fair, there is enough changes to Windows 7 now to warrant a new, full version update. It was a learning curve for me - and a somewhat humbling experience - as I have now begun my journey discovering ALL of the massive number of changes and improvements on Vista.

 

So, here we go; version 5 of Windows Installer.

 

You can find the release information here: http://msdn.microsoft.com/en-us/library/dd408114(VS.85).aspx

 

You can only get the MSI Installer update by installing Windows 7. And due to the fact that the changes to MSI Installer only relate to Windows 7, there are currently no plans to back-port MSI Installer 5 to support Vista, nor to create a redistributable for support for any operating systems prior to Windows 7.

 

There is a curious new feature included with MSI 5; the Per-User-Application or PUA. As stated by the Microsoft MSDN documentation;

 

"Setup developers can use Windows Installer 5.0 to author a single installation package capable of either per-machine installation or per-user installation of the application. "

 

And

 

"An application capable of being installed, updated, run, and removed by a standard user without elevation is called a Per-User Application (PUA.)"

 

You can find out more about the new PUA here: http://msdn.microsoft.com/en-us/library/dd408068(VS.85).aspx

 

And, for you Installer heads out here... There are five new Internal Consistency Evaluator (ICE )checks for you to enjoy...

 

  • ICE101        Checks that no value in the Feature column of the Feature table exceeds a maximum length of 38 characters.
  • ICE102        Validates the MsiServiceConfig and MsiServiceConfigFailureActions tables.
  • ICE103        Validates the MsiPrint and MsiLaunchApp control events.
  • ICE104        Verifies the MsiLockPermissionsEx and LockPermissions tables.
  • ICE105        Validates that the package has been authored to be installed in a per-user context.

 

The ICE error descriptions and definitions can be found here:  http://msdn.microsoft.com/en-us/library/aa369206(VS.85).aspx


Thursday 12 February 2009

Patch Tuesday - February 2009

This is a serious update from Microsoft for the February Security Update. This update includes two critical and two important updates - all of which require system restarts (both server and workstation platforms). The Microsoft Security Update MS09-002 should be treated with caution as a high proportion of applications in our portfolio had dependencies on these changes.

The message from the ChangeBASE team is that the Microsoft update MSO9-002 changes a large number of components and a very high proportion of applications are dependent on these changes. Organisations should seriously consider testing a good cross section of their application portfolio.

Testing SummaryMS09-002: Severe Impact (both Package level and dependencies) detected across portfolio
  • MS09-003: Marginal Impact (both Package level and dependencies) detected across portfolio

  • MS09-004: Moderate Impact (both Package level and dependencies) detected across portfolio

  • MS09-005: Moderate Impact (both Package level and dependencies) detected across portfolio







  • Patch NameTotal IssuesMatches
    Affected
    RebootRatingRAG
    Microsoft Security Bulletin MS09-002176291%YESCCritical
    Microsoft Security Bulletin MS08-00340<1%YESCCritical
    Microsoft Security Bulletin MS08-0042904<23%YESIImportant
    Microsoft Security Bulletin MS08-00553337%YESIImportant


    Legend: 

    M = Moderate 
    I = Important 
    C = Critical 
    No IssueNo Issues Detected
    FixablePotentially fixable application Impact
    SeriousSerious Compatibility Issue


    c. 800 applications were tested against these patches using the ChangeBASE ACL (Application Compatibility Lab)


    Security Update Detailed Summary
    MS09-002Cumulative Security Update for Internet Explorer (961260)
    DescriptionThis security update resolves two privately reported vulnerabilities. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update requires a restart.
    PayloadAdvpack.dll, Dxtmsft.dll, Dxtrans.dll, Extmgr.dll, Icardie.dll, Ie4uinit.exe, Ieakeng.dll, Ieaksie.dll, Ieakui.dll, Ieapfltr.dat, Ieapfltr.dll, Iedkcs32.dll, Ieframe.dll, Ieframe.dll.mui, Iernonce.dll, Iertutil.dll, Ieudinit.exe, Iexplore.exe, Inetcpl.cpl, Jsproxy.dll, Msfeeds.dll, Msfeedsbs.dll, Mshtml.dll, Mshtmled.dll, Msrating.dll, Mstime.dll, Occache.dll, Pngfilt.dll, Url.dll, Urlmon.dll, Webcheck.dll, Wininet.dll, Advpack.dll, Dxtmsft.dll, Dxtrans.dll, Extmgr.dll, Icardie.dll, Ie4uinit.exe, Ieakeng.dll, Ieaksie.dll, Ieakui.dll, Ieapfltr.dat, Ieapfltr.dll, Iedkcs32.dll, Ieframe.dll, Ieframe.dll.mui, Iernonce.dll, Iertutil.dll, Ieudinit.exe, Iexplore.exe, Inetcpl.cpl, Jsproxy.dll, Msfeeds.dll, Msfeedsbs.dll, Mshtml.dll, Mshtmled.dll, Msrating.dll, Mstime.dll, Occache.dll, Pngfilt.dll, Url.dll, Urlmon.dll, Webcheck.dll, Wininet.dll
    ImpactRemote Code Execution

    MS09-003Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)
    DescriptionThis security update resolves two privately reported vulnerabilities in Microsoft Exchange Server. The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.
    PayloadCdo.dll, Emsmdb32.dll, Emsmta.exe, Exhotfixuninst.dll, Exspmsg.dll, Mapi32.dll, Mdbmsg.dll, Store.exe, Exhotfix.cdd
    ImpactRemote Code Execution

    MS09-004Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420)
    DescriptionThis security update resolves a privately reported vulnerability in Microsoft SQL Server. The vulnerability could allow remote code execution if untrusted users access an affected system or if a SQL injection attack occurs to an affected system. Systems with SQL Server 7.0 Service Pack 4, SQL Server 2005 Service Pack 3, and SQL Server 2008 are not affected by this issue.
    PayloadAtl71.dll, Atxcore.dll, Atxcore.rll, Axscphst.dll, Axscphst.rll, Bcp.exe, Bcp.rll, Cldtcstp.exe, Cldtcstp.rll, Cmdwrap.exe, Cnfgsvr.exe, Cnvrem.dll, Cnvsvc.exe, Comnevnt.dll, Custtask.dll, Custtask.rll, Dbghelp.dll, Dbmslpcn.dll, Dbmslpcn.dll, Dbmsshrn.dll, Dbmsshrn.dll, Dbnetlib.dll, Dcomscm.exe, Distrib.exe, Dtcsetup.exe, Dtsffile.dll, Dtsffile.rll, Dtspkg.dll, Dtspkg.rll, Dtspump.dll, Dtspump.rll, Dtsrun.exe, Dtsrun.rll, Impprov.dll, Mergetxt.dll, Msdbi.dll, Msgprox.dll, Msvcp71.dll, Msvcr71.dll, Msxmlsql.dll, Msxmlsql.rll, Odbcbcp.dll, Odsole70.dll, Odsole70.rll, Opends60.dll, Osql.exe, Pfclnt80.dll, Pfclnt80.rll, Rdistcom.dll,Replagnt.dll, Repldist.dll, Repldp.dll, Repldsui.dll, Repldts.dll, Replerrx.dll, Replmerg.exe, Replprov.dll, Replprox.dll, Replrec.dll, Replres.rll, Replsub.dll, Replsync.dll, Rinitcom.dll, Scm.exe, Semmap.dll, Semmap.dll, Semmap.rll, Semmap.rll, Semnt.dll, Semnt.dll, Semnt.rll, Semnt.rll, Snapshot.exe, Spresolv.dll, Sqdedev.dll, Sqladevn.rll, Sqladhlp.exe, Sqlagent.dll, Sqlagent.exe, Sqlagent.rll, Sqlatxss.dll, Sqlatxss.rll, Sqlboot.dll, Sqlcmdss.dll, Sqlcmdss.rll, Sqlctr80.dll, Sqldata.dll, Sqldistx.dll, Sqldmo.dll, Sqldmo.rll, Sqlevn70.rll, Sqlimage.dll, Sqlinitx.dll, Sqlmaint.exe, Sqlmangr.exe, Sqlmangr.rll, Sqlmergx.dll, Sqlredis.exe, Sqlrepss.dll, Sqlrepss.rll, Sqlresld.dll, Sqlresld.dll, Sqlresld.dll, Sqlservr.exe, Sqlsnmp.dll, Sqlsort.dll, Sqlsrv32.dll, Sqlsrv32.rll, Sqlstbss.exe, Sqlstbss.rll, Sqlsvc.dll, Sqlsvc.dll, Sqlsvc.rll, Sqlsvc.rll, Sqlunirl.dll, Sqlvdi.dll, Ssmsad70.dll, Ssmslpcn.dll, Ssmsrp70.dll, Ssmssh70.dll, Ssmsvi70.dll, Ssnetlib.dll, Ssnmpn70.dll, Ssradd.dll, Ssravg.dll, Ssrdown.dll, Ssrmax.dll, Ssrmin.dll, Ssrpub.dll, Ssrup.dll, Svrnetcn.dll, Svrnetcn.exe, Svrnetcn.rll, Ums.dll, W95scm.dll, Xplog70.dll, Xplog70.rll, Xpqueue.dll, Xprepl.dll, Xpsqlbot.dll, Xpstar.dll, Xpstar.rll
    ImpactRemote Code Execution

    MS09-005Vulnerabilities in Microsoft Office Visio Could Allow Remote Code Execution (957634)
    DescriptionThis security update resolves three privately reported vulnerabilities in Microsoft Office Visio that could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
    PayloadDfdc.dll, Dwgcnvt.dll, Gdiplus.dll, Mso.dll, Umlc.dll, Umlsystem.dll, Visio.exe, Visiodwg.dll, Vislib.dll
    ImpactRemote Code Execution

      Tuesday 3 February 2009

      XPS Viewing - Harder than it should be

      I am a little afraid to post what my thinking here. I don't want to appear that I whinging or complaining. It's just that I thought that Microsoft has gone to a lot  effort to make something open, really accessible and the result is a surprisingly constrained experience.

       

      I am referring to the XPS (the Microsoft PDF format killer) viewing experience on Windows Vista (and Windows 7).  The Microsoft XPS format is built into Office 2007 (so you save/edit/create XPS files) and there is a viewer is built into Vista. 

       

      For more marketing information on the XPS format, you can refer to the Microsoft link here: https://www.microsoft.com/windows/windows-vista/features/xps.aspx

       

       

      And, you can download the XPS Essentials Pack here:  http://www.microsoft.com/whdc/xps/viewxps.mspx

       

      And probably, more importantly here is the link for the XPS Office 2007 pack: https://www.microsoft.com/downloads/details.aspx?FamilyID=4d951911-3e7e-4ae6-b059-a2e79ed87041&DisplayLang=en

       

      Again.... I feel that I am complaining here... And I may deserve all the difficulty that I have experienced. But, and, ... I hate to admit it... I don't use Internet Explorer... Ever!

       

      So, by default (on my numerous real and virtual machines ) I use Safari, Firefox (a lot) and Chrome. The whole idea of using XPS formatted documents on Vista is that a simple double click and you can read the document in your browser (and supposedly rather quickly). This is not the case when you use any other the other browsers (Google, Firefox, Opera, Safari) as the extension handlers for these applications merely download the app (again) and again.

       

      I knew that the XPS format  was built into Vista - and I hate to admit, I was completely stumped when I clicked on the XPS file - and nothing happened. I took me 10 minutes to realize that my default browser settings were "wrong" (according to M$)

       

      So, Vista has been around for a while, and so has Firefox and it appears that it was only last week (Jan 27th, 2009) that there is now a Firefox  Plug-in to handle the XPS format.  You can find the Firefox and Safari XPS Plug-ins here: http://www.pagemarktechnology.com/home/downloads.html

       

      OK - so, no Google Chrome support (no big deal). That said, here is something that surprised me. To load view an XPS file in Internet Explorer 7,  you simply drag a file from your local file system and drop it onto the IE window - in a few seconds, your document will appear. However, If you are already viewing  a XPS file in Internet Explorer 7  - you can't do this - you have to open a new tab/window. Weird.


      Some of you may comment that this is not a standard application compatiblity issue - you may be right... but "default settings" can be a real party pooper for getting applications to work well. So, at a stretch I think this could still be considered an application compatiblity issue. :)