Wednesday 11 March 2009

Patch Tuesday: March 2009

This month includes 3 patches, one rated Critical and the other rated as Important. These patches affect all operating systems from Windows 2000, XP through to VISTA and Windows 7 beta and will require all servers and desktops running these operating systems to be rebooted. The good news is that from an application compatibility perspective this is a minor update from Microsoft.

This will bring relief to IT departments after the February release.

Looking further at the March update, after loading the ChangeBASE AOK application testing portfolio into a Patch Impact database, all three patches were tested for application level issues and in addition, application dependencies. None of three patches (MS09-006, MS09-007, and MS09-008) raised significant numbers of application level or dependency level issues with the AOK Application Test portfolio.

Given the very low numbers of issues, the ChangeBASE AOK team recommends that these patches are rapidly deployed to a staging environment and then subsequently into Production. The ChangeBASE AOK team recommends that with all changes to an environment basic UAT testing is performed on all business critical applications. However, for these three March Microsoft Security updates, only marginal build level testing should be required.

Here is a sample report extract from one of the few applications in the AOK ChangeBASE Application Test Portfolio that raised a dependency level issue with the MS09-006 Security Update.

Testing Summary
  • MS09-006: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-007: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-008: Marginal Impact (both Package level and dependencies) detected across portfolio

Patch NameTotal
Microsoft Security Bulletin MS09-00627<1%YESCriticalCritical
Microsoft Security Bulletin MS09-0077<1%YESImportantImportant
Microsoft Security Bulletin MS09-00822<1%YESImportantImportant

No IssueNo Issues Detected
FixablePotentially fixable application Impact
SeriousSerious Compatibility Issue

c. 800 applications were tested against these patches using the ChangeBASE ACL (Application Compatibility Lab)

Security Update Detailed Summary
MS09-006Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)
DescriptionThis security update resolves several privately reported vulnerabilities in the Windows kernel. The most serious vulnerability could allow remote code execution if a user viewed a specially crafted EMF or WMF image file from an affected system.
ImpactRemote Code Execution

MS09-007Vulnerability in SChannel Could Allow Spoofing (960225)
DescriptionThis security update resolves a privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The vulnerability could allow spoofing if an attacker gains access to the certificate used by the end user for authentication. Customers are only affected when the public key component of the certificate used for authentication has been obtained by the attacker through other means.

MS09-008Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)
DescriptionThis security update resolves two privately reported vulnerabilities and two publicly disclosed vulnerabilities in Windows DNS server and Windows WINS server. These vulnerabilities could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker's own systems.
PayloadAfd.sys, Dns.exe, Dnsperf.dll, Dnsperf.h, Dnsperf.ini, Msafd.dll, Sp3res.dll, Tcpip.sys

Monday 9 March 2009

The Windows 7 Engineering guys are doing a superb job right now. My own experiences coupled with the feedback I am getting, is that with respect to Application Compatibility Windows 7 compatibility is "better" than Vista. 

I was trying to explain the situation to a colleage about the "Windows 7 Compatibility" story and I used the analogy, "that application compatibility with Windows 7 today is like what Windows Vista experiened 18 months after it's release". There are going to be a few "gotcha's" out there (who is using Microsoft Agent anymore?) but generally the Microsoft partner and ISV eco-system is gearing up for the release of Windows 7 rather than "waiting and see" what the final release candidate will look like. This can only be a good thing.

However, I was a  little concerned by a recent posting by the Engineering Windows 7 team blog (found here:

There is a posting on Application Compatibility testing that raised a few eyebrows within our group. The posting in question is located here:

And, the content in question is the list of applications that was tested for application compatibility. Here is a brief (non-exhaustive) list reproduced from the site; 

  • orwegian1Visma Avendo FaktureringPolish2
  • WF-Fakturka dla Windows
  • Nahlik eTeacher 5
  • Portugese1Mr. Escola Win PortSpanish3
  • Mexico Federal Taxes Simplified SAT: Individual Taxes
  • Monografias Spanglish
  • IKEA Home Kitchen Planner
  • Turkish1MYTR Filter 2.6

Now, to be fair the blog entry was intending to demonstrate some of the international applications that were included in the application compatiblity testing program for Windows 7.  This is all good stuff.

However, when you look at the titles, you see a distinct consumer bent to the applications. This could be just the small sample size of the blog posting (maybe Microsot tests 1000's of applications) but it does look like these are some of these applications are the easier titles to obtain (either cheap, easily downloadable or trial versions). 

What's missing? Some hard-core applications that are present on just about every desktop? Examples include; AutoCAD for the Engineering sector, Bloomberg and Reuters for Banking, SAP for the the Finance groups.  

From this admittedly small sample size, I have a few questions;

  • Just how big is Microsoft's application compatibility software purchasing plan?
  • Does it cover enterprise applications
  • How may applications are included in this list?
  • Is there an ecosystem or Partner program that ISV's can join to include their applications in this testing effort?
Just as a bit of a boot note, I wanted to find out a bit more about these applications and so I googled them and got the following result for WF-Fakturka dla Windows;

Is this the reason why this application was chosen? Easy to crack, easy to "app-compat". I am sure this is not the case.... 

Friday 6 March 2009

The IE8 Compatibility Journey

I wanted to take a few minutes today to outline some of the Internet Explorer 8 compatibility issues that have been documented by Microsoft. This is a little bit of a cut and paste of some of the documentation, but I have distilled some of the issues that I feel that may cause some application level issues. Here is my list, with a warning that this is just the beginnging of my investigation;

Cross-Site Scripting Filter
XSS attacks have emerged as a leading exploit against Web servers and Web applications. Internet Explorer 8 has an XSS filter that is able to dynamically detect type-1 XSS (reflection) attacks. This helps protect users and systems from attacks that can lead to information disclosure, cookie stealing, account/identity theft or other attempts to masquerade as the user without permission. 
DEP/NX Security Restrictions
DEP/NX helps to foil attacks by preventing code from running in memory that is marked non-executable.  DEP/NX, combined with other technologies like Address Space Layout Randomization (ASLR), make it harder for attackers to exploit certain types of memory-related vulnerabilities like buffer overruns. In turn, this may cause some applications to crash unexpectedly.
File Name Restriction
Internet Explorer 8 form submission has been changed so that a file upload control (input type=file) only submits the file path to the server. Previously, the full path was sent to the server. This change may cause application compatibility issues with applications that assume a specific location for a particular file.
Codepage Sniffing
Internet Explorer 8 prevents certain codepages from participating in its Codepage Sniffing heuristic. Any pages that rely on this heuristic to be recognized as 7-bit Unicode Transformation Format (UTF-7) will no longer be detected.
AJAX Navigation
Internet Explorer 8 (IE8) includes an Asynchronous JavaScript and XML (AJAX) navigation feature that allows sites to maintain and track changes in AJAX states by treating them as a navigation.  This can be problematic for sites that were using the "location.hash" feature  to send data between cross-domain components.
Application Protocol Detection
The Application Protocol Handler Dialog security feature protects users from accidentally executing an application with dangerous content. This feature may inadvertently cause some applications to hang or not respond as expected.
MIME Type Detection Restrictions
Internet Explorer 8 (IE8) uses web-based MIME information to determine how to handle files sent by a Web server. The MIME Handling Restrictions feature reports an unsafe content handler when the reported MIME file type does not match the observed MIME file type, and the content handler for the observed MIME file type is unsafe.
Web Proxy Error Handling Changes
Internet Explorer 8 blocks application content returned by a proxy from a failed CONNECT command, or displays the content in a context based on the hostname of the proxy rather than in the context of the origin server. This may cause an application to hang or not behave as expected.
Signed Certificate Filtering
Microsoft's Internet Explorer 8 (IE8) uses Certificate Filtering to select the appropriate certificate for client authentication. This feature has been improved  from the version in IE7 to remove certificates that are likely to be rejected by the server. This may cause some intranet or in-house developed applications to fail. 

Let me know what you think about these issues. I think that there are going to be a few more. And so, I will keep you posted.

Thursday 5 March 2009

Microsoft LOB Application Compatibility

Microsoft has recently released a new whitepaper on application testing and application compatibility. This whitepaper focuses on some of the challenges encountered by Microsoft's own IT department (MicrosoftIT).  Some notable quotes from this whitepaper include;

"Microsoft IT tests approximately 4–6 percent of the application portfolio prior to each internal product release. "

There are some really novel/interesting ideas presented here on the testing paradigm used by MicrosoftIT. As the document explains, Microsoft has a very large application portfolio, and just like everyone else, is not able to afford (time/money/resources) to test each application in their portfolio everytime a new platform update is released. Instead, MicrosoftIT identifies a small number (around 60) of key/critical applications and thoroughly tests those applications. These selected applications are referenced as "indicator" applications. The thinking here is that if any platform update is going to break anything - it will be break these selected applications.   

What is quite reassuring about this approach is that Microsoft makes testing non-Microsoft applications a priority. I assume that the reasoning for this is that since Microsoft does not "own the code for these 3rd party applications, any compatiblity issues will likely require more time to address and resolve and therefore any issues should be highlighted as early as possible.