Friday 22 October 2010

Windows 7: 12 Months On

The 22nd of October 2009 represented one of the most eagerly anticipated dates in the history of desktop computing. The launch of Windows 7 promised easier, faster and more secure computing for all. And, boy oh boy, did Windows 7 deliver.

Over the past twelve months, we’ve been working with over 200 global organisations to assist them in their Windows 7 migrations and during this time, we’ve started to see a number of emerging trends.
To celebrate the anniversary of Windows 7, we’ve put together a brief Report, you can request a copy here. In the Report we look at the emerging application compatibility trends, the primary issues and give some suggestions on how organisations can best approach their Windows 7 migration.

Over the past 12 months I experienced a number of situations with organisations that have made me really think again. Here is a quick synopsis of those surprises:
  • Windows 7 adoption rates higher than expected being led by 64bit as the primary delivery platform
  • The introduction of IE8 has added another layer of complexity into the migration. Organisations need to address compatibility issues for core web applications and browser presentation and rendering issues for internal and external websites and portals. 
  • Virtualisation has not been embraced as quickly as expected and organisations are looking towards a hybrid model of virtualised platforms to suit application capabilities
  • Windows 7 migration is easier than previous migrations, such as XP to Vista
  • Shims are not the answer to application compatibility issues
  • You need a level of technical expertise to fully use Microsoft’s application compatibility issue fixes

And, as you have probably seen already, we are still seeing the same top five application compatibility issues across all verticals and industry sectors including:

Windows 7 Compatibility Issue
% Apps Affected
% Fixable
Legacy Help Files
36%
100%
Windows Resource File and Registry Issues
35%
100%
UAC File Header Issues
24%
100%
Custom Action Security Issues
19%
100%
Legacy Control Panel Applet Security Issues
13%
100%

So, now that Windows 7 is a year old, has it met market expectations? In my view, Windows 7 has been a great success, with a rapid adoption rate, good industry acceptance, a stable OS, a small number of resolvable issues and delivers some great benefits such as increased security. 

Given these factors and our experience to date, we estimate that at least 60% of global organisations will be have fully deployed Windows 7 in the next three years. 

Stay tuned for the report - which I should be able to post in the next few days.

Note: If your browser does not display the link to the report correctly, you can find it here:

Monday 18 October 2010

Shims - those nasty bits

I have been asked a number of times about application compatibility fixes overt the past few weeks and the role of Microsoft's Shims.

As brief description of Microsoft's Shim technology; here is a snippet from the Microsoft Technet Shim article;
"The Shim Infrastructure implements a form of application programming interface (API) hooking. Specifically, it leverages the nature of linking to redirect API calls from Windows itself to alternative code—the shim itself."
To find out more about the Microsoft Shim technology, please have a read here;

Understanding Shims;

Or, Managing Shims in the Enterprise

After reading these links and documents, I have a number of problems with Microsoft's Shim approach including;

  • Microsoft owns the Shim database  and may update the database at anytime
  • No published API’s for the Shim Database
  • No published documentation for the Shim Database schema
  • No tools for managing the Shim Database in an enterprise environment
  • No Active Directory integration
  • No native integration with 3rd part deployment tools
  • No central management and control of the Shim Database
  • No centralized reporting mechanism’s available (from MS or ISV’s)
  • Any update to the Shim Database requires a complete re-compile of the database
  • No transparency or “accounting” of changes or updates to a Shim database
  • No “back-out” or roll-back facilities for the Shim Database
  • Limited Multi-Platform Support


To support these points, Microsoft has outline an additional scenario referenced in the Managing Shims in the Enterprise document which includes;
"It is possible that you will eventually find that the shims assigned to resolve a set of compatibility issues in an application are not comprehensive and that later you will need to deploy an updated version of the custom shim database that resolves the additional issues your organization later discovered. If you deployed the original custom shim database as part of the installation package, you will need to locate each client that has installed this application and the original custom shim database for it to replace it with the new version."
So, I am recommending that our customers do not use Shims but employ the Best Practices offered by Microsoft through;

  • Elevation Manifests
  • Updating the source application package (MSI Installers)
  • Creating Side-by-Side (Sxs) Isolation manifests

Hope that all this makes sense.... and, that I will be posting more on this topic soon...

Wednesday 13 October 2010

October 2010 - Patch Tuesday: Massive Update


With this Microsoft Patch Tuesday update, we see the largest collection of updates ever delivered by Microsoft in a single Patch Tuesday release. In total, there are 16 updates with the following rating; 2 Critical, 12 Important and 2 Moderate. Aside from the significant number of Security and Application updates with this Patch Tuesday release cycle, we also see a significant number of applications dependent on this large tranche of changes. The ChangeBase team recommends that the testing cycle for these particular releases is especially thorough due to application dependencies on almost all of the security patches included in this release. Given the nature of the changes and updates included in each of these patches, most systems will require a reboot to successfully implement any and all of the patches and updates released in this October Patch Tuesday release cycle.
Here is a sample of the results for one application and a summary of the Patch Tuesday results for one of our AOK Sample databases.
MS10-074: Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution.





Testing Summary
  • MS10-071 : "Cumulative Security Update for Internet Explorer (2360131)"
  • MS10-072 : "Vulnerabilities in SafeHTML Could Allow Information Disclosure (2412048)"
  • MS10-073 : "Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)"
  • MS10-074 : "Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution (2387149)"
  • MS10-075 : "Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution (2281679)"
  • MS10-076 : "Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132)"
  • MS10-077 : "Vulnerability in .NET Framework Could Allow Remote Code Execution (2160841)"
  • MS10-078 : "Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (2279986)"
  • MS10-079 : "Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2293194)"
  • MS10-080 : "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2293211)"
  • MS10-081 : "Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2296011)"
  • MS10-082 : "Vulnerability in Windows Media Player Could Allow Remote Code Execution (2378111)"
  • MS10-083 : "Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution (2405882)"
  • MS10-084 : "Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937)"
  • MS10-085 : "Vulnerability in SChannel Could Allow Denial of Service (2207566)"
  • MS10-086 : "Vulnerability in Windows Shared Cluster Disks Could Allow Tampering (2294255)"


Patch NameTotal
Issues
Matches
Affected
RebootRatingRAG
Microsoft Security Bulletin MS10-071<1%<1%YESAmber
Microsoft Security Bulletin MS10-072<1%<1%YESAmber
Microsoft Security Bulletin MS10-073<1%<1%YESGreen
Microsoft Security Bulletin MS10-07413%7%YESAmber
Microsoft Security Bulletin MS10-075<1%<1%YESGreen
Microsoft Security Bulletin MS10-076<1%<1%YESAmber
Microsoft Security Bulletin MS10-0774%3%YESAmber
Microsoft Security Bulletin MS10-078<1%<1%YESGreen
Microsoft Security Bulletin MS10-079<1%<1%YESAmber
Microsoft Security Bulletin MS10-080<1%<1%YESAmber
Microsoft Security Bulletin MS10-081<1%<1%YESAmber
Microsoft Security Bulletin MS10-082<1%<1%YESGreen
Microsoft Security Bulletin MS10-083<1%<1%YESGreen
Microsoft Security Bulletin MS10-084<1%<1%YESAmber
Microsoft Security Bulletin MS10-085<1%<1%YESGreen
Microsoft Security Bulletin MS10-086<1%<1%YESGreen

Legend:
No IssueNo Issues Detected
FixablePotentially fixable application Impact
SeriousSerious Compatibility Issue

Security Update Detailed Summary
MS10-071Cumulative Security Update for Internet Explorer (2360131)
DescriptionThis security update resolves seven privately reported vulnerabilities and three publicly disclosed vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadBrowseui.dll, Html.iec, Ieencode.dll, Iepeers.dll, Mshtml.dll, Mshtmled.dll, Shdocvw.dll, Tdc.ocx, Urlmon.dll, Wininet.dll
ImpactCritical - Remote Code Execution

MS10-072Vulnerabilities in SafeHTML Could Allow Information Disclosure (2412048)
DescriptionThis security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft SharePoint and WindowsSharePoint Services. The vulnerabilities could allow information disclosure if an attacker submits specially crafted script to a target site using SafeHTML.
PayloadCamlqry.xsd, Cfgupddl.sql, Configdb.sql, Configup.sql, Create.asx, Depl.xsd, Dwdcw20.dll, Dws.asx, Feature_0003.xml, Fldswss.xml, Msscntrs.dll_0001.x86, Mssdmn.exe_0001.x86, Mssearch.exe_0005.x86, Mssph.dll_0001.x86, Mssrch.dll_0001.x86, Nlhtml.dll_0002.x86, Offfilt.dll_0002.x86, Offprsx.dll, Onetutil.dll, Owssvr.dll_0001, Owstimer.exe_0001, Query9x.dll_0002.x86, Rgnldflt.xml, Schema.xml_announce, Schema.xml_discuss, Schema.xml_users, Searchom.dll_0003.x86, Searchom.dll_0005.x86, Sigcfg.cer, Sigcfg.dll, Sigcfg.sql, Sigsdb.cer.x86, Sigsdb.dll.x86, Sigsdb.sql.x86, Sigstore.cer, Sigstore.dll, Sigstore.sql, Store.sql, Storeup.sql, Stoupddl.sql, Stsadm.exe, Stsap.dll, Stslib.dll_0001, Stsom.dll, Stsom.dll_0001, Stssoap.dll, Stswel.dll, Stswfacb.dll, Stswfact.dll, Timezone.xml, Tquery.dll_0002.x86, Wss.rsx, Wss.search.sql.x86, Wss.search.up.sql.x86, Wss.xsd, Wsspreupgradecheck.xml, Xmlfiltr.dll.x86
ImpactImportant - Information Disclosure

MS10-073Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)
DescriptionThis security update resolves several publicly disclosed vulnerabilities in the Windows kernel-mode drivers. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
PayloadWin32k.sys, W32ksign.dll
ImpactImportant - Elevation of Privilege

MS10-074Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution (2387149)
DescriptionThis security update resolves a publicly disclosed vulnerability in the Microsoft Foundation Class (MFC) Library. The vulnerability could allow remote code execution if a user is logged on with administrative user rights and opens an application built with the MFC Library. An attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadMfc40.dll, Mfc40u.dll, Mfc42.dll, Mfc42u.dll
ImpactModerate - Remote Code Execution

MS10-075Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution (2281679)
DescriptionThis security update resolves a privately reported vulnerability in the Microsoft Windows Media Player network sharing service. The vulnerability could allow remote code execution if an attacker sent a specially crafted RTSP packet to an affected system. However, Internet access to home media is disabled by default. In this default configuration, the vulnerability can be exploited only by an attacker within the same subnet.
PayloadWmpmde.dll
ImpactCritical - Remote Code Execution

MS10-076Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132)
DescriptionThis security update resolves a privately reported vulnerability in a Microsoft Windows component, the Embedded OpenType (EOT) Font Engine. The vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadT2embed.dll
ImpactCritical - Remote Code Execution

MS10-077Vulnerability in .NET Framework Could Allow Remote Code Execution (2160841)
DescriptionThis security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario.
Payloadclrjit.dll, Setup.exe, SetupEngine.dll, SetupUi.dll
ImpactCritical - Remote Code Execution

MS10-078Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (2279986)
DescriptionThis security update resolves two privately reported vulnerabilities in the Windows OpenType Font (OTF) format driver. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability.
PayloadAtmfd.dll
ImpactImportant - Elevation of Privilege

MS10-079Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2293194)
DescriptionThis security update resolves eleven privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadWinword.exe
ImpactImportant - Remote Code Execution

MS10-080Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2293211)
DescriptionThis security update resolves thirteen privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file or a specially crafted Lotus 1-2-3 file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadExcel.exexe
ImpactImportant - Remote Code Execution

MS10-081Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2296011)
DescriptionThis security update resolves a privately reported vulnerability in the Windows common control library. The vulnerability could allow remote code execution if a user visited a specially crafted Web page. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadComctl32.dll, Controls.man, Comctl.man
ImpactImportant - Remote Code Execution

MS10-082Vulnerability in Windows Media Player Could Allow Remote Code Execution (2378111)
DescriptionThis security update resolves a privately reported vulnerability in Windows Media Player. The vulnerability could allow remote code execution if Windows Media Player opened specially crafted media content hosted on a malicious Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadWmp.dll
ImpactImportant - Remote Code Execution

MS10-083Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution (2405882)
DescriptionThis security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted file using WordPad or selects or opens a shortcut file that is on a network or WebDAV share. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadOle32.dll, Wordpad.exe, Xpsp4res.dll
ImpactImportant - Remote Code Execution

MS10-084Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937)
DescriptionThis security update resolves a publicly disclosed vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability.
PayloadRpcrt4.dll, W03a3409.dll, Wrpcrt4.dll, Ww03a3409.dll
ImpactImportant - Elevation of Privilege

MS10-085Vulnerability in SChannel Could Allow Denial of Service (2207566)
DescriptionThis security update resolves a privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The vulnerability could allow denial of service if an affected Internet Information Services (IIS) server hosting a Secure Sockets Layer (SSL)-enabled Web site received a specially crafted packet message. By default, IIS is not configured to host SSL Web sites.
PayloadSchannel.dll
ImpactImportant - Denial of Service

MS10-086Vulnerability in Windows Shared Cluster Disks Could Allow Tampering (2294255)
DescriptionThis security update resolves a privately reported vulnerability in Windows Server 2008 R2 when used as a shared failover cluster. The vulnerability could allow data tampering on the administrative shares of failover cluster disks. By default, Windows Server 2008 R2 servers are not affected by this vulnerability. This vulnerability only applies to the cluster disks used in a failover cluster.
PayloadClusres.dll, Clussvc.exe
ImpactModerate - Tampering