Ahmed Mahdy

Developer & IT Pros Blogs

Announcement for MSDN Community Distribution Program

We are pleased to have become one of the official Microsoft MSDN Community Distribution Agents in Egypt. You can now get a bimonthly CD of the latest MSDN tools, reviews and libraries to help keep your development platform up-to-date, robust and more reliable.

If you're from Egypt, contact us NOW for full details.

Dist. Agent: Ahmed Mahdy

Mobile Phone: 002-010-333-6269

E-mail address: ahmhdy@msn.com


Posted: Apr 18 2007, 09:04 by Ahmed Mahdy

Word 2007 Not Bitten by Bugs

Microsoft says a preliminary investigation into reports of vulnerabilities in its Office 2007 suite has produced no evidence of a threat to users.

Reports of new security holes in MS Office have been made public on known exploit sites, including information about four bugs posted on one site. Microsoft has not released specific information about the vulnerabilities, citing potential risk to users. "Microsoft's initial investigation has found that none of these claims demonstrate any vulnerability in Word 2007 or any Office 2007 products," a company spokesperson said April 11. "Our investigation into the possible impact of these claims on other versions of Microsoft Office is continuing."

The reported flaws were uncovered by Mati Aharoni of Offensive-Security.com, in Israel. He said he was not searching for vulnerabilities in Word, but stumbled upon them while developing Offensive-Security.com course materials. "I ran a character substitution script on several Windows file formats and was left dazed by the results," he said. "The vulnerabilities I released to the public were the least dangerous of my findings—most resulted in DOS only—actually getting code to execute via these bugs is highly improbable."



Posted: Apr 16 2007, 13:04 by Ahmed Mahdy

Manage Windows Vista Application Compatibility

Migrating to Vista means big changes in application support. Will your applications work in Vista? Here are some strategies and tools to mitigate the impact of moving to the new OS.

As of the end of March, 2007, 129 applications were certified or designed for Windows Vista, and 922 applications worked or were compatible with Windows Vista. Think that's a lot? Well, it does add up to over 1,000 applications you can run on Windows Vista with few, if any, issues. But, given that there are tens of thousands of applications designed for Windows, this first thousand is just a drop in the bucket.

Making existing applications work for Vista is a big job. Microsoft is keeping track of each application that passes its bar and is providing weekly updates through its Knowledge Base. But this obviously doesn't suit everyone.

Take, for example, the National Institute of Standards and Technology (NIST), part of the Department of Commerce, which has decided to ban Windows Vista -- for now -- from its internal computing networks. Or the U.S. Department of Transportation and the Federal Aviation Administration, both of which have also decided to impose a temporary blackout on Windows Vista.

Besides grabbing attention, such a ban puts a focus on Vista's support of current and legacy applications. Vista contains a series of changes in the way it supports applications (after all, Microsoft performed a rewrite of all the Windows code for Vista). In some cases, these changes are system-wide -- in others they affect specific areas of application operation. In both cases, they can break applications.

Luckily, there are a number of solutions as well:

Problem: The version number for Windows has changed -- Vista is number 6. While this occurs each time a new version of Windows is released, it will affect applications because some apps check version numbers at installation, others during operation, and yet others during both installation and operation.

Solution: Installation logic is easy to modify if you have the right tools. Software packaging tools such as Altiris Wise Package Studio and Macrovision AdminStudio let you edit version numbers both in standalone installations and in installations which are integrated with the Windows Installer service. Changing the version numbers when an application is running is more difficult because you would normally need to modify the application's code, but you can also run the application in one of the many compatible modes Vista supports.

Problem: The 64-bit or x64 versions of Windows Vista don't support 16-bit code. In fact, while x64 editions of Windows support 32-bit applications as well as native 64-bit applications, they no longer support any 16-bit code at all.

Solution: Several 32-bit applications still rely on 16-bit installers; in these cases, x64 editions of Windows XP, Windows Server 2003, and Vista will automatically convert these installers to their 32-bit equivalents during installation.

(If an application is designed as a true 32-bit application, it will work well on x64 Vista and in many cases, work even better than on x86 or 32-bit editions of Windows. That's because Vista x64 breaks the 4GB memory limitation x86 systems face and grants more resources in general to applications.)

However, 16-bit applications will not install at all on x64 versions of Windows.



Posted: Apr 16 2007, 13:04 by Ahmed Mahdy

Vista beta testers face looming OS expiration

Microsoft Corp. has begun reminding millions of testers of Windows Vista's beta and release candidate (RC) previews that their trial runs end on June 1.

Cori Hartje, director of Microsoft's antipiracy efforts, became the first company executive to note the impending deadline. "As a reminder to those that helped with Windows Vista beta testing, the beta installations are set to expire at the end of May 2007," said Hartje in a Q&A that Microsoft posted March 30 on its public relations Web site. "So customers need to decide if they want to move to Windows Vista or back to Windows XP if they have test versions of Windows Vista on their PCs."

Details on how best to do that, however, are scant. Despite repeated requests to clarify the exact procedure beta and RC users need to take -- and whether Microsoft will provide either guidance or offer a discount to testers -- the company declined to spell out its plans.

What information the company has published is on last year's Customer Preview Program (CPP) site, which points to the June 1 expiration date and explains that once installed, the Vista previews don't allow for operating system rollbacks. "You cannot roll back to the previous operating system installation -- you will either have to acquire and install the final released edition of Windows Vista or reinstall a previous edition of Windows," the site reads.

Some hints, however, can be found on Microsoft's Vista support forums:

 

  • Only a full version of Vista does the upgrade from Beta/RC to final. Multiple threads on the Vista forums note that it's not possible to do an in-place upgrade from Vista Beta or RC using a final, retail upgrade version of the operating system.

    "You can't use an Upgrade edition to move from Beta/RC to final. Has to be a Full version," said a user identified as Richard Harper. That means Beta/RC users can't take advantage of the lower-priced upgrade Vista stock-keeping units (SKU) to retain their Vista settings and installed applications when migrating to the real deal. The price difference on Vista Ultimate is dramatic: $259 list for the upgrade edition, $399 for the full version. And that's important because ...

  • $399 buys you in-place upgrade. If testers wondered why Microsoft gave them the most powerful, and expensive, Vista last year, this may be a clue: To do an in-place upgrade from a Vista preview to the final code requires not only a full edition, but a full edition of Ultimate.

    "Just as in all past [Microsoft operating systems], downgrading isn't supported," said Dave B. Another user, Chad Harris, was more specific. "It has to be a Full version of Ultimate ... any other version (Home Premium, Business) is considered a downgrade to Ultimate and is not allowable."

  • Revert to resume. To take advantage of lower-priced upgrade editions of Vista, or to move from the Beta/RC Ultimate SKU to a less-featured version, like Home Premium, testers must reinstall an earlier operating system -- likely Windows XP -- before upgrading from that to Vista final.

    "So if I return my laptop to XP, then if I bought the upgrade version of Vista, it should work right?" asked NoSpinVette. Rick Rogers answered with a simple "Yes indeed." The reinstallation of XP, of course, deletes all data on the boot hard drive and so requires testers to back up data files and reinstall applications on the Vista-powered PC after the upgrade is completed.

Those hassles didn't sit well with some dedicated beta testers. "Do you mean to say that because I installed Vista RC2 over XP, I screwed myself out of upgrade pricing? If so, seems like MS is punishing beta testers," said a user labeled as "tom."

Others, however, brooked no whining. "You should've known better than to install a beta over your primary operating system/primary computer. Microsoft warned users not to do that," responded another poster identified as Michael.

The migration issue isn't trivial, if only because of the numbers involved. At one point in 2006, Microsoft boasted that 1.5 million users had downloaded Vista RC1 and said it expected an additional 1.5 million to download RC2.



Posted: Apr 13 2007, 11:04 by Ahmed Mahdy

Windows XP to be phased out by year’s end

Computer makers have been told they'll no longer be able to get Windows XP OEM by the end of this year, despite consumer resistance to Vista and its compatibility problems.

By early 2008, Microsoft's contracts with computer makers will require companies to only sell Vista-loaded machines. "The OEM version of XP Professional goes next January," said Frank Luburic, senior ThinkPad product manager for Lenovo. "At that point, they'll have no choice."

Despite Microsoft's relentless promotion of Vista, manufacturers are still seeing plenty of demand from customers for systems preloaded with XP, especially in the finicky SOHO market.

In a recent post on its Direct2Dell blog, Dell reaffirmed to concerned customers that it wasn't about to force small business users -- who typically purchase PCs piecemeal, rather than in large enterprise-style orders -- to shift to Vista, which has experienced a less-than-stellar reaction from many buyers because of driver issues and moderately beefy hardware requirements.

"Dell recognizes the needs of small business customers and understands that more time is needed to transition to a new operating system," the post read in part. "The plan is to continue offering Windows XP on select Dimension and Inspiron systems until later this [northern] summer."

"From a local perspective, the post was a reminder more than an announcement," Dell ANZ corporate communications manager Paul McKeon told APC.

"This was something we'd always planned during the transition phase since businesses will have different time frames to adopt the new OS. If you're a consumer, you're unlikely to be managing more than say 2.4 OS images at home, so it's less of an issue."

There's general agreement amongst PC resellers that Vista has provided a minor boost to PC sales, but hasn't produced blockbuster numbers. A similar story applies in the retail space. Figures from marketing consultancy GfK suggest that after an initial sales surge, around 1500 copies of Vista are now being sold through Australian retailers each week, according to a recent report in the AFR.

While Dell's post suggested it wouldn't be promoting Vista systems to the home market, manufacturers still have the option of selling XP-based systems for consumers this year.



Posted: Apr 13 2007, 11:04 by Ahmed Mahdy

Microsoft patches Vista bug that snuck through beta test

All together it offered fixes for eight different vulnerabilities.

Microsoft Corp. today unveiled the second stage of its April security updates by releasing five security bulletins that patched eight vulnerabilities -- including one that was missed during the company's Windows Vista beta testing and ended up in the final version of the new operating system.

Of the four updates that addressed bugs in Windows, the MS07-021 update was clearly the one to patch pronto, said researchers. "This is my first [to patch] choice," said Amol Sarwate, manager of Qualys Inc.'s research lab.

"It affects everyone," agreed Minoo Hamilton, senior security researcher with patch management vendor nCircle Network Security Inc.

The update, which fixes three different bugs, includes one marked critical that affects all supported editions of Windows, from 2000 through XP and Server 2003 to Vista. The vulnerability in the error message processing of the Windows Client/Server Run-time Subsystem (CSRSS) can be exploited remotely, said Microsoft, and could result in a complete compromise of the PC.

The most likely way to deliver an attack: Dupe users into visiting a malicious Web site.

Ironically, this MsgBox flaw was acknowledged by Microsoft more than three months ago and was reported to the company's security team about the same time as the animated cursor (ANI) bug patched by an emergency fix last week.

"Number one, it affects earlier operating systems as well as Vista, so it's similar to the ANI vulnerability in that it's likely Microsoft reused [older] code in Vista," said Sarwate. "Two, it's a zero-day; it was out there [publicly] before today. Three, it has a Web-based attack scenario. And fourth, last but not least, it affects both clients and servers and is a core component of the operating system."

Hamilton concurred, especially on the reused code and the similarity with ANI. "It confirms a lot that we discussed about the ANI bug and the type of vulnerabilities Vista will likely have," he said. "The file handling- and process- and local privilege escalation-type vulnerabilities will be what attackers focus on with Vista."

But Hamilton also cast back to 2006, when Vista was still in beta testing. "This vulnerability was in the betas, so it escaped from the beta all the way to now."

The federal government's National Vulnerability Database confirmed Hamilton's charge. In a vulnerability summary first posted Dec. 21, 2006, a day before Microsoft acknowledged the bug, it listed Vista Beta 1 and Vista Beta 2 as affected.

Of the remaining four updates, Sarwate and Hamilton split on pegging the next-most-dangerous bugs. Sarwate called out MS07-018 and MS07-019, both ranked critical by Microsoft; Hamilton, meanwhile, picked MS07-020 as the second-most-important update he recommended users deploy.

"MS07-019 is potentially wormable," said Sarwate, "because a hacker can actively send packets to two listening ports and there's no user interaction required." Hamilton's choice, MS07-020, is rated critical on both Windows 2000 and Windows XP SP2, which account for the bulk of Windows clients.

"The one bright spot," said Hamilton, "is that MS07-020 shows us a trend. Take a look at the 'Mitigating factors' in the bulletin. It shows a progressive locking down of the operating system from Windows XP SP2 to Windows Server 2003 to Windows Vista.

"But then you turn around, and there's MS07-021, and you see Vista breaking out of those protections."



Posted: Apr 13 2007, 11:04 by Ahmed Mahdy

Office zero-day bugs spoil Patch Tuesday

A trio of what appear to be new, yet-to-be-patched flaws in Microsoft Office has surfaced, according to security researchers at McAfee.

The vulnerabilities were reported in online security forums on Monday, according to a posting on the McAfee Avert Labs blog on Tuesday. All but one of the flaws results in denial of service, meaning the application would crash, according to the blog post.

"There is one heap-overflow flaw that might be exploited for code execution," Karthik Raman, a McAfee researcher wrote on the blog on Tuesday. Typically such flaws are exploited by tricking a targeted victim into opening a rigged Office document.

Microsoft is investigating the bug reports as well, a company representative said in an e-mailed statement. The initial investigation has found that none of these zero-day claims demonstrates any vulnerability in the products of Office 2007, the latest version of Office, the representative said. Also, Microsoft is not aware of any attacks that exploit any of the issues at this time, he said.

In addition to the Office bugs, a zero-day vulnerability has been reported in Windows. Sample code that exploits a flaw in the way Windows handles help system files has been posted to the Internet.

"This is another heap-overflow flaw that might be exploited for code execution," McAfee's Raman wrote in an update to the Avert Labs blog late Tuesday.

Microsoft said it is aware of the issue. "Microsoft has listed .hlp files as unsafe file types and recommends customers exercise the same cautions with .hlp as .exe, as both file types are executable," it said. An attacker would have to use rigged .hlp files to exploit the flaw, according to Microsoft.

Word of the flaws comes on the day that Microsoft issued five security bulletins as part of its monthly patch cycle. The company is still dealing with the aftermath of an emergency patch released last week.

"This is yet another time that zero-day flaws have been published around a Patch Tuesday, possibly to maximize the exposure to these flaws until the next month’s Patch Tuesday," Raman wrote.

Cybercrooks have found that they can take advantage of Microsoft's security update cycle by timing new attacks right before or just after Patch Tuesday--the second Tuesday of each month when the software maker releases its fixes. Some security watchers have coined the term "zero-day Wednesday" to describe that strategy.

McAfee is still investigating the security vulnerabilities. They may not actually all be new, said Dave Marcus, security research and communications manager at the Santa Clara, Calif.-based security firm. "Sometimes what people claim to be zero-days may in fact be related to something that's already known," he said.

Should the three Office bugs be new, the tally of zero-day vulnerabilities in the productivity suite waiting for a fix would jump to five. Microsoft did not deliver any patches for Office on Tuesday, despite two vulnerabilities in the software that have been previously disclosed, according to eEye Security's zero-day flaw tracker.



Posted: Apr 13 2007, 11:04 by Ahmed Mahdy

Researchers question Vista security after ANI exploit

Microsoft Corp.'s failure to spot the animated cursor bug in Windows Vista is, at best, a flag to hackers that old flaws may abound in the new operating system, researchers said today. At worst, it's a disconcerting sign that Vista's security-oriented development process slipped up.

This week, Microsoft issued an out-of-cycle fix for a vulnerability that's been exploited since at least March 28 by hackers armed with malicious .ani files. Every supported version of Windows contained the bug, including Vista.

The fact that Vista was affected rang alarm bells with security researchers, who recalled that an update more than two years ago addressed the same section of Windows code. That bug, fixed by the MS05-002 patch, also involved animated cursors and icon files, and updated the User32.dll file. That file was also replaced in this week's MS07-017 update.

Earlier this week, Mark Miller, director of the Microsoft Security Response Center, acknowledged that the failure to spot the new ANI bug when developers reviewed the vulnerable code in 2005 was a breakdown. "We're doing an analysis of why we didn't find it then," Miller said.

Security researchers weren't so kind.

"You have to take some points away from Microsoft for not catching this," said Amol Sarwate, manager of Qualys Inc. "The No. 1 step before trying to find new vulnerabilities in [something like Vista] is to test older ones, or exploit variants against older vulnerabilities."

Oliver Friedrichs, director of Symantec Corp.'s security response team, agreed. "Given the investment it's made and SDL [Microsoft's Security Development Lifecycle], we would have hoped Microsoft had found this then," said Friedrichs. "I'd call it 'somewhat of a failure,' because frankly, these vulnerabilities are very, very difficult to find. Vulnerability research is more of an art, less of a science."

Microsoft hasn't made it a secret that it recycled old code when creating Windows Vista.

The head of the company's security research lab defended the time spent investigating, developing and testing the fix. "Engineering a patch is a long, complex process," said Mark Miller, director of the Microsoft Security Response Center (MSRC). "We look at surrounding areas of code for similar vulnerabilities and, from our internal investigation, address as many as we can find."

Microsoft was alerted to the ANI file bug Dec. 20 by Alexander Sotirov, a vulnerability researcher at Determina Inc. in Redwood City, Calif. By mid-March, when Microsoft skipped its usual second-Tuesday-of-the-month updates, the investigation had been completed and a patch created, said Miller. "But it was still undergoing testing," he said, explaining why the patch wasn't released then.

On March 28, McAfee Inc. notified the MSRC that it had spotted attacks exploiting the cursor flaw. Within five days, as attackers ramped up use of the exploit to include hundreds of malicious Web sites, Microsoft promised to release a patch a week ahead of its designated monthly release date, April 10.

Miller, as have other Microsoft security officials, said that the patch could be released early because it was already on the April schedule. "We had an opportunity, and by pulling in the window by a week, it was very doable," he said.

He rejected the idea that Microsoft rushed to release the fix only when exploits appeared and publicity mounted.

"The number of people working on it doesn't change [when exploits are active], but the 24/7, around-the-globe effort does," said Miller. "When McAfee notified us, we ramped up our SSIRP [software security incident response process] to track the attacks and see what level of activity there was."

Determina's Sotirov, who found the flaw while auditing other code in the same User32.dll that contained the ANI bug, refused to criticize Microsoft for the time it needed to create a fix. "If you look at the average time it takes them, this vulnerability is not an exception," he said. "In fact, it's pretty standard."

By one metric, the numbers credit Microsoft. According to Symantec Corp.'s analysis of patched vulnerabilities in the second half of 2006, Microsoft took an average of 21 days between the public disclosure of a vulnerability -- code posted or mention made on a security mailing list such as Full Disclosure or Bugtraq -- and patch release. The ANI vulnerability, obviously a closely guarded secret on the part of hackers, didn't "go public" until March 28, making for a window of only six days.

But the fact that Sotirov, not a Microsoft employee, found the ANI vulnerability speaks ill of the company's emphasis on security and its claims of code review. Several analysts and researchers, for instance, have noted the similarity between today's flaw and one patched in January 2005. That bug, fixed by the MS05-002 update, also involved animated cursors and was reported to Microsoft by researchers from eEye Digital Security 57 days before the patch was issued.

If, as Miller said, Microsoft spends at least some of the patch development process looking for similar vulnerabilities in the affected code, why wasn't the 2007 animated cursor flaw found in 2005? "We're doing an analysis of why we didn't find it then," said Miller.



Posted: Apr 11 2007, 04:04 by Ahmed Mahdy

Microsoft Posts Tools for Windows Home Server

Microsoft last week released a beta of documentation for a free software development kit (SDK) that helps developers build applications for its forthcoming Windows Home Server product.

The SDK documentation is available for download on the Microsoft Developer Network. It provides guidance on how developers can use the API and services in Windows along with the Visual Studio integrated development environment and Visual Studio C# tool to build new applications for Windows Home Server, which is currently in its second beta release.

Developers also must sign up and download the Windows Home Server beta on its Web site to use the SDK.

Typically, an SDK would also have libraries developers can use to build applications, but the developer libraries for Windows Home Server are available in the OS itself, said Charlie Kindel, general manager of Windows Home Server group at Microsoft.

He also said developing new applications for the product should be easy for developers because under the covers it is essentially the Windows client OS, except with tweaks aimed at specific functions. Those include features that help home users set up a network for several home PCs; store data and files from those PCs centrally; set up a security hub for the PCs; and allow users to access content from their PCs even when they are away from home.

Microsoft unveiled Windows Home Server, formerly known by the code name Quattro, at the Consumer Electronics Show in Las Vegas in January, and it is the first Microsoft server OS aimed specifically for home use. At the time of its launch, Microsoft said it did not plan to sell the product out of the box; instead, it said the OS will be distributed through original equipment manufacturers (OEMs) only on hardware built specifically to run it.

On Thursday, however, Kindel said there might be a change in that plan. He said Microsoft may sell Windows Home Server out of the box when it becomes available later this year, alongside new MediaSmart Servers from Hewlett-Packard Co. that will be the first hardware available with the new OS pre-installed.

"We got a lot of feedback [from testers] and we want to satisfy them, so we are investigating whether [selling it separately] might be an option," he said.

Kindel said applications developers might build using the Windows Home Server SDK include those for system protection, media sharing, home security and home automation. Microsoft will continue to update the SDK beta as more information and APIs become available.



Posted: Apr 11 2007, 04:04 by Ahmed Mahdy

Microsoft to patch animated cursor bug early

Microsoft Corp. will patch the increasingly dangerous Windows animated cursor vulnerability tomorrow, a week early, a spokesman of the company's security team said yesterday.

"Microsoft originally planned to release the update on Tuesday, April 10, as part of its regular monthly release of security bulletins," the spokesman said in an e-mail. "However, Microsoft is aware of the existence of a public attack utilizing the vulnerability, [and] since testing has been completed, Microsoft will release the update ahead of schedule to help protect customers."

The announcement followed a weekend of escalating warnings from security organizations and reports from China's Internet Security Response Team (CISRT) of a worm in the wild using the unpatched vulnerability. Symantec Corp. and other antivirus companies confirmed the existence of the Fubalca worm yesterday.

Over the weekend, a number of events showed the speed with which attackers were moving. First, exploit source code was publicly posted on a security mailing list, then McAfee Inc. said it had seen at least one spam run that linked to the exploit, and finally, Websense Inc. claimed that it had spotted more than 100 malicious sites spreading the exploit, a tenfold increase over the day before.

Microsoft's decision to push the patch out tomorrow may have come just in time. This weekend, Ken Dunham, director of VeriSign Inc.'s iDefense rapid-response team, said, "We are in the eye of the storm. Spam run-type attacks pose significant danger to enterprises as the workweek resumes. Popularization of the exploit is under way amongst multiple hackers, and it's trivial to use and modify.

"This is undoubtedly a serious issue that will persist for many months if not years, attacking vulnerable computers," said Dunham.

On Saturday, Microsoft's Security Response Center (MSRC) added Windows Server 2003 Service Pack 2 to the long list of Windows editions affected by the bug. Yesterday, Christopher Budd, an MSRC program manager, acknowledged that attacks leveraging the flaw had increased. "In light of these points and based on customer feedback, we have been working around the clock to test this update," Budd said on the MSRC blog.

The emergency fix, pegged as MS07-017, will be released through Microsoft's normal channels, including Automatic Updates, Windows Update and the enterprise-oriented Windows Server Update Services. MS07-017 will be only the third out-of-cycle patch from Microsoft in more than two years.



Posted: Apr 06 2007, 13:04 by Ahmed Mahdy