Wednesday, September 20, 2006

FAQ about the latest IE bug

Listed below are a set of FAQ questions surrounding the new IE bug.

What's the problem? A vulnerability newly discovered in Microsoft Internet Explorer could allow an attacker to take over a targeted machine -- even a machine whose patches are all up to date.

What's it called? The Common Vulnerabilities and Exposures list tentatively designates this vulnerability as CVE-2006-4868. McAfee calls it Exploit-VMLFill; Trend Micro calls it EXPL_EXECOD.A; Symantec calls it Trojan.Vimalov, reflecting its probable Russian origin. SecurityFocus assigns it a Bugtraq ID of 20096.

Which programs and versions are affected? Internet Security Systems reports that the flaw affects all versions of IE that include support for VML, which means Versions 5 and 6, though tests so far have generally looked at Version 6. There have been no reports of the attack working on IE 7. Recent versions of Outlook and Outlook Express are also vulnerable, as are all versions and service packs for Windows 2000 and XP. (On Windows 2003, IE runs by default in a restricted mode, in which certain binary and script behaviors are disabled; if those settings have been changed the system may be vulnerable.)

Are Mac, Linux or Unix systems vulnerable? What about Firefox? No, no, no and no. (Something Firefox aficionados are trumpeting loudly over in the SunbeltBlog comments That's not winning many popularity contests.)
How is the vulnerability exploited? So far, the exploit has been found in the wild on a handful of Russian sites, mostly porn-related. Propagation is via the usual routes, particularly e-mail, though IM or any service by which an HTML link can be sent will do. Users must click on an HTML link to load the affected document. Outlook or Outlook Express users who automatically open HTML messages are also at risk.

What's the sequence of events? Security veterans won't be surprised to learn that we have yet another buffer-overflow attack here. The buffer is deluged and overflows, pushing JavaScript shell code into adjacent buffers for execution. The code downloads a piece of malware and saves it to the hard drive as CPU.exe, after which Internet Explorer generally shuts down.

What's the payload? Depends, but the vulnerability can allow attackers to take complete control of the machine so the potential for mayhem is high. Most attacks so far are recruiting PCs into botnets, presumably to be used for other attacks or malware propagation at a later date. They're also depositing a stunning amount of adware on victimized machines, as Sunbelt researcher Adam Thomas described in a blog posting. The potential for trouble, rather than the current infection rate, is why organizations such as Secunia are concerned at the moment.

When can I expect an official patch? Microsoft, in a security advisory released yesterday, says it's working on a patch that's in the final stages of compatibility testing. The company expects to release it on October's Patch Tuesday, scheduled for Oct. 10.
That long?! So far, it doesn't appear that we've got another Windows Metafile zero-day mess on our hands, not least because the vulnerability was apparently obscure for quite some time. (More on the discovery process below.) If things heat up, Microsoft says it'll work to release the patch earlier.

Is that likely? Chris Mosby's blog says that Web Attacker, the notorious tool kit for Trojans, has been updated to include support for exploiting the vulnerability. Not a good sign.
What can I do in the meantime? Simply put: Turn off JavaScript execution, since the code inserted in the buffer overflow is JavaScript. More fully, Microsoft and independent experts are recommending that admins (and users with admin privileges) temporarily unregister vgx.dll, the affected library, with the following command:
regsvr32 -u "%ProgramFiles%\CommonFiles\Microsoft Shared\VGX\vgx.dll"
After the DLL is unregistered, reboot the computer. Once a patch is available, the DLL may be reregistered at your convenience. Security expert Jesper Johansson has posted some useful templates, using Group Policy, for fast fix deployment in Windows domains.
Microsoft says that Windows Live OneCare users who currently have green status are protected from all known malware, and it recommends that all users check that their antivirus protections are up to date. Antivirus software that includes protection against buffer overflows appears to protect against the exploit.
If vgx.dll is crucial to your users, the Access Control List for the DLL may be modified to forbid access to the "everyone" group.
Microsoft suggests those using IE 6 for XP Service Pack 2 can protect themselves by disabling binary and script behaviors in the Internet and Local Internet security zones. Those setting are reached through the Tools --> Internet Options -- > Security --> (zone) --> Active X controls and plug-ins for both zones.
(Several observers have noted that Microsoft is clearly taking the problem seriously, as it's rare for the company to recommend disabling functionality in its products, even temporarily!)

What does vgx.dll do? Practically speaking, not much. It's a dynamic link library supporting VML, the hypertext markup language that handles the display of vector graphics. The VML proposal has been around since 1998, but it's not very widely used online. It's unlikely that most users will even know it's (temporarily) not supported by their IE browser.
Hasn't vgx.dll been involved in security advisories before? Good memory. It was indeed one of the buffers affected in certain versions of Windows when the 2004 .jpeg processing buffer-overflow problem covered in MS04-028 was spotted.

Who found the flaw? Funny you should ask. Sunbelt first noticed the exploit in the wild around noon on Monday and posted the code to a private mailing list of security professionals, who began the vetting process. According to Alex Eckleberry at Sunbelt, this was the first the security professionals on their (closed, vetted) list had heard of the vulnerability. However, Eckleberry found out later in the day that ISS has apparently been aware of the exploit for some time and has been working with Microsoft on a fix. That organization issued an advisory on Tuesday.

The full article can be found here.

Tuesday, September 19, 2006

Does MOSS 2007 support folders?

Q: I was wondering if document libraries in SharePoint 2007 support folders within them. Does MOSS 2007 support folders?

A: Yes, MOSS (Microsoft Office SharePoint Server) does support folders within a document library (see screen caption below). To create a folder, simply click "New" and select "New Folder".

Monday, September 18, 2006

ODC vs. BDC

As discussed during our last meeting, SharePoint 2007 has many new features. And as with any new feature, some confusion is bound to be included. Two of those new features are ODC and BDC. To help clear some of the confusion around these 2 items, here's a brief explanation of the two.

ODC (Office Data Connection) is used to connect Excel Services to a specific database, without making the user remember userID, password, DB Name, server name, etc. Instead, all these items are stored in an XML format file with the extension name .ODC. The .ODC file can be created by using the Excel client to create the file, then upload the file to a Data Connection Library. Once uploaded, a user simply refers to the ODC file, where all connection string parameters are stored. The data connection can then be used by various Excel Web Parts to display the data and KPIs. To read more about the ODC, go to http://blogs.msdn.com/excel/archive/2006/02/16/533865.aspx

BDC (Business Data Catalog) is another method used to connect to a database. The BDC file is also in XML format. The key difference is that a BDC file also holds the query statement so it connects and retrieves the data. Once the data is retrieved, the BDC can be connected to 1 of 5 BDC web parts. To read more about the BDC, go to http://msdn2.microsoft.com/en-us/library/ms563661.aspx

Thursday, September 7, 2006

Spreadsheet Web Part Add-In for Microsoft Office Excel 2003

During our last meeting we discussed SharePoint 2007 and how Excel Services is one of it's big features. I recenly found a web part that enables the use of Excel 2003 with Windows SharePoint Services.

The Spreadsheet Web Part Add-In for Microsoft® Office Excel 2003 makes it easy to design your own Spreadsheet Web Parts and save them to a site based on Microsoft Windows® SharePoint™ Services.

For more information or to download the Excel web part, click here.

Wednesday, September 6, 2006

What is WinFX?

Q: What is WinFX?

A: WinFX is an Object Oriented set of APIs that leverage the .Net Framework and expose that breadth of the Longhorn OS to developers. WinFX contains .Net Framework(FW) and is available in managed code. It builds on and extends the .Net FW

As the name may suggest, WinFX consists of 2 major parts:
1. WIN (Windows): Win32 APIs.
2. FX (Framework): speaks to .Net Framework

There are 4 Portions of WinFX
1. Presentation
2. Data
3. Communications
4. Fundamentals


In addition, WinFX offers functionality from other systems:
  • Avalon fucntionality is in the System.Windows namespace. This is the new presentation SubSystem for Longhorn.
  • ASP.Net and Indigo functionality are both in the System.Web namespace. Indigo is the new technology for web services.
  • WinFS functionality is in the System.Storage namespace. It contains relational aspects of the file system.
  • Yukon Functionality for database access is in System.Data.SQL Server namespace

Tuesday, August 29, 2006

Difference between XHTML and DHTML

Q: What is the difference between XHTML and DHTML?

A: XHTML is a more structured version of HTML, which
sits nicely with the XML structure. XML (eXtensible Markup Language) is used to identify the data contents (i.e. name, address, phone, etc.) XML can then be used with XSLT to render the contents in different ways. Couple XML with HTML and you have a XHTML.

DHTML (Dynamic Hypertext Markup Language) is a Microsoft derived term. It is a combination of HTML, CSS, and JavaScript. It all works via the DOM (Document Object
Model). This is a method of referencing objects within a document so that
you can manipulate them through JavaScript.

Monday, August 28, 2006

Manipulating Event Log

A few people have asked about error logging in .Net. Listed below is an article on logging errors and events to the system event log. In addition, another article is listed to help automate parsiong the event log file when needed.

Error and Event Logging in VB.NET
This article describes an approach to writing to a custom error log and to writing events into the system event log.VB.NET; Windows, .NET (.NET 2.0); Win32, VS (VS2005)

Parsing event log(*.evt) file
An article on parsing/opening event log files(*.evt) using C# 2.0; Windows (Win2K, WinXP, Win2003), .NET (.NET 2.0); Win32, VS (VS2005)

Friday, August 25, 2006

Recovering data from a crashed hard drive

Q: I have an external USB hard drive that is no longer showing up as an active volume. What can I do to recover the data from the drive?

A: There are several tools on the market to assist with recovering data from a crashed drive. Listed below are a few of these tools.

Thursday, August 24, 2006

Microsoft IE7 RC1

Microsoft is gearing up to ship Internet Explorer 7 (IE7) for Windows XP by offering a late beta release of the Web browser, known as Release Candidate 1. Expected to ship during the last quarter of this year, well ahead of Windows Vista, IE7 is the first real upgrade of the browser since the summer of 2004. And it is the first version of Internet Explorer in this decade to offer actual new features.

IE7 Release Candidate 1 (RC1) is available for download from Microsoft. For more information about Internet Explorer 7's new features, visit Microsoft's IE site.

To read the full story, go to http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002698&source=NLT_PM&nlid=8

To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 7 as a high-priority update via Automatic Updates for Windows XP and Windows Server 2003 soon after the final version of the browser is released (planned for fourth quarter 2006). Microsoft is making a non-expiring Blocker Toolkit available for those organizations that would like to block automatic delivery of Internet Explorer 7 to machines in environments where Automatic Updates is enabled.

For those not wanting to receive IE7 as a criticial update with Windows Update, Microsoft offers a utility that will block the automatic download. To download this utility go to the Microsoft Download Center.

Wednesday, August 23, 2006

Ajax Examples

I recently found a few helpful articles on CodeProject.com, discussing various ways of using Ajax.

Using Ajax.NET Pro in a SharePoint Web Part
The article describes how to configure Ajax.NET Pro with SharePoint so that it can be used in Web Parts.

Introduction to Anthem.NET
How to do AJAX without writing any JavaScript.

Magic AJAX: Applying AJAX to your existing Web Pages
How to apply AJAX technologies to your web pages without replacing ASP.NET controls and/or writing JavaScript code.

An Introduction to AJAX Techniques and Frameworks for ASP.NET
This article introduces AJAX to ASP.NET developers implementing an example web page in different ways using ASP.NET Atlas, ASP.NET callbacks, Ajax.Net, Anthem.Net and MagicAjax.Net.

Simple AJAX implementation for ASP.NET Web applications
The article describes a simple approach of implementing AJAX functionality in ASP.NET web applications.

Tuesday, August 22, 2006

Visual Studio .NET 2003 Service Pack 1

Microsoft recently released Service Pack 1 for Visual Studio 2003 containing many fixes to problems published on KB (Knowledge Base). For a complete list of all the bug fixes, go to http://support.microsoft.com/default.aspx?scid=kb;en-us;918007&sd=rss&spid=3040.

To download the service pack, go to http://www.microsoft.com/downloads/details.aspx?FamilyID=69d2219f-ce82-46a5-8aec-072bd4bb955e&DisplayLang=en

Monday, August 21, 2006

Microsoft Patches Contain Memory Bugs

Earlier this month, Microsoft released 12 patches for fixing 23 vulnerabilities. Of those 12 patches, MS06-040 and MS06-042 were discovered to have memory bugs causing programs to crash.

MS06-040 affects programs that use very large chunks of memory on some versions of Windows. According to Microsoft, programs such as Microsoft Navision 3.7, which require allocations of more than 1GB of memory, can crash after the update is installed.
Most Windows systems do not experience the bug, but Microsoft Windows Server 2003 and the 64-bit version of Windows XP Professional Edition are affected. Microsoft's hotfix for this problem can be downloaded from their site.

More troublesome has been the MS06-042 update for Internet Explorer, which has caused browser crashes while using Web-based applications such as PeopleSoft, Siebel and Unicenter. Microsoft issued a hotfix for this update earlier in the week and is promising to reissue the buggy update next Tuesday. For more information on this bug, please visit http://support.microsoft.com/kb/923762/

Tuesday, August 15, 2006

What is "Atlas"?

Q: What is "Atlas"?

A: "Atlas" is the code name for a set of ASP.Net technologies used to add Ajax (Asynchronous JavaScript And XML) support to ASP.NET. It consists of a client-side script framework, server controls, and more. In other words, Atlas is Microsoft's implementation of Ajax.

This new Web development technology from Microsoft integrates client script libraries with the ASP.NET 2.0 server-based development framework. In addition, "Atlas" offers you the same type of development platform for client-based Web pages that ASP.NET offers for server-based pages. And because "Atlas" is an extension of ASP.NET, it is fully integrated with server-based services. "Atlas" makes it possible to easily take advantage of AJAX techniques on the Web and enables you to create ASP.NET pages with a rich, responsive UI and server communication. However, "Atlas" isn’t just for ASP.NET. You can take advantage of the rich client framework to easily build client-centric Web applications that integrate with any backend data provider.
  • “Atlas” enables you to take full advantage of the capabilities of the browser to deliver richer web experiences that work on any modern browser.
  • “Atlas” enables ASP.NET developers to enrich their web applications with incredible ease.
  • “Atlas” includes a rich client-side Javascript framework that enables easy creation and reuse of script components and rich client-side behaviors.
  • “Atlas” makes it super easy to consume services from ASP.NET, and to build composite applications from services on the programmable web.
For more information, go to http://atlas.asp.net. To download the latest CTP (Community Technology Preview), go to http://www.microsoft.com/downloads/details.aspx?familyid=D746076A-3352-4407-B9D5-832BA4DFFC7B&displaylang=en