Wednesday, October 11, 2006

New Content Management Functionality in Microsoft Office 2007

Microsoft recently announced that EMC Corp's Documentum will offer better integration with Microsoft Office 2007, especially with SharePoint 2007. The Documentum product will offer its content management functionality without requiring an upgrade.

There are two main new offerings from Microsoft:
  1. Content Services for SharePoint, which provides access to the Documentum repository within SharePoint so users can check documents in and out and manage metadata and virtual documents.
  2. Archive Services for SharePoint, which can either manually or automatically move content into SharePoint.
To read more about this, click here.

Friday, October 6, 2006

Microsoft due to release 11 security updates on October 10, 2006

On Tuesday, October 10, 2006, Microsoft will release 11 security updates. Six patches affect Windows, 4 affect Office, and 1 affects the .Net Framework. A brief summary of these patches is listed below.

6 Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. Some of these updates will require a restart.

4 Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

1 Microsoft Security Bulletin affecting Microsoft .NET Framework. The highest Maximum Severity rating for this is Moderate. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. These updates may require a restart.

Microsoft Windows Malicious Software Removal Tool

In addition, Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. This tool will NOT be distributed using Software Update Services (SUS).


Non-security High Priority updates on MU, WU, WSUS and SUS

Microsoft will release no NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).

Microsoft will release two NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.

To help answer questions on these patches, Microsoft will be hosting a web cast on Wednesday, October 11, 2006, the day after the patch release. To sign up for this web cast, click here. For more information on these patches, go to the Microsoft TechNet site.


Monday, October 2, 2006

Take a look at http://blogs.msdn.com/somasegar/archive/2006/09/26/772250.aspx and you'll notice an item buried in this announcement for Visual Studio SP1 Beta.

Development compatibility and support on Vista:
VS 2005 SP1 supported;
VS 2005 NOT supported;
VS 2003/2002 NOT supported;
VB6 supported!

Interesting! Thanks to Mark H. for passing this interesting tidbit along.

Tuesday, September 26, 2006

*** Great Lakes Geek Freebie Software - Today Only ***

Download NTI Ninja software free on 9/26

NewTech Infosystems (NTI) is making their new Ninja software - a USB data storage and protection software solution - available free. Unlike most fixed partition USB software, NTI Ninja allows users to adjust the size of their public and private partitions on their portable storage device. In addition, the software provides users with complete storage area anti-tamper encryption and password protection.

The new software was developed to meet the dramatic increase in today's mobile workforce, the increased use of USB storage devices and the need to protect content and data from being stolen or compromised on the small, portable devices.

Get it on the 26th for free or pay $24.95 after that. The link is at http://www.greatlakesgeek.com

*** More Freebies ***
While you are in the mood for free stuff, check out the Free Book on Security Engineering. Ross Anderson is a professor of security engineering at the University of Cambridge Computer Laboratory and an acknowledged expert in the field. His book, Security Engineering, is now available online for free download (chapter by chapter) even though it's still for sale http://www.greatlakesgeek.com/glg/tips.htm And you can win a free copy of O'Reilly's Podcasting Hacks - Tips & Tools for Blogging Out Loud.

Check the news at http://www.greatlakesgeek.com
Thanks to Great Lakes Geek sponsors Aztek Technology, BEST Group Management Consultants, Boundless Flight, Hahn Loeser and O’Reilly Publishing. They get it. Do you? Want to join them and reach lots of business and tech professionals? Drop us a line.

Wednesday, September 20, 2006

FAQ about the latest IE bug

Listed below are a set of FAQ questions surrounding the new IE bug.

What's the problem? A vulnerability newly discovered in Microsoft Internet Explorer could allow an attacker to take over a targeted machine -- even a machine whose patches are all up to date.

What's it called? The Common Vulnerabilities and Exposures list tentatively designates this vulnerability as CVE-2006-4868. McAfee calls it Exploit-VMLFill; Trend Micro calls it EXPL_EXECOD.A; Symantec calls it Trojan.Vimalov, reflecting its probable Russian origin. SecurityFocus assigns it a Bugtraq ID of 20096.

Which programs and versions are affected? Internet Security Systems reports that the flaw affects all versions of IE that include support for VML, which means Versions 5 and 6, though tests so far have generally looked at Version 6. There have been no reports of the attack working on IE 7. Recent versions of Outlook and Outlook Express are also vulnerable, as are all versions and service packs for Windows 2000 and XP. (On Windows 2003, IE runs by default in a restricted mode, in which certain binary and script behaviors are disabled; if those settings have been changed the system may be vulnerable.)

Are Mac, Linux or Unix systems vulnerable? What about Firefox? No, no, no and no. (Something Firefox aficionados are trumpeting loudly over in the SunbeltBlog comments. That's not winning many popularity contests.)

How is the vulnerability exploited? So far, the exploit has been found in the wild on a handful of Russian sites, mostly porn-related. Propagation is via the usual routes, particularly e-mail, though IM or any service by which an HTML link can be sent will do. Users must click on an HTML link to load the affected document. Outlook or Outlook Express users who automatically open HTML messages are also at risk.

What's the sequence of events? Security veterans won't be surprised to learn that we have yet another buffer-overflow attack here. The buffer is deluged and overflows, pushing JavaScript shell code into adjacent buffers for execution. The code downloads a piece of malware and saves it to the hard drive as CPU.exe, after which Internet Explorer generally shuts down.

What's the payload? Depends, but the vulnerability can allow attackers to take complete control of the machine so the potential for mayhem is high. Most attacks so far are recruiting PCs into botnets, presumably to be used for other attacks or malware propagation at a later date. They're also depositing a stunning amount of adware on victimized machines, as Sunbelt researcher Adam Thomas described in a blog posting. The potential for trouble, rather than the current infection rate, is why organizations such as Secunia are concerned at the moment.

When can I expect an official patch? Microsoft, in a security advisory released yesterday, says it's working on a patch that's in the final stages of compatibility testing. The company expects to release it on October's Patch Tuesday, scheduled for Oct. 10.

That long?! So far, it doesn't appear that we've got another Windows Metafile zero-day mess on our hands, not least because the vulnerability was apparently obscure for quite some time. (More on the discovery process below.) If things heat up, Microsoft says it'll work to release the patch earlier.

Is that likely? Chris Mosby's blog says that Web Attacker, the notorious tool kit for Trojans, has been updated to include support for exploiting the vulnerability. Not a good sign.

What can I do in the meantime? Simply put: Turn off JavaScript execution, since the code inserted in the buffer overflow is JavaScript. More fully, Microsoft and independent experts are recommending that admins (and users with admin privileges) temporarily unregister vgx.dll, the affected library, with the following command:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
After the DLL is unregistered, reboot the computer. Once a patch is available, the DLL may be reregistered at your convenience. Security expert Jesper Johansson has posted some useful templates, using Group Policy, for fast fix deployment in Windows domains.
Microsoft says that Windows Live OneCare users who currently have green status are protected from all known malware, and it recommends that all users check that their antivirus protections are up to date. Antivirus software that includes protection against buffer overflows appears to protect against the exploit.
If vgx.dll is crucial to your users, the Access Control List for the DLL may be modified to forbid access to the "everyone" group.
Microsoft suggests those using IE 6 for XP Service Pack 2 can protect themselves by disabling binary and script behaviors in the Internet and Local Internet security zones. Those settings are reached through Tools --> Internet Options --> Security --> (zone) --> ActiveX controls and plug-ins for both zones.
(Several observers have noted that Microsoft is clearly taking the problem seriously, as it's rare for the company to recommend disabling functionality in its products, even temporarily!)
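
An added example, not part of the original FAQ or of Microsoft's advisory: a PowerShell audit that reports whether the unregister and ACL workarounds described above are in effect on the local machine. The function names, and the approach of scanning InprocServer32 registrations for vgx.dll, are assumptions made for this example.

```powershell
# Added example: report whether the vgx.dll workarounds are in effect locally.
# Function names are hypothetical; run from an elevated prompt.

function Get-VgxPath {
    # vgx.dll lives under Common Files; 64-bit Windows also has an x86 copy.
    $roots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        $path = Join-Path $root 'Microsoft Shared\VGX\vgx.dll'
        if (Test-Path $path) { $path }
    }
}

function Get-VgxComRegistration {
    # Assumption: after "regsvr32 -u" no COM class should still name vgx.dll
    # as its in-process server, so any match means the DLL is registered.
    $roots = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
             'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID'
    foreach ($root in ($roots | Where-Object { Test-Path $_ })) {
        foreach ($clsid in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            $key = "$($clsid.PSPath)\InprocServer32"
            $server = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
            if ($server -match '\\vgx\.dll"?\s*$') {
                New-Object PSObject -Property @{
                    Clsid = $clsid.PSChildName; Server = $server }
            }
        }
    }
}

function Test-VgxDenyEveryone([string]$Path) {
    # True when the file's ACL carries a Deny entry for Everyone (SID S-1-1-0).
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    [bool]($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'S-1-1-0' })
}

foreach ($path in Get-VgxPath) {
    # A Deny-all entry can also stop a non-owner from reading the ACL itself.
    $deny = try { Test-VgxDenyEveryone $path } catch { 'unreadable (access denied)' }
    "{0}: Deny for Everyone = {1}" -f $path, $deny
}
$registered = @(Get-VgxComRegistration)
if ($registered.Count -eq 0) {
    'vgx.dll is not registered as a COM server.'
} else {
    $registered | ForEach-Object { "Still registered: $($_.Clsid) -> $($_.Server)" }
}
```

Running the same audit again after the patch is installed and the DLL is reregistered confirms that VML support has been restored.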

What does vgx.dll do? Practically speaking, not much. It's a dynamic link library supporting VML, the hypertext markup language that handles the display of vector graphics. The VML proposal has been around since 1998, but it's not very widely used online. It's unlikely that most users will even know it's (temporarily) not supported by their IE browser.

Hasn't vgx.dll been involved in security advisories before? Good memory. It was indeed one of the buffers affected in certain versions of Windows when the 2004 .jpeg processing buffer-overflow problem covered in MS04-028 was spotted.

Who found the flaw? Funny you should ask. Sunbelt first noticed the exploit in the wild around noon on Monday and posted the code to a private mailing list of security professionals, who began the vetting process. According to Alex Eckelberry at Sunbelt, this was the first the security professionals on their (closed, vetted) list had heard of the vulnerability. However, Eckelberry found out later in the day that ISS has apparently been aware of the exploit for some time and has been working with Microsoft on a fix. That organization issued an advisory on Tuesday.

The full article can be found here.

Tuesday, September 19, 2006

Does MOSS 2007 support folders?

Q: I was wondering if document libraries in SharePoint 2007 support folders within them. Does MOSS 2007 support folders?

A: Yes, MOSS (Microsoft Office SharePoint Server) does support folders within a document library (see screen caption below). To create a folder, simply click "New" and select "New Folder".

Monday, September 18, 2006

ODC vs. BDC

As discussed during our last meeting, SharePoint 2007 has many new features. And as with any new feature, some confusion is bound to be included. Two of those new features are ODC and BDC. To help clear some of the confusion around these 2 items, here's a brief explanation of the two.

ODC (Office Data Connection) is used to connect Excel Services to a specific database, without making the user remember userID, password, DB Name, server name, etc. Instead, all these items are stored in an XML format file with the extension name .ODC. The .ODC file can be created by using the Excel client to create the file, then uploading the file to a Data Connection Library. Once uploaded, a user simply refers to the ODC file, where all connection string parameters are stored. The data connection can then be used by various Excel Web Parts to display the data and KPIs. To read more about the ODC, go to http://blogs.msdn.com/excel/archive/2006/02/16/533865.aspx

BDC (Business Data Catalog) is another method used to connect to a database. The BDC file is also in XML format. The key difference is that a BDC file also holds the query statement so it connects and retrieves the data. Once the data is retrieved, the BDC can be connected to 1 of 5 BDC web parts. To read more about the BDC, go to http://msdn2.microsoft.com/en-us/library/ms563661.aspx

Thursday, September 7, 2006

Spreadsheet Web Part Add-In for Microsoft Office Excel 2003

During our last meeting we discussed SharePoint 2007 and how Excel Services is one of its big features. I recently found a web part that enables the use of Excel 2003 with Windows SharePoint Services.

The Spreadsheet Web Part Add-In for Microsoft® Office Excel 2003 makes it easy to design your own Spreadsheet Web Parts and save them to a site based on Microsoft Windows® SharePoint™ Services.

For more information or to download the Excel web part, click here.

Wednesday, September 6, 2006

What is WinFX?

Q: What is WinFX?

A: WinFX is an object-oriented set of APIs that leverage the .Net Framework and expose the breadth of the Longhorn OS to developers. WinFX contains the .Net Framework (FW) and is available in managed code. It builds on and extends the .Net FW.

As the name may suggest, WinFX consists of 2 major parts:
1. WIN (Windows): Win32 APIs.
2. FX (Framework): speaks to .Net Framework

There are 4 Portions of WinFX
1. Presentation
2. Data
3. Communications
4. Fundamentals


In addition, WinFX offers functionality from other systems:
  • Avalon functionality is in the System.Windows namespace. This is the new presentation subsystem for Longhorn.
  • ASP.Net and Indigo functionality are both in the System.Web namespace. Indigo is the new technology for web services.
  • WinFS functionality is in the System.Storage namespace. It contains relational aspects of the file system.
  • Yukon Functionality for database access is in System.Data.SQL Server namespace

Tuesday, August 29, 2006

Difference between XHTML and DHTML

Q: What is the difference between XHTML and DHTML?

A: XHTML is a more structured version of HTML, which sits nicely with the XML structure. XML (eXtensible Markup Language) is used to identify the data contents (i.e. name, address, phone, etc.). XML can then be used with XSLT to render the contents in different ways. Couple XML with HTML and you have XHTML.

DHTML (Dynamic Hypertext Markup Language) is a Microsoft derived term. It is a combination of HTML, CSS, and JavaScript. It all works via the DOM (Document Object Model). This is a method of referencing objects within a document so that you can manipulate them through JavaScript.

Monday, August 28, 2006

Manipulating Event Log

A few people have asked about error logging in .Net. Listed below is an article on logging errors and events to the system event log. In addition, another article is listed to help automate parsing the event log file when needed.

Error and Event Logging in VB.NET
This article describes an approach to writing to a custom error log and to writing events into the system event log. VB.NET; Windows, .NET (.NET 2.0); Win32, VS (VS2005)

Parsing event log(*.evt) file
An article on parsing/opening event log files(*.evt) using C# 2.0; Windows (Win2K, WinXP, Win2003), .NET (.NET 2.0); Win32, VS (VS2005)

Friday, August 25, 2006

Recovering data from a crashed hard drive

Q: I have an external USB hard drive that is no longer showing up as an active volume. What can I do to recover the data from the drive?

A: There are several tools on the market to assist with recovering data from a crashed drive. Listed below are a few of these tools.

Thursday, August 24, 2006

Microsoft IE7 RC1

Microsoft is gearing up to ship Internet Explorer 7 (IE7) for Windows XP by offering a late beta release of the Web browser, known as Release Candidate 1. Expected to ship during the last quarter of this year, well ahead of Windows Vista, IE7 is the first real upgrade of the browser since the summer of 2004. And it is the first version of Internet Explorer in this decade to offer actual new features.

IE7 Release Candidate 1 (RC1) is available for download from Microsoft. For more information about Internet Explorer 7's new features, visit Microsoft's IE site.

To read the full story, go to http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002698&source=NLT_PM&nlid=8

To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 7 as a high-priority update via Automatic Updates for Windows XP and Windows Server 2003 soon after the final version of the browser is released (planned for fourth quarter 2006). Microsoft is making a non-expiring Blocker Toolkit available for those organizations that would like to block automatic delivery of Internet Explorer 7 to machines in environments where Automatic Updates is enabled.

For those not wanting to receive IE7 as a critical update with Windows Update, Microsoft offers a utility that will block the automatic download. To download this utility, go to the Microsoft Download Center.