MikeShaw's WebLog

Developer Security and other stuff
No charge training for Developers on Windows XP SP2

Every developer should know about the latest features of the operating system they are targeting, especially the new security features and how they may impact existing and new applications. Training on the security features of Windows XP SP2 is close to my heart, so I was delighted to see the free Clinic titled "Developing and Maintaining Applications on Microsoft® Windows® XP Service Pack 2".

Here's the overview of this 6 hour self-paced course: This online clinic provides students with the knowledge and skills to understand the security enhancements included with Microsoft® Windows® XP Service Pack 2 (SP2) and how these features may affect applications that need to run on Windows XP SP2.

You can find Clinic 2853 at https://www.microsoftelearning.com/eLearning/offerDetail.aspx?offerId=11678


Visual Studio .NET and .NET Framework 1.0 need patching

Hopefully this is old news to everyone, but just in case it isn't...

The JPEG GDI+ buffer overrun vulnerability affects multiple software applications, each of which needs to be patched individually. Visual Studio .NET 2002 and 2003 as well as the .NET Framework 1.0 SP2 all need patching following the MS04-028 security bulletin. Here are the most common patches that a developer like you might have installed:

Microsoft Visual Studio .NET 2002 – Download the update (KB830348)

Microsoft Visual Studio .NET 2003 – Download the update (KB830348)

The Microsoft .NET Framework version 1.0 SDK Service Pack 2 – Download the update (KB867461)

Microsoft Platform SDK Redistributable: GDI+ - Download the update

Don’t forget that desktop applications like Office and Visio are affected too. Check out this link for a complete list of affected software; there may be more you’ve missed: http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

I shall write more on the topic of why the GDI+ DLL patching has been so tricky in the near future...

Until then... happy patching!

Time to get personally connected on MSDN UK

I have always been astounded by the sheer volume of content that is available on MSDN. Sadly, like security, the more of it there is, the harder it is to use! Search engines can be a great help in finding what you need, but not so good at finding updated or new information.


So, the MSDN team in Reading, UK, have come up with MSDN Connection. Lindsey Langedijk (she’ll probably kill me for mentioning her name in public ;-)) has done a great job in driving the creation of a personalised view of content, sliced and diced by the topics you select. But there’s more! It is now also possible to subscribe to an RSS feed of your selected content. Very cool and only the beginning. Sign up today and keep coming back to MSDN UK for more great innovations in the months to come…


http://www.microsoft.com/uk/msdn/preferences.aspx


Footnote:

Now, I know some of you may be a little put off because this service uses .NET Passport to allow you to save your preferences. .NET Passport really is only an authentication service, and your personal and private data is not shared or used for anything you don’t choose, so if you haven’t got a Passport, then please may I encourage you to take this opportunity to sign up. When you do sign up, always make sure that the box marked ‘let Microsoft use this email address’ (or words to that effect) is checked, because if you uncheck it, we will be obliged to remove you from any other mailing lists you may already be on at Microsoft, to comply with the UK’s Data Protection Act.

Posted: Sep 17 2004, 03:12 PM by mikeshaw | with 1 comment(s)
Is Linus Torvalds secretly working for Microsoft?
An interesting article about the cost of Windows vs the cost of certain Linux deployments: http://www.forbes.com/enterprisetech/2004/08/31/cz_dl_0831msft.html. Read and enjoy ;-)
Posted: Sep 02 2004, 06:21 PM by mikeshaw | with 3 comment(s)
Microsoft Technical Briefing on 4th October at Wembley Conference Centre, London.

There is only just over a month to go before I will be speaking at the Technical Summit at the Wembley Conference Centre, London. The day will begin with Rafal Lukawiecki, Director of Project Botticelli Ltd, talking about Threat Modelling for secure design, then I will have a session on Security tips for developers. After lunch Rafal is back to talk about the features of Windows XP SP2 that developers need to be aware of and how to take advantage of them. After that, practical lessons from the frontline with the Government Gateway will describe the experiences of deploying Secure Web Services in the real world. To finish the day, our very own Steve Ballmer will address the audience. Oh, I nearly forgot: throughout the day we will be trying a first for these sorts of events - chalk and talk sessions where a handful of attendees will be able to get a little more interactive on the topics under discussion. Oh, yeah, there is an ITPro (security infrastructure) track as well ;-)


To register, click here, but hurry – spaces are limited!

Microsoft Baseline Security Analyzer V1.2.1 ready for Windows XP SP2

There is now an updated version of the Microsoft Baseline Security Analyzer. MBSA is a tool that can be used to validate the configuration and patch status of computers on your network. It is a BASELINE tool, i.e. it gives you a place to start with your security configuration.


New improvements in MBSA V1.2.1 include:

• Support for Windows XP Service Pack 2 security enhancements

• Clear guidance for locating updates and necessary actions

• Prioritize results more easily by showing summary counts for each score


Localization:

• MBSA releases are available for German, Japanese, and French.

• The mssecure.xml file will be localized to these four languages and will be automatically downloaded and used by the tool when a German, Japanese, or French machine is scanned once they are available in the Microsoft Download Center.


Additional Product Support: MBSA can scan for security updates in the following products:

• Microsoft Office (local scans only; see list of products)

• Exchange Server 2003

• MDAC 2.5, 2.6, 2.7, and 2.8

• Microsoft Virtual Machine

• MSXML 2.5, 2.6, 3.0, and 4.0

• BizTalk Server 2000, 2002, and 2004

• Commerce Server 2000 and 2002

• Content Management Server 2001 and 2002

• Host Integration Server 2000, 2004, and SNA Server 4.0


Alternate File Version Support (allows multiple sets of file details to be checked in security updates scan)


Additional Configuration Checks:

• Internet Connection Firewall configuration check

• Automatic Updates configuration check

• Internet Explorer zone configuration checks (custom Internet Explorer zone interpretation, Internet Explorer Enhanced Security Configuration checks for Windows Server 2003)

• MBSA tool version check (for new MBSA releases)


Additional MBSA CLI Switches (-unicode, -nvc)


You can get more details and download from: http://www.microsoft.com/technet/security/tools/mbsahome.mspx

ASP.NET Architecture Internals

On the 5th July I delivered a webcast on ASP.NET Architecture internals as a follow-on to the UK MSDN Roadshow events we ran in the UK earlier in the year. You can find the link to the download of the webcast at http://www.microsoft.com/uk/resources/techroadshow/postevents/webcasts.mspx. The reason for blogging this now is that in the webcast I talk about the Server version of the .NET Framework Garbage Collector, and recently I came across this excellent blog entry by Junfeng Zhang that explains the Server GC configuration far better than I did: http://blogs.msdn.com/junfeng/archive/2004/07/13/181534.aspx. Enjoy!

Posted: Aug 25 2004, 07:04 PM by mikeshaw | with no comments
XML Firewall and more

On 27th July, I was invited to a meeting at the Microsoft Thames Valley Park Campus with Vic Morris, CEO, Mark O’Neill, CTO and Stephen Byrne, SE of Vordel.  I was impressed by what they had to say, not only in the capabilities of their existing products, but also in the maturity of their thoughts and planning behind it.  Far too few companies in the XML Web Services Firewall space have the same breadth of thought.


Vordel SOAPbox is a free download from Vordel that is a good tool for debugging Web Service security traffic. It lets you configure some HTTP header parameters as well as more advanced things such as configuring and sending SAML in a signed SOAP message over SSL. I thought it was quite cool for a free tool anyway. Find it at http://www.vordel.com/soapbox/index.html


VordelSecure is their XML Gateway or Firewall product and VordelDirector is their centralised Web Services product, offering federation and integration with identity management. They have some way to go to fully integrate with the whole Microsoft product suite (MOM, MIIS, ISA etc.), but they do manage to offer a set of sophisticated products with solutions to some of the complex security issues that arise when implementing a Service-Oriented Architecture.


I’m sure that I’ll come across Vordel quite a lot in the future, but I’d be interested to hear any feedback anyone has from using their products or from anyone actively working in the XML Firewall space in the UK.  I get a lot of questions about XML and Firewalls…

Released Service Pack 1 of Web Services Enhancements (WSE) 2.0 available for download

If you’re doing anything with secure web services using the .NET Framework, then you’ll want to get the latest version of WSE 2.0, available at http://www.microsoft.com/downloads/details.aspx?familyid=fc5f06c5-821f-41d3-a4fe-6c7b56423841&displaylang=en. This first Service Pack for WSE 2.0, at a little over 7MB, is miraculously 210k smaller than the original!


To quote the update notes on it: “This updated version of the Web Services Enhancements 2.0 contains fixes to scalability and functionality based on customer feedback, as well as important security additions.”


The best list of the changes (and other things about WSE 2.0) is from Hervey Wilson at http://www.dynamic-cast.com/mt-archives/000060.html

Oh what a week! Security Myth #3 delayed...

This has turned out to be one of those weeks I didn’t plan for and suddenly it’s the Friday before a week’s vacation and I haven’t managed to achieve even half the things I’d hoped, so sadly, Security Myth #3 “Cryptography is too hard” will have to wait another week before I can really give it the time to do it justice.


“Expect the unexpected” they tell you, or “plan for the unknown”. Hmmm, I’m neither psychic nor good at guessing games. If only I had known that Monday morning would see the demise of my hard disk. It had indicated a few warning signs – the mouse becoming jerky as the CPU got tied up waiting for disk IO to complete. So, ‘run chkdsk’ I thought, ‘that will fix this kind of problem’. Alas, on the reboot so the checker could lock the system partition, the disk made a tremendous ‘THUNK’ noise and that was it – dead disk.


I replaced the laptop disk with the one from my external USB storage device and started the rebuild, getting back as much backed up data as possible.  Fortunately for me, one of my colleagues, Alastair Dick, used to be an engineer at Dell and knows a thing or two about disks.  With his help, standing the old disk at an obscure angle and keeping it extra cool I was eventually able to recover much of my lost data – all proving to be a tedious activity.


Ha ha! I can hear the echoes on the internet – ‘why didn’t he just restore from his backup?’. Well, I have an 80Gig drive – 20Gigs for system and apps, the rest for data – lots of Virtual PC images for all the demos and things I do – how do you easily back up 60Gigs of data from your laptop?


One of those virtual images was critical to the demos I will be giving at an event in Reading on 11th August.  The session I’m responsible for at the event ‘What’s new in Visual Studio .NET 2005’ is on Visual Studio Team System.  An impossible task to do justice to the enormity of the product in only 75 minutes!


So sadly my week was not quite what I’d planned and please accept my apologies that Myth #3 will be postponed until I’m back from my vacation in sunnier climes…

Posted: Jul 30 2004, 10:24 AM by mikeshaw | with 8 comment(s)