Thursday, 10 November 2011

November 8th Patch Tuesday Report by ChangeBASE


Application Compatibility Update
By: Greg Lambert

Executive Summary
With this November Microsoft Patch Tuesday update, we see again a relatively small set of updates. In total there are 4 Microsoft Security Updates; 1 with the rating of Critical, 2 with the rating of Important, and 1 with the rating of Moderate. This is a small update from Microsoft and the potential impact for the updates is likely to be minor.

As part of the Patch Tuesday Security Update analysis performed by the ChangeBASE AOK team, we have seen little cause for potential compatibility issues.

Given the nature of the changes and updates included in each of these patches, most systems will require a reboot to successfully implement any and all of the patches and updates released in this November Patch Tuesday release cycle.

Sample Results

Here is a sample of the results for one application and a summary of the Patch Tuesday results for one of our AOK Sample databases:

MS10-028: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution.
 




And here is a sample AOK Summary report for a sample database where the AOK Patch Impact team has run the latest Microsoft Updates against a small application portfolio:
 




A RED issue is generally one that pertains to how the code or actual program works. We flag as Red those issues where a package tries to use objects or functions that have been deprecated from the OS or whose use has been restricted. In these cases there are no changes that a packager (or AOK Workbench) can make to the install routine to fix the problem. The problem needs to be dealt with at the program code level by the programmer that wrote it, or by providing a more up-to-date driver. However, it is reasonably straightforward for a programmer to make these changes once they have the information provided by AOK Workbench. For vendor MSIs an upgrade may be required.
An AMBER issue is one that pertains to the installation routine. A packager can change things in the installation routine and so can AOK Workbench. Anywhere an issue is found and a change can be made to the installation routine to get rid of it, we will flag it as Amber. AOK Workbench fixes almost all of the issues it flags as Amber. For the few issues that require a decision to be made, a packager can manually remediate these using the issue data provided by AOK Workbench.
Applications flagged as GREEN have no issues identified against them.

Testing Summary
 
MS11-083: Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
MS11-084: Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
MS11-085: Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)
MS11-086: Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)



Security Update Detailed Summary

*All results are based on a ChangeBASE Application Compatibility Lab’s test portfolio of over 1,000 applications.

MS11-083: Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system.
Payload: Tcpipreg.sys, Tcpip.sys
Impact: Critical - Remote Code Execution

MS11-084: Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a user opens a specially crafted TrueType font file as an e-mail attachment or navigates to a network share or WebDAV location containing a specially crafted TrueType font file. For an attack to be successful, a user must visit the untrusted remote file system location or WebDAV share containing the specially crafted TrueType font file, or open the file as an e-mail attachment. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an e-mail message or Instant Messenger message.
Payload: Win32k.sys
Impact: Moderate - Denial of Service

MS11-085: Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .eml or .wcinv file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Mail or Windows Meeting Space could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .eml or .wcinv file) from this location that is then loaded by a vulnerable application.
Payload: Wab32.dll, Wab32res.dll, Wabimp.dll
Impact: Important - Remote Code Execution

MS11-086: Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)
Description: This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow elevation of privilege if Active Directory is configured to use LDAP over SSL (LDAPS) and an attacker acquires a revoked certificate that is associated with a valid domain account and then uses that revoked certificate to authenticate to the Active Directory domain. By default, Active Directory is not configured to use LDAP over SSL.
Payload: Adamdsa.dll
Impact: Important - Elevation of Privilege

Tuesday, 8 November 2011

Application of the Month: Adobe Acrobat 5.05, Part 4

Here is the final section of the first Application of the Month assessment by Carl Bennett, Technical Specialist. In this section, Carl takes an in depth look at the Windows 7 compatibility issues that have been raised before offering some concluding comments on the overall behaviour of the application.


Windows 7

There is a vast array of checks and tests provided by AOK for Windows 7. This is the most commonly used set of tests in the AOK suite.


This application passes all but two categories of test. Let’s look in some detail at the results.

Legacy Help File Scan

This plugin looks for the old standard of WinHelp file. This file format is now very old, having first appeared in 16-bit Windows. Back then it was a novelty to have hyperlinks in text that would take you to other pages. You will no doubt have read about how they have been phased out due to security concerns with insecure macros and buffer overflow flaws. My personal opinion is that support for them has been removed because they appear very old-fashioned, with popups and other aspects that look dated now that we are all used to looking at web pages. When you run one on Windows 7 you receive a page that tells you that they are not supported any more rather than the contents that appeared on older versions of Windows. Most companies will run this report on all their software to assess the scale of the issue and, depending on how common it is, they will choose to embed the help engine into their operating system build from a download available from Microsoft.


Here we have just the one issue. As the name of the file is very similar to the names of the driver files, I expect that this is used by the context-sensitive help available from within the printer driver. The checkbox next to the issue shows that there is an automated solution available from AOK that will add the help engine into the package.  

Non Supported Drivers


Conclusion

When the Adobe Acrobat package was tested on the various platforms it was only on non-virtualised Windows XP and Windows 2003 that an extra printer appeared in the control panel and could be used for generating PDF files. This can entirely be blamed on the driver issues that AOK was reporting. All the other aspects of the software seemed to be working, although I am not an expert in using this software. If it turns out that the printer driver is one of the lesser-used aspects of the software, it would be a business decision rather than a technical decision as to whether the package is used or not.

AOK has analysed and shown us the parts of the software that are likely to fail in a wide variety of circumstances and has helped to guide us in the areas of concern to aid the testing cycle.  


Thanks for your interest in this Application of the Month assessment, and be sure to look out for the next one which will be coming soon!

Thursday, 3 November 2011

Application of the Month: Adobe Acrobat 5.05, Part 3

Following on from previous posts, here is the third section of the compatibility assessment of Adobe Acrobat 5.05 by Carl Bennett, Technical Specialist at ChangeBASE, now part of Quest Software.

Symantec Workspace Virtualisation and VMware ThinApp

AOK supports running tests for many different competing virtualisation technologies. Here I have included the tests for SWV and VMware ThinApp. Every virtualisation product has different characteristics, problems, compatibilities, incompatibilities and quirks that make it unique. They have evolved in different directions, specialising in different areas of focus, and each of our categories of tests reflects the different characteristics that are relevant for software testing.


For this package we have already met these issues when looking at Microsoft App-V.


Windows 64-bit

Running older applications on 64-bit Windows has its own set of challenges. As this is a relatively new platform, many of the applications that a company will want to run on it will never have been tested on it before by the original authors. Extra security has been added into the operating systems along with new processor architectures, and this will also affect the capabilities of applications running on it.


This application has only raised issues in two areas. One of them is the driver issues that we saw earlier.



16-bit File Analysis

The rules here are quite simple: 32-bit Windows supports 32-bit and 16-bit executables but not 64-bit. 64-bit Windows supports 64-bit and 32-bit executables but not 16-bit. In addition to these simple checks, we also look to see which files get called from other programs to see if they need to reference libraries of the wrong bit level.


This package includes one 16-bit file, which is not always as bad as it seems. We know that the file is not going to work but we don’t necessarily know if it is going to be used.  There are no other messages telling us that it is referenced by other files and one on its own would indicate that, if it is used, it is only a very minor part of the software. It may even be possible that, as the software has evolved and been developed, this file is a leftover from an earlier version in which it was important.  It is necessary to test the software following a script made by an expert user to be sure, but it may be possible that this is acceptable.
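The bitness rules above can be checked directly from file headers. The following is an added example, not AOK's own code: it tells 16-bit (NE), 32-bit (PE32) and 64-bit (PE32+) files apart and applies the support rules from the text, using constructed headers, hypothetical file names and a hand-written dependency map in place of real import parsing.

```python
import struct

# Which executable bitness each platform can run, as stated in the text above.
SUPPORTED = {
    "32-bit Windows": {"16-bit", "32-bit"},
    "64-bit Windows": {"32-bit", "64-bit"},
}

def classify_executable(data: bytes) -> str:
    """Return '16-bit', '32-bit', '64-bit' or 'unknown' from the file headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the new header
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":  # New Executable: 16-bit Windows
        return "16-bit"
    if sig == b"PE\0\0" and len(data) >= e_lfanew + 26:
        # Optional-header magic follows the 4-byte signature and 20-byte COFF header.
        (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
        return {0x10B: "32-bit", 0x20B: "64-bit"}.get(magic, "unknown")
    return "unknown"  # plain DOS programs are not distinguished here

def analyse(files: dict, references: dict, platform: str) -> list:
    """List (file, reason) findings for one target platform."""
    bits = {name: classify_executable(data) for name, data in files.items()}
    findings = []
    for name, kind in sorted(bits.items()):
        if kind != "unknown" and kind not in SUPPORTED[platform]:
            findings.append((name, f"{kind} file will not run on {platform}"))
    for caller, callees in sorted(references.items()):
        for callee in callees:
            a, b = bits.get(caller, "unknown"), bits.get(callee, "unknown")
            if "unknown" not in (a, b) and a != b:
                findings.append((caller, f"{a} file references {b} {callee}"))
    return findings

def make_header(sig: bytes, magic: int = 0) -> bytes:
    """Constructed sample: 64-byte MZ stub followed by the start of an NE or PE header."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + sig + bytes(24 - len(sig)) + struct.pack("<H", magic)

# Constructed file set; the names are hypothetical, not taken from the package.
SAMPLE_FILES = {
    "legacy16.dll": make_header(b"NE"),
    "app32.exe": make_header(b"PE\0\0", 0x10B),
    "helper64.dll": make_header(b"PE\0\0", 0x20B),
}
SAMPLE_REFERENCES = {"app32.exe": ["helper64.dll"]}  # constructed dependency map

if __name__ == "__main__":
    for platform in SUPPORTED:
        print(platform, analyse(SAMPLE_FILES, SAMPLE_REFERENCES, platform))
```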



Non Supported Drivers (Server and 64-bit OS)

The restrictions on Windows Server and 64-bit Windows are considerably tighter than those imposed on other operating systems. Incorrectly functioning drivers are the most common cause of crashes and other failures. The exact details, as ever, are explained in the green popup box shown below, which appears when you click on the more info button in AOK.

We have already met many of these driver files before when looking at Microsoft App-V; based on the descriptions above you should now be in a position to understand why this list is longer than the one for this virtual platform.


Part 4 will be up next week or view the full assessment here! 

For more information please visit the ChangeBASE website.

Wednesday, 2 November 2011

Tools for migrating XP applications to Windows 7 - Computer Weekly looks at the ChangeBASE Technology

Computer Weekly's Technology Editor Cliff Saran has been very interested in application compatibility recently.
His latest article looks in particular at migrating from Windows XP to Windows 7, and uses the example of how Dutch transport provider RET has used the ChangeBASE solution to accelerate their migration:

---

The IT team at Holland train operator RET has been using ChangeBase's Aok to support its Windows 7 migration, as part of an office move. RET's IT team supports more than 1,300 PCs and laptops with in excess of 200 applications.

Martin Spijkers, technical system development co-ordinator, said the company currently uses Windows XP, but while it is not experiencing any problems with the OS, a hardware refresh and OS migration was necessary to get the most out of the move. Twelve people worked on the Windows 7 migration, three of whom were dedicated to the repackaging and migration of the 200+ applications. "We had five months in which to complete the project. The driving reason to migrate was the outdated hardware; it is easier to place new hardware with the latest software OS in a new building than move with old ones," he said.

By using Aok, making applications Windows 7-compliant will now take a lot less time, said Spijkers. "We can focus on the real compatibility problems that Aok tells us there are and more importantly, where they are. This is particularly important given RET only has two people working to make more than 200 applications Windows 7 compatible."
"Aok will reduce our packaging time by a third on average. Historically, most of our time was spent on resolving conflicts and searching for compatibility issues. With the Fix-It button [in Aok], minor issues are solved for you - we don't waste time any more," he said.

---

To read the full article at Computer Weekly, as well as Cliff Saran's other articles on application compatibility, click here.

Virtual Platform of the Week – Citrix XenApp

For this Virtual Platform of the Week post, Ben Cook, Senior Technical Consultant, is checking out how our chosen apps will behave on virtualised infrastructures using Citrix technologies. Using Virtualise-It, Ben has tested the applications for compatibility with Citrix XenApp in order to highlight some of the issues that organisations may encounter when virtualising their application estate. Moreover, by testing for both Citrix XenApp hosted and Citrix XenApp streamed, this week's report emphasises the difference between technologies, even from the same vendor, and the importance of recognising the impact that this may have on an application estate.


ChangeBASE AOK 4.1

No compatibility issues were detected with either XenApp hosted or streamed, so this application was safe to proceed directly to UAT. As predicted, the application is fully functional.


FileZilla 3.5.1

This application also passed the test without flagging up any compatibility issues and, as expected, this application worked on Citrix XenApp without a hitch.


Google Chrome 14

AOK revealed that this application will behave differently on Citrix XenApp hosted compared to XenApp streamed, highlighting the importance of checking applications for the specific new environment and the potential risks of assuming compatibility.

With regards to Citrix XenApp hosted, this application contains a reference to an executable in the HKLM registry hive which resides in the user profile. This machine-level registry value will be accessible by all Citrix users, but the executable will only be accessible by the user who installed Google Chrome. This could cause issues and was therefore flagged as Amber.

As far as XenApp streamed is concerned, more major issues were found. Google Chrome places an entry in the “Run” area in the registry and, as this isn’t supported in XenApp streamed, this may cause the application to fail. For this reason, a Red report was raised.
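The two registry conditions described above can be checked against a .reg export of a package. This is an added example, not AOK's rule set: the profile-path pattern is a heuristic, and the key names and paths in the sample export are constructed rather than Chrome's real entries.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]$")
VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')
# Heuristic: data naming an .exe below a per-user profile directory.
USER_PROFILE_EXE = re.compile(
    r"(%(USERPROFILE|APPDATA|LOCALAPPDATA)%|[A-Z]:\\(Users|Documents and Settings)\\[^\\]+)"
    r"\\.*\.exe", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg strings escape \ and " with a backslash

def parse_reg(text):
    """Yield (key, value_name, data) for the string values in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        value = VALUE.match(line)
        if value and key:
            yield key, _unescape(value.group(1) or "@"), _unescape(value.group(2))

def assess(reg_text, platform):
    """Return (rating, key, value_name) findings for 'hosted' or 'streamed'."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        machine_level = key.upper().startswith("HKEY_LOCAL_MACHINE\\")
        if platform == "hosted" and machine_level and USER_PROFILE_EXE.search(data):
            # Every user sees the HKLM value, but only one profile holds the file.
            findings.append(("Amber", key, name))
        if platform == "streamed" and RUN_KEY.search(key):
            # "Run" entries are not supported in XenApp streamed.
            findings.append(("Red", key, name))
    return findings

# Constructed export; key names and paths are hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Browser]
"InstallPath"="C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\Example\\browser.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdate"="\"C:\\Program Files\\Example\\update.exe\" /c"
'''

if __name__ == "__main__":
    for platform in ("hosted", "streamed"):
        print(platform, assess(SAMPLE_REG, platform))
```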


Lightroom 3.3 (x64)

AOK found that this package contains 64-bit files - exactly as you’d expect! As XenApp streaming doesn’t support 64-bit, this application was flagged as Red.


AOK has emphasised in this week's tests that all virtualisation technologies are not the same - even those from the same vendor - and that this can have a considerable effect on the overall compatibility of an application estate. Finding a platform that is suited to your environment therefore becomes all the more important.

For more information on how Quest's ChangeBASE solution set can make such an assessment, and ultimately get your applications working on virtual platforms quicker, please visit the Virtualise-It product page.

Tuesday, 1 November 2011

Join Point to Point, Citrix, ChangeBASE and RES Software for an exclusive Synergy update and desktop transformation seminar

The desktop is transforming...be part of the change.

Join Point to Point, Citrix, ChangeBASE (now part of Quest Software) and RES Software for an exclusive half day Synergy update and desktop transformation seminar at Citrix HQ, Chalfont, Buckinghamshire, on Thursday 17th November 2011, 9am - 1pm.

Following on from announcements at Synergy Barcelona, guests will gain an exclusive insight into Citrix's plans for 2012 along with the latest product and technology information. In addition, ChangeBASE and RES will discuss how they support and extend the Citrix desktop transformation approach and can simplify both the process of making this transition as well as the operational impact of adoption.

By attending this half day event on the morning of Thursday 17th November at Chalfont, your organisation will gain insight into: 

  • The latest developments from Fort Lauderdale and Citrix's plans for 2012.
  • How Quest's ChangeBASE solution set can speed up application and OS deployments, improve the quality and consistency of application packages and maintain the compatibility and integrity of application estates.
  • How RES Software and Automation Manager can increase efficiency and cut the time wasted on manual tasks which may hinder IT departments.

We hope to see you and your colleagues at the event. Click here to register your attendance.