My colleague Feliciano has just made me aware of an extraordinary security bulletin we have just released for a new vulnerability discovered in ATL libraries which could allow remote code execution; here are the information I am aware of so far: Microsoft Security Advisory (973882) English Rilascio straordinario di sicurezza Microsoft del 28 luglio 2009: prime indicazioni e raccomandazioni (Feliciano’s post, if you can read Italian) The updates to install: MS09-034 MS09-035 (for developers, update for Visual Studio) Carlo Quote of the day: Those who dream by day are cognizant of many things which escape those who dream only by night. – Edgar Allan Poe
-
-
SharePoint and Office Live? Access forbidden!
I recently came across an odd problem the customer got on his SharePoint server: when the clients had the Office Live add-on installed they were constantly refused with a 403 error. The problem is well described here. If you have this problem, there is a fix for you: 970946. If you do not want to install the fix, you might consider to filter the UserAgent string you receive on the server (well, you should filter it before the web request is processed on the server) as one of my customers is testing: if the UserAgent string contains the word “Mozilla” and “Office”* or “non-browser” or “FrontPage”*, just remove the unwanted token. Carlo Quote of the day: All things are difficult before they are easy. – Thomas Fuller
-
Need a hotfix… then “Fix it!”
Things keep moving and after some discussion (here and here I already expressed my view on the matter), the first KB article with a “Fix it” button to directly download the relevant hotfix has gone live a couple of days ago, check it out: http://support.microsoft.com/kb/945402/en-us. Carlo Quote of the day: Committee–a group of men who individually can do nothing but as a group decide that nothing can be done. – Fred Allen
-
Visual Studio 2008 SP1 and .NET 3.5 SP1 available for download
Microsoft Visual Studio 2008 Service Pack 1 (exe) This download installs Visual Studio 2008 Service Pack 1 (SP1) and the .NET Framework 3.5 SP1. SP1 addresses issues that were found through a combination of customer and partner feedback, as well as internal testing. These service packs offer Visual Studio and .NET Framework users improvements in responsiveness, stability and performance. Click here for more information regarding about these service packs. Microsoft .NET Framework 3.5 Service Pack 1 .NET Framework version 3.5 Service Pack 1 provides the following new features and improvements: ASP.NET Dynamic Data, which provides a rich scaffolding framework that enables rapid data driven development without writing code, and a new addition to ASP.NET AJAX that provides support for managing browser history (back button support). For more information, see What’s New in ASP.NET and Web Development. Core improvements to the CLR (common language runtime) that include better layout of .NET Framework native images, opting out of strong-name verification for fully trusted assemblies, improved application startup performance, better generated code that improves end-to-end application execution time, and opting managed code to run in ASLR (Address Space Layout Randomization) mode if supported by the operating system. Additionally, managed applications that are opened…
-
WMI warnings 35 and 40 with ASP.NET
Over the past couple of weeks I got to almost identical cases where the customer had the event log on their servers “spammed” by the following messages: Event Type: Warning Event Source: WinMgmt Event Category: None Event ID: 40 Date: <date> Time: <time> User: N/A Computer: <computername> Description: WMI ADAP was unable to create the object Win32_PerfRawData_ASPNET_2050727_ASPNETAppsv2050727 for Performance Library ASP.NET_2.0.50727 because error 0x80041001 was returned Event Type: Warning Event Source: WinMgmt Event Category: None Event ID: 35 Date: <date> Time: <time> User: N/A Computer: <computername> Description: WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0 Article How to troubleshoot WinMgmt-based performance counter errors does not help in this case (we do not have Event ID 37, 41 or 61). The fix for this problem was scheduled to be added in .NET 3.5 SP1 (as also explained in this post) then we decided to ship a standalone hotfix too: the KB article is not yet available but you can request the fix (which by the way resolved both my cases) to CSS as usual, asking for 951683. Carlo Quote of the day: Always do right. This will gratify some people and…
-
Again on public hotfix download
I already touched the subject in a couple of previous posts and replying to direct comments and question I got, and to confirm that we’re doing something (hopefully in the right way ?) on this matter I want to highlight this news from Jeff: Migrating hotfixes to MSDN Code Gallery. The essence is that Visual Studio, .NET and other technologies hotfixes can be downloaded directly from http://code.msdn.microsoft.com/Project/ProjectDirectory.aspx?ProjectSearchText=hotfix and start a discussion with other people on the matter, hope you’ll find this useful (and keep the feedback coming of course). Carlo Quote of the day: The reason lightning doesn’t strike twice in the same place is that the same place isn’t there the second time. – Willie Tyler
-
The public/private hotfix debate
Every now and then the question comes back in the limelight: “Why some hotfixes are publicly available to download, but most of the times I have to call CSS to get one?” and “Wouldn’t be easier if we could just download the fix ourselves? At least we would save time, since we’ll get it anyway from CSS” and again “Who decides if a fix has to be public or private? How?” etc…, feel free to add more if you have (and I’m sure some of you do! 😉). I discussed this topic internally with my colleagues (both Support Engineers and Escalation Engineers) in CSS EMEA and of course there are some different views on it, but there is also a common understanding about some of the principles behind the policy Microsoft adopted. Those “private” fixes do not undergo the same amount of tests that Service Packs or “public” fixes have to pass, and this is the main reason (basically: costs); one of the parameters the Product Team(s) takes into account when producing a fix is the business impact that issue is having (or potentially will have) on customer’s applications, but also the risk of introducing regression bugs, the amount of code to…
-
Session_OnEnd not firing after applying Windows 2003 Service Pack 2
We very recently discovered a bug in classic ASP (asp.dll) you get installing the Service Pack 2 for Windows 2003; removing the SP2 makes it work again as expected, so this is a regression bug introduced by the service pack itself. Basically with SP2 installed, the Session_OnEnd() method in classic ASP is not fired anymore, thus breaking all applications which rely on that event to run cleanup code. We already have some reports from customers, either directly to CSS or in Newsgroups. I know my colleagues are already well on this, a private fix has been produced and is being tested internally (as far as I know it works) and we are writing a KB article to document this. The process is still ongoing so I don’t have (and can’t give you) further details on this, but I guess it’s a matter of days before this will be publicly available; of course I’ll update this post when we’ll have the KB available. Update (03/04/2007)The KB article is still a draft and not public yet (should be released soon, anyway) but the fix is ready; you can get it calling CSS and ask for the hotfix #934903. Update (17/04/2007)The KB article has been published: http://support.microsoft.com/default.aspx?scid=kb;EN-US;934903 …