From: Paul Baker [MVP, Windows Desktop Experience] on
Borland Delphi 7 does not mark its SOAP client code executable, therefore
it violates DEP :) Reports on the Internet suggest this was fixed in Delphi
2009, but I cannot find a record of it in Embarcadero QC.

"Remy Lebeau" <no.spam(a)no.spam.com> wrote in message
news:e%23ZzPwvjKHA.2160(a)TK2MSFTNGP02.phx.gbl...

> Dynamically allocating a thunk is not bad code. There are plenty of valid
> usages for it (Borland's VCL uses it for its window procedures, for
> instance). Allocating a memory block that is specifically intended
> for running executable code (has PAGE_EXECUTE_... flags applied to it) is
> not disallowed by either UAC or DEP. DEP prevents non-executable memory
> from running executable code. It does not
> block intentionally-executable memory.

--
Remy Lebeau (TeamB)
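
The DEP-compatible thunk allocation described in the quoted text, as an added example that is not code from this thread or from Delphi/VCL: the bytes are written while the page is writable, and the page is switched to PAGE_EXECUTE_READ before it is called. `make_thunk`, the thunk bytes and the POSIX branch (present so the block also builds off Windows) are assumptions for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE           /* exposes MAP_ANONYMOUS on strict glibc builds */
#endif
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

typedef int (*thunk_fn)(void);

/* Hypothetical helper: build a thunk that returns `value`, or NULL on failure. */
thunk_fn make_thunk(uint16_t value)
{
#if defined(__x86_64__) || defined(_M_X64) || defined(__i386__) || defined(_M_IX86)
    /* mov eax, imm32 ; ret */
    const uint8_t code[] = { 0xB8, (uint8_t)value, (uint8_t)(value >> 8), 0, 0, 0xC3 };
#elif defined(__aarch64__) || defined(_M_ARM64)
    /* movz w0, #imm16 ; ret */
    const uint32_t code[] = { 0x52800000u | ((uint32_t)value << 5), 0xD65F03C0u };
#else
#error "thunk bytes are only provided for x86 and AArch64"
#endif
    const size_t region = 4096;   /* one page is plenty for a thunk */
#ifdef _WIN32
    DWORD old;
    void *p = VirtualAlloc(NULL, region, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!p) return NULL;
    memcpy(p, code, sizeof code);            /* page is writable, not executable */
    if (!VirtualProtect(p, region, PAGE_EXECUTE_READ, &old)) {  /* executable, not writable */
        VirtualFree(p, 0, MEM_RELEASE);
        return NULL;
    }
    FlushInstructionCache(GetCurrentProcess(), p, sizeof code);
#else
    void *p = mmap(NULL, region, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, code, sizeof code);            /* page is writable, not executable */
    if (mprotect(p, region, PROT_READ | PROT_EXEC) != 0) {      /* executable, not writable */
        munmap(p, region);
        return NULL;
    }
    __builtin___clear_cache((char *)p, (char *)p + sizeof code);
#endif
    return (thunk_fn)p;
}
```

Calling the same bytes from a buffer that was never given an execute permission is what DEP stops; the page is never writable and executable at the same time here.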


From: Hector Santos on
Wilson, Phil wrote:

> The issue with installer programs is that you can't fix them. The only
> way a company can correct the fact that "Wonderful Software 2.0" (that
> you bought in 2005) won't install because of an elevation issue (in its
> setup.exe) is to ship you another install image or CD, and that's not
> realistically going to happen. The MS solutions to this include things
> like installer elevation, and compatibility settings so that, for
> example, "Wonderful Software 2.0" thinks it's installing on XP and not
> Vista.
>
> Security is never about just one thing that could be circumvented. The
> overall strategy is about defense in depth, and UAC, DEP, service
> session isolation, firewalls, encryption, secure DCOM, and so on are
> some of the pieces that help. It's also relevant that the recent Security
> Intelligence Report (SIR) shows that the vast majority of attacks are no
> longer directed at the OS or the browser, but at 3rd party apps, and
> that means that the good guys need to use these tools. I don't know what
> your app is, but I assume that the last thing any of us needs is a
> published security vulnerability.


In the past week, we got two reports:

1) Customer having trouble reinstalling from CD in his new Windows 7
machine. His version is OLD which had the old InstallShield 16
bit initial Setup.exe. I think it might still but I don't know
as we use INNO today. We told him to update or CALL MICROSOFT.

2) On Friday, today, a report of a customer updating to XP SP3 that
added two security patches. Once done, our RPC server could no
longer start. He had a 1 year old version of our server with
no expectation of failure related to any RPC issue. We told him
to CALL MICROSOFT! The customer decision was to FIRST revert
to a backed up version of XP before the update was done.

In fact, we put out a notice for ALL our customers to begin calling
MICROSOFT for any issue they see related to OS updates. We are not
going to swallow the cost on this and if this continues I am seriously
contemplating contacting the FCC for antitrust violations. This is
not a laughing matter. While no one here needs to know any of this,
MS's increasing behavior of breaking well established applications in
the name of solving their own security problems and possibly
using the opportunity to break WIN32 compatibility to force customers
to upgrade is unacceptable.

--
HLS
From: David Craig on
I wonder what the Federal Communications Commission has to do with antitrust
activities other than they claim exclusive rights over all the broadcast
spectrum.



From: Hector Santos on
Touche with the typo.

Bye.

David Craig wrote:

> I wonder what the Federal Communications Commission has to do with antitrust
> activities other than they claim exclusive rights over all the broadcast
> spectrum.

--
HLS
From: Alexander Grigoriev on

"Hector Santos" <sant9442(a)nospam.gmail.com> wrote in message
news:uYeN8TmlKHA.3128(a)TK2MSFTNGP02.phx.gbl...
>
> In fact, we put out a notice for ALL our customers to begin calling
> MICROSOFT for any issue they see related to OS updates. We are not going
> to swallow the cost on this and if this continues I am seriously
> contemplating contacting the FCC for antitrust violations. This is not a
> laughing matter. While no one here needs to know any of this, MS's
> increasing behavior of breaking well established applications in the name
> of solving their own security problems and possibly using the
> opportunity to break WIN32 compatibility to force customers to upgrade is
> unacceptable.
>
> --
> HLS

Microsoft goes to great lengths to avoid breaking applications, even buggy
ones. But it can't do that for all buggy apps. Programmers make all kinds of
wrong assumptions, that only hold true in the particular OS version. And
sometimes they have to break compatibility because of security concerns. I
suspect your RPC issue is because of that.

I remember the CEO of RealMedia testified at an antitrust hearing that MS
intentionally broke their software. In the end it was found that the issue
was in the app in question. Go figure.