Everything posted by AWS

  1. Bulletin Severity Rating: Important - This security update resolves two publicly disclosed vulnerabilities in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, Microsoft Internet Information Services (IIS) 5.1, Microsoft Internet Information Services (IIS) 6.0, and Microsoft Internet Information Services (IIS) 7.0. On IIS 7.0, only FTP Service 6.0 is affected. The vulnerabilities could allow remote code execution (RCE) on systems running FTP Service on IIS 5.0, or denial of service (DoS) on systems running FTP Service on IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0. View the full article
  2. Windows 7 Can Learn From Vista (PC World): As Mary-Jo Foley says in a ZDNet blog post, Ballmer told Bloomberg that "The test feedback (on Windows 7) has been good, but the test feedback on Vista was ...
       • I upgraded to Microsoft Windows 7 and survived (TechRepublic)
       • Poll: When will you switch to Windows 7? (Hot Air (blog))
       • Windows 7: A huge improvement over Vista (San Diego Daily Transcript (subscription))
       • Computerworld New Zealand
  3. The AVG Security Toolbar team has recently released a new version of their toolbar. It has a more predictable user experience and does a better job of allowing users to stay in control of their browser. It’s a great example of the Guidelines for add-on developers in action. It’s encouraging to see the example set by the AVG Security Toolbar team. They’re building valuable add-ons for people and at the same time they’re respecting user choice. Here are some high level examples of the changes they’ve made in the new version of their toolbar:
       • It no longer takes over the search provider. Instead it uses the proper IE8 set default provider API so that users can choose their default.
       • The close button is visible so that users can manage it like other toolbars. Additionally, the toolbar is positioned in a supported location which improves stability and performance.
       • It no longer modifies the new tab page to maintain a predictable new tab experience for users.
     Kudos goes out to the AVG Security Toolbar team. On behalf of our shared customers, thanks. Following the Guidelines and using supported extensibility points in this way means that people have a consistent and reliable experience that allows them to stay in control of their browser. This is exactly what we’d like to see from all add-on developers.
     Before: Previous version of AVG Security Toolbar http://ieblog.members.winisp.net/images/herman_avg_toolbar_1.png
     After: Newest version (2.507.24.1) of the AVG Security Toolbar provides a predictable experience and lets users stay in control of their browser http://ieblog.members.winisp.net/images/herman_avg_toolbar_2.png
     -Paul Cutsinger and Herman Ng
     View the full article
  4. By posting in the virus forum. They will help you.
  5. This post is a guest post from Steve Guttman, of the Expression Web team.
  6. It’s well understood that the typical computer users today spend much of their time in their web browser, making it the most important software on their computer.
  7. This post follows up on my original Operation Aborted post to provide some additional information and assistance for web site owners or 3rd party script libraries.

     http://ieblog.members.winisp.net/images/travis_operationaborted.png

     Recap

     Nearly a year-and-a-half ago, I blogged about an error that can occur on some websites that generate content via script. This content can cause Internet Explorer’s HTML parser to get into an unrecoverable state, which makes it doubly-hard to find and diagnose why this error is happening. When this state occurs, the HTML parser cannot continue, and simply throws up its hands and admits: “Operation aborted!”

     Early in IE8’s development, we put in a mitigation that alleviated the worst side-effects of this problem. Rather than show a modal dialog and then navigate away from the page after you press OK, instead we removed the dialog and transferred the error notification into the status bar (to the script error notification area). As a result, you are not interrupted by a dialog and you can continue to view the current web page. You may not have even noticed that this error occurred; yet the HTML parser does come to a grinding halt (for that tab only) and any additional content will never be processed.

     Not too long after IE8 was released, we began hearing reports of IE8 customers continuing to see the old operation aborted dialog! While we knew that we hadn’t fixed every possible scenario that could cause the dialog to appear (it’s triggered as a catch-all for many subsystems such as the navigation stack and networking), we believed that we had mitigated the worst-cases. With recent reports of users seeing the Operation Aborted dialog in IE8 we investigated further to find any additional scenarios that could be triggering the dialog to appear (rather than the script error mitigation).
     In the following two scenarios, the root cause of the Operation Aborted issue is the same (for details, please read my previous post), but the way in which it happens in these scenarios causes IE to bypass the mitigation that we put in place for IE8.

     Scenario 1: Nested Parsing after Operation Aborted

         document.body.appendChild(document.createElement('div'));
         document.write("Testing");

     In the HTML above, the effect of the first line of the script is to trigger the Operation Aborted problem. In IE8 this is mitigated as previously mentioned. However, if sometime later a document.write API call is issued as shown in the second line of script, all versions of Internet Explorer, including 8, will present you with the old operation aborted dialog.

     Scenario 2: Operation Aborted in error handlers

         window.onerror = function() {
             var el = document.getElementById("div2");
             el.appendChild(document.createElement("div"));
         }
         alert('hi';">

     In this HTML file, a script error (in the onclick event handler) has a run-time error, which causes the window object's onerror handler to be invoked. In this scenario, if Operation Aborted is triggered in the error handler, the dialog will also show in IE8.

     Programmatically Detecting Operation Aborted

     When this error dialog occurs, it is very hard for web developers to find the problem and fix it.
     Often (and in most cases we’ve seen) the problem is introduced in third-party scripts that are referenced by the affected page. To help web developers quickly find and fix the problem, we’ve written a little script that should help. This script must be run as the first script in the page that is experiencing the Operation Aborted error. It overrides the usage of innerHTML and appendChild by first checking the parsing frontier before allowing the action. AppendChild is by far the most common DOM entry point that can trigger Operation Aborted, followed by innerHTML. The script may flag false positives, but we wanted to err on the side of being overly cautious.

     This script relies on a feature enabled in IE8 standards mode only: Mutable DOM Prototypes. Thus, it will only work for pages that use IE's most standards-compliant mode. See this post on compatibility view for more details on the mode that IE is interpreting your page in. However, the operation aborted problems that this script identifies (in IE8 standards mode) also apply to IE7 and IE6 thereby helping you diagnose and fix this issue in any version of IE.

     To use the following script follow these steps:

       1. Add a script element to the head of the page in question. This script element should be before any other script element on the page.
       2. Place the following script text within that script element (or reference a file containing it from the src attribute).
       3. Set the "f1" and "f2" feature values:
            • Setting "f1" to true will skip DOM calls that could potentially cause the Operation Aborted error. However, this will also result in a change in program flow, and other script errors could result.
            • Setting "f2" to true stops program flow at the point of a potential Operation Aborted error and breaks into the debugger (external or built-in JavaScript debugger). This is where you can analyze each occurrence to see what assumptions were being made and how the program flow can be altered to prevent the problem.
       4. In IE, navigate to the page in question.
       5. Start the JavaScript debugger by pressing "F12" and then selecting the "Script" tab in the Developer Tools, and press the button "Start Debugging".

         (function() {
             // Feature switches
             // WARNING: 'true' may cause alternate program flow.
             var f1 = PREVENT_POTENTIAL_OCCURANCES = false;
             var f2 = BREAK_INTO_DEBUGGER_AT_POTENTIAL_OCCURANCES = true;

             if (!window.console) {
                 window.console = {};
                 window.console.warn = function() { };
             }

             var frontierCheck = function(host) {
                 // Is host on the frontier?
                 while (host && (host != document.documentElement)) {
                     if (host.parentNode && (host.parentNode.lastChild != host))
                         // This is not on the frontier
                         return true;
                     host = host.parentNode;
                 }
                 if (!host || (host != document.documentElement))
                     return true; // This node is not on the primary tree
                 // This check is overly cautious, as appends to
                 // the parent of the running script element are
                 // OK, but the asynchronous case means that the
                 // append could be happening anywhere and intrinsic
                 // knowledge of the hosting application is required
                 console.warn("Potential case of operation aborted");
                 if (f2)
                     debugger;
                 // Step up two levels in the call stack
                 // to see the problem source!!
                 if (f1)
                     return false;
                 else
                     return true;
             }

             var nativeAC = Element.prototype.appendChild;
             Element.prototype.appendChild = function() {
                 // call looks like this:
                 // object.appendChild(object)
                 // Go back one more level in the call stack!!
                 if (frontierCheck(this))
                     return nativeAC.apply(this, arguments);
             }

             var nativeIH = Object.getOwnPropertyDescriptor(Element.prototype, "innerHTML").set;
             Object.defineProperty(Element.prototype, "innerHTML", {
                 set: function() {
                     if (frontierCheck(this))
                         nativeIH.apply(this, arguments);
                 }
             });
         })();

     We recognize that the operation aborted dialog and its mitigated cousin in IE8 are still the source of significant web developer pain. We hope this information and prevention script help you to diagnose and fix issues related to Operation Aborted in IE8 (and older versions of IE).

     -Travis Leithead, Program Manager
     View the full article
  8. If you manage your organization’s PCs using Windows Server Update Services (WSUS) I’m pleased to announce that we have made Internet Explorer 8 available via this technology for the following languages and platforms:

     Internet Explorer 8 releases on WSUS for August 25, 2009
       • Windows Vista: All supported languages
       • Windows Server 2008: All supported languages
       • Windows Server 2003: All supported languages
       • Windows XP: English; Arabic; Chinese (Traditional); Chinese (Simplified); Czech; Danish; Dutch; Finnish; French; German; Greek; Hebrew; Hungarian; Italian; Japanese; Korean; Norwegian; Polish; Portuguese (Portugal); Portuguese (Brazil); Russian; Spanish; Swedish; Turkish
       • Windows Vista and Windows Server 2008 Internet Explorer 8 Language Packs

     On September 22, 2009 all supported languages will be available via WSUS, with the release of the following versions of Internet Explorer 8 for Windows XP:

     Internet Explorer 8 releases on WSUS for September 22, 2009
       • Windows XP: Bosnian (Cyrillic); Bosnian (Latin); Bulgarian; Catalan; Croatian; Estonian; Hindi; Latvian; Lithuanian; Macedonian; Romanian; Serbian (Cyrillic); Serbian (Latin); Slovenian; Slovakian; Thai; Ukrainian; Vietnamese; Albanian; Assamese; Basque; Bengali (Bangladesh); Bengali (India); Gujarati; Indonesian; Kannada; Kazakh; Konkani; Malay (Malaysia); Malayalam; Marathi; Punjabi; Tamil; Telugu

     How do I control my Internet Explorer 8 deployment?

     Internet Explorer 8 is available in the “Update rollup” category, and will appear in your WSUS administration console as follows:

     http://ieblog.members.winisp.net/images/Eric_IE8SUS_1.jpg

     Note that even if Auto-Approve for the “Update Rollup” category is on, Internet Explorer 8 will not automatically be deployed; you must approve the Internet Explorer 8
  9. Back in March, I posted a note to the IEBlog when the pre-release version of IE8’s SmartScreen Filter had delivered its 10 millionth malware block. Today, I’m happy to report that IE8’s SmartScreen Filter has delivered more than 70 million blocks in the first four months since IE8’s official release, for a cumulative total of 80 million blocks. This data is a strong indication of the value of the protection SmartScreen provides, and of just how widespread socially-engineered malware attacks are on the web today. While we were proud of the work that went into SmartScreen leading up to IE8’s release, we knew that it was only the beginning of our efforts. Microsoft’s commitment to Trustworthy Browsing didn’t end when we signed off on the final IE8 code-- the reputation services behind SmartScreen represent an ongoing investment that we strive to improve every day.
  10. Welcome to the site.
  11. The topic of site support for IE6 has had a lot of discussion on the web recently as a result of a post on the Digg blog. Why would anyone run an eight-year old browser? Should sites continue to support it? What more can anyone do to get IE6 users to upgrade? For technology enthusiasts, this topic seems simple. Enthusiasts install new (often unfinished or “beta”) software all the time. Scores of posts on this site and others describe specific benefits of upgrading. As a browser supplier, we want people to switch to the latest version of IE for security, performance, interoperability, and more. So, if all of the “individual enthusiasts” want Windows XP machines upgraded from IE6, and the supplier of IE6 wants them upgraded, what’s the issue? The choice to upgrade software on a PC belongs to the person responsible for the PC. Many PCs don’t belong to individual enthusiasts, but to organizations. The people in these organizations responsible for these machines decide what to do with them. These people are professionally responsible for keeping tens or hundreds or thousands of PCs working on budget. The backdrop might be a factory floor or hospital ward or school lab or government organization, each with its own business applications. For these folks, the cost of the software isn’t just the purchase price, but the cost of deploying, maintaining, and making sure it works with their IT infrastructure. (Look for “nothing is free” here.) They balance their personal enthusiasm for upgrading PCs with their accountability to many other priorities their organizations have. As much as they (or site developers, or Microsoft or anyone else) want them to move to IE8 now, they see the PC software image as one part of a larger IT picture with its own cadence. Looking back at the post on Digg, it’s not just IT professionals. Some of the ‘regular people’ surveyed there were not interested in upgrading.
Seventeen percent of respondents to the Digg IE6 survey indicated that they “don’t feel a need to upgrade.” Separately, a letter to a popular personal technology columnist last week asked if people will somehow be forced to upgrade from their current client software if it already meets their needs. The engineering point of view on IE6 starts as an operating systems supplier. Dropping support for IE6 is not an option because we committed to supporting the IE included with Windows for the lifespan of the product. We keep our commitments. Many people expect what they originally got with their operating system to keep working whatever release cadence particular subsystems have. As engineers, we want people to upgrade to the latest version. We make it as easy as possible for them to upgrade. Ultimately, the choice to upgrade belongs to the person responsible for the PC. We’ve blogged before about keeping users in control of their PCs, usually in the context of respecting user choice of search settings or browser defaults. We’ll continue to strongly encourage Windows users to upgrade to the latest IE. We will also continue to respect their choice, because their browser is their choice. Dean Hachamovitch View the full article
  12. To date, this blog has focused on the engineering specifics of what we've done with the IE product. From our point of view, it's been a useful forum both for talking and listening. Looking at the comments, we can understand what makes sense to readers and where we need to be clearer. At the same time, we've seen many questions about broader topics, like IE6, HTML5 and other standards, or benchmarking. With IE8's release and Windows 7's "sign-off," now is a good time to add another kind of blog post. We want to use these posts to share our Engineering Point of View about broader topics and see feedback on them ahead of the next release. Why? For many web technology questions, finding many passionate and often contradictory opinions is easy. For example, just on the topic of video codecs within HTML5 (much less the rest of the spec), finding strong language from smart people disagreeing with each other is easy. This blog is from the IE engineering team, and everything we write here continues to be from the “Engineering Point of View.” We simply want to be clearer about what we’re thinking and what we balance as we build and service IE. Your comments are always welcome. We read all the comments on this blog (and many of the posts and comments on many other blogs). We'll also keep posting and reading comments on specifics, like How to make IE open tabs faster and How to log into two webmail accounts at the same time. Comments about other posts you’d like to see are also always welcome. Thanks – Dean Hachamovitch, General Manager View the full article
  13. Internet Explorer is releasing an out-of-band update available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. I encourage you to upgrade to Microsoft Update if you haven’t already to ensure that you receive the latest updates for all Microsoft products. This update addresses three privately reported vulnerabilities which could allow remote code execution. The security update addresses the vulnerability by modifying the way Internet Explorer handles objects in memory and table operations. In addition, the update includes two defense-in-depth protections against known techniques that are able to bypass ActiveX Security Policy when ActiveX controls have been created using certain Active Template Library (ATL) methods in specific configurations.
  14. Welcome. We're always gentle.
  15. User Account Control is one of those Windows features that evokes a number of different responses from folks. Most people appreciate the enhanced security UAC offers, but we did hear complaints about the high number of UAC prompts in Windows Vista. This led some customers to turn off UAC, which concerns us from a security perspective. So in Windows 7, we've given a great deal of thought to how we marry enhanced security with ease-of-use. We have written extensively about the changes in UAC for Windows 7 on the Engineering Windows 7 blog (Post 1, Post 2, Post 3, Post 4). Now, Technical Fellow Mark Russinovich weighs in on UAC with some great insight on the technology and some of our motivations around the decisions we have made. Check out Inside User Account Control now available online from TechNet Magazine. View the full article
  16. Welcome Richard and glad to have you here to help.
  17. (thumbslinger;1058587) Yep, it was far cheaper to get an HP laptop with the Adobe CS4 suite via an educational package than to get a new Mac laptop so I did. 18 year Mac veteran (I'm an art director) but now also using Vista. So far, I love it. Best advice I've had... disable auto-updates from Microsoft.. Vista for Dummies is awesome (as is AskWoody.com, the author) I've had zero problems. Best thing about Vista (working in Windows) for me so far? The free apps like FileZilla that work 100% perfectly and provide what I need instead of having to buy numerous small apps. Hello everyone If you like Vista you'll love Windows 7. Windows has its advantages in the area of free software. Welcome to the Windows World.
  18. We have been working in partnership with our independent software vendor (ISV) community to move the ecosystem to a set of new application programming interfaces (APIs) that many ISVs use to report status to Security Center (integrated within Action Center in Windows 7). The interfaces are used by many antivirus, antispyware, and firewall programs. The interface changes were introduced in Windows Vista SP1. These new APIs supersede the ones originally shipped in Windows Vista. From the release of Vista SP1, we jointly established with the security ISVs an 18 month grace period where they could use both the old and the new interfaces. After the 18 month grace period expires, a security application using the older interface will cause the Windows Security Center system tray icon to indicate a warning. In addition, the Security Center control panel will display a " is on but is reporting its status to Windows Security Center in a format that is no longer supported. Use the program's automatic updating feature, or contact the program manufacturer for an updated version" warning message; a sample screen shot is included below. The grace period begins at the time Vista SP1 is installed on a Windows Vista system. As a result, the grace period will begin expiring in September 2009, 18 months after Windows Vista SP1 was released on the Microsoft Download Center in March 2008. http://windowsteamblog.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/windowssecurity/AV-API-Change-_2D00_-Small.png Through our partner outreach and the Ecosystem Readiness Program, we have been working with the ISVs since October of 2007 to help them get ready for the final transition to this new interface. As a result, we have removed the old API from the Windows 7 RC.
Users who are running security software that does not use the newer API will see the "non-compatible" message shown below from the new Action Center, which instructs customers to contact their security software provider. Although you may receive this "non-compatible" message from your security software, it should continue to work and help protect your system even though it is not able to report its status through the Action Center UI. If you encounter this message today on Windows 7 or in the future on Windows Vista, I encourage you to check with your software vendor to see if they have an updated version of software available. Many of our partners already have products that use the new APIs and the others have committed to having compatible versions by the end of the Windows Vista grace period and for Windows 7. Having the latest, compatible software from your security vendors will help ensure that your system remains protected and that you are accurately informed when your security software is not running properly. View the full article
  19. RSA was great last week - security was clearly top of mind for the attendees, and I fielded a number of different questions last week about how Microsoft protects our customers. Some are pretty straightforward around how the various Windows 7 security technologies work, but many have focused on how we actually deliver protection to customers on an ongoing basis. One question that comes up more than I would have ever expected is: Who gets security updates? There seems to be a myth that Microsoft limits security updates to genuine Windows users. Let me be clear: all security updates go to all users. Not only do all security updates go to all users' systems, but non-genuine Windows systems are able to install service packs, update rollups, and important reliability and application compatibility updates. In addition, the users of non-genuine Windows systems can also upgrade a lot of the other software on their computer. For example Internet Explorer 8 has numerous security-oriented features and improvements, and it is available to all users. This isn't to say that all updates are available to non-genuine PCs. Other value-adding updates and software may or may not be blocked, at Microsoft's discretion. On Windows Vista, available updates can be accessed through the Windows Update control panel. On Windows XP, a non-genuine Windows system can access updates through Automatic Updates, but they cannot get to any of the optional updates which are only available through the Windows Update and Microsoft Update websites. Keeping a machine up to date is one of the first steps in helping ensure that they remain reliable, compatible, and safe from threats when they are online. Some of the most famous incidents of malicious software infection have come after security updates were publicly available from Microsoft - Blaster, Zotob, Conficker and Sasser, just to name a few. I hope this clears up some confusion.
Rest assured that we at Microsoft are committed to making sure that security updates are available to all of our users to help ensure a safe online experience for everyone. View the full article
  20. Are you getting any kind of error messages? When you say it doesn't work what do you mean? A little more detail will help to solve the problem
  21. Welcome to the community.
  22. Re: Maine to skip Vista No big deal. Vista is still doing well in the market.
  23. Go with Vista x64. That is what I use and love it.
  24. Re: New PC/No OS XP SP3 & Vista SP1 Go with Vista x64. That is what I use and love it.
  25. Welcome to the community.