How to make me nervous

How to make Alun nervous in 3 easy steps:

  1. Release a new version of a tool that Alun uses throughout his home and work life.
    • For bonus points, make it a back-port from a later version of the operating system. Back-port it to operating systems as far back as you can, since this is something you generally never do.
  2. Neglect to publish any information comparing the new version to the old version. Don't sell me on upgrading.
  3. Remove all download locations for previous versions of the tool. Make it impossible for me to go back to the original version if the new version has issues.

In completely unrelated news, Microsoft has just released Windows Script 5.7 for Windows 2000, Windows XP and Windows Server 2003. Windows Script 5.7 was previously known as "the version of Windows Script for Windows Vista".

There is no documentation currently available to state what has changed from version 5.6 to 5.7.

Windows Script 5.6, 5.1, and previous versions are no longer available for download.

Published Mon, Aug 13 2007 15:04 by Alun Jones

Comments

# re: How to make me nervous

Hmm -

 Downloaded it and installed it.  My nightly VBScript to archive stuff to my network share is now broken.

It seems that

CSCRIPT.EXE //H:CSCRIPT

doesn't work any more.  Any .VBS file that I run now launches with WScript.

Time to call Product Support...

Wednesday, August 15, 2007 10:15 AM by Christopher G. Lewis

# re: How to make me nervous

Well, it looks like MS just never tested this functionality completely.

With WScript 5.6, running

CSCRIPT.EXE //H:CSCRIPT //S

changes the Open/Command sub-key from WScript to CScript.  Open2/Command is set to the opposite value.

HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command

HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command

With Wscript 5.7,

CSCRIPT.EXE //H:CSCRIPT //S

Changes the shell default to point to Open or Open2.  However, it doesn't check what Open or Open2 actually point to!  

So if you first run

CSCRIPT.EXE //H:CSCRIPT //S

in Wscript 5.6 to switch Open and Open2, then install WScript 5.7, running the //H command actually gives you the EXACT OPPOSITE of what you want!

Thanks to the SysInternals team for ProcMon for helping to figure this out...

Note that to fix this, you can't just change the shell default.  You MUST change the Open/Open2 keys back to their default values, since the //H command will blindly assume that Open2 is CScript...

Wednesday, August 15, 2007 1:37 PM by Christopher G. Lewis
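
The behaviour described in the comment above can be modelled to show why the upgrade inverts the result and why only restoring Open/Open2 repairs it. This is an added example, not part of the original comment and not Microsoft's code; the function names, the dictionary layout and the sample command strings are assumptions made for illustration.

```python
# Model of the VBSFile shell keys, following the behaviour the comment describes.
# Command strings are constructed sample values, not read from a real registry.
WSCRIPT = r'"%SystemRoot%\System32\WScript.exe" "%1" %*'
CSCRIPT = r'"%SystemRoot%\System32\CScript.exe" "%1" %*'

def default_keys():
    """State the comment calls the defaults: Open -> WScript, Open2 -> CScript."""
    return {"default_verb": "Open", "Open": WSCRIPT, "Open2": CSCRIPT}

def host_of(command):
    """Name the script host a Command value launches."""
    return "cscript" if "cscript.exe" in command.lower() else "wscript"

def set_host_56(keys, host):
    """5.6 as described: rewrite Open\\Command to the requested host and
    Open2\\Command to the other one; the default verb is left alone."""
    wanted, other = (CSCRIPT, WSCRIPT) if host == "cscript" else (WSCRIPT, CSCRIPT)
    keys["Open"], keys["Open2"] = wanted, other

def set_host_57(keys, host):
    """5.7 as described: only repoint the default verb, assuming Open2 is
    CScript without reading either Command value."""
    keys["default_verb"] = "Open2" if host == "cscript" else "Open"

def effective_host(keys):
    """Host that actually runs when a .VBS file is opened."""
    return host_of(keys[keys["default_verb"]])

def audit(keys):
    """True when Open/Open2 hold the values the 5.7 //H switch assumes."""
    return host_of(keys["Open"]) == "wscript" and host_of(keys["Open2"]) == "cscript"

def upgrade_scenario():
    keys = default_keys()
    set_host_56(keys, "cscript")      # //H:CSCRIPT under 5.6
    before = effective_host(keys)     # cscript, as intended
    set_host_57(keys, "cscript")      # same switch after installing 5.7
    after = effective_host(keys)      # wscript: the inversion
    swapped = not audit(keys)         # Open/Open2 are not at their defaults
    keys.update(Open=WSCRIPT, Open2=CSCRIPT)  # restore the default values
    set_host_57(keys, "cscript")
    return before, after, swapped, effective_host(keys)
```

Running the same `audit` logic against the real Open and Open2 Command values before deploying 5.7 would flag machines where the 5.6 switch was used.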

# re: How to make me nervous

Alun:- I had planned to send this via your contact form but it isn't working.  Feel free to post this as a comment (it's vaguely on topic!) or not as you see fit.

I've learned something recently that worries me and might be within your field of interest.  Support for the Microsoft Java VM (remember the lawsuits?) expires at the end of this year, meaning no more security updates.  I just *know* some troublemaker is going to be holding onto a vulnerability report and releasing it 1st January!

And, no, I don't mean me. :-)

The problem is that if you've got MSJVM installed, it's hard to remove.  Microsoft have a removal tool but they're only providing it to IT pros:

support.microsoft.com/.../826878

OK, so I can get it, but even so we're going to have to muck about to deploy it.  I want to be able to distribute it via WSUS!  And, in my opinion, everybody should be getting protection against future MSJVM vulnerabilities via Microsoft Update; otherwise we're going to have a whole lot of exposed home machines one day.

The argument that the effects have to be irreversible doesn't hold water IMO.  Surely there must be a way of distributing an update that effectively disables the JVM without actually deleting it?  (For example, the security on the relevant files could be set to deny execute access.)

I'd be grateful for your opinion on this matter.

Regards,

 Harry.

Sunday, August 19, 2007 7:14 PM by Harry Johnston

# re: How to make me nervous

There are a few reasons not to panic:

1. Sun Java is a far more interesting target, especially given the ease with which an attacker can request an older, unpatched version that wasn't removed by Sun's update tool.

2. Any website relying on Java to support Windows systems is already going to be pushing the message to make Sun Java be the default Java processor.

3. If you have a machine whose last clean install was with Windows XP SP1a or later (including Windows Server 2003 or Vista), you won't have MSJVM on your systems, and can't get it installed through any normal means. Since that service pack was released on February 2, 2003, you'll find that any machines that have MSJVM on them are machines that have been updated to newer operating systems and service packs from machines purchased over four years ago. That should cut the numbers down.

4. If a serious vulnerability is disclosed, Microsoft still has the "damn the torpedoes, full speed ahead" option of issuing the MSJVM removal tool to all users, and accepting the consequences of some users experiencing issues with loss of (old, obsolete) applications as their Java Virtual Machine disappears.

5. Another option that may well be in Microsoft's back pocket is negotiation with Sun to allow the development and shipping of a security fix, if the hypothesised flaw is sufficiently important.

6. [This is the clincher for me] Along the lines of the argument that time machines are impossible because we haven't been visited by tourists from the future, it's worth noting that a zero-day bug in the MSJVM is worth far more now, when some corporate users are still hanging on to it, than it will be this Christmas, when any corporate users worth a damn will have shoveled that puppy into its little cardboard box.

Sunday, August 19, 2007 10:41 PM by Alun Jones

# re: How to make me nervous

You may be right.  One minor correction - MSJVM may be installed on newer machines as part of an older product, in particular Visual Studio 6.  Note that extended support for Visual Basic 6 doesn't expire until April 2008.

Also because there's nothing forcing third party developers that may have used MSJVM to update their software - or even stopping them from including it in new software! - there's no way to be sure it isn't installed without actually checking.

Monday, August 20, 2007 3:01 PM by Harry Johnston

# re: How to make me nervous

... and, as an afterthought, it is true that no MSJVM security vulnerabilities have been reported in nearly five years.

Monday, August 20, 2007 3:10 PM by Harry Johnston

# re: How to make me nervous

I don't think that the MSJVM was ever legally redistributable by third parties, so that doesn't appear likely to be a problem.

Unless, of course, the black market economy in pirated software reaches such a stage that an attacker can rely on there being a pirated version of software installed and ready to be abused on most otherwise legitimate machines...

Monday, August 20, 2007 11:37 PM by Alun Jones

# re: How to make me nervous

Quoting from the Microsoft FAQ here:

www.microsoft.com/.../faq.mspx

"I am a developer. Can I continue to distribute the MSJVM?

The End User License Agreements (EULAs) for both Microsoft Visual J++® and the Microsoft SDK for Java grant limited rights to redistribute the installer for the MSJVM (msjavx86.exe). However, Microsoft highly discourages continued redistribution of the MSJVM as provided for in these EULAs."

I vaguely recall installing one or two third-party products that used the MSJVM some years ago.  It isn't all that common.  As I mentioned, my main problem is going to be Visual Basic.

Tuesday, August 21, 2007 2:04 PM by Harry Johnston
