Entries for Mike Dimmick

That's one secure patch, all right... [That's one secure patch, all right...]

Mike Dimmick — Thu, 16 Mar 2006 22:20:34 GMT

On both my home and work computers, I've followed Microsoft's advisory, linked to Adobe's advisory, and updated Adobe (Macromedia) Flash to their latest version, 8.0.24.0. Unfortunately it now no longer works in my normal, low-privileged accounts!

Digging in the registry shows that the control's keys under CLSID can no longer be read by ordinary users: the permissions have been set so Everyone is denied access. I'm surprised that it works for administrators actually, since Everyone should cover, well, everyone. Perhaps the ACL was ordered incorrectly, with some of the Allow entries appearing before the Deny entries - the AccessCheck routine will stop parsing the ACL once all requested bits are set, which means it can miss explicit Deny ACEs if they appear after Allow ACEs.

Well, that's one way to stop exploits of the vulnerabilities, whatever they are. I hope this change wasn't Adobe's 'fix'!

Anyone else seeing this problem?

in reply to That's one secure patch, all right...

Should IE7 and IE6 work side-by-side? [Should IE7 and IE6 work side-by-side?]

Mike Dimmick — Sun, 18 Dec 2005 22:29:20 GMT

The recent revelation that the source of some of the problems with the most recent IE security update was due to people running an unsupported 'side-by-side' installation of IE7 Beta 1 got me thinking. Should IE7 be available side-by-side with IE6?

From a technical standpoint, since IE7 will only be available as a separate download for XP SP2 and Windows Server 2003 SP1, it would be possible to use the side-by-side assembly features of these operating systems to leave the version 6.0 versions in SYSTEM32, and use manifests to direct the IE 7.0 'shell' application to the side-by-side 7.0 versions. Third-party applications would then be able to opt-in to the new versions. Indeed when I heard that IE7 would only be available for XP SP2 and Server 2003 SP1, I considered whether this system feature was one of the reasons.

The benefits of this approach would be a lower risk of breaking third-party applications - indeed, also Microsoft applications which use the Web Browser component and other internet libraries - which presumably would also reduce - somewhat! - the test matrix. It would allow web developers to more easily test sites with multiple rendering engines. The downside is of course that older applications like Outlook and Outlook Express would not get the updated rendering engine, unless updates to those applications were made available.

We know that the IE team intend to keep 'quirks mode' rendering as it does currently, but that pages declared with a 'standards' doctype will use updated rendering. I presume this also applies to applications embedding a WebBrowser control. I anticipate this will have an impact on some applications no longer rendering correctly.

Explorer is an interesting issue. If a user types a URL into the address bar of Explorer with IE7 Beta 1 installed, a new browser frame is created (at least on my machine, this may be a configurable option?). This differs from the normal behaviour which is to turn the Explorer frame into an IE frame. Likewise, typing a folder name into IE7's address bar opens a new Explorer window on that folder - IE6 changes the frame to an Explorer view. We know that told that there are no plans to go side-by-side, but I'd be interested in your thoughts.

in reply to Should IE7 and IE6 work side-by-side?

Servicing betas [Servicing betas]

Mike Dimmick — Wed, 10 Aug 2005 11:52:07 GMT

Background: yesterday, Security Bulletin MS05-038 was released, a cumulative update for Internet Explorer, fixing two critical vulnerabilities, and one moderate. The IEBlog posting clarifies that these fixes were included in IE 7 beta 1 and Windows Vista beta 1.

What's Microsoft's policy on security patches for Beta software, specifically IE7? I realise that the recommendation is only to run beta software on non-production systems; however, many beta testers and some MSDN subscribers are using it as their main browser (conjecture from posts here and other forums), and the software has been made available on file-sharing networks - some 'bleeding edge' ordinary users are also using it. Back when IE betas were a more common occurrence, there was a site dedicated to them. The site still exists but has branched out more into a more general NeoWin/ActiveWin style of reporting.

As a developer, it definitely feels weird to talk about servicing unreleased software. But with the widespread use of such beta software - even if illegitimately distributed and used inappropriately - I feel that Microsoft has a responsibility to ensure that such beta software remains free of vulnerabilities.

in reply to Servicing betas

UK ID Card Pledge [UK ID Card Pledge]

Mike Dimmick — Wed, 22 Jun 2005 12:09:59 GMT

I meant to post this sooner. I know a number of my fellow Brits here were not at all keen on the idea of national identity cards, and even less keen on the use of biometrics and the back-end database of all people who paid for cards. I believe it's an expensive unworkable plan with an alarming amount of personal data held on a shared database, with access permitted to many organisations I would not like to see accessing my data.

There's a pledge running right now, organized by the NO2ID campaign. The following is the pledge text:

"I will refuse to register for an ID card and will donate £10 to a legal defence fund but only if 10,000 other people will also make this same pledge."

If you're a UK citizen or resident, I'd like you to consider signing up at http://www.pledgebank.com/refuse. Over 4,000 people have already signed up. I'm one of them.

in reply to UK ID Card Pledge

Microsoft buys Lookout Software... then kills off Lookout [Microsoft buys Lookout Software... then kills off Lookout]

Mike Dimmick — Fri, 16 Jul 2004 14:16:17 GMT

http://www.lookoutsoft.com/Forums/topic.asp?TOPIC_ID=194

http://www.lookoutsoft.com/Lookout/lookout-msft.html

Q: Why can't I download Lookout anymore?

We will be focusing our efforts on integrating our expertise and working on next-generation technologies. We are going to hold off on growing our user base until our next generation services are available. All current users of Lookout can continue to use Lookout and will be supported via the existing support process on Lookout for a year or until a new technology is available.

--

Uh, this strikes me as a bit counterproductive: you buy a company for its technology and staff, but then stop selling the technology? And you place the technology, designed for searching Microsoft Outlook data, under the MSN division?

in reply to Microsoft buys Lookout Software... then kills off Lookout