WMF Exploit

There is an extremely nasty new exploit that targets a vulnerability in the way Windows renders Windows Metafile (WMF) images; on Windows XP the Windows Picture and Fax Viewer is the component that opens them. Usually, I don’t pay much attention to the latest on spyware since IE always asks you to confirm a download. But this one is really bad. No IE warnings or security toolbar. If you navigate to a rogue website that uses the exploit, the image is rendered without any prompt and the IE security settings are bypassed. By the time resident anti-spyware and virus shields catch it, it is too late and your machine is infected. For the time being, the workaround is to unregister the viewer:

regsvr32 /u shimgvw.dll

Keep in mind that this only stops the viewer from handling the image; it does not fix the rendering engine itself, so keep your antivirus signatures current and apply Microsoft’s update as soon as it ships. To undo the workaround later, run the same command without the /u switch. Also, do yourself a favor and, if you are not doing this on a regular basis, enable Windows XP System Restore and create a restore point.
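While the viewer is unregistered, it is worth being able to tell a suspicious WMF from a benign one on the way in (proxy cache, mail attachments, a shared folder). The script below is an added example of mine, not code from this blog or from Microsoft’s advisory. It relies on one fact the advisory does not spell out: the public exploit abused a META_ESCAPE record carrying the SETABORTPROC escape function, which GDI turns into a callback into attacker-supplied data while playing the metafile. The record layout constants come from the WMF format; the sample files are constructed inside the script and carry zero filler where an exploit would carry its code, so there is no payload here.

```python
import struct

# Record and escape identifiers from the Windows Metafile (WMF) format.
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009           # escape function that registers an abort callback
PLACEABLE_KEY = 0x9AC6CDD7      # magic of the optional 22-byte placeable header
HEADER_WORDS = 9                # standard WMF header is 9 words (18 bytes)


def iter_records(data):
    """Walk a WMF blob and yield (offset, function, params) for each record.

    A record whose length runs past the end of the file, or is smaller than
    its own 6-byte prefix, is yielded with function -1 and ends the walk:
    a scanner must report a bad length rather than silently stop on it.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    _ftype, header_words, _version = struct.unpack_from("<HHH", data, off)
    if header_words != HEADER_WORDS:
        raise ValueError("unexpected WMF header size")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        nbytes = size_words * 2
        if size_words < 3 or off + nbytes > len(data):
            yield off, -1, data[off + 6:]
            return
        yield off, func, data[off + 6:off + nbytes]
        if func == META_EOF:
            return
        off += nbytes


def find_setabortproc(data):
    """Offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape_func, _byte_count = struct.unpack_from("<HH", params, 0)
            if escape_func == SETABORTPROC:
                hits.append(off)
    return hits


def scan_wmf(data):
    """Verdict for one file. A SETABORTPROC escape has no business in an image,
    and a record length that overruns the file is reason enough to distrust it."""
    hits = find_setabortproc(data)
    malformed = any(func == -1 for _off, func, _p in iter_records(data))
    return {"setabortproc_at": hits, "malformed": malformed,
            "suspicious": bool(hits) or malformed}


# --- constructed samples (built here, not real files) ----------------------

def wmf_record(func, params=b""):
    """Encode one record: size in 16-bit words (incl. this prefix), function, params."""
    assert len(params) % 2 == 0, "WMF records are word-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """Assemble a minimal disk-type WMF (no placeable header) around the records."""
    body = b"".join(records) + wmf_record(META_EOF)
    max_words = max(len(r) for r in records + [wmf_record(META_EOF)]) // 2
    header = struct.pack("<HHHIHIH", 2, HEADER_WORDS, 0x0300,
                         (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


BENIGN_WMF = build_wmf([
    wmf_record(META_SETMAPMODE, struct.pack("<H", 8)),          # MM_ANISOTROPIC
    wmf_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
])
FILLER = b"\x00" * 16   # zero filler where an exploit would carry its callback code
SUSPECT_WMF = build_wmf([
    wmf_record(META_SETMAPMODE, struct.pack("<H", 8)),
    wmf_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(FILLER)) + FILLER),
])
# Same file with the escape record's size field set to overrun the file.
MALFORMED_WMF = SUSPECT_WMF[:26] + struct.pack("<I", 0x7FFFFFFF) + SUSPECT_WMF[30:]
# A placeable header in front shifts every offset by 22 bytes.
PLACEABLE_HEADER = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 0, 0, 96, 0, 0)

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                       ("malformed", MALFORMED_WMF)]:
        print(name, scan_wmf(blob))
```

The scanner deliberately treats a bad record length as a finding in its own right instead of stopping quietly: a file that cannot be walked cleanly should never be handed to the renderer just because no SETABORTPROC record was found before the walk broke. Note that this is a check on the file, not a fix for the engine; a crafted WMF reaching any application that plays metafiles through GDI is still dangerous until the update is installed.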

Microsoft has issued the following advisory about the new threat.

Microsoft Security Advisory (912840)

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.

Microsoft is investigating new public reports of a vulnerability in Windows. Microsoft will continue to investigate the public reports to help provide additional guidance for customers.

Microsoft is aware of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged on user when visiting a Web site, which contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s Web site.

Customers are encouraged to keep their antivirus software up to date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. We will continue to investigate these public reports.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.

Customers who believe they may have been affected by this issue can contact Product Support Services. You can contact Product Support Services in the United States and Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.

Mitigating Factors:

• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s Web site.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• By default, Internet Explorer on Windows Server 2003, on Windows Server 2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability where the e-mail vector is concerned, although clicking on a link would still put users at risk. In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text. See the FAQ section of this vulnerability for more information about Internet Explorer Enhanced Security Configuration.

General Information

Overview

Purpose of Advisory: To provide customers with initial notification of the publicly disclosed and exploited vulnerability. For more information, see the “Suggested Actions” section of the security advisory.

Advisory Status: Under Investigation

Recommendation: Review the suggested actions and configure as appropriate.

References

CVE Reference: CVE-2005-4560
CERT Reference: VU#181038
Microsoft Knowledge Base Article: 912840

This advisory discusses the following software.

Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1

Microsoft Windows XP Service Pack 2

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003

Microsoft Windows Server 2003 for Itanium-based Systems

Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Microsoft Windows Server 2003 x64 Edition

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Note Microsoft Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 x64 Edition also refer to Microsoft Windows Server 2003 R2.

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting the Graphics Rendering Engine in Microsoft Windows. This vulnerability affects the software that is listed in the “Overview” section.

Is this a security vulnerability that requires Microsoft to issue a security update?
We are currently investigating the issue to determine the appropriate course of action for customers. We will include the fix for this issue in an upcoming security bulletin.

What causes the vulnerability?
A vulnerability in the way that specially crafted WMF images are handled could allow arbitrary code to be executed.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system. In a Web-based attack scenario, an attacker would host a Web site that exploits this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s site. It could also be possible to display specially formed Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

How could an attacker exploit the vulnerability?
An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.

I am reading e-mail in plain text, does this help mitigate the vulnerability?
Yes. Reading e-mail in plain text does mitigate this vulnerability where the e-mail vector is concerned although clicking on a link would still put users at risk.

Note In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text.

I have software DEP enabled on my system, does this help mitigate the vulnerability?
Yes. Windows XP SP2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.
For additional information about how to “Enable DEP for all programs on your computer”, see the product documentation.

Suggested Actions

Workarounds

Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it will help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

To un-register Shimgvw.dll, follow these steps:

1.   Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.

2.   A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

• Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

• Customers in the U.S. and Canada who believe they may have been affected by this possible vulnerability can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses. International customers can receive support by using any of the methods that are listed at the Security Help and Support for Home Users Web site.

• All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.

• Protect Your PC

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing anti-virus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.

• For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.

• Keep Windows Updated

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Microsoft Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Resources:

• You can provide feedback by completing the form by visiting the following Web site.

• Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.

• International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.

• The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

• December 28, 2005: Advisory published

Excel to the Rescue

Thanks to Marco Russo’s blog, I’ve learned that Microsoft has released an updated version (version 1.5) of the Excel 2002/2003 Add-in for SQL Server Analysis Services. I discussed in detail how version 1.0 could be used to generate ad hoc reports from SSAS cubes in my book Applied Microsoft Analysis Services 2005. Although version 1.0 was compatible with SSAS 2005, it was unaware of the new UDM features. For example, it couldn’t differentiate between attribute and multi-level hierarchies. The updated bits target both UDM and SSAS 2000, although not all of the new UDM features (e.g. drillthrough actions) are supported.


Easily overlooked, version 1.5 of the Excel Add-in represents the first Microsoft OLAP browser that targets UDM. It is not perfect, but it is better than nothing. We can only expect the Excel/UDM integration to improve in Excel 12. So, I feel good about Excel analytics. Unfortunately, I don’t share the same feeling when it comes to integrating UDM with custom applications. In the past, Microsoft Office Web Components (OWC) have fulfilled the role of such a pluggable control. Unfortunately, their COM-based architecture has made them technologically obsolete. At this point, it is not clear what Microsoft plans for OWC and for integrating UDM with custom applications.


In my opinion, it is optimistic to expect that all organizations will embrace Excel as an OLAP browser. For example, if you develop BI applications, I doubt you will be willing to tell your customers that they need to launch Excel to whip up some cool interactive BI reports. So, I had a dream in which the MS Santa brings me a .NET-based control (let’s call it OlapViewer) which developers can use to integrate .NET applications with UDM. Similar to the ReportViewer VS.NET control, this control could ship with VS.NET. A successor to OWC, the OlapViewer would fully support UDM. It would allow developers to add business intelligence features to custom applications. For example, the developer could programmatically add measures and dimensions to the report. When the end user is done generating the report, she could save the report definition for later retrieval. How about creating calculated members programmatically? Or converting the OLAP report definition to a Reporting Services report? Intercepting and possibly changing the MDX query statement?


Alas, for now, this is only a dream. Hopefully, we will see it materialize sometime next year, either from Microsoft or from third parties. “The future unknown is”, as the Jedi Master Yoda used to say.

Into the Multi-dimensional Space

Lately, I’ve run into a few “multi-dimensional” posts in the public SSRS newsgroup. It seems like more and more people target SSAS 2005 cubes as a reporting source. It looks like I am not the only one who has noticed this trend. Brian Welcker has recently commented about the SSRS-SSAS integration in his Fingerpops blog. Here are some notes based on my experiments with the MDX Query Designer.


Limitations
The promise of the MDX Query Designer (implemented by the SSAS team) is to give the report author a tool to easily produce SSAS-based reports without requiring MDX knowledge. Unfortunately, the MDX Query Designer and SSRS integration leaves substantial room for improvement. For example, it should allow dropping levels of a parent-child dimension on rows to produce a report similar to this one.


I can produce this report in the SSAS cube browser (or another OLAP browser) in seconds. However, the MDX Query Designer doesn’t allow me to request dimension levels side-by-side. I understand that SSRS can consume only flattened datasets, but this doesn’t explain why the MDX Query Designer lags behind the cube browser, which uses OWC to display the results in a two-dimensional format as well. So, my SSAS-SSRS wish #1 is to see the MDX Query Designer support the same functionality as the SSAS cube browser.


Aggregates
There are two ways to request data from an SSAS cube: cellset (hierarchical) and rowset (two-dimensional). SSRS uses the second format, which is, of course, more natural for relational reporting. SSRS is not an OLAP browser and should not be treated as one. Unfortunately, as a result of flattening the data, the SSAS aggregates (All and level aggregates) are lost. You may wonder why on earth you would need the SSAS aggregates instead of re-calculating them using the SSRS Sum(), Avg(), etc. functions. Well, the short answer is that SSAS may go far beyond the standard aggregate functions. For example, the Account dimension in the report above uses custom rollup operators to roll up account categories: income categories add up while expenses subtract. This is why the Balance Sheet total in the report is $0. Using charts of accounts is a cornerstone of financial reporting. If you can’t bring over the precious SSAS aggregates, you have no other choice but to re-invent SSAS with relational reporting, which is something you should avoid.
The good news is that SSRS can ask SSAS for the “lost” aggregates. If this is the case, the Aggregates element of the MdxQuery element in the report RDL file won’t be empty, e.g.:
<Aggregates><Aggregate><Levels /></Aggregate></Aggregates>


Here is a trick to make SSRS ask for aggregates:



  1. Use the graphical MDX Query Designer to produce interactively the report dataset.
  2. Switch to the Layout tab and author your report.
  3. In a textbox inside the report Group, enter the expression =Aggregate(Fields!<FieldName>.Value), where FieldName is the field that you need to aggregate.
  4. Save the report.

If all is well, the Aggregates element will be populated and the Aggregate function will return the SSAS aggregate value. However, the problem in the aggregate story is that:



  • Sometimes SSRS refuses to ask for these aggregates.
  • It is not clear what you could do on your part to help it out.
  • The Aggregates RDL syntax is not documented and you don’t know how to force the MDX query to bring the aggregates.

For example, I attempted to produce the above report by manually creating the MDX statement. While I succeeded to some degree, I wasn’t able to bring the aggregates. Nor was I able to produce the sample report with the groups I wanted.


In conclusion, SSAS and SSRS could be a winning combination for OLAP and relational reporting. I hope that future service packs and releases will improve the SSRS and SSAS integration and preserve the fidelity of the cube data.

Web ReportViewer and Multi-value Parameter Bug (or how I spent my weekend)

This weekend, I was working on the second part of my Report Viewers article for DevX. As usual, it all started with an innocent idea which turned into a whole-day affair. I wanted to demonstrate how to integrate the VS.NET 2005 web ReportViewer with a server report that takes a multi-value parameter. Of course, to save time laying out the presentation layer, I decided to use absolute positioning for my web controls. Much to my surprise, the ReportViewer wouldn’t expand the multi-value parameter. It would helplessly repost the page each time I clicked on a report parameter.


So, I got on an ambitious and arduous quest to find out what I was doing wrong. The most puzzling finding was that the Report Manager (which behind the scenes uses the web ReportViewer) would render the report just fine. This left me utterly perplexed and convinced that I was doing something terribly wrong. And I started changing stuff around. I fixed a bunch of other issues, including some mysterious DCOM events that were logged in the Event Viewer, but the ReportViewer wouldn’t budge.


Finally, I created a new page, dropped the ReportViewer on it, configured it at design time, and sure enough it rendered the report just fine. It turned out that there is a bug with the ReportViewer and multi-value parameters: the parameter drop-down itself uses absolute positioning, which conflicts with an absolutely positioned hosting page. As far as I know, the only workaround for now is to change the hosting page layout to use flow positioning instead.


So, stay away from absolute positioning until this ugly bug is fixed.

My book is selling from Amazon and B&N

At last, my book “Applied Microsoft Analysis Services 2005” is available for purchase from the retail outlets, including Amazon and Barnes & Noble. This completes the arduous and time-consuming book lifecycle which readers are probably unaware of. Here is how it goes… Once the author hands off the final manuscript to the publisher, the publisher sends the electronic copy to the printer. In the case of my book, it took one month for the printer to produce the book. Next, the printer ships the book to the distributor. Then, the distributor sends the books to the wholesalers (Ingram and Baker & Taylor). 


Retailers, such as Amazon and B&N, get the books from the wholesalers. So, from the time the book is received from the distributor, it takes another 30 or so days until the books fill the channels. So, setting the book publication date on Amazon is nothing more than an educated guess about events that are completely out of the publisher’s control. This is only half of the story, of course. If the retailers don’t sell the book in six months, the retailers return the books to the distributor and the book is re-stocked. But this won’t happen to my book, right? :-)

RS 2005 Tips and Tricks Code Available

The code samples for my web seminar “Reporting Services 2005 Tips and Tricks” can be found here. They include:



  • Using external images (URL and web service)
  • Expression-based connection strings
  • XML extension to render ADO.NET datasets streamed from a web service
  • OLAP report from SSAS
  • CLR stored procedure integration
  • ASP.NET Handler to echo the incoming URL and SOAP requests to the Report Server
  • WinReporter demo that demonstrates the WinForms ReportViewer in remote and local mode.

New Wave of Presentation Delivery – Web Seminars

Yesterday, I delivered a web seminar for WindowsITPro (sponsored by Microsoft) about RS 2005. I have to admit that I really enjoyed it. I got more than 340 attendees. This broke my previous record of 300 for my RS presentation at TechEd Europe 2004. The best thing about a web seminar is that you do it from the comfort of your house or office. No travel, no hassle, no travel expenses. No cell phones and other annoying sound effects. Enjoy the silence! The questions get logged in an orderly fashion, so you can preview them before you answer (or don’t :-)). You can do polls too. What could be better?


The only negative thing about this particular seminar is that I was restricted to static content only and I couldn’t share my desktop for live demos. This was a limitation of the technology WindowsITPro is using, of course. Microsoft Live Meeting is perfectly capable of desktop sharing.


I hope web seminars will catch on and I can do more of them in the future. You can find the slides and demos of my Reporting Services 2005 Tips and Tricks web seminar here.


See you soon in cyberspace!