Tag Archives: Microsoft

Microsoft Unveil Windows Phone 7 with Partners

Windows 7 Mobile Images
Windows 7 Mobile Lineup
\r\n\r\nMicrosoft today joined its partners in revealing nine new Windows Phone 7 handsets that will be available this holiday season from leading mobile operators inNorth America,  Europe and Asia Pacific. With more than 60 mobile operators in over 30 countries worldwide committed to bringing Windows Phones to market, the millions of people around the world looking for a phone that plays as hard as it works will have a variety of phones from leading device-makers to choose from.As for the two other major U.S. wireless carriers, Microsoft promises that Verizon and Sprint will have phones in 2011, and that “select models” would be sold at Microsoft Stores and on Amazon.  Microsoft is gearing up for another attempt to take on RIM’s BlackBerry, Apple’s iPhone, Google’s Android, and other smartphone contenders.\r\n\r\n The hardware \r\nAT&T’s phones include the HTC Surround, LG Quantum and Samsung Focus, all pictured up top. They all have 1GHz Qualcomm Snapdragon processors, capacitive touch screens and 5-megapixel cameras. They will each sell for $199.99 with a two-year contract.\r\n\r\nThe HTC Surround has pop-out speakers and uses Dolby’s mobile technology, for better sound when watching movies. It has a “kickstand,” so that it can be propped up on, say, an airplane tray table, without the use of severely bent paperclips, intricate origami or a $30 case.The LG Quantum has a slide-out real QWERTY keyboard, so it will be favored by BlackBerry converts and people who don’t like software keyboards. AT&T says it will also play music and video wirelessly via home networks to compatible devices, so you can, say, stream a song to a Sonos wireless music system with a tap of the screen. The Samsung Focus, scheduled to be the first Windows Phone 7 device to hit retail in the U.S., on Nov. 8, is the thinnest. At 9.9mm, it’s nearly (but not quite) as thin as the iPhone 4.\r\n\r\n T-Mobile’s core offering, due out mid-November, will be the HTC HD7, also with a 1GHz processor and a 5-megapixel camera. The HD7’s distinguishing feature is a 4.3-inch touchscreen, which is the same spacious size as the HTC Evo and Motorola Droid X. Like the Surround at AT&T, T-Mobile’s HD7 also has a kickstand. \r\n\r\n The sales pitch \r\nMicrosoft CEO Steve Ballmer as saying that Windows Phone 7 is “a different kind of mobile phone and experience — one that makes everyday tasks faster by getting more done in fewer steps and providing timely information in a ‘glance and go’ format.”\r\n\r\nClearly, the marketing strategy Microsoft is employing is to show how different Windows Phone 7 is, interaction-wise, from Apple’s iPhone and Google’s Android. The trouble is, Android is doing gangbuster business precisely because it resembles the iPhone (while selling on all four carriers and in many configurations). Microsoft’s zag-while-everyone-else-zigs strategy may be risky, but no more risky than being perceived as more of the same.\r\n\r\n Why you’d buy \r\nSo what does make Windows Phone 7 “different”?  For starters, there’s the “glance and go” interface of “Live Tiles,” customizable plates on the home screen that update regularly, so that users don’t have to open apps, or wait for pop-up alerts, to receive new information. (Android users could argue that “widgets” serve a similar purpose, though they tend to be app-specific). Another differentiator is the Xbox Live integration. Microsoft is definitely sticking it to its gaming console competition.\r\n\r\nAnother differentiator is the Xbox Live integration. Microsoft is definitely sticking it to its gaming console competition.\r\n\r\n

\r\n\r\n

Windows Mobile HTC HD7
Windows Mobile HTC HD7Windows Mobile 7 DellWindows Mobile 7 Dell

Mono 2.8 is Released.

The Mono developers have released Mono 2.8, a major update to the implementation of Microsoft’s .NET technology for Linux and other platforms.Mono 2.8 Released\r\n\r\nMiguel de Icaza, project lead, said in his blog that the release “contains ten months worth of new features, stability fixes, performance work and bug fixes”. The Mono C# compiler is now a complete implementation of the C# 4.0 specification and defaults to operating as a 4.0 based platform.\r\n\r\nA new Generational GC (Garbage collector) offers better performance for applications which consume and reuse large amounts of memory; benchmarkingshows CPU use is now much more predictable. Support for LLVM has now been marked as stable with a mono-llvm command allowing server applications to run with an LLVM back end, potentially offering greater performance; JIT compilation with LLVM is described as “very slow” in the release notes and therefore only currently suits long-lived server processes.\r\n\r\nOther changes include the incorporation of a range of new frameworks; the Parallel Framework and System.XAML are new to the core of Mono, while Microsoft’s open sourced frameworks (System.Dynamic, Managed Extensibility Framework, ASP.NET MVC 2 and the OData client framework System.Data.Services.Client) are bundled with Mono. Support for OpenBSD has also been incorporated into the release.\r\n\r\nMono 2.8 is not a long term support release as the updates have “not received as much testing as they should”; Mono 3.0 will be the next long term supported release and users wanting the “absolute stability” of a thoroughly tested version are recommended to use Mono 2.6. Information on other new features and details of removed libraries are available in the release notes. Mono 2.8 is available to download for Windows, Mac OS X, openSUSE, Novell Linux Enterprise Desktop and Server, Red Hat Enterprise Linux and CentOS and other Linux systems and is licensed under a combination of open source licences.

ASP.NET Security Vulnerability Workaround

Update on ASP.NET Vulnerability

\r\n Earlier this week We posted about an ASP.NET Vulnerability.\r\nMicrosoft is actively working on releasing a security update that fix the issues ready for broad distribution across all Windows platforms via Windows Update. We’ll post details about this once it is available.\r\n \r\n\r\nRevised Workaround and Additional URLScan Step\r\nIn our first community post we covered a workaround you can apply immediately on your sites and applications to prevent attackers from exploiting it. Today, we are revising it to include an additional defensive measure.\r\nThis additional step can be done at a server-wide level, and should take less than 5 minutes to implement. Importantly, this step does not replace the other steps in the original workaround, rather it should be done in addition to the steps already in it. Below are instructions on how to enable it.\r\n \r\n\r\nInstall and Enable IIS URLScan with a Custom Rule\r\n\r\nIf you do not already have the IIS URLScan module installed on your IIS web server, please download and install it:\r\n\r\n \r\n

\r\nIt takes less than a minute to install on your server.\r\n \r\n\r\nAdd an Addition URL Scan Rule\r\nOnce URLScan is installed, please open and modify the UrlScan.ini file in this location:\r\n

%windir%\system32\inetsrv\urlscan\UrlScan.ini

\r\nNear the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section. Add an additional “aspxerrorpath=” entry immediately below it and then save the file:\r\n\r\n \r\n

[DenyQueryStringSequences]\r\naspxerrorpath=

\r\nThe above entry disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return an HTTP error. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.\r\nAfter saving this change:\r\n\r\n

run “iisreset”\r\nfrom a command prompt (elevated as admin\r\n

\r\nFor the above changes to take effect. To verify the change has been made, try accessing a URL on your site/application that has a querystring with an aspxerrorpath and verify that an HTTP error is sent back from IIS.\r\n URL Scan Summary\r\nIf you’ve already implemented the workaround we’ve previously published, please add the above step to help block attackers from exploiting the vulnerability.\r\nOur team is working around the clock to release an update via Windows Update that fixes the underlying product vulnerability. Until that update is available, you can use the above workaround to help prevent attackers from using the vulnerability against your applications.\r\nOnce we release the security update, you will no longer need to implement any workaround steps.\r\n\r\nThe alternative option: Using IIS request filtering:\r\nThese instructions are an alternative for the UrlScan instructions above for systems running IIS on Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, or Windows Server 2008 R2.\r\n1. Install the Request Filtering feature in IIS through either Add/Remove Programs or Role Manger by selecting the feature under Internet Information Services, World Wide Web Services, Security.\r\n2. Launch Internet Information Services (IIS) Manager.\r\n3. Select the server node in the left pane.\r\n4. Double-click Request Filtering.\r\n5. Select the Query Strings tab and click Deny Query String … in the Actions pane.\r\n6. Enter aspxerrorpath= in the dialog box and select OK.\r\n\r\nAlternatively, you can also use the following appcmd command to set this request querystring:\r\n

appcmd set config /section:requestfiltering /+denyQueryStringSequences.[sequence=’aspxerrorpath=’]

\r\nFor more information on using appcmd to configure IIS, see Getting Started with AppCmd.exe.\r\n\r\nConfigure ASP.Net applications to use uniform custom errors\r\nIn the root folder of each ASP.NET web application, determine if you already have a web.config file in this folder. You must have rights to create a file in the target directory to implement this workaround.\r\nIf the ASP.NET application does not have a web.config file:\r\n\r\nOn .NET Framework 3.5 and earlier\r\n1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents:\r\n

<configuration>\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” defaultRedirect=”~/error.html” />\r\n</system.web>\r\n</location>\r\n</configuration>

\r\n2. Create a text file named error.html containing a generic error message and save it in the root folder of the ASP.NET application.3. Alternatively, you can rename error.html in the web.config file to point to an existing error page, but that page must display generic content, not context-specific content.\r\n\r\nOn .NET Framework 3.5 Service Pack 1 and later\r\n1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents:\r\n

<configuration>\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” redirectMode=”ResponseRewrite” defaultRedirect=”~/ErrorPage.aspx” />\r\n</system.web>\r\n</location>\r\n</configuration>

\r\n2. If you are comfortable using C#, we recommend using the following ErrorPage.aspx\r\n\r\nfile:\r\n

<%@ Page Language=”C#” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nvoid Page_Load()\r\n{\r\nbyte[] delay = new byte[1];\r\nRandomNumberGenerator prng = new RNGCryptoServiceProvider();\r\nprng.GetBytes(delay);\r\nThread.Sleep((int)delay[0]);\r\nIDisposable disposable = prng as IDisposable;\r\nif (disposable != null)\r\n{\r\ndisposable.Dispose();\r\n}\r\n}</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title> </title>\r\n</head>\r\n<body>\r\n<div> An error occurred while processing your request.     </div>\r\n</body>\r\n</html>

\r\n3. If you are comfortable using Visual Basic .NET, we recommend using the following ErrorPage.aspx file:\r\n

<%@ Page Language=”VB” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nSub Page_Load()\r\nDim delay As Byte() = New Byte(0)\r\n{\r\n}\r\nDim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()\r\nprng.GetBytes(delay)\r\nThread.Sleep(CType(delay(0), Integer))\r\nDim disposable As IDisposable = TryCast(prng, IDisposable)\r\nIf\r\nNot disposable Is Nothing\r\nThen\r\ndisposable.Dispose()\r\nEnd IfEnd Sub\r\n</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title></title>\r\n</head>\r\n<body>\r\n<div>  An error occurred while processing your request.  </div>\r\n</body>\r\n</html>

\r\nIf the ASP.NET application already has a web.config file:\r\n\r\nOn .NET Framework 3.5 RTM and earlier\r\n1. Insert the bracketed text in the sample below into your existing web.config file:\r\n

<?xml version=”1.0″?>\r\n<configuration>\r\n<configSections> …  </configSections>\r\n<appSettings> … </appSettings>\r\n<connectionStrings> … </connectionStrings>\r\n[\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” defaultRedirect=”~/error.html” />\r\n</system.web>\r\n</location>\r\n]\r\n<system.web> … </system.web>\r\n<system.codedom> … </system.codedom>\r\n</configuration>

\r\n2. Create a text file named error.html containing a generic error message and save it in the root folder of the ASP.NET application.\r\n3. Alternatively, you can rename error.html in the web.config file to point to an existing error page, but that page must display generic content, not context-specific content.\r\n\r\nOn .NET Framework 3.5 Service Pack 1 and later\r\n1. Insert the bracketed text in the sample below into your existing web.config file:\r\n

<?xml version=”1.0″?>\r\n<configuration>\r\n<configSections> … </configSections>\r\n<appSettings> … </appSettings>\r\n<connectionStrings> … </connectionStrings>\r\n[\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” redirectMode=”ResponseRewrite” defaultRedirect=”~/ErrorPage.aspx” />\r\n</system.web>\r\n</location>]\r\n</configuration>\r\n<system.web> … </system.web>\r\n<system.codedom> … </system.codedom>\r\n</configuration>

\r\n2. If you are comfortable using C#, we recommend using the following ErrorPage.aspx file:\r\n

<%@ Page Language=”C#” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nvoid Page_Load()\r\n{\r\nbyte[] delay = new byte[1];\r\nRandomNumberGenerator prng = new RNGCryptoServiceProvider();\r\nprng.GetBytes(delay);\r\nThread.Sleep((int)delay[0]);\r\nIDisposable disposable = prng as IDisposable;\r\nif\r\n(disposable != null)\r\n{\r\ndisposable.Dispose();\r\n}\r\n}\r\n</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title></title>\r\n</head>\r\n<body>\r\n<div> An error occurred while processing your request. </div>\r\n</body>\r\n</html>

\r\n3. If you are comfortable using Visual Basic .NET, we recommend using the following ErrorPage.aspx file:\r\n

<%@ Page Language=”VB” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nSub Page_Load()\r\nDim delay As Byte() = New Byte(0)\r\n{\r\n}\r\nDim prng As RandomNumberGenerator = New  RNGCryptoServiceProvider()       prng.GetBytes(delay)\r\nThread.Sleep(CType(delay(0), Integer))\r\nDim disposable As IDisposable = TryCast(prng, IDisposable)\r\nIf\r\nNot disposable Is Nothing\r\nThen\r\ndisposable.Dispose()\r\nEnd If\r\nEnd Sub\r\n</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title></title>\r\n</head>\r\n<body>\r\n<div> An error occurred while processing your request. </div>\r\n</body>\r\n</html>

\r\nImpact of Workaround:\r\nIf an error occurs during a Web transaction, the Web clients will see the same generic error message on the server, regardless of what error actually occurs. Additionally, any requests for Web pages which contain the string aspxerrropath= in the querystring portion of the URL will be blocked, and an HTTP error message returned to the client.\r\n\r\nYou can learn more about this vulnerability and the workaround from:\r\n\r\n