Jun 13, 2011
Prof-UIS 2.92 Released!
We are pleased to announce the release of Prof-UIS v.2.92. The major new feature is popover scrollbars. They stay invisible until the user moves the mouse over the scrollable window. Every grid cell now features a new content tip, which can host either plain text or HTML. The CExtRichContentScrollWnd control now allows you to attach a window handle to an HTML element by element ID.
You can find the entire list of changes on the Version History page. The new version is available for immediate download from our web site.
Jun 02, 2011
Elegant Ribbon 4.2 Released!
We are pleased to announce the release of Elegant Ribbon v.4.2. This release adds several new features, such as ListBox and CheckedListBox controls, new controls supported in a popup menu, and a number of other improvements.
The new version is available for immediate download from our website. If you have a valid maintenance subscription, you can get the license key for version 4.2 as described below:
- Login at www.prof-uis.com
- Click My Account in the top right corner
- Click My License Keys and find the key in the list
If your subscription includes the source code, please request it via email at support@prof-uis.com
Mar 14, 2011
Elegant Ribbon 4.1 Released!
We are pleased to announce the release of Elegant Ribbon v.4.1. This is a minor release with several new features and bug fixes.
The new version is available for immediate download from our website. If you have a valid maintenance subscription, you can get the license key for version 4.1 as described below:
- Login at www.prof-uis.com
- Click My Account in the top right corner
- Click My License Keys and find the key in the list
If your subscription includes the source code, please request it via email at support@prof-uis.com
Feb 07, 2011
FOSS Software, Inc. has created a Mobile software development department
FOSS Software, Inc. has created a Mobile software development department. The new department has already successfully released a line of mobile applications (iPhone, Android, Blackberry) for Access Control Systems and other solutions. Our mobile software development services are specifically designed to quickly transform your existing online business into a successful mobile one, and your new ideas into successful mobile products. We make sure that your customers can reach you at the moment they really need you, wherever they may be.
Jan 26, 2011
Elegant Ribbon 4.0 Released!
We are happy to announce the release of Elegant Ribbon 4.0. The new version introduces a multi-purpose Navigation Bar control that allows you to combine similar items in vertically stacked groups so that the user can easily navigate through and access these items. You can read about all new features and bug fixes here.
The new version is available for immediate download from our website. If you have a valid maintenance subscription, you can get the license key for version 4.0 as described below:
- Login at www.prof-uis.com
- Click My Account in the top right corner
- Click My License Keys and find the key in the list
If your subscription includes the source code, please request it via email at support@prof-uis.com
Dec 10, 2010
Elegant Ribbon 3.8 Released!
We are pleased to announce the final release of Elegant Ribbon v.3.8. This major version delivers a lot of new features, including an updated backstage view with pin list controls and three Office 2010 themes, new controls (SplitContainer, NotifyIcon, DropDownColorPicker, GroupBox, ScrollableControl), improved navigation and performance, and more.
The new version is available for immediate download from our website. If you have a valid maintenance subscription, you can get the license key for version 3.8 as described on www.prof-uis.com.
Dec 02, 2010
Elegant Ribbon 3.8 Beta 2 Released!
We are happy to announce the availability of the second beta release of Elegant Ribbon 3.8. This version introduces a number of new features, including SplitContainer, NotifyIcon and GroupBox controls, three Office 2010 themes for the Backstage View, and more. You can read about all new features and bug fixes on the Version History page.
You are welcome to download it, test it and discuss it in our forum. If you have a valid technical support subscription, you can get a license key for the new version from our web site.
Nov 02, 2010
Prof-UIS 2.91 Released!
We are pleased to announce the release of Prof-UIS v.2.91. The major new feature is a fully-fledged declarative UI we call HTML Everywhere. Now you can not only visualize UI elements with HTML but also subscribe and respond to events triggered inside those elements. A new backstage view control, similar to the one introduced in Microsoft Office 2010, is based entirely on this declarative UI. A control like the backstage view has only one window handle and does not consume any additional window handles at all. HTML Everywhere, which first appeared as a beta in v.2.90, is now much faster, supports most HTML and CSS features, and can even visualize the HTML generated by Microsoft Word.
You can find the entire list of changes on the Version History page. The new version is available for immediate download from our web site.
Oct 28, 2010
Elegant Ribbon 3.8 Beta Released!
We are happy to announce the beta release of Elegant Ribbon 3.8. The new features include an updated backstage view with new pin list controls, scrollable containers and improved navigation, a color picker drop-down, a color picker dialog, and more. You can read about all new features and bug fixes on the Version History page.
You are welcome to download it, test it and discuss it in our forum. If you have a valid technical support subscription, you can get a license key for the new version from our web site.
Jul 20, 2010
Elegant Ribbon 3.7 Released!
We are pleased to announce the release of Elegant Ribbon v.3.7. The new version introduces a Backstage View, a number of themed controls (Slider, MessageBox and PictureBox) and other improvements. You can read about all new features and bug fixes on the Version History page.
The new version is available for immediate download from our website.
Jun 22, 2010
Prof-UIS 2.90 Released!
We are pleased to announce the release of Prof-UIS v.2.90. This version presents several important features that should make your MFC applications easier to interact with and more appealing to your users, including support for displaying HTML content in the text area of almost any Prof-UIS control, a video control with a themed background, and themed scroll bars for the Visual Studio 2010 theme. You can find the entire list of changes on the Version History page.
The new version is available for immediate download from our web site.
Apr 27, 2010
Prof-UIS 2.89 Released!
We are happy to announce the release of Prof-UIS v.2.89. This version includes a new Visual Studio 2010 theme, an updated Prof-UIS Integration Wizard, which now supports Visual Studio 2010, and a lot of improvements and bug fixes. You can find the entire list of changes on the Version History page.
The new version is available for immediate download from our web site.
Apr 07, 2010
Elegant Ribbon 3.6 Released!
We are pleased to announce the release of Elegant Ribbon v.3.6. The new version introduces three new Office 2010 themes: Blue, Black and Silver. Elegant Ribbon is now compatible with Visual Studio 2010. There are some other new features, improvements and bug fixes that you can read about on the Version History page.
The new version is available for immediate download from our website.
Feb 12, 2010
Elegant Ribbon 3.5 Released!
We are pleased to announce the release of Elegant Ribbon v.3.5. This is primarily a maintenance release with some new features and enhancements. The Windows 7 theme is now available both for the ribbon and for common controls, so you can use this theme for your entire application. You can read the full version history here.
The new version is available for immediate download from our website.
Dec 14, 2009
Prof-UIS 2.88 Released!
We are pleased to announce the release of Prof-UIS 2.88. This version is a minor release with three new Office 2010 themes: Blue, Silver and Black. The new version is available for immediate download from our web site.
Nov 13, 2009
Prof-UIS 2.87 Released!
We are pleased to announce the release of Prof-UIS 2.87. The new version features a new Office 2010 theme and new controls and grid cells that allow the user to edit numbers and currency values. There are also a lot of improvements, particularly in the visual look of controls.
You can find the entire list of new features, improvements, and bug fixes on the Version History page.
The new version is available for immediate download from our web site.
Oct 07, 2009
Elegant Ribbon 3.3 Released!
We are proud to announce the release of Elegant Ribbon v.3.3. The version introduces a new Office 2010 TP theme, better support for large dpi settings, eleven new localizations and a number of other features. All known bugs and issues are fixed.
You can find the entire list of changes in the Version History section.
The new version is available for immediate download from our website.
Sep 01, 2009
I-WANT-SUSHI.com e-commerce web project is released
FOSS Software, Inc. and I-WANT-SUSHI.com Corp. have released a new e-commerce project. The goal of this project is to make it possible for any sushi bar or restaurant to receive takeout and delivery orders online. Online ordering is 20 times quicker than ordering by phone and saves both the restaurant and the client time and money. The project web site is fully based on FOSS Software's products: the WWW Support Content Management System and the eShop e-Commerce system.
Jun 22, 2009
Elegant Ribbon 3.2 Released!
We are pleased to announce the release of Elegant Ribbon v.3.2. The version features a new theme consistent tab control with RTL support and a number of improvements. All known bugs are fixed.
You can find the entire list of changes in the Version History section.
The new version is available for immediate download from our website.
Mar 13, 2009
FOSS Software wins ComponentSource Bestselling Publisher Awards for 2008!
FOSS Software, Inc. is once again a winner of the ComponentSource Bestselling Publisher Awards for 2008. In previous years, it was also among the winners of ComponentSource's "Top 100 Publisher Awards": 2007, 2006...
FOSS Software, Inc. specializes in developing a wide range of products and components: Prof-UIS, Elegant Ribbon, Elegant Grid.
Feb 12, 2009
New version of access control system product released
Synergistics, Inc., using the services of FOSS Software, Inc., has released a new version of its flagship access control product, Presidio. This version supports different types of access control devices from Mercury Security Corp. (www.mercury-security.com) and Millennium Group, Inc. (www.millennium-groupinc.com).
Dec 18, 2008
Prof-UIS 2.84 Released!
We are pleased to announce the release of Prof-UIS 2.84. The new version introduces a lot of new controls, features, improvements and bug fixes. The new controls include a list view, a tree view, a masked edit, a message box, a scrollable container window and more. All controls are fully consistent with Prof-UIS themes and have an advanced feature set. We are also excited to announce the availability of the first beta of a set of shell controls including a File Open/Save dialog, a Browse for Folder dialog and more. You can find the entire list of new features, improvements, and bug fixes in the Version History section. The new version is available for immediate download from our web site.
Nov 03, 2008
New customer’s web site released
FOSS Software, in cooperation with Photonic Instruments, Inc. and designer Jodi Makovsky, has successfully released the Photonic Instruments company web site, www.photonic-instruments.com. This web site uses the WWW Support system (www.w3spt.com) in the background for content management, administration and email notification.
Jul 10, 2008
Elegant Ribbon 3.1 Released!
We are pleased to announce the release of Elegant Ribbon v.3.1. This version introduces a new visual theme, System, which provides a look native to the operating system on which the application is running. The theme is not based on bitmaps, so all graphics are rendered programmatically depending on the current Windows theme. From this version on, each visual theme is represented by a separate assembly, so you can simply exclude any visual themes that you are not using from your installer package. The new FAQ section, Visual Themes, should help answer questions you may have about using themes.
Jun 10, 2008
Prof-UIS 2.83 Released!
We are pleased to announce the release of Prof-UIS 2.83. The new version introduces a lot of new features including skinned grids, frozen grid columns and rows, merged grid cells, a date browser control, support for a cue banner in the edit control and much more. You can find the entire list of new features, improvements, and bug fixes in the Version History section. The new version is available for immediate download from our web site.
Mar 04, 2008
Elegant Ribbon 3.0 Released!
We are happy to announce the new major release of Elegant Ribbon. Version 3.0 introduces right-to-left (RTL) support for all controls, MDI support for the ribbon, the ability to use ribbon galleries on forms, Calendar and Date/Time Picker controls and much more. You can find the entire list of changes in the Version History section.
The new version is available for immediate download from our website. If you have a valid subscription, you can retrieve the license key for version 3.0 as it is described below:
- Login at www.prof-uis.com
- Click My Account in the top right corner
- Click My License Keys
If your subscription includes the source code, please request it via email at support@prof-uis.com.
Jan 03, 2008
Prof-UIS 2.82 Released!
We are pleased to announce the release of Prof-UIS 2.82. The new major features include filtering and searching capabilities for Prof-UIS grid controls (CExtDataGridWnd, CExtTreeGridWnd and CExtReportGridWnd) and a Visual Studio 2008 theme with new docking markers. There are also lots of other new features, enhancements and bug fixes (see the complete list of changes).
Both Prof-UIS and Prof-UIS Freeware are available for immediate download from our web site.
Nov 15, 2007
Elegant Ribbon 2.2 Released!
We are proud to announce the release of Elegant Ribbon 2.2. The new major release includes ribbon galleries, contextual tabs, context menus, radio buttons, Microsoft Active Accessibility support and more. All the features are fully supported in the Windows Forms Designer and fully compliant with the 2007 Microsoft Office System User Interface Design Guidelines. You can find the entire list of new features, improvements, and bug fixes in the Version History section.
The new version is available for immediate download from our website. If you have a valid subscription, you can retrieve the license key for version 2.2 as it is described below:
- Login at www.prof-uis.com
- Click My Account in the top right corner
- Click My License Keys
If your subscription includes the source code, please request it via email at support@prof-uis.com.
Oct 19, 2007
Prof-UIS 2.81 Released!
We are pleased to announce the release of Prof-UIS 2.81. There are a lot of new features and improvements in this release including caption flashing for simple and dynamic control bars, which allows you to draw the user's attention to one or more control bars when a particular event occurs, and support for High Contrast color schemes, which is a Windows accessibility feature designed for people who have vision impairment. You can find the entire list of new features, improvements, and bug fixes in the Version History section.
Both Prof-UIS and Prof-UIS Freeware are available for immediate download from our web site.
Aug 14, 2007
Elegant Ribbon 2.1 Released!
We are happy to announce the release of Elegant Ribbon 2.1. The new version incorporates an advanced status bar similar to that in Microsoft Office 2007 ribbon-based applications, the Office 2007 Silver theme, Vista Glass support and more. All the implemented features are fully compliant with the 2007 Microsoft Office System User Interface Design Guidelines. You can find the entire list of new features, improvements, and bug fixes in the Version History section.
The new version is available for immediate download from our website. If you have a valid subscription, you can retrieve the license key for version 2.1 as it is described below:
- Login at www.prof-uis.com
- Click My Account in the top right corner
- Click My License Keys
If your subscription includes the source code, please request it via email at support@prof-uis.com.
Jul 19, 2007
Prof-UIS 2.80 Released!
We are pleased to announce the release of Prof-UIS 2.80. The new version introduces support for Visual Studio 9.0 and a lot of features and improvements primarily requested by our customers, including custom icon and text alignment for regular and toolbar buttons, multiline text in toolbar buttons and more. You can find the entire list of new features, improvements, and bug fixes in the Version History section.
The new version is available for immediate download from our web site.
Jun 26, 2007
Elegant Ribbon 2.0 Released!
We are pleased to announce the release of Elegant Ribbon 2.0. The new version introduces a number of important features, which make Elegant Ribbon fully compliant with the 2007 Microsoft Office System User Interface Design Guidelines. The new features include the Ribbon Application Menu, large buttons and button-based controls in pop-up menus, Minimize the Ribbon feature, support for two vertically distributed controls in a ribbon group and more.
We renewed the Ribbon UI sample with new tab pages and controls, so the Elegant Ribbon now looks and feels like the Ribbon in Microsoft Word 2007. We also added a new sample, Data Binding, which illustrates how to use complex data binding with Elegant Ribbon controls on the form.
The new version is available for immediate download from our website. If you have a valid subscription, you can retrieve the license key for version 2.0 as it is described below:
- Login at www.prof-uis.com
- Click My Account in the top right corner
- Click My License Keys
If your subscription includes the source code, please request it via email at support@prof-uis.com.
Feb 09, 2007
FOSS Software receives an award from ComponentSource
Based on the sales results for 2006, ComponentSource® has named FOSS Software among the Top 100 leading publishers worldwide.
The allocation of the awards was based on real sales orders placed by ComponentSource® customers globally throughout 2006.
ComponentSource® used the following ranking method to select the leaders:
- total sales USD $ order value for all the individual products in their product range aggregated together
- for sales made to our customers in over 110 countries worldwide
- less the value of any refunds made due to issues with their products
- between the dates 1st Jan 2006 to 31st Dec 2006 inclusive
- sales made in non-USD $ currencies have been converted into USD $ to get a final total value
- the list has then been sorted and the awards made based on the publisher ranking achieved
Jan 24, 2007
Elegant Ribbon 1.0 for .NET Released!
Today we are proud to announce the release of Elegant Ribbon v.1.0, a set of Windows Forms controls that allow you to quickly and easily provide your application with a new-generation user interface like that introduced in Microsoft Office 2007.
Elegant Ribbon provides many powerful features like context-sensitive and windowless controls, command-oriented programming interface, XML-based skinning with Blue and Black themes provided, WYSIWYG and rich design-time support in Visual Studio, one of the fastest automatic scaling of controls and much more.
The new product is designed for Visual Studio 2005. You are welcome to download and evaluate Elegant Ribbon.
To introduce the new product, we are glad to announce a limited-time offer: a 50% discount off the regular price.
Sep 18, 2006
Prof-UIS 2.60 Released!
We are pleased to announce the latest major release of Prof-UIS for Visual C++/MFC developers. Prof-UIS 2.60 is available for immediate download from our website.
The new version introduces the release candidate of the ribbon bar control, which is similar to that of the new streamlined Microsoft Office user interface. The 25 new classes implementing the ribbon control are designed to give you maximum control and flexibility when creating your ribbon-based applications. The RibbonBar and RibbonPage samples demonstrate how to incorporate the new user interface.
The help has been updated to reflect new classes added in the previous minor releases. It comes with the library installer or can be downloaded directly from our website.
You can find the entire list of new features, improvements, and bug fixes in the Version History section.
Jul 20, 2006
Elegant Grid v.1.2 and Early Preview of Elegant Ribbon Available!
We are pleased to announce the release of Elegant Grid v.1.2, which is a set of feature-rich and extensible .NET components designed to help developers easily create the presentation layer of table and hierarchical data for professional Windows Forms applications. Elegant Grid v.1.2 is primarily a maintenance release and includes minor bug fixes and enhancements.
We would also like to introduce an early preview of another product for .NET Windows Forms developers: Elegant Ribbon. This UI component is designed to implement the appearance and functionality of the new-generation user interface introduced in Microsoft Office 2007. To achieve this, we are using several innovative approaches, including context-aware and windowless controls, a command-oriented architecture, XML-based skinning, and WYSIWYG support. The first alpha is coming soon, so stay tuned!
Jul 14, 2006
New web site has been developed and launched by FOSS Software, Inc.
The new site www.newtoninternational.com has launched. Newton International is a leading company in Security, Life Safety and Automatic Identification industries. The site was implemented and designed by FOSS Software, Inc. using ASP .NET, AJAX, JavaScript, CSS, HTML technologies. It is fully based on FOSS Software's WWW Support CMS.
Jun 16, 2006
Elegant Grid 1.1 for .NET Released!
We are proud to introduce the final release of the Elegant Grid, our new product for Windows Forms developers. Since the last beta, we have added complete documentation, Luna Blue and Obsidian built-in skins that produce the Microsoft Outlook 2007 styles, and other new features and bug fixes.
The API and form designer tools of the Elegant Grid are specially designed to follow the standard approaches used in Windows Forms, which allows you to start your development easily. The grid architecture is developed with a specific focus on extensibility. We hope that, along with an extensive list of features, you will get a powerful and affordable set of components for creating professional .NET applications.
The Elegant Grid is available for immediate download from our website.
Mar 22, 2006
Prof-UIS 2.53 Released!
Today we are proud to announce the release of Prof-UIS 2.53. The new version introduces greatly improved image/icon support (Vista/XP icon quality on any Windows OS starting from Windows 95/NT4 and enhanced support for hovered, pressed and disabled images), a new set of cell classes for the data and property grid controls (progress bar, slider, picture, numeric, currency, exponential, fraction, and percentage), an updated combo box with a multicolumn pop-up list box and autofilter support, and much more.
The Prof-UIS Integration Wizard is now completely renewed and based on new Prof-UIS skinning capabilities.
Prof-UIS 2.53 also introduces the first alpha version of the report grid control.
Prof-UIS, Prof-UIS Trial, and Prof-UIS Freeware are available for immediate download from our website.
Nov 01, 2005
Prof-UIS 2.50 Released!
We are pleased to introduce Prof-UIS 2.50, the new major release, which contains many new features and enhancements since the previous major release including compound properties for the property grid control, tabbed toolbars, tear-off menus, palette menus, shadow support for tooltips and much more. To see the full list of new features, improvements, and bug fixes, visit the Version History section of our website! You can download and try Prof-UIS 2.50 right now!
Besides Microsoft HTML Help 1 (chm and chi files), the technical documentation now supports the Microsoft HTML Help 2 format (HxS and HxI files) and can be integrated with the Combined Help Collection for Visual Studio 2002/2003/2005. All the new classes are fully documented.
We would also like to draw your attention to the fact that we added the Prof-UIS Application Wizard for Visual Studio 2005, and that the Integration Wizard is capable of compiling any library configuration available in Prof-UIS as well as the ProfAuto library, which provides a fully scriptable COM-compliant interface.
Jul 05, 2005
Prof-UIS 2.40 Released!
Today we are proud to announce the release of Prof-UIS 2.40, which includes many new features and enhancements since the previous major release of 2.30. The most important features include the property grid control, dynamic resizable control bars, RTL support, date and time picker control, time duration control, and VS 2005 Beta 2 GUI theme support. Prof-UIS is now compatible with Microsoft Visual Studio 2005 Beta 2.
To demonstrate how to use new features, we added new samples (SDI_DynamicBars, MDI_DynamicBars, and Property Grid) and updated old ones (LanguageSwitcher and Prof-UIS Controls).
New classes are now fully documented. The updated help also includes a new class hierarchy chart that features pan and zoom, class description, and simple and advanced search. The FAQ section is now categorized.
Dynamic Control Bars for MDI and SDI Applications with Tabbed Interface is a new article that explains what dynamic control bars are and how they can be used.
You can find the entire list of new features, improvements and bug fixes in the Version History section.
Both Prof-UIS and Prof-UIS Freeware are available for immediate download at www.prof-uis.com/download.aspx!
Feb 19, 2005
Prof-UIS 2.30 Released!
We are glad to announce the release of Prof-UIS 2.30. Most of the new features introduced in this version were requested by our customers. These features mostly deal with modern elements of the graphical user interface implemented in the latest Microsoft products:
- tab controls, MDI tabs and tab containers like those available in OneNote and Visual Studio 2005 (aka Whidbey)
- Page Navigator like the Navigation pane in Office 2003
- toolbox like that found in Visual Studio 2005
We also implemented undo/redo drop-down buttons and menu items in toolbars and pop-up menus, and some other features.
To see the full list of new features, improvements, and bug fixes, visit the Version History section of our website! You can download and try Prof-UIS 2.30 right now!
From this release on, the new versions will be marked as follows:
- Prof-UIS X.X0 stands for a major version (e.g., Prof-UIS 2.30)
- Prof-UIS X.XX stands for a minor/intermediate version (e.g., Prof-UIS 2.31)
In response to customer requests, we are now publishing all intermediate releases, which are available as source code to registered users with a valid subscription. To subscribe to notifications about all new intermediate releases, updates and samples, please
- Log in at www.prof-uis.com
- Click My Profile on the green navigation pane
- Click View/Edit My Personal Information
- Check Yes, I wish to receive e-mail notifications about all new intermediate versions, updates, and samples
- Click Save Changes
We always welcome your feedback, questions, and feature requests!
Jan 18, 2005
Prof-UIS Frame Features v.1.2 Released!
Today we are happy to announce the release of the first version of Frame Features. It is an ActiveX control that uses the rich features of Prof-UIS through the intermediary OLE Automation package (ProfAuto). Whether you are using VB 6.0, VB.NET, C#, J#, or some other language, Frame Features allows you to enrich your application with the newest and most popular features of dockable toolbars, menus, and status bars available in the latest Microsoft products, including Office XP/2003 and Visual Studio .NET/2005.
Frame Features can be used in most of the form designers supporting the ActiveX container technology. It can also be used in any other environment that provides access to a handle of the window in which the dockable windows supported by Frame Features should be displayed.
The control comes with a set of property pages (Property Builder) with which you can easily and quickly create the user interface in the design mode. Alternatively, the user interface can be implemented completely programmatically at runtime.
To help developers quickly start employing the power of Frame Features, we included SDI and MDI sample applications for the following development environments: Visual Basic 6.0, Visual Java++ 6.0, C# 7.0, C# 7.1, C# 8.0, J# 7.1, J# 8.0, Visual Basic 7.0, and Visual Basic 7.1. Frame Features even works perfectly with Internet Explorer, as the HTA sample application demonstrates.
We plan to add support for resizable control bars and some other Prof-UIS features in the next releases of Frame Features.
Please take a look at the key features, take a feature tour and download Frame Features right now! We hope you will enjoy it.
Dec 11, 2004
Prof-UIS 2.27 Released!
We are pleased to announce the release of Prof-UIS 2.27. In this version we put more emphasis on improvements to the general look and feel of the interface than on adding completely new GUI components. These improvements touch almost every aspect of interaction between the user and the application, from enhanced drawing to much better performance in dragging and docking.
A whole new approach to loading language-dependent resources of any type is implemented in a new component, which we called the Resource Manager. It allows you to switch between the languages supported in Prof-UIS or your application on the fly and, most remarkably, it does not require you to ship a set of resource DLL files.
New features also include draggable tabs for the tab control and tab page container, a custom docking outline, and the ability to customize the Office 2003 theme. The latter, for example, allows your application to imitate Windows XP themes on OSes other than Windows XP.
Two new sample applications, ThemeColorizer and LanguageSwitcher, illustrate how the new features can be used. A number of bugs reported by library users have been fixed.
Check out the full list of new features, improvements, and bug fixes in the Version History section! You can download and try Prof-UIS 2.27 right now!
With the Christmas holidays just around the corner, we are delighted to offer a 20% discount on our standard prices! This Christmas offer is valid until January 05, 2005.
Nov 11, 2004
Frame Features preview release is available for download!
We are pleased to announce the availability of the first version of our new product called Frame Features. It is an ActiveX control that features the dockable menu bar with automatic support for lists of MDI windows, dockable toolbars, MDI tabs, completely customizable toolbars, menus, and keyboard accelerators, and much more. Frame Features gives you full control over the implemented features both at design and runtime. This has become possible because Frame Features uses the functionality of the Prof-UIS Automation Pack, an OLE Automation layer for Prof-UIS.
Frame Features has been tested in a number of ActiveX containers including those used in Visual Basic 6.0 and Visual Studio .NET/2003/2005.
You can download and try it right now! The installation includes samples for VB, VB.NET, and C#.
We welcome your comments and questions in our new forum!
Oct 18, 2004
Prof-UIS 2.26 Released!
We are happy to announce the release of Prof-UIS 2.26. The full version introduces two major features: OLE Automation support and Visual Studio 2005-like user interface. Automation is implemented as a COM library called ProfAuto. It allows the users to use scripting languages like VBScript for customizing and controlling menus, toolbars, and status bars. All properties and methods of ProfAuto are documented which, together with a how-to article titled Scripting Support in Prof-UIS Applications and ActiveScripts sample application, should help the developers easily use this feature in their products.
The second major feature enables you to use the GUI-related features presented in Visual Studio 2005 (aka "Whidbey"), including the new look and feel and docking markers. We also enhanced the Prof-UIS docking algorithm so that it completely eliminates flickering and makes detaching and docking tabs smoother. The library and samples are ready to be used with Visual Studio 2005.
Check out the full list of these and other new features, improvements, and bug fixes in the Version History section! You can download and try Prof-UIS 2.26 right now!
We also released Prof-UIS 2.26 Freeware, which is free for non-commercial use. The version is also compatible with Visual Studio 2005 and supports its GUI style and docking markers although it does not support docking tabs. Download and use it now!
Sep 30, 2004
FOSS Software, Inc. and Synergistics Inc. joint project
FOSS Software, Inc. and Synergistics, Inc. have signed an agreement and started a joint project aimed at moving the technical support system to the WWW Support platform. As part of this project, a new web site for Synergistics, Inc., http://www.synergisticsinc.com, has already been developed and launched; it uses the WWW Support system to manage its content.
Jul 12, 2004
Prof-UIS 2.25.1 and Prof-UIS 2.25 Freeware are available!
FOSS Software is glad to bring you the release of Prof-UIS 2.25.1, a minor update to Prof-UIS 2.25. The version mostly includes bug fixes for Prof-UIS 2.25, though some minor new features have also been added. Read the Version History section for details. Registered users may download the entire installation package, or just a patch to Prof-UIS 2.25 (at the bottom of the Download page).
We also released Prof-UIS 2.25 Freeware, which can only be used for non-commercial purposes. The version includes the features not available in Freeware 2.23, samples, and full source code. Responding to users' feedback, we added documentation.
If you are a native speaker of any language other than Czech, English, Korean, Russian, or Swedish, we invite you to become a volunteer translator. You would need to maintain the localization for your language. We may reciprocate with a license to the full version of Prof-UIS and our technical support. If you are interested in our offer, let us know!
Jun 22, 2004
Prof-UIS 2.25 Released!
Today we are pleased to announce the release of Prof-UIS 2.25. Among the new features are a date picker control which looks like and has the same features as the mini-calendar (the Date Navigator) in Microsoft Outlook, a dialog for managing open child windows in MDI applications (the “Windows…” dialog), and a set of enhanced standard controls.
A completely renewed Prof-UIS Controls sample demonstrates the existing and new features.
We also provided the documentation with indexes and made it more consistent with the MSDN MFC documentation style.
Check out the full list of features, improvements, and bug fixes in the Version History section!
Please download and try it now!
Feb 29, 2004
Prof-UIS 2.24 Released!
We are happy to announce the release of Prof-UIS 2.24. As usual the new version contains not only bug fixes, but new features, improvements, and samples.
The very first version of a powerful data grid control promises to be very helpful to the library users.
A new, highly customizable flat tab control and flat tab page container allow you to present data to your users in a handy and efficient way.
The status bar is enhanced with better support for GUI themes. It also enables you to insert controls of almost any kind into its panes and to redirect status tips to panes other than the pane with index 0.
Check out the full list of features, improvements and bug fixes in the Version History section!
Prof-UIS 2.24 comes with five new samples, which demonstrate the new features and how they can be used in your applications.
Please download and try it now!
Feb 28, 2004
Prof-UIS Freeware 2.23 Released!
We are glad to bring you Prof-UIS 2.23 Freeware, the free-for-non-commercial-use version of Professional User Interface Suite. It incorporates a new slider/scrollbar button, an enhanced status bar, added support for the push-like check box in the button control, and a number of bug fixes. Full source code is available. Please download and use it for free! You can discuss any issues on how to use the library at our public forum.
Nov 10, 2003
Prof-UIS-AX 2.0 RELEASED!
We are pleased to announce the release of Prof-UIS-AX 2.0, the ActiveX version of Prof-UIS. Version 2.0 introduces new features and improvements such as a toolbox control, some non-visual tools, extended functionality of the toolbar and combobox, a set of animation effects and more. Some minor bugs were fixed. The release comes with help documentation and VB and C# sample applications highlighting the Prof-UIS-AX functionality.
Please download and try it right now!
Sep 26, 2003
Prof-UIS 2.23 Released!
Prof-UIS 2.23 has been released and is available for download. It includes a number of new features such as customizable keyboard accelerators, the Options page for the Customize form, consistent resizable combo/edit fields in toolbars and menus, the Add/Remove Buttons submenu available in chevron menus and more.
A completely renewed Integration Wizard allows you to easily build the required library configurations, set library paths, add the Application Wizard, and integrate the renewed Prof-UIS Help into MSDN. The wizard itself was made with Prof-UIS, which is one more sample of how the library can be used.
Prof-UIS is now available in German, Polish, Russian and Swedish. Please download and try it to make sure the library fits your requirements!
Sep 25, 2003
Prof-UIS 2.22 FREEWARE Released!
Today we are pleased to announce the release of Prof-UIS 2.22 Freeware, a free-for-non-commercial-use version. Alpha icon support and experimental compatibility with the native Unicode character type introduced in Microsoft Visual Studio .NET have been added to the library. Some bugs were fixed.
Prof-UIS 2.22 Freeware comes with full source code. Download and use it for free!
Sep 04, 2003
First ActiveX version of Prof-UIS Released!
We are pleased to introduce the first ActiveX version of the Prof-UIS library.
Prof-UIS-AX is aimed at helping developers who use Visual Basic, C# and other languages that support ActiveX to provide their applications with an up-to-date GUI not available in standard development tools.
Version 1.0 includes several enhanced UI components: a menu bar, toolbar, popup menu and some common controls.
You can download and try it right now!
Jul 08, 2003
Prof-UIS 2.22 Released!
Today we are pleased to announce the release of version 2.22 of Professional User Interface Suite. This version includes customizable toolbars and menus, Microsoft Office® 2003 theme support, a new image editor component that allows you to edit icons and bitmaps with any color depth, a new easy-to-use icon editor dialog, Microsoft Visual Studio .NET 2003 compatibility, multi-monitor support and other enhancements.
Several new and updated samples are provided to show how to use Prof-UIS functionality. The release also includes an updated help file with colorized keywords and information on new classes.
Please download it and try it now!
Jul 07, 2003
Prof-UIS 2.21 Freeware is available!
We are proud to bring you Prof-UIS 2.21 Freeware, the free-for-non-commercial-use version of Professional User Interface Suite. It incorporates MS Office® 2003 theme support, streamlined menus and control bars, Visual Studio .NET 2003 compatibility, multi-monitor support and a number of bug fixes. Full source code is available. Please download it and use it for free! You can discuss any issues on how to use the library at our public forum.
Jun 05, 2003
New Website Launched!
We are happy to introduce our new website, www.prof-uis.com, which we hope will offer our Prof-UIS users enhanced functionality, content and services. A new version of Prof-UIS with new features and samples will also be released soon. Among the new features are streamlined menus and control bars, multi-monitor support, a new image editor component that allows you to edit icons and bitmaps with any color depth, Microsoft Office 2003 theme support, and Microsoft Visual Studio .NET 2003 compatibility.
Feb 09, 2003
Prof-UIS Version 2.21 is available!
We are pleased to announce the availability of version 2.21 of Prof-UIS, our MFC extension library. This new version includes a number of new features, enhancements, and bug fixes. Updated and completely new samples are intended to illustrate the features and help our customers implement the library in their projects without a hitch. The help file has been updated with information on new classes. Click here to get the Trial or Commercial version!
Sep 16, 2002
Prof-UIS Version 2.20 is available!
The new version of the Prof-UIS library is now available. Version 2.20 contains many new features and improvements, which are listed here. The release also includes a number of completely new samples and an extensive help file. Click here to get the Free, Trial, or Commercial version!
Sep 16, 2002
Act Now! 30x30 Special Offer!
Act Now! 30x30 Special Offer! The first 30 buyers will receive 30% OFF the suggested retail price on all FOSS Software products!
Sep 16, 2002
TCPFOSS Version 3.15 is available!
An updated version of TCPFOSS is now available. Version 3.15 includes some bug fixes. You can download the Trial or Commercial version here!
Aug 30, 2002
Prof-UIS Version 2.20 is coming soon!
Prof-UIS Version 2.20 will be released at the beginning of September. The library will be available in three versions: free, trial and commercial. Here is a preliminary list of new features:
- Visual Studio .NET like resizable control bar, which optionally shows its content while dragging/resizing as the Task Area bar does in Office 2000 and Office XP. Resizable bars can be placed in all sorts of combinations relative to each other, both in the main frame window and in the smart floating containers
- Resizable dialog and resizable property sheet with styled push buttons, which both have the new system menu, and resizable property page. These windows also support the MFC automatic tooltip feature for their child toolbar windows
- Generalized template window classes for various common tasks like injecting non-client area borders into any window, providing flicker-free repainting, anchoring child windows to the borders of their parent window
- Visual Studio .NET like resizable control bar, which can be docked inside tab containers that have detachable tabs. It also optionally supports the autohide mode
- Powerful tab window, which supports the group mode like in autohide control bar areas in Visual Studio .NET, the Close and Help buttons (optional), different align modes for its tab items, horizontal and vertical styles, and the ability to dock automatically to the left/right/top/bottom side of its parent window as the control bar does
- MDI tab window, which can dock automatically to the left/right/top/bottom side of its parent window and combine the border around the MDI client area with its own border like in Visual Studio .NET
To test some of the features, you can download samples at: http://www.fossware.com/download/Prof-UIS/samples220.zip
Aug 30, 2002
FOSS Software, Inc. released WWW Support web project!
FOSS Software, Inc. released a new web project known as WWW Support.
WWW Support includes a number of services for software and web developers, such as a Bug Tracking System, Forum System, Knowledge Base System, and News Management System.
Both free and commercial packages are available at: http://web.fossware.com/ .
Jul 09, 2002
Next version (2.15) of Prof-UIS has been released.
Version 2.15 of Professional User Interface Suite (Prof-UIS) for the Win32 platform has been released.
This is an intermediate version between 2.1 and 2.20. It does not include tabbed control bars, which will be available in release 2.20 a few weeks later. We are publishing it at the request of people interested in a bug-fix release.
What's new in version 2.15:
1. Completely new dragging algorithm for toolbars and resizable control bars
2. Streamlined resizing algorithm for floating control bars
3. New generalized template classes (see ExtTempl.h)
4. Owner-draw popup menu items and popup menu left area
5. Optimized menu tracking algorithm
6. Streamlined menu expand animation effect
7. Support for standard Windows sounds in menus
8. Updated Hue/Saturation/Luminance roller mode in CExtColorPicker
9. Better 256-color mode painting
10. Support for windows "with holes inside", like the group box common control, in CExtResizableDialog
11. Updated and new samples; all sources compile under warning level 4
12. Separate libraries for ANSI, MBCS and Unicode character sets, static and dynamic libraries (18 build configurations in total)
13. Library build configurations
Follow this link http://www.fossware.com/eng/fr_default.asp?start='prod_profuis.asp' for detailed information.
May 31, 2002
New version of Prof-UIS has been released.
Version 2.1 of Professional User Interface Suite (Prof-UIS) for the Win32 platform has been released.
Prof-UIS is an easy-to-use MFC extension library that enables you to provide your products with a professional and user-friendly interface.
Follow this link http://www.fossware.com/eng/fr_default.asp?start='prod_profuis.asp' for detailed information.
May 16, 2002
Microsoft Security Bulletin MS02-023
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-023.asp
Issue:
This is a cumulative patch that includes the functionality of all
previously released patches for IE 5.01, 5.5 and 6.0. In addition,
it eliminates the following six newly discovered vulnerabilities:
- A cross-site scripting vulnerability in a Local HTML Resource. IE ships with several files that contain HTML on the local file system to provide functionality. One of these files contains a cross-site scripting vulnerability that could allow a script to execute as if it were run by the user herself, causing it to run in the Local Computer zone. An attacker could craft a web page with a URL that exploits this vulnerability and then either host that page on a web server or send it as HTML email. When the web page was viewed and the user clicked on the URL link, the attacker's script would be injected into the local resource and would run in the Local Computer zone, allowing it to run with fewer restrictions than it would otherwise have.
- An information disclosure vulnerability related to the use of an HTML object that provides support for Cascading Style Sheets, which could allow an attacker to read, but not add, delete or change, data on the local system. An attacker could craft a web page that exploits this vulnerability and then either host that page on a web server or send it as HTML email. When the page was viewed, the element would be invoked. Successfully exploiting this vulnerability, however, requires exact knowledge of the location of the intended file to be read on the user's system. Further, it requires that the intended file contain a single, particular ASCII character.
- An information disclosure vulnerability related to the handling of script within cookies that could allow one site to read the cookies of another. An attacker could build a special cookie containing script and then construct a web page with a hyperlink that would deliver that cookie to the user's system and invoke it. He could then send that web page as mail or post it on a server. When the user clicked the hyperlink and the page invoked the script in the cookie, it could potentially read or alter the cookies of another site. Successfully exploiting this, however, would require that the attacker know the exact name of the cookie as stored on the file system to be read successfully.
- A zone spoofing vulnerability that could allow a web page to be incorrectly reckoned to be in the Intranet zone or, in some very rare cases, in the Trusted Sites zone. An attacker could construct a web page that exploits this vulnerability and attempt to entice the user to visit the web page. If the attack were successful, the page would be run with fewer security restrictions than is appropriate.
- Two variants of the "Content Disposition" vulnerability discussed in Microsoft Security Bulletin MS01-058, affecting how IE handles downloads when a downloadable file's Content-Disposition and Content-Type headers are intentionally malformed. In such a case, it is possible for IE to believe that a file is a type safe for automatic handling, when in fact it is executable content. An attacker could seek to exploit this vulnerability by constructing a specially malformed web page and posting a malformed executable file. He could then post the web page or mail it to the intended target. These two new variants differ from the original vulnerability in that, for a system to be vulnerable, it must have an application present that, when it is erroneously passed the malformed content, chooses to hand it back to the operating system rather than immediately raise an error. A successful attack, therefore, would require that the attacker know that the intended victim has one of these applications present on their system.
Finally, it introduces a behavior change to the Restricted Sites zone. Specifically, it disables frames in the Restricted Sites zone. Since Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email Security Update, and Outlook 2002 all read email in the Restricted Sites zone by default, this enhancement means that those products now effectively disable frames in HTML email by default. This new behavior makes it impossible for an HTML email to automatically open a new window or to launch the download of an executable.
Risk Rating:
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: Critical
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-023.asp for information on obtaining this patch.
Acknowledgment:
- Jani Laatikainen (jani@laatikainen.net) for reporting one of the "Content-Disposition" variants.
- Yuu Arai of LAC SNS Team (http://www.lac.co.jp/security/) for reporting one of the "Content-Disposition" variants.
- Cristobal Bielza Lino and Juan Carlos G. Cuartango from Instituto Seguridad Internet (www.instisec.com) for reporting the Zone Spoofing through Malformed Web Page vulnerability.
May 08, 2002
Microsoft Security Bulletin MS02-022
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-022.asp
Issue:
The MSN Chat control is an ActiveX control that allows groups of users to gather in a single, virtual location online to engage in text messaging. The control is offered for download as a single ActiveX control from a number of MSN sites. In addition, it is included with MSN Messenger since version 4.5 and Exchange Instant Messenger. While the MSN Chat control is included with these products it is not used to provide Instant Messaging functionality, but rather to add chat functionality to those products.
An unchecked buffer exists in one of the functions that handles input parameters in the MSN Chat control. A security vulnerability results because it is possible for a malicious user to levy a buffer overrun attack and attempt to exploit this flaw. A successful attack could allow code to run in the user's context.
It would be possible for an attacker to attempt to exploit this vulnerability either through a malicious web site or through HTML email. However, Outlook Express 6.0, Outlook 2002, and the Outlook Email Security Update, which is available for Outlook 98 and Outlook 2000, can thwart such attempts through their default security settings.
Mitigating Factors:
- A successful attack would require that the user have installed the MSN Chat control, MSN Messenger, or Exchange Instant Messenger.
- The MSN Chat control does not install with any version of Windows or Internet Explorer by default.
- Windows Messenger which ships with Windows XP does not include the MSN Chat control. Windows XP users would be vulnerable only if they have chosen to install the MSN Chat control from MSN sites.
- The HTML email attack vector is blocked by the following Microsoft mail products:
- Outlook 98 and Outlook 2000 with the Outlook Email Security Update
- Outlook 2002
- Outlook Express.
This is because these products all open HTML email in the Restricted Sites zone by default.
Risk Rating:
- Internet systems: Low
- Intranet systems: Low
- Client systems: Critical
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-022.asp for information on obtaining this patch.
Acknowledgment:
- eEye Digital Security ( http://www.eeye.com )
Mar 29, 2002
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-015.asp.
Issue:
This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and IE 6. In addition, it eliminates the following two newly discovered vulnerabilities:
- A vulnerability in the zone determination function that could allow a script embedded in a cookie to be run in the Local Computer zone. While HTML scripts can be stored in cookies, they should be handled in the same zone as the hosting site associated with them, in most cases the Internet zone. An attacker could place script in a cookie that would be saved to the user's hard disk. When the cookie was opened by the site the script would then run in the Local Computer zone, allowing it to run with fewer restrictions than it would otherwise have.
- A vulnerability in the handling of object tags that could allow an attacker to invoke an executable already present on the user's machine. A malicious user could create an HTML web page that includes this object tag and cause a local program to run on the victim's machine.
Mitigating Factors:
Cookie-based Script Execution:
- The script would run with the same rights as the user. The specific privileges the attacker could gain through this vulnerability would therefore depend on the privileges accorded to the user. Any limitations on a user's account, such as those applied through Group Policies, would also limit the actions of any script executed by this vulnerability.
Local Executable Invocation via Object tag:
- The vulnerability would not enable the attacker to pass any parameters to the program. Microsoft is not aware of any programs installed by default in any version of Windows that, when called with no parameters, could be used to compromise the system.
- An attacker could only execute a file on the victim's local machine. The vulnerability could not be used to execute a program on a remote share or web site.
- The vulnerability would not provide any way for an attacker to put a program of his choice onto another user's system.
- An attacker would need to know the name and location of any executable on the system to successfully invoke it.
- Outlook 98 and 2000 (after installing the Outlook Email Security Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted Sites Zone. As a result, customers using these products would not be at risk from email-borne attacks.
Risk Rating:
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: Critical
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-015.asp for information on obtaining this patch.
Mar 11, 2002
Microsoft Security Bulletin MS02-014
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-014.asp
The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications.
An unchecked buffer exists in one of the functions that helps to locate incompletely removed applications on the system. A security vulnerability results because it is possible for a malicious user to mount a buffer overrun attack and attempt to exploit this flaw. A successful attack would have the effect of either causing the Windows Shell to crash, or causing code to run in the user's context.
By default, this is not remotely exploitable. However, under very unusual conditions, it could be exploited via a web page - specifically, if the user has installed an application with custom URL handlers and then uninstalled that application, and the uninstall failed to correctly remove the application completely. An attacker could then attempt to levy an attack by constructing an HTML web page that seeks to exploit the vulnerability, and then posting it on their web site or sending it by email.
Mitigating Factors:
- In a default installation, this vulnerability is not remotely exploitable and could only be exploited by introducing hostile code to the system.
- The vulnerability can be remotely exploited only on machines that have installed and uninstalled software which implements custom URL handlers and where the software's uninstall failed to completely remove the application from the system.
- Outlook 98 and 2000 (after installing the Outlook Email Security Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted Sites Zone. As a result, customers using these products would not be at risk from email-borne attacks.
- The buffer overrun would allow code to run in the security context of the user rather than the system. The specific privileges the attacker could gain through this vulnerability would therefore depend on the privileges accorded to the user.
Risk Rating:
- Internet systems: Low
- Intranet systems: Low
- Client systems: Moderate
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-014.asp for information on obtaining this patch.
Mar 11, 2002
Microsoft Security Bulletin MS02-006
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-006.asp
Reason for Revision:
On March 5, 2002, Microsoft released an updated version of the bulletin announcing the availability of a patch for Windows NT 4.0 and advising customers that the work-around procedure is no longer needed for that platform. Patches for additional platforms are forthcoming and this bulletin will be re-released to announce their availability.
Issue:
Simple Network Management Protocol (SNMP) is an Internet standard protocol for managing disparate network devices such as firewalls, computers, and routers. All versions of Windows except Windows ME provide an SNMP implementation, which is neither installed nor running by default in any version.
A buffer overrun is present in all implementations. By sending a specially malformed management request to a system running an affected version of the SNMP service, an attacker could cause a denial of service. In addition, it is possible that he could cause code to run on the system in LocalSystem context. This could potentially give the attacker the ability to take any desired action on the system.
A patch is under development to eliminate the vulnerability. In the meantime, Microsoft recommends that customers who use the SNMP service disable it temporarily. Patches will be available shortly, at which time we will re-release this bulletin with updated details.
Mitigating Factors:
- The SNMP service is neither installed nor running by default in any version of Windows.
- Standard firewalling practices recommend blocking the port over which SNMP operates (UDP ports 161 and 162). If these recommendations have been followed, the vulnerability could only be exploited by an intranet user.
- Standard security recommendations recommend against using SNMP except on trusted networks, as the protocol, by design, provides minimal security.
Risk Rating:
- Internet systems: Low
- Intranet systems: Moderate
- Client systems: Moderate
Patch Availability:
- A patch is available to fix this vulnerability for Windows 2000 and Windows XP. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-006.asp for information on obtaining this patch.
- Patches for other platforms are under development and will be available shortly. When this happens, we will re-release this bulletin with information on how to obtain and install these patches.
Mar 10, 2002
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-013.asp
Issue:
The Microsoft VM is a virtual machine for the Win32 operating environment. It runs atop Microsoft Windows 95, Microsoft Windows 98, ME, Windows NT 4.0, Windows 2000 and Windows XP. It ships as part of Windows 98, ME, and Windows 2000 and also as part of Internet Explorer 5.5 and earlier.
The version of the Microsoft VM that ships with Internet Explorer version 4.x and 5.x contains a flaw affecting how Java requests for proxy resources are handled. A malicious Java applet could exploit this flaw to re-direct web traffic once it has left the proxy server to a destination of the attacker's choice.
An attacker could use this flaw to send a user's Internet session to a system of his own control, without the user being aware of this. The attacker could then forward the information on to the intended destination, giving the appearance that the session was behaving normally. The attacker could then send his own malicious response, making it seem to come from the intended destination, or could discard the session information, creating the impression of a denial of service. Additionally, the attacker could capture and save the user's session information. This could enable him to execute a replay attack or to search for sensitive information such as user names or passwords.
A system is only vulnerable if IE is used in conjunction with a proxy server. Users whose browsers are not behind a proxy server are not vulnerable to this vulnerability. However, those users would be vulnerable if they changed their browser to use a proxy server at a later date.
Mitigating Factors:
- The vulnerability only affects configurations that utilize a proxy server. Customers who are not using a proxy server are not at risk from this vulnerability.
- Best practices strongly recommend using SSL to encrypt sensitive information such as user names, passwords and credit card numbers. If this has been done, sensitive information will be protected from examination and disclosure by an attacker exploiting this vulnerability.
Risk Rating:
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Critical
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-013.asp for information on obtaining this patch.
Feb 25, 2002
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-008.asp
Issue:
Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX control, which allows web pages rendering in the browser to send or receive XML data via HTTP operations such as POST, GET, and PUT. The control provides security measures designed to restrict web pages so they can only use the control to request data from remote data sources.
A flaw exists in how the XMLHTTP control applies IE security zone settings to a redirected data stream returned in response to a request for data from a web site. A vulnerability results because an attacker could seek to exploit this flaw and specify a data source that is on the user's local system. The attacker could then use this to return information from the local system to the attacker's web site.
An attacker would have to entice the user to a site under his control to exploit this vulnerability. It cannot be exploited by HTML email. In addition, the attacker would have to know the full path and file name of any file he would attempt to read. Finally, this vulnerability does not give an attacker any ability to add, change or delete data.
Mitigating Factors:
- The vulnerability can only be exploited via a web site. It would not be possible to exploit this vulnerability via HTML mail.
- The attacker would need to know the full path and file name of a file in order to read it.
- The vulnerability does not provide any ability to add, change, or delete files.
Risk Rating:
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Critical
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-008.asp for information on obtaining this patch.
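The flaw described above comes down to where the zone check is applied: against the URL the page asked for, or against every URL the data actually comes from after redirection. The following is an added example, not code from this page, from Microsoft or from MSXML; its three-zone model, its ranking rule and the URLs are constructed assumptions used only to show the difference between checking the first hop and checking every hop.

```python
"""Zone policy applied to every hop of a redirect chain.

Added example; this is not code from the FOSS Software page, from
Microsoft, or from MSXML. The three-zone model, the ranking rule and the
URLs below are assumptions constructed for illustration.
"""
from urllib.parse import urlparse

LOCAL, INTRANET, INTERNET = "local", "intranet", "internet"

# Assumed ordering: a lower rank is a more trusted zone.
ZONE_RANK = {LOCAL: 0, INTRANET: 1, INTERNET: 2}


def classify_zone(url: str) -> str:
    """Assign a URL to a simplified zone (assumption: file: and loopback
    are local, dotless host names are intranet, everything else Internet)."""
    parsed = urlparse(url)
    if parsed.scheme.lower() == "file":
        return LOCAL
    host = (parsed.hostname or "").lower()
    if host in ("localhost", "127.0.0.1", "::1"):
        return LOCAL
    if "." not in host:
        return INTRANET
    return INTERNET


def may_access(page_zone: str, target_zone: str) -> bool:
    """Assumed policy: a page may read data only from a zone that is no
    more trusted than its own zone."""
    return ZONE_RANK[target_zone] >= ZONE_RANK[page_zone]


def fetch_allowed_first_hop_only(page_url: str, chain) -> bool:
    """Models the flawed behaviour in the bulletin: the zone check is made
    against the URL the page requested, and the redirected data stream is
    returned without being checked again."""
    return may_access(classify_zone(page_url), classify_zone(chain[0]))


def fetch_allowed_every_hop(page_url: str, chain) -> bool:
    """Corrected behaviour: every URL in the redirect chain, including the
    final data source, must pass the same zone check as the first."""
    page_zone = classify_zone(page_url)
    return all(may_access(page_zone, classify_zone(url)) for url in chain)


# Constructed scenario: an Internet page asks for data on its own site,
# and the server answers with a redirect to a file on the user's machine.
PAGE_URL = "http://site.example/page.html"
REDIRECT_CHAIN = ["http://site.example/data.xml", "file:///C:/private/notes.txt"]


if __name__ == "__main__":
    print("first hop only:", fetch_allowed_first_hop_only(PAGE_URL, REDIRECT_CHAIN))  # True
    print("every hop:     ", fetch_allowed_every_hop(PAGE_URL, REDIRECT_CHAIN))       # False
```

The first-hop check accepts the constructed chain because the requested URL is in the page's own zone; the every-hop check rejects it because the redirect target is local. The same principle applies to any client that follows redirects on behalf of less trusted content: the policy decision has to be re-evaluated for each location the response actually comes from.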
Feb 25, 2002
Microsoft Security Bulletin MS02-010
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-010.asp
Issue:
By default, Commerce Server 2000 installs a .dll with an ISAPI filter that allows the server to provide extended functionality in response to events on the server. This filter, called AuthFilter, provides support for a variety of authentication methods. Commerce Server 2000 can also be configured to use other authentication methods.
A security vulnerability results because AuthFilter contains an unchecked buffer in a section of code that handles certain types of authentication requests. An attacker who provided authentication data that overran the buffer could cause the Commerce Server process to fail, or could run code in the security context of the Commerce Server process. The process runs with LocalSystem privileges, so exploiting the vulnerability would give the attacker complete control of the server.
Mitigating Factors:
- Although Commerce Server 2000 does rely on IIS for its base web services, the AuthFilter ISAPI filter is only available as part of Commerce Server. Customers using IIS are at no risk from this vulnerability.
- The URLScan tool, if deployed using the default ruleset for Commerce Server, would make it difficult if not impossible for an attacker to exploit the vulnerability to run code, by significantly limiting the types of data that could be included in a URL. It would, however, still be possible to conduct denial of service attacks.
- An attacker's ability to extend control from a compromised web server to other machines would depend heavily on the specific configuration of the network. Best practices recommend that the network architecture account for the inherent high risk that machines in an uncontrolled environment, like the Internet, face by minimizing overall exposure through measures like DMZs, operating with minimal services and isolating contact with internal networks. Steps like this can limit overall exposure and impede an attacker's ability to broaden the scope of a possible compromise.
- While the ISAPI filter is installed by default, it is not loaded on any web site by default. It must be enabled through the Commerce Server Administration Console in the Microsoft Management Console (MMC).
Risk Rating:
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-010.asp for information on obtaining this patch.
Feb 25, 2002
Microsoft Security Bulletin MS02-009
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-009.asp
Issue:
Frames are used in Internet Explorer to provide for a fuller browsing experience. By design, scripts in the frame of one site or domain should be prohibited from accessing the content of frames in another site or domain. However, a flaw exists in how VBScript is handled in IE relating to validating cross-domain access. This flaw can allow scripts of one domain to access the contents of another domain in a frame.
A malicious user could exploit this vulnerability by using scripting to extract the contents of frames in other domains, then sending that content back to their web site. This would enable the attacker to view files on the user's local machine or capture the contents of third-party web sites the user visited after leaving the attacker's site. The latter scenario could, in the worst case, enable the attacker to learn personal information like user names, passwords, or credit card information.
In both cases, the user would either have to go to a site under the attacker's control or view an HTML email sent by the attacker.
In addition, the attacker would have to know the exact name and location of any files on the user's system. Further, the attacker could only gain access to files that can be displayed in a browser window, such as text files, HTML files, or image files.
Mitigating Factors:
- The vulnerability could only be used to view files. It could not be used to create, delete, modify or execute them.
- The vulnerability would only allow an attacker to read files that can be opened in a browser window, such as image files, HTML files and text files. Other file types, such as binary files, executable files, Word documents, and so forth, could not be read.
- The attacker would need to specify the exact name and location of the file in order to read it.
- The email-borne attack scenario would be blocked if the user were using any of the following: Outlook 98 or 2000 with the Outlook Email Security Update installed; Outlook 2002; or Outlook Express 6.
Risk Rating:
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Critical
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-009.asp for information on obtaining this patch.
Acknowledgment:
- Zentai Peter Aron, Ivy Hungary Ltd ( http://w3.ivy.hu/ )
Feb 20, 2002
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-007.asp
Issue:
One of the features of Structured Query Language (SQL) in SQL Server 7.0 and 2000 is the ability to connect to remote data sources. One capability of this feature is the ability to use "ad hoc" connections to connect to remote data sources without setting up a linked server, for less often used data sources. This is made possible through the use of OLE DB providers, which are low-level data source providers: the query invokes the OLE DB provider directly by name to connect to the remote data source.
An unchecked buffer exists in the handling of OLE DB provider names in ad hoc connections. A buffer overrun could occur as a result and could be used to either cause the SQL Server service to fail, or to cause code to run in the security context of the SQL Server. SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in.
An attacker could exploit this vulnerability in one of two ways. They could attempt to load and execute a database query that calls one of the affected functions. Conversely, if a web site or other database front-end were configured to access and process arbitrary queries, it could be possible for an attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters.
Mitigating Factors:
- The effect of exploiting the vulnerability would depend on the specific configuration of the SQL Server service. SQL Server can be configured to run in a security context chosen by the administrator. By default, this context is as a domain user. If the rule of least privilege has been followed, it would minimize the amount of damage an attacker could achieve.
- Both vectors for exploiting the vulnerability could be blocked by following best practices. Specifically, untrusted users should not be able to load and execute queries of their choice on a database server. In addition, publicly accessible database queries should filter all inputs prior to processing.
Risk Rating:
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Moderate
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-007.asp for information on obtaining this patch.
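The second mitigating factor above is a general rule: a front end that builds database queries should filter every input before it reaches the query, and should never let untrusted text become part of the statement. The following is an added example of that rule, not Microsoft's code and not SQL Server code; sqlite3 stands in for the database only so that it runs offline, and the provider allowlist, the length limit and the table contents are constructed.

```python
"""Filtering inputs before they reach a database query.

Added example; this is not Microsoft's code, and sqlite3 stands in for
SQL Server only so the example runs offline. The provider allowlist,
the length limit and the table contents are constructed.
"""
import re
import sqlite3

# Assumed: the set of provider names this front end may ever use, and an
# upper bound on their length chosen well below any buffer the server has.
ALLOWED_PROVIDERS = {"ExampleProvider.1", "ExampleProvider.2"}
MAX_PROVIDER_NAME_LEN = 64
_PROVIDER_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.]*$")


def validate_provider_name(name: str) -> str:
    """Reject anything that is not a short, well-formed, allowlisted name.
    The length check runs first so an overlong value is never examined
    further, let alone passed on to the database."""
    if len(name) > MAX_PROVIDER_NAME_LEN:
        raise ValueError("provider name too long")
    if not _PROVIDER_NAME_RE.match(name):
        raise ValueError("provider name contains unexpected characters")
    if name not in ALLOWED_PROVIDERS:
        raise ValueError("provider name not on the allowlist")
    return name


def provider_name_is_valid(name: str) -> bool:
    """Boolean wrapper around validate_provider_name for callers that
    only need a yes/no answer."""
    try:
        validate_provider_name(name)
        return True
    except ValueError:
        return False


def search_items(conn: sqlite3.Connection, provider: str, term: str):
    """Run the front end's fixed query. The provider name is filtered
    before use and the search term is bound as a parameter, so neither
    value can change the text of the statement."""
    provider = validate_provider_name(provider)
    rows = conn.execute(
        "SELECT name FROM items WHERE provider = ? AND name LIKE ? ORDER BY name",
        (provider, f"%{term}%"),
    ).fetchall()
    return [row[0] for row in rows]


def build_demo_db() -> sqlite3.Connection:
    """Constructed data set for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (provider TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [("ExampleProvider.1", "alpha"), ("ExampleProvider.1", "alphabet"),
         ("ExampleProvider.2", "beta")],
    )
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(search_items(db, "ExampleProvider.1", "alpha"))   # ['alpha', 'alphabet']
    print(provider_name_is_valid("A" * 65))                 # False
```

Because the search term is a bound parameter, a term containing quote characters is matched literally and simply finds nothing; because the provider name goes through the allowlist, an overlong or oddly formed name is refused before any query is built.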
Feb 15, 2002
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS02-006.asp
Reason for Revision:
On February 12, 2002, Microsoft released the original version of this bulletin. In it, we detailed a work-around procedure that customers could implement to protect themselves against a publicly disclosed vulnerability. An updated version of this bulletin was released on February 15, 2002, to announce the availability of the patch for Windows 2000 and Windows XP and to advise customers that the work-around procedure is no longer needed on those platforms. Patches for additional platforms are forthcoming and this bulletin will be re-released to announce their availability.
Issue:
Simple Network Management Protocol (SNMP) is an Internet standard
protocol for managing disparate network devices such as firewalls,
computers, and routers. All versions of Windows except Windows ME
provide an SNMP implementation, which is neither installed nor
running by default in any version.
A buffer overrun is present in all implementations. By sending a specially malformed management request to a system running an affected version of the SNMP service, an attacker could cause a denial of service. In addition, it is possible that he could cause code to run on the system in LocalSystem context. This could potentially give the attacker the ability to take any desired action on the system.
A patch is under development to eliminate the vulnerability.
In the meantime, Microsoft recommends that customers who use the
SNMP service disable it temporarily. Patches will be available
shortly, at which time we will re-release this bulletin with
updated details.
Mitigating Factors:
- The SNMP service is neither installed nor running by default
in any version of Windows.
- Standard firewalling practices recommend blocking the port
over which SNMP operates (UDP ports 161 and 162). If these
recommendations have been followed, the vulnerability could
only be exploited by an intranet user.
- Standard security recommendations recommend against using SNMP
except on trusted networks, as the protocol, by design,
provides minimal security.
Risk Rating:
- Internet systems: Low
- Intranet systems: Moderate
- Client systems: Moderate
Patch Availability:
- A patch is available to fix this vulnerability for Windows 2000
and Windows XP. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-006.asp for information on obtaining this patch.
- Patches for other platforms are under development and will be
available shortly. When this happens, we will re-release this
bulletin with information on how to obtain and install these
patches.
Feb 12, 2002
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-006.asp
Issue:
Simple Network Management Protocol (SNMP) is an Internet standard
protocol for managing disparate network devices such as firewalls,
computers, and routers. All versions of Windows except Windows ME
provide an SNMP implementation, which is neither installed nor
running by default in any version.
A buffer overrun is present in all implementations. By sending a specially malformed management request to a system running an affected version of the SNMP service, an attacker could cause a denial of service. In addition, it is possible that he could cause code to run on the system in LocalSystem context. This could potentially give the attacker the ability to take any desired action on the system.
A patch is under development to eliminate the vulnerability.
In the meantime, Microsoft recommends that customers who use the
SNMP service disable it temporarily. Patches will be available
shortly, at which time we will re-release this bulletin with
updated details.
Mitigating Factors:
- The SNMP service is neither installed nor running by default
in any version of Windows.
- Standard firewalling practices recommend blocking the port
over which SNMP operates (UDP ports 161 and 162). If these
recommendations have been followed, the vulnerability could
only be exploited by an intranet user.
- Standard security recommendations recommend against using SNMP
except on trusted networks, as the protocol, by design,
provides minimal security.
Risk Rating:
- Internet systems: Low
- Intranet systems: Moderate
- Client systems: Moderate
Patch Availability:
- A patch is under development and will be available shortly. When this happens, we will re-release this bulletin with information on how to obtain and install the patch. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-006.asp for information on steps to protect against the vulnerability until the patch is ready.
Feb 12, 2002
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
Issue:
This is a cumulative patch that, when installed, eliminates all previously discussed security vulnerabilities affecting IE 5.01, 5.5 and IE 6. In addition, it eliminates the following six newly discovered vulnerabilities:
- A buffer overrun vulnerability associated with an HTML directive that's used to incorporate a document within a web page. By creating a web page that invokes the directive using specially selected attributes, an attacker could cause code to run on the user's system.
- A vulnerability associated with the GetObject scripting function. Before providing a handle to an operating system object, GetObject performs a series of security checks to ensure that the caller has sufficient privileges to it. However, by requesting a handle to a file using a specially malformed representation, it would be possible to bypass some of these checks, thereby allowing a web page to complete an operation that should be prevented, namely, reading files on the computer of a visiting user's system.
- A vulnerability related to the display of file names in the File Download dialogue box. When a file download from a web site is initiated, a dialogue provides the name of the file and lets the user choose what action to take. However, a flaw exists in the way HTML header fields (specifically, the Content-Disposition and Content-Type fields) are handled. This flaw could make it possible for an attacker to misrepresent the name of the file in the dialogue, in an attempt to trick a user into opening or saving an unsafe file.
- A vulnerability that could allow a web page to open a file on the web site, using any application installed on a user's system. By design, IE should only open a file on a web site using the application that's registered to that type of file, and even then only if it's on a list of safe applications. However, through a flaw in the handling of the Content-Type HTML header field, an attacker could circumvent this restriction, and specify the application that should be invoked to process a particular file. IE would comply, even if the application was listed as unsafe.
- A vulnerability that could enable a web page to run a script even if the user has disabled scripting. IE checks for the presence of scripts when initially rendering a page. However, the capability exists for objects on a page to respond to asynchronous events; by misusing this capability in a particular way, it could be possible for a web page to fire a script after the page has passed the initial security checks.
- A newly discovered variant of the "Frame Domain Verification" vulnerability discussed in Microsoft Security Bulletin MS01-058. The vulnerability could enable a malicious web site operator to open two browser windows, one in the web site's domain and the other on the user's local file system, and to use the Document.open function to pass information from the latter to the former. This could enable the web site operator to read, but not change, any file on the user's local computer that could be opened in a browser window. In addition, this could be used to mis-represent the URL in the address bar in a window opened from their site.
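The File Download vulnerability in the list above is about trusting header-supplied text for the name the user sees. A client that derives that name defensively reduces it to a bare file name, removes characters that can cut the string short, and checks that the extension agrees with the declared type. The following is an added example of such a derivation, not code from this page or from Internet Explorer; the header values are constructed and the sanitisation rules are this example's own choices.

```python
"""Deriving the file name a download dialog should show.

Added example; not code from the FOSS Software page or from Internet
Explorer. The header values are constructed, and the sanitisation rules
are this example's own choices, not the browser's.
"""
import mimetypes
import re

# Parameters after the disposition type: name=value or name="value".
# (RFC 5987 'filename*=' parameters are deliberately not handled here.)
_PARAM_RE = re.compile(r';\s*([A-Za-z0-9_-]+)\s*=\s*("[^"]*"|[^;]*)')
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def parse_content_disposition(value: str):
    """Split 'attachment; filename="x.txt"' into (type, parameters)."""
    head, _, rest = value.partition(";")
    params = {}
    for match in _PARAM_RE.finditer(";" + rest):
        raw = match.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        params[match.group(1).lower()] = raw
    return head.strip().lower(), params


def safe_display_name(disposition: str, content_type: str, fallback: str = "download"):
    """Return (name_to_display, extension_matches_declared_type).

    The name is reduced to its last path component (either separator),
    control characters such as NUL are removed so the string cannot be
    cut short, and trailing dots and spaces are dropped because Windows
    ignores them when the file is saved. The boolean tells the caller
    whether the extension agrees with the Content-Type header, so a
    dialog can warn when the two disagree.
    """
    _, params = parse_content_disposition(disposition)
    name = _CONTROL_RE.sub("", params.get("filename", ""))
    name = re.split(r"[\\/]", name)[-1].rstrip(". ")
    if not name:
        name = fallback
    declared = content_type.split(";")[0].strip().lower()
    guessed, _ = mimetypes.guess_type(name)
    return name, guessed is not None and guessed == declared


if __name__ == "__main__":
    # Constructed headers: a plain text file, and a name that hides an
    # executable extension behind a NUL byte.
    print(safe_display_name('attachment; filename="report.txt"', "text/plain"))
    print(safe_display_name('attachment; filename="notes.txt\x00.exe"', "text/plain"))
```

Run on the constructed headers, the first call yields a name whose extension matches the declared type, while the second yields "notes.txt.exe" with a mismatch flag, which is exactly the case a download dialog should not present as a harmless text file.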
Risk Rating:
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: Critical
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-005.asp for information on obtaining this patch.
Feb 07, 2002
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-004.asp
Issue:
The Telnet protocol provides remote shell capabilities. Microsoft has implemented the Telnet protocol by providing a Telnet Server in several products. The implementations in two of these products - Windows 2000 and Interix 2.2 - contain unchecked buffers in the code that handles the processing of telnet protocol options.
An attacker could use this vulnerability to perform a buffer overflow attack. A successful attack could cause the Telnet Server to fail, or in some cases, could possibly allow an attacker to execute code of her choice on the system. Such code would execute using the security context of the Telnet service, but this context varies from product to product. In Windows 2000, the Telnet service always runs as System; in the Interix implementation, the administrator selects the security context in which to run as part of the installation process.
Mitigating Factors:
- While the Telnet Service in Windows 2000 is installed by default, it is not running by default. As a result, a Windows 2000 system would only be vulnerable if the administrator had started the service.
- Remotely exploiting this vulnerability would require the attacker to have the ability to connect to the Telnet Server. Best practices recommend against allowing Telnet access on uncontrolled networks.
- The Telnet Daemon in Interix 2.2 is not installed by default when Interix 2.2 is installed. An administrator would have to choose to install and configure this feature.
- The Telnet Daemon in Interix does not specify a security context by default. The administrator specifies the security context when they configure or run the daemon. Best practices recommend that the Telnet Daemon run in a context of least privilege, meaning that it have only those rights necessary and no more.
Risk Rating:
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Moderate
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-004.asp for information on obtaining this patch.
Feb 07, 2002
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-003.asp
Issue:
The Microsoft Exchange System Attendant is one of the core services in Microsoft Exchange. It performs a variety of functions related to the on-going maintenance of the Exchange system. To allow remote administration of an Exchange Server using the Exchange System Manager Microsoft Management Console (MMC) snap in, the System Attendant makes changes to the permissions on the Windows Registry to allow Exchange Administrators to remotely update configuration settings stored in the Registry.
There is a flaw in how the System Attendant makes these Registry configuration changes. This flaw could allow an unprivileged user to remotely access configuration information on the server. Specifically, this flaw inappropriately gives the "Everyone" group privileges to the WinReg key. This key controls the ability of users and groups to remotely connect to the Registry. By default, only Administrators are given the ability to remotely connect to the Registry, by granting permissions on this key.
The flaw does not grant any abilities beyond the ability to connect remotely. However, an attacker's ability to make changes to the Registry once they have successfully connected would be dictated by the permissions on the specific keys within the Registry itself. Thus, while this vulnerability does not itself give an attacker the ability to change Registry settings, it could be used in conjunction with inappropriately permissive registry settings to gain access to, and make changes to, a system's Registry.
Mitigating Factors:
- The vulnerability only grants the ability to connect to the Registry remotely. It does not weaken any other permissions in the Registry.
- An attacker's ability to connect to the Registry remotely requires the ability to send SMB traffic to and from the target system. Firewalling best practices recommend closing the ports that NetBIOS and Direct Host use (TCP ports 139 and 445).
Risk Rating:
- Internet systems: Low
- Intranet systems: Low
- Client systems: None
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-003.asp for information on obtaining this patch.
Acknowledgment:
- Eitan Caspi ( EITANC@YAHOO.COM )
Feb 07, 2002
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-002.asp
Issue:
Office v. X contains a network-aware anti-piracy mechanism that detects multiple copies of Office using the same product identifier (PID) running on the local network. This feature, called the Network Product Identification (PID) Checker, announces Office's own unique product ID and listens for other announcements at regular intervals. If a duplicate PID is detected, Office shuts down.
A security vulnerability results because of a flaw in the Network PID Checker. Specifically, the Network PID Checker doesn't correctly handle a particular type of malformed announcement - receiving one causes the Network PID Checker to fail. When the Network PID Checker fails like this, the Office v. X application will fail as well. If more than one Office v. X application was running when the packet was received, the first application launched during the session would fail. An attacker could use this vulnerability to cause other users' Office applications to fail, with the loss of any unsaved data. An attacker could craft and send this packet to a victim's machine directly, by using the machine's IP address. Or, he could send this same directive to a broadcast or multicast domain and attack all affected machines.
Mitigating Factors:
- Corporate networks could be protected against Internet-based attacks by following standard firewalling practices (specifically, blocking traffic on port 2222 and on ports greater than 3000).
- Best practices recommend blocking both multicast and broadcast packets at the perimeter firewall.
- At best, an attacker could cause the running Office application that was loaded first to fail. There is no opportunity for an attacker to create, delete, or modify Office data.
- Even a successful attack wouldn't have any effect on the overall system, other applications or any Office application beyond the first one loaded.
Risk Rating:
- Internet systems: None
- Intranet systems: None
- Client systems: Low
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-002.asp for information on obtaining this patch.
Acknowledgment:
- Marty Schoch ( mschoch@multicasttech.com )
Feb 05, 2002
FOSS Software Inc. News
We are happy to inform you about this exciting event!
The new version has a lot of improvements and valuable features like:
- table sorting
- filtering
- reports and print forms
- subscription mode
and more!
Just be a registered customer and enjoy!
-----------------------------------------------------
Check the techsupport page to register.
Jan 31, 2002
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-001.asp
Issue:
Trust relationships are created between Windows NT or Windows 2000 domains to allow users in one domain to access resources in other domains without requiring them to authenticate separately to each domain. When a user in a trusted domain requests access to a resource in a trusting domain, the trusted domain supplies authorization data in the form of a list of Security Identifiers (SIDs) that indicate the user's identity and group memberships. The trusting domain uses this data to determine whether to grant the user's request.
A vulnerability exists because the trusting domain does not verify that the trusted domain is actually authoritative for all the SIDs in the authorization data. If one of the SIDs in the list identified a user or security group that is not in the trusted domain, the trusting domain would accept the information and use it for subsequent access control decisions. If an attacker inserted SIDs of his choice into the authorization data at the trusted domain, he could elevate his privileges to those associated with any desired user or group, including the Domain Administrators group for the trusting domain. This would enable the attacker to gain full Domain Administrator access on computers in the trusting domain.
Exploiting this vulnerability would be difficult, and require administrative privileges on the trusted domain, as well as the technical wherewithal to modify low-level operating system functions and data structures.
- Windows NT 4.0 provides no mechanism by which additional SIDs could be added to authorization data. To exploit the vulnerability, an attacker would need to develop and install custom operating system components to add the SIDs.
- Windows 2000 does provide a mechanism for introducing additional SIDs into authorization data, known as SIDHistory. However, there is no programming interface that would allow an attacker - even with administrative rights - to introduce a desired SID into the SIDHistory information; instead, an attacker would need to perform a binary edit of the data structures that hold the SIDHistory information.
Microsoft has developed a mechanism called SID Filtering that eliminates the vulnerability and adds further protection between trusting domains. When installed and enabled on the domain controllers of a trusting domain, SID Filtering causes the system to inspect all incoming authorization data and remove any SIDs that do not identify a user or security group that is defined in the trusted domain.
There are, however, tradeoffs associated with using the SID Filtering mechanism. These are summarized in the FAQ and Caveats sections below, and are discussed in detail in Microsoft Knowledge Base article Q289243 and in a technical white paper ( http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp ) that Microsoft strongly urges administrators to read before using SID Filtering. This is especially important in the case of administrators who are in the midst of migrating their networks from Windows NT 4.0 to Windows 2000.
Mitigating Factors:
- The attacker would need to have domain administrator privileges in the trusted domain in order to exploit the vulnerability.
- The attacker's domain would need to already be trusted by the target domain, or the target domain's administrator would need to approve the establishment of a new trust relationship.
- There is no capability for the attacker to unilaterally initiate a trust relationship with another domain or cause it to trust the attacker's domain.
- The attacker would need to modify operating system components and data.
Risk Rating:
- Internet systems: Low
- Intranet systems: Moderate
- Client systems: None
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-001.asp for information on obtaining this patch.
http://www.microsoft.com/technet/security/bulletin/MS02-001.asp
Issue:
Trust relationships are created between Windows NT or Windows 2000 domains to allow users in one domain to access resources in other domains without requiring them to authenticate separately to each domain. When a user in a trusted domain requests access to a resource in a trusting domain, the trusted domain supplies authorization data in the form of a list of Security Identifiers (SIDs) that indicate the user''s identity and group memberships. The trusting domain uses this data to determine whether to grant the user''s request.
A vulnerability exists because the trusting domain does not verify that the trusted domain is actually authoritative for all the SIDs in the authorization data. If one of the SIDs in the list identified a user or security group that is not in the trusted domain, the trusting domain would accept the information and use it for subsequent access control decisions. If an attacker inserted SIDs of his choice into the authorization data at the trusted domain, he could elevate his privileges to those associated with any desired user or group, including the Domain Administrators group for the trusting domain. This would enable the attacker to gain full Domain Administrator access on computers in the trusting domain.
Exploiting this vulnerability would be difficult, and require administrative privileges on the trusted domain, as well as the technical wherewithal to modify low-level operating system functions and data structures.
- Windows NT 4.0 provides no mechanism by which additional SIDs could be added to authorization data. To exploit the vulnerability, an attacker would need to develop and install custom operating system components to add the SIDs.
- Windows 2000 does provide a mechanism for introducing additional SIDs into authorization data, known as SIDHistory. However, there is no programming interface that would allow an attacker - even with administrative rights - to introduce a desired SID into the SIDHistory information; instead, an attacker would need to perform a binary edit of the data structures that hold the SIDHistory information.
Microsoft has developed a mechanism called SID Filtering that eliminates the vulnerability and adds further protection between trusting domains. When installed and enabled on the domain controllers of a trusting domain, SID Filtering causes the system to inspect all incoming authorization data and remove any SIDs that do not identify a user or security group that is defined in the trusted domain.
There are, however, tradeoffs associated with using the SID Filtering mechanism. These are summarized in the FAQ and Caveats sections below, and are discussed in detail in Microsoft Knowledge Base article Q289243 and in a technical white paper ( http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp ) that Microsoft strongly urges administrators to read before using SID Filtering. This is especially important in the case of administrators who are in the midst of migrating their networks from Windows NT 4.0 to Windows 2000.
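The check that SID Filtering performs, modelled as an added example (this is not Microsoft's implementation): the trusting side keeps only SIDs issued by the trusted domain, plus a small assumed set of well-known logon SIDs, and strips everything else before any access-control decision.

```python
"""Simplified model of the SID Filtering check from MS02-001.

Added example, not Microsoft's implementation. A trusting domain receives
authorization data from a trusted domain as a list of SIDs and must drop
every SID that the trusted domain is not authoritative for, so that an
injected SID (for example the trusting domain's own Domain Admins group,
RID 512) never reaches an access-control decision.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Textual SID: S-1-<authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Domain-relative SIDs are S-1-5-21-<A>-<B>-<C>-<RID>; the part before
# the RID is the identifier of the domain that issued the SID.
DOMAIN_PREFIX = "S-1-5-21-"

# Well-known SIDs that describe the logon itself rather than a domain
# account, so any domain may assert them (assumed list for this example;
# the real filtering rules are longer and more nuanced).
WELL_KNOWN_ALLOWED = {
    "S-1-1-0",   # Everyone
    "S-1-5-2",   # Network logon
    "S-1-5-11",  # Authenticated Users
}


def issuing_domain(sid: str) -> Optional[str]:
    """Return the domain identifier of a well-formed domain account SID, else None."""
    if not SID_RE.match(sid) or not sid.startswith(DOMAIN_PREFIX):
        return None
    parts = sid.split("-")
    # ["S", "1", "5", "21", A, B, C, RID] -> exactly 8 parts for an account SID
    if len(parts) != 8:
        return None
    return "-".join(parts[:7])


@dataclass
class FilterResult:
    accepted: List[str] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)


def filter_authorization_data(trusted_domain_sid: str, sids: List[str]) -> FilterResult:
    """Keep only the SIDs the trusted domain is authoritative for.

    A SID survives when it is a well-known logon SID or when its issuing
    domain equals the trusted domain's SID. Anything else, including SIDs
    from the trusting domain, from any third domain, and malformed strings,
    is removed before the list is used for access control.
    """
    result = FilterResult()
    for sid in sids:
        if sid in WELL_KNOWN_ALLOWED or issuing_domain(sid) == trusted_domain_sid:
            result.accepted.append(sid)
        else:
            result.rejected.append(sid)
    return result


if __name__ == "__main__":
    # Constructed sample: TRUSTED issues the logon, TRUSTING consumes it.
    TRUSTED = "S-1-5-21-1000-2000-3000"
    TRUSTING = "S-1-5-21-4000-5000-6000"
    incoming = [
        TRUSTED + "-1105",      # the user's own account
        TRUSTED + "-513",       # Domain Users of the trusted domain
        "S-1-5-11",             # Authenticated Users
        TRUSTING + "-512",      # injected: Domain Admins of the trusting domain
        "S-1-5-21-7-8-9-519",   # injected: Enterprise Admins of a third domain
        "S-1-5-21-bad",         # malformed
    ]
    r = filter_authorization_data(TRUSTED, incoming)
    print("accepted:", r.accepted)
    print("rejected:", r.rejected)
```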
Mitigating Factors:
- The attacker would need to have domain administrator privileges in the trusted domain in order to exploit the vulnerability.
- The attacker's domain would need to already be trusted by the target domain, or the target domain's administrator would need to approve the establishment of a new trust relationship.
- There is no capability for the attacker to unilaterally initiate a trust relationship with another domain or cause it to trust the attacker's domain.
- The attacker would need to modify operating system components and data.
Risk Rating:
- Internet systems: Low
- Intranet systems: Moderate
- Client systems: None
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-001.asp for information on obtaining this patch.
Acknowledgment:
- Aelita Software ( http://www.aelita.com )
- Michel Trepanier of CMT Inc. and Loto-Quebec.
Jan 30, 2002
One more Microsoft Certification Professional in the Foss Software Inc.
The staff of Foss Software Inc. congratulated vice-president Oleksandr Bugrimenko on successfully passing the Microsoft Certification Professional exam. Now more than 30% of Foss specialists have Microsoft certificates (www.microsoft.com) and more than 65% have Brainbench (www.brainbench.com) certificates.
Jan 22, 2002
C Runtime Denial of Service Fix
Visual Studio 6.0 and Visual C++ 6.0 contain the Microsoft C runtime. This file contains a problem that could cause a buffer overrun. Unlike most buffer overruns, a malicious attacker could not choose the data with which the buffer would be overrun. Instead, the buffer would always be overrun with the same values, regardless of the attacker's inputs. As a result, this vulnerability could be used as a denial of service attack only.
Due to the important nature of the C runtime to the operating system and most client software, it is recommended that this fix be applied directly to a server and not distributed with any applications that need the C runtime. The fix will appear in the next service pack for Visual Studio and Visual C++.
Symptoms
A server application such as the Microsoft SQL Server™ service could be made to fail silently without warning.
More Information
For additional information, please see Microsoft Security Bulletin MS01-060.
Solution
Click the link below to download this update file. It will update the C runtime and eliminate this security problem. For Microsoft Windows® XP, see
http://www.microsoft.com/downloads
Jan 17, 2002
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-059.asp.
Issue:
The Universal Plug and Play (UPnP) service allows computers to discover and use network-based devices. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed via the Internet Connection Sharing client that ships with Windows XP. This bulletin discusses two vulnerabilities affecting these UPnP implementations. Although the vulnerabilities are unrelated, both involve how UPnP-capable computers handle the discovery of new devices on the network.
The first vulnerability is a buffer overrun vulnerability. There is an unchecked buffer in one of the components that handle NOTIFY directives - messages that advertise the availability of UPnP-capable devices on the network. By sending a specially malformed NOTIFY directive, it would be possible for an attacker to cause code to run in the context of the UPnP service, which runs with System privileges on Windows XP. (On Windows 98 and Windows ME, all code executes as part of the operating system). This would enable the attacker to gain complete control over the system.
The second vulnerability results because the UPnP service doesn't sufficiently limit the steps it will go to in order to obtain information on using a newly discovered device. Within the NOTIFY directive that a new UPnP device sends is information telling interested computers where to obtain its device description, which lists the services the device offers and instructions for using them. By design, the device description may reside on a third-party server rather than on the device itself. However, the UPnP implementations don't adequately regulate how they perform this operation, and this gives rise to two different denial of service scenarios.
In the first scenario, the attacker could send a NOTIFY directive to a UPnP-capable computer, specifying that the device description should be downloaded from a particular port on a particular server. If the server was configured to simply echo the download requests back to the UPnP service (e.g., by having the echo service running on the port that the computer was directed to), the computer could be made to enter an endless download cycle that could consume some or all of the system's availability. An attacker could craft and send this directive to a victim's machine directly, by using the machine's IP address. Or, he could send this same directive to a broadcast and multicast domain and attack all affected machines within earshot, consuming some or all of those systems' availability.
In the second scenario, an attacker could specify a third-party server as the host for the device description in the NOTIFY directive. If enough machines responded to the directive, it could have the effect of flooding the third-party server with bogus requests, in a distributed denial of service attack. As with the first scenario, an attacker could either send the directives to the victim directly, or to a broadcast or multicast domain.
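An added example, not Microsoft's UPnP code, of how a receiver can close both problem classes described above: the NOTIFY headers are parsed under hard size limits, and the LOCATION URL is only followed when it points back to the announcing host over plain http and away from the discovery and echo ports (the limits and the policy are assumptions for this example).

```python
"""Defensive handling of UPnP NOTIFY directives (SSDP discovery).

Added example, not Microsoft's UPnP code. It models the two checks that
address the problem classes in MS01-059: bounded parsing of the NOTIFY
headers, and a policy on where the device description named in LOCATION
may be fetched from, so that a NOTIFY cannot point the service at a
third-party server or into an endless download loop.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

MAX_LINE = 1024       # assumed upper bound on one header line
MAX_HEADERS = 32      # assumed upper bound on the header count
# SSDP's own port (1900), the other port the bulletin names (5000) and
# the TCP echo service (7) used in the endless-download scenario.
DENY_PORTS = {7, 1900, 5000}


class NotifyError(ValueError):
    """Raised when a NOTIFY directive violates the parsing limits."""


def parse_notify(raw: bytes) -> Dict[str, str]:
    """Parse the NOTIFY request line and headers with hard size limits."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise NotifyError("non-ASCII bytes in NOTIFY") from exc
    lines = text.split("\r\n")
    if lines[0] != "NOTIFY * HTTP/1.1":
        raise NotifyError("not a NOTIFY directive")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the header block
        if len(line) > MAX_LINE:
            raise NotifyError("header line exceeds MAX_LINE")
        if len(headers) >= MAX_HEADERS:
            raise NotifyError("too many headers")
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise NotifyError("malformed header line")
        headers[name.strip().upper()] = value.strip()
    return headers


def allowed_description_url(headers: Dict[str, str], sender_ip: str) -> Optional[str]:
    """Return the LOCATION URL if policy permits fetching it, else None.

    Policy (assumed for this example): only ssdp:alive announcements are
    followed, the description must be served over plain http by the host
    that sent the NOTIFY, and never from a discovery or echo port.
    """
    if headers.get("NTS") != "ssdp:alive":
        return None
    location = headers.get("LOCATION")
    if not location:
        return None
    parts = urlsplit(location)
    try:
        port = parts.port if parts.port is not None else 80
    except ValueError:        # non-numeric or out-of-range port
        return None
    if parts.scheme != "http" or parts.hostname != sender_ip:
        return None
    if port in DENY_PORTS:
        return None
    return location


def handle_notify(raw: bytes, sender_ip: str) -> Optional[str]:
    """Full path: parse, then apply the fetch policy; None means ignore."""
    try:
        headers = parse_notify(raw)
    except NotifyError:
        return None
    return allowed_description_url(headers, sender_ip)


# Constructed sample announcement from a device at 192.168.1.20.
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"LOCATION: http://192.168.1.20:8080/description.xml\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(handle_notify(SAMPLE_NOTIFY, "192.168.1.20"))  # URL accepted
    print(handle_notify(SAMPLE_NOTIFY, "192.168.1.99"))  # None: third-party host
```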
Mitigating Factors:
General:
- Standard firewalling practices (specifically, blocking ports 1900 and 5000) could be used to protect corporate networks from Internet-based attacks.
Windows 98 and 98SE:
- There is no native UPnP support for these systems. Windows 98 and 98SE systems would only be affected if the Internet Connection Sharing Client from Windows XP had been installed on the system.
- Windows 98 and 98SE machines that have installed the Internet Connection Sharing client from a Windows XP system that has already applied this patch are not vulnerable.
Windows ME:
- Windows ME provides native UPnP support, but it is neither installed nor running by default. (However, some OEMs do configure pre-built systems with the service installed and running).
Windows XP:
- Internet Connection Firewall, which runs by default, would make it significantly more difficult for an attacker to determine the IP address of an affected machine. This could impede an attacker's ability to attack a machine via unicast messages. However, attacks via multicast or broadcast would still be possible.
Risk Rating:
Buffer Overrun:
- Internet servers: None
- Intranet servers: None
- Client systems: Critical for Windows XP, moderate for Windows 98, Windows 98SE and Windows ME
Denial of service:
- Internet servers: None
- Intranet servers: None
- Client systems: Moderate
Aggregate risk:
- Internet servers: None
- Intranet servers: None
- Client systems: Critical for Windows XP, moderate for Windows 98, Windows 98SE and Windows ME
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-059.asp for information on obtaining this patch.
Acknowledgment:
- eEye Digital Security ( http://www.eeye.com )
Jan 17, 2002
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-058.asp.
Issue:
This is a cumulative patch that, when installed, eliminates all previously discussed security vulnerabilities affecting IE 5.5 and IE 6. In addition, it eliminates three newly discovered vulnerabilities.
- The first vulnerability involves a flaw in the handling of the Content-Disposition and Content-Type header fields in an HTML stream. These fields, the hosting URL, and the hosted file data determine how a file is handled upon download in Internet Explorer. A security vulnerability exists because, if an attacker altered the HTML header information in a certain way, it could be possible to make IE believe that an executable file was actually a different type of file -- one that it is appropriate to simply open without asking the user for confirmation. This could enable the attacker to create a web page or HTML mail that, when opened, would automatically run an executable on the user's system. This vulnerability affects IE 6.0 only. It does not affect IE 5.5.
- The second vulnerability is a newly discovered variant of the "Frame Domain Verification" vulnerability discussed in Microsoft Security Bulletin MS01-015. The vulnerability could enable a malicious web site operator to open two browser windows, one in the web site's domain and the other on the user's local file system, and to pass information from the latter to the former. This could enable the web site operator to read, but not change, any file on the user's local computer that could be opened in a browser window. This vulnerability affects both IE 5.5 and 6.0.
- The third vulnerability involves a flaw related to the display of file names in the File Download dialogue box. When a file download is initiated, a dialogue provides the name of the file. However, in some cases, it would be possible for an attacker to misrepresent the name of the file in the dialogue. This could be invoked from a web page or in an HTML email in an attempt to fool users into accepting unsafe file types from a trusted source. This vulnerability affects both IE 5.5 and 6.0.
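The first and third vulnerabilities share one lesson: the handling decision and the displayed name must not be driven by any single header. The following added example (not Internet Explorer code; the type tables and the prompt policy are assumptions) combines the four inputs the bulletin names, the Content-Type and Content-Disposition headers, the hosting URL and the file data, and lets an executable verdict from any one of them override the others.

```python
"""Download-handling decision that does not let HTTP headers override
what a file actually is.

Added example, not Internet Explorer code. IE decided how to handle a
download from the Content-Type and Content-Disposition headers, the URL
and the file data (MS01-058); crafted headers could make an executable
look like a type that is simply opened. This model treats the file as
executable if ANY of those sources says so, and only opens without a
prompt when every source agrees on a harmless type.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Assumed policy tables for the example.
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
EXEC_MIME_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
OPEN_WITHOUT_PROMPT = {"text/plain", "text/html", "image/gif", "image/jpeg", "image/png"}
_FILENAME_RE = re.compile(r'filename\s*=\s*"?([^";]+)"?', re.IGNORECASE)


@dataclass
class Decision:
    action: str                  # "open" or "prompt"
    display_name: str
    reasons: List[str] = field(default_factory=list)


def disposition_filename(value: Optional[str]) -> Optional[str]:
    """Extract filename= from a Content-Disposition header value."""
    if not value:
        return None
    m = _FILENAME_RE.search(value)
    return m.group(1).strip() if m else None


def url_filename(url: str) -> str:
    """Last path segment of the hosting URL, percent-decoded."""
    path = unquote(urlsplit(url).path)
    return path.rsplit("/", 1)[-1] or "download"


def clean_display_name(name: str) -> str:
    """Name shown to the user: control characters removed and runs of
    whitespace collapsed, so padding cannot push the real extension out of view."""
    name = re.sub(r"[\x00-\x1f\x7f]", "", name)
    return re.sub(r"\s+", " ", name).strip()


def extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def decide(url: str, headers: Dict[str, str], head: bytes) -> Decision:
    """Combine every signal; an executable verdict from any one of them wins."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    name = disposition_filename(h.get("content-disposition")) or url_filename(url)
    reasons: List[str] = []
    if extension(name) in EXEC_EXTENSIONS:
        reasons.append(f"declared name has executable extension {extension(name)}")
    if extension(url_filename(url)) in EXEC_EXTENSIONS:
        reasons.append("hosting URL names an executable")
    if ctype in EXEC_MIME_TYPES:
        reasons.append(f"Content-Type {ctype} is an executable type")
    if head[:2] == b"MZ":
        reasons.append("file data starts with the MZ executable signature")
    display = clean_display_name(name)
    if reasons:
        return Decision("prompt", display, reasons)
    if ctype in OPEN_WITHOUT_PROMPT:
        return Decision("open", display, ["all sources agree on a non-executable type"])
    return Decision("prompt", display, ["unrecognised type"])


if __name__ == "__main__":
    # Constructed sample: headers claim plain text, the bytes are a PE image.
    hdrs = {"Content-Type": "text/plain",
            "Content-Disposition": "attachment; filename=readme.txt"}
    print(decide("http://example.invalid/get", hdrs, b"MZ\x90\x00"))
    print(decide("http://example.invalid/get", hdrs, b"hello"))
```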
Mitigating Factors:
File Execution Vulnerability:
- The vulnerability could not be exploited if File Downloads have been disabled in the Security Zone from which the file is being received. In most attempts to maliciously exploit this vulnerability the file would be received from the Internet or Intranet zone. Therefore, disabling File Downloads in these zones can protect customers. This is not the default setting for either of these zones, however.
- This affects IE 6.0 only.
Frame Domain Verification Variant:
- The vulnerability could only be used to view files. It could not be used to create, delete, modify or execute them.
- The vulnerability would only allow an attacker to read files that can be opened in a browser window, such as image files, HTML files and text files. Other file types, such as binary files, executable files, Word documents, and so forth, could not be read.
- The attacker would have to have knowledge of the exact file name and location in order to successfully read the file on the local system.
File Name Spoofing Vulnerability:
- The determination on choosing to accept a file download from an Internet site should always be based on the trustworthiness of the source and not on the file type. File downloads should never be accepted from an untrusted source, no matter how harmless the type may appear to be.
Risk Rating:
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: Critical
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-058.asp for information on obtaining this patch.
Acknowledgment:
- Jouko Pynnonen of Oy Online Solutions Ltd
( http://www.solutions.fi/index.cgi/?lang=eng )
Jan 17, 2002
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-057.asp
Reason for Revision:
On December 6, 2001 Microsoft released the original version of this bulletin. On December 7, 2001 an issue relating to file dependencies for the patch was identified and the bulletin was updated and re-released to include this information. Specifically, for this patch to function properly, the Outlook Web Access (OWA) server on which the patch is installed must have Internet Explorer (IE) 5.0 or greater installed.
If the patch is installed on a system with a version of IE older than 5.0, unexpected consequences may result. The "Caveats" section has been updated to include version requirements for this patch. In addition, it contains version recommendations for dependent components that are applicable at the time of this writing. In addition, the FAQ contains remediation information for customers who have applied this patch on systems with versions of IE older than 5.0.
Issue:
Outlook Web Access (OWA) is a service of Exchange 5.5 Server that allows users to access and manipulate messages in their Exchange mailbox by using a web browser.
A flaw exists in the way OWA handles inline script in messages in conjunction with Internet Explorer (IE). If an HTML message that contains specially formatted script is opened in OWA, the script executes when the message is opened. Because OWA requires that scripting be enabled in the zone where the OWA server is located, a vulnerability results because this script could take any action against the user's Exchange mailbox that the user himself was capable of, including sending, moving, or deleting messages. An attacker could maliciously exploit this flaw by sending a specially crafted message to the user. If the user opened the message in OWA, the script would then execute.
While it is possible for a script to send a message as the user, it is impossible for the script to send a message to addresses in the user's address book. Thus, the flaw cannot be exploited for mass-mailing attacks. Also, mounting a successful attack requires knowledge of the intended victim's choice of mail clients and reading habits. If the maliciously crafted message were read in any mail client other than a browser through OWA, the attack would fail.
Mitigating Factors:
- A successful attack would require the victim to read the message in IE using OWA only. The attack would fail if read in any other mail client.
- A successful attack would also require knowledge of the version of OWA in use. The attack would fail on other versions of OWA.
- A successful attack can only take action on the mailbox on the Exchange Server as the user. It cannot take action on the user's local machine. It cannot take actions on any other user's mailbox directly. Nor can it take actions directly on the Exchange Server.
Risk Rating:
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: None
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-057.asp for information on obtaining this patch.
Acknowledgment:
- Lex Arquette of WhiteHat Security ( http://www.whitehatsec.com )
Dec 07, 2001
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-056.asp
Issue:
One of the streaming media formats supported by Windows Media Player is Advanced Streaming Format (ASF). A security vulnerability occurs in Windows Media Player 6.4 because the code that processes ASF files contains an unchecked buffer.
By creating a specially malformed ASF file and inducing a user to play it, an attacker could overrun the buffer, with either of two results: in the simplest case, Windows Media Player 6.4 would fail; in the more complex case, code chosen by the attacker could be made to run on the user's computer, with the privileges of the user.
The scope of this vulnerability is rather limited. It affects only Windows Media Player 6.4, and can only be exploited by the user opening and deliberately playing an ASF file. There is no capability to exploit this vulnerability via email or a web page.
However, the patch eliminates additional vulnerabilities. Specifically, it eliminates all known vulnerabilities affecting Windows Media Player 6.4 - discussed in Microsoft Security Bulletins MS00-090, MS01-029, and MS01-042 - as well as some additional variants of these vulnerabilities that were discovered internally by Microsoft. Some of these vulnerabilities could be exploited via email or a web page. In addition, some affect components of Windows Media Player 6.4 that, for purposes of backward compatibility, ship with Windows Media Player 7, and 7.1. We therefore recommend that customers running any of these versions of Windows Media Player apply the patch to ensure that they are fully protected against all known vulnerabilities.
Windows Media Player for Windows XP includes components of Windows Media Player 6.4, but they are not affected by the ASF buffer overrun or by any of the other vulnerabilities discussed in the security bulletins listed above. However, the version 6.4 components that ship with Windows Media Player for Windows XP are affected by some of the newly discovered variants of these vulnerabilities. Rather than installing this patch, however, we recommend that customers install the 25 October 2001 Critical Update for Windows XP.
Mitigating Factors:
- Windows Media Player runs in the security context of the user, rather than as a system component. At best, an attacker could gain the privileges of the user on the system. Systems configured in accordance with the least privilege principle would be at less risk from this vulnerability.
- The vulnerability could only be exploited if the user opened and played an affected ASF file.
- The attacker would need to know the specific operating system that the user was running in order to tailor the attack code properly; if the attacker made an incorrect guess about the user's operating system platform, the attack would crash the user's Windows Media Player session, but not run code of the attacker's choice.
Risk Rating:
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: Critical
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms01-056.asp for information on obtaining this patch.
Dec 06, 2001
Microsoft Security Bulletin
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-057.asp.
Issue:
Outlook Web Access (OWA) is a service of Exchange 5.5 Server that allows users to access and manipulate messages in their Exchange mailbox by using a web browser.
A flaw exists in the way OWA handles inline script in messages in conjunction with Internet Explorer (IE). If an HTML message that contains specially formatted script is opened in OWA, the script executes when the message is opened. Because OWA requires that scripting be enabled in the zone where the OWA server is located, a vulnerability results because this script could take any action against the user's Exchange mailbox that the user himself was capable of, including sending, moving, or deleting messages. An attacker could maliciously exploit this flaw by sending a specially crafted message to the user. If the user opened the message in OWA, the script would then execute.
While it is possible for a script to send a message as the user, it is impossible for the script to send a message to addresses in the user's address book. Thus, the flaw cannot be exploited for mass-mailing attacks. Also, mounting a successful attack requires knowledge of the intended victim's choice of mail clients and reading habits. If the maliciously crafted message were read in any mail client other than a browser through OWA, the attack would fail.
Mitigating Factors:
- A successful attack would require the victim to read the message in IE using OWA only. The attack would fail if read in any other mail client.
- A successful attack would also require knowledge of the version of OWA in use. The attack would fail on other versions of OWA.
- A successful attack can only take action on the mailbox on the Exchange Server as the user. It cannot take action on the user's local machine. It cannot take actions on any other user's mailbox directly. Nor can it take actions directly on the Exchange Server.
Risk Rating:
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: None
Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms01-057.asp for information on obtaining this patch.
Dec 04, 2001
FOSS Software Inc. News
We are happy to introduce a new feature on our web site!
Now you have access to our internal Knowledge Base, which includes a news archive, articles by our technical specialists, articles about undocumented functions of Microsoft SQL Server, C++, Java and so on. With the Knowledge Base you can learn about algorithm implementations and "ready to go" solutions. Lots and lots of examples and code in just a second!
Enjoy working with our Knowledge Base.
Dec 04, 2001
SQL Server 2000 Service Pack 2 Now Available
SQL Server 2000 Service Pack 2 (SP2) addresses specific issues that were discovered in SQL Server 2000 since its ship date.
Because SQL Server Service Packs are cumulative, SP2 includes all fixes from previously released Service Pack 1 (SP1), and can be applied to an original installation or to one where Service Pack 1 (SP1) was previously applied.
The SQL Server 2000 SP2 download is provided in three parts for the Database, Analysis Services, and Desktop Engine (MSDE) server components. SP2 also contains an additional fix to English Query that needs to be downloaded and applied separately. The three parts and the additional fix can all be downloaded at: http://www.microsoft.com/sql/downloads/2000/sp2.asp