Recently in Guest Blog Category

Software licence audits: Confidence in Your Choices


Over the last few weeks Computer Weekly has written about software licensing and how suppliers are demanding IT departments run costly software audits. At the same time, we have started looking at the complexities of licensing, such as in a virtualised environment.

In this guest blog post, Martin Thompson, a SAM consultant and founder of The ITAM Review and The ITSM Review, provides some top tips on what to do when you receive an audit letter:


Payment Protection Insurance (PPI) spam is in vogue.

You may have received one or two of these recently:

"You are entitled to £2,648 in compensation from mis-sold PPI on credit cards or loans."

PPI claims and other spam solicitations are the bane of our inboxes. The vast majority of us know to simply ignore them. Unfortunately the handful of those who do respond justifies the exercise to the spammers. 

This mass-marketing technique is used in exactly the same fashion by trade bodies such as BSA and FAST to force their agenda and start software audit activity.

Supplier audits are a fact of life. Some software audit requests are serious and expensive, while others are merely spoof marketing campaigns. How can IT professionals distinguish between the two?

Whilst I'm not a legal expert, fifteen years in this industry has taught me that there are instances when you should respond to an audit request and instances when you should simply walk away.

When to Take Software Audit Requests Seriously

In my opinion there are two instances when you should take software audits seriously:

  1. When you are approached by a software publisher directly with reference to a signed contract
  2. When you are approached by an organisation with real proof of a breach of intellectual property law.

Contracts with software publishers have 'Audit Clauses', the right to come and audit you periodically at your own cost. Your company either signed this and agreed to it or will need to fight against it. Smart companies negotiate it out of the contract by demonstrating maturity in their internal processes.

Breaches of intellectual property supported by evidence are a legal dispute and should be treated as such - by passing the issue over to your legal team in the first instance.

When to Ignore Software Audit Requests

Requests for 'Self-Audit' or other direct mail fishing exercises can be ignored.

Trade bodies such as BSA and FAST commonly write letters to companies requesting them to 'Self-Audit' or declare a 'Software Amnesty'.

These organisations are masters at crafting well-written, legal-sounding letters, but they have no legal authority whatsoever. Nor do they have the resources to follow up on every letter sent.

Just like any other complaint made to your business, it should only be taken seriously if there is firm evidence or the organisation issuing the dispute is supported by the appropriate government agency. For example, the Federation Against Software Theft (FAST) has no teeth whatsoever unless accompanied by HM Customs and Excise.

Confidence in Your Choices

IT departments with the appropriate Software Asset Management (SAM) processes in place have both the confidence and the supporting data to discriminate between bogus claims and genuine supplier audit requests.

Whilst much noise is made in the industry about senior management being sent to prison or the company name being dragged through the gutter, the real and compelling downside to a lack of software management is UNBUDGETED cost and DISRUPTION: surprise licence costs, and massive disruption whilst IT staff are diverted from key projects to attend to an audit or hunt down the appropriate data.

Unexpected software audits can be good for your health in the longer term if they allow the organisation to realise it is out of control.

SAM is so much more than compliance and counting licenses. Organisations with a solid SAM practice are more nimble, competitive and dynamic. No more stalling on that virtualisation project because we're unsure of the licensing costs, no more uncertainty about moving to the cloud because we don't know how that leaves us contractually. SAM provides the business intelligence to innovate and take action.

Martin is an independent software industry analyst, SAM consultant and founder of The ITAM Review and The ITSM Review. Learn more about him here and connect with him on Twitter or LinkedIn.


IT service provisioning and orchestration

In this guest blog post, Steve Nunn, managing director, infrastructure consulting group, Accenture, looks at the role of the service catalogue in virtualisation.

CIOs are already well versed in virtualisation, with many having already invested in virtualisation within their data centres and server estates. For those CIOs that have, this usually prompts the question: where next? Given that they are using their underlying hardware more productively, some CIOs assume that investment should start shifting to other IT initiatives. But this would be a mistake. A major opportunity to better utilise the enterprise's IT assets, while radically speeding up time to market, can be captured through the orchestration and provisioning of IT via a service catalogue.

Getting there requires completing the virtualisation of the IT environment, while also moving to a greater level of standardisation. This virtualisation goes beyond the servers, where much attention has so far been placed, as far more can reliably be virtualised. For example, while network virtualisation is now mainstream within many organisations, relatively little has been done on application and storage virtualisation. CIOs that start to virtualise these areas are finding that they can far more flexibly allocate available resources towards true application requirements. Overall, the goal here is the complete virtualisation of the server, storage and network environment, to provide a commoditised pool of IT capability that can be easily provisioned and orchestrated as needed.

The implementation of a service catalogue for IT assets is an important aspect of a parallel part of the journey. This essentially provides a single view for users that defines what services are available, and at what level. Putting this in place is a major step for CIOs, and should be used to lead the drive towards implementing the automated provisioning of IT assets. Orchestration then adds the necessary intelligence so that IT can dynamically match user demand against availability of the underlying infrastructure.

Achieving this gives CIOs various new options that can help drive out inefficiencies and radically speed up time to market. To give one example, specific operating areas, such as an organisation's test and development setup, can be transformed in how they are set up and run. Rather than taking days or weeks to build and deploy dedicated test and development machines for a new project, hundreds of virtualised test environments, simulating specific conditions or setups, can be created in hours and used for only as long as they're needed. This also ensures far more efficient setups, by only providing the specific test environments needed, for as long as they're needed, before the capacity is switched over to other tasks. One bank cut its test environment from 900 constant images to just 300, simply by restructuring the way it provisioned the workload on a 'just in time' basis.

A further example of how the IT environment can be more flexibly provisioned might be a rethink of how an enterprise ERP system is implemented. Such deployments typically provision sufficient capacity to ensure that any potential spikes in demand can be catered for, even though these peaks are rare. As a result, potential computing resource lies wasted for the majority of the time. In a more flexible IT environment with orchestration and provisioning, CIOs can cater for the typical operating load of the application, while "borrowing" capacity from other lesser-used systems, such as disaster recovery or training, to cater for the occasional surges in demand as they happen.

Of course, making a successful transition to an IT environment that can be flexibly provisioned and orchestrated through a service catalogue is not without its challenges. The initial software investment can be high, and there are several prerequisites: standardisation of the underlying IT assets; complete, or very nearly complete, virtualisation; the ability to share a common IT resource pool; and a service-oriented approach to IT that focuses on application service delivery.

The good news is these goals are also prerequisites for any CIO thinking about a future move into a cloud environment. And more fundamentally, this forms part of the evolution of the role of the CIO: away from being a manager of IT infrastructure, and towards that of being an orchestrator of services.



Microsoft Patch Tuesday Report - March 13


Application Compatibility Update with Quest ChangeBASE


Executive Summary

With this March Microsoft Patch Tuesday update, we see a set of 6 updates; 1 with the rating of Critical, 4 with the rating of Important and 1 with that of Moderate. This is a relatively small update from Microsoft, and the potential compatibility impact for these updates is likely to be low.

 

Notably, the Patch Tuesday Security Update analysis performed by the ChangeBASE team has not identified any compatibility issues across the thousands of applications included in testing for this release. This makes us confident that this set of patches may be deployed with low risk of issue across the entire application portfolio.

 

Given the nature of the changes and updates included in each of these patches, most systems will require a reboot to successfully implement any and all of the patches and updates released in this March Patch Tuesday release cycle.



Sample Results

Here is a sample Summary report for a sample database where the Quest ChangeBASE Patch Impact team has run the latest Microsoft Updates against a test application portfolio. As you can see, no issues have been detected:




 

Testing Summary

 

MS12-017

 

Vulnerability in DNS Server Could Allow Denial of Service (2647170)

MS12-018

Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)

MS12-019

Vulnerability in DirectWrite Could Allow Denial of Service

MS12-020

Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)

MS12-021

Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019)

MS12-022

Vulnerability in Expression Design Could Allow Remote Code Execution (2651018)

 

 

Quest ChangeBASE RAG Report Summary


Security Update Detailed Summary

MS12-017

Vulnerability in DNS Server Could Allow Denial of Service (2647170)

Description

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a remote unauthenticated attacker sends a specially crafted DNS query to the target DNS server.

Payload

Afd.sys, Dns.exe, Dnsperf.dll, Dnsperf.h, Dnsperf.ini, Mswsock.dll, Tcpip.sys, Tcpip6.sys, W03a3409.dll, Wdnsperf.dll, Wmswsock.dll, Ww03a3409.dll

Impact

Important - Denial of Service

 

MS12-018

Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)

Description

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Payload

Win32k.sys

Impact

Important - Elevation of Privilege

 

MS12-019

Vulnerability in DirectWrite Could Allow Denial of Service

Description

 Could Allow Denial of Service (2665364)

Payload

D2d1.dll, Dwrite.dll, D3d10_1.dll, D3d10_1core.dll, D3d10warp.dll

Impact

Moderate - Denial of Service

 

MS12-020

Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)

Description

This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

Payload

Rdpwd.sys

Impact

Critical - Remote Code Execution

 

MS12-021

Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019)

Description

This security update resolves one privately reported vulnerability in Visual Studio. The vulnerability could allow elevation of privilege if an attacker places a specially crafted add-in in the path used by Visual Studio and convinces a user with higher privileges to start Visual Studio. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

Payload

Vsaenv.exe, BaseConfig.pkgdef, BaseConfig.pkgdef.version

Impact

Important - Elevation of Privilege

 

MS12-022

Vulnerability in Expression Design Could Allow Remote Code Execution (2651018)

Description

This security update resolves one privately reported vulnerability in Microsoft Expression Design. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .xpr or .DESIGN file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Microsoft Expression Design could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .xpr or .DESIGN file) from this location that is then loaded by a vulnerable application.

Payload

No specific file payload

Impact

Important - Remote Code Execution

*All results are based on a ChangeBASE Application Compatibility Lab's test portfolio of over 1,000 applications.


For more information, please visit www.changebase.com

 



Why the next app gold rush won't just be on iTunes


In this guest blog post, Gavin Michael, chief technology innovation officer at Accenture, covers the shift from monolithic applications to the Apple App Store style of application deployment.


It is easy to feel gloomy about the past three years, given the lingering economic turmoil across global markets. But through a different lens, it's also quite reasonable to argue that the past 39 months have been one of the most prolific periods of creativity and innovation that mankind has ever seen. As the world has gone mobile, countless apps have been created to quickly, easily and cheaply cater to nearly any conceivable need.

On July 10th, 2008, Apple's App Store debuted on its iTunes platform, providing a marketplace for its still-new iPhone. Less than 1,200 days later, over 500,000 apps are now available for download. This implies that over 415 new apps have been added for every day that the platform has been live. It's not been alone. Google's Android marketplace has over 300,000 apps for it, for example. Whatever the task, "there's an app for that" is increasingly the reply. In a few taps, you can learn how to cook, check-in for your flight, find your car, entertain your children, watch the news, book a meeting, track your run, make a film, improve your golf, balance your budget, or just irritate your friends.

For consumers, the great app rush has delivered enormous new value, with over 15 billion apps installed so far. One fundamental reason behind this success has been the creation of dedicated, easy to use marketplaces that provide a distribution, marketing and sales platform for developers. They allow a lone programmer working weekends to compete squarely against a multinational. Here, the best idea wins, not just the biggest marketing budget.

For CIOs, a similar shift at the enterprise level is starting to drive new approaches to how enterprise applications are created. The era of monolithic applications, with long development and implementation cycles, is rapidly giving way to more flexible and adaptable businesses, dynamically provisioned via the cloud. CIOs will still develop proprietary tools to give their firms a competitive edge, but they will also draw on enterprise app stores to access a growing ecosystem of apps and useful code, supplied by a far wider pool of developers.

In turn, this enables CIOs to start planning a more strategic role. They can become service orchestrators that curate and assemble the most valuable pieces of code, whether from internal development or via app stores, and use that to speed both innovation and implementation. They're still going to build enterprise applications; they're just going to build them differently.

A growing range of enterprise app stores, such as Salesforce.com AppExchange, Intuit's Marketplace or Apperion, among others, are steadily expanding and maturing. As such platforms become more commonplace, CIOs can start to focus more on the core business processes and services that help their firms stand out in the market, rather than worrying about the physical infrastructure to support this. They can focus on services, not servers.

One early example comes from Nongfu Spring, China's largest bottled water company. It has developed a new backend system that can calculate the exact time and cost of any given shipment in just 37 seconds, down from 24 hours previously. This new competitive advantage is given wings by the fact that its 8,000-strong sales team can access it via a simple mobile app, empowering them to give customers information on demand. As this example highlights, CIOs are still going to build enterprise software to give them an edge in their market, but they're going to do it differently than before.

Of course, this shift brings new challenges too. To really tap into this, CIOs will need to decouple their firm's IT architecture, while freeing corporate data to move more easily between applications and the cloud. Interoperability needs to be enabled in application environments that are often heterogeneous. Most importantly, CIOs have to componentize their business model, controlling the processes that matter most, while commoditizing the rest.

All these are significant departures, but they can bring huge benefits. Just as consumers have been able to access apps for all needs, so too will firms. Developers of all shapes and sizes are rapidly creating tools for a range of sectors, with apps emerging for a wide range of needs: tracking electronic medical records, providing customer support, speeding logistics, entering expenses, and far more. These are freeing up CIOs to focus on the services that are core to their competitive advantage. For all else, well, there's an app for that.

Gavin Michael is Chief Technology Innovation Officer at Accenture. Follow Gavin on Twitter @gavinmichael.


Gavin started working for Accenture in 2010. He previously worked at Lloyds Banking Group as the Retail Technology Director. At Lloyds he was also a member of the Retail Bank Board. Prior to this role, he served as CIO of Lloyds TSB - UK Retail Banking & General Insurance. In this capacity, Gavin set the information technology strategy and direction for growing the UK Retail Banking Division and drove strong collaboration and alignment of technology with the business.

 

ChangeBASE Microsoft Patch Tuesday Report 11th October 2011


Application Compatibility Update

By: Greg Lambert

 

Executive Summary

With this October Microsoft Patch Tuesday update, we again see a relatively small set of updates. In total there are eight Microsoft Security Updates, 2 with the rating of Critical and 6 with the rating of Important. This is a moderate update from Microsoft, and the potential impact of the updates is minor.

 

As part of the Patch Tuesday Security Update analysis performed by the ChangeBASE AOK team, we have seen very little cause for potential compatibility issues.

 

Given the nature of the changes and updates included in each of these patches, most systems will require a reboot to successfully implement any and all of the patches and updates released in this October Patch Tuesday release cycle.

 

Sample Results

MS10-028: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution.


 

Testing Summary

 

MS11-075

Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699)

MS11-076

Vulnerability in Windows Media Center Could Allow Remote Code Execution (2604926)

MS11-077

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)

MS11-078

Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)

MS11-079

Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution (2544641)

MS11-080

Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)

MS11-081

Cumulative Security Update for Internet Explorer (2586448)

MS11-082

Vulnerabilities in Host Integration Server Could Allow Denial of Service (2607670)

 


Security Update Detailed Summary

 

MS11-075

Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699)

Description

This security update resolves a privately reported vulnerability in the Microsoft Active Accessibility component. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate file that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, the Microsoft Active Accessibility component could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

Payload

Oleacc.dll, Oleaccrc.dll, Uiautomationcore.dll, Wow_oleacc.dll, Wow_oleaccrc.dll, Wow_uiautomationcore.dll

Impact

Important - Remote Code Execution

 

MS11-076

Vulnerability in Windows Media Center Could Allow Remote Code Execution (2604926)

Description

This security update resolves a publicly disclosed vulnerability in Windows Media Center. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate file that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Media Center could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file.

Payload

Mpeg2data.ax, Msdvbnp.ax, Msnp.ax, Psisdecd.dll, Psisrndr.ax

Impact

Important - Remote Code Execution

 

MS11-077

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)

Description

This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted font file (such as a .fon file) in a network share, a UNC or WebDAV location, or an e-mail attachment. For a remote attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open the specially crafted font file, or open the file as an e-mail attachment.

Payload

Win32k.sys, W32ksign.dll

Impact

Important - Remote Code Execution

 

MS11-078

Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)

Description

This security update resolves a privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

Payload

 N/A

Impact

Critical - Remote Code Execution

 

MS11-079

Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution (2544641)

Description

This security update resolves five privately reported vulnerabilities in Forefront Unified Access Gateway (UAG). The most severe of these vulnerabilities could allow remote code execution if a user visits an affected Web site using a specially crafted URL. However, an attacker would have no way to force users to visit such a Web site. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

Payload

Adfs.internalerror.inc, Adfs.internalsite.de_de.xml, Adfs.internalsite.en_us.xml, Adfs.internalsite.es_es.xml, Adfs.internalsite.fr_fr.xml, Adfs.internalsite.it_it.xml, Adfs.internalsite.ja_jp.xml, Adfs.internalsite.ko_kr.xml, Adfs.internalsite.pt_br.xml, Adfs.internalsite.ru_ru.xml, Adfs.internalsite.zh_cn.xml, Adfs.internalsite.zh_tw.xml, Internalerror.inc, Internalsite.de_de.xml, Internalsite.en_us.xml, Internalsite.es_es.xml, Internalsite.fr_fr.xml, Internalsite.it_it.xml, Internalsite.ja_jp.xml, Internalsite.ko_kr.xml, Internalsite.pt_br.xml, Internalsite.ru_ru.xml, Internalsite.zh_cn.xml, Internalsite.zh_tw.xml, Mobileinternalsite.microsoft.uag.mobilebrowsing.dll, Monitor.default.asp, Monitor.exceltable.asp, Monitor.sessionparameters.asp, Signurl.asp, Whlfilter.dll, Whlfiltsecureremote.dll

Impact

Important - Remote Code Execution

 

MS11-080

Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)

Description

This security update resolves a privately reported vulnerability in the Microsoft Windows Ancillary Function Driver (AFD). The vulnerability could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.

Payload

Afd.sys

Impact

Important - Elevation of Privilege

 

MS11-081

Cumulative Security Update for Internet Explorer (2586448)

Description

This security update resolves eight privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Payload

 N/A

Impact

Critical - Remote Code Execution

 

MS11-082

Vulnerabilities in Host Integration Server Could Allow Denial of Service (2607670)

Description

This security update resolves two publicly disclosed vulnerabilities in Host Integration Server. The vulnerabilities could allow denial of service if a remote attacker sends specially crafted network packets to a Host Integration Server listening on UDP port 1478 or TCP ports 1477 and 1478. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. In this case, the Host Integration Server ports should be blocked from the Internet.

Payload

 N/A

Impact

Important - Denial of Service

 

*All results are based on the AOK Application Compatibility Lab's test portfolio of over 1,000 applications.

IT Departments as business service brokers


In this guest post Dr Katy Ring, director, K2 Advisory looks at how internal IT should refocus, to ensure they make the best use of commodity cloud-based services. She says, "CIOs need to consider to what extent their internal IT department is acting as a service broker." 

We often hear of the potential demise of the IT department within the context of the Cloud. However, CIOs are expecting their IT departments to play a crucial role in ensuring Cloud services actually work within their organisations. In fact, Cloud Computing is redefining IT sourcing services quite significantly. CIOs want outcome-based Cloud contracts from vendors. They want horizontal business process platforms to outsource their non-differentiated systems. And far from outsourcing everything, they are beefing up the in-house integration skills of their IT Departments to act as Business Service Brokers for Cloud-delivered services.

K2 Advisory has just completed a new research study, "Sourcing IT services 'for the journey': The impact of Cloud on Outsourcing." Our research shows that in-house IT is expected to play a pivotal role around Cloud integration. A third of organisations we surveyed are already forging ahead to build their own in-house integration skills for Cloud-delivered services, although 43% of the market do not expect to address integration issues for another one to two years. More than half of CIOs expect their internal IT capability to provide a service integration platform, and skills to provide business agility around the use of Cloud services. This is not something they wish to outsource.

The flexibility of the Cloud is changing the dynamics of outsourcing arrangements. Because of the speed at which services can be provisioned, CIOs need to consider to what extent their internal IT department is acting as a service broker. Understanding how the Cloud ecosystem for IT suppliers and outsourcing providers develops will be fundamental to IT strategies. Although this is currently a nascent area, and not that well understood, we believe it will become increasingly important over the next few years, and is a crucial component of sourcing IT services.

With cost to value ratios enabling organisations to work more nimbly with their suppliers, CIOs want flexible sourcing options, and in particular favour outcome-based contracts from firms supplying Cloud services. Whilst the theory is good, large-scale uptake of these contracts is unlikely in the short term due to levels of vendor risk and lack of experience from both procurement and sourcing advisors.

Over the next two years, the number of CIOs seeking help to integrate SaaS with legacy systems, and/or SaaS, will grow as Cloud strategies develop and usage increases. A third of organisations believe that the real challenge for them could kick in by 2013, while a further 12% expect 2012 to be the year they require assistance. Either way, 2012 will be a pivotal year for many organisations as they look to conduct a sizeable shift towards Cloud services, or as they start to tackle the integration challenges that are emerging following investments made this year and into 2012.

Nearly two-thirds of CIOs would use a business service platform either because it would deliver the most cost-effective solutions in selected non-differentiating areas, such as HR, Payroll, Finance and Procurement, or because it was used by their fellow industry players. There is a clear preference for broad horizontal business services rather than sector-specific capabilities. CIOs are keen to embrace the IT cost reduction in these areas without constraining organisational development. Highly differentiated systems designed to deliver high added value are seen as less of a good fit for standard Cloud delivery.

End user services will also see one of the most rapid moves towards the Cloud in the near term. A small but growing number of organisations in the UK are already using Cloud-delivered desktop services, but an even greater number are looking to make the move. We expect this to happen in the next one to two years. Upgrades to Microsoft Office will serve as a trigger point for considering the transition to Cloud in most organisations.

* K2 Advisory runs the CIO Research Forum, which currently has almost 1200 CIO members. K2 Advisory's research findings are based on 102 responses from CIOs and senior decision makers. Approximately two thirds of respondents were from organisations with more than 1,000 employees and from a variety of industry sectors.

To access the research, contact Dr Katy Ring, director, K2 Advisory

Accenture Chief Technology Innovation Officer argues the case for disconnecting your IT architecture


A few weeks ago Accenture's Gavin Michael wrote on this blog about making information the key requirement of IT. In the blog post below he calls for a change in how IT thinks about itself. I have also explored this topic in the article - Moving to IT 2.0 >>


In the latter part of the 19th century, a technological revolution was steadily gathering speed. Following several crucial breakthroughs, such as the telephone and light bulb, electrification started to spread through cities. By the end of the century, many leading firms had set up their own electricity supplies to power their factories, phasing out steam engines. In 1904, the newly patented power plug and socket was being rapidly adopted. The days of firms having to manage their own electricity supplies were drawing to a close. Business leaders could instead focus on new electricity-based process innovations. A new era had dawned.
 
A century on, a similar revolution is underway. For the past several decades, firms have installed and managed their own server farms to supply computing power for a plethora of business needs. But a range of innovations, loosely termed cloud computing, is promising to render these monolithic internal systems obsolete. Once again, this is freeing businesses to focus on designing new processes and services, fuelled with computing power on tap. The switch from server-centric to service-centric is underway.
 
Although much of this change is understood as cloud computing, there is a bigger story at play: the fundamental re-creation of the enterprise operating model. However defined, the end result is the same: an agile IT function, able to provide faster, cheaper access to computing resources as needed. The case for disconnecting IT architectures and moving to a more agile model is getting stronger by the day. This is being bolstered in particular by the maturing of key supporting technologies, such as Platform as a Service and Software as a Service.
 
Pharmaceutical giant Eli Lilly gives one example of the change this can bring. It is using a cloud service to provide computing resources to its global pool of scientists. In one drug discovery process, it paid just US $89 to analyse a complex dataset, something that would have required buying 25 servers internally. Its setup time for such data analysis had dropped from over seven weeks to just three minutes. 
 
This is an early example of the potential, but it highlights a key change: where CIOs were previously constrained by technology architectures, they are now empowered to think first and foremost about the desired business processes or services. Netflix, the movie rental service in the US, gives a compelling example. The firm is steadily transforming its business from a DVD mailing company into a content streaming one. But rather than building a vast data centre to support this transformation, the firm decided to focus on its core competencies, marketing and recommending compelling content, while relying on the cloud for delivery. Rather than worrying about how to scale up IT capacity, it can instead focus on honing its marketing and service.
 
Today, the business world is only at the outset of this transformation. But some implications are already clear to see, especially for the iPad generation. Need to support a business function? Find or create an appropriate app or service and make it available to them, to use as needed, on whatever systems they use, wherever they are, and however many there are. Liveops is one early example: a specialist, cloud-based call centre provider that links up a virtual army of some 20,000 home workers. Firms like Coca Cola and Kodak, looking to provide a call centre service to clients, can simply tap into this resource and scale it up (or down) in line with demand.
 
All this recasts the CIO as a service orchestrator, rather than a technology supplier that worries about managing server farms. And it allows firms to shift away from simply replicating their old processes in the cloud, to thinking differently about what new business models or processes could be enabled. This creative energy can now be used to find new services that provide a competitive edge, or open up a wholly new niche. Just as the first firms to create electric-powered tools in their factories stole a march on their slower rivals, so too will firms in the disconnected IT era.
 
Gavin Michael is Chief Technology Innovation Officer at Accenture. Follow Gavin on Twitter @gavinmichael


He started working for Accenture in 2010 and previously worked at Lloyds Banking Group as the Retail Technology Director. At Lloyds he was also a member of the Retail Bank Board. Prior to this role, he served as CIO of Lloyds TSB - UK Retail Banking & General Insurance. In this capacity, Gavin set the information technology strategy and direction for growing the UK Retail Banking Division and drove strong collaboration and alignment of technology with the business.
 

Patch Tuesday Report 9th August


Executive Summary

With this August Microsoft Patch Tuesday update, we see a moderate set of updates compared with those released by Microsoft in June and July. In total there are 13 Microsoft Security Updates, rated by Microsoft as follows: 2 Critical, 9 Important and 2 Moderate. Given the scope of this month's update, the ChangeBASE team expects the AOK Automated Patch Impact Assessment to raise a small number of issues. In particular, Microsoft Security Update MS11-060 will require careful testing prior to deployment due to the core operating system DLLs contained within this update.

 

Due to the nature of the changes included in each of these patches, most systems will require a reboot to successfully apply the patches and updates released in this August Patch Tuesday cycle.

 

Sample Results 1: MS11-060 Vulnerability in VISIO Could Allow Remote Code Execution


 

Testing Summary

 

MS11-057

Cumulative Security Update for Internet Explorer (2559049)

MS11-058

Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485)

MS11-059

Vulnerability in Data Access Components Could Allow Remote Code Execution (2560656)

MS11-060

Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2560978)

MS11-061

Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege (2546250)

MS11-062

Vulnerability in Remote Access Service NDISTAPI Driver Could Allow Elevation of Privilege (2566454)

MS11-063

Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2567680)

MS11-064

Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894)

MS11-065

Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (2570222)

MS11-066

Vulnerability in Microsoft Chart Control Could Allow Information Disclosure (2567943)

MS11-067

Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230)

MS11-068

Vulnerability in Windows Kernel Could Allow Denial of Service (2556532)

MS11-069

Vulnerability in .NET Framework Could Allow Information Disclosure (2567951)


Guest blog post: Gavin Michael, CTIO Accenture on the "I" in IT


Data is the number one issue on the CIO agenda this year. The challenge today is managing information, and CIOs who create a data architecture within their enterprise that supports the free flow of information will be winners. In the not too distant past, all the data an enterprise needed was generated within its four walls. Now CIOs need to think about data in terms of the broader ecosystem that surrounds their organisation. They need to understand and analyse data from Facebook, Twitter and a raft of other external sources. Also, many of the existing architectures within organisations are not able to support the exponential increases in data and variety of sources and data structures, and the cracks are starting to show.
 
To prevent these cracks deepening, organisations will be forced to go back to basics and rebuild their data platform from the foundations up. CIOs will need to think about data as a new platform.  It's not just about handling data growth and volume in terms of storage, processing power, cost, etc, it is imperative to derive value from it too.
 
A good foundation will consist of data models, data architectures, storage architectures and strong data governance (including governance of data quality). But the platform will only be effective if it allows the free flow of information around the enterprise, and can handle traditional structured data as well as unstructured data.
 
With distributed data being the new normal, the data governance function now also needs to take a more pragmatic view of data quality. The growing availability of external data sources, including social media sites, means that not all data will be of a verifiable standard. The governance function needs to determine when accuracy is needed and when "good enough" is sufficient.
 
Business leaders are also realising that timely data and analytics can create a strong competitive advantage for their organisation. This is particularly true in the financial services, telecoms and retail sectors. And it is necessary that the new data platforms provide insights in a timely fashion. In the current competitive environment, timeliness is often the difference between prospering and folding.  Companies that get it right will be able to provide a richer set of services at the right time to customers. They will be able to differentiate themselves in the eyes of their customers in a way that companies which have not dealt with this issue cannot. Having the right data platform will become a strong business driver for the way in which innovation and growth are delivered, and companies that make the investment will pull away from those who are still floundering.
 
As well as putting the right technology in place, the evolution of data as a platform also requires today's CIOs to identify the skills within the organisation to be able to deal with new data models and data governance.  When it comes to building this new platform, it is critical that not only the CIO, but the business users are also actively involved every step of the way. Building a new data platform is not just a technology issue; it is a business issue too.
 
The CIO's role in this important transition is vital. We are seeing the CIO becoming less of the supplier of technology services and more of an orchestrator. We are seeing a shift towards business outcomes rather than just driving technology operations. This is all part of the CIO becoming a true business leader; being able to understand, on one hand, the value that the data can provide to the organisation and, on the other hand, being able to deliver a set of services that can extract that value.

Gavin Michael is Chief Technology Innovation Officer at Accenture. Follow Gavin on Twitter @gavinmichael.

Gavin started working for Accenture in 2010. He previously worked at Lloyds Banking Group as the Retail Technology Director. At Lloyds he was also a member of the Retail Bank Board. Prior to this role, he served as CIO of Lloyds TSB - UK Retail Banking & General Insurance. In this capacity, Gavin set the information technology strategy and direction for growing the UK Retail Banking Division and drove strong collaboration and alignment of technology with the business.

About this Archive

This page is an archive of recent entries in the Guest Blog category.
