Reporting on Vista Security and the VS Road Map

Investigate a familiar Vista security flaw, and check out what lies ahead for Visual Studio.

After issuing an out-of-cycle fix for a highly critical Windows flaw targeting .ani animation files earlier this month, Microsoft seems to have had some bad luck regarding that fix breaking a small number of applications. While the applications broken tend not to be critical ones, Microsoft has rushed to release an update for at least one of them.

It also arose that this problem had been found and addressed more than two years ago in other versions of Windows as Microsoft Security Bulletin MS05-002.

In fact, this series of patches went with a long list of operating systems, including Windows XP, Windows NT Server 3.0, Windows Server 2003, Windows 2000, and the 64-bit editions of both XP and Server 2003. All of them had the animated cursor vulnerability.

Microsoft acknowledged that the development teams reused the older code in the cursor animation for Windows Vista. This is not a crime, but it is interesting that somehow the patch was not migrated with the original source code. It seems to indicate that there is a hole in Microsoft's much-heralded Security Development Lifecycle (SDL), which promised to significantly reduce security vulnerabilities through the use of structured reviews and automated attacks.

Microsoft is looking into how this particular vulnerability, but not the patch fixing it, may have made it through the SDL, but notes that no process can guarantee security with complete confidence.

Visual Studio Orcas and Rosario Updates
At VSLive! San Francisco at the end of March, Redmond Report and Visual Studio Magazine editors sat down with Prashant Sridharan, Senior Product Manager for Visual Studio and keynote speaker at the event, to discuss the future of Visual Studio. The upcoming release, code-named Orcas, will include the .NET Framework version 3.5, said Sridharan, as well as development tools for LINQ, the language for accessing databases as first-class programming citizens.

Orcas will also include refactoring for Visual Basic and support for all of the new Vista APIs, which came out after the release of the current Visual Studio 2005. Sridharan also noted that APIs would be tagged as "red bits" or "green bits." Green bits are interfaces that will remain unchanged over time, while red bits may have to change in future releases. This enables developers to tag the APIs they use so that they can better understand what code might be deprecated in the future.

Rosario, with the first community beta due at the end of 2007, is a Visual Studio Team System (VSTS) update, with new organization collaboration features. Sridharan pointed out that Microsoft's research showed that 60-70 percent of all Visual Studio users are also VSTS users, so regular updates and enhancements to that product are an important part of the Microsoft developer strategy.

In addition to new tools for collaboration beyond the development team and into all parts of the software development life cycle, Rosario will incorporate more features for QA testers, including a new functional testing tool. It will also incorporate better analysis tools for developers, such as an implementation of McCabe's cyclomatic complexity. McCabe provides for a way of quantifying the complexity of an application based on the number of independent paths through the system, and the probability of fixing a bug with the side effect of introducing regressions in that code.

Visual Studio Tools for Applications
At VSLive! Redmond Report and Visual Studio Magazine editors also spoke with K.D. Hallman, the Microsoft general manager for the Visual Studio team responsible for Visual Studio Tools for Office System (VSTO) and Visual Studio Tools for Applications (VSTA). In her keynote, K.D. announced the VSTA, a binary kit that developers can license for their own applications so that buyers can use Visual Studio to customize the product.

This goes one step beyond the Office tools, explains Hallman. It lets buyers of the product incorporating VSTA to use Visual Studio, along with C# or Visual Basic, to customize or write applications based on that product. Such a capability is a valuable addition to enterprise applications like CRM suites, which often require customization to fit the needs of a specific organization.

About the Author

Peter Varhol is the executive editor, reviews of Redmond magazine and has more than 20 years of experience as a software developer, software product manager and technology writer. He has graduate degrees in computer science and mathematics, and has taught both subjects at the university level.

comments powered by Disqus


Subscribe on YouTube