VFP6 security patch via Setup Wizard
08/01/2003 01:21:45
General information
Forum: Visual FoxPro
Category: Installation, Setup and Configuration
Miscellaneous
Thread ID: 00737599
Message ID: 00739590
Views: 21
John,

The advpack.dll problem I previously reported was on a Windows 95 machine, not Windows 98. Also note that VFP's registry class only supports REG_SZ, not the required REG_DWORD flavor, so this presents something of an obstacle to me and others who are not wizards of registry manipulation.

I just tried running my setup on another Windows 95 machine, including a post-setup executable that invokes the Microsoft-supplied VFP6 security patch. Everything seems to have run smoothly, including the PSE, and completing with the setup's standard final step of rebooting the system for changes to take effect. An examination of the registry after rebooting confirmed the expected entry indicating that the Q326568 patch had indeed been applied, and all indications are that the application and its required DLLs were properly installed.

However, there seems to be a problem with the security patch. In Windows Explorer, I looked to see if the "Confirm open after downloading" option was checked for .APP files, and discovered to my surprise that it wasn't, despite the fact that the registry contained the expected entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\VFPODBC\Q326568. I'm just guessing, but could it be that the patch must be run AFTER the installation completes with a reboot? That would seem to imply that nothing I do in the PSE would matter, whether I run vfp_q326568_en.exe or manipulate the registry directly in my PSE.

I did try running vfp_q326568_en.exe again, manually, and sure enough, that caused the "Confirm open after downloading" box to be checked. The problem, though, is that this is not getting done properly in an automated setup, so I guess that one is obliged to perform the necessary registry change in the application itself. Would you please look into this and confirm my conclusions? Also, I'd still appreciate it if you could supply the necessary VFP code to perform this registry setting.

Mike

>Hi Mike,
>
>I'll pass on the issue about advpack.dll and Win98. Thanks for letting me know about that.
>
>Meanwhile, the main issue of the patch is a registry entry. In the entry HKEY_CLASSES_ROOT\Visual.FoxPro.Application.6 is the name EditFlags with data set at REG_BINARY 00 00 01 00. For maximum security, this value should actually be set to 00 00 00 00. This is what the patch does and nothing more.
>
>This has the same effect as setting confirmations for any file types using the UI for Folder Options.
>
>So, the upshot here is that if you put code in your app Main or in a VFP-based post-setup executable to look for this registry entry and change it as indicated (perhaps using the FFC reg classes), the problem goes away.
>
>Simply changing this reg entry in your Fox code should resolve your issue. Please let me know if this helps.
>
>
>
>>Thanks for replying. I gathered that something along these lines would be required, and tried what you suggested. (The /Q option is the one required to run the patch quietly.) Unfortunately, it seems that one cannot pass any arguments to a post-setup executable, contrary to what the VFP Help file says about this.
>>
>>I got around that limitation by creating a VFP-based PSE and having it invoke the patch via a RUN command. In my testing on an old Windows 95 machine, however, I encountered an error when the patch was run, with the complaint "Advpack.dll is required to install on this system". That's interesting, because an examination of vfp_q326568_en.exe via WinZip reveals that it contains advpack.dll, along with 2 smaller DLLs.
>>
>>So I tried extracting these DLLs and incorporating them into the Setup Wizard's list of files in the distribution directory, and I told the Setup Wizard to install these in the Windows system directory. I also kept the PSE logic that invokes vfp_q326568_en.exe as well. Sorry to say, that did not work: it still gripes that advpack.dll is required.
>>
>>All of this seems like quite a headache, considering that the net effect is supposed to be equivalent to simply checking the "Confirm open after download" box for .APP files, or making a tiny adjustment in the registry. I realize that you guys are busy getting VFP8 ready, but you do still support VFP6, and most people are still using it, n'est ce pas? It would sure be great if, short of actually fixing the Setup Wizard, you could supply the VFP code to perform the registry update directly in a post-setup executable.
>>
>>Mike
>>
>>>Hi Mike,
>>>
>>>The patch does registry entry adjustments and does not modify any EXEs or DLLs, so the answer is that Setups created are not "patched". After you have applied the patch, when you create future setups, you can include the EXE into your setup as the "post-installation executable" and run it in silent mode (run the patch EXE with /? or /Help for details on silent mode).
>>>
>>>
>>>>
>>>>I wonder if you could clarify whether the VFP6 security patch referred to in Q326568 - MS02-049 affects runtime distributions made via the Setup Wizard. I.e. if I build a setup.exe via the Wizard after applying the patch on my own development system, does this fix get installed on the end user's machine when they run my setup program? The KB article and TechNet Security Bulletin are not altogether clear on this point.
>>>>
>>>>Thanks,
>>>>
>>>>Mike
Montage

"Free at last..."
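
The registry change described in the quoted reply (EditFlags under HKEY_CLASSES_ROOT\Visual.FoxPro.Application.6 set to REG_BINARY 00 00 00 00), written as an added example that is not code from either poster or from Microsoft. It calls the Win32 registry API through DECLARE, so it does not depend on the REG_SZ-only registry class mentioned above; the function names HardenEditFlags and EditFlagsMatch are hypothetical, and the return codes are this example's own convention.

```foxpro
* Added example, not from the thread: check and set EditFlags via the Win32 registry API.
#DEFINE HKEY_CLASSES_ROOT  -2147483648  && 0x80000000 as a signed 32-bit integer
#DEFINE KEY_QUERY_SET      3            && KEY_QUERY_VALUE (1) + KEY_SET_VALUE (2)
#DEFINE REG_BINARY         3
#DEFINE ERROR_SUCCESS      0

* Main: 0 = already confirmed, 1 = changed and verified, negative = failure
? HardenEditFlags("Visual.FoxPro.Application.6")

FUNCTION HardenEditFlags
LPARAMETERS tcProgID
LOCAL lnKey, lcWanted, lnResult
DECLARE INTEGER RegOpenKeyEx IN advapi32 INTEGER hKey, STRING lpSubKey, ;
    INTEGER ulOptions, INTEGER samDesired, INTEGER @phkResult
DECLARE INTEGER RegQueryValueEx IN advapi32 INTEGER hKey, STRING lpValueName, ;
    INTEGER lpReserved, INTEGER @lpType, STRING @lpData, INTEGER @lpcbData
DECLARE INTEGER RegSetValueEx IN advapi32 INTEGER hKey, STRING lpValueName, ;
    INTEGER Reserved, INTEGER dwType, STRING lpData, INTEGER cbData
DECLARE INTEGER RegCloseKey IN advapi32 INTEGER hKey

lnKey = 0
IF RegOpenKeyEx(HKEY_CLASSES_ROOT, tcProgID, 0, KEY_QUERY_SET, @lnKey) # ERROR_SUCCESS
    RETURN -1    && key missing or not writable for this user
ENDIF
lcWanted = REPLICATE(CHR(0), 4)    && REG_BINARY 00 00 00 00
DO CASE
CASE EditFlagsMatch(lnKey, lcWanted)
    lnResult = 0
CASE RegSetValueEx(lnKey, "EditFlags", 0, REG_BINARY, lcWanted, 4) # ERROR_SUCCESS
    lnResult = -2
CASE EditFlagsMatch(lnKey, lcWanted)    && read back instead of trusting the write
    lnResult = 1
OTHERWISE
    lnResult = -3
ENDCASE
= RegCloseKey(lnKey)
RETURN lnResult
ENDFUNC

FUNCTION EditFlagsMatch
LPARAMETERS tnKey, tcWanted
LOCAL lnType, lcData, lnSize
lnType = 0
lcData = REPLICATE(CHR(0), 16)    && buffer larger than the 4 bytes expected
lnSize = LEN(lcData)
IF RegQueryValueEx(tnKey, "EditFlags", 0, @lnType, @lcData, @lnSize) # ERROR_SUCCESS
    RETURN .F.
ENDIF
RETURN lnType = REG_BINARY AND lnSize = LEN(tcWanted) AND LEFT(lcData, lnSize) == tcWanted
ENDFUNC
```

Called from the application's Main or from a VFP-based post-setup executable, as the reply suggests, the function reads the value back after writing it, so a negative result shows that the setting did not take effect.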