Cooperation between Sun Microsystems and Microsoft probably won’t drastically alter the information technology landscape, analysts and IT professionals say, but it should eliminate some integration headaches.

Last month’s historic agreement between the two computing giants is most likely to create near-term progress in two areas: identification and directory services, and Web services.

Further down the road, look for better communication between servers running Windows and Sun’s Solaris version of Unix. And Sun’s StarOffice productivity package might get better at parsing documents created by Microsoft’s Office software.

“I think the benefits to customers are pretty obvious. It’s going to be easier to mix and match these environments,” said John Fowler, Sun’s chief technology officer for software.

The two companies had been “at a high state of acrimony for a long period of time, and we’ve had to do lots of reverse engineering in our products up to now to make them work with Microsoft products,” Fowler added. “Now we can make products work together in a much more direct way.”

A Microsoft representative would only e-mail a company statement on the matter: “The announcement laid the foundation for closer collaboration at various levels within the companies, though at this point it is very early to speculate as to specific impact this may have on various products, standards and pending benefits as they relate to different customers and their unique needs.”

Directory structures up first
Besides settling pending litigation between the companies, the Sun-Microsoft agreement commits the companies to sharing unspecified technologies and cross-licensing patents, with the goal of improving interoperability between systems.

Initial efforts will be focused on directory structures, identity services and communications protocols, Fowler said, to make it easier for Windows clients to sign on and share data with Sun servers.

“We can do a lot of that now,” he said, “but having an agreement to (go) after some of the more esoteric parts of Kerberos authentication, for example, would help.”

Directory compatibility is at the top of IT administrators’ wish lists. Sun servers use the Lightweight Directory Access Protocol (LDAP) standard, while Windows relies on Microsoft’s proprietary Active Directory protocols. Allowing Sun to poke around with Active Directory should lower the technical hurdles to signing on users between Sun and Microsoft systems, said Brian Conlon, chief information officer for global law firm Howrey Simon Arnold & White.

“I’m pleased at where they’re focusing their initial efforts, on identity management and the authentication and single-sign-on issue,” Conlon said. “If we can have a single facility or service for access control on customer-facing services and portals, that would save some trouble.”

Best online Microsoft MCTS Training, Microsoft MCITP Training at certkingdom.com

Tony Scott, chief information officer for General Motors’ information systems and services division, agreed that better directory interoperability will have immediate payoffs.

“We have Microsoft everywhere on the desktop, and Sun LDAP directory (on Unix systems), so we have Active Directory and Sun LDAP integration work between the two that we have to do on a one-off, case-by-case basis,” he said. “This is a perfect case where they can do that work for us and make that just plug in and work. We’ll be delighted if they can pull that off. We would rather spend the money on manufacturing or designing a new car.”

Web services in the wings
A little further into the future, Web services is likely to be a focus of Sun-Microsoft cooperation. Microsoft will continue to promote its .Net software for creating Web-based applications. And Sun will keep pushing its Java language, which is incompatible with Microsoft’s .Net.

But, Fowler said, the formats can be made to work together better, building on work being done by the Web Services Interoperability Group.

“We’re looking at how can we go beyond that, whether that’s standards we promulgate together or active cooperation on products,” Fowler said. “We’re still competitors–we’re not here to promote .Net. But we have to realize our customers need to work in a mixed world.”

Gordon Haff, an analyst for research firm Illuminata, said there will continue to be a basic Web services split between Sun and Microsoft on developers tools–Microsoft’s C# versus Sun’s Java–but customers increasingly expect the resulting applications to work together.

“You may very well continue to have multiple ways of developing applications,” Haff said. “The important thing is, can those applications talk to each other on a meaningful level? That’s going to happen at some level because customers are demanding it. They’re saying, and rightly so, that the underlying details of how Web services are implemented shouldn’t really matter that much.”

And the big computing companies need to listen to customers, said analyst Matt Rosoff, as it becomes increasingly difficult to push new technology.

“It’s getting harder and harder with each passing year to explain to businesses why they should upgrade,” said Rosoff, an analyst for research firm Directions on Microsoft. “Sun and Microsoft understand they’re in the same boat. They’re thinking about what do they need to do to really compel upgrades, and interoperability is a big part of that.”

Law firm CIO Conlon said that his company has focused on Java for initial work on Web services but that compatibility with .Net would provide useful reassurance going forward.

“If they can agree on a Web services framework, I think that would be a real plus,” he said. “Our target architecture is a Java-based one–there’s just more third-party support for it…But it would be good to know our choices aren’t going to be limited.”

Solaris waiting on the bench?
Besides general directory and identity improvements, analysts also see a good chance for increased links between Solaris and Windows. Solaris-specific connections to Windows technology would serve Sun’s interests by giving Solaris another distinction from Linux, said Stephen O’Grady, an analyst for research firm Red Monk. And anything that slows Linux is likely to appeal to Microsoft.

“That’s a scenario where the win-win is pretty clear,” O’Grady said. “Sun does need to have more to differentiate Solaris against Linux, and Microsoft wants to play more effectively in higher-end computing tasks.” The ability to function alongside Solaris would be a compelling pitch for Microsoft, he said.

StarOffice is likely to be a thornier issue, O’Grady said. Sun no doubt would like full access to the file formats used by Microsoft Office. StarOffice can read and manipulate Microsoft-generated documents now, but complex formatting or the presence of “macros”–mini-programs used to automate common tasks–can cause StarOffice to choke on a document.

“I do think there’ll be some degree of exchange on Office formats…but I don’t see Microsoft giving up that stuff lightly,” O’Grady said, adding that pressure from the European Union and other regulators could force Microsoft’s hand. “Microsoft isn’t going to just hand over the formats and fall into lockstep with StarOffice, but external factors could play a role there.”

Sun’s Fowler said StarOffice already has solid compatibility with Microsoft Office formats and won’t be a focus of initial efforts between the companies.

Rosoff said Sun is unlikely to push the Office issue, instead treating the Microsoft deal as an opportunity to shore up its server business and back away from desktop ambitions. “I think Sun might look at the desktop business and re-evaluate the viability of that business,” he said. “My suspicion has been Sun got into that business mainly to be a thorn in Microsoft’s side…Now they have a way to back out and refocus on the back-end stuff, where their strength is.”

Recently, Microsoft announced yet another security vulnerability. Yes, I know that Microsoft announces new security vulnerabilities every week, but this one requires your immediate attention. It’s a critical vulnerability that allows remote code execution on quite a few different Microsoft operating systems. I will explain the component affected by this vulnerability and show you how to keep your system safe.

ASN.1 library
The reason why the security hole affects so many different systems is because the bug exists within an ASN.1 library. ASN (Abstract Syntax Notation) is a set of data standards and devices. ASN.1, on the other hand, is a programming language used for defining various standards with no regard for how those standards will be implemented.

To get an idea of how ASN.1 works, think of the C programming language. You can write C code all day long, but not one line of that code is executable until the code is compiled. In order to compile the code, you need a compiler. There is no one standard C compiler. Instead, there are compilers for different platforms. For example, there are X86 compilers that compile C code to run on Intel processors. There are also Macintosh compilers that compile C code to run on Macintosh machines. The C code will remain the same regardless of which platform uses it. It’s up to the compiler to translate that code into something that a specific computer type understands.

Best online Microsoft MCTS Training, Microsoft MCITP Training at certkingdom.com

ASN.1 works exactly the same way. Like C, ASN.1 is a high-level programming language that also has lots of different libraries that can be referenced. ASN.1 code is used to develop various commonly used standards. The ASN.1 code is then compiled and implemented as a part of various operating systems.
Common ASN.1 standards
Even if you have never heard of ASN.1, you are no doubt familiar with some of the standards that are written in ASN.1. These standards include X.400 (an electronic messaging standard implemented in Microsoft Exchange), X.500 (a Directory Services standard used by Active Directory), X.200 (a network communications standard), Light Weight Directory Access Protocol (LDAP, the protocol used for Active Directory Access), and many others.
My point is that ASN.1 is heavily used by Microsoft operating systems. Unfortunately, the recently discovered security vulnerability exists within the Microsoft ASN.1 libraries. This means that any code based on certain ASN.1 libraries is affected by the bug, making it very widespread.

Unchecked buffer vulnerability
Like so many other Microsoft security vulnerabilities, this particular security problem involves an unchecked buffer. An unchecked buffer implies the problem code does not take steps to monitor the contents of a buffer. If too much data is crammed into the buffer, the buffer will overflow and in doing so will expose the data that was previously contained within the buffer.

Hackers could then examine this data and use it to gain full administrative access to a system. Using this access, they could install applications, view, modify, or delete data. An attacker could even create a brand new account with full administrative privileges.

Under normal conditions, the chances of this particular buffer overflowing on its own are pretty slim. However, if a hacker knows the specific details of the buffer, they could easily write a small program whose sole purpose is to flood it, causing the dreaded buffer overflow.

Now that you know how the security vulnerability works, you are probably wondering which Microsoft products are vulnerable and what you can do about the problem. In the sections below, I will address each product individually.

Windows NT
If you are still running Microsoft Windows NT 4.0, you are in a unique situation. None of the versions of Windows NT 4.0 install the affected code by default. Ironically, the affected code is installed into Windows NT as a part of a hot fix (MS03-041). If you haven’t installed this particular update, then you may not be affected by this problem. However, it is possible that other hot fixes might have installed the problem code. The only way to tell for sure is to search your system’s hard drive for a file named MSASN1.DLL. If this file exists, then you will need the update. The actual update that you apply will differ depending on the version of Windows NT 4.0 you are running. Here is a list of the various versions of Windows NT 4.0 and the locations of their respective updates:

* Windows NT Workstation 4.0 Service Pack 6A
* Windows NT Server 4.0 Service Pack 6A
* Windows NT Server 4.0 Terminal Server Edition Service Pack 6

Windows 2000
As with Windows NT, a default implementation of Windows 2000 Server or Windows 2000 Professional does not contain the security vulnerability. Instead, the vulnerability was introduced into these operating systems through service packs. Any machine running Windows 2000 Server or Windows 2000 Professional with Service Pack numbers two, three, or four are affected. Microsoft does intend to correct this issue in Service Pack five. In the mean time however, it is necessary to download and apply a fix. You can get the necessary fix from the Microsoft Download Center.

Windows XP
Windows XP is affected by the problem whether a service pack is installed or not. Both the Home and Professional versions are affected, as are the 32-bit and the 64-bit versions. If you are running the 64-bit version of Windows XP, then be sure to check out the section below on Windows Server 2003, because 64-bit versions of Windows XP use the same fix as the 64-bit version of Windows Server 2003.

Microsoft plans to include a fix for this vulnerability in Windows XP Service Pack two. In the meantime you should implement a patch to remove the vulnerability. Users of the 32-bit version of Windows XP can get the patch from the Microsoft Download Center. If you are running the 64-bit edition of Windows XP with Service Pack one, you can also get the necessary update from the Download Center. The same goes for users of the 64-bit version of Windows XP version 2003 with Service Pack one.

Windows Server 2003
As luck would have it, Windows Server 2003, the newest and supposedly most secure version of Windows in existence is also affected by this vulnerability. Because Windows Server 2003 is so new, there are currently no service packs to worry about, but Microsoft has committed to including a fix for this vulnerability in Service Pack one. In the meantime, you will want to apply a fix to get rid of the vulnerability. As with Windows XP, the fix that you will apply depends on whether you are using the 32-bit version or the 64-bit version.

Still not sure?
If you are still in doubt as to whether or not you need a fix and which fix you need, then I recommend downloading the Microsoft Baseline Security Advisor. This utility will analyze your system and tell you exactly what security patches are required.