To Microsoft (from me)

Good afternoon.

I was working in remote desktop to an online web server whilst trying to troubleshoot a problem I was having with a website but then left remote desktop inactive (still open and logged in) whilst I read some articles on my current machine through a web browser.

The timeout on inactivity is quite short (maybe 10 minutes or so) for the remote desktop and i was away from remote desktop for at least an hour.

However a rather worrying sight was presented to me when I realised it (remote desktop) was still open. When I made the window active again it had an “End Program” dialog for a program that had problems ending itself (this was probably due to remote desktop trying to terminate my session). Now the problem here is that when you click “Cancel” instead of “End Now” the dialog disappears and the remote desktop session is not terminated (i.e. I’m still logged in).

Obviously this could result in a catastrophic event occurring where (if someone left a machine with remote desktop open and logged in) another person could come onto the client machine and essentially have full reign over the entire remote system, causing serious damage (re-format, install virus, etc..).

Some key information which may be of use to you is:

• Machine is running – Windows Server 2003 Standard Edition with Service Pack 2
• Program which would not close – ClamWin (update module I believe it was)
• Client remote desktop version – 6.1.7600.16385 (win7_rtm.090713-1255)
• Logged into client machine (running under a domain) under registered NT Account with Administrative capabilities
• Logged in (through remote desktop) as Administrator

I hope this helps and if I can be of any more assistance, please contact me.

Kind regards
Daniel Richardson

From Microsoft (to Me)

Hello Dan,

Thank you for your message. This is not something that we would consider to be a security vulnerability. One of the major questions here is “how would an attacker leverage this to compromise the system?” In this situation, I believe the attacker would require physical access to the system which violates the 10 Immutable Laws of Security which is available at http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx. Additionally, Terminal Services on Windows Server 2003 allows configuration that will force programs to shutdown based on various criteria. An article on configuring this is available at http://technet.microsoft.com/en-us/library/cc787183(WS.10).aspx .

If you have additional information or believe that we mis-read something in your report, please let me know.

Best Regards,
Nate

I’m really liking my new design (if I may say so myself!), and I cannot wait to get it marked up and online. It’s not going to be fully active right away as I plan to learn and re-program it all in Ruby (on rails).

The most exciting part of this overhaul is the new “code” section. In my day-to-day job with Skylight Media, I come across lots of instances where I need/WANT to learn new/better/faster ways of doing things. I will be mainly focusing the code section on jQuery though as i absolutely love this library and constantly find myself writing a wide range of small and big plugins to make my everyday job easier.
One of my first posts on the new site will be of an image plugin I recently made for a Skylight Media client Rachel Ellen. Not another I hear you say, but this one I believe is pretty unique and is pretty scalable, best of all it rocks! :p

Keep your eyes peeled as hopefully something will be online soon! :)

Dan

The rowing and bike times for yesterday are:

Cycling 10km – 15:12 – NEW RECORD
Rowing 2000m – 8:21 – NEW RECORD

Adding to my “Cardio Tuesday’s”, i’m going to attempt the 5km run every month around the same day, and try and improve my time each month, my goal being 15 mins. All this is in an attempt to raise my fitness levels for a half/full marathon this year, not sure which one yet, will have to start looking into it VERY soon though.

Giving myself ~1 hour at the gym, i’m going/have stareted doing bike, followed by rowing and then running.

I’m going to be doing

• interval training for 10km on bike
• 2000m on the rower on level 9 of 10 (older version of this Concept 2 rower)
• running for 15 minutes
  

I will be posting my times/distances managed each week, starting with today’s!

Results

Bike (time taken to do 10km) : 16 minutes – Average of 37.5km/h

Rower (time taken to do 2000m): 8 minutes, 42 seconds – Average of 3.83m/s

Run (for 15 minutes): 3.km – Average of 12km/h

So far i’m quite liking what I see and some of it’s in-built functionality looks pretty darn sweet. I’m very much liking the scaffold command to do a quick & dirty table manipulation setup.

I’m reading a really nice simple beginner’s guide on sitepoint (which can be found here) which set’s a good understanding to the basics of Ruby On Rails.

Will probably be playing more with Ruby On Rails over the christmas period (or at least until my xbox comes back from Microsoft after its RRoD :( ), so will keep an update on here as to how I’m getting on with it.

Knowing i needed to add a “getUrl()” function and “onRelease” event handler for the dynamic movie clips, I thought to myself “what would be the easiest was to do this…”

With the clips being made inside a simple for loop, i hoped the data being pulled from the array would be retained and correct for when the event handler was eventually triggered (optimistic i know!). If you hadn’t already guessed this didn’t work, so off i went thinking how i can have the right data when the event handler fires.

After a little while and tinkering with my code i finally figured out a solution. When attaching the movieClip you can store the instance in a variable and then set a variable inside the movie clip. When the event handler is triggered it simply calls “this.linkTo” (”this”, referring to the movieClip, and “linkTo” refferring to the variable) as the getURL() address parameter

The code snippet for this is:

// Create new instance of the Section_Title movie clip
var SectionTitle = attachMovie("Section_Title", Sections[ii][0], ii, { _x:-230, _y:_yPos });

// Set a variable for this movie clip for the navigate link
SectionTitle.linkTo = Sections[ii][2];

// Create event handler for the click release
SectionTitle.onRelease = function(){
// Goto page save in thje movie clip linkTo variable
getURL(this.linkTo);
}