Entries Tagged as 'News & Gossip'

ColdFusion 9 Tutorials and Resources

ColdFusion , News & Gossip 4 Comments »

I was about to start compiling a list of useful links to info and tutorials for CF9 and CFBuilder, but it seems someone has beaten me to it, so rather than re-invent the wheel I will just link to this chap's page and save myself some work :-) If you are looking to find out what is new in CF9 and how to do it, this is worth reading.

 

 

A few of my favourite new features are below. Of course, I tend to look at things from a host's perspective these days rather than a developer's, seeing as I don't do a lot of coding anymore.

Most of these improvements are especially great for me because I actually had discussions with Adobe some years ago about what improvements needed to be made to ColdFusion to make it more suitable for shared hosting and explained how they needed to work, and these are areas I specifically addressed, so it seems that finally they did listen to me.

 

  • View Undelivered Mail
    This new feature allows you to browse mail sitting in the undelivered folder and then delete or respool them. This is handy for manual checking or on a dev machine. Currently my company has a custom script that automatically respools all undelivered mail for 24 hours, and then deletes them, which is very useful in a shared hosting environment otherwise the undelivered folder regularly fills up. It is a shame Adobe didn't have the foresight to add this kind of automation as well, but at least the viewer allows an easy way to find missing emails.
  • Application Specific Datasources
    This is a real code saver and somewhat of a security benefit as well. With this new "this.datasource" application property you can set an application-wide datasource, thus negating the need to specify the DSN in every query. A full review of this feature can be found on Ben Nadel's blog.
  • Server Manager
    ColdFusion 8 introduced server monitoring for single and multiple servers via a Flex based app which provided access to all sorts of ColdFusion internals, alerts, proactive problem management, and more.
    ColdFusion 9 takes this a big step further with a new tool called "ColdFusion Server Manager". This AIR based application allows you to monitor as many servers as needed (including individual ColdFusion instances on a multi-instance configuration) and even offers pop-up alerts when issues occur, it allows for remote server configuration (define a data source, for example), it also allows for settings to be applied to multiple servers at once, it can clear the template caches, it can upload hot-fixes to one or more servers, and it even allows you to select two ColdFusion servers to compare their configuration settings, highlighting any differences between them.
    Oh, and before you ask, here are answers to the three most commonly asked questions.

    1. No, this is not a separately sold utility, it is part of ColdFusion itself (and installed via a link in the ColdFusion Administrator).
    2. ColdFusion Server Manager uses APIs added to ColdFusion 9, so no, this will not work with ColdFusion 8 or earlier.
    3. Adobe have not made any decisions yet as to product edition, so no decision as to whether this is an Enterprise only feature or not.
  • Server Security
    One of my big issues has always been ColdFusion's security, or rather lack thereof. You need the enterprise edition to get security sandboxes and these only sandbox CFML code, if someone writes some Java code into their CFML pages they can completely bypass the sandbox and do whatever they like, which actually makes ColdFusion one of the most insecure application servers out there in a shared hosting environment as PHP, ASP and .NET do not suffer from this problem.
    This has supposedly now been addressed with ColdFusion 9 now allowing you to restrict access to certain Java functionality. I have not yet looked into this, and as no-one else seems to have written an article on this particular area yet I may as well do so, so a more detailed tutorial on this subject will be coming soon.
  • 64bit ColdFusion for all
    Up till now, 64bit ColdFusion has only been available to ColdFusion Enterprise customers. This will (thankfully) change in ColdFusion 9, and all customers will have access to 32bit or 64bit versions, regardless of edition. Groovy!

Windows Live Writer overwrites images

Jibber Jabber , News & Gossip 1 Comment »

I have just noticed a very annoying bug in Live Writer, which is why you may have received multiple copies of my last posts. After I had posted those last 2 articles, I noticed they both had the same images, even though they clearly didn't when I posted them. It seems that if you paste in an image from the clipboard, Live Writer will name it image.png by default and the thumbnail will be image_thumb.png. It will not create a unique filename, and thus will simply overwrite any existing images with the same name, messing up all your previous blog posts with images, not to mention that if you have multiple images in your current post, they will all end up as the same image.

I presume this bug must have been added to the latest release (2009) as I have not noticed it previously.

 

I have however found the following temporary fix on the Windows Live Writer Blog

 

Open HKCU\Software\Microsoft\Windows Live\Writer\Weblogs\{blog-id}\UserOptionOverrides\, where {blog-id} is a GUID. You will have several of these, but should be able to tell the right one by looking at the contents of the key.

Add a new String value with name “fileUploadNameFormat” (case matters!!) and the value
{WindowsLiveWriter}/{PostTitle}/{Randomizer}/{AsciiFileName}
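
The registry change above as a PowerShell script (an added example, not from the original post or the Windows Live Writer Blog). The `-BlogId` parameter is an assumption of this script: run it without the parameter to list each blog key's contents, then run it again with the GUID you picked.

```powershell
# Added example: applies the fileUploadNameFormat override described above.
# -BlogId is this script's own parameter (the GUID subkey name under Weblogs).
param([string]$BlogId)

$weblogs = 'HKCU:\Software\Microsoft\Windows Live\Writer\Weblogs'
$name    = 'fileUploadNameFormat'   # case matters, per the post
$format  = '{WindowsLiveWriter}/{PostTitle}/{Randomizer}/{AsciiFileName}'

if (-not (Test-Path -LiteralPath $weblogs)) {
    throw "No Live Writer weblog settings found under $weblogs"
}

if (-not $BlogId) {
    # No blog chosen yet: print every GUID key with its values so the
    # right one can be identified from its contents.
    Get-ChildItem -LiteralPath $weblogs | ForEach-Object {
        $key = $_
        Write-Output "== $($key.PSChildName)"
        $key.GetValueNames() | ForEach-Object {
            Write-Output ("   {0} = {1}" -f $_, $key.GetValue($_))
        }
    }
    return
}

$blogKey = Join-Path $weblogs $BlogId
if (-not (Test-Path -LiteralPath $blogKey)) {
    throw "Unknown blog id: $BlogId"
}

# Create the UserOptionOverrides subkey if this blog does not have one yet.
$overrides = Join-Path $blogKey 'UserOptionOverrides'
if (-not (Test-Path -LiteralPath $overrides)) {
    New-Item -Path $overrides | Out-Null
}

# Write the String value; -Force replaces an existing value of the same name.
New-ItemProperty -LiteralPath $overrides -Name $name -Value $format `
    -PropertyType String -Force | Out-Null

# Read the value back to confirm what was stored.
Get-ItemProperty -LiteralPath $overrides -Name $name
```

Restart Live Writer after the change so it reads the new setting.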

 

Hopefully they will fix this annoying bug very soon.

Email archiving UK law, regulations and implications for business

News & Gossip 1 Comment »

The use of business email has grown exponentially over a relatively short period of time, bringing with it the huge advantages of worldwide, cost-effective, easy and near-instantaneous communication. But as all those involved in the management of IT systems know, the growth in email usage has brought its own challenges.

Read more...

Firefox tops list of 12 most vulnerable windows apps

Jibber Jabber , News & Gossip 8 Comments »

Mozilla's Firefox browser has earned the undesirable title of the most vulnerable software program running on the Windows platform. Something that will probably dismay most web developers, as it is the browser of choice for most of them due to its superior debugging capabilities. I would imagine this is also a shock to most of you Internet Explorer haters as well, especially as IE is not even on the list.

According to application white-listing vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that suffered through critical security vulnerabilities in 2008.  These flaws exposed millions of Windows users to remote code execution attacks.

The other applications on the list are all well-known and range from browsers to media players, to VOIP chat and anti-virus software programs.  Here’s Bit9’s dirty dozen:

 

  1. Mozilla Firefox:  In 2008, Mozilla patched 10 vulnerabilities that could be used by remote attackers to execute arbitrary code via buffer overflow, malformed URI links, documents, JavaScript and third party tools.
  2. Adobe Flash and Adobe Acrobat:  Bit9 listed 14 flaws patched this year that exposed desktops to arbitrary remote code execution via buffer overflow, “input validation issues” and malformed parameters.
  3. EMC VMware Player, Workstation and other products:  A total of 10 bugs introduced risks ranging from privilege escalation via directory traversal, ActiveX buffer overflows leading to arbitrary code execution and denial of service.
  4. Sun Java JDK and JRE, Sun Java Runtime Environment (JRE):
    Inability to prevent execution of applets on older JRE release could allow remote attackers to exploit vulnerabilities of these older releases. Buffer overflows allowing creation, deletion and execution of arbitrary files via untrusted applications.  10 patched vulnerabilities listed.
  5. Apple QuickTime, Safari and iTunes: In QuickTime, the list includes nine vulnerabilities that allow remote attackers to execute arbitrary code via buffer overflow, or cause a denial of service (heap corruption and application crash) involving malformed media files, media links and third party codecs.  The Safari for Windows browser was haunted by three flaws that could lead to arbitrary code execution and denial of service involving JavaScript arrays that trigger memory corruption.  Apple’s iTunes software was susceptible to a remote improper update verification that allowed man-in-the-middle attacks to execute arbitrary code via a Trojan horse update.
  6. Symantec Norton products (all flavors 2006 to 2008): Stack-based buffer overflow in the AutoFix Support Tool ActiveX exposed Windows users to arbitrary code execution.
  7. Trend Micro OfficeScan: A total of four stack-based buffer overflows that opened doors for  remote attackers to execute arbitrary code.
  8. Citrix Products: Privilege escalation in DNE via specially crafted interface requests affects Cisco VPN Client, Blue Coat WinProxy, SafeNet SoftRemote and HighAssurance Remote. Search path vulnerability, and buffer overflow lead to arbitrary code execution.
  9. Aurigma Image Uploader, Lycos FileUploader:  Remote attackers can perform remote code execution via long extended image information.
  10. Skype:  Improper check of dangerous extensions allows user-assisted remote attackers to bypass warning dialogs. Cross-zone scripting vulnerability allows remote attackers to inject script via Internet Explorer web control.
  11. Yahoo Assistant: Remote attackers can execute arbitrary code via memory corruption.
  12. Microsoft Windows Live (MSN) Messenger: Remote attackers are allowed to control the Messenger application, “change state,” obtain contact information and establish audio or video connections without notification.

 

See Bit9’s full report (.pdf) for information on how the list was put together, including criteria for inclusion.

URL Rewriter for IIS 7.0

News & Gossip No Comments »

The IIS team at Microsoft has released another set of updated IIS Extensions this month, including the final RTW version of URL Rewriter. These Extensions offer additional functionality for IIS 7.0 while being fully supported and integrated with Windows Server and IIS. Learn more about IIS Extensions.

 

URL Rewriter enables Web server administrators to create powerful rules to implement URLs that are easier for users to remember and easier for search engines to find. By using rule templates, rewrite maps and other functionality integrated into IIS Manager, administrators can easily set up rules to define URL rewriting behaviour based on HTTP headers and server variables, or to perform redirects, send custom responses, or stop HTTP requests based on the logic expressed in the rewrite rules. URL Rewriter offers many benefits, including:

  • Easily define rules that match URLs or HTTP headers to generate more friendly and consistent URLs
  • Protect content and assets from unauthorized linking and scanning
  • Integrate with existing IIS features to improve management, performance and troubleshooting

 

Some of you may already have this functionality via ISAPI_REWRITE from Helicon Tech, which is based on MOD_REWRITE for Apache, and in fact version 3 now uses the MOD_REWRITE .htaccess file format so that settings are easily transferable between systems. So if you are already using this then the URL Rewriter extension may pale in comparison; after all, it is only the first release. But for those looking for a quick, simple and most of all FREE solution for URL rewriting, the URL Rewriter extension for IIS7 may be just the ticket.
