Please correct me if I'm wrong.. but in the era of Howard/LeBlanc and Howard/Lipner's Secure Coding and SDL books.... currently written software from Microsoft is indeed following their "best practice" guidelines.
 
(Which my only complaint with both books is that they are paperback and not hardbound and thusly when I throw them at crappy app developers like ... oh.. say.. I don't know....Intuit... the bruise on the head of the Dev folks there will be slightly lessened.... the SDL book so far is very interesting....)
 
Older software that they purchased .. granted that statement cannot be made...
 
And isn't your situation solvable with having on your patch test matrix a check box that says "ensure app data redirect is still functional"... and of course testing that patch before it's globally deployed?

Matt Hargraves <[EMAIL PROTECTED]> wrote:
I believe the reason they recommend against this is because all applications are different.  Another problem is that there is no guarantee that the application will remain the same.  Patches and updates can change more than just a file here and a file there, they can change settings such as these and trying to redirect the location for that data can end up with a situation where the application during an update is trying to pull your information from %userroot%\appname and it's really at a completely different location.

If all application vendors use MS best practices for programming, it would be great, but unfortunately not even MS always uses their own best practices.

Redirecting application data can work fine for months or even years, but then you get an update to an application and *bam* everything's broken and you don't really know why and you spend days (or worse, weeks) trying to figure out why everyone's broken and realize that your problem is that the application data is being redirected and that's the source of the problem.

Matt
