Category Archives: Opinion

What about Dynamics NAV and Meltdown/Spectre?

So how about Microsoft Dynamics NAV and the Meltdown and Spectre exploits? This is my analysis so far.

First of all, this is a CPU bug, a bug that enables you to access data from outside your current process, data that is either owned by the kernel or other applications. This means, that if you’re running any piece of non-trusted code on your machine, that code can read anything currently in memory. Passwords and other information is typically encrypted on storage devices but exists in memory as plain data. This is the problem as the Heartbleed exploit (OpenSSL) that enabled to read memory from an SSL process.

To exploit Meltdown or Spectre, you need some control of the binary code running.

In Dynamics NAV code gets executed in 6 different ways:

  1. C/AL code in the Classic Client. This code gets executed as “P-Code”, an intermediate language. There is no way to control the assembler generated. And between “lines of code” there are several other operations taking place, making exploitation of the CPU very hard.
  2. Win32 binary as an OCX controller or an Automation Controller called from either the Classic Client or the RTC (With RunOnClient Automation Controller). It is possible to have a Meltdown/Spectre attack inside an OCX or Automation Controller.
  3. C/AL code in the Service Tier. The C/AL is transcompiled into C# that gets compiled into IL, that gets Just-In-Time compiled into machine language. The code is still interjected with control structure between statements (for debugging etc.) making it quite impossible to control the assembler generated.
  4. Add-Ins on the Service Tier. An Add-In is a .NET assembly, that can include native code and more. It has the same problem as the Win32 binaries. It is possible to have a Meltdown/Spectre attack from an Add-in.
  5. Javascript running as Control Add-In in all the clients. There are already several examples of Meltdown/Spectre exploits through Javascript. So a Javascript based Dynamics NAV Control Add-In could carry an exploit.  Control Add-Ins can download javascript from external sources (the web) making this the most open attack vector.
  6. Custom code inside RDLC reports. This code still gets compiled through the entire pipeline making it very hard to control the machine language.generated, but in theory possible on an unpatched system.

So if you are using external code in the form of DLLs (OCX, Automation Controller, Add-In, Control Add-In) there is a technical possibility of hosting an exploit. You need to make sure, that you’re only using external components from vendors that you trust, and that the DLLs you’re running are unmodified. (*)

Microsoft has already patched Windows to prevent exploitation from Meltdown and Spectre, and Intel/AMD are working with hardware vendors to update the firmware. On an up-to-date system, these exploits would not work. If the system is patched, a “NAV born” exploit will not work.

If you’re running NAV on an unpatched system, my suspicion would be that NAV is the least of your problems.

My conclusion so far, Dynamics NAV does not require patching but needs to be running on a patched Windows. This is a good reminder to make sure that you know that code your ERP system is running on.

(*) To be sure, you need to think about protecting against a combined attack. If it’s possible through other exploits to patch the NAV DLL’s on the system, NAV could be hosting a Meltdown/Spectre attack.

Can you trust a NAV blog?

So, the other day I got an email:

We noticed that you run a nice blog at ******** would like to sponsor a post on your blog. We are willing to pay a onetime fee to insert a marketing message in one of your existing posts. An example message is: “Two useful technologies for working from anywhere – Cloud Desktop and Cloud SharePoint.”, with two dofollow links going to our websites.

I replied to them:

My blog is usually completely advertising free, so how much is a one-time fee?
How about me doing a review of some of your offerings instead?

They did not seems to like me reviewing their offering, that part got completely ignored:

I have been authorized a maximum of $40 USD for two permanent links on existing posts as per site/post stats. Please let me know if that can work out this time. you can send me your PayPal ID once you integrated the message and I will get this close today itself.
Post that we like:

I respectfully declined they offer.  But this got me thinking, how many blogs do sell advertising space on old blog posts to boost somebody’s PageRank? Have any of you accepted this? What’s your opinon on stuff like this?

What is acceptable advertising on a blog like mine?

I’m a WindowsOutsider

Today Microsoft released a new offering in the ever expanding universe called Office365, called StaffHub. This is great, looks like an awesome tool for keeping schedules.

But, and here is the kicker, there is only support for iOS and Android. No Windows10 client (UWP/Phone) support?

How can a platform survive if even Microsoft will not support it?

By still using a phone running Microsoft Windows 10 Mobile I’m now a #WindowsOutsider

I wonder if my old Nokia N900 still works …