Houston, We have a bug!

Houston we have a bug!
Originally published at PocketNow.com

Windows Mobile 5.0 has arrived with great new features, and as usual, we are getting new bugs.

    Owners of this new operating system for sure have noticed that every time they run an application for the first time, the OS warns about the “un-trusted” origin of the program. An application has to be digitally signed to be qualified as “trusted,” and in order to obtain this credential; the author has to pay huge amounts to Microsoft's partners in charge of this business. Microsoft's idea behind this diabolic mechanism is that the Electronic Signature serves as warranty to users that the program is free of bugs and viruses and designed to be used in devices that use Windows Mobile. Unfortunately, the amount of money required in this process is more than what the majority of freelancers can pay. And freelancer are 80-90% of all authors currently in the market. This is the main reason why users are asked by the operating system for permission to continue with the execution of programs.

    But this is not a major inconvenience. You are asked for the permission to run the application, and when you click yes, you are never asked again the next time you run the same program, because the operating system keeps track of the application name, size and time stamp of the executable. If any of these parameters change, you will be asked again the next time you run the exe if you authorize this “new” program or not.

    At this point, I'm sure you are asking yourself that what is wrong with this process? Well, with Windows Mobile 2003, Microsoft started to implement a new method to handle the creation of programs that are going to be used by people that speak different languages. The new method is called “Multi User Interface” or just MUI. And this is how it works: all labels that are shown in the different screens of the program are saved in a resource file with extension MUI. In that way, you can have a MUI file for different languages. In the name of the file you specify the language using a code. Let say that you have a program called EXAMPLE.EXE and an accompanying MUI file for English and a MUI file for Spanish. The MUI file for English has to be called EXAMPLE.0409.EXE and the MUI file for Spanish is going to be called EXAMPLE.040A.EXE. If you plan to distribute your program in Spain, let's say, you will include in your installation the EXAMPLE.040A.MUI file and your EXAMPLE.EXE. You can even include in your installation all your MUIs, and the executable and the operating system will use the MUI file according to the language used by the operating system installed in the device.

    The MUI files can be used too for a very different matter: if you have a program that was initially designed for a QVGA machine and you want to use it in a VGA machine, you can tell the operating system that this program is going to use the real resolution of the VGA Screen 480x640 by creating a MUI file with a HI_RES_AWARE flag on it. Thus, when the operating system sees the flag, it will not apply the so-called “double pixel” feature that makes possible to use programs designed for QVGA in VGA machines.

    Ok, but again, what is the problem with all this? What is Windows Mobile 5.0 doing wrong? Well, when you are asked to authorize an “un-trusted” program that use one of these MUI files and you have previously authorized it, the operating system apparently includes the name of the executable in its authorized list but it does not include the MUI. As a result, the executable can't see the MUI file and of course, it won't work in the expected manner.

    This bug is very easy to replicate in case you want verify my claim. I have prepared a tool called MuiTest.exe that can be downloaded here. When you run this program having the Security Prompt feature activated, you won't be able to see the yellow flower in the center of the screen (second image below).



Security prompt activated.


Same MuiTest.exe with security prompt deactived.



Here is the security warning dialogue.

    Is there a work around for this problem? Yes. Unfortunately the only way around the issue at this moment is through the deactivation of this security feature using the SetSecurity.exe program or having all programmers that use MUI files sign their applications with Microsoft. What do you think is easier?

    At this point I'm asking myself a simple question: Did Microsoft know about this problem and released the OS in an attempt to push freelancer to have their application signed? It's a possibility.