Slashdot Mirror

Well Mr six dig, RanDomCapS 'n' punctuationeer extraordinare - who can say?

Apparently someone called Timothy left their name on the article for all to see.

This: https://www.microsoft.com/technet/security/advisory/2501696.mspx

was posted 28 Jan 2011.

When did you notice the bug? - We'd all love to hear your insights on it.

Cheers
Jon

Hi MR AC! If you would have read TFA or even TFS (I know I know, but I got bored) you would see they provide a link to The MSFT "fix it for me" page for this problem. Just click on "fix it for me" run the fix it, and that's it. Don't even need a reboot.

I'm sending the link to my customers and family now, and since it makes a restore point before applying it is easy to undo if you need to, although with previous "fix it for me" tweaks that I've run the MSFT patch released later took care of the fix it tweak before applying the patch.

So I don't really see why you or anyone would complain about this one. They have a quick fix that is so simple your grandma can run it, and released the fix quickly to tide people over until they have worked up a patch. I don't see how they could have done any better on this, as a full patch will take time to test and rightfully so as you wouldn't want MSFT releasing patches that break apps and/or drivers and cause more pain than the bug would you? This is easy, simple to apply, and painless to deploy. I don't see how you can get better and the guy that came up with the "fix it for me" program really deserves a raise and company car, as it really has made these fast released workarounds painless for home users..

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems**
Windows Server 2008 R2 for Itanium-based Systems
Source: http://www.microsoft.com/technet/security/advisory/2501696.mspx
Appears to apply only to Internet Explorer

Would be nice to have seen these in the article...

http://support.microsoft.com/kb/2501696

This is not true.

"The Automatic Updates feature is not affected by the WGA validation check. Therefore, you can use the Automatic Updates feature to make sure that you receive critical Windows updates."

Only some updates are marked as "genuine only," and this doesn't include security updates (which are all critical).

Except of course the various reasons why that won't happen - MS would rather have people using Windows than get paid for all the copies[citation needed]; patches will be made for the shutdown trigger[citation needed]; oh and security patches still happen on WGA failing machines. (It's the 5th question down).

OK, so the last one isn't a reason why MS won't do what you suggest, but it is important because even invalid copies aren't left unpatched - that would be disastrous.

If you manage your company or institution's IT department, please do the following:

Step 1: Turn on "telnet" on your PC. (Of course you Windows, you're management, right?)
Step 2: Try to "telnet" to your company's website, or to any other machine or service names your underlings bandy about.
Step 3: If you don't see "Connection refused" every time, FIRE EVERYONE WHO REPORTS TO YOU.

Non-executables can exploit flaws in the decoder, for example if it has a buffer overflow letting you overwrite the application code. Perhaps the most famous is the GDI+ exploit in Windows where your computer could be taken over simply by watching a malicious JPEG.

For example the VLC project has a list of security advisories related to flaws in video files (videc codecs, audio codecs, demuxers+++). There are typically a few each year, not many but they're oh so ugly when it happens.

Some friends in Cairo would like to bypass some of the online censorship measures. I've quickly suggested some things (below) to consider overnight. What have I missed?

Anonymous connection:
No:
https://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking

But:
https://www.eff.org/https-everywhere/

Also:
http://www.hotspotshield.com/

And services like:
http://filesharefreak.com/2008/10/18/total-anonymity-a-list-of-vpn-service-providers/
but verify on the ground.

Only if they understand the tradeoffs:
http://www.privoxy.org/
https://techstdout.boum.org/TorDns/

Avoid random lists of anonymous proxies or DNS servers.

To secure the computer:
Use a popular boot disk that leaves nothing behind, e.g.:
http://www.ubuntu.com/desktop/get-ubuntu/download

Remove metadata:
http://owl.phy.queensu.ca/~phil/exiftool/
http://www.microsoft.com/downloads/en/details.aspx?FamilyId=144E54ED-D43E-42CA-BC7B-5446D34E5360&displaylang=en
and similar for other files they may deal with.

Delete/wipe files securely.

Many uses:
http://mailinator.com/
http://www.hushmail.com/

Consider:
http://www.disconnectere.com/
and its analogues

I've had some problems with text alignment and margins before*, so if you need to verify your LO-generated .DOC files, you can download and install Microsoft's free Word viewer. They only have the latest one based on Word 2007, but it should render 2003 files okay.

*This was four years ago, so I'm sure OO.o/LO has made improvements to the generating code.

The article is a little light on details, but am I right in thinking that people's session cookies were being sidejacked? AFAIK, despite FB not sending everything over https, the password is sent over https. So I don't see how a keylogger like approach would work to intercept the pw, unless the Tunisian government was smart enough to run something like Moxie Marlinspike's sslstrip where they did a MITM attack and sent unencrypted http traffic to the user and then stole their password.

The Tunesian government has its own certificate authority whose root certificate is accepted at least by Internet Explorer and Google Chrome. So they could run their MIM attack over HTTPS with a real certificate accepted by the client. This root certificate was pushed by a Windows Update (KB931125).

they don't seem smart enough

They seem to be smarter than you thought: They lobbied Microsoft to enable a hard to detect MIM attack. Against this kind of attack SSL is nearly defenseless. Even when facebook would switch completely to SSL and all users would check for this, the Tunesian government could succesfully run a MIM attack.

I was wrong, I looked at the cost of the UPGRADE license, which was ~$120. A license for a new copy is ~$200. Guess it will add _more_ than $100 to the cost.

VLK guidelines for government licensing will cause problems: selling the PC's to the public, will void the license; those PC's don't fall under the governmental licensing scheme anymore.

The requirements for VLK also differs from country to country, making a distribution nightmare.

Buying an OEM PC or Netbook also uses different licensing, as Microsoft partners with the hardware vendors, giving an even more reduced rate, in exchange for making sure that the PC's _DO NOT_ get sold with any other Operating System.

As someone from Microsoft who works closely with a team at HP building the actual appliances mentioned discussed here, I'd love more feedback on the HP Business Decision Appliance (HPBDA) mentioned here. The appliance is designed to support 80-150 concurrent PowerPivot users (doing what we call Self-Service BI) in a 1U server (24 cores/96GB memory) with all the storage required inside the appliance. The appliance is configured to provide backup storage initially. The HPBDA from cardboard box to production takes less than an hour to configure and the only pre-req is existing AD infrastructure.

Here are product details to learn more and an unboxing video which can help understand what we're talking about.

Considering it can take months to design and build one of these yourself starting from scratch (choosing approach/software/hardware/tuning/etc) we're hoping this enables many of you to deliver a very cool capability called PowerPivot to your own organizations with minimal effort because of this.

Look forward to hearing what everyone thinks.

Britt...

Like most research it's incremental. They do a lot in base computer science, publish a ton of papers, and seem to win a lot of awards for their research. You can read about all you want here:

http://research.microsoft.com/en-us/research/default.aspx

http://www.microsoft.com/licensing/about-licensing/how-volume-licensing-works.aspx

Get the PDF at the bottom of the page, third paragraph on page 8.

Why don't the PCs at your work have the free Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats installed?

I'm surprised they didn't just outsource their e-mail to Microsoft in return for a few little perks, as many colleges seem to be doing. https://www.microsoft.com/education/solutions/liveedu.aspx

Actually, the Word 97-2003 formats have already been publicly documented by Microsoft. OpenOffice and its forks can read these files; the formatting will sometimes be messed up, but if what you care about is the actual contents, you should be fine.

Yes, it's the programming language - one of the most well-known pure functional languages today, and also the one where most bleeding edge research on PL design topics happens, especially the stuff that has to do with advanced type systems.

(As a side note, it's rather surprising that a Slashdotter wouldn't know what Haskell is. It's one of those "not for everyone" geek shibboleth PLs, alongside Common Lisp.)

The language itself is an abstract standard with multiple implementations. GHC (Glasgow Haskell Compiler) is the most popular implementation - a native-code compiler with many advanced optimization techniques (as Haskell is pervasively lazy, compiling it to efficient code requires a lot of effort from the optimizer). It also goes beyond the Haskell 2010 language specification, and implements many language extensions, serving as a testing platform for future language evolutions (Haskell 2010 is essentially Haskell 98 + assorted GHC extensions).

GHC is also not a Microsoft project - it's an open source (BSDL), community-developed project with many contributors. However, its two lead developers - Simon Peyton Jones and Simon Marlow - who also happen to be driving further language development, are full-time MSR employees, whose primary job is GHC development. Occasionally, MSR interns are also directed there for one-time contributions.

Peyton Jones also participated in the development of the Haskell'98 language spec (though that was before he joined MSR), and was an editor subsequent revisions.

What's in it for Microsoft? Well, FP is emerging in mainstream software development in the last few years, and GHC (and Haskell in general) is essentially the testing ground for new ideas in that department. The interesting stuff is baked there, and then it's simplified, stripped down and fed to the masses as new language features in C# and VB, or libraries in .NET (e.g.: LINQ, Rx framework); but the underpinning theory remains the same. Another MSR guy, Erik Meijer, also involved in design of Haskell in the past, and later on in design of C# 3.0 and VB 2008, shared some musings on how it all works out.

Ok, how do you explain this then?

On Office 2007:

The 2007 Office system supports the ECMA-376 Office Open XML Formats standard, which was later submitted to ISO/IEC and was published in late 2008 as the ISO/IEC 29500 Office Open XML Formats standard.

And on Office 2010:

Office 2010 provides read support for ECMA-376, read/write support for ISO/IEC 29500 Transitional, and read support for ISO/IEC 29500 Strict.

My gut feeling is that this is just idiocy in government and someone without a clue wrote this particular requirement. If Microsoft was behind this then surely they wouldn't have asked for ECMA-376 because their current version of Office can't even write it.

That would be WriteConsole,actually.

But you still know that it's a Microsoft API because it's a function that takes 5 parameters, only one of which is the string that you want to print, and at least one of which is "reserved". ~

One word: Microsoft.

Yours In Anchorage,
Kilgore T., C.I.O.

Here's the details about the bredolab trojan from Microsoft's Malware Protection Center. The file is an .exe and affects all versions Windows 95 and up. There must be some old cruft in Win7 if the same exploits it and 95.

Streaming on my 360 is perfect. I really don't notice it.

Hmm, and do you think this might have anything to do with that?

Heh, hit a nerve there. My company is switching from 2003 to 2010 and we all sort of sit around Googling all day to unwind the ribbon. It's not that the ribbon is so bad, but the built-in help is horrendous. How hard would it have been to have a help section geared towards showing you how the old way translates into the new way? Maybe something as simple as a mock-up of the old interface, where when you select something it shows you how to do it the new way

There are interactive guides that provide you with the 2003 interface and show you where the equivalent command is in 2010, have a look here: http://office2010.microsoft.com/en-us/word-help/learn-where-menu-and-toolbar-commands-are-in-office-2010-HA101794130.aspx

Maybe something as simple as a mock-up of the old interface, where when you select something it shows you how to do it the new way?

you mean something like this?

Not even MS Office is able to write OOXML as in ECMA-376:

Office 2010 provides read support for ECMA-376, read/write support for ISO/IEC 29500 Transitional, and read support for ISO/IEC 29500 Strict.

(emphasis mine) [source: http://technet.microsoft.com/en-us/library/cc179190.aspx ]

Windows!

Yours In Osh,
Kilgore Trout

I hadn't heard about the MCSE ruling, so I looked it up:
http://www.microsoft.com/canada/learning/QuebecMCSE/default.mspx

Microsoft says Quebec is the only province where you can't use the term "engineer". They continue to use it in other provinces and in Quebec, they use MCSE but recommend not expanding the acronym. Pretty funny.

The real fact of thew matter is that the "Enterprise features" are not driven by the handset itself, but the backend management. And in this, Blackberry are going to have a world of pain as the backend is where ActiveSync phones are making IT staff lives much MUCH easier. You look at the average BES and then at now what Exchange 2010 can do and the featureset is very similar - Exchange wins because it's much easier to work with.

Lots of those nice ActiveSync features go away when using Windows Phone 7. You have to use an old device (Windows Mobile 6.5) to get all of them. At this point, I think even the iPhone supports more features than WP7...

Just because the naming convention uses the phrase "LikeWord95" doesn't mean you need the Word 95 source doe to implement it:

http://msdn.microsoft.com/en-us/library/documentformat.openxml.wordprocessing.autospacelikeword95.aspx

A little known fact is that starting in 2006, MS gifted its Vista and later OSs with Parental controls enforceable for non-admin accounts. It blocks DVDs, games and even has time-of-day restrictions (uTorrent-like-scheduler GUI) and website white-lists / blacklists (the latter has logging avaiable to any Admin account also), the same as any modern TV's for off-the-air TV in the USA.

The problem is that few people know or care to use these controls. Fortunately, you guys may benefit now that you know. I don't have Seven, and it rubs me the wrong way that the demo video I linked lacks the "Windows Web filter" button... they may have moved it elsewhere or "decided" we don't need this kinda power anymore.

If the site is broken and a list of downloadable alternative browsers appears, the user may not have privileges to install the program or to run the portable version. Only an administrator can install software to Program Files, and the so-called portable version can be blocked using Windows software restriction policies.

Lol, you have no clue, do you? A gaming library is a very complicated piece of software where a correct implementation is as important as a fast implementation. This means a lot of stuff that is very specific to the hardware on which the code will run. If it were this simple, a compatible implementation would already be there; the reason why it isn't is that such a library is full of nasty stuff like quaternions (http://msdn.microsoft.com/en-us/library/bb281611(VS.85).aspx) and worse. This means that to implement something like DirectX you need developers who are great developers capable of writing very low-level code that directly accesses the underlying hardware (be it CPU instruction sets or GPU operations) and good mathematicians who understand the mathematical nuisances of computer-approximated algebra.

There is exactly one DirectX in the world. If some other entity shows that it is possible to undertake such a powerful development effort without being a company that throws lots of money to the problem, then I will be very glad.

And OpenGL is a graphics rendering system, not a gaming library, so the two are not easily compared without taking into account a fuckload of input, audio, networking and loop/windows management additional libraries.

I like the latest version of Kubuntu. But that is a separate issue.

It is easy to demonstrate that Firefox has memory problems. Run the free Microsoft Process Explorer. Watch the memory required by Firefox climb, even when you aren't using Firefox. As soon as it climbs to the limit of available memory, Firefox and Windows both become unstable.

Open several Firefox windows, each with several tabs. That makes the problem more severe.

Firefox does not cause OS instability under Linux. Linux just throws Firefox out of memory, in my limited experience.

Hum - you do realize that already at this stage, IE is the browser with the most complete implementation of HTML5 and CSS3 right?

MS has actually contributed *most* of the compliance tests (the official ones, not ACIDs) and have disclosed where IE doesn't *yet* pass the tests. You can run those test yourself and see if your favorite browser passes *all* of them (or even more than IE): http://samples.msdn.microsoft.com/ietestcenter/#html5Canvas

I'm posting this using Chrome and that chart seems to be about right, i.e. only a few of the failed tests have been corrected even though this is Chrome 8.0.552.215 and the chart is from the Chrome 7 days.

globalCompositeOperation "destination-over" is shown as "fail" for IE. If you look at the chart - and do not cherry pick like the original poster did - you will soon realize that IE is indeed the browser which is *most* compliant with the *draft* spec.

What we have here is a biased author who cannot even hide his bias, cherry picking a few areas where IE fails and trying to blow them up as all-important and outright reason to reject IE and MSs efforts. And then he goes posting it on slashdot in order to instigate a good MS bash fest. Real class.

And FYI, here is the IE security bulletin that patched and disabled by default Gopher support:
http://www.microsoft.com/technet/security/bulletin/ms02-047.mspx

Hi there, thank you for the post. I just wanted to add a few observations on behalf of the Internet Explorer team.

Firstly, no browser offers a perfect implementation of the Canvas 2D API specification to date - we've documented and shared a few examples from our test suites here: http://samples.msdn.microsoft.com/ietestcenter/#html5Canvas

As has been well noted, the IE9 build tested was our beta.

Secondly, in response to the specific issues raised, Giorgio Sardo has posted a response on his blog here:
      http://blogs.msdn.com/b/giorgio/archive/2011/01/14/building-great-browsers-together.aspx

We'll update this entry over time.

Thanks for listening,

Tim Sneath | Microsoft Corp.

I didn't realize Windows could operate on a PowerPC-based system (X360)? I thought Microsoft abandoned that cpu sometime around windows 4.x (96).

They abandoned it for desktop systems (was it PREP or CHRP that they supported? I forget) but they didn't throw anything away internally. Different sources inside Microsoft have variously stated that each Xbox runs or does not run a Windows variant, but it's pretty obvious that both run Windows if you take a look at their software and by the fact that you can write one game codebase to run on both platforms and the APIs you're using are all hosted on Windows. The "scoop" per windowsfordevices is that Xbox 360's OS was derived from Xbox's OS, and Xbox's OS was derived from Windows 2000. But clearly it's still Windows NT.

However, I would be shocked if there were not substantial code-sharing going on with newer versions of NT, because at this point the game console is nothing more or less than a general-purpose computer with lots of hardware designed for graphics and running as few processes at once as possible. It would be foolish at best to not be working towards an entirely common codebase, and since Windows is now officially coming to ARM it's clear that portability is still a top concern in Windows-land. As we have seen with other operating systems, portability introduces significant problems but also pays substantial benefits. Linux's combination of portability and popularity make it essentially the only choice for someone who wants an operating system for "all" purposes (save the tiniest of embedded systems) today and obviously that means Google.

Google's goal is to deliver their content to everyone. If they make it easy to receive their content this will happen because they understand what makes the web great: great content. They connect you with great content and show you some ads and pick up some cash, ding! That's why Android is a winning proposition for them even if they never make a cent on it directly, even if the app store only ever pays for itself. The more eyeballs they get, and the more click tracking they do, the better the whole thing works. Microsoft can see the validity of this approach and has witnessed that the ARM revolution is coming whether they're a part of it or not. Intel had their chance with XScale but they were simply incapable of being competitive in that market one way or another. It could have been a lack of will for which they will pay dearly if they can not get x86 to where ARM is. I do not take it as a foregone conclusion that it cannot be done; I suspect that intel is incapable of doing it in OoO and will go with more cores instead.

Uh, but we're talking about Microsoft here, so here goes: Microsoft has been maintaining the portability of Windows, it is a key feature of the architecture. And Xbox 360's OS is the iOS of Windows 2000, except perhaps moreso. Let us not forget that Xbox stands for DirectX-box. It is a fairly precise hardware instantiation of Microsoft's gaming APIs to which developers may target games and sell them to people who won't pay $300 for a video card.

Probably the smartest thing Microsoft could do that would fit in with their general modus operandi is to introduce a Direct3D-light (ala OpenGL ES) and a lightweight GUI toolkit that ran atop it, for use in portable devices. The obvious operating system to run it on is an Xbox 360-like, stripped Windows. It appears that whatever it looks like, it will run atop ARM and x86 alike.

They recently changed the MSSE license to allow you to use up to 10 instances of it in a business for free. http://www.microsoft.com/security_essentials/eula.aspx

There is an old argument that public key cryptography is weaker than a private key system. In public key systems, one key is out there and inherently contains everything an attacker needs to decode a message. We rely on the security of the crypto system to ensure they can't do that. Contrast this to the SAME system where both keys are kept secret - the attacker now has zero information about the keys. It's a bit of weak argument, since we do rely completely on the cryptosystem, but being obscure on top of being effective does help a little bit. That said, I would argue that the mere existence of alureon.h should convince folks that at least one platform (that is closed source) should be avoided.

You can (and should) submit bug reports for IE9 directly to Microsoft. Complaining on your personal blog and hoping that the magic internet fairies will take care of it is less effective at getting the problem fixed.

HI MR AC, or may I call you coward? Apparently I know more than you do coward, or you wouldn't think 1+1=3. Allow me to explain in a way you may be able to understand. You have three browsers on Linux, we'll call them Web 1 2 and 3. Now Web 1 and 2 run as a normal user with normal user rights, whereas web 3 demands root to run and the ONLY work around offered is to make root look like a normal user would you HONESTLY use web 3 over web 1 and 2?

Because that is EXACTLY what you are advocating cow, because both IE and webkit are running and much lower permissions which thus minimize ANY possible damage that could be caused by any drive by malware when compared to Firefox. Since you obviously don't know anything about the subject, allow me to point you towards some reading material on the subject.

As for everyone else, please don't be as uneducated as cow here. Running an application directly exposed to the Internet while having to run third party code like a browser does everyday in a higher level of permissions than necessary is an EXTREMELY BAD idea and yes it IS punching a hole when you have a choice of running in low permissions or high permissions and choose high, because you are purposely exposing yourself to needless risk. If you really don't think that is the case cow, then why don't you explain to us here at /. why running as root is a good idea, hmmm?

Or, they can just do like Microsoft does with Xbox 360. XNA - enabling Homebrew directly on the retail console with the only rule being you can't stick it on a disk and sell it. You can stick it up on XBLA and sell it I'm told, once it's been peer-reviewed (which can't hurt, really. With the sort of folks that want to do homebrew, surely this is even consistent with the model they prefer!)

Requires an inexpensive annual subscription which also allows building apps and games for Windows Phone as well (some of which can actually be relatively easily ported, since XNA is a common framework to Xboxes and Windows Phones).

http://www.microsoft.com/About/Legal/EN/US/IntellectualProperty/Trademarks/EN-US.aspx

Yeah I know its proprietry, but the player is free

And cross-platform. We just got a big snowstorm here in Illinois, and when I went to look up road conditions, the page informed me that Silverlight is required -- and Silverlight won't run in Linux, nor will it run on any version of Windows prior to XP, or on an old Mac ( just acquired an old Mac a few nights ago).

The title of their page is Windows Phone home.

Just to add to this..

..the predecessor to DirectCompute was a little .NET library that came out of Microsoft Research called Accelerator which was initially available to the public in 2006.

..thats several years before CUDA (2008) and OpenCL (also 2008)

Microsoft has actually been the innovator on this one.

They probably have some ASP page refreshing in the background, to retrieve weather info or something like that...

Maybe they forgot about the VIEWSTATE and resend it at every refresh ... one of the biggest stupidities I ever saw: http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic9

At the old place I worked at, they had an internal website that had a 2 MB viewstate on a single page, this being used several times a day by about 80-100 employees.

You have a frankly racist outlook on the third world and a delusional outlook on Microsoft.

http://www.microsoft.com/presspass/inside_ms.mspx

Worldwide 88,414
USA 53,735
Puget Sound (Washington State) 40,371

Note that the 35k worldwide are distributed among many countries, including first world countries, and yes, including poor countries as well. For instance, Canada has about a thousand as of 2007. Many of the international people will be sales, marketing, and localization people.

Microsofties will read slashdot, sometimes they'll be angry at their own company (often a completely different division, just by virtue of it being so big that any given MS story will probably not involve some particular MS person), sometimes they'll think the rude slashdotters are being retarded again, often both, and sometimes they will just not care about the issue at hand.

Might as well ask "do Americans read Slashdot, hang their [sic] heads down in shame, [...]" after the vast majority of political stories that go down on this site.