Domain: microsoft.com
Stories and comments across the archive that link to microsoft.com.
Comments · 34,132
-
How this works
It took me a while to figure out how this exploit works, but I think it goes like this:
I have an application, foo.exe, that can make use of an optional system component (or 3rd-party DLL), bar.dll. I don't ship that DLL, and I can't guarantee that it will be present on every user's system. So to ensure that my program degrades gracefully, I open it with LoadLibrary("bar.dll"), and if it's not found I disable the features that depend on it. Since it's not my DLL, I can't speculate on where it's installed, so I use an unqualified path and let the loader do the searching (this is, after all, the job of the loader). This ensures that, as long as bar.dll is correctly installed on the system, my application will find and use it.
From an application developer's point of view, this is the right way to do things. If I did this on Linux or MacOS, it wouldn't be a problem. Unfortunately, Microsoft decided that the current directory (".") should be in the default search path (see http://msdn.microsoft.com/en-us/library/ms682586(VS.85).aspx ). It's even searched before $PATH!
Now the exploit goes like this:
1. On \\evilserver\evilsmbshare, I place a file foofile.foo, an extension which is associated with foo.exe. Right next to it, I create an evil version of bar.dll.
2. I convince the user to double-click on foofile.foo, causing windows to open foo.exe, with a current directory of \\evilserver\evilsmbshare.
3. If the user's system doesn't have bar.dll installed, Windows will eventually find my evil version of it at .\bar.dll and load it into the unsuspecting foo.exe.
4. My evil code runs and does whatever evil deeds I want it to.
If this is correct, then the decision by Microsoft to put the current directory in the library search path seems pretty braindead, and it's hard to blame application developers for assuming that LoadLibrary() will load a library in a sane and secure way. But I'm having a hard time imagining an application that would break if the current directory were just removed from the search path. Shipping DLLs in the application directory is common practice, but expecting them in the current directory? Why would you do that?
It seems that this exploit requires you to trick the user into opening a file from a filesystem you have access to, at which point you could probably just as easily get them to open a trojan directly. I think local privilege-escalation attacks are more probable (e.g. tricking a system service into opening your evil DLL).
-
Re:I look just like Buddy Holly
Still available on Microsoft's FTP here: ftp://ftp.microsoft.com/deskapps/games/public/AAS/Hover.exe
-
Re:Bland and inoffensive
Indeed. In 1997, I ran my Windows 95 box with a year of Uptime without needing to reboot it,
Sorry, I call bullshit. A known issue, fixed only in 1999, would prevent Windows 95 and 98 from going over 49.7 days of uptime (2^32 milliseconds). Much hilarity ensued back in the day since "how could anyone have noticed / run into this" :-)
-
Re:Application developers fault
Microsoft created a liberal dynamic library search path that allows (or even encourages) applications to not fully specify DLL locations. Now, after the fact, they publish this security statement saying not to use the dynamic library searching they documented previously. It is of course Microsoft's fault. They didn't consider security at all when loading DLLs, and now they are blaming applications that implemented the documented specification.
The bottom line is that Windows was never designed to be secure, it was designed to have the most functionality, and trying to patch every hole now is almost impossible. Generally, when code reaches this level of complexity and brittleness, it is often the best course to start all over. -
Application developers fault
This is actually faulty programming in applications, not Windows. Kind of like buffer overflows. It's what happens when you don't know what you're doing and aren't following secure coding standards.
Because application developers, not Windows, are to blame, Microsoft can't patch the operating system without crippling an unknown number of programs that run on the platform.
There are no reports of any Microsoft or default Windows applications containing the bug, so unless you have a specific third party app you're not vulnerable. Also, there is already a tool available from Microsoft you can use to block it from all applications, but some of the apps might obviously break.
To protect from stupid developers you would probably need something like selinux for Windows, but considering how much of a pain in the ass it is on Linux too, it wouldn't really work for all the casual people. However, moving applications from languages like C/C++ to languages like C# can help just like with buffer overflows. At least it provides an extra layer of security against clueless programmers.
-
Re:Linux runs on Windows
I don't follow your logic given that Linux runs on Windows.
His logic is sound - it's precisely why Hyper-V officially supports Linux as a guest OS.
-
Re:Meet the 4 stages
Microsoft Research pays people to work on Haskell and the leading Haskell compiler, GHC. GHC is licensed under the BSD license, which is "free" and "open source" by any definition.
To say this company has "never" helped open source is a bit extreme. Like any profit-making entity, it helps open source when doing so is in Microsoft's interest.
-
Re:Not too surprising?
Given that most corporate stances toward (or against) OSS tend to be about the old adage "commodify your complements", I would assume that MS is largely similar. Linux is a more or less unmitigated evil; because it provides a relatively easy migration path onto cheap x86 or A64 boxes for legacy unix guys, and the cheapest commodity web-serving platform, as well as doing pretty well cutting into WinCE's marketshare. On the other hand, if people want to run Drupal or something on IIS and Windows server, why would they complain? (unless it's to upsell them to sharepoint).
In point of fact, MS makes available a tool for automatically installing all of the following 3rd party webapps, largely OSS stuff, on Windows server/IIS. Commodify your complements... -
Re:Shared Objects / Dynamically Linked Libraries
You can choose to include certain libraries statically (so you include the binary code) or dynamically (so you have a reference to a .dll). You can also use the OS to dynamically load a library on-demand so that it is neither opened nor initialized until it is needed. For example, MFC has its own radio button in MS Visual Studio - do you want it static or dynamic? I believe the C runtime (msvcrt.dll) has the same choice but can't be bothered opening it to check. Plus, if it's only an estimated 40 apps, it might be something like zlib but less popular, so you can choose between static linking and building/supplying the .dll for it.
But that's not important. The SecurityFocus note for iTunes says "All a remote attacker has to do is plant a malicious DLL with a specific name on a network share and get the user to open a media file from this network location in iTunes." This suggests that you are replacing a dynamically loaded file with your file of the same name. To understand the implications read the following article. The short version is: if I name a file kernel32.dll and put it in the same folder as my application, previous versions of Windows would load my kernel32 instead of the operating system's. Only important files are protected, most files are not "known DLLs" and are handled differently but the idea is the same.
http://technet.microsoft.com/en-us/magazine/2007.01.windowsconfidential.aspx
http://msdn.microsoft.com/en-us/library/ms682600
There are certain files which will be loaded from the system always, instead of from the local folder. It appears that this bug has simply found a commonly used .dll which is not on the protected list, so no .local override is needed. Just put your malicious file in the same folder and it gets loaded.
iTunes advisory suggests it includes WebDAV somehow, but I don't think iTunes uses webDAV intentionally. So it must be something like the protected media player libraries (which should be protected) which always load something that's not on the protected dll list.
To answer your question: if an application depends on certain behavior, such as loading local .dll files without requiring a .local override, and this bug is fixed (the example I gave, regardless of whether it's the actual bug), the application will fall back into .dll hell and possibly break apps which expect specific versions of a library instead of whatever is in the system protected location.
Not that I know what the vulnerability is, I'm just giving an example based on the information available.
-
Re:What I suggest to people
If everything is running in kernel space, you've given up all the advantages of a microkernel.
Not when you use SIP.
http://research.microsoft.com/en-us/projects/singularity/
NT is a "hybrid" microkernel just like Darwin, which gets it the worst of both worlds.
Not according to Microsoft OS researchers, who said that NT uses a pure microkernel, like Singularity as well. And Darwin is not an OS, XNU is. Darwin is XNU + Apple's official compilation tools. When you download the Darwin package, you get the tools and the XNU OS, which is separated into the Mach microkernel, I/O Kit and BSD parts and so on. You can compile XNU with your own compilation tools if wanted, without Apple's. But you do not get it to work with the Mac OS X closed ABI then. You need to know the exact Darwin version to know how XNU was compiled.
DragonFly has message passing tacked on, but isn't a microkernel as far as I'm aware
It has a microkernel, just done a different way than the original idea of implementing the Server-Client architecture. There is no such thing as "hybrid" in scientific terms, only in marketing.
L4Linux might be interesting if they aren't just using it as a hypervisor, I'll have to look into it.
The idea is to run the Linux OS on a VM (which L4 would be) and thereby achieve a faster way to load the Linux OS when it crashes. It is an interesting idea but does not really solve any problems which a monolithic OS can have (!can!), which is the reason the Server-Client architecture was done in the first place. The OS still runs in L4Linux as monolithic, just in user space. So it can help with server downtime when the OS crashes, by a few seconds.
http://www.usenix.org/publications/login/2006-04/openpdfs/herder.pdf
-
Re:Shared Objects / Dynamically Linked Libraries
Because it's an API change.
If you read the linked description, it says that the problem relates to opening files from remote places. With some Win32 API knowledge, you can derive that the problem is:
- DLL loading looks into the process working directory for DLLs (i.e. getcwd())
- Some applications change the working directory to the place where the files they attempt to open reside
- If the malicious actor places a DLL in the same directory as the file to be opened, they can win the race against the application's expected DLL directory loading path.
The fix, then, involves either 1) not changing the working directory, or 2) calling SetDllDirectory to remove the working directory from the search path, or 3) using SafeDllSearchMode and making sure the DLL is in one of the places before the working directory.
All of these require changing the application. If you just change the DLL search path (by removing the working directory), applications which expect the old, documented search path might fail to find the DLLs they were looking for (perhaps they explicitly changed the working directory to load the DLL, and weren't trying to load a remote document in the first place?).
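The search order these comments argue about, as an added example that is not part of any comment on this page: a Python model of the documented Win32 DLL search order (application directory, system directories, current directory, PATH), with SafeDllSearchMode deciding where the current directory sits, KnownDLLs always resolving to the system directory (the kernel32.dll case in the "Shared Objects" comment), and SetDllDirectory("") removing the current directory (fix option 2 above). It does not call the real loader; the directory names, the share path, the file names and the function names are constructed for the example.

```python
"""Model of the Win32 DLL search order discussed in these comments.

Nothing here touches a real loader: it reproduces the documented search
order so that the effect of SafeDllSearchMode, the KnownDLLs list and
SetDllDirectory("") can be checked offline. Directory and share names are
constructed for the example.
"""
from typing import Dict, List, Optional, Set

APP_DIR = r"C:\Program Files\Foo"            # directory of foo.exe (constructed)
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows", r"C:\Tools"]
SHARE = r"\\evilserver\evilsmbshare"         # cwd after double-clicking foofile.foo

# A few entries from the KnownDLLs list; the loader always takes these from
# the system directory, which is why a planted kernel32.dll is ignored.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll"}


def _join(directory: str, name: str) -> str:
    """Case-insensitive path key, since NTFS lookups are case-insensitive."""
    return (directory + "\\" + name).lower()


def search_order(cwd: str, safe_search: bool = True,
                 cwd_removed: bool = False) -> List[str]:
    """Directories LoadLibrary("name.dll") tries, in order.

    safe_search: SafeDllSearchMode (the default since XP SP2) moves the current
                 directory from 2nd place to after the Windows directories.
    cwd_removed: the effect of SetDllDirectory(""), which drops the current
                 directory from the search path altogether.
    """
    system_dirs = [SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    cwd_entry = [] if cwd_removed else [cwd]
    if safe_search:
        return [APP_DIR] + system_dirs + cwd_entry + PATH_DIRS
    return [APP_DIR] + cwd_entry + system_dirs + PATH_DIRS


def resolve(dll: str, files: Set[str], cwd: str, safe_search: bool = True,
            cwd_removed: bool = False) -> Optional[str]:
    """Path the loader would map for `dll`, or None when it is not found
    (the graceful-degradation case described in the "How this works" comment)."""
    name = dll.lower()
    if name in KNOWN_DLLS:
        return _join(SYSTEM_DIR, name)
    for directory in search_order(cwd, safe_search, cwd_removed):
        candidate = _join(directory, name)
        if candidate in files:
            return candidate
    return None


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Two constructed filesystems: bar.dll absent, and bar.dll installed."""
    planted = {_join(SHARE, "foofile.foo"), _join(SHARE, "bar.dll"),
               _join(SYSTEM_DIR, "kernel32.dll")}
    installed = planted | {_join(SYSTEM_DIR, "bar.dll")}
    return {
        "optional_missing": {
            "default": resolve("bar.dll", planted, SHARE),
            "cwd_removed": resolve("bar.dll", planted, SHARE, cwd_removed=True),
            "known_dll": resolve("kernel32.dll", planted, SHARE),
        },
        "installed": {
            "default": resolve("bar.dll", installed, SHARE),
            "unsafe_mode": resolve("bar.dll", installed, SHARE, safe_search=False),
        },
    }


if __name__ == "__main__":
    for scenario, outcomes in demo().items():
        for label, path in outcomes.items():
            print(f"{scenario:16} {label:12} -> {path}")
```

The "optional_missing" scenario is the situation in the "How this works" comment: SafeDllSearchMode does not help when the DLL is absent from every system directory, because the current directory is still searched before the loader gives up, so only removing it from the search path (SetDllDirectory("")) or loading by fully qualified path turns the planted copy into a plain "not found". The "installed" scenario shows what SafeDllSearchMode does buy: once bar.dll exists in the system directory it wins over the current directory, whereas with the mode off the current directory is searched first.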
-
Re:To appease the most visitors with ease
I guess so...can anyone comment on the jokeyness of the Mac version?
Seems to work OK from my perspective. I have to dabble in Silverlight as part of my job. Full disclosure: I don't own a Mac except for the one that I used as a home file server running Linux. The boss and most of his superiors do, and they haven't complained about it not working for what we use it for (Streaming media), of which we serve quite a bit.
I'm fairly certain all the DRM stuff works in it (We don't use it), and there are some things that can't be used (because of the way safari deals with plugins, which I've had to write around), but I'd say probably 90%+ seamless with the Windows version from my limited perspective.
As an aside, I *do* find the following two things amusing:
No 64 bit version yet for anything. More annoying than amusing, but still amusing.
Microsoft's own internal group that's developing their new Flight Sim (Flight http://www.microsoft.com/games/flight/) didn't use it for their promo website. THAT'S a huge laugh.
-
Re:Browser as Gaming Platform
[citation needed]
IE9 passes ACID3 test. http://ie.microsoft.com/testdrive/benchmarks/Acid3/Default.html - here it passes 95 of 100 tests. It now passes 100 of 100, but I'm too lazy to google the announcement.
What else do you need? HTML5? IE9 has it: http://ie.microsoft.com/testdrive/
-
Re:Which one should you choose?
Why question what they'll support in the future when you can see the support today? http://ie.microsoft.com/testdrive/Default.html Looks like their HTML5 is pretty damn good.
-
Re:Holy cow
They intend it to be used for home use only and the EULA says
"Use. You may install and use any number of copies of the software on your devices in your household for use by people who reside there or for use in your home-based small business."
Whether that's enforceable I don't know, but it also lacks central management tools that Forefront has which corporations would look for.
Microsoft's security products have a good track record for detection, low overhead, and it's a relatively "trusted" brand. Free offerings like Avira or Avast! are good, but some people are afraid of them because they've never heard of the company before.
Unfortunately antitrust stuff prevents them from bundling it with the base OS, so we'll continue to see demos bloating up preinstalls, demos which will expire and provide no protection.
-
Re:Alien Versus Predator
Your alarm is going off. Derp.
-
Re:Convenient
I don't have that kind of time. Here's one.
http://www.microsoft.com/technet/security/Bulletin/MS10-054.mspx
Microsoft acknowledges that it affects Windows all the way back to XP SP3 but I'd bet my lunch money it affects SP1 also.
-
Ad hominem
Here is a novel idea: Stop misrepresenting what actually happened and stop ad hominem attacks questioning posters' motives.
Microsoft took five weeks to prepare the Ormandy patch. During that time, they made no comment - there was no transparency into whether or not it would be fixed.
They made no comments? Did you actually look or did you just assume?
- Tavis Ormandy reported the issue June 5th (a Saturday). He wanted MS to commit to a 60-days timeline.
- Tuesday (a busy patch Tuesday, no less) MSRT get back to him and say they can present a schedule the upcoming Friday, June 11th (which is less than 5 workdays after the bug report).
- Not good enough for Ormandy; he goes public immediately, Wednesday June 9th, on the 3rd workday after reporting the bug
Now to your claim that they "made no comments":
- Microsoft blogs about the issue June 10th: http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx
- June 10th Microsoft makes another blog entry on the issue (2nd that day): http://blogs.technet.com/b/msrc/archive/2010/06/10/security-advisory-2219475-released.aspx
- June 26th, Microsoft updates the blog entry from June 10th: http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx (scroll down for update)
- June 30th, Microsoft reports on how code similar to Ormandy's PoC code is used in attacks: http://blogs.technet.com/b/mmpc/archive/2010/06/30/attacks-on-the-windows-help-and-support-center-vulnerability-cve-2010-1885.aspx
- July 16th Microsoft releases a security bulletin: http://www.microsoft.com/technet/security/advisory/2286198.mspx.
- August 2nd Microsoft updates the bulletin from July 16th.
Hardly a "no comments" approach. If you click through those posts I think you'll find them smack full of info. And I've even excluded their communication on the preliminary "fix it" tools.
Admit it. You are biased, but not classy.
Like your misrepresentation and ad hominem demonstrate more class?
It seems to me that it is indeed interesting that this fix was 2 months in the making (responsibly disclosed). And that is only measuring the time until the kernel had been fixed. Now the distros would have to pick up on it and perform their own regression testing, prepare packages/updates etc.
GP did raise some really interesting questions. For some reason you chose to disregard them right away and go straight for the man's posting history.
Will you be publishing stats on my posting history as well? Am I a shill, too?
-
Re:...And one generation behind on HTML5
In theory they can. However, Mozilla has spent a lot of developer time and money on making their own engine, which they believe in.
These benchmarks showed Chrome's JS engine is TWICE as fast as Firefox 4's engine.
http://ie.microsoft.com/testdrive/benchmarks/SunSpider/Default.html
That being said, Firefox's JS engine is getting faster and faster all the time. I assume they don't want to walk away from what they know.
-
Re:GPU Graphics Acceleration
Indeed, after enabling the Direct2D stuff in the current Firefox nightly, MS's Psychedelic demo runs nice and zippy, slightly faster than on IE9 but without sound. (Without the configs set, it runs nice and not-so-zippy: 162, versus 1774 on zippy mode,* for the color wheel on mine.)
So yeah, render speed won't be a problem for FF, especially if they iron out remaining bugs and move the settings out of The Config Page That Might Void Your Warranty.
*If private browsing is porn mode, I say GPU'd browsing is zippy mode. Whoever manages to port The Guardian Legend to canvas or SVG better assume zippy mode unless they want to make a slideshow of those scrolling corridors...
-
Broken Link Fix
A correct link for the article above is here.
-
Re:Proves that certs are useless in the real world
Etisalat is not in IE, Firefox, Opera, etc., but just devices managed by Verizon. But your point is still valid. CNNIC is in them all, and IMHO is not to be trusted.
What's worse, unless you disable automatic Root Certificate Authorities, Windows XP SP2 and other versions automatically add them back in when there are updates, even though you deleted them. With Vista, you cannot even delete some Root CAs.
Some criticisms here.
-
Re:google chrome
Why not use google's javascript engine. Isn't it the fastest? Open source too...
Actually, it looks like Opera is *still* faster than Chrome, even the nightly builds. Consider the data on this page (last updated a week or so ago). Yes, it's focused on IE9, but MS has no reason at all to try and make Opera look better than it is. http://ie.microsoft.com/testdrive/benchmarks/SunSpider/Default.html
-
Re:Not a useful comparison (yet)
Maybe even IE9, if it doesn't skew the Y-scale too much.
Last I checked, IE9 was faster than Firefox 4 beta by a substantial margin, and has in fact also passed Safari 5 (WebKit-based, of course). Chrome and Opera are still very slightly ahead, but not by much.
http://ie.microsoft.com/testdrive/benchmarks/SunSpider/Default.html
-
Re:Well if their website is any indication
...And documentation where trying to figure out the class hierarchy of OO libraries is an exercise in frustration. Compare these two: Typical MSDN page (scroll down to Inheritance) and a typical Qt documentation page.
The Qt page has members, methods, properties and general description on one nicely formatted page, along with derived and parent classes. Also, functions are organized into groups and the entry for each function has "see also" links to other similar functions.
The MSDN page on the other hand, has no ref links for easy navigation or linking, a useless set of declarations for that class in various languages, no explanation of the components of the class being described, and no members list (you have to go to another page for that). The members list in itself is equally bad: it's just a long list of members, with no grouping or indeed, any ordering beyond breaking it up into properties/methods/events.
Honestly, when working on Windows, I wish I had something like man pages!
-
Re:What am i going to do with that dynamic type no
We still have ExpandoObject, so you can pretend that you are actually writing in JavaScript when using C# 4...
Anyway, even if all (including third-party) dynamic languages targeting CLR suddenly go away, "dynamic" is still immensely useful for COM stuff alone.
-
Re:Getting screwed in both directions
JDBC is a solid database library (unlike Ado.net)
JDBC has an API that is horribly designed. One only needs to look at Statement and PreparedStatement - where one derives from the other, but they actually work very differently. Can you explain what the inherited PreparedStatement#execute(string) is supposed to do?
java.util.concurrent
TPL and PLINQ (and Java doesn't even have anything as high-level as the latter).
simpler, stabler language without a lot of needless features
That one is purely subjective. On one hand, a lot of people seem to want some features for Java that have been in C# for ages (such as properties or lambdas). On the other hand, another lot claim that e.g. generics are "needless", and I recall that before 1.5 that same lot also claimed that first-class enums are "needless"...
checked exceptions (better type checking)
more libraries (from Sun, from apache, from jboss, spring, etc..)
I love how this goes together. Maybe you should go tell Spring guys about the wonders of checked exceptions...
defacto language standard
As opposed to an ISO standard?
G1 garbage collector and a bunch of other fancy GC options
Matched in .NET 4.
Camel case is not broken in Java
Define "broken", and provide references as to why your definition is more correct. Or else admit that it is another subjective preference on the order of "how many spaces in a tab".
Javadoc format much more readable than .Nets
I'll grant you that, though it requires a separate special parser. For C# and VB doc-comments, the compiler just extracts them as-is into an .xml file alongside the compiled .exe/.dll. If you use any custom XML elements, they will be extracted as well. Then you can use your own tools to process the .xml file as you see fit - and they don't need to be just document generators...
escape analysis and automatic allocation to the stack
Largely unneeded in .NET due to the presence of value types in the type system, which are allocated inline all the time (as opposed to escape analysis, which still gets things wrong more often than not).
-
Re:Security innovation
He's referring to low integrity processes. It's only really exposed in the Windows API. But you can start a low-integrity process two ways AFAIK:
1. Modify the image header. icacls notepad.exe /setintegritylevel low It will always start with the new privileges set from now on.
2. Do runas /trustlevel:0x10000 notepad.exe to start it at whim with low privileges.
Here's a screen capture of what happens to the latter when you try to access the user's desktop: http://i38.tinypic.com/wbs1vo.png. -
Just ADO.NET and report makers?
"... SQL Server 2008 (the core has a dependency, while the additional services are also largely .Net based these days, including Reporting Services)."
Does just a minor part of SQL Server 2008 use .NET, such as ADO.NET, or are there large parts of SQL Server programmed with .NET? -
Re:So... is this different from Linux KVM w/ KMS?
I'm sorry, but this post and the blog post are extremely inaccurate, and I hesitate to say flat-out wrong. EXEs are never relocated unless mapped via LoadLibrary (a debugging technique only). All code (DLLs and EXEs) is system shared with copy-on-write memory mapping. If a DLL is relocated, what typically happens is that the .reloc section is copied to the private address space and rewritten. All other binary sections should remain shared (I believe; IAT rewriting should only happen once globally). Additionally, most (all?) Microsoft DLLs have unique base addresses to minimize the potential relocations. -
Re:All problems have an easy incorrect solution.
Um, user-initiated file downloads are not and should not be redirected. There is also no reason whatsoever to hook the import table of a shell-executed[1] process such as OOo; it's not a child process and should not be treated as such. People aren't complaining about launched apps, but rather plugins masquerading as embedded apps (Flash, WMP, etc). This is a solved problem and a solid proposed (half-)solution.
[1] ShellExecute(Ex) - http://msdn.microsoft.com/en-us/library/bb762153(VS.85).aspx
-
Re:It's no worse than Update Manager
Exactly! In fact, even when the update service is disabled, Windows 7 connects to www.msftncsi.com, just to check the connectivity, but Microsoft admits that they record the IP address.
-
Re:Nothing to do with Intel or Microsoft?
Microsoft has 90,000 employees
90,000 (89,500 actually) is the total head count all over the world, though, not just in US. Of those, only 53,600 are in US. Source.
I suspect similar arithmetic needs to be applied to the Intel figure you quoted.
-
Microsoft's TrueSkill beat Elo before this comp
I believe the algorithm used by Microsoft to match players for X-Box games was already beating Elo before this competition. They have a description of their algorithm at http://research.microsoft.com/en-us/projects/trueskill/
-
I can see why it's such a surprise...
After all, it's not like other ideas haven't already been created in the meantime to address Elo's perceived shortcomings, right?
-
Re:Adobe Strikes Back!
They may have stopped in later versions (my job description requires supporting XP, and you have to pay me to care about Windows, so that is where my knowledge lies), but MS included Flash in XP. It is version 6, because base XP is older than dirt, but they did include it.
More relevant to modern readers, most OEMs seem to ship consumer-focused systems with vaguely up-to-date-but-just-a-bit-behind versions of Flash (and Acrobat Reader, and other stuff). This isn't strictly Microsoft's fault, but it is what you are likely to get out of the box. -
Re:Not only that, but
That certainly depends on what the Sony recovery disk includes.
The OS X install DVD only installs OS X and its base applications. There are no bundled 3rd party fluff applications etc. The only 3rd party stuff on it is drivers.
True, it is married to that particular model (i.e. the disk for a late 2009 MacBook Pro 15" is unlikely to work with a late 2008 MacBook Pro 15"), but at least you can use the bundled DVDs to get a completely clean install (including drivers though).
That being said, the full retail version of OS X 10.6 is cheap compared to Windows 7: 29 US$ (49 for 5 licences) vs 199 US$ for a single user license for Windows 7 Home Premium.
-
Re:Thumb Drives
You can do this yourself.
WinPE/BartPE will run from a thumb drive, for example.
http://lmgtfy.com/?q=windows+7+install+from+thumb+drive
http://technet.microsoft.com/en-us/library/cc709665(WS.10).aspx
There are also many complete bootable media images (liveCD/DVD and USB) with recovery and other progs available via the pyrate sytes that you can copy for examples.
-
Re:It's down to the cost of one disk?
That's how close we're watching costs these days?
No - this is part of "encouraging" people to buy a new PC instead of fixing their old PC. Today, I am finding people that are throwing away dual and quad core PCs because the repair costs are so high.
Microsoft go out of their way to ensure that refurbishers can't just reinstall the original version of Windows. They make it difficult for consumers to reimage their PCs easily.
If they did that, who would buy a new PC?
Exactly why I've started a business picking up these "bad" machines, doing a refurb on them, putting Ubuntu on them and selling them.. Makes a nice tidy second income...
-
Re:Ah the joys...
I'm sure if you look at the HCL http://www.microsoft.com/whdc/hcl/default.mspx you'll find that including a driver on a CD doesn't magically add a piece of hardware to the list.
-
Re:Ethically wrong, but probably not legally...
May I recommend Steady State (if you're using Windows).
You can set it up with a point in time and set it to restore the original at reboot, and it actually works very well. It's specifically designed for use on kiosks and things of that nature.
I like it because you can set it to allow/apply windows updates and virus/custom updates and not have to make a new image...