Weekly Microsoft Critical Security Issue
An anonymous reader sent in linkage to a zd story discussing the latest Windows Security Patches including an especially nice hole letting Java apps gain total control of your machine and assist you in reclaiming disk space by, say, reformatting your drive.
... that my Java skills can be used for evil, rather than good. ;-)
Yawn.. yet another security hole. FIRST thing in the morning. What am I supposed to POST?
Bring on some news please..
Which virtual machine is it that caused this? The one before or after Microsoft added their own extensions? (which caused the whole MS-Sun lawsuit)
Suicide Booth: You are now dead! Thank you for using Stop and Drop, America's favorite since 2008.
OK, so I hate MS for building unsafe software. But this time, I have to give them credit. I woke up this morning to my computer telling me that there was a critical update waiting to be installed, and it was this one. I read about the vulnerability on the web *after* installing the patch, so I am kinda glad that MS shoves updates down my throat.
That'll work out great. I just downloaded the RH9 ISOs.
Couple of remote roots in Samba, a local ptrace in the kernel and a few OpenSSL probs to get you on the system initially.
Oh, you mean the vulnerabilities that I've already patched?
Forget the whales - save the babies.
They don't run sendmail! Can you imagine having to keep up with patching Windows AND sendmail?!
Doesn't it seem just a little strange that the Java VM, which MS removed from XP until it was forced to reinclude it by court order (still under appeal, I believe), has a critical security hole found?
The timing seems a little too good to be true...
Good thing Microsoft JRE is so broken that all exploits ended up not working!
Write once, debug everywhere.
Ok well Linux users have been hammering on the "Windows is insecure" thing for what -- 6 years now? And Windows' market share is as good as it ever was, perhaps even a bit better. Time to try a new strategy? This one is getting boring!
In the second paragraph:
The three warnings, all issued on Wednesday, involve the Microsoft Virtual Machine for running Java applets on Windows
So it's Microsoft's VM implementation...
So? Does this mean that they have found Java applets on the web that actually are not intended to be malicious?
More *bad* flaws in winblows!!
Mo money for me! Everytime this happens I go out and patch up my customers. Cha-ching, cha-ching!
And I always offer and *suggest* that they go with Linux but they are *afraid* of change.
They would rather live in fear and subservience than live in security freedom...
Go figure..
I don't agree with the intention of the message. While it is true that this bug allows the execution of commands, it does this only with the rights of the owner of the user account. In Unixian, this is not a remote root exploit.
Nevertheless, my last sentence becomes quite irrelevant, as Windows users tend to work as $root.
/* sarcasm */
Finally someone wrote something to get rid of all that spyware that's installed itself on my system! Thank you MS!
As tiring as the updates are, it's even more tiring to hear the same old whinging about MS.
Just curious. I mean, if the intent is to inform.
Geez guys, why can't you go a day without publishing anti-MS crap! Don't you think that if this were really a problem that people'd be aff.... K(R*AB(*D [NO CARRIER]
One of the vulnerabilities in the VM if exploited could allow your hard disk to be formatted. Well, that takes care of that problem.
Open source development is my way of competing with the low-cost programmers in India...
So I now have two options.
* Let baddies in at their will.
* Run Windows Update, expose my machine to Msoft, sign away my soul through the patch EULA.
Help!
YUO = TEH FUNNEY!!!!!!!!!!!!!!11!!!!!!!!1111111 LOLOLOLOLOLOLPENIS
From the office of Iraqi Information Minister Mohammed Saeed al-Sahhaf (aka Baghdad Bob):
"Lies, all lies! The infidel Linux computers are not secure. The coalition will fall in the wake of the mighty secure Microsoft operating system!"
More at 11.
Karma: The shiznight, mostly because I am the Drizzle.
Bill? Is that you?
Hence java support not being built into XP?
We should ask a MS rep whether the java thing was actually to help clamp down on their monopoly, or if it's merely a result of their unwillingness to implement it securely.
"I'm sorry sir, but we don't make and/or sell coffee."
As the main post points out, this is pretty much a weekly news release from Microsoft. It's interesting because in some ways I get surprised by the severity of the bugs, such as allowing a huge hole in the Java VM that would allow someone to format your hard drive, or a bug in Proxy Server that would allow a single malformed packet to max the CPU at 100%. On the other hand, I'm surprised Microsoft doesn't have more of these bugs.
I think this is where the philosophical differences of Open Source Software really make a big difference. Even though OSS still has bugs, the live testing cycle is unparalleled. However, I think the biggest difference boils down to this: there is no one saying we have to have this product out the door by XX date. Rather, it becomes stable when it's ready, but you can use the development version if you need or want.
As the lines of code in software grow and the complexity increases, I think we will see a greater number of more severe bugs in closed source systems. Ultimately I believe this will be one of the critical factors leading to OSS's long term success.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
That's applets, not apps, as in applications. Applets are supposed to run in your web browser's "sandbox" and not have access outside the browser to any system other than the one that it originated from. Applets can be signed and granted greater access.
Applets are under no such restrictions and can do what they want.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
Big difference. Apps have total control by default, while applets are supposed to be harmless.
I can honestly say that it baffles me as to why Microsoft continues to hold such a huge stake in most of the computing world. I don't understand why people continue to digest what is carelessly tossed out of Redmond, WA.
I can understand the need for an array of software unavailable on any other platform (though, what percentage of that software is actually GOOD software?), and the platform standardization issues, maybe even "ease" of use, but honestly, the security and ridiculousness of the MS platform, ideology, and disregard of standards make me sick.
What is the continuing allure? Do you really not mind running machines that are completely insecure? And how can they not fix their own NT 4.0 code? That's absurd. They pitch this solution for years, and bail when the cost to fix their crap gets too high.
I'm not trolling, I'm baffled. Someone tell me why this continues?
It's only when we've lost everything, that we are free to do anything...
"...and assist you in reclaiming disk space by, say, reformatting your drive."
Well, that takes care of the wicked-long step 1 in uninstalling windows and installing linux!
That is, of course, if this vulnerability affects the version I'm running - Windows Herpes Edition.
How are you going to keep them down on the farm once they've seen Karl Hungus?
Let me save many of us some time:
"Well here we go again. A gaping security hole in Microsoft [ Operating System ]. This never would have happened if Bill Gates weren't just trying to make more money so he could buy more [ plural noun ] to fill up his mansion in [ place ]
This is just one more reason why [ circuit court ] should [ verb ] that [ expletive ] company once and for all.
[ Unix-based operating system ] only had this problem [ number ] in its entire history, and there was a patch posted in under [ number ] minutes!
[ Text-based word processor ] rulez! Micr- [ Insulting variation on 'soft' ] is the [ Traditional evil deity ]!"
-----
Believe me, I'm as surprised by my comment as you are.
see, this is why i print out all of the data on my hard drives in binary every weekend.
Given their past record, the fact that M$oft considers this "critical" implies that one of the following is now extremely likely:
-- If it isn't broken, you haven't let my users have a crack at it yet --
One more of those bugs which can crash your computer because you viewed a webpage. The irony is that the update link tries to do an update through a webpage, i.e. you connect to the MS website and it checks your computer through IE and does an update (it does give me a warning though).
When will Microsoft (and others) understand that browsers are HTTP clients and not meant to be used as a means of running arbitrary code on a client machine, however secure it might be. The least you can do is to tell the client that code is being run on their machine.
.ACMD setaloiv siht gnidaeR
says it all.
Linus? Is that you?
<reality check>
Until someone actually writes a massively spreading virus/worm that jumps from Windows PC to Windows PC doing precisely that (formatting hard drives), people are just going to patch it and not even think about changing OS.
Hell, most people probably won't even patch it. What doesn't affect them, they don't care about.
</reality check>
Well, it is now officially Thursday. As I've said before, I think there should be an
Official
So
Happy
It's
Thursday for announcing MS holes.
"...assist you in reclaiming disk space by, say, reformatting your drive." I've been looking for a good disk partitioning tool, and along comes Microsoft to help me out. Anyone know if a Linux port is in the works?
My Red Exclamation Mark has been lighting up much more frequently in the past couple months than my Automatic Update Icon.
Just an observation.
obviously no deficiencies vs. no obvious deficiencies
So maybe requiring MS to ship the OS with a JVM is a really bad idea! Of course their JVM has always sucked anyway; better to get the latest JRE from Sun. I'm sure M$ will blame Java rather than their own incompetence for this. MM
...at least they're down to one a week now.
Schnapple
OK, I am sure there are intelligent people working at Microsoft. I do not use Windows (except for gaming), and I am tired of seeing the problems. Anyone who has been in a decent computer science program or has experience knows better on coding. I know Linux is a lot more secure, so why can't they get it right? Who is leading them? I bet the help desk workers at MS are pushing the bugs into production so they can justify their existence. I mean, this has to cost them a lot of money (even after recouping tech support to fix their own errors); fix things already.
You watch the wolf more closely.
This clearly is a bug of 'Mass Destruction'; the only thing a responsible democracy can do is invade Redmond and pull down Bill Gates' statue. Is the 10th Infantry Div still busy? MM
No, this is a good thing. You see, the only way Sun is going to be able to compete with Microsoft's .net implementation is if they have a special Java runtime environment designed to mimic .net's features, right down to stability and security. Don't you see, Microsoft is doing Sun a favor.
...security freedom...
Not that I love M$, but it seems that you're bashing Micro$haft unjustly. Linux seems to be pumping out even more fixes and patches than old Billy boy's crappy product.
It seems like for the last month or so I have received at least 2 RedHat errata a day, and the majority of them are for security reasons.
For my RedHat email server, there have been 98 updates put out by RedHat and the Linux community. Of those 98, 16 were bug fixes, 4 were enhancements, and 78 were for security concerns. On my W2K workstation, I have installed 12 hotfixes and 3 service packs.
Linux enthusiasts like you that bash Microsoft without knowing what you are saying make the entire Linux community look bad. Instead of bashing them, we should at least praise them for responding quickly (this time), once the bug was found.
People who throw stones....
Seriously...Linux can be just as insecure as Windows. I hate when THAT is shoved down people's throats.
BTW - I use Linux & Windows so I have no loyalty either way. I just wanted to make a point.
If a virus of this sort were possible, and bandwidth bigger, it would be interesting to see a rampant virus of Penguins.
You mean, like in xbill?
Carthago delenda est!
I receive patches from redhat twice or three times as often as from Microsoft. That gives me some data to compare the two.
Repeat after me...
* All software is insecure
* Open source has the potential to be more secure than closed source
* Providing updates quickly is the responsibility of the vendor or the community, depending on the software
* Patching is the responsibility of the software user
Next topic.
The offending applet would have to set the evil bit in its packets anyway... ;-)
You're right... Last year Redhat issued nearly twice as many security bulletins as Microsoft.
I'm sure the above is a troll, but I'll answer anyways. When you install windows, you get, well, windows. And internet explorer, and freecell. That's about it.
When you install Linux from RedHat (or Mandrake or...) you get the OS, several browsers and mail clients, 2+ office suites, 4+ text editors, Java, Perl, C, Python, 25+ games, 3+ window managers, etc. (not that you have to install all that, but they're available in the install).
I'd say Redhat is doing great to only have 2x the security bulletins as Microsoft considering they supply 4x or 5x the software on their CDs.
Plus, it's been documented many times before that bugfixes are available much quicker in the OS world than the MS world.
I'm increasingly convinced that Linux is dying off. The lies and distortions we are seeing on slashbot have become more and more desperate over the past two years.
Name one "lie" regarding Linux that you've seen on Slashdot that's demonstrably not true (articles only, not posts). Remember, nobody is going to agree with all the opinions expressed on this site.
Personally it's not God I dislike, it's his fan club I can't stand (bash.org)
too bad you stole the headline from HardOcp
I hate sigs.
is it just me, or does surfing the web on a win box feel like living in some bad neighborhood just trying to avoid the next drive by shooting???
"You never want a serious crisis to go to waste." - Rahm Emanuel
OK, I know someone will call me a complete (l)user for this, but after I installed this update on my (mandated) Win2K laptop, going to http://www.google.com gave me only a borked up page. If I hit ctrl-refresh, everything is fine. This was confirmed on a co-worker's PC. Anyone else having this problem? Is Google borked or is MS putting in an additional "fix" to help out MSN?
Signed,
Your local paranoid Penguin Activist
The question should have been, "How many people work for Microsoft?".
The answer then would have been, "About half of them!".
That operating systems are incredibly complex and complex software is almost *guaranteed* to have bugs? Both sides criticize, but neither is without some sort of problem. I use both (Windows at work, RH at home) and have simply gotten used to patching my systems on a daily basis. It's just reality.
This new Samba vulnerability allowed one to do this too. These problems are less severe just because of 3 reasons:
1. There are many fewer Linux programmers than there are Windows programmers
2. It's not "cool" to write Linux worms and viruses, because Microsoft is evil, right?
3. The Linux codebase is much more fragmented and a virus that works on one system is not guaranteed to work on another.
Is MS stepping up their 'you must use auto-update' program? In their security bulletin it states that except for Windows 2000, the patch can only (their emphasis) be downloaded through windows update, not through a direct link. There then follows some hemming and hawing about how "A version of the patch that can be downloaded and deployed throughout a network is available. Information on obtaining it is available in the FAQ." Cool, that sounds like a way to get the '98 patch without having to enable the auto-backdoor nonsense. Ah, but the somewhat convoluted procedure in the FAQ entails visiting the Windows Update website, which, note, only works with the latest version of IE. Am I missing something here or are they making it a LOT harder than it should be to get this patch manually?
Actually, you make a good point, but you have no idea how things are coded at microsoft. It's not like there's one guy who is sitting there "writing windows" it's a chunked, distributed, whatever you want to call it proposition. Some guy in one cube writes something and some guy in some other building writes some other part of it and eventually it's glued together, sort of QAed and eventually released.
There are billions of lines of code in the source apparently. If they were smart, they would have done as Apple did and just thrown the whole thing away and started from scratch a long time ago.
Sure this would create problems for vendors and other developers, etc...but Apple pulled it off. If they developed their APIs and put a roadmap in place they could pull it off as well.
I thought about this a lot too over the last year or so, and based on my experience, it's simply that despite all of the security risks, most companies aren't losing that much money on lack of security.
I work for a company that has a good bit of Microsoft, some Sun and some Linux deployed. Now, without getting into any religious wars over who's more secure, I'll simply say that the Microsoft servers have been compromised on more than one occasion. The Microsoft servers also got hit very hard by Code Red and Nimda.
When I see stuff like that, I just shake my head, because it seems insane to me that the company considers that acceptable. But then I thought about it, and here's why I think they're okay with it: with all of the exploits, all of the headaches, and all of the patching, it really didn't affect anybody above the admin level one iota. We didn't lose any money because of the compromises (sure, we served up a lot of movies and so forth), we didn't pay extra money to clean up afterward, and we didn't lose any data. As far as management was concerned, we got hit full on with evil crackers, and it just didn't matter that much.
Now, I'll grant you that some companies have a lot to lose with poor security. Anybody who's stocking personal information or credit card numbers or whatnot should be very concerned. Financial institutions and military organizations (people who are being specifically targeted for their data) should be more concerned. But I think the majority of companies who are just serving up information on corporate websites, running some basic services, etc. just haven't been hit by security holes hard enough for it to warrant a change in their philosophy.
I think it's much the same for desktop users. There are a lot of Windows vulnerabilities out there and a lot of unpatched machines, but I don't know of anybody who's really felt any pain because of microsoft security holes. I'm certain there are some, but actual exploits are not nearly as epidemic as the vulnerabilities they exploit.
Now, if one of these things ever got any legs and started wiping out hard drives or corrupting data, and if millions of people were affected, and if millions of actual, tangible dollars (not time, effort, etc.) were lost, I think it would suddenly become a very different ballgame. But the fact is, at least for now, that despite the rampant security problems, the business community as a whole isn't suffering enough to worry, and neither are the home users.
I'm not saying it's right, but I know that my boss and his boss don't care if it doesn't cost the company anything.
The Sun implementation in my personal opinion has been much better. Fewer vulnerabilities discovered/exploited, better performance, better compatibility.
Why use this MS crap anyway?
If you have to deal with Windows, at least get a good java implementation.
I've had no less than 4 separate email warnings come from RedHat in the past week about programs that desperately needed to be patched. I guess that big major story slipped through the cracks, huh?
There's a huge difference between a flaw like this in the VM that microsoft ships that can be used to format your HD by viewing a web site and some bug in a library that can impact maybe a handful of people.
You have to compare the SEVERITY and NATURE of the bugs. Sure, there are bugs with whatever OS, but as to this level of Severity and of this Nature, you're just wrong, there are not that many with Linux, Apple or Solaris or whatever. Windows takes the cake.
If you think this is all overblown hogwash, you're deluding yourself.
This is not a bug:
From CNN, October 25, 2001:
http://www.cnn.com/2001/TECH/ptech/10/25/xp.london.launch/index.html
"The system promises fewer computer crashes and will allow users to delete data from their hard drive."
If you don't want to run Windows Update, or don't want to use Internet Explorer 5+ in order to use Windows Update, here is a list of recent security related patches that you can download individually.
Of course, you should realize that you have already signed your soul over to Microsoft by having Windows on your machine. You might as well close your eyes and agree to the EULA for Windows Update.
How many have been for the actual operating system? Like say the kernel or glibc?
And how many patches were included in the service patches?
Could you go back and check the SEVERITY and NATURE of those bugs? Do any of them let a HD be wiped out just by surfing to a web page?
You're deluding yourself and you're not employing a correct analysis and comparison of the problems.
Linux has millions of people looking through its source code. More than Microsoft could feasibly have. And yet, your post seems to indicate that Windows has about the same amount of fixes (service packs containing multiple fixes) as Linux in the equivalent amount of time. I wonder how many more flaws there are that haven't been discovered yet?
Microsoft did well in this instance, and perhaps this is the start of their focus on security.
You'd think though, that with a software company that's as big as Microsoft, they'd be able to educate their programmers to avoid problems like this in the first place. Yes, everyone makes mistakes, but if you've got >=10 years experience, it's unlikely unless you're just not bothering to pay attention.
At least Microsoft is on a schedule. I never know when to expect a critical security patch for [favourite Linux distro name here]!
Robots are everywhere, and they eat old people's medicine for fuel.
There is no hole that will grant Java applications unauthorised access. I swear by God, I swear by God, those who believe this are being tricked, it is a trick.
You can install Java safely. Nothing there, nothing at all.
Just look carefully, I only want you to look carefully. Do not repeat the lies of liars. Do not become like them. Once again, I blame linux zealots. Please, make sure of what you say and do not play such a role.
When is the next weekly apache bug coming out?
A Gaping Security Hole(R)(TM) in Microsoft
Sure I'm paranoid, but am I paranoid enough?
java code format c:\ echo y end java code dont know java so forgive my lame attempt at humor
I've read this one after reading the one about the Concorde.
Let me tell you something so that you feel safer: rest assured that the safety-critical systems of airplanes don't run Microsoft Windows (neither do they run Linux).
Wasn't there a model of US warship that stalled because of Windows problems?
Apparently, Slashdot and its editors have never been taught how news reporters/sites gain respectability.
/. is an editorial site, and may get away with it, but as such it will never really be able to sway opinion very well.
In order to report the news well, objectivity and a lack of bias should be maintained. When you start taking pot shots at what you report, you turn into the national enquirer, and people start to not take you seriously. What the people in the peanut gallery say is one thing, but what you put up in the story is another. Now you can say
I'm expecting to see how aliens took over MS soon, and Bill Gates having an affair with .
8^/
"...Java apps gain total control of your machine and assist you in reclaiming disk space by, say, reformatting your drive."
The other night I was playing UT and it crashed. Windows said I didn't have enough space left for vram and to clean up my main drive. Poor thing only had 40 GB free. Nice to know someone can write a Java app to clean that up for me now.
It gives the lowly sysadmin something useful to do... now *that* is innovation!
Sysadmin +1 patch, +1 new security hole. it's awesome.
keeps me in business
Thanks microsoft, I hope you keep writing insecure code,
because without you sysadmins everywhere would be jobless!
U gotta *Love* the innovation of these people,
it's nothing but top-class work! Keep up the great work!
Anyone who needs Java, for applets, webstart, applications, should install Java directly from Sun. You'll get the latest and greatest implementation (for Windows anyway) and it will integrate seamlessly with IE so you'll never notice any difference (other than the time to download the damn thing).
Looks like windowsupdate is heavily slashdotted :-)
R U retarded?
Too bad we can't rate threads. This whole thread is just flamebait in its own way.
Goatsex!
As my mom says, "Who the heck is Sun?"
Most folks out there run whatever comes on the machine. They are NOT going to go out and "upgrade" to Sun's java. That's just the way it is.
Text adventures online. 'Nuff said.
Mod me down and I will become more powerful than you can possibly imagine!
And bugs in IE will get people to switch to Mozilla. Abso-freaking-lutely!
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
Microsoft Windows Update makes installing patches even simpler. It runs in background and doesn't hang from time to time like RH update thingie. And if you think that the fact that RH doesn't own the vast majority of the code it ships makes me feel more secure, you're WRONG. Every freaking patch to any piece of software they ship technically requires a comprehensive security review. Do they do that? Heck no. They just don't have enough people and dough. But they seem to be doing what Microsoft has been doing for the last year or so, only on a smaller scale. They go through the old code and review it. "Thousand eyes give better quality" is a myth as the last Samba vulnerability shows. There's no substitute for good engineering and professional security reviews. And thank god Microsoft stopped burying their shit in the sand and started fixing all those holes. Over time they'll get where they want to be, that's a truth that has been proven over and over. If they've really made security a priority (and I have no reason to doubt that having seen shitloads of fixes in the last year), they'll kick everyone else's ass.
Of course, neither Mama nor my sister-in-law nor I have ever done Windows Update, and so I find myself invited by my helpful friends in Redmond to download 66 meg of updates over her dial-up connection, and this before dinner. Well, I think, at least it gave me some checkboxes as to which updates to pick, so I pick what looks like the relevant ones, reducing the download to a merely inconvenient 2 meg. Silly me.
There must be some dependencies among these patches, right? Under the pressure and sheer unpleasantness of the situation, I just idiotically thought, encouraged by the friendly checkboxes, that I could pick and choose. Bad idea.
Right. Windows XP no longer boots past "safe mode". Busted machine. No glory. No dinner. Back up data. Reinstall everything.
Machines being released these days are essentially useless without broadband, I suppose. "XP Home Edition" indeed.
More to the point, what were they thinking when they gave me those checkboxes? Either update altogether or don't. Anyway, my resolve never to touch XP is reinforced by these experiences. At least the mysterious error message has gone away for the time being.
mt
Microsoft is the black hole of computer security. Accept it, move on. If anyone in Redmond can even spell security, much less do something about it, I'll kiss Taco's ass.
Professional Politicians are not the solution, they ARE the problem.
I get more security updates from RHN than I do from Microsoft. I don't see news about Red Hat's security blunders.
If linux and apache are so secure, and they're open source, why is MS finding it so hard to replicate that success? They have the f'ing source!
They need to just drop the old code base, rethink their architecture and start from scratch. They have tons of brilliant programmers, and they have the source to (supposedly) secure competing products. What's the problem?
Microsoft intentionally extended the core API by introducing additional instructions to access the underlying Win32 operating system. Had they done this by providing a separate API, there would not have been any problems.
Unfortunately, Microsoft chose to take a different approach and introduced new operators into the core byte-code interpreted by the Virtual Machine. As these additional instructions were only valid within Microsoft's version, users were effectively left with no choice but to use the exact VM for which the code was compiled. This decision by Microsoft to modify the base instruction set of the Java language made it impossible to port code from one platform to another, thereby ensuring that users would have to remain on the Windows platform. In fact, Java programs compiled for MS's VM would not even work on the same OS if another vendor's VM was used to run it. This is why some applets wouldn't work with the JVM shipped with Netscape (which was Sun's JVM).
The instruction set supported by a Java VM is determined and maintained by Sun. In order to implement your own VM, you must agree to a license with Sun stating that you will not modify the core instruction set. In adding direct support for OS access (such as formatting a hard drive), Microsoft violated this license agreement. Microsoft also added their own keywords to the core language (delegate and multicast) which further ensured incompatibility.
The Java byte code is a single byte in size and, as a result, the Java VM spec supports up to 256 op codes. Not all of them are used, however. Out of those potential 256 opcodes, only 200 valid operators are specified. Opcode 186 is not used, opcode 201 is used for debugging, and codes 254 and 255 are used for trapping and tracing. The remaining opcodes are reserved for future use. Clearly, if a compiler introduces new opcodes, the other compilers won't know about them and won't be able to run programs built with those opcodes. This is in direct violation of the VM specification and is exactly what Microsoft did. This was the basis for the Sun v. Microsoft lawsuit, for which Microsoft was found in willful violation.
So, it would seem as if Microsoft did intentionally break their own version of Java.
If you still do not understand how Microsoft did this on purpose, I suggest that you take a look at the Java Virtual Machine Specification, as well as a nice book on general compiler theory.
Ryosen
One man's "Troll, +1" is another man's "Insightful, +1".
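As an added illustration of the point above about opcodes a VM does not know, here is a small scanner (example code written for this page, not from the thread or from any vendor's VM) that walks a method's bytecode using the instruction lengths from the JVM specification and reports any undefined or reserved opcode. The sample byte strings are constructed, and the 0xCB byte stands in for a hypothetical vendor-only opcode.

```python
"""
Scan a JVM method's code[] array and report opcodes a spec-conforming VM
would reject. Added example, not code from the thread. The opcode table
follows the JVM specification (first edition): 0x00-0xc9 are defined except
0xba, while 0xca (breakpoint), 0xfe (impdep1) and 0xff (impdep2) are
reserved for VM-internal use and must never appear in a class file.
"""
import struct

RESERVED = {0xCA: "breakpoint", 0xFE: "impdep1", 0xFF: "impdep2"}

# Operand byte counts for fixed-length instructions, keyed by opcode.
_FIXED = {}

def _fill(lo, hi, operands):
    for op in range(lo, hi + 1):
        _FIXED[op] = operands

_fill(0x00, 0x0F, 0); _fill(0x10, 0x10, 1); _fill(0x11, 0x11, 2)   # constant pushes
_fill(0x12, 0x12, 1); _fill(0x13, 0x14, 2)                         # ldc family
_fill(0x15, 0x19, 1); _fill(0x1A, 0x35, 0)                         # loads
_fill(0x36, 0x3A, 1); _fill(0x3B, 0x83, 0)                         # stores, stack ops, arithmetic
_fill(0x84, 0x84, 2); _fill(0x85, 0x98, 0)                         # iinc, conversions, compares
_fill(0x99, 0xA8, 2); _fill(0xA9, 0xA9, 1)                         # branches, goto, jsr, ret
_fill(0xAC, 0xB1, 0); _fill(0xB2, 0xB8, 2); _fill(0xB9, 0xB9, 4)   # returns, field and invoke ops
_fill(0xBB, 0xBB, 2); _fill(0xBC, 0xBC, 1); _fill(0xBD, 0xBD, 2)   # new, newarray, anewarray
_fill(0xBE, 0xBF, 0); _fill(0xC0, 0xC1, 2); _fill(0xC2, 0xC3, 0)   # arraylength .. monitorexit
_fill(0xC5, 0xC5, 3); _fill(0xC6, 0xC7, 2); _fill(0xC8, 0xC9, 4)   # multianewarray .. jsr_w
# 0xAA tableswitch, 0xAB lookupswitch and 0xC4 wide are variable-length.

def scan_code(code: bytes):
    """Walk code[] instruction by instruction.

    Returns (ok, problems); problems is a list of (offset, opcode, reason).
    Scanning stops at the first bad opcode because its length is unknown.
    """
    problems, pc, n = [], 0, len(code)
    while pc < n:
        op = code[pc]
        if op in RESERVED:
            problems.append((pc, op, f"reserved opcode {RESERVED[op]}"))
            break
        if op == 0xC4:                      # wide: the next byte is the real opcode
            if pc + 1 >= n:
                problems.append((pc, op, "wide with no opcode following"))
                break
            length = 6 if code[pc + 1] == 0x84 else 4   # wide iinc carries two u2 operands
        elif op in (0xAA, 0xAB):            # switch tables are padded to 4-byte alignment
            pad = (4 - (pc + 1) % 4) % 4
            base = pc + 1 + pad
            header = 12 if op == 0xAA else 8
            if base + header > n:
                problems.append((pc, op, "truncated switch header"))
                break
            if op == 0xAA:
                _default, low, high = struct.unpack_from(">iii", code, base)
                length = 1 + pad + header + 4 * (high - low + 1)
            else:
                _default, npairs = struct.unpack_from(">ii", code, base)
                length = 1 + pad + header + 8 * npairs
        elif op in _FIXED:
            length = 1 + _FIXED[op]
        else:                               # 0xBA or 0xCB-0xFD: not in the specification
            problems.append((pc, op, "undefined opcode"))
            break
        if pc + length > n:
            problems.append((pc, op, "instruction runs past end of code"))
            break
        pc += length
    return not problems, problems

# Constructed samples (not taken from any real class file).
# iconst_1; istore_1; iload_1; ireturn  -- what any standard compiler would emit
STANDARD = bytes([0x04, 0x3C, 0x1B, 0xAC])
# Same method with 0xCB in place of iload_1: a stand-in for a hypothetical vendor-only opcode
VENDOR_EXTENDED = bytes([0x04, 0x3C, 0xCB, 0xAC])
# iload_1; tableswitch over {0, 1} with two bytes of padding; return
SWITCHED = (bytes([0x1B, 0xAA, 0, 0]) + struct.pack(">iii", 20, 0, 1)
            + struct.pack(">ii", 8, 12) + bytes([0xB1]))

if __name__ == "__main__":
    for name, code in [("standard", STANDARD), ("vendor", VENDOR_EXTENDED),
                       ("switched", SWITCHED), ("reserved", bytes([0xCA]))]:
        print(name, scan_code(code))
```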
And today's contain 5 patches.
So please gimme a break with weekly MS updates. At least those are easy and quick to install.
Non-Linux Penguins ?
You are badly confused. You say that you read about the vulnerability somewhere on the web after the patch got applied. From this, you conclude that the problem was quickly fixed. How do you know how long the vulnerability existed prior to it appearing on the web? It may have been present for years for all you know...
Maw! Fire up the karma burner!
...I wonder how many more flaws there are that haven't been discovered yet?...
The same could be said about Linux. How many bugs are in the product that have not been found?
Download Sun's JVM instead. You shouldn't be using Microsoft's broken, outdated JVM anyway.
The Virtual Machine (VM) flaw is the most serious, meriting a "critical" rating from Microsoft.
This jumped off the page at me. Could someone explain the value of Microsoft's merits of their own flaws?
Speak truth to power.
It's time to quit harping on Microsoft security updates as if Linux users never have to install patches. I've already received 3 emails this week from Red Hat for various patches.
Open source doesn't necessarily make software any more bug-free than closed-source counterparts... It just seems to make Linux users giddy at pointing out MS's bugs.
This problem has already been fixed; my auto-update downloaded and applied the patch early this morning.
You forgot
* Switch to something open
Ian
...How many have been for the actual operating system? Like say the kernel or glibc?...
I could say the same thing about Windows. How many were for the actual NT kernel? Does it really matter? A fix is a fix. The only point I am trying to get across is I can't stand the small faction of Linux Zealots out there that seem to bash any problem that pops up with Windows. Get over yourselves. All operating systems have problems. If you want to b*tch about Micro$haft's license policies, outrageous EULAs, and the fact that they are willing to rape their customers to make an extra dime, then I will be right there with you, but every time you little cry babies start waving your finger at Micr$oft and start yelling "look, see, Linux is better" you actually hurt the cause. Anybody with 3 brain cells is going to realize that all OSes have problems and require fixes and updates. Make legitimate arguments on why to switch, and maybe then people might actually get rid of WinBlow$ and use a more license-friendly operating system.
Linux has millions of people looking through its source code.
No, Linux has millions of people with access to the source code. 99% are too dumb or lazy to do anything with it.
Linux offers the source code. This makes it much easier to find vulnerabilities, but it also makes fixing them easier. The ratio of discovered bugs to fixes is roughly 1:1.
Windows keeps the source code hidden. This makes it harder to find vulnerabilities, but means that fixing them is impossible unless you're MS. The ratio of discovered vulnerabilities to fixes is roughly 1:1.
I wonder how many more flaws there are that haven't been discovered yet?
Why does this matter? If a flaw is unknown, it's not being exploited and no damage is being done. A security vulnerability is not a problem until someone discovers it.
Why does this matter? If a flaw is unknown, it's not being exploited and no damage is being done. A security vulnerability is not a problem until someone discovers it.
:-)
It's a problem because it means the user has to install a patch later. If I bought a TV from Sony which developed a fault due to a design flaw, I'd expect the store I bought it from to replace it with a new version that doesn't have the same flaw.
I see the point you're making in the 1st part of your post though
Follow me
Please tell me you are joking.
I am running Win2k pro but I turned off everything (active x, java) in the internet security settings and use Mozilla with the Java plugin and never IE. Do I still need to get the patch?
What post? The one you're carrying inside your rusty innards!
holes in their own version would simply cause people to switch to Sun's version.
I don't know that people would switch if they didn't know about the holes in microsoft's java. Or even if they did know.
Look how many people still use outlook and outlook express even though it's clear they are just full of back door access and holes. Many have been patched, but each week another one is announced.
people stick with outlook instead of using some other mail client because they (mistakenly) trust that microsoft makes the best software.
You are the massive failure, little bitchtits. You are the first-post failure. You are the trying-to-be-clever failure.
You are just the silly little bitchtits.
Bring on your asshole for my blowtorch....silly little bitchtits.
>You'd think though, that with a software company that's as big as Microsoft, they'd be able to educate their programmers to avoid problems like this
:-)
... where was that from? It just jumped into my head all of a sudden...
They do... but it's called job security. How else do you think they can be that large of an employer?
Note to all of you late night programmers who have no humor (or sleep) at the moment: the above post was meant as humor
"We have no humor that we know of"
The first thing that needs to be donated is a non piss-poor site design for that organization.
This "poll" doesn't say that they trust Linux more though. And 35 experts is by no means a representative sample.
Come get me ;-)
Give a man a fire he'll be warm for a night. Light a man on fire and he'll be warm for the rest of his life.
other suggestions:
.net? nyet!
.net? not yet!
oh i give up
There's nothing in Java to allow it to format a hard drive.
Hmm... not bad Microsoft, not bad.
Perhaps we should reconsider comparing the speed with which open-source and Microsoft come out with security patches.
Oh, by the way. It has nothing to do with Sun's Java. I did the test here and I do not have that virus virtual machine making hackers extinct, but you forgot to close the door on the safe innovation.
I'm running 98lite and java works just fine without virtual hacker installed.
See, look Ma, we also, at no extra charge, install bugs in the competitor's software, then we try to blame them for our sloppy programming.
True innovation.
And, now that MS has used illegal strategies to get their monopoly, it's pretty much self-perpetuating. Let's just assume that these slap-on-the-wrist restrictions will actually stop MS' illegal and anti-competitive behavior (ha).
Assuming that, so what? There's still that catch-69 for ANY and ALL alternate OSes. In the current MS-monopoly environment, here's how things work. In order for an OS to become popular, it needs to have lots of software and hardware support. In order for an OS to have lots of software and hardware support, it needs to be popular. Hmmm. You can easily see how this creates a situation where there is a prohibitive cost to entry for any newcomer, and how this makes it ever more difficult for any alternate OS to gain popularity, no matter how superior it is to MS Windows (read: GNU/Linux, BeOS, NeXT, and so on and so forth).
Mr. Garcia, you are a fucktard
The only people who I've seen use that particular term are idiots.
social sciences can never use experience to verify their statemen
y3s i'm usering linuxes
kthxbi
Um, tech support guys are not equivalent to computer "geeks". They may be above-average users, but they are hardly geeks. They are reading from a cookbook, and usually know NOTHING. Every time I've called tech-support, I've found that the person was a complete and total moron and knew less than I did. Their solution to all problems is "uninstall, reinstall, if that didn't work, reinstall OS". This is what mystifies computing. Geeks, on the other hand, tend to explain things, at least if asked to do so. You obviously haven't used Google's newsgroup feature.
Are you over 18? I don't mean this snidely
Bullshit. If you weren't trying to be snide, you wouldn't have said that. This is your way of saying, "I disagree with what you're saying, but can't find any valid way to criticize it, other than trying to label you as naive in a round-about-way". I won't contribute to your fuzzy logic (that somehow the age of a person changes the validity of his or her arguments), so I'm not going to assert that I am or am not some unverifiable age.
How many RedHat patches have you gotten in the past month? I'm averaging about one every three days.
Um, tech support guys are not equivalent to computer "geeks". They may be above-average users, but they are hardly geeks. They are reading from a cookbook, and usually know NOTHING. Every time I've called tech-support, I've found that the person was a complete and total moron and knew less than I did. Their solution to all problems is "uninstall, reinstall, if that didn't work, reinstall OS". This is what mystifies computing. Geeks, on the other hand, tend to explain things, at least if asked to do so. You obviously haven't used Google's newsgroup feature.
You know, half my family does tech support for a living and everybody they work with is much more intelligent than that. I've also worked tech support while I was in college, and met some of the biggest geeks I've met to date, who did the job because they were in college. That's like labeling all Flight Attendants as big breasted blondes looking for a deep hard dick.
Bullshit. If you weren't trying to be snide, you wouldn't have said that. This is your way of saying, "I disagree with what you're saying, but can't find any valid way to criticize it, other than trying to label you as naive in a round-about-way".
Actually, the reason why I was asking is because of your apparent lack of timespan knowledge. I was going to relate a few things depending upon you being older or younger, to help understand the growth of the computer world. You really should mellow out with the knee-jerk reactions, there. You'll give yourself a heart attack.
I won't contribute to your fuzzy logic (that somehow the age of a person changes the validity of his or her arguments), so I'm not going to assert that I am or am not some unverifiable age.
Do you always assume you know what the other person thinks, or does? You seem to be very pretentious and arrogant (especially in your definite analysis of what tech support actually is), which speaks a few things. The most important is that you propagate the myth of computers being more difficult than they actually are, because you have a strong desire to be right. You almost come straight out and say it when you claim that every technical support person was a complete and total moron who knew less than you did.
So, I want you to back up this claim. Give me the last 5 companies you have called tech support on, and the issue. I will call up each technical support place that you list, and address the same issue, and validate your claim.
Because, quite frankly, I believe you are lying about this in order to try to make your point. It's a very lacking point, and has no real bearing on the reality that geeks and anybody with further knowledge of computers than the average person try to keep that knowledge to themselves and explain things in an overly cryptic manner to prevent additional knowledge being gained. I learned what I know of computers from reading manuals and books. I didn't have any mentor or tutor, but many people need this. The problem is, most people who do have any clue as to what is going on try to make themselves feel useful, so they make sure they never reveal all the information they know.
Be honest, you probably do it, too.
Dacels Jewelers can't be trusted.
Regarding your arguments
* not all tech-support guys are morons
I'll grant you that. No generality for any field outside of that field's necessity holds. I'm simply saying that from my experience, tech-support guys are idiots. Haven't talked with one who offered me anything I didn't already know. Since I'm not a genius, that must mean that they are dumb. Ok, dumb is not the proper word. Uninformed, without knowledge, would be more appropriate. However, dumb is in some cases accurate. I've run into computer problems that I can't solve based on previous knowledge alone, but where I had to combine various pieces of knowledge and intuition; that's called thinking, something tech-support, from my experience, doesn't do at all.
However, your generality that geeks have spread about some kind of techno-mythology about computers is just as unjustifiably generalizing. Maybe some have. But most that I've talked to haven't, and have been very clear about questions put to them. For reference on this, do a Google for "dh003i FASTA". I had a particular question about how to do a certain task, and useful help was provided, which was understandable.
In regards to making information available or not, for the very reasons you cited (self-importance), I provide as relevant and clear information as I can. This may be partially because I'm from a scientific (molecular/cell/genetic/bioinf) background, and in biological sciences, you need to explain everything with proof to back it up, and can't just assert (most) things.
Regarding tech-support calls, I cannot remember my last 5 particular calls. However, here are some notable ones I do remember:
* Seg-fault compilation errors in GCC 3.0 (under Cygwin, btw). Called Gateway. Segfaults are usually due to some kind of hardware issue, like bad RAM, or the CPU or other components running too hot. So I asked them "how do I underclock". The response: "segfault errors have nothing to do with hardware, but with software". I could not extract any information on how to underclock (indeed, it's impossible on my computer, since the BIOS is crippled, but I was hoping they could provide me with an appropriate modification). Their advice was useless. As a last-ditch effort, I opened up my computer and found cobwebs and gobs of dust inside the case, which surprised me because my house is pretty dust-free and clean. After cleaning it off, things worked fine. Nothing to do with hardware my ass.
* Faulty hard-drive. Hard drive was faulting, causing slow and predictable path towards critical corruption of critical files. Re-zeroed hard-drive several times, finally got sick of it and called Gateway. Told me to run GWSCAN, a prog they sent me. It found no errors, but I knew that the hard-drive was fucked. They told me it was fine and to reinstall. Since I knew that was bullshit, I called up a day or two later and said that I'd reinstalled several times and got the same corruption problems. This coerced them to send me a replacement.
* In regards to the faulty hard-drive. When sent the replacement, I took it in to them and had them install the new HD. (I am not good with putting together things physically). This was before my compilation problem, but it's obvious that they would have seen the dust in there. One would think they would have cleaned it off.
There are other examples, but I can't think of them all right now. In short, I've never met a technical support guy who knew more than I did or suggested something I haven't thought of. There may be intelligent knowledgeable tech-support guys out there. But they're certainly hidden from the consumer, and I certainly haven't seen any of them.
My major concern with Windows (I have a Win2k laptop at work) is the huge number of both UDP and TCP ports open seemingly by default. As an experiment I shut down the majority of my services and still there were more than 10 open.
I'm mainly a Unix person and I like to know what each port is connected to and why. Perhaps you can point me in the correct direction, but I have yet to find good documentation on what each port is used for. Also, anyone know if there is an lsof or fuser work-alike for Windows? Maybe I'll go look for that right now.
Good points. But I've been a professional tech for over 22 years now and a general electronic hack for over 30 years. I've seen it all, the birth of the PC, the birth of DOS and saw it mutate into Windows, and everything in between. I watched Bill Gate$ go from a nobody into a $$ Tyrant and THIEF. His tactics and practices are what piss me off and largely contribute to my hatred of M$. The other part that I find intolerable is that Windows is just simply a sloppy, shitty OS. It crashes every time you fart, and apps are always blowing up. It's flakey, undependable and unstable.
I have a brand new system, all decked out, that I built myself, and with Linux on it, it's rock solid. I had to load Winblows on it to accomplish a specific task for a customer; there was no way to do it with Linux, it was a specialized program.
Total hell. With it crashing every 5 minutes I was lucky to get the job done..
Windows is simply intolerable and unacceptable as an OS. But it is what the world revolves around. It's not for everyone. Windows keeps users from using their minds, it actually rots the brain. Linux FORCES you to use your brain, and that's what I like about it the most. I had become very disconnected with the inside of the PC when I started using Windows, now I am getting back into the inner workings and I *like* it...
Again, it's not for everyone but it IS for everyone that's freaking sick of Micro$not and their big brother bullshit..
Most of the headlines give very misleading takes on nearly every semi-weekly critical patch. Rather than fix a problem they alone produced (in this case with their Java variant), the response seems to be to work on editors to change headlines and/or slide unfavorable articles quickly off the front of the site and into the back pages. Rather than improving performance, interoperability, stability or security, new EULAs forbid the publication of benchmarks. Or Ballmer or Gates, in extreme cases, chase after decision makers with junkets, golf trips and such.
And the same problems surface again and again.
Isn't it about time some kid points and shouts, "the emperor has no clothes"? We are not dealing with a crappy software company, but at best a skilled marketing company or at worst a pyramid scheme.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
...didn't fully get the platform independence bit and port their VM to other systems, or we could have had the first platform-independent security hole....
:-]
Imagine the tag line to the virus: "Write once, hack anywhere"...
I'm just wondering, as it seems that the fixes that come in service packs and stuff are a bit more integrated into the OS than, say, updating BIND, which you may or may not even have installed. But I don't think you can not install something such as, say, the telephony service in Windows 2000 (yes, of course you can turn it off, but it's still there). As someone in another thread mentioned, Red Hat update is for a few hundred at least applications vs Microsoft update which is for, what, Windows, IE and Media Player? Or does it do more?
If you wanted to just count a fix is a fix, you could try taking a number of every single windows application fix that is posted and every single linux application fix and compare those numbers. But as others have mentioned before, perhaps raw numbers doesn't mean as much as some think.
As for a legitimate argument to switch, I really couldn't give a shit what others use. I use what works for me. Although I've got to say Solaris on Sun hardware still has Linux beat in terms of stability and stability under load. Course no one compares the number of patches that Sun puts out with the ones that Microsoft puts out. (Or at least I haven't seen any sites that do.)
As someone in another thread mentioned, red hat update is for a few hundred at least applications vs microsoft update which is for, what windows, IE and media player
Aren't Windows Media Player and IE applications? I know M$ has them so tightly integrated into the OS that it is next to impossible to remove them, but they are still applications. Isn't the latest fix that everyone is screaming about a non-OS related problem? I know the JVM is installed by default and is required by the Sun lawsuit, but it's not a kernel problem. So once again, a fix is a fix, and it seems to me anyways that both OSes seem to have lots of fixes and bugs.
Your analogy doesn't quite support your argument. If a flaw is unknown, it is not being exploited. A security vulnerability is not a problem until someone discovers it. How can you have a fix for an undiscovered problem?
If I bought a TV from Sony which developed a fault due to a design flaw, I'd expect the store I bought it from to replace it with a new version that doesn't have the same flaw
If the fault uncovered a design flaw, then yes, you would be correct in requesting some kind of compensation, replacement, or fix. (I was actually part of a class action suit for RCA TVs for this exact reason. We received a whole whopping $30 in RCA coupons.) If your Sony TV and millions of others have a design flaw, and no one ever discovers it and the sets all seem to work to the end user, then do you really expect the store to replace it, even though nobody knows of the problem?
Your argument makes absolutely no sense, it is exactly like someone saying "oh, I would like to be able to help you update your redhat box but up2date does not run in windows".
Mother is the best bet and don't let Satan draw you too fast.
Try FPort, from http://www.foundstone.com. It's under "Resources", "Free Tools". It will tell you which processes are watching which ports.
Also try TCPView. There's source code for the command-line version (netstatp).
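Added example (not from the post above, and not part of FPort or TCPView): the same port-to-process mapping done from the text output of `netstat -ano` and `tasklist /FO CSV`, on Windows versions whose netstat supports the -o switch. The sample output below is constructed, not captured from a real host.

```python
"""
Map listening sockets to their owning processes from Windows tool output.
Added example for this page; it assumes the column layouts of
`netstat -ano` and `tasklist /FO CSV`. Both samples are constructed.
"""
import csv
import io
import re

# Constructed `netstat -ano` output. UDP rows have no State column.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1032      10.0.0.5:80            ESTABLISHED     1544
  UDP    0.0.0.0:500            *:*                                    704
  UDP    127.0.0.1:1900         *:*                                    1120
"""

# Constructed `tasklist /FO CSV` output.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","704","Console","0","3,540 K"
"svchost.exe","892","Console","0","5,120 K"
"svchost.exe","1120","Console","0","4,200 K"
"iexplore.exe","1544","Console","0","18,912 K"
"""

# proto, local address, local port, foreign address, optional state, pid
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_tasklist(text):
    """Return {pid: image name} from tasklist CSV output."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}

def listening_ports(netstat_text, pid_names):
    """Return sorted (proto, address, port, pid, image) tuples for sockets
    that accept input: TCP sockets in LISTENING state and every UDP socket.
    Established client connections are skipped."""
    found = []
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue                      # header, blank line or unknown layout
        proto, addr, port, _remote, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        pid = int(pid)
        found.append((proto, addr, int(port), pid, pid_names.get(pid, "<unknown pid>")))
    return sorted(found)

def report(netstat_text, tasklist_text):
    """Render one line per listening socket, lsof-style."""
    rows = listening_ports(netstat_text, parse_tasklist(tasklist_text))
    return [f"{proto:<4} {addr}:{port:<6} pid={pid:<6} {image}"
            for proto, addr, port, pid, image in rows]

if __name__ == "__main__":
    print("\n".join(report(NETSTAT_SAMPLE, TASKLIST_SAMPLE)))
```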
I'm talking about flaws that will eventually be discovered. With any product, I'd expect a replacement, free of charge, since it wasn't my fault that I have a faulty product. Unless of course the product was free in the first place - you get what you pay for, with most things.
Follow me
Sun has been pushing the Java Plugin (TM) for a few years now.
When you embed Java applets with the tag, the parent browser is free to use its version of the JVM to execute it (i.e. Internet Explorer on Windows will almost always try to use the MS JVM to execute it, even if you have Sun's JVM installed also).
The Java Plugin is a plugin to IE and Mozilla, and it requires developers to embed Java applets with and tags. This way, the applets will always use the JVM specified by the Java Plugin Control Panel (you can choose other vendors' JVMs in the Java Plugin Control Panel if you wish).
The cool thing is, the Java Plugin is an ActiveX control. So if a Windows user browsing with IE gets to a page that has an applet that uses the Java Plugin, IE automatically downloads Sun's Java Plugin and installs it (just like what happens if you go to a Flash-enabled site and you have an older version of the Flash plugin).
While I don't have any official figures that I can quote, I can safely assume that many average users have had Sun's JVM installed silently and transparently through this method.
The Java Plugin has been available since Java 1.1.8 I believe. It's the recommended method of embedding java applets.
You're right about the number of Red Hat patches for security concerns growing and growing, but it doesn't seem right to compare the 98 updates on Red Hat to the W2k 12 hotfixes and 3 SPs. I say this because each SP represents hundreds of patches. Admittedly most of those SP patches are _not_ for security problems and many are simply enhancements, but it's still an apples and oranges comparison. I don't know which is worse, the weekly/daily flood of patches or waiting a year for a service pack.
This is the first numerical problem I ever did. It demonstrates the
power of computers:
Enter lots of data on calorie & nutritive content of foods. Instruct
the thing to maximize a function describing nutritive content, with a
minimum level of each component, for fixed caloric content. The
results are that one should eat each day:
1/2 chicken
1 egg
1 glass of skim milk
27 heads of lettuce.
-- Rev. Adrian Melott
- this post brought to you by the Automated Last Post Generator...