Slashdot Mirror


GDI Vulnerabilities: An Open Letter to Microsoft

UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' Like Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLL's installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."

14 of 444 comments (clear)

  1. Hate to quote a quote but... by diginux · · Score: 5, Funny
    which he calls 'worse then useless'
    So it gets worse, _then_ it is useless? :)
    1. Re:Hate to quote a quote but... by BlueThunderArmy · · Score: 4, Funny

      Still a step up from other MS products, which have to get *better* to become useless.

    2. Re:Hate to quote a quote but... by micromoog · · Score: 4, Funny

      If not, then your co-workers currently do.

    3. Re:Hate to quote a quote but... by sir99 · · Score: 5, Funny

      worse thæn useless?

      --
      The ocean parts and the meteors come down
      Laid out in amber, baby.
    4. Re:Hate to quote a quote but... by brianosaurus · · Score: 4, Funny
      You're almost there, but...

      You take their word for it, put your car in the shop, then when you go pick it up, the mechanic tells you "OK. We did something, but we won't tell you what we did, and your car may still blow up."

      But that still doesn't answer the grandparent post's question of whether there is an actual law... Not that it matters, but its hard to take MS's focus on security seriously when their patching tools won't tell you whether or not you are vulnerable (just that you MAY be vulnerable). How is Microsoft's scanner any better than the code below? (and mine works cross-platform, too!)
      main() {
      printf("Scanning for vulnerabilites...\n");
      sleep(5);
      printf("Your computer may be vulnerable. Please update.\n");
      }
      --
      blog
    5. Re:Hate to quote a quote but... by DA-MAN · · Score: 4, Funny
      How is Microsoft's scanner any better than the code below? (and mine works cross-platform, too!)
      main() {
      printf("Scanning for vulnerabilites...\n");
      sleep(5);
      printf("Your computer may be vulnerable. Please update.\n");
      }


      Your right, it is cross platform
      $ uname -a
      Linux totoro 2.4.21-20.ELsmp #1 SMP Thu Sep 2 17:07:30 PDT 2004 i686 i686 i386 GNU/Linux

      $ ./foo
      Scanning for vulnerabilites...
      Your computer may be vulnerable. Please update.

      Yikes, I'll be back, gotta update my system . . .
      --
      Can I get an eye poke?
      Dog House Forum
  2. Dear Tom by Anonymous Coward · · Score: 5, Funny

    When you need this tool, we will tell you and provide it for you. Until then, please continue buying our other tools.

    Bill

  3. Re:In case it gets Slashdotted.... by PitaBred · · Score: 5, Funny

    Hrm... the Internet Storm Center... slashdotted... that'd be interesting. Somewhat poetic. But doubtful.

  4. Re:But Microsoft customers are idiots by Anonymous Coward · · Score: 4, Funny

    The funny thing is.. no slashdotters are windows users until a cool tool like that NASA world wind one comes up.. then suspiciously its slashdoted. .

  5. No Warranty Implied by Sneeper · · Score: 5, Funny
    I like how the sans.org GDIscan (http://isc.sans.org/gdiscan.php) has the following warranty in all caps:

    HIS APPLICATION IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ....

    His letter might as well read:
    Dear Microsoft,
    How dare you take no responsibility for the code you write? I am handing out a much better version.
    P.S. I take no responsibility for the code I write.
  6. This whole open letter business by Anonymous Coward · · Score: 5, Funny

    Has anyone ever sent a closed letter?

  7. humidifier by trailerparkcassanova · · Score: 4, Funny

    My parents, in a vain attempt to rid the basement of its malodorous "twang" purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.

    Uh, an extension cord perhaps?

  8. RULES OF SLASHDOT by JoeBar · · Score: 4, Funny

    Rule #1 You do not talk bad about Linux Rule #2 You do not talk bad about Linux

  9. Is this a Microsoft first? by corporatemutantninja · · Score: 3, Funny

    Intentionally spreading FUD about their _own_ products?

    --
    Actually, I was trying to be Insightful, not Funny.