Security Vulnerabilities Discovered in WinXP SP2
SoTuA writes "A few months after SP2 hit windowsupdate.com, Finjan Software reports that security flaws have been found in WinXP SP2, including malicious code execution without user intervention. Finjan has turned over the findings, along with proof-of-concept, to Microsoft."
Just upgrade to Windows XP SP2.
Oh... wait...
It was only a matter of time until a major vulnerability was found in SP2. I'm sure there will be others, but at least they are being found before they are taken advantage of.
waves his hand mysteriously and says "These are not the exploits you are looking for."
"Browsing a web page" can cause you to lose the machine to a malicious hacker.
What - they just discovered Gator?
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
Security vulnerabilities in a 250MB update? Never would have guessed!
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
"Security vulnerability discovered in Windows" has become as common as "Britney Spears gets married".
At what point does a story become so routine that it no longer counts as news?
Technology, the cause of and solution to all of life's problems.
"I see you are looking for an exploit..."
from the article:
"By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page,"
Gee... why am I not surprised that Internet Explorer once again introduces huge security problems?
in the meantime, a patch can be downloaded here
Although I must admit... SP2 has had a good run... most of the recent security problems in XP/IE were non-issues in SP2. Too bad it couldn't last longer.
This is news because?
I don't want to sound like an apologist for M$ but we found out a long time ago that software is difficult, if not impossible, to get right. I am sure their software practices are shoddy in the extreme but hasn't this news story been flogged to death already? What does the submitter think we are going to say about this particular problem that hasn't been said about the 1000 other "M$ security hole" type stories that have graced the pages of /. in the last week!
</rant> - it's been a hard day
I used to have a better sig but it broke.
What they said: By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page"
What they meant: By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page with Internet Explorer
Using these vulnerabilities to shill its products.
This isn't to say that the vulnerabilities aren't real, they might be.
But this is a marketing ploy for Finjan
Step 1: Be polite to Microsoft:
Finjan has notified Microsoft of the vulnerabilities and has shared all relevant technical details with the company.
Step 2: Be polite to Microsoft:
Per its usual policy, Finjan has no plans to go public with details of the flaws until Microsoft has patches available for them.
Step 3: Reap benefits of being polite to Microsoft:
"Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2," the Microsoft statement said.
Step 4: Give your money to Microsoft:
Common Sense, "????"
Step 5: Give your money to Microsoft:
Bill Gates, "Profit!!!!"
Disclaimer: This humor brought to you by being up all night fixing a database. (And the PBRs that are keeping me company while I wait.)
It's that time of the month already?
...to express my surprise and dismay at this unprecedented event.
:-)
*re-reads story*
Oh, *this* counts as news?
I say companies can make a good name for themselves dealing with M$ and patches, and then use that name to consult on security for companies.
but M$ will start their own company, find their own holes, and consult security out...
erm... shiiiiiit you know they will do this, or already have!!!
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Don't forget...
http://www.apple.com
Yeah, and of course we all criticize MS for releasing buggy software. The counter-argument always that of course MS can't fix every single bug. Supporting that, people point to vulnerabilities in apache, mysql, etc.
The problem with the latter is that most Linux-based software is open-source, nonfunded. Whereas Microsoft is the largest business this side of Alpha Centauri.
I'd like to say pshaw, no big deal, but the amount and severity of MS bugs/exploits is deplorable considering that Windows is the flagship product of one of the largest corporations in the world. Stop entering new markets and release a stable, secure product in the next millennium please.
Flame on.
P.S. I'm going to establish a charity for those who believe using a dollar sign in Microsoft's name does anything other than diminish one's argument.
-- I have fans? Wow.
Finjan is not a disinterested party, since it is selling security solutions to the home and enterprise markets, and it profits by being the first --- and so far --- only source to make the claim.
I hate to rant, but this type of poor security checking is pathetic. Surely they should have known that all they would have needed to do was check the evil bit on the remote transfers to see if the data was safe or not. Someone in the OS community would have done this.
You do have to hand it to Microsoft though, the code is very easy to implement and quite elegant if you ask me.
"My god...it's full of holes!"
The more complex the plumbing, the easier it is to stop up the works!
My rights don't need management.
I believe that with Linux's usability improving each and every year, and Mac OS X's increasing appeal to computer users, sooner or later, Microsoft will be in deep trouble. No OS is completely secure, but Linux and Mac OS X don't suffer from the one main problem that faces Windows security: the integration of web browsers (Internet Exploder), media players (Windows Media Player), and e-mail clients (Outlook Express). Windows has a lot of other security issues too, due to huge amounts of legacy code, a horrible system of user management (why must a user be logged in as Administrator to play a game?), insecure services running, and more.
Windows needs a rewrite. The kernel is fine, but there should be a new set of APIs (get rid of legacy stuff), a better command line (with the option of booting into it), disintegration of IE, WMA, and OE (make them separate programs that can be uninstalled), better user management (similar to Unix's user management), and finally, a secure "blue box" that runs "classic" Win32 and Win16 programs (similar to Mac OS X's classic mode). If Microsoft does this, they'll finally have a secure and stable OS, and who knows, I might even recommend Windows to users. But until then, I'm sticking with FreeBSD.
It has become as predictable as day-break.
Great! I get my Windows problems solved and there is no more sun!!!
Oh... wait...
Get your Unix fortune now!
They should learn from the Duke Development Team... Don't send anything out until you're absolutely, positively, unwaveringly sure that there's nothing that needs fixin'...
And neither do you!
http://os.amiga.com/
Other than the "only a matter of time" bit. Who says these have not already been found and actively exploited? Takes a bit for the most malicious, but quiet/secretive intrusions to be found....
All aside, i'm really fucking glad our hugest client is moving to all *nix shortly.
Seriously, no OS will ever be exploit / bug free. I see it like a competition between would-be hackers and OS programmers... sure, some security holes are just obvious bad programming, but most are not, and in the end, someone somewhere, given enough time, will always find a vulnerability. If Linux had the user base MS Windows has, you can be sure that we would be seeing a LOT more vulnerabilities popping up. If the average Linux user was as computer-inexperienced as the average Windows user, it would surely help.
Want a 100% secure OS? Run "Hello World" OS, the only unhackable OS, and it's friendly, too!
Eureka Science News - automatically updated
Whereas Microsoft is the largest business this side of Alpha Centauri.
Hardly. Walgreens is "bigger" than MSFT, based on year 2003 revenue.
http://www.usatoday.com/money/companies/2004-03-22-fortune-500-list_x.htm
Wal-Mart's revenue is 8x larger than MSFT's.
IBM's is 2.75x larger, HP's is 2.24x larger. AT&T's revenue is US$2.4B larger than MSFT's.
"I don't know, therefore Aliens" Wafflebox1
Finjan are a dodgy company, and always overhype security "vulnerabilities" such as "a user is able to download an .exe and run it, thanks to Windows".. etc.
It's funny, not long ago their site was vulnerable to an old Cold Fusion exploit. I didn't do anything about it, 'cause frankly they are a two-bit company and there seemed no point.
Believe me, when the details of this "exploit" are revealed, it will be pretty pathetic.
I.O.U One Sig.
You can't have it both ways:
Open source is better because it uses "more eyes" to be more bug free? But MS software should be better because it's highly funded?
This is almost as surprising as the revelation that, in fact, combat operations do NOT seem to be over in Iraq. What gives???
"Stop throwing the Constitution in my face, it's just a goddamned piece of paper!" - George W. Bush Nov. 2005
I have to hand it to Microsoft. I remember all those virus hoaxes I used to get in my email. "Don't even open this email or you'll get a virus!" Don't look at this image, or your machine will get hacked!" "Don't visit this web page, or your drive will get formatted!" And I used to think, "Gee, why *can't* I hose my machine by doing those things? That sounds like it would be so cool to see!"
Well, thanks to Microsoft and their brilliant innovation, tireless effort, and boundless resources, they finally made all those mid-to-late-90s virus hoaxes a reality. I raise my glass to them.
I did some searching and discovered this:
http://news.com.com/Finjan+Warning+users+or+scaring+up+business/2100-1002_3-5449269.html
And this quote by the Finjan CEO pretty much sums up what I thought this was:
"By using Finjan's proactive security solutions...users can enjoy a secure environment that protects them from such vulnerabilities."
It's just a ploy to scare up business for this security company. But let's not jump to conclusions, those 10 errors may exist, but the truth is that this security company may not have followed the industry guidelines.
That is the key question, did Finjan give MS these errors 30 days ago as is traditionally done? If they did, then they have every right to publicize the problem, but if not, they are engaging in questionable business practices.
"Stuff that matters?"
Do I get my charity money now?
I find it disgusting that Microsoft has plans to sell anti-virus software to plug up the holes they stupidly left in their OS. Shouldn't developers be forced to make secure products?
If it's discovered my model of car has a set of brakes that have a chance of not working after a certain gear shift combination, the car company issues a recall - they don't tell everyone "oh it's not a big deal, if you want go to a mechanic and buy a new set of brakes."
We get patches for free (well kinda...after paying for the software) but they only seem to fix one problem *at best) for a hole found in the wild by people outside MS anyway. That doesn't even begin to cover spyware and viruses.
As far as you know.. We really wont know if somone has taken advantage of something 'secret', unless they either get caught, or boast about it..
THOSE are the scary ones..
---- Booth was a patriot ----
It's an interesting dilemma, because they very likely would _not_ be a $40bil company if they didn't release awful software.
If they were to follow a very strict engineering process similar to what defense, NASA, and energy depts follow, their software would cost more than it already does, be years behind on "features", and make it very difficult to have the knee-jerk reactions to market desires it currently does.
I would argue that their success, aside from their edgy, sometimes illegal business practices, came from focussing more on UI and integration (or lock-in depending on perspective) than on things people didn't understand at the time (security, stability, standards, interoperability, etc.).
Software has thus far been treated and behaved very differently from traditional engineering and manufacturing as there is no entity like UL (Underwriters Lab), FDA, FCC, DOT, etc. enforcing standards of safety and allowing users to sue them for selling sub-par products. MS could move quick with a shoddy product and say they clicked "agree" on the EULA, security or stability be damned.
...but the amount and severity of MS bugs/exploits is deplorable considering that Windows is the flagship product of one of the largest corporations in the world.
I'm not a fan nor a hater of Microsoft products (just hate their business practices), but for anyone to be surprised that an OS designed to be run for a single user in a non-networked environment loaded with legacy code to fully (and successfully) port to a multi-user, networked environment shows a lack of understanding about the increasing inertia software products have as they age. (That's not a swipe at the parent, but a comment about the public at large).
The point is, Microsoft is actually trapped by how large they are (!). To "fix" all these issues would require a complete re-write of Windows. But then if they re-write Windows, what they'd be selling the public is not the product that helped make them a mega-corp, but a new and untested one that is only trying to leverage the brand name. Ironically, there's a significant chance that if Microsoft wandered too far from their "flagship" product too quickly, they'd both alienate and lose their customers.
Hate to say it, but they need to take the slow, steady approach to these updates/repairs.
The real question is, will they still be able to change fast enough to stay viable.
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
why is it that when microsoft suffers we feel glee. most of us are probably gonna be the ones responsible for cleaning up any mess that stems from this. if anything we should be angry, or sad. but fsck it!
You need people like me so you can point your fuckin fingers and say, "That's the bad guy." So what that make you? Good?
It seems that I just can't keep up with all the patching all the time. Perhaps I should just let my system be unpatched and invaded by every virus/trojan/spyware known to man.
It might even evolve into some sort of a sentient being that tries to take over the earth by seizing control of the world's computers and creating a race of robots to do its bidding...
Gee, that sounds like a half decent plot for a movie... I wonder if anybody has made it? Maybe I could get Arnie to star in it when he's not doing governor type stuff?
It is really very very simple. My Win XP machine has been totally 100% protected from virii, et al. I will let my secret out, which I have withheld from the whole world for years, and unlike the software companies selling protection software and services, I am going to give the solution away for free! Here goes... I NEVER LET MY WINTEL BOX ON THE INTERNET! I didn't have to listenup much to understand early on that my Mac did all the internet work I needed without the constant worry and hassle of the MS OS problems. Life is so simple this way.
I was just wondering if you saw the implicit contradiction in your statements.
and
I'm going to establish a charity for those who believe using a dollar sign in Microsoft's name does anything other than diminish one's argument.
Your whole post drives at the point that Microsoft is in the business of making money and not making good software, yet you come along and decry those who would say the same thing in a much more concise form, "M$".
< Mode flaming = "off" >
-- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
So how exposed is a Firefox user with javascript enabled, running ZoneAlarm, with a hardware stateful firewall/NAT device?
I only use Windows for a particular printer driver, visio and a couple of games.
Just wondering how exposed I am when popping out to the web for a quick Doom hint..
Thank you! That struck a chord with me. It blows my mind how the OpenOffice.org suite (in particular OOo Writer) has painstakingly reproduced the frustration in using MS Word. Spelling "corrections" are automatically made, tables contents are automatically assigned different fonts and line spacing, and that bloody lightbulb keeps popping up like some Web ad.
And that splash screen when it starts up, stubbornly staying on top and covering the other windows --is Sun *trying* to advertise how bloody long it takes to start up the program?
But you know what the clincher is? I bought the "OpenOffice.org 1.0 Resource Kit", a manual written by Solveig Haugland, and there was this fairly common feature (I forget which one --maybe inserting a static date as text?) that she COULDN'T FIGURE OUT how to do. She basically says, "So far we haven't figured out how to do this yet." This is from someone who's writing a manual for the software.
Good God, Sun, why don't you just get bought out by Microsoft already. Maybe it's time to take another look at AbiWord, see how they're doing on their tables support, and break out the GNOME libraries...
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
The sky is blue!
Film at 11!
Seriously... this is "news"?
Be a PATRIOT--because the only thing we have to fear is the lack thereof.
Whereas Microsoft is the largest business this side of Alpha Centauri.
It's a funny one, I give it to you. But for information sake, in the computer world (not Alpha Centauri), IBM and HP are at least two times larger than Microsoft.
That's what I did after feeling for the n'th time the problems you mention. AbiWord isn't perfect, but it loads in a fraction of a second and handles well about 99% of my MS-Word documents.
What's the problem with Star/OpenOffice taking so long to load, anyhow? Is it Java, or is it just badly written software?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
"By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page..."
So if you're silly enough to surf with full administrator access, you can let someone else take over your machine. No mention if the exploits work as limited users... probably because they don't.
No mention of flaws in background services, but even if there were, what effect would they have with the firewall turned on?
Sounds like a simple enough fix to me: Create a limited user account for yourself and do your work there.
Use Evolution instead of Outlook? Bewa
Per its usual policy, Finjan has no plans to go public with details of the flaws until Microsoft has patches available for them
and
Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2
Why should people who are trying to help just get insulted? It's time to release the exploits to all of us after all, so that we can decide for ourselves who is making erroneous statements.
Hi, I use Mac OS X and Debian myself, but most of my friends use MS Windows XP, and they just don't care. Their computer has to be restarted 3-4 times every week, ok, they get a virus 2-3 times a year, but hell, they don't have time nor interest for OS, computers etc. They just need a tool that works now and then.
THIS is why MS is always going to exist and have big market shares, and this is why MS is very lazy to do anything radical about it (this is the dilemma of having a monopoly). Sad but true.
Microsoft, OTOH, is more like an economic black hole. Huge chunks of the revenue they collect just accumulate in their bank account. They don't seem to be able to figure out what to do with it, even though it's obvious that over the years they should have been investing more of it in improving the quality of their software.
Can you create limited accounts in XP Home?
Seriously, everything as large as 'windows' will have holes in it.
It's a fact of life, it's time to stop blaming and start adjusting how to minimize the risks.
Same goes for OSS stuff too, instead of worrying about 'what hole is next' let's figure out ways that the holes will not really matter...
---- Booth was a patriot ----
Nobody expects MS to produce totally bug free code.
What we do expect is an operating system that does NOT allow the execution of programs or scripts supplied by an external source with high privileges.
Thing with XP Home is that there are no real scalable or tiered security levels like in 2k Pro, it's either limited or administrator. Not sure about XP Pro's capabilities in that respect.
Our diversity is our strength
A flawed OS can only be pushed so far before patching becomes too painful.
a feature(tm)
now it seems viruses are being released to confound Microsoft's patch schedule, AND botnets are communicating. What will we see next.
shouldn't MS pay for their findings if it turns out to be true?
MS and other software companies charge us for every small service; shouldn't they pay us for doing retail beta testing?
you forgot www.slackware.com you insensitive clod...
Microsoft
...
McDonalds
Same out-of-the-factory quality, same style of customer base. Sure, sometimes the Filet-O-Fish has maggots in, but hey. I'll have an OS that fries please.
Dear slashdot.
Why must you post these stories on the weekend? You have just ruined the Saturday of the whole MS marketing department. Now every one of them has to cancel their plans, log on to Slashdot and start making posts about how "no OS is secure" and "it is all the users' fault" and "these guys are just trying to scare up some business". And the ever favourite "if Linux was that popular it would have just as many security flaws".
Well that is their job and they do it well, but why must you force them to do it on the weekend? Why can't they be with their families. Even marketoids have lives (I hear).
Windows Pocket PC 2003 was re-written from scratch, and it's shit.
As an example, by default it saves documents in volatile RAM so you lose them when the battery goes flat.
It keeps applications running but can only display one at once and has no way to efficiently switch between them (menu/settings/memorytab/runningapplication/activate)
It installs applications in vram.
Basically, it's crap.
If it were running Linux I could make sure everything (except tmp) was stored on nvram and I could even swapon to give me more RAM if I wanted to.
thank God the internet isn't a human right.
I found this url hidden in the source code, it says "Warez copy by warezhole.org". That's a security hole right?
I like muppets.
WinXP Security Phlaws 2
I'm not so sure gentoo is the answer:
http://www.securityfocus.com/bid/11617/
http://www.securityfocus.com/bid/11616/
But then again, I guess no one here is interested in any Linux flaws.
Has anyone actually received a free iPod from any of the shyster snake oil peddlers that have cropped up recently? I probably know the answer to this but it never hurts to ask.
"P.S. I'm going to establish a charity for those who believe using a dollar sign in Microsoft's name does anything other than diminish one's argument."
Hear, hear! The $ as a substitute for the 's' is reserved for di$ney, goddammit!
...but I run FreeBSD! that excludes me from being a turd (or...is that Turd to you M$-basher-bashers).
Doesn't it seem logical to you that the biggest OS on the consumer market gets the most attention?
Most offices aren't very secure, often anyone can get into your company's building just by finding a simple door code (watch someone type it or look at the worn-out buttons), pretending to be delivering something or just quickly flashing a random ID card at the security guard. Therefore, if offices aren't secure, software doesn't need to be.
This comment does not represent the views or opinions of the user.
So what if Finjan is just bluffing?
1: Send bogus security report to Microsoft
2: Tell news media about it (but not give details)
3: Sell products claiming to fix said security bugs.
4: Profit! (don't need ??? here)
Of course Microsoft will deny the legitimacy of any security report sent to them - bogus or not. (Not saying that SP2 is bug free - far from it - just that Finjan hasn't found any) This could be just a scheme to milk more money from poor MS users.
SURPRISE! SURPRISE! SURPRISE!
This is my sig. There are many like it but this one is mine.
get better educated before spewing forth your Linux bashing.
"Please step away from the gun, you are not authorized to use it."
Step away from the English language, you are not authorized to use it.
"Tools">"Options">"OpenOffice.org">"General">"Help Agent">"Activate" (uncheck the little box)
Simple, really.
Slashdot is my Mercer Box.
I must say that there is a reason Microsoft's operating system keeps breaking down...
Remember, IBM wanted to make OS/2 bulletproof because the OS market wasn't the main source of profit for Big Blue. For Microsoft, it makes sense to keep putting the half-rotten fish on the plate, as if the restaurant were right next to a hospital and the owners of both the restaurant and the hospital were good pals.
An operating system seldom has a real reason for going from version 1.x to 2.x, and usually companies don't charge for going from version x.1 to x.2 (i.e. um...patch or service pack - that's something companies put out for their own good because they've messed up somehow), because innovations which require an entire facelift of the operating system do not happen that often. I would say from DOS to Windows 95 was a big milestone and from Windows 95 to Windows 2000. Everything else should have been free...except Bill needed more money to burn in his research lab (whatever happened to Cairo?).
Also, there was an unexpected positive side effect from putting out half-rotten fish. Often people got problems with the Windows blue screen of death or some clever - more or less obvious - hack to the huge hole hackers often drove a train through, which put Microsoft in the public view (headline of lots of media)...got unexpected media coverage. Under normal business circumstances, this kind of folly would have surely sent the company dead in the water for good, but like someone else in the Slashdot community pointed out, people just don't care about the security flaw or the ever slowing down / memory hungry deranged monster operating system of today's era. Another side effect would be that the OS had so much trouble that tech support firms and Microsoft support actually profit from taking tech support calls from its customers and the companies who are often found working together to create stuff which works with Windows.
Bottom line is that Microsoft is doing it on purpose so people can keep waiting for that perfect OS which will not break down under normal circumstances like just browsing the web and checking e-mail. That's all my dad does and why did his computer break down with an error message the other day? I don't see my father's VCR or radio stop working with a blue screen of death!!!
Um..not to mention that they must willfully bloat its OS with so much stuff that eventually their friend Intel will be able to happily sell the new upcoming Pentium 5 running at 6GHz. The first time I bought my PC, standard memory size was 4MB. Today's standard memory size is something like 256MB and it's on its way to becoming 512MB... I wonder if 4GB memory will ever become standard on a consumer PC....
Oktokie
PS: can someone tell me why my Windows swaps when I have 1GB of memory onboard and my Windows 2000 thinks my 750MB of unused physical memory isn't good for any use....so it goes and merrily creates 200-300MB of virtual memory. This is just too funny.
One big problem with running under a limited user account is that a lot of common Windows programs will not run under a limited user account. One such program is QuickBooks. This is even true with W2K.
hyperbole: A figure of speech in which exaggeration is used for emphasis or effect, as in "I could sleep for a year" or "This book weighs a ton". [Latin hyperbolē, from Greek huperbolē, excess, from huperballein, to exceed : huper, beyond; see hyper- + ballein, to throw; see gwel- in Indo-European Roots.]
Every Windows Update link to a bug report I've seen lately has included a plain English explanation of the bug and a thank you to those who reported it. I remain suspicious of alarmist reports published before Microsoft (or anyone else, for that matter) has had a reasonable chance to look at a potential problem.
LOL.
You think you can compare business by their revenue between markets?
You can't. The profit margins are completely different.
Last year, Walgreens had a profit margin of 3.6%. Microsoft had a profit margin of 21%. That's a 6-fold difference.
Microsoft has 37 times the cash on hand that Walgreens has.
IBM has a profit margin of 8%.
And so on. Sure there are bigger businesses than MSFT. But not very many richer ones. Get the picture?
Believe it or not, Microsoft has just finished developing their latest service pack and it is guaranteed 100% to prevent exploits/viruses from allowing someone to take over your computer.
This service pack is so secure and fixes all known and unknown bugs that you can even apply it to any other operating system as well.
In an innovative and bold move not typical of Microsoft, this new service pack is so advanced, you need not even download it to apply it.
step 1) Turn off the computer
step 2) Unplug the computer
step 3) Unplug all cabling (like ethernet/modem)
step 4) Remove the harddrive
step 5) Take the harddrive to the grand canyon
step 6) Throw the harddrive into the chasm
step 7) Go to the beer store
step 8) Find a friend/acquaintance who has recently been attacked by spyware/malware/virus and invite them over
step 9) Console them for their recent trouble
step 10) Laugh at them and tell them YOUR "computer" will never be exploited again.
Unfortunately, this is a costly service pack and breaks every application in existence. One would then need to 'Uninstall' the service pack and get a new harddrive, but then that means being open to new and old vulnerabilities. But, what do you expect?
The more complex and convoluted a system is ultimately designed, the easier it is to poorly implement it. Windows might have started out simple enough but over time features were added and design considerations changed, and ultimately it has become such a rat's nest of modules that it's a complete mystery why the thing runs at all. I had the (dis)pleasure of writing a device driver for Windows NT 4.0 once and when a driver function is called there's a structure passed to it by the O/S. Part of that structure contains memory addresses. As far as I could figure out there were six in all, three referred to virtualized memory, the others referred to physical memory. If you don't use the right pointer, it causes a BSOD. Why in the world of dirty socks must the O/S require 6 *POSSIBLE* separate pointers referring to the destination for/source of a device block read/write?
Why is it also that Microsoft's IIS web server can only give any half decent performance when it is highly tweaked and runs at system level (as in not just an ordinary preemptible program, but can hang the system if it so chose)?
The traditional Unix and subsequent Linux design makes *ONLY* the operating system run at system level, NO EXCEPTIONS (and I am talking design here, not implementation). Everything else is just another application. With the exception of the X server that must obviously access the hardware (and even then in theory if not in practice it should still make a separation of core driver and X server) all applications running on the system should be running in user level space and are or should be governed by the rules set out by the O/S.
For example Apache runs as a user level application and if set up correctly, immediately gives up its root user rights by switching to the nobody/nogroup account. From there on in even if a bug was found within it allowing remote code execution, if the design of the O/S held, all subsequent applications run would be by that nobody user and the damage would be contained. IIS on the other hand because it runs at system level can theoretically allow malicious code to completely compromise the system because at the system level, the O/S has already let its guard down and security is irrelevant.
Like others said, if you want a more secure system, you'll have to sacrifice usability and at some point you must balance your needs for the two. Microsoft has intentionally or unintentionally pushed that balance point far too far toward the usability side and has sacrificed too much security. This is news but it's not earth shattering news and it won't be the last on this subject.
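The privilege drop described in the post above (a daemon starting as root and switching to the nobody account), as an added example that is not part of the original thread or of Apache's code. It assumes a Unix-like system; when not run as root it drops to the caller's own uid, which still exercises the verification that the drop cannot be reversed.

```c
/* Added example (not from the thread): how a Unix daemon such as Apache
 * gives up root after start-up, and how to check the drop really took.
 * Order matters: supplementary groups, then primary gid, then uid, because
 * once the uid is unprivileged the group calls would fail. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the given uid/gid. Returns 0 on success, -1 (errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0) {
        /* Only root may clear supplementary groups; a leftover group such as
         * "wheel" or "disk" would undo much of the benefit of the drop. */
        if (setgroups(0, NULL) != 0) return -1;
    }
    if (setgid(gid) != 0) return -1;   /* gid first: changing it needs root */
    if (setuid(uid) != 0) return -1;   /* uid last: after this, no way back */
    return 0;
}

/* Returns 1 if the process can no longer become root, 0 otherwise.
 * setuid(0) must fail with EPERM after a real drop; if it succeeds, the
 * "drop" was only a seteuid()-style toggle and the daemon can still escalate. */
int privileges_are_dropped(void) {
    if (setuid(0) == 0 || geteuid() == 0) return 0;
    return errno == EPERM;
}

/* Pick the "nobody" account the way Apache does; fall back to the
 * conventional 65534 if the passwd entry is missing. When not root, the only
 * legal target is our own uid, which still exercises the verification path. */
void choose_unprivileged_ids(uid_t *uid, gid_t *gid) {
    if (geteuid() != 0) { *uid = getuid(); *gid = getgid(); return; }
    struct passwd *pw = getpwnam("nobody");
    *uid = pw ? pw->pw_uid : (uid_t)65534;
    *gid = pw ? pw->pw_gid : (gid_t)65534;
}

/* Runs the whole sequence; returns 1 if root was given up irreversibly. */
int demo_drop(void) {
    uid_t uid; gid_t gid;
    choose_unprivileged_ids(&uid, &gid);
    if (drop_privileges(uid, gid) != 0) return 0;
    return privileges_are_dropped() && getuid() == uid && getgid() == gid;
}

int main(void) {
    int ok = demo_drop();
    printf("running as uid=%u gid=%u, can regain root: %s\n",
           (unsigned)getuid(), (unsigned)getgid(), ok ? "no" : "YES");
    return ok ? 0 : 1;
}
```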
into the net, you're just asking for this stuff. I've no sympathy for you anymore. It's better you just crack and shoot yourself, to make room for the people that have longer memories than just 48 hours.
Starve Microsoft and Walmart. Clean the genetic pool from the top and the bottom, but leave the middle alone.
Where do people get the impression that application load time has anything to do with well/badly written software?
It's too bad there's not a free licensed version of a Linux system that can successfully be run on most personal computers with a Windows-like interface (idiot-proofing, in other words) and enhanced security. It would most definitely be a good system.
With the security there and the Windows interface there, what more could you ask for? Everything would be easy and compatible (though this suggests a whole new set of programs would spawn) and in working order. Maybe not 100% security, as suggested before, but close enough to keep potential harm away from the "Windows" system.
The huge cube advertisement for the article is for Microsoft...and the copy is:
"Windows XP Service Pack 2 can help. Download and evaluate it for free TODAY."
Right.
FIREFOX 1.0 and IPCOP
Linux is not Windows
Finjian has turned over the findings, along with proof-of-concept, to Microsoft." Of course Microsoft denies that there are any problems, that security is at the top of their customers' lists and "somewhere near the top"(tm) over at Microsoft, behind profit, proposed new feature development, marketing, external investments, Xbox, wintv, anti-linux advertising, tax shelters, employee payouts, shareholder payouts, political payouts (oops, I wasn't supposed to mention that one), the Bill and Melinda Gates foundation, and travel expenses. Right after all of that is umm security, right near the top of the list.
Bullshit! There are 'standards' that can (and should) be followed by law! Software following a Posix standard --like Linux-- (and Posix is a standard described by the IEEE --Institute of Electrical and Electronic Engineers--) has a rigid, rigorous method of development, including ISO90000 practices. Microsoft chooses to ignore international standards (or any standards, even breaking forward-compatibility with its own products), and is rented (not sold) so no one can sue them. There is no reason why software can't be reliable, easy to use, secure and dependable. People (ignorant people) simply choose Microsoft because they are gullible and don't know any better (and the really sad part is that many *DON'T* want to know any better). Even when better, more stable, secure, more scalable and less expensive software is made available, stupid is as stupid does and goes after what was bad the last time. There are people who just don't learn.
Walgreens is "bigger" than MSFT
Wal-Mart's revenue is 8x larger than MSFT's.
Walgreens and Wal-mart are two different companies.
Where do people get the impression that application load time has anything to do with well/badly written software?
:)
Because even though there are many ways to do something, generally speaking the better way is also the most efficient way.
Normally smaller, efficient, cleaner code tends to execute faster unless the task being performed includes extensive calculations. Exceptions exist of course, but we're talking about Star/Openoffice.
I think it's pretty reasonable to assume that if an application of this type were written efficiently it would load up much faster. However, even this statement is pure speculation since as far as I know no such application has ever been written.
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
[quote], but for anyone to be surprised that an OS designed to be run for a single user in a non-networked environment loaded with legacy code to fully (and successfully) port to a multi-user, networked environment shows a lack of understanding about the increasing inertia software products have as they age.[/quote] Windows 3x/9x/ME were single user OS's. They had network support. NT/2000/XP/2000 are also single user OS's. Terminal services allows the NT-based OS's to be multiple user OS's. Windows whether it be 9x or NT-based was never by design, a multi-user system. 9x has all kinds of 16-bit compatibility. NT and up has a 16-bit emulation subsystem and a Win32 layer. Windows 2000 SP3 and up has a registerable DLL known as slayerui.dll. It provides the user a GUI for compatibility layers to allow older apps to run. But that compatibility is optional. Plus NT-based OS's were designed for networking.
...but only at the office. When at home, they talk about what went on at the office, and how the home should be re-structured to better accommodate the office. Teach the kids not to ask questions, just read the pamphlet/brochure, and how to make the colors match properly for the most effective and quickest sale. How to brush aside questions about reliability, and how to deny responsibility while 1. making the customer feel silly for asking that kind of question 2. making it sound like the company already looked at the problem, decided that it isn't a problem for some (ok 1) of its customers, and so isn't really a problem. Just 'educate' the customer how to use the product differently so as to avoid the problem. Example: tie an anchor to the rear-window of the car, and throw it out when attempting to stop --cures faulty brake problems. Don't surf on un-trusted web sites, only company based ones, and whatever you do, don't talk to any other marketing department or any other customers. Just talk to the company. We feel your pain.
Sorry, your question makes about as much sense as asking: "Why do people think that going slowly and smoke pouring out of the exhaust has anything to do with a badly made car?"
>Doesn't it seem logical to you that the biggest OS on the consumer market gets the most attention?
is what was typed. Ok. You wanna go with the numbers, let's go with the numbers. Microsoft desktop PCs have about 95% of the desktop computer market. Linux has about 3% of the desktop computer market. Last year there were 4500 viruses written for Microsoft based systems. A proportional share of viruses for Linux would be 3% of 4737 (4500/0.95) or about 142. But there weren't 142 viruses written for Linux last year. Not even 14. Not even 4. Not even 1. There was some (malware) (phishing), but that's all. So you want to do the numbers game? Why did Linux not get any more attention than it did? Here's another numbers game. Apache is an Open Source web server. It currently dominates the internet with a 67% market share. Microsoft's Internet Information Server (IIS) currently has a 21% share. Surely you say that Apache *MUST* have had the most attacks and viruses (according to your proportional-risk theory). But NO! The product with the 21% market share had more than 90% of the problems!!! What the hell you say? Something must be wrong somewhere. I agree. The problem lies in the engineering, lack of quality control and generally poor approach to Microsoft products. It's garbage-ware. Quit using it and be happy!
I think those customers will be dumbstruck when they get Microsoft's "appropriate action" in the mail: "What's this Ubuntu thing?"
I have. You can @gmail.com me with cbenard before the @ if you want me to email you video proof.
Also, here's my auction where I sold my free iPod.
If you want one, just follow the link in my sig. So if the "answer" that you knew was "yes", then you were correct!
Chris
Oh, you said SQL server.
Nevermind.
How come we all know we should run pine as root to read our mail
s/should/shouldn't
"Long run is a misleading guide to current affairs. In the long run we are all dead." (John Maynard Keynes)
http://www.wired.com/news/mac/0,2125,64614,00.html
also... lots of staff at TechTV have received theirs, plus, if you google "free ipod guide" you'll find plenty of websites describing the process (w/ pictures)
P.S. I'm going to establish a charity for those who believe using a dollar sign in Microsoft's name does anything other than diminish one's argument.
Will your charity establish that they truly do believe that and then bludgeon them to death?
If so, I'm in for a buck.
What's historically been Apple's ready cash v. market share/net profit/other measures?
Comparisons across industries are always dodgy but certainly Wal*Mart is a better choice than Walgreens. Wal*Mart affects the economies of nations, Walgreens affects the economies of counties.
Feeling so good natured I could drool
Last I looked, neither Suse nor RHEL was free, and neither is a supported copy of Apache/SQL.
"To "fix" all these issues would require a complete re-write of Windows. But then if they re-write Windows, what they'd be selling the public is not the product that helped make them a mega-corp, but a new and untested one that is only trying to leverage the brand name."
But somehow Apple managed to do this very successfully. Go figure.
...then carefully remove as much Microsoft software from your machine as possible.
Start with MSIE and MS Outlook, then MS-Office (replace them with FireFox, ThunderBird and OpenOffice, respectively). Really dig in and make sure every trace of them has been removed, don't stop at believing what the MS uninstaller tells you about MS Outlook.
Don't offer any shares, even to the LAN (get people to dump stuff elsewhere on the LAN and you pick it up from there), connect to the minimum number of shares (zero if possible) and for the shortest reasonable time.
Run a good firewall.
Pray a lot.
One more option: if you have a modern Linux box around, throw LogicWave at WINE on that and see how far it gets. If it doesn't work outright, maybe you can hack up an interface to the actual analyser in WINE. That'd be a lot of effort for one workstation, but if you have 20 or so it might be worthwhile.
Got time? Spend some of it coding or testing
Is it Java, or is it just badly written software?
What's the difference?
*ducks*
NT's architecture used to be reasonably secure, when it was a blatant "spelling error compatible" ripoff of Digital Equipment Corporation's MICA derivative of VMS. However, once it fell into Microsoft's hands it left those glory days far, far behind it.
Got time? Spend some of it coding or testing
I agree too about OpenOffice features being so annoying. My gripe is the autosave feature, which prompts you each time to confirm the save - hence defeating the purpose of this feature.
Although, I'll say this in their favour, Open office is a brilliant Microsoft document *reader* - Abiword can't open half as many documents and crashes more easily.
I prefer to write all my documents in HTML anyways, so I don't need OpenOffice for writing documents.
Microsoft doesn't need to spend that money improving their software when they can use it to obliterate competing products.
----
"Ours was a free culture. It is becoming much less so."-Lawrence Lessig
http://shit.slashdot.org/article.pl?sid=04/11/13/1444232
So, like what happens to the writers of the code when a vulnerability is found? Is it something along the lines of 'oops, better luck next time' or do heads roll?
...
STOP USING MICROSOFT PRODUCTS!!! They will only cause you trouble.
Jeez, you think people would pull their heads out of their asses and wise up to other operating systems by now.
I like the "bad people who spread viruses", they keep morons like you out of the way of smart people, like me, who run Linux. Eventually, those "bad people who spread viruses" will teach idiots like you not to run a shitty OS like Windows. So, those "bad people" are of much value after all, eh?
Thank you!!! Thank you!!! Thank you!!!
Finally someone points out the real reason Microsoft products are garbage. And, thank you for the numbers you gave. You are to be commended.
The technology world was not born with Microsoft in its mouth. They did get there somehow and I don't think it was only through illegal and unethical business practices, otherwise SCO would have been the monopoly.
I do agree with you that software can be built for security, stability, and interoperability. I don't think, however, that you can do that quickly _and_ have lots of bells and whistles _and_ be cheap.
Open source is not immune to this. The laws of scarcity still apply. We usually have the luxury of doing things right and not being driven by sales (unlike a business which _has_ to sell to survive).
POSIX and unix in general has had 30 years and huge R&D budgets and companies behind it (AT+T, IBM, XEROX, SUN, Bell, SGI, etc. etc.). MS started with DOS and a floppy and consumer grade equipment and market (and some R&D from IBM and Apple). Very different focusses and very different products.
I don't think the market is entirely ignorant in their decisions, either. When PCs first arrived the key obstacles were "user friendliness", design, and accessibility. These design criteria are often at odds with concepts like security and stability under the best of circumstances. When you face constraints of time and money (like a business does) those two classes are very much in conflict.
Now, fast forward 10 cycles of Moore's Law and presto, you have a cheap piece of consumer grade equipment that can run POSIX code and an entrenched monopoly with a trained market and semi-disgruntled user acceptance.
I am not making excuses for MS and I have always refused to work with their crap, but I also am not ready to make excuses for the POSIX world and say that there is no reason why we face a battle in the market now.
to install all those things. Just install Windows, surf around like you normally would, and by the end of the week you'll have IRC, web, proxy and all sorts of servers running, with little or no user intervention. With other solutions, it can take weeks to set all that up!
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Golly. There's a security hole in a Microsoft product. Go figure. ... I mean, has that ever happened before?
*cough*
"[F]or anyone to be surprised that an OS designed to be run for a single user in a non-networked environment loaded with legacy code to fully (and successfully) port to a multi-user, networked environment shows a lack of understanding about the increasing inertia software products have as they age."
Amen, brother!
I mean, when was the last time we heard of some dusty old professor writing a toy OS for the edification of his students, only to have some graduate student study it for a bit, then get together with a bunch of pals and create one of the best OSes in the world?
*blink*
Crumb's Corollary: Never bring a knife to a bun fight.
I recently upgraded a client site to WinXP SP2 with a Win2k3 server and they're quite upset at me for giving users non-administrative accounts.
They thought it was a great idea until they found out that many of their standard software packages (mostly financial) don't work properly with limited privileges *or* with "Run As..." and choosing an administrative account either.
- Michael T. Babcock (Yes, I blog)
Won't compile unless you're admin. I haven't even tried running 7.0 (2003) under normal user privileges - don't have the time to waste. MS is *hardly* spotless.
Just do "Help">"Help Agent" (there will be a check next to it, clicking it will disable it).
I've always been happy that it's been two clicks away for me to kill it (as opposed to my mother who actually likes the damn thing).
Microsoft OSes (and other software) host a horde of bugs. What's new? Slashdot is NEWS for nerds, stuff that matters. Bugs in Microsoft products... that's OLDs not NEWs.
There are lies, damned lies, and statistics.
Seriously, this wouldn't be news if it weren't for the fact that the cash-entropy cost of Microsoft Windows is sucking the GNP of this country dry.
I know Windows costs *my* employer money because every time the expensive tool-chain that lets me work on our product jams up against a windows issue, I lose my train of thought and waste ten minutes rebooting.
Might as well just add three weeks of paid vacation to my schedule and get us some shite that works. It'd make me happier too.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
"Where do people get the impression that application load time has anything to do with well/badly written software?"
Hmm, maybe first impressions matter?
"Finjan is not a disinterested party, since it is selling security solutions to the home and enterprise markets..."
Gee, a professional security outfit claims to discover a flaw, what a surprise. I thought the next major security flaw was going to be discovered by a taxidermist or perhaps a zookeeper, but I would never have expected a security flaw to be found by someone who is paid to look for such things...the odds against that must be astronomical.
"...and it profits by being the first --- and so far --- only source to make the claim."
I'm sure their 1337 status as the people who reported a fault to Microsoft will have so much money pouring in they'll be filling their Lamborghinis with only the finest Cognac.
Age of Mythology needs admin rights to start. Even power user won't cut it. The older Age* games also needed admin rights, and if Dungeon Siege is working in user mode, then it is the exception, not the rule.
Yet Socrates himself is particularly missed.
A lovely little thinker but a bugger when he's pissed.
Yep and then they wonder why they have such a big bill for you cleaning out the trash (worms) in their system32 folder!
This is my biggest complaint about MS and companies that develop software for MS that must run as admin.
Makes you wonder why and WHAT are they writing to the system files anyway.
Well, to start, I must say I've used XP since initial release. I never had a problem with the holes in the OS, or viruses - NEVER. I have had some spyware, but that is the fault of the browser, and my stupidity. XP SP2 was released, and since then not a single issue. Point is, take time to secure your connections. I run a LAN of 500+ nodes and there are no problems there either.
I've convinced many to go to the Firefox browser. Why? Is it more secure? Sure, that played a role, but the biggest determining factor was the fact that my users are too stupid to know what is good and bad. More so, they want convenience, where everyone else falls in.
Fact is, Windows is insecure, we know that. If you know it and don't take measures to protect yourself, then you should be at risk. Sorta like sex without a condom isn't it? You're gonna eventually get burned!
Put Firefox on XP, patch it to SP2 and any other patches as released, Patch your office applications, run virus software and the built in firewall with XP2 and PUT A LINUX FIREWALL IN - you'll be fine
...the Registry was and is a big hole, but as a peer-poster says, "big dobs of stupid". Lots of compromise architecting to make WOW work, etc.
VMS was (is) able to be secured to genuine high military levels with one configuration change. NT and children, with much work, can be certifiably secured only at the lowest levels and with ridiculous hardware configurations. The details in between are arguable, the results are not.
Similar story with MS SQL Server. Jim Gray from Digital Equipment Corporation (and I think the leaders at the Cotton Mill kind of lost the plot about 5 years before this) boosted a very lackluster corruption of Sybase to quite reasonable performance, and it's been struggling to maintain that ever since. The wonder technology was not Microsoft's; their contribution was to ship it, including embedded, with a *NULL* administrator password and to leave FoxPro to wither on the vine.
Ditto again for MS Access - the wonder technology that made JET usable was bought from (with) Fox Software, not home grown. Despite leaving it to wither while they strapped and bolted every turbo technology they could lay hand on to Access, despite an archaic underlying table format (a legacy of dBase compatibility) FoxPro still eats Access's lunch.
In each case, Microsoft took a good technology and tried to make it suck, with varying degrees of success.
Got time? Spend some of it coding or testing
P.S. I'm going to establish a charity for those who believe using a dollar sign in Microsoft's name does anything other than diminish one's argument.
Well said. Point taken. But I'm still guilty. I just can't help it! {Takes a deep breath before trying} Micro...
Wait, wait. Let me try again.
Mirco........uuuuuughhh........aaaaaarrrrggggh.
I'm sorry, but that "$" is more addictive than nicotine.
"God is dead." - Friedrich Nietzsche
The total number of syscalls on Linux 2.6.7, according to "arch/i386/kernel/entry.S", is 284: 1 less than XP. Woo!