Why Can't Microsoft Just Patch Everything?
paneraboy writes "If smaller software companies can patch all of their bugs serious or minor, ZDNet's George Ou asks, why can't Microsoft -- with its massive army of programmers and massive budget -- patch all of its vulnerabilities? Had Microsoft fixed a low risk browser vulnerability six months ago, perhaps we could have avoided last week's zero-day exploit. Currently, more than two dozen Windows XP issues remain unpatched. Ou thinks Microsoft ought to fix them all." From the article: "Almost 4 years after the launch of Trustworthy Computing, I found myself wondering why am I staying up till 4:00 AM to deliver an emergency set of instructions (Home and Enterprise) to my readers because Microsoft felt it unnecessary to patch a flaw six months ago that was originally low risk but mutated into something extremely dangerous."
Here's one from the article flagged "Less critical" from 2002: SA7127. Check out the first paragraph of this 'less critical' item's description.
By the way, when I read a statement like this one:
If smaller software companies can patch all of their bugs serious or minor, why can't Microsoft just patch all of their vulnerabilities with their massive army of programmers and massive budget?
I start thinking there ought to be some kind of credibility (karma) system for anyone giving public opinions. You know, give the article '-1', give the guy 'Terrible Karma'. Make all his subsequent articles disappear for you, or even better, replace the article with a 'joke of the day', you know, to dilute the real news a bit.
Seems like some members of the press don't understand coding. You can't just go and patch everything. Regression testing? Making sure all the changes work as needed without impacting other subsystems.
Do you really think if Microsoft COULD do it, they wouldn't?
they do care about us
To paraphrase a certain mercenary, where's the percentage in that?
"The dew has clearly fallen with a particularly sickening thud this morning"
You can only patch a leaking boat so much, even if you drydock the vessel for a few months. When it's only held together by the barnacles and the masthead, it's going to sink whether you bail it out or not. At some point, you're going to have to re-think the design of that hull, and start from scratch.
Because they're too busy counting all the cash they got ...
I think MS has come a long way from where they were, but I agree. To the people who claim it can't be done: OpenBSD does it!
DUPE!
:)
Okay, so it's actually not a dupe, but I got to hear Slashdot users all sigh at once.
Hey.. what good would our awesome MCSE certification be then? You trying to put us out of work?
MS Patch Monkey
Microsoft has learned that, with its position, it doesn't HAVE to spend money fixing software that people keep on buying/using due to lock-in, popularity or whatever.
Why should they?
People will still buy their product, people accept that it sucks.
Unless they see a good ROI on patching or developing good code they won't.
Quite honestly if it isn't a worthwhile use of their resources they shouldn't patch code.
When there is serious competition and code quality becomes a competitive advantage they'll fix it.
to be any reason to fix them immediately. Common folks are either used to their computers being unstable or they don't care. MS won't rush to fix bugs because there does not seem to be a large outcry from the end-user community for them.
I meta-moderate because I care.
[Mega conspiracy mode on]
Microsoft is not patching holes to provide jobs for all of those worthless MCSE's
Microsoft is growing and profitable having their developers do other things, until such time as they are held hugely financially liable for their bloated buggy crap they won't make that their prime focus
Issuing patches is dangerous.
Every time Microsoft patches its software, hackers use their patches to discover security holes and to issue exploits!
But when they don't patch their software, no bad guys notice these vulnerabilities. In fact, no virus or worm has *ever* exploited a vulnerability before a critical update was released!
Duh.
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
Why can't the Mozilla Software Foundation patch all the 6300 Firefox bugs? Instead, they have to release a "new" version... just freeze the freaking releases and patch your bugs!
No, OSS is not free of bugs
Ubuntu is an African word meaning 'I can't configure Debian'
The biggest problem that M$ has is their size. Sure they have tons of cash and an army of coders, but I bet the left hand doesn't know what the right is doing. There must be so much red tape there as to basically paralyze them. Just look at the lack of innovation coming out of M$. Windows has been stagnant since Windows 98 and Office hasn't improved much since Office 97. M$ is being crushed under their own weight.
gasmonso http://religiousfreaks.com/
First post! and MS doesn't patch everything because they weigh cost of patching vs benefit of writing the patch and the risks associated with leaving it alone at the time. A seemingly small, unimportant issue will not get more attention than something that drives or will potentially make money.
If Microsoft fixed everything, then the companies that made programs that allowed users to work around the "flaws" in Windows would go to the federal prosecutors and demand that Microsoft be sued for having a monopoly on fixing their own bugs.
All kidding aside, Microsoft has a huge amount of users, maybe more than any other product in existence (I didn't do the research). This does mean that more bugs will be found, and the reason behind not fixing certain bugs may be that the bug was addressed in a future rollup or patch already. Because Microsoft is a massive corporation with so many departments, it is possible that Microsoft BugCentral says "Fix this!" and Microsoft PatchCentral says "We fixed it in Article 931321 coming next week" and Microsoft ReleaseCentral says "We're waiting for a fix on another bug before releasing that."
I'm not a fan of it, but it is really hard to just come out and say they're ignoring a bug, when it may be something deep set within the software (hard to remove) or it might be addressed but on hold for another reason (opened up another flaw?). If we think we as geeks found all the vulnerabilities, we're fooling ourselves. Windows is a massive program, and even Linux has ongoing flaws. When Linux has as many third party apps and interconnecting drivers as Windows does, I'll accept a complaint towards getting things fixed post haste. Until then, we just have to (thankfully) support third parties that give us options! (And paychecks)
You mean like when someone says "if smaller software companies can patch all of their bugs" means "if all smaller software companies can patch all of their bugs"? Thanks for the permission to flag all of your future posts as "joke".
--
make install -not war
Is this guy completely retarded?
As much as we may despise it, Windows is a very large, complex piece of software. As bugs are fixed and features added, more bugs are created and so the cycle goes on.
This is the reality of software development. Does he really think that if Microsoft could fix every bug they wouldn't do it?
I can hear Microsoft execs right now: "Well when you put it that way...why didn't we think of this before?"
"What's the status of our new software?"
"Ready for launch Mr Carver, and - as requested - it's full of bugs, so people will be forced to upgrade for years."
"Delicious."
/not serious... no, seriously.
A-Bomb
Just because MSFT has an army of programmers, it doesn't mean it has an easier time patching its old code. Larger groups of people (be they developers or military groups or a bunch of friends going out drinking) almost always require more grooming and maintenance. Look up "Dunbar Number" - here - I find it fascinating.
A smaller, and thus possibly more agile group of programmers may actually be able to patch more holes than a mammoth like MSFT. Size can be a disadvantage (don't quote me on this ;)).
Simply patching the holes in Ballmer's walls from all the flying chairs.
with its massive army of programmers and massive budget -- patch all of its vulnerabilities?
This is impossible. With patches, new releases, and updates there will always be new bugs introduced, some exploitable, some not. No program will ever be invulnerable to malicious attacks. As long as a person made it another person can break it. Maybe micro$oft could be doing better at releasing patches, but it will never be error free. And that goes for all software.
Patches, no matter what they are, are woven into most things that Microsoft and developers do. There are numerous dependencies, and the numerous divisions, API sets, and partner dependencies make this difficult if even impossible to do on an ad hoc basis, as a generally available patch that breaks things is irresponsible.
Yes, it happens anyway.
This is the downside to having a huge, inter-dependent set of apps. Regression testing and dependency testing regimens have to be followed to ensure that small or even massive destabilizations don't happen. This also means that the easy stuff and the most urgent stuff (by their reckoning, not necessarily mine or yours) gets done first, and the tough stuff is just tough.
It's also what makes the closed source model more difficult to deal with, as Microsoft isn't just one pool of programmers, rather thousands of coders working on largely interdependent projects. While it looks like they should be able to do this, it's a reality that it cannot. And it would be irresponsible for them to do so, given so many users, and so many inter-related apps. We just wish it could. That's why OSS methodologies have a bit of an edge in this context (and others).
---- Teach Peace. It's Cheaper Than War.
no, I didn't mean that ;)
My guess is that if they did, it would take too long to test all of the patches to ensure that:
-The patches worked
-They didn't adversely affect other functions
-The patches come out on the 2nd Tuesday of the month
He who knows best knows how little he knows. - Thomas Jefferson
Just because Microsoft takes in a lot of money doesn't mean they put it all back out in developers! LOL. People have salaries too you know. Most of the profit goes into the pocket, not into investments.
Vista has already been completely rewritten, since the code was too messy. Well, if they can do that, why can't they just rework the entire structure while they're at it. Harden the system at the core, don't make the fingertips bulletproof.
Blog -
Screenshots of the new update system. http://www.tyigo.com/viewallimages.php?eid=1111
Good thinking George Ou why didn't they think of that before?
Hmm... seeing as we're in brainstorming mode here's something I just thought up:
Why doesn't the government give its money to all the poor people in the world so that we're all rich!
The best way to find a bug is to take the code away from the original programmer and give it to a dedicated tester.
The best way to fix a bug once it's found is to give the code back to the original programmer, and tell them to go fix. Because they know the code. And it's less likely that fixing the bug will introduce more bugs. Obviously, this limits the amount of people you can set to the task of fixing them - and in a project the size of Windows, there are a lot of them.
1. It's better to release a last-minute patch, so when it breaks something, you can claim it was an urgent fix rather than a poor design choice from the start (aka: skip costly regression testing)
2. Perception of fear: how can they get you to upgrade to Longhorn if there are no security issues with Windows XP? How can their spyware and other partners succeed if they close all of the holes? How can all those consultants fill their days if they're not applying patches to every workstation? They're doing you a favour and letting you keep your job. *smirk*
3. Nobody wants to download several megabytes when they can download a single patched DLL. Bandwidth is still expensive!
[/sarcasm]
The even bigger question is, with the power, size, and focus on security (as well as pull with hardware vendors) they have, why didn't they get it right the first time? Most importantly, why wasn't the utmost care taken on anything that takes foreign input (browser parsers, etc.)?
-M
when you see the word 'Linux', drink!
Or dodging the chairs that randomly fly out of Microsoft's windows (small w)
No-one likes patching, that's why. When you release a product it's highly likely that the night before the deadline you performed any number of quick hacks and workarounds just to make the shipping date, by that time you were probably sick of the product, sick of the way it failed to meet goals and bored of its flawed internal structure. You breathe a sigh of relief when you can finally hand off your project (and this goes for anything - software, design, art, literature etc) and get some sleep, ready to start the much more exciting next version with some great new design ideas that completely solve the previous problems. Then, a week later you're forced to stop working on your new project and go back to the old-and-busted project to fix some pointless flaws which you consider totally below you because you have already made them redundant in the new, as-yet unready version. What's more these bugs are completely mundane and irritating to fix, there's no creativity going on and you're most likely coming up with another set of hacks just to make it work and get it out of the way. Who wants to work on something like that?
This comment does not represent the views or opinions of the user.
There's no money to be made in fixing problems and issuing patches. The money is in sales. Create a new and 'better' version and charge to upgrade. New versions = profit, patches = lost revenue.
>If smaller software companies can patch all of their bugs serious or minor,
And this is already where it all goes down the drain... small software companies also cannot do that (unless they have a very slow product update cycle). I have worked for many big and small software companies and bugs/patches/testing is ALWAYS a big problem. Maybe we shouldn't focus on that, but on finding ways to design software in such a way that bugs can be detected by the software itself! (wow.. SF stuff) Or make sure our way of working with the business side (MORE features) is different. Software guys are from Mars and business partners are from Venus!
Part of the problem is that recovery CDs for mass-produced computers can't be patched. You end up with the quandary of restoring an insecure system, which you have to put online to update before it gets infected. If someone doesn't have a firewall or NAT, then too bad, they are toast again.
Also, if you "fix" something, it's not like it doesn't impact other things. Microsoft's Rollup 1 for SP4 Windows 2000 a few months ago broke the ability to save to floppy disks in Microsoft Office products. They fixed it later with version 2 of rollup 1 for SP4. You think the average person is going to know what all those numbers even mean?
Saskboy's blog is good. 9 out of 10 dentists agree.
I couldn't have said it better
And things at huge companies tend to take a long time to finish. I wonder where the point of diminishing returns sets in. Typically mid-sized companies tend to have the resources to perform their services as well as keep customer satisfaction at an optimum level.
Maybe it's time for MS to break off into 3 sections? Just like where I work (huge municipal organization)...our project WILL save our city millions of dollars but what's happening right now? It's at a stand still because it's budget time. *sigh*
Maybe Ou is up at 4AM protecting Microsoft's customers for free because it doesn't cost Microsoft anything. Microsoft needs a class action suit loss, or steep hikes in their insurance rates anticipating such a loss. The days when publication of unsafe product exposés like Unsafe at Any Speed transform an industry are long gone. Industries have learned to insulate themselves from books read only by the tiny American intelligentsia by publishing vast overbalancing PR. Some industries even have bought immunity from liability for their unsafe products. Since the Supreme Court has now found that software companies are liable for damages caused by their users' use of their unmodified products, maybe we will see Microsoft liable for the vast damage caused when people use their products the way they promote them. Or maybe we're looking forward to an imminent release of a WiFi "Microsoft Machinegun".
If smaller software companies can patch all of their bugs serious or minor, ZDNet's George Ou asks, why can't Microsoft -- with its massive army of programmers and massive budget -- patch all of its vulnerabilities?
Ok, have I misread something?
Small companies = 1 or 2 programs, each with a couple of thousand lines of code. Usually a new program, so fresh and structured code.
Microsoft = dozens of programs, each with a couple of million lines of code. Usually based on ancient versions going back to the age of C, when code was a little less structured than now, and impressively patched over and over again.
This said, you also have to count that some Microsoft software is dealing with complex coding like memory management, thread management, hell, all the computer management.
Also add that the goal of every Microsoft user is exactly to find all flaws in Microsoft and just point at them and say "HAHA! There is a bug there, Mr. MS." So it's not surprising that Microsoft software has to deal with a lot of bugs.
I think that pretty much makes an answer to why Microsoft is like this.
unchecked buffers were kind of cute in 1999....
Can't M$ run an unchecked buffer checker and then fix them all?
It is incredibly incompetent that there are still unchecked buffers in M$ software.
...is an eye patch.
Why would Microsoft want to fix these bugs, when their existence doesn't seem to be losing them much. True, Firefox is slowly gaining steam, but it seems to be that a good percentage of that switchover comes simply from the fact that Firefox offers tabbed browsing. My girlfriend's parents think that Firefox is what's causing problems with their computer (Windows XP Home with NO spyware protection or AV) With the launch of IE7, how many users will simply revert to their integrated browser?
Especially in the marketplace, nobody is accountable until they are held as such. If Microsoft were held (financially) accountable, then they would patch everything they needed to, or provide something new altogether.
Corporations have a responsibility to one thing, and one thing only.
And it ain't us.
Microsoft can't just patch everything as easily as it sounds. The reason is that certain features in the program actually cause the security problem in the first place. In order to quickly patch these problems and close the security holes, you would essentially disable the entire feature. Added to this, the problem is that these features are part of Microsoft's strategy in the market place. Exactly as with the Win98/IE integration. Sure, all the inherent security flaws that produced could be fixed, but then you lose browser integration the way they intended it. If you remove the browser from the OS, then it can be unbundled, then Microsoft hasn't got even the smallest leg to stand on in an anti-trust case. Basically the point is that the reasons why they can't just patch everything are completely unrelated to the software.
See the Pictures of the Flood of '08
He wouldn't have a job, or his job would be really boring, if they did patch ALL of their bugs...
because he doesn't understand business. Anyone with a little knowledge of how large scale projects work knows that you can't fix everything, only the things that cost your customers the most money.
Where the whole thing is allocated dynamically, based on what someone else told you the size was.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
In a company run by Software Engineers, bugs would be fixed before new features are added and we'd see life cycles similar to open source projects that produce typically stable and largely bug free 1.0 releases.
The reality of Corporate America, however, is based on quarterly results. Getting that next release out the door and being able to sell is everything. That means that all clean-up work (bugs, exploits, refactoring) will be prioritized along with new features and unless it's really critical will likely not get done for a long time, because they are lower priority since they bring no customer sales.
Unless and until those bugs affect the bottom-line, the company won't do a thing about them. A good recent example would be Sony's rootkit problem, which it turns out was pointed out to them before the public release on sysinternal's blog.
http://www.gloryhoundz.com/
It is all about attitude and focus.
Open Source proves that developers can work together asynchronously and distributed around the whole world. I can't see any reason why any large organization can't do the same.
OpenBSD proves again and again that their view about quality does reduce problems.
Nor did you say it! I have no idea what the hell he's talking about, even if an equally moronic moderator found it "insightful".
The article is making a very dangerous assumption here... assuming that other companies fix all their bugs. They are only fixing bugs that we know about. Who knows what they have found in-house that has remained unpatched because it was deemed too obscure.
Another thing the author is missing is that these competitors stay in business by creating the impression that all vulnerabilities are fixed. Microsoft is vastly more publicly responsible than the smaller competitors mentioned. In the interest of continued business, they are pretty much required to adopt a policy of full disclosure. Smaller companies are not required to do this as much because they are the underdog, and everyone loves an underdog.
If it was discovered Microsoft knew about some bugs and didn't publicly release the information, there would be massive outcry. If Mozilla did the same, they might get a slap on the wrist, but I doubt it would seriously affect their business. As I mentioned above, they are the underdog and everyone loves an underdog.
Government's view of the economy: If it moves, tax it. If it keeps moving, regulate it. If it stops moving, subsidize it.
Why can't they just churn out patches? Testing. You have to be sure the patch doesn't break something else. That's just as important as fixing the holes in the software. So many things are interdependent in Windows it's impossible to know what effects changes will have.
Do you really think MS is sitting on code or ignoring security problems? If you do, you're naive. MS is a business - it doesn't pay to ignore these things.
Incompetence, disinterest, different priorities, and no business reasons to do it.
Oh, he didn't really want an answer?
Assorted stuff I do sometimes: Lemuria.org
Any intro economics class will teach you that monopolies are bad for the following reason : "They dominate the market and this means that they don't have to do any research or develop _really_ new product, so they don't."
This is classic monopoly abuse, plain and simple. If Microsoft goes out and sets the bar high for themselves, it'll cost them more in the long run, instead of costing us more.
We're used to OSS products that can be patched in a day, but we're also used to seeing those patches break things in unanticipated ways, often making things worse.
We're also used to picking on Microsoft for having buggy software. But they have extensive and long testing procedures, without which MS software would be WAY buggier on release. Their software is massive (for some good reasons and some bad ones), so it's a huge undertaking to fully test it.
In order to avoid, as much as possible, unanticipated consequences of a patch, Microsoft cannot simply make the fix and release it. An argument could be made that if they were to do that, they would often create more vulnerabilities than they started with, so releasing too quickly would be a BAD thing to do. Windows 95 is an example of something that was released too quickly, lacking certain kinds of testing entirely; you can see the unfortunate results when you try to connect a Win95 box directly to the internet and wait 5 minutes.
So, why can't Microsoft 'patch everything'? Here are the reasons:
(1) First, you have to FIND 'everything', and Windows is just massive.
(2) When you make a change, you have to test it extensively, which takes a LOT of time.
(3) Some patches are one-liners. Some affect large amounts of code that makes it even harder to anticipate consequences.
(4) Sometimes, you have to test things one at a time. This serializes your patch process in such a way that it just takes a very long time. This is very hard to avoid.
The fact of the matter is that if Microsoft were to 'patch everything', we would have a lot more to complain about. People should stop asking for stupid things and be realistic.
Even OSS projects can't 'patch everything' successfully. Sure, many of them are better designed from the start, so there are fewer things to patch, but when a patch needs to happen, the same amount of testing is going to have to happen, one way or another (either you release a beta and let it get tested for a while, or you just stick it in and wait for the shit to hit the fan and end up fixing the consequences the same amount of time later anyhow).
Also, certain people forget that Microsoft did go on a 'patch everything' hunt and DID fix a huge number of bugs. They still didn't find everything.
Oh, and if we're just talking about patching everything that's currently known, my argument still stands. Patching a bug or vulnerability is often quite difficult.
Currently, more than two dozen Windows XP issues remain unpatched.
Really? Only two dozen? If the author is foolish enough to think that Windows only has two dozen bugs, it's no wonder he's foolish enough to think it should be easy to fix them.
This post is not a slam against MS, but the article...
There's no money to be made in fixing problems and issuing patches.
While maintenance may appear to be a money-sink rather than a money-maker, the reality is that it protects existing and future revenue streams.
Imagine if Microsoft refused to patch anything. Even ignoring the lawsuits, it would cost MS dearly in lost future revenue.
So, in a way, the money MS makes on insert-next-version-here is in part based on their reputation, or lack of one, when it comes to maintaining insert-current-version-here.
Of course, if their code had fewer serious bugs this would be less of an issue.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Maybe it should be named zero-year exploit.
Signatures are for stupids.
While it's probably true that if MS would put more programmers into patching vulnerabilities they'd be brought to market quicker, I don't think that the author realizes that
Download free e-books, lectures, and tutorials at bookgoldmine.com
If there were no IE exploits, there would be no opportunities for pr0n gangsters to rip you off with their lovely dialer virii, and if we didn't have them, we'd have less lovely pr0n to look at. So, in summary, M$ are largely responsible for my one-man love life. I think some gratitude is in order.
I think Microsoft should produce patches ASAP. But does it really matter? There are so many new issues every week that nobody, except for a few fulltime system managers, could actually keep up with the rate of patches needed. Automatic patching may be an option for some users, but not for all. Sometimes you simply do not want to change a running configuration for a while, let's say shortly before a deadline. So, my conclusion is, even if Microsoft would be able to provide patches immediately, it would not help. Besides, it usually takes a while until vulnerabilities become public or known to Microsoft.
There are two types of "patching".
1) Patches to fix code flaws in an otherwise sound security model.
2) Band-aids for a flawed security model (anti-virus updates are in this category).
Microsoft focused on "user friendly" and "ease of use" for so long to the detriment of security. And security cannot be retro-fitted to a system.
When they merged IE with the OS, just to be able to beat Netscape, they opened the OS to a whole new category of exploits.
And then ActiveX made web app programming so much easier ... and opened a whole other category of exploits FOR THE OS.
I would love to see a poll asking how many people are really affected by those IE "holes".
I would bet it's such a small percentage that it is laughable. Remember, the security companies get money and PR by exposing as many holes in software as they can find. In all the lifespan of using Windows and its various versions and IE I have NEVER encountered any site with any of the security problems that the "experts" jump up and down about.
Yes, they should be fixed, but they should also not be treating this stuff like it's the end of life as we know it.
If you are so worried about these things, stop complaining, get a job with Microsoft, and try to help them fix them. Complaining doesn't help anything.
It _is_ a less critical bug. All modern linux systems have the same 'bug' by design, and not only for 16-bit applications. The consensus is that this is not worth fixing. (To execute an arbitrary file, even one on a fs mounted noexec, simply use ldlinux.so to launch it)
Try out fish, the friendly interactive shell.
Give me $1 billion (3% of Microsoft's annual revenue), promote me to CEO, and I fix ALL unpatched security vulnerabilities in ALL Microsoft products by the end of 2006.
An army of programmers? I doubt they could beat the Swiss Army in a fair fight. But let's face it -- we all work with colleagues who are not too swift or aren't the world's brightest bulbs. So you take the numbers you find in a typical shop, maybe 15-20% hacks, and multiply that by the number of MS progs and you figure they have so many goobers on the payroll that they'll never get out from under their bugs!
There's really no way, once a program reaches a certain size, for bugs to be easily eliminated. The deeper and more complex the code gets, the smaller the margin of error. Add to that the intricacy of some code and occasionally fixing a bug is going to either take forever or worse, spawn more bugs.
That Microsoft can stay on top of what they have is remarkable; that their software doesn't burst into flames the first time you try to run it is astounding. Eventually the bug count is going to reach critical mass for IE and at that point they may just give up on it and start over. We hope.
GetOuttaMySpace - The Anti-Social Network
If they fix all the security holes in version X, then they lose a selling point for version X+1:
"OMG New Windows X+1! The most secure version of Windows like evar!!!!"
Attention all hands! Abandon metaphor! ABANDON METAPHOR!!!
Though I must admit, it gives new meaning to "software piracy". Ahrrrrrrrr.
On top of that, complexity also increases exponentially the more interaction there is between systems, which is exactly what people have been scrambling for - they want their email client to integrate seamlessly with their web browser and their private thingamie collection.
Both of these simple facts make it staggeringly difficult to predict the impact of even small changes. The small software houses are able to fix their products quickly because they face neither of these problems - their software is, by definition, relatively small and simple (however ingenious it may be) and almost never attempts to integrate itself with every other application on the computer.
How about asking all /.'ers who have jobs that can be threatened if the exploits damage their company's ability to maintain profitability (which presumably would cause a massive layoff) to copy the list of known vulnerabilities from the article, and send it to the available M$ e-mail addresses for bug fixes.
Conversation:
"Mr. Bill (G.), our e-mail servers are getting DoS'd and/or flooded with so many requests for fixes on all our security problems."
Bill G.: "Oh wait, it's just the /. effect.... never mind. Don't patch anything and wait a few months to see if they go away..."
Hmmm.....
Software (despite what M$ would have us believe) doesn't wear out.
The only way to sell new stuff is have it break down. They only fix a few vulnerabilities at a time to make us believe they're trying to keep it safe, but they really built the "rust" at the factory.
Add a few new "features" (read code bloat) and the replacement cycle starts all over again.
They're probably secretly supporting a few exploits to keep the demand up.
"...why can't Microsoft -- with its massive army of programmers and massive budget -- patch all of its vulnerabilities?"
Why can't you -- with the "massive" amounts of Microsoft history available -- understand that Microsoft products have always been over-priced, mediocre, mass-market junk? If your computing is valuable to you, you use quality products -- that has never been Microsoft.
You are complaining about water being wet. The only thing amusing about this is that you have _so_ much company.
Part of the problem stems from the corporate environment. It is a cost vs. benefit thing.
Management view: "If all of our existing capital is being spent on fixing something we have already been paid for then we are losing money. We should spend it on something that is going to make us more money, i.e. development."
Part of the reality is, that by selling v2.0 (new and improved!), they get to make more money selling you bugfixes.
First, Microsoft doesn't make money on patches. Second, Microsoft has a monopoly on desktop OSes so it's not as if users really have a choice to change. Thus, Microsoft has absolutely no incentive to fix its problems.
Eventually Microsoft will move us to a subscription model, where we'll pay to get updates every year. At that time it'll have the incentive to fix its software, but it'll cost us.
Why do drug companies only make you feel better and not cure everything? ;)
My apologies then, I didn't know this was the case.
That problem was fixed, um... 4 years ago?
/lib/ld-linux.so.2 ./test ./test: error while loading shared libraries: ./test: failed to map segment from shared object: Operation not permitted
$
Due to Mars being so close to earth, a hurricane system is developing in the Gulf of Mexico. Due to this there will be lot of snowfall in the Sahara desert, as a result the apes living in Madagascar have started evolving faster. Due to speeded up evolution, in another 50 years they will become software engineers. With so many software engineers available, Microsoft will go on a hiring spree and then use them for fixing bugs. So unless these monkeys evolve the bugs cannot be fixed.
> Had Microsoft fixed a low risk browser vulnerability six months ago, perhaps we could have avoided last week's zero-day exploit.
How can you make a 0-day exploit (which means the vulnerability was not published until the exploit was out) on a vulnerability explicitly published 6 MONTHS ago?
I wondered how I was able to run mIRC16 on those library computers which wouldn't seem to run any other win32 GUI apps (win32 console apps still seem to work). And here I thought it was a bug in their security software. I guess they could simply block NTVDM (assuming there are no needed 16-bit apps on the system), but I sort of wonder if that's really feasible. I guess, once again, other companies will have to come to the rescue to overcome flaws in Windows.
The simple answer is Microsoft has no incentive to provide software that works. They only want to provide software that will get people to dump bucketloads of cash on the Microsoft campus. Until people value software that works (which we know from experience they don't -- except rare customers) this won't change.
The Free Software community identified this problem a long time ago. They also saw another problem. As the number of users of software increases, the number of feature requests increase as well. How do you satisfy all of these customers simultaneously? Eventually, the proprietary software model is unable to address the needs of their customer base as it grows. (Witness that there is no Icelandic Windows available anywhere.) The Free Software solution is to let the users fix it. So, if there is a problem with the software that any one person is willing to spend the time and money on to fix, then it will get fixed for everyone. Since security holes bother at least a few of the users of Free Software, and these users are also ones willing to put in the time and cash to get it fixed, it gets fixed.
Simple capitalism is the reason why Free Software is doing so much better than proprietary software. As a piece of Free Software becomes popular, it increases in security, features, and usability at a faster rate than proprietary because of the economic incentives.
For those asking for patches for every possible security issue: List the software products you patch that have 100 million users. If your fix causes a problem for 1% of your users, can you deal with a million phone calls?
Microsoft does not want to say:
"We just patched 3491 extremely critical bugs this month alone - see how secure our OS is!!!!"
It's a bit difficult to be touting your OS as the most secure, but at the same time be frantically patching hundreds, if not thousands of bugs each month.
Probably bureaucracy & procedure!
Hey - You've ALL probably noted @ one point or another in your careers, especially in LARGER (relatively speaking) companies, that getting for instance, a static IP assigned to a server (especially when you have the server admins RIGHT THERE to do it in your building) should only take a few seconds.
However, in a "layered bureaucracy"?
(e.g.-> 50 VP's, most of which are overseeing dept.'s they have NO business or experience overseeing)
Well, there you have to 'ask mastuh' to get it done, slowing you WAY the hell down & impeding progress, but giving that inexperienced moron who's most likely in the job because he knows someone way high up, or was their frat brother, OR is the largest stockholder's nephew a raison d'être!
Don't laugh - this shit happens, everyday, & it's how the "real world" (unfortunately) works & most of you doubtless know this!
That's in EVERY aspect of business, however, also in this field especially...
There are WAY too many of those types who don't even understand the division they're overseeing no less - how sad!
It could be said "this field is only 50 years old" (vs. say, accounting or finance, or even marketing/sales etc.) but, that's PLENTY of time to have folks oversee dept.'s they actually understand... & to give those (because they understand it) that need some autonomy to make decisions, that ability!
It's called "delegating authority".
(Most will say some horsecrap like "I don't need to know it, I just hire someone who does" & one day, when their corporate accounts get something like (look this up->) "the salami technique" done to them? Then, they can wonder about that STUPID statement of theirs... because, w/out understanding & experience in ANY field of endeavor, you have NO business running that section - it's an opening to being hoodwinked/robbed, period!)
That's my take on it, & it's been seen (again, lookup salami technique).
So, in order to do what you need doing (and everyone's crawling down your back for it to be done) & that means "hurry up & wait", while they are out golfing or schmoozing/b.s.'ing with their 1/2 million dollar expense acc't.
APK
P.S.=> I've been around this field for 23 years now (almost 13 as more than an end-user) & seen SO much of that very thing... Is it getting better? ABSOLUTELY!
As time passes, people that actually understand how things are done in IS/IT/MIS actually hopefully get lead roles, & understand that you need SOME 'autonomy' in order to get your job done... w/out some fool's signature who doesn't even understand the topic @ hand no less & has NO business running an IT/IS/MIS dept. or overseeing it! apk
The whole issue revolves around cash. Sure, Microsoft has the ability to patch every stinking hole in its OS's, but at a terrible financial cost. Or, it can patch just the ones that it feels are most critical and important, yet people still buy their OS or a computer with it. It's all about opportunity costs to the company. If there is an economic reason NOT to patch it, they won't.
Does this mean that someone could just write a whole set of programs for accessing/modifying/deleting files etc. on windows as long as they were 16 bit applications and just host them somewhere for whenever they are at restricted computers, i.e. in a library or school.
IIRC, IBM tried to do just this with OS/360, which was developed in the 1960's IIRC. What they eventually found was that despite their most concerted efforts, they reached a point where trying to fix old bugs introduced at least as many, or more, new bugs.
Now consider that IBM's systems are meant to run for a LONG time, so their OS/360 team probably wasn't facing the pressure to divide their time between fixing old bugs and introducing new features. Fixing old bugs was probably key.
Contrast this to Microsoft, who (for whatever reason) seems powerfully drawn towards modifying Windows, Office, etc. to introduce new features. Not only does this reduce their attention span for fixing old bugs, but it also introduces new bugs with the new features.
As far as why they can't just throw more people at the problem: Software development teams seem to have an optimal size, beyond which adding people introduces so much chaos that it actually slows development. This effect is described in the book, "The Mythical Man Month" by Frederick Brooks.
The initial post is a strawman argument...
...which predicates the argument on the notion that small software companies patch all their bugs.
If smaller software companies can patch all of their bugs serious or minor, ZDNet's George Ou asks
So if I go looking for bugs in say the Opera browser I won't find any, because small companies patch all their bugs?
Nobody patches all their bugs; not small companies, and not large companies. The argument is a piece of sophistry that simply sets up another round of MS bashing. A fun sport, but it shouldn't be mistaken as anything except sport.
"All of our products now certified 'Good Enough'(tm). The new version will fix (insert issue here) anyway."
On a related note, don't you just love the dinosaur ads MS is now using. "Still using Office 2000?!? What a relic you are! You ever heard of the dinosaurs? Well that's you if you don't upgrade RIGHT NOW! Also, the 'Good Enough'(tm) guarantee expires the day the new version comes out."
Ignore anything I said above, I actually agree with everything you believe - mod accordingly.
Why Can't Microsoft Just Patch Everything?
42
This article seems to make the case that Microsoft isn't as committed to quality software as other "smaller" companies, which I don't think is the case. In fact, Microsoft has a higher ratio of Test to Dev than any of the other big software companies (and surely OSS efforts, where testing is far less secksy than writing the newest coolest feature) around, close to 1:1 for most teams, with a big emphasis on regression testing. I also think that by taking so many people off of the Longhorn effort to release XP Service Pack 2 (one of the biggest security advancements in OS ever) the company showed that it is serious about patching and security.
I'm sure there is a reason they haven't patched the recent vulnerability yet, although I wish they would get on it as much as the next guy. It's a constant decision in software: do you keep throwing skilled manpower at patching products like XP & IE6 or do you make it a priority to get Vista & IE7 out the door? If you're Microsoft it's sort of a damned if you do, damned if you don't decision.
Microsoft focuses on the attack, as in FUD, new features, etc. Once something is released, they concentrate on new things. Going back to clean up something which is already out the door takes resources from other projects which are adding new features. (Interesting to compare this to the Imperial Japanese Navy in WW II ...)
The network effect. Microsoft combined features, making everything dependent on everything else, to lock people in. That came back to bite them. When you have well designed interfaces with good separation of functionality (modularity!), it is a lot easier to isolate changes; one change doesn't necessarily affect everything else in unknown ways. Testing a change inside a module doesn't propagate to other modules unless the narrow and well-defined interface also changes. Since Microsoft has made so much of their internal code part of the interface to get that lockin, it requires a lot of regression testing, and they have reached the point where they can no longer test everything that needs it.
This is known as hoist by their own petard.
those aren't bugs, those are features!
Touche!
We used to call that the Clown's car syndrome : you turn the lights on, it opens the door. You close the door, it stops the engine. You restart the engine, hubcaps fall....
ohh! come on microsoft can't make miracles
Microsoft has a lot of employees to feed large salaries to. The teams of developers, designers, programmers, PR guys.. They're still giving support and updates to an OS that's coming on 8 years old, on top of all their new product.
Now, I can't say for certain, but I imagine that means that every time they release a new OS, their support staff grows bigger, whether in house or contracted out (I'm not sure how MS handles it).
This is A LOT of people folks.
So, you're in charge of keeping MS a growing profitable company. Does it make sense to focus your time on patch after patch after patch, which does nothing but tie up your employees with additional support and coding while in no way contributing to the effort of actually paying them? Do you focus on pushing out the new OS, forswearing support of a decade's worth of previous OS's, Office, and other programs (I'm not going to venture a guess at what they're still supporting... and how many questions they have to field about things they're not still supporting, and how many questions they get for, I dunno... any program that was ever made for PC that people have trouble making run out of the box...)
Smaller companies don't have this problem. For most of them, all they need is a relatively short testing period to make sure it runs on Windows. Microsoft has the reverse problem: to make sure ANY legitimate programs, however poorly implemented, run out of the box while at the same time distinguishing between those and malicious unwanted programs. They can't cater to the smart people either. Linux has fewer bugs, but let's face it; even the easy to install builds are a brain job for newbies, and impossible for most grandmothers.
So yeah, Microsoft has a full plate, and as ugly as it sounds, I doubt it's economically feasible for them to fix everything. They have to prioritize. New features = new money. New patches = no money + continued expenses.
Conspiracy theories aside, does anyone really think they *like* having a reputation for buggy software?
Yes, and you're not insightful or interesting, no matter how many idiots line up to mod you that way.
Well from "Get the Facts" MS doesn't have bugs or the need to patch... =)
It is, however, to be noted that:
It's a matter of priorities for MS, just like it is any company.
If smaller software companies can patch all of their bugs serious or minor, why can't Microsoft -- with its massive army of programmers and massive budget
Have you SEEN their source code, no seriously....(yeah, I peek'd, but certainly didn't poke)
It _is_ a mess. Spaghetti would be what happens when you try and bolt everything onto the kernel. Poor programming at its richest, I mean finest, or should I say worst?
Actually, looking at it again, I suspect that you can't gain privileges even if an suid file is +r, unless ld-linux.so is setuid/setgid.
Note the vast majority of "bugs" in bugzilla that are labeled "enh" --> those ones are enhancements that users would like to see.
Instead of counting against Mozilla, the fact that they allow so much user input is a great OSS feature.
No one said OSS was free of bugs. Since end users are allowed to submit bugs, the only ones that should be counted are those that are confirmed.
Try the following list: bugs that are in Firefox, not marked "enh", and have an action priority (P1-P5). (note: copy/paste link since bugzilla refuses connections referred by /.)
Only 179 bugs. Sure, those are only the ones that the Mozilla team deem necessary to work on; however, we've seen from their reactions with 1.06 -> 1.07 that they are very quick on figuring out what's important and patching it quickly. Sure, that's a lot of unpatched bugs. But: that list is publicly available. Any researcher can go in and say, "hmmm.... let's find the security flaws that Mozilla has left unpatched". And they do, trust me; the thing is, the Firefox team patches the bugs that cause security flaws. Other ones are cosmetic, user interaction, or feature-based in nature. They still appear as "bugs", even though they don't pose a security threat.
The issue is not that OSS has no bugs - that's an obvious farce. The issue is that Microsoft first misdiagnosed a critical bug, and then left it unpatched for 6 months and counting. The Firefox team consistently finds those bugs that do pose a threat, and they leave the work they do open and transparent so that security researchers can check up on what happens. Microsoft - let's put it this way: if security researchers never found the flaws in Microsoft's programs, Microsoft would save money and increase efficiency by not fixing them.
1) their source code is a bloody mess. 2) patching costs money. 3) Vista will fix lots of problems and patching XP/2000 means less people will move to Vista to get security. 4) They have a monopoly... money is rolling in and don't care about their customers.
I don't think it's entirely fair or even accurate to compare Microsoft's products to those owned by smaller companies. It's misleading at best and blatantly false at worst to state that any company patches all of its exploits. There are always bugs in software, and usually an exploit to go hand in hand with any given bug. Smaller companies' software appears to be more secure simply because their program is not as widespread; Windows, for example, is the most used and most well-known operating system by a considerable margin. Therefore, any exploit found in Windows will become common knowledge quicker, and will be exploited quicker. Indeed, I'd wager that Microsoft's products have been patched to prevent a far larger total number of exploits than just about any other company's products. By the same token, I'd say that many other products are left with a considerable number of unpatched exploits, the difference being that they either haven't been discovered or haven't entered common knowledge yet.
Additionally, the size of the company is, in a sense, a two-edged sword. Sure, Microsoft has a ton of programmers and developers, which would indicate they certainly have the manpower for repairing exploits. However, when you have so many different people working on the same project, you run into problems. If you write a program entirely by yourself, it's relatively easy to look through your own code and see where you messed up. On the other hand, if you worked with a dozen other programmers together on a project, it would be considerably harder to figure out exactly where the issue was. Multiply that difficulty by 1000, and that's where Microsoft is. The term 'clusterfuck' comes to mind...
find . -name '*.[ch]*' -exec egrep -H 'strcpy|gets' {} \;
Oh, wait, that won't work on Windows, will it? Maybe you could install cygwin first. Anyway, get on it, guys.
Why not make cars that don't crash and planes that don't fall out of the sky. I mean, why can't engineers simply build better cars and planes.
Software isn't simple, period. Patching software, especially in a large and mature product could introduce undesirable results or stability issues, or further security holes.
Patches are not just about writing up a few lines of code and adding it to the pile, the patching process needs to ensure that changes to an existing system doesn't affect other systems and features.
Also, don't say company X patches quicker or is able to do things better. Company X may have a smaller code base, a newer code base that is easier to handle, or simply doesn't focus on preventing instability or incompatibility by introducing patches as much as Microsoft does. For instance, Apple often introduces incompatibility and other annoying issues after releasing a patch that eventually need to be fixed as well. I would prefer a company to issue a patch that doesn't force me to patch again because they broke something, rather than one offering a knee-jerk upgrade ASAP. Few other companies have a finger in 98% of computer users and the kind of scrutiny MS goes through, so few feel the pressure that MS does to release patches timely as well as ensuring stability.
I am not defending MS for having products that require so much patching. Obviously there are fundamental flaws in their code base that allows it to be exploited so easily. Systems like Unix and its derivatives were inherently secure from the ground up, they were always intended as networking OS'es. Windows was not. Networking in Windows was an afterthought.
Anyways, to whine and say that MS should fix patches faster just alludes to people's ignorance about how software development works. I don't think MS is holding back patches just to annoy and frustrate people or that they are not concerned about security like what so many zombie anti-Microsoft pundits suggest. Microsoft is releasing patches as soon as they can fix the problem while not introducing new ones, just that their system is so flawed that it takes a large team and a lot of time to do that.
There was a business mantra in the '90s, and still out there today, that defines "quality" as whatever it takes to please the customer. Consultants hauled in buckets of money generating cliches out of that. Companies may be driven by customer satisfaction, which is fine as far as it goes, but it doesn't mean their products are any good.
The flaw in the cliched definition is that often the customer doesn't know what they're getting or have any basis to judge how good the product is.
Microsoft, being driven by market share, is a step removed even from that level of quality. They only want their customers to be happier with their products than with the competition (which is often another of their products or an earlier version of the same one).
Making things properly is not in their range of capability.
But Apple doesnt have this problem...
Can Microsoft just patch everything?
I must have missed the part where someone said they couldn't.
Had "Computer Terrorism" alerted Microsoft to the fact that the low risk vulnerability was, in fact, much more dangerous, perhaps we could have avoided last week's zero-day exploit! Not to mention the press this is generating for their company...
Dana Epp has some good comments in The Cost in Fixing Bugs and How Irresponsible Disclosure doesn't Help the Matter.
Microsoft is a business. Their cost-benefit analysis of fixing a low risk issue probably didn't give them enough justification to fix the bug. Had CT responsibly contacted MS and notified them of the increased criticality, MS would have elevated the need to patch, released a patch...and this wouldn't be a problem.
While this doesn't alleviate MS for not patching...the disclosure could have been handled with quite a bit more professionalism, IMHO.
Now excuse me while I eat this single strand of spaghetti from the middle of this massive bowl without disturbing any other strands.
They just can't, Mmkayy?
People keep buying MS software. They may gripe and complain and moan, but they KEEP GOING BACK TO MS!!!
As a company, how much money and resources should you put into keeping your customers happy when you won't lose them even if they're miserable? The answer is as little as possible. The current rule of business is to spend as little money as possible to keep your customers, while covering your ass from liability issues. Look at MS's actions for the last five years or so, and you'll realise that that's exactly what they've been doing, quite consciously and deliberately.
Sendmail, case in point... older codebase does not mean more secure
One explanation that seems to have been overlooked, is that there is a lot of code that was written by engineers that are no longer there, and it was written in a way that no one there really knows how to debug it. If one function has exploits, and it takes weeks just to parse the code in that function (which may also use sub functions that are obfuscated and broken), it is often easier to rewrite it, but that also takes a lot of time. Also, after viewing a sample of their XML coding for Office 12, it's no wonder they have issues fixing their code. Furthermore, they really need to start by fixing their tools. Some of the autogenerated code that comes out of Visual Studio is really bad (from what I've heard on other sites). As to OSS patching, the majority of open source applications follow a cleaner coding style from the beginning, although there have been applications that went through complete rewrites. Another area in Windows that can't easily be rewritten is the undocumented function calls. They do exist, and they are used heavily internally by Microsoft. The Wine team is constantly running into them when they try to get a Microsoft app to run in Wine/Linux. And I remember when I talked to a friend that works there 12 years ago (he's still there, just haven't heard from him), that they often pass information on undocumented API calls via email or word of mouth. That really limits the documentation internally. They can't easily just do a complete rewrite for this reason. If they could, Wine would be fully functional now, because all of the documented function calls are available through third party programmers' guides (I have 2).
The only fools Microshit needs to bamboozle are the Senior Executives at corporations who know nothing about computers, but hear the words "Trusted Computing" combined with Microshit's name recognition and they think, "Surely they've got it right this time" and instruct their IT bitches to fall in line.
It's the same old game of Lucy pulling the football away from Charlie Brown over and over again.
What he means is that no company, no matter what the size can "patch all of their bugs serious or minor" in a commercial software system.
Who reads ZDNet? Actually, a better question would be, of those who read ZDNet, how many take what they read there seriously? ZDNet is rampant with uneducated assumptions and ridiculous conclusions. If you're gonna write about technology, then at least employ people who are knowledgeable. No need to have every journalist be a computer scientist, but for pete's sake run everything through a group of people who are educated on what your publication is supposed to be about - technology! Or, just continue with what you're doing and mislead/frighten people through your own ignorance of the topics at hand.
Damn linux.
Those guys fix even the bugs that nobody thinks is worth fixing... makes everyone else look bad!
If you have read permissions shouldn't you be able to make a copy and set the permissions any way you like on that copy anyway (ok, maybe it is a problem if the user has absolutely no write privileges on any part of the filesystem but in every other case it is merely a shortcut for copying and changing permissions)?
Linux is not Windows
There,
All MS problems patched.
Microsoft is basically damned-if-they-do, damned-if-they-don't. If they don't patch the flaws, they're bad for providing an unsecured environment. If they do patch the flaws, they're bad for breaking existing applications. I think that Microsoft should just make their OS secure to begin with instead of leaving problems to be fixed later. This is why no one likes Microsoft, because they will not just go ahead and fix their problems, they release patches all the time making Windows users need to constantly update their software.
Remember when Windows 2000 initially shipped with 63000 known bugs? Microsoft has always been pretty liberal about not sweating the details and more focused on the big picture.
MS is just too protective of their source code to let an army of programmers audit it.
Imagine you write a long long book. Even if you try to correct all the typos you may miss some of them. It is hard to publish a book with no typos at all.
I think that was great fun! If MS management believes that the security problems are "typos" then I understand they can't fix them all. Of course, security problems are more like problems with the story line: contradictory events, inconsistent background and such things.
Maybe they still have not accepted that the reason for their security problems is the poor design of Windows (particularly integrating things very freely). As long as they don't accept the truth they will try to correct typos, and that will not make the story any better.
I don't think the author is aware of the hotfixes that Microsoft puts out all the time to fix vulnerabilities (which are easy to get via Windows Update). What he says was true several years ago, but MS has gotten way better about timely fixes. The number of individual fixes has dropped off lately, but I attribute that to stronger security in recently released OS versions, not lack of attention to security bugs.
Look at the first item on his "unpatched" list - UPnP GetDeviceList Denial of Service - follow the link. "Windows XP Service Pack 2, Windows Server 2003 and Windows Server 2003 Service Pack 1 are reportedly not vulnerable." There you go. Perhaps he doesn't consider Service Pack 2 to be a "patch"?
Trustworthy Computing doesn't mean you can trust your computer not to be cracked/infected. M$ doesn't care the least about that. Trustworthy Computing means that M$ can trust that you will be unable to use any pirated copies of their software (and if possible, be unable to run Linux as well). That's their only concern. It's meant to lock you out of your own computer, not to protect you.
Why can people still run 16 bit apps in windows? Last I checked, Windows has been able to run 32 bit applications since at least Windows 95, which came out over 10 years ago? Obviously, this feature is there for compatibility reasons, but is that even needed anymore?
Excuse me, how much CASH do they have in hand? Some tens of BILLIONS, I believe?
(When they aren't handing it out to stockholders in one-time stock prop schemes...)
This is exactly my constant point - they HAVE THE MONEY to hire the PEOPLE to FIX their problems! AND THEY DON'T!
Period. End of story. Nuttin' more needs to be said (but will be, anyway.)
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
.. remove MS OS and install Linux or FreeBSD. FreeBSD really does a better job at patching IMHO.
Only 'flamers' flame!
Does slashdot hate my posts?
they collect revenue for support and don't spend it - which is why small companies that do fix all their bugs don't have any money.
Simple economics 101.
Money for nothing and the chicks for free...
Oh well, what the hell...
OK, some bar owners loose customers; at least, the ones who drive other customers away.
Or are you one of the internet's illiterates and meant "lose"? Nobody in their right mind would loose a customer (except the bar owners).
"Loose" is a verb that means something completely different than "lose," moron.
Read = 4
Write = 2
Execute = 1
0444 = Read by everyone
0111 = Execute by everyone
As an example of the extra hurdle copying imposes, say you want to attack someone via a set of holes in Firefox. With /lib/ld-linux.so, you need only the following, if you can't make firefox itself do arbitrary things:
Without the ld-linux vector, you have to:
So it's not a huge hurdle, but it's there!
--
Given enough personal experience, all stereotypes are shallow.
I would have modded you up but I see thats already been handled. We use a number of different operating systems in production environments and patching can be a nightmare. Breakage of course is one of the most obvious, but you've also got to count possible down-time (system restarts, trouble shooting), minor bug-hunting, possible software rewrites. All told a lot of big business doesn't want the boat rocked. At all.
Which all means that QA testing is important, and that takes time. With a company as big as Microsoft, with a consumer base that is as large as it is vocal, and trying to make in-road into more enterprise/server territory I can see why they might not be as snappy with fixes.
Sure with OSS a patch can be thrown out almost immediately, but that's a kind of 'fly by the seat of your pants' approach. When kernel updates break driver support for X you might be in a world of hurt. And here's a hint: even Redhat has included bungles like this; that haven't been fixed to this day (sym53c8xx).
I'm really not trying to point fingers though (we use RHEL, my choice). Simply pointing out that at least at the enterprise level patching can cause some to break out in the cold sweats. And it's hard to budget in test systems for every production system you have online. Especially if your company isn't (or is barely) at break-even.
Quack, quack.
I found the flaws in Visual Studio 2005 and Sequel 2005 AMAZING! VS crashed every 10 minutes, even during the MS demo at the Dallas Convention Center on Nov 30th. The things were obviously NOT ready to "rock the launch."
Sequel 2005 includes built-in encryption. Every encryption scheme MS ever launched had bugs so bad it could be cracked by a 6-year-old in 15 minutes. This will likely prove to be no exception. I can just see a script kiddie having access to every database that uses Sequel 2005.
VS includes something called "smart clients." This means that web servers have the same access to your PC as a locally run program. They can print, format a floppy, burn a CD, or save to your HDD. DOES ANYONE SEE A PROBLEM HERE!?!?! I remember in the late 1990's, when MS released ActiveX, and I learned you could turn off someone's PC via IE. I simply shut down every moron using IE who visited my web page. One friend told me he just gave up and bought a new PC, because his apparently had a bad power supply when it ran IE.
Andy Out!
Hey! =/
I love to slaughter the English language.
that is valid D code, and since D has array overflow checking then you won't have such security problems ;)
It's too bad that the Firefox people don't accept that this is a problem.
The straightforward solution is to run most of the browser in a jail. When a page is launched, a copy of the renderer should be launched with a connection to the window, a connection to the network, and no ability to open local files. The page can be displayed, and the page can run whatever JavaScript it wants, but it can't affect anything outside of that page-rendering environment. When the page closes, all state associated with that page is lost.
Of course, this breaks lots of stuff. Cookies. Cacheing. Links. Popups. Third-party toolbars. Plugins. Program launching. Some of those are handled by a messaging interface between the browser and its parent, the launcher, which has to be trusted but doesn't do much, so it can be small.
For security, we probably have to give up toolbars and plugins. People will whine, but that's probably a good move for 90% of business installations.
Program launching from the browser has to be limited to launching within the jail. A rendering process could launch, say, Quicktime, Flash, or a PDF viewer, but those would still be jailed. All they could do is talk to the network and the window.
That's how to fix it right. It's quite possible. The right way to do it is to build the secure browser first, even if it doesn't let some users do things they want to do.
We're going to be forced to this, as patch-based security breaks down, because the attackers are now finding their own exploits, rather than simply looking for unpatched systems.
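The launcher-side policy described above, as an added example (not code from the post): the jailed renderer sends one-line requests to the small trusted launcher, which allows window output and http(s) fetches, refuses local file access, and lets only an assumed allowlist of still-jailed helpers be started. The request format, verb names and helper names are assumptions made for this example.

```c
/* Added example: policy check for the messaging interface between a
 * jailed page renderer and its trusted launcher.  The renderer may only
 * talk to the network and the window; everything else is refused here.
 * Request format ("<VERB> <argument>") and helper names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum verdict { DENY = 0, ALLOW = 1 };

/* Hypothetical helpers the launcher may start, still inside the jail. */
static const char *const JAILED_HELPERS[] = { "pdfviewer", "flashplayer", "quicktime" };

/* Returns 1 if url starts with scheme and has something after it. */
static int has_scheme(const char *url, const char *scheme)
{
    size_t n = strlen(scheme);
    return strncmp(url, scheme, n) == 0 && url[n] != '\0';
}

/* Returns 1 if s is a single token: non-empty, printable, no whitespace. */
static int single_token(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (isspace((unsigned char)*s) || !isprint((unsigned char)*s)) return 0;
    return 1;
}

/* Decide one renderer request.  Returns ALLOW or DENY and writes a short
 * human-readable reason into `reason` (capacity `cap`). */
enum verdict launcher_decide(const char *request, char *reason, size_t cap)
{
    char buf[256];
    char *sp, *verb, *arg;
    size_t i;

    if (strlen(request) >= sizeof buf) {           /* refuse oversized input */
        snprintf(reason, cap, "request too long");
        return DENY;
    }
    strcpy(buf, request);
    buf[strcspn(buf, "\r\n")] = '\0';              /* drop the line terminator */

    sp = strchr(buf, ' ');
    if (sp == NULL || sp == buf || sp[1] == '\0') {
        snprintf(reason, cap, "malformed request");
        return DENY;
    }
    *sp = '\0';
    verb = buf;
    arg = sp + 1;

    if (strcmp(verb, "DRAW") == 0) {               /* the window is the renderer's own channel */
        snprintf(reason, cap, "window output permitted");
        return ALLOW;
    }
    if (strcmp(verb, "FETCH") == 0) {              /* network, but only web schemes */
        if (single_token(arg) && (has_scheme(arg, "http://") || has_scheme(arg, "https://"))) {
            snprintf(reason, cap, "network access permitted");
            return ALLOW;
        }
        snprintf(reason, cap, "only http(s) URLs may leave the jail");
        return DENY;
    }
    if (strcmp(verb, "OPEN") == 0) {               /* no local files, ever */
        snprintf(reason, cap, "renderer has no access to local files");
        return DENY;
    }
    if (strcmp(verb, "LAUNCH") == 0) {             /* only jailed helpers, by exact name */
        for (i = 0; i < sizeof JAILED_HELPERS / sizeof JAILED_HELPERS[0]; i++) {
            if (strcmp(arg, JAILED_HELPERS[i]) == 0) {
                snprintf(reason, cap, "helper started inside the jail");
                return ALLOW;
            }
        }
        snprintf(reason, cap, "only jailed helpers may be launched");
        return DENY;
    }
    snprintf(reason, cap, "unknown request verb");
    return DENY;
}

int main(void)
{
    /* Constructed sample requests as a renderer might send them. */
    static const char *const requests[] = {
        "FETCH https://example.com/page.html",
        "FETCH file:///etc/hosts",
        "OPEN /etc/hosts",
        "LAUNCH pdfviewer",
        "LAUNCH unknownapp",
        "DRAW Hello, world",
    };
    char reason[80];
    size_t i;

    for (i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        enum verdict v = launcher_decide(requests[i], reason, sizeof reason);
        printf("%-5s %-36s (%s)\n", v == ALLOW ? "ALLOW" : "DENY", requests[i], reason);
    }
    return 0;
}
```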
I won't go into details, because this issue has already been discussed on Slashdot.
You could look up the proper definition on Wikipedia.
Fight Frist Psoting!
Browse Slashdot with 'Newest First'!
they don't have to.
Besides, they need to lay the foundation for the next upgrade.
Upgrade fever = Bill Gates is the richest pig on earth.
if they "patched everything", then they would need to find an alternate source of their weekly worldwide exposure. as we know, even bad news can be good news, it's getting your name out there that's important.
also, the constant need for patches allows them to feel they are still relevant.
Quite right. I mixed those up. Too bad I'm already at minus geekpoints; I just lost more! ;)
--
Given enough personal experience, all stereotypes are shallow.
Firefox as a 1.x product has existed for 1 year.
Firefox as a name, about 1.75ish years (Feb. 2004).
Firefox as a project about ~ 3 years. (Phoenix first released 2002-09-23, got that from here.)
Unlikely that it has bugs much older than that.
When you researched your post, maybe you didn't realize this "bug" was for the Mozilla Suite or possibly for the Gecko engine. Regardless, since the article said all Firefox security issues had been patched, I think maybe you just made it all up.
That's OK, most posts come out of people's posteriors.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
No, Anonymous fruity Coward, I decline to view your honeymoon videos. My original, vintage Zep shirts do show my persistent good taste though - thanks for noticing!
--
make install -not war
Amen. If Microsoft had less than say 50% of the consumer market, they might consider patching good business sense.
Why should they patch their software? They have too much money/marketshare to bother.
Compare this to Sony BMG's DRM 'fiasco' -- How long did it take for them to pull their heads out their arses? We (meaning me and the rest of those who have the DRM software still installed on our computers) are still waiting for a proper uninstaller, even with 3 Lawsuits and counting.
Yet, no one is suing Microsoft (to my knowledge) for not patching their security holes immediately. Should we consider this ample opportunity?
At this stage, the only two competitive advantages that Microsoft has is that they have us by the brasseys. Too much software runs on Windows. Too many people know how to operate the OS.
Is that a lawsuit I smell? Nope. It's just another chunk of the consumer over the firepit.
--
"A democracy is not measured by the freedom it gives its conformists, but by the freedom it gives its dissidents."
--
"Business is not in business to make money for the owner or to give people jobs. It is in business to offer a product or service to the consumer. Anything more is just a side effect."
That's when we'll know that they know they've lost.
Infuriate left and right
Why don't they patch all their bugs? Probably the same reason they don't do lots other things. They don't see a financial gain by doing so or a financial loss by not doing so.
Easy enough. Next question please.
Is Windows a virus?
No, Windows is not a virus.
Here's what viruses do:
1. They replicate quickly - okay, Windows does that.
2. Viruses use up valuable system resources, slowing down the system as they do so - okay, Windows does that.
3. Viruses will, from time to time, trash your hard disk - okay, Windows does that too.
4. Viruses are usually carried, unknown to the user, along with valuable programs and systems. Sigh... Windows does that, too.
5. Viruses will occasionally make the user suspect their system is too slow (see 2) and the user will buy new hardware. Yup, that's with Windows, too.
Until now it seems Windows is a virus but there are fundamental differences: Viruses are well supported by their authors, are running on most systems, their program code is fast, compact and efficient and they tend to become more sophisticated as they mature.
So Windows is not a virus.
It's a bug
Bug fixes can usually be checked into source control immediately (obviously depending on the amount of code that needs to be altered). But *testing* that this fix works on 3 different architectures (x86, x64, ia64), 6 different Windows versions (2000, 2000 Server, XP Pro, XP Home, 2003 Server, XP 64-bit), and doesn't regress any other Windows component or 3rd party application takes LOTS of time. It would involve coordinating with multiple test teams across multiple Windows divisions, all of whom are undoubtedly working on something different. And even after a patch has gone through this huge test matrix, there is still a risk that it will break something, making MS reluctant to patch all but the most serious problems.
I'm not sure what industry you work in, but this sequence is normal in most industries. While a product is under development, the majority of bug reports are generated by the development/test teams. But once it has been released to the public, the product teams move on to a new project and no longer concentrate on finding bugs in the released product. Instead, post-release bug reports come from end-users and resellers. These bugs are filed, verified, triaged, and possibly fixed as deemed appropriate by product support personnel.
Perhaps you're holding Microsoft to a different standard here?
I don't consider this a design flaw, quite the opposite. Any general purpose operating system can always be told to execute arbitrary commands, that is why they are called general purpose.
This behaviour is perfectly analogous with how scripts work:
Read and execute access -> ./script.pl
just read access -> perl script.pl
The goal of security work should not be to limit what can be executed, but who can execute. If random kids can execute arbitrary commands through your firefox, they can do whatever you can. Limiting their power in that scenario would also be limiting your own power in the same way.
...ceterum censeo Carthaginem esse delendam.
Sorry, but why the hell is this modded 5 when the more accurate replies languish at 2 and 3? I just tried this; it DOES run any executable without any execute permissions.
I've worked for MS in the past, in their Windows Sustained Engineering (WinSE) division. So I think I can bring some valid criticism to this situation.
The major issue is: How many customers is it affecting? Nevermind that it's a huge security flaw with the potential to be exploited. Has it been exploited yet? If so, by whom and who was affected? If nobody has been affected, why not? These things go into determining the prioritization for a fix.
Another slew of issues is: How many man-hours will it take to fix the bug? Can the functionality which causes the bug simply be removed without terribly ill effect? Does the person who originally wrote the code still work at Microsoft? Given the fondness for contingent staffing (aka CSG, contract workers) at Microsoft, a good number of people come and go on pretty much a 6 to 12 month basis. I know that some divisions tend to not let contract workers do development expressly for this reason, but there are always exceptions. (ie, a full-time employee (FTE) leaves the company and the company has a CSG with the skills to replace him in the interim while they hire a new FTE) Also, how many man-hours will it take to test the bug? If it will take 5,000 hours to test a bug that presently affects nobody, it ends up near the bottom of the priority list. If it will take 2,000 hours and they have a report or two from customers who have experienced the bug themselves, fixing it becomes a higher priority.
You also have to keep in mind that Windows isn't just one program. Windows XP, for example, is XP Home, XP Pro, the new XP N (sans media player), and Windows Media Center Edition I believe is also XP-based. So that's four platforms that need a fix developed and tested. That doesn't seem like much, right? Ok, Microsoft localizes their software in 44 different languages, which will all need to be fixed and tested. Four platforms, 44 languages, that's 176 different variations which need to be fixed and tested. They will generally not release a fix for only one language at a time.
The open-source community is filled with people with a lot of free time on their hands, as is evidenced by the fact that they are willing to do development work for free, and some of them do quite a lot of that development work. If a team of developers and a team of testers were to volunteer at Microsoft, giving their time over at no charge what-so-ever, I imagine you might see more of these bugs that don't actually affect anyone get fixed sooner. But as long as the company needs to make a risk-vs-cost analysis, bugs that don't affect anyone (yet) will not get fixed any time soon.
Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
And your mother smells of elderberries!
...sometimes, in order to hurt someone very badly, you have to tell that person terrible lies. - PA
Why patch something, when not patching something gives you free publicity?
It's much more important that MS has made security priority number 1 years ago, so we can all feel safe!
No they wouldnt, it would stop you from spending
enormous amounts of wasted time trying to patch things
and seeing all sorts of ads everywhere for their other products.....
seems like you don't understand marketing!
Thanks for your thoughtful reply. I guess Microsoft's real problem is it's a monoculture, and that sometimes 'freedom to compete' is more important than 'freedom to innovate'. Heh.
UNIX hasn't been a monoculture since Bell Labs sent the first UNIX tapes to Berkley. Some old Bell Heads would argue it was never a monoculture, but I digress.
Thanks again
#6.2
"If god did not exist, it would be necessary to invent him" --Voltaire
Lack of competition...
A lot of smaller companies are dumbfuck and do not patch or fix anything.
Microsoft are just a big dumbfuck company.
UPDATE: actually, mounting the filesystem noexec is sufficient to stop ld-linux.so's magic, it seems.
--
Given enough personal experience, all stereotypes are shallow.
You can't fight entropy. The bigger and more complex an entity becomes, the more and more resources it takes just to keep said entity going, and the more complex it is to fix anything or make any changes. That is why those big huge dinosaurs had to spend 24 hours a day eating, and the slightest upset in the environment would kill a whole bunch off. Entropy limits expansion. There gets to be a point of diminished returns when getting larger ceases to be a benefit.
Microsoft can't solve its problems BECAUSE it is a vast and complex corporation with huge manpower and resources. With the numbers of employees they have, the established work processes they have, and the bureaucratic momentum, it requires a lot more effort and resources to make fixes and changes than it would for a small, volunteer, open source project.
I mean, Microsoft is almost like a government agency in its size, resources, and almost-monopoly on the OS market. Most people know that government provided postal service, government provided health care, or anything run by a vast monopolist government agency sucks, so why do we think that a vast bureaucratic corporation that is ALMOST like a government will be any different? We wouldn't want some government "Bureau of Operating Systems" to have a monopoly on our software, so why should we expect much different from Microsoft?
That is not to say there isn't danger in the open source community. I suppose it would be possible with corporate and government subsidies that an open source foundation could have the same problems as Microsoft if it got big enough and powerful enough. However, the chances of this happening with open source are less, because a project can always fork off and a newer, smaller group can take over development. While not completely invulnerable to bureaucracy, the open source process, being by definition open and non-hierarchical, tends to diffuse a lot of the problems someone like Microsoft would have.
One of the big problems is that Microsoft builds systems on a scale that are much larger and more complex than small firms do. Inherently, the bugs are caused by the complexity of the system, but it also means that they become that much harder to fix.
I'm hesitant to switch my main machines over to XP because of security. My Win 2000 machines run relatively problem free, virus and spyware wise. Not that they aren't at risk, just nothing has affected their performance. My notebook running XP is another matter. If I let it sit 15 minutes logged onto the net without doing something intensive like a download or constant surfing it gets zombie botted and it's brought to its knees. Every single app locks up and 100% of its resources are occupied. I've tried a little of everything and all softwares claim there is no problem. Made me very nervous about XP. Also the longer I run that machine the more quirks it develops. Pretty normal for a Windows machine, but with a notebook it's not as simple as a desktop. I tend to redo my desktops every six months or so. I'd do them more often but we're talking dozens of apps and a hundred file folders, God knows how many files. Major hassle to reconfigure a machine.

How many consumers are going to buy an operating system that is more secure over one that has more bells and whistles? Marketing is the reason they largely don't care about security. They feel it's better to put the effort into the latest interface features and more player functions. Geeks worry about security but the average person doesn't buy because of it.
It's not so much about how complex the code is, though that should definitely factor in. The problem is that paying programmers to patch products that someone has already paid for doesn't earn you any money. It's the bottom line.
RTFA. The question was: "why can't Microsoft -- with its massive army of programmers and massive budget -- patch all of its vulnerabilities?"
Microsoft has $49 billion in the bank and about ten thousand paid staff programmers.
Tell you what, you donate a measly 0.1% of that ($49 million and 10 brilliant developers) to the Mozilla Foundation, and I guarantee that they will get a gorgeously patched Firefox 1.6 (or 2.0) out the door by summer.
Only tens of billions? Maybe Bill Gates is worth tens of billions, but Microsoft is worth far more than that. Which only amplifies your point, of course :)
They call me the wookie man, I guess that's what I am
Nope. It didn't turn into a rewrite, just a move from the XP to Server2003 codebase.
http://www.winsupersite.com/faq/vista.asp
The reason MS can't patch anything is because MS has exactly the same technical challenges that every major Linux distro has. Dependency hell.
MS likes to pretend that windows is immune to such things, but the truth is every piece of software is interconnected. MS creates the illusion of no dependency problems by solving as much of it as possible behind closed doors, and wrapping the results in binary installers. The sheer amount of effort to resolve the problem is high
The people that patch windows (windows sustained engineering group) is located in both india and redmond. They are horribly uncoordinated and have a 12 hour time difference. When one group is working, the other is not. WinSE in redmond also has a huge (this is an understatement) turn-over rate. Most employees simply hate working for this group and are biding their time (1 year required) before they can move to another group.
The book "Mythical Man-Month" by Frederick P. Brooks addresses this EXACT issue. The idea of a "Man-month" in software development is a joke (specifically software development, but it applies to other fields as well).
Often times, the more people you put on a specific problem/project, the SLOWER it goes because of issues like communication, and stumbling over each others' toes, not to mention simply dividing tasks.
-.-- -.-- --..
One fish / Two fish / Red fish / Blue fish
ShyaOS - Think Differently!
Since the beginning Microsoft has been about stealing other companies' ideas and incorporating crappy, watered down versions of their software into MS Windows products.
Had Microsoft focused entirely on the making of just the O/S, its security, stability and interoperability, and left all those other packages to the companies that invented them, Microsoft would probably be the best O/S on the planet.
But instead we're left with a half-baked, insecure O/S full of crap.
Things pioneered by others that were usurped by Microsoft and placed into their O/S in an inferior and feature poor manner.
If you're too young to remember the beginning, keep negative comments to yourself.
Add to the list if you are able:
Backup utilities
"Backstep"
CD Burning
Media Playing
Audio Recording
Antivirus
Partition utilities
Multimedia
UPS Controls
Communication software (modems)
Calendars, Calculators, blah blah blah, bloat.
I'm sure there's a bunch more I've forgotten.
But all this crap didn't need to be in Windows because at one time, they were only offered by 3rd party software houses, but like the Borg, MS assimilates everything.
Imagine how good Windows would have been if MS devoted all their ability to perfecting their O/S instead of wasting time with all that other crap.
Lk4
"It's what you learn after you know it all that counts", Earl Weaver - Legendary Coach of the Baltimore Orioles
Companies must sell the shoddiest, cheapest piece of crap that the customers will still buy for a given price point; it's a basic law of capitalism. Customer satisfaction is absolutely irrelevant, except for when it impacts sales, present or future. The job of a corporation is to give people only as much as they will pay for, not what they actually want.
People have repeatedly proven they will pay for bad software. They'll pay helpdesks to explain poorly designed software instead of buying better designed software, because they can't tell the difference, and good marketers keep blurring the difference. They'll pay Microsoft "support lines" hundreds of dollars for a few hours of shoddy assistance in the vague hope of being able to work around the bugs that Microsoft put in their code in the first place. They'll buy "service packs", "upgrade versions", and "bugfix releases" of software that was shoddy to begin with.
If Microsoft sold a perfect operating system, they'd spend millions of dollars on bugfixing, and only get one sale. If they keep selling crap, they can sell copy after copy of bugfix releases, and people will keep buying, because they only have to pay a bit more each time, and they have a pressing need to solve an immediate problem (overcome a specific bug).
So long as it's in Microsoft's financial interests to release buggy code, they will continue to do so. Bugfixes cost money, and releasing buggy code generates profits through upgrade paths and support contracts. The day those economics cease to apply, expect Microsoft's code to change. Until then, don't hold your breath: Microsoft, like all corporations, is out to maximize profit.
http://silverstr.ufies.org/blog/archives/000879.html
This post pretty much sums up why it isn't practical for Microsoft to fix every single bug. The harsh truth is that it's (financially speaking) not worth it.
He's talking about Microsoft's cash on hand (about 35 billion last I read), not stock market valuation. Microsoft can't really use that stock to hire programmers because, well, they're kind of owned by other people.
Have you ever actually tried to fix a bug in a large software system? When I say "large" I define that as a system of such size that no one single person could hope to understand how it works. So you have specialists. On truly large systems I would not know who would know something, so I spend time asking around. That's the trouble with having thousands of programmers: they don't and can't know each other. This means that even if you have 1,000 programmers working for you they are not interchangeable, and you have maybe 10 that can work in any one area without starting from zero.

There's more. Because of the need to specialize in narrow areas of the code, a "file system guy" would not know the implications of a design change in his area to the "SQL Server guys" and would want to hold a meeting and review changes with others. What this means in large systems is that any simple change needs to get written up and reviewed and approved by some "change control board" and then coded, and then you need to test to see that you have not broken something unrelated. It's a slow process, one that is frustrating to developers, but design reviews, change control boards and regression testing are the only way to ensure quality.

There is a way out, but it requires that you design your big system in such a way that it is not so interrelated and the parts are more "stand alone". Basically you make hard rules that one subsystem just absolutely can not even "know", much less depend on, the design of another subsystem. There are many ways to do this. The problem is that Windows is a big interrelated "house of cards" and they know it. It must be very hard to fix one thing without introducing risk that something else is broken. The standard method for managing this kind of risk is to only do widely spaced releases of the software.

In my own work I have to always resist the temptation to fix a bug _now_ and get it out. I want to look responsive to user needs but no. I just have to say "it will be fixed in the next decimal point release, in about 6 or 8 weeks." And then again from Microsoft's point of view, users don't pay for bug fixes, and will stand in line at night to buy whatever junk is offered. Bug fixes are "money down a rat hole", why bother?
If they wanted to deliver a truly secure OS, they'd licence MacOS.
Download patch here.
This is the Internet Excuse. Before the Internet and broadband, patches were more costly to release. You had to ship CDs or floppies to all of your customers. Plus there were no automatic updates. In turn you could say the Internet brings many of these security issues, but before that there were modems and physical security issues.
A few days ago I wrote a post ( http://slashdot.org/comments.pl?sid=169325&cid=14114454 ) to someone thinking that PHP should magically protect him from himself when sending mail. Same idea- if you're getting untrusted information, you damn-well better make sure it's what you expect it to be.
This is exactly the problem with today's programmers. It doesn't matter what you throw at it really, the system should be able to take it. It's about saving a few dollars and making a release schedule versus producing a quality product. It passes the buck to the sysadmins and people who have to support the issues and who have to clean the worms out of your system. They aren't getting away with this for free, but rather letting someone else see the effects. I'd rather have Windows 2000 show up in 2005, but be stable, bug free, and security-issue free.
It is of course impossible to get everything, but M$ (and many developers actually) leave holes in the places they shouldn't. Race conditions often can't be seen until they happen- fine. 'Local exploits' are also reasonable, as they tend to be areas where those inside are trusted. Microsoft is building a browser for G-d sakes! It accepts input from random untrusted parties (and they know this judging by their 'Internet Zone') and should not have the ability to be exploited to execute code, overcome security, and so on. Only recently have IE versions received the joy of simple bounds checking on links and input.
These are areas where M$ _SHOULD_ pay attention. The security holes in NetBIOS are another great example back a few years ago. This should have been so well thought out that nothing could slip through it and won't do anything other than what it's supposed to.
I know bug-free code is impossible, but Microsoft is supposed to have the best teams out there (we sure as hell pay for them to have the best teams out there) who should be able to get some of the basics right.
-M
when you see the word 'Linux', drink!
hey if microsoft DID patch all the bugs, then they couldn't use "Now better stability", or "less crashes", or "more reliable" or a variation of either in their marketing campaign for future OS's!
If your 16bit line-of-business application all of a sudden stopped working on Windows, I suspect you'd be a bit upset. And yes, there are a boatload of 16bit LOB applications, enough that Microsoft is willing to keep the 16bit stuff around. For whatever reason, many installers are 16bit apps, for example.
OTOH, Win64 doesn't support 16 bit apps (as far as I know).
What? There was a browser exploit? Why wasn't I in on the loop?
Oh, yeah, I remember -- that's why I use Opera.
Come on... How can a problem that has been known about for 9 months be called a "day-zero" exploit? Shouldn't it be called a "day-zero + 9 months" exploit?
Have computer journalists forgotten what a "day-zero" exploit is?
The user can not execute the script. They can only execute perl. If you have a problem with them being able to run perl, then you must chmod o-x
So you have some code that asks for your name;
#include <stdio.h>
char name [15];
printf ("Enter your name:");
fflush (stdout);
gets (name); /* no bound on the input: anything longer than the buffer overruns name */
Some user enters more than 15 characters, buffer overflow.
So you check for buffer overflow;
#include <stdio.h>
char name [15];
printf ("Enter your name:");
fflush (stdout);
fgets (name, 15, stdin); /* reads at most 14 characters plus the terminating NUL */
This slows down the program by some small microsecond. However you stick this into some function of the OS that is called over and over as well as things that are more complex, you end up with a much slower operating system.
We have had patches that we have had to back out because of this very reason. Some of our programs made billions of iterations through a library call, and we go from 8 hour processing to 15 hours. When getting employees their paychecks on time, this matters.
While I agree, Microsoft has to fix this issue, I also understand.
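The post above stops at swapping gets() for fgets(), which leaves a second problem unmentioned: fgets() silently leaves the rest of an overlong line in the stream, where the next read picks it up. The following is an added example, not code from the poster, showing a bounded line reader that reports truncation and drains the leftover bytes; the function names, the 15-byte NAME_CAP (matching the post) and the constructed input are mine.

```c
#include <stdio.h>
#include <string.h>

#define NAME_CAP 15   /* same 15-byte buffer as the post's example */

enum line_status { LINE_OK, LINE_TRUNCATED, LINE_EOF };

/* Read one line from `in` into buf (cap bytes, terminator included).
 * A bare fgets() call stops the overflow but silently leaves the rest of an
 * overlong line in the stream, where the next read picks it up as if the
 * user had typed it. This version strips the newline, reports truncation,
 * and drains the leftover bytes so the next read starts on a fresh line. */
enum line_status read_line(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        if (cap > 0) buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* whole line fit, drop the newline */
        return LINE_OK;
    }
    /* No newline in buf: the line filled the buffer, or it was the last line
     * of the input with no newline. Peek at the next byte to tell them apart. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return LINE_OK;   /* exact fit, nothing lost */
    while (c != '\n' && c != EOF) c = fgetc(in); /* discard the overflow */
    return LINE_TRUNCATED;
}

/* Build a FILE* over a constructed input string so the function can be
 * exercised without a terminal (tmpfile() is standard C). */
FILE *input_from_string(const char *s)
{
    FILE *f = tmpfile();
    if (f != NULL) {
        fputs(s, f);
        rewind(f);
    }
    return f;
}

/* Runs read_line over constructed input covering the normal, overlong,
 * exact-fit and no-trailing-newline cases. Returns the number of checks
 * that passed (6 when everything works). */
int self_check(void)
{
    char name[NAME_CAP];
    int passed = 0;
    FILE *f = input_from_string(
        "Alice\n"
        "this name is far too long for the buffer\n"
        "12345678901234\n"      /* exactly 14 characters: fits without loss */
        "Bob");                 /* last line, no newline */
    if (f == NULL) return 0;
    passed += read_line(f, name, sizeof name) == LINE_OK && strcmp(name, "Alice") == 0;
    passed += read_line(f, name, sizeof name) == LINE_TRUNCATED && strcmp(name, "this name is f") == 0;
    passed += read_line(f, name, sizeof name) == LINE_OK && strcmp(name, "12345678901234") == 0;
    passed += read_line(f, name, sizeof name) == LINE_OK && strcmp(name, "Bob") == 0;
    passed += read_line(f, name, sizeof name) == LINE_EOF;
    passed += name[0] == '\0';
    fclose(f);
    return passed;
}

int main(void)
{
    char name[NAME_CAP];
    printf("Enter your name: ");
    fflush(stdout);
    switch (read_line(stdin, name, sizeof name)) {
    case LINE_OK:        printf("Hello, %s\n", name); break;
    case LINE_TRUNCATED: printf("Too long, kept \"%s\"\n", name); break;
    case LINE_EOF:       printf("No input\n"); break;
    }
    return self_check() == 6 ? 0 : 1;
}
```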
> Now excuse me while I eat this single strand of spaghetti from the middle of this massive bowl without disturbing any other strands.
Just stick your tongue in there and pretend that one noodle is your girlfriend's bra strap...
Instead, you take the software and reverse-engineer a mathematical description of it. Once you have a mathematical model, you can use theorem provers to determine what parts of the code are mathematically illogical/incorrect/incomplete. Once you know what parts of the code simply don't make sense, you can restrict your debugging solely to those parts of the code. You don't need to investigate the code that works. Assuming there is any.
Of course, for "trivial" classes of bugs (buffer overflows, buffer underruns, null pointer access, etc), there are code validators which will specifically look for those flaws. splint (a lint derivative) is one, the Stanford Code Validator is another. As these form the bulk of easily exploited bugs, it would seem obvious to scan the code with these first. To make certain you've caught everything, there are also validating mallocs, such as Electric Fence, which detect obviously bogus memory accesses.
I don't know how long it would take to do a reasonable scan of the Windows source code, using such tools, but I would not think it likely to take more than a few months to do the most rigorous of these checks (convert to formal notation, then use a maths theorem prover) to locate all suspect areas, and maybe a few more months to actually correct all of these bugs. You'd probably want to use a memory profiler and/or a validating malloc first, though, to cure the really obviously bogus code.
After all that, you would then want to do regression testing to ensure you'd not broken anything in the process (or unbroken something that actually needs to be broken). This would not correct "all" of the bugs in the code, but it would reduce the number by a couple of orders of magnitude and in a timeframe that would be very reasonable.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
That's a silly thought. Dividends and other cash distributions reduce the share price by the dividend amount. Using their cash to buy back shares would be a "prop scheme".
Do you even lift?
These aren't the 'roids you're looking for.
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
--
Given enough personal experience, all stereotypes are shallow.
But then you can just run /lib/ld-linux.so.2 /usr/bin/perl /usr/local/bin/script.pl
I think you'd better chmod -x /lib/ld-*.so* on your systems just to make sure they're secure. :-)
09F911029D74E35BD84156C5635688C0
Jesus loves you, I think you suck
No, you can't, as discussed before:
# mount -t tmpfs none /mnt/ -o noexec
# cp /bin/bash /mnt
# /mnt/bash
bash: /mnt/bash: permission denied
# /lib/ld-linux.so.2 /mnt/bash
/mnt/bash: error while loading shared libraries: /mnt/bash: failed to map segment from shared object: Operation not permitted
When you are dealing with security, semantics are extremely important! It is important for an administrator to understand exactly what happens, what is being executed when a shell/perl/python/etc script is "run".
An administrator who does not understand the purpose/scope and use/effect of the noexec mount option may misuse it in exactly the way you demonstrated.
Oops, I just realised what you meant. I would like to amend my original statement. Replace "chmod o-x perl" with "don't let them run perl". If I actually wanted to do this on a machine, I guess I would chroot the user away, or deploy SELinux or grsecurity, so that they could only access the programs they are allowed to.
Oh hold on a minute...
# chmod o-rx /usr/bin/perl
# /lib/ld-linux.so.2 /usr/bin/perl
/usr/bin/perl: error while loading shared libraries: /usr/bin/perl: cannot open shared object file: Permission denied
:)
I knew I'd overlooked something!
(Goddamnit, why won't Slashdot let me break lines where I want to...)
It probably wouldn't be too hard to patch Perl, Python and others to refuse to read a script from a filesystem mounted with noexec.
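The check proposed above (and the point made earlier that an administrator should know exactly what noexec does and does not cover) comes down to one question: is the filesystem holding a given path mounted noexec? As an added example, not code from any poster or from Perl/Python, here is that lookup over a /proc/mounts-style table; it reads a constructed table rather than the live file, and the function names and sample entries are mine.

```c
#include <stdio.h>
#include <string.h>

/* Constructed /proc/mounts-style table (device, mount point, fs type,
 * options, dump, pass). Not read from a live system. */
static const char *SAMPLE_MOUNTS =
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "none /mnt tmpfs rw,noexec 0 0\n"
    "/dev/sdb1 /mnt/data ext4 rw,relatime 0 0\n";

/* True if the comma-separated option list contains exactly the token `want`
 * (so "noexec" is not found inside some longer option name). */
static int has_option(const char *opts, const char *want)
{
    size_t wl = strlen(want);
    const char *p = opts;
    for (;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == wl && strncmp(p, want, wl) == 0) return 1;
        if (end == NULL) return 0;
        p = end + 1;
    }
}

/* True if mount point `mp` covers `path`: "/" covers everything; otherwise
 * `path` must equal `mp` or continue with a '/' (so "/mnt" does not cover
 * "/mntx/file"). */
static int mount_covers(const char *mp, const char *path)
{
    size_t ml = strlen(mp);
    if (ml == 1 && mp[0] == '/') return 1;
    if (strncmp(mp, path, ml) != 0) return 0;
    return path[ml] == '\0' || path[ml] == '/';
}

/* Given a mounts table and an absolute path, report whether the filesystem
 * holding `path` is mounted noexec: 1 = noexec, 0 = exec allowed,
 * -1 = no entry covers the path. The longest covering mount point wins
 * (a later entry of equal length wins too, as an overmount would).
 * Assumes plain paths; the \040-style escapes /proc/mounts uses for spaces
 * are not decoded here. */
int path_is_noexec(const char *mounts, const char *path)
{
    int result = -1;
    size_t best = 0;
    const char *line = mounts;
    while (*line != '\0') {
        char buf[1024], dev[256], mp[256], fstype[64], opts[256];
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (sscanf(buf, "%255s %255s %63s %255s", dev, mp, fstype, opts) == 4
            && mount_covers(mp, path) && strlen(mp) >= best) {
            best = strlen(mp);
            result = has_option(opts, "noexec");
        }
        if (nl == NULL) break;
        line = nl + 1;
    }
    return result;
}

int main(void)
{
    const char *paths[] = { "/usr/bin/perl", "/mnt/bash", "/mnt/data/script.pl",
                            "/mntx/file", "/tmp/evil.pl" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-20s noexec=%d\n", paths[i], path_is_noexec(SAMPLE_MOUNTS, paths[i]));
    return 0;
}
```

Note that the nested /mnt/data entry is exec-allowed even though /mnt is noexec, which is exactly the kind of layout detail an interpreter-side refusal would have to get right.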
He's wondering why they don't fix their security problems? He stays up till 4:00 AM to deliver an emergency set of instructions to his readers because Microsoft felt it unnecessary to patch a flaw six months ago and he still uses Microsoft.
According to the article, "...Microsoft felt it unnecessary to patch a flaw six months ago that was originally low risk but mutated in to something extremely dangerous." This is, presumably, in reference to the JavaScript exploit that was recently covered on Slashdot and in an Eweek article.
The thing is, this flaw didn't "mutate" -- it's just that we didn't until recently understand how dangerous this security flaw really is. That there's already a working proof of concept is alarming.
It's quite inaccurate to say that the flaw "mutated" when in reality it never changed -- only our understanding of it changed. Who's to say that someone, somewhere, wasn't already aware of the true potential for abuse when the flaw was first discovered half a year ago? Microsoft didn't make fixing this a high priority because they were lulled into the belief (along with almost everyone else, apparently) that this was a simple DoS exploit instead of the own-the-machine exploit it turned out to be. (Yeah, it takes a lot more work to actually gain control of the machine, but the same fundamental mechanism is used.)
It probably would. Ponder the following:or
...ceterum censeo Carthaginem esse delendam.
One has to remember that a program is just a sequence of instructions written down in a convenient form. Someone with access to a general purpose system can feed it general instructions. If your particular set of instructions are readable to him (which has been assumed so far in this discussion), he can feed them to the computer. He can do so with instructions he read on the Net, or on the back of a milk carton.
Perhaps what you are suggesting is that perl be configured so that it will only run when invoked from the script interpreter (i.e. when it is mentioned in a #!-statement in an executable text file). This would perhaps be an extra hoop to jump through, but would also greatly limit the usefulness of perl. I use perl -e 'something' all the time.
...ceterum censeo Carthaginem esse delendam.
Why can't microsoft just GO AWAY!
And of course perl (cat /mnt/unexecutables/evil.pl).
:)
So the real solution is, again, if you don't want a user to be able to run a program, don't give him a shell.
then it's obvious that software as it stands today in year 2005 is not worthy of patents or being called a product or being offered "for sale" or pay for use. Accept software is just a hobby and for a few decades people made some fabulous money with it, but today it can be stated it will never be good enough to qualify as a real honest product. Then, get a real full time job doing something else constructive and go back to coding in the evenings for funzies.
If you can't offer any warranty because the "product" is never good enough from bugs, then the "industry" needs to fail as a business and live on as a hobby, like stacking up legos or something.
I feel the same way about music, visual arts and etc. It's well past the point it is all that worthy of much cash. At most I'll pay for media costs and some bandwidth fees, but no more cash than what that represents for any bits or bytes I receive, it's just not worth it anymore. I used to pay a lot for software, even honored all my shareware commits (I am one of those truly rare people in that regard), but *no freaking longer*. I quit, that industry gets no more cash from me-ever. I accept that all software from anyplace is perpetual buggy beta, it is never final nor fixed, all new releases break old stuff that was working fine, and they constantly introduce new bugs. And no vendors give any sort of legitimate warranty, so I treat it like what it is, someone's elaborate hobby. I can get a warranty for any gadget I buy, but not for the buggy bits and bytes that run it...hmmm. Now, I guess I am a babe in the woods compared to some here, only having been using computers since the '80s, but I've dropped some cash...and it's still bugware! And from what I have read, it was always bugware! This is bona fide historical precedent, gussy it up, dress it up all you want, the industry is still in diapers, now with shiny pins, but still diapers, because it REFUSES to grow up! They claim they can never produce non buggy ware, the evidence is clearly in favor of that statement, so I believe them, so I think it's ludicrous to pay for it beyond some handling fees for transfer.
Software-although complex and distributed by large companies-is not a "professionally constructed product". They promised it would be by now, decades ago they complained it was a new industry, they needed "time" to get out of training wheels. OK, it's a half century and change later since coding really started in serious earnest all over the planet, and it's no less buggy than it ever was, TIMES UP!
The software industry has proven it is incapable of being either competent or self regulating. Just like the music and movie industry, just way too expensive for what you get and completely filled with used snakeoil salesmen. It is no longer worth it. You can see it in meatspace, people have really stopped being excited about paid for new releases of anything unless it's videogames. This should be a major clue to "the industry". Businesses that rely on software have started to NOT upgrade as fast as they used to, because it's the same buggy crap when they do upgrade. Fool them once, you can get away with it, fool them a dozen times even the stupidest boss starts to smell a rat. Elaborate sand castles, nothing more...
That people continue to be faked out and pay huge sums for it is mind boggling, especially the suckers who continue to pay for like MS "products" and from other large software vendors who charge huge sums for bugware with no warranty. This is changing all over the planet now, the price people are going to be willing to spend on software falls between "not very much" and "none". People need to take that to heart if they are planning on depending on that for an income.
A small software company with a couple hundred, or even a thousand customers isn't finding anywhere *near* the amount of bugs as microsoft is for their applications. It's a matter of ratios. There's no reason microsoft couldn't, if they only had the clients the small companies do. The reason they can't, is because they've got hundreds, if not thousands of times more people testing the hell out of their software and finding bugs and holes.
Just because someone doesn't report that a bug exists, doesn't mean the bug exists. I would say the only folly here, is the original author not taking that into account when bashing MS.
Wasn't "Trustworthy computing" a Microsoft ad campaign years ago? Seems it turned into a Google campaign. http://www.trustworthycomputing.com/
How true.
(Also, I must admit I don't understand your perl (cat /mnt/unexecutables/evil.pl) example)
...ceterum censeo Carthaginem esse delendam.
I buggered it up. It should be: perl <(cat /mnt/unexecutables/evil.pl)
It's called Process Substitution. It's a great way to avoid the use of temporary files in shell scripts.
If you have read permission on a program file, you can always do whatever the program does (whether that be by running it on the CPU, running it in an emulator or by just interpreting it in your head). The purpose of the execute permission is just to make sure that noone unauthorized runs that SUID program you just wrote.
If you come up to me and say, "Hey, you know a lot about computers. What computer should I get?", and I tell you to get a Mac because it will meet your needs out of the box (yes, you told me what you need to do already), and you proceed to disregard my advice and get a Windows box, then just whom, exactly, is stupid and arrogant?
Wow, run-on sentence.
Short version: You keep saying those words. I do not think they mean what you think they mean.
MS is supporting every interface they ever sold with the exception of detail implementations of SCO Unix at the kernel level with Windows NT. that includes MS-DOS 2.10, four or five versions of windows basic runtime scripting, all kinds of stuff going back 20-plus years.
you can't unscramble that much spaghetti code and conflicting system calls to find the hooks to fix. by contrast, any wild-eyed wobbly who wants to break in and (pick one: wreak havoc, steal credit card info, make zombies, hack spy satellites) only has to find one hole in the snakepit to let his own snakes in.
so that's why they don't patch everything in windows. it's like counting to infinity.. just when you're almost there, somebody slams the door, and you lose count.
Travoltus had a SIG over here a few years ago that I copied down because I liked it so much... quoting...
63,000 bugs in the code
63,000 bugs
ya get 1 whacked with a service pack
now there's 63,005 bugs in the code.
that's where MS is at. Promoting Secure Computing, indeed. hard act to get on the road, that.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Windows contains above 100M lines of code (recollection from some time back, probably more now).
The overall design philosophy is 'tight integration', so everything affects everything.
Any software testing problem is combinatorial: all combinations of inputs checked against all outputs. This is why testing cannot be used to produce a quality product, only to check whether the development process is capable of producing a quality product.
I guarantee you that MS's bug list for each product is in the 10s of 1000s. It is a major effort to even sort through bugs and choose the most critical, consolidate by root-cause, isolate to DLLs, AND REGRESSION-TEST THE FIX(es).
In a large system, the overhead of source code management (checkout, change, test, merge with the release with the bug, and then merge into later releases of code) is enormous. The productivity of people doing bug fixes in these large systems is very low, no matter how expert they are. This is why developers HATE fixing problems in released code.
No large company can fix all their bugs, even when bug fixes don't generate new bugs.
Lew
"The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
That statement is meaningless, as who is always inextricably tied to what, especially when you consider "who" can be a user, an agent, a script, or another process. A site's script running in a browser is a "who" (e.g. slashdot). Just because I'm running the browser and I have full access doesn't mean I want /. having full access.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
I have patched all of the bugs in my software that either I or a user have found. However, since no one uses my stuff I don't get many^Wany bug reports.
Go back and read Fred Brooks' Mythical Man Month. Microsoft doesn't have the money to hire enough coders to fix all their bugs. Their code is just too complex for that to work. Each coder coming in to change something affects all (most) of the others. Hiring more coders just makes it more difficult to fix bugs.
Where I work there are 5 programmers on a project that was written from scratch within the last year or two, and we were all on the project from the beginning. Even so, we still have problems where two different coders are assigned to two seemingly different bugs that have subtle interactions. More than one patch was stopped at the last minute because it overwrote a file from a different patch. (We use CVS which helps a lot, but it is not perfect - I'm told most companies do not use any version control, I have no clue how they can get any patches out)
Because there are not enough bandaids to fix everything that's completely ass-backwards from MS
No, obviously handing out money to shareholders entices shareholders and people who DON'T own Microsoft shares to buy them - thus driving up the price and - just incidentally of course - making Bill personally richer.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
I promise you ... ALL of you ... that the entire premise of this is wrong. MS patches EVERYTHING it can. The only thing holding it back is testing the maximum amount of applications (to make sure that a patch doesn't break existing applications) and the demand from corporations to slow down the patching so that they can deal with them in a timely manner.
For those that think the patching should be released and then corps can apply them whenever they want, that's not how corporations... or crackers... work. Corp IT Depts have strict SLA agreements with the rest of the company that REQUIRE them to apply patches as soon as they are released, so slowing them down is very valuable. Second, the number one discovery vector for attacks are diffs that crackers do on the patches that are released. The slower, and more regular the patches, the less time between when worms can be reverse engineered and the corps can apply them.
Think what you want, but NO corporation would ever apply a patch, even if it's instantly wormable, without doing serious testing. Unless you've worked in a place with 15,000 PCs with a thousand custom applications and a 50 PC/server configurations at minimum, you really have no idea what it's like patching. Multiply that times a hundred thousand and you might have an idea what MS goes through each time they release any patch.
i think, this reference was to _security_ bugs. and there are few companies that are so careless regarding to security bugs.
Rich
"financially liable" ??
Caveat emptor, mon ami...
Vote with you wallet. Take money away from them...
Don't whinge when you bought their software knowing they were a monopoly and it was shit. Awwwwww... it was too hard to get anything else, now they should pay, cos you are a shit-for-brains lazybones.
Did you get a WARRANTY anywhere for it? Did they tell you it would work and it was bug free?
Fuck off and die, I have had enough of your kind of bullshit.
Well, it wasn't entirely meaningless, as you understood exactly what I meant :)
I didn't intend it as a great revelation to solve all our security woes, but merely as a reminder of what the original problem we are trying to solve is. One should always keep the original objective in mind when attacking sub-problems. It is all too easy to get lost in the details and go against it.
...ceterum censeo Carthaginem esse delendam.
why Microsoft don't fix all their bugs,
like all the other decent programmers over the world have always done?
Since we all know, that the bugs are EVIL and the creation of the DEVIL,
it is clear that only worshippers of the SATAN can tolerate those bugs in their code.
Therefore, I am now bound to request,
that Microsoft shall be burned on the stake!
HP-UX had ACLs back in 1992.
See This
At the same time, Windows didn't get ACLs until 1996 with the release of Windows NT 4.0; see below.
Windows ACL
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
Dividends move money from the company to the shareholder, but they don't create new money.
PS - Bill did get a big chunk of change out of it, but it went straight to the Bill Gates Foundation.
Do you even lift?
These aren't the 'roids you're looking for.
"Dividends move money from the company to the shareholder, but they don't create new money."
What part of "dividends move money...to the shareholder" don't YOU understand? Not everybody buys stocks just to see the price rise, you know. And even those who do like to get some real money from their stocks once in a while without selling out. The fact that there was downward movement during the period they did it is completely irrelevant to my point.
Look at this way - do you really believe Bill Gates would do something that seriously reduced his wealth? Oh, please.
"Bill did get a big chunk of change out of it, but it went straight to the Bill Gates Foundation."
Which is a stock laundering operation he uses to invest in companies he wants to control, while deriving PR benefit from being considered the "great philanthropist" even though the Foundation barely gives out its income every year. Standard operation for rich foundations. The Rockefeller Foundation was known for this approach.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
... welcome to the internet. And full English comprehension. You are still steaming about the OP and not actually replying to my post, which I'm pretty sure you didn't really read.
And go watch The Princess Bride. I'm surprised your ISP let you in here without verifying you'd seen it.
Maybe you should decide what your point is.
When they aren't handing it out to stockholders in one-time stock prop schemes...
handing out money to shareholders entices shareholders and people who DON'T own Microsoft shares to buy them - thus driving up the price.
You claim Microsoft gave out a one time special dividend so that millions of people would buy microsoft stock, raising the price. The fact that the share price has a downward movement when the dividend is distributed is very relevant to your point. Their minuscule regular dividend and high volatility make them a poor choice for anyone interested in dividend income. Buying the stock for a one-time dividend and then selling is a loser proposition, given the brokerage fees and taxes on the dividend, and subsequent price drop after the dividend. It might be a nice bonus for existing shareholders, but it has nothing to do with raising their market valuation.
Do you even lift?
These aren't the 'roids you're looking for.
Christ, you really have no clue how to reason, do you?
Let me try to walk you through this again, SLOWLY:
EVERY company wants its stock price to stay up OVER TIME. They'd like it to stay up permanently, but even management isn't that stupid. They know it will go up and down. But if their business is perceived as trending downward - as Microsoft was because its profit margins have been trending downward from double-digit to single-digit over the past few years - they know they have to do something to entice investors or their stock value WILL go down.
They also know some, if not all investors, like to receive a cash dividend from their investments.
Microsoft had tons of cash in the bank. So they conceived the notion of looking good by handing over billions of it to investors. To each investor, the amount actually received is small - but free money is always welcome. To the PR-influenced public, it looks big - and that was the point - to make Microsoft look like an attractive investment to the stock-buying rubes who don't know any better.
The downward movement of the stock after the dividend was obviously expected. That was the reaction of professional investors and institutions. It was also expected not to be permanent and to be offset by the increase in investors who are primarily after dividends or who would invest simply because they think Microsoft must be a great company to invest in if they hand out billions to people (relevant to Gates' Foundation here, as well.)
The end result was expected to be an influx of investors and a retention of existing investors, which would keep the stock value higher THAN IT WOULD BE IF THEY DIDN'T DO THIS.
What part of this can't you comprehend?
Apparently you are fixated on the day-to-day stock price which is totally irrelevant to the overall goal.
Do you really believe Microsoft issued a dividend to DEPRESS their stock price PERMANENTLY?
Are you an idiot?
I don't have any more time to explain REAL business to someone who just graduated a course in the stock market.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Also recall that in a free and competitive market, people pay exactly what things are worth to them.
The key words are free and competitive. A market with high barriers to entry, like the airline industry in which you must own a gajillion-dollar plane to compete, will obviously be less free than farming, in which any person with dirt and seed can try their hand. Competition of a market is directly related to its freedom; no-one will be around to compete with the established monopoly or oligopoly if that no-one is not allowed the chance to try.
Here's the key - is software - bugs, flaws, and all - worth its cost? It all depends on whether you accept the software market as free and competitive. If it is, prices of the software as is truly represent what people are willing to pay for them, and therefore, how much they are worth. If not, and the software industry is single-handedly dominated by Microsoft or some other generic oligopoly (cue Darth Vader breathing) then the software prices are inherently flawed and all of your assertions are correct.
Obviously, you no longer believe that the price of software accurately and truthfully reflects its value. That implies that the software market is neither free nor competitive. Yet, consider the following:
If the market for software is quite possibly the freest on the planet, and yet people still pay prices that are considered "inflated," are they truly inflated? My inflation-adjusted $0.02 - my e-mail and AIM addresses are free to anyone who takes the effort to flame me.
DATABASE WOW WOW
The two of you seem to be arguing slightly different points. In the short term dividends harm the stock, as cash is transferred from the corporation to the private investors. In the long term high dividends, despite their cost to the company, increase demand for the stock.
In other words, paying dividends is kind-of-sort-of-almost-like marketing - in the short term, the company has thrown money out the window. In the long term, (effective) advertising causes more to be bought. Think of dividends as an investment in investment, with an initial cost and a later benefit.
Also consider that dividends are a logical extension of stocks. Shareholders, by definition, are part owners. Paying dividends is merely a way of distributing a corporation's profits to its owners.
DATABASE WOW WOW
Exactly, he's concerned with the short term, I'm pointing out the long term benefits to the company - and thus to Bill Gates' personal net worth (or at least as long term as Bill is capable of conceiving.)
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!