Microsoft's Urgent Patch Precedes Black Hat Session

Julie188 writes "Mystery solved! Microsoft's latest emergency out-of-band patch was weird beyond belief. A notice was sent to journalists and researchers late Friday evening that the patch was coming Tuesday, but Microsoft refused to explain the flaw and even put a cone of silence around researchers who would have otherwise talked about it. But finally, one researcher broke ranks and explained that the patch was caused by a flaw introduced in Microsoft's own development tools. This flaw was also the source of the emergency ActiveX patch, which took about 18 months to complete and which supposedly fixed the problem by turning off ActiveX (setting a 'killbit' on the control). Researchers at Black Hat on Wednesday will be demonstrating how to override the killbit controls and get access to vulnerabilities supposedly stopped with a killbit. What's really scary is that Microsoft has issued 175 killbits fixes so far."

Imagine.

[rolfc]

There are still people that think ActiveX is a gift to humanity.

Re:Imagine.

[Hassman]

Its not?

It has a cool name...I've been tricked!

Re:Imagine.

[commodore64_love]

I would upgrade to a Macintosh and abandon the Microsoft/ActiveX/Exploder trojanware completely, but Mac has its own undesirable flaws. Namely - A $100 fee every year to upgrade from 10.4, to 10.5, to 10.6, and so on.

i.e. Macs are expensive to maintain. In contrast I bought a Mickeysoft XP PC in 2002 and haven't spent a dime since then for OS updates. i.e. Cheap.

(And Linux won't install my Netscape ISP's Web Accelerator software - so that's not an option either.)

Re:Imagine.

[bstreiff]

So you're contrasting OS upgrade fees for OS X... versus not upgrading Windows.

Guess what? There are upgrade fees to go from XP to Vista to 7, too.

Re:Imagine.

[m.ducharme]

I've not found the upgrades to be necessary for compatibility reasons, though we did upgrade one of our older macs (a G5) to get the benefit of the performance boost. It had been running with the OS it came with for...I'm going to say about 4 years. I'm not sure why you feel that you'd be obligated to purchase upgrades, care to offer some insight?

Certainly if you feel that a point change in the OS X world is equivalent to a service pack, I can see how you might be put out by having to pay for one. But I think they're more like the change between XP > Vista than the change between XP SP1 to XP SP2.

Re:Imagine.

[recoiledsnake]

Confusing summary. Will Wednesday's demo show how to exploit ActiveX even after the patch is applied or not?

Re:Imagine.

[hot+soldering+iron]

There, there... Just calm down and drink the kool-aid. You'll feel all better soon.

Re:Imagine.

[billcopc]

Except Windows apps from today still run on a 10-year old Windows 2000 machine, for the most part.

Mac apps are, like their makers, excessively trendy so whenever a new OS X build is released, the great majority of developers "embrace" the new features and it seems very few are committed to backward compatibility. This much is true of both big-name vendors and homebrew/shareware authors ("Free" isn't so big yet in that sphere).

Re:Imagine.

Assuming you're referring to what I think you are when you say "Web Accelerator Software..." you know all that does is turn on http pipelining, change your cache settings, and maybe (depending on which particular one) install a "download manager" that uses multiple connections to stream content faster from overloaded servers?

All of that (with the exception of the "download manager" can be done in Firefox's "about:config" controls without the need for any special software.

"Download Manager" programs and Firefox plugins are available on Linux too, but I DO NOT recommend using them. They are the product of evil minds who don't understand how the internet works.

Under normal circumstances they actually slow down your downloads slightly (more overhead to manage multiple connections, max bandwidth is still limited by the greater of server's upstream / your downstream). The only time it can speed things up is if the server is overloaded.

(Rough example follows; the numbers are not accurate to anything, only a demonstration)
Assume the server can handle 100 average connections at full speed at one time, and 110 people are trying to download currently. Their downloads will each slow by approximately 10% as the server parcels out packets to each connection. This is fair.
What "download managers" do is add more connections from your client to grab different parts of the download faster at the expense of other people.
So the aforementioned server, rather than having 110 connections from 110 people, has 109 connections from 109 people and 31 connections from 1 person. So the server apportions bandwidth among its 140 connections. Your download is sped up as you are now receiving 22% of the packets from the server if apportioned in a CFQ manner. Everybody else's download is now about half speed. This is very much NOT FAIR.

So you can do completely without your "web acceleration software" by changing your web browser's settings yourself (it occurs to me that on Windows the software may also fix the broken TCP/IP windowing scheme they have by default - this isn't necessary on Linux as the networking stack autonegotiates with upstream routers to find the most efficient window size available). Even if you never switch away from Windows, I would recommend NOT USING any sort of "download manager" that may be included in your "web acceleration software," as it is just an awful idea. Also note that the more people who use these "download manager" things, the more overloaded servers become, meaning that soon even the people using download managers are getting slower downloads than they would if nobody were using them (this becomes more obvious if you also take into account memory and processor capacity on the servers).

Re:Imagine.

[Kratisto]

What do you mean not upgrading? He has XP!

Re:Imagine.

[Chaos+Incarnate]

2000 > XP or Vista > 7 might be better analogies--lots of fluff changes, less so under the hood. :) (Or at least, for 10.4/10.5. Not sure how to classify 10.6--lots of under the hood, but very little fluff.)

Re:Imagine.

[koolfy]

I would upgrade to a Macintosh and abandon the Microsoft/ActiveX/Exploder trojanware completely

Yeah, like if mac was better at security fixes...

Re:Imagine.

(Or at least, for 10.4/10.5. Not sure how to classify 10.6--lots of under the hood, but very little fluff.)

Well, Snow Leopard is only going to be $30, so it's like a paid service pack. Then again, they rewrote Finder in Cocoa, added in LOTS more 64-bit support, Grand Central Dispatch, etc., and made the thing only take up 6 or so gigs of space on the HDD. I'd say that removing a lot of bulk and adding compatibility is worth $30 (Or, if you're upgrading from Vista>Win7, most likely the same would be ~$100 for you).

-Samriel, posting anonymously because OSX supporters get downmodded

Re:Imagine.

[whowantscream]

It IS a gift to humanity, - think of all the lives that it has touched, and not just ActiveX programmers!

It has given linux admins more clout and opened up jobs for people wanting to avoid Microsoft like the plague
It has given new Windows security admins more job security after the old one was fired
It has given hackers a means to expand and fund their personal empires
It has helped prune out the weak by allowing the destruction of their computers

You see, Microsoft is just playing its part in the circle of life.

Re:Imagine.

[commodore64_love]

>>>Except Windows apps from today still run on a 10-year old Windows 2000 machine, for the most part.

Precisely. With Windows you don't have to upgrade because it has a relatively long support cycle, and as you pointed-out you can continue using Win2000 (or even Win98) without problem. In contrast my Mac 10.4 which is not that old, refuses to run anything because virtually all the software requires 10.5 or higher.

And thus we're back to my point - "A $100 fee every year to upgrade from 10.4, to 10.5, to 10.6, and so on. i.e. Macs are expensive to maintain."

Re:Imagine.

[daem0n1x]

Somehow people think it's normal to embed in webpages stuff that is executable code for a particular operating system and processor architecture. WTF?!?

This is soooo fucking stupid I almost can't believe it. I've tried for years to convince people of that but they look at me as if I'm an alien.

It was a tremendous lock-in strategy for Micro$oft, though. They're still cashing in on it. Fortunately, the tide is changing, but it will take a long, long time until this ActiveX shit is gone.

Re:Imagine.

[Sun.Jedi]

Did the apps you installed in 10.4 stop working or were you one of those "trendy" people?

Re:Imagine.

[cyberdrop]

The code is not embeded in the web page!

An ActiveX Control is a Plugin for your browser. The browser is also bound to an particular operating system and processor architecture!

Re:Imagine.

[TheRaven64]

Namely - A $100 fee every year to upgrade from 10.4, to 10.5, to 10.6, and so on

I don't like to contradict your wonderful hyperbole with mere facts, but the upgrade from 10.5 to 10.6 is going to cost $29, and comes two years after the release of 10.5, making the cost $14.50 per year, not $100. The upgrade from 10.4 to 10.5 cost $129 I believe (although it was $20 if you had bought 10.4 after 10.5 was announced) and was release 2.5 years after 10.4, making the cost per year $51.6. If you bought both of these upgrades, you will have spent $35.11 per year on upgrades.

Re:Imagine.

[DavidTC]

No, Netscape's Web Accelerator connects to a compressing proxy server for their dialup service. It recompresses images to lower quality and makes all pages gzipped. That's it. I'm not even sure it does any caching.

I'm fairly confused as to how this doesn't work on Linux, as it's a browser proxy, but don't care enough to actually look into it.

Which means all this talk about switching OSes is nonsense. He's someone using a $6.99 a month dialup internet connection, he can't afford a new computer!

Of course, apparently the idea of using Netscape's web browser, or Firefox, both which surely would work with Netscape Web Accelerator and would protect him from ActiveX, doesn't occur to him. (Granted, it doesn't seems to have occurred to anyone else here either.)

Re:Imagine.

[hairyfeet]

Which brings me to something I've asked several times and never gotten a real response too: Why is it so damned hard for Apple guys to admit Apple is expensive? I mean you don't see Ferrari owners going "well if you figure in all the external factors its a great value for the money" because its not. Its exotic, its fast, but it sure as hell ain't cheap. Same thing goes with Apple.

As you pointed out you get crazy long support cycles out of MSFT. Win2K will be supported until April next year IIRC, and WinXP until 2014. And the simple fact is that now Apple has switched to Intel you can buy the SAME hardware that is in a Macbook or Macbook Pro for $700- $900 or more cheaper from a Dell or HP. So the price difference is for OSX and the pretty. So for an Apple guy to say Windows is expensive when they are paying that much for OSX PLUS having to "rebuy" it every year is just nuts.

Hey, Apple Guys, if you want to drive a Ferrari, just drive it and be happy. If you think spending $700-$900 or more for OSX is great, then fine and dandy, nobody is judging you. But please stop with the bullshit, okay? It makes you sound delusional or like a koolaid drinker when you sit there and try to jump through all these logic hoops trying to justify how that $2200 you paid for your laptop isn't high, when we can buy the same gear for $900-1100. You don't see the Ferrari owners trying to justify with logic hoops how they are "value for the money" compared to Ford, do you? Hell no! So just accept you have a Ferrari and be happy. But trying to come up with all these crazy hoops to try to prove that Apple computers aren't expensive just ends up with a pile of bullshit as big as MSFT's with their "get the facts" campaign, okay?

If you want to spend that extra $$$$ on OSX, just do it and be happy already. Trying to justify it with these totally crazy "value for the money" arguments just makes you sound crazy or desperate to prove you didn't get ripped off. If you think OSX is worth the hundreds or even over a thousand you spend, then just spend it and be happy with your purchase.

Re:Imagine.

[Ed+Avis]

What is this Web Accelerator software? Is it similar to the 'accelerated browsing' mode in Opera?

It would be possible, I expect, to run a Windows virtual machine just doing the Web Accelerator, which you can connect to from Linux; then you get the faster browsing without the unpleasantness of having to use Windows for other tasks.

Re:Imagine.

If you bought both of these upgrades, you will have spent $35.11 per year on upgrades.

Which is close to the cost of an anti-virus subscription.

Re:Imagine.

[ozmanjusri]

Precisely. With Windows you don't have to upgrade because it has a relatively long support cycle

It's not the long support cycle that makes that option viable, it's the almost complete lack of innovation in the past decade of Microsoft OS monopoly.

Re:Imagine.

[Ed+Avis]

I think you are asking about forward compatibility (use the older 10.4 apps on your newer system) but the other poster was complaining about the lack of backward compatibility (newer apps don't work on older OS releases). (Or is it the other way round? The definitions of 'forward' and 'backward' compatibility are even more confusing than X servers and clients.) Anyway, it's a different consideration.

Re:Imagine.

[arose]

Well, Snow Leopard is only going to be $30, so it's like a paid service pack.

But you need Leopard to use it... So $130 for those who had the nerve to not upgrade.

Re:Imagine.

[sexconker]

It's the other way around.

The OS is backward compatible with older programs.
The program is forward compatible with features in the upcoming version of the OS.

Re:Imagine.

[bdraschk]

Where are my mod points when i need them?

Re:Imagine.

[sexconker]

Durrrr.
Wrong.

Typically they also compress images, have a local (at the ISP) cache of popular sites, and if you're lucky, block some "content" (lol ads) from loading.

Re:Imagine.

[ehrichweiss]

VERY good point. I own(ed) several Silicon Graphics workstations. Even though it would have been true, my justification never involved "well, if you add the fact that these don't crash every 20 minutes, the productivity makes them worth the $20,000+ paid for them". Nope, my justification was "ever see all those special effects in movies? They used THIS computer brand to make most of them, not a PC, not a Mac".

Re:Imagine.

(And Linux won't install my Netscape ISP's Web Accelerator software - so that's not an option either.)

You could give Opera 10 a try. They have a new feature called Opera Turbo, which I think does the same thing, i.e. compresses web pages on a server before sending them to you.

Re:Imagine.

[VisceralLogic]

As you pointed out you get crazy long support cycles out of MSFT. Win2K will be supported until April next year IIRC, and WinXP until 2014. And the simple fact is that now Apple has switched to Intel you can buy the SAME hardware that is in a Macbook or Macbook Pro for $700- $900 or more cheaper from a Dell or HP. So the price difference is for OSX and the pretty. So for an Apple guy to say Windows is expensive when they are paying that much for OSX PLUS having to "rebuy" it every year is just nuts.

I think part of it is when people exaggerate the cost difference, Mac people exaggerate back the cost savings.

Please point me to a Dell/HP equivalent of a MacBook I can purchase for $100-$300 ($1000 minus $700-$900).

Re:Imagine.

Namely - A $100 fee every year to upgrade from 10.4, to 10.5, to 10.6, and so on

I don't like to contradict your wonderful hyperbole with mere facts, but the upgrade from 10.5 to 10.6 is going to cost $29, and comes two years after the release of 10.5, making the cost $14.50 per year, not $100. The upgrade from 10.4 to 10.5 cost $129 I believe (although it was $20 if you had bought 10.4 after 10.5 was announced) and was release 2.5 years after 10.4, making the cost per year $51.6. If you bought both of these upgrades, you will have spent $35.11 per year on upgrades.

I'd rather roll Windows XP, which has cost me a grand total of $0 USD for SP1, SP2, and SP3 over the last 5-6 years.

Re:Imagine.

You must be rich

Re:Imagine.

[jedrek]

If $100/year to not have to deal with Windows' virus/trojan/takeover bullshit is a lot for you then you might want to consider finding a job that pays more than minimum wage.

Re:Imagine.

[Odin's+Raven]

There are still people that think ActiveX is a gift to humanity.

Well, nobody said it was a good gift. :-P

Re:Imagine.

Buy one. Then you'll understand.

Re:Imagine.

And for that equal cost, you get increasing operating system performance rather than a gradual slowdown from constantly scanning everything you access. How nice!

Re:Imagine.

Upgrade to 10.6 from Leopard is $29 ($49 for a five computer license) and 10.6 is being released almost two years after Leopard, it is also meant to be a cleaned up and optimised Leopard with few new features.. kinda like Windows 7 except not meant to fix a huge mistake.
Leopard itself was released over two years after Tiger.

10.1 was a free upgrade for users who bought 10.0. The only "yearly paid upgrade" was 10.1 through 10.3, the trend has been every two years since 2003.

Windows Vista was released in 2007, it is being replaced in 2009. Do you really think the upgrade to Windows 7 from Vista will be even close to $29, or even Apple's $50 multi-system license?

It would appear the more recent Windows trend is much more expensive than cheap, unless you do not bother upgrading Windows versions at all. At some point application makers will stop supporting the older platforms though. Even now there are plenty of apps that will not run on Windows 2000.

Re:Imagine.

[vassilios10]

http://en.wikipedia.org/wiki/Stop_Making_Sense

Re:Imagine.

[jvkjvk]

i.e. Macs are expensive to maintain. In contrast I bought a Mickeysoft XP PC in 2002 and haven't spent a dime since then for OS updates. i.e. Cheap.

And I bought a Mac with 10.4 and haven't spend a dime since then for OS updates. i.e. Cheap.

And, just for those who are complaining about software - all my software works, still, on that version of the OS. Everything I have wanted to get has happened to work on that version of the OS.

Maybe it's because I'm boring, and don't want or need all new shiney software every ten seconds, but there it is - I have had no reason to upgrade.

So much for anecdotes, you have one, so do I.

Re:Imagine.

[UnrefinedLayman]

Yes, it has cost you $0 to get SP1, 2 and 3, but there is no way you can compare the changes found between Mac OS X 10.1 (released September 2001) and OS X 10.5 (released October 2007) with the changes found between Windows XP SP0 (released October 2001) and Windows XP SP3 (released May 2008).

Service Packs are collections of hotfixes with some new features added. New revisions of OS X include entire application suite upgrades, in addition to hundreds of new features at each rev.

Re:Imagine.

[TheRaven64]

Well, obviously. By global standards anyone who can afford a computer is pretty well off. But an extra $35 per year isn't much when compared to the total cost of owning a laptop. And, of course, you don't have to buy the upgrades. My PowerBook is still running 10.4 and I have no plans on upgrading it to 10.6. I'll probably move it to OpenBSD when Apple stops supporting 10.4 (I have a PowerPC Mac Mini running OpenBSD already).

Re:Imagine.

[Runaway1956]

Linux has traffic shaping software that is far superior to your ISP's "Web Accelerator" software. I would be willing to bet that Mac has the same features.

Web accelerators are for dialup connections, primarily. You only get ~48k on that connection, no matter what. The pages can't be fed to you any faster than 56k, period, and quality and length of wire between you and the ISP will decrease that. Wondershaper or Firestarter can ensure that QOS rules are followed, and that interactive web apps (such as your browser) take priority over downloads, FTP transactions, updates, etc. A good hosts file can block advertisements and flash content that you don't want to see, which is generally 80% of the total page content.

About the only tool left that might help to speed browsing is compression - but if you have already done traffic shaping, and prevented ads and other undesirable content, compression isn't going to help very much with the remainder.

Also, with compression, your ISP isn't stripping the undesirable content. They have no incentive to do so, they will just compress EVERYTHING, and push it at you.

Put a Windows machine with accelerator side by side with a Debian or Ubuntu machine that I've optimized for QOS, there would be precious little difference. I suspect that the Debian box might be a little faster, because it pulls less total content from the ISP.

Re:Imagine.

[bstreiff]

That happens on Windows, too. Why can't Firefox keep Windows 98 support? Why can't Halo 2 support XP?

Re:Imagine.

No offense, but the upgrades 10.0 -> 10.1 -> 10.2 -> 10.3 were all $129... and the improvements were arguably more necessary. There were a lot of parts of the operating system that were broken between these releases, and *those* should have been the releases to cost $29 to upgrade. Yea, Apple was doing some serious dev to fix those issues, but they shouldn't have released OSX and touted it as an 'everyone needs this' and even axed OS9 so quickly if there were so many issues with the operating system.

Re:Imagine.

In contrast my Mac 10.4 which is not that old, refuses to run anything because virtually all the software requires 10.5 or higher.

I'm confused; didn't your previous post say:

I would upgrade to a Macintosh and abandon the Microsoft/ActiveX/Exploder trojanware completely, but Mac has its own undesirable flaws.

Re:Imagine.

i.e. Macs are expensive to maintain. In contrast I bought a Mickeysoft XP PC in 2002 and haven't spent a dime since then for OS updates. i.e. Cheap.

And I bought a Mac with 10.4 and haven't spend a dime since then for OS updates. i.e. Cheap.

And, just for those who are complaining about software - all my software works, still, on that version of the OS. Everything I have wanted to get has happened to work on that version of the OS.

Maybe it's because I'm boring, and don't want or need all new shiney software every ten seconds, but there it is - I have had no reason to upgrade.

So much for anecdotes, you have one, so do I.

And yet, your anecdote cost $2500 retail, while the Win box probably cost half that at most. Yearly upgrade fees ain't but the half of it. it's downright retarded for you to ignore the fact that the BASE PURCHASE of a half-assed Mac is going to be at least %50 higher than a faster PC.

Feel free to argue that, but it's very easy to prove otherwise. Hell, even at $500 for a Mac Mini, I could build a PC that would trash it in every performance aspect. If you want to talk laptops, feel free to compare what you get for the $2900 I spent on this MacBook pro and see what kind of machine that would buy you at Dell, Toshiba, or even Alienware for the same price. And *that* Ladies and Gents, is no bullshit.

Re:Imagine.

[Adm.Wiggin]

I've got a first generation Macbook, and I saw slowdowns when I upgraded to Leopard... Snow Leopard is supposedly the answer to all that, but I'm not sure I want to spend the $30 on a maybe, for an operating system that's very visually pleasing, but doesn't do what I need. I think I'll just stick to Linux, even though it's still got a few compatibility problems.

Re:Imagine.

[Adm.Wiggin]

On the other hand, I'm not saying Leopard was a bad switch. Time machine was amazingly wonderful (saved my butt a few times), but it was a pain to get it to work with something besides Apple's own remote backup solutions. Leopard added some nice features that were (arguably) worth the slowdowns, but in general, Mac OS just doesn't quite cut it for me. Every Mac fanboy I talk to tells me how "amazing" XCode is, but every time I use it, it feels outdated and crufty. Oh well.

Re:Imagine.

[thePowerOfGrayskull]

Hm - so why upgrade to new versions? I'm not familiar with mac updates, but do they stop issuing security updates once the new version comes out? If so, that's an excellent reason not to buy. If not... I can't see that it would matter, as nothing requires you to spend the money.

Linux: you could run a windows VM, or WINE for your web browsing needs. That actually might be even safer than browsing directly on any platform, assuming that you didn't use the VM for anything else.

Re:Imagine.

[hairyfeet]

You are talking about the absolute bottom of the line Macbook. Does anyone buy the absolute bottom of the line Ferrari? Not many. I have plenty of friends that use Mac (the local college is a Mac college) and the average price they paid is $2200. Now why don't you look up the $2200 Apple (whichever one that is ATM) and I bet you dollars to donuts that you can find an HP with the SAME hardware if not better for around $1200. That is fully a grand spent for OSX and pretty.

But claiming the absolute bottom of the line Macbook should be what everyone bases their pricing on is as delusional as saying mac desktops should be priced based on the Mac Mini. Look, nobody is judging you, okay? I've ridden in a Ferrari and they are DAMN nice rides. I personally couldn't bear blowing that kind of cash on a car, but riding in one I can understand why someone with lots of free cash my indulge. It is the SAME with Apple. While I have used a Mac and don't think that OSX and pretty is worth the extra $$$$ if it makes you more productive or happy, then please, enjoy yourself. But these jumping through logic hoops trying to come out with a way that Apple isn't an expensive boutique brand? It is just nuts.

Re:Imagine.

[BikeHelmet]

>>>Except Windows apps from today still run on a 10-year old Windows 2000 machine, for the most part.

If you stick with free software, sure.

But all the storebought stuff won't run on a Win2k machine. It was about two years ago that I noticed many games wouldn't run on Win2k, as well as video encoding tools, etc.

It seems that for Windows, you have about 5-6 years that stuff will support your OS, and then you have to upgrade.

Re:Imagine.

(And Linux won't install my Netscape ISP's Web Accelerator software - so that's not an option either.)

I am on Netscape's (AOL) dial-up $6.95 plan (faster and more reliable than a lot of "free" wifi). I run Linux but don't have any accelerator software but posters above explain some options for that functionality. IMO, noscript and adblock are sufficient to speed the browsing process.

Re:Imagine.

[daem0n1x]

An ActiveX control contains native executable Wintel code. It's ridiculous that it can be part of a web page.

The browser is bound to a particular OS and processor? Yes, I'm OK with it, I installed it.

Re:Imagine.

I understand that ploy of repeating/restating oneself to make a point but the third time was too much for me and the forth time convinced me to call you out on it.
Get a grip.

Re:Imagine.

[jonadab]

> I bought a Mac with 10.4 and haven't spend
> a dime since then for OS updates. i.e. Cheap.

Alright, I am now officially tired of this "whose upgrades are cheaper" argument between the Mac and Windows folks, so listen up:

I got a CheapBytes Debian CD in 1998, and updates are always free. That makes my total cost something like six bucks, including shipping, in eleven and a half years, which averages out to fifty-some cents per year.

So everyone who spends more than a dollar a year on software can just SHUT UP about how cheap their option is, okay?

Re:Imagine.

[DJRumpy]

Antivirus/Dat ($50) + VisualStudio ($199) + WinDVD ($79) + CoffeeCup ($50) + $50 VScan renewal yearly for say 4 years = $578. $70 more bucks to get DVD Playback for WinDVD since anything up to Vista doesn't include MPEG-2 and neither will the basic versions of Windows 7

That's what you need to buy to get something comparable to the OS and bundled software included with a new Mac (although the Mac doesn't need the VScan software, the Windows PC will in the real world).

You also get no additional shovelware loaded onto your desktop. None...I've bought a lot of hardware over the years from the big vendors and they all load your PC with boatloads of crap that often make it more viable to just do a wipe when you get it (HP, Sony, Dell, etc..they are all guilty of it) assuming they even give you a 'clean' installer disk. Most don't. They just give you an imaging CD that puts the same shovelware back on.

You don't have to deal with any of that with an Apple.

Now tack those additional software costs, and the hidden costs in time for a $1000 Dell laptop for example. You end up with about $1500 bucks for the software + hardware not including the cleanup costs and time for shovelware and malware post purchase.

A similar Macbook Pro for $1700 doesn't look so bad to me considering the lack of hassle you get out of it for that extra $200. I was a die-hard Windows fan. I was one of those freaks that went to the movie theater for the launch of Windows 95's beta and I was in line at the store at 12AM to buy it on release night. I bought every OS they've released since then including 98, ME, 2000, XP, and Vista (Vista) which will be my last MS purchase. I used to scoff at Apple. Not any more. Unlike some here who throw out opinion without ever having actually bought one, I actually did. I now understand why the folks who use them are such a loyal group. You actually get to enjoy your computer, rather than struggle with it.

Re:Imagine.

[Kalriath]

Yes, but there are no upgrade fees for going from say Windows XP to Windows XP SP2.

Compare to Mac OS X Tiger to Mac OS X Leopard, an equivalent jump.

Re:Imagine.

[peipas]

The analogy would be complete if only Ferrari owners had to hold a button on the dash in order to brake, using the same pedal as the throttle, versus Apple laptop users.

Re:Imagine.

Oh snap... Mod Up! ;)

Re:Imagine.

[DarkJC]

Snow Leopard (10.6) costs $29.

Re:Imagine.

> Hey, Apple Guys, if you want to drive a Ferrari, just drive it and be happy. If you think spending $700-$900 or more for OSX is great, then fine and dandy, nobody is judging you.

I'm judging you!

Re:Imagine.

Hell, even at $500 for a Mac Mini, I could build a PC that would trash it in every performance aspect.

In the same form factor? I'd be surprised.

A quick Google found a guy on a Ubuntu forum who came close on specs, and close on price. But acknowledged that he didn't get any of the bundled Mini sw - and unless you're going with a free OS, the OS is going to be a big chunk on top of that, not to mention iLife (since everyone else is too)

Re:Imagine.

[Think+less!]

There is one huge saving-grace with Apple OSs that easily put them in the cheaper bucket for a household of many machines. OSX does not have any of Microsoft's onerous licensing, activation, genuine disadvantage crap. Apple's license permits a single purchase of OSX to be installed on at least three machines (it might be more). There is nothing stopping you from installing it on 12 machines if you desire. You could go through four point releases of OSX, applied to two machines, for considerably less than two copies of Vista Ultimate.

Seriously, even if that weren't the case, dealing with Windows is a nightmare. I have no problem admitting that I pay more for Apple hardware. I don't show my computer off. When I go to a coffee shop it's full of artists who also own Macs, so there is no gloat factor. But the relief from dealing with Windows and Microsoft issues is a tremendous return on the value of my Apple hardware + software. Why would I crawl back into the hands of my torturous captors if nothing is stopping me from running like hell?

Let me see... money or peace of mind... hmm..... A typical nice vacation from work/life costs $1k-$2k for a mere week or two away from the drudgery. The extra $1k I put toward my macbook pro has already yielded a great deal more than 80 hours of relief. Your last paragraph said it well. Every single dollar extra that went toward my Apple gear has paid off, and I have not regretted paying more for it even one second. Tell me, is everything I just said "totally crazy" or "desperate for redemption" as you suggest?

Re:Imagine.

The reason its costs so much more than the 900-100 your saying is that the extra money is buying an operating system that actually works!
Its so true that you get what you pay for....

Re:Imagine.

[hairyfeet]

Oh boy, here we go with the logic hoops AGAIN. Seriously what is it with you Apple people? It is like you have buyers remorse or something and are damned sure that if you jump through enough logic hoops you can find a way where Macs aren't expensive. But they always fail, just as in this case.

I can get software that does the same exact things as those you have listed for a grand total of $0.00 dollars. that is right-free nada gratis big goose egg. Antivirus-Comodo Firewall/AV. Works beautifully and costs zero dollars. Have no fucking clue what coffeecup is, and since I deal with Windows users all day long and have never heard of it, I'll say it is a niche and therefor don't care. I'm sure if I actually knew what it was I could find a replacement free. DVD Playback-VLC or Klite Mega Codec pack(preferred). Plays back anything from high def to funky 90s formats, a big goose egg on price. visual Studio-well there is Visual Studio Express, there is Netbeans, hell there are plenty of IDEs, again big nada cost.

So here again we see that trying to jump through logic hoops to "prove" that a boutique expensive brand is as affordable as a Ford is yet again a total failure. Do you feel like you are getting ripped off, is that it? Do you feel guilty about the money you spent? Because as I said you don't see Ferrari owners jumping through logic hoops, in fact the ONLY group that spends good money that jumps through logic hoops is Apple users. First it was "Motorola and PPC equal much more powerful than Intel performance" which of course turned out to be BS when Steve jumped to Intel. Now it is either "the Apple experience" or "OSX is cheaper" which I believe is pretty easy to prove OSX makes Vista Ultimate look downright cheap, or like you and "extra software equals extra value for money" which I just blew a nice torpedo sized hole in since Windows users don't actually have to spend money on the things you listed.

So just be happy already! Your brand is a niche, but so is Ferrari. Both are exotic, sleek, and fricking expensive. Accept it and be happy already! Because otherwise it makes you sound like you are desperate to "prove" you didn't get ripped off (and I said nobody is judging you on that point one way or another) or are having buyers remorse (which is a personal thing and again no judging here). But the simple fact is logic ain't on your side, so logic hoops will always come back to bite you in the ass. If Apple was such a tremendous deal then they would have 40%+ of the market. They don't because they are expensive and many don't give a crap about OSX one way or the other and just want maximum hardware bang for their buck. Which yet again is quite easy to prove that is Windows.

Unless you of course can show me a Core 2 Quad fully loaded desktop for $650 from Apple or maybe a nicely equipped Core 2 laptop for $580 from Apple Inc? Hell thanks to Steve switching to Intel you could even make one a Hackentosh if that made you happy. But with those specs most folks would be quite happy with Vista, and even happier when Win7 comes around. It'll do anything and everything that the average Joe wants a PC to do, except it won't take $2000+ out of his pocket like a similar Apple does. So sorry, that logic hoop don't work either. Better luck next time and thanks for playing our game! Please enjoy your consolation prize of Rice-o-roni, the San Fransisco treat!

Re:Imagine.

[DJRumpy]

All your paying for on your 'deal' is the processor. I've bought these before for family as well as for myself from my local Frys. The power supply fails after a year. The motherboard warps, or simply stops working if you ever unfasten it from the case (assuming your lucky enough to have a working motherboard that doesn't fail for some other reason before you decide to swap it out for a decent one), and the memory is bargain bin that performs at the low end. It also uses 'integrated' graphics, meaning shared memory for a no-name or trash graphics card which no one but your dad would use and even he will complain that his desktop crawls. There's a reason these are so cheap. Because they are throwaway hardware. You'll still be adding in all of those software costs and replacing your hardware and hte new graphics card, which will still throw your 'deal' over a thousand bucks again.

I've played this game too. Anyone can go and find some basement price on the net for throwaway hardware. I get adds for these every week from Frys. You buy them, yank the processor and maybe keep the case, and toss the rest in your closet for spare parts. There's a reason no vendor like Dell, Sony, or HP will sell their hardware this cheap. They would be buried in warranty claims and returns.

Show me a price direct from a vendor (not a resaler, but a vendor like HP, Dell, Lenovo, Sony, etc) that is this cheap for comparable hardware (and I'm not talking about only the processor as your example had a integrated 128 MB no-name graphics card as well which would need to be replaced).

Re:Imagine.

[TheRaven64]

No again. 10.0 to 10.1 was a free upgrade.

Re:Imagine.

[billcopc]

Throwaway hardware is indeed a plague on the PC industry. In reality, decent (low-end) parts can be acquired for the same price as the junk stuff, or maybe a 10-15% premium.

I'm no Dell or HP, but I've built far too many "luxury" budget PCs in the $400-450 range. By luxury I mean they're noiseless, stylish and 24/7 reliable. It's just a matter of spending a little time researching your components. Our office machines cost me $600, for a much faster CPU and triple-head video. $700 gets you a quad.

The big box vendors have fallen behind the times with their Celerons and Foxconn boards and Astec power supplies. They have to cut corners, yet their high volumes constrain them to a handful of manufacturers that can keep up, so quality suffers. It's also damn hard to sell one computer design to millions of people, make it customizable and have it work perfectly for all of them. They're not going to review the entire build for every single order, like a small guy would.

Re:Imagine.

Not really an apple fan, but I recall reading an article that said that macs (when compared to a PC with the same specs) were actually pretty similar in price. However all Macs consist of pretty high end hardware so you can get a much cheaper PC with lower end hardware.

Re:Imagine.

[Ed+Avis]

The OS is backward compatible with older programs.
The program is forward compatible with features in the upcoming version of the OS.

Neither of those cases is the one the other poster was talking about: where newer applications are not compatible with older versions of the OS.

Re:Imagine.

[sexconker]

That would be forward incompatibility.

I responded to your parenthetical.

Re:Imagine.

[hairyfeet]

I build desktops PCs for a living and my big seller ATM is my "five year baby" for $500. I call it that because it will be running five years from now, no problem. How do I know? Because I cut my teeth building for construction guys, who are the worst for poorly ventilated, no AC, thick layers of dust and construction grime, etc, so I quickly learned what a PC needs to survive in that environment. I also avoid the "gamer elite" stuff, as I have found it to be buggy, often needing firmware updates after the fact to increase stability, and generally fail a LOT more often. Here is what my customers get for $500-

AMD 7550 or equivalent Intel, if AMD I use a 780v board, usually an ECS business class as I have had real good results putting serious punishment on those and I have built my latest personal with ECS business class. Very stable and haven't needed to update squat, just like how my customers like them, if Intel then an Intel board as they are more stable than Nvidia. RAM is 4Gb of Kingston, HDD minimum 320Gb WD, graphics are onboard (3400 if AMD or HD4xxx if Intel) which does what my customers want, but I will install an AMD HD4650 for an extra $100 if desired, audio is onboard but the new realtek HD sounds really good now and comes with digital out, etc. OS is XP Pro. I place an 80mm or 120mm on the front and a 120mm on the back, both low noise, so even under load you aren't gonna get past 105F, and I have builds in the wild that are pushing the decade mark. Most simply give the machines away to relatives long before they are close to worn out.

And the simple fact is I can find the same thing all day long on the net. Like System76 if you want a quality Linux notebook for example. It just takes a few minutes worth of time to find the full specs on any HP, Gateway, Dell(I personally avoid Dell like the clap), ASUS, etc. As for "throwaway" hardware? I did the research for the local school ages ago, and I'm typing this on one of those "throwaways". It is a 733MHz SFF Compaq. I have three or four of them in my closet or loaned out to relatives. These machines ran from 1999-2005 and then they got a budget increase and decided to upgrade. Not a single one at that time had failed. If you buy business class (which generally is $50-75 more) you will have a PC which will last longer than your desire to run it will.

I'm sorry, but Apple always was and always will be an exotic boutique brand. Logic hoops simply won't make the moon into green cheese and it won't make Apple computers cheap, because they ain't. How much is a desktop with plenty of expandability again? Something like close the $3k right? Just be honest with yourself, you will feel better. Say to yourself "I don't give a shit if I spend $1000 on OSX, I like it, and it makes me happy" see how easy that was? Life is too short for crazy logic hoops trying to prove 1+1=3 or Apple = cheap. Just be happy you have Ferrari money and live your life in peace. Meanwhile the rest of the planet will be getting many years from their Windows business notebooks and desktops, or buying from guys like me and having custom PCs ( something you can't do with Apple) built to their specs. Accept that Apple is expensive, logic hoops never work, and that you consider OSX worth the extra scratch. Otherwise you come off as desperate. Logic just ain't on your side dude,sorry. Have a nice day though!

Re:Imagine.

[DJRumpy]

I will ask again. Can you point me to an actual PC Manufacturer like HP, Dell, Sony, Lenovo, not a reseller, that sells a PC for that price? You can point all day if you like, but the simple fact is that Apple is a vendor, just like Dell, HP, Lenovo, Sony, etc. You will not find anything that cheap for comparable hardware on any of their sites. I challenge you to find a quad-core desktop on any of their sites for $600 dollars.

Your implying a Compaq is throwaway? Compaq IS HP, and they are definitely not Tiger Direct or Frys quality. They were one of the most expensive PC brands on the market before being absorbed into HP.

You keep implying how cheap the hardware is and that you can get this here and that there, but not one of you can provide a link for substantially cheaper hardware from a VENDOR. Your holding Apple to a home made PC cost, while ignoring the fact that every other Vendor has similarly priced comparable equipment for about the same price as Apple.

Re:Imagine.

[bstreiff]

Leopard added a lot more over Tiger than SP2 did over XP.

Re:Imagine.

[hairyfeet]

Geez, just begging for it, ain't ya? Well here you go. And notice the top o' the line business elite notebooks come with nicer gear than the $2400 Apple machine at around $1200 cheaper, fully loaded. We're talking 8Gb of DDR3, dual discrete/onboard GPU setup, nice fat HDD, ULV Intel Core 2, etc. That took all of 7 seconds with teh Google, but you knew that didn't you?

Why do you keep punishing yourself? Is there some deep seated desire to prove that you didn't blow huge gobs of money, or what? Why is it so hard for you to accept they are expensive? You can sit here and jump through logic hoops for the next 100 years, it will never change reality. Apple is expensive and gives you limited choice. That is the price that you and the other "Apple elite" are willing to pay for OSX. Nobody cares, nobody is looking down on you for your decision. Just accept it, be happy that you have that kind of cash to blow in this economy, and move on. Otherwise it is just......well it is kinda sad.

It is like those Linux guys that will come up with "gems" like "sudo is JUST as easy as runas, because it is more powerful than a GUI!". But of course we all know it isn't, because Joe average doesn't give a flying fart about "the power of CLI" and just thinks CLI is a royal PITA, and I have to agree. Just as trying to prove to Joe average that a $2200 Apple provides him a good deal like that $800 HP does is just nuts. While there are many nice things about Apple, price just ain't one of them. Accept and move on dude.

Re:Imagine.

[DJRumpy]

Nice try. I see nothing in your link but base model prices with inferior hardware. Bump them up to be comparable to a Mac, and the prices are the same or even more than an Apple.

Starting at: $ 1,249.00* - The first two for instance has a slower base processor, 800 Mhz DDR2 memory not 1066 Mhz DDR 3, no Wireless N, and shared memory for graphics for the first two cheapest ones ($1249 and $1479). Did you even browse the hardware for the link you posted?

These are the pre-configured models that are at least a bit closer to Apples hardware. Note that the second one (a 15" model) is comparable to an Apple Macbook Pro (15"), although it has less ram (2GB of DDR2 instead of 4 GB of DDR3 that comes on a Mac). It's $2,149 which is actually more than a comparable Apple. This is directly from the link you posted. The sub $1000 notebooks listed are barely above a netbooks with 12" displays, cheap integrated sub-par graphics, and DDR2 again.

Re:Imagine.

[harmonise]

So owning a Mac is exotic and fast, just like owning a Ferrari. I think I can live with that. :-)

Re:Imagine.

[VisceralLogic]

You are talking about the absolute bottom of the line Macbook. Does anyone buy the absolute bottom of the line Ferrari? Not many.

I bought the bottom end MacBook. I'm a software developer in the aerospace/defense industry. It serves my needs (GCC, UNIX, TextWrangler) better than any Windows system.

My mom and a couple of my friends are also happy owners of the lowest-end MacBook.

FWIW, I saw some numbers that indicated the average price customers paid for an Apple laptop was $1400, across the MacBook and MacBook Pro line. So if you claim the $1000 is unreasonable, I claim $1400 is then entirely reasonable. Still think you can find a comparable HP/Dell for $700-900 less?

Re:Imagine.

[hairyfeet]

The problem is the "features" you are touting are the crap nobody wants unless they want to wag their epeen! For example DDR3-total crap. The latency on DDR3 is complete shit. The ONLY way that DDR3 is worth the extra lag is if you stuff the living hell out of a machine with enough of it to make up for the lousy latency. Less than 8Gb? Crap.

-This on the other hand is complete and total overkill for 99.995% of the home and business users. of this I know because many of my customers are happy to let me run performance counters for a week or two to allow me to "tune" the performance after the sale. Most aren't even hitting 1.5Gb or 12% CPU on machine with a LOT less power than the one at that link. In fact my biggest sellers are the lowest Core 2 Dous on the laptops and the AMD 7550 on the desktop and I have yet to see a customer get above 20% utilization for any length of time.

Let me ask YOU a question: If Apple is such a "good value" then why do YOU think company after company after company keep coming out with HAckentoshes" huh? Allow me to answer that. It is because with Apple you have shitty (Mac Mini) or total overkill (Mac Pro) and pretty much nada in between. Same with their laptops. You got the shitty $1000 model and the decent ones are all over $2200. Did you look at the price of the "total overkill" laptop? It is a grand total of $1379 and completely stomps anything Apple has for less than $2400. That is a full $1000 difference. Pretty big difference,huh?

Look, if you want to spend crazy money on a shiny, that is your business. Nobody is judging you for it. But I can sell a laptop for less than $1000 that will doo all that my customers can ever ask for and then some. And of course we both know that Apple doesn't even make desktops, as the Mini is a bad joke filled with laptop parts and the next desktop is ....what? $2400+? Meanwhile I just sold a client a really nice quad core for $750, and that is with me making nearly $200 on the build!

But you can read for yourself here and here that I am not the only one who thinks Apple is like Ferrari-nice and pretty and expensive. Do you see doctors going around saying their Hummer H3 is a "good value for the money"? Or their trophy wife saying that Lincoln Navigator is "a good value"? NO! So be happy with your expensive status symbol and enjoy it. Meanwhile my customers and the other 90% of the US population that don't have a couple of grand burning a hole in their pocket will get really nice Intel and AMD (how is that AMD Apple doing you? Oh yeah, you don't get a choice there either) crotch rockets for cheap. And yes, they will last much longer than most folks actually want to use them for, as the 1.1GHz Celeron HP Pavilion I'm typing this on, or the whole damned closet full of under 3GHz desktops can attest.

Re:Imagine.

[DJRumpy]

You should get out to the Apple site more often. 3 clicks would show you that ALL of their offerings can be had for less than $1500 with the exception of the top end Quad Core Mac Pro desktop and that one weighs in at $2400. All the rest are either $999 or $1200 for the base models.

$999 Macbook
2.13GHz Intel Core 2 Duo
2GB DDR2 Memory
160GB hard drive
NVIDIA GeForce 9400M graphics
Did you even look at your linked hardware?

$1379 (sale price) HP EliteBook 6930 (regular price $1652)
2.4 Ghz Intel Core 2 Duo
4 GB 800 MHz DDR2 160GB hard drive
ATI Mobility Radeon HD 3450 (256MB)

$1699 15" Macbook Pro
2.53 GHz Intel Core 2 Duo
4GB Memory
250GB hard drive
NVIDIA GeForce 9400M graphics

You're clearly not 'stomping' anything. Your linked HP is right in the middle of these two and so is it's sale price. Regular price for the HP is the same as the 15" Macbook pro which has a faster processor, a larger hard drive, DDR3 @1066MHz instead of DDR2 @800MHz), and a larger display (probably why the HP 6930 is currently on sale).

As to what is overkill, that is totally what an end user finds valuable and where the tech market is going. You could have made this argument about XP and then two weeks later tried Vista and realized you'd made a mistake. You should always overbuy a bit on a PC's horsepower. It makes sense and typically insures that the PC will handle any OS updates over the next 4-8 years since a home user will probably keep a PC 2-4 times longer than a typical IT shop. What is 'more than enough' today will not be that way 4 years from now unless they do no upgrades the entire life of the PC. Possible on a business PC, but much more unlikely on a home PC. With a little extra, they can keep their hardware as long as possible. Please stop implying that they are twice the price of a comparable piece of hardware, when clearly they are about the same price as your own links have shown. HP won't offer Tiger's reseller prices, and neither will Dell, Sony, Lenovo, or Apple for that matter. Don't hold Apple to some imaginary standard for a resellers prices or homebuilt prices when they are not a reseller.

Re:Imagine.

[ehrichweiss]

I never mentioned any number other than the $20,000+ paid for my SGI boxes... And 900-100 isn't a range of numbers, it's 1/2 of an equation equaling 800. Please try again so I'll know what your point was...or maybe respond to the person you actually intended the reply to reach.

Re:Imagine.

[DarkEmpath]

There is no cost for anti-virus (except maybe in the corporate world). You mac people are just used to paying for what others get for free.

Re:Imagine.

I can't tell whether you're being disingenuous or not. An ActiveX control is not part of a web page, it's a component on the system viewing the webpage which the page can make calls to. The web page side of the relationship is not Windows or X86 specific at all, except in the sense that the technology was only ever implemented on Windows X86. There is nothing stopping Konqueror, for example, implementing the technology on KDE on some other architecture, and the associated controls would consequently be KDE/Other Architecture-specific.

sensationalist much?

[timmarhy]

yes activex sucks, anyone who doesn't know this already has rocks in their head, but calling a patch "weird beyond belief"? MS gets wind of security hole that might be really bad, patches it urgently.

damned if they do damned if they dont?

Re:sensationalist much?

[noundi]

I have to agree. I don't see the reason why patching a security hole asap is an issue. Also to make it clear I'm only referring to this isolated action, nothing else.

Re:sensationalist much?

[mortonda]

You missed the part where they knew about the flaw 18 months ago. That's just... sad.

Re:sensationalist much?

[Cro+Magnon]

Patching a security hole ASAP is a good thing. But it's still unusual behavior from Microsoft. One would expect them to wait 2 weeks for the normal Patch Tuesday.

Re:sensationalist much?

[Rashkae]

It's not an issue exactly, but I can't off the top of my head recall a time that MS has released an out of schedule patch that wasn't to fix a problem already well known and being actively exploited.

Re:sensationalist much?

[noundi]

It's not an issue exactly, but I can't off the top of my head recall a time that MS has released an out of schedule patch that wasn't to fix a problem already well known and being actively exploited.

Me neither, but it's still a good thing. Perhaps there should be Black Hat sessions every week? ;-)

Re:sensationalist much?

[Fred_A]

yes activex sucks, anyone who doesn't know this already has rocks in their head, but calling a patch "weird beyond belief"? MS gets wind of security hole that might be really bad, patches it urgently.

Not only that but they patch it urgently for the 175th time. If that isn't urgent I don't know what is.

I don't know of any other OS company that's that focused on security that it patches the same kind of thing that many times : "We have to make sure, the security of our users is important to us !".

Now that's dedication !

Re:sensationalist much?

[pfleming]

Patching a security hole ASAP is a good thing. But it's still unusual behavior from Microsoft. One would expect them to wait 2 weeks for the normal Patch Tuesday.

You mean you would expect them to wait 18 months and two weeks? That's absolutely ridiculous! The only reason to release now is that it's being exploited in the wild. Do you really think they would have fixed it on patch Tuesday if they hadn't done so in 18 months?

Re:sensationalist much?

[commodore64_love]

I thought the weridness came from using a "killbit" solution. Any spybot programmer will easily be able to override that.

Re:sensationalist much?

[mcgrew]

"Sad" isn't the word for it. Evil comes close, though. The fact that the flaw was introduced by their own development tools is what's sad. The people who get exploited by this flaw will be sad.

Re:sensationalist much?

[noundi]

You mean you would expect them to wait 18 months and two weeks? That's absolutely ridiculous! The only reason to release now is that it's being exploited in the wild. Do you really think they would have fixed it on patch Tuesday if they hadn't done so in 18 months?

Nope, what's your point? I made it very clear. I'm only referring to the isolated action of patching something asap. I'm not defending nor attacking MSs methods. Please read the posts more thoroughly when you reply to them.

Re:sensationalist much?

[noundi]

Please read the posts more thoroughly when you reply to them.

Now that was embarassingly ironic. I apologise sincerely.

Re:sensationalist much?

[blincoln]

Not only that but they patch it urgently for the 175th time.

MS haven't patched this vulnerability 175 times. They've issued 175 patches that have made use of the ActiveX killbit mechanism to disable various old controls, as opposed to patching the vulnerability in those controls.

Re:sensationalist much?

wow...

your an idiot....they didnt patch the same thing 175 times, they issued 175 killbit patches. to make this easy for you to understand, killbits are like flags, microsoft uses them to 'flag' inappropriate OS behaviors and tells the OS how to handle to issue. Which means there are 175 flags (killbits) in use today..

I may have dumbed this down way to much, so if I am off please feel free to correct me.

Re:sensationalist much?

"just spent six months in a leaky boat / lucky just to keep afloat"

Re:sensationalist much?

[sexconker]

How, pray tell?

Re:sensationalist much?

[WD]

Sure, it's easy to disable killbits if you have the ability to run code on a windows system. But if you've already reached the point of running arbitrary code on a windows system, why would you go through the trouble of disabling a kill bit and then hope that the ActiveX control gets exploited so that you can... run code on a windows system? Think about it.

Re:sensationalist much?

[Bert64]

Because that makes for a very good backdoor...
If the owner of that system removes your malware, you have at least left the system open so that you can install something else more easily in the future.

Cone of Silence?

[eldavojohn]

Microsoft refused to explain the flaw and even put a cone of silence around researchers

Those suck. My dog had to wear one of them for a week. Didn't shut him up but it sure stopped him from licking what used to be his balls.

Re:Cone of Silence?

Those suck. My dog had to wear one of them for a week. Didn't shut him up but it sure stopped him from licking what used to be his balls.

And why does a dog lick his balls? Because he can.

Re:Cone of Silence?

But why lick your balls when something far more pleasurable is right next to it?

Re:Cone of Silence?

Microsoft refused to explain the flaw and even put a cone of silence around researchers

Those suck. My dog had to wear one of them for a week. Didn't shut him up but it sure stopped him from licking what used to be his balls.

Do researchers lick their balls?

Re:Cone of Silence?

Who knows, maybe licking your own balls is the height of pleasure?

Re:Cone of Silence?

[nagnamer]

Not when they are wearing a cone of silence.

Re:Cone of Silence?

[foniksonik]

Oh the poor dog then... apparently he can only lick what "used to be his balls"...

Re:Cone of Silence?

[fl!ptop]

Those suck. My dog had to wear one of them for a week.

i don't think it means what you think it means.

The real mystery

[BadAnalogyGuy]

I've always been baffled by Microsoft marketing's insistence that ActiveX is pronouced "active" with the "X" silent. I've never met anyone who didn't pronounce the technology "Active-X".

I also didn't like how ActiveX morphed from a special browser-only technology into a synonym for COM and then into a replacement for OLE. At least now we've got .NET which promises to rid us of C++ once and for all.

Whoever thought making C/C++ an implementation language for anything as complicated as an OS ought to be shot. The number of possible vulnerabilities is through the roof, as this latest patch shows.

Re:The real mystery

[plague3106]

I also didn't like how ActiveX morphed from a special browser-only technology into a synonym for COM and then into a replacement for OLE. At least now we've got .NET which promises to rid us of C++ once and for all.

ActiveX was designed to replace the overly complex COM way of building components. It was added to the browser later to provide a richer browser experience. I'm not sure I see C++ going anywhere, and you can build ActiveX components using C#.

Whoever thought making C/C++ an implementation language for anything as complicated as an OS ought to be shot. The number of possible vulnerabilities is through the roof, as this latest patch shows.

C was used because it was more productive then assembler, but still performed very well. Of course being so close to the metal means that its easier for programmers to screw up... but I'm not sure C# will be used to build the base of an OS anytime soon. You'd almost have to make the CLR the OS... which while an interesting idea not one I think we'd see soon.

Re:The real mystery

Protip: ActiveX has been based on COM since the beginning.
 
P.S. The developers created the bugs, not the language. Scrub.

Re:The real mystery

[xniteman]

If they were all shot which OS would we be using right now?

Re:The real mystery

[morgan_greywolf]

OS/2?

Re:The real mystery

[xniteman]

Which language will you use to write the CLR then? C# itself? Yes, it's doable. But then you can't use CLR to run your CLR implementation in C#, or it never ends. So you have to compile your C# code to binary, and consequently you can't rely on the features of CLR, such as memory management, what's the point of using C# then?

Re:The real mystery

[Bakkster]

Whoever thought making C/C++ an implementation language for anything as complicated as an OS ought to be shot. The number of possible vulnerabilities is through the roof, as this latest patch shows.

C was used because it was more productive then assembler, but still performed very well. Of course being so close to the metal means that its easier for programmers to screw up... but I'm not sure C# will be used to build the base of an OS anytime soon. You'd almost have to make the CLR the OS... which while an interesting idea not one I think we'd see soon.

I thought Vista was supposed to be built with .NET, only to have those plans scrapped. If MS isn't building their OS with C# and .NET, there must be a reason.

Re:The real mystery

[commodore64_love]

>>>Whoever thought making C/C++ an implementation language for anything as complicated as an OS ought to be shot.

In the 1980s the C language was the best option. There wasn't anything better. And since Windows/DOS and Windows/NT were developed during the 80s, we still live with the legacy. Simple as that.

Re:The real mystery

[mcgrew]

I've always been baffled by Microsoft marketing's insistence that ActiveX is pronouced "active" with the "X" silent. I've never met anyone who didn't pronounce the technology "Active-X".

Considering all the exploits it's made possible, I call it hActive-X.

Re:The real mystery

[VGPowerlord]

I thought Vista was supposed to be built with .NET, only to have those plans scrapped. If MS isn't building their OS with C# and .NET, there must be a reason.

I think you're confusing Vista with Singularity.

Re:The real mystery

When did .NET and C# become synonymous? C# is a language. .NET is a collection of libraries and frameworks. the .NET frameworks are available for use in C#, C/C++, Java, Visual Basic, etc.

Re:The real mystery

[recoiledsnake]

No, significant parts of Vista were supposed to be rewritten in C# but due to performance(or other) reasons, the plan was ditched in 2003/2004 and a normal C++ upgrade to XP was started. This was one of the big factors in the delay of Vista's release.

Re:The real mystery

C was used because it was more productive then assembler, but still performed very well. Of course being so close to the metal means that its easier for programmers to screw up...

Which is why bad things happen when you let mediocre developers loose on software products that need bare metal resource control for performance, slack off on project management, quality control or allow marketing dweebs and clueless PHB's to ruin the product with unrealistic deadlines.

Re:The real mystery

[killthepoor187]

I miss os/2. Warp 4 was great.

Re:The real mystery

[cyberdrop]

The reason was not performance. It was an compability issue.
Currently there can only one version of the CLR be loaded into a process. The CLR version of the first .NET DLL is used in the process.

This is also the reason why you should not make shell extensions in .NET. The Windows Explorer would load the shell extension dll in unknown order. If the first one is a .NET 1.0 Dll all .NET 2.0 Dlls would not load.
If a Programm delay loads the CLR a simple call to the Open File Dialog would cause the .NET 1.0 CLR to be loaded into the process.

This problem will finally be solved in .NET 4.0. I think we will see the use of .NET in Windows 8...

Re:The real mystery

You just pretty much summed up as to why .NET is a complete total failure.

Re:The real mystery

I thought it was pronounced acti-vex, for its vexing effect on normal system activity...

Re:The real mystery

[cyberdrop]

.NET is perfectly fine for anything other than writing plugins or plugin hosts for parts of the operating system.

Re:The real mystery

[rzei]

I do not think that the problem lies in use of C/C++, but in the horrible way of using it. From what I've gathered around the Internet "why win32 is great" is that they lacked any kind of stable way of creating their (old?) APIs; everyone just created a new standard for return values and parameter handling. And on top of that some crazy macros that make Symbian code look readable in comparison.

I mean, I've only learned how to program in C/C++ (at university) but been working as a Java dev for quite some time now. Still I can almost make sense of mplayer's or ffmpeg's source code but every time I see some "Windows" C++ it's just plain awful because of all the macros and #define constants. If you ever read KDE's or Qt's sources and compare those to something done with win32... There is a massive difference.

Every tool can be miserably misused.

Re:The real mystery

[weicco]

Whoever thought making C/C++ an implementation language for anything as complicated as an OS ought to be shot.

Ken Thompson & Dennis Ritchie (Unix), Andrew Tanenbaum (Minix), Richard Stallman (Hurd), Linus Torvalds (Linux) - You really think those guys ought to be shot? ;)

Re:The real mystery

[BadAnalogyGuy]

I'd say at least 2 out of those 5 could stand a good shooting. Let me express it in C:

double GuysToShootRatio = 2 / 5;

Dammit!

Re:The real mystery

[DavidTC]

I also didn't like how ActiveX morphed from a special browser-only technology into a synonym for COM and then into a replacement for OLE.

ActiveX was never a browser-only technology. It was just they referred to the embedding of COM controls in web pages as ActiveX, and eventually started renaming everything 'ActiveX'.

For people who don't know what we're talking about: COM started as a way to embed DLLs that provided specific functional in programs, essentially, 'plugins' that program builders could use that all operated much the same way. I.e., a lot of them you could mark out part of the application and have them responsible for drawing it, and receive signals when they part was active, etc.

Developers could go out and license, for example, a nice TIFF control to embed a picture in their application, or whatever. All the 'common controls' soon moved to this format. They contained all their 'header' information and whatnot inside them, so developers could take a COM file and see what was exported and whatnot in a consistent manner.

Like I said, it's like shared libraries, except all the functions are named and accessible via consistent means. They all use the same way to do things, so you can load them into your application without knowing what they are. (And hand over part of your document to them, or whatever.)

Creators could even do things like license these controls, where people could redistribute them, but not program using them.

ActiveX essentially is COM and OLE2. This were .ocx controls, the successor to .vbx controls, which is where the X in ActiveX comes from. (For those of you who remember your history, the very first version of this was called OLE, Object Linking and Embedding.)

All in all, this not a bad idea. In fact, most OSes have something like it...OSes start off with something like DDE or shared memory, and then end up with higher level functionality built on that to allow you to consistently embed parts of applications in others. Linux has something called, I believe, DCOP.

The problem came about when Microsoft started letting those DLLs be embedded in its web browser, instead of making people write DLLs with customer entry points and functionality, like Netscape had done. (And then it started renaming everything to ActiveX.)

I can see why it did it, in fact, using the COM format to embed controls makes sense, it's letting it use the existing controls that was the problem.

Re:The real mystery

[hairyfeet]

You can actually still buy it and it is still supported, it is just called eComStation now. I heard it is still popular in certain sections of banking and finance because of its excellent security. Although the fact that they still brag it has Windows 3.xx support in this day and age is kinda funny.

Re:The real mystery

[sexconker]

And we still don't have anything better.

Re:The real mystery

>ActiveX was designed to replace the overly complex COM way of building components.
ActiveX is a TYPE of COM object. All ActiveX objects are COM based components, just ones that support additional interfaces thus qualifying it as an ActiveX COM object. Thanks for playing.

Re:The real mystery

No, significant parts of Vista were supposed to be rewritten in C# but due to performance(or other) reasons, the plan was ditched in 2003/2004 and a normal C++ upgrade to XP was started. This was one of the big factors in the delay of Vista's release.

There was an attempt to see if the AERO interface could be done in WPF in time for Vista but no, significant parts were not planned to be done in managed code. The biggest issue to the delay between releases was that development on Whistler-Blackcomb was reset halfway through the dev cycle to be more about correcting a set of issues around driver security and better isolation model (remember that was back when several really bad issues slammed MS and gave them a black eye in the press). Thus Longhorn, as we know it today in Vista was rescoped to be about hardening the OS. http://en.wikipedia.org/wiki/Development_of_Windows_Vista

Re:The real mystery

[shutdown+-p+now]

ActiveX was designed to replace the overly complex COM way of building components.

What? Any ActiveX control is a COM component, by definition. ActiveX is a techology to build reusable and embeddable visual components, built on COM - that's all there is to it. It's was never designed to reduce COM complexity - heck, if anything, building an ActiveX control is much more complex than building a plain COM component.

And you can build ActiveX components using C#.

Have you ever tried? I mean, yes, technically you can do that, but you cannot use either WinForms or WPF for that purpose (it might look like it's sort of working, but you'll start running into weird things very quick). So if you want to do it in C#, you'll still have to work with Win32 API directly, including all UI. At that point you lose all the advantage C# would otherwise give you, and get some headaches that you wouldn't have with ATL - and on C++, there's always the (relatively) easy way out by using MFC - if you don't mind your control being a few hundred kilobytes larger than it has to be...

but I'm not sure C# will be used to build the base of an OS anytime soon. You'd almost have to make the CLR the OS... which while an interesting idea not one I think we'd see soon.

Heard of Singularity OS? Granted, it's a research project, but it exists nonetheless.

Re:The real mystery

[ivucica]

I pronounce it Active-ex, or when using local Slavic pronouncement "modifications", Active-eeks. In fact, the latter is quite common in my country.

Re:The real mystery

[AnyoneEB]

See Singularity, Microsoft's research operating system written primarily in C#. It uses an extended version of C# called Sing# in unsafe mode for implementing the parts that cannot be managed code (along with a little assembly and C code). The "See also" section on that page lists a few other research operating systems based on similar concepts, mostly using C# or Java. None of them are likely to see real use any time soon, but it is an interesting area of research.

Re:The real mystery

[stine2469]

Did you forget Kernigan?

Re:The real mystery

The correct pronuciation is Active eXploit.

Re:The real mystery

[weicco]

I thought he has more to do with C, not with Unix.

Re:The real mystery

[cyberdrop]

I'm currently working on something like that. Sure its hard work, but with some unmanaged code you can turn a c# app into a localserver. You can host an usercontrol in a ATL ActiveX Control and expose the object model to COM in managed code (calls must be manually switched to the ui-thread but thats easy using lambda expressions). Most of the code stays in c#.

Re:The real mystery

Obviously OS kernels should be written in a fast secure language like JavaScript. :)

Re:The real mystery

In the 90s Modula3 was a better system language for OS development, but... the mother company was buyed; was out of the c++ style oop fashion; and used mostly for "safe" systems, after java only the ones that need C like speed/foodprint are done in Modula3

Re:The real mystery

[plague3106]

I believe a native program can host different versions of the CLR simulationusly... or maybe I got mixed up somewhere?

Zombie control

Didn't Shaun of the Dead do that first?

It took 18 months...

[FunPika]

To make a patch that simply turned off ActiveX? I better be misreading this...

Re:It took 18 months...

[mortonda]

To make a patch that simply turned off ActiveX? I better be misreading this...

Not only that, but it forced a reboot. Why do you need a reboot to turn off a service?

In other news, why was my machine set to install automatically... and reboot automatically... Gah! What a stupid setting!

Re:It took 18 months...

To make a patch that simply turned off ActiveX? I better be misreading this...

If you RTFA it says they were more concerned about what might break if they did turn it off. You can't just yank something without knowing exactly what might be tied into it. Given all the libraries, files, legacy code, probably a billion lines of code made by several hundred thousand developers over the last few decades thats an awful lot to dig through to make sure stuff doesn't break. Its already off in Vista but they rebuilt a lot of vista so they were able to test it as they went.

Re:It took 18 months...

[jo42]

I'd suspect the vulnerability and solution was such a cluster frak, that it took that long to work it out without royally fraking everything else up.

Re:It took 18 months...

[intheshelter]

Eeaasssy big fella. The post had a point. 18 months is still ridiculous. It's almost as if MS wasn't taking security seriously and was instead wasting time on search engines, game consoles, media players, picking retail store locations and repackaging Vista as Win 7. . . . But no company could be THAT dumb and incompetent, could they?

Re:It took 18 months...

[Bakkster]

To make a patch that simply turned off ActiveX? I better be misreading this...

Not only that, but it forced a reboot. Why do you need a reboot to turn off a service?

Welcome to the best feature of Windows 7: turning off/on processes on demand, including IE!

Re:It took 18 months...

Eeaasssy big fella. The post had a point. 18 months is still ridiculous. It's almost as if MS wasn't taking security seriously and was instead wasting time on search engines, game consoles, media players, picking retail store locations and repackaging Vista as Win 7. . . .

Except those are different divisions of Microsoft that function semi-independently?

Re:It took 18 months...

[commodore64_love]

I'm calling Windows 7 - "Windows Vista 6.1" or "Windows NT 6.1". The truth must be told.

Actually:

  Vista/NT 6.0 ain't that bad if you upgrade your RAM to 16 gigabytes. Then it runs just as well as my XP PC with only 1/4 gig.

Re:It took 18 months...

[VGPowerlord]

The ActiveX killbits weren't the only thing updated. Microsoft also updated Visual Studio 2003 SP1, 2005 SP1, 2008, and 2008 SP1; along with their respective runtimes.

Re:It took 18 months...

[HangingChad]

Not only that, but it forced a reboot.

Woke up this am to find my token Winders box had rebooted overnight. Luckily I only use it as a weather station. I would have been pissed to wake up and find a work environment automatically rebooted. I save my work but sometimes I'll be in the middle of a project and it takes a lot of time to restore the workspace.

ActiveX is from the devil.

Re:It took 18 months...

[Chaos+Incarnate]

If you don't want your machine to reboot unexpectedly, don't use automatic updates.

Re:It took 18 months...

Except your XP box is limited to using no more than 2 processors. Vista will utilize all available processors. Also Vista handles SMP much better than XP ever has. I am running Vista on a Quad Core with 4 GB of RAM and it is a lot faster than any XP machine I've run. I can actually multitask in Vista.

Re:It took 18 months...

[sexconker]

PHYSICAL processors.
You can have 16 cores show up in task manager (and be used) in XP if you get a dual socket system (2) with two quad core (4) core i7s running HT (2).

2*4*2 = 16.

Re:It took 18 months...

[Blakey+Rat]

It's almost as if MS wasn't taking security seriously and was instead wasting time on search engines, game consoles, media players, picking retail store locations and repackaging Vista as Win 7

Yes, because Microsoft is actually just ONE extremely busy person! Either that, or you believe the guy who publishes Xbox Live games is the same guy who patches security holes in Windows and Visual Studio.

I mean, I agree with your point, it did take too long. But your complaint here is simply retarded. Microsoft has 70,000 employees. They've hired the entire Seattle area dry of good talent; creating security updates and publishing Xbox games are not mutually-exclusive.

Kill ActiveX

Instead of releasing a KillBit patch, why not releasing once and for all a Kill ActiveX patch ? The Web as yould be a safer place.

Re:Kill ActiveX

[click2005]

Doesn't Windows Update (via the webpage) use ActiveX?

Re:Kill ActiveX

[Kilz]

Yes, Im waiting to read about it being subverted by some malware or virus, its just a matter of time.

Re:Kill ActiveX

[Hatta]

So, kill Windows Update(via the webpage). Release a native, stand alone update tool.

Re:Kill ActiveX

"Doesn't Windows Update (via the webpage) use ActiveX?"

Yes ~ Tried to avoid it the other day but couldn't get a list of updates I needed without running the activeX on the page.. Its RAPE! This is in the same vein as the browse and ownage of flash that is supposed to be updated Thursday. Just browse to the wrong site and oops. I mostly only browse news, use google earth, picassa and iTunes. Still, relating to other topics such as how to clean your PC versus reformat and reinstall, I lean towards the latter just for this reason. So what my AV returns an all clear. I have trust issues!

I don't understand why we are forced to have IE installed as core components, even if we don't install it, or why there isn't a better method of sandboxing Active-X.

Re:Kill ActiveX

The one that already exists in current versions of Windows, you mean?

Standard Operating Procedure

[Drakkenmensch]

1. Be told of critical flaw by multiple, repeatable accounts and deny everything as a "paranoid fantasy"

2. Secretly prepare emergency patch and bury it in driver update patches

3. ???

4. PROFIT!!!

Re:Standard Operating Procedure

[RenHoek]

I believe step 3 here is

3. Maintain that Windows is more secure then other operating systems because bugs are fixed really quick.

Re:Standard Operating Procedure

[AP31R0N]

1. Build an OS that needs to run on a few hundred mobos
2. ... in combination with dozens of CPUs
3. ... run on out of date (slow) hardware
4. ... run a thousand or so applications you have no control over
5. ... be used by a billion or so people
6. ... play nice with hundreds of peripherals
7. ... be able to play nice with other OSes and across the net
8. ... will be under constant attack by many many many crackers because it's the tall poppy
9. ???
10. have constant patches to address these issues within budget and time frame
11. people will still bitch!!!

Re:Standard Operating Procedure

[abigsmurf]

Doesn't sound like a bad tactic to me.

*Haxx0r ur world con 2009*

Today I will demonstrate on this stage a vulnerability that MS have known about for a year! I will show off an attack that will give me control of any system!

*opens IE and visits the site with his exploit*
*nothing happens*
...
*becomes aware of the sound of crickets and 2000 people in the audience*

Re:Standard Operating Procedure

You left out: design shit security model that's impossible to fix without fucking most of those other points.

Re:Standard Operating Procedure

[EasyTarget]

Nice troll, but as you are aware the fact that pretty much every peripheral and application out there works with Windoze is because the designers and developers are forced to do it by the Windoze monopoly; and is not very often an active choice on their part, since selling a non-windows device is a shortcut to unprofitability. For example, Ipods have a windows client.
Basically the pain has been transferred from Microsoft and consumers onto the developers of those products; they are the ones who have to try and behave nicely with a badly-architected and insecure-by-design OS, and who typically get blamed even when the bugs are Microsofts responsibility/fault.

Re:Standard Operating Procedure

[Bert64]

1/2 - ms do very little to ensure compatibility with hardware, they are big enough that they don't have to, the maker of the hardware has to ensure their hardware is compatible with whatever ms put out or very few people will buy their hardware.

3 - only recently, up to and including vista they didn't care about performance on old hardware and just tried to force you to buy new kit.

4 - again see 1/2, if you dont make your apps compatible with the latest ms system then very few people will use it.

6 - same as 1/2, if you make peripherals that dont work with windows, they wont sell very well

7 - hahaha, ms supported tcp/ip and a few other internet related technologies because they had no choice, they do very little to bother supporting anything else that would be used for interoperability... they don't support any filesystems other than their own, they only support their own file sharing tech (nfs support requires an optional addon), they dont support ssh out of the box only telnet, and their applications are even worse like outlook which only supports its own proprietary protocol for calendering (no ical/caldav).

8 - apache is the tallest poppy in the webserving field, webservers make better targets for hackers than end user workstations because they typically have a lot more bandwidth...

10 - considering how much money they make from windows, they could easily afford to make the budget a lot higher... also, a lot of issues are down to poor design (including lack of design, nasty kludges built on top of crufty code)... windows is a mess that really needs to be dropped and started again... incidentally unix is a lot older, and yet suffers from far less stupid design decisions

11 - people bitch because the status quo isnt good enough, in any other market you would have competition and somewhere to go if one supplier screws you around with a shoddy product, windows has gotten its users so downtrodden that they now expect shoddy products and consider that normal... computers are now perceived by many as inherently unreliable devices.

Killbits, Killbill ...

[bagsta]

When I hear about killbits, killbill comes in my mind. I don't know why though...

Re:Killbits, Killbill ...

you should have tried harder making something funny out of it before posting... now, you've clearly exposed your lack of imagination

Re:Killbits, Killbill ...

funnier still is the fact that your killbill link's host has "bits" in the name. it's a sign! D:

Re:Killbits, Killbill ...

[Maximus633]

When I think of killbits... I think of the video with Balmer running across the stage and him yelling developers. Instead of it being developers its KILLBITS! KILLBITS! KILLBITS!

Re:Let's quash this now

[Vellmont]

So in this case the "band" is simply the normal monthly patch-tuesday update. Being outside that makes it out-of-band. Why does a band have to mean an entirely different medium of communication?

In any case, you can't fight it. I've heard this usage enough that it's part of standard techno-babble.

Kill Bit Vol. 175

[xactuary]

After a while, these sequels all seem the same to me. Pass the popcorn please.

It's the commonality.

[tjstork]

The thing about Active X is that is just a way to put an object oriented wrapper around a DLL. So really, its just a DLL.

The problem with DLLs is that they are good for process re-use on a desktop but not the kind of thing you want to be shoving into a browser. However, if Microsoft closed off Active X entirely in browsers, they would break Flash and third party OpenGL and movie plugins... and probably would wind up getting ripped for it.

The thing to keep in mind is that Firefox and other browsers that allow for DLLs to be loaded as plugins are going to have these problems as well. It's just that, there are less firefox plugins than there are activex controls out there, so the universe of the problem is smaller.

Re:It's the commonality.

[rolfc]

I know, a lot of people believe that when there is more users, there are more incentive to exploit and that is the only difference between Windows and Linux. It's just that it doesn't work that way. They are implemented in a different way, and since my confidence in the security of Microsoft isn't that great, I don't believe you are right.

Re:It's the commonality.

[makomk]

The thing to keep in mind is that Firefox and other browsers that allow for DLLs to be loaded as plugins are going to have these problems as well. It's just that, there are less firefox plugins than there are activex controls out there, so the universe of the problem is smaller.

Well, part of the problem is that ActiveX isn't just used for browser plugins, so there are a huge number of ActiveX controls out there that can be loaded into a browser but really weren't meant for this purpose. Unless the control is marked "safe for scripting", Javascript can't interact with it directly, but it's still loaded.

Re:It's the commonality.

[neonsignal]

There is truth in your argument that third party additions to a browser pose a security problem, but you are comparing coffee and fish.

Plugins pose a security risk because you are running software from unknown sources as part of your browser. However, you don't need to install the plugins in order to enjoy the browser functionality.

Active X on the other hand was always intended to be integrate with web pages, which means that in many cases you would not even have been able to view the content without downloading a COM object of dubious origin. Fortunately this has largely failed, and most web content is still accessible without it (though there are a number of commercial services on the other hand that require Active X to work).

The better comparison with Active X is other dynamic web code, such as scripting languages like javascript, and of course Java, which have been used for similar purposes. There are clear differences, because Active X is running native code, and so is notoriously difficult to sandbox effectively. It is obviously a matter of degree; no system is fully secure. But whereas exploits of Active X tend to often be total (access to the host machine), exploits of systems such as javascript often revolve around more subtle issues such as masquerading.

I actually think there is merit in having internet distributable native code. But having said that, there are multiple issues. I don't think the solution is merely to improve the containment of the downloaded code (indeed, that only makes it harder for the plugin to do anything useful). The problem is one of trust: how do I know if the binary code is trustworthy (Microsoft rubberstamp certification just doesn't do it for me!); and why do most sites need Active X at all (shouldn't we just be trying to agree on some browser standards like video formats so that typical functionality can be built into the browser!).

Re:It's the commonality.

[DavidTC]

Strictly speaking, the GP is right. The reason that ActiveX is more vulnerable than Firefox is there are a lot more ActiveX controls than Firefox plugins. (Not to be confused with Firefox Addons, which seem to be fairly secure, and are pieces of javascript. Firefox plugins are things like the PDF viewer that Acrobat installs, etc.)

However, the reason there are a lot more ActiveX controls is a, tada, bad design. It's because ActiveX fundamentally lets you embed all sorts of stuff that came with the operating system and random applications and were not designed to be controlled by a web page. Stuff around from before web browsers!

So Microsoft has to kill each of these, one at a time. That's what the '175 killbits' is talking about....something like 125 of those were on things that it should not have been possible to load in a web browser anyway, but Microsoft decided it would be great fun if you could load all those fancy new signed-DLLs-under-another-name in a web browser. And companies that had been putting out ActiveX controls and had never had to worry about security before, because they were selling a PDF rendering control to software developers to embed in their app, suddenly found out how insecure they were.

Aka, is your car secure, right now? Yes? Alright, let's transport these dangerous criminals in it. What do you mean, it's not secure from that direction?

And this isn't helped by the fact that ActiveX controls are so easy to install. I'm not talking about malicious ones, those are easy also, but legitimate good ActiveX controls, which are signed by a legit company and everything.

And they work for two years, and web design moves on...and eventually a hole is discovered in them...and crackers download that version, put it up on their web site, and wait for people to click Yes to install this clearly legit control, signed by Macromedia or whatever, so they can buffer overflow it.

Oh, look. Have to issue a killbit for that also.

The large proliferation of ActiveX controls vs. the small proliferation of Netscapian plugins is why ActiveX is so vulnerable, but the first is entirely due to a rather stupid design decision at the start of IE that let web page designers use random ActiveX controls (Which everyone forgets were not invented for web browsers, but existed before as DLLs with well defined embedding mechanisms.) in a web browser

Re:It's the commonality.

[Ed+Avis]

Really? Does Flash use ActiveX? I thought it was just a browser plugin using the same old NSAPI plugin interface; that's why the same plugin (on Windows) works with Firefox and other browsers that don't support ActiveX at all. The same applies to Quicktime or whatever other plugins people are still using these days.

Re:It's the commonality.

[cyberdrop]

Flash installs an OCX (ActiveX Control) and an XPT (Firefox Plugin) to C:\Windows\System32\Macromed\Flash

Re:It's the commonality.

[hairyfeet]

As a Windows repairman, I'll let you in on a little secret: You wanna know why Windows gets exploited and Linux don't? You really wanna know why? The answer is simple: PEBKAC, that's why. Linux guys just aren't gonna run email spam attachments, Hot_Lesbos.mp3.sh, or any of the other truly fucking dumb things Windows users will do. Since I believe in good story telling examples, I'll tell you a true story. Meet Velma.

This is little Velma, who works at an insurance company. Say hi Velma (Hi Y'all!) isn't she sweet? Everybody just loves little Velma. But here in the Windows repair biz we have a name for little Velma, and it is....dum dum dum....The disaster area! Because you see, little Velma has a BFF Kim, who is what we in the Windows repair biz call a "click whore" in that she will click on ANYTHING. Spam attachments, dubious screensaver programs, adware, you name it Kim will click it. And Velma trusts her BFF Kim, because they go on vacation together and anything bad from kim must be a trick, because Kim wouldn't do that. So lets see an actual interaction between the gruff but lovable local repairman hairyfeet and Velma, shall we?

/feet/ Velma, that is a password protect email attachment. That is a virus, do NOT open and run that! /Velma/ Ohh...you worry too much. It is from my BFF Kim, see here name on there? And it says it is happy puppy pictures. Who doesn't like puppies? /feet/ Velma it is telling you to turn off the AV before running and the file is happy_pup.jpg.exe. Do NOT turn off the AV and run that or you will bone the machine! It is a bug! /Velma/ Ohhh you....go drink some decaf. My BFF Kim would never do that to me.../turns off AV, runs program. Porn popups start spewing and network crashes/ /Velma/....Oops.....but it must be a trcik! My BFF Kim wouldn't do that! /feet/..........

And there you have it, an actual infection of an actual Windows user. Could MSFT have done anything to stop it? Short of giving Velma a thin client with no install capability no. And don't worry, Linux guys! If you manage to lure Velma and all her PEBKAC friends to your OS, I'm sure your friends at the Russian Business Network and their friends in China and Nigeria will be cooking up "Happy_pup.jpg.sh" with nice easy to follow instructions so Velma and her friends can turn Linux into a virus laden whore, just like Windows! Won't that be nice?

Re:It's the commonality.

I actually think there is merit in having internet distributable native code. But having said that, there are multiple issues.

If that's what you need, then why not distribute a binary that loads browser elements for what it needs, instead of the browser loading a binary?

Re:It's the commonality.

[nametaken]

you are comparing coffee and fish

- gag reflex -

Re:It's the commonality.

[imess]

Not to be confused with Firefox Addons, which seem to be fairly secure, and are pieces of javascript.

This is not true. You can have native DLLs in Firefox addons. Check out the Glasser addon, for example.

Re:It's the commonality.

Can you imagine a fish on coffee? Megaflops!

heheh, captcha is 'nonsense'. I delivered.

Re:It's the commonality.

[DavidTC]

Yeah, and EnigMail over in Thunderbird. Likewise the 'minimize to tray' addons somehow make the Windows calls to do that, although I think they're calling already existing functions instead of providing a DLL with them.

I'm not entirely sure how they do any of that.

So it would be more accurate to say that most Firefox extensions are Javascript. 99% of them. (They have to be, to work on multiple OSes.)

Re:It's the commonality.

[thePowerOfGrayskull]

he thing to keep in mind is that Firefox and other browsers that allow for DLLs to be loaded as plugins are going to have these problems as well

People tend to like to forget about that. ActiveX is no more or less unsafe than FF plugins. Executable code running on the client machine, non-sandboxed. Both FF and IE will prompt you before installing such things, and that's the extent of the protection you get from them. Both can be very easily abused by a malicious creator - all you have to do is get people to install it (bunnies!); or install it yourself as part of another application.

Re:It's the commonality.

[AmiMoJo]

The "clicking yes" problem has to be the biggest security problem in computing. It's one I think Microsoft could fix, at least for ActiveX.

The problem boils down to users not being qualified to decide what ActiveX controls are safe and which are not. Fortunately, there are actually relatively few legitimate ActiveX controls which need to run in the browser. If Microsoft audited this relatively small number of controls, and set up a system where they could disable them remotely if a problem is found (a Windows Update would work) they would be shifting from a blacklist model to a whitelist one. Whitelists of safe things are always better than blacklists of bad things.

There are only really two downsides to this plan. The first is that web sites can no longer just use ActiveX controls, unless they are willing to get them audited. That's not so bad really, as virtually the only sites which use legitimate ActiveX controls and which are not Windows Update are virus scanners. Even loosing those wouldn't be a huge deal, as they could always just switch to traditional downloads.

The second problem is for companies that use ActiveX internally. There are vertical applications (apps only used by one company) and there are things like browser based CCTV monitoring. These things could be supported through certificates and whitelist entries in the registry, i.e. things which only an admin can set up and are not accessible to the browser itself. Again, it's not a big deal really, just another script the IT department needs to push or another program update the vendor needs to offer.

Re:It's the commonality.

[jonadab]

> ActiveX is no more or less unsafe than FF plugins.

That would be true, if the average user had only three ActiveX controls installed on his computer, all three of which were *designed* to be browser plugins (typically, Java, Flash, and Acrobat Reader), and the procedure for adding additional ones involved downloading an installer, saving it to a downloads directory, logging in as administrator, and running an installation wizard.

Which, incidentally, is the direction Microsoft is trying to go with ActiveX controls in the web browser, but it's taking them a while to get there. First they fixed it so that installing new controls meant the user would be prompted, and then they made no the default except for the intranet zone, and then a few years later they made yes require admin privileges... it's a gradual progression, but yes, the general direction they're going is to make ActiveX safer and saner until it eventually becomes just like Netscape plugins.

Re:It's the commonality.

[ekhben]

(Also expressed as: you can't apply technological solutions to sociological problems.)

Re:It's the commonality.

I actually think there is merit in having internet distributable native code.

What merit? What performance-critical code needs to run inside a web page?

For everything I know of that actually belongs in a browser, it's adequately handled by Java (applets and webstart), Flash, and/or ecmascript. For crying out loud, Quake 2 runs fine in Java on all modern systems. What applications could you possibly need native code in a browser, downloaded at page load time?!

Re:It's the commonality.

[Bert64]

Which is why Linux is much better for the vast majority of people...

"Happy_pup.jpg.sh" would show up as "Happy_pup.jpg.sh" and not "Happy_pup.jpg" for starters, windows likes to hide the file extension while teaching people to trust the file extension, so they see the first extension and assume it's a picture... Linux doesn't do that.

Also, instructions for linux would be longer (and involve changing file permissions etc first and probably invoking sudo), before the malware could execute.

Linux provides most of what people need in the default package repositories, so you create a distro for such users where they can only install things from the built in repositories, and cannot execute anything else (ie their homedir is mounted noexec)... The very few people who need to install something not in the default repository can get someone knowledgeable to do it.

You don't need to give people no install capability, you just give them limited install capability... The existing install capability offered by modern linux distros is more than enough for most people anyway.

Obligatory car analogy, most people know better than to open the hood, and rely on someone appropriately trained if anything more advanced than regular driving needs to be done. Why should computers be any different? Your velma wouldn't try to change her oil, let alone install additional components into her car.

Re:It's the commonality.

[thePowerOfGrayskull]

I should have clarified that AX in its present incarnation is no worse than FF plugins -- the early versions which would simply install on demand are a completely different story. Also a valid point - FF plugins have to be specificalyl installed as FF plugins. ActiveX controls can already be installed and registered from anything...

darn it

[WeeBit]

"But finally, one researcher broke ranks and explained that the patch was caused by a flaw introduced in Microsoft's own development tools. This flaw was also the source of the emergency ActiveX patch." Or one could say that Microsoft was making a mountain out of a molehill. So what else was in that patch? I have a right to question Microsoft's antics . After all, they made me paranoid.

You DO NOT have to reboot if you install manually

[dobedobedew]

I'm not going to get into why having automatic updates on is generally a bad idea, that subject has already been beaten to death here.

WindowsXP-KB972260-x86-ENU.exe /quiet /norestart

That is the one for XP with IE6, the filenames are different for the other flavors. The list of all of the different patches is at:
http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx/

Not to mention the required hardware upgrades...

[sean.peters]

I've got a Powerbook G4, running 10.5.x... which is still a fairly powerful machine, right? Well, yes, but... increasing numbers of software packages won't run on anything but Intel-based Macs, or alternatively, have features crippled when running on PPC Macs. So even though there's nothing wrong with the machine, and it still has sufficient horsepower to do just about anything... Steve is going to force me to buy a new one if I want to run modern software. Yay, Mac.

don't even know where to start, mouth gaping

[neonsignal]

You can't be serious - nearly every OS these days is written in C (with a few bits of assembler at the core). And the one viable alternative, C++, was pretty much confined to BeOS. Do think everyone just left their thinking caps at home the day they decided which language to write in? Fair swig of the whiskey. C was pretty much invented as a means of writing systems software. And you do realize that .NET is really just ActiveX by another name, smelling just as 'sweet'...

Re:don't even know where to start, mouth gaping

[jpmorgan]

You do realize that .NET and ActiveX have very little in common.

One is an extension of COM that allows for dynamic dispatch of function calls, for integration with scripting languages. The other is a JIT compiled, bytecode platform that executes within a sandbox with a common API and typesystem for interoperability between different languages.

Re:don't even know where to start, mouth gaping

[neonsignal]

Fair comment, I let my mouth run off a bit there. Though they are both an attempt to layer an object oriented interface over the system, which still makes me wonder how the grandparent could imply that .NET can replace a native compiled language for writing an operating system.

Re:You DO NOT have to reboot if you install manual

[Culture20]

Every MS patch allows a /norestart option, but sometimes the software they patch is memory resident (especially IE based stuff), so rebooting afterward makes sense.

Wasn't that the promise of Longhorn?

[ruiner13]

Of course being so close to the metal means that its easier for programmers to screw up... but I'm not sure C# will be used to build the base of an OS anytime soon. You'd almost have to make the CLR the OS... which while an interesting idea not one I think we'd see soon.

Wasn't Longhorn (Vista) supposed to more or less be this?

NSAPI is a DLL interface

[tjstork]

Plugins are DLLs... NSAPI I though was for servers side DLLs, like ISAPI is sort of a clone of... in any case, here's the mozilla doc for the plug in run time model.

https://developer.mozilla.org/en/Gecko_Plugin_API_Reference/Plug-in_Basics#Understanding_the_Runtime_Model

Note that a plug in is a DLL that uses the same thread as the browser... just like Active X.

Re:You DO NOT have to reboot if you install manual

[mako1138]

I just installed using the automatic updates thing (prompt before install) and I was not asked to reboot.

Re:Not to mention the required hardware upgrades..

[An+ominous+Cow+art]

Yeah. I'm pissed off because my 4-or-so-year-old dual 2.7Ghz G5 tower is becoming less and less viable - even though it's still a fast, powerful machine, even by today's standards.

Remember

MS wanted Active-X to allow for web domination because when sites used it, Netscape and other OSes would no longer be able to access the sites. So, many sites did use it and everyone needed IE, but then security problems, Flash, Java, Javascript and other tools came around and who now would add Active-X to a general-user web site? Remaining support for it comes from companies that use web apps. Good luck with those rewrites.

How many kb is that?

[griffjon]

Microsoft has issued 175 killbits fixes so far.

So, how many kilobytes of killbits is that?

Re:How many kb is that?

175/8=21.875 killbytes...didn't they teach you anything in computer class? Must be a windows user.

Something worse

[Ilgaz]

Worse, there are still people who thinks something good can come out of the company who still doesn't kill the technology and even tries to photocopy it to open source, free operating systems.

We all know who they are...

But it is CPU brand changing

[Ilgaz]

All PPC here except other family members have their Intel macs. I use from G4 Mini up to G5 Quad so I had pretty good time to think about it.

It is not Apple or SJobs fault that IBM and Motorola, on Desktop CPUs, never cared enough. They don't have that culture to begin with. IBM is back to its roots, only making mainframe, enterprise CPUs and CUSTOM built Console CPUs which 2 giants like Microsoft and Sony can provide significant input for their needs. Look to MS, they could make IBM actually care about their suggestions and they could truly work with them. See the xbox 360 success compared to the earlier joke.

Compile open source software on powerpc and intel, both OS X and see the difference. Intel has all the "cool stuff", they somehow made developers code and support their (backwards) MMX and SSE while we get surprised when Altivec used by some rare and great open source developers. Mplayer for example.

The thing to blame SJobs is, he showed "universal binary" as something very easy, just click something and it compiles. It is NOT the case except for very simple applications or applications having their own frameworks (like Opera). Obviously, you can compile "Hello World" for MC68000 too, with single click but when libraries, frameworks and especially stuff like CUDA, OpenCL gets involved, that magic is instantly gone.

The Framework or Library, having millions of lines, millions of manhours doesn't run on anything other than x86. Now what to do?

It is mostly the entire deal for Snow Leopard and another reason is, Intel 64bit is a huge hack requiring "pure 64bit" to run better. PowerPC which was designed with 32/64bit in mind from ground doesn't have that issue and in fact, needless pure 64bit on PPC will run slower in most cases.

I turned off MS Update today.

My PC belongs to ME. I woke up this morning and MS had rebooted it. I was running a process overnight that was important to me. Now MS has one less auto-update user. Is that what you intended, MS?

Re:I turned off MS Update today.

Enjoy your microshit windaids.

Re:I turned off MS Update today.

Of course it's what they intended. If it wasn't you wouldn't be able to, would you?

A few points

[DJRumpy]

How many people are still using an OS that's 9 years old? Most folks would have upgraded to a newer version at some point or if they were too cheap to spread for the OS they would also probably be too cheap to upgrade their software and hardware, meaning everything still works anyway. Windows 2000 has about a 1% market share. Why would any developer go out of their way to ensure compatibility for it? I wouldn't. Hell, I'm in IT and I don't even know anyone that still uses W2K.

OS X was released 11 months after Windows 2000. It's doubtful you would find apps in today's software stores touting compatibility with Windows 98 or Windows ME as that is a closer comparison to Mac OS 9. If your apps and hardware are older than that, it's unlikely you would be upgrading to OS X to begin with. If you upgraded your hardware, you already have OS X. Even most home users upgrade every 4-5 years. They would be forced to due to hardware failure at some point.

When it comes to cost, there really isn't much of a comparison. OS X comes with a full suite of applications from iLife including iPhoto (photo editing), iWeb (web site design), iDVD, as well as support for MPEG-2, H.264, and AAC out of the box. There is no 'basic' version of OS X. You get everything in a single package. It also includes a full development suite for OS X (XCode).

Windows 7 comes with Paint, but no MPEG-2, H.264, or AAC in the basic editions and no MPEG-2/H.264/AAC support at all in previous versions.
If you want to develop for Windows it will cost you another $299 for the MS offering (Visual Studio).
The full Monty for a Windows (Ultimate Edition) costs $100 more than the 'regular' release of OS X. On top of that, if you use a pay antivirus like McAfee (the free flavors seem just as dangerous as a virus these days), you're also paying yearly subscriptions for updated DATs every year.

Lets do the math:
Windows 7 Ultimate: $219
McAfee (single pc): $50 (1 year subscription for dats)
Web Design: $50 (for a cheap one like CoffeeCup..MS's own offering is $300)
DVD Software: $80
Visual Studio: $199
Total: $598

OS X with iLife includes all of the above.
Cost for OS X/iLife $169
Now if you had to buy Windows for your home, which arguably will have more than 1 PC, you can do so for the Mac for $229 (5 license).

Windows will cost you 5 times the base cost just for the OS alone if you have a multi-pc home, which is becoming the norm.

A 5 license package from MS for the OS costs alone: ($229 x 5 = $1145).

Re:A few points

[Kalriath]

Why do you include a program to make web sites AND Visual Studio? Visual Studio has a quite nice HTML editor, thanks.

Re:A few points

[DJRumpy]

Simply because neither are included in the base OS, and it's the closest comparable product lineup to iLife although arguably, Paint isn't quite on par with iPhoto, it is at least included in all flavors of Windows. I agree if you decided to opt for Visual Studio, you could leave out CoffeeCup for $50.

Re:A few points

[jp10558]

Many Free AV vendors are as good as the pay vendors, see AntiVir, Comodo,etc... And if you're not wedded to visual studio (why?) there are about 10 free development environments ranging from various ports of gc++ to things like Eclipse etc... As posted elsewhere, there's also Visual Stuido Express editions...

Plus, you're talking about stuff that most users aren't going to use - I mean, code development? Web dev? How about watching videos and browsing the web? Many people install software, very few write programs. And McAffee is worse than a virus. Oh, and most OEMs include DVD playing software, either with the PC or with the DVD-ROM if you buy parts...

Re:A few points

[DJRumpy]

Whether they use it is irrelevant. It's included in the OS for free meaning it also adds value. The pay products are also arguably much better than the freeware versions out there. Have you ever used iDVD? You can create excellent quality animated DVD menus with a few drag and drop operations. I'm not talking about simple animated thumbnails for chapters either, but full screen animation with integrated sound, cutscenes morphed into nice presentation. I have seen nothing on the freeware side to compare.

Need I also remind you of the recent slew of freeware Virus Scanners fiasco's where the scanners ended up purging things like the iTunes db, or critical Windows system files? You have to be aware of these if your a regular /. reader as they crop up every month or two and are far too common. You get what you pay for when it comes to security...

Re:A few points

[jp10558]

I guess we'll have to agree to disagree, as the only recent reports of AV killing Windows that I've seen was a McAffee enterprise update and references in that thread to older Symantec false positives. You DO NOT get what you pay for as far as I can see.

Also, adding value is pretty subjective. How does a code development environment add value to someone who wants to play video games? Sure, it may add value to *someone*, but it may also reduce value to someone else. Here I'm thinking of things like your iDVD - if you want to make your own DVDs, it adds value. But if you're someone like me, who doesn't want to do that, I see it as making the entire product cost more for something I don't want.

Re:A few points

[DJRumpy]

It's not just about making DVD's. Windows don't even include an MPEG-2 codec, meaning you can't even play them in other words. Windows 7 is rumored to include them in the Ultimate release versions but not the basic versions. As to the XCode value, you're forgetting is also allows joe user to compile simple code, which is always useful. Even a non-technical user can download a source and compile it if the instructions are clear. A few other not so useful pieces includes an icon editor, and a rather useless text HTML editor with basic syntax highlighting.

I was referring to Windows when I suggested you get what you pay for. Virus Scan on a Mac isn't necessary at this point. They only scan for Windows viruses, they suck up resources, and are generally a headache when someone makes a mistake with DAT's.

Re:A few points

[jp10558]

And as far as my experiance with Trend Micro, McAffee, and Symantec goes, Comodo's free Internet Security is miles ahead in total security (if you count the HIPS part) and far less of a PITA on the entire system, and less likely to fubar itself. AntiVir, also available free is about equal with Symantec et al in VirusBullitin and VirusTotal testing. So what exactly am I getting on Windows here?

And if you want to talk about joe user compiling code - why not just get the PC hardware, but install Linux? Win-Win... But of course you'll claim that's not a value add there.

And if you think joe user is going to go google how to compile some code, why wouldn't they be able to install WinDVD Personal or whatever comes with the DVD-Rom they bought? Or google and find K-Lite Mega Pak with Media Player classic?

You've got some sort of odd double standard going here. And Macs are getting attacked more recently... Google it.

Doesn't the gov't monitor black hat sessions?

[inmytaxi]

Can't they just take names and watch hackers until they break a law and then throw them in the clink? How hard would it be?

no, it doesn't since Vista

no, it doesn't since Vista