Microsoft Finally To Patch 17-Year-Old Bug

eldavojohn writes "Microsoft is due for a very large patch this month, in which five critical holes (that render Windows hijackable by an intruder) are due to be fixed, in addition to twenty other problems. The biggest change addresses a 17-year-old bug dating back to the days of DOS, discovered in January by their BFF Google. The patch should roll out February 9th."

Re:Nothing quite like a "timely" response

[chill]

Backwards compatibility FTW! The one thing that if Microsoft broke, they'd have a serious OS horserace on their hands. Then anyone would be free to simply choose OS X, Linux or anything else just on merits and not "it runs all my old software".

When is /. going to actually do more then just

[Liquidrage]

ms bash?

A bug no one knew about is being patched a month after it's found. WTG ms?

News for nerds? Or news for those that line your coffers?

Re:sigh...

[siride]

Remember that BSD bug that sat around for about the same length of time? Yeah, it happens everywhere.

Of course, this is only a bug that can be exploited by 16-bit programs and only on 32-bit Windows. Since I run neither of those, it's not even a problem for folks like me.

"Finally"?

[holygoat]

Isn't it a little disingenuous to say "finally" when the bug was discovered last month?

That it was introduced 17 years ago doesn't mean that Microsoft has been tardy about fixing it...

Re:Windows NT

[mysidia]

Yes... the only question is... Why didn't Microsoft disable running DOS apps by default?

Since hardly anyone does it, and the facility is only provided for backwards compatibility, it ought to require explicit manual admin action to enable.

Given the security risk exposure of having such a rarely-used feature exposed as part of the potential attack surface.

Re:Windows NT

[slimjim8094]

That's what the NTVDM *is*. It's effectively a virtual machine, though it's closer to a virtualizer than a simulator (more like VirtualBox than Bochs)

Re:oldest bug evar... and other leet speechisms

[jabbathewocket]

since this bug was "discovered" in january its only chance at being a record would be the rapid turnaround in getting it patched..

By that I mean, rapid turnaround on Microsoft scale from disclosure in January, through to early Feb patching..

Re:oldest bug evar... and other leet speechisms

[jabbathewocket]

Reading the summary, nevermind the article would have kept both of you and the poster above you from posting sillyness.. The bug exists in a bit of 17 year old code, but was discovered last month... so not even remotely "old"

Re:Windows NT

[Bungie]

Yes... the only question is... Why didn't Microsoft disable running DOS apps by default?

I think Microsoft wasn't concerned because DOS applications are all contained in a virtual machine. The hardware is emulated by the VDM or VXD's. If anything goes wrong NTVDM.EXE terminates like any other user process. Ideally it should be as safe to run and I'm sure Microsoft wanted to make running legacy DOS apps as seamless as possible to the end user.

Re:Nothing quite like a "timely" response

[Nutria]

Imagine if you paid $400 for Photoshop for Linux, but next year it was worthless because the latest kernel wouldn't run it? Wouldn't be very happy then, would you?

You're right: I'd be sorely peeved.

However, Linux strives for userland consistency, so any problems with old programs (like WordPerfect 8) not running are to be blamed on incompatible (glibc, for example) or non-existent (GNOME 1.4, Gtk 1.3) libraries. Gtk2, GNOME2 and glibc6 (is that a Debianism?) have been out long enough, though, that there aren't too many issues like that anymore.

Not that any non-geek would care about the real reason, so "blame it on Linux" is good enough!

I'm guessing you know this

[symbolset]

No, That's Windows 7 by itself. Office is 3GB extra.

The cited DSL fits in 64MB, all things included.

Damn Small Linux is small enough and smart enough to do the following things:

• Boot from a business card CD as a live linux distribution (LiveCD)
• Boot from a USB pen drive
• Boot from within a host operating system (that's right, it can run *inside* Windows)
• Run very nicely from an IDE Compact Flash drive via a method we call "frugal install"
• Transform into a Debian OS with a traditional hard drive install * Run light enough to power a 486DX with 16MB of Ram * Run fully in RAM with as little as 128MB (you will be amazed at how fast your computer can be!) * Modularly grow -- DSL is highly extendable without the need to customize

It includes three browsers, document processing, email, spreadsheet, VOIP, and a lot more.

The smallest pendrive I've ever heard of is the 64MB USB 1.0 device I'm holding in my hand right now that I bought my wife more than a decade ago. I paid $79 for it at Fred Meyer, because tech stores wouldn't carry it. Actually, there were 16 and 32MB versions of this, but let's not go there because this was the Windows 95 era.

I am on the record as stating that we've had no productivity increases since the advent of Windows. Let me quote from a wise man:

"Word processing was a solved problem in 1984. By 1987 spreadsheets had all the functions a normal person would ever use. Databases took a little longer, but by 1990 that was sorted. An infant could have been born that day and by now would be almost of age to vote and we've seen no real improvement in productivity since."

64MB is 0.32% of 20GB.

So let me ask you: If the Office team needs 3,000 MB to install their full application set, what can they do with 30MB - 1% of that? Splash? Can they even do that?

Re:I'm guessing you know this

[chrysrobyn]

I am on the record as stating that we've had no productivity increases since the advent of Windows.

Are you even old enough to remember word processors in 1984? Spreadsheets in 1987? I realize you're being funny and quoting someone else who said those things, but seriously stop to think about them.

I remember Word Perfect 5.1 in my 80x24 16 color display running on my 286 with 640KB of RAM. Let me tell you, Word from 1994 was worlds better. WYSIWYG is an amazing accomplishment that wasn't easy to get right. Even in 1994 there were small places where it wasn't perfect -- but being able to see bold or italic text instead of a different font color indicating "imagine this text is italic". Compare Word from a few years later -- on the fly typo correction, spelling and grammar highlights, with suggestions? That's progress.

A spreadsheet in 1987 wasn't usable by a vast majority of people who were sophisticated enough to understand basic table structure. Excel from 1997 had enough of a GUI to help even less sophisticated people use functions instead of just using it as a pretty interface to store numbers.

I'm not a fan of how much bloat has happened, but let's pause and understand what we've gained in the last 20 years. I don't see anybody volunteering to go back to their 286 with vintage software, and there's a reason for that.

Modern computers are able to solve problems only dreamed of 20 years ago. What I can accomplish in terms of text processing with Perl might be an incredibly inefficient use of memory and horsepower, but I can hack something together in an hour that will slog through gigabytes of data and the problem will be solved before a programmer 20 years ago would have been done optimizing the runtime to fit in the available memory. I'd even point to the travesty that is the chip designer's automated place and route toolset -- what's done routinely today wasn't even possible 10 years ago.

Re:Nothing quite like a "timely" response

[camcorder]

If a photo manipulation program has something broken with a new version of kernel, that means developers should be unhappy since they are doing something very wrong at the beginning.

Re:Nothing quite like a "timely" response

[snowgirl]

You're missing the key difference here. Microsoft is making money hand over fist, like mad, and were doing so before security was as important as it is now. It's not so important that they ensure security in their products as ensure that clients believe that security is taken seriously.

Re:Maybe I'll have to take your word for it?

[Timex]

....and YOUR Slash number has six digits. Mine has five. See? I can count backwards! :)

I've been using Linux since kernel version 0.99pl10, when Slackware ruled on a couple dozen floppies.... ...and get off my lawn!

Re:Nothing quite like a "timely" response

[Pharmboy]

Linux doesn't have to worry about backwards compatibility because users are paying $0 for their software.

Not exactly true. I have paid for a great deal of software designed to specifically run on Linux. AVG's coroporate anti-virus server runs on Linux, tons of CRM and database applications run on Linux, even a lot of Perl based management suites for webhosting aren't free. And worth every penny from my experience. So far, compatibility hasn't been an issue when I upgrade for most, although many require a RH based system (RH/CentOS/Fedora) to work.

Re:Maybe I'll have to take your word for it?

[binarylarry]

Apparently your Slashdot ID doesn't make you any smarter.

But what I was getting at was perhaps if Linux chose a more modular design like a Microkernel, it would be less bloated.

Although it was in jest, as I think if they chose a Microkernel it would probably have ended up like Hurd and I'd be typing this from a Mac.

I need to track down John Titor so I can test my hypothesis.