Microsoft Warns of Windows 7 Graphics Flaw
Barence writes "A flaw with the graphics driver in Windows 7 could compromise the stability and security of PCs, Microsoft has warned. The vulnerability lies in the Windows Canonical Display Driver (cdd.dll) for the 64-bit versions of Windows 7 and Windows Server 2008 R2. Microsoft claims that the flaw could lead to machines rebooting or even allow a hacker to remotely execute code, although it claims either eventuality is improbable. Concerned users are being advised to disable Windows Aero until Microsoft can issue a fix."
and Windows Server 2008 R2
This is why you don't use unnecessary things like Aero (and graphical displays) on servers. Granted Aero isn't enabled by default on Windows Server 2008, but it's still all unnecessary. Servers are meant to be configured and left running with minimal installs. You can do everything you need to from a command line, and sftp for editing those configuration files. When you have a minimalistic install there's also much less chance of some random software having an exploitable bug.
You'll get Aero when you pry it out of my cold dead... damn... it rebooted again!
Lurchicus - For Sig, see other side.
...This is why I wait to get my tech. I might be on the waning edge of things, but at least I get them when they work.
easier than cmd? you must be new here.
it might render your porn poorly.
Sheesh, evil *and* a jerk. -- Jade
GUI is still there for remote desktop and it's easier to configure than CMD only.
That's because Microsoft has a crippled CLI, and yes, that included Powershell.
When I am playing BC2 it sometimes interrupts my game to tell me I have run out of memory and Aero is turning off. I cannot imagine why, I have 1GB GPU and 6GB RAM....
It seems there are some flaws in Aero on 64 bit systems.
This is why you don't use unnecessary things like Aero (and graphical displays) on servers.
This is why you don't use unnecessary things like Windows Server 2008 R2 on servers.
There. Fixed it for you
Why do I have the feeling this is overblown? I'm running W2K8R2 x64 as a Workstation OS, it is rock stable, possibly the best OS MS ever produced. Yet I'm sure there are _plenty_ of bugs like this one. Doesn't Microsoft issue bug reports like this every month? Doesn't _any_ OS company produce bug reports like this every month? Why is this one so special? Cause, I'd like to know.
I'm not saying it shouldn't be fixed, reported, or taken care of. I'm not saying Windows is the best OS. OS X can be pwned through the WiFi drivers. I'm sure Ubuntu can be hacked in many ways too. When OpenBSD gets cracked, then it'll be frontpage material. Until then, keep the real news rolling.
-- Home is where you eat your heart out.
I can see that. Perhaps you are a small business and you don't want to train your network admins on CLI tools, so they use the "easier" (read: "requires less training") GUI rather than the faster CLI. Fair enough, not everyone can afford fully-trained network engineers to manage a few small in-house servers.
But, seriously, Aero? Even the least experienced network admin doesn't need to enable Aero to administer the server. It's a waste of CPU and memory resources for something that (hopefully) you spend a few minutes a week on. If you insist on using a GUI to administer your servers, fine, but at least make it the simplest GUI you can use to get your job done.
As GP said, the simpler your interface, the less likely there is to be an exploitable security flaw in it. The more complex you make your remote access capabilities, the more likely it is that someone else can find a vector in to them.
SFTP/SSH exchanges very little data and has very few possible attack vectors. "Classic" GUI has a few more attack vectors and possible failures and exchanges a lot more data, but it adds simplicity for those not comfy with the CLI, so there's a logical trade-off there.
Aero adds a lot more traffic, a lot more complexity, a lot more potential vectors for both failure AND attack, and does not make the GUI any more functional for administrative tasks.
Now, if you're using Server 2008 on your desktop as your daily machine, and you like sexy GUI, OK, I can see Aero being enabled. But there's no reason to enable Aero on an actual server.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
Well, yes: Because this driver is not vendor specific. It's part of the actual OS itself. When was the last time you saw, say, a huge flaw in the Linux framebuffer, or something like that?
If the vulnerability is caused by the vendor of a chip, or the shoddy documentation of a chip maker: hell yes, blame the third party. In this case... MS can only blame themselves. Their own 'canonical display driver' is shoddy, not a 3rd party chip maker.
Canonical
Could they have released a borked up driver named after the competition so that in time people looking into Ubuntu might recognize the name Canonical and associate it with something that "compromise the stability and security of PCs?"
I think this post demonstrates a new level of paranoia when it comes to Microsoft.
CLI does have its uses. There are things it offers that no GUI can, and vice versa.
But claiming you need it for "real work" is like claiming you need a printing press to print a sheet of paper with "real text" on it. Both are equally ridiculous statements.
For most work environments, neither CLI nor GUI alone covers all needs. Welcome to the real world, where we use the appropriate tools for each task.
While you might not be able to imagine it, those who do know how to perform an administrative task both from a terminal and from a GUI often find that doing it from the terminal is more efficient and more reliable.
If there's no need to do it why is X Windows the only windowing system that does it? Why does VNC/somethingX (the new one) exist for X Windows when X servers are available on all platforms?
I don't know that you're wrong in calling Microsoft's approach wrong, or have more than an idea of why you might be wrong, but the fact that everyone else uses the "wrong" approach sets off the BS-meter.
// MD_Update(&m,buf,j);
I'm not sure if being paranoid is the right step - careful, sure, paranoid - no.
In the end, the goal of IT is to enable its users to be more productive. Sometimes overparanoid IT guys can make life more difficult for the Users - this should be minimized.
All of the Windows Server components are always on-the-disk in Server 2008/R2. IIS on the disk, whether you use it or not. But only when enabling it you'll actually get the services you need for it.
This doesn't hurt. It doesn't compromise security.
Powershell is by far, one of the best Microsoft has created on the scripting side. Why? They basically took a shell and enhanced it by making it object aware, and giving it access to .net. In Microsoft lingo, cmdlets replace unix utilities.
I am not a fan of the naming conventions they use in powershell! It makes it harder to write terse scripts.
Please see http://w3.linux-magazine.com/issue/78/Bash_vs._Vista_PowerShell.pdf for a comparison of powershell vs Bash.
http://blog.brandonbloom.name/2009/04/powershell-condemned-to-reinvent.html
No, they are not equal. The problem is that using GUIs as we know them today, is NOT using a computer. It is instead the same thing as fiddling with an appliance. A static thing. Good luck piping the output of a Firefox menu item to Gimp. Good luck scripting the interface. That’s the real problem. You can’t really. Everything is monolithic static applications. With the rare plug-in exception.
Real work = AUTOMATING
Do you know that saying, that the computer creates the work that you wouldn’t have without it?
That is what happens if you use it like an appliance, instead of automating your work away.
It’s sad that KDE and Gnome raped the Unix philosophy... with a 30 inch pipe... sideways... ...instead of doing it the proper way, and making everything a small module that does one thing, and does it right.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Aero isn't even installed by default with Windows Server 2008 - you have to install it, reboot, and then enable it. That's hardly any attack vector at all IMO.
throw new NoSignatureException();
Welcome to the real world, where we use the appropriate tools for each task.
I painted my house with a hammer you insensitive clod!!!
"If you are going through hell, keep going." - Winston Churchill
In my experience, working the way you like is vastly superior to working the way some Internet stranger likes, regardless of the geek cred it'll give you on Slashdot.
From the 20 pictures, copy only those that feature my dog. Start scripting... now!
Administering IIS has been a pain in the ass since day 1. Unlike NCSA, Netscape, and Apache servers, you had to point-and-click through a zillion tabs and dialog boxes in IIS to configure and tune the server - or for more advanced tuning, do something even worse: hark back to the day of C= BASIC 2.0 and do the equivalent of PEEK and POKE to the IIS Metabase. Microsoft has FINALLY seen the light and now offers the ability to edit configuration files. This makes things MUCH easier since you can see right in front of you which features are enabled or disabled, tweak things like buffers, and so forth, and don't have to click through eleventyteen places to find the bottleneck or what is breaking your server.
For a long time Apache has been kicking Microsoft's butt on the server side, and believe it or not, a large part of it is not just Apache's lesser system requirements, but the ability to easily administer it. If you're a serious sysadmin you'll appreciate the command line and the ease of administration it brings. Sure, you have to learn a little more, and put more up-front effort into the job, but once you have acquired the skills you will find you are repeating tasks only once or twice and then spend some time writing scripts to handle it automatically.
Aside from activation (I've spent thousands on Windows, Exchange, SQL Server, etc.) this is one of the big reasons we dumped Windows in favor of Linux. The only Windows server we have left is an MSDN installation, for testing, not production. All the other servers run Linux, and I have a ton of stuff automated.
Windows is really getting there - it really is. It just needs a really good CLI. Powershell is a good step, but I prefer bash. (Cygwin or AndLinux or SFU) + powershell are two ways you can get close to the flexibility of Unix administration, but even that doesn't get you 100% there.
Don't fear the CLI. Even Microsoft has seen the light and is well on its way to reinventing Unix, poorly (remember, "those who do not understand unix are condemned to reinvent it, poorly").
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
You can automate a GUI. AppleScript on Mac Classic used to be brilliant for this-- I'm not sure if it's still good or not.
Comment of the year
Since a standard 2003 install can live pretty happily with a 10GB system drive, but a 2008 install needs over 30GB to function.