Microsoft Fixing Windows 8 Flaws, But Leaving Them In Windows 7
mask.of.sanity sends this news from El Reg:
"Microsoft has left Windows 7 exposed by only applying security upgrades to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries using a custom diffing tool and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day vulnerabilities. The missing safe functions were part of Microsoft's dedicated libraries intsafe.h and strsafe.h that help developers combat various attacks. [Video, slides.]"
The bugs exist for a reason. If it's not broken now why buy the new version?
The dangers of knowledge trigger emotional distress in human beings.
Windows Sustained Engineering is a different org across the street with different funding and goals, and they don't automatically fix all of the bugs the Windows feature teams fix. There's a triage process for deciding whether bugs are important enough to fix in downlevel releases.
"People are aware that Windows has bad security but they are underestimating the problem because they are thinking about third parties. What about security against Microsoft? Every non-free program is a 'just trust me program'. 'Trust me, we're a big corporation. Big corporations would never mistreat anybody, would we?' Of course they would! They do all the time, that's what they are known for. So basically you mustn't trust a non free programme."
"There are three kinds: those that spy on the user, those that restrict the user, and back doors. Windows has all three. Microsoft can install software changes without asking permission. Flash Player has malicious features, as do most mobile phones."
"Digital handcuffs are the most common malicious features. They restrict what you can do with the data in your own computer. Apple certainly has the digital handcuffs that are the tightest in history. The i-things, well, people found two spy features and Apple says it removed them and there might be more""
From:
Richard Stallman: 'Apple has tightest digital handcuffs in history'
www.newint.org/features/web-exclusive/2012/12/05/richard-stallman-interview/
Dear Microsoft,
Dear gods, please catch a ride on the clue train. Businesses don't want Windows 8 - the retraining necessary is just too costly, and all the cool features involving touch are useless for the cube farm drones.
So just stop your stupid shit, realize that Windows 7 is your next XP, make sure that Windows 9 undoes a lot of the silly bullshit, and maybe you won't completely jump the shark.
Um also while I (fail to) have your attention - the Ribbon is still stupid. Stop wasting my screen real estate and go back to proper menus. // yeah I know it's a pipe dream, but I needed to rant and rage.
The Digital Sorceress
This is just an extension of the kind of coerced upgrade Microsoft's attempted before. With Vista and then with Win7, when they didn't take off on their own MS tried to force the issue by making the latest versions of IE and DirectX and such only available for Vista/7, not XP. This is the same thing: "Upgrade to Win8 or take the heat for running a vulnerable OS.". Thing is, it'll backfire the same way the "no latest DirectX on XP" did. Win7's such a large base that developers can't afford to write code that won't run on it, so they won't be able to use the new Win8-only safe functions. Which means applications will remain vulnerable on Win8, just like on Win7 where they also run.
I don't want to hear this. I just finished the migration from XP to Win7.
Do not want to go through that again for another 6 years.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The interesting question is: should an OS vendor be able to sell a later generation of OS as "more secure" than a previous one as a feature to induce users to migrate to it, (clearly Microsoft's position on Win 8.1 vs Win 7 ) or does it have a responsibility to make all released product as reasonably secure as it can based on what it knows to and define features as capabilities, performance, etc outside of security?
I think it's fair for Microsoft to tout improvements like more secure kernel design or other elements that are core architectural advantages of a new OS (which cannot reasonably be replicated in earlier versions) but limiting fixes to common libraries, present in old and new OS, which have been found to be insecure, that could be patched for minimal effort in the old OS, to create an artificial distinction between old and new is not a security feature difference, it's a churlish forcing function. Win 8.1 is not better on security than Win 7 if the part of that difference depends on selectively responding to vulnerabilities.
Ironically, toward the end of its life, XP got better support than Vista, because Vista was a short-lived, poorly received follow-on that was quickly succeeded by Win 7. I'll predict that 3 years from now, after Win Next (9.0 or whatever) has been shipping for a while, the install base of Win 7 will still be far higher than that of Win 8.x and support (Microsoft and 3rd party drivers/apps) will be much better for Win 7 than it will be for Win 8.x. No doubt Microsoft will say its most secure OS at that time will be Win 9.x but if it stopped providing critical patches to the second most popular OS way back in 2014, there's going to be trouble. (Anybody want to bet Microsoft at some point will be providing patches to vulnerabilities in Win 7 that they DON'T bother to do for Win 8.x because no one will care about "Vista-Next" anymore?)
I believe that the updates have not been applied to Windows XP. There was a point in time when Win7 was being updated but XP was not getting those updates.
The only significance I'm seeing in this is that Win7 is still within its support period. Still, this could make some sense if the new security implementations actually rely on technology foundations that are actually built into Windows 8 but which are not a part of Windows 7. That's one possibility that would make some sense.
Unfortunately, Microsoft may feel an incentive to categorize updates as being appropriate only for Windows 8, simply in hopes of driving people away from older operating systems.
Rant: It's not like updating only Windows 8 is sufficiently convincing to get people to move from Windows 7 to Windows 8. Even if Microsoft refused to fix a terrible flaw threatening Windows 7 machines, that doesn't mean I would worsen the situation by going to Windows 8.1 or, even worse, Windows 8. Like Vista, Windows 8 (including 8.1) is condemned to be something that should be skipped. Hopefully Windows 9 will be less useless.
Pay the upgrade or you deal with the "other" costs.
Apple is pushing the envelope: Free OS updates. Works on their hardware back 4-5 years.
My suspicion is MS, likewise, must get into the hardware business & become vertical.
These are mostly new functions added for Windows 8, they don't exist in the Windows 7 SDK.
If you wrote your programs to use them, they wouldn't work on 7, only 8, which everyone seems to hate.
If MS added them to a patch for 7, there would then be 2 fragmented versions of Windows 7, so if a customer calls you asking if your software works on Windows 7, you would have to ask if they have installed KB######, and they would say 'I don't know.', or they might lie and say yes, or no, and you'll have to walk them through checking installed Windows updates...
Sorry Microsoft, people use your product for two reasons: 1) it's well entrenched 2) it's easy to use and familiar. If you want them to switch from win 7 to win 8, you have to do it by ruining the usability of win 7, not its security.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Somebody please mod that AC idiot offtopic, and maybe a few other things as well, and let the rest of us get back to ragging on microsoft for not doing the security patches on win7.
I'm just amazed that no matter how horribly Microsoft handles their Windows dominance, there is literally no competitor ready to pick up the slack. Open Source is largely a joke when it comes to most businesses, and Apple seems more interested in the hipster and grandma crowd than actual networks. Where is the competition? It's like Microsoft has managed to reach a natural position of "too big to fail." Is it just because the young startups are more interested in creating the next Cloud Service (tm) or Flappy Birds? Is it a funding issue, where you can't get VC support on something that won't show a massive return in under a year? What's the deal?
tl;dr
Anyway, I only take me advice from APK.
Windows 8 would be fine without that new UI.
Enterprise users are on 7 and moving to 8 now when Windows 9 may be here next year and some have just moved to Windows 7?
While you get 3rd party tools to make Windows 8 like Windows 7, in Enterprise using them can be iffy.
Probably best that you didn't bother upgrading if it would have taken you 2 to 3 days to learn the differences between XP and 7...
From a post to The Register:
NumptyScrub :
The fact that these extra functions are aimed at developers, and as far as I can tell are intended to provide bounds checked variables (e.g. protected against buffer overflow shenanigans) could be cause for some concern. It does not count as a fix of existing broken functionality though, so I don't see how it would qualify as MS "ending support" for Win7 if they chose not to add these extras to all existing OSs of theirs.
Redmond is patching Windows 8 but NOT Windows 7, say security bods
Yep, Windows 7 and XP are so fundamentally different in terms of the UI that it *might* have taken you all of 15 minutes to learn the differences.
And of course if it was Windows 8, it might have taken you all of 10 minutes to install a UI shell which would have made the experience exactly the same. Then again if your internet is the equivalent of a string between two cans, I can see it taking 2-3 days to find this out.
Om, nomnomnom...
TL;DR
(but wrote you off as a nutter anyway)
Hopefully Google, Apple and Canonical find a way to replace Microsoft products before Windows 9 ships.
Mod me down, my New Earth Global Warmingist friends!
Well, it is relatively cheap to do things like this during development of a new major version but relatively expensive to do a security update or hotfix, so they need proof there is actually an exploitable bug, though they will often review surrounding code and do additional fixes when developing security updates.
If not, that is what you get for using out of date software. Get your wallet out and climb on board the upgrade train, or accept the situation and be happy.
Sarcasm aside, who honestly expects a company to support non-products? I don't.
---- Booth was a patriot ----
I say de-support all OSes but Windows Server 2012r2 and Windows 8.1 x64!
Force all users to buy the latest OS and use it! I am sure the shareholders will LOVE that card trick.
Your Average Joe
Nerd rage, the funniest form of rage.
Hopefully Google, Apple and Canonical find a way to replace Microsoft products before Windows 9 ships.
Out of the frying pan, into the fire..
1.2 billion smart devices shipped without Windows last year, and more than that number will ship this year, making over 2.5 billion devices shipped in only two years and likely still in use. There are only 7 billion humans and two thirds of them are too impoverished, young, old or uninterested to be in the market for such things. So this event you are hoping for appears to have already happened.
Help stamp out iliturcy.
You tell 'em! "Get over it. It's not like you have a choice. We have all your data locked up in proprietary apps on our proprietary system so there is no escape. Your helpless pleas only bring us joy. We have no compassion for you, you feeble wretch. Hahahahaha."
Help stamp out iliturcy.
First: how long would this have lasted when the source had not been open? Three years? Four? Ten?
Second: The article you mention is from 2008, SIX years old so no longer relevant.
Third: Open Source is not ideal, nor is Closed Source. But WHEN a fault is found in OSS, as a rule it will be fixed. Failures may exist in CSS for long times, and be exploited, without anyone but the exploiter knowing about it. And when such a failure is exposed, you have to wait if and when the maker of the software fixes it.
So, OSS is, as a rule, safer than CSS. Maybe Linux is not THE answer, Windows should not even be asked for.
What person will donate an airborne act of love?
You do realize that with paying customers you can't just crank out a patch overnight and hope it doesn't affect any other piece of software. Of course when a Linux patch breaks something all you have is neckbeards sending you nasty emails. Microsoft is open to lawsuits and contract issues.
Only the State obtains its revenue by coercion. - Murray Rothbard
No, they should not consider Windows 7 a "downlevel" release. I just bought a NEW computer with Windows 7 on it for a relative, and had to pay a premium to get W7 instead of W8. I don't need a repeat of the XP debacle! Windows 7 is the MAIN operating system from Microsoft today, Windows 8 is only a trial balloon. Since I did pay for W7 I expect FULL support for its lifetime not some half assed job designed to force people to upgrade prematurely.
The advice from the computer repair shop my relative used this very week was to get W7 and avoid W8. This is not just some disgruntled people avoiding W8, it is very much mainstream.
I take it you don't have to support an older relative who lives a long distance away who calls you up every time an icon changes location. If Windows is only for the experts then it should be labeled as such, and leave Linux for the beginners.
Windows 7 is the only operating system I have ever used that has trouble deleting information from the Operating System. I just had to deal with being told that a file / folder didn't exist and couldn't be removed. This kind of issue, even though small, shows the lack of refinement and the false young nature of the Operating System. In contrast Linux is the adult in the Operating System war, I'm not saying that just to blow smoke or be a Linux fan boy, I'm saying that because when I run into issues in Windows, I don't run into them in Linux.
MS is the IBM of the new century. No, really.
IBM was the "computer company" up 'til about the 1980s. You could simply not ignore IBM if you had anything to do with computers in a way that goes beyond hobbyist interests. You had a company and that company used computers? You had IBM. You might have had some other tools and toys, but the core of your computer system, the backbone, the framework and pretty much everything that was relevant to actually getting and keeping your computer system running was IBM.
This of course led to some serious hubris by IBM. The same "my way or the highway" attitude you can see in MS today. We tell you what you buy and you will eat our shit and call it chocolate fudge. I guess it goes without saying that this didn't really sit too well with the various companies, but, well, what can you do? If you need computers in your company, you can't ignore IBM.
Times changed and PCs came, and IBM ignored them as petty machines that don't fit their paradigm of the mainframe - terminal ideal. They did enter the PC market halfheartedly, but when they noticed that the PC is here to stay, they tried to regain control over it. The MCA illustrates this very well. It was a bus vastly superior to the (then standard) ISA bus. Their licensing practice ignored completely the emerging PC clone market, though, the market that became more and more important as small companies and private people wanted to use PCs and considered money a deciding factor for the choice of computers. Add that companies so far using IBM wanted to get out of their stranglehold and one can easily see why the "clones" became more and more popular and why a bus that was at least on par with the later very popular PCI bus never became popular or widely supported by third party manufacturers.
MS is now following that "my way or the highway" hubris. I guess they need to learn it, too, that you can only force people to drink your Kool-Aid as long as they don't have an alternative.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Liar.
http://windows.microsoft.com/e...
Help Brendan pay off his student loans
Microsoft doesn't want another Windows XP, I'll wager they are after a 5 year turn around or perhaps even faster.
$'s.
"If any question why we died, Tell them because our fathers lied."
Yep but not on the Desktop. :(
I don't see the desktop disappearing either, although its role has definitely changed.
Mod me down, my New Earth Global Warmingist friends!
I take it you don't have to support an older relative who lives a long distance away who calls you up every time an icon changes location. If Windows is only for the experts then it should be labeled as such, and leave Linux for the beginners.
Nope, they died last year at the age of 86. Until then I did, and that distance was 3200 miles. Then again, I found that explaining to them beforehand that the "icons change" and why they change, and how, makes it much easier.
Om, nomnomnom...
There's GOT to be a way we can get people to buy Windows 8!
Yeah that's real secure. FYI your chrome is not even sandboxed on it because the kernel is so ancient.
http://saveie6.com/
Except that programs are running faster on Windows XP than on Windows 7, because the OS takes less CPU resources.
Bang! Idiot destroyed.
Yeah on a Pentium IV. On a modern i5 the same code will run faster as a new kernel supports better smp, page swap, ram buffers, and the runtimes use all your CPU instructions. Not part as XP had to run on Pentium IIs.
http://saveie6.com/
I can't find anything to fix. 7 is better and has more features and takes advantage of modern hardware
http://saveie6.com/
I am still confounded
Aside from the fact that spreadsheet formulas cannot (easily) be ported to different spreadsheets via csv, there's a very simple supply and demand explanation, client says: "We only use MS office, that's the way we have done business for over a decade, it's what we are set up to handle now, if you can't deliver we will have to find someone who can". - Actually in the "real world" they would probably just laugh their asses off and walk away.
obig car analogy: It's like a mechanic saying I can't work on your Mazda because it's not a Ford.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
You're confusing transparency with vigilance. In my 25yrs experience working in commercial software houses, I have rarely seen anyone attempt to review, debug, or modify OSS code, they just plug it in to their own application and wait for a patch to be released if something goes wrong, which is exactly what they do with CSS. Why? - Because as soon as you apply your homespun patch to the source you have forked the OSS source and you now have yet another ball of spaghetti to maintain. The unspoken principle of "you touched the source, so you own the problem" comes into force.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
more likely the fix will come from Valve
Snowden and Manning are heroes.
Simple Reality: It is profitable to release new improved [undocumented bugs] software to buyers.
It is costly to fix software bugs for free, because old buggy products are an excellent free marketing tool.
HookWare is good for US and always good for companies and greedy.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
Apple already has it. It's just that their biz model requires that it run only on their boxes.
Remember when desktop computing was bigger than pocket computing? I do. But then I remember when personal computers were new too - back before there was an IBM PC as such. Things change.
Help stamp out iliturcy.
I'm a Mac guy, but Apple's license agreement for OSX has the same kind of limitations on liability and fitness for use.
- Never attribute to malice that which can adequately be explained by stupidity.