Slashdot Mirror


User: man_of_mr_e

man_of_mr_e's activity in the archive.

Stories: 0
Comments: 3,833

Comments · 3,833

  1. Re:Wrong tag on Mass SQL Injection Attack Hits Sites Running IIS · · Score: 1

    Oracle will willingly execute multiple statements on a single line if that line is enclosed in begin/end statements. So while you can't exploit multiple statements with a semicolon in a line that was intended to only execute one statement (or rather a line that doesn't contain begin/end tokens), you can exploit it in statements that do have begin/end statements, which certainly diminishes the attack surface.. but doesn't eliminate it.

    Yes, MySQL does have the ability to turn on and off the feature, but I'm unsure of what the default state is. Even if it's off by default, all it takes is for someone to turn it on because they want to use it in their code.

    Regardless, more databases have the feature than do not. This greatly changes the substance of your claim.

  2. Re:Wrong tag on Mass SQL Injection Attack Hits Sites Running IIS · · Score: 1

    Sorry. There are no databases other than MS SQL, Sybase, and derivatives that allow the injection of an entirely new SQL statement where a literal belongs. It is due to the way they support combining multiple statements separated by semicolons.

    Wrong.

    http://dev.mysql.com/doc/refman/5.0/en/c-api-multiple-queries.html

    Also:

    http://www.postgresql.org/docs/6.4/static/install12418.htm

    "(Get in the habit of including those SQL semicolons. Psql won't execute anything until it sees the semicolon or a "\g" and the semicolon is required to delimit multiple statements.)"

  3. Re:Wrong tag on Mass SQL Injection Attack Hits Sites Running IIS · · Score: 1

    There is no vulnerability that is being taken advantage of in MS SQL, it's a vulnerability in the app.

    If there is such a vulnerability, it exists in most major databases, including MySQL and Postgres.

  4. Re:We are staying on XP on Time To Dump XP? · · Score: 1

    Windows 7 most certainly does boot up without a DX9 card.. I know, I run it on several older laptops that work just fine. No Aero, but it works. Even old XP video drivers work in many cases.

    No, there's no guarantee that every piece of hardware will work, or continue to work.. but certainly the standard Intel chipset graphics on most older Dell optiplexes will, as almost all older nvidia and ATI cards will have drivers that work, even if they aren't "official" 7 drivers.

  5. Re:We are staying on XP on Time To Dump XP? · · Score: 1

    You didn't actually answer my question, and waved your hands around it babbling about things which are unimportant.

    If I have a business with machines that don't have DX9 capable video cards on the motherboard, what business apps won't work? And no, Flash 10 does not *REQUIRE* DX9, though it will make use of it if you have it.

    http://www.adobe.com/products/flashplayer/systemreqs/

    It requires a Pentium II 450 or higher, and 128MB of RAM. Those are the only requirements to run flash. Hell, flash 10 runs on Windows 2000.

    I will ask you again, which specific business applications will not work on a pc that has Windows 7 installed but does not have a DX9 compatible video card?

    Can you name one? Just one?

  6. Re:Wrong tag on Mass SQL Injection Attack Hits Sites Running IIS · · Score: 1

    The attack seems to be targeting a specific application, as such it can only be as "severe" as the application's pervasiveness. If the app were installed on only one computer, it could only attack one computer. If the app is on a million, then it can potentially attack a million.

  7. Re:If it is platform independent on Mass SQL Injection Attack Hits Sites Running IIS · · Score: 1

    The post you're referencing is BS. Most SQL databases support multiple statements separated by semicolons, including MySQL and Postgres. The reason is simple, because batching statements into a single query is an optimization that improves performance.

    However, even if we ignore that obviously false claim, you seem to be misinterpreting the point. The point is not about PHP or ASP or anything else. The point is about applications written in those languages, if done poorly are vulnerable to this kind of attack. I don't know about Oracle, but virtually every other SQL database is.

  8. Re:Real Ratina Display on iPhone 4's "Retina Display" Claims Challenged · · Score: 1

    I have never seen anyone, other than perhaps someone reading in bed, holding their iPhone out in front of them. One would think their arms would get very tired.

    Most people I've seen, including myself, hold my phone so it's parallel with the floor, or slightly tilted and I look down at it. Usually, this is somewhere around lower chest or the navel area.

  9. Re:Pfff... on Time To Dump XP? · · Score: 1

    You can install and run Office 2010 alongside previous versions. They don't conflict with each other.

    Worst case scenario, give it a whirl on your home PC.

  10. Re:We are staying on XP on Time To Dump XP? · · Score: 1

    Name a single application that "requires" any version of DirectX, much less DirectX 9. We're talking for a business here. Not even Photoshop or Flash needs it.

    Certain CAD apps might, but you would generally be dealing with very high end workstations with high end video cards for that anyways.

    No application I have ever run across in any non-CAD business environment has ever needed DirectX. Ever.

    So what exactly are you blathering about?

  11. Re:Real Ratina Display on iPhone 4's "Retina Display" Claims Challenged · · Score: 3, Informative

    Who said anything about holding it out?

    Holding it DOWN.. at about navel level.. that's where I tend to use my droid. That's about 18 inches.

  12. Re:Real Ratina Display on iPhone 4's "Retina Display" Claims Challenged · · Score: 4, Funny

    Umm.. who holds their iPhone 10 inches from their face? Maybe blind people.. but I usually have mine out at armish length.. 18-24 inches.

  13. Re:about time on BIOS Will Be Dead In Three Years · · Score: 1

    How about reading the rest of the comments before commenting yourself? I've already explained to several others under this thread why 64 bit flash is needed, and it has nothing to do with needing more than 4GB files.

  14. Re:ZOMIGAWD on BIOS Will Be Dead In Three Years · · Score: 1

    You're still not understanding my point. Suppose you have a closet full of crap, and occasionally you need to go in there and find something. Ok, that can take a great deal of time. But if you don't need to find anything, you can ignore it. It takes no time.

    If you don't have an object tag in your html, you won't have to check the empty list at all, much less the one full of stuff.

  15. Re:Not only... on Time To Dump XP? · · Score: 1

    That's not quite correct either. ftp.exe and a few other apps do use BSD code, but look closely at the copyrights. They predate the first open source version of BSD (network release 1).

    The actuality is that Spider Software (who gave MS the apps in the first place) licensed BSD from Berkeley directly, not using an open source version. As such, it's a commercial license, not an open source one.

  16. Re:Taskbar differences on Time To Dump XP? · · Score: 1

    You don't have to click on the button to get the previews, just hover over it for a second. No clicking required. Also, Alt-tab or Windows-Tab show the various windows in preview as well. Finally, you can change the way the bar works so that it does open multiple buttons, one for each window. So it can work any way you want. You can also reduce the size by switching to small icons, and it is the exact same size as it used to be.

    And no, you can't switch back to the old taskbar. But, you can configure how the taskbar works.

    You also throw around absolutes "Impossible" "no way" way too much. Never say never.

  17. Re:Pfff... on Time To Dump XP? · · Score: 1

    They've changed that for 2010. There's a new File tab that opens what they call the "backstage" that has various functions. I guess it's their "mea culpa"

  18. Re:Pfff... on Time To Dump XP? · · Score: 1

    You should try the Office 2010 trial then, the Orb has been replaced with a File tab (actually, something called the "backstage", but whatever) and Outlook is significantly faster in 2010. Two great new features I love, conversations and ignoring conversations. Ever get put on someone's cc list and you really don't care? Click the ignore conversation and you never have to deal with it.

    Anyways, just give the trial a try.

  19. Re:Pfff... on Time To Dump XP? · · Score: 1

    Depends really. The actual Office 2007 or 2010 functionality still works the same way, it's just accessed differently. Most of the dialogs are exactly the same, and the functions work the same, and the macros work the same, and the shortcut keys work the same. It's just got buttons instead of menus.

    OpenOffice works differently than any version of office. So, even though it may still have menus.. all the items in the menus are in different places, or have different names, and when you find them the functions themselves work differently, and have different quirks. It's not just relearning a new UI, it's relearning the entire office suite. So training for OpenOffice will be significantly more than retraining for the ribbon.

  20. Re:Gartner is shilling on Time To Dump XP? · · Score: 1

    There are a number of good tools to minimize the impact of rewriting a vb6 app in .net. While it would, in many cases, be most beneficial to do a rewrite, it should only take 1 or 2 programmers a few months to do a full conversion.

    In fact, Microsoft has an upgrade assessment tool to help get an idea of what's involved. If the app was written well in the first place, as you say it was, then it should be even less of a problem.

    For example, Artisoft offers their VB Upgrade Companion product. It really isn't prohibitive to upgrade VB6 codebases, unless the app really isn't that mission critical anyways.

  21. Re:We are staying on XP on Time To Dump XP? · · Score: 1

    Windows 7 runs just fine on a non DX 9 capable card. You just don't get the flashy aero effects. Big deal. You don't have them now. An upgrade to 7 gives you far more benefit than Aero, which is the least of the features I'd consider worth upgrading to 7 for.

  22. Re:We are staying on XP on Time To Dump XP? · · Score: 1

    Does your network have Gigabit capability? If so, SMB2 included in 7 and Windows 2008 is significantly faster on Gigabit networks. That's a possible reason. How about better GPO control? How about protected mode IE?

  23. Re:We are staying on XP on Time To Dump XP? · · Score: 1

    Does it? Seriously. How much time do you spend dealing with viruses and malware? Would a decrease in that time justify the cost?

  24. Re:We are staying on XP on Time To Dump XP? · · Score: 1

    Actually, you can buy a Windows 7 upgrade license for XP, you just can't do an upgrade install with it. You can download a Vista trial copy to upgrade from XP to Vista, then use your 7 upgrade to upgrade from Vista to 7. Or you can just do a clean install and use several mechanisms like easy transfer to transfer all your settings.

    However, $171.97 is not a lot of money, especially considering the benefits you get, which are many. A system that is less susceptible to viruses and malware out of the box (Trust me, I have seen it in the clients I support, the XP users still get viruses and malware 3 or 4x more often than the 7 and Vista users). Plus, you get a lot more control over the PCs from an administrative standpoint.

    Finally, XP is end of life. It's already in extended support. While MS will continue to support for several more years, you're going to have to upgrade sometime. Just bite the bullet.

  25. Re:We are staying on XP on Time To Dump XP? · · Score: 1

    Upgrading to new hardware would probably SAVE them money, unless the company is already operating at a loss, since new hardware can be a tax writeoff. And, as for Axtapa, if they are unwilling to upgrade, then business versions of Windows 7 come with a license for XP Mode, that allows you to run apps in an XP environment, even running them seamlessly on the 7 desktop. There are maybe a dozen other ways to get around that problem from Terminal Services to various VMWare technologies.

    The only valid issue these days that stands in the way of upgrades is money. Even then, much of the money may be tax deductible.