My impression is that Microsoft views its customers as a cash valve
I can't speak as a *consumer* since I've never really had to deal with that part of PSS, but from a corporate and especially a developer standpoint I can assure you (in my experience at least) that's not the case. Support for server and developer products is excellent. It's gotten better the past few years. You still run into the occasional asshole that asks you if the computer is turned on when you have a problem with MSMQ transport security or a Commerce Server channel or something like that. You still find the odd regional TAM that couldn't spell "Host Integration Server" if his life depended on it. But still. Honestly, that's my perception at least.
As an advocate of Microsoft products, I believe you would welcome those improvements.
Oh, absolutely. I've said it before and I'll say it again: I want open source to succeed. Not because I find it superior (at least in most cases I don't, there are exceptions), but because I want Microsoft to get off their asses and compete instead of dominate. Competition is good; competition breeds excellence. They've been stagnant at the top for too long.
For that reason alone, you and I *both* need open source to succeed.
Well I suppose if you're mentioning my placeholder Cox homepage in the same breath as Debian I should be flattered. You really shouldn't have.
Nice to know they fixed their little problem with a quarter meg download.
Like I said, it's your choice. It's still five lines of code. If you want to push the fix across the enterprise to 1,000 servers I suppose an unattended MSI package install is a bit better. But wait, what am I saying!? Only "free software" is capable of these things!
On the other hand of course you think in terms of your two Celeron Leenucks "boxen" so in a way I understand your narrow view of both the problem and the solution.
Because they've had this kind of problem before and they will have it again.
Yep, and it will get fixed and it won't be quite so the end of the world as you and Slashdot would like to think it is. But I'm sure you'll still bitch cluelessly about it.
WBEM is a fantastic framework. It's powerful, secure, flexible and extensible. The issue with it is that it was always too complicated to understand from an admin's standpoint, and it's supposed to be an administrative tool. So I've never actually seen a network or sys admin writing WBEM scripts - they rely on what they can get from the 'net or somehow have an in-house dev write them. Not very efficient.
Perhaps this says a lot about the average skillset of a *nix admin versus a Windows one, but that's another story. Theoretically you shouldn't have to be a good coder to be a decent admin.
The problem with tbray's rant is that no one expects us to deal with the "insane WS stack". That's what frameworks are for. I expect that if I'm using Java, .NET, Python or Perl that I'll have some sort of structural wrapper around the stuff. I'll leave the nitty-gritty to Don Box and friends, who actually get paid to come up with these things.
Besides, the nice thing about standards is that there are so many of them to choose from.
The problem is that it's not a simple five line change
It is, unless you want to use the module above.
it does not really fix the problem.
It did. Why would you say it didn't? It fixes the problem. How would you know if it does or doesn't fix the problem? Because "I read it on Slashdot so it must be true"? You sure as heck don't seem to be much of a developer.
What I am trying to draw out here is your opinion on whether Microsoft has any legitimate problems with their software, and if so, whether they bear any responsibility for those problems.
Yes, and yes. "Responsibility" here is of course mitigated by the way they license their products.
followed by replies by Microsoft supporters who either attempt to minimize the problem, or point to an equally egregious problem in a competing open source product.
I don't see how this is surprising to anyone. The whole modus operandi of this "community" is to offer their warez as an alternative to Microsoft products. The problem you see is that most of these people actually believe that, say, I'll be better off using OpenX over CommercialY, which is almost (almost!) always not true. This is one of those cases.
I think it's more of an eye opener for me to point out that this is the first reported vuln on a massive product like .NET in three years while something like PHP has a sorry string of bugs and exploits that stretch back to the very first release. That doesn't mean Microsoft's problem does not exist or is lessened by whatever issues PHP has, not at all. But "ominous warning" and "Microsoft recommends re-writing your code" is a bit too much FUD. It's also par for the course around here.
When it doesn't function as promised, and the customer service rep that I have on the phone attempts to make it appear that I am the cause of the problem, then I feel I have a legitimate reason to complain about that company
Yes, you do. But again let's be fair here - what customer support doesn't suck? If you listen to Slashdot all day you'd think the only company in the planet that makes commercial software is Microsoft. They are *far* better than most of their competitors, especially once you get past the first tier monkeys.
What I am asking is: "Do you believe that there are any legitimate complaints regarding Microsoft's products?"
I don't think you can expect software to be perfect, ever. In that sense, you might feel that paying for it is rather stupid, and that's fine. I've heard many people use that rationale when considering open source - "they all suck, let's at least not pay for it". But to say there's nothing to complain about Microsoft would be too much. There is a *lot* to complain about. They are getting better. They move slowly. If you think they are not meeting your expectations then you vote with your feet. It's that simple.
.NET applications do not require the registry because they do away with COM as a binary interop model. COM uses the registry for binary location resolution and invocation/activation policy. .NET is based on a different (far better) model that is a cross between the "old" Windows library mapping system and a bit of how Unix works.
This is no different of course than a plain C/C++ desktop app running on Windows that didn't use COM. But those were few and in between and in any case COM was useful enough that you would want to use it everywhere.
Keep in mind that this doesn't mean the framework itself doesn't use COM or the registry - in fact it requires it. But you as the application developer are shielded from that completely. It also doesn't mean that the registry is going anywhere any time soon, and neither is COM. It's just that now you have a way to create complex apps with a full-featured framework that rivals COM without also having to deal with the registry. No registry also means DLL Hell is also largely gone. "DLL Hell" should have always been called "COM Server Hell". It worked fine and was very powerful, but it was also a bit inflexible and difficult to get right if your stock symbol wasn't MSTF.
A lot (though not all) IE problems, Nimda, CodeRed, Blaster, etc. Of course how terrible a vulnerability is depends on how much you happen to hate Microsoft - to me this is a non-issue given how long .NET has gone without one and how many people have been trying to break it for three years. And if I was making the same point about PHP I'd probably be "right", here.
Certainly given some people can claim a Mozilla or Apache vulnerability is "no big deal" gives me a great deal of room to claim this is "no big deal", if nothing else.
.NET has been live for three years almost. This is the first ASP.NET vulnerability reported. How many vulnerabilities in PHP?
There are going to be more problems found, and they are going to be identified and patched. Just like PHP and everything else.
As always, Slashdot is three days late with this bit of "news" so the only purpose this "article" serves is to let the zealots come out of the woodwork to claim yet again that Microsoft is "teh evil" and .NET should be replaced with some bit of open source that of course has no bugs, exploits or vulnerabilities because it's perfect. And free.
If this is an "ominous warning" I don't know what this is, yet AFAIK it wasn't even reported on Slashbork.
You create something like .NET, put it out there for half the world to hit on and then see if you can go three years before finding a problem with it. I'm sure it's possible; after all free software is perfect.
Good call. Everyone reading and posting on this website has the exact same opinion on every single topic
If you won't make dumb generalizations, I won't either. How's that?
The great majority of people who post to this website share the same basic value system. This is a vicious circle fed by the people who post the articles (the "editors") and the people who moderate posts to those articles. Simple evolutionary theory - survival of the zealotest if you will.
Hello,
I'm maxpubic, and I'm one of the preeminent slashbots. I'd like to take this opportunity to explain how things work around here.
- Anyone who disagrees with the slashbot collective mindset is a troll.
- Anyone who disagrees with me is a troll.
- Anyone who questions our beliefs will have his/her age, mental capacity, sexual orientation and racial characteristics put to question and ridiculed.
- There is no slashbot collective, primarily because admitting that it exists would validate the "troll" post I'm replying to and we don't want that.
- Facts are overrated. So is reality. Always remember that.
Now, this is a problem because many Windows users use versions of Windows which are obsolete: 98SE, ME, 2000. When Longhorn comes, this trend will of course hold true: people don't rush to the stores to buy the newest Operating System version. This means that people will be using still old versions of MSIE long after IE7 comes, which will, of course, be unsupported by MS because they don't want to trail support for 5 or 10 different versions of a single product
I don't contest what you're saying, and personally I think it's a bad idea from Microsoft, assuming it actually happens. But I find this argument quite interesting.
Let's assume for a second that Mozilla becomes the most widely used browser in the world (for whatever operating system). 100 million people download and install it. And then someone finds another serious vulnerability with it. The Mozilla folks patch it. Then what? 20 million people upgrade, and 80 million don't. What then? The exploits come. How does Mozilla handle this? Because they're going to have exactly the same type of problem Microsoft has today: people who just don't give a damn if their computers are turned into spam zombies or get bogged down with malware. These are the people from whose machines you and I still get those stupid mass-mailing worm messages, and of course spam.
Mozilla can very well damn rewrite the entire Gecko codebase and it will do them absolutely no good. Just like Microsoft with IE. With the small distinction that Microsoft does still support three versions of IE, while Mozilla likely won't even go there.
Today you can find thousands of Linux machines out there that have year-old holes in Sendmail, SSH and the kernel itself. It's just that very few of them are being run off Comcast cable modems and virus writers just don't see much value in taking them over. It's no different from Windows.
Even if Microsoft decided to bite the bullet and support seven versions of IE, I doubt it would do much good. What they can do is "force" users to upgrade to minimize the problem, which is what people around here call "the upgrade train" and is exactly what RedHat started doing with their corporate customers because support costs are prohibitive. And that's what Mozilla will have to do ("we don't support version X anymore, sorry. Upgrade to Y now!") because there's no other way to approach it.
And BTW, the fact that some obscure company decided to "support" older versions of RHEL means nothing in the desktop/home user space, so "having the source" is useless.
The people who write free software seem to think they can engineer all these problems away by writing "cool code" and making it "absolutely secure" from the get-go. That's not going to happen. They're still finding buffer overflows in Sendmail, for crying out loud. No, they're going to be in the same situation as Microsoft is today and they're going to get the same beatings left and right. I really hope I get to see that, if only for the chuckles.
There you go again with your "why do you like M$? Does it hurt?" routine. If you can't deal with the fact that there might be someone out there that doesn't subscribe to your cherished "join us or die" ideology and can't bring himself to hate a corporation (as if there weren't enough things to waste my emotional fuel on) then you must assume (in typical black and white zealot fashion) that I therefore must somehow be in love with them. I imagine you're the type that also gets pissed off when someone points out the green bugger hanging out of your nose.
And BTW, if I was a "paid astroturfer" as your well-tightened tinfoil hat seems to have driven you to think, I'd be doing this 24/7 and probably wouldn't bother discussing the finer points of "shilling" with people like you. But apparently you can't make up your mind as to whether I'm into "professional shilling for an evil corporation" or still in high school.
Now if I might suggest you take a few seconds to exercise the few brain cells you have left to think about your obvious issues with sociological phenomena in schools. Maybe you'll find some enlightenment there - maybe you'll even stop asking people stupid questions about their theoretical love affairs with the commercial entities that produce their shoes or their cars. Or their computer software.
Your l33t-speak cuteness doesn't apply to me as I have never claimed that OSS fixes bugs quicker than Microsoft.
Good for you - I was speaking about the slashbot collective. Certainly there are exceptions to the rule.
But the fact remains that it is not unreasonable to hold Microsoft to a higher standard
That's up to their paying clients to decide, not you. And certainly not the obnoxious sheep herd that unfortunately seems permanently attached to the open source movement and seems so full of insight into how to better manage a 50 million customer base.
Yes because we all know that six (or sixteen, sixty or six hundred) things you don't like make a product with the size and scope of .NET "fundamentally broken". Of course.
I could take any other framework or platform and make the same points you are making. You know why? Because no software is perfect and nothing caters to 100% of its user base. Nothing. If you have an example (preferably open source), I'd like to see it. Otherwise, everything is fundamentally broken.
Oh, and mad propz for the VB6 reference. "Maybe you're too stupid to understand this, but I'll try anyway..." Lovely.
The problem is that they never advocated this to the developer community until maybe six months ago. Mainly because even many of their own apps didn't work correctly under non-admin accounts. The Windows installer system was designed for this very thing, and Office 2000 was the first major non-server product to play nicely with the "power user" account, yet the technical evangelists never got this in their radar. Ergo, there's a rough three year gap in app releases from everyone that needs to be covered.
The "Designed for XP" thing is useless if there isn't a trickle-down effect to the minor vendors and independent developers. It does me no good if Corel Draw 9 works fine but "My Suppa Printshop 2.5" or whatever else I need doesn't.
Today more and more apps are dumping the registry and using per-user and per-machine plain text configuration in Windows' equivalent of the ~/ space. COM is slowly giving way to .NET, obviating the need for the registry altogether. Developers are learning they can't write everywhere and making apps that play nice that way. But it's slow going.
Again, you can't have your cake and eat it. You can't stand on the Holier-Than-Thou pulpit and gush about how "we fix bugs soooo much fastest than M$ and they suxx too and thats why free software is teh bestest!!1!" when it suits you and then claim it's OK for Mozilla or anyone else to delay three years to fix a vulnerability "because Mozilla is free".
That most applications break under such a scenario is Microsoft's fault to a certain extent, but not entirely so
To clarify this (because it sounds a bit wrong), it's Microsoft's fault in that they never really pushed vendors to design applications this way mainly because they had to contend with the 9x OSes, which obviously do not support the idea of a "privileged account". Microsoft should have asked large vendors to do things this way, but they didn't. Ergo, it's half their fault. The rest of the blame can be placed squarely at the vendors' feet.
There is nothing in Windows that prevents this "mode of operation" (as it were) under a non-privileged account. Windows can work fine the same way Unix variants do. It has a 'su' equivalent and so on.
It is not different. If more people stopped running under an administrator account the great majority of IE vulnerabilities would result in the same thing. Most email worms would as well.
You can happily run under a non-privileged account in Windows NT4 and higher. The operating system has supported it for at least eight years. That most applications break under such a scenario is Microsoft's fault to a certain extent, but not entirely so. Software vendors are just too lazy to code that way and they assume that they have the go of the entire machine.
I would like to point another type of hypocrisy however - whenever there's a bug in a Microsoft product that is not "critical" in the sense you use, the slashbots come out of the woodwork claiming it's the end of the world yet again. But a bug in Mozilla that wipes out ~/ is OK, because it's "not critical". Do you really think it's "OK" for the average user to see their files wiped while /sbin is untouched? Tell you what: they would not. They'd rather have to wipe the machine and see it turned into a spam zombie than lose the vacation pics and whatever else they have under there.
The problem with your assessment of this problem is that you say "user" and you're thinking about a developer or a sysadmin (in a corporate environment perhaps) with nightly backups and whatnot. In that scenario this bug is a nuisance. In reality it's a disaster.
Couldn't have said it better =)
Cheers.
Impressive.
M$ ... Windoze
They did.
Feeling enlightened yet?
No, not really. Amused, I guess.
How would you push an update to a text file (code at that) through "Windoze Update", oh Master Developer Guru. Please enlighten us.
What do you mean "competing software"? Those are worm code names, not product names. Correct?
Apparently not.
Of course.
Unlike free software apparently, where the answer is always "you're free to ask for your money back", "fix it yourself" or "fuck off".
Thanks, and happy posting!
Wow, I must be reading another web site. But hey, if you say it doesn't exist then that must be the case.
I am a paying client. What made you assume I wasn't?
Nothing, good for you again. I give them grief whenever I can - just not here. It's just not very productive.
Awwww, am I getting your panties all in a bunch here? Too much reality maybe? I understand. It must be hard.
I am glad you are having so much fun slaying your straw men.
Go ahead and prove me wrong. Certainly that will give you some more credibility. Calling me a "shill" just doesn't do it, here.
knows exactly how much of a pain in the ass it is.
As much a "pain in the ass" as letting clueless users run as admins.
How quickly does this descend into The Two-Step Plan for Denying All Problems With Open Source While Also Ignoring Them Because They Hurt
Step 1: "Microsoft is worse" ...
Step 2: "Fuck off"
No profit here, of course.
Enjoy,