The benefits at MS are some of the best in the industry. Not only do we get medical insurance with small deductables and extensive coverage, but we get access to discounts on all kinds of services. For example, if you live in WA, you get big discounts at restaurants (the list is extensive), stores and events (museums, movie tickets, etc...) My favorite is MS' policy of matching dollar-for-dollar your donations to non-profits, so I am able to make sizable donations to causes I support but only put up 1/2 of the money.
While you have a point, this patch obviously didn't get too much review -- decbuf is reallocated using realloc, and as far as I can tell the value is never checked before being dereferenced to make sure the allocation didn't fail. So this patch needs another patch, and it is the kind of thing that 'the other operating systems' wouldn't be able to get away with.
"So once that function was ported over from the 95 family to the NT4 family [ported=modified to fit the needs of the platform], it probably remained untouched [=not much maintenance done after it became a stable part of the codebase]"
The developers themselves have said that the code was created during a very different time in the company, implying that they did not revisit the function when they developed the newer platforms.
I do apologize for the use of 'NT4', apparently the function has been present since the first version of the NT family.
Like I said, the function was ported to NT from the 95 line (ports can include changes). Afterwards, barely touched, and it was grandfathered in to every other OS.
Something that people don't seem to realize is that when a new OS is created for a particular windows family (95/98/ME or NT4/2000/XP/2003/Vista), functions aren't 'ported'. Instead the same codebase is worked on until you arrive at the next version. So once that function was ported over from the 95 family to the NT4 family, it probably remained untouched, with this vulnerability. So it's not necessarily correct to say 'why did they keep porting this function across OS?!'.
The reality is the windows codebase has a ton of legacy in it. One positive step taken for Vista is that *all* code, including legacy (actually, most importantly, legacy), was SAL annotated so that static analysis of the full codebase could be performed for a large variety of coding mistakes that lead to vulnerabilities. Related to that, all memory/string functions that don't take bounds have been removed from the codebase, which allows SAL to statically analyze for buffer overruns. There's been a few times when thanks to updates to the SAL agent I've had bugs assigned to my code that catch obscure issues. You can read more about the technique at: http://research.microsoft.com/slam/ At the same time, WIM is doing a second security sweep of all windows components. This is in no way complete, given that things like this WMF vulnerability still got through, but still it is a start, and is a process that is evolving every day.
I'd like to point out that in Vista WMF is mitigated by the fact that unless you are logged in as the straight Administrator account, the arbitrary code executed from the WMF exploit will only have limited user access to the system (no access to write to the windows directory, program files directory, and system registry for example) even if the account is part of the Administrators group. Honestly this is probably the #1 reason to move to Vista -- it finally has a coherent LUA story and by default I can run all my apps with low priviledges.
Sony said the same thing about the PS2 (toy story quality real-time renders), and we all know how it turned out (looks great to be sure, but nowhere near Toy Story quality). The cell's strength is the sheer amount of parallel processing units, and it's weakness is that each *individual* unit is underpowered by today's standards. Currently, game makers are not the best multi-threaded programmers. If they can make the transition from 1-2 threads to 8 threads, then this will get interesting. If not, then the PS3 won't seem as giant a leap as they say it will be.
You may want to take a look at their quarterly earning reports. Last quarter alone they had a 9% increase in revenue (that's a 900 million increase, 10 billion dollars total revenue, just for the *quarter*). And with what? They've barely had any new software releases, and have had security issues with their OS's. But they are still going strong. I'd keep my eye on them in '06. They are having new releases of essentially every big property -- Office, Windows, Visual Studio, SQL, Xbox -- and are predicting double digit growth.
They have the market sewn up but they are still losing corporate customers hand over fist (dispite what they tell us it is obvious people are dropping Windows for *nix).
I guess if we ignore the positive growth numbers for win2k3 server adoption, then we could arrive at your conclusion.
Well... with Vista they are making some pretty big moves away from ease-of-use over security, which I think shows that they are at least now seriously committed about security. And instead of leaving in insecure things for sake of compatibility they are using some interesting technologies (like virtualization) to work around unsafe applications in a safe manner, instead of making an unsafe OS so it can run an unsafe application. For example, gone are the days where everyone runs as Administrator, and people will probably be pissed off that they'll have to elevate privileges to sysadmin but that's the only way to be secure.
In terms of IE7 they are doing similar changes. When browsing the internet by default IE will not have priviledges to write to your computer, instead limited to the internet cache folders, severely limiting scripting vulnerabilities. It also has a way to run it sans any kind of extension for the worst-case scenario where you get hit by spyware and need to go online to get the patch. There are bunch of similar fixes that I think will make IE 7 very solid security wise.
Yeah, the Xbox 360 is going horribly. I love it how I can walk into the local Best Buy and there are mountains of xbox 360's just waiting there. And the media is just ignoring the console altogether. I feel bad for MS./sarcasm
The way the IE team has been killing themselves lately developing IE7, I'd be pretty surprised if MS turned around and bought Opera. It would also seem like an odd time to make the buy, given that IE7 ships next year.
Well, Media Center extender is one of the major reasons I'm considering the Xbox 360. My living room will look a lot nicer with the sleek xbox 360, and my MCPC moved into the home office. I'll hang tight though until the hd-dvd Xboxes are released, and more good games are available, but the extra features you deride really do differentiate the console from others.
Well, apparently the CPU contains hardware for the "trusted computing platform" on-die which restricts what the CPU will allow to execute. So writing on the disk is probably the easy part.
Ah now I get it -- you don't understand what user-privildeges are.
If you run ANY process, not just IE, as Administrator (or root in linux/OSX/unix terms) you can change system binaries. Take your user out of the Administrators group, and no IE exploit can root your system.
Which vulnerabilities are you talking about? An IE exploit cannot do anything to the kernel except modify system binaries so that the next time they are loaded by the kernel you are rooted.
IE does not run in the kernel. IE exploits have nothing to do with any 'integration into the OS'. IE exploits are the same as any other user level running process. If you could run Active-X in Firefox, or found the same javascript exploite, or other exploits, you would get the exact same range of system impact as with IE. The issue is that for 'ease of use' MS chose to have everyone run as root, which is probably one of the most boneheaded decisions ever. If you run as Limited user IE exploits are contained to your user directory, the same as they would be as non-root in linux. Vista will finally push everyone to the limited user realm, and IE 7 on Vista is absolutely anal when it comes to having any kind of priviledge on the system. We'll see how well it all works out.
Wasn't Google Base revealed in mid November? Damn those MS programmers are QUICK!
The less fanboy reasoning would be that both Google and MS were working on the project pretty much simultaneously, and they were both copying from previous implementations already on the web.
There's a difference between OEM pricing (having DELL include the software in your PC), and buying it stand-alone at Best Buy.
Re:Doesn't it strike you as a bit odd
on
Xbox 360 Very Unstable
·
· Score: 2, Insightful
yes, from the utterly scientific method of a website poll, and one user's pictures, we can determine that the xbox 360 has problems for an inordinate amount of users... sigh... People here are just making a big deal about a few people's issues because it is Microsoft. When you are manufacturing such a complex device you are bound to have a small percentage that may have issues. Does anyone here remember the PS2 launch, and the horrific stability/overheat problems the first gen machines had? PSP with dead pixels? Ipod nanos? etc...
This is why I will wait for the second or third round of manufactured xboxes. Even with the testing they put the hardware through, some are bound to get by on the first run.
So, up to now we know that the hardware won't be up to par, and the controller will be a bit odd... Nintenfans' defense is that it's all about the games, yo! Well... where are the games? Isn't this machine supposed to be out next summer? And they don't have any games in good enough shape to demo yet? Have they at the very least released a list of publishers and games that are planned for the console? I'm just not sure what there is to get excited about.
Slashdot Mirror
"dominate for generations to come"? Don't you think you are jumping the gun a bit?
What's a soul?
The benefits at MS are some of the best in the industry. Not only do we get medical insurance with small deductables and extensive coverage, but we get access to discounts on all kinds of services. For example, if you live in WA, you get big discounts at restaurants (the list is extensive), stores and events (museums, movie tickets, etc...) My favorite is MS' policy of matching dollar-for-dollar your donations to non-profits, so I am able to make sizable donations to causes I support but only put up 1/2 of the money.
While you have a point, this patch obviously didn't get too much review -- decbuf is reallocated using realloc, and as far as I can tell the value is never checked before being dereferenced to make sure the allocation didn't fail. So this patch needs another patch, and it is the kind of thing that 'the other operating systems' wouldn't be able to get away with.
Sigh.
"So once that function was ported over from the 95 family to the NT4 family [ported=modified to fit the needs of the platform], it probably remained untouched [=not much maintenance done after it became a stable part of the codebase]"
The developers themselves have said that the code was created during a very different time in the company, implying that they did not revisit the function when they developed the newer platforms.
I do apologize for the use of 'NT4', apparently the function has been present since the first version of the NT family.
Like I said, the function was ported to NT from the 95 line (ports can include changes). Afterwards, barely touched, and it was grandfathered in to every other OS.
Something that people don't seem to realize is that when a new OS is created for a particular windows family (95/98/ME or NT4/2000/XP/2003/Vista), functions aren't 'ported'. Instead the same codebase is worked on until you arrive at the next version. So once that function was ported over from the 95 family to the NT4 family, it probably remained untouched, with this vulnerability. So it's not necessarily correct to say 'why did they keep porting this function across OS?!'.
The reality is the windows codebase has a ton of legacy in it. One positive step taken for Vista is that *all* code, including legacy (actually, most importantly, legacy), was SAL annotated so that static analysis of the full codebase could be performed for a large variety of coding mistakes that lead to vulnerabilities. Related to that, all memory/string functions that don't take bounds have been removed from the codebase, which allows SAL to statically analyze for buffer overruns. There's been a few times when thanks to updates to the SAL agent I've had bugs assigned to my code that catch obscure issues. You can read more about the technique at: http://research.microsoft.com/slam/ At the same time, WIM is doing a second security sweep of all windows components. This is in no way complete, given that things like this WMF vulnerability still got through, but still it is a start, and is a process that is evolving every day.
I'd like to point out that in Vista WMF is mitigated by the fact that unless you are logged in as the straight Administrator account, the arbitrary code executed from the WMF exploit will only have limited user access to the system (no access to write to the windows directory, program files directory, and system registry for example) even if the account is part of the Administrators group. Honestly this is probably the #1 reason to move to Vista -- it finally has a coherent LUA story and by default I can run all my apps with low priviledges.
Sony said the same thing about the PS2 (toy story quality real-time renders), and we all know how it turned out (looks great to be sure, but nowhere near Toy Story quality). The cell's strength is the sheer amount of parallel processing units, and it's weakness is that each *individual* unit is underpowered by today's standards. Currently, game makers are not the best multi-threaded programmers. If they can make the transition from 1-2 threads to 8 threads, then this will get interesting. If not, then the PS3 won't seem as giant a leap as they say it will be.
You may want to take a look at their quarterly earning reports. Last quarter alone they had a 9% increase in revenue (that's a 900 million increase, 10 billion dollars total revenue, just for the *quarter*). And with what? They've barely had any new software releases, and have had security issues with their OS's. But they are still going strong. I'd keep my eye on them in '06. They are having new releases of essentially every big property -- Office, Windows, Visual Studio, SQL, Xbox -- and are predicting double digit growth.
They have the market sewn up but they are still losing corporate customers hand over fist (dispite what they tell us it is obvious people are dropping Windows for *nix).
I guess if we ignore the positive growth numbers for win2k3 server adoption, then we could arrive at your conclusion.
Well... with Vista they are making some pretty big moves away from ease-of-use over security, which I think shows that they are at least now seriously committed about security. And instead of leaving in insecure things for sake of compatibility they are using some interesting technologies (like virtualization) to work around unsafe applications in a safe manner, instead of making an unsafe OS so it can run an unsafe application. For example, gone are the days where everyone runs as Administrator, and people will probably be pissed off that they'll have to elevate privileges to sysadmin but that's the only way to be secure.
In terms of IE7 they are doing similar changes. When browsing the internet by default IE will not have priviledges to write to your computer, instead limited to the internet cache folders, severely limiting scripting vulnerabilities. It also has a way to run it sans any kind of extension for the worst-case scenario where you get hit by spyware and need to go online to get the patch. There are bunch of similar fixes that I think will make IE 7 very solid security wise.
Yeah, the Xbox 360 is going horribly. I love it how I can walk into the local Best Buy and there are mountains of xbox 360's just waiting there. And the media is just ignoring the console altogether. I feel bad for MS. /sarcasm
The way the IE team has been killing themselves lately developing IE7, I'd be pretty surprised if MS turned around and bought Opera. It would also seem like an odd time to make the buy, given that IE7 ships next year.
Well, Media Center extender is one of the major reasons I'm considering the Xbox 360. My living room will look a lot nicer with the sleek xbox 360, and my MCPC moved into the home office. I'll hang tight though until the hd-dvd Xboxes are released, and more good games are available, but the extra features you deride really do differentiate the console from others.
When it was news in November 2004.
Happy Holidays!
Well, apparently the CPU contains hardware for the "trusted computing platform" on-die which restricts what the CPU will allow to execute. So writing on the disk is probably the easy part.
following the trend for MS, it looks like hotmail is copying gmail and checking for viruses as well. :)
Ah now I get it -- you don't understand what user-privildeges are.
If you run ANY process, not just IE, as Administrator (or root in linux/OSX/unix terms) you can change system binaries. Take your user out of the Administrators group, and no IE exploit can root your system.
My work is done here.
Which vulnerabilities are you talking about? An IE exploit cannot do anything to the kernel except modify system binaries so that the next time they are loaded by the kernel you are rooted.
IE does not run in the kernel. IE exploits have nothing to do with any 'integration into the OS'. IE exploits are the same as any other user level running process. If you could run Active-X in Firefox, or found the same javascript exploite, or other exploits, you would get the exact same range of system impact as with IE. The issue is that for 'ease of use' MS chose to have everyone run as root, which is probably one of the most boneheaded decisions ever. If you run as Limited user IE exploits are contained to your user directory, the same as they would be as non-root in linux. Vista will finally push everyone to the limited user realm, and IE 7 on Vista is absolutely anal when it comes to having any kind of priviledge on the system. We'll see how well it all works out.
Wasn't Google Base revealed in mid November? Damn those MS programmers are QUICK!
The less fanboy reasoning would be that both Google and MS were working on the project pretty much simultaneously, and they were both copying from previous implementations already on the web.
There's a difference between OEM pricing (having DELL include the software in your PC), and buying it stand-alone at Best Buy.
yes, from the utterly scientific method of a website poll, and one user's pictures, we can determine that the xbox 360 has problems for an inordinate amount of users... sigh... People here are just making a big deal about a few people's issues because it is Microsoft. When you are manufacturing such a complex device you are bound to have a small percentage that may have issues. Does anyone here remember the PS2 launch, and the horrific stability/overheat problems the first gen machines had? PSP with dead pixels? Ipod nanos? etc...
This is why I will wait for the second or third round of manufactured xboxes. Even with the testing they put the hardware through, some are bound to get by on the first run.
Links? I'm not trolling, I'd legitimately like to see them.
So, up to now we know that the hardware won't be up to par, and the controller will be a bit odd... Nintenfans' defense is that it's all about the games, yo! Well... where are the games? Isn't this machine supposed to be out next summer? And they don't have any games in good enough shape to demo yet? Have they at the very least released a list of publishers and games that are planned for the console? I'm just not sure what there is to get excited about.