If there was no 32bit 7, it would be a huge boon for Linux on Atom based machines (think netbooks) which are 32bit only.
Since the Atom based computers are the fastest growing class of machine out there, I simply can't imagine Microsoft leaving all that revenue on the table.
Ah, interesting. That wasn't my take on your comment. I thought you were writing this as "See, this is an indication that OEMs are starting to choose 3rd party browsers because they believe in open standards (or free software or competition)".
My point was simply that OEMs don't give a rip about open standards (or free software or competition). All they care about is who's going to pay them. As long as Windows comes with basic functionality that their customers want, they have no incentive to replace for that functionality.
On the other hand, if someone's willing to pay them to install their widget (pick one: DVD buring software, music player, web browser, anti-spyware, DVD player, whatever) they're more than willing to replace the version that's included with Windows - because the manufacturer of that software has given them an incentive (cash) to replace it.
In my experience, a code's age/maturity is one of the better indicators of it's INsecurity.
We've learned a LOT about security (and more importantly about writing secure code) over the past 10 years.
10 years ago, nobody knew about arithmetic overflow vulnerabilities or heap overflow vulnerabilities. Now every coder needs to worry about them. And all that old code was written non knowing about those vulnerabilities so it's highly likely to contain issues.
Note to moderators: "Troll" is an inappropriate moderation when you disagree with a comment.
According to the/. FAQ, "Troll" is:
Troll -- A Troll is similar to Flamebait, but slightly more refined. This is a prank comment intended to provoke indignant (or just confused) responses. A Troll might mix up vital facts or otherwise distort reality, to make other readers react with helpful "corrections." Trolling is the online equivalent of intentionally dialing wrong numbers just to waste other people's time.
A declarative solution still requires that the entire web be updated to adopt it before you're safe. That's why a combination of non declarative (MSFT's XSS filter) and declarative (FireFox's CSP) is the best option.
This is especially true if there's no visual indication that a site has opted into CSP - otherwise you have no way of knowing which sites are "safe" or not.
Sure, but the instant that you hit a web site that hasn't opted in, the protections are worthless.
MSFT's version of this feature works by inspecting the HTML on the page and blocking all scripts that appear to be hostile - it's not a perfect solution but it doesn't require the site to opt-in.
I think a hybrid solution of both MSFTs and FF's solution is likely to be the best option for customers - the FF solution allows for a declarative solution for sites that want to opt-in, the MSFT solution helps protect other sites.
Yeah, that's right. Especially since the DRM happy fools at Microsoft built the ability to record what's being played right into the audio engine without requiring a patch cable at all (see the AUDCLNT_STREAMFLAGS_LOOPBACK flag.
Not starting with Windows Vista. It closed a huge security hole (see "shatter attack" for more details).
And even before Vista, services interacting with the desktop didn't really work - there were scenarios (like fast user switching and terminal server) where the UI didn't show up.
Why do you believe that Microsoft doesn't run it on their own code?
Remember that !exploitable is a debugger extension that is used on a crash dump to determine if it's possible that the crash was caused by an exploitable bug. It's not a source code analyzer - it's purely a post-mortem analysis tool.
From the paper I would expect that Microsoft routinely runs this tool over crashes, especially over the crashes that are found by its internal fuzzing tests (the paper says that they ran over 350 Million fuzzing iterations in Vista).
Slashdot Mirror
Interesting. It's my underatnding that the number of apache vulnerabilities AND exploits is significantly higher than the number of IIS vulerabilities and exploits (reference: http://www.zone-h.org/archive/published=0 and http://www.infoworld.com/d/security-central/continuing-web-server-security-wars-iis-or-apache-more-secure-098 (full disclosure: The author of the 2nd link works for MSFT).
And a CDRom driver - GEARAspi which totally screws up CDs sometimes.
Why would Microsoft implement GCD when they already have ConcRT which appears to be a better (more scalable) implementation of the same functionality?
And while the NT 3.1 TCP stack was based on the BSD TCP stack, that TCP stack was replaced in Win95/NT4.
If there was no 32bit 7, it would be a huge boon for Linux on Atom based machines (think netbooks) which are 32bit only.
Since the Atom based computers are the fastest growing class of machine out there, I simply can't imagine Microsoft leaving all that revenue on the table.
Actually they said that Windows Server 2008 was the last 32bit server OS. They said nothing about client OS's.
They're basically lambda functions which are a part of C++0x.
In other words, Apple just re-invented Superfetch
Photocopiers anyone?
Ah, interesting. That wasn't my take on your comment. I thought you were writing this as "See, this is an indication that OEMs are starting to choose 3rd party browsers because they believe in open standards (or free software or competition)".
My point was simply that OEMs don't give a rip about open standards (or free software or competition). All they care about is who's going to pay them. As long as Windows comes with basic functionality that their customers want, they have no incentive to replace for that functionality.
On the other hand, if someone's willing to pay them to install their widget (pick one: DVD buring software, music player, web browser, anti-spyware, DVD player, whatever) they're more than willing to replace the version that's included with Windows - because the manufacturer of that software has given them an incentive (cash) to replace it.
When was the last time that a browser vendor was wiling to pay the (PC) OEM to include a browser other than IE?
OEM's will be more than happy to replace MSFTs stuff IF someone's willing to pay them for it.
In my experience, a code's age/maturity is one of the better indicators of it's INsecurity.
We've learned a LOT about security (and more importantly about writing secure code) over the past 10 years.
10 years ago, nobody knew about arithmetic overflow vulnerabilities or heap overflow vulnerabilities. Now every coder needs to worry about them. And all that old code was written non knowing about those vulnerabilities so it's highly likely to contain issues.
Note to moderators: "Troll" is an inappropriate moderation when you disagree with a comment.
According to the /. FAQ, "Troll" is:
Unfortunately experience has proven you wrong.
If the copyright owners want DRM, they're going to get DRM. TC allows them to implement DRM without destroying your machine.
Why would they update the RC?
Does any OS vendor issue security fixes for their betas once the product has shipped?
I actually think it's closer to the OP browser than it is Chrome OS.
A declarative solution still requires that the entire web be updated to adopt it before you're safe. That's why a combination of non declarative (MSFT's XSS filter) and declarative (FireFox's CSP) is the best option.
This is especially true if there's no visual indication that a site has opted into CSP - otherwise you have no way of knowing which sites are "safe" or not.
Sure, but the instant that you hit a web site that hasn't opted in, the protections are worthless.
MSFT's version of this feature works by inspecting the HTML on the page and blocking all scripts that appear to be hostile - it's not a perfect solution but it doesn't require the site to opt-in.
I think a hybrid solution of both MSFTs and FF's solution is likely to be the best option for customers - the FF solution allows for a declarative solution for sites that want to opt-in, the MSFT solution helps protect other sites.
Neither solution is perfect.
Yeah, that's right. Especially since the DRM happy fools at Microsoft built the ability to record what's being played right into the audio engine without requiring a patch cable at all (see the AUDCLNT_STREAMFLAGS_LOOPBACK flag.
Oh wait...
AA3 is probably trying to load a 32bit driver (for copy protection) and 32bit drivers aren't supported on 64bit systems.
That's strange, on my machine you can adjust bass and treble.
It all depends on the abilities of your sound card - some cards don't support tone controls, some do.
This is the same as XP.
The other major problem with this solution is that it requires changes at the web site level.
In other words, you're only safe if the web site author opts into the security solution.
What are the chances that the hundreds of millions of web sites out there will all opt into this feature?
Not starting with Windows Vista. It closed a huge security hole (see "shatter attack" for more details).
And even before Vista, services interacting with the desktop didn't really work - there were scenarios (like fast user switching and terminal server) where the UI didn't show up.
If you can believe Microsoft, they're not the only ones. Lots of ODF implementations have interoperability issues.
Doug Mahugh at MSFT has been blogging about this: http://blogs.msdn.com/dmahugh/archive/2009/05/09/1-2-1.aspx
and
http://blogs.msdn.com/dmahugh/archive/2009/05/13/tracked-changes.aspx
When your corporation decides to move it's data processing to Google Apps, there is an expectation that your company's data remains private.
It's not "free and open" but do you mean a source code analyzer like this one which is available in Visual Studio 2005?
Why do you believe that Microsoft doesn't run it on their own code?
Remember that !exploitable is a debugger extension that is used on a crash dump to determine if it's possible that the crash was caused by an exploitable bug. It's not a source code analyzer - it's purely a post-mortem analysis tool.
From the paper I would expect that Microsoft routinely runs this tool over crashes, especially over the crashes that are found by its internal fuzzing tests (the paper says that they ran over 350 Million fuzzing iterations in Vista).