I knew a guy like you a few years back. He was real smug about having his whole portfolio in Enron and WorldCom. Turns out that was a really dangerous idea.
It isn't like Wikipedia is some lame-ass piece of shareware I use twice a year; I use it almost every day, especially when I'm arguing on Slashdot and need a quick citation. Where else can you reliably go to get the gravitational constant, an article on Duverger's law, a bio of Robert Johnson or a really cool picture of a dragonfly?
I agree with all of that. Hell, I still tend to think of it as gdi.exe, which is about the last time I cared what Windows internals really looked like. But this "bug" is even better than that - it's not in the image format parser, it's in the freakin' WMF API!!! Believe it or not, WMF files are allowed to have callback functions (user or kernel mode unknown by me) in them - in other words a (picture) data file can contain executable code to "help" Windows display it!! <drools, whaps forehead> It gets better: change the file extension to "jpg" or "gif" or another image type, hell, probably any file type that has a custom icon/is previewable, and Windows will look at the file and go "oh - that's really a WMF file - I know what to do..." (I'm dyin' here). Even Windows Explorer (with thumbnails enabled) will execute the code if you look at a directory that contains one of these files.
If there ever was a smoking-gun lead-pipe indictment of Microsoft's sloppy love of whizzo features, security, stability, maintainability, administerability be damned; this has GOT to be it. If the filetype API is that flawed, we need to just get rid of .WMF files, period.
1) Yes, Virtual PC and WINE allow you to run Microsoft programs like Internet Explorer and Office.
2) The vulnerability is in the Microsoft Windows Graphics Rendering Engine, which is a part of the Windows kernel, and is why the exploit affects Windows versions from Win98 to WinXP.
3) Virtual PC and WINE running under Linux do not use the Microsoft Graphics Rendering Engine.
4) Even if they did, a Windows program trying to run in a Linux environment is a fish out of water, and can't do much besides SEGFAULT and exit.
5) Therefore, Linux (and Mac) users are safe, even if they are running IE or Office - just like the article said.
Yeah - I remember laughing my ass off in a machine room while all the PHBs who had "concerns" were partying their asses off. I still chuckle when I think about it to this day.
It doesn't have to be RNA and DNA exactly, in fact, it probably wouldn't be. Almost any self-replicating error-correcting organic molecule would do, we're just stuck on a local maximum.
You've put your finger right on the problem. Either the data and meta-data are in the same file, (no matter what the extension is) subject to the same security concerns we have today, or the meta-data is in a repository somewhere, subject to single point failures and multi-user versioning problems.
I'm sure I don't really need to point out to a 3 digit UID that Microsoft's other efforts with meta-data (the registry) have been less than stellar. Seems like we're doomed to lack of security or a single point of failure.
Yes, it was really snowing methane.
That's no big deal, we had methane snow here in Chicago last month.
It would if it was Uranus.
I was thinking of installing the latest Longhorn beta, or playing Russian roulette with an automatic - haven't decided yet.
HAHAHAHAHAHAHA!!!
Yep, that is "interesting"!!
Windows XP Flaw 'Extremely Comical'
Kiww de wabbit!
...
Kiww de wabbit!
Oh Bwunhiwda, your so wovewy..
Yes I know it, I can't help it...
Excellent choice! Now only the administrator account can run IE!
Er.... Mac and Linux machines are no more susceptible to Windows XP exploits than you are to kennel cough or feline leukemia.
Bless you brother, best laugh I've had all day.
But it's:
AOL Names Top Spam Subjects For 2005
NOT
AOL Named Top Spam Subject For 2005
Paris Hilton never writes me any more :(
1) James Clerk Maxwell ;-)
2) Max Planck
3) Gordon Moore
4) All of the above
And the corollary would be:
Of course men will gather when a whole new world of "Pr0n!!!!" is at their uhhhh.... fingertips.
Like Big Bird says, remember to put your infants in the back seat, so the "safety" devices don't kill them.
It's still there, you just can't find the damn thing.
My worst write-only nightmare...
*runs screaming from building*