Microsoft Scrambles to Fix Flaw

Turgon

http://uk.news.yahoo.com/5/20081217/twl-microsoft-scrambles-to-fix-flaw-3fd0ae9.html

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Webmaster

HeroPsycho wrote:

Webmaster wrote:

Notice how all 11 fixes apply to Windows XP/Vista and only 4 also to Mac OS X. Even at Apple they can't write secure code for Windows

OR...

Apple is filled with human beings as programmers who also make mistakes, especially when they code for an OS they don't know as well as their own.

Yeah, maybe. I like my explanation better, probably because it was meant to be a cheapshot

JDMurray wrote:

Webmaster wrote:

and everyone should change to Mac OS X with its less complex, less compatible, and minimalistic design

I can't wait until you put the high-level applications programming aside and delve into the world of BSD UNIX programming. Then we'll see if you still think that OS X is less complex and with a minimalistic design.

It sounds like I need to send you some more 'promotional' screenshot of Xcode and its tools to lure you over to the good side.

The minimalism of Apple doesn't only apply to the looks/design of their hard and sofware, the approach is clearly present in Mac OS X development as well . My recent dev experience on the Mac (yeah it's 'a' PC and 'the' Mac

) surely causes me being more biased but my suggestion/conclusion is not a result of that but directly of agreement with your first reply. If for a huge corporation like Microsoft Windows being "a vast, complicated, and complex beast that retains compatibility with over 20 years-worth of legacy applications" is a valid reason for the number of patches (not even judging the amount) maybe that is the problem they should try to address. E.g. by taking a more minimalistic approach like Apple for example, Macs don't need to retain compatibility with as many applications as Windows and that obviously goes for hardware, and bells-and-whistles as well, i.o.w. if meeting less of the users' demands would lead to less (need for) patches and a more secure and more stable Windows (and run as smooth as my Mac

) I'd be all for it.

dynamik

I think that Microsoft breaking compatibility would be one of the biggest steps forward they could make for Windows. With the power and affordability of CPUs and memory, along with the advancements in virtualization technology, it seems like it would be feasible to make some sort of XP-based application virtualization that would still permit legacy applications to run.

HeroPsycho

dynamik wrote:

I think that Microsoft breaking compatibility would be one of the biggest steps forward they could make for Windows. With the power and affordability of CPUs and memory, along with the advancements in virtualization technology, it seems like it would be feasible to make some sort of XP-based application virtualization that would still permit legacy applications to run.

What do you think Vista and User Account Control does?

dynamik

No, I'm talking removing all the workarounds in the actual code of the OS that had to be put in for compatibility reasons. UAC wouldn't have anything to do with that.

The only thing that was written from scratch in Vista was the networking stack, right? I thought they carried all the other crap from previous versions over.

royal

UAC was just a new feature that didn't work well until application vendors made their software compatible. Has absolutely nothing to do with removing all the compatibility code that's deep rooted in the OS.

Edit: Dynamik beat me to it. Damn you!

tiersten

Microsoft put in a huge amount of work into making Windows work with applications. They have lots of compatibility fixes not just because the API changed in a newer version but because very widely distributed applications depend on some bug or obscure undocumented behaviour of the API. If they just fix the bug or change the undocumented behaviour in a patch then people will complain. Microsoft sucks! They released a patch and it totally broke RandomCrapApp 95 I've been running with no problems!

Read Raymond Chen's MSDN blog if you want to find out more about it. His blog only covers the UI side of things but there is already enough material for that.

HeroPsycho

royal wrote:

UAC was just a new feature that didn't work well until application vendors made their software compatible. Has absolutely nothing to do with removing all the compatibility code that's deep rooted in the OS.

Edit: Dynamik beat me to it. Damn you!

Actually that's not true. UAC does intercept calls and tries to make them work properly with Vista when the program may have been coded in a manner that would be incompatible. If you want proof, people who got annoyed with UAC turned it off, and then suffered a bunch of problems with Adobe products, which Adobe responded by releasing a KB article that said turn UAC back on to avoid those problems. UAC worked actually with most applications, although some did not, but as the Adobe example above illustrates, turning UAC off actually broke other applications while allowing some to work.

Also, notice I said Vista and UAC. Vista includes system file, app file, and registry virtualization (which works in conjunction with UAC) to improve compatibility with older apps as well as for increased security and reliability, which is precisely what dynamik was suggesting Microsoft should do. As I'm sure everyone here knows, virtualization doesn't have to be heavy virtualization offered by the likes of HyperV, VirtualPC, VMware Workstation, etc.

Edit: Check this article out about all that UAC + virtualization stuff in Vista is doing. Good read:
http://www.dcr.net/~w-clayton/Vista/UAC/UAC_app_compat_and_virtualization.htm

And I would say UAC and DX10 would have been written from scratch as well in Vista. DX9 compatibility is effectively emulated in DX10, which points to DX10 being something more written from scratch than based on DX9. (GDI is also emulated in Vista, so you could argue the entire OS's GUI rendering engine is new.) Also, I would argue UAC and all the virtualization stuff I mentioned above is more from scratch than based on previous code.

dynamik

I don't think that adequately addresses the issue though. These seemed to be much more significant fixes; I don't think the problems are as simple as writing to areas of the registry or file system that are off limits. I'm not knocking UAC (unless I have run cmd as an admin to renew an IP address) or saying you're wrong. I just think we're talking about two slightly different things.

Oh, and I thought it was a given that all Vista-specific features were written from scratch

I was referring to components that existed prior to Vista and that were included in Vista. The network stack is the only thing, AFIAK.

HeroPsycho

dynamik wrote:

I don't think that adequately addresses the issue though. These seemed to be much more significant fixes; I don't think the problems are as simple as writing to areas of the registry or file system that are off limits. I'm not knocking UAC (unless I have run cmd as an admin to renew an IP address) or saying you're wrong. I just think we're talking about two slightly different things.

But we're not. It's not required to do hardware virtualization to achieve what you're saying. Is what is in Vista perfect? No.

Is it good? IMO, yes.

Is Vista more secure than XP? Yes. I think that's pretty clear by now.

dynamik

I never said it was, did I? It would absolutely be along those lines. I guess I took your original comment the wrong way. It seemed like you were saying it addressed that specific issue. Looking back, it seems like you were just saying that they have something heading in that direction.

I think Vista is more secure than XP and think UAC is a step in the right direction as well. Are we still friends?

HeroPsycho

dynamik wrote:

I never said it was, did I? It would absolutely be along those lines. I guess I took your original comment the wrong way. It seemed like you were saying it addressed that specific issue. Looking back, it seems like you were just saying that they have something heading in that direction.

I think Vista is more secure than XP and think UAC is a step in the right direction as well. Are we still friends?

No, now go away, or I shall taunt you a second time!

snadam

Devin McCloud wrote:

Wow... what a bunch of IE fanboys....in one of those articles the guy announcing the story actually recommended using something other then IE. Everyone here must work for Microsoft.

I'm sorry, but when is it a bad thing that a company releases security patches?

When it takes months for a billion dollar company to patch holes that ever Chinese hacker and xxxxxxx site are already exploiting!

I'm not a 'fanboy', and I dont work for MS. Its just the subjective reasoning behind your statements which leads to a negative conclusion about an entire company that upsets me. Unfortunately, alot of people think like this, and its quite sad.