,----[ Quote ]
| During the creation of Windows Vista, more than 140,000 unsafe API calls
| were banned and Howard hinted that one more -- "memcpy" -- might be
| added to the list for new code coming out of Redmond.
|
| [...]
|
| ""The SDL is not perfect, nor will it ever ever be perfect," Howard
| argued. "We still have work to do, and this bug shows that. We have
| a new -GS pragma that adds more stack cookies; we've updated our
| fuzz tools; we will pay closer attention to exception handlers that
| could mask vulnerabilities, and we will investigate the impact of
| banning "memcpy" for new code," he added.
`----
http://blogs.zdnet.com/security/?p=181
How about this one?
Student evades Cisco NAC; gets suspended
,----[ Quote ]
| A default setting in Cisco NAC gear allowed a University of Portland
| student to dodge a security scan by Cisco's NAC software agent and
| get on the school network.
`----
http://www.networkworld.com/news/2007/042607-cisco-nac-unversity-portland.html
At least the flaw was a result of human error (negligence).
Related:
Microsoft Patches Not One, But Three Vista Holes
,----[ Quote ]
| Microsoft today released an update for the recently popular 'animated
| cursor' vulnerability. The update was originally scheduled for April
| 10th, but due to recent exploits, was rushed out today. The update
| wasn't just for this one vulnerability though, in Vista, it addressed two
| others, and in all covered seven vulnerabilities in Vista, XP and
| 2000.
`----
http://itsvista.com/2007/04/microsoft-patches-not-one-but-three-vista-holes/
> Microsoft mulling major changes to ward off .ANI-type flaws
>
> ,----[ Quote ]
>| During the creation of Windows Vista, more than 140,000 unsafe API calls
>| were banned and Howard hinted that one more -- "memcpy" -- might be
>| added to the list for new code coming out of Redmond.
>|
>| [...]
>|
>| ""The SDL is not perfect, nor will it ever ever be perfect," Howard
>| argued. "We still have work to do, and this bug shows that. We have
>| a new -GS pragma that adds more stack cookies; we've updated our
>| fuzz tools; we will pay closer attention to exception handlers that
>| could mask vulnerabilities, and we will investigate the impact of
>| banning "memcpy" for new code," he added.
> `----
>
> http://blogs.zdnet.com/security/?p=181
I'm struggling to find *ANY* way that you could possibly not be lying here.
This article talks about Microsoft's software development lifecycle, and
how they are taking steps by barring the use of functions that have a
history of unsafe use, as well as various tools to help identify flawed
code. Yet your title says that Microsoft is issuing some hack patch to fix
windows.
They're two *ENTIRELY* different concepts. One is a proactive stance taken
by professional developers (OpenBSD uses a similar approach), and the other
is creating a crappy piece of code.
Do you not even read the articles you link to? How do you justify
fabricating these subject lines?
> Microsoft mulling major changes to ward off .ANI-type flaws
LOL!!!
Exactly how much of the Vista OS is dependent on this *animated cursor*?
Are they going to have to spend another six years, and another 10
billion dollars just to fix something (that should have been) so trivial?
This is the most ridiculous "Windows issue" I've ever heard. I don't
know whether to laugh or cry.
No, I do ... I'll laugh.
ROTFLMFAO!!!!!
--
K.
http://slated.org
.----
| I found [Vista] to be a dangerously unstable operating system,
| which has caused me to lose data ... unfortunately this product
| is unfit for any user. - [H]ardOCP, <http://tinyurl.com/3bpfs2>
`----
Fedora Core release 5 (Bordeaux) on sky, running kernel 2.6.20-1.2312.fc5
09:11:07 up 11 days, 6:43, 4 users, load average: 0.40, 0.17, 0.15
> Microsoft mulling major changes to ward off .ANI-type flaws
>
> ,----[ Quote ]
> | During the creation of Windows Vista, more than 140,000 unsafe API calls
> | were banned and Howard hinted that one more -- "memcpy" -- might be
> | added to the list for new code coming out of Redmond.
What about banning /* */ ??
If they didn't ban that, security through obscurity
is guaranteed to fail at micoshaft corporation!!!!
Subject lines modified to get past filters, eh?
Do you consider the following measure a step towards security? Or is it just
a workaround for flawed design?
Program Names govern admin rights in Vista
,----[ Quote ]
| "This is a little bit silly: just name the installer something
| else, and Vista lets it through," Chess said. He added that
| although the feature is imperfect and inconvenient, it's
| "better than nothing".
`----
http://www.theregister.co.uk/2007/04/23/vista_program_naming_oddness/
--
~~ With kind regards
For governments that eavesdrop, here is a quick list of tags: Communism,
Hawaiian shirts, China, Suitcase, Martha Stewart, Encryption, Prison,
Stalin. Thanks for tuning in.
http://Schestowitz.com | RHAT GNU/Linux ¦ PGP-Key: 0x74572E8E
run-level 5 Apr 14 23:12 last=S
http://iuron.com - help build a non-profit search engine
> your title says that Microsoft is issuing some hack patch to fix windows.
'planned changes to fix some warts in the SDL (Security Development
Lifecycle)'
'changing the compiler is a long-term task. In the short-term, we have a
new compiler pragma that forces the compiler to be much more aggressive,
and we will start using this pragma on new code'
Sounds like a hack to be ..
Thank you. Exactly the sorts of phrases that caught my eye. In that other
article, clear criticism was appended (not just in the many comments). To
repeat Ron House's nice analogy, it's like detecting metal using a metal
detector that identified objects with "metal" printed on them. It puts a
spin (or reality) on Microsoft's flawed ideas and analogy. They just can't
bear the thought of rewriting their O/S from scratch. Doing this will moreover
be an admission of failure.
--
~~ With kind regards
Roy S. Schestowitz | $> apt-get -not windows
http://Schestowitz.com | Open Prospects ¦ PGP-Key: 0x74572E8E
Tasks: 91 total, 1 running, 89 sleeping, 0 stopped, 1 zombie
http://iuron.com - knowledge engine, not a search engine
*bump*
Runs away again?
> Program Names govern admin rights in Vista
>
> ,----[ Quote ]
> | "This is a little bit silly: just name the installer something
> | else, and Vista lets it through," Chess said. He added that
> | although the feature is imperfect and inconvenient, it's
> | "better than nothing".
> `----
>
> http://www.theregister.co.uk/2007/04/23/vista_program_naming_oddness/
--
~~ Best regards
Roy S. Schestowitz | Proprietary cripples communication
http://Schestowitz.com | Open Prospects ¦ PGP-Key: 0x74572E8E
Tasks: 114 total, 1 running, 112 sleeping, 0 stopped, 1 zombie
You at least are in a position to do so, as am I; I have
not purchased (nor do I willingly contemplate purchasing)
Vista. However, one does have to at least consider
shedding a tear for unwittingly duped OEMs...though I'm
not sure how many for such as Michael Dell, but I wonder
if he knew how bad Vista was going to sell -- or if anyone
did, really.
Is it Microsoft BOB all over again, perhaps?
--
#191, ewi...@earthlink.net
Is it cheaper to learn Linux, or to hire someone
to fix your Windows problems?