DirectX Flaw Leaves Windows Vulnerable
cryonic*angel writes "Just when you thought it was safe to start buying music from BuyMusic, another Windows security flaw is found, in DirectX this time, that basically affects every possible Windows configuration that is still supported. I wonder, will they indemnify me for this?"
...So? (Score:2, Interesting)
Sounds like every other OS out there! : )
Nah, thanks for calling attention to this, I'm going to be patching my clients to 9.0b tonight.
Windows ... (Score:0, Interesting)
Hey, it isn't news any more. Windows security, that is.
I'll go back to considering the possibility of using Microsoft products when I haven't heard a single security problem for
In the meantime, I've completely stopped using all Microsoft products. For good. Anyone else?
Re:Wha... (Score:5, Interesting)
That's the kicker. I know a LOT of sites that do this. A couple of financial services sites I frequent have Registered Reps that seem to think a MIDI that runs in the background lends "ambiance" or some such to their site. They INSIST on it.
Why was there no mention of the RPC flaw? (Score:4, Interesting)
LSD has produced two proof of concept exploit codes (which they have not released) which they were able to get to work even with Server 2003 and its new buffer overflow prevention mechanism. The nature of the flaw makes it ripe for exploitation by a worm.
As discussed here [yahoo.com], the reports are unusually embarrassing as they affect Server 2003, Microsoft's most powerful and safest software yet. It is ironic that the announcement comes one day after the Homeland Security Department announced that it awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency.
Re:Nice System My Ass (Score:2, Interesting)
Automatic notices are the default option, if memory serves. Certainly, that's what my XP Home machine is set to do. You can choose to have automatic install should you wish, but you don't have to. I left it on notify only, not because I find their EULA notices scary, but simply because I didn't want it deciding that I really shouldn't check my 3 items of email over a 56k connection without installing 20Mb of patches for unrelated things first.
I want an OS that can go a year without an exploit in ANY of the software they consider part of their 'distribution'. And still have enough functionality to be useful as a general purpose Internet server. I realize a secure desktop is going to be a lot harder, but let's at least shoot for a real secure server.
Actually it's been known for a long time ago, but (Score:4, Interesting)
DirectX controls have been a problem in music notation software for years.
Maybe now someone will write a real piece of music notation software that doesn't use f'ing midi timing to set note placement. One of my main peeves with commercial notation software.
I have seen the possibility that MIDI could be used as a hack for years! In fact a little friend of mine has used this exploit to demonstrate a flaw in the whole concept of MIDI as a scripting control. He has written a replacement algorithm that directly generates wave at the processor level and then sends it to the sound card without the use of shitty DirectX. DirectX sucks for security and flexibility, always has and always will, because of its fork processes. I personally do not care if my notation software can make sound, so I just have to put up with useless junk MIDI. Read my journal entry about more music #32862
Re:I won't EVER be buying music from BuyMusic.... (Score:3, Interesting)
If I buy a CD (which I won't, because they are too expensive nowadays, I own about 600 of them thus far though) I can play it in my computer (technically my old stereo), in my surround system, in my car, in my or my girlfriend's portable CD player, at work, or at a friend's place.
If I could buy the music legally in high quality Ogg format, and then put it wherever I want (except trading to people) I would be happy. Very much so even. It would appeal to my sense of fairness (yes they made the music, I should pay them and not pirate) and my laziness (*burn* and it goes into the car).
Hell, wasn't OGG even made just for this? When are they going to stop thinking about the tech stuff and give ogg some more uses than for us hackers?
On another note, I have patched all the Windows computers I use before this story came on Slashdot and I don't find this worse than a new Linux kernel corrupting the filesystem. This is a piece of non-news!
*Another* buffer overrun? (Score:3, Interesting)
The class taught us about error checking and control. Something MS seems to desperately need.
At the root of the problem (Score:2, Interesting)
The reader with 200 NT/2K boxes to patch would probably be grateful if he didn't have to worry about patching whatever bogus components MS includes by default.
I say we take 'em back to court and get them to rip out ALL the unnecessary functionality from the kernel.
Well done Microsoft (Score:3, Interesting)
My only complaint is that MS seems less concerned with many less severe vulnerabilities. You'd think a corporation of their size would have a whole department devoted solely to fixing all security (and other) flaws.
Re:Tough one... (Score:1, Interesting)
Just don't do stupid shit like:
char buf[1024];
sprintf(buf, string_of_unknown_length);
Use the proper function: snprintf
Code can be mathematically proven to be safe. The problem is that most coders do not have the time, inclination, or necessary expertise to do so.
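The bounded alternative the comment above recommends, written out as an added example (not the commenter's code): snprintf is given the buffer size and a fixed "%s" format, and the return value is checked so that an input longer than the buffer is reported instead of silently clipped. The function name and the constructed inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024

/* Copy src into a fixed-size buffer with snprintf. A fixed "%s" format
 * means the input is treated as data, never as a format string, and the
 * size argument means it can never write past dst. snprintf returns the
 * length it *wanted* to write, so a value >= dst_size reveals truncation;
 * we return -1 in that case so the caller cannot use a clipped string
 * by accident. (Hypothetical helper name, chosen for this example.) */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    int needed;

    if (dst == NULL || dst_size == 0 || src == NULL)
        return -1;
    needed = snprintf(dst, dst_size, "%s", src);
    if (needed < 0)
        return -1;                 /* encoding/output error */
    if ((size_t)needed >= dst_size) {
        dst[0] = '\0';             /* refuse the truncated result */
        return -1;
    }
    return needed;                 /* characters stored, excluding NUL */
}

/* Constructed input that fits comfortably in the 1024-byte buffer. */
int demo_short(void)
{
    char buf[BUF_SIZE];
    return bounded_copy(buf, sizeof buf, "hello, world");
}

/* Constructed input four times the buffer size: with sprintf this
 * would overrun buf; with bounded_copy it is rejected and buf stays
 * a valid empty string. */
int demo_long(void)
{
    char big[4 * BUF_SIZE];
    char buf[BUF_SIZE];

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return bounded_copy(buf, sizeof buf, big);
}
```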