Microsoft Finally To Patch 17-Year-Old Bug 251
eldavojohn writes "Microsoft is due for a very large patch this month, in which five critical holes (that render Windows hijackable by an intruder) are due to be fixed, in addition to twenty other problems. The biggest change addresses a 17-year-old bug dating back to the days of DOS, discovered in January by their BFF Google. The patch should roll out February 9th."
Nothing quite like a "timely" response (Score:5, Interesting)
How in the world can a bug exist for 17 years when they've released so many versions of Windows in that time? Hasn't the kernel been revamped three times? (Win98/ME, WinNT/Win2K/WinXP, Vista/7)
Re:oldest bug evar... and other leet speechisms (Score:5, Interesting)
You joke, but I think he'd like to (Score:5, Interesting)
"We are not the streamlined, small, hyper-efficient kernel I envisioned 15 years ago. Our kernel is huge and bloated. Whenever we add a new feature, it only gets worse." -- Linus Torvalds [computerworlduk.com], September 2009.
Re:Not discovered in January (Score:1, Interesting)
Which still doesnt make it 17 years, like most of these comments assume in their madman ravings...
Re:Nothing quite like a "timely" response (Score:2, Interesting)
no.. that was just the excuse they gave. the real reason is that 7 isn't much of a code change from vista.
Re:Windows NT (Score:2, Interesting)
Backwards compatibility was Windows' great asset. Note that it is somewhat gone in Windows 7, unless they've fixed things such that Civ II Multiplayer Gold works, or the five or so other games I tried. It and Battlezone (another fail when I tried it) fail in VirtualBox OSE (haven't tried the real one) but work in VMware Workstation... under Windows XP. In the XP days it was still possible to just double-click most DOS games' executable to show off just how antiquated Windows could pretend to be. Dunno how that's working out on Windows 7; certainly XP would run a lot less DOS software than DOS, shock amazement. In fact I had DOSBOX installed on XP to run something or other that flailed on XP. Now I use DOSBOX and Windows XP in VMware workstation since my Gigabyte motherboard won't install XP (Gigabyte says "it works here") to play my games under Linux. It's amazing how well some games work in a virtual machine, 3D and all.
Re:Nothing quite like a "timely" response (Score:2, Interesting)
http://www.winsupersite.com/reviews/winserver2k3_gold1.asp [winsupersite.com]
You mean the N-Ten the Intel i860 emulator. Funny how people listen to marketing and treat the meaning of something can change :)
Comment removed (Score:5, Interesting)
Re:Nothing quite like a "timely" response (Score:5, Interesting)
Windows 7 is very much still built on the NT codebase.
You lie! Longhorn (Vista, Server 2008) was built from the ground up [microsoft.com]. Microsoft told me so!
They wouldn't lie to me. <sniff>
Re:When is /. going to actually do more then just (Score:2, Interesting)
Outlook is the best mail server there is.
If you're going to shill with a sub-million UID account, you should get your facts straight. "Outlook" is a client, and no, it's not the best one out there, that's a matter of opinion, with the only alternative choice typically being Lotus Notes. If you really meant "the best mail server", you probably ment to say "Microsoft Exchange", although I would have said "sendmail" or "Whatever Sun/Oracle calls their mail server now", or "anything except Domino".
Re:Nothing quite like a "timely" response (Score:5, Interesting)
I've known about this bug for many years - it's one of a few that date back to my college days when I had a scholarly interest in such things. Back then I used to haunt the dark corners of the Internet where these things were good for a laugh. Now they're good for a quarter million dollars because GO's haunt the dark corners now and they pay good money, and only now are ones like this coming out in common knowledge. You may be sure that if you're a high value target you've been exploited this whole time and that's why your competitors mysteriously beat you to market, or how knockoffs appeared more suddenly after your innovation than reverse engineering would allow.
What's absurd is that there are hundreds more just in the core OS. Go to apps and WMP doesn't have a streaming format that doesn't have pwnership, and let's not even talk about IE. Then there's all the forgotten formats and services, each with its vestigal exploits that still work. And then there's Office. Good Lord, as if providing multiple Turing machine capable development environments were not enough, every app includes embeds for hundreds of formats that can hose any machine that opens a document, and for each of those there's a Microsoft-only undocumented interface that's truly trusted to be exploited, because that's how they roll. And one of those apps is an email client - think about that for a bit.
Each fix only adds to the problem. Even if the patch doesn't add new exploits (most do) most people don't patch, and half of the few who do patch slowly to avoid incompatibilities. In the meantime the patch gives clues to the amateurs on which features to exploit. For 90% of systems you only need to pwn it once and leave some obvious malware and the idiot running it will clean it and think it's all good. So the smart black hat builds a database of servers running Windows he can get at from his previously Pwned boxes (yes, some of them are probably inside your firewall and most but not all of them are clients) and crafts a package to pwn the rest of your network and if necessary leave some cleanable traces. The truly nefarious black hats exploit the patching system itself - of course it has exploits and hidden hooks too.
Each rewrite leads to new problems. In 2008 how the hell do you write a server OS that hangs on a bad packet on the file sharing service [microsoft.com]? That's not what Bill promised us in 2002 [cnet.com]. In six years they couldn't even get that right? That's your clue that they're not even trying or at least they're not able. At the very least they're struggling just to copy a file [technet.com] as if that were a new requirement.
You would think with the billions they have to throw away on XBox and Pink, from Bing to Zune, Microsoft could afford to hire a few Pakistani code geeks to haunt the dark corners and report what they find written on the wall there. They're getting rid of their profits but they're not doing it well. You would think code security audits would extend to the historical catalog of code, but no... that group has enough to do just vetting this month's patches, let alone the output of the dev teams. I imagine the rest of them are building Bing interfaces into Yahoo's services as if they had a hope in hell of getting us to use Bing. For sure they're not throwing a ton of quality code geeks into saving their butt on WiMo 7. Fixing bugs widely known in the Underground that consumers like you don't know about? That's a 0 priority task.
Windows shops: not only are we laughing at you - we always have and we always will. You poor bastards.
Re:You joke, but I think he'd like to (Score:1, Interesting)
Re:I'm guessing you know this (Score:3, Interesting)
Bah, just couple of years back* I compiled myself a linux from scratch to test if I could get it running on an old discarded 486dx with 8M of mem and a 40M hard drive. I had to cheat a bit by throwing in a 120M hard drive while compiling stuff. Source and object code takes a lot of space.
I can't remember what I used as a bootstrap to start the process. I think I made a custom initrd disks from some old debian netboot images.
* Well, shit. -98 was over ten years ago. I feel like a git.
Re:Nothing quite like a "timely" response (Score:2, Interesting)
Re:I'm guessing you know this (Score:3, Interesting)
Notably without on the fly spelling or grammar highlighting, and zero ability to transparently turn "teh" into "the". "Next question" indeed. You remember the 1984 single purpose word processor without integration into a general purpose computer, without the ability to paste images, screenshots or graphs from a spreadsheet program. And yet you stick by "Word processing was solved in 1984"? Shall I assume you're still using that machine today for professional reasons, and you never find it lacking in any niceties?
Those time sinks have been around for ages. In modern times, they've been hula hoops, books, comics, video games and countless other things. Computers have certainly become integrated into our modern lifestyle of leisure, and while I certainly agree that bringing a leisure machine into the workplace may have its detriments, I still believe it's a net positive. Gone are the days of relying on a squad of secretaries to synchronize schedules to hold a meeting, now we can do it transparently ourselves. For every person using Netscape when they shouldn't, there's a person who would have been reading a book or a newspaper. Nobody even brings newspapers into the workplace today! Computers aren't the slam dunk productivity multipliers, but saying that they've been stagnant since 1990 when the last database obstacle was overcome is either nieve, foolhardy or pandering to those pining for a time they don't even remember.
Take Boeing. The 787 is a marvel. For all its problems, even if you assume they cost 10% productivity, simply having the computers enabled an airplane to be designed that will add 15-25% efficiency to routes it flies. Given how long it'll fly, that's an immense efficiency multiplier. Winglets weren't even fully understood until computers came along and explained how the vortexes were working. Now that we know, that stuff seems obvious -- but winglets alone add 10% efficiency over an otherwise identical plane without them. And if you design the entire wing around having that feature in the first place, it can be 20-25% shorter, which means less weight and less drag.
Re:I'm guessing you know this (Score:3, Interesting)
Dude, if you 'tune' it differently (read: recompile with completely different sets of code) is it *really* the same kernel anymore?