Microsoft Warns of Windows 7 Graphics Flaw
Barence writes "A flaw with the graphics driver in Windows 7 could compromise the stability and security of PCs, Microsoft has warned. The vulnerability lies in the Windows Canonical Display Driver (cdd.dll) for the 64-bit versions of Windows 7 and Windows Server 2008 R2. Microsoft claims that the flaw could lead to machines rebooting or even allow a hacker to remotely execute code, although it claims either eventuality is improbable. Concerned users are being advised to disable Windows Aero until Microsoft can issue a fix."
Servers (Score:5, Informative)
and Windows Server 2008 R2
This is why you don't use unnecessary things like Aero (and graphical displays) on servers. Granted Aero isn't enabled by default on Windows Server 2008, but it's still all unnecessary. Servers are meant to be configured and left running with minimal installs. You can do everything you need to from a command line, and sftp for editing those configuration files. When you have a minimalistic install there's also much less chance of some random software having an exploitable bug.
GUI is still there for remote desktop and it's eas (Score:2, Informative)
GUI is still there for remote desktop and it's easier to configure than CMD only.
Re: (Score:2, Funny)
Re: (Score:3, Insightful)
CLI does have its uses. There are things it offers that no GUI can, and vice versa.
But claiming you need it for "real work" is like claiming you need a printing press to print a sheet of paper with "real text" on it. Both are equally ridiculous statements.
For most work environments, neither CLI nor GUI alone covers all needs. Welcome to the real world, where we use the appropriate tools for each task.
Re: (Score:3, Informative)
No, they are not equal. The problem is that using GUIs as we know them today, is NOT using a computer. It is instead the same thing as fiddling with an appliance. A static thing. Good luck piping the output of a Firefox menu item to Gimp. Good luck scripting the interface. That’s the real problem. You can’t really. Everything is monolithic static applications. With the rare plug-in exception.
Real work = AUTOMATING
Do you know that saying, that the computer creates the work that you wouldn’t
Re: (Score:3, Insightful)
You can automate a GUI. AppleScript on Mac Classic used to be brilliant for this-- I'm not sure if it's still good or not.
Re: (Score:2)
If your OS only has configuration options in the GUI, then your OS is horribly broken. EVERYTHING should be configurable via CLI. If not, then the people designing it made gigantic mistakes.
Re: (Score:3, Funny)
Welcome to the real world, where we use the appropriate tools for each task.
I painted my house with a hammer you insensitive clod!!!
Re: (Score:2)
Can you provide an example that is applicable to the configuration and maintenance of a server? The only thing I can think of are graphical representations of server usage logs, and honestly those aren't useful enough to warrant having a full graphical desktop installed (and you can just expose them on an internal web page).
The argument is not that the GUI is useless. The argument is that the extra complexity of installing a
Re: (Score:2)
The argument is not that the GUI is useless. The argument is that the extra complexity of installing a GUI stack is not worth the minimal benefits it brings.
On Windows, editing the registry is a PITA using the command line.
For one-off "add this registry item" work, the command line programs are fine, but for doing things like "find all mention of 'C:\Users' and replace it with 'D:\Users'", a graphical registry editor is not just the easiest, but pretty much the only way.
Re: (Score:2)
... seriously, I expect people to not RTFA, but you didn't even read the next sentence. Here it is, because I specifically mentioned exactly what you said:
Basica
Really? (Score:2)
Okay, that's twice in this thread that I've squinted at my monitor and said, "What the fuck?"
Is the bar really so very low on slashdot that saying you prefer a command line gets you +5 insightful? Actually, it clearly is.
We need to be able to moderate something "completely devoid of insight but somehow I connect with this". Or maybe we need "so obvious even a caveman can see it".
Re:GUI is still there for remote desktop and it's (Score:5, Insightful)
Re: (Score:2)
and scriptable far more easily, for repeating later when we're not around...
Re: (Score:2)
Re: (Score:2)
Poor underprivileged kids.... I grew up around Unix. We had a Wyse terminal at home and I had my own login on the Uni mainframe (mom being an administrator had advantages). CLI in a real computing environment, with its near-endless scripting abilities, completely kicks the butt of a GUI.
call me when you can script a GUI as easily as a CLI.
Re: (Score:3, Insightful)
Re: (Score:2)
example fail.
How about, in one operation, finding all the text files on the entire disk, (I'll even let you assume a .txt extension on this one and exclude all files that don't have an extension), must follow a certain naming pattern, and also contain certain keywords inside the file.
Do that with your GUI in less time than it would take me to read the man page to write the regex and then execute the command.
Starting...now!
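One way to meet the challenge in the comment above with nothing but POSIX `find` and `grep`, as an added example that is not code from the thread. It assumes the `.txt` extension the commenter allows, takes the naming pattern as a shell glob, and requires every keyword (matched as a fixed string) to appear in the file; the sample tree built in `demo()` is constructed here for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: find *.txt files whose basename
# matches a glob AND whose contents contain every listed keyword.
# Assumptions: POSIX find/grep; sample files below are constructed.

# find_txt_with_keywords ROOT NAME_GLOB KEYWORD...
# Prints every regular file under ROOT whose basename matches NAME_GLOB and
# ends in .txt, and whose contents contain every KEYWORD.
find_txt_with_keywords() {
    root=$1
    name_glob=$2
    shift 2
    # Two -name tests are ANDed: basename must match the pattern AND end in .txt
    find "$root" -type f -name "$name_glob" -name '*.txt' |
    while IFS= read -r f; do
        ok=1
        for kw in "$@"; do
            # -q: no output, -F: literal string, --: keyword may begin with '-'
            grep -qF -- "$kw" "$f" || { ok=0; break; }
        done
        if [ "$ok" -eq 1 ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Constructed sample tree: only docs/report-1.txt passes all three tests.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/docs/old"
    printf 'alpha beta\n' > "$d/docs/report-1.txt"      # name ok, both keywords
    printf 'alpha only\n' > "$d/docs/old/report-2.txt"  # name ok, missing "beta"
    printf 'alpha beta\n' > "$d/docs/notes.txt"         # wrong naming pattern
    printf 'alpha beta\n' > "$d/docs/report-3.log"      # wrong extension
    find_txt_with_keywords "$d" 'report-*' alpha beta
    rm -rf "$d"
}

demo
```

The loop reads paths line by line, so file names containing a newline are the one input it does not handle; everything else (spaces, leading dashes, deep trees) is covered by the quoting and the `--` separator.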
Re: (Score:2)
also, if you haven't already sorted your files before you need to move them that's your own fault. :p
Re: (Score:2)
I can backup all my documents to an external drive with a simple drag-and-drop. I can't imagine trying to do that with a CLI.
Really? Typing 'rsync -av /home/user /mnt/external' takes longer than drag & drop? How would you do something like backing up all PDFs (and only pdfs) in a tree with a GUI? Does drag & drop recognize when two files are identical and only transfer files that have changed? Can it resume an interrupted transfer without copying the entire thing again? Can drag & drop tran
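The two properties the reply above credits to rsync and denies to drag-and-drop (copy only the PDFs out of a tree while keeping its layout, and skip files whose content is already at the destination) in plain POSIX sh, as an added example that is not code from the thread. It assumes only `find`, `cmp` and `cp`; the sample tree in `demo()` is constructed here. The rsync form the commenter has in mind is given in a comment for comparison.

```shell
#!/bin/sh
# Added example, not code from the thread: mirror only *.pdf from SRC into
# DST, preserving the directory layout and skipping byte-identical files.
# Assumptions: POSIX find/cmp/cp; the sample tree in demo() is constructed.
# The rsync equivalent of this function is roughly
#   rsync -av --include='*/' --include='*.pdf' --exclude='*' SRC/ DST/
# (add --prune-empty-dirs to drop directories that end up with no PDFs).

# backup_pdfs SRC DST
# Prints one "copied <relative path>" line per file actually transferred.
backup_pdfs() {
    src=${1%/}
    dst=${2%/}
    find "$src" -type f -name '*.pdf' |
    while IFS= read -r f; do
        rel=${f#"$src"/}                 # path relative to SRC
        target="$dst/$rel"
        mkdir -p "$(dirname "$target")"
        # cmp -s: silent byte-for-byte comparison; identical content -> skip
        if [ -f "$target" ] && cmp -s "$f" "$target"; then
            continue
        fi
        cp -p "$f" "$target"             # -p keeps mtime and permissions
        printf 'copied %s\n' "$rel"
    done
    return 0
}

# Constructed sample tree: two PDFs and one text file that must be left out.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/src/2010" "$d/dst"
    printf '%%PDF-1.4 a\n' > "$d/src/a.pdf"
    printf '%%PDF-1.4 b\n' > "$d/src/2010/b.pdf"
    printf 'not a pdf\n'   > "$d/src/2010/readme.txt"
    echo "first run:";  backup_pdfs "$d/src" "$d/dst"   # copies both PDFs
    echo "second run:"; backup_pdfs "$d/src" "$d/dst"   # nothing to copy
    rm -rf "$d"
}

demo
```

Running it twice shows the "only changed files" behaviour: the second pass prints nothing. rsync decides the same thing from size and mtime (or checksums with `-c`) rather than a full `cmp`, which is why it stays cheap over a network, but the observable effect is the one the comment describes.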
Re: (Score:3, Insightful)
In my experience, working the way you like is vastly superior to working the way some Internet stranger likes, regardless of the geek cred it'll give you on Slashdot.
Re: (Score:2)
When I can rattle off half a dozen features one has that the other doesn't, it ceases to be a matter of opinion. rsync is just plain better. It's ok for you to use the GUI if that's what you like, but don't go around saying that it's better.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Interesting)
Administering IIS has been a pain in the ass since day 1. Unlike NCSA, Netscape, and Apache servers, you had to point-and-click through a zillion tabs and dialog boxes in IIS to configure and tune the server - or for more advanced tuning, do something even worse: hark back to the day of C= BASIC 2.0 and do the equivalent of PEEK and POKE to the IIS Metabase. Microsoft has FINALLY seen the light and now offers the ability to edit configuration files. This makes things MUCH easier since you can see right in fr
Re: (Score:2)
On a desktop that would be ridiculous.
On a server, on the other hand, everything should be editable from the command line. In my opinion, the installation of a GUI shouldn't even be considered. sftp and ssh are perfectly usable and acceptable for remote access. At no time in the history of a server should a GUI ever consider coming into play. As has been previously stated, you're just introducing more points of failure and vectors for attack when you do so.
Re: (Score:2, Insightful)
GUI is still there for remote desktop and it's easier to configure than CMD only.
That's because Microsoft has a crippled CLI, and yes, that includes PowerShell.
Re: (Score:2)
Re:Idiotic Moderators. (Score:4, Informative)
PowerShell is, by far, one of the best things Microsoft has created on the scripting side. Why? They basically took a shell and enhanced it by making it object-aware and giving it access to .NET. In Microsoft lingo, cmdlets replace Unix utilities.
I am not a fan of the naming conventions they use in PowerShell! It makes it harder to write terse scripts.
Please see
http://w3.linux-magazine.com/issue/78/Bash_vs._Vista_PowerShell.pdf [linux-magazine.com] for a comparison of powershell vs Bash.
http://blog.brandonbloom.name/2009/04/powershell-condemned-to-reinvent.html [brandonbloom.name]
Re: (Score:2)
But a remote desktop shouldn't require any kind of display driver on the host.
Re: (Score:2)
CDD (the affected driver) is for GDI (read: pre-Vista, although quite a lot of current software still uses GDI) applications to display on a display using the Desktop Window Manager. Disable Aero, and you're using XPDM instead of DWM, and it's GDI all the way.
Although I believe the DWM disables itself for remote desktop, anyway.
Re: (Score:2, Insightful)
Re: (Score:3, Insightful)
I don't know that you're wrong in calling Microsoft's approach wrong, or have more than an idea of why you might be wrong, but the fact that everyone else uses the "wrong" approach sets off the BS-meter.
Re: (Score:2)
There was no freely available X server/X client for Windows until recently .....
VNC will work on any graphical system, Windows, X, And most others .... that's the point it is *not* tied to X and so can be universal
The X approach is wrong (for various reasons)
- But X is simple enough that its inadequacies can be worked around
Windows is wrong (for various other reasons)
- But this is Windows so there is no way to work around its inadequacies...
Re: (Score:2)
Why?
Because those that don't know X are doomed to reimplement it poorly, and those that do know X just use X.
Re:GUI is still there for remote desktop and it's (Score:5, Insightful)
I can see that. Perhaps you are a small business and you don't want to train your network admins on CLI tools, so they use the "easier" (read: "requires less training") GUI rather than the faster CLI. Fair enough, not everyone can afford fully-trained network engineers to manage a few small in-house servers.
But, seriously, Aero? Even the least experienced network admin doesn't need to enable Aero to administer the server. It's a waste of CPU and memory resources for something that (hopefully) you spend a few minutes a week on. If you insist on using a GUI to administer your servers, fine, but at least make it the simplest GUI you can use to get your job done.
As GP said, the simpler your interface, the less likely there is to be an exploitable security flaw in it. The more complex you make your remote access capabilities, the more likely it is that someone else can find a vector in to them.
SFTP/SSH exchanges very little data and has very few possible attack vectors. "Classic" GUI has a few more attack vectors and possible failures and exchanges a lot more data, but it adds simplicity for those not comfy with the CLI, so there's a logical trade-off there.
Aero adds a lot more traffic, a lot more complexity, a lot more potential vectors for both failure AND attack, and does not make the GUI any more functional for administrative tasks.
Now, if you're using Server 2008 on your desktop as your daily machine, and you like sexy GUI, OK, I can see Aero being enabled. But there's no reason to enable Aero on an actual server.
Re: (Score:3, Insightful)
I'm not sure if being paranoid is the right step - careful, sure, paranoid - no.
In the end, the goal of IT is to enable its users to be more productive. Sometimes over-paranoid IT guys can make life more difficult for the users; this should be minimized.
All of the Windows Server components are always on-the-disk in Server 2008/R2. IIS on the disk, whether you use it or not. But only when enabling it you'll actually get the services you need for it.
This doesn't hurt. It doesn't compromise security.
Re: (Score:2)
If you are running systems so close that running Aero has an actual practical effect, then you are running underpowered servers.
Personally, I don't think that a server needs a video card with DirectX 3D support, a hardware pixel shader, 32 bits per pixel, etc. If you really, honestly need a GUI to administer a server, a much simpler VGA card will suffice, and will have much more stable drivers.
Once you start turning on 3D effects, you will send a lot more data over the stream for your remote desktop. Maybe not enough to affect your network, but it certainly adds complexity to the whole process.
You have to make decisions for your o
Re: (Score:2)
It does NOT add a 'lot more' traffic, or a 'lot more' complexity.
It adds a minor bit of each.
As we can see, it adds enough complexity to open an additional potential security hole. For what?
Pretty windows on your server.
It's like putting doily [wikipedia.org] drapes in your warehouse: it has no useful effect, yet marginally increases your fire hazard. Should be a no-brainer.
Re: (Score:2)
Does Aero even work if you remote desktop in?
My guess is it drops back down to Basic.
Re: (Score:2)
Bah. I always switch to the classic mode anyway. It updates the screen faster, is more responsive, and seeing as how I grew up with this (see links), I already think it's pretty enough - http://toastytech.com/guis/c64g.html [toastytech.com] http://www.guidebookgallery.org/pics/gui/desktop/full/amigaos10.png [guidebookgallery.org]
Question:
Why does this flaw affect NT 6.1 and 6.2, but not 6.0 (vista)??? And why's the driver called "Canonical"?
Re: (Score:2)
Because it's fugly?
Re: (Score:2)
Right - but Aero is not installed or enabled by default, and drivers that support Aero are not included in the box either. RDP won't show you Aero if it's not available on the system. So out of the box, you get a plain if a bit ugly GUI that a low-end graphics card can handle.
Most servers do not come with a display adapter that supports Aero. I've tried just to see if it was even possible, but the ATI ES1000 that comes standard in my IBM xSeries servers just doesn't cut it :)
So, most of the people using Ser
better yet (Score:5, Funny)
This is why you don't use unnecessary things like Aero (and graphical displays) on servers.
This is why you don't use unnecessary things like Windows Server 2008 R2 on servers.
There. Fixed it for you
Re:Servers (Score:5, Insightful)
Re: (Score:2)
Then don’t use stupid terminal services? Who came up with that crap anyway? You have a decent powerful CPU and graphics system right there on your system. Stop making excuses, and use it.
Re: (Score:2)
I guess you didn't bother checking out this [microsoft.com] or this [microsoft.com].
Re: (Score:2)
You idiot, they were there 10 years ago~
Re: (Score:2)
Amazing. So they only took 30 years to catch up instead of 40! Incredible!
Re: (Score:2)
This is why you don't use unnecessary things like Aero (and graphical displays) on servers.
Why on Earth would you connect a screen (be it CRT or LCD) to a server, in the first place? I cannot think of any reason for doing this, if it is a SERVER.
Re: (Score:2)
Or even worse... (Score:2)
No way! (Score:5, Funny)
Oh, sure, fine... (Score:4, Interesting)
Re: (Score:3, Funny)
Signs of infection include a symbol with quadrants 1 through 4 as green red blue yellow.
Worse yet, (Score:5, Funny)
it might render your porn poorly.
Re: (Score:3, Funny)
it might render your porn poorly.
Or cause you to reboot prematurely.
Re: (Score:2, Funny)
There's an app for that...
Re: (Score:2)
You might become infected just by watching porn.
Re: (Score:3, Funny)
my fellow admirer of the pornographic arts.
It's better to just say "man".
Otherwise we'd end up with heroes called Superfellow-admirer-of-the-pornographic-arts.
I have noticed something related (Score:5, Informative)
It seems there are some flaws in Aero on 64 bit systems.
Re: (Score:3, Informative)
BC2 is probably trying to cache everything into your available video RAM, hence Aero shutting down because it is out of RAM. It does require 128 MB, so perhaps BC2 is trying to utilize the whole 1 GB since it's there.
Re: (Score:2, Informative)
You are correct, lots of games will try to claim all available video RAM when running in fullscreen. It's generally a good idea to turn off Aero when gaming, although it's kind of a hassle. There is a method for apps to request that Aero shut down without the need for user intervention (of all games, Civ IV actually does this) but very few games seem to make use of it.
Re: (Score:3, Informative)
You can just right-click and go to the Compatibility tab and select "disable windows themes". It will turn off Aero automatically.
Re: (Score:2)
Re: (Score:2)
It doesn't if you're running a multi-monitor setup.
Re: (Score:2)
Re: (Score:2)
I'd prefer not launching to what the original Hitman does if you try to run it in windowed mode - it centers itself, meaning it's half on each monitor, and there's no title bar... of course fullscreen doesn't work properly either.
Re: (Score:2)
I have disabled Aero (I think it's ugly) on my gaming system, and I still run into issues related to it. When starting certain games, a "helpful" bubble pops up to tell me Aero has been disabled, but its appearance causes the game to end before it even has finished loading. At least Microsoft is an equal opportunity employer, with all those mentally handicapped developers. "Look at me! I detected a USB device!"
Will a future edition of Windows have a TREAT button for the system to be rewarded whenever it doe
Re: (Score:2)
Yawn, (Score:2, Insightful)
Why do I have the feeling this is overblown? I'm running W2K8R2 x64 as a Workstation OS, it is rock stable, possibly the best OS MS ever produced. Yet I'm sure there are _plenty_ of bugs like this one. Doesn't Microsoft issue bug reports like this every month? Doesn't _any_ OS company produce bug reports like this every month? Why is this one so special? Cause, I'd like to know.
I'm not saying it shouldn't be fixed, reported, or taken care of. I'm not saying Windows is the best OS. OS X can be pwned throug
Re: (Score:3, Insightful)
I think it's special because there haven't been all that many bugs with Windows NT 6.1 OSes (7 and R2). They seem to have fewer security issues than past Windows OSes, and are doing quite well compared to other OSes out.
However, this is Slashdot and the editors do not like Windows at all, as evidenced by the broken Windows logo, the Gates Borg logo and so on. They often go out of their way to find things wrong with Windows to post as front page news. Hence something like this makes the news since there hasn't
There is talk of using GPU computing in them and (Score:2)
There is talk of using GPU computing in them, and will something like this make it easier to hack them?
This has been happening to me for months (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I have paid top-of-the-line antivirus software.
Well then. This is evidently your problem. :)
Re: (Score:2)
Anti-virus software can't do anything about your busted-ass overheating video card. (Which is exactly what you're describing.)
Reminds me of jwz's discussion of toolkits (Score:2)
http://www.jwz.org/xscreensaver/toolkits.html [jwz.org]
My favourite bit (at the moment):
Let's suppose that down in the bowels of some particular version of some particular toolkit library, there lurks a bug. Let's suppose that the nature of this bug is something relatively obscure: say that it's something like, if you hold down 5 keys on the keyboard for 10 seconds then drag the middle mouse button, the text entry widget gets a SEGV. (In fact, I'm not making this up: I saw this very bug once, years ago.)
Now, that's the sort of bug that is not likely to be noticed or fixed, because it's the sort of thing that people "never" do. If that bug was reported against, say, a web browser, nobody would much care: User: "I can crash my web browser by doing this crazy thing!" Developer: "Uh, don't do that then." And that's not a totally unreasonable response.
However, in the context of security software, it matters, because then it's not merely a cute trick that crashes the program: now it's a backdoor password that unlocks the screen.
WinServer? (Score:4, Interesting)
Aero isn't even installed by default with Windows Server 2008 - you have to install it, reboot, and then enable it. That's hardly any attack vector at all IMO.
Windows 7 first thing I did. (Score:2)
After installing it was to disable all of the extra GUI junk in the UI. It now looks like Windows 2000 and runs slightly better too.
Truth be told, if I could replace the GUI with the one from Windows 95 I would, and why do they keep changing how Control Panel looks/works? I would like some freaking consistency.
Re: (Score:2)
why do they keep changing how Control Panel looks/works? I would like some freaking consistency.
The not-so-savvy computer users out there won't notice or care about improvements under the hood. Making visual, easily noticeable changes is about the only way to ensure the average end-user even realizes it's a different OS.
The annoying changes for you and me lead to more sales, in theory, from the layman.
Ring 0 (Score:2)
Is Windows 7 still running the graphics driver in Ring 0? They moved it from Ring 3 (least privileged) to the most privileged mode in NT 4.0 as a performance hack. Still reaping the 'benefits' of that decision today.
Re: (Score:2)
True, driver writers are morons, but still...
Re: (Score:2)
Since Vista, Microsoft have been moving most drivers back into userspace. In Vista and Win7, display drivers are hybrids: they contain a small kernel space (ring 0) driver that handles direct communication with the graphics device (i.e., scheduling DMA operations and such), and a user space (ring 3) driver that does all the heavy work.
That's why, even in the early days of Vista when the drivers were terrible, it didn't actually blue-screen much. You'd get a screen flicker then a message informing you that t
Re: (Score:2)
Is Windows 7 still running the graphics driver in Ring 0? They moved it from Ring 3 (least privileged) to the most privileged mode in NT 4.0 as a performance hack.
Windows Vista and 7 only run a small portion of the video driver in Ring 0... just the part that directly talks to the hardware. The rest runs in the same abstraction layer as the rest of the drivers on the system. That's why Vista and 7 can reboot a crashed video driver most of the time without requiring a reboot.
BTW, NT4? Seriously? Why don't yo
It was a feature (Score:2)
I recall that Microsoft made a huge deal about the new Aero look, back when Windows Vista was released, [microsoft.com] touting it as some kind of major revolution for PC computing (even though it was "just" a GUI.) They even used bullsh*t "hype" language that it would "enable you to manage the windows on your desktop by arranging them in a visually striking yet convenie
Re: (Score:2)
Re: (Score:2)
The point is. Linux has a lot of problems that most people excuse and overlook or blame elsewhere, vs actually trying to fix them. Windows has problems too but even for smaller problems they will get hounded for being such a horrible system. Sure lets discuss windows problems, we should demand that Microsoft keeps their product at high quality, but I am tired of this "well I use Linux so I am so much better off" nonsense. Wow they are two different systems with different code bases and they have diff
Re: (Score:3, Informative)
Well, yes: Because this driver is not vendor specific. It's part of the actual OS itself. When was the last time you saw, say, a huge flaw in the Linux framebuffer, or something like that?
If the vulnerability is caused by the vendor of a chip, or the shoddy documentation of a chip maker: hell yes, blame the third party. In this case... MS can only blame themselves. Their own 'canonical display driver' is shoddy, not a 3rd party chip maker.
Re: (Score:2)
This vulnerability was found in Aero, not in a video driver.
Vulnerabilities have been found in X before, and fixed. This is no different.
Not sure where the anger comes from, but you might consider a nice hot cup of tea and a short break. Cheers.
Re: (Score:2)
XFree86 was even worse.
One day Linux will get a decent stable X server but I won't hold my breath. Thank god for alt-sysrq.
Re: (Score:2)
I won't debate it a lot, but I did like XOrg better than XFree86.
Re: (Score:2)
(. .)
You missed two brackets in your comment.
Re: (Score:2)
You’re thinking of |. .|
Re: (Score:2)
You never know... he might’ve been born back when breast-feeding was more common.
Re: (Score:3, Funny)
Canonical
Could they have released a borked up driver named after the competition so that in time people looking into Ubuntu might recognize the name Canonical and associate it with something that "compromise the stability and security of PCs?"
I think this post demonstrates a new level of paranoia when it comes to Microsoft.
Re: (Score:2)
I think this post demonstrates a new level of paranoia when it comes to Microsoft.
If you choose to name your company by using a word in common usage like canonical, you're bound to get problems at some time, not least because you can't TM it.
Re: (Score:2)
Yeah!
Same reason xWINDOWS is so screwed up, to taint Microsoft! YEAH!!!
Re: (Score:2)
They just get it coming and going don't they?
Microsoft is not releasing information about their bugs, they are trying to hide them.
Microsoft is releasing information about their bugs, why are they doing this, they should not tell us about this and just fix it.
I guess it's true what they say, you can't please everyone.