Microsoft Warns of Windows 7 Graphics Flaw

Barence writes "A flaw with the graphics driver in Windows 7 could compromise the stability and security of PCs, Microsoft has warned. The vulnerability lies in the Windows Canonical Display Driver (cdd.dll) for the 64-bit versions of Windows 7 and Windows Server 2008 R2. Microsoft claims that the flaw could lead to machines rebooting or even allow a hacker to remotely execute code, although it claims either eventuality is improbable. Concerned users are being advised to disable Windows Aero until Microsoft can issue a fix."

Re:GUI is still there for remote desktop and it's

[Anonymous Coward]

GUI is still there for remote desktop and it's easier to configure then CMD only.

That's because Microsoft has a crippled CLI, and yes, that included Powershell..

Yawn,

[Massacrifice]

Why do I have the feeling this is overblown? I'm running W2K8R2 x64 as a Workstation OS, it is rock stable, possibly the best OS MS ever produced. Yet I'm sure there are _plenty_ of bugs like this one. Doesn't Microsoft issue bug reports like this every month? Doesn't _any_ OS company produce bug reports like this every month? Why is this one so special? Cause, I'd like to know.

I'm not saying it's should'nt be fixed, reported, or taken care of. I'm not saying Windows is the best OS. OS X can be pwned through the WiFi drivers. I'm sure can Unbuntu can be hacked in many ways too. When OpenBSD gets cracked, then it'll be frontpage material. Until then, keep the real news rolling.

Re:Servers

[gotpaint32]

Its called Windows 2008 Server Core and Powershell. But theres a time and place for everything, try running terminal services from a box with no GUI, I'm sure your users would be very happy with just greenscreen access.

Re:GUI is still there for remote desktop and it's

[flyingfsck]

Well, that is the point where Microsoft copied X Windows wrongly. There is no need to run the windowing GUI on the remote machine if the local machine is already running a windowing GUI.

Re:GUI is still there for remote desktop and it's

[natehoy]

I can see that. Perhaps you are a small business and you don't want to train your network admins on CLI tools, so they use the "easier" (read: "requires less training") GUI rather than the faster CLI. Fair enough, not everyone can afford fully-trained network engineers to manage a few small in-house servers.

But, seriously, Aero? Even the least experienced network admin doesn't need to enable Aero to administer the server. It's a waste of CPU and memory resources for something that (hopefully) you spend a few minutes a week on. If you insist on using a GUI to administer your servers, fine, but at least make it the simplest GUI you can use to get your job done.

As GP said, the simpler your interface, the less likely there is to be an exploitable security flaw in it. The more complex you make your remote access capabilities, the more likely it is that someone else can find a vector in to them.

SFTP/SSH exchanges very little data and has very few possible attack vectors. "Classic" GUI has a few more attack vectors and possible failures and exchanges a lot more data, but it adds simplicity for those not comfy with the CLI, so there's a logical trade-off there.

Aero adds a lot more traffic, a lot more complexity, a lot more potential vectors for both failure AND attack, and does not make the GUI any more functional for administrative tasks.

Now, if you're using Server 2008 on your desktop as your daily machine, and you like sexy GUI, OK, I can see Aero being enabled. But there's no reason to enable Aero on an actual server.

Re:GUI is still there for remote desktop and it's

[DarkKnightRadick]

I didn't grow up around DOS and still prefer a command line to a GUI for getting real work done.

Re:Yawn,

[Sycraft-fu]

I think it's special because there haven't been all that many bugs with Windows NT 6.1 OSes (7 and R2). They seem to have less security issues than past Windows OSes, and are doing quite well compared to other OSes out.

However, this is Slashdot and the editors do not like Windows at all as evidenced by the broken Windows logo the Gates Borg logo and so on. They often go out of their way to find things wrong with Windows to post as front page news. Hence something like this makes the news since there hasn't been a whole lot of issues in Windows to report on. I mean note that they also had a story on an attack that could possibly allow you to fool an AV program, if you were already running code on the system and could determine on which core you ran on and did very precise timings (never mind that with code running on the system you could just turn the AV off).

Just standard fare for Slashdot. You see lots and lots of stories on Windows bugs, even when said bug is very trivial. However you only see a story on a Linux vulnerability if it is something extremely critical, like a 0 day that affects a lot of systems. Otherwise, there's little to nothing.

They are reporting the news that generally conforms to their idea of how things ought to be. Happens a lot, unfortunately.

Re:GUI is still there for remote desktop and it's

[Mascot]

CLI does have its uses. There are things it offers that no GUI can, and vice versa.

But claiming you need it for "real work" is like claiming you need a printing press to print a sheet of paper with "real text" on it. Both are equally ridiculous statements.

For most work environments, neither CLI nor GUI alone covers all needs. Welcome to the real world, where we use the appropriate tools for each task.

Re:GUI is still there for remote desktop and it's

[psbrogna]

While you might not be able to imagine it, those who do know how to perform an administrative task both from a terminal and from a GUI often find that doing it from the terminal is more efficient and more reliable.

Re:GUI is still there for remote desktop and it's

[kestasjk]

If there's no need to do it why is X Windows the only windowing system that does it? Why does VNC/somethingX (the new one) exist for X Windows when X servers are available on all platforms?

I don't know that you're wrong in calling Microsoft's approach wrong, or have more than an idea of why you might be wrong, but the fact that everyone else uses the "wrong" approach sets off the BS-meter.

Re:GUI is still there for remote desktop and it's

[lukas84]

I'm not sure if being paranoid is the right step - careful, sure, paranoid - no.

In the end, the goal of IT is to enable it's users to be more productive. Sometimes overparanoid IT guys can make life more difficult for the Users - this should be minimized.

All of the Windows Server components are always on-the-disk in Server 2008/R2. IIS on the disk, whether you use it or not. But only when enabling it you'll actually get the services you need for it.

This doesn't hurt. It doesn't compromise security.

Re:GUI is still there for remote desktop and it's

[The End Of Days]

In my experience, working the way you like is vastly superior to working the way some Internet stranger likes, regardless of the geek cred it'll give you on Slashdot.

Re:GUI is still there for remote desktop and it's

[LinuxAndLube]

From the 20 pictures, copy only those that feature my dog. Start scripting... now!

Re:GUI is still there for remote desktop and it's

[Blakey Rat]

You can automate a GUI. AppleScript on Mac Classic used to be brilliant for this-- I'm not sure if it's still good or not.

but it does compromise disk space

[RzTen1]

Since a standard 2003 install can live pretty happily with a 10GB system drive, but a 2008 install needs over 30GB to function.