Slashdot Log In
GDI Vulnerabilities: An Open Letter to Microsoft
Posted by
michael
on Mon Sep 27, 2004 01:34 PM
from the your-call-is-important-to-them dept.
from the your-call-is-important-to-them dept.
UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open
letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' Like Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLL's installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."
This discussion has been archived.
No new comments can be posted.
GDI Vulnerabilities: An Open Letter to Microsoft
|
Log In/Create an Account
| Top
| 444 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Hate to quote a quote but... (Score:5, Funny)
(http://diginux.net/)
Re:Hate to quote a quote but... (Score:4, Funny)
(http://www.shaunmanning.com/)
Re:Rules for this story (Score:5, Insightful)
(Last Journal: Sunday November 12 2006, @07:08PM)
Beyond that, if I find out that my Windows version of "The Gimp" is also vulnerable, I know enough to go to the author of that program and find a patch.
If, on the other hand, 'The Gimp' told me that GTK may be vulnerable, and the 'GTK' folks told me that 'The Gimp' may be vulnerable, I would surely be the first person to stand up and write a singularly upset letter to those projects.
On the other hand, I didn't pay $199 per copy of "The Gimp" and, as a condition of my use of said software, it clearly tells me that I am free to modify the code to my liking. Thus, I don't feel that "The Gimp" and the "GTK" projects owe me merchantability. Microsoft (on the other hand) I do feel owes me - at least - merchantability to perform as advertised...
So long as Microsoft can fix the issues that are theirs (as opposed to point me in a circle), I have no qualms with spending more of my fine earned money to them for a really nice gaming OS.
Re:Hate to quote a quote but... (Score:5, Interesting)
Please back up your assertion that this is "bordering" on criminally neglient.
Do you claim there are some laws regarding network security that are applicable, or this just a verbal flourish gone one step to far.
Re:Hate to quote a quote but... (Score:4, Insightful)
Analogy: there's a part of your car which could explode at anytime. It's been a long-standing part of your car. This part can manifest itself in different sections of the car or in different accesories added to your car. You which might be able to track down the part(s) if you are an adequate mechanic and you've kept track on where the parts have been put.
You go back to the manufacturer who says, "Well, we can tell you if you have the part, but we're not sure where on the car, or how many different parts of the car, but you should really get the parts replaced or else the car will blow up".
Re:Hate to quote a quote but... (Score:5, Funny)
(http://www.brianosaurus.org/)
You take their word for it, put your car in the shop, then when you go pick it up, the mechanic tells you "OK. We did something, but we won't tell you what we did, and your car may still blow up."
But that still doesn't answer the grandparent post's question of whether there is an actual law... Not that it matters, but its hard to take MS's focus on security seriously when their patching tools won't tell you whether or not you are vulnerable (just that you MAY be vulnerable). How is Microsoft's scanner any better than the code below? (and mine works cross-platform, too!)
Re:Hate to quote a quote but... (Score:5, Funny)
(http://www.kabewm.com/)
Your right, it is cross platform
$ uname -a
Linux totoro 2.4.21-20.ELsmp #1 SMP Thu Sep 2 17:07:30 PDT 2004 i686 i686 i386 GNU/Linux
$
Scanning for vulnerabilites...
Your computer may be vulnerable. Please update.
Yikes, I'll be back, gotta update my system . . .
Re:Hate to quote a quote but... (Score:5, Funny)
Re:Hate to quote a quote but... (Score:5, Informative)
Re:Hate to quote a quote but... (Score:5, Informative)
(http://www.littleblur.com/ | Last Journal: Wednesday June 27, @07:32PM)
Re:Hate to quote a quote but... (Score:4, Insightful)
I see. The tool wasn't designed for use. They just made it available for download so we could all see what a tool would look like if one were available.
Re:Hate to quote a quote but... (Score:5, Informative)
(http://sententia.org/)
So it gets worse, _then_ it is useless?
So far, everyone else responding seemed to have missed your point. The article correctly uses "worse than usless". It is the submitter and/or our ever so thorough Slashdot editors to blame for the "worse then useless" grammar mistake.
And for all of you that missed the grammar mistake and are debating the meaning of "worse than useless", yes, things can be worse than useless. Things can be harmful. They can cause additional harm or frustration, as opposed to a useless item which just does not do anything useful.
Re:Hate to quote a quote but... (Score:5, Funny)
(Last Journal: Friday February 28 2003, @03:28PM)
er, (Score:3, Insightful)
Re:er, (Score:5, Informative)
(http://www.howtobeinvisible.com/ | Last Journal: Thursday October 04, @07:42AM)
Likely no master list (Score:5, Informative)
But, I'll bet that MS gives developers permission to distribute these with Visual Studio, which would mean there is no way that MS has a master list--moreover, much of the software may be for internal applications and the developer is long gone.
So, any VB program that does image manipulation may be poetentially vulnerable.
Re:Likely no master list (Score:5, Informative)
Its worse than that, the DLL in question is distributed (with permission to redistribute) in the free Platform SDK download.
So, any VB program that does image manipulation may be poetentially vulnerable.
I've used the DLL in question from C++ and Java/JNI programs before now. _Anything_ might be vulnerable. Check for "GDIPLUS.DLL" in your applications' install directories. Or use the tool linked from the article.
Re:er, (Score:5, Insightful)
Kinda silly eh?
Of course 3rd party apps might have exploits. It's up to those 3rd party vendors to supply patches. Even if the code is originally based on MS code, the 3rd party vendor may have modified it in any variety of ways and MS has no idea if those will be dangerous versions or not. MS has identified the bad code, the 3rd party vendors have been notified about it. It's up to them to tell you if their version is bad or not, and patch their software.
RULES OF SLASHDOT (Score:4, Funny)
Re:er, (Score:5, Insightful)
If Linus wrote the code, and told the application authors that they were only allowed to use it by accessing a
Of course, nobody behaves like this in the Linux world. Shared libraries are installed to
Re:er, (Score:4, Insightful)
(http://www.pjrc.com/ | Last Journal: Thursday June 27 2002, @04:31PM)
I believe you missed the zlib buffer overflow, which turned out to be staticly linked into many applications, as well as in the shared library.
Yeah, not quite the same, since static linking is different (perhaps worse) than having lots of copies of the DLL in different directories, as far as updating is concerned. Also, a different situation because developers had the option to link the way they wanted.
But to say this sort of thing never happens in the "linux world" and that all library security bugs are easily cured for all apps by updating the shared libs neglects some really unfortunate occurances like the zlib buffer overflow.
Re:er, (Score:4, Insightful)
Re:er, (Score:5, Informative)
(http://slashdot.org/)
While Microsoft isn't responsible for 3rd party DLLs, this is a different situation. They are partially responsible, and if they were interested in making the client systems secure they would handle things differently for what is really a simple file update.
Reasons: They designed a system that requires 3rd parties to distribute DLLs that Microsoft created. If the DLLs were set in a well organized location, the updates of the system DLLs would automatically 'fix' the other programs. Versioning -- something that Windows DLLs support and programs can take advantage of -- would handle compatability issues that are not directly incompatable with this fix.
Good try (Score:1)
In case it gets Slashdotted.... (Score:3, Informative)
Handlers Diary September 26th 2004
Updated September 27th 2004 13:11 UTC (Handler: Tom Liston)
GDI Vulnerabilities : An open letter to Microsoft
GDI Vulnerabilities: An open letter to Microsoft
Dear Redmond Folks:
When I was but a wee lad, we lived in a rather large, old house that had, among other charming qualities, a basement that would make even the bravest soul think twice before venturing downstairs. It was cavernous, ill lit, and, quite frankly, always smelled a little funny. My older brother, as older brothers are wont to do, would tell me fantastic stories about why the basement had that odor; generally centering on some unfortunate past resident's demise. I hated that basement.
My parents, in a vain attempt to rid the basement of its malodorous "twang" purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.
And, no matter how many times I begged, bribed and pleaded with my older brother, he would somehow know when I was making my daily trek to the basement and, as I was down there trying to pull the heavy bucket out of the dehumidifier, the lights would suddenly snap off, the basement door would slam shut, and I would hear my older brother's voice wafting down from above: "It's cooooooooming..... It's cooooooooming to get you......."
And there I stood: alone in the dark, unknown terrors approaching, armed only with a bucket of water.
Which is, curiously enough, almost exactly the position that Windows users find themselves in today: alone in the dark, unknown terrors approaching, but in their case, having a bucket of water would be an improvement.
MS04-028 is, perhaps, the epitome of bad technical writing -- the literary equivalent of spaghetti code. I've read through it far too many times, and I still understand far too little.
Your "GDI Scanning Tool" is worse than useless. Run it, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Go to Windows Update and update everything you can find. Go to Office Update and do the same. Run the scanner again, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Lather, rinse, repeat.
[Which is why the ISC has made GDIScan.exe and GDICLScan.exe available. See http://isc.sans.org/gdiscan.php for details.]
What about those old gdiplus.dll files that we're all finding in our Side-By-Side DLL directories? Are they a problem? Why are you updating sxs.dll? Is there vulnerable code in there, or did you just rig it to avoid using the bad code in older versions of gdiplus.dll? (Hey, if you had asked me years ago, I would have told you that this was a serious problem with your Side-By-Side implementation.)
When a third party vendor wants to distribute a Microsoft DLL with their product, don't they have to get permission from you? Wouldn't there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll? Can you tell us what they are?
Please stop treating your customers like idiots and give us information; information that we can use.
In other words: Turn on the lights and open the door. We're ready to come back upstairs now.
-TL
Handler on Duty : Tom Liston ( http://www.labreatechnologies.com )
Re:In case it gets Slashdotted.... (Score:5, Funny)
(http://pitabred.dyndns.org/)
Dear Tom (Score:5, Funny)
Bill
Disabled this tool in SUS (Score:4, Informative)
Dosn't know any better. (Score:2, Funny)
I'm afraid that Microsoft dosn't know any better, they can't give you what they don't have.
It's actually a tough job even on Linux (Score:5, Insightful)
You don't even need third-party stuff or an application to make it hard under Linux. Typical cycle is: kernel version x comes out in March. It's in a Red Hat release in July. Vulnerability found in September, with an immediate release of version x+1 on kernel.org (which also has a lot of changed/evolved drivers etc.) Red Hat back-patches the fix to version x and makes a new funny version number to signify this. They might include a couple other things from x+1 in the back-patch to version x. Except that the funny redhat version number doesn't signify much to anyone on the surface.
Similar things happen for Red Hat (and other branded linux binary distributions) of Apache, SSL, etc., things that are all quite critical and you'd hope would be crystal-clear as to which patches your version has or doesn't have.
Now finding whether version X of a library or application has a vulnerability patched usually isn't too hard. And Red Hat does a pretty good job of keeping on top, way better than say Microsoft.
Disclaimer: I'm no fan of Microsoft, but I'm not a big fan of Red Hat (or, as I prefer, Head Rat) either (or any binary linux/gnu toolchain/popular application distro for that matter).
Nero? (Score:4, Informative)
(Last Journal: Saturday October 26 2002, @11:59PM)
C:\Program Files\Ahead\Nero Toolkit\gdiplus.dll
Version: 5.1.3097.0 -- Vulnerable version
Security is Microsoft's number 1 priority... (Score:2, Funny)
Dear Tom (Score:1, Interesting)
Next time, less cutesiness and more explaining what the fucking point is.
HTL. HAND.
Like We're Not Idiots? (Score:5, Insightful)
(http://millionnumbers.com/)
Yes, the slashdot crowd and others might do well to receive more information regarding vulnerabilities and fixes for them, but the average user would be overwhelmed.
I once mentioned to a gentleman that the standard encryption on an 802.11b WAP wasn't entirely secure and he panicked. He asked if hackers would steal his credit card and social security numbers. I asked if he ever shopped online or transmitted those numbers across the internet to which he replied emphatically no (he didn't even store them on his computer for that matter). He still did not understand that a "hacker" can not steal his information from a WAP if it was never there in the first place. He promptly switched to using a ethernet based network.
Most people are too stupid to be told even the fisrt thing about security. Better a patch is provided that works and they use it. Seeing as how the patch was not complete in this case, that'd differenty, yet the users should still be treated like morons.
Re:Like We're Not Idiots? (Score:5, Insightful)
(http://conceptjunkie.blogspot.com/ | Last Journal: Monday August 25 2003, @10:22PM)
So really, the tool doesn't serve anyone well.
Re:Like We're Not Idiots? (Score:5, Insightful)
That's a little harsh especially considering your example. You can, of course, be a very smart person and not know much about wireless networking. That "gentleman" could be, for example, the lead scientist in a bio research project and if he asked you a question about something he had detailed knowledge of and you didn't know the answer he, too, could conclude most people are idiots.
The world is full of technology that no one person can, or has the time, to absorb it all.
Re:Like We're Not Idiots? (Score:5, Insightful)
(http://slashdot.org/)
Everyone's an idiot in a field they know little or nothing about. Computer users want their machines to work; they don't want to know how they work, and why should they? You regularly use devices, or the products of devices, that you can't even begin to describe the manner in which they function, yet I don't see engineers or factory workers or mechanics standing up and calling you an idiot for not knowing how these things work, or for not wanting to learn how these things work.
Computers don't get a special exemption to this rule. They're just tools like any other tool, nothing more.
Max
Other ways (Score:5, Insightful)
Why not write a technically detailed letter about the code you find (since he read it so many times) and perhaps offer some constructive alternatives to improve it?
Not only would it be more interesting to read, but they might actually be more willing to consider it.
Re:Other ways (Score:4, Insightful)
However, I would argue that the guys point wasn't to garner browny points with geeks as much as to get the frustration off his chest AND get geeks to recognize once again the flaws in MS's security protocols.
Furthermore it isn't a "cheap pot-shot". He's venting, he's not bootlicking. He's saying "for crying out loud, you guys have Billions of dollars, resources up the wazoo and you can't get it right, damn I'm mad and I'm going to vent(but I'm going to be humorous in doing so)!" Haven't you EVER felt that way. The beauty of the web is that he can post that and hopefully feel better about it.
So, your right, this isn't for MS, it's for the masses, including the press and geeks who might read it, giggle a bit, and maybe as a group hold MS's feet to the fire on this.
How old is this guy? (Score:2, Funny)
I second that "information we can use" point (Score:5, Insightful)
(http://slashdot.org/~Asprin | Last Journal: Wednesday November 05 2003, @03:24PM)
I spent about 45 minutes reading docs at MSDN/MSKB trying to find an explicit statement that IE6SP1 on Win98 is vulnerable, and I swear that they don't actually state that fact (explicitly) anywhere! I eventually was able to read between the lines and conclude that Win98 isn't vulnerable, but Win98 + IE6 is, so you should run Windows Update to DL the patch.
Am I certain? No. Like I said, it's very difficult to find answers to very simple questions in their docs sometimes. I especially hate reading their security bulletins because it's like they were written by very technical lawyers who are trying to maintain the illusion of releasing information without actually doing so. As often as is possible, I try wait a day or two for the DHS CERT [us-cert.gov] to issue their bulletins because they do a slightly better job of relaying useful information.
No Warranty Implied (Score:5, Funny)
His letter might as well read:
Re:No Warranty Implied (Score:5, Insightful)
(http://--/ | Last Journal: Monday December 09 2002, @05:12PM)
i don't think so.
well, maybe he'll give you your money back!
Either way you choose... (Score:3, Insightful)
(Last Journal: Thursday December 11 2003, @11:03AM)
Another problem, though, may have something to do with the audience. Trying to be "all things to all people" (including less-than-clueful admins), it is likely that they decided to "dumb down" the announcement, in short proclaiming that your computer "may be vulnerable". Some could argue that it is language of FUD, but I would say that they are trying to impress on as many people as possible that this is not just another "critical" update. This one is really, really critical.
The GDIscan tool worked fine for me. (Score:3, Interesting)
(http://www.lazylightning.org/)
So I go over there and download/install the updates. The only problem I saw with it was that I had to supply my Office CDs during the install (and it warned that might include a key -- luckily I had both in close proximity). If MSFT fucks up I shouldn't be the one that has to produce the CDs/Key to fix it. MSFT should happily go about the update without needing either of those two things. They shouldn't be allowed to check for piracy during a security fix.
That's at least how I saw it.
So I was all patched up according to the Windows Update and the Office Update sites and I figured I was done. Maybe I was too smart for my own good?
This whole open letter business (Score:5, Funny)
Also vulnerable from Microsoft... (Score:3, Informative)
humidifier (Score:5, Funny)
Uh, an extension cord perhaps?
Full text of TFA: (Score:1, Informative)
In "How not to write an open letter 101"... (Score:4, Insightful)
Don't get me wrong, the letter itself was justified, and the author is right about the tool by microsoft I'm sure. But why is that story in there, to make sure that someone at Microsoft doesn't actually read it?
NEWS FLASH!! (Score:2, Funny)
int main(){
printf("Hello World!");
}
Microsoft recommends heading over the windows update to patch this flaw.
What I want to know is... (Score:5, Interesting)
(http://roelschroeven.net/)
Re:What I want to know is... (Score:4, Informative)
(http://slashdot.org/)
F--- that (Score:2, Interesting)
Not to mention that their client scanner for the Windows vulnerability didn't even correctly identify vulnerable machines until several days AFTER the initial patch was release.
This was a badly handled security update, even by Microsoft standards. I think Microsoft should start focusing at least SOME of their efforts on some sort of security initiative or something.
This is NOT just a Microsoft bug! (Score:5, Insightful)
(http://www.cs.stanford.edu/~mwang/ | Last Journal: Saturday January 25 2003, @07:55PM)
Indeed, Netscape, which also uses that code for its JPEG decoding had that flaw (but it was fixed earlier, and of course, it did not make the news nearly as much as this Microsoft issue, owing to its much smaller market share.)
http://www.openwall.com/advisories/OW-002-netscape -jpeg/ [openwall.com]
pissing in the wind (Score:2, Funny)
Internet Explorer DLL's (Score:1)
(http://onedittyaday.com/ | Last Journal: Friday October 03 2003, @09:21AM)
However I'm still looking for a site that can direct me on how to delete the malicious DLL's that are loaded up with IExplore. Anyone have any tips?
Should have used libjpeg! (Score:2)
(Last Journal: Friday July 04 2003, @03:37PM)
Let's talk basements... (Score:2, Interesting)
Is this a Microsoft first? (Score:4, Funny)
I wrote a letter to Gill G "Unit" Gates (Score:2, Funny)
Abridged for the Slashdeft impaired (Score:2)
(http://homepage.mac.com/ryanrafferty/)
Dumb Question (Score:5, Interesting)
(http://ewhac.best.vwh.net/ | Last Journal: Saturday August 18 2001, @10:28PM)
I have a dumb question. I admit it's a dumb question, because I've spent the last twenty years of my career working with non-Microsoft operating systems and products. The answer may be obvious to someone with that kind of experience, but not to me. So here goes:
Why the hell are there multiple copies of the same, critical, shared system library floating around on the machine?
See, where I come from, you have one copy of shared system libraries -- the latest one, with all the latest patches. This library is fully backward-compatible with all its predecessors. Further, the shared system libraries are all in the same place, so you know where to go looking to drop in updates or, if needs be, regressions. (On very, very rare occasions, there'll be a copy of a specific version living alongside the (by definition, broken) application that needs it.) This approach leads to clean system maintenance and ensures that all applications are using the same, up-to-date, best performance, most secure version of the system libraries.
So why is Windows different? Why are there a zillion copies of GDI+ laying around? And why would you want it that way?
Schwab
Re:Dumb Question (Score:5, Informative)
So, to stop the headache, we started putting system DLLs locally, thanks to the path priority built into Windows - it always checks local folders first. And it worked, most of the time. If you asked for a DLL by name and another app was using an incompatible version, you would get still the stinky one. But, if you were first to the call then you knew you would get yours.
But, the trend had taken root and like any good weed it is hard to get rid of.
I don't even think this tool is checking for the other sneaky developer trick of renaming the DLLs, either to hide the fact that it's not licensed or other legal yet obscure reasons.
Why not offer a common jpeg DLL? (Score:5, Insightful)
(http://www.doofus.org/)
Fixing a problem like this in Linux is trivial. Only libjpeg needs to be patched, and automagically, all apps that depend on that library are also rendered invulnerable.
We saw this with png and other shared libraries. Also, offering many of these common libraries as DLLs helps reduce code bloat since every app no longer needs to reinvent the wheel.
I know I'm not the first to think... (Score:2)
kulakovich
So how do I repair? (Score:2)
And at a fundamental issue, why does my system need multiple copies of this gdiplus library? Isn't the whole purpose of DSOs to avoid needing multiple copies?
Hi Tom... (Score:2)
I remember back in the day when I used to rat-race CAT's just for jollies and hack on CP/M systems for the money. Those were good times.
But, frankly, as I have aged, a couple of things have come up: one, I know have a helluva' property-tax to get out of...er... pay, yeah, pay. And you think we can send all those poor kids in Africa medicine with cheap software? No sir, buckeroo, it requires a lot of dough.
As for treating our customers "like idiots", I take umbrage at the remark. We treat everyone exactly the same. No favoritism. Except for Michael.
We have responded to the problem. After all, we have said security is job #1. Well, actually, we said profits, didn't we? Okay, let's call it job #2. Or maybe #3? We can't forget all those poor African children. Or do you have something against African children, now?
Again, I hope for the best for you. Perhaps this is merely a subject you and I can agree to disagree.
Your pal,
Bill
Vulnerable program thread (Score:1)
C:\Program Files\RecordNow!\gdiplus.dll
Version: 5.1.3097.0 -- Vulnerable version
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus
Version: 5.1.3097.0 -- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus
Version: 5.1.3101.0 -- Possibly vulnerable (Windows Side-By-Side DLL)
TiVo Software uses gdiplus.dll (Score:3, Informative)
(http://aqfl.net/ | Last Journal: Wednesday July 09 2003, @01:16AM)
Stop Whining (Score:3, Funny)
(http://slashdot.org/ | Last Journal: Wednesday October 23 2002, @05:38PM)
and just buy your standard Windows GDI implementation from a different vendor that is more responsive to your needs and more willing to negotiate and work with you on cost discounts for flaws in their product.
I mean, isn't that what you're supposed to do when a supplier feeds you something substandard?
That letter... (Score:1)
(http://appliedkungfu.com/)
An Expert (Score:1)
(http://devintorres.com/ | Last Journal: Saturday May 14 2005, @05:11PM)
the answer (Score:2)
Course, that then results in dll hell because breaks with the new version which is why they shipped the old version in their app folder in the first place
Talk about worse than worthless... (Score:2)
(http://www.wou.edu/~spowell)
Let's write a completely nonpolitic letter to Microsoft and see if they respond.
Hello? The way to change things is to convince MS that their policies are incorrect, not blaspheme and curse at them. They'll just ignore such letters as hatemail, the same way you or I would.
Knowing is half the battle (Score:1)
(http://www.pjkix.com/)
So now I run this scanner which actually tells me what files may be vulnerable, fantastic! Knowing is half the battle, but now what about the other half like actually fixing the problem?
How do I patch these files? Can I just copy over all affected gdiplus.dll's with good ones? What about the other files it detectes? Do I need to get patches? if so where from? each software manufacturer? If these all came from MS can't they just patch them all and not a few here and there ?
So in the meantime should I just avoid all jpg's and just duck and cover or what?
Bleeping Computer has a tutorial on this app (Score:1)
Get Serious (Score:1)
When a third party vendor wants to ... (Score:1)
No.
"Wouldn't there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll?"
No.
"Can you tell us what they are?"
You tell me....
OK, so Dreamweaver is vulnerable... WTF DO I DO?! (Score:1)
Re:Yeah, right. (Score:5, Informative)
(http://pitabred.dyndns.org/)
Re:But Microsoft customers are idiots (Score:4, Funny)
Re:Yes, Microsoft can fix everybody's code! (Score:1, Informative)
RTFA!
Re:Yes, Microsoft can fix everybody's code! (Score:4, Insightful)
(http://www.calumny.demon.co.uk/)
"My home-built kit car has a Ford engine. There's a problem with the engine. Ford needs to fix it"
Re:Yes, Microsoft can fix everybody's code! (Score:4, Insightful)
(http://www.geocities.com/shenobi_us | Last Journal: Thursday October 19 2006, @01:24PM)
For a better analogy, Microsoft is refusing to pay Child Support for its bastard child.
MS needs to warn developers (Score:5, Interesting)
No, MS should not be responsible for fixing code that third parties distributed using their code libraries. Just as no F/OSS code library project should be resonsible for trackind down anyone who might have used their code library.
However, MS should do a better job of making it clear to third party developers that the DLL may be included in their project (often without the knowledge of the project. Visual Studio does a great job of hiding the relevant DLLs that get loaded into a project.) None of the MS advisories on this that I have seen have included any recommendation to developers or consumers that they need to take additional steps after patching their system.
MS should, though, have produced the tool that Tom Liston did. His scanner is 7k. Surely MS could have come up with something like that--and if you run Tom's GDI scanner, you'll note some places where it identifies possible problems. MS would be in a much better position to be know if that is the case and thus able to provide better information.
So, I disagree with what you are faulting MS for, but not the fact that MS should be faulted.
Re:An open letter to Tom Liston (Score:1)
(http://slashdot.org/)
Re:Yes, Microsoft can fix everybody's code! (Score:2)
You might if it was a Harley manufactured component that was failing.
Or, more accurately, if you have a Ford car which you've installed a Kenwood stereo in, but that stereo uses a special Ford component to integrate with the car; then if that component failed, who would you expect to fix it?
Re:Wrong quote (Score:2, Funny)
I think "learn how to cut-n-paste" would be the appropriate admonition.
Re:Don't go for pretty software (Score:4, Insightful)
Re:Don't go for pretty software (Score:1)
(http://www.arctangent.net/~formatc/)
Re:what is the work around? (Score:2)
One word.
Guess which word.