Security Vulnerabilities Discovered in WinXP SP2 343
SoTuA writes "Few months after SP2 hit windowsupdate.com, Finjan Software reports that security flaws have been found in WinXP SP2, including malicous code execution without user intervention. Finjian has turned over the findings, along with proof-of-concept, to Microsoft."
Well, users can... (Score:5, Funny)
Oh... wait...
Re:Well, users can... (Score:2)
hell, i'd love to be able to do even that.
my windows machine at work cannot be upgraded to SP2, since we have pretty conclusively determined that a piece of software/hardware that is critical to my job cannot be used with sp2 (Agilent LogicWave logic analyser + XP-SP2 = instant crash). so now mine (and most others in the office) windows machines are no longer able to keep up with windows patches and do our jobs at the same time, and the exploits keep coming out on schedule.
Re:Well, users can... (Score:3, Insightful)
Re:Well, users can... (Score:2, Insightful)
If you must run unpatched and connected... (Score:4, Insightful)
Start with MSIE and MS Outlook, then MS-Office (replace them with FireFox [mozilla.org], ThunderBird [mozilla.org] and OpenOffice [openoffice.org], respectively). Really dig in and make sure every trace of them has been removed [litepc.com], don't stop at believing what the MS uninstaller tells you about MS Outlook.
Don't offer any shares, even to the LAN (get people to dump stuff elsewhere on the LAN and you pick it up from there), connect to the minimum number of shares (zero if possible) and for the shortest reasonable time.
Run a good firewall [diamondcs.com.au].
Pray a lot.
One more option: if you have a modern Linux box around, throw LogicWave at WINE on that and see how far it gets. If it doesn't work outright, maybe you can hack up an interface to the actual analyser in WINE. That'd be a lot of effort for one workstation, but if you have 20 or so it might be worthwhile.
Not supprising (Score:2, Insightful)
Re:Not supprising (Score:5, Insightful)
Re:Not supprising (Score:5, Interesting)
Re:Not supprising (Score:2)
Well, consider this the "ping" waiting for the "pong".
Anyone at Microsoft awake?
Found Before Exploited? (Score:3, Insightful)
THOSE are the scary ones..
Re:Not supprising (Score:2)
See items described as "delivers a number of security enhancements and is recommended for all Macintosh users [apple.com]".
Sometimes people single out a certain kid in the playground because of jealousy. Microsoft's not in the "in group" here for obvious reasons. But c'mon, let's pick our fights fairly.
Re:Not supprising (Score:2)
Of course there don't seem to be any more of these on the security charts for Apple right now, however such security flaws come and go amongst the various OS's (moreso on Windows it seems). I cannot guarantee OSX or any other UNIx-like OS will not be on the charts again in the future with a browser problem. As far as ownin
Re:Not supprising (Score:5, Insightful)
Re:Not supprising (Score:5, Insightful)
Re:Not supprising (Score:3, Funny)
IE makes it easy (Score:3, Funny)
Re:Not supprising (Score:2)
That said, I'll just throw out there that Microsoft vulnerabilities are as a rule much more plentiful, severe, and easily exploited than those found in Linux. Even more so for the BSD's. This is fact.
Re:Not supprising (Score:5, Insightful)
"Please step away from the gun, you are not authorized to use it."
Re:Not supprising (Score:2)
Only one is needed for a breach to occur. When security is concerned, majority does not rule. Numbers play differently.
"Please step away from the gun, you are not authorized to use it."
Okay, so you can play with the Linux gun, but the guy before you cannot. However now YOU may
"Please step away from the security gun." Thanks.
Re:Not supprising (Score:2)
Gaim is NOT integrated into the OS.
I did not refer to Gaim, but I would include the apparent more severe issues spoken about in the
Re:Not supprising (Score:5, Insightful)
Re:Not supprising (Score:2)
A number of the items you called applications are infact "libraries" which are used by applications and are quite fundamental to making your application work and making your computer useful.
What i mean is Xfree86 a GUI, CUPS - printing, libxml2, kdelibs, libtiff
Re:Not supprising (Score:4, Informative)
Everytime I have to reinstall windows, I spend about a day going out to get the latest software from the internet to install...Newsreader, IRC, WebBrowser, Image viewer, etc. I don't have to do this with my LInux installs since it is already provided for me. With your logic, then windows shouldn't come with an internet connection, since they don't support what you could potentially download and install. Distros provide this as a very helpful option package(s). One reason I started buying Linux instead of downloading it, is because I loved the multiple cd/dvd's that had everything I could possibly want on it (re: SuSE distro).
And if you want to talk about not having the resources to check things before they include it, then Windows should come without anything, just an empty box, because...
My Windows' uptime 36 hours
My shortest of 6 Linux' uptime = 8 months 2 weeks and 3 days (had to change UPS battery, heh).
Last Windows reformat due to system file corruption: 3 months; average 1 time per year.
Last Linux reformat due to system file corruption: NEVER; average 0 times in 7 years.
Last Windows breach: 3 months ago, between install and d/l of SP4 (yeah, I couldn't even download the service pack before getting hit, I had to get the redistributable package via my Linux box and burn it to CD!)
Last Linux breach: NEVER
Re:Not supprising (Score:3, Insightful)
Re:Not supprising (Score:3, Interesting)
Microsoft feels I know what I'm talking about when I tell you that MS software cannot be secured to the point where a system running it should EVER be connected to the internet or any other large network.
Further, I've RTFM'd a few windows versions. I've never really found any useful information in the little getting started booklet. I've been looking for further documentation of note but haven't found any yet. Seriously
Re:Not supprising (Score:5, Interesting)
Well, in a way, you're absolutely right. The very first thing you have to realize before you even do a preliminary security screening/threat assement is that security is always a trade-off. That's the major point that most managers fail to understand.
Basically, there are three elements that you need to balance: security, usability and costs (there a re also lot of other relevant factors like existing infrastructre, resistance to change, scalability, etc. that make real security work, ie. more breaking out the pen test kit and print a report, so damn expensive).
There is no such thing as a 100% secure system. That's the common wisdom and that's true. But you can design a 98% secure system. The only problem is that this system will require a huge overhead and be so cumbersome that your employees will spend most of their time doing anything but actual work. That way they'll either avoid it and use something else (ie. something less secure and more usuable), if given the choice. Or they'll be largely unproductive, which in turn means you'll have to spend a lot of money to even keep things running. Which of course means you'll not be able to compete (that's one of the reasons a lot of secure systems are designed for government use only because they government doesn't really have to compete or be efficient).
Multics [multicians.org] implemented usuable security exceptionally well. You could get the job done in a timely but relatively secure manner. For some more information about user centered security check out this paper [uni-bielefeld.de] or "Multics Security Evaluation: Vulnerability Analysis" by Karger & Schell (1974). The latter is available online too [nist.gov].
It's really a shame there's no "Open Multics". I wouldn't really run it in a secure production envionment but I'd sure like to have my own Multics machine.
Re:Not supprising (Score:2)
Re:Not supprising (Score:3, Insightful)
Then Billy Gates.... (Score:5, Funny)
...and Clippy sez... (Score:5, Funny)
Re:...and Clippy sez... (Score:5, Funny)
And Open Office sez: Hey, hey, I'm a lightbulb!! Lower right hand corner? HELLO? LIGHTBULB HERE! That means I have an idea to make your life better...HEY LOOK AT ME! HAHA preferences - they mean nothing. Just try and turn me off! YOU CAN'T! Oh, let me capitalize that first letter for you in your spreadsheet. WHAT? You don't like that? Preferences you say? Perhaps you didn't hear me the first time.
OpenOffice.org: enhanced annoyances on par with MS (Score:5, Interesting)
And that splash screen when it starts up, subbornly staying on top and covering the other windows --is Sun *trying* to advertise how bloody long it takes to start up the program?
But you know what the clincher is? I bought the "OpenOffice.org 1.0 Resource Kit", a manual written by Solveig Haugland, and there was this fairly common feature (I forget which one --maybe inserting a static date as text?) that she COULDN'T FIGURE OUT how to do. She basically says, "So far we haven't figured out how to do this yet." This is from someone who's writing a manual for the software.
Good God, Sun, why don't you just get bought out by Microsoft already. Maybe it's time to take another look at AbiWord, see how they're doing on their tables support, and break out the GNOME libraries...
Re:OpenOffice.org: enhanced annoyances on par with (Score:4, Interesting)
That's what I did after feeling for the n'th time the problems you mention. AbiWord isn't perfect, but it loads in a fraction of a second and handles well about 99% of my MS-Word documents.
What's the problem with Star/OpenOffice taking so long to load, anyhow? Is it Java, or is it just badly written software?
Re:OpenOffice.org: enhanced annoyances on par with (Score:3, Funny)
Re:...and Clippy sez... (Score:2)
Chris Mattern
Re:...and Clippy sez... (Score:3, Funny)
Love the article (Score:5, Funny)
What - they just discovered Gator?
Who'd have thought it (Score:5, Funny)
Re:Who'd have thought it (Score:3, Insightful)
With all the service packs you have to do an "all or nothing" approach, which causes lots of wasted time and money because you have to test, test, test before deploying a SP.
On Linux, when there is a problem with package X version y, I can just upgrade to version y+1.
I also don't need to set up a test machine because I can go back to version y if version y+1 doesn't work for some reason. (ha, try to go back a service pack. You can't, it's reinstall-time)
Hmm... (Score:5, Funny)
Re:Hmm... (Score:5, Funny)
I'm sure I'll get tired of hearing about Microsoft too.
Re:Hmm... (Score:2)
Re:Hmm... (Score:3, Funny)
So surprising.... (Score:5, Insightful)
Re:So surprising.... (Score:2)
Re:So surprising.... (Score:5, Funny)
When it doesn't get any comments.
Re:So surprising.... (Score:2, Funny)
Re:So surprising.... (Score:4, Funny)
Re:So surprising.... (Score:3, Funny)
Re:So surprising.... (Score:2)
After the second duplicate posting on Slashdot in the same day usually.
=)
As usual, working and playing well with others.... (Score:5, Insightful)
Re:As usual, working and playing well with others. (Score:5, Interesting)
Re:As usual, working and playing well with others. (Score:4, Interesting)
Its funny, not long ago their site was vulnerable to an old cold fusion exploit. I didnt do anything about it, 'cause frankly they are a two bit company and there seemed no point.
Believe me, when the details of this "exploit" are revealed, it will be pretty pathetic.
Internet Explorer Again? (Score:5, Interesting)
"By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page,"
gee... why am i not surprised that Internet Explorer once again introduces huge security problems?
in the meantime, a patch can be downloaded here [mozilla.org]
allthough i must admit... SP2 has had a good run... most of the recent security problems in XP/IE were non-issues in SP2. Too bad it couldn't last longer.
Does this apply to firefox? (Score:5, Insightful)
What they meant: By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page with Internet Explorer
You missed the part about Finjan (Score:5, Insightful)
This isn't to say that the vulnerabilities aren't real, they might be.
But this is a marketing ploy for Finjan
Re:You missed the part about Finjan (Score:5, Interesting)
This isn't to say that the vulnerabilities aren't real, they might be.
But this is a marketing ploy for Finjan
Back in the NT4 days I happened on a major IIS exploit. I did what I could for our code, then reported it to Microsoft. A few email exchanges - reported the bug, gave a few code examples to show the remote privilege escalation (guest to admin), then silence. Noticed the issue was fixed two service packs later.
Not so much as an email saying thank you after providing drivers to demonstrate the issue, much less any type of 'reward'. For those who wear a white hat (even accidentally) I have no problems with these guys showing how clever they are and using it for marketing purposes. That is about all the payback you get when you find something that does not behave like it should.
What? (Score:5, Funny)
Re:What? (Score:2)
Now I need to kill my self fo making such a bad joke.
Let me be the first... (Score:3, Funny)
*re-reads story*
Oh, *this* counts as news?
I say companies can make a good name for themselves dealing with M$ and patches, and then use his name to consult security to companies.
but M$ will start thier own company, find thier own holes, and consult security out...
erm... shiiiiiit you know they will do this, or already have!!!
Exploit code sample (Score:5, Funny)
I hate to rant, but this type of poor security checking is pathetic. Surely they should have known that all they would have needed to do was check the evil bit on the remote transfers to see if the data was safe or not. Someone in the OS community would have done this.
You do have to hand it to Microsoft though, the code is very easy to implement and quite elegant if you ask me.
Quote from Scotty on Star Trek 3: (Score:3, Insightful)
Re:Quote from Scotty on Star Trek 3: (Score:2)
Long live 98SE!
98SE + Mozilla + 5 minutes of tweaks to kill NetBIOS = no open ports, and therefore no remote exploits.
Take a Ghost image (oh, no product activation either!), throw in a software firewall as an early warning system for spyware printer drivers, and the only really interesting hole is the JPEG GDI exploit from a few months back, because you can never be sure whether any particular closed-source application is pack
Windows needs a rewrite (Score:5, Insightful)
I believe that with Linux's usability improving each and every year, and Mac OS X's increasing appeal to computer users, sooner or later, Microsoft will be in deep trouble. No OS is completely secure, but Linux and Mac OS X doesn't suffer from the one main problem that faces Windows security: the integration of web browsers (Internet Exploder), media players (Windows Media Player), and e-mail clients (Outlook Express). Windows has a lot of other security issues too, due to huge amounts of legacy code, a horrible system of user management (why must a user be logged in as Administrator to play a game?), insecure services running, and more.
Windows needs a rewrite. The kernel is fine, but there should be a new set of APIs (get rid of legacy stuff), a better command line (with the option of booting into it), disintegration of IE, WMA, and OE (make them separate programs that can be uninstalled), better user management (similar to Unix's user management), and finally, a secure "blue box" that runs "classic" Win32 and Win16 programs (similar to Mac OS X's classic mode). If Microsoft does this, they'll finally have a secure and stable OS, and who knows, I might even recommend Windows to users. But until then, I'm sticking with FreeBSD.
Re:Windows needs a rewrite (Score:2, Interesting)
Re:Windows needs a rewrite (Score:3, Interesting)
They won't. Not anytime soon, atleast.
It's not because it's impossible (just take a look at Apple), but becase the mess that it's Windows nowadays is the result of having backwards compatibility prioritized over everything else. Gates and co. are not stupid; they know that the applications are what make the OS. If you introduce a new Windows that need new apps and supports older ones with a VM (performance hit and issues waiting there), all of the sudden other optio
Re:Windows needs a rewrite (Score:2)
Re:Windows needs a rewrite (Score:2, Interesting)
Because clueless devs and shitty game copy prevention tools require it.
Ever played a Microsoft game, say Dungeon Siege? Admin rights are not required, and all per-user stuff (save games, settings, etc) go in your own file area (eg C:\Documents and Settings\username\...)
Compare that with most other games, that often require admin access just so they can use some copy prevention mechanism. That was certainly the case with the original Sims - if
They've done it, and it's umm... shit (Score:3, Interesting)
As an example, by default is saves documents in volitile ram so you loose them when the battery goes flat.
It keeps applications running but can only display one at once and has no way to efficiently switch between them (menu/settings/memorytab/runningapplication/activ a te)
It installs appliations in vram.
Basicly, it's crap.
If it were running linux I could make sure everything (except tmp) was stored on nvram and I could evens swapon to giv
Re:Windows needs a rewrite (Score:2)
I'd say their is a very good chance that your problem would become many other people's problem when your machine is compromised.
Good work (Score:5, Funny)
Well, thanks to Microsoft and their brilliant innovation, tireless effort, and boundless resources, they finally made all those mid-to-late-90s virus hoaxes a reality. I raise my glass to them.
Finjan scaring up some buisness (Score:3, Informative)
http://news.com.com/Finjan+Warning+users+o
And this quote by the Finjan CEO pretty much sums up what I thought this was:
"By using Finjan's proactive security solutions...users can enjoy a secure environment that protects them from such vulnerabilities."
Its just a ploy to scare up buisness for this security company. But lets not jump to conclusions, those 10 errors may exist, but the truth is that this security company may not have followed the industry guidelines.
That is the key question, did Finjan give MS these errors 30 days ago like traditionally is done? If they did, then they have every right to publicize the problem, but if not, they are engaging in questionable buisness practices.
Yawn ... why is this "news"? (Score:2)
Leave some holes, charge cash to plug 'em (Score:4, Insightful)
I find it disgusting that Microsoft has plans to sell anti-virus software to plug up the holes they stupidly left in their OS. Shouldn't developers be forced to make secure products?
If it's discovered my model of car has a set of brakes that have a chance of not working after a certain gear shift combination, the car company issues a recall - they don't tell everyone "oh it's not a big deal, if you want go to a mechanic and buy a new set of brakes."
We get patches for free (well kinda...after paying for the software) but they only seem to fix one problem *at best) for a hole found in the wild by people outside MS anyway. That doesn't even begin to cover spyware and viruses.
No Security Issues in Win XP SP1 for me! (Score:3, Interesting)
Re:No Security Issues in Win XP SP1 for me! (Score:3, Insightful)
Exposure for Firefox users? (Score:2)
I only use Windows for a particular printer driver, visio and a couple of games.
Just wondering how exposed I am when popping out to the web for a quick Doom hint..
It's all clear now (Score:5, Funny)
Exploits work as limited users? With firewall on? (Score:3, Informative)
So if you're silly enough to surf with will administrator access, you can let someone else take over your machine. No mention if the exploits work as limited users... probably because they don't.
No mention of flaws in background services, but even if there were, what effect would they have with the firewall turned on?
Sounds like a simple enough fix to me: Create a limited user account for yourself and do your work there.
Re:Exploits work as limited users? With firewall o (Score:2)
Re:Exploits work as limited users? With firewall o (Score:3, Informative)
Microsoft's gratitude (Score:3, Insightful)
and
Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2
Why should people who are trying to help just get insulated? It's time to release the exploits to all of us after all, so that we can decide for ourselves who is making erroneous statements.
No kidding? Who would have thought.. (Score:2)
Its a fact of life, its time to stop blaming and start adusjsting how to minimize the risks.
Same goes for OSS stuff too, instead of worrying about 'what hole is next' lets figure out a ways that the holes will not really matter...
Please don't post these stories on the weekend (Score:5, Funny)
Why must you post these stories on the weekend? You have just ruined the saturday of the whole MS marketing department. Now everyone of them has to cancel their plans, log on slashdot and start making posts about how "no OS is secure" and "it is all the users' fault" and "these guys are just trying to scare up some business". And the ever favourite "if Linux was that popular it would have just as many security flaws".
Well that is their job and they do it well, but why must you force them to do it on the weekend? Why can't they be with their families. Even marketoids have lives (I hear).
Conspiracy Theory (Score:3, Interesting)
Remember, IBM wanted make OS/2 bullet proof because OS market wasn't their main source of profit for the big blue. For a microsoft, it makes sense to have keep putting out the half rotten fish on the plate. If restaurant were right next hospital where owners of both restaurant and hospitals were good pals.
Operating system seldom has real reason for going from verion 1.x to 2.x, and usually companies don't charge for going from version x.1 to x.2(ie. um...patch or service pack - that's something companies put out for it's own good because they've messed up somehow), because innovations which requires entire facelift of the operating system does not happen that often. I would say from dos to windows95 were big milestone and from windows95 to windows 2000. Everything else should have been free...except bill needed more money to burn in his research lab(Whatever happened to Cairo?).
Also, there were unexpected positive side effect from putting out half rotten fish. Often people got problem with windowsblue screen of death or some clever - more or less obvious hack to the huge hole hackers often drove train through), which made microsoft in the public view(headline of lots of media)...got unexpected media coverage. Under the normal business circumstances, this kind of follies would have surly sent company dead in the water for good, but like someone else in the slashdot community porinted, that people just don't care about the security flow or the ever slowing down / memory hungry deranged monster operating system of today's era. Other side effect would be that OS had so much problem that tech support firms and microsoft support actually profit from taking tech support calls from its customer and companies who's often found working together to create stuffs which works with windows.
Bottome line is that microsoft is doing it in purpose so people can keep waiting for that perfect OS which will not break down under normal circumstances like just browsing the web and checking e-mail. That's all my dad does and why did his computer break down with error message the other day? i don't see my father's VCR or Radio stop working with blue screen of death!!!
Um..not to menstion that they must willfully bloat it's os with so much stuffs that eventually their friend intel will be able to happly sell new upcoming pentium 5 running at 6Ghz. First time I bought my ps, standard memory size was at 4MB. Today's standard memory size is something like 256MB and it's on it's way to becoming 512MB... I wonder if 4GB memroy will ever become standard on consumer pc....
Oktokie
PS: can someone tell me why my windows swap when I have 1GB of memory onboard and my windows 2000 things my 750MB or physical memory not being used isn't good for any use....so it goes and merrily creates 200-300MB of virtual memory. This is just too funny.
Re:Conspiracy Theory (Score:4, Interesting)
The first version of NT was numbered 3.1 so it would be aligned with the other Windows (I guess marketing thought it was a good idea). NT started with a completely fresh code base, so it should have been called 1.0. That would make NT4 version 2.0, Windows 2000 version 3.0, XP 3.1, and 2003 3.2. So, the NT line has only gone through two major revisions. NT4 added 95's shell environment, some DirectX and moved Win32 into kernel mode. I don't know if it deserved a major rev. alone, but compared to NT3.1, it does. Windows 2000 (NT5.0) uses Active Directory, a new version of NTFS, Plug+Play, all of DirectX, USB support, and many small improvements. It definately deserves a major revision.
The 'Available Memory' field in Task Manager does not mean 'Free Memory'. It is the amount free plus the standby list. See here [microsoft.com]. Basically, memory is agressively moved into the standby list. Memory on the standby list is in limbo: it is still in memory, but a copy is also written to the pagefile. That way, if it needs to go back, no disk access is needed because it is still in memory and if the memory is needed for something else, it can be discarded without disk access because a copy is already in the pagefile. It avoids disk access during light-moderate memory requests by doing it ahead of time. It avoids the condition of loading something into memory while trying to page something else out to make room; hard disks don't handle multiple simultaneous IO requests at the same time efficently because of all the seek overhead.
The pagefile is still used to make copies of memory that hasn't been used recently, even when you have lots available because it would be a waste to keep unused pages of memory resident. It could be put to better use in a cache or made available in case it's needed later. This is true no matter how much memory you have.
'Available Memory' is the amount of memory that you can allocate without having to write anything new to the pagefile, mostly because a copy is already there.
Re:Supprise supprise (Score:3, Insightful)
Unfortunatly (or fortunatly for some of us
Re:Supprise supprise (Score:2)
Microsofts' software issues came by design. Too many features, too many pieces of code interfacing with each other, endless hacks and patches (most of them to ensure backwards compatibility), and, as most major software producers expect, usually rushed deadlines. It's just bound to happen. Every soft has bugs, but Microsoft doesn't seem able to catch a break.
Re:Supprise supprise (Score:2)
Re:Supprise supprise (Score:2)
I say prove it. Show me a list of ten non-trivial programs in widespread use that have never reported a significant bug. To make the problem realistic, let's assume that the programmers operated under significant constraints of time and money.
Re:expected (Score:5, Insightful)
The problem with the latter is that most Linux-based software is open-source, nonfunded. Whereas Microsoft is the largest business this side of Alpha Centauri.
I'd like to say pshaw, no big deal, but the amount and severity of MS bugs/exploits is deplorable considering that Windows is the flagship product of one the largest corporations in the world. Stop entering new markets and release a stable, secure product in the next millenium please.
Flame on.
P.S. I'm going to establish a charity for those who believe using a dollar sign in Microsofts name does anything other than diminish one's argument.
Re:expected (Score:5, Interesting)
Hardly. Walgreens is "bigger" than MSFT, based on year 2003 revenue.
http://www.usatoday.com/money/companies/2004-03-2
Wal-Mart's revenue is 8x larger than MSFT's.
IBM's is 2.75x larger, HP's is 2.24x larger. AT&T's revenue is US$2.4B larger than MSFT's.
Re:expected (Score:5, Informative)
Microsoft, OTOH, is more like an economic black hole. Huge chunks of the revenue they collect just accumulates in their bank account. They don't seem to be able to figure out what to do with it, even though it's obvious that over the years they should have been investing more of it in improving the quality of their software.
Re:expected (Score:5, Insightful)
If they were to follow a very strict engineering process similar to what defense, nasa, and energy depts follow, their software would cost more then it already does, be years behind on "features", and make it very difficult to have the knee-jerk reactions to market desires it currently does.
I would argue that their success, aside from their edgy, sometimes illegal business practices, came from focussing more on UI and integration (or lock in depending on perspective) then on things people didnt understand at the time (security, stability, standards, interoperability, etc.).
Software has thus far been treated and behaved very differently from traditional engineering and manufacturing as there is no entity like UL (Underwriters Lab), FDA, FCC, DOT, etc. enforcing standrds of safety and allowing users to sue them for selling sub-par products. MS could move quick with a shoddy product and say they clicked "agree" on the EULA, security or stability be damned.
Re:expected (Score:5, Interesting)
I'm not a fan nor a hater of Microsoft products (just hate their business practices), but for anyone to be surprised that an OS designed to be run for a single user in a non-networked environment loaded with legacy code to fully (and successfully) port to a multi-user, networked environment shows a lack of understanding about the increasing inertia software products have as they age. (That's not a swipe at the parent, but a comment about the public at large).
The point is, Microsoft is actually trapped by how large they are (!). To "fix" all these issues would require a complete re-write of Windows. But then if they re-write Windows, what they'd be selling the public is not the product that helped make them a mega-corp, but a new and untested one that is only trying to leverage the brand name. Ironically, there's a significant chance that if Microsoft wandered too far from their "flagship" product too quickly, they'd both alienate and lose their customers.
Hate to say it, but they need to take the slow, steady approach to these updates/repairs.
The real question is, will they still be able to change fast enough to stay viable.
Re:expected (Score:3, Insightful)
I was just wondering if you saw the implicit contradiction in your statements.
and
I'm going to establish a charity for those who believe using a dollar sign in Microsofts name does anything other than diminish one's argument.
Your whole post drives at the point that Microsoft is in the business of making money and not making good software, yet you come along and decry those who would say the same thing in a
Re:expected (Score:2)
What we do expect is an operating system that does NOT allow the execution of programs or scripts supplied by an external source with high priviledges.
OH NO!!! (Score:2)
Great! I get my Windows problems solved and there is no more sun!!!
Oh... wait...
Re:No OS is 100% secure (Score:2)
There you go - that's the problem. Think about why people do that.
I don't run windows as an admin by default. Nor do savvy users.
But neither do I open dubious attachments, enter the numeric password supplied in the email, and then run the executable.
There's no big difference between Linux/BSD and Windows NT/2K/XP in security, architecturally.
If you had an O/S that by default ran user programs in a sandbox - sound, graphics, write acc
Re:No OS is 100% secure (Score:3, Interesting)
The big difference with Windows is in the first stage, the infection. There are entire classes of security holes on Windows that don't exist on any other widely used operating system. Yes, any system can have a buffer overflow, but only Windows can suffer from a "cross zone attack", because only Windows tries to reconstruct the rights an objec