GDI Vulnerabilities: An Open Letter to Microsoft
UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' Like Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLLs installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."
Hate to quote a quote but... (Score:5, Funny)
Re:Hate to quote a quote but... (Score:4, Funny)
Re:Rules for this story (Score:5, Insightful)
Beyond that, if I find out that my Windows version of "The Gimp" is also vulnerable, I know enough to go to the author of that program and find a patch.
If, on the other hand, 'The Gimp' told me that GTK may be vulnerable, and the 'GTK' folks told me that 'The Gimp' may be vulnerable, I would surely be the first person to stand up and write a singularly upset letter to those projects.
On the other hand, I didn't pay $199 per copy of "The Gimp" and, as a condition of my use of said software, it clearly tells me that I am free to modify the code to my liking. Thus, I don't feel that "The Gimp" and the "GTK" projects owe me merchantability. Microsoft (on the other hand) I do feel owes me - at least - merchantability to perform as advertised...
So long as Microsoft can fix the issues that are theirs (as opposed to point me in a circle), I have no qualms with spending more of my fine earned money to them for a really nice gaming OS.
Re:Rules for this story (Score:3, Insightful)
Please read the letter again (assuming you read it once).
Re:Hate to quote a quote but... (Score:2, Informative)
Re:Hate to quote a quote but... (Score:2)
Kind of reminds me of it.
Re:Hate to quote a quote but... (Score:3, Insightful)
So it gets worse, _then_ it is useless?
With 40+ subvariants of the patch, just saying "there's a vulnerability on this here machine" without giving the source of the vulnerability and the solution to patch said vulnerability is dangerous, bordering on the criminally negligent concerning network security.
Comment removed (Score:5, Interesting)
Re:Hate to quote a quote but... (Score:4, Insightful)
Analogy: there's a part of your car which could explode at any time. It's been a long-standing part of your car. This part can manifest itself in different sections of the car or in different accessories added to your car. You might be able to track down the part(s) if you are an adequate mechanic and you've kept track of where the parts have been put.
You go back to the manufacturer who says, "Well, we can tell you if you have the part, but we're not sure where on the car, or how many different parts of the car, but you should really get the parts replaced or else the car will blow up".
Re:Hate to quote a quote but... (Score:5, Funny)
You take their word for it, put your car in the shop, then when you go pick it up, the mechanic tells you "OK. We did something, but we won't tell you what we did, and your car may still blow up."
But that still doesn't answer the grandparent post's question of whether there is an actual law... Not that it matters, but it's hard to take MS's focus on security seriously when their patching tools won't tell you whether or not you are vulnerable (just that you MAY be vulnerable). How is Microsoft's scanner any better than the code below? (and mine works cross-platform, too!)
Re:Hate to quote a quote but... (Score:5, Funny)
You're right, it is cross platform
$ uname -a
Linux totoro 2.4.21-20.ELsmp #1 SMP Thu Sep 2 17:07:30 PDT 2004 i686 i686 i386 GNU/Linux
$
Scanning for vulnerabilites...
Your computer may be vulnerable. Please update.
Yikes, I'll be back, gotta update my system . . .
Re:Hate to quote a quote but... (Score:3, Insightful)
Yes, yes. We all know how apologists will assert to their death that there is no negligence or violation of expected product quality unless there's death and dismemberment.
Microsoft has been charging money for a product which has demonstrated its ability to be substandard for over a decade. Open source software, at the very worst, is on par AND it gives customers infinite flexibility.
Re:Hate to quote a quote but... (Score:2, Funny)
Re:Hate to quote a quote but... (Score:5, Funny)
Re:Hate to quote a quote but... (Score:5, Informative)
Re:Hate to quote a quote but... (Score:5, Informative)
Re:Hate to quote a quote but... (Score:4, Insightful)
I see. The tool wasn't designed for use. They just made it available for download so we could all see what a tool would look like if one were available.
Re:Hate to quote a quote but... (Score:5, Informative)
So it gets worse, _then_ it is useless?
So far, everyone else responding seems to have missed your point. The article correctly uses "worse than useless". It is the submitter and/or our ever so thorough Slashdot editors to blame for the "worse then useless" grammar mistake.
And for all of you that missed the grammar mistake and are debating the meaning of "worse than useless", yes, things can be worse than useless. Things can be harmful. They can cause additional harm or frustration, as opposed to a useless item which just does not do anything useful.
Re:Hate to quote a quote but... (Score:5, Funny)
Re:Hate to quote a quote but... (Score:3, Informative)
Re:Hate to quote a quote but... (Score:3, Insightful)
er, (Score:3, Insightful)
Re:er, (Score:5, Informative)
Likely no master list (Score:5, Informative)
But, I'll bet that MS gives developers permission to distribute these with Visual Studio, which would mean there is no way that MS has a master list--moreover, much of the software may be for internal applications and the developer is long gone.
So, any VB program that does image manipulation may be potentially vulnerable.
Re:Likely no master list (Score:5, Informative)
It's worse than that, the DLL in question is distributed (with permission to redistribute) in the free Platform SDK download.
So, any VB program that does image manipulation may be potentially vulnerable.
I've used the DLL in question from C++ and Java/JNI programs before now. _Anything_ might be vulnerable. Check for "GDIPLUS.DLL" in your applications' install directories. Or use the tool linked from the article.
Re:er, (Score:3, Informative)
...and do you do everything you're told? People are using unlicensed files all the time *cough* mp3s *cough*.
Besides, 3rd party vendors are using a lot more than just gdiplus.dll. They may use mfcxx.dll, msvbvm60.dll (VB6 runtime), and a myriad of other modules. Few programs like cygwin don't touch modules installed by the OS.
It's ridiculous to think Microsoft is somehow responsible for every third-party application, whether it's using licensed components or not. But then again, the minions of /. are al
Re:er, (Score:2, Insightful)
Also, if you write a program for searching out infected DLL's, why not do it for all libraries on the system?
Re:er, (Score:5, Insightful)
Kinda silly eh?
Of course 3rd party apps might have exploits. It's up to those 3rd party vendors to supply patches. Even if the code is originally based on MS code, the 3rd party vendor may have modified it in any variety of ways and MS has no idea if those will be dangerous versions or not. MS has identified the bad code, the 3rd party vendors have been notified about it. It's up to them to tell you if their version is bad or not, and patch their software.
RULES OF SLASHDOT (Score:4, Funny)
Re:er, (Score:5, Insightful)
If Linus wrote the code, and told the application authors that they were only allowed to use it by accessing a
Of course, nobody behaves like this in the Linux world. Shared libraries are installed to
Re:er, (Score:4, Insightful)
I believe you missed the zlib buffer overflow, which turned out to be statically linked into many applications, as well as in the shared library.
Yeah, not quite the same, since static linking is different (perhaps worse) than having lots of copies of the DLL in different directories, as far as updating is concerned. Also, a different situation because developers had the option to link the way they wanted.
But to say this sort of thing never happens in the "linux world" and that all library security bugs are easily cured for all apps by updating the shared libs neglects some really unfortunate occurrences like the zlib buffer overflow.
Re:er, (Score:2, Funny)
They just are, okay. Now quit asking questions or you'll be forced to hand in your
Re:er, (Score:4, Insightful)
Re:er, (Score:2)
Interesting logical trap there...
Re:er, (Score:2, Funny)
Can't MS establish and enforce guidelines for third-party libraries so that they don't essentially break the OS (or parts thereof)? If one doesn't conform, the scanning tool from MS should warn the user: "Hey, we don't like this file because [insert reason.]
The downside for Redmond would be this tool barfing on their own code.
Re: (Score:2)
Re:er, (Score:5, Informative)
While Microsoft isn't responsible for 3rd party DLLs, this is a different situation. They are partially responsible, and if they were interested in making the client systems secure they would handle things differently for what is really a simple file update.
Reasons: They designed a system that requires 3rd parties to distribute DLLs that Microsoft created. If the DLLs were set in a well organized location, the updates of the system DLLs would automatically 'fix' the other programs. Versioning -- something that Windows DLLs support and programs can take advantage of -- would handle compatibility issues that are not directly incompatible with this fix.
Re:er, (Score:3, Informative)
I've created many Windows applications and I've never distributed any MS DLLs.
Re:er, (Score:3, Interesting)
Did the vendors have the ability to change these DLLs or were they given binaries or restrictions on what changes (if any) were allowed?
Re:er, (Score:3, Insightful)
MS however, has ZERO idea how the vendor modified the code, or how the rest of their app interacts with it, and if it is a security risk or not. The vendors DO know. They are the ones that should patch their own app.
Sanity check: can you modify Microsoft SDK libraries? No. They are distributed in binary, not source.
this is like saying that since some Linux code may have been used in some 3rd party app like the Gimp [...] Linux should be responsible for checking the Gimp and any of a million and one o
In case it gets Slashdotted.... (Score:3, Informative)
Handlers Diary September 26th 2004
Updated September 27th 2004 13:11 UTC (Handler: Tom Liston)
GDI Vulnerabilities: An open letter to Microsoft
Dear Redmond Folks:
When I was but a wee lad, we lived in a rather large, old house that had, among other charming qualities, a basement that would make even the bravest soul think twice before venturing downstairs. It was cavernous, ill lit, and, quite frankly, always smelled a little funny. My older brother, as older brothers are wont to do, would tell me fantastic stories about why the basement had that odor; generally centering on some unfortunate past resident's demise. I hated that basement.
My parents, in a vain attempt to rid the basement of its malodorous "twang" purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.
And, no matter how many times I begged, bribed and pleaded with my older brother, he would somehow know when I was making my daily trek to the basement and, as I was down there trying to pull the heavy bucket out of the dehumidifier, the lights would suddenly snap off, the basement door would slam shut, and I would hear my older brother's voice wafting down from above: "It's cooooooooming..... It's cooooooooming to get you......."
And there I stood: alone in the dark, unknown terrors approaching, armed only with a bucket of water.
Which is, curiously enough, almost exactly the position that Windows users find themselves in today: alone in the dark, unknown terrors approaching, but in their case, having a bucket of water would be an improvement.
MS04-028 is, perhaps, the epitome of bad technical writing -- the literary equivalent of spaghetti code. I've read through it far too many times, and I still understand far too little.
Your "GDI Scanning Tool" is worse than useless. Run it, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Go to Windows Update and update everything you can find. Go to Office Update and do the same. Run the scanner again, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Lather, rinse, repeat.
[Which is why the ISC has made GDIScan.exe and GDICLScan.exe available. See http://isc.sans.org/gdiscan.php for details.]
What about those old gdiplus.dll files that we're all finding in our Side-By-Side DLL directories? Are they a problem? Why are you updating sxs.dll? Is there vulnerable code in there, or did you just rig it to avoid using the bad code in older versions of gdiplus.dll? (Hey, if you had asked me years ago, I would have told you that this was a serious problem with your Side-By-Side implementation.)
When a third party vendor wants to distribute a Microsoft DLL with their product, don't they have to get permission from you? Wouldn't there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll? Can you tell us what they are?
Please stop treating your customers like idiots and give us information; information that we can use.
In other words: Turn on the lights and open the door. We're ready to come back upstairs now.
-TL
Handler on Duty: Tom Liston (http://www.labreatechnologies.com)
Re:In case it gets Slashdotted.... (Score:5, Funny)
Re:In case it gets Slashdotted.... (Score:3, Insightful)
Re:In case it gets Slashdotted.... (Score:3, Insightful)
Dear Tom (Score:5, Funny)
Bill
Disabled this tool in SUS (Score:4, Informative)
Doesn't know any better. (Score:2, Funny)
I'm afraid that Microsoft doesn't know any better, they can't give you what they don't have.
It's actually a tough job even on Linux (Score:5, Insightful)
You don't even need third-party stuff or an application to make it hard under Linux. Typical cycle is: kernel version x comes out in March. It's in a Red Hat release in July. Vulnerability found in September, with an immediate release of version x+1 on kernel.org (which also has a lot of changed/evolved drivers etc.) Red Hat back-patches the fix to version x and makes a new funny version number to signify this. They might include a couple other things from x+1 in the back-patch to version x. Except that the funny redhat version number doesn't signify much to anyone on the surface.
Similar things happen for Red Hat (and other branded linux binary distributions) of Apache, SSL, etc., things that are all quite critical and you'd hope would be crystal-clear as to which patches your version has or doesn't have.
Now finding whether version X of a library or application has a vulnerability patched usually isn't too hard. And Red Hat does a pretty good job of keeping on top, way better than say Microsoft.
Disclaimer: I'm no fan of Microsoft, but I'm not a big fan of Red Hat (or, as I prefer, Head Rat) either (or any binary linux/gnu toolchain/popular application distro for that matter).
Re:It's actually a tough job even on Linux (Score:2, Informative)
Well, say that it's hard on one of those commercial distros then. For MY chosen Linux setup, it's generally condensed down to:
$ apt-get update
$ apt-get upgrade
Nero? (Score:4, Informative)
C:\Program Files\Ahead\Nero Toolkit\gdiplus.dll
Version: 5.1.3097.0 -- Vulnerable version
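The check several posts in this thread describe (look in each application's install directory for GDIPLUS.DLL and report its version, as the Nero post above does), as an added Python example that is not the ISC GDIScan tool or Microsoft's scanner: it walks a directory tree, pulls dwFileVersion out of each copy's VS_FIXEDFILEINFO block, and flags the build the thread records as vulnerable. The fixed-build threshold MIN_FIXED_VERSION is a placeholder and the directory layout in demo_scan is constructed; neither comes from the page.

```python
"""Inventory scanner for stray gdiplus.dll copies (added example, not ISC's GDIScan)."""
import os
import struct
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# A PE version resource carries a VS_FIXEDFILEINFO block that opens with this
# signature (0xFEEF04BD stored little-endian), followed by dwStrucVersion,
# dwFileVersionMS and dwFileVersionLS.
VS_FIXEDFILEINFO_SIGNATURE = b"\xbd\x04\xef\xfe"

# The thread records 5.1.3097.0 as a vulnerable build. The first fixed build is
# a PLACEHOLDER here (assumed, not from the page): take it from the vendor
# bulletin before trusting a "patched" verdict.
KNOWN_VULNERABLE: List[Version] = [(5, 1, 3097, 0)]
MIN_FIXED_VERSION: Version = (5, 1, 9999, 0)  # PLACEHOLDER, see above


def read_file_version(path: Path) -> Optional[Version]:
    """Return dwFileVersion as a 4-tuple, or None if no version block exists.

    Scanning for the signature avoids walking the PE resource tree; that is
    enough for an inventory pass. A hit is only accepted when the
    dwStrucVersion that follows is 1.0, as it is in every real version block.
    """
    data = path.read_bytes()
    offset = data.find(VS_FIXEDFILEINFO_SIGNATURE)
    while offset != -1 and offset + 16 <= len(data):
        struc_version, ms, ls = struct.unpack_from("<III", data, offset + 4)
        if struc_version == 0x00010000:
            return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        offset = data.find(VS_FIXEDFILEINFO_SIGNATURE, offset + 1)
    return None


def find_copies(root: Path, name: str = "gdiplus.dll") -> Iterator[Path]:
    """Yield every file under root whose name matches, case-insensitively.

    Windows resolves a DLL from the application's own directory before the
    system directory, so per-application copies (the Nero example in the
    thread) are only found by walking the whole tree, not System32 alone.
    """
    wanted = name.lower()
    for dirpath, _subdirs, files in os.walk(root):
        for filename in files:
            if filename.lower() == wanted:
                yield Path(dirpath) / filename


def classify(version: Optional[Version], min_fixed: Version) -> str:
    """Map a file version to a verdict a patch report can act on."""
    if version is None:
        return "unknown: no version resource"
    if version in KNOWN_VULNERABLE or version < min_fixed:
        return "vulnerable"
    return "patched"


def scan(root: Path, min_fixed: Version = MIN_FIXED_VERSION) -> Dict[str, Tuple[Optional[Version], str]]:
    """Scan root for gdiplus.dll copies; keys are paths relative to root."""
    report = {}
    for path in find_copies(root):
        version = read_file_version(path)
        report[path.relative_to(root).as_posix()] = (version, classify(version, min_fixed))
    return report


def build_fake_dll(version: Optional[Version]) -> bytes:
    """Constructed fixture: an MZ header plus (optionally) a version block.

    Not a loadable PE; it only exercises the version-extraction logic.
    """
    body = b"MZ" + b"\0" * 62
    if version is not None:
        ms = (version[0] << 16) | version[1]
        ls = (version[2] << 16) | version[3]
        body += VS_FIXEDFILEINFO_SIGNATURE + struct.pack("<III", 0x00010000, ms, ls)
    return body + b"\0" * 32


def demo_scan() -> Dict[str, Tuple[Optional[Version], str]]:
    """Build a constructed tree mirroring the thread's findings and scan it."""
    fixtures = {
        "Program Files/Ahead/Nero Toolkit/gdiplus.dll": (5, 1, 3097, 0),  # build from the thread
        "WINDOWS/WinSxS/GdiPlus.dll": MIN_FIXED_VERSION,  # constructed "patched" copy
        "Program Files/SomeApp/gdiplus.dll": None,  # version resource stripped
        "Program Files/SomeApp/readme.txt": (5, 1, 3097, 0),  # not named gdiplus.dll: ignored
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, version in fixtures.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(build_fake_dll(version))
        return scan(root)


if __name__ == "__main__":
    for rel, (version, verdict) in sorted(demo_scan().items()):
        shown = ".".join(map(str, version)) if version else "-"
        print(f"{rel}\n    Version: {shown} -- {verdict}")
```

Run against a real drive root to inventory every copy, then replace MIN_FIXED_VERSION with the fixed build from the bulletin so the "patched" verdict means something.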
Re:It's actually a tough job even on Linux (Score:3, Insightful)
It's a complete different world...
Normally you can see on security lists like bugtraq what kind of vulnerabilities are discovered, or patches which are available.
Now you have different options.
1. fix it yourself (you have the source)
2. wait for maintainer of the program or library to release a patched version
3. wait for your linux distro to release a patched version
What I mean to say is, in Linux or other Open Source projects, it's pretty obvious what to fix or where the problem itself
Re:It's actually a tough job even on Linux (Score:3, Insightful)
The problem with Microsoft's system is that even after you follow their patching procedure, you still don't know if the problem is fixed, and they give you no way
Re:It's actually a tough job even on Linux (Score:3, Insightful)
- It doesn't resolve the issue raised by your parent. If you execute your distribution's 'upgrade all new packages' function, after it has updated its repositories, you will get the new package. The problem is that the distributions don't update their repositories in a useful or regular way, and it's often difficult to execute this function.
- What if the new code has serious flaws that make it worse to use than the old? You would prefer to regress. Especially if the security f
Security is Microsoft's number 1 priority... (Score:2, Funny)
Like We're Not Idiots? (Score:5, Insightful)
Yes, the slashdot crowd and others might do well to receive more information regarding vulnerabilities and fixes for them, but the average user would be overwhelmed.
I once mentioned to a gentleman that the standard encryption on an 802.11b WAP wasn't entirely secure and he panicked. He asked if hackers would steal his credit card and social security numbers. I asked if he ever shopped online or transmitted those numbers across the internet, to which he replied emphatically no (he didn't even store them on his computer for that matter). He still did not understand that a "hacker" can not steal his information from a WAP if it was never there in the first place. He promptly switched to using an ethernet based network.
Most people are too stupid to be told even the first thing about security. Better a patch is provided that works and they use it. Seeing as how the patch was not complete in this case, that's different, yet the users should still be treated like morons.
Re:Like We're Not Idiots? (Score:2, Informative)
That's probably because WAP is a way of using web pages on cell phones. Perhaps you meant AP? Don't be so fast to call people idiots . . .
Re:Like We're Not Idiots? (Score:5, Insightful)
So really, the tool doesn't serve anyone well.
Re:Like We're Not Idiots? (Score:2)
So
Windows is made for idiots?
Re:Like We're Not Idiots? (Score:2)
Re:Like We're Not Idiots? (Score:5, Insightful)
That's a little harsh especially considering your example. You can, of course, be a very smart person and not know much about wireless networking. That "gentleman" could be, for example, the lead scientist in a bio research project and if he asked you a question about something he had detailed knowledge of and you didn't know the answer he, too, could conclude most people are idiots.
The world is full of technology that no one person can, or has the time, to absorb it all.
Re:Like We're Not Idiots? (Score:5, Insightful)
Everyone's an idiot in a field they know little or nothing about. Computer users want their machines to work; they don't want to know how they work, and why should they? You regularly use devices, or the products of devices, that you can't even begin to describe the manner in which they function, yet I don't see engineers or factory workers or mechanics standing up and calling you an idiot for not knowing how these things work, or for not wanting to learn how these things work.
Computers don't get a special exemption to this rule. They're just tools like any other tool, nothing more.
Max
Re:Like We're Not Idiots? (Score:3, Insightful)
I'm not saying you're wrong, but computers are totally different from factory machines or cars.
But, really, you're arguing semantics. Idiots isn't the best word to use to describe users. Unknowledgeable is better. They don't know about the system they're using, and they shouldn't have to. We trust car designers and vacuum cle
Other ways (Score:5, Insightful)
Why not write a technically detailed letter about the code you find (since he read it so many times) and perhaps offer some constructive alternatives to improve it?
Not only would it be more interesting to read, but they might actually be more willing to consider it.
Re:Other ways (Score:4, Insightful)
However, I would argue that the guy's point wasn't to garner brownie points with geeks as much as to get the frustration off his chest AND get geeks to recognize once again the flaws in MS's security protocols.
Furthermore it isn't a "cheap pot-shot". He's venting, he's not bootlicking. He's saying "for crying out loud, you guys have Billions of dollars, resources up the wazoo and you can't get it right, damn I'm mad and I'm going to vent(but I'm going to be humorous in doing so)!" Haven't you EVER felt that way. The beauty of the web is that he can post that and hopefully feel better about it.
So, you're right, this isn't for MS, it's for the masses, including the press and geeks who might read it, giggle a bit, and maybe as a group hold MS's feet to the fire on this.
How old is this guy? (Score:2, Funny)
I second that "information we can use" point (Score:5, Insightful)
I spent about 45 minutes reading docs at MSDN/MSKB trying to find an explicit statement that IE6SP1 on Win98 is vulnerable, and I swear that they don't actually state that fact (explicitly) anywhere! I eventually was able to read between the lines and conclude that Win98 isn't vulnerable, but Win98 + IE6 is, so you should run Windows Update to DL the patch.
Am I certain? No. Like I said, it's very difficult to find answers to very simple questions in their docs sometimes. I especially hate reading their security bulletins because it's like they were written by very technical lawyers who are trying to maintain the illusion of releasing information without actually doing so. As often as is possible, I try to wait a day or two for the DHS CERT [us-cert.gov] to issue their bulletins because they do a slightly better job of relaying useful information.
Re:I second that "information we can use" point (Score:3, Insightful)
Another system claims that there 'may' be vulnerabilities. Installed all the patches that would apply. The tool still says the same thing.
Another pretty stupid thing is that they have this run as part of Windows Update, but they really need to be able to have a wa
No Warranty Implied (Score:5, Funny)
His letter might as well read:
Re:No Warranty Implied (Score:5, Insightful)
i don't think so.
well, maybe he'll give you your money back!
Re:No Warranty Implied (Score:3, Insightful)
would you give warranty for something you give for free?
Sure! If it doesn't work, they can have their money back...
Either way you choose... (Score:3, Insightful)
Another problem, though, may have something to do with the audience. Trying to be "all things to all people" (including less-than-clueful admins), it is likely that they decided to "dumb down" the announcement, in short proclaiming that your computer "may be vulnerable". Some could argue that it is language of FUD, but I would say that they are trying to impress on as many people as possible that this is not just another "critical" update. This one is really, really critical.
The GDIscan tool worked fine for me. (Score:3, Interesting)
So I go over there and download/install the updates. The only problem I saw with it was that I had to supply my Office CDs during the install (and it warned that might include a key -- luckily I had both in close proximity). If MSFT fucks up I shouldn't be the one that has to produce the CDs/Key to fix it. MSFT should happily go about the update without needing either of those two things. They shouldn't be allowed to check for piracy during a security fix.
That's at least how I saw it.
So I was all patched up according to the Windows Update and the Office Update sites and I figured I was done. Maybe I was too smart for my own good?
This whole open letter business (Score:5, Funny)
Re:This whole open letter business (Score:3, Insightful)
Re:This whole open letter business (Score:3, Funny)
Also vulnerable from Microsoft... (Score:3, Informative)
humidifier (Score:5, Funny)
Uh, an extension cord perhaps?
In "How not to write an open letter 101"... (Score:4, Insightful)
Don't get me wrong, the letter itself was justified, and the author is right about the tool by microsoft I'm sure. But why is that story in there, to make sure that someone at Microsoft doesn't actually read it?
Re:In "How not to write an open letter 101"... (Score:3, Funny)
don't ever bother to check your spelling
No, that belongs in "How To Write A Slashdot Headline".
Oops, just violated the rules. Let me korrect that.
What I want to know is... (Score:5, Interesting)
Re:What I want to know is... (Score:4, Informative)
This is NOT just a Microsoft bug! (Score:5, Insightful)
Indeed, Netscape, which also uses that code for its JPEG decoding had that flaw (but it was fixed earlier, and of course, it did not make the news nearly as much as this Microsoft issue, owing to its much smaller market share.)
http://www.openwall.com/advisories/OW-002-netscape-jpeg/ [openwall.com]
Re:This is NOT just a Microsoft bug! (Score:3, Insightful)
And they obviously never looked at it either, right?
Not during their last "security initiative" and not during their PREVIOUS "security initiative" either.
Anybody remember the "code freeze to tighten up security" several years back?
Is this a Microsoft first? (Score:4, Funny)
Dumb Question (Score:5, Interesting)
I have a dumb question. I admit it's a dumb question, because I've spent the last twenty years of my career working with non-Microsoft operating systems and products. The answer may be obvious to someone with that kind of experience, but not to me. So here goes:
Why the hell are there multiple copies of the same, critical, shared system library floating around on the machine?
See, where I come from, you have one copy of shared system libraries -- the latest one, with all the latest patches. This library is fully backward-compatible with all its predecessors. Further, the shared system libraries are all in the same place, so you know where to go looking to drop in updates or, if needs be, regressions. (On very, very rare occasions, there'll be a copy of a specific version living alongside the (by definition, broken) application that needs it.) This approach leads to clean system maintenance and ensures that all applications are using the same, up-to-date, best performance, most secure version of the system libraries.
So why is Windows different? Why are there a zillion copies of GDI+ laying around? And why would you want it that way?
Schwab
Re:Dumb Question (Score:5, Informative)
So, to stop the headache, we started putting system DLLs locally, thanks to the path priority built into Windows - it always checks local folders first. And it worked, most of the time. If you asked for a DLL by name and another app was using an incompatible version, you would still get the stinky one. But, if you were first to the call then you knew you would get yours.
But, the trend had taken root and like any good weed it is hard to get rid of.
I don't even think this tool is checking for the other sneaky developer trick of renaming the DLLs, either to hide the fact that it's not licensed or other legal yet obscure reasons.
Re:Dumb Question (Score:3, Insightful)
The file in question is gdiplus.dll. This file was included in Windows XP and Windows Server 2003, but was not part of previous operating systems.
Therefore, apps that used this
So some apps ship with their own copy, then along comes WinXP/2K3, and they add a second, syste
Re:DLL Hell (Score:3, Insightful)
Why would upgrading an application also upgrade a shared system library at the same time? If the application needs the later library version, then the system needs upgrading as well (and probably a good thing, too). Only the system vendor, or the user by direct action, should be messing about in the system directories. Applications shouldn't be fscking around in there at all. If they do, then the result is guaranteed to be a complete and utter mess. (This is obvious, right?)
Further, why would upgradi
Why not offer a common jpeg DLL? (Score:5, Insightful)
Fixing a problem like this in Linux is trivial. Only libjpeg needs to be patched, and automagically, all apps that depend on that library are also rendered invulnerable.
We saw this with png and other shared libraries. Also, offering many of these common libraries as DLLs helps reduce code bloat since every app no longer needs to reinvent the wheel.
Re:Why not offer a common jpeg DLL? (Score:3, Insightful)
What about programs that have been compiled statically? It wouldn't be a good thing to patch the library and then assume all of your apps are fixed. I realize that not many people do static compilations when they can avoid it, but it does happen in the name of portability, or maybe in the odd binary package where the packager didn't feel
TiVo Software uses gdiplus.dll (Score:3, Informative)
Stop Whining (Score:3, Funny)
and just buy your standard Windows GDI implementation from a different vendor that is more responsive to your needs and more willing to negotiate and work with you on cost discounts for flaws in their product.
I mean, isn't that what you're supposed to do when a supplier feeds you something substandard?
Re:Yeah, right. (Score:5, Informative)
Re:But Microsoft customers are idiots (Score:4, Funny)
Re:Yes, Microsoft can fix everybody's code! (Score:4, Insightful)
"My home-built kit car has a Ford engine. There's a problem with the engine. Ford needs to fix it"
Re:Yes, Microsoft can fix everybody's code! (Score:4, Insightful)
For a better analogy, Microsoft is refusing to pay Child Support for its bastard child.
MS needs to warn developers (Score:5, Interesting)
No, MS should not be responsible for fixing code that third parties distributed using their code libraries. Just as no F/OSS code library project should be responsible for tracking down anyone who might have used their code library.
However, MS should do a better job of making it clear to third party developers that the DLL may be included in their project (often without the knowledge of the project. Visual Studio does a great job of hiding the relevant DLLs that get loaded into a project.) None of the MS advisories on this that I have seen have included any recommendation to developers or consumers that they need to take additional steps after patching their system.
MS should, though, have produced the tool that Tom Liston did. His scanner is 7k. Surely MS could have come up with something like that--and if you run Tom's GDI scanner, you'll note some places where it identifies possible problems. MS would be in a much better position to know if that is the case and thus able to provide better information.
So, I disagree with what you are faulting MS for, but not the fact that MS should be faulted.
Re:Don't go for pretty software (Score:4, Insightful)
Re:NEWS FLASH!! (Score:3, Interesting)
Re:NEWS FLASH!! (Score:3, Funny)