Microsoft's Urgent Patch Precedes Black Hat Session

Soulskill posted more than 4 years ago | from the no-time-like-the-present dept.

Microsoft 232

Julie188 writes "Mystery solved! Microsoft's latest emergency out-of-band patch was weird beyond belief. A notice was sent to journalists and researchers late Friday evening that the patch was coming Tuesday, but Microsoft refused to explain the flaw and even put a cone of silence around researchers who would have otherwise talked about it. But finally, one researcher broke ranks and explained that the patch was caused by a flaw introduced in Microsoft's own development tools. This flaw was also the source of the emergency ActiveX patch, which took about 18 months to complete and which supposedly fixed the problem by turning off ActiveX (setting a 'killbit' on the control). Researchers at Black Hat on Wednesday will be demonstrating how to override the killbit controls and get access to vulnerabilities supposedly stopped with a killbit. What's really scary is that Microsoft has issued 175 killbits fixes so far."

232 comments

Imagine. (5, Interesting)

rolfc (842110) | more than 4 years ago | (#28864929)

There are still people that think ActiveX is a gift to humanity.

Re:Imagine. (2, Informative)

commodore64_love (1445365) | more than 4 years ago | (#28865473)

I would upgrade to a Macintosh and abandon the Microsoft/ActiveX/Exploder trojanware completely, but Mac has its own undesirable flaws. Namely - A $100 fee every year to upgrade from 10.4, to 10.5, to 10.6, and so on.

i.e. Macs are expensive to maintain. In contrast I bought a Mickeysoft XP PC in 2002 and haven't spent a dime since then for OS updates. i.e. Cheap.

(And Linux won't install my Netscape ISP's Web Accelerator software - so that's not an option either.)

Re:Imagine. (5, Insightful)

bstreiff (457409) | more than 4 years ago | (#28865683)

So you're contrasting OS upgrade fees for OS X... versus not upgrading Windows.

Guess what? There are upgrade fees to go from XP to Vista to 7, too.

Re:Imagine. (2, Informative)

billcopc (196330) | more than 4 years ago | (#28865861)

Except Windows apps from today still run on a 10-year old Windows 2000 machine, for the most part.

Mac apps are, like their makers, excessively trendy so whenever a new OS X build is released, the great majority of developers "embrace" the new features and it seems very few are committed to backward compatibility. This much is true of both big-name vendors and homebrew/shareware authors ("Free" isn't so big yet in that sphere).

Re:Imagine. (2, Insightful)

commodore64_love (1445365) | more than 4 years ago | (#28866057)

>>>Except Windows apps from today still run on a 10-year old Windows 2000 machine, for the most part.

Precisely. With Windows you don't have to upgrade because it has a relatively long support cycle, and as you pointed-out you can continue using Win2000 (or even Win98) without problem. In contrast my Mac 10.4 which is not that old, refuses to run anything because virtually all the software requires 10.5 or higher.

And thus we're back to my point - "A $100 fee every year to upgrade from 10.4, to 10.5, to 10.6, and so on. i.e. Macs are expensive to maintain."

Re:Imagine. (4, Insightful)

hairyfeet (841228) | more than 4 years ago | (#28866675)

Which brings me to something I've asked several times and never gotten a real response to: Why is it so damned hard for Apple guys to admit Apple is expensive? I mean you don't see Ferrari owners going "well if you figure in all the external factors it's a great value for the money" because it's not. It's exotic, it's fast, but it sure as hell ain't cheap. Same thing goes with Apple.

As you pointed out you get crazy long support cycles out of MSFT. Win2K will be supported until April next year IIRC, and WinXP until 2014. And the simple fact is that now Apple has switched to Intel you can buy the SAME hardware that is in a Macbook or Macbook Pro for $700- $900 or more cheaper from a Dell or HP. So the price difference is for OSX and the pretty. So for an Apple guy to say Windows is expensive when they are paying that much for OSX PLUS having to "rebuy" it every year is just nuts.

Hey, Apple Guys, if you want to drive a Ferrari, just drive it and be happy. If you think spending $700-$900 or more for OSX is great, then fine and dandy, nobody is judging you. But please stop with the bullshit, okay? It makes you sound delusional or like a koolaid drinker when you sit there and try to jump through all these logic hoops trying to justify how that $2200 you paid for your laptop isn't high, when we can buy the same gear for $900-1100. You don't see the Ferrari owners trying to justify with logic hoops how they are "value for the money" compared to Ford, do you? Hell no! So just accept you have a Ferrari and be happy. But trying to come up with all these crazy hoops to try to prove that Apple computers aren't expensive just ends up with a pile of bullshit as big as MSFT's with their "get the facts" campaign, okay?

If you want to spend that extra $$$$ on OSX, just do it and be happy already. Trying to justify it with these totally crazy "value for the money" arguments just makes you sound crazy or desperate to prove you didn't get ripped off. If you think OSX is worth the hundreds or even over a thousand you spend, then just spend it and be happy with your purchase.

Not to mention the required hardware upgrades... (1)

sean.peters (568334) | more than 4 years ago | (#28866751)

I've got a Powerbook G4, running 10.5.x... which is still a fairly powerful machine, right? Well, yes, but... increasing numbers of software packages won't run on anything but Intel-based Macs, or alternatively, have features crippled when running on PPC Macs. So even though there's nothing wrong with the machine, and it still has sufficient horsepower to do just about anything... Steve is going to force me to buy a new one if I want to run modern software. Yay, Mac.

Re:Imagine. (1)

m.ducharme (1082683) | more than 4 years ago | (#28865781)

I've not found the upgrades to be necessary for compatibility reasons, though we did upgrade one of our older macs (a G5) to get the benefit of the performance boost. It had been running with the OS it came with for...I'm going to say about 4 years. I'm not sure why you feel that you'd be obligated to purchase upgrades, care to offer some insight?

Certainly if you feel that a point change in the OS X world is equivalent to a service pack, I can see how you might be put out by having to pay for one. But I think they're more like the change between XP > Vista than the change between XP SP1 to XP SP2.

Re:Imagine. (1)

Chaos Incarnate (772793) | more than 4 years ago | (#28865901)

2000 > XP or Vista > 7 might be better analogies--lots of fluff changes, less so under the hood. :) (Or at least, for 10.4/10.5. Not sure how to classify 10.6--lots of under the hood, but very little fluff.)

Re:Imagine. (0)

Anonymous Coward | more than 4 years ago | (#28866015)

(Or at least, for 10.4/10.5. Not sure how to classify 10.6--lots of under the hood, but very little fluff.)

Well, Snow Leopard is only going to be $30, so it's like a paid service pack. Then again, they rewrote Finder in Cocoa, added in LOTS more 64-bit support, Grand Central Dispatch, etc., and made the thing only take up 6 or so gigs of space on the HDD. I'd say that removing a lot of bulk and adding compatibility is worth $30 (Or, if you're upgrading from Vista>Win7, most likely the same would be ~$100 for you).

-Samriel, posting anonymously because OSX supporters get downmodded

Re:Imagine. (0, Informative)

Anonymous Coward | more than 4 years ago | (#28865891)

Assuming you're referring to what I think you are when you say "Web Accelerator Software..." you know all that does is turn on http pipelining, change your cache settings, and maybe (depending on which particular one) install a "download manager" that uses multiple connections to stream content faster from overloaded servers?

All of that (with the exception of the "download manager") can be done in Firefox's "about:config" controls without the need for any special software.

"Download Manager" programs and Firefox plugins are available on Linux too, but I DO NOT recommend using them. They are the product of evil minds who don't understand how the internet works.

Under normal circumstances they actually slow down your downloads slightly (more overhead to manage multiple connections, max bandwidth is still limited by the greater of server's upstream / your downstream). The only time it can speed things up is if the server is overloaded.

(Rough example follows; the numbers are not accurate to anything, only a demonstration)
Assume the server can handle 100 average connections at full speed at one time, and 110 people are trying to download currently. Their downloads will each slow by approximately 10% as the server parcels out packets to each connection. This is fair.
What "download managers" do is add more connections from your client to grab different parts of the download faster at the expense of other people.
So the aforementioned server, rather than having 110 connections from 110 people, has 109 connections from 109 people and 31 connections from 1 person. So the server apportions bandwidth among its 140 connections. Your download is sped up as you are now receiving 22% of the packets from the server if apportioned in a CFQ manner. Everybody else's download is now about half speed. This is very much NOT FAIR.

So you can do completely without your "web acceleration software" by changing your web browser's settings yourself (it occurs to me that on Windows the software may also fix the broken TCP/IP windowing scheme they have by default - this isn't necessary on Linux as the networking stack autonegotiates with upstream routers to find the most efficient window size available). Even if you never switch away from Windows, I would recommend NOT USING any sort of "download manager" that may be included in your "web acceleration software," as it is just an awful idea. Also note that the more people who use these "download manager" things, the more overloaded servers become, meaning that soon even the people using download managers are getting slower downloads than they would if nobody were using them (this becomes more obvious if you also take into account memory and processor capacity on the servers).

Re:Imagine. (2, Interesting)

DavidTC (10147) | more than 4 years ago | (#28866423)

No, Netscape's Web Accelerator connects to a compressing proxy server for their dialup service. It recompresses images to lower quality and makes all pages gzipped. That's it. I'm not even sure it does any caching.

I'm fairly confused as to how this doesn't work on Linux, as it's a browser proxy, but don't care enough to actually look into it.

Which means all this talk about switching OSes is nonsense. He's someone using a $6.99 a month dialup internet connection, he can't afford a new computer!

Of course, apparently the idea of using Netscape's web browser, or Firefox, both of which surely would work with Netscape Web Accelerator and would protect him from ActiveX, doesn't occur to him. (Granted, it doesn't seem to have occurred to anyone else here either.)

Re:Imagine. (2, Insightful)

koolfy (1213316) | more than 4 years ago | (#28866007)

I would upgrade to a Macintosh and abandon the Microsoft/ActiveX/Exploder trojanware completely

Yeah, like if mac was better at security fixes [tuaw.com]...

Re:Imagine. (5, Informative)

TheRaven64 (641858) | more than 4 years ago | (#28866419)

Namely - A $100 fee every year to upgrade from 10.4, to 10.5, to 10.6, and so on

I don't like to contradict your wonderful hyperbole with mere facts, but the upgrade from 10.5 to 10.6 is going to cost $29 [apple.com], and comes two years after the release of 10.5, making the cost $14.50 per year, not $100. The upgrade from 10.4 to 10.5 cost $129 I believe (although it was $20 if you had bought 10.4 after 10.5 was announced) and was released 2.5 years after 10.4, making the cost per year $51.6. If you bought both of these upgrades, you will have spent $35.11 per year on upgrades.

It's the commonality. (4, Informative)

tjstork (137384) | more than 4 years ago | (#28865557)

The thing about Active X is that it is just a way to put an object oriented wrapper around a DLL. So really, it's just a DLL.

The problem with DLLs is that they are good for process re-use on a desktop but not the kind of thing you want to be shoving into a browser. However, if Microsoft closed off Active X entirely in browsers, they would break Flash and third party OpenGL and movie plugins... and probably would wind up getting ripped for it.

The thing to keep in mind is that Firefox and other browsers that allow for DLLs to be loaded as plugins are going to have these problems as well. It's just that, there are less firefox plugins than there are activex controls out there, so the universe of the problem is smaller.

Re:It's the commonality. (2, Insightful)

rolfc (842110) | more than 4 years ago | (#28865741)

I know, a lot of people believe that when there are more users, there is more incentive to exploit and that is the only difference between Windows and Linux. It's just that it doesn't work that way. They are implemented in a different way, and since my confidence in the security of Microsoft isn't that great, I don't believe you are right.

Re:It's the commonality. (5, Insightful)

DavidTC (10147) | more than 4 years ago | (#28866701)

Strictly speaking, the GP is right. The reason that ActiveX is more vulnerable than Firefox is there are a lot more ActiveX controls than Firefox plugins. (Not to be confused with Firefox Addons, which seem to be fairly secure, and are pieces of javascript. Firefox plugins are things like the PDF viewer that Acrobat installs, etc.)

However, the reason there are a lot more ActiveX controls is a, tada, bad design. It's because ActiveX fundamentally lets you embed all sorts of stuff that came with the operating system and random applications and were not designed to be controlled by a web page. Stuff around from before web browsers!

So Microsoft has to kill each of these, one at a time. That's what the '175 killbits' is talking about....something like 125 of those were on things that it should not have been possible to load in a web browser anyway, but Microsoft decided it would be great fun if you could load all those fancy new signed-DLLs-under-another-name in a web browser. And companies that had been putting out ActiveX controls and had never had to worry about security before, because they were selling a PDF rendering control to software developers to embed in their app, suddenly found out how insecure they were.

Aka, is your car secure, right now? Yes? Alright, let's transport these dangerous criminals in it. What do you mean, it's not secure from that direction?

And this isn't helped by the fact that ActiveX controls are so easy to install. I'm not talking about malicious ones, those are easy also, but legitimate good ActiveX controls, which are signed by a legit company and everything.

And they work for two years, and web design moves on...and eventually a hole is discovered in them...and crackers download that version, put it up on their web site, and wait for people to click Yes to install this clearly legit control, signed by Macromedia or whatever, so they can buffer overflow it.

Oh, look. Have to issue a killbit for that also.

The large proliferation of ActiveX controls vs. the small proliferation of Netscapian plugins is why ActiveX is so vulnerable, but the first is entirely due to a rather stupid design decision at the start of IE that let web page designers use random ActiveX controls (which everyone forgets were not invented for web browsers, but existed before as DLLs with well defined embedding mechanisms) in a web browser.

Re:It's the commonality. (1)

makomk (752139) | more than 4 years ago | (#28866175)

The thing to keep in mind is that Firefox and other browsers that allow for DLLs to be loaded as plugins are going to have these problems as well. It's just that, there are less firefox plugins than there are activex controls out there, so the universe of the problem is smaller.

Well, part of the problem is that ActiveX isn't just used for browser plugins, so there are a huge number of ActiveX controls out there that can be loaded into a browser but really weren't meant for this purpose. Unless the control is marked "safe for scripting", Javascript can't interact with it directly, but it's still loaded.

Re:It's the commonality. (5, Informative)

neonsignal (890658) | more than 4 years ago | (#28866475)

There is truth in your argument that third party additions to a browser pose a security problem, but you are comparing coffee and fish.

Plugins pose a security risk because you are running software from unknown sources as part of your browser. However, you don't need to install the plugins in order to enjoy the browser functionality.

Active X on the other hand was always intended to be integrated with web pages, which means that in many cases you would not even have been able to view the content without downloading a COM object of dubious origin. Fortunately this has largely failed, and most web content is still accessible without it (though there are a number of commercial services on the other hand that require Active X to work).

The better comparison with Active X is other dynamic web code, such as scripting languages like javascript, and of course Java, which have been used for similar purposes. There are clear differences, because Active X is running native code, and so is notoriously difficult to sandbox effectively. It is obviously a matter of degree; no system is fully secure. But whereas exploits of Active X tend to often be total (access to the host machine), exploits of systems such as javascript often revolve around more subtle issues such as masquerading.

I actually think there is merit in having internet distributable native code. But having said that, there are multiple issues. I don't think the solution is merely to improve the containment of the downloaded code (indeed, that only makes it harder for the plugin to do anything useful). The problem is one of trust: how do I know if the binary code is trustworthy (Microsoft rubberstamp certification just doesn't do it for me!); and why do most sites need Active X at all (shouldn't we just be trying to agree on some browser standards like video formats so that typical functionality can be built into the browser!).

Re:Imagine. (1)

whowantscream (911883) | more than 4 years ago | (#28866035)

It IS a gift to humanity, - think of all the lives that it has touched, and not just ActiveX programmers!

It has given linux admins more clout and opened up jobs for people wanting to avoid Microsoft like the plague
It has given new Windows security admins more job security after the old one was fired
It has given hackers a means to expand and fund their personal empires
It has helped prune out the weak by allowing the destruction of their computers

You see, Microsoft is just playing its part in the circle of life.

Re:Imagine. (2, Insightful)

daem0n1x (748565) | more than 4 years ago | (#28866091)

Somehow people think it's normal to embed in webpages stuff that is executable code for a particular operating system and processor architecture. WTF?!?

This is soooo fucking stupid I almost can't believe it. I've tried for years to convince people of that but they look at me as if I'm an alien.

It was a tremendous lock-in strategy for Micro$oft, though. They're still cashing in on it. Fortunately, the tide is changing, but it will take a long, long time until this ActiveX shit is gone.

Re:Imagine. (2, Informative)

cyberdrop (939759) | more than 4 years ago | (#28866239)

The code is not embedded in the web page!

An ActiveX Control is a Plugin for your browser. The browser is also bound to a particular operating system and processor architecture!

sensationalist much? (5, Insightful)

timmarhy (659436) | more than 4 years ago | (#28864945)

yes activex sucks, anyone who doesn't know this already has rocks in their head, but calling a patch "weird beyond belief"? MS gets wind of security hole that might be really bad, patches it urgently.

damned if they do damned if they don't?

Re:sensationalist much? (1)

noundi (1044080) | more than 4 years ago | (#28864977)

I have to agree. I don't see the reason why patching a security hole asap is an issue. Also to make it clear I'm only referring to this isolated action, nothing else.

Re:sensationalist much? (1)

Cro Magnon (467622) | more than 4 years ago | (#28865075)

Patching a security hole ASAP is a good thing. But it's still unusual behavior from Microsoft. One would expect them to wait 2 weeks for the normal Patch Tuesday.

Re:sensationalist much? (2, Insightful)

pfleming (683342) | more than 4 years ago | (#28865395)

Patching a security hole ASAP is a good thing. But it's still unusual behavior from Microsoft. One would expect them to wait 2 weeks for the normal Patch Tuesday.

You mean you would expect them to wait 18 months and two weeks? That's absolutely ridiculous! The only reason to release now is that it's being exploited in the wild. Do you really think they would have fixed it on patch Tuesday if they hadn't done so in 18 months?

Re:sensationalist much? (1)

noundi (1044080) | more than 4 years ago | (#28866097)

You mean you would expect them to wait 18 months and two weeks? That's absolutely ridiculous! The only reason to release now is that it's being exploited in the wild. Do you really think they would have fixed it on patch Tuesday if they hadn't done so in 18 months?

Nope, what's your point? I made it very clear. I'm only referring to the isolated action of patching something asap. I'm not defending nor attacking MS's methods. Please read the posts more thoroughly when you reply to them.

Re:sensationalist much? (1)

noundi (1044080) | more than 4 years ago | (#28866127)

Please read the posts more thoroughly when you reply to them.

Now that was embarrassingly ironic. I apologise sincerely.

Re:sensationalist much? (3, Informative)

commodore64_love (1445365) | more than 4 years ago | (#28865501)

I thought the weirdness came from using a "killbit" solution. Any spybot programmer will easily be able to override that.

Re:sensationalist much? (1)

Rashkae (59673) | more than 4 years ago | (#28865081)

It's not an issue exactly, but I can't off the top of my head recall a time that MS has released an out of schedule patch that wasn't to fix a problem already well known and being actively exploited.

Re:sensationalist much? (1)

noundi (1044080) | more than 4 years ago | (#28865187)

It's not an issue exactly, but I can't off the top of my head recall a time that MS has released an out of schedule patch that wasn't to fix a problem already well known and being actively exploited.

Me neither, but it's still a good thing. Perhaps there should be Black Hat sessions every week? ;-)

Re:sensationalist much? (4, Informative)

mortonda (5175) | more than 4 years ago | (#28865073)

You missed the part where they knew about the flaw 18 months ago. That's just... sad.

Re:sensationalist much? (3, Insightful)

mcgrew (92797) | more than 4 years ago | (#28865607)

"Sad" isn't the word for it. Evil comes close, though. The fact that the flaw was introduced by their own development tools is what's sad. The people who get exploited by this flaw will be sad.

Re:sensationalist much? (0)

Anonymous Coward | more than 4 years ago | (#28866551)

"just spent six months in a leaky boat / lucky just to keep afloat"

Re:sensationalist much? (3, Funny)

Fred_A (10934) | more than 4 years ago | (#28865343)

yes activex sucks, anyone who doesn't know this already has rocks in their head, but calling a patch "weird beyond belief"? MS gets wind of security hole that might be really bad, patches it urgently.

Not only that but they patch it urgently for the 175th time. If that isn't urgent I don't know what is.

I don't know of any other OS company that's that focused on security that it patches the same kind of thing that many times : "We have to make sure, the security of our users is important to us !".

Now that's dedication !

Re:sensationalist much? (1)

blincoln (592401) | more than 4 years ago | (#28866147)

Not only that but they patch it urgently for the 175th time.

MS haven't patched this vulnerability 175 times. They've issued 175 patches that have made use of the ActiveX killbit mechanism to disable various old controls, as opposed to patching the vulnerability in those controls.
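As an added illustration of the killbit mechanism this comment describes (not part of the thread and not Microsoft's code): a killbit is the 0x400 bit in a control's "Compatibility Flags" value under Internet Explorer's "ActiveX Compatibility" registry key, and on 64-bit Windows the 32-bit browser reads a separate Wow6432Node copy of that key. The sketch below audits a registry export for controls whose killbit is missing or set in only one view; the sample export and its CLSIDs are constructed placeholders.

```python
import re

KILLBIT = 0x00000400  # bit in "Compatibility Flags" that stops IE instantiating the control

# Constructed sample in .reg export form. The CLSIDs are placeholders, not real
# controls, and 0x20 is just an arbitrary flag value that is not the killbit.
# Real exports are usually UTF-16; decode the file before passing its text in.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000420

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000020
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?P<wow>Wow6432Node\\)?"
    r"Microsoft\\Internet Explorer\\ActiveX Compatibility\\"
    r"(?P<clsid>\{[0-9A-F-]{36}\})\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(
    r'^"Compatibility Flags"=dword:(?P<hex>[0-9A-F]{8})$', re.IGNORECASE
)


def parse_flags(export_text):
    """Return {clsid: {view: flags}}; view is 'native' or 'wow64'."""
    result = {}
    current = None  # (clsid, view) of the key section being read, if relevant
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            if m:
                view = "wow64" if m.group("wow") else "native"
                current = (m.group("clsid").upper(), view)
            else:
                current = None  # some other key: ignore its values
            continue
        m = VALUE_RE.match(line)
        if current and m:
            clsid, view = current
            result.setdefault(clsid, {})[view] = int(m.group("hex"), 16)
    return result


def audit(export_text, is_64bit_os=True):
    """Classify each CLSID as 'killed', 'partial' or 'not-killed'.

    'partial' means the killbit is set in one registry view only, so one
    of the two browser bitnesses on a 64-bit system can still load it.
    """
    required = ("native", "wow64") if is_64bit_os else ("native",)
    report = {}
    for clsid, views in parse_flags(export_text).items():
        # Test the bit, not equality: other flags may be set alongside it.
        killed = [v for v in required if views.get(v, 0) & KILLBIT]
        if len(killed) == len(required):
            report[clsid] = "killed"
        elif killed:
            report[clsid] = "partial"
        else:
            report[clsid] = "not-killed"
    return report


if __name__ == "__main__":
    for clsid, status in sorted(audit(SAMPLE_EXPORT).items()):
        print(clsid, status)
```
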

Re:sensationalist much? (0)

Anonymous Coward | more than 4 years ago | (#28866295)

wow...

you're an idiot....they didn't patch the same thing 175 times, they issued 175 killbit patches. to make this easy for you to understand, killbits are like flags, microsoft uses them to 'flag' inappropriate OS behaviors and tells the OS how to handle the issue. Which means there are 175 flags (killbits) in use today..

I may have dumbed this down way too much, so if I am off please feel free to correct me.

Cone of Silence? (5, Funny)

eldavojohn (898314) | more than 4 years ago | (#28864995)

Microsoft refused to explain the flaw and even put a cone of silence around researchers

Those suck. My dog had to wear one of them for a week. Didn't shut him up but it sure stopped him from licking what used to be his balls.

Re:Cone of Silence? (0)

Anonymous Coward | more than 4 years ago | (#28865009)

Those suck. My dog had to wear one of them for a week. Didn't shut him up but it sure stopped him from licking what used to be his balls.

And why does a dog lick his balls? Because he can.

Re:Cone of Silence? (0)

Anonymous Coward | more than 4 years ago | (#28865381)

But why lick your balls when something far more pleasurable is right next to it?

Re:Cone of Silence? (0)

Anonymous Coward | more than 4 years ago | (#28865523)

Who knows, maybe licking your own balls is the height of pleasure?

Re:Cone of Silence? (1, Funny)

Anonymous Coward | more than 4 years ago | (#28865503)

Microsoft refused to explain the flaw and even put a cone of silence around researchers

Those suck. My dog had to wear one of them for a week. Didn't shut him up but it sure stopped him from licking what used to be his balls.

Do researchers lick their balls?

The real mystery (1)

BadAnalogyGuy (945258) | more than 4 years ago | (#28864999)

I've always been baffled by Microsoft marketing's insistence that ActiveX is pronounced "active" with the "X" silent. I've never met anyone who didn't pronounce the technology "Active-X".

I also didn't like how ActiveX morphed from a special browser-only technology into a synonym for COM and then into a replacement for OLE. At least now we've got .NET which promises to rid us of C++ once and for all.

Whoever thought making C/C++ an implementation language for anything as complicated as an OS ought to be shot. The number of possible vulnerabilities is through the roof, as this latest patch shows.

Re:The real mystery (4, Interesting)

plague3106 (71849) | more than 4 years ago | (#28865115)

I also didn't like how ActiveX morphed from a special browser-only technology into a synonym for COM and then into a replacement for OLE. At least now we've got .NET which promises to rid us of C++ once and for all.

ActiveX was designed to replace the overly complex COM way of building components. It was added to the browser later to provide a richer browser experience. I'm not sure I see C++ going anywhere, and you can build ActiveX components using C#.

Whoever thought making C/C++ an implementation language for anything as complicated as an OS ought to be shot. The number of possible vulnerabilities is through the roof, as this latest patch shows.

C was used because it was more productive than assembler, but still performed very well. Of course being so close to the metal means that it's easier for programmers to screw up... but I'm not sure C# will be used to build the base of an OS anytime soon. You'd almost have to make the CLR the OS... which while an interesting idea not one I think we'd see soon.

Re:The real mystery (1)

xniteman (1598779) | more than 4 years ago | (#28865411)

Which language will you use to write the CLR then? C# itself? Yes, it's doable. But then you can't use CLR to run your CLR implementation in C#, or it never ends. So you have to compile your C# code to binary, and consequently you can't rely on the features of CLR, such as memory management, what's the point of using C# then?

Re:The real mystery (1)

Bakkster (1529253) | more than 4 years ago | (#28865459)

Whoever thought making C/C++ an implementation language for anything as complicated as an OS ought to be shot. The number of possible vulnerabilities is through the roof, as this latest patch shows.

C was used because it was more productive than assembler, but still performed very well. Of course being so close to the metal means that it's easier for programmers to screw up... but I'm not sure C# will be used to build the base of an OS anytime soon. You'd almost have to make the CLR the OS... which while an interesting idea not one I think we'd see soon.

I thought Vista was supposed to be built with .NET, only to have those plans scrapped. If MS isn't building their OS with C# and .NET, there must be a reason.

Re:The real mystery (4, Informative)

VGPowerlord (621254) | more than 4 years ago | (#28865641)

I thought Vista was supposed to be built with .NET, only to have those plans scrapped. If MS isn't building their OS with C# and .NET, there must be a reason.

I think you're confusing Vista with Singularity [microsoft.com].

Re:The real mystery (3, Informative)

recoiledsnake (879048) | more than 4 years ago | (#28865763)

No, significant parts of Vista were supposed to be rewritten in C# but due to performance(or other) reasons, the plan was ditched in 2003/2004 and a normal C++ upgrade to XP was started. This was one of the big factors in the delay of Vista's release.

Re:The real mystery (3, Informative)

cyberdrop (939759) | more than 4 years ago | (#28866169)

The reason was not performance. It was a compatibility issue.
Currently only one version of the CLR can be loaded into a process. The CLR version of the first .NET DLL is used in the process.

This is also the reason why you should not make shell extensions in .NET. The Windows Explorer would load the shell extension DLLs in unknown order. If the first one is a .NET 1.0 DLL, all .NET 2.0 DLLs would not load.
If a program delay-loads the CLR, a simple call to the Open File Dialog would cause the .NET 1.0 CLR to be loaded into the process.

This problem will finally be solved in .NET 4.0. I think we will see the use of .NET in Windows 8...

Re:The real mystery (0)

Anonymous Coward | more than 4 years ago | (#28866237)

You just pretty much summed up as to why .NET is a complete total failure.

Re:The real mystery (2, Informative)

cyberdrop (939759) | more than 4 years ago | (#28866321)

.NET is perfectly fine for anything other than writing plugins or plugin hosts for parts of the operating system.

Re:The real mystery (0)

Anonymous Coward | more than 4 years ago | (#28865677)

When did .NET and C# become synonymous? C# is a language. .NET is a collection of libraries and frameworks. The .NET frameworks are available for use in C#, C/C++, Java, Visual Basic, etc.

Re:The real mystery (0)

Anonymous Coward | more than 4 years ago | (#28865839)

C was used because it was more productive than assembler, but still performed very well. Of course being so close to the metal means that it's easier for programmers to screw up...

Which is why bad things happen when you let mediocre developers loose on software products that need bare metal resource control for performance, slack off on project management, quality control or allow marketing dweebs and clueless PHB's to ruin the product with unrealistic deadlines.

Re:The real mystery (0)

Anonymous Coward | more than 4 years ago | (#28865139)

Protip: ActiveX has been based on COM since the beginning.
 
P.S. The developers created the bugs, not the language. Scrub.

Re:The real mystery (3, Informative)

commodore64_love (1445365) | more than 4 years ago | (#28865555)

>>>Whoever thought making C/C++ an implementation language for anything as complicated as an OS ought to be shot.

In the 1980s the C language was the best option. There wasn't anything better. And since Windows/DOS and Windows/NT were developed during the 80s, we still live with the legacy. Simple as that.

Re:The real mystery (4, Funny)

mcgrew (92797) | more than 4 years ago | (#28865633)

I've always been baffled by Microsoft marketing's insistence that ActiveX is pronounced "active" with the "X" silent. I've never met anyone who didn't pronounce the technology "Active-X".

Considering all the exploits it's made possible, I call it hActive-X.

Re:The real mystery (0)

Anonymous Coward | more than 4 years ago | (#28866289)

I thought it was pronounced acti-vex, for its vexing effect on normal system activity...

Re:The real mystery (2, Insightful)

rzei (622725) | more than 4 years ago | (#28866413)

I do not think that the problem lies in use of C/C++, but in the horrible way of using it. From what I've gathered around the Internet "why win32 is great" is that they lacked any kind of stable way of creating their (old?) APIs; everyone just created a new standard for return values and parameter handling. And on top of that some crazy macros that make Symbian code look readable in comparison.

I mean, I've only learned how to program in C/C++ (at university) but been working as a Java dev for quite some time now. Still I can almost make sense of mplayer [mplayerhq.hu]'s or ffmpeg's source code but every time I see some "Windows" C++ it's just plain awful because of all the macros and #define constants. If you ever read KDE's or Qt's sources and compare those to something done with win32... There is a massive difference.

Every tool can be miserably misused.

Re:The real mystery (1)

weicco (645927) | more than 4 years ago | (#28866597)

Whoever thought making C/C++ an implementation language for anything as complicated as an OS ought to be shot.

Ken Thompson & Dennis Ritchie (Unix), Andrew Tanenbaum (Minix), Richard Stallman (Hurd), Linus Torvalds (Linux) - You really think those guys ought to be shot? ;)

Re:The real mystery (1)

BadAnalogyGuy (945258) | more than 4 years ago | (#28866657)

I'd say at least 2 out of those 5 could stand a good shooting. Let me express it in C:

double GuysToShootRatio = 2 / 5;

Dammit!

Zombie control (0)

Anonymous Coward | more than 4 years ago | (#28865003)

Didn't Shaun of the Dead do that first?

It took 18 months... (2, Funny)

FunPika (1551249) | more than 4 years ago | (#28865015)

To make a patch that simply turned off ActiveX? I better be misreading this...

Re:It took 18 months... (1)

mortonda (5175) | more than 4 years ago | (#28865135)

To make a patch that simply turned off ActiveX? I better be misreading this...

Not only that, but it forced a reboot. Why do you need a reboot to turn off a service?

In other news, why was my machine set to install automatically... and reboot automatically... Gah! What a stupid setting!

Re:It took 18 months... (1)

Bakkster (1529253) | more than 4 years ago | (#28865477)

To make a patch that simply turned off ActiveX? I better be misreading this...

Not only that, but it forced a reboot. Why do you need a reboot to turn off a service?

Welcome to the best feature of Windows 7: turning off/on processes on demand, including IE!

Re:It took 18 months... (1)

HangingChad (677530) | more than 4 years ago | (#28865809)

Not only that, but it forced a reboot.

Woke up this am to find my token Winders box had rebooted overnight. Luckily I only use it as a weather station. I would have been pissed to wake up and find a work environment automatically rebooted. I save my work but sometimes I'll be in the middle of a project and it takes a lot of time to restore the workspace.

ActiveX is from the devil.

Re:It took 18 months... (0)

Anonymous Coward | more than 4 years ago | (#28865213)

To make a patch that simply turned off ActiveX? I better be misreading this...

If you RTFA it says they were more concerned about what might break if they did turn it off. You can't just yank something without knowing exactly what might be tied into it. Given all the libraries, files, legacy code, probably a billion lines of code made by several hundred thousand developers over the last few decades, that's an awful lot to dig through to make sure stuff doesn't break. It's already off in Vista but they rebuilt a lot of Vista so they were able to test it as they went.

Re:It took 18 months... (2, Insightful)

intheshelter (906917) | more than 4 years ago | (#28865341)

Eeaasssy big fella. The post had a point. 18 months is still ridiculous. It's almost as if MS wasn't taking security seriously and was instead wasting time on search engines, game consoles, media players, picking retail store locations and repackaging Vista as Win 7. . . . But no company could be THAT dumb and incompetent, could they?

Re:It took 18 months... (0)

Anonymous Coward | more than 4 years ago | (#28865515)

Eeaasssy big fella. The post had a point. 18 months is still ridiculous. It's almost as if MS wasn't taking security seriously and was instead wasting time on search engines, game consoles, media players, picking retail store locations and repackaging Vista as Win 7. . . .

Except those are different divisions of Microsoft that function semi-independently?

Re:It took 18 months... (1)

commodore64_love (1445365) | more than 4 years ago | (#28865625)

I'm calling Windows 7 - "Windows Vista 6.1" or "Windows NT 6.1". The truth must be told.

Actually:

  Vista/NT 6.0 ain't that bad if you upgrade your RAM to 16 gigabytes. Then it runs just as well as my XP PC with only 1/4 gig.

Re:It took 18 months... (2, Insightful)

jo42 (227475) | more than 4 years ago | (#28865269)

I'd suspect the vulnerability and solution was such a cluster frak, that it took that long to work it out without royally fraking everything else up.

Re:It took 18 months... (2, Informative)

VGPowerlord (621254) | more than 4 years ago | (#28865775)

The ActiveX killbits weren't the only thing updated. Microsoft also updated Visual Studio 2003 SP1, 2005 SP1, 2008, and 2008 SP1; along with their respective runtimes.

Kill ActiveX (1, Interesting)

Anonymous Coward | more than 4 years ago | (#28865019)

Instead of releasing a KillBit patch, why not release once and for all a Kill ActiveX patch? The Web would be a safer place.

Standard Operating Procedure (4, Insightful)

Drakkenmensch (1255800) | more than 4 years ago | (#28865037)

1. Be told of critical flaw by multiple, repeatable accounts and deny everything as a "paranoid fantasy"

2. Secretly prepare emergency patch and bury it in driver update patches

3. ???

4. PROFIT!!!

Re:Standard Operating Procedure (2, Insightful)

RenHoek (101570) | more than 4 years ago | (#28865621)

I believe step 3 here is

3. Maintain that Windows is more secure than other operating systems because bugs are fixed really quick.

Re:Standard Operating Procedure (0, Troll)

AP31R0N (723649) | more than 4 years ago | (#28865813)

1. Build an OS that needs to run on a few hundred mobos
2. ... in combination with dozens of CPUs
3. ... run on out of date (slow) hardware
4. ... run a thousand or so applications you have no control over
5. ... be used by a billion or so people
6. ... play nice with hundreds of peripherals
7. ... be able to play nice with other OSes and across the net
8. ... will be under constant attack by many many many crackers because it's the tall poppy
9. ???
10. have constant patches to address these issues within budget and time frame
11. people will still bitch!!!

Re:Standard Operating Procedure (0)

Anonymous Coward | more than 4 years ago | (#28866005)

You left out: design shit security model that's impossible to fix without fucking most of those other points.

Re:Standard Operating Procedure (2, Funny)

abigsmurf (919188) | more than 4 years ago | (#28865949)

Doesn't sound like a bad tactic to me.

*Haxx0r ur world con 2009*

Today I will demonstrate on this stage a vulnerability that MS have known about for a year! I will show off an attack that will give me control of any system!

*opens IE and visits the site with his exploit*
*nothing happens*
...
*becomes aware of the sound of crickets and 2000 people in the audience*

Let's quash this now (-1, Flamebait)

Lincolnshire Poacher (1205798) | more than 4 years ago | (#28865039)

``Microsoft's latest emergency out-of-band patch ''

Out-of-band has a specific meaning, and this is not it.

An out-of-band patch would have been deployed on CD in the post, or printed out on paper and sent by courier, or been transmitted over FIDONet. That is, via another band than the Internet.

This corruption is becoming more frequent. Yes, English needs to develop, but not through laziness.

The submitter was probably intending to say ``off-schedule''.

Lecture ends.

Re:Let's quash this now (1)

Vellmont (569020) | more than 4 years ago | (#28865119)

So in this case the "band" is simply the normal monthly patch-tuesday update. Being outside that makes it out-of-band. Why does a band have to mean an entirely different medium of communication?

In any case, you can't fight it. I've heard this usage enough that it's part of standard techno-babble.

Killbits, Killbill ... (2, Funny)

bagsta (1562275) | more than 4 years ago | (#28865091)

When I hear about killbits [technet.com], killbill [howbits.com] comes to my mind. I don't know why though...

Re:Killbits, Killbill ... (0)

Anonymous Coward | more than 4 years ago | (#28865369)

you should have tried harder making something funny out of it before posting... now, you've clearly exposed your lack of imagination

Re:Killbits, Killbill ... (0)

Anonymous Coward | more than 4 years ago | (#28865627)

funnier still is the fact that your killbill link's host has "bits" in the name. it's a sign! D:

Re:Killbits, Killbill ... (1)

Maximus633 (1316457) | more than 4 years ago | (#28866121)

When I think of killbits... I think of the video with Ballmer running across the stage and him yelling developers. Instead of it being developers it's KILLBITS! KILLBITS! KILLBITS!

darn it (1)

WeeBit (961530) | more than 4 years ago | (#28865701)

"But finally, one researcher broke ranks and explained that the patch was caused by a flaw introduced in Microsoft's own development tools. This flaw was also the source of the emergency ActiveX patch." Or one could say that Microsoft was making a mountain out of a molehill. So what else was in that patch? I have a right to question Microsoft's antics. After all, they made me paranoid.

You DO NOT have to reboot if you install manually (3, Informative)

dobedobedew (663137) | more than 4 years ago | (#28866135)

I'm not going to get into why having automatic updates on is generally a bad idea, that subject has already been beaten to death here.

WindowsXP-KB972260-x86-ENU.exe /quiet /norestart

That is the one for XP with IE6, the filenames are different for the other flavors. The list of all of the different patches is at:
http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx/ [microsoft.com]
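
A check worth running around the command in the comment above, as an added example that is not part of the original post: it installs the package with the same switches, then reports whether a restart is still needed before the replaced files are actually in use. The function names are hypothetical, the package path is assumed to be the current directory, and PowerShell 2.0 or later is assumed.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Package name and switches are the ones quoted in the comment above.
$package = '.\WindowsXP-KB972260-x86-ENU.exe'

function Test-PendingFileRename {
    # Files that were locked during install are queued in this value and
    # only swapped in at the next boot. Other installers write here too,
    # so a hit means "some restart is pending", not necessarily this patch.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $item = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    return [bool]($item.PendingFileRenameOperations | Where-Object { $_ })
}

function Install-UpdateNoRestart {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Package not found: $Path" }
    $proc = Start-Process -FilePath $Path -ArgumentList '/quiet', '/norestart' -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { 'Installed' }
        3010    { 'InstalledRestartRequired' }   # ERROR_SUCCESS_REBOOT_REQUIRED
        default { "Failed:$($proc.ExitCode)" }
    }
}

$status  = Install-UpdateNoRestart -Path $package
$pending = Test-PendingFileRename
# Get-HotFix returns nothing if the update is not registered on this machine.
$hotfix  = Get-HotFix -Id 'KB972260' -ErrorAction SilentlyContinue

New-Object PSObject -Property @{
    Package           = $package
    InstallStatus     = $status
    RegisteredHotFix  = [bool]$hotfix
    FileRenamePending = $pending
    # Treat the machine as still exposed until both signals are clear.
    RestartStillNeeded = ($status -eq 'InstalledRestartRequired') -or $pending
}
```

If `RestartStillNeeded` is true, the old binaries are still loaded, so schedule the reboot rather than skipping it.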