lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0A3287CF-ECF0-11D8-B4E4-00306584AF20@intrinsix.net>
From: luke at intrinsix.net (Luke Lussier)
Subject: SP2 is killing me. Help?

spamfp@...rinsix.net
On Aug 12, 2004, at 10:19 PM, Phillip R. Paradis wrote:

>> -----Original Message-----
>> From: full-disclosure-admin@...ts.netsys.com
>> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of xtrecate
>
>> Ultimately what difference to an end user does it make if the
>> applications
>> are broken by a service pack install or a virus?
>
> None at all. But the user has control over installing service packs. 
> And the
> user should have read the warnings BEFORE installing it, not after 
> they discover
> something is broken.
>
>> I think the update
>> provides some long needed changes to the fundamental
>> operation of Windows,
>> however if Microsoft knew of the potential problems via RC2
>> testing, I'd
>> have thought they'd do a little more to rectify those
>> problems than simply
>> releasing and disclaiming.
>
> Most of those problems are a result of a very simple problem. For 
> certain
> security issues, it is possible to remain compatible with old, 
> generally poorly
> written code, or to fix the security problem, but not both. There are 
> some
> security issues that simply could not be fixed without creating 
> compatibility
> issues. The data execution issue is one clear example; making blocks 
> of memory
> allocated for data non-executable is a very effective way of 
> preventing buffer
> overrun exploits from executing arbitrary code. The downside is that 
> software
> (such as DivX) that intentionally tries to execute data won't work 
> anymore.
> Given the choice between a secure system and a few badly written 
> programs, I'd
> rather take the secure system and let the developers of those few 
> programs that
> don't work due to lazy coding fix their products. Microsoft has in the 
> past
> always taken the route of less security and more compatibility, and I, 
> for one,
> think it's a good thing that their attitude has changed somewhat.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ