Open Source and information security mailing list archives
 
Message-ID: <411C6C72.8010906@cavionplus.com>
From: sjohnston at cavionplus.com (Shannon Johnston)
Subject: SP2 is killing me. Help?

Luke Lussier wrote:

> spamfp@...rinsix.net
> On Aug 12, 2004, at 10:19 PM, Phillip R. Paradis wrote:
>
>>> -----Original Message-----
>>> From: full-disclosure-admin@...ts.netsys.com
>>> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of xtrecate
>>
>>
>>> Ultimately what difference to an end user does it make if the applications
>>> are broken by a service pack install or a virus?
>>
>>
>> None at all. But the user has control over installing service packs. And the
>> user should have read the warnings BEFORE installing it, not after they discover
>> something is broken.
>>
A-men brother! I feel that this is a bigger problem than originally 
thought. After reading all the complaints about what is wrong with SP2, 
I feel completely un-sympathetic to those who don't bother to read the 
release notes...

Shannon Johnston

>>> I think the update provides some long needed changes to the fundamental
>>> operation of Windows, however if Microsoft knew of the potential problems via
>>> RC2 testing, I'd have thought they'd do a little more to rectify those
>>> problems than simply releasing and disclaiming.
>>
>>
>> Most of those problems are a result of a very simple problem. For certain
>> security issues, it is possible to remain compatible with old, generally poorly
>> written code, or to fix the security problem, but not both. There are some
>> security issues that simply could not be fixed without creating compatibility
>> issues. The data execution issue is one clear example; making blocks of memory
>> allocated for data non-executable is a very effective way of preventing buffer
>> overrun exploits from executing arbitrary code. The downside is that software
>> (such as DivX) that intentionally tries to execute data won't work anymore.
>> Given the choice between a secure system and a few badly written programs, I'd
>> rather take the secure system and let the developers of those few programs that
>> don't work due to lazy coding fix their products. Microsoft has in the past
>> always taken the route of less security and more compatibility, and I, for one,
>> think it's a good thing that their attitude has changed somewhat.
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.netsys.com/full-disclosure-charter.html


