lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <009201c480e4$666ec210$0501a8c0@andromeda>
From: prp17 at adelphia.net (Phillip R. Paradis)
Subject: SP2 is killing me. Help?

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of xtrecate

> Ultimately what difference to an end user does it make if the 
> applications
> are broken by a service pack install or a virus?

None at all. But the user has control over installing service packs. And the
user should have read the warnings BEFORE installing it, not after they discover
something is broken. 

> I think the update
> provides some long needed changes to the fundamental 
> operation of Windows,
> however if Microsoft knew of the potential problems via RC2 
> testing, I'd
> have thought they'd do a little more to rectify those 
> problems than simply
> releasing and disclaiming. 

Most of those problems are a result of a very simple problem. For certain
security issues, it is possible to remain compatible with old, generally poorly
written code, or to fix the security problem, but not both. There are some
security issues that simply could not be fixed without creating compatibility
issues. The data execution issue is one clear example; making blocks of memory
allocated for data non-executable is a very effective way of preventing buffer
overrun exploits from executing arbitrary code. The downside is that software
(such as DivX) that intentionally tries to execute data won't work anymore.
Given the choice between a secure system and a few badly written programs, I'd
rather take the secure system and let the developers of those few programs that
don't work due to lazy coding fix their products. Microsoft has in the past
always taken the route of less security and more compatibility, and I, for one,
think it's a good thing that their attitude has changed somewhat.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ