
Re: [Roy Schestowitz Lies Again] Windows Gets Another 'Hack' to Fix Inherently-insecure System (was: [News] Windows Gets Another 'Hack' to Fix Inherently-insecure System)

__/ [ Roy Schestowitz ] on Saturday 28 April 2007 11:50 \__

> __/ [ Erik Funkenbusch ] on Saturday 28 April 2007 08:45 \__
> 
>> On Sat, 28 Apr 2007 03:52:30 +0100, Roy Schestowitz wrote:
>> 
>>> Microsoft mulling major changes to ward off .ANI-type flaws
>>> 
>>> ,----[ Quote ]
>>>| During the creation of Windows Vista, more than 140,000 unsafe API calls
>>>| were banned and Howard hinted that one more -- "memcpy" -- might be
>>>| added to the list for new code coming out of Redmond.
>>>| 
>>>| [...]
>>>| 
>>>| "The SDL is not perfect, nor will it ever ever be perfect," Howard
>>>| argued. "We still have work to do, and this bug shows that. We have
>>>| a new -GS pragma that adds more stack cookies; we've updated our
>>>| fuzz tools; we will pay closer attention to exception handlers that
>>>| could mask vulnerabilities, and we will investigate the impact of
>>>| banning "memcpy" for new code," he added.
>>> `----
>>> 
>>> http://blogs.zdnet.com/security/?p=181
>> 
>> I'm struggling to find *ANY* way that you could possibly not be lying
>> here. This article talks about Microsoft's software development lifecycle,
>> and how they are taking steps by barring the use of functions that have a
>> history of unsafe use, as well as various tools to help identify flawed
>> code.  Yet your title says that Microsoft is issuing some hack patch to
>> fix Windows.
>> 
>> They're two *ENTIRELY* different concepts.  One is a proactive stance
>> taken by professional developers (OpenBSD uses a similar approach), and
>> the other is creating a crappy piece of code.
>> 
>> Do you not even read the articles you link to?  How do you justify
>> fabricating these subject lines?
> 
> Subject lines modified to get past filters, eh?
> 
> Do you consider the following measure a step towards security? Or is it
> just a workaround for flawed design?


*bump*

Runs away again?


> Program Names govern admin rights in Vista
> 
> ,----[ Quote ]
> | "This is a little bit silly: just name the installer something
> | else, and Vista lets it through," Chess said. He added that
> | although the feature is imperfect and inconvenient, it's
> | "better than nothing".
> `----
> 
> http://www.theregister.co.uk/2007/04/23/vista_program_naming_oddness/

-- 
                ~~ Best regards

Roy S. Schestowitz      |    Proprietary cripples communication
http://Schestowitz.com  |  Open Prospects   ¦     PGP-Key: 0x74572E8E
Tasks: 114 total,   1 running, 112 sleeping,   0 stopped,   1 zombie
      http://iuron.com - knowledge engine, not a search engine
