__/ [ Roy Schestowitz ] on Saturday 28 April 2007 11:50 \__
> __/ [ Erik Funkenbusch ] on Saturday 28 April 2007 08:45 \__
>> On Sat, 28 Apr 2007 03:52:30 +0100, Roy Schestowitz wrote:
>>> Microsoft mulling major changes to ward off .ANI-type flaws
>>> ,----[ Quote ]
>>>| During the creation of Windows Vista, more than 140,000 unsafe API calls
>>>| were banned and Howard hinted that one more -- "memcpy" -- might be
>>>| added to the list for new code coming out of Redmond.
>>>| "The SDL is not perfect, nor will it ever ever be perfect," Howard
>>>| argued. "We still have work to do, and this bug shows that. We have
>>>| a new -GS pragma that adds more stack cookies; we've updated our
>>>| fuzz tools; we will pay closer attention to exception handlers that
>>>| could mask vulnerabilities, and we will investigate the impact of
>>>| banning "memcpy" for new code," he added.
>> I'm struggling to find *ANY* way that you could possibly not be lying
>> here. This article talks about Microsoft's software development lifecycle,
>> and how they are taking steps by barring the use of functions that have a
>> history of unsafe use, as well as various tools to help identify flawed
>> code. Yet your title says that Microsoft is issuing some hack patch to
>> fix Windows.
>> They're two *ENTIRELY* different concepts. One is a proactive stance
>> taken by professional developers (OpenBSD uses a similar approach), and
>> the other is creating a crappy piece of code.
>> Do you not even read the articles you link to? How do you justify
>> fabricating these subject lines?
> Subject lines modified to get past filters, eh?
> Do you consider the following measure a step towards security? Or is it
> just a workaround for flawed design?
Runs away again?
> Program Names govern admin rights in Vista
> ,----[ Quote ]
> | "This is a little bit silly: just name the installer something
> | else, and Vista lets it through," Chess said. He added that
> | although the feature is imperfect and inconvenient, it's
> | "better than nothing".
~~ Best regards
Roy S. Schestowitz | Proprietary cripples communication
http://Schestowitz.com | Open Prospects ¦ PGP-Key: 0x74572E8E
Tasks: 114 total, 1 running, 112 sleeping, 0 stopped, 1 zombie
http://iuron.com - knowledge engine, not a search engine