Re: [Full-Disclosure] SP2 is killing me. Help?

From: Shannon Johnston (sjohnston_at_cavionplus.com)
Date: 08/13/04

    To: Luke Lussier <luke@intrinsix.net>
    Date: Fri, 13 Aug 2004 01:23:30 -0600
    
    

    Luke Lussier wrote:

    > spamfp@intrinsix.net
    > On Aug 12, 2004, at 10:19 PM, Phillip R. Paradis wrote:
    >
    >>> -----Original Message-----
    >>> From: full-disclosure-admin@lists.netsys.com
    >>> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of xtrecate
    >>
    >>
    >>> Ultimately what difference to an end user does it make if the
    >>> applications
    >>> are broken by a service pack install or a virus?
    >>
    >>
    >> None at all. But the user has control over installing service packs.
    >> And the
    >> user should have read the warnings BEFORE installing it, not after
    >> they discover
    >> something is broken.
    >>
    A-men brother! I feel that this is a bigger problem than originally
    thought. After reading all the complaints about what is wrong with SP2,
    I feel completely un-sympathetic to those who don't bother to read the
    release notes...

    Shannon Johnston

    >>> I think the update
    >>> provides some long needed changes to the fundamental
    >>> operation of Windows,
    >>> however if Microsoft knew of the potential problems via RC2
    >>> testing, I'd
    >>> have thought they'd do a little more to rectify those
    >>> problems than simply
    >>> releasing and disclaiming.
    >>
    >>
    >> Most of those problems are a result of a very simple problem. For
    >> certain
    >> security issues, it is possible to remain compatible with old,
    >> generally poorly
    >> written code, or to fix the security problem, but not both. There are
    >> some
    >> security issues that simply could not be fixed without creating
    >> compatibility
    >> issues. The data execution issue is one clear example; making blocks
    >> of memory
    >> allocated for data non-executable is a very effective way of
    >> preventing buffer
    >> overrun exploits from executing arbitrary code. The downside is that
    >> software
    >> (such as DivX) that intentionally tries to execute data won't work
    >> anymore.
    >> Given the choice between a secure system and a few badly written
    >> programs, I'd
    >> rather take the secure system and let the developers of those few
    >> programs that
    >> don't work due to lazy coding fix their products. Microsoft has in
    >> the past
    >> always taken the route of less security and more compatibility, and
    >> I, for one,
    >> think it's a good thing that their attitude has changed somewhat.
    >>
    >>
    >> _______________________________________________
    >> Full-Disclosure - We believe in it.
    >> Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
    >

