Re: Endless Buffer Overruns
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 09/23/04
Date: Thu, 23 Sep 2004 01:39:27 -0400
He isn't attacking open source; he is saying that they are in the same boat as
everyone else, or that MS is in the same boat as everyone else. A further point
is that even having lots of people not within a company looking at the code
doesn't make it error free either.
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Hamlet wrote:
> Dude,
> Why do you always insist on working the fact that the Open Source folks
> have problems into your posts? Didn't we leave the "I know you are, but what
> am I?" stuff on the playground?
>
> H
>
>
> "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
> news:e51f18d1.0409170656.5cfe967a@posting.google.com...
>
>>The fact that even www.OpenBSD.org and Linux have been vulnerable to
>>both local and remote buffer overflows and require frequent patching,
>>despite the fact that OpenBSD contains way fewer lines of code, the
>>code is open source and has been reviewed by many, has no GUI, little
>>interoperability and almost all functionality is disabled by default
>>proves that preventing buffer overflows is way harder than you would
>>expect.
>>
>>Windows and MS software, by comparison, is programmed by large teams
>>of people, each team working on different sub-sub-components.
>>Communication between teams working on the same software, let alone
>>between sub-teams working on different software like Windows, Office
>>and IE, has to be a huge challenge.
>>
>>You might ask why so many buffer overflow vulnerabilities for Linux,
>>Mozilla, SSH, BIND, etc. continue to be found and released.
>>
>>
>>"Duane" <nospam@aol.com> wrote in message
>>news:<Oy9#qgDnEHA.1672@TK2MSFTNGP09.phx.gbl>...
>>
>>>I see yet another update (JPEG) involving the same type of ongoing buffer
>>>overrun vulnerability. Could someone please help me understand why this
>>>situation has not been corrected?
>>>
>>>I'm approaching this from a programmer point of view. I have made mistakes
>>>and overlooked errors in my code. However, when I am made aware of a type
>>>of error, I go back and fix ALL of those types of errors. At least as many
>>>as I know about. Why doesn't Microsoft? If they don't know about all the
>>>buffer overrun areas, shouldn't they have a team that verifies the code?
>>>
>>>Maybe I don't understand what buffer overrun is/does. I would think it is
>>>when some programmer makes a mistake in address pointers and his program
>>>writes outside of allocated memory. Since this is a big (there's endless
>>>updates on such) and repeating security issue, why not at the very minimum
>>>check, double check, and triple check all areas where there could even be a
>>>potential of buffer overrun? Or, even better, design the system so that
>>>programs cannot even possibly write outside of their allocated memory? Or,
>>>if there is some reason that's necessary under such-and-such circumstances,
>>>I would think Microsoft's programs shouldn't do that and therefore should
>>>have a flag that prohibits them from writing outside allocated memory.
>>>
>>>Maybe someone can explain why this is an ongoing issue that cannot be
>>>corrected, but otherwise I see no excuse for it.
>>>
>>>Duane