Microsoft urges computer users to install security tool (1 Viewer)

scotjimland

LIFE MEMBER
Jul 25, 2007
2,084
9,006
Suffolk Coastal District, UK
Funster No
15
MH
Timberland
Microsoft has urged Windows users to install a free piece of security software to protect PCs from a newly discovered bug in the Internet Explorer browser.

The security flaw, which researchers say could allow hackers to take remote control of an infected PC, affects Internet Explorer browsers used by hundreds of millions of consumers and workers. Microsoft said customers should install the security software as an interim measure, buying it time to fix the bug and release a new, more secure version of Internet Explorer.

It affects Internet Explorer versions 7, 8 and 9 on Windows XP, Vista and 7 operating systems. IE 10 is not affected. Malicious code is downloaded to computers when users visit infected websites.


Read more: http://www.smh.com.au/it-pro/securi...curity-tool-20120918-263vv.html#ixzz26nj4H7A9

Microsoft Security Advisor
 

GJH

LIFE MEMBER
Aug 20, 2007
29,450
38,828
Acklam, Teesside, originally Glossop
Funster No
127
MH
None, now sold
Exp
2006 to 2022
When will Microsoft learn that simply publishing untested software is not acceptable?

It doesn't help when journalists publish statements like "Zero-day vulnerabilities are rare, mostly because they are hard to identify - requiring highly skilled software engineers or hackers with lots of time to scrutinise code for holes that can be exploited to launch attacks."

Is there anything which is more round objects than something like that? You don't "scrutinise code for holes" any more than you build a ship and launch it into the water to discover whether any welds have gaps. You construct a watertight business specification and then test code against that.
 

injebreck99

Free Member
Dec 5, 2011
1,706
1,795
norfolk
Funster No
19,123
MH
Low profile C Class
Exp
Since 1997
Microsoft security

I was advised to download a anti virus called Microsoft Essentialls by a so called "Expert",looked and appeared to be a genuine Mocrosoft addition, I did so and it completely ****ed up my laptop, had to have it completely wiped and start again, now back with my origional Norton AV, which has been no trouble at all. :Doh:
 

ShiftZZ

LIFE MEMBER
Feb 19, 2008
21,379
84,094
Dark Side of the Moon
Funster No
1,546
MH
A class
Exp
Since 2007
This is version IE9 and they are still finding holes, Microsoft, far too big, far too lazy and making far too much money..

Subscribers  do not see these advertisements

 

GJH

LIFE MEMBER
Aug 20, 2007
29,450
38,828
Acklam, Teesside, originally Glossop
Funster No
127
MH
None, now sold
Exp
2006 to 2022
This is version IE9 and they are still finding holes, Microsoft, far too big, far too lazy and making far too much money..

Only finding holes or creating more? ::bigsmile:

As I've often said, a computer system is like a pyramid.

Properly designed it starts life sat on a firm base. Some, as they are added to over the years, without any proper consideration of what effect changes have on the original specification and without proper testing, gradually turn until they are completely upside down and teetering on a tiny point.
 

Geo

Trader - Funster
Jul 29, 2007
11,757
14,563
Mansfield,Notts
Funster No
35
MH
Autotrail Tracker FB
Exp
45 +years with breaks
Only finding holes or creating more? ::bigsmile:

As I've often said, a computer system is like a pyramid.

Properly designed it starts life sat on a firm base. Some, as they are added to over the years, without any proper consideration of what effect changes have on the original specification and without proper testing, gradually turn until they are completely upside down and teetering on a tiny point.

Australian Pyramids:thumb:
 

slobadoberbob

Free Member
Jun 1, 2009
6,151
1,960
Kent, garden of England
Funster No
6,953
MH
Winnebago 23' something
Exp
25 years & counting
so much better with an MacBook Pro etc.,

Do not seem to get these continued issues with a MAC:ROFLMAO::ROFLMAO::ROFLMAO:

Bob:Blush:

Subscribers  do not see these advertisements

 
Feb 27, 2011
14,670
74,872
UK
Funster No
15,452
MH
Self Build
Exp
Since 2005
When will Microsoft learn that simply publishing untested software is not acceptable?

It doesn't help when journalists publish statements like "Zero-day vulnerabilities are rare, mostly because they are hard to identify - requiring highly skilled software engineers or hackers with lots of time to scrutinise code for holes that can be exploited to launch attacks."

Is there anything which is more round objects than something like that? You don't "scrutinise code for holes" any more than you build a ship and launch it into the water to discover whether any welds have gaps. You construct a watertight business specification and then test code against that.


I can't believe I am going to come to Microsofts defense here.

Graham, I have to ask you when was the last time you developed a program that included millions of lines of code, linked to external libraries and ran on the worlds most popular target for hackers? How did that go was every single line of code perfect in every way? did you anticipate every stupid thing your users could do? Did you you rely on any calls to the operating system and if so did you always sanitise all parameters you passed before passing them? Did you always check returns and ensure they within bounds even for something that should not fail? Did your unit testing cover every possible not just conceivable problem?

I could go on...

Writing software is incredibly difficult to get 100% right. I used to slam Microsoft for the security and reliability in their software but over the last 10 years they have done a lot and keep doing more. I now believe it is their top priority and I do applaud the progress they have made. They introduced DEP and ASLR in previous releases of windows which has improved thing dramatically. Zero day exploits that don't require a dumbass user to do something stupid are rare these days in comparison to what they used to be.
If you want to launch at a company for insecure software I personally hate Adobe and Oracle, I refuse to have their crap on any of my computers.
 

GJH

LIFE MEMBER
Aug 20, 2007
29,450
38,828
Acklam, Teesside, originally Glossop
Funster No
127
MH
None, now sold
Exp
2006 to 2022
I can't believe I am going to come to Microsofts defense here.

Graham, I have to ask you when was the last time you developed a program that included millions of lines of code, linked to external libraries and ran on the worlds most popular target for hackers?
Never millions of lines of code (only thousands) and in pre-hacking days but that is not the point. To test properly, data has to be set up to test against the (business not program) specification not against the program as coded.

How did that go was every single line of code perfect in every way?
Very nearly.

did you anticipate every stupid thing your users could do?
It doesn't matter what stupid things users do as long as every condition which can be returned is trapped and dealt with.

Did you you rely on any calls to the operating system and if so did you always sanitise all parameters you passed before passing them?
Yes.

Did you always check returns and ensure they within bounds even for something that should not fail?
Yes.

Did your unit testing cover every possible not just conceivable problem?
Yes - and so did system testing.

All of the above was what we did as a matter of course 40 years ago. It was in later years that companies started cutting corners by reducing testing. That does not make it acceptable or excusable.

I could go on...

Writing software is incredibly difficult to get 100% right.
Software development is no more incredibly difficult than any other engineering. It would be unacceptable if something like The Shard fell apart and it should be just as unacceptable if software on which people rely falls apart.

Subscribers  do not see these advertisements

 
Feb 27, 2011
14,670
74,872
UK
Funster No
15,452
MH
Self Build
Exp
Since 2005
Software development is no more incredibly difficult than any other engineering. It would be unacceptable if something like The Shard fell apart and it should be just as unacceptable if software on which people rely falls apart.

I disagree. The shard falling apart is a much bigger problem than a computer being exploited. There are cost/benefit/risk issues here.

For instance aircraft manufacturers and NASA for example use three computers running different systems which each comparing their results against each other. They still make cock ups such as the Airbus crash (Air France Flight 296). Where the system was not designed to anticipate the situation. If Microsoft were to apply the same engineering principles (disregarding risk and cost benefit analysis) they would insist that it was only run on computers with 3 different processors. Internet explorer would be written in 3 different languages by three different teams and they would have to compare results before displaying them. Each instance would be run in a sandbox with an extra program monitoring all memory and transactions for out of bounds or other risk indicators. The security restrictions alone would make the internet unusable. Internet explorer wouldn't be free it would cost £5,000 per copy to reflect the cost of development and would only run on these triple cpu computers. With computers you have to balance ease of use against security. It is possible to make a close to 100% secure computer but it wouldn't do anything useful.

Another example is of the twin towers. They were very well engineered but didn't anticipate jets being flown into them. In the same way a computer programmer will write software designed for a purpose. He will attempt to test every input/output operation but there will always be some unanticipated input that will cause the system to fail. New tower blocks are now built with the jet impact possibility in mind. The terrorists will have to come up with a new way of destroying big buildings or move to a different target. This is what is happening in the software engineering world. With the addition of DEP and ASLR the "building" is now engineered to withstand all the old school attacks and makes the cost to the hackers so much higher. This is why we have fewer 0 days now. Hackers are now finding ways around these because the value in exploiting a computer is so high that the benefit outweighs the cost.

I am an old school programmer who started off on Z80 assembler moving through 6510, 68K asm. Then through C and C++ these days I mainly do server admin but still develop in PHP.. I regularly study up on best practices and security as this is essential to my living. I consider myself a competent programmer with a firm understanding of the underlying architecture and system security. However I am not complacent or conceited enough to think that my software would withstand a full on attack by expert or experienced security professionals if they set their minds to it.

I will add one more question.. Was your software a huge target for hackers due to it being installed on 100's of millions of computers world wide? Are you confident that your software could have stood up to extremely close scrutiny by security experts who specialise in exploiting systems?

PS: I am not denigrating your obviously vast experience of programming. I just believe your expectations are way too high.
 
Feb 27, 2011
14,670
74,872
UK
Funster No
15,452
MH
Self Build
Exp
Since 2005
Do not seem to get these continued issues with a MAC:ROFLMAO::ROFLMAO::ROFLMAO:

Bob:Blush:

:ROFLMAO::ROFLMAO::ROFLMAO::ROFLMAO::ROFLMAO::ROFLMAO::ROFLMAO:
http://www.zdnet.com/blog/ou/extremely-critical-mac-os-x-zero-day-exploit-released/163

This guy has a regular punt at OS/X he may be due for another look... Last time he found 20 Zero Day expoloits.
http://www.engadget.com/2010/03/19/charlie-miller-to-reveal-20-zero-day-security-holes-in-mac-os-x/

He also has the odd pop at IOS
http://www.engadget.com/2011/11/07/charlie-millers-latest-ios-hack-gets-into-the-app-store-gets-h/

He even has goes at the processor in the battery pack :ROFLMAO::ROFLMAO:
http://www.engadget.com/2011/07/22/charlie-miller-finds-macbook-battery-security-hole-plans-to-fil/

He can even hack your iPhone using a single character SMS message:Doh:
http://appleinsider.com/articles/09/07/29/sms_hack_could_leave_every_iphone_vulnerable.html

I could list more but you get the idea:Eeek:

Just imagine how bad Apples security reputation would be if Apple had 50% market share and became of interest to the majority of the black hats? Imagine 1000's of Charlie Millers all gunning for your secure Macs and iDevices?
 
Feb 27, 2011
14,670
74,872
UK
Funster No
15,452
MH
Self Build
Exp
Since 2005
I was searching for a quote by Charlie Miller for my previous post but couldn't find it. I have found it now...

Why Safari? Why didn't you go after IE or Safari?
It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows.
It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it.
Full article here
http://www.zdnet.com/blog/security/questions-for-pwn2own-hacker-charlie-miller/2941

Another quote for those who won't read it..

On a scale of 1-10, how impressive was the Broken Link Removed?
I was surprised. For IE 8, I'd give him a 9 out of 10. For Safari, maybe a 2. It's just too easy to pop Safari. For Firefox on Windows, I give him a 10. That was the most impressive of the three. It's really hard to exploit Firefox on Windows.

Subscribers  do not see these advertisements

 
Last edited:

GJH

LIFE MEMBER
Aug 20, 2007
29,450
38,828
Acklam, Teesside, originally Glossop
Funster No
127
MH
None, now sold
Exp
2006 to 2022
I think the salient point in your argument, Karl is "Where the system was not designed to anticipate the situation." That is where the upside down pyramid comes from - companies cut back on design and testing in order to save money and so what if the consumer suffers. Hacking has been a problem for long enough now for us to expect that combating it is part of the design and that the software has been properly tested against that design.

That is not, though, what Microsoft and other companies do. They take short cuts and do not trap the full range of invalid conditions. A few years ago I discovered a bug in IE which meant that it just stopped if anything other than two values appeared in a particular field. That should never, ever happen. Properly written software should always return an error condition when a test on a field identifies an invalid value. Microsoft admitted at the time that they only undertake field trials not proper testing - note the end of the last sentence below
If a problem isn’t encountered or no one tells us about it, then it will be missed.* I searched our database and this is the first report of the problem, which is surprising seeing how easy it is to reproduce.*
That is not an acceptable standard of testing.

If IE (and other Microsoft software) were simply sold as part of hobby systems (which is what the vast majority of PC owners run), then it would be a different matter. The thing is, though, that it isn't; it is sold as a a business tool - so what would be wrong with IE costing £5,000 a copy if that is what it takes to engineer it to the claimed standards?

With all due respect, Z80 assembler is not old school programming. We were producing far more complex systems before Zilog was even formed. Obviously that software wasn't vulnerable to hackers because it was run on closed systems. That, though, is immaterial. The testing regimes we ran were the equivalent of hackers because the testing regimes were deliberately designed to find any faults
 
Feb 27, 2011
14,670
74,872
UK
Funster No
15,452
MH
Self Build
Exp
Since 2005
I think we will have to agree to disagree Graham:thumb:

Google has chucked vast amounts of resources at making Chrome secure and fast. They have some of the best programmers around and they are still suffering from zero day exploits... You can't design for something you can't anticipate.

What I meant by old school was I understand things at the processor level. I started writing games where individual instruction timings and every byte of memory mattered. I had to do everything within a fixed amount of time (vblank) consistently and reliably.

In comparison to todays kids who only learn high level languages, don't understand the underlying processor and build against vast libraries of code rather than writing everything themselves.

How many kids today could write a simple bubble sort in asm? How many could write a version of space invaders that would fit on the boot sector of a floppy disk (just under 1K). I will let even them use mode 13h:thumb:
 
Last edited:

GJH

LIFE MEMBER
Aug 20, 2007
29,450
38,828
Acklam, Teesside, originally Glossop
Funster No
127
MH
None, now sold
Exp
2006 to 2022
Google has chucked vast amounts of resources at making Chrome secure and fast. They have some of the best programmers around and they are still suffering from zero day exploits... You can't design for something you can't anticipate.
But the point is that you can anticipate if you undertake a rigorous requirements definition - which says what the resulting system must allow and what it must reject (i.e. anything which is not allowed). Problems arise when testing is not done against what the requirements say but against what the design says (or, even worse, what the code says). If a data field has valid values of 1, 2 and 3 the lazy programmer (probably coder these days) will test for 1 and 2 and, if it is neither, assume the value must be 3. A real programmer will test for 1, 2 and 3 and trap anything else as an error. Scale that up to the level of the business requirements and it is still only, logically, the same.

What I meant by old school was I understand things at the processor level. I started writing games where individual instruction timings and every byte of memory mattered. I had to do everything within a fixed amount of time (vblank) consistently and reliably.

In comparison to todays kids who only learn high level languages, don't understand the underlying processor and build against vast libraries of code rather than writing everything themselves.

How many kids today could write a simple bubble sort in asm? How many could write a version of space invaders that would fit on the boot sector of a floppy disk (just under 1K). I will let even them use mode 13h:thumb:
Now there we do agree :Smile: Although 1K is rather a large amount of space isn't it? :Smile: Seriously, it pains me when I see business systems running like 3 legged tortoises on modern hardware when they have no more functionality than their counterparts of the early 70s which ran much more efficiently on a 360/30.

It doesn't matter if kids at home are simply plugging modules from code libraries together like Lego blocks. It does matter when major software companies do the same.

Subscribers  do not see these advertisements

 
Feb 27, 2011
14,670
74,872
UK
Funster No
15,452
MH
Self Build
Exp
Since 2005
But the point is that you can anticipate if you undertake a rigorous requirements definition - which says what the resulting system must allow and what it must reject (i.e. anything which is not allowed). Problems arise when testing is not done against what the requirements say but against what the design says (or, even worse, what the code says). If a data field has valid values of 1, 2 and 3 the lazy programmer (probably coder these days) will test for 1 and 2 and, if it is neither, assume the value must be 3. A real programmer will test for 1, 2 and 3 and trap anything else as an error. Scale that up to the level of the business requirements and it is still only, logically, the same.


Now there we do agree :Smile: Although 1K is rather a large amount of space isn't it? :Smile: Seriously, it pains me when I see business systems running like 3 legged tortoises on modern hardware when they have no more functionality than their counterparts of the early 70s which ran much more efficiently on a 360/30.

It doesn't matter if kids at home are simply plugging modules from code libraries together like Lego blocks. It does matter when major software companies do the same.

I totally agree on all of that....

Any software that gets exploited through a simple example like yours deserves for the author to be birched. Even stack overflow exploits are extremely rare now. The blackhats have moved beyond such simple problems. With garbage collection and high level memory management routines problems like you list and stack overflows are rare now. DEP makes even stack overflow exploits difficult.

I think if you were to look into this a little more you would see that it is not simple bugs that are being used by the blackhats.

Not checking the validity of variables is the equivalent of leaving your keys in the ignition and walking away. That is not what happened in this case.

This particular zero day exploit involved downloading a flash file which amongst other things did heap spraying. It was another running program that did the damage possible by changing the environment in which IE was running.
 
Feb 27, 2011
14,670
74,872
UK
Funster No
15,452
MH
Self Build
Exp
Since 2005
Here is a simplified example (not technically accurate but for explanation purposes)

In the old days a plugin would run with the same execution privileges as the browser. All a naughty plugin had to do was run. Back then they didn't anticipate things like online banking and how important the internet would become.

The browser makers then changed the privileges at launch of a plugin so that the plugin ran as a different user to the browser and didn't have access to certain features of the underlying operating system. It could no longer modify system files. In IE this is called security zones and levels.

The blackhats then had find a new trick. This time they had to look for privilege escalation bugs. What they looked for was buffer overflow or stack overflow bugs. For many years this was the main security risk to browsers and still occasionally happens today. This is now well tested for so is increasingly rare.

To stop these the OS writers created DEP. Data Execution Protection. This prevented blackhats pushing data onto the stack or into a buffer and causing it be executed. So should a programmer make a mistake that isn't caught by unit testing or other tests it is mitigated by the OS itself.

The blackhats then had to find a different method. They started loading registers with specific values and jumping to system memory at specific places. You can imagine how this caused problems. Other methods involved changing system data tables manually. Routines that were not designed to be jumped directly into were exploited sidestepping checks.

To prevent this the OS creators implemented ASLR. Address Space Loading Randomisation. This is where the modules that make up the OS are loaded to a different place in memory each time (other things are randomised as well). This makes the above attacks difficult if not impossible,

Browser makers are also working just as hard with things like sandboxing and virtualisation.

Each time one means of attack is discovered the programmers of Browsers and OS step up the defences. It is a war and nothing like the clean and predictable science of engineering.
 

Carol

LIFE MEMBER
Oct 2, 2007
14,044
111,471
North Wales.
Funster No
519
MH
A class
Exp
18 years s Motorhome (33years caravans)
Now because I am one of those people who most of that is double dutch to me, but I do know to trust Graham / Grommet and others so is there a link I need to press to safeguard my windows 7 system. Thanks :Smile:

Subscribers  do not see these advertisements

 

GJH

LIFE MEMBER
Aug 20, 2007
29,450
38,828
Acklam, Teesside, originally Glossop
Funster No
127
MH
None, now sold
Exp
2006 to 2022
(snip)To stop these the OS writers created DEP. Data Execution Protection.(snip)
To prevent this the OS creators implemented ASLR. Address Space Loading Randomisation.(snip)
I know it's a bit old fashioned but why didn't they just include such measures in the first place rather than add them on when they discovered a problem? If it could be done in the 11970s it could be done now :Doh::Smile:

Subscribers  do not see these advertisements

 
Feb 27, 2011
14,670
74,872
UK
Funster No
15,452
MH
Self Build
Exp
Since 2005
I know it's a bit old fashioned but why didn't they just include such measures in the first place rather than add them on when they discovered a problem? If it could be done in the 11970s it could be done now :Doh::Smile:

Because it wasn't needed and why waste valuable memory on something that wasn't needed or even anticipated. Hackers will always find a way into a system if they are determined enough.

This is what I am trying to say.. It doesn't matter how rigorous you make the software design and creation process there will always be a way around it.

It's a bit like the Vaughban fortifications in France. They were amazingly well engineered. Brilliantly so. But the second the plane came along they were defunct. Tanks are amazing bits of technology that have developed over the last 100 years? The latest ones have grills and active armour to overcome RPG's. But they are superfluous to needs these days as an enemy can take them out with precision air munitions.

The battle with the hacker is pretty much like that.

Back in the day when computers had 1Kb of memory or even 64Kb you could validate every byte and make sure it was there for a reason. Nowadays with 4294967296 Bytes in your average home computer it is no longer possible especially with all the apps, plugins, utilities on top of an enourmously complex operating system.
 

GJH

LIFE MEMBER
Aug 20, 2007
29,450
38,828
Acklam, Teesside, originally Glossop
Funster No
127
MH
None, now sold
Exp
2006 to 2022
Because it wasn't needed and why waste valuable memory on something that wasn't needed or even anticipated.(snip)
Strange. If it wasn't needed I must have dreamt about using such techniques ::bigsmile: All hackers are doing is exploiting holes - holes into which unwary programmers fell by mistake in the past. The same sorts of techniques now being stuck on in a manner which unbalances the pyramid were built in to IBM mainframe operating systems as a matter of course to prevent abends which wasted expensive computer time

Back in the day when computers had 1Kb of memory or even 64Kb you could validate every byte and make sure it was there for a reason. Nowadays with 4294967296 Bytes in your average home computer it is no longer possible especially with all the apps, plugins, utilities on top of an enourmously complex operating system.

But it doesn't matter about the amount of memory, it's how you address that memory. There is nothing complex about properly written code; that's a myth which we debunked donkeys years ago. There are complex applications but every program written is merely a series of very simple instructions. It is only when those simple instructions are not put together properly that "complexity" is built into the final product.

Subscribers  do not see these advertisements

 
Feb 27, 2011
14,670
74,872
UK
Funster No
15,452
MH
Self Build
Exp
Since 2005
Strange. If it wasn't needed I must have dreamt about using such techniques ::bigsmile: All hackers are doing is exploiting holes - holes into which unwary programmers fell by mistake in the past. The same sorts of techniques now being stuck on in a manner which unbalances the pyramid were built in to IBM mainframe operating systems as a matter of course to prevent abends which wasted expensive computer time



But it doesn't matter about the amount of memory, it's how you address that memory. There is nothing complex about properly written code; that's a myth which we debunked donkeys years ago. There are complex applications but every program written is merely a series of very simple instructions. It is only when those simple instructions are not put together properly that "complexity" is built into the final product.

You are telling me that ASLR was used by IBM mainframes in the 70's? WOW. I always knew they were good didn't realise they were that good.
I have just done a quick google and the earliest reference I can find to it was 2001..

DEP was implemented at the hardware level on IBM mainframes if it was implemented. The x86 series processors didn't support hardware memory protection until the 386. This was only at the page level so didn't work when OS's used the flat memory model. It was AMD that implemented the necessary NX bit to allow it to work on the flat memory model.
Intel added support in the P4. It took a while to upgrade the os to enable support for the NX bit. This came in with windows XP.

Back in the 70's the interactions between different software components was limited. You knew exactly what was going off with everything on the system. These days the interactions are of a magnitude greater. As with any system the more you increase the complexity the more chance there is of unforseen failures. It is the unforseen interactions that cause most zero day exploits.

I would love to see your perfectly engineered software from the 70's thrown into the harsh environment of todays internet and being exposed to the level of attention that Windows gets from the blackhats.

I am just going to have to agree to disagree with you. I doubt you will be persuaded and I know I won't.

Possibly a nice debate to have in person over a few beers next time I see you :thumb:
 
Feb 27, 2011
14,670
74,872
UK
Funster No
15,452
MH
Self Build
Exp
Since 2005
After my last couple of posts I got to thinking... Is it possible given unlimited funds and other necessary resources to write a completely secure OS/Application base...

I tripped across an old Microsoft Article (2007) By Michael Howard who was a Principal Security Program Manager of the SDL.

http://msdn.microsoft.com/en-us/magazine/cc163310.aspx

It was 10 years ago that Bill Gates handed down an edict that security was the first priority. This article is from 5 years into that process. It is worth reading the full article.

An interesting quote..
You'll Never Reach Zero Security Vulnerabilities
It's sad but true, but you'll never get to zero security vulnerabilities. I remember when we issued one of the first security updates for Windows Vista. Some users were surprised because they thought Microsoft claimed to have solved the security problem with Windows Vista. First, I don't know of anyone who made the claim and second, zero security vulnerabilities just isn't achievable.
While zero security vulnerabilities would be nice, thinking you can reach such a state is folly. The fact is the technology landscape is always in flux, threats are a moving target, and security research is ongoing. I said earlier security is an arms race. We add defenses to our products and the attackers adapt.



In another blog article he gives an example of a bug that led to an exploit.
He explains this in some detail and covers the code testing tools used and why they didn't catch it. I found this article fascinating...

.

Even if you don't understand everything I still think it is worth a read for an example of what goes into creating the software we all run on our computers.
 

GJH

LIFE MEMBER
Aug 20, 2007
29,450
38,828
Acklam, Teesside, originally Glossop
Funster No
127
MH
None, now sold
Exp
2006 to 2022
You are telling me that ASLR was used by IBM mainframes in the 70's? WOW. I always knew they were good didn't realise they were that good.
I have just done a quick google and the earliest reference I can find to it was 2001..(snip)

No Karl, not Lego add-ons but safeguards designed in from the start ::bigsmile:

Not sure you will want a debate. I'll have my Assembler Porn loving mate with me at Lincoln ::bigsmile:

Subscribers  do not see these advertisements

 

Join us or log in to post a reply.

To join in you must be a member of MotorhomeFun

Join MotorhomeFun

Join us, it quick and easy!

Log in

Already a member? Log in here.

Latest journal entries

Funsters who are viewing this thread

Back
Top