
SoylentNews is people

posted by chromas on Monday April 09 2018, @06:12PM
from the (unsigned⠀int) dept.

https://www.theregister.co.uk/2018/04/04/microsoft_windows_defender_rar_bug/

A remote-code execution vulnerability in Windows Defender – a flaw that can be exploited by malicious .rar files to run malware on PCs – has been traced back to an open-source archiving tool Microsoft adopted for its own use.

[...] Apparently, Microsoft forked that version of unrar and incorporated the component into its operating system's antivirus engine. That forked code was then modified so that all signed integer variables were converted to unsigned variables, causing knock-on problems with mathematical comparisons. This in turn left the software vulnerable to memory corruption errors, which can crash the antivirus package or allow malicious code to potentially execute.
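
The class of bug described above, as an added C example (not code from unrar or Windows Defender; the function names, the 64-byte window and the offsets are constructed for illustration): a bounds check written for signed arithmetic becomes a tautology once its variables are made unsigned, and the last check shows a form that stays correct with unsigned types.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW_SIZE 64   /* constructed size for the demo */
static uint8_t g_window[WINDOW_SIZE];

/* Signed original: a negative "room" means the write does not fit. */
static int fits_signed(int32_t window, int32_t pos, int32_t len)
{
    int32_t room = window - pos - len;
    return room >= 0;
}

/* Same logic after a blanket int -> unsigned conversion. The subtraction
 * wraps modulo 2^32, so "room >= 0" is always true and the guard is dead.
 * GCC reports this comparison with -Wtype-limits (part of -Wextra). */
static int fits_converted(uint32_t window, uint32_t pos, uint32_t len)
{
    uint32_t room = window - pos - len;
    return room >= 0;
}

/* Unsigned-safe form: compare before subtracting, so nothing can wrap. */
static int fits_hardened(uint32_t window, uint32_t pos, uint32_t len)
{
    return pos <= window && len <= window - pos;
}

/* Copy into the window only when the hardened check accepts the range. */
static int write_window(uint32_t pos, const uint8_t *src, uint32_t len)
{
    if (!fits_hardened(WINDOW_SIZE, pos, len))
        return -1;
    memcpy(g_window + pos, src, len);
    return 0;
}

int main(void)
{
    /* 8 bytes at offset 60 of a 64-byte window: 4 bytes too many. */
    printf("signed=%d converted=%d hardened=%d\n",
           fits_signed(WINDOW_SIZE, 60, 8),
           fits_converted(WINDOW_SIZE, 60, 8),
           fits_hardened(WINDOW_SIZE, 60, 8));
    return write_window(60, (const uint8_t *)"AAAAAAAA", 8) == -1 ? 0 : 1;
}
```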


  • (Score: 2, Informative) by anubi on Tuesday April 10 2018, @02:29AM (9 children)

    by anubi (2828) on Tuesday April 10 2018, @02:29AM (#664785) Journal

    C++, like a power saw, can be used to make really fine work, rapidly.

    It can also make a helluva mess, rapidly.

    C++ has enormous power, as it was designed in an age where it was to be a "one size fits all".

    If you wanted to "expand" C++, you did not even think of using another compiler... nah - you wrote a library of the functions you needed. C++ with libraries of anything special could do anything.

    C++ has pointers. That made it extremely powerful; the only thing more powerful was an assembler.

    And it was a really close call whether or not the C++ compiler would write tighter code than I could in an assembler.

    My favorite was Borland's C++ ver 4.51 for Windows, and ver. 3.0 for DOS, the Windows version also came packaged as "C++ Builder" for Windows.

    The assemblers and compilers were actually given away in the day, as premiums on a CDROM on the cover of "PC Plus" magazine.

    And Borland also released an equivalent Pascal version for Windows... never got too much into that one though. Both +Fravia and Gibson Research used to talk a lot of using Assembler. I could write some really concise code with it. Took forever to write 10K of code, but boy was that code dense. I could do a helluva lot of stuff in 10K of code.

    Incidentally, does anyone still do assembly anymore? That was my prime language in my younger years. You know, TASM, MASM, NASM, and lots of little custom variants...

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 2, Flamebait) by PiMuNu on Tuesday April 10 2018, @03:03AM (8 children)

    by PiMuNu (3823) on Tuesday April 10 2018, @03:03AM (#664795)

    C++ is a real mess, however.
    * Syntax is inconsistent - e.g. calling constructor with no arguments has different syntax to constructor with arguments
    * Syntax is awful - ever tried doing anything complicated with templates? Ever done it *quickly*?
    * How much implicit darkness does C++ do behind your back? Default constructors, "implicit" keyword, etc

    (I use C++ as my main low-level programming language, I just don't like it)

    • (Score: 1) by anubi on Tuesday April 10 2018, @07:14AM (1 child)

      by anubi (2828) on Tuesday April 10 2018, @07:14AM (#664852) Journal

      Those are excellent points.

      To me, the C++ is more like the English language... it has a few quite illogical exceptions, but I can use it to communicate to others. It's the most effective communications thing I have.

      Gotta admit I would hate to lay out a web page in C++.

      I do mostly embedded, so C++ for the big stuff and assembler for bit-banging the hardware driver.

      I was programming Fortran 77 before, and really fell in love with C++ structures.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 2) by PiMuNu on Tuesday April 10 2018, @08:46AM

        by PiMuNu (3823) on Tuesday April 10 2018, @08:46AM (#664867)

        It's a nice analogy...

    • (Score: 2) by tangomargarine on Tuesday April 10 2018, @04:24PM (5 children)

      by tangomargarine (667) on Tuesday April 10 2018, @04:24PM (#665008)

      * Syntax is inconsistent - e.g. calling constructor with no arguments has different syntax to constructor with arguments

      * How much implicit darkness does C++ do behind your back? Default constructors, "implicit" keyword, etc

      I've been under the impression that C++ is one of the most consistent languages you can find anywhere. Whether you *understand* or *agree with* why it does stuff a certain way is another thing.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 0) by Anonymous Coward on Tuesday April 10 2018, @06:43PM

        by Anonymous Coward on Tuesday April 10 2018, @06:43PM (#665058)
        I heard there are Lisp style languages that are so consistent that they can be used to prove math theorems.
      • (Score: 2) by PiMuNu on Tuesday April 10 2018, @08:26PM (3 children)

        by PiMuNu (3823) on Tuesday April 10 2018, @08:26PM (#665086)

        Well, what does consistency really mean? I argue that it means doing what it does with the smallest possible number of syntactical exceptions/keywords/junk to remember (shannon entropy anyone?). C++ has absolutely tonnes of magic keywords and weird exceptions. I highlighted a few in GP. I found a list of keywords here for C++ (about 100 reserved words):

        http://en.cppreference.com/w/cpp/keyword [cppreference.com]

        Compare with python (about 40 reserved words):

        https://www.programiz.com/python-programming/keyword-list [programiz.com]

        and java (about 50 reserved words):

        https://docs.oracle.com/javase/tutorial/java/nutsandbolts/_keywords.html [oracle.com]

        Not definitive, but gives a feel for how complex the language is.

        • (Score: 2) by tangomargarine on Tuesday April 10 2018, @08:48PM (2 children)

          by tangomargarine (667) on Tuesday April 10 2018, @08:48PM (#665096)

          "Fewest keywords" seems like a somewhat odd hill to make your stand on, but okay I guess. Fewer keywords is what I'd call more simple, not more consistent, though I can kind of see where you're coming from.

          Python was explicitly designed (6 years later) to be elegant, and has things that it can't do that C++ can. From what I've read, Java would be more streamlined still if they had designed generics into it from the get-go instead of 1.2. But again, there's a lot of stuff Java can't do because of the JVM. So yes, naturally Python and Java will be simpler than C++. Kind of a tautology.

          (shannon entropy anyone?)

          Shannon entropy H is given by the formula [math I won't figure out how to reproduce here] where pi is the probability of character number i appearing in the stream of characters of the message.

          Erm...okay bleeding from the eyes now after looking that up and not sure what your point is. It sounds like you're arguing from a standpoint of which language is more "beautiful" than which, rather than the principle of least surprise.

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
          • (Score: 2) by PiMuNu on Tuesday April 10 2018, @08:59PM (1 child)

            by PiMuNu (3823) on Tuesday April 10 2018, @08:59PM (#665099)

            Can you think of a better estimator of "easiest syntax"?

            • (Score: 2) by tangomargarine on Tuesday April 10 2018, @09:44PM

              by tangomargarine (667) on Tuesday April 10 2018, @09:44PM (#665112)

              We weren't talking about "easiest." The original term was "most consistent," which ironically we are very lacking in this conversation.

              I would generally agree that Java/Python are easier and more elegant to use. You want C++ for large, complex projects, that you want to be efficient and maintainable || embedded programming. Or at least that's my impression.

              Mostly I'd contrast C++ with Ruby and JavaScript. I really don't like duck typing. Just the ideas of not being able to figure out what sort of data a variable holds from a glance at the code, having no compile-time checking--the only way to tell whether your code works is to run it--make me feel nervous and icky. Stuff like this [destroyallsoftware.com] just bends my principle of least astonishment over a chair and fucks it senseless.

              Personally I think it would even be a better idea to teach students Ada than C++ as their first language (no, stop laughing! :) because it forces you to think in terms of diligent consistency. Programming isn't something you can just wildly chuck at a wall and hope for the best with. And I found my crash course in assembly pretty informative as to explaining why we do fundamental things certain ways in programming.

              Still not sure whether I really like C++. I was doing a year of unit testing in it in 2016, and wrestling with the compiler output was a constant struggle. It would never outright lie but it usually seemed to be doing its best to mislead me as to what the problem was. Forget to initialize a member of a structure and it spits out some cryptic thing about memory alignment difficulties. Once you got into the right line of thinking about it, it usually made some perverse sort of sense, though. And C++ doesn't try to hide the fact that it's using pointers like Java. And you can specify how to pass parameters! Just being able to tell the code exactly what you want it to do is nice sometimes. No "Java is pass by value...except the value is the reference...except for primitives" mindtwisters.

              I'm doing mostly JavaScript now, but prefer Java (CLI) or C# (GUI) for personal projects. Just going to trail off now. I'm 28 so that's my $0.02.

              --
              "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"