Stories
Slash Boxes
Comments

SoylentNews is people

posted by n1 on Tuesday June 10 2014, @02:50AM   Printer-friendly [Skip to comment(s)]
from the incomplete-updates-are-available dept.

Darren Pauli writes at the Register that researchers who scanned 900 Windows libraries have uncovered a variety of security functions that were updated in Windows 8 but not in Windows 7. Researcher Moti Joseph speculates Microsoft had not applied fixes to Win 7 to save money. "Why is it that Microsoft inserted a safe function into Windows 8 [but not] Windows 7? The answer is money. Microsoft does not want to waste development time on older operating systems ... and they want people to move to higher operating systems," Joseph said in a presentation at the Troopers14 conference.

Joseph along with Marion Marschalek developed a diffing (comparison) tool dubbed DiffRay which compares Windows 8 with 7, and logs any safe functions absent in the older platform. In a demonstration of DiffRay, the researchers found four missing safe functions in Windows 7 that were present in 8 (Youtube). Future work will extend DiffRay's capabilities to find potential vulnerabilities in Windows 8.1 (PDF), add intelligence to trace input values for functions and incorporate more intelligent signatures used to find potential holes. "If we get one zero-day from this project, it's worth it," says Joseph.

Editor's update: For those who prefer, the Presentation Slides (PDF) are also available.

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1, Funny) by Anonymous Coward on Tuesday June 10 2014, @02:56AM

    by Anonymous Coward on Tuesday June 10 2014, @02:56AM (#53543)

    You should pay Microsoft for a support contract. Seriously. Microsoft doesn't owe you free support forever.

    Monetary compensation for services rendered, it's how an economy works, jerks.

    • (Score: 3, Insightful) by EvilJim on Tuesday June 10 2014, @03:11AM

      by EvilJim (2501) on Tuesday June 10 2014, @03:11AM (#53549) Journal

      Seriously. Microsoft doesn't owe you free support forever.

      you're so right... they agree to 5 years free for residential, 10 years free for business... now if they'd only use some of that money every win7 owner has paid to fix they bugs they are supposed to have then we could all go away happy.

      http://support.microsoft.com/gp/lifepolicy [microsoft.com]

      Until then, Fuck you M$ I'm still dealing with bugs from office 2003 era which I'm pretty sure haven't been addressed even in 2010. it's another grab to get customers onto win8 upgrade treadmill so they can claim it is a success.

      • (Score: -1, Troll) by Anonymous Coward on Tuesday June 10 2014, @03:43AM

        by Anonymous Coward on Tuesday June 10 2014, @03:43AM (#53562)

        Hey you know what. Linux distributions have even shorter support schedules. Releases are supported for one or two years, maybe five years if you're fucking lucky. And why? Because those Linux distributors want you on that treadmill consuming the new releases, that's why. FUCK LINUX. FUCK IT HARD.

        • (Score: 5, Insightful) by EvilJim on Tuesday June 10 2014, @03:51AM

          by EvilJim (2501) on Tuesday June 10 2014, @03:51AM (#53566) Journal

          That's pretty damn good value for free if you ask me, what's your point again? I got lost laughing when you raged over free updates that no-one is forcing you to use. the only reason it is advisable to use windows updates is to stop the multitude of viruii out there exploiting all those holes that you had to pay to leave open.

        • (Score: 5, Funny) by Marand on Tuesday June 10 2014, @03:55AM

          by Marand (1081) on Tuesday June 10 2014, @03:55AM (#53569) Journal

          Hey you know what. Linux distributions have even shorter support schedules. Releases are supported for one or two years, maybe five years if you're fucking lucky. And why? Because those Linux distributors want you on that treadmill consuming the new releases, that's why. FUCK LINUX. FUCK IT HARD.

          If you feel Debian's charging you too much for each release, you can always try a rolling-release distro. You only pay $0 once and get unlimited security updates for life, unlike those assholes that expect you to pay $0 for each version.

          • (Score: 3, Funny) by EvilJim on Tuesday June 10 2014, @04:20AM

            by EvilJim (2501) on Tuesday June 10 2014, @04:20AM (#53579) Journal

            Even that sounds steep you know? I might settle for something completely non debian... like Mint or Ubuntu ;p

          • (Score: 0) by Anonymous Coward on Tuesday June 10 2014, @06:49PM

            by Anonymous Coward on Tuesday June 10 2014, @06:49PM (#53876)

            Debian's[...]rolling-release
            That's one way to get infinite support for your Linux install.
            (There are other bloodlines that are also available as rolling releases; Arch springs to mind.)

            $0
            If you like paying for support ("having someone to blame"), there's RedHat and its ~10 years of support for releases.

            In addition, there are gratis spins which use the RedHat codebase and get that long support.
            Scientific Linux -or- CentOS [google.com]
            Not cool enough out of the box? No problem. [dedoimedo.com]

            My big question:
            What portion of the computer-using public continues to use ONE computer (hardware) for 10 years--much less the same version of the same OS?
            Historically? Currently?
            With my -not- ditching hardware due to boredom with it (or at the first sign of trouble) and only abandoning stuff after it is completely unrepairable with easily-substitutable pieces, you'd be correct to assume that I've gone through several OSes on each of my rigs.

            In the big picture, I'm pretty sure that guys like me/us who keep their old stuff running are -not- so common.
            My impression is that most folks "update"/"upgrade" by buying something entirely new.
            With Good Enough(tm) having been achieved years ago WRT hardware, and with $0 easily-substitutable FOSS becoming more common, and with more and more people forced to watch every penny, we'll have to wait and see whether the old meme remains the standard practice.

            -- gewg_

      • (Score: 1) by redneckmother on Tuesday June 10 2014, @03:48AM

        by redneckmother (3597) on Tuesday June 10 2014, @03:48AM (#53565)

        Sounds like MS has adopted an old IBM policy:
          Don't fix it, Feature it!
        It's only two-ninety-nine hundred dollars, in easy payments - once a month, twice a week, and never on Sundays.

        --
        Mas cerveza por favor.
        • (Score: 2) by EvilJim on Tuesday June 10 2014, @03:54AM

          by EvilJim (2501) on Tuesday June 10 2014, @03:54AM (#53568) Journal

          See here AC... this is an actual 'funny' post worthy of mod points, unlike you using a second account to mod yourself up :)

    • (Score: 4, Insightful) by EvilJim on Tuesday June 10 2014, @03:41AM

      by EvilJim (2501) on Tuesday June 10 2014, @03:41AM (#53561) Journal

      score 2 funny huh? some people with mod points just shouldn't. this post is like someone trying to be Futurama's Bender, but without a valid point.

      • (Score: 2) by c0lo on Tuesday June 10 2014, @04:26AM

        by c0lo (156) Subscriber Badge on Tuesday June 10 2014, @04:26AM (#53584) Journal

        score 2 funny huh? some people with mod points just shouldn't.

        May come as a surprise to you, but... you know? ...the mod points are earned.
        How would you feel to receive advices on the appropriate way to spend your wage?

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0
        • (Score: 2) by EvilJim on Tuesday June 10 2014, @04:35AM

          by EvilJim (2501) on Tuesday June 10 2014, @04:35AM (#53587) Journal

          Society and the government already does that :) doesn't mean I have to listen though. if it's a second account being used to mod up an inane comment then there is something wrong with that, if someone actually found it funny... well ok, I feel a little sorry for the modder... thanks, now I'm sad.

          • (Score: 2) by c0lo on Tuesday June 10 2014, @05:06AM

            by c0lo (156) Subscriber Badge on Tuesday June 10 2014, @05:06AM (#53598) Journal

            if someone actually found it funny... well ok, I feel a little sorry for the modder... thanks, now I'm sad.

            When younger, I used to have a name for the symptoms you just exposed above: hypoalcoholemia syndrome a.k.a. "too high concentration of blood in alcohol for far too long".
            The clearest sign for it: the sufferer can't just let go, always seem to take everything as a grave matter and seems tense or depressed about the reality of this world, either for long periods (a chronic condition) or just for absolutely trivial matters (an acute attack).

            if it's a second account being used to mod up an inane comment then there is something wrong with that

            If it helps you, trust me... I know for sure it is not the case this time.

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0
            • (Score: 2) by EvilJim on Tuesday June 10 2014, @06:02AM

              by EvilJim (2501) on Tuesday June 10 2014, @06:02AM (#53612) Journal

              You might be on to something with the alcohol there. I'll take that advice with gusto and get back to you... if capable.

              • (Score: 2) by c0lo on Tuesday June 10 2014, @06:12AM

                by c0lo (156) Subscriber Badge on Tuesday June 10 2014, @06:12AM (#53617) Journal
                Good luck... I hope it helps.
                --
                https://www.youtube.com/watch?v=aoFiw2jMy-0
      • (Score: 2) by SlimmPickens on Tuesday June 10 2014, @06:17AM

        by SlimmPickens (1056) on Tuesday June 10 2014, @06:17AM (#53618)

        I do like the idea that Bender had a valid point lol

      • (Score: 2) by tangomargarine on Tuesday June 10 2014, @04:04PM

        by tangomargarine (667) on Tuesday June 10 2014, @04:04PM (#53824)

        Microsoft: You all can bite my shiny metal ass. Like I'm gonna do two things! (sell you software and support it)

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 3, Interesting) by mcgrew on Tuesday June 10 2014, @02:52PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Tuesday June 10 2014, @02:52PM (#53781) Homepage Journal

      Bullshit. Do owners of ten year old GM cars with defective ignition switches have to pay to get the switches replaced? Patches and security updates are actually recalls of defective products. Microsoft is flipping its paying customers the bird.

      SOFTWARE IS NOT A SERVICE! Neither is a product recall. This is almost as irresponsible as their dropping support for 25% of the computers on the internet.

      If Joe Sixpack gets a trojan, then he needs to take it to someone like Hairyfeet and pay for service. If he gets a drive-by virus or worm without having to click "I agree" than Microsoft should fix it free; it's their fault Joe got infected. And when all those XP computers are a giant botnet that takes the whole internet down, the irresponsibility belongs solely to Microsoft.

      BTW, I ran across a hack [pcworld.com] that makes Microsoft think your XP computer is an ATM will happily supply upgrades.

      There is no excuse whatever for hardware outliving its software.

      --
      Free Martian whores! [mcgrewbooks.com]
      • (Score: 2) by tangomargarine on Tuesday June 10 2014, @04:07PM

        by tangomargarine (667) on Tuesday June 10 2014, @04:07PM (#53829)

        SOFTWARE IS NOT A SERVICE!

        *cough* [wikipedia.org]

        (yay caps filter blah blah blah)

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 2) by EvilJim on Friday June 13 2014, @05:27AM

        by EvilJim (2501) on Friday June 13 2014, @05:27AM (#54826) Journal

        oooh... it pretends to be an ATM... smart move. I didn't bother reading the articles about the hack as they made it sound like they were repurposing win7 updates to use in XP, this makes a hell of a lot more sense.
        sweet, I'll be installing ~50 ATM's at work tomorrow.

        • (Score: 2) by mcgrew on Friday June 13 2014, @04:04PM

          by mcgrew (701) <publish@mcgrewbooks.com> on Friday June 13 2014, @04:04PM (#55021) Homepage Journal

          I don't think I'll do that to my XP computer (but of course, you won't have the luxury I do since they're company computers). I'll just install Linux dual-boot and remove all the Windows networking components. Then I can use the one program I have that needs XP, and Linux can read and write to the Windows partition, so for moving files I'll just boot into Linux.

          Right now it's seldom turned on. When I need to move a file I just disconnect the cable feed to the router first, turn on the XP PC, move the file, shut the XP PC down and reconnect the cable.

          --
          Free Martian whores! [mcgrewbooks.com]
          • (Score: 2) by EvilJim on Saturday June 14 2014, @01:07AM

            by EvilJim (2501) on Saturday June 14 2014, @01:07AM (#55163) Journal

            haha, we've got an upgrade plan for win7 but if there's delays and some threat looms we'll investigate it. our new database system appears to have an RDP connection for the front end, as soon as we get rid of the last two (that require IE7) I want to get the office on linux, that would make me so proud, and possibly close to redundant :)

  • (Score: 3, Insightful) by Subsentient on Tuesday June 10 2014, @03:09AM

    by Subsentient (1111) on Tuesday June 10 2014, @03:09AM (#53548) Homepage Journal

    Another corporation putting profit above product. That is kinda their legal duty you know.

    --
    “Man is not a rational animal; he is a rationalizing animal.” ― Robert A. Heinlein
    • (Score: 0) by Anonymous Coward on Tuesday June 10 2014, @03:34AM

      by Anonymous Coward on Tuesday June 10 2014, @03:34AM (#53559)

      So pay them. Make it profitable for them to improve their product to meet your standards. What's that? You don't want to pay? Guess what then. You're the problem.

      • (Score: 3, Insightful) by EvilJim on Tuesday June 10 2014, @03:44AM

        by EvilJim (2501) on Tuesday June 10 2014, @03:44AM (#53563) Journal

        What's that? You don't want to pay? Guess what then. You're the problem.

        Hmm, no, I think that would make them a user of any one of the many fine free OS's out there. when you buy a microsoft product, you are promised updates and security fixes for a period of time, if M$ isn't holding up there end then it sounds to me like a breach of contract... IANAL so you can trust me and my assumptions completely. :)

      • (Score: 2) by c0lo on Tuesday June 10 2014, @04:06AM

        by c0lo (156) Subscriber Badge on Tuesday June 10 2014, @04:06AM (#53573) Journal

        So pay them. Make it profitable for them to improve their product to meet your standards. What's that? You don't want to pay? Guess what then. You're the problem.

        For workstations... building one from components is a matter of 4-5 hours, the doxing (the compatibility and bang-4-the-buck components) and travel to the component supplier included. I surely don't want to be a burden for the poor-poor MS.

        Other than that, now and then, I'm throwing MS a pittance without asking them to incur the patching cost
        Every time I'm buying a laptop (happens approx once every 3-4 years), I pick one "on sale" (both "Boxing day" and "end of FY" are good times of the year), wipe clean whatever the OEMs install from MS and ...
         
        ... wait for it...
        install - as recommended by TFS - a higher operating system: Linux (other options exist).

        As MS is already paid by the OEM, it's their (OEM and MS) problem, see?

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0
      • (Score: 2) by tibman on Tuesday June 10 2014, @05:23AM

        by tibman (134) Subscriber Badge on Tuesday June 10 2014, @05:23AM (#53603)

        You've got it backwards. Security fixes are free for the lifetime of the product. If Windows7 becomes too insecure then it becomes worthless. If they did that then i would have no incentive to buy Windows8. I paid for Windows7 and expect a decade of free security patches. MSDN subscriptions have to be providing a lot of income as well. Linux does not seem to have this kind of security patching problem. Just donated $50 to Gentoo. Realized how much more i pay MS each year : /

        --
        SN won't survive on lurkers alone. Write comments.
    • (Score: 1) by No Respect on Tuesday June 10 2014, @09:35AM

      by No Respect (991) on Tuesday June 10 2014, @09:35AM (#53669)

      Putting profit above product is actually not a legal duty of corporations (more specifically their officers and directors). The last time I looked at legal guidelines prepared for corporate directors and officers there was nothing there about holding profit sacrosanct above all other considerations. It's not on the list of things they are supposed to do. It's simply not a legal requirement.

  • (Score: 1, Insightful) by Anonymous Coward on Tuesday June 10 2014, @07:31AM

    by Anonymous Coward on Tuesday June 10 2014, @07:31AM (#53636)

    The article is lacking in details. It is written as if a security hole was closed in Windows 8, but left open in Windows 7. Yet, the closest we come to a description is a change is that a "security function" was added to Windows 8.

    Like this is actually a new function. Only software written to use new funcitons are going to see any advantage of them. So even if MSFT had added those functions to Windows 7, it wouldn't magically have maid your software more secure anyway, unless you update all the software that uses the less safe versions of those functions. And how many of those are going to get updates in the first place? If this is new functions, they are likely only going to be of use for new software.

    Besides, if (as it appears), this is a new safer version of one of the str*cpy functions, anyone who cares is going to have their own preferred safe versions anyway (OpenBSD reportedly have some really good ones, and being BSD, anyone can grab those), they are not required to use the OS provided ones. And anyone who doesn't care is going to use strcpy regardless of what the OS provides.

  • (Score: 0) by Anonymous Coward on Tuesday June 10 2014, @10:04AM

    by Anonymous Coward on Tuesday June 10 2014, @10:04AM (#53679)

    To just dump microsoft. Don't use anything output by Redmond, ever. When you do that, the non-security of windows becomes a non-issue for you.

    Remember, microsofts true reason for being is to get you to pay them more money. If you are tired of handing over your money to them, then just quit using their stuff - problem solved.

  • (Score: 2, Interesting) by acharax on Tuesday June 10 2014, @10:24AM

    by acharax (4264) on Tuesday June 10 2014, @10:24AM (#53683)

    This doesn't appear to be about patching at all; if I understood the (scant) featured article correctly, what happened here is that MS didn't bother to backport certain new "safe" versions of shell API functions to win7. Big deal. If the "safe" parachute-happy versions of various c functions that MS added to the CRT in past years are any indicator this just reeks of a feel good measure anyway.

  • (Score: 2) by jasassin on Tuesday June 10 2014, @09:10PM

    by jasassin (3566) <jasassin@gmail.com> on Tuesday June 10 2014, @09:10PM (#53922) Journal

    For downloading an md5 sum verified copy of windows 7 ultimate and using daz windows loader to activate it. I guess I get what I paid for. I almost feel bad for the people who paid for it.

    --
    jasassin@gmail.com Key fingerprint = 0644 173D 8EED AB73 C2A6 B363 8A70 579B B6A7 02CA