Re: Endless Buffer Overruns by Joe
Joe
Thu Sep 23 00:36:43 CDT 2004
XP isn't really new code in terms of the turnaround at MS for security purposes.
Windows Server 2003 really isn't even new as the turnaround occurred at the
tail end of the 2K3 development work. I think XP came out in like Oct 2001. Code
freeze was probably some time in July 2001 or so. Also if you think that XP is
an entirely new OS, it isn't, it is building on what was in 2000 and NT and even
some stuff from Win9x. There are some newer pieces like the GDIPLUS piece but
that doesn't mean they are perfect.
If I need an update of my immensely popular ADFIND or OldCmp tools I can sit
down in a night and crank it out in a couple of hours tops including publishing
to the web site. I could probably rewrite them from scratch over a weekend. That
doesn't describe these OSes and yes, it is amazing they work at all with all of
the complexity involved. A simpler OS would be nicer but being simpler doesn't
mean no bugs, it simply means less bugs. A simpler OS means people having to buy
more and more third party tools to get functionality they expect out of an OS.
Go look at the OSS solutions, how much is base OS, how much is add-ons? I would
also recommend signing up for the patch bulletins for a few of the vendors. I
think I updated one of my favorite OSS apps about 4 times in the last 5-6 months
due to various bugs including security issues. This isn't an MS only issue. It
is a state of programming issue. It is harder to code for every possibility and
then test for it versus code and test for the most likely things. Most people
writing code don't think, what if someone puts a complete garbage value into
this spot right here. If they did that for every single possible location, the
code gets huge and it takes forever to release. Throwing an exception that there
is a bad value is rarely the right answer, people want it to also be handled
automatically and as under the covers as possible. That takes a lot of logic to
be put into the code.
Once again, the software will never be perfect. There is no way to test every
piece of functionality with every possible bad value that could be sent into
code. Yes, I agree there could be better bounds checking and exception handling,
but it won't happen immediately.
There are several descriptions floating around of exactly what that jpeg issue
is about. If you are into coding it is worth reading, if you aren't, the
specifics of the issue will probably be lost on you.
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Duane wrote:
> Ok, thanks all, that helps me understand it a little better. Too big, too
> complex, with too many people. I guess we should be thankful it works as
> well as it does. And, I didn't know that open source operating systems are
> also having similar problems.
>
> Joe, I don't expect MS to go back and fix all past problems, but these last
> few issues are new problems - at least the release is new (Internet Explorer
> and XP for JPEG). Maybe old components of the code reused? But, I find it
> interesting that XP has the problems, but they said Windows 98 does not.
> That to me appears as if they went to extra work to put the problem in (not
> saying intentionally) - or didn't check new code or old module very well for
> new software. Having a JPEG create a buffer overrun seems like hard to do.
> But, maybe there is some new "feature" that causes it. JPEGs with code?
>
> They want people to update and no longer support '98, but there keeps coming
> up problems with only XP.
>
> Duane
>
>
>
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:%239sthrGnEHA.2708@TK2MSFTNGP10.phx.gbl...
>
>>I sort of agree with you but it isn't something that can be implemented
>
> over
>
>>night. At a guess, you could look through all of your code that you have
>
> ever
>
>>written and especially what you currently maintain in less than 6 months.
>
> You
>
>>have the further benefit of being the person who wrote all of it.
>>
>>Microsoft has millions upon millions of lines of code, some of it
>
> purchased,
>
>>some of it written by people long gone. No one is familiar with all of the
>
> code
>
>>and there are probably sections that haven't been seriously touched in so
>
> long
>
>>that no one is really familiar with it. It is a completely different case
>
> from
>
>>you or I looking over what we have written and having MS look over
>
> everything
>
>>they have. Additionally as Roger indicated, there are several different
>
> ways the
>
>>overflows can get generated so it isn't always something that can be
>
> easily
>
>>located programmatically.
>>
>>All that being said, MS is working on it and slowly correcting it.
>
> However, I
>
>>don't ever expect all of the code for anything currently out to ever be
>
> free
>
>>from possible holes. If you expect this, you are living in a dream world.
>
> It is
>
>>not possible to produce a huge complex software project like Windows and
>
> have
>
>>perfect code. Even open source has found that to be the case as I get the
>>notifications for patches for those right alongside the MS notifications.
>>
>>The goal should be for MS to keep refining processes and procedures so
>>everything new gets better and better and less likely to have the holes
>
> that
>
>>have plagued us in the past. Should that have started a long time ago,
>
> yes. But
>
>>it never had the visibility it has now and quite frankly, MS is a
>
> business, they
>
>>aren't there to make perfect software, they are there to make money. The
>
> current
>
>>emphasis is such that to ignore the issue now will have fiscal impact so
>
> will
>
>>force changes and correctes. But again, don't ever expect your old MS
>
> software
>
>>to ever be patched to perfection. It isn't a realistic expectation nor
>
> goal.
>
>> joe
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>
>>
>>Duane wrote:
>>
>>>I see yet another update (JPEG) involving the same type of ongoing
>
> buffer
>
>>>overrun vulnerability. Could someone please help me understand why this
>>>situation has not been corrected?
>>>
>>>I'm approaching this from a programmer point of view. I have made
>
> mistakes
>
>>>and overlooked errors in my code. However, when I am made aware of a
>
> type
>
>>>of error, I go back and fix ALL of those types of errors. At least as
>
> many
>
>>>as I know about. Why doesn't Microsoft? If they don't know about all
>
> the
>
>>>buffer overrun areas, shouldn't they have a team that verifies the code?
>>>
>>>Maybe I don't understand what buffer overrun is/does. I would think it
>
> is
>
>>>when some programmer makes a mistake in address pointers and his program
>>>writes outside of allocated memory. Since this is a big (there's
>
> endless
>
>>>updates on such) and repeating security issue, why not at the very
>
> minimum
>
>>>check, double check, and triple check all areas where there could even
>
> be a
>
>>>potential of buffer overrun? Or, even better, design the system so that
>>>programs cannot even possibly write outside of their allocated memory?
>
> Or,
>
>>>if there is some reason that's necessary under such-and-such
>
> circumstances,
>
>>>I would think Microsoft's programs shouldn't do that and therefore
>
> should
>
>>>have a flag that prohibits them from writing outside allocated memory.
>>>
>>>Maybe someone can explain why this is an ongoing issue that cannot be
>>>corrected, but otherwise I see no excuse for it.
>>>
>>>Duane
>>>
>
>