
> You can't expect modern Windows to ship 20+ year old DLLs that allow running Windows 98 APIs as that's a major security vulnerability since older APIs had direct hardware/memory access without any kind of checks and balances.

That doesn't make sense. If those old DLLs could bypass some security protections in Windows then that would still be a major vulnerability in recent Windows itself.




Makes sense to me: Exactly, that's why they're not shipped with recent Windows.


No; the point is that if a USER SPACE library can compromise the security of Windows the operating system _in any way_ then that by definition is a Windows issue, not an issue of the library.

E.g., Wine ships other implementations of the same libraries and this causes zero extra security problems in Linux.


> Wine ships other implementations of the same libraries and this causes zero extra security problems in Linux.

Because Windows malware can't infect Linux, so why would that be a security issue for Linux? But if you run Windows, you definitely don't want to sideload and use unmaintained libraries and APIs that are 20 years out of date.


Why would sideloading an "unmaintained library" be a security issue for Windows?

To put it simply, it doesn't really matter what libraries you ship, they _cannot_ cause _new_ security issues in the operating system, by simple definition of user space.

And Windows malware can definitely infect Linux. That was not my claim.


Old games require being run as Administrator. In addition, user/kernel isn't the important security boundary you think it is. My tax returns, my pictures, my passwords, all of the data I actually care about is stored in files accessible in user space.


> Old games require being run as Administrator.

Not really, search for UAC virtualization.

> My tax returns, my pictures, my passwords, all of the data I actually care about is stored in files accessible in user space.

So are the passwords of everyone logging in to this very website (stored in user space). I think you are confusing user/privilege separation with kernel-userspace separation.

You have not yet made a point. How can distributing a user-space shared library, no matter how fully loaded with ancient security holes, decrease the amount of security of your system?

We literally have this on Chen's today: https://devblogs.microsoft.com/oldnewthing/20221011-00/ Totally sure malware authors are going to compromise the files of an ancient game in order to trigger some bug in a library to get to your tax returns. No way they will not just change the game exec or something.


> How can distributing a user-space shared library, no matter how fully loaded with ancient security holes, decrease the amount of security of your system?

They probably want to put pressure on publishers to use newer libraries that don’t need administrative permission, so hopefully eventually getting a version of the program that doesn’t need admin. Encouraging better security hygiene.

I agree that user-space compromise is still really really really bad.



