NT 3.5 had the GUI entirely outside the kernel. For compatibility with Windows 95, much of the Windows 95 GUI code was moved into the kernel. 20 years later, that decision is still causing bugs.
Also, it could be argued that vulnerabilities like these which are only locally exploitable are not all that scary, as a personal computer should be by definition one that obeys its user no matter what. It's a bug, but not a "someone can take over your computer without you doing anything". Maybe it's because I grew up with personal computers that practically invited you to do whatever you want with them and had absolutely no "protection" whatsoever (early 8-bit machines, then DOS on a PC) that I find it hard to get scared or excited by local-only exploits like these.
In the 8-bit world, if you don't have a hard drive, and your only "network" is trading floppies with your friends, and "Elk Cloner" is the nastiest virus you have to worry about, then there isn't much reason to be scared.
Nowadays, though...if you consider inserting an infected USB stick to be a local-only attack vector, then Stuxnet was local-only.
It's the internet age, now. Local-only really isn't any more.
Part of the reason it's so easy to infect the technically illiterate crowd nowadays is that they didn't develop an immune system - something those of us who grew up with computers take almost for granted. It doesn't really take that much to become almost completely immune to malware - 90% of it is simple to spot (don't download things from CNET or any other site that has lots of ads, and especially those that try to trick you into clicking them; don't open .exe's you didn't explicitly request; know what an .exe is; don't open attachments you didn't expect; etc.) - but somehow society at large doesn't bother. And yet they expect someone else to fix it for them. As the saying goes, "Any fool can use a computer. Many do."
I understand how we got there. I don't like it, but well, Moloch does what he wants. The thing to remember is, the increased sterility of the ecosystem and all those things done "for Security!" come at the cost of the ability of general-purpose computation. Future systems will tend to be dumbed down to the point they're not general-purpose computers anymore.
I wish, I hope, they'll let us keep PCs as specialized machines, like lathes and mills.
Security is fundamentally broken - there is a lot of innovation that needs to happen to make our computers more secure. There are a lot of non-mainstream systems that have better security; we need to move their practices/architecture into the mainstream.
Hell, when you see things like quantum insert - how can any user be expected to keep their machine secure.
You're spot on that most people don't bother learning these things anymore, and particularly in the tablet ecosystem where apps are expected to be doctored for them as they come from a trusted source.
For all these years, I never clearly understood just what was meant by open an attachment. I don't have a clear description, definition, or explanation. Help! [No joke]

In about 1995, I was using some OS/2 e-mail program that wanted to put an icon somewhere for each e-mail message, screamed bloody murder at all those absurd icons
throat was sore, got out the e-mail RFCs, and in about an hour used the TCP/IP interface of the scripting language Rexx to write my own POP3
Did all the e-mail reading and writing in just my favorite text editor, KEdit. The pair worked great -- used them for years.

Then, sure, just as in the e-mail RFCs, especially about multi-media internet mail extensions (MIME) or some such, there were attachments. So, again in Rexx, I wrote the basic base 64 en/decode software to handle attachments.

Of course, I could receive a virus via e-mail totally safely -- to me, an attachment was just some simple ASCII characters to be interpreted as the base 64 encoding of something, maybe a JPG file. No harm in receiving the ASCII characters -- they look like just gibberish of simple typing by a very busy kitty cat walking on a keyboard, no harm in that -- or the base 64 code or translating that base 64 code to bytes and storing the bytes in a disk file. A file is just a sequence of bytes, any bytes at all --

So, if an attachment claimed that it was a JPG, then I might give the corresponding file from translation from base 64 to some graphic software to display the JPG. If in fact the attachment was an EXE to do harm to my computer data, etc., then I would trust the graphics program to notice that the attachment was not a JPG -- should be easy enough for the graphics program

Then I moved to Windows XP and then SP3 and Outlook 2003, and I'm still there and see little or no reason to change but just want to get on with my real work where XP SP3 is fine.

So, Outlook has attachments. Still, I never knew just what the heck was meant by open an attachment. So, if an attachment, say, in some MIME e-mail header line or some such, claims that it is a JPG file, then maybe give the attachment, translated from base 64, to some graphics program and trust that the graphics program will (1) display a real JPG without harm or (2) give an error message at anything else. Similarly for PNG, GIF, BMP, HTML, CSS, JS, etc.

For an EXE, of course, certainly, no way would Windows let the thing try to execute as software, right? I mean, not a chance, true? Or, the old, rock solid, first rule of computer security was to never, but never permit data from an untrusted source to execute as software, right? Handle such data just as bytes, sure, okay, safe, etc., but just no way ever let it execute as software, and that should be okay, right?

So, what does open do that is not safe?

No joke: In all these years, I've heard about e-mail and open an attachment and still have no clear description, definition, or explanation that would say just what open does or why it's

As far as I can tell, the people, maybe who wrote Outlook 2003, who talked about doing an open on an e-mail attachment never really made at all clear just what the heck they were talking about.

Since many people still are afraid of open, where I see little chance of harm, maybe others would like some
Help! [no joke].
So, JPEGs get handled by the JPEG shell handler.
DOCs get handled by the DOC shell handler.
And unfortunately EXEs get handled by the EXE shell handler. This breaks the rule that you stated, that you should never ever permit data from an untrusted source to execute. This is where the problem lies!
As far as "open" means, it is a piece of terminology to explain the concept of saving data to a temporary store and then passing that file reference to the shell, which typically for most programs gets passed as a parameter to that file-type-handling program. Explorer > Tools > Folder Options will list file types in there and you can see how different types are handled, and the parameters passed to programs.
Of course, the base64 encoding, temporary file saving, shell passing is a bit more complex to explain to someone than using the expression "open", hence why people just say "open the attachment".
It's a terminology thing.
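The dispatch described in the reply above (the shell picks the handler from the file name, not from the bytes) is easy to see in a small model. What follows is an added example written for this page, not code from Windows, Outlook or any commenter: it resolves a handler from the last extension the way the shell does, sniffs the decoded attachment bytes for a file signature, and reports whether the two agree. The handler names, the `open_is_consistent` check and the two sample attachments (a JPEG header and an "MZ" DOS/PE stub) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */
#include <stddef.h>

/* Which program the shell would hand the saved temporary file to. Chosen
   from the extension at the END of the name alone (cf. Folder Options >
   File Types); these handler names are illustrative stand-ins. */
typedef enum { H_NONE, H_IMAGE_VIEWER, H_WORD_PROCESSOR, H_EXECUTE } handler_t;

static handler_t handler_for_name(const char *name)
{
    const char *ext = strrchr(name, '.');            /* last extension wins */
    if (ext == NULL) return H_NONE;
    if (strcasecmp(ext, ".jpg") == 0 || strcasecmp(ext, ".jpeg") == 0 ||
        strcasecmp(ext, ".png") == 0)
        return H_IMAGE_VIEWER;
    if (strcasecmp(ext, ".doc") == 0) return H_WORD_PROCESSOR;
    if (strcasecmp(ext, ".exe") == 0 || strcasecmp(ext, ".com") == 0 ||
        strcasecmp(ext, ".scr") == 0)
        return H_EXECUTE;
    return H_NONE;
}

/* What the decoded bytes actually are, judged from their file signature.
   Only the few signatures needed for the example are known here. */
typedef enum { T_UNKNOWN, T_JPEG, T_PNG, T_PE_EXECUTABLE } content_t;

static content_t sniff_content(const unsigned char *buf, size_t len)
{
    static const unsigned char png_sig[8] = { 0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a };
    if (len >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF) return T_JPEG;
    if (len >= 8 && memcmp(buf, png_sig, sizeof png_sig) == 0)            return T_PNG;
    if (len >= 2 && buf[0] == 'M' && buf[1] == 'Z')                       return T_PE_EXECUTABLE;
    return T_UNKNOWN;
}

/* 1 if "open" would do what the name promises, 0 if the attachment lies
   about its type or would simply be executed. */
static int open_is_consistent(const char *name, const unsigned char *buf, size_t len)
{
    handler_t h = handler_for_name(name);
    content_t t = sniff_content(buf, len);
    switch (h) {
    case H_IMAGE_VIEWER: return t == T_JPEG || t == T_PNG;   /* require a positive match */
    case H_EXECUTE:      return 0;   /* untrusted bytes run as code: never "just data" */
    default:             return t != T_PE_EXECUTABLE;        /* at least not an executable */
    }
}

/* Constructed sample attachments (not real files). */
static const unsigned char SAMPLE_JPEG[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00 };
static const unsigned char SAMPLE_PE[]   = { 'M', 'Z', 0x90, 0x00, 0x03, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("holiday.jpg     + JPEG bytes -> consistent=%d\n",
           open_is_consistent("holiday.jpg", SAMPLE_JPEG, sizeof SAMPLE_JPEG));
    printf("holiday.jpg     + MZ bytes   -> consistent=%d\n",
           open_is_consistent("holiday.jpg", SAMPLE_PE, sizeof SAMPLE_PE));
    printf("holiday.jpg.exe + JPEG bytes -> consistent=%d (would be executed)\n",
           open_is_consistent("holiday.jpg.exe", SAMPLE_JPEG, sizeof SAMPLE_JPEG));
    return 0;
}
```

The third case is the one that answers the original question: a name ending in `.exe` routes to the execute handler no matter what the bytes are, and the graphics program the poster wanted to trust is never consulted. A content check like `sniff_content` has to happen before the shell dispatch, not inside the handler, to be of any use.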
In that NYT piece on hacking banks in Russia there is:

"In many ways, this hack began like any other. The cybercriminals sent their victims infected emails — a news clip or message that appeared to come from a colleague — as bait. When the bank employees clicked on the email, they inadvertently downloaded malicious code. That allowed the hackers to crawl across a bank’s network until they found employees who administered the cash transfer systems or remotely connected A.T.M.s."

So, to get infected all they had to do was just click "on the email"? Not even click on an attachment! That must be some strange, dangerous e-mail software!
Attachments, be it EXEs or DOCs or whatever, exist as bytes in memory but don't (at least, they shouldn't) get processed - that is, opened - until you explicitly ask to.
But this is basically orthogonal to the modern application of (OS-level) privilege boundaries, which is to protect the user from compromised application processes. This escalation doesn't let someone "take over your computer without you doing anything" by itself, but once someone has exploited an IE bug and found themselves able to run arbitrary code on users' computers in a sandbox - which happens all the time - that's exactly what it allows.
I'm not that familiar with Docker but looking at http://en.wikipedia.org/wiki/Docker_%28software%29 it is built on the same resource isolation features as LXC, which I am using on two of my test systems.
The resource isolation features are, in fact, built on top of a large multi-user system, which happens to have powerful security context support and abstractions built in. The contained applications operate, from a userspace perspective, as if they are their own system when in reality their kernel is actually the host kernel and their users really virtually re-mapped to distinct accounts within the host kernel.
That didn't seem to be the case to me? It seemed to be a privilege escalation bug.
EDIT: I'm stupid. Some other user talked about physical access bugs, so confused that with locally exploitable.
Meaning instead of doing things with your user account, they can instead hijack your whole system. A keylogger on windows, for instance, does not need ring0 to function. The difference isn't really that large on a personal single-user windows setup. You're pretty screwed even if they don't manage to get ring0.
If we are talking about a corporate user, then it means a lot more.
I think MS is eternally hamstrung by performance and legacy issues because those two things are in demand for so many of their customers. Windows fits this market, which is fairly sizeable. Of course now with hardware at the speed it's at, you can get a lot more slack. I've found the Linux desktop to be horribly slow until the past couple of years where there's a glut of CPU/GPU performance on even the most commodity equipment. I can run, and have run, Win7 on equipment that shipped with XP and it's been a fairly pleasant experience. Running, say, a GNOME or KDE WM on that equipment is a nightmare. MS, for all its faults, is fairly conservative in many regards, especially performance.
At the end of the day this is yet another security issue that needs to be patched. The larger issue in my mind isn't MS decisions from 15 years ago, but why so much of our software infrastructure is being written in languages that more or less beg for stack/malloc vulnerabilities. These constant tirades about MS are just more "the beatings will continue until morale improves" and not really a constructive conversation about security. I think in the near future we'll be looking at all our stuff written in Rust-like languages and wonder why the hell it took so long to do.
Lastly, Win10 is a technical preview. Finding bugs is exactly what should be going on here. Are we really being this critical on pre-release software? I don't see any other software held up to such a standard.
FTA: "We have verified this exploit against all supported Windows desktop versions, including Windows 10 Technical Preview."
The specific "Windows 10" aspect is click-bait; the exploit is for Windows
Well, I don't buy that part. When I first came across sysmon/regmon/procmon, I found it to be an amazing piece of work. An extremely small free standalone program that gave you a realtime insight into the OS? Heck, if I kept a list of people to hire, he would definitely be on it!
That thing was even 1/10 of the "hello world" Go program I compiled!!!*
*(~100Kb vs 1Mb) I know Garbage Collection adds a lot to size but its still a fun comparison.
Having said that, he was quite vocal at the time, and I personally think that he may have been a large part of the huge Vista -> Win7 improvements, although have no evidence to support this. The timing just seems about right.
I think MS just wanted to hire one of the best Windows hackers of all time, and they pounced as soon as they got a window of opportunity for whatever reason. Everything else was a bonus.
Great programs he produced though! Really really helpful. One of the first things I install on a new OS.
This sounds nonsensical, like folk history. You can already create a boot disk to do this using all Microsoft tools: Assuming the volume is not BitLocker'd it's pretty simple to do all of this stuff with WinPE , including the version that shipped in 2006, or with a Windows setup DVD. Or you could simply move the drive to a machine where you are an admin.
I am pretty sure they bought winternals because they wanted to hire MarkRuss.
... and they tasked him with this obnoxious and highly dispensable cloud computing project. Anything just to keep Mark shut up, ANYTHING.
and for a windows system, it needs to support a range of hardware configurations...Some could be really slow...
On my last count, you needed to swallow 11 different types of messages.
It's pretty core to the idea of Windows though. Kind of like a printer - I wouldn't be surprised if a printer driver was in the kernel. Or Age of Empires, which is a Microsoft property. Just load it into the kernel in case you need it and you don't need much DRM; if people end up buying it, it can get unlocked.
In essence I was agreeing that a microkernel is no place for a scroll bar!
I respect the NT kernel but it has visible warts. I will give you that they are not always the same warts as what people complain about on HN.
Personal attacks are not allowed on Hacker News, regardless of whether someone else is wrong.
I am more than happy to criticize Microsoft. I truly hate Windows and everything it represents. But the system seems to have worked here. The bug was reported and patched before it became a widespread issue. I'll save my venom for those all-too-common days where Microsoft fails to address a problem in a timely manner. (or also Apple, plenty of venom for them too.)
I'm hoping for an in-depth substantive analysis of the factors leading you to come to such a conclusion, but I don't want to take up a bunch of your time or make it seem like I'm asking you to justify anything.
I have never met anyone who truly likes windows. They tolerate it. They are used to it. But they never say "Yes, I am happy with this new version. The upgrade sure made my life easier!" I'd rather have my wisdom teeth re-installed and re-pulled than be part of another office transitioning from one version of windows to another.
I gave up on windows when, after buying a little netbook, I decided to give it a chance. I plugged in an MS-brand optical mouse and was told that windows needed to connect to the internet to download the driver to run the mouse. That was windows's last breath on any of my personal machines.
And death to docx.
I used to have the same "that upgrade DIDN'T make my life easier" with every new version of Fedora that I installed, until GNOME3, which completely removed any trace of productivity that I had.
I then ditched desktop Linux.
I don't think people enjoy new versions of anything (look at the backlash to Lion since Snow Leopard), there are still vocal complaints about Yosemite in OSX land.
My parents like Windows.
My brother likes Windows.
I use it daily and find it tolerable, like you.
But I think it would be naive to say that nobody likes Windows, don't you? Try giving any of my family or my wife my MacBook and see how angry they get in a short space of time.
>Windows is a proprietary ecosystem where choices are made for the benefit of microsoft's shareholders and nobody else.
All software distributors make choices for someone's benefit, maybe sometimes even for the users', but the difference with non proprietary ecosystems, like Linux, is that users can make their own choices if they don't like the ones made for them. Sometimes this requires coordinated effort (like forking gnome2) that can sometimes be so effortful it might as well be as out of reach as changing choices in the closed ecosystem, but many other times it's as simple as installing a different desktop environment through your distro's package manager. What if I don't like the new look of Windows or OS X? I can choose not to upgrade the entire platform, but that's it, unlike in Linux land where I can upgrade piecemeal. It's even worse if I don't like a webapp's new look -- I can't even use the old version. I can of course stop using it. Great choice that, when it's the only alternative to 'tolerate'.
I agree with you that it's silly to say no one genuinely in a non-fanboy way likes Windows. (I live with such a person.) Personally I find Windows intolerable for anything but playing games on Steam and NoMachining into a Linux workstation. If my day-job was programming C# applications, I'd probably tolerate Visual Studio too. If that was my hobby and all my time was with Windows, and I forgot all I know of the Linux world, and like my housemate I installed various 3rd-party tools to change the boneheaded choices Microsoft occasionally makes (this does make my last paragraph hyperbole) then I might even like Windows as a whole.
You underestimate the customisability of Windows. Its ecosystem is mostly proprietary and closed-source, but that didn't stop people from modding what they could - just look at all the "post your desktop" threads that appear in various forums and you'll see lots of examples that are barely recognisable as Windows anymore. A lot of these involve little more than copying/replacing a few files, or some registry editing, so it's actually not so difficult at all.
In fact I'd say that "upgrade piecemeal" with Linux is made more complex because of all the dependencies that often arise with various apps all wanting very specific versions of libraries, multiple competing standards that do not interoperate (count all the GUI toolkits...), and emphasis on portability that tends to reduce the availability of binaries.
Some people go as far as replacing the shell:
...or even removing/replacing more fundamental components:
As for OS X... I agree there's not much customisation going on there, but I'd attribute that more to the demographic of Apple users. If Apple had the same marketshare with Mac OS as Microsoft has with Windows, I bet there would be a ton more modding happening.
I've used both Windows and Linux, and can say that I like and hate both, but for different reasons.
You're right though - it's impossible to change the UI on OSX (other than grey or blue for the buttons, that is all, and now with a "dark" menubar which I like) and Windows is limited. I too keep my proper Windows dualboot partition for playing games (hurray for Homeworld Remastered this month eh!).
I think once we've been exposed to other OSes and use them daily for different things (I used to maintain racks of Linux and Windows servers of differing ages, some ancient machines along with new), the differences sort of fade and the rabid fanboyism for each OS gets wearisome. They each have their faults, their good points, and are all useful for getting stuff done, each with differing or potentially irritating approaches for doing that!
I myself sigh using Windows 8/8.1 and find Explorer under Windows 7 to be irritating compared to the XP one but that's just me and I should get used to it. It will be interesting to see what Windows 10 brings.
I like windows.
I wouldn't mind some elaboration on this point; I would think it's a step up from .doc at the least.
DocX has some silly compression built in. Microsoft pitched this to some large customers on the basis of all the disk space it would save. How large are text documents? Are they really in need of compression? Only the most massive of corporations see any appreciable reduction in storage needs over the old doc format.
Plenty of people felt that way about the Vista to Windows 7 upgrade. (fewer felt that way about the 7 to 8 transition)
Interestingly, I've seen a small group of Windows fanbois arise within the last couple of years. Very much like the Apple fanbois; just as irrational and quick to take offense at any criticism of MS and Windows.
But I agree with you that most people I know also tolerate windows. Some are even happy with it because they can do things with a computer that has windows.
That was until Windows 8 came out. I was surprised by the amount of hate windows 8 received, and it was well deserved IMHO. But then I was also surprised by the few people who didn't hate Windows 8, some even liked it. The fanbois.
Windows 8.1 is terrific on tablets and devices with touch screens. My wife loves it. I think most if not all the hate came from stuck-in-the-mud XP users, and from Windows 7 users with non-touch screens. Which is fair enough.
Those are, of course, the vast majority of Windows users, so -- even though most of them have never used it seriously -- they drown out the real Windows 8/8.1 users.
You can dismiss the vast majority of people who have that experience, but that would be ignoring the reality for most people. Fortunately for Microsoft, MS has decided to listen to the huge amount of complaints and get rid of the problematic interface.
I've always wondered what the win8/8.1 supporters would have MS do about the situation. Tell the vast majority of "unserious" users to suck it up, shut up, and use Win8? No change is necessary, you just have to get serious about using it? I'm asking because I don't understand the point of view of win8 supporters.
BTW, I really do think that there are MS fanbois out there. Not trying to be insulting or anything, just something that seems to be a new trend. Peace.
My point is that there is no discontinuity between lots of people loving Windows 8 on touch-based 2-in-1s and tablets and lots of people hating it -- or, more often, hating the idea of it -- on non-touch machines.
So, the solution is to retain the best parts of Windows 8 on touch-based devices while making it more usable on non-touch devices. Which is what Microsoft is doing.
Either way, you'll note that Windows 7 Pro is still available from Microsoft as a current product, and that it will be supported until 2020.
Does that mean if someone doesn't like Win8, they don't have any experience? Or they're not serious? Sounds like an insulting dig at people you don't agree with.
"My point is that there is no discontinuity between lots of people loving Windows 8 on touch-based 2-in-1s and tablets and lots of people hating it -- or, more often, hating the idea of it -- on non-touch machines."
??? Not sure what you're trying to say here.
"Windows 7 Pro is still available from Microsoft as a current product"
Good news if you don't want Win8 on your laptop/desktop. I guess you'll have peace when Windows 10 comes out, and you don't have to hear any negative comments about Windows 8.
Yes, I shouldn't insult people just because they're ignorant and can't be bothered to learn how to use Windows 8, which in my experience, is predominantly the case.
It's certainly usable on desktops etc without touch screens, but it's suboptimal on those systems, which is why I don't load it on them. That doesn't mean I can't use it and appreciate its qualities on touch-screen PCs.
CP/M (circa 1974) had a command line prompt like this:
Windows (circa 2014) has a command line prompt like this:
Basically the same after 40 years. Forty ... years. Same old totally obsolete "drive letter" file system architecture.
Although the comparison is to be obviously taken with a grain of salt, it is clear to old-timers like me that Windows has been ultra-conservative with advanced software technologies (modular filesystems, ZFS, etc...) and this has hurt tremendously the evolution of OS software "for the masses".
It does not require a big leap of faith to believe that we could have had a far more advanced <consumer> OS if Windows had not existed.
Quite a pity.
You can have filesystem drivers, filesystem filter drivers, and pseudo-filesystems. It's just that the documentation is buried in the DDK. And there isn't a "community" of users for Windows in the way there is for Open Source.
That's the cool thing, we don't really have a huge attachment or loyalty over any reasonable time frame. We use the best tools for the job. There's plenty of room for Microsoft to start providing incredible value to its developers.
I'm looking forward to containers on Windows. I'm looking forward to faster upgrades and better package management. I'm looking forward to seeing the best they can do. There's a lot of talent in there somewhere, I hope they let us see it.
Apparently, chromium - which uses seccomp on linux - uses ProcessSystemCallDisablePolicy on windows: https://src.chromium.org/chrome/branches/1312/src/sandbox/wi...
So it either wasn't found or they found it and continued to bake it in to the OS nonetheless. Which is better?
There's your problem right there.
The Windows API and all related systems are stable and mature.
And I'm saying this as an OSX user.
No, I'm saying that implementing scrollbar handling in the kernel is a bad idea. It's not something which requires privileged system access, and thus should be done in user mode where bugs like this won't lead to privilege escalation.
I think OSX got around this problem by removing scrollbars haha only kidding
You make an excellent point, sorry to misunderstand your original post.
I'm not sure if that's enough though, considering that, in general, the kernel can't assume anything passed to it by reference via a system call isn't mutated by another userland thread. Furthermore, even if everything were written in Rust, the kernel can't just trust that a userland process was actually compiled in a way that faithfully employed Rust's compile-time safety guarantees... so I think any notion of shared garbage collection is tricky without a program loader that did code verification.
Microsoft have done some work in this area with their Singularity and Midori projects. Singularity in particular eliminates hardware isolation between processes.
I think the simple answer here is that the kernel should be copying anything passed to it by reference if it intends to do anything beyond a single atomic read operation. This is why, on Linux for instance, send() can't return to user space until the data has been copied in to kernel controlled memory, and why we have nice things like splice() and sendfile() to deal with the performance hit of doing so for common cases.
One option would be for the kernel to temporarily mark the page(s) referenced as read-only, and do copy-on-write where necessary. This would prevent the (presumably) common case of not having the page modified by another thread while the kernel processes the data to not incur the delay of copying the data. Might only be worth it for larger amounts of data, though.
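The point made across the last few comments (a user thread can rewrite syscall arguments while the kernel is still looking at them, so the kernel must capture them once) is the classic double-fetch bug, and it is independent of what language the kernel is written in. The following is an added example for this page, not code from any kernel or from the commenters: a vulnerable handler that validates a length from user memory and then re-reads it when copying, beside the fixed handler that copies the header in once and uses only the private copy. The `struct user_request` layout, the 16-byte kernel buffer and the `race_hook_t` callback are assumptions made for the example; the hook stands in for the racing thread so the outcome is deterministic rather than a race that wins only some of the time.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE 16   /* the kernel-side buffer the handler may fill (assumed) */

/* Request header as it sits in user memory. Another user thread can
   rewrite it at any moment while the kernel is inside the syscall. */
struct user_request {
    uint32_t      len;
    unsigned char data[64];
};

/* Stands in for the racing user thread: the handlers invoke it at the point
   where a real race would have to land. Deterministic on purpose. */
typedef void (*race_hook_t)(struct user_request *req);
typedef int (*handler_fn)(struct user_request *, race_hook_t, unsigned char *, size_t *);

static void racer_bump_len(struct user_request *req) { req->len = 60; }

/* Vulnerable pattern (double fetch): len is validated from user memory,
   then read from user memory a second time when it is actually used. */
static int handle_double_fetch(struct user_request *req, race_hook_t race,
                               unsigned char *kbuf, size_t *copied)
{
    if (req->len > KBUF_SIZE) return -1;   /* fetch 1: check */
    if (race) race(req);                    /* the other thread runs here */
    size_t n = req->len;                    /* fetch 2: a different value */
    memcpy(kbuf, req->data, n);             /* real kernel: stack/pool overflow */
    *copied = n;
    return 0;
}

/* Safe pattern: capture the whole header into kernel memory once (the
   copy_from_user / probe-and-capture idiom), then validate and use only
   that copy. When the racer runs no longer matters. */
static int handle_copy_in(struct user_request *req, race_hook_t race,
                          unsigned char *kbuf, size_t *copied)
{
    struct user_request local;
    memcpy(&local, req, sizeof local);      /* the single read of user memory */
    if (race) race(req);                    /* too late: *req is never consulted again */
    if (local.len > KBUF_SIZE) return -1;
    memcpy(kbuf, local.data, local.len);
    *copied = local.len;
    return 0;
}

/* Drives one handler with a request that is valid (len 8) when checked and
   bumped to 60 by the racer. Returns bytes copied, or (size_t)-1 if the
   handler rejected the request. *clobbered is set to 1 if any byte beyond
   KBUF_SIZE in the guard region was written. */
static size_t run_race(handler_fn handler, int *clobbered)
{
    struct user_request req;
    memset(&req, 0, sizeof req);
    req.len = 8;
    memset(req.data, 'A', sizeof req.data);

    unsigned char guarded[sizeof req.data];   /* KBUF_SIZE bytes + guard, all 0xCC */
    memset(guarded, 0xCC, sizeof guarded);

    size_t copied = 0;
    int rc = handler(&req, racer_bump_len, guarded, &copied);

    *clobbered = 0;
    for (size_t i = KBUF_SIZE; i < sizeof guarded; i++)
        if (guarded[i] != 0xCC) *clobbered = 1;
    return rc == 0 ? copied : (size_t)-1;
}

static int race_clobbers(handler_fn handler)
{
    int c = 0;
    run_race(handler, &c);
    return c;
}

int main(void)
{
    int c;
    size_t n = run_race(handle_double_fetch, &c);
    printf("double fetch: copied %zu bytes, guard clobbered=%d\n", n, c);
    n = run_race(handle_copy_in, &c);
    printf("copy-in:      copied %zu bytes, guard clobbered=%d\n", n, c);
    return 0;
}
```

The guard region stands in for whatever sits after the kernel buffer; with the double fetch the handler copies 60 bytes into a 16-byte allocation, with the capture-once version it copies the 8 bytes it validated. Marking the page read-only or copy-on-write, as suggested above, would also close the window, but the simpler discipline is that user memory is read exactly once per value and everything after that works from the kernel's own copy.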
Rust is memory-safe so assuming the rust implementation is correct, it should never lead to executing user data. OTOH there have been plenty of e.g. JVM exploits over the years, which were mitigated by DEP, and the JVM offers the same kind of safety guarantees.
Rust would help as long as unsafe code blocks aren't exposed to the outside world. Which still seems a bit hard to accomplish, as many Github projects suffer from unsafe overdose.
However, even memory safe languages suffer from logical errors.
I have used flawfinder, cppcheck and Xcode (clang's) analysis which has helped me find issues.
Wait, now I'm confused... was it a single bit, or an entire word that triggers this bug? ;)