From: Paul Baker [MVP, Windows Desktop Experience] on 13 Jan 2010 08:57

Borland Delphi 7 does not mark its SOAP client code executable, therefore it violates DEP :)

Reports on the Internet suggest this was fixed in Delphi 2009, but I cannot find a record of it in Embarcadero QC.

"Remy Lebeau" <no.spam(a)no.spam.com> wrote in message news:e%23ZzPwvjKHA.2160(a)TK2MSFTNGP02.phx.gbl...
> Dynamically allocating a thunk is not bad code. There are plenty of valid
> usages for it (Borland's VCL uses it for its window procedures, for
> instance). Allocating a memory block that is specifically intended
> for running executable code (has PAGE_EXECUTE_... flags applied to it) is
> not disallowed by either UAC or DEP. DEP prevents non-executable memory
> from running executable code. It does not
> block intentionally-executable memory.
>
> --
> Remy Lebeau (TeamB)
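Remy's distinction between non-executable memory and memory deliberately marked executable, in an added C example that is not from the thread, from Borland or from Embarcadero: a constructed "return 42" thunk is copied into a fresh page and called twice, once after flipping the page to read+execute (the W^X pattern a thunk allocator should follow; VirtualAlloc/VirtualProtect with PAGE_EXECUTE_READ are the Windows equivalents) and once left read+write, where the NX bit that DEP relies on faults the call. It uses POSIX mmap/mprotect so it runs on Linux x86-64 or aarch64; run_thunk, on_fault and the byte sequences are my own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed thunk: machine code for "return 42" on the host CPU. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char THUNK[] = {0xb8, 0x2a, 0, 0, 0, 0xc3};                     /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char THUNK[] = {0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6}; /* mov w0,#42 ; ret */
#else
#error "thunk bytes are provided for x86 and aarch64 only"
#endif

static sigjmp_buf fault_return;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_return, 1); }

/* Copies the thunk into a fresh read+write page and calls it. With make_executable
 * the page is first flipped to read+execute (the W^X pattern; VirtualProtect with
 * PAGE_EXECUTE_READ on Windows). Returns 42 when the call ran, -1 when the NX bit
 * that DEP relies on refused to execute the non-executable page, -2 on an error. */
int run_thunk(int make_executable) {
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -2;
    memcpy(mem, THUNK, sizeof THUNK);
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof THUNK); /* needed on ARM */
    if (make_executable && mprotect(mem, page, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, page);
        return -2;
    }
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);        /* some platforms report the fault as SIGBUS */
    volatile int result = -1;                /* stays -1 if the call faults */
    if (sigsetjmp(fault_return, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &mem, sizeof fn);        /* avoids the data-to-function pointer cast */
        result = fn();
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(mem, page);
    return result;
}
```

The second call is the situation Paul describes for Delphi 7's SOAP client: a thunk on a page that was never marked executable only works while DEP is off for that process.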
From: Hector Santos on 15 Jan 2010 23:32

Wilson, Phil wrote:
> The issue with installer programs is that you can't fix them. The only
> way a company can correct the fact that "Wonderful Software 2.0" (that
> you bought in 2005) won't install because of an elevation issue (in its
> setup.exe) is to ship you another install image or CD, and that's not
> realistically going to happen. The MS solutions to this include things
> like installer elevation, and compatibility settings so that, for
> example, "Wonderful Software 2.0" thinks it's installing on XP and not
> Vista.
>
> Security is never about just one thing that could be circumvented. The
> overall strategy is about defense in depth, and UAC, DEP, service
> session isolation, firewalls, encryption, secure DCOM, and so on are
> some of the pieces that help. It's also relevant that the recent Security
> Intelligence Report (SIR) shows that the vast majority of attacks are no
> longer directed at the OS or the browser, but at 3rd party apps, and
> that means that the good guys need to use these tools. I don't know what
> your app is, but I assume that the last thing any of us needs is a
> published security vulnerability.

In the past week, we got two reports:

1) Customer having trouble reinstalling from CD on his new Windows 7
   machine. His version is OLD, which had the old InstallShield 16-bit
   initial Setup.exe. I think it might still, but I don't know, as we
   use INNO today. We told him to update or CALL MICROSOFT.

2) On Friday, today, a report of a customer updating to XP SP3 that
   added two security patches. Once done, our RPC server could no
   longer start. He had a 1-year-old version of our server with no
   expectation of failure related to any RPC issue. We told him to
   CALL MICROSOFT! The customer's decision was to FIRST revert to a
   backed-up version of XP before the update was done.

In fact, we put out a notice for ALL our customers to begin calling
MICROSOFT for any issue they see related to OS updates. We are not going
to swallow the cost on this, and if this continues I am seriously
contemplating contacting the FCC for antitrust violations. This is not a
laughing matter. While no one here needs to know any of this, MS's
increasing behavior of breaking well-established applications in the name
of solving their own security problems, and possibly using the
opportunity to break WIN32 compatibility to force customers to upgrade, is
unacceptable.

--
HLS
From: David Craig on 16 Jan 2010 01:20

I wonder what the Federal Communications Commission has to do with antitrust activities other than they claim exclusive rights over all the broadcast spectrum.

"Hector Santos" <sant9442(a)nospam.gmail.com> wrote in message news:uYeN8TmlKHA.3128(a)TK2MSFTNGP02.phx.gbl...
> Wilson, Phil wrote:
>
>> The issue with installer programs is that you can't fix them. The only
>> way a company can correct the fact that "Wonderful Software 2.0" (that
>> you bought in 2005) won't install because of an elevation issue (in its
>> setup.exe) is to ship you another install image or CD, and that's not
>> realistically going to happen. The MS solutions to this include things
>> like installer elevation, and compatibility settings so that, for
>> example, "Wonderful Software 2.0" thinks it's installing on XP and not
>> Vista.
>>
>> Security is never about just one thing that could be circumvented. The
>> overall strategy is about defense in depth, and UAC, DEP, service session
>> isolation, firewalls, encryption, secure DCOM, and so on are some of the
>> pieces that help. It's also relevant that the recent Security Intelligence
>> Report (SIR) shows that the vast majority of attacks are no longer
>> directed at the OS or the browser, but at 3rd party apps, and that means
>> that the good guys need to use these tools. I don't know what your app
>> is, but I assume that the last thing any of us needs is a published
>> security vulnerability.
>
>
> In the past week, we got two reports:
>
> 1) Customer having trouble reinstalling from CD on his new Windows 7
>    machine. His version is OLD, which had the old InstallShield 16-bit
>    initial Setup.exe. I think it might still, but I don't know, as we
>    use INNO today. We told him to update or CALL MICROSOFT.
>
> 2) On Friday, today, a report of a customer updating to XP SP3 that
>    added two security patches. Once done, our RPC server could no
>    longer start. He had a 1-year-old version of our server with no
>    expectation of failure related to any RPC issue. We told him to
>    CALL MICROSOFT! The customer's decision was to FIRST revert to a
>    backed-up version of XP before the update was done.
>
> In fact, we put out a notice for ALL our customers to begin calling
> MICROSOFT for any issue they see related to OS updates. We are not going
> to swallow the cost on this, and if this continues I am seriously
> contemplating contacting the FCC for antitrust violations. This is not a
> laughing matter. While no one here needs to know any of this, MS's
> increasing behavior of breaking well-established applications in the name
> of solving their own security problems, and possibly using the
> opportunity to break WIN32 compatibility to force customers to upgrade, is
> unacceptable.
>
> --
> HLS
From: Hector Santos on 16 Jan 2010 02:24

Touché with the typo. Bye.

David Craig wrote:
> I wonder what the Federal Communications Commission has to do with antitrust
> activities other than they claim exclusive rights over all the broadcast
> spectrum.
>
> "Hector Santos" <sant9442(a)nospam.gmail.com> wrote in message
> news:uYeN8TmlKHA.3128(a)TK2MSFTNGP02.phx.gbl...
>> Wilson, Phil wrote:
>>
>>> The issue with installer programs is that you can't fix them. The only
>>> way a company can correct the fact that "Wonderful Software 2.0" (that
>>> you bought in 2005) won't install because of an elevation issue (in its
>>> setup.exe) is to ship you another install image or CD, and that's not
>>> realistically going to happen. The MS solutions to this include things
>>> like installer elevation, and compatibility settings so that, for
>>> example, "Wonderful Software 2.0" thinks it's installing on XP and not
>>> Vista.
>>>
>>> Security is never about just one thing that could be circumvented. The
>>> overall strategy is about defense in depth, and UAC, DEP, service session
>>> isolation, firewalls, encryption, secure DCOM, and so on are some of the
>>> pieces that help. It's also relevant that the recent Security Intelligence
>>> Report (SIR) shows that the vast majority of attacks are no longer
>>> directed at the OS or the browser, but at 3rd party apps, and that means
>>> that the good guys need to use these tools. I don't know what your app
>>> is, but I assume that the last thing any of us needs is a published
>>> security vulnerability.
>>
>> In the past week, we got two reports:
>>
>> 1) Customer having trouble reinstalling from CD on his new Windows 7
>>    machine. His version is OLD, which had the old InstallShield 16-bit
>>    initial Setup.exe. I think it might still, but I don't know, as we
>>    use INNO today. We told him to update or CALL MICROSOFT.
>>
>> 2) On Friday, today, a report of a customer updating to XP SP3 that
>>    added two security patches. Once done, our RPC server could no
>>    longer start. He had a 1-year-old version of our server with no
>>    expectation of failure related to any RPC issue. We told him to
>>    CALL MICROSOFT! The customer's decision was to FIRST revert to a
>>    backed-up version of XP before the update was done.
>>
>> In fact, we put out a notice for ALL our customers to begin calling
>> MICROSOFT for any issue they see related to OS updates. We are not going
>> to swallow the cost on this, and if this continues I am seriously
>> contemplating contacting the FCC for antitrust violations. This is not a
>> laughing matter. While no one here needs to know any of this, MS's
>> increasing behavior of breaking well-established applications in the name
>> of solving their own security problems, and possibly using the
>> opportunity to break WIN32 compatibility to force customers to upgrade, is
>> unacceptable.
>>
>> --
>> HLS
>
>

--
HLS
From: Alexander Grigoriev on 16 Jan 2010 12:01

"Hector Santos" <sant9442(a)nospam.gmail.com> wrote in message news:uYeN8TmlKHA.3128(a)TK2MSFTNGP02.phx.gbl...
>
> In fact, we put out a notice for ALL our customers to begin calling
> MICROSOFT for any issue they see related to OS updates. We are not going
> to swallow the cost on this, and if this continues I am seriously
> contemplating contacting the FCC for antitrust violations. This is not a
> laughing matter. While no one here needs to know any of this, MS's
> increasing behavior of breaking well-established applications in the name
> of solving their own security problems, and possibly using the
> opportunity to break WIN32 compatibility to force customers to upgrade, is
> unacceptable.
>
> --
> HLS

Microsoft goes to great lengths to avoid breaking applications, even buggy ones. But it can't do that for all buggy apps. Programmers make all kinds of wrong assumptions that only hold true in the particular OS version. And sometimes they have to break compatibility because of security concerns. I suspect your RPC issue is because of that.

I remember the CEO of RealMedia testified at an antitrust hearing that MS intentionally broke their software. In the end it was found that the issue was in the app in question. Go figure.