Windows Media Player 9 is a security risk

Discussion in 'Digital Photography' started by Steve Young, Oct 22, 2003.

  1. Steve Young

    Mxsmanic Guest

    Nor I. It did match and surpass the old Mac OS, but since the old Mac
    OS was a fossil that Apple kept on life support long after it should
    have died, that is no surprise. Even the last versions of the consumer
    Windows were poorly written, at least to the eyes of someone who has
    seen (and produced) well-written code.
    A lot of Windows applications depend on the lack of security that
    consumer versions of the OS provide. They like being able to directly
    access hardware or capture the mouse even when it isn't in their window,
    and so on. But NT doesn't allow these things, as they destabilize the
    system and breach security. So many, many things routinely used by
    Windows applications (unless they were written with great discipline)
    are unavailable in NT systems. That was a constant complaint in the
    early days, from users who wanted the security and stability of NT but
    were unwilling to part with their insecure, unstable consumer
    applications. You can't have both.

    Recent versions of NT-based operating systems have been compromised in
    security and stability in order to increase compatibility with the
    aforementioned applications. DirectX is one example of this. Windows
    Explorer is another. The formerly separate GUI and Win32 subsystems
    have had more hooks placed in the kernel, improving performance but
    reducing stability and security. And so on. Microsoft is still aiming
    for the desktop, but I don't think it realizes that.
    KB = Knowledge Base, in this context
     
    Mxsmanic, Nov 1, 2003
    1. Advertisements

  2. Steve Young

    Mxsmanic Guest

    The fact that he would even mistake passwords for his IP reveals how
    clueless he was.
    I run verified backups on my home machines, and any error in
    verification requires investigation. I haven't found any way to run
    verified backups on UNIX, though, so I have to run those unverified.
    I've always been able to restore from backup without problems, though.
    Of course I still require that the backups complete successfully, at
    least.
    Well-designed operating systems and applications allow for online
    backups, or incremental backups that can be completed very rapidly.
    How did you roll back any updates made by the previous run that aborted?
    Some people have to learn the hard way.
    The only excuse I was ever given was that all those ASPs and scripts
    were necessary in order to collect statistics. Why this had to be done
    with active content, instead of just by analyzing the logs in the way
    that every other Web site in the world does, was not explained. The
    webmasters had extremely fast machines connected via extremely fast
    pipes to the servers, and so they didn't realize how slowly the pages
    downloaded or how long the browsers took to render them under normal
    circumstances. All of these design problems persist today.
     
    Mxsmanic, Nov 1, 2003
    1. Advertisements

  3. In not so many words, I told him the same. The boss and ex-admin
    played tit-for-tat for a few days, and the ex-admin told the boss he
    might could figure them out with some obscene consulting fee, at which
    time the attorney got call into play. The ex-admin, a very good friend
    of mine, called me and asked me what the heck was going on, as the
    boss was attacking him with criminal and civil charges. He argued for
    a bit that it was his IP, and I couldn't argue against him. I made my
    point by suggesting he contact an attorney and see what they thought.
    He had the passwords delivered by registered USMail, email, and
    hand-delivery first thing the next morning.
    I back up my data sets to CDR. Given the OS I use, I don't back it up.
    Everything I archive I verify using custom software.

    With Xenix we used an app known as CTAR, which worked well.
    Does XP provide such a thing? Nothing stands out that I recall.
    Aborted runs weren't a problem, only hardware crashes. My apps ran a
    lot like some of the unix apps, that being they accepted one file for
    input, and wrote the results to another file. This kept critical data
    from getting hammered in the event of an error, and was necessary as
    there was no way the dataset would reside entirely in memory, at least
    at the beginning of the system's life-cycle.
    I saw a guy in tears one day because three years worth of data quite
    literally went up in smoke when we were servicing his computer. He
    brought it in for a hard drive replacement, as it started "making
    funny noises." He was an accountant, and had a ton of customer's data
    on the hard drive. He purchased a tape unit immediately thereafter,
    but those Colorado Memory Systems drives were always crap, IMO.
    You have to love the logic of someone who surfs through a LAN what the
    outside world sees on a much slower connection. Unless I'm on
    broadband, I usually try to stay away from sites like that.

    Sad they couldn't figure out what was going on from log analysis.
    Though I wasn't running an e-business, I did run Apache on my cable
    modem equipped PC for some time, and I could tell very quickly what
    most people found interesting from the logs. Even wrote a script that
    allowed users to see and surf my site's pages ranked by popularity.
     
    David W. Poole, Jr., Nov 1, 2003
  4. I often made the comment that had I written code like that for the
    consumer level of Windows, I would not have had my job much longer
    than a year.
    It's been so long since I've followed the rags that report on stuff of
    this nature I've forgotten about the security/design issues. Given my
    current development platform, I'm wondering if I even need to consider
    supporting 9x and it's ilk. If so, I'm going to have to put together
    another machine for testing purposes, but I don't know if the effort
    is worth it. I know from limited experience that the apps I write seem
    to work on 98SE and 95 machines, as well as XP home, but have
    difficulties on ME. Of course, I'm not doing anything fancy, yet.
    I remember reading about the compromises made for DirectX, but didn't
    realize Explorer fell into this category, too. Strange, as I'm an avid
    fan of ACDSee, using it to perform my file maintenance operations. It
    doesn't seem to me (except for the explorer serving as the OS UI) that
    security issues would be necessary for explorer. Why/what is the
    nature of the compromises for explorer?
    Ah, ok. So many acronyms, so few living and functional brain cells.
    :-D
     
    David W. Poole, Jr., Nov 1, 2003
  5. Steve Young

    Mxsmanic Guest

    Beginning with NT 4.0, it was too closely integrated into the system,
    and it accepts hooks and add-ons and plug-ins. As a result, lots of
    third-party stuff can hang or crash Explorer, and since Explorer has so
    many hooks in the kernel, that can effectively hang the OS, too.
    Usually the OS does continue to run, you just can't do anything with it
    because Explorer and its add-ons have hosed the GUI.
     
    Mxsmanic, Nov 1, 2003
  6. Steve Young

    Mxsmanic Guest

    The pro edition might; I don't think the home edition does.

    I copy my essential stuff to my NT and UNIX servers, both of which have
    DAT drives, and they do the back-ups.
    I'm not sure that they ever look at logs.
     
    Mxsmanic, Nov 1, 2003
  7. This makes sense. I see Explorer loose it from time to time, and all
    of the desktop icons have to be repainted. I haven't thought about the
    shell Exploder hooks being a source of problems; thanks for pointing
    that out.
     
    David W. Poole, Jr., Nov 1, 2003
  8. Good point. And I ain't about to pay for the pro version of this
    disaster.
    Makes sense. Unfortunately I don't have the resources for DAT drives,
    and given my experiences with those el-cheapo tape drives for the PC
    ala Colorado Memory Systems, I won't be backing up to those, either.

    I back up to CDR when the whim/content hits me, which includes a great
    deal of disparate content. I try to pack the CDRs efficiently. Most of
    this content is MP3s I've ripped, images acquired from various digital
    cameras or scanners, or downloaded content, usually textual. Given the
    varying rate at which I acquire stuff, stuff goes unburned for maybe a
    couple of weeks. Verification involves a file comparison with the hard
    drive and CDR, and files passing verification are deleted (this may
    have been the previously mentioned "locked file" issue.) The next disc
    I burn will be joining it's 1174 siblings. :)
    You gotta if you want to know why people are coming and what they're
    coming for! :)
     
    David W. Poole, Jr., Nov 1, 2003
  9. Steve Young

    Mxsmanic Guest

    Nor am I. XP is not a bad OS, but the pro edition costs too much, and
    it's just the same code base with a few switches changed.
    You should have bought this stuff while you still had a good job.
    I archive photos to CD-R mainly. Sometimes other stuff.
    Not if every page is an ASP.
     
    Mxsmanic, Nov 2, 2003
  10. Steve Young

    Ron Hunter Guest

    When Explorer crashes on WinXP (which it does often), nothing much
    happens. WinXP reloads the necessary tray applications, and the OS
    continues. Rarely it is necessary to log off the active user.
     
    Ron Hunter, Nov 2, 2003
  11. A reasonable amount of the time I end up with a desktop that is
    displaying no icons, and not responding to anything.
     
    David W. Poole, Jr., Nov 2, 2003
  12. Steve Young

    Ron Hunter Guest

    Never seen that here. May have to do with settings somewhere.
     
    Ron Hunter, Nov 2, 2003
  13. Steve Young

    Mxsmanic Guest

    I've never had a crash of Explorer on Win XP.

    Note that Explorer essentially never crashes by itself. It crashes
    because some other application has hooked into it, and that application
    is buggy. Since Explorer has to be running to have a taskbar, though, a
    crash of Explorer is serious--it's an "optional required" application,
    of the type so common in poorly written consumer operating systems.
    Usually restarting Explorer works, but it may not work exactly the same
    way after a restart as it did before, depending on the other
    applications hooked into it.
     
    Mxsmanic, Nov 2, 2003
  14. Steve Young

    Mxsmanic Guest

    Even Ctrl-Alt-Del?
     
    Mxsmanic, Nov 2, 2003
  15. The instance of explorer that manages the desktop is what gives me
    problems on occasion. I prefer an old version of ACDSee for file
    management operations. The 'desktop' goes down several times a day,
    but I can't pin it down to the use of any one particular app that
    causes this.
    Interesting; I'll keep this in mind as I try to locate the offending
    app(s) that cause my system grief.
    Most of the time the system fares ok as it will restart Exploder on
    it's own. Rarely do I have to restart the machine using a power-cycle.
     
    David W. Poole, Jr., Nov 2, 2003
  16. Yup; task manager won't launch, either, when it goes off the deep end.
    Have to reach for the old power button.
     
    David W. Poole, Jr., Nov 2, 2003
  17. Steve Young

    Ron Hunter Guest

    I have Explorer set to restart when it crashes and usually have no
    trouble afterwards. As for crashing, it does this EVERY TIME I access
    my wife's computer through the network. As soon as Win98SE stops
    communicating, down it goes.
     
    Ron Hunter, Nov 2, 2003
  18. Steve Young

    Ron Hunter Guest

    Do you have a USB mouse or keyboard? That symptom happens more often to
    those who do as the USB drivers aren't as robust as the regular drivers
    for these devices.
     
    Ron Hunter, Nov 2, 2003
  19. Steve Young

    Mxsmanic Guest

    I'm not sure that I've _ever_ seen that in Windows XP. If I have, it
    would have been with a driver problem, I think.

    However, Windows XP isn't as good about catching the Ctrl-Alt-Del as
    earlier versions of Windows NT were. On the original Windows NT,
    _nothing_ would stop a Ctrl-Alt-Del; it was indeed the "secure attention
    signal" (a signal that no process can catch) that it was intended to be.

    Secure attention signals are a requirement for any secure operating
    system--there must be some sort of signal that no application can ever
    trap, so that you know you are talking to the system, not a trojan
    horse. Usually secure attention is used mainly for login and logout.
     
    Mxsmanic, Nov 2, 2003
  20. Steve Young

    Mxsmanic Guest

    Look through Explorer and see if you can find any add-ons, like unusual
    icons in the folder tree, unusual displays for folder contents, etc.
    These are usually apps that have hooked Explorer, and they often are
    buggy.

    The other possibility is a bad driver, as always. For ages I was
    getting occasional BSOD on NT that I was sure were coming from a network
    device, but I never was able to pin it down until I went from ISDN to
    ADSL and a router, at which point the BSODs disappeared. I now think
    that the Eicon ISDN drivers were buggy. They are still installed but
    they never get called now, thank goodness.
    Like I said, examine the folder tree, folder contents pane, and taskbar.
    Also look in the task list for the system and note any unusual processes
    running that may be hooked into Explorer. Often the names have "tray"
    in them, although this is not a requirement (PGPTray, AcroTray, etc.).
    I'm not sure if I've ever cycled my XP machine. I think that in six
    years I may have cycled the NT machine only a handful of times. In all
    cases, it was never the OS that screwed up, but always some other
    program, usually a driver or privileged program, sometimes an ordinary
    app exposing holes in the later versions of NT-based systems that
    sacrifice stability for compatibility.
     
    Mxsmanic, Nov 2, 2003
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.