Redmond is patching Windows 8 but NOT Windows 7, say security bods

Microsoft has left Windows 7 exposed by only applying patches to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day …

COMMENTS

  1. Christoph

    Interesting. They announced the end of security patches for Windows XP with years of advance warning and fanfare, so they obviously thought it extremely important to warn users about it.

    Which gives them a lot to explain if they've ended Windows 7 security support on the quiet a few days later.

    1. NumptyScrub

      Or potentially they just decided not to add extra functions to Windows 7, that they did add to Win8:

      quote from the article: "Why is it that Microsoft inserted a safe function into Windows 8 [but not] Windows 7? The answer is money - Microsoft does not want to waste development time on older operating systems ... and they want people to move to higher operating systems," Joseph said in a presentation at the Troopers14 conference.

      The fact that these extra functions are aimed at developers, and as far as I can tell are intended to provide bounds checked variables (e.g. protected against buffer overflow shenanigans) could be cause for some concern. It does not count as a fix of existing broken functionality though, so I don't see how it would qualify as MS "ending support" for Win7 if they chose not to add these extras to all existing OSs of theirs.

      1. Suricou Raven

        But wouldn't any software developed to use these functions then be unable to run on Windows 7? Perhaps that is Microsoft's real motivation. It will increase the amount of 'Windows 8 only' software developed.

        1. Anonymous Coward

          "... unable to run on Windows 7?"

          Those are not OS APIs. Those are simply C SDK library functions an application can call - as long as they are inlined, statically linked or the proper C runtime libraries are deployed, the application will work.

    2. big_D Silver badge

      You did know that Windows 7 introduced a lot of new safety features that were never backported to Windows XP, didn't you?

      Google do the same with Android and ChromeOS, Apple the same with iOS and OS X, the Linux community as well.

      The world moves on and each new iteration of a platform introduces new safety features that the old one does not have. They don't get them because they are no longer current and the architecture in the newer versions includes extra hooks which are missing in the older versions, so the new safety features can't simply be backported.

      I think it is disgusting, Toyota improved the safety features in the new Verso and they won't build them into my 2010 model for free!

      1. John Savard

        It's pretty easy to replace the old version of Linux with a new version. Since Microsoft charges quite a bit for operating system upgrades, and, furthermore, newer versions of their operating systems do not have the same hardware requirements as older versions (I ran Windows 3.1 under DOS without problems on a 386 with 2 Megabytes of RAM; can I upgrade to Windows 8?) failure to correct mistakes they made in the software when they released it which allow unauthorized misuse of people's computers is a problem.

        Windows XP shouldn't have had any mistakes in it, any possible exploits, and since it did, that was Microsoft's fault, therefore Microsoft should have to fix them. Until Microsoft finally gets it right.

        Unlike putting safety features in cars, after all, no physical parts that are made of metal that costs money are involved. They can just write the patches once, although I have to admit there's no easy way for Microsoft to let someone else bear the expense of hosting them, given the Windows Update mechanism.

        1. big_D Silver badge

          @John Savard

          Easy to replace the old version of Linux? Not so easy. We still have customers running SUSE 6.0, because the software they rely on was written for that Kernel and they are unwilling to pay the supplier for an upgrade to a newer version.

          Likewise, Linux used to run on a 386 with a couple of MB RAM as well. Good luck getting Ubuntu on anything that small or with a processor with that architecture.

          The core of Windows XP was developed before the Internet. And due to poorly written 9x software, they couldn't turn on the security it did support without breaking everything. Because people carried on using Administrator accounts, the situation didn't improve for a long time. Plus you are talking about millions of lines of code written by humans! Even a short story published to Amazon is going to have lots of spelling mistakes. Heck, living in Germany, I look at some of the translations that are done to classic novels and I can only shake my head at the mistakes and inconsistencies in translation that some publishers make. Computer code is a lot more complex. You will never get it 100% bug free and 100% safe, not in our lifetimes - unless you manage to find an infinite number of monkeys and can convince them to work on XP instead of Shakespeare...

          And if it were the case, that the OS had to be 100% bug free before it could be released, we would probably still be using MS-DOS or we might have made it to Windows 3.1. Linux would also still probably be awaiting its first "stable" release. Code is made to the best standards we can and at some point somebody has to take a decision, "is it stable enough, good enough to be released?" The same goes for most industries, just look at the number of car safety recalls, cars are death traps and should never be let on the road!

          Unlike putting safety features in cars, after all, no physical parts that are made of metal that costs money are involved.

          So all those thousands of programmers working at Microsoft to fix the bugs and come up with new methods are working for free?

          1. Ian 55

            "The core of Windows XP was developed before the Internet."

            Really?

            "Not to be confused with the World Wide Web", as WP's page on the Internet says at the top.

            Even Windows 95 was developed after the Web.

            1. big_D Silver badge

              Re: "The core of Windows XP was developed before the Internet."

              The development of NT was begun before Windows 95 and before PCs were generally put on the Internet.

              1. Anonymous Coward

                Re: "The core of Windows XP was developed before the Internet."

                Before Microsoft had realised the Internet was going to be a thing...

              2. Charles Manning

                Re: "The core of Windows XP was developed before the Internet."

                "The development of NT was begun before Windows 95 and before PCs were generally put on the Internet."

                Not quite.

                It was begun before Microsoft acknowledged they'd lost this battle.

                Before then Microsoft was trying to get people cloistered in Microsoft proprietary protocols (NetBIOS, SMB,...).

                1. Anonymous Coward

                  Re: "The core of Windows XP was developed before the Internet."

                  It looks like you have no clue about protocols... what they do and where they are used.

              3. Tom 13

                Re: "The core of Windows XP was developed before the Internet."

                The development of NT was begun before Windows 95

                While hyper-technically correct, your shifting ground shows the faultiness of your original statement.

                Generally when one speaks of the "core of XP" that means Windows 2000, which yes, was built on the NT kernel begun way way back with Windows NT 3.5. But the shifts from 3.5 to 4, to 2000 are so significant that when you speak of the kernel you actually call it out. By NT4.0 MS had already realized the internet was not going to be the fading fad Bill Gates confidently predicted it would be. That's pretty much what the whole IE monopoly case was all about, and that centers around Windows 95B-D/98. Gates shit a brick when he realized what a colossal mistake he'd made and reached for his monopoly power to fix it. With the help of a daft judge and an incompetent prosecution he managed to slip through.

                1. big_D Silver badge

                  Re: "The core of Windows XP was developed before the Internet."

                  @Tom

                  Correct, I was simplifying the whole thing for brevity. You are correct, but the development of NT started at a time when the Internet was reserved for a few mainframes and the odd PC connecting via modem. How many PCs back then were internet connected? A couple of percent?

                  They weren't designed with that level of security in mind. The systems were designed to be secure on a closed network, where the biggest risk was a rogue employee, so buffer overruns etc. were the least of the worries, as were firewalls etc.

                  Security has been slapped on in layers as each new layer has shown its cracks.

                  Mix that in with purposely weakening the default security on XP so that poorly written 9x code would run on it - such as making the standard user also an administrator, something which every best practice book says you should never do - and you have a system that was never designed to be let loose on the Internet.

                  Each newer version has tightened up the security at the expense of the ability to run unsecured or poorly written legacy code.

      2. Anonymous Coward

        Actually, the Linux guys usually do backport security fixes. Possibly more importantly, they also don't charge for the next version.

        Hey look at that! You got a free Toyota 2010 model, a free Verso upgrade but are left with a rather broken car analogy.

        Not that it has anything to do with what MS are doing.

      3. Anonymous Coward

        "I think it is disgusting, Toyota improved the safety features in the new Verso and they won't build them into my 2010 model for free!"

        Right, because backporting lines of code in an IDE and recompiling is really on the same level of difficulty as designing and then physically adding new hardware to millions of vehicles isn't it.

        Idiot.

        1. h4rm0ny

          >>"Right, because backporting lines of code in an IDE and recompiling is really on the same level of difficulty as designing and then physically adding new hardware to millions of vehicles isn't it. Idiot."

          You're either not a programmer, have never worked at Systems level programming or you have management that never do regression testing or impose timescales.

          1. Anonymous Coward

            >You're either not a programmer, have never worked at Systems level programming or you have

            >management that never do regression testing or impose timescales.

            LOL! My friend - I've done unix systems programming for over 20 years - I probably read Stevens when you were still in short trousers. I've also done mechanics. Believe me - designing a fix for a vehicle when there are structural, safety, efficiency and space considerations to take into account, not to mention the warranty to consider if you feck it up and the owners want a replacement - is a lot harder than updating and testing some software which has to worry about none of the above.

            1. h4rm0ny

              >>"LOL! My friend - I've done unix systems programming for over 20 years - I probably read Stevens when you were still in short trousers"

              If you really want to go with the "I'm right because I'm an expert" argument with a side of sneering dismissal of the other person as inexperienced, then I'm actually about the same career-wise. UNIX programmer about fifteen years ago, still do some programming today though I've dipped in and out of management for the last ten years in between programming contracts. And what I said was absolutely right. What you wrote was rubbish - to dismiss backporting code to earlier OS versions. You ignore finite resource, regression testing.

              And your response is essentially to try and claim superior experience over someone you don't even know and to build up your car metaphor even further - as if by showing difficulties with cars you can argue that deep-level OS changes are trivial.

              I'm honestly inclined to call bullshit on your whole bigging yourself up.

              1. Anonymous Coward

                "I'm honestly inclined to call bullshit on your whole bigging yourself up."

                If you actually had a clue about designing mechanical systems I might take some notice of your sad little hurt pride rant. However clearly you don't and obviously don't know anything outside of software (and as for implying working project management gives you more of a heads up - oh please) so don't even pretend to be able to make a valid statement on the difference.

                Testing and releasing system software is a walk in the park compared to releasing safety critical new hardware. This is a fact and it is NOT up for debate. Now go back to your Gantt charts and powerpoint presentations where clearly you belong.

        2. Anonymous Coward

          @boltar

          "Idiot."

          Well signed that man!

      4. Think ...

        But what about an upgrade path ?

        It's my understanding that Windows 8.1 could not be upgraded to directly from Windows 7. My last upgrade was from 7 to 8 to 8.1 ! How can Microsoft just abandon Windows 7 users ? Oh yeah, their answer to everything, wipe the drive (data, applications & configurations) and DO A "CLEAN INSTALL" .. YOU KNOW WE'RE THE CUSTOMER; WE ALL HAVE PLENTY OF FREE TIME TO KILL !

    3. david 12 Silver badge

      ummm. But this has nothing to do with security patches. Or patches.

      And the word "Safe" is used only as a convention for this class of C library functions: it's a bit of a misnomer really: unlike other languages, the "safety" still depends on the programmer programming checks on the length of strings, it just provides a structured way of doing so.

    4. Fibbles

      Are these really security holes? It looks to me like Microsoft is simply not including some quality-of-life functions into their Windows 7 libraries. Not having these functions means a programmer has to be more careful but it shouldn't make the library any less secure if said programmer is following best practices.

      1. big_D Silver badge

        You are being too logical Fibbles, the conversation has majorly digressed into general security issues.

  2. Neil B

    The truth will undoubtedly be way more mundane than these guys think. Scheduling, different teams owning different bits of different OS's, simple oversight, that kind of thing. But why let that get in the way of a jab at MS?

    1. Gav

      song and dance

      Or it could simply be that Windows 7 doesn't need these patches, or need to call these functions in as many places. It's not impossible that Windows 8 had a security hole that needed fixed that Windows 7 didn't.

      There are dozens of perfectly rational explanations more likely than this simplistic "count then speculate" song and dance.

      I spy publicity stunt.

      1. Arctic fox
        Headmaster

        @Gav "I spy publicity stunt"

        Not to mention that this bunch may have a commercial interest here. In fact the accusation is, IMHO, unlikely. Win 7 is still crucial for Redmond within enterprise. Bluntly put, they cannot afford to piss around like that.

        1. Eddy Ito
          Meh

          Re: @Gav "I spy publicity stunt"

          It's easy to imagine it could all be chalked up to [patching, extending, securing] the Metro-Hexual UI TIFKAM which is something that simply doesn't apply to Windows 7.

      2. big_D Silver badge

        Re: song and dance

        @Gav, more likely that Windows 8 has new safety features that weren't even conceived when Windows 7 was built.

        Windows 7 includes a lot more safety features than Vista did, Vista has more safety features than XP, XP has more safety features than Windows 9x...

        The same is true for OS X, iOS, Android etc. the older versions don't get the new and improved security features. If you want them, you need to upgrade.

    2. Anonymous Coward

      "The truth will undoubtedly be way more mundane than these guys think. Scheduling, different teams owning different bits of different OS's, simple oversight, that kind of thing."

      You make it sound like that was a valid excuse. It's not.

    3. Tom 13

      Re: truth will undoubtedly be way more mundane

      The truth is, if Security is Job 1 this comparison software is an obvious hacking tool. Therefore you have a protocol in place to make sure that exactly that sort of thing can't happen. Because everybody knows all those mundane things will torpedo anything less than that protocol being in place and backed by the CEO.

  3. Anonymous Coward

    If This Is true

    Then naughty Microsoft.

  4. GreggS

    Or couldn't it just be

    That the OS's are different by design?

    1. Anonymous Coward

      Re: Or couldn't it just be

      No. They are both Windows 6. Just like Vista, "7", "8" and "8.1". If you don't believe me open a command window and type ver

      1. Tom Maddox Silver badge
        FAIL

        Re: Or couldn't it just be

        Right, because the only difference between any two operating systems is the kernel version.

      2. Anonymous Coward

        Re: Or couldn't it just be

        Exactly the same way Windows 2000, XP and 2003 are all version "5". Microsoft changes the major version number of an OS only when it makes deep, major changes to the kernel. Otherwise only the minor release number is changed: 2000 = 5.0, XP = 5.1, 2003 = 5.2, Vista/2008 = 6.0, 7/2008R2 = 6.1 and 8/2012 = 6.2.

  5. bigtimehustler

    Could earn them a lot of money though under a bug bounty and all by simply diffing the libraries!

    1. Hans 1

      Potentially even cost MS more than if they had hired a few more guyz to work on w7 patches to release 'em for all supported versions at the same time ...

      BTW, this means I can take the Vista box off the net ... I could also install w8 on it, it has a touch screen after all ... hm.

  6. Anonymous Coward

    HA! So much for all those "sky's falling down" Chicken Licken-style end of XP support warnings!

    What an utter, steaming pile of bullshit!

  7. Hans 1
    Paris Hilton

    The next step is then finding who calls that specific function in win8 and you have candidates galore.

    Maybe they are late with the fix for w7, however, they should have delivered the patches the same day ... now they are helping crackers find the holes in the sieve.

    Paris coz she knows: the more the merrier !

    1. big_D Silver badge

      My old Escort didn't have airbags, when the newer version was introduced with airbags, Ford didn't retrofit them in my Escort either.

      The world moves on, new security measures are built into newer products, it is a fact of life.

      Apple did the same with OS X, with Lion they brought out a lot of new safety features that earlier versions didn't enjoy, such as the App sandboxing and restricting downloads from unknown sources etc. Mountain Lion improved upon that and so on.

      Android is the same, every OS is the same, heck most industries are the same. With each new version the people making the product realise where they can improve on security and safety over the previous version and they implement that. It is usually not practicable to retrofit it.

      I'm sure that people would be screaming blue murder as well, if MS had retrofitted the security improvements in Windows 8 in Windows 7 and legacy software suddenly stopped working.

      The same with XP, if MS had retrofitted the UAC and other advanced security features from Vista and 7 into XP, corporates would have thrown their hands up and cried foul, because their old, badly coded software no longer worked.

      1. M7S
        Coat

        My old escort had airbags

        Probably as she was Bulgarian

      2. John Savard

        It's quite true that nobody would have wanted MS to turn XP into Vista. A free upgrade from Vista to 7, however, would have been widely accepted.

      3. Red Bren

        @big_D

        My old Escort didn't have airbags, when the newer version was introduced with airbags, Ford didn't retrofit them in my Escort either.

        Your car analogy is flawed. Ford do carry out recalls to fix issues, rather than telling their customers to just buy the latest model.

        http://spectrum.ieee.org/cars-that-think/transportation/safety/ford-recalls-695-000-vehicles-for-airbag-transmission-software-updates

        1. big_D Silver badge

          Re: @big_D

          Recalls to fix problems, yes. So do most software companies, like Microsoft. But they don't recall the vehicles and retrofit them with new safety features introduced in newer versions.

        2. Eradicate all BB entrants

          @Red Bren

          You say Ford do what? Really? Never heard of the Ford Pinto?

          https://users.wfu.edu/palmitar/Law&Valuation/Papers/1999/Leggett-pinto.html

      4. Anonymous Coward

        @big_D

        downvoted for admitting you've owned a FORD

        1. big_D Silver badge
          Thumb Up

          Re: @big_D

          @AC ROFL, have an upvote from me. What can I say, I was young and naive! :-P

  8. MrRtd
    Devil

    Maybe there is a valid reason, or maybe it's intentional. You can never really trust Microsoft's intentions, history has proven that time and time again.

    1. Tom 13

      Re: Maybe there is a valid reason

      I tend to agree with the AC to whom I replied that it is more likely a case of dropping the ball than malicious intent. The issue of course is they keep telling us they've made security the number one priority, and this undercuts that marketing.

  9. tirk
    Unhappy

    So (assuming this is true) Microsoft will sell you a new copy of Win 7 with security holes they know about, and know (at least in general terms) how to patch, but won't provide a patch? To my unlawyerly eyes that does not seem to be "merchantable quality".

    Better call Saul! (No wait, doesn't he work for MS now?)

    1. DragonLord

      As someone above mentioned, this could just be a case of different teams, unknown dependencies on the old functions that mean the new functions can't just be slotted in, or any number of other reasons than those that boil down to "can't be arsed"

    2. FrankAlphaXII

      It doesn't really matter honestly if they don't, aside from pissing off enterprises that have upgraded to Windows 7 from Windows XP. They make no warranty about the software. Just like with the GPL's "no warranty/as-is" clause (Paragraph 15 or 16 IIRC), and the BSD license's as-is clause at the end of it, the Windows EULA has very much the same thing.

      1. big_D Silver badge

        And I'm sure that if they implemented ALL of the security enhancements incorporated in Windows 8 in Windows 7, those corporates who just upgraded from XP and got their legacy software running stably would cry foul when those changes suddenly broke everything!

  10. This post has been deleted by its author

    1. Anonymous Coward
      Happy

      Re: Disingenuous (sp?) "security bod"

      Stop being rational and reasonable, dammit!

      1. Robin

        Re: Disingenuous (sp?) "security bod"

        > Stop being rational and reasonable, dammit!

        Yeah, why let facts get in the way of a good bitching session? :-D

    2. Tom 13

      Re: Disingenuous (sp?) "security bod"

      I grant the security bod is working the PR angle since they haven't identified any new exploits with their fancy tool.

      On the other hand, this is an obvious path to use to look for holes. As such it can't simply be cut by the accountants to save money. Given all the useful stuff they won't tell you in their security bulletins without an NDA this is really shoddy behavior from MS.

  11. Anonymous Coward

    It's just what changed from the 7 SDK to the 8 SDK.

    AFAIK those functions are in the Windows SDK C code, they are not Windows API calls. A simple diff of safeint.h and strsafe.h from the Windows 7 SDK and the Windows 8 one shows a lot of differences - although most are just cosmetic ones (and some to add ARM/WinRT support) - therefore any code compiled with one or the other will show differences as well.

    Any Windows 7 installation will have a lot of code compiled with the 7 SDK I guess (8 not being available yet, of course...), while some later code may have been compiled with the 8 SDK (or maybe not, depending on the build systems and MS policies about them). To eliminate all differences MS should recompile the whole 7 code with the newer SDK, and deploy a huge SP - actually the whole OS. But just using a different version of the compiler and its libraries will show differences.

    I guess most security researchers are already "diffing" SDKs and looking at what changed. Then some changes may be just optimizations or additions, not patches - and some changes may even introduce flaws absent in the previous versions.

    1. This post has been deleted by its author

      1. Ken Hagan Gold badge
        Headmaster

        Re: It's just what changed from the 7 SDK to the 8 SDK.

        "I did a count of NEW and DELETE statements, and there are less DELETEs than NEWs"

        Well I'd refuse to pay his fee simply on grammatical grounds.

        1. Anonymous Coward

          Re: It's just what changed from the 7 SDK to the 8 SDK.

          Yep... after all they discovered that 7 code is different from the 8 one. I would have been worried if they were the same <G>.

          Re-reading the article and looking at the picture, it looks like they're promoting a tool that can identify function call signatures inside compiled code, and it looks like they found that 8 code calls more "safe" functions than 7.

          I am not surprised about it - that's a refactoring that requires time to be performed on a large codebase, especially since "safe" functions are not a transparent replacement you can perform with a search&replace, but need code changes (they return an HRESULT instead of, for example, the requested string output, which is now returned through a function parameter).

          "Safe" functions do protect against some programming errors, but if the code is properly written it should already perform the required check. And they are not "patches", just more "defensive programming" - a good technique, sure. The updated code could be vulnerable in the old version, or it could not be - and of course patches are applied to known vulnerable code, not to code which may not be.

          So, after all, what they found is that, despite the UI, 8 is an improved OS over 7 from a security perspective - not that 7 is not being patched - it's just not "refactored". I guess many 7 patches released in these years were probably made by calling a "safe" function instead of an "unsafe" one..
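The point made by david 12 above (the "safety" still depends on the programmer doing the check, the functions just structure it) and by the AC just above (HRESULT return, output through a parameter, not a search-and-replace swap) is easier to see side by side. The following is an added example, written for this page and not taken from the article, the thread, or the Windows SDK: portable stand-ins for the strsafe.h StringCchCopy/StringCchCat and intsafe.h SizeTMult contracts next to the strcpy/strcat pattern they replace. The HRESULT_LIKE type, the *_LIKE names and their numeric values are assumptions chosen to mirror the SDK's definitions; the function bodies follow the documented behaviour but are not Microsoft's code.

```c
/* Added example (not from the article, the thread or the Windows SDK):
 * portable stand-ins for the strsafe.h / intsafe.h contracts discussed in
 * the thread, so the "safe" vs "unsafe" difference can be run anywhere.
 * Assumptions: HRESULT_LIKE and the *_LIKE constants mirror the SDK's
 * HRESULT values; the bodies follow the documented behaviour only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t HRESULT_LIKE;                         /* HRESULT is a 32-bit LONG */
#define S_OK_LIKE                  ((HRESULT_LIKE)0)
#define E_INVALIDARG_LIKE          ((HRESULT_LIKE)0x80070057) /* E_INVALIDARG */
#define E_INSUFFICIENT_BUFFER_LIKE ((HRESULT_LIKE)0x8007007A) /* STRSAFE_E_INSUFFICIENT_BUFFER */
#define E_ARITHMETIC_OVERFLOW_LIKE ((HRESULT_LIKE)0x80070216) /* INTSAFE_E_ARITHMETIC_OVERFLOW */

/* The "unsafe" pattern: the callee has no idea how big dst is, so an over-long
 * dir or name writes past the end of the buffer. Shown for contrast only. */
void unsafe_build_path(char *dst, const char *dir, const char *name)
{
    strcpy(dst, dir);
    strcat(dst, "\\");
    strcat(dst, name);
}

/* Modelled on StringCchCopyA: cch_dst is the destination size in characters,
 * including the terminator. Copies what fits, ALWAYS NUL-terminates when
 * cch_dst > 0, and reports truncation instead of silently overflowing. */
HRESULT_LIKE safe_string_copy(char *dst, size_t cch_dst, const char *src)
{
    size_t i;
    if (dst == NULL || src == NULL || cch_dst == 0)
        return E_INVALIDARG_LIKE;
    for (i = 0; i + 1 < cch_dst && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return (src[i] == '\0') ? S_OK_LIKE : E_INSUFFICIENT_BUFFER_LIKE;
}

/* Modelled on StringCchCatA: refuses a destination that is not already
 * terminated within cch_dst, then appends with the same truncation rule. */
HRESULT_LIKE safe_string_cat(char *dst, size_t cch_dst, const char *src)
{
    size_t len = 0;
    if (dst == NULL || src == NULL || cch_dst == 0)
        return E_INVALIDARG_LIKE;
    while (len < cch_dst && dst[len] != '\0')
        len++;
    if (len == cch_dst)               /* no terminator: dst is not a valid string */
        return E_INVALIDARG_LIKE;
    return safe_string_copy(dst + len, cch_dst - len, src);
}

/* Modelled on SizeTMult from intsafe.h: the integer side of the same idea.
 * Poisons *result on failure (intsafe uses SIZET_ERROR, assumed here to be
 * SIZE_MAX) so a caller that ignores the return still cannot use a small,
 * wrapped-around allocation size. */
HRESULT_LIKE safe_size_mult(size_t a, size_t b, size_t *result)
{
    if (result == NULL)
        return E_INVALIDARG_LIKE;
    *result = (size_t)-1;
    if (a != 0 && b > (size_t)-1 / a)
        return E_ARITHMETIC_OVERFLOW_LIKE;
    *result = a * b;
    return S_OK_LIKE;
}

/* The hardened form of unsafe_build_path: the size travels with the buffer
 * and every step's HRESULT is checked. This is the "code changes, not
 * search&replace" the thread refers to. */
HRESULT_LIKE safe_build_path(char *dst, size_t cch_dst,
                             const char *dir, const char *name)
{
    HRESULT_LIKE hr = safe_string_copy(dst, cch_dst, dir);
    if (hr != S_OK_LIKE) return hr;
    hr = safe_string_cat(dst, cch_dst, "\\");
    if (hr != S_OK_LIKE) return hr;
    return safe_string_cat(dst, cch_dst, name);
}

int main(void)
{
    char big[32], small[8];
    size_t bytes;
    HRESULT_LIKE hr;

    hr = safe_build_path(big, sizeof big, "C:\\Temp", "a.txt");
    printf("32-char buffer: hr=0x%08lx \"%s\"\n", (unsigned long)(uint32_t)hr, big);

    /* Same input, 8-char buffer: unsafe_build_path would write 13 bytes here;
     * the checked version stops at "C:\Temp", terminated, and reports it. */
    hr = safe_build_path(small, sizeof small, "C:\\Temp", "a.txt");
    printf(" 8-char buffer: hr=0x%08lx \"%s\"\n", (unsigned long)(uint32_t)hr, small);

    hr = safe_size_mult((size_t)-1 / 2 + 1, 2, &bytes);
    printf("overflowing multiply: hr=0x%08lx\n", (unsigned long)(uint32_t)hr);
    return 0;
}
```

Note what the "safe" version does and does not buy you: the overflow becomes a truncated, terminated string plus an error code, but a caller that discards the return value and carries on with the truncated path still has a logic bug. That is the "still depends on the programmer" caveat in the thread, and it is also why converting an existing codebase is a refactoring job rather than a patch.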

          1. John Savard

            Re: It's just what changed from the 7 SDK to the 8 SDK.

            I think I understand this now, and I have to admit that indeed this is very different from patching an error in the operating system. This is an improvement to Windows, not a correction, that makes it easier for application writers to avoid vulnerabilities in their applications. Not porting this kind of thing back to earlier versions is indeed entirely legitimate.

    2. Anonymous Coward

      Re: It's just what changed from the 7 SDK to the 8 SDK.

      It's been a while since I did Windows development, but aren't the functions in question shipped with the Visual C runtime (VCredist) as well as (rather than) with the OS? And, for developers, the source headers and matching libraries are provided as part of this week's Visual Studio?

      Or is it different these days? Or I could be misremembering.

      The whole thing as described so far sounds like a lot of fuss over very little. ICBW.

      1. Anonymous Coward

        Re: It's just what changed from the 7 SDK to the 8 SDK.

        The OS doesn't use the "VCRedist" C runtime that applications use. Microsoft stopped that when, instead of following proper deployment practices, developers started to rely on the VC runtime used by the OS, or even tried to "update" it.

        http://blogs.msdn.com/b/oldnewthing/archive/2014/04/11/10516280.aspx

        (there's also an interesting note on how using published code the wrong way can actually cause more trouble than not having it...)

        So the "VCRedist" files are updated separately from the C runtime the OS uses - and there are chances 7 may use an older runtime than 8.

        Anyway most of those "safe" functions are often linked statically or even inlined for performance reasons, especially the integer conversion ones.

  12. Ken Hagan Gold badge

    Premature announcement

    So these people have found differences but not (yet) actual vulnerabilities. Wouldn't it just be a tad more convincing if they'd used their new tool and pursued some of these differences all the way to a genuine vulnerability? As it stands, they are open to the rebuff that the differences aren't significant.

    Proving their point would have delayed the announcement by what ... days, months, years, forever? Inquiring minds want to know. (Well, this one does, at least.)

    1. Charlie Clark Silver badge

      Re: Premature announcement

      Indeed. The proof of the pudding will be in the eating. It may just be a nice way of documenting the function calls but as the forensics improve it might at some point help detect vulnerabilities early.

  13. Anonymous Coward

    They better stop selling

    Windows 7, if that's the attitude.

    1. NogginTheNog

      Re: They better stop selling

      They don't sell Windows 7. You can buy Windows 8 licences and install 7 under downgrade rights, but you can't buy Windows 7 directly, at least not directly from Microsoft.

      1. Anonymous Coward

        Re: can't buy Windows 7 directly,

        "you can't buy Windows 7 directly, at least not directly from Microsoft."

        Who cares if you can't buy Windows 7 from MS?

        Amazon, ebuyer, and others will still sell you a genuine Windows 7 OEM disk+COA for any sensible edition, and there are plenty of dodgier ones on the fleamarkets. No support direct from MS, obviously, but whoever got anything useful out of that avenue anyway?

        You apparently could and still can even download the Windows 7 ISO(s) from digitalriver (Keys/CoAs? Separate story, not covered here)

        http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_install/cannot-find-digital-river-download-site/66a8439b-0d16-4b70-92f7-1c8486a46ebf

      2. Anonymous Coward
        Anonymous Coward

        Re: They better stop selling

        Whatever the legal mummery, I can obtain a copy of Windows 7 and, in return, Microsoft ends up with my money. In my book, that's selling.

  14. No. Really!?

    If that's the treatment Windows 7 gets, I wonder how the unloved Windows Vista fares.

    We still have machines to support that are running Vista.

    1. Anonymous Coward
      Anonymous Coward

      If that's the treatment Windows 7 gets, I wonder how the unloved Windows Vista fares.

      We still have machines to support that are running Vista.

      I was assigned to the Microsoft team that was set up to support Vista and patch it following release. Unfortunately the team was disbanded not long after. The problem we had was that on a complete review of the codebase we discovered there are memory leaks in the application. I did a count of NEW and DELETE statements, and there are less DELETEs than NEWs.

      1. Anonymous Dutch Coward
        Mushroom

        Vista team? What team?

        What "application" are you talking about? The OS? The kernel? What?

        Then again, given the content of your post, perhaps you WERE part of the Vista team...

        1. Anonymous Coward
          Anonymous Coward

          Re: Vista team? What team?

          What "application" are you talking about? The OS? The kernel? What?

          Then again, given the content of your post, perhaps you WERE part of the Vista team...

          Woosh!

      2. h4rm0ny

        >>"I did a count of NEW and DELETE statements, and there are less DELETEs than NEWs"

        You should be careful with humour like that in these parts. I bet half of your updates are from people who get the joke and the other half from the anti-MS brigade who will now be quoting you as an authority. ;)

    2. big_D Silver badge

      And XP? No. Really!?

      When Vista came out, it included a lot of security enhancements that XP never had. But it also meant a lot of badly written code stopped working.

      The same with Vista and 7: 7 improved over Vista, Vista didn't get the improvements. 8 improved on 7 and 7 doesn't get the improvements. What a shock, the world improves products with each new release (generally) and the older version doesn't get the benefits, because, well, it is the older version.

  15. jnemesh

    The question becomes, then...

    Is using Microsoft software, of ANY version, worth the inherent risk? If MS is showing that they are unwilling, or unable, to support their software, which IS still supposed to be supported, then they are breaking trust with their customers. Between embarrassments like this (and others) from security professionals, to the HUGE breach of trust with their love/hate relationship with the NSA, is it any wonder that entire COUNTRIES are banning Windows? Or that others are actively looking at open source replacements?

    The effects of this will take years to fully be felt, but make no mistake, Microsoft is ACTIVELY harming their own brand with EVERY SINGLE STORY like this that hits the web!

    1. Anonymous Coward
      Anonymous Coward

      Re: The question becomes, then...

      "Is using Microsoft software, of ANY version, worth the inherent risk?"

      Microsoft still manage to have far fewer vulnerabilities than say SUSE, Redhat or OS-X - so the 'inherent risk' is lower than the alternatives...

      And if you look at their application servers like SQL Server - Microsoft often have a couple of orders of magnitude fewer holes than competing products!

      1. Anonymous Coward
        Anonymous Coward

        @AC "far fewer vulnerabilities"

        Care to back that up with some data? Don't forget to account for like-with-like, so you can't count say a buffer overflow in a bittorrent client since Windows doesn't ship with one!

        Also don't forget that one of the benefits of Microsoft's monthly patch scheduling is that they can roll up a lot of fixes into a single security advisory, while on Linux they are patched as they're found. Windows might have 7 IE fixes in a single monthly bulletin, while if Linux had 7 vulnerabilities found in a month it would account for a lot more bulletins.

        1. Anonymous Coward
          Anonymous Coward

          Re: @AC "far fewer vulnerabilities"

          Care to back that up with some data?

          http://secunia.com/advisories/product/1174/

          http://secunia.com/advisories/product/12192/

          http://secunia.com/advisories/product/96/

          "Don't forget to account for like-with-like"

          http://blogs.technet.com/b/security/archive/2008/10/27/download-h1-2008-desktop-vuln-report.aspx

          1. Chemist

            Re: @AC "far fewer vulnerabilities"

            "http://blogs.technet.com/b/security/archive/2008/10/27/download-h1-2008-desktop-vuln-report.aspx"

            You do know that the source of your "information" is a Microsoft employee, don't you (and the 'report' is also 6 years old)? Is that the best you can do? Go ask The Vogon.

            I also suggest you read your own 'refs.' (snigger). The Secunia one includes:

            PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.

            and

            A direct and fair comparison of unpatched issues for e.g. Microsoft Windows and Linux distributions is therefore NOT possible using the aggregated Secunia statistics

          2. Anonymous Coward
            Anonymous Coward

            Re: @AC "far fewer vulnerabilities"

            That MS Technet blog you reference was written by Jeff Jones.

            That would be Jeff Jones, Microsoft's Director of Trustworthy Computing, would it?

            E.g. here's Jeff Jones back in 2007 when he was claiming that, after a whole six months out in the wild, Vista was more secure than Linux and OS-X?

            From http://www.pcmag.com/article2/0,2817,2149851,00.asp

            "According to the numbers given in a new report from Microsoft, Windows Vista has blown away all the major enterprise Linux distributions and Mac OS X as far as having the smallest amount of serious security vulnerabilities in the six months since its release. The numbers were compiled by Jeff Jones, the security strategy director in Microsoft's Trustworthy Computing Group.

            "The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6-month mark compared to its predecessor product Windows XP (which did not benefit from the SDL [Secure Development Lifecycle] and compared to other modern competitive workstation OSes (which also did not benefit from an SDL-like process)," Jones wrote in a blog posting about the report on June 21. " (continues)

            Jones' blog article:

            http://blogs.csoonline.com/windows_vista_6_month_vulnerability_report

            1. Anonymous Coward
              Anonymous Coward

              Re: @AC "far fewer vulnerabilities"

              Right - and we now know that this held true in the longer term as well. Vista has had far fewer holes than enterprise Linux distributions or OS-X.

              Jeff Jones might work for Microsoft, but the data and methods used are detailed and can be validated.

              1. Chemist

                Re: @AC "far fewer vulnerabilities"

                "used are detailed and can be validated."

                Is this one of your 'facts' or 'everyone knows' ?

    2. Infernoz Bronze badge
      Devil

      Re: The question becomes, then...

      I will never run windoze not great (8.*) unless required by work, because it is not just a horrible UI; we all know that it is much more insecure to the NSA, by design! So neglecting windoze 7 will cause me to find ways to punish them.

      I will only switch from windoze if I can run the software I need on the new OS; I currently can't run all of mine in Linux or FreeBSD; I've tried via VirtualBox and Wine, it's not usable despite tweaks.

      I've already migrated an old netbook to Mint because of the XP frack up, it works OK, my RAIDs run FreeNAS (FreeBSD based), and if this gets bad enough, my Win 7 PCs will probably migrate to Mint too! Mint is OK, but the VM hosting could be better.

      At work we plan to add new Dev servers, and I'll request that the VMs are running Linux to host our servers, except where we need windoze to run microsad servers, because windoze is tired and costs. If this goes well, we may look at selling the idea of customers using Linux servers too, because PostgreSQL could easily replace SQL Server, and Linux would probably be the only workable alternative for windoze XP on old boxes.

      microsad are losing it, and will slowly lose it all if they are not careful, because it keeps getting easier to run more stuff not on windows.

      1. Anonymous Coward
        Anonymous Coward

        Re: The question becomes, then...

        "we all know that it is much more insecure to the NSA, by design"

        I think you are confusing Windows with OpenBSD.

        And actually it would be far easier for the NSA to try and subvert Open Source code via strategically placed development efforts than it would be to attack commercial software during the development process. As we know from Heartbleed, Open Source code is often very untrustworthy and obvious major flaws can go unseen for years.

        1. regadpellagru

          Re: The question becomes, then...

          "And actually it would be far easier for the NSA to try and subvert Open Source code via strategically placed development efforts than it would be to attack commercial software during the development process."

          Actually, no, it's the exact reverse. Commercial SW can be subverted easily (a couple of thousand bucks) contrary to open source which is open to public eyes.

          Granted, openssl is such a smoking mess it didn't work for it, indeed.

  16. Destroy All Monsters Silver badge
    Big Brother

    SNORT!!!

    "Researcher Moti Joseph (@gamepe) - formerly of Websense - speculated Microsoft had not applied fixes to Win 7 to save money."

    "Saving money" - the ultimate smokescreen for "accidentally" leaving systems unpatched and open.

    Of course, once a slew of "supposedly secure" Win 7 machines get the claps, Microsoft will again have some explaining to do, maybe getting a few lawsuits thrown their way (in particular as the legal landscape may shift in a sudden and uncontrolled manner) and will leave even more possibilities for competitors to gain traction with consumers looking for a way out of the flea bag.

    All of which could have been avoided by pumping a week's worth of Office 2013 sales into bug fixing and testing.

    It doesn't compute.

    But well, it COULD be that Win 7 does not even need any patching... who knows?

  17. GrumpyMiddleAgedGuy

    Sounds like a publicity gimmick to stir up the usual (Linux) suspects and get noticed.

    I've never heard of gamepe before.

    The "safe" functions are only wrappers around the standard functions that make it a little harder to do things like run off the end of a buffer. Their absence from Windows 7 is not a vulnerability. Assuming that is what the report is saying.

  18. The Grump
    FAIL

    Or could it be...

    Could it be that Microsoft itself bankrolled this "scandal", to get reluctant Win 7 users to make the jump of faith to WIN 8, with its (ahem) fabulous GUI, straight from modern cell phones? It is the Microsoft version of sneaking up on a bunch of chickens, and blowing an air horn. MS expects Windows users to run straight to the nearest Win 8 vendor, and plead "Save me, please. I need WIN 8". Such are the dreams of MS executives.

    I'll stick with Win 7 until it gets bricked by a hacker. After that, I will switch to the Android OS on my cell phone for basic email and internet. Who needs Windows anymore, really? Icon for Win 8 - a major MS fail - as bad as the "New Coke" fail.

    1. hplasm
      Devil

      Re: Or could it be...

      Perhaps. But "the more they tighten their grip, the more systems will slip through their fingers..."

    2. Anonymous Coward
      Anonymous Coward

      Re: Or could it be...

      "I will switch to the Android OS on my cell phone for basic email and internet"

      Android is based on Linux and Java - which is like mixing Swiss Cheese and a colander. It's completely insecure. They have to use bolt-ons like 'Knox' to even come close to the security that other platforms such as Windows Phone and Blackberry provide out of the box...

  19. Daniel von Asmuth
    Windows

    You were cheated

    if you thought that upgrading from Windows XP (to 7) would make your PC safe!

  20. Gis Bun

    Well, if you are running Vista/Server 2008, then you're scr?wed. :-)

  21. This post has been deleted by its author

    1. Lee D Silver badge

      Re: As someone still running Windows XP x64 ...

      Despite the fact that, only last year, I did move my previous employer (a large independent school) from XP (32-bit!), Server 2003, Office 2003 to 8, Server 2012R2, Office 2013 - I can't agree with you here.

      We threw it onto every PC, every client. In fact, I had one image whereas with XP I'd needed several (CPU architecture differences, etc.). I set up the image with 8 with Classic Shell, and to be honest it was pretty indistinguishable. All software ran - over 200 pieces of it - apart from a single 1990's-era Quicktime-based heap of educational junk that had never been updated and the company went bust years ago - which still ran, but crashed on a certain function. All hardware was supported (did not install a SINGLE driver across a network of 200 machines, all booted from the same PXE image) - I deleted 5Gb of old XP drivers that I'd needed for the same machines!

      It all worked. And, with the fudginess of the XP-backwards compatibility, imaging and network setup, there were speed IMPROVEMENTS to running 8. Things felt, and were, faster. XP - for instance - didn't have AHCI drivers for quite a lot of our hardware and we were running in IDE mode.

      We held off for ever until we couldn't hold off no more. And, single-handedly, I deployed a network of it after managing the same network on XP for many years. In one school summer (six weeks). There was nothing wrong with it. It just worked. Things just ran. And Windows looked like Windows (all Metro apps were uninstalled, for instance). On the same hardware.

      I don't quite know what you're holding off against, though I admit I held a huge amount of scepticism on my own part. To be honest, if we had needed XP for anything, I'd have virtualised it on PXE-deployed images, the transition was just that easy. That's what you're going to have to do eventually, and if you use Linux underneath the VM, nobody will care - and I quite understand that kind of philosophy. But XP x64 on raw hardware? Give in, mate. At least just throw it inside a VM and admit the usage - you like the interface, not the OS running your machine - VM it and put a modern OS (any OS, even a thin hypervisor) on the actual hardware and save yourself an awful lot of hassle. And then no disk-sector issues forever more.

      Though I'm not the kind of person to dive into anything early (hell, I'm a Slackware guy and the above network had at least two Slackware servers!), there's really no reason to hold back on newer Windows except paranoia. You're used to configuring XP, get used to configuring 8 to the same depth and all the stuff you don't like about it can be turned off.

      In fact, I'm about to do the same again for another independent school - same kind of size, but coming from 7. They were 8-fearers who'd even had a failed 8-trial - until they saw my 8 image. This summer I'm redoing every 7 PC to 8. We have no software that demands 8, and we have licensing which means that it costs no more to deploy 8 than to deploy 7 - but the fact that we stay on supported configurations with a long lifetime and, more importantly, a lot of new features (some of which we switch off, like Metro, of course) for basically zero downsides means that it's not an issue. And our banks are starting to make noises towards only supporting the smartcard readers on 8, and various educational suppliers debating similar.

      XP was great. I used it myself for years. I'm on 7 at home. But I do most of my real work in VM's of various OS. The fact is that the base OS does not matter anymore. If you're a home user, VMWare is free. If you're an 8 user, you have Hyper-V for free - or you can just use the free Hyper-V hypervisor on the bare hardware. If you're commercial, the cost of a hypervisor software is either free (with Server editions) or lost in the noise of any upgrade.

      Bite the bullet, put your hardware on something recent. Stop making problems for yourself. And admit that what you like about XP is the GUI and the working pattern. Not the OS.

      1. This post has been deleted by its author

        1. Anonymous Coward
          Anonymous Coward

          Re: As someone still running Windows XP x64 ...

          You're wasting a lot of your HW resources using an outdated OS - I'd suggest you read "Windows Internals" to understand what changed since then and how more recent OSes take far better advantage of newer, powerful HW in many ways. I think you'd be surprised...

          Anyway most recent software won't run on anything older than 7, so, good luck....

          1. This post has been deleted by its author

            1. Anonymous Coward
              Anonymous Coward

              Re: As someone still running Windows XP x64 ...

              DRM? I see the real issue now...

        2. yuhong

          Re: As someone still running Windows XP x64 ...

          "there is a large pregnant pause every time I open up my home folder, and I for one don't appreciate it."

          On my Win8.1 machine it doesn't show that much of a pause. You may want to check if your sysadmin has redirected this folder to a network location.

          1. This post has been deleted by its author

            1. Anonymous Coward
              Anonymous Coward

              Re: As someone still running Windows XP x64 ...

              It looks like most "experts" don't know what a standalone Windows machine does at boot and what a domain-joined one does.

              Beside BIOS features (my Dell T5500 SAS RAID controller takes ages to perform its checks...), a standalone machine boots, asks you for a password, checks it against its internal database and it's done.

              A domain joined one has to (and this is a simplified list):

              1) Find a domain controller - maybe waiting first for DHCP to assign an address and DNS servers.

              2) Log the machine on to AD (yes, there's a machine account too, with its password).

              3) Download and apply per-machine group policies

              4) Display the logon screen, get the user account and password, and log the user on

              5) Download and apply per-user group policies

              6) If roaming profiles are used, sync user profile folders and files

              There are other tasks it will perform, like syncing the machine clock with the domain controller, re-establishing network shares if there are any mapped, etc etc.

              If switch port authentication is used (802.1x), or NAP or other network checks, they take time as well.

          2. This post has been deleted by its author

            1. Anonymous Coward
              Anonymous Coward

              Re: As someone still running Windows XP x64 ...

              You have an issue that is not related to Windows 7. I'd suggest you use Sysinternals' Process Monitor and try to understand what happens on your PC when you open the document folder, because on any 7 PC I used such a thing never happens. Run Autoruns also, and look at how much stuff is run on user logon, and what it does.

              Usually before saying "X is slower than Y", you should assess if it is really true - or the real cause is something else.

      2. Anonymous Coward
        Mushroom

        Re: As someone still running Windows XP x64 ...

        I'll have to try that approach here. Much more sensible than deploying "hardened" remote XP VM's that can be readily (in seconds) recovered. Windows 8 has been pretty nice here even on my hard-core, non-touch workstation but having done 45 years of UI/UX changes, what's another one. My *only* problem is the modifications MS are making for a bunch of retards (yep strong words) that I have to incorporate into my workflow here.

    2. yuhong

      Re: As someone still running Windows XP x64 ...

      Just because it is not having any more service packs doesn't mean it is "dead in the water".

  22. Anonymous Coward
    Anonymous Coward

    Goodbye windows

    So if Microsoft are going to do the same with Windows 8, shortly after Windows 9 appears, then we can assume that (a) they have no intention of supporting Windows, period (b) Windows very quickly becomes insecure.

    Time to move to another operating system. Looks like Linux or Android is calling.

    1. regadpellagru

      Re: Goodbye windows

      Mate,

      This has already happened.

      http://www.theregister.co.uk/2014/04/14/microsoft_version_of_windows_you_probably_havent_upgraded_to_yet_is_already_obsolete/

  23. John Crisp

    Same old...

    Funny old thing, expectation.

    If I contracted to buy Windows (or anything else from anyone else) I'd expect them to fix everything that was broken PDQ. No excuses. Your new car has dodgy brakes???

    But I guess they leave that peach out of the contract. They are a commercial company who have sufficient market share and cash to not have to worry about pandering to users. And in reality the people who really matter are the shareholders. As a user you are as much the product as the software.

    So I gave up on that idea. I use linux everywhere. It probably has as many holes as the paid for offerings. Maybe more. But it makes no promises. I understand that, and live with the consequences of my choice.

    I also don't have to worry that the license police will catch me using something, even if it isn't fit for purpose. Dodgy brakes, sir? You're nicked, mate.

    As a M$ user you should have the right to demand quality and proper support as with any paid-for product (that's what the Sale of Goods Act was designed for), and they should be called to account for any failures. Good on the people who search them out and keep them on their toes.

    Unless you use a paid for/supported distro you have paid your money (or not) and taken your chances.

    Personally I prefer a reasonably honest approach, even if it has its flaws :-)

    I can live with that, and don't feel cheated.

    1. Anonymous Coward
      Anonymous Coward

      Re: Same old...

      So your expectation is that in any difference of opinion, Microsoft are wrong. Regardless of how obviously-flawed the counter-opinion.

      Meanwhile, if you're saying that if by selling their products, if they can't make them secure, while even if neither can Linux developers, they should be sued, doesn't that amount to believing nobody should develop a modern operating system as a business? If so, personally I think we'd still be using DOS if home computing had evolved without the profit motive.

      Anyway, to assume that this disclosure is indeed what the disclosers claim is to leap to the conclusion you want to be true.

      1. John Crisp
        Go

        Re: Same old...

        @AC

        I'm not sure I exactly said any of that, did I? I certainly never said M$ are always wrong regardless.

        Indeed the report could be false and a load of tripe. Does that mean no one can comment?

        I said that if a company contracts to support something for a given period of time, I have reasonable expectation of them doing so, no matter what the product or who the company is. There is reasonable expectation to fix anything they find is wrong PDQ.

        That's part of what you pay for.

        In which case, in this instance, and if it is found to be true, then they should be given a kick up the butt.

        I would have no expectation that they should support XP now. It 'ran out of warranty' for want of a better word. Yes it may still work well. But they no longer offer to support or maintain it, unless you take out the extortionate 'extended' warranty (where have we heard that before?). Like pretty well any other product you buy - few give genuine 'lifetime' guarantees.

        IMHO there are too many large companies who ignore and ride roughshod over basic consumer rights and are more concerned with flogging you something new than maintaining something they sold you 6 months ago. Shareholders and profits are king and I was only commenting that I think it is great to see other companies keeping the large ones on their toes. (if indeed that is what they are doing)

        Yes, if companies thought they were going to get sued for not releasing 100% secure code, they quite possibly wouldn't produce any. However they don't offer to do that, and I don't believe that anyone reasonably expects them to be able to do so. I also don't believe making profit is a bad thing at all - it keeps a roof over my head. However, you just can't ignore an agreement because you changed your mind, brought out a new toy and now can't be bothered and it costs too much to do.

        With unsupported Open Source expectations are different - that you use it without warranty - and there are the usual liberal warnings plastered about the fact. I didn't say that a Linux developer could never be sued. But it's a lot harder to do so when there is no consideration/contract and no offer of warranty.

        You pays your money (or not).......

        1. channel extended
          Devil

          Re: Same old...

          Secure Code Follows:

          Abort

      2. Anonymous Coward
        Anonymous Coward

        Re: Same old...

        "So your expectation is that in any difference of opinion, Microsoft are wrong".

        What a funny vague, woolly thing to say! "Wrong" in what sense?

        I do believe that, in any circumstances, Microsoft is guided overwhelmingly by the prime directive to maximize its own profits in the medium to long term. Any other consideration is utterly dwarfed, which is why Microsoft has amassed such immense piles of money over the years. If you expect Microsoft to worry in the slightest about customer satisfaction, customer security, honesty, fair dealing, or anything else *for its own sake*, you will be severely disappointed.

        1. Anonymous Coward
          Anonymous Coward

          Re: Same old...

          Apple or Google are guided differently? How did they amass their pile of money?

          But remember, to "amass a pile of money" you need to keep your customers satisfied and secure enough. MS had to invest a large amount of money to improve the security of its products - otherwise it would have lost a lot more. The very functions the article is about were introduced to enable developers to write safer code even if they forgot to check what their code was really doing, as part of the effort of delivering safer products.

          Companies may be stupid sometimes (i.e. Metro, or Apple when it was in deep trouble, or Google when it snooped wifi traffic "by mistake"), but if they are for too long they fail. Those who don't, are not so stupid, after all...

          1. Anonymous Coward
            Anonymous Coward

            Re: Same old...

            "But remember to "amass a pile of money" you need to keep your customer satisfied and secure enough".

            Unfortunately history reveals that "ignorant and misled" is good enough.

            1. Anonymous Coward
              Anonymous Coward

              Re: Same old...

              "Ignorant and misled" are only those blindly believing guys like Stallman... someone who doesn't make money writing software and selling it - but very good at selling you his "vision", and making money out of it. The Ron Hubbard of IT, after all.

              Customers are far less "ignorant and misled" than you think. Just most don't worship software just because it is software. Most use software to accomplish a task they need, and as long as a given software does what they need well and easily enough, they'll use it. That's something in Linuxland most developers still stubbornly refuse to understand, and they believe their "code superiority" deserves lots of users that never materialize - exactly because they don't code with the user in mind, as the one commenting in another thread here, showing his dislike for time spent with users and QA teams "who never saw a line of code" - surely not an "ignorant and misled" attitude... <G>

              Sure, everybody buys MS only because they are "ignorant and misled", if they were "intelligent and well led" they'd buy Linux! That's exactly how many frauds work - fraudsters convince their victims that their products are the best, and if you don't buy them it's just because you're "ignorant and misled". Amway and Herbalife do that, for example. Try to sell Linux that way, maybe it helps...

    2. david 12 Silver badge

      >Personally I prefer a reasonably honest approach,

      So I take it that you will be boycotting Diffray and The Register for misleading you into thinking that MS was not patching security flaws on Win 7?

      I really despair sometimes: By your own admission, you are a Unix/Linux user. Clearly you don't understand the MS eco-system, and care less. You haven't bothered to read the comments correcting the misinterpretation you have adopted. But you feel qualified to comment about "M$" anyway...

  24. Anonymous Coward
    Anonymous Coward

    Still won't make me buy windows 8

    It's shit.

  25. Anonymous Coward
    Anonymous Coward

    I'll stick to my Windows 98

    No hacker remembers how to hack it any more.

  26. Anonymous Coward
    Anonymous Coward

    What better way to force people to upgrade..

    Genius... I remember why I hate Microsoft, and am revelling in their universal failure in all of their Business Sectors.

    1. Anonymous Coward
      Anonymous Coward

      Re: What better way to force people to upgrade..

      "I remember why I hate Microsoft, and am revelling in their universal failure in all of their Business Sectors."

      Erm - I guess you haven't noticed but Microsoft's market penetration and revenue is increasing in most areas - especially business sectors like cloud and servers. Their share price is the highest it's been in a decade...

      For instance IIS server is now only 0.15% away from overtaking Apache in market share!

      1. M Gale

        Re: What better way to force people to upgrade..

        For instance IIS server is now only 0.15% away from overtaking Apache in market share!

        However, amongst sites that actually matter, the story is significantly different. Nginx is the up and coming new kid there, and Apache still enjoys a very strong lead. In fact amongst the top million busiest sites, and amongst sites that are actually active, IIS share is continuing on its long-term decline.

        It could be that lots of people start on IIS because it's like building with lego bricks and about as easy. As soon as the admins want to do anything reasonably complex, IIS becomes a pain in the neck, because it's like building with lego bricks.

        Try again in a couple of years and we'll see if that one-year rise in IIS share amongst all sites including crappy Geocities-esque personal blogs continues, or if, like every other rise in IIS share, it's been a blip that drops as soon as the newbies discover that IIS isn't all it's cracked up to be.

        1. Anonymous Coward
          Anonymous Coward

          Re: What better way to force people to upgrade..

          I think that statistics usually don't take into account internal sites... and believe me, in many companies most intranet sites run on IIS, not Apache. After all, it is far easier to deliver SSO on Windows using IIS than trying to set up a pile of modules and libraries to achieve that - sometimes only partially - with Apache or other web servers (at least Lego bricks work very well with each other. It's when you have to put together bricks from different sources, like in Apache, that trouble begins). Many internal web applications need much more user authentication and authorization support than public web sites, where often you do not do much more than promote your products...

          1. M Gale

            Re: What better way to force people to upgrade..

            Many is not most.

            In any case, the April edition of the Netcraft stats is even more interesting to read. Not only is most of the IIS gain due to a single company, but the vast majority of sites hosted by that company are link farms.

            IIS: The choice of web server for spammers and black-hat SEO specialists. Hardly a wonderful accolade.

            Also interesting that amongst the statistics that actually matter (million busiest sites, active sites), IIS is now being beaten by not only Apache, but in a narrow margin by the open-source nginx. Like I said, that's the new kid on the block. Certainly one to watch.

        2. h4rm0ny

          Re: What better way to force people to upgrade..

          >>"However, amongst sites that actually matter, the story is significantly different."

          I'm sorry, but this is just too funny. Is www.notruescotsman.com one of those sites? :D

          1. M Gale

            Re: What better way to force people to upgrade..

            I'm sorry, but this is just too funny. Is www.notruescotsman.com one of those sites? :D

            Considering the majority of IIS's rise in the last year has come from one company, and the majority of the sites hosted by that company are apparently link farms and domain holding pages... I dunno, what do you think?

            The "No True Scotsman" fallacy would only apply if those sites weren't basically spam and black-hat SEO. Are you suggesting that sites like that matter in any way except perhaps needing to be added to crudware statistics? Don't take my word for it though. Follow the links, and see for yourself.

  27. Anonymous Coward
    Meh

    Or...

    ..simply the code base is different and the bit they are fixing / updating in 8 is simply not present in 7.

    Or would that be too easy an answer

  28. Anonymous Coward
    Anonymous Coward

    This article makes no sense

    So wait, now there are some extra functions you can call in Win8 and not Win7?

    When was not calling a particular function automatically considered a security hole?

    1. david 12 Silver badge

      Re: This article makes no sense

      >So wait, now there are some extra functions you can call in Win8 and not Win7?

      No.

      It's more subtle than that. You can call these functions on Win8 or Win7 when the next MS C upgrade appears. Or you can write your own version and call it on Linux or OS X. The report is that software using these functions has already appeared on Win8, but not yet on Win7. Standard MS procedure will be that these versions of these functions will appear on supported platforms when software that uses them is rewritten. If the purpose of rewriting the software is a security patch, we expect to see these library functions appear in the Win7 library as part of a security patch. If the purpose of rewriting the software is a Win8 bug fix or feature upgrade, we don't expect to see that on Win7.

  29. Anonymous Coward
    Anonymous Coward

    "Microsoft does not want to waste development time on older operating systems ... and they want people to move to higher operating systems".

    And I shall - the move to Linux is already underway, with three of my home systems already running OpenSuSE and the fourth dual-booting while I make sure everything I need is running smoothly. Then - so long M$, it's been good to know ya! (Although actually not).

  30. Bladeforce

    Just goes to show...

    ...using Windows you have ZERO control over it even after buying the damned thing

  31. channel extended

    Aged Win7.

    I have an unused Win7 disk, that I bought with a motherboard upgrade some years ago, and I wonder if it will be like an XP disc when I finally get around to using it. My Linux machine has been so stable I really don't want to break it by trying to make a double boot system. Can I make a VM from the disc? Maybe someone will make an offer?

  32. El Andy

    The way modern Windows development works is that when changed code is checked in it has to meet certain security gateways, which prevent the use of things like older "unsafe" C functions. So if a developer has to do some work in a library to add new functionality, they'll also replace older function calls with their safe replacements at the same time.

    That doesn't necessarily equate to the old code path having a definite vulnerability, but does mean that going forward the potential for unnoticed issues should go down. These sort of preventative changes won't necessarily be backported to previous versions though, because there is a higher risk of some weird application compatibility issue that could arise from the change. Once the OS has shipped and people are relying upon the fact their apps work on it, there is a much higher bar to be met to ensure ongoing compatibility.
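Editor's note: the comment above describes the "unsafe C function replaced by its safe counterpart" pattern behind the article without showing what actually differs between the two. The block below is an added example, not code from the article, the commenters or Microsoft's headers. It is portable C that models the semantics of two of the replacements in question: a length-checked string copy in the style of strsafe.h's StringCchCopy, and an overflow-checked multiply in the style of intsafe.h's SizeTMult. The function names and the SR_* result codes are stand-ins invented for this example (the real headers return HRESULT values such as STRSAFE_E_INSUFFICIENT_BUFFER); everything else is plain C99 so it builds and runs anywhere.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative return codes. Real strsafe.h/intsafe.h return HRESULTs such as
   STRSAFE_E_INSUFFICIENT_BUFFER and INTSAFE_E_ARITHMETIC_OVERFLOW; these names
   and values are stand-ins so the example builds with any C compiler. */
enum safe_result {
    SR_OK = 0,
    SR_INVALID_PARAMETER,
    SR_INSUFFICIENT_BUFFER,
    SR_ARITHMETIC_OVERFLOW
};

/* The "older unsafe" pattern: strcpy has no idea how big dst is. With a source
   longer than the destination it writes past the end. Kept as the before
   picture only; nothing here ever feeds it an overlong string. */
void copy_name_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Bounds-checked replacement modelled on StringCchCopyA(dst, cchDest, src):
   cch_dest counts characters including the terminating NUL. On an overlong
   source the copy is truncated, dst is still NUL-terminated, and the caller
   gets an error it can act on instead of a silent overflow. */
enum safe_result copy_name_safe(char *dst, size_t cch_dest, const char *src)
{
    if (dst == NULL || src == NULL || cch_dest == 0)
        return SR_INVALID_PARAMETER;

    size_t i = 0;
    while (i < cch_dest - 1 && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return src[i] == '\0' ? SR_OK : SR_INSUFFICIENT_BUFFER;
}

/* The "unsafe" size calculation: count * size silently wraps, so a huge count
   can yield a tiny allocation that later code overruns. Returns the wrapped
   value so the wrap itself can be observed without allocating anything. */
size_t alloc_size_unsafe(size_t count, size_t size)
{
    return count * size;
}

/* Overflow-checked multiply modelled on intsafe.h's SizeTMult(a, b, &result):
   on overflow the result is set to a poison value (intsafe uses SIZET_ERROR,
   i.e. SIZE_MAX) and an error is returned instead of a wrapped number. */
enum safe_result size_t_mult_checked(size_t a, size_t b, size_t *result)
{
    if (result == NULL)
        return SR_INVALID_PARAMETER;
    if (a != 0 && b > SIZE_MAX / a) {
        *result = SIZE_MAX;
        return SR_ARITHMETIC_OVERFLOW;
    }
    *result = a * b;
    return SR_OK;
}

/* Allocation that refuses to proceed when the byte count cannot be represented.
   The caller frees the returned pointer. */
void *alloc_records_safe(size_t count, size_t size)
{
    size_t bytes;
    if (size_t_mult_checked(count, size, &bytes) != SR_OK)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    char name[8];

    enum safe_result r = copy_name_safe(name, sizeof name, "Windows 8 is not Windows 7");
    printf("copy: result=%d dst=\"%s\"\n", (int)r, name);

    size_t count = SIZE_MAX / 4 + 2;   /* count * 4 wraps around to 4 */
    printf("unsafe size: %zu bytes\n", alloc_size_unsafe(count, 4));

    void *p = alloc_records_safe(count, 4);
    printf("checked alloc: %s\n", p == NULL ? "refused" : "allocated");
    free(p);
    return 0;
}
```

The point of the contrast is the one El Andy makes: swapping strcpy for the checked copy, or a bare multiply for the checked one, does not prove the old code path was exploitable, but it turns any future caller mistake into a returned error rather than a memory corruption. The same change also alters observable behaviour (truncated strings, NULL from an allocator that used to return a small buffer), which is exactly the compatibility risk he gives for not backporting such sweeps wholesale.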

  33. vang0gh

    So, they've discovered that windows 7 is not windows 8. Good work!

  34. E 2

    "...dedicated libraries intsafe.h and strsafe.h..."

    Those'll be C or C++ header files, not libraries.

  35. Bladeforce

    In all my years..

    ..of using computers I have never seen Windows become so bad in the public eye...a sign of change most certainly
