Customers can't have it both ways. You (the editorial "you", not you specifically) can't require MSFT to always provide compatible interfaces and then scream when that causes problems.
Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Thursday, August 26, 2010 10:11 AM
To: NT System Admin Issues
Subject: Re: Insecure Library Loading Vulnerability

On Thu, Aug 26, 2010 at 9:56 AM, Michael B. Smith <[email protected]> wrote:
>> Microsoft's software has been criticized for its search path behavior
>> for literally decades.
>
> This has been documented as an issue -- for decades -- and MSFT has
> told people how to do it right -- for decades.

A design which is prone to failure is a bad design and should be corrected. You don't make something unsafe by default and then say, "Oh, well, you can make it safe if you do this."

> Don't blame MSFT as a company for people (including some internal
> programmers!) for not following safe programming recommendations.

If I am going to treat Microsoft as a company for their good behavior, then I am also going to treat Microsoft as a company for their bad behavior. You can't have it both ways. One goes to a given company because one expects that company to stand behind their products.

> Changing this behavior removes functionality that MAY BE DESIRABLE.

So make the default behavior safe and allow unsafe behavior to be specified as needed. For example, remove the current directory from the default search path algorithm. For example, something along these lines:

    SET PATH=.;%PATH%
    SET DLLPATH=.;%DLLPATH%

That could have been done in any major milestone: MS-DOS, or Win 3.x, or Win 9X, or Win NT, or Win 2000, or Win Vista. A solution was well-known and easily accomplished decades ago. Yes, I blame Microsoft for waiting until they were attacked.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
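The search-order argument in the quoted message, as an added example that is not part of the original thread: a small model of which directory a bare DLL name resolves from under the legacy order, under SafeDllSearchMode, and under an opt-in scheme like the one proposed. All paths, DLL names and function names are constructed, and the "opt-in" mode stands in for the poster's hypothetical DLLPATH variable, which is not a real Windows setting.

```python
# Added example: a model of the DLL search order for a bare library name.
# Directory contents below are constructed; this does not call any Windows API.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
APP_DIR = r"C:\Program Files\App"
CWD = r"\\fileserver\share\docs"      # e.g. the folder a document was opened from
PATH = [r"C:\Tools"]

FS = {  # directory -> DLL names present (constructed)
    APP_DIR: {"app.dll"},
    r"C:\Windows\System32": {"helper.dll"},
    CWD: {"helper.dll", "codec.dll"},  # untrusted copies sitting next to the document
    r"C:\Tools": {"codec.dll"},
}

def search_order(mode, path=PATH):
    """Directories probed, in order.
    legacy: current directory right after the application directory
    safe:   SafeDllSearchMode, current directory after the Windows directories
    opt-in: the message's proposal, current directory only if '.' is listed in path
    """
    path = [CWD if p == "." else p for p in path]
    if mode == "legacy":
        return [APP_DIR, CWD] + SYSTEM_DIRS + path
    if mode == "safe":
        return [APP_DIR] + SYSTEM_DIRS + [CWD] + path
    if mode == "opt-in":
        return [APP_DIR] + SYSTEM_DIRS + path
    raise ValueError(f"unknown mode: {mode}")

def resolve(dll, order):
    """First directory in the order that holds the DLL, or None if not found."""
    for directory in order:
        if dll.lower() in FS.get(directory, set()):
            return directory
    return None

def loaded_from_cwd(dlls, mode, path=PATH):
    """Audit helper: which of these names would load from the current directory."""
    order = search_order(mode, path)
    return sorted(d for d in dlls if resolve(d, order) == CWD)

if __name__ == "__main__":
    for mode in ("legacy", "safe", "opt-in"):
        print(mode, loaded_from_cwd(["app.dll", "helper.dll", "codec.dll"], mode))
```

In this model the safe mode still resolves codec.dll from the current directory, because the name is absent from the application and Windows directories and the current directory is probed before PATH.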
