That's just for the suckers customers
Posted by aogThursday, 18 December 2008 at 12:48 TrackBack Ping URL

Haha, yet another major security flaw in Internet Explorer. What’s truly funny to geeks like me is that the Dark Empire has been touting its new Common Language Runtime(VS.71).aspx with its Managed Code as technologies for building more robust applications with fewer security flaws. One of the ways this is alledgedly achieved is that because managed code has all sorts of meta-data the run time environment can verify that the code is not misusing its data structures. Such data mishandling is probably the number one vector for external attacks on applications, so closing that hole would be a big deal.

But it didn’t work for Internet Explorer, did it? Is the CLR / Managed Code approach fundamentally flawed? Badly implemented? Or just not used in Internet Explorer? I can’t think of an answer that looks good for the Dark Empire.

Of course, it makes my decision to avoid the entire CLR / Managed Code fiasco look smarter. What’s additionally amusing is that there are plenty of good C++ code habits that avoid this problem as well as CLR / Managed Code does and which I adopted years ago so my code simply isn’t vulnerable in this way. The downside is that using these techniques requires having the discipline of a craftsman, to always do The Right Thing, which is usually not the easy thing, to do it always even when it really does not matter, so that it becomes habit. But that’s old fogey talk, isn’t it? Especially for Microsoft, Code Spew Central.

Comments — Formatting by Textile
cjm Thursday, 18 December 2008 at 17:55

what is it that makes a programmer “veer” off and do something they know is going to be a problem later? “check every return value” becomes “check the return values that might indicate a problem, and let the ones you know are ok go without checking”.

it seems like microsoft is always looking for that magic formula that will replace good programming practices, and automatically produce good results; i.e. automate programming completely. ain’t going to happen.

Annoying Old Guy Friday, 19 December 2008 at 10:02

Shoddy is a pervasive property of human activity, and it would be odd if it didn’t pervade programming as well. Shortcuts are easier and you don’t know that it will be a problem.

And I don’t want to be too hard on the Dark Empire, as any craftsman appreciates that he can do a better job with better tools. After all, most of my techniques depend on specific features of C++ and were far harder to do in C. It’s just that one should judge tools by results and if the tools don’t even help in Microsoft code…

Post a comment