Black Tuesday

On occasion, I take on a number of system administration duties when it comes to either my employer's or my personal network. Both networks contain Windows workstations as well as servers. Black Tuesday, as sysadmins have come to call the second Tuesday of the month, has arrived, and my monthly ritual of testing and installing hotfixes and updates begins.

Of great concern this Tuesday is the WMF vulnerability. Personally, I find it rather disconcerting that an image format has the capacity to execute code by design. According to Computer Associates, the vulnerability occurs because of "improper bounds checking in the ANIMATEPALLETTE function when rendering Windows Metafile (WMF) files."

That is rather disconcerting. Once again, we see the dangers inherent in buffer overflows. It has been two years since Microsoft's security initiative began, and we still have buffer overflows. I can recall my days in my various Computer Science classes, where the class was warned of the dangers of not checking the bounds on strings, arrays, and buffers. And here is a multi-billion dollar company, not following what I consider to be a basic lesson.

It isn't for a lack of support or comprehension. In fact, standard C++ libraries include a variety of string manipulation functions, known to me as "N-String" functions such as strncpy() and strncat(), that explicitly check bounds. And the functions they replace have been deprecated. I can recall points being deducted from my assignments for using the non-"N-String" functions.
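As an added illustration of the point about bounded copies (example code, not from the original post): strncpy() limits how much is written, but it does not by itself guarantee a terminated string, so a hardened copy routine has to terminate explicitly and tell the caller when input was cut. The buffer size NAME_LEN and the sample names are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size, kept small so the truncation case is easy to hit. */
#define NAME_LEN 8

/* Does buf[0..len) hold a terminating NUL? Calling strlen() on a buffer that
 * does not is itself an out-of-bounds read. */
static bool is_terminated(const char *buf, size_t len) {
    return memchr(buf, '\0', len) != NULL;
}

/* The "N-String" function used naively: strncpy() bounds the write, but when
 * src is NAME_LEN bytes or longer it copies no terminator at all. */
static bool naive_strncpy_is_terminated(const char *src) {
    char name[NAME_LEN];
    strncpy(name, src, sizeof name);
    return is_terminated(name, sizeof name);
}

/* Hardened copy: bound the write, always terminate, and report truncation so
 * the caller can reject or log the record instead of storing a mangled value.
 * src must be a NUL-terminated string. Returns 1 if truncated, 0 otherwise. */
static int bounded_copy(char *dst, size_t dst_len, const char *src) {
    if (dst_len == 0) return -1;
    size_t n = strlen(src);
    bool truncated = n >= dst_len;
    size_t to_copy = truncated ? dst_len - 1 : n;
    memcpy(dst, src, to_copy);
    dst[to_copy] = '\0';
    return truncated ? 1 : 0;
}

/* Helpers: copy src into a NAME_LEN buffer and report the outcome. */
static int name_copy_rc(const char *src) {
    char name[NAME_LEN];
    return bounded_copy(name, sizeof name, src);
}
static size_t name_copy_len(const char *src) {
    char name[NAME_LEN];
    bounded_copy(name, sizeof name, src);
    return strlen(name);            /* safe: bounded_copy always terminates */
}

int main(void) {
    printf("strncpy, 7-byte name terminated: %d\n", naive_strncpy_is_terminated("abcdefg"));
    printf("strncpy, 8-byte name terminated: %d\n", naive_strncpy_is_terminated("abcdefgh"));
    printf("bounded_copy rc=%d len=%zu\n", name_copy_rc("abcdefghij"), name_copy_len("abcdefghij"));
    return 0;
}
```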

But this vulnerability does remind us of the precarious paradigm that is End-User License Agreements. The software industry is the only industry I can think of that can release (knowingly or not) a substandard product, include indemnification against any defects, and has convinced the consumer that this is standard operating procedure. Every EULA I have read (well, all three, for that fact) includes something to the effect that the manufacturer is not responsible for defects or any damage caused to your computer by its use. Think about that: not responsible for defects or damage caused by its use. Name any other industry that can get away with that sort of indemnification. Go ahead, I'll give you a moment to think.

I couldn't think of any either. Disturbing, isn't it? I, as a developer, am not responsible if my program corrupts your data, crashes your computer, causes you to spend hundreds of dollars in repair or data recovery services, or anything else for that matter. What a comfortable position for a developer, what a sad state for consumers. Unfortunately, the state of retail is such that if you disagree with the EULA, you probably cannot return the opened software package, even though you had to open it to find out that you don't agree with the contract presented to you. I wonder whether I could legally print off the EULA and line-item veto the portions I don't agree with, and whether that would be binding.

In any event, software has become so ingrained in our day-to-day activities that it is practically impossible to get by without it. And thus we are at the mercy of these indemnified software companies that release buggy or defective software.

Caveat emptor, indeed.

Tags

  • The Industry
  • Vulnerabilities

Revisions

  • 1/22/2012 - Archived.
  • 1/10/2006 - Article published.