Again, *know* what you're talking about. We're not talking about just any generic theoretical JIT. We're talking about the .NET CLR which *does* cache all of the JIT compiles in the GAC. Here, let me help you know more about what you're talking about: http://en.wikipedia.org/wiki/Global_Assembly_Cache

.NET is a great platform, and C# is a great language. All of this .NET hate from anti-Microsoft types with no knowledge of the platform is just about as useful as all of the patent fear-mongering associated with Mono. Anything Microsoft invents, these people are going to try to tear down, whether it's a good innovation or a bad one.

Except AJAX of course. They just pretend Microsoft didn't invent XMLHttpRequest or iframe.

How exactly is .NET interpreted? CIL (formerly MSIL) is JIT compiled, just like Java is. The JIT compiles of assemblies are cached in the GAC, so it only happens once. After that it's native code for the platform you're running on, whether that's 32bit Intel, 64bit Intel, or Itanium. Or you can choose a specific platform in Visual Studio and compile directly to that platform and avoid the intermediate language altogether. From your description of .NET it seems like you have no knowledge of the platform.

Insightful? Come on mods, do better.

No, as you can see from the following, the standard Win32 message pump isn't an infinite loop...

while(GetMessage(&Msg, NULL, 0, 0) > 0)
{
        TranslateMessage(&Msg);
        DispatchMessage(&Msg);
}

Non-Affected Software
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems

Direct2D and Direct3D are a part of the "hardware graphics calls in Windows". The fact that it's not in the GDI/GDI+ libraries doesn't change that. DirectX ships with the OS, is required for the OS to function, and thus DirectX IS literally one of the OS APIs for rendering graphics.

At the same time as people like you are grousing about how the web isn't composed of static HTML and GIF files anymore, we have the web developers of the world going on about the need for supporting HTML 5 canvas, video, and SVG. Microsoft decides that it makes sense to do all of those things with hardware acceleration, making use of the expensive video card many of us have paid for, and this is somehow their fault? Microsoft isn't the one pushing canvas, video, and SVG, they're just responding to the web moving in that direction.

This may shock you, but Firefox, Chrome, and Safari for Windows all take advantage of another proprietary API... Win32 API. Or to be more specific, GDI. The fact that Microsoft is using DirectX rather than GDI doesn't change anything. It's not an open source application and it doesn't support multiple platforms. What APIs they use internally is of no relevence to the merits of IE9 as a Windows based browser, and it's performance.

It's not like Firefox, Chrome, and Safari are all taking the (ridiculous) high road you're implying by doing 100% of their rendering in OpenGL currently. They're using a proprietary Microsoft API.

Managed code is the future. Doesn't matter if it's C# .NET, VB .NET, Java, Python, or something else. The languages save as intermediate language or bytecode, but in the end they're cached as platform specific optimized native code. The performance is very near that of the most optimal C. As our hardware power increases thanks to crazy leaps in processor and memory performance (thank you Nehalem) the costs of managed code performance are being minimized. And what is it that slows managed code anyway except for the checks that you should be hand coding in your C? Those same checks that prevent these kinds of attacks on a managed application.

I was a C developer for years who focused on writing the highest performance code at every turn. And for kernels, drivers, and maybe the highest performance demanding services, properly written C may be the right answer. But for many services and almost all applications, there is absolutely no reason I can see why a managed language shouldn't be used. There will still be security flaws but they will be much fewer and far between.

Yeah, because Firefox's exploit stats aren't worse than any other modern browser right? Maybe you need to do a little research.

If you had any idea what OP was talking about, you're realize that this isn't "sandboxing and virtualization". Thus, the attacker won't be taking control of the browser in a non-priv account or in a virtual space. This is DEP, data execution prevention. You may also know it as the NX bit. It's disallowing the execution of code from non-code areas such as the stack/heap. Thus it LITERALLY disallows the code from being run. So while the vulnerability is academically "there" the reality is, it does not run code, at all. Not in some restricted domain, not as some no-priv user. It simply doesn't run. Thus it cannot be used for malicious purposes.

Your entire post is anti-IE hate, and you have no idea what you're talking about. Then you go on to drag in some ActiveX bashing. Of course you've been modded up as "informative" even though your entire post is factually incorrect. I mean this is Slashdot right?

13th base is when you get a Z-job.

Core product ends? Why would their core product end though? Because someone bundled Linux with a browser? Haven't we watched the Year of the Linux Desktop repeatedly fail to appear, and now Google is going to come in an magically make it happen? Look at Chrome's current market share for hints as to their ability to market software. How the hell are you going to get people to install an entire OS (or buy a PC with that OS) if you can't get them to install a browser?! Google is search. Everything else avoids looking like complete failure by being propped up with Google search funds.

You're absolutely right. If this guy didn't inform anyone except Mozilla, he's bringing browsers wars to a new low, by being willing to expose a majority of web users involved in e-commerce and other "secure" online access to his vulnerability for whatever the lead time of patching is, but exempting users of his favorite browser. IF that's what he did, that's ridiculous, childish, and petty.

What about all the other vendors of SSL dependent software? SSL based VPNs like OpenVPN for example. No love for them either? Just Mozilla?

It shows how people like Dan K are smart enough to recognize major vulnerabilities that can potentially affect massive amounts of service/traffic/commerce need to be handled differently. It doesn't reduce the respect you gain as a security researcher for finding such a major flaw to give vendors notification in a reasonable time period before publication. I'm all for full disclosure as a means of punishing companies that don't respond, but for larger vulnerabilities I think notification and a deadline are the way to go.

Funny thing is, the Firefox 3.5 exploit doesn't work on Vista either according to our testing. Only works on Windows 2000 and XP. Good thing everyone's bashing Vista like it has no features of value and as if it's still broken like pre-SP1 when SP2 is out.

So your average Microsoft-hating fanboi who is running Firefox 3.5 because IE8 isn't cool enough, and who is running Vista because XP is "way better", is the one who is vulnerable to this Firefox exploit.