Comments (4)
There's no formal position on EOL, I generally ask, "What seems to be common?".
For example, while officially Windows 7 is end-of-life, over 30% of all client systems (not just Windows systems) use Windows 7 today. So if something impacts Windows 7, it's a serious issue. Stats here.
I take Python in a similar vein. Officially Python 2 is end-of-life, but in practice Python 2 is everywhere & there are still many systems that only have Python2, so I continue to support it.
As of August 2005, over 600,000 sites ran Windows Server 2003 even though it was out of support according to Netcraft. I don't know the numbers now, but if the numbers are significant, it seems worth worrying about. Eventually it's not worth worrying about, of course, but what matters is the number of systems actually deployed.
Too many people in the tech bubble think that when a new version of software is released, everyone magically updates to it. That's not how things work in the real world, and I want to help people out in the real world.
from flawfinder.
Agree - but I think you missed what I was saying.
I'm not asking about Win 7 (the fix was made before Win 7 was released).
InitializeCriticalSection
Windows Server 2003 and Windows XP: In low memory situations, InitializeCriticalSection can raise a STATUS_NO_MEMORY exception.
Starting with Windows Vista, this exception was eliminated and InitializeCriticalSection always succeeds, even in low memory situations.
According to your stats, XP has a 1.7% market share. Is that enough people to leave it on the list - probably, but the warning message should change to indicate that it does not happen on modern versions of Windows.
On old versions of Windows (including and before XP and Server 2003), exceptions can be thrown in low-memory situations. Use InitializeCriticalSectionAndSpinCount instead
EnterCriticalSection
- as something that will not throw errors on XP (released October 25, 2001), .NET Server (released April 24, 2003), and later (including Win 7, released October 22, 2009).
What we are talking about being susceptible is these operating systems:
Windows 1.0 (November 20, 1985), Windows 2.0 (December 9, 1987), Windows 2.10 (May 27, 1988), Windows 2.11 (March 13, 1989), Windows 3.0 (May 22, 1990), Windows 3.0 with Multimedia Extensions (October 20, 1991), Windows 3.1 (April 6, 1992), Windows for Workgroups 3.1 (October 27, 1992), Windows NT 3.1 (July 27, 1993), Windows for Workgroups 3.11 (November 8, 1993), Windows NT 3.5 (September 21, 1994), Windows NT 3.51 (May 30, 1995), Windows 95 (August 24, 1995), Windows NT 4.0 (August 24, 1996), Windows 98 (June 25, 1998), Windows 98 SE (May 5, 1999), Windows 2000 (February 17, 2000), Windows Me (September 14, 2000)
From the list you provided, even if you look at the top 1000 operating systems:
- Windows Me doesn't even make the list
- Windows 2000, Windows 98, Windows NT, Windows 95 all have zero percent.
- The older ones also don't make the list.
I think the risk is low/non-existent of removing this check.
from flawfinder.
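An added illustration of the check under discussion (example code, not flawfinder's own scanner or ruleset): a small Python scanner that flags exact calls to InitializeCriticalSection with the version-qualified warning proposed above, while leaving InitializeCriticalSectionAndSpinCount and commented-out calls alone. The rule table and the C sample are constructed for this example.

```python
import re

# Rule table constructed for this example (not flawfinder's ruleset):
# exact API name -> version-qualified warning text proposed in the thread.
RULES = {
    "InitializeCriticalSection": (
        "On Windows XP / Server 2003 and earlier, can raise STATUS_NO_MEMORY "
        "in low-memory situations; this does not happen on Vista and later. "
        "Use InitializeCriticalSectionAndSpinCount and check its return value."
    ),
}

# An identifier immediately followed by '(' (a call or prototype). The greedy
# \w* means InitializeCriticalSectionAndSpinCount never matches the shorter name.
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def strip_comments(src):
    """Blank out /* */ and // comments, keeping newlines so line numbers hold."""
    src = re.sub(r"/\*.*?\*/", lambda m: re.sub(r"[^\n]", " ", m.group(0)), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def scan(src):
    """Return (line, api, warning) for every flagged call in C source text."""
    hits = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            if name in RULES:
                hits.append((lineno, name, RULES[name]))
    return hits


# Constructed C sample: only line 4 should be reported.
SAMPLE = """
CRITICAL_SECTION cs;
void init(void) {
    InitializeCriticalSection(&cs);                   /* exact name: flagged */
    InitializeCriticalSectionAndSpinCount(&cs, 4000); /* different API: not flagged */
    // InitializeCriticalSection(&cs);                   commented out: not flagged
    EnterCriticalSection(&cs);
}
"""

if __name__ == "__main__":
    for lineno, name, msg in scan(SAMPLE):
        print(f"line {lineno}: {name}: {msg}")
```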
Great points! I've made the change, it'll be in the next release.
from flawfinder.
Thanks for following up.
from flawfinder.