Monday, September 17, 2007

Bad programming and the virus landscape

Years ago I was a programmer - long before object-oriented programming became the norm. These were the days when the programmer had to ensure that the user did not press any keys or input any strings that the program would choke on. It was called "bounds checking" - min/max characters, only ASCII characters, that sort of thing.

For you click n' pray programmers, bounds checking meant that I had to limit what the user could type - characters, length, etc. And then, when they hit the key, my program had to make sure that the string was correctly formatted (sanitized, if you will) before the string was sent to my program functions.
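As an added example (not code from the original post), here is that kind of check in C: the input is tested for min/max length and printable ASCII before it is copied into a fixed-size buffer. The function name, status codes and field limits are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MIN 1    /* assumed minimum length for this field */
#define FIELD_MAX 31   /* assumed maximum length for this field */

enum input_status { INPUT_OK, INPUT_BAD_ARG, INPUT_TOO_SHORT,
                    INPUT_TOO_LONG, INPUT_BAD_CHAR };

/* Check untrusted input (src_len bytes, not assumed NUL-terminated) and
 * copy it into dst only if every check passes. dst is left as an empty
 * string on any rejection, so callers never see partial data. */
enum input_status accept_input(char *dst, size_t dst_size,
                               const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return INPUT_BAD_ARG;
    dst[0] = '\0';

    /* Length bounds: field policy first, then the real buffer size. */
    if (src_len < FIELD_MIN)
        return INPUT_TOO_SHORT;
    if (src_len > FIELD_MAX || src_len >= dst_size)
        return INPUT_TOO_LONG;

    /* Character set: printable ASCII only (0x20..0x7e). */
    for (size_t i = 0; i < src_len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c > 0x7e)
            return INPUT_BAD_CHAR;
    }

    memcpy(dst, src, src_len);   /* safe: src_len < dst_size */
    dst[src_len] = '\0';
    return INPUT_OK;
}

int main(void)
{
    char field[FIELD_MAX + 1];
    char oversized[4096];                       /* constructed sample input */
    memset(oversized, 'A', sizeof oversized);

    printf("%d\n", accept_input(field, sizeof field, "alice", 5));
    printf("%d\n", accept_input(field, sizeof field, oversized, sizeof oversized));
    return 0;
}
```

The oversized string is rejected before any copy happens, which is the step a stack-based overflow depends on being skipped.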

Today we see more and more viruses exploiting vulnerabilities through the lack of bounds checking. From Symantec on the recently discovered vulnerability in the MS Agent....

Microsoft Agent (agentsvr.exe) is prone to a stack-based buffer-overflow vulnerability because the application fails to adequately bounds-check user-supplied data.

When did programmers quit checking users' input... and why?

So now, every vulnerability researcher and hacker gets a list of program objects, functions or input routines and starts throwing large strings at it to see if it pukes. Oh, and what if we sent it some strings or any of the HTML representations of strings.

Do we blame the programmers for this gaping hole in the security of our systems? Or do we blame MS and other application development companies that convinced us that object-oriented programming was going to save the planet and our jobs? And who decided that a user's input doesn't need to be checked/sanitized?

P.S. - Here's another one.....
Microsoft MSN Messenger is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. From Symantec





New laptop won't run XP

Customer brought in a Toshiba Satellite with Vista on it. Very upset that his new laptop was having trouble he didn't have time to deal with. Asked us to remove Vista and install XP. Fine, we can do that. But........

THERE ARE NO XP DRIVERS FOR THE COMPUTER!!!

I downloaded the XP drivers from nVidia for the GeForce 7900GS. Install says no supported hardware. Go to Toshiba web site, download Vista drivers for the GeForce card, install says I have an unsupported O/S.

Right now I'm waiting on hold (have been now for > 30min) trying to talk with second level Toshiba tech. Now, one hour on hold - I hung up.

Have we reached the point where the MS monopoly can now dictate, via hardware, what version of their OS we can use? Am I the only one that thinks this is unacceptable?

Apparently, with the complexity of today's O/S's, manufacturers have to choose which O/S they're going to develop drivers for. Is this a product of the cost of developing drivers for multiple O/S or is it the MS monopoly dictating which O/S we can use on the hardware we buy?

Personally, I think MS learned their lessons from 98/2K/XP (no money in keeping old PCs running). So when MS decided MS needed a new O/S to fulfill promises to stockholders, they made sure we would not be able to extend the life of old computers. To do so, they had to

1 - completely rewrite the O/S so that no other drivers would work
2 - make sure that old hardware was gone (have you tried to find a Pentium 4, socket478 motherboard lately?)
3 - make sure that manufacturers don't develop XP drivers for their "Vista Ready" computers.

I've been working on/with computers since 1984. I remember when I could choose my O/S - different flavors of DOS (Dr. Dos, SeattleDos, etc.). But MS took care of that and bought up all the competitors (what kind of monopoly would they be if they let competitors exist?).

Whenever new hardware came out, manufacturers had to provide the drivers needed for operation in the different O/S environments. Manufacturers knew that even older machines would benefit from updated drivers thereby keeping customers happy.

Then we started seeing more and more integration of the add-on components (NIC, video, sound, USB, etc.) throwing the driver development onto the chipset manufacturers (Via, SiS, Intel, et al). Good for me 'cause it makes resolving driver issues much simpler.

But it seems that this has also allowed the MS monopoly to take hold and gain control of the manufacturers' driver development.

So when Toshiba (or any other PC manufacturer) says "XP will not run on this machine", who's to blame for that? Has the component manufacturer really said that they're happy to throw out all their XP development and write only Vista code for the component? Or has MS threatened the PC manufacturers' O/S margins?

Whatever the reason, customers are being screwed, AGAIN, by a company that has put stockholder profits ahead of customer satisfaction.

Why would a manufacturer close the door to those customers that want their computer but not the O/S MS says you'll use?