Programmers Didn't Start the Fire

 

But they sure get blamed when users get burned

Martin McKeay is picking on us poor programmers. Okay, he was picking on us last week, I'm still trying to catch up. As a former code monkey, it's my responsibility to speak up for all of us and set the record straight.

Which brings up the question, why would a game program need to access your system32 directory  and registry when it's just placing files in a single directory?  The answer is, it shouldn't, but that's exactly the power Vista gives the installer.

When Microsoft released Windows 95 it encouraged, nay nearly forced, programmers to start using the registry instead of INI files. Most desktop management suites are now based on the registry, thus forcing programmers to use the registry for everything if they want applications to be distributed in a consistent, easy to manage manner. Preferences for your game, licenses, menu entries - nearly everything is stored in the registry nowadays.

This isn't just a problem created by Microsoft, though they are guilty of perpetuating it. 

Whoa nelly! Yes it was created by Microsoft. It's the programmers who continue to perpetuate it, mostly because they have little other recourse at this point in the game.

Programmers are, quite frankly, lazy. 

Ummm... can't argue with this. Next!

Okay, 'lazy' is a bad term for it, but the reality is, they want to do things in the easiest possible way so they can get on to all the other problems in their programs.  So when it comes to building the installation routines for their programs, they want to be able to assume that they'll have access to everything in the OS, rather than having to deal with permissions issues if they're running as a user with lesser privileges. [ emphasis added ]

Almost all programmers today use an installation system that packages and delivers applications from one of two vendors: InstallShield or (wait for it... wait for it...) Microsoft MSI, with MSI being the primary mechanism of developers outside the enterprise.

Now, you could argue that developers could simply instruct the installation program to dump necessary files in a single directory and be done with at least the need to access system32, but there's this little thing called DLL Hell that we're all trying to avoid, as well as potential conflicts between DLLS due to system path prioritization that seems to change in every new release of Windows.

So while we aren't doing anything to solve the security problem introduced by accessing the registry or the system32 directory, and Microsoft's new UAC may further complicate the installation of third-party-software, we really aren't the root cause here - we're just as much victims of change as everyone else.

Imbibing: Coffee

Technorati tags: McKeay, security, F5, applications
Published Feb 22, 2007
Version 1.0
security
us

Was this article helpful?

No CommentsBe the first to comment