Ready to Go?

November 14, 2009

Earlier this week, Google announced a new, open-source programming language, called Go, intended for systems programming use.  According to the Go project site, the language is “expressive, concurrent, garbage-collected”; syntactically, it is another of the many descendents of C.

Having been around the IT world for a while, I confess to being somewhat skeptical of the benefits to be had by the introduction of yet another programming language.  Some new languages — for example, FORTRAN when it was introduced — are genuine advances.  Some have been developed for specialized niches — for example, JOVIAL, “Jules’s Own Version of IAL”, used extensively by the US Air Force.   There are languages that approach programming from a different perspective: most notably LISP, the list processing language, and the functional languages, of which Haskell is an example.  And some have just been intended as a joke, like INTERCAL, with its “computed COMEFROM” statement (this was intended to complement the GOTO statement, you see). But I really can’t think of a language that has dramatically affected the course of software development, although of course the idea of using high-level languages (as opposed to assembler) certainly was an important step forward.

So, in looking at Go, my expectations are modest.   It is a fairly simple or “small” language, like C; here is the basic “Hello, world!” program in Go:

package main
import "fmt"
func main() {
fmt.Printf("Hello, 世界\n")

One useful feature of Go, illustrated in the above example, is the native support for non-European character sets; Go programs are defined to be encoded in UTF-8.   The language, like C, includes pointers; unlike C, it does not provide pointer arithmetic.  Storage allocations are automatic, and garbage collection for storage no longer in use is built in.  This is, of course, one of the many attempts to address the fact that dangling pointers and memory allocation blunders have been among the most fruitful sources of bugs and security problems with software written in C.

The project team claims that, additionally, Go is fast, both in compilation and execution time, and that it is well-designed for software that requires a high degree of concurrency in execution.

There is a Go tutorial available at the project site.

Microsoft Advisory on Windows 7 Exploit

November 14, 2009

Microsoft has now issued a Security Advisory [977544] about the SMB-related vulnerability that I mentioned on Thursday. The advisory confirms that, while the flaw can be exploited to cause a denial-of-service attack (by crashing the target system), it does not appear possible to use it to install software or otherwise take control of the target.  Microsoft confirms that the affected systems are:

  • Windows 7 for 32-bit Systems
  • Windows 7 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems*
  • Windows Server 2008 R2 for Itanium-based Systems

The exploit works when a vulnerable PC attempts to browse or otherwise access an SMB share on a “toxic” server.

The principal suggested workaround is to block TCP ports 139 and 445 at the network firewall.  Port 139 is used by the NETBIOS Session Service, and port 445 by Microsoft CIFS.  There is really no good reason I can think of that these ports should be visible from the outside world, generally speaking.  Of course, if the bad guys are already inside your network firewall, you have a serious problem.

32-bit Systems

Windows 7 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems*

Windows Server 2008 R2 for Itanium-based Systems

%d bloggers like this: