Microsoft on Tuesday issued two security updates, one of them rated critical that fixes nasty bugs in Windows Vista that could allow an attacker to gain complete control over a user's machine. The patch, which also applies to the XP, 2003 Server and 2000 versions of Windows, plugs two holes in the way the operating systems …
Yet another reason...
to switch to Linux. Currently I am trying/testing Mandriva and so far, so good.
well, yeah, its tuesday
To be fair, im not sure why we have to wait for a tuesday for fixes, often years in the case of 2000/XP, having a 'bug fix' day is always a sign of a failing project.
Im not sure its even worth reporting on these anymore since :
a) its a pretty regular occurance (every tuesday)
b) it uses valuable disk space that could be used to report on PH, or show the eee girl
Q: Since these exploits were never discovered in XP or 2k, does this mean that Vista is easier to find exploits in?
Bill, you promised that Vista was the most secure OS out there now and forever!
Now, now, don't be too hard on Bill. After all, he's been a visionary, predicting the future with certainty, for example:
"Nobody will ever need more than 640k RAM!" -- Bill Gates, 1981
And his company expanded on that:
"DOS addresses only 1 Megabyte of RAM because we cannot imagine any applications needing more." Microsoft on the development of DOS - 1980
"Windows 95 needs at least 8 MB RAM." -- Bill Gates, 1996
And now, looking at the "minimum system requirements" for Windows Vista, the bare minimum of system RAM is 512 MB (Vista Home Basic), or 1024 MB (Home Premium / Business / Ultimate).
So let's cut Bill some slack on Vista's security. He's been right about so much, so often, that one little mistake shouldn't be held against him!
Are you suggesting that Linux doesn't release updates to fix security bugs? If not, then do you believe it doesn't have any security holes?
Microsoft keeps fixing bugs, keeps hiring scary Germand and Russian "penetration engineers" to attack their system, and the open source guys continue to believe in the ideological purity of their software. In the long run, who is winning?
or slightly less tin foil
> The bugs addressed by Microsoft Security Bulletin MS08-001 are evidence that the
> program doesn't always work as advertised
It is just possible that the effected protocol is not installed by default on the 2K and 2003, hence a lower criticality.
The "correct" quote is:
"640K ought to be enough for anybody."
And he never said it. If you insist, I challenge you to find out when, where and to who he said it. A proper quote always contain a source, and it shouldn't then be too hard to find out where.
While you are at it, I seriously doubt the second quote aswell. Why would an OS maker say such a thing when the hardware they designed for had an absolute limit of 1MB of RAM. When you write software it is very little you can do about the hardware you design for. In this case they couldn't even switch hardware, since they wrote for IBM, and it thus was IBM's call.
For the third quote, I like it when software designers tell me system requirements so I know if I can use software before I buy it.
Bestest of luck in your source hunt.
Need to be a coward for this one. Sticking up for Gates, pfft, I spit on you.
Once again we see that Vista is bug compatible with a previous operating system from Microsoft.
So how much of Vista _is_ new code?
With the OSS community, you don't have to wait for a tuesday several months hence until the patch is posted... and that's one of the great points about OSS. If you don't like to wait until somebody else fixes the problem, you can even fix it yourself. Try talking any commercial software developer into giving you access to their code so you can fix their problem for them...
Every OS, without exception, have security holes in them. get over it.....
Stop this crappy Linux / Mac / Unix / Atari / Amiga/ Speccy / BBC MicroB bollox and grow up! Shhesss when do the pubs open so I can get away from these people !
> It is just possible that the effected protocol is not installed by default on the 2K and 2003, hence a lower criticality.
The 'effected' protocol was TCP/IP. So, no, that's not possible. Next question?
I tend to regard the way this whole patching business gets reported (regardless of *who* is patching *what* code) to be a bit upside down, to be honest. After all, the argument for Open Source has always been that, because the code can be scrutinised, security vulnerabilities can be found more easily, and patches can be issued more swiftly and more frequently. The same logic holds for any other software, be it OS X, Windows, proprietary Unix, or the flash hardware on your domestic home router. A flaw has been found, a patch is available: apply the patch, or be an idiot.
Unless you assume that programmers can see into the future, and program flawless code, in advance, you should regard frequent code patching as a Good Thing, and not a sign of vulnerability. Infrequent patching is more likely to mean that flaws are either not being looked for, or are being found but hushed up.
@ he never said it
It's to *whom* he said it.
XP Pro in 2003 had 30 security advisories. 50% were rated as 'moderate' or higher. 40% were exploitable from a remote connection.
Ubuntu 7.04 in 2007 had 91 security advisories. 62% were rated 'moderate' or higher. 76% were exploitable from a remote connection.
Vista in 2007 had 17 security advisories. 53% were rated as 'moderate' or higher. 59% were exploitable from a remote connection.
Data taken from secunia.com, looking at the data for the first year of release on a OS. It's worth noting that Ubuntu Linux is on a 6 month lifecycle, so a new version is released after just 6 months - thus viewing it over a longer period of time isn't really possible with accuracy.
My view? I'll stick with Vista thanks. According to the stats it seems a better choice for security than Ubuntu Linux.
Oh, and having one or two 'critical' patches/bugs is better to manage than 91 moderate or high security holes.
Ubuntu Linux 7.04 had more securtiy advisories, more advisories that were rated 'moderate' or higher and more security holes that could be exploited remotely during it's first year of release compared to XP or Vista's first year of release.
Yes Linux & OSS needs to be patched and has vulnerabilities, but unless the kernel needs to be patched (which doesn't happen too often) the machine doesn't need to be restarted. You just stop the service, patch it & restart.
Where as my XP workstation is asking me to reboot every 5 minutes (I've now got a shortcut on my Start menu to stop the windows update service), my 2003 Server wants to install it's updates and says it may (read definitely will) need to restart afterwards.
Basically, it's not vulnerabilities that I take issue with (they will happen with every OS), it's the fact a reboot is required nearly every time.
Any chance this is related to MS insistence of having everything in one big slab? http://www.theregister.co.uk/security/security_report_windows_vs_linux/#monolithic
I think you'll find that the TCP/IP stack is completely new in Vista and 2008 server so it’s possible that they criticality is different.
@ Stu Reeves
Well said. Why people are so surprised that a large piece of software like Vista needs a patch is beyond me. My Ubuntu box reminds me about patches on a regular basis and sometimes they mess things up that's just what happens.
Anyone else noticed that the latest patch cripples the ability to right-click in Explorer and shrink a photo for sending? It hangs after the photos have been shrunk and never creates the mail window.
"with OSS... you can even fix it yourself"
lol, this is the worst argument ever against Windows. You really want the rabid masses who are at this very minute opening BritneySpearsNude.exe to have any choice over how and what is patched? If Windows was OSS, malware and backdoors would be sneaked into various community 'patches', and some idiots would fall for it. This would also create a support nightmare.
Like it or not, most computer users don't understand or care, and a closed OS that auto updates is probably the best solution for them.
"Nobody will ever need more than 640k RAM!" -- Bill Gates, 1981
Don't forget that in 1981 by far the most common home computer in the UK was the Sinclair ZX81 with a massive 1K of RAM or if you were really extravogant 16K with the RAM pack. Most Vista machines today probably have 2GB RAM - what applications can you think of that will need a million times as much memory?
It's very easy to make snide remarks about Bill's predictions but I don't recall anybody predicting the scale of the computing revolution that has occured. In 1981 I only knew three other people who had computers at home, now most homes have at least one.
So easy to overlook the fact that the advisories for Ubuntu include the advisories for applications that are installed with Ubuntu. Like OpenOffice.org, Mozilla Firefox, Evolution, etc...
Specifically it is related to multicast traffic (IGMPv3). Windows 2003 does not have any multicast addresses active by default, hence the lower criticality than XP or Vista which do.
Um off the mark a bit there.
In OSS someone with the appropriate knowledge can fix a bug for themselves then submit the fix to the maintainers/developers to be included in the official version of the software. They could also post their patch online, of course.
Sure, someone with the appropriate knowledge (so NOT the britneynude.exe-clicking brigade) could write a backdoor, install it on their own machine and stick it on a website but it almost certainly wouldn't make it into the official source tree.
Anyone installing anything from outside a trusted source tree does so at their own risk - just like anyone clicking on thet britneynude.exe link does.
Lies, damn lies, and statistics
http://secunia.com/graph/?type=sol&period=2007&prod=13223 shows that Vista was 6% full of unpatched holes whereas the comparative graph for Ubuntu shows no such horror.
Reading Secunia's pages will inform one of the lack utility in comparing this data as its like comparing apples to useful computers or even oranges.
...from the people that brought you edlin.
Like Frank said Ubuntu's vulnerabilities also included everything that Ubuntu includes in it's repositories which included thousands of packages!
>Oh, and having one or two 'critical' patches/bugs is better to manage than 91 moderate or high security holes.
Really?! I'd rather use an OS that doesn't have *any* critical patches (e.g. Ubuntu).
It's interesting how you, Steven, quoted the stats to suit your argument. If you'd gone for 'High' or 'Extreme' critical vulnerabilities then Vista doesn't look so favourable: 47% vs 21%. Not so good for an OS that was developed and publically advertised as a secure system.
Plus, every single vulnerability has been patched in Ubuntu, but MS despite it's amount of resources and 'fewer' vulnerabilities still can't be bothered in patching them all. 6% of vulnerabilities are still unpatched.
You can keep Vista I'll stick to Linux, thanks.
Reboots not needed
If you think a reboot is needed for every Windows patch, you've not been patching lately. It's now increasingly rare to need a reboot.
I would, in fact, say that Microsoft is better than many deeply shitty third party software vendors on this point.
Re: Nobody will ever need more than 640k RAM!
On a system with an 8086 chip that's probably *still* true.
Like Windows Media Player, IE7 and Windows Mail...? (Fair enough with OpenOffice though!)
To be fair, I'm not trolling or saying that one OS is 'better' than another - I use a mix of platforms and have to patch them all regularly.
I just hate seeing the constant comments when a patch is out for Windows then the OSS fanboi's start their attack.
A few weeks ago when the random number generator in Windows was discovered to not be as random as we first thought. How strange that El Reg in it unbias glory didn't post the same article that was on SecurityFocus regarding the same flaw... (http://www.securityfocus.com/bid/25348/discuss)
Let's all try and remember that ALL systems and applications need patching. From Windows and Linux through to Cisco IOS and even printer drivers.
Good administrators keeps systems secure - not the platform.
So according to that graph you linked to (http://secunia.com/graph/?type=sol&period=2007&prod=13223), 6% of Vista's 17 advisories were unpatched - that's actually just 1 advisory.
bloody xp system autoupdated overnight then rebooted. fek . will have to try again P2P tonight for those linux ISO's lol. only thought Vista was being fixed...
@Glenn and @Chris
As AC said - thats ONE SINGLE unpatched advisory. Just one. Plus you need to be a locally authenticated users first, and then you can view the filenames of files in a directory which is protected. That's the security issue.
Needless to say Secunia give it the lowest of it's ratings - "not critical".
Yep, if you look at the severity of the advisories then Vista has more higher severity ones than Ubuntu. Then again if someone can get access to my system I couldn't careless what rating the advisory gives it. Generally speaking, a moderate rating allows access to the system remotely.
It's obviously personal choice - but I would rather have a system with 53% of the holes being of a high rating but with just 17 advisories than a system with 61% of the holes being high rating with 91 advisories. (i'm using 'high rating' as moderate or above. Secunia marks advisories that are remotely exploitable resulting in system access or denial of service as moderate)
Regardless of how you want to dice the facts (and lets face it, anyone who wants to prove a point can always twist the facts - including me!) the bottom line is that Ubuntu had more advisories than Vista, and more advisories that were remotely exploitable than Vista.
No matter how you cut that cake, the facts are there.
And again - to repeat myself - this isn't one OS is more secure than another. I'm pointing out the massive misconception that Vista is very insecure compared to Linux. It's not - it's the user base that are the muppets rather than developers. And that can be said for the majority of software out there regardless of your OS religion.
@ Steven Hewittt
Any stats on Mandriva? I did try Ubuntu, but for some reason the only applications that would work with it were the ones that it installed itself. Any other Open apps that I installed in Ubuntu would just hang or not work at all. Alas, could have been user error, I am still new to Linux.
As for Vista, XP, 2000, ME, 98, 95, Workgroups 3.11, 3.1, 3.0(shudder) and DOS 2.1 through 6.22, I have tried them all, and done support on these for family, friends and co-workers over the years.
After various malware has thoroughly compromised the Windows system to the point that nothing loads very fast or is rendered inopperable I must admit that the fix is always simple enough on a Window box.
Backup any relevant data, delete the primary partion, low level format the drive, and reinstall the operating system and any applications if the user still has the original disks. Voom, brand new and very fast, until the next bugfestation.
Having said that, frustration and boredom with the endless updates patches and reboots has driven me to try Linux. I suspect that is the main reason Linux even exists, but I could be wrong.
And a choice of operating system is simply that, a choice. Someone wise once said that all Operating Systems suck in some way or another.
There's even a Linda Lovelace scale of suckieness that goes from water up a soda straw on the low end to watermellons through a swizzle stick into low earth orbit on the highest end.
@Steven Hewitt pt2
OK. Maybe 6% unpatched vulnerabilities (i.e. one) is over-stating the fact.
Also, I must admit that Vista is an improvement (statistically) in terms of security over previous versions of Windows, although that isn't hard ;)
However, you still forget that the numbers of 91 (ubuntu) vs 17 (Vista) advisories are not comparable in absolute terms as Ubuntu bundles many, many more applications with the OS than Vista does. Plus, there's the thousands of apps available from the repositories, which aren't directly under the control of Ubuntu, but are included in Secunia's advisories for Ubuntu e.g. MySQL, VMWare, perl, Firefox.
A nearer comparison would be if you added the vulnerabilities for MS Office, Explorer, WMP, Photoshop, Realplayer, Shockwave, Dreamweaver et al to Vista.
BTW the stats for Mandriva are here:
@ tony trolle
why dont you reconfigure things so windows does not automaticly install and reboot updates.....
why not have it just tell you updates are available?
- World's OLDEST human DNA found in leg bone – but that's not the only boning going on...
- Lightning strikes USB bosses: Next-gen jacks will be REVERSIBLE
- Pics Brit inventors' GRAVITY POWERED LIGHT ships out after just 1 year
- Microsoft teams up with Feds, Europol in ZeroAccess botnet zombie hunt
- Storagebod Oh no, RBS has gone titsup again... but is it JUST BAD LUCK?