Microsoft on Tuesday patched a record number of security holes in its Windows operating systems and other software, a haul that included at least one security flaw that was already under attack in the wild. One of the updates fixed a vulnerability in Windows Media Runtime that allows an attacker to remotely execute malware by …
Did they actually release the 13 patches at 13:00 on the 13th?
That was the schedule. If so, it's good to know that Microsoft isn't superstitious, eh? Actually, my machine shows 16 major patches pending--but I'm afraid to install them yet, and afraid not to install them...
The black hat hackers are destroying us from below, and the white hat hackers are crushing us from above. They've already passed each other and we're left in the limbo of not knowing how much we can trust our so-called own machines. Or should we just admit that Microsoft has pwned all of the Wintel boxen?
The certificate bug
Tell me, how DOES Windows verify that its patches haven't been tampered with?
I DO hope Microsoft has a way of verifying its patches' certificates that does not use the same codepath as the SSL code. But it almost certainly IS the same, so there is basically no way to be sure if you're either
a) Installing a Microsoft issued patch
b) Installing a rootkit
Luckily the source code patch at Microsoft.com can be hand applied so you can verify that everything is in order yourself.
Too bad this problem won't even be considered by the security experts at your local government.
News flash for you all
Windows sucks - time to look elsewhere, you tards,
for the have-nots you have Linux and for the haves Apple.
...they're fixing the bugs. Something Apple should really get on.
Chill. The risk analysis for Patch Tuesday *always* strongly favours installing the patches, unless you are personally responsible for a fleet of servers.
Of course, several of the people who comment here *are* in that position and they will now chime in to tell me about how they once installed a patch and it lost the company squillions of the local unit of currency. They should chill, too.
So kick off Windows Update and have a beer.
or you could just use a real OS like Linux and let your worries wash away ;)
Well, seeing as KB974571 causes Office Communicator Server to think it's an unlicensed version and stops it working... bit of a blow when you've moved loads of remote users over to it... maybe we should have tested this morning instead of drinking.
It does not work...
Tried to install the update twice and got an error message on one part of it indicating failed to install... So, business as normal?
@Hein-Pieter van Braam
If you're getting that paranoid, you can't assume whatever is intercepting your communication with the binary patch servers isn't intercepting your communication with the mythical source patch servers. In any case the point is moot, because updates don't just have to be signed by _A_ certificate, they have to be signed by a Microsoft certificate, which means you can't just get one from an automated system on some random issuer's website. It's still possible - all you'd need is an inside man at MS - but much less likely.
Realistically, if someone is intercepting and proxying all your internet comms AND they have an inside man at MS, you're screwed anyway.
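For readers who want to check the point above for themselves, here is an added example (not code from the thread or from Microsoft) that inspects the Authenticode signature on a manually downloaded update package and walks the certificate chain up to its root. The file path and the `CN=Microsoft Root` subject match are assumptions for illustration; the check is a heuristic on the root's subject name, not a reproduction of what Windows Update itself does internally.

```powershell
# Added example: report who signed an update package and which root its chain ends in.
# $UpdatePath is a placeholder for a locally downloaded .msu or .cab file.
param(
    [Parameter(Mandatory = $true)]
    [string]$UpdatePath    # e.g. C:\Downloads\some-update.msu (placeholder, not from the page)
)

$sig = Get-AuthenticodeSignature -FilePath $UpdatePath

# Status is 'Valid' only when the file hash matches and the chain builds to a trusted root.
"Signature status : $($sig.Status)"
"Status message   : $($sig.StatusMessage)"

if ($null -eq $sig.SignerCertificate) {
    Write-Warning "File is not Authenticode-signed; do not install it."
    return
}

# Build the chain explicitly so the full path to the root is visible,
# instead of trusting the leaf certificate's subject string alone.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$built = $chain.Build($sig.SignerCertificate)

"Chain built      : $built"
foreach ($element in $chain.ChainElements) {
    "  {0}  (thumbprint {1})" -f $element.Certificate.Subject, $element.Certificate.Thumbprint
}

# Defender's check: the root must be a Microsoft root, not merely any CA the machine trusts.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$isMicrosoftRoot = $root.Subject -match 'CN=Microsoft Root'   # heuristic subject-name match (assumption)

if ($sig.Status -eq 'Valid' -and $built -and $isMicrosoftRoot) {
    "Verdict          : signed by Microsoft, chain verifies"
} else {
    Write-Warning "Verdict          : signature does not chain to a Microsoft root; investigate before installing"
}
```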
That'd put you in the minority of approximately 0.87% of users. No wonder nobody bothers writing viruses for Linux... (Web stats from c.300,000 users in 2009 to date).
It's time to ditch Microsoft and go for Linux
A year and a half ago I migrated everything I do from Windows to Linux. And this is one of the reasons why... I became tired of downloading and installing security patches, and rebooting everything every few weeks. Since I migrated to Linux, I can sit back, relax, and USE my PC rather than MAINTAIN it. I also use Linux to run the servers of my personal business since 2001. I never have to reboot the servers. The only time they've been rebooted were times when the power was off so long that the UPS batteries couldn't keep them running any longer. This has happened several times over the 8 years, other than that, we've never needed to reboot for maintenance. I take this into consideration as this means our services are more available to our customers.
My Ubuntu desktop downloads patches all the damn time, and servers need rebooting when there's a kernel update or patch required. Not a really frequent occurrence, but more than every 8 years. Are you running very out-of-date software?
Actually, no. The point is that because of the vulnerability you DO NOT NEED a Microsoft certificate, you can fake one. That is the whole problem of this epically downplayed vulnerability.
You only need someone with the ability to do a man in the middle attack and I think that this something that governments and large companies SHOULD BE prepared for.
As for the 'source server', the point is that you can verify the code, thus actually KNOWING if there is a rootkit in your patches or not, which is actually the ONLY WAY you can be sure in this case that everything is on the up and up.
How do you verify the patch for Linux or for OSX in that case?
@apexwm
The only time you should need to reboot a Linux machine is for a kernel upgrade. I've had to reboot for a kernel upgrade or two, but my point is that's about it. Whereas with Windows, about 80% of the patches need a reboot. For servers, this results in excessive downtime when there doesn't need to be. With the ability of Linux to update packages on the fly, administration is made a LOT easier. Yes, there are a lot of patches needed for a lot of newer Linux distros, but a majority of them aren't needed to address remote exploits. You simply don't have all of the same exploits as Windows does, where users suddenly have viruses and spyware just from using Internet Exploder and visiting websites. Sometimes I wonder if it's absolutely necessary to make it a habit of installing every patch that is available by default in Linux. It seems a good practice in Windows, where there are more security issues. Personally I've had better luck only installing Linux updates that are necessary, to address a specific issue.
MS Updates changed my resolution. I was unable to bring back the original res till 5pm EST.
Gets all the updates offered.
Haven't had any problems in the approx two years I have been using it.
Ubuntu has nowhere near the number of Windows patches from what I am reading here
How big!!
My WSUS server had 163 updates waiting for approval this Patch Tuesday.
Total size 5.1GB!!
There goes my WAN links for another week.