Microsoft has expanded its vulnerability disclosure program to include security bulletins about third-party Windows software as well as its own applications. The first bulletins, released last weekend, cover two flaws in Google Chrome and one in Opera ll, both of which were patched by December 2010. Microsoft has promised to …
The rate that Adobe has to push its fixes out, I'd really rather not wait until once a month anyway...
"bolster the security of the Windows ecosystem"
Or, as it's otherwise known, point fingers to the fact that other browsers have security vulnerabilities too. The patches were issued 5 months ago and you get notification now? Wow! What a wonderful service.
It does sound like a lot of finger pointing and going "nanana you have problems too"
The way that something was patched a long time ago and they are releasing just sounds like they are trying to discredit the browsers. No code is 100% secure but most code isn't written by Microsoft...
"Or, as it's otherwise known, point fingers to the fact that other browsers have security vulnerabilities too. The patches were issued 5 months ago and you get notification now?"
Nice try, but Windows Update only shows you patches you need - i.e. for products you have installed that have not already been patched. So nobody will see any mention of these vulnerabilities in Windows Update if they don't have Opera/Chrome or if they have already patched them. As to including 5 month old patches - why not? If people don't have them, they need them. If they do have them, they won't see them, so no harm done.
Still, it's a MS story so a slew of ill-conceived critical comments was only to be expected.
While I'm normally first in line to point out Microsoft's failings, here I think you're being harsh. We're moving from a time when the flaws we all needed to worry about were in the OS to a time when the really big problems are in the applications (and plugins). Not doing this would give people a false impression of their security status.
So while I'm sure it will share the embarrassment and blame - I think Microsoft are right to do it.
(I can't believe I gave Bill a halo icon... wow I think Satan just put on a vest)
This is good.thing that should really p*ss off all those people who blame every slight fault on Windows.
A good thing?
It isn't the slight faults that tend to p*ss people off.
If this is a genuine attempt to help, then I doubt that anyone will be unhappy. If it really is just an exercise in finger-pointing, then stand back and wait for the fur to fly!
They blame how windows work
windows isn't less secure, it is the way itself and apps are developed and ms doing nothing against it. Heard a non system utility on os x which can't run without sudo? Instead of thinking how to force developers to true NT model development, they allowed them to code as windows 98. That is where the problems started.
Both right and wrong....
I agree fully that many (but by no means all) problems with Windows come because of software that still requires too many privileges to run... I had to tweak my users' systems since I would not allow them to run as admins. So you are absolutely correct that part of the problem is in the application software.
On the other hand, why then are these programs (some of them from major players) allowed to advertise themselves as "Windows [whatever] compatible" and display the MS logo? When I got my first MS certification I actually glanced at the legalese surrounding any use I might make of their logo and apparently I will be vaporized if I use their logo in any way that might possibly bring discredit on their company.
In sum, by allowing these poorly written programs to advertise themselves as compatible, MS is endorsing them and thus has remained part of the problem, whatever improvements they may have made to their systems.
Not "allow" but "require"
I'm not a programmer but I've done tech support for programmers. As we were trying to develop a locked down Windows environment we kept running into one huge obstacle: Visual Studio .Net. Programmers couldn't use it without being elevated to admin, which shot the whole model to hell and back. If MS can't make the programs work on their own dog food, they need go back to the cannery.
Maybe they've improved since that fiasco, but I doubt it. No longer working at that company, so I don't know what the current status is.
Apple politely pushed developers
Apple managed to move their "single user, no kind of permissions" model developers to NeXT.
I mean there is a good success story there. They could use it as an example, how to politely do it without breaking existing software. I use Carbon, MacOS8/OSX software on Snow Leopard. It works flawlessly, without any kind of "run as admin" tricks.
They aren't the only ones to blame but they don't do something like "it is 2011, your application isn't writing to its own directory." and push developer to right way. Ask windows admins about firefox update process ;)
Do As I Say Not As I Do
Absolutely correct Tom. Some of the worst behaving apps I've seen come out of Redmond, they seem fundamentally incapable of following their own rules. How many times have you installed patches only to find a pile of crap left behind in the root directory? They seem to delight in abusing the power of the system account. They are utterly incapable of properly using a TEMP directory, even when one is provided for them. Once I had a foreign drive mounted on a Windows system for some testing and MS used IT as TEMP.
The one major app that I have to name and shame that is not Microsoft's is Quickbooks. There is no way that POS should get a Windows logo. Way too many versions have required all users to have local Admin rights.
'bout time too
I suspect these vulnerabilities are now being exploited en-masse and MS want to make sure that people apply the fixes; the fact patches were issued doesn't mean they have been applied.
1. The people who take the time to read advisories like these are those already interested in keeping their software up-to-date, so have likely already installed the updates.
2. The two applications mentioned both have automatic updating built in and on by default, so it's unlikely that the patches have not been applied except in the case of people who specifically don't want to apply them.
3. The two applications happen to be two of the best examples of how much better software can be than Microsoft software has led the masses to believe. Microsoft's action couldn't have been much more transparent, except possibly if they released "bulletins" on the insecurity of iOS software.
truly gigantic windows scene
Of millions of software titles, they choose couple of browser rivals which have auto updating capability. In case of Chrome, it is forced auto updating capability.
Let them install trial of Kaspersky antivirus and run a software/os security report on an ordinary os. They may find way more interesting issues like vulnerable flash plugin embedded in a HP printer driver.
Don't you even ask what flash does in printer driver. Animations? Epson handles it with gifs
Pointing fingers make very little difference. The first thing MS needs to do, if they're half serious about security on their platforms, is to extend their software-management tools so that they are just as easy to utilise for third-party developers as those on competing platforms. MS is worst in class in this respect, and has been for quite some time already. Any third-party product installed under windows should be upgraded and/or patched whenever any windows component is. That must become the rule, not as to day, the exception.
They could deal with Adobe for Flash
I don't know who to blame on this, it could also be adobe who makes great amount of cents from checked by default google toolbar. :)
Flash plugin is still small and it does a very stupid way of installing ringing the bells on any quality heuristic software.
They could make a deal with Adobe like: "we will update the flash to current minor revision whenever a security issue happens". Notice:minor revision, e.g. people won't be forced to upgrade from 9 to 10.
Obviously, cheap trickery like needless progress bar show off, ads while installing aren't acceptable. What they will do is: backup the flash ocx, put the new one and store the backed up file with some adobe entry.
If they do things like these, everyone will believe they don't do usual ms trickery. However, they came up with Opera and Chrome stuff...
Security needs to recognise good code not bad
There's simply too much bad code out there too easily runnable by end users who lack the wherewithal to evaluate the integrity of the origin let alone be sure about the identity of the source. Antivirus uses too much memory and CPU trying to recognise the bad stuff, and will always be out of date. The rate of new malware being discovered is so high the signatures used to recognise it can't be very carefully engineered any more, resulting in an increase in false positives and negatives. The solution is to be able to identify good code and not to run anything else.
Sorting this problem out using cryptographic signing and trust mechanisms isn't an unsolved problem. The fact that a solution exists already benefits most Linux users. The fact that Windows is behind here makes life worse for all net users, including Linux users who also have to filter out all the spam and DOS attacks which result from compromised Windows PCs. (There are compromised Linux systems too, typically used as botnet command and control servers, but these tend to be compromised through faulty administration as opposed to through inadequate software verification).
Windows also needs to move towards an ecosystem in which Microsoft signs application developers keys based on developer having an independent QA certification based around internal code review procedures independently audited. Those wanting to install applications self certified by smaller developer which can't afford the QA certification can be advised to check that the developer is bona fide themselves and take the risk of adding that developers keys into the registry for which Windows should provide an easy procedure with suitable advice and warnings.
This is a very small step in the right direction, but which doesn't really acknowledge the primary cause of the problem.
I was momentarily excited about the announcement.
MS ought to be providing a method for third party vendors to integrate their patches into the Windows deployment system (not necessarily require, but at least an opt in solution). But it turns out to be a hash of a PR ploy.
The only time Opera gets a mention is to state it has security flaws :(
I guess they had better hope they are right when they sling aspersions at other people's software. Or perhaps their lawyers are bored and promoted this idea so they'd get more work.
Just because Ballmer makes Jobs look innocent.
... is Opera and Chrome.
Call me a cynic but I suspect that software which is less portable and/or made by companies or people MS finds more useful will get fewer mentions in security bulletins.
The vulnerability was fixed and disclosed by both Opera and Chrome roughly FOUR MONTHS AGO. And only now, Microsoft releases its own advisory. Not to mention the video vulnerability was for a feature Internet Explorer did not even HAVE.
- Review This is why we CAN have nice things: Samsung Galaxy Alpha
- Ex-Soviet engines fingered after Antares ROCKET launch BLAST
- Hate the BlackBerry Z10 and Passport? How about this dusty old flashback instead?
- NASA: Spacecraft crash site FOUND ON MOON RIM
- NATO declares WAR on Google Glass, mounts attack alongside MPAA