Rare critical Word vuln is the star of December Patch Tuesday

Microsoft is planning to release seven bulletins next Tuesday, five of which tackle critical vulnerabilities, as part of its final Patch Tuesday update of 2012. All currently supported operating systems (including Windows 8 and Windows RT) will need patching. The updates feature critical updates for Redmond's IE 9 and IE 10 …

COMMENTS

This topic is closed for new posts.

So, it's a good thing that the number of 'critical' remains the same. Good marketing spiel. I would personally be working to reduce the critical ones and the important ones would fall as well. hmmm.

1
2
Anonymous Coward

Criticals went up... how this is "good" I'm not sure

4
0
Silver badge

Jumped from 34% to 42% in fact.

In reality it means little as it tells us nothing about how many vulnerabilities there are in a fully patched install (could be none, could be millions, if we knew, they'd be fixing them!). That extra one they found this year could be the last (though I doubt it). Stats really are meaningless in this area, unless your aim is to say "We fix things once we know they're broken"

4
0
Silver badge

"We fix things once we know they're broken"

Which is better than "we know it's broken but we can't be arsed", as seen from time to time...

5
0

This post has been deleted by a moderator

This post has been deleted by a moderator

Re: "We fix things once we know they're broken"

Eadon, you talk rubbish.... http://www.theregister.co.uk/2011/02/16/ms_silent_security_fix_rationale/

3
1
Bronze badge

Re: "We fix things once we know they're broken"

Agreed

[cough] Apple [cough]

Sorry, I had better get that seen to.

2
1
Anonymous Coward

Re: Security FAIL

I guess you haven't looked at the figures for Linux distributions then. They have a far worse security record than Windows and the gap is growing. This is why you are much more likely to be hacked / compromised if you run Linux servers compared to Windows ones: http://www.zone-h.org/news/id/4737

0
3
Facepalm

Re: Security FAIL

Windoze is probably no more or no less secure than any other OS.

The security bug in windoze is that it is a homogeneous mess where a bug in any component exposes the whole system. LookOut can be used to preview attachments, which means that LookOut must have access to the Word, Excel, Visio and Adobe code/dlls and $DEITY knows what else.

Why? Are Mickeysoft looking for ways to create security vulnerabilities?

0
1
Bronze badge
Mushroom

Critical Vulnerabilities went up from 34 to 35. Versus the vast growth in functionality and number of code lines in Microsoft products, that's an obvious improvement. And an order of magnitude better than Linux or OS-X.

1
3
Anonymous Coward

Re: Security FAIL

Windows might be targeted by viruses (because it has a market share above 1% on the desktop), but Linux is several times more vulnerable to remote exploits than Windows. Just look at any internet hacking / defacement statistics... This is due to the much higher vulnerability counts for Linux, and the much higher number of days at risk...

1
2
Anonymous Coward

Re: Security FAIL

Erm - but Linux is the 'homogeneous mess' with a monolithic kernel. Windows has a much more modern hybrid microkernel architecture....

1
2
Bronze badge

Re: All of those down votes!

Cue the fanboys. They can't stand the attention their O/S God gets. And, not the kind of attention they would want.

WRT his premise, my employer recognized that one years ago, and got off the rotten and worm ridden WindblowZE platform years ago. For exactly those reasons. While that decision predates me, I have had the rationale explained. The IT department was wasting too much of its time putting out fires[1]; expending resources for no improvement in productivity. IT was spinning its wheels dealing with stupid lusers who don't get it. The worst part of that was that some of the stupid lusers were managers damagers who should have known better.

So, WindblowZE and those lusers are both gone, IT is able to get shit done, and we do not have to worry about what web site some luser may surf to, as it is harder to infect, and corrupt a Linux box.

[1] Means having to suddenly drop what you are doing, and immediately tend to someone's PC that is fucked up with malware; the urgency, exacerbated by the loftier position the luser has on the corporate totem pole. Finally, it came down to something the owner/CEO can easily understand: dollar$ and cents (out of her pocket).

1
2
Silver badge

Re: Security FAIL

@AC 10:54

Hello RICHTO

0
0
Silver badge

Re: Security FAIL

"Conversely, the reason NT is not a microkernel system is because most of the system components run in the same address space as the kernel,"

In any case "modern" != "better"

0
0
Silver badge

@AC Re: Security FAIL

guess you haven't looked at the figures for Linux distributions then. They have a far worse security record than Windows and the gap is growing.

In a thread where we're observing that vulnerability figures are useless, you decide to point to figures as evidence that one OS is less secure?

Just a wild stab in the dark here, but given that Windows is closed source, wouldn't it be entirely possible for MS to ignore 99% of vulns (so long as the public don't know) giving them some nice low vuln counts. Not saying that's what's happened, but it's another example of why you need to look at more than a vulnerability count.

As far as site defacements go, how many sites are hosted on Windows servers and how many on *nix servers? The stats would suggest the latter is far ahead, so there's always going to be more defacements (which is strangely similar to an argument trotted out by fanboys about how Windows isn't really insecure).

Anyway, only replying as my fingers are freezing and I need to warm them up before doing any proper work!

0
0
Bronze badge

@AC, defacements etc

How many vulnerabilities were exploited in all of these defacements and hackings, like in the Stuxnet's case?

The number of vulns reported by Linux distros comprises much more code than MS Windows could ever produce, since it includes many more tens of GBs of software. And we're talking about real GBs (unlike Win8 RT 12GB + office). Not many of the vulns are of a severe nature, BTW.

You can deface or hack a server/desktop in many ways without vulnerabilities:

1) SQL injection

2) cracking a weak ssh password (a blunder root allowed to login / ssh keys should have been used etc)

3) DNS hijacking

4) DDOS-ing by overwhelming the capacity of the server

5) poor CGI/PHP practices

0
0
Anonymous Coward

Re: Security FAIL

"As I say, Windows is the most insecure OS out there. Is it sane to bet your company's data (or customer's data) on an operating system that is vulnerable to viruses? (And remote exploits)."

Companies do. I have worked on distributed systems that process multiple billions of $'s, £'s etc. of trades and swaps daily. Guess what? Delivered to Windows Server with clustered SQL Server behind it.

If you cut me in for a percentage, I'll provide you with contact details so you can go and make the case for the switch ;)

Big business could do better and move to say OpenBSD. It's arguably proven itself to be more secure than Linux. (Cue downvoters who can't see past Linux).

0
0

This post has been deleted by its author

Anonymous Coward

Re: @AC, defacements etc

"How many vulnerabilities were exploited in all of these defacements and hackings, like in the Stuxnet's case?... The number of vulns reported by Linux distros comprise much more code than MS Windows..."

In my experience, systems that suffer major issues are not confined to any one platform. The common factor, again in my experience only, is the Ops team running the network.

All the debate about Windows Server and Linux is trivial. If you have a shit ops team then you are going to have problems, whether Windows, Linux, BSD or whatever.

0
0

is there ever going to be a service pack 2 for windows 7? With clean installs this is getting very silly

6
0
Anonymous Coward

Not planned at this time

...from what I hear. I imagine at some point the corporates - who seem to be skipping Win8 for the most part - will bitch and moan enough to get one.

Or not... I don't think Microsoft wants 7 to be the next XP. IIRC, a Service Pack release restarts the support lifespan clock.

0
0
Unhappy

One word answer?

No.

0
0
N2
Meh

SP2 for W7?

I think they called it Windows 8.

0
2
Bronze badge

Re: Not planned at this time @AC

Microsoft support policy for service packs:

"Support ends 24 months after the next service pack releases or at the end of the product's support lifecycle, whichever comes first."

Windows 7 is supported until 2020, which is about 2 years less than XP support. The original mainstream support for XP was until 2006 but that was extended to 2009 because Vista was late to the party and the reasoning was that companies would - quite reasonably - wait for SP1, and the XP support should overlap until that SP1.

0
0
Anonymous Coward

Just slipstream the patches into your Windows 7 build: http://dfarq.homeip.net/2011/09/how-to-slipstream-ie9-and-hotfixes-into-windows-7-step-by-step/

0
0
Thumb Up

wsusoffline

Is also well worth checking out. (for those without the luxury of a wipe and reinstall from an image)

0
0
Silver badge
Windows

Which Word?

Would that be Word 2010 or Word 2012 ?

I know the latest Office isn't available through public channels yet but it is already out there, so I wouldn't be surprised to see such patches pop up as well.

0
0
Silver badge
FAIL

And they said they re-wrote Office from the ground up for RT

Yet there are oddly similar patches coming out for Office x86 and Office RT.

I'm pretty sure there's Program Manager buried somewhere in Win RT. When will the source code reach critical mass? (When the Visual Sourcesafe database corrupts of course.)

2
0
Silver badge
Meh

Re: And they said they re-wrote Office from the ground up for RT

MS use Team Foundation Server.

But hey, it was more imaginative than Eadon's FUD. Well done.

4
3
Anonymous Coward

Re: And they said they re-wrote Office from the ground up for RT

Probably not, Program Manager bought it with the upgrade to Windows XP SP2.

And just to go a bit off topic, grouping your different types of program into groups (with the same program being available in multiple groups if you wanted) was actually a pretty nice way of working. Certainly nicer than the daft 'everything on the one desktop' model they adopted with Windows 95 - in fact it was revived by some of the custom ROMs for Windows Mobile 5 (and then copied by Android) doing exactly that with its home pages idea.

1
1
Anonymous Coward

Re: And they said they re-wrote Office from the ground up for RT

As I've said before here: Writing something from scratch, based on specification documents, can mean that you end up with the same bugs in pre-rewrite and post-rewrite versions of the code, because the specification was where the problem originated.

I speak as someone who specifies software for a living - I research systems and then specify how I want the software my company makes to interact with that software that we interact with. We work on software that runs on Windows, Linux and UNIXes and quite often see the same problems on all OSes, when the problem is my specification.

1
0

Re: And they said they re-wrote Office from the ground up for RT

Microsoft really need an electrician to check that floating ground of theirs.

1
0
Silver badge

Re: And they said they re-wrote Office from the ground up for RT

I obviously do recognise that they haven't re-written everything from the ground up. I do wish they'd stop the marketing nonsense. If I were president of the world they'd be banned from selling just for claiming that.

0
0
Windows

Yay! The initiative is working!

Boo! Still far too many findings!

0
0