Get up, shake off the hangover: These 57 Microsoft holes won't fix themselves

A bumper Microsoft Patch Tuesday has rolled out 12 security bulletins that collectively address a hefty 57 vulnerabilities. Five of these bulletins reveal critical holes in the software giant's products: one bulletin (MS13-009) covers 13 bugs found in Internet Explorer, while another (MS13-016) tackles a privilege-escalation …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

The web is just one big lump of Swiss Cheese Holes!

0
1
Anonymous Coward

Er, no, the Web is not the problem. Read the article again until you understand.

2
1
Silver badge
Coat

57 Varieties

Life's a minestrone

1
0

Re: 57 Varieties

Mongrel code strikes again. So looking forwards to another night of server patching:-(

1
0
Anonymous Coward

How do we know those holes won't fix themselves? As the BOFH has taught us there are no faults but user error - take away the users and the network works fine.

1
0
Go

Speaking of drive-by download prevention...

...I found this tidbit: a guide to Software Restriction Policies for the noob-to-intermediate Windows (XP/Vista/7/8) Pro user. He goes overboard perhaps, but the idea is sound: Anywhere a non-admin user can save files, deny execute permissions.

I tried doing this with file system permissions on non-pro editions. It's a lot more work than this solution, and some jokers who run ntfsundelete figured out how to modify permissions of a file in Javascript or something.

0
0
Bronze badge

Re: Speaking of drive-by download prevention...

I'm a huge advocate of SRPs and have been for years, they completely prevent entire classes of attacks and do far better than anti virus in preventing infections. You're going about it the wrong way though, deny everything and then just allow program files. That blocks off removable media and network shares as well without having to specify every single path under the sun.

The problem with SRPs is that too few people use them for Microsoft to develop them properly. For instance, if you create a shortcut to a location that's denied and then run the shortcut from an allowed location (such as the desktop) then the program runs. Extremely lazy programming from the coder involved there!

1
0
Thumb Up

Re: Speaking of drive-by download prevention...

I've this on my two home PCs and have done so since XP, but every time I mention this to anyone at work, some of whom see themselves as being some kind of IT-related wunder being, mainly because they run a jailbroken iPhone or run copied games on their Xbox, they look at me like I'm mad. So glad to see it get a mention here, but MS really need to make it more obvious during initial system setup. I'm very pro-Windows, but having your default login as an administrator account and not even hinting to the user the other account options is insane.

2
1
Go

Re: Speaking of drive-by download prevention...

> You're going about it the wrong way though, deny everything and then just allow program files. That blocks off removable media and network shares as well without having to specify every single path under the sun.

Fair enough; this is why the example also sets the SRP policy to affect non-admins only. An admin could still install software from CD or USB devices. The shortcut file type (.lnk) is specified in the default SRP policy and the example instructs you to remove that particular one, or yes, personal shortcuts do stop working.

It's not my example and I want to flesh it out into a comprehensive how-to guide, but tossing it out there should get some brains thinking. I also want to run it against my software library to see what doesn't work, and then replace the broken garbage.

0
0
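
As an added example (not part of any post above, and not the guide the posters refer to), a PowerShell check of the SRP settings discussed in this sub-thread: default-deny level, non-admin scope, and the LNK designated file type. The function names and the sample policy are constructed for illustration; the registry key and value names are the standard SRP policy store.

```powershell
# Added example: audit Software Restriction Policy settings raised in the thread.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Test-SrpPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $findings = @()
    # DefaultLevel: 0 = Disallowed (default deny), 0x40000 = Unrestricted
    if ($Policy.DefaultLevel -ne 0) {
        $findings += 'Default level is not Disallowed: every user-writable path needs its own deny rule.'
    }
    # PolicyScope: 0 = all users, 1 = all users except local administrators
    if ($Policy.PolicyScope -ne 1) {
        $findings += 'Policy also applies to administrators: admin installs from CD/USB are blocked.'
    }
    # TransparentEnabled: 0 = not enforced, 1 = all files except DLLs, 2 = all files
    if (-not $Policy.TransparentEnabled) {
        $findings += 'Enforcement is switched off.'
    }
    # LNK in the designated file types makes shortcuts subject to the path rules
    if ($Policy.ExecutableTypes -contains 'LNK') {
        $findings += 'LNK is a designated file type: personal shortcuts outside allowed paths stop working.'
    }
    # With default deny, an Unrestricted path rule has to cover Program Files
    if ($Policy.DefaultLevel -eq 0 -and -not ($Policy.UnrestrictedPaths -match 'Program ?Files')) {
        $findings += 'Default deny without an allow rule for Program Files: installed software will not run.'
    }
    $findings
}

function Get-SrpPolicy {
    # Reads the live machine policy; throws if no SRP policy is configured.
    $p = Get-ItemProperty -Path $SrpKey -ErrorAction Stop
    # Unrestricted path rules are stored under the 262144 (0x40000) level subkey
    $rules = Get-ChildItem "$SrpKey\262144\Paths" -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
    @{ DefaultLevel = $p.DefaultLevel; PolicyScope = $p.PolicyScope
       TransparentEnabled = $p.TransparentEnabled
       ExecutableTypes = $p.ExecutableTypes; UnrestrictedPaths = @($rules) }
}

# Constructed sample: allow-by-default policy, all users, LNK still designated
$sample = @{ DefaultLevel = 0x40000; PolicyScope = 0; TransparentEnabled = 1
             ExecutableTypes = @('EXE', 'COM', 'BAT', 'LNK', 'MSI'); UnrestrictedPaths = @() }
Test-SrpPolicy -Policy $sample | ForEach-Object { "FINDING: $_" }
# On a machine with SRP configured: Test-SrpPolicy -Policy (Get-SrpPolicy)
```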
Bronze badge
Devil

Same S---, Different Day

Another Patch Tuesday, more unnecessary work for the IT staff, just so some corporate beancounter gets to keep their chosen WindblowZE application. I truly feel for those who toil in shops that are infected with the WindblowZE virus, regardless of the specific strain (XP, Vista(ster), 7, 8; $DEITY forbid 95, 98, ME, NT3.x, NT4.x, 2k, etc.), all of that effort wasted in putting out fires.

Why don't you just get a firehose, and flush that shit down the drain?

</troll alert>

Icon, most appropriate for WindblowZE.

3
12
Bronze badge
Happy

Re: Same S---, Different Day

/me band selects all of the required patches in WSUS, right clicks and selects "Install".

Finished applying patches for the month.

I would wager it took you longer to type your post than it did for most of us to roll the patches out.

5
3
Bronze badge

Re: Same S---, Different Day

Eadon, is that you?

3
2
Silver badge
FAIL

Re:Re: Same S---, Different Day

Do the words 'Test Environment' mean anything to you?

Didn't think so.

0
2
Bronze badge

Re: Re:Same S---, Different Day

Yep. Do the words "WSUS Computer Groups" mean anything to you?

The canary group had the patches yesterday.

1
0
Pint

It is DOUBLE your PLEASURE day

Adobe also released a slew of updates for Air, Flash etc., so in total hundreds of MBs of patches to install.

Time to go to the pub methinks...

0
0
Joke

57 vulnerabilities

That is Heinz's new slogan for their new ketchup made with raw ingredients from a compromised food chain - it has 57 opportunities throughout the production process for horse-meat to find its way in!

Bloody Microsoft nicking other people's ideas again! They'll be putting horses in Windows phones next just to get publicity!

1
1
Anonymous Coward

Re: 57 vulnerabilities

> Bloody Microsoft nicking other people's ideas again! They'll be putting horses in Windows phones next just to get publicity!

They should try that. They might sell better than the current turkeys they're putting out.

5
1
Anonymous Coward

SOS, DD

Just more proof of how insecure Windows O/Ss really are. When tens of thousands of security holes are discovered every year and a few hundred fixed, the odds of all Windoze powered PCs being compromised are very high.

2
5

Flash on MACOSX

Don't forget to remove the 'phone home' crap in Library/LaunchDaemons

and move the Install Manager from Utilities, it's really not worthy of living there!!

0
0
Silver badge
Joke

Updates difficult?

Repeat after me:

# yum update

Now that wasn't too hard. Works for me!

3
2
Bronze badge
Devil

Re: Updates difficult?

Didn't work for me.

Oh, wait I'm running Debian...

0
0

Are you that concerned?

Just curious about others' experiences, but in our organization of about 12,000 machines, all of which are Windows, we have had 0 issues with being hit with malware/viruses since about 2002 (that was Blaster IIRC, date might be off somewhat). We use SCCM to deploy patches now and it's been pretty good from what I can see. Still use WSUS on servers though, which is very good for what we need.

1
0
Silver badge

Re: Are you that concerned?

There is an addendum you missed:

we have had 0 issues with being hit with malware/viruses since about 2002... that you know of.

It's plausible that some are zombies but you haven't spotted them yet - if their traffic patterns aren't too far away from normal and the end user hasn't complained, how would you know?

The average end user won't complain until the computer is "running really slow", so could be devoting an entire CPU core to malware without noticing.

I recall doing a Malwarebytes sweep and finding half of Sales with possibly bad things installed.

(And nobody in technical roles, but that's self-selection for you)

0
2
Stop

There's vigilance, and there's paranoia

And this: "...that you know of..." is paranoia. Lovely technique to sell security products. Not so lovely a technique to do actual security.

Understanding how Windows really works goes a long way to preventing exploits. I've said many times before that there's better security built into modern versions of Windows than any security product you can buy for it. Even a non-security product can prevent malware before so-called security products can; in that case, it was Microsoft Word, which could stop Word macro viruses before anti-virus products could.

Give the fellow credit for doing something pro-active. If you really are trying to sell something, it's better than blasting them for not using the popular security-blanket-of-the-day.

0
0
Silver badge

Re: There's vigilance, and there's paranoia

Sorry, I should clarify.

No matter what you do or how much money you throw at security companies, as long as you have users or are connected to the Internet there will still be ways for malware to get in.

You can't sit on your laurels.

Excellent start, however constant vigilance is still required.

Vigilance, not just A N Other security tool.

0
0
Gold badge

These 57 holes *will* fix themselves, you know.

Home systems will be set up with automatic updates. Corporate systems will be updated when the sysadmin pushes the big switch on the WSUS server. Similar options exist in Linux land.

Anyone out there who is still updating manually is doing it by choice.

0
0

What's the big deal?

It's only 57 security holes. When they patch the remaining 100,000 then that will be newsworthy.

0
0