Feeds

back to article Microsoft preps UPDATE EVERYTHING patch batch

Microsoft plans to deliver seven bulletins next week, four critical, and three important, as part of the March edition of its regular Patch Tuesday update cycle. The most troublesome of the critical vulnerabilities carries a remote code execution risk and affects every version of Windows - from XP SP3 up to Windows 8 and Windows …

COMMENTS

This topic is closed for new posts.

Page:

Anonymous Coward

Silverlight

"Silverlight is widely used as an alternative to Flash"

<BOGGLE>

28
0
Happy

Re: Silverlight

Actually I thought referring to SharePoint as "enterprise server software" was even funnier

10
0
Bronze badge
Stop

Re: Silverlight

Sadly that might be true given that both Netflix and Lovefilm use it to stream their stuff in.

Upshot why you can't use 'em under Linux or a Linux XBMC install...

0
1
Gold badge

Re: Silverlight

widely

That's actually a novel way to spell "nowhere". Must be a Microsoft spell checker.

4
2
Meh

Re: Silverlight

Weird. My television is a Panasonic, and runs Linux. Well, a Linux kernel. One of the applets is Netflix.

Don't know if Panasonic made something specially for it - or if Netflix can use something else...

1
0
Bronze badge

Re: Silverlight

Well when I said Linux I was speaking about Desktop / HTPC (Desktop) Linux, and not embedded Linux which is likely some encrypted closed source binary package that wouldn't work outside of that environment.

Or maybe Netflix are making good on their promise to fully go HTML5. In any case I'm not aware of any proper Linux being able to run Netflix. 'cause if it did, and were only like 6.00€ a Month for their "all ya can eat" deal. I so would ditch my Cable Operator in a snap!

0
0

Silverlight

"Silverlight is widely used as an alternative to Flash"

Not really:

http://w3techs.com/technologies/details/cp-silverlight/all/all

R

9
0
Silver badge

Re: Silverlight

Even Microsoft no longer encourages its use. It is now pretty much limited to providing the DRM for streaming services.

4
0
Anonymous Coward

"Latest turn of the Hamster Wheel of Pain" - patching Microsoft stuff is at worst very simple, at best fully automatic, and is virtually always issue free and well tested.

Shame the open source world doesn't work like that, but is a mishmash of dependency issues and not fully regression tested patches released on a random schedule. Not a good foundation for anything mission critical or enterprise targeted.

10
28

This post has been deleted by a moderator

Re: FUD

Yep - I'm responsible for patch management of (currently) 216 Windows servers, about 1/3 of them live production systems - mostly IIS hosting line-of-business financial websites.

I spend 3 or 4 hours a month doing due-diligence checks, but the automation runs fine, the resultant downtime is zero, and the servers are secure, last signifficant patching-related security compromise was 7 or 8 years ago.

Wish the other aspects of my job were as "painful" as that.

8
0
Silver badge

Re: FUD

@CreosoteChris

I think you missed the point - the FUD was directed at opensource update mechanisms.

7
1
Anonymous Coward

Re: FUD

I use updates systems from MS, Red Hat and Debian. They all have their advantages and disadvantages, all three of them have gone wrong at some point.

If you claim to have never had a problem with any update on FOSS, I seriously question your FOSS credentials, in the same way that I'd seriously question the Windows credentials of someone who claimed to have not had a problem with MS updates.

Painting Windows=Bad and Linux=Good (assuming you've chosen the correct distro, natch) is grossly simplistic.

14
1

Re: FUD

@Eadon

Last year some time I tried to update Ubuntu but as they didn't have time to fix a major OS bug (that was known prior to release) with a popular graphics card before the code freeze it locked up mid install and rendered my system unbootable. I never reinstalled, I was only installing it to give it a spin to see what it was like these days. Now I use Windows & BSD, the former handles Binary updates well and it seems the latter can compile from source smoother than Ubuntu handles binary updates.

I seem to recall mentioning this before on El Reg in the past and it didn't go down well. But yeah, I have good reason to have uncertainly, fear and doubt over the update processes of Linux distros.

7
6

This post has been deleted by a moderator

Silver badge
Unhappy

@Eadon Re: "I use Linux Mint and before that various distros"

Dear heaven Eadon you are at it again. I am forced to use the words that Oliver Cromwell used when writing to a particularly intransigent group of Scottish Presbyterians "I beseech you, in the bowels of Christ, think it possible that you may be mistaken".

9
1
Bronze badge
Linux

@Eadon Re: FUD

Well, I suppose that RedHat were using Windows when this breach occurred?

http://www.theregister.co.uk/2008/08/22/red_hat_systems_hacked/

2
1
Bronze badge

Updates for Linux work IF they have not changed the kernel API/ABI or libraries. So for Long Term Stable versions for 3-5 years after the version came out. IF the stuff you need is in the matching/approved repository. If not the old Twilight:2000 broadcast applies: "Good luck, you are on your own"

Not that repositories or any other auto-update from a non-controlled source is useable in a company environment. Patching systems without prior checks is acceptable on a privat box assuming system and data are separated. Worst case you loose your weekend re-setting the computer. A sane company will test and than use a local "repository" to push the patches. WSUS or it's surely existing FOSS equivalent(1) will do the job then.

(1) That, as Eadon or Old Warhorse will tell us is FAAR better anyway

1
2
Anonymous Coward

Re: FUD

OSX had no viruses or malware until it became more popular. The fact is Linux on the desktop is a minuscule target. I could install BeOS and claim that it was superior because there is no viruses for it.

There are always holes being patched in all manner of open source software.

1
3
Silver badge

Re: FUD @Eadon

Because Desktop Linux is a teeny tiny percentage of the PC user base.

There's an easy answer for you.

2
4
Bronze badge

@eadon

Still at your task of trashing what you claim to love I see. If Arctic Fox can get literary then permit me also: "Yet each man kills the thing he loves / By each let this be heard / Some do it with a bitter look / Some with a flattering word"

Assuming it is the one you love - you *still* haven't answered my question so for the fourth time, and please forgive me if I missed your answer...

Eadon, what is your relationship with Microsoft, or any third intermediate party between you and Microsoft?

0
0
Bronze badge
Flame

Fail

Nonsense. The open source world *does* work like that:

Debian (like): apt-get update; apt-get [upgrade | dist-upgrade]

Red Hat (like): yum update

And I am pretty sure that there are GUI applications that would do the same.

And you only have to reboot if the kernel is updated, and then only to use the new kernel - the old one usually works fine until reboot at a convenient time.

Windows, on the other hand almost always requires at least one reboot. I recall a time when a Windows XP bearing laptop I was patching required three consecutive applications of patches, each followed by a reboot, to be brought up to date. While that admittedly had not been updated in a while, in the same circumstance a Debian Linux installation would have been brought up to date with one update cycle and one reboot. And the patch set will have been reasonably tested and thoroughly integrated (assuming the update is from the "stable" target). I am less familiar with Red Hat or SuSE, but suspect they are much the same.

6
1
Anonymous Coward

Re: Fail @tom dial

And you only have to reboot if the kernel is updated, and then only to use the new kernel - the old one usually works fine until reboot at a convenient time.

Wrong: Updates to (at least) hal, glibc, dbus and xen require reboots.

Also - updates to Windows usually work in similar manner you describe - after updates you can postpone the reboot until a convenient time.

While that admittedly had not been updated in a while, in the same circumstance a Debian Linux installation would have been brought up to date with one update cycle and one reboot.

I cannot speak for Debian but updating a couple of years old supported distro doesn't certainly mean that it will be up to date. With RHEL or Centos, Firefox/Libreoffice etc. won't update to latest versions and you manually need to update them because repos haven't been refreshed.

1
4
Bronze badge

AC @11:47

Stop licking the garage floor!

0
0
Bronze badge

@AC

Wrong: Updates to (at least) hal, glibc, dbus and xen require reboots.

You seem to be in the wrong here. If the xen touches the kernel it does require a reboot (unless there ksplice is not used). As far as glibc (hal and dbus) is concerned it very rarely does. When that happens all necessary services are restarted by the updater (apt in my case). When you do absolutely need to reboot the whole machine it prompts for this (creates a file /var/run/reboot_required (again, speaking for a Debian based system)

My own server/desktop example:

Thu, Feb 28 2013 09:46:36 -0600

------------------------------------------------

[UPGRADE] libdbus-glib-1-2 0.84-1ubuntu0.2 -> 0.84-1ubuntu0.3

uptime:

3:22:35 up 37 days, 21:45

============================

Also - updates to Windows usually work in similar manner you describe - after updates you can postpone the reboot until a convenient time

Never had to reboot my desktop after updating firefox/chromium/konqueror/epiphany even lynx and libreoffice, gnumeric ;-) However Microsoft says this:

Bulletin 1 Critical,Remote Code Execution: Microsoft Windows, Internet Explorer --> Requires restart. The other one bull.3 for Office "may require restart".

3
0
Anonymous Coward

Re: FUD

"please explain to me why you virtually never see remote exploits or viruses in Linux systems" - You What?! Do you live under a rock? Virtually all of the many exploits in Linux are remote. This is why it is by far the most hacked server OS - http://www.zone-h.org/news/id/4737

It doesn't have viruses because pretty much no one uses it on the desktop to there is little opportunity for interaction based infections. It has however had a number of worms.

0
5
Silver badge

Re: FUD

@AC 10.19

Your OWN link doesn't mention remote exploits at all !

It only mentions local exploits and remote password guessing/bruteforcing

2
1
Silver badge
WTF?

Silverlight is widely used as an alternative to Flash

Really? I knew of only one site that uses Silverlight prior to this article and now I know of two.

I block Silverlight installs on all but one of my PCs (which is used for watching the one site I knew of) and have never noticed it was missing.

3
1
Anonymous Coward

Re: Silverlight is widely used as an alternative to Flash @Irongut

"Really? I knew of only one site that uses Silverlight prior to this article and now I know of two."

Doesn't mean much really, does it? A lot of people could say they couldn't name 2 amino acids.

4
2
Silver badge

Re: Silverlight is widely used as an alternative to Flash @Irongut

"A lot of people could say they couldn't name 2 amino acids."

That's a very strange way of stating the bl**ding obvious. Most people can't know most things, given the size & complexity of the universe .

Now I can name all the amino acids and indeed some rather rare variants - but I don't know many sites that use Silverlight

2
0
Anonymous Coward

Re: Silverlight is widely used as an alternative to Flash @Chemist

Sigh.

"Most people can't know most things, given the size & complexity of the universe ."

Yup, that is indeed the point. Just because one person hasn't seen something doesn't mean it's not widespread, so Irongut's comment is pretty pointless. Other than the old feeble "It's from a company i don't like so I'll try to play it down" attack. Of course you've used the same argument yourself, so I can see why you'd defend it.

"Now I can name all the amino acids and indeed some rather rare variants - but I don't know many sites that use Silverlight"

So from what I've seen so far (responded to this before looking for any later responses,) a sample of one. Who calls himself a chemist. Even if 100 Reg readers can name 2, or 20, so what? As I see it my point still stands.

2
2
Silver badge

Re: Silverlight is widely used as an alternative to Flash @Irongut

I'm going to go for arginine and proline. Or possibly gamma-amino-butyrate, but you probably meant alpha-amino acids, didn't you?

0
1
Silver badge

Re: Silverlight is widely used as an alternative to Flash @Irongut

"I'm going to go for arginine and proline."

Don't know who your post was directed to. If it was me and you're suggesting that arginine and proline are rare then think again. Arginine is very common, being one of those amino acids found on the surface of proteins and is also the source of the vasodilator nitric oxide that we all depend on, proline is also common especially in collagen where it is post-translationally modified to hydroxy-proline and seems necessary to generate the triple helix form of collagen.

On the other hand if you didn't mean me have a good weekend.

0
1
Stop

Silverlight

My company use Silverlight in a number of their products, I'm certain that V5 isn't supported yet with only support for unpatched V4. It'd be fun if our customers decided that this was a threat and uninstalled it from their PCs!

1
0

This post has been deleted by a moderator

Silver badge
FAIL

Re: Counting security holes is not a good guide - windows has HUGE HOLES

"This is one of the main reasons I use Linux "

Yawn,

Yer right El Reg - charge the fuckers!

2
6
Silver badge
Go

Re: Counting security holes is not a good guide - windows has HUGE HOLES

Gotta love linux users that think their boxes are unhackable :)

11
6
Bronze badge

Re: "Linux avoids the need for AV"

Isn't "security through obscurity" eventually going to run out?

1
9
Anonymous Coward

Re: "Linux avoids the need for AV" @Lamont Cranston

To be honest I wouldn't call it security through obscurity. Though given how awesomely impenetrable Linux is, I have to wonder whether crims who want something really badly are going to start kidnappping the families of people running Linux systems rather than faffing about with hacking. Reductio ad absurdum at the moment, but it's a thought. :>

2
1
Anonymous Coward

Re: Counting security holes is not a good guide - windows has HUGE HOLES

"Also Linux avoids the need for AV"

Linux, as a desktop operating system, hasn't attracted the attention of malware writers much; but it's cousin, Android, certainly has.

Comparing linux' A/V requirements with Windows' is like comparing a ballet dancer's requirement for body armour with a soldiers.

4
6

This post has been deleted by a moderator

This post has been deleted by a moderator

This post has been deleted by a moderator

Bronze badge
Joke

Re: Counting security holes is not a good guide - windows has HUGE HOLES

..."I repeat, I am not saying Linux is perfect"...

I had to read that statement three times to believe it was coming from Eadon.

4
0
Anonymous Coward

Re: Counting security holes is not a good guide - windows has HUGE HOLES

Two fucking down-votes?! I don't believe it!!! Eadon must have a friend somewhere!

1
4
Silver badge

Re: Counting security holes is not a good guide - windows has HUGE HOLES

Eadon must have a friend somewhere!

I find this unlikely.

5
5
Bronze badge

Re: "Linux avoids the need for AV" @Lamont Cranston

@Eadon

I'm thinking that open source makes it easier than ever to find the security holes - am I wrong (I'm not a programmer, hacker, nor a security researcher, so I honestly don't know)?

TBH, I was thinking more of the potential rewards that motivate virus writing - if you're after credit card details, surely you'll have more luck putting keyloggers on Win/OSX machines, due to their higher user numbers (and those users being on average less tech savvy)?

1
1
Bronze badge

Re: Counting security holes is not a good guide - windows has HUGE HOLES

Unix (and Linux is just Unix slow brother) is so much more secure that the original work (On Virii and Worms) was done on a Unix box. And the first real viri/worms - Attacked Unix boxes...

Open source is so well checked that Cyanogen had tracking code delivered that was plainly "malware". And there was a nice problem with IIRC the SSH implementation of Linux. Not to mention cute holes in Linux-based routers last year.

Windows has OOB a security level as high as a modern UNIX and higher than the classic pre-ACL variants. Users operation as "admin" are NOT a fault of the OS - you can do that on a Unix just as well. So the code on Windows can no more (or less) self-replicate.

As for the "three letter organisation" backdoors - ja, they exist. A friend of a friend of my old commander from my Bundeswehr days (I was working in S2 branch) is rumored to be working for the MAD and he told me someone told him they can read my mails. Guess that explains the KreisSparKasse-Wennies outside - should not have send the T2K "play by email" messages to my old comrads from the Jägers

2
6
Gold badge

Re: Counting security holes is not a good guide - windows has HUGE HOLES

"Windows is intrinsically vulnerable to viruses, whereas on Linux code cannot self-replicate."

Crap. It's probably *easier* to self-replicate on Linux because almost every distro includes a full compiler suite. You may be thinking of the RWX access bits, but if you can't hack your way around that then you are beneath contempt. Anything an end-user can do, malware running with that end-user's privileges can do.

Of course, Linux applications tend not to auto-execute scripts they've just pulled off the web, but that's not an *intrinsic* vulnerability of the OS and you can easily avoid the same problem on Windows by (gasp) not running the shitware.

"Windows has a huge attack surface area, with massive and complex API's - many of which are unofficial."

You can't call an API until you are in, and then only at the privilege level you have got into. Attack surface area depends on the number of services that are offered from one level (kernel or user) to a lower level (user or net-facing). These forums are crawling with Windows admins who can tell you how to lock down a Windows server so that its attack surface is zero and even Microsoft eventually got it into their heads that most services should be off by default.

Not for the first time, I'm reminded that the annual "can you crack this" contests (November?) no longer bother with their "Can you crack the bare OS?" contest because no-one could. (A slight exaggeration, but basically the number of holes in the bare OS at any given time was either zero or one, depending on whether there was a zero-day known at the time of the contest.) I'm afraid that if you want holes then you need to run some dodgy apps.

"Windows code is less modular than Linux code, with more inter-dependencies between, say, the kernel and the GUI levels and even browser (IE) levels."

Ah, the old "IE is part of the kernel" shit again. Look Eadon, Microsoft may have sworn blind to a judge on all their mothers' graves that this was true, but it never was.

"Windows code is closed source and there is a greater reliance on security by obscurity."

Given that nearly every major government has the source code for Windows *legitimately*, large parts of it are available to squillions of MVPs whose only qualification is that they lurk on the web and do lots of Microsoft's technical support for free, and the rest is available to anyone willing to point a debugger at the code on their own machine, I hardly think you can describe Windows as obscure. Certainly it may be harder for you, personally, to make changes to the official codebase, but there is very little stopping a determined attacker from finding out exactly how it works.

"Also there is the possibility of "back doors" allowing spying by the FBI and even the RIAA."

Again, given that the code is out there in plain view of anyone who wants to reverse engineer it, I find it unlikely that the FBI have planted anything worthy of the name "back door". (That's not to say they don't take full advantage of the unlocked front doors, side windows and missing roof, but hey...)

7
3
Gold badge

Re: Counting security holes is not a good guide - windows has HUGE HOLES

This is one of the main reasons I use Linux - it is more secure, remote vulns are extremely rare for the Linux kernel. Also Linux avoids the need for AV, hence avoiding the perils of the Kaspersky problems that are also in the news (again).

Bzzzzzzzzzzzzt

That was the logic fail bell, Eadon.

Let me ask you a very simple question: if you don't have any anti virus product installed, how do you KNOW that you don't have resident malware? Note: I said KNOW. Evidence based, not the assumption you love spouting "I use Linux so I'll never get infected".

You proclaim to be some sort of scientist, but when it comes to Linux you seem to be more a religious nut.

2
4

Page:

This topic is closed for new posts.