back to article Black Tuesday patchfest: A lot of digits plug security dykes

Microsoft carried out a fairly comprehensive spring cleaning of vulnerabilities on Tuesday, fixing 20 vulnerabilities with seven bulletins, four of which are rated critical. Heading the critical list is an update for Internet Explorer (MS13-021) that tackles nine vulnerabilities, including a zero-day vulnerability in IE 8. " …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Err...

"Both Mozilla and Google pushed browser updates within hours..."

So, they're either not very well tested and engineered patches, or patches for incredibly simple problems. Or are we actually talking the equivalent of saying "it's patched" when actually there is a patch that's gone into the nightly unstable releases and will take about a month to get into an actual distribution.

0
2
Silver badge
Thumb Down

Re: Err...

It depends on the nature of the exploit as to whether it can fixed quickly or not. Both Chrome and Firefox have extensive automated testing setups so there is no reason why they can't push out patches quickly. For details on what they have patched see the release notes.

1
0

Re: Err...

>So, they're either not very well tested and engineered patches, or patches for incredibly simple problems

Most security flaws are simple problems, implementation errors that can lead to serious problems (off by 1 error).

A few patches need to be well engineered because of a design flaw that cannot be fixed trivially (ActiveX).

Firefox will push a serious release to stable within a day, if whatever f'ed up distribution takes a month that's not their fault. Go back to being abused by Microsoft and Oracles terrible patching schedules and stop trolling here.

3
1
Bronze badge

Re: Err...

Yeah, if you ever get a chance, do try Mozilla Litmus out sometime.

Its actually really easy to use for automated testing, they even include scripts so you can run an entire testing evolution in one command. Plus the more data the QA team has, the faster they can work, every little bit helps the QA team. As does participating in bug triage days and hacking on Aurora and Betas, and hell, some people like nightlies but I don't tend to test them myself. With a full time and very demanding civilian job, and my Army Reserve stuff, I dont have time for the extensive amount of work that working on nightlies entails.

I don't know about Chrome, I don't use it. I honestly use Internet Explorer much more than Chrome (And before the rain of downvotes happens, hear me out, I strongly detest IE. One of the reasons I started volunteering time to Mozilla Quality was because even the sometimes sketchy betas and RCs were better browsers than IE 6, which is what I had. Though IE 10 is pretty good as its blazing fast, at least on Windows 7. It is still definitely not my first choice, but its pretty good. The problems with IE were never really with Trident though, the Trident Engine's actually quite good, it was all the other bullshit like ActiveX and its rather dodgy idea of Microsoft cherry picked standards).

However, my distrust of Microsoft is nothing compared to my distrust of Google and Apple. If I'm going to use WebKit, I use Konqueror, since KHTML is WebKit's daddy. So, given my limited knowledge about Chrome, or WebKit for that matter, I have no idea what Apple's rules in regard to taking on bugs as well as pushing patches to WebKit are (like if anyone besides Apple themselves can do it) or even how Google tests it, since IIRC they have both the Chromium volunteer testing community as well as paid QA Oompa Loompas who work for the Chocolate Factory directly.

0
0
Anonymous Coward

Standard smug response.

Turning off flash = easy: Firefox + NoScript = flash never runs unless you specifically allow it.

4
0
Silver badge
Facepalm

Re: Standard smug response.

And in Opera I have to click on plug-ins to run them. Doesn't that make me clever? However, how am I going to know in advance whether a particular item is compromised or not?

0
0
Silver badge

Win RT updates

I don't have a Win RT device, but am wondering - what's the patch experience like with them?

0
0
Anonymous Coward

Re: Win RT updates

Relativity quick compared to other versions of Windows.

1
0
Bronze badge

Re: Win RT updates

Yeah, Taylor's right at least from what Ive seen.

From what the salesman here in Orlando at the Florida Mall Microsoft Store showed me, its alot like Windows Update meets the Google Play store. Its pretty quick even with bigger files. But most apps in the store are Microsoft First Party which shouldn't be surprising for a 4 month old tablet in a different architecture and OS than most Windows Developers are used to writing for.

RT could be really cool if Microsoft didn't halfass it. As could Windows 8, but they tried form over function and it worked out so far worse than Vista. I just hope Microsoft will show some agility and accede to what the market wants by changing Windows 8 SP 1 into a traditional desktop environment based but touch enabled OS, like a Windows 7 you can fondle if you will, without TIKFAM or Charms or Gestures or any of the crap that reminds me of Unity. And something like that for the RT tablets.

1
0
Silver badge
Stop

Irksome

This is irksome because Flash is a prime target for targeted attacks and asking consumers or corporate users to turn it off, like Java in the browser, isn't easy because the technology is so widely used on the web.

I humbly contend that it is not as irksome as having the machines compromised by an exploit. I, for one, welcome Adobe's frequent release: better patched than gaping. Corporates can usually disable plugins by policy.

3
0
Bronze badge

You know, I hear this alot

This is irksome because Flash is a prime target for targeted attacks and asking consumers or corporate users to turn it off, like Java in the browser, isn't easy because the technology is so widely used on the web.

Aside from one applet my credit union uses to deposit checks electronically, I honestly haven't seen anything else thats wanted me to use Java in quite awhile, excluding the Army intranet called Army Knowledge Online, and the Defense Department's Defense Knowledge Online. As well as some other stuff like AKO webmail,

I keep it deactivated unless I need to scan a check or have to get on AKO/DKO's unsecured network, or any of the Unclassified or Confidential networks handling privacy act, personnel, pay, dependent, medical, and some other FOUO areas to check my official mail and do administrative work. And when I'm done with whatever requires it, I clear the Java temp files, delete my browser cache and cookies and then Java goes right back off. Its just too unstable at the moment to leave on all the time.

Flash is a bit harder, but I only ever use it for YouTube anyway, and most of the time YouTube's in HTML 5 for me, so I dont even notice. Its only on stupid videos with commercials before them that you have to use flash from what Ive noticed anyway, so most of the time I keep it turned off, but constantly updated so when I have to turn it on, I know Im as protected as I'm going to get.

0
0
This topic is closed for new posts.

Forums