Who's riddling Windows PCs with gaping holes? It's your crApps

Nearly nine out of ten security vulnerabilities in Windows computers last year were the fault of popular third-party applications, as opposed to Microsoft's own software. That's according to security biz Secunia, which analysed flaws found in the most-used 50 Windows programs - 29 from Microsoft (including its operating system …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

Delete Java

It has no business being installed on a client PC, its home is a server.

Java UIs are as ugly as sin, buggy in general (never mind security exploits) and platform specific, bloated monstrosities. The only place to have Java is off on a server somewhere doing heavy lifting for business processing. And even then, there's good argument to not use it as there are other, much more flexible and scalable options.

8
16
Anonymous Coward

Re: Delete Java

Yet another, well I don't need it idiot...

Ok I'll listen to you and delete Java,

Then put my feet up as I can't do a huge chunk of my job. I'll tell the directors that our multi-million pound contracts can't be supported, but it's ok as I've been told I don't need it.

21
6

Re: Delete Java

Maybe change that to "If at all possible delete that sh$t" I've not had it installed for years and have never missed it, unfortunately it is still required in places.

4
0
Anonymous Coward

Re: Delete Java

You could port it to .Net and ditch all of those security and performance headaches...

2
9
Anonymous Coward

Re: Use .Net

>> ditch all of those security and performance headaches.. <<

and get some new ones....

11
1
Anonymous Coward

Re: Use .Net

"and get some new ones...."

But far fewer of them.

1
6
Silver badge
Thumb Down

Re: Delete Java

"Then put my feet up as I cant do a huge chunk of my job. I'll tell the directors that our multi-million pound contracts can't be supported,"

If your directors had a brain they wouldn't have any large scale projects written in java in the first place. It's a bloated memory hog and it's only promoted by 2nd division developers who find C++ too difficult.

2
16

Re: Use .Net

Or maybe some of us just want to finish a project before Jesus returns. See, the reason companies choose C# or Java over C++ is that by the time you've finished arguing over the right memory-management policy, we've already prototyped most of the project and are relaxing at the pub. It's a question of productivity.

5
3
Silver badge
WTF?

Re: Use .Net

". See, the reason companies choose C# or Java over C++ is that by the time you've finished arguing over the right memory-management policy, we've already prototyped"

Ah, the old memory management meme. If you knew anything about C++ you'd know that these days you hardly need to do manual memory management at all if you don't want to if for example you use the STL, Boost or even just plain old stack based automatics for your object creation and destruction. And when you do use a pointer manually it's usually to do something faster and quicker than Java can manage.

6
3
Bronze badge

Re: ditch all of those security and performance headaches

What security/performance issues? Only java security issues are in applets, a legacy technology that should be avoided where economically possible. If you experience performance issues that is nothing to do with java but the developers.

3
0
Silver badge

Re: 2nd division developers who find C++ too difficult.

And C++ is just for third rate engineers who can't do assembler properly.

Choose the right language for the job. C++ is good for some things but if you need your app to be device independent then something that runs on a virtual machine makes much more sense. No language is the best for every job. A first rate engineer would know that....

6
3

Re: Delete Java

And these second division developers will write their Java code quicker and with less bug than you will with your C++ :-)

1
0
Bronze badge
Happy

Re: Delete Java

In the computers I'm responsible for all problems including infections were traced to Java.

Last November we uninstalled Java on all laptops except those doing Android programming, and on those Java was disabled in all browsers. My God, I haven't had one problem since.

0
0
Anonymous Coward

Re: Delete Java

And the other vulnerabilities? If you look at 'Vulnerabilities in the 50 most used programs (including Windows)', Java is in fifth place. Here's the top 10:

291 - Google Chrome

257 - Mozilla Firefox

243 - Apple iTunes

67 - Adobe Flash Player

66 - Oracle Java JRE SE

56 - Adobe Air

50 - Microsoft Windows 7

43 - Adobe Reader

41 - Microsoft Internet Explorer

29 - Apple Quicktime

4
0
Silver badge
Headmaster

Re: 2nd division developers who find C++ too difficult.

"And C++ is just for third rate engineers who can't do assembler properly."

Actually modern x86 assembler is virtually impossible for a human to use properly, not only because there are so MANY instructions now, but because you'll constantly have to be second guessing the pipelining and caching. Leave it to a compiler.

"Choose the right language for the job. C++ is good for some things but if you need your app to be device independent then something that runs on a virtual machine makes much more sense. "

C++ with high enough level libraries is portable between systems. And yes, java is device independent, but it's not JVM version independent so it simply exchanges one set of portability problems for another.

1
0
Anonymous Coward

Re: Delete Java

I don't know how you can blame user space programs such as Adobe Reader for generating security vulnerabilities in the OS. The OS should be secure enough to not be hijacked by Adobe Reader or a third party app going via Adobe Reader.

4
1
Anonymous Coward

Re: Delete Java

Unless you're a Java developer or want to play Minecraft or you need it for your online banking.

0
0
Anonymous Coward

Re: Use .Net

More likely they get patched quicker as Microsoft is on the ball, Oracle don't give a toss.

0
1
WTF?

Re: The OS should be secure enough

"...to not be hijacked by Adobe Reader or a third party app going via Adobe Reader."

Yeah, right, because application vulnerabilities are no problem on other operating systems like Linux or OS X. Oh wait, they are.

I guess that all operating systems are fails then.

1
4
Silver badge
Happy

Use the right language

The Tao gave birth to machine language. Machine language gave birth to the assembler.

The assembler gave birth to the compiler. Now there are ten thousand languages.

Each language has its purpose, however humble. Each language expresses the Yin and Yang of software. Each language has its place within the Tao.

But do not program in COBOL if you can avoid it.

- The Tao of Programming

1
0
FAIL

Re: Delete Java

And while you're at it delete everything. Everything is bollocks. The only thing left for you to do might be to go dance naked on the M1.

0
0
Anonymous Coward

Paging Mr Eadon

Soooo, anything to say? Mmm? We're listening...

5
1
Anonymous Coward

Re: Paging Mr Eadon

On previous form, I'd imagine that what he'll say will be along the lines of:

"Of course, if M$ had written the underlying operating system properly in the first place, these apps wouldn't be able to create a security vulnerability..."

Then there would be an extended rant about how terrible Microsoft are, he'll probably say that educating children about a user interface he doesn't like (the ribbon) is actually child abuse. Then there will be an obligatory caps lock accusation of "fail".

8
2
Gold badge
Meh

Re: Paging Mr Eadon

I doubt you'll get a response.

He's probably in a coma from the total brain meltdown caused by finding out that his beloved MS swiss cheese security is mostly everyone else's swiss cheese security.

Either that or the first case of spontaneous human explosion has just occurred under a rock somewhere.

3
2
Silver badge
Unhappy

Re: Paging Mr Eadon

"Of course, if M$ had written the underlying operating system properly in the first place, these apps wouldn't be able to create a security vulnerability..."

Damn I was just about to write that too.

3
0
Bronze badge
Paris Hilton

Re: Paging Mr Eadon

I am not a betting man, but I would lay a fiver on at least one of those AC posts above being from our much tolerated Eadon.

0
0
Bronze badge

Re: Paging Mr Eadon

Nah, Eadon doesn't post under AC - or so he claims...

0
0
Bronze badge

Re: Paging Mr Eadon

"...Nah, Eadon doesn't post under AC - or so he claims..."

lolololol

It's either that or his "second" account then ;)

0
0
Bronze badge
Linux

Let me try...

The Danish biz added that sysadmins must not forget to roll out updates for all installed code rather than just Microsoft's and the few "usual suspects from other vendors".

Sorry... got confused about the point? Doesn't it happen all at once? Your update manager pops up, you click on the button, enter your password and every single piece of software that has an update ready is updated (you could also choose to defer an update for any individual item there). Oops... my bad... I thought they were talking about GNU/Linux systems. No 3rd party software, everything is #1.

1
1
Anonymous Coward

Re: Let me try...

Well, I did a "yum update" on my netbackup master server and some of our DB2 and Oracle database servers the other day and none of the commercial software was updated, so I'm going to go with: No, it doesn't happen all at once, if you work in the real world.

We also have problems that we need to keep certain versions of certain bits of software we use at a fixed level, doing a "yum update" (from an Internet hosted repo) would actually take out some key servers due to updates breaking some features we use. Again: In the real world it turns out to be more complicated than updating everything at the same time.

Linux is great, patching from repos is great, but it's not a panacea, you get some control running your repo locally, but it's not as easy as all that. Likewise, if I set up an MS WSUS server I can update everything from a single operation, assuming I've put all the updates that I want onto the WSUS server.

1
1
Bronze badge

Re: Let me try...

You're trying to be a pessimist and an optimist in the same bottle, I see, hence an AC mask.

..DB2 and Oracle database servers the other day and none of the commercial software was updated

Wow, what a surprise? Maybe you should be using something like PostgreSQL, MariaDB or similar. Proprietary stuff is a pain in the arse. At the same time, some GNU/Linux distros provide important (or so they say) updates for binary-only proprietary stuff, like flashplayer.

if I setup an MS WSUS...

So, you yourself have to set this up first (manually, right?) how convenient. And every Windows user is so delighted to do just that... or not.

Anyways, you stay with MS and Windows, I'd rather not, thanks.

1
0
Anonymous Coward

Re: Let me try...

No, what I'm saying is that Linux has a great update model, but it has some significant problems. Primary would be the lockstepping of installed software to the version of the other packages installed, unless you go to great hassle to make it not so.

Suggesting that running PostgreSQL or MariaDB suggests that you don't really know much about databases, even if we could just change from Oracle or DB2 to FOSS databases most of them - good as they are - just aren't up to the standards of the big commercial databases. I notice that you can't cite a FOSS backup server.

You obviously don't really know what a WSUS server is, otherwise you would realise that your comment doesn't make sense.

Then you suggest that I'm a Windows user, the implication being that I can't also be a linux user. This is tired old crap that gets trotted out again and again by the fanboys. It's possible to know both criticise both and praise both where appropriate. To paint either system as a panacea is just simplistic and tribal.

2
0
Bronze badge

Re: Let me try...

Primary would be the lockstepping of installed software to the version of the other packages installed, unless you go to great hassle to make it not so.

Not sure what you mean by that exactly. apt, yum and others have a pretty good dependency logic (especially aptitude). You still can force whatever you want, things can break though this way. No alternative on Windows for that.

...just aren't up to the standards of the big commercial databases.

I know enough about databases to discern that this is bullshit. First, even if that was true in 99% of the cases DB2 (and even more so) Oracle databases in industry are used where even sqlite would easily suffice.

You obviously don't really know what a WSUS server is...

I looked at this guide and imagined how many buttons I would have to press, folders to open, tickmarks to check, uncheck and click to make it do (with all vendors or just a few?) what I could do with one click or command and maybe one edited line in the /etc/apt/sources.list. Interesting to note here, that it only took MS (2011) ... 14 years to do partially similar to the Debian apt system.

0
2
Gold badge
Unhappy

I'm amazed "how to create security holes" is not a part of *every* CS course.

Because it seems to be one thing developers across the industry manage quite well.

You've got to wonder, is it them? Is it the pressure to produce something now? Or are the vulns in the libraries they're using that are not being fixed?

0
0
Anonymous Coward

Re: I'm amazed "how to create security holes" is not a part of *every* CS course.

I'd say it's probably a failure to clean up after themselves.

You create library v1, then you build on it and make v2, v3 v4 etc etc. By that point you have v5 changing a pointer created in v4 which was to an object created for v3, which was extended from a different object which had been created in v2 which originally came from v1.

v6 comes around, you need to fix bug A, to do this you change the object from v1, and suddenly the entire chain is incorrect, you have memory being misallocated etc etc. Your simple fix of changing that long to a uShort has suddenly caused a cascade of bullshit which flows downhill like a mountain of the brown stuff.

All the while you have a backend structure several tens of thousands of lines long, most of which is superseded or no longer used, and could probably be replaced with a few hundred lines of code which do the same job faster, more securely and are easier to read.

But because the code 'works' anyway execs will never give the go ahead to improve / rewrite it because they're too stupid to see the potential benefits even when they're stood in their face slapping them with a trout.

9
1
Unhappy

Re: I'm amazed "how to create security holes" is not a part of *every* CS course.

Because software development, maintenance, and support in an enterprise environment is subject to a million things out of your control, and f***ing hard.

0
0
Gold badge

Re: I'm amazed "how to create security holes" is not a part of *every* CS course.

Cutting corners (and introducing security holes) saves developers (or their employers) money and gets them to market ahead of their competitors. The costs are borne by the customers. The customers can only move to a better supplier if the better supplier hasn't yet been eliminated from the market (owing to their higher development costs).

Any developer with half a clue can write shit in any language. Bugs have nothing to do with programmers, languages or education. It's all economics.

0
0
Facepalm

Surely

Isn't it the job of the OS to prevent bugs in applications being security holes?

8
1
Anonymous Coward

Re: Surely

Like the way Linux prevents all of those exploits in third party apps you mean? Oh, wait.... http://www.youtube.com/watch?v=DhpTdiEKq_0

2
4
Anonymous Coward

Re: Surely

See! It's not the OS's job to do this because Linux has problems too! That's not actually an argument, it's the same problem on another OS....

4
0
JDX
Gold badge

Re: Surely

If you want to allow applications to do something useful then they have to be able to do stuff on the system - modify/delete files for instance.

Of course you could have an OS with different permissions "modify files outside own directory" etc but it won't help because everyone will accept the permissions.

2
2
Anonymous Coward

Re: Surely

@JDX - Or you could just set up your filesystem and Registry ACLs correctly and not run with an account that has inappropriate privilege levels - or at least, not bitch about it if you run as administrator and everything goes wrong.

3
1
Silver badge

Re: with different permissions "modify files outside own directory" etc

Actually, there were some old OSes that did that very well. OS space cleanly segmented from data space so while the data space still needed to be protected, it was nearly impossible to compromise the OS space.

It's just our current OS matrix that jumbles them together.

0
0
Anonymous Coward

Re: with different permissions "modify files outside own directory" etc

@Tom13 - the problem is that it's really the data space that I'm interested in protecting, I don't care about the OS, the worst that could happen is that I spew out spam or someone otherwise steals my bandwidth - if people get my data they could destroy it, they could corrupt it (you'll only notice if you try to use it and you'd better hope you notice before your backups go out of retention) or get personal details that may be stored there.

0
0
Silver badge

Re: with different permissions "modify files outside own directory" etc

FreeBSD, you mean?

0
0

9 out of 10 ???

Surely 21 out of 50 would be 42% not 90%.....or has maths changed so much since I was at school?

0
1
Anonymous Coward

Re: 9 out of 10 ???

I think you are confusing #applications with #vulnerabilities, or has English changed since you were at school?

0
0

Re: 9 out of 10 ???

its English you should be worried about, not maths.

0
4
Bronze badge

Re: 9 out of 10 ???

It's "it's"

6
0

Re: 9 out of 10 ???

No, it's "It's".

2
0