Plus ça change...
June's Black Tuesday patch update from Microsoft has rolled into town with five bulletins, including a solitary critical update that tackles flaws in all supported versions of Internet Explorer. The IE update (MS13-047) grapples with 19 vulnerabilities and covers all versions of IE, from IE6 to IE10, on all supported versions of …
Plus ça change...
....what would you prefer? MS to not patch bugs?
And this isn't an MS-specific issue, look at all the Java patches of late.
My GNU/Linux system gets updates every other day - although the repository system (when folks bother to package their wares correctly) makes this process much easier when compared to the random, slap-dash, every application needs its own update mechanism, approach on Windows or OS X.
This reminds me, must really look into Puppet/Chef/Salt/Something to keep all the systems up to date in a oner.
Yes, so does mine, but if you're going to throw that one out, how many of them are security patches? And how many of those are serious and not just Free Software Paranoia (long may it live)?
When, e.g., was the last time KDE had a security advisory? Or its browser Konqueror? (or Rekonq). It issues monthly updates, not the same as security issues. I can't remember the last time openSUSE issued a "FFS update this"
Eadon's not posted yet?
Sorry my I did read that in the voice of Mongo from Blazing Saddles and thought it might be a quote :-
"Eadon's not posted yet,
....what would you prefer? MS to not patch bugs?
Not at all - just wondering how the older versions in particular managed to work in the first place, as they must have been about 10% good code and 90% bugs.
Just another regular occurrence, like Halley's comet coming around, although that may stop one day.
Well Suse itself posted this security vulnerability in May - https://www.suse.com/support/update/announcement/2013/suse-su-20130819-1.html
They just don't get publicised as much. I think it's safe to say that every system has vulnerabilities in it and it's going to be a never ending battle to fix them!
I don't know when KDE last had a vulnerability (I'm a GNOME user), but they did nearly lose all their source code a couple of months ago, because they thought that replication was backup! The only thing that saved them was having taken a node offline the previous day. i.e. luck saved them.
It's all about where you look for your problems - sure the code may be secure, but if its custody is so badly handled that a corrupting replication node can destroy the entire codebase, that's still as insecure as you can get.
People have to look in the right place for the problems that they should be seeing, not the ones they want to see, or think they may see.
".....And how many of those are serious and not just Free Software Paranoia (long may it live)"
1 second of searching. 1st Hit
05 June 2013, 10:41
Please note the platforms affected.
You see, if you lump in Browser + OS = Fail, then we must do the same for other browsers on other platforms.
Personally I don't give a shit about the platform or the browser ( I run several), but I do give a shit about unpatched software.
I can't remember any time my OpenBSD server needed a security patch.
...'cause there are a shit-load of SECURITY PATCHES waiting for your OpenBSD server.
1 second of searching. 1st Hit
how many seconds do you need to search to see a tasty remote code execution being already exploited in the wild? Hint: closed source.
BTW, did you notice this ...eight high and medium severity holes saw nearly $10,000 being paid out. Is MS willing to pay for every or most discovered vulnerability. I don't think so.
Or to put it another way: Google pay other people to find their bugs for them, because they can't be arsed.
Yes, I know it's not that simple, but there is more than one way to look at this: Google staff may well leave security to a back seat because they're outsourcing their own bug fixing.
Google pay other people to find their bugs for them...
Google pay other people if they find their bugs. #now fixed
I don't know why you choose to look at this fact from this strange angle? Most vulnerabilities found with MS products are done by non-MS people, more so when those are being exploited in the wild (Compare this to when exploits are being published).
In my view, the we-don't-owe-anything-to-anyone attitude is an atavistic, very peculiar MS feature. Another possible explanation is the fear of going bankrupt.
So either a) A faulty software design was re-implemented and perpetuated the vulnerability.
b) Some coder did a copy and paste job on development.
But b could never happen. Do we not have the word of the Turkey Dancer himself on the matter?
Complete re-write doesn't imply they won't re-use existing interfaces for communication between components or externally - so they can become susceptible in the same manner.
Take for instance the way software communicates with the certificate store - it may differ between versions but the base interaction is the same - and therefore potentially open to the same attacks across versions.
As someone who specifies software for a living, I'm getting pretty tired of saying this, but:
If you specify a code module or interface to do X, Y and Z, then hand the spec to a codemonkey, the chances are that any codemonkey will implement that code in a different way, but it will do the same job. If it turns out that Z is incorrect and causes a problem because, for instance, it's a datastream that you didn't specify should be encrypted, the problem resides in your spec and no amount of re-coding from the ground up will fix it.
It's therefore entirely likely that they have re-coded from the ground up and retained problems which are in the spec rather than the code.
You forgot C), which is actually even more troublesome than A) and B), although in order of probability from high to low it is probably B, A, C:
The rewrite introduced a whole new set of vulnerabilities.
Good point. I'll make that D) and rerank their order as B, D, A, C.
These patches wouldn't be half as annoying if Windows could update files that are currently in use. Mac OS X achieves this, most of the time. Having to close my dozens of applications with their carefully-positioned windows is a significant pain point.
And now OSX re-opens and repositions all your open windows for you when you restart, which is nice.
At least I don't seem to have to re-install Windows itself on a regular basis any more - which is why I stopped bothering to "personalize my windows experience" (sic) so long ago; re-instating all those icons, backgrounds, cursors, alerts, favourites etc. just became TOO tedious.
"Windows can't update important files and services while the system is using them. Save any open files, and then restart the computer"
Shouldn't that be "whilst" not "while"
Ahhhhh windows patch reboots - just as well they don't market windows as a server... Wait a minute!
I'm sure I remember my Solaris and HP Unix machines reopening my windows when I restarted back in the 1990s. When did they all stop doing it? Was it just because Windows didn't do it, so everyone else stopped bothering?
Or has my failing memory failed again?
net stop wuauserv
"I'm sure I remember my Solaris and HP Unix machines reopening my windows when I restarted back in the 1990s"
I'm pretty sure my Sunos box did that too..
PRISM 2.0 bitches!
Of course Chrome regularly gets patches - but silently so the majority of people have no idea it is getting updates... but let's bash IE because they're more public and structured.
Where's Eadon to stick the irrelevant boot in?!?
Chrome patches don't need a reboot...
But since they happen in the background and don't take effect until you restart Chrome.
Yes because Chrome is engineered how any sane person would do a web browser as userland with a clean separation between the OS networking code. (Chrome is actually engineered very slick with the sandboxes and such) IE is getting that way these days I believe, but in the early IE days the marketing droids at MS thought it would be a great idea to embed browser code deep in the OS itself. Some of the IE fixes therefore result in OS files changing and thus a reboot.
We've been waiting for you to post with bated breath. Thank you, my day is now complete.
It took him 2 hours though. He must have been busy building his own cloud infrastructure this morning
Yeah, no other systems have any form of active data execution within datafiles, none at all.
...or doing all his MS patching...for the MS machines he pretends he doesn't have, naturally.
"It took him 2 hours though. He must have been busy building his own cloud infrastructure this morning"
Actually Adobe too did the same thing with PDF reader. Anyway I'm with you on this matter. From the engineering point of view, the concept of allowing a document to trash your system is plain idiotic so I will retain only the capital fail without sticking it to Microsoft.
You know what? If I have a service that can't tolerate downtime, scheduled or not, I put it into a cluster. That way when I have a hardware failure or need to upgrade the hardware, or the software, I can remove a cluster node, carry out the work on it, reboot it and re-introduce it to the cluster. This goes for UNIX, Linux and Windows; anyone who doesn't do this is cavalier with their SLAs, and anyone who has up-time requirements and doesn't use clusters in this day and age doesn't really care.
You may have been eating worms, but most of us have been waiting impatiently.
His mum wouldn't let him use the computer until he had finished tidying his room.
"Yeah, no other systems have any form of active data execution within datafiles, none at all."
So the fact another developer fails means Microsoft doesn't? I'm not following your logic.
After it's been patched, will it still have the lowest power consumption?
And how many otters/polar bears/giant redwoods will be burned in the patching process?
...that Gates and Microsucks aren't held accountable for selling totally insecure and defective products.
Isn't it great to see that the original IE was so extendable, they've managed to maintain it as the single code-base for all future revisions.
More seriously, I always query patches that just apply to single versions where the feature was there in both prior and later versions. If you knew you had to re-write something for the next release, then you probably were aware of the flaws in the prior version.