Microsoft offloads heap of critical fixes in 'ugly' Patch Tuesday

Microsoft is planning a high-impact edition of Patch Tuesday with seven bulletins this month - six of which cover critical flaws. The less-than-magnificent seven cover all supported versions of Windows and every version of MS Office, as well as updates for Lync, Silverlight, Visual Studio and .NET. Internet Explorer, from IE6 on …

COMMENTS

This topic is closed for new posts.

Anonymous Coward

Surprise!

Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft?

People need to give themselves a shake and stop using MS products!!!! ;-P

Re: Surprise!

I thought that it was usually Adobe with Acrobat or Flash...

Re: Surprise!

You forgot JAVA....

Anonymous Coward

Re: Surprise!

Sounds like you're saying "How dare they try and fix things promptly"

I guess you like the Java and Apple model of head in the sand?

Re: Surprise!

Yes, of course. Because the fact The Register never bothers to write articles about every Linux/Mac OS/Android/whatever patch release is an indication that they never happen ever.

Anonymous Coward

Re: Surprise!

Well, there's that story at the moment about the security flaw in Android and the patch... oh.

Re: Surprise!

Because they, unlike some companies, publicly inform people when there are problems with their software. I would much rather that than being kept in the dark.

If you think Microsoft have more issues, considering the size of their offerings and indeed the scale of the products themselves, than other software houses, you're woefully misinformed.

One truth: software is never perfect!

Anonymous Coward

Re: Surprise!

You forgot to login again, Eadon.

@egor: Re: Surprise!

"One truth, software is never perfect!"

I see you follow the Microsoft philosophy... That's fine if you program games etc.

Let's hope that the software engineers behind the space programme, nuclear power plants, ICBMs, traffic lights etc. etc. never fall into that trap.

Re: Let's hope that the software engineers behind the space programme never fall into that trap

Yeah.... Let's hope that never happens.

Mariner 1

Re: @egor: Surprise!

"Let's hope that the software engineers behind the space programme, nuclear power plants, ICBMs, traffic lights etc. etc. never fall into that trap"

No, let's hope they include fail safes and monitoring facilities. "No software is perfect" need not be the same thing as "Our product sometimes fails" ;)

Re: Surprise!

Not surprised...exactly. Surprised it is only 22 though.

RH actually has a larger kit.

Re: Surprise!

"One truth, software is never perfect!"

Well, there's Z. You'd hope that someone writing a nuclear power plant's systems isn't just firing up vim and going "Aha, what we going to write today!".

Anonymous Coward

Re: Surprise!

" someone writing a nuclear power plant's systems isn't just firing up vim and going "Aha, what we going to write today!"."

No, what they're doing in recent years is probably far worse than that.

Is 'Aha' a typo for 'Ada'?

Ada might be a decent language for doing a low level design, but it's far too complex a language to be able to trust the compiler and tools.

There's someone round here whose screen name mentions 'forth'. A custom subset of Forth, or something similar, might be appropriate for some safety critical setups. The language and implementation could be simple, efficient, testable, maybe even provably correct in the right circumstances. Given a bit of investment the tool vendors could put some tools around it to make it cool and trendy, but Ada seems to have become the posterchild for the safety critical folks (at least in aerospace).

AC, obviously.

Re: Let's hope that the software engineers behind the space programme never fall into that trap

"Yeah.... Let's hope that never happens.

Mariner 1"

:-) Fair point!

Re: @egor: Surprise!

"No, let's hope they include fail safes and monitoring facilities. "No software is perfect" need not be the same thing as "Our product sometimes fails" ;)"

Yeah - I can't argue with that - although these posts are in the context of Microsoft security alerts, so obviously not only is their software not perfect, but neither are any fail safes and monitoring facilities :)

Anonymous Coward

Re: Surprise!

Microsoft has far fewer patches than, say, an enterprise Linux distribution, with far fewer days at risk... Hence why you are much more likely to be hacked running a Linux internet-facing server than a Windows one...

Re: Surprise!

I'd love to see you put your money where your mouth is and produce some hard numbers on that for both systems....

Particularly for vulnerabilities exploited in the wild.....

Anonymous Coward

Re: Surprise!

Because 95% of the world's PCs run Windows, so it becomes SIGNIFICANT news.

So what if someone exploits something that runs on 2% of the world's PCs? Big Deal.

Anonymous Coward

Re: @egor: Surprise!

Or the NHS "one system" project... oops.

Roo

Re: Surprise!

Wow, I haven't seen Z mentioned for a while!

I liked the idea behind Z, but at the end of the day I found that writing unit tests & integration tests can accomplish the same goal, so I am left thinking that there isn't really any point in having the Z language in addition to your programming language du jour.

The thought processes behind applying Z are the useful bit, but I have found that you don't really need Z to think that way. (Hint: It is possible to 'animate' Z constructs in pretty much any mainstream language these days).

Re: Let's hope that the software engineers behind the space programme never fall into that trap

""Yeah.... Let's hope that never happens.

Mariner 1"

:-) Fair point!"

In 1962.

Let me describe how the team behind the Shuttle software wrote it.

1) Devise specs.

2) Implement specs, maintaining detailed bug lists and error rates and regular walkthroughs by other people. It's a project. No one "owns" their code. The project does.

3) When you find a bug, work out how your review process did not catch it.

4) Modify the system to catch future instances.

5) Scan the codebase for all similar cases and fix them as well.

If you work in a dev shop look around you and ask yourself "Do we do any of that?"

It's estimated that their code was 10x the cost per line than the average cost.

That's why Shuttle flew 134 missions and the software never failed.

Anonymous Coward

Re: Surprise!

"much more likely to be hacked running a Linux internet facing server than a Windows one..."

Citation needed, but even when it is provided:

MS supporters when talking about desktop security have a tendency to say "Windows isn't less secure, it's more interesting to hackers because there's so much more of it out there". There's no dispute that there are more Windows than Linux desktops out there. There is less of a consensus about which is more secure.

Does the same logic also apply to web servers: "Linux isn't less secure, it's more interesting to hackers because there's so much more of it out there"? There's no dispute that there are more Linux than Windows webservers out there. There is less of a consensus about which is more secure.

If the same logic does not apply, please explain why not. When you've thought about that fairly basic starting point, here's another one.

If "security" means anything, it would be helpful to distinguish between finding an actual exploit in the OS on the one hand (unauthenticated remote code execution, unauthorised elevation of privilege, whatever) or a boring but embarrassing defacement (e.g. via dumbass SQL injection in the Web-facing application). Please do not use records of "defacements" (e.g. zone-h or similar) as your primary source of "systems being hacked". Please also do your best to identify separately exploits using defects which have been corrected but where the sysadmins have not applied the corrections in reasonable timescales.

Have a secure weekend.

@El Andy

Microsoft owns a patent for "Remote code execution", so others are afraid to infringe on it.

@eg0r

"considering the size of their offerings"

If one is considering the size of Debian's offerings... things become more clear.

Anonymous Coward

Re: Surprise!

Wot, you mean discovery of the master key allowing malicious apps to run?

http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/

Anonymous Coward

Re: Surprise!

Here you go: http://www.zone-h.org/news/id/4737

http://www.zdnet.com/linux-trailed-windows-in-patching-zero-days-in-2012-report-says-7000011326/

Anonymous Coward

Re: Surprise!

WRT the zdnet article, did readers notice the bit that said "the data shouldn't be interpreted as a claim that an OS built off the Linux kernel is necessarily less secure than using a Windows OS"?

Or the bit that says: "The Trustwave report says the number of critical vulnerabilities, as determined by the Common Vulnerability Scoring System (CVSS) assessment of factors like potential impact and exploitability, identified in the Linux kernel was lower than in Windows last year, with nine in Linux compared to 34 in Windows. The overall seriousness of vulnerabilities was also lower in Linux than Windows, with Linux having an average CVSS score of 7.68 for its vulnerabilities, compared to 8.41 for Microsoft."

Don't take my word for it, read the full article.

Anonymous Coward

Re: Surprise!

Me again, having just posted some bits from the zdnet article.

As for zone-h: if "security" means anything, it would be helpful to distinguish between finding an actual exploit in the OS on the one hand (unauthenticated remote code execution, unauthorised elevation of privilege, whatever) or a boring but embarrassing defacement (e.g. via dumbass SQL injection in the Web-facing application). Please do not use records of "defacements" (e.g. zone-h or similar) as your primary source of "systems being hacked". Please also do your best to identify separately exploits using defects which have been corrected but where the sysadmins have not applied the corrections in reasonable timescales.

MS supporters when talking about desktop security have a tendency to say "Windows isn't less secure, it's more interesting to hackers because there's so much more of it out there". There's no dispute that there are more Windows than Linux desktops out there. There is less of a consensus about which is more secure.

Does the same logic also apply to web servers: "Linux isn't less secure, it's more interesting to hackers because there's so much more of it out there"? There's no dispute that there are more Linux than Windows webservers out there. There is less of a consensus about which is more secure.

If the same logic does not apply, please explain why not.

[Seen much of this before? Sorry! The zone-h meme needs to be put down sooner rather than later]

Tiresome

Every single month, the same old schtick from The Reg. Criticism for releasing security patches with the usual snarky tone that there is something amiss. Seriously - criticism for releasing fixes? As! Tired! As! The! Endless! Yahoo! Exclamation! Marks!

Re: Tiresome

Don't like shitty smells?

Don't try to cover them up- stop making shit in the first place!

True

But Microsoft also suffer from being the most popular target for naughty miscreants to look for flaws. If all the dastardly types that target Redmond's platforms went looking at OSX, the chances are the fruity one would be similarly lambasted.

Re: True

"But Microsoft also suffer from being the most popular target for naughty miscreants to look for flaws."

Change the tape - it's beginning to wear out.

Anonymous Coward

Re: True

Just because it gets said every month on the Patch Tuesday announcement, doesn't mean it's not true. MS has the largest desktop/server OS market share. There would be something pretty odd if they weren't the number 1 target for people looking for vulnerabilities, especially as we keep getting told that their product is "swiss cheese" full of security holes.

Re: the usual snarky tone that there is something amiss.

There is something amiss and it deserves the usual snarky tone.

MS engineered their software for ease of use at the expense of security. Despite many remakes and PR efforts, that remains at the heart of their exploit issues. The *nix kernels are even bigger targets because in the server world they run most of it on the Really Good Stuff (TM). And in theory* because the code is out there you ought to be able to hack it more easily. But the number of critical flaws in the *nix kernel is lower precisely because unlike MS, their kernel is ONLY a kernel, not a mishmash of everything from the kernel through the applications.

*In practice the many eyeballs seems to negate theory, but the meme persists.


nahh

Windows is the easiest target...

So everybody and his 5 year old can hack it.

Thus more attempts. Unfortunately, more success too.

Re: True

"Just because it gets said every month on the Patch Tuesday announcement, doesn't mean it's not true. MS has the largest desktop/server OS market share. There would be something pretty odd if they weren't the number 1 target for people looking for vulnerabilities, especially as we keep getting told that their product is "swiss cheese" full of security holes."

MS has the largest desktop share, yep, but not the server share. Also, servers are by their definition "providing services" so they are more visible.

Granted, the typical server is run better than grandma's home PC, but still, saying "of course MS has the most reported holes because it's the most popular" is a cop-out.

Re: the usual snarky tone that there is something amiss.

"The *nix kernels are even bigger targets because in the server world they run most of it on the Really Good Stuff (TM)."

What you are doing is comparing apples and oranges, here. Servers are not workstations. The protections and vectors are not the same. Compare Windows servers versus Windows workstations in an enterprise setting and you should find that the workstations get hit at a far higher rate. On the other hand, the argument that higher numbers make more attractive targets is being borne out by the increasing pressure on Android devices.

Where there are enough assets to make an attack worthwhile, there will be an attack. Eventually, the attack will be successful. At the enterprise level, setting up all machines with one OS is a weakness, as someone who can compromise one machine should have no problem with the rest. Better security is based on multiple layers, from OS, to AV and onward.

Anonymous Coward

Re: True

^^ On the desktop. On the server, it's much more Linux that's the risk.

Re: Tiresome

Tired? Hardly. M$FT is one of the most profitable companies in the history of capitalism and they can't make their products better or more secure. Quite frankly, M$FT lacks the culture to make great products.

Re: True

Nonsense. I still don't understand why people make the market share argument. At its core OS X is Unix, which is inherently more secure. It's more secure because of its open source nature, which is subject to harsh peer review. Apple has done a marvelous job with security in OS X. Flash out of date? You can't use it in Safari until you update it. Java is out of date? OS X will also shut it down and also push you the latest version.

Re: the usual snarky tone that there is something amiss.

"targets is being borne out by the increasing pressure on Android devices."

Not true, it was heard long before Android, a pretty controversial theory. And BTW, for Android it's only trojans to talk about, illegitimate apps. One installs those at his/her own risk when not examining permissions and perhaps outside of G. Play (MS Windows lacks even that). It's still unheard of to get a trojan through an RCE.

"Compare Windows servers versus Windows workstations in an enterprise setting and you should find that the workstations get hit at a far higher rate." Both need AV according to Microsoft.

@AC

Saying "halva-halva" doesn't necessarily make your mouth sweet.

Anonymous Coward

Re: the usual snarky tone that there is something amiss.

". But the number of critical flaws in the *nix kernel are lower precisely because unlike MS, their kernel is ONLY a kernel,"

Erm, you know there are well over 900 critical flaws known in the Linux kernel alone? Versus say 450 in the WHOLE of the worst Microsoft OS ever - Windows XP?

Windows has historically had a couple of orders of magnitude fewer kernel vulnerabilities than *nix kernels...

Re: the usual snarky tone that there is something amiss.

@AC - Try to keep up. The Linux kernel has gone through hundreds of versions. If you're going to compare, let's try to compare like for like, shall we? What was the number of Linux kernel vulnerabilities during the Windows XP years?

Anonymous Coward

Re: Tiresome

Every month they make their products better and more secure... That's kind of the point of patch Tuesday...

Anonymous Coward

'ugly'?

Has there been a beautiful Patch Tuesday then?

It seemed a beautiful patch Tuesday at the time.

I was very, very, very drunk at the time though......

Disclaimer: patch Tuesday may have been very drunk as well, I didn't take the short route through the ugly tree....

Same old article

And the same old comments. Why not just save everyone the time and bother, just close the thread to comments and direct it to last month's Patch Tuesday arguments.

@AC bashing MS...

Every piece of widely used software is subject to issues. Non-MS products are no exception. Linux/Cdorked and DarkLeech are a good example. And they [the reports everyone is giving] still don't seem to know how they work. I'd much rather MS patch things pronto than deny their existence like some other software vendors.
