back to article Clear next Tues: Incoming Outlook, IE, Windows critical security patches

Microsoft will squash 14 sets of security vulnerabilities - four of which are deemed critical - in the next edition of its monthly batch of Patch Tuesday updates, due next week. Those four critical patches will address flaws in the Sharepoint server software, the Outlook component of Microsoft Office 2007 and 2010, Internet …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Anyone an idea?

Just how long has Microsoft been patching its code now?

I mean, there should be a point where things just work, right?

Oh, wait..

3
5
Anonymous Coward

Re: Anyone an idea?

"In the first three quarters of 2013, Microsoft has issued 80 security patches, well ahead of the 63 released in the nine months to September 2012."

Which is way, way fewer than any competing OSs....OS-X is on over 2,000 known vulnerabilities now, and Linux has had well over 900 in the kernel alone...SUSE 10 is approaching 4,000....

5
7
Anonymous Coward

Re: Anyone an idea?

"I mean, there should be a point where things just work, right?"

Microsoft keeps updating it's products with new features, and attackers keep finding new attack methods, so no you would not expect to ever reach a perfect state.

Microsoft have a far better vulnerability record for circa the last ten years than say Linux or OS-X

1
7
Bronze badge
Childcatcher

Re: Anyone an idea?

Just how long has Microsoft been patching its code now?

Pretty much from the beginning. Sometimes to break other companies' stuff, sometimes to fix their own. At least now it is more the latter which should be commended. These fixes are not for open source code, but they are being open about what they are doing and why - again, better than in years past. As mentioned by others, they have had to patch less than other software houses. Both in comparison to past behavior and to other OS and software creators, they are doing well.

2
2
Anonymous Coward

Re: Anyone an idea?

"Which is way, way fewer than any competing OSs....OS-X is on over 2,000 known vulnerabilities now, and Linux has had well over 900 in the kernel alone...SUSE 10 is approaching 4,000...."

Difference is that the Windows ones are usually critical whereas the Linux ones are minor

2
1
Silver badge
Windows

AC 11.43 GMT. They do not want to hear it old chap......

"Which is way, way fewer than any competing OSs....OS-X is on over 2,000 known vulnerabilities now, and Linux has had well over 900 in the kernel alone...SUSE 10 is approaching 4,000...."

..........whatever you say. I would in fact be the first to acknowledge that Linux based systems are (relatively speaking) less vulnerable than many types of Windows based systems. Howeve, their braindead refusal to accept that Redmond has raised its game since BG's famous "secure computing" memo is pretty much what one expects from the "commited" (and some of them certainly should be).

2
1
Silver badge

Re: Anyone an idea?

"The vulnerability in Microsoft Office 2007 and 2010, which "can be triggered simply by previewing an email in Outlook, even without explicitly opening the email", obviously needs to be patched as soon as possible. The Internet Explorer fixes also need to be rushed through."

0
0

This post has been deleted by its author

Anonymous Coward

Re: Anyone an idea?

"In the first three quarters of 2013, Microsoft has issued 80 security patches"

"Linux has had well over 900 in the kernel alone...SUSE 10 is approaching 4,000...."

I presume you've got a quotable source for these numbers?

What do they represent?

Do they represent exploitable vulnerabilities ?

Do they represent minor things which would benefit from being patched?

Do they represent patches to the core OS only? The core OS and basic bundled apps? The whole suite including office packages and the kitchen sink?

If you and the other posts (other posters?) making this kind of claim can't back up the claims (and in particular the numbers) with a published source and some context you are doing nobody any good. Not even MS. In fact you're just making MS look increasingly desperate. Which probably isn't what you wanted.

Note: I make no claim either way as to which is better. But the folks using numbers to make claims of "mine is better" need to be able to substantiate those claims, or the claims are worthless (and quite possibly counterproductive).

Meantime, anyone who wants independent numbers on exploitable vulnerabilities can go to e.g. the CVE database (or one of the various related sites that republishes the data in a different form). CVE = Common Vulnerabilities and Exposures. Although it's American, it is somewhat independent (or has been assumed to be so in the past).

From there, you may get a slightly different picture there than here. You'll certainly get more context.

2
0
Anonymous Coward

Re: Anyone an idea?

That's a bit misleading. Linux might have fewer critical vulnerabilities as a percentage of the total, but over all it has far more critical vulnerabilities that on average take much longer to be patched than on Windows...

0
1
Anonymous Coward

Re: AC 11.43 GMT. They do not want to hear it old chap......

Well if you look at facts rather than heresay based on what you might think, you will see that you are actually far more likely to be hacked if you run Linux than Windows on an Internet facing server (even after adjusting for market share). See http://www.zone-h.org/news/id/4737

0
1
Anonymous Coward

Re: Anyone an idea?

See www.secunia.org for the numbers...

0
1
Anonymous Coward

Re: AC 11.43 GMT. They do not want to hear it old chap......

"you are actually far more likely to be hacked if you run Linux than Windows on an Internet facing server "

Yes, seen that zone-h article thank you, embarrassing isn't it.

Embarrassing for you, that is, if you really have nothing more relevant to quote than reported website defacement statistics, and nothing more recent to quote than than defacement data from 2010 in an article from 2011, and no better logic than you have just displayed.

Still, at least the article refers to CVE, which is more than you and your fellow travellers have managed so far.

Readers who follow the referenced CVE link [1] will see that the problem isn't even a generic Linux problem, it's one only exposed in the context of an x86-32 application running on certain versions of the x86-64 Linux kernel (which admittedly may have been a quite common situation).

It's also 'only' a possible elevation of privilege exploit rather than the (common with Patch Tuesday) generic unauthenticated remote code execution exploit.

It's also one which had long ago been patched (in 2007) but somehow managed to re-emerge in 2010 (more detail in the CVE article and its references, not reproduced here), and because it was a set of circumstances in widespread use, there were lots of vulnerable websites and they were widely defaced and widely reported.

So, what logic leads from lots of defaced websites, many sharing the same underlying problem, to "Linux is generically less secure than Windows"?

Anyone got anything better to offer? And remember, facts good, logic good, hearsay bad.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3301

2007 description: "The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register"

3
0
Anonymous Coward

Re: Anyone an idea?

"See www.secunia.org for the numbers..."

Can you be more specific?

Secunia look very Windows-centric, which is fine for the Windows world, but not helpful in a discussion where claims are being made that "Windows is more secure than Linux" or vice versa, Secunia seem to ignore OS X too.

Secunia's Vulnerability Review of 2013 (20 pages) is apparently based largely on data gathered by their Windows-based Personal Software Inspector [1]. If I've read them right, PSI mostly looks at Windows applications from vendors other than Microsoft, which means it's a bit restricted. Still, the Windows Desktop Operating Systems chart on page 6 of their Review does say that 2012 is the first year since 2006 (they don't go back further) when MS's number of OS vulnerabilities has decreased, so that's some kind of progress if it can be maintained under the new MS management.

Any more suggestions?

[1] "The Secunia Personal Software Inspector (PSI) is a free computer security solution that identifies vulnerabilities in non-Microsoft (third-party) programs which can leave your PC open to attacks."

http://secunia.com/vulnerability_scanning/personal/

1
0
Anonymous Coward

Re: Anyone an idea?

No - they are not Windows centric. See http://secunia.com/community/advisories/historic/

0
0

Time for MS to upgrade backdoors for NSA.

3
1
Anonymous Coward

Or maybe...

Or maybe the NSA needs a few more, and Microsoft are patching them in for them.

8
2
PM.

Ha ha

I am on Outlook 2003 and Outlook bug does not affect me .

0
0
Anonymous Coward

Re: Ha ha

Actually it probably does. Office 2003 is end of life and no longer supported....

0
1

Patches accompanied by...

These patches are likely coming to you with new NSA and GCHQ mandated backdoors so they can pwn you whenever they think appropriate, as well as any other party that figures out where those doors are... :-( FAIL!

0
1
Anonymous Coward

I don't give a fiddlers anymore

After all the NSA and backdoor revelations no Microsoft o/s resides on any of my family's machines any more. If we're an 'adversary' to them and the NSA then fuck them and I hope they all burn in hell.

1
0
Anonymous Coward

Re: I don't give a fiddlers anymore

And what do you use?

Don't tell me you think that any other OS doesn't have exactly the same issues as MS.

0
1
Silver badge

Re: I don't give a fiddlers anymore

"Don't tell me you think that any other OS doesn't have exactly the same issues as MS."

They certainly don't have exactly the same issues - what other OS allows execution of mal-code by merely previewing an e-mail ?

2
0
Anonymous Coward

Re: I don't give a fiddlers anymore

You can reset an OSX machine by getting it to render five unicode characters. But that wasn't what the OP was getting at, s/he was suggesting that only MS have given all their systems backdoors and given that access to the NSA and he is protecting his family from that. This chimes along with some of the more conspiracy bollocks that gets rolled out from day to day.

2
0
Anonymous Coward

Re: I don't give a fiddlers anymore

" some of the more conspiracy bollocks that gets rolled out from day to day."

Thing is, quite a lot of the stuff that two years ago quite a lot of people thought was "conspiracy bollocks" is now out in plain sight as reality. And in many peoples' views, rather unpleasant reality.

And some of the very same people that were calling it "conspiracy bollocks" (even though they knew otherwise) are now saying "this news isn't news, nobody should be surprised by it, how else are we er sorry they supposed to do their jobs".

0
0
Anonymous Coward

Re: I don't give a fiddlers anymore

Well that reminds me of the worst virus / worm attack ever - the Morris Worm - which was based on a Sendmail exploit on UNIX systems...

nb - Office is not part of the OS. You would need an additional exploit to gain any additional rights over standard user...

0
1
Silver badge

Re: I don't give a fiddlers anymore

"Well that reminds me of the worst virus / worm attack ever - the Morris Worm - which was based on a Sendmail exploit on UNIX systems..."

Ah, the Morris worm, remind me 1988 wasn't it - powerful argument indeed !

1
0
Silver badge

Re: I don't give a fiddlers anymore

"nb - Office is not part of the OS. You would need an additional exploit to gain any additional rights over standard user..."

Just like a proper OS then these days.

Nota bene - the coming Windows security update include 4 critical remote execution and 10 important remote execution, elevation of privilege and DOS patches.

http://technet.microsoft.com/en-us/security/bulletin/ms13-sep

Includes :

Bulletin 1 Critical Remote Code Execution May require restart Microsoft Office,

Microsoft Server Software

Bulletin 2 Critical Remote Code Execution May require restart Microsoft Office

Bulletin 3 Critical Remote Code Execution Requires restart Microsoft Windows,

Internet Explorer

Bulletin 4 Critical Remote Code Execution May require restart Microsoft Windows

Bulletin 8 Important Remote Code Execution May require restart Microsoft Office

Bulletin 9 Important Elevation of Privilege May require restart Microsoft Office

2
0
Anonymous Coward

Re: I don't give a fiddlers anymore

Sounds like you are trying to suggest that Windows has an inferior security model in some way?

Actually Windows has a far stronger model that say Linux - Windows has a more modern and secure kernel design where drivers are isolated from the kernel, and ACLs are in built into the OS - you don't have to install a new filesystem and SEL to get proper control! Windows also supports proper constrained delegation - not the risky 'has to run as root' model of SUDO...Windows also supports advanced features like Dynamic Access Control - for which Linux simply has no inbuilt matching capability...

If I started listing monthly patches for any enterprise flavour of Linux, it would usually be a far longer list than the above.

If you want to criticise Windows, then at least get your facts right. And the facts are that these days, it is Linux that is someway behind in security...

0
1
Silver badge

Re: I don't give a fiddlers anymore

"If I started listing monthly patches for any enterprise flavour of Linux, it would usually be a far longer list than the above."

That will be true after all I have dozens of programs and libraries that get upgraded fairly regularly . ALMOST always because of improvements to the code HARDLY ever due to vulnerabilities esp.not the kernel.

1
0
Silver badge
Linux

With

the number of patches for windows , I'll be surprised if theres any original code left in the product, and it merely consists of patches now

New windows 9.... download the installer, set it running and you'll get a new version of windows delivered every year in monthly bite sized chunks....

Yeah and I know about the holes in Linux too

2
0
Anonymous Coward

Re: With

That's not a very informed comment. Windows has far fewer patches / vulnerabilities than other OSs like Linux or OS-X.

0
3
Silver badge

Re: With

"That's not a very informed comment. Windows has far fewer patches / vulnerabilities than other OSs like Linux or OS-X."

. Windows has far fewer patches / vulnerabilities than other OSs like Linux or OS-X. - That's not a very informed comment

0
0
Anonymous Coward

Re: With @Chemist

" Windows has far fewer patches / vulnerabilities than other OSs like Linux "

"That's not a very informed comment"

Well, as long as original poster is being honest and fair, he/she might be informed? Using "Linux" as a catch-all for every single version of every single distro (including 'roll your own'), presumably he/she is using the same basis for his/her Windows info (ie every single version of Windows ever, plus every single version of the underlying O/S needed for earlier versions)? Just because OP is making a sweeping generalisation doesn't mean they should be ignored, surely? ;-)

0
2
Anonymous Coward

Re: With @Chemist

Dear clueless idiot,

Microsoft's highest vulnerability total ever for an OS is Windows XP on about 622 - http://secunia.com/advisories/product/22/

OS-X is on ~ 2,000 - http://secunia.com/advisories/product/96/

SUSE 10 is on over 4,000! http://secunia.com/advisories/product/12192/

0
2
Anonymous Coward

Re: With @Chemist

To be fair, a Linux distribution includes more packages that a Windows one - but as per the work by Jeff Jones, even reduced package distributions of Linux to match Windows functionality have more vulnerabilities and more critical vulnerabilities that on average take longer to be patched...

0
2
Anonymous Coward

Re: With @Chemist

It is a common misconception that Windows is less secure that Linux.

Windows on the desktop is attacked more because it has a > 90% share of the desktop market. Linux barely hits 1% on the desktop and therefore is hardly targeted.

If you look at market segments where Linux is actually used like internet servers and Android devices then you are far more likely to be attacked if you run a Linux based solution than a Windows based one....

Architecturally and functionally, Windows has significant security improvements over Linux. Windows has fewer vulnerabilities than close alternatives....and via the shared source initiative, etc. Windows source code can be checked - so I can only conclude that he code quality is pretty good in comparison too...

0
2
Silver badge

Re: With @Chemist

"Dear clueless idiot,"

Cheeky sod !

Please learn to separate critical kernel vulnerabilities from trivial program problems. I'm ending this now as arguing with a faceless AC, yes just the one, is rather pointless, esp. with the constant repetition of worn, unproven, unprovable garbage.

What is it with you ? So insecure ? Afraid WIndows isn't as perfect as you like to suggest ?

I'm happy to use Linux, and indeed only Linux. You use what you want

1
0
Anonymous Coward

Re: With @Chemist

"as per the work by Jeff Jones, even reduced package distributions of Linux to match Windows functionality have more vulnerabilities and more critical vulnerabilities that on average take longer to be patched"

That would be Jeff Jones, Microsoft's Director of Trustworthy Computing, would it?

Jeff Jones back in 2007 when he was claiming that, after a whole six months out in the wild, Vista was more secure than Linux and OS-X?

From http://www.pcmag.com/article2/0,2817,2149851,00.asp

"According to the numbers given in a new report from Microsoft, Windows Vista has blown away all the major enterprise Linux distributions and Mac OS X as far as having the smallest amount of serious security vulnerabilities in the six months since its release. The numbers were compiled by Jeff Jones, the security strategy director in Microsoft's Trustworthy Computing Group.

"The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6-month mark compared to its predecessor product Windows XP (which did not benefit from the SDL [Secure Development Lifecycle] and compared to other modern competitive workstation OSes (which also did not benefit from an SDL-like process)," Jones wrote in a blog posting about the report on June 21. " (continues)

Jones' blog article:

http://blogs.csoonline.com/windows_vista_6_month_vulnerability_report

2
0

This post has been deleted by its author

This post has been deleted by its author

Anonymous Coward

A different selection from Secunia, without further comment

PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.

Windows XP Pro http://secunia.com/advisories/product/22/

427 advisories 632 vulnerabilities 10% unpatched (44 of 427)

Windows 7 http://secunia.com/advisories/product/27467/

148 advisories 310 vulnerabilities 4% unpatched (6 of 148)

Office 2003 Pro http://secunia.com/advisories/product/2276/

116 advisories 356 vulnerabilities 3% unpatched (4 of 116)

Office 2010 http://secunia.com/advisories/product/30529/

25 advisories 67 vulnerabilities 0 unpatched

OpenSUSE 11.3 http://secunia.com/advisories/product/31908/

233 advisories 1427 vulnerabilities 0 unpatched

OpenSUSE 12.2 http://secunia.com/advisories/product/42974/

186 advisories 1016 vulnerabilities 0 unpatched

Red Hat Enterprise Linux Workstation 6 http://secunia.com/advisories/product/32989/

416 advisories 1610 vulnerabilities 0 unpatched

Red Hat Enterprise Linux Server 6 http://secunia.com/advisories/product/32988/

418 advisories 1615 vulnerabilities 0 unpatched

Ubuntu 12.04 http://secunia.com/advisories/product/40762/

262 advisories 1202 vulnerabilities 0 unpatched

2
0
This topic is closed for new posts.

Forums