Every single Internet Explorer at risk of drive-by hacks until Patch Tuesday

Microsoft has lined up a bumper Patch Tuesday this month to snap shut a backbreaking 57 security vulnerabilities in its products. Five of the 12 software updates addressing the gaping holes will tackle critical flaws that allow miscreants to execute code remotely on vulnerable systems. In all, the soon-to-be-patched …

COMMENTS

  1. Lee Dowling Silver badge

    Oh no! That means every single installation of Windows where I let my users use Internet Explorer as their browser will have to be taken offline.

    Oh. Already did that. About 10 years ago. Hell, I have user-agent checking on the proxy that filters the net and IE flags an alert (sadly, so do some old versions of Office and ancient applications that like to use IE as a "plug-in" to get their web access - nothing much lost by blocking them also, though).

    If you're still using IE, you really should have sorted out whatever-problem it was that kept you on it AT LEAST 10 years ago. You can say that all your ActiveX and backend software or whatever "requires" IE, but that doesn't mean you still shouldn't have sorted that problem - by moving to a system that DOESN'T need it.

    1. Anonymous Coward

      So,

      this entire article doesn't concern you in the slightest..

      But thanks for your (in my case at least) unwanted opinion on a browser you don't use and haven't for 10 years!

      1. Lee Dowling Silver badge

        Re: So,

        It does concern me. That people still are deploying / using IE 10 concerns me greatly. It doesn't affect me directly, however, but that doesn't mean that I a) have no opinion on a public forum on the issue, b) can't express that opinion and c) can't discuss the problem with others.

        I commented on a Wii U page the other day but don't own one. Is that forbidden too?

        1. Anonymous Coward

          Re: So,

          You are entirely entitled to your opinion. But your opinion of IE is that it's shit, and you have no problem to discuss (you don't use IE so have no problems).

          You can comment on whatever you wish, as I and the other commentards do, but bleating about how bad IE is and that you don't use it and that others are foolish for doing so is self-imposed snobbery, and the likes of you and Eadon contribute (in this instance) little, other than to bash MS/IE.

    2. Hungry Sean

      careful with that word "you"

      As a consumer of corporate IT services, I don't have a say in the broken software selection process that causes horrible things like Ultipro or other Internet Explorer-only web services to be foisted upon me. I suspect that IT frequently doesn't get much say either - some bean counters get wowed by salespeople and they are the ones who get to choose the payroll system (for example). Bean counters who don't give a crap about corporate security or browser compatibility.

      Here at the bottom of the foodchain, there's not a lot of choice. If I want to get on with my real job, the easiest thing is to use IE for anything on our intranet, and since it's already fired up, might as well use it for the internet too. It doesn't make me happy, but it's better than fucking around with some combination of firefox, chrome, and opera and hoping I can find one that is compatible with each of our services with enough cursing, plugins, and modification of settings.

    3. Anonymous Coward

      I guess you don't check all your software properly then - and haven't realised that current versions of Internet Explorer have far FEWER security vulnerabilities than other commonly used browsers like Chrome or Safari? We have nearly eliminated such vulnerable third party browsers from our environment and have far less effort patching each month to complete because of it. Any IE issues are easily patched via WSUS / SCCM.

      1. Grikath

        @AC 19:30

        That's partially true, as each browser has its own small drama theatre when it comes to vulnerability and compatibility. It quite often simply depends on which side of the fence(s) you're parked when it comes to a corporate environment.

        Still... It's stupid to simply compare IE as it is now to the unmitigated frustration it delivered 10 years ago. Then again, 10 years ago Netscape wasn't a rose garden either...

    4. TheVogon

      These are rather more of current note than the IE issues:

      http://secunia.com/advisories/52064

      http://secunia.com/advisories/52116

      Note that the Flash player issue is currently being actively exploited against both PCs and Macs.

  2. Anonymous Coward

    moving to a system that DOESN'T need it.

    Sharepoint is such a Bitch.

    1. auburnman

      Re: moving to a system that DOESN'T need it.

      Is there any actual point to Sharepoint beyond an attempt to drum up some cash for Microsoft? Beyond a few little bells and whistles it just seems to me to be a poor man's much slower shared drive.

      1. Anonymous Coward

        Re: moving to a system that DOESN'T need it.

        In fairness, Sharepoint allows for versioning of the documents, and a slightly better access control model than a normal Windows share.

        Not that you couldn't achieve the same sorts of goals with other solutions, but Sharepoint does them, and does integrate with the rest of Microsoft's applications - which is rather the idea: you need Sharepoint if you use Office, and if you use Sharepoint you really should use IE, and if you use IE you may as well use IIS, and if you use IIS....

        1. Anonymous Coward

          Re: moving to a system that DOESN'T need it.

          In fairness, Sharepoint allows for versioning of the documents, and a slightly better access control model than a normal Windows share.

          At the cost of turning Files into Objects, and hiding the distinction. And requiring IE.

      2. AndrueC Silver badge

        Re: moving to a system that DOESN'T need it.

        Sure. Part of my salary comes from our SharePoint support :)

      3. P. Lee

        Re: moving to a system that DOESN'T need it.

        Has anyone tried using LibreOffice 4 with Sharepoint yet?

        I'd be interested to know the result.

        But yes, Sharepoint is a nasty piece of work - it encourages the use of MS word doc format with embedded visio and excel for the storage of useful information. Pre-2010 it habitually ate documents like a spy with a secret on a bit of paper.

        If you're going to do distributed web authoring with versioning, do a wiki. Don't faff around trying to make Office a web thing.

  3. Anonymous Coward

    Microsoft Internet Explorer.....

    If it was toilet paper, I'd rather use my hand to wipe my arse with.

    1. Anonymous Coward

      Re: Microsoft Internet Explorer.....

      Because your hand is free like Open Source right?

  4. Anonymous Coward

    And Windows Mobile 6.x?

    I bet they ignore Windows Mobile 6.x devices as usual. It's like these things don't exist now that Microsoft has Windows Phone. The realistic end-of-life for WM6.x was as soon as OEMs released their first ROMs to production.

    1. Anonymous Coward

      Re: And Windows Mobile 6.x?

      I guess the browser in Windows Phone is unaffected by this Internet Explorer vulnerability.

      1. Anonymous Coward

        Re: And Windows Mobile 6.x?

        Probably it's unaffected - yes. No unsigned code will run on WP.

  5. Anonymous Coward

    Move along linux users

    Only a horrible road accident to see here.

    1. Silverburn

      Re: Move along linux users

      But I just....can't...look...away....

    2. Fatman

      Re: Move along linux users

      But, some of us actually enjoy watching those WindblowZE (l)users suffer when their chosen platform has another security hole revealed. I almost consider it sport.

      Case in point, a receptionist at one of my doctors' offices did some web browsing with Internet ExploDer, and got nailed with a 'drive-by'. She may have been less likely to have been 'pwned' if she was using Firefox. For certain, she would NOT have been had if she was browsing the net with Linux.

      I have said this before, and it bears repeating: WindblowZE is like a billboard compared to Linux, which is more like a STOP sign. If you are trying to hit a target, which one would be easier to hit, the billboard or the stop sign?

      I rest my case. On the sole count of inadequately protecting its users from the nasties, Windows is GUILTY AS CHARGED!

  6. Refugee from Windows

    Note to Microsoft

    For Windows 9, make the browser (which won't be called Internet Explorer no doubt) an application and not parasitically linked to the operating system, like it should have been since the end of Windows 98 a few years ago. Give the users a real choice, that is, if you opt to not have it, none of its elements remain, even in the registry.

    Whereas open source browsers do have security issues, I would contend they are sorted out more efficiently, i.e. quicker. Just remember that IE is just a piece of free bundled software with support from its vendor related to what you paid for it.

    1. Silverburn

      Re: Note to Microsoft

      I should start off by saying I completely agree with you.

      However, MS have chosen to render some stuff as HTML/XML etc even for "non internet" stuff, so they've got the engine down in the OS as it is, even if you don't use IE as a browser. So while I advocate the complete and utter removal of IE as well, I can - almost - sympathise with MS for not removing it completely for technical reasons.

      However, given the MS programming base, the complete removal of the IE engine should not be a difficult task, FFS. After all, they built it in there, didn't they, so in classic Haynes process "Removal is the reverse of installation" should be a simple procedure.

      "But that will leave you without any web browser!" some shills may scream...err, yes, that would generally be the idea. When your engine is full of holes, I want its complete and utter destruction when I remove it, ta v. much.

      1. Ken Hagan Gold badge

        @Silverburn

        "MS have chosen to render some stuff as HTML/XML etc even for "non internet" stuff"

        That's just the tip of the iceberg. MSHTML has a published API and squillions of third party apps have depended upon it for at least a decade. Microsoft's own use of the library is probably less than 1% of that. MS simply don't have the option of removing it, any more than you could decide to remove the C runtime library from Linux and recode the kernel to use a replacement of your own design.

        That's not to let Microsoft off the hook though. Having decided to offer a standard HTML engine, they have to code it to deal with untrusted content in a secure fashion. At least 99% of HTML is from untrusted sources (web pages), so if the engine isn't utterly paranoid then it isn't fit for purpose.

        1. Tom 13

          Re: MSHTML has a published API

          Rewrite the API to call browser functions instead of specific code, then allow the API to point to whatever browser. If you can't reliably write that, you should never have made such a hash of things in the first place.

          1. John G Imrie

            Re: MSHTML has a published API

            Already been done here http://wiki.winehq.org/MsHtml.

            Admittedly not by Microsoft.

        2. Anonymous Coward

          Re: @Silverburn

          I'll show my ignorance, but I have to ask, what about MS Server? Didn't they remove a lot of superfluous stuff, including IE? If they did that for Server, why can't they do it for Desktop?

    2. Tom 13

      Re: Note to Microsoft

      I'm guessing most of the coders at MS would agree. Unfortunately, the legal eagles won't agree. See, decades ago MS insisted in an anti-trust case that IE wasn't an App, it was a critical part of the OS. And the court bought that fraudulent argument and left them off the anti-trust hook. But now, if they EVER admit it IS an app... Well, let's just say there aren't many things that would bankrupt both MS and Bill Gates, but that's one of them that could.

      1. John Smith 19 Gold badge

        Re: Note to Microsoft

        " Well, let's just say there aren't many things that would bankrupt both MS and Bill Gates, but that's one of them that could."

        One can hope.

  7. John Tserkezis

    Sorry, I had fallen asleep for a while...

    ...and I was awoken by the news that IE was insecure.

    Well, nothing's changed, so I'll go back to sleep.

  8. DJV Silver badge

    57 patches?

    Wow, this must be the Heinz special soup edition!

  9. JDX Gold badge

    A question

    MS manage to patch the OS, IE, Office and other software using one mechanism, which is handy. Every other application I use on Windows seems to have its own update checking mechanism.. and the same appears to be true on OSX (unless you buy through appstore).

    How do you (generally speaking) get updates on Linux systems? Does your package manager do it, or do apps monitor themselves, or is it all down to the administrator to keep on top of these things?

    This is assuming you get OS patches and updates in the same way as Windows/OSX, which seems pretty likely... even Linux has bugs!

    1. Lee Dowling Silver badge

      Re: A question

      I haven't yet met a distro of Linux that doesn't include a command that will automatically update EVERYTHING to the latest stable version. Even Slackware has slackpkg now (and that was THE FIRST Linux distro ever and is generally regarded as being only slightly behind Debian in terms of using up-to-date software). And when I say everything, I mean EVERYTHING from firefox to plugins to libraries to kernels to drivers. That's the beauty of aptitude and similar systems - it is literally that easy and if you want, they'll do it on a schedule for you. And it won't trash your OS or make it so you can't revert back easily (Windows Restore you say? Good luck doing that from unbootable computers like I've sometimes struggled to do, and even in the command-line environment of a rescue boot, you still aren't guaranteed to get back where you were).

      And I've not YET had a single stable Linux update that broke something I used, even when I have some horrendously complex configurations and interdependencies (I'm sure they did somewhere, but I've never seen one), but I've had Windows Updates disabled on many machines because they would just blue-screen X% of the computers at random and require a rebuild if you just let them apply everything they want.

      And, as you point out, Windows doesn't update Firefox and all the other programs and NOR DOES WINDOWS PROVIDE THAT FUNCTIONALITY. If the OS doesn't have a package management paradigm in it, then of course each app will end up bundling its own. But on Ubuntu, say, or Slackware, or Fedora, do you think that Flash installs its own cron job to check updates and bug you like mad if they are 0.0.1 versions out of date? No. Because it provides functionality to do that in a proper, centrally-configured way, and such junk wouldn't be allowed in.

      Linux updating, and aptitude especially, is one of the things that Linux gets SO right that it's really hard to argue against it. Hell, I logged onto a 4-year-old netbook today to install a program I'd written for demonstrating at an open day. The program needed SDL and about 10 other libraries installed in order to run and the netbook was running Karmic Koala (which is technically obsolete now). A couple of clicks in the package manager, it ran off and downloaded 100Mb of necessary dependencies and libraries, and then it all "just worked". Those machines were basically bare-metal and it just discovered and installed 100Mb of random software that was necessary, downloaded it (with appropriate permission), installed it all in the right places, and did so in about five minutes.

      Yet, on Windows, I still have games that take 20+ minutes to install .NET Framework, DirectX etc. libraries that ALREADY EXIST ON THAT MACHINE, in identical versions, but it just takes that long to check and find out, and usually involves downloading a pseudo-installer that downloads a real installer, that runs an MSI, that manually checks dependencies by trawling through filesystems, then downloads missing parts, and THEN starts all over again for the next bit of software. And, in the end, you still aren't guaranteed that you installed hotfix X needed to make it work properly (just had a piece of large, expensive Windows MIS software that needed a particular Windows hotfix installed, a particular version of NET Framework 1, and a particular version of NET Framework 2, etc. and at no point provided any hint that that was what was missing or where to get it from!).

      1. Anonymous Coward

        Re: A question

        @Lee Dowling - I've had two things broken by Linux updates (Centos/Fedora based linuxes)

        Arduino development environment was broken by an update to GCC, it took ages for the Arduino guys to persuade the GCC guys that the problem was with their update and they should fix it. It then took a further ages for the fix to make it from unstables to stables to part of the OS. Happy, I was not.

        Pound proxy was killed by modifications to some libraries removing functionality that was required by Pound, I don't know if it's working again.

        1. CreosoteChris

          Re: A question

          I just dipped my toes in the Linux water a few months ago (Mint 12 running as a Hyper-V VM)

          - Installed NoMachine NX free client to get the full-screen experience. Had to do some config file editing, but that's OK, it taught me some rudiments

          - Upgrade to Mint 14 broke it.

          - Trawled around for a fix and eventually got one (manually downgrade some component called Cairo)

          - Next maintenance update to Mint 14 broke it again.

          I kinda like Mint, impressed with the user-friendliness, installation ease, seems like a big step forward from a couple of years back. As for the update-breaks, maybe I was just really really unlucky.....

          ....but claims that Linux updates just work, and never break anything year on year strike me as "evangelist at work".

          1. Anonymous Coward

            Linux updates just work?

            "....but claims that Linux updates just work, and never break anything year on year strike me as "evangelist at work".

            Never assume that updates will ever work, always make a full system backup before upgrading, this applies to any OS.

            1. Anonymous Coward

              Re: Linux updates just work?

              @dgharmon - I totally agree, and I'd add - don't even bother doing in-place upgrades between versions of any OS; I've had Windows and Linux (Ubuntu) machines break when doing this. The good thing with a clean install is that you demonstrate you know how to migrate a service from one OS install to another, which is more than half way towards a DR type recovery.

              I do quite like the MS VSS snaps which allow you to rollback driver installs and OS updates, should you require. (Other snapshots are available)

              1. Jamie Jones Silver badge

                Re: Linux updates just work?

                Using FreeBSD, I build everything from source. I can easily download the latest STABLE branch, compile the userland and the kernel at 'idle priority', and install them, whilst the machine is live. A simple reboot then reboots the machine into its new OS.

                Occasionally you might get some shared library version missing during the install phase, but from install to reboot only takes a few minutes anyway, so I generally get away with it.

                Remember when multi core processors were first introduced? All the PR spin went on about how you could look at a website whilst burning a cd (etc.)....

                Hello? On an OS with a *proper* scheduling system, this was possible already.

                As for updating third party ports, you usually use "port_upgrade" or similar that keeps track of all changes to over 11,000 third party software packages.

              2. eulampios

                Re: Linux updates just work?

                I do quite like the MS VSS snaps which allow you to rollback driver installs and OS updates, should you require.

                On Linux this is not necessary, you got one kernel. When a kernel gets updated, the old one is not discarded, so if it appears to be broken reboot to the latest stable kernel.

                1. Yet Another Anonymous coward Silver badge

                  Re: Linux updates just work?

                  Of course on VMS we didn't even need to reboot to update the OS

                  On a VaxCluster you could replace the entire machine without the users noticing

                  But that's a cute little unix toy you have there ....

                  now you kids get off my lawn.

                  1. eulampios

                    @Yet Another Anonymous coward Silver badge

                    You might have heard about ksplice, I suppose. Anyways,

                    But that's a cute little unix toy you have there ....

                    Sic:

                    The OpenVMS.org websites are for system administrators, developers, database administrators and technical managers, offering recent industry news, events, links, etc. related to HP's OpenVMS operating system running on the VAX, AlphaServer and Integrity platforms.

                    From the http header of http://openvms.org/

                    Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny4 with Suhosin-Patch

                  2. P. Lee

                    Re: Linux updates just work?

                    and versioning in the file system...

                    I wonder if we could get linux running under a vm on vms?

                2. Anonymous Coward

                  Re: Linux updates just work?

                  @eulampios - you don't know what vss and therefore, presumably, what filesystem snapshots are or what they do, do you?

                  1. eulampios

                    @AC

                    I don't use snapshotting, my anonymous friend, I don't need to. However, LVM (logical volume management) offers even more than that.

                    That is not what you need when you encounter a buggy driver. All of them are contained in the kernel or associated with it. So it's much more simple just to roll back to the latest stable kernel; I know this is not feasible for a proprietary system and is rocket science, really.

                    1. Anonymous Coward

                      Re: @AC

                      @Eulampios - So basically you don't do enterprise IT or any form of highly available IT, it's always good to know where other commentators stand in the industry.

                      I've worked in storage/backup for about 15 years, since snapshots have been available to any system I've worked on, they've been used, be those systems UNIX, Linux or Windows, be those snapshots hardware or software driven. If you'd looked up a little, you'd see that I had just posted a comment about updating a Linux box (mythbuntu) and that the MySQL server was unbound from the external IP address and re-bound to loopback. Not a particularly big problem for me to solve, but time consuming and annoying. However, if this machine had been running a production service, I would have used some sort of snapshot, probably hardware based as there isn't anything native. Reverting to the snapshot would have resolved the problem much more quickly.

                      Updates of software or to database schemas etc have a habit of going wrong, not all the time, but usually when you need them most, saying that you don't need snapshots because Linux doesn't go wrong, invites serious consequences when it inevitably does go wrong.

                      1. eulampios

                        @AC

                        You tell me how to upgrade databases. Snapshotting is possible on Linux, as I said, through, for example, LVM. There is also an emerging fs -- btrfs. You can even go with zfs, but not in the kernel. I do regular backups of the most important things. Say, dumping databases.

                        As far as your MySQL update issue was concerned, you apply your Windows logic, mon ami, despite all your regalia. All you needed was config files. Just like in the discussed case, if you ever tell any Linux or *BSD admin that you use snapshots in case a driver update goes awry, he or she'll take it as a joke.

                        With databases, you do it with special tools (mine is PostgreSQL with pg_upgradecluster etc) or/and by dumping and restoring entire databases.

                    2. Anonymous Coward

                      Re: @AC

                      So you have to roll back everything and reboot - which sucks rather a lot. Versus with a more modern hybrid microkernel architecture like Windows where you can just load a new driver on the fly....

                      1. eulampios

                        Re: @AC

                        So you have to roll back everything and reboot -

                        You just suggested I roll back my entire system to some previous snapshot with everything on the filesystem, now I hear some "hybrid kernel" fairy tales again. FYI, for modular architecture most of the drivers are loadable modules, that can be loaded and unloaded, as the term suggests. In that case you can always install a different driver against the headers of the current kernel if you wish so.

                        Tell me please, why does an awesome hybrid Windows kernel need a reboot when it installs a printer driver on Vista? (not sure about Win7/8) Why would it need a reboot with pretty much any MS update/patch?

                3. Anonymous Coward

                  Re: Linux updates just work?

                  That's not exactly true though, is it - you also have to have the right version of the kernel on the boot loader filesystem. And if something goes wrong, it's a lot of painful text editing and commands to go restore your old version.

                  Whereas on windows, you just select Last Known Good Configuration, or boot into System Restore mode and roll back to the last snapshot - a lot more user friendly and faster - with no having to look up commands how to fix it like on Linux - which can be a bit tricky with a machine that doesn't boot....

                  1. eulampios

                    Re: Linux updates just work?

                    I know, plain text editing sounds very scary to every Windows admin. It's like "a million mouse-clicks" job for us, *nix people. So scaaarrry, I can't type anymore....

            2. Anonymous Coward

              Re: Linux updates just work?

              Well, my experience as a simple user over many years is that it does work. I have mostly used Debian and have regularly clicked on 'System, Administration, Update Manager' to keep the system up to date (well, actually to have an excuse for doing nothing for a couple of minutes). Can't remember any trouble.

              Mind you, I also use Win XP a bit and regularly update that (same reason and same result). So keep up the good work of expertly moaning about details, it all improves the user experience for us ignorant plebs.

          2. Kiwi

            @CreosoteChris Re: A question

            ....but claims that Linux updates just work, and never break anything year on year strike me as "evangelist at work".

            Linux Evangelist here. Microsoft should suffer slow horrible death yadda yadda yadda...

            Anyways, most of the time IME Linux updates work without fuss. Sometimes, they make such a mess of things that a full reinstall is necessary.

            I have an Ubuntu install that's been through 3-4 laptops and a couple of desktops (i.e. I just copy my current install when I want a new one, or I swap the drive into a new machine - no "must reactivate", very seldom any driver issues (none that last more than a few minutes)), that I've been using since IIRC 2007 without a single reinstall. No problems with updates or anything. I have Mint 14 KDE and Cinnamon installs for testing (now favouring KDE for look and feel that is more suited to MY tastes), also no problems.

            But I do have a couple of machines that've been knocked about enough to require reinstalls, and a couple (specifically an older (~5yrs) Acer desktop) where some hardware is not supported very well by most distributions. And some even older Toshiba laptops where hardware support is either a dream or an absolute PITA depending on which distro you try to use.

            HTH

        2. Anonymous Coward

          Re: A question

          Make that three things: I've just spent over an hour working out why updating my Mythbuntu frontend workstation and backend server has prevented the frontend working. It turns out that the update to mysql on the backend changed the binding of the database service to localhost.

          Grr...

      2. John Smith 19 Gold badge

        Re: A question

        "And, as you point out, Windows doesn't update Firefox and all the other programs and NOR DOES WINDOWS PROVIDE THAT FUNCTIONALITY."

        That was my big concern.

        Windows is history for me. My next box is Linux.

        Thanks.

      3. Anonymous Coward

        Re: A question

        I've just updated my entire Linux Mint distro from 13 to 14 using the command line. Got the info from a website and didn't lose a file or any functionality. The whole process took about 2 hours. Oh, the wonders of FTTH and a good Linux distro.

        The website provided below is where I got the info. Worked great for me, but to protect my butt I must say I can't guarantee it'll work for you. Just like the website advises. Before people start jumping on that, I would suspect that people paying for a distro with support would have those guarantees.

        http://www.scottalanmiller.com/linux/2012/11/21/upgrading-from-linux-mint-13-to-linux-mint-14/

      4. Anonymous Coward

        Re: A question

        Sounds just like my experience of trying to use Erlang dependent software on Centos 6 that worked just fine on Centos 5. Except that didn't fix itself. And you couldn't just do an OS upgrade install like you could if it was Windows - you had to wipe the system and start from scratch.

        Installing stuff on Linux sucks a million times more than on Windows. Just try the Office 2013 preview for instance - it starts installing in the background, and starts running while still streaming code in the background as required - and is absolutely amazingly fast at doing this.

        Windows updates everything that ships on the DVD, and a lot more besides. Linux only updates software that was installed from a defined repository - which is by no means everything.

    2. Paul Crawford Silver badge

      @JDX

      That is a perfectly good question for any non-Linux user and it is disappointing to see that someone down-voted you for it.

      As a general rule, you have two options for installing software on a Linux box:

      1) Use the supplied package manager such as aptitude to get it from one of the original repositories, or from one that you have added.

      2) Install directly from a file such as the .deb ones used for Debian-based systems (such as Ubuntu).

      In the first case you are limited to what is officially offered for your system, but it will automatically handle any updates and their dependencies. You can configure what it will do, and for my own machine I choose to be notified and install manually, for my friends/family I choose to update security stuff automatically.

      In the second case you can install ANYTHING and of course that needs the usual (and often missing) sense of what is safe or otherwise to install. Unless said .deb file adds a repository automatically (as Opera do), it is up to you to manage updates.

      In general it is a good system, not perfect, but an order of magnitude better than Windows where critical updates such as Adobe stuff can't use MS' own update system and so pollute the machine with updaters, all gobbling resources and giving non-technical users gibberish messages that they either accept blindly (good for malware writers) or ignore (also good for malware writers!).

      MS' market place system should avoid that, but has all sorts of dubious side-effects where money and freedom are related (as iOS also has).

      1. Anonymous Coward
        Anonymous Coward

        Re: @JDX

        As a general rule, you have two options for installing software on a Linux box:

        There is a middle way between these two extremes.

        If the package already exists, but is not yet available at the most up-to-date upstream release level you can (for example with Debian packaging) 'apt-get source' and update the upstream component and debian/control + debian/changelog files and build your own .deb package that integrates perfectly with the system's packaging mechanism.

        Less trivially, you can build your own from scratch with debhelper and friends.

        Installing raw upstream stuff is just insane ... but that's what VMs are for.

        The best thing about Windows Update is Stuxnet's PoC.

      2. Pookietoo

        Re: In the first case you are limited to what is officially offered for your system

        That's incorrect - you can add third party repositories to your package manager, which will then allow you to install and update the unsupported software as if it were included in the distribution.

        1. Anonymous Coward
          Anonymous Coward

          Re: In the first case you are limited to what is officially offered for your system

          Yes - but you have to go do that - and trawl out a long URL - and make sure the cert is trusted, etc, etc. Not exactly automatic.

      3. JDX Gold badge

        @Lee & Paul et al

        Thanks for the informative answers.

    3. Charlie Clark Silver badge

      The key's in the name

      Berkeley Software Distribution. Had separate ways to update the OS and applications pretty much from the word go, though they have changed over time.

      Typical system upgrades might look a bit like this:

      1) sign up to the relevant mailing lists, e.g. BSD security

      2) have a backup strategy and only update when you have to

      3) freebsd-update fetch install

      Depending upon your environment you can also run this in jail to see whether your system will be adversely affected - this rarely happens with system updates but applications can and so step on each other's toes.

      Applications are managed separately from the OS and updates can be run much more frequently:

      1) portsnap fetch update

      2) portmaster -ad <- this will compile from source but also allow you to create packages for distribution if you have several machines

      Separating the OS from applications might explain why applications on BSD are not frozen in lockstep with a version of the OS as they are on RedHat and Linux. Though to be fair that has something to do with the attitude of the package maintainers on Linux systems. BSD's ports are only metafiles which will allow apps to build but you are responsible for them running properly. Nobody's managed to explain to me why this means RedHat still ships with Python 2.4 (or at least it did the last time I was on a RedHat system), a version that has not been maintained by the PSF for over 5 years.

      This might explain why BSD systems have notoriously long uptimes.

      1. eulampios
        Linux

        Re: The key's in the name

        Nobody's managed to explain to me why this means RedHat still ships with Python 2.4

        So why did FreeBSD manage to remain with gcc 4.3.1 (2007) up to now?

        As far as the FreeBSD update mechanism is concerned, it's not that great. Although I did like the "make install" from option, in my experience, a few times a package might not build. Say, gnome 3.24, open office did not build properly as I remember on 7.1 (for some reason binary pkg OO was not available for x32 version).

        This might explain why BSD systems have notoriously long uptimes.

        How much longer is it, notoriously, than Linux servers? Is this known to yandex and rambler mail, major Russian Internet companies? (BTW, nginx was born while Igor Sysoev worked for rambler) They have recently switched to Debian and Ubuntu, resp. (mail.ru migrated even earlier), for many reasons, including package management and updating issues and more, in case either your Russian or Google Translate is helpful.

        And BTW, who is the main sponsor of FreeBSD? Isn't it that company that invented rectangles with rounded corners?

        1. John Brown (no body) Silver badge
          Devil

          Re: The key's in the name

          who is the main sponsor of FreeBSD? Isn't it that company that invented rectangles with rounded corners?"

          No. Because the BSD licence basically says, "do as you will with the code except claim it as your own creation, and credit the author." Companies such as Apple have used fairly large chunks of the code. They've even donated code back to BSD.

          So no, I'd not call Apple a sponsor, and definitely not the main sponsor.

          1. eulampios

            The FreeBSD controversy

            The reason FreeBSD is so adamant against the GPLv3 version of gcc was purely political and ... yes strange. Version 3 of the GPL does not impose any restrictions on the compiled code. You can still license the resulting binary with any version you want. However, they do admit that "it would be bad for our sponsors", going even further to suggest who that sponsor is. If this is about the values, then tell us please how much less of BSD values do DragonflyBSD guys have?

            Now with clang being on par with the outdated gcc 4.2 in the compiled code performance, one would question FreeBSD performance in general. The latter is well known to be inferior to GNU/Linux in most aspects. While, IMHO, other BSD siblings have historically something unique to offer:

            - OpenBSD -> security

            - NetBSD -> portability (even higher than Linux)

            - DragonflyBSD -> peculiar kernel architecture

            And BTW, their sponsors do not reek as much as one of FreeBSD's famous and infamous ones.

        2. Jamie Jones Silver badge

          Re: The key's in the name

          > So why did FreeBSD manage to remain with gcc 4.3.1 (2007) up to now?

          The FreeBSD project were not happy with the license change for later versions of gcc, and did not want to include it in the base distribution. You can still install gcc 4.4, 4.6, 4.7, and 4.8 easily enough from the 'ports' system.

          FreeBSD 10 will be built by clang instead of gcc.

          From here:

          FreeBSD and the GPL v3: The GPL v3 explicitly forbids the so-called Tivoisation of code, a loophole in the GPL v2 which enabled hardware restrictions to disallow otherwise legal software modifications by users. Closing this loophole was an unacceptable step for many in the FreeBSD community:

          Appliance vendors in particular have the most to lose if the large body of software currently licensed under GPLv2 today migrates to the new license. They will no longer have the freedom to use GPLv3 software and restrict modification of the software installed on their hardware... In short, there is a large base of OpenSource consumers that are suddenly very interested in understanding alternatives to GPL licensed software.

          Because of GCC's move to the GPL v3, FreeBSD was forced to remain using GCC 4.2.1 (GPL v2), which was released way back in 2007, and is now significantly outdated. The fact that FreeBSD did not move to use more modern versions of GCC, even with the additional maintenance headaches of running an old compiler and backporting fixes, gives some idea of the strength of the requirement to avoid the GPL v3. The C compiler is a major component of the FreeBSD base, and "one of the (tentative) goals for FreeBSD 10 is a GPL-free base system".

          1. eulampios

            Apple friends

            goals for FreeBSD 10 is a GPL-free base system

            I guess that, yet the ultimate goal is to get FreeBSD a common-sense-free system.

    4. Anonymous Coward
      Linux

      How do you get updates on Linux systems?

      > How do you (generally) speaking get updates on Linux systems?..

      There's a "Software Updater" app that can be configured to prompt you daily, every two days, weekly or every fortnight. But I find it best to not update a fully working system, until at least version 2.xx comes out. If I do update then I take a full system backup, currently only 7GB ...

    5. Anonymous Coward
      Windows

      @JDX

      "How do you (generally) speaking get updates on Linux systems?"

      People downvoting you for asking questions, doh.

      Others have already explained some of the technical aspects; you get them either through the software repositories of the OS (distribution) itself or you start patching manually (whenever you installed something manually).

      But here's another very important aspect: generally speaking you're basically installing a new version, not an update per se. It wouldn't be the first time where a program had some specific changes in the way it worked or behaved. Sometimes for the better, but also sometimes for the worse.

      The main problem is basically that a lot of people maintain a lot of products and they all apply their own policies. Sure; to some end the same applies to Windows; you have your core OS and several programs you use on top of it. But the core environment will remain the same while still getting updates, and that's what I personally like.

      1. eulampios

        Re: @JDX

        Please, stop automatic downvoting.

        Eadon, JDX and SheLluser, my apologies for those people

  10. Anonymous Coward
    Anonymous Coward

    What a cluster

    IMO, Microsucks O/Ss are so insecure that it's a crime, literally. Microsucks should be fined $10 million for every security issue in every version of Windoze. It's a disgrace and injustice to allow them to sell such crap and make consumers deal with the aftermath of such reckless behavior.

    1. Anonymous Coward
      Anonymous Coward

      Re: What a cluster

      Obvious troll is obvious troll. Shock.

    2. JDX Gold badge

      Re: What a cluster

      Hmm, who is going to pay for issues in Linux? Torvalds?

  11. Anonymous Coward
    Thumb Down

    Just FYI - For those who poo-poo IE again

    Unfortunately with Microsoft's training, you *have* to use it. A lot of their crap still needs it, and hence you can't get away from it.

    So as much as most of us reading this site switch to different browsers, in some cases we DO NOT HAVE A CHOICE.

    Sorry.

    1. Anonymous Coward
      Anonymous Coward

      Re: Just FYI - For those who poo-poo IE again

      Poxy government and large corporates with their fuckwit IT contracts. The only way one can deliver software is using a browser and the tossers not only insist on internet exploder, but they lock the sodding thing down so it won't work. So the only tools one has is a useless piece of shit browser.

      FTW

      AC cos the feckers are watching me.

  12. bag o' spanners

    All browsers have vulnerabilities. We expect new features to be rolled out every 15 seconds, but bleat when they aren't bomb-tested prior to rollout.

    Public sector monoliths are so jittery about security patches that they prefer to take the entire system offline for a whole weekend in order to soothe their nerves. Which is why it's not uncommon to see ancient versions of SQL Server, Office, and IE in wide usage in their workplace. The impact on workforce morale and productivity is purely negative. The implications for mission critical application upgrades that rely on latest versions are routinely catastrophic.

  13. Don Mitchell

    Two Statements

    1. IE kinda sucks. Probably true.

    2. Other browsers are flawlessly programmed, totally secure, and not in need of the same intensive testing and patching. Probably false.

    1. Anonymous Coward
      Anonymous Coward

      Re: Two Statements

      1. IE kinda sucks. Obviously true.

      2. Other browsers are better programmed, more secure, and not in need of the same intensive testing and patching. Probably true.

      1. Anonymous Coward
        Anonymous Coward

        Re: Two Statements

        Security vulnerability statistics say not true....

        1. Anonymous Coward
          Anonymous Coward

          Re: Two Statements

          ....only the "security vulnerability statistics" bought by Microsoft though. Funny that.

          1. Anonymous Coward
            Anonymous Coward

            Re: Two Statements

            Nope, the actual lists of vulnerabilities from the vendors and as verified by CERT, Secunia and others show that IE9 and IE10 have consistently lower vulnerability counts than most other major browsers...

            Just like Microsoft's current OSs also have had lower vulnerability counts than commercial rivals like Red Hat, SUSE and Mac OS every year since 2004.

  14. Gray
    Gimp

    It's not that they don't care ... they're just bloody incompetent!

    There's little room for caring in a corporation that has defined the concept of "arrogant monopoly." Which means that the wailing and gnashing of teeth from the user base has as much effect as the complaints of the peasantry had upon the nobility of 18th Century France.

    What causes me pause is the notion that of the 57 patches, 50 are serious or critical. For Windows XP?? And IE ver. 6?? And these patches are to fill holes and fix vulnerabilities that have been exposed for how long? Years and years? Sure, it's nice that they finally get around to fixing them ... but one begins to wonder: how many more holes are there in that leaky sponge?

    The world is gearing up for cyber warfare. Somehow the demonstrably incompetent performance of the world's leading software house leaves me less than confident. Now that the entire retired population of the U.S. is drawing their social security via direct deposit electronic transfer, elders can lay awake at night and ponder the fact that the government and the banks are running M$ product.

    1. Anonymous Coward
      FAIL

      @Gray

      Take a program like OpenSSL on Debian. Pretty high end in my opinion because it's basically the de-facto tool for SSL certificate maintenance and administration on a Linux environment (also runs fine on Windows btw).

      And some day one or more Debian package maintainers got it into their heads that they knew better than the OpenSSL authors and applied changes to the program to make it more, I dunno, Debian like? Only problem was that this patching of theirs inserted a major exploitable security flaw into each and every key made by this release of OpenSSL. To make matters worse: Debian has a lot of forks, including an at that time highly popular distribution called Ubuntu.

      Well; as a result all keys between January 2006 and May 2008 were affected.

      That's 2 years of misery on a program which is heavily used, and not only that; also specifically used for security purposes.

      You were saying ?
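
The flaw the poster above is describing is CVE-2008-0166 (Debian Security Advisory 1571): the Debian patch to crypto/rand/md_rand.c commented out the calls that mixed caller-supplied and uninitialised-buffer bytes into the PRNG pool, to quiet Valgrind, which left the process ID as the only input that varied between runs. With PIDs limited to 32768 values, every key type and size had only that many possible keys, all of which were later precomputed and shipped as blacklists (openssh-blacklist, openvpn-blacklist). What follows is an added toy simulation, not OpenSSL or Debian code: a constructed "generator" whose only seed is the PID, the attacker's precomputed table, the defender's blacklist check, and the generator with entropy mixed back in for contrast.

```python
"""Toy model of CVE-2008-0166, the Debian OpenSSL PRNG flaw. Added example;
a constructed simulation, not OpenSSL code. The 'key' is a hash of the PRNG
seed; in the real bug the seed was the actual RSA/DSA key material."""
import hashlib
import os

PID_MAX = 32768  # default Linux pid_max: PIDs 0..32767


def weak_keygen(pid: int) -> bytes:
    """Patched generator: the PID is the only thing that reaches the pool,
    so the key is a pure function of it (constructed model)."""
    return hashlib.sha256(b"toy-prng|" + pid.to_bytes(4, "little")).digest()


def sound_keygen(pid: int) -> bytes:
    """Same generator with the removed entropy mixing restored."""
    seed = os.urandom(32) + pid.to_bytes(4, "little")
    return hashlib.sha256(b"toy-prng|" + seed).digest()


def fingerprint(key: bytes) -> str:
    """Blacklists stored truncated key fingerprints, not the keys themselves."""
    return hashlib.sha256(key).hexdigest()[:20]


def weak_key_table(pid_max: int = PID_MAX) -> dict:
    """Attacker's precomputation: every key the weak generator can emit,
    indexed by public fingerprint, mapped back to the secret (here the PID)."""
    return {fingerprint(weak_keygen(pid)): pid for pid in range(pid_max)}


def weak_key_space_size(pid_max: int = PID_MAX) -> int:
    """How many distinct keys the broken generator can produce at all."""
    return len(weak_key_table(pid_max))


def is_blacklisted(key: bytes, table: dict) -> bool:
    """Defender's check, what ssh-vulnkey / openssl-vulnkey did against the
    shipped blacklists: is this key one the weak generator could have made?"""
    return fingerprint(key) in table


def recover_secret(key: bytes, table: dict):
    """Attacker's lookup: given only the public fingerprint, return the
    private material, or None if the key came from a sound generator."""
    return table.get(fingerprint(key))


if __name__ == "__main__":
    table = weak_key_table()
    victim = weak_keygen(os.getpid() % PID_MAX)
    print("distinct weak keys:", weak_key_space_size())
    print("victim key blacklisted:", is_blacklisted(victim, table))
    print("recovered secret:", recover_secret(victim, table))
    print("sound key blacklisted:", is_blacklisted(sound_keygen(1), table))
```

The table takes a fraction of a second to build here; the real precomputation was larger only because each entry was an actual key generation, which is why the attack was practical for anyone and why the remediation had to be "regenerate every key made on an affected system", not just upgrade the library.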

      1. Destroy All Monsters Silver badge
        Holmes

        Re: @Gray

        > You were saying ?

        What are _you_ saying?

        1. Wibble

          Re: @Gray

          I read it as he was implying that Microsoft had fucked up an already shite browser during a subsequent 'improvement'/update.

          My problem is that IE6 on XP hasn't had an 'improvement', well, since SP3.

          Quite frankly it's a dreadful state of affairs.

    2. Anonymous Coward
      Anonymous Coward

      Re: It's not that they don't care ... they're just bloody incompetent!

      If XP is a 'leaky sponge' on ~ 450 vulnerabilities, how do you class Mac-OS (over 1,800 known vulnerabilities!) or SUSE10 (over 3,700 known vulnerabilities!) ?

  15. Anonymous Coward
    Anonymous Coward

    Ya think?

    When was any Microsucks browser secure? Maybe before it was ever used or launched, but not 1 second afterwards. Microsucks is a company who has duped the world and become multi-billionaires many times over by selling defective software, which IMO is a crime that they should be punished for with treble damages of the annual income for the past 26 years and mandatory prison sentences for Bill Gates and all executive staff at Microsucks from 1985 to date.

    1. Anonymous Coward
      Anonymous Coward

      Re: Ya think?

      RICHTO? That you? Trying your hand at a spot of "reverse psychology"?

    2. Anonymous Coward
      Anonymous Coward

      Re: Ya think?

      "Microsucks" is so noughties - possibly even nineties

      Anyone who looks at the phone and tablet market should know that it's now "Me-Too-Soft"

  16. Gray
    Facepalm

    @Shell_user: So what we have here is a suckiness contest ... ?!

    A Debian package maintainer screwed up (you say) and we've got insecure keys. Not good, obviously. I bet nobody turns him loose with the keys to the car again, anytime soon.

    But, yer point? A Debian maintainer screws the pooch, and that lets MS off the hook? All is sweetness and goodness cuz the FS/OSS side is suckier? Is that yer point, Bucky? Cuz I ain't buyin' it. All that does is make me even less confident that our systems are secured against the cyber onslaught. Where's yer reassurance that an endless barrage of patches to fix eternal MS screw-ups will keep our electronic glory-hole from imploding in on itself in one glorious sucking event?

    I gotta tell ya, Bucky ... 57 patches goin' all the way back to XP and IE 6 ain't the way to make me sleep better at night.

    1. This post has been deleted by its author

  17. Yet Another Anonymous coward Silver badge

    Impressive code reuse

    This security flaw affects all versions of IE from 1 to 99, running on Windows 3 to 8, on X86 and ARM

    That points to some very good software architecture and framework design!

    1. John Smith 19 Gold badge
      Unhappy

      Re: Impressive code reuse

      "This security flaw affects all versions of IE from 1 to 99, running on Windows 3 to 8, on X86 and ARM

      That points to some very good software architecture and framework design!"

      True.

      But some desperately s**t testing practices.

  18. Anonymous Coward
    Anonymous Coward

    Reality eventually catches up

    There is no doubt that Microsoft products are the greatest security risk in PC history not because of their sales volume but due to the volume of security holes that result from badly written code with no priority given to security from the beginning. Trying to fix horrible code after it has been distributed with patch after patch after patch is futile. If consumers knew prior to purchase just how many known security issues exist, it's highly unlikely they'd ever buy or use Microsoft products. It's criminal to defraud consumers in this manner and reap fortunes for doing so.

  19. Boris S.

    What's the big deal?

    It's only 57 more security holes. Another day, another ten security holes reported. This isn't something new, just a never ending saga.

  20. Christian Berger

    Yes, but that's not a problem...

    Because Internet Explorer 10 recently got the seal "tested Software" from the TÜV, the German institution checking cars for road safety. (The TÜV is a descendant of regional organisations called Dampfkessel-Überwachungs- und Revisions-Vereine which checked steam boilers; it's also the testing institution you saw in Top Gear with that mobile car test stand, with its own lobby.)

    So there's nothing to worry about. It's tested. :)

  21. Anonymous Coward
    Anonymous Coward

    Metro is a bug. A very serious one.

  22. Thomas Martin
    Unhappy

    They need to either fix all the holes or get rid of MSIE

    Every week, every month we get patches for MSIE. By now you would think Redmond would have gotten the message that MSIE is far from what we need and is very buggy and wide open to hackers. They need to either make a mass fix of all the problems or get rid of it. While Firefox has its problems, they are nowhere as paramount or serious as MSIE. And Google Chrome may beat them both.

    1. Anonymous Coward
      Anonymous Coward

      Re: They need to either fix all the holes or get rid of MSIE

      Actually, if you look, both Chrome and Firefox have both more bugs and more critical bugs than the current versions of IE...

    2. Stuart Castle Silver badge

      Re: They need to either fix all the holes or get rid of MSIE

      Bearing in mind that a few years ago, IBM did a study and found that on average, for every 1,000 lines of source code, there was at least 1 bug in every piece of software, what would you rather have?

      a) A browser whose maintainer freely admits to bugs and fixes them regularly?

      b) A browser whose maintainer rarely, if ever, fixes bugs?

      The fact is that NO SOFTWARE IS BUG FREE. Whether that software happens to be a browser, an OS, a compiler, a word processor, a database or whatever software you care to name.

      What matters is the severity of those bugs, how proactive the company behind the software is at finding them, and how quickly they can release tested fixes for those bugs.

      I am no fan of any particular OS (although I do like Opera as a browser, followed by Safari), but I do believe that MS have been particularly good recently for both finding bugs in their software, and fixing them quickly.
