Silverlight
"Silverlight is widely used as an alternative to Flash"
Microsoft plans to deliver seven bulletins next week, four critical, and three important, as part of the March edition of its regular Patch Tuesday update cycle. The most troublesome of the critical vulnerabilities carries a remote code execution risk and affects every version of Windows - from XP SP3 up to Windows 8 and …
Well when I said Linux I was speaking about Desktop / HTPC (Desktop) Linux, and not embedded Linux which is likely some encrypted closed source binary package that wouldn't work outside of that environment.
Or maybe Netflix are making good on their promise to fully go HTML5. In any case I'm not aware of any proper Linux being able to run Netflix. 'cause if it did, and were only like 6.00€ a Month for their "all ya can eat" deal. I so would ditch my Cable Operator in a snap!
"Latest turn of the Hamster Wheel of Pain" - patching Microsoft stuff is at worst very simple, at best fully automatic, and is virtually always issue free and well tested.
Shame the open source world doesn't work like that, but is a mishmash of dependency issues and not fully regression tested patches released on a random schedule. Not a good foundation for anything mission critical or enterprise targeted.
Updates for Linux work IF they have not changed the kernel API/ABI or libraries. So for Long Term Stable versions for 3-5 years after the version came out. IF the stuff you need is in the matching/approved repository. If not the old Twilight:2000 broadcast applies: "Good luck, you are on your own"
Not that repositories or any other auto-update from a non-controlled source is usable in a company environment. Patching systems without prior checks is acceptable on a private box assuming system and data are separated. Worst case you lose your weekend re-setting the computer. A sane company will test and then use a local "repository" to push the patches. WSUS or its surely existing FOSS equivalent(1) will do the job then.
(1) That, as Eadon or Old Warhorse will tell us is FAAR better anyway
Nonsense. The open source world *does* work like that:
Debian (like): apt-get update; apt-get [upgrade | dist-upgrade]
Red Hat (like): yum update
And I am pretty sure that there are GUI applications that would do the same.
And you only have to reboot if the kernel is updated, and then only to use the new kernel - the old one usually works fine until reboot at a convenient time.
Windows, on the other hand almost always requires at least one reboot. I recall a time when a Windows XP bearing laptop I was patching required three consecutive applications of patches, each followed by a reboot, to be brought up to date. While that admittedly had not been updated in a while, in the same circumstance a Debian Linux installation would have been brought up to date with one update cycle and one reboot. And the patch set will have been reasonably tested and thoroughly integrated (assuming the update is from the "stable" target). I am less familiar with Red Hat or SuSE, but suspect they are much the same.
And you only have to reboot if the kernel is updated, and then only to use the new kernel - the old one usually works fine until reboot at a convenient time.
Wrong: Updates to (at least) hal, glibc, dbus and xen require reboots.
Also - updates to Windows usually work in similar manner you describe - after updates you can postpone the reboot until a convenient time.
While that admittedly had not been updated in a while, in the same circumstance a Debian Linux installation would have been brought up to date with one update cycle and one reboot.
I cannot speak for Debian but updating a couple of years old supported distro certainly doesn't mean that it will be up to date. With RHEL or CentOS, Firefox/LibreOffice etc. won't update to the latest versions and you manually need to update them because repos haven't been refreshed.
Wrong: Updates to (at least) hal, glibc, dbus and xen require reboots.
You seem to be in the wrong here. If xen touches the kernel it does require a reboot (unless ksplice is used). As far as glibc (hal and dbus) is concerned it very rarely does. When that happens all necessary services are restarted by the updater (apt in my case). When you do absolutely need to reboot the whole machine it prompts for this (creates a file /var/run/reboot_required (again, speaking for a Debian based system)).
My own server/desktop example:
Thu, Feb 28 2013 09:46:36 -0600
------------------------------------------------
[UPGRADE] libdbus-glib-1-2 0.84-1ubuntu0.2 -> 0.84-1ubuntu0.3
uptime:
3:22:35 up 37 days, 21:45
============================
Also - updates to Windows usually work in similar manner you describe - after updates you can postpone the reboot until a convenient time
Never had to reboot my desktop after updating firefox/chromium/konqueror/epiphany even lynx and libreoffice, gnumeric ;-) However Microsoft says this:
Bulletin 1 Critical,Remote Code Execution: Microsoft Windows, Internet Explorer --> Requires restart. The other one bull.3 for Office "may require restart".
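A practical form of the two checks discussed in the exchange above (does the updater want a full reboot, and which running processes still hold the old library until their service is restarted), added here as an example and not taken from any post in this thread or from Debian/Ubuntu itself. It assumes the Debian/Ubuntu convention of a marker file `/var/run/reboot-required` (the file name uses a hyphen) plus `/var/run/reboot-required.pkgs` listing the packages that asked for the reboot, and it reads `/proc/<pid>/maps` for mappings of deleted files. The `make_fixture` helper builds constructed sample data so the script runs offline; `--live` runs it against the real system.

```shell
#!/bin/sh
# Added example for the reboot discussion above; not from any post or from
# Debian/Ubuntu. Assumes the Debian/Ubuntu convention that upgrades write
#   /var/run/reboot-required        (marker file)
#   /var/run/reboot-required.pkgs   (one package name per line)
# when a replaced package (kernel, libc, dbus, ...) needs a full reboot.

# reboot_pending [ROOT]
# Exit 0 and print the unique package names that requested the reboot if the
# marker exists under ROOT (default: the live system); exit 1 otherwise.
reboot_pending() {
    root="${1:-}"
    marker="$root/var/run/reboot-required"
    pkgs="$root/var/run/reboot-required.pkgs"
    [ -f "$marker" ] || return 1
    [ -f "$pkgs" ] && sort -u "$pkgs"
    return 0
}

# stale_lib_procs [PROCROOT]
# Print "PID path" for every process whose memory maps still reference a file
# that was deleted or replaced on disk: the old library lives on in memory
# until the service restarts, which is why apt restarts services after a
# glibc or dbus upgrade. PROCROOT defaults to /proc.
stale_lib_procs() {
    procroot="${1:-/proc}"
    for maps in "$procroot"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#"$procroot"/}
        pid=${pid%/maps}
        # Keep the path of lines ending in " (deleted)", drop pseudo files.
        sed -n 's/^.* \(\/[^ ]*\) (deleted)$/\1/p' "$maps" \
            | grep -v -e '^/dev/' -e '^/memfd:' \
            | sort -u \
            | while IFS= read -r lib; do
                printf '%s %s\n' "$pid" "$lib"
            done
    done
}

# make_fixture DIR
# Build a constructed snapshot (sample data, not from a real machine) under
# DIR so both checks can be exercised offline.
make_fixture() {
    dir="$1"
    mkdir -p "$dir/var/run" "$dir/proc/1234" "$dir/proc/5678" "$dir/clean/var/run"
    printf '*** System restart required ***\n' > "$dir/var/run/reboot-required"
    printf 'linux-image-3.2.0-38-generic\nlibc6\nlinux-image-3.2.0-38-generic\n' \
        > "$dir/var/run/reboot-required.pkgs"
    # PID 1234 still maps the libc that the upgrade replaced on disk.
    cat > "$dir/proc/1234/maps" <<'EOF'
7f3a1c000000-7f3a1c1b5000 r-xp 00000000 08:01 393356 /lib/x86_64-linux-gnu/libc-2.15.so (deleted)
7f3a1c1b5000-7f3a1c3b4000 ---p 001b5000 08:01 393356 /lib/x86_64-linux-gnu/libc-2.15.so (deleted)
7f3a1c3c0000-7f3a1c3e2000 r-xp 00000000 08:01 393300 /lib/x86_64-linux-gnu/ld-2.15.so
7f3a1c5e0000-7f3a1c5e1000 rw-p 00000000 00:00 0
EOF
    # PID 5678 was restarted after the upgrade: only live files are mapped.
    cat > "$dir/proc/5678/maps" <<'EOF'
7f1200000000-7f12001b5000 r-xp 00000000 08:01 393400 /lib/x86_64-linux-gnu/libc-2.15.so
7f1200400000-7f1200401000 rw-p 00000000 00:00 0
EOF
}

# Run against the live system:  sh reboot-check.sh --live
if [ "${1:-}" = "--live" ]; then
    if reboot_pending; then echo "reboot required"; else echo "no reboot pending"; fi
    stale_lib_procs
fi
```

On a fleet, the second check is the more useful one: a host with no marker file can still be running a daemon against the pre-patch glibc, and that shows up only in the process maps, not in the package database.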
Really? I knew of only one site that uses Silverlight prior to this article and now I know of two.
I block Silverlight installs on all but one of my PCs (which is used for watching the one site I knew of) and have never noticed it was missing.
"A lot of people could say they couldn't name 2 amino acids."
That's a very strange way of stating the bl**ding obvious. Most people can't know most things, given the size & complexity of the universe.
Now I can name all the amino acids and indeed some rather rare variants - but I don't know many sites that use Silverlight
Sigh.
"Most people can't know most things, given the size & complexity of the universe."
Yup, that is indeed the point. Just because one person hasn't seen something doesn't mean it's not widespread, so Irongut's comment is pretty pointless. Other than the old feeble "It's from a company i don't like so I'll try to play it down" attack. Of course you've used the same argument yourself, so I can see why you'd defend it.
"Now I can name all the amino acids and indeed some rather rare variants - but I don't know many sites that use Silverlight"
So from what I've seen so far (responded to this before looking for any later responses,) a sample of one. Who calls himself a chemist. Even if 100 Reg readers can name 2, or 20, so what? As I see it my point still stands.
"I'm going to go for arginine and proline."
Don't know who your post was directed to. If it was me and you're suggesting that arginine and proline are rare then think again. Arginine is very common, being one of those amino acids found on the surface of proteins and is also the source of the vasodilator nitric oxide that we all depend on, proline is also common especially in collagen where it is post-translationally modified to hydroxy-proline and seems necessary to generate the triple helix form of collagen.
On the other hand if you didn't mean me have a good weekend.
Spec's don't have bugs, all they can have is ambiguity, and that after 3 implementations over decades, you're telling me that each of them did it exactly the same?
I bet Microsoft developers get issued a programming guide that was developed by the Customer Support group, who know how to keep themselves employed...
"Don't MS keep telling us that all the code is new at each release?"
You actually believe that? How many hundred million lines in a Windows release, and you seriously believe that they chuck the whole lot out and start again for the next one?
Earth calling Anonymous Coward: Microsoft's marketing department doesn't always tell the truth.
"Earth calling Anonymous Coward: Microsoft's marketing department doesn't always tell the truth."
So lying about security is OK?? Microsoft (and even Mr Monkeyboy himself) have said that later versions of Windows were inherently secure because the code was new but these "All versions of Windows including XP" seem to keep cropping up.
Yeah, I am also pretty sure they have never said that, because it would be stupid and is quite obviously not the case.
All modern versions of Windows are built on NT. Hence the version name, NT6.1 = Windows 7; NT6.2 = Win8. One of the fundamental tenets of software engineering is code re-use.
Unlike quite a few Android systems that are neither old nor cheap and have nice security holes on the OS level. Got rid of one (Note 10.1), am stuck with another (N7000) that is only usable as a WLan router and "dumbphone" since it can't be trusted with anything else. Oh ye gods give me an iOS or WP8 unit with stylus and I sacrifice a keg of wine to Bacchus(1)
(1) Join the followers of the Greek pantheon - the party pantheon!
They are not. PARTS of Android are but some crucial components are not. So even assuming I trust CM after the "unlock pattern storage" it still won't fly for me since the only reason to use an Android phone (stylus) will not work with CM.
Besides: Security patches are something the producer should deliver not a "community" that may or may not be able to do it
So four third-party programs have bugs, as has one MS application! Not even sure the [Windows] tag refers to all of them from the way it is written. And at least the Java bug is system independent since it is in the browser plugin that will (or will not) be used on other OSes as well (documented for MacOS).
And as Eadon told us a few times the IE bug can not be important because nobody uses IE.
Not exactly right: here
it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process. We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges.
As far as the firefox hacking is concerned it also was a partly Windows ASLR feature exploit:
VUPEN was able to exploit Firefox via a use-after-free memory flaw paired with an ASLR/DEP memory exploit. ASLR and DEP are operating system features found in Windows that are intended to protect memory from exploitation.
"The most troublesome of the critical vulnerabilities carries a remote code execution risk and affects every version of Windows - from XP SP3 up to Windows 8 and Windows RT as well as all versions of Internet Explorer"
Who was it that once said they had eliminated buffer overflows in Windows and you didn't even need an anti-virus package?
"Who was it that once said they had eliminated buffer overflows in Windows and you didn't even need an anti-virus package?" - erm - no one?
MS made them a lot harder to exploit with features like NX and address spaces randomisation - which couldn't have been too bad as they were later both copied by Linux.
MS made them a lot harder to exploit with features like NX and address spaces randomisation - which couldn't have been too bad as they were later both copied by Linux.
Copied by, or copied from? A little history for you:
ASLR was enabled in Windows Vista around 2007, OpenBSD (2003) and the default Linux kernel (2005) followed. As a matter of fact, ASLR was first implemented and invented by the PaX project (should have been patented though). Do you know what PaX stands for? Patch for LinuX kernel (I think). So, it was the Linux kernel design since the very onset of ASLR, it hasn't become the mainstream code right away though. And then after many many years came Redmond .. to copy-cat the innovation. However, it was neither the first, nor the last time.
Added to this list of software security woes that Microsoft is attempting to "patch" - most appropriate word, since a real fix is unlikely - on Tuesday, "Windows Security Essentials" very recently failed testing "twice" at testing labs in Europe.
It is unfortunate that many Microsoft supporters will inundate The Register and other technology media with every type of lame excuse one can imagine for these failures, and divert the subject to how Linux, Mac OS X and maybe BSD ( if they even know what BSD software is) has no market share, is hard to use or some other inane off-topic issue that they hope will take attention away from the growing travails of their heroine in Redmond.
Security Essentials is a free antivirus / malware package, and is only meant to cover the basics. It is certainly better than nothing.
I would expect a paid product to be in some way better since I am paying for it or it would have no market. Just as is the case with OSs, Hypervisors, Office software, etc, etc. See http://blogs.technet.com/b/mmpc/archive/2013/01/16/lessons-learned-from-the-latest-test-results.aspx for the actual meaning behind the 'failure'
nb - 'Which' rated MSE as the best consumer antivirus!