IE patches
Plus ça change...
June's Black Tuesday patch update from Microsoft has rolled into town with five bulletins, including a solitary critical update that tackles flaws in all supported versions of Internet Explorer. The IE update (MS13-047) grapples with 19 vulnerabilities and covers all versions of IE, from IE6 to IE10, on all supported versions …
....what would you prefer? MS to not patch bugs?
And this isn't an MS-specific issue, look at all the Java patches of late.
My GNU/Linux system gets updates every other day - although the repository system (when folks bother to package their wares correctly) makes this process much easier when compared to the random, slap-dash, every application needs its own update mechanism, approach on Windows or OS X.
This reminds me, must really look into Puppet/Chef/Salt/Something to keep all the systems up to date in a oner.
Yes, so does mine, but if you're going to throw that one out, how many of them are security patches? And how many of those are serious and not just Free Software Paranoia (long may it live)?
When, e.g., was the last time KDE had a security advisory? Or its browser Konqueror? (or Rekonq). It issues monthly updates, not the same as security issues. I can't remember the last time openSUSE issued a "FFS update this"
Well Suse itself posted this security vulnerability in May - https://www.suse.com/support/update/announcement/2013/suse-su-20130819-1.html
They just don't get publicised as much. I think it's safe to say that every system has vulnerabilities in it and it's going to be a never ending battle to fix them!
I don't know when KDE last had a vulnerability (I'm a GNOME user), but they did nearly lose all their source code a couple of months ago, because they thought that replication was backup! The only thing that saved them was having taken a node offline the previous day. i.e.: luck saved them.
It's all about where you look for your problems - sure the code may be secure, but if its custody is so badly handled that a corrupting replication node can destroy the entire codebase, that's still as insecure as you can get.
People have to look in the right place for the problems that they should be seeing, not the ones they want to see, or think they may see.
".....And how many of those are serious and not just Free Software Paranoia (long may it live)"
1 second of searching. 1st Hit
05 June 2013, 10:41
http://www.h-online.com/open/news/item/Security-update-for-Chrome-27-1882885.html
Please note the platforms affected.
You see, if you lump in Browser + OS = Fail, then we must do the same for other browsers on other platforms.
Personally I don't give a shit about the platform or the browser ( I run several), but I do give a shit about unpatched software.
1 second of searching. 1st Hit
how many seconds do you need to search to see a tasty remote code execution being already exploited in the wild? Hint: closed source.
BTW, did you notice this: "...eight high and medium severity holes saw nearly $10,000 being paid out." Is MS willing to pay for every or most discovered vulnerability? I don't think so.
Or to put it another way: Google pay other people to find their bugs for them, because they can't be arsed.
Yes, I know it's not that simple, but there is more than one way to look at this: Google staff may well leave security to a back seat because they're outsourcing their own bug fixing.
Google pay other people to find their bugs for them...
Google pay other people if they find their bugs. #now fixed
I don't know why you chose to look at this fact from this strange angle. Most vulnerabilities found in MS products are found by non-MS people, more so when those are being exploited in the wild (compare this to when exploits are being published).
In my view, the we-don't-owe-anything-to-anyone attitude is an atavistic, very peculiar MS feature. Another possible explanation is the fear of going bankrupt.
....what would you prefer? MS to not patch bugs?
Not at all - just wondering how the older versions in particular managed to work in the first place, as they must have been about 10% good code and 90% bugs.
Just another regular occurrence, like Halley's comet coming around, although that may stop one day.
So either a) A faulty software design was re-implemented and perpetuated the vulnerability.
b) Some coder did a copy and paste job on development.
But b could never happen. Do we not have the word of the Turkey Dancer himself on the matter?
Complete re-write doesn't imply they won't re-use existing interfaces for communication between components or externally - so they can become susceptible in the same manner.
Take for instance the way software communicates with the certificate store - it may differ between versions but the base interaction is the same - and therefore potentially open to the same attacks across versions.
As someone who specifies software for a living, I'm getting pretty tired of saying this, but:
If you specify a code module or interface to do X, Y and Z, then hand the spec to a codemonkey, the chances are that any codemonkey will implement that code in a different way, but it will do the same job. If it turns out that Z is incorrect and causes a problem because, for instance, it's a datastream that you didn't specify should be encrypted, the problem resides in your spec and no amount of re-coding from the ground up will fix it.
It's therefore entirely likely that they have re-coded from the ground up and retained problems which are in the spec rather than the code.
And now OSX re-opens and repositions all your open windows for you when you restart, which is nice.
At least I don't seem to have to re-install Windows itself on a regular basis any more - which is why I stopped bothering to "personalize my windows experience" (sic) so long ago; re-instating all those icons, backgrounds, cursors, alerts, favourites etc. just became TOO tedious.
Yes, because Chrome is engineered how any sane person would do a web browser: as userland, with a clean separation from the OS networking code. (Chrome is actually engineered very slickly with the sandboxes and such.) IE is getting that way these days I believe, but in the early IE days the marketing droids at MS thought it would be a great idea to embed browser code deep in the OS itself. Some of the IE fixes therefore result in OS files changing and thus a reboot.
Isn't it great to see that the original IE was so extendable, they've managed to maintain it as the single code-base for all future revisions.
More seriously, I always query patches that just apply to single versions where the feature was there in both prior and later versions. If you knew you had to re-write something for the next release, then you probably were aware of the flaws in the prior version.