Microsoft offloads heap of critical fixes in 'ugly' Patch Tuesday Microsoft is planning a high-impact edition of Patch Tuesday with seven bulletins this month - six of which cover critical flaws. The less-than-magnificent seven cover all supported versions of Windows and every version of MS Office, as well as updates for Lync, Silverlight, Visual Studio and .NET. Internet Explorer, from IE6 …
Because they, unlike some companies, publicly inform people when there are problems with their software. I would much rather that than being kept in the dark.
If you think Microsoft have more issues, considering the size of their offerings and indeed the scale of the products themselves, than other software houses you're woefully misinformed.
One truth, software is never perfect!
""Yeah.... Let's hope that never happens.
Mariner 1"
:-) Fair point!"
In 1962.
Let me describe how the team behind the Shuttle software wrote it.
1) Devise specs
2)Implement specs. Maintaining detailed bug lists and error rates and regular walkthroughs by other people. It's a project. No one "owns" their code. The project does.
3)When you find a bug work out how your review process did not catch it.
4)Modify the system to catch future instances.
5)Scan the codebase for all similar cases and fix them as well.
If you work in a dev shop look around you and ask yourself "Do we do any of that?"
It's estimated that their code was 10x the cost per line than the average cost.
That's why Shuttle flew 134 missions and the software never failed.
Let's hope that the software engineers behind the space programme, nuclear power plants, ICBM's, traffic lights etc.etc. never fall into that trap
No, let's hope they include fail safes and monitoring facilities. "No software is perfect" need not be the same thing as "Our product sometimes fails" ;)
"No, let's hope they include fail safes and monitoring facilities. "No software is perfect" need not be the same thing as "Our product sometimes fails" ;)"
Yeah - I can't argue with that - although these posts are in the context of microsoft security alerts, so obviously not only is their software not perfect, but neither are any fail safes and monitoring facilities :)
" someone writing a nuclear power plant's systems isn't just firing up vim and going "Aha, what we going to write today!"."
No, what they're doing in recent years is probably far worse than that.
Is 'Aha' a typo for 'Ada'?
Ada might be a decent language for doing a low level design, but it's far too complex a language to be able to trust the compiler and tools.
There's someone round here whose screen name mentions 'forth'. A custom subset of forth, or something similar, might be appropriate for some safety critical setups. The language and implementation could be simple, efficient, testable, maybe even provably correct in the right circumstances. Given a bit of investment the tool vendors could put some tools around to make it cool and trendy, but Ada seems have become the posterchild for the safety critical folks (at least in aerospace).
AC, obviously.
Wow, I haven't seen Z mentioned for a while !
I liked the idea behind Z, but at the end of the day I found that writing unit test & integration tests can accomplish the same goal, so I am left thinking that there isn't really any point in having the Z language in addition to your programming language du jour.
The thought processes behind applying Z are the useful bit, but I have found that you don't really need Z to think that way. (Hint: It is possible to 'animate' Z constructs in pretty much any mainstream language these days).
Wrt the zdnet article, did readers notice the bit that said "the data shouldn't be interpreted as a claim that an OS built off the Linux kernel is necessarily less secure than using a Windows OS".
Or the bit that says: "The Trustwave report says the number of critical vulnerabilities, as determined by the Common Vulnerability Scoring System (CVSS) assessment of factors like potential impact and exploitability, identified in the Linux kernel was lower than in Windows last year, with nine in Linux compared to 34 in Windows. The overall seriousness of vulnerabilities was also lower in Linux than Windows, with Linux having an average CVSS score of 7.68 for its vulnerabilities, compared to 8.41 for Microsoft."
Don't take my word for it, read the full article.
Me again, having just posted some bits from the zdnet article.
As for zone-h: if "security" means anything, it would be helpful to distinguish between finding an actual exploit in the OS on the one hand (unauthenticated remote code execution, unauthorised elevation of privilege, whatever) or a boring but embarrassing defacement (e.g. via dumbass SQL injection in the Web-facing application). Please do not use records of "defacements" (eg zone-h or similar) as your primary source of "systems being hacked". Please also do your best to identify separately exploits using defects which have been corrected but where the sysadmins have not applied the corrections in reasonable timescales.
MS supporters when talking about desktop security have a tendency to say "Windows isn't less secure, it's more interesting to hackers because there's so much more of it out there". There's no dispute that there are more Windows than Linux desktops out there. There is less of a consensus about which is more secure.
Does the same logic also apply to web servers: "Linux isn't less secure, it's more interesting to hackers because there's so much more of it out there"? There's no dispute that there are more Linux than Windows webservers out there. There is less of a consensus about which is more secure.
If the same logic does not apply, please explain why not.
[Seen much of this before? Sorry! The zone-h meme needs to be put down sooner rather than later]
"much more likely to be hacked running a Linux internet facing server than a Windows one..."
Citation needed, but even when it is provided:
MS supporters when talking about desktop security have a tendency to say "Windows isn't less secure, it's more interesting to hackers because there's so much more of it out there". There's no dispute that there are more Windows than Linux desktops out there. There is less of a consensus about which is more secure.
Does the same logic also apply to web servers: "Linux isn't less secure, it's more interesting to hackers because there's so much more of it out there"? There's no dispute that there are more Linux than Windows webservers out there. There is less of a consensus about which is more secure.
If the same logic does not apply, please explain why not. When you've thought about that fairly basic starting point, here's another one.
If "security" means anything, it would be helpful to distinguish between finding an actual exploit in the OS on the one hand (unauthenticated remote code execution, unauthorised elevation of privilege, whatever) or a boring but embarrassing defacement (e.g. via dumbass SQL injection in the Web-facing application). Please do not use records of "defacements" (eg zone-h or similar) as your primary source of "systems being hacked". Please also do your best to identify separately exploits using defects which have been corrected but where the sysadmins have not applied the corrections in reasonable timescales.
Have a secure weekend.
Just because it gets said every month on the Patch Tuesday announcement, doesn't mean it's not true. MS has the largest desktop/server OS market share. There would be something pretty odd if they weren't the number 1 target for people looking for vulnerabilities, especially as we keep getting told that their product is "swiss cheese" full of security holes.
"Just because it gets said every month on the Patch Tuesday announcement, doesn't mean it's not true. MS has the largest desktop/server OS market share. There would be something pretty odd if they weren't the number 1 target for people looking for vulnerabilities, especially as we keep getting told that their product is "swiss cheese" full of security holes."
MS has the largest desktop share, yep, but not the server share. Also, servers are by their definition "providing services" so they are more visible.
Granted, the typical server is run better than grandmas home pc, but still, saying "of course MS has the most reported holes because it's the most popular" is a cop-out.
Nonsense. I still don't understand why people make the market share argument. At its core OS X is Unix which is inherently more secure. Its more secure because of its open source nature, which is subject to harsh peer review. Apple has done a marvelous job with security in OS X. Flash out of date? You can't use it in Safari until you update it. Java is out of date? OS X will also shut it down and also push you the latest version.
There is something amiss and it deserves the usual snarky tone.
MS engineered their software for ease of use at the expense of security. Despite many remakes and PR efforts that remains at the heart of their exploit issues. The *nix kernels are even bigger targets because in the server world they run most of it on the Really Good Stuf (TM). And in theory* because the code is out there you ought to be able to hack it more easily. But the number of critical flaws in the *nix kernel are lower precisely because unlike MS, their kernel is ONLY a kernel, not a mishmash of everything from the kernel through the applications.
*In practice the many eyeballs seems to negate theory, but the meme persists.
The *nix kernels are even bigger targets because in the server world they run most of it on the Really Good Stuf (TM).
What you are doing is comparing apples and oranges, here. Servers are not workstations. The protections and vectors are not the same. Compare Windows servers versus Windows workstations in an enterprise setting and you should find that the workstations get hit at a far higher rate. On the other hand, the argument that higher numbers make more attractive targets is being borne out by the increasing pressure on Android devices.
Where there are enough assets to make an attack worthwhile, there will be an attack. Eventually, the attack will be successful. At the enterprise level, setting up all machines with one OS is a weakness as someone who can compromise one machine should have no problem with the rest. Better security is based on multiple layer, from OS, to AV and onward.
targets is being borne out by the increasing pressure on Android devices.
Not true, it was heard long before Android, a pretty controversial theory. And BTW, for Android it's only trojans to talk about, illegitimate apps. One installs those on his/her own risk when not examining permissions and perhaps outside of G. Play (MS Windows lacks even that). It's still unheard of to get a trojan through an RCE.
Compare Windows servers versus Windows workstations in an enterprise setting and you should find that the workstations get hit at a far higher rate. both need AV according Microsoft.
". But the number of critical flaws in the *nix kernel are lower precisely because unlike MS, their kernel is ONLY a kernel,"
Erm, you know there are well over 900 critical flaws known in the Linux kernel alone? Versus say 450 in the WHOLE of the worst Microsoft OS ever - Windows XP?
Windows has historically had a couple of orders of magnitude fewer kernel vulnerabilities than *nix kernels...
Every piece of widely used software is subject to issues. Non-MS products are no exception. Linux/Cdorked and DarkLeach are a good example. And they [the reports everyone is giving] still don't seem to know how they work. I'd much rather MS patch things pronto than deny their existence like some other software vendors.
I'd much rather MS patch things pronto than deny their existence like some other software vendors.
The problem of course is that until fairly recently MS engaged in precisely that sort of behavior. In fact since they have both private and public lists of known vulnerabilities you can't actually claim they aren't deny[ing] their existence like some other software vendors.
And no, the Linux kernel is historically more secure than Microsoft's OS. Yes, it is comparing apples and team buses, but that's not the kernel's problem.
"The problem of course is that until fairly recently MS engaged in precisely that sort of behaviour"
No they didn't - they have had pretty much the same policy since ~ 2002 when Bill gates made security the #1 priority @ Microsoft.
Incidentally since when Windows has every single year had fewer vulnerabilities than enterprise Linux distributions, that were on average fixed faster....
"2002 when Bill gates made security the #1 priority @ Microsoft."
Security can have multiple meanings and Gates may not directly have meant what you seem to have thought.
Back then, Gates agenda was to make Windows more "secure" from the point of view of the content providers at the RIAA and MPAA and friends. Unbreakable DRM, copy protection all the way from high definition source to high definition screen. That kind of "security" isn't directly related to protecting users' data and systems from (eg) unauthorised code execution, though that kind of security may well benefit from measures which prevent unauthorised access to protected data, by unauthorised elevation of privilege or whatever.
If such measures also happened to make it more secure from the point of view of the end user, that was a nice side effect, but the security of the user wasn't the primary driving force.
Don't take my word for it, go read (properly) about the Trusted Computing Platform concept, its sponsoring organisations, and the behind the scenes activities of the content providers.
According to CNet, Microsoft announced the move to a monthly patch cycle in October 2003. I'm not sure that there's anything in the IT world that would be considered "fairly recent" if it dates from 2003.
http://news.cnet.com/Microsoft-details-new-security-plan/2100-1002_3-5088846.html
This post has been deleted by its author
I just watched a colleague ask for "this week's" patches (his words, don't shoot the messenger) for his Debian set-up and the list scrolled for several seconds of unpaginated humongous line. Hundreds and hundreds of issues.
When I expressed the opinion that I couldn't see the advantage over the windows patching process (which he had been loudly criticizing, lifelong, ultra-militant non-windows user that he is) he indignantly snapped "Well, you don't have to apply them *all*!
Comedy gold.
Another bloke came round while I was diddling with a Raspberry Pi in my lunch hour.
"What's it running?"
"Debian, sorta""
"Is there an Ubuntu port for it?"
"Yes"
"You should use that. It's better."
"In what way?"
"Easier to use."
"I'm not having problems using what I have."
"Ubuntu is better."
"You do get that the O/S isn't why I bought the box nor the purpose in owning it, don't you?"
"Well, if you are going to be like *that*" - and he stormed off in high dudgeon.
Software problems are the result of human error. An effective way to reduce human error is to reduce complexity. That can be done by turning a big, complex problem into a lot of small, simple problems, and solving each of these small simple problems by writing code in a small simple language.
The problem, of course, is ensuring that you do not introduce errors when you map the big complex problem into a number of small simple problems, but at least that only requires a small number of people to be brilliant, instead of everyone working on the project.
I've just updated my backup servers to NetBackup 7.5.0.6, let me assure you, Linux repos don't magically supply updates for anything other than the FOSS components of their systems. If you run any commercial software or anything the disro doesn't like you either have to hope that they offer their own repo, which is practically unheard of, or you have to update with your own methods.
So, in other words, just like Windows, MS update all their stuff, plus a couple of other bits (Flash, IIRC?) but don't update other companies software. In some situations that means that you get everything, however if you're using your servers for anything not totally FOSS, you're out of luck at least to some extent.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
