Patch looks like Microsoft FAIL, quacks like FAIL, is actually quite good

An out of band patch, from none other than Microsoft, sounds like a familiar cause of a couple of panicked late nights. Rest easy today, dear readers, for even though that combination has arrived this time there's little need for alarm. The patch in question applies to Windows Update, the bit of Windows that downloads and …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    In other words

    Someone has figured out how to spoof the M$ update system to install malware on your PC device.

    1. Anonymous Coward

      Re: In other words

      Very slick. Is this the bit where you direct us to a link where you can download an 'official' patch that 'patches' the 'fake' patch then?

      1. Anonymous Coward

        Re: In other words

        A proof of concept attack was reported on El Reg some months ago; now if only I could be arsed to remember the link.

  2. Paul Crawford Silver badge
    Windows

    Vista?

    What about the few sad folk still unable to avoid suffering from Vista, is that not still considered a supported OS?

    1. localzuk Silver badge

      Re: Vista?

      It only gets security updates now. It left mainstream support on April 10th 2012!

      1. Gis Bun

        Re: Vista?

        Actually, as this update is related to security updates it would normally be included. There is the odd time that non-security updates are included after mainstream support ends. In this case unsure why it wasn't.

    2. regadpellagru

      Re: Vista?

      "What about the few sad folk still unable to avoid suffering from Vista, is that not still considered a supported OS?"

      I think no, see http://support.microsoft.com/lifecycle/?p1=11734, if you don't have extended.

      Different note, I'm baffled MS even still cares about 7 ...

      1. TeeCee Gold badge
        Meh

        Re: Vista?

        "I'm baffled MS even still cares about 7 ..."

        That's all right, it's nicely balanced by the fact that the rest of us are baffled as to why anyone at all gives a rat's arse about 8.....

        1. Chika

          Re: Vista?

          Stop stealing my rat's arses!

          I suspect that MS cares about 7 because to do otherwise would cause a bigger backlash than the one they risked by killing XP, especially if they had stuck to their original plans.

          1. Captain Scarlet

            Re: Vista?

            MS will care about Win 7 as it still makes money from it, when it drops off like XP then it'll all change.

            1. Anonymous Coward

              Re: Vista?

              "MS will care about Win 7 as it still makes money from it, when it drops off like XP then it'll all change."

              I would lay a reasonable amount of money that MS will still be caring about 7 long after 8 has been consigned to the "Seemed like a good idea at the time" dustbin of history given the number of corporate customers who are using 7. I suspect 7 will be the new corporate XP and will still be found around offices in 10 years' time.

          2. andy k O'Croydon
            Headmaster

            Re: Vista?

            "Stop stealing my rat's arses!"

            How many arses does your rat have?

    3. harmjschoonhoven
      Coffee/keyboard

      Re: Vista?

      This cartoon was published 5 October 2011.

      http://www.foksuk.nl/content/formfield_files/formcartoon_8213_db8567a8338658349c8c35c8062f9f6d8ac62b65.gif

      F&S are not waiting for Steve.

      "Here in Hell we are working for years ... with Vista."

    4. PeterM42
      FAIL

      Re: Vista?

      Vista (NT 6.0) was only a poor, slow and buggy prototype for W7 (NT 6.1). The only worthwhile patch to Vista is W7.

      W8 is the shitheap from hell and will be instrumental in killing off Microsoft unless they REALLY pull their finger out. No corporate wants the retraining costs for W8.

  3. James 29

    Did you get the memo?

    Vista is in extended support, which means (basically) only critical security updates, rather than general improvements/enhancements. So if you're still running Vista (all 3 of you) then no updates for you!

    1. Paul Crawford Silver badge

      Re: Did you get the memo?

      I know Vista is on security updates only mode, but given this was described as it "further enhances the security of Windows Update" I wondered why that was not covered.

      Thankfully I personally don't have to deal with Vista on a daily basis, my own needs (which are not internet-facing) are covered by XP in a VM.

  4. Anonymous Coward

    Maybe there is some truth in this then

    http://www.theregister.co.uk/2014/06/06/patch_piker_redmond_means_win_8_fixes_skip_7_researchers_say/

  5. Crazy Operations Guy

    Probably just updating certificates or something

    With Heartbleed a few months ago and that the patches for OpenSSL would be done getting applied right now, I think this patch is Microsoft revoking old certificates and rolling out new ones to be on the safe side. Having it separate from the other updates makes sense if they don't want it to end up in the middle and kill any secure session with the Windows Update servers mid-patch or mess with code signing or something.

    I know that Microsoft doesn't use OpenSSL, but whoever supplies them certificates might.

    1. Gis Bun

      Re: Probably just updating certificates or something

      There was one exception to this. MS added the Juniper client in Win 8.1 and it uses OpenSSL. But that was already patched.

    2. Anonymous Coward

      Re: Probably just updating certificates or something

      "With Heartbleed a few months ago and that the patches for OpenSSL would be done getting applied right now, I think this patch is Microsoft revoking old certificates and rolling out new ones to be on the safe side"

      I'm pretty sure none of Microsoft's internet facing stuff relies on insecure Open Source stuff these days...

      http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx

      "I know that Microsoft doesn't use OpenSSL, but whoever supplies them certificates might."

      Nope. Microsoft don't use any of that rubbish in their PKI infrastructure:

      http://www.microsoft.com/en-us/download/details.aspx?id=27581

      1. Crazy Operations Guy

        Re: Probably just updating certificates or something

        Do you not understand how PKI works? Microsoft certificates and certificate authorities are signed by a third party CA, Baltimore CyberTrust, who may be the ones that use OpenSSL.

        It is likely that Baltimore CyberTrust will be re-issuing certificates and revoking the old ones as a precautionary measure in the astronomically low chance that anything was actually compromised, so Microsoft needs to get the new ones in the hands of their users before BCT revokes the old ones.

        I assume you posted anonymously because you are embarrassed by the fact you don't know a damn thing about what you are talking about.

  6. Bladeforce

    A patch for the

    Patch updater, no one could dream this drivel up

    1. Anonymous Coward

      Re: A patch for the

      Except for the zillion other systems that have updated their updater of course.
