Patch NOW! Microsoft slings emergency bug fix at Windows admins

Microsoft has released a security patch to squash a bug in Windows that hackers are exploiting to compromise whole networks of computers. Redmond said today a vulnerability (MS14-068) in the Kerberos authentication system, used by default in the operating system, allows a normal user to ramp up their privileges and access …

  1. Version 1.0 Silver badge

    ALL YOUR XP BELONG US?

    You are a sheep running XP and the shepherd is walking towards you wearing gum boots ... are you nervous yet?

    1. joed

      Re: ALL YOUR XP BELONG US?

      Now, considering that XP is now cordoned off from the rest of the systems, I'd consider these systems more secure than general-use systems with Windows 7. Also, I'd hope that patch actually fixes the issue on the server. Having a client system compromise the security of the whole network can't be considered good design.

    2. Gray
      Facepalm

      Re: ALL YOUR XP BELONG US?

      You are a sheep running XP Windows OS and the shepherd is walking towards you wearing gum boots ... are you nervous yet?

      Fixed that ... not only XP has the slippery zipper and a lusty glint in its eye! Flee, ya woollies, flee!

      1. king of foo

        Re: ALL YOUR XP BELONG US?

        It's worse. He's wearing a Wales rugby shirt...

    3. Anonymous Coward

      Re: ALL YOUR XP BELONG US?

      This vulnerability is a domain controller one - it's in the code used by a Kerberos KDC (which in Windows is a DC) to validate a Kerberos ticket. You can alter some of the ticket data to gain more privileges and still the ticket validates. Thereby client machines and non-DC servers are not affected, thereby XP is not affected by this vulnerability.

      Anyway because any server could be (manually) promoted to be a DC, and because anyway the same code looks to be present on client systems too, the patch applies to all systems, although what you need to patch ASAP are the DCs.
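As an added illustration, not code from the article or from any commenter, the Python model below shows the validation pattern this comment describes: the KDC checks a signature over the ticket's authorization data, and if it trusts whatever checksum type the ticket names, unkeyed ones included, a ticket whose data was altered and re-checksummed by its holder still passes, while a verifier that insists on a keyed checksum under the KDC's own key rejects it. The assumption that the real KDC accepted non-keyed checksum types over the PAC comes from public analyses of the bug, not from this page; the ticket layout, key, user and group names are simplified and constructed.

```python
import hashlib
import hmac
import json
import zlib
from typing import List, Optional

# Constructed KDC-side secret. In a real domain this is derived from the
# krbtgt account's key and is never available to a client.
KDC_KEY = b"constructed-kdc-secret-key-not-real"

# Checksum types the toy verifier understands. Only "hmac-sha256" is keyed;
# the other two can be recomputed by anyone who holds the data.
KEYED_TYPES = {"hmac-sha256"}
UNKEYED_TYPES = {"md5", "crc32"}


def checksum(ctype: str, data: bytes, key: Optional[bytes] = None) -> bytes:
    """Compute a checksum of `data` in the given checksum type."""
    if ctype == "hmac-sha256":
        if key is None:
            raise ValueError("keyed checksum type requires a key")
        return hmac.new(key, data, hashlib.sha256).digest()
    if ctype == "md5":
        return hashlib.md5(data).digest()
    if ctype == "crc32":
        return zlib.crc32(data).to_bytes(4, "big")
    raise ValueError(f"unknown checksum type {ctype!r}")


def encode_authz(authz: dict) -> bytes:
    """Canonical byte form of the authorization data covered by the signature."""
    return json.dumps(authz, sort_keys=True).encode()


def issue_ticket(user: str, groups: List[str]) -> dict:
    """KDC issues a ticket whose authorization data is signed with the KDC key."""
    authz = {"user": user, "groups": groups}
    return {
        "authz": authz,
        "sig_type": "hmac-sha256",
        "sig": checksum("hmac-sha256", encode_authz(authz), KDC_KEY).hex(),
    }


def validate_vulnerable(ticket: dict) -> bool:
    """Vulnerable pattern: trust the checksum type named inside the ticket.

    Because unkeyed types are accepted, the holder of the ticket can change
    the authorization data and recompute a matching checksum themselves.
    """
    ctype = ticket["sig_type"]
    key = KDC_KEY if ctype in KEYED_TYPES else None
    try:
        expected = checksum(ctype, encode_authz(ticket["authz"]), key)
    except ValueError:
        return False
    return hmac.compare_digest(expected.hex(), ticket["sig"])


def validate_fixed(ticket: dict) -> bool:
    """Fixed pattern: only a keyed checksum under the KDC key proves origin."""
    ctype = ticket["sig_type"]
    if ctype not in KEYED_TYPES:
        return False
    expected = checksum(ctype, encode_authz(ticket["authz"]), KDC_KEY)
    return hmac.compare_digest(expected.hex(), ticket["sig"])


def tampered_ticket(ticket: dict, new_groups: List[str]) -> dict:
    """Model of the altered ticket from the comment above: authorization data
    changed, signature replaced by an unkeyed checksum its holder can compute."""
    authz = dict(ticket["authz"], groups=new_groups)
    return {
        "authz": authz,
        "sig_type": "md5",
        "sig": checksum("md5", encode_authz(authz)).hex(),
    }


def run_demo() -> dict:
    """Return the outcome of each verifier on a genuine and an altered ticket."""
    genuine = issue_ticket("alice", ["Domain Users"])
    altered = tampered_ticket(genuine, ["Domain Admins"])
    return {
        "genuine_vulnerable": validate_vulnerable(genuine),
        "genuine_fixed": validate_fixed(genuine),
        "altered_vulnerable": validate_vulnerable(altered),
        "altered_fixed": validate_fixed(altered),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The lesson for any verifier, Kerberos or otherwise: an integrity check is only as strong as the weakest checksum type the verifier will accept, so the accepted set must be fixed by the verifier, never chosen by the data being verified.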

      1. localzuk Silver badge

        Re: ALL YOUR XP BELONG US?

        @LDS - that doesn't seem right... Why would a patch for Windows client OS's be issued then?

        1. Anonymous Coward

          Re: ALL YOUR XP BELONG US?

          As said, I would not be surprised if the same Kerberos libraries are shared among client and server versions, thereby it makes sense to bring them all up to date, even if some code is never called by client systems. Maybe while fixing the bug they also took the time to refactor some code to make it more robust, and make it less vulnerable to yet unknown issues.

        2. Phil W

          Re: ALL YOUR XP BELONG US?

          @localzuk presumably to prevent the clients from executing this vulnerability against a DC.

    4. J__M__M

      Re: ALL YOUR XP BELONG US?

      I'm confused, why would this make xp users nervous?

      Microsoft said the vulnerable component is in all supported versions of Windows – Vista through 8.1 – and Windows Server – 2003 through 2012 R2. The company has made the fix a critical priority for Windows Server systems.

  2. Mikel

    Patch

    And patch again. There are more where these came from.

  3. Anonymous Coward

    Update is 725MB http://i.imgur.com/H7PGPDn.jpg ?!

    1. MatthewSt

      November Rollup

      No, the 700+MB one is the November rollup: https://support.microsoft.com/kb/3000850

      1. Roland6 Silver badge

        Re: November Rollup

        >the 700+MB one is the November rollup

        I seem to remember with XP that size of update was called a Service Pack and would have been available on a CD; how times have changed, yet for many the speed of the Internet hasn't...

  4. Anonymous Bullard
    Joke

    oh ffs!

    See? They start dabbling with open source and this happens!

  5. Destroy All Monsters Silver badge
    Paris Hilton

    This is the castle of my master, Ballmère de Redmonde!

    Did Ballmer fart in the general direction of the security team and fetchez la vache onto them and is Nadella resurrecting it?

    On the other hand, I heard the dudes in security would be folded into marketing or something? Has this order of High Pointyhairedness been belayed?

    1. Charlie Clark Silver badge

      Re: This is the castle of my master, Ballmère de Redmonde!

      Did Ballmer fart in the general direction of the security team and fetchez la vache onto them and is Nadella resurrecting it?

      I get the Monty Python allusion but I just can't make linguistic or grammatical sense of this.

      Plus, it's actually Nadella who's done most of the sacking.

  6. Anonymous Coward

    so much for...

    The complete rewrite of the latest versions of Windows.

    1. Anonymous Coward

      Re: so much for...

      *snigger*

    2. Not That Andrew

      Re: so much for...

      That's a pupular misconception, but there was never a total rewrite. Vista and later were developed from the stripped down version of Win2003 that gave birth to the minwin concept.

      1. Charlie Clark Silver badge

        Re: so much for...

        That's a pupular misconception Sic.

        The misconception could not have anything to do with the PR and marketing spin saying exactly that? Or is your typo in reality a cunning linguistic pun?

    3. Mikel

      Re: so much for...

      The next one though, that one will be fresh baked from scratch.

  7. Anonymous Coward

    [REDACTED]

    [REDACTED],[REDACTED], [REDACTED],[REDACTED] and [REDACTED] will be annoyed.

    Now they will have to pay [REDACTED] to be able to continue their ongoing campaign of [REDACTED] [REDACTED] [REDACTED].

    In the meantime to prove your not [REDACTED] [REDACTED] or [REDACTED] would you please ensure that your communications are completely in the clear and that you fax all passwords and the services that they are for, including ip addresses mac addresses physical location and the type of information stored on them to [REDACTED]

    Yours

    [REDACTED]

    [REDACTED][REDACTED][REDACTED][REDACTED][REDACTED]

    [REDACTED][REDACTED][REDACTED]

    [REDACTED]

  8. picturethis
    FAIL

    MS, please help me understand

    <rant>

    After all of these years of Windows OS releases, almost every patch Tuesday for the last 10+(?) years, how can (new) remote code execution / privilege elevation exploits still be happening?

    As a developer for 20+ years, I just, really, REALLY! don't understand how this can still be happening to newer versions of Windows...

    Either:

    - MS has no fucking understanding of security

    or

    - MS doesn't care about security

    or

    - MS code is complete and utter shit

    or

    - MS developers don't know anything about coding

    or

    - Some combination of the above.

    I get really, REALLY! tired of the same old shit day after day, month after month, year after year.

    It's a damn good thing that most of my internet-facing machines are ABW (anything but Windows). MS must think that I have infinite time to spend on testing/patching machines with their code, because they apparently can't, won't or are unwilling to fix their stuff.

    Complete and utter failure on their part.

    Yes I'm very frustrated with MS right now. Even Windows 10 has this problem - even after completely skipping a major (9) (sic) version!!

    </rant>

    I'm sorry, it's been a bad day (night)... And if I could specify a FAIL + ALE (As in I need a beer after this one...) icon in the future, that would be cool.

    1. circuitguy

      Re: MS, please help me understand

      MS was never focused on producing stable and smart code. Half-baked programming ruled the west coast for too long. It was cheaper and faster to produce poor coding, and with the early IBM alliance, generated a guaranteed market, yielded large profits. So large profits yielded business models that supposed poor coding and created a massive 3rd party products fixing the obvious.

    2. Anonymous Coward

      Re: MS, please help me understand

      As a developer you should then be aware that it's pretty much impossible to release 100% bug free code, especially when your talking about something the size of Windows.

      And if you think Linux et al are any different you're very much mistaken.

      1. Nigel 11

        Re: MS, please help me understand

        As a developer you should then be aware that it's pretty much impossible to release 100% bug free code, especially when your talking about something the size of Windows.

        True, but ...

        There is such a thing as coding with security in mind. A long time ago Microsoft hired the chief architect of the VMS operating system away from Digital, with the brief to write them a secure kernel to replace Windows 98. The result was Windows NT 3.51. It was the most secure system Microsoft ever had, possibly second only to VMS in terms of excellence.

        Being secure meant that graphics performance sucked compared to Windows 98 (where there was basically no security at all). This was a completely inevitable result of securely managing the system's memory on the hardware of the day. So what did Microsoft do? It took this kernel that had been engineered for security, and blew holes in it in order to make the graphics run faster. Enter NT 4.0. Broken by design and orders from the top. Then 2000 (further security compromises), then XP (even more). Eventually what had once been one of the most secure OSes in existence (perhaps behind only VMS) became an unmaintainable kluge. Around XP SP2 they claimed to realise that security mattered and started trying to patch the holes that they had deliberately created in a once-secure design. The result was an unmaintainable kluge.

        So they re-wrote it again. Enter Vista ....

        You may say that was all a long time ago and you'd be right, except that you'd also be asserting that a system that was deliberately broken security-wise can then be patched back to secure by the people who broke its design.

        The evidence all suggests that Microsoft simply does not understand security at all.

        And if you think Linux et al are any different you're very much mistaken

        Different culture. Open-source applications are of variable quality. Some are excellent, some less so.

        The Linux kernel is engineered with security in mind and is overseen by Linus. He is very smart, he does not suffer fools gladly, and most importantly he has no marketing department to tell him what he has to compromise (ie, break) tomorrow, because some touchy-feely focus group of non-technical users thinks it would be a good idea to let it display pink elephants galloping faster.

        More generally the Linux ecosystem learns from its mistakes. Things in active development get better. If there is a disagreement one project may fork into two, which then compete until either one branch runs out of supporters, or (occasionally) until both branches have found different niches in the open-source ecology. It's a very similar process to natural evolution. In both cases good designs prosper, poor designs die out.

      2. Roland6 Silver badge

        Re: MS, please help me understand

        "As a developer you should then be aware that it's pretty much impossible to release 100% bug free code, especially when your talking about something the size of Windows."

        That may be so, but there is a big difference between bug free and insecure code; a professional programmer would be aware of this difference.

        The worrying, but yet informative aspect of all the security announcements is just how much code in the supposedly brand new versions of Windows actually date back to at least XP/2003. Which given the seemingly common thread to many of the Windows exploits over the years, doesn't bode well for the quality of the various code inspections and reviews that must have occurred over the years.

      3. JeffyPoooh
        Pint

        Re: MS, please help me understand

        AC: "...pretty much impossible to release 100% bug free code, especially when your talking about..."

        Also pretty much impossible to write a sentence with the correct spelling of "you're".

      4. Anonymous Coward

        Re: MS, please help me understand

        "...impossible to release 100% bug free code..."

        I wrote about 30 page-feet of code that was bug free as far as we know. Used for years with not a single bug report ever. Not one. Punch line: wrote it overnight in about 12 hours straight (not including the planning and laying out the primary data structure).

        Not the first time either. Wrote another 10,000+ LoC program in one sitting. Perfect. At "$100 per LoC", is it really worth a million dollars for a long day?

        We had a programmer on staff that did not code himself. He just "...transcribed it straight from God." He could have a discussion with you, looking you in the face, while continuing to touch type the software code straight from God into the PC. It got weird when, without breaking eye-lock with you and continuing to discuss other topics, he would backspace to correct typos. We figured God whispered in his ear, "Backspace, backspace, backspace, now continue..." His code was perfect every time, and I mean His code. LOL.

        It's not that difficult, as long as the requirements and your thinking are clear. But when lots of people get involved, then it all goes to hell pretty quick.

        Maybe that's the real reason that Linux got off to such a good start. Work of one guy.

    3. Anonymous Coward

      Re: MS, please help me understand

      Just installed yesterday security fixes for file, libgcrypt11 and nss in Debian... the problem is not in Windows only, it looks... just see https://www.debian.org/security/2014/

      Thereby, instead of keeping on whining about MS, just ensure your systems - whatever they run - are properly kept up to date.

      1. Bloakey1
        Pint

        Re: MS, please help me understand

        <snip>

        "Thereby, instead of keeping on whining about MS, just ensure your systems - whatever they run - are properly kept up to date."

        I say sir. How dare you post a reasonable argument eschewing the OS dogma seen hereabouts. Have a pint and a thumbs up.

      2. Charlie Clark Silver badge

        Re: MS, please help me understand

        Thereby, instead of keeping on whining about MS…

        No, it's perfectly correct to moan about MS's dreadful track record on this. The issue of liability is also important for software companies: think of the trillions that Microsoft has made over the years by selling shoddy software. Who pays for any lost time / overtime as a result of some of these serial fuck-ups? Will it really take a massive legal case to change fundamental development practices? Will companies start behaving differently if the same recall rights apply to their software as is the case in the car industry?

        This doesn't mean the open source community doesn't need to improve either: OpenSSL should make us all shudder and cringe. We need to work together to develop and follow better programming and testing practices. This doesn't mean we'll ever develop bug-free software but we can do a fuck of a lot more to reduce the number of bugs around.

        1. Anonymous Coward

          Re: MS, please help me understand

          "MS's dreadful track record on this"

          Actually Microsoft have a much better record in recent years than, say, OS X, Red Hat or SUSE. Far fewer holes that are on average fixed faster from public release of the vulnerability (fewer days at risk).

          1. Anonymous Coward

            Re: MS, please help me understand

            are on average fixed faster from public release of the vulnerability (fewer days at risk)

            Weren't you the retarded twat/ms shill who was going on about how wonderful it is to only have the major security fixes come out once a month not so long back?

      3. picturethis

        Re: MS, please help me understand

        You kind of missed my point. I never claimed that ABW machines were perfect. What I don't like is the constant "remote code execution" and "elevated privileges" patches, which I don't see in other OSes nearly as much (ShellShock, Heartbleed notwithstanding). This has been going on with MS for multiple years. This is the issue. When I find and fix bugs in my code, I generally look around other areas and see if the problem exists elsewhere as well. You know, be proactive in fixing stuff?... MS developers appear to do nothing of the sort.

        I have no faith at all that any past, current or future version of Windows can ever be made safe (as long as it's connected to the outside world) with these patches that patch for the same symptoms.

        I've always been a Windows and Linux and Solaris admin + users, but lately I am seriously considering just banning all Windows OS from my work and life. I am getting older and don't have the time left to allow MS to waste my time with their crap. Maybe it's a case of "get off my lawn". It doesn't really matter why actually, but that's where I'm getting to.

        1. Anonymous Coward

          Re: MS, please help me understand

          Well, as a developer and with a vested interest in Linux, why not have a good look around the codebase in GNU or even just the Kernel and report back here all the bugs that you find (after a responsible disclosure to the team)? I guarantee there are at least 100 sitting there at the moment that are modestly easy to find for a great developer.

          You'll probably easily pick up many that are similar to ones that have already been found previously, and that has hundreds of thousands of developers looking at the code.

          This isn't a Linux bash (no pun intended), it's just big codebases have lots of bugs. Some will be critical and in the 'internet age' many will also be remotely exploitable.

          1. Kiwi
            Linux

            Re: MS, please help me understand

            why not have a good look around the codebase in GNU or even just the Kernel and report back here all the bugs that you find

            And while you're at it, do the same for the Windows code base..

            Oh.. Wait...

            (I agree, there's likely many more of these bugs to be found as humans invent ingenious ways of doing things no one else thought would be tried, but at least with OSS you can look around!)

        2. Hans 1
          Windows

          Re: MS, please help me understand

          I think that over the last 13 years, the bitmap vulnerability was the worst, by far ... remember, Windows gets 0wned by displaying the contents of a folder - that is simply the proof that windows is just one big sieve - it is simply not possible on *nix.

          I keep saying but "The World Won't Listen" ...

          Besides, to the other numpty above saying that Microsoft patches quicker ... I care to disagree, the Bash vulnerability was made public before patches could be provided, however, as soon as the devs had committed their code, anybody could have used a subversion/git/cvs (select appropriate) client to get the sources and patch - Nothing beats that - and you know what, if MS decided that patch x will be released on patch Tuesday and not immediately, you're toast. In the OpenSource world, if you think you need to patch, you patch when YOU want (provided the patch has been committed). Of course, you can also wait until the distribution provides the patch (akin to MS customers), however, you do not have to ...

          Besides, no 3/6/9/15 or whatever reboots required, except for a select few packages - certainly NOT for userland stuff, and never for browser, productivity suites, calculator, clock.exe

          But that is OK, I understand you feel like "Half A Person" and I feel for you...

          1. Kiwi

            Re: MS, please help me understand

            Besides, no 3/6/9/15 or whatever reboots required, except for a select few packages - certainly NOT for userland stuff, and never for browser, productivity suites, calculator, clock.exe

            Actually, it's never more than one reboot IME (several distros over the years), and no 40+minute shutdown followed by a 40+minute start to do them.

            WTF is up with 7 atm? We've had a number of customers complaining about massively long shut down and restart times while updates are done, day after day after day (have seen one 7 machine that has done over 100 updates (many "important") in the 24hrs it's been here - and the customer has automatic updates fully on!). While I'm in mini-rant mode.. Why the hell do updates stop to wait for further confirmation that you want to continue, like stopping part way with a "Do you really want to update this program" when I already selected the update?

            'Bout time MS learned something about usability of computers. Still, their updates are helping win people over to the Blessed Light Side :)

            Love the Linux world. Updates all done in the background. At most one reboot, only if critical core stuff updated. No slow shutdown or startup.

      4. eulampios
        FAIL

        Re: MS, please help me understand

        >>Just installed yesterday security fixes for file, libgcrypt11 and nss in Debian... the problem is not in Windows only, it looks...

        Equating every vulnerability with every other vulnerability is a fair play, I am sure.

        As well as comparing the complete plethora of all possible software of various sources, a 50+ gig behemoth Debian pan-distribution, with a very thin number of isolated software pieces MS barely manages ...

        However, we can take that, perhaps though it's just the time to get a Debian Tax instituted instead of the good ol' MS Tax you have to still pay nowadays?

    4. billse10
      Pint

      Re: MS, please help me understand

      "And if I could specify a FAIL + ALE (As in I need a beer after this one...) icon in the future, that would be cool."

      Have an upvote for the content, and a non-failed ale for the idea -->

      1. This post has been deleted by its author

    5. Anonymous Coward

      Re: MS, please help me understand

      "After all of these years of Windows OS releases, almost every patch Tuesday for the last 10+(?) years, how can (new) remote code execution / privilege elevation exploits still be happening?"

      Presumably in the same way that critical remotely exploitable vulnerabilities existed in BASH for the last 18 years...

    6. JeffyPoooh
      Pint

      Re: MS, please help me understand

      "MS developers don't know anything about coding"

      DING DING DING.

      We have a winner!

    7. Mikel

      Re: MS, please help me understand

      S. Nadella took an Axe

      He gave Nokia forty whacks

      When he saw what he had done

      He gave trusted computing forty one.

      http://www.theregister.co.uk/2014/09/19/ms_shutters_twc/

  9. Syntax Error

    Slack

    Microsoft invented the culture of buggy software. "Oh we'll fix that next patch time".

    Windows users get excited when they hear the announcement of their new Windows OS "service pack".

    I am surprised that Microsoft have not been sued out of existence as they knowingly sell faulty software.

    Perhaps they should have really got rid of the NT kernel/FS after XP but they probably didn't bother because it was too expensive(sic) to develop.

    This is going to make using Windows Phone fun! I've just blown my data allowance on yet another total re-write of my phone's OS from MS.

    Windows sucks and patch day proves it again and again and again and again and again and again etc...

    1. Anonymous Coward

      Re: Slack

      There's a thing called "wifi" to download phone updates....

      1. Peter Mount

        Re: Slack

        True, but I know of several people around here who only have mobile broadband due to land line broadband being non-existent or too slow, so even WiFi is too expensive if it's mobile for some.

        1. Anonymous Coward

          Re: Slack

          Then the problem is your lack of connectivity and your data plan limit - not the patch size. And unless he or she owns just a phone, he or she should have ways to patch his or her computer as well...

          1. Roland6 Silver badge

            Re: Slack

            Then the problem is your lack of connectivity and your data plan limit - not the patch size.

            Actually No!

            I point you at Microsoft's own minimum system requirements for Windows 8 (see <http://windows.microsoft.com/en-GB/windows-8/system-requirements>), which only note "Internet access (ISP fees might apply)" as an "Additional requirements to use certain features", but fail to give any sizing information for WUP. This can only be a major oversight by MS given that back in the late 90's there was a design edict to the effect that MS's websites must be usable over a 28.8 kbps dial-up, because of the wide variation in connection speeds its customers were achieving.

            Only when MS specify a minimum Internet service level can it be claimed that the problem is the end user's.

      2. Tom 13

        Re: "wifi" to download phone updates....

        And if your only internet access is on your phone? Not me personally but I know people who have gone that route.

        In any event the point still stands, the vendor sold you shoddy goods, they should pay for the fix. In this case, every month when MS releases patches for their phones, the carrier should give the phone owner a credit equal to the time required to download the patches. Same should go for iPhones and Droids.

        Full disclosure: I own a clam shell case burner-type phone so I don't think I'd specifically benefit from any of these credits. According to my current screen I have 11xx minutes and more than 365 days of service left.

        1. Anonymous Coward

          Re: "wifi" to download phone updates....

          If you cannot afford a proper data plan, don't buy a smartphone...

    2. Bloakey1

      Re: Slack

      "Microsoft invented the culture of buggy software. "Oh we'll fix that next patch time"."

      <snip>

      Cobblers old chap. Buggy software and programming has been around since the Difference Engine and even further back to the abacus.

      With the complexity inherent in most modern OSes, systems and programs in general, the likelihood of problems increases exponentially.

      1. Tom 13

        Re: likelihood of problems increases exponentially.

        Yes, the likelihood of errors increases exponentially. But that's why it is critical to have excellent rather than dodgy programming skills when writing such a huge swath of code.

        This isn't an MS exclusive issue. Looks to me like Linux is having the same issue between the kernel team and that twit (and his team) who keeps complaining Linus is mean.

      2. BongoJoe

        Re: Slack

        "Cobblers old chap. Buggy software and programming has been around since the Difference Engine and even further back to the abacus."

        The henges near here haven't had the Y2K patches applied yet. And I have these bits of bluestone ready to go but will someone come to collect and install them?

    3. Anonymous Coward

      Re: Slack

      Blown your data allowance? You've heard of free wifi right?

      At least the update is not so large that it fails because the device doesn't have enough space despite being empty (I'm looking at you apple).

      This is quite a neat and rather obvious attack vector. Hack the Kerberos packet to include higher privileges. I'm surprised it's not been done sooner if the only challenge was to hack the signing to make it look valid.

      1. Michael H.F. Wilkinson Silver badge

        Re: Slack

        Using free wifi for a security update? Call me paranoid, but I have seen so many security issues in free wifi that I only use it for non-sensitive stuff (like browsing the Reg).

        1. JeffyPoooh

          Re: Slack

          MW: "Using free wifi for a security update? Call me paranoid..."

          Okay... You're paranoid.

          Most every OS will check the files it downloads to make sure that they've not been fiddled by the hackers that you fear are hiding under the counter at Starbucks.

          You're more likely to choke to death on your Latte.

          One should really learn to balance risks using logic, not irrational fear.

          Don't smoke. Wear your seatbelt. When driving, make use of that large conveniently situated transparent screen provided by your vehicle manufacturer. Have a varied diet. Look both ways before crossing the street. Don't wear headphones while walking on train tracks. Hmmm... We're getting down into the weeds here.

      2. Roland6 Silver badge

        Re: Slack

        Blown your data allowance? You've heard of free wifi right?

        Do you really want to sit in McDonald's or similar whilst you try and transact approximately 1 GByte of data over their 1Mbps WiFi link? I think you might end up having to pay the long stay car parking fee...

  10. Anonymous Coward

    Have belief, you'll feel better.

    Those who hold on to the belief they are safe running "Fully patched MS" OS at least have the belief thing, it does not factually change a thing but hey warm and cosy for a while eh.

    For anyone who thinks these security exploits (All OS's now) don't get out before the patches, watch your web facing logs, they are like a weather forecast.

    Oh I can see some storms on the horizon, new CMS maybe, SSL VPN is that?...

    On one of the last MS exploits I got about 350 emails in a morning sent to a couple of addresses that exist only on spam and "prospective zombie" lists; 10 got through to the catch-all holding address, the rest bounced due to Linux-based filtering on sender trust. I checked the links and at the time they looked clean (VirusTotal); once the patch had rolled out, lo and behold, the links turned out to have been bad.

    Do your best and remember you are more likely to be hit by some idiot in the company with a bad USB stick (for example) than someone clever enough to get past the firewall. Happy days.

    1. Bloakey1

      Re: Have belief, you'll feel better.

      <snip>

      "Do your best and remember you are more likely to be hit by some idiot in the company with a bad USB stick (for example) than someone clever enough to get past the firewall. Happy days"

      But my mate in I.T. says it is the system that is crap and not the USB stick.

      <rant>

      I have just spent a lot of time and effort proving that a particular file from a particular source was crashing a user's machine. The user was told that the memory error was down to lack of memory on their machine (32 bit, 3.4 gig usable) by the company in question. Funnily enough it worked on a few other machines of a similar spec. I then changed OS to 64 bit, still no luck, jumped up and down and screamed at the company whose software was exhibiting the problem. Told them what the problem was - a disclaimer badly placed in a non-AutoCAD-created DWG.

      Finally they agreed, logged it, passed it to developers and accepted ownership.

      I am still hearing from user "I do not understand why it works on other machines"

      <rant/>

  11. chivo243 Silver badge
    Windows

    Humor me here

    I just ran software update, and checked for new updates, and nothing new... So what is the mechanism for receiving this update? Is it a manual download? Someone please shine the light my way.

    1. Charlie Clark Silver badge

      Re: Humor me here

      I just did the same and Windows Update only told me about the July update that I can't install for some reason. However, when I looked at the details the new one was there but just not selected. So, check the details of the available patches.

      1. chivo243 Silver badge
        Thumb Up

        Re: Humor me here

        @Charlie Clark

        Thanks for the tip. I had some updates queued, and hadn't run them yet, after running the outstanding updates, and a restart, presto! It was offered.

    2. Tom 13

      Re: Humor me here

      My system at home installed the patch before I got here. As it is a personal system I've got the patches set to download and install automatically. I didn't look for it, it just installed on shutdown like it is supposed to.

  12. Zog_but_not_the_first
    Boffin

    A better question would be...

    Where are the manifestations and consequences of unpatched systems?

    All El Reg readers will be on top of updates, patches and vulnerabilities - as much as we are able anyway. BUT it's been debated here before that the average Windows user (and there are a lot of them outside the corporate IT environment) usually hasn't got a clue on machine and network security issues (no offence).

    Auto-updates turned off, anti-virus programs out of date or inoperable, etc., etc., means that there MUST be hundreds of thousands of compromised machines out there. Possibly millions.

    So, unless the banks are keeping very tight-lipped on levels of fraud or "Windows bots" are simply being recruited for some nefarious plan hatched in an extinct volcano and yet to be realised, there don't seem to be any obvious consequences to this poor/lax security.

    Have I missed something?

    1. Bloakey1

      Re: A better question would be...

      <Snip>

      Good summary of things as they stand.

      "Have I missed something?"

      Yep: buggy software written by the malware coves, inability to understand the exploit, inherent complexity of any system, i.e. if it is infected with abc perhaps it does not work properly due to component efg, OS component hij or another piece of malware klm.

      Complex systems require complex malware. A piece of malware infecting 10000 machines may only work as expected on a small percentage of them. Why? Because you cannot mitigate for the unique signature (think fingerprint) of any machine.

      Further to all that, you have bank security at login point / portal etc.

      Soooo, I would put it to you that it is easy to buy a round for 2 people who drink the same drink, it is easy to buy for 1000 who drink the same drink; add a bit of inherent complexity, half measures, doubles, diet drinks etc. and it gets terribly complex.

  13. PoorLumpyPony

    Good to see

    After a run of Unix and Mac (related) security failures, Redmond is coming back strongly, showing everyone who's boss in one of their historically strongest areas.

  14. John Brown (no body) Silver badge

    On a positive note....

    ...the number of recently discovered vulns dating back in some cases many, many years does show that people are now actively checking old code where previously they had been assuming it was all "good" because "surely it's already been checked, we've used it for years". This is a good thing for everyone.

    1. Hans 1
      Joke

      Re: On a positive note....

      >This is a good thing for everyone.

      This is a good laugh for everyone.
