Microsoft offloads heap of critical fixes in 'ugly' Patch Tuesday

Microsoft is planning a high-impact edition of Patch Tuesday with seven bulletins this month - six of which cover critical flaws. The less-than-magnificent seven cover all supported versions of Windows and every version of MS Office, as well as updates for Lync, Silverlight, Visual Studio and .NET. Internet Explorer, from IE6 …

COMMENTS


  1. Anonymous Coward

    Surprise!

    Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft?

    People need to give themselves a shake and stop using MS products!!!! ;-P

    1. BristolBachelor Gold badge

      Re: Surprise!

      I thought that it was usually Adobe with acrobat or flash...

      1. Grikath

        Re: Surprise!

        You forgot JAVA....

    2. Anonymous Coward

      Re: Surprise!

      Sounds like you're saying "How dare they try and fix things promptly"

      I guess you like the Java and Apple model of head in the sand?

    3. El Andy

      Re: Surprise!

      Yes, of course. Because the fact The Register never bothers to write articles about every Linux/Mac OS/Android/whatever patch release is an indication that they never happen ever.

      1. Anonymous Coward

        Re: Surprise!

        Well there's that story at the moment about the security flaw in Android and the patch...oh.

        1. Anonymous Coward

          Re: Surprise!

          Wot, you mean discovery of the master key allowing malicious apps to run?

          http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/

      2. eulampios

        @El Andy

        Microsoft owns a patent for "Remote code execution", so others are afraid to infringe on it.

    4. eg0r

      Re: Surprise!

      Because they, unlike some companies, publicly inform people when there are problems with their software. I would much rather that than being kept in the dark.

      If you think Microsoft have more issues, considering the size of their offerings and indeed the scale of the products themselves, than other software houses you're woefully misinformed.

      One truth, software is never perfect!

      1. Jamie Jones Silver badge

        @egor: Re: Surprise!

        "One truth, software is never perfect!"

        I see you follow the Microsoft philosophy.. That's fine if you program games etc.

        Let's hope that the software engineers behind the space programme, nuclear power plants, ICBMs, traffic lights etc. etc. never fall into that trap.

        1. Crisp

          Re: Let's hope that the software engineers behind the space programme never fall into that trap

          Yeah.... Let's hope that never happens.

          Mariner 1

          1. Jamie Jones Silver badge

            Re: Let's hope that the software engineers behind the space programme never fall into that trap

            "Yeah.... Let's hope that never happens.

            Mariner 1"

            :-) Fair point!

            1. John Smith 19 Gold badge

              Re: Let's hope that the software engineers behind the space programme never fall into that trap

              ""Yeah.... Let's hope that never happens.

              Mariner 1"

              :-) Fair point!"

              In 1962.

              Let me describe how the team behind the Shuttle software wrote it.

              1) Devise specs.

              2) Implement specs, maintaining detailed bug lists and error rates and regular walkthroughs by other people. It's a project. No one "owns" their code. The project does.

              3) When you find a bug, work out how your review process did not catch it.

              4) Modify the system to catch future instances.

              5) Scan the codebase for all similar cases and fix them as well.

              If you work in a dev shop look around you and ask yourself "Do we do any of that?"

              It's estimated that their code cost 10x the average cost per line.

              That's why the Shuttle flew 134 missions and the software never failed.

        2. AndrueC Silver badge

          Re: @egor: Surprise!

          "Let's hope that the software engineers behind the space programme, nuclear power plants, ICBMs, traffic lights etc. etc. never fall into that trap"

          No, let's hope they include fail safes and monitoring facilities. "No software is perfect" need not be the same thing as "Our product sometimes fails" ;)

          1. Jamie Jones Silver badge

            Re: @egor: Surprise!

            "No, let's hope they include fail safes and monitoring facilities. "No software is perfect" need not be the same thing as "Our product sometimes fails" ;)"

            Yeah - I can't argue with that - although these posts are in the context of Microsoft security alerts, so obviously not only is their software not perfect, but neither are any fail safes and monitoring facilities :)

        3. Anonymous Coward

          Re: @egor: Surprise!

          or the NHS "one system" project....oops.

      2. oldcoder

        Re: Surprise!

        Not surprised...exactly. Surprised it is only 22 though.

        RH actually has a larger kit.

      3. Tom 38

        Re: Surprise!

        "One truth, software is never perfect!"

        Well, there's Z. You'd hope that someone writing a nuclear power plant's systems isn't just firing up vim and going "Aha, what we going to write today!".

        1. Anonymous Coward

          Re: Surprise!

          " someone writing a nuclear power plant's systems isn't just firing up vim and going "Aha, what we going to write today!"."

          No, what they're doing in recent years is probably far worse than that.

          Is 'Aha' a typo for 'Ada'?

          Ada might be a decent language for doing a low level design, but it's far too complex a language to be able to trust the compiler and tools.

          There's someone round here whose screen name mentions 'forth'. A custom subset of Forth, or something similar, might be appropriate for some safety critical setups. The language and implementation could be simple, efficient, testable, maybe even provably correct in the right circumstances. Given a bit of investment the tool vendors could put some tools around it to make it cool and trendy, but Ada seems to have become the poster child for the safety critical folks (at least in aerospace).

          AC, obviously.

        2. Roo

          Re: Surprise!

          Wow, I haven't seen Z mentioned for a while !

          I liked the idea behind Z, but at the end of the day I found that writing unit tests & integration tests can accomplish the same goal, so I am left thinking that there isn't really any point in having the Z language in addition to your programming language du jour.

          The thought processes behind applying Z are the useful bit, but I have found that you don't really need Z to think that way. (Hint: It is possible to 'animate' Z constructs in pretty much any mainstream language these days).

      4. eulampios

        @eg0r

        "considering the size of their offerings"

        If one is considering the size of Debian's offerings... things become more clear.

    5. Anonymous Coward

      Re: Surprise!

      You forgot to login again, Eadon.

    6. Anonymous Coward

      Re: Surprise!

      Microsoft has far fewer patches than say an enterprise Linux distribution with far fewer days at risk...Hence why you are much more likely to be hacked running a Linux internet facing server than a Windows one...

      1. Steven Raith

        Re: Surprise!

        I'd love to see you put your money where your mouth is and produce some hard numbers on that for both systems....

        Particularly for vulnerabilities exploited in the wild.....

        1. Anonymous Coward

          Re: Surprise!

          Here you go: http://www.zone-h.org/news/id/4737

          http://www.zdnet.com/linux-trailed-windows-in-patching-zero-days-in-2012-report-says-7000011326/

          1. Anonymous Coward

            Re: Surprise!

            Wrt the zdnet article, did readers notice the bit that said "the data shouldn't be interpreted as a claim that an OS built off the Linux kernel is necessarily less secure than using a Windows OS".

            Or the bit that says: "The Trustwave report says the number of critical vulnerabilities, as determined by the Common Vulnerability Scoring System (CVSS) assessment of factors like potential impact and exploitability, identified in the Linux kernel was lower than in Windows last year, with nine in Linux compared to 34 in Windows. The overall seriousness of vulnerabilities was also lower in Linux than Windows, with Linux having an average CVSS score of 7.68 for its vulnerabilities, compared to 8.41 for Microsoft."

            Don't take my word for it, read the full article.

          2. Anonymous Coward

            Re: Surprise!

            Me again, having just posted some bits from the zdnet article.

            As for zone-h: if "security" means anything, it would be helpful to distinguish between finding an actual exploit in the OS on the one hand (unauthenticated remote code execution, unauthorised elevation of privilege, whatever) or a boring but embarrassing defacement (e.g. via dumbass SQL injection in the Web-facing application). Please do not use records of "defacements" (eg zone-h or similar) as your primary source of "systems being hacked". Please also do your best to identify separately exploits using defects which have been corrected but where the sysadmins have not applied the corrections in reasonable timescales.

            MS supporters when talking about desktop security have a tendency to say "Windows isn't less secure, it's more interesting to hackers because there's so much more of it out there". There's no dispute that there are more Windows than Linux desktops out there. There is less of a consensus about which is more secure.

            Does the same logic also apply to web servers: "Linux isn't less secure, it's more interesting to hackers because there's so much more of it out there"? There's no dispute that there are more Linux than Windows webservers out there. There is less of a consensus about which is more secure.

            If the same logic does not apply, please explain why not.

            [Seen much of this before? Sorry! The zone-h meme needs to be put down sooner rather than later]

      2. Anonymous Coward

        Re: Surprise!

        "much more likely to be hacked running a Linux internet facing server than a Windows one..."

        Citation needed, but even when it is provided:

        MS supporters when talking about desktop security have a tendency to say "Windows isn't less secure, it's more interesting to hackers because there's so much more of it out there". There's no dispute that there are more Windows than Linux desktops out there. There is less of a consensus about which is more secure.

        Does the same logic also apply to web servers: "Linux isn't less secure, it's more interesting to hackers because there's so much more of it out there"? There's no dispute that there are more Linux than Windows webservers out there. There is less of a consensus about which is more secure.

        If the same logic does not apply, please explain why not. When you've thought about that fairly basic starting point, here's another one.

        If "security" means anything, it would be helpful to distinguish between finding an actual exploit in the OS on the one hand (unauthenticated remote code execution, unauthorised elevation of privilege, whatever) or a boring but embarrassing defacement (e.g. via dumbass SQL injection in the Web-facing application). Please do not use records of "defacements" (eg zone-h or similar) as your primary source of "systems being hacked". Please also do your best to identify separately exploits using defects which have been corrected but where the sysadmins have not applied the corrections in reasonable timescales.

        Have a secure weekend.

    7. Anonymous Coward

      Re: Surprise!

      Because 95% of the world's PCs run Windows, so it becomes SIGNIFICANT news.

      So what if someone exploits something that runs on 2% of the world's PCs? Big Deal.

  2. RonWheeler

    Tiresome

    Every single month, the same old schtick from The Reg. Criticism for releasing security patches with the usual snarky tone that there is something amiss. Seriously - criticism for releasing fixes? As! Tired! As! The! Endless! Yahoo! Exclamation! Marks!

    1. hplasm

      Re: Tiresome

      Don't like shitty smells?

      Don't try to cover them up- stop making shit in the first place!

      1. returnmyjedi

        True

        But Microsoft also suffer from being the most popular target for naughty miscreants to look for flaws. If all the dastardly types that target Redmond's platforms went looking at OSX, the chances are the fruity one would be similarly lambasted.

        1. Jamie Jones Silver badge

          Re: True

          "But Microsoft also suffer from being the most popular target for naughty miscreants to look for flaws."

          Change the tape - it's beginning to wear out

          1. Anonymous Coward

            Re: True

            Just because it gets said every month on the Patch Tuesday announcement, doesn't mean it's not true. MS has the largest desktop/server OS market share. There would be something pretty odd if they weren't the number 1 target for people looking for vulnerabilities, especially as we keep getting told that their product is "swiss cheese" full of security holes.

            1. Jamie Jones Silver badge

              Re: True

              "Just because it gets said every month on the Patch Tuesday announcement, doesn't mean it's not true. MS has the largest desktop/server OS market share. There would be something pretty odd if they weren't the number 1 target for people looking for vulnerabilities, especially as we keep getting told that their product is "swiss cheese" full of security holes."

              MS has the largest desktop share, yep, but not the server share. Also, servers are by their definition "providing services" so they are more visible.

              Granted, the typical server is run better than grandma's home PC, but still, saying "of course MS has the most reported holes because it's the most popular" is a cop-out.

        2. oldcoder

          nahh

          Windows is the easiest target...

          So everybody and his 5 year old can hack it.

          Thus more attempts. Unfortunately, more success too.

        3. Anonymous Coward

          Re: True

          ^^ On the desktop. On the server, it's much more Linux that's the risk.

          1. eulampios

            @AC

            Saying "halva-halva" doesn't necessarily make your mouth sweet.

        4. Ryan Nix

          Re: True

          Nonsense. I still don't understand why people make the market share argument. At its core OS X is Unix, which is inherently more secure. It's more secure because of its open source nature, which is subject to harsh peer review. Apple has done a marvelous job with security in OS X. Flash out of date? You can't use it in Safari until you update it. Java is out of date? OS X will also shut it down and also push you the latest version.

    2. Tom 13

      Re: the usual snarky tone that there is something amiss.

      There is something amiss and it deserves the usual snarky tone.

      MS engineered their software for ease of use at the expense of security. Despite many remakes and PR efforts that remains at the heart of their exploit issues. The *nix kernels are even bigger targets because in the server world they run most of it on the Really Good Stuf (TM). And in theory* because the code is out there you ought to be able to hack it more easily. But the number of critical flaws in the *nix kernel are lower precisely because unlike MS, their kernel is ONLY a kernel, not a mishmash of everything from the kernel through the applications.

      *In practice the many eyeballs seems to negate theory, but the meme persists.

      1. Robert Helpmann??

        Re: the usual snarky tone that there is something amiss.

        "The *nix kernels are even bigger targets because in the server world they run most of it on the Really Good Stuf (TM)."

        What you are doing is comparing apples and oranges, here. Servers are not workstations. The protections and vectors are not the same. Compare Windows servers versus Windows workstations in an enterprise setting and you should find that the workstations get hit at a far higher rate. On the other hand, the argument that higher numbers make more attractive targets is being borne out by the increasing pressure on Android devices.

        Where there are enough assets to make an attack worthwhile, there will be an attack. Eventually, the attack will be successful. At the enterprise level, setting up all machines with one OS is a weakness, as someone who can compromise one machine should have no problem with the rest. Better security is based on multiple layers, from OS, to AV and onward.

        1. eulampios

          Re: the usual snarky tone that there is something amiss.

          "targets is being borne out by the increasing pressure on Android devices."

          Not true, it was heard long before Android, a pretty controversial theory. And BTW, for Android it's only trojans to talk about, illegitimate apps. One installs those at his/her own risk when not examining permissions and perhaps outside of G. Play (MS Windows lacks even that). It's still unheard of to get a trojan through an RCE.

          "Compare Windows servers versus Windows workstations in an enterprise setting and you should find that the workstations get hit at a far higher rate." Both need AV according to Microsoft.

      2. Anonymous Coward

        Re: the usual snarky tone that there is something amiss.

        ". But the number of critical flaws in the *nix kernel are lower precisely because unlike MS, their kernel is ONLY a kernel,"

        Erm, you know there are well over 900 critical flaws known in the Linux kernel alone? Versus say 450 in the WHOLE of the worst Microsoft OS ever - Windows XP?

        Windows has historically had a couple of orders of magnitude fewer kernel vulnerabilities than *nix kernels...

        1. localzuk Silver badge

          Re: the usual snarky tone that there is something amiss.

          @AC - Try to keep up. The Linux kernel has gone through hundreds of versions. If you're going to compare, let's try to compare like for like, shall we? What was the number of Linux kernel vulnerabilities during the Windows XP years?

    3. Ryan Nix

      Re: Tiresome

      Tired? Hardly. M$FT is one of the most profitable companies in the history of capitalism and they can't make their products better or more secure. Quite frankly, M$FT lacks the culture to make great products.

      1. Anonymous Coward

        Re: Tiresome

        Every month they make their products better and more secure... That's kind of the point of patch Tuesday...

  3. Anonymous Coward

    'ugly'?

    Has there been a beautiful Patch Tuesday then?

    1. theblackhand

      It seemed a beautiful patch Tuesday at the time.

      I was very, very, very drunk at the time though......

      Disclaimer: patch Tuesday may have been very drunk as well, I didn't take the short route through the ugly tree....

  4. andy gibson

    Same old article

    And the same old comments. Why not just save everyone the time and bother, just close the thread to comments and direct it to last month's Patch Tuesday arguments.

  5. Anonymous Coward

    @AC bashing MS...

    Every piece of widely used software is subject to issues. Non-MS products are no exception. Linux/Cdorked and Darkleech are a good example. And they [the reports everyone is giving] still don't seem to know how they work. I'd much rather MS patch things pronto than deny their existence like some other software vendors.
