Fix for IE6??
Or whatever it is called. That should fix all the security holes and truly be bug free. Please do it NOW!
Microsoft has fixed security bugs in Internet Explorer and Windows that allow hackers to remotely execute code on victims' vulnerable machines – one bug a result of poor JPEG handling. Redmond said the March edition of Patch Tuesday – out today, natch – tackles programming errors in the software giant's web browser, operating …
365 days a year (+1 for Leap Year) the 'miscreants' can hammer on the Windows OS/Apps, except for those 12 magic days in which Microsoft urges its clients to urgently apply the monthly bandaids.
After long striving to persevere to endure the never-ending story of patch, pray, and evade the slings and arrows of OS attacks, I've begun to wonder why XP has managed to survive, and why MS abandonment of XP will really matter ... really?
If our existing anti-virus safeguards, and safe-computing practices have kept XP alive all these years of 30 days/month, 353 days/year naked exposure before MS deigns to release its patches, where's the worry? Nonetheless, after striving to persevere to endure this sorry never-ending story, we've opted for Linux -- SolydK on the wife's box, and PClinuxOS on mine.
"Phew, thanks goodness after enduring that, there are never any updates for Linux or the software running on it."
Oh there are... but the point was you get a patch as soon as it's available. And in most cases, security related patches are applied automatically, and that's not limited to the OS either.
Mmmm... to be fair, you should also state the following measures:
1- How many times your antivirus has detected a dangerous file in your OS?
2- How many times your OS configuration has been altered without you realizing that? Such as browser toolbars appearing from nowhere, or your browser homepage changed?
3- How many of your CPU and RAM your antivirus is devoting to protect your machine instead of doing other tasks?
4- How long does it take from vulnerability discovery to patch time in each OS?
5- How disruptive is patching?
I curate and carefully keep both my Windows and Linux installs on all 5 machines in the house. In spite of that, my Windows/Linux scores on the questions are:
(1) a few multimedia files trying to download malicious code disguised as multimedia codecs/none (I don't even run AV in Linux) those MP3 and AVI files simply don't play (audio) or display (video) a pathetic message suggesting me to download a codec from a dodgy site.
(2) a few carelessly installed programs that don't require elevated privileges (kids)/none
(3) About 25% CPU and a few hundred megs of RAM/none (I don't have any kind of AV in Linux)
(4) Depends on the whim of Microsoft, anything from days ("out of band because we can be sued to oblivion, lose all credibility or both") to weeks if it will be patched next patch Tuesday/usually 24-48 hours
(5) I have to close the applications being patched and there is a nagging popup reminding me to reboot/nothing happens and I can keep working while the system is being patched. Sometimes I'm informed that some changes will have to wait for the next reboot.
Plus, bonus final question: how do you know for sure that vulnerabilities discovered in Linux don't lurk somewhere inside Windows codebase? You don't know because you don't have Windows source code.
Currently "patching" a Linux box, by the way. At the same time I'm converting some video files, using it to backup of a Windows laptop and browsing the web.
"Plus, bonus final question: how do you know for sure that vulnerabilities discovered in Linux don't lurk somewhere inside Windows codebase? You don't know because you don't have Windows source code."
Oh, and you presumably carefully check through each line of source for every patch issued for your linux machines, and have personally evaluated every routine in your OS (obviously including audio players and image viewers, even though you clearly don't lower yourself to such common offal as images and videos)?
What's that? You HAVEN'T?? But, but, you said that...
Damnitall, people, there are good reasons to use Linux. So why does it seem like Linux users never actually mention them?!
Arguing that having the source to your operating system enables you to avoid security issues via advance knowledge makes about as much sense as claiming that your granpa-paw's shotgun is going to stop the US army.
"Oh, and you presumably carefully check through each line of source for every patch issued for your linux machines, and have personally evaluated every routine in your OS (obviously including audio players and image viewers, even though you clearly don't lower yourself to such common offal as images and videos)?
What's that? You HAVEN'T?? But, but, you said that..."
I didn't say that. Read again just in case. The point is, anyone has the chance of doing it, as the stream of vulnerabilities discovered proves. What are the chances of doing it with Windows? (excluding of course being NSA/CIA/etc...) Zero. Nothing. Nada. So you have a non-zero chance (Linux) against zero chance (Windows). Either you trust a single private entity (whose interests may or may not include security) where at best a few individuals are reviewing code in a closed room, versus a huge community that openly shares its discoveries. Which side wins?
Guess that the majority of the world has already picked a winner.
And there are many other reasons to use Linux, which is not the point of the article or the original post. Rarely someone will commit to use an OS for a single reason. But security is definitely one of them.
"The point is, anyone has the chance of doing it"
Uh, no. First, you only have a chance in theory if you're a good enough programmer that you're -better- than most of the people who worked on the code already, and have extensive experience with the same environment and tools. And you also need to have enough frhundreds to undertake a thorough security review of hundreds of thousands - millions? - of lines of code within the window of time in which you become aware (how?) of a potential vulnerability and when it is exploited by someone else.
Essentially, to have even the slightest chance of efficacy, your argument - almost by definition - requires an average user to single-handedly have the knowledge, time, and skill of every hacker and security researcher in the world put together. By your own admission, one of Linux's strengths is that of vast numbers of individuals accomplishing things impossible for a single user - yet you expect a single user to gain an advantage from personally scouring every shred of those thousands' work, presumably on an ongoing basis?
At least suggest something that passes the sniff test rather than another of the Linux zealots' bag of pompous, self-important encyclicals. You guys make Julian Assange look like a people person.
You don't have to do it all by yourself, you can share the effort with the rest of the community. And you don't have to audit the whole thing, just the pieces that you use. You don't necessarily have to know how the code works to spot a buffer overflow, a double free or many other sources of vulnerabilities, there are even tools that automate that. And the better the code the more readable it is.
Sure, it is not cheap or quick, or 100% safe, and it only makes sense to do when what is a stake is higher than the cost of doing it. But...
Still having some chance, however small, beats having no chance at all.
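The comment above names two defect classes, a buffer overflow and a double free, that a reviewer or an automated tool can spot without understanding the program's logic. As an added illustration that is not part of the thread, the defective pattern is described in comments beside a safe form; the function names (`copy_name`, `release`, and the two check helpers) are made up for this example.

```c
/* Added example, not from the thread. Shows the safe counterparts of the two
 * defect patterns mentioned above; names are invented for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16

/* Defective pattern (left as a comment so the example stays safe to run):
 *   char name[NAME_MAX]; strcpy(name, src);
 * Any src of NAME_MAX bytes or more writes past the end of the buffer.
 * A build with -fsanitize=address, or a stack protector, flags this at run
 * time without the reviewer reading the surrounding logic. */

/* Safe form: bounded copy that keeps room for the terminator and reports
 * oversize input instead of silently writing past the end. */
int copy_name(char dst[NAME_MAX], const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_MAX) {
        dst[0] = '\0';   /* refuse; the caller decides how to handle it */
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Defective pattern: free(p); ... free(p);  (double free, same pointer).
 * Safe form: take the pointer's address and null it after freeing, so a
 * repeated release becomes free(NULL), which the C standard defines as a no-op. */
void release(char **p)
{
    free(*p);
    *p = NULL;
}

/* Helpers that return checkable results instead of only printing them. */
int copy_result(const char *src)
{
    char name[NAME_MAX];
    return copy_name(name, src);
}

int double_release_is_safe(void)
{
    char *buf = malloc(32);
    if (buf == NULL) return 0;
    release(&buf);
    release(&buf);            /* second call is harmless */
    return buf == NULL;
}
```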
> You don't have to do it all by yourself, you can share the effort with the rest of the community.
If you trust each and every member of that community with your bank details, yeah.
Face it, the "added security" of open source code is largely a placebo. It makes smug people feel a bit more smug. I personally code for several F/OSS projects. By your implication I am therefore wholly trustworthy. Shyeahright.
In practical terms, F/OSS is no more secure than any other code except in tiny projects.
"If you trust each and every member of that community with your bank details, yeah"
Exactly how is that related to a code audit? Really intrigued, last time I read some source code I did not have to give my credit card to anyone. If you had to do that, I'd suggest you call the police and tell them your story.
"Face it, the "added security" of open source code is largely a placebo"
Citation needed. It would be curious to know how the placebo effect applies to source code. How a machine feels (or actually is) more secure because someone told the machine that it was going to be more secure by running F/OSS? Oh right, you're referring to the people feeling more secure. Citation needed still, or at least anecdotal evidence?
The feeling of security, not only in IT but anywhere in life, comes from trust. So what you're saying is that in the end you trust Microsoft more than the F/OSS contributors to a project? Fortunately it is your choice and your security, not mine.
"It makes smug people feel a bit more smug."
Relationship between ability to inspect source code and smug needs to be explained, really.
"I personally code for several F/OSS projects. By your implication I am therefore wholly trustworthy. Shyeahright."
Best logic contortion seen in ages. Note that applying the same principle and your previous sentence, you're also smug.
I've coded for some F/OSS projects, and don't think anyone should put special trust on me. Quite the opposite, and that's why my code being F/OSS is becoming better, because more people looking at it can improve on it. Not only security wise but in general.
And why do you assume that all "members of community" have benevolent intentions?
Just the mere statistics. The Law of Big Numbers (quite an important topic in Statistics and Probability Theory). The fact that with an open code given enough popularity for the project, the chances are higher than in the case when it is proprietary.
Why do you have to trust all developers? A few people might be enough to spot mistakes or malevolent intentions of those you don't trust. Once again, no code is available to examine, change and redistribute, you have to trust one entity? How reliable is that?
Okay, who do we trust? Say, Adobe flash player, pdf reader? Yes, sure. No malevolent intentions are needed.
Another example that stands out is skype with the shitty design, apparently, since Microsoft or the former code owner seem to fail the main principle of IT of modular programming. The current MS skype offering has no 64-bit builds for Linux. You gotta install a whole bunch of dependent libs emulating i386 if you run a 64-bit version of the OS (multiarch in Debian terms). It's still a shitty little app as far as the sound is concerned. Compare it with linphone a sip client for Linux/BSD/Windows/Android working flawlessly on each platform.
"Oh, and you presumably carefully check though each line of source for every patch issued for your linux machines, and have personally evaluated every routine in your OS..."
All Linux users do review the code. They just don't admit to it as they don't want you Windows tw@'s to feel bad.
Now go back to the rest of the Windows sheep and pay your licensing fees.
We have been told many times, that Win7/Server 2012 are a complete re-write of the Windows code base. So judging from all the bugs that cover all versions of Windows, MS either re-wrote all the bugs from the old versions of the code, they never learnt from mistakes and authored new code including the same failures as last time, or by Occam's razor rule, the simplest explanation is that they're lying and the rewrite never occurred, the most economic & profitable route was taken, a cut and paste job of bug ridden old code and Windows dressed up in a new frock.
Due diligence by companies should mean that the use of windows in the enterprise is prima facie negligence. Windows has numerous security flaws, bad security and authorisation, is the biggest OS attack target and should be dumped immediately. Windows is not of merchantability and a heavily invested enterprise should start the ball rolling by suing Microsoft for every penny they can get.
Software is a product one can buy with NO guarantee of it doing what is said on the tin or actually working at all. MS are not alone in this. I don't condone the use of weasel words in licencing agreements to avoid responsibility for providing an unfit for purpose product... It is just the way it is.
One can accept this with software that is given away free of charge. It is generally the case that one gets what one pays for right? Not so with commercial software.
"Win7/Server 2012 are a complete re-write of the Windows code base"
Never, ever heard that. Perhaps in the end user space this may be true for some components, but the kernel and base Win32 libraries have been essentially untouched for about a decade. Only bug fixes and additional support for hardware has been added, but nowhere near a complete rewrite.
True, there has been some effort (at last!!!) in Server 2012 to separate GUI code from low level services, what they call "Server Core"
But note that it has been achieved by patching APIs on non kernel components in places where they wanted to use the GUI. And that still legacy programs may require you to install GUI components on the server.
A rewrite approach is far too risky given the sacred compatibility cow Microsoft has to pay tribute to.
Don't know who told you that but they were lying or grossly misinformed. Vista was apparently originally meant to be a ground up rewrite but the rewrite was running way late and overbudget, and fell foul of MS's Machiavellian internal politics so it was cancelled and the Vista we got was based on the XP codebase.
There are a couple of handy but minor new features under the hood of Win 8/Server 2012 but that's all. TIFKAM basically just sits on top of the Win32 API's much like the various wrappers they've cooked up over the years to make Win32 more palatable.
If Vista had been based on the XP code base it would not have failed as miserably as it did.
Or perhaps you haven't noticed all the recent articles bemoaning the fact that even with XP being EOL next month it still runs neck and neck with Windows 7 for installed user base with Vista and Win 8 falling far, far behind.
Oh I'm pretty sure they know it is unwise. Problem is they don't have a lot of choice.
Having finally eliminated Netscape as a competitor, they assumed IE6 would be the forever IE. Then they linked in ActiveX etc and told business execs they could code their intranet pages to execute OS code for company-only apps. And the business execs did, generating the lock-in MS desired. And then the business execs explained that because of the vast amounts of money invested in those apps, the lock-in was now a two-way street. Which is where we are to this day.
I especially like the way the headline is all about screaming at how vulnerable Windows PCs are (bonus points for getting "Microsoft" in there, and for not mentioning which versions), and then at the bottom, almost as an afterthought: "Oh, and Adobe released a fix too for a cross-OS vulnerability".
Personally, I believe that there's no such thing as a vulnerability-free system. However, it's very easy to target the runaway market majority holder, especially when they've traditionally painted a bulls-eye on their forehead. And yes, it would be a lot better if patches were released as soon as possible.
But this is just patch Tuesday. It's the way Microsoft have decided to do things as a corporation, and it's been that way for ages. No need to make a fuss.
Does Microsoft keep a list of all the file formats it repeatedly has trouble with?
So when they do a complete-from-the-bare-metal-absolutely-no-code-cut-and-pasted-nosiree-not-a-line rewrite you have a list of stuff-to-not-screw-up-this-time.
One defense I've heard over the years is that MS has to patch its drivers because the hardware suppliers' versions are so p**s poor. It could be argued that at some level this format has to be actually rendered by some sort of display device and this is tricky.
But then it's always been tricky, back since the days of Windows 1.0.
Biting the hand that feeds IT © 1998–2019