back to article How to not get pwned on Windows: Don't run any virtual machines, open any web pages, Office docs, hyperlinks ...

Microsoft has posted the April edition of its monthly security update, which kills a bug that allows guests to escape to hosts on Hyper-V. A malicious app running in a virtual machine can exploit this flaw to drill down to the host server, execute code on the machine, and interfere with the system and other VMs. Which is bad …

Page:

  1. Anonymous Coward
    Anonymous Coward

    How not to get pwned on Windows...

    Switch to Linux.</sarcasm?>

    1. Anonymous Coward
      Windows

      Re: How not to get pwned on Windows...

      Spoken like a Windows user... Use of XML when given the chance, but no idea how to use it.

    2. This post has been deleted by a moderator

    3. Anonymous Coward
      Anonymous Coward

      Re: How not to get pwned on Windows ...

      Don't run Windows Update.

    4. AMBxx Silver badge
      Thumb Down

      Re: How not to get pwned on Windows...

      ZZZZZZZZZZZZZZZZzzzzzz

      I wish they'd stop allowing comments on Windows update posts, always the same comments, get's really boring.

      1. 1Rafayal

        Re: How not to get pwned on Windows...

        Shhhhhhhh, thou must not say anything but the negative when referring to Windows here.

    5. bitmap animal

      Re: How not to get pwned on Windows...

      If you think MS has a lot of updates you'll be horrified by the number Linux requires. Why don't you have a look and count them.

      1. JLV Silver badge

        Re: How not to get pwned on Windows...

        >Why don't you have a look and count them.

        Actually, I would be interested in an honest appraisal of such. On Win, Linux, OSX, which patches are delivering true OS, non-app, high grade vulns fix, such as remote exec flaws? Severity vs just volume, with CVE the judge. Anyone knows? Also pick one OS release on each end - Win 10 vs OS X El Capitan vs latest kernel Linux.

        I think Windows, but am willing to hear counterarguments. As a cynical and open-eyed Apple user, I am more surprised that it doesn't get powned more often than blindly trusting in Apple's ability to maintain BSD-level security on their own code. They've had some doozies over the years and I've had friends get powned on Macs, very occasionaly.

        Doubt I'll get a straight answer I can believe from too many here, though hopefully some of you certainly know it.

        But one thing I think I can answer myself: which of those 3 OSs will, on desktops, require the most reboots to accomodate those patches? Which OS doesn't typically know and has the always helpful "may require a reboot" rather than stating so outright?

        1. Roland6 Silver badge

          Re: How not to get pwned on Windows...

          >Why don't you have a look and count them.

          Actually, I would be interested in an honest appraisal of such.

          Well I'm not certain that looking at the current numbers of patches is a valid comparison between Win and Linux. Simply because of Linux's install base compared to Windows and hence it's attractiveness to developers - both those who are trying to get stuff done and those who wish to exploit it.

          1. JLV Silver badge

            Re: How not to get pwned on Windows...

            Valid points between Windows and Linux, to an extent.

            But OSX has pretty much the same userbase attractiveness wrt malware as Windows. And very few people bother to run AV software on it - I de-installed Sophos because it tended to hog CPU atrociously from time to time and, for the overhead, I was uncertain at its actual efficacy on Mac malware. I do have ClamAV, but only use to scan downloads. So, along with the capacity of its users to pay the Apple surtax, it would seem like a valuable enough malware target.

            And, going back to Linux, there is plenty of $ to be made in server breaches.

            I would also separate app & browser patches (IE, Edge) from OS level patches. After all, you can always run FF or Chrome on Windows. And browser vulns are only the OS's fault if the OS allows them to propagate - an OS should be totally paranoid about resident browsers at all times. While there is no doubt in my mind that Office macros are a cesspit of threats, that's not core Windows fault, even though MS as a whole does bear responsibility for them and patches them.

            So, do we have any hard numbers besides the "yours has more bugs than mine" arguments that all sides quote with happy abandon? MS does seem to focus a lot more on security than it did 10 years ago, so are we still judging them from that time?

            1. oldcoder

              Re: How not to get pwned on Windows...

              "focus a lot more on security" doesn't mean they do anything about it...

              the same failures from 17/18 years ago are still present.

            2. azaks

              Re: How not to get pwned on Windows...

              >> But OSX has pretty much the same userbase attractiveness wrt malware as Windows.

              How do you figure that? How many companies create products that are relevant to < 10% of their potential customer base? Custom malware for a targeted attack yes, generic malware to maximise returns = no.

        2. Anonymous Coward
          Anonymous Coward

          Re: How not to get pwned on Windows...

          "Actually, I would be interested in an honest appraisal of such"

          According to Secunia, SUSE Server 10 is on well over 4,000 (and OS-X is on well over 2,000) listed vulnerabilities.

        3. azaks

          Re: How not to get pwned on Windows...

          Very valid points about volume not being the only metric - clearly it isn't.

          Security bugs are a fact of life in all software - the bigger the code base, the more you can expect. Saying "my OS is less likely to get pwned than your OS" is just stupid.

          Another factor that affects bugs found is the number of people motivated to look for them. We all know that the "many eyes" theory spouted by the OSS hardliners is complete bullshit. Finding usable exploits costs time and money, and if maximising your return on said exploit is your goal, it doesn't take a rocket scientist to predict where most of the investment is going to go.

          1. h4rm0ny

            Re: How not to get pwned on Windows...

            >>"Security bugs are a fact of life in all software - the bigger the code base, the more you can expect. Saying "my OS is less likely to get pwned than your OS" is just stupid."

            It's not stupid. There are actual variations in security flaws between different OSs. Back in pre-Vista era, Windows was inherently less secure than GNU/Linux. That's no longer true. Windows is probably slightly more secure than GNU/Linux these days. And maybe that will change again over time - who knows. But it's not right to reject comparisons between OSs. It's useful. If nothing else, it keeps different vendors trying hard to compete in the area of closing down vulnerabilities.

            >>"We all know that the "many eyes" theory spouted by the OSS hardliners is complete bullshit."

            It's not "complete bullshit". It's a valid argument that Open Source benefits from people being able to inspect the source and find flaws. The problem is that the more complex the project, the more specialized you have to be to notice flaws. I can find a flaw in the MySQL source code. I can't find one in Firefox source - I simply wouldn't know where to start with their code base. But that doesn't mean that other people can't or that it's "bullshit".

            The biggest security advantage of Open Source, though, is not guarding against accidental flaws, but against deliberate ones. It lets you examine the source for deliberate backdoors by the vendor. That has a lot of value, imo.

    6. People's Poet

      Re: How not to get pwned on Windows...

      It's a shame it's just not true though, I received 50 Security Advisories from Red-Hat between the 2nd March and 7th April. I've often woken to seeing 10 or more come out in 1 night. Stop believing the hype that Linux or any OS is any more secure than Windows. It's just the sheer numbers of Windows desktops that make being pwned more likely however give your average Windows user a Linux desktop and don't apply the patches and they're just as likely to get pwned over time.

      1. John 104

        Re: How not to get pwned on Windows...

        So true. At a previous job I set up alerts for updates for RHEL. It got to the point that it was just spam there were so many. And like spam, they pretty much got ignored...

      2. azaks

        Re: How not to get pwned on Windows...

        How dare you bring facts to this forum - shame on you!

        If you don't have anything negative to say about M$, don't say it at all!

    7. Darryl

      Re: How not to get pwned on Windows...

      Well, it is true. You won't get pwned on Windows.

      You'll get pwned on Linux

  2. This post has been deleted by its author

  3. The little voice inside my head

    Sad pretty much not being able to use the PC

    We are living in an era when you cannot even turn on your PC and make it "face" the Internet, it is so full of viruses that somebody will "cough" and spread them to your PC.

    1. Palpy

      Re: Sad pretty much not being able to use the PC

      Well, you can use your PC. You just have to be careful when using Windows. I might venture that one should be increasingly careful. As the malware writers game-up, you would be well advised to tighten your defenses wherever you can.

      I'll avoid the Linux-Windows-Mac malware debate, except to note that efforts are being made to craft OSes which are less vulnerable to attack. None will ever be perfect, but Qubes, OpenBSD, and others present significantly higher hurdles for attackers to overcome.

      So your PC is usable and you may even Goggle the Online in a relatively carefree manner. It's the OS setup you mostly need to worry about.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sad pretty much not being able to use the PC

        "You just have to be careful when using Windows."

        Or a version of Linux that anyone actually uses - like say Android...

    2. Mikel

      Re: Sad pretty much not being able to use the PC

      Yet somehow your phone and tablet can be on the Internet wherever you go all day long with nary a twitch. It's almost as if there were a specific software vendor involved in all of this PC malware mess.

      1. MrRimmerSIR!

        @Mikel

        Haven't caught Stagefright yet?

      2. Goit

        Re: Sad pretty much not being able to use the PC

        You mean like a Microsoft smartphone? You're right, I've never had a problem with it! FYI, I've recently had to root and clear out two friends kids Android smartphones and my nieces' Android tablet to rid them of malware.

        1. oldcoder

          Re: Sad pretty much not being able to use the PC

          They had to deliberately install the malware...

      3. oldcoder

        Re: Sad pretty much not being able to use the PC

        That is because most phones and tablets are not Windows... They are iPhone/ipads and Android

      4. Dan Paul

        Re: Sad pretty much not being able to use the PC

        If you change the word "vendor" to "Target" you may have a point. Otherwise just more boring drivel. There is little reason for virus and malware creator/users to target obscure and little used operating systems. Regardless of what you think about Windows, it has a greater market share and thus will always be targeted by those criminals.

        The second that other operating systems become more popular, these virus writing scum will make "product" that targets the more popular OS. This has already happened with Mac's and the other are next.

        Smug pontification about the "superiority" of your brand of OS gets us nowhere.

        1. oldcoder

          Re: Sad pretty much not being able to use the PC

          There are more linux systems in the field than there are Windows systems... Yet Windows is still the most vulnerable.

          1. This post has been deleted by its author

        2. Mikel

          Re: Sad pretty much not being able to use the PC

          @Dan Paul

          >Regardless of what you think about Windows, it has a greater market share and thus will always be targeted by those criminals.

          That is what has been said for 20 years. We know now that it was always a lie. Far more people use Android than Windows. Over a billion more. There are more users of the Facebook app on Google Play than all the Windows users, all versions, worldwide. And they use Android more often, for more minutes each day too.

          This lie is toast now. The insecurity of Windows is inherent in the design compromises they made to kill its early competition, and now they are stuck with them for backwards compatibility reasons. They fell into their own trap by taking shortcuts with security. The global malware ecosystem and industry are all theirs and they are welcome to keep them.

      5. Anne-Lise Pasch

        Re: It's almost as if there were a specific software vendor involved in all of this

        Yep. Adobe.

        1. JLV Silver badge
          Facepalm

          Re: It's almost as if there were a specific software vendor involved in all of this

          >Yep. Adobe.

          OK, I get that OS preferences is resulting in very mixed up/down vote counts here.

          But did someone really downvote in defense of Adobe here???

      6. h4rm0ny

        Re: Sad pretty much not being able to use the PC

        >>"Yet somehow your phone and tablet can be on the Internet wherever you go all day long with nary a twitch. It's almost as if there were a specific software vendor involved in all of this PC malware mess."

        I'd lay good money that you would also be critical of the Windows Store. In fact, given that this is Mikel, long-time poster on El Reg. noted for virulent anti-Microsoft posts, I'd say it's almost a certainty you've been against it. Yet you compare Windows (open and free to install what you want) to locked down systems like iPads and Windows RT. If you can't see the relevant distinction between an iPad and a Windows OS machine is not vendor but user privileges, you're wilfully blind.

        Oh, and you should check out Android sometime (the most popular OS used for phones) which even at one's most charitable could not be described as having "nary a twitch" when it comes to security.

    3. veti Silver badge

      Re: Sad pretty much not being able to use the PC

      Well, looking at the specific vulnerabilities - I only see one that's an immediate threat to me, plus a couple that could be threats in the medium term. The rest all target specific software or services that I don't use, or require a level of pre-existing access that, if someone else has it, I think I'm already boned.

      So I'd call it irritating rather than sad. And the chance of actually getting hit by one of the vulnerabilities that isn't completely irrelevant, in the time between discovery/promulgation and patching? Slim.

    4. kitekrazy

      Re: Sad pretty much not being able to use the PC

      This is the best use of sarcasm I've seen in a while

    5. Anonymous Coward
      Anonymous Coward

      Re: Sad pretty much not being able to use the PC

      Hmmm, let's not get too carried away now. Even on Windows, a bit of cleverness goes a long way:

      - add a JS blocker like NoScript to your browser. Whitelist very selectively. prefer to whitelist temporarily.

      - NoScript on FF can really act up at the most inconvenient times for ecommerce sites. Rather than turning off some of its paranoid settings, open up your secondary browser (Chrome for me) and complete your transaction there instead.

      - never click on email links unless you know they are from your actual friends. be courteous and always provide a bit of personal chit-chat when emailing a link to someone, just so they know it's you and so they know that you expect that courtesy yourself.

      - avoid Flash and Adobe Reader like the plague. Ditto Java applets.

      - macros in Office docs you didn't write yourself? red flag!

      - be wide-eyed, I mean extra-careful, around smut sites. never download 'extra required codecs' to view files.

      - never run warez code. A crack generator? Whodathought I would be the one getting hacked?

      - download mostly from at least somewhat competent download aggregator sites or open source repos.

      - use your AV to scan what you've downloaded before running it.

      - google up 'malware virus <name-of-something-I-want-to-install>' liberally.

      - backup and take into consideration crypto ransomware when doing so.

      - never, ever, reuse sensitive passwords, though there's nothing wrong with reusing 'foobar1234' on all the various websites you don't care about (sorry, The Register, that means you).

      - encrypt your sensitive data in a mount-on-demand container like TrueCrypt. (be careful about TrueCrypt containers & backup sofware - TrueCrypt goes out of its way to keep file timestamps constant)

      None of this is rocket science, nor very demanding. I spent years using primarily Windows at home without much ado.

  4. TxRx
    Go

    Happy Tuesday!

    Not sure what's more interesting, the volume of vulns on Windows out there or if MS are closing in on more vulns quicker. Go update!! (after testing it doesn't impact your prior pipe/infrastructure)

    1. Mark 85 Silver badge

      Re: Happy Tuesday!

      Go update!! (after testing it doesn't impact your prior pipe/infrastructure)

      Or maybe just wait a few days until all the hidden and disguised updates are found and exposed? I've learned not to be to quick to do the updates...

      1. fran 2

        Re: Happy Tuesday!

        Or wait a week and watch the early adopters wail on the various MS forums that the updates borked their servers

    2. Pascal Monett Silver badge

      Re: "MS are closing in on more vulns quicker"

      Really ? If that were the case I would expect that faults in Secondary Logon would have been found and corrected last decade. It was introduced with 98, if I'm not mistaken, it's about time they ironed out the issues there.

      Seriously, I have the impression that I've been reading more or less the same patch notes since Y2K. A "remote execution vulnerability" in IE and Edge, wow, what a surprise. The exact same wording in two different patches on the same day for both Microsoft browsers - thank goodness Edge does not support ActiveX, I might have been made to think that Edge is just a rebadge of IE.

      It's nice that MS is patching obviously, but it would be nicer if I didn't have the impression that, whatever the version, they're always patching the same issues from last decade.

      1. regadpellagru

        Re: "MS are closing in on more vulns quicker"

        "Seriously, I have the impression that I've been reading more or less the same patch notes since Y2K. A "remote execution vulnerability" in IE and Edge, wow, what a surprise. The exact same wording in two different patches on the same day for both Microsoft browsers - thank goodness Edge does not support ActiveX, I might have been made to think that Edge is just a rebadge of IE.

        It's nice that MS is patching obviously, but it would be nicer if I didn't have the impression that, whatever the version, they're always patching the same issues from last decade."

        I'm thankfull I'm apparently not the only one feeling this !

        Apparently, this time, it's only IE 9,10,11 & 12 (Edge). Most of the other weeks, it's IE 6-12, like if, IE 12 code was IE 6 minus AcriveX ...

  5. alain williams Silver badge

    I am told ...

    that keeping it switched off keeps it secure.

    1. Dan 55 Silver badge

      Re: I am told ...

      No, Intel removed that option with AMT.

    2. Anonymous Coward
      Anonymous Coward

      Re: I am told ...

      "that keeping it switched off keeps it secure."

      A friend was surprised to find his PC switching itself on and rebooting at 3am to install Windows updates that had been automatically downloaded.

  6. VinceH Silver badge

    The real question is how many of the 'security' updates include Windows 10 update malware.

    1. Mikel

      Hey

      What happened to the courtesy !!! SPOILER ALERT !!! ?

      That is from tomorrow's story.

      1. VinceH Silver badge
        Coat

        Re: Hey

        I do apologise. Next time I'll double-ROT13 such a comment, and give a warning for people to read before decoding it. ;)

        1. DropBear Silver badge
          Trollface

          Re: Hey

          Double-ROT13 has been successfully attacked ages ago. If you insist using that ancient thing, a minimum of ten or twelve rounds is recommended.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019