It's March 2018, and your Windows PC can be pwned by a web article (well, none of OURS)

Microsoft delivered another hefty bundle of patches with its scheduled monthly update.

Redmond bulks up for Vancouver

The March edition of Patch Tuesday lands just hours before researchers are expected to flaunt their latest and greatest exploits at the CanSecWest Pwn2Own hacking competition in Vancouver. Hopefully nobody was …

Silver badge

Nope

Mine can't, at least not via any of the issues listed in the article.

3
1
Silver badge

Re: Nope

What a time to be alive.

1
0
Anonymous Coward

Re: Nope

"Mine can't, at least not via any of the issues listed in the article."

Same here. It already patched itself.

0
0

I'm sure it's a coincidence that they've got so many fixes in, just before Pwn2Own.

10
0

Pretty sure it's a coincidence, just as how it's utterly coincidental that in the rush to get the fixes out before P2O, they've just created another 90 vulnerabilities on the "patched" systems.

10
1
Silver badge

Genuinely interested in finding out the answer to this. Given there are so many vulnerabilities found and they keep patching the code, are the fixes they make likely to open up more vulnerabilities or break fixes for old ones? It seems never ending and I do realise just how big these code bases are it just amazes me that they can never ever get near fully secure.

11
2
Anonymous Coward

Patches are a useful place to go looking for old flaws, and these can sometimes point at new flaws.

You can never get an "informally" developed OS like Linux, Windows, Mac OS, completely correct. Even the venerable VAX VMS is still yielding bugs 30+ years on. There are simply too many ways (gazillions) in which sequences of system calls can be strung together with varying parameters to allow exhaustive testing. Kernel fuzzing is all about trying out random stuff and seeing what combinations work.

Instead you have to design the OS "formally"; that is pretty unusual, because it means the OS, the compiler, the library, the CPU and major peripherals all have to be expressed in a kind of maths (a formal specification language), and then do a load of algebra to prove that process A cannot access process B's address space, etc. Then you have to implement it, and formally show that what has been written and built implements that maths.

This is sooooooo far removed from what most programmers want to do that it's almost never done.

There's Green Hills' INTEGRITY 178b OS, which is excellent, and that's about it. But even that is based on the assumption that the silicon it's running on is perfect, and as Meltdown and Spectre have shown that's far from guaranteed. As it happens INTEGRITY is a hard real-time OS, with fixed runtime allocations, so it's probably quite difficult to do a timing side-channel attack.

16
0
Anonymous Coward

"Given there are so many vulnerabilities found"

I'm not sure if you mean by Microsoft, but did you realise that Edge has far fewer CVEs than say Chrome since launch and that Windows 10 has had far fewer CVEs since launch than say a similarly specced commercial Linux distro install or OS-X?

"are the fixes they make likely to open up more vulnerabilities or break fixes for old ones?"

Microsoft have not introduced many known regression-type security flaws.

2
4
Silver badge

"I'm not sure if you mean by Microsoft, but did you realise that Edge has far fewer CVEs than say Chrome since launch and that Windows 10 has had far fewer CVEs since launch than say a similar specced commercial Linux distro install or OS-X?"

I don't think this was a pissing contest question.

3
3
Anonymous Coward

"I don't think this was a pissing contest question."

The implication was that Microsoft's security is somehow terrible compared to anyone else. Which isn't really the case and needed correcting.

1
6
Silver badge

"The implication was that Microsoft's security is somehow terrible compared to anyone else."

No, I wasn't implying Microsoft were worse than anyone else because everyone has bugs and security flaws. It was a general question.

2
2
Silver badge
Coat

it just amazes me that they can never ever get near fully secure.

They should ask Theo, he knows how to do it ... 2 vulns in the default install since the 90's ....

icon: Wearing my OpenBSD shirt today

1
2
Silver badge

"it just amazes me that they can never ever get near fully secure"

Nothing can ever be made fully secure. The best you can hope for is to make attacks uneconomical. The problem is that economics change over time -- what was uneconomical 10 years ago is cheap to do now, so there will always be the need for security patches in any system as time and tech moves forward.

0
0
Silver badge

"The implication was that Microsoft's security is somehow terrible compared to anyone else."

It was? I didn't read that implication in the comment at all.

1
0
Anonymous Coward

"'I'm not sure if you mean by Microsoft, but did you realise that Edge has far fewer CVEs than say Chrome since launch..."

It does, but it's a meaningless statistic as the launch date difference is significant. Per month since launch both Edge and Chrome have had a very similar number of bugs on average (Edge ever so slightly more). What's of concern is that over 60% of those bugs for Edge involve RCE, like many of these new ones too.

So the moral of the story is, if you want a secure browser then use Chromium. :)

0
0
Silver badge

Just two of the 75 Microsoft bugs squashed this month have been publicly disclosed.

Interesting. By this, is MS not telling what's being fixed or were the bugs not disclosed publicly? Either way means they could be slipping something under the door. They tried burning us on Win10, why not try for something else?

3
9
Silver badge
Trollface

so, er, let me try to digest and understand that ...

here goes:

You think that by not disclosing security vulnerabilities (of which the vendor is aware) to the world at large before the scheduled fixes are rolled out Microsoft is up to unspecified "evil" bad things?

hmm, you could be right - just to be safe I propose a second layer of tinfoil. That might stop Nadella watching you through your screen.

3
0
Silver badge
Unhappy

Ah.... I misparsed that then. They were not disclosed prior to the fix. I read it as "here's patches but we're not telling you what they fix".

0
0
Silver badge
Pint

Estimating the unknowable

Example: if a given something (like a Risk item) might, or might not, happen, and there's zero information about the odds, then the odds may be assumed to be "fifty / fifty". A more experienced manager would actually set the assumed odds to "one-third / one-third / one-third", because they'd already know that in addition to 'might' and 'might not' happen, there's also the distinct possibility that 'something else entirely' could happen instead.

Using this basic method, and given "75 Microsoft bugs squashed this month", then how can we estimate the number of bugs remaining in Windows?

If you casually walk past a huge (mile-high) haystack, look down and can see 75 needles, then you might be able to extrapolate to guesstimate the total number of needles in the haystack.

Somebody somewhere (a Statistician) must have the skills and info at hand to produce a reasonable guesstimate of the number of remaining bugs in Windows. I would have guessed about three million, but now it must be closer to 2,999,925.

1
6
Anonymous Coward

Re: Estimating the unknowable

>>Using this basic method, and given "75 Microsoft bugs squashed this month", then how can we estimate the number of bugs remaining in Windows?

You can't. It gives no statistical indication whatsoever.

11
0
MMR

Will these fix the two USB ports on my laptop which stopped working after the last Patch Tuesday?

5
2
Anonymous Coward

"Will these fix the two USB ports on my laptop which stopped working after the last Patch Tuesday?"

That's likely to be a driver / vendor issue. See if any hardware driver updates were installed last week?

1
2
Anonymous Coward

More proof...

...that Microsucks has knowingly sold consumers, enterprise and schools defective operating systems and software for which they should be held accountable like any other criminal.

2
13
Silver badge
Trollface

Re: More proof...

ouch! burn!

Well you've convinced me. Can I order a copy of your bug free OS please?

7
0

Not one of ours...

That's exactly what a nefarious hacker would say to lull us into a false sense of security.

4
0
Silver badge
Windows

Good job MSFT!

All my Windows 10 machines updated overnight no bother. Ageing BOFHs can't get the concept of "evergreen".

4
8
Silver badge

Re: Good job MSFT!

I don't expect my car to be "updated" every month. Why should I have to put up with that for my computer?

The answer, I suppose, is that computers are orders of magnitude more complicated. I therefore have doubts about the results of human work subject to commercial necessities. Would I trust a CPU + other bits designed by AI? Hahahahahahahaha.

I do wonder whether in the secret world somebody has a validated toolchain of hardware and software.

2
1
Silver badge

Re: Good job MSFT!

"I don't expect my car to be "updated" every month. Why should I have to put up with that for my computer?"

Clearly you don't own a Tesla then.

4
0
Meh

Re: Good job MSFT!

> I don't expect my car to be "updated" every month. Why should I have to put up with that for my computer?

You might want to be careful what you wish for; Stroustrup had a similar thing to say about his telephone.

1
0
Silver badge

Re: Good job MSFT!

"The answer, I suppose, is that computers are orders of magnitude more complicated."

If we're talking about security patches, that's not the answer. The real answer is that your computer is exposed to the internet and your car isn't. That is a large attack surface that is exposed to a large number of threats that constantly evolve and change.

Your car doesn't have to face that. If it did, then your car would be getting regular updates as well. In fact, the latest cars that are so connected do, in fact, have to do that.

It's not about "flaws". It's about an ongoing arms race.

0
0
Silver badge

(well, none of OURS)

Hey reg,

So if your articles could pwn someone's PC, would you tell them? Nope, attackers don't do that!

But you would tell them that it's safe, to trick them to visit right? ;-

Kidding of course!

0
0
Silver badge
Facepalm

Updates on WSUS approved

Just finished approving updates, so, I'm guessing no issues tomorrow?

I don't think we will ever get ahead of the curve when it's OS first and security someplace down the list in double digits...

1
1

Reports on reddit of Win2008R2 and Win7 clients losing their network adapter settings with yesterday's patch. Anyone here seeing the same thing?

2
0
Thumb Up

Re: Reports on reddit

Thanks for the heads-up, no win7 updates for me atm.

0
0
