Microsoft kills TWO Hacking Team vulns: NOT the worst in this Patch Tues either

Microsoft has released fixes for 59 CVE-listed vulnerabilities in its software – including a patch for the elevation-of-privilege flaw in Windows exploited by spyware maker Hacking Team. There's a patch (MS15-065) for a remote-code execution bug in Internet Explorer 11 on Windows 7 and 8.1 that also emerged from the Hacking …

  1. Shadow Systems Silver badge

    Tell me about it...

    I think my system decided to download & apply each. and. every. fucking. one. of those damned updates one. at. a. time.

    "You may have to reboot after applying" should be changed to read "You'll restart your computer until we feel like letting you stop, Bitch! MUH Hahahahaha!"

    *Growls, sighs, bangs head into the desk*

    Started at just after noon, it's now just after Two PM my time, and I've *finally* managed to get everything applied, rebooted, verified, & Windows Update to report no further patches available...

    Remind me again why I run Windows?

    1. Anonymous Coward

      Re: Tell me about it...

      +1

      Hallelujah for sane Linux package managers, are you watching how it's done MS ?

    2. Gray

      Re: Tell me about it...

      Remind me again why I run Windows?

      Because you're a masochist?

      1. asdf Silver badge

        Re: Tell me about it...

        >Remind me again why I run Windows?

        If you are like me, only because you are paid to. Not at home.

      2. Shadow Systems Silver badge

        @Gray, re Windows.

        That can't be *entirely* true...

        Granted I've been married once and I run Windows (not by choice) but that doesn't make me a masochist does it?

        *Blinks a few times*

        Oh shit, I'm a bloody masochist!

        *Beats skull into the desk until I pass out*

        ...

        Seriously, I run Windows because I'm not sure I have any choice. I can't afford to buy Apple & the state of Screen Readers on Linux wasn't quite there yet the last time I checked. YES there's stuff like Adrenne (sp?) and Vinux, but the former hated my hardware (Intel NUC) and the latter kept glitching on simple things. I need something as stable as Debian with a ScreenReader That Just Works. Since I can't see to fix it when it goes tits up, and my Sighted Minions have the technical savvy of a lump of Vogon shit, I'm at an impasse to get stuff repaired on my own. So Windows is my only real option for the simple expediency that there are far more Windows-knowledgeable Sighted Minions around than Linux ones, unless/until I can (afford to) pay for Professional Support. I live in what is politely called a "Cow Town", where there are more cows than people. My chances of finding a Linux Professional anywhere around are udderly nil. It would behoove me not to milk this any more lest the joke curdle on me, but suffice it to say I can churn the various phone directories until I'm bluuuue in the face & probably never find one.

        *FacePalms with a groan*

        Sorry about that, it's late, I need caffeine, and I'm frustrated as hell about the state of Linux ScreenReaderEnvironments. I _really_ want to purge Windows off my machine & get back to using Linux, but until that SRE Just Works, I can't Get Shit Done on Linux yet.

        *Comical sob*

        1. Gray
          Windows

          Re: @Gray, re Windows.

          @Shadow Systems: hmmm ... I never could learn to keep me yap shut, even after near on to four-score a'yappin'.

          Anyway, I've grown fond of a stable distro of SolydX (Debian 8.1) with a lightweight XFCE face; it runs good on my old lappies 'n boxen with 32-bit CPUs. Look for the Community Edition of SolydX 32-bit or 64-bit (the XFCE versions) at http://solydxk.com/downloads/community-editions/

          I dare reference that cuz us older farts with antique tech need all the breaks we can get. I'm not vision impaired yet (despite the best efforts of an expert with a laser cauterizer who fuzzied up the retina in my right eye.) So I can't speak from hands-on 'xpertise ... but perhaps this screen reader in the Debian repo is more capable? It's got a high version number so they've worked at it for a while: Orca, a Gnome screen reader: https://wiki.gnome.org/Projects/Orca

        2. ckm5

          Re: Affording Apple crap

          Just buy used, that's what I do. I've recently bought a Macbook Pro for $250 (Core i5, 4gig) and an 11" Macbook Air for $400. Both on Craigslist which is the best place to look, at least where I am. eBay is a crapshoot, sometimes Amazon is cheaper. Be careful of stolen gear on CL - I try to only buy gear with the original packaging since it's unlikely to be stolen.

          New Apple gear can be expensive, but it retains its value, so over the long run you'll waste less money. It's worth checking Apple's online Refurbished store as there are sometimes really good deals (e.g. 30-40% off) on older models with full warranties, esp. for iMacs. If you buy used carefully, you can sometimes get it for cheaper than resale value and break even after using it for a while.

          I find that ~4 yr old Macbook Pros are particularly cheap, esp. if they have low ram & no SSD. With those upgrades, they are almost as good as newer models.... The original Air is also a good deal as you can replace the HD with an SSD & get much, much better performance/battery life.

    3. TheVogon Silver badge

      Re: Tell me about it...

      I'm glad Microsoft patched these nasty zero day ones just before Windows 2003 R2 went end of life....

    4. glussier

      Re: Tell me about it...

      2 hours to do Patch Tuesday's updates? You should probably think about getting a better computer; even on my slowest ultrabook with an i5-4200U and 240GB SSD, it took less than 15 minutes including the reboot.

      1. Rich 11 Silver badge

        Re: Tell me about it...

        "2 hours to do Patch Tuesday's updates? You should probably think about getting a better computer"

        Those of us looking after a shedload of dev and live servers have to take a slightly more diligent approach...

        1. glussier

          Re: Tell me about it...

          The guy is not a dev, he is a home user. I didn't want to say that he was grossly exaggerating his computer's update time. I did the test on a 2009 Toshiba Satellite with a Pentium T4400, full Office installed, a 300GB 5400rpm drive, and the update which started at 9:34 was rebooted to the desktop at 9:54. Even doing the update on a Dell Venue 8 Pro with 2GB of RAM and a slow eMMC drive took 20 minutes including the download and reboot time. You can get a used 200 Euro or $ computer which will be able to do this update faster than his POS computer.

          I was not talking about updating computers in a work environment. Geez, why would I care about your problem? You are a sysadmin and I'm a project leader, so we might have different types of problems to tackle.

      2. Anonymous Coward

        Re: Tell me about it...

        "even on my slowest ultrabook with an i5-4200U and 240GB SSD, it took less than 15 minutes including the reboot."

        Some of us have better things in life to spend money on.

        I have a piece of crap system, but it does what I need to do. I spend my workday in IT, then some charitable work on odd days. After that I really don't give a toss about IT.

    5. Cynic_999 Silver badge

      Re: Tell me about it...

      Why have you selected automatic updates? Set Windows updates to download and notify but not install. The updates will then all be installed when you next shut down your PC. After I shut down last night, I noted that it began applying 14 updates. Goodness knows how long that took as I left it working and went to bed, but it had completed by this morning (though I had about a 3 minute additional wait after booting for it to do the registry updates etc.)

    6. Fungus Bob Silver badge
      Windows

      Re: Tell me about it...

      "Remind me again why I run Windows?"

      Ease of use.

  2. Anonymous Coward

    Great, means our VMs will be screwed for the rest of the week!

    1. TheVogon Silver badge

      "Great, means our VMs will be screwed for the rest of the week!"

      You can decide to control the patch deployment and not just let it auto install!

  3. asdf Silver badge

    that sinking feeling

    Isn't it great that as time passes our systems and software only get more complex? Security is sure keeping up huh (critical CVEs for everyone all around)? Isn't it also great how as time passes western civilization grows ever more dependent on said systems and software? I am sure everything will be fine.

  4. ZZLEE
    Alien

    Where did my tin foil hat go ??

    1. Shadow Systems Silver badge

      @ZZLEE, re Tinfoil Hat...

      *MunchCrunchMunchCrunchMunchCrunch*

      *BURP*

      Ahhhh... zesty!

      *Picks crinkly bit out of teeth with the edge of my Titanium Spork*

      You know those things don't work anymore, right?

      The NSA got together with the tinfoil makers to embed NanoCrystals in the sheets to better focus the Mind Control Rays to your brain, thus turning them from a reflector to a concentrator. Wearing them now *improves* their ability to turn you into a walking Meat Puppet.

      If you want to shield your skull from the NSA MCR, the best way is to lather your head in petroleum jelly & a mix of crushed nuts & crutons. The mix defuses the MCR, the PJ insulates from the stray rays that get past, and all you have to do is stave off the Evil Squirrels.

      Evil... Evil Squirrels.

      *Brandishes Titanium Spork menacingly*

      EVIL, Evil Squirrels!

  5. frank ly

    What can the numbers tell us?

    Given the long and well recorded history of patches for Windows (of all or a particular version), can statistical analysis (and other maths) tell us roughly how many vulnerabilities there are that still need patching? I have a feeling that it would be a scary number.

    1. xenny

      Re: What can the numbers tell us?

      The no of patches/month doesn't seem to be decreasing, so some variant of infinity, although the end of the universe will prevent them all being patched.

      What kind of infinity needs more maths than I know.

    2. Anonymous Coward

      Re: What can the numbers tell us?

      Well, it's not a physical process but a process of decision-making, serendipity and deciding whether you have a defect in front of you or not, but that doesn't mean that people haven't tried to perform predictive analysis (absolutely the same problem as in economics, really, see also: Praxeology). The latest "IEEE Computer" has an article titled "Selecting the Best Reliability Model to Predict Residual Defects in Open Source Software" with some results here, so I suppose Microsoft could try to do that...

    3. Captain Underpants

      Re: What can the numbers tell us?

      @ frank:

      "Given the long and well recorded history of patches for Windows (of all or a particular version), can statistical analysis (and other maths) tell us roughly how many vulnerabilities there are that still need patching? I have a feeling that it would be a scary number."

      Unfortunately, I'd err on the side of "no", because there are too many variables to allow for a useful comparison:

      * lack of knowledge about security/testing standards and whether these are/have been enforced to a standard degree

      * significant difference in scope across different versions (number of architectures supported natively by the OS, the degree to which security is a focus, the degree to which network connectivity is ingrained in the OS, the development lifetime, etc)

      * significantly, a lack of proof that the distribution of vulnerabilities is uniform throughout the code

      * lack of knowledge as to whether the introduction of patches introduces other vulnerabilities

      * changes in the approach to service packs skewing the numbers (NT4 got 6 SPs, Win2K got 4, XP got 3, Vista got 2, 7 got 1, 8 and 8.1 didn't get any, and 10 looks set to change the whole approach anyway).

      You could maybe get some sort of average values for:

      * how many vulnerabilities (possibly even grouped by broad categories) have affected previous releases by an equivalent amount of time since RTM

      * how many vulnerabilities have been found in total over its supported lifespan

      and use these to make very crude estimates about the relative security of the current release. But there's no mathematically-sound basis for giving those estimates any more weight than a number someone makes up...

    4. Roo
      Windows

      Re: What can the numbers tell us?

      "Given the long and well recorded history of patches for Windows (of all or a particular version), can statistical analysis (and other maths) tell us roughly how many vulnerabilities there are that still need patching?"

      You can't really determine the number of vulnerabilities from the patch releases simply because there is an upper bound on the number of patches an outfit can crank out every month. If the number of vulns vastly exceeds the capacity of the patch writers you might never see a change in the rate of patches for years.

      I think you really should be measuring the reported vulnerabilities instead. ;)
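The two comments above raise a concrete question: can a reliability-growth model fitted to the patch history estimate the residual defect count, and what happens to that estimate when the observed series is really just the patch writers' throughput? The following is an added worked example, not code from the page or from the IEEE Computer article mentioned; it fits the classic Goel-Okumoto model m(t) = a(1 - e^(-bt)) (a = total defects, b = detection rate) to constructed monthly counts. Both series are constructed, not real Windows data, and the month-by-month cap used to imitate Roo's "upper bound on patches per month" is an assumption.

```python
import math

# --- Model -------------------------------------------------------------------

def goel_okumoto(a, b, t):
    """Expected cumulative defects found by time t under the Goel-Okumoto
    non-homogeneous Poisson process model: m(t) = a * (1 - exp(-b t))."""
    return a * (1.0 - math.exp(-b * t))


def fit_goel_okumoto(times, cumulative, b_grid=None):
    """Least-squares fit of m(t) = a(1 - e^{-bt}) to cumulative counts.

    For a fixed b the model is linear in a, so the optimal a has a closed form
    (ordinary least squares through the origin). We grid-search b and take the
    closed-form a for each candidate. Returns (a, b, sse, at_boundary); when
    at_boundary is True the best b sits at the edge of the grid, which means
    the data do not actually show the saturation the model assumes and the
    resulting a is not a usable estimate of total defects."""
    if b_grid is None:
        b_grid = [i / 1000.0 for i in range(1, 1000)]  # 0.001 .. 0.999 per month
    best = None
    for b in b_grid:
        f = [1.0 - math.exp(-b * t) for t in times]
        a = sum(x * y for x, y in zip(f, cumulative)) / sum(x * x for x in f)
        sse = sum((a * x - y) ** 2 for x, y in zip(f, cumulative))
        if best is None or sse < best[2]:
            best = (a, b, sse)
    a, b, sse = best
    at_boundary = b == b_grid[0] or b == b_grid[-1]
    return a, b, sse, at_boundary


def residual_defects(a, b, t_now):
    """Defects the model predicts are still unfound at time t_now."""
    return a - goel_okumoto(a, b, t_now)


# --- Constructed data (assumption: not real Windows patch counts) ------------

def simulated_series(a_true, b_true, times, cap_per_month=None):
    """Cumulative defects found per month. With cap_per_month set, the series
    is limited to what a fixed-capacity patch team could ship, imitating the
    throughput ceiling Roo describes."""
    out = []
    for t in times:
        found = goel_okumoto(a_true, b_true, t)
        if cap_per_month is not None:
            found = min(found, cap_per_month * t)
        out.append(found)
    return out


def analyse(times, cumulative):
    """Fit the model and report whether its residual estimate can be trusted."""
    a, b, sse, at_boundary = fit_goel_okumoto(times, cumulative)
    return {
        "a_total": a,
        "b_rate": b,
        "residual": residual_defects(a, b, times[-1]),
        "trustworthy": not at_boundary,
    }


if __name__ == "__main__":
    months = list(range(1, 13))

    # Case 1: discoveries genuinely slow down, model recovers the truth.
    honest = simulated_series(200.0, 0.05, months)
    print("uncapped:", analyse(months, honest))

    # Case 2: a team that can only ship 5 patches a month; the visible
    # series is a straight line, the fit runs to the grid edge and the
    # "residual" number is meaningless (Roo's caveat).
    capped = simulated_series(200.0, 0.05, months, cap_per_month=5.0)
    print("capped:  ", analyse(months, capped))
```

On the uncapped series the fit returns a = 200 and b = 0.05 and predicts about 110 defects still unfound after 12 months. On the throughput-capped series the cumulative count is a straight line, the best b is pinned at the smallest grid value and a balloons into the thousands: the model is telling you it never saw the curve bend, which is exactly why the patch count alone cannot answer frank ly's question.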

    5. Cynic_999 Silver badge

      Re: What can the numbers tell us?

      Well, even my legacy XP machine received one update yesterday (so it seems that there is still *some* support being provided for XP). My guess is that some updates patch vulnerabilities whilst other updates create new ones that will be discovered at some future date, so the process will never end.

      1. Anonymous Coward

        Re: What can the numbers tell us?

        Yes, XP still gets the "Malicious Software Removal Tool" update every month. Who knows what it does. But that doesn't address any of the CVEs, so if they apply to XP, it's still unpatched :(

    6. Anonymous Coward

      Re: What can the numbers tell us?

      "I have a feeling that it would be a scary number."

      I'm not sure that would be meaningful - it would for instance presumably be lower than the equivalent number for OS-X or an enterprise Linux distribution as those have both historically had a much higher number of total patches!

      "The no of patches/month doesn't seem to be decreasing"

      But the size of the OS is increasing over time, so presumably average quality of code would be increasing.

      And actually versus previous Windows OS versions the number of patches IS generally decreasing.

  6. Anonymous Coward

    Running as much code as possible with full kernel privileges: is it still a good idea? Discuss.

    1. Anonymous Coward

      Here's hoping the downvoters aren't involved in OS design...

    2. asdf Silver badge

      can't resist

      Depends. If you are Red Hat, yes, as long as it exposes interfaces whose use doesn't require the GPL, à la kdbus.

    3. TheVogon Silver badge

      "Running as much code as possible with full kernel privileges: is it still a good idea? Discuss."

      So you mean like a monolithic kernel (as in Linux) does?

      (As opposed to the hybrid microkernel in Windows)

  7. Anonymous Coward
    Big Brother

    It's a sad day at GCHQ/NSA

    1. Rich 11 Silver badge

      They probably know of vulns which they won't let MS patch. Not that I'm trying to make you paranoid or anything.

  8. Bronek Kozicki Silver badge
    Pint

    you've got to love it

    El Reg tells me there's a Windows update coming my way before Windows does. There is also a Flash update I neglected by a day and another Adobe Reader update, and then also QuickTime and Thunderbird on one of the computers but not on the other (must have installed it earlier). Apparently Secunia PSI does not update software by itself and I still need to run the updates myself; perhaps I should try the CSI or maybe move to Ninite, which unfortunately does not support as many programs as Secunia does.

    And so I stay up until midnight patching both my Windows machines, and am almost late for work today. But at least my machines are updated, and updating the kernel to 4.0.8 and a bunch of other software running on the Linux hypervisor on the same occasion went smoothly.

    Thank you, El Reg.

    1. Captain Underpants

      Re: you've got to love it

      Secunia PSI version 3 has been woeful IME. I went back to v2 a while ago (the last straw for me was their removal of the option to re-scan a single non-Windows executable to confirm that you've updated it, because I CBA running a full scan just to make sure I nuked that old Java version or whatever), which still doesn't autopatch everything - but that's because certain software vendors got shirty about Secunia redistributing their installers without the opt-out crapware option. (I wish I was making this up). The other thing to keep an eye out for is that Secunia's database will flag that new versions are available faster than their repository will get updated, so telling it to update eg your LibreOffice install can sometimes see you repeatedly "upgrade" to the same version you've already got.

    2. Cynic_999 Silver badge

      Re: you've got to love it

      "And so I stay up until midnight patching both my Windows machines, and am almost late for work today."

      I went to bed and left the PC merrily updating all by itself, after which it shut itself down. After I booted it this morning the update process completed while I made my first coffee. You need to choose the settings that make it all happen automagically at a time of your choosing.

  9. Anonymous Coward

    For OSX users..

    Just before anyone makes the mistake of thumping themselves on the chest for fewer update hassles with Apple gear I would suggest you check just how many updates you had over the last few weeks, and that's just OSX. I have Adobe Flash sadly installed (not by choice), but it is not permitted to update automatically and that pinged twice as well.

    OSX had quite a batch on July 1st:

    OSX update to 10.10.4 (required restart)

    iTunes (twice, 12.2 on July 1st, 12.2.1 on July 13th)

    Command Line Tools

    Xcode (well, OK, that tends to go in sync with OSX)

    Garageband

    iBooks Author

    iMovie

    That's not to say they're all security updates, but it does mean bandwidth use and apps that are replaced.

    1. El_Fev

      Re: For OSX users..

      Christ, how stupid are you? Downloading updates to make things work is not a problem. Downloading updates to constantly stop people trying to pwn your system is a tad bit different! Apple is winning by a huge fucking margin. Deal with it!

      1. Anonymous Coward

        Re: For OSX users..

        "Christ, how stupid are you?"

        The whooshing sound is thick irony passing over your head :). You do realise that someone needs to run OSX themselves to see those updates, no? You may thus speculate about the reason for that choice.

        "Downloading updates to make things work is not a problem. Downloading updates to constantly stop people trying to pwn your system is a tad bit different!"

        The OSX and iTunes updates mentioned in that post all came with associated CVE IDs (just as a quick example, the iTunes 12.2 upgrade alone addressed as many as thirty-nine different CVEs).

  10. Horatio

    Monetising exploits

    "although the company declined to buy an exploit, enough information was exchanged in the subsequently leaked emails to reveal the flaw"

    Hmm. I could completely understand a software company refusing to pay for an exploit for their own product. Such a transaction borders on blackmail (i.e. you can well imagine what *might* happen to the exploit if you refused to pay. I suspect most who can find an exploit almost certainly have the ability to post anonymously on a script kiddie site).

    Is it still ethical to refuse to pay for an exploit (and to gain enough information during bargaining to find the exploit yourself) when one of the functions of your PROFIT MAKING business is releasing details of security vulnerabilities? (we're not talking about some whitehat security site for admins run by a well intentioned blogger here, this is an established business that releases this information to bolster its core business; which itself has been criticised for being unethical!).

    I'm quite torn on this issue. On the one hand I don't really think anybody should be keeping security vulnerabilities to themselves, I think there is a moral duty to report it to the vendor (although who knows, maybe s/he informed MS, gave them a timeframe, and they failed to act before he stated he'd release the information?), even for commercial products.

    On the other hand, information such as this clearly holds value in the security sector (as is demonstrated in these press releases!), nothing in the e-mail exchange suggests any form of skulduggery (i.e. he ain't saying "pay me or I'll release this into the wild"). It very much reads like they were contacted by someone who recognises the Hacking Team turn a profit from this kind of thing, asked them if they want first dibs on this information, and were then screwed over (in a "chain of e-mails"). I don't know the Italian legal system, but if I was the chap(ess?) on the other end of this e-mail conversation, I'd be talking to a lawyer right about now!

    They are effectively trying to dress up information theft as being a noble act (and El Reg have given them the platform to do this!).

  11. Anonymous Coward

    I don't believe it

    Do you really expect people to believe there is a security hole in Windoze O/Ss or other Microsucks apps? Shirley this is a mistake! Mr. Gates personally inspected every line of code in these products and assured the public that all Microsucks products are "secure" and fit for use by humanity. Thus any claims of security holes or product defects in these Microsucks products must be meritless claims from Apple fanbois and thus 100% accurate. /s

    1. Anonymous Coward
      Stop

      Re: I don't believe it

      Oh do grow up.

      1. Anonymous Coward

        Re: I don't believe it

        Bill Gates, aka "Lost all faith" is proving once again he is a scumbag idiot in denial.


Biting the hand that feeds IT © 1998–2019