Patch Tuesday heats up with pair of exploited zero-days squashed – plus 58 other vulns fixed

Microsoft and Adobe have teamed up to deliver more than 70 patches with this month's Patch Tuesday batch released today. Microsoft contributed the bulk of the fixes emitted this month, kicking out updates for 60 CVE-listed vulnerabilities in its products. These should be installed as soon as you're able to test and deploy them …

  1. thomas k

    70 updates with no restart?! What magic is this?

    Went to Security Center, it said "updates pending" so I clicked the "update now" button and went back to reading the article. Suddenly there was a tweedle sound, the page went blank, then reloaded - that was it.

    1. This post has been deleted by its author

    2. TsVk!

      Re: 70 updates with no restart?! What magic is this?

      Whether or not your machine will start again remains to be seen...

    3. Charlie Clark Silver badge

      Re: 70 updates with no restart?! What magic is this?

      Windows 7 - 3 updates weighing in at a mere 300 MB. Looks like a fairly hefty set of patches again. New start almost guaranteed but I won't know for a couple of hours – the time it takes to install the stuff.

      1. AMBxx Silver badge

        Re: 70 updates with no restart?! What magic is this?

        My windows 10 PC wants to restart.

    4. robidy

      Re: 70 updates with no restart?! What magic is this?

      Err, erm no...you'll need restarts on devices.

      1. thomas k

        Re: Alas, no magic after all

        Yes, today it wanted to restart and went through the usual fol de rol.

  2. onefang Silver badge

    "It appears to mostly impact high-load/high-density environments as an attacker could potentially blend different network streams together."

    Don't cross the streams. It would be bad.

    1. PhilipN Silver badge

      Ghostbusters

      Second reference in 24 hours:

      https://forums.theregister.co.uk/forum/1/2018/08/13/windows_is_coming_to_chromebooks_with_googles_blessing/

      (Just counting the first such reference on the above page)

      Who else you gonna call?

  3. amanfromMars 1 Silver badge

    Far Too Little Much Too Late is a Sub Prime Action in a Failed Program

    There's much to do about everything, El Reg, but Microsoft patching holes in its DODGI Operating Systems will not make any great difference. And to think that they don't already know that is either a) risible or b) another systemic vulnerability for future exploitation and non-patching.

    1. Spanners Silver badge

      Re: Far Too Little Much Too Late is a Sub Prime Action in a Failed Program

      Microsoft patching holes in its DODGI Operating Systems

      Now that is a backronym begging to be created! How about

      Data

      Oriented

      Disclosure

      Generating

      Interface

    2. bombastic bob Silver badge

      Re: Far Too Little Much Too Late is a Sub Prime Action in a Failed Program

      and who still uses anything by Adobe [that isn't a decade or so old] ?

      Flash Player - people STILL use that?

      Acrobat Reader - I bought a re-conditioned PC a couple of years ago [came with Win 7, 'while I could get one' basically] and it had Acrobat Reader pre-installed.

      THE @#$%'ing THING WANTED ME TO LOG INTO IT AND REGISTER MY E-MAIL ADDRESS! Bit-bucket.

      1. Anonymous Coward

        Re: Far Too Little Much Too Late is a Sub Prime Action in a Failed Program

        Don't blame the people. No one wants to use Flash. But it's because of stupid outdated websites and web apps that companies and governments don't bother to upgrade to HTML5 or something similar.

        There are still critical websites using Flash, rendering them useless on mobile phones. Pure laziness.

  4. Anonymous Coward

    Incomprehensible

    IMO it's incomprehensible that Microsoft has zero accountability for their seriously defective products that compromise PC security world wide. Adobe isn't much better.

    1. Charlie Clark Silver badge

      Re: Incomprehensible

      IMO it's incomprehensible that Microsoft has zero accountability

      Any liability is mediated by their ability to provide patches which, thus far, have been accepted as sufficient redress.

      To be clear, this covers all software where it is not possible to determine negligence. But, while it covers exploits due to sloppy programming, it also covers exploits of code that, at the time of writing, was considered safe, with the exploits based on techniques that have been subsequently developed; cryptography being an obvious example.

      I suspect that over time legal interpretation might change as software finds its way into more and more products and the difference between hardware and software blurs, but at the moment that is the case.

      1. FlamingDeath Bronze badge

        Re: Incomprehensible

        "I suspect that over time legal interpretation might change as software finds its way into more and more products and the difference hardware and software blurs, but at the moment that is the case."

        I honestly think this idea needs to speed up. Too many software houses are pushing out shit (not properly reviewed / tested) code and expecting the public / customers to simply accept this as the status quo. Would we accept this level of ineptitude in the physical world? Absolutely not!

        Can you imagine it, a bridge gets built, but then needs to be closed 18 thousand times for patches

        When (and some might argue this is now) poorly coded software starts affecting peoples lives, there needs to be some accountability for shonky sloppy coding, simply putting a user license agreement saying you are not responsible for jack shit is not good enough anymore

        If your software needs to be patched, time and time again, and then some more, you need to take an introspective look at your software development cycle; perhaps not enough money is being invested into the testing phase and as a company you have decided to kick that particular conundrum down the path.

        I should mention the Tesla (BETA) autopilot which had a disclaimer to the driver that if they enabled it they acknowledged it was still BETA and accepted the risks with no liability to Tesla.

        What the actual fuck, what choice did other roads users get?

        This is the kind of "we're not responsible" malarkey that needs to fucking change.

        Honestly, when you have a government which doesn't know the difference between a hashtag and hashing, what chance do we have of a government properly legislating for this technological clusterfuck waiting to happen? I'm no luddite, but some people need to wake up and smell the impending technological singularity, before it's too late.

        1. Rich 11 Silver badge

          Re: Incomprehensible

          Can you imagine it, a bridge gets built, but then needs to be closed 18 thousand times for patches

          Most bridges are designed to be single-function, mostly solid, mostly immovable objects, though, and meant to last for centuries; you can't say the same for any general-purpose OS. Bridges do receive regular maintenance to keep them fit for purpose (well, maybe not in Genoa), and are occasionally closed for things like widening, repairing the roadbed or even adding suicide nets, not to mention for carrying out repairs for damage caused by storms, floods and/or earthquakes.

          That said, patching Windows does occasionally feel like painting the Forth Road Bridge. And they don't even have to repaint that every year now.

          1. FlamingDeath Bronze badge

            Re: Incomprehensible

            "you can't say the same for any general-purpose OS"

            Ok, fair points, my analogy probably isn't the best. But still, the point I was trying to express is that of lives being lost due to poor cultural practices. It's become a common and normal practice to patch "bugs"; let's be clear here, they are blunders and we should refer to them as such. Some of these blunders result in serious harm.

            At what stage in our technological development do we stop and say enough is enough, this shit needs to be properly framed into best practices and enshrined in law? Companies are profiting from their shonky untested code, and we will start seeing it costing people's lives.

            Have company executives gone to jail because of negligence?

            Yes

            Could we see technology company executives going to jail because of negligence?

            I hope so

          2. AMBxx Silver badge

            Re: Incomprehensible

            Given the events in Italy, that's a really bad analogy.

            1. Charlie Clark Silver badge

              Re: Incomprehensible

              Given the events in Italy, that's a really bad analogy.

              It's a good analogy if perhaps a little insensitive. The collapse is an example of the kind of catastrophic failure that physical products suffer from. We'll have to wait for the results of the investigation to see what caused the failure, but if it is not the design or an original installation fault then the point stands.

        2. dmacleo

          Re: Incomprehensible

          Can you imagine it, a bridge gets built, but then needs to be closed 18 thousand times for patches

          *****************

          I just wanna see someone reboot that bridge...

  5. artbristol

    "exploited" zero-day

    Pedantry alert. By definition it must have been exploited before the patch was available. Otherwise it's not a zero-day.

    1. FlamingDeath Bronze badge

      Re: "exploited" zero-day

      The term zero-day for the most part means what you think it means: unknown to anti-virus definitions, for example.

      But there can be "in the wild" zero-day exploits, meaning they are actively being exploited, but not sufficiently protected against. They are however still zero-days, but hopefully not zero-days for long.

      Hope that makes sense

  6. Aodhhan

    Seriously....God?

    Anyone who believes you can simply kick out a fix for something in a few days is ignorant about the process... and a moron for not taking the time to learn a bit more about it.

    First off... nearly anytime you increase security--albeit slightly--you impact usability. Therefore, it must be tested by security and users. Many times, it must be tested against a load of different software to ensure it doesn't negatively impact them.

    Just like chess, when you move a piece to strengthen your position, you also create a weakness because you're no longer defending areas where you once were.

    So... the entire operation, usability, security, etc. must be checked, attacked, worked with etc. Sometimes, it isn't fixed during the first iteration, so it must be done over.

    This does take some time. If you think you can do better, and teach people something they don't know... then by all means, step up and jump froggy jump! It's easy to be a beotch and complain about something, when you're a moron.

    Sometimes it's better to keep your mouth shut and let people think you're an idiot, than to open it up and remove all doubt.

    1. FlamingDeath Bronze badge

      Re: Seriously....God?

      Maybe a software license is needed, I know this has been suggested before

      I mean, I reckon I could have a go at driving an HGV and it will all work out ok.

      Should I?

      (I don't have an HGV license BTW)

    2. Charlie Clark Silver badge

      Re: Seriously....God?

      First off... nearly anytime you increase security--albeit slightly--you impact usability.

      This is patently not true.

      1. pɹɐʍoɔ snoɯʎuouɐ

        Re: Seriously....God?

        "This is patently not true."

        I beg to differ....

        You can make a computer that is completely secure, guaranteed not to be remotely compromised, guaranteed to be impervious to physical compromise, guaranteed to never crash, guaranteed that the data stored in it remains on it, unaltered and uncompromised.

        But to make it usable, the compromise you make is you have to take it out of the Inconel box it is encased in, plug in a power supply, attach a keyboard and display and, if you really need to, connect it to a network. Then it's usable but not entirely secure.

  7. CrysTalK

    Infinity and beyond

    Just like our to-do list and things we need to do, bugs are also infinite. Whether due to human error, negligence or intent, those bugs just keep on flowing in infinitely. Humans might be wiped out on Earth, but software bugs would still be there.

  8. A Dark Germ

    Why do people buy an operating system that has never been finished?

    Why after all these years do we not have a FIXED operating system?

    They will never finish the bloatware because they sell subscriptions not product!

    All you people seem to forget you're buying into a LIE.

    Wake up, ALL you stupid people.

    When you buy a toaster machine, does it only toast when it wants and only in one small corner?

    No it does as advertised, it toasts to your needs.

    This is called a requirement.

    You need to know what your requirement is!

    Wake up, smell the coffee.

    You're all acting like SHEEP.

  9. David Roberts Silver badge

    Don't like Windows? Stop bitching, start switching!

    Move to another operating system which you don't even have to pay for.

    You may note, however, that the alternative software is being continually patched and has not sprung fully formed from the godlike brow of a super-penguin. Some patches may even be to correct hitherto unnoticed security vulnerabilities and coding errors. Some of which have been present for 10 years or more.

    On the subject of Windows, how much did you pay for your copy? Almost certainly less than £100. Many will have paid significantly less. How much dedicated manpower do you think this will fund over the perhaps 10 years or more you will be using this system? [Looking at you, XP.]

    If, as some seem to be proposing, software suppliers are held accountable by law for any defects in the software, then how long do you expect nominally free or low-cost software to be available? No revenue stream, serious legal liability, you do the cost/benefit analysis. Do you expect a one-off sale to carry expensive legal liability in perpetuity?

    TANSTAAFL.


Biting the hand that feeds IT © 1998–2019