It's December of 2018 and, to hell with it, just patch your stuff

Microsoft, Adobe, and SAP are finishing up the year with a flurry of activity, combining to patch more than 140 CVE-listed security flaws between them.

In-the-wild worries from Microsoft

The December patch bundle from Microsoft addresses a total of 39 vulnerabilities, including one that is publicly known and another that is …

  1. TReko

    Spectre and Meltdown

    Interesting that there are no specific mentions of Spectre and Meltdown in the wild yet.

    1. Richard 12 Silver badge

      Re: Spectre and Meltdown

      I believe there have been some Meltdown ones.

      Spectre is difficult to exploit. As I understand it, it's really mostly a route to attack those who put some of their eggs in "the cloud" services, as the easiest/most reliable Spectre exploits rely on being a VM living on the same host machine as your target.

      If you're self-hosted, then an attacker in a position to use Spectre vulnerabilities is also able to use other, faster and more reliable vulnerabilities, or doesn't need to bother because they're already inside the airtight hatchway.

  2. Anonymous Coward

    I wouldn’t mind, but....

    Some people seem to think patches are for other people. I came across someone yesterday who hadn’t applied a single solitary update in the four years since installing the OS.

    1. DailyLlama

      Re: I wouldn’t mind, but....

      I bet they don't vaccinate their kids either.

    2. N2 Silver badge

      Re: I wouldn’t mind, but....

      The flipside of that is they haven't lost dozens of hours in lost productivity, waiting days in some cases for the effing thing to complete an update.

      Although I for one, would not like to follow their mantra.

      The update process is ridiculous and has to change.

      1. Anonymous Coward

        Re: I wouldn’t mind, but....

        I didn’t say but this was a Linux machine and updates generally take a few minutes. I won’t mention Equifax.

      2. Mark Manderson

        Re: I wouldn’t mind, but....

        Waiting days? Ever so slightly an exaggeration. ;)

      3. keith_w

        Re: I wouldn’t mind, but....

        It's still not as bad as getting the patches from Digital Equipment for PDP-11 RSTS/E and sitting there at the la100 typing patches into the patch area, having first typed in the branch to the patch area and finishing with the return branch to the address following the "patched" code.

    3. 4whatitsworth

      Re: I wouldn’t mind, but....

      At least it was only one person... I came across an entire company of circa 50 users who hadn't updated for that length of time... you should have seen their faces when WSUS came onto the scene and started pumping all the missed updates out.

    4. Version 1.0 Silver badge

      Re: I wouldn’t mind, but....

      "hadn’t applied a single solitary update in the four years" - that's the Conservative Party? I think that they have scheduled a patch party tonight, I wonder if they will reboot, or will it be another BSoD?

        1. Anonymous Coward

        Re: I wouldn’t mind, but....

        ""hadn’t applied a single solitary update in the four years" - that's the Conservative Party?"

        It could be much worse - we could have installed a Labour Government under Corbyn.

  3. ivan5

    I can't help wondering what the results would be if the software engineers, and the companies they worked for, put much more emphasis on 'getting it right' rather than 'getting it out of the door'. Would Microslurp have the problems with Win 10 if they had had at least 2 years of black hat style testing for vulnerabilities before they let it loose on the world?

    1. TRT Silver badge

      I suspect they already do, and what we see are the ones that got away. If they waited until it was an absolute 100% perfect and unassailable product, then it would (1) never be released and (2) never be perfect anyway.

    2. DCdave

      You can extend that to the companies that use Windows as well - how many put a focus on 'getting it right' (patching) rather than 'getting it out of the door' (doing their own stuff). Many of the big hack attacks have been on unpatched systems, and that needs to be fixed.

    3. F0rdPrefect

      ivan5

      Having worked in support and distribution at a dealer, for a well known piece of software and received a new version and not been allowed to test it for problems before sending it to customers, I wouldn't blame the software engineers.

      It is almost certainly sales and marketing insisting that it needs to be out there NOW so as not to hurt their commissions.

  4. SVV Silver badge

    Remote code execution flaw in Powerpoint

    This one sounds like it could be fun. Just imagine, you're yawning your way through the presentation on key strategic objectives for Q2 and Q3 when suddenly the screen comes alive with the sight of command prompt windows springing up and scripts executing, whilst the managers flap about in a panic.

    1. Craigie

      Re: Remote code execution flaw in Powerpoint

      Hah. Most 'managers' wouldn't have a clue anything was wrong and if they noticed it at all would report it as 'my screen went a bit funny'.

    2. arctic_haze Silver badge

      Re: Remote code execution flaw in Powerpoint

      We have Wi-fi projectors. One can achieve the same effect without hacking the manager's presentation. All that is needed is to log in taking over the screen.

  5. Charles Calthrop

    87 seems rather a lot. Do they have 00s, have they a keen new testing team, or have they not patched for ages?

  6. DJV Silver badge

    Generous Adobe gives out 87 Reader and Acrobat fixes

    Not for me - I haven't allowed their buggy crap near my systems for years. It's bad enough having to deal with the ones from MS.

    1. Tree

      Re: Generous Adobe gives out 87 Reader and Acrobat fixes

      How much bloat must there be for 87 parts of Adobe Acrobat to be bad? Use Sumatra PDF. Only 2.17 MB large. Does the same thing. Fewer items to go bad.

  7. J. Cook Silver badge

    Call me old, but...

    I miss the days of having a service pack - all the updates wrapped up in one giant bundle that one could slipstream into the installer, instead of having to install the OS, then manually install a set of patches in order to be able to perform automatic updates. (If you guessed the 'modern' Windows 7 scratch build, you may have an internet gold star.)

    Granted, the cumulative update model is reasonable enough... provided the machine is able to pull the bloody thing down.

  8. Anonymous Coward

    It's all shits and giggles until...

    ...Windows Update decides to bork itself.

    Do not pass Go.

    Do not collect $200.

    Patching for days is actually possible.

    1. TheVogon Silver badge

      Re: It's all shits and giggles until...

      "Patching for days is actually possible."

      Fortunately with Windows 10, so is an in-place update from a bootable USB ISO.

        1. Anonymous Coward

        Re: It's all shits and giggles until...

        "Fortunately with Windows 10, so is an in-place update from a bootable USB ISO."

        Try having the average user figure that out by themselves when Windows Update is stuck running for hours on end.
