It is with a heavy heart that we must report that your software has bugs and needs patching: Microsoft, Adobe, SAP, Intel emit security fixes

Microsoft, Adobe, Intel, and SAP have all emitted their latest Patch Tuesday batch of security fixes. Users and admins are encouraged to test and install the updates as soon as humanly possible. For those running Windows and Windows Server, you'll be interested in as many as 88 CVE-listed flaws that need addressing in …

  1. Kev99 Bronze badge

    The Intel info was next to useless. A dozen notices requiring users to know every piece of hardware and software on their machines before they can even begin to determine which patch applies.

    1. Anonymous Coward

      Good. I needed more arguments to switch to AMD.

      I'm just waiting for someone to bring out a motherboard optimised for server deployment so I can go through resilience testing (can't and won't deploy in production otherwise, but desktops may get there sooner).

    2. Mark 85 Silver badge

      The Intel info was next to useless.

      That seems to be pretty normal for them. Tracking a given processor through their maze is almost impossible. It's a pity they don't have some tool to identify the processor and then call for the appropriate patch. It would save everyone a bundle of time.

      In a separate issue rant, home users never, ever (for the most part) hear of these patches and then have a clue what to do.

  2. Anonymous Coward

    cannot repro "certutil.exe" hang with "modinv.pem" from project-zero info page

    Can anyone repro the "certutil.exe" process hang with the "modinv.pem" download from the Project Zero info page on the bug?

    https://bugs.chromium.org/p/project-zero/issues/detail?id=1804

    Win7sp1: certutil modinv.pem does not hang

    Win 2016 Server 1607: certutil modinv.pem does not hang
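The post above asks whether anyone can reproduce a certutil.exe hang on the Project Zero test file. The harness below is an added example and is not part of the original post or of the Project Zero report: it runs a command under a wall-clock timeout and classifies the result as a hang (timeout hit, child killed), a clean exit (with its return code) or a missing binary, so that "does not hang" is a measured statement rather than an eyeball. It assumes certutil.exe is on PATH and that the downloaded modinv.pem sits in the current directory; the 30-second budget is an assumption, not a figure from the page.

```python
"""Hang probe for a file parser such as certutil.exe.

Added example, not from the original thread. Runs a command against a
test input under a timeout so a non-terminating parse is distinguished
from a crash or an ordinary error exit.
"""
import subprocess
import sys
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProbeResult:
    outcome: str            # "hang" | "exit" | "missing"
    returncode: Optional[int]
    elapsed: float


def probe(cmd: List[str], timeout: float) -> ProbeResult:
    """Run cmd; report hang/exit/missing.

    subprocess.run() kills the child when the timeout expires, so a
    genuinely stuck parser does not leave a zombie behind.
    """
    start = time.monotonic()
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ProbeResult("hang", None, time.monotonic() - start)
    except FileNotFoundError:
        return ProbeResult("missing", None, time.monotonic() - start)
    return ProbeResult("exit", proc.returncode, time.monotonic() - start)


def certutil_repro(pem_path: str = "modinv.pem",
                   timeout: float = 30.0) -> ProbeResult:
    """Reproduce the thread's check: `certutil modinv.pem`.

    Assumptions: certutil.exe is on PATH (Windows) and pem_path exists.
    A result of "hang" means certutil was still running when the
    timeout expired and had to be killed.
    """
    return probe(["certutil.exe", pem_path], timeout)


def main() -> int:
    pem = sys.argv[1] if len(sys.argv) > 1 else "modinv.pem"
    res = certutil_repro(pem)
    print(f"{pem}: {res.outcome}"
          f"{'' if res.returncode is None else f' (rc={res.returncode})'}"
          f" after {res.elapsed:.1f}s")
    return 0 if res.outcome == "exit" else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it once per OS build under test (for example `python probe.py modinv.pem`) and record the outcome line alongside the build string; a "hang" result is the one that matters, because it means the process had to be killed, whereas a non-zero return code is just certutil rejecting the input.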

  3. BebopWeBop Silver badge
    Facepalm

    And the phone calls “Hello, I’m from Intel/Microsoft/Adobe, you have probably seen the press comments about dangerous bugs, but we are putting in enormous efforts to help people fix them, just go to this web site” will ramp up. Not that I think making people aware of the need to patch is unimportant, just groaning in anticipation of the reaction from some ne’er-do-wells.

    1. deadlockvictim Silver badge

      I make use of them as educational tools. I put the person from "Microsoft" on speakerphone, call my daughter over and tell her that this is a phisher. That they are people who are trying to get you to install malicious software onto your computer so that they can access it. We then go through the pre-written spiel until they hang up.

      They are starting to either use or spoof numbers from the U.K. (0044) these days. I miss the Indian numbers (0091).

      1. big_D Silver badge

        I get them in Germany. The hilarious thing is, they only speak English!

        1. Anonymous Coward

          Ditto in Belgium and the Netherlands, and sometimes they even try to spoof the local dialling codes.

          That said, they haven't worked out yet that an in-country number never shows the country prefix :). If I'm in the Netherlands and a number comes up as 0031, I know it's spoofed.

          The problem is that the swines are starting to interfere with our emergency numbers. Of course, someone will always answer because that's their function, but they get in the way of clients with emergencies which can have dire implications.

        2. mutt13y

          Interesting because the ones we get in England can't speak English

          1. Anonymous Coward

            .. but enough about actual telephone support ..

            :)

      2. Rich 11 Silver badge

        Some of them are on 0800 numbers as well. It's nice to know that you can call them back for free...

      3. N2 Silver badge

        I put the person from "Microsoft" on speakerphone

        I used to get them here in France; they seemed surprised when I spoke back in French. I kept them on the line as long as possible, but eventually they'd give up trying to explain that my PC had some sort of virus, despite my not owning one.

        Then we got a callblocker and strangely they seem to have 'gone away'

  4. Anonymous Coward

    Say what you want about SandboxEscaper...

    She's at least keeping some dev's job at Redland secure.

    You could almost say that in a roundabout way she's good for the economy.

    :-)

  5. big_D Silver badge
    Facepalm

    Why Google?

    Why the arbitrary 90 days, without taking in feedback. If there are extenuating circumstances, surely it is better to keep a lid on the issue, until it is resolved. I mean, look at Meltdown and Spectre, they kept a lid on that for a year, until everybody, including Google, was ready to release patches. Why didn't Google go public 9 months earlier?

    If Microsoft hadn't responded, I could understand Google going public.

    If Microsoft had responded, but was still working on it and Google discovered an active exploit, I could understand Google going public.

    If Microsoft has responded, is actively working on a fix, but requires another 30 days to properly test the fix doesn't cause other issues, I don't see why Google can't wait 30 days to release their information.

    Google actually makes the situation worse in these circumstances. There is a fix in the works, but now Google has given malware developers a heads up to where to look, whilst the systems are still vulnerable.

    1. RyokuMas Silver badge
      Devil

      Re: Why Google?

      Why? This is typical Google strategy: try to paint themselves as the good guys - "we're doing this because we care about the end users' security!" - while acting in a manner that is ultimately self-serving, be it attacking a competitor or excusing their hoovering up yet more data.

      The 90 days notice is merely to be able to avoid any claims of anti-competitive behaviour.

      1. Tom Paine Silver badge

        Re: Why Google?

        I'm afraid you are completely mistaken.

        The idea Tavis is part of some Google conspiracy to attack Microsoft isn't even wrong.

        Here's his response to one such ill-informed criticism (micro-thread):

        https://twitter.com/taviso/status/1138499902621667328?s=19

        1. RyokuMas Silver badge
          Paris Hilton

          Re: Why Google?

          Wait, what???

          "The idea Tavis is part of some Google conspiracy to attack Microsoft isn't even wrong." - well that's obvious enough, given that his response to Bejtlich is pretty much an ad hominem against FireEye, as opposed to an addressing of a legitimate concern or a rebuttal as to why the disclosure was reasonable.

          So how exactly am I mistaken when I say that Google have a track record of selling self-serving actions under the guise of being "for the good of the users"?

    2. LDS Silver badge

      "they kept a lid on that for a year"

      Sure, because they were at risk too.

      Google is using vulnerability disclosures against (some) competitors - especially those that don't put themselves at risk. They would never do something like that against Apple, since many at Google use Apple systems.

      That's irresponsible disclosure.

      1. Tom Paine Silver badge

        Re: "they kept a lid on that for a year"

        Welcome to ChoppedLiver 2.0

        https://www.google.com/amp/s/gizmodo.com/googles-project-zero-team-releases-details-on-high-seve-1833052225/amp

        The 90 day deadline (which has nothing to do with anti-trust laws, of course) is the same for every vendor. Release is automatic.

        1. LDS Silver badge

          Re: "they kept a lid on that for a year"

          LOL. There's been several instances when Google delayed disclosures. Usually when its own butts were at stake. Google is weaponising vulnerability disclosures. And nobody ever put Google in a position to decide what is good or not. Really hope one day they will die by the same sword.

  6. Maelstorm Bronze badge
    Flame

    WTF?

    WTF Google!?!?

    Google reported the vulnerability privately to Microsoft with a 90-day deadline to fix it. Redmond planned to release a fix this month, within Google's time limit, then pushed the update back to July for more testing, thus missing the deadline. And so Google went full disclosure today.

    I'll bet if it was a bug in their software, they would keep their mouths shut until it was patched. Nice going there screwing the Windows users.

    1. robidy

      Re: WTF?

      It's a tough one...if the 90 days were flexible...how often would there be an excuse not to disclose as opposed to a valid reason?

      1. Dan 55 Silver badge

        Re: WTF?

        I think "it's in QA" is a pretty valid reason. What do MS do now, rush it out without full testing and increase the chances of hosing computers (which admittedly is par for the course from MS these days) or get accused of allowing a month for a zero-day to be exploited?

        Google's an 800lb gorilla throwing its weight around when perhaps it should be concentrating on its own problems with Android.

        1. iGNgnorr

          Re: WTF?

          "Google's an 800lb gorilla throwing its weight around when perhaps it should be concentrating on its own problems with Android."

          I may be wrong here, but Microsoft, last time I looked, was also an 800lb gorilla. I think they can take care of themselves. Google/Tavis aren't picking on some tiny organisation which has very limited resources.

          1. Dan 55 Silver badge

            Re: WTF?

            That's nice, but what about the users?

            What Google just did wasn't responsible disclosure.

        2. Anonymous Coward

          Re: WTF?

          "I think "it's in QA" is a pretty valid reason. What do MS do now, rush it out without full testing and increase the chances of hosing computers (which admittedly is par for the course from MS these days)"

          Maybe if they hadn't ditched a lot of their QA team a couple of years back things like this wouldn't be an issue.

    2. Tom Paine Silver badge

      Re: WTF?

      May I gently suggest that a little reading around the history of the disclosure debate over the last 20 years, and some knowledge of Project Zero and of Tavis, might be in order before advancing suggestions unsupported by any evidence?

      1. Michael Wojcik Silver badge

        Re: WTF?

        Indeed. For that matter, any RDP has its critics, and I've seen nothing in the Reg forums about P0's that we haven't already heard ad nauseam. This isn't a debate; it's just whinging.

Biting the hand that feeds IT © 1998–2019