>offerings from the multimedia giant are all free of major security flaws this month
Some way to go yet
Microsoft has emitted more than 100 fixes in its March batch of security updates. The Patch Tuesday release includes 115-CVE listed flaws, including 26 classified as critical security risks. None of the flaws have previously been disclosed or exploited in the wild. One particularly nasty remote-code execution hole revealed …
Who released the exploit for the SMBv3 vulnerability that Microsoft wrote into Windows at the behest of the Three Letter Agencies when they had to close the last vulnerability that they wrote into Windows (the SMBv1 remote execution vulnerabilities).
When they fix this one, what is the next one that they will add?
Seems that the Window between "TLA Sponsored Vulnerability Insertion" and detection and closure is getting shorter though, and that it a good thing!
You seriously think the "fix" actually eliminates the hole? If I was writing these security fixes for the agencies then I'd use the fix to move the hole somewhere else each time it's discovered. How long has Microsoft been fixed these holes now? When will the next one be revealed? And the next?
Not a programmer. Designing software for a home or business PC.
There would be an operating system, which tells the computer what to do.
There would be programmes, which the OS runs to let the users use to do stuff to data.
And there would be data, which the user creates or views
And all three would be separate. And there would be strict rules about what could be passed down from the data ( call that the outer ring) to the programmes and then to the centre ( call that the kernel).
Data would only be allowed to change or address superficial components of the programmes; what to display, what to operate on etc. Stuff that used the programmes' features and nothing else.
Likewise the programmes would tell the core where to store data files, which (permitted) operations to perform with it and nothing else.
And the OS would perform the operations that it is permitted to, with the programmes. And nothing else.
That's how users imagine these things work.
Then programmers come along and spoil it.
To a user data is the stuff they read and write. Programmes are the things that make,show and change the data, then save it and bring it back.
Users make and use data.
Programmers make..... programmes, that do things to the data
Microsoft and Apple make Windows/macOs that they need to start the computer and make the programmes work.
And that's how it should be
And the point is that from the users' viewpoint the control should run OS to programmes to data. But never the other way round. Access to programmes and OS to make changes/updates should go though a very narrow route and not some random code inserted in a web page.
It may not be how it is in real life. But it's how the users have every right to expect it to be.
*1 That's how users imagine these things work.
*2 And they do know they're using Word and that's in Windows, which is the thing that starts the computer- even if they have no idea what exactly it does. And they know that Windows 10 replaced 7/8. And ditto with what their Macs use.
They even know what version of Android/iOs they have on their phones, for the most part.
You are lucky if your user have no idea.
For what I saw, there are indeed such users. But among others, one can find:
- Those who assume it is magic ("Oh, you need time to think before acting ?")
- Those who believe they know. <= ALERT Call for troubles
Note this is not specific to computer science, BTW
If you are complaining about Bloat's design it has roots in the CPM/DOS days when there were no hard drives or networks. PCs were completely standalone devices that had exactly 1 user and only 1 user with input either from a keyboard or a file on a floppy. Output was often printed. There were many design decisions that made sense in the old days but have consequences when computers are networked together and it is possible for code from different 'users' to be running simultaneously on the box.
The saving grace of Linux and BSD is they are Unix derived/based. Since Unix was designed for a multiuser environment there were design decisions made that make it more secure.
Back to the bugs at hand, it is unclear which ones are due to ancient design decisions (probably none) and which ones are due to bad code (probably all). Buffer overruns are a programming problem.
At least M$ decided to not change the settings for LDAP Channel binding and LDAP signing, which would have definitely been a 'hair on fire' emergency on the scale (or worse) of the infamous CredSSP Encryption oracle fix.
Apparently, enough large companies complained loudly enough to their TAMS and other high ups within Microsoft, so while it's still good security practice, they decided to not break stuff with this patch update. Either that, or someone in the update chain is learning that Breaking Stuff In the Name of Security is not necessarily a good thing.
Biting the hand that feeds IT © 1998–2020