'Holey code, Batman!' Microsoft to patch 12 vulns on Tuesday

Microsoft has issued its pre–Patch Tuesday report, saying it will issue seven patches fixing 12 code flaws next week – but it won't provide a permanent fix for the exploit discovered during the recent holidays that is already being used in the wild. "With 2013 starting on a Tuesday, our monthly bulletin release is upon us a …

COMMENTS

This topic is closed for new posts.
  1. elaar

    Meh

    "One rather glaring omission from the list, however, are any fixes for the recently discovered problems with Internet Explorer"

    So, they're patching a load of stuff, apart from that which afflicts browser versions nearly 2 years+ old? How dare they ignore the people bad enough to either find a better browser or update their existing one!

    1. Anonymous Coward

      Re: Meh

      They will patch it soon enough. There is already an easy to deploy workaround that blocks the exploit.

      Microsoft have a very thorough OS testing and software integration testing programme before they release patches...hence it is unlikely for them to react in less than a week. If this is widely exploited they will release an out of schedule patch - otherwise, expect it next month.

  2. Allison Park

    help

    I still have not found the virus program in Windows 8; they say it's here somewhere. I used to just go to the bottom of the task bar.

    1. Anonymous Coward

      Re: help

      Windows Defender is installed and running by default, it is the equivalent of Microsoft Security Essentials on Windows 7.

      Type "Defender" on your start screen and it will appear.

      1. Allison Park

        Re: help

        That was so unobvious, just like everything else about Win8. I want my start button back, and to only have to go to the "start screen" when I want to play backgammon.

        1. Blitterbug

          Re: help

          Try 'Start8' from Stardock (google it). You get everything back, and the tiled mess formerly known as Metro is relegated to a start menu option, as it always should have been. Couldn't live without my copy. Also ClassicStart is a freeware alternative but not as good.

        2. Anonymous Coward

          Re: help

          @Allison: That's exactly what you should be doing on Windows 7 in order to find something: Open the start menu and type into the search what you want.

          If it's not obvious, you should give it a go for a bit; once you start using it, you'll find it's a far easier way to find stuff.

          1. David Neil

            Re: help

            Yeah, if you can remember the name, some of us tend to click the icon.

            Yes, I should know better

  3. TiddlyPom

    Microsoft Fixes

    As a Linux user I actually applaud Microsoft for releasing more fixes - but the persistent architectural flaws within Windows are causing many of these problems.

    Ironically it is one of the reasons for the success of Windows that causes many of the problems - binary compatibility with programs dating all the way back to the days of MS-DOS. In order to support all of the 20+ years of applications, Windows must support all of the quirks and flaws in the architecture (and security models) of earlier versions of Windows in order to guarantee that earlier applications will run correctly on the latest version of x86 Windows. The most secure (and efficient) copy of Windows is undoubtedly the latest Windows 8 RT (ARM tablet version) that is NOT binary compatible with any earlier versions of Windows!

    Open source systems (like Linux and FreeBSD) in which the SOURCE CODE is available for applications do not have to worry about compatibility between major releases of the operating system (or kernel) since the application is just recompiled (by the Linux distributor) against the new system library code. That means that earlier binary code almost certainly will NOT run on later versions of the operating system, but ironically this also means that historical attacks on earlier Linux/FreeBSD BINARIES will probably not work on later versions of the operating system as these have been recompiled (and in many cases changed). It also means that architectural flaws can be fixed (which break binary compatibility) - something that proprietary software vendors (like Microsoft and Apple) cannot do as they do not have access to the application source code.

    Virus scanners give the ILLUSION of security as they use a black list of N known threats. As soon as (N + 1) appears then you are open to attack. It also means that as time goes on, the system gets slower and slower as it has to check against more and more threats. The proper way to deal with flaws (and all operating systems have them) is to FIX them as soon as they are known (as Microsoft is doing here and should be applauded for doing) - not trying to detect bad code at the last possible instant using a virus scanner!

    In addition, Unix/Linux style operating systems (like Apple OS/X, Linux and FreeBSD) work on a 'sandboxed' security model in which a standard user has the least possible file privileges (i.e. can only modify their own files and NONE of the system files - to modify the system requires using admin (root) privileges for the shortest possible time). As a second safeguard, having additional restrictions as to what known applications can do - even with root privileges (as provided by AppArmor and SELinux) - helps to prevent using these applications as an attack vector. As a third safeguard, having a standard (restricted) method of installing applications from known (and GPG key checked) sources - such as APT or YUM - reduces the likelihood of introducing rogue applications - as do centralized app stores.

    UEFI and 'trusted computing' do not make the system more secure (and there are UEFI viruses now) - they just lock out competition, which is what they are for.

    Microsoft should ditch direct backwards compatibility but do as Apple did (with the move from OS/9 to OS/X) by having an emulator to run Windows 7 (and earlier) applications in a protected 'sandbox'. Only by breaking with the past can they fix long standing architectural flaws and remove the need for virus scanners forever.

    1. Anonymous Coward

      Re: Microsoft Fixes

      As a user of pretty much everything except OSX and iOS, I wonder at the persistent Reg reporting of MS's patch schedule.

      Anyone who's interested gets a bulletin from Microsoft 12 hours before the Reg publish anything anyway. As far as I can see, the only reason to print this at all is simply to fill space and offer retards a chance to go on and on and on about Windows is broken/insecure/bad/evil/a child molester/against gun control/pro gun control/smelly - delete as appropriate - and inevitably you're going to get some dick claiming that $OTHER_OS is absolutely perfect and doesn't need patching and doesn't get viruses, it's just that "M$" - fuckwit indicator right there - write deliberately bad code so they can make more money with their free patches or some such drivel.

      In fact, I expect Eadon will be here any minute.

      1. Anonymous Coward

        Re: Microsoft Fixes

        As far as I can tell, El Reg reports OSX patches too. There is just less to report, and they give Apple flak too (the late Java fix was a good example of that). What I do not see is Linux fixes, but that may be more because it's a bit of a moving target, depending on what people have installed, so they only report on major issues.

        I would really like to see a full list of all the Microsoft patches in 2012. The internal MS reason for patch Tuesday must have been to hide the sheer volume of patches, publicly it was "to allow businesses to test" (note that companies controlling updates can very well create a patch day themselves), so a 2012 list would be an excellent way to get a decent overview of just how many problems were fixed.

        Having said that, now I've mentioned it they will probably start working on ways to prevent you building such a damaging document..

        1. Anonymous Coward

          Re: Microsoft Fixes

          The reason for Patch Tuesday was that system administrators asked MS to make batch releases, rather than releases every time that there was a patch. This means that planning for testing and rollout can be made in a cycle each month, rather than having to either have someone waiting for new patches which may or may not turn up or having someone pulled off other scheduled work.

          1. Anonymous Coward

            The reason for Patch Tuesday?

            > The reason for Patch Tuesday was that system administrators asked MS to make batch releases, rather than releases every time that there was a patch ..

            NO, it was so as to reduce the number of patches released in a particular month, to not more than one a month ...

            --

            just who writes this stuff

        2. TiddlyPom

          Re: Microsoft Fixes

          I run Ubuntu 12.04 and "Update Manager" has just run indicating 18 updates (50.9MB). As an example of a security flaw/report - https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1045986

          There are a LOT of Linux patches - some are simple bug fixes and some are security flaw fixes as per Microsoft's release and I usually apply all of them (and could set them to be applied automatically as per many Windows boxes). You should view these in the same way as people view updates to the virus scanner database in Windows - except that these security flaws are actually being fixed rather than a virus scanner having to defend against unpatched security flaws in the operating system!

          Security in Linux is not perfect by any means and yes a Linux system can be infected (I did a system penetration testing course on doing this - which is scary when you find out how to infect your own machine - which I did on a test machine - and it certainly makes you tighten up the security!) but having real fixes and patches beats anti-virus updates hands down. My Mum and Dad's machine is set just to update automatically (and they are no techies).

          What is more scary (to me) is cross platform zero day exploits (like the recent Java one) which perhaps should be flagged by The Register as they have the ability to hurt Linux users as well. Having said that, most Linux users that I know do not enable the Java plugin in the browser and would not arbitrarily run any old script!

        3. Chris Miller

          Re: Microsoft Fixes

          List of 12,500 Microsoft patches, since mid-98 (.xlsx format).

          Not too tough, was it?

          1. TiddlyPom

            Re: Microsoft Fixes

            Patches - good, virus scanners - bad as far as I am concerned :) Everybody finds security holes but patching architectural problems (especially those which break binary compatibility) is harder on proprietary operating systems than open source systems.

            For comparison:

            Ubuntu Security Notices: http://www.ubuntu.com/usn

            Ubuntu Updates: http://www.ubuntuupdates.org/

            Red Hat watch list: https://www.redhat.com/archives/enterprise-watch-list/

          2. Anonymous Coward

            Average number of patches per month

            Average number of patches per month = 71.5, or ONE if you live in Microsoft Land ...

          3. Anonymous Coward

            Re: Microsoft Fixes

            To be clear, 12,500 includes all different OS and CPU variants for the same patches

            Actually there are 999! unique vulnerability KBs on that list over a period of 15 years.

        4. Ken Hagan

          Re: reason for Patch Tuesday

          "(note that companies controlling updates can very well create a patch day themselves)"

          It is a fact that as soon as patches become available, the bad guys reverse engineer them to figure out the hole they exploit. If a company chooses to delay applying those patches, they are exposed to well-known holes for a few days. If MS choose to delay revealing them, no such window exists, but any bad guys who already know about the vulnerability get a few more days of unrestricted malice.

          In other words, it's a trade-off. For limited periods of time, security by obscurity is actually the best strategy. (Apologies to anyone whose slogan-based understanding of security is disrupted by this more nuanced view.)

          1. TiddlyPom

            Re: reason for Patch Tuesday

            Security by obscurity does NOT work.

            Many eyes make light bugs.

            If lots of people can see the code then many people can help to find possible exploits and fix them - and many 'exploiters' like to help with open source code as they can see what they are doing. I have helped fix one particular stack smash bug.

            1. Smudger 1

              Re: reason for Patch Tuesday

              @TiddlyPom "Security by obscurity does NOT work."

              Of course it works - witness that Roman coin hoards are still being discovered nearly two thousand years after they were hidden. How does secure for 2000+ years count as "not working"?

              There are circumstances where security through obscurity is the statistically/probabilistically best option - and other circumstances where security through obscurity is clearly foolish/ill advised/shortsighted/reckless.

              1. Robert Helpmann??

                Re: reason for Patch Tuesday

                Roman coin hoards are still being discovered nearly two thousand years after they were hidden.

                Yes, but let's contemplate that from an IT security perspective. Individual hoards continue to be found over the course of two millennia. Overall, there are ongoing efforts to find and claim these ancient caches, which prove successful from time to time. Yes, this seems to be an apt analogy, except for the implication that it is a successful approach to IT security.

              2. Chemist

                Re: reason for Patch Tuesday

                "@TiddlyPom "Security by obscurity does NOT work.

                Of course it works"

                It helps as part of a strategy - but on its own it's very risky. The gold hoard is a bit of a red herring as without any clues it really is just a matter of luck, whereas scanning (say) IP addresses and ports severely limits the search scope and can be automated.

                My router has one open port forwarding to a server for SSH purposes - I've run it for years and the router logs have never shown an SSH access attempt on anything other than a standard port - the security by obscurity bit is that the actual port number is non-standard, but I don't rely on that - the only valid username allowed SSH access on the server is very unusual and the password is 20 characters long and horrible. As a further precaution I've now blocked access to ports below 1024 at my ISP.
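                The set-up described in the comment above (non-default port, a single permitted username, root login refused) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from any commenter: a small POSIX sh audit of an sshd_config text that reports which of those controls is missing and returns the number of gaps. The two config texts, the port 2222 and the username xq7admin are constructed samples, and the key-only (PasswordAuthentication no) check is this example's own assumption, not the commenter's setup, which uses a long password.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config against the
# controls the comment relies on. All config text below is constructed.

# Exit 0 when KEY appears as an active (uncommented) directive whose value
# matches the extended regex VALUE; comment lines start with '#' so they fail
# the leading-whitespace-only anchor.
has_directive() {
    _cfg="$1"; _key="$2"; _value="$3"
    printf '%s\n' "$_cfg" | grep -Eiq "^[[:space:]]*${_key}[[:space:]]+${_value}([[:space:]]|$)"
}

# Print each gap found; return the number of gaps (0 means the config passes).
audit_sshd_config() {
    cfg="$1"; gaps=0
    # A non-default port only hides the service from the laziest scans; it is
    # checked here because the comment uses it, not because it is a control by itself.
    if has_directive "$cfg" Port 22 || ! has_directive "$cfg" Port '[0-9]+'; then
        echo "gap: Port left at the default 22"; gaps=$((gaps+1))
    fi
    has_directive "$cfg" PermitRootLogin no || { echo "gap: PermitRootLogin is not 'no'"; gaps=$((gaps+1)); }
    has_directive "$cfg" AllowUsers '[^[:space:]]+' || { echo "gap: no AllowUsers restriction"; gaps=$((gaps+1)); }
    # Assumption of this example: keys only, so password logins are a gap.
    has_directive "$cfg" PasswordAuthentication no || { echo "gap: passwords accepted (keys only assumed)"; gaps=$((gaps+1)); }
    return "$gaps"
}

# Constructed sample: a default-style config with the weak settings
# (note the commented-out PermitRootLogin line must not count as set).
WEAK_CONFIG='Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes'

# Constructed sample: the hardened form.
HARDENED_CONFIG='Port 2222
PermitRootLogin no
AllowUsers xq7admin
PasswordAuthentication no'

if [ "${1:-}" = "--demo" ]; then
    echo "weak config:"; audit_sshd_config "$WEAK_CONFIG"; echo "gaps: $?"
    echo "hardened config:"; audit_sshd_config "$HARDENED_CONFIG"; echo "gaps: $?"
fi
```

                Run it with `sh audit.sh --demo` to see the weak sample report four gaps and the hardened one none; to audit a real file, pass `"$(cat /etc/ssh/sshd_config)"` to audit_sshd_config instead of the sample text. The return code is the gap count, so the function drops straight into a cron job or a configuration-management check.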

              3. TiddlyPom

                Re: reason for Patch Tuesday

                Have a look at these

                http://en.wikipedia.org/wiki/Security_through_obscurity

                http://www.treachery.net/articles_papers/tutorials/why_security_through_obscurity_isnt/Security_Through_Obscurity_Isnt.pdf

                http://randomactsofarchitecture.com/tag/security-through-obscurity/

                Randomly not being discovered is not the same as being secure! It might be (using your analogy) that nobody was looking for the coins BUT if people suspect that the coins are there and then systematically hunt with metal detectors then they will find them. In the same way, many hackers systematically probe for open ports, suspected TCP/IP stack defects or similar flaws and if they discover a chink in the armour they exploit it.

                That is why we use public key cryptography and not hidden keys. It is inherently more secure, trustworthy and tested than a hidden key that (if revealed) will break open the system. What if one of the developers of the closed code system silently leaks the security secrets to a hacker group (which has happened several times)?

                1. Adam 1

                  Re: reason for Patch Tuesday

                  The discussion on security by obscurity is always fun but in this case a red herring.

                  This is not a case of it. This is the way that Microsoft is balancing the risks.

                  Risk 1

                  Malicious person independently discovers the flaw and exploits it between the time it is fixed and the time the fix is published.

                  Risk 2

                  Malicious person looks at the patches and noting what has been changed to fix the flaw is able to design an exploit to take advantage of those who haven't bothered to apply the fix.

                  Risk 1 is reduced by patching quickly but by definition unpredictably. It is increased the longer the patch is withheld.

                  Risk 2 is reduced by patching predictably which by definition means you are delaying the publishing. A nice side effect is that it creates a reference point to how out of date a system's patching is which creates pressure to get it done at least sometime within the month.

                  For mine, the risk minimisation strategy Microsoft are using here is about right.

                2. Smudger 1

                  Re: reason for Patch Tuesday

                  @TiddlyPom

                  Security (software or physical) buys you time and (by a law of diminishing returns) approaches 100% asymptotically. No system is 100% secure.

                  Having a "secret password" to get access to some system or service is (by definition) security through obscurity.

                  Not telling anybody that you nicked a Mars bar from the corner shop when you were twelve is security through obscurity.

                  IMHO, you're not doing yourself any favours by asserting a sweeping generalisation that security by obscurity does not work.

        5. Anonymous Coward

          Re: Microsoft Fixes

          Erm, but Apple have far MORE patches for OS-X than Windows. OS-X is currently on ~1,800 security vulnerabilities. To put that in perspective, even Windows XP is only on ~450!

    2. dogged

      Re: Microsoft Fixes

      Microsoft should ditch direct backwards compatibility but do as Apple did (with the move from OS/9 to OS/X) by having an emulator to run Windows 7 (and earlier) applications in a protected 'sandbox'. Only by breaking with the past can they fix long standing architectural flaws and remove the need for virus scanners forever.

      They went half-way to this with "XP Mode" in Vista and 7 with further free virtualization of XP via downloadable stuff.

      I suspect that legacy hardware (and drivers for it) are a much bigger problem. But one of Windows' selling points is that literally nothing supports as much hardware or as many different configurations.

      1. Test Man

        Re: Microsoft Fixes

        "They went half-way to this with "XP Mode" in Vista and 7 with further free virtualization of XP via downloadable stuff."

        Not really. That was just simple virtualisation, of the type that had been available for years already. AND 7 still ran virtually all old software anyway.

    3. Anonymous Coward

      MS-DOS binary compatibility caused insecurity?..

      "Ironically it is one of the reasons for the success of Windows that causes many of the problems - binary compatibility with programs dating all the way back to the days of MS-DOS"

      Binary compatibility was never the reason for security flaws in Windows

      "Open source systems .. do not have to worry about compatibility between major releases .. since the application is just recompiled .. That means that earlier binary code almost certainly will NOT run on later versions of the operating system"

      There is no causal relation between availability-of-source-code, or indeed security, and old application binaries not being able to run on newer systems.

      --

      Allchin Suggests Vista Won't Need Antivirus

    4. RICHTO

      Re: Microsoft Fixes

      What complete crap. I don't think you have a clue what you are talking about.

      Windows has a far better, more integrated and more modular security architecture than Linux.

      Windows has exactly the same minimum privilege model - except that things like SEL and AppArmor are integral to the OS and not bolt-on afterthoughts (plus they are much more capable too - have you looked at AppArmor and SEL in detail? - it's total suck. You can get round all AppArmor restrictions simply by creating a hard link to a file, and SEL can't control access to files mounted via NFS)

      Ditto Windows has signed applications and updates (ever heard of Windows Update?)

      Compatibility between kernel versions? I mean you are just so clueless it's unreal. There are countless issues migrating between major kernel releases. Plus no major Linux enterprise distributions support in place upgrades for major releases like with Windows - you have to do a clean install.

      No recent Windows vulnerabilities have been anything to do with support for legacy apps.

      Windows RT runs the exact same kernel as Windows 8 - it is just recompiled for the Arm CPU!

      UEFI and trusted computing 'doesn't make the system more secure?' Moron. I suggest you look up what trusted computing means, and read about how Windows uses Secure Boot with UEFI. There has to date been no virus or boot loader that can bypass Windows security on a UEFI firmware with the default setting of Secure Boot turned on.

  4. mhenriday

    One instructive context in which Ian Thomson's article should be read

    is this one by Gavin Clarke in the very same issue of the Reg. A bargain, indeed !...

    Henri

  5. Anonymous Coward

    Hmmm

    Flaws in Microsoft's software. Never expected that ;)

  6. Anonymous Coward

    Due to flaws, security is always via obscurity.

  7. Boris S.

    A career opportunity

    Trying to fix the millions of security holes in every version of Microsucks Windoze is a career opportunity that is profitable and secure, unlike the O/S.

    1. Anonymous Coward
      Anonymous Coward

      Re: A career opportunity

      Well looking at JobServe it certainly tends to pay better than Linux skills...

