Microsoft preps UPDATE EVERYTHING patch batch

Microsoft plans to deliver seven bulletins next week, four critical, and three important, as part of the March edition of its regular Patch Tuesday update cycle. The most troublesome of the critical vulnerabilities carries a remote code execution risk and affects every version of Windows - from XP SP3 up to Windows 8 and …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Silverlight

    "Silverlight is widely used as an alternative to Flash"

    <BOGGLE>

    1. Tim 11
      Happy

      Re: Silverlight

      Actually I thought referring to SharePoint as "enterprise server software" was even funnier

    2. Michael Habel
      Stop

      Re: Silverlight

      Sadly that might be true given that both Netflix and Lovefilm use it to stream their stuff in.

      Upshot why you can't use 'em under Linux or a Linux XBMC install...

      1. Marcelo Rodrigues
        Meh

        Re: Silverlight

        Weird. My television is a Panasonic, and runs Linux. Well, a Linux kernel. One of the applets is Netflix.

        Don't know if Panasonic made something specially for it - or if Netflix can use something else...

        1. Michael Habel

          Re: Silverlight

          Well when I said Linux I was speaking about Desktop / HTPC (Desktop) Linux, and not embedded Linux which is likely some encrypted closed source binary package that wouldn't work outside of that environment.

          Or maybe Netflix are making good on their promise to fully go HTML5. In any case I'm not aware of any proper Linux being able to run Netflix. 'cause if it did, and were only like 6.00€ a Month for their "all ya can eat" deal. I so would ditch my Cable Operator in a snap!

    3. Fred Flintstone Gold badge

      Re: Silverlight

      widely

      That's actually a novel way to spell "nowhere". Must be a Microsoft spell checker.

  2. Rodrigo Valenzuela

    Silverlight

    "Silverlight is widely used as an alternative to Flash"

    Not really:

    http://w3techs.com/technologies/details/cp-silverlight/all/all

    R

    1. Charlie Clark Silver badge

      Re: Silverlight

      Even Microsoft no longer encourages its use. It is now pretty much limited to providing the DRM for streaming services.

  3. Anonymous Coward
    Anonymous Coward

    "Latest turn of the Hamster Wheel of Pain" - patching Microsoft stuff is at worst very simple, at best fully automatic, and is virtually always issue free and well tested.

    Shame the open source world doesn't work like that, but is a mishmash of dependency issues and not fully regression tested patches released on a random schedule. Not a good foundation for anything mission critical or enterprise targeted.

    1. mmeier

      Updates for Linux work IF they have not changed the kernel API/ABI or libraries. So for Long Term Stable versions for 3-5 years after the version came out. IF the stuff you need is in the matching/approved repository. If not the old Twilight:2000 broadcast applies: "Good luck, you are on your own"

      Not that repositories or any other auto-update from a non-controlled source is useable in a company environment. Patching systems without prior checks is acceptable on a private box assuming system and data are separated. Worst case you lose your weekend re-setting the computer. A sane company will test and then use a local "repository" to push the patches. WSUS or its surely existing FOSS equivalent(1) will do the job then.

      (1) That, as Eadon or Old Warhorse will tell us is FAAR better anyway

    2. tom dial Silver badge
      Flame

      Fail

      Nonsense. The open source world *does* work like that:

      Debian (like): apt-get update; apt-get [upgrade | dist-upgrade]

      Red Hat (like): yum update

      And I am pretty sure that there are GUI applications that would do the same.

      And you only have to reboot if the kernel is updated, and then only to use the new kernel - the old one usually works fine until reboot at a convenient time.

      Windows, on the other hand almost always requires at least one reboot. I recall a time when a Windows XP bearing laptop I was patching required three consecutive applications of patches, each followed by a reboot, to be brought up to date. While that admittedly had not been updated in a while, in the same circumstance a Debian Linux installation would have been brought up to date with one update cycle and one reboot. And the patch set will have been reasonably tested and thoroughly integrated (assuming the update is from the "stable" target). I am less familiar with Red Hat or SuSE, but suspect they are much the same.

      1. Anonymous Coward
        Anonymous Coward

        Re: Fail @tom dial

        "And you only have to reboot if the kernel is updated, and then only to use the new kernel - the old one usually works fine until reboot at a convenient time."

        Wrong: Updates to (at least) hal, glibc, dbus and xen require reboots.

        Also - updates to Windows usually work in similar manner you describe - after updates you can postpone the reboot until a convenient time.

        "While that admittedly had not been updated in a while, in the same circumstance a Debian Linux installation would have been brought up to date with one update cycle and one reboot."

        I cannot speak for Debian but updating a couple of years old supported distro doesn't certainly mean that it will be up to date. With RHEL or CentOS, Firefox/LibreOffice etc. won't update to latest versions and you manually need to update them because repos haven't been refreshed.

        1. eulampios

          @AC

          "Wrong: Updates to (at least) hal, glibc, dbus and xen require reboots."

          You seem to be in the wrong here. If the xen touches the kernel it does require a reboot (unless there ksplice is not used). As far as glibc (hal and dbus) is concerned it very rarely does. When that happens all necessary services are restarted by the updater (apt in my case). When you do absolutely need to reboot the whole machine it prompts for this (creates a file /var/run/reboot_required (again, speaking for a Debian based system)).

          My own server/desktop example:

          Thu, Feb 28 2013 09:46:36 -0600

          ------------------------------------------------

          [UPGRADE] libdbus-glib-1-2 0.84-1ubuntu0.2 -> 0.84-1ubuntu0.3

          uptime:

          3:22:35 up 37 days, 21:45

          ============================

          "Also - updates to Windows usually work in similar manner you describe - after updates you can postpone the reboot until a convenient time"

          Never had to reboot my desktop after updating firefox/chromium/konqueror/epiphany even lynx and libreoffice, gnumeric ;-) However Microsoft says this:

          Bulletin 1 Critical,Remote Code Execution: Microsoft Windows, Internet Explorer --> Requires restart. The other one bull.3 for Office "may require restart".
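
Added example (not part of any comment in this thread): the disagreement above about whether updates to libraries such as glibc or dbus need a reboot comes down to which running processes still map the replaced files. This Python script parses /proc/<pid>/maps for shared libraries marked "(deleted)" and checks the Debian flag file /var/run/reboot-required; the function names and the sample maps text are constructed for illustration.

```python
import os
import re

# Flag file that Debian-based updaters create when a full reboot is needed.
REBOOT_FLAG = "/var/run/reboot-required"

# /proc/<pid>/maps line: address-range perms offset dev inode pathname
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s+(.*)$"
)
SHARED_LIB = re.compile(r"\.so(\.[0-9]+)*$")
DELETED = " (deleted)"


def stale_libraries(maps_text):
    """Shared libraries mapped executable whose on-disk file was replaced."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # anonymous mapping or unparsable line
        perms, path = m.groups()
        if "x" not in perms or not path.endswith(DELETED):
            continue
        path = path[: -len(DELETED)]
        if SHARED_LIB.search(path):
            stale.add(path)
    return stale


def scan_processes(proc_root="/proc"):
    """Map pid -> stale libraries for every process we are allowed to read."""
    report = {}
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return report  # no procfs here (non-Linux host)
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                libs = stale_libraries(fh.read())
        except OSError:
            continue  # process exited, or owned by another user
        if libs:
            report[int(entry)] = libs
    return report


def reboot_flagged(flag=REBOOT_FLAG):
    """True when the updater has asked for a full reboot."""
    return os.path.exists(flag)


# Constructed sample: a process started before a libc update was installed.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c1b5000 r-xp 00000000 08:01 393449 /lib/x86_64-linux-gnu/libc-2.15.so (deleted)
7f3a1c1b5000-7f3a1c3b4000 ---p 001b5000 08:01 393449 /lib/x86_64-linux-gnu/libc-2.15.so (deleted)
7f3a1c400000-7f3a1c441000 r-xp 00000000 08:01 393501 /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8
7f3a1c500000-7f3a1c521000 rw-p 00000000 00:04 1234 /dev/zero (deleted)
7ffd2a1e0000-7ffd2a201000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print("reboot flag present:", reboot_flagged())
    for pid, libs in sorted(scan_processes().items()):
        print(pid, ", ".join(sorted(libs)))
```

A process listed here keeps running the unpatched library code until it is restarted, whether or not the flag file exists. Run it as root to see processes owned by other users.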

    3. Euripides Pants

      AC @11:47

      Stop licking the garage floor!

  4. Irongut
    WTF?

    Silverlight is widely used as an alternative to Flash

    Really? I knew of only one site that uses Silverlight prior to this article and now I know of two.

    I block Silverlight installs on all but one of my PCs (which is used for watching the one site I knew of) and have never noticed it was missing.

    1. Anonymous Coward
      Anonymous Coward

      Re: Silverlight is widely used as an alternative to Flash @Irongut

      "Really? I knew of only one site that uses Silverlight prior to this article and now I know of two."

      Doesn't mean much really, does it? A lot of people could say they couldn't name 2 amino acids.

      1. Chemist

        Re: Silverlight is widely used as an alternative to Flash @Irongut

        "A lot of people could say they couldn't name 2 amino acids."

        That's a very strange way of stating the bl**ding obvious. Most people can't know most things, given the size & complexity of the universe.

        Now I can name all the amino acids and indeed some rather rare variants - but I don't know many sites that use Silverlight

        1. Anonymous Coward
          Anonymous Coward

          Re: Silverlight is widely used as an alternative to Flash @Chemist

          Sigh.

          "Most people can't know most things, given the size & complexity of the universe."

          Yup, that is indeed the point. Just because one person hasn't seen something doesn't mean it's not widespread, so Irongut's comment is pretty pointless. Other than the old feeble "It's from a company I don't like so I'll try to play it down" attack. Of course you've used the same argument yourself, so I can see why you'd defend it.

          "Now I can name all the amino acids and indeed some rather rare variants - but I don't know many sites that use Silverlight"

          So from what I've seen so far (responded to this before looking for any later responses,) a sample of one. Who calls himself a chemist. Even if 100 Reg readers can name 2, or 20, so what? As I see it my point still stands.

      2. Loyal Commenter Silver badge

        Re: Silverlight is widely used as an alternative to Flash @Irongut

        I'm going to go for arginine and proline. Or possibly gamma-amino-butyrate, but you probably meant alpha-amino acids, didn't you?

        1. Chemist

          Re: Silverlight is widely used as an alternative to Flash @Irongut

          "I'm going to go for arginine and proline."

          Don't know who your post was directed to. If it was me and you're suggesting that arginine and proline are rare then think again. Arginine is very common, being one of those amino acids found on the surface of proteins and is also the source of the vasodilator nitric oxide that we all depend on, proline is also common especially in collagen where it is post-translationally modified to hydroxy-proline and seems necessary to generate the triple helix form of collagen.

          On the other hand if you didn't mean me have a good weekend.

  5. wyatt
    Stop

    Silverlight

    My company use Silverlight in a number of their products, I'm certain that V5 isn't supported yet with only support for unpatched V4. It'd be fun if our customers decided that this was a threat and uninstalled it from their PCs!

  6. Anonymous Coward
    Anonymous Coward

    XP through to Win 8....

    ..what the hell is XP code doing in Vista, Win 7 and Win 8? Don't MS keep telling us that all the code is new at each release?

    1. Chemist

      Re: XP through to Win 8....

      "Don't MS keep telling us that all the code is new at each release?"

      Yes, so they keep telling us

    2. Anonymous Coward
      Anonymous Coward

      Re: XP through to Win 8....

      This one again: It's a specification problem, not a code problem, the code may well have been re-written from scratch and have the same bugs if that bug is in the code's specification.

      1. Anonymous Coward
        FAIL

        Re: XP through to Win 8....

        Specs don't have bugs, all they can have is ambiguity, and that after 3 implementations over decades, you're telling me that each of them did it exactly the same?

        I bet Microsoft developers get issued a programming guide that was developed by the Customer Support group, who know how to keep themselves employed...

        1. Anonymous Coward
          Anonymous Coward

          Re: XP through to Win 8....

          @Theodore - Of course specifications can have bugs, if the wrong thing is specified it's a specification bug. If you specify a vulnerability in how you want your code to be written, the person writing the code will write that vulnerability in for you.

    3. Ken Hagan Gold badge
      Facepalm

      Re: XP through to Win 8....

      "Don't MS keep telling us that all the code is new at each release?"

      You actually believe that? How many hundred million lines in a Windows release, and you seriously believe that they chuck the whole lot out and start again for the next one?

      Earth calling Anonymous Coward: Microsoft's marketing department doesn't always tell the truth.

      1. Anonymous Coward
        Anonymous Coward

        Re: XP through to Win 8....

        "Earth calling Anonymous Coward: Microsoft's marketing department doesn't always tell the truth."

        So lying about security is OK?? Microsoft (and even Mr Monkeyboy himself) have said that later versions of Windows were inherently secure because the code was new but these "All versions of Windows including XP" seem to keep cropping up.

    4. Anonymous Coward
      Anonymous Coward

      Re: XP through to Win 8....

      "Don't MS keep telling us that all the code is new at each release?"

      Do they? Can you reference an actual source for this?

      Sure, there's bound to be a lot of new code in each release, but there's got to be lots of stuff that stays pretty much the same.

      1. Anonymous Coward
        Anonymous Coward

        Re: "all-new code"

        Yeah, I am also pretty sure they have never said that, because it would be stupid and is quite obviously not the case.

        All modern versions of Windows are built on NT. Hence the version name, NT6.1 = Windows 7; NT6.2 = Win8. One of the fundamental tenets of software engineering is code re-use.

  7. Mystic Megabyte
    FAIL

    Silverlight

    If a site wants me to install Silverlight they have just lost me as a customer.

    There is plenty of other content out there and I have not noticed being left out.

  8. Michael Habel
    Alert

    Hell here I was thinking great another bunch of security updates to look forward to.

    Then it dawns on me that I'm no longer using my old copy of Windows XP any longer.

    Whooo what a relief!!

  9. mmeier

    At least it GETS official updates

    Unlike quite a few Android systems that are neither old nor cheap and have nice security holes on the OS level. Got rid of one (Note 10.1) am stuck to another (N7000) that is only useable as a WLan router and "dumbphone" since it can't be trusted with anything else. Oh ye gods give me an iOS or WP8 unit with stylus and I sacrifice a keg of wine to Bacchus(1)

    (1) Join the followers of the Greek pantheon - the party pantheon!

  10. Ken Hagan Gold badge

    Re: At least it GETS official updates

    'Tis a pity that these old Android systems aren't FOSS.

    1. mmeier

      Re: At least it GETS official updates

      They are not. PARTS of Android are but some crucial components are not. So even assuming I trust CM after the "unlock pattern storage" it still won't fly for me since the only reason to use an Android phone (stylus) will not work with CM.

      Besides: Security patches are something the producer should deliver not a "community" that may or may not be able to do it

  11. Joeykins

    grammar pedantry (sorry)

    "because of a myriad of security flaws" isn't a correct use of myriad; you could substitute multitude in there but the correct version would be "because of myriad security flaws"

    I'm so sorry

    1. Anonymous Coward
      Anonymous Coward

      Re: grammar pedantry (sorry)

      I was going to make a friendly comment about the same thing.

      Strangely it seems this usage is becoming more common. I'm not sure why people have a problem with the correct form; it's more efficient in terms of writing!

  12. Anonymous Coward
    Anonymous Coward

    What a cluster!

    Windoze, that is.

  13. Herby
    Coat

    Then there is the joke... Requires Windows Me or better...

    ...so I installed Linux.

    One might label it the "Ultimate Patch".

    For some reason, some applications don't work the same, but lots do, and for less $$$.

    It's Friday, so I'm out the door.

    1. Anonymous Coward
      Anonymous Coward

      Re: Then there is the joke... Requires Windows Me or better...

      "but lots do, and for less $$$." If your time is of no value and you don't care about TCO.

  14. Anonymous Coward
    Anonymous Coward

    Windows windows windows windows windows windows ...

    5 mentions of Microsoft and 4 mentions of Windows on the main page please make us relevant please ...

  15. Anonymous Coward
    Anonymous Coward

    New vulnerabilities in Windows browser platforms ..

    "In related news, the ZDI’s Pwn2Own competition at CanSecWest security conference in Vancouver led to the discovery of all manner of new vulnerabilities in [Windows] browser platforms (IE, Chrome and Firefox), Java and Adobe apps"

    1. mmeier

      Re: New vulnerabilities in Windows browser platforms ..

      So four third party programs have bugs as has one MS application! Not even sure the [Windows] tag refers to all from the way it is written. And at least the Java bug is system independent since it is in the browser plugin that will (or will not) be used on other OS as well (Documented for MacOS).

      And as Eadon told us a few times the IE bug can not be important because nobody uses IE.

      1. eulampios

        @mmeier

        Not exactly right: here

        it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process. We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges.

      2. eulampios

        @mmeier, Firefox

        As far as the firefox hacking is concerned it also was a partly Windows ASLR feature exploit:

        VUPEN was able to exploit Firefox via a use-after-free memory flaw paired with an ASLR/DEP memory exploit. ASLR and DEP are operating system features found in Windows that are intended to protect memory from exploitation.

  16. Anonymous Coward
    Facepalm

    Affects every version of Windows ..

    "The most troublesome of the critical vulnerabilities carries a remote code execution risk and affects every version of Windows - from XP SP3 up to Windows 8 and Windows RT as well as all versions of Internet Explorer"

    Who was it that once said they had eliminated buffer overflows in Windows and you didn't even need an anti-virus package?

    1. Anonymous Coward
      Anonymous Coward

      Re: Affects every version of Windows ..

      "Who was it that once said they had eliminated buffer overflows in Windows and you didn't even need an anti-virus package?" - erm - no one?

      MS made them a lot harder to exploit with features like NX and address spaces randomisation - which couldn't have been too bad as they were later both copied by Linux.

      1. eulampios
        Linux

        @AC, history of ASLR

        "MS made them a lot harder to exploit with features like NX and address spaces randomisation - which couldn't have been too bad as they were later both copied by Linux."

        Copied by, or copied from? A little history for you:

        ASLR was enabled in Windows Vista around 2007, OpenBSD (2003) and the default Linux kernel (2005) followed. As a matter of fact, ASLR was first implemented and invented by the PaX project (should have been patented though). Do you know what PaX stands for? Patch for LinuX kernel (I think). So, it was the Linux kernel design since the very onset of ASLR, it hasn't become the mainstream code right away though. And then after many many years came Redmond .. to copy-cat the innovation. However, it was neither the first, nor the last time.

        1. eulampios

          Re: @AC, history of ASLR

          Correction, I meant: Both OpenBSD and Linux followed PaX, not Redmond, of course (2003<2005<2007). PaX original ASLR implementation dates back to 2001 (according to Wikipedia).

  17. W. Anderson

    Never ending security problems for Microsoft

    Added to this list of software security woes that Microsoft is attempting to "patch" - most appropriate word, since a real fix is unlikely - on Tuesday, "Windows Security Essentials" very recently failed testing "twice" at testing labs in Europe.

    It is unfortunate that many Microsoft supporters will inundate The Register and other technology media with every type of lame excuse one can imagine for these failures, and divert the subject to how Linux, Mac OS X and maybe BSD ( if they even know what BSD software is) has no market share, is hard to use or some other inane off-topic issue that they hope will take attention away from the growing travails of their heroine in Redmond.

    1. Anonymous Coward
      Anonymous Coward

      Re: Never ending security problems for Microsoft

      Security Essentials is a free antivirus / malware package, and is only meant to cover the basics. It is certainly better than nothing.

      I would expect a paid product to be in some way better since I am paying for it or it would have no market. Just as is the case with OSs, Hypervisors, Office software, etc, etc. See http://blogs.technet.com/b/mmpc/archive/2013/01/16/lessons-learned-from-the-latest-test-results.aspx for the actual meaning behind the 'failure'

      nb - 'Which' rated MSE as the best consumer antivirus!
