It's 2017 and Hyper-V can be pwned by a guest app, Windows by a search query, Office by... Microsoft has released the August edition of its Patch Tuesday update to address security holes in multiple products. Folks are urged to install the fixes as soon as possible before they are exploited. Among the flaws are remote code execution holes in Windows, Internet Explorer/Edge and Flash Player, plus a guest escape in …
"All repairs tend to destroy the structure, to increase the entropy and disorder of the system. Less and less effort is spent on fixing the original design flaws; more and more is spent on fixing flaws introduced by earlier fixes. As time passes, the system becomes less and less well-ordered. Sooner or later the fixing ceases to gain any ground. Each forward step is matched by a backward one. Although in principle usable forever, the system has worn out as a base for progress."
Frederick P. Brooks, The Mythical Man-Month
F.P. Brooks' The Mythical Man Month should still be compulsory reading even if some of the references are a bit dated (microfiche?).
To make that even simpler, there is (obviously) the Wikipedia article
https://en.wikipedia.org/wiki/The_Mythical_Man-Month
Or go direct to an apparently legitimate free download of the First Edition, which was published in 1975, and apparently many people still don't "get it".
https://archive.org/details/mythicalmanmonth00fred
"Do Adobe hire their programmers out of Trump University or something?"
<facepalm /> <downvote />
"How do they have such consistently shit code??"
it's probably a combination of:
a) management/policy deficiencies
b) 'original design' flaws
c) arrogant coders
d) closed source [so nobody can see how crappy it really is]
I wonder what the typical "function call depth" is... and how many files you have to look through to find out what XXX does. [and whether classes/objects muck with each others' storage, or if garbage collection is being relied upon instead of proper reference count based object freeup, etc..]
Recently several companies in Canada were evaluating virtualization solution for their Cloud based applications integration and Microsoft sang praises of their Hyper-V over other more established solutions in regard reliability, security, scalability and flexibility, which , as this Patch Report and several security bulletins have shown to be totally rubbish sales propaganda.
KVM and Xen used for several high end virtualization projects in funded University projgrams and small Petroleum Trading corporations have consistently proven superior to Hyper-V in every case, so it seem ridiculous that any sane technology user would choose Hyper-V instead.
and yes indeed therefore products need patching.
But there are questions of quantity and and impact to be considered. This isn't about aiming for "zero defect" software and systems (where a defect can be either a non-conformance to specification, or unwanted behaviour that has unwanted consequences, maybe other stuff too). It's about shipping products that are fit for purpose, give or take the odd rapidly-fixed issue here and there. Regardless of supplier.
Enjoy your patching. But personally I know a lot of folks that would just like Stuff That Works. On time, all the time.
One of the SQL servers I work with seems desperate to install some updates, it keeps telling me when I rdp it - as if its a home computer . I'd have thought those messages would be surpressed and wsus or sccm would do the whole deal . Maybe its cos its a server and I'm I.T. that the message is still there and all is in fact well - updates are being chosen , tested , approved , whatever and deployed.
I did infact email 'them' to check im not supposed to be doing it and they say "nope , we got it under control..."
Now in the update history the last update is :
"Update for Windows Server 2008 R2 x64 Edition (KB3177467)" on 14/05/2017
are we behind?
Patch Tuesday is turning into a monthly ritual of abuse (legitimately) directed at certain software manufacturers. What has changed over the years?
From my early days I remember a metric called Mean Time Between Failures (MTBF). It was somehow related to the number of components (resistors, capacitors, tubes/valves (at the time)). The more components, and the more of certain types, the shorter the MTBF.
It's not unreasonable to expect complex software inherently to be vulnerable to malicious students of the code. It's a learning curve. Software developed today may be less vulnerable as a result. For example, personal computers today are more reliable, as a result of better cooling, and the move to SSDs and away from mechanical hard drives. Solid-state displays outlast CRTs.
Writing new software that does what the old software did, but is less vulnerable, costs money. A corporation will make more money coming out with new applications than totally replacing what's already out there. Patches are more cost-effective. That is the bottom line.
Hardware and software have improved over time. What hasn't improved, IMO, is the level of user competence. It's a training thing. After all these years, seemingly well-educated people in jobs that otherwise require intelligence, are still clicking on phishing links!
It's well and proper to kvetch about Adobe and Microsoft, but the focal point of all security problems is the user. To use an analogy, we've built safer cars, but if the users drive recklessly and don't wear their seat belts, they're still likely to get killed in an accident. So we train people to be sensible behind the wheel, and enforce seat-belt laws. I'm not saying we need civil laws to regulate what you do at the keyboard, but there's precious little public discussion of what not to do. Ransom-ware attacks make headlines; what's rarely mentioned in the news is that if people didn't open the infected files, such attacks would fail. When a malware attack has the potential of some recent events, it seems akin to a public-health issue.
Shame on Adobe, MS and others for continuing to flog busted code. That said, we've chosen to have capitalist economies where we shouldn't expect better. We can, however, do something to mitigate the potential harm. El Reg and others dutifully report on the subject. Unfortunately, your Aunt Millie probably never reads them.
Sure, it's unfair to blame users for malware and vulnerable but popular applications. But stuff happens. Malware and vulnerable software are facts. We should complain and we should try to eliminate both. But the buck (pound, euro) stops at the user interface. That's where we're not putting enough resources, IMO.
"the buck (pound, euro) stops at the user interface. That's where we're not putting enough resources, IMO."
You make a selection of excellent points, but I'm not sure that's such a good one.
There's a *lot* of poorly designed poorly coded poorly implemented InterwebOfTat stuff out there, and there's going to be more in a while.
Probably quite soon there'll be more IoT stuff than there is desktop and mobile "PC" stuff. The IoT stuff typically doesn't have much in the way of a user interface, but it seems to be just as defective in security terms, just as exploitable, maybe even more so, than your typical "PC" stuff, despite the IoT stuff having only a tiny fraction of the capabilities of modern "PC-class" boxes.
What's the answer to them, where there is no UI because there is no user in the traditional way?
The answer to something with no user and no need for a UI isn't investing in UI, it's got no users as such so user education doesn't really help either. Part of the answer *might be* product liability legislation which exists already, but for some reason seems to be considered irrelevant to stuff with software in it.
If it's more profitable to ship defective by design tat than it is to ship decent stuff, which will most designers and manufacturers choose?
Sometimes there are exceptions:
https://www.theregister.co.uk/2016/12/01/ucam247_responds_most_cams_not_vulnerable_to_get_vuln/
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
