Reply to post:

Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8 out in the cold

Kiwi Silver badge

The whole issue is that these fixes are silently introduced in the upstream kernel, with no mention of any security impact.

I get what you're saying on the "silent fixes", especially where something may be fixed that is a security bug without the writers realising they're fixing a bug (e.g. improving the implementation of a network authentication protocol, not realising there is an undiscovered vulnerability in the old version that gets fixed by their improvements).

However, there is another side to the bit I've quoted, and that's an issue across the whole OS.

When I go to check updates in my Linux update manager, I get a brief description of the update and what it fixes (security or otherwise), and I can easily get further information on the impact and even the actual lines of code that are changed.

When I go to the Windows update manager, I get a "monthly quality rollup" (W7). I get NO information on what is inside, other than some generic "fixes flaws in Windows" text which tells me nothing. I could go and manually look for the security fixes, but again it's a big block rather than individual updates I can install if I decide the risk of installing outweighs the risk of not. Even the pages at MS that used to give information on the flaw, the fix, and reported detrimental side-effects now only give a basic one-line "this fixes stuff" text that is useless in telling me the impact. I value my privacy, and want to know if MS is somehow trying to backdoor their spyware into 7 (on the very rare times I update 7, mostly it lives offline now).

MS are now very bad at telling people what is fixed in the updates. The latest kernel code may fix a flaw in my own current kernel, and someone may find out that there's a vulnerability that could be exploited through pawing through the code. Good chance that some white/grey will find it and fix it, because they can look if they want. MS does much the same, but they go out of their way to make it harder for W/G types to see what is going on.

You may be right about the risk from the Linux kernel and new code, but the risk from MS's own practices is still far greater, and puts far more people at risk, especially given the article we're talking about here! :)

--> Not a Friday, but I understand the frustration of not being heard when you have something you're sure is quite important. One of these might help you some :)
