13 New Windows Security Vunerabilities
Petree writes "Microsoft has given advance notice that on February 8th, they will be releasing patches for 13 vunerabilities. Happily a day later they'll have a nice little webcast to answer questions about the vunerabilities. Windows users, don't forget to run WindowsUpdate first thing Monday morning."
And then again on Tuesday when the actual updates come out.
Another day another vulnerability. This is getting old. What's the point in continually reporting this drivel? We all know MS has their issues - but frankly I'm getting tired of all the wasted space on /.
You're preaching to the choir!!
Can't they roll them into one cumulative security update?
Is this relevant if you have SP2 installed?
And I just got done updating three or four ZEN images. I can't wait for the hundred times I'll be asked next week "can I click OK on the update thing or is that spyware?".
Isn't the 8th a Tuesday?
The summary is wrong, and this is pointing out that fact. Running Windows Update on Monday won't get you anything since the updates come out on TUESDAY, aka the 8TH.
13... the unlucky number. They must be BAD security risks for a change ;)
http://www.sandstorming.com
hmmm....that's 13 down, and a hell of a lot more to go
Come on Slashdot, at least they are actively fixing their shit. You all bad mouth them for not fixing stuff fast enough, and then when they announce they are releasing a patch you try to find some way to bad mouth them for that?
We're all bored of hearing how much people hate MS here...we KNOW you don't like them. Just leave it at that, and instead of reading and posting 600 replies here about how they suck, have some sort of intelligent conversation instead.
I mean this is how the process works for any OS. Name the OS or system that doesn't require patches? I just don't see the point of this submission except to imply a Nelson-esque "Ha-Ha" where one isn't required. I run a dual-boot system and surprise, surprise, Linux likes to download fixes as well. In short: Who cares? Next stories: You may have a new e-mail in your inbox: Better check. Or how about: Make sure your version of Quicktime is current.
Support the First Amendment. Read at -1
Some of us actually use Automatic Update Agent, that downloads and installs the patches. No need for manual updates anymore.
Running Windows Update on Monday will not help, someone please -1 the original article.
The 8th falls on Tuesday, not Monday.
Totally agree!
Windows users, don't forget to run WindowsUpdate first thing Monday morning.
These days, Windows users don't need to "run" Windows Update to grab security updates; the Windows service does that job, so they don't have to remember to do anything special on Tuesday. However, you need to actively visit windowsupdate.microsoft.com if you need other stuff than security updates.
Beware: In C++, your friends can see your privates!
Microsoft has given advance notice that on February 8th, they will NOT be releasing patches for dozens and dozens of yet-undiscovered vunerabilities. Unhappily a day later they'll have a nice little webcast to answer questions about the vunerabilities they know, but not about the ones they have no clue about yet. Windows users, don't forget to dump Windows first thing Monday morning.
For those who are more knowledgeable...are we in the regime of Microsoft's Trusted Computing? I know Microsoft will continue to spew out info emphasizing a renewed effort in secure computer environments.
Microsoft releases updates for Windows XP every second Tuesday of the month, Windows users should be aware of that, as there always is something fixed.
I shot the sheriff
well, we check the gas gauge on our vehicles on a regular basis don't we. i know, every now & then we think we can make it but...
"Windows users, don't forget to run WindowsUpdate first thing Monday morning."
Not just to rag on MS, but I will NOT be running my PC Monday morning. Given Microsoft's less-than-stellar history of patch releases (Service Pack 2 still gives me night terrors), I'll wait at least a week or so to see what problems these patches create.
It's unfortunate that many PC users (including myself) would rather risk having their PCs zombified or their data erased for a while longer instead of installing the latest MS patch. For me, past experience has shown me it's less of a risk to just sit it out for a while and see what new holes these patches open.
On my calendars the 8th is a Tuesday. Maybe all the Windows users should try WU that day . . .
Shawn's Tech Articles
"The folks in Redmond are doing us all a big favor in producing a great product like Windows"
(*rimshot* ba-dum-bum)
Man, you are funny... Where will you be appearing next? Do you have an agent I can contact for bookings?
10 Print New Awesome Mac Product 20 Print New Windows Security Problem 30 Goto 10
Crushing my karma one post at a time.
I'm not that much into windows, but this windows-update thingy seems like a great idea. My only question is - why don't they just release the patches once they're done? I mean - setting a specific date is like a release plan; we don't release just yet, but we estimate that we're ready on Monday with it all.
Especially security patches should be released immediately when they're done. Distributing the releases would probably also take some load off the servers. Or am I missing something about windows update?
e-mail, browsers, and half a dozen minesweeper imitations all exist on platforms other than Windows.
And yes, they are equally simple to use. It's just that you've never ventured out at all. (but then I guess you did post as a coward...)
Cheers.
Now accepting PayPal donations!
1) It's Tuesday not Monday; afternoon rather than morning as they seem to release about noon time PST.
2) This is a repeat.
scott
Auto-update is dangerous to stability!
Also, it seems the M$ fanboys are out in force today. Nice to see Billy G's billions can still buy a bit of astroturf.
If you haven't done it already, go to microsoft.com and search for antispyware. Install Microsoft AntiSpyware (beta). You'd be surprised how many trojans and spyware it will find on your "secure" Windows boxen.
Microsoft didn't write it. It's GIANT AntiSpyware with a new label. It may think some of your legitimate apps are spyware, like VNC, but it usually marks them as ignore by default anyway. It's great if you forgot they were there or someone else installed them without your knowledge.
A programmer is a machine for converting coffee into code.
Real Windows users use Automatic Update and ignore this crap.
Better yet, try running Windows Update on Tuesday (8 Feb), not on Monday (7 Feb). That is when the patch is supposed to be released.
Mr. T pitied this fool on 27 July 1992.
Parent post was a classic (if unsubtle) TROLL.
In no way was it aggressively provocative or distasteful enough to be considered FLAMEBAIT.
I wish some of the mods here would get a fucking clue!
Windows security holes are as common as getting email?
"Ha-Ha"
I'd not recommend anyone to trust automatic updates to make them secure.
When using Windows you should always be behind a firewall (hard or soft) that blocks all incoming traffic that you haven't explicitly allowed.
I, for one, will not rush to make those updates, yet I feel safe.
What's a fucking VUNERABILITY?
...
You didn't mean to write vulnerability on all of those occasions?
... and I didn't see much Microsoft bashing in the original article.
To have a "trusted computing" environment as they want it, we need hardware to ensure that software is what it says it is.
Usually it involves having a key (as in RSA) locked down in a tamper-proof hardware chip, and the computer uses that key to assert that the software it is about to run is indeed signed by and for that key. For example, a Linux kernel could be signed by such a key, and at boot time the system would validate it and if it passes, we can assume that it is not compromised by a virus or something. The kernel would then have the job to verify the rest of the programs it wants to run.
Of course the safety of such systems relies on the chips containing the keys. Any attempts to get them out of there would trigger them to self-destruct.
There is a project around working on an IBM card like that to provide a virtual currency, but I can't find the link right now. It basically runs an open source package, and the card can verify that it is not modified. (I would like the link if anyone knows) It allows anyone to check the source code and see for themselves that it contains no backdoor.
Like any powerful technology, it can be used to do very good things(tm), and very bad things(tm).
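An added sketch of the two-stage check described in the comment above (not part of the original thread): a hardware root of trust verifies the kernel's signature, and the verified kernel then checks each program against a manifest covered by that signature. The toy RSA key, the image layout and all function names are assumptions made for the illustration.

```python
import hashlib
import json

# Toy RSA key built from two well-known Mersenne primes (constructed for this
# example; unpadded textbook RSA, not secure). On the hardware the comment
# describes, D would stay inside the tamper-resistant chip.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

MARKER = b"\n--MANIFEST--\n"  # hypothetical image layout: code, marker, manifest


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def _digest_int(blob):
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")


def sign(blob):
    """Vendor side: sign the SHA-256 of an image with the private exponent."""
    return pow(_digest_int(blob), D, N)


def verify(blob, signature):
    """Boot ROM side: needs only the public key (N, E)."""
    return pow(signature, E, N) == _digest_int(blob)


def build_kernel(code, programs):
    """Append a manifest of approved program hashes so the signature covers it."""
    manifest = {name: sha256_hex(blob) for name, blob in programs.items()}
    return code + MARKER + json.dumps(manifest, sort_keys=True).encode()


def boot(kernel_image, kernel_sig, programs_on_disk):
    """Return (kernel_ok, launched, refused) for one boot attempt."""
    # Stage 1: the hardware root of trust checks the kernel before running it.
    if not verify(kernel_image, kernel_sig):
        return False, [], sorted(programs_on_disk)
    # Stage 2: the now-trusted kernel checks each program against its manifest.
    manifest = json.loads(kernel_image.split(MARKER, 1)[1])
    launched, refused = [], []
    for name, blob in sorted(programs_on_disk.items()):
        ok = manifest.get(name) == sha256_hex(blob)
        (launched if ok else refused).append(name)
    return True, launched, refused


def demo():
    """Run a clean boot, a modified program, and a rewritten manifest."""
    programs = {"init": b"start services", "sshd": b"accept logins"}
    kernel = build_kernel(b"kernel code v1", programs)
    sig = sign(kernel)

    clean = boot(kernel, sig, programs)
    infected = dict(programs, sshd=b"accept logins + backdoor")
    tampered_program = boot(kernel, sig, infected)
    # Rewriting the manifest to match the modified program changes the kernel
    # image itself, so the original signature no longer verifies.
    forged_kernel = build_kernel(b"kernel code v1", infected)
    tampered_manifest = boot(forged_kernel, sig, infected)
    return clean, tampered_program, tampered_manifest


if __name__ == "__main__":
    for label, result in zip(("clean", "program", "manifest"), demo()):
        print(label, result)
```

The third case is the point of putting the manifest inside the signed image: a change to the allow-list is caught at stage 1, before any program is checked.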
While you're patching your lovely Windows box and doing the reboot parade, why not switch over to your Mac Mini and catch up on some Ruby tutorials? =)
Some Windows users (like myself) shut off the "Automatic update" service (along with many others) in order to have less system resources used (and less vulnerabilities) while doing what really matters...surfing for porn! Although I can understand the disgust with constantly hearing about patches, there are some people who might not hear about them any other way.
I have XP SP1 installed as vmware guest and I run windows update on it. I've installed all the security patches except SP2 which windowsupdate keeps nagging to install. Is XP vulnerable without SP2 or is it safe on SP1 with all the security patches?
Clearly, you have keen insight and abilities that are unappreciated by your current employer. Perhaps you should look for a job where there are systems more in tune with your unique view of the IT universe.
# Windows XP Media Center Edition may unexpectedly crash while being shown before large audiences.
# User may 'hijack' Internet Explorer settings, this update will reset your Internet Explorer start page and search settings to the new and improved MSN Search.
# Fixes vulnerability that allows users to view old Teen-Beat photographs that may contain images that could shock your system!
What disadvantage do the corporate users have if Microsoft releases the patches today? The corporate folks can still install the patches on Monday --- or any day they choose. Assuming the patches are ready, I see no reason not to make them available on the web for anyone eager to patch their systems.
-- john
Uh oh, Microsoft has announced 13 vulnerabilities that will be patched early this month affecting vulnerabilities since the beginning of the year. That's certainly a whole lot. Well, at least it seems like it when you ignore the vulnerabilities of other platforms.
Let's look at our good friends at Debian. Since January 1st they have issued 47 security vulnerabilities, including 17 buffer overflow vulnerabilities.
http://www.debian.org/security/2005/
So you zealous fuckers, which platform is more secure? Why don't the other vulnerabilities matter? Oh yeah, because you're ignorant childish fuckwits.
There's various methods for updating office, some that appear to require the user to have admin privs, keeping a local copy of office install source on the computer at all times, etc, etc...
It's all a mess if you have various versions of office out there... :-(
I'm so HAPPY they are having a webcast! That more than makes up for the ridiculous quality of their operating system. A webcast! It is like 1998 all over again.
What's the point in continually reporting this drivel?
Two minutes hate.
(Warning: long rant)
;-P
:-/ When's ReactOS going to be ready, dammit? Some millionaire please invest some money and start paying the guys. You know, the government should invest in free software development if they keep failing at punishing Microsoft for monopoly.
that we're getting sick tired of having to run windows update every 2 months. We've been doing that since about 2 years ago. Frankly, I'm sick.
When I opened my shrinkwrap, the EULA didn't tell me that I had to connect to Microsoft every N months or else I wouldn't be attacked by a hacker or virus. This was supposed to be a finished product, not a pre-beta >:S
How long will this happen? Until Longhorn? You know, for a lot of time I had complained about Microsoft because of what OTHER users had to endure: Spyware, viruses, crashes... but now it's starting to annoy me. I mean, an uncareful person can be bothered with this stuff. But the fear and tension associated with "oh no, another vulnerability" can't let anyone escape if (s)he runs Windows.
It's not the security updates themselves that annoy me. It's knowing that the thing is so defective that it has to be given maintenance every 2 months or so. If I was running a car, I'd return it (but I can't). I just want to find out who were the morons who designed it and humiliate them publicly. Oh yeah. A bunch of people with clubs and torches wouldn't be bad.
I'm just sick tired of this.
2) It's not 13 patches for windows. As the article could not state any clearer it's:
3) Read before you submit.
- AMW
They have time to announce that they will be patching critical flaws in, like, 72 hours time
I would consider that an OS has failed miserably if they are aware of an unpatched vulnerability for 72 hours. Unless it is very complex, 24 hours would be excessive.
IE always seems to be the weak point, or the HTML subsystem... Even if it isn't, I've got instructions on removing several subsystems from Windows that will make it more secure.
Check out my page on Windows patches, I think it's a convincing argument to rip all of this stuff out of Windows. Just download the files, drag-drop-replace, burn, and install.
XP subsystem removal software here.
Of course, the editor doesn't actually mean it, it's just a taunt. This stupid "my patches vs your patches" game is ridiculous and further cements slashdot as a "teen hangout" than anything resembling a tech site.
Not to mention running an update on most linux distros demands a serious amount of patching.
If slashdot would stop taunting for two minutes, they would realize that MS has a policy of patching on the first Tuesday of each month and once auto-updates are enabled this becomes a non-issue.
It's getting old, really. If MS patches or doesn't patch, it's going to be a slashdot item with the typical trolls coming out from under their bridges.
According to Secunia the web browser I'm using has 5 non-patched critical security holes. Guess what, I'm not using IE. Has this been a slashdot item yet? If not why? Where are Mozilla's Tuesday patches? Oh right, we have a double standard for them and just wait for release 1.1 without saying a word.
Linux vulnerabilities reports appear at about the same frequency as Windows ones.
But where Linux vulnerabilities are reported one per report, with Windows you get a 3-15 bundles with Windows... Maybe this kind of tactic, you hear about Linux problems at least as often as about Windows, so it leaves you with impression they are the same level...
When was the last time Linux developers shipped 13 different vulnerability patches at once?
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Hi, Matt, and welcome to the internet.
YHBT. YHL. HAND.
Please don't visit and comment on stories in which you have no interest.
Damn, that would suck ass.
My first modem was 300 baud.
I turn all automatic updates off since that disaster. This patched user32.dll and after application, my 2003 box does a continuous reboot. Removing the patch fails to restore functionality. I had to restore from a drive image to get back running. I'm running 2003 as a desktop, so I don't fit the average testing profile, but it is unacceptable to have a patch completely depants my workstation.
The people that actually keep up with these updates are the same people that use McAfee and that enable encryption on their WIFI routers; they are the slightly-savvy citizens of the Microsoft community, and are a minority--and are probably already protected from these exploits beforehand, by some third-party software somewhere. While everyone else, that doesn't have the time or know-how to protect their PCs are the ones getting hurt the worst by these vulnerabilities. I think updates should be forced by this Operating System, kind of like how AOL back in the 90's wouldn't let you sign off a session and release your modem till you had downloaded their damn updates (which I am--even till today--convinced were ad-packs).
Micro$oft? Get a life fucker.
Set it to auto update so you don't have to worry about it.
How about you make an operating system that's tailored for little whiny bitches like you, always complaining about how Microsoft is stealing our money, or they don't like this, or they don't like that. It also doesn't help that little bitches like you also cause issue with backwards compatibility because some 10 year old game "just has to work." Btw, Linux is no fucking better. You -will- rue the day when Linux has just as many issues... Furthermore, you're finding every goddamn reason to make yourself feel better about taking on an operating system that has not one good solid app that the end user or professional world really recognizes, beyond the OS. And... Linux has NO place on the desktop, as it's built on a foundation that was meant for servers and related devices. Fuckin' idiots.
Come on guys, how hard could spelling "Vulnerabilities" correctly be?
a.) the last time I checked, 9+1+1+1+1 = ...wait for it... 13
b.) these are only for machines running Windows.
Therefore, 13 new Windows security vulnerabilities.
"Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
The real problem with windows is that every 2-3 years they come out with a new version and have to go through all this crap all over again. Just when they've fixed most of the bugs, they come out with a new version, get everyone to upgrade, and we're back to the beginning. Windows 98 runs just about everything. And at this point most of the bugs have been patched. I knew guys that were still using windows 95 osr2 in 2000 because it was one of the most stable and streamlined systems available.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Yeah right... wonderful...
Last time I tried that some of our mission critical applications went dead...
Since M$ system is so "well integrated" any update to almost any component could sabotage something else... and some of those bloody security updates can't be uninstalled...
haha. can't spell: vulnerabilities
No thanks, I'll stick to OpenBSD instead! I prefer security...
Microsoft's Superbowl ad:
Nice.
Yes, shocking.
:)
Maybe this is a sign.
Pretty Pictures!
Mac Mini ...
"There is no flag large enough to cover the shame of killing innocent people."--Howard Zinn
How is this different/more important or whatever than redhat over 100 errata updates in 1 month. It is very hard to justify using redhat to management when you constantly have to apply patches. I will admit windows is no better and they probably should have several hundred a month but how can one say redhat is any better???
You can suppress what I'm saying, but not the reality of what I said.
Amen, preach it!
The early bird may get the worm, but the second mouse gets the cheese!
Unless this gets hammered on repeatedly, people will forget, and/or you will fail to educate newer users. Yes, this is /., but even this community suffers from human foibles. Count me amongst those who are satisfied with the status quo, here.
in one swift stroke and get on enjoying your life instead of reading boring documents about fixing problems someone else created.
I'm getting a Mac.
Let's call this safe surfing.
The answer is to surf the web as user "Guest".
There are a lot of things to be said about this but the most important is that Microsoft doesn't care about security because they don't educate this or default to this.
As a computer consultant every day I get asked about safe computing. My answer on windows is this:
People squawk about having to log out and log in as a different user. I tell them safe computing is no different than safe sex. You need to take responsibility. You need to decide how important being safe is to you.
By enabling the Guest account and surfing the web as guest, virus and adware can't install software, touch the registry, or write to anywhere on the disk other than the account folder for Guest. If the Guest account ever gets corrupted just delete it and create a new one.
However, unlike with Unix, Windows is a hostile environment for mixing users.
On Unix it's easy. Just enable "sudo". Your default security mode is one of no access, user mode. You have to make a conscious choice to run with sudo.
It is very unsatisfying to run as "Guest" in Windows and then "Run As" a secure user and hardly anyone does it. It's almost futile to install software as a user on Windows other than someone with admin privileges. Almost every major software vendor's install will fail unless admin privileges are used. By contrast, no such barrier exists in Unix. The "--prefix" option to most software will allow you to run from your home directory. And it's not always just the big things, but little things too. Unix uses the "~/username" shortcut to easily afford copying files between accounts.
It is possible even in today's Microsoft environment to guarantee yourself the impact of a virus or adware can be contained to a sandbox, Guest user account.
The fact that Microsoft doesn't make "RunAs Guest" the default security model as does Unix is something that Microsoft should be held accountable for.
But the reality is Microsoft just doesn't care about security. They only care enough to give it lip service.
I'm currently working tech support for a DSL/ISP combo company (yeah, one of the Baby Bells) and customers are now calling and asking an interesting question: "What alternatives do I have?"
Those asking this question have usually been burned a couple of times and had to spend money to get their trashed MS OS repaired or reinstalled. They are tired of trying to keep their Windows boxes running because they mostly don't know how, don't have the time to learn and really just want the thing to work and not have to mess with it all the time just to have to -- yet again -- pay someone else to fix it.
Point: MS customers are past the exhaustion point due to MS Windows security and stability problems and are actively looking for someplace safe to jump. Mind you I'm talking about mom and pop and Joe User here -- the PHBs won't get it until it costs them their jobs.
A competitor with a quality product which can meet the basic needs of these consumer-level folk has a rare opportunity here: Microsoft has actually made it easy to take away market share.
Go Apple and Linux distros! Let mom and pop PC user know what you've got and where to get it. Apple can do a marketing campaign, Linux folks could use their local LUGS and do small local marketing campaigns on the cheap.
People are actively looking for alternatives to the MS Gerbil Wheel of Pain, so show them what you've got.
And get all the patches prior to next week's on first. That way, you'll be adding 13 instead of 45 patches next week.
This guy has a point actually, the standard libraries themselves have contained overflowable operations for many a year, that experienced folk like myself always have to watch out for.
Sometimes people tend to be addicted to things they hate. At least I am one of them. There are some ads that I hate so much that whenever they are aired on TV, I will rush to watch them, and then curse about their stupidity. I feel some slashdotters also have this phobia, which, after cursing MS for whatever they do, makes them feel good about themselves.
...Is the one patching the Windows Calendar, making Feb. 8 2005 a Monday, so this article will be correct starting on Tuesday.
Saskboy's blog is good. 9 out of 10 dentists agree.
This is probably the dumbest troll I've ever seen.
Congratulations on being an unfunny faggot, you unfunny faggot.
"Windows users, don't forget to run WindowsUpdate first thing Monday morning."
I think he meant to say:
Install Linux first thing Monday morning...
I say: Why wait? Use the weekend wisely...
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Man, those people at microsoft are surely taking their time with patching the real vulnerabilities... how else could they have the time to fiddle around with these vunerability thingies... now could someone please explain to me what are these "vunerabilities", and what do I have to do about them? Are they a kind of malware?
You said: "Windows users, don't forget to dump Windows first thing Monday morning"
You're a biased slanderer, plain and simple. You can't have a more friendly audience than here on /.
Knowing yourself is the first step towards understanding others. So accept the fact that you're an anti-Microsoft zealot.
...consider the bandwidth. It's going to lag for ages. It's not the /. effect, it's the massive MS patch effect.
...and how many of these have been used for a successful attack?
No one is saying that bugs don't exist in Linux (or any other OS)... we are just saying that they are usually fixed before they are exploited... where M$ often denies a bug's existence until it has been exploited...
Excuse moi... but my KCalc sez 13/1000=0.013 and 47/1000=0.047
...and NO I'm NOT a M$ fanatic...
Therefore, 13 new Windows security vulnerabilities.
Nope. I don't have SharePoint, MSOffice or the .Net framework installed, so that makes 10 updates only for me.
They are caused by a serious keyboard bug... :-)
A revelation
MS has huge gaping holes
Bill Gates is Goatse
When I used to do individual windows updates, I would just install them all, and leave the "You must reboot" dialogs sitting behind the other windows, piling up until I'm done... then I'd hit reboot on one of them and the machine would reboot.
This saved several craploads of time. }:)
-Z
It is great to see MS providing updates for various software. Now, my concern is that they will not break anything. :)
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Because I think it should be called Windows.
This ought to be interesting if SP2 is affected.
As guest I can create folders and files well beyond my account folder (admittedly, some folders like C:\Program Files are protected). I can load yahoo and write to the registry, saving my password and having yahoo (or theoretically any other program) start up on login. I can change the background, enable a web style desktop, do lots of things.
As administrator, I can turn the guest account off, reboot and turn guest account back on. When I log back in, all files and folder created in the guest account (ie, my documents, desktop) are still there. The background changes are still there. Yahoo still automatically logs in as me.
Ahh you say I need to delete Guest's folder and clean out his registry entries. We're getting into a lot of work though, at least for windows.
As administrator, I can create a low-level account with no password and if I delete that account, I have the option of deleting their folder by clicking a button. And I know when I delete a regular user, their user specific registry entries get deleted.
If you really want to lock down windows, learn how to use gpedit.msc, or even further, editing policy files directly and using some batch scripts to lock/unlock the computer by copying these policy files into the appropriate directory. Even then, you can still get spyware.
I've tried several times to find a solution to the startup values in the registry. There are some programs I've found that monitor the registry for startup changes, but none of them work as advertised. Yahoo messenger is a great example of this. You open it up, it adds itself to your user's registry startup list. You have to log in with a valid user/pass in order to uncheck boxes so it won't startup next time. But the very next time you start yahoo messenger, it still creates those entries. As administrator, you can't access another user's registry entries. They don't appear until you log in as that user. This is just a messenger client... malware has much nastier methods. It's like the registry is designed to facilitate malware. If someone has come across a solution to prevent a user/user-level programs from modifying the registry at all, I am all ears.
While I agree it is a great tool, it needs a few tweaks to be great... Unfortunately, MS doesn't want this to be too good because SMS still costs a lot of money to buy... This is why it doesn't apply Office patches, (the one exception being the critical update for Office XP users running XP sp2) or even anything besides critical and security patches.
An install log might be a nice option too... Of course, once it has been up and running through a couple patch cycles you find it to be pretty much a cake-walk... setup would have been simpler with a log I can enable/disable when I needed to, though.
Who did what now?
... when Red Hat is scheduled to release Red Hat Enterprise Linux 4.
http://shit.slashdot.org/article.pl?sid=05/02/05/1351208
Instead you could be rebooting until Easter. Such convenience. (-:
Got time? Spend some of it coding or testing
Microsoft persist in asserting that MSIE is part of the OS, so I see nothing wrong with counting its vulnerabilities as part of the OS's. What's sauce for the goose is sauce for the gander, after all. And their dotNYET implementation is even more tightly bound to the OS than their "I-do-colour-management-on-images-with-no-ICC*" browser.
For a more realistic comparison, pick one browser, one email client, one database, one MTA, one webserver, one nameserver, one office suite, one media player, one proxy for Linux and compare just those.
I usually use Konqueror, KMail, PostgreSQL, PostFix, Apache2, BIND, OpenOffice, MPlayer and Squid. In Linux land, the web-server and name-server in particular are not noted for their security, yet I can run both of them chrooted (BIND is set to do this by default), which is not possible with IIS or MS-Proxy.
Filter your terrible Linux stats through those, and you'll get something like a reasonable comparison of a fully loaded MS machine (server and workstation in one) versus a typical Linux machine (ditto).
The machine I'm facing saw four vulnerabilities in the time-slice touted by the GPP, two of them remote or remoteable, and that's unusually bad. Harking back to the distribution running on this machine I count 9 vulnerabilities in that package set (plus CUPS and X11, which are kinda-sorta built in to Windoze in a limited way) since last year, an average of one every four days. Most of those 9 are extremely difficult to exploit and several of them are "dupes" in that they're several packages recompiled to close a vulnerability in a common library, so three for four reports might really be one vulnerability. December was also very heavy with 14 fixes; November is more typical and saw 5, of which 3 were one (libXpm) vulnerability and one was a DoS rather than an intrusion.
Got time? Spend some of it coding or testing
Who recently fixed one remote root vulnerability which was over a year old. Sorry, their security reporting system is so opaque I'm having trouble re-finding the link for you.
Got time? Spend some of it coding or testing
Microsoft Security Vulnerabilities is prime for its own dedicated section at slashdot. The number of stories certainly warrants it.
-- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
So if Windows users don't use SharePoint Services, Microsoft Office (OpenOffice instead), don't use Windows Media Player (use Media Player Classic), and MSN Messenger (use Gaim or Miranda open-source programs instead)
...
Then would it really be a Critical update???
My guess, probably not
Swap to open source today and feel the difference!
Don't ask, just Google it: http://www.google.com
IE is not a "major update". Upgrading IE requires a reboot because the way used by the installation program to replace existing binaries if they are in use is MoveFileEx with move on reboot.
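An added example, not part of the original comment: a delayed move requested through MoveFileEx is recorded in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, so reading that value shows which in-use binaries a patch will swap at the next boot. The parser below works on the raw value bytes; the sample value and its file names are constructed, and the function names are hypothetical.

```python
from typing import List, NamedTuple

NT_PREFIX = "\\??\\"  # NT object-namespace prefix stored in front of each path


class PendingOp(NamedTuple):
    action: str        # "delete", "rename" or "replace"
    source: str
    destination: str   # empty for a delete


def _strip(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(raw: bytes) -> List[PendingOp]:
    """Decode raw REG_MULTI_SZ bytes into (source, destination) operations.

    Strings come in pairs. An empty destination means "delete the source at
    boot", which puts two NULs in a row in the middle of the value, so the
    parser must not treat the first double NUL as the end of the list.
    """
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]              # drop the list terminator
    strings = text.split("\0")
    if strings and strings[-1] == "":
        strings.pop()                 # artifact after the last string's NUL
    if len(strings) % 2:
        strings.append("")            # tolerate a trailing delete with no terminator
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if not src:
            continue
        if dst == "":
            ops.append(PendingOp("delete", _strip(src), ""))
        elif dst.startswith("!"):     # "!" marks replace-existing
            ops.append(PendingOp("replace", _strip(src), _strip(dst[1:])))
        else:
            ops.append(PendingOp("rename", _strip(src), _strip(dst)))
    return ops


def naive_multi_sz(raw: bytes) -> List[str]:
    """Common shortcut that stops at the first double NUL (loses later entries)."""
    return raw.decode("utf-16-le").split("\0\0")[0].split("\0")


def replaced_on_reboot(ops: List[PendingOp]) -> List[str]:
    """Existing files that will be overwritten when the machine restarts."""
    return [op.destination for op in ops if op.action == "replace"]


def build_sample_value() -> bytes:
    """Constructed sample value: one replace, one delete, one plain rename."""
    entries = [
        r"\??\C:\WINDOWS\Temp\ie_new.tmp",
        r"!\??\C:\Program Files\Internet Explorer\iexplore.exe",
        r"\??\C:\WINDOWS\Temp\setup_leftover.dat",
        "",
        r"\??\C:\WINDOWS\Temp\helper.new",
        r"\??\C:\WINDOWS\system32\helper.dll",
    ]
    return ("".join(s + "\0" for s in entries) + "\0").encode("utf-16-le")


if __name__ == "__main__":
    for op in parse_pending_renames(build_sample_value()):
        print(op.action, op.source, "->", op.destination or "(removed)")
```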
How is it that all 13 patches are magically ready on the same day? Are they not withholding them when they could have released the patches earlier, as they were developed?
Karma: It's all a bunch of tree-huggin' hippy crap!
At least they report these things open and loud, and the fixes are soon available. It's actually kinda funny that the Linux community pays so much attention to Windows vulnerabilities, so people kinda know about them more and are using Windows Update more often :D
Why don't Linux vulnerabilities get so much attention although they exist and there are many of them, even home users whose PCs get 0wn3d while online?
(patching FC2 at the moment.. again.. )
...doesn't mean it actually is easier.
Got time? Spend some of it coding or testing
Nahh. They're actually going to cut Windows Update access to any known pirated copies of Windows, then in the webcast later they'll tell everyone exactly how to use these exploits. Bastards.
Perhaps by "Monday morning" the writer meant Monday morning late at night... blah, no, he's just an idiot.
I like suggestions, but I don't like contributing towards them.