Slashdot Mirror


13 New Windows Security Vulnerabilities

Petree writes "Microsoft has given advance notice that on February 8th, they will be releasing patches for 13 vulnerabilities. Happily a day later they'll have a nice little webcast to answer questions about the vulnerabilities. Windows users, don't forget to run WindowsUpdate first thing Monday morning."


  1. Booooring... by Majorachre · Score: 4, Insightful

    Another day another vulnerability. This is getting old. What's the point in continually reporting this drivel? We all know MS has their issues - but frankly I'm getting tired of all the wasted space on /.
    You're preaching to the choir!!

    1. Re:Booooring... by Malc · Score: 3, Insightful

      Another day, another anti-Microsoft zealot on /.

      Here are some recent security announcements from one of Linux's more reliable and secure distros:

      04/02/2005
      [DSA 667-1] New PostgreSQL packages fix arbitrary library loading
      *[DSA 667-1] New squid packages fix several vulnerabilities
      *[DSA 666-1] New Python2.2 packages fix unauthorised XML-RPC internals access

      02/02/2005
      [DSA 664-1] New cpio packages fix insecure file permissions

      01/02/2005
      *[DSA 663-1] New prozilla packages fix arbitrary code execution
      *[DSA 662-1] New squirrelmail package fixes several vulnerabilities

      27/01/2005
      [DSA 661-1] New f2c packages fix insecure temporary files

      26/01/2005
      [DSA 660-1] New kdebase packages fix authentication bypass
      *[DSA 659-1] New libpam-radius-auth packages fix several vulnerabilities

      25/01/2005
      [DSA 658-1] New libdbi-perl packages fix insecure temporary file
      (*)[DSA 657-1] New xine-lib packages fix arbitrary code execution
      *[DSA 656-1] New vdr packages fix insecure file access
      [DSA 655-1] New zhcon packages fix unauthorised file access

      Do I need to go on? That's an average of more than 1 a day.

      * = remote exploit
      (*) = can be turned in to a remote exploit

      One of those is a potential remote exploit from just watching DVDs! If you want to pick an OS or vendor apart, it's easy to do it to any of them. I'm not defending Microsoft, but they're far from unique. Of course, with the examples I've cited, I'm sure there will be many people who would like to quibble and try to make it seem less of an issue... if they'd been Microsoft exploits quite the opposite would occur. It's so dull and childish.

    2. Re:Booooring... by natrius · Score: 2, Insightful

      If Microsoft cared about security issues in third party programs, their list of security announcements would be a lot longer than it is now.

    3. Re:Booooring... by Espectr0 · Score: 4, Insightful

      Here are some recent security announcements from one of Linux's more reliable and secure distros:

      How many of those vulnerabilities are actually tied to the OS?

      Zero.

      How many of the windows vulnerabilities are tied to the OS?

      Mostly all of them.

      So do you want to count for example bsplayer's bugs so we can have a fair comparison against xine bugs?

    4. Re:Booooring... by damiam · Score: 4, Insightful

      Any end users of Linux have to face the security flaws whether or not they're part of the OS.

      No, they don't. 99% of Linux end users don't run postgresql, zhcon, vdr, libdbi-perl, or most of the other packages the grandparent listed. It's fair to compare flaws in GNOME/KDE, Firefox, X, and the kernel to flaws in Windows. If you want, you can compare OO.o to Office and perl/python/Mono to .NET. But you can't compare the entire Debian archive (which takes 7 CDs to hold just the stable version) to the base release of MS Windows.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.

  2. Is this sort of thing still interesting to /. by Chess_the_cat · Score: 4, Insightful

    I mean this is how the process works for any OS. Name the OS or system that doesn't require patches? I just don't see the point of this submission except to imply a Nelson-esque "Ha-Ha" where one isn't required. I run a dual-boot system and surprise, surprise, Linux likes to download fixes as well. In short: Who cares? Next stories: You may have a new e-mail in your inbox: Better check. Or how about: Make sure your version of Quicktime is current.

    --
    Support the First Amendment. Read at -1

    1. Re:Is this sort of thing still interesting to /. by MooseGuy529 · Score: 2, Insightful

      Tomorrow's Slashdot headline:

      5 New Linux Security Vulnerabilities

      Gentoo has given advance notice that 5 packages have problems and will be updated. Happily within the week they will explain them in the next Gentoo Weekly Newsletter. Gentoo users, don't forget to run 'emerge sync' in 15 minutes when your local Portage mirror is updated.

      Um, as you can see the same thing happens to any OS. The difference is that Gentoo does this: 1. write a patch to fix current version so users are safe, then 2. put fixed version in Portage when available, then 3. notify users with a Gentoo Linux Security Advisory. Microsoft does this: 1. let news about vuln spread, 2. wait for someone important to notice, 3. announce vuln, 4. wait a week to a month, 5. release patch, 6. give sheepish excuse.

      --

      Tired of free iPod sigs? Subscribe to my blacklist

  3. PC Benchwarming by bigskank · Score: 4, Insightful

    "Windows users, don't forget to run WindowsUpdate first thing Monday morning."

    Not just to rag on MS, but I will NOT be running my PC Monday morning. Given Microsoft's less-than-stellar history of patch releases (Service Pack 2 still gives me night terrors), I'll wait at least a week or so to see what problems these patches create.

    It's unfortunate that many PC users (including myself) would rather risk having their PCs zombified or their data erased for a while longer instead of installing the latest MS patch. For me, past experience has shown me it's less of a risk to just sit it out for a while and see what new holes these patches open.

  4. Re:Trusted Computing by Jugalator · Score: 2, Insightful

    For those who are more knowledgeable...are we in the regime of Microsoft's Trusted Computing? I know Microsoft will continue to spew out info emphasizing a renewed effort in secure computer environments.

    Hm, trusted computing was their initiative with DRM in e.g. Office and WMP, the whole thing about the "Fritz" circuit, Palladium, etc. AFAIK, no WMA or Word Document DRM etc. has been exploited, so I can't really see what that has to do with this news.

    --
    Beware: In C++, your friends can see your privates!

  5. Re:At least they are actively patching... by bersl2 · Score: 2, Insightful

    Yeah, OK, that's fine.

    But as others have said already, do we really need to hear about it every time?

  6. Re:What they are not telling you by kabdib · Score: 2, Insightful

    Okay, who's not releasing patches for all the undiscovered Linux vulnerabilities? Oooooh, vast, incompetent menace! Switch to something else, quick.

    One word describes a system, nearly ANY system more recent than an Atari ST or C-64, that isn't regularly patched: "0wn3d"

    Bash bash bash. You guys are boring.

    --
    Any sufficiently advanced technology is insufficiently documented.

  7. Re:At least they are actively patching... by Murphy+Murph · Score: 2, Insightful

    If a burglar breaks into your house and steals all your stuff, then you install a better lock but get robbed again next week, do you get mad at the lock manufacturer? No thinking person does - they try to find the burglar and punish him.

    If the burglar broke into my house through a flaw in the design of the lock - a flaw known by the manufacturer - a flaw the manufacturer found more profitable to ignore than fix - a flaw the manufacturer decided not to tell me about and trust me to make my own decisions on how best to secure my house - then HELL YEAH I'd get mad at the lock manufacturer!
    --
    I dub thee... Sir Phobos, Knight of Mars, Beater of Ass.

  8. The problem with windows is by CastrTroy · Score: 2, Insightful

    The real problem with Windows is that every 2-3 years they come out with a new version and have to go through all this crap all over again. Just when they've fixed most of the bugs, they come out with a new version, get everyone to upgrade, and we're back to the beginning. Windows 98 runs just about everything. And at this point most of the bugs have been patched. I knew guys that were still using Windows 95 OSR2 in 2000 because it was one of the most stable and streamlined systems available.

    --
    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.

  9. Re:Redhat Linux by Mybrid · Score: 2, Insightful

    It's different because Redhat Linux boxes don't actually go down because of an attack.

    In contrast millions of Windows users waste millions of hours and lose millions of dollars of data because of Microsoft vulnerabilities. To conclude:

    1. Redhat fixes are preemptive, attacks don't succeed.
    2. Many Microsoft fixes are after the fact, millions of dollars and hours are lost every year.

  10. Re:Redhat Linux by v1 · Score: 1, Insightful

    I think part of the gripe here is that MS "hoards" their updates and releases them periodically. This means the latest hole found a day after the scheduled update is going to remain an unpatched hole for the next 30 days. At least with Redhat, you can choose to run updates more frequently, and patch potential nasty things the day after they're discovered. If you don't want to be bothered with Redhat's more frequent updates, then is it so hard to just run the updater on your favorite day of the month?

    Choice is good.

    --
    I work for the Department of Redundancy Department.

  11. Re:Lots of vulnerabilities? by diegocgteleline.es · Score: 3, Insightful

    Debian woody has like 8000 packages.

    Windows XP is an OS, graphical environment, MSN Messenger, WordPad, a few crappy games, some services... let's be good and say they've 1000 packages of software (they don't).

    13/1000= 0.13 vulnerabilities per package

    47/8000=0.005

    "So you zealous fucker, which platform is more secure?"

  12. Safe Surfing by Mybrid · Score: 3, Insightful

    It is trivial to run Microsoft without anti-virus software or anti-adware software safely.

    Let's call this safe surfing.

    The answer is to surf the web as user "Guest".

    There are a lot of things to be said about this but the most important is that Microsoft doesn't care about security because they don't educate this or default to this.

    As a computer consultant every day I get asked about safe computing. My answer on windows is this:

    1. Don't use Microsoft Express or Outlook at home. Instead use web email clients like Yahoo.
    2. Don't click on email links. Instead, cut-copy-paste the text of the displayed link into a new browser window.
    3. Log out of your account and log in as Guest whenever you 1.) use Windows Media Player or 2.) surf unfamiliar web sites.

    People squawk about having to log out and log in as a different user. I tell them safe computing is no different than safe sex. You need to take responsibility. You need to decide how important being safe is to you.

    By enabling the Guest account and surfing the web as Guest, viruses and adware can't install software, touch the registry, or write to anywhere on the disk other than the account folder for Guest. If the Guest account ever gets corrupted, just delete it and create a new one.

    However, unlike with Unix, Windows is a hostile environment for mixing users.

    On Unix it's easy. Just enable "sudo". Your default security mode is one of no access, user mode. You have to make a conscious choice to run with sudo.

    It is very unsatisfying to run as "Guest" in Windows and then "Run As" a secure user, and hardly anyone does it. It's almost futile to install software as a user on Windows other than someone with admin privileges. Almost every major software vendor's install will fail unless admin privileges are used. By contrast, no such barrier exists in Unix. The "--prefix" option to most software will allow you to run from your home directory. And it's not always just the big things, but little things too. Unix uses the "~username" shortcut to easily afford copying files between accounts.

    It is possible even in today's Microsoft environment to guarantee yourself that the impact of a virus or adware can be contained to a sandbox, the Guest user account.

    The fact that Microsoft doesn't make "RunAs Guest" the default security model as does Unix is something that Microsoft should be held accountable for.

    But the reality is Microsoft just doesn't care about security. They only care enough to give it lip service.

  13. SUS good, not perfect by Karl+Cocknozzle · Score: 2, Insightful

    you'd find MS has a nice tool called SUS server, that will roll them out to your network for you.

    While I agree it is a great tool, it needs a few tweaks to be great... Unfortunately, MS doesn't want this to be too good because SMS still costs a lot of money to buy... This is why it doesn't apply Office patches, (the one exception being the critical update for Office XP users running XP sp2) or even anything besides critical and security patches.

    An install log might be a nice option too... Of course, once it has been up and running through a couple patch cycles you find it to be pretty much a cake-walk... setup would have been simpler with a log I can enable/disable when I needed to, though.
    --
    Who did what now?

  14. Re:"Run WindowsUpdate first thing Monday morning" by tomhudson · Score: 2, Insightful

    So, if you DO test them, you're not going to be applying them to everyone Tuesday, are you ...

    You know, I've got to agree with the "Run WindowsUpdate first thing Monday morning" - before the new patches are out on Tuesday - because these patches are not just minor. If you had bothered to read Microsoft's announcement, you'd see that Microsoft is devoting twice the webcast time they usually do just to explain them.

    If Microsoft is worried, maybe you should be too.

  15. Re:"Run WindowsUpdate first thing Monday morning" by macosxaddict · Score: 3, Insightful

    Any operating system where updating the web browser is a "major update" is fundamentally flawed.