Slashdot Mirror


13 New Windows Security Vunerabilities

Petree writes "Microsoft has given advance notice that on February 8th, they will be releasing patches for 13 vunerabilities. Happily a day later they'll have a nice little webcast to answer questions about the vunerabilities. Windows users, don't forget to run WindowsUpdate first thing Monday morning."


  1. "Run WindowsUpdate first thing Monday morning" by Anonymous Coward · · Score: 5, Informative

    And then again on Tuesday when the actual updates come out.

    1. Re:"Run WindowsUpdate first thing Monday morning" by tomhudson · · Score: 3, Funny
      Of course, you'll have to run it again Wednesday, Thursday, and Friday:

      FTFA

      1. 9 Microsoft Security Bulletins ... Some of these updates will require a restart.
      2. 1 Microsoft Security Bulletin ... These updates may or may not require a restart.
      3. 1 Microsoft Security Bulletin ... This update will require a restart.
      4. 1 Microsoft Security Bulletin ... These updates will require a restart.
      5. 1 Microsoft Security Bulletin ... These updates will require a restart.
      By the time you've rebooted (up to 13 times per machine) ... I pity the guy who has more than 1 or two machines to patch - anyone with 100 boxes will still be rebooting on Valentine's day.

      Nice of them to issue the patches in time for Troll Tuesday ...

    2. Re:"Run WindowsUpdate first thing Monday morning" by theancient2 · · Score: 5, Informative

      It's only necessary to reboot once, not after each update. (The only time you need to reboot more than once is when installing a major update, such as a new version of Internet Explorer.)

    3. Re:"Run WindowsUpdate first thing Monday morning" by andalay · · Score: 2, Informative

      That's odd, xfce, kde and gnome all have applets/applications that do this for you without restarting X.

    4. Re:"Run WindowsUpdate first thing Monday morning" by LurkerXXX · · Score: 2, Informative
      You must get all your 'knowledge' from google, because it's obvious you have never actually had to install updates on 1000 machines yourself. If you did, you'd find MS has a nice tool called SUS server, that will roll them out to your network for you. No need to 'reboot till valentines day'

      As the grandparent said, you are either clueless or a troll.

    5. Re:"Run WindowsUpdate first thing Monday morning" by tomhudson · · Score: 2, Insightful
      So, if you DO test them, you're not going to be applying them to everyone Tuesday, are you ...

      You know, I've got to agree with the "Run WindowsUpdate first thing Monday morning" - before the new patches are out on Tuesday - because these patches are not just minor. If you had bothered to read Microsoft's announcement, you'd see that Microsoft is devoting twice the webcast time they usually do just to explain them.

      If Microsoft is worried, maybe you should be too.

    6. Re:"Run WindowsUpdate first thing Monday morning" by BandwidthHog · · Score: 2, Informative

      I had to do four reboots on each of thirteen XP machines last week. Of course, they hadn't been updated since they were set up a little over a year ago, so hopefully your mileage has varied greatly. It was some HTTP transport (forget exactly what) patch for the new WindersUpdate, then a clump of nearly a dozen miscellaneous patches, then SP2, then another pair. Hmm, considering the two admin machines I was dealing with, that means I rebooted XP over sixty times that day. Wow. Just, wow.

      --

      Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
    7. Re:"Run WindowsUpdate first thing Monday morning" by macosxaddict · · Score: 3, Insightful

      Any operating system where updating the web browser is a "major update" is fundamentally flawed.

  2. Booooring... by Majorachre · · Score: 4, Insightful

    Another day another vulnerability. This is getting old. What's the point in continually reporting this drivel? We all know MS has their issues - but frankly I'm getting tired of all the wasted space on /.
    You're preaching to the choir!!

    1. Re:Booooring... by mw13068 · · Score: 3, Funny

      If I recall correctly, the /. tagline is "News for Nerds. Stuff that matters." I believe, despite your objection and concern about the size of the /. article database (i.e. "wasted space") that this article fits the general area of interest. I might suggest that the next time you encounter something that bores you, you don't take the time to read it and comment on it, as that tends to muck up your boredom experience.

    2. Re:Booooring... by chris_mahan · · Score: 2, Interesting

      What I want to know is this:

      Are the holes real?

      (I mean, I know there are so many holes in windows the swiss cheese manufacturing association is suing)

      Since the great unwashed masses are going to buy windows. (They are, trust me) and Microsoft, knowing this, wants to boost sales.

      They announce, in this order:

      A) We don't support windows 2000, 98, ME, for new vulnerabilities, you need XP sp2.

      B) We are not going to provide windows updates to non-legal installations of the software.

      C) There are now lots and lots of holes in all the software, so unless you buy a windows XP sp2 license, you will NOT be protected, and all the hackers will steal ALL your credit card, health, and skeleton-in-closets information. Buy now!

      D) Profit! (Announce best quarterly profit in years (oh, done that already)).

      They are banking on people's laziness and fear. And they are not the first.

      They are pointing the finger at the hacker, not at their own lack of software engineering skills. And Joe Sixpack is going to follow that line of reasoning. How could he not? He IS Joe Sixpack after all. So they look like they're standing up to the shadowy underworld of cyberspace on behalf of mom and pop, and mom and pop happily buy their wintel boxen.

      I say crackers need to lay low and not attack windows for about 1 year, and take a break. Since there won't be any bad things killing machines, people will be happy running their 4 year old windows ME, or that corporate windows 2000 pro from "a friend", and microsoft will have a really bad quarter. or two. And that will prompt leadership changes. And once that happens, then crackers can do whatever they want.

      I also want to point out that firefox had better get a foundation going with a couple of heavies in it, otherwise some corp is going to hire the lead guys out of the project. Can you say Google?

      As far as google: they should not be too keen to diversify. They can make a lot more money in search and custom-profiled advertisement. It's an undertapped market. They don't need to make enemies right now.

      On Sun, and that means you Jonathan, (tim, tell him), get people involved in the grid computing by providing free accounts for hackers and FOSS people. These people really influence their corporate PHBs. I know if I use it and love it, then I don't mind telling my boss and his boss that anything less is Mickey Mouse. And I'm fast becoming the leading enterprise J2EE developer at my place of business. But I ain't gonna spring 8760USD per annum to find out if it's any good.

      Microsoft: Make gaming software for linux. You will nearly redeem yourself. Donate some money (not software) to some foss foundations, no strings attached.

      --

      "Piter, too, is dead."

    3. Re:Booooring... by Malc · · Score: 3, Insightful

      Another day, another anti-Microsoft zealot on /.

      Here are some recent security announcements from one of Linux's more reliable and secure distros:

      04/02/2005
      [DSA 667-1] New PostgreSQL packages fix arbitrary library loading
      *[DSA 667-1] New squid packages fix several vulnerabilities
      *[DSA 666-1] New Python2.2 packages fix unauthorised XML-RPC internals access

      02/02/2005
      [DSA 664-1] New cpio packages fix insecure file permissions

      01/02/2005
      *[DSA 663-1] New prozilla packages fix arbitrary code execution
      *[DSA 662-1] New squirrelmail package fixes several vulnerabilities

      27/01/2005
      [DSA 661-1] New f2c packages fix insecure temporary files

      26/01/2005
      [DSA 660-1] New kdebase packages fix authentication bypass
      *[DSA 659-1] New libpam-radius-auth packages fix several vulnerabilities

      25/01/2005
      [DSA 658-1] New libdbi-perl packages fix insecure temporary file
      (*)[DSA 657-1] New xine-lib packages fix arbitrary code execution
      *[DSA 656-1] New vdr packages fix insecure file access
      [DSA 655-1] New zhcon packages fix unauthorised file access

      Do I need to go on? That's an average of more than 1 a day.

      * = remote exploit
      (*) = can be turned into a remote exploit

      One of those is a potential remote exploit just watching DVDs! If you want to pick an OS or vendor apart, it's easy to do it to any of them. I'm not defending Microsoft, but they're far from unique. Of course, with the examples I've cited, I'm sure there will be many people who would like to quibble and try and make it seem less of an issue... if they'd been Microsoft exploits quite the opposite would occur. It's so dull and childish.

    4. Re:Booooring... by natrius · · Score: 2, Insightful

      If Microsoft cared about security issues in third party programs, their list of security announcements would be a lot longer than they are now.

    5. Re:Booooring... by Espectr0 · · Score: 4, Insightful

      Here are some recent security announcements from one of Linux's more reliable and secure distros:

      How many of those vulnerabilities are actually tied to the OS?

      Zero.

      How many of the windows vulnerabilities are tied to the OS?

      Mostly all of them.

      So do you want to count for example bsplayer's bugs so we can have a fair comparison against xine bugs?

    6. Re:Booooring... by Too+Much+Noise · · Score: 3, Interesting
      Attempting to draw sort of a line between "OS" and "irregular tools":

      [DSA 664-1] New cpio packages fix insecure file permissions
      It has been discovered, that cpio, a program to manage archives of files, creates output files with -O and -F with broken permissions due to a reset zero umask which allows local users to read or overwrite those files.
      Annoying, but hardly "critical"

      *[DSA 659-1] New libpam-radius-auth packages fix several vulnerabilities
      This is actually a mixed bag.
      The Debian package accidentally installed its configuration file /etc/pam_radius_auth.conf world-readable.
      rather embarrassing, but Deb-specific.
      Leon Juranic discovered an integer underflow in the mod_auth_radius module for Apache which is also present in libpam-radius-auth.
      more general, indeed.

      and even (assuming a KDE desktop):
      [DSA 660-1] New kdebase packages fix authentication bypass
      Raphaël Enrici discovered that the KDE screensaver can crash under certain local circumstances. This can be exploited by an attacker with physical access to the workstation to take over the desktop session.
      This problem has been fixed upstream in KDE 3.0.5 and is therefore fixed in the unstable (sid) and testing (sarge) distributions already.


      The rest are additional packages installed on a per-need basis. You don't argue MSSQL vulnerabilities are Windows vulnerabilities, do you? Or those of the compiler? (f2c indeed - that must be highly critical for home users)

      Contrast this with the Windows announcement where the 10 vulns affecting the OS are rated Critical.
    7. Re:Booooring... by damiam · · Score: 4, Insightful
      Any end users of Linux have to face the security flaws whether or not they're part of the OS.

      No, they don't. 99% of Linux end users don't run postgresql, zhcon, vdr, libdbi-perl, or most of the other packages the grandparent listed. It's fair to compare flaws in GNOME/KDE, Firefox, X, and the kernel to flaws in Windows. If you want, you can compare OO.o to Office and perl/python/Mono to .NET. But you can't compare the entire Debian archive (which takes 7 CDs to hold just the stable version) to the base release of MS Windows.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
  3. Why? by Sophrosyne · · Score: 4, Interesting

    Can't they roll them into one cumulative security update?

    1. Re:Why? by drmaxx · · Score: 5, Funny

      they try - it's called Longhorn - they are just soooo many of them...

    2. Re:Why? by amberp · · Score: 2, Interesting

      for 2 reasons
      1. There are too many (known and unknown) vulnerabilities.
      2. Even the known ones are too much to be fixed for various reasons.

    3. Re:Why? by Zocalo · · Score: 3, Informative

      Mostly because not everyone might appreciate having to download a huge patch for something they don't have installed. Also because the patches are covering multiple Windows versions, and EDS can tell you all about what happens when you apply a patch for one Windows variant over another...

      --
      UNIX? They're not even circumcised! Savages!
    4. Re:Why? by totoanihilation · · Score: 2, Interesting

      Every time I visit family, I make it a point to bring all the updates they could possibly need for their computer. (That, and bringing along new versions of firefox). It's a pain trying to figure out which updates they have, and which ones they don't and I end up spending an hour locating them all.
      Unfortunately, most of those I visit don't have broadband, so downloading 200 megs from WU doesn't work.

      On the other side of the fence, MacOSX updates always have a Combo version containing ALL previous updates, which I find wonderful for quick deployment and updates of multiple systems. When installing a new system, for example, I run my install CDs, then run the one updater. Done. On windoze, I run the installer, have to install hundreds of updates OR run WU several times in a row to make sure the system is patched.

      Anyways. I guess what I'm trying to say is that it wouldn't be too hard to write a script (at M$) that would add every new update to a Combo update (similarly to how you add a file to a tar file) and a special installer to handle it all without user intervention. So why don't they do it? It's not like they lack the money to hire some student to write it in a weekend...

  4. Damnit by mao+che+minh · · Score: 2, Funny

    And I just got done updating three or four ZEN images. I can't wait for the hundred times I'll be asked next week "can I click OK on the update thing or is that spyware?".

  5. Redundant? by Anonymous Coward · · Score: 5, Informative

    The summary is wrong, and this is pointing out that fact. Running Windows Update on Monday won't get you anything since the updates come out on TUESDAY, aka the 8TH.

    1. Re:Redundant? by Anonymous Coward · · Score: 2, Funny

      Interesting. So you would suggest that the "moderators" actually read the "news" they put on their "site"? Weird.

  6. At least they are actively patching... by jmcmunn · · Score: 5, Interesting


    Come on Slashdot, at least they are actively fixing their shit. You all bad mouth them for not fixing stuff fast enough, and then when they announce they are releasing a patch you try to find some way to bad mouth them for that?

    We're all bored of hearing how much people hate MS here...we KNOW you don't like them. Just leave it at that, and instead of reading and posting 600 replies here about how they suck, have some sort of intelligent conversation instead.

    1. Re:At least they are actively patching... by bersl2 · · Score: 2, Insightful

      Yeah, OK, that's fine.

      But as others have said already, do we really need to hear about it every time?

    2. Re:At least they are actively patching... by Murphy+Murph · · Score: 2, Insightful
      If a burglar breaks into your house and steals all your stuff, then you install a better lock but get robbed again next week, do you get mad at the lock manufacturer? No thinking person does - they try to find the burglar and punish him.


      If the burglar broke into my house through a flaw in the design of the lock - a flaw known by the manufacturer - a flaw the manufacturer found more profitable to ignore than fix - a flaw the manufacturer decided not to tell me about and trust me to make my own decisions on how best to secure my house - then HELL YEAH I'd get mad at the lock manufacturer!
      --
      I dub thee... Sir Phobos, Knight of Mars, Beater of Ass.
    3. Re:At least they are actively patching... by DarkVader · · Score: 3, Interesting

      Hmm... I think I might even sue the lock manufacturer. If I've bought a new lock that's been advertised to keep the burglar out, and he goes in by breaking the lock, I've even got a case.

      Now, if I buy a lock that is known to be defective, I don't have a case - I should have known better.

      But I can still be annoyed that the lock manufacturer makes garbage locks.

      Or I can just use another company's locks. That's the problem with Microsoft, they have so much of the market that many people are stuck using their locks, even when they know they're garbage. Me, I'll stick with Macintosh and Linux.

    4. Re:At least they are actively patching... by jmcmunn · · Score: 2, Interesting


      Well, Microsoft could take the stance of creating the "bullet proof" OS which allows you to run only the software that comes preinstalled, and only stuff that they have tested and debugged...that's about the only way they could "guarantee" their product to be bug free. (of course even linux users would never claim to be totally bug free)

      But you know what? That wouldn't be a very useful machine to anyone. The beauty of an OS is that it can run programs that you install (or even write) after the fact. You want the "Fort Knox" of machines? Run BartPE, or a Linux LiveCD or something. You want a functional OS, that can run all kinds of software and actually evolve over time, run Windows (or linux for all I care, or Mac). The point is, they do their best to keep up with the changing world, and fix bugs as well as they can in a timely fashion most of the time.

      You have to realize that a lot of bugs and security problems are found in the OS due to bad code in the apps that people have written. (or good code, depending on who you are) So MS reacts to the new ways that people find to break in. You think cars always had LoJack, or GPS tracking, or security alarms? NO. Security is an ongoing fight, not just in the computer industry. The "criminals" will constantly find new ways to break in, and the "good guys" keep on trying new ways to keep them out. So step back and relax, and remember the good old days when no one had to worry about hackers on the internet, then remember that in those days you also dialed in on a 19.2 Baud modem, and it sucked ass. We've come a long way, and things are getting better...

    5. Re:At least they are actively patching... by Lisandro · · Score: 2, Informative

      Seriously. Damned if they do and damned if they don't. I update at least two or three software packages a day in Gentoo (most of them version revisions with bugfixes) and it's not all over the news.

  7. Is this sort of thing still interesting to /. by Chess_the_cat · · Score: 4, Insightful

    I mean this is how the process works for any OS. Name the OS or system that doesn't require patches? I just don't see the point of this submission except to imply a Nelson-esque "Ha-Ha" where one isn't required. I run a dual-boot system and surprise, surprise, Linux likes to download fixes as well. In short: Who cares? Next stories: You may have a new e-mail in your inbox: Better check. Or how about: Make sure your version of Quicktime is current.

    --
    Support the First Amendment. Read at -1
    1. Re:Is this sort of thing still interesting to /. by MooseGuy529 · · Score: 2, Insightful

      Tomorrow's Slashdot headline:

      5 New Linux Security Vulnerabilities

      Gentoo has given advance notice that 5 packages have problems and will be updated. Happily within the week they will explain them in the next Gentoo Weekly Newsletter. Gentoo users, don't forget to run 'emerge sync' in 15 minutes when your local Portage mirror is updated.

      Um, as you can see the same thing happens to any OS. The difference is that Gentoo does this: 1. write a patch to fix current version so users are safe, then 2. put fixed version in Portage when available, then 3. notify users with a Gentoo Linux Security Advisory. Microsoft does this: 1. let news about vuln spread, 2. wait for someone important to notice, 3. announce vuln, 4. wait a week to a month, 5. release patch, 6. give sheepish excuse.

      --

      Tired of free iPod sigs? Subscribe to my blacklist

  8. They don't need to by Jugalator · · Score: 4, Informative

    Windows users, don't forget to run WindowsUpdate first thing Monday morning.

    These days, Windows users don't need to "run" Windows Update to grab security updates; the Windows service does that job, so they don't have to remember to do anything special on Tuesday. However, you need to actively visit windowsupdate.microsoft.com if you need other stuff than security updates.

    --
    Beware: In C++, your friends can see your privates!
  9. Every second Tuesday by NaCl · · Score: 2, Informative

    Microsoft releases updates for Windows XP every second Tuesday of the month, Windows users should be aware of that, as there always is something fixed.

    --
    I shot the sheriff
  10. Re:Monday? by amberp · · Score: 2, Funny

    Maybe he is referring to Feb' 8th 2010.

  11. PC Benchwarming by bigskank · · Score: 4, Insightful

    "Windows users, don't forget to run WindowsUpdate first thing Monday morning."

    Not just to rag on MS, but I will NOT be running my PC Monday morning. Given Microsoft's less-than-stellar history of patch releases (Service Pack 2 still gives me night terrors), I'll wait at least a week or so to see what problems these patches create.

    It's unfortunate that many PC users (including myself) would rather risk having their PCs zombified or their data erased for a while longer instead of installing the latest MS patch. For me, past experience has shown me it's less of a risk to just sit it out for a while and see what new holes these patches open.

    1. Re:PC Benchwarming by essdodson · · Score: 2

      Congratulations, you're the first person I know who has had problems with Service Pack 2.

      --
      scott
    2. Re:PC Benchwarming by jwcorder · · Score: 2, Interesting
      What in the hell are you talking about? It's been at least 2 years since we have had a patch crash our machine here on a 5000 workstation environment.

      Not to mention that SP2 works great unless you happen to be running an in-house application that was coded in basic back in 1942. Then you will have some problems. I have it running on about 10 workstations and I have had no problems except for once when I rolled back the install and corrupted a file. The only reason we haven't deployed it to all 5000 of our machines is that the firewall in SP2 does not allow remote control from the version of SMS we run in this environment. Once we get the new SMS version on the server, all workstations in this environment will be upgraded

      I am so sick of this crap. Sure MS is evil, but get over it. They are not the devil. Foosball is the devil!

      Seriously, I will be one of the first to get my patches on Tuesday morning....

      --
      http://jayceecorder.blogspot.com
  12. Re:Trusted Computing: - by Jugalator · · Score: 2, Insightful

    For those who are more knowledgeable...are we in the regime of Microsoft's Trusted Computing? I know Microsoft will continue to spew out info emphasizing a renewed effort in secure computer environments.

    Hm, trusted computing was their initiative with DRM in e.g. Office and WMP, the whole thing about the "Fritz" circuit, Palladium, etc. AFAIK, no WMA or Word Document DRM etc has been exploited, so I can't really see what that has to do with these news.

    --
    Beware: In C++, your friends can see your privates!
  13. New Slashdot format by EaterOfDog · · Score: 5, Funny

    10 Print New Awesome Mac Product
    20 Print New Windows Security Problem
    30 Goto 10

    --

    Crushing my karma one post at a time.
  14. Idiots by essdodson · · Score: 2, Informative

    1) It's Tuesday not Monday; afternoon rather than morning as they seem to release about noon time PST.
    2) This is a repeat.

    --
    scott
  15. AntiSpyware by inertia187 · · Score: 3, Informative

    If you haven't done it already, go to microsoft.com and search for antispyware. Install Microsoft AntiSpyware (beta). You'd be surprised how many trojans and spyware it will find on your "secure" Windows boxen.

    Microsoft didn't write it. It's GIANT AntiSpyware with a new label. It may think some of your legitimate apps are spyware, like VNC, but it usually marks them as ignore by default anyway. It's great if you forgot they were there or someone else installed them without your knowledge.

    --
    A programmer is a machine for converting coffee into code.
    1. Re:AntiSpyware by Bambi+Dee · · Score: 2, Informative
      It found exactly nothing, just like Ad-Aware and Spybot S&D and Clam AV and AVG and whatever else I tried. Am I in violation of any natural laws here?

      Except for that one time when I decided I'd go see what it's really like for those who always complain about random popups and slowdowns and stuff.

      It was quite a hassle at first, but once you've disabled/enabled enough to get the malware to install, there's a rainbow-coloured nightmare wonderland of Studly Males Online Gambling Hello Kitty Porno Toolbar Screensavers waiting. It's a regular shadow internet. I've seen things you people wouldn't believe! Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near Tannhauser gate. All those moments will be lost in time, like tears in rain. Time to die...

      At least I discovered spyware scanners actually do something and will happily keep recommending them (as I keep recommending Macs. Maybe I should try those, too)

  16. Re:Explain this to a non-windows guy by essdodson · · Score: 2, Informative

    Their corporate customers have asked them to schedule updates in this manner unless they absolutely must be pushed out in a hurry. MS previously released weekly on Tuesdays, now due to input from large corporate customers who like to plan downtimes and patches they do it once a month.

    --
    scott
  17. Re:What they are not telling you by kabdib · · Score: 2, Insightful

    Okay, who's not releasing patches for all the undiscovered Linux vulnerabilities? Oooooh, vast, incompetent menace! Switch to something else, quick.

    One word describes a system, nearly ANY system more recent than an Atari ST or C-64, that isn't regularly patched: "0wn3d"

    Bash bash bash. You guys are boring.

    --
    Any sufficiently advanced technology is insufficiently documented.
  18. Re:Explain this to a non-windows guy by Emperor+Skull · · Score: 4, Informative

    Past experience has shown that exploits are developed very quickly after a patch is released. Without advance notice admins can't schedule or plan to deploy updates. I test and approve patches for about 3000 Windows machines. I'm also in Louisiana where this happens to be a 4 day weekend because of Mardi Gras. Had a critical patch been released on Thursday or Friday I probably wouldn't get to even look at it before next Wednesday. If an exploit was released before then, then well my first day back is going to be a real bad day. While the second Tuesday of the Month might not be perfect for everybody, at least we can plan for it. I know I'll remote in and approve the patches for deployment to my test lab sometime on Mardi Gras day (and watch bugtraq and other places to help determine how important it is to deploy these quickly.) ES

  19. A different perspective by AverageMidget · · Score: 2, Informative

    Some Windows users (like myself) shut off the "Automatic update" service (along with many others) in order to have less system resources used (and less vulnerabilities) while doing what really matters...surfing for porn! Although I can understand the disgust with constantly hearing about patches, there are some people who might not hear about them any other way.

  20. Re:You should be behind a firewall anyway. by Joe+U · · Score: 3, Informative

    When using Windows you should always be behind a firewall

    When shouldn't you be behind a firewall? With the exception of say, a WebTV, ALL operating systems should be behind a firewall.

    Mac included.

  21. A couple of the updates by Sophrosyne · · Score: 2, Funny

    # Windows XP Media Center Edition may unexpectedly crash while being shown before large audiences.
    # User may 'hijack' Internet Explorer settings, this update will reset your Internet Explorer start page and search settings to the new and improved MSN Search.
    # Fixes vulnerability that allows users to view old Teen-Beat photographs that may contain images that could shock your system!

  22. Re:Mod parent up. by jmcmunn · · Score: 2


    Yeah, my network of 5 windows machines never has any troubles. Of course that's because everyone here is smart enough not to download spyware infested crap from the internet. We have AVG running on every machine and that keeps us virus free. And yes, I have a router as firewall, and SP2 on every box.

    If your Windows machines are broken, it's not Windows' fault IMHO, it's mostly user issues. I do agree that Windows makes it easy to install bad software, but Linux can also be totally ruined by installing bad software (at least when you know as little as I do). So if you want to have a solid Windows box, learn how to manage it. Don't let your 9-year old install stuff and you should be ok.

  23. Did You RTFA? by Rolan · · Score: 5, Informative
    1) The 8th is TUESDAY and the SECOND TUESDAY of every month is when Microsoft does their patch releases (unless they're so critical they release them out of cycle).
    2) It's not 13 patches for windows. As the article could not state any clearer it's:

    9 Microsoft Security Bulletins affecting Microsoft Windows. The greatest aggregate, maximum severity rating for these security updates is Critical. Some of these updates will require a restart.
    1 Microsoft Security Bulletin affecting Microsoft SharePoint Services and Office. The greatest aggregate, maximum severity rating for this security bulletin is Moderate. These updates may or may not require a restart.
    1 Microsoft Security Bulletin affecting Microsoft .NET Framework. The greatest aggregate, maximum severity rating for this security bulletin is Important. This update will require a restart.
    1 Microsoft Security Bulletin affecting Microsoft Office. The greatest aggregate, maximum severity rating for this security bulletin is Critical. These updates will require a restart.
    1 Microsoft Security Bulletin affecting Microsoft Windows, Windows Media Player, and MSN Messenger. The greatest aggregate, maximum severity rating for these security updates is Critical. These updates will require a restart.


    3) Read before you submit.
    --
    - AMW
  24. Making a more secure Windows by The+Fifth+Man · · Score: 3, Informative

    IE always seems to be the weak point, or the HTML subsystem... Even if it isn't, I've got instructions on removing several subsystems from Windows that will make it more secure.

    Check out my page on Windows patches, I think it's a convincing argument to rip all of this stuff out of Windows. Just download the files, drag-drop-replace, burn, and install.

    XP subsystem removal software here.

  25. The sad reality of this is: by dariyam · · Score: 2, Interesting

    The people that actually keep up with these updates are the same people that use McAfee and that enable encryption on their WIFI routers; they are the slightly-savvy citizens of the Microsoft community, and are a minority--and are probably already protected from these exploits beforehand, by some third-party software somewhere. While everyone else, that doesn't have the time or know-how to protect their PCs are the ones getting hurt the worst by these vulnerabilities. I think updates should be forced by this Operating System, kind of like how AOL back in the 90's wouldn't let you sign off a session and release your modem till you had downloaded their damn updates (which I am--even till today--convinced were ad-packs).

  26. Virus writers... by PuppiesOnAcid · · Score: 2, Funny
    Windows users, don't forget to run WindowsUpdate first thing Monday morning.
    Virus writers, don't forget to exploit these vulnerabilities before then.
  27. aspell, anyone? by kernelistic · · Score: 3, Informative

    Come on guys, how hard could spelling "Vulnerabilities" correctly be?

  28. The problem with windows is by CastrTroy · · Score: 2, Insightful

    The real problem with windows is that every 2-3 years they come out with a new version and have to go through all this crap all over again. Just when they've fixed most of the bugs, they come out with a new version, get everyone to upgrade, and we're back to the beginning. Windows 98 runs just about everything. And at this point most of the bugs have been patched. I knew guys that were still using windows 95 osr2 in 2000 because it was one of the most stable and streamlined systems available.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:The problem with windows is by ledow · · Score: 4, Interesting

      I have to agree with CastrTroy here... I run 98SE for the exact reason he has stated. I provide tech support to 6 different schools in my area and I'm having to turn new job offers down because I just don't have enough hours in the week to do them.

      Everyone is surprised that I run 98 but, especially now, I know the problems that it has and I have systems in place to stop them. I know it crashes a lot but I also know how to fix it. I've never lost a windows 95/98/me installation yet. However, the XP and 2K machines that I support will lock into all sorts of reboot loops and cryptic stop messages that I can do nothing about but restore from backup.

      The schools I work for were stung big-time by things like Sasser, they were taken completely off-guard and all reached a critical state within a few days when not one of their PC's would stay up for more than a few minutes.

      Because of my setup and because of the way that viruses are now only targeting the new vulnerabilities, I'm pretty safe. I've NEVER, repeat NEVER, had a virus on any computer that I own and for many years didn't even bother with an antivirus.

      Nowadays, the only reason I have antivirus is so that I can scan emails from people who forward me crap and ask "is this a virus/trojan etc?". Most of the time, it's a yes before I even bother to scan it.

      Virus writers are not targeting me, they'd have a very hard time if they did because I'm not stupid.
      My IE is up-to-date and never used, because I realised many years ago what a mistake it is to use it. IE is installed purely for Windows Update.

      I have people who I support who are still happily running 98, even 95, some of whom are years behind on updates and they don't have a problem because they are educated, firewalled, know what not to do and have established measures in place, have had for years.

      Only the 2000/XP computers that I support have problems with such junk because, like Sasser, there was little a user could do to prevent it as it came out of the blue. That's what 98 was like many years ago but we've since established a routine that prevents that.

      There is NOTHING WRONG with running an older Windows OS, even an out-of-date, not-updated OS. Sure, I wouldn't use it as a server but then I wouldn't use Windows as a server given half a choice, precisely because of its many problems.

      Windows "automatic update" has screwed up many a machine that I support, and given all sorts of weird problems because of it installing crap and hogging internet connections.

      Windows 98 works for me, does everything I need to, is blindingly fast (but you don't notice that until you use it after using XP), behind a suitable set of protective measures is as safe as a Windows 2000/XP machine behind the same measures, easy to recover and suffers less problems overall.

      Experiment for the adventurous: Get a Windows 3.1 box, install TCP/IP and put it on the net. Wait for it to be compromised. Perform similar action on XP/2K, even with latest updates.

      One of my firewalls is still running a Linux 2.0 kernel because it's simple, safe, and works. Old decrepit. Old = tried and tested.

      Ask NASA why they won't put an Intel with XP controlling the space shuttle. Now ask them why they would use a Z80 with something like CP/M or Unix.

  29. WOW, Censorship is alive and well here by FunWithHeadlines · · Score: 2, Interesting
    Say anything negative against Microsoft nowadays, except in the meekest of manners, and you get modded to oblivion. What I wrote is 100% true, done in a humorous way, and the last sentence is optional but highly recommended. Anyone who doesn't know by now that Windows is the least secure OS out there gets what they deserve.

    You can suppress what I'm saying, but not the reality of what I said.

  30. Re:Redhat Linux by Mybrid · · Score: 2, Insightful
    It's different because Redhat Linux boxes don't actually go down because of an attack.

    In contrast millions of Windows users waste millions of hours and lose millions of dollars of data because of Microsoft vulnerabilities. To conclude:

    1. Redhat fixes are preemptive, attacks don't succeed.
    2. Many Microsoft fixes are after the fact, millions of dollars and hours are lost every year.
  31. Re:Lots of vulnerabilities? by diegocgteleline.es · · Score: 3, Insightful

    debian woody has like 8000 packages.

    Windows XP is an OS, graphical environment, msn messenger, wordpad, a few crappy games, some services...let's be good and say they've 1000 packages of software (they don't)

    13/1000= 0.13 vulnerabilities per package

    47/8000=0.005

    "So you zealous fucker, which platform is more secure?"

  32. Safe Surfering by Mybrid · · Score: 3, Insightful
    It is trivial to run Microsoft without anti-virus software or anti-adware software safely.

    Let's call this safe surfing.

    The answer is to surf the web as user "Guest".

    There are a lot of things to be said about this but the most important is that Microsoft doesn't care about security because they don't educate this or default to this.

    As a computer consultant every day I get asked about safe computing. My answer on windows is this:

    1. Don't use Microsoft Express or Outlook at home. Instead use web email clients like Yahoo.
    2. Don't click on email links. Instead, cut-copy-paste the text of the displayed link into a new browser window.
    3. Log out as your account and log in as Guest whenever you 1.) use Windows Media Player or 2.) surf unfamiliar web sites.

    People squawk about having to log out and log in as a different user. I tell them safe computing is no different than safe sex. You need to take responsibility. You need to decide how important being safe is to you.

    By enabling the Guest account and surfing the web as guest, virus and adware can't install software, touch the registry, or write to anywhere on the disk other than the account folder for Guest. If the Guest account ever gets corrupted just delete it and create a new one.

    However, unlike with Unix, Windows is a hostile environment for mixing users.

    On Unix it's easy. Just enable "sudo". Your default security mode is one of no access, user mode. You have to make a conscious choice to run with sudo.

    It is very unsatisfying to run as "Guest" in Windows and then "Run As" a secure user and hardly anyone does it. It's almost futile to install software as a user on Windows other than someone with admin privileges. Almost every major software vendor's install will fail unless admin privileges are used. By contrast, no such barrier exists in Unix. The "--prefix" option to most software will allow you to run from your home directory. And it's not always just the big things, but little things too. Unix uses the "~/username" shortcut to easily afford copying files between accounts.

    It is possible even in today's Microsoft environment to guarantee yourself the impact of a virus or adware can be contained to a sandbox, Guest user account.

    The fact that Microsoft doesn't make "RunAs Guest" the default security model as does Unix is something that Microsoft should be held accountable for.

    But the reality is Microsoft just doesn't care about security. They only care enough to give it lip service.

  33. Instead of the Following... by Master+of+Transhuman · · Score: 5, Funny

    "Windows users, don't forget to run WindowsUpdate first thing Monday morning."

    I think he meant to say:

    Install Linux first thing Monday morning...

    I say: Why wait? Use the weekend wisely...

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  34. Re:Remote update of office by RequestTimedOut · · Score: 2, Informative

    Try out WUS, successor to SUS and currently in beta. It allows you to select Office updates to deploy. (Office XP & higher I believe)

  35. SUS good, not perfect by Karl+Cocknozzle · · Score: 2, Insightful
    you'd find MS has a nice tool called SUS server, that will roll them out to your network for you.

    While I agree it is a great tool, it needs a few tweaks to be great... Unfortunately, MS doesn't want this to be too good because SMS still costs a lot of money to buy... This is why it doesn't apply Office patches, (the one exception being the critical update for Office XP users running XP sp2) or even anything besides critical and security patches.

    An install log might be a nice option too... Of course, once it has been up and running through a couple patch cycles you find it to be pretty much a cake-walk... setup would have been simpler with a log I can enable/disable when I needed to, though.
    --
    Who did what now?