Slashdot Mirror
13 New Windows Security Vunerabilities
Petree writes "Microsoft has given advance notice that on February 8th, they will be releasing patches for 13 vunerabilities. Happily a day later they'll have a nice little webcast so answer questions about the vunerabilities. Windows users, don't forget to run WindowsUpdate first thing Monday morning."
And then again on Tuesday when the actual updates come out.
Another day another vulnerability. This is getting old. What's the point in continually reporting this drivel? We all know MS has their issues - but frankly I'm getting tired of all the wasted space on /.
You're preaching to the choir!!
Can't they roll them into one cumulative security update?
The summary is wrong, and this is pointing out that fact. Running Windows Update on Monday won't get you anything since the updates come out on TUESDAY, aka the 8TH.
Come on Slashdot, at least they are actively fixing their shit. You all bad mouth them for not fixing stuff fast enough, and then when they announce they are releasing a patch you try to find some way to bad mouth them for that?
We're all bored of hearing how much people hate MS here...we KNOW you don't like them. Just leave it at that, and instead of reading and posting 600 replies here about how they suck, have some sort of intelligent conversation instead.
I mean this is how the process works for any OS. Name the OS or system that doesn't require patches? I just don't see the point of this submission except to imply a Nelson-esque "Ha-Ha" where one isn't required. I run a dual-boot system and surprise, surprise, Linux likes to download fixes as well. In short: Who cares? Next stories: You may have a new e-mail in your inbox: Better check. Or how about: Make sure your version of Quicktime is current.
Support the First Amendment. Read at -1
Windows users, don't forget to run WindowsUpdate first thing Monday morning.
These days, Windows users don't need to "run" Windows Update to grab security updates; the Windows service do that job, so they don't have to remember to do anything special on Tuesday. However, you need to actively visit windowsupdate.microsoft.com if you need other stuff than security updates.
Beware: In C++, your friends can see your privates!
"Windows users, don't forget to run WindowsUpdate first thing Monday morning."
Not just to rag on MS, but I will NOT be running my PC monday morning. Given microsoft's less-than-stellar history of patch releases (Service Pack 2 still gives me night terrors), I'll wait at least a week or so to see what problems these patches create.
It's unfortunate that many PC users (including myself) would rather risk having their PCs zombified or their data erased for a while longer instead of installing the latest MS patch. For me, past experience has shown me it's less of a risk to just sit it out for a while and see what new holes these patches open.
10 Print New Awesome Mac Product 20 Print New Windows Security Problem 30 Goto 10
Crushing my karma one post at a time.
If you haven't done it already, go to microsoft.com and search for antispyware. Install Microsoft AntiSpyware (beta). You'd be surprised how many trojans and spyware it will find on your "secure" Windows boxen.
Microsoft didn't write it. It's GIANT AntiSpyware with a new label. It may think some of your legitimate apps are spyware, like VNC, but it usually marks them as ignore by default anyway. It's great if you forgot they were there or someone else installed them without your knowledge.
A programmer is a machine for converting coffee into code.
Past experience has shown that exploits are developed very quickly after a patch is released. Without advance notice admins can't schedule or plan to deploy updates. I test and approve patches for about 3000 Windows machines. I'm also in Louisiana where this happens to be a 4 day weekend because of Mardi Gras. Had a critical patch been released on Thursday or Friday I probably wouldn't get to even look at it before next Wednesday. If an exploit was released before then, then well my first day back is going to be a real bad day. While the second Tuesday of the Month might not be perfect for everybody, at least we can plan for it. I know I'll remote in and approve the patches for deployment to my test lab sometime on Mardi Gras day (and watch bugtraq and other places to help determine how important it is to deploy these quickly.) ES
When using Windows you should always be behind a firewall
When shouldn't you be behind a firewall? With the exception of say, a WebTV, ALL operating systems should be behind a firewall.
Mac included.
2) It's not 13 patchs for windows. As the article could not state any clearer it's:
3) Read before you submit.
- AMW
IE always seems to be the weak point, or the HTML subsystem... Even if it isn't, I've got instructions on removing several subsystems from Windows that will make it more secure.
Check out my page on Windows patches, I think it's a convincing argument to rip all of this stuff out of Windows. Just download the files, drag-drop-replace, burn, and install.
XP subsystem removal software here.
Come on guys, how hard could spelling "Vulnerabilities" correctly be?
debian woody has like 8000 packages.
Windows XP is a OS, graphical environment, msn messenger, wordpad, a few crappy games, some services...let's be good and say they've 1000 packages of software(they don't)
13/1000= 0.13 vulnerabilities per package
47/8000=0.005
"So you zealous fucker, which platform is more secure?"
Let's call this safe surfing.
The answer is to surf the web as user "Guest".
There are a lot of things to be said about this but the most important is that Microsoft doesn't care about security because they don't educate this or default to this.
As a computer consultant every day I get asked about safe computing. My answer on windows is this:
People squawk about having to log out and log in as a different user. I tell them safe computing is no different than safe sex. You need to take responsibility. You need to decide how important being safe is to you.
By enabling the Guest account and suring the web as guest, virus and adware can't install software, touch the registry, or write to anywhere on the disk other than the account folder for Guest. If the Guest account ever gets corrupted just delete it and create a new one.
However, unlike with Unix, Windows is a hostile environment for mixing users.
On Unix its easy. Just enable "sudo". Your default security mode is one of no access, user mode. You have to make a conscience choice to run with sudo.
It is very unsatisying to run as "Guest" in Windows and then "Run As" a secure user and hardly anyone does it. It's almost futile to install software as an user on Windows other than someone with admin privileges. Almost every major software vendor's install willl fail unless admin privileges are used. By contrast, no such barrier exists in Unix. The "--prefix" option to most software will allow you to run from your home directory. And it's not always just the big things, but little things too. Unix uses the "~/username" shortcut to easily afford copying files between accounts.
It is possible even in today's Microsoft environment to guarantee yourself the impact of a virus or adware can be contained to a sandbox, Guest user account.
The fact that Microsoft doesn't make "RunAs Guest" the default security model as does Unix is something that Microsoft should be held accountable for.
But the reality is Microsoft just doesn't care about security. The only care enough to give it lip service.
I have to agree with CastrTroy here... I run 98SE for the exact reason he has stated. I provide tech support to 6 different schools in my area and I'm having to turn new job offers down because I just don't have enough hours in the week to do them.
Everyone is surprised that I run 98 but, especially now, I know the problems that it has and I have systems in place to stop them. I know it crashes a lot but I also know how to fix it. I've never lost a windows 95/98/me installation yet. However, the XP and 2K machines that I support will lock into all sorts of reboot loops and cryptic stop messages that I can nothing about but restore from backup.
The schools I work for were stung big-time by things like Sasser, they were taken completely off-guard and all reached a critical state within a few days when not one of their PC's would stay up for more than a few minutes.
Because of my setup and because of the way that viruses are now only targeting the new vulnerabilities, I'm pretty safe. I've NEVER, repeat NEVER, had a virus on any computer that I own and for many years didn't even bother with an antivirus.
Nowadays, the only reason I have antivirus is so that I can scan emails from people who forward me crap and ask "is this a virus/trojan etc?". Most of the time, it's a yes before I even bother to scan it.
Virus writers are not targetting me, they'd have a very hard time if they did because I'm not stupid.
My IE is up-to-date and never used, because I realised many years ago what a mistake it is to use it. IE is installed purely for Windows Update.
I have people who I support who are still happily running 98, even 95, some of whom are years behind on updates and they don't have a problem because they are educated, firewalled, know what not to do and have established measures in place, have had for years.
Only the 2000/XP computers that I support have problems with such junk because, like Sasser, there was little a user could do to prevent it as it came out of the blue. That's what 98 was like many years ago but we've since established a routine that prevents that.
There is NOTHING WRONG with running an older Windows OS, even an out-of-date, not-updated OS. Sure, I wouldn't use it as a server but then I wouldn't use Windows as a server given half a choice, precisely because of it's many problems.
Windows "automatic update" has screwed up many a machine that I support, and given all sorts of weird problems becuase of it installing crap and hogging internet connections.
Windows 98 works for me, does everything I need to, is blindingly fast (but you don't notice that until you use it after using XP), behind a suitable set of protective measures is as safe as a Windows 2000/XP machine behind the same measures, easy to recover and suffers less problems overall.
Experiment for the adventurous: Get a Windows 3.1 box, install TCP/IP and put it on the net. Wait for it to be compromised. Perform similar action on XP/2K, even with latest updates.
One of my firewalls is still running a Linux 2.0 kernel because it's simple, safe, and works. Old decrepid. Old = tried and tested.
Ask NASA why they won't put a Intel with XP controlling the space shuttle. Now ask them why they would use a Z80 with something like CP/M or Unix.
"Windows users, don't forget to run WindowsUpdate first thing Monday morning."
I think he meant to say:
Install Linux first thing Monday morning...
I say: Why wait? Use the weekend wisely...
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!