Microsoft Releases Eight Security Updates
Juha-Matti Laurio writes "After a very uncommon break in March, Microsoft has just published 8 new security updates. Almost all updates that are part of the monthly release cycle are rated 'Critical.' The new Windows Shell vulnerability, MS05-016, is only 'Important,' but Windows XP Service Pack 2 is affected too. This is not the first time when there was something to fix at Shell32.dll.
The TCP/IP vulnerabilities that could allow remote code execution and denial of service, covered by cumulative bulletin MS05-019, affect SP2 too.
Windows Kernel, Exchange, MSN Messenger, Word (Office) and Internet Explorer get their updates as well."
Phew and here I was thinking hell had frozen over in March and Microsoft wouldn't have any new security updates. Thanks for reassuring me Microsoft. You had me nervous.
-Teiresias
This is not the first time when there was something to fix at Shell32.dll
yep, and like every operating system - it won't be the last...
Huh? These are patches, not new features being added.
Thanks, Bill.
Mens et Manus
And yet they are less vague than the ones which have recently come out of OpenBSD. That's scary.
Windows Server 2003 SP1 is also available. Apparently it's a kind of XP SP2 but for Server 2003. With the firewall, security center, IE "enhanced security", spyware removal tool that doesn't run, etc.
I just hope it doesn't break as many apps...
Karma cannot be described by words alone.
Huh? These are patches, not new features being added.
:(
Technically, they are features being removed. Microsoft should pay us to install them.
I've applied these to about 15 servers this morning - boxes running IIS, SQL, Exchange, and so far nothing has blown up. What really gets me is the bandwidth they must be putting into the distribution. The 8 or so MB that the servers are downloading is coming across much more quickly than I've seen it in the past. Could just be an aberration, but usually the feeding frenzy is pretty intense.
Don't disappoint your bird dog. Go to the range.
... but after using the "windows update" utility in XP and 2000/2003 server for some time, and being a newbie to fedora (new servers in my home lab), i find the MS utilities muuuuuch easier to use than the fedora update manager. once i say no to an update, that choice stays "no" ... i have to always say no to unwanted updates in fedora (even tho they're on my ignore list). am i a feeble n00b, or could the linux distros learn a thing or two from MSFT?
nothing worth possessing isn't possessed. or something.
...now you must have a licensed registered copy on winders or else you are SOL, nice they waited until now to release them...btw...when you upgrade to the new winders update stuff, which checks to make sure you don't have a pirated/illegal copy (whatever THAT means), and you try to do it through Firefox, you have to reboot, and guess what, IE is now your default browser....
#include bier;
Glad I don't do "Auto Install"...hidden way at the bottom of the list of things Windows wanted to update was...
Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773)
Download size: 694 KB, 1 minute
This software updates the Background Intelligent Transfer Service (BITS) to v2.0 and updates WinHTTP. These updates help ensure an optimal download experience with new versions of Automatic Updates, Windows Update, and other programs that rely on BITS to transfer files using idle network bandwidth.
How is this critical?
..just how long these security holes have existed? It's a nifty trick to publish security holes only after patching them. Makes you look good, except in the eyes of those whose PC has already been "pwned" because of said holes...
Auto update applied the patches and then I could not boot.
Had to run chkdsk, then it came back to life.
The most worrisome are (from least to most)
MS05-019 Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service.
Remotely Exploitable. Good potential for the next superworm.
IP Validation Vulnerability (CAN-2005-0048) - "Incomplete validation of IP Network Packets" is how Microsoft describes this vulnerability.
MS05-021 - Vulnerability in Exchange Server Could Allow Remote Code Execution.
Remotely Exploitable Buffer Overflow
Exchange Server Vulnerability (CAN-2005-0560) - The service fails to handle SMTP extended verb requests. On Exchange 2000, if an attacker connects to an SMTP port (unauthenticated users will work) and issues a specially crafted extended verb request, this would allow an attacker to run the code of their choice as the SMTP service runs as Local System.
MS05-020: Cumulative Security Update for Internet Explorer (890923)
Remotely exploitable.
All three problems fixed would require a user to browse a malicious website or click on a link... but then there is a HIGH probability that THAT will happen. Again, proof-of-concept exploit code has been released for this flaw.
This is not the first time when there was something to fix at Shell32.dll
yep, and like every operating system - it won't be the last...
That's funny. I just did an ls for Shell32.dll, but didn't find it on my SuSE box. Should I download and install the file anyway?
I would like to thank MS for being so diligent in protecting the everyday computer user from malicious attacks from evil-doers. Keep the patches coming!
One man's Funny is another man's Offtopic.
I don't know if I'm feeling safer or less safe after seeing these patches.
Scenario 1)
Yay!!! There are now fewer security holes.
Scenario 2)
Oh noo!!! If they still are finding problems of this type then there must be many many more.
Are you a scenario type 1 or type 2 guy?
The Internet is full. Go Away!!!
That way I can be the first to break something. It's no fun having a solution already up on Google.
Can we expect a news article every month blasting Microsoft for releasing security updates? Christ, where are the news articles when updates come out for other OS's? Or is it only a bad thing when Microsoft does it?
At least they're not calling MSN Messenger an important update anymore :)
It's all fun & games until someone loses the game.
"something to fix at Shell32.dll"
WTF kind of English is this?
I never understood why Microsoft released "critical updates" only every month. If they're critical, you're supposed to release a patch as soon as you hear about them. 48 hours is already too much, and a month represents a century in the IT universe...
I just went to update Win2003 SP1 and all they offered was the Windows Malicious Software Removal Tool - April 2005. I'm disappointed at missing my patch fix for this month :-(
last night, i got a popup message saying "updates were applied to your system and it will be rebooted in 5 minutes" - i tried to kill that process but it kept respawning. is that related to these patches? weird, i thought i had autoupdate disabled..
--
http://unk1911.blogspot.com
48 hours is already too much, and a month represents a century in the IT universe...
So you're telling me I have to wait an eon for Longhorn to come out?
People don't want to be updating every five minutes. Every patch goes through a complete testing cycling at some businesses, which is very expensive. This lowers the time and expense by restricting it to once a month. Furthermore, if the security hole hasn't been publicly announced, there isn't normally something exploiting it. I think this is a matter of risk management - maybe they will get burnt by this one day, but experience has shown that this approach is acceptable.
Because people buy an $800+ server OS to browse the web with it...
The only pages my 2003 boxes have ever visited are Windows Update. If I want to browse the web, I've got workstations.
Tell the truth and you won't have so much to remember.
Read Broadband Reports security forum thread about this. It appears the rerelease patch fixed the blue screen problems, proxy, etc.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
It's stupid to cover security updates from Microsoft, we all know as soon as they release more problems just sprout up and then they release more updates.
In America, you spam computers In Soviet Russia, computers spam you!
Hmm, Microsoft security updates. Must be the 2nd Tuesday of the month.
I don't even use MS products and I know about their update schedule, yet every 2nd Tuesday of the month
I spent several hours yesterday cleaning viruses and spyware off of my mom's laptop, then installing patches, SP2, and AVG Antivirus. Now I have to go patch it some more?
Sorry, my karma just ran over your dogma.
The plus side: sysadmin day comes but once a year, and if I can thank the manufacturer of windows OS for anything it would be the highly visible justification they provide for our management to kick down some goods and buy us some chocolate cake...
Can those users with pirated windows [ Common serial ] download these updates?
Why does yahoo do this
Maybe it wasn't such a bad idea after all... or maybe users are learning how to be halfway competent?
-Rob
Marriage doesn't have to suck!
No (or at least not to the same scale).
The firewall added by SP2 significantly reduces the threat profile, especially for those people connected to the net bare. Even if a lot of local services are vulnerable, it's less of a threat if external probes can't reach them.
Our company moved all developers to Debian workstations. Productivity increased (we deploy on Debian as well) and security too.
Some users were also moved to Debian workstations and the plan is for the whole company to be running Linux within 2 years.
I don't know where or how I got it stuck in my head that WindowsXP SP2 was supposed to have fundamentally changed something about the way code ran... maybe it was just a dream. But I thought some of those critical components of the OS had gone through intensive scrutiny and all that when they were compiling updates to build SP2. But, again, I must have been dreaming since these new ones have managed to stick around.
I applied these yesterday and my fax software suddenly lost DLLs that were required for it to function. I haven't been able to determine 100% if there is a connection, but in my mind, that was the only major change to the system preceding the discovery of the problem.
Weird weird weird...
Why wait a month? Because their patching system blows. They didn't learn lessons learned decades ago about how to patch core components and kernel services and now we live with this every day (or month as the case may be).
Patching a single Windows machine is difficult especially if you are a novice (many still don't understand why computers "just don't work"). Patching many Windows machines is hard. Patching a live server is hard. Considering how hard some of the patching is on some machines you might even want to consider waiting a few more days until the weekend to apply these patches, especially since one of the patches fixes exploits that are mitigated by using firewalls. Regardless, Windows is so hard to patch you can't have the "on the fly" patching feature other platforms have.
It is really the lesser of two evils. You can either spend almost all of your time patching or you can lump the difficult time in one large shot. If MS dropped patches whenever they felt they were complete (which is good for security!), by the time you finished updating the entire enterprise (this might take weeks if not a month with serious stuff like SP2) you'd have to start over and do it again for a brand new one. So on and so forth.
The real problem is "patching Windows is hard". The "fix" right now to this is pushing patches once a month. As long as Windows is hard to patch then there is no other real solution to this horrible situation MS sold us on.
It seems MS are determined to have XP users disabled from using raw sockets - in itself not such a bad idea for 99.9% of XP users but those of you who avoided SP2 (or disabled firewall/ICS after installing it to get round this problem) please note - it's back! and there's no known way to disable it (yet).
To do an "nightly update" on a Fedora machine you do this:
% yum -y update
Works great, scales well (throttled by network bandwidth). I don't even have to be there to do it. A regular user can continue to use the machine happily. If it requires a reboot then that can be done much later unless flakiness arises. The point is it doesn't interrupt my work nor the user's work.
To do a "nightly update" on Windows you have to:
- Go physically find the machine if you have no deployment tools or remote desktop.
- Log in if no one is there. If someone is there, remind them to click on the icon in the tray to patch their machine ("Please, sooner than later"). The worst: boot someone off the machine who locked their desktop. Whatever they were working on is gone.
- If you are lucky, the patch itself requires no real user interaction. If you are unlucky, be prepared to get a lot of calls on the help line asking "Should I click 'I accept'? What is this?".
- If you are lucky, you don't have to reboot. More often than not you have to. Not so bad for desktops although many will wait for their lunch break to do it. So very bad for live servers because you actually have to schedule time to do it.
- If you are really lucky, nothing else goes wrong. People go back to work. Reading around it appears on some configurations that one of the patches makes the system unbootable. If you are slightly less lucky it is just booting into the Admin console and fixing the problem. The alternative is well....unpleasant. I don't have time to monkey with an individual workstation since there are several more people having problems. Reformat/restore from the stock image if the simple fixes don't work.
I can't say I want any of the Linux machines to behave like how Microsoft does Windows update. Yum and apt-get are infinitely more pleasant to work with. The problem isn't with Windows Update though...it is with the fact that patching Windows sucks.
Why is this news at all ?
Patches up
I have mod points and I am not afraid to use them
The latest patches took the liberty to remove all of my IP information. Thanks for nothing.
That wasn't an OS login. That was a Workgroup/Domain login, albeit misleading.
A programmer is a machine for converting coffee into code.
You must be new here ....
if you are unfamiliar with akamai's distributed replication service, then you are obviously stunned that microsoft pays big cash for their service so that the microsoft update services WON'T go down like a whitehouse intern.
And your post was modded "flamebait", which proves your point.
If a /. user ever starts dating a girl, maybe they can better explain the appreciation of foreknowledge of the monthly cycle.
- If you have XP Service Pack 2, and are behind a router, the ICMP vulnerability is a non-issue. Your router responds to pings, not your computer.
- If you use Mozilla Firefox, the IE vulnerability is a non-issue as well.
- The Exchange vulnerability is a non-issue for desktop users.
- If you use MSN Messenger, update. I don't.
- If you open other peoples word documents, update. I use Abiword, or let google translate them to html.
-Dan
People don't want to be updating every five minutes.
Microsoft don't force these updates on people. If they release the patches when they are ready, you can still only update once a month if you want to.
Furthermore, if the security hole hasn't been publicly announced, there isn't normally something exploiting it.
I think you mean "if the security hole hasn't been publicly announced, people have no clue whether there are things exploiting it or not."
Or do you think that black hats make formal announcements when they discover vulnerabilities?
I think this is a matter of risk management
Indeed it is. By releasing patches on a regular basis rather than when the patches are finished, Microsoft force their customers to go from a known, quantifiable risk (the cost of testing and patching) to a completely unknown risk (the possibility of being compromised, unknown severity).
So yes, it's a matter of risk management - Microsoft are taking away your ability to manage your risks effectively.
Would someone do me a favor and tell me why this is newsworthy? Alright so Microsoft announces eight security fixes. Fantastic. They've announced five thousand before this, and they're gonna release five thousand more. Do yourself a favor and set up your box for auto-update, install a good AV program, use Firefox instead of IE and make sure you're running XP SP2, and just consider yourself relatively safe. It's a windows desktop for christ's sake. Who cares if it gets owned. You're an idiot if you have anything important on there in the first place. ;-)
MS went to a 'regular' monthly schedule to pacify the sysadmins out there who were tired of wondering when they were going to have to push a new update out.
What wondering? Tuesdays, Thursdays and Fridays, regular as clockwork. It became a running joke on Slashdot it was that regular.
Geeks... start your patches!
Microsoft should really have a category higher than "critical." They still do occasionally release a bulletin out of cycle when it's a huge, gasping, oh-my-god-the-dam's-breaking issue. Otherwise, they stick to this schedule because it makes Windows sysadmins' lives much easier. Since you can't trust Microsoft patches not to break your systems, you have to spend a lot more time testing, testing and retesting before deploying the patches. It's easier to do that with a batch of 8 patches monthly, than with individual patches on an irregular schedule.
It's just an example of CYA bullshit that actually causes more risk of something bad happening. If something breaks you can fix it.
"Complete testing cycles" are used because if something breaks, the IT guy can shift blame instead of taking responsibility for the systems they maintain.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
All of the patches in yesterday's release were already included in Windows Server 2003 Service Pack 1, or do not affect that platform.
As part of my job I've been tracking exploits for these as they pop up on the usual lists and public exploit archives. So far there's an instant root shell using a single HTML file opened in IE; ditto for "windows shell remote code execution"; and a couple for Access (tho' I don't believe those were actually part of the Patch Tuesday frenzy.) Fun times! Who's running the book on whether someone will wormify one of these? My betting is NOT; I think MS have managed to do just enough to get back ahead of the skiddies (well, worm-author skiddies anyway) for the next few months at least. XPSP2 is taking all the fun out of incident response ;)
> Thanks, Bill.
So? 98 and 98 SE haven't had a "critical" vulnerability in years!
On a more serious note -- I'd love to see a better explanation of why 98 and 98SE are never critically affected by some of these holes.
Sometimes (most of the time, these days), a Win98 box really isn't vulnerable. If it's a hole in some stupid SYSTEM-level background process that listens to port XYZ on XP, and the process doesn't exist on 9x, then the 9x box simply. isn't. vulnerable.
Other times, you really have to wonder if "contains the affected component but is not critically affected" simply means "we never bothered to check".
Sure, 9x doesn't have any security model to speak of, but when was the last time a 9x box got owned by simply installing it out of the box and plugging it into a network? (All the holes that rely on 9x's lack of a security model require some form of user intervention, even if that intervention is as innocent as "using IE", "running Outlook", and anything to do with filesharing over NetBIOS or running IIS as "user intervention". But I don't think IIS was turned on by default on 9x, nor was filesharing over NetBIOS. I could be wrong; it's been a long time. What'd I forget? There's still a part of me that would bet on an unpatched 9x box and an enclued user to outlive an XP box, even with autoupdate turned on.)
I just don't understand why an entire computer's hardware has to be emulated in software, and then the operating system, with all its polling and processing loops, interrupt handling, and background crap that it does, has to be emulated as well.
Darwine is going to eliminate that. It's going to have an application loader, so when you click a Windows .EXE in Mac OS, it will open it in a loader. QEMU will then run the executable, emulating only the processor. All system calls will convert data structures to Mac format and then call Wine functions, which will be compiled natively under Mac OS. I think this will bring about a tremendous speedup, as only the application will be running, and applications spend nearly all of their time just waiting for input, so it won't take hardly any processor resources; and finally, only the program's inner workings will run under emulation. This is exciting!
And screw Windows, SP2 and all... That OS is so full of vulnerabilities and bugs that it's not even funny anymore. Microsoft just patches upon fix forever. Their code probably contains functions 1000 lines long that have indents going so far to the right that they're voting Republican and attacking the Middle East for cheap oil, which keeps going up anyway. (Proof, as much as I hate to admit it, that Bush didn't lie about Iraq, 'cuz if he did, Gas would cost fifty cents a gallon by now. I hate to admit it, but I was wrong about him.)
Yeah. Windows sucks.
Even though NVidia's NForce now provides you with a free hardware FW running on every windows box (and probably with linux too)...
And now starts the joy of wondering why you can't surf the pr0n websites when you've got your router's firewall + your MB's firewall + XPSP2's firewall activated at once
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
No, we literally do not. We do literally want to ban all nonstandard language usage, figuratively speaking.
Dewey, what part of this looks like authorities should be involved?
Someone has probably already mentioned this, but doesn't it seem very suspicious that this occurred just as the block on SP2 was removed? Did they just hold on to these until they could force SP2 out with some patches that would be in demand?
All of the OpenBSD updates on the page you linked to are in the form of source patches. If those are vague, what exactly would you consider precise?
Have a look at 014: SECURITY FIX: March 30, 2005, for example:
Where the patch adds, among a couple of other things, the ability to ignore certain kinds of environment variables:
- if ((ep = env_find(var)))
+ if ((ep = env_find(var))&&(!exported_only || ep->export))
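Review bot: the `&&` on the `+` line is written without surrounding spaces while the `||` inside the same condition is spaced; for consistency write `if ((ep = env_find(var)) && (!exported_only || ep->export))`. The operand order is correct as is: `ep->export` is only evaluated after `env_find` has returned a non-null `ep`, so the short-circuit protects the dereference.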
It seems to me that this is about as detailed information as anyone could possibly ask for.
(n/t)
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
Not using option explicit, Not declaring (Dim'ing) vars; Bad indentation, LOTS of errors (like strSQL = without quotes), Typos (isMicrosoft and isMicorsoft ), Sloppy coding, No error handling, no use of anything OOP (too "complicated")... The code is buggy at best and does nothing useful. Typical VB code :)
This proves definitively that Linux is WAY more secure than Windows and that Open Source is the only way to go. When will the Windows sheeple wake up and fight "Da Man". Only complete losers that don't truly understand computers use Windows. M$ intentionally delays patches to hurt their users.
From your desk, you can simply go to the root of your Active Directory, and apply the "Auto download and schedule the install" Group Policy object.
http://support.microsoft.com/kb/328010/EN-US/
If you only want some of your clients to apply updates, you can filter the policy appropriately.
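To confirm from the client side what that Group Policy actually wrote to a machine, the following PowerShell reads the WindowsUpdate\AU policy values documented in the KB article linked above and summarises the effective setting. This is an added example, not part of the original post; it assumes only the documented policy value names (AUOptions, NoAutoUpdate, ScheduledInstallDay, ScheduledInstallTime, UseWUServer, WUServer), and the AU key is absent until some Windows Update policy has applied.

```powershell
# Added example (not from the original post): report the Automatic Updates
# configuration that the "Auto download and schedule the install" GPO writes
# to a client, so an admin can verify the policy really applied.
# Key paths and value names are the documented Windows Update policy keys;
# the AU key does not exist until some Windows Update policy has been applied.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Documented meanings of the AUOptions DWORD.
$auOptionNames = @{
    2 = 'Notify before download'
    3 = 'Auto download and notify before install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose the setting'
}
# ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday.
$dayNames = @('Every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday',
              'Thursday', 'Friday', 'Saturday')

function Get-AutoUpdatePolicy {
    if (-not (Test-Path $auKey)) {
        return [pscustomobject]@{
            PolicyApplied = $false
            Summary       = 'No Automatic Updates policy has applied to this machine'
        }
    }
    $au = Get-ItemProperty -Path $auKey
    $wu = if (Test-Path $wuKey) { Get-ItemProperty -Path $wuKey } else { $null }

    # NoAutoUpdate = 1 switches Automatic Updates off regardless of AUOptions.
    if ($au.NoAutoUpdate -eq 1) {
        return [pscustomobject]@{
            PolicyApplied = $true
            Summary       = 'Policy DISABLES Automatic Updates (NoAutoUpdate = 1)'
        }
    }

    $option  = [int]$au.AUOptions
    $summary = if ($auOptionNames.ContainsKey($option)) { $auOptionNames[$option] }
               else { "Unknown AUOptions value $option" }

    # Option 4 is the setting the post applies; it carries an install schedule.
    if ($option -eq 4) {
        $day  = [int]$au.ScheduledInstallDay
        $hour = [int]$au.ScheduledInstallTime      # 0..23, local time
        $dayText = if ($day -ge 0 -and $day -lt $dayNames.Count) { $dayNames[$day] }
                   else { "day code $day" }
        $summary += (' at {0:00}:00 on {1}' -f $hour, $dayText)
    }

    # UseWUServer = 1 means clients pull from the SUS/WSUS server named in
    # WUServer instead of from Microsoft directly.
    $source = if ($au.UseWUServer -eq 1 -and $wu -and $wu.WUServer) { $wu.WUServer }
              else { 'Windows Update (Microsoft)' }

    [pscustomobject]@{
        PolicyApplied = $true
        AUOptions     = $option
        UpdateSource  = $source
        Summary       = $summary
    }
}

Get-AutoUpdatePolicy | Format-List
```

Run it on a client after a `gpupdate` to confirm that the policy filtering described above delivered the intended setting to that machine and not the others.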
"Microsoft Releases Eight Security Updates" - And twentyfour new ones! Yay!
In the Soviet Union, signatures writes you!
I don't understand why they like to wait and release 8 patches at once. Why don't they just release each patch as it's ready? Anybody who's got a large network is probably using beta Windows Update Service or Software Update Service by now, which can pull updates daily, so it really wouldn't be an inconvenience to release them separately. I just don't see why they sit on 'critical' patches.
Explorer is part of the operating system, remember? So explorer exploits count as OS exploits, especially because a lot of the explorer exploits are arbitrary code execution exploits, which are beyond critical.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Care to back up your statements with some links to stories of problems caused by exploits occurring before the announcement? No of course not - you can't. You should be moderated troll, not insightful.
Microsoft don't force these updates on people. If they release the patches when they are ready, you can still only update once a month if you want to.
Actually you can't. Once the patch is released, the vulnerability is exposed. After that point, it is a race between the people trying to figure out what changed in the patch to exploit that vulnerability and the people patching it.
LOSER
Take a look at Microsoft Security Bulletin MS05-019.
If you are running SP2, none of the flaws is considered worse than "moderate".
1) The criticality of a fix depends on the OS. A critical bug in Win2k may be only moderate in XPSP2, but it's always advertised as just "critical".
2) This is good proof that (at least by Microsoft's analysis of criticality) XPSP2 does improve security dramatically, even in the face of defects.
A speech...
That's a record for me - your entire post rebutted by the very first line of the post I ALREADY made. woot!!!!
"/. wants everything. Especially because different people want different things...)"
You misunderstood.
The rest was, naturally, a joke. Which is why, naturally, it was modded insightful. But that's not my fault (unless I really do have superpowers I haven't confirmed).
At this moment apparently it's an insightful funny troll - I think 4/1/1) And my other reply (which was, in my opinion, much less funny) is a +2 funny -1 offtopic. So naturally the less funny one is marked more funny. Which I find funny, Karma about talking about mods be damned.
PS. At this moment the ggp is modded +4, 70% insightful, 20% Funny, 10% Troll. Which adds up to 100, but implies that it's more funny than troll, and I can't make the math work out, even with significant rounding, unless it's +1/-1 Funny/Troll, which would imply that they should be the same, however you're rounding. Does it just give whatever is left to the last category? Did somebody complain too much about it not adding up to 100%? It rounding to the nearest 10% saving cycles somewhere?
PPS fnord
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
because of all the updates, which have bogged down the networks, and then it blew our Firefox when Adobe tried to self-download a patch caused by the Microsoft patches.
...
...
Cascade failure.
It always sounds easy to bug fix, but the problem is each fix can cause more fixes, and everyone assumes only their fix is occurring at any one time, while in the real world they all happen at the same time, since people being human put off things on Monday and do them Tuesday "when it's not so busy"
The funny thing is Microsoft will get this error report of my PC locking up as if it was Firefox, when the reason the CPU overbooked was Adobe and Microsoft
-- Tigger warning: This post may contain tiggers! --
Apparently, the 1750 running as Domain Controller gets killed after SP1 application. It bluescreens "BAD_REGISTRY". Lucky for me, someone else had this problem on USENET. The solution is to contact Dell and get this regprep.iso image that you burn onto a CD, boot the 1750 onto it, and it fixes the problem by booting tiny WinXP and changing the registry. After that, everything is okay.
Dell is recommending not applying SP1 until they've had a good crack at it. Looks like June.
all the people who did buy their copy are SOL because they will still be getting hit from these machines when they get exploited.
And it was not theft, it's copyright infringement.
yes it's wrong, but they're different for a reason.
The Kruger Dunning explains most post on
Would one of those security updates be Linux? That seems to be the only way M$ can be secure.
I think they "almost" got it sorta secure.
(If at first you don't succeed, do it different next time!)
up2date in my FC3 installation had 37 updates last I checked. I'm sick of the amount of updates that come out for that... It's started to get annoying.
That's JMO, YMMV
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
*This* is 'Trustworthy computing?'
www.madeofwinandawesome.com
...by MS bashing in this forum? And why do the type of people who feel sorry for Gates and think they have to defend MS hang out here? Are you people brainless or just lost? How many clues do you need that this an anti-MS site? Here let me help you http://www.microsoft.com
How stupid you have to be to write that comment, and how stupid mods are is quite impressive.....
Geez. You know it's scary when you read this, and think to yourself 'Only eight?'
-DJBS
It really isn't that complicated. A vulnerability is one issue. A "critical" vulnerability is something which could immediately compromise the system if uncorrected. Yet if a "critical" vulnerability shows up the day after the monthly patch cycle, Microsoft does not issue the patch for another ~29 days.
I do not run any "mission-critical" applications, but to me, a 29 day head-start for the ill-intentioned is 29 days too much. I, like any reasonable person, would like to have my patches on the same day. if not available on the same day, then as soon as possible. 29 days later is flagrantly irresponsible.
But I forgot the windows mantra. Is it not "Reboot, Reformat, Reinstall?" Hey, a lot can happen in 29 days. Am I just supposed to sit, vulnerable, on an untrusted network? No thanks. If you want to... Please give me your IP address. (;
Can you easily roll back an emerge ?
IE is part of Explorer - the GUI of Windows...
The fact it automatically runs somewhere between Administrator and User level just means its exploits are more critical and harder to stop but it doesn't make IE part of the OS itself.
This illustrates the point that it's too hard to compare apples to apples in a purely objective way, as the choice of where to draw the line depends on what the reviewer is expecting to get out of the comparison. (or what his advertisers / income source do)
(IE integration can be argued to death, and I am sure there are some links to the OS beyond the GUI, but you've got to draw the line somewhere)
"We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
With MS Marketing (TM) second only to MS Legal (TM) in the success of the company (MS Software design comes in somewhere between 5 and 6), I'm surprised they didn't try to bundle everything into one patch.
As we all know after carefully reading the "get the facts" campaign, security is not defined by responsiveness of the vendor. If that were the case, MS really has pulled a boner on keeping its systems secure.
But, according to marketing, and highly influential and well-paid "in-your-pocket" consultants, vulnerability is measured in the number of distinct security fixes provided.
Maybe MS could reduce the number of security updates to 1 roll-up patch per year, proving once and for all its security is superior to all those OS's that provide security update as needed without concern for artificial metrics. Maybe they should provide updates only once per every five years. Hell, why not go for once per decade? The marketing boys and girls would love that.
Of course, if your analytical ability is so pathetically shallow as to agree with the above, you should really quit your IT position and apply for a lucrative position with the Yankee Group immediately.
I work at MS, and you're insane if you think most of the security patches are found in-house. Active testing on already-released software is close to NIL, except for tests of security patches of course.
Most vulnerabilities are reported by external sources or are backported from newer versions. You'd think that the latter would happen often, but actually hitting that bar for backporting is not as high as I would like.
While I am fully capable of reading a patch, most people are not, and thus a detailed explanation of what the patch provides must be provided. It is imperative. Also, look at the latest patch against TCP... there is no explanation as into why that was necessary, and the patch provides no explanation even in the source, it just changes some timestamping logic around and does not say why.
As an OpenBSD user, I'd much prefer that they disclose more information about their patches before they release them.
I just now got this vision of commercializing the cute little penguin with magic powers, but with this backdrop of being in a cheesy clown horror movie.
The penguin sold in the supernatural equivalent of ThinkGeek or the like... advertised as helping with "the one area of life we couldn't help you with before"... having to sacrifice something to the little penguin with a knowing smirk on its face.
Sold in a bunch of varieties based on what sort of partner you're trying to attract...
Let's just hope nobody gets a defective one!
IT did the patch overnight here in the office. Half the computers either couldn't get their monitors to work afterwards, or the NTLDR jumped ship.. did anyone see anything like this?
You steal men's souls.. and make them your slaves...
Oh lions, tigers, and bears oh my. Another round of patchware from crapware land. When will we ever learn?
Worst. Sig. Evar.