Slashdot Mirror


Flurry of Security Patches

yggy writes "It's been a hectic day on the security patching front. Microsoft's bulletins for July include patches for three critical vulnerabilities on the same day that Mozilla releases new security updates for Firefox and Thunderbird. Not to be left behind, Apple fixed two Tiger flaws while Oracle issued a critical database server update." (See these separate stories on today's release of Firefox 1.0.5 and the 10.4.2 update from Apple, too.)

15 of 212 comments

  1. thank goodness.... by Anonymous Coward · · Score: 3, Interesting

....that msft waited until the end of day to release the patches. Every time they release during the day it bogs down the network, to the point of really hindering productivity; it's especially crappy when they release in the morning, because then it's usually bad all day.

  2. Hmm.....time to go to Windows Update..... by compmanio36 · · Score: 2, Interesting

......and see all the non-existent updates I have to download. Seriously, people talk about all the updates to download, but I never can find them. Although I do have to say Firefox updates wonderfully.

    However, despite not updating my Windows install for months, I still have yet to be infected with one virus, spyware/adware program, or have my machine hacked. Maybe it has more to do with the fact that I browse the Internet with care, rather than update with every stupid patch M$ puts out, that creates more problems to be patched later on. If people would just learn some basic browsing habits, there would be less zombie-boxes and "Win32:Netsky" emails in my inbox.

  3. Re:Tomorrow -- NOT by RedLeg · · Score: 3, Interesting

    Look at the calendar.

    Blackhat / DEFCON is at the end of the month in Vegas. This is the scheduled patch release day (at least for MS) before the event.

    The vendors have more than likely been notified by the "researchers" who discovered the issues, and are releasing their fixes on a coordinated schedule.

  4. WindowsUpdate freezes PC by solprovider · · Score: 2, Interesting

    The last set of patches from WindowsUpdate:
    - Security Update for Windows 98 (KB891711)
    - Security Update for Windows 98 (KB888113)
    - Security Update for Windows 98 (KB896358)
    - Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB883939)
    freeze MS Windows 98SE when older versions of ZoneAlarm start. Uninstalling the old version and installing the latest ZoneAlarm works.

    The problem is most people have ZoneAlarm set to start at boot, and do not know how to bypass ZoneAlarm to get the computer booted so they can fix it.

    My guess is since Microsoft is selling its own personal firewall, they will take every opportunity to hurt ZoneAlarm. Or they just wanted to generate PC sales from all those people whose computers are now "broken". Hey, they should have paid for newer versions of Windows many times since Windows 98SE was released.

    I can't wait to install today's patches!

    --
    I spend my life entertaining my brain.

  5. Well bugger, my bug isn't fixed... by ChrisKnight · · Score: 5, Interesting

    After talking to Apple tech support about my X11 problem, and having them refuse to help, I guess I'll just have to follow the MS support path and re-install the OS.

    The sysadmin mantra lives on: All operating systems suck, they just suck differently.

    -Chris

    --
    -- This sig is only a test. If this were a real sig it would say something witty. --

  6. Re:Tomorrow by mfloy · · Score: 2, Interesting

    What I've always worried about is a well-planned attack that sends fake patches that actually cause more security nightmares or corrupt the OS.

  7. Re:That'll teach you to trust Apple. by ChrisKnight · · Score: 3, Interesting

    Ah yes, the wisdom of the AC...

    If I was 'in my right mind' I'd be living in Fiji taking tourists on scuba tours of the soft corals. Since I'm not, I stay in SF and buy shiny toys; and I maintain the right to bitch about them if they don't work as expected. And I've got the balls to do it with a real login account.

    -Chris

    --
    -- This sig is only a test. If this were a real sig it would say something witty. --

  8. I hope... by Bad+to+the+Ben · · Score: 4, Interesting

    they continue making progress with the bug fixes. For me, FF is feature packed enough. I'd prefer to see some more work on the update facilities and performance when running on Linux (fix the RAM usage and crashes please). I like FF because it's light, I don't want more bloatware. The FF team need to remember that we can switch back to IE, or to Opera or something else, just as easily as we switched to FF. Many FF users aren't in it to snub MS (they're both free browsers, it's not like they lose money), they're using it cause it's a safer, more stable product. The second that changes, I and many like me go elsewhere.

  9. Change to Windows Update by fontkick · · Score: 3, Interesting

    One of the things I noticed last week was that Windows Update... had been updated. It's now a new stylized webpage and it works a little differently - in that, it doesn't. My Windows 2000 Pro machine refuses to install anything that's been downloaded with the "new" Windows update. They refer you to the help section if installation fails, and after trying all of the help suggestions I just gave up, nothing worked.

    The only thing that does work (for me anyway) is the old URL: http://v4.windowsupdate.microsoft.com/catalog/en/default.asp

    No telling how long we have until Microsoft disables it and forces everyone over to a new system that doesn't work. I've always liked, or at least tolerated, Windows and I've never understood why everyone here *hates* Microsoft. Now I get it. Hopefully someone will find the above URL useful if they have problems.

  10. Re:Open source by NoGuffCheck · · Score: 2, Interesting

    I don't like defending M$, but at least they have "updates" rather than creating a whole new version like Firefox 1.05. It's about time this was fixed, don't you think?

    --
    serenity now!

  11. Re:Open source by man_of_mr_e · · Score: 3, Interesting

    Out of curiosity, what do you consider "quickly"?

    http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox

    Let's look at the most recent vulnerability there, MFSA-2005-56. Unfortunately, the details are being hidden until July 20th. However, we can see the Bugzilla report numbers. The first, 294795, won't let me view it. But if we view 294796, the bug created right after it, we see it was created on May 19th. Nearly 2 months ago.

    Is 2 months "quickly"?

    You seem to be blindly making assumptions without bothering to check the facts.

    This is NOT evidence that Open Source fixes bugs quickly. If anything, it proves that just like Closed source, they can keep the bugs quiet and sit on them as long as they like.

  12. Opera is being left in the dust! by Anonymous Coward · · Score: 1, Interesting

    Microsoft releases patches for IE, Mozilla foundation releases patches for Firefox, why isn't Opera patching their browser?!

    Oh yeah, 0 unpatched vulnerabilities.

  13. Oracle Unbreakable by Donny+Smith · · Score: 2, Interesting

    Oracle Unbearable, perhaps.

    They probably have the worst security track record among major databases and yet they get no /. trashing whatsoever. Interesting.

  14. Microsoft sucks because it sucks... by OwlWhacker · · Score: 2, Interesting

    I can't ever remember anybody saying that "only Microsoft had security flaws". If you were under this impression, this is more likely to be down to a misunderstanding, or some angry pro-Microsoft type trying to give Linux users a bad name.

    The point is that Microsoft has vulnerabilities which are usually exploited swiftly. They're usually quite nasty. They're usually in the most popular (bloated) Microsoft software packages. Finally, there's a good chance that patches could cause just as much damage as an exploit. This is what makes people shake their heads about Microsoft security.

    Added to this, Microsoft has been working extremely hard - or so we're led to believe, even to the detriment of its beloved Longhorn - and has spent millions on security. Maybe there have been improvements, but it's still coming out with plenty of nasties after years of this.

    And after saying that Windows has better security than Linux, Microsoft is now copying Unix/Linux administration rights. This seems to suggest that Microsoft doesn't see an end to the plague, and that perhaps Linux holds an upper hand in security after all. Not only that, but this is going to make it easier for people to switch to a Linux desktop, after getting used to having to log in as root on Windows for particular reasons.

  15. Re:Open source by Anonymous Coward · · Score: 1, Interesting

    2 months? Generally accepted practice for responsive fixes to coordinated secret ("responsible", as MS and others style it) disclosure varies from 1-60 days, so 2 months could be "quickly" by some definitions.

    The Mozilla team do need a more responsive security framework. It's a big project and it's a lot to handle. But they are trying; and, I might add, on a small budget, on an often volunteer or ex-developer-basis. Opera have their fair share of vulns, particularly after the damn-near rewrite of Presto (v7), but they respond and fix very quickly and I have to congratulate them on that.

    MS, on the other hand... Firefox's 2 months is better than IE's 2 years!

    Have a look at eEye's upcoming some time, and talk to Mark about this. MS are emphatically NOT trying, unless it threatens to become a PR issue for them.

    Windows Update v6 and Microsoft Update actually fail to flag open vulnerabilities on some computers - a very serious regression, but it was pushed out the door anyway.

    MS don't care at all about local exploits unless they're actively exploited and showcased by big names in the VX scene either before or after public disclosure (#VDM).

    Currently, the oldest security-related bug that MS knows about remains unfixed after 4 years. It's a remotely-exploitable integer overflow in mshtml's parsing, and a similar bug is in shdocvw as well, and that's all I'll reveal publicly in the hope that one of these days those idiots actually decide to take notice. If it hits 5 years and it's still unfixed, F-D and Bugtraq will hear about it.

    They don't even reply to email except with form letters. They don't keep the researcher in the loop about what's going on. It sometimes takes phone calls, and digging out personal email addresses of team members, to get something done.

    MS have a *long* rep of simply burying or ignoring security vulnerabilities if they think they can get away with it. They started to care when it became a PR issue, but that's why they have been paying lip service to it, not actually because they care about timely fixes. It's ridiculous to expect MS to take longer than 7 days to turn around a fix to any security vulnerability. They have the resources, and if they really treated these things seriously, the patchsets would be once a week, and they would be willing to divert attention from all teams to pitch in with testing of particularly intractable patches. It really should be a company priority for them, and it's disappointingly not.

    But hey, I'm just a security researcher, not a businessman - what would I know?