Slashdot Mirror


June Windows Update To Be Biggest in a Year

Supersonic1425 writes "The BBC reports that this month's security update from Microsoft will be one of the biggest this year. Nine of the patches are for Windows — one classed as critical — two are for Office and one for the Exchange e-mail server software." From the article: "At least one of the loopholes being patched is already being actively exploited by malicious hackers. ... Microsoft is not only tackling security problems but also the fallout of a legal case that the software giant lost."

15 of 220 comments

  1. Sigh. It's gonna be... by chachacha · · Score: 5, Insightful

    ...a long week.

    --
    I do like programming things that work super quickly, especially when they work super quickly, super quickly.
  2. Reinventing their Wheel by dsginter · · Score: 5, Insightful

    Just when XP is nice and patched and secure, they'll release Vista and start the process all over again.

    Yummy.

    --
    More
    1. Re:Reinventing their Wheel by geobeck · · Score: 4, Insightful

      I think patch days like today are an indication that XP will never be "patched and secure." And probably, neither will Vista.

      But if you're switching to Mac, beware of the purists who seem to think Mac use is a royal privilege or something.

      --
      Find environmentally and socially responsible products on http://buy-right.net
  3. How much in lost revenue .. by Anonymous Coward · · Score: 5, Interesting

    How much in lost revenue is all this Microsoft Patching costing the real economy?

    1. Re:How much in lost revenue .. by naelurec · · Score: 4, Insightful
      Do you really think it would be any different had some other OS become the #1 OS?


      Yes.

      1. Other operating systems have a user security model that works. WinXP is still very difficult to maintain regular (non-admin) users. There are a LOT of workarounds that are required to make it function correctly (I think MS engineers call these "shims") due to application developers not testing for this scenario, unlike other systems (Mac OS and *NIX demand it).

      2. This model has been utilized by *nix systems for over 30 years. While security issues have been found, they have largely been eliminated and it is infrequent to find escalation issues.

      3. *nix systems are inherently very modular and consistent throughout. As a result, it is much easier to roll out a patch and rollback if necessary compared to Windows. Furthermore, given this architecture and well established APIs, it is easier and quicker to test patches and release them (not to mention provide competent admins actual source code access to understand the changes made -- let it be at the distribution level, corporate or organizational level).

      4. *nix has a long history of being used in untrusted, multi-user settings (servers, thin clients, terminals, universities, banks, you name it..). Windows inherently *trusts* the user .. *sarcasm on* I think Bill Gates called this "Trustworthy Computing" .. just trust everyone will do the right thing *sarcasm off* ..

      Windows/DOS from the beginning has assumed a single, trusted user. It wasn't until NT came around that a true security model was in place, but even that didn't take to the mainstream until XP arrived in 2001. Even with the release of XP and the possibility of enhanced security (underprivileged users), Microsoft elected to favor backwards compatibility/ease of use and defaulted to Administrative level access for all users instead of enforcing underprivileged users and slapping application developers upside the head to write good code (Though in the 3rd party's defense, even Windows XP has some issues with the entire underprivileged user configuration..).

      5. So now we are on the verge of "Vista" .. while they are claiming a better security model, it appears that much of the legacy Windows apps are not functioning properly (even inside of Vista) -- ie the multiple steps required to remove an "all users" desktop icon.

      Anyways.. that's my take. Sure, any operating system *could* be run in such a way where a user can load up malicious code and undoubtedly, there will be bugs in the source code (it is written by humans after all..) --- however, given the initial focus on Unix to be utilized on untrusted networks in a multi-user environment and the fact they have had over 30 years to fine tune the code, make the code modular and it is still very prominent today (it was done right the first time) makes me think it is a valid, time tested model.

      Compare this to the Microsoft model where every few years they have the "bet the company" on a new model.. it's apparent to me that they simply are not building a model that is solid. Over the past 20 years, they have released what I consider 5 distinct versions of Windows (Windows 1, Windows 2, Windows 3, Windows 95, Windows NT) -- all with major fundamental changes in how they function. Windows Vista could very well be the sixth version (At least it *should* have been.. but with all the feature cut, it might not be..). This is compared to *nix where a lot of fundamental philosophies and tools very much date back over 30 years.
  4. Get your facts straight... by Phil+John · · Score: 5, Informative

    ...genuine advantage failure doesn't mean unpatched windows. Security updates will still be downloaded if you select "automatic updates", you just can't download nice addons like windows defender, media player etc.

    --
    I am NaN
    1. Re:Get your facts straight... by Anonymous Coward · · Score: 5, Funny

      you just can't download nice addons like windows defender, media player etc.

      Cool, how do I get WGA to fail? And will it get rid of IE and Messenger too?

  5. Clarification by BrynM · · Score: 4, Informative
    From TFA:
    Microsoft had to re-engineer Internet Explorer to stop a technology known as ActiveX automatically starting when users visit some websites.

    MS may have done this as a result of the Eolas suit, but the rest of us can consider it a security patch ;)
    --
    US Democracy:The best person for the job (among These pre-selected choices...)
  6. Re:ActiveX by bheer · · Score: 5, Informative

    Not a major problem out on the Internet, but many Corporates have internal web apps where this patch is going to screw things up royally.

    IIRC, the workaround is to make sure your [object] tag is written out using (Java|VB)script. If you visit macromedia.com they use this technique and have a tutorial about it written up. And to be fair, MSDN's been letting developers know about this for ages.

  7. Re:Please! by $RANDOMLUSER · · Score: 4, Funny

    Of course it's broken, it's Windows.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  8. Beware of Microsoft's advice by obender · · Score: 4, Funny
    From TFA:
    On its security blog Microsoft wrote: "We strongly recommend that those of you who are still running these older versions of Windows upgrade to a newer, more secure version"
    Well, I followed their advice and upgraded from 32 bit linux to amd_64 linux. Now I have no Macromedia Flash player and there's no hourly trunk build of Firefox.
  9. Re:Strange Days by ledow · · Score: 5, Insightful

    I work in tech support for six different schools and dozens of people for whom I do private jobs.

    Your comment is just not true. I get calls EVERY week with someone wanting me to clean their computers (all of them XPSP2 at least). The problem is that the first thing that sort of junk does is stop Automatic Updates from working for everything from Windows to Antivirus to even targeting AdAware etc., so from then on even if the user "cleans" their machine, they aren't getting the updates they need (even though sometimes it looks like they are) and thus they are open to every future problem too (including those fixed in patches like this one).

    People are still dumb, they still click, they still don't learn, no matter what it ends up costing them. Most of them are extremely casual about all this "Oh, yes, I got a virus/spyware/malware a few months back but so long as I don't do X, I don't notice", "Yeah, I've been getting these random popups for the past few months, if you have a minute could you have a look at them sometime?", etc. Personally, I'd be doing damage control the second I spotted one of these on my own personal computers but it's just tolerated by the average joe. They can literally put up with it for months.

    I'm ALWAYS being told that "machines slow down when they get older", don't they? Makes sense to them but to me I'm just thinking "Yeah, only if they are slowly filling with junk". And that's how people work. They keep using it until it gets to the point of being unusable (which for people who used to run older PCs is actually totally unbearable). Then they might casually bring it up in conversation with me, not do anything for several weeks, then try to book my time to clean it up etc.

    Come on, a few days ago there was a major news story about the head of Microsoft itself not being able to clean his friend's PC of spyware. I work with people who can't drag-and-drop, you really think they stand a CHANCE of even seeing that they've been infected, cleaning it themselves etc.? And with the growing spate of targeted spyware/viruses, I can't even rely on putting on a nice automated cleaning system (like Adaware/Spybot/AVG scripted to auto-update and then full scan) onto their systems.

    The reason I don't hear about it any more? I raise my prices depending on how bad it seems when I hear about it. Can't get on the net at all? That's an extra £10/hour. Can't load any program? Another £10/hour. Antivirus isn't functioning properly cos something's interfering? Another £10/hour. Haven't GOT antivirus/firewall/updates? Another £10/hour.

    Got up-to-date antivirus, a good firewall, an "alternative" web browser, scheduled anti-spyware, no visible signs of infection prior and somehow STILL got something nasty? (even if you accidentally clicked a link you didn't mean to, so long as you TELL me you did that) The price drops dramatically to the point where people don't say... "Uh, ok, I'll er... call you sometime." but instead say "Yes, please, if you could."

    Users aren't getting educated, they're getting ignorant. They KNOW it's a virus/spyware and they choose to ignore it and continue with their work (which, incidentally, is not only usually private and confidential but usually vital to the running of the school they work for). When you're telling headteachers that X got on the system because supplier Y didn't issue an update, they just carry on regardless. They don't stop to consider what MIGHT have happened to the data (in complete breach of Data Protection laws I might add) or where it might currently be floating, even when informed.

    The best customers in the world are the ones who KNOW NOTHING but ADMIT to knowing nothing and look to you for advice. They're the ones that you can TEACH how to use a computer safely. Everyone else nods along and then loads IE behind your back because they "know better" (for instance, they installed an anti-spyware thing "to keep IE safe" from a pop-up on their desktop just to give you

  10. MS not supporting what they say they do! by internewt · · Score: 4, Interesting
    From the article:

    At the same time as information about the update was being released, Microsoft mentioned that it will not be able to patch Windows 98 and ME against a loophole discovered in April 2006.

    Fixing this bug in the ageing software would require a major re-write of the Windows Explorer program used in these old copies of the operating system.

    Microsoft is not prepared to undertake this work, given that all support for Windows 98 and ME ends on 11 July 2006.

    So even though Microsoft have stated that they support 98 and ME until 11th July 2006, they will not support those two OSes today?

    Yes, people are crazy if they rely on 9x in any way, but when Gates says he'll support it until a date I'd expect support to be provided, even if it means some changes to the shell. And we all know how much exaggeration is used when a job is being avoided... ("major re-write of the Windows Explorer").

    --
    Car analogies break down.
  11. So Illegal Copies Break The Law (Again)? by aslate · · Score: 4, Informative

    I find it interesting that illegal copies of Windows aren't able to update the fix for the legal settlement. Microsoft have finally changed their WGA tool to "Do not allow update unless user PC submits 'Yes it's valid'" from "Do not allow update unless user PC submits 'No I'm not valid'", I thought it was odd the way their system worked before.

    This is why I'm using Autopatcher XP (Annoying forum-based website), you can download the updates off them, see the details and unselect all the crap you don't want, without having to go through Microsoft and Windows validation. You just have to wait a while before they release the newest version.

  12. Re:Windows 98 by Chanc_Gorkon · · Score: 5, Insightful

    Come now....Windows 98/98SE/ME use a kernel (DOS FOLKS!) that has not been important for quite some time now. Do any Linux Kernel developers still work on the 2.0 kernel?? Does Red Hat still patch Red Hat 6?? NO!

    Everyone ASSUMES that Microsoft is dropping support just because it's too broke and that probably isn't even CLOSE to the truth. The real reason is likely a combination of the two. From the architecture basis, Windows 98/98SE/ME are UNSECURE! Microsoft has a much better chance of securing things with XP. That's not to say there's no holes in XP....there is. But the reason software is dropped from support is merely a business reason. When 99.9 percent of their support calls are likely Windows XP or 2003 Server related, what sane person would choose to continue to patch something almost NO ONE uses!

    --

    Gorkman