Slashdot Mirror


Microsoft Plugs a Record 26 Security Holes

An anonymous reader writes "Microsoft today released ten patches to fix at least 26 separate security holes, including a whopping 16 flaws in Microsoft Office and its constituent apps. According to Washingtonpost.com's Security Fix blog, this is the most patches ever released by Redmond outside of a Windows service pack. Also of note, six of today's updates apply to fully patched Windows XP systems, and two of the flaws are actually present in Windows Vista."

14 of 200 comments

  1. It's not how many were patched... by rjamestaylor · · Score: 3, Insightful

    It's how many remain that's important.

    And, how many were created in the making of the 26 patches?

    --
    -- @rjamestaylor on Ello
  2. Windows update is a joke by Anonymous Coward · · Score: 1, Insightful

    Until Microsoft provides a way to update from a fresh install to the latest patched version offline, I consider my Windows box to be already compromised.

  3. Re:".NET" - a computer "language"?! by Shados · · Score: 2, Insightful

    Regardless of how it happens, .NET is a way to tell a computer to do stuff. Of course, we can go into the technicalities that the .NET platform supports multiple languages (which in the end are all quite similar, because the platform affects them so much), that it's a virtual machine environment, blah blah blah.

    But it's a way to -tell- a computer to do "stuff". So I guess saying it's a computer language is "good enough". Misleading, and I'd get annoyed if this appeared in more technically oriented articles, but like this, being specific while still allowing the average joe to understand would just shift the scope of the article. What .NET truly is simply cannot be explained to a technically challenged person without spanning several lines, which wouldn't have their place in that article.

  4. Apple's last patch fixed 24 and was over 200 MB. by MSFanBoi2 · · Score: 5, Insightful

    So, at least Microsoft is fixing them.

    Microsoft has bugs, people complain.

    Microsoft fixes the bugs, people complain.

    Apple releases an incremental update to OS X 10.2 to 10.3 and charges you for it ($129.00), and when they release a MASSIVE update in September, not a peep of complaints...

  5. What are you doing about it? by technicalandsocial · · Score: 2, Insightful

    I don't think anyone feels that Windows is security hole free. I've not seen a security hole free OS. Does today's "news" not perhaps mean that Microsoft is spending more R&D on resolving these issues?

  6. Yikes by BeeBeard · · Score: 2, Insightful

    Given Microsoft's history of only fixing security holes when real exploit code is known to exist, should we assume the worst?

  7. Re:DISASTROUS NEWS ! by truthsearch · · Score: 4, Insightful

    Let's not forget that we'll never know exactly how many total exploits IE really has. Microsoft may know of 100 more that they simply haven't disclosed. We'll never know. But anyone can inspect Firefox. Don't think that simply because IE has fewer publicly documented exploits that it's more secure. Unless you work for the software vendor, you will never really know how secure any proprietary software is.

    Also look at how quickly Microsoft fixes security vulnerabilities. They've let major holes exist for 3 years or more. Even if they have fewer vulnerabilities it's almost irrelevant if they don't fix the ones they have.

    It's a more complex issue than simply how many vulnerabilities each camp discloses.

  8. Re:Apple's last patch fixed 24 and was over 200 MB by Alcimedes · · Score: 2, Insightful

    I think a difference is that to the best of people's knowledge, the holes in Apple's OS weren't being exploited in the wild prior to the patch. Apple is fixing the problems before they're exploited, not a week or two after.

    Time will tell though.

  9. Re:Apple's last patch fixed 24 and was over 200 MB by Anonymous Coward · · Score: 1, Insightful

    Uh, it's not. That's the most we'll see from Apple all year. The 26 from Microsoft just beats the previous Patch Tuesday record. Every friggin' month is more and more patches from Microsoft, including patches to fix PAST patches! It's been hundreds this year alone, while Apple's were all minor flaws in various third-party OSS.

    I forgot, you're super-hip and enlightened if you try to attack from the other side like that. The pro-MS contingent on Slashdot strikes again! Anything to distract from the hilarity that Vista isn't even out yet and is already seeing flaws. So much for "winning this thread." It's sad you had to log in as AC and reply supportively to your own comment. But hey, you poor Windows users are stuck with the ancient Win32 codebase of Vista and its 15% slower gaming (as stated by Microsoft). But wowee, the window borders are see-through! Thanks for that innovation, Microsoft.

    The story isn't that 26 were patched. It's that ONLY 26 were patched. Windows is a sinking Titanic of an operating system with an abortion of an interface that only blinded fanboys defend these days who think .NET is some amazing innovation when it's absolutely nothing more than a Microsoft rip-off of Java, right down to the syntax. Windows is so bad that its own developers call it overly complicated and want to just start over with a rewrite. And this is the OS they want you to spend $400 on and trust your data! Not to mention all that wonderful DRM hell.

    Do you get that? Microsoft fanbois FREAK OUT over charging $120 for a major OS release and yet happily accepting waiting six years to get no updates at all only to end up spending $400 on the "ultimate edition" of an OS X rip-off. Awesome.

    Windows--for playing videogames, like The Sims.
    Macs--for getting real work done.

  10. Re:DISASTROUS NEWS ! by xlsior · · Score: 2, Insightful

    Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.

    Too bad that it won't work, unless they scrap everything they have and start from scratch, likely breaking almost all backwards compatibility in the process.

    'security' isn't something you can just slap on top after the fact, it's the foundation of a solid system. If you just paint over the holes, you will keep on doing that forever.

  11. Re:DISASTROUS NEWS ! by penix1 · · Score: 2, Insightful

    I think your crystal ball is a little foggy there. Let me help you...

    They're doing this for SharePoint which is going to be the lynchpin for EVERYTHING they're doing.
    Specifically, SharePoint + Groove. Remember, Ray Ozzie is driving this. All of these patches are aimed at OFFICE. Think about it. Collaboration. Real-time working on documents from different locations. Chatting. VoIP.
    It's coming.

    Norman, set your WayBack machine to 1995 (because hindsight is 20/20). The "big" thing with Microsoft Office 95's release was "office automation, web integration, and ease of use". By default, macros were enabled and every one of Microsoft Office's applications supported them, even across applications. Now, flash forward to Office 2003. The biggest push for this is the turning off of macro support by default and nagging those that do use it to death over the security implications. As for their old web integration, they all but dropped that because of the exploits inherent to Outlook. Although your comment looks good on paper, it is a security nightmare waiting to happen. I pity the Windows admins out there that will have to deal with the fallout until Microsoft turns those off by default.

    Sadly though, this kind of thing does appeal to the clueless PHBs which is why I didn't claim your crystal ball was dark. Some will implement it just like some implemented macros. Those will be the first casualties.

    As a side note, I work for State government and our email server strips out Excel documents as "dangerous content" every time someone tries to send me one. I know this is a policy gone nuts but there still is nothing I can do to remedy that situation other than use a different address for Excel stuff.
    --
    This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.

  12. Re:The only vista on my OS horizon: Ubuntu by drsmithy · · Score: 3, Insightful

    Almost any OS that is free... After all, it is hard to argue that Ubuntu (for example), should be flawless when it costs nothing and is in fact shipped out at someone else's expense if one asks for a few sets of the install discs.

    So if it's free it can't suck?

    How about all those versions of Linux that *aren't* free?

    Why waste money on a bigger, slower, pile of crapware from Microsoft when it offers nothing substantial in the way of practical improvements over the mess that is XP?

    It offers masses of "substantial, practical improvements". The important question people need to ask is if any of those are important enough to them to upgrade.

    What I'm reading these days is that the Vista release is being given the yawn treatment by many IT professionals.

    IT professionals are waiting for a) the server-side complement to Vista and b) the early rounds of bugs to be shaken out.

    In fact, I'm worried that security will be much worse on Vista than it is on XP since 3rd party security vendors are being prevented by Microsoft from hooking in at the level their code needs to run at to be most effective. I don't trust Microsoft to handle security issues. It has a pathetic track record. The programmers at MS clearly don't understand their own code.

    Sounds to me like you're buying into the standard anti-Windows and anti-Microsoft FUD.

  13. Re:".NET" - a computer "language"?! by Tim+C · · Score: 2, Insightful

    He should at least refer to it as a platform.

    Well, its full name is "the .NET Framework", so perhaps he really ought to be calling it a framework, not a platform.

  14. Re:DISASTROUS NEWS ! by stonedonkey · · Score: 3, Insightful

    I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0). It was painfully obvious that Microsoft had missed the Internet boat, and shortly thereafter, Bill Gates sent his historic all-hands memo pointing the company in the direction of the Internet.

    [Hi, my name is Stonedonkey. I noticed that your extremely shitty post got marked "5 interesting." My notations will be in brackets. Enjoy!]

    It took them some time to get it right, but eventually IE took over.

    [By being bundled into every version of the OS for the last ten years.]

    Now, you'd have a hard time finding a Microsoft product more complex than Minesweeper or calc.exe that doesn't connect to the Net somehow.

    [Specious exaggeration that isn't really relevant.]

    And let's not forget that Netscape provided Microsoft with some much-appreciated help in taking over the Web, by screwing up their own release schedule so badly that there never was a Netscape 5.0.

    [IE won because of its default desktop placement.]

    Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.

    [In what sector? Desktop consumers? Can you provide some supporting material for all these pronouns?]

    Make no mistake, this kind of event is exactly what a company that wants to get secure should be doing. Thomlinson's comments about how seeing their code exploited "hits people in the gut", and the fact that "he was glad to see the crowd of engineers taking things personally" -- these things are right on the money. These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.

    [That's great. But right now, I can get superior software for free. Then again, you didn't specify what sector you're talking about, so I can't say for sure.]

    In the meantime, Firefox exploits are cropping up at a seemingly greater pace. This worries me.

    [See the other guy's response about open source.]

    It looks like a repeat of 1997, when Netscape lost huge amounts of ground to IE by producing a product that wasn't as good as the competition.

    [There you go again, glossing over IE's default inclusion.]

    SP2 was a huge leap forward in security for Windows and for IE, and Blue Hat makes it obvious that Microsoft is just going to get better at it.

    [Oh, shut yo mouth. SP2 was not a "huge leap forward." Not when MS was so far behind to begin with. It sealed some painfully obvious cracks, but I wouldn't hand them any trophies for it.]

    In the meantime, Firefox appears to be standing still on the security front, or maybe even losing a little ground.

    [A little subjective. Is your assured tone supposed to make your reaction generalizable and trustworthy?]

    Sure, it's still miles ahead of IE's security, but if IE keeps up the pace, it will overtake Firefox sooner or later -- probably sooner.

    [This is a contradiction. Or, at best, a back-handed compliment.]

    Is there any way the Firefox development team (and the OO.o team, and anyone else who's working on high-profile F/OSS projects) can take a lesson from Blue hat? Can we get together events like this of our own?

    [Will it be another failure of open source if we don't? Should I be surprised when you seize that "failure" as an example of some larger and wholly imagined problem?]

    If we don't, I can already see that by 2009 or so, at the latest, I'll be telling clients to go with Microsoft products, because they're more secure than F/OSS.

    [Suit yourself, Nostradamus. Maybe by then Microsoft will "share" some of its code to assuage your worries. By the way, how in the flaming fuck do you make the leap from "Mozilla" to "F/OSS"? I'm sorry, but that's pure jackassery, pal.]

    And I don't want to see that happen.

    [In that, we agree.]