Microsoft Plugs a Record 26 Security Holes

An anonymous reader writes "Microsoft today released ten patches to fix at least 26 separate security holes, including a whopping 16 flaws in Microsoft Office and its constituent apps. According to Washingtonpost.com's Security Fix blog, this is the most number of patches ever released by Redmond outside of a Windows service pack. Also of note, six of today's updates apply to fully patched Windows XP systems, and two of the flaws are actually present in Windows Vista."

It could have been worse...

[xTantrum]

It could have been 27!

It's not how many were patched...

[rjamestaylor]

It's how many remain that's important.

And, how many were created in the making of the 26 patches?

".NET" - a computer "language"?!

[blcamp]

I am really annoyed by journalists who pose as experts in whatever they are reporting on.

This guy tries to explain to the average reader/non-geek that Microsoft .NET is a "computer language".

He should at least refer to it as a platform, even if the vast majority of the readership won't know the difference.

Re:".NET" - a computer "language"?!

[Shados]

Regardless of how it happens, .NET is a way to tell a computer to do stuff. Of course, we can go in the technicalities that the .NET platform supports multiple languages (which in the end are all quite similar, because the platform affects them so much), that its a virtual machine environment, blah blah blah.

But its a way to -tell- a computer to do "stuff". So I guess saying its a computer language is "good enough". Misleading, and I'd get annoyed if this appeared in more technicaly oriented articles, but like this, being specific while still allowing the average joe to understand would just shift the scope of the article. What .NET truly is simply cannot be explained to a technicaly challenged person without spawning on several lines, which wouldn't have their place in that article.

Re:".NET" - a computer "language"?!

[Shados]

I disagree. My 85 years old grand father, who has never booted a computer of his own life, never had an email adress, or anything of the sort, knows what a computer language is. Same with a lot of people. That is a bit of my personal experience, so it might not reflect the rest of the world, but it is what I'm going by here. I've used the terms "computer language" while describing what I do for a living to a -lot- of people, and it virtualy always goes through. The term "software" doesn't always, so...

Re:".NET" - a computer "language"?!

[Planesdragon]

This guy tries to explain to the average reader/non-geek that Microsoft .NET is a "computer language".

So long as your precompiled code is a combination of English and C, and yet you still prefer to call it a "language", you shouldn't be surprised to hear others mis-use the word just as bad as you.

C, C++, VB, Java, Perl, Pascal, Javascript, and all the rest are syntaxes, not languages.

Re:".NET" - a computer "language"?!

[Tim+C]

He should at least refer to it as a platform

Well, its full name is "the .NET Framework", so perhaps he really ought to be calling it a framework, not a platform.

DISASTROUS NEWS !

[unity100]

microsoft introduces 2-3 holes while fixing one .. if they patch up with that speed from now on, it means ... uh oh ...

Re:DISASTROUS NEWS !

[ronkronk]

I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0). It was painfully obvious that Microsoft had missed the Internet boat, and shortly thereafter, Bill Gates sent his historic all-hands memo pointing the company in the direction of the Internet.

It took them some time to get it right, but eventually IE took over. Now, you'd have a hard time finding a Microsoft product more complex than Minesweeper or calc.exe that doesn't connect to the Net somehow. And let's not forget that Netscape provided Microsoft with some much-appreciated help in taking over the Web, by screwing up their own release schedule so badly that there never was a Netscape 5.0.

Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.

Make no mistake, this kind of event is exactly what a company that wants to get secure should be doing. Thomlinson's comments about how seeing their code exploited "hits people in the gut", and the fact that "he was glad to see the crowd of engineers taking things personally" -- these things are right on the money. These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.

In the meantime, Firefox exploits are cropping up at a seemingly greater pace. This worries me. It looks like a repeat of 1997, when Netscape lost huge amounts of ground to IE by producing a product that wasn't as good as the competition. SP2 wa s huge leap forward in security for Windows and for IE, and Blue Hat makes it obvious that Microsoft is just going to get better at it. In the meantime, Firefox appears to be standing still on the security front, or maybe even losing a little ground. Sure, it's still miles ahead of IE's security, but if IE keeps up the pace, it will overtake Firefox sooner or later -- probably sooner.

Is there any way the Firefox development team (and the OO.o team, and anyone else who's working on high-profile F/OSS projects) can take a lesson from Blue hat? Can we get together events like this of our own?

If we don't, I can already see that by 2009 or so, at the latest, I'll be telling clients to go with Microsoft products, because they're more secure than F/OSS. And I don't want to see that happen.

Re:DISASTROUS NEWS !

[truthsearch]

Let's not forget that we'll never know exactly how many total exploits IE really has. Microsoft may know of 100 more that they simply haven't disclosed. We'll never know. But anyone can inspect Firefox. Don't think that simply because IE has less publicly documented exploits that it's more secure. Unless you work for the software vendor, you will never really know how secure any proprietary software is.

Also look at how quickly Microsoft fixes security vulnerabilities. They've let major holes exist for 3 years or more. Even if they have fewer vulnerabilities it's almost irrelevant if they don't fix the ones they have.

It's a more complex issue that simply how many vulnerabilies each camp discloses.

Re:DISASTROUS NEWS !

[TheRaven64]

I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0).

I don't think you do. Internet Explorer 3 was released on August 13, 1996. Windows NT 4.0, which shipped a year after Windows 95, came with IE 2.0 (which crashed on launch on a fresh install; something I thought was quite impressive. Fortunately, Windows Update didn't require IE back then, and so you could download a newer version through that).

Re:DISASTROUS NEWS !

[xlsior]

Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.

Too bad that it won't work, unless they scrap everything they have and start from scratch, likely breaking all most backwards compatibility in the progress.

'security' isn't something you can just slap on top after the fact, it's the foundation of a solid system. If you just paint over the holes, you will keep on doing that forever.

Re:DISASTROUS NEWS !

[penix1]

I think your crystal ball is a little foggy there. Let me help you...

They're doing this for SharePoint which is going to be the lynchpin for EVERYTHING they're doing.
Specifically, SharePoint + Groove. Remember, Ray Ozzie is driving this. All of these patches are aimed at OFFICE . Think about it. Collaboration. Real-time working on documents from different locations. Chatting. VoIP.
It's coming.

Norman set your WayBack machine to 1995 (because hindsight is 20/20). The "big" thing with Microsoft Office 95's release was "office automation, web integration, and ease of use". By default, macros were enabled and every one of Microsoft Office's applications supported them even across applications. Now, flash forward to Office 2003. The biggest push for this is the turning off of macro support by default and nagging those that do use it to death over the security implications. As for their old web integration, they all but dropped that because of the exploits inherent to Outlook. Although your comment looks good on paper, it is a security nightmare waiting to happen. I pity the Windows admins out there that will have to deal with the fallout until Microsoft turns those off by default.

Sadly though, this kind of thing does appeal to the clueless PHBs which is why I didn't claim your crystal ball was dark. Some will implement it just like some implemented macros. Those will be the first casualties.

As a side note, I work for State government and our email server strips out Excel documents as "dangerous content" every time someone tries to send me one. I know this is a policy gone nuts but there still is nothing I can do to remedy that situation other than use a different address for Excel stuff.

Re:DISASTROUS NEWS !

[batkiwi]

Yes, you can. It can be on any web server.

Now for the kicker:
If that URL happens to point to a sharepoint server, when you click "save" it will save it back to the site, update the document history, prompt you for any necessary meta-data, and (with 2007) kick off a workflow for (example here) document approval.

Re:DISASTROUS NEWS !

[greed]

It works just fine with WebDAV. In fact, it works better with WebDAV than the Web Folders thing does. Add "SVNAutoversioning on" to your Subversion repository config and have fun, just for one example.

Re:DISASTROUS NEWS !

[Dare+nMc]

>It's a more complex issue that simply how many vulnerabilies each camp discloses.
Also it is a time for the standard stock quote, "Past performance is not a direct indicator of future performance."

I think their is no way to interpert which is more bug free product, from past security issues. If you assumed the two products started out with identical # of critical faults, then the product with the most patches is likely the most secure. Even if your trying to win a bet on which was more secure on 10-11-2006, you would have to assume both were equally secure at some date (say 2009) and look at which had the most bug patches between the two time periods.

You could deterime which company is more dedicated to support from current patch cycles. Actualy it is probably safe to say that InternetExplorer is a product that is much more difficult to support than firefox, because MS seams very dedicated to supporting their product, but are unable to safely release patches as quick as firefox. But even that is influenced by which support group has a more risk adverse nature, and which team is more familure with their product.

Re:DISASTROUS NEWS !

[stonedonkey]

I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0). It was painfully obvious that Microsoft had missed the Internet boat, and shortly thereafter, Bill Gates sent his historic all-hands memo pointing the company in the direction of the Internet.

[Hi, my name is Stonedonkey. I noticed that your extremely shitty post got marked "5 interesting." My notations will be in brackets. Enjoy!]

It took them some time to get it right, but eventually IE took over.

[By being bundled into every version of the OS for the last ten years.]

Now, you'd have a hard time finding a Microsoft product more complex than Minesweeper or calc.exe that doesn't connect to the Net somehow.

[Specious exaggeration that isn't really relevant.]

And let's not forget that Netscape provided Microsoft with some much-appreciated help in taking over the Web, by screwing up their own release schedule so badly that there never was a Netscape 5.0.

[IE won because of its default desktop placement.]

Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.

[In what sector? Desktop consumers? Can you provide some supporting material for all these pronouns?]

Make no mistake, this kind of event is exactly what a company that wants to get secure should be doing. Thomlinson's comments about how seeing their code exploited "hits people in the gut", and the fact that "he was glad to see the crowd of engineers taking things personally" -- these things are right on the money. These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.

[That's great. But right now, I can get superior software for free. Then again, you didn't specify what sector you're talking about, so I can't say for sure.]

In the meantime, Firefox exploits are cropping up at a seemingly greater pace. This worries me.

[See the other guy's response about open source.]

  It looks like a repeat of 1997, when Netscape lost huge amounts of ground to IE by producing a product that wasn't as good as the competition.

[There you go again, glossing over IE's default inclusion.]

SP2 was huge leap forward in security for Windows and for IE, and Blue Hat makes it obvious that Microsoft is just going to get better at it.

[Oh, shut yo mouth. SP2 was not a "huge leap forward." Not when MS was so far behind to begin with. It sealed some painfully obvious cracks, but I wouldn't hand them any trophies for it.]

In the meantime, Firefox appears to be standing still on the security front, or maybe even losing a little ground.

[A little subjective. Is your assured tone suppose to make your reaction generalizable and trustworthy?]

Sure, it's still miles ahead of IE's security, but if IE keeps up the pace, it will overtake Firefox sooner or later -- probably sooner.

[This is a contradiction. Or, at best, a back-handed compliment.]

Is there any way the Firefox development team (and the OO.o team, and anyone else who's working on high-profile F/OSS projects) can take a lesson from Blue hat? Can we get together events like this of our own?

[Will it be another failure of open source if we don't? Should I be surprised when you sieze that "failure" as an example of some larger and wholly imagined problem?]

If we don't, I can already see that by 2009 or so, at the latest, I'll be telling clients to go with Microsoft products, because they're more secure than F/OSS.

[Suit yourself, Nostradamus. Maybe by then Microsoft will "share" some of its code to assuage your worries. By the way, how in the flaming fuck do you make the leap from "Mozilla" to "F/OSS"? I'm sorry, but that's pure jackassery, pal.]

And I don't want to see that happen.

[In that, we agree.]

Holes

[Ice+Wewe]

...In other news, Microsoft plans to patch the 17 holes created by these patches sometime by the end of the month.

Re:One at a time, MS!

No. They tried that. Corporate customers revolted because their IT teams couldn't keep up with patch testing/deployment. And as history has shown (MSBlaster), the worm-clock starts ticking once the patch is available to the general public (it is faster for exploiters to reverse engineer the patch to find the hole), meaning it isn't practical for IT departments to "hold" onto patches and deploy them on their own monthly cycle.

Apple's last patch fixed 24 and was over 200 MB.

[MSFanBoi2]

So, at least Microsoft is fixing them.

Microsoft has bugs, people complain.

Microsoft fixes the bugs, people complain.

Apple releases an incremental update to OS X 10.2 to 10.3 and charge you for it ($129.00), and when they release a MASSIVE update in September, not a peep of complaints...

Re:Well Guess that means

Vista ain't done until Firefox won't run!

I kid! I kid!

Wowee! We're falling behind!

[rolfwind]

I thought all those studies said that Linux had way more security bugs than Microsoft! The last report had Microsoft at somewhere around 52 security bugs and Linux at several times that.

If I have my math right:

  52
-26
-----
  26 bugs left!

Microsoft only has to fix them there 26 bugs until Windows is all perfect and flawless!

*Does a happy dance!*

What are you doing about it?

[technicalandsocial]

I don't think anyone feels that Windows is security hole free. I've not seen a security hole free OS. Does today's "news" not perhaps mean that Microsoft is spending more R&D on resolving this issues?

Yikes

[BeeBeard]

Given Microsoft's history of only fixing security holes when real exploit code is known to exist, should we assume the worst?

Re:Patch for Mac Office

[LindseyJ]

Where does it say that the Mac version only has one bug? From here it looks like it says one of the flaws is only present in the mac version. In other words, the Mac version has a bug that the Windows version doesn't (which, considering how different OSX is from XP, is perfectly understandable); it doesn't say "The only bug in the Mac version was patched". Given the amount of such posts I've already seen in this thread, I'm pretty suprised you're latching onto this 'only one bug' thing, instead of the 'only one bug found, but how many more are still there / created from the fix' shtick.

Re:Apple's last patch fixed 24 and was over 200 MB

[Alcimedes]

I think a difference is that to the best of people's knowledge, the holes in Apple's OS weren't being exploited in the wild prior to the patch. Apple is fixing the problems before they're exploited, not a week or two after.

Time will tell though.

Re:That's No Medal!

[suv4x4]

Pendant, surely?

Ok I give you the medal.

They did it by distributing it with the OS

[unity100]

and no factor more effective.

maybe almost 70% of the internet users do not know what a "browser" is, and there are other browsers out there.

This is because microsoft easily pushes its own browser as a "os feature".

majority of casual computer users by then were, now the majority of the casual internet users, those who are not interested in doing something else than using mail, going to a few sites, chatting with some friends and playing some backgammon around the net, are not in a level, proficiency, or desirous to research and explore the intricacies of what they are using.

They are just buying a computer, windows comes installed within, there are stuff there, and they use it.

THIS was the way microsoft have villainishly monopolized the browser arena, and nothing more. Not security, not features, not the "mis-schedule" of netscape releases and nothing more. And certainly, definitely not the "far-sight" or "visionary genius" of bill gates and his memos.

They used the power of market reach, to "sell" something to people who didnt know if any alternatives existed.

Re:Apple's last patch fixed 24 and was over 200 MB

[Overly+Critical+Guy]

That "incremental update," as you ignorantly call it (nice nick, by the way), was a major version release with a whole new version of OS X, new features, and new technologies. It wasn't some minor service pack.

And that massive update in September isn't so massive when you point out that it's the most we'll see all year. Meanwhile, Microsoft released an IE patch, then released a patch to fix the patch, then released a patch to fix THAT patch. And you wonder why people complain about Microsoft?

Title should read...

[Shadyman]

Microsoft plugs a record 26 security holes; Other 26,000 security holes wanted for questioning.

Re:26 down...

[Crunchie+Frog]

Nice masturbation there. Well done.

Re:The only vista on my OS horizon: Ubuntu

[drsmithy]

Almost any OS that is free... After all, it is hard to argue that Ubuntu (for example), should be flawless when it costs nothing and is in fact shipped out at someone else's expense if one asks for a few sets of the install discs.

So if it's free it can't suck ?

How about all those versions of Linux that *aren't* free ?

Why waste money on a bigger, slower, pile of crapware from Microsoft when it offers nothing substantial in the way of practical improvements over the mess that is XP?

It offers masses of "substantial, practical improvements". The important question people need to ask is if any of those are important enough to them to upgrade.

What I'm reading these days is that the Vista release is being given the yawn treatment by many IT professionals.

IT professionals are waiting for a) the server-side complement to Vista and b) the early rounds of bugs to be shaken out.

In fact, I'm worried that security will be much worse on Vista than it is on XP since 3rd party security vendors are being prevented by Microsoft from hooking in at the level their code needs to run at to be most effective. I don't trust Microsoft to handle security issues. It has a pathetic track record. The programmers at MS clearly don't understand their own code.

Sounds to me like you're buying into the standard anti-Windows and anti-Microsoft FUD.

what really happened to Netscape

[rs232]

"I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0)", ronkronk

It wasn't an afterthought it was a renamed Spyglass browser which they subsequently 'gave away' with Windows so as they wouldn't have to pay royaltees. After failing to buyout Netscape and get an exclusive deal from NCSA they settled with Spyglass.

"It took them some time to get it right, but eventually IE took over", ronkronk

IE took over by billg strong arming the OEMs to take Netscape off the desktop. Can't you remember what the MS AOL court case was all about.

"AOL's March 12 and October 28, 1996 agreements with Microsoft also guaranteed that, for all practical purposes, Internet Explorer would be AOL's browser of choice"

"Compaq was the only one to fully commit itself to Microsoft's terms for distributing and promoting Internet Explorer to the exclusion of Navigator"

"now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet", ronkronk

Like as an after thought.

"within a few years, we're going to see some really damn secure stuff coming out of Microsoft", ronkronk

I've heard exactly the same kind of thing when NT came out.

"In the meantime, Firefox exploits are cropping up at a seemingly greater pace. This worries me. It looks like a repeat of 1997, when Netscape lost huge amounts of ground to IE by producing a product that wasn't as good as the competition.", ronkronk

Netcape was never inferior to IE. As this test proves. The MS stratagy at the time was to make it a jolting experience for the enduser. Why are you trolling slashdot with patently false pro-MS propaganda.

"We will bind the (Windows) shell to the Internet Explorer, so that running any other browser is a jolting experience" .

Firefox running on a more secure OS as standard user are not as serious as bugs in IE running on WinVista. You see as MS embedded the browser directly into the OS so as it couldn't be removed.

Secondly Netscape lost ground because of backroom shenagenans by billg an Co. After threatening to withold technical information, they offered to carve up the market between them or else they would cut off Netscapes oxygen supply.

`The delay in turn forced Netscape to postpone the release of its Windows 95 browser until substantially after the release of Windows 95 (and Internet Explorer) in August 1995. As a result, Netscape was excluded from most of the holiday selling season.'

"Microsoft representative J. Allard had told Barksdale that the way in which the two companies concluded the meeting would determine whether Netscape received the RNA API immediately or in three months.'"

`After Netscape refused Microsoft's offer to divide the browser market, Microsoft embarked on a predatory campaign to eliminate the browser threat'

`In subsequent meetings in the Fall of 1995, Microsoft explained to Intel that its strategy would be to kill Netscape and control Internet standards'

`in exchange for steering clear of the Windows browser segment Netscape would be made a preferred Microsoft partner'

"I'll be telling clients to go with Microsoft products, because they're more secure than F/OSS. And I don't want to see that happen.", ronkronk

I'm really an Open Source advocate except for bla, bla, bla

http://www.usdoj.gov/atr/cases/f2600/2613-1.htm
http://www.theregister.co.u