Slashdot Mirror
Microsoft Plugs a Record 26 Security Holes
An anonymous reader writes "Microsoft today released ten patches to fix at least 26 separate security holes, including a whopping 16 flaws in Microsoft Office and its constituent apps. According to Washingtonpost.com's Security Fix blog, this is the most number of patches ever released by Redmond outside of a Windows service pack. Also of note, six of today's updates apply to fully patched Windows XP systems, and two of the flaws are actually present in Windows Vista."
It could have been 27!
$action = empty(PHP) ? backToC() : unset(PHP) ; "when the concrete cases are understood, the abstractions are readily
I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0). It was painfully obvious that Microsoft had missed the Internet boat, and shortly thereafter, Bill Gates sent his historic all-hands memo pointing the company in the direction of the Internet.
It took them some time to get it right, but eventually IE took over. Now, you'd have a hard time finding a Microsoft product more complex than Minesweeper or calc.exe that doesn't connect to the Net somehow. And let's not forget that Netscape provided Microsoft with some much-appreciated help in taking over the Web, by screwing up their own release schedule so badly that there never was a Netscape 5.0.
Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.
Make no mistake, this kind of event is exactly what a company that wants to get secure should be doing. Thomlinson's comments about how seeing their code exploited "hits people in the gut", and the fact that "he was glad to see the crowd of engineers taking things personally" -- these things are right on the money. These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.
In the meantime, Firefox exploits are cropping up at a seemingly greater pace. This worries me. It looks like a repeat of 1997, when Netscape lost huge amounts of ground to IE by producing a product that wasn't as good as the competition. SP2 wa s huge leap forward in security for Windows and for IE, and Blue Hat makes it obvious that Microsoft is just going to get better at it. In the meantime, Firefox appears to be standing still on the security front, or maybe even losing a little ground. Sure, it's still miles ahead of IE's security, but if IE keeps up the pace, it will overtake Firefox sooner or later -- probably sooner.
Is there any way the Firefox development team (and the OO.o team, and anyone else who's working on high-profile F/OSS projects) can take a lesson from Blue hat? Can we get together events like this of our own?
If we don't, I can already see that by 2009 or so, at the latest, I'll be telling clients to go with Microsoft products, because they're more secure than F/OSS. And I don't want to see that happen.
So, at least Microsoft is fixing them.
Microsoft has bugs, people complain.
Microsoft fixes the bugs, people complain.
Apple releases an incremental update to OS X 10.2 to 10.3 and charge you for it ($129.00), and when they release a MASSIVE update in September, not a peep of complaints...
Vista ain't done until Firefox won't run!
I kid! I kid!
I thought all those studies said that Linux had way more security bugs than Microsoft! The last report had Microsoft at somewhere around 52 security bugs and Linux at several times that.
If I have my math right:
52
-26
-----
26 bugs left!
Microsoft only has to fix them there 26 bugs until Windows is all perfect and flawless!
*Does a happy dance!*
Let's not forget that we'll never know exactly how many total exploits IE really has. Microsoft may know of 100 more that they simply haven't disclosed. We'll never know. But anyone can inspect Firefox. Don't think that simply because IE has less publicly documented exploits that it's more secure. Unless you work for the software vendor, you will never really know how secure any proprietary software is.
Also look at how quickly Microsoft fixes security vulnerabilities. They've let major holes exist for 3 years or more. Even if they have fewer vulnerabilities it's almost irrelevant if they don't fix the ones they have.
It's a more complex issue that simply how many vulnerabilies each camp discloses.
Developers: We can use your help.
This guy tries to explain to the average reader/non-geek that Microsoft .NET is a "computer language".
So long as your precompiled code is a combination of English and C, and yet you still prefer to call it a "language", you shouldn't be surprised to hear others mis-use the word just as bad as you.
C, C++, VB, Java, Perl, Pascal, Javascript, and all the rest are syntaxes, not languages.
That "incremental update," as you ignorantly call it (nice nick, by the way), was a major version release with a whole new version of OS X, new features, and new technologies. It wasn't some minor service pack.
And that massive update in September isn't so massive when you point out that it's the most we'll see all year. Meanwhile, Microsoft released an IE patch, then released a patch to fix the patch, then released a patch to fix THAT patch. And you wonder why people complain about Microsoft?
"Sufferin' succotash."