Slashdot Mirror


Microsoft Sets Record With Monster Patch Tuesday

CWmike writes "Microsoft today issued 10 security updates that patched a record 31 vulnerabilities in Windows, Internet Explorer, Excel, Word, Windows Search and other programs, including 18 bugs marked 'critical.' Of the 10 bulletins, six patched some part of Windows, while three patched an Office application or component, and one fixed a flaw in IE. The total bug count was the most patched by Microsoft in a single month since the company began regularly scheduled updates in 2003. The previous record of 26 vulnerabilities patched occurred in both August 2008 and August 2006. 'This is a very broad bunch,' said Wolfgang Kandek, CTO at Qualys, 'compared to last month, which was really all about PowerPoint. You've got to work everywhere, servers and workstations, and even Macs if you have them. It's not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow.'"

237 comments

  1. That's a lot of patches by Anonymous Coward · · Score: 0, Troll

    but at least I got first post.

    1. Re:That's a lot of patches by xaosflux · · Score: 2, Insightful

      For MS maybe, but there have been many times that I've seen Umbuntu ask to install a list of updates longer then my johnson... Of course it is updating multiple products, but so is MS here.

    2. Re:That's a lot of patches by Anonymous Coward · · Score: 5, Funny

      a list of updates longer then my johnson...

      Sounds like it wasn't exactly a matter of great concern then.

    3. Re:That's a lot of patches by zonky · · Score: 4, Insightful

      Ubuntu is updating all products in all repo's, with a single command/daily check.

      The problem with windows is that you're not doing this at all when you check windows update/wsus - you're checking windows only- (other microsoft products if you opted-in to doing this).

      This is in fact the real problem with windows- patch management is just a total nightmare.

      For example, Adobe also patched today- but can you manage that upgrade at the same time? Nope.

      It's mindbogglingly hard at any point in time to say you are patched when running a windows system. This is the greatest challenge/weakness of windows, and the biggest benefit of Linux - package management as a means of achieving security.

    4. Re:That's a lot of patches by gbarules2999 · · Score: 3, Insightful

      I've seen Ubuntu ask to install a list of updates longer then my johnson

      And probably 90% of them were 120KB libraries, which MS updates but doesn't list.

      Is it the new fad to spell "Ubuntu" wrong? It's not that difficult. Add it to Firefox's dictionary if you have to.

    5. Re:That's a lot of patches by Compholio · · Score: 3, Informative

      Does Ubtunu, or any other Linux distro, provide a way to keep proprietary applications patched or updated? Exactly.

      Indeed, create your own repository and have your installer add that repository to the list when your application is installed (though you should ask permission or people will get angry with you). From that point on the customer's PC will update your software automatically, it'll even warn the customer to install it quickly if you flag it as a security update.

    6. Re:That's a lot of patches by zonky · · Score: 1

      There are non-free apps in some of the multiverse repo's so yes, obviously they can. In any case, anyone can add a custom repo to their sources.list and a valid signing key.

    7. Re:That's a lot of patches by Anonymous Coward · · Score: 0

      Dude, if Microsoft started up a system for updates, then they'd simply be criticized for monopolizing further!

      Either that, or increasing the security risk by creating another single point of failure.

    8. Re:That's a lot of patches by Anonymous Coward · · Score: 0

      blah

      Really? Cause I roll out patches to all sorts of MS products with WSUS.

      blah

      And WSUS makes rollouts pretty damn easy. I'm not sure why you call it a nightmare.

      blah

      Adobe updates roll out with Ubuntu? Sweet. Oh wait, no.

      blah

      If you install any software for linux that isn't in the repository, you have to do the same damn thing. Get over it.

    9. Re:That's a lot of patches by gbarules2999 · · Score: 0, Flamebait

      Does Wundwos, or any Mhac, provide a way to keep proprietary applications patched or updated? Exactly.

      Fixed that for you.

      Is it the new fad to spell "Ubuntu" wrong? It's not that difficult. Add it to Firefox's dictionary if you have to.

    10. Re:That's a lot of patches by MrEricSir · · Score: 1

      Um, with Linux you have your choice between apt-get and yum, both of which let you add any repo you want. On my system, proprietary drivers, browser plugins, etc. are all kept up to date by Ubuntu automatically.

      WSUS does not let you do this. As far as I can tell, you can set up your own server but you can't update non-Microsoft software.

      --
      There's no -1 for "I don't get it."
    11. Re:That's a lot of patches by FishWithAHammer · · Score: 1

      As I understand it, however, there's no way to protect that application against non-authenticated users. Can you have an APT repository that, say, requires a login and password?

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    12. Re:That's a lot of patches by Jurily · · Score: 1

      For example, Adobe also patched today- but can you manage that upgrade at the same time? Nope.

      I'm still looking for the feature that disables all auto-update checks and dialog boxes.

    13. Re:That's a lot of patches by Anonymous Coward · · Score: 1, Insightful

      Yet another example of a "feature" of Linux being a "drawback" to Windows.

    14. Re:That's a lot of patches by Nakor+BlueRider · · Score: 1

      Keep in mind also that those updates can often be actual upgrades -- new features for example -- and not have anything to do with bugs or security flaws. While MS occasionally does this as well, the article above specifically refers to 31 vulnerabilities.

    15. Re:That's a lot of patches by Bill_Royle · · Score: 2, Interesting

      Sorry, that's not the case. I'm not happy about this month's load of patches, but there are perfectly good patch management solutions out there that can manage multiple vendors and products with ease. I've had pretty good luck with Patchlink, and expect that in the next day or so I'll have a reasonable amount of information to go through to determine what needs to be patched. And when I have a question I know I can contact someone there to get more specifics.

      I think what a lot of people don't like is that there's not a *free* patch management solution that is as effective as some of the paid ones (such as Patchlink). But that is a complaint based on price, not on availability. There are working solutions out there, it's just that many of the good ones often cost money. As an enterprise user I need the resources and continuity that a commercial product can contractually provide.

      As for package management as it relates to Windows, that's different than patch management. The benefit that an OS like Ubuntu brings to the table is a dead-simple updating mechanism that can cover multiple products. It can be used to roll out patches, sure, and it is. But it is also used intensively for rolling out cursory product updates which have more to do with bug fixes than security flaws. Is that because Ubuntu or other Linux flavors are more secure? Probably - but a lot of that also comes down to market share more than programming quality.

      One way or the other, the statement that patch management is a total nightmare isn't the case - it just depends on the approach and purchasing priorities that you set.

      Disclosure: I don't work for nor have I ever worked for Lumension, and I haven't received anything (and won't) for posting this.

    16. Re:That's a lot of patches by NormAtHome · · Score: 2, Interesting

      I've thought for some time that Microsoft should have some type of open update scheme that other vendors could participate in. As you mention so that Adobe could submit their updates to MS and that you get all your updates through Windows update. I realize that this is a serious issue and that MS would have to run it in a benevolent manner and I think most people here would agree that MS is far from benevolent. (the FireFox plugin that was mentioned recently comes to mind) But really when you want to update your system you've got to run all these software updaters individually and it's just incredibly time consuming not to mention that some of them like the Sun Java JRE installs its own resident update agent adding yet another process to the system. (the install shield update manager is another, LiveUpdate from Symantec also) All these resident update agents just bog the system down with additional unnecessary processes so some type of central update agent could clean this up.

      Also hardware updates as well, I usually check for hardware updates on my systems about every six months and it's a real nuisance. Before anyone says it, yes I've seen many instances of suggested hardware updates from MS that didn't work / caused anything from minor to major problems on the given system. MS would have to do a way, way better job with hardware updates than they do now.

      I realize that there are several commercial services that do just this but I'm stubborn and won't pay for something like this that I can do myself. Also I have four computers and these services would not allow me to update all four systems for a single fee and I'm not paying for this service times four.

    17. Re:That's a lot of patches by ls671 · · Score: 1

      I prefer Debain.

      --
      Everything I write is lies, read between the lines.
    18. Re:That's a lot of patches by eosp · · Score: 1

      An APT repository is just a directory exposed by HTTP. You might be able to .htpasswd it but I'm not sure whether it would work.

    19. Re:That's a lot of patches by Anonymous Coward · · Score: 0

      The correct spelling is "Noobuntu".

    20. Re:That's a lot of patches by zonky · · Score: 1
    21. Re:That's a lot of patches by Anonymous Coward · · Score: 0

      Sweet. Where's the WOW repository for updating it on Linux. Oh, there isn't one.

      How about the repository for updating Oracle. Oh wait, no...

      Get the idea? Yes there are more things in the repository. Or another repository you add (when the original guy was complaining about having to click on a link to add other MS software, I figure I get to bitch about having to add other repositories). Are all things you want or might want in a repository waiting for you to add it? No. So you still have to do the same damn thing.

    22. Re:That's a lot of patches by zonky · · Score: 1

      Ooops- linked wrong article, but essentially, you can do what you want by using SSL and client side certs.

    23. Re:That's a lot of patches by eosp · · Score: 4, Informative

      The article here explains that you can either have a secured FTP repository or one grabbed by SSH.

    24. Re:That's a lot of patches by zonky · · Score: 0, Flamebait

      Because a WSUS install helps a single user at home stay up to date with any degree of reliability. Idiot.

    25. Re:That's a lot of patches by Compholio · · Score: 3, Informative

      As I understand it, however, there's no way to protect that application against non-authenticated users. Can you have an APT repository that, say, requires a login and password?

      Yes, there are other ways but a couple easy methods are in this article: http://www.debian-administration.org/articles/513

    26. Re:That's a lot of patches by zonky · · Score: 1

      Sorry, that's not the case. I'm not happy about this month's load of patches, but there are perfectly good patch management solutions out there that can manage multiple vendors and products with ease.

      Please name one that is suitable for a "home" user with little or no technical ability to setup and use? This is a major problem with the windows ecosystem. Staying on top is hard.

    27. Re:That's a lot of patches by zonky · · Score: 1

      Way to miss the whole point- WSUS/Windows Update/Microsoft Update only helps where MS patches are concerned.

    28. Re:That's a lot of patches by Anonymous Coward · · Score: 0

      That isn't the point. The point is that Microsoft and its products require many updates compared to a relatively stocked Ubuntu/Debian system. Yeah I guess it would be monopolizing for Microsoft to hold the keys to a general repository but I don't think it would be bad to have a framework in place that allows third parties add their own repositories in conjunction with their msi packages to allow say, Adobe to send patches downstream or even let users purchase software.

    29. Re:That's a lot of patches by RockWolf · · Score: 1

      install a list of updates longer then my johnson...

      Then your johnson what? Don't leave us hanging in suspense, man!

      --
      February 9th, 2009 8:55pm: Slashdot becomes self-aware.
    30. Re:That's a lot of patches by Bill_Royle · · Score: 1

      I agree with your assertion that it's a problem for the industry as a whole. In terms of products for home users the market is really sparse, and I don't like having to hassle through any of the stuff either, even on the enterprise side.

      A quick google of "update checker" brought up this result: http://www.filehippo.com/updatechecker/

      Sounds like that might help some. I haven't tried it but running that once a month, then hitting Windows Update would probably keep your bases covered pretty well.

      Anyhow, I'm not disputing that the situation sucks, but I am disputing the notion that there aren't ways to address patching. Cheap? No. Available? Yes.

    31. Re:That's a lot of patches by haruchai · · Score: 2, Insightful

      Dear DMBFCKAC, you really don't get it or are trolling as you clearly ignore the fact that, given the existence of a repository, which can exist in
      many forms, including a CD or local directory, you can update just about any software from the package installer on most mainstream distros.

      The Windows installer system is so fucking lame that, 14 years after the Win '95 "Start Me Up" campaign, endusers still have to babysit Add / Remove
      Programs, if they want to uninstall software as they can't pick more than one program at a time.

      Most Linux packages have allowed the user the ability to select multiple packages for both install and removal and I've done a session where nearly
      2 GB total, with over 100 packages were added, removed or upgraded with no issues.

      --
      Pain is merely failure leaving the body
    32. Re:That's a lot of patches by miro+f · · Score: 1

      no need for MS to host the content, they could just create a service for patch management and let Adobe, etc host the servers. Similar to how it's done in Linux already (if it ain't broke...)

      --
      being vague is almost as cool as doing that other thing...
    33. Re:That's a lot of patches by drsmithy · · Score: 1

      I've thought for some time that Microsoft should have some type of open update scheme that other vendors could participate in. As you mention so that Adobe could submit their updates to MS and that you get all your updates through Windows update.

      I can't think of any reason why Windows Update couldn't do this for applications today (or even yesterday). It certainly does so for drivers.

      In all likelihood the problem, as usual, lies with the application vendors.

    34. Re:That's a lot of patches by jabithew · · Score: 1

      Try Secunia PSI, it's pretty good for checking you're running patched software.

      --
      All intents and purposes. Not intensive purposes.
    35. Re:That's a lot of patches by calagan800xl · · Score: 1

      There are several products like Shavlik Netchk, which allow you to patch commonly-used applications like Adobe, Firefox, Java, etc... at the same time as MS OS and applications.

    36. Re:That's a lot of patches by Bert64 · · Score: 1

      Absolutely, providing the vendor of that proprietary application provides an appropriate package repository..
      If they don't, then it's the vendor's fault, the distro itself provides everything they reasonably could.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    37. Re:That's a lot of patches by MrMr · · Score: 3, Informative

      Yes, and yes.
      Exactly indeed.
      I won't bother with supplying a clue, as you've obviously never seen Ubuntu or any other Linux distro.

    38. Re:That's a lot of patches by shentino · · Score: 1

      I prefer the HMAC.

    39. Re:That's a lot of patches by dugeen · · Score: 1, Troll

      Then again, the chances of Ubuntu working with any piece of hardware made in the last 2 years are slim indeed.

    40. Re:That's a lot of patches by Anonymous Coward · · Score: 0

      well, that's better than Eunuchs

    41. Re:That's a lot of patches by silent_artichoke · · Score: 1

      How about the repository for updating Oracle. Oh wait, no...

      deb http://oss.oracle.com/debian unstable main non-free
      Found here

    42. Re:That's a lot of patches by Anonymous Coward · · Score: 0

      Is it the new fad to spell "Ubuntu" wrong? It's not that difficult. Add it to Firefox's dictionary if you have to.

      Who gives a buck? Do you see Windows users complaining at childish comments like "windoze"? If your precious OS can be so devastated by an incorrect spelling, you may want to start checking your pretentiousness at the door, and add real value to your posts, rather than bitching.

    43. Re:That's a lot of patches by Anonymous Coward · · Score: 0

      It's mindbogglingly hard at any point in time to say you are patched when running a windows system. This is the greatest challenge/weakness of windows, and the biggest benefit of Linux - package management as a means of achieving security.

      Unless you use 230345 applications, no, it's not. MS update manages everything MS, Firefox/Thunderbird are updated automatically, Pidgin warns you about updates, so does Adobe, etc.

      Nearly all important applications have updaters. It's not hard at all.

    44. Re:That's a lot of patches by crashumbc · · Score: 1

      the circle is complete, now Linux users bash each other based on the version installed.

      There may be help for Linux to compete with Windows or Macs yet!

    45. Re:That's a lot of patches by SiChemist · · Score: 1

      Adobe updates roll out with Ubuntu? Sweet. Oh wait, no.

      Wrong, smartass. If you used Medibuntu to install acrobat reader, then you DO get the updates. I also believe that it works for Flash.

    46. Re:That's a lot of patches by Anonymous Coward · · Score: 0

      Can you have an APT repository that, say, requires a login and password?

      Yes you can. In fact I did something similar to an apt-cache machine (So not exactly an apt repo, but close for these purposes)

      Slashdot isn't displaying the same URL I am typing in, so this might be quite messed up, but under /etc/apt/sources.list you add a URL entry in the format:

      http : / / username : password @ hostname / path (space) repo1 repo2 repo3 ...

      Ignore the extra spaces and crap slashcode inserts..
      A more exact example can be found by Googling "Username and password in URL"

      You can also use https for SSL over HTTP, and also FTP (and I believe FTPS) which is more designed for user based authentication than the web, but both work fine in apt.
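Credentials written into a sources.list URI, as the comment above describes, sit in a file that is normally world-readable, and over plain http or ftp they also cross the network in cleartext. The following is an added example, not part of any comment in this thread: it audits one-line source entries for embedded credentials and prints the credential-free entry together with a netrc-style line of the kind apt_auth.conf(5) describes. The sample entries, host names and passwords are constructed, and `audit` and `find_uri_index` are names chosen here.

```python
"""Find credentials embedded in APT one-line source entries and produce the
credential-free entry plus a matching apt_auth.conf(5)-style line."""
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed sample input: hosts, users and passwords are made up.
SAMPLE_SOURCES = """\
# vendor repository, credentials inline
deb http://alice:s3cret@repo.example.com/apt stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/vendor.gpg] https://bob:hunter2@pkgs.example.net/debian stable main non-free
deb http://archive.ubuntu.com/ubuntu jaunty main universe
deb-src ftp://carol@ftp.example.org/debian stable main
"""

# Transports where the credentials are sent unencrypted.
CLEARTEXT_SCHEMES = {"http", "ftp"}


def find_uri_index(tokens):
    """Return the index of the URI token in a one-line entry, or None."""
    if len(tokens) < 2 or tokens[0] not in ("deb", "deb-src"):
        return None
    i = 1
    if tokens[i].startswith("["):
        # Skip the optional "[ option=value ... ]" group, which may span tokens.
        while i < len(tokens) and not tokens[i].endswith("]"):
            i += 1
        i += 1
    return i if i < len(tokens) else None


def audit(text):
    """Return one finding per entry whose URI carries a user name."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        idx = find_uri_index(tokens)
        if idx is None:
            continue
        parts = urlsplit(tokens[idx])
        if parts.username is None:
            continue  # no userinfo in the URI, nothing to move
        host = parts.hostname or ""
        if ":" in host:  # IPv6 literal: restore the brackets urlsplit removed
            host = f"[{host}]"
        if parts.port:
            host += f":{parts.port}"
        # Rebuild the URI without the "user:password@" part.
        tokens[idx] = urlunsplit(
            (parts.scheme, host, parts.path, parts.query, parts.fragment)
        )
        # netrc-style entry: machine host[:port][/path] login ... password ...
        # How the scheme is matched depends on the apt release; check
        # apt_auth.conf(5) on the target system.
        auth = f"machine {host}{parts.path} login {unquote(parts.username)}"
        if parts.password is not None:
            auth += f" password {unquote(parts.password)}"
        findings.append({
            "line": lineno,
            "cleartext": parts.scheme in CLEARTEXT_SCHEMES,
            "rewritten": " ".join(tokens),
            "auth_conf": auth,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SOURCES):
        flag = " (sent in cleartext)" if f["cleartext"] else ""
        print(f"line {f['line']}: credentials in URI{flag}")
        print(f"  sources.list: {f['rewritten']}")
        print(f"  auth.conf:    {f['auth_conf']}")
```

The generated auth.conf lines belong in a file that ordinary users cannot read. Entries in the deb822 `.sources` format are not handled by this example.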

    47. Re:That's a lot of patches by FishWithAHammer · · Score: 1

      Oh, interesting. I may have to look into this for distributing commercial application updates on Linux.

      Thanks!

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    48. Re:That's a lot of patches by FishWithAHammer · · Score: 1

      This is pretty handy to read. Much appreciated.

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    49. Re:That's a lot of patches by Compholio · · Score: 1

      No problem, if you're not familiar with SSH it's also possible to create an SSH key that you can distribute "in reverse" (to all of your clients instead of collecting a key from each one of them). I don't have an article for that on hand, but if you need details I can give them to you (while this is easier to distribute there is the obvious disadvantage that this technique does not allow you to "discontinue" a customer).

    50. Re:That's a lot of patches by FishWithAHammer · · Score: 1

      I know a little bit about SSH, I just didn't know you could actually use client keys in conjunction with APT. It's a long way off for my company (a game company who is planning a Linux port) to actually have something publicly available that needs patching, and I'm not sure that we'll do this rather than have an update-checker built in, but it certainly is an interesting possibility.

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    51. Re:That's a lot of patches by Compholio · · Score: 1

      Well, if you need any assistance when the time comes you can reach me by email as compholio at gmail dot com. Personally, I would probably look into the possibility of creating a small "personal" apt database for users without a debian package manager and have the update-checker just use apt (why reinvent the wheel if you don't have to?).

    52. Re:That's a lot of patches by Anonymous Coward · · Score: 0

      You must be new here. Distro bashing has been going on since the days of Slack and Redhat. And for the record, it's 'lolbuntu, so dumbed down even an idiot can use it'.

  2. Scary Good or Scary Bad? by Nefarious+Wheel · · Score: 1, Funny

    That number of bugs rather scares me. I depend on Windows for playing WoW at home and writing documents at work. Will this kill it?

    --
    Do not mock my vision of impractical footwear
    1. Re:Scary Good or Scary Bad? by powerspike · · Score: 4, Insightful

      Scary good. At least it shows MS is looking for problems, and fixing them as they find them.
      If somebody got a full list of bugs / sec updates for linux every month (all software), I'm quite sure that "31" would be quite a low number.
      Of course MS could ignore them (or some), and come up with a low number, but that wouldn't be in anybody's best interests...

    2. Re:Scary Good or Scary Bad? by petrus4 · · Score: 2, Interesting

      That number of bugs rather scares me. I depend on Windows for playing WoW at home and writing documents at work. Will this kill it?

      There is no need for that. I run WoW in Wine on FreeBSD, and it runs much faster and more smoothly there than it does natively in Windows.

      Granted, customising FreeBSD is perhaps a little above the bullet-dodging capabilities of the average FOSS user, but Ubuntu will still run WoW very agreeably. I'd recommend Kubuntu; I'm a KDE man in terms of the "big two," desktop environments, myself.

    3. Re:Scary Good or Scary Bad? by maz2331 · · Score: 1

      Good and bad.

      It's good that they crushed a lot of bugs, but I'm used to fast and incremental crushing of bugs on Fedora.

    4. Re:Scary Good or Scary Bad? by petrus4 · · Score: 1

      Nobody gives a shit.

      Ah, the Anonymous Cowards. I'm starting to think it might be time for Slashdot to retire the ability to make anonymous comments, to be honest; I've noticed ACs becoming even more obnoxious and/or annoying than usual, recently.

      Although Ubuntu's numbers on DistroWatch, as well as the amount of forum traffic they get, prove that you're wrong. Plenty of people care about it.

    5. Re:Scary Good or Scary Bad? by Moebius_6 · · Score: 1

      Am not AC, and am seconding that. Mistakes were made, patches have been deployed. It's an arbitrary number of patches, occasionally it will be the highest number. Does firefox work? Great, who cares what OS it is as long as it's patched?

      Oh fsm, did I just feed a troll?

    6. Re:Scary Good or Scary Bad? by Omniscient+Lurker · · Score: 1

      I like AC's, there's not enough humor in this world and AC's fill it.

    7. Re:Scary Good or Scary Bad? by Luthair · · Score: 1

      Yes, I'm not a fan of the once a month patch releases, while it may be beneficial for corporate IT, as an end-user I'd rather have the fixes as soon as they become available.

    8. Re:Scary Good or Scary Bad? by AnalPerfume · · Score: 1

      Numbers are only part of it, the more important part is how many are critical allowing remote users to execute code on your local machine. On the bright side, they are at least patching them. Of course the stopping of further patching is part of the carrot to force people to open their wallets and fork out more cash to Microsoft for the latest Windows, which of course won't work on their hardware, which means buying a new PC with a new Windows license, and potentially a whole new round of updated versions of software which won't work with the latest Windows.

      Ain't it great how Microsoft look after their license holders? It just makes you feel all warm and fuzzy.

    9. Re:Scary Good or Scary Bad? by _Sprocket_ · · Score: 4, Insightful

      Scary good. At least it shows MS is looking for problems, and fixing them as they find them. If somebody got a full list of bugs / sec updates for linux every month (all software), I'm quite sure that "31" would be quite a low number. Of course MS could ignore them (or some), and come up with a low number, but that wouldn't be in anybody's best interests...

      It's always a shame when people use vulnerability / bug counts as some kind of definitive universal metric. The issues involved are much more complex than a single number score. And while the information can be useful, the simplest use is to debunk zealots' (Windows, Linux, etc.) claims that their software of choice is bug-free or that one particular style of development produces better quality code (if you consider bugs signs of defects that count against your quality metric). And even then, the debate could rage on (which I'll avoid doing as that's not the point right now).

      Microsoft producing security patches is an overall good thing. It's a battle that was "won" quite a few years ago. And it's a battle that continues as it takes continued pressure to keep them honest (there is a history of bugs being reported to Microsoft w/out fixes over extended lengths of time). Constant pressure nudges Microsoft to resolve these issues. It's an echo of the bad old days when Microsoft cared little about responding to serious flaws in their products.

      Likely it's those echoes that probably mislead the masses to assume these numbers meant something that they didn't. Back in those aforementioned bad old days, the bug count outlined largely well-documented and unaddressed flaws. Nowadays a few of those pop up from time to time (and again - it is more common these days for "responsible disclosure" with commercial vendors to uncover flaws that go unpublished until patch release). But for the most part, those numbers represent issues that are addressed. And that is indeed a victory (bittersweet if you contend that the flaws should never have existed).

    10. Re:Scary Good or Scary Bad? by Anonymous Coward · · Score: 0

      Agreed. I never understood why so many people would foam at the mouth whenever other people mispell Ubuntu. Even saying "Ubuntu" remnds me of an ape beating his chest and saying "ooo-OOO-ooo."

      I hope that some people don't project their racism onto this post. Ubuntu is an African word but African males have nothing to do with this. There are differences between apes and blacks. Subtle differences, yes, but differences nonetheless as defined by H.P. Lovecraft, the foremost authority of ethnic Africans and Jews.

      That being said, Ubuntu is my favorite distro and I've used Suse, Red Hat, IRIX, classic Mac OS as well as OSX, and of course MS operating systems since the DOS days.

    11. Re:Scary Good or Scary Bad? by Anonymous Coward · · Score: 0

      I like AC's, too !

    12. Re:Scary Good or Scary Bad? by Anonymous Coward · · Score: 1, Funny

      But I have TOURETTES you insensitive FUCKING FUCKER!

    13. Re:Scary Good or Scary Bad? by lazy_playboy · · Score: 1

      Nobody gives a shit

    14. Re:Scary Good or Scary Bad? by Anonymous Coward · · Score: 0

      Nobody gives a shit.

    15. Re:Scary Good or Scary Bad? by perryizgr8 · · Score: 1

      Nobody gives a shit

      true.

      --
      Wealth is the gift that keeps on giving.
    16. Re:Scary Good or Scary Bad? by Anonymous Coward · · Score: 0

      Let me clarify my previous statement. Nobody gives a shit about your self promoting masturbation as in "little above the bullet-dodging capabilities of the average FOSS user". Are you really a KDE man? Really? Cuz this thread has nothing to do with that, and even if it did nobody gives a shit about your personal preference. That's what I meant by "nobody gives a shit".

    17. Re:Scary Good or Scary Bad? by Anonymous Coward · · Score: 0

      I do, so hereby you've been proven wrong.

    18. Re:Scary Good or Scary Bad? by 7+digits · · Score: 1

      Security patches are good. For instance, java has a remote execution issue that is 5 month old. See this blog

      In that page, you have a link [BEWARE, DON'T CLICK], which will execute arbitrary code (the guy says it is harmless, I believe him, but you don't have to), on your fully-patched, up-to-date OSX. I checked it, it works.

      So, well, I, for one, guess that a high bug fix list is a good thing. I wish that Apple fix list count was one higher.

    19. Re:Scary Good or Scary Bad? by Anonymous Coward · · Score: 0

      I like AC's

      That doesn't make sense.

      You like AC's what?

      Adding an apostrophe doesn't make a word (or acronym) plural. If you use an apostrophe, you make the word possessive, e.g. "I like AC's humor". I think what you meant to say was "I like ACs, there's not enough humour in this world and ACs fill it.".

      Love from your AC apostrophe troll

    20. Re:Scary Good or Scary Bad? by daveime · · Score: 1

      Nobody *important* gives a shit. FTFY.

    21. Re:Scary Good or Scary Bad? by Bert64 · · Score: 3, Informative

      It benefits hackers immensely, if you have a new 0day exploit you start using it on exploit wednesday, or possibly a couple of days earlier on the basis they can't patch it that quick... then you are guaranteed at least a month before anyone will be patched against it.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    22. Re:Scary Good or Scary Bad? by Bert64 · · Score: 2, Insightful

      MS aren't so bad when it comes to security updates, they keep providing updates for several years after a particular version was released, such that by the time they stop very few people will still be using it, and those who are will usually be companies who made an explicit decision to stick with the old version.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    23. Re:Scary Good or Scary Bad? by Bert64 · · Score: 1

      You also have to consider the differing disclosure models...
      For an OSS distribution, all of the development is done in public so everything becomes public knowledge...

      For commercial software, disclosing that your product has bugs, especially exploitable ones, is bad for business. Now when someone else finds a bug it's pretty much unavoidable so you just play nice and go along with it.. But what about bugs which are found internally? Quite often these will never be disclosed and may not be patched, some are patched silently (slipped in with other updates).

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    24. Re:Scary Good or Scary Bad? by marafa · · Score: 0

      i wonder if this is just coincidence that they released such a large number on the same day that Leonidas was released upon the world?

      --
      _ In Egypt Networks: Network Solutions with a Twist
    25. Re:Scary Good or Scary Bad? by plague3106 · · Score: 3, Informative

      They have released patches out of band before for high risk exploits.

    26. Re:Scary Good or Scary Bad? by Anonymous Coward · · Score: 0

      I like apostrophe's too. AC's and Apostrophe's of the world unite!

      The apostrophe is my mental way of knowing when the abbreviation stops--as long as you know what I meant it is all good.

    27. Re:Scary Good or Scary Bad? by Phroggy · · Score: 1

      If somebody got a full list of bugs / sec updates for linux everymonth (all software), i'm quite sure that "31" would be quite a low number.

      Slackware has released three security patches in the past 30 days: Cyrus-SASL, Pidgin, and NTP. 31 doesn't sound low to me.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    28. Re:Scary Good or Scary Bad? by Anonymous Coward · · Score: 0

      Problem: When someone writes "banana's" on the sign at the supermarket. Gets to me every single time...

    29. Re:Scary Good or Scary Bad? by Anonymous Coward · · Score: 0

      Assuming you're running on the same hardware, with a relatively recent video card, cpu, etc., your Windows install should be no slower, and quite probably faster at running 3d games as compared to the *BSD box. If it is slower, you're either starving it for resources, or just have it misconfigured. And I'd guess that a lack of resources for the OS would count as misconfigured as well, so that's what it really boils down to.

  3. I'm sure they could do better by Centurix · · Score: 5, Funny

    Next tuesday they could double that amount with the right attitude...

    --
    Task Mangler
    1. Re:I'm sure they could do better by Centurix · · Score: 0, Offtopic

      Christ alive, this was marked troll before it refreshed after I posted it! Steady on with that Troll mod Windows users, it's like a loaded gun.

      --
      Task Mangler
    2. Re:I'm sure they could do better by Anonymous Coward · · Score: 0

      How is parent troll? There are definitely more bugs to fix in Windows than 31.

    3. Re:I'm sure they could do better by Anonymous Coward · · Score: 0

      in honor of your downmodded posts, i offer this great MS quote:

      "and even Macs if you have them."

      haha right there you have it, they do acknowledge the existence of Macs.

    4. Re:I'm sure they could do better by shutdown+-p+now · · Score: 1

      Next tuesday they could double that amount with the right attitude...

      They couldn't, but you can. Time to blow the dust off your father's trusted debugger!

    5. Re:I'm sure they could do better by Opportunist · · Score: 1

      And get sued for copyright infringement? No thanks.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:I'm sure they could do better by Centurix · · Score: 1

      You mean Dr. Watson Snr?

      --
      Task Mangler
    7. Re:I'm sure they could do better by Spud+Zeppelin · · Score: 1

      This may be the best snark in history...! :)

      --

      MOO;IANAL.
      There used to be a picture linked here.

  4. at least... by inode_buddha · · Score: 0, Offtopic

    Well, at least they *are* disclosing and patching. But then again, I switched to linux back during Win98.

    --
    C|N>K
  5. Comment removed by account_deleted · · Score: 4, Funny

    Comment removed based on user account deletion

  6. Microsoft is too big to fail by shanen · · Score: 4, Insightful

    Microsoft has become a single point of failure that poses an unacceptably enormous risk to our society's normal functioning. Consider it in light of the birthday paradox. Even if each failure is 99% safe, sooner or later we're going to have a major Warhol Worm that brings the entire Internet to its knees--along with large portions of the world's economy. Actually, I'd wager that the NSA already has the capability, and probably several other state actors, too.

    Massive monoculture is always dangerous. The dinosaurs seemed incredibly successful, too, but too many of them were too similar--and look what happened. In diversity there is strength.

    I'm not saying we should kill Microsoft. Just cut it up into four or five small pieces, give each of them a copy of the source code, and tell them to run with it. No non-public communications permitted, and let the customers actually have the MEANINGFUL freedom to pick and choose. Not only will there be more pressure to produce new versions, but within a few versions we'll have enough diversity to prevent totally massive fails.

    Point of clarification: I'm not arguing against standards--but they need to be open and agreed upon, not imposed by and for the sake of monopoly.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    1. Re:Microsoft is too big to fail by Daniel+Dvorkin · · Score: 3, Insightful

      While I agree that the Windows monoculture is a bad thing, I think it's important to remember that you could kill every single Windows machine in the world and most of the infrastructure that runs the internet would keep humming along quite happily. What's at risk is primarily desktops and corporate (intranet) servers. Losing these machines would be bad, but "brings the entire Internet to its knees" is an exaggeration. Admins would just cut off the infected machines and keep going.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    2. Re:Microsoft is too big to fail by shanen · · Score: 3, Funny

      To the spineless cowardly censorious moron with the negative mod points:

      Exactly what part of the post were you unable to understand? If you don't ask questions, you'll just continue being a bloody ignorant twit.

      And your mother wore army boots, too.

      However, I do thank you for your additional evidence of the quality of most of the moderation on /.--but it was scarcely needed. I've pretty much given up looking for funny or witty posts these days. A moderation of +5 funny apparently means that some moderators recognized at least one of the traditional 'funny' memes in the post.

      Me? I've quit playing the moderation game and opted out of moderation long ago. If /. wasn't so poorly programmed, I suppose that might exempt my posts from moderation. Something like 'judge not and be not judged'?

      --
      Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    3. Re:Microsoft is too big to fail by shanen · · Score: 4, Interesting

      Acknowledged. I should clarify that I am thinking of a Warhol Worm that includes a rooted backdoor for a large-scale DDoS attack. We've already had plenty of problems with zombots around 10^4, but imagine the hassles of a 10^7 zombot... I don't think it would be possible to simply cut the infected machines off the net, but rather it would be necessary to partition the entire network and rebuild in pieces.

      --
      Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    4. Re:Microsoft is too big to fail by Anonymous Coward · · Score: 0

      Yes, fortunately this has only been done to Unix so far (Morris worm).

    5. Re:Microsoft is too big to fail by wvmarle · · Score: 4, Informative

      Massive monoculture is always dangerous. The dinosaurs seemed incredibly successful, too, but too many of them were too similar--and look what happened. In diversity there is strength.

      In numbers there is strength as well. There is quite some evidence that birds are the living direct descendants of the dinosaurs - and in a way I have always been puzzled on how it would be possible that all dinosaurs would become extinct but other types of animals (mammals, crocodiles) not. Dinosaurs were often huge animals, so relative few numbers before the earth is full. That is more likely to have been their undoing. When 90% gets killed, finding a mate becomes really hard due to the huge distance between individuals.

      Windows is so huge in numbers that it is almost impossible to extinct. Almost always there will be some Windows computers surviving somewhere, forgotten on grandma's table, not connected to the Internet even maybe and happily moving on alone. It is impossible to wipe them all out, there are too many of them.

      OS/2 is virtually extinct - some installations hanging on for dear life but there were so few of them... BeOS saw the same fate... and so there are more. Dead branches on the tree of evolution, they could not multiply sufficiently to weather the competition.

      Windows is of course at risk of disease: all individuals are so similar they can easily infect one another. Some have better immune systems (firewalls, more patches installed) and may survive longer - they may even survive the main onslaught and survive the virus which itself may die out due to not enough hosts left to infect. That is after all what happened to the Spanish Flu: this strain disappeared because in the end all hosts were either immune or had died. There were virtually no fresh hosts available for the virus to survive.

      Linux is reaching sufficient numbers now to also be impossible to become extinct, and add to that the large diversity in systems giving the species great immunity. Yes some groups may be vulnerable to a certain virus, others will be immune and sit out the disease. Then the ones killed by the virus will be replaced by new, immune systems and the species as a whole becomes stronger.

      At the moment actually I can not think of other operating systems that are as diverse as the Linux platform. BSD is a candidate but only three major flavours available. Windows certainly is no candidate, it's all the same.

    6. Re:Microsoft is too big to fail by gbarules2999 · · Score: 1

      Dude, you got a 5+ Insightful. Settle down.

    7. Re:Microsoft is too big to fail by symbolset · · Score: 3, Insightful

      Why is it these days that when I see the words "too big to fail" attached to a company that I automatically imagine it is secretly burning down from within?

      It's not a few compromised hosts. It's several millions under the control of no more than ten people. Any one of them could shut down the Internet, and would if they saw a profit in it.

      --
      Help stamp out iliturcy.
    8. Re:Microsoft is too big to fail by BronsCon · · Score: 1

      For pure irony, I mod you +5, Fail.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    9. Re:Microsoft is too big to fail by Kjella · · Score: 4, Insightful

      Back in the days of the Microsoft worms there was no default firewall and many default network exposed services, find one flaw in something and you could infect pretty much every other Windows machine on the net. They learned from that, and now there's very little chance of a machine being infected unless the machine calls out, either it's checking mail, browsing the web or whatever. Diversification is overrated, pretty much all *nix boxes use OpenSSL so how's that not a major monoculture? Or Apache for web hosting? Find me a remote exploit in the default config with no login info and you'll see full-blown panic in no time. Except that you don't. Nor has there been a major IIS security issue for ages either.

      Computers don't act randomly. You minimize the contact area, analyze the heck out of it until you're really, really sure that it's correct with formal proof if you damn well please and then it will act that way. Always. Making five clones only gives you the chance to implement a bug five times more. And if it's really more sensitive than that, there's always firewalling off those entire networks. Code does not travel by magic, in short unless there's a secret port knock the NSA can do to make Windows bring down its own defenses it's not going to happen. Not anymore than I think you can break my Linux box.

      --
      Live today, because you never know what tomorrow brings
    10. Re:Microsoft is too big to fail by Anonymous Coward · · Score: 0

      You saying Microsoft = Ma Bell?

    11. Re:Microsoft is too big to fail by shanen · · Score: 0, Offtopic

      The initial mods were negative, presumably to stifle discussion of those aspects of the topic. My reply to that moron was mostly because I conclude that I've suffered too many /. fools too gladly in the past.

      However, it should also be obvious that I'm somewhat seriously concerned by the potential of a Warhol Worm to build a very large zombot very quickly. There were several replies that considered variations on the configurations, but my focus is just on any open vulnerability that can be exploited without user involvement on the default configuration of Microsoft's most dominant OS of the day. I'm not sure how many machines are on the Web at any time, but I am sure that the biggest monoculture is pre-pwned by Microsoft. According to http://www.internetworldstats.com/, the current Internet user population is around 1.5 billion... Now I think I've scared myself by thinking it through...

      As far as being insightful, I think that's a different stretch for that post, but I'm not supposed to complain about that, am I? It's more in the sense of a revelation, which a wise friend told me is always obvious--AFTER you hear it.

      Seems a waste to include suggestions for improvements to the fossil that /. has become, but... In general I think the moderation system should be more directly reflected in the dimensionality of the karma, and the dimensionality of the moderation should be cleaned up. People with high karma in a particular dimension should have extra clout in that dimension, but in general the mod points should be much more widely distributed. I also think the mod point reporting should be logarithmic. I got to playing with the numbers and now feel like the natural log would be better than the base-10 log. That would mean that +5 funny would have to have about 150 mod points behind it.

      --
      Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    12. Re:Microsoft is too big to fail by Anonymous Coward · · Score: 0

      Your premise is rather idiotic.
      Also, there were plenty of small dinosaurs, and calling dinosaurs extinct when you are living with their direct descendants is a bit silly, but anyway...

    13. Re:Microsoft is too big to fail by TheVelvetFlamebait · · Score: 0, Offtopic

      Me? I've quit playing the moderation game and opted out of moderation long ago.

      If you want to make the moderation system better, you might consider contributing.

      If /. wasn't so poorly programmed, I suppose that might exempt my posts from moderation. Something like 'judge not and be not judged'?

      Sure, that could work. But, of course, you would have to start at -1 in case you started posting links to goatse or attack sites in all your posts, but at least there would be no chance of you being modded up!

      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    14. Re:Microsoft is too big to fail by Opportunist · · Score: 1

      Funny enough, the internet itself would survive, since most of it does actually not depend on Windows. What would probably take a huge hit is the economy, considering that most companies rely on Windows for processing and storage.

      Tempting, I tell you, tempting the dark side is...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    15. Re:Microsoft is too big to fail by lazy_playboy · · Score: 1

      Dude. You must have a pretty good life to be able to get so worked up about this.

      http://xkcd.com/386/

    16. Re:Microsoft is too big to fail by Anonymous Coward · · Score: 0

      In numbers there is strength as well. There is quite some evidence that birds are the living direct descendants of the dinosaurs -

      Windows is a little tweeting bird chirping in a meadow. Windows is a wreath of pretty flowers which smell BAD. Are you sure your circuits are functioning correctly? Your ears are green.

    17. Re:Microsoft is too big to fail by shanen · · Score: 0, Troll

      Your comment is constructive how?

      Not certain, but from the short example of your writing, I'm already inclined to believe you should designate me as your foe so that I won't see you in the future. I'm also inclined to believe this request is too polite.

      And in conclusion, this 63-word reply seems to be 64 more words than your comment merits.

      --
      Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    18. Re:Microsoft is too big to fail by TheLink · · Score: 1

      If the zombie machines use up too much of the bandwidth - the users or ISP will notice and the relevant zombies get dealt with.

      When that happens it's not that difficult for an ISP to cut the infected machines off the net if they become a big problem.

      However with 10^7 zombies if each zombie just DoSed a target at even as low as 128kbps per zombie it still works out to 152GBps. While some grandma in Sweden might be OK with that, many less well connected sites will still get crushed.

      IMO the big problem is at low speeds like tens to hundreds of kbps per zombie, the ISPs and users of zombies won't notice, and so won't do anything.

      Only the target and the target's ISP will be affected. If the zombies have an even more intelligent "back off" scheme it's even worse - the target's ISP might not even be affected - it just looks like the target being maxed out.

      In which case good luck calling up and convincing the rest of the world to help you with your very personal problem :).

    19. Re:Microsoft is too big to fail by Anonymous Coward · · Score: 0

      While I agree that the Windows monoculture is a bad thing, I think it's important to remember that you could kill every single Windows machine in the world and most of the infrastructure that runs the internet would keep humming along quite happily. What's at risk is primarily desktops and corporate (intranet) servers. Losing these machines would be bad, but "brings the entire Internet to its knees" is an exaggeration. Admins would just cut off the infected machines and keep going.

      I'm confused. Your low UID seems to indicate that you've been on the Internet for a while. Have you seriously never tried to use the 'net during a serious worm outbreak? These sorts of things slow everything to a crawl and can definitely affect connectibility. Now, they don't happen often, but it happens.

      The problem isn't the Windows machines going down, it's the explosion that they emit as they try to take everything else with them. "just cutting off the affected machines" brings thousands of people into work for extremely stressful emergency shifts trying to stem the crapflood.

    20. Re:Microsoft is too big to fail by TheVelvetFlamebait · · Score: 0, Offtopic

      Your comment is constructive how?

      Not in the slightest. ;)

      Well, maybe you will consider participating in the moderation system (God knows it needs some variation), but other than that, it's not at all constructive.

      Lighten up! It's just Slashdot.

      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    21. Re:Microsoft is too big to fail by tiggertaebo · · Score: 1

      Who cares that web/dns servers etc keep running if there are no clients to make use of them?

    22. Re:Microsoft is too big to fail by Bert64 · · Score: 1

      Consider that most of the people running that network infrastructure and even many unix systems perform their administrative functions from windows workstations...
      Also IIS has about 1/3 of the web market, so 1/3 of websites would go offline...
      A serious Windows failure would screw up a lot of things.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    23. Re:Microsoft is too big to fail by Saba · · Score: 1

      Or send out an anti-infection worm, that cleans out the host and itself.

    24. Re:Microsoft is too big to fail by Shrike82 · · Score: 1

      Massive monoculture is always dangerous. The dinosaurs seemed incredibly successful, too, but too many of them were too similar--and look what happened. In diversity there is strength.

      I think you might have chosen a bad analogy - I'm fairly sure that the diversification (or not) of computer operating systems will have no effect on meteors impacting the Earth.

      --
      You can advertise in this sig from as little as £99.99 a month!
    25. Re:Microsoft is too big to fail by johneee · · Score: 2, Insightful

      And after millions (billions?) of dollars spent by the government and by us, and a whole lot of confusion, ten years later there would be just one again because they'd merged/failed or bought each other. In fact, the only people that would really do well would be the major shareholders of the companies who would of course (as always) make off like bandits. Just like Bell.

      --
      - ------- There are ten kinds of people in the world. Those who understand binary, and those who... Huh?
    26. Re:Microsoft is too big to fail by Anonymous Coward · · Score: 0

      Didn't you write this same crap yesterday on another topic? Do you have this generic post sitting open on notepad hoping to copy & paste a couple of times a day?

    27. Re:Microsoft is too big to fail by D+Ninja · · Score: 1

      In numbers there is strength as well. There is quite some evidence that birds are the living direct descendants of the dinosaurs - and in a way I have always been puzzled on how it would be possible that all dinosaurs would become extinct but other types of animals (mammals, crocodiles) not. Dinosaurs were often huge animals, so relative few numbers before the earth is full. That is more likely to have been their undoing. When 90% gets killed, finding a mate becomes really hard due to the huge distance between individuals.

      It's not a car analogy...cannot parse...

    28. Re:Microsoft is too big to fail by westlake · · Score: 2, Interesting

      Microsoft has become a single point of failure that poses an unacceptably enormous risk to our society's normal functioning.

      The geek has been piping this tune since the launch of the IBM PC

      - and we are all still here.

      Even if each failure is 99% safe, sooner or later we're going to have a major Warhol Worm that brings the entire Internet to its knees--along with large portions of the world's economy. Actually, I'd wager that the NSA already has the capability, and probably several other state actors, too.

      If you want to bring the Internet down - and keep it down - what you really need is a dragline to snag the right cables.

      The geek's magical - whimsical - Warhol Worm is little more than a distraction.

      You can do far more damage by simply mismanaging the traffic that flows through Google.

      The Windows client OS or app runs spends most of its time off-line or within the relatively safe confines of a corporate Intranet or a local ISP.

      It should not be impossible to isolate the problem.

      I'd take a small side bet that the clueless user on Automatic Updates will be adequately protected by the patch that has been sitting on the geek's PC for the last four months.

      The dinosaurs seemed incredibly successful, too, but too many of them were too similar--and look what happened. In diversity there is strength.

      I'd say a 185 million year run is incredibly successful.

      The dinosaurs were taken out by an event that erased more than 70 percent of Earth's living species.
      "Dinosaur-Killer" Asteroid Crater Imaged for First Time

      Plants. Animals. Proto-life forms.

      When you get down to the basics we are not so very different after all.

      That is the real lesson here.

      Tech is the geek's Maginot Line.

      It never reaches as far as it needs to. Impressive when seen head-on. Not so much from the backside.

      So strike from the rear. You strike at weaknesses in the user. In the administrator. The developer. The man behind the curtain.

      Point of clarification: I'm not arguing against standards--but they need to be open and agreed upon, not imposed by and for the sake of monopoly.

      Of course you are arguing against standards.

      It is rare when standards do more than codify practice. Standards create a monoculture of their own.

      Standards emerge from committees who are ridden by internal political, ideological and economic rivalries and whose progress is glacially slow.

      The entrepreneur takes the losses he must, but his real interest is in staking out new ground - and he moves very quickly.

    29. Re:Microsoft is too big to fail by Anonymous Coward · · Score: 0

      And my netbook. It's the last one apparently running Linux.

      I think it's overblown. if there's a GDI patch, then WSUS counts it for each supported OS version. So that fix would count as six patches.

      Honestly, it seemed like a light month, especially after worrying about conficker last month.

      patch your workstations, have a good firewall, watch your virus scanner logs, implement an IPS and a good up to date proxy. If all else fails, make sure you have a good automated reimaging process.

      Welcome to running an enterprise in the 2000's.

      Course, the security team's running on macs, and the IDS's are all unix running snort.

    30. Re:Microsoft is too big to fail by RocketRabbit · · Score: 1

      "Back in the days of the Microsoft worms..."

      OK you already lost me.

      Despite the housecleaning Microsoft is still THE hosting platform for literally thousands of botnets.

  7. Even Macs? by Anonymous Coward · · Score: 0, Troll

    "You've got to work everywhere, servers and workstations, and even Macs if you have them."

    I don't have Microsoft Office on my Mac.

    Fuck you and your dumbass comment that tries to make Mac OS X look as insecure as Windows.

    1. Re:Even Macs? by TSHTF · · Score: 3, Informative

      Apple isn't much better. The official security fixes in Safari 4.0, released yesterday, are for a total of _47_ vulnerabilities. Microsoft has a long way to go.

    2. Re:Even Macs? by Yvan256 · · Score: 4, Insightful

      Safari 4 was beta before yesterday.

    3. Re:Even Macs? by Daniel+Dvorkin · · Score: 1, Interesting

      Apple isn't much better. The official security fixes in Safari 4.0, released yesterday, are for a total of _47_ vulnerabilities. Microsoft has a long way to go.

      It looks like almost half the vulnerabilities listed are only for the Windows version of Safari, which means it's probably a matter of Apple having to clean up after Microsoft's bad security practices. Trying to write secure software is a PITA when the OS is fighting you at every turn.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    4. Re:Even Macs? by Anonymous Coward · · Score: 0

      Or that the fixes are included as part of the OS's updates on OS X. Safari on Windows ships with libraries that the OS X version doesn't have because they're already there for it to use, so any patch related to those libraries will count as part of a Safari update on Windows but not OS X.

    5. Re:Even Macs? by Opportunist · · Score: 0, Troll

      So? Windows has been beta for as long as I know it, MS just thought it would sell better if named "final".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Even Macs? by daveime · · Score: 1

      "Java VM allows arbitrary code execution on Mac OSX".
      (Repeat 10 times until you get it).

      And before you start about how that's "not the same" because Sun is a different company, consider this. XP SP3, Vista, Windows have all been progressively more secure. ActiveX and driveby installs are *almost* a thing of the past, and the last major bad shit was Sasser Worm and the likes that exploited open services.

      But nothing will stop some lemon installing the latest screensaver, or 1000 email smileys onto their system, and once the trojan or whatever is *inside* the machine calling out, there's not a lot you can do on *any* O/S. For me now, I don't worry so much about the core Windows anymore, but fret every time my wife or kids installs something they got off the net.

    7. Re:Even Macs? by Anonymous Coward · · Score: 0

      Apple isn't much better. The official security fixes in Safari 4.0, released yesterday, are for a total of _47_ vulnerabilities. Microsoft has a long way to go.

      don't you even try?
      please, next time try harder, please

      stupid noob troll

    8. Re:Even Macs? by Anonymous Coward · · Score: 0

      Do like i did. They use the system inside a VM (virtualbox or vmware).

      If anything happens it's in a sandbox. At worst you delete the infected VM and put another one in... You never have the original OS plagued.

  8. The positive side of the Borg icon by petrus4 · · Score: 4, Insightful

    Squashing 31 vulnerabilities in a single patch, is, in a word, efficient. "Embrace and extend," might be a negative part of the Borg ethos, but I give Microsoft credit for displaying the positive side of it, as well. ;-)

    1. Re:The positive side of the Borg icon by Opportunist · · Score: 1

      What would be efficient would be squashing zero vulnerabilities.

      Ponder why.

      Yes, I know it's almost impossible to write bug free software. But I also know what kind of bugs are fixed, and some are of the "aww heck, you're kidding, they did WHAT?" kind.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:The positive side of the Borg icon by Just+Some+Guy · · Score: 3, Interesting

      Squashing 31 vulnerabilities in a single patch, is, in a word, efficient.

      Well, that's one way to positively spin "sat on patches until there were enough to bother with".

      --
      Dewey, what part of this looks like authorities should be involved?
    3. Re:The positive side of the Borg icon by Anonymous Coward · · Score: 0

      Well, that's one way to spin "I'm a fucking idiot who won't even be happy when MS fixes more bugs in their software, instead I'll come up with 9th grade conspiracy theories".

    4. Re:The positive side of the Borg icon by Just+Some+Guy · · Score: 1

      I don't use Windows and don't care one way or another. Strawman conspiracy theories aside, though, it's an undeniable fact that MS holds onto patches. That's the very definition of Patch Tuesday!

      --
      Dewey, what part of this looks like authorities should be involved?
  9. How many, really. by bertoelcon · · Score: 1

    It's not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow.

    Meaning the ones they don't disclose grow until something like this looks like a bunch were found and fixed at once.

    --
    Anything can be found funny, from a certain point of view.
  10. Mod parent up. by Anonymous Coward · · Score: 0

    Damn. Wish I still had those mod points. This guy is right.

  11. Re:M-M-M-M-M-onster Patch! (n/t) by Techman83 · · Score: 1

    Is it sad that I could hear the UT voice in my head when I read the subject? Oh the hours spent fragging on UT!

    --
    # cat /dev/mem | strings | grep -i cat
    Damn, my RAM is full of cats. MEOW!!
  12. Vulnerabilities? by Korbeau · · Score: 4, Insightful

    Vulnerabilities? What does this word mean? "31 vulnerabilities, including 18 bugs marked as critical."

    In my mind a bug and a vulnerability are 2 different things, one englobing the other.

    Let me get this straight ... if you're telling me my computer has a "vulnerability", it means I got chances to get a notepad.exe application start out of nowhere with the words "I've hax0r Ur C8mput8r" or something in my face.

    Reading the article I don't know if it's some random critical bug in some MS application, or if it depends on me running a service in X or Y situation and the attacker is in the intranet or whatever, or if I need to go to a very *very* untrusted site that even Avast! won't let me do to get attacked ... please be specific!

    Every month or so there are such articles about MS patches ... hell, let's do this with every god-damn software patches around? With Ubuntu you get to install patches every week also! Heck, the Java upgrader thingy pops-up every month too.

    What does "vulnerabilities" mean, in this context, seriously? Am I in danger?

    1. Re:Vulnerabilities? by Culture20 · · Score: 1

      Let's put it this way: I saw a drive by download on a fully patched Vista SP2 machine with IE8 on Friday. If the user had been in the admin group, it could have been owned. Now with http://www.microsoft.com/technet/security/Bulletin/MS09-025.mspx I'm not so sure (why does it say valid creds are needed? Could a drive-by exploit it?).

    2. Re:Vulnerabilities? by zonky · · Score: 3, Informative

      If the user had UAC disabled, they w/could have been owned. Being in the admin group on Vista shouldn't in itself allow a drive by to write files outside the user's home folders. Same if you were running safari with sudo on OSX, or Firefox as root on Linux. Any user running as admin/root is a fool. Of course, if the code you do run in your drive by download can hit a privilege escalation vulnerability on the os, all bets are off....

    3. Re:Vulnerabilities? by Kjella · · Score: 4, Informative

      A bug is something not working as intended. Slashdot's rendering on standards compliant browsers for example.
      A vulnerability is something that can be exploited by a third party for example to crash, hang or invade your machine.

      That in itself doesn't really tell you much, is it locally or remotely exploitable, do you need valid logins, user action etc. which means it can range from trivial to critical. If you want the details, you need to read the details... that is to say MS security bulletins.

      --
      Live today, because you never know what tomorrow brings
    4. Re:Vulnerabilities? by Anonymous Coward · · Score: 0

      A bug is something not working as intended. Slashdot's rendering on standards compliant browsers for example.

      I initially read that as

      Slashdot rendering on standards compliant browsers for example.

    5. Re:Vulnerabilities? by mpe · · Score: 1

      A bug is something not working as intended. Slashdot's rendering on standards compliant browsers for example.

      Bugs can be anything from trivially annoying to "show stopper".

      A vulnerability is something that can be exploited by a third party for example to crash, hang or invade your machine.

      This "third party" can include the end user. In the case of servers or where it is possible to elevate privileges of a thread/process/etc.

      That in itself doesn't really tell you much, is it locally or remotely exploitable, do you need valid logins, user action etc. which means it can range from trivial to critical.

      The severity can depend very much on the context. e.g. crashing a terminal server is likely to be a rather bigger issue than crashing an individual workstation. Even if exactly the same bug is involved.

    6. Re:Vulnerabilities? by jonaskoelker · · Score: 1

      A bug is something not working as intended. Slashdot's rendering [...]

      Snipped, but not so as to change the meaning ;)

    7. Re:Vulnerabilities? by jawahar · · Score: 1

      I think Govt must mandate to OPEN SOURCE these 31 vulnerabilities, including 18 bugs so that customers can evaluate the direct and indirect impact on their other software systems.

  13. This explains the update warning at work by ErikInterlude · · Score: 1

    I work in a department that uses mostly Macs (the rest of the company using PCs, as would be expected). Since we mostly use Macs, and since our IT people have explicitly stated they don't service Macs, we were a little confused when an email went around saying not to update our systems until IT had a chance to clear it. Obviously it was never meant for my department, but given the breadth of fixes, I'm wondering what kind of hell IT will catch if the Sales or Admin departments get updated and find applications broken.

    Has anyone had anything break from this update, or has it been smooth sailing?

    --

    --Erik
    1. Re:This explains the update warning at work by Anonymous Coward · · Score: 1, Funny

      Has anyone had anything break from this update, or has it been smooth sailing?

      Well, at first everything seemed fine but then ÙS ØÙÙSÙÙ... ØÙØØÙÙS ÙØØÙر ÙØØØ¦Ø ØÙØÙØØ®ØØØØ ØÙÙÙSØØÙSØ© ØÙÙØÙØÙÙSØ© ØÙØÙS ØØØØ ÙÙ...ØÙØØ© ØØØÙÙ ÙÙÙ 14 ØØØØ± ÙØÙÙ...ØØÙÙÙSÙ ØØÙØÙØÙ

    2. Re:This explains the update warning at work by cupantae · · Score: 1

      I work in a department that uses mostly Macs (the rest of the company using Windows, as would be expected). Since we mostly use Macs, and since our IT people have explicitly stated they don't service Macs, we were a little confused when an email went around saying not to update our systems until IT had a chance to clear it. Obviously it was never meant for my department, but given the breadth of fixes, I'm wondering what kind of hell IT will catch if the Sales or Admin departments get updated and find applications broken.

      Has anyone had anything break from this update, or has it been smooth sailing?

      --
      --
    3. Re:This explains the update warning at work by ls671 · · Score: 1

      It is strange that your Sales and Administration users have the ability to run Windows update by themselves...

      --
      Everything I write is lies, read between the lines.
    4. Re:This explains the update warning at work by drsmithy · · Score: 1

      Obviously it was never meant for my department, but given the breadth of fixes, I'm wondering what kind of hell IT will catch if the Sales or Admin departments get updated and find applications broken.

      As much as they deserve for putting their users in a position where they _can_ install the patches.

    5. Re:This explains the update warning at work by Culture20 · · Score: 1

      Well, there were semi-recent updates for 10.5 too.

    6. Re:This explains the update warning at work by Sporkinum · · Score: 1

      Has anyone had anything break from this update, or has it been smooth sailing?

      I'm not sure as I didn't hang around to see it finish. I did notice that it stuck the IE8 install back in after I had hid it when it showed up the first time. I hid it again, and won't let it install until I know for sure it won't break anything. My Windows box is my DVR and I don't want it to hose my ability to record and stream shows.

      --
      "He's lost in a 'floyd hole"
  14. This is a good thing by syousef · · Score: 4, Insightful

    We already know Windows has vulnerabilities and that there are exploits in the wild. The design isn't going to magically change. So the fact that we're getting more patches is a good thing. We can't whine when we don't get patches then whine when we do! My only question is do these patches break any existing functionality, and if so is this clearly documented?

    --
    These posts express my own personal views, not those of my employer
    1. Re:This is a good thing by wvmarle · · Score: 3, Interesting

      A proper patch would imho only be able to break existing functionality if:

      • it changes the behaviour of a publicly documented API (it shouldn't but it can be documented),
      • the software providing the functionality uses an undocumented API or uses a bug workaround, the first it shouldn't do in the first place and the second is up for debate whether it's good to do or not.

      Changing a documented API should happen only between OS version changes, the second is more likely. And considering the number of bugs and undocumented API calls included in Windows that may well be a serious issue. Documenting the patch will never warn one of these issues: the undocumented API calls are, well, undocumented so technically they do not exist, and it is impossible to know beforehand which bug workarounds there are in software, if any.

      So assuming MS writes their patches properly, no documented functionality will change. It may change to what the documents say it does, it may internally change giving the same end result - so no matter the documentation, testing would be the only way to make sure that your specific set of third-party or in-house software still works.

      And I'm sure the above accounts for open source software as much as it does for closed source.

    2. Re:This is a good thing by syousef · · Score: 2, Interesting

      I've seen patches - especially security patches - that break functionality in the past. Ones from MS that come to mind include breaking the ability to open older versions of Office documents and transmitting certain file extensions in Outlook. Both of those were in an Office Service pack. I have a vague recollection of other problems caused by patches but I don't have solid links. Google the phrase "windows update breaks" without the quotes.

      --
      These posts express my own personal views, not those of my employer
    3. Re:This is a good thing by Anonymous Coward · · Score: 0

      To support that statement, in the decade or so that I've been doing this in enterprise-level engagements I've never seen anything break with any M$ patches except service packs (we all remember NT4's SP5, right?). That being said, you get the choice: a) test first; b) provide yourself some sort of rollback (VM's, blades, etc); c) scramble to fix it when it does break.

    4. Re:This is a good thing by Ol+Olsoc · · Score: 1
      Can I print and give your post to the boss? For some reason he doesn't look at it that way, and maybe he'll feel better about his computer not working.

      Problem is, patches DO break functionality.

      I don't care whether they are proper or not - ground truth is that they do.

      --
      Why is this even on SlashDot?... Why is this even on Slashdot?...Why is this even on Slashdot?
  15. This is either good or bad by Anonymous Coward · · Score: 0

    the number of vulnerabilities [Microsoft discloses] continues to grow.'

    This is either good or bad. I cannot tell without knowing the history of their disclosure to (stuck in the pipeline) ratio.

  16. Re:M-M-M-M-M-onster Patch! (n/t) by cupantae · · Score: 5, Funny

    I was working on the PC late one night
    When my eyes beheld an eerie sight
    For bug on windows began to rise
    And suddenly to my surprise

    THEY DID THE PATCH
    They did the monster patch
    THE MONSTER PATCH
    It was a vulnerability smash
    THEY DID THE PATCH
    They caught them in a flash
    THEY DID THE PATCH
    They did the monster patch

    From my computer seat in the office east
    To the master Ballmer where the vampires feast
    The faults all came from their humble abodes
    To get a jolt from my electrodes

    THEY DID THE PATCH
    They did the monster patch
    THE MONSTER PATCH
    It was a vulnerability smash
    THEY DID THE PATCH
    They caught them in a flash
    THEY DID THE PATCH
    They did the monster patch

    ...and so on. I only really wanted to say that your comment made me sing that song, but really it is way longer than I care to do a half-assed parody.

    --
    --
  17. Apple Safari Jumbo Patch 50+ Vulnerabilities Fixed by BSDetector · · Score: 5, Insightful

    So where is the Slashdot article on the following? It's as current as the Microsoft article from ZDNet! I guess as long as it puts Apple in a bad light - it gets ignored or even censored. But if it can be interpreted as Microsoft=BAD then let's up the font size and BOLD the headers!

    "Apple Safari Jumbo Patch 50+ Vulnerabilities Fixed" - http://blogs.zdnet.com/security/?p=3541/

    Hypocrites!

  18. Re:M-M-M-M-M-onster Patch! (n/t) by garphik · · Score: 1

    Ahh UT GOTY vintage gold....

  19. 5 critical updates for me by Mistlefoot · · Score: 1

    I am currently using Windows Vista, that was, as of 1 week ago, up to date. I am also using IE 8. I have Office 2003 on this machine. I have automatic updates turned off as I do them weekly and like to see what is coming in.

    After reading the headline here I instantly closed firefox, opened IE and did my updates (and for Office too). 5 were listed critical. There were a total of 9 updates and some of those were for hardware.

    Reading the article does not offer clarity but I suspect that this includes updates for different OS'es, different versions of Office and different versions of IE. The sentence "work everywhere, servers and workstations, and even Macs" implies that these were updates involving every category of software Microsoft makes.

    While even 5 critical updates are too many, I really wish the article had touched on how many critical updates would be required for Vista, with IE 8 and Office 2007 (the newest version). Although I am sure greed is the larger reason, Microsoft has been trying to stop selling XP for about 2 years now but still continue to update it (and will be for some time I am sure). When talking about security my expectation is that you will be using the latest versions of Linux (pick your vendor), Windows, Apple software or even BSD. If you aren't, you wear some of the burden of responsibility as well as the OS when problems arise.

    I distrust MS as much as the next guy (as I said, I manually do my windows updates BUT set the updates to run automatically in Ubuntu), but I really wish people didn't go out of the way to make MS look bad when they do a fine job of that on their own. I hate it when MS spouts Linux FUD too.

    1. Re:5 critical updates for me by DaMattster · · Score: 1

      I agree with you to a point. Making MS look bad is fine. Personally, the company's arrogance is outstanding. When the Linux community criticizes MS, they aren't spreading fear, uncertainty, and doubt but simply telling the truth as it is. FUD is a uniquely Microsoft way of doing things. If you distrust Microsoft so much, why do you run Windows when you can do almost everything you have to do in open source? Personally, I use PCBSD and it does everything I need it to do and then some.

    2. Re:5 critical updates for me by IsaacD · · Score: 0

      "When the Linux community criticizes MS, they aren't spreading fear, uncertainty, and doubt but simply telling the truth as it is. FUD is a uniquely Microsoft way of doing things." You _HAVE_ to be kidding. No one can make a statement like this and be serious. You're either a fanboy beyond any sense known to man, or you are a complete fucking idiot. Wait - you're both.

    3. Re:5 critical updates for me by heffrey · · Score: 2, Interesting

      I've just checked out my Vista machine at work and it lists 16 updates, none of which is critical. I've got Vista SP2, IE8, Office 2007 SP2. I suspect that if you use the up-to-date versions of MS software then you will get far fewer critical updates.

      I know that it's not fashionable to give MS any credit but my experience tells me that the quality and security of MS software are much improved from the bad old days. I think any reasonable scientific measure of critical vulnerabilities would regard Windows Vista desktops as being more secure than OS X and Linux desktops.

    4. Re:5 critical updates for me by perryizgr8 · · Score: 0

      After reading the headline here I instantly closed firefox, opened IE and did my updates (and for Office too). 5 were listed critical. There were a total of 9 updates and some of those were for hardware.

      either you are lying or i am mad. you DON'T need ie for windows/microsoft update.

      --
      Wealth is the gift that keeps on giving.
    5. Re:5 critical updates for me by daveime · · Score: 1

      why do you run Windows when you can do almost everything you have to do in open source

      I think you just answered your own question.

    6. Re:5 critical updates for me by Anonymous Coward · · Score: 0

      From my experience, Ubuntu updates are more likely to destroy something. Video, audio and vmware are first candidates to die. Windows update never* destroyed anything for me (*at my desktop).

    7. Re:5 critical updates for me by Untimely+Meme+Guy · · Score: 1

      Tom boom runs on BSD? Adobe Distiller? Almost is not enough. My PC (as in personal computer) runs Ubuntu but the PC (as in Workstation) runs Windows XP and I hope I can make the jump to a Mac for the WS in the next months. But there will be always a Windows machine here because I just can't say no to a client with some bizarre windows-only-format archive. If I pay for my license, have my system up to date and clean of virus how that makes me a Windows Luzer (TM) oh please, that's the kind of attitude that keeps a really good OS in 1% of share. It's a tool not a cult nor a club. Don't lecture me how I should use my hardware to bring the bread to my table. ty very much.

  20. poem by Anonymous Coward · · Score: 0

    Ah jeez comparing linux to windows please
    we try to compare but do we dare
    they will always be two different peas

    they are both OSes,
    and windows will always need patches
    and the year of the linux desktop...we'll never see!

  21. Play Nice /. by rxan · · Score: 2, Insightful

    It's not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow.

    That's quite the underhanded comment there. Insulting Microsoft while showing that they are improving their software at the same time. Nice!

    1. Re:Play Nice /. by Celeste+R · · Score: 1

      Agreed. They are changing their business model (for the better!), they should at least get a little encouragement from us.

      Truth be told, the number of undisclosed vulnerabilities that MS has patched is... undisclosed. Take for example anti-trojan patches. How many individual patches were made to keep a single trojan from spreading? Were they lumped together and called something else?

      Never underestimate corporate ingenuity when it comes to telling a white lie. Sure, a patch is a patch, but it's not always what we think it is.

      That being said, I like honesty. I'll continue using Linux instead (and I'm dreading updating Vista now).

      --
      There are no perfect answers, only the right questions. More questions at http://foresightandhindsight.blogspot.com/
  22. pan-MS patch by Gothmolly · · Score: 1, Interesting

    Before you fanboys and trollboys come out of the woodwork, realize that this is across ALL the stuff - your precious Ubuntu or BSD would never have this many, simply because a distro is not also a browser, office suite, etc. It certainly isn't controlled and managed by the same group.

    btw posting this from an Ubuntu machine, which just pulled down 10 updates.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:pan-MS patch by CountOfJesusChristo · · Score: 3, Informative
      You're probably a troll, but in case you're simply misguided or poorly informed:

      [R]ealize that this is across ALL the stuff - your precious Ubuntu or BSD would never have this many, simply because a distro is not also a browser, office suite, etc.

      The point of a distro is that it comes bundled with lots of software. It usually does include a browser, an office suite, an image editor, and more.

      It certainly isn't controlled and managed by the same group.

      The purpose of a distribution is to have everything managed by a single group. Sure, most -- if not all -- software comes from upstream, but the same single group does manage all of the packaging and updates for the users of said distribution.

      btw posting this from an Ubuntu machine, which just pulled down 10 updates.

      If you really are posting from an Ubuntu machine, then you should know that the updater will update everything installed by default, and everything installed after-the-fact through the package manager. All other things being equal, distributions like Ubuntu should be expected to have more updates than Windows/Office/IE alone.

    2. Re:pan-MS patch by Celeste+R · · Score: 1

      Lies. Try updating Gentoo.

      --
      There are no perfect answers, only the right questions. More questions at http://foresightandhindsight.blogspot.com/
    3. Re:pan-MS patch by Ginger+Unicorn · · Score: 1

      are you a fucking retard? or do you just live in opposite-land?

      --
      (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
  23. Futile Comparison by Bunzinator · · Score: 1, Insightful

    It always amuses me when people see M$ patching a bunch of vulns, and then make a comment like 'But Umbuntu (sic) is much worserer! It patched ( m$_vulns + 10 ) this month!'... or vice versa.

    With Linux distros, you can pretty much count on the count being pretty much accurate, due to the de facto auditing that occurs as a function of the open source methodology.

    In comparison, M$'s counts are basically meaningless, unless you are one of those gullible fanbois who believe M$ would never lie. Ever.

    It's all about disclosure. Disclosure in open source is real, disclosure by the likes of M$ and Apple is pretty much based on what makes them look the best in the marketplace.
     

    1. Re:Futile Comparison by Anonymous Coward · · Score: 0

      Can you please use a few more dollar signs when you post? Right now you're at the point where I simply dismiss whatever you're saying. But verily, if you use a few dozen more, I'll start to think you're just disabled and take your opinion seriously in the name of equality and progress.

    2. Re:Futile Comparison by Anonymous Coward · · Score: 0

      Plenty of worthwhile posts use M$. Just because it's an old joke doesn't mean you should dismiss the text. The reasons for writing M$ have not changed.

  24. Re:Apple Safari Jumbo Patch 50+ Vulnerabilities Fi by MrMista_B · · Score: 2, Interesting

    And that makes you a troll - you're comparing updates that affect a single browser, compared to this story, of updates that affect an entire platform.

    The only Apple bias here is coming from you.

  25. Oh joy! by Errtu76 · · Score: 5, Funny

    Microsoft. Windows. Updates. Patches. On slashdot?

    *quickly gets the popcorn and F5's the comments*

    Oh good one!

    *munch munch*

    hahahaha funny

    *munch*

    ooooo

    *munch munch*

    1. Re:Oh joy! by Anonymous Coward · · Score: 0

      Don't be a leech, participate in our participatory culture.

    2. Re:Oh joy! by Celeste+R · · Score: 1

      Don't forget the meaningless eye candy!

      http://en.wikipedia.org/wiki/Microsoft_Bob

      --
      There are no perfect answers, only the right questions. More questions at http://foresightandhindsight.blogspot.com/
    3. Re:Oh joy! by Anonymous Coward · · Score: 0

      We run MS Bob to control our web server you insensitive clod!

    4. Re:Oh joy! by lzdt · · Score: 1

      *quickly gets the popcorn and F5's the comments*

      *munch munch*

      Uughh.. Moooom!?? Would you buy another keyboard please?

  26. Re:Apple Safari Jumbo Patch 50+ Vulnerabilities Fi by BSDetector · · Score: 1, Insightful

    So in your math - a single product that has 50 patches is "better" than 10 updates/31 vulnerabilities for an entire platform? In an ideal world - there would be 0 bugs but since we don't live in an ideal world then ALL platforms - including your beloved MAC - will always be rife with issues. Of course you can't ever see that or admit that - when it comes to Apple/MAC's.

  27. So what? by Velorium · · Score: 1

    Well if they're being fixed what's the problem? If nobody knew about them in the first place and they're spotting them and resolving them, who the hell cares?

  28. unethical technology by Horar · · Score: 4, Funny

    A computer consultant advocating Windows is like a doctor prescribing cigarettes. It creates a lot of extra work.

    1. Re:unethical technology by freedom_india · · Score: 5, Funny

      A computer consultant who advocates Linux on Desktop is like a doctor prescribing amputation without anesthesia.

      --
      "Doing what i can, with what i have." ~ Burt Gummer
    2. Re:unethical technology by Waccoon · · Score: 1

      "I'm prescribing you to play more games. Oh, wait, about that Linux thing..."

      Sorry. Best I could come up with in lieu of mod points.

    3. Re:unethical technology by freedom_india · · Score: 1

      Mac, Linux, Windows - what's the big difference?
      I have karma to burn, and am itching to burn it-:)

      --
      "Doing what i can, with what i have." ~ Burt Gummer
    4. Re:unethical technology by selven · · Score: 1

      It's obvious emacs is better than all of those.

    5. Re:unethical technology by Bert64 · · Score: 1

      A lot of extra *PAID* work, it's called putting your own interests before those of the client.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:unethical technology by Anonymous Coward · · Score: 0

      And that's bad because...?

    7. Re:unethical technology by freedom_india · · Score: 1

      God, I wish I had my mod points now.

      --
      "Doing what i can, with what i have." ~ Burt Gummer
    8. Re:unethical technology by Anonymous Coward · · Score: 0

      OH SNAP! OP got told!

    9. Re:unethical technology by Bert64 · · Score: 1

      Because if the client is smart enough to figure out what you're doing, he will find someone else who won't rip him off.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  29. Re:Apple Safari Jumbo Patch 50+ Vulnerabilities Fi by Gouru · · Score: 2, Insightful

    Okay, then to compare apples to apples...Microsoft had one fix for IE in this patch, Apple had 50 for Safari. Again, where is the apple headline?

  30. Re:Apple Safari Jumbo Patch 50+ Vulnerabilities Fi by Anonymous Coward · · Score: 5, Informative

    Does anybody even know what "troll" means anymore? A troll is not somebody who says something you don't like.

    The point of a troll is to get replies to a fake message. A troll is something like "Back when Bill Gates invented the internet blah blah". The point there is for know-it-alls to jump up and yell that it was not Bill Gates.

    The grandparent was pointing out something he saw as hypocrisy. You might not agree, but that doesn't make him a troll. He might be a troll (if he pointed it out solely to see the replies), but I think it's a valid point, and I'm willing to bet he does too.

    But that's the way people are, I suppose. Ever look at 1-star reviews on Amazon? Even good 1-star reviews ("I didn't like this, and here are the reasons why") tend to have, at best, a 50% "This was helpful" rate. People check off "unhelpful" because they disagree with the reviewer. I suppose it's no surprise that the OP here decided that someone who said something he disagrees with is a troll, but it sure would be nice for people to learn how to have some form of mature debate.

  31. Re:M-M-M-M-M-onster Patch! (n/t) by Anonymous Coward · · Score: 0

    I disagree.

  32. Um... by Anonymous Coward · · Score: 0

    Am I the only one who was hoping for a Monster Patch Tuesday event?

  33. Re:Apple Safari Jumbo Patch 50+ Vulnerabilities Fi by DAldredge · · Score: 0, Flamebait

    When did the /. user base get so stupid?

  34. Re:M-M-M-M-M-onster Patch! (n/t) by Anonymous Coward · · Score: 0

    that was so unfunny I shit myself

  35. Sure, that's impressive, but by commodoresloat · · Score: 1

    what I found really impressive about this Monster Patch is the fact that they were able to apply it to the Monster without getting bitten and slashed.

  36. Re:Apple Safari Jumbo Patch 50+ Vulnerabilities Fi by mpe · · Score: 1

    Okay, then to compare apples to apples...Microsoft had one fix for IE in this patch, Apple had 50 for Safari. Again, where is the apple headline?

    Except that this isn't "apples to apples". Since you don't know how many actual issues and their severity are involved. Since a "patch" can involve an arbitrary number of changes. Especially with Microsoft having a policy of only issuing patches once a month.

  37. Re:M-M-M-M-M-onster Patch! (n/t) by Anonymous Coward · · Score: 0

    "Smash" and "flash" do not rhyme with "patch".

  38. Re:M-M-M-M-M-onster Patch! (n/t) by Untimely+Meme+Guy · · Score: 1

    rhyme nazis? only on /.

  39. Re:Apple Safari Jumbo Patch 50+ Vulnerabilities Fi by MrMr · · Score: 4, Informative

    You are aware that these patches are for the beta release of a major upgrade?
    Of course you are; you just like to use the word hypocrite a lot, to divert attention.

  40. Don't sell yourself short by Anonymous Coward · · Score: 1, Funny

    That was a completely-assed parody!

    (nah, it was a great spontaneous work, I just always wonder what the *half* of half-assed meant and whether fully-assed would be better or worse).

  41. Re:M-M-M-M-M-onster Patch! (n/t) by skaet · · Score: 1

    You're not alone...

    --
    There is no knowledge that is not power.
  42. Re:Apple Safari Jumbo Patch 50+ Vulnerabilities Fi by Bert64 · · Score: 1

    Those bugs were in a BETA VERSION of Safari 4, the whole purpose of a beta version is to find and fix bugs... Looks like the beta process is working as intended.
    How many bugs were fixed between the beta and final release of IE8?

    The ZDNet story also indicates Safari 4 comes with a fix for the "clickjacking" issue, which also affects other browsers (that have not been patched).

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  43. Hmm... by malus314 · · Score: 1

    Bug, Vulnerabilities, Critical Updates, Oh, My! I don't know about anyone else, but I tend to think that the longer a list of fixes is, the better. All software has bugs, one of the main differences between OSes is how the developer handles them. I like Linux because Linux doesn't like bugs and the community hunts them down with a vengeance. MS rarely seems to care. So this (hopefully) means that MS is starting to do a better job of maintaining its products. I, for one, would like to see more bug fixes every month. It seems kind of strange that MS going on a bug killing spree is something that we should spin as a bad thing. Don't get me wrong, I hate 'doze as much as the next guy and I'm quite content to stay on Debian to do everything I need, but as one of the guys who gets called when the sh*t hits the fan with a 'doze box, anything that makes the Windows OS look more like an OS as opposed to Swiss cheese is a fantastic thing. Now, this list of fixes barely does anything to make Windows a better OS, but if MS hunted bugs (or better yet, actually tried to weed a good many out before a release as opposed to saying "Ok, usable enough" and pushing it out the door) like the *nix community does Windows could actually look like something other than dairy products from the alps. Sure, I'd make less because I'd do less cleaning of fecal matter from walls, but I'd gladly trade that for just doing upgrades or replacing a part every now and then. If anything it would make my job quieter and more enjoyable... But, whatever, may as well go with the crowd... "BOO, MICROSOFT!!! TO HELL WITH YOU AND YOUR OBSCENELY LONG LIST OF BUG FIXES!!!"

  44. Re:M-M-M-M-M-onster Patch! (n/t) by Anonymous Coward · · Score: 0

    They rhyme when done with a Karloff accent, so the rhyme ___ is not wholly correct.

  45. It would be nice if they got them RIGHT by Anonymous Coward · · Score: 0

    I mean, they STILL own the copyright for 95 years or whatever and they are the only ones with the source code and rights to make the OS, so why won't they keep fixing it until they get it RIGHT?

    Or if they can't be arsed, let the source code go free?

    If it's "well, they are using some of that code in Windows 7 which will mean people will have some of that "free" too", then why is Windows 7 not a lot cheaper, if so much of the source code has ALREADY been paid for several times over?

  46. Monster Patch by noidentity · · Score: 1

    So is this Monster Patch gold-plated and guaranteed to improve the sharpness of pixels on screen??

  47. Re:M-M-M-M-M-onster Patch! (n/t) by Anonymous Coward · · Score: 0

    Whatever happened to the Redmond Twist?

  48. Windows~less options, ease use; Unix~more options by Anonymous Coward · · Score: 0

    Diversification is overrated, pretty much all *nix boxes use OpenSSL so how's that not a major monoculture? Or Apache for web hosting?

    OpenSSL and Apache on x86 is different than on x86_64, is different than on SPARC, is different than on PowerPC. You then have to go up against OpenBSD's ASLR and perhaps Solaris' no_exec_stack setting. Or perhaps SELinux restrictions (or Solaris' RBAC). I run my workstation with 'noexec' set on /tmp, so good luck trying to dump some binary there.

    The libraries and programs are the same, and there's certainly risk in that, but you don't have a monoculture around that.

    And while OpenSSL and Apache are the most popular--ditto for OpenSSH--there is also GnuTLS and lighttpd, nginx, AOLserver, GlassFish, etc. People would use IIS (and ISA) on Windows almost exclusively because they've drunk the MS Kool-aid(tm) and want "ease of use". If you're on a Unix-y platform though, you're probably more willing to investigate other combinations because you're traditionally not stuck with a top-down design like most MCSEs are (with exceptions of course).

    Same thing goes with mail: "Microsoft shop" = Exchange. Unix-y system: Lotus or IMAP: UW-IMAP, Cyrus, Courier, Dovecot; SMTP: sendmail, postfix, qmail.

    People who choose Microsoft generally (IMHO) want /less/ choice because the thinking is that it improves "ease of use".

  49. Re:M-M-M-M-M-onster Patch! (n/t) by Anonymous Coward · · Score: 0

    Haha -- I don't know if you made this up, but it's pretty funny.

  50. Re:M-M-M-M-M-onster Patch! (n/t) by Anonymous Coward · · Score: 0

    Wait, you mean to say that audio doesn't play when you read that line?

  51. Printing Problems by thittesd0375 · · Score: 1

    Has anyone else had problems with the print spooler service quitting after this update? Almost all of our LAN computers are having the printers disappear and are requiring reboots.

  52. Re:Apple Safari Jumbo Patch 50+ Vulnerabilities Fi by BSDetector · · Score: 1

    So how come when Microsoft releases a BETA product and bugs are found in it that the same consideration isn't given to Microsoft and that BETA product? Oh - I know - it's because it's Microsoft and it's not Apple!

  53. Re:M-M-M-M-M-onster Patch! (n/t) by PerfectAgent007 · · Score: 1

    What did the voice say?

  54. Re:M-M-M-M-M-onster Patch! (n/t) by Anonymous Coward · · Score: 0

    I was working on the PC late one night
    When my eyes beheld an eerie sight
    For bug on windows began to rise
    And suddenly to my surprise

    THEY DID THE PATCH
    They did the monster patch
    THE MONSTER PATCH
    It was a vulnerability smash
    THEY DID THE PATCH
    They caught them in a flash
    THEY DID THE PATCH
    They did the monster patch

    From my computer seat in the office east
    To the master Ballmer where the vampires feast
    The faults all came from their humble abodes
    To get a jolt from my electrodes

    THEY DID THE PATCH
    They did the monster patch
    THE MONSTER PATCH
    It was a vulnerability smash
    THEY DID THE PATCH
    They caught them in a flash
    THEY DID THE PATCH
    They did the monster patch

    ...and so on. I only really wanted to say that your comment made me sing that song, but really it is way longer than I care to do a half-assed parody.

    Booyaka Booyaka