Slashdot Mirror
Microsoft Sets Record With Monster Patch Tuesday
CWmike writes "Microsoft today issued 10 security updates that patched a record 31 vulnerabilities in Windows, Internet Explorer, Excel, Word, Windows Search and other programs, including 18 bugs marked 'critical.' Of the 10 bulletins, six patched some part of Windows, while three patched an Office application or component, and one fixed a flaw in IE. The total bug count was the most patched by Microsoft in a single month since the company began regularly scheduled updates in 2003. The previous record of 26 vulnerabilities patched occurred in both August 2008 and August 2006. 'This is a very broad bunch,' said Wolfgang Kandek, CTO at Qualys, 'compared to last month, which was really all about PowerPoint. You've got to work everywhere, servers and workstations, and even Macs if you have them. It's not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow.'"
That number of bugs rather scares me. I depend on Windows for playing WoW at home and writing documents at work. Will this kill it?
Do not mock my vision of impractical footwear
Next tuesday they could double that amount with the right attitude...
Task Mangler
Comment removed based on user account deletion
For MS maybe, but there have been many time that I've seen Umbuntu ask to install a list of updates longer then my johnson... Of course it is updating multiple products, but so is MS here.
Microsoft has become a single point of failure that poses and unacceptably enormous risk to our society's normal functioning. Consider it in light of the birthday paradox. Even if each failure is 99% safe, sooner or later we're going to have a major Warhol Worm that brings the entire Internet to its knees--along with large portions of the world's economy. Actually, I'd wager that the NSA already has the capability, and probably several other state actors, too.
Massive monoculture is always dangerous. The dinosaurs seemed incredibly successful, too, but too many of them were too similar--and look what happened. In diversity there is strength.
I'm not saying we should kill Microsoft. Just cut it up into four or five small pieces, give each of them a copy of the source code, and tell them to run with it. No non-public communications permitted, and let the customers actually have the MEANINGFUL freedom to pick and choose. Not only will there be more pressure to produce new versions, but within a few versions we'll have enough diversity to prevent totally massive fails.
Point of clarification: I'm not arguing against standards--but they need to be open and agreed upon, not imposed by and for the sake of monopoly.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
a list of updates longer then my johnson...
Sounds like it wasn't exactly a matter of great concern then.
Squashing 31 vulnerabilities in a single patch, is, in a word, efficient. "Embrace and extend," might be a negative part of the Borg ethos, but I give Microsoft credit for displaying the positive side of it, as well. ;-)
- It's not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow. Meaning the ones they don't disclose grows until something like this looks like a bunch were found and fixed at once.
Anything can be found funny, from a certain point of view.
Apple isn't much better. The official security fixes in Safari 4.0, released yesterday, are for a total of _47_ vulnerabilities. Microsoft has a long way to go.
Is it sad that I could hear the UT voice in my head when I read the subject? Oh the hours spent fragging on UT!
# cat
Damn, my RAM is full of cats. MEOW!!
Vulnerabilities? What does this word mean? "31 vulnerabilities, including 18 bugs marked as critical."
In my mind a bug and a vulnerability are 2 different things, one englobing the other.
Let me get this straight ... if you're telling me my computer has a "vulnerability", it means I got chances to get a notepad.exe application start out of nowhere with the words "I've hax0r Ur C8mput8r" or something in my face.
Reading the article I don't know if it's some random critical bug in some MS application, or if it depends of me running a service in X or Y situation and the attacker is in the intranet or whatever, or if I need to go to a very *very* untrusted site that even Avast! won't let me do to get attacked ... please be specific!
Every month or so there is such articles about MS patches ... hell, let's do this with every god-damn software patches around? With Ubuntu you get to install patches every week also! Heck, the Java upgrader thingy pops-up every month too.
What does "vulnerabilities" mean, in this context, seriously? Am I in danger?
The problem with windows is that you're not doing this at all when you check windows update/wsus - you're checking windows only- (other microsoft products if you opted-in to doing this).
This is in fact the real problem with windows- patch management is just a total nightmare.
For example, Adobe also patched today- but can you manage that upgrade at the same time? Nope.
it's mindbogglingly hard at any point in time to say you are patched when running a windows system. This is the greatest challange/weakness of windows, and the biggest benefit of Linux - package management as a means of achieving security.
Safari 4 was beta before yesterday.
I work in a department that uses mostly Macs (the rest of the company using PCs, as would be expected). Since we mostly use Macs, and since our IT people have explicitly stated they don't service Macs, we were a little confused when an email went around saying not to update our systems until IT had a chance to clear it. Obviously it was never meant for my department, but given the breadth of fixes, I'm wondering what kind of hell IT will catch if the Sales or Admin departments get updated and find applications broken.
Has anyone had anything break from this update, or has it been smooth sailing?
--Erik
Apple isn't much better. The official security fixes in Safari 4.0, released yesterday, are for a total of _47_ vulnerabilities. Microsoft has a long way to go.
It looks like almost half the vulnerabilities listed are only for the Windows version of Safari, which means it's probably a matter of Apple having to clean up after Microsoft's bad security practices. Trying to write secure software is a PITA when the OS is fighting you at every turn.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
We already know Windows has vulnerabilities and that there are exploits in the wild. The design isn't going to magically change. So the fact that we're getting more patches is a good thing. We can't whine when we don't get patches then whine when we do! My only question is do these patches break any existing functionality, and if so is this clearly documented?
These posts express my own personal views, not those of my employer
I was working on the PC late one night
When my eyes beheld an eerie sight
For bug on windows began to rise
And suddenly to my surprise
THEY DID THE PATCH
They did the monster patch
THE MONSTER PATCH
It was a vulnerability smash
THEY DID THE PATCH
They caught them in a flash
THEY DID THE PATCH
They did the monster patch
From my computer seat in the office east
To the master Ballmer where the vampires feast
The faults all came from their humble abodes
To get a jolt from my electrodes
THEY DID THE PATCH ...and so on. I only really wanted to say that your comment made me sing that song, but really it is way longer than I care to do a half-assed parody.
They did the monster patch
THE MONSTER PATCH
It was a vulnerability smash
THEY DID THE PATCH
They caught them in a flash
THEY DID THE PATCH
They did the monster patch
--
I've seen Ubuntu ask to install a list of updates longer then my johnson
And probably 90% of them were 120KB libraries, which MS updates but doesn't list.
Is it the new fad to spell "Ubuntu" wrong? It's not that difficult. Add it to Firefox's dictionary if you have to.
So where is the Slashdot article on the following? It's as current as the Microsoft article from ZDNet! I guess as long as it puts Apple in a bad light - it gets ignored or even censored. But if it can be interpreted as Microsoft=BAD then let's up the font size and BOLD the headers!
"Apple Safari Jumbo Patch 50+ Vulnerabilities Fixed" - http://blogs.zdnet.com/security/?p=3541/
Hypocrites!
Ahh UT GOTY vintage gold....
Indeed, create your own repository and have your installer add that repository to the list when your application is installed (though you should ask permission or people will get angry with you). From that point on the customer's PC will update your software automatically, it'll even warn the customer to install it quickly if you flag it as a security update.
There are non-free apps in some of the multiverse repo's so yes, obviously they can. In anycase, Anyone can add a custom repo to their sources.list and a valid signing key.
I am currently using Windows Vista, that was, as of 1 week ago, up to date. I am also using IE 8. I have Office 2003 on this machine. I have automatic updates turned off as I do them weekly and like to see what it coming in.
After reading the headline here I instantly closed firefox, opened IE and did my updates (and for Office too). 5 were listed critical. There were a total of 9 updates and some of those were for hardware.
Reading the article does not offer clarity but I suspect that this includes updates for different OS'es, different versions of Office and different versions of IE. The sentence "work everywhere, servers and workstations, and even Macs" implies that these were updates involving every category of software Microsoft makes.
While even 5 critical updates are too many, I really wish the article had touched on how many critical updates would be required for Vista, with IE 8 and Office 2007 (the newest version). Although I am sure greed is the larger reason, Microsoft has been trying to stop selling XP for about 2 years now but still continue to update it (and will be for some time I am sure). When talking about security my expectation is that you will be using the laterst versions of Linux (pick your vendor), Windows, Apple software or even BSD. If you aren't, you wear some of the burden of responsibility as well as the OS when problems arise.
I distrust MS as much as the next guy (as I said, I manually do my windows updates BUT set the updates to run automatically in Ubuntu), but I really wish people didn't go out of the way to make MS look bad when they do a fine job of that on their own. I have it when MS spouts Linux FUD too.
It's not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow.
That's quite the underhanded comment there. Insulting Microsoft while showing that they are improving their software at the same time. Nice!
Before you fanboys and trollboys come out of the woodwork, realize that this is across ALL the stuff - your precious Ubuntu or BSD would never have this many, simply because a distro is not also a browser, office suite, etc. It certainly isn't controlled and managed by the same group.
btw posting this from an Ubuntu machine, which just pulled down 10 updates.
I want to delete my account but Slashdot doesn't allow it.
It always amuses me when people see M$ patching a bunch of vulns, and then make a comment like 'But Umbuntu (sic) is much worserer! It patched ( m$_vulns + 10 ) this month!'... or vice versa.
With Linux distos, you can pretty much count on the count being pretty much accurate, due to the defacto auditing that occurs as a function of the open source methodology.
In comparison, M$'s counts are basically meaningless, unless you are one of those gullible fanbois who believe M$ would never lie. Ever.
It's all about disclosure. Disclosure in open source is real, disclosure by the likes of M$ and Apple is pretty much based on what makes them look the best in the marketplace.
Um, with Linux you have your choice between apt-get and yum, both of which let you add any repo you want. On my system, proprietary drivers, browser plugins, etc. are all kept up to date by Ubuntu automatically.
WSUS does not let you do this. As far as I can tell, you can set up your own server but you can't update non-Microsoft software.
There's no -1 for "I don't get it."
And that makes you a troll - you're comparing updates that affect a single browser, compared to this story, of updates that affect an entire platform.
The only Apple bias here is coming from you.
Microsoft. Windows. Updates. Patches. On slashdot?
*quickly gets the popcorn and F5's the comments*
Oh good one!
*munch munch*
hahahaha funny
*munch*
ooooo
*munch munch*
As I understand it, however, there's no way to protect that application against non-authenticated users. Can you have an APT repository that, say, requires a login and password?
"You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
For example, Adobe also patched today- but can you manage that upgrade at the same time? Nope.
I'm still looking for the feature that disables all auto-update checks and dialog boxes.
So in your math - a single product that has 50 patches is "better" than 10 updates/31 vulnerabilities for an entire platform? In an ideal world - there would be 0 bugs but since we don't live in an ideal world then ALL platforms - including your beloved MAC - will always be rife with issues. Of course you can't ever see that or admit that - when it comes to Apple/MAC's.
Well if they're being fixed what's the problem? If nobody knew about them in the first place and they're spotting them and resolving them, who the hell cares?
Yet another example of a "feature" of Linux being a "drawback" to Windows.
Keep in mind also that those updates can often be actual upgrades -- new features for example -- and not have anything to do with bugs or security flaws. While MS occasionally does this as well, the article above specifically refers to 31 vulnerabilities.
Sorry, that's not the case. I'm not happy about this month's load of patches, but there are perfectly good patch management solutions out there that can manage multiple vendors and products with ease. I've had pretty good luck with Patchlink, and expect that in the next day or so I'll have a reasonable amount of information to go through to determine what needs to be patched. And when I have a question I know I can contact someone there to get more specifics.
I think what a lot of people don't like is that there's not a *free* patch management solution that is as effective as some of the paid ones (such as Patchlink). But that is a complaint based on price, not on availability. There are working solutions out there, it's just that many of the good ones often cost money. As an enterprise user I need the resources and continuity that a commercial product can contractually provide.
As for package management as it relates to Windows, that's different than patch management. The benefit that an OS like Ubuntu brings to the table is a dead-simple updating mechanism that can cover multiple products. It can be used to roll out patches, sure, and it is. But it is also used intensively for rolling out cursory product updates which have more to do with bug fixes than security flaws. Is that because Ubuntu or other Linux flavors are more secure? Probably - but a lot of that also comes down to market share more than programming quality.
One way or the other, the statement that patch management is a total nightmare isn't the case - it just depends on the approach and purchasing priorities that you set.
Disclosure: I don't work for nor have I ever worked for Lumension, and I haven't received anything (and won't) for posting this.
I've thought for some time that Microsoft should have some type of open update scheme that other vendors could participate in. As you mention so that Adobe could submit their updates to MS and that you get all your updates through Windows update. I realize that this is a serious issue and that MS would have to run it in a benevolent manner and I think most people here would agree that MS is far from benevolent. (the FireFox plugin that was mentioned recently comes to mind) But really when you want to update your system you've got to run all these software updaters individually and it's just incredibly time consuming not to mention that some of them like the Sun Java JRE installs it's own resident update agent adding yet another process to the system. (the install shield update manager is another, LiveUpdate from Symantec also) All these resident update agents just bog the system down with additional unnecessary processes so some type of central update agent could clean this up.
Also hardware updates as well, I usually check for hardware updates on my systems about every six months and it's a real nuisance. Before anyone says it, yes I've seen many instances of suggested hardware updates from MS that didn't work / caused anything from minor to major problems on the given system. MS would have to do a way, way better job with hardware updates than they do now.
I realize that there are several commercial services that do just this but I'm stubborn and won't pay for something like this that I can do myself. Also I have four computers and these services would not allow me to update all four systems for a single fee and I'm not paying for this service times four.
I prefer Debain.
Everything I write is lies, read between the lines.
An APT repository is just a directory exposed by HTTP. You might be able to .htpasswd it but I'm not sure whether it would work.
https://help.ubuntu.com/community/SecureApt Use client-side certs.
Ooops- linked wrong article, but essentially, you can do what you want by using SSL and client side certs.
A computer consultant advocating Windows is like a doctor prescribing cigarettes. It creates a lot of extra work.
The article here explains that you can either have a secured FTP repository or one grabbed by SSH.
Yes, there are other ways but a couple easy methods are in this article: http://www.debian-administration.org/articles/513
Okay, then to compare apples to apples...Microsoft had one fix for IE in this patch, Apple had 50 for Safari. Again, where is the apple headline?
>Sorry, that's not the case. I'm not happy about this month's load of patches, but there are perfectly good patch management solutions out there that can manage multiple vendors and products with ease. Please name one that is suitable for a "home" user with little or no technical ability to setup and use? This is a major problem with the windows ecosystem. Staying on top is hard.
Does anybody even know what "troll" means anymore? A troll is not somebody who says something you don't like.
The point of a troll is to get replies to a fake message. A troll is something like "Back when Bill Gates invented the internet blah blah". The point there is for know-it-alls to jump up and yell that it was not Bill Gates.
The grandparent was pointing out something he saw as hypocrisy. You might not agree, but that doesn't make him a troll. He might be a troll (if he pointed it out solely to see the replies), but I think it's a valid point, and I'm willing to bet he does too.
But that's the way people are, I suppose. Ever look at 1-star reviews on Amazon? Even good 1-star reviews ("I didn't like this, and here are the reasons why") tend to have, at best, a 50% "This was helpful" rate. People check off "unhelpful" because they disagree with the reviewer. I suppose it's no surprise that the OP here decided that someone who said something he disagrees with is a troll, but it sure would be nice for people to learn how to have some form of mature debate.
Way to miss the whole point- WSUS/Windows Update/Microsoft Update only helps where MS patches are concerned.
Then your johnson what? Don't leave us hanging in suspense, man!
February 9th, 2009 8:55pm: Slashdot becomes self-aware.
I agree with your assertion that it's a problem for the industry as a whole. In terms of products for home users the market is really sparse, and I don't like having to hassle through any of the stuff either, even on the enterprise side.
A quick google of "update checker" brought up this result: http://www.filehippo.com/updatechecker/
Sounds like that might help some. I haven't tried it but running that once a month, then hitting Windows Update would probably keep your bases covered pretty well.
Anyhow, I'm not disputing that the situation sucks, but I am disputing the notion that there aren't ways to address patching. Cheap? No. Available? Yes.
Dear DMBFCKAC, you really don't get it or are trolling as you clearly ignore the fact that, given the existence of a repository, which can exist in
many forms, including a CD or local directory, you can update just about any software from the package installer on most mainstream distros.
The Windows installer system is so fucking lame that, 14 years after the Win '95 "Start Me Up" campaign, endusers still have to babysit Add / Remove
Programs, if they want to uninstall software as they can't pick more than one program at a time.
Most Linux packages have allowed the user the ability to select multiple packages for both install and removal and I've done a session where nearly
2 GB total, with over 100 packages were added, removed or upgraded with no issues.
Pain is merely failure leaving the body
no need for MS to host the content, they could just create a service for patch management and let Adobe, etc host the servers. Similar to how it's done in Linux already (if it ain't broke...)
being vague is almost as cool as doing that other thing...
what I found really impressive about this Monster Patch is the fact that they were able to apply it to the Monster without getting bitten and slashed.
Okay, then to compare apples to apples...Microsoft had one fix for IE in this patch, Apple had 50 for Safari. Again, where is the apple headline?
Except that this isn't "apples to apples". Since you don't know how many actual issues and their severity are involved. Since a "patch" can involve an arbitrary number of changes. Especially with Microsoft having a policy to only issuing patches once a month.
I've thought for some time that Microsoft should have some type of open update scheme that other vendors could participate in. As you mention so that Adobe could submit their updates to MS and that you get all your updates through Windows update.
I can't think of any reason why Windows Update couldn't do this for applications today (or even yesterday). It certainly does so for drivers.
In all likelihood the problem, as usual, lies with the application vendors.
Try Secunia PSI, it's pretty good for checking you're running patched software.
All intents and purposes. Not intensive purposes.
"Java VM allows arbitrary code execution on Max OSX".
(Repeat 10 times until you get it).
And before you start about how that's "not the same" because Sun is a different company, consider this. XP SP3, Vista, Windows have all been progressively more secure. ActiveX and driveby installs are *almost* a thing of the past, and the last major bad shit was Sasser Worm and the likes that exploited open services.
But nothing will stop some lemon installing the latest screensaver, or 1000 email smileys onto their system, and once the trojan or whatever is *inside* the machine calling out, there's not a lot you can do on *any* O/S. For me now, I don't worry so much about the core Windows anymore, but fret every time my wife or kids installs something they got off the net.
There are several products like Shavlik Netchk, which allow you to patch commonly-used applications like Adobe, Firefox, Java, etc... at the same time as MS OS and applications.
Absolutely, providing the vendor of that proprietary application provides an appropriate package repository..
If they don't, then it's the vendor's fault, the distro itself provides everything they reasonably could.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Yes, and yes.
Exactly indeed.
I wont bother with suppling a clue, as you've obviously never seen Ubuntu or any other Linux distro.
rhyme nazis? only on /.
You are aware that these patches are for the beta release of a major upgrade?
Of course you are; You just like to use the word hypocrite a lot, to divert attention.
That was a completely-assed parody!
(nah, it was a great spontaneous work, I just always wonder what the *half* of half-assed meant and whether fully-assed would be better or worse).
I prefer the HMAC.
You're not alone...
There is no knowledge that is not power.
Then again, the chances of Ubuntu working with any piece of hardware made in the last 2 years are slim indeed.
Those bugs were in a BETA VERSION of Safari 4, the whole purpose of a beta version is to find and fix bugs... Looks like the beta process is working as intended.
How many bugs were fixed between the beta and final release of IE8?
The ZDNet story also indicates Safari 4 comes with a fix for the "clickjacking" issue, which also affects other browsers (that have not been patched).
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Bug, Vulnerabilities, Critical Updates, Oh, My! I don't know about anyone else, but I tend to think that the longer a list of fixes is, the better. All software has bugs, one of the main differences between OSes is how the developer handles them. I like Linux because Linux doesn't like bugs and the community hunts them down with a vengeance. MS rarely seems to care.So this (hopefully) means that MS is starting to do a better job of maintaining its products. I, for one, would like to see more bug fixes every month. It seems kind of strange that MS going on a bug killing spree is something that we should spin as a bad thing. Don't get me wrong, I hate 'doze as much as the next guy and I'm quite content to stay on Debian to do everything I need, but as one of the guys who gets called when the sh*t hits the fan with a 'doze box, anything that makes the Windows OS look more like an OS as opposed to Swiss cheese is a fantastic thing. Now, this list of fixes barely does anything to make Windows a better OS, but if MS hunted bugs (or better yet, actually tried to weed a good many out before a release as opposed to saying "Ok, usable enough" and pushing it out the door) like the *nix community does Windows could actually look like something other than dairy products from the alps. Sure, I'd make less because I'd do less cleaning of fecal matter from walls, but I'd gladly trade that for just doing upgrades or replacing a part every now and then. If anything it would make my job quieter and more enjoyable... But, whatever, may as well go with the crowd... "BOO, MICROSOFT!!! TO HELL WITH YOU AND YOUR OBSCENELY LONG LIST OF BUG FIXES!!!"
So is this Monster Patch gold-plated and guaranteed to improve the sharpness of pixels on screen??
How about the repository for updating Oracle. Oh wait, no...
deb http://oss.oracle.com/debian unstable main non-free
Found here
the circle is complete, now Linux users bash each other based on the version installed.
There may be help for Linux to compete with Windows or Macs yet!
Adobe updates roll out with Ubuntu? Sweet. Oh wait, no.
Wrong, smartass. If you used Medibuntu to install acrobat reader, then you DO get the updates. I also believe that it works for Flash.
God is imaginary
Oh, interesting. I may have to look into this for distributing commercial application updates on Linux.
Thanks!
"You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
This is pretty handy to read. Much appreciated.
"You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
Has anyone else had problems with the print spooler service quitting after this update. Almost all of our lan computer are having the printers disappear and are requiring reboots.
No problem, if you're not familiar with SSH it's also possible to create an SSH key that you can distribute "in reverse" (to all of your clients instead of collecting a key from each one of them). I don't have an article for that on hand, but if you need details I can give them to you (while this is easier to distribute there is the obvious disadvantage that this technique does not allow you to "discontinue" a customer).
So how come when Microsoft releases a BETA product and bugs are found in it that the same consideration isn't given to Microsoft and that BETA product? Oh - I know - its because it Microsoft and its not Apple!
I know a little bit about SSH, I just didn't know you could actually use client keys it in conjunction with APT. It's a long way off for my company (a game company who is planning a Linux port) to actually have something publicly available that needs patching, and I'm not sure that we'll do this rather than have an update-checker build in, but it certainly is an interesting possibility.
"You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
Well, if you need any assistance when the time comes you can reach me by email as compholio at gmail dot com. Personally, I would probably look into the possibility of creating a small "personal" apt database for users without a debian package manager and have the update-checker just use apt (why reinvent the wheel if you don't have to?).
What did the voice say?