Slashdot Mirror


Microsoft Sets Record With Monster Patch Tuesday

CWmike writes "Microsoft today issued 10 security updates that patched a record 31 vulnerabilities in Windows, Internet Explorer, Excel, Word, Windows Search and other programs, including 18 bugs marked 'critical.' Of the 10 bulletins, six patched some part of Windows, while three patched an Office application or component, and one fixed a flaw in IE. The total bug count was the most patched by Microsoft in a single month since the company began regularly scheduled updates in 2003. The previous record of 26 vulnerabilities patched occurred in both August 2008 and August 2006. 'This is a very broad bunch,' said Wolfgang Kandek, CTO at Qualys, 'compared to last month, which was really all about PowerPoint. You've got to work everywhere, servers and workstations, and even Macs if you have them. It's not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow.'"

23 of 237 comments

  1. I'm sure they could do better by Centurix · · Score: 5, Funny

    Next Tuesday they could double that amount with the right attitude...

    --
    Task Mangler
  2. Re:Scary Good or Scary Bad? by powerspike · · Score: 4, Insightful

    Scary good. At least it shows MS is looking for problems, and fixing them as they find them.
    If somebody got a full list of bugs / sec updates for Linux every month (all software), I'm quite sure that "31" would be quite a low number.
    Of course MS could ignore them (or some), and come up with a low number, but that wouldn't be in anybody's best interests...

  3. Comment removed by account_deleted · · Score: 4, Funny

    Comment removed based on user account deletion

  4. Microsoft is too big to fail by shanen · · Score: 4, Insightful

    Microsoft has become a single point of failure that poses an unacceptably enormous risk to our society's normal functioning. Consider it in light of the birthday paradox. Even if each failure is 99% safe, sooner or later we're going to have a major Warhol Worm that brings the entire Internet to its knees--along with large portions of the world's economy. Actually, I'd wager that the NSA already has the capability, and probably several other state actors, too.

    Massive monoculture is always dangerous. The dinosaurs seemed incredibly successful, too, but too many of them were too similar--and look what happened. In diversity there is strength.

    I'm not saying we should kill Microsoft. Just cut it up into four or five small pieces, give each of them a copy of the source code, and tell them to run with it. No non-public communications permitted, and let the customers actually have the MEANINGFUL freedom to pick and choose. Not only will there be more pressure to produce new versions, but within a few versions we'll have enough diversity to prevent totally massive fails.

    Point of clarification: I'm not arguing against standards--but they need to be open and agreed upon, not imposed by and for the sake of monopoly.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    1. Re:Microsoft is too big to fail by shanen · · Score: 4, Interesting

      Acknowledged. I should clarify that I am thinking of a Warhol Worm that includes a rooted backdoor for a large-scale DDoS attack. We've already had plenty of problems with zombots around 10^4, but imagine the hassles of a 10^7 zombot... I don't think it would be possible to simply cut the infected machines off the net, but rather it would be necessary to partition the entire network and rebuild in pieces.

      --
      Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    2. Re:Microsoft is too big to fail by wvmarle · · Score: 4, Informative

      Massive monoculture is always dangerous. The dinosaurs seemed incredibly successful, too, but too many of them were too similar--and look what happened. In diversity there is strength.

      In numbers there is strength as well. There is quite some evidence that birds are the living direct descendants of the dinosaurs - and in a way I have always been puzzled about how it would be possible that all dinosaurs would become extinct but other types of animals (mammals, crocodiles) not. Dinosaurs were often huge animals, so relatively few in number before the earth is full. That is more likely to have been their undoing. When 90% gets killed, finding a mate becomes really hard due to the huge distance between individuals.

      Windows is so huge in numbers that it is almost impossible to make extinct. Almost always there will be some Windows computers surviving somewhere, forgotten on grandma's table, maybe not even connected to the Internet, and happily moving on alone. It is impossible to wipe them all out; there are too many of them.

      OS/2 is virtually extinct - some installations hanging on for dear life but there were so few of them... BeOS saw the same fate... and so there are more. Dead branches on the tree of evolution, they could not multiply sufficiently to weather the competition.

      Windows is of course at risk of disease: all individuals are so similar they can easily infect one another. Some have better immune systems (firewalls, more patches installed) and may survive longer - they may even survive the main onslaught and outlive the virus, which itself may die out due to not enough hosts left to infect. That is after all what happened to the Spanish Flu: this strain disappeared because in the end all hosts were either immune or had died. There were virtually no fresh hosts available for the virus to survive.

      Linux is reaching sufficient numbers now to also be impossible to become extinct, and add to that the large diversity in systems giving the species great immunity. Yes some groups may be vulnerable to a certain virus, others will be immune and sit out the disease. Then the ones killed by the virus will be replaced by new, immune systems and the species as a whole becomes stronger.

      At the moment I actually cannot think of other operating systems that are as diverse as the Linux platform. BSD is a candidate, but only three major flavours are available. Windows certainly is no candidate; it's all the same.

    3. Re:Microsoft is too big to fail by Kjella · · Score: 4, Insightful

      Back in the days of the Microsoft worms there was no default firewall and many default network exposed services, find one flaw in something and you could infect pretty much every other Windows machine on the net. They learned from that, and now there's very little chance of a machine being infected unless the machine calls out, either it's checking mail, browsing the web or whatever. Diversification is overrated, pretty much all *nix boxes use OpenSSL so how's that not a major monoculture? Or Apache for web hosting? Find me a remote exploit in the default config with no login info and you'll see full-blown panic in no time. Except that you don't. Nor has there been a major IIS security issue for ages either.

      Computers don't act randomly. You minimize the contact area, analyze the heck out of it until you're really, really sure that it's correct, with formal proof if you damn well please, and then it will act that way. Always. Making five clones only gives you the chance to implement a bug five times more. And if it's really more sensitive than that, there's always firewalling off those entire networks. Code does not travel by magic; in short, unless there's a secret port knock the NSA can do to make Windows bring down its own defenses, it's not going to happen. Not any more than I think you can break my Linux box.

      --
      Live today, because you never know what tomorrow brings
  5. Re:That's a lot of patches by Anonymous Coward · · Score: 5, Funny

    a list of updates longer than my johnson...

    Sounds like it wasn't exactly a matter of great concern then.

  6. The positive side of the Borg icon by petrus4 · · Score: 4, Insightful

    Squashing 31 vulnerabilities in a single patch, is, in a word, efficient. "Embrace and extend," might be a negative part of the Borg ethos, but I give Microsoft credit for displaying the positive side of it, as well. ;-)

  7. Vulnerabilities? by Korbeau · · Score: 4, Insightful

    Vulnerabilities? What does this word mean? "31 vulnerabilities, including 18 bugs marked as critical."

    In my mind a bug and a vulnerability are 2 different things, one encompassing the other.

    Let me get this straight ... if you're telling me my computer has a "vulnerability", it means I got chances to get a notepad.exe application start out of nowhere with the words "I've hax0r Ur C8mput8r" or something in my face.

    Reading the article I don't know if it's some random critical bug in some MS application, or if it depends on me running a service in X or Y situation and the attacker being in the intranet or whatever, or if I need to go to a very *very* untrusted site that even Avast! won't let me visit to get attacked ... please be specific!

    Every month or so there are such articles about MS patches ... hell, let's do this with every god-damn software patch around? With Ubuntu you get to install patches every week also! Heck, the Java upgrader thingy pops up every month too.

    What does "vulnerabilities" mean, in this context, seriously? Am I in danger?

    1. Re:Vulnerabilities? by Kjella · · Score: 4, Informative

      A bug is something not working as intended. Slashdot's rendering on standards compliant browsers for example.
      A vulnerability is something that can be exploited by a third party for example to crash, hang or invade your machine.

      That in itself doesn't really tell you much, is it locally or remotely exploitable, do you need valid logins, user action etc. which means it can range from trivial to critical. If you want the details, you need to read the details... that is to say MS security bulletins.

      --
      Live today, because you never know what tomorrow brings
  8. Re:That's a lot of patches by zonky · · Score: 4, Insightful
    Ubuntu is updating all products in all repos, with a single command/daily check.

    The problem with windows is that you're not doing this at all when you check windows update/wsus - you're checking windows only- (other microsoft products if you opted-in to doing this).

    This is in fact the real problem with windows- patch management is just a total nightmare.

    For example, Adobe also patched today- but can you manage that upgrade at the same time? Nope.

    It's mindbogglingly hard at any point in time to say you are patched when running a Windows system. This is the greatest challenge/weakness of Windows, and the biggest benefit of Linux - package management as a means of achieving security.

  9. Re:Even Macs? by Yvan256 · · Score: 4, Insightful

    Safari 4 was beta before yesterday.

  10. This is a good thing by syousef · · Score: 4, Insightful

    We already know Windows has vulnerabilities and that there are exploits in the wild. The design isn't going to magically change. So the fact that we're getting more patches is a good thing. We can't whine when we don't get patches then whine when we do! My only question is do these patches break any existing functionality, and if so is this clearly documented?

    --
    These posts express my own personal views, not those of my employer
  11. Re:M-M-M-M-M-onster Patch! (n/t) by cupantae · · Score: 5, Funny

    I was working on the PC late one night
    When my eyes beheld an eerie sight
    For bug on windows began to rise
    And suddenly to my surprise

    THEY DID THE PATCH
    They did the monster patch
    THE MONSTER PATCH
    It was a vulnerability smash
    THEY DID THE PATCH
    They caught them in a flash
    THEY DID THE PATCH
    They did the monster patch

    From my computer seat in the office east
    To the master Ballmer where the vampires feast
    The faults all came from their humble abodes
    To get a jolt from my electrodes

    THEY DID THE PATCH
    They did the monster patch
    THE MONSTER PATCH
    It was a vulnerability smash
    THEY DID THE PATCH
    They caught them in a flash
    THEY DID THE PATCH
    They did the monster patch ...and so on. I only really wanted to say that your comment made me sing that song, but really it is way longer than I care to do a half-assed parody.

    --
    --
  12. Apple Safari Jumbo Patch 50+ Vulnerabilities Fixed by BSDetector · · Score: 5, Insightful

    So where is the Slashdot article on the following? It's as current as the Microsoft article from ZDNet! I guess as long as it puts Apple in a bad light - it gets ignored or even censored. But if it can be interpreted as Microsoft=BAD then let's up the font size and BOLD the headers!

    "Apple Safari Jumbo Patch 50+ Vulnerabilities Fixed" - http://blogs.zdnet.com/security/?p=3541/

    Hypocrites!

  13. Re:Scary Good or Scary Bad? by _Sprocket_ · · Score: 4, Insightful

    Scary good. At least it shows MS is looking for problems, and fixing them as they find them. If somebody got a full list of bugs / sec updates for Linux every month (all software), I'm quite sure that "31" would be quite a low number. Of course MS could ignore them (or some), and come up with a low number, but that wouldn't be in anybody's best interests...

    It's always a shame when people use vulnerability / bug counts as some kind of definitive universal metric. The issues involved are much more complex than a single number score. And while the information can be useful, the simplest use is to debunk zealots' (Windows, Linux, etc.) claims that their software of choice is bug-free or that one particular style of development produces better quality code (if you consider bugs signs of defects that count against your quality metric). And even then, the debate could rage on (which I'll avoid doing as that's not the point right now).

    Microsoft producing security patches is an overall good thing. It's a battle that was "won" quite a few years ago. And it's a battle that continues, as it takes continued pressure to keep them honest (there is a history of bugs being reported to Microsoft w/out fixes over extended lengths of time). Constant pressure nudges Microsoft to resolve these issues. It's an echo of the bad old days when Microsoft cared little about responding to serious flaws in their products.

    Likely it's those echoes that probably mislead the masses to assume these numbers meant something that they didn't. Back in those aforementioned bad old days, the bug count outlined largely well-documented and unaddressed flaws. Nowadays a few of those pop up from time to time (and again - it is more common these days for "responsible disclosure" with commercial vendors to uncover flaws that go unpublished until patch release). But for the most part, those numbers represent issues that are addressed. And that is indeed a victory (bittersweet if you contend that the flaws should never have existed).

  14. Oh joy! by Errtu76 · · Score: 5, Funny

    Microsoft. Windows. Updates. Patches. On slashdot?

    *quickly gets the popcorn and F5's the comments*

    Oh good one!

    *munch munch*

    hahahaha funny

    *munch*

    ooooo

    *munch munch*

  15. unethical technology by Horar · · Score: 4, Funny

    A computer consultant advocating Windows is like a doctor prescribing cigarettes. It creates a lot of extra work.

    1. Re:unethical technology by freedom_india · · Score: 5, Funny

      A computer consultant who advocates Linux on the desktop is like a doctor prescribing amputation without anaesthesia.

      --
      "Doing what I can, with what I have." ~ Burt Gummer
  16. Re:That's a lot of patches by eosp · · Score: 4, Informative

    The article here explains that you can either have a secured FTP repository or one grabbed by SSH.

  17. Re:Apple Safari Jumbo Patch 50+ Vulnerabilities Fi by Anonymous Coward · · Score: 5, Informative

    Does anybody even know what "troll" means anymore? A troll is not somebody who says something you don't like.

    The point of a troll is to get replies to a fake message. A troll is something like "Back when Bill Gates invented the internet blah blah". The point there is for know-it-alls to jump up and yell that it was not Bill Gates.

    The grandparent was pointing out something he saw as hypocrisy. You might not agree, but that doesn't make him a troll. He might be a troll (if he pointed it out solely to see the replies), but I think it's a valid point, and I'm willing to bet he does too.

    But that's the way people are, I suppose. Ever look at 1-star reviews on Amazon? Even good 1-star reviews ("I didn't like this, and here are the reasons why") tend to have, at best, a 50% "This was helpful" rate. People check off "unhelpful" because they disagree with the reviewer. I suppose it's no surprise that the OP here decided that someone who said something he disagrees with is a troll, but it sure would be nice for people to learn how to have some form of mature debate.

  18. Re:Apple Safari Jumbo Patch 50+ Vulnerabilities Fi by MrMr · · Score: 4, Informative

    You are aware that these patches are for the beta release of a major upgrade?
    Of course you are; you just like to use the word hypocrite a lot, to divert attention.