Microsoft Plans Largest-Ever Patch Tuesday
CWmike writes "Microsoft said it will deliver its largest-ever number of security updates on Tuesday to fix 13 flaws in every version of Windows, as well as Internet Explorer (IE), Office, SQL Server, important developer tools and Forefront Security client software. Among the updates will be the first for the final, or release to manufacturing, code of Windows 7, Microsoft's newest operating system. The 13 updates slated for next week, eight of them pegged 'critical,' beat the previous record of 12 updates shipped in February 2007 and again in October 2008." Update: Reader Kurt Seifried writes to correct the math a bit, pointing to Microsoft's Advance Notification page for the release, which says that rather than 13 flaws, this Patch Tuesday involves "13 bulletins (eight critical and five important), addressing 34 vulnerabilities ... Most of these updates require a restart so please factor that into your deployment planning."
I am still worried about using eBay to buy my Star Wars collectables from my Chrome browser - http://it.slashdot.org/story/09/10/06/2118211/Null-Prefix-SSL-Certificate-For-PayPal-Released
The sun is the same in a relative way, but you are shorter of breath and one day closer to death
So it installs linux?
Yes, and kills problem users.
Does this mean that my Windows 3.1 box will finally get the DST update?
Last week's "critical updates" were two copies of Windows Genuine Annoyance.
Isn't Tuesday the first day back from a long weekend? Is that really the best time to do this? We'll be up to our eyeballs in password resets already. (How do people forget a password in three days?)
When our name is on the back of your car, we're behind you all the way!
I'm guessing windows 2000 isn't one of the operating systems that will be patched?
:(
I couldn't find details in the article, but since extended support has ended... RIP win2k
P.S. unless it's not affected by this? but I think there are previous vulnerabilities which haven't been patched too so maybe win2k is already dead and I missed the boat.
I got this awesome bug fix such that Outlook now says "This copy of Office is not genuine. Click here to learn more online." in an unremovable toolbar
can't wait to see what gets patched next!
Intellectual property law is philosophically incoherent. It is your moral duty to ignore it or sabotage it.
I'd like to see a comparison between the number of patches to Linux vs. Windows. :)
Which do I think is a better OS in terms of security and stability? Linux. But I tend to get tired of the "Microsoft releases so many patches, their OS is obviously bad" argument when it seems the whole development model of open source software (e.g., Linux distros) is that anyone can develop both features and patches, thus improving the software.
13 patches released at 13:00 on Tuesday the 13th. Windows sysadmins that day will have to pass below ladders, see black cats cross in front of them and then break a mirror. But that will be nothing. The worst part will be when they turn on the computer and see that Windows is still running.
Nope, that doesn't require a patch; it was built into the original release ...
I'd like to see a comparison between the number of patches to Linux vs. Windows. :)
For just the kernel, or for a whole average distro? Which distro's kernel and which variant (e.g. SMP vs. uniprocessor) and which arch? (x86 vs. say, PPC or ARM)? Do we count all the optional modules, and what about the stuff that is out there which could be compiled-in, but usually isn't (e.g. Win4Lin extensions)? Are patches counted as individual diffs checked in to a CVS/SVN/BK repo source tree, or counted only if distributed .rpm/.apt packages by a vendor?
Otherwise, yeah, I can see your POV. :)
Quo usque tandem abutere, Nimbus, patientia nostra?
Will it make every PC that uses windows ME self-destruct?
Not likely. PCs running Windows ME probably don't have the power to do more than self-fizzle at most. I would personally be impressed if they let out the smallest little puff of smoke. I think the reality would be that they just refuse to power up due to shame.
Fair questions, but easily answered: for whatever is being compared to in a Windows OS. Windows, as I recall, has a kernel, has components that are necessary, has components that are unnecessary, etc. It seems Linux fans easily lapse into thinking that Windows is one complete mess all bound into one, whereas Linux has messy parts but the core is great... but who installs "Linux" and doesn't install a "Linux distro"? To be fair to Windows, I'd have to say you'd have to compare an entire Linux distro default installation to an entire Windows default installation... all software included in the ISO, not the latest-updated-version-of-Amarok or whatever comes with it by default. Getting the latest Amarok version is just like getting the latest patch for Windows Media Player...
As for CVS/SVN/BK diffs and whatnot, that's hard to come up with... I have no clue how much code difference there is in a given Windows patch. For all I know, it's one single typo, but since it's a binary, the entire thing is built and sent over in the patch, right? So who knows? I would think, from an end-user perspective, it only counts as a patch if it's distributed in an easily installed format; e.g., as an update or as an RPM or included in the distro, etc.
Thanks for seeing my POV. :) hehe. I'm in an unfortunate position for my life on Slashdot; I actually enjoy Windows OSes. And Linux distros. Awful, I know.
I don't like AIX though...
Yes, those users, too. ;)
Nope, that doesn't require a patch; it was built into the original release ...
Yup. The hard drive with the ME installation will jump out of the chassis, climb the refrigerator and rub itself all over the magnets.
Face your daemons!
http://blogs.technet.com/msrc/archive/2009/10/08/october-2009-bulletin-release.aspx
For October we are releasing 13 bulletins (eight critical and five important), addressing 34 vulnerabilities, affecting Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Most of these updates require a restart so please factor that into your deployment planning.
Well.... ALL of them, as the 13 updates include Office etc. as well. Regardless of whether it's SMP or uniprocessor, it's a part of the kernel; if it's a kernel patch it has to be counted, otherwise it wouldn't be Linux, would it? At the end of the day 13 is for everything "in this batch", so if you're going to be counting Linux bugs, I would count everything you'd consider Linux. Just because one distro doesn't include one part of the kernel doesn't mean you don't count a patch for it...
Look, I know it's fashionable to make negative remarks about MS round here, but it's only fair to say 'well done' to them for bettering their previous high count. Hopefully they haven't run out of bugs to fix and they'll work hard to find and fix even more next time. Who knows, this time next year they could be fixing hundreds of bugs every month - and if we're lucky, some of them could be quite serious or critical - wouldn't that be just awesome!
Go MS!
AT&ROFLMAO
I was about to bitch about the submitter/moderator not RTFA, but it turns out the article doesn't mention it either, so I'll clarify instead: thirteen updates are being released which together address thirty-four security vulnerabilities of varying severity across varying products (ten of which are targeted at Windows). So, that's NOT thirteen flaws (plenty more, actually), just thirteen updates, some of which (all?) address multiple flaws in the particular system they are targeted at. Of course, this is just the advance notification, so full details about how many vulnerabilities each update addresses and the general information on them won't be released until the patches are next Tuesday. I think it's also worth noting (although the summary of course neglects to mention it) that the good aspect of these updates is that both major zero-day exploits (targeting IIS & SMB 2.0) are patched with these updates.
And while I'm posting, why does Slashdot insist on linking to shitty tech magazine articles (poorly) summarising the raw and accurate data straight from Microsoft? Seriously, I'm not sure if it's some sort of aversion to linking to MS, but they're the ones doing the patching, so it follows that they have the best, newest, most accurate data on them, and they'll likely be the first to provide updates on their content. These articles are just summarising what Microsoft has published on their various websites, and being a summary, they provide a lot more information and raw data:
Microsoft Security Bulletin Advance Notification for October 2009
October 2009 Bulletin Release Advance Notification
Also, a lot of patches for Linux software are adding new functionality, not just fixing bugs.
Furthermore, what exactly is contained in one Windows "update"? As far as we know, one Windows update contains as many changes to the system as dozens of smaller patches in a Linux distro.
But yeah, the idea that more released patches = less secure system isn't a very good one.
The point the GP is trying to make is that they just aren't directly comparable. Limiting yourself to the Linux kernel is unfair to Windows, as Windows is much more than just a kernel. But comparing with a full distribution is unfair to Linux, as there is much more in a distribution than even Windows + Office + SQL Server + everything else that Microsoft Update covers.
Does it fix the problems with Windows 7? After reading this review of a pre-release download, I'm a bit hesitant to use it.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
I am using special exam software to take a grad school exam Wednesday morning. The version of the software which I'll be using was released TODAY. Would I be smart to turn off Automatic Updates on Monday, or is this just paranoia?
The number of patches and whether or not Windows or *nix requires more is pretty much a moot point. Both systems need to be updated regularly and both are vulnerable to automated vulnerability scanners that are being run 24/7 on compromised boxes. I won't re-tell the tale here, but you can check my journal if you want to read about the most recent tale of an Ubuntu box that I set up getting owned in under a month. Any OS that falls behind on patches becomes an exploitable target.
Kernel issues still require a reboot.
I run both Linux and FreeBSD in the server room, and have for about 15 years - but in terms of managing, reporting on, and distributing updates to hundreds of desktops, there's nothing off the shelf for *nix that comes close.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Don't get me wrong, I'd not put a Windows machine directly facing the internet - but I wouldn't do that with an un-firewalled desktop Linux box either.
Linux doesn't have OLE, but they're still messing with implementing Bonobo, kpart, etc to re-create basically the same idea.
As for reading LKML, it also shows you how good ideas are often ridiculed and rejected on the basis of "not invented here" or differing from Linus' personal choice. Schedulers, for example...
I'm not saying open source is bad or worse - simply that it's not immune from shitty code. There's far more shitty code out there than good code, whether it's commercial or not.
So where are the instructions for the patch party?
PROTIP: That's actually a usage error. He (or she) spelled "metal" correctly.
That said, I've had no issues with five different webcams functioning properly under Ubuntu, without having to compile anything. I believe this is commonly referred to as "It Just Works(TM)".
Additionally, I'll take "knowing about vulnerabilities quickly" over "having somewhat fewer vulnerabilities that are publicly disclosed, leaving out problems Microsoft doesn't feel like informing the admin community of until exploits are already being used in the wild" any day.
"What's the Canadian holiday?"
That would be Thanksgiving.
Plus, OpenOffice.org has its own component system (UNO) which is very similar to OLE/COM, Mozilla has XUL which is also the same thing, and you also have CORBA which is akin to DCOM (which is distributed OLE/COM). Components are not inherently less secure than normal applications... and even better, you have more granular control over their use (separate permissions for use, activation, instantiation, etc.)
It was ActiveX that gave a bad name to COM, but not because it's bad in itself, but rather because it was a poor idea to integrate it to web pages in the way it was done.
As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
Or at least patches to Win2K would be nice, maybe some working timezone data.
I also would highly recommend Microsoft release patches for Windows 3.11 to fix flaws in Win32s, and perhaps add IPv6 to Wolverine (winsock 1.1 for Windows for Workgroups)
“Common sense is not so common.” — Voltaire
So what?
My Ubuntu Jaunty desktop downloaded 130 MB of updates last night. And this isn't the first time either.
I didn't see the /. community getting their knickers in a knot about it.
Erk, there is nothing inherently wrong with OLE, ActiveX or anything else in COM. At the end of the day they're just a means to embed or utilise one program from another. And yes, GNOME/KDE have their equivalents. The problem has nothing to do with the OS but with the way IE promoted ActiveX, including automatic installation and the broken assumptions underlying its trust model such as the safe-for-scripting flag. Basically IE let you instantiate any control installed on your system so long as it was tagged safe for scripting. Even inadvertent bugs in the automation interface of a control could be exploited in drive-by attacks.
Other browsers such as Mozilla, Opera etc. have their own plugin solutions which are conceptually little different from ActiveX controls. Netscape/Mozilla has variously used NPAPI combined with LiveConnect/XPConnect for scripting. The big difference historically was that it was more of a pain in the ass to install a plugin than a control, so the consequence of an exploit was minimized. It still doesn't prevent exploits happening though, as the recent vulnerabilities in Flash Player 10 demonstrate.
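The comment above explains that IE would instantiate any installed control tagged safe for scripting unless a kill bit blocked it. As an added audit example (not from the thread or from Microsoft), this PowerShell script enumerates registered COM classes carrying the "safe for scripting" component category and reports which of them have no kill bit set; the category GUID and the kill-bit registry location are the documented ones, everything else is constructed for illustration.

```powershell
# Added audit example: list COM controls registered as "safe for scripting"
# and show which ones IE would still instantiate because no kill bit is set.
$CatSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # "Compatibility Flags" bit that blocks a control in IE

# PowerShell has no HKCR: drive by default; map HKEY_CLASSES_ROOT once.
if (-not (Test-Path 'HKCR:')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

Get-ChildItem 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $catKey = Join-Path $_.PSPath "Implemented Categories\$CatSafeForScripting"
    # Only classes that declare the safe-for-scripting category are of interest.
    if (-not (Test-Path $catKey)) { return }

    $name   = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)'
    $server = (Get-ItemProperty (Join-Path $_.PSPath 'InprocServer32') `
               -ErrorAction SilentlyContinue).'(default)'

    # A kill bit is the 0x400 bit in "Compatibility Flags" under the CLSID's
    # ActiveX Compatibility key; absent key means no kill bit.
    $flags = 0
    $kb = Get-ItemProperty (Join-Path $KillBitRoot $clsid) -ErrorAction SilentlyContinue
    if ($kb -and $kb.'Compatibility Flags') { $flags = [int]$kb.'Compatibility Flags' }

    [pscustomobject]@{
        CLSID      = $clsid
        Name       = $name
        Server     = $server
        KillBitSet = (($flags -band $KillBitFlag) -ne 0)
    }
} | Where-Object { -not $_.KillBitSet } | Sort-Object Name | Format-Table -AutoSize
```

Run it from an elevated prompt on a host you administer; each row is a control a scripted page could have instantiated without a prompt, so the list is the inventory to review against vendor advisories and kill-bit updates.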
We use it to manage several thousand Linux servers that store and process the data that's about to come from one of the LHC detectors. Handles provisioning, RPM updates, etc. And yeah, it'll work with Linux desktops.
Kernel issues still require a reboot.
Have a look at KSplice. It allows the kernel to be patched dynamically, with no reboot. It's also free to users of Ubuntu 9.04 and 9.10 but I'm not sure about others. It works nicely from what I've seen so far, and the company was nice enough to answer a few of the questions I had about it. It's great if you really want to avoid reboots.
Can you do this on Linux? Maybe. It's certainly not standard, and a lot more work. Can you automatically update Unix boxes? Sure - but to set up the monitoring of the process, it's a lot more work, and more likely will require an admin to read/interpret logs.
Sure, Linux/Unix machines are generally a bit less patch dependent to stay secure, but the Windows patching process is relatively painless if you set up a WSUS server. All you need is a spare machine (even running XP, from memory) with plenty of disk, and a method of pointing machines' Windows Update server registry entry at it - e.g. with group policy or a login script.
If Red Hat, SUSE or whoever can offer something similar that is as easy to set up and monitor, they'll certainly help get *nix easier to support as an end-user OS.
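The "registry entry pointed at a WSUS server" step the comment describes, written out as an added PowerShell example (not from the thread or from Microsoft): it sets the Windows Update policy values a login script or GPO would set, then reads them back to verify. The server URL is a constructed placeholder; the value names under the WindowsUpdate policy key are the documented ones.

```powershell
# Added example: point a client's Windows Update policy at an internal WSUS
# server, then verify the values took effect. Run elevated.
$WsusUrl = 'https://wsus.example.local:8531'   # placeholder host, not a real server

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

# Create the policy keys if no GPO has created them yet.
foreach ($k in @($PolicyKey, $AuKey)) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
}

# WUServer: where clients fetch approved updates.
# WUStatusServer: where clients report install status for the WSUS console.
Set-ItemProperty -Path $PolicyKey -Name 'WUServer'       -Value $WsusUrl -Type String
Set-ItemProperty -Path $PolicyKey -Name 'WUStatusServer' -Value $WsusUrl -Type String
# UseWUServer = 1 makes Automatic Updates use WUServer instead of Microsoft Update.
Set-ItemProperty -Path $AuKey -Name 'UseWUServer'  -Value 1 -Type DWord
# AUOptions 4 = auto download and schedule the install; NoAutoUpdate 0 = AU stays on.
Set-ItemProperty -Path $AuKey -Name 'AUOptions'    -Value 4 -Type DWord
Set-ItemProperty -Path $AuKey -Name 'NoAutoUpdate' -Value 0 -Type DWord

# Verify before trusting the change: the client must point at our server and
# the server URL must be HTTPS, so an on-path host cannot substitute update metadata.
$cfg = Get-ItemProperty -Path $PolicyKey
$au  = Get-ItemProperty -Path $AuKey
if ($au.UseWUServer -ne 1 -or $cfg.WUServer -ne $WsusUrl) {
    throw "WSUS policy not applied as expected: WUServer='$($cfg.WUServer)'"
}
if ($cfg.WUServer -notmatch '^https://') {
    throw "WSUS server URL should be HTTPS, got '$($cfg.WUServer)'"
}

# The Windows Update service reads policy at start, so restart it to apply.
Restart-Service -Name wuauserv
"Windows Update now targets $($cfg.WUServer)"
```

For a fleet, deliver the same values through a Group Policy Object rather than a per-machine script so the setting is enforced and re-applied; the script is useful for one-off hosts and for checking what a client actually has.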
Wow, yeah, when you said BK, I thought I would take the initiative and get off your lawn.
I know Microsoft is often poked at, especially around these parts, for having so many vulnerabilities to patch, but at least they're on the ball doing it. Not to mention, automatic updating has been the de facto standard now since XP SP2, so nowadays it's pretty hard not to be somewhat up to date. So my OS pulls down a batch of updates once or twice a month, big deal... I think Microsoft has done a good job with the hand of cards they've been dealt.
Not to mention, WSUS in the enterprise is an excellent, free tool for centrally managing patch deployment.
Number of patches and vulnerabilities aside, I think MS is a standout leader in this category.
The only mistake they made was the dialog box when a non-Intranet site tried to send you an ActiveX control. This shouldn't have caused a dialog box, it should have just been blocked.
Landscape