Microsoft Kicks Off Third-Party Bug Warnings

Pigskin-Referee writes "Microsoft has expanded its vulnerability disclosure policy to include not only those in its own products, but also flaws in third-party software that runs on Microsoft operating systems. These will follow the same practices as the advisories issued for Microsoft's products, and it makes sense, because many users look to Microsoft to ensure that their computers are secure, even when the problem lies with a third-party program. The company will contact and coordinate with the third-party vendor before an advisory is issued."

Good idea

[stopacop]

Since Adobe and Java are widely ignored by the general population because they have hundreds of icons on their system tray. I'm almost to the point of charging $10 extra per customer who ignores these updates.

Fair comparison to Linux

[hierofalcon]

Finally. Now if they track every product they'll finally be able to fairly compare themselves to Linux distributions.

Re:Fair comparison to Linux

[kvvbassboy]

It's *not* a fair comparison for the simple reason that Linux is open source for most part. It can be much harder to find a security vulnerability in a 3rd party software, whereas most applications running on Linux is open source.

Re:Fair comparison to Linux

[sortius_nod]

That's utter bullshit. Finding security holes makes little difference if it's open source or not. If you'd subscribed to any of the bug/security mailing lists you'd notice that predominantly it's closed source software popping up with vulnerabilities.

It's not hard to find holes in a leaking boat if you look hard enough, it's just whether the holes are big enough to warrant fixing them.

Re:Fair comparison to Linux

Not at all... if it runs on windows, there is a security flaw. See how simple that was?

Re:Fair comparison to Linux

That's being INFORMED of bugs. FINDING bugs is definitely much harder in closed-source applications.

Re:Fair comparison to Linux

[ozmanjusri]

It's *not* a fair comparison for the simple reason that Linux is open source for most part.

Who gives a rat's arse if it's fair?

I just want to know which is BETTER.

Re:Fair comparison to Linux

[kvvbassboy]

I was playing devil's advocate. Linux's system of operation (if you will) is lightyears ahead of Microsoft's "3rd party advisories" when it comes to security.

Re:Fair comparison to Linux

[gorehog]

That was the point. It's easier to close the security holes in open source than closed source.

Re:Fair comparison to Linux

[WorBlux]

Not necessarily. Some methods like fuzzing don't require source code analysis. Also being blindsided by and exploit is a sure way to find a bug.

Interesting "advisories"

[jhoegl]

Anyone else notice their advisories are against competitors?

Yeah... I call BS

Re:Interesting "advisories"

[Bacon+Bits]

I noticed that. I also noticed they didn't list the vendors I'd call the major offenders: Adobe (Flash, Reader) and Java. I find it a little unlikely none of those products has no open vulnerabilities. However, it says they're only doing responsible disclosure (CVD) and I would as easily believe that Adobe and Oracle are still unwilling to talk about security problems as much as MS just wants to smear Google and Mozilla (sorry, Opera, nobody really sees you as a threat).

Re:Interesting "advisories"

[egamma]

Anyone else notice their advisories are against competitors? Yeah... I call BS

Are you calling BS because you do not think that other companies besides MS have vulnerabilities in their products?

Or are you calling BS because you believe that MS should keep quiet about vulnerabilities they find in products other than their own?

And yes...I am calling BS on your calling BS.

Re:Interesting "advisories"

[jhoegl]

I was pretty clear about why I called BS.
But maybe it wasnt clear enough.
I call BS on the "Advisories" because....

Ah hell with it, Im not responding to a troll, except this response and only this response. No more responses after this response of me responding to the troll.

Re:Interesting "advisories"

[Bacon+Bits]

OK, I just looked at the vulnerabilities:

http://www.microsoft.com/technet/security/advisory/msvr11-001.mspx
Affects: Google Chrome version 6.0.472.55 and earlier

http://www.microsoft.com/technet/security/advisory/msvr11-002.mspx
Affects: Google Chrome version 8.0.552.210 and earlier, Opera version 10.62 and earlier

WTF? Google Chrome stable is v10, and Opera stable is v11.10.

Re:Interesting "advisories"

[Aladrin]

Do you actually think they will disclose vulnerabilities without the approval of the company? Then re-read the summary. It says right there that they will coordinate with the third party before the advisory is issued.

Even if they wanted to, if their disclosure cost the third party money, they could be sued. They won't risk that.

So his 'bs call' is perfectly legit.

Re:Interesting "advisories"

[kvvbassboy]

Depends on who the "competitors" are. Mozilla? Google? Do you really think Microsoft Research will pull out such a stunt? As far as I can seem it's the dickweeds at the corporate side of Microsoft who bring down its reputation.

Re:Interesting "advisories"

[blair1q]

Maybe they're being proactive about the ones they get the most complaints about, hence the biggest ones. Since all software has bugs, you can always find something, so if you go by complaint count, you're going to be sorting by user base, so all you're really doing is finding a roundabout way to list software companies by size. And you get to slag on them and call it a service to your customers. And it's probably 100% legal and righteous.

Until the competitors start to pay Microsoft to stop doing it.

Re:Interesting "advisories"

Microsoft knows everyone uses old browsers until they're told not to.

Re:Interesting "advisories"

...Do you really think Microsoft Research will pull out such a stunt?...

Yes, as they already have. http://www.neowin.net/news/microsoft-vulnerability-research-discovers-two-chrome-flaws
Breaking news....a long time ago our competitors had this security flaw, that they ummm....fixed a long time ago.

Re:Interesting "advisories"

[bloodhawk]

Simple fact is many users do not upgrade even when the upgrade is free. People don't even bother to apply free security patches half the time so why would you expect them to also not be using older versions of free products?

Re:Interesting "advisories"

[Bacon+Bits]

Why would someone who doesn't keep their auto-update software up-to-date read MSVR?

Re:Interesting "advisories"

Chrome auto upgrades.

Re:Interesting "advisories"

[Bacon+Bits]

Maybe they're being proactive about the ones they get the most complaints about, hence the biggest ones.

Yes, that's why I mentioned Adobe Flash, Adobe Reader, and Java JRE and wondered why they're not mentioned. Do you pay any attention at all to how malware infections actually occur? I'm sure #1 is and always will be social engineering, but those three applications have to be in the top 5 based on the number of in-the-wild exploits.

Since all software has bugs, you can always find something, so if you go by complaint count, you're going to be sorting by user base, so all you're really doing is finding a roundabout way to list software companies by size. And you get to slag on them and call it a service to your customers. And it's probably 100% legal and righteous.

One would think that MS would be inclined to post security bulletins for the most severe and most widespread issues. As you say, there are bugs in all software, but informing users about those which are the most severe and the most likely to affect them makes then most sense. Nobody cares if Firefox 2.0 has a security vulnerability because nobody uses it and so nobody exploits it. Nobody is going to write an exploit today for a vulnerability which closed over six months ago on a piece of software which is several versions out of date on software which automatically updates itself. It's ludicrous to spend the time warn people about it, and since MS does have a potential conflict of interest by listing 3rd party software, it makes even less sense to only issue security warnings on software they are in direct competition with because that will only serve to call into question MS's impartiality.

Until the competitors start to pay Microsoft to stop doing it.

That will not happen. Read the article. MS is using CVD (aka responsible disclosure) while issuing these reports. Why would a vendor pay to get MS to stop issuing alerts based on cooperative vulnerability disclosures?

Re:Interesting "advisories"

[bloodhawk]

It isn't about THEM reading it. It is about being aware what are the potential dangers out their, whether they are from a rogue user that has installed an old version of chrome on the corporate image or an external user that comes into your system remotely or merely interchanges data with your system, the vulnerability doesn't have to be on your own system to affect you.

Re:Interesting "advisories"

[aztracker1]

Well, whenever chrome starts it updates iirc... so that would be a hard isue to have with chrome, unless it's unpatched in stable.

Re:Interesting "advisories"

[bloodhawk]

It is not a hard issue to have with chrome at all. I work with 2 large government departments that BOTH have this issue, chrome website and update are blocked as it is not something that is supposed to be running on end machines and hence not in their whitelist of sites, but their are always a few users with local desktop admin rights that think it is their god given right to run whatever they want on their machine and put a copy on and NEVER update it.

Re:Interesting "advisories"

[thetoadwarrior]

Chrome updates itself and I doubt most people go through the effort of trying to disable it.

Re:Interesting "advisories"

To the FUDmobile, FUDman! We have FUD to spread.

Pay No Attention

[0100010001010011]

To the bugs behind the OS.

Anything that is an improvement

[cyberfin]

to any systems security is welcome. I do think however that MS should have introduced this directly with the launch of W7. So much could have been done by now.

Do an Apple

Ban flash from Internet Explorer and watch virus infections fall dramatically.

Where exactly are these being announced?

[Repossessed]

There's nothing concerning Chrome or Opera in the Microsoft Security Advisory RSS feed.

Java's and Adobe's updates suck.

Ah Java and Adobe!

Ya see, I run my XP box as user. The Admin account is used only for Admin. Now, in my user mode, the Java and Adobe update icons show up in the tray and when I click on them, after a while of them doing their thing, I get the "You have to have administrative privileges to perform this update." Can I do a "Run as" on those updates? Nope. Gotta log-off and log back on as the admin. "Switch User"? Turned it off for performance reasons.

Then in Admin mode, gotta re-download all of the updates again and then do the install.

So, what if your customers, or least the people using those machines, don't have admin access?

Oh, I don't have that problem with any of Microsoft's products, btw.

iTunes on Windows sucks too.

Listen Windows devs, not everyone runs their machines as Admins all the time! Geeze!

And no, you shouldn't have to be an admin to install a fucking document viewer.

Re:Java's and Adobe's updates suck.

[kevinmenzel]

If only there were solutions to this problem. Maybe if Microsoft ever releases a new version of Windows, there might be a way around some of this stuff. Too bad they haven't released one or two versions since XP came out.

Re:Java's and Adobe's updates suck.

And no, you shouldn't have to be an admin to install a fucking document viewer.

Huh, yes, you should be an admin to perform administrative tasks. You're a fucking moron.

Re:Java's and Adobe's updates suck.

[similar_name]

Installing a document viewer is not necessarily an administrative task. You can install Firefox (Windows XP) without admin privileges. As long as you have write access somewhere.

Re:Java's and Adobe's updates suck.

[Anaerin]

Ya see, I run my XP box as user. The Admin account is used only for Admin. Now, in my user mode, the Java and Adobe update icons show up in the tray and when I click on them, after a while of them doing their thing, I get the "You have to have administrative privileges to perform this update." Can I do a "Run as" on those updates? Nope. Gotta log-off and log back on as the admin. "Switch User"? Turned it off for performance reasons.

So, let me get this straight, you have enabled a high(er) security policy, and are now complaining when the higher security policy you have implemented gets in the way of something you want to do. Let's try looking at this another way:

Stupid lock makers! I installed deadbolts in my doors for security, but when I'm outside and I see I've left a light on I have to unlock my doors again to turn that light off! Can I do a "teleport into the room"? Nope. Gotta walk to the door and unlock it! X10? Didn't get the wireless option for performance reasons

It's the same kind of argument you're trying here. Some might say that the Java updater should change it's prompt if you don't have administrative rights (and/or change it's behaviour, so it doesn't bother downloading an update you can't install), but that is STILL not Microsoft fault. And, in fact, in Vista and 7, with UAC, have enabled you to do exactly as you intend, and given that XP's support is being sunset shortly, it would behoove you to update. And, for reference, Windows 7 with Aero disabled has comparable (or better) performance than Windows XP. Oh, and you CAN do a RunAs, you just need to do it from Windows - The "Update notifier" applications don't have that capability, but if you find where it downloaded the installer to, you can install it using RunAs from there.

Then in Admin mode, gotta re-download all of the updates again and then do the install.

Because it's a completely different user, and for security reasons one user's programs can't access another user's area

So, what if your customers, or least the people using those machines, don't have admin access?

You find someone (your IT manager, or the person who implemented the higher security policy) who does have admin access.

And no, you shouldn't have to be an admin to install a fucking document viewer.

Why the hell not? Software is software, no matter what it does. Your "Fucking document viewer" might have any number of other functions, including formatting the entire system if it so desires, not to mention adding files to the system (DLL/COM components/Default associations) and making all kinds of changes. The OS has no idea what a program is and what it does, just that it's something new and therefore needs approval. Or do you want an "Evil" bit to be set in programs. Just how well do you think that would work?

Re:Java's and Adobe's updates suck.

Then in Admin mode, gotta re-download all of the updates again and then do the install.

Because it's a completely different user, and for security reasons one user's programs can't access another user's area

Maybe some random user's program doesn't have access to other user's data, but he did switch to "Admin mode". Are you telling me "Admin" doesn't have access to everything?

And no, you shouldn't have to be an admin to install a fucking document viewer.

Why the hell not? Software is software, no matter what it does. Your "Fucking document viewer" might have any number of other functions, including formatting the entire system if it so desires, not to mention adding files to the system (DLL/COM components/Default associations) and making all kinds of changes. The OS has no idea what a program is and what it does, just that it's something new and therefore needs approval. Or do you want an "Evil" bit to be set in programs. Just how well do you think that would work?

In Linux I can install a "fucking document viewer" or a browser or whatever other "non-administrative" program I want and it can't format the entire system even if it tried.

Programs like mkfs and friends needs to be run as root and a normal user can't just set the suid bit on the binary.

Seems to work pretty fine to me.

Re:Java's and Adobe's updates suck.

[Luckyo]

There is an "old" saying in corporate IT: "Friends don't let friends downgrade from XP"

Because fixing all the legacy shit that "upgrade" to vista/7 will break will make you pop more anti-depressants then a trophy wife wed to a jealous 90-year old gay.

Re:Java's and Adobe's updates suck.

[ozmanjusri]

but that is STILL not Microsoft fault.

Have you ever used any other operating systems?

Re:Java's and Adobe's updates suck.

[Anaerin]

As it happens, yes. I have a Debian box running MythTV acting as DVR and NAS for my home network. And the same thing happens on linux - Try to run apt-get from a regular user (without sudo, or without sudo privileges) and you get an error message, as intended. My point still stands - Microsoft is not at fault for shortcomings in other people's products, or for security measures you yourself have implemented. Though I guess this is /., and Microsoft-bashing is pretty much par for the course here.

Re:Java's and Adobe's updates suck.

[ozmanjusri]

And how does sudo compare to logging out and logging back in as admin for convenience?

Re:Java's and Adobe's updates suck.

Hey, a measly user ain't gonna be able to install that license manager service.

Re:Java's and Adobe's updates suck.

[Pseudonym+Authority]

He disabled the Fast User Switching on his own, any inconvenience he has to endure because of that is his own fault.

Re:Java's and Adobe's updates suck.

[dragonturtle69]

My experience has been that those Win98/Win 2000/ Win XP applications that fail on Vista/7 fail due to bad or outdated design. Why are they using HKLM or %systemroot%? Allowing that design was part of what made XP and earlier weak.

Re:Java's and Adobe's updates suck.

[dragonturtle69]

And no, you shouldn't have to be an admin to install a fucking document viewer.

Correct, user applications should install at the user level. Chrome installed on Win 7 for me under a standard user account. Acrord, Flash, Java require admin level, maybe due to where the updated files are placed or registry, and because they are system applications.

Re:Java's and Adobe's updates suck.

[Luckyo]

In what way does it matter? If a user who is in important, or even key position in a company suffers from reduced efficiency because of the upgrade, it's your head that will roll when he/she complains to the boss.

Re:Java's and Adobe's updates suck.

[1u3hr]

My experience has been that those Win98/Win 2000/ Win XP applications that fail on Vista/7 fail due to bad or outdated design. Why are they using HKLM or %systemroot%? Allowing that design was part of what made XP and earlier weak.

And if my work is dependent on that application, which is now not being updated, I don't give a shit as long as the damn thing runs. If it doesn't, I will downgrade my OS if necessary.

Applications are important to users, not OSes.

Re:Java's and Adobe's updates suck.

[gorehog]

Too bad I don't need those versions. Since XP came out I started migrating away from windows. Now I can do most anything I need on linux and the few things I need windows for XP does fine.

Re:Java's and Adobe's updates suck.

+1

Re:Java's and Adobe's updates suck.

You could also run a command prompt as admin and then launch the updates (or any other program) and it will run with admin permissions. There's even use runas http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx?mfr=true and load a different profile, etc.

Re:Java's and Adobe's updates suck.

[dragonturtle69]

Use Win 98 then; single user, admin all the time, security a total afterthought. To be fair, Win 98 was designed before the always on network connections were common, certainly for home users.

Say an honest developer makes an application poorly, requiring it to have administrator access to run, and since it was made poorly, it gets cracked. By giving that application administrator access, you gave up a PC and everything it has accessible. Its network shares, database access using windows authentication and anything else it has are all available because of laziness. That's why you should care what applications have admin access.

The critical people in the company need to understand why the data they access needs to be kept safe. Someone complaining about UAC is like someone complaining about needing to unlock/lock their doors.

Re:Java's and Adobe's updates suck.

[jones_supa]

Too bad I don't need those versions. Since XP came out I started migrating away from windows.

I did the same thing, although 7 was good enough so I came back. Now I run both Windows and Ubuntu.

Re:Java's and Adobe's updates suck.

[Luckyo]

Vast majority of "critical people" in the company wouldn't be able to define what "data access" is in the way you reference it. They don't care either, as it's not part of their job description. An frankly, having seen what they have to work with, I understand why. The intricate details of their work look just as arcane to me as IT's work must look to them.

Point is, there's no need for win98 as you reference it - XP runs pretty much all legacy 16-bit stuff good enough, and being 7 years old most of the arcane stuff has already been made to work with XP.

Same cannot be said about 7 - not by a long shot. And that is the main problem why no one sane lets IT upgrade key personnel that don't specifically request 7.

Re:Java's and Adobe's updates suck.

[Sam+Douglas]

If my work is dependent on an application that no longer runs on modern operating systems, then I have a problem. I will make the application work, and/or try to find a way to not be dependent on unsupported software that will leave me up shit creek in future. Luckily VMs make it easy to run various operating systems as needed, even if modern hardware is poorly supported by them.

Re:Java's and Adobe's updates suck.

[Sam+Douglas]

I quite like the approach of just installing to your home directory by default, and offering to install for all users as a secondary option. It works well for single user systems and somewhat limits the damage that can be caused on a multi-user system.

In my opinion too much software is packaged to target some experience in between individual use and corporate use. I like that Google Chrome just installs somewhere and updating just happens without me really being involved or having to prod it along. Minecraft is another popular app that uses that model to good effect.

Really?

[93+Escort+Wagon]

because many users look to Microsoft to ensure that their computers are secure

Okay, that explains a lot.

A move I agree with!

[erroneus]

Finally something Microsoft is doing right. Fact is, "Windows" it vulnerable as hell not only because of their own crap, but the crap of others... and truth be told, it's probably more other crap that does more damage to Windows than anything else. Okay so there's a combination of stupid in effect... Microsoft can't seem to limit the applications and drivers to prevent them from doing bad things (as they should) and bad apps need backward compatibility... yeah... no... not really but Microsoft seems to think so.

Anyway, keep doing that and a little more and I won't hate Microsoft OSes so much.

Re:A move I agree with!

[jhoegl]

I would agree with you if they called out Adobe, Java, IRC programs, News viewers, file sharing, firewalls, routers, server software, websites, etc.

But instead they call out browsers. Browsers that have significant market share on them.
Not only that, but Old browsers with old bugs. I mean if we were to do that we should call out Windows 95/WindowsNT/2000/2003RC1/Vista bugs that they havent patched.
Not because they dont support them anymore, but because they are still not fixed in that release iteration.

Re:A move I agree with!

[Yunzil]

bad apps need backward compatibility... yeah... no... not really but Microsoft seems to think so.

Actually, you mean "yeah, and Microsoft is right."

Full-Time Jobs For All!

[tunapez]

Wow, this endeavor could very well add thousands, or 10's of thousands, of new jobs to the economy. Or, it's a PR campaign to push IE9, et al MS apps.
 
  Hmmm, which is more likely?

Re:Full-Time Jobs For All!

For lawyers maybe. For the rest of the employable world it'll probably have a negative effect.

If you REALLY want to make Windows secure

[TClevenger]

Add Adobe Flash, Adobe Reader and Java to Windows Automatic Updates. That will resolve 90% of the issues.

Re:If you REALLY want to make Windows secure

[jones_supa]

This is actually a great idea. Windows also should have some kind of "third party repositories" in the update system.

Deal with it.

[Pseudonym+Authority]

XP is crap grandpa. Just update your fucking applications already and stop using a 236354 year old operating system because your poorly designed program from 1993 can't run without admin rights.

Seriously, are you really bitching that Windows finally has a security model? God damn you people are impossible to please.

They need 4th and 5th Party HELP too!

[mcdmgsmith7475]

The biggest fault that Bill Gates doesn't understand in his crappy OS's is just this: The concept of a System Registry. Absolute, Joke! Terrible flaw!!!!! Microsoft = Frequent reboots because of drastic memory leaks. Frequent security patches that require constant reboots. "Require" anti-virus software (Norton, McAfee) that do not work to the extent they say they do. This all equals downtime and headaches for businesses. Microsoft doesn't belong at the Enterprise Level. PERIOD! It's an absolute money pit to maintain and administer because of the reasons I stated. Although it is Job Security!!!!

Re:They need 4th and 5th Party HELP too!

[Bacon+Bits]

The registry is no worse and no more complex than /boot/, /dev/, /etc/, and parts of /lib/ combined. That's all the registry is, with a little /home/ thrown in for HKCU. If you honestly believe otherwise, you've honestly never dealt with either system for any extended period with any applications of consequence. It takes maybe one or two hours of serious study to understand how the registry is laid out and what each bit does for the system. It's not hard. People are just intimidated. They think that editing a live hierarchal database is somehow more scary than editing a live filesystem, without realizing it's essentially the same thing.

Windows itself has not had memory leaks since prior to Windows 2000, and making this argument dates your experiences towards obsolescence. Complaints about other software being shoddy should be directed at those particular vendors. Or should we start blaming kernel.org because we found a bug in a binary driver? FOSS political followers love that.

Rebooting servers to apply patches takes about 1 hour a month for the entire network for about 50 servers. Honestly, if your systems cannot handle the server being inaccessible for the time it takes a system to restart, you've built an amazing fault-intolerant system. It does not take significantly longer than it does to stop and start services on Linux servers, which needs to be done when that software is updated. The idea of never rebooting servers is outdated and unwise, as if you never reboot servers and suddenly you have to due to an emergency restart, hardware failure, or hardware update and discover a problem at boot, you will never know if your system isn't booting because of the hardware failure or because you updated the software this month. Or the month before that. Or the month before that. Or the month before that. Or changed the configuration six months ago. Or twelve months ago. Wait, did Bob do a change nine months ago? Or was that reverting a change from last year? You're suddenly stuck in a position of having no idea why your server is broken and only knowing that the last known good state was three years ago and you probably haven't even got the grandfather backup any longer. Good job. Have a nice weekend with that. Hope your resume is polished and ready.

I've said it before: If you are so poor at systems administration that you cannot adequately harden and secure Windows Server and keep it running smoothly, you do not deserve to be a systems administrator of any operating system. Turn in your badge and keyboard.

Re:They need 4th and 5th Party HELP too!

http://blogs.msdn.com/b/oldnewthing/archive/2007/11/26/6523907.aspx

Re:They need 4th and 5th Party HELP too!

[mcdmgsmith7475]

Only memory leaks prior to Windows 2000? That just summed up your knowledge in itself.

Re:They need 4th and 5th Party HELP too!

[mcdmgsmith7475]

Oh poop, I completely forgot about the nonstop security flaws that this company seems to attract. Keep in my Knucklehead, Microsoft Corporate runs Unix! Let me guess, you went to college learning MS like most innocent kids looking for an IT Degree. If you want to separate yourself become an RHCE like myself ya knucklehead.

Re:They need 4th and 5th Party HELP too!

[mcdmgsmith7475]

The registry is no worse and no more complex than /boot/, /dev/, /etc/, and parts of /lib/ combined. That's all the registry is, with a little /home/ thrown in for HKCU. Dude, I've fortunately read many of your comments that you've pleasantly blessed this forum with. You're a knucklehead! I swear to God Almighty that you have not a flippin clue! I let 3 other RHCE's read your comments and it made for some fun times. Take care!

Re:vista/7

[TaoPhoenix]

Just a little more time.
Let's get it in the open, Vista was a documented Hail Mary from when they lost two entire years of dev time and started over about 2004. 7 is just what Vista should have been if they had planned better.

So now that 7 got the "housekeeping" done, it's time to see what Windows 8 is, with its plans for App Stores vs. whatever evil media tracking tricks get baked into the OS.

How about working on FIXING problems first?

Windows has this awesome updating feature that even works with certain Windows programs (like Office). Why do they not have any way for third-party programs to tie into it?

I think if you did a poll on a large number of computer users and asked "Would you rather be informed when your software might have a security flaw, or just have it fixed?", most would choose to just have it fixed. And if programs can use the built-in Windows mechanisms, people are more likely to update their software (since a lot of basic computer users ignore update notices, and lots of more advanced users turn off the update programs since every program has a separate update program that wants to run all the time).

vulnerability lies with a third-party program?

[doperative]

"Microsoft has expanded its vulnerability disclosure policy to include not only those in its own products, but also flaws in third-party software that runs on Microsoft operating systems. These will follow the same practices as the advisories issued for Microsoft's products, and it makes sense, because many users look to Microsoft to ensure that their computers are secure, even when the problem lies with a third-party program. The company will contact and coordinate with the third-party vendor before an advisory is issued."

Look, for the umpteemed time, a programming error in an application that leads to a system compromise, is a defect in the underlying Operating System, namely Microsoft Windows/WinNT/Longhorn/Vista/Windows ...

Internet Malware ..

[doperative]

> Pay no attention to the the bugs behind the OS.

And what ever you do don't mention WIndows, talk about Internet malware instead ... :)

Linux (kernel only) compared 2 Win7 anyone?

Microsoft ENTIRE "business development suite": (only 5 KNOWN unpatched security vulnerabilities)

---

Vulnerability Report: Microsoft Office 2010: (04/23/2011)

http://secunia.com/advisories/product/30529/?task=advisories

Unpatched 0% (0 of 4 Secunia advisories)

---

Vulnerability Report: Microsoft SQL Server 2008: (04/23/2011)

http://secunia.com/advisories/product/21744/

Unpatched 0% (0 of 4 Secunia advisories)

---

Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (04/23/2011)

http://secunia.com/advisories/product/17543/

Unpatched 0% (0 of 6 Secunia advisories)

---

Vulnerability Report: Microsoft Visual Studio 2010: (04/23/2011)

http://secunia.com/advisories/product/30853/?task=advisories

Unpatched 17% (0 of 6 Secunia advisories)

---

Vulnerability Report: Microsoft Internet Explorer 9.x: (04/23/2011)

http://secunia.com/advisories/product/34591/

Unpatched 0% (0 of 0 Secunia advisories)

---

Vulnerability Report: Microsoft Windows 7: (04/23/2011)

http://secunia.com/advisories/product/27467/?task=advisories

Unpatched 8% (5 of 59 Secunia advisories)

---

THAT's 3.5++x LESS THAN IS PRESENT ON THE LINUX 2.6x KERNEL ALONE! See below...

(Toss on the rest of what goes into a Linux distro? That # goes "up, Up, UP & AWAY...", bigime, "increasing that lead, that Linux has", lol, in more unpatched known security bugs present that is (a dubious honor/win, lol, to say the least!))

---

Compare a "*NIX/Open SORES" OS in Linux's "latest/greatest"?:

---

Vulnerability Report: Linux Kernel 2.6.x (04/23/2011)

http://secunia.com/advisories/product/2719/?task=advisories

Unpatched 7% (18 of 259 Secunia advisories)

---

THAT? Again - That's rougly 3.5++x as many as Windows 7 has that are unpatched

Also, AGAIN:

THAT'S ONLY THE LINUX KERNEL MIND YOU, not the entire 'gamut/array' of what actually comes in a Linux distro (such as the attendant GUI, Windows managers, browsers, etc. that ship in distros too that have bugs, and yes, THEY DO), THAT ADDS EVEN MORE BUGS that COMPOUNDS THAT # EVEN MORE!

APK

P.S.=> So, so much for "Windows is less secure than Linux" stuff you see around here on /., eh?

(It gets even WORSE for 'Linuxdom' when you toss on ANDROID (yes, it's a LINUX variant too), because it's being shredded on the security-front lately, unfortunately)

BOTTOM-LINE:

What this all comes down to, is all the "Pro-*NIX propoganda straight outta pravda" practically doesn't stand up very well against concrete, verifiable & visible facts now, does it? Nope... apk

Re:Linux (kernel only) compared 2 Win7 anyone?

[WorBlux]

Mary collect 354 coins, Paul collect 108. Whose coin collection is worth more?

It depends on the value of each coin.

Not a single highly or extremely critical advisory issued for the 2.6 kernel, and 42% of the advisories not critical at all. For Windows 7 42% of the advisories for were highly or extremely critical. 66% of the vulnerabilities of windows 7 are remotely exploitable, vs. 15% of 2.6.x

Beside that your comparing less than two years of history to over 7 as well. In addition the environment and incentives are different. In the FOSS world, shouting "Here's a bug and here's how I fixed it" gets you a lot of credibility. With M$ they want no publicity about bugs expect when it would irresponsible not to disclose them. (e.g. when they are actively being explioted). All the little bugs and fixes if any are held close to avoid publicity and hope that security through obscurity might hold up.

Bottom line, one of the best ways to test code for bugs is to throw random data (fuzzing) at it and see what happens. Or at least that's a much better way than to rely on than plain numbers generated by two very different operating philosophies and practices.

Re:Linux (kernel only) compared 2 Win7 anyone?

Above all else - That's only a kernel in Linux: NOT AN ENTIRE DISTRO! (as Windows 7 is)...

Funny how you Linux people ALWAYS seem to "conveniently omit that", eh?

(Toss on the REST of what comes in Linux?? That # of "faults" goes "up, Up. UP & AWAY"...)

---

"Not a single highly or extremely critical advisory issued for the 2.6 kernel, and 42% of the advisories not critical at all. " - by WorBlux (1751716) on Saturday April 23, @09:54PM (#35918358)

Not now, but last week there was a REMOTE one, in Linux, AND for weeks in the "rose" subsystem...

(And again: There certainly are MORE OF THEM in Linux, by far, still.)

(AND YET AGAIN - THAT'S ONLY THE LINUX KERNEL BEING JUDGED (not the entirety of what a Linux distro is & ships with, which adds MORE BUGS!))

---

"For Windows 7 42% of the advisories for were highly or extremely critical. 66% of the vulnerabilities of windows 7 are remotely exploitable, vs. 15% of 2.6.x" - by WorBlux (1751716) on Saturday April 23, @09:54PM (#35918358)

And, still: There's only 5 of them in Windows 7, an ENTIRE OS mind you, not just a kernel like Linux 2.6x (with EASY work-arounds, that 'boil-down' to 1 simple thing: "DON'T BE STUPID", in essence!), vs. 18 in Linux's KERNEL ALONE!

So - Toss on the REST of what DOES GO INTO A LINUX DISTRY & THOSE BUG #'s go "up, Up, UP & AWAY" & get higher still!

Period!

---

LMAO - this next one?

Oh, it's a FAVORITE of mine, that *NIX heads here have "tried to use to pull the wool over everyone's eyes with":

"Beside that your comparing less than two years of history to over 7 as well." - by WorBlux (1751716) on Saturday April 23, @09:54PM (#35918358)

Both Linux &/or Windows NT-based OS' are of the relatively SAME relative age, in BOTH "hit market" (release to general public) around the 1992-1994 period... so, your point here, is WHAT?

I will tell you what mine is though - Both OS' are the same age pretty much, & one (Linux) has MORE UNPATCHED KNOWN SECURITY BUGS THAN THE OTHER (Windows)... that's what.

---

Heh, this one's a "new twist" I had to think about... but, not long:

"In addition the environment and incentives are different." - by WorBlux (1751716) on Saturday April 23, @09:54PM (#35918358)

Let's see:

1.) Both items being compared are computer operating systems

2.) Both items have bug counts for unpatched known security vulnerabilities

3.) Linux has MORE UNPATCHED SECURITY BUGS than does Windows 7

Hmmm... let me think on that, lol! No, I'll still "stick to my guns" here of:

Linux just plain has MORE KNOWN UNPATCHED SECURITY ISSUES IN ITS KERNEL ALONE, than does Windows 7 (an ENTIRE OS DISTRO), and for good measure, THAN DOES THE ENTIRE MS "Business Development Suite" in MS':

---

1.) DB Engine SQLServer 2008
2.) WebServer IIS 7
3.) Office Suite Microsoft Office 2010
4.) WebBrowser IE9
5.) Development Tools IDE Visual Studio 2010
6.) Operating System Windows 7

---

= 5 known security issues unpatched IN AN ENTIRE BUSINESS DEVELOPMENT SUITE (Nearly Ms' ENTIRE TOOLSET) , vs. 18 in an OS' kernel ALONE (Linux 2.6x)...

PERIOD!

APK

P.S.=> Oh, lastly: I've got a BETTER WAY, as well as a practical example!

"Bottom line, one of the best ways to test code for bugs is to throw random data (fuzzing) at it and see what happens. Or at least that's a much better way than to rely on than plain numbers generated by two very different operating philosophies and practices" - by WorBlux (1751716) on Saturday April 23, @09:54PM (#35918358)

AHEM: Again - WHAT ABOUT ANDROID?

ANDROID'S showing you ALL that once you get a

Let's pay attention 2 OS' (Linux 2.6x vs. Win7)

Microsoft ENTIRE "business development suite": (only 5 KNOWN unpatched security vulnerabilities, vs. 18 in the Linux KERNEL ONLY (which is, after all, ONLY A FRACTION OF WHAT'S POSSIBLE IN AN ENTIRE LINUX DISTRO))

---

Vulnerability Report: Microsoft Office 2010: (04/23/2011)

http://secunia.com/advisories/product/30529/?task=advisories

Unpatched 0% (0 of 4 Secunia advisories)

---

Vulnerability Report: Microsoft SQL Server 2008: (04/23/2011)

http://secunia.com/advisories/product/21744/

Unpatched 0% (0 of 4 Secunia advisories)

---

Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (04/23/2011)

http://secunia.com/advisories/product/17543/

Unpatched 0% (0 of 6 Secunia advisories)

---

Vulnerability Report: Microsoft Visual Studio 2010: (04/23/2011)

http://secunia.com/advisories/product/30853/?task=advisories

Unpatched 17% (0 of 6 Secunia advisories)

---

Vulnerability Report: Microsoft Internet Explorer 9.x: (04/23/2011)

http://secunia.com/advisories/product/34591/

Unpatched 0% (0 of 0 Secunia advisories)

---

Vulnerability Report: Microsoft Windows 7: (04/23/2011)

http://secunia.com/advisories/product/27467/?task=advisories

Unpatched 8% (5 of 59 Secunia advisories)

* Of which only 2 are remote, with basic workarounds (don't be stupid stuff)...

---

THAT's 3.5++x LESS THAN IS PRESENT ON THE LINUX 2.6x KERNEL ALONE! See below...

(Toss on the rest of what goes into a Linux distro? That # goes "up, Up, UP & AWAY...", bigime, "increasing that lead, that Linux has", lol, in more unpatched known security bugs present that is (a dubious honor/win, lol, to say the least!))

---

Compare a "*NIX/Open SORES" OS in Linux's "latest/greatest"?:

---

Vulnerability Report: Linux Kernel 2.6.x (04/23/2011)

http://secunia.com/advisories/product/2719/?task=advisories

Unpatched 7% (18 of 259 Secunia advisories)

---

THAT? Again - That's rougly 3.5++x as many as Windows 7 has that are unpatched

Also, AGAIN:

THAT'S ONLY THE LINUX KERNEL MIND YOU, not the entire 'gamut/array' of what actually comes in a Linux distro (such as the attendant GUI, Windows managers, browsers, etc. that ship in distros too that have bugs, and yes, THEY DO), THAT ADDS EVEN MORE BUGS that COMPOUNDS THAT # EVEN MORE!

APK

P.S.=> So, so much for "Windows is less secure than Linux" stuff you see around here on /., eh?

(It gets even WORSE for 'Linuxdom' when you toss on ANDROID (yes, it's a LINUX variant too), because it's being shredded on the security-front lately, unfortunately)

BOTTOM-LINE:

What this all comes down to, is all the "Pro-*NIX propoganda straight outta pravda" practically doesn't stand up very well against concrete, verifiable & visible facts now, does it? Nope... apk

Dilution

[gorehog]

A large number of the security holes in Windows apps are caused by flaws in Windows libraries. Calling out others who have used your flawed library has the effect of diluting warnings about yourself. MS won't look so bad if they point their finger at others and say "see, theirs sucks too!"

Re:Dilution

"A number"?

How many? And how many of these are being listed as other companies problems? This is pretty much a strawman...
"Random supposition. If this is in fact true, then MS and penguins are part of a plot to take over the world"

Also it can't really work, no on in their right mind is going to say "company X called one of our assemblies which is broke, they done screwed up", if only for the fact that other security monitors would call BS on them. Sorry for not using the phrase "M$", but it's not 1995 and I'm not 12.

Can U agree w/ facts from good sources?

Microsoft ENTIRE "business development suite": (only 5 KNOWN unpatched security vulnerabilities, vs. 18 in the Linux KERNEL ONLY (which is, after all, ONLY A FRACTION OF WHAT'S POSSIBLE IN AN ENTIRE LINUX DISTRO))

---

Vulnerability Report: Microsoft Office 2010: (04/23/2011)

http://secunia.com/advisories/product/30529/?task=advisories

Unpatched 0% (0 of 4 Secunia advisories)

---

Vulnerability Report: Microsoft SQL Server 2008: (04/23/2011)

http://secunia.com/advisories/product/21744/

Unpatched 0% (0 of 4 Secunia advisories)

---

Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (04/23/2011)

http://secunia.com/advisories/product/17543/

Unpatched 0% (0 of 6 Secunia advisories)

---

Vulnerability Report: Microsoft Visual Studio 2010: (04/23/2011)

http://secunia.com/advisories/product/30853/?task=advisories

Unpatched 17% (0 of 6 Secunia advisories)

---

Vulnerability Report: Microsoft Internet Explorer 9.x: (04/23/2011)

http://secunia.com/advisories/product/34591/

Unpatched 0% (0 of 0 Secunia advisories)

---

Vulnerability Report: Microsoft Windows 7: (04/23/2011)

http://secunia.com/advisories/product/27467/?task=advisories

Unpatched 8% (5 of 59 Secunia advisories)

* Of which only 2 are remote, with basic workarounds (don't be stupid stuff)...

---

THAT's 3.5++x LESS THAN IS PRESENT ON THE LINUX 2.6x KERNEL ALONE! See below...

(Toss on the rest of what goes into a Linux distro? That # goes "up, Up, UP & AWAY...", bigime, "increasing that lead, that Linux has", lol, in more unpatched known security bugs present that is (a dubious honor/win, lol, to say the least!))

---

"Fact is, "Windows" it vulnerable as hell not only because of their own crap, but the crap of others" - by erroneus (253617) on Friday April 22, @07:12PM (#35911156) Homepage

Ahem: Overall, Windows 7's LESS "vulnerable" than Linux is (see above & below)...

(The apps of others', such as Adobe products, doesn't help MS, & yes, they're making a "good move" on this... I agree!)

However, on that VERY NOTE?

Well - Lets compare a "*NIX/Open SORES" OS, in Linux's "latest/greatest"::

---

Vulnerability Report: Linux Kernel 2.6.x (04/23/2011)

http://secunia.com/advisories/product/2719/?task=advisories

Unpatched 7% (18 of 259 Secunia advisories)

---

THAT? Again - That's rougly 3.5++x as many as Windows 7 has that are unpatched

Also, AGAIN:

THAT'S ONLY THE LINUX KERNEL MIND YOU, not the entire 'gamut/array' of what actually comes in a Linux distro (such as the attendant GUI, Windows managers, browsers, etc. that ship in distros too that have bugs, and yes, THEY DO), THAT ADDS EVEN MORE BUGS that COMPOUNDS THAT # EVEN MORE!

---

Funniest part:

All those "local exploits", once a bug gets "inside" (via email or bogus link clicked on by a user, part of the "don't be stupid" stuff I noted above under Windows' list?)?

They can & often DO, become REMOTE EXPLOITS, easily enough, because they get used by malware once it's "invited inside" by users...

Don't think THAT can't & doesn't happen on Linux variants as well (think ANDROID, for example)...

The only reason most Linux distros aren't exploited is n

Linux 2.6 (kernel ONLY) vs. Win7 (ENTIRE OS)

Above all else - That's only a kernel in Linux: NOT AN ENTIRE DISTRO! ( as Windows 7 is )...

Funny how you Linux people ALWAYS seem to "conveniently omit that", eh?

(Toss on the REST of what comes in Linux?? That # of "faults" goes "up, Up. UP & AWAY"...)

---

"Not a single highly or extremely critical advisory issued for the 2.6 kernel, and 42% of the advisories not critical at all. " - by WorBlux (1751716) on Saturday April 23, @09:54PM (#35918358)

Not now, but last week there was a REMOTE one, in Linux, AND for weeks in the "rose" subsystem...

(And again: There certainly are MORE OF THEM in Linux, by far, still.)

(AND YET AGAIN - THAT'S ONLY THE LINUX KERNEL BEING JUDGED (not the entirety of what a Linux distro is & ships with, which adds MORE BUGS!))

---

"For Windows 7 42% of the advisories for were highly or extremely critical. 66% of the vulnerabilities of windows 7 are remotely exploitable, vs. 15% of 2.6.x" - by WorBlux (1751716) on Saturday April 23, @09:54PM (#35918358)

And, still: There's only 5 of them in Windows 7, an ENTIRE OS mind you, not just a kernel like Linux 2.6x (with EASY work-arounds, that 'boil-down' to 1 simple thing: "DON'T BE STUPID", in essence!), vs. 18 in Linux's KERNEL ALONE!

So - Toss on the REST of what DOES GO INTO A LINUX DISTRY & THOSE BUG #'s go "up, Up, UP & AWAY" & get higher still!

Period!

---

LMAO - this next one?

Oh, it's a FAVORITE of mine, that *NIX heads here have "tried to use to pull the wool over everyone's eyes with":

"Beside that your comparing less than two years of history to over 7 as well." - by WorBlux (1751716) on Saturday April 23, @09:54PM (#35918358)

Both Linux &/or Windows NT-based OS' are of the relatively SAME relative age, in BOTH "hit market" (release to general public) around the 1992-1994 period... so, your point here, is WHAT?

I will tell you what mine is though - Both OS' are the same age pretty much, & one (Linux) has MORE UNPATCHED KNOWN SECURITY BUGS THAN THE OTHER (Windows)... that's what.

---

Heh, this one's a "new twist" I had to think about... but, not long:

"In addition the environment and incentives are different." - by WorBlux (1751716) on Saturday April 23, @09:54PM (#35918358)

Let's see:

1.) Both items being compared are computer operating systems

2.) Both items have bug counts for unpatched known security vulnerabilities

3.) Linux has MORE UNPATCHED SECURITY BUGS than does Windows 7

Hmmm... let me think on that, lol! No, I'll still "stick to my guns" here of:

Linux just plain has MORE KNOWN UNPATCHED SECURITY ISSUES IN ITS KERNEL ALONE, than does Windows 7 (an ENTIRE OS DISTRO), and for good measure, THAN DOES THE ENTIRE MS "Business Development Suite" in MS':

---

1.) DB Engine SQLServer 2008
2.) WebServer IIS 7
3.) Office Suite Microsoft Office 2010
4.) WebBrowser IE9
5.) Development Tools IDE Visual Studio 2010
6.) Operating System Windows 7

---

= 5 known security issues unpatched IN AN ENTIRE BUSINESS DEVELOPMENT SUITE (Nearly Ms' ENTIRE TOOLSET) , vs. 18 in an OS' kernel ALONE (Linux 2.6x)...

PERIOD!

APK

P.S.=> Oh, lastly: I've got a BETTER WAY, as well as a practical example!

"Bottom line, one of the best ways to test code for bugs is to throw random data (fuzzing) at it and see what happens. Or at least that's a much better way than to rely on than plain numbers generated by two very different operating philosophies and practices" - by WorBlux (1751716) on Saturday April 23, @09:54PM (#35918358)

AHEM: Again - WHAT ABOUT ANDROID?

ANDROID'S showing you ALL that once you get

Cool!

[justforgetme]

Now spamers will have one more vector for scareware distribution!!!

Oh, I so love this world!!!!