Microsoft Releases Out-of-Band Security Patch For Windows
mrspoonsi writes: Microsoft has announced that they will be pushing an out-of-band security patch today. The patch, which affects nearly all of the company's major platforms, is rated 'critical' and it is recommended that you install the patch immediately. The patch is rated 'critical' because it allows for elevation of privileges and will require a restart. The platforms that are affected include: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1. Windows 10 Technical Preview customers are affected, too.
I hate it when tech companies and CS in particular misuse technical terms. "Unscheduled" is the word they really meant (and should have used.)
For Windows 8 and Windows 8.1, the Windows Update web site says "Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability." For all the other systems, the update is rated Critical.
Am I looking at the wrong thing?
Does not affect Vista, Windows 7, Windows 8, 8.1. RTF when doing a summary.

Affected Software: Windows Operating System and Components (Bulletin Identifier MS14-068 for every entry below)
Windows Server 2003 (Aggregate Severity Rating: Critical)
    Windows Server 2003 Service Pack 2 (Critical)
    Windows Server 2003 x64 Edition Service Pack 2 (Critical)
    Windows Server 2003 with SP2 for Itanium-based Systems (Critical)

Windows Vista (Aggregate Severity Rating: None)
    Windows Vista Service Pack 2 (No severity rating)[1]
    Windows Vista x64 Edition Service Pack 2 (No severity rating)[1]

Windows Server 2008 (Aggregate Severity Rating: Critical)
    Windows Server 2008 for 32-bit Systems Service Pack 2 (Critical)
    Windows Server 2008 for x64-based Systems Service Pack 2 (Critical)
    Windows Server 2008 for Itanium-based Systems Service Pack 2 (Critical)

Windows 7 (Aggregate Severity Rating: None)
    Windows 7 for 32-bit Systems Service Pack 1 (No severity rating)[1]
    Windows 7 for x64-based Systems Service Pack 1 (No severity rating)[1]

Windows Server 2008 R2 (Aggregate Severity Rating: Critical)
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Critical)
    Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Critical)

Windows 8 and Windows 8.1 (Aggregate Severity Rating: None)
    Windows 8 for 32-bit Systems (No severity rating)[1]
    Windows 8 for x64-based Systems (No severity rating)[1]
    Windows 8.1 for 32-bit Systems (No severity rating)[1]
    Windows 8.1 for x64-based Systems (No severity rating)[1]

Windows Server 2012 and Windows Server 2012 R2 (Aggregate Severity Rating: Critical)
    Windows Server 2012 (Critical)
    Windows Server 2012 R2 (Critical)

Windows RT and Windows RT 8.1 (Aggregate Severity Rating: None)
    Windows RT (Not applicable)
    Windows RT 8.1 (Not applicable)

Server Core installation option (Aggregate Severity Rating: Critical)
    Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Critical)
    Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Critical)
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Critical)
    Windows Server 2012 (Server Core installation) (Critical)
    Windows Server 2012 R2 (Server Core installation) (Critical)

Notes for MS14-068
Windows Technical Preview and Windows Server Technical Preview are affected. Customers running these operating systems are encouraged to apply the update, which will be available via Windows Update.

[1] Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability.
You are partially (mostly) correct. There is a patch for the client side too, however it is not rated with any security rating because although the bad code exists on client as well there is currently no known way to activate that code as it is only exposed in server scenarios. They will patch it just for good code maintenance - but no known vulnerability on client. As far as the GP asking about XP - XP is out of support and doesn't get patches.
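Since the bulletin rates the update Critical only on the server editions (and the comment above explains why the client-side code is not reachable), the box a practitioner most needs to verify is the domain controller. The PowerShell below is an added example, not code from the thread or from Microsoft: it enumerates the domain's DCs and checks each one for the MS14-068 update package, KB3011780 (the KB number is a fact not stated on the page). It assumes the RSAT ActiveDirectory module is present on the admin workstation and that the DCs accept remote WMI queries from it; both are assumptions, and a DC that cannot be queried is reported separately from one that is simply unpatched.

```powershell
# Added example: confirm MS14-068 (KB3011780) is installed on every domain controller.
# Assumptions (not from the thread): ActiveDirectory module available, remote WMI reachable.
#Requires -Modules ActiveDirectory

$Kb = 'KB3011780'   # update package shipped for MS14-068

# Every DC in the current domain; the KDC runs only here, which is why the server
# editions are rated Critical while the client editions are defense-in-depth only.
$dcs = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    try {
        # Get-HotFix queries Win32_QuickFixEngineering; with -ErrorAction Stop a missing
        # KB or an unreachable host both surface as a terminating error.
        $fix = Get-HotFix -Id $Kb -ComputerName $dc -ErrorAction Stop
        [pscustomobject]@{ DC = $dc; Patched = $true; InstalledOn = $fix.InstalledOn; Note = '' }
    }
    catch {
        # Tell "KB not installed" apart from "could not ask": a host that does not answer
        # a ping is reported as unreachable rather than silently counted as patched.
        $up = Test-Connection -ComputerName $dc -Count 1 -Quiet
        $note = if ($up) { 'KB not installed' } else { 'unreachable, status unknown' }
        [pscustomobject]@{ DC = $dc; Patched = $false; InstalledOn = $null; Note = $note }
    }
}

$results | Sort-Object Patched, DC | Format-Table -AutoSize

# Non-zero exit so this can gate a deployment job: any DC not confirmed patched fails the run.
$missing = @($results | Where-Object { -not $_.Patched })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} domain controller(s) not confirmed for {1}: {2}" -f `
        $missing.Count, $Kb, ($missing.DC -join ', '))
    exit 1
}
Write-Host "All $($dcs.Count) domain controllers report $Kb installed."
```

Run it from an account that can query WMI on the DCs. The same `Get-HotFix -Id KB3011780` check works on a client edition too, but a missing result there is the defense-in-depth hardening the bulletin describes, not a Critical exposure.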
Absolutely. We have a scheduled nightly patch push three times per week. New patches come into the test facility, they get run against our known baseline applications (commercial and homegrown), then get pushed after they pass QA. Nothing gets pushed straight from MS or anyone else. We can push out of cycle, but usually nothing is so critical it can't wait for 2-3 days of testing.
Chrome not properly handling some TLS 1.2 cyphers is hardly an MS bug, though they do have a workaround for compatibility if you need it.
Even if you did have something better to do, would you rather be testing and deploying security updates or cleaning up a security breach?
It is easy to be unhappy about security updates because of the implied security bug, a bug that shouldn't have been in there in the first place. Yet we also have to remember that people are investing a lot of time into discovering and exploiting design/implementation flaws because we invest so much into computers and networks. It doesn't matter whether the mistake shouldn't have passed the muster of code review or if it's so obscure that it would take security experts years to understand its implications; someone is going to find it. It is, unfortunately, something that we've been seeing a lot of lately, and it is something that won't disappear in the future.
(We also shouldn't be targeting Microsoft, because most platforms have seen critical security updates and even critical security breaches lately. It doesn't matter how proficient the developers are, nor does it matter who they work for. What matters is the value of the systems and data being compromised.)
Any worthwhile testing would take weeks to perform.
Enjoy being exposed to known and active vulnerabilities while you're busy testing each patch individually against a dozen or more hardware configs across dozens of applications across hundreds of workloads, and 99.99% of the time you'll find no problems that justify holding the patch back. And you'll STILL have Jerry from Accounting call you up after you deploy it because it broke the medieval torture device he calls an "ergonomic" keyboard.
You (or some peon) will then be dispatched to his desk to investigate Brenda's ticket of "Jerry's computer frozen please advise.", and you'll be forced to awkwardly use that shitty keyboard while you troubleshoot (you didn't bring your own because you forgot he fucking had the damned thing).
Here's the testing you need to do in the real world:
Install all the patches on your machine.
Reboot.
Launch IE, FF, Chrome, Outlook, Word, and Excel.
Launch any applications mentioned in the bulletin.
If nothing crashed, deploy the patch to everyone.
If something crashed, search "Patch Tuesday Breaks " and look for recent shit.