Slashdot Mirror


Microsoft Releases Out-of-Band Security Patch For Windows

mrspoonsi writes Microsoft has announced that they will be pushing an out-of-band security patch today. The patch, which affects nearly all of the company's major platforms, is rated 'critical' and it is recommended that you install the patch immediately. The patch is rated 'critical' because it allows for elevation of privileges and will require a restart. The platforms that are affected include: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1. Windows 10 Technical Preview customers are affected, too.

  1. Better go kick WSUS into a sync... by MachineShedFred · · Score: 4, Funny

    I love nothing better than starting out my Tuesday with rebooting every Windows box...

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    1. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 1, Funny

      Scheduling an emergency patch and reboot with terminal servers among all employees is a huge PITA! "Awww, do we have to? I've got all this work to...*BEEP*." Sorry guys, finger slipped when it asked me to reboot or not. OTOH, server secure :)

      --
      Life is not for the lazy.
    2. Re:Better go kick WSUS into a sync... by Richard_at_work · · Score: 4, Insightful

      If you roll out your patches the moment they come in, you are a retard - whatever happened to testing them in a subset of your organisation before releasing them to the general population, or do you enjoy running around like a headless chicken when there's a compatibility conflict?

    3. Re:Better go kick WSUS into a sync... by Tiger4 · · Score: 4, Informative

      Absolutely. We have a scheduled nightly patch push three times per week. New patches come into the test facility, they get run against our known baseline applications (commercial and homegrown), then get pushed after they pass QA. Nothing gets pushed straight from MS or anyone else. We can push out of cycle, but usually nothing is so critical it can't wait for 2-3 days of testing.

      --
      Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
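The pilot-group-then-everyone flow described in the two comments above, written out as a WSUS approval script. This is an added example, not something posted in the thread or shipped by Microsoft. It assumes the UpdateServices PowerShell module (WSUS role on Server 2012 or later, run on the WSUS server itself) and two WSUS computer groups you have already created; the group names 'Pilot' and 'Production' are placeholders.

```powershell
# Added example (not from the thread): stage a security update to a pilot
# WSUS computer group first, promote to everyone only after the pilot is clean.
# Assumes the UpdateServices module on the WSUS server; 'Pilot' and 'Production'
# are placeholder target-group names that must already exist.
Import-Module UpdateServices

$Wsus = Get-WsusServer        # local server; add -Name/-PortNumber for a remote one

# 1. Force a catalog sync so an out-of-cycle release shows up without waiting
#    for the scheduled sync, then block until it finishes.
$Subscription = $Wsus.GetSubscription()
$Subscription.StartSynchronization()
do {
    Start-Sleep -Seconds 30
} while ($Subscription.GetSynchronizationStatus() -ne 'NotProcessing')

# 2. Unapproved security updates that at least one client still reports as needed.
#    (-Classification is the WSUS classification, not the bulletin's severity rating.)
$Pending = Get-WsusUpdate -UpdateServer $Wsus -Classification Security `
                          -Approval Unapproved -Status FailedOrNeeded

# 3. Approve for the pilot group only. Production stays untouched until the
#    pilot boxes have installed, rebooted and passed whatever smoke test you run.
foreach ($Entry in $Pending) {
    Write-Host ('Pilot approval: {0}' -f $Entry.Update.Title)
    Approve-WsusUpdate -Update $Entry -Action Install -TargetGroupName 'Pilot'
}

# 4. Promotion step, run separately once the pilot is clean. Approve-WsusUpdate
#    takes WsusUpdate objects on the pipeline, so the same filter can be reused
#    with -Approval Approved to pick up what the pilot already received.
function Approve-ForProduction {
    Get-WsusUpdate -UpdateServer $Wsus -Classification Security `
                   -Approval Approved -Status FailedOrNeeded |
        Approve-WsusUpdate -Action Install -TargetGroupName 'Production'
}
```

The sync loop matters for an out-of-cycle release: the default WSUS schedule may not pick the update up for hours, and a client group approval for an update that is not in the catalog yet does nothing. Keeping the promotion in a separate function rather than running it inline is deliberate; the whole point of the pilot ring is that a human looks at it before step 4 runs.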
    4. Re:Better go kick WSUS into a sync... by mysidia · · Score: 2

      There has already been one major compatibility bug in the patch for MS14-066 released November 11, where you update your IIS server to fix the SSL remote code exec bug, and Chrome browsers stop working..

      Furthermore, there were several botched updates in October.

      Windows 7 blue screens with a patch in September

      I don't know what the deal is, but it looks like maybe Microsoft stopped testing security patches on August's patch tuesday, or something.

    5. Re:Better go kick WSUS into a sync... by bill_mcgonigle · · Score: 5, Interesting

      If you roll out your patches the moment they come in, you are a retard ... do you enjoy running around like a headless chicken when there's a compatibility conflict?

      If only security were so binary - in the real world it's a constant process of risk/reward calculations.

      Is this the vulnerability the boards have been buzzing about that gives a remote code exploit by merely visiting a malicious TLS server? If so, having all your end-user machines pwned inside the firewall is not better than the risk of a compatibility conflict. One cripples an organization, the other, at worst, breaks one app.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    6. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 4, Insightful

      Damned if you do, damned if you don't. Welcome to IT.

      --
      Life is not for the lazy.
    7. Re:Better go kick WSUS into a sync... by afidel · · Score: 4, Informative

      Chrome not properly handling some TLS1.2 cyphers is hardly an MS bug, though they do have a workaround for compatibility if you need it.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    8. Re:Better go kick WSUS into a sync... by WaffleMonster · · Score: 1

      I don't know what the deal is, but it looks like maybe Microsoft stopped testing security patches on August's patch tuesday, or something.

      Having recently "downsized" their QA staff testing work has been outsourced to paying customers.

      When they say they will release a patch 10 AM PST this represents the time they will have managed to get it to compile.

    9. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 5, Insightful

      THIS! Richard obviously works in a nice posh Fortune 500 org where such resources are available to HIM. Meanwhile, back in the real world for everyone else (Small Medium Business), rolling the dice is the only option. As you said, it's all a risk/reward calculation as to when and where to be proactive with the expenditure of resources.

      I find the lambasting of "should do this retard" to be quite insulting. As employees, we don't always get that option to do what is theoretically in the best interests of the company we work for.

      --
      Life is not for the lazy.
    10. Re:Better go kick WSUS into a sync... by jfbilodeau · · Score: 2, Insightful

      Damned if you do, damned if you don't. Welcome to Windows.

      FTFY ;)

      --
      Goodbye Slashdot. You've changed.
    11. Re:Better go kick WSUS into a sync... by CaptainDork · · Score: 2

      We don't keep files on people's feet.

      --
      It little behooves the best of us to comment on the rest of us.
    12. Re:Better go kick WSUS into a sync... by Opportunist · · Score: 1

      OTOH, if one of your dufus users clicks on some crap and infests the network with the latest and greatest threat since ILY you get whacked as well, after all there WAS a patch out and why the hell didn't you install it?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    13. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 1

      Exactly. I don't have a fucking QA division. I install the updates.

    14. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 1

      yeah cos there's been no major security bugs in open source projects this... oh wait.

    15. Re:Better go kick WSUS into a sync... by MacTO · · Score: 3, Informative

      Even if you did have something better to do, would you rather be testing and deploying security updates or cleaning up a security breach?

      It is easy to be unhappy about security updates because of the implied security bug, a bug that shouldn't have been in there in the first place. Yet we also have to remember that people are investing a lot of time into discovering and exploiting design/implementation flaws because we invest so much into computers and networks. It doesn't matter whether the mistake shouldn't have passed the muster of code review or if it's so obscure that it would take security experts years to understand its implications, someone is going to find it. It is, unfortunately, something that we've been seeing a lot of lately and it is something that won't disappear in the future.

      (We also shouldn't be targeting Microsoft because most platforms have seen critical security updates and even critical security breaches lately. It doesn't matter how proficient the developers are, nor does it matter who they work for. What matters is the value of the systems and data being compromised.)

    16. Re:Better go kick WSUS into a sync... by sexconker · · Score: 5, Informative

      Any worthwhile testing would take weeks to perform.
      Enjoy being exposed to known and active vulnerabilities while you're busy testing each patch individually against a dozen or more hardware configs across dozens of applications across hundreds of workloads and 99.99% of the time you'll find no problems that justify holding the patch back. And you'll STILL have Jerry from Accounting call you up after you deploy it because it broke the medieval torture device he calls an "ergonomic" keyboard.
      You (or some peon) will then be dispatched to his desk to investigate Brenda's ticket of "Jerry's computer frozen please advise.", and you'll be forced to awkwardly use that shitty keyboard while you troubleshoot (you didn't bring your own because you forgot he fucking had the damned thing).

      Here's the testing you need to do in the real world:
      Install all the patches on your machine.
      Reboot.
      Launch IE, FF, Chrome, Outlook, Word, and Excel.
      Launch any applications mentioned in the bulletin.
      If nothing crashed, deploy the patch to everyone.
      If something crashed, search "Patch Tuesday Breaks " and look for recent shit.

    17. Re:Better go kick WSUS into a sync... by mlts · · Score: 1

      That applies to all operating systems. When it comes to production, three things apply: Has the patch been tested in an environment as close to what the field is like, can it be applied without much downtime, and is there a way to back it out without causing major headaches.

      This is one reason I like virtualization with clusters [1]. If a patch does make it past testing and fouls up a production VM, I'm a snapshot away from going back to a working machine. This isn't a magic bullet solution, but it does help, and there is software which can sit atop the virtualization platform to catch intrusions and automatically roll boxes back to a working snapshot (perhaps taking a snapshot of the hacked VM for forensic purposes.)

      [1]: VMWare's fault tolerance mechanism is limited to a VM with one vCPU, but the ability to restart a VM if the physical machine is dead is a good one. Same with Hyper-V.

    18. Re:Better go kick WSUS into a sync... by MachineShedFred · · Score: 5, Insightful

      I'm more annoyed by the architecture of Windows that requires reboots for a ridiculous amount of updates. Why haven't they figured out how to stop a service, update it, and then start it again? Why does everything require a reboot?

      I understand kernel-level updates will require a reboot, and do on every OS out there. But there are far more reboots in patching Windows than any other platform.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    19. Re:Better go kick WSUS into a sync... by bill_mcgonigle · · Score: 1

      in a nice posh fortune 500 org where such resources are available to HIM

      In many cases this can be true, but consider a case where there's a zero-day in the MS TLS implementation. The only possible thing that can be done here is to have a pre-existing TLS interception mechanism deployed (local CA root on workstations with on-the-fly cert regeneration on the proxy) and have that be on a non-MS platform.

      Even if that's a good idea, many F500 companies won't have that deployed, much less the F50000.

      There are some situations where not only is extensive testing not possible, it's the stupid decision. I realize many corp-o-drones have CYA policies to hide behind while they make bad decisions, but I still would not want to be the guy who followed policy and got his internal network completely infested.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    20. Re:Better go kick WSUS into a sync... by MachineShedFred · · Score: 1

      Well, for one thing, it was meant to be kind of funny.

      Second: I really only have to look after a handful of Windows servers, because we do 90% of everything on Linux.

      Third: it's all VMs, and we have snapshots. If something breaks, we disable the patch and roll back. Oh, that was hard.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
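The snapshot-before-patch, roll-back-if-it-breaks routine that mlts and MachineShedFred describe above, as an added Hyper-V example (not code from either poster). It assumes the Hyper-V PowerShell module on the host (Server 2012 or later) and that the script runs with rights to checkpoint the VMs; the VM name in the commented-out rollback call is a placeholder.

```powershell
# Added example (not from the thread): checkpoint every running Hyper-V VM
# before a patch push, keep a one-call rollback, and clean up afterwards.
# Assumes the Hyper-V module on the host; 'APP01' below is a placeholder name.
Import-Module Hyper-V

$Label = 'pre-patch-' + (Get-Date -Format 'yyyyMMdd-HHmm')

# Standard checkpoints capture disk and memory state, so a running VM can be
# put back exactly where it was, broken patch and all gone.
$Patched = Get-VM | Where-Object State -eq 'Running'
foreach ($VM in $Patched) {
    Checkpoint-VM -VM $VM -SnapshotName $Label
}

# ... push the patch, reboot the guests, run the smoke-test checklist ...

# Roll back one VM that failed the checklist. Restore-VMSnapshot prompts by
# default (ConfirmImpact High), hence -Confirm:$false for scripted use; the
# VM comes back in the checkpoint's saved state, so it has to be started.
function Undo-Patch {
    param([string] $VMName, [string] $SnapshotName)
    Restore-VMSnapshot -VMName $VMName -Name $SnapshotName -Confirm:$false
    Start-VM -Name $VMName
}
# Undo-Patch -VMName 'APP01' -SnapshotName $Label

# Once everything passes, drop the checkpoints. They are differencing disks
# that grow with every write; a week-old one on a busy database server is its
# own outage waiting to happen.
function Remove-PrePatchCheckpoints {
    foreach ($VM in $Patched) {
        Get-VMSnapshot -VM $VM -Name $Label -ErrorAction SilentlyContinue |
            Remove-VMSnapshot -Confirm:$false
    }
}
```

A caveat the thread does not spell out: a checkpoint is a host-side rollback for the OS and application state, not a rollback of the data. For a domain controller or a database server that took writes between the checkpoint and the rollback, restoring it wipes those writes (and, for a DC, can desynchronise replication), so "disable the patch and roll back" is only painless for stateless or quickly re-syncable guests.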
    21. Re:Better go kick WSUS into a sync... by fahrbot-bot · · Score: 1, Funny

      I still would not want to be the guy who followed policy and got his internal network completely infested.

      Ya, but you've already got Windows systems on your network ... :-)

      --
      It must have been something you assimilated. . . .
    22. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 3, Interesting

      Richard, I've lost clients because these clients were 10+ employees or less running off a single Windows SBS box. It wasn't us. It was the fact IT was just too expensive in general. Running a business, especially a small one, is exceedingly risky. They should be so lucky to afford rolling the dice ALONE! Many small businesses will just adhere to a BYOD policy with a NAS purchased from Best Buy. Yeah, good luck when Cryptolocker pulls you into bankruptcy.

      Risk assessment; learn it, love it, above all else, accept it! Can't stand the heat? Get out of the kitchen!

      BTW; you can't really duplicate an SBS box as it holds all the FSMO roles in addition to P2V testing being optional if they spend the time as a billable activity (assuming you can P2V with enough physical resources).

      --
      Life is not for the lazy.
    23. Re:Better go kick WSUS into a sync... by LordLimecat · · Score: 3, Interesting

      VMWare's fault tolerance mechanism is limited to a VM with one vCPU, but the ability to restart a VM if the physical machine is dead is a good one. Same with Hyper-V

      This is not correct.

      VMware's Fault Tolerance is indeed limited, but it has nothing to do with the ability to restart a VM on a dead host. FT prevents a machine from ever going down in the first place by keeping 2 identical VMs on 2 different hosts in sync, CPU state and all.

      High Availability is the feature you refer to regarding rebooting a downed VM, and it has no vCPU restrictions.

    24. Re:Better go kick WSUS into a sync... by MightyYar · · Score: 2

      It's a file format created by Acrobat.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    25. Re:Better go kick WSUS into a sync... by master_kaos · · Score: 1

      Same here. I am the QA, IT and development division. Every PC belongs to an employee. I don't have an isolated network. We're only a 10-person company, but a lot of companies rely on us to have high uptime. I do the best I can do (creating images before updates, etc.), but at the end of the day I've got to throw the dice and hope it doesn't end up snake eyes, as it still takes time to recover.

    26. Re:Better go kick WSUS into a sync... by f3rret · · Score: 1

      Scheduling an emergency patch and reboot with terminal servers among all employees is a huge PITA! "Awww, do we have too. I've got all this work to...*BEEP*." Sorry guys, finger slipped when it asked me to reboot or not. OTOH, server secure :)

      Import-Module ActiveDirectory
      # Every computer object under the given OU (replace the placeholder with the OU's DN)
      $ComputerNames = Get-ADComputer -SearchBase "(DN of your server/workstation OU here)" -Filter * |
          Select-Object -ExpandProperty Name

      ForEach ($ComputerName in $ComputerNames)
      {
          # -Force closes open sessions; needs WMI/DCOM access to the target
          Restart-Computer -ComputerName $ComputerName -Force
      }

      Have the nightshift guy run that from a machine that the workstations/servers will accept WMI calls from and then have him feel like a wizard as every computer under the OU magically reboots.

      --
      Admit nothing. Deny Everything. Make Counter-accusations.
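A reworking of the reboot loop above that only reboots machines which have actually installed the update and still report a pending reboot, as an added example (not f3rret's script). It assumes WinRM is enabled on the targets (Invoke-Command, as opposed to the DCOM path Restart-Computer uses), that the OU DN and KB number are supplied by you as parameters, and that the script is saved under a name of your choosing; the values in the usage comment are placeholders, not identifiers from the bulletin.

```powershell
# Added example (not from the thread): reboot only the machines in an OU that
# have the update installed and a reboot outstanding; flag the ones that don't.
# Assumes WinRM on the targets. $SearchBase and $KbId are caller-supplied
# placeholders, e.g. "OU=Servers,DC=example,DC=local" and "KB1234567".
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $SearchBase,
    [Parameter(Mandatory)] [string] $KbId
)
Import-Module ActiveDirectory

$Targets = Get-ADComputer -SearchBase $SearchBase -Filter * |
    Select-Object -ExpandProperty Name

# Runs on each target. Get-HotFix lists installed updates by KB id; either
# registry key below exists only while a reboot is outstanding.
$Probe = {
    param($Kb)
    $installed = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
    $pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
               (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Installed     = $installed
        RebootPending = $pending
    }
}

# Fan out over WinRM; unreachable hosts surface as errors rather than silently
# dropping out of the list.
$State = Invoke-Command -ComputerName $Targets -ScriptBlock $Probe -ArgumentList $KbId

# Machines still missing the update are the ones to chase, not to reboot.
$State | Where-Object { -not $_.Installed } |
    ForEach-Object { Write-Warning "$($_.Computer): $KbId not installed, skipping" }

$Ready = $State | Where-Object { $_.Installed -and $_.RebootPending } |
    Select-Object -ExpandProperty Computer

# -WhatIf on the script lists what would be rebooted without touching anything.
foreach ($Computer in $Ready) {
    if ($PSCmdlet.ShouldProcess($Computer, 'Restart-Computer -Force')) {
        Restart-Computer -ComputerName $Computer -Force
    }
}
# Usage (placeholder file name and values):
#   .\Restart-Patched.ps1 -SearchBase 'OU=Servers,DC=example,DC=local' -KbId KB1234567 -WhatIf
```

The difference from a blind reboot of the whole OU is what the night-shift guy gets to report in the morning: which boxes were rebooted because the patch needed it, which were already clean, and which never installed it (a failed WSUS client, a box that was off) and are still exposed.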
    27. Re:Better go kick WSUS into a sync... by Ravaldy · · Score: 1

      You can reboot the server during work hours?

    28. Re:Better go kick WSUS into a sync... by Darinbob · · Score: 1

      I love running around like a headless chicken. It's my best joke at work and lightens up the dull meetings.

      On that note, let's have a quiet remembrance in honor of Mike the Headless Chicken.

    29. Re:Better go kick WSUS into a sync... by StikyPad · · Score: 1

      To be fair, most updates of OS X have required a reboot as well. I'm in the process of installing 10.10.1 right now, and will have to reboot momentarily. There are probably more patches for Windows, but on its own, I'm not sure whether that statistic is objectively bad.

    30. Re:Better go kick WSUS into a sync... by Bite+The+Pillow · · Score: 2

      A lot of this is historical. IE is baked into the shell, so the shell files can't be updated while a user is logged in. These ties have been broken lately, but not completely. It's not the architecture of Windows, but rather the need to keep up appearances despite most people knowing better. And the architecture of the web browser of course.

      Windows itself relies on having a lot of shared libraries, known as ".dll files". They can't possibly be patched if they are in use.

      Oh wait. Forgive me for not knowing the details off hand, but there is a preamble they emit in the assembly solely for the purposes of hotfixing. If they need to insert a call, do things, return, they have space for it. So they can patch all of the processes that loaded the library without restarting. It's something like MOV EAX,EAX or something else obviously without purpose (yes, not followed by a flag test).

      Anyway, the expectation of the users is probably why restarts are needed. If a service should be running, then users expect it to be running. If it is needed for some reason, like antivirus, then it is needed. Considering that Windows hosts the biggest money-making and proprietary software, the general expectation is that a service will be running when it needs to be running.

      Sure, tell me about how something crashed et cetera, but the software runs how it is expected to run as a matter of course and with some exception. In the world of Microsoft, this benefits the user. In the world of Linux, other attributes help the user.

      TL;DR the architecture is only a small part. Use case and audience seem to be the defining factor.

    31. Re:Better go kick WSUS into a sync... by sexconker · · Score: 1

      Importing modules? Multiple lines? Can't be run from a standard command prompt? Ugh.

      FOR /F "usebackq tokens=1 skip=3" %A IN (`net view /domain:domain`) DO IF [%A] NEQ [The] shutdown /r /t 0 /d p:2:18 /m %A

    32. Re:Better go kick WSUS into a sync... by Trogre · · Score: 1

      I think you might mean NT there...

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    33. Re:Better go kick WSUS into a sync... by mysidia · · Score: 1

      As I understand it they introduced changes independent of the security fix, and the non-fix-related feature additions caused the problem.

      They shouldn't have rolled new features in the same patch, BUT if they did, they should have included common software used by more than 10% of windows systems in their test cases and basic functionality such as HTTPS compatibility.

    34. Re:Better go kick WSUS into a sync... by hairyfeet · · Score: 1

      Correct me if I'm wrong but don't you have to be using the 32bit powerpoint to be affected by this? If so my users don't have to worry, switched them to 64bit a few years back.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    35. Re: Better go kick WSUS into a sync... by lgw · · Score: 1

      About 40% of my servers would have serious issues with that. From SAP systems to certain SQL jobs. That would be a resume writing event.

      SAP? SQL? Party like it's 1999! For me, having it matter whether any given server suddenly fails would be a career limiting move. We push-restart patches to services every week or two, and if that affects a customer in any way TSHTF.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    36. Re:Better go kick WSUS into a sync... by MachineShedFred · · Score: 1

      the general expectation is that a service will be running when it needs to be running.

      And this expectation can be filled with something like Apple's launchd (open source) which has the ability to spawn or respawn jobs on demand; or monitor them and reload them if they die, throttled in case of crash.

      So, patch the files, then kill the process. launchd then respawns it. Downtime? Less than a second. No reboot needed. The user can be notified by a box saying "The patch has been installed successfully" with a big green check mark.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    37. Re: Better go kick WSUS into a sync... by sexconker · · Score: 1

      About 40% of my servers would have serious issues with that. From SAP systems to certain SQL jobs. That would be a resume writing event.

      SAP? SQL? Party like it's 1999! For me, having it matter whether any given server suddenly fails would be a career limiting move. We push-restart patches to services every week or two, and if that affects a customer in any way TSHTF.

      You're a dumbass if you think SAP and SQL are relics.

      Further, you're a dumbass if you think redundancy, load balancing, etc. solve the problem. They add reliability to the replicated services by moving the single point of failure out to a different box (the load balancer, the VM server, the border switch, the ISP, or even all the way out to DNS) while adding complexity and cost and increasing the impact should the new single point of failure fail.

      Further, they intrinsically impact customers by providing different data to different customers until shit syncs up and cascades throughout all the hosts. This isn't done with magic or tachyons - it takes time. This is why we have transactions and brokers in SQL. This is why distributed and replicated systems spend so much effort trying to make sure their clocks are synced up.
      Redundancy is nice when you need to manage those services, but it doesn't solve the inherent problem. Nothing can. When a user wants X, they can't get X if X is down. They can get Y, which may or may not be the same as X at the given time.

      Anything handling critical transactions is redundant in exactly the opposite way from what you describe. Redundant, hot-swappable power, network, CPUs, RAM, storage, etc. for a single instance that is the arbiter of transactions from many sources. Mainframes are still around because we solved this fucking problem decades ago. Your approach is the cloud approach - make services redundant and push the single point of failure out. When in normal operation, different users get different shit at the same time - you simply can't use this model for critical transactions. When (not if) shit fails, shit fails hard. Hell, Azure just went out.

    38. Re:Better go kick WSUS into a sync... by david_thornley · · Score: 1

      On real operating systems, you can patch files while they're in use. If that doesn't work in Windows, that's a Windows problem, and an architecture issue.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    39. Re: Better go kick WSUS into a sync... by lgw · · Score: 1

      I help develop and operate a service that makes a hefty sum by doing all those things you deride, implementation-wise. It all works quite well - well enough that if routine patching causes any customer-visible disruption, you're in for extensive analysis, paperwork, and perhaps ritual abasement before an angry VP.

      Yes, yes, there are many technical problems involved with consuming "eventual consistency". In the 20th century these problems were seen as blocking, and anyway just buy a bigger DB server. But the 20th century was a long time ago, and while there's still a need for a transactional store, most problems can be solved without one, given sufficient thought - and at sufficient scale, it's really worth figuring out how.

      Not that safe patching is incompatible with SQL, of course. In my last job we routinely pushed patches to farms of many thousands of SQL servers, and again if there was any disruption visible to the mid-tier, important people would become seriously angry about that, and we didn't use fancy servers, beyond RAID controllers (and even that concession I abhorred). It's always safe for a single server to fail, or be rebooted for maintenance, and if two servers holding your primary copies of the same data should fail, you better have taken serious, well-reviewed steps in planning to limit the number of DBs affected and the minutes of data lost and the minutes until you're back up.

      And even that, which was a nice system, feels outdated now that Amazon went and announced this, which productizes the modern SQL DB and wraps it up in a pretty bow. /jealous

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. XP as well? by mrspoonsi · · Score: 3, Insightful

    I guess so, as Server 2003 is from a similar era.

    1. Re:XP as well? by smooth+wombat · · Score: 4, Funny

      Since it's not listed this would mean XP is safer than W7 or W8.

      Hazzah!

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    2. Re:XP as well? by rescendent · · Score: 3, Interesting

      Except reading the patch note, while Windows Vista, Windows 7, Windows 8 and Windows 8.1, Windows RT and Windows RT 8.1 are listed, it's to say they are not affected.

      So it's a patch for the server products.

    3. Re:XP as well? by Anonymous Coward · · Score: 3, Informative

      You are partially (mostly) correct. There is a patch for the client side too, however it is not rated with any security rating because although the bad code exists on client as well there is currently no known way to activate that code as it is only exposed in server scenarios. They will patch it just for good code maintenance - but no known vulnerability on client. As far as the GP asking about XP - XP is out of support and doesn't get patches.

    4. Re:XP as well? by NJRoadfan · · Score: 2

      As far as the GP asking about XP - XP is out of support and doesn't get patches.

      But Windows Embedded POSReady 2009 does. ;) I wonder if they have been keeping up with security patches, particularly the OLE one.

    5. Re:XP as well? by tverbeek · · Score: 1

      No, it just means that MS isn't issuing a patch for XP. At least not exactly. They have released a patch today "for WEPOS and POSReady 2009", which is the branding given to the point-of-sale variant of Windows XP, which Microsoft still offers support for. There's a registry hack that makes Windows XP identify itself as Windows POS [insert joke here] when contacting the MS Update servers, and machines running that variant will get the patch.

      Or so I'm told. ;)

      --
      http://alternatives.rzero.com/
  3. So... by jellomizer · · Score: 2, Interesting

    With Apple continuing to make a more closed ecosystem. And Google sharing all your data in the world, with little interesting movement in Linux. Now Microsoft trying to be more open.
    Should we be a bit more welcoming to Microsoft?

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:So... by McGruber · · Score: 5, Insightful

      Now Microsoft trying to be more open. Should we be a bit more welcoming to Microsoft?

      Embrace, Extend, Extinguish.

      What you view as "trying to be more open" strikes me as being "Embrace".

    2. Re:So... by Rob+Y. · · Score: 3, Insightful

      For the bazillionth time, Google is not "sharing all your data in the world". They are using your data in some very specific ways - and giving you free services in exchange. Those uses are relatively benign, as free internet services go, and they do not include sharing with any third parties.

      --
      Posted from my Android phone. Oh, I can change this? There, that's better...
    3. Re:So... by Alrescha · · Score: 4, Insightful

      "For the bazillionth time, Google is not "sharing all your data in the world".

      Technically, I think you are correct. What they are doing is collecting every possible bit of information about you in order to better sell you to advertisers.

      Somehow, that doesn't make folks feel any better.

      A.

      --
      ...bringing you cynical quips since 1998
    4. Re:So... by Obfuscant · · Score: 2

      "For the bazillionth time, Google is not "sharing all your data in the world".

      Technically, I think you are correct.

      Yes, technically correct.

      When my ISP decided to drop their own email services and start funneling all their customer's email through Gmail, it wasn't technically "all my data" that they handed over to Google to index and root around through, it was just the last four years of deleted email they got to play with. Yes, email I deleted four years ago showed up on Gmail. So, technically, because I have some other email accounts that don't go through that ISP, I mean didn't go through them, Google doesn't have ALL my data to share. Just a significantly large enough fraction of it.

    5. Re:So... by Rob+Y. · · Score: 1

      You're missing my point. It's not "to share" at all. Yes, they have your data. And if you hate that they use that to send you targeted ads, well, then don't use gmail - or google search - or the rest. But don't go claiming that they're sharing the info they have - they're not. Microsoft wants you to think they are - so they can get you to switch to MS services - where they will collect exactly the same data and do the same things with it.

      --
      Posted from my Android phone. Oh, I can change this? There, that's better...
    6. Re:So... by Obfuscant · · Score: 1

      You're missing my point. It's not "to share" at all. Yes, they have your data. And if you hate that they use that to send you targeted ads, well, then don't use gmail - or google search - or the rest.

      My only option in the matter would have been to leave an ISP I've been using for more than a decade. And I didn't expect them to HAVE four years of deleted email on hand to give to Google, so I didn't know Google was going to get it all until WAY too late.

      But don't go claiming that they're sharing the info they have - they're not.

      Citation required.

    7. Re:So... by Bite+The+Pillow · · Score: 1

      EEE is a cautionary tale, not a knee-jerk reaction.

      Is openness somehow bad? Is having source code for more and more products somehow bad?

      I am going to classify your comment as "I don't know what they are doing, therefore I am confused, therefore they confused me and are trying something sneaky". In other words you are an idiot.

      Embrace is good, and we support that. Extend is when we start to throw red flags. Extinguish is what users should do at the Extend phase.

      Put another way, if they never get to Extend, then what in the fucking shitpile are you and your positive moderators on about?

    8. Re:So... by Trogre · · Score: 1

      Openness is not bad.
      Microsoft's track record is bad.

      Having source code for more and more products is not bad.
      Microsoft's track record is bad.

      Embrace is good.
      Microsoft's track record is bad.

      Someone who questions Microsoft's motives is not an idiot.
      Microsoft's track record is bad.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  4. "Out of band?" by pigiron · · Score: 4, Informative

    I hate it when tech companies, and CS in particular, misuse technical terms. "Unscheduled" is the word they really meant (and should have used).

    1. Re:"Out of band?" by Wootery · · Score: 1

      Seconded.

      If I want to see people misuse computer terminology, there are plenty of TV shows full of it. (I'm not sure if I'm right in thinking that 24 started it.)

    2. Re:"Out of band?" by arth1 · · Score: 2

      Out of band means that it's not distributed through the normal channels; i.e. Windows Update.

      This one is, so it's not out of band.
      And it's also only for server products, not Windows 7/8/8.1/10.

      But don't let that stop what /. now uses instead of editors from making a stupid headline.

    3. Re:"Out of band?" by caseih · · Score: 1

      Yes I agree. I was wondering if Microsoft was going to be shipping the patch to customers on tapes, or what.

    4. Re:"Out of band?" by Chris+Mattern · · Score: 1

      Agreed. I read the headline and thought, "They're not offering it through Windows Update? How are people supposed to get it, or even know it exists?"

    5. Re:"Out of band?" by Opportunist · · Score: 1

      This. Hand the man an insightful, because that's basically the problem.

      I, too, was sitting here, knowing that MS is going to do something "out of schedule" and reading an update coming "out of band". For a moment I was worried that I might have missed something critical, then I said to myself "Wait. You read it on /., better check whether it's so or whether someone just wanted to use jargon to sound cool without knowing what the fuck they write about".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:"Out of band?" by FrankDrebin · · Score: 1

      They probably meant "out of cycle".

      --
      Anybody want a peanut?
    7. Re:"Out of band?" by pigiron · · Score: 1

      It's far, far too late for anything out of Redmond to not have a ring of "oh, crap" to it.

    8. Re:"Out of band?" by rikkards · · Score: 1

      Actually it is out of band as it was not originally scheduled to be out on Patch Tuesday but was added after the fact.
      We have some MS guys in our office.

  5. Not for Windows 8 or 8.1 by ifdef · · Score: 5, Informative

    For Windows 8 and Windows 8.1, the Windows Update web site says "Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability." For all the other systems, the update is rated Critical.

    Am I looking at the wrong thing?

    1. Re:Not for Windows 8 or 8.1 by jnik · · Score: 1

      Same deal for 7.

    2. Re:Not for Windows 8 or 8.1 by TheCarp · · Score: 1

      Well, slightly confusing, as it sounds like it IS for Windows 8 and 8.1, but it's not critical on those platforms since the actual vulnerability is not present; it still does make some changes, though.

      This sounds to me like "an unrelated change we made in 8 made this, we think, unexploitable, but we are patching the error anyway, just in case". Not sure that is exactly correct, but that is how I interpret that.

      --
      "I opened my eyes, and everything went dark again"
  6. Out of band? by Chrisq · · Score: 2

    In my book this means it will be sent by another channel compared to normal updates. I can't see how this applies!

    1. Re:Out of band? by jones_supa · · Score: 1

      Well, Patch Tuesday is the main channel, simple as that.

    2. Re:Out of band? by funwithBSD · · Score: 4, Funny

      You will be getting a USB stick in the mail.

      Don't worry... it is perfectly safe to insert into your server.

      --
      Never answer an anonymous letter. - Yogi Berra
    3. Re:Out of band? by Chris+Mattern · · Score: 1

      No, Patch Tuesday is the normal scheduled time. Windows Update is the main channel.

    4. Re:Out of band? by jones_supa · · Score: 1

      But Patch Tuesday is a channel whose frequency is about 30 days.

    5. Re:Out of band? by jones_supa · · Score: 1

      Ah yes, that's true. :)

    6. Re:Out of band? by jones_supa · · Score: 1

      That's just one interpretation, but yes, you are correct.

  7. Does not Affect Vista, Windows 7, Windows 8, 8.1. by Snake98 · · Score: 4, Informative

    Does not Affect Vista, Windows 7, Windows 8, 8.1. RTF when doing a summary.

    Affected Software: Windows Operating System and Components (Bulletin Identifier: MS14-068)

    Windows Server 2003 (Aggregate Severity Rating: Critical)
      Windows Server 2003 Service Pack 2 (Critical)
      Windows Server 2003 x64 Edition Service Pack 2 (Critical)
      Windows Server 2003 with SP2 for Itanium-based Systems (Critical)

    Windows Vista (Aggregate Severity Rating: None)
      Windows Vista Service Pack 2 (No severity rating)[1]
      Windows Vista x64 Edition Service Pack 2 (No severity rating)[1]

    Windows Server 2008 (Aggregate Severity Rating: Critical)
      Windows Server 2008 for 32-bit Systems Service Pack 2 (Critical)
      Windows Server 2008 for x64-based Systems Service Pack 2 (Critical)
      Windows Server 2008 for Itanium-based Systems Service Pack 2 (Critical)

    Windows 7 (Aggregate Severity Rating: None)
      Windows 7 for 32-bit Systems Service Pack 1 (No severity rating)[1]
      Windows 7 for x64-based Systems Service Pack 1 (No severity rating)[1]

    Windows Server 2008 R2 (Aggregate Severity Rating: Critical)
      Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Critical)
      Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Critical)

    Windows 8 and Windows 8.1 (Aggregate Severity Rating: None)
      Windows 8 for 32-bit Systems (No severity rating)[1]
      Windows 8 for x64-based Systems (No severity rating)[1]
      Windows 8.1 for 32-bit Systems (No severity rating)[1]
      Windows 8.1 for x64-based Systems (No severity rating)[1]

    Windows Server 2012 and Windows Server 2012 R2 (Aggregate Severity Rating: Critical)
      Windows Server 2012 (Critical)
      Windows Server 2012 R2 (Critical)

    Windows RT and Windows RT 8.1 (Aggregate Severity Rating: None)
      Windows RT (Not applicable)
      Windows RT 8.1 (Not applicable)

    Server Core installation option (Aggregate Severity Rating: Critical)
      Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Critical)
      Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Critical)
      Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Critical)
      Windows Server 2012 (Server Core installation) (Critical)
      Windows Server 2012 R2 (Server Core installation) (Critical)

    Notes for MS14-068
      Windows Technical Preview and Windows Server Technical Preview are affected. Customers running these operating systems are encouraged to apply the update, which will be available via Windows Update.
      [1] Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability.

    --
    Freedom of Speech only includes discussions that are approved by the RIAA, MPAA and DMCA.
  8. Re:Erm... Ok by Anonymous Coward · · Score: 1

    The pop up notification (and the accompanying system tray icon) was removed in Windows 8.

  9. I'm safe! by Anonymous Coward · · Score: 1

    Windows 98SE, bitches!

  10. iOS Developer Program and XNA Creators Club by tepples · · Score: 1

    With Apple continuing to make a more closed ecosystem [...] Should we be a bit more welcoming to Microsoft?

    The "$99 per year recurring fee to run software you wrote on a machine you own" policy that Apple implemented in iOS was strikingly similar to the "$99 per year recurring fee to run software you wrote on a machine you own" policy that Microsoft had already implemented on Xbox 360.

    Now Microsoft is trying to be more open.

    Case in point: Unlike Apple with the iPad, Microsoft has allowed for a free-of-charge developer license on Windows RT, where you pay only once it's time to upload your app to Windows Store.

    1. Re:iOS Developer Program and XNA Creators Club by tlhIngan · · Score: 2

      The "$99 per year recurring fee to run software you wrote on a machine you own" policy that Apple implemented in iOS was strikingly similar to the "$99 per year recurring fee to run software you wrote on a machine you own" policy that Microsoft had already implemented on Xbox 360.

      Only for iOS. OS X still has free Xcode development tools available. They used to ship with the OS, but now it's in the Mac App Store as a separate download. And this started before Microsoft created the Express edition of Visual Studio.

      Case in point: Unlike Apple with the iPad, Microsoft has allowed for a free-of-charge developer license on Windows RT, where you pay only once it's time to upload your app to Windows Store.

      Great, so Microsoft makes it a one-time payment to code for a dead platform? And given the struggles Microsoft has with their app store(s), it's no wonder Microsoft is trying all sorts of things because developers aren't willing to code for a marginal platform like Windows RT or Windows Phone. They have to make it super cheap or free because developers wouldn't code for it otherwise.

  11. Re:Seems to be a mistake... apk by jones_supa · · Score: 1

    You seem to be right, Alex. If one reads the MS bulletin carefully, one can see that this patch applies only to Windows Server editions.

  12. XP Killer? by bill_mcgonigle · · Score: 1

    Windows Server 2003 Service Pack 2 (Critical)

    XP and 2003 usually go together. I didn't find a technical discussion link on the advisory, but if this is the buffer overflow in the TLS library that has been making the rounds recently, this could be the one that finally kills the XP machines on the 'net.

    Unless Microsoft backpedals again and enables the XP holdouts for a while longer.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:XP Killer? by afidel · · Score: 2

      No, the TLS flaw was MS14-066 and it affects XP as well but there is no generally available fix for it since XP is out of extended support. If you care at all about security you're no longer using XP so the fact that there is another critical flaw isn't going to significantly change the situation.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:XP Killer? by NJRoadfan · · Score: 1

      MS14-066 (along with the MS14-064 OLE fix) was released for POSReady 2009, so technically XP was patched for it. http://support.microsoft.com/k...

    3. Re:XP Killer? by ihtoit · · Score: 1

      only those that host Kerberos as part of the consolidated domain services.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    4. Re:XP Killer? by ihtoit · · Score: 1

      Kerberos V5 does run on xp. In fact it'll run on 2000.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  13. Re:Does not Affect Vista, Windows 7, Windows 8, 8. by ISoldat53 · · Score: 1

    Why does MS explain the risk in a footnote instead of the chart of affected software? Why not just say "Unaffected" or some similar term in the chart itself?

  14. Re:Does not Affect Vista, Windows 7, Windows 8, 8. by Lew+Perin · · Score: 1

    So the vulnerability is in some component that's present only in server versions of Windows. On machines running client versions of Windows, there's no urgency about this.

    --
    Sorry, I forgot there are ads on the Web; I use Lynx.
  15. Re:What is it? by MrSmurf1 · · Score: 1

    I'm with you. I've been searching all morning for more details and can't find a single article with what it actually patches. Anyone else find anything?

  16. Re:What is it? by Anonymous Coward · · Score: 1

    It is a patch that addresses a vulnerability that is present in all current versions of Windows Server. The vulnerability is not present by default in all current workstation versions of Windows, but the patch will still be applied to those OS's. Because the vulnerability is being actively exploited, the details will not be released before the patch is released around 10:00 AM PST today.

  17. Another feather in the cap for XP by linuxrunner · · Score: 1

    Thank goodness I'm still running XP!

    --
    www.slightlycrewed.com - Because aren't we all?
  18. Re:Go XP! by ArcadeMan · · Score: 1

    XP? I'm still using MS-DOS 3.3 here.

  19. Re:Go XP! by armanox · · Score: 1

    You must like setting the system time every time it boots.

    How did you manage to post to Slashdot on your 8088 anyway (hope you have the full 640K RAM!)?

    --
    I'm starting to think GNU is the problem with "GNU/Linux" these days.
  20. Of little impact for illiterate users by Eravnrekaree · · Score: 1

    It's interesting that a patch on privilege separation escalation, while being ranked serious, would have so little effect on most users, because most computer-illiterate users do not know how to use them; the OS contains what is a major problem in that it does not encourage these users to use the feature.

    Most of your common Windows users do not use any kind of privilege separation; they go right in as a superuser account, because they don't even know what any of this stuff is. Windows ironically seems designed in such a way that it assumes that every user is very literate on how to properly set up and use an operating system. To get the situation with viruses under control would require having a model whereby the system comes by default in a secure, recommended state but also allows expert users to override that if necessary. Most common users will not do this; they can barely understand anything in the control panel anyway. The resulting situation would not be perfect, but better than now, and also would not prohibit customization by experts.

    This initial state would put the user in a non-privileged account by default and would not offer a login choice for an administrator account. It would also include a prohibition on executing any user-downloaded programs in the user's directories; only programs which are root-writeable only in the main system directory would be executable, which makes it much harder to download and execute viruses. Programs could only be installed via an app store, or via a physical distribution that has been registered, approved and cryptographically signed by the OS vendor. Program installers would be given the minimum permissions they need to install themselves and would install into a file system overlay environment, allowing any effects of the installer to be easily tracked and reversed; they would not have direct access to a large number of system files which they have no need to touch, and would be restricted to their own subfolder in the registry.

    I find it ironic that Mandatory access control, which is more badly needed on newbie computers to stop these users from downloading EXEs to their home folder and executing them, is unavailable in Home Premium, where the feature is most badly needed.

    The restrictions could be disabled from the control panel if needed but the idea is that most users use the default configuration that they are given so this would be a vast improvement over how things work now. The proliferation of viruses would be drastically reduced from all of this.

    These ideas are good ones for any operating system which are for illiterate computer users.

  21. DOES Affect Vista, Windows 7, Windows 8, 8.1. by teridon · · Score: 1

    I don't know what you're looking at, but it's the wrong patch. The patch in question is MS14-068, and it affects every system listed in the summary.

    https://technet.microsoft.com/library/security/MS14-068

    --
    I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
    1. Re:DOES Affect Vista, Windows 7, Windows 8, 8.1. by __aagmrb7289 · · Score: 1

      From TFA (that you linked!):

      What systems are primarily at risk from the vulnerability? Domain controllers that are configured to act as a Kerberos Key Distribution Center (KDC) are primarily at risk.

      This isn't meant to dispute what you are saying (it does affect them all), but the article makes it clear that if the DCs are patched, you've mitigated the primary issue. Which seems strongly related to the comments to which you are replying.

    2. Re:DOES Affect Vista, Windows 7, Windows 8, 8.1. by harryjohnston · · Score: 1

      No, the security bulletin is very clear that the vulnerability doesn't affect client versions of Windows. The patch has been made available anyway only as a defense in depth precaution.

      If you look at the "Affected Software" table, you will note that the "Maximum Security Impact" is "None" for client versions.

      (OK, I guess it depends on what you mean by "affect". But the upshot is that you only need to patch servers - more specifically DCs - now, everything else can wait and be done with next month's updates.)
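
    The prioritisation in the two replies above (patch the domain controllers now, since the KDC runs only there, and let clients wait for the regular cycle) is easier to act on with an inventory of which DCs already carry the fix. The PowerShell below is an added example, not code from the bulletin or from any commenter; it assumes the RSAT ActiveDirectory module is installed and takes the hotfix KB number as a parameter, because the bulletin page rather than this thread carries that identifier (the 'KB0000000' default is a placeholder).

```powershell
<#
  Added example (not from the thread or from Microsoft): report which
  domain controllers already have a given hotfix installed, so the
  KDC-hosting machines can be prioritised for an out-of-cycle patch.

  Assumptions:
    - RSAT ActiveDirectory module is available (Get-ADDomainController).
    - The caller may query Win32_QuickFixEngineering remotely
      (Get-HotFix uses WMI/DCOM under the hood).
    - $KbId comes from the security bulletin; 'KB0000000' below is a
      placeholder, not the real MS14-068 hotfix number.
#>
param(
    [string]$KbId = 'KB0000000'   # placeholder; take the real KB from the bulletin
)

Import-Module ActiveDirectory -ErrorAction Stop

# Every DC in the current domain; each one runs the Kerberos KDC service.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    # Get-HotFix raises an error both when the KB is absent and when the
    # host is unreachable; tell the two apart so "cannot tell" is never
    # reported as "patched".
    $status = 'Missing'
    try {
        $hf = Get-HotFix -Id $KbId -ComputerName $dc -ErrorAction Stop
        if ($hf) { $status = 'Installed' }
    } catch {
        if (Test-Connection -ComputerName $dc -Count 1 -Quiet) {
            $status = 'Missing'
        } else {
            $status = 'Unreachable'
        }
    }
    [pscustomobject]@{
        DomainController = $dc
        Hotfix           = $KbId
        Status           = $status
    }
}

# Unreachable and missing DCs sort first; those are where KDC exposure remains.
$report | Sort-Object Status -Descending | Format-Table -AutoSize

# Non-zero exit if any DC still lacks the fix, so a scheduled run can alert.
if ($report | Where-Object Status -ne 'Installed') { exit 1 }
```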

    3. Re:DOES Affect Vista, Windows 7, Windows 8, 8.1. by teridon · · Score: 1

      Yes, you're right, I didn't read the table carefully!

      --
      I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
  22. Remote attack on systems that allow domain users? by microsquishy · · Score: 1

    "The affected component is available remotely to users who have standard user accounts with domain credentials" https://technet.microsoft.com/... Sounds like a "fun" new target for malware.

  23. Re:Go XP! by ArcadeMan · · Score: 1

    This is 2014. The majority of nerds have more than one computer.

  24. Vulnerability in Microsoft Windows Kerberos .. by lippydude · · Score: 1

    "This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account"

    How did they manage to write a security component that of itself opens up the Operating System to exploitation? I mean, after all, this isn't the defective Apple OS or open source ...

    1. Re:Vulnerability in Microsoft Windows Kerberos .. by microsquishy · · Score: 1

      How did they manage to write a security component that of itself opens up the Operating System to exploitation? I mean, after all, this isn't the defective Apple OS or open source ...

      I don't know, practice?

  25. FTFY by ClickOnThis · · Score: 1

    Yet another reason to move forward to Linux.

    --
    If it weren't for deadlines, nothing would be late.
  26. just update the exec's laptops by swschrad · · Score: 1

    then if it's a fail, you can lobby to switch to another platform.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
    1. Re:just update the exec's laptops by DigiShaman · · Score: 1

      Funny you mention that. I know of a few that use a MacBook Pro with VMWare Fusion running Windows 7 (custom vertical market apps). In this case, you can roll back via Time Machine in the event the VM of Win7 gets hosed.

      --
      Life is not for the lazy.
  27. Re:Go XP! by Kittenman · · Score: 1

    This is 2014. The majority of nerds have more than one computer.

    Heck, that's a prerequisite of membership.

    But look on the bright side - nerddom also requires more than one operating system ...

    --
    "The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
  28. Re:What is it? by harryjohnston · · Score: 1

    An elevation of privilege affecting the entire domain is certainly critical, particularly when it's already being used in attacks.

    This means that if the attacker has control of one machine in the domain, he or she can take control of every other machine, including the servers.

  29. Re:do you want .Net? because that's how you get .N by ihtoit · · Score: 1

    WAMP on xp does what I need.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  30. Re:What is it? by ihtoit · · Score: 1

    This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account.
    Source: https://technet.microsoft.com/...

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  31. Re:What is it? by ihtoit · · Score: 1

    yes, and this is a vulnerability in the authentication/session key service which is basically an invitation to exploit using a skeleton key.

    Sounds to me like Kerberos is fatally flawed (as in, it was designed to prevent this exact thing from happening by whitelisting users on a per-case basis assigning temporary privileges according to their stored credentials), and this is a temporary fix.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  32. Re:are you sure? by ihtoit · · Score: 1

    no, it will affect any system which runs Kerberos. From 2K to ~.

    The only difference is which OSen are in support cycle. Xp isn't one of them, and neither, clearly, is 2K. 2K3 is, but that's down to MS' decision to extend it, not, I think, due to any technical pressures or original scheduling.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  33. Re:What is it? by harryjohnston · · Score: 1

    There's a bit more information available now:

    http://blogs.technet.com/b/srd...