Slashdot Mirror
Microsoft Kills Many Critical Flaws, Some 0-Days, Un-Trusts One Wildcard Cert
An anonymous reader writes: For this December Patch Tuesday, Microsoft has released twelve security bulletins, eight of which have been rated critical. Those refer to the cumulative security updates for Internet Explorer, Microsoft Edge, JScript and VBScript, and updates for Microsoft Windows DNS, Microsoft Graphics Component, Silverlight, Microsoft Office, and Microsoft Uniscribe. Microsoft also released a security advisory announcing the removal of a digital certificate from the Certificate Trust list (CTL).
... err, I mean, Windows 10.
In other news Microsoft also released another 14 updates that increase telemetry, attempt to forcibly install Win 10, beat your children and do unspeakable things to the cat!
I have Windows Update on a pure as-needed basis and glad I do after hearing about the supremely unethical 'Hey! Upgrade to Windows 10! Hey!' nag that came in some updates.
On another front a friend was having trouble with his boot drive and as we were shutting it down Windows jumped in to install a bunch of updates - that finished corrupting the boot drive and many, many hours were dedicated to recovery and repair.
I'll give these patches a look but want no shady behavior out of the Redmond Mob.
A feeling of having made the same mistake before: Deja Foobar
Saw that there were several "important" updates available to me last night. I've disabled Automatic Updates, since I can't really trust Microsoft to not try and install Windows 10 behind my back, and instead have Windows Updates a startup item now so I can stay on top of new updates more easily.
Haven't had a chance to go through what's listed there -- doesn't anyone know if there are any I need to be hiding from this batch?
Warning, they are trying to sneak in yet another update to chuck Windows 10 down your throat. KB3112343 enables support for additional upgrade scenarios from Windows 7 to Windows 10.
How can any of us trust that when Microsoft puts out patches they're not also saying "fuck it, while we're here we'll just tinker with a few things and add stuff we've wanted for a while"?
Microsoft are being such bastards about shoving Windows 10 up our collective asses I'm afraid at this point Microsoft has to be treated as a hostile and un-trusted entity -- they've pretty much decided that furthering their own interests is compatible with the update system which is supposed to provide us security.
We don't trust you didn't write something horribly insecure, we don't trust that you aren't sneaking something in unrelated to security, and quire frankly we don't trust that you're going to do a good job of fixing these problems.
Lost at C:>. Found at C.
.
This extreme slowness is a recent thing, occurring only for the last three four four months. I really takes the fun out of running Windows Update.
It's the Wimpy security remediation model -- "I'll gladly fix on Tuesday that security vulnerability you found today..."
Strictly speaking, sending a computer with Debian into a singularity would only cause apt-get to appear as slow as windows updates to outside observers. From the frame of reference of the user it would still run as fast as it always does.
It almost seems that Microsoft has intentionally slowed updates for Windows 7. It's been taking 30 to 60 minutes to check and get a repsonse using Windows update on our Windows 7 machines. Windows 10, on the other hand, is rapid, but buggy with more than one failed update that required running a script in an elevated command prompt to get it removed, when not needed, or installed. Having experienced annoying and on one PC serious issues with Windows 10, our Windows 7 PC's are staying with Windows 7, with automatic updates disabled. I manually check now, with recommended updates turned off, since I lost all trust in Microsoft in the past few months thanks to sloppy work and buggy updates. I have been installing GWX Control Panel in most of our customer computers that are still running Windows 7 or 8.1, with their blessings and often at their request since they like their PC the way it is.
I think Microsoft is driven to shove tiles down people throats for no reason other than they doubled down on Ballmer's betting the company on Windows 8's schizophrenic dual GUI by bundling it into Windows 10 start menu with Candy Crush and other shit.
Wouldn't that just be a cop-out?
You may be surprised to learn it's only the second Tuesday of the month ("Patch Tuesday"), and not every Tuesday.
It's actually a sensible policy that allows corporations to plan on regular updates. A large company can't simply accept patches without a lot of testing to make sure they don't accidentally bring down every computer in the business because of some issue with their mission-critical software. That sort of little mistake can cost many millions of dollars. By regularly scheduling the patches, the IT staff can plan a regular test and integration cycle.
On the development side, these fixes have to go through a huge battery of tests before they can be deployed. This can take quite a while to do. I'd imagine it's much easier for MS if they can perform these compatibility tests on an entire batch of fixes, rather than doing it for each single patch. You can argue it's likely more damaging to have a badly-tested patch bring down a large number of machines than whatever was being patched in the first place.
In the event of issues that are time sensitive (critical zero-day issues), MS has been known to push out-of-band patches. Most patches though, especially anything not already found in the wild, are not nearly that time-sensitive. Keep in mind many of these flaws have existed for years, possibly even decades, before being discovered.
Irony: Agile development has too much intertia to be abandoned now.
1. Don't install it.
2. If you ignored step 1, then uninstall it.
Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
Its cute ... you guys have warped 0-day into something utterly meaningless.
The term was always stupid, you mean 'undisclosed'. It stopped being 0 day 24 hours after it was first discovered, regardless of when you found out about it.
The reality is, unless someone on slashdot was actually writing it, its pretty unlikely you've EVER seen a 0 day exploit.
You guys now days have no experience or clue about what words mean so you just start making shit up and using them in utterly stupid ways.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
If there is a really serious security issue they'll sometimes release out of band.
It's know as "Metro" or "Modern". Until MS kills it and goes back to the UI people WANT, without additional spyware, forced installs and all the rest, they will continue to see people migrate away from their software and services.
Which UI is that? The one in Windows 7? The one people coming from XP also bitched about?
Shouldn't Internet Explorer be an optional removable application, since Microsoft now wants to push Edge as the default browser? I'm fine w/ that, b'cos I use a combination of Edge, Chrome and Palemoon. On the laptop, it's not a big deal, but on my Winbook tablet that has limited storage, I'd like to remove things like IE
There is no reason at all to ever run it. Your system will be perfectly safe. Worse IT professionals actually believe this??!
Glad mine are turned on
http://saveie6.com/
...installing this comprehensive necessary patch DOES actually also install Win10 automatically.
Sorry.*
-MS
*not really.
-Styopa
3114409 has been pulled, but might have caught some people who patched early.
Microsoft's "Critical Update" screwed up my iPhone 5S's update to IOS 9.2 to the point where it almost bricked the phone.
I ended up spending 15 minutes with Apple Support trying to get the phone back using a Mac when ... the Mac announced it had an update to El Capitan and Xcode.
Maybe it's time that manufacturers set aside unique days (of the month) for releasing their updates so that they all don't collide?
Sorry, just bitching because I really didn't need to lose an hour on an iPhone update which is normally transparent to me.
Mimetics Inc. Twitter
It would be great if the patches could be released sooner than at one month intervals, but everything has a trade-off. Fast patches mean sloppy patches or buggy code (remember the Stagefright patches?), especially when you're talking about a billion machine in nearly that many unique configurations. Keep in mind that non-corporate customers still needs the benefit of QA to ensure things don't break on our computer. It's probably even more important for us, because unlike at a corporation, we don't first install the patches on test machines to see if things are broken, since we probably only have one or two machines to begin with.
There's another issue here as well: patches have to be released at the same time for everyone. The release of the patch itself, oddly enough, tends to generate more immediate exploits shortly after. This is because patches are analyzed to discover what exactly was fixed, and those exploits tend to be added to kits rather quickly. So, it's not really practical to push out consumer patches ad-hoc, because it would essentially force everyone to begin the testing and integration cycle over for each new patch.
I completely understand not liking the idea of patches being held back for a time because of a release schedule, but MS has to balance the needs of all its customers here.
Irony: Agile development has too much intertia to be abandoned now.
I thought Microsoft Edge was elimated all the defects in the Microsoft browser?
I don't actually use Windows but I have it on good authority that there are quite a few free versions that don't have ads right in the store and available with the same search query.
"So long and thanks for all the fish."
Every time I start it up, its layout gets resetted. So annoying!
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).