Forgot your password?
typodupeerror

Microsoft Patches 19 Flaws, 6 in Vista 307

Posted by Zonk
from the many-patches-makes-os-work dept.
Cheesy Balogna writes "Microsoft has just released seven advisories — all rated critical — with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser. Six of the 19 vulnerabilities affect Windows Vista. 'There are patches for 7 different vulnerabilities that could lead to code execution attacks against Word, Excel and Office. Users of Microsoft Exchange are also urged to pay attention to one of the critical bulletins, which cover 4 different flaws. A cumulative IE update addresses six potentially dangerous bugs. There are the six that apply to IE 7 on Windows Vista. The last bulletin in this month's batch apples to CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system hijack attacks.'"
This discussion has been archived. No new comments can be posted.

Microsoft Patches 19 Flaws, 6 in Vista

Comments Filter:
  • by A beautiful mind (821714) on Wednesday May 09, 2007 @11:26AM (#19053087)
    Hm...I guess they leveraged the active synergies to stop the probes but the active hardening failed on the SuperHyperVista3000 edition.

    Oh wait, you did expect real security instead of buzzwords?
  • Linux patches? (Score:5, Insightful)

    by stevenbdjr (539653) <steven@mrchuckles.net> on Wednesday May 09, 2007 @11:27AM (#19053105) Homepage

    When are we going to start seeing regular Slashdot postings outlining Linux or other free software security patch releases in the same accusatory tone that the monthly Microsoft security bulletin releases bring? No, I'm not trolling, but I'm getting sick of the clear bias Slashdot editors (and most readers) have when it comes to matters of Microsoft.

    (I can feel my karma slipping away, but I couldn't take it anymore).

    • Re:Linux patches? (Score:4, Insightful)

      by varmittang (849469) on Wednesday May 09, 2007 @11:31AM (#19053171)
      We do, its usually for Firefox bugs, because that is Linux to the rest of the world. But then comes the trolls that point out that it was fixed in a matter of hours and not weeks or months.
      • by QuickFox (311231) on Wednesday May 09, 2007 @11:39AM (#19053287)

        But then comes the trolls that point out that it was fixed in a matter of hours and not weeks or months.
        Don't blame it on the trolls, they only report it here. It's the open-source developers' fault. Why can't they wait for some time and give Microsoft a chance?
        • While it's not exactly a security problem (if you don't count self inflicted DOS attacks) but the continuing lack of a linux sky2 ethernet driver that doesn't lock up sets the bar pretty low.

          But ultimately, you have to decide. Are you going to compare a transmission to a car? Or are you going to compare a car to a car?
      • Re: (Score:2, Interesting)

        by EvilRyry (1025309)
        It's not really trolling if its true (which it often is). Then there's also the differences in how each group determines whats a vunerability. Fedora Core for example patches many security issues (and they get counted as such) even when they don't really effect the distro due to things like ExecShield.
    • Re: (Score:3, Interesting)

      If the linux kernel people would ignore vulnerabilities, downplay them, take months for them to produce a fix, merge distinct vulnerabilities into single advisories and finally try to claim improved security, then I'd guess I would want to see stories about it on slashdot. So what bias?
      • Re: (Score:2, Insightful)

        by suv4x4 (956391)
        If the linux kernel people would ignore vulnerabilities, downplay them, take months for them to produce a fix, merge distinct vulnerabilities into single advisories and finally try to claim improved security, then I'd guess I would want to see stories about it on slashdot. So what bias?

        Right there in the first sentences of that quote, that bias. Those are released patches, not "downplayed patches" or "ignored vulnerabilities". Those are actual fixes, released on a monthly basis.

        If Microsoft would ignore it,
        • Re: (Score:3, Insightful)

          by drinkypoo (153816)

          Right there in the first sentences of that quote, that bias. Those are released patches, not "downplayed patches" or "ignored vulnerabilities". Those are actual fixes, released on a monthly basis.

          Microsoft has frequently been caught knowing about a bug for months before a patch is released.

          When they get caught they claim they're doing QA, but past experience with Microsoft patches suggests that they are doing no valuable testing anyway.

          If they had ever demonstrated trustworthiness, they might be trusted

          • Re: (Score:2, Insightful)

            by suv4x4 (956391)
            Microsoft has frequently been caught knowing about a bug for months before a patch is released.

            When they get caught they claim they're doing QA, but past experience with Microsoft patches suggests that they are doing no valuable testing anyway.

            If they had ever demonstrated trustworthiness, they might be trusted a bit. As it is, they have demonstrated time and again that they will fuck you over and lie about it.

            If you appreciate the way Microsoft treats you, then you are free to sing their praises. But it do
            • by drinkypoo (153816)

              That's what pisses me off with fanboys: they don't get context at all. For them any article with "Microsoft" in it, is a reason enough to recycle the entire 30 years of Microsoft faults in a single post. Over and over.

              Those who forget history are condemned to repeat it.

              Microsoft has always behaved poorly, and continues to behave poorly.

              Let's see what's the event at case: regular monthly patches for Windows. That's it.

              Yes, they are regular monthly patches. That means that they are withholding completed p

              • Re: (Score:2, Insightful)

                Yes, they are regular monthly patches. That means that they are withholding completed patches until the chosen day comes.

                Microsoft used to release as and when. They got slated on Slashdot for it.

                Microsoft then rolled patches into a monthly patch. They got slated on Slashdot for it.

                Microsoft released some important patches outside of the monthly cycle since they switched to it. They got slated on Slashdot for it.

                Yeah, theres no pattern there at all.

                With Linux, you can install patches immediately if there is a need, or later once they have had some good testing if there is not an immediate need. With Microsoft, you may install them when they say you may install them.

                So, I can install a patch when its been released or later on if I decide ... in either of your cases? Wow, thats some industrial strength spin you have there!

      • linux must be flawless then huh? If they're patching it so fast and fixing everything immediately, what is left to fix?

        So linux has no defered bugs? hmmm

        I doubt that.

        • by Wakko Warner (324) *
          There's a bit of a difference between "the driver for this USB implementation sometimes crashes the box" and "there's a giant, gaping security hole in every release of this operating system".

          If you're going to make straw-man arguments, you really ought to try harder.
      • Re:Linux patches? (Score:5, Insightful)

        by PixieDust (971386) on Wednesday May 09, 2007 @12:33PM (#19054255)
        I invite you to investigate this site [packetstormsecurity.org] which holds no immediate bias in it's reporting of security advisories, patches, problems and exploits. Look at the average turnaround time for patches, fixes, and responses to security problems. You will find out that Microsoft isn't as bad as everyone likes to pretend it is, nor is it's flagship Windows OS. Also to, I find it ironic that whenever someone points out a problem that affects Linux, people are like "But that's not the OS, it's (insert kernel module, driver, app, whatever) that is (insert special circumstance here).", but when it's Microsoft, they're all lumped together as "OMGz! Windoze h4x!". This includes vulnerabilities in Word, and Excel (and something else from the Office Suite, can't remember though atm), and additionally mentions Exchange. Exchange runs on a server platform, but ok, I'm not going to get into semantics on that (I assume they meant Outlook, though even if it was Exchange, it's still a fix, or at least an attempt at one).

        I am the first to admit that Microsoft has problems with security, but it's a problem that plagues the entire industry. Linux, Unix, Windows, Mac, websites, forms, applications, EVERYTHING. It's a problem in how the industry approaches security. It goes far beyond Microsoft. The entire industry has this "Get it working now, patch it later" mentality. It's the "Default Allow" instead of "Default Deny" approach. There is NO reason Buffer Overflow attacks should work... EVER. Period. How hard is it to check your buffers, and make sure you're handling them properly? Very sloppy. Microsoft certainly isn't the best, but they're far from the worst. Don't believe me? Check that website, and all the security advisories for the past few years, and you will notice and interesting trend.

        • Re: (Score:3, Insightful)

          by darkwhite (139802)
          The problem is not simply insufficient attention by developers, and buffer overflow bugs can sometimes be very non-trivial. The big, ubiquitous lapse in security these days is the lack of sandboxing. Why are applications not sandboxed properly? Why, despite the full availability of the security framework to do it, are desktop applications allowed by default to read and write anywhere in the user's home directory, registry, communicate with everything, display anything they want on the screen, use any periph
          • Re:Linux patches? (Score:5, Interesting)

            by PixieDust (971386) on Wednesday May 09, 2007 @02:29PM (#19056471)
            Agreed, which is pretty much the same thing I'm saying. The Buffer overflow bit was just an example. But you can see this everywhere. You see it in ACLs in firewalls, routers, and switches. You see it in applications that let everything just go willy nilly. You see it in default installations of some OSes. You see it in the installations of applications, in websites, email-clients, hell even games. And before you say "What could POSSIBLY happen in a game that could be a security threat?" Let me illustrate this example...

            Take a well known game, say, a first person shooter based in WW-II. Fairly good game, kinda fun. Let's say it's released witha BIG following, and several expansions are released for it. Now imagine, that since it's initial release, it has had a vulnerability just hiding, waiting to be discovered. It is discovered, by a couple of gamers just having fun. Say there's a voting system (for kicks, map change, etc.). Let's say people use this voting system all the time to talk to people who are still alive, because it displays the vote in yellow text to everyone. Some ingenious players discover that if your vote is for a map change, and you manually enter the command and name via console something like:

            callvote change_map "Shotgunner camping in the vent!!"

            It's been a while so forgive the syntax if it's wrong. In any case, these intrepid gamer friends are having fun, and annoying each other with vote requests that mean nothing, and just fill the screen with yellow text (repeating gibberish to flood the screen so the player can't see). Let's say during this, both game clients crash. Hmm, well that sucks. So you go back to having fun, the server is running on an actual server in the garage so it's no biggy. Same thing happens again. The clients just crash immediately after a vote is called that is an absurd length. Hmmmm.. You get another friend involved, they join, they also crash. Interesting. Then you crash 2 clients, and have the 3rd join immediately after to see people running in place, stuck in doors, etc. Server is still running just fine. Clients however, have crashed. Now intensely curious, you start digging, and find the exact point at which is goes from "Annoying Spam Vote" to Buffer Overflow.

            Now through various methods you discover that this vulnerability is definitely client specific. The server is totally unaffected. The server simply hands everything off to the clienhts, which don't know what to make of it, stuff is outside the buffer, client craps all over itself. Now someone malicious enough could take that, and create something that would quite literally be capable of hijacking any machine the game client was running on, and the only thing the user would notice MIGHT be a game crash (hell if you do it right you might be able to do it without the game itself crashing), which happens occasionally anyway, so it's ignored. Now let's say you notify the producer of this Entertainingly Amazing game, and exchange a few emails with them. 4 patches later it still isn't fixed. Several expansions later it still is not fixed.

            Unacceptable. Absolutely unacceptable. And this happens throughout the industry. THAT is why security problems, are as much of a thorn in our side as they are.

            *flips two coins onto the table, returns the soapbox to it's upright and locked position, and returns to her regularly scheduled nonsense*

            /rant off

    • Re: (Score:2, Insightful)

      by *weasel (174362)
      Probably when they gain a practical monopoly on desktop computing, begin heavily abusing their users and illegally wielding their market control against the rest of the industry.
      • by Lord_Slepnir (585350) on Wednesday May 09, 2007 @11:39AM (#19053289) Journal
        You have listed my fondest dream: To be part of an abusive monopoly that replaced the abusive monopoly that I hated when I was a young college student....*sigh*
      • So basically what you're saying is that it's purely because the /. submissions that get through are provided by people who are angry or bitter about Microsoft's position. Illegal monopolies and wielding market control have nothing to do with security fixes but because of the submitter's or the poster's personal feelings about Microsoft it's just fine to make it into an attack?
        • by *weasel (174362)
          Absolutely.

          When the bully gets sucker-punched, it's hardly surprising that the victims would delight in it. Particularly just after the bully went through a nauseating round of marketing himself as the strongest and the toughest.
    • Re: (Score:2, Insightful)

      by snoyberg (787126)

      You're right, Slashdot is biased against Microsoft. If you're looking for unbiased news stories, you've come to the wrong place.

    • Re: (Score:2, Insightful)

      by Reivec (607341)
      How is this an "accusatory tone"? Looks to me to just be stating the fact that there are some major security patches released that windows users should know about. Microsoft would WANT this information to be spread around so that people patch up and have fewer problems thus relating fewer poor experiences to a Windows problem.

      Perhaps you are showing your own bias?
      • Re:Linux patches? (Score:4, Insightful)

        by trifish (826353) on Wednesday May 09, 2007 @01:58PM (#19055907)
        The sole problem is, and the OP rightfully criticized it, was that Slashdot never posts articles like "10 security flaws in Linux patched". Everytime Windows is patched, there's an article. Occassionally this is true for OS X. That's the point. Still seeno bias? C'mon it's Slashdot and we know how it goes here.
    • Re: (Score:2, Insightful)

      by Tribbin (565963)
      Wrong place buddy, no-one will hear you; go cry somewhere else.

      It's like going to the Catholic church saying: Why don't you tell me everytime anybody is proven the absence of God?!
    • I guess you'll have to wait till the first major Linux virus/worm/phishing etc. outbreak.
      As long as M$ is so much more vulnerable and targetable you will always perceive a kind of bias.
      To your dismay, even if Linux will have a bigger market share, it won't get that much attention from malware creators, because first the technically savvy or at least more aware users will take the leap. Lazy and/or ignorant people are the best target. And I still didn't talk about the big differences between OS security :) I
    • If there were almost 20 critical vulnerabilities patched for Linux in one month, I think that would be pretty significant news too. The fact that it has never happened is more to do with the either the lack of market share of Linux, or else the bias of the programmers putting more errors into Windows than Linux. Either way, not Slashdot's fault.

      Nice +5 troll post though! I will probably save that one so I can use it when I feel like trolling. Hope you don't mind. :)
    • Re:Linux patches? (Score:5, Insightful)

      by SnowZero (92219) on Wednesday May 09, 2007 @11:44AM (#19053363)
      It's a myth that Slashdot has almost all Linux users. It used to be that way, but it has long since been overrun with a more "general computing" crowd. I would bet that if you add up the regular Windows and Mac users, it would outnumber regular Linux users. For UIDs below 100k however, you would probably see a quite different statistic. People only notice Linux users here because we're not at 1-2%, like on almost any other discussion site.

      Frankly, I'm now getting tired of the number of posts with the same tone as yours. You lament losing Karma in a sea of angry "Linux-zealot" mods, but I would guess you will be modded up, not down. Enjoy the karma...
      • Re: (Score:2, Informative)

        by tknd (979052)

        Frankly, I'm now getting tired of the number of posts with the same tone as yours. You lament losing Karma in a sea of angry "Linux-zealot" mods, but I would guess you will be modded up, not down.

        But that's the problem. Had he not posted in that type of tone, he might not have gotten modded up. I've seen many good posts defending Microsoft products without flaming the opposition yet when they hit the 4 or 5 moderation marks, people keep trying to mod them down.

        I'm sure even if you removed all of the

      • by SL Baur (19540)

        It's a myth that Slashdot has almost all Linux users

        Agreed.

        It used to be that way, but it has long since been overrun with a more "general computing" crowd. I would bet that if you add up the regular Windows and Mac users, it would outnumber regular Linux users

        Disagreed. I don't recall it ever being that way. I remember long, long ago reading that most (> 70%) of the hits on /. were coming from Microsoft Windows boxes.

        For UIDs below 100k however, you would probably see a quite different statistic.

        Maybe, but I don't think it matters that much.

        (Posted from a Solaris box)

    • Re: (Score:3, Interesting)

      I see the recent batch of articles about MS patches as a response to the release of Vista. MS decided that the heavily enhanced security in Vista was worthy of a ton of press so I think it's fair that /. or any other tech site keep track of the validity of these claims, especially in the begining while MS's statements concerning Vista security are still fresh.

      Although I do believe that MS made some good improvements to security in Vista it would seem that it's actual performance falls short of their claims.
      • by SEMW (967629) on Wednesday May 09, 2007 @12:17PM (#19053953)
        Actually, the summary was incorrect regarding Vista: at least one of the vulnerabilities in question ("Uninitialized Memory Corruption Vulnerability CVE-2007-0944") is not present in Vista, and contrary to the summary's implication, only two out of the Vista vulnerabilities (CVE-2007-0945 and CVE-2007-2221) are rated critical.

        Not, of course, that this excuses MS in any way (two is still two too many), but the summary was still rather misleading.
    • Re: (Score:2, Interesting)

      by Magneon (1067470)
      The problem with this is that Linux patches generally happen individually as soon as the problem is discovered. This way your favorite distro can check on the individual components and alert you to the fact that there are updates. Microsoft on the other hand likes to release a bunch of patches at once, leaving the user vulnerable for a period of hours, days and sometimes weeks.

      So no, we don't see 100 preemptive individual patch stories for various linux builds on here every day.
    • by Ucklak (755284)
      I really saw this as a non news/MS bash bit too but in reality, when MS releases a patch, it's a "Well about time" whereas the Linux camp will find a flaw and fix it immediately which is really a non-news item.

      I guess we can walk away with it's patch Tuesday and they're releasing patches. Good for them.
    • Why does the author describe them as 'flaws' rather than bugs, or vulnerabilities if they concern security.
    • by Wakko Warner (324) *
      Could you pretty please point me to the line(s) in the writeup where the author takes an "accusatory tone"?

      Maybe I'm just fucking illiterate, or maybe you're just fucking retarded and trolling for karma points, but I don't see it.
    • I think your current score (+4, Insightful) dispells the myth once and for all of some magic "Slashdot bias" that people continually complain about (and get modded up for). If anything, I'd say there's a clear bias on Slashdot IN FAVOUR OF Microsoft.
    • by Ngarrang (1023425)

      When are we going to start seeing regular Slashdot postings outlining Linux or other free software security patch releases in the same accusatory tone that the monthly Microsoft security bulletin releases bring? No, I'm not trolling, but I'm getting sick of the clear bias Slashdot editors (and most readers) have when it comes to matters of Microsoft.

      (I can feel my karma slipping away, but I couldn't take it anymore).

      What? You thought that if you saved enough karma you could trade it in for a night with CowboyNeal or CmdrTaco? *grin* Even karma whores have to give up a few points occasionally.

    • When Linux has 90+% of the worldwide PC installations, then I suspect we will see a similar bias against Linux.

      Until then, Microsoft has completely abdicated its responsibility of providing a secure operating system, and should be routinely called to task for that.

    • Funny people here post the opposite view on Apple (as in why the hell is every security update Apple does news?)

      Very simple.

      1) There are a number of Linux distros out there that would make it so that every single day we could have 5 security updates between Microsoft, Apple, and name your flavor OS (god that sounds like a ice cream sunday)

      2) The issue people have with Microsoft is the time it takes them to patch things that are known about in advance. For Apple its the piss in the mac users cereal bec

    • We'll see that when Linux developers start marketing to people that they have "the most secure version of Linux yet" and that people should spend hundreds of dollars on a new version, and if they spend a couple of grand on a new PC to run it, even better.
    • This isn't "bias." This is a tech news site reporting about something that huge numbers of tech workers are spending huge amounts of time dealing with.

      Patch Tuesday is an event which has effects felt throughout the IT world. Few other security-related events have such an impact.

      If you are looking for statistical analysis of security flaws, don't do it by reading Slashdot headlines.
    • I don't mean to troll and I'm not necessarily disagreeing with you about a bias, but I tend to think of Microsoft vulnerabilities and patches to be more important than the Linux counterpart.

      It's not my intention to imply Linux has fewer security bugs/holes/etc, because I haven't done any research in that regard.

      What I am saying is that Microsoft dominates the market; so therefore a Microsoft vulnerability and patch are more newsworthy in than a more obscure piece of software, in my book. I'm not talking

    • Re: (Score:3, Interesting)

      by grcumb (781340)

      When are we going to start seeing regular Slashdot postings outlining Linux or other free software security patch releases in the same accusatory tone that the monthly Microsoft security bulletin releases bring? No, I'm not trolling, but I'm getting sick of the clear bias Slashdot editors (and most readers) have when it comes to matters of Microsoft.

      No one's going to see this, and if they do it'll get modded down. But I'll feel better when I'm done.

      You, sir, are a liar.

      You complain about an accusatory tone, and when pressed to provide evidence, you admit that this advisory is actually perfectly neutral in its tone.

      It makes me sick to see this kind of perverse logic through which one's critical faculties can be so twisted that even to make observations of fact and to draw logical, rational conclusions from them (e.g. Microsoft's security sucks)

  • by Anonymous Coward on Wednesday May 09, 2007 @11:34AM (#19053225)
    I used Microsoft Update to download and install the new patches last night. Lo and behold, upon reboot, Mozilla Firefox was no longer my default browser. It appears one of the new patches resets Internet Explorer as the default browser. Easy enough to fix, but why would a patch change a system's default browser in the first place?
    • Re: (Score:3, Informative)

      by Kandenshi (832555)
      Happened to me as well, which was ... confusing.

      Then I adjusted my thinking to Microsoft's point of view and tried to figure it out.

      Now that IE7 is patched, it's much more secure than Firefox could ever be! Changing IE7 back to default is much like a firewall, an ounce of prevention is worth a pound of cure eh? By trying to get us back using IE7 they're just trying to prevent all the malware from getting on our systems, much like most of the rest of the patches.

      It's a bit screwy, but that's the best ratio
      • <paranoid hat='tinfoil'>
        An attempt to lure people back to using it? "Oh look, the shiny, I forgot how cool the new IE looks. Why did my cousin tell me to use this Mozilla thing again? Oh well, I wonder if Joe updated his MySpace..."

        MS's response to this underhanded attempt? "Oh, well that was an oversight in the patching process, sorry won't happen again".
        </paranoid>
      • by Reivec (607341)
        My money would be that no one tested the patch on systems with firefox as as default so no one noticed the problem. As much as I don't like Microsoft I could see how this could have just been an honest mistake from a side effect of running some premade function during the patch that does several things, only one of which is setting the default flag.
      • by eck011219 (851729)
        I'm certainly not an expert on this kind of stuff (I'm a web designer), but it seems to me that it could be that the patching process requires that IE be run at some point during the process (perhaps in the background, but still technically in memory and so forth). Maybe after the patch, it has to run IE to confirm successful patching. And if another browser is the default, that can obviously cause problems.

        Dunno. Don't understand any of this stuff. Just thinking out loud. I doubt it's an accident, though.
    • by kestasjk (933987)
      MS are hoping you won't notice, and thus convert you back to IE. They're probably all sitting there in Redmond right now with their fingers crossed, looking at Alexa browser statistics and saying "Oh God, did they notice? Was it too obvious?"
  • I just did a yum remove Vista ... I'm going to Disney!
  • by edgrale (216858) on Wednesday May 09, 2007 @11:38AM (#19053277)
    What's up with the cumulative IE 7 update being 34,70 MB?
    It is bigger than the x64 bit version!
  • Is this even news? (Score:2, Insightful)

    by anss123 (985305)
    MS throws out a bunch of patches every month, and have been at it for years. It must be a regular event by now, right?
  • by CyberVenom (697959) on Wednesday May 09, 2007 @11:49AM (#19053447)
    When Microsoft releases "critical" patches like this, one of the primary motivations for users, home and business alike to apply the patches is fear of loss of data if their computer falls victim to one of the new exploits. To "help" users keep their systems up to date, Microsoft has provided the Automatic Update tool. Formerly this tool would insistently prompt the user to reboot once updates had been installed. Recently, however, the tool has taken to rebooting computers of its own volition if it is unable to elicit a user response to its prompting within 5 minutes. What's the big deal? Well, lets say you have just typed up a nice email but want to add a couple more points to it before sending it off, but you have to walk away from the computer for a while. (coffee break, etc.) And when you come back 6 minutes later you find that Windows has terminated all your open programs, lost your email, rebooted, and is now happily chiding away to itself in a little speech bubble about some new updates having been installed. Well, that's fine - install your damn updates, but either do it without destroying my work or wait until I give you permission!
    (yes, I lost an email I was writing last night because of this and I'm still a bit sore...)
    • Or let's say you're a developer whose machine is in the middle of a 16 hour build. Oops, better start over!
      • by praxis (19962)
        First off, why start over? Incremental builds solve that problem. As for the email, what email clients do not safe unsent messages when asked to close? As for unprompted reboots, they get prompted. When Vista installs a patch, it tells you, then you can tell it when to reboot, otherwise it does it at some odd hour, when you don't use your machine (or I don't anyhow). If I respond to the updates have been installed popup, I can tell it when to reboot, otherwise it does it at 4am when I am at home. If y
    • (yes, I lost an email I was writing last night because of this and I'm still a bit sore...)

      Yes, it screwed up a drive rebuild here that had been running for about 20 hours before the reboot. There's an option "download but don't install until I tell you" that may stop this unpredictable rebooting.

    • by drinkypoo (153816)

      (yes, I lost an email I was writing last night because of this and I'm still a bit sore...)

      It's too bad you weren't paying attention during your installation, in which you were asked to configure automatic updates.

      It's further too bad that you didn't inspect your various settings, instead simply trusting the computer to automatically be configured to do precisely what you want it to.

      It's also too bad that you don't know how to use autosave, either.

      Perhaps if you learned how to use your computer, you'd h

      • Trusting that your computer won't just go ahead and lose all your work if you pop out for a moment makes the user stupid? Sorry - no operating system should automatically reboot itself by default with no permission or special instruction from the user. I nearly lost work to this too. I had lots of stuff open, and this damn auto update dialog box tells me it's going to reboot my machine in 4 minutes... counting down... and no way to even cancel it. Here's a hint: it's not the users who are dumb in this s
        • by drinkypoo (153816)

          Trusting that your computer won't just go ahead and lose all your work if you pop out for a moment makes the user stupid? Sorry - no operating system should automatically reboot itself by default with no permission or special instruction from the user.

          During the OS install, you are specifically asked to configure automatic updates. Some of the service pack installs also ask you to do this.

          Automatic updates are a major feature of Windows these days. They do not hide from you the fact that they will reboot

          • Re: (Score:3, Insightful)

            During the OS install, you are specifically asked to configure automatic updates. Some of the service pack installs also ask you to do this. [...] If the user decides to just click away the dialog asking you to configure automatic updates (which many OEMs will leave for you) then that's their damage.

            Hmmm.. like most people, windows was preinstalled on my machine. If enabling a feature can lose the vital work of the user, it should not be a default. Also, a clear warning of the consequences should be mad

            • by drinkypoo (153816)

              Hmmm.. like most people, windows was preinstalled on my machine. If enabling a feature can lose the vital work of the user, it should not be a default.

              That is not Microsoft's fault. It is the fault of your OEM, who chose to preconfigure that for you when they had no business doing so.

              Funnily enough, the argument that linux is harder to configure than windows is often made, but in my recent experience, I have to tinker less with linux than I ever did with windows, and I feel much safer!

              If everything works

    • by mstahl (701501)

      Yet more reasons to love my OS X / Ubuntu setup I've got going on. The dialogue goes more like "Hey I've got these updates for you whenever you've got a second" rather than "YOU WILL INSTALL THIS NOW".

    • by DavidD_CA (750156)
      How about using an email application that periodically saves your work?

      That concept is so new, I know.
  • by Medievalist (16032) on Wednesday May 09, 2007 @11:52AM (#19053485)
    People running Apache are starting to see this junk in their logs:

    GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER =4&CAPREQ=0 HTTP/1.1
    GET /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2614&STRMVER =4&CAPREQ=0 HTTP/1.1
    This noise gets spewed at websites by IE if you load the latest version of Microsoft Office and turn on the discussion bar "feature".

    You'd think sending these GETS to every single web site visited would be unnecessary (since IE can tell if it's connected to IIS, and only IIS is going to have cltreq.asp installed).

    I'm guessing they didn't fix that one?
  • by gd23ka (324741) on Wednesday May 09, 2007 @11:55AM (#19053505) Homepage
    Here, this is probably the article you had in mind:

    "Microsoft has just released seven dominance advisories -- all rated critical -- with dominance enhancements for at least 19 dominance threats affecting the world's premier and most popular Windows(R) operating system, the widely deployed superior Office productivity suite and the most dominant Internet Explorer browser. Six of the 19 dominance threats affect Microsoft's latest and most exciting offering, the Windows Vista Operating System. 'There are dominance enhancements for 7 different domination points that could otherwise lead to unplanned code execution in the most popular word processor of all times Word, the most powerful spreadsheet application Excel and of course spectacular Office. Users of Microsoft Exchange the kick-ass central hub of Information Technology are also urged to pay attention to all of the critical bulletins, which cover 4 different dominance features. A cumulative IE dominance update addresses six potentially cool features. There are the six that apply to the dominant IE 7 on the hugely popular Windows Vista Operating System. The last bulletin in this month's batch apples to the widely acclaimed CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system dominance violations.'"
    • by drinkypoo (153816)
      WAY OT but you do not have valid contact info - the video in your sig is no longer on Youtube. Or at least not by that ID. I don't suppose you have a copy?
  • by 644bd346996 (1012333) on Wednesday May 09, 2007 @12:08PM (#19053723)
    Ok, here's what's bugging me: 6 out of 19 holes are still present in Vista. That means that, in developing Vista, they removed at least 13 holes. My question: was that an accident? If those 13 holes were identified as critical vulnerabilities during Vista development and fixed, then they should have been patched in XP too. If they were accidentally fixed by more broad changes in Vista, then I guess you can see that as good, but it still calls into question MS's ability to audit code.

    On the other hand, if the rewritten portions of Vista removed 70% of the critical holes, that's pretty good. They might have been working on the right modules.
    • Re: (Score:2, Interesting)

      by MeBot (943893)
      More likely they're just issues that were mitigated as a side effect of the overall increased security in Vista. That's why minimizing attack surfaces is good even if you don't know of any vulnerabilities (yet). You also see similar patterns in new vulnerabilities between 2000 and XP SP 2. So it wasn't an accident even though they weren't aware of the vulnerabilities at the time.
    • by PsychicX (866028)
      Eh. Think back to the blog about the start menu->shut down menu thing that took a year to develop. Communication between groups in Windows is not very good, and so when the Vista guys fix a vulnerability there, the XP guys don't necessarily get the news. It's not exactly a redeeming point, I know, but I doubt there's anything malicious or intentional going on. Like most things, it's just disorganization and red tape.
  • Does anyone know if the 6 Vista vulnerabilities are stopped by protected mode(UAC)? I'm curious if protected mode is working as designed, and the KB article doesn't make a note of this.
  • by ThinkFr33ly (902481) on Wednesday May 09, 2007 @01:28PM (#19055289)
    Only 1 of the 6 bugs that affected Vista was rated "critical". (Critical is typically reserved for bugs that could allow somebody to remotely take over the machine.)

    In the case of the one bug [microsoft.com] that was rated critical, the rating was dependent on several mitigating factors, including that the user running as full admin with UAC turned off. (Obviously not the default configuration.)

    Only in that scenario could the machine be compromised, and even then the successful execution of exploit code was unlikely thanks to ASLR and various other security measures. It was far more likely to simply cause a browser crash.

    Considering Vista has been out since November of last year, its security record [csoonline.com] so far as been extremely impressive.

  • ...The number of Windows/Office/Exchange/Outlook/IE/whatever vulnerabilities/patches over time?

    That seems the only way to prove or disprove the "this is the most secure version ever" claims that always accompany an upgrade.

  • System restart (Score:3, Interesting)

    by D H NG (779318) on Wednesday May 09, 2007 @03:04PM (#19057173)
    I've had it up to here with Microsoft's automatic restart after a system update. Last night somebody was sending me a 1 GB file via Skype. It was halfway done when I went to bed. In the morning, my computer had restarted. All the transferred data was lost. As soon as I get my wireless card working in Ubuntu, I'm gonna wean off Windows forever.
  • Vista patches (Score:3, Informative)

    by obeythefist (719316) on Wednesday May 09, 2007 @08:34PM (#19061397) Journal
    The vista patches are all just to disable the one-click activation hacks that are circulating.

The world is no nursery. - Sigmund Freud

Working...