Microsoft Patches 19 Flaws, 6 in Vista 307

Cheesy Balogna writes "Microsoft has just released seven advisories — all rated critical — with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser. Six of the 19 vulnerabilities affect Windows Vista. 'There are patches for 7 different vulnerabilities that could lead to code execution attacks against Word, Excel and Office. Users of Microsoft Exchange are also urged to pay attention to one of the critical bulletins, which covers 4 different flaws. A cumulative IE update addresses six potentially dangerous bugs. There are the six that apply to IE 7 on Windows Vista. The last bulletin in this month's batch applies to CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system hijack attacks.'"

  • Linux patches? (Score:5, Insightful)

    by stevenbdjr ( 539653 ) <steven@mrchuckles.net> on Wednesday May 09, 2007 @12:27PM (#19053105) Homepage

    When are we going to start seeing regular Slashdot postings outlining Linux or other free software security patch releases in the same accusatory tone that the monthly Microsoft security bulletin releases bring? No, I'm not trolling, but I'm getting sick of the clear bias Slashdot editors (and most readers) have when it comes to matters of Microsoft.

    (I can feel my karma slipping away, but I couldn't take it anymore).

  • Re:Linux patches? (Score:4, Insightful)

    by varmittang ( 849469 ) on Wednesday May 09, 2007 @12:31PM (#19053171)
    We do, it's usually for Firefox bugs, because that is Linux to the rest of the world. But then come the trolls that point out that it was fixed in a matter of hours and not weeks or months.
  • Re:Linux patches? (Score:2, Insightful)

    by *weasel ( 174362 ) on Wednesday May 09, 2007 @12:32PM (#19053199)
    Probably when they gain a practical monopoly on desktop computing, begin heavily abusing their users and illegally wielding their market control against the rest of the industry.
  • Re:Linux patches? (Score:2, Insightful)

    by snoyberg ( 787126 ) <snoyberg@users.s ... t minus caffeine> on Wednesday May 09, 2007 @12:33PM (#19053201) Homepage

    You're right, Slashdot is biased against Microsoft. If you're looking for unbiased news stories, you've come to the wrong place.

  • Re:Linux patches? (Score:2, Insightful)

    by Reivec ( 607341 ) on Wednesday May 09, 2007 @12:33PM (#19053209)
    How is this an "accusatory tone"? Looks to me to just be stating the fact that there are some major security patches released that Windows users should know about. Microsoft would WANT this information to be spread around so that people patch up and have fewer problems, thus relating fewer poor experiences to a Windows problem.

    Perhaps you are showing your own bias?
  • Re:Linux patches? (Score:2, Insightful)

    by Tribbin ( 565963 ) on Wednesday May 09, 2007 @12:34PM (#19053231) Homepage
    Wrong place buddy, no-one will hear you; go cry somewhere else.

    It's like going to the Catholic church saying: Why don't you tell me every time anybody proves the absence of God?!
  • Re:Linux patches? (Score:5, Insightful)

    by SnowZero ( 92219 ) on Wednesday May 09, 2007 @12:44PM (#19053363)
    It's a myth that Slashdot has almost all Linux users. It used to be that way, but it has long since been overrun with a more "general computing" crowd. I would bet that if you add up the regular Windows and Mac users, it would outnumber regular Linux users. For UIDs below 100k however, you would probably see a quite different statistic. People only notice Linux users here because we're not at 1-2%, like on almost any other discussion site.

    Frankly, I'm now getting tired of the number of posts with the same tone as yours. You lament losing Karma in a sea of angry "Linux-zealot" mods, but I would guess you will be modded up, not down. Enjoy the karma...
  • Is this even news? (Score:2, Insightful)

    by anss123 ( 985305 ) on Wednesday May 09, 2007 @12:47PM (#19053415)
    MS throws out a bunch of patches every month, and has been at it for years. It must be a regular event by now, right?
  • Re:Linux patches? (Score:2, Insightful)

    by suv4x4 ( 956391 ) on Wednesday May 09, 2007 @12:50PM (#19053453)
    If the linux kernel people would ignore vulnerabilities, downplay them, take months for them to produce a fix, merge distinct vulnerabilities into single advisories and finally try to claim improved security, then I'd guess I would want to see stories about it on slashdot. So what bias?

    Right there in the first sentences of that quote, that bias. Those are released patches, not "downplayed patches" or "ignored vulnerabilities". Those are actual fixes, released on a monthly basis.

    If Microsoft would ignore it, we get a "Microsoft ignores it!" article on Slashdot. If they release a patch, we get an "omg critical patch for Windows" article on Slashdot.

    It's ridiculous.

    Also, how about claims of security and bending the truth? Just as you prove yourself, Linux fanboys twist the truth about Linux far more often than Microsoft does with Windows. Anything goes.
  • Re:Linux patches? (Score:3, Insightful)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday May 09, 2007 @12:58PM (#19053553) Homepage Journal

    Right there in the first sentences of that quote, that bias. Those are released patches, not "downplayed patches" or "ignored vulnerabilities". Those are actual fixes, released on a monthly basis.

    Microsoft has frequently been caught knowing about a bug for months before a patch is released.

    When they get caught they claim they're doing QA, but past experience with Microsoft patches suggests that they are doing no valuable testing anyway.

    If they had ever demonstrated trustworthiness, they might be trusted a bit. As it is, they have demonstrated time and again that they will fuck you over and lie about it.

    If you appreciate the way Microsoft treats you, then you are free to sing their praises. But it doesn't make you right.

  • Re:Linux patches? (Score:3, Insightful)

    by TommydCat ( 791543 ) on Wednesday May 09, 2007 @01:03PM (#19053623) Homepage
    I didn't read anything accusatory or note a demeaning tone in the summary. I think many here bring their own bias, ready to start an argument (either for or against). To me, the summary is just stating that patches are now available, they are labelled "critical", and the users of this site may be interested, as many of them own, use or deal with Microsoft operating systems on a daily basis.

    What conclusion is the summary supposedly spoon-feeding me?
  • by 644bd346996 ( 1012333 ) on Wednesday May 09, 2007 @01:08PM (#19053723)
    Ok, here's what's bugging me: 6 out of 19 holes are still present in Vista. That means that, in developing Vista, they removed at least 13 holes. My question: was that an accident? If those 13 holes were identified as critical vulnerabilities during Vista development and fixed, then they should have been patched in XP too. If they were accidentally fixed by more broad changes in Vista, then I guess you can see that as good, but it still calls into question MS's ability to audit code.

    On the other hand, if the rewritten portions of Vista removed 70% of the critical holes, that's pretty good. They might have been working on the right modules.
  • You'd think sending these GETS to every single web site visited would be unnecessary (since IE can tell if it's connected to IIS, and only IIS is going to have cltreq.asp installed).

    Is there any reason someone with Chilisoft ASP couldn't implement the same functionality?

  • Re:Linux patches? (Score:2, Insightful)

    by suv4x4 ( 956391 ) on Wednesday May 09, 2007 @01:21PM (#19054041)
    Microsoft has frequently been caught knowing about a bug for months before a patch is released.

    When they get caught they claim they're doing QA, but past experience with Microsoft patches suggests that they are doing no valuable testing anyway.

    If they had ever demonstrated trustworthiness, they might be trusted a bit. As it is, they have demonstrated time and again that they will fuck you over and lie about it.

    If you appreciate the way Microsoft treats you, then you are free to sing their praises. But it doesn't make you right.


    That's what pisses me off with fanboys: they don't get context at all. For them any article with "Microsoft" in it is reason enough to recycle the entire 30 years of Microsoft faults in a single post. Over and over.

    Let's see what the event is in this case: regular monthly patches for Windows. That's it.

    I, and some other people, just asked for objective opinions: there's no "ignored vulnerability" or "delayed response" in THIS ONE CASE. There is NO reason to regurgitate past faults of Microsoft every single month, when, completely predictably, the patches are released.

    But all of those are treated as an excuse for doing just that.

    So your response is that "I'm singing praises for Microsoft". There's basically no way to argue with you guys. Keep living in your imaginary world, I hope you're happy there.
  • Re:Linux patches? (Score:1, Insightful)

    by Anonymous Coward on Wednesday May 09, 2007 @01:31PM (#19054205)

    Microsoft has frequently been caught knowing about a bug [... snip drivel ...] past experience with Microsoft patches suggests that they are doing no valuable testing anyway [... snip drivel ...] they have demonstrated time and again that they will fuck you over and lie about it.


    Stop for a second, and ask yourself: "why on earth did I just recite my whole Microsoft bashing repertoire in response to a mere boring monthly patch release".

    Think about it hard, and then consider again who's the ridiculous one in this discussion.
  • Re:Linux patches? (Score:5, Insightful)

    by PixieDust ( 971386 ) on Wednesday May 09, 2007 @01:33PM (#19054255)
    I invite you to investigate this site [packetstormsecurity.org], which holds no immediate bias in its reporting of security advisories, patches, problems and exploits. Look at the average turnaround time for patches, fixes, and responses to security problems. You will find out that Microsoft isn't as bad as everyone likes to pretend it is, nor is its flagship Windows OS. Also, I find it ironic that whenever someone points out a problem that affects Linux, people are like "But that's not the OS, it's (insert kernel module, driver, app, whatever) that is (insert special circumstance here).", but when it's Microsoft, they're all lumped together as "OMGz! Windoze h4x!". This includes vulnerabilities in Word and Excel (and something else from the Office Suite, can't remember though atm), and additionally mentions Exchange. Exchange runs on a server platform, but ok, I'm not going to get into semantics on that (I assume they meant Outlook, though even if it was Exchange, it's still a fix, or at least an attempt at one).

    I am the first to admit that Microsoft has problems with security, but it's a problem that plagues the entire industry. Linux, Unix, Windows, Mac, websites, forms, applications, EVERYTHING. It's a problem in how the industry approaches security. It goes far beyond Microsoft. The entire industry has this "Get it working now, patch it later" mentality. It's the "Default Allow" instead of "Default Deny" approach. There is NO reason Buffer Overflow attacks should work... EVER. Period. How hard is it to check your buffers, and make sure you're handling them properly? Very sloppy. Microsoft certainly isn't the best, but they're far from the worst. Don't believe me? Check that website, and all the security advisories for the past few years, and you will notice an interesting trend.
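To make the "check your buffers" / "Default Deny" point above concrete, here is an added C example (not code from the thread or from any product discussed in it): an unchecked fixed-size string copy next to a replacement that measures the input against the destination size first and refuses anything that would not fit. The buffer size, function names and sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a "Default Allow" copy and a "Default Deny" copy.
   NAME_MAX, the function names and the inputs in main() are made up here. */

#define NAME_MAX 16

/* Vulnerable form: trusts that src fits. Any src of NAME_MAX or more
   characters writes past the end of the caller's buffer. Shown for contrast
   only; nothing below calls it with untrusted or oversized input. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src); /* no length check at all */
}

/* Hardened form: returns 0 and fills dst on success, or -1 and leaves dst as
   an empty string when src (plus its terminator) would not fit in dst_size
   bytes. Rejecting is the default; copying happens only after the check. */
int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';            /* deny by default: output is empty unless we succeed */
    if (src == NULL)
        return -1;

    /* Measure src, but never look further than dst_size bytes: if no
       terminator appears within that window the input is already too long. */
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)
        return -1;            /* n chars + terminator would need dst_size + 1 bytes */

    memcpy(dst, src, n + 1);  /* n < dst_size, so the n + 1 bytes fit */
    return 0;
}

int main(void)
{
    char name[NAME_MAX];
    /* Constructed inputs: one that fits, one exactly one byte too long. */
    const char *ok = "alice";
    const char *too_long = "0123456789abcdef"; /* 16 chars, needs 17 bytes */
    int rc;

    rc = copy_name_checked(name, sizeof name, ok);
    printf("%-20s -> %d (\"%s\")\n", ok, rc, name);
    rc = copy_name_checked(name, sizeof name, too_long);
    printf("%-20s -> %d (\"%s\")\n", too_long, rc, name);
    return 0;
}
```

The checked version never reads more than dst_size bytes of the input either, so an unterminated source cannot make it scan off the end; the caller always gets an explicit success or failure instead of silent memory corruption.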

  • Re:Linux patches? (Score:1, Insightful)

    by Vexorian ( 959249 ) on Wednesday May 09, 2007 @01:34PM (#19054263)
    I read the summary:

    "Microsoft has just released seven advisories -- all rated critical -- with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser. Six of the 19 vulnerabilities affect Windows Vista. 'There are patches for 7 different vulnerabilities that could lead to code execution attacks against Word, Excel and Office. Users of Microsoft Exchange are also urged to pay attention to one of the critical bulletins, which covers 4 different flaws. A cumulative IE update addresses six potentially dangerous bugs. There are the six that apply to IE 7 on Windows Vista. The last bulletin in this month's batch applies to CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system hijack attacks.'"

    I guess:

    "Market leader Microsoft cares about security, and has fixed 19 security flaws, proving that their software is always up to the fight against holes and demonstrating that Vista is a medium that fights security in revolutionary ways."

    would have been less of that accusatory tone you are talking about.
  • by aichpvee ( 631243 ) on Wednesday May 09, 2007 @02:01PM (#19054805) Journal
    I'm calling bullshit. Microsoft has been saying for 10 years that IE is INSEPARABLE from Windows. Any flaw in IE is a flaw in Windows. Because either you believe Microsoft or you stop your cheerleading and admit that Bill Gates and all the other execs at Microsoft are liars and that the feds should have broken the company up into a hundred little Microsofts.
  • by mattpalmer1086 ( 707360 ) on Wednesday May 09, 2007 @02:14PM (#19055043)

    During the OS install, you are specifically asked to configure automatic updates. Some of the service pack installs also ask you to do this. [...] If the user decides to just click away the dialog asking you to configure automatic updates (which many OEMs will leave for you) then that's their damage.

    Hmmm.. like most people, Windows was preinstalled on my machine. If enabling a feature can lose the vital work of the user, it should not be a default. Also, a clear warning of the consequences should be made. In actual fact, I intentionally enabled the automatic update and I still didn't know what I was letting myself in for. My bad, I guess, but I never thought for one moment that enabling it like this might just cause my machine to lose my work while I was sitting in front of it, never mind if I popped out for a coffee! It fails the principle of least surprise.

    I think that for most people, computers are tools, not objects of intrinsic interest in themselves. Any boring software (i.e. stuff that should just work and not get in the user's way unless absolutely necessary) should do just that: just work. If it can't just work, at the very least it should not endanger the user's work if at all possible.

    Funnily enough, the argument that Linux is harder to configure than Windows is often made, but in my recent experience, I have to tinker less with Linux than I ever did with Windows, and I feel much safer!

  • Re:Linux patches? (Score:2, Insightful)

    by Richard_at_work ( 517087 ) on Wednesday May 09, 2007 @02:17PM (#19055109)

    Yes, they are regular monthly patches. That means that they are withholding completed patches until the chosen day comes.

    Microsoft used to release as and when. They got slated on Slashdot for it.

    Microsoft then rolled patches into a monthly patch. They got slated on Slashdot for it.

    Microsoft released some important patches outside of the monthly cycle since they switched to it. They got slated on Slashdot for it.

    Yeah, there's no pattern there at all.

    With Linux, you can install patches immediately if there is a need, or later once they have had some good testing if there is not an immediate need. With Microsoft, you may install them when they say you may install them.

    So, I can install a patch when it's been released or later on if I decide ... in either of your cases? Wow, that's some industrial strength spin you have there!
  • Re:Linux patches? (Score:4, Insightful)

    by trifish ( 826353 ) on Wednesday May 09, 2007 @02:58PM (#19055907)
    The sole problem, and the OP rightfully criticized it, is that Slashdot never posts articles like "10 security flaws in Linux patched". Every time Windows is patched, there's an article. Occasionally this is true for OS X. That's the point. Still see no bias? C'mon, it's Slashdot and we know how it goes here.
  • Re:Linux patches? (Score:3, Insightful)

    by darkwhite ( 139802 ) on Wednesday May 09, 2007 @03:04PM (#19056011)
    The problem is not simply insufficient attention by developers, and buffer overflow bugs can sometimes be very non-trivial. The big, ubiquitous lapse in security these days is the lack of sandboxing. Why are applications not sandboxed properly? Why, despite the full availability of the security framework to do it, are desktop applications allowed by default to read and write anywhere in the user's home directory, registry, communicate with everything, display anything they want on the screen, use any peripherals and communicate on the network in any way short of running a server? That's what's not acceptable. An obscure vulnerability in a big application might be excusable if it crashes it and causes it to nuke its config files, but it's very inexcusable if it installs spyware that steals the user's data or craps all over the user's home directory.
  • by Samhain ( 6902 ) on Wednesday May 09, 2007 @05:52PM (#19059085)
    And if you read about the patches you would notice that many of those 13 holes were with other products, such as about 3 or 4 dealing with Office, some with Exchange, and some with Windows DNS. These may or may not apply to Vista depending on what software you have installed on it.

    Although I really hope someone is not trying to run Exchange on Vista. *grins*
