Forgot your password?
typodupeerror
Security Microsoft

Microsoft Sets Record With Monster Patch Tuesday 237

Posted by kdawson
from the one-a-day dept.
CWmike writes "Microsoft today issued 10 security updates that patched a record 31 vulnerabilities in Windows, Internet Explorer, Excel, Word, Windows Search and other programs, including 18 bugs marked 'critical.' Of the 10 bulletins, six patched some part of Windows, while three patched an Office application or component, and one fixed a flaw in IE. The total bug count was the most patched by Microsoft in a single month since the company began regularly scheduled updates in 2003. The previous record of 26 vulnerabilities patched occurred in both August 2008 and August 2006. 'This is a very broad bunch,' said Wolfgang Kandek, CTO at Qualys, 'compared to last month, which was really all about PowerPoint. You've got to work everywhere, servers and workstations, and even Macs if you have them. It's not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow.'"
This discussion has been archived. No new comments can be posted.

Microsoft Sets Record With Monster Patch Tuesday

Comments Filter:
  • by Centurix (249778) <centurix@noSpam.gmail.com> on Tuesday June 09, 2009 @10:11PM (#28274273) Homepage

    Next tuesday they could double that amount with the right attitude...

  • by asifyoucare (302582) on Tuesday June 09, 2009 @10:17PM (#28274323)

    Apparently I need to have some text in the comment.

    • by Techman83 (949264)
      Is it sad that I could hear the UT voice in my head when I read the subject? Oh the hours spent fragging on UT!
    • by cupantae (1304123) <maroneill AT gmail DOT com> on Tuesday June 09, 2009 @10:57PM (#28274595)

      I was working on the PC late one night
      When my eyes beheld an eerie sight
      For bug on windows began to rise
      And suddenly to my surprise

      THEY DID THE PATCH
      They did the monster patch
      THE MONSTER PATCH
      It was a vulnerability smash
      THEY DID THE PATCH
      They caught them in a flash
      THEY DID THE PATCH
      They did the monster patch

      From my computer seat in the office east
      To the master Ballmer where the vampires feast
      The faults all came from their humble abodes
      To get a jolt from my electrodes

      THEY DID THE PATCH
      They did the monster patch
      THE MONSTER PATCH
      It was a vulnerability smash
      THEY DID THE PATCH
      They caught them in a flash
      THEY DID THE PATCH
      They did the monster patch ...and so on. I only really wanted to say that your comment made me sing that song, but really it is way longer than I care to do a half-assed parody.

  • by shanen (462549) on Tuesday June 09, 2009 @10:21PM (#28274341) Homepage Journal

    Microsoft has become a single point of failure that poses and unacceptably enormous risk to our society's normal functioning. Consider it in light of the birthday paradox. Even if each failure is 99% safe, sooner or later we're going to have a major Warhol Worm that brings the entire Internet to its knees--along with large portions of the world's economy. Actually, I'd wager that the NSA already has the capability, and probably several other state actors, too.

    Massive monoculture is always dangerous. The dinosaurs seemed incredibly successful, too, but too many of them were too similar--and look what happened. In diversity there is strength.

    I'm not saying we should kill Microsoft. Just cut it up into four or five small pieces, give each of them a copy of the source code, and tell them to run with it. No non-public communications permitted, and let the customers actually have the MEANINGFUL freedom to pick and choose. Not only will there be more pressure to produce new versions, but within a few versions we'll have enough diversity to prevent totally massive fails.

    Point of clarification: I'm not arguing against standards--but they need to be open and agreed upon, not imposed by and for the sake of monopoly.

    • by Daniel Dvorkin (106857) * on Tuesday June 09, 2009 @10:32PM (#28274423) Homepage Journal

      While I agree that the Windows monocultire is a bad thing, I think it's important to remember that you could kill every single Windows machine in the world and most of the infrastructure than runs the internet would keep humming along quite happily. What's at risk is primarily desktops and corporate (intranet) servers. Losing these machines would be bad, but "brings the entire Internet to its knees" is an exaggeration. Admins would just cut off the infected machines and keep going.

      • by shanen (462549) on Tuesday June 09, 2009 @10:43PM (#28274503) Homepage Journal

        Acknowledged. I should clarify that I am thinking of a Warhol Worm that includes a rooted backdoor for a large-scale DDoS attack. We've already had plenty of problems with zombots around 10^4, but imagine the hassles of a 10^7 zombot... I don't think it would be possible to simply cut the infected machines off the net, but rather it would be necessary to partition the entire network and rebuild in pieces.

        • by TheLink (130905)
          If the zombie machines use up too much of the bandwidth - the users or ISP will notice and the relevant zombies get dealt with.

          When that happens it's not that difficult for an ISP to cut the infected machines off the net if they become a big problem.

          However with 10^7 zombies if each zombie just DoSed a target at even as low as 128kbps per zombie it still works out to 152GBps. While some grandma in Sweden might be OK with that, many less well connected sites will still get crushed.

          IMO the big problem is at l
      • Re: (Score:3, Insightful)

        by symbolset (646467)

        Why is it these days that when I see the words "too big to fail" attached to a company that I automatically imagine it is secretly burning down from within?

        It's not a few compromised hosts. It's several millions under the control of no more than ten people. Any one of them could sht down the Internet, and would if they saw a profit in it.

      • Funny enough, the internet itself would survive, since most of it does actually not depend on Windows. What would probably take a huge hit is the economy, considering that most companies rely on Windows for processing and storage.

        Tempting, I tell you, tempting the dark side is...

      • by Bert64 (520050)

        Consider that most of the people running that network infrastructure and even many unix systems perform their administrative functions from windows workstations...
        Also IIS has about 1/3 of the web market, so 1/3 of websites would go offline...
        A serious Windows failure would screw up a lot of things.

    • Re: (Score:3, Funny)

      by shanen (462549)

      To the spineless cowardly censorious moron with the negative mod points:

      Exactly what part of the post were you unable to understand? If you don't ask questions, you'll just continue being a bloody ignorant twit.

      And your mother wore army boots, too.

      However, I do thank you for your additional evidence of the quality of most of the moderation on /.--but it was scarcely needed. I've pretty much given up looking for funny or witty posts these days. A moderation of +5 funny apparently means that some moderators r

    • by wvmarle (1070040) on Tuesday June 09, 2009 @11:07PM (#28274659)

      Massive monoculture is always dangerous. The dinosaurs seemed incredibly successful, too, but too many of them were too similar--and look what happened. In diversity there is strength.

      In numbers there is strength as well. There is quite some evidence that birds are the living direct descendants of the dinosaurs - and in a way I have always been puzzled on how it would be possible that all dinosaurs would become extinct but other types of animals (mammals, crocodiles) not. Dinosaurs were often huge animals, so relative few numbers before the earth is full. That is more likely to have been their undoing. When 90% gets killed, finding a mate becomes really hard due to the huge distance between individuals.

      Windows is so huge in numbers that it is almost impossible to extinct. Almost always there will be some Windows computers surviving somewhere, forgotten on grandma's table, not connected to the Internet even maybe and happily moving on alone. It is impossible to wipe them all out, there are too many of them.

      OS/2 is virtually extinct - some installations hanging on for dear life but there were so few of them... BeOS saw the same fate... and so there are more. Dead branches on the tree of evolution, they could not multiply sufficiently to weather the competition.

      Windows is of course at risk of disease: all individuals are so similar they can easily infect one another. Some have better immune systems (firewalls, more patches installed) and may survive longer - they may even survive the main onslaught and survive the virus which itself may die out due to not enough hosts left to infect. That is after all what happened to the Spanish Flue: this strain disappeared because in the end all hosts were either immune or had died. There were virtually no fresh hosts available for the virus to survive.

      Linux is reaching sufficient numbers now to also be impossible to become extinct, and add to that the large diversity in systems giving the species great immunity. Yes some groups may be vulnerable to a certain virus, others will be immune and sit out the disease. Then the ones killed by the virus will be replaced by new, immune systems and the species as a whole becomes stronger.

      At the moment actually I can not think of other operating systems that are as diverse as the Linux platform. BSD is a candidate but only three major flavours available. Windows certainly is no candidate, it's all the same.

    • by Kjella (173770) on Tuesday June 09, 2009 @11:46PM (#28274921) Homepage

      Back in the days of the Microsoft worms there was no default firewall and many default network exposed services, find one flaw in something and you could infect pretty much every other Windows machine on the net. They learned from that, and now there's very little chance of a machine being infected unless the machine calls out, either it's checking mail, browsing the web or whatever. Diversification is overrated, pretty much all *nix boxes use OpenSSL so how's that not a major monoculture? Or Apache for web hosting? Find me a remote exploit in the default config with no login info and you'll see full-blown panic in no time. Except that you don't. Nor has there been a major IIS security issue for ages either.

      Computers don't act randomly. You minimize the contact area, analyze the heck out of it until you're really, really sure that it's correct with formal proof if you damn well please and then it will act that way. Always. Making five clones only gives you the chance to implement a bug five times more. And if it's really more sensitive than that, there's always firewalling off those entire networks. Code does not travel by magic, in short unless there's a secret port knock the NSA can do to make Windows bring down its own defenses it's not going to happen. Not anymore than I think you can break my Linux box.

    • Re: (Score:3, Insightful)

      by johneee (626549)

      And after millions (billions?) of dollars spent by the government and by us, and a whole lot of confusion, ten years later there would be just one again because they'd merged/failed or bought each other. In fact, the only people that would really do well would be the major shareholders of the companies who would of course (as always) make off like bandits. Just like Bell.

    • Re: (Score:3, Interesting)

      by westlake (615356)
      Microsoft has become a single point of failure that poses and unacceptably enormous risk to our society's normal functioning.

      The geek has been piping this tune since the launch of the IBM PC

      - and we all still here.

      Even if each failure is 99% safe, sooner or later we're going to have a major Warhol Worm that brings the entire Internet to its knees--along with large portions of the world's economy. Actually, I'd wager that the NSA already has the capability, and probably several other state actors, too.

  • by petrus4 (213815) on Tuesday June 09, 2009 @10:26PM (#28274383) Homepage Journal

    Squashing 31 vulnerabilities in a single patch, is, in a word, efficient. "Embrace and extend," might be a negative part of the Borg ethos, but I give Microsoft credit for displaying the positive side of it, as well. ;-)

  • Vulnerabilities? (Score:4, Insightful)

    by Korbeau (913903) on Tuesday June 09, 2009 @10:33PM (#28274433)

    Vulnerabilities? What does this word mean? "31 vulnerabilities, including 18 bugs marked as critical."

    In my mind a bug and a vulnerability are 2 different things, one englobing the other.

    Let me get this straight ... if you're telling me my computer has a "vulnerability", it means I got chances to get a notepad.exe application start out of nowhere with the words "I've hax0r Ur C8mput8r" or something in my face.

    Reading the article I don't know if it's some random critical bug in some MS application, or if it depends of me running a service in X or Y situation and the attacker is in the intranet or whatever, or if I need to go to a very *very* untrusted site that even Avast! won't let me do to get attacked ... please be specific!

    Every month or so there is such articles about MS patches ... hell, let's do this with every god-damn software patches around? With Ubuntu you get to install patches every week also! Heck, the Java upgrader thingy pops-up every month too.

    What does "vulnerabilities" mean, in this context, seriously? Am I in danger?

    • by Culture20 (968837)
      Let's put it this way: I saw a drive by download on a fully patched Vista SP2 machine with IE8 on Friday. If the user had been in the admin group, it could have been owned. Now with http://www.microsoft.com/technet/security/Bulletin/MS09-025.mspx [microsoft.com] I'm not so sure (why does it say valid creds are needed? Could a drive-by exploit it?).
      • Re:Vulnerabilities? (Score:4, Informative)

        by zonky (1153039) on Tuesday June 09, 2009 @11:11PM (#28274693)
        If the user had UAC disabled, they w/could have been owned. Being in the admin group on Vista shouldn't in itself allow a drive by to write files outside the user's home folders. Same if you were running safari with sudo on OSX, or Firefox as root on Linux. Any user running as admin/root is a fool. Of course, if the code you do run in your drive by download can hit a privilege escalation vulnerability on the os, all bets are off....
    • Re:Vulnerabilities? (Score:5, Informative)

      by Kjella (173770) on Tuesday June 09, 2009 @11:58PM (#28274995) Homepage

      A bug is something not working as intended. Slashdot's rendering on standards compliant browsers for example.
      A vulnerability is something that can be exploited by a third party for example to crash, hang or invade your machine.

      That in itself doesn't really tell you much, is it locally or remotely exploitable, do you need valid logins, user action etc. which means it can range from trivial to critical. If you want the details, you need to read the details... that is to say MS security bulletins.

      • by mpe (36238)
        A bug is something not working as intended. Slashdot's rendering on standards compliant browsers for example.

        Bugs can be anything from trivially annoying to "show stopper".

        A vulnerability is something that can be exploited by a third party for example to crash, hang or invade your machine.

        This "third party" can include the end user. In the case of servers or where it is possible to elevate privileges of a thread/process/etc.

        That in itself doesn't really tell you much, is it locally or remotely expl
  • by syousef (465911) on Tuesday June 09, 2009 @10:44PM (#28274505) Journal

    We already know Windows has vulnerabilities and that there are exploits in the wild. The design isn't going to magically change. So the fact that we're getting more patches is a good thing. We can't whine when we don't get patches then whine when we do! My only question is do these patches break any existing functionality, and if so is this clearly documented?

    • by wvmarle (1070040) on Tuesday June 09, 2009 @11:37PM (#28274869)

      A proper patch would imho only be able to break existing functionality if:

      • it changes the behaviour of a publicly documented API (it shouldn't but it can be documented),
      • the software providing the functionality uses an undocumented API or uses a bug workaround, the first it shouldn't do in the first place and the second is up for debate whether it's good to do or not.

      Changing a documented API should happen only between OS version changes, the second is more likely. And considering the number of bugs and undocumented API calls included in Windows that may well be a serious issue. Documenting the patch will never warn one of these issues: the undocumented API calls are, well, undocumented so technically they do not exist, and it is impossible to know beforehand which bug workarounds there are in software, if any.

      So assuming MS writes their patches properly, no documented functionality will change. It may change to what the documents say it does, it may internally change giving the same end result - so no matter the documentation, testing would be the only way to make sure that your specific set of third-party or in-house software still works.

      And I'm sure the above accounts for open source software as much as it does for closed source.

      • Re: (Score:3, Interesting)

        by syousef (465911)

        I've seen patches - especially security patches - that break functionality in the past. Ones from MS that come to mind include breaking the ability to open older versions of Office documents and transmitting certain file extensions in Outlook. Both of those were in an Office Service pack. I have a vague recollection of other problems caused by patches but I don't have solid links. Google the phrase "windows update breaks" without the quotes.

  • by BSDetector (1056962) on Tuesday June 09, 2009 @11:08PM (#28274661)
    So where is the Slashdot article on the following? It's as current as the Microsoft article from ZDNet! I guess as long as it puts Apple in a bad light - it gets ignored or even censored. But if it can be interpreted as Microsoft=BAD then let's up the font size and BOLD the headers!

    "Apple Safari Jumbo Patch 50+ Vulnerabilities Fixed" - http://blogs.zdnet.com/security/?p=3541/ [zdnet.com]

    Hypocrites!
    • Re: (Score:3, Interesting)

      by MrMista_B (891430)

      And that makes you a troll - you're comparing updates that affect a single browser, compared to this story, of updates that affect an entire platform.

      The only Apple bias here is coming from you.

      • Re: (Score:2, Insightful)

        by Gouru (1568313)
        Okay, then to compare apples to apples...Microsoft had one fix for IE in this patch, Apple had 50 for Safari. Again, where is the apple headline?
        • by mpe (36238)
          Okay, then to compare apples to apples...Microsoft had one fix for IE in this patch, Apple had 50 for Safari. Again, where is the apple headline?

          Except that this isn't "apples to apples". Since you don't know how many actual issues and their severity are involved. Since a "patch" can involve an arbitrary number of changes. Especially with Microsoft having a policy to only issuing patches once a month.
      • by Anonymous Coward on Wednesday June 10, 2009 @12:12AM (#28275073)

        Does anybody even know what "troll" means anymore? A troll is not somebody who says something you don't like.

        The point of a troll is to get replies to a fake message. A troll is something like "Back when Bill Gates invented the internet blah blah". The point there is for know-it-alls to jump up and yell that it was not Bill Gates.

        The grandparent was pointing out something he saw as hypocrisy. You might not agree, but that doesn't make him a troll. He might be a troll (if he pointed it out solely to see the replies), but I think it's a valid point, and I'm willing to bet he does too.

        But that's the way people are, I suppose. Ever look at 1-star reviews on Amazon? Even good 1-star reviews ("I didn't like this, and here are the reasons why") tend to have, at best, a 50% "This was helpful" rate. People check off "unhelpful" because they disagree with the reviewer. I suppose it's no surprise that the OP here decided that someone who said something he disagrees with is a troll, but it sure would be nice for people to learn how to have some form of mature debate.

    • by MrMr (219533) on Wednesday June 10, 2009 @04:26AM (#28276671)
      You are aware that these patches are for the beta release of a major upgrade?
      Of course you are; You just like to use the word hypocrite a lot, to divert attention.
  • I am currently using Windows Vista, that was, as of 1 week ago, up to date. I am also using IE 8. I have Office 2003 on this machine. I have automatic updates turned off as I do them weekly and like to see what it coming in.

    After reading the headline here I instantly closed firefox, opened IE and did my updates (and for Office too). 5 were listed critical. There were a total of 9 updates and some of those were for hardware.

    Reading the article does not offer clarity but I suspect that this includes upd
    • I agree with you to a point. Making MS look bad is fine. Personally, the company's arrogance is outstanding. When the Linux community criticizes MS, they aren't spreading fear, uncertainty, and doubt but simply telling the truth as it is. FUD is a unqiuely Microsoft way of doing things. If you distrust Microsoft so much, why do you run Windows when you can do almost everything you have to do in open source? Personally, I use PCBSD and it does everything I need it to do and then some.
    • Re: (Score:3, Interesting)

      by heffrey (229704)

      I've just checked out my Vista machine at work and it lists 16 updates, none of which is critical. I've got Vista SP2, IE8, Office 2007 SP2. I suspect that if you use the up-to-date versions of MS software then you will get far fewer critical updates.

      I know that it's not fashionable to give MS any credit but my experience tells me that the quality and security of MS software are much improved from the bad old days. I think any reasonable scientific measure of critical vulnerabilities would regard Windows

  • Play Nice /. (Score:2, Insightful)

    by rxan (1424721)

    It's not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow.

    That's quite the underhanded comment there. Insulting Microsoft while showing that they are improving their software at the same time. Nice!

    • Agreed. They are changing their business model (for the better!), they should at least get a little encouragement from us.

      Truth be told, the number of undisclosed vulnerabilities that MS has patched is... undisclosed. Take for example anti-trojan patches. How many individual patches were made to keep a single trojan from spreading? Were they lumped together and called something else?

      Never underestimate corporate ingenuity when it comes to telling a white ie. Sure, a patch is a patch, but it's not alwa

  • pan-MS patch (Score:2, Interesting)

    by Gothmolly (148874)

    Before you fanboys and trollboys come out of the woodwork, realize that this is across ALL the stuff - your precious Ubuntu or BSD would never have this many, simply because a distro is not also a browser, office suite, etc. It certainly isn't controlled and managed by the same group.

    btw posting this from an Ubuntu machine, which just pulled down 10 updates.

    • Re: (Score:3, Informative)

      You're probably a troll, but in case you're simply misguided or poorly informed:

      [R]ealize that this is across ALL the stuff - your precious Ubuntu or BSD would never have this many, simply because a distro is not also a browser, office suite, etc.

      The point of a distro is that it comes bundled with lots of software. It usually does include a browser, an office suite, an image editor, and more.

      It certainly isn't controlled and managed by the same group.

      The purpose of a distribution is to have everything managed by a single group. Sure, most -- if not all -- software comes from upstream, but the same single group does manage all of the packaging and updates for the users of said distribution.

      btw posting this from an Ubuntu machine, which just pulled down 10 updates.

      If you really are posting from an Ubuntu

    • Lies. Try updating Gentoo.

  • Oh joy! (Score:5, Funny)

    by Errtu76 (776778) on Tuesday June 09, 2009 @11:40PM (#28274885) Journal

    Microsoft. Windows. Updates. Patches. On slashdot?

    *quickly gets the popcorn and F5's the comments*

    Oh good one!

    *munch munch*

    hahahaha funny

    *munch*

    ooooo

    *munch munch*

  • by Horar (521864) <slashdotNO@SPAMasmith.id.au> on Wednesday June 10, 2009 @12:01AM (#28275015) Homepage

    A computer consultant advocating Windows is like a doctor prescribing cigarettes. It creates a lot of extra work.

Porsche: there simply is no substitute. -- Risky Business

Working...