Microsoft Sets Record With Monster Patch Tuesday 237
CWmike writes "Microsoft today issued 10 security updates that patched a record 31 vulnerabilities in Windows, Internet Explorer, Excel, Word, Windows Search and other programs, including 18 bugs marked 'critical.' Of the 10 bulletins, six patched some part of Windows, while three patched an Office application or component, and one fixed a flaw in IE. The total bug count was the most patched by Microsoft in a single month since the company began regularly scheduled updates in 2003. The previous record of 26 vulnerabilities patched occurred in both August 2008 and August 2006. 'This is a very broad bunch,' said Wolfgang Kandek, CTO at Qualys, 'compared to last month, which was really all about PowerPoint. You've got to work everywhere, servers and workstations, and even Macs if you have them. It's not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow.'"
Re:Scary Good or Scary Bad? (Score:4, Insightful)
If somebody got a full list of bugs / sec updates for linux everymonth (all software), i'm quite sure that "31" would be quite a low number.
Of course MS could ignore them (or some), and come up with a low number, but that wouldn't be in anybodies best interests...
Re:That's a lot of patches (Score:2, Insightful)
For MS maybe, but there have been many time that I've seen Umbuntu ask to install a list of updates longer then my johnson... Of course it is updating multiple products, but so is MS here.
Microsoft is too big to fail (Score:4, Insightful)
Microsoft has become a single point of failure that poses and unacceptably enormous risk to our society's normal functioning. Consider it in light of the birthday paradox. Even if each failure is 99% safe, sooner or later we're going to have a major Warhol Worm that brings the entire Internet to its knees--along with large portions of the world's economy. Actually, I'd wager that the NSA already has the capability, and probably several other state actors, too.
Massive monoculture is always dangerous. The dinosaurs seemed incredibly successful, too, but too many of them were too similar--and look what happened. In diversity there is strength.
I'm not saying we should kill Microsoft. Just cut it up into four or five small pieces, give each of them a copy of the source code, and tell them to run with it. No non-public communications permitted, and let the customers actually have the MEANINGFUL freedom to pick and choose. Not only will there be more pressure to produce new versions, but within a few versions we'll have enough diversity to prevent totally massive fails.
Point of clarification: I'm not arguing against standards--but they need to be open and agreed upon, not imposed by and for the sake of monopoly.
The positive side of the Borg icon (Score:5, Insightful)
Squashing 31 vulnerabilities in a single patch, is, in a word, efficient. "Embrace and extend," might be a negative part of the Borg ethos, but I give Microsoft credit for displaying the positive side of it, as well. ;-)
Re:Microsoft is too big to fail (Score:4, Insightful)
While I agree that the Windows monocultire is a bad thing, I think it's important to remember that you could kill every single Windows machine in the world and most of the infrastructure than runs the internet would keep humming along quite happily. What's at risk is primarily desktops and corporate (intranet) servers. Losing these machines would be bad, but "brings the entire Internet to its knees" is an exaggeration. Admins would just cut off the infected machines and keep going.
Vulnerabilities? (Score:4, Insightful)
Vulnerabilities? What does this word mean? "31 vulnerabilities, including 18 bugs marked as critical."
In my mind a bug and a vulnerability are 2 different things, one englobing the other.
Let me get this straight ... if you're telling me my computer has a "vulnerability", it means I got chances to get a notepad.exe application start out of nowhere with the words "I've hax0r Ur C8mput8r" or something in my face.
Reading the article I don't know if it's some random critical bug in some MS application, or if it depends of me running a service in X or Y situation and the attacker is in the intranet or whatever, or if I need to go to a very *very* untrusted site that even Avast! won't let me do to get attacked ... please be specific!
Every month or so there is such articles about MS patches ... hell, let's do this with every god-damn software patches around? With Ubuntu you get to install patches every week also! Heck, the Java upgrader thingy pops-up every month too.
What does "vulnerabilities" mean, in this context, seriously? Am I in danger?
Re:That's a lot of patches (Score:5, Insightful)
The problem with windows is that you're not doing this at all when you check windows update/wsus - you're checking windows only- (other microsoft products if you opted-in to doing this).
This is in fact the real problem with windows- patch management is just a total nightmare.
For example, Adobe also patched today- but can you manage that upgrade at the same time? Nope.
it's mindbogglingly hard at any point in time to say you are patched when running a windows system. This is the greatest challange/weakness of windows, and the biggest benefit of Linux - package management as a means of achieving security.
Re:Even Macs? (Score:5, Insightful)
Safari 4 was beta before yesterday.
This is a good thing (Score:5, Insightful)
We already know Windows has vulnerabilities and that there are exploits in the wild. The design isn't going to magically change. So the fact that we're getting more patches is a good thing. We can't whine when we don't get patches then whine when we do! My only question is do these patches break any existing functionality, and if so is this clearly documented?
Re:That's a lot of patches (Score:4, Insightful)
I've seen Ubuntu ask to install a list of updates longer then my johnson
And probably 90% of them were 120KB libraries, which MS updates but doesn't list.
Is it the new fad to spell "Ubuntu" wrong? It's not that difficult. Add it to Firefox's dictionary if you have to.
Apple Safari Jumbo Patch 50+ Vulnerabilities Fixed (Score:5, Insightful)
"Apple Safari Jumbo Patch 50+ Vulnerabilities Fixed" - http://blogs.zdnet.com/security/?p=3541/ [zdnet.com]
Hypocrites!
Re:Microsoft is too big to fail (Score:3, Insightful)
Why is it these days that when I see the words "too big to fail" attached to a company that I automatically imagine it is secretly burning down from within?
It's not a few compromised hosts. It's several millions under the control of no more than ten people. Any one of them could sht down the Internet, and would if they saw a profit in it.
Re:Scary Good or Scary Bad? (Score:5, Insightful)
Scary good. At least it shows MS is looking for problems, and fixing them as they find them. If somebody got a full list of bugs / sec updates for linux everymonth (all software), i'm quite sure that "31" would be quite a low number. Of course MS could ignore them (or some), and come up with a low number, but that wouldn't be in anybodies best interests...
It's always a shame when people use vulnerability / bug counts as some kind of definitive universal metric. The issues involved are much more complex than a single number score. And while the information can be useful, the simplest use is to debunk zealots' (Windows, Linux, etc.) claims that their software of choice is bug-free or that one particular style of development produces better quality code (if you consider bugs signs of defects that count against your quality metric). And even then, the debate could rage on (which I'll avoid doing as that's not the point right now).
Microsoft producing security patches is an overall good thing. Its a battle that was "won" quite a few years ago. And it's a battle that continues as it takes continued pressure to keep them honest (there is a history of bugs being reported to Microsoft w/out fixes over extended lengths of time). Constant pressure nudges Microsoft to resolve these issues. It's an echo of the bad old days when Microsoft cared little about responding to serious flaws in their products.
Likely it's those echos that probably mislead the masses to assume these numbers meant something that they didn't. Back in those aforementioned bad old days, the bug count outlined largely well-documented and unaddressed flaws. Now days a few of those pop up from time to time (and again - it is more common these days for "responsible disclosure" with commercial vendors to uncover flaws that go unpublished until patch release). But for the most part, those numbers represent issues that are addressed. And that is indeed a victory (bittersweet if you contend that the flaws should never have existed).
Play Nice /. (Score:2, Insightful)
It's not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow.
That's quite the underhanded comment there. Insulting Microsoft while showing that they are improving their software at the same time. Nice!
Futile Comparison (Score:1, Insightful)
It always amuses me when people see M$ patching a bunch of vulns, and then make a comment like 'But Umbuntu (sic) is much worserer! It patched ( m$_vulns + 10 ) this month!'... or vice versa.
With Linux distos, you can pretty much count on the count being pretty much accurate, due to the defacto auditing that occurs as a function of the open source methodology.
In comparison, M$'s counts are basically meaningless, unless you are one of those gullible fanbois who believe M$ would never lie. Ever.
It's all about disclosure. Disclosure in open source is real, disclosure by the likes of M$ and Apple is pretty much based on what makes them look the best in the marketplace.
Re:Microsoft is too big to fail (Score:5, Insightful)
Back in the days of the Microsoft worms there was no default firewall and many default network exposed services, find one flaw in something and you could infect pretty much every other Windows machine on the net. They learned from that, and now there's very little chance of a machine being infected unless the machine calls out, either it's checking mail, browsing the web or whatever. Diversification is overrated, pretty much all *nix boxes use OpenSSL so how's that not a major monoculture? Or Apache for web hosting? Find me a remote exploit in the default config with no login info and you'll see full-blown panic in no time. Except that you don't. Nor has there been a major IIS security issue for ages either.
Computers don't act randomly. You minimize the contact area, analyze the heck out of it until you're really, really sure that it's correct with formal proof if you damn well please and then it will act that way. Always. Making five clones only gives you the chance to implement a bug five times more. And if it's really more sensitive than that, there's always firewalling off those entire networks. Code does not travel by magic, in short unless there's a secret port knock the NSA can do to make Windows bring down its own defenses it's not going to happen. Not anymore than I think you can break my Linux box.
Re:Apple Safari Jumbo Patch 50+ Vulnerabilities Fi (Score:1, Insightful)
Re:That's a lot of patches (Score:1, Insightful)
Re:Apple Safari Jumbo Patch 50+ Vulnerabilities Fi (Score:2, Insightful)
Re:That's a lot of patches (Score:3, Insightful)
Dear DMBFCKAC, you really don't get it or are trolling as you clearly ignore the fact that, given the existence of a repository, which can exist in
many forms, including a CD or local directory, you can update just about any software from the package installer on most mainstream distros.
The Windows installer system is so fucking lame that, 14 years after the Win '95 "Start Me Up" campaign, endusers still have to babysit Add / Remove
Programs, if they want to uninstall software as they can't pick more than one program at a time.
Most Linux packages have allowed the user the ability to select multiple packages for both install and removal and I've done a session where nearly
2 GB total, with over 100 packages were added, removed or upgraded with no issues.
Re:Scary Good or Scary Bad? (Score:3, Insightful)
MS aren't so bad when it comes to security updates, they keep providing updates for several years after a particular version was released, such that by the time they stop very few people will still be using it, and those who are will usually be companies who made an explicit decision to stick with the old version.
Re:Microsoft is too big to fail (Score:3, Insightful)
And after millions (billions?) of dollars spent by the government and by us, and a whole lot of confusion, ten years later there would be just one again because they'd merged/failed or bought each other. In fact, the only people that would really do well would be the major shareholders of the companies who would of course (as always) make off like bandits. Just like Bell.