Microsoft Sets Record With Monster Patch Tuesday
CWmike writes "Microsoft today issued 10 security updates that patched a record 31 vulnerabilities in Windows, Internet Explorer, Excel, Word, Windows Search and other programs, including 18 bugs marked 'critical.' Of the 10 bulletins, six patched some part of Windows, while three patched an Office application or component, and one fixed a flaw in IE. The total bug count was the most patched by Microsoft in a single month since the company began regularly scheduled updates in 2003. The previous record of 26 vulnerabilities patched occurred in both August 2008 and August 2006. 'This is a very broad bunch,' said Wolfgang Kandek, CTO at Qualys, 'compared to last month, which was really all about PowerPoint. You've got to work everywhere, servers and workstations, and even Macs if you have them. It's not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow.'"
Re:Scary Good or Scary Bad? (Score:3, Interesting)
That number of bugs rather scares me. I depend on Windows for playing WoW at home and writing documents at work. Will this kill it?
There is no need for that. I run WoW in Wine on FreeBSD, and it runs much faster and more smoothly there than it does natively in Windows.
Granted, customising FreeBSD is perhaps a little above the bullet-dodging capabilities of the average FOSS user, but Ubuntu [ubuntu.com] will still run WoW very agreeably. I'd recommend Kubuntu; I'm a KDE man in terms of the "big two" desktop environments, myself.
Re:Even Macs? (Score:1, Interesting)
Apple isn't much better. The official security fixes in Safari 4.0, released yesterday, are for a total of _47_ vulnerabilities. Microsoft has a long way to go.
It looks like almost half the vulnerabilities listed are only for the Windows version of Safari, which means it's probably a matter of Apple having to clean up after Microsoft's bad security practices. Trying to write secure software is a PITA when the OS is fighting you at every turn.
Re:Microsoft is too big to fail (Score:5, Interesting)
Acknowledged. I should clarify that I am thinking of a Warhol Worm that includes a rooted backdoor for a large-scale DDoS attack. We've already had plenty of problems with zombots around 10^4, but imagine the hassles of a 10^7 zombot... I don't think it would be possible to simply cut the infected machines off the net, but rather it would be necessary to partition the entire network and rebuild in pieces.
pan-MS patch (Score:2, Interesting)
Before you fanboys and trollboys come out of the woodwork, realize that this is across ALL the stuff - your precious Ubuntu or BSD would never have this many, simply because a distro is not also a browser, office suite, etc. It certainly isn't controlled and managed by the same group.
btw posting this from an Ubuntu machine, which just pulled down 10 updates.
Re:Apple Safari Jumbo Patch 50+ Vulnerabilities Fi (Score:3, Interesting)
And that makes you a troll - you're comparing updates that affect a single browser, compared to this story, of updates that affect an entire platform.
The only Apple bias here is coming from you.
Re:This is a good thing (Score:4, Interesting)
A proper patch would imho only be able to break existing functionality if:
Changing a documented API should happen only between OS version changes; the second is more likely. And considering the number of bugs and undocumented API calls included in Windows, that may well be a serious issue. Documenting the patch will never warn one of these issues: the undocumented API calls are, well, undocumented, so technically they do not exist, and it is impossible to know beforehand which bug workarounds there are in software, if any.
So assuming MS writes their patches properly, no documented functionality will change. It may change to what the documents say it does; it may internally change, giving the same end result. So no matter the documentation, testing would be the only way to make sure that your specific set of third-party or in-house software still works.
And I'm sure the above accounts for open source software as much as it does for closed source.
Re:That's a lot of patches (Score:3, Interesting)
I think what a lot of people don't like is that there's not a *free* patch management solution that is as effective as some of the paid ones (such as Patchlink). But that is a complaint based on price, not on availability. There are working solutions out there, it's just that many of the good ones often cost money. As an enterprise user I need the resources and continuity that a commercial product can contractually provide.
As for package management as it relates to Windows, that's different than patch management. The benefit that an OS like Ubuntu brings to the table is a dead-simple updating mechanism that can cover multiple products. It can be used to roll out patches, sure, and it is. But it is also used intensively for rolling out cursory product updates which have more to do with bug fixes than security flaws. Is that because Ubuntu or other Linux flavors are more secure? Probably - but a lot of that also comes down to market share more than programming quality.
One way or the other, the statement that patch management is a total nightmare isn't the case - it just depends on the approach and purchasing priorities that you set.
Disclosure: I don't work for nor have I ever worked for Lumension, and I haven't received anything (and won't) for posting this.
Re:That's a lot of patches (Score:3, Interesting)
I've thought for some time that Microsoft should have some type of open update scheme that other vendors could participate in. As you mention, so that Adobe could submit their updates to MS and you get all your updates through Windows Update. I realize that this is a serious issue and that MS would have to run it in a benevolent manner, and I think most people here would agree that MS is far from benevolent. (The Firefox plugin that was mentioned recently comes to mind.) But really, when you want to update your system you've got to run all these software updaters individually, and it's just incredibly time consuming, not to mention that some of them, like the Sun Java JRE, install their own resident update agent, adding yet another process to the system. (The InstallShield update manager is another; LiveUpdate from Symantec also.) All these resident update agents just bog the system down with additional unnecessary processes, so some type of central update agent could clean this up.
Also hardware updates as well, I usually check for hardware updates on my systems about every six months and it's a real nuisance. Before anyone says it, yes I've seen many instances of suggested hardware updates from MS that didn't work / caused anything from minor to major problems on the given system. MS would have to do a way, way better job with hardware updates than they do now.
I realize that there are several commercial services that do just this but I'm stubborn and won't pay for something like this that I can do myself. Also I have four computers and these services would not allow me to update all four systems for a single fee and I'm not paying for this service times four.
Re:This is a good thing (Score:3, Interesting)
I've seen patches - especially security patches - that break functionality in the past. Ones from MS that come to mind include breaking the ability to open older versions of Office documents and transmitting certain file extensions in Outlook. Both of those were in an Office Service pack. I have a vague recollection of other problems caused by patches but I don't have solid links. Google the phrase "windows update breaks" without the quotes.
Re:The positive side of the Borg icon (Score:4, Interesting)
Squashing 31 vulnerabilities in a single patch, is, in a word, efficient.
Well, that's one way to positively spin "sat on patches until there were enough to bother with".
Re:5 critical updates for me (Score:3, Interesting)
I've just checked out my Vista machine at work and it lists 16 updates, none of which is critical. I've got Vista SP2, IE8, Office 2007 SP2. I suspect that if you use the up-to-date versions of MS software then you will get far fewer critical updates.
I know that it's not fashionable to give MS any credit but my experience tells me that the quality and security of MS software are much improved from the bad old days. I think any reasonable scientific measure of critical vulnerabilities would regard Windows Vista desktops as being more secure than OS X and Linux desktops.
Re:Microsoft is too big to fail (Score:3, Interesting)
The geek has been piping this tune since the launch of the IBM PC - and we're all still here.
Even if each failure is 99% safe, sooner or later we're going to have a major Warhol Worm that brings the entire Internet to its knees--along with large portions of the world's economy. Actually, I'd wager that the NSA already has the capability, and probably several other state actors, too.
If you want to bring the Internet down - and keep it down - what you really need is a dragline to snag the right cables.
The geek's magical - whimsical - Warhol Worm is little more than a distraction.
You can do far more damage by simply mismanaging the traffic that flows through Google.
The Windows client OS or app spends most of its time off-line or within the relatively safe confines of a corporate Intranet or a local ISP.
It should not be impossible to isolate the problem.
I'd take a small side bet that the clueless user on Automatic Updates will be adequately protected by the patch that has been sitting on the geek's PC for the last four months. The dinosaurs seemed incredibly successful, too, but too many of them were too similar--and look what happened. In diversity there is strength.
I'd say a 185 million year run is incredibly successful.
The dinosaurs were taken out by an event that erased more than 70 percent of Earth's living species.
"Dinosaur-Killer" Asteroid Crater Imaged for First Time [nationalgeographic.com]
Plants. Animals. Proto-life forms.
When you get down to the basics we are not so very different after all.
That is the real lesson here.
Tech is the geek's Maginot Line.
It never reaches as far as it needs to. Impressive when seen head-on. Not so much from the backside.
So strike from the rear. You strike at weaknesses in the user. In the administrator. The developer. The man behind the curtain.
Point of clarification: I'm not arguing against standards--but they need to be open and agreed upon, not imposed by and for the sake of monopoly.
Of course you are arguing against standards.
It is rare when standards do more than codify practice. Standards create a monoculture of their own.
Standards emerge from committees who are ridden by internal political, ideological and economic rivalries and whose progress is glacially slow.
The entrepreneur takes the losses he must, but his real interest is in staking out new ground - and he moves very quickly.