Microsoft Scrambles to Fix Flaw

Turgon

http://uk.news.yahoo.com/5/20081217/twl-microsoft-scrambles-to-fix-flaw-3fd0ae9.html

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

photex

Well they did it again

blargoe

Our MS account manager sent us an alert about this, It's supposed to be available this morning (Pacific time).

Bokeh

Two people came running into my office all in a tizzy over it. I had sent out emails the other day about it and also one yesterday afternoon on the upcoming patch. Come on folks, gotta read those emails every day.

JDMurray

77 total patches for 2008. That's nothing to be ashamed about. Windows is a vast, complicated, and complex beast that retains compatibility with over 20 years-worth of legacy applications. It shouldn't take being a software engineer to understand how difficult it is to anticipate and discover every problem in such a codebase.

Claymoore

I checked my WSUS synchronizations last night and this morning, but the update wasn't available yet. I just ran a manual update at 1PM EST and it's there. Those of you using WSUS with automatic approval of security updates should get this during your next synchronization/installation cycle.

Slowhand

JDMurray wrote:

77 total patches for 2008. That's nothing to be ashamed about. Windows is a vast, complicated, and complex beast that retains compatibility with over 20 years-worth of legacy applications. It shouldn't take being a software engineer to understand how difficult it is to anticipate and discover every problem in such a codebase.

What, you couldn't hack out all the fixes in a weekend?

I agree with you 100% on this one. Any operating system, especially one with a history as long as Windows, is bound to have countless little bugs, ways of being compromised, etc. Every system has ways that it can be breached, intentional or not. The trick is, it's the most popular systems that get noticed. Just imagine how many vurnerabilities would magically be discovered next week if Apple or one of the Linux distros suddenly got 50%+ market-share tomorrow.

Devin McCloud

This is why I use firefox... ! :P

royal

Devin McCloud wrote:

This is why I use firefox... ! :P

Firefox has had a lot of security fixes. But good try.

Mishra

US Cert pushing this hard.

msright1981

Slowhand wrote:

JDMurray wrote:

77 total patches for 2008. That's nothing to be ashamed about. Windows is a vast, complicated, and complex beast that retains compatibility with over 20 years-worth of legacy applications. It shouldn't take being a software engineer to understand how difficult it is to anticipate and discover every problem in such a codebase.

What, you couldn't hack out all the fixes in a weekend?

I agree with you 100% on this one. Any operating system, especially one with a history as long as Windows, is bound to have countless little bugs, ways of being compromised, etc. Every system has ways that it can be breached, intentional or not. The trick is, it's the most popular systems that get noticed. Just imagine how many vurnerabilities would magically be discovered next week if Apple or one of the Linux distros suddenly got 50%+ market-share tomorrow.

I have to definitely disagree on this. Apache is the most wide spread webserver on the earth, but still does not come near IIS in flows & threads.

JDMurray

royal wrote:

Devin McCloud wrote:

This is why I use firefox... ! :P

Firefox has had a lot of security fixes. But good try.

And don't forget about all those buggy FireFox Add-ons that Mozilla doesn't pre-check for vulnerabilities.

Ahriakin

"That's why I use an Etcha-Skech!"
(You can quote me when this is popular again)

royal

This is why I still use dictionaries and spend every day in the library reading instead of using this thing called the internet.

Slowhand

msright1981 wrote:

Slowhand wrote:

JDMurray wrote:

77 total patches for 2008. That's nothing to be ashamed about. Windows is a vast, complicated, and complex beast that retains compatibility with over 20 years-worth of legacy applications. It shouldn't take being a software engineer to understand how difficult it is to anticipate and discover every problem in such a codebase.

What, you couldn't hack out all the fixes in a weekend?

I agree with you 100% on this one. Any operating system, especially one with a history as long as Windows, is bound to have countless little bugs, ways of being compromised, etc. Every system has ways that it can be breached, intentional or not. The trick is, it's the most popular systems that get noticed. Just imagine how many vurnerabilities would magically be discovered next week if Apple or one of the Linux distros suddenly got 50%+ market-share tomorrow.

I have to definitely disagree on this. Apache is the most wide spread webserver on the earth, but still does not come near IIS in flows & threads.

Well, let's not forget Apache's rough ride to the top. There's a reason it was called "a patchy" web server before the name Apache was officially adopted.

Devin McCloud

I use firefox with noscript. Please, go look at the security patches this year for IE!

HeroPsycho

Devin McCloud wrote:

I use firefox with noscript. Please, go look at the security patches this year for IE!

Just because Firefox addresses multiple flaws per patch virtually all the time, it doesn't make it more secure.

I like and use Firefox, but let's be fair.

snadam

Devin McCloud wrote:

I use firefox with noscript. Please, go look at the security patches this year for IE!

I'm sorry, but when is it a bad thing that a company releases security patches? Doesn't that mean they are doing their jobs and trying to keep ahead of the curve? Not to mention that other companies release similar critical updates; and yet their products don't get revered as 'crap'. It seems as though the disgruntled end-user is more critical of a patch release than the actual patch itself sometimes...

jamesp1983

Claymoore wrote:

I checked my WSUS synchronizations last night and this morning, but the update wasn't available yet. I just ran a manual update at 1PM EST and it's there. Those of you using WSUS with automatic approval of security updates should get this during your next synchronization/installation cycle.

Ya I had to do a manual synch as well.

dynamik

Devin McCloud wrote:

I use firefox with noscript. Please, go look at the security patches this year for IE!

You can lock down IE much tighter than FF. Most people don't have a clue how to do it though. (I'm saying this as someone who primarily uses FF)

HeroPsycho

You set Internet zone security to High, and run it on Vista.

Devin McCloud

Wow... what a bunch of IE fanboys....in one of those articles the guy announcing the story actually recommended using something other then IE. Everyone here must work for Microsoft.

I'm sorry, but when is it a bad thing that a company releases security patches?

When it takes months for a billion dollar company to patch holes that ever Chinese hacker and **** site are already exploiting!

[/quote]

Kasor

Now, you know why many companies still using Novell OSE....

Ahriakin

Devin McCloud wrote:

Wow... what a bunch of IE fanboys....in one of those articles the guy announcing the story actually recommended using something other then IE. Everyone here must work for Microsoft.

Or simply that many internal corporate applications use ActiveX controls and require IE, also policies may exist that preclude quickly changing core software like the Browser of choice. There's a big difference between response for personal systems, and response companywide. Do not assume everyone else is lazy, or a fanboy, because they have to deal with a bigger picture.

Daniel333

Interesting about the patch, no biggie though. General web rules continue to apply.

As for using a 3rd party browser, you really need to look at application life cycle management. If you have never had to do a life cycle report or negociate a long term contract you really should read up on these.

I currently support about 40 companies in the SMB range running 2000-Vista(32/64) with nearly 30% of them being a mobile workforce along with nearly half of them dealing with legecy software that requires various versions of IE from 5.5 to 7 and any number of special settings.

The reality is in most of the world their is an application life cycle that needs to be addressed, patching Internet Explorer with Firefox is not the answer when companies have multimillion dollar investments in legacy code.

win2k8

My combat arms account got hijacked first day i created it, although i heard bad reviews about the game about it being easily hacked and what not...

win2k8

Devin McCloud

I was merely kidding...I know business's are bound by IE. I have a friend who works at one of the big Airline companies and she cannot access any internal secure sites , with anything but IE. I use Firefox for personal use. I just think that Microsoft's priorities are screwed up when security holes are not patched for months and months. Microsoft's response time is ridiculous!

Daniel333

Microsoft does better than most software vendors I work with.

Worst reponse time I have seen in a while was Apple's DNS patch. *shudder* Still not sure if they ever patched X.2-3.

Webmaster

http://support.apple.com/kb/HT3298
Notice how all 11 fixes apply to Windows XP/Vista and only 4 also to Mac OS X. Even at Apple they can't write secure code for Windows

JDMurray wrote:

Windows is a vast, complicated, and complex beast that retains compatibility with over 20 years-worth of legacy applications. It shouldn't take being a software engineer to understand how difficult it is to anticipate and discover every problem in such a codebase.

Which shows perhaps it's better to let the Windows era end and everyone should change to Mac OS X with its less complex, less compatible, and minimalistic design, so developers can focus on userfriendliness and security rather than compatibility and bells-and-whistles

I admit, my new Mac and my iPhone infected me, I'm biased. I entirely agree with Slowhands first reply. Then again security through obscurity can still be an effective additional layer of security as long as you don't depend on it, i.o.w. using software that is less likely to be a target is a nice side-effect.

Earlier this month Apple released an update of 190 MB updating Mac OS X to 10.5.6, including almost 15 security fixes and over 20 software updates/fixes/improvements. Most users don't see the list/specification and just notice a single patch. It sure doesn't feel like I'm getting less updates for the Mac than Windows. I'd be more worried if I didn't get a whole bunch of updates frequently.

JDMurray

I don't care so much for the number of updates as I do their criticality. Distributing a dozen fixes as either a single patch or a dozen patches is done simply for book keeping convenience by the vendor. How severe the problem is that is fixed is far more important. I also discern between operating system fixes and application fixes--which is hard to do when both types of software are maintained by Microsoft.

Webmaster wrote:

and everyone should change to Mac OS X with its less complex, less compatible, and minimalistic design

I can't wait until you put the high-level applications programming aside and delve into the world of BSD UNIX programming. Then we'll see if you still think that OS X is less complex and with a minimalistic design.

HeroPsycho

Webmaster wrote:

Notice how all 11 fixes apply to Windows XP/Vista and only 4 also to Mac OS X. Even at Apple they can't write secure code for Windows

OR...

Apple is filled with human beings as programmers who also make mistakes, especially when they code for an OS they don't know as well as their own.