Speaking of Microsoft shipping bad code, how about an absolutely humongous ‘patch Tuesday’?
Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three “zero-day” weaknesses that are already under active attack. Redmond’s inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017.
↫ Brian Krebs
Happy new year, Windows users.
Thom conveniently ignored other massive sources of vulnerabilities, such as a tiny Rsync utility, https://kb.cert.org/vuls/id/952657
It’s always “evil” “incompetent” Microsoft. Never mind multiple critical vulnerabilities in the Linux kernel every year, and pretty much in all open source software.
On the other hand, Thom might have noticed that Microsoft has started using AI to search for vulnerabilities, so they discover and fix more. Basically a win-win for their customers.
The myth of a thousand eyes has been debunked so many times that it’s not even funny anymore.
Artem S. Tashkinov,
I think you’re trying to troll us but most of us understand that there can be vulnerabilities in any software irrespective of software license. Anyone who’s worked on proprietary software will attest that the quality of code is not better on the proprietary side of the fence. There’s rushing and cost cutting everywhere. That’s the software industry for you.
I favor FOSS because it grants us more freedoms and yes it’s harder to hide nefarious activities.
Thank god we have you to defend the poor multitrillion dollar company from lone bloggers like me.
Crisis averted.
Thom, I’ve always thought that you strive to be unbiased, almost a journalist, and covering this story the way you did doesn’t do it justice. There is no complex software without bugs and vulnerabilities, and to say that Microsoft products are a sieve is kind of unfair.
You don’t have to be a “defender” of a multitrillion-dollar company to point out obvious bias.
If you want my opinion, Microsoft learned their hard lessons from the Summer of Worms and forces OEMs to accept security updates for Windows whether those OEMs want it or not. Meanwhile, the Linux kernel in all those Android smartphones and Internet of Shit devices… jeez, some of those devices are even shipping with months-old vulnerabilities from the factory, and most are patched never. The Linux Foundation could add something to the Linux kernel that auto-updates the kernel, but this would annoy several “partners”, so they are taking their chances with security like Microsoft did in the late 90s and early 2000s. And then there is the userland (either we are talking about Android or Desktop Linux), forked a million times by OEMs and also patched never. But since the blame for that can be conveniently assigned to a million places, let’s focus on the Linux kernel.
kurkosdr,
Focusing on the linux kernel wouldn’t solve the majority of issues because the majority of issues aren’t with the kernel.
Even if the linux foundation has a back door, which, let’s face it, is what you’re asking for here, what are they supposed to do with it? The linux foundation can’t just update the kernel absent vendor patches and drivers. Vendors have to compile their own kernels. We can have a whole debate over the merits of stable kernel ABIs (my opinion here is clear, the lack of ABI has been bad for users), but for better or worse device owners are dependent on vendors for updates. And it’s not like the linux foundation can easily add new restrictions on the kernel to stop vendors from creating their forks… this is allowed by the GPL and linux can’t change it. Maybe they could do something on trademark grounds, but the vast majority of phones/IoT devices/etc don’t specifically advertise that they run “linux” and therefore even trademark licensing agreements are non-starters for this market.
Ultimately the lack of device support is obviously real, but it genuinely is the manufacturers’ fault. The Linux kernel is supported by linux devs but they can’t force manufacturers’ forks of the kernel (and more importantly proprietary userspace software) to be supported.
What you are describing is the architectural and licensing choices that make Linux a security nightmare. Instead, a pro-user effect of the MS-EULA is that it forces OEMs to accept security patches whether they want it or not, and they can’t fork their way out of it.
In plain English, Microsoft Windows is not the biggest security issue of IT like it was 20 years ago, all those various unpatched Linux devices are. This makes Thom appear extremely biased when he goes “hurr durr,,,, Happy new year, Windows users”. Or completely clueless, I am not sure.
Anyway, one thing that the Linux Foundation people could do is build an auto-updater in the Linux kernel and safeguard the “Linux” trademark from forks, much like Mozilla safeguards the “Firefox” trademark from forks. And no, an auto-updater is not a backdoor, modern update mechanisms rely on certificates to verify the update. Also, Google could safeguard the “Android” trademark from forks, or at least prevent unpatched devices from accessing the Play Store. That is, if either the Linux foundation or Google frickin’ cared about security. Which they don’t. When they eventually get their own version of Summer of Worms, they will start caring. Remember when Microsoft asked users if they want to enable Windows Update or not during OOBE back in Windows XP days? They’ve learned their lesson after the Summer of Worms.
kurkosdr,
The license was set in the 90s and I don’t think they can change it.
These devices happen to run linux, but I think it’s wrong to say linux is the reason they are unsafe or unpatched. After all the linux kernel IS relatively safe and well supported. Many linux distros are very well maintained including those that compete against windows on desktop PCs. Not only are they well maintained, but sometimes I even find linux support on desktop to be superior to windows.
As much as it sucks that there are many manufacturers who fail to provide long term support, I don’t think pointing the finger at linux can possibly do any good because linux isn’t the bottleneck here.
We can agree that manufacturers aren’t doing their job, but how exactly do you propose linux kernel devs should fix this, especially given that the vast majority of exploits don’t attack the kernel head on but come in through unpatched user-space applications like web servers, streaming codecs, php, mysql, openssl, xz, etc.? These all need to be updated. The scope of this is clearly larger than the linux kernel. Here’s an idea that I could get behind: device manufacturers get out of the operating system game altogether. This would fix most of the support issues. Have them use an existing well supported distro instead of failing customers with their own.
@birdie – >”It’s always “evil” “incompetent” Microsoft. Never mind multiple critical vulnerabilities in the Linux kernel every year, and pretty much in all open source software.”
Oh yes, that’s why the world is overwhelmed by ransomware that routinely compromises GNU/Linux desktop boxes.
Oh wait, no – those are pretty much all compromised Windows boxes. Troll harder birdie.
There will be no numbers, right?
Yeah, let’s claim something outrageous and make it look like you’ve invalidated the opponent’s point. You didn’t, you just failed hard.
And don’t get me started on hundreds of thousands of compromised Linux based IoT devices because NO ONE supports them.
Don’t get me started on tens of thousands of compromised Linux servers because NPM, Ruby and such repos are FULL of malware.
God, you’re so pathetic.
Microsoft FIXES stuff and supports it for sometimes up to 13 years (Windows XP).
Linux “solutions”? More like “SUPPORT YOURSELF” solutions.
The Linux cult strikes again. With its utmost illiteracy, bias and bigotry. You could really stick to Phoronix and r/Linux where like-minded bigots will appreciate your “input”.
Artem S. Tashkinov,
Your anger seems to be misdirected pointing your finger at linux as a scapegoat even though linux developers are not responsible for what manufacturers do with linux. The vast majority of IoT devices are running proprietary software, not FOSS software, and it’s this software that is most likely exploitable and not the linux kernel itself. Look, it’s totally fair to blame linux for actual linux vulnerabilities. But when you are bent on blaming linux for things that linux can’t be responsible for, that just highlights your own biases.
It’s clear that linux is a lot more popular than windows with manufacturers, but do you have any evidence that their products would be more robust if they used windows instead? I hope you can provide at least some evidence, let’s see.
>”God, you’re so pathetic.”
Self-righteous indignation in defense of mega-corp reputations really fits you birdie. Perfection.