Microsoft plans to release patches for five Windows flaws next week, it announced today.
Microsoft to patch New Windows flaws
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
Why do these guys do these PR instead of quitely releasing patches within a day or two. thats what other operating systems do.
its a pathetic state of affairs
I’m also sick and tired of hearing all these pathetic anouncements even though I’m still on Winbloze (not for long though)…
… are hoping people will think they are increasing the security.
But the fact is…
… that security was shamefull from the start. Being the number one operating system in the world gives you 95% percent of the sales of OS but you also have to expect to be number one under attacks. What do they do with their money? Public relations. Is anyone at MS actually paid to find flaws BEFORE they get exploited on the net?
With the money they have they could write a second or a third OS in parallallel just for fun and beat the hell out of OSX and Linux. But hey, why would they do that… they’re leaders forever ain’t they?
“I’m also sick and tired of hearing all these pathetic anouncements even though I’m still on Winbloze (not for long though)…
”
Here here. As a network administrator as well as desktop administrator, I’m tired of applying every patch out there for this and that. I’m fed up with it and I don’t see Longhorn correcting it.
Thank goodness we’re going to Linux in 2007. Most of our servers are already there. Desktops probably in late 2007.
but with linux you still need to do regular patching. it isn’t a magic OS that’s immune to vulnerabilities. of course linux/open source overall is still doing a better job than MS when it comes to security and quickly addressing it.
All operating systems have patches, I don’t care
what you are running.
Another quote I am going to prove wrong today:
~~~~Netcraft.com has the stats on the longest uptimes
and they are all BSD or FreeBSD well I got some news.
The site listed at the top is:
**** http://wwwdir1.telia.com/ ****
When I went to visit the site it stated this:
***This page is not in use. (For the moment)***
It does not take rocket science to figure out
this is a scam, long uptimes on a bogus webserver.
Anyone can have a webserver running hosting a
static webpage and keep it up for months. Give me
a break, if those were ‘REAL’ websites listed on
the netcraft uptime stats page, but it is a bunch
of BOGUS websites with names like http://www.lan.ne.jp
give it up.
In the meantime, Patching is a way of life in Tech,
until software can manage itself. Hence, no humans
inputing data to make mistakes.
Omg they did something normal and expected from a major Operating System. Come on everybody get up, GET UP!!!!! GIVE THE DEVELOPERS A ROUND OF APPLAUSE!!! WhAAAAAAAAAA!!!!!
You did not read what I wrote did you, I stated
that everyone complains about Windows patches.
But, they also state that Unix BSD/Free BSD never
needs to be rebooted because of the netcraft uptime
survey.
****** The sites listed on the uptime survey on
netcraft.com are mostly BOGUS! Just like the one
that is the #1 on the list. If you don’t believe
visit the site and see for yourself. The site is
a scam, long uptimes on a webserver not hosting
a page, hard to beat uptime on something NOT even
used.
So ALL operating systems get patchess, if they don’t
then the admin needs to be fired.
This isn’t PR, it’s MS giving customers advance notice that security patches are on the way so they can plan for them. People running more than a dinky little home network appreciate that.
Important security patches are news for any operating system. If you don’t like operating system news, I’d suggest you’re visiting the wrong website. Spend your time elsewhere, instead of polluting the comments here.
Unfortunately, if you agree with my subject I don’t need to explain why.
If you don’t, and think I’m being silly, you probably can’t be convinced.
For everyone else…keeping it simple;
* All software has defects.
* Some defects impact security.
* All software has intentional settings that are default.
* Not all default settings are secure.
* Security defects are usually harmless by themselves; just having a defect doesn’t mean that it necessarily can be exploited.
* Multiple security defects tend to increase the number of paths through a system (‘attack vectors’).
* The more complex a system, the more likely it will have defects of every kind — security included.
* We tend to use more and more complex systems because we can and there are demands that we do.^^
* Complexity is typically automated or hidden to prevent users from being burdened with it — masking some defects.
* Making simple changes to a complex system can lead to security defects (old and new) that either become more or less serious.
So, to reduce security concerns, first reduce complexity. For example, if you reduce complexity by turning off or removing services you have removed multiple paths that can be abused — patch or no patch.
Doing anything that reduces the potential paths through the system helps. For example; isolate parts of the network itself at the router. Once again; if the defective part isn’t running…it’s not a problem.
^^. That said, this does not necessarily mean that the number of security holes is always due to increase…though without care there will likely be more and more holes. The types of attack vectors will tend to be either highly sophisticated (and silent) or involve low-tech social engineering (either through direct contact or working with human nature).
“For example; isolate parts of the network itself at the router”
You’re whole post stinks of academic assertions without practical foundation – this part in particular.
What about the laptop that moves between “isolated parts of the network” let alone completely foreign networks? Patches *are* security in this (very common) scenario. Not total security, but a very substantial part of it.
As we are debating about patches and not network infrastructures,i think you made a good point.What isn’t there doesn’t have to be patched.Important is also to consider if everything what you install is needed and if it’s remotely accessible,is there a extreme vulnerability history,what deamons might listen,are there better alternatives,what’s the community of that particular app like,etc.
“Patches aren’t security”,that’s true, its just a piece of the security pie but one that can’t be neglected.
Matt (IP: —.vic.bigpond.net.au):Patches *are* security in this (very common) scenario. Not total security, but a very substantial part of it.
Just what Anonymous (IP: —.nrockv01.md.comcast.net) said,with other words.The title maybe suggested something else.
“Just what Anonymous (IP: —.nrockv01.md.comcast.net) said,with other words.The title maybe suggested something else.”
But —.nvrock suggested I was silly to disagree with his subject line, and I very much do as per the bit of my comment you quoted. Indeed, for most home users patches are the best security. And for most corporate users it’s preferable to reducing “complexity” (a point —.nvrock… seemed to labour.) In the sense he seemed to argue, “complexity” seems to be a synonym for features – ie a product provides more than basic functionality for the sake of making a user/admin’s life easier. Most sane people prefer that to piping arcane command through arcane command through …
It’s a funny thing how Microsoft lays all the blame on the user. They state that it’s a weak password issue. But there have been several major buffer overflow flaws within the Microsoft OS. Most notably the RPC issue. So I believe Microsoft’s entire approach to killing the cometition is coming back to bite them. From Windows 98 on, the incorporation of Internet Explorer into the kernel has turned up more flaws, vulerabilities, and holes than any existing OS PERIOD. In fact, they made it easier for people to write malicious code because M$ created that single point of remote exploitation. Now Most if not all of Microsoft’s products, From Their Office Suite on down, There are a lot of Hooks into IE, SO that makes even those Applications Very Vulnerable. So are Weak Passwords the issue? Yes, But only a small PART of the issue.
“From Windows 98 on, the incorporation of Internet Explorer into the kernel has turned up more flaws, vulerabilities, and holes than any existing OS PERIOD.”
Never mind that IE isn’t incorporated into the kernel. Never mind that MS has released 404 security bulletins since 1998 compared to Redhat’s 642 since 1999.
Never mind that all OS vendors recommend strong passwords.
It all gets in the way of a good fairy tale about your beloved open source being more secure than windows.
“Never mind that IE isn’t incorporated into the kernel. Never mind that MS has released 404 security bulletins since 1998 compared to Redhat’s 642 since 1999”
compare properly. comparing a OS and a distribution with 4000 packages isnt a sane thing to do. when did MS ships with office suites and whole lot of database services and stuff. the number of bulletins isnt important. the *critical* nature of the bulletins are.
learn security and compare fairly
but with linux you still need to do regular patching. it isn’t a magic OS that’s immune to vulnerabilities. of course linux/open source overall is still doing a better job than MS when it comes to security and quickly addressing it.
True and false. You can make Linux more immune to vulnerabilities than windows by turning on SELinux. That way you can sandbox applications that may pose dangers to your system in case they get compromized. Another way to sandbox things is to use choroot. E.g you could run services like e.g. webserver and database servers in a chroot environment.
Running various methods of sanboxing is of course not an excuse not to patch, but the risk that something bad happens before you have time to patch is reduced. One other advantage of Linux is that patches seldom requires reboots. This means less planning to avoid production disturbances by the sysadmin. Patches are also generally smaller, and patch one thing at a time. This means that problems that might occur after a patch is easier to track down (not that problems are common though).
But the main thing that makes Linux easier to handle than windows to a sysadmin is that everything is so easy to script. One example: I have scripts that run after each automatic update of the system that checks that mail, web, file, ldap and database servers run OK. If not they send me an SMS. But only your imagination will limit how scripts can make your life as a sysadmin easier.
Another thing that is a plus is that so far there is next to none viruses for Linux. This saves a lot of time.
Switching your users desktops to Linux is probably what will save you the most time. Linux makes it simple to lock down their desktop so that they only have the tools needed for their work and nothing else. This gives them a more simple desktop to handle. This means lower education costs in the long run and most importantly, you get fewer support questions. It is also good for business. Your users will not spend time swapping screen savers, games or other things that when installed may interfear with bussiness operations. The desktops can be netbooted or run as X terminals giving you a much easier time.
Yes. I’m sure MS would have many fewer security holes if they didn’t count the DHCP, Web, FTP, SMB, Mac and DNS servers they include on the same CD as the OS, as Linux fans do for their favourite distros. I’m sure they’d have even fewer if they stopped counting holes in their bundled word processors, text editors, calculators, games, web browsers, email clients and graphics and scanner utilities, as you argue Linux distros should be able to.
MS include one browser, and cop the shit for the security holes in it. Linux distros include half a dozen and claim it’s not the distro’s problem when there’s a security hole.
Great. That’s the way to win over consumers!
“For example; isolate parts of the network itself at the router”
You’re whole post stinks of academic assertions without practical foundation – this part in particular.
What about the laptop that moves between “isolated parts of the network” let alone completely foreign networks? Patches *are* security in this (very common) scenario. Not total security, but a very substantial part of it.
Laptop? Where did I mention laptops?
(Network admin for 15+ years btw…on everything except mainframes.)
“(Network admin for 15+ years btw…on everything except mainframes.)”
and of course laptops that couldn’t be kept to “isolated parts of the network”
Of course you could substitute dial in client, unmanaged computer or internet client for “laptop”. All prove the point that patches are a very valuable part of security, despite the title you chose
“complexity” seems to be a synonym for features
Another point I didn’t make. That’s why I attempted to keep it simple and why I had the little note marked with ^^ .
Systems _should_ be capable of being attacked for years without being compromised if configured properly to begin with. The reason is simple; you can’t find all the defects — security related or otherwise. That often means that by the time a patch is available, you’ve already had to deal with the problems that the patch will address. Act like you can’t patch a system and you will find ways to secure it.
That’s where I start. Any exceptions are carefully watched so that I know when things go wrong how it happened. It’s too much work to fix these things after the fact.
Attempting to get ahead of it all by adding in tools like virus and malware scanners or additional firewalls adds complexity … and doesn’t necessarily make the system any more secure.
These tools *are* handy…no doubt…I just don’t use them or system patches by themselves and think I’ve fixed all the issues out there. Too many admins see “patch” and think “cure” when it’s just not true.
The reason why this seems academic is that I’m not talking about one OS or network. I’m being as general as possible because this applies to them all.
MS include one browser, and cop the shit for the security holes in it. Linux distros include half a dozen and claim it’s not the distro’s problem when there’s a security hole.
Great. That’s the way to win over consumers!
Huh! What Linux distro doesn’t try to issue patches on all software included in the distro if needed. Just like Microsoft takes care of the security holes in whatever software you licence from them. Not much difference here.
“Of course you could substitute dial in client, unmanaged computer or internet client for “laptop”. All prove the point that patches are a very valuable part of security, despite the title you chose”
How much dammage can they do if you know what they are and properly harden and isolate your other systems while isolating them? I consider all systems to be potentially hostile and insecure…that’s why I don’t have problems with security on the networks I manage.
Patches are not security. The are a tool like a hammer.
As for you being silly, what I really said was this;
Unfortunately, if you agree with my subject I don’t need to explain why.
If you don’t, and think I’m being silly, you probably can’t be convinced.
Why were you offended by this?
I’m done…hope you got something from my replies.
MS really know how to make a rock solid OS don’t they?
Untie IE from the OS, that would be nice.
MS really know how to make a rock solid OS don’t they?
Untie IE from the OS, that would be nice.
That’s the last thing I see happening to IE. Mozilla/Firefox are catching on very quickly, so MS will probably integrate IE even further in Longhorn in order to try and get IE’s share back up. I wonder if they’re planning on putting more features into the OS that require IE….that would be a risky move considering they are a monopoly.
“I wonder if they’re planning on putting more features into the OS that require IE….that would be a risky move considering they are a monopoly.”
Or maybe they’ll take a chance, try and get some good PR and consider bundling Firefox with Windows instead of IE. Actually admit that the browser game is not their specialty.
. Linux distros include half a dozen and claim it’s not the distro’s problem when there’s a security hole.
Great. That’s the way to win over consumers!
—-
there is always a single default and besides I *challenge* you to find a single distributor who has a outstanding browser security flaw in their distribution and claimed that its not their liablity.
you are obviously misinformed or plainly trolling.
”
Or maybe they’ll take a chance, try and get some good PR and consider bundling Firefox with Windows instead of IE. Actually admit that the browser game is not their specialty.
”
MS will never ever do something like that even if its technically a sane thing to do. they could even write a proprietary browser based on firefox. the MPL license allows that. still the business reason is that standards oriented browsers would lead to no lock in unlike activeX on vbscript
You can make Linux more immune to vulnerabilities than windows by turning on SELinux.
SELinux is not recommended for desktops. It is a server toy (feature).
Another way to sandbox things is to use choroot.
Single user home desktop with email, Web browsing, document editing does not gain very much from chroot.
E.g you could run services like e.g. webserver and database servers in a chroot environment.
Sure, but because server hardware is so damn cheap today you’ll be better off just running one criticall application per physical server.
One other advantage of Linux is that patches seldom requires reboots.
In 2004, Red Hat issued kernel patches almost once per month. Kernel patches require reboots. There had been other patches which could make everyone but Linus himself wonderihng if reboot is necessary- so better reboot than be sorry.
This means less planning to avoid production disturbances by the sysadmin.
Reboots are irrelevant for so-called production disturbances. You have patch, you test it, you schedule update, that takes most time. Reboot takes one-two minutes. If you need 24/7- you beter have redundant hardware.
Question: how many patches Red Hat released in September of 2004, for RHEL ES 3.0? Count them- each patch requires evaluation (do we need it or not?), planning, testing, deployment.
If admin patches servers with untested patch during business hours just because “a patch does not require reboot and can’t harm anything”- that admin is ready for re-education camp where he will be told to plan EVERY patch outside business hours.
But the main thing that makes Linux easier to handle than windows to a sysadmin is that everything is so easy to script.
One word: WSH.
Another thing that is a plus is that so far there is next to none viruses for Linux. This saves a lot of time.
True. That is called security through obscurity. Desktop Linux haven’t reached critical mass for worm and virus writers to notice it.
And no, reference to Apache won’t help you. Apache is managed by people who have at least some clue, desktop users are mostly clueless by definition. Desktop Linux haven’t reached critical mass- in the reference to this group of people.
Switching your users desktops to Linux is probably what will save you the most time.
For until Linux is popular enough and worm writers start targeting it. Then, you’ll start suggesting switching your users to something else.:)
Joke: how to separate junior sysadmins from senior ones? Junior syadmin promises that everything will work fine when people switch to environment junior sysadmin knows, senior sysadmin will properly configure any environment he was given to work with.
Linux makes it simple to lock down their desktop so that they only have the tools needed for their work and nothing else.
Group policies for Windows- you should research this subject. You’ll be amazed how well Windows desktop in a domain can be locked down.
Your users will not spend time swapping screen savers, games or other things that when installed may interfear with bussiness operations.
I repeat: group policies for Windows.
When you figure it out- then you are qualified to discuss Windows.
It does not take rocket science to figure out
this is a scam, long uptimes on a bogus webserver.
Anyone can have a webserver running hosting a
static webpage and keep it up for months. Give me
a break, if those were ‘REAL’ websites listed on
the netcraft uptime stats page, but it is a bunch
of BOGUS websites with names like http://www.lan.ne.jp
give it up.
What exactly was your point here? Was it that you think it’s odd that it’s all scarcely used sites on the list, or that you don’t think BSD is reliable? Or maybe your point was simply that you don’t understand the way that statistics are gathered, and what they are used for?
It doesn’t take a rocket scientist to see why those “BOGUS” sites are important, and why their uptime matters, even if they aren’t doing anything.
Now, it makes the most sense that these sites are up simply because they are unused, does it not?
However, the fact that one of the systems on their “Longest uptime” list claim to have an uptime of 1824 days (4.99 years) says something in and of itself, does it not? Outside of OpenVMS (where 5 years may not be uncommon) that kind of uptime is rare in any system, let alone one that hosts a web site, dead or not. This speaks fairly well of *BSD, if you ask me, since the longest Linux system uptime I’ve seen was around 500 days.
This is not a matter of “months”, it’s a matter of very nearly half a decade. There is a big difference there.
Also, If you check out Yahoo (also a FreeBSD site), it’s longest record on that little chart is very close to 300 days (looks like around 285 where the little check falls). If a system can stay up for a full year running a site like Yahoo (which is always updated and obviously has many computers running the site), then that says something about the system it’s running on, right? (note, this also came off the netcraft site, you just have to know how to use that little search box at the top)
The list still makes me laugh though. If you check out #5, it is just a site saying that they have moved the site someplace else, and gives the new link. This site is a BSD/OS site. The link sends you to the site http://7dream.com/, which runs on NT4/Windows 98… makes me chuckle to find things like that.
Too bad they can’t collect data on the uptime of Windows servers, because I’m mildly curious. It’s still an interesting source for known heavy traffic sites.
I guess maybe I just don’t understand what part of that list you thought was odd? The whole idea of uptime is bizarre anyway, since you take down an important system for things like patches, drive rotation, or redistributing files for better access/write time (tar, newfs, untar).