Comments on: Microsoft's urgent security update: What it means

Jon Oltsik recommends that network administrators treat Microsoft's newest patch with urgency, but says the out-of-cycle release bodes well for the company's security efforts.

[Mr. Dee]

I commended Microsoft for this over at NeoWin.com where I first saw this alert. I love how Microsoft focuses on putting users first and making us aware of serious problems before they escalate or get exploited before they do anything. The past outbreaks with Nimda, Welchia, Code Red really thought them a lesson in patch management. Kudos Microsoft!

[Josh Viney]

Kudos to Microsoft for releasing an emergency patch for a critical vulnerability to worms from 4 years ago in an operating system that is 8 years old all by themselves.

[Mr. Dee]

Interesting, this vulnerability also affects Windows 7 Pre-Beta.

I agree. I may not like the fact that Microsoft is such a huge and dominant company, simply because I think that solid competition is important , but I really like this kind of proactive response. I have to give Microsoft kudos too ;-)

[SecuriChrome]

Jon, how about a link or instructions telling us how to make sure our systems get updated?

[catch23]

Go to Windows Update. If you have automatic update turned on, it should download itself.

[mmagliaro]

It is not that I think Microsoft doesn't take security seriously. The problem is that they are incompetent.
It is very popular to point the finger and say that Windows is the dominant O/S, and is so popular, that it is naturally the biggest target, and is therefore the most vulnerable through no fault of their own.

Rubbish. They integrated a web browser with the O/S. They provide back-door communication between the Office suite, the browser, and the O/S. They (Microsoft) are so Hell-bent on integrating everything tightly into the O/S, that they have created an environment just begging to be exploited.

They brought this on themselves.

I commend them for trying, but I do not think Windows will ever be a very secure environment. No matter how hard MS tries.

[becoolgirl]

ditto

[Mr. Dee]

Here is a link with instructions:
http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx

[alegr]

Enlighten me, what you mean "integrated browser into OS". It may not mean what you think it means. What back-door communication are you aware of between Office, the browser and the OS? I'm very curious to hear that.

[joesmith984]

"Complex software will always contain vulnerabilities and bugs"

Excuses...excuses... Microsoft seems to have a knack for having more vulnerabilities and bugs than any other software company out there...

Seriously. Everyone knows that the old Windows framework was never designed with security and the Internet in mind.

[catch23]

Seriously, have looked at the Apple patch count this year? Have you looked at the patches needed for just QuickTime?

I hate to dispel you FUD and lies with some facts, but I have to.

[Penguinisto]

@catch23: Have you looked at the exploit count for Windows this year? Have you looked at the OS make-up of a typical botnet?

I hate to dispel your FUD and lies with some facts, but I have to.

[compudoc318]

Seriously. Everyone knows that the old Windows framework was never designed with security and the Internet in mind.............who knows this...oh, you do, whatever, watch osx or ubuntu get used as much and see how perfect it is.......wait, nvm its taken apple 20 years to get an 8% share, so thats not happening in our life times.

[jandler]

@Penguinisto
here are the vulnerabilities listed for apple products http://support.apple.com/kb/HT1222?viewlocale=en_US
here are those for ubuntu http://www.ubuntu.com/usn (note that for ubuntu they listed everything going back to 2004, so only those that starts with CVE-2008 are from this here)

The point is, neither of these are small numbers.

[Penguinisto]

@jandler: how many of them are exploited? There's a huge difference between obscure vulnerabilities and active exploits.

[Vegaman_Dan]

Penguinisto wrote:

"@catch23: Have you looked at the exploit count for Windows this year? Have you looked at the OS make-up of a typical botnet?"

"I hate to dispel your FUD and lies with some facts, but I have to. "

Amazing. Just absolutely amazing. You counter facts with... FUD. I am really surprised that you would dismiss the security concerns of Apple's own products so out of hand as you have. Even Apple considers the security risks serious enough to issue patches and here you are dmissing them as FUD. Tell me exactly what patches and products by Apple you consider to be FUD?

No, I think security is important regardless of what platform you are using. Comments like yours only help to intentionally spread misinformaiton. I do wonder what financial gain you have invested in these activities of yours. I really do.

[Vegaman_Dan]

Penguinisto wrote:

"@catch23: Have you looked at the exploit count for Windows this year? Have you looked at the OS make-up of a typical botnet?"

"I hate to dispel your FUD and lies with some facts, but I have to. "

"@jandler: how many of them are exploited? There's a huge difference between obscure vulnerabilities and active exploits."

Good point you brought up. Please point to all the security risks in Windows that have been exploited. Be sure to be complete- your answer *will* be checked and verified for accuracy. I'm not surprised that you would answer this way though- you've already made sure in your own comments that you consider any and all security risks in Apple's OS to be 'FUD'.

Seriously, take a look in the mirror sometime. You'll find the biggest FUD producer here will be looking back at you.

[Penguinisto]

Heya Dan - maybe you should ease up on the anger issues... you're double-posting now. ;)

[Penguinisto]

Oh, and about: "Please point to all the security risks in Windows that have been exploited. Be sure to be complete- your answer *will* be checked and verified for accuracy."

http://www.securityfocus.com/vulernabilities - each vuln that can be exploited has one attached to the issue.

Start checking... ;)

[DrtyDogg]

@Penguinisto, document not found Hmmmmmmmm.

[soveraign]

Let them build a track record of such behavior and I will commend them.

[CrashPad63]

@joesmith and mmagliaro No platform is secure. Not one! So get of your high horse and stop degrading a really excellent catch and patch for MS.

[dfrossar]

Crash--

You are correct: No platform is entirely secure.

However, this does not mean that all platforms are equally insecure, as your argument implies.

Unix-based systems took security seriously long before Windows even existed, and it shows.

Microsoft has made some progress toward better security, but they have some distance to go yet. I commend them on their (belated) efforts.

[Vegaman_Dan]

You're wrong. Penguinisto knows better than you. Look it up.

[Penguinisto]

It is true that no platform is "secure". OTOH, some are far less secure than others (e.g. Windows).

Here's a hint: Absolute statements do not apply to relativistic situations.

[MrHapyman]

I agree, KUDOS to Microsoft for putting customers ahead of all other considerations.
It is a shame how anti-Microsoft some "so called tech gurus and know-it-alls" have become. Unfortunately these people go around spreading their ignorance and biases to unsuspecting consumers.

Good job Microsoft!

[dratskiwatski]

2/3 of your comments seem intended to take the (well-deserved) heat off of M$. In bullet 1, you say M$ found the bug themselves. Whoop-do-do. Real, professional programmers test and debug their code all the time - it's nice M$ has finally started to get into 20th century code processes, even though the rest of us have moved on to the 21st century. Doing a bunch of hooping and hollering over the one rare exception is hardly enough for a vote of confidence from me.

In bullet 3, you try to drum up support for dying Vista, by saying the effects are "not as pronounced". Huh? How is THAT anymore worthwhile - or trustworthy - if the bugs still affect Vista too? Sounds like M$'s historical and notoriously bad designs are all vulnerable, just to different degrees. By analogy then, I presume you'd say it's OK to get Avian Flu, as long as it doesn't kill you?

Even bullet 2 is lame. So, they shared. So what? Who FORCED them to do that, the EU under penalty of sanctions for abusing customers and "partners" alike? Puleeze

More important, the fact that this "urgent update" is for a bug found on Vista, Windows 7 too according to one poster, as well as almost all older versions, says that M$ is just shuffling around old code like deck chairs on the Titanic. So much for all that "innovation", the "new approach" or "improved security", alleged "improvements", and so-called "value", eh? No thanks - I'll stick with more secure and better-designed systems like Linux or Mac for the bulk of my work, thank you very much.

[blahbot123]

How can you be so ignorant? Now your bullet one response is just stupid, how many programs out there are as big as windows? Mac OS isnt, no one program is as big as windows itself. It takes people thousands of work hours to write all the code working with thousands others, chances are, they probably make some type of error between everyone, so what? They still go out there and try to do everything they possibly can so ignorant people like you can be satisfied, not just the average user. As to your bullet three response, do you know how much more secure Vista is in comparison to XP? Stop whining and give the people who work their butt off so you can b$tch and moan while sitting behind your screen some credit. Most people use windows for a reason, its pretty damn good for everything.

[macandpcuser2008]

Good catch Microsoft and good reaction time. For all those complaining about Microsoft, get real and be original. You open up a brand new MAC and do you know what is the first thing you do? You download patches. Lots of them. There is so much talk of Microsoft not doing this not doing that, well what about MAC OS. It cant support half the things that windows does. Both OS are good in their own right and lets not continue lashing out on Microsoft just coz they were proactive in fixing things.

[sanjayb]

What the heck r u smoking?? I wasn't spending a lot of time getting patches when I bought my Mac Book Pro. Have u tried installing a new copy of Windows XP? The last time I did that I was downloading patches for the next 2 hours.

[Tishers]

I am not normally a fan of Microsoft and only use the application on one computer where I need to maintain compatibility with an MS only application, but I do need to recognize their quick response to this vulnerability.

The security patch was easy to install and did not zorch the system. I hope that their response to this problem is recognized as a "best practice" within Microsoft going forward.

[ChainedGhost]

By commending M$ for patching their OS you ensure they continue to produce bad software. Why should they produce good secure software when all of you apologists will commend them when they patch and forgive them when they don't? I've used Windows for almost 17 years now and it has always been bad. Always. The next version is always going to be faster, more secure, etc. And it always falls on it's face. XP with all of it's security problems is still the best version yet. Windows 7 will be another Redmond Steamer. Popularity isn't why it's the best - it's why it's the worst!

To the now upset apologists I am not a Mac user. My OS of choice is Ubuntu.

[andyscrewed]

This may be a coincidence. But two days ago I used an image search engine, got a firewall warning asking me if I want to let svchost.exe access to the net. I denied it...my computer rebooted and had a virus installed replaceing beep.exe, in multiple places in the registry and masquarading as svchost.exe. AVG had all sorts of problems and couldnt get rid of it. I had to manually kill it. It turned off my firewall too. Everything was up to date on my machine (except this latest patch).
So this is worse than people at the M company are letting on, everything up to date and you can have your computer completely hijacked by going by a web page.
Very bad

[gwhiz2K]

Were you using Internet Explorer?

[Penguinisto]

@ChainedGhost:

re: "By commending M$ for patching their OS you ensure they continue to produce bad software. Why should they produce good secure software when all of you apologists will commend them when they patch and forgive them when they don't?"

Funnier still - MSFT (among others) will often hide the existence/knowledge of flaws for months, and sometimes years, with no patch in sight (at least until an active exploit forces their attention to it). And yet we hear of all this praise being heaped upon them for "prompt" attention... Yeah, whatever. The only reason they lit a fire under their butts this go 'round was the fact that there were (and are) active exploits out there and operating.

[compudoc318]

and apple doesnt, you are such a fan boy pen.....every article about msft will have a comment from you slamming them, half the time with nothing to do with the article....keep up the good work, youre good for a laugh every day, now...one quick point, if osx is so great...why does it have boot camp.......lol.

[Penguinisto]

Nope - Apple does too - at least for their proprietary parts.

OTOH, they can't for the open-source parts (e.g. OSX' core); the source code is publicly available, and exploits/vuln reports are posted publicly as they arise.

So, you were saying?

[Vegaman_Dan]

Compudococ318:

Don't be offended that his answer had nothing to do with your comment- it's likely he was responding to something else. Either that, or it's another example of changing the subject when confronted with the truth. I'd rather give him the benefit of the doubt.

Penguinisto: Compudocc318 brought up a good point. Will you be addressing it?

As for your comments themselves- you're absolutely right. Apple has hidden the flaws of their OS for months/years. They most often release security patches to the OS as part an iTunes update. That's pretty sneaky, but allows them to never have to acknowledge the problem in the first place. Microsoft, Apple, RedHat- they are all guilty of this sort of patch by parallel process. I would expect you to tar the entire OS industry with the same brush you are so eager to paint Microsoft with.

Your bigotry is rather blatant. It's also old and tired. Try a new tactic.

[Penguinisto]

Hiya Dan! While his "point" was irrelevant, sure - I can address it easily: BootCamp and Parallels help ease Windows users into becoming Mac users.

Next.

[dratskiwatski]

In response to blahbot: there are few systems "as big as Windows" because serious designers learned long ago the importance of layered architectures and loosely coupled interactions through tightly defined and controlled interfaces - things which Windows doesn't have. Having been personally responsible for design, development, and management of several very large (> 1M SLOC) programs, as well as two complete and commercially deployed real-time operating systems in the past, I can assure you that I'm well aware of the design monstrosities that some people call "good".

Unlike you, I did not make my attack personal on the M$ programmers: they are working in a crippled environment, technical and business honesty, and are to be pitied. But when a magazine like CNet feels compelled to point out what should be a normal course of development and deployment as "news" and elevates it to the level of tail-kissing and extolling virtues where few exist, nobody benefits - not the developers, not the customers.

Curiously, in your vitriolic screed, you did nothing to refute my points that a) this is typical development work and no more; b) that the fault exists across multiple old and "new" product versions, i.e., it is due to the perpetuation of either bad code, and flawed architecture, or both; and c) that their history of "sharing" such information with other companies is dubious at best.

You are welcome to your opinion (as am I). Maybe someday you'll learn to express it in a balanced way. I also hope that someday you'll learn enough about system development to respond intelligently, or at least, to question the system(s) which you use and rely upon. But hey, it's your data and your life: if you don't care to learn, to protect yourself, or to be anything but a raving ranter, that's your choice.

[dratskiwatski]

And, in reply to my own post, in the meantime, I'll sit here, content in the knowledge that CToEP (Chair Throwing over Ethernet Protocol) has still not been perfected. ;-)

Thanks for the entertainment, "Steve".

[Penguinisto]

The MSFT cheerleading set isn't really all that good at refutation, at least not with facts. Usually ad-hominem is all they're good for.

[ChainedGhost]

OSX has bootcamp so Mac users can expand their software library. Not because Windows is a better environment to work in. Once major 3rd parties start developing for *Nix it's bye-bye Windows.

[Ilgaz]

Major 3rd parties run Windows under OS X without your knowledge. EA games for example, full of Cider junk.

[victor_sf]

Microsoft is the least evil company of the evil trio:

Apple, Google, and Microsoft

[ckurowic]

uhhh what does your ridiculous comment have to do with anything? get a life.

[Ilgaz]

I keep asking this question for years... Who does share their printers and files over Internet, using Microsoft technologies instead of standard IPP etc?
That is the question and there is no answer yet. I haven't seen a single configuration like that for years and MS keeps opening 139 to World access and tries to "defend" with firewall. It is like opening your door wide open and trusting to a guy with minimum wage to defend your house.
Trust me one day, same thing will happen to Apple. They also open AFP to planet while nobody uses AFP over net (not local LAN) to transfer files.