'Critical' Windows fix coming for PCs

As part of its monthly patching cycle, Microsoft plans to release on Tuesday one security bulletin for the Windows operating system.

The security bulletin is deemed "critical," Microsoft's highest risk rating, the company said in a notice posted on its Web site on Thursday. Last month's "Patch Tuesday" included nine bulletins covering 14 Windows flaws. Some of the patches have caused trouble for users since their Oct. 11 release.

Microsoft rates as critical any security threat that could allow a malicious Internet worm to spread without any action required on the part of the user.

Microsoft's notice did not specify which component of Windows is being repaired in Tuesday's bulletin or how many flaws the update will deal with. Security researchers have several unpatched flaws outstanding with Microsoft. For example, eEye Digital Security lists eight vulnerabilities on its Web site for which it considers fixes overdue.

In addition to the Windows security fixes, Microsoft also plans to issue at least two updates that it deems high priority, but that are not security-related, the company said.

Furthermore, as it does every month, a new version of the Windows Malicious Software Removal Tool will be released. The tool detects and removes malicious code placed on computers.

Microsoft gave no further information on Tuesday's bulletins, other than stating that the Windows update will require restarting the computer.

The Redmond, Wash., software giant provides information in advance of its monthly patch release day, which is every second Tuesday of the month, so people can prepare to install the patches.

Microsoft said it will host a Webcast about the new fixes on Wednesday at 11 a.m. PDT.

[Mister C]

I don't get it?

Can somebody tell me why software manufacturers are not held to the same product standards as other companies. If I had to take my new car in once a month for recall repairs, even non-safety related ones, it would be the biggest scandal since Monika's dress. Not to mention the lawsuits would be flying like bats in a cave. Somehow software is immune from such free market and legal pressure. What's up with that?

[smcgui5]

Keeping It Fair

You have to look at from a fair trade standpoint. If a software manufacturer made a operating system so perfect that no one in the entire world was able to crack it how would other software companies compete? If Ford made a car that lasted forever, never broke down, never wore out, never needed maintenance how would other car manufacturer's compete? It's all about making a good product, not a perfect one.

[bhodges00]

bad analogy

Windows don't produce virus by itself someone had to create one and you had to execute it, by your car analogy if someone slit your tires you would have the tire manufactor be responsible instead of the culprit.

[ajbright]

Protected by law

Actually software is protected by law in this regard.

Someone decided a long time ago that software could never be 100% reliable (for a host of reasons, some of which still apply, many of which don't) so it should not be held accountable if it fails.

Therefore laws were passed that exempt software (and some other technologies, computers are probably included in the mix) from having to be 100% reliable.

The issue here is not whether software crashes, but whether someone can take advantage of the software crashing - i.e. buffer overflow.

Because the backbone of Windows is Explorer, if someone can cause it to crash with malicious code, they have direct access to your operating system and are able to run any piece of code they choose.

64-bit processors will mitigate this to some respect, as they are not supposed to allow any code to be executed when a buffer overflow occurs.

This doesn't mean all viruses will cease to be, just one (the most popular) avenue of attack could be shut down.

How well this is implemented remains to be seen, but a 64-bit OS is required to make use of the feature, and WinXP 64 is still only a beta.

Vista is supposed to be compliant, but we shall see.

Closed operating systems, such as the Mac OS, already operate in this way, which is why people say that it's impossible to create a Mac virus.

This isn't strictly true, but is close enough as almost all modern viruses use this avenue of attack (just as most viruses of the late eighties, early nineties were boot sector viruses).

So while the type of attack used today will probably be stopped cold with the next release of Windows, a new method of attack is only a few keystrokes away.

And that's basically it - 1/Software is protected by law to the extent that you can't sue if it proves to be faulty, and don't expect this to change and 2/For a short while things will get better when 64-bit processors and 64-bit operating systems are used by the majority of users, but 3/eventually these will be hacked too.

[System Tyrant]

The Lawless World of Software.

Truthfully I think the day will come with software 'companies' will be held responsable for damages incurred by poorly written and insecure software. The only reason I think this is because software is becomming or already has become a neccessary part of life. We all rely on software to get our work done.

The truth is that more and more people are getting behind the idea of holding software companies and in some cases developers responsible for the stability and security of the software the produce. My only thought is for developers to become proactive and find ways to better secure their code either through specific supported platforms, better development tools and languages, or better system testing.

I know that at least two of them are unpopular with developers because of the inherent cost of doing them, but better to be proactive than sit around and complain about how nobody understand how hard it is to be a developer or how much it will cost and hinders software all together to be reliable, stable, and secure. I hate to say it, but those people that don't understand are lawmakers and everybody else. Those are the people that will push the lawmakers into making those laws. Be they right or wrong.

[heystoopid]

oh well

M$ way of tied customer, sell them flawed software full of security holes, then keep the customer on an endless upgrade and security patch treadmill! Oh well, life is never simple!

[Mister C]

Much appreciated!

I just wanted to say thanks. This is one of the few times where ideas we presented rationally and without name calling etc. (my OS is better, my browser is better yap, yap, yap). I only wish there were more talk-backs like this. Thanks!