January 3, 2006 4:34 PM PST

Wait for Windows patch opens attack window

A serious flaw in Windows is generating a rising number of cyberattacks, but Microsoft says it won't deliver a fix until next week.

That could be too late, security experts said. The vulnerability, which lies in the way the operating system renders Windows Meta File images, could infect a PC if the victim simply visits a Web site that contains a malicious image file. Consumers and businesses face a serious risk until it's fixed, experts said.

"This vulnerability is rising in popularity among hackers, and it is simple to exploit," said Sam Curry, a vice president at security vendor Computer Associates International. "This has to be taken very seriously, and time is of the essence. A patch coming out as soon as possible is the responsible thing to do."

News.context

What's new:
Microsoft says customers will have to wait till next week for a patch for a Windows Meta File flaw that has opened the door to a flood of cyberattacks.

Bottom line:
The delay will leave businesses and consumers unprotected during seven days of attacks that promise to become increasingly sophisticated, experts warn.

Microsoft has come under fire in the past for the way it releases security patches. The company responded by instituting a monthly patching program so that system administrators could plan for the updates. Critics contend that in high-urgency cases such as the WMF flaw, Microsoft should release a fix outside of its monthly schedule.

Details on the WMF security problem were publicly reported last week. Since then, a number of attacks that take advantage of the flaw have surfaced, including thousands of malicious Web sites, Trojan horses and at least one instant messaging worm, according to security reports.

More than a million PCs have already been compromised, said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. He has found a hidden Web site that shows how many copies of a program that installs malicious software have been delivered to vulnerable PCs.

Microsoft has said that a patch will not be made available until Jan. 10, its next official patch release day. That delay could provide an opportunity for attackers, security provider Symantec said on Tuesday.

"There is a potential 7-day window for which attackers could exploit this issue in a potentially widespread and serious fashion," Symantec said in a notice sent to subscribers of its DeepSight alert service.

Hackers have been quick to craft tools that make it easy to create malicious image files that take advantage of the flaw, experts said. These new files can then be used in attacks. The tools themselves can be downloaded from the Internet.

Many of the attacks today use the unpatched bug to attempt to install unwanted software, such as spyware and programs that display pop-up advertising, on Windows PCs. The flaw affects all current versions of the operating system, and a vulnerable system can be attacked simply if the user views a specially crafted image, according to a Microsoft security advisory.

In most cases, the attacks require a user to visit a malicious Web site, but the schemes are likely to become more sophisticated, antivirus specialist Marx said.

"I'm sure it's just a matter of days until the first (self-propagating) WMF worm will appear," he said. "A patch is urgently needed."

Microsoft is urging people to be cautious when surfing the Web. "Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code," it said in its advisory.

But most ordinary PC owners simply aren't aware of this type of threat, said Stacey Quandt, an analyst with the Aberdeen Group. "There are a lot of Windows users who aren't paranoid enough about never clicking on an unknown link," she said.

Patch ahoy
Microsoft has completed a fix for the problem and is currently testing and localizing the update into 23 languages, the software maker said in its advisory, updated on Tuesday. "Microsoft's goal is to release the update on Tuesday, Jan. 10, 2006, as part of its monthly release of security bulletins," the company said.

To protect Windows users, Microsoft shouldn't wait, but release the patch now, several critics said.

"The flaw is actively exploited on multiple sites, and antivirus provides only limited protection," said Johannes Ullrich, the chief research officer at the SANS Institute. "Active use of an exploit without sufficient mitigating measures should warrant the early release of a patch, even a preliminary, not fully tested patch."

99 comments

ANOTHER SERIOUS WINDOWS FLAW? UNBELIEVABLE!
I can but shake my head in disbelief when people continue to
put up with this 'planned obsolescence' marketing strategy. Who
do you think creates these viruses ad nauseam, patches it, then
forces you to buy a whole new system? Buy a MAC, or at least
shop around for alternative OS's and boycott Micro$oft. Support
the competition before this monopoly swallows us all up
completely!
Posted by Annette Snow (4 comments )
RE:
"I can but shake my head in disbelief when people continue to put up with this 'planned obsolescence' marketing strategy."

Planned obsolescence is part of how commercial software makes money. Vendors eventually stop supporting old software and hardware (Apple does it too). It's just not feasible for them to continue to support old software and hardware forever. If they did they'd be so tied up with old stuff they'd never develop anything new. Even open source projects move on eventually.

"Who do you think creates these viruses ad nauseam, patches it, then forces you to buy a whole new system?"

Conspiracy theories aren't particularly useful.
Posted by unknown unknown (1951 comments )
Ban Microsoft
Google is coming out with an OS. I will be looking at that very seriously. In the meantime, I have a few extra hard drives, and am experimenting with Linux.
Posted by eSchmeltzer (18 comments )
Why Unbelievable?
IIRC Ballmer had indicated during the hullabaloo
about Microsoft's new religion of security that
the Windows XP developers had flagged 70,000
known security issues in the operating system
(it'll take some Googling, but you ought to be
able to find it). In a typical year, 1000-2000
of those become public, and about 50% are fixed
(those given higher criticality ratings).

I'm pretty sure all of this is pretty much
understood at this point. You aren't buying MS
products for security, and prudent users / IT
managers simply recognize this sort of thing as
part of the cost of using the product -- like
the maintenance costs on a car.

Don't like it? Get a different car or go for a
boat... There's still costs involved, and
perhaps you need to change the way you drive,
but maybe something different is what you need.
Then again, maybe not -- perhaps the cost is
reasonable if it truly is the only model that
satisfies your needs.
Posted by Zymurgist (397 comments )
PROBLEMS?
AS WE ALL KNOW, ALL MECHANICAL EQUIPMENT WILL FAIL AT ONE POINT OR ANOTHER.. THIS SHOULD NOT COME AS SUCH A SURPRISE TO ANYONE!
Posted by val31 (37 comments )
Windows Patch for Security hole
I work IT normally and use a PC and Mac at home. Yet one more of
a thousand reasons I love my Mac more than my PC. My PC is WORK
at home (even gaming), and WORK at WORK. My Mac is fun at home
and could be used at work if everything was not bug infested.
Posted by Richard Gilbertson (1 comment )
Hey, It's Window$
What do you expect?! :)) Windows and Security never mix :))
Posted by wakizaki (44 comments )
Web Bugs
Want to really get scared? Download BUGNOSIS from the Privacy Foundation to see how many sites you visit have Web Bugs (Including C|Net).

That's right, this site uses Web Bugs !!

Roger
Posted by adeptblue (1 comment )
hahah and cnet article
http://news.cbsi.com/2100-1017-243077.html?tag=tb

makes you wonder what kind of schizophrenic place this is.... oh look these are bad....oh look let's use them!

makes me wonder about this site more and more...
Posted by The user with no name (259 comments )
Microsoft is providing protection from flaw
Install Windows OneCare

A security vulnerability in Windows could allow malicious software to infect your computer when opening an infected graphic or a malicious Web site. Microsoft is working on a patch, but Windows OneCare is protecting you now from known viruses using this flaw. As long as your Windows OneCare status remains 'green' or 'yellow' while you're connected to the Internet, Windows OneCare is protecting you. If your status is 'red' (at risk), please either take the requested action or go to the Help Center.

Advisory: 0.0.0.8
Release date: 01/03/2006
Posted by CoachWT (42 comments )
wow
What a fan boy. One care is a protection racket. Who else would have the eggs to charge for protecting something that they cause, other than the mob and MS.
Posted by Bill Dautrive (1179 comments )
Another day, another Microsoft virus
Need I say more?
Posted by aabcdefghij987654321 (1721 comments )
Ma and Pop Computer Users are Most at Risk
I am in the same camp as some of the other commenters here. I use a Windows machine at work and a Mac at home. I am so thankful that my Mac is unaffected.

Microsoft needs to be held ultimately responsible...
Posted by jypeterson (181 comments )
Responsible for what ...
There are just as many exploits on Unix/Linux/Mac. Check the SANS Institute web site.
This is all F.U.D..
This flaw was discovered over a month ago and there has not been one computer infected.

Microsoft is currently providing protection from this flaw. Install Windows OneCare from the download site.

Microsoft Notice:
A security vulnerability in Windows could allow malicious software to infect your computer when opening an infected graphic or a malicious Web site. Microsoft is working on a patch, but Windows OneCare is protecting you now from known viruses using this flaw. As long as your Windows OneCare status remains 'green' or 'yellow' while you're connected to the Internet, Windows OneCare is protecting you. If your status is 'red' (at risk), please either take the requested action or go to the Help Center.

Advisory: 0.0.0.8
Release date: 01/03/2006
Posted by CoachWT (42 comments )
Defense?
I have a question that's been eating at me for a long time. With all of these security exploits that continue to come out...at what level of concern should a person be who is

1) Using Firefox as their primary browser
2) Using Zonealarm for: Firewall, Antivirus and Anti-Spyware
3) and also using as secondary measures: AVG-Antivirus, Spybot, M$'s Anti-spyware and Ad-aware

So...with all of this protection...should I be 'oh my God' type of fear or just 'umm..think I'll be just a little more cautious' type of mood?
Posted by SvnX (12 comments )
Caution is always a good policy
Even with all of that protection, you should always be cautious. A
little healthy paranoia keeps you from having to deal with these
issues.

Keep your stuff updated and run it regularly and you'll more than
likely be fine.
Posted by nightveil (133 comments )
I hate to worry you,
but none of those things will protect you from a brand new exploit of this WMF bug. It doesn't matter what browser you use, what anti virus you have, what firewall you have... You view a malicious WMF it'll compromise your machine. Until MS release the patch.

But just stick to websites you know and trust and you'll be fine. You have to view a dodgy website where the owner has purposely put a malicious WMF. You won't get infected reading CNet for example.
Posted by Mutex (40 comments )
You should be concerned....
Firefox really has no bearing on it, nor does
ZoneAlarm (per se -- ZoneAlarm will catch
network traffic from malware after it's been
installed). So far, none of the antivirus and
antispyware vendors have a fix. AdAware would
help if it's deployed in a banner ad.

The issue lies in a library shared by several
applications and system services. The method of
exploit is actually there by design -- which is
probably why it's taken so long to respond, to
verify that no legacy software is dependent on
the functionality.

One point of concern for you might also be the
overhead imposed by running ZoneAlarm, Spybot,
AdAware, and MS Antispyware. The memory
resources used vary quite a bit, but you're
sacrificing hundreds of megs of disk space and
20-30% of your CPU power running that stuff
(maybe more). Running those programs has a very
perceptible effect on the performance of your
computer.
Posted by Zymurgist (397 comments )
The sky is falling the sky is falling ... let's blame Microsoft!
Sheesh, love how an article about Microsoft brings out the "shiny-box people" (Mac users)!

The summary of the article is :

... A flaw has been found for Windows and some people are whining to get this patch they think is some miracle cure out to the public before anybody has had a chance to finish testing it because they feel as if Microsoft "owes it to them". ...

Do these people promise to NOT say anything negative about Microsoft if the patch comes out whether or not it doesn't work on some systems because it wasn't fully tested? Would these same people turn around and sing praises of Microsoft for their "quick turn-around"?

um, no.

It's so easy to blame Microsoft and want things to be fixed yesterday but that doesn't change the fact I don't have a clue what's going on inside the Redmond campus right now. Are they playing tiddly-winks, or wearing their finger nails down typing like mad?

Macs can have, what, millions of configurations? That's still well behind the number Microsoft has to prepare for and is one factor in Apple's ability to build a more secure and stable OS (and re-writing it from scratch helps).

In a project management book I'm reading there are a number of examples going over how shrinking the proposed development time actually causes it to take longer and produce more bugs.

While waiting for the patch to come out, wouldn't it be nice to have a place to list the infected websites so they can be avoided?

I use Windows at work, and Linux at home. Both systems work just fine.
Posted by dragonbite (452 comments )
Maybe you should take the time...
... to figure out what you are talking about.

Okay, so lots of people are overreacting about MS's security
problems. But, it's not like those problems are in any way new.
Or that they will actually get fixed.

And you are right that with no standardization in the PC world,
MS has a major problem in managing an OS. I've always said that
it's a miracle that Windows runs at all. The fact that it runs badly
is almost unavoidable, except for the MS marketing impact.

And yes, Apple has an advantage in cleaning out the old code
and writing a new OS twice now in the past ten years or so. But
then Apple has the advantage in selecting both the OS and the
processor, as well as the motherboard design. MS can only work
the OS design, and then is less concerned about writing an OS
than they are about hanging on to their marketing position. So
MS jams every app they can find into their OS, and that just
compromises the h--- out of OS design and security. Apple
went with independent apps and a separate OS, and it works.
Too bad MS couldn't figure that one out. I'd have much better
running PC's in my system.

Linux is also a fairly good option, but I have yet to find Linux
apps that can actually replace MS Office Pro on the PC. And even
then, MS Office runs better on my Mac's than it does on my PC's.
Posted by Earl Benser (4310 comments )
Very Interesting!
This seems to be showing up more and more. It used to be "WINDOZE is way better than Linux!" As of late it has morphed to "Windoze is as good as Linux."

Are we seeing the beginning of a paradigm shift?
Posted by Mister C (423 comments )
Patch delay
They have to take the next week to test the patch.
If the patch has problems, Microsoft will face criticism.
Posted by chrisx1 (201 comments )
Stop putting up with Windows!
I feel for my friends with Windows machines. I really do. Why do you keep putting up with it?

http://www.apple.com/macosx/features/security/
Posted by CA1900 (332 comments )
yeah...
I put up with windows at work because it is a necessity, since the apps used don't run on any other OS. I put up with windows at home because my laptop, which is 1.5 years old, is still faster than any powerbook around. I put up with windows because my media center acts as a tivo with no monthly cost, something Mac's can not do. (I guess I could pay $2 per episode for low quality downloads of some shows, but that would just be stupid.) Oh, and I play games on my gaming rig, something Mac's obviously can not do. So in short, if you want options, I guess you have to "keep putting up" with windows. If you want to be told what hardware to use, and have very limited options, then by all means switch.
Posted by Rolndubbs (194 comments )
Why I put up with it
Just remember you asked the question...

I put up with windows for a good reason. I can get software that isn't available on mac or linux. Yes, the mac is a fine machine and runs nice, but when you have less than 5% of the market share, you don't have software vendors willing to write for it.
Posted by Seaspray0 (9714 comments )
Second Class System
Microsoft is fast becoming a second class system in some
companies. Few businesses can afford to get rid of Microsoft
completely but I'm finding that some are now starting to put
their vulnerable Windows computers on a separate network
segment.

Doing that allows them to prevent their Windows users from
reaching the Internet, email, etc. and most importantly prevents
their Windows computers from being a source of attacks on the
rest of their network.

It's time for Microsoft to concentrate on X-Boxes instead of
trying to deliver a secure operating system. At least they have a
chance of success with the X-Box.
Posted by rcrusoe (1305 comments )
rubbish
"but I'm finding that some are now starting to put their vulnerable Windows computers on a separate network segment. Doing that allows them to prevent their Windows users from reaching the Internet, email, etc."

Oh really? I haven't seen a business network yet where the PC's weren't on a separate network segment... and you're just finding this out? Without doing this, the company would have to provide a public IP address for every PC on their network. You bet you can control access... through a proxy server. Many companies do it to control access to the internet, email (internet email like aol and msn), etc. I don't know of many companies where internet email access IS authorized (employees do not have a right to their private email on work PC's) and companies do have a right to restrict access to websites (no porn, etc). This is how things have been for ages and it's not just a microsoft thing; all client PC's get this treatment regardless of the operating system.

Try and tell me that both MAC and Linux don't get viruses and then go online and research for yourself how many security issues are currently reported. If you're going to write comments like you did, you better include every operating system out there... "ALL operating systems are fast becoming a second class system..."

The only operating system I've found that couldn't get a virus was embedded on a ROM chip.
Posted by Seaspray0 (9714 comments )
File Types for WMF
I have read all I can on the flaw, and I changed the File association for WMF to NOTEPAD so the picture will not execute as an image file, instead will open up note pad. The simple tests I made worked, and notepad was opened.

Is this all we might have to do for this particular threat?
Posted by eSchmeltzer (18 comments )
Why not simplify it?
Forget all that crap about a thousand and one ports. At some point, there is only one circuit letting data enter and leave your computer. That is the obvious point to check data.

Why doesn't someone build a program to monitor it and check all input and output? Something Microsoft or another company can easily update?

It would slow the computer down, but so do all the patchwork programs to check for and stop Malware. I would imagine that all Malware has some sort of signature.

There are programs that record everything going in or out. I have one that does that. Why not program one to check for Malware and stops it or asks for your permission?

Maybe I'm old fashioned, but I have no need for things like Java or Active-X. I keep them turned off and have no real problems. I can't get on a few sites, but nothing crucial to my normal use. If others felt the same, it would be used less by web sites. The pretty pitchers ain't worth the aggravation.

Why would I need an email client that handles HTML in the first place? Like the other two, I don't use it or need it.

Microsoft has too many such ports, many reserved for its own use. They should be blocked or eliminated. Personally, I think Microsoft has plans to get into the placing of ads itself. From past experience, when have they missed an opportunity to make money? I wouldn't doubt that they're collecting information on our viewing habits at this very moment.

I would never buy anything from an unsolicited ad. At the most, it might remind me of something I want to purchase. In which case I would do a search and pick the best place to buy it myself, certainly not simply clicking an ad. There has to be something to it though, since a lot of people do.

Oscar Rat
Posted by Oscar Rat (54 comments )
they do
It's known as a firewall.
Posted by Bob Brinkman (556 comments )
Not practical, technically.
It's true that you could inspect all data coming
through a network channel, but it's not
technically feasible. Why? Because you'd need to
assemble the incoming packets,
decode/decrypt/uncompress chunks of data that
are arbitrarily compressed/encrypted, then
compare that chunk of data to a database of
fingerprints (which is nothing but an array of
regular expressions). While that's conceivable
(right down to being the "man-in-the-middle" for
SSL traffic), you'd need to do it at line-speed
(the speed of the incoming traffic).

You wouldn't be able to pull it off using the
host-CPU at anything near ethernet speeds, you'd
probably need to throttle the connection speed
back to that of a conventional modem, maybe
slower. It's still computationally cheaper to
identify contexts where there's risk and address
those (and restrict yourself to exploits
relevant to the context -- such as a macro in a
word document). Why unzip a file to search for
viruses right away when you can defer that
action (and the penalty of the search procedure)
until the zip file is about to be opened?

Understand too, that some of the underlying
causes and design flaws of Windows (not all mind
you, just some) are addressed in Microsoft's
upcoming Vista. There are some basic security
practices that have been around for 20 years
that will see their first formal implementation
in Vista (like LUA). Vista won't solve all the
problems (like the WMF exploit), particularly if
nobody shells out the cash for it, but it will
go farther than anything Microsoft has done
before.
Posted by Zymurgist (397 comments )
I read that this works
"disabling .WMF file handling: First, users should click on the Start button on the taskbar. Then they should click on Run, type "regsvr32 /u shimgvw.dll," and click "Ok" when the change dialog appears."

Haven't tried it myself yet as I don't use XP at home
Posted by (4 comments )
Microsoft Should not be allowed to profit from this...
You KNOW, Microsoft will use this flaw to leverage users into buying new software. They will ONLY patch Windows XP, and anyone using Windows 2000 or older, who wants their systems fixed or made more secure will be FORCED to buy Windows XP.
In a lot of cases this will force people to have to buy new hardware.

So far Microsoft has seen surges in sales of Windows XP for every flaw and exploit that has come out. THIS IS VERY WRONG! Microsoft should not be rewarded for poor programming. What's to stop them from deliberately creating flaws and vulnerabilities to increase sales?

The LAW needs to step in and FORCE Microsoft to patch "EVERY" version of Windows that is affected by this flaw... AT NO COST TO THE USER.
Posted by SmartITGUY (9 comments )
Surge in sales???
MS still provides patches for 2000 and I believe still for 98. Many people still have not upgraded to XP because 2000 still works and is supported by MS.
Posted by Charleston Charge (362 comments )
Google Products Never Get Out Of Beta
Google mail is still in beta and it has been over a year now. How on earth would they be able to release a PRODUCTION OS within this decade?
Posted by Stating (869 comments )
Google O/S info
The long talked about and anticipated Google O/S is soon to be offered in Beta.

Download links will be sent to google mail accounts (sorry if you don't have a google mail account or have never been sent an invite for one you are s.o.l)

The O/S is being called Giggle
Once you have installed Giggle you will have access to all of the Giggle multimedia products
(Giggle viewer, Giggle media player, and a new desktop search called Giggle This.) As well as an integrated competition to Office called, amazingly enough (lol) Giggle At Work

registered Giggle OS users will however be able to send out giggle invites to their friends whereby they too can download the GiggleWare and make the switch to what certainly will be the OS with the most smiles.

Bad news is that just like Google Mail the OS tracks you like a Wild Animal and keeps records of everything you do, see, and send even when you have deleted these records. The kept records will only be used for the purposes of being able to figure out how to sell you more useless **** as well as revenue streams for 3rd party marketeers.

AND JUST TO STOP THE LAWYERS FROM KNOCKING ON MY DOOR... THIS WAS ALL JUST FAIR USE UNDER THE GUISE OF A PARODY OF THE REAL AND ACTUAL GOOGLE COMPANY. AND AS STAUNCH DEFENDERS OF FAIR USE (SEE THEIR BOOK SCANNING PROJECT) THIS DISCLAIMER SHOULD SUFFICE TO PROTECT ME.

lol
Posted by The user with no name (259 comments )
Try Here for the Patch
all the sites hosting this patch are very, very busy. here's a link to a washington post article with a link in it to a site that has quite a few mirrors for the patch. i'd provide that link, but if you're like me you consider that might be an attempt at infection in and of itself!

http://blogs.washingtonpost.com/securityfix/2006/01/unofficial_patc.html

i figure you folks will trust the washington post. well, at least on tech (if not on politics!).

mark d.
Posted by markdoiron (1138 comments )
A bad guard is better than no guard
Since Microsoft has the patch but needs time to test it, why not involve the rest of the community in the process?

Microsoft can release a beta or pre-release version of the patch. Users can decide whether they want to use the beta patch, which might not be complete, or not. This way, users can also get involved in improving the patch by reporting any problems they might encounter.

I think that in this situation a partial solution is better than no solution at all.
Posted by baloushi (7 comments )
Permissive By Default
Millions of lines of legacy code based on a permissive by default architecture.
Decades old news!
Posted by mattcsully (1 comment )
Simply Impractical
Here's a simple analogy: Suppose that you're driving on the highway, and your car gets a flat tire. Do you try to replace the tire as soon as possible, or do you wait for the proper day of the month to fix it? Now if there's someone who would say, "yes, I'll sit in my car and wait for two weeks", that person must work for Microsoft. Because it's completely impractical to fix things according to a date on the calendar. If a mechanic came along and said "Sorry, I only fix things on the 12th of every month", would you go to him if you needed something fixed, or to someone else? But here's the catch: Microsoft's the only mechanic in town. It's a shame, because I don't see why a company as large as Microsoft couldn't issue patches on an as-needed basis. If smaller companies can do so, then why not Microsoft? The defence that Microsoft has to test its patches doesn't fly, because some Microsoft patches have come out that caused more problems for computers than the exploits they attempted to fix. The defence that Microsoft doesn't have enough capability to handle the millions of computers that need the fix doesn't apply, because how else can Microsoft handle the millions of computers on the second Tuesday of every month? It seems that some of Microsoft's patches are rushed because of the date that they have to come out, and that others are delayed for the same reason, which results in poor performance all around. It's poor performance to need all these patches in the first place if you use Microsoft, and it's poor performance to not have these patches provided when needed, rather than a few weeks down the road. Microsoft is like the overbearing sheriff that shoots himself in the foot! What experienced computer user is going to trust Microsoft with this track record, or take them seriously? Reading all this bad press about Microsoft does nothing to improve their reputation. Yet their marketing campaign is formidable, and thousands of new computer users every day receive Microsoft's products pre-packaged. Thousands of new computer users will learn to trust these, along with the tired old line "Well, since Microsoft has 90% of the market, computers running Microsoft are the only ones virus writers care about." If virus writers had to deal with 90% of the market having SECURE operating systems and browsers, they'd be out of business. But isn't this Microsoft's responsibility to the consumers of their products? As it is, Microsoft is like Swiss cheese, and virus writers are like mice taking the bait!
Posted by Michael G. (185 comments )
Hackers
Hi,

I think we ought to deal with the main culprit, hackers or those who misused what have been created. It is a global problem that we need to face and not just Microsoft itself. People hated Microsoft because of their sheer ability to innovate thus creating a great feeling of displeasure among competitors.

Then there is a huge pool of people who just hated Microsoft for whatever reason and when an opportunity comes to discredit them, they pour our their grievances.

Look at it rationally, Microsoft has million lines and it is a software development process which they must abide by. Making sure the patch work for all parts of their system, it is not a easy task to complete. It is not just patch the flaw but patch it and ensure every other modules work as well.

I use Windows and Linux; Windows is great in ease of use where as Linux being an arrogant OS, you need skill to use it. Not to mention they always assume you know Linux before you start using it. There are flaws in every piece of creation but a creation is what the future is.
Posted by ericsalim (1 comment )
Re: Hackers
You may be referring to crackers, those whose main agenda is to create computer havoc. Hackers are pursuers of higher computer knowledge. Discovering exploits is a hacker activity, using that exploit for malicious gain is not (but a cracker's). The beauty of open source is that the source code is very transparent, because it is accessible to everyone. Open Source software applies the "Many Eyes" approach, yielding software in line with security. This is an ongoing process. When you are speaking of closed source software (e.g. Micro$oft Windows), you would have to wait for the developer to make the fix. In Open Source software (e.g. Linux), the community can be the developers too, making software development and fixes faster. Linux does require some technical knowledge, but in the end, the user wins because he/she can fix it if something goes wrong (if you can't, there's the community to help you out), not to mention the stuff you learn when using Linux. Heck, you can use Linux to fix Window$ if it goes bad :))
Posted by wakizaki (44 comments )
Off base
The main culprit is Microsoft. It is their ****-poor implementation and coding practices that allow an ignorant 12 year old to easily exploit the OS. Windows is nothing more than a *****, it lets anything in.

Innovate? Please, that is beyond ignorant. Name one true "innovation" from Microsoft.

Linux has millions of lines of code too, but it can fix flaws in days, MS has no excuse here. The one reason that Linux and OSX are so damn easy to fix is because they conform to POSIX, Windows has no standard.

You call windows easy? With linux, 5 clicks will get you a rock solid install that is very simple to use, no knowledge required, at all. From the user's perspective, Linux works the same as windows. With windows, after you install it, you have to spend a long time to tweak it and install third party apps and it still doesn't come close to a default linux install. Those tweaks take more knowledge than your average windows user possesses and you have the audacity to call it easy to use? Windows is the most user-unfriendly OS out there, except for a non-GUI Linux install. If you think Linux is hard to use, tasks like tying your shoes must be a daunting task for you. 5+ years ago Linux required more than 2 brain cells, not today.
Posted by Bill Dautrive (1179 comments )
Linux is easy.
The problem isn't with people finding holes in the software; it's that there are holes in the software in the first place.

Microsoft may have innovated in the past (or they may have just bought up innovative companies), but not recently. Their products have stagnated, and they're playing catch-up by introducing features into their products that other products have had for ages.

Windows may have millions of lines of code, but so do more secure OSs. The difference is those other OSs were designed to be secure from the start; with Windows, they started with a single user system, then bolted on stuff until we get to the situation we're in today, with viruses and malware able to easily take advantage of Windows.

Linux isn't difficult to use. In the past it may have been difficult, but now it's as easy to use as Windows or Mac OS. The only people who have problems with Linux are those who can't lose the Windows way of doing things. If someone only used Linux and then was forced to use Windows, they'd have problems unless they were willing to re-learn everything they thought they knew about computers.
Posted by booboo1243 (328 comments )
Shutup Mac and Linux Users
First off I respect the Linux platform (sorry Mac is just a unix system dressed up), but I digress...whenever you deal with a large closed source OS like Windows you will have problems. Add to that the fact that because it's Microsoft a lot of jealous script-kiddies are writing little viruses that exploit Windows. It's not Microsoft's fault and if ANY other os was #1 it'd be targeted too. I'm tired of all this bias towards Microsoft. The reason it has so many flaws is because people probe around all of the time on it. If you used it like it was designed to be used you'd never have problems. The real culprit are the idiots that don't have lives.
Posted by mlw4428 (1 comment )
Geez
That is why Apache has far less flaws and even fewer exploits than Windows Server, yet Apache has a considerably larger market share. Because market share is why windows gets attacked more.

WRONG!

Script kiddies do not attack *nix for one reason: It is extremely difficult to attack one machine, much less orchestrate an attack that spreads itself. On windows it is a trivial task that requires no technical knowledge.

The reason it has flaws is because MS has only paid lip-service to security so far. The flaws are there before people "probed" it. You really are showing your ignorance about software design and programming.

The real culprit are the idiots at MS who designed a *****-ish OS with absolutely no security built in from the ground up.
Posted by Bill Dautrive (1179 comments )
Using Windows as it's supposed to be used.
User: Administrator privileges, no password.
IE: Active-X enabled.
Office: Macros enabled.
Outlook/Outlook Express: HTML format.
Firewall: Didn't originally come with one.
Virus checker: see Firewall.

These are just some of the ways people can exploit Windows if you run it as it was designed to be run.
Posted by booboo1243 (328 comments )
 
