Microsoft's urgent security update: What it means
Earlier today, Microsoft did something unusual. The company made an exception to its normal security processes and issued an "out-of-band" urgent update. The update is classified as critical for Windows XP and older versions and is considered important for Windows Vista.
After speaking with Microsoft earlier today, I strongly suggest that users understand the importance of this update and begin emergency patching procedures immediately. While exploits around this Windows vulnerability have been limited thus far, Microsoft concedes that it could be exploited by old-school Internet-based worms a la 2004 and do massive amounts of damage. In addition to patching Windows systems, I also encourage users to install the latest security signatures from endpoint and network security vendors.
Microsoft's "out-of-band" reaction speaks to the seriousness of this threat, but I can't help but be impressed with the behind-the-scenes effort that led to this action. A few things are worth pointing out:
1. Microsoft security researchers discovered this vulnerability themselves with the aid of some customer data. In other words, this vulnerability was not brought to Redmond's attention by a third-party researcher, Black Hat Web site "chatter," or a series of massive malicious exploits. This is a good proof point to those who still believe that Microsoft does not take security seriously.
2. In preparation for the urgent update, Microsoft has been sharing data and patches with other endpoint and network security vendors as part of a number of security partnering programs. This means that notification from Microsoft will likely be followed by new security signatures and support by leading security vendors.
3. It is worth mentioning that the vulnerability in Windows Vista is not as pronounced as older versions of Windows. To me, this speaks to the effectiveness of the Security Development Lifecycle (SDL) process. Lessons learned from this vulnerability will be integrated into future revisions of SDL as part of a constant improvement cycle.
Some will point fingers at Microsoft and claim that this "out-of-band" security bulletin is further proof that Microsoft remains an anathema to security. I don't share this view. Complex software will always contain vulnerabilities and bugs. The trick is to fix as many as you can during the development and testing process, continue security research once software is released, and respond to problems with professionalism, industry collaboration, and haste. In my view, Microsoft is doing a good job at following this model.
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.






It is very popular to point the finger and say that Windows is the dominant O/S, and is so popular, that it is naturally the biggest target, and is therefore the most vulnerable through no fault of their own.
Rubbish. They integrated a web browser with the O/S. They provide back-door communication between the Office suite, the browser, and the O/S. They (Microsoft) are so Hell-bent on integrating everything tightly into the O/S, that they have created an environment just begging to be exploited.
They brought this on themselves.
I commend them for trying, but I do not think Windows will ever be a very secure environment. No matter how hard MS tries.
http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx
Excuses...excuses... Microsoft seems to have a knack for having more vulnerabilities and bugs than any other software company out there...
Seriously. Everyone knows that the old Windows framework was never designed with security and the Internet in mind.
I hate to dispel your FUD and lies with some facts, but I have to.
Here are the vulnerabilities listed for Apple products: http://support.apple.com/kb/HT1222?viewlocale=en_US
Here are those for Ubuntu: http://www.ubuntu.com/usn (note that for Ubuntu they listed everything going back to 2004, so only those that start with CVE-2008 are from this year)
The point is, neither of these are small numbers.
"@catch23: Have you looked at the exploit count for Windows this year? Have you looked at the OS make-up of a typical botnet?"
"I hate to dispel your FUD and lies with some facts, but I have to. "
Amazing. Just absolutely amazing. You counter facts with... FUD. I am really surprised that you would dismiss the security concerns of Apple's own products so out of hand as you have. Even Apple considers the security risks serious enough to issue patches and here you are dismissing them as FUD. Tell me exactly what patches and products by Apple you consider to be FUD?
No, I think security is important regardless of what platform you are using. Comments like yours only help to intentionally spread misinformation. I do wonder what financial gain you have invested in these activities of yours. I really do.
"@catch23: Have you looked at the exploit count for Windows this year? Have you looked at the OS make-up of a typical botnet?"
"I hate to dispel your FUD and lies with some facts, but I have to. "
"@jandler: how many of them are exploited? There's a huge difference between obscure vulnerabilities and active exploits."
Good point you brought up. Please point to all the security risks in Windows that have been exploited. Be sure to be complete- your answer *will* be checked and verified for accuracy. I'm not surprised that you would answer this way though- you've already made sure in your own comments that you consider any and all security risks in Apple's OS to be 'FUD'.
Seriously, take a look in the mirror sometime. You'll find the biggest FUD producer here will be looking back at you.
http://www.securityfocus.com/vulernabilities - each vuln that can be exploited has one attached to the issue.
Start checking... ;)
You are correct: No platform is entirely secure.
However, this does not mean that all platforms are equally insecure, as your argument implies.
Unix-based systems took security seriously long before Windows even existed, and it shows.
Microsoft has made some progress toward better security, but they have some distance to go yet. I commend them on their (belated) efforts.
Here's a hint: Absolute statements do not apply to relativistic situations.
It is a shame how anti-Microsoft some "so called tech gurus and know-it-alls" have become. Unfortunately these people go around spreading their ignorance and biases to unsuspecting consumers.
Good job Microsoft!
In bullet 3, you try to drum up support for dying Vista, by saying the effects are "not as pronounced". Huh? How is THAT any more worthwhile - or trustworthy - if the bugs still affect Vista too? Sounds like M$'s historical and notoriously bad designs are all vulnerable, just to different degrees. By analogy then, I presume you'd say it's OK to get Avian Flu, as long as it doesn't kill you?
Even bullet 2 is lame. So, they shared. So what? Who FORCED them to do that, the EU under penalty of sanctions for abusing customers and "partners" alike? Puleeze
More important, the fact that this "urgent update" is for a bug found on Vista, Windows 7 too according to one poster, as well as almost all older versions, says that M$ is just shuffling around old code like deck chairs on the Titanic. So much for all that "innovation", the "new approach" or "improved security", alleged "improvements", and so-called "value", eh? No thanks - I'll stick with more secure and better-designed systems like Linux or Mac for the bulk of my work, thank you very much.
The security patch was easy to install and did not zorch the system. I hope that their response to this problem is recognized as a "best practice" within Microsoft going forward.
To the now upset apologists I am not a Mac user. My OS of choice is Ubuntu.
So this is worse than people at the M company are letting on, everything up to date and you can have your computer completely hijacked by going by a web page.
Very bad
re: "By commending M$ for patching their OS you ensure they continue to produce bad software. Why should they produce good secure software when all of you apologists will commend them when they patch and forgive them when they don't?"
Funnier still - MSFT (among others) will often hide the existence/knowledge of flaws for months, and sometimes years, with no patch in sight (at least until an active exploit forces their attention to it). And yet we hear of all this praise being heaped upon them for "prompt" attention... Yeah, whatever. The only reason they lit a fire under their butts this go 'round was the fact that there were (and are) active exploits out there and operating.
OTOH, they can't for the open-source parts (e.g. OSX' core); the source code is publicly available, and exploits/vuln reports are posted publicly as they arise.
So, you were saying?
Don't be offended that his answer had nothing to do with your comment- it's likely he was responding to something else. Either that, or it's another example of changing the subject when confronted with the truth. I'd rather give him the benefit of the doubt.
Penguinisto: Compudocc318 brought up a good point. Will you be addressing it?
As for your comments themselves- you're absolutely right. Apple has hidden the flaws of their OS for months/years. They most often release security patches to the OS as part of an iTunes update. That's pretty sneaky, but allows them to never have to acknowledge the problem in the first place. Microsoft, Apple, RedHat- they are all guilty of this sort of patch by parallel process. I would expect you to tar the entire OS industry with the same brush you are so eager to paint Microsoft with.
Your bigotry is rather blatant. It's also old and tired. Try a new tactic.
Next.
Unlike you, I did not make my attack personal on the M$ programmers: they are working in a crippled environment, technical and business honesty, and are to be pitied. But when a magazine like CNet feels compelled to point out what should be a normal course of development and deployment as "news" and elevates it to the level of tail-kissing and extolling virtues where few exist, nobody benefits - not the developers, not the customers.
Curiously, in your vitriolic screed, you did nothing to refute my points that a) this is typical development work and no more; b) that the fault exists across multiple old and "new" product versions, i.e., it is due to the perpetuation of either bad code, and flawed architecture, or both; and c) that their history of "sharing" such information with other companies is dubious at best.
You are welcome to your opinion (as am I). Maybe someday you'll learn to express it in a balanced way. I also hope that someday you'll learn enough about system development to respond intelligently, or at least, to question the system(s) which you use and rely upon. But hey, it's your data and your life: if you don't care to learn, to protect yourself, or to be anything but a raving ranter, that's your choice.
Thanks for the entertainment, "Steve".
Apple, Google, and Microsoft
by Ilgaz
October 24, 2008 1:21 AM PDT
I keep asking this question for years... Who does share their printers and files over Internet, using Microsoft technologies instead of standard IPP etc?
That is the question and there is no answer yet. I haven't seen a single configuration like that for years and MS keeps opening 139 to World access and tries to "defend" with firewall. It is like opening your door wide open and trusting to a guy with minimum wage to defend your house.
Trust me one day, same thing will happen to Apple. They also open AFP to planet while nobody uses AFP over net (not local LAN) to transfer files.