Microsoft Plugs a Record 26 Security Holes

An anonymous reader writes "Microsoft today released ten patches to fix at least 26 separate security holes, including a whopping 16 flaws in Microsoft Office and its constituent apps. According to Washingtonpost.com's Security Fix blog, this is the most number of patches ever released by Redmond outside of a Windows service pack. Also of note, six of today's updates apply to fully patched Windows XP systems, and two of the flaws are actually present in Windows Vista."
  • by xTantrum ( 919048 ) on Tuesday October 10, 2006 @08:24PM (#16385993)
    It could have been 27!
  • by rjamestaylor ( 117847 ) <rjamestaylor@gmail.com> on Tuesday October 10, 2006 @08:31PM (#16386065) Journal
    It's how many remain that's important.

    And, how many were created in the making of the 26 patches?
  • by blcamp ( 211756 ) on Tuesday October 10, 2006 @08:35PM (#16386091) Homepage

    I am really annoyed by journalists who pose as experts in whatever they are reporting on.

    This guy tries to explain to the average reader/non-geek that Microsoft .NET is a "computer language".

    He should at least refer to it as a platform, even if the vast majority of the readership won't know the difference.

    • Re: (Score:3, Insightful)

      by Shados ( 741919 )
      Regardless of how it happens, .NET is a way to tell a computer to do stuff. Of course, we can go in the technicalities that the .NET platform supports multiple languages (which in the end are all quite similar, because the platform affects them so much), that it's a virtual machine environment, blah blah blah.

      But it's a way to -tell- a computer to do "stuff". So I guess saying it's a computer language is "good enough". Misleading, and I'd get annoyed if this appeared in more technically oriented articles, bu
      • Since your average user doesn't really know what a "computer language" is either, it may have been more appropriate to call it a "software platform" with a link to wikipedia to assist those who are interested in learning more. After all, that's what links are for.
        • Re: (Score:3, Informative)

          by Shados ( 741919 )
          I disagree. My 85-year-old grandfather, who has never booted a computer of his own life, never had an email address, or anything of the sort, knows what a computer language is. Same with a lot of people. That is a bit of my personal experience, so it might not reflect the rest of the world, but it is what I'm going by here. I've used the terms "computer language" while describing what I do for a living to a -lot- of people, and it virtually always goes through. The term "software" doesn't always, so...
    • This guy tries to explain to the average reader/non-geek that Microsoft .NET is a "computer language".

      So long as your precompiled code is a combination of English and C, and yet you still prefer to call it a "language", you shouldn't be surprised to hear others mis-use the word just as bad as you.

      C, C++, VB, Java, Perl, Pascal, Javascript, and all the rest are syntaxes, not languages.
    • Re: (Score:3, Insightful)

      by Tim C ( 15259 )
      He should at least refer to it as a platform

      Well, its full name is "the .NET Framework", so perhaps he really ought to be calling it a framework, not a platform.
  • by unity100 ( 970058 ) on Tuesday October 10, 2006 @08:39PM (#16386135) Homepage Journal
    microsoft introduces 2-3 holes while fixing one .. if they patch up with that speed from now on, it means ... uh oh ...
    • Re:DISASTROUS NEWS ! (Score:5, Interesting)

      by ronkronk ( 992828 ) on Tuesday October 10, 2006 @09:05PM (#16386327) Journal
      I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0). It was painfully obvious that Microsoft had missed the Internet boat, and shortly thereafter, Bill Gates sent his historic all-hands memo pointing the company in the direction of the Internet.

      It took them some time to get it right, but eventually IE took over. Now, you'd have a hard time finding a Microsoft product more complex than Minesweeper or calc.exe that doesn't connect to the Net somehow. And let's not forget that Netscape provided Microsoft with some much-appreciated help in taking over the Web, by screwing up their own release schedule so badly that there never was a Netscape 5.0.

      Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.

      Make no mistake, this kind of event is exactly what a company that wants to get secure should be doing. Thomlinson's comments about how seeing their code exploited "hits people in the gut", and the fact that "he was glad to see the crowd of engineers taking things personally" -- these things are right on the money. These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.

      In the meantime, Firefox exploits are cropping up at a seemingly greater pace. This worries me. It looks like a repeat of 1997, when Netscape lost huge amounts of ground to IE by producing a product that wasn't as good as the competition. SP2 was huge leap forward in security for Windows and for IE, and Blue Hat makes it obvious that Microsoft is just going to get better at it. In the meantime, Firefox appears to be standing still on the security front, or maybe even losing a little ground. Sure, it's still miles ahead of IE's security, but if IE keeps up the pace, it will overtake Firefox sooner or later -- probably sooner.

      Is there any way the Firefox development team (and the OO.o team, and anyone else who's working on high-profile F/OSS projects) can take a lesson from Blue hat? Can we get together events like this of our own?

      If we don't, I can already see that by 2009 or so, at the latest, I'll be telling clients to go with Microsoft products, because they're more secure than F/OSS. And I don't want to see that happen.
      • Re: (Score:2, Flamebait)

        by menkhaura ( 103150 )
        It took them some time to get it right, but eventually IE took over. Now, you'd have a hard time finding a Microsoft product more complex than Minesweeper or calc.exe that doesn't connect to the Net somehow.


        Does that mean that I can do a File->Open and type in an URL from MS Office and have a remote document right on my screen?*

        *Half trolling, half really wanting to know if I can do this, since I can with KDE for some time now.
        • Re:DISASTROUS NEWS ! (Score:4, Informative)

          by batkiwi ( 137781 ) on Tuesday October 10, 2006 @11:54PM (#16388073)
          Yes, you can. It can be on any web server.

          Now for the kicker:
          If that URL happens to point to a sharepoint server, when you click "save" it will save it back to the site, update the document history, prompt you for any necessary meta-data, and (with 2007) kick off a workflow for (example here) document approval.
          • by Trelane ( 16124 )
            If that URL happens to point to a sharepoint server, when you click "save" it will save it back to the site, update the document history, prompt you for any necessary meta-data, and (with 2007) kick off a workflow for (example here) document approval.
            That sounds nifty. What about if it's not a Microsoft SharePoint Server. Instead, say, WebDAV or something. Or a BZR repository?
            • Re: (Score:2, Interesting)

              by greed ( 112493 )

              It works just fine with WebDAV. In fact, it works better with WebDAV than the Web Folders thing does. Add "SVNAutoversioning on" to your Subversion repository config and have fun, just for one example.

        • by uhlume ( 597871 )
          Only for the last five or six years.

          Welcome to the table, troll.
      • by truthsearch ( 249536 ) on Tuesday October 10, 2006 @09:53PM (#16386661) Homepage Journal
        Let's not forget that we'll never know exactly how many total exploits IE really has. Microsoft may know of 100 more that they simply haven't disclosed. We'll never know. But anyone can inspect Firefox. Don't think that simply because IE has less publicly documented exploits that it's more secure. Unless you work for the software vendor, you will never really know how secure any proprietary software is.

        Also look at how quickly Microsoft fixes security vulnerabilities. They've let major holes exist for 3 years or more. Even if they have fewer vulnerabilities it's almost irrelevant if they don't fix the ones they have.

        It's a more complex issue than simply how many vulnerabilities each camp discloses.
        • by penix1 ( 722987 )
          It's a more complex issue than simply how many vulnerabilities each camp discloses.


          You are right about that. The more important number to keep track of are out of those exploitable ones how many are exploited in the wild. That IMO is the problem with "security by obscurity". By the time they get around to fixing the exploit it is already being exploited. Nothing like closing the barn door when the horse is dead from pneumonia.

          B.
        • by mpe ( 36238 )
          Microsoft may know of 100 more that they simply haven't disclosed. We'll never know. But anyone can inspect Firefox.

          Also anyone can add to the official bug list for Firefox.

          Don't think that simply because IE has less publicly documented exploits that it's more secure. Unless you work for the software vendor, you will never really know how secure any proprietary software is.

          It's perfectly possible for the software company not to know about bugs in its own software. Especially if they are a large corpor
        • Re: (Score:3, Interesting)

          by Dare nMc ( 468959 )
          >It's a more complex issue than simply how many vulnerabilities each camp discloses.
          Also it is a time for the standard stock quote, "Past performance is not a direct indicator of future performance."

          I think there is no way to interpret which is more bug free product, from past security issues. If you assumed the two products started out with identical # of critical faults, then the product with the most patches is likely the most secure. Even if you're trying to win a bet on which was more secure on 10-11
      • and no factor more effective.

        maybe almost 70% of the internet users do not know what a "browser" is, and there are other browsers out there.

        This is because microsoft easily pushes its own browser as a "os feature".

        majority of casual computer users by then were, now the majority of the casual internet users, those who are not interested in doing something else than using mail, going to a few sites, chatting with some friends and playing some backgammon around the net, are not in a level, proficiency
        • by drsmithy ( 35869 )

          and no factor more effective.

          Then why did the fastest period of Internet Explorer's marketshare growth occur with IE4, in the time period before and shortly after the release of Windows 98 ?

          In case your memory is hazy (or you weren't there), IE4 was only available as a manual install prior to Windows 98, and the adoption rate of Windows 98 was very slow.

          • "fastest market share growth" means absolutely nothing to me.

            Your market share might be growing from 0.1% to 1% very rapidly, this is also a fast growth. from zero to something is always a fast growth come to think of it. and if you notice, the years 97-98 are the years when internet was still niche, people using it was not in numbers comparable to today, and no one would get surprised if most hardcore netscape users gave internet explorer a try then.

            it's not the start, but what is after that matters.
      • Re: (Score:3, Informative)

        by TheRaven64 ( 641858 )
        I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0).

        I don't think you do. Internet Explorer 3 was released on August 13, 1996. Windows NT 4.0, which shipped a year after Windows 95, came with IE 2.0 (which crashed on launch on a fresh install; something I thought was quite impressive. Fortunately, Windows Update didn't require IE back then, and so you could download a newer version through that).

        • Thank you! I wish I hadn't used my last mod point this afternoon. I don't know how someone can get to +5 for saying something that anyone with a 9 year memory span can easily contract: Windows 95 didn't come with any web browser, let alone IE freaking 3! To get the first IE, you had to buy the "Plus!" pack. IE 2 was released shortly thereafter. IE 3 was the first decent version of IE and came significantly after Windows 95.

          This should all be "no, duh" material, but it looks like you're the only other person
      • These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.

        Adding internet capability does not remove things from the programs it was added to.
        Adding "security" usually means losing features, options, performance, "ease of (ab)use", time-to-market etc. Security is a trade-off.
        Also, much of their "security" effort is directed at DRM (which has nothing to do with _MY_ security).

        I think they'll get better at security, but at some point t
      • Re: (Score:3, Insightful)

        by xlsior ( 524145 )
        Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.

        Too bad that it won't work, unless they scrap everything they have and start from scratch, likely breaking all most
        • by drsmithy ( 35869 )

          'security' isn't something you can just slap on top after the fact, it's the foundation of a solid system. If you just paint over the holes, you will keep on doing that forever.

          Fortunate, then, that the "foundation" of Windows is quite good.

        • by stikves ( 127823 )
          Too bad that it won't work, unless they scrap everything they have and start from scratch, likely breaking all most backwards compatibility in the progress.

          Yep, as it's pointed out above, this is one of the biggest reasons to why vista is delayed so much. Wikipedia has information on this: http://en.wikipedia.org/wiki/Features_new_to_Windows_Vista#Security_and_safety [wikipedia.org]
      • by hany ( 3601 )

        If we don't, I can already see that by 2009 or so, at the latest, I'll be telling clients to go with Microsoft products, because they're more secure than F/OSS. And I don't want to see that happen.

        I hope I can be that optimistic as you are!

        You know, the other day I've got discussion here on /. with other guy about drivers. Problem is, that "kernel folks" in an attempt to rid themselves of the need to maintain a lot of backward-compatibility layers do not provide stable driver API. (there are of course also

      • by rs232 ( 849320 ) on Wednesday October 11, 2006 @08:13AM (#16391021)
        "I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0)", ronkronk

        It wasn't an afterthought it was a renamed Spyglass browser which they subsequently 'gave away' with Windows so as they wouldn't have to pay royalties. After failing to buyout Netscape and get an exclusive deal from NCSA they settled with Spyglass.

        "It took them some time to get it right, but eventually IE took over", ronkronk

        IE took over by billg strong arming the OEMs to take Netscape off the desktop. Can't you remember what the MS AOL court case was all about.

        "AOL's March 12 and October 28, 1996 agreements with Microsoft also guaranteed that, for all practical purposes, Internet Explorer would be AOL's browser of choice [gpo.gov]"

        "Compaq was the only one to fully commit itself to Microsoft's terms for distributing and promoting Internet Explorer to the exclusion [gpo.gov] of Navigator"

        "now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet", ronkronk

        Like as an afterthought.

        "within a few years, we're going to see some really damn secure stuff coming out of Microsoft", ronkronk

        I've heard exactly the same kind of thing when NT came out.

        "In the meantime, Firefox exploits are cropping up at a seemingly greater pace. This worries me. It looks like a repeat of 1997, when Netscape lost huge amounts of ground to IE by producing a product that wasn't as good as the competition.", ronkronk

        Netscape was never inferior to IE. As this test [netscape.com] proves. The MS strategy at the time was to make it a jolting experience for the enduser. Why are you trolling slashdot with patently false pro-MS propaganda.

        "We will bind the (Windows) shell to the Internet Explorer, so that running any other browser is a jolting experience" [usatoday.com] .

        Firefox running on a more secure OS as standard user are not as serious as bugs in IE running on WinVista. You see as MS embedded the browser directly into the OS so as it couldn't be removed.

        Secondly Netscape lost ground because of backroom shenanigans by billg and Co. After threatening to withhold technical information, they offered to carve up the market between them or else they would cut off Netscape's oxygen supply.

        `The delay in turn forced Netscape to postpone the release of its Windows 95 browser until substantially after the release of Windows 95 (and Internet Explorer) in August 1995. As a result, Netscape was excluded from most of the holiday selling season.'

        "Microsoft representative J. Allard had told Barksdale that the way in which the two companies concluded the meeting would determine whether Netscape received the RNA API immediately or in three months.'"

        `After Netscape refused Microsoft's offer to divide the browser market, Microsoft embarked on a predatory campaign to eliminate the browser threat'

        `In subsequent meetings in the Fall of 1995, Microsoft explained to Intel that its strategy would be to kill Netscape and control Internet standards'

        `in exchange for steering clear of the Windows browser segment Netscape would be made a preferred Microsoft partner'

        "I'll be telling clients to go with Microsoft products, because they're more secure than F/OSS. And I don't want to see that happen.", ronkronk

        I'm really an Open Source advocate except for bla, bla, bla

        http://www.usdoj.gov/atr/cases/f2600/2613-1.htm [usdoj.gov]
        http://www.theregister.co.u [theregister.co.uk]
        • by LocoMan ( 744414 )
          One thing I do disagree with you... IE5 when it came out was better than the version of netscape out at that time, at least in my experience. It felt a lot slower (not sure about how faster/slower it loaded the websites, but the program itself felt a lot slower and heavier than IE5) and it crashed much more frequently too. I remember I had a net cafe back when IE5 came out, and ISPs gave CDs with netscape on them to new customers, and I had people bringing their computers for me to install it (and I kept a
          • by rs232 ( 849320 )
            "One thing I do disagree with you... IE5 when it came out was better than the version of netscape out at that time, at least in my experience. It felt a lot slower", LocoMan

            How can IE be better if Netscape don't have access to the API. I'm not sure if you actually read, but here are the relevant quotes, again.

            "Test results showed that Communicator 4.6 beats IE 5.0 in browsing speed over a modem connection"

            "The delay in turn forced Netscape to postpone the release of its Windows 95 browser"

            "I r
      • by stonedonkey ( 416096 ) on Wednesday October 11, 2006 @01:34PM (#16395829)
        I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0). It was painfully obvious that Microsoft had missed the Internet boat, and shortly thereafter, Bill Gates sent his historic all-hands memo pointing the company in the direction of the Internet.

        [Hi, my name is Stonedonkey. I noticed that your extremely shitty post got marked "5 interesting." My notations will be in brackets. Enjoy!]

        It took them some time to get it right, but eventually IE took over.

        [By being bundled into every version of the OS for the last ten years.]

        Now, you'd have a hard time finding a Microsoft product more complex than Minesweeper or calc.exe that doesn't connect to the Net somehow.

        [Specious exaggeration that isn't really relevant.]

        And let's not forget that Netscape provided Microsoft with some much-appreciated help in taking over the Web, by screwing up their own release schedule so badly that there never was a Netscape 5.0.

        [IE won because of its default desktop placement.]

        Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.

        [In what sector? Desktop consumers? Can you provide some supporting material for all these pronouns?]

        Make no mistake, this kind of event is exactly what a company that wants to get secure should be doing. Thomlinson's comments about how seeing their code exploited "hits people in the gut", and the fact that "he was glad to see the crowd of engineers taking things personally" -- these things are right on the money. These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.

        [That's great. But right now, I can get superior software for free. Then again, you didn't specify what sector you're talking about, so I can't say for sure.]

        In the meantime, Firefox exploits are cropping up at a seemingly greater pace. This worries me.

        [See the other guy's response about open source.]

          It looks like a repeat of 1997, when Netscape lost huge amounts of ground to IE by producing a product that wasn't as good as the competition.

        [There you go again, glossing over IE's default inclusion.]

        SP2 was huge leap forward in security for Windows and for IE, and Blue Hat makes it obvious that Microsoft is just going to get better at it.

        [Oh, shut yo mouth. SP2 was not a "huge leap forward." Not when MS was so far behind to begin with. It sealed some painfully obvious cracks, but I wouldn't hand them any trophies for it.]

        In the meantime, Firefox appears to be standing still on the security front, or maybe even losing a little ground.

        [A little subjective. Is your assured tone supposed to make your reaction generalizable and trustworthy?]

        Sure, it's still miles ahead of IE's security, but if IE keeps up the pace, it will overtake Firefox sooner or later -- probably sooner.

        [This is a contradiction. Or, at best, a back-handed compliment.]

        Is there any way the Firefox development team (and the OO.o team, and anyone else who's working on high-profile F/OSS projects) can take a lesson from Blue hat? Can we get together events like this of our own?

        [Will it be another failure of open source if we don't? Should I be surprised when you seize that "failure" as an example of some larger and wholly imagined problem?]

        If we don't, I can already see that by 2009 or so, at the latest, I'll be telling clients to go with Microsoft products, because they're more secure than F/OSS.

        [Suit yourself, Nostradamus. Maybe by then Microsoft will "share" some of its code to assuage your worries. By the way, how in the flaming fuck do you make the leap from "Mozilla" to "F/OSS"? I'm sorry, but that's pure jackassery, pal.]

        And I don't want to see that happen.

        [In that, we agree.]
      • I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0). It was painfully obvious that Microsoft had missed the Internet boat, and shortly thereafter, Bill Gates sent his historic all-hands memo pointing the company in the direction of the Internet.

        Compared to whom?

        I never used OS/2 or Amiga, but compared to Macintosh, Microsoft was WAY ahead on the whole internet thing. Apple didn't even release a PPP connection tool until, what, version 7.5 or so? Long after
  • Holes (Score:2, Funny)

    by Ice Wewe ( 936718 )
    ...In other news, Microsoft plans to patch the 17 holes created by these patches sometime by the end of the month.
  • yada yada
    god forbid they take it seriously
  • I'll start brewing the coffee. It might be a long night.
  • by MSFanBoi2 ( 930319 ) on Tuesday October 10, 2006 @09:14PM (#16386395)
    So, at least Microsoft is fixing them.

    Microsoft has bugs, people complain.

    Microsoft fixes the bugs, people complain.

    Apple releases an incremental update to OS X 10.2 to 10.3 and charge you for it ($129.00), and when they release a MASSIVE update in September, not a peep of complaints...
    • I think a difference is that to the best of people's knowledge, the holes in Apple's OS weren't being exploited in the wild prior to the patch. Apple is fixing the problems before they're exploited, not a week or two after.

      Time will tell though.
    • by Overly Critical Guy ( 663429 ) on Tuesday October 10, 2006 @10:38PM (#16387265)
      That "incremental update," as you ignorantly call it (nice nick, by the way), was a major version release with a whole new version of OS X, new features, and new technologies. It wasn't some minor service pack.

      And that massive update in September isn't so massive when you point out that it's the most we'll see all year. Meanwhile, Microsoft released an IE patch, then released a patch to fix the patch, then released a patch to fix THAT patch. And you wonder why people complain about Microsoft?
      • by Tim C ( 15259 )
        That "incremental update," as you ignorantly call it (nice nick, by the way), was a major version release with a whole new version of OS X

        If it was a major version release, it would've been 11. Going from 10.x to 10.y is by definition a point release, not a major release.

        Now to be fair, MS do the same thing - Win2k is NT 5.0, XP is NT 5.1. That doesn't change the fact that if Apple want me to think that 10.3 is "a major version release" they should name it as such.
          Yeah but you're saying something that could be seen as favourable for MS and unfavourable for Apple.

          So someone has to go and call you ignorant, and most of the time you get modded down....

          Too bad tho
        • If it was a major version release, it would've been 11. Going from 10.x to 10.y is by definition a point release, not a major release.

          Wrong. A major version update includes a major point release.

          That doesn't change the fact that if Apple want me to think that 10.3 is "a major version release" they should name it as such.

          So all it will take to make you think that is bumping a number? Simply examining the changes yourself isn't enough? Take a visit to Arstechnica and read Siracusa's reviews sometime.

    • Charges for incremental updates, like Windows 5.0 to Windows 5.1?

      The cost for that upgrade is about the same as a 5 pack of 10.3-10.4
    • Apple releases an incremental update to OS X 10.2 to 10.3 and charge you for it ($129.00), and when they release a MASSIVE update in September, not a peep of complaints...

      They re-did the entire PPC emulation layer (or at least heavily modified it). On my Mac Pro (Intel) it was 200+ MB, but my iBook ran to about 30ish MB. So it's pretty clear that about 160-180 MBs of that update was a Rosetta overhaul for speed and scientific apps. That wasn't 200 MBs of security updates, that was like 30 MBs of securi
    • Microsoft has bugs, people complain.

      Microsoft fixes the bugs, people complain.
      Ballmer throws a chair, people cheer!
  • It's a good thing we don't have a policy that requires that patches be thoroughly tested before deployment, or the next few weeks could have been really nasty.
  • by rolfwind ( 528248 ) on Tuesday October 10, 2006 @09:23PM (#16386463)
    I thought all those studies said that Linux had way more security bugs than Microsoft! The last report had Microsoft at somewhere around 52 security bugs and Linux at several times that.

    If I have my math right:

      52
    -26
    -----
      26 bugs left!

    Microsoft only has to fix them there 26 bugs until Windows is all perfect and flawless!

    *Does a happy dance!*
  • I don't think anyone feels that Windows is security hole free. I've not seen a security hole free OS. Does today's "news" not perhaps mean that Microsoft is spending more R&D on resolving these issues?
    • by dcapel ( 913969 )
      I actually saw a completely secure OS once, it was OSS, too. The code was in assembly (so the compiler can't introduce bugs), but I think I can translate it into C for you:

      int main()
      {
            while (1)
            { /* Ignore all input, especially those damn users */
            }
      }
      • I don't know how you count security holes, but it looks to me like there's a DoS attack that's quite easy to pull off against that code...
  • Yikes (Score:3, Insightful)

    by BeeBeard ( 999187 ) on Tuesday October 10, 2006 @09:36PM (#16386549)
    Given Microsoft's history of only fixing security holes when real exploit code is known to exist, should we assume the worst?

  • The story is that only 26 were patched.
    • The story is that only 26 were patched.

      If an automaker and its unhappy vict^H^H^H^Hcustomers keep finding major safety issues and design flaws in a line of cars, flaws that required fix after repair after parts replacement, all of which fail to correct the underlying problem(s), I think the manufacturer would be forced to recall the cars. Certainly lemon laws would apply in many states!

      How about a recall on Microsoft Windows XP? Microsoft could probably weasel its way into exchanging the clearly def
      • by drsmithy ( 35869 )

        If an automaker and its unhappy vict^H^H^H^Hcustomers keep finding major safety issues and design flaws in a line of cars, flaws that required fix after repair after parts replacement, all of which fail to correct the underlying problem(s), I think the manufacturer would be forced to recall the cars. Certainly lemon laws would apply in many states!

        So which OS are you thinking of that _wouldn't_ be classified as a 'lemon' ?

        • "So which OS are you thinking of that _wouldn't_ be classified as a 'lemon' ?"

          Almost any OS that is free... After all, it is hard to argue that Ubuntu (for example), should be flawless when it costs nothing and is in fact shipped out at someone else's expense if one asks for a few sets of the install discs. I run Ubuntu and although I've used Red Hat back when it (as opposed to Fedora) was free, I never really got into Linux. Ubuntu I am working to learn well enough that I never have to infect any of
          • by drsmithy ( 35869 ) <drsmithy&gmail,com> on Wednesday October 11, 2006 @02:11AM (#16389113)

            Almost any OS that is free... After all, it is hard to argue that Ubuntu (for example), should be flawless when it costs nothing and is in fact shipped out at someone else's expense if one asks for a few sets of the install discs.

            So if it's free it can't suck ?

            How about all those versions of Linux that *aren't* free ?

            Why waste money on a bigger, slower, pile of crapware from Microsoft when it offers nothing substantial in the way of practical improvements over the mess that is XP?

            It offers masses of "substantial, practical improvements". The important question people need to ask is if any of those are important enough to them to upgrade.

            What I'm reading these days is that the Vista release is being given the yawn treatment by many IT professionals.

            IT professionals are waiting for a) the server-side complement to Vista and b) the early rounds of bugs to be shaken out.

            In fact, I'm worried that security will be much worse on Vista than it is on XP since 3rd party security vendors are being prevented by Microsoft from hooking in at the level their code needs to run at to be most effective. I don't trust Microsoft to handle security issues. It has a pathetic track record. The programmers at MS clearly don't understand their own code.

            Sounds to me like you're buying into the standard anti-Windows and anti-Microsoft FUD.

  • This makes me REALLY wonder how many more there are.....
  • Microsoft plugs a record 26 security holes; Other 26,000 security holes wanted for questioning.
  • [insert obligatory MS fanboy praise here]

    As a Microsoft customer, I'm glad to see that they are releasing a whole slew of patches. As strange as it seems, I'm actually glad and feel MORE secure that they're releasing a lot of them. It gives the impression (however naive it may be) that they really are getting serious about finding bugs and patching holes. I know it's fun to bash on Microsoft but seriously, they aren't going through anything all that different than what the *nix world went through in the

    • For what it's worth, my home XP box downloaded 7 of the possible 26 patches. That's 19 patches that I didn't even need. Not too bad. And much better than having to download the updated ftpd, or httpd, or [insert exploited daemon here] source and manually compile it.

      I get the feeling that was supposed to be a jab at linux. It's a lousy one. A typical desktop linux install does not have httpd or ftpd installed and things most definitely aren't compiled from source -- in fact update systems in linux are in some a

      • by dave562 ( 969951 )
        I get the feeling that was supposed to be a jab at linux. It's a lousy one. A typical desktop linux install does not have httpd or ftpd installed and things most definitely aren't compiled from source -- in fact update systems in linux are in some aspects superior as they take care of all software on the machine. Don't make asinine comments about things you don't know about.

        It wasn't so much a swipe or jab at Linux so much as it was a statement to reinforce my position that the *nix world had similar secu

    • I have a couple of Windows boxes myself, but your post still makes me wonder how much MS pays you to post on Slashdot. Does it pay the rent? Seriously, I could use some extra cash for Christmas. Please email me with contact info.
    • by RKBA ( 622932 )
      I guess I'll never know if any of those patches apply to Windows 2000, because although I have a perfectly legitimate copy, I refuse to submit my computer to Micro$oft's intrusive scanning. It's only a matter of time before I switch to Linux completely, but I just haven't decided on which flavor of Linux/BSD to stick with yet.
  • They already announced [slashdot.org] that they were dropping SP1...
  • Is that the most quality of writing ?
  • Also of note, six of today's updates apply to fully patched Windows XP systems, and two of the flaws are actually present in Windows Vista.


    I'll bite...

    If a system is "fully patched," how do you apply an update? Doesn't the need for an update require that a system is, by definition, not fully patched?
