Credits: ©1997/2004, Active Network. All Rights Reserved. Layout & Design by Designer Dream. Content written by the Active Network team.

Time: 07:26 EST/12:26 GMT | News Source: ZDNet | Posted By: Jonathan Tigner
Microsoft’s Patch Tuesday train will be empty this month.

An advance notice from Redmond says there are no security updates on tap for Tuesday, March 13, the day set aside for software fixes.

Microsoft said it is investigating “potential and existing vulnerabilities” but, because of its rigid patch testing routines, none of the updates are ready for this month’s release cycle.

“Creating security updates that effectively and comprehensively fix vulnerabilities is an extensive process involving a series of sequential steps. All updates need to meet testing standards in order to be released. This ensures that our customers can confidently install these updates in their environment,” a company spokesman said.

“There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges,” he added.

The last time Microsoft did not offer security updates as part of its monthly update cycle was September 2005.

#1 By 15406 (216.191.227.68) at 3/9/2007 9:31:37 AM
Good job, Microsoft. 5 zero-day exploits are running wild on Windows but no need for a patch this month. Oh well. Maybe they will be fixed next month.

#2 By 61 (12.108.60.37) at 3/9/2007 10:18:13 AM
Latch, MS's policy is if there is a major exploit in the wild they will release a patch when it's ready outside their normal patch release cycle (so as soon as it is available).
Also, you can't blame them for making sure their patches are working correctly.

#3 By 32132 (142.32.208.231) at 3/9/2007 10:37:50 AM
One of the reasons Microsoft does test its patches is to avoid situations like this one:
http://www.mozilla.org/security/announce/2007/mfsa2007-09.html
"moz_bug_r_a4 reports that the fix for MFSA 2006-72 in Firefox 1.5.0.9 and Firefox 2.0.0.1 introduced a regression that allows scripts from web content to execute arbitrary code by setting the src attribute of an IMG tag to a specially crafted javascript: URI.
The same regression also caused javascript: URIs in IMG tags to be executed even if JavaScript execution was disabled in the global preferences."
Sure, OSS fanatics like to brag about Firefox rushing out untested patches, but I think it's a bad idea.

#4 By 15406 (216.191.227.68) at 3/9/2007 11:01:38 AM
#2: So after enough people get burned, then MS will start to care? Great policy. I guess that's why there are 3rd-parties out there creating and issuing patches for Windows while MS ponders.
#3: Wow, you're right. I hope the Firefox team never gets into the position of issuing patches that break things in horrible ways. I also hope they never release a patch for a patch for a patch, because that would be really embarrassing for a software company, wouldn't it? And, as usual, your helpful link is for a bug that has already since been fixed. We all know how embarrassing it is for a software company to have bugs hang around for a long time without getting fixed.
btw, has MS' antivirus product scored any higher than last place lately? I'm not surprised it's failing, considering that it lets 17% of malware through.

#5 By 23275 (24.179.4.158) at 3/9/2007 11:33:21 AM
#4, Be careful about assessing anti-mal-ware efficacy based upon reported tests:
We use a mix/layered solution, and our reps have advised that a lot of the tests are rigged - to favor certain products and place other products in a bad light. In some cases, testers have used a select set of mal-ware that is designed to shape the results. Each anti-mal-ware suite can be set up to look worse than others and in a number of different ways - for example, what settings were applied, etc... the tests in many cases do not reveal how a product has been manipulated for which portion of the test(s).
There is a lot of bias against Microsoft. I would conduct your own tests and use your own conclusions before making a purchasing decision. I would also use a mix of solutions - combining third party filtering of mail objects for mal-ware/SPAM and an edge gateway, then a perimeter gateway and finally, host protections.
For small companies, they can use either a low cost edge appliance, or a SW product running with ISA 2004/2006 in addition to third party filtering of email. It is surprisingly inexpensive.
For SOHO/Home Networks, small edge appliances are inexpensive and work well alongside host based AV. I do not recommend people count on any "one" product to secure even one system - at a minimum, secure a third party filtering account for one user, and definitely consider a router/security appliance that screens all in and out-bound traffic. It does not cost much more, and it can help keep systems safer.

#6 By 32132 (142.32.208.231) at 3/9/2007 11:42:09 AM
#4 "And, as usual, your helpful link is for a bug that has already since been fixed."
Firefox just admitted it: http://www.itnews.com.au/newsstory.aspx?CIaNID=47238&src=site-marq
"The Mozilla Foundation issued a download this week that fixes a prior patch that they had issued in December.
The problematic update was issued for Mozilla's flagship Firefox browser and for its SeaMonkey application suite, according to an advisory. The vulnerability, which Mozilla labeled as 'critical', caused JavaScript problems and enabled hackers to remotely execute arbitrary code."
Firefox seems to be specializing in fixes for bugs that allow "remote execution of arbitrary code".
#4 "We all know how embarrassing it is for a software company to have bugs hang around for a long time without getting fixed."
It took Firefox 3 months to fix it.

#7 By 15406 (216.191.227.68) at 3/9/2007 12:32:27 PM
#5: Let me get this straight. When one of MS's paid-for studies says MS is wonderful, it's got nothing at all to do with where the money came from. But when more than one independent study concludes MS is crap, it's bias and chicanery. OK.
#6: I'm not sure how your dubious math came up with 3 months to fix it. It seems to me that it was (incorrectly) addressed in December. That's different compared to the MS method, where you just sit on it for 200+ days.

#8 By 23275 (24.179.4.158) at 3/9/2007 12:54:46 PM
#7, Latch, I was not speaking to any one vendor's product(s). You know that - and by the by... so would anyone else reading the thread - so why take the discussion in such a direction - what is the point of that? My recommendations are for people to use a layered defense in depth - which is more affordable than most people know and for them to seek out and formulate an equally balanced assessment - vice relying upon one product, or one test.
Why is it that you wish to seek out confrontations? What has made you so angry? It's silly and a waste of time.

#9 By 32132 (142.32.208.231) at 3/9/2007 12:59:28 PM
#7 "I'm not sure how your dubious math came up with 3 months to fix it"
December to March. 3 months.
"That's different compared to the MS method, where you just sit on it for 200+ days."
Which issue that allows "arbitrary code execution" without user intervention has taken Microsoft 200+ days to address?

#10 By 15406 (216.191.227.68) at 3/9/2007 1:46:16 PM
#8: I was countering your attempt to explain away MS' bad showing in the study as anti-MS bias. If you consider me voicing a contrary opinion to be confrontation, so be it.
#9: I don't remember off the top of my head. A year or two ago there was a stink when it was revealed that MS had been sitting on some serious bugs for many, many months. Of course, they could be sitting on a ton of critical bugs and we'd never know since their closed, proprietary dev system is secret. Does MS ever admit to a bug on their own, or do they wait for 3rd-parties to find them all for MS? btw, I wonder how many bribes will have to be delivered by MS to the DOT to get them to change their minds about Vista, Office2007 and IE7. People seem to get it, regardless of how many millions MS spends on Vista commercials that say nothing, that there's no *here* here.

#11 By 37047 (216.191.227.68) at 3/9/2007 2:09:44 PM
#9: The defect I saw, linked from the article, showed it being reported on January 29, 2007, and the fix was released on February 23, 2007. So, for the record, that is actually less than a month.

#12 By 32132 (142.32.208.231) at 3/9/2007 2:42:00 PM
#10 I'll ask again: Which issue that allows "arbitrary code execution" without user intervention has taken Microsoft 200+ days to address?
You try to smear Microsoft with made up crap all the time. Give it up. You are deranged.
#11 Since the patch was itself defective, I would argue the issue is as old as December 19th.

#13 By 12071 (124.168.205.173) at 3/9/2007 11:25:22 PM
#5 Surely you cannot blame ANYONE who has been here for longer than a week in assuming that your comments were specifically aimed at trying to stand up for Microsoft's product! You'd think, given that they have written the OS from the kernel up, that they should have the best protection available, even if it requires a few secret holes here and there. You know, similar, but more advanced, to the holes where certain addresses bypass the hosts file!
#12 "Which issue that allows "arbitrary code execution" without user intervention has taken Microsoft 200+ days to address?"
176 days - http://research.eeye.com/html/advisories/upcoming/20061024.html - remote execution of arbitrary code with minimal user interaction. So it doesn't quite fit your criteria as it requires minimal user intervention, but it's fairly close, and your computer is exploitable right now!
210 days - http://research.eeye.com/html/advisories/published/AD20060509a.html - take complete control over a vulnerable system to which he has network or local access. This one fits your criteria, the user doesn't have to do anything at all, except be unlucky enough to be on the same network as the malicious user.
163 days - http://research.eeye.com/html/advisories/published/AD20060110.html - execute arbitrary code on the system of a user who visits the site, at the privilege level of that user (which is admin in the vast majority of cases). This one is fairly close to your criteria, except it did take 37 fewer days than you requested.
224 days - http://research.eeye.com/html/advisories/published/AD20051108b.html - execute code on that user's system at the user's privilege level. This one is fairly close to your criteria, it does require a user to go to a "bad" web page, but users go to bad web pages all the time.
...
Check the rest of eEye for further examples - it's a good thing that they are providing information that Microsoft would rather have hidden away.
I can find you a lot more examples if you just point us all in the direction of the public bug tracking system that Microsoft are using where they report EVERY bug and vulnerability received, not just the ones they wish to mention on "Patch Tuesday", where they may or may not have been bundled in together with multiple other fixes.

#15 By 32132 (64.180.219.241) at 3/10/2007 10:32:39 AM
Close. But close doesn't count.

#16 By 23275 (24.179.4.158) at 3/10/2007 10:44:26 AM
#13, Clearly, my post is vendor agnostic and as clearly, recommends the use of a mix of security products from different vendors.
While Microsoft products don't need to be defended, objectivity, reason and the exercise of good form often do.
Since you have invited it, assessing Microsoft's Windows Live OneCare in the isolated context of AV scanning and detection efficacy is both incomplete and unwise. OneCare itself is representative of a defense in depth strategy that is designed to limit the surface area opposite connected systems and/or mitigate the consequences of systems exposure to various threats. OneCare, like many products inspired by it [Norton 360, for example], takes a broader and more balanced approach to helping make systems more secure and safer to use and at the same time, presenting a management and user interface appropriate for the market being served. Leveraging access to the Windows Security Center in the same way as any competing security product would, OneCare manages system wide security, performance and continuity requirements - combining protections with managed Windows updates, system maintenance and backup/restore features. Until OneCare, no other single product addressed system protection in such a comprehensive manner. From what I have read, Norton 360 takes this to the next level and competition being what it is, I suspect OneCare 2.0 and products from other vendors will carry it even further forward.

#17 By 12071 (124.168.205.173) at 3/10/2007 7:02:11 PM
#15 Read the 210-day one one more time and try again next time!
#16 I didn't invite it, I was merely pointing out what an average visitor to this site would read from your original post given that you basically write three different types of essays:
1) Pro-Microsoft and the very air they breathe;
2) Anti-Apple and their elitist nature; and
3) Anti-EU and everything they stand for.
If I have missed an important topic that you have written essay upon essay on I do apologize, but those are the three I have seen from you time and time again. Just to be clear, paragraph #2 of #16 falls under type #1 above.

#19 By 23275 (24.179.4.158) at 3/10/2007 8:00:25 PM
#17, #18 - While I disagree with some of what you write, I sure do appreciate and respect your passion. Most people do their best work when confronted with challenges and against what seem to be overwhelming odds. The same is true of companies.
It is entirely valid that the feature centric focus of customers opposite the explosive growth of connected systems got way ahead of Microsoft and most other companies' efforts to secure them. Against that challenge I am certain it can be supported that Microsoft and the industry responded and effectively so. I participated in all of the BETAs for OneCare, and two others - one for Symantec [I wrote here that I would, but could not speak to that experience owing to the NDA Symantec imposed] and one for Panda Software [one of the products I still buy for the enterprise - among three]. Users of OLE and WLOC who did not uninstall BETA versions before installing release versions may have seen the behavior you noted at #18. I couldn't replicate the behavior - though I did try. A removal tool was provided to assist users who did not follow installation instructions - one I have used to assist new home users.
Scanning and detection efficacy aside, there are other reasons to consider using products other than WLOC - one is scanning speed, which is slow, and the other is WLOC's seemingly endless systems tray chatter regarding what it has allowed to access the Internet. Like Vista's UAC, it needs to become more intelligent and remember what a user, in what security context, has done and willfully allowed.
I've written these as recommendations during the BETAs. For my own use, I do not use any host based AV - for my family, it depends upon the user. My wife and older kids use WLOC, but they are not constantly messing with their machines and WLOC just does its job and is more quiet about it. The younger kids are locked down tight as a tick and Panda Enterprise is used with multiple layers of protection opposite very restricted accounts. Of course these are inside many additional layers of external, edge and perimeter protections.
Thanks for the posts - I enjoy them a great deal.

#20 By 12071 (210.84.51.119) at 3/11/2007 3:29:43 AM
#19 I figured you'd enjoy this. Aside from OneCareless deleting your emails it appears that the "bug" I mentioned in #18 was originally found and fixed in a beta only to re-appear again in v1.5! Microsoft have even taken source code control to a whole new innovative level it seems where old bugs are re-introduced without anyone knowing. So much for the apparent rigorous testing cycle that they go through that you and Parkkker keep telling us about in defense of their slow patch releases! Their customers can finally take comfort in knowing that the rigorous testing cycle is anything but, that the patch they applied previously may suddenly be un-applied with an upgrade/patch and that they will be left waiting 200+ days for any of this to begin.
http://opinion.zdnet.co.uk/leader/0,1000002208,39286244,00.htm
It would be an interesting exercise for someone to go through all the past patches that Microsoft have put out and find how many of those have reversed themselves.

#21 By 23275 (24.179.4.158) at 3/11/2007 12:17:05 PM
#20 - Yikes - they still play rough in the U.K.
Yeah, the problem was/is a known one - in some cases and came from how systems were using the BETA and then moving to the release - leaving old installations in place.
As I said, I could not replicate the behavior - though we did try a number of times. The larger problem is how public BETA programs are managed - they seem to be used to grab market share early and opposite less experienced users who install BETA SW on production machines, or systems they depend on personally, one can see tragic results. Such problems are not limited to Microsoft software, however. Frankly, companies need to be very clear about what BETA programs are all about and while they can be used to drive interest, they need to be straight about how risky it can be. Companies seem to leverage interest and user desire to have access to free/new SW. There is good and bad in the practice, but BETA SW needs to come with huge red warning labels up front.
Having run many dev projects and funding them as well, I can't not see how tough it is to build quality SW - candidly, it is very hard and sometimes very bad results are produced initially. I assess far too few people get how hard it is to build even a basic product that is solid. As to the U.K. story and reader comments - I think they also need to print the BETA terms, conditions and recommendations - that is, write stories about that and properly advise users about the risks, etc... A lot has changed in the U.K./EU in the last 15 years - a new generation has come of age that I personally do not know. My perspectives are latent at best, so it is hard to relate to many stories, or that which motivates them. The open and inclusive nature of the net has given rise to younger voices and placed them at an equal station with those of older ones - not a bad thing at all, but one has to remember that what younger people know is based upon what they have seen and experienced, which must benefit from less shared history and exposure to fewer cycles - I'm not sure we've found a balance that is going to be needed in coming decades. One thing all people should consider is that despite how fast technology and the net move, many other things move much more slowly and as many more remain fundamentally the same. I think perhaps it is that from time to time, we expect things to evolve as quickly as the technologies influencing them - they don't and periods of regression are often imposed upon humanity. I can imagine what the starving, muddied knots of people felt as they struggled to survive in the shadows of great engineering examples left over by the nations and people that came before them - think on a family in the year 800 looking upon a bridge built by the Romans 700 years before them, and you'll understand what I mean. So often, when I see something that is held out as new.... I shudder... after recognizing that it isn't new at all - it's just new to whomever happens to be speaking to it in the present. The net hasn't prevented that at all - it's made it worse.
