Microsoft released seven security bulletins, including fixes for three critical vulnerabilities, as part of its monthly Patch Tuesday update delivered on Dec. 12. The software giant shipped 11 security patches in total, including a cumulative Internet Explorer bulletin and an update meant to fix a flaw in the Windows Media file format.
Looks like most (if not all) of these patches don’t apply to Windows Vista, which means that under the hood they’re doing something right. It’s always reassuring. I noticed the same thing for IE7, although I didn’t specifically look.
Well, when Windows XP came out, it was the same. Some years later, XP was seen as a big security hole in itself that had to be cured by the almighty SP2.
On the other hand, if you compare XP to 9x, there is a lot of progress, and I think they are heading in the right direction. Also, Windows 2003 Server has a good reputation security-wise.
Well, when Windows XP came out, it was the same.
No, it wasn’t. The same bugs were being patched in Win9x and Vista. But, in this case, the XP bugs being patched weren’t even present in Vista. This is a good sign.
Also Windows 2003 Server has a good reputation security-wise.
Did you know that Vista is built on the Win2K3 codebase?
Well, 9x had many bugs in kernel space which just couldn’t be there in the NT/2k kernel. For example, 9x was famous for the “ping of death” problem, which never existed on NT machines.
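The “ping of death” mentioned above was an IP fragment-reassembly bug, not an ICMP bug as such: the 13-bit fragment offset field (in 8-byte units) plus a fragment’s length can describe bytes past the 65535-byte IPv4 maximum, and reassemblers that copied each fragment into a fixed-size buffer without checking the sum overflowed it. The following is an added example (not code from the thread or from any Windows component) that models the arithmetic with constructed fragment tuples; the function names and the 1480-byte fragment payload size are assumptions for the demo.

```python
"""Added example: the reassembly-length check that the classic ping of death
violated. Fragments are modelled as (offset_field, payload_len, more_fragments)
tuples, constructed here for the demo; nothing is sent on the wire."""

IPV4_MAX_DATAGRAM = 65535          # total length field is 16 bits
IPV4_HEADER_LEN = 20               # header without options
FRAG_UNIT = 8                      # fragment offset is counted in 8-byte units
MAX_OFFSET_FIELD = (1 << 13) - 1   # 13-bit fragment offset field
ICMP_ECHO_HEADER_LEN = 8           # type, code, checksum, id, sequence


def fragment_end(offset_field: int, payload_len: int) -> int:
    """Byte position just past this fragment's payload inside the reassembled
    datagram (header excluded). Raises on an out-of-range offset field."""
    if not 0 <= offset_field <= MAX_OFFSET_FIELD:
        raise ValueError("fragment offset field out of range")
    if payload_len < 0:
        raise ValueError("negative payload length")
    return offset_field * FRAG_UNIT + payload_len


def reassembled_datagram_length(fragments, header_len: int = IPV4_HEADER_LEN) -> int:
    """Size of the datagram that reassembly would produce: IP header plus the
    furthest byte any fragment reaches. This is the value a safe reassembler
    must compare against IPV4_MAX_DATAGRAM before copying."""
    furthest = max(fragment_end(off, length) for off, length, _ in fragments)
    return header_len + furthest


def is_oversized(fragments) -> bool:
    """True when reassembly would exceed the IPv4 maximum, i.e. the condition
    that overflowed the fixed 64 KiB buffer in vulnerable stacks."""
    return reassembled_datagram_length(fragments) > IPV4_MAX_DATAGRAM


def make_fragments(total_payload: int, mtu_payload: int = 1480):
    """Split a payload the way a sender on a 1500-byte MTU link would
    (1500 - 20 header = 1480 bytes of payload per fragment). Used only to
    construct sample input."""
    if mtu_payload % FRAG_UNIT != 0:
        raise ValueError("per-fragment payload must be a multiple of 8")
    frags = []
    pos = 0
    while pos < total_payload:
        length = min(mtu_payload, total_payload - pos)
        more = pos + length < total_payload
        frags.append((pos // FRAG_UNIT, length, more))
        pos += length
    return frags


def ping_fragments(data_len: int):
    """Fragments for an ICMP echo request carrying data_len bytes of data
    (the value passed to `ping -l` on Windows or `ping -s` on Unix)."""
    return make_fragments(ICMP_ECHO_HEADER_LEN + data_len)


# Constructed samples: a default-sized ping and the classic oversized one.
NORMAL_PING = ping_fragments(1472)      # fits exactly in one 1500-byte datagram
OVERSIZED_PING = ping_fragments(65510)  # 20 + 8 + 65510 = 65538 > 65535
```

`ping_fragments(65510)` produces 45 well-formed fragments, each individually legal, and only the reassembled total is illegal; that is why the check belongs in the reassembler and why per-fragment filtering did not stop the attack. A sender is not even limited to this: an offset field of 8191 with any non-trivial payload reaches past 65535 on its own, which `fragment_end` accepts and `is_oversized` flags.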
“Did you know that Vista is built on the Win2K3 codebase?” – That’s the reason I mentioned 2k3 at all.
Well, when Windows XP came out, it was the same. Some years later, XP was seen as a big security hole in itself that had to be cured by the almighty SP2.
I seem to recall security holes in XP right out of the gate. Does anyone remember the huge Plug and Play exploit? I believe that one was unleashed before XP was ever released to consumers. No, XP was a big security hole from the beginning.
I’m not saying that Vista is any better though, I guess time will tell.
I can’t wait for the Vista exploits to start piling up.
Microsoft will be busy.
Can you believe that Microsoft is committed to security when they still have unpatched vulnerabilities in Win XP? Go look at Secunia.
When someone tells you Microsoft is good security-wise, spit in their face for me. Unpatched vulnerabilities are a disgrace.
While I’m sure Vista vulnerabilities will be all the rage, I’m sure we’ll see way more 2000/XP issues pile up.
Microsoft has to get people to upgrade somehow.
“While I’m sure Vista vulnerabilities will be all the rage, I’m sure we’ll see way more 2000/XP issues pile up.
Microsoft has to get people to upgrade somehow.”
Of course. But it’s still their fault to have coded a buggy OS, so they should continue fixing it as long as there are vulnerabilities. People paid them. They shouldn’t be obliged to upgrade because of Microsoft’s lack of ethics.
They shouldn’t be obliged to upgrade because of Microsoft’s lack of ethics.
Never ascribe to malice what can more easily be explained by incompetence.
They shouldn’t be obliged to upgrade because of Microsoft’s lack of ethics.
Never ascribe to malice what can more easily be explained by incompetence.
I wasn’t aware you considered Microsoft incompetent. Or have they started working on Linux behind my back?
I don’t consider Microsoft generally incompetent. But they certainly have been incompetent at times.
ActiveX and integrating the internet explorer tightly with the OS was and is a design flaw.
Microsoft will continue to support XP with security patches for a long time.
Microsoft is much better about this than OSNews fan-favorite Apple. Apple released OSX 10.2 on August 24, 2002, and Apple dropped support for it just 2.75 years later when they released OSX 10.4. If you have OSX 10.2 or earlier, you get no bug fixes or Security Updates.
Apple’s policy is to only support the last two 0.1 releases of OSX. And those releases are so frequent (every 12-18 months), that you normally get about 2-3 years of support before having to pay for an upgrade. So today they only support 10.4 and 10.3. Next year, they’ll only support 10.5 and 10.4. If you want Security Updates for a version earlier than the last two 0.1 releases, you are “obliged to upgrade” (and those upgrades aren’t free).
So while you inappropriately condemn Microsoft for cutting off support of XP, which they aren’t (any time soon), be sure that you also condemn Apple for really, truly, actually cutting off support for very recent OSes.
Yikes, I had no idea that the cycle time for end-of-lifing OS X versions was so short. Thanks for the post.
True, Microsoft has very lengthy support for previous operating systems. I suspect this is because, quite frankly, they have to. The end users (especially those of the corporate type) demand and require it, and typically Microsoft will go to great lengths to retain corporate customers. There are also various real-world exploits – more than just proof-of-concept vulnerabilities – that require patching.
On the other hand, Apple doesn’t extend this type of support because they really haven’t had to – yet. Apple can be extremely stubborn, but if the users screamed loud enough, I think they’d cave. They don’t have anywhere near the level of corporate clients as Microsoft does, and there aren’t any security exploits for OS 10.2 that have had significant implications for end users. Apple’s developmental cycle has slowed to about 24 months between releases and may slow even further, so support of 10.4 should be at least 4 years. OS 10.X isn’t bulletproof, and if some of the identified proof-of-concept exploits or viruses should come to fruition, I would expect that Apple would extend support to a greater degree.
OS 10.X isn’t bulletproof
No software is. An OS is just a piece of software. I bet there’re dozens of 0day exploits for every major piece of software in the wild.
The only reason MS support was longer is because they were unable to deliver Vista to the world. Don’t get it confused: Vista’s delay is the only reason 2003 and Vista have had such a long support run.
The only reason MS support was longer is because they were unable to deliver Vista to the world. Don’t get it confused: Vista’s delay is the only reason 2003 and Vista have had such a long support run.
That doesn’t explain NT4, which had a support run until June of 2004 with paid extended support going all the way into 2005 iirc.
// But it’s still their fault to have coded a buggy OS, so they should continue fixing it as long as there are vulnerabilities. People paid to them. //
Not so sure I agree with you here. Every product has a lifespan and a set of conditions under which it is warranted. It’s been a while since I read the XP EULA, but I’m fairly confident that it has a paragraph or two in there which states that Microsoft doesn’t guarantee the software will work / do what it says it will do. Of course I’m paraphrasing here. We all have to accept this EULA to install or use Windows.
As an analogy, take a motor vehicle for instance: you purchase one and it comes with a warranty period during which manufacturers will replace factory-born faults free of charge. Once that’s expired, it’s really up to good faith for this to continue. It’s my experience it doesn’t happen.
Cars that have serious safety faults are recalled, yes, but I’d be interested to know whether this is law or good company policy, or after an extended period of time a combination of both.
Now, granted that cars typically don’t come out with as many faults as, say, Windows XP did (you’d be a bit silly to suggest that); however, I can assure you that there are many factory-born faults in motor vehicles that simply don’t get the media attention that Windows does. I’ve worked with people who were pit engineers for the Bathurst 1000 super car race and spoken to mechanics whenever my car gets serviced – they all agree that it happens all the time, you just don’t hear about it. The media just isn’t interested in the fact that your air conditioner fails due to a factory fault.
Having said that, during the lifespan of the software, sure I completely agree with you, conditional that the problems are prioritised and fixed accordingly. If there are higher priority issues that are “in front” of lower ones and the lifespan of the software expires, then I’m “okay” with them not being patched.
One only has to take a look at the time Microsoft supports their recent operating systems, even extending them (e.g. Windows 98) to see that they do offer an excellent period during which they’ll release free of charge (rightly so) fixes.
If one isn’t happy that Microsoft has dropped support for their copy of Windows 3.11 or 95/98/Me then they always have a choice to drop Microsoft for an alternative such as a good Linux distribution.
There are choices here..
a) Upgrade to a new release of the operating system
b) Live with it
c) Drop Microsoft for a Linux distribution
d) Get a Mac
Btw.. Just to be clear.. I’m no Microsoft zealot, rather one who tries to have perspective.. I’m currently a Solaris systems engineer and previous to that a linux network / web admin for several years.
The analogy doesn’t work.
* Software doesn’t wear out.
* No set warranty
* Poor security on one machine, affects other users on the internet.
* People think they have a choice of cars.
* People own their cars
* Car companies are liable for faults in their cars.
etc. etc
The point wasn’t that a car is entirely equal to Windows. I really hate analogies because people seem to love ripping them apart just to prove a point, yet I still used one. Lesson learnt.
As for wearing out, sure that’s true in the literal sense (it’s just electronic data which can be duplicated). I’d argue though, that it can certainly wear out in the metaphorical sense (design standards for instance).
Remember we do in fact agree to the EULA, which I *believe* states no warranties are offered on Windows. It’s difficult on one hand to say that you accept the EULA but then demand patches 5+ years after it was released and subsequently dropped from support.
Additionally, I believe that each product has a lifespan after which you’re on your own. The length of time Microsoft supports their software is in my view excellent.
I don’t believe that Microsoft (or any software company for that matter) should be subject to an endless support requirement, especially when there are superseded versions of a product. It’d just be plain unreasonable that Microsoft is expected to support Windows 1x, 2x or 3x.
That aside, like I said you have a choice. Some people seem to think that when it comes to Microsoft, there are no choices. The fact is that in this situation it’s the opposite. I offered four without a great deal of thought. I’m sure there’s more.
It doesn’t wear out even in the metaphorical sense. What does that even mean?
I certainly do not agree with the EULA, and I’ll be honest: I’ve yet to read one I understand.
I think its criminal that warranties are not offered, and I mean criminal in the literal sense.
I do not expect a company to indefinitely *support* its software. I do not think it is too much to say 5 years of security fixes. I, BTW, do not think security patches are support. They should be legally obliged to do so as well as morally.
There absolutely are alternatives to windows, and without a great deal of thought, you can probably come up with more reasons of why those are not viable, although I’m happy to list them.
What? Car analogies always work! Always! You’re just missing the application.
It’s like, the car analogy is the car, right. If everything was perfect, you’d drive your car down the Autobahn, or maybe it’d drive itself because it’s fancy and European. In reality though, your car is a Chevette, and you’re outrunning a pickup full of shotgun-toting drunks down some backwards dirt road in the middle of nowhere. However, it still remains: you are in a car, driving at high speed, on a road.
So, while car analogies may not always seem appropriate, there is always at least a similarity, if not truth, to be had.
I can’t wait for the Vista exploits to start piling up.
Why? What kind of person (other than a researcher or an antivirus vendor) looks forward to security exploits? Are you a misanthrope? Or a F/OSS zealot?
Microsoft will be busy.
If Win2K3 is a guide (since Vista is built on top of the Win2K3 codebase), then there’s little evidence of that.
Can you believe that Microsoft is committed to security when they still have unpatched vulnerabilities in Win XP? Go look at Secunia.
So what. The criticality of each of the unpatched vulnerabilities is low. While that may offend your sensibilities, I would submit that your threshold for outrage is a bit too low.
When someone tells you Microsoft is good security-wise, spit in their face for me. Unpatched vulnerabilities are a disgrace.
Yep, misanthrope.
“Are you a misanthrope? Or a F/OSS zealot?”
You are only seeing black and white. There are a lot of Microsoft haters who are not FOSS zealots. There are even Microsoft haters that use Windows, like virus writers.
“If Win2K3 is a guide (since Vista is built on top of the Win2K3 codebase), then there’s little evidence of that.”
Only time will tell. In the meanwhile, I shall remind you that Win2K3 doesn’t enjoy much popularity as a desktop platform. It’s not the kind of OS most malware writers and security researchers are putting all their resources into. When Vista hits the streets, then we will see whether there are some nasty things the black hats have prepared.
But I disagree with the rest of the parent post content, about spitting. There’s ignorance all around us.
You are only seeing black and white. There are a lot of Microsoft haters who are not FOSS zealots. There are even Microsoft haters that use Windows, like virus writers.
Agree, but when you intersect the set of Microsoft haters with users of OSAlert, you’re likely to see more people coming from alternative operating systems, in my opinion.
Only time will tell.
Time already has told. We haven’t seen any malware for Vista during the betas at all. Now, I’m not naive enough to believe that malware writers are sitting on their hands, so I believe that the improved security (LUAs, better encryption, etc) are making a difference.
In the meanwhile, I shall remind you that Win2K3 doesn’t enjoy much popularity as a desktop platform. It’s not the kind of OS most malware writers and security researchers are putting all their resources into.
Are you seriously trying to suggest that malware writers aren’t trying to break Win2K3 server? I humbly disagree. Granted, there’s a different kind of malicious attack going on — more focused on remote exploitation through worms than locally-run viruses — but see my comments below on LUAs for more on that.
When Vista hits the streets, then we will see if there’re some nasty things the black hats have prepared.
Agree, but I wouldn’t be overly pessimistic, given the move to LUAs, which restrict the damage that a malicious app can do. Malware won’t have admin privileges anymore; therefore, it can’t install itself permanently, can’t start communicating (as a zombie), can’t infect binaries, etc. All in all, it should be a better experience all around for users.
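The claim above is about what a non-admin token can and cannot do, which is something you can measure on the machine in front of you rather than argue about. The following is an added example (not code from the comment above, nor a Microsoft tool): a PowerShell script that reports whether the current token is elevated and whether it can create a subkey under each of the two standard Run autostart keys. The function names and the temporary `LuaProbe` subkey name are assumptions for the demo; the registry paths are the real per-machine and per-user Run keys.

```powershell
# Added example, not from the comment above: measure what the current token can
# do. Function names and the 'LuaProbe' subkey name are assumptions for this
# demo; the two Run keys are the standard Windows autostart locations.

function Test-Elevated {
    # True when the token carries the Administrators role, i.e. the process is
    # running elevated rather than as a limited user.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-RegistryKeyWritable {
    # Attempt to create and immediately delete a temporary subkey. "Access
    # denied" from New-Item means this token cannot add an autostart entry here.
    param([Parameter(Mandatory)][string]$Path)
    $probe = Join-Path $Path 'LuaProbe'
    try {
        $null = New-Item -Path $probe -ErrorAction Stop
        Remove-Item -Path $probe -Recurse -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # machine-wide: admin only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # per-user: the user's own hive
)

"Elevated token: $(Test-Elevated)"
foreach ($key in $runKeys) {
    '{0,-55} writable: {1}' -f $key, (Test-RegistryKeyWritable -Path $key)
}
```

Run it once from a plain user session and once from an elevated one. From the limited session the HKLM line reads `False` and the HKCU line reads `True`: the per-user Run key, like the rest of the user’s profile, is still writable by a process running as that user, so what least privilege buys is containment to that user’s account rather than the absence of any persistence point.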
“Agree, but I wouldn’t be overly pessimistic, given the move to LUAs, which restrict the damage that a malicious app can do. Malware won’t have admin privileges anymore; therefore, it can’t install itself permanently, can’t start communicating (as a zombie), can’t infect binaries, etc. All in all, it should be a better experience all around for users.”
This is true. As Windows adopts more Unix/Linux-like security policies, it makes people feel more comfortable using Desktop Linux in general.
Practically all the Windows people I’ve introduced Linux to bitch and bitch about how you have to use the admin account to, well, admin their system.
This is true. As Windows adopts more Unix/Linux-like security policies, it makes people feel more comfortable using Desktop Linux in general.
But not more people. Just the same people.
If only open source had the kind of security record IIS6 and SQL 2005 have.
Edited 2006-12-13 04:43
Yeah, I guess after your product has been owned millions and millions of times costing companies in the billions… you start to pay attention.
If you compare published vulnerabilities, closed source software does great. It’s like a list of bugs: open source will have 10x as many because: A) the code is published and B) anyone can analyze it.
Bugs get noticed quicker and fixed quicker.
If only IIS and SQL server had the reputation for keeping data secure and keeping corporate information safe, like open source products do.
Yeah, I guess after your product has been owned millions and millions of times costing companies in the billions… you start to pay attention.
Isn’t that the point of customer feedback? Is that a negative in your book?
If you compare published vulnerabilities, closed source software does great. It’s like a list of bugs: open source will have 10x as many because: A) the code is published and B) anyone can analyze it.
No, security through obscurity never works.
If only IIS and SQL server had the reputation for keeping data secure and keeping corporate information safe, like open source products do.
IIS and SQL don’t need to live up to your contrived standards. They do fine on their own merits.
open source will have 10x as many because: A) the code is published and B) anyone can analyze it
Good argument for avoiding open source.
Thanks.
Why would one avoid open source because the code is published and anyone can analyze it? What’s wrong with that? Does it hurt the economy? Besides, you don’t basically use the code you see; one uses the compiled form of that code, isn’t it?
Why would one avoid open source because the code is published and anyone can analyze it? What’s wrong with that? Does it hurt the economy? Besides, you don’t basically use the code you see; one uses the compiled form of that code, isn’t it?
Perhaps they don’t want somebody to have insight into their dirty kitchen. They don’t want to share their bad coding practices?
As if you could use Linux on the server.
There’s no GUI to point and click on. Well, there could be, but a GUI on a server is just plain stupid.
But you miss the point completely. Open Source products will have more listed bugs because more people can find the bugs.
A closed source product like Windows has just as many, if not more (with Windows, more… lots more). But not as many PUBLISHED ones.
This is true, because all software has bugs regardless of its proprietary or open source nature.
The number of bugs which are identified actually has no correlation with the total number of bugs in the software, because with a large piece of software, that can’t be known. However, the hope is that the more bugs which are identified and fixed, the more bug-free the software will become. That’s the idea behind “many eyes make all bugs shallow”.
Whether that will play out in the long run has yet to be seen. But it does seem to be working in many respects. In the mean time, we will continue to be barraged by zealot’s flaming posts whenever these articles come out. And by zealots I mean people who can’t think objectively about these topics but rather let their emotions drive their decisions.
It seems there are quite a few of them that post regularly on here. I kinda wish they wouldn’t post these articles at all, because they are not really news. But I guess they result in a lot of traffic or something.
Actually the idea is that bugs will be identified and fixed because the code is open to inspection. But you know that.
I guess if they aren’t identified, then they don’t exist, right?
If only open source had the kind of security record IIS6 and SQL 2005 have.
And if only MS Office had the kind of security record IIS6 and SQL 2005 have, then your point might even be more than theoretically relevant to average Windows users. You know, the ones not running Server 2003 for their daily desktop work. As in, pretty much all of them.
Actually Windows 2003 Server has had several vulnerabilities, pretty much at the same level as XP, though the problems are smaller due to the default configuration in Win2K3.
It’s a great Desktop OS, btw. And quite safe, but don’t think that it is immune. Besides that Win2K3 codebase is a revision of the XP codebase – Win2K3 is basically XP Server
I don’t particularly put any blind faith in the security abilities of Vista – as far as I’m concerned, that’s an unknown quantity until Vista has been out for a while and achieves the same sort of population density online that XP currently has.
But it is pretty funny that the argument “it will/would be more exploited when/if it’s more widely-used” is dismissed when put forth to explain the absence of malware for OS X. And then the exact same argument is used to explain the absence of malware for Vista.
I like the fact that people are saying an OS that isn’t going to be launched for over a month and a half is secure because one Patch Tuesday doesn’t include patches for it. From my quick glance, it includes little to do with the OS.
It’s a problem with Media Player, Internet Explorer, codec handling, Visual Studio, Outlook Express.
The only thing I saw to do with the OS was file corruption on XP and 2000.
Security is difficult to measure, and on an untried OS impossible. At best you can say that Vista has improved the security *design* of Windows.
What I find interesting is that very few of these vulnerabilities attack the OS itself, but rather the bundled applications, and Vista has *more* of those.
That’s certainly true. I know when people flame each other over Windows vs Linux security one thing that the Linux crew argue is that it’s not the OS that is less secure, it’s the products attached to it (e.g. apache, sendmail, etc).
Perhaps this month it’s the same with Windows.. but in other months it can prove to be quite the opposite.
Frankly I agree with you about measuring security as well. Everyone likes comparisons to be based on fair playing fields and it seems as though these so-called security comparisons of both camp’s products have sufficient “level playing field” question marks to render them highly debatable.
Something I like to use is “out of the box” comparisons. Is one product, out of the box more or less secure than the alternative? Then you probably need to reconsider the scenario after hardening of the installs.
Indeed it’s difficult.
If their system is as stable as Win2K3 or some of their other programs like SQL and IIS, then I will be looking forward to this upgrade.
good info