Linked by Thom Holwerda on Wed 12th Apr 2006 18:30 UTC
Microsoft's dominant Internet Explorer browser has undergone a major security makeover to plug 10 vulnerabilities that put millions at risk of PC takeover, address bar spoofing and information disclosure attacks. The monster IE update includes a fix for the 'createTextRange()' code execution flaw that caused zero-day drive-by downloads and a significant modification to the way the browser renders certain ActiveX controls. In all, Microsoft shipped five bulletins with patches for 14 different vulnerabilities in a range of Windows products. At the same time Microsoft has begun requesting that users upgrade their ME/98 machines because support ends July 11th, 2006.
Patch IE even if you do not use it.
by mOOzilla on Wed 12th Apr 2006 18:43 UTC
mOOzilla
Member since:
2006-04-11

Shouldn't we patch IE because some other apps like Yahoo Messenger (just one example) take dependencies on IE COM components even if we do not use iexplorer.exe?

Reply Score: 4

Nathan O. Member since:
2005-08-11

In a word, yes.

Reply Score: 2

Microsoft and Security
by Peter Besenbruch on Wed 12th Apr 2006 18:48 UTC
Peter Besenbruch
Member since:
2006-03-13

The Web site Securiteam has especially harsh things to say concerning the Windows Shell flaw. http://blogs.securiteam.com/index.php/archives/394 They imply this was a known 0 day that was discovered 700 days ago.

Microsoft also did a major "no-no" by bundling major changes in how Internet Explorer functions with these security patches. You should not bundle security fixes with changes in function.

Reply Score: 5

Feature Patch or Service Patch
by mOOzilla on Wed 12th Apr 2006 18:49 UTC
mOOzilla
Member since:
2006-04-11

Wasn't the motto with NT patches that NO NEW FEATURES were in service packs and hotfixes? This changed with 2000, XP and 2003 Server editions? When? Why? Blah blah?

Reply Score: 2

RE: Feature Patch or Service Patch
by Tom K on Thu 13th Apr 2006 00:18 UTC in reply to "Feature Patch or Service Patch"
Tom K Member since:
2005-07-06

No, you're thinking of the "extended support" phase. The first five years of the support life cycle include free security patches and free feature upgrades (which may come in Service Packs, hot fixes, etc.).

The next five years are the "extended" support phase, which means that security patches are still free and provided, but Microsoft will be taking no feature requests, and will not be releasing any feature upgrades unless you pay for them.

Reply Score: 0

And people think Safari has bugs...
by Luposian on Wed 12th Apr 2006 19:23 UTC
Luposian
Member since:
2005-07-27

IE has been getting "massive patches" since it was first released for Windows 95. They should rename Internet Explorer to "Patchwork Quilt", it's got so many patches nowadays!

For Microsoft: IE is the shame (for ever having been made). Windows is the curse (upon all users). Macs/MacOS X is the cure (for everyone)!

Reply Score: 3

Nelson Member since:
2005-11-29

Everything has its share of bugs; Windows is probably the most targeted system right now.

Any OS not in the spotlight would perform like Windows does. If/when Mac gains some leverage and becomes a little more mainstream, I'll expect you to go through the same, since frankly you lack the experience in it.

Maybe Microsoft should stop fixing bugs, since you complain either way about how your crappy browser, which a small percentage of the market uses, isn't buggy.

Bugs (even undiscovered ones) are still bugs. Remember that.

Reply Score: 3

el3ktro Member since:
2006-01-10

You and Luposian are talking about different things. He said IE is a very buggy piece of software, and the number of bugs in a product does not depend on how many users use it. As an example, Konqueror has very few bugs; I doubt it would suddenly have more bugs if more people suddenly used it. The other way round: if IE usage suddenly dropped to something like 20%, it would still have a lot of bugs in it.

Another important thing is how quickly bugs get fixed. It took almost THREE WEEKS for this very critical IE bug to get fixed now. By contrast, a few weeks ago Konqueror had a low-risk bug; news about this bug was spread sometime before noon (I read about this bug on a major IT news site at around 11:30), and when I got home from work in the evening at 17:00, Ubuntu told me there was an update for Konqueror. THAT'S how bug fixing should work.

Reply Score: 2

Nathan O. Member since:
2005-08-11

I'm sure Konqueror would have more bugs *noticed* if it were as popular as IE, but I'd be willing to bet that its architecture, design and execution would prove Konqueror less buggy given comparable scrutiny.

Reply Score: 2

Nelson Member since:
2005-11-29

Of course it does; if more people use it then it is a better target for exploitation. I doubt it's fair to judge how many bugs anything has, it's like calling a program foolproof. Things like this are yet to be discovered.

Microsoft fixes their bugs (whether or not I agree/disagree with them) in a speedy manner. They have a lot of things to consider when patching and they want to keep patching uniform so that people know what to expect and when to expect it.

Reply Score: 2

dylansmrjones Member since:
2005-10-02

MS is extremely slow to fix the bugs. It can take years or even decades, though in most situations it only takes a few months, and occasionally it can be fixed even faster than that (but that happens seldom).

Never has any company been capable of selling a system, as insecure and buggy as Windows, and receive for their (virtually non-existent) bugfix-policy.

From the time a security hole is found until MS fixes it, you can be sure to wait months in most cases. Occasionally years, or if you're lucky just a few weeks.

Reply Score: 2

dtravis7 Member since:
2005-07-14

OSX? Interesting, since BootCamp has been released, that Mac users all over the internet seem to be running to get Windows installed on their new Intel Macs. Makes me wonder about OSX.

Reply Score: 1

Smeagol Member since:
2006-01-16

What's there to wonder about it? Do you question Apple's commitment to Mac OS X because of BootCamp? Please.

Reply Score: 1

wow...
by helf on Wed 12th Apr 2006 19:54 UTC
helf
Member since:
2005-07-06

People want MS to fix stuff, then bash them when they do.

Idiots.

Reply Score: 2

RE: wow...
by bryanv on Wed 12th Apr 2006 20:34 UTC in reply to "wow..."
bryanv Member since:
2005-08-26

What you're insinuating is exactly right! Judging from the sheer number of flaws that need fixing, Microsoft is idiots.

I couldn't have said it better myself, there helf.


Oh wait, you meant the -users- giving them hell for fixing a defective product are idiots. Oops, my bad.

Reply Score: 2

RE[2]: wow...
by helf on Wed 12th Apr 2006 20:43 UTC in reply to "RE: wow..."
helf Member since:
2005-07-06

hey, good point! So we are all idiots. yay!

Reply Score: 1

RE[2]: wow...
by tomcat on Thu 13th Apr 2006 21:33 UTC in reply to "RE: wow..."
tomcat Member since:
2006-01-06

...Microsoft is idiots.

You don't say, Forrest? ;-p

Reply Score: 1

RE: wow...
by ma_d on Wed 12th Apr 2006 23:11 UTC in reply to "wow..."
ma_d Member since:
2005-06-29

It's pretty common practice in the software industry. In fact, closing bugs without creating new ones is a big deal. Few get it quite right.

Does it really surprise you that the fix to a large number of bugs include changes some people will dislike? And how does that make them stupid, or uneducated in the area?

Jackass.

Reply Score: 1

RE: wow...
by dylansmrjones on Thu 13th Apr 2006 06:41 UTC in reply to "wow..."
dylansmrjones Member since:
2005-10-02

Actually, people bash MS for being too slow and dishonest about the patch procedure.

Reply Score: 1

RE: wow...
by copper on Thu 13th Apr 2006 15:35 UTC in reply to "wow..."
copper Member since:
2006-04-13

No ... we want them to quit using the general public as beta testers for their crappy OS.

It's not like Windows is free - how about getting it right to start with?

Also Microsoft could: stop running millions of dollars of anti-Linux ads; stop knocking Apple for security holes (that is the pot calling the kettle black); stop trying to buy up all the patents they can, regardless of whether they invented the technology or not.

I could go on ... like how he ripped off the original DOS OS from a Seattle programmer to begin Microsoft.

Gates/Microsoft have never invented or coded anything that has any value - they steal or buy their technology.

Reply Score: 1

RE[2]: wow...
by ronaldst on Thu 13th Apr 2006 15:38 UTC in reply to "RE: wow..."
ronaldst Member since:
2005-06-29

@copper

Gates/Microsoft have never invented or coded anything that has any value - they steal or buy their technology.

How about Microsoft compilers?

Reply Score: 1

RE[3]: wow...
by Windows Sucks on Thu 13th Apr 2006 17:05 UTC in reply to "RE[2]: wow..."
Windows Sucks Member since:
2005-11-10

They prob got that code from BSD like their TCP/IP stack, FTP client and Telnet Client.

Reply Score: 1

Sloppiest Programmers on the planet.....
by ZaNkY on Wed 12th Apr 2006 20:36 UTC
ZaNkY
Member since:
2005-10-18

I was reading an article on theinquirer.net. The author said how he had to download 200 Mb worth of patches on a clean WinXP install. Let me quote him ;)

"I mean, this is a fresh installation of XP following the death of a hard disk. Of course, I’ve had to download a good 200Mb of patches from Vole HQ. 200MB! Sheesh, these guys have got to be the sloppiest programmers on the planet..."

http://theinquirer.net/?article=30948

I don't really keep up with how many patches come out per year, but I do know that things could be coded a LOT better (on MS's end of course) if you release so many patches at once, week after week.

--ZaNkY

Reply Score: 1

TaterSalad Member since:
2005-07-06

That could be said for any OS. I'll take linux as an example here. Install FC4 from cd, then see if you need to do updates on it. I'm pretty sure you will. And FC4 came out after WinXP did.

But on the bright side of things, if you're installing XP on corporate desktops you would only need to do the 200 meg download once, then make a slipstream CD of XP with patches. Home users are a different story.

Reply Score: 3

mmebane Member since:
2005-07-06

Why even 200 MB?

http://ryanvm.net/msfn/

Reply Score: 1

suryad Member since:
2005-07-09

You know, 52 MB worth of updates after SP2 ain't bad at all! SP2 was what, 110 MB? So that's a total of 162 MB of patches? Hmm... interesting metric.

Reply Score: 1

anyweb Member since:
2005-07-06

So, for someone reinstalling Windows XP Pro (the article didn't mention whether it was XP gold, XP SP1 or XP SP2), you could assume that it was XP gold, and that the end user had to download all patches (and/or service packs) released since then.

big download ? yep, big deal.

Try installing a linux distro from the time that xp was released and do apt-get update && apt-get upgrade -y or yum -y update (or whatever your distro wants to update itself)

then check how many megs of updates are downloaded....


I've had similar issues with fresh installs of distros recently released, especially if it involves OpenOffice.

I am glad that Microsoft are patching their products; however, I'd like to see them be more flexible on the timeframe of patch releases,

in other words, it would be great if they could release patches to 'critical' issues as soon as possible - instead of end users having to resort to third party patches to alleviate the issue.

cheers
anyweb

Reply Score: 4

prismX Member since:
2005-08-19

There are several issues affecting immediate patch release. Patch quality and compatibility testing is one of them. Windows is a very sophisticated OS and it runs on the majority of home and business workstations with millions of different settings and configurations. MS should provide a patch able not only to solve a specific problem, but also one that does not break applications or specific configurations. It is especially important for business users. Of particular importance, not to break compatibility too.

Another minor issue: a sysadmin cannot update a huge number of workstations every time; system administration requires scheduling, so a fixed patch release date is very good for business computing. And if some serious issue exists, the sysadmin may tighten security and change some settings to prevent the security bug being exploited, so a good sysadmin is not so unequivocally dependent on the OS patching.

The fact that MS patches products shows that they work hard to improve their product; if somebody does not like this, nobody convinces him to update Windows, it is the personal problem of each one. But it is wonderful that in a short time Apple released 6 big updates for their fanfared Tiger in addition to regular patches, and nobody even thinks to blame them.

People must understand that whether bugs are identified or not, they are bugs. The difference between Apple and MS is that Apple is praised for everything it is doing, MS is shamed for everything it does. All this, and of course other aspects, makes me think that most people are not capable of consecutive logical thinking; they are deeply dependent on trade tricks and advertising campaigns...

It is a great pity....

Reply Score: 5

ma_d Member since:
2005-06-29

Well, actually, Sasser convinced a lot of people to run their updates. But I suppose inanimate worms aren't really "someone."

Reply Score: 1

lemme Member since:
2006-04-13

>MS should provide patch able not only solve a specific problem, but also this patch should not break applications, specific configurations.

A patch that can break apps which weren't broken on the unpatched vulnerable system?

_Patch_ that can break _configuration_?

/me is looking at "Designed for Windows XP" sticker...Highly compatible? High code quality?

Oh my...

Reply Score: 2

smitty Member since:
2005-10-13

Try installing a linux distro from the time that xp was released and do apt-get update && apt-get upgrade -y or yum -y update (or whatever your distro wants to update itself)

True, but to be fair you should really only update the kernel (not kernel sources), a few libraries, and DE (GNOME or KDE). Because that is all that XP provides (actually quite a bit less than KDE). Otherwise you should include updates for MS Office, Visual Studio, etc. into the Windows updates as well.

Reply Score: 2

ma_d Member since:
2005-06-29

Ya know, there's a good reason why the apt update size and windows update size are completely incomparable:
1.) Apt just reinstalls the offending package. Microsoft reinstalls the offending file(s).
2.) Apt contains tons of feature upgrades, Microsoft typically makes those optional/recommended.

The really obnoxious thing about winupdate to me is redoing it, over and over. It'd be nice if they could at least fully automate it to where I start it. It runs. It reboots. It runs again (without me saying anything). It reboots, etc. Is there a program out there that does that which I should remember?

And for those who only have a WinXP CD, I think Microsoft will ship you an SP2 CD for a small fee these days.

Reply Score: 1

lemme Member since:
2006-04-13

Download sizes comparison: hmm...

first note: can you feel the difference between security fix and updating to _new version_?

second note: can windows update (or microsoft update) help any particular user update, say, acrobat reader? yum and apt-get (or whatever app your whatever distro is using for updates) can.


microsoft patch release timeframe...yep, here i completely agree w/you

cheers
lemme

Reply Score: 1

dylansmrjones Member since:
2005-10-02

Well, you only have to install the security fixes and critical bugfixes. All the small trivial point releases should not be counted. Only security fixes and critical bugfixes, as these are the only equivalents to Microsoft's updates.

And then it's a completely different matter when updating GNU/Linux. We are then talking about a few MBs, that's all.

Reply Score: 1

kaiwai Member since:
2005-07-06

I don't really keep up with how many patches come out per year, but I do know that things could be coded a LOT better (on MS's end of course) if you release so many patches at once, week after week.

Oh pulease, Fedora Core 5 has been out for less than 2 weeks, and there is already over 100MB worth of updates - so please, let's not try to declare that our respective shit don't stink.

The issue shouldn't be about the updates, but ensuring that the updates are released promptly with good documentation, and correct the problem as described in the errata.

The problem isn't the mistake, but whether you acknowledge it, fix it and then learn something from it.

Reply Score: 1

dylansmrjones Member since:
2005-10-02

Well, those updates are NOT security fixes NOR critical bugfixes, but merely point releases.

Microsoft do not release point releases this way, so they should not be counted in.

Reply Score: 1

A linux user gives credit to Microsoft
by fretinator on Wed 12th Apr 2006 20:54 UTC
fretinator
Member since:
2005-07-06

I am a dyed-in-the-wool Linux and BSD user, but I have to give credit to Microsoft on a couple of things:

At the same time Microsoft has begun requesting that users upgrade their ME/98 machines because support ends July 11th, 2006

WOW! That is about 9 years of free upgrades. How well supported is a 1997/98 version of RedHat, SUSE, or whatever? Microsoft has two things that impress me - long support for a product for free, and binaries from ages ago still run on a recent version of Windows. Many old Dos executables can still run under XP (granted, many don't). Go grab an early Redhat executable and run it on a recent kernel. Glib, what??

OK, start flaming me.

Reply Score: 5

Nathan O. Member since:
2005-08-11

Given the proprietary, binary-only nature of Windows, I have to agree that this is awesome of Microsoft (contrast with, say, Apple, whom I otherwise hold in high regard).

But contrast this offer with that of Linux distributors:

Microsoft: "We'll support our ancient products with security fixes for almost a decade."

Red Hat (for example): "We'll offer every version for free."

(Granted, many distributors have premium, nonfree versions, but those offer a different model.)

Microsoft offers security updates, Linux offers security and feature updates.

The flip side of this being that not much proprietary software is available for Linux, it's really a double-edged sword. But for my uses, one side of that sword is much sharper than the other.

Reply Score: 2

smashIt Member since:
2005-07-06

You can't compare Red Hat and Microsoft.

RH makes a package out of 3rd party software, and if you want support from them you have to spend a lot of money.

MS sells you software that was developed by them and offers support/updates for free.

@ZaNkY:
Stop reading theinquirer. They are as bad as /.
You only download >200MB when you get the full package of patches. If you download only those which are relevant for your system you'll end up with less than 50MB.

Reply Score: 1

fyysik Member since:
2006-02-19

not only DOS-binaries can run, but those also included -
e.g. EDLIN editor and much more:)

Reply Score: 2

Lettherebemorelight Member since:
2005-07-11

My "free" Windows 98SE license cost me around $200 if memory serves correctly. I downloaded Red Hat ISOs for free.

Reply Score: 1

Lettherebemorelight Member since:
2005-07-11

OK, start flaming me.

Now that I've read the full article, I'm going to have to flame you for not reading it.

Customers running Windows 98, Windows Millennium Edition and Windows 2000 (pre SP4) are affected, but because these operating systems are out of mainstream lifecycle support, there are no free patches.

Those users must pay for custom support to get protection, Microsoft said in the FAQ section of the bulletin.


Free stuff from MS sure costs a lot!

Reply Score: 4

fretinator Member since:
2005-07-06

Good point (I didn't read the article), I was just interested in the 98/ME line in the lead-in. I installed 98 not too long ago (for old games) and I was able to download a bunch of updates. I didn't notice they weren't releasing any new ones. I'm still just amazed that ANY support, paid or not, is available for such an old OS. I would like to see support like this for my Linux distros. I think (probably because I'm getting older!) that I have finally tired of the endless update cycle in the Linux world. However, I don't think I would want to go back to waiting for Longhorn/Vista since XP came out in 2001 (Debian Woody, anyone!). I just want to give credit to Microsoft for carrying customers a little longer than they need to. And I really would like to see binary compatibility given a little more attention in the Linux world. I'm tired of having to have the exact version of libraries, kernels, modules, etc. Every time a new version of GCC comes out we go through this cycle again.

Reply Score: 1

hal2k1 Member since:
2005-11-11

//"I would like to see support like this for my Linux distros. "//

There IS support like this from Linux distros. It is quite possible to run old applications on modern Linux distributions very easily and at zero cost.

//"And I really would like to see binary compatability given a little more attention in the Linux world. I'm tired of having to have exact version of libraries, kernels, modules, etc. Every time a new version of GCC comes out we go through this cycle again."//

There is no need (for the most part) for binary compatibility. Either update your system regularly from repositories, and you will be able to use new packages from those same repositories ... or don't upgrade your system/compiler and use a source-based distribution such as Gentoo and portage.

The choice is yours ... either way means you are still able to run today even quite ancient applications on your Linux system for no charge.

Reply Score: 1

Ookaze Member since:
2005-11-14

I installed 98 not to long ago (for old games) and I was able to download a bunch of updates. I didn't notice they weren't releasing any new ones. I'm still just amazed that ANY support, paid or not is available for such an old OS

This is the benefit of having a big company, and of having a monopoly. Picture that: you are forced to use an old OS everyone thinks is sh*t (crash prone, security nightmare, full of bugs), even Windows users.
And yet you are amazed. I find YOU are amazing, but not in a good way!

I would like to see support like this for my Linux distros

I don't !! Are you mad ? You want an old distro when the newer ones provide better tools ? What's wrong with you ?

I think that I finally have tired of the endless update cycle in the Linux world

You really think the endless update cycle is specific to the Linux world ?
I can assure you it's the same in the Windows world.

I just want to give credit to Microsoft for carrying customers a little longer than they need to

They don't. Only money talks, or everything is deprecated (VB6, old multimedia libs, MS Office viewers, ...).

And I really would like to see binary compatability given a little more attention in the Linux world. I'm tired of having to have exact version of libraries, kernels, modules, etc. Every time a new version of GCC comes out we go through this cycle again

Actually, no, you don't. The versions you are talking about are imposed on you by your package manager because it is responsible for keeping the system stable for you, and can't know everyone's install, so it has to streamline everything.
If you knew what you were doing, you could bypass these limitations without problem.
I update my GCC on live systems and never had a problem, I even update glibc live.
Binary compatibility is only a matter of keeping some old core libraries.

Reply Score: 0

hal2k1 Member since:
2005-11-11

"WOW! That is about 9 years of free upgrades. How well supported is a 1997/98 version of RedHat, SUSE, or whatever? Microsoft has two things that impress me - long support for a product for free, and binaries from ages ago still run on a recent version of Windows. Many old Dos executables can still run under XP (granted, many don't). Go grab an early Redhat executable and run it on a recent kernel. Glib, what?? "

It cost money to upgrade from one Windows version to the next.

OTOH for Linux, I have upgraded versions countless times for no charge. None.

You have a fundamental misunderstanding (or a deliberate misrepresentation - I'm not sure which) of the situation here.

There is no need whatsoever for a binary executable from circa 1995 to still run on a recent kernel if there is either:

(1) an up-to-date compiled version available from repositories for no charge, or
(2) source code from the early version available (even if it is no longer being actively supported).

For "early Redhat executables" normally both (1) and (2) are readily available. Even then most old binaries will still run on a recent kernel, despite what you claim above ... but if they don't then either option (1) or (2) above should be available (often both are) and the executable is still supported on a recent kernel.

For recent Windows kernels, however, a huge number of binaries from early versions of Windows will not run. And further, in the Windows world, a binary is normally all that you have for a legacy application, and neither option (1) nor (2) above is available.

The real situation is the exact reverse of what you imply. The real situation is that one is far, far more likely to be able to still run an early Linux application on a modern Linux kernel (in one way or another) for no cost than one is able to run an early Windows (or even worse, DOS) application on a modern Windows kernel - for any price.

Reply Score: 3

Windows Sucks Member since:
2005-11-10

Remember MS doesn’t actually give away patches for old OS's for free, they still support older OS's ONLY because they have enterprise customers who still use them! So they make patches for problems they fix for customers that pay for support and then they give the patches to everyone. If the business customers didn't use 98/ME and still pay for support (Which is waning now) you would not still be getting patches as home users.

And you wonder who is still using 98/ME. I work for the US government and the agency I worked for just went to Windows 2000 two years ago, and would not have done that if it wasn't for security problems with 95/98/ME. They were very happy with 95/98/ME and still have a few 98 machines in the environment!

Reply Score: 1

siki_miki Member since:
2006-01-17

You are right, MS has excellent compatibility with old software. However 16-bit support ends with the 64-bit version of Vista (and with XP64). Linux doesn't require that much compatibility because the usual apps running on it are open source. They get updated (maintained), even the most obsolete ones. For proprietary apps there may be a problem though.

Another big problem is running new apps on an older OS. For example, I had to go through much hassle to get a recent Pan (newsgroup reader) to work with an older version of the pcre library. My Scientific Linux 3 (RHEL3 variant) still defaults to the older version. Running some of the latest apps (games especially) on Windows 98 doesn't end much better either.

Maybe the best way is to use emulation/virtualisation. DOSBox, for example, tends to be a much better (though for some games still really slow) way to run DOS games than WinXP NTVDM.

Reply Score: 1

RE: A linux user gives credit to Microsoft
by Sheld on Wed 12th Apr 2006 21:12 UTC
Sheld
Member since:
2005-12-21

Well, I've been running Linux for even longer than that without having to pay for the privilege to upgrade.

And it's not exactly 'free upgrades' from Microsoft's part either, it's support in a free product (IE) for their older platforms. It's more as if Mozilla made Firefox available for RedHat 6, it'd actually be interesting to test this...

Reply Score: 1

fretinator Member since:
2005-07-06

it's support in a free product (IE) for their older platforms

Actually, I'm talking about the security updates, etc. still being available for Windows 98/Me. I think it is amazing that support for the OS is just now ending 8 or 9 years later.

Reply Score: 3

Havin_it Member since:
2006-03-10

Oh aye... nice of them to fix that WMF vulnerability for Win98/ME. Since my gf's WinME laptop came with a shell-based image previewer preinstalled, she'd be vulnerable to instant infection via a compromised website if they hadn't patched that'n.

...what's that you say? Never patched it? Not deemed 'critical'? Oh, sh...

Reply Score: 1

Good news for non-MS-oses
by Punktyras on Wed 12th Apr 2006 23:10 UTC
Punktyras
Member since:
2006-01-07

Talking about dropping Win98/ME support:
"Timing is unfortunate given Windows Vista's delay," he added. "Consumers with Windows 98 or Me will be looking at new Windows XP PCs -- or even a Mac -- instead of Windows Vista."

Reply Score: 2

A little slow
by Fuji257 on Thu 13th Apr 2006 01:14 UTC
Fuji257
Member since:
2006-01-24

http://www.microsoft.com/downloads/details.aspx?FamilyID=1e1550cb-5...

They cut service for WinME, which I think is completely acceptable; but yet the latest version/update of IE still has a 66 MHz 80486 on its system requirements.

Not a real clear message on where they stand.

Reply Score: 1

The part that scares me!
by Windows Sucks on Thu 13th Apr 2006 05:04 UTC
Windows Sucks
Member since:
2005-11-10

The part that scares me is there are holes that have been in some of their products 10 years plus!

And yes, Windows is the most popular product so it's the most attacked! But what does being attacked have to do with 10 year old flaws? It's not like the attackers are making the holes! That is why the "Having more machines out there, so you have more problems" train of thought does not hold water! All that being the most popular does is make the holes already there show up quicker and more often. But the holes were there nonetheless! Just shows that MS really only got serious about security when Windows XP SP2 came out (and there are still a ton of problems in that).

Also everyone remember MS doesn’t actually give away patches for old OS's for free, they still support older OS's ONLY because they have enterprise customers who still use them! So they make patches for problems they fix for customers that pay for support and then they give the patches to everyone. If the business customers didn't use 98/ME and still pay for support (Which is waning now) you would not still be getting patches as home users.

And you wonder who is still using 98/ME. I work for the US government and the agency I worked for just went to Windows 2000 two years ago, and would not have done that if it wasn't for security problems with 95/98/ME. They were very happy with 95/98/ME and still have a few 98 machines in the environment!

Either way, I am still shocked that there are things in Windows that they are patching that have not changed for years, yet there is still hole after hole after hole! Crazy!

Reply Score: 2

RE: The part that scares me!
by utopia on Thu 13th Apr 2006 06:09 UTC in reply to "The part that scares me!"
utopia Member since:
2005-07-14

I'm interested to know more about the "10 year old flaws" you've mentioned. Would you please point me to the resources detailing these flaws.

Thanks in advance.

Reply Score: 1

RE[2]: The part that scares me!
by Ookaze on Thu 13th Apr 2006 12:27 UTC in reply to "RE: The part that scares me!"
Ookaze Member since:
2005-11-14

I'm interested to know more about the "10 year old flaws" you've mentioned. Would you please point me to the resources detailing these flaws

This story is talking about bugs that affect MS OSes from Windows 95 to those of today. Hence the 10 year old flaws.
Basic math and logic.
Now, the resources should be in MS report.
Go blame them if it's not the case.

Reply Score: 1

RE[2]: The part that scares me!
by Windows Sucks on Thu 13th Apr 2006 12:40 UTC in reply to "The part that scares me!"
Windows Sucks Member since:
2005-11-10

If you look at all the flaws that are listed in the article above you will see that they apply to all versions back to Windows 98 (And would apply to older versions of Windows also if those versions were still supported)

Some of that comes from MS trying to support older versions of Windows with new software. But to do that they wind up writing flaws to support the old OSes and then rolling those flaws up into Windows XP and 2003.

The rest of the problems come from MS sometimes just pushing old software and techniques forward. For instance, the way Windows handles metafiles has been the same in Windows for ages, so when there was a problem with metafiles last year it applied to almost every version of Windows ever created.

For instance I have seen Dr Watson errors pop up in Windows XP! ??? How old is that crap! (Back from Windows NT 3.5)

Reply Score: 1

RE: Sloppiest Programmers on the planet.....
by kaiwai on Thu 13th Apr 2006 05:28 UTC
kaiwai
Member since:
2005-07-06

I don't really keep up with how many patches come out per year, but I do know that things could be coded a LOT better (on MS's end of course) if you release so many patches at once, week after week.

Oh pulease, Fedora Core 5 had been out for less than 2 weeks, and there were already over 100MB worth of updates - so please, let's not try to declare that our respective shit don't stink.

The issue shouldn't be about the updates, but ensuring that the updates are released promptly with good documentation, and correct the problem as described in the errata.

The problem isn't the mistake, but whether you acknowledge it, fix it and then learn something from it.

ps. Attention OSNews.com maintainers, fix the f--king edit feature, it's not working; better yet, mothball the whole damn site and use a decent forum software with a database that doesn't die when two people try to access the site at once!

Reply Score: 1

dylansmrjones Member since:
2005-10-02

These updates are not security fixes as such, but general point releases.

Only count in security fixes and critical bugfixes, as these updates are the only ones equivalent to the releases from MS.

Reply Score: 1

kaiwai Member since:
2005-07-06

These updates are not security fixes as such, but general point releases.

Only count in security fixes and critical bugfixes, as these updates are the only ones equivalent to the releases from MS.


Why? Some of those fixes recently in Fedora could be considered 'serious'.

Now I'm not trying to say that one is better than the other, because quite frankly, the quality of software overall is pretty shocking, but at the same time, let's not play the 'my software isn't buggy' trumpet because one can easily do a response.

Like I said, bugs aren't necessarily a problem if the respective company/organisation/project acknowledges their existence, promptly fixes them, and learns something from it.

For example, there is a security issue with a module; the organisation releases a patch and, in response, they audit that module of code.

If you think life is going to be easy for Linux in the future, it's not; you're going to end up getting proprietary software vendors demanding compatibility, customers demanding compatibility with old applications - and so this 'break compatibility for the sake of technological improvement' will no longer fly as the user base gets larger.

Microsoft, tomorrow, would LOVE to drop all backwards compatibility and workarounds; but they know if they did, they would lose customers and anger ISVs and IHVs, so they have to walk that tightrope between fixing and compatibility; when Linux gets larger, it'll face the same dilemma.

Reply Score: 1

dylansmrjones Member since:
2005-10-02

Why? Some of those fixes recently in Fedora could be considered 'serious'.

Yes, count in the serious fixes, but leave out anything which isn't equivalent to the fixes from Microsoft Update and/or Windows Update.

I'm not playing the "my software isn't buggy" trumpet. No one has done so in this thread. However, there have been certain posts claiming that all point releases in Linux should be compared with the bugfixes in Windows, rather than just comparing bugfixes in Linux with bugfixes in Windows.

I don't doubt you're right about demands from proprietary software vendors and customers, but it's unrelated to this thread on security fixes and bugfixes in Windows vs. Linux.

Reply Score: 1

kaiwai Member since:
2005-07-06

I'm not playing the "my software isn't buggy" trumpet. No one has done so in this thread. However, there have been certain posts claiming that all point releases in Linux should be compared with the bugfixes in Windows, rather than just comparing bugfixes in Linux with bugfixes in Windows.

I don't think that either should be compared to the other; if one wishes to advocate Linux over Windows, using subjective jingoisms like 'it's more secure' or 'it's more stable' merely brings the quality of the overall discussion down to 15-year-old fanboy level.

I don't doubt you're right about demands from proprietary software vendors and customers, but it's unrelated to this thread on security fixes and bugfixes in Windows vs. Linux.

How so? Security bug fixes can just as easily stuff up compatibility as a bug fix; just look at what happens when a bug is fixed in Mozilla, and there are half a dozen applications that rely on Mozilla.

So no, Linux isn't immune to the basic laws of programming; you can f--k things up easily and compatibility can be broken, irrespective of whether it's a bug fix or security fix.

Reply Score: 2

Ookaze Member since:
2005-11-14

I don't think that either should be compared to the other; if one wishes to advocate Linux over Windows, using subjective jingoisms like 'it's more secure' or 'it's more stable' merely brings the quality of the overall discussion down to 15-year-old fanboy level

Perhaps with your straw man, but the fact that any Linux distro is generally more secure than Windows (I can even go further and say there are few OSes less secure than Windows) is not subjective at all. Only zealots go on saying that any Linux distro is as or less secure than Windows.
Only MS execs can get away with such childish comments among adults, but I see at least you think they are at 15-year-old fanboy level.

How so? Security bug fixes can just as easily stuff up compatibility as a bug fix; just look at what happens when a bug is fixed in Mozilla, and there are half a dozen applications that rely on Mozilla

I've now abandoned Mozilla, but when I had it, no security bugfix patch ever changed anything in the dependent apps (mostly Galeon, Epiphany and OOo).
Guess what, even most point releases didn't change anything in the dependent apps.

So no, Linux isn't immune to the basic laws of programming; you can f--k things up easily and compatibility can be broken, irrespective of whether it's a bug fix or security fix

Of course, but it depends on the kind of bug. A bug that does not affect the architecture won't do any harm. Most bugs on Linux are of that kind; that's why they can be fixed and validated pretty fast, in a matter of minutes or hours.

Reply Score: 1

kaiwai Member since:
2005-07-06

Perhaps with your straw man, but the fact that any Linux distro is generally more secure than Windows (I can even go further and say there are few OSes less secure than Windows) is not subjective at all. Only zealots go on saying that any Linux distro is as or less secure than Windows.

Oh pulease, when you're releasing new versions of Linux distros every 6 months, and comparing it to a product which has been out for 5 years, what the hell do you think is going to happen?

Let's compare like with like: a distro released in 2001, the same time as Windows XP, and share the comparison; I certainly don't rush around making bold claims that Windows XP is more or less secure, as it would be nothing more than a childish tit-for-tat comparison.

Only MS execs can get away with such childish comments among adults, but I see at least you think they are at 15-year-old fanboy level.

They are; they're just as childish as those who claim that Linux is more secure. If Microsoft executives wish to gain some credibility, why don't they first publicly acknowledge that Windows XP, like 2000 and NT4, fundamentally sacrificed security in favour of ease of use and backwards compatibility.

That is the problem with Windows - not necessarily the code, or the actual NT design which is on paper, but the harebrained sacrifice they made to accommodate lazy ISVs unwilling to update their software rather than say, 'here is a line in the sand, we're going to put security before backwards compatibility' - and those who don't keep up, well, those ISVs who don't update and provide compatibility for the end users will just have to put up with fewer people purchasing their product.

I've now abandoned Mozilla, but when I had it, no security bugfix patch ever changed anything in the dependent apps (mostly Galeon, Epiphany and OOo).
Guess what, even most point releases didn't change anything in the dependent apps.


Incorrect; the best example would have been, be it a while back, when Mozilla needed to be updated, but Epiphany relied on Mozilla being installed, so both had to be updated at the same time.

READ MY POST!!!!!!!!!!!!!!! there is NOTHING wrong with this, AT ALL, but at the SAME TIME, let's also remember that Microsoft isn't in the same boat; they can fix up a feature, then they must create something which allows those applications which rely on the broken feature to keep working.

If Microsoft could turn around tomorrow, purge out all the workarounds, and fix them as required, you would never have any problems with Windows in reference to patches not working as intended, but the simple fact is, Windows development is hamstrung by the ISVs and their unwillingness to maintain and provide support to their customers, so Microsoft, whenever someone's application doesn't work, gets the blame, when the reality is, it's the application vendor who has the responsibility to provide an update to maintain compatibility, NOT Microsoft.

Of course, but it depends on the kind of bug. A bug that does not affect the architecture won't do any harm. Most bugs on Linux are of that kind; that's why they can be fixed and validated pretty fast, in a matter of minutes or hours.

Same with Windows; the Windows NT architecture isn't flawed, the flaw is in the implementation; the fact that they had ActiveX so open you could fly a 747 through it, the bright-eyed optimism that 'no one would ever abuse that feature!'.

If there is one failure with Microsoft, it's their overly optimistic view of end users and the internet; they should have designed Windows XP with the assumption that every end user is a clueless moron who doesn't know the first thing about maintaining and securing a computer, and that every user on the internet is a potential cracker who will abuse every feature you give to them.

It's about taking the worst possible scenario and basing a product around that, the old story of 'never underestimate your enemy'.

Reply Score: 1

Ookaze Member since:
2005-11-14

Why? some of those fixes recently in Fedora could be considered 'serious'

And most could not, but that's not the point.

Now I'm not trying to say that one is better than the other, because quite frankly, the quality of software overall is pretty shocking, but at the same time, let's not play the 'my software isn't buggy' trumpet because one can easily do a response

I see one is better than the other, sorry. One can run for years with updates without rebooting, the other can't.
But the worst is that one has LOTS of ARCHITECTURE bugs, which are the worst kind of bugs.
Why do I say that? Because most Windows bugs stay for years or months, because MS can't fix them without breaking other things.
That means fixing these bugs requires architecture changes in the program. While most security bugs in the FOSS world are non-validated data or buffer overflow kinds of bugs.
The kind of bugs that won't break anything once fixed (unless you fix sloppily, which happened once or twice), and that can be fixed in minutes, a bit more in multi-threaded apps.

If you think life is going to be easy for Linux in the future, it's not

I say it will.

you're going to end up getting proprietary software vendors demanding compatibility, customers demanding compatibility with old applications - and so this 'break compatibility for the sake of technological improvement' will no longer fly as the user base gets larger

BS. Proprietary software has the source, and can adapt without ANY problem (see NVidia).
Old applications basically only need old compatible libraries, which is easy to do and already done in lots of consumer-grade distros (the famous compat-libs packages).

when Linux gets larger, it'll face the same dilemma

Linux already faced this (like with Oracle) and already manages this, sorry to disappoint you.

Reply Score: 1

Angel--Fr@gzill@
Member since:
2005-12-23

!!!

What about MS stopping all the greedy marketing and business of the future Vista OS and Office, other software ... during the rest of this whole year, and declaring it "MS Patch Year" for all their software...!!! ;)

It would be more beneficial to humankind than all the donations made by Bill to charities in order to save taxation... ;)

I wonder if they would have enough time to patch everything in one year, though...

Yeah, I know... I just woke up! Good morning...

!!!

Reply Score: 1

At what point?
by Caspian on Thu 13th Apr 2006 17:28 UTC
Caspian
Member since:
2006-01-01

At what point should you rewrite the code? I think almost a decade is long enough. Yet 7.0 is still based off 1.0.

Sad really.

Reply Score: 1

More like ...
by aGNUstic on Thu 13th Apr 2006 20:06 UTC
aGNUstic
Member since:
2005-07-28

"Also Microsoft could: stop running millions of dollars of anti-Linux ads, knocking Apple for security holes (that is the pot calling the kettle black), trying to buy up all the patents they can - regardless of whether they invented the technology or not."

I would say it's more like a galaxy-sized gravity-well, read MS, calling Sol, Linux, a gravity hog.

Reply Score: 1