Linked by Thom Holwerda on Fri 7th Jul 2006 13:28 UTC
Microsoft plans to issue patches for 'critical' Windows and Office security problems as part of a regular update scheduled for Tuesday. The software company said in an advisory Thursday that it will issue four bulletins for Windows flaws and three for Office. At least one Windows and one Office problem are deemed 'critical', Microsoft's highest-risk category for security vulnerabilities, according to the advisory.
WGA required...
by xiaokj on Fri 7th Jul 2006 14:49 UTC
xiaokj
Member since:
2005-06-30

And the evil spreads...

I simply love my linux system where none of this nonsense exists. It's really horrid that I still have MS machines on the network to administer... I have people in the house that just won't change. They hobble on even when the Sasser hit... I hope WGA is the last straw for widespread chaos. That is the only thing linux can hope for...

PS: Well, other than Sasser, my MS machines rarely get hit. At least the Avast/Spybot/regular updates + strict sysadmin works. But the amount of workload to tighten security on Wintels only increases with each release. Thank the gods for cloning. I believe that's the only savior for Winsysadmins.

Reply Score: 5

RE: WGA required...
by monkeyhead on Sat 8th Jul 2006 03:01 UTC in reply to "WGA required..."
monkeyhead Member since:
2005-07-11

So Microsoft is releasing a 'regular update' with some security fixes...and somehow this relates to your distaste for WGA, even though you use linux and it doesn't affect you.

I'm sure I'm just being dense about making the connection... Maybe I used my Wintel laptop at work for too long today, and need to chill here on my gentoo box for a bit before it makes sense.

Reply Score: 3

RE[2]: WGA required...
by Rocinante on Sat 8th Jul 2006 04:59 UTC in reply to "RE: WGA required..."
Rocinante Member since:
2005-11-18

afaik MS mandates WGA to update now. That could be the connection.

Reply Score: 1

RE: WGA required...
by Rayz on Sat 8th Jul 2006 08:33 UTC in reply to "WGA required..."
Rayz Member since:
2006-06-24

Mmm ... I think you've made a mistake.

WGA is not required to download any critical fixes.

>> That is the only thing linux can hope for... <<

Really?

Oh dear ... :-(

Reply Score: 2

Sigh - More oil leaks
by RawMustard on Fri 7th Jul 2006 14:49 UTC
RawMustard
Member since:
2005-10-10

How about - Instead of giving me a new and improved oil pan for my driveway, you fix the rear main seal?

Reply Score: 5

well
by liamdawe on Fri 7th Jul 2006 15:11 UTC
liamdawe
Member since:
2006-07-04

Who didn't see this coming...haha

Reply Score: 1

RE: well
by xiaokj on Fri 7th Jul 2006 15:24 UTC in reply to "well"
xiaokj Member since:
2005-06-30

I'd rather they release patches than not... at least they are trying to save the net from degrading into total botnets. I don't think many sites can handle DDOS attacks by all those wintels out there...

I don't mind spending the effort to patch my coms. It's the requirement of WGA irking me. Other than the deflated bug count and completely obscure patch advisories. And Windows Malicious Software Removal Tool? I sincerely hope nobody takes it seriously...

Reply Score: 3

RE[2]: well
by ma_d on Fri 7th Jul 2006 15:38 UTC in reply to "RE: well"
ma_d Member since:
2005-06-29

I don't think I'd say "save the net." I think I'd say "not be responsible for the bad things on the net..."

Reply Score: 3

RE[2]: well
by DonQ on Sat 8th Jul 2006 14:06 UTC in reply to "RE: well"
DonQ Member since:
2005-06-29

And Windows Malicious Software Removal Tool? I sincerely hope nobody takes it seriously...

Actually this tool (MSRT) is in some way more efficient than commercial antiviruses - not by amount of detected malware, but due to the automated delivery and PC scanning every month.

MSRT is basically meant to kill most annoying malware, like rootkits, botnets and some aggressive worms. Dealing with infected PCs on a daily basis, I've noticed a substantial drop in this kind of malware after the introduction of MSRT by Microsoft.

Some information and data about MSRT:

http://www.microsoft.com/security/malwareremove/families.mspx
http://news.com.com/Microsoft+Zombies+most+prevalent+Windows+threat...

Reply Score: 2

RE[3]: well
by Rayz on Sun 9th Jul 2006 05:13 UTC in reply to "RE[2]: well"
Rayz Member since:
2006-06-24

The MSRT is just a tool to gauge the size of the virus/malware problem. Removal of the virus is just a polite courtesy.


And the results? Just over 2% of the machines tested had a virus. Between that and the release of OneCare, it's not surprising that the likes of Sophos are sniffing round Macs for a new market.

Reply Score: 1

patches
by CPUGuy on Fri 7th Jul 2006 15:37 UTC
CPUGuy
Member since:
2005-07-06

Wait wait wait...


So releasing patches is a bad thing?






SHUTUP, seriously.

Reply Score: 1

RE: patches
by Dias on Fri 7th Jul 2006 17:04 UTC in reply to "patches"
Dias Member since:
2006-02-20

Seems so...

People blame MS for releasing bugfixes but they love Ubuntu with daily updates. Seriously, I don't get it.

Reply Score: 5

RE[2]: patches
by SlackerJack on Fri 7th Jul 2006 17:48 UTC in reply to "RE: patches"
SlackerJack Member since:
2005-11-12

The difference is it gets more functionality and newer versions, that's including bug fixes. When people pay 200 for Office you don't expect big service packs just for office software on top of OS patches, on top of OS service packs.

Reply Score: 3

RE[3]: patches
by orestes on Fri 7th Jul 2006 18:39 UTC in reply to "RE[2]: patches"
orestes Member since:
2005-07-06

Why wouldn't they?
Personally I'd expect people who pay for software to be demanding prompt resolution of issues, not sitting around whining about it.

Reply Score: 5

RE[4]: patches
by ma_d on Fri 7th Jul 2006 18:45 UTC in reply to "RE[3]: patches"
ma_d Member since:
2005-06-29

Several channels of distribution never leads to prompt resolution, especially when one of them is service packs.
People expect one update mechanism for the product, and service packs to only add value and not security fixes. Unfortunately, out here in the real world, they're gonna get both and I don't think that's an unreasonable thing.

Reply Score: 3

RE[3]: patches
by Bending Unit on Fri 7th Jul 2006 18:47 UTC in reply to "RE[2]: patches"
Bending Unit Member since:
2005-07-06

No it's not the difference. Ubuntu (my distro) and probably other Linux distros have to be patched regularly and often for security bugs, yet it's the best thing since self sealing stem bolts. Or is it a "you get what you pay for" issue?

Reply Score: 2

RE[3]: patches
by suryad on Fri 7th Jul 2006 19:53 UTC in reply to "RE[2]: patches"
suryad Member since:
2005-07-09

I see what you are saying. It is indeed annoying to need to have such massive Service Packs for even Office! What are we on...SP2 for Office?! And even so there are patches coming out every month now for an Office distro. How about Microsoft fixes problems right at the beginning before launching a product? It seems that the tried and tested rule of using Microsoft products is to wait till at least SP1 is out for the product to be stable and mature. I enjoy using Microsoft products for the most part because they are very easy and intuitive to use...now if only Microsoft fixed things up on the security side of things it would be a lot more pleasant computing experience.

Reply Score: 1

RE[2]: patches
by angryrobot on Fri 7th Jul 2006 18:46 UTC in reply to "RE: patches"
angryrobot Member since:
2006-04-26

How come I don't get daily updates for Ubuntu? ;)

I think people blame MS for having insecure software that needs to be patched every week for critical security vulnerabilities. Please try to prove me wrong, but I don't think Ubuntu has that kind of track record.

Remember...the patches for a distro like Ubuntu are for ALL software packages, of which there are thousands, not the basic operating system like this MS patch.

Reply Score: 3

RE[2]: patches
by Buffalo Soldier on Sat 8th Jul 2006 03:48 UTC in reply to "RE: patches"
Buffalo Soldier Member since:
2005-07-06

People blame MS for releasing bugfixes but they love Ubuntu with daily updates. Seriously, I don't get it.

There are two kinds of updates in Ubuntu GNU/Linux:
- normal updates
- security updates

Normal updates happen often (but not DAILY). They update functionality and additional capabilities. NOT bug fixes.

Security updates contain bug fixes. They do not happen DAILY either. There have been only a few security updates and those are usually during the first few weeks of a major version release. Plus the security updates team responds a lot more swiftly to bug reports and security holes compared to MS teams.

There are NO DAILY updates in Ubuntu. You must have been confused by the rigorous and frequent normal and security updates that happen in Ubuntu development/beta/pre-release versions. Of course those happen daily.

Reply Score: 3

RE: patches
by atsureki on Fri 7th Jul 2006 23:50 UTC in reply to "patches"
atsureki Member since:
2006-03-12

Sitting on a long list of flaws that even they admit are critical for a while and then saying "oh, by the way, *truckload of patches with a WGA chaser*" is a bad thing. It's basically dangling a virus over your computer and saying "install our spyware." Commending someone for making mistakes, regardless of whether they've fixed them, is also a bad thing. To (mis)quote Wicked, "there are none more celebrated than the rehabilitated." How about we stop singing the praises of murderers who find Jesus and software companies that think of security as an incremental reaction and start acknowledging those that are actually, as in reality, good? But noooooo, Microsoft is a saint for patching their own hole and OS X and Linux are worse than Hitler for knowing that their security is better.

Reply Score: 2

WGA Required?
by ma_d on Fri 7th Jul 2006 15:41 UTC
ma_d
Member since:
2005-06-29

Multiple people have mentioned WGA being required in this one and I can't find where it says that. It mentions WGA but I don't see it mentioning it being a required part of *this* update.

Reply Score: 3

Patches are nice
by Sphinx on Fri 7th Jul 2006 16:24 UTC
Sphinx
Member since:
2005-07-09

For what version and how long, they should put an expiration date on the box; "Good until 2007", or, "Best Before 2007".

Reply Score: 2

Me too!
by aGNUstic on Fri 7th Jul 2006 16:55 UTC
aGNUstic
Member since:
2005-07-28

I'm glad I'm past that too.

A non proprietary OS gives me more time to do `real` work in systems.

Constant patching is a curse for IT professionals since it takes away from `real` work.

Reply Score: 5

RE: Me too!
by Bending Unit on Fri 7th Jul 2006 18:51 UTC in reply to "Me too!"
Bending Unit Member since:
2005-07-06

And as we all know, open source software doesn't need any patching nor updates.

Reply Score: 2

RE[2]: Me too!
by aGNUstic on Fri 7th Jul 2006 21:27 UTC in reply to "RE: Me too!"
aGNUstic Member since:
2005-07-28

If you compare and contrast the time spent on proprietary vs. non-proprietary, well, having been in the industry for some time, the time required to download, even automated, and install requires a huge investment in time.

Nothing like having a staff member or faculty say, `Where's my files?` after an automated patch or upgrade.

Reply Score: 4

RE[2]: Me too!
by bornagainenguin on Sat 8th Jul 2006 03:06 UTC in reply to "RE: Me too!"
bornagainenguin Member since:
2005-08-07

Sure open source software needs patches; but how often do you install a patch for open sourced programs in order to get less functionality out of your computer?

--bornagainpenguin

Reply Score: 1

RE[3]: Me too!
by bornagainenguin on Sat 8th Jul 2006 20:39 UTC in reply to "RE[2]: Me too!"
bornagainenguin Member since:
2005-08-07

I don't see how what I said here is a troll, off topic, or a flame. Geeze! It's times like this I wonder why I bother to comment.

--bornagainpenguin

Reply Score: 1

Microsoft Office 2004 Mac
by s_groening on Fri 7th Jul 2006 17:18 UTC
s_groening
Member since:
2005-12-13

Actually, the latest update for Microsoft Office 2004 Mac, version 11.2.4, promises the following:

'This update fixes vulnerabilities in Office 2004 for Mac that an attacker can use to overwrite the contents of your computer's memory with malicious code. This update also fixes issues in Microsoft PowerPoint 2004 and Entourage 2004, and it includes all of the improvements released in all previous Office 2004 updates.'

...To me this seems like Microsoft code introducing serious security concerns in relation to otherwise 'secure' operating system software (http://www.sophos.com/pressoffice/news/articles/2006/07/securityrep...).... It had to happen, should Microsoft follow their own path...

Edited 2006-07-07 17:19

Reply Score: 2

WGA in Windows update ...
by WorknMan on Fri 7th Jul 2006 21:49 UTC
WorknMan
Member since:
2005-11-13

I don't mind the WGA politically speaking, but I wish the damn thing would stop showing up in Windows update. I've downloaded it successfully before, but at least twice a month I get a notice that updates are available, and it's nothing about this f**king WGA bit. Are we gonna have to download it twice a day pretty soon, or what?

Reply Score: 2

Just so I'm clear on this ...
by tomcat on Sat 8th Jul 2006 00:30 UTC
tomcat
Member since:
2006-01-06

... so when MS releases a patch, it's bad ... and when others do it ... it's good? Uhhhhhhhhhhh....

Reply Score: 1

RE: Just so I'm clear on this ...
by garymax on Sat 8th Jul 2006 03:24 UTC in reply to "Just so I'm clear on this ..."
garymax Member since:
2006-01-23

Any OS is going to need critical bug fixes and updates. But with Microsoft, you get more updates and security fixes than other OS's, and then there's the need to reboot between patches, making it a longer process, etc.

But the real rub with Microsoft is the fact that you are paying for their software. And if you part with your hard-earned money to get something, that "something" should at least be as good as a free counterpart--if not better.

Week after week Linux shows its stability and its security by out-performing Microsoft with a cost of *free*.

It wouldn't be so bad if Microsoft didn't charge so much for their software. But with Microsoft, you not only get to pay outrageous sums for mediocre software, you spend a good deal of your time messing with malware, spyware, security updates and bug fixes.

Good thing they don't charge you for that too...

Reply Score: 5

suryad Member since:
2005-07-09

Despite being an XP user I totally agree.

Reply Score: 1

tomcat Member since:
2006-01-06

Any OS is going to need critical bug fixes and updates. But with Microsoft, you get more updates and security fixes than other OS's...

I disagree -- because it depends on how you define "OS updates". Windows comprises not only a kernel but also all of the drivers and applications that ship with the product. Linux devotees tend to draw a distinction between these components -- but the fact of the matter is that, if you ship them on a CD with a distro and the packages are installable, users tend to think of them as one and the same, regardless of the technical distinctions. And, if you consider apps and drivers as part of a particular distro, then Linux has just as many (if not more) updates.

Granted, you get many of those updates faster than you would with Microsoft. But it's questionable whether businesses can consume patches with that kind of regularity. Usually, they have to stage the patched production system somewhere, test it, and then deploy after it passes some level of testing. That takes time; in fact, if I recall correctly, many of Microsoft's corporate customers told the company that they want monthly updates in order to help with their planning.

and then there's the need to reboot between patches, making it a longer process, etc.

Depends on the patch. Not all patches require a reboot.

But the real rub with Microsoft is the fact that you are paying for their software. And if you part with your hard-earned money to get something, that "something" should at least be as good as a free counterpart--if not better.

Linux isn't free -- unless your time is free. Mine isn't. There's always a cost associated with my time.

Week after week Linux shows its stability and its security by out-performing Microsoft with a cost of *free*.

See previous comment.

It wouldn't be so bad if Microsoft didn't charge so much for their software. But with Microsoft, you not only get to pay outrageous sums for mediocre software, you spend a good deal of your time messing with malware, spyware, security updates and bug fixes.

I don't spend any time messing around with malware. I don't run software contained in email attachments or unknown software from the Web. I don't mess around with updates because my machine automatically downloads and installs updates in the middle of the night. So, honestly, I fail to see why the TCO with Linux would be much better than that.

Don't get me wrong. I use Linux all the time on some of my boxes. It's a useful OS. I just don't think that its use and maintenance are free; if anything, I spend a lot of time hunting for information on problems that are readily taken care of by Windows, itself. But at least there are solutions, either way.

Reply Score: 1

garymax Member since:
2006-01-23

I can see your points but it is a little disingenuous to say that Linux isn't free unless your time is free. That argument won't hold water.

Linux is free as in cost. Microsoft's product is not. Out of the gate, there is a higher tco for windows. Even if you factor in the time element, I spend less time managing my linux box, never have to reboot after an update, and regardless of whether we're discussing the kernel or userland gui's, the amount and frequency of updates are far less and aren't as critical--usually-- than the updates for windows boxes.

Though XP is better than anything that went before it, it still falls short of Linux in terms of maintenance.

But this is just my experience.

YMMV

Edited 2006-07-09 00:08

Reply Score: 2

atsureki Member since:
2006-03-12

Linux isn't free -- unless your time is free. Mine isn't. There's always a cost associated with my time.

It could just be the dentist effect, but knowing my way around both Linux and Windows, the latter seems to take a lot more of my time to set up. Install has to be attended, initial updates sometimes require four or five reboots, I have to track down settings all over the place before the interface is what I would consider even usable, and I have to download extra software by hand with IE for all sorts of basic things, like opening archives and changing more unpleasant UI defaults. On top of that, Windows frequently hits snags where an entire reinstall is necessary. This isn't necessary as often as it used to be or as often as people still think it is, but the complete lack of manual control in Windows makes it inevitable sometimes.

With most modern Linux distros, I can type one line to initiate an automatic update of every package on the system and the addition of whatever other packages I want, and then walk away and watch a movie or have lunch. That is, if it's Gentoo. If it's Debian, maybe go to the bathroom and get a drink of water. And when it's done, only on the conditions that a) there is a new kernel, and b) I want to start using it now, will I ever need to reboot.

Setting up Linux seems like it takes a long time if you're learning how to do it while you do it, but once you learn it, it's very quick. With Windows, no amount of knowledge can speed up the process. The only way to do it is to follow the wizard and then reboot the system every time.

See previous comment.

Please try to avoid goto statements in comments. Everything he said was there before you started typing. Edit and respond appropriately.

Reply Score: 3

I don't see why this is news
by butters on Sat 8th Jul 2006 03:11 UTC
butters
Member since:
2005-07-08

I'm not normally "that guy" that questions why dumb submissions are posted on OSNews, but this is a little ridiculous. For one thing, there's no useful discussion that can come from this, as we have seen from the above posts and this one as well. It's flamebait _at best_, and otherwise it simply reminds us that Microsoft is going to release patches on the second Tuesday of July, just as they have done every other month for some time now.

OSNews doesn't post a story every time a Linux kernel dev tags a new .y kernel, and I don't understand how this is very different.

Reply Score: 3