Speaking of Microsoft shipping bad code, how about an absolutely humongous ‘patch Tuesday’?
Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three “zero-day” weaknesses that are already under active attack. Redmond’s inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017.
↫ Brian Krebs
Happy new year, Windows users.
Thom conveniently ignored other massive sources of vulnerabilities, such as a tiny Rsync utility, https://kb.cert.org/vuls/id/952657
It’s always “evil” “incompetent” Microsoft. Never mind multiple critical vulnerabilities in the Linux kernel every year, and pretty much in all open source software.
On the other hand, Thom might have noticed that Microsoft has started using AI to search for vulnerabilities, so they discover and fix more. Basically a win-win for their customers.
A myth of a thousand eyes has been debunked so many times that it’s not even funny anymore.
Artem S. Tashkinov,
I think you’re trying to troll us but most of us understand that there can be vulnerabilities in any software irrespective of software license. Anyone who’s worked on proprietary software will attest that the quality of code is not better on the proprietary side of the fence. There’s rushing and cost cutting everywhere. That’s the software industry for you.
I favor FOSS because it grants us more freedoms and yes it’s harder to hide nefarious activities.
Thank god we have you to defend the poor multitrillion dollar company from lone bloggers like me.
Crisis averted.
Thom, I’ve always thought that you strive to be unbiased, almost a journalist, and covering this story the way you did doesn’t do it justice. There is no complex software without bugs and vulnerabilities, and to say that Microsoft products are a sieve is kind of unfair.
You don’t have to be a “defender” of a multitrillion-dollar company to point out obvious bias.
If you want my opinion, Microsoft learned their hard lessons from the Summer of Worms and forces OEMs to accept security updates for Windows whether those OEMs want it or not. Meanwhile, the Linux kernel in all those Android smartphones and Internet of Shit devices… jeez, some of those devices are even shipping with months-old vulnerabilities from the factory, and most are patched never. The Linux Foundation could add something to the Linux kernel that auto-updates the kernel, but this would annoy several “partners”, so they are taking their chances with security like Microsoft did in the late 90s and early 2000s. And then there is the userland (either we are talking about Android or Desktop Linux), forked a million times by OEMs and also patched never. But since the blame for that can be conveniently assigned to a million places, let’s focus on the Linux kernel.
kurkosdr,
Focusing on the Linux kernel wouldn’t solve the majority of issues because the majority of issues aren’t with the kernel.
Even if the Linux Foundation has a back door, which, let’s face it, is what you’re asking for here, what are they supposed to do with it? The Linux Foundation can’t just update the kernel absent vendor patches and drivers. Vendors have to compile their own kernels. We can have a whole debate over the merits of stable kernel ABIs (my opinion here is clear, the lack of ABI has been bad for users), but for better or worse device owners are dependent on vendors for updates. And it’s not like the Linux Foundation can easily add new restrictions on the kernel to stop vendors from creating their forks… this is allowed by the GPL and Linux can’t change it. Maybe they could do something on trademark grounds, but the vast majority of phones/IoT devices/etc don’t specifically advertise that they run “Linux” and therefore even trademark licensing agreements are non-starters for this market.
Ultimately the lack of device support is obviously real, but it genuinely is the manufacturers’ fault. The Linux kernel is supported by Linux devs, but they can’t force manufacturers’ forks of the kernel (and more importantly proprietary userspace software) to be supported.
What you are describing is the architectural and licensing choices that make Linux a security nightmare. Instead, a pro-user effect of the MS-EULA is that it forces OEMs to accept security patches whether they want it or not, and they can’t fork their way out of it.
In plain English, Microsoft Windows is not the biggest security issue of IT like it was 20 years ago, all those various unpatched Linux devices are. This makes Thom appear extremely biased when he goes “hurr durr,,,, Happy new year, Windows users”. Or completely clueless, I am not sure.
Anyway, one thing that the Linux Foundation people could do is build an auto-updater in the Linux kernel and safeguard the “Linux” trademark from forks, much like Mozilla safeguards the “Firefox” trademark from forks. And no, an auto-updater is not a backdoor, modern update mechanisms rely on certificates to verify the update. Also, Google could safeguard the “Android” trademark from forks, or at least prevent unpatched devices from accessing the Play Store. That is, if either the Linux foundation or Google frickin’ cared about security. Which they don’t. When they eventually get their own version of Summer of Worms, they will start caring. Remember when Microsoft asked users if they want to enable Windows Update or not during OOBE back in Windows XP days? They’ve learned their lesson after the Summer of Worms.
kurkosdr,
The license was set in the 90s and I don’t think they can change it.
These devices happen to run Linux, but I think it’s wrong to say Linux is the reason they are unsafe or unpatched. After all the Linux kernel IS relatively safe and well supported. Many Linux distros are very well maintained, including those that compete against Windows on desktop PCs. Not only are they well maintained, but sometimes I even find Linux support on desktop to be superior to Windows.
As much as it sucks that there are many manufacturers who fail to provide long term support, I don’t think pointing the finger at Linux can possibly do any good because Linux isn’t the bottleneck here.
We can agree that manufacturers aren’t doing their job, but how exactly do you propose Linux kernel devs should fix this, especially given that the vast majority of exploits don’t attack the kernel head on but come in through unpatched user-space applications like web servers, streaming codecs, php, mysql, openssl, xz, etc.? These all need to be updated. The scope of this is clearly larger than the Linux kernel. Here’s an idea that I could get behind: device manufacturers get out of the operating system game altogether. This would fix most of the support issues. Have them use an existing well-supported distro instead of failing customers with their own.
When it comes to kernel vulnerabilities such as Futex (aka Towelroot), the fact those devices happen to run Linux is the reason they are unsafe or unpatched. The Linux Foundation not protecting their trademark and not having a means to automatically update the kernel being the cause.
I wonder how many Internet of Shit devices out there are still running kernels with the Futex or DirtyCOW vulnerability.
You can’t pick and choose, as long as those unpatched Internet of Shit devices can legally call their kernel “Linux” (for example in the About screen), they are “Linux”. Again, this goes back to the Linux Foundation not protecting their trademark (like Mozilla does for the Firefox trademark) and not having a means to automatically update the kernel.
The Linux Foundation and Google are the bottleneck here. Their trademark, their duty to protect it from forks that are never updated. Simple as that. Otherwise, that unpatched amorphous blob that is Android smartphones or Internet of Shit devices is legally “Android” and “Linux” respectively, and any reputational damage stemming from unpatched vulnerabilities in the base Android OS or the Linux Kernel should rightfully be assigned to Google or the Linux Foundation respectively.
Kernel vulnerabilities are the worst though, even if they are technically the minority. And not only is the Linux Foundation not doing anything about it, but they encourage forks that can’t be updated to the newer version even by the user, by allowing those forks to use the Linux trademark. And that’s what makes me mad.
What the Linux Foundation (and Google) are doing is the exact opposite of that. They throw OEMs a pile source code they can customize to their heart’s content to make their product just different enough from the competition (and achieve the shareholder-desired differentiation), without protecting the “Linux” or “Android” trademark from such never-updated forks, thus putting OEMs completely in charge.
Meanwhile, Microsoft does the reasonable thing: As an OEM, you are getting a copy of Windows that you can’t modify, you can’t disable the auto-updater (the OS will restore it), and you can’t modify critical system files (the OS will complain). Trying to ship a modified copy that changes this behaviour risks a call from Microsoft Legal. And you know what? That’s a good thing. It’s why Android and Internet of Shit devices are the major security problem today, not Windows. No matter what the neckbeards squealing about “my second freedum!!!” say. In the real world, you don’t get that second freedom, the OEM gets it (to abuse to their heart’s content).
BTW the reason your favorite Desktop Linux distro is well-maintained is because its market share is too small for the Samsungs and Lenovos to care about it. If your favorite Desktop Linux distro ever becomes popular, you can expect the Samsungs and Lenovos to want to ship their customized version of it that differentiates their product from the competition, and they will lock the bootloader so you can’t install a vanilla version of the distribution even if you want to (and the vanilla version is not guaranteed to work with the hardware anyway). Remember, Android started out as pretty much stock with unblocked bootloaders, then the OEMs had their way with it.
Yes, there is a small chance your favorite Desktop Linux distribution will protect its trademark, but let’s be real, they will bend over to OEMs for some pre-installs, like Google did and never managed to back out of it ever since.
But again, even if your favorite distro is well-maintained, you can’t pick and choose.
kurkosdr,
I’m not saying kernel vulnerabilities don’t exist. But the kernel IS MAINTAINED AND BEING UPDATED. You are scapegoating Linux even though they are objectively not the party at fault. If you use a maintained distro, you will get all the kernel updates. If you use an unmaintained distro, you won’t. It’s that simple. The Linux kernel is not the bottleneck. Your criticism really is severely misplaced.
I already specifically pointed out why “trademark licensing agreements are non-starters for this market”. You can go buy thousands of Linux devices online or from big box stores today and you’ll see no mention of Linux whatsoever. Manufacturers are selling these products under their own branding and there’s no trademark to license.
Maybe you’d like to see them start a licensing program on the grounds of long term support, and I think that would be a very good idea… but they have no way to compel manufacturers to participate in a trademark deal. Code-wise, the GPL explicitly protects forks from new requirements. They could try to encourage manufacturers to sign up, but it’s not clear to me they would, given that legally manufacturers are free to refuse and continue failing at updates.
But the kernel is fixed and maintained!!! I for one am furious with manufacturers for not allowing users to upgrade independently… and you should be too.
It’s open source… anyone is free to take the code and use it. Blaming the original developers for bad forks of their code is not a reasonable position to take! If your company published something as open source and then you got flak for someone else’s bad fork, you obviously would find that terribly unfair. The same is true here.
Well technically you can, but the question is whether one is allowed. I tried to look up Windows IoT manufacturing restrictions, but I couldn’t find any information about it. I am curious if you find anything about this. Windows isn’t very relevant in the IoT market, and in the desktop & server markets there are many Linux distros that are very well maintained on hardware going back decades, so those can’t really be used as an example of “Windows is better”.
kurkosdr,
I see that being a bigger problem with ARM. We’re fairly fortunate that x86 evolved around ubiquitous standards. Conceivably they could lock down x86 computers with their own Linux distro such that it couldn’t run anything else. But I think it would be a hard sell so long as there is a healthy market for x86 alternatives that don’t restrict distros.
I don’t know why you say they won’t enforce trademarks? You can’t fork debian/ubuntu/redhat/oracle/etc and call it debian/ubuntu/redhat/oracle/etc. Their respective trademarks are already being enforced. A manufacturer that wants to create their own fork is allowed to; they just have to call it a different name.
I still think the “Linux” trademark has some value, since it is used in some boxes (for example Enigma boxes), but anyway, my main gripe is with Google, since they have the power to both protect the “Android” trademark and ban any forked (or at least not updated) devices from the Play Store.
See, this is what you don’t understand. “Manufacturers” can’t be held accountable for anything. Anyone can glue some chips on a PCB and become a manufacturer, as long as they have an OS readily available. Microsoft’s smartest strategic move was keeping creative ownership of MS-DOS (and later Windows) instead of letting it fracture into a million forks that are updated never. And of course, Microsoft’s dumbest strategic move was letting Windows CE (and the Windows Mobile that ran on top of it) fracture into a million forks that are updated never, but fortunately, that entire line is dead now.
Windows CE (and the Windows Mobile that ran on top of it) were the only Windows operating systems OEMs could modify; you can’t modify Windows IoT because you don’t have the source code. That alone makes forks impossible, which is already a big step forward compared to the Android chaos, since Microsoft can force updates any time they want (like they did with desktop Windows).
There were Android phones with x86 CPUs that ran forked versions of Android (updated never as usual). The laptop and desktop market evolved around ubiquitous standards because of Microsoft. Microsoft forces standards on manufacturers of laptops and desktops by not allowing them to modify Windows. If you want your laptop or desktop to run Windows, you’ve got to build it in a certain way. Desktop Linux happens to benefit from that. And it will benefit from Windows on ARM (now that Microsoft is getting serious about it) by being able to ship universal ISOs/ROMs. Not that the average Desktop Linux user will acknowledge that, let alone express gratitude for it.
When it comes to Ubuntu, the only ones who have any sort of pre-installs in the consumer sector, they will allow it if some OEM wants it in exchange for more pre-installs. They are already letting China fork their OS and use the Ubuntu trademark. And this is my point: If Ubuntu ever becomes popular, watch for it and plan ahead (if you can). And don’t blame “manufacturers” (manufacturers cannot be held accountable), blame OS vendors for such nonsense (and any security fallout that results from those never-updated forks). That’s my point.
@birdie – >”It’s always “evil” “incompetent” Microsoft. Never mind multiple critical vulnerabilities in the Linux kernel every year, and pretty much in all open source software.”
Oh yes, that’s why the world is overwhelmed by ransomware that routinely compromises GNU/Linux desktop boxes.
Oh wait, no – those are pretty much all compromised Windows boxes. Troll harder birdie.
There will be no numbers, right?
Yeah, let’s claim something outrageous and make it look like you’ve invalidated the opponent’s point. You didn’t, you just failed hard.
And don’t get me started on hundreds of thousands of compromised Linux based IoT devices because NO ONE supports them.
Don’t get me started on tens of thousands of compromised Linux servers because NPM, Ruby and such repos are FULL of malware.
God, you’re so pathetic.
Microsoft FIXES stuff and supports it for sometimes up to 13 years (Windows XP).
Linux “solutions”? More like “SUPPORT YOURSELF” solutions.
The Linux cult strikes again. With its utmost illiteracy, bias and bigotry. You could really stick to Phoronix and r/Linux where like-minded bigots will appreciate your “input”.
Artem S. Tashkinov,
Your anger seems to be misdirected, pointing your finger at Linux as a scapegoat even though Linux developers are not responsible for what manufacturers do with Linux. The vast majority of IoT devices are running proprietary software, not FOSS software, and it’s this software that is most likely exploitable and not the Linux kernel itself. Look, it’s totally fair to blame Linux for actual Linux vulnerabilities. But when you are bent on blaming Linux for things that Linux can’t be responsible for, that just highlights your own biases.
It’s clear that Linux is a lot more popular than Windows with manufacturers, but do you have any evidence that their products would be more robust if they used Windows instead? I hope you can provide at least some evidence, let’s see.
>”God, you’re so pathetic.”
Self-righteous indignation in defense of mega-corp reputations really fits you birdie. Perfection.