Microsoft plugs 'critical' hole in Vista

Microsoft on Tuesday issued two security updates, one of them rated critical that fixes nasty bugs in Windows Vista that could allow an attacker to gain complete control over a user's machine. The patch, which also applies to the XP, 2003 Server and 2000 versions of Windows, plugs two holes in the way the operating systems …

COMMENTS

This topic is closed for new posts.
  1. Joseph Helenihi

    Yet another reason...

    to switch to Linux. Currently I am trying/testing Mandriva and so far, so good.

  2. Aaron

    Well, yeah, it's Tuesday

    To be fair, I'm not sure why we have to wait for a Tuesday for fixes, often years in the case of 2000/XP; having a 'bug fix' day is always a sign of a failing project.

    I'm not sure it's even worth reporting on these anymore since:

    a) it's a pretty regular occurrence (every Tuesday)

    b) it uses valuable disk space that could be used to report on PH, or show the eee girl

    Q: Since these exploits were never discovered in XP or 2k, does this mean that Vista is easier to find exploits in?

  3. Jach

    Sigh

    Bill, you promised that Vista was the most secure OS out there now and forever!

  4. Morely Dotes

    @ Jach

    Now, now, don't be too hard on Bill. After all, he's been a visionary, predicting the future with certainty, for example:

    "Nobody will ever need more than 640k RAM!" -- Bill Gates, 1981

    And his company expanded on that:

    "DOS addresses only 1 Megabyte of RAM because we cannot imagine any applications needing more." Microsoft on the development of DOS - 1980

    And then:

    "Windows 95 needs at least 8 MB RAM." -- Bill Gates, 1996

    And now, looking at the "minimum system requirements" for Windows Vista, the bare minimum of system RAM is 512 MB (Vista Home Basic), or 1024 MB (Home Premium / Business / Ultimate).

    So let's cut Bill some slack on Vista's security. He's been right about so much, so often, that one little mistake shouldn't be held against him!

  5. Don Mitchell

    Perfect Software

    Are you suggesting that Linux doesn't release updates to fix security bugs? If not, then do you believe it doesn't have any security holes?

    Microsoft keeps fixing bugs, keeps hiring scary German and Russian "penetration engineers" to attack their system, and the open source guys continue to believe in the ideological purity of their software. In the long run, who is winning?

  6. Anonymous Coward

    or slightly less tin foil

    > The bugs addressed by Microsoft Security Bulletin MS08-001 are evidence that the

    > program doesn't always work as advertised

    It is just possible that the effected protocol is not installed by default on the 2K and 2003, hence a lower criticality.

  7. Anonymous Coward

    @Morely Dotes

    The "correct" quote is:

    "640K ought to be enough for anybody."

    And he never said it. If you insist, I challenge you to find out when, where and to who he said it. A proper quote always contains a source, and it shouldn't then be too hard to find out where.

    While you are at it, I seriously doubt the second quote as well. Why would an OS maker say such a thing when the hardware they designed for had an absolute limit of 1MB of RAM? When you write software there is very little you can do about the hardware you design for. In this case they couldn't even switch hardware, since they wrote for IBM, and it thus was IBM's call.

    For the third quote, I like it when software designers tell me system requirements so I know if I can use software before I buy it.

    Bestest of luck in your source hunt.

    Need to be a coward for this one. Sticking up for Gates, pfft, I spit on you.

  8. Anonymous Coward

    bug compatible

    Once again we see that Vista is bug compatible with a previous operating system from Microsoft.

    So how much of Vista _is_ new code?

  9. stizzleswick

    @Don Mitchell

    With the OSS community, you don't have to wait for a Tuesday several months hence until the patch is posted... and that's one of the great points about OSS. If you don't like to wait until somebody else fixes the problem, you can even fix it yourself. Try talking any commercial software developer into giving you access to their code so you can fix their problem for them...

  10. Anonymous Coward

    Groan

    Every OS, without exception, has security holes in it. Get over it.....

    Stop this crappy Linux / Mac / Unix / Atari / Amiga/ Speccy / BBC MicroB bollox and grow up! Shhesss when do the pubs open so I can get away from these people !

  11. Daniel

    Not installed...?

    > It is just possible that the effected protocol is not installed by default on the 2K and 2003, hence a lower criticality.

    The 'effected' protocol was TCP/IP. So, no, that's not possible. Next question?

    I tend to regard the way this whole patching business gets reported (regardless of *who* is patching *what* code) to be a bit upside down, to be honest. After all, the argument for Open Source has always been that, because the code can be scrutinised, security vulnerabilities can be found more easily, and patches can be issued more swiftly and more frequently. The same logic holds for any other software, be it OS X, Windows, proprietary Unix, or the flash hardware on your domestic home router. A flaw has been found, a patch is available: apply the patch, or be an idiot.

    Unless you assume that programmers can see into the future, and program flawless code, in advance, you should regard frequent code patching as a Good Thing, and not a sign of vulnerability. Infrequent patching is more likely to mean that flaws are either not being looked for, or are being found but hushed up.

  12. Anonymous Coward

    @ he never said it

    It's to *whom* he said it.

  13. Steven Hewittt

    @ Joseph

    XP Pro in 2003 had 30 security advisories. 50% were rated as 'moderate' or higher. 40% were exploitable from a remote connection.

    Ubuntu 7.04 in 2007 had 91 security advisories. 62% were rated 'moderate' or higher. 76% were exploitable from a remote connection.

    Vista in 2007 had 17 security advisories. 53% were rated as 'moderate' or higher. 59% were exploitable from a remote connection.

    Data taken from secunia.com, looking at the data for the first year of release of an OS. It's worth noting that Ubuntu Linux is on a 6 month lifecycle, so a new version is released after just 6 months - thus viewing it over a longer period of time isn't really possible with accuracy.

    My view? I'll stick with Vista thanks. According to the stats it seems a better choice for security than Ubuntu Linux.

    Oh, and having one or two 'critical' patches/bugs is better to manage than 91 moderate or high security holes.

    Ubuntu Linux 7.04 had more security advisories, more advisories that were rated 'moderate' or higher and more security holes that could be exploited remotely during its first year of release compared to XP or Vista's first year of release.

    XP: http://secunia.com/product/22/?task=statistics_2003

    Ubuntu: http://secunia.com/product/14068/?task=statistics_2007

    Vista: http://secunia.com/product/13223/?task=statistics_2007

  14. John Bayly

    @Don Mitchell

    Yes, Linux & OSS need to be patched and have vulnerabilities, but unless the kernel needs to be patched (which doesn't happen too often) the machine doesn't need to be restarted. You just stop the service, patch it & restart.

    Whereas my XP workstation is asking me to reboot every 5 minutes (I've now got a shortcut on my Start menu to stop the Windows Update service), my 2003 Server wants to install its updates and says it may (read: definitely will) need to restart afterwards.

    Basically, it's not vulnerabilities that I take issue with (they will happen with every OS), it's the fact a reboot is required nearly every time.

    Any chance this is related to MS insistence of having everything in one big slab? http://www.theregister.co.uk/security/security_report_windows_vs_linux/#monolithic

  15. Anonymous Coward

    @ Daniel

    I think you'll find that the TCP/IP stack is completely new in Vista and 2008 Server so it's possible that the criticality is different.

    @ Stu Reeves

    Well said. Why people are so surprised that a large piece of software like Vista needs a patch is beyond me. My Ubuntu box reminds me about patches on a regular basis and sometimes they mess things up; that's just what happens.

  16. toxic monkey

    Buggy Fix

    Anyone else noticed that the latest patch cripples the ability to right-click in Explorer and shrink a photo for sending? It hangs after the photos have been shrunk and never creates the mail window.

  17. Craig

    "with OSS... you can even fix it yourself"

    lol, this is the worst argument ever against Windows. You really want the rabid masses who are at this very minute opening BritneySpearsNude.exe to have any choice over how and what is patched? If Windows was OSS, malware and backdoors would be sneaked into various community 'patches', and some idiots would fall for it. This would also create a support nightmare.

    Like it or not, most computer users don't understand or care, and a closed OS that auto updates is probably the best solution for them.

  18. P. Pod

    Memory

    "Nobody will ever need more than 640k RAM!" -- Bill Gates, 1981

    Don't forget that in 1981 by far the most common home computer in the UK was the Sinclair ZX81 with a massive 1K of RAM, or if you were really extravagant 16K with the RAM pack. Most Vista machines today probably have 2GB RAM - what applications can you think of that will need a million times as much memory?

    It's very easy to make snide remarks about Bill's predictions but I don't recall anybody predicting the scale of the computing revolution that has occurred. In 1981 I only knew three other people who had computers at home, now most homes have at least one.

  19. Frank

    @Steven Hewittt

    So easy to overlook the fact that the advisories for Ubuntu include the advisories for applications that are installed with Ubuntu. Like OpenOffice.org, Mozilla Firefox, Evolution, etc...

  20. Anonymous Coward

    @Daniel

    Specifically it is related to multicast traffic (IGMPv3). Windows 2003 does not have any multicast addresses active by default, hence the lower criticality than XP or Vista which do.

  21. Anonymous Coward

    @ Craig

    Um off the mark a bit there.

    In OSS someone with the appropriate knowledge can fix a bug for themselves then submit the fix to the maintainers/developers to be included in the official version of the software. They could also post their patch online, of course.

    Sure, someone with the appropriate knowledge (so NOT the britneynude.exe-clicking brigade) could write a backdoor, install it on their own machine and stick it on a website but it almost certainly wouldn't make it into the official source tree.

    Anyone installing anything from outside a trusted source tree does so at their own risk - just like anyone clicking on that britneynude.exe link does.

  22. Glenn

    Lies, damn lies, and statistics

    http://secunia.com/graph/?type=sol&period=2007&prod=13223 shows that Vista was 6% full of unpatched holes whereas the comparative graph for Ubuntu shows no such horror.

    Reading Secunia's pages will inform one of the lack of utility in comparing this data, as it's like comparing apples to useful computers or even oranges.

  23. Barry Carr

    Vista!...

    ...from the people that brought you edlin.

  24. Chris

    @Steven Hewitt

    Like Frank said, Ubuntu's vulnerabilities also included everything that Ubuntu includes in its repositories, which included thousands of packages!

    >Oh, and having one or two 'critical' patches/bugs is better to manage than 91 moderate or high security holes.

    Really?! I'd rather use an OS that doesn't have *any* critical patches (e.g. Ubuntu).

    It's interesting how you, Steven, quoted the stats to suit your argument. If you'd gone for 'High' or 'Extreme' critical vulnerabilities then Vista doesn't look so favourable: 47% vs 21%. Not so good for an OS that was developed and publicly advertised as a secure system.

    Plus, every single vulnerability has been patched in Ubuntu, but MS, despite its amount of resources and 'fewer' vulnerabilities, still can't be bothered to patch them all. 6% of vulnerabilities are still unpatched.

    You can keep Vista I'll stick to Linux, thanks.

  25. Peter Kay

    Reboots not needed

    If you think a reboot is needed for every Windows patch, you've not been patching lately. It's now increasingly rare to need a reboot.

    I would, in fact, say that Microsoft is better than many deeply shitty third party software vendors on this point.

  26. Ken Hagan

    Re: Nobody will ever need more than 640k RAM!

    On a system with an 8086 chip that's probably *still* true.

  27. Steven Hewittt

    @Frank

    Like Windows Media Player, IE7 and Windows Mail...? (Fair enough with OpenOffice though!)

    ;-)

    To be fair, I'm not trolling or saying that one OS is 'better' than another - I use a mix of platforms and have to patch them all regularly.

    I just hate seeing the constant comments when a patch is out for Windows, then the OSS fanbois start their attack.

    A few weeks ago, the random number generator in Windows was discovered to not be as random as we first thought. How strange that El Reg in its unbiased glory didn't post the same article that was on SecurityFocus regarding the same flaw... (http://www.securityfocus.com/bid/25348/discuss)

    Let's all try and remember that ALL systems and applications need patching. From Windows and Linux through to Cisco IOS and even printer drivers.

    Good administrators keep systems secure - not the platform.

  28. Anonymous Coward

    @Glenn

    So according to that graph you linked to (http://secunia.com/graph/?type=sol&period=2007&prod=13223), 6% of Vista's 17 advisories were unpatched - that's actually just 1 advisory.

  29. tony trolle

    reboot

    Bloody XP system auto-updated overnight then rebooted. Fek. Will have to try P2P again tonight for those Linux ISOs, lol. Only thought Vista was being fixed...

  30. Steven Hewittt

    @Glenn and @Chris

    As AC said - that's ONE SINGLE unpatched advisory. Just one. Plus you need to be a locally authenticated user first, and then you can view the filenames of files in a directory which is protected. That's the security issue.

    Needless to say Secunia give it the lowest of its ratings - "not critical".

    Yep, if you look at the severity of the advisories then Vista has more higher severity ones than Ubuntu. Then again, if someone can get access to my system I couldn't care less what rating the advisory gives it. Generally speaking, a moderate rating allows access to the system remotely.

    It's obviously personal choice - but I would rather have a system with 53% of the holes being of a high rating but with just 17 advisories than a system with 61% of the holes being high rating with 91 advisories. (I'm using 'high rating' as moderate or above. Secunia marks advisories that are remotely exploitable resulting in system access or denial of service as moderate.)

    Regardless of how you want to dice the facts (and let's face it, anyone who wants to prove a point can always twist the facts - including me!) the bottom line is that Ubuntu had more advisories than Vista, and more advisories that were remotely exploitable than Vista.

    No matter how you cut that cake, the facts are there.

    And again - to repeat myself - this isn't about one OS being more secure than another. I'm pointing out the massive misconception that Vista is very insecure compared to Linux. It's not - it's the user base that are the muppets rather than the developers. And that can be said for the majority of software out there regardless of your OS religion.

  31. Joseph Helenihi

    @ Steven Hewittt

    Any stats on Mandriva? I did try Ubuntu, but for some reason the only applications that would work with it were the ones that it installed itself. Any other Open apps that I installed in Ubuntu would just hang or not work at all. Alas, could have been user error, I am still new to Linux.

    As for Vista, XP, 2000, ME, 98, 95, Workgroups 3.11, 3.1, 3.0(shudder) and DOS 2.1 through 6.22, I have tried them all, and done support on these for family, friends and co-workers over the years.

    After various malware has thoroughly compromised the Windows system to the point that nothing loads very fast or it is rendered inoperable, I must admit that the fix is always simple enough on a Windows box.

    Backup any relevant data, delete the primary partition, low level format the drive, and reinstall the operating system and any applications if the user still has the original disks. Voom, brand new and very fast, until the next bugfestation.

    Having said that, frustration and boredom with the endless updates patches and reboots has driven me to try Linux. I suspect that is the main reason Linux even exists, but I could be wrong.

    And a choice of operating system is simply that, a choice. Someone wise once said that all Operating Systems suck in some way or another.

    There's even a Linda Lovelace scale of suckiness that goes from water up a soda straw on the low end to watermelons through a swizzle stick into low earth orbit on the highest end.

  32. Chris

    @Steven Hewitt pt2

    OK. Maybe 6% unpatched vulnerabilities (i.e. one) is over-stating the fact.

    Also, I must admit that Vista is an improvement (statistically) in terms of security over previous versions of Windows, although that isn't hard ;)

    However, you still forget that the numbers of 91 (ubuntu) vs 17 (Vista) advisories are not comparable in absolute terms as Ubuntu bundles many, many more applications with the OS than Vista does. Plus, there's the thousands of apps available from the repositories, which aren't directly under the control of Ubuntu, but are included in Secunia's advisories for Ubuntu e.g. MySQL, VMWare, perl, Firefox.

    A nearer comparison would be if you added the vulnerabilities for MS Office, Explorer, WMP, Photoshop, Realplayer, Shockwave, Dreamweaver et al to Vista.

    BTW the stats for Mandriva are here:

    http://secunia.com/product/12165/?task=statistics_2007

  33. Marty

    @ tony trolle

    Why don't you reconfigure things so Windows does not automatically install updates and reboot.....

    Why not have it just tell you updates are available?
