How to not get pwned on Windows: Don't run any virtual machines, open any web pages, Office docs, hyperlinks ...

Microsoft has posted the April edition of its monthly security update, which kills a bug that allows guests to escape to hosts on Hyper-V. A malicious app running in a virtual machine can exploit this flaw to drill down to the host server, execute code on the machine, and interfere with the system and other VMs. Which is bad …

  1. Anonymous Coward

    How not to get pwned on Windows...

    Switch to Linux.</sarcasm?>

    1. Anonymous Coward
      Windows

      Re: How not to get pwned on Windows...

      Spoken like a Windows user... Use of XML when given the chance, but no idea how to use it.

    2. Anonymous Coward

      Re: How not to get pwned on Windows ...

      Don't run Windows Update.

    3. AMBxx Silver badge
      Thumb Down

      Re: How not to get pwned on Windows...

      ZZZZZZZZZZZZZZZZzzzzzz

      I wish they'd stop allowing comments on Windows update posts, always the same comments, gets really boring.

      1. 1Rafayal

        Re: How not to get pwned on Windows...

        Shhhhhhhh, thou must not say anything but the negative when referring to Windows here.

    4. bitmap animal

      Re: How not to get pwned on Windows...

      If you think MS has a lot of updates you'll be horrified by the number Linux requires. Why don't you have a look and count them.

      1. JLV

        Re: How not to get pwned on Windows...

        >Why don't you have a look and count them.

        Actually, I would be interested in an honest appraisal of such. On Win, Linux, OSX, which patches are delivering true OS, non-app, high grade vulns fix, such as remote exec flaws? Severity vs just volume, with CVE the judge. Anyone know? Also pick one OS release on each end - Win 10 vs OS X El Capitan vs latest kernel Linux.

        I think Windows, but am willing to hear counterarguments. As a cynical and open-eyed Apple user, I am more surprised that it doesn't get powned more often than blindly trusting in Apple's ability to maintain BSD-level security on their own code. They've had some doozies over the years and I've had friends get powned on Macs, very occasionally.

        Doubt I'll get a straight answer I can believe from too many here, though hopefully some of you certainly know it.

        But one thing I think I can answer myself: which of those 3 OSs will, on desktops, require the most reboots to accommodate those patches? Which OS doesn't typically know and has the always helpful "may require a reboot" rather than stating so outright?

        1. Roland6 Silver badge

          Re: How not to get pwned on Windows...

          >Why don't you have a look and count them.

          Actually, I would be interested in an honest appraisal of such.

          Well I'm not certain that looking at the current numbers of patches is a valid comparison between Win and Linux. Simply because of Linux's install base compared to Windows and hence its attractiveness to developers - both those who are trying to get stuff done and those who wish to exploit it.

          1. JLV

            Re: How not to get pwned on Windows...

            Valid points between Windows and Linux, to an extent.

            But OSX has pretty much the same userbase attractiveness wrt malware as Windows. And very few people bother to run AV software on it - I de-installed Sophos because it tended to hog CPU atrociously from time to time and, for the overhead, I was uncertain at its actual efficacy on Mac malware. I do have ClamAV, but only use to scan downloads. So, along with the capacity of its users to pay the Apple surtax, it would seem like a valuable enough malware target.

            And, going back to Linux, there is plenty of $ to be made in server breaches.

            I would also separate app & browser patches (IE, Edge) from OS level patches. After all, you can always run FF or Chrome on Windows. And browser vulns are only the OS's fault if the OS allows them to propagate - an OS should be totally paranoid about resident browsers at all times. While there is no doubt in my mind that Office macros are a cesspit of threats, that's not core Windows fault, even though MS as a whole does bear responsibility for them and patches them.

            So, do we have any hard numbers besides the "yours has more bugs than mine" arguments that all sides quote with happy abandon? MS does seem to focus a lot more on security than it did 10 years ago, so are we still judging them from that time?

            1. oldcoder

              Re: How not to get pwned on Windows...

              "focus a lot more on security" doesn't mean they do anything about it...

              the same failures from 17/18 years ago are still present.

            2. azaks

              Re: How not to get pwned on Windows...

              >> But OSX has pretty much the same userbase attractiveness wrt malware as Windows.

              How do you figure that? How many companies create products that are relevant to < 10% of their potential customer base? Custom malware for a targeted attack yes, generic malware to maximise returns = no.

        2. Anonymous Coward

          Re: How not to get pwned on Windows...

          "Actually, I would be interested in an honest appraisal of such"

          According to Secunia, SUSE Server 10 is on well over 4,000 (and OS-X is on well over 2,000) listed vulnerabilities.

        3. azaks

          Re: How not to get pwned on Windows...

          Very valid points about volume not being the only metric - clearly it isn't.

          Security bugs are a fact of life in all software - the bigger the code base, the more you can expect. Saying "my OS is less likely to get pwned than your OS" is just stupid.

          Another factor that affects bugs found is the number of people motivated to look for them. We all know that the "many eyes" theory spouted by the OSS hardliners is complete bullshit. Finding usable exploits costs time and money, and if maximising your return on said exploit is your goal, it doesn't take a rocket scientist to predict where most of the investment is going to go.

          1. h4rm0ny

            Re: How not to get pwned on Windows...

            >>"Security bugs are a fact of life in all software - the bigger the code base, the more you can expect. Saying "my OS is less likely to get pwned than your OS" is just stupid."

            It's not stupid. There are actual variations in security flaws between different OSs. Back in pre-Vista era, Windows was inherently less secure than GNU/Linux. That's no longer true. Windows is probably slightly more secure than GNU/Linux these days. And maybe that will change again over time - who knows. But it's not right to reject comparisons between OSs. It's useful. If nothing else, it keeps different vendors trying hard to compete in the area of closing down vulnerabilities.

            >>"We all know that the "many eyes" theory spouted by the OSS hardliners is complete bullshit."

            It's not "complete bullshit". It's a valid argument that Open Source benefits from people being able to inspect the source and find flaws. The problem is that the more complex the project, the more specialized you have to be to notice flaws. I can find a flaw in the MySQL source code. I can't find one in Firefox source - I simply wouldn't know where to start with their code base. But that doesn't mean that other people can't or that it's "bullshit".

            The biggest security advantage of Open Source, though, is not guarding against accidental flaws, but against deliberate ones. It lets you examine the source for deliberate backdoors by the vendor. That has a lot of value, imo.

    5. People's Poet

      Re: How not to get pwned on Windows...

      It's a shame it's just not true though, I received 50 Security Advisories from Red-Hat between the 2nd March and 7th April. I've often woken to seeing 10 or more come out in 1 night. Stop believing the hype that Linux or any OS is any more secure than Windows. It's just the sheer numbers of Windows desktops that make being pwned more likely however give your average Windows user a Linux desktop and don't apply the patches and they're just as likely to get pwned over time.

      1. John 104

        Re: How not to get pwned on Windows...

        So true. At a previous job I set up alerts for updates for RHEL. It got to the point that it was just spam there were so many. And like spam, they pretty much got ignored...

      2. azaks

        Re: How not to get pwned on Windows...

        How dare you bring facts to this forum - shame on you!

        If you don't have anything negative to say about M$, don't say it at all!

    6. Darryl

      Re: How not to get pwned on Windows...

      Well, it is true. You won't get pwned on Windows.

      You'll get pwned on Linux

  2. This post has been deleted by its author

  3. The little voice inside my head

    Sad pretty much not being able to use the PC

    We are living in an era when you cannot even turn on your PC and make it "face" the Internet, it is so full of viruses that somebody will "cough" and spread them to your PC.

    1. Palpy

      Re: Sad pretty much not being able to use the PC

      Well, you can use your PC. You just have to be careful when using Windows. I might venture that one should be increasingly careful. As the malware writers game-up, you would be well advised to tighten your defenses wherever you can.

      I'll avoid the Linux-Windows-Mac malware debate, except to note that efforts are being made to craft OSes which are less vulnerable to attack. None will ever be perfect, but Qubes, OpenBSD, and others present significantly higher hurdles for attackers to overcome.

      So your PC is usable and you may even Goggle the Online in a relatively carefree manner. It's the OS setup you mostly need to worry about.

      1. Anonymous Coward

        Re: Sad pretty much not being able to use the PC

        "You just have to be careful when using Windows."

        Or a version of Linux that anyone actually uses - like say Android...

    2. Mikel

      Re: Sad pretty much not being able to use the PC

      Yet somehow your phone and tablet can be on the Internet wherever you go all day long with nary a twitch. It's almost as if there were a specific software vendor involved in all of this PC malware mess.

      1. MrRimmerSIR!

        @Mikel

        Haven't caught Stagefright yet?

      2. Goit

        Re: Sad pretty much not being able to use the PC

        You mean like a Microsoft smartphone? You're right, I've never had a problem with it! FYI, I've recently had to root and clear out two friends' kids' Android smartphones and my nieces' Android tablet to rid them of malware.

        1. oldcoder

          Re: Sad pretty much not being able to use the PC

          They had to deliberately install the malware...

      3. oldcoder

        Re: Sad pretty much not being able to use the PC

        That is because most phones and tablets are not Windows... They are iPhones/iPads and Android.

      4. Dan Paul

        Re: Sad pretty much not being able to use the PC

        If you change the word "vendor" to "Target" you may have a point. Otherwise just more boring drivel. There is little reason for virus and malware creator/users to target obscure and little used operating systems. Regardless of what you think about Windows, it has a greater market share and thus will always be targeted by those criminals.

        The second that other operating systems become more popular, these virus writing scum will make "product" that targets the more popular OS. This has already happened with Macs and the others are next.

        Smug pontification about the "superiority" of your brand of OS gets us nowhere.

        1. oldcoder

          Re: Sad pretty much not being able to use the PC

          There are more Linux systems in the field than there are Windows systems... Yet Windows is still the most vulnerable.

          1. This post has been deleted by its author

        2. Mikel

          Re: Sad pretty much not being able to use the PC

          @Dan Paul

          >Regardless of what you think about Windows, it has a greater market share and thus will always be targeted by those criminals.

          That is what has been said for 20 years. We know now that it was always a lie. Far more people use Android than Windows. Over a billion more. There are more users of the Facebook app on Google Play than all the Windows users, all versions, worldwide. And they use Android more often, for more minutes each day too.

          This lie is toast now. The insecurity of Windows is inherent in the design compromises they made to kill its early competition, and now they are stuck with them for backwards compatibility reasons. They fell into their own trap by taking shortcuts with security. The global malware ecosystem and industry are all theirs and they are welcome to keep them.

      5. Anonymous Coward

        Re: It's almost as if there were a specific software vendor involved in all of this

        Yep. Adobe.

        1. JLV
          Facepalm

          Re: It's almost as if there were a specific software vendor involved in all of this

          >Yep. Adobe.

          OK, I get that OS preferences are resulting in very mixed up/down vote counts here.

          But did someone really downvote in defense of Adobe here???

      6. h4rm0ny

        Re: Sad pretty much not being able to use the PC

        >>"Yet somehow your phone and tablet can be on the Internet wherever you go all day long with nary a twitch. It's almost as if there were a specific software vendor involved in all of this PC malware mess."

        I'd lay good money that you would also be critical of the Windows Store. In fact, given that this is Mikel, long-time poster on El Reg. noted for virulent anti-Microsoft posts, I'd say it's almost a certainty you've been against it. Yet you compare Windows (open and free to install what you want) to locked down systems like iPads and Windows RT. If you can't see the relevant distinction between an iPad and a Windows OS machine is not vendor but user privileges, you're wilfully blind.

        Oh, and you should check out Android sometime (the most popular OS used for phones) which even at one's most charitable could not be described as having "nary a twitch" when it comes to security.

    3. veti Silver badge

      Re: Sad pretty much not being able to use the PC

      Well, looking at the specific vulnerabilities - I only see one that's an immediate threat to me, plus a couple that could be threats in the medium term. The rest all target specific software or services that I don't use, or require a level of pre-existing access that, if someone else has it, I think I'm already boned.

      So I'd call it irritating rather than sad. And the chance of actually getting hit by one of the vulnerabilities that isn't completely irrelevant, in the time between discovery/promulgation and patching? Slim.

    4. kitekrazy

      Re: Sad pretty much not being able to use the PC

      This is the best use of sarcasm I've seen in a while

    5. Anonymous Coward

      Re: Sad pretty much not being able to use the PC

      Hmmm, let's not get too carried away now. Even on Windows, a bit of cleverness goes a long way:

      - add a JS blocker like NoScript to your browser. Whitelist very selectively. prefer to whitelist temporarily.

      - NoScript on FF can really act up at the most inconvenient times for ecommerce sites. Rather than turning off some of its paranoid settings, open up your secondary browser (Chrome for me) and complete your transaction there instead.

      - never click on email links unless you know they are from your actual friends. be courteous and always provide a bit of personal chit-chat when emailing a link to someone, just so they know it's you and so they know that you expect that courtesy yourself.

      - avoid Flash and Adobe Reader like the plague. Ditto Java applets.

      - macros in Office docs you didn't write yourself? red flag!

      - be wide-eyed, I mean extra-careful, around smut sites. never download 'extra required codecs' to view files.

      - never run warez code. A crack generator? Whodathought I would be the one getting hacked?

      - download mostly from at least somewhat competent download aggregator sites or open source repos.

      - use your AV to scan what you've downloaded before running it.

      - google up 'malware virus <name-of-something-I-want-to-install>' liberally.

      - backup and take into consideration crypto ransomware when doing so.

      - never, ever, reuse sensitive passwords, though there's nothing wrong with reusing 'foobar1234' on all the various websites you don't care about (sorry, The Register, that means you).

      - encrypt your sensitive data in a mount-on-demand container like TrueCrypt. (be careful about TrueCrypt containers & backup software - TrueCrypt goes out of its way to keep file timestamps constant)

      None of this is rocket science, nor very demanding. I spent years using primarily Windows at home without much ado.

  4. TxRx
    Go

    Happy Tuesday!

    Not sure what's more interesting, the volume of vulns on Windows out there or if MS are closing in on more vulns quicker. Go update!! (after testing it doesn't impact your prior pipe/infrastructure)

    1. Mark 85

      Re: Happy Tuesday!

      Go update!! (after testing it doesn't impact your prior pipe/infrastructure)

      Or maybe just wait a few days until all the hidden and disguised updates are found and exposed? I've learned not to be too quick to do the updates...

      1. fran 2

        Re: Happy Tuesday!

        Or wait a week and watch the early adopters wail on the various MS forums that the updates borked their servers

    2. Pascal Monett Silver badge

      Re: "MS are closing in on more vulns quicker"

      Really ? If that were the case I would expect that faults in Secondary Logon would have been found and corrected last decade. It was introduced with 98, if I'm not mistaken, it's about time they ironed out the issues there.

      Seriously, I have the impression that I've been reading more or less the same patch notes since Y2K. A "remote execution vulnerability" in IE and Edge, wow, what a surprise. The exact same wording in two different patches on the same day for both Microsoft browsers - thank goodness Edge does not support ActiveX, I might have been made to think that Edge is just a rebadge of IE.

      It's nice that MS is patching obviously, but it would be nicer if I didn't have the impression that, whatever the version, they're always patching the same issues from last decade.

      1. regadpellagru

        Re: "MS are closing in on more vulns quicker"

        "Seriously, I have the impression that I've been reading more or less the same patch notes since Y2K. A "remote execution vulnerability" in IE and Edge, wow, what a surprise. The exact same wording in two different patches on the same day for both Microsoft browsers - thank goodness Edge does not support ActiveX, I might have been made to think that Edge is just a rebadge of IE.

        It's nice that MS is patching obviously, but it would be nicer if I didn't have the impression that, whatever the version, they're always patching the same issues from last decade."

        I'm thankful I'm apparently not the only one feeling this !

        Apparently, this time, it's only IE 9,10,11 & 12 (Edge). Most of the other weeks, it's IE 6-12, like if, IE 12 code was IE 6 minus ActiveX ...

  5. alain williams Silver badge

    I am told ...

    that keeping it switched off keeps it secure.

    1. Dan 55 Silver badge

      Re: I am told ...

      No, Intel removed that option with AMT.

    2. Anonymous Coward

      Re: I am told ...

      "that keeping it switched off keeps it secure."

      A friend was surprised to find his PC switching itself on and rebooting at 3am to install Windows updates that had been automatically downloaded.

  6. VinceH

    The real question is how many of the 'security' updates include Windows 10 update malware.

    1. Mikel

      Hey

      What happened to the courtesy !!! SPOILER ALERT !!! ?

      That is from tomorrow's story.

      1. VinceH
        Coat

        Re: Hey

        I do apologise. Next time I'll double-ROT13 such a comment, and give a warning for people to read before decoding it. ;)

        1. DropBear
          Trollface

          Re: Hey

          Double-ROT13 has been successfully attacked ages ago. If you insist on using that ancient thing, a minimum of ten or twelve rounds is recommended.

          1. tirk
            Coat

            Re: Hey

            Information theory suggests that applying ROT-13 e times gives the optimal result.

    2. Keith Glass

      There's a GWX Control panel available. . .

      . . . .to prevent the installation of the Win10 malware.

      https://askleo.com/block-windows-10-with-gwx-control-panel/

  7. elDog

    Allowing a VM to corrupt the host is a sin

    That's one of the 10 commandments and it shalt be done.

    I mean really, so much of the hypervisor stuff is done in the hardware nowadays I'd think that someone was asleep at the wheel, a code kiddo, or a malicious agent. (Hmmmm.)

    1. TheVogon

      Re: Allowing a VM to corrupt the host is a sin

      "I mean really, so much of the hypervisor stuff is done in the hardware nowadays I'd think that someone was asleep at the wheel, a code kiddo, or a malicious agent. (Hmmmm.)"

      I seem to recall Amazon, Rackspace, etc. having to panic patch a similar hole in KVM not so long ago?

    2. patrickstar

      Re: Allowing a VM to corrupt the host is a sin

      The complexity lies in emulating all the hardware needed and/or providing interfaces for paravirtualization. The actual virtual machine management itself (i.e. fiddling with VMX or AMD's equivalent) is minimal.

      Compare VMware Workstation for example (since it's what I have handy at the moment)

      Actual thing that does what the CPU helps you with: vmx86.sys, 66KB

      The rest: vmware-vmx.exe, 20MB

      VMware might be the worst in this aspect (even on ESXi guests frequently have more hardware than the host!) but even if you shave it down to 1/5 that's still a lot of exposed code...

  8. Glenn 6

    I always thought my mouse was a little shifty.

  9. Gde

    What tha..?

    I'm a bit disappointed, I was presented with 13 updates for Windows 7 but not one critical, crucial, vital, essential, important, significant, major, decisive, historic (Guess who found his Thesaurus?), fateful, pivotal, precarious, urgent, serious, compelling patch to sneak in their GWX malware.

    A month without the little cat & mouse game? Someone at Microsoft should lose their job due to this oversight. We know it's not because they're listening to their customers.

    1. Aniya
      Trollface

      Re: What tha..?

      How certain are you that Microsoft haven't snuck in a presently-dormant payload within one of the security patches which shall unleash itself in days or weeks to come to the "surprise" of those who haven't yet caved into their demands to install Windows 10? :P

      Everyone will be caught off-guard and left wondering where the hell the latest nag or forced download and upgrade came from.

      In all seriousness though I did give Windows 10 another go just a week ago. Still doesn't fly. My two major complaints (forced driver updates and configuration parameters which have a mind of their own) are still not resolved.

      As a simple test; I installed the latest available ISO build of Windows 10 on a test system with its network interface disconnected and then set it all up. My privacy preferences, various operating system and application preferences, and so on. When I was done I hooked the network interface up and had Windows update itself. All good. Except that after the update half of my Edge preferences disappeared. At least one privacy setting and file association changed itself. And the "new" audio driver which Windows Update installed (which was in fact older than the one I installed manually) failed to install and broke the one which I manually installed. Now one could argue that RealTek makes crap drivers, but this is why I demand to control my own driver installations.

      Sigh.

      1. The Quiet One

        Re: What tha..?

        I feel blessed that my Win 7 PC has not been receiving the GWX nagware, despite my being a good little drone and updating it each month. It did appear briefly back in November then the PC went in storage for 2 months while I moved house, it hasn't come back since.

        So, there you go, The real solution to avoiding Windows 10, just shut down your PC for two months and you'll be fine!

        1. VinceH

          Re: What tha..?

          I have a 'new' PC at home - which I bought back in July - that I have yet to set up. I think I'll wait until August at the earliest, so after the 'free' period has ended (assuming it doesn't get extended).

        2. Anonymous Coward

          Re: What tha..?

          I'm waiting with interest to see what MS have planned for when their free "upgrade" offer expires. After all, the business imperative (for them) to get everybody onto W10 won't have gone away, and presumably the unrelenting nagging will have left only those who'll move in their own good time (corporates) or those who'll never move voluntarily. Having exhausted the potential of the carrot, what will the stick look like?

          1. Michael Strorm Silver badge

            Re: What tha..?

            "I'm waiting with interest to see what MS have planned for when their free "upgrade" offer expires."

            Most likely outcome:- The offer will be "generously" extended, either to some arbitrary point in the future or indefinitely (the latter of which will happen if the former is reached before everyone has taken advantage of (translation; been forced onto via weasellish bordering-on-malware abuse of updates) Windows 10).

            Pretty sure they'll be more enthusiastically using the stick at that point too, though, since most people who haven't upgraded by then quite obviously don't want to and won't, if not forced or bullied into it.

        3. Roland6 Silver badge

          Re: What tha..?

          I feel blessed that my Win 7 PC has not been receiving the GWX nagware, despite my being a good little drone and updating it each month.

          Visited a client this morning and inspected two 'identical' Win7 machines (identical in that they are the same model and were purchased at the same time, run the same suite of software and had auto install of WuP etc.) one was displaying the "you really want to upgrade to Win10 now" popup and the other didn't even know that Win10 existed - a new install of GWX found no trace...

    2. Anonymous Coward

      Re: What tha..?

      A month without the little cat & mouse game?

      Don't be so sure. KB3035583 reappeared in the list yesterday, I had to hide it again.

      1. Anonymous Coward

        Re: What tha..?

        It offered me KB3035583 again last week.

        Today it has resurrected the equally notorious KB2952664 that has also been hidden many, many times.

    3. phuzz Silver badge

      Re: What tha..?

      It's a shame you can't shift the unwanted upgrade from a copy of Win 7, because I've got a couple of family members still on Vista that I'd love to move to Win 10. That and an SSD can turn an old crappy laptop into something perfectly useful.

  10. J__M__M

    Would it really be that effing hard?

    for MS to include this sort of info in the general vicinity of the freaking update window? You know, where you see the list of updates they want you to install. I hate Microsoft. Why? Because I can't avoid them and they suck.

  11. hypernovasoftware

    Still the same after all these years...

    Windows, still held together with tape and baling wire.

    Yuk!

    1. Ole Juul
      Coat

      Re: Still the same after all these years...

      "Windows, still held together with tape and baling wire."

      Actually I think it is user loyalty and market share which is holding it together. When Mark Zuckerberg comes up with a native Facebook OS, MS-Windows will be toast because it won't serve any purpose outside a business environment.

      1. werdsmith Silver badge

        Re: Still the same after all these years...

        When Mark Zuckerberg comes up with a native Facebook OS, MS-Windows will be toast because it won't serve any purpose outside a business environment.

        Out of the frying pan into the end of humanity.

        I can't think of a more distasteful alternative to Windows or a worse scenario than a ubiquitous Faecebook OS.

        1. Michael Habel

          Re: Still the same after all these years...

          So that would be either Android, or iOS now would it? Really the only reason I ever got on Facef[REDACTED]k was 'cause I needed something to do with this SmartThingy. Well that and the fact that such friends, and Family that I do have, are on it. Had this phase never happened, and somehow all was well. i.e. better than it is today the PC were still King. You couldn't have paid me to touch it.

      2. allthecoolshortnamesweretaken

        Re: Still the same after all these years...

        "When Mark Zuckerberg comes up with a native Facebook OS..."

        Please, don't even make jokes about this.

    2. RedneckMother

      Re: Still the same after all these years...

      "Windows, still held together with tape and baling wire."

      As an IBM Field Engineer explained to me, decades ago:

      "Well, here's your problem. Yeah, someone found and fixed the physical interlock failure, but they used amateur (Scotch) tape! You have to use professional (filament) tape!"

      Sure enough, filament tape enabled us to get through the night, until parts arrived the next day.

      I miss "Earl the Pearl" (the IBM FE). He was a common sense farm boy, and impressed me with his ability to get things working until parts could be obtained and installed. I remember him scavenging batteries from our company cars and using vise grip pliers (for clamps) and spare wire to help us get through a different night, when a 24VDC supply went "South" and the replacement part wouldn't arrive for 12 hours.

    3. chivo243 Silver badge

      Re: Still the same after all these years...

      @hypernovasoftware

      I thought it was bubble gum and paperclips? Oh well, to each their own.

    4. naive

      Re: Still the same after all these years...

      It is just like a bad school report for the industry as a whole. Comparing Linux and Windows is useless, since both are written in 3GL's by humans, and it is just too easy to forget a bounds check here or there, reusing freed memory etc.

      Although I believe that from a conceptual point of view, Linux is a bit more sound, at least most people won't browse with root under Linux, while it is common practice in Windows (user with admin rights).

      What a saddening company MS must be if they still have no clue about concepts like sandboxing, using reduced privileges in a web browser. Resources is hardly an excuse nowadays to run explorer in a solid VM, sealed off from the OS itself, prompting the user for anything the webpage wants to do with things on C:\. But ok, maybe reality is harder than it looks to a layman.

      1. Anonymous Coward
        Anonymous Coward

        Re: Still the same after all these years...

        Comparing Linux and Windows is useless, since both are written in 3GL's by humans

        But, but.. the Skynet software was also written by humans, and it evolved!

  12. Anonymous Coward
    Windows

    Windows 10 news!

    Far more significant strategically is the simultaneous release of Windows 10 and Windows 10 Mobile 10586.218. MSFT has gone through the pain barrier of creating a core OS and can now push ahead on all platforms with a unified code base and one API for developers.

    1. oldcoder

      Re: Windows 10 news!

      It still only runs on one architecture...Intel

      and partly runs on ARM

      Still hasn't learned portability. No Power, MIPS, or the 50 other platforms Linux runs on.

      1. patrickstar

        Re: Windows 10 news!

        Windows (NT) has at one point existed for both of those, and a bunch more, so if there was a compelling reason for it I'm certain it'd reappear, or appear on an entirely new platform for that matter.

        Hell, it wasn't even developed for x86 originally and rumor has it the x86 port was a skunkworks project.

        But maybe they un-learned this since then?

  13. Michael Habel

    So...

    Which one of these Updates has an additional Get Windows X NOW! Payload hidden within it, or whatever bit of Malware i.e. additional tracking? The fainbois will howl like monkeys, and likely downvote this to Hell.

    But, if it has gotten as far down the rabbit hole, that someone should even have to ask this of all things, MicroSoft Updates. Then try apologizing first for that one first. As it's really not even a question that should have had to be asked in the first place. The fact that they've done this, and will likely continue to do so. Should give most People here room for pause.

    1. Anonymous Coward
      Anonymous Coward

      Re: So...

      KB2952664 reappeared in the list again today - pre-ticked ready to go.

      1. Anonymous Coward
        Anonymous Coward

        Re: So...

        KB2952664 was hidden yesterday - but the other updates weren't applied. There was the IE11 "Security" update that was suspicious - and the link to its "non-security features" explanation doesn't go anywhere.

        This morning it prompted again with the list of updates - and the pre-ticked KB2952664 was back again.

  14. Anonymous Coward
    Anonymous Coward

    That virtual machine compromising the hypervisor machine is a bad one. I know at least one security consultancy who spin up virtual machines to work on bespoke jobs to stop intra client propagation and blow it away afterwards, but who keep the original hypervisor machine installed all the time on their Windows host machine.

    Equally I know some orgs who are using virtual machine technology to replace machines in multiple security domains with a single virtual machine host with separate instances. We flagged the potential for this scenario and were told it was impossible by design. Bit like when they introduced "secure cloud" etc. You've only got to have dropped the ball once to make a nonsense of things...

    Still can't beat having electrically separate machines. Unless you're a beancounter.

  15. jms222

    Just goes to show Virtualisation on x86, because it's been done in a hurry to follow what IBM did decades earlier, actually creates horrific security problems.

    1. oldcoder

      Not in a hurry. Intel did take their time with it.

      The problem is that Intel doesn't have the ability to force virtualization on all the hardware controllers. IBM could because they made all the hardware controllers.

      1. patrickstar

        Not to mention Intel's implementation isn't even particularly good. It's mostly microcoded, so a simple VM exit takes literally hundreds of clock cycles before the VMM even gains control. Compare that with SPARC (sun4v) - one (1) cycle.

  16. Anonymous Coward
    Anonymous Coward

    Patch Tuesday? Now if only I could prevent Nvidia from updating.

    Microsoft, if you are reading this, give us back some control. This is becoming ridiculous.

    Really struggling here (and why you should really avoid Windows 10 1511 or using a Mac to do anything that doesn't involve OSX). Anything off the beaten track with Apple is a no no.

    We need to run an older Nvidia Graphics Driver on an iMac in BootCamp running Win10 1511 (latest). It must not update/replace itself with a Windows Update Driver. Simple you say?

    Windows 10 Update thinks it knows better, updates the Nvidia Driver to a generic newer Nvidia one through Windows Update (replacing the one from Bootcamp 5.1). The iMac freezes and is generally unstable with this Windows Update Driver (designed for PC's running Windows obviously). Oddly (which becomes important) Windows Update is offering two identical Nvidia Drivers at the same time. (Is this because the Bootcamp driver only supports Win8.1?, so is offering Win8.1 Update + Win10 Update)

    I remove the updated Nvidia driver, replace it back with (older) BootCamp 5.1 Driver, Windows Update downloads and replaces (as above).

    I've tried System->Advanced Settings->Hardware: Device Installation Settings, 'Do you want to automatically download manufacturer's apps and custom icons that are available for your devices'

    Set to 'No'. Makes no difference - still downloads and installs.

    I've tried using local Group Policy Manager to block Hardware Device Drivers by Hardware ID (but this still allows the Nvidia setup.exe to be run, hence installs all the support software, overwrites everything, installing the driver a different way (that doesn't check GPM), shows all the software updated, machine freezes). Duplicates and leaves the older Nvidia 3D Control Driver in place.

    Had some partial success with this, in that it prevents the BootCamp driver being reinstalled manually, but doesn't prevent Windows Update running Nvidia setup.exe files and reinstalling all the driver software, i.e. with no graphics driver installed, this method prevents the BootCamp driver from being installed.

    Tried setting Group policy for Downloads to Notify and download, still installs.

    Tried using the KB3073930, to hide updates, doesn't work, because Windows Update is offering two identical drivers at the same time, if you hide one, the other is still visible, and installs.

    Tried installing Powershell Windows Update Module add-on, using Powershell commands to prevent any Windows Updates beginning with 'NVIDIA', still installs, again because WindowsUpdate is offering up two identical drivers at the same time, catches the first, second installs.

    Another option is to prevent execution of any drivers signed by Nvidia, and also prevent device drivers by Hardware IDs at the same time, but Windows Update still offers the Nvidia Driver for download, and then tries to install, filling the Windows Update log with multiple failed driver installs.

    I generally know what I'm doing, how can something so simple have become so f'in frustrating!

    FU Microsoft and your controlling tendencies.

    1. Pookietoo

      Re: Patch Tuesday? Now if only I could prevent Nvidia from updating.

      Did you try just setting permissions on the installed driver files to read-only? (I have no idea how WU would treat that - I don't use Windows any more.)

    2. Aniya
      Thumb Up

      Re: Patch Tuesday? Now if only I could prevent Nvidia from updating.

      Thank you for perfectly illustrating precisely why I possess an extremely strong stance against forced driver updates. It works very well in theory right up until the point where you are running a combination of parameters or requirements which Microsoft hadn't thought of and you're fucked.

      This is why I say that it is absolutely arrogant and outright delusional for Microsoft to think that they know better than the billions of possible hardware, operating system and application configurations possible with modern computers.

      Furthermore, and this especially applies with drivers; new doesn't always mean better. And this can become an even bigger issue on previous-generation hardware where unified driver packages tend to focus their optimizations on current-generation hardware.

      If I have found a driver which performs well I do not wish to upgrade and risk either a system crash (instant loss of productivity) or performance degradation (gradual loss of productivity over time). What's more Windows Update can even go as far as overriding new drivers with older revisions.

      Ugh.

  17. Anonymous Coward
    Coat

    it's easy

    Frettle some gruntbuglies or splurgle your gaggleblodgets instead. Just say NO to PCs.

    Being serious for a mo, though, it does all make me wonder if it'd be possible (even if not practical) to simply make everything computery a damned sight simpler, so there'd be less code in which bugs could hide. The WP and spreadsheets I used on the Amiga were fine for anything I'd want to do with either type of application, and as I recall my last Amiga only had 14MB of RAM because I'd expanded it considerably, plus its HD was, I think only 200MB. And the OS was about 20MB?

    OK, so it won't run Kerbal Space Program, but it had email and hypertext browsing (I used IXG),

    OK, OK - I'll get my coat, though I shan't wear it - it's a lovely sunny day out there, beats sitting in front of a computer...

    1. phil 27

      Re: it's easy - take off your rose tinted spectacles and back away from the pc.

      It also had no memory protection so a single bug in a single application could bring down the entire host machine. It also supported no concept of permissions or different privilege layers during execution, nor protection to prevent a simple text handler from suddenly writing bytes into the main control registers for the bit blitter and doing bad things for instance.

      When you only ran a single application, didn't care about security and could just power cycle it when this happened then it was a minor annoyance. Today it would be unthinkable.

      I loved the Amiga, but systems engineering has progressed significantly since. And I have an accelerated Amiga and a peg2 ppc based machine running morphos next to me. And lovely as the peg2 is for demos and being responsive, it also has no mmu and falls flat on its face fairly often.

      1. patrickstar

        Re: it's easy - take off your rose tinted spectacles and back away from the pc.

        For desktop, sure, but what about mobile?

        I'd certainly prefer PalmOS to iOS, Android, etc. And it doesn't even have preemptive multitasking!

  18. jack d

    An easy (pragmatic) solution

    Ditch Windows for any Web or network related tasks, leave it only on airgapped machines/workstations used for running professional apps. You can send works thus created via your IT infrastructure based primarily on Linux.

    It is already 10 years I found Windows unusable on the Internet - why should anyone bother any longer. The costs related to Windows security are increasingly disproportionate to effects - remember the "God Mode"? Don't you think that a system with an architecture permitting such monstrosity has some other modes conveniently fired up - Government Mode or an Agency Mode? Or that perhaps some bright lads out there already have their own private Windows Mode?

    1. JC_

      Re: An easy (pragmatic) solution

      "God Mode"? You mean, the Control Panel view that lists the various helpers and utilities?

      Next you'll be getting all breathless telling us how you hacked into Google using tracert.
