How not to get pwned on Windows...
Switch to Linux.</sarcasm?>
Microsoft has posted the April edition of its monthly security update, which kills a bug that allows guests to escape to hosts on Hyper-V. A malicious app running in a virtual machine can exploit this flaw to drill down to the host server, execute code on the machine, and interfere with the system and other VMs. Which is bad …
>Why don't you have a look and count them.
Actually, I would be interested in an honest appraisal of such. On Win, Linux, OSX, which patches are delivering true OS, non-app, high grade vulns fix, such as remote exec flaws? Severity vs just volume, with CVE the judge. Anyone knows? Also pick one OS release on each end - Win 10 vs OS X El Capitan vs latest kernel Linux.
I think Windows, but am willing to hear counterarguments. As a cynical and open-eyed Apple user, I am more surprised that it doesn't get powned more often than blindly trusting in Apple's ability to maintain BSD-level security on their own code. They've had some doozies over the years and I've had friends get powned on Macs, very occasionaly.
Doubt I'll get a straight answer I can believe from too many here, though hopefully some of you certainly know it.
But one thing I think I can answer myself: which of those 3 OSs will, on desktops, require the most reboots to accomodate those patches? Which OS doesn't typically know and has the always helpful "may require a reboot" rather than stating so outright?
>Why don't you have a look and count them.
Actually, I would be interested in an honest appraisal of such.
Well I'm not certain that looking at the current numbers of patches is a valid comparison between Win and Linux. Simply because of Linux's install base compared to Windows and hence it's attractiveness to developers - both those who are trying to get stuff done and those who wish to exploit it.
Valid points between Windows and Linux, to an extent.
But OSX has pretty much the same userbase attractiveness wrt malware as Windows. And very few people bother to run AV software on it - I de-installed Sophos because it tended to hog CPU atrociously from time to time and, for the overhead, I was uncertain at its actual efficacy on Mac malware. I do have ClamAV, but only use to scan downloads. So, along with the capacity of its users to pay the Apple surtax, it would seem like a valuable enough malware target.
And, going back to Linux, there is plenty of $ to be made in server breaches.
I would also separate app & browser patches (IE, Edge) from OS level patches. After all, you can always run FF or Chrome on Windows. And browser vulns are only the OS's fault if the OS allows them to propagate - an OS should be totally paranoid about resident browsers at all times. While there is no doubt in my mind that Office macros are a cesspit of threats, that's not core Windows fault, even though MS as a whole does bear responsibility for them and patches them.
So, do we have any hard numbers besides the "yours has more bugs than mine" arguments that all sides quote with happy abandon? MS does seem to focus a lot more on security than it did 10 years ago, so are we still judging them from that time?
>> But OSX has pretty much the same userbase attractiveness wrt malware as Windows.
How do you figure that? How many companies create products that are relevant to < 10% of their potential customer base? Custom malware for a targeted attack yes, generic malware to maximise returns = no.
Very valid points about volume not being the only metric - clearly it isn't.
Security bugs are a fact of life in all software - the bigger the code base, the more you can expect. Saying "my OS is less likely to get pwned than your OS" is just stupid.
Another factor that affects bugs found is the number of people motivated to look for them. We all know that the "many eyes" theory spouted by the OSS hardliners is complete bullshit. Finding usable exploits costs time and money, and if maximising your return on said exploit is your goal, it doesn't take a rocket scientist to predict where most of the investment is going to go.
>>"Security bugs are a fact of life in all software - the bigger the code base, the more you can expect. Saying "my OS is less likely to get pwned than your OS" is just stupid."
It's not stupid. There are actual variations in security flaws between different OSs. Back in pre-Vista era, Windows was inherently less secure than GNU/Linux. That's no longer true. Windows is probably slightly more secure than GNU/Linux these days. And maybe that will change again over time - who knows. But it's not right to reject comparisons between OSs. It's useful. If nothing else, it keeps different vendors trying hard to compete in the area of closing down vulnerabilities.
>>"We all know that the "many eyes" theory spouted by the OSS hardliners is complete bullshit."
It's not "complete bullshit". It's a valid argument that Open Source benefits from people being able to inspect the source and find flaws. The problem is that the more complex the project, the more specialized you have to be to notice flaws. I can find a flaw in the MySQL source code. I can't find one in Firefox source - I simply wouldn't know where to start with their code base. But that doesn't mean that other people can't or that it's "bullshit".
The biggest security advantage of Open Source, though, is not guarding against accidental flaws, but against deliberate ones. It lets you examine the source for deliberate backdoors by the vendor. That has a lot of value, imo.
It's a shame it's just not true though, I received 50 Security Advisories from Red-Hat between the 2nd March and 7th April. I've often woken to seeing 10 or more come out in 1 night. Stop believing the hype that Linux or any OS is any more secure than Windows. It's just the sheer numbers of Windows desktops that make being pwned more likely however give your average Windows user a Linux desktop and don't apply the patches and they're just as likely to get pwned over time.
This post has been deleted by its author
Well, you can use your PC. You just have to be careful when using Windows. I might venture that one should be increasingly careful. As the malware writers game-up, you would be well advised to tighten your defenses wherever you can.
I'll avoid the Linux-Windows-Mac malware debate, except to note that efforts are being made to craft OSes which are less vulnerable to attack. None will ever be perfect, but Qubes, OpenBSD, and others present significantly higher hurdles for attackers to overcome.
So your PC is usable and you may even Goggle the Online in a relatively carefree manner. It's the OS setup you mostly need to worry about.
If you change the word "vendor" to "Target" you may have a point. Otherwise just more boring drivel. There is little reason for virus and malware creator/users to target obscure and little used operating systems. Regardless of what you think about Windows, it has a greater market share and thus will always be targeted by those criminals.
The second that other operating systems become more popular, these virus writing scum will make "product" that targets the more popular OS. This has already happened with Mac's and the other are next.
Smug pontification about the "superiority" of your brand of OS gets us nowhere.
This post has been deleted by its author
@Dan Paul
>Regardless of what you think about Windows, it has a greater market share and thus will always be targeted by those criminals.
That is what has been said for 20 years. We know now that it was always a lie. Far more people use Android than Windows. Over a billion more. There are more users of the Facebook app on Google Play than all the Windows users, all versions, worldwide. And they use Android more often, for more minutes each day too.
This lie is toast now. The insecurity of Windows is inherent in the design compromises they made to kill its early competition, and now they are stuck with them for backwards compatibility reasons. They fell into their own trap by taking shortcuts with security. The global malware ecosystem and industry are all theirs and they are welcome to keep them.
>>"Yet somehow your phone and tablet can be on the Internet wherever you go all day long with nary a twitch. It's almost as if there were a specific software vendor involved in all of this PC malware mess."
I'd lay good money that you would also be critical of the Windows Store. In fact, given that this is Mikel, long-time poster on El Reg. noted for virulent anti-Microsoft posts, I'd say it's almost a certainty you've been against it. Yet you compare Windows (open and free to install what you want) to locked down systems like iPads and Windows RT. If you can't see the relevant distinction between an iPad and a Windows OS machine is not vendor but user privileges, you're wilfully blind.
Oh, and you should check out Android sometime (the most popular OS used for phones) which even at one's most charitable could not be described as having "nary a twitch" when it comes to security.
Well, looking at the specific vulnerabilities - I only see one that's an immediate threat to me, plus a couple that could be threats in the medium term. The rest all target specific software or services that I don't use, or require a level of pre-existing access that, if someone else has it, I think I'm already boned.
So I'd call it irritating rather than sad. And the chance of actually getting hit by one of the vulnerabilities that isn't completely irrelevant, in the time between discovery/promulgation and patching? Slim.
Hmmm, let's not get too carried away now. Even on Windows, a bit of cleverness goes a long way:
- add a JS blocker like NoScript to your browser. Whitelist very selectively. prefer to whitelist temporarily.
- NoScript on FF can really act up at the most inconvenient times for ecommerce sites. Rather than turning off some of its paranoid settings, open up your secondary browser (Chrome for me) and complete your transaction there instead.
- never click on email links unless you know they are from your actual friends. be courteous and always provide a bit of personal chit-chat when emailing a link to someone, just so they know it's you and so they know that you expect that courtesy yourself.
- avoid Flash and Adobe Reader like the plague. Ditto Java applets.
- macros in Office docs you didn't write yourself? red flag!
- be wide-eyed, I mean extra-careful, around smut sites. never download 'extra required codecs' to view files.
- never run warez code. A crack generator? Whodathought I would be the one getting hacked?
- download mostly from at least somewhat competent download aggregator sites or open source repos.
- use your AV to scan what you've downloaded before running it.
- google up 'malware virus <name-of-something-I-want-to-install>' liberally.
- backup and take into consideration crypto ransomware when doing so.
- never, ever, reuse sensitive passwords, though there's nothing wrong with reusing 'foobar1234' on all the various websites you don't care about (sorry, The Register, that means you).
- encrypt your sensitive data in a mount-on-demand container like TrueCrypt. (be careful about TrueCrypt containers & backup sofware - TrueCrypt goes out of its way to keep file timestamps constant)
None of this is rocket science, nor very demanding. I spent years using primarily Windows at home without much ado.
Really ? If that were the case I would expect that faults in Secondary Logon would have been found and corrected last decade. It was introduced with 98, if I'm not mistaken, it's about time they ironed out the issues there.
Seriously, I have the impression that I've been reading more or less the same patch notes since Y2K. A "remote execution vulnerability" in IE and Edge, wow, what a surprise. The exact same wording in two different patches on the same day for both Microsoft browsers - thank goodness Edge does not support ActiveX, I might have been made to think that Edge is just a rebadge of IE.
It's nice that MS is patching obviously, but it would be nicer if I didn't have the impression that, whatever the version, they're always patching the same issues from last decade.
"Seriously, I have the impression that I've been reading more or less the same patch notes since Y2K. A "remote execution vulnerability" in IE and Edge, wow, what a surprise. The exact same wording in two different patches on the same day for both Microsoft browsers - thank goodness Edge does not support ActiveX, I might have been made to think that Edge is just a rebadge of IE.
It's nice that MS is patching obviously, but it would be nicer if I didn't have the impression that, whatever the version, they're always patching the same issues from last decade."
I'm thankfull I'm apparently not the only one feeling this !
Apparently, this time, it's only IE 9,10,11 & 12 (Edge). Most of the other weeks, it's IE 6-12, like if, IE 12 code was IE 6 minus AcriveX ...
The real question is how many of the 'security' updates include Windows 10 update malware.
"I mean really, so much of the hypervisor stuff is done in the hardware nowadays I'd think that someone was asleep at the wheel, a code kiddo, or a malicious agent. (Hmmmm.)"
I seem to recall Amazon, Rackspace, etc. having to panic patch a similar hole in KVM not so long ago?
The complexity lies in emulating all the hardware needed and/or providing interfaces for paravirtualization. The actual virtual machine management itself (i.e. fiddling with VMX or AMDs equivalent) is minimal.
Compare VMware Workstation for example (since it's what I have handy at the moment)
Actual thing that does what the CPU helps you with: vmx86.sys, 66KB
The rest: vmware-vmx.exe, 20MB
VMware might be the worst in this aspect (even on ESXi guests frequently have more hardware than the host!) but even if you shave it down to 1/5 that's still a lot of exposed code...
I'm a bit disappointed, I was presented with 13 updates for Windows 7 but not one critical, crucial, vital, essential, important, significant, major, decisive, historic (Guess who found his Thesaurus?), fateful, pivotal, precarious, urgent, serious, compelling patch to sneak in their GWX malware.
A month without the little cat & mouse game? Someone at Microsoft should lose their job due to this oversight. We know its not because they're listening to their customers.
How certain are you that Microsoft haven't snuck in a presently-dormant payload within one of the security patches which shall unleash itself in days or weeks to come to the "surprise" of those who haven't yet caved into their demands to install Windows 10? :P
Everyone will be caught off-guard and left wondering where the hell the latest nag or forced download and upgrade came from.
In all seriousness though I did give Windows 10 another go just a week ago. Still doesn't fly. My two major complaints (forced driver updates and configuration parameters which have a mind of their own) are still not resolved.
As a simple test; I installed the latest available ISO build of Windows 10 on a test system with its network interface disconnected and then set it all up. My privacy preferences, various operating system and application preferences, and so on. When I was done I hooked the network interface up and had Windows update itself. All good. Except that after the update half of my Edge preferences disappeared. At least one privacy setting and file association changed itself. And the "new" audio driver which Windows Update installed (which was in fact older than the one I installed manually) failed to install and broke the one which I manually installed. Now one could argue that RealTek makes crap drivers, but this is why I demand to control my own driver installations.
Sigh.
I feel blessed that my Win 7 PC has not been receiving the GWX nagware, despite my being a good little drone and updating it each month. It did appear briefly back in November then the PC went in storage for 2 months while I moved house, it hasn't come back since.
So, there you go, The real solution to avoiding Windows 10, just shut down your PC for two months and you'll be fine!
I'm waiting with interest to see what MS have planned for when their free "upgrade" offer expires. After all, the business imperative (for them) to get everybody onto W10 won't have gone away, and presumably the unrelenting nagging will have left only those who'll move in their own good time (corporates) or those who'll never move voluntarily. Having exhausted the potential of the carrot, what will the stick look like?
"I'm waiting with interest to see what MS have planned for when their free "upgrade" offer expires."
Most likely outcome:- The offer will be "generously" extended, either to some arbitrary point in the future or indefinitely (the latter of which will happen if the former is reached before everyone has taken advantage of (translation; been forced onto via weasellish bordering-on-malware abuse of updates) Windows 10.
Pretty sure they'll be more enthusiastically using the stick at that point too, though, since most people who haven't upgraded by then quite obviously don't want to and won't, if not forced or bullied into it.
I feel blessed that my Win 7 PC has not been receiving the GWX nagware, despite my being a good little drone and updating it each month.
Visited a client this morning and inspected two 'identical' Win7 machines (identical in that they are the same model and were purchased at the same time, run the same suite of software and had auto install of WuP etc.) one was displaying the "you really want to upgrade to Win10 now popup and the other didn't even know that Win10 existed - a new install of GWX found no trace...
"Windows, still held together with tape and bailing wire."
Actually I think it is user loyalty and market share which is holding it together. When Mark Zuckerberg comes up with a native Facebook OS, MS-Windows will be toast because it won't serve any purpose outside a business environment.
When Mark Zuckerberg comes up with a native Facebook OS, MS-Windows will be toast because it won't serve any purpose outside a business environment.
Out of the frying pan into the end of humanity.
I can't think of a more distasteful alternative to Windows or a worse scenario than a ubiquitous Faecebook OS.
So that would be either Android,or iOS now would it? Really the only reason I ever got on Facef[REDACTED]k was 'cause I needed something to do with this SmartThingy. Well that and the fact that such friends, and Family that I do have, are on it. Had this phase never happened , and somehow all was well. i.e better then it is today the PC were still King. I you couldn't have paid me to touch it.
"Windows, still held together with tape and bailing wire."
As an IBM Field Engineer explained to me, decades ago:
"Well, here's your problem. Yeah, someone found and fixed the physical interlock failure, but they used amateur (Scotch) tape! You have to use professional (filament) tape!"
Sure enough, filament tape enabled us to get through the night, until parts arrived the next day.
I miss "Earl the Pearl" (the IBM FE). He was a common sense farm boy, and impressed me with his ability to get things working until parts could be obtained and installed. I remember him scavenging batteries from our company cars and using vise grip pliers (for clamps) and spare wire to help us get through a different night, when a 24VDC supply went "South" and the replacement part wouldn't arrive for 12 hours.
It is just like a bad school report for the industry as a whole. Comparing Linux and Windows is useless, since both are written in 3GL's by humans, and it is just too easy to forget a bounds check here or there, reusing freed memory etc.
Although i believe that from a conceptual point of view, Linux is a bit more sound, at least most people won't browse with root under Linux, while it is common practice in windows (user with admin rights).
What a saddening company MS must be if they still have no clue about concepts like sandboxing, using reduced privileges in a web browser. Resources is hardly an excuse nowadays to run explorer in a solid VM, sealed off from the OS itself, prompting the user for anything the webpage wants to do with things on C:\. But ok, maybe reality is harder then is looks to a layman.
Windows (NT) has at one point existed for both of those, and a bunch more, so if there was a compelling reason for it I'm certain it'd reappear, or appear on an entirely new platform for that matter.
Hell, it wasn't even developed for x86 originally and rumor has it the x86 port was a skunkworks project.
But maybe they un-learned this since then?
Which one of these Updates has an additional Get Windows X NOW! Payload hidden with in it, or whatever bit of Malware i.e. additional tracking? The fainbois will howl like Monkey's, and likely downvote this to Hell.
But, if it has gotten as far down the rabbit hole, that someone should even have to ask this of all things, MicroSoft Updates. Then try apologizing first for that one first. As it's really not even a question that should have, had to be asked in the first place.The fact that they've done this, and will likely continue to do so.Should give most People here room for pause.
KB2952664 was hidden yesterday - but the other updates weren't applied. There was the IE11 "Security" update that was suspicious - and the link to its "non-security features" explanation doesn't go anywhere.
This morning it prompted again with the list of updates - and the pre-ticked KB2952664 was back again.
That virtual machine compromising the hypervisor machine is a bad one. I know at least one security consultantcy who spin up virtual machines to work on bespoke jobs to stop intra client propagation and blow it away afterwards, but who keep the original hypervisor machine installed all the time on their windows host machine.
Equally I know some orgs who are using virtual machine technology to replace machines in multiple security domains with a single virtual machine host with seperate instances. We flagged the potential for this scenario and were told it was impossible by design. Bit like when they introduced "secure cloud" etc. You've only got to have dropped the ball once to make a nonsense of things...
Still can't beat having electrically seperate machines. Unless your a beancounter.
Microsoft, if you are reading this, give us back some control. This is becoming ridiculous.
Really struggling here (and why you should really avoid Windows 10 1511 or using a Mac to do anything that doesn't involve OSX). Anything off the beaten track with Apple is a no no.
We need to run an older Nvidia Graphics Driver on an iMac in BootCamp running Win10 1511 (latest). It must not update/replace itself with a Windows Update Driver. Simple you say?
Windows 10 Update thinks it knows better, updates the Nvidia Driver to a generic newer Nvidia one through Windows Update (replacing the one from Bootcamp 5.1). The iMac freezes and is generally unstable with this Windows Update Driver (designed for PC's running Windows obviously). Oddly (which becomes important) Windows Update is offering two identical Nvidia Drivers at the same time. (Is this because the Bootcamp driver only supports Win8.1?, so is offering Win8.1 Update + Win10 Update)
I remove the updated Nvidia driver, replace it back with (older) BootCamp 5.1 Driver, Windows Update downloads and replaces (as above).
I've tried System->Advanced Settings->Hardware: Device Installation Settings, 'Do you want to automatically download manufacturer's apps and custom icons that are available for your devices'
Set to 'No'. Makes no difference - still downloads and installs.
I've tried using local Group Policy Manager to block Hardware Device Drivers by Hardware ID (but this still allows the Nvidia setup.exe to be run, hence installs all the support software, ovewrites everything, installing the driver a different way (that doesn't check GPM) shows all the software updated, machine freezes. Duplicates and leaves the older Nvidia 3D Control Driver in place.
Had some partial success with this, in that it prevents the BootCamp driver been reinstalled manually, but doesn't prevent Windows Update running Nvidia setup.exe files and reinstalling all the driver software, i.e with no graphics driver installed, this method prevents the BootCamp driver from been installed.
Tried setting Group policy for Downloads to Notify and download, still installs.
Tried using the KB3073930, to hide updates, doesn't work, because Windows Update is offering two identical drivers at the same time, if you hide one, the other is still visible, and installs.
Tried installing Powershell Windows Update Module add-on, using Powershell commands to prevent any Windows Updates beginning with 'NVIDIA', still installs, again because WindowsUpdate is offering up two identical drivers at the same time, catches the first, second installs.
Another option is to prevent execution of any drivers signed by Nvidia, and also prevent device drivers by Hardware IDs at the same time, but Windows Update still offers the Nvidia Driver for download, and then tried to install, filling the Windows Update log with multiple failed driver installs.
I generally know what I'm doing, how can something so simple have become so f'in frustrating!
FU Microsoft and you controlling tendencies.
Thank you for perfectly illustrating precisely why I possess an extremely strong stance against forced driver updates. It works very well in theory right up until the point where you are running a combination of parameters or requirements which Microsoft hadn't thought of and you're fucked.
This is why I say that it is absolutely arrogant and outright delusional for Microsoft to think that they know better than the billions of possible hardware, operating system and application configurations possible with modern computers.
Furthermore, and this especially applies with drivers; new doesn't always mean better. And this can become an even bigger issue on previous-generation hardware where unified driver packages tend to focus their optimizations on current-generation hardware.
If I have found a driver which performs well I do not wish to upgrade and risk either a system crash (instant loss of productivity) or performance degradation (gradual loss of productivity over time). What's more Windows Update can even go as far as overriding new drivers with older revisions.
Ugh.
Frettle some gruntbuglies or splurgle your gaggleblodgets instead. Just say NO to PCs.
Being serious for a mo, though, it does all make me wonder if it'd be possible (even if not practical) to simply make everything computery a damned sight simpler, so there'd be less code in which bugs could hide. The WP and spreadsheets I used on the Amiga were fine for anything I'd want to do with either type of application, and as I recall my last Amiga only had 14MB of RAM because I'd expanded it considerably, plus its HD was, I think only 200MB. And the OS was about 20MB?
OK, so it won't run Kerbal Space Program, but it had email and hypertext browsing (I used IXG),
OK, OK - I'll get my coat, though I shan't wear it - it's a lovely sunny day out there, beats sitting in front of a computer...
It also had no memory protection so a single bug in a single application could bring down the entire host machine. It also supported no concept of permissions or different privilege layers during execution, nor protection to prevent a simple text handler from suddenly writing bytes into the main control registers for the bit blitter and doing bad things for instance.
When you only ran a single application, didn't care about security and could just power cycle it when this happened then it was a minor annoyance. Today it would be unthinkable.
I loved the Amiga, but systems engineering has progressed significantly since. And I have a accelerated amiga and a peg2 ppc based machine running morphos next to me. And lovely as the peg2 is for demo's and being responsive, it also has no mmu and falls flat on its face fairly often.
Ditch Windows for any Web or network related tasks, leave it only on airgapped machines/workstations used for running professional apps. You can send works thus created via your IT infrastructure based primarily on Linux.
It is already 10 years I found Windows unusable on the Internet - why should anyone bother any longer. The costs related to Windows security are increasingly disproportionate to effects - remember the "God Mode"? Don't you think that a system with an architecture permitting such monstrosity has some other modes conveniently fired up - Government Mode or an Agency Mode? Or that perhaps some bright lads out there already have their own private Windows Mode?
"God Mode"? You mean, the Control Panel view that lists the various helpers and utilities?
Next you'll be getting all breathless telling us how you hacked into Google using tracert.