
Awesome!
You, sir, deserve a beer!
A computer security outfit claims to have plugged an information leak in Windows that was publicly revealed by Google before Microsoft had a patch ready. Could this third-party patching become a trend? Last month, Google's Project Zero team disclosed details of a trivial vulnerability in the Windows user-mode GDI library: the …
I think MS have had their systems hacked with everything dire going on with them. That's not to say Linux is any better, but the beauty of hacked systems is that once you have got your exploit into a system, you can target individuals on an ad-hoc basis, which means the spooks/law enforcement of a country can't spot what's going on, let alone the IT security dept tasked with looking after govt & corporate systems.
Most people get lazy once in a secure job, so exploit that psychological trait et voila you have hacked most of the systems in the world.
>"Our security updates are tested extensively prior to release, and we recommend customers enable automatic updates to receive the latest protections when available."
"Our security updates are tested extensively after release, and we recommend customers enable automatic updates to test the latest protections when available."
TFTFY
Wyatt, you are right. Anti-Microsoft stuff aside, any vendor needs to test patches for vulnerabilities such as this thoroughly. Microsoft, for all their faults, actually do. If they rush a patch to market it may or may not fix the problem, and may introduce others. Especially a patch to the GDI library, as it's likely that most Windows applications do use some of the functionality of this library, even if indirectly.
It may be a good idea to patch via a 3rd party patch, but you have no way of knowing how thoroughly the patch has been tested, and you are also unlikely to have any warranty if the patch fails.
It's one thing to patch if you are a home user, and have one or two machines to fix if it goes wrong. As a computer geek, you might have up to 10. A system admin for a medium or large enterprise might be managing thousands, and might be running the risk of the bad patch disabling whatever remote management tool they use.
"any vendor needs to test patches for vulnerabilities such as this thoroughly. Microsoft, for all their faults, actually do"
You must look after different stuff to me then because increasingly Microsoft software fails in really common use cases with patches that blatantly can't have been well tested. There was a time I did believe that and it did seem to largely be the case, but not for a long time.
"We're unable to endorse unverified third party security updates," a spokesperson for Microsoft said. "Our security updates are tested extensively prior to release, and we recommend customers enable automatic updates to receive the latest protections when available."
Your security updates are extensively tested but still break things and get pulled.