Mine can't, at least not via any of the issues listed in the article.
Microsoft delivered another hefty bundle of patches with its scheduled monthly update.

Redmond bulks up for Vancouver

The March edition of Patch Tuesday lands just hours before researchers are expected to flaunt their latest and greatest exploits at the CanSecWest Pwn2Own hacking competition in Vancouver. Hopefully nobody was …
Genuinely interested in finding out the answer to this. Given there are so many vulnerabilities found and they keep patching the code, are the fixes they make likely to open up more vulnerabilities or break fixes for old ones? It seems never ending, and I do realise just how big these code bases are; it just amazes me that they can never ever get near fully secure.
Patches are a useful place to go looking for old flaws, and these can sometimes point at new flaws.
You can never get an "informally" developed OS like Linux, Windows, Mac OS completely correct. Even the venerable VAX VMS is still yielding bugs 30+ years on. There are simply too many ways (gazillions) in which sequences of system calls can be strung together with varying parameters to allow exhaustive testing. Kernel fuzzing is all about trying out random stuff and seeing what combinations work.
Instead you have to design the OS "formally"; that is pretty unusual, because it means the OS, the compiler, the library, the CPU and major peripherals all have to be expressed in a kind of maths (a formal specification language), and then do a load of algebra to prove that process A cannot access process B's address space, etc. Then you have to implement it, and formally show that what has been written and built implements that maths.
This is sooooooo far removed from what most programmers want to do that it's almost never done.
There's Green Hills' INTEGRITY 178B OS, which is excellent, and that's about it. But even that is based on the assumption that the silicon it's running on is perfect, and as Meltdown and Spectre have shown that's far from guaranteed. As it happens INTEGRITY is a hard real-time OS, with fixed runtime allocations, so it's probably quite difficult to do a timing side-channel attack.
"Given there are so many vulnerabilities found"
I'm not sure if you mean by Microsoft, but did you realise that Edge has far fewer CVEs than say Chrome since launch and that Windows 10 has had far fewer CVEs since launch than say a similarly specced commercial Linux distro install or OS X?
"are the fixes they make likely to open up more vulnerabilities or break fixes for old ones?"
Microsoft have not introduced many known regression-type security flaws.
"I'm not sure if you mean by Microsoft, but did you realise that Edge has far fewer CVEs than say Chrome since launch and that Windows 10 has had far fewer CVEs since launch than say a similarly specced commercial Linux distro install or OS X?"
I don't think this was a pissing contest question.
"'I'm not sure if you mean by Microsoft, but did you realise that Edge has far fewer CVEs than say Chrome since launch..."
It does, but it's a meaningless statistic as the launch date difference is significant. Per month since launch both Edge and Chrome have had a very similar number of bugs on average (Edge ever so slightly more). What's of concern is that over 60% of those bugs for Edge involve RCE, like many of these new ones too.
So the moral of the story is, if you want a secure browser then use Chromium. :)
"it just amazes me that they can never ever get near fully secure"
Nothing can ever be made fully secure. The best you can hope for is to make attacks uneconomical. The problem is that economics change over time -- what was uneconomical 10 years ago is cheap to do now, so there will always be the need for security patches in any system as time and tech moves forward.
Just two of the 75 Microsoft bugs squashed this month have been publicly disclosed.
Interesting. By this, is MS not telling what's being fixed, or were the bugs not disclosed publicly? Either way means they could be slipping something under the door. They tried burning us on Win10, why not try for something else?
So, er, let me try to digest and understand that ...
You think that by not disclosing security vulnerabilities (of which the vendor is aware) to the world at large before the scheduled fixes are rolled out Microsoft is up to unspecified "evil" bad things?
Hmm, you could be right - just to be safe I propose a second layer of tinfoil. That might stop Nadella watching you through your screen.
Example: if a given something (like a Risk item) that might, or might not, happen, and there's zero information about the odds, then the odds may be assumed to be "fifty / fifty". A more experienced manager would actually set the assumed odds to "one-third / one-third / one-third", because they'd already know that in addition to 'might' and 'might not' happen, there's also the distinct possibility that 'something else entirely' could happen instead.
Using this basic method, and given "75 Microsoft bugs squashed this month", how can we estimate the number of bugs remaining in Windows?
If you casually walk past a huge (mile-high) haystack, look down and can see 75 needles, then you might be able to extrapolate to guesstimate the total number of needles in the haystack.
Somebody somewhere (a Statistician) must have the skills and info at hand to produce a reasonable guesstimate of the number of remaining bugs in Windows. I would have guessed about three million, but now it must be closer to 2,999,925.
I don't expect my car to be "updated" every month. Why should I have to put up with that for my computer?
The answer, I suppose, is that computers are orders of magnitude more complicated. I therefore have doubts about the results of human work subject to commercial necessities. Would I trust a CPU + other bits designed by AI? Hahahahahahahaha.
I do wonder whether in the secret world somebody has a validated toolchain of hardware and software.
"The answer, I suppose, is that computers are orders of magnitude more complicated."
If we're talking about security patches, that's not the answer. The real answer is that your computer is exposed to the internet and your car isn't. That is a large attack surface that is exposed to a large number of threats that constantly evolve and change.
Your car doesn't have to face that. If it did, then your car would be getting regular updates as well. In fact, the latest cars that are so connected do, in fact, have to do that.
It's not about "flaws". It's about an ongoing arms race.
Biting the hand that feeds IT © 1998–2021