It's 2014 and Microsoft Windows PCs can still be owned by a JPEG

Microsoft has fixed security bugs in Internet Explorer and Windows that allow hackers to remotely execute code on victims' vulnerable machines – one bug a result of poor JPEG handling. Redmond said the March edition of Patch Tuesday – out today, natch – tackles programming errors in the software giant's web browser, operating …

COMMENTS

This topic is closed for new posts.
  1. Herby
    Coat

    Fix for IE6??

    Obvious:

    $>del IE6.exe

    Or whatever it is called. That should fix all the security holes and truly be bug free. Please do it NOW!

    1. Wibble
      Mushroom

      Re: Fix for IE6??

      $> del IE.exe

      There, fixed it for ya.

      Hmm, maybe we can improve that...:

      $>rm Windows.exe

      1. MissingSecurity
        Linux

        Re: Fix for IE6??

        Remember Windows doesn't like to give users any control so make sure its done properly:

        #> rm -f Windows.exe

  2. Gray
    Facepalm

    Striving to persevere to endure the never-ending ...

    365 days a year (+1 for Leap Year) the 'miscreants' can hammer on the Windows OS/Apps, except for those 12 magic days in which Microsoft urges its clients to urgently apply the monthly bandaids.

    After long striving to persevere to endure the never-ending story of patch, pray, and evade the slings and arrows of OS attacks, I've begun to wonder why XP has managed to survive, and why MS abandonment of XP will really matter ... really?

    If our existing anti-virus safeguards, and safe-computing practices have kept XP alive all these years of 30 days/month, 353 days/year naked exposure before MS deigns to release its patches, where's the worry? Nonetheless, after striving to persevere to endure this sorry never-ending story, we've opted for Linux -- SolydK on the wife's box, and PClinuxOS on mine.

    1. Anonymous Coward
      Anonymous Coward

      Re: Striving to persevere to endure the never-ending ...

      Phew, thank goodness after enduring that, there are never any updates for Linux or the software running on it.

      PS currently "patching" a Linux box.

      1. Anonymous Bullard
        Thumb Up

        Re: Striving to persevere to endure the never-ending ...

        "Phew, thank goodness after enduring that, there are never any updates for Linux or the software running on it."

        Oh there are... but the point was you get a patch as soon as it's available. And in most cases, security related patches are applied automatically, and that's not limited to the OS either.

      2. Anonymous Coward
        Anonymous Coward

        Re: Striving to persevere to endure the never-ending ...

        Mmmm... to be fair, you should also state the following measures:

        1- How many times your antivirus has detected a dangerous file in your OS?

        2- How many times your OS configuration has been altered without you realizing that? Such as browser toolbars appearing from nowhere, or your browser homepage changed?

        3- How many of your CPU and RAM your antivirus is devoting to protect your machine instead of doing other tasks?

        4- How long does it take from vulnerability discovery to patch time in each OS?

        5- How disruptive is patching?

        I curate and carefully keep both my Windows and Linux installs on all 5 machines in the house. In spite of that, my Windows/Linux scores on the questions are:

        (1) a few multimedia files trying to download malicious code disguised as multimedia codecs / none (I don't even run AV in Linux); those MP3 and AVI files simply don't play (audio) or display (video) a pathetic message suggesting I download a codec from a dodgy site.

        (2) a few carelessly installed programs that don't require elevated privileges (kids)/none

        (3) About 25% CPU and a few hundred megs of RAM/none (I don't have any kind of AV in Linux)

        (4) Depends on the whim of Microsoft, anything from days ("out of band because we can be sued to oblivion, lose all credibility or both") to weeks if it will be patched next patch Tuesday/usually 24-48 hours

        (5) I have to close the applications being patched and there is a nagging popup reminding me to reboot/nothing happens and I can keep working while the system is being patched. Sometimes I'm informed that some changes will have to wait for the next reboot.

        Plus, bonus final question: how do you know for sure that vulnerabilities discovered in Linux don't lurk somewhere inside Windows codebase? You don't know because you don't have Windows source code.

        Currently "patching" a Linux box, by the way. At the same time I'm converting some video files, using it to back up a Windows laptop and browsing the web.

        1. Anonymous Coward
          Anonymous Coward

          Re: Striving to persevere to endure the never-ending ...

          "Plus, bonus final question: how do you know for sure that vulnerabilities discovered in Linux don't lurk somewhere inside Windows codebase? You don't know because you don't have Windows source code."

          Oh, and you presumably carefully check through each line of source for every patch issued for your Linux machines, and have personally evaluated every routine in your OS (obviously including audio players and image viewers, even though you clearly don't lower yourself to such common offal as images and videos)?

          What's that? You HAVEN'T?? But, but, you said that...

          Damnitall, people, there are good reasons to use Linux. So why does it seem like Linux users never actually mention them?!

          Arguing that having the source to your operating system enables you to avoid security issues via advance knowledge makes about as much sense as claiming that your granpa-paw's shotgun is going to stop the US army.

          Sanctimonious git.

          1. Anonymous Coward
            Anonymous Coward

            Re: Striving to persevere to endure the never-ending ...

            "Oh, and you presumably carefully check through each line of source for every patch issued for your Linux machines, and have personally evaluated every routine in your OS (obviously including audio players and image viewers, even though you clearly don't lower yourself to such common offal as images and videos)?

            What's that? You HAVEN'T?? But, but, you said that..."

            I didn't say that. Read again just in case. The point is, anyone has the chance of doing it, as the stream of vulnerabilities discovered proves. What are the chances of doing it with Windows? (excluding of course being NSA/CIA/etc...) Zero. Nothing. Nada. So you have a non-zero chance (Linux) against zero chance (Windows). Either you trust a single private entity -whose interests may or may not include security- where at best a few individuals are reviewing code in a closed room, or a huge community that openly shares its discoveries. Which side wins?

            Guess that the majority of the world has already picked a winner.

            And there are many other reasons to use Linux, which is not the point of the article or the original post. Rarely will someone commit to use an OS for a single reason. But security is definitely one of them.

            1. Anonymous Coward
              Anonymous Coward

              Re: Striving to persevere to endure the never-ending ...

              "The point is, anyone has the chance of doing it"

              Uh, no. First, you only have a chance in theory if you're a good enough programmer that you're -better- than most of the people who worked on the code already, and have extensive experience with the same environment and tools. And you also need to have enough frhundreds to undertake a thorough security review of hundreds of thousands - millions? - of lines of code within the window of time in which you become aware (how?) of a potential vulnerability and when it is exploited by someone else.

              Essentially, to have even the slightest chance of efficacy, your argument - almost by definition - requires an average user to single-handedly have the knowledge, time, and skill of every hacker and security researcher in the world put together. By your own admission, one of Linux's strengths is that of vast numbers of individuals accomplishing things impossible for a single user - yet you expect a single user to gain an advantage from personally scouring every shred of those thousands' work, presumably on an ongoing basis?

              At least suggest something that passes the sniff test rather than another of the Linux zealots' bag of pompous, self-important encyclicals. You guys make Julian Assange look like a people person.

              1. Anonymous Coward
                Anonymous Coward

                Re: Striving to persevere to endure the never-ending ...

                You don't have to do it all by yourself, you can share the effort with the rest of the community. And you don't have to audit the whole thing, just the pieces that you use. You don't necessarily have to know how the code works to spot a buffer overflow, a double free or many other sources of vulnerabilities, there are even tools that automate that. And the better the code the more readable it is.

                Sure, it is not cheap or quick, or 100% safe, and it only makes sense to do when what is a stake is higher than the cost of doing it. But...

                Still having some chance, however small, beats having no chance at all.
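The post above says a reviewer "doesn't necessarily have to know how the code works to spot a buffer overflow", and the article it hangs off is about a Windows bug in JPEG handling. The following is an added example, not code from the page, from Microsoft, or from any commenter, and it is not the Microsoft bug (the article gives no detail about that). It shows the one check an auditor looks for in any JPEG marker-segment walker: the 2-byte length field that follows each marker is attacker-controlled, and a parser that copies `length - 2` payload bytes without first comparing `length` against the bytes actually left in the buffer reads, and often writes, past the end of it. The sample inputs are constructed by hand, not taken from real files.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Walk the marker segments of a JPEG header: SOI, then a sequence of
 * 0xFF-prefixed markers, most of which carry a 2-byte big-endian length
 * that counts the two length bytes themselves.
 *
 * Returns the number of length-carrying segments seen before SOS or EOI,
 * or -1 if the header is malformed or any length field points past the
 * end of the buffer. (Added example: a defensive walker, not a decoder.)
 */
int jpeg_count_segments(const uint8_t *buf, size_t len)
{
    size_t pos;
    int count = 0;

    /* SOI (FF D8) must be present; it has no length field. */
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;
    pos = 2;

    for (;;) {
        uint8_t marker;
        size_t seglen;

        /* Need the 0xFF prefix plus the marker byte. */
        if (len - pos < 2 || buf[pos] != 0xFF)
            return -1;
        marker = buf[pos + 1];
        pos += 2;

        /* EOI (D9) ends the stream; SOS (DA) begins entropy-coded data,
         * which this walker deliberately does not descend into. */
        if (marker == 0xD9 || marker == 0xDA)
            return count;

        /* RST0..RST7 (D0-D7) and TEM (01) are stand-alone, no length. */
        if ((marker >= 0xD0 && marker <= 0xD7) || marker == 0x01)
            continue;

        /* Two length bytes must fit before we read them. */
        if (len - pos < 2)
            return -1;
        seglen = ((size_t)buf[pos] << 8) | buf[pos + 1];

        /* THE CHECK. seglen came from the file. Reject seglen < 2 (the
         * field counts itself, so anything smaller makes "seglen - 2"
         * wrap) and reject any length larger than the bytes remaining.
         * Skipping this comparison is the classic JPEG parser overflow. */
        if (seglen < 2 || seglen > len - pos)
            return -1;

        pos += seglen;
        count++;
    }
}

/* Constructed sample inputs (hand-built for this example, not real files). */
static const uint8_t good_jpeg[] = {
    0xFF, 0xD8,                                  /* SOI              */
    0xFF, 0xE0, 0x00, 0x10,                      /* APP0, length 16  */
    'J', 'F', 'I', 'F', 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, /* 14 payload bytes */
    0xFF, 0xD9                                   /* EOI              */
};

/* APP0 claims 65535 bytes but only 2 follow: the oversized-length case. */
static const uint8_t bad_jpeg_oversize[] = {
    0xFF, 0xD8, 0xFF, 0xE0, 0xFF, 0xFF, 'J', 'F'
};

/* APP0 claims 16 bytes but the file is truncated after 3 payload bytes. */
static const uint8_t bad_jpeg_truncated[] = {
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I'
};

/* APP0 claims length 1, which would make "seglen - 2" wrap around. */
static const uint8_t bad_jpeg_wrap[] = {
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x01, 0xFF, 0xD9
};

int main(void)
{
    printf("good:      %d\n", jpeg_count_segments(good_jpeg, sizeof good_jpeg));
    printf("oversize:  %d\n", jpeg_count_segments(bad_jpeg_oversize, sizeof bad_jpeg_oversize));
    printf("truncated: %d\n", jpeg_count_segments(bad_jpeg_truncated, sizeof bad_jpeg_truncated));
    printf("wrap:      %d\n", jpeg_count_segments(bad_jpeg_wrap, sizeof bad_jpeg_wrap));
    return 0;
}
```

The point for an auditor is that the check is local: you do not need to understand Huffman tables or colour conversion to ask, at every `memcpy`/index that uses a file-supplied length, where that length was compared against the remaining buffer. Static analysers and fuzzers find exactly this shape of bug by feeding the walker the three malformed inputs above.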

                1. dogged

                  Re: Striving to persevere to endure the never-ending ...

                  > You don't have to do it all by yourself, you can share the effort with the rest of the community.

                  If you trust each and every member of that community with your bank details, yeah.

                  Face it, the "added security" of open source code is largely a placebo. It makes smug people feel a bit more smug. I personally code for several F/OSS projects. By your implication I am therefore wholly trustworthy. Shyeahright.

                  In practical terms, F/OSS is no more secure than any other code except in tiny projects.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Striving to persevere to endure the never-ending ...

                    "If you trust each and every member of that community with your bank details, yeah"

                    Exactly how is that related to a code audit? Really intrigued, last time I read some source code I did not have to give my credit card to anyone. If you had to do that, I'd suggest you call the police and tell them your story.

                    "Face it, the "added security" of open source code is largely a placebo"

                    Citation needed. It would be curious to know how the placebo effect applies to source code. How a machine feels (or actually is) more secure because someone told the machine that it was going to be more secure by running F/OSS? Oh right, you're referring to the people feeling more secure. Citation needed still, or at least anecdotal evidence?

                    The feeling of security, not only in IT but anywhere in life, comes from trust. So what you're saying is that in the end you trust Microsoft more than the F/OSS contributors to a project? Fortunately it is your choice and your security, not mine.

                    "It makes smug people feel a bit more smug."

                    Relationship between ability to inspect source code and smug needs to be explained, really.

                    "I personally code for several F/OSS projects. By your implication I am therefore wholly trustworthy. Shyeahright."

                    Best logic contortion seen in ages. Note that applying the same principle and your previous sentence, you're also smug.

                    I've coded for some F/OSS projects, and don't think anyone should put special trust in me. Quite the opposite, and that's why my code, being F/OSS, is becoming better, because more people looking at it can improve on it. Not only security-wise but in general.

                    1. dogged

                      Re: Striving to persevere to endure the never-ending ...

                      > Citation needed. It would be curious to know how the placebo effect applies to source code

                      It applies to the user, who believes him/herself protected and superior when s/he is neither.

                      1. Anonymous Coward
                        Anonymous Coward

                        Re: Striving to persevere to endure the never-ending ...

                        "It applies to the user, who believes him/herself protected and superior when s/he is neither."

                        The discussion is about security of the computer, not the feelings of the user.

                2. Slawek

                  Re: Striving to persevere to endure the never-ending ...

                  And why do you assume that all "members of community" have benevolent intentions? And if not, why do you assume that the malevolent will always be caught and exposed by the benevolent? (Remember Ken Thompson's compiler hack?)

                  1. eulampios

                    @Slawek and dogged

                    And why do you assume that all "members of community" have benevolent intentions?

                    Just the mere statistics. The Law of Big Numbers (quite an important topic in Statistics and Probability Theory) The fact that with an open code given enough popularity for the project, the chances are higher than in the case when it is proprietary.

                    @dogged

                    Why do you have to trust all developers? A few people might be enough to spot mistakes or malevolent intentions of those you don't trust. Once again, no code is available to examine, change and redistribute, you have to have a trust to one entity? How reliable is that?

                    Okay, who do we trust? Say, Adobe flash player, pdf reader? Yes, sure. No malevolent intentions are needed.

                    1. eulampios

                      64 bit version rewrites

                      Another example that stands out is skype with the shitty design, apparently, since Microsoft or the former code owner seem to fail the main principle of IT of modular programming. The current MS skype offering has no 64-bit builds for Linux. You gotta install a whole bunch of dependent libs emulating i386 if you run a 64-bit version of the OS (multiarch in Debian terms). It's still a shitty little app as far as the sound is concerned. Compare it with linphone a sip client for Linux/BSD/Windows/Android working flawlessly on each platform.

              2. earl grey
                Trollface

                Re: Striving to persevere to endure the never-ending ...

                make Julian Assange look like a people person.

                Ah ha ha ha ha....He is; but only if you're a female of the species.

          2. Rick Giles
            Linux

            @David W. Re: Striving to persevere to endure the never-ending ...

            "Oh, and you presumably carefully check through each line of source for every patch issued for your Linux machines, and have personally evaluated every routine in your OS..."

            All Linux users do review the code. They just don't admit to it as they don't want you Windows tw@'s to feel bad.

            Now go back to the rest of the Windows sheep and pay your licensing fees.

  3. bob, mon!
    Mushroom

    Update pushes "End of support notification" as well...

    I presume this is the pop-up nag window that's been bruited about lately. Since I don't intend to update my XP VM, I declined that particular "security patch".

  4. Anonymous Coward
    Anonymous Coward

    rollocks

    We have been told many times that Win7/Server 2012 are a complete re-write of the Windows code base. So judging from all the bugs that cover all versions of Windows, either MS re-wrote all the bugs from the old versions of the code, or they never learnt from their mistakes and authored new code including the same failures as last time, or, by Occam's razor, the simplest explanation is that they're lying and the rewrite never occurred: the most economic and profitable route was taken, a cut-and-paste job of bug-ridden old code, Windows dressed up in a new frock.

    Due diligence by companies should mean that the use of Windows in the enterprise is prima facie negligence. Windows has numerous security flaws, bad security and authorisation, is the biggest OS attack target and should be dumped immediately. Windows is not of merchantable quality, and a heavily invested enterprise should start the ball rolling by suing Microsoft for every penny they can get.

    1. Anonymous Coward
      Anonymous Coward

      Re: rollocks

      Actually, the simplest explanation is that if you use the same specification to write code, you end up with broadly similar bugs, if they are fundamental to the spec, rather than the code itself.

      That said, I wasn't aware that Win2012 was supposed to be a full re-write.

    2. John Smith 19 Gold badge
      Devil

      Re: rollocks

      "We have been told many times, that Win7/Server 2012 are a complete re-write of the Windows code base. "

      Funny how that works.

      Whole new code base.

      Whole set of old bugs.

      A strange definition of "backward compatibility" is it not?

      1. Anonymous Coward
        Anonymous Coward

        Re: rollocks

        > Whole set of old bugs.

        >

        > A strange definition of "backward compatibility" is it not?

        The benefit is obviously that the same set of patches can be rolled out on old and new code.

    3. adnim

      Re: rollocks

      EULA.

      Software is a product one can buy with NO guarantee of it doing what is said on the tin, or actually working at all. MS are not alone in this. I don't condone the use of weasel words in licencing agreements to avoid responsibility for providing an unfit-for-purpose product... It is just the way it is.

      One can accept this with software that is given away free of charge. It is generally the case that one gets what one pays for right? Not so with commercial software.

    4. Anonymous Coward
      Anonymous Coward

      Re: rollocks

      "Win7/Server 2012 are a complete re-write of the Windows code base"

      Never, ever heard that. Perhaps in the end user space this may be true for some components, but the kernel and base Win32 libraries have been essentially untouched for about a decade. Only bug fixes and additional support for hardware has been added, but nowhere near a complete rewrite.

      True, there has been some effort (at last!!!) in Server 2012 to separate GUI code from low level services, what they call "Server Core"

      But note that it has been achieved by patching APIs on non kernel components in places where they wanted to use the GUI. And that still legacy programs may require you to install GUI components on the server.

      A rewrite approach is far too risky given the sacred compatibility cow Microsoft has to pay tribute to.

    5. Not That Andrew

      Re: rollocks

      Don't know who told you that but they were lying or grossly misinformed. Vista was apparently originally meant to be a ground-up rewrite, but the rewrite was running way late and over budget, and fell foul of MS's Machiavellian internal politics, so it was cancelled and the Vista we got was based on the XP codebase.

      There are a couple of handy but minor new features under the hood of Win 8/Server 2012 but that's all. TIFKAM basically just sits on top of the Win32 APIs, much like the various wrappers they've cooked up over the years to make Win32 more palatable.

      1. jason 7

        Re: rollocks

        What I read was the original Vista code was going badly. Then the Head of the Vista Project found a small team using a very clean version of Server 2003 and they decided to switch to that.

        Hence the delays.

        1. Not That Andrew

          @Jason7 Re: rollocks

          My bad, yeah, Longhorn wasn't a rewrite, rather based on XP, but it did suffer from massive feature and scope creep and was dropped and rebased on Server 2003 SP1. That minimalist 2003 is what inspired MinWin, presumably. Pity that we will never see WinFS.

      2. Tom 13

        Re: rollocks

        If Vista had been based on the XP code base it would not have failed as miserably as it did.

        Or perhaps you haven't noticed all the recent articles bemoaning the fact that even with XP being EOL next month it still runs neck and neck with Windows 7 for installed user base with Vista and Win 8 falling far, far behind.

  5. Mikel

    This is not possible

    Trustworthy Computing pledge, since 2002. You're saying that in 12 years a company with Microsoft's resources can't figure out how to safely display a jpeg? That is not possible.

    1. Charles Manning

      MS Resources

      Dear Sir/Madam

      Your attempt to find programming resources has been forwarded to another division. All resources previously dedicated to programming have been reassigned to the FUD department, since this is how we now preserve our market monopoly.

      Yours

      Microsoft.

  6. Anonymous Coward
    Anonymous Coward

    Microsoft making good choices?

    Still supporting IE6, ending support for XP. Are you sure that's wise, sir?

    1. Tom 13

      Re: Microsoft making good choices?

      Oh I'm pretty sure they know it is unwise. Problem is they don't have a lot of choice.

      Having finally eliminated Netscape as a competitor, they assumed IE6 would be the forever IE. Then they linked in ActiveX etc. and told business execs they could code their intranet pages to execute OS code for company-only apps. And the business execs did, generating the lock-in MS desired. And then the business execs explained that because of the vast amounts of money invested in those apps, the lock-in was now a two-way street. Which is where we are to this day.

  7. arctic_haze
    FAIL

    If Microsoft ran the Post Office, you could be infected by cholera just by reading a postcard.

  8. Frankee Llonnygog

    Note to self

    When I go home tonight - uninstall Flash

  9. RyokuMas

    Bash, bash, bash...

    I especially like the way the headline is all about screaming at how vulnerable Windows PCs are (bonus points for getting "Microsoft" in there, and for not mentioning which versions), and then at the bottom, almost as an afterthought: "Oh, and Adobe released a fix too for a cross-OS vulnerability".

    Personally, I believe that there's no such thing as a vulnerability-free system. However, it's very easy to target the runaway market majority holder, especially when they've traditionally painted a bulls-eye on their forehead. And yes, it would be a lot better if patches were released as soon as possible.

    But this is just patch Tuesday. It's the way Microsoft have decided to do things as a corporation, and it's been that way for ages. No need to make a fuss.

  10. John Smith 19 Gold badge
    Unhappy

    You have to wonder...

    Does Microsoft keep a list of all the file formats it repeatedly has trouble with.

    So when they do a complete-from-the-bare-metal-absolutely-no-code-cut-and-pasted-nosiree-not-a-line rewrite you have a list of stuff-to-not-screw-up-this-time.

    One defense I've heard over the years is that MS has to patch its drivers because the hardware suppliers' versions are so p**s poor. It could be argued that at some level this format has to be actually rendered by some sort of display device and this is tricky.

    But then it's always been tricky, back since the days of Windows 1.0.

  11. Anonymous Coward
    Anonymous Coward

    "[Update] Internet Explorer to the latest stable release"

    Is there such a thing?

  12. Rick Giles
    Linux

    Microshaft should just give up

    And make a windows system that runs on the Linux kernel. Look at how well that works for Apple...

    1. Anonymous Coward
      Anonymous Coward

      Re: Microshaft should just give up

      Small point but important: Apple used a BSD Unix kernel. Linux was banned because Apple's lawyers could not find any way around the GPL.

  13. Stevie

    Bah!

    So job one is to write a start-up script that copies a file called Visa_Card_Details.txt to the clipboard.

    Said file to contain: "You know, all the cool kids are out getting laid, not poking around in my clipboard"

  14. Anonymous Coward
    Anonymous Coward

    Speaking of JPEG...

    ...What about Autorun?

    If a machine has IE6 (or reacts to %windir%, in some cases), it is bound to have a CD-ROM or USB bus with autorun enabled. I hope to God that was fixed permanently. Nobody proved (exhaustively) otherwise until now.

  15. Tex Arcana

    look, just get it thru your heads...

    ...if it's "Windows" and "Microsoft", it's malware.

    [/thread]
