Patch Tuesday heats up with pair of exploited zero-days squashed – plus 58 other vulns fixed Microsoft and Adobe have teamed up to deliver more than 70 patches with this month's Patch Tuesday batch released today. Microsoft contributed the bulk of the fixes emitted this month, kicking out updates for 60 CVE-listed vulnerabilities in its products. These should be installed as soon as you're able to test and deploy them …
There's much to do about everything, El Reg, but Microsoft patching holes in its DODGI Operating Systems will not make any great difference. And to think that they don't already know that is either a)risible or b)another systemic vulnerability for future exploitation and non patching.
and who still uses anything by Adobe [that isn't a decade or so old] ?
Flash Player - people STILL use that?
Acrobat Reader - I bought a re-conditioned PC a couple of years ago [came with Win 7, 'while I could get one' basically] and it had Acrobat Reader pre-installed.
THE @#$%'ing THING WANTED ME TO LOG INTO IT AND REGISTER MY E-MAIL ADDRESS! Bit-bucket.
Don't blame the people. No one wants to use Flash. But it's because of stupid outdated websites and web apps that companies and governments don't bother upgrade to HTML5 or something similar
There are still critical websites using Flash, rendering them useless on mobile phones. Pure laziness
IMO it's incomprehensible that Microsoft has zero accountability
Any liability is mediated by their ability to provide patches which, thus far, have been accepted as sufficient redess.
To be clear this covers all software where it is not possible to determine negligence. But, while it covers exploits due to sloppy programming, it also covers exploits of code that, at the time of writing was considered safe, with the exploits based on techniques that have been subsequently developed; cryptography being an obvious example.
I suspect that over time legal interpretation might change as software finds its way into more and more products and the difference hardware and software blurs, but at the moment that is the case.
"I suspect that over time legal interpretation might change as software finds its way into more and more products and the difference hardware and software blurs, but at the moment that is the case."
I honestly think this idea needs to speed up. Too many software houses are pushing out shit (not properly reviewed / tested) code and expecting the public / customers to simply accept this as the status quo. Would we accept this level of ineptitude in the physical world? Absoutely not!
Can you imagine it, a bridge gets built, but then needs to be closed 18 thousand times for patches
When (and some might argue this is now) poorly coded software starts affecting peoples lives, there needs to be some accountability for shonky sloppy coding, simply putting a user license agreement saying you are not responsible for jack shit is not good enough anymore
If your software needs to be patched, time and time again, and then some more, you need to take a introspectional look at your software development cycle, perhaps not enough money is being invested into the testing phase and as a company you have decided to kick that particular conundrum down the path
I should mention the Tesla (BETA) autopilot which had a disclaimer to the driver that if they enabled it they acknowleged it was still BETA and accepts the risks with no liability to Telsa.
What the actual fuck, what choice did other roads users get?
This is the kind of "we're not responsble" malarky that needs to fucking change
Honestly, when you have a government which doesnt know the difference between a hashtag and hashing, what chance do we have to have a government to properly legislate for this technological clusterfuck waiting to happen. I'm no luddite but some people need to wake up and smell the impending technological signularity, before its too late
Can you imagine it, a bridge gets built, but then needs to be closed 18 thousand times for patches
Most bridges are designed to be single-function, mostly solid, mostly immovable objects, though, and meant to last for centuries; you can't say the same for any general-purpose OS. Bridges do receive regular maintenance to keep them fit for purpose (well, maybe not in Genoa), and are occasionally closed for things like widening, repairing the roadbed or even adding suicide nets, not to mention for carrying out repairs for damage caused by storms, floods and/or earthquakes.
That said, patching Windows does occasionally feel like painting the Forth Road Bridge. And they don't even have to repaint that every year now.
"you can't say the same for any general-purpose OS"
Ok fair points, my analogy probably isn't the best. But still the point I was trying to express is that of lives being lost due to poor cultural practices. It's become a common and normal practice to patch "bugs", lets be clear here, they are blunders and we should refer to them as such. Some of these blunders result in serious harm.
At what stage in our technological development do we stop and say enough is enough, this shit needs to be properly frameworked into a best practices and enshrined in law. Companies are profiting from their shonky untested code, and we will start seeing it costing peoples lives.
Have company executives gone to jail because of negligence?
Yes
Could we see technology company executives going to jail because of negligence.
I hope so
Given the events in Italy, that's a really bad analogy.
It's a good analogy if perhaps a little insensitive. The collapse is an example of the kind of catastrophic failure that physical products suffer from. We'll have to wait the results of the investigation to see what caused the failure, but if it is not the design or a original installation then the point stands.
The term zero-day for the most part means what you think it means, unknown to anti-virus definitions for example
But there can be "in the wild" zero-day expliots, meaning they are actively being exploited, but not sufficiently protected against. They are however still zero-days, but hopefully not zero-days for long.
Hope that makes sense
Anyone who believes you can simply kick out a fix for something in a few days is ignorant about the process... and a moron for not taking the time to learn a bit more about it.
First off... nearly anytime you increase security--albeit slightly--you impact usability. Therefore, it must be tested by security and users. Many times, it must be tested against a load of different software to ensure it doesn't negatively impact them.
Just like chess, when you move a piece to strengthen your position, you also create a weakness because you're no longer defending areas where you once were.
So... the entire operation, usability, security, etc. must be checked, attacked, worked with etc. Sometimes, it isn't fixed during the first iteration, so it must be done over.
This does take some time. If you think you can do better, and teach people something they don't know... then by all means, step up and jump froggy jump! It's easy to be a beotch and complain about something, when you're a moron.
Sometimes it's better to keep your mouth shut and let people think you're an idiot, than to open it up and remove all doubt.
"This is patently not true."
I beg to differ....
you can make a computer that is completely secure, guaranteed not be be remotely compromised. guaranteed to be impervious to physical compromise. guaranteed to never crash.. guaranteed the data stored in it to remain on it, unaltered and uncompromised.
but to make it useable, the compromise you make is you have to take it out of the Inconel box it is encased in, plug in a power supply, attach a keyboard and display and if you really need to, connect it to a network. then its useable but not entirely secure.
Why after all these years do we not have a FIXED operating system?
They will never finish the bloatware because they sell subscriptions not product!
All you people seem to forget your buying into a LIE.
Wake ALL up stupid people.
When you buy a toaster machine, does it only toast when it wants and only in one small corner?
No it does as advertised, it toasts to your needs.
This is called a requirement.
You need to know what your requirement is!
Wake up, smell the coffee.
Your all acting like SHEEP.
Move to another operating system which you don't even have to pay for.
You may note, however, that the alternative software is being continually patched and has not sprung fully formed from the godlike brow of a super-penguin. Some patches may even be to correct hitherto unnoticed security vulnerabilities and coding errors. Some of which have been present for 10 years or more.
On the subject of Windows, how much did you pay for your copy? Almost certainly less than £100. Many will have paid significantly less. How much dedicated manpower do you think this will fund over the perhaps 10 years or more you will be using this system? [Looking at you, XP.]
If, as some seem to be proposing, software suppliers are held accountable by law for any defects in the software then how long do you expect nominally free or low cost software to be available? No revenue stream, serious legal liabilty, you do the cost/benefit analysis. Do you expect a one-off sale to carry expensive legal liability in perpetuity?
TANSTAAFL.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
