Stuck at home? Need something to keep busy with? Microsoft has 115 ideas – including an awful SMBv3 security hole to worry about Microsoft has emitted more than 100 fixes in its March batch of security updates. The Patch Tuesday release includes 115-CVE listed flaws, including 26 classified as critical security risks. None of the flaws have previously been disclosed or exploited in the wild. One particularly nasty remote-code execution hole revealed …
Not a programmer. Designing software for a home or business PC.
There would be an operating system, which tells the computer what to do.
There would be programmes, which the OS runs to let the users use to do stuff to data.
And there would be data, which the user creates or views
And all three would be separate. And there would be strict rules about what could be passed down from the data ( call that the outer ring) to the programmes and then to the centre ( call that the kernel).
Data would only be allowed to change or address superficial components of the programmes; what to display, what to operate on etc. Stuff that used the programmes' features and nothing else.
Likewise the programmes would tell the core where to store data files, which (permitted) operations to perform with it and nothing else.
And the OS would perform the operations that it is permitted to, with the programmes. And nothing else.
That's how users imagine these things work.
Then programmers come along and spoil it.
To a user data is the stuff they read and write. Programmes are the things that make,show and change the data, then save it and bring it back.
Users make and use data.
Programmers make..... programmes, that do things to the data
Microsoft and Apple make Windows/macOs that they need to start the computer and make the programmes work.
And that's how it should be
And the point is that from the users' viewpoint the control should run OS to programmes to data. But never the other way round. Access to programmes and OS to make changes/updates should go though a very narrow route and not some random code inserted in a web page.
It may not be how it is in real life. But it's how the users have every right to expect it to be.
Everyone in IT who didn't already know this should have learned it in the first week of November 1988.
*1 That's how users imagine these things work.
*2 And they do know they're using Word and that's in Windows, which is the thing that starts the computer- even if they have no idea what exactly it does. And they know that Windows 10 replaced 7/8. And ditto with what their Macs use.
They even know what version of Android/iOs they have on their phones, for the most part.
You are lucky if your user have no idea.
For what I saw, there are indeed such users. But among others, one can find:
- Those who assume it is magic ("Oh, you need time to think before acting ?")
- Those who believe they know. <= ALERT Call for troubles
Note this is not specific to computer science, BTW
If you are complaining about Bloat's design it has roots in the CPM/DOS days when there were no hard drives or networks. PCs were completely standalone devices that had exactly 1 user and only 1 user with input either from a keyboard or a file on a floppy. Output was often printed. There were many design decisions that made sense in the old days but have consequences when computers are networked together and it is possible for code from different 'users' to be running simultaneously on the box.
The saving grace of Linux and BSD is they are Unix derived/based. Since Unix was designed for a multiuser environment there were design decisions made that make it more secure.
Back to the bugs at hand, it is unclear which ones are due to ancient design decisions (probably none) and which ones are due to bad code (probably all). Buffer overruns are a programming problem.
At least M$ decided to not change the settings for LDAP Channel binding and LDAP signing, which would have definitely been a 'hair on fire' emergency on the scale (or worse) of the infamous CredSSP Encryption oracle fix.
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
Apparently, enough large companies complained loudly enough to their TAMS and other high ups within Microsoft, so while it's still good security practice, they decided to not break stuff with this patch update. Either that, or someone in the update chain is learning that Breaking Stuff In the Name of Security is not necessarily a good thing.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
