A hundred bugs a month for Microsoft. You'd think by now Microsoft would know how to code safe and secure applications. Yugos had better quality control.
Patch Tuesday brings bug fixes for OpenSSL, IBM, SAP, Kubernetes, Adobe, and Red Hat. And Microsoft, of course
For December's Patch Tuesday bug bonanza, Microsoft handed out fixes for a mere 58 vulnerabilities while various other orgs addressed shortcomings in their own software in separate, parallel announcements. On the one hand, vendors glommed to Microsoft's Patch Tuesday on the pretense that users and system administrators could …
COMMENTS
Wednesday 9th December 2020 06:58 GMT James12345
Given the number of products Microsoft provide, I think 100 a month is probably just scratching the surface. Every complicated software product has many programming flaws. Kick Microsoft if you want, but you'll be better off understanding FOSS is no better and your preferred vendor will be just as bad.
Wednesday 9th December 2020 08:30 GMT Anonymous Coward
"don't forget Google has emitted a bunch of security fixes for Android"
Pity they forgot to build it with an update mechanism, eh?
(Yes, I realise that finally they managed to bodge it in, but that doesn't help the millions out there with older, unpatchable Androids. Remember how many Googletards there used to be on here explaining how it was impossible for Google to provide updates?)
Wednesday 9th December 2020 20:14 GMT Michael Wojcik
OpenSSL bug
In case anyone's concerned: The OpenSSL issue is rated High because it's a potential DoS, but nothing more than that - it's a null dereference. And in practice it probably doesn't affect many applications. The most plausible attack vector involves a malicious certificate and a malicious CRL. Some applications check received certificates for CRL access points, and then use those to try to download an updated CRL, which would make that attack feasible; but it's not trivial to implement that using OpenSSL (it requires using various fairly obscure OpenSSL APIs and using some sort of HTTP client), so I believe it's relatively rare.
Of course there's something to be said for updating to the latest 1.1.1 release, and if you're on 1.0.2 and don't have a support contract you have bigger problems. But this isn't one that most people have to scramble over.