Patch Tuesday brings bug fixes for OpenSSL, IBM, SAP, Kubernetes, Adobe, and Red Hat. And Microsoft, of course

For December's Patch Tuesday bug bonanza, Microsoft handed out fixes for a mere 58 vulnerabilities while various other orgs addressed shortcomings in their own software in separate, parallel announcements. On the one hand, vendors glommed to Microsoft's Patch Tuesday on the pretense that users and system administrators could …

  1. Kev99 Silver badge

    A hundred bugs a month for Microsoft. You'd think by now Microsoft would know how to code safe and secure applications. Yugos had better quality control.

    1. James12345
      Facepalm

      Given the number of products Microsoft provide, I think 100 a month is probably just scratching the surface. Every complicated software product has many programming flaws. Kick Microsoft if you want, but you'll be better off understanding FOSS is no better and your preferred vendor will be just as bad.

      1. FlamingDeath Silver badge

        I know one thing for certain, I want to be a passenger of an aeroplane flown by a competent pilot.

        Does Microsoft or any other tech company have any of these competent pilots?

        1. TheMadBadger
          Joke

          Probably not, but it would explain some of the bugs!

    2. sabroni Silver badge
      Facepalm

      The article starts by detailing how every other software company is using Patch Tuesday to hide their own problems.

      Good to see that it's working.

      1. Santa from Exeter

        Red Hat patches

        The issue there is that the article then goes on to name Red Hat, who certainly don't do this as they release patches as and when needed, not once a month.

  2. Anonymous Coward

    Is that placeholder for an Adobe "Fix" just an uninstaller

    because that would be great....

  3. Anonymous Coward

    "don't forget Google has emitted a bunch of security fixes for Android"

    Pity they forgot to build it with an update mechanism, eh?

    (Yes, I realise that finally they managed to bodge it in, but that doesn't help the millions out there with older, unpatchable Androids. Remember how many Googletards there used to be on here explaining how it was impossible for Google to provide updates?)

  4. RosslynDad
    Headmaster

    Every Day is a Schoolday

    Thanks for introducing me to "glommed" - I'll be dropping that into casual conversation.

  5. Michael Wojcik Silver badge

    OpenSSL bug

    In case anyone's concerned: The OpenSSL issue is rated High because it's a potential DoS, but nothing more than that - it's a null dereference. And in practice it probably doesn't affect many applications. The most plausible attack vector involves a malicious certificate and a malicious CRL. Some applications check received certificates for CRL access points, and then use those to try to download an updated CRL, which would make that attack feasible; but it's not trivial to implement that using OpenSSL (it requires using various fairly-obscure OpenSSL APIs and using some sort of HTTP client), so I believe it's relatively rare.

    Of course there's something to be said for updating to the latest 1.1.1 release, and if you're on 1.0.2 and don't have a support contract you have bigger problems. But this isn't one that most people have to scramble over.
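A triage helper for the exposure pattern described in the comment above, where an application reads CRL distribution points from certificates and then parses a downloaded CRL. It is an added example, not part of the comment or of OpenSSL; the grouping of OpenSSL API names, the verdict labels and the sample sources are assumptions made for illustration.

```python
import re

# OpenSSL API names grouped by the role they play in the pattern described
# above. The grouping is this example's assumption, not an official list.
SIGNALS = {
    "reads_cdp": re.compile(r"\b(NID_crl_distribution_points|CRL_DIST_POINTS|DIST_POINT)\b"),
    "loads_crl": re.compile(r"\b(d2i_X509_CRL(_bio|_fp)?|PEM_read(_bio)?_X509_CRL|X509_STORE_add_crl)\b"),
    "crl_check": re.compile(r"\bX509_V_FLAG_CRL_CHECK(_ALL)?\b"),
}

# Match string literals first so a "//" inside a URL is not taken for a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)

def strip_comments(src):
    """Drop C comments (keeping string literals) so commented-out code is ignored."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else " ", src)

def triage(files):
    """files: {path: C source text}. Returns (verdict, {signal: [paths]})."""
    hits = {name: [] for name in SIGNALS}
    for path, src in sorted(files.items()):
        code = strip_comments(src)
        for name, rx in SIGNALS.items():
            if rx.search(code):
                hits[name].append(path)
    if hits["reads_cdp"] and hits["loads_crl"]:
        verdict = "review-first"   # follows CRL pointers taken from certificates
    elif hits["loads_crl"] or hits["crl_check"]:
        verdict = "review"         # uses CRLs, but where they come from is unclear
    else:
        verdict = "low-priority"   # no CRL handling found
    return verdict, hits

# Constructed sources, not taken from any real project.
SAMPLE = {
    "tls_client.c": "SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);"
                    " /* TODO X509_V_FLAG_CRL_CHECK */\n",
    "revocation.c": 'const char *fallback = "http://crl.example/";\n'
                    "dps = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL);\n"
                    "crl = d2i_X509_CRL_bio(http_body, NULL);\n",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "review-first" verdict only flags code for manual inspection; it does not establish that the code path is reachable with attacker-supplied certificates and CRLs.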
