Light patching for Windows tomorrow.....

Started by Gary, Nov 08, 2010, 11:33:21


Gary

Microsoft is planning a light Patch Tuesday for November with just three bulletins that collectively address a total of 11 security vulnerabilities.

The trio cover flaws in Office (and Powerpoint) for Windows, Office for Mac 2011 and Forefront Unified Access Gateway. The Office for Windows patch is rated critical while the other two updates are rated as important.

It's amazing how any company can put out a brand new product and a week or so later it needs security patches  :shake:

Note that a recently discovered zero-day vulnerability in Internet Explorer remains unfixed in this round of patches.

http://www.theregister.co.uk/2010/11/05/ms_november_patch_tuesday/
Damned, if you do damned if you don't

Rik

Well, they can't rush things can they, Gary. ;)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: Rik on Nov 08, 2010, 11:34:40
Well, they can't rush things can they, Gary. ;)
Office for Mac 2011 has been out about a week-ish (I'm avoiding it; it's buggy right now) and already it needs patching  ::)
Damned, if you do damned if you don't

armadillo

Quote from: Gary on Nov 08, 2010, 11:33:21

It's amazing how any company can put out a brand new product and a week or so later it needs security patches  :shake:

I think this is easy to understand. How many developers can Microsoft employ on, say, the OS? 100? 200? 50? Out in the wide world, there are perhaps several million clever script kiddies competing for the kudos of breaking it. 1 million people for one hour is approx. the same as 100 people for a whole year if they work 24 hours per day, or 3 years if they work a standard pattern.

Gary

Quote from: armadillo on Nov 08, 2010, 13:26:48
I think this is easy to understand. How many developers can Microsoft employ on, say, the OS? 100? 200? 50? Out in the wide world, there are perhaps several million clever script kiddies competing for the kudos of breaking it. 1 million people for one hour is approx. the same as 100 people for a whole year if they work 24 hours per day, or 3 years if they work a standard pattern.
I see your point, but a week? That still seems a bit of a blunder. If software built from the ground up to be more secure is not in just over seven days, well, I do wonder if I will just use a 'Bic' style laptop online and keep my main machine patched but more isolated.
Damned, if you do damned if you don't

Lance

Of course, it's more likely that the problem was identified at some point after the software went RTM, so it could be at least a week.
Lance
_____

This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

I agree that testing will continue after product release.

I also think that the importance of security patching for clued-up home users is very overrated. In a corporate environment, you have to do it because you never know when someone will do something silly.

Gary

Quote from: Lance on Nov 09, 2010, 10:30:10
Of course, it's more likely that the problem was identified at some point after the software went RTM, so it could be at least a week.
True, Lance. Maybe it's just that the drive to find holes is greater now than it ever was, and the promise to find them in the coding stage is harder to achieve than people thought.
Damned, if you do damned if you don't

esh

Quote from: Lance on Nov 09, 2010, 10:30:10
Of course, it's more likely that the problem was identified at some point after the software went RTM, so it could be at least a week.

Absolutely. Half the software (games or otherwise) I purchase these days has half a dozen patches immediately after I've installed it. I have no idea why people are flipping out over this at all -- most of the points have already been listed.
  • Manpower limit - there is only so much one man can test
  • Time limit - Eventually those CDs have got to be pressed
  • Hardware limit - some inconvenient berk out there is going to try and run it on a Cyrix 100 or something
  • Popularity - it's not only popular software, but it's popular to try and hack it, and popular to bash it when people *do* hack it
  • Internet proliferation - pretty much everyone who runs modern software has net access for patching (laziness or convenience? you decide)

The open source motto for product releases is typically 'release early, release often'. Okay, you don't have the source code to hand to fix it yourself, but I suspect hardly anyone bothers to fix Linux/OpenOffice/etc bugs themselves either. As long as Microsoft patch them in reasonable time -- of which yes, they have had a spotty history, but I think a week is good -- then all is fair and well. No bit of software is going to be perfect on release, or probably *ever* be perfect. The best you can do is read the bug reports, prioritise them, and fix as best you can.
CompuServe 28.8k/33.6k 1994-1998, BT 56k 1998-2001, NTL Cable 512k 2001-2004, 2x F2S 1M 2004-2008, IDNet 8M 2008 - LLU 11M 2011

Gary

Quote from: esh on Nov 09, 2010, 12:45:14
Absolutely. Half the software (games or otherwise) I purchase these days has half a dozen patches immediately after I've installed it. I have no idea why people are flipping out over this at all -- most of the points have already been listed.
  • Manpower limit - there is only so much one man can test
  • Time limit - Eventually those CDs have got to be pressed
  • Hardware limit - some inconvenient berk out there is going to try and run it on a Cyrix 100 or something
  • Popularity - it's not only popular software, but it's popular to try and hack it, and popular to bash it when people *do* hack it
  • Internet proliferation - pretty much everyone who runs modern software has net access for patching (laziness or convenience? you decide)

The open source motto for product releases is typically 'release early, release often'. Okay, you don't have the source code to hand to fix it yourself, but I suspect hardly anyone bothers to fix Linux/OpenOffice/etc bugs themselves either. As long as Microsoft patch them in reasonable time -- of which yes, they have had a spotty history, but I think a week is good -- then all is fair and well. No bit of software is going to be perfect on release, or probably *ever* be perfect. The best you can do is read the bug reports, prioritise them, and fix as best you can.
It's down to cost; holding back costs. They have a known list of bugs, but anything they consider not a deal breaker they leave till later versions, which makes sense. It just seems a pity that security is included in that, possibly.
Damned, if you do damned if you don't