Time to get a better O/S
AmigaOS doesn't have any security updates this month.
Hey, I'm just sayin'...
Microsoft has released 13 bulletins, covering 26 vulnerabilities, as part of a bumper Patch Tuesday. All supported versions of Windows will need patching, though Vista and Win 7 (three critical updates) are less exposed than XP and Windows 2000 shops (five critical fixes). Three of the bulletins are particularly severe and …
Yes, I know AmigaOS is - but you probably didn't know that RISC OS was. I wasn't trying to come over all superior, I didn't honestly think anybody (except the small cliquish sect who actually perform the updates) would have been aware. Ah, RISC OS. A new lease of life on the Beagleboard? Who knows.
If you'd bothered to read the article before engaging commentard mode, you would have seen that as a result of the new TCP/IP stack Win7 and 2008/R2 are not vulnerable to some exploits affecting earlier versions, so perhaps there was some point to the changes after all. And it's not as though TCP/IP has been frozen for the last couple of decades, judging by the rate at which new RFCs are appearing - I'm pretty sure that you'll find most Linux distros incorporate regular enhancements to this software.
And the prize for the most appropriate handle goes to ...
What I find more alarming than the number of patches being released is that there are several patches which replace previous hotfixes. I wonder whether the flaws were present in the original unpatched version of the code and went unnoticed when MS first patched it, or were these new vulnerabilities introduced as a result of the previously released patches?
Also, I note that in the Microsoft announcements for each patch, they describe those vulnerabilities that were privately reported as being 'responsibly disclosed' - presumably anyone who goes public before the patch is released (not necessarily without having informed the vendor) is being irresponsible according to Microsoft.
Does anyone really believe that the Baddies out there are incapable of finding vulns themselves and that they all sit around waiting for Metasploit to release an exploit before targeting their victims? I seem to remember that Microsoft were aware of the IE6 Google Hack vulnerability 4 months prior to the rest of us (minus the Baddies) being aware of its existence.