How not to get pwned on Windows...
Switch to Linux.</sarcasm?>
Microsoft has posted the April edition of its monthly security update, which kills a bug that allows guests to escape to hosts on Hyper-V. A malicious app running in a virtual machine can exploit this flaw to drill down to the host server, execute code on the machine, and interfere with the system and other VMs. Which is bad …
>Why don't you have a look and count them.
Actually, I would be interested in an honest appraisal of such. On Win, Linux, OSX, which patches are delivering true OS, non-app, high grade vulns fix, such as remote exec flaws? Severity vs just volume, with CVE the judge. Anyone knows? Also pick one OS release on each end - Win 10 vs OS X El Capitan vs latest kernel Linux.
I think Windows, but am willing to hear counterarguments. As a cynical and open-eyed Apple user, I am more surprised that it doesn't get powned more often than blindly trusting in Apple's ability to maintain BSD-level security on their own code. They've had some doozies over the years and I've had friends get powned on Macs, very occasionaly.
Doubt I'll get a straight answer I can believe from too many here, though hopefully some of you certainly know it.
But one thing I think I can answer myself: which of those 3 OSs will, on desktops, require the most reboots to accomodate those patches? Which OS doesn't typically know and has the always helpful "may require a reboot" rather than stating so outright?
>Why don't you have a look and count them.
Actually, I would be interested in an honest appraisal of such.
Well I'm not certain that looking at the current numbers of patches is a valid comparison between Win and Linux. Simply because of Linux's install base compared to Windows and hence it's attractiveness to developers - both those who are trying to get stuff done and those who wish to exploit it.
Valid points between Windows and Linux, to an extent.
But OSX has pretty much the same userbase attractiveness wrt malware as Windows. And very few people bother to run AV software on it - I de-installed Sophos because it tended to hog CPU atrociously from time to time and, for the overhead, I was uncertain at its actual efficacy on Mac malware. I do have ClamAV, but only use to scan downloads. So, along with the capacity of its users to pay the Apple surtax, it would seem like a valuable enough malware target.
And, going back to Linux, there is plenty of $ to be made in server breaches.
I would also separate app & browser patches (IE, Edge) from OS level patches. After all, you can always run FF or Chrome on Windows. And browser vulns are only the OS's fault if the OS allows them to propagate - an OS should be totally paranoid about resident browsers at all times. While there is no doubt in my mind that Office macros are a cesspit of threats, that's not core Windows fault, even though MS as a whole does bear responsibility for them and patches them.
So, do we have any hard numbers besides the "yours has more bugs than mine" arguments that all sides quote with happy abandon? MS does seem to focus a lot more on security than it did 10 years ago, so are we still judging them from that time?
>> But OSX has pretty much the same userbase attractiveness wrt malware as Windows.
How do you figure that? How many companies create products that are relevant to < 10% of their potential customer base? Custom malware for a targeted attack yes, generic malware to maximise returns = no.
Very valid points about volume not being the only metric - clearly it isn't.
Security bugs are a fact of life in all software - the bigger the code base, the more you can expect. Saying "my OS is less likely to get pwned than your OS" is just stupid.
Another factor that affects bugs found is the number of people motivated to look for them. We all know that the "many eyes" theory spouted by the OSS hardliners is complete bullshit. Finding usable exploits costs time and money, and if maximising your return on said exploit is your goal, it doesn't take a rocket scientist to predict where most of the investment is going to go.
>>"Security bugs are a fact of life in all software - the bigger the code base, the more you can expect. Saying "my OS is less likely to get pwned than your OS" is just stupid."
It's not stupid. There are actual variations in security flaws between different OSs. Back in pre-Vista era, Windows was inherently less secure than GNU/Linux. That's no longer true. Windows is probably slightly more secure than GNU/Linux these days. And maybe that will change again over time - who knows. But it's not right to reject comparisons between OSs. It's useful. If nothing else, it keeps different vendors trying hard to compete in the area of closing down vulnerabilities.
>>"We all know that the "many eyes" theory spouted by the OSS hardliners is complete bullshit."
It's not "complete bullshit". It's a valid argument that Open Source benefits from people being able to inspect the source and find flaws. The problem is that the more complex the project, the more specialized you have to be to notice flaws. I can find a flaw in the MySQL source code. I can't find one in Firefox source - I simply wouldn't know where to start with their code base. But that doesn't mean that other people can't or that it's "bullshit".
The biggest security advantage of Open Source, though, is not guarding against accidental flaws, but against deliberate ones. It lets you examine the source for deliberate backdoors by the vendor. That has a lot of value, imo.
It's a shame it's just not true though, I received 50 Security Advisories from Red-Hat between the 2nd March and 7th April. I've often woken to seeing 10 or more come out in 1 night. Stop believing the hype that Linux or any OS is any more secure than Windows. It's just the sheer numbers of Windows desktops that make being pwned more likely however give your average Windows user a Linux desktop and don't apply the patches and they're just as likely to get pwned over time.
This post has been deleted by its author
Well, you can use your PC. You just have to be careful when using Windows. I might venture that one should be increasingly careful. As the malware writers game-up, you would be well advised to tighten your defenses wherever you can.
I'll avoid the Linux-Windows-Mac malware debate, except to note that efforts are being made to craft OSes which are less vulnerable to attack. None will ever be perfect, but Qubes, OpenBSD, and others present significantly higher hurdles for attackers to overcome.
So your PC is usable and you may even Goggle the Online in a relatively carefree manner. It's the OS setup you mostly need to worry about.
If you change the word "vendor" to "Target" you may have a point. Otherwise just more boring drivel. There is little reason for virus and malware creator/users to target obscure and little used operating systems. Regardless of what you think about Windows, it has a greater market share and thus will always be targeted by those criminals.
The second that other operating systems become more popular, these virus writing scum will make "product" that targets the more popular OS. This has already happened with Mac's and the other are next.
Smug pontification about the "superiority" of your brand of OS gets us nowhere.
This post has been deleted by its author
@Dan Paul
>Regardless of what you think about Windows, it has a greater market share and thus will always be targeted by those criminals.
That is what has been said for 20 years. We know now that it was always a lie. Far more people use Android than Windows. Over a billion more. There are more users of the Facebook app on Google Play than all the Windows users, all versions, worldwide. And they use Android more often, for more minutes each day too.
This lie is toast now. The insecurity of Windows is inherent in the design compromises they made to kill its early competition, and now they are stuck with them for backwards compatibility reasons. They fell into their own trap by taking shortcuts with security. The global malware ecosystem and industry are all theirs and they are welcome to keep them.
>>"Yet somehow your phone and tablet can be on the Internet wherever you go all day long with nary a twitch. It's almost as if there were a specific software vendor involved in all of this PC malware mess."
I'd lay good money that you would also be critical of the Windows Store. In fact, given that this is Mikel, long-time poster on El Reg. noted for virulent anti-Microsoft posts, I'd say it's almost a certainty you've been against it. Yet you compare Windows (open and free to install what you want) to locked down systems like iPads and Windows RT. If you can't see the relevant distinction between an iPad and a Windows OS machine is not vendor but user privileges, you're wilfully blind.
Oh, and you should check out Android sometime (the most popular OS used for phones) which even at one's most charitable could not be described as having "nary a twitch" when it comes to security.
Well, looking at the specific vulnerabilities - I only see one that's an immediate threat to me, plus a couple that could be threats in the medium term. The rest all target specific software or services that I don't use, or require a level of pre-existing access that, if someone else has it, I think I'm already boned.
So I'd call it irritating rather than sad. And the chance of actually getting hit by one of the vulnerabilities that isn't completely irrelevant, in the time between discovery/promulgation and patching? Slim.
Hmmm, let's not get too carried away now. Even on Windows, a bit of cleverness goes a long way:
- add a JS blocker like NoScript to your browser. Whitelist very selectively. prefer to whitelist temporarily.
- NoScript on FF can really act up at the most inconvenient times for ecommerce sites. Rather than turning off some of its paranoid settings, open up your secondary browser (Chrome for me) and complete your transaction there instead.
- never click on email links unless you know they are from your actual friends. be courteous and always provide a bit of personal chit-chat when emailing a link to someone, just so they know it's you and so they know that you expect that courtesy yourself.
- avoid Flash and Adobe Reader like the plague. Ditto Java applets.
- macros in Office docs you didn't write yourself? red flag!
- be wide-eyed, I mean extra-careful, around smut sites. never download 'extra required codecs' to view files.
- never run warez code. A crack generator? Whodathought I would be the one getting hacked?
- download mostly from at least somewhat competent download aggregator sites or open source repos.
- use your AV to scan what you've downloaded before running it.
- google up 'malware virus <name-of-something-I-want-to-install>' liberally.
- backup and take into consideration crypto ransomware when doing so.
- never, ever, reuse sensitive passwords, though there's nothing wrong with reusing 'foobar1234' on all the various websites you don't care about (sorry, The Register, that means you).
- encrypt your sensitive data in a mount-on-demand container like TrueCrypt. (be careful about TrueCrypt containers & backup sofware - TrueCrypt goes out of its way to keep file timestamps constant)
None of this is rocket science, nor very demanding. I spent years using primarily Windows at home without much ado.
Really ? If that were the case I would expect that faults in Secondary Logon would have been found and corrected last decade. It was introduced with 98, if I'm not mistaken, it's about time they ironed out the issues there.
Seriously, I have the impression that I've been reading more or less the same patch notes since Y2K. A "remote execution vulnerability" in IE and Edge, wow, what a surprise. The exact same wording in two different patches on the same day for both Microsoft browsers - thank goodness Edge does not support ActiveX, I might have been made to think that Edge is just a rebadge of IE.
It's nice that MS is patching obviously, but it would be nicer if I didn't have the impression that, whatever the version, they're always patching the same issues from last decade.
"Seriously, I have the impression that I've been reading more or less the same patch notes since Y2K. A "remote execution vulnerability" in IE and Edge, wow, what a surprise. The exact same wording in two different patches on the same day for both Microsoft browsers - thank goodness Edge does not support ActiveX, I might have been made to think that Edge is just a rebadge of IE.
It's nice that MS is patching obviously, but it would be nicer if I didn't have the impression that, whatever the version, they're always patching the same issues from last decade."
I'm thankfull I'm apparently not the only one feeling this !
Apparently, this time, it's only IE 9,10,11 & 12 (Edge). Most of the other weeks, it's IE 6-12, like if, IE 12 code was IE 6 minus AcriveX ...
The real question is how many of the 'security' updates include Windows 10 update malware.