Riddled to high heaven
Mother of God - is there no end to this?
Microsoft has today published patches for more than 50 security flaws in its products – including three serious holes being exploited right now in the wild. These updates should be applied as soon as possible. The May edition of Patch Tuesday addresses blunders in Internet Explorer, Edge, Windows, Office, and the .NET …
@s2bu and they have also had some bad CVEs in the recent past...
No operating system is safe or secure. If you want to make your PC secure, disconnect it from the mains, drill holes in the disk, bury it in concrete, place the concrete block in a secure room, brick up the doorway... And be certain that it still isn't 100% safe.
Worth pointing out that one of the recent Shadowbrokers dumps included docs showing CNE tools ported to every platform under the sun, including Free (at least) BSD. If they can target BSD, so can other threat actors -- the sort who are more likely to want to compromise an average Commentard's site than the NSA.
https://forums.freebsd.org/threads/58590/
I'm fond of any BSD flavour, but OpenBSD is tighter on security than all the others.
I see a huge difference between the time Linux CVEs, once known of, are dealt with by the community, compared to how slowly M$ deals with theirs.
Most of the time it's hours to days for Linux fixes, where, from what I've witnessed over the years, M$ takes anywhere from days to years to fix their issues. I seem to recall numerous CVEs which M$ took 6 - 12 months to fix and others years to fix.
Even better is the OpenBSD model, their code is severely scoured and exhaustively scrutinized for possible problems before release, so they opt to only release every 6 months - that's confidence, that's impressive!
Yep, whichever Intel programmer thought that was a good idea should be shot!
How long is the password you are sending me? 0 bytes, OK, I'll just compare the 0 bytes with the first 0 bytes of the correct password and see if they match... Oh, '' matches '38de34ef09e3', you have access!
I mean, the password has a fixed length that Intel knows about (it is derived from some checksum), so it knows the password must be x characters long, so why even allow the incoming response to define how long its password is? And if it does, then surely the first check would be to see if its length matches that of the correct password!
But, no, if the response is 0 length, then it must be correct!
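As an added illustration in C of the comparison mistake the comment above describes (this is not Intel's code and not from the thread; the digest value and DIGEST_LEN are constructed placeholders): the flawed check lets the caller's response length drive the comparison, so an empty response compares zero bytes and passes, while the fixed check insists on the expected length and compares every byte.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed placeholder: a fixed-length expected digest, standing in for
 * the value the server derives itself from the challenge and the secret. */
#define DIGEST_LEN 32
static const char EXPECTED_DIGEST[] = "38de34ef09e3a1b2c3d4e5f60718293a";

/* Flawed check: compares only as many bytes as the client supplied.
 * With response_len == 0, strncmp compares nothing and returns 0, so an
 * empty response "matches". A short prefix of the digest passes as well. */
bool check_response_flawed(const char *expected, const char *response, size_t response_len)
{
    return strncmp(expected, response, response_len) == 0;
}

/* Fixed check: the length must equal the expected digest length first, and
 * then all DIGEST_LEN bytes are compared with a constant-time OR of XORs so
 * the timing does not reveal where the first mismatching byte sits. */
bool check_response_fixed(const char *expected, const char *response, size_t response_len)
{
    if (response_len != DIGEST_LEN)
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < DIGEST_LEN; i++)
        diff |= (unsigned char)expected[i] ^ (unsigned char)response[i];
    return diff == 0;
}

/* Runs one response through both checks and reports the verdicts. */
static void show(const char *label, const char *response, size_t response_len)
{
    printf("%-16s flawed=%s fixed=%s\n", label,
           check_response_flawed(EXPECTED_DIGEST, response, response_len) ? "ACCEPT" : "reject",
           check_response_fixed(EXPECTED_DIGEST, response, response_len) ? "ACCEPT" : "reject");
}

int main(void)
{
    show("empty", "", 0);                                  /* flawed accepts */
    show("4-byte prefix", "38de", 4);                      /* flawed accepts */
    show("correct digest", EXPECTED_DIGEST, DIGEST_LEN);   /* both accept */
    show("wrong digest", "00000000000000000000000000000000", DIGEST_LEN);
    return 0;
}
```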
And then if hundreds of millions of users switched and really started pounding Linux or any other...the same would be found I'm sure. Let's be realistic here.
Most modern software and code is pretty crap and built around the philosophy of "Don't worry about it, if a user finds a bug then fix it, if they don't...fine, don't worry about it!"
I'd dispute "modern" and "philosophy". I have been watching people complain on the internet about the low quality of "modern" software for the last 25 years. It both puzzles and amuses me.
It has always been the case that software written for cash has taken the business-like approach of asking "how much will this bug cost to find (let alone fix) and how much will it cost to leave it in". You test until finding new bugs becomes unacceptably costly and you hope that the bugs left in will be relatively low impact as a result.
All commercial anything has used this approach since forever. It's basic economics. Happily, we can use equally basic economics to conclude that if you negotiate penalty clauses for bugs, you can increase the incentive to find and fix them before release. Since most shrink-wrap EULAs go out of their way to say "this software is not fit for anything" I think you can probably guess where the bar lies by default!
>I'd dispute "modern" and "philosophy"
My observation is that most of the problems lie in GUI software.
The first is "blob" input. When input is text, parsing and checking is relatively simple and the dodgy inputs are not expected to get past the person entering the data. Passing a pointer to a spreadsheet object leaves the receiver wide open to a great deal more abuse.
Where I see a great failure on modern OS design is the inability to set resource capabilities at run-time from the OS. MSOffice's "protected view" etc is all well and good, but how about telling the OS to execute Excel without network capabilities and disk write capabilities except to a quick-provisioned RAM disk for it and its sub-processes?
That would kill attack vectors dead, even if the application is vulnerable to corruption.
Not really.
The security on Unix-variants is different than Windows. What does Windows do to thwart installing software? It pops up a box which says "Are you sure you want to install this program? ... OK/Cancel" - which can be scripted to click the OK/YES button and the software gets installed.
If you want to install on a Unix-variant (less secure platforms Mac & Android excepted) you need to know the user's password - that little detail makes a huge difference in being able to corrupt a non-M$ system.
No system is perfect, but it takes me less than 5 minutes to crack a Windows system remotely. If I have to spend that, or longer, trying to just get past a Linux pw requirement, I'm not going to bother - there are easier targets.
And ^that is precisely why Windows is responsible for being targeted by approximately 85% of all malware - it's so freakin' easy to own a Windows machine. Now, Mac and Android - having changed security requirements - are likewise being hit and gaining % of the malware attempts.
Because 2017 is not the year of desktop Linux... nor 2018, 2019, etc. etc.
Every time I run a Linux desktop manager I have a feeling of being transported back in time at least ten years, often more. KDE and Gnome would really need a big overhaul, and, especially, better developers and designers - and, especially, better development tools. But developing good tools for desktop development is expensive, and in an environment where it's very difficult to sell software, nobody will invest - while users of business software don't really like command-line applications <G>
Thereby, the quality of most desktop applications is far below the Windows and macOS ones.
Most users prefer to live with bugs that may be exploited (if they know it...), than lack of features they must use, and the lack of them means a lot of wasted time to re-invent the wheel.
"Every time I run a Linux desktop manager I have a feeling of being transported back in time at least ten years"
It's obvious you're using ten year old FUD.
Ugly UIs designed by people who can't understand what a good UI is, sorry. Good UI design is an art, and it needs true experts with extensive knowledge in design, besides programming.
KDE Plasma is really following the ugly Google monochromatic UI. Ubuntu Mate has the wrong aspect ratios for UI elements, looks childish.
Most dialog boxes I see are clearly designed by people without a clue about proper UI element positioning and flow. And the widgets are really ugly, just like icons and fonts; can't understand why Linux can't come with good fonts.
Fancy graphical effects just get in the way. MS understood it when it attempted animated menus, and nobody liked them.
But there's a chance, for Linux. MS is dumbing down Windows UI so much, it will reach Linux level soon.
"Ugly UIs designed by people who can't understand what a good UI is, sorry."
Vista, Win8, and Win10.
Plus 90% of the Android phones out there using 'custom' UIs.
Most of the ugly UIs for linux distros I've seen are copies of that flat minimalist UI pushed by MS and Apple as 'hip'.
"the quality of most [Linux] desktop applications is far below the Windows and macOS ones."
For some unusual definition of "far", but yes, not as good as.
Example 1: The windows versions of Firefox and Chrome have the option to print in monochrome or colour in the Print dialog box. The Linux versions require you to click six times to invoke the Printer settings dialog box and click twice more to change the setting.
Example 2: On windows, Nero Vision required me to click six times to make a video DVD for a friend. The Linux equivalent took more than 60 mouse clicks, and required typing the track titles manually because, unlike Nero Vision, it didn't default to using the filenames. Then the application only created an ISO that needed to be opened in another application in order to burn the DVD. Less than five minutes versus the best part of 30.
That said, for the best part of 18 months I used Cinnamon Mint as my main OS and wished Windows was as smooth. But switching between w7 in a VM to get my work done and back to Mint for recreation eventually persuaded me back to w7.
-- and Linux still holds dead-steady at about 2% desktop share (Netmarketshare and Statcounter, can't be arsed to look further, it's too depressing).
And FYI, yes, all of my household machines are non-Windows. Something like 4 Linux and 3 Mac, not counting a couple of Android fondlies and the wife's iPhone.
And yes, my employer's IT dept says "We are a Microsoft shop" with apparent pride.
Exactly @luminous. People who live in glass houses shouldn't throw stones.
My Linux PCs and servers also get regular patches for the Kernel and applications, my Android phone got the latest patches yesterday from Google, the iPhone gets regular patches, BSD and derivatives get patches.
If you have a computer, of any form, and it has an operating system installed, you can guarantee that it has undiscovered bugs and vulnerabilities. Even if it doesn't have an OS installed, it might still be vulnerable (look at the bugs found in the radio layer of smartphones last year or the current Intel AMT/IME debacle).
If you have a computer, of any form, and it has an operating system installed, you can guarantee that it has undiscovered bugs and vulnerabilities.
True, but there are bugs, and there are BUGS. I can't see Linus approving a kernel patch adding a Javascript engine to the kernel, for instance.
Possible reasons for Linux minority Desktop share:-
1) PC and Laptop manufacturers ship their gear with something Microsoft installed
2) Games, VMware (historically) and even VR equipment has software written for Windows
3) People brought up in Microsoft land have been brainwashed and are scared of Linux
4) Games are written for Windows and don't always work on Linux
5) Windows has been the majority desktop operating system for a long time so companies have old software that may not run on WINE
6) etc
"1) PC and Laptop manufacturers ship their gear with something Microsoft installed"
Because people want Windows. If there was a demand for Linux, you would see the machines. That demand simply doesn't exist. It's no longer 1990, and MS no longer has that hold on OEMs. With PC sales so low, do you believe vendors wouldn't offer a different OS to increase sales? Most servers are sold without Windows, nowadays.
"2) Games, VMware (historically) and even VR equipment has software written for Windows"
Because there's very little demand for Linux games, there is the usual issue of device support, and many gamers are not software experts, they just want to play. And as long as Linux pundits want to avoid "closed source" drivers for things like video cards (and gamers shell out lots of money for the most advanced ones), well, it's not really the friendlier game environment.
"3) People brought up in Microsoft land have been brainwashed and are scared of Linux"
Actually, it's exactly the other way round. Most Windows users use it just because it runs the software they need. Sure, in the past many were scared by the complexity of running Linux (not many like to type cryptic commands on a command line), and the lack of compatibility with needed devices. But people have been, and are, brainwashed by people like you into thinking MS is evil and Windows the spawn of Satan.
"5) [...] companies have old software that may not run on WINE"
Why should people take the risk of running their needed, and often critical, software outside the native environment?
The reason is Linux needs applications, web ones are not yet a substitute for native ones. IMHO, what Linux always lacked, was a tool like Visual Basic or Delphi which helped a lot to establish Windows as the desktop operating system, allowing to write desktop applications quickly, and often with sophisticated UI, without requiring big investments and lots of developers.
Yes, you could sneer at them today, but in the past a lot of small companies were able to deliver business applications (and not only) using those tools. In 2017, developing a GUI in Linux is still more complex and time consuming than it was on Windows in 1995, and the result worse.
>Because people want Windows. If there was a demand for Linux, you will see the machines.
Android proves most people actually don't care, many (if not most) have little understanding or interest in OS. It also shows that switching to Linux doesn't magically improve user security.
Indeed. As I have said before I CAN'T GIVE LINUX AWAY!
I tell cash strapped customers they can save £100 on a box if they use Linux. I show them it will do Ebay, Facebook, Word docs etc. etc. but they all say no. They pay the extra £100.
Folks want Windows. Never had a customer take the Linux option.
"A Windows 10 Pro OEM license is £12 - surprised you have 'customers'"
I'm not Dell or HP. That and I don't get my license keys off Ebay either.
I sell/build maybe a dozen machines a year, mostly gaming rigs or video editing machines. Most of my work is support or consultancy.
But at the end of the day...folks still wont touch Linux with a bargepole.
"Never had a customer take the Linux option."
Probably because you didn't give them the chance to use Linux. Last dozen friends/relatives who wanted me to fix their w7 problems have been shown Cinnamon Mint using a live DVD. All have said go for it and none have come back for support.
Wish it was that easy for me [sigh]
Same here, I put complete newbs on Mint and they're fine right from the start. Likewise, I never get any tech support requests.
Installing Win-X on someone's system guarantees I'll get a call "I can't find my files", "I can't change my home page", "how do I install Java?", "my computer's running slow", ... etc, it's never-ending.
"1) PC and Laptop manufacturers ship their gear with something Microsoft installed"
Because people want Windows. If there was a demand for Linux, you would see the machines. That demand simply doesn't exist. It's no longer 1990, and MS no longer has that hold on OEMs. With PC sales so low, do you believe vendors wouldn't offer a different OS to increase sales? Most servers are sold without Windows, nowadays.
As an OEM, do that, offer Linux 1:1 (any computer with Windows and Linux), and your Windows tax just increased 100 fold ...
Go look at Dell, choose Linux as OS, count the number of models that ship with Linux, switch to Windows 10, count the number of models ... notice, the Linux models are crap, you cannot get best display, best graphics with Linux ... what you get are weirdo systems with odd resolutions ... that are expensive for what they are, imho.
I call that pisstake on Dell's part, I am SURE it is NOT Dell's fault ...
Try find one on hp.com, go, try ... tell me, I had a quick look, could not find one ...
I have a (real crap, ridiculously low-end and underpowered, but adequate for web and playing music and the odd bit of iPlayer) HP laptop that had Ubuntu pre-installed. Cost me less than £200 (I spent £30 maxing out the RAM, then discovered that installing it involved disassembling the entire machine - keyboard out, motherboard out -- it was emphatically NOT designed for post-sale upgrades).
Biggest problem is that external monitor support died after a major version upgrade and hasn't been fixed so far.
Ubuntu's site lists 140 HP models "certified" with Ubuntu:
https://certification.ubuntu.com/certification/make/HP/
Here's HP's Linux stuff:
http://www8.hp.com/us/en/workstations/linux.html?jumpid=reg_r1002_usen_c-001_title_r0007
>Go look at Dell, choose Linux as OS, count the number of models that ship with Linux ... the Linux models are crap, you cannot get best display, best graphics with Linux
http://www.dell.com/learn/us/en/555/campaigns/xps-linux-laptop
[All Dell's top-end workstations (laptop and desktop) support Linux - just choose Ubuntu from the OS menu when you checkout if you want that pre-installed - or chat with sales for other options. With RHEL etc it's usually the OS provider not hardware vendor to support - all high-end Dell hardware is pre-certified by the major distros.]
Actually I think the main reason is that very few Windows users are even aware there is an alternative. I just switched an elderly friend's aging laptop (it came with Vista!) to Linux Mint Cinnamon running from a new SSD drive and she's delighted with the result. It probably helped that over the years I've moved her away from M$ software to use things like Firefox, Thunderbird and Libre Office so the switch to Linux actually gave a pretty familiar experience. I'm expecting a lot less support calls from now on.....
I have some linux instances (multi boot setups mainly), however doubt they register on statcounter or similar as I browse using various addins to prevent lots of third party tracking, scripting, images etc.
Not sure how much "stats" sites can be relied upon when so many people use basic anti tracking / junk content tools
In this day and age, Microsoft should have realized that baking applications into the OS core (IE, Edge and all the new crap Windows 10 has now had added) will make building a bug-free secure OS impossible. The sooner they make all these apps optional, to be installed after the OS has been installed, the better.
Just look at the UAC: log onto a computer as an administrator and you cannot run File Explorer or IE as a full administrator. Why? Because they are already running as soon as you logged on as a user, not administrator. Moving to third party apps that are not integrated into the OS makes running administrator tasks easier.
Because it is the Microsoft Way of doing things.
OR
Perhaps the rats nest of code is so bad, it would be impossible to separate them after all this time and they really don't want to try.
Who knows but whatever reason it is it seems Windows users (you lucky people) are stuck with it.
There is no such integration. All the apps you mention are user-space and no more privileged than anything you can buy from third parties (like me). Even Explorer only has the property you mention because it is the user shell. (I'm not sure where you get the idea about IE. It's totally separate. Not that anyone would ever want to run it as a full Administrator, of course.)
Tip: If you *do* want an administrative copy of Explorer, fire up something harmless (like NOTEPAD) with full privileges and use the File Open dialog.
"There is no such integration. All the apps you mention are user-space and no more privileged than anything you can buy from third parties"
OK, show me how to totally uninstall IE and Edge without breaking the system and I'll believe you.
The last 2 I set up didn't have IE enabled (direct re-install of 10 Pro using Creators Update ISO). I tried to start IE for installing TM, but it wasn't installed, I had to go to optional features. I created a new account instead (policy doesn't allow the domain administrator to use Edge).
>You can remove it by going into the Add/Remove Windows Features. You will get a warning, but you can remove it
Yeah, that is akin to deleting the shortcut on your desktop, sort of ... ok, it removes some more crap ... will STILL NOT save you from that dodgy image, because IE rendering engine is part of the OS ... AND that is the whole BLOODY point.
Tip: If you *do* want an administrative copy of Explorer, fire up something harmless (like NOTEPAD) with full privileges and use the File Open dialog.
Imagine .... sudo nautilus now no longer works, you have to sudo gedit, for example, then use the File > Open dialog to do stuff ... WTF ? BTW, when I am in explorer and want to do anything privileged, I get UAC and then can do it ... am I missing something ?
BTW, I have a quick question ... on stock Windows, how do you edit %windir%\System32\drivers\etc\hosts ? It is 2017, and Windows still hates files without extension ...
Why do we continually put up with this crap to run "Windows", when 9/10 we are just accessing a browser? Microsoft, just give us a Windows 10 skin running on Linux, i.e. security, with a familiar desktop.
I couldn't care less regarding the fundamentals of Windows 10 itself, it's just garbage, it's so full of holes. The registry model is like an old film, good in its day, but boy, it's looking dated now, compared to the ground-up design of Linux.
You just read the next security headline, and there is no longer any surprise. Windows is fcuked from the ground up. If it's not script kiddies, hackers, it's NSA/GCHQ "compliance", fundamentally conduiting our data.