It's October 2018, and Microsoft Exchange can be pwned by a plucky eight-year-old... bug

Microsoft has released the October edition of its monthly security update, addressing a total of 49 CVE-listed bugs.

DLL bug a blast from the past

Among the 49 fixes were three issues that have already been publicly disclosed and a fourth that was being targeted in the wild. On top of that, a remote code execution bug in …

  1. Anonymous Coward

    Yay, more updates

    apt, yum, pacman, emerge, dnf: One of these is sometimes slower than Windows Update.

  2. Tromos

    "...other Android devices will need to be updated through their respective vendors"

    And therein lies the problem.

    1. Captain Scarlet Silver badge

      Re: "...other Android devices will need to be updated through their respective vendors"

      Users don't tend to click the update button in my experience on phones anyway; one iPhone user raves about Apple but refuses to update based on a previous experience where their phone went slower after updating.

  3. Maelstorm Bronze badge
    Boffin

    As a developer...

    As a developer myself, it's nearly impossible to ship software that is bug free. The best that you can do is just check your input and make sure that it makes sense. I write operating systems, so there is a level of expertise that is required that most other developers do not have, and the security implications are more serious. For an app developer, a security hole can compromise a user. For a system software developer like myself, a security hole can compromise the whole system.

    1. Anonymous Coward

      Re: As a developer...

      "As a developer myself, it's nearly impossible to ship software that is bug free. The best that you can do is just check your input and make sure that it makes sense."

      The best that you can do is not work for incompetent managers who set unrealistic timescales.

      1. Bronek Kozicki

        Re: As a developer...

        It is impossible to ship bug-free software, but it is NOT impossible to ship software hardened, and tested, against bad inputs.

    2. Anonymous Coward

      "The best that you can do is just check your input"

      Ehm, NO. You also ensure abnormal conditions - wherever they happen, even outside your code - are caught and processed in ways that don't lead to unexpected execution paths. There's a big difference between a bug that leads to an error, and a bug that leads to a remote execution with high privileges silently.

      Unluckily, languages like C were designed with performance in mind only; security was a non-issue back then. While programmers need to have the proper skill and be able to write robust, secure code, they also need help from the tools they use.

      Stubbornly thinking what was designed fifty years ago was perfect and doesn't need changes to cope with a far more complex and dangerous environment is like thinking the Earth is flat because a book says so.

    3. Claptrap314 Silver badge

      Re: As a developer...

      Dude, really. If you aren't even going to attempt excellence then go do something else.

      There are lots & lots of things that can be done to avoid bugs. Usually, I would say that avoiding magical thinking is the first. In your case, clearly you need to start by giving up on defeatism.

      Seriously, at my favorite job, we were bought out & shut down. My last project was a month long. I never got to see it go live. I met up with our sysadmin at our next job & asked him how it went. "Everything was fine."

      At my least favorite job, I skunkworked over the course of four years a switch to a 20k assembly language test tool to make the pointer size selectable. When the time came to make use of it, I asked the implementer how much of that code he needed to fix. "None. Everything was fine."

      Certainly, these are "small" projects. But the discipline of software excellence really can achieve code that you can leave alone.

  4. Version 1.0 Silver badge
    Facepalm

    Security? Yes, we've heard of it

    Let's just fix the bugs and add more features... no need to worry, is there?

    Face it - nobody buys an operating system or application because it's "secure" - they are sold on their features and the ability to operate in the cloud these days. I wonder how this will work out in the end?

  5. Down not across

    Experience

    "For Digital Editions, the update will patch nine CVE-listed vulnerabilities that could allow remote code execution. The Adobe Experience Manager update addresses five cross-site scripting vulnerabilities, while an update for Framemaker includes fixes for a single privilege escalation flaw."

    What is it with everyone insisting on some "experience"? In my, ahem, experience any software with experience in its name has been total and utter crap. I don't want a bloody experience, I just want stuff that simply works.

    1. Anonymous Coward

      "Adobe Experience Manager"

      It's a marketing tool - its name needs to be deceiving

  6. GnuTzu
    Childcatcher

    Eight-Year Olds

    The pictures they put on these articles mess with my head. I just had a vision of eight-year-olds with bugs. Yet, when people start having robot children... I am so seriously going to be creeped out by all the excessively life-like humanoid robots. Yet, it's pretty clear that they'll be here. Not to mention... No; I'm not going to be the one to mention it.
