Channel: Comments for Six Years of Patch Tuesdays

Comment from Andy on 2009-10-19

I know that this is a security blog, but don't forget that once in a while patches are to fix functionality bugs rather than security bugs. Sometimes those are even as urgent. While we need to develop...

Comment from Jay on 2009-10-19

@Stefan: This old saw? You can pull out the "stop using C/C++" thing when your JVM/interpreted-language-of-choice is itself not written in C. Oh, and neither are any of the libraries it uses (so no...

Comment from Anton on 2009-10-19

@mr wriggly Planes don't crash because the software they deploy is well designed. The technology to create good software is on the table, the will and financial incentive to use it is not.

Comment from Nick Clarke on 2009-10-19

@Stefan W: a typical editor doesn't keep the file open (as in, keep an operating system file handle) once it has read and displayed the contents. It only momentarily has the disk file 'open' when it...

Comment from Bob on 2009-10-19

@Anton: "Planes don't crash because the software they deploy is well designed. The technology to create good software is on the table, the will and financial incentive to use it is not." A friend of...

Comment from billswift on 2009-10-19

Bob, you're missing the economics of a mass market. People pay much, much more than a million dollars for word processors - probably billions. The problem is that it goes into "features" rather than...

Comment from pik on 2009-10-19

(sorry for my English) What is the problem? "in house" I am after XPsp2 no more server, I am client. Look for issues after full (auto) patched XPsp3 as restricted user. Please tell me your exploits to...

Comment from Clive Robinson on 2009-10-19

@ billswift, "People pay much, much more than a million dollars for word processors - probably billions." Then you need to add the cost of the "blue screen of death", "Your program has stopped...

Comment from pdf23ds on 2009-10-19

"You can reach assurance, when you build-in 5 "walls" and HOPE, bad gay have after 4 wall no more desire. THATS ALL." I believe that's the approach the Pentagon takes.

Comment from Lawrence D'Oliveiro on 2009-10-20

Linux distributions typically do not have “Patch Tuesdays”, they tend to release patches very quickly from when vulnerabilities are discovered. Yet it’s rare to hear of fixes introducing new bugs,...

Comment from John on 2009-10-20

Security has to be designed in, but more than that, there has to be a well designed Software Architecture. People joked about the Software Architecture Architecture at DEC but it worked.

Comment from Nostromo on 2009-10-20

Does any of this matter? If security is important to you, you shouldn't be using Microsoft Windows.

Comment from nzruss on 2009-10-20

A quick way to get your PC up to patch state after a fresh install is to use the Offline Update tool from http://www.h-online.com/. (It's free.) It runs a script that gets all the patches from release up...

Comment from Markus on 2009-10-20

It is impossible to "mathematically prove" the correctness or security of a program -- you can only prove that the program behaves according to a specification. In the case of a modern word processor,...

Comment from Anonym on 2009-10-20

Well, MS has done really well in this regard. I especially admire Windows Server Update Services (WSUS); it helps a lot.

Comment from Clive Robinson on 2009-10-20

@ Nostromo, "If security is important to you, you shouldn't be using Microsoft Windows." Although I would agree with you if security were the only concern, in a modern business it is not. Security is...

Comment from HJohn on 2009-10-20

@Clive Robinson at October 20, 2009 8:53 AM: "Although I would agree with you if security were the only concern, in a modern business it is not." ______________ I think you make a good point. MS...

Comment from Clive Robinson on 2009-10-20

@ Bruce, Without being seen to be, or being, nasty, security experts and gurus are a large part of the problem. For instance you say, "We need to design security into our systems right from the...

Comment from David on 2009-10-20

@savanik: Many businesses treat Windows versions like that, not adopting an OS until it's been out a long time and service packs applied. Businesses tend to be well behind the leading edge, and often...

Comment from David on 2009-10-20

@Stefan: There is no such language as C/C++, and I don't trust anybody who uses that particular phrase to know much about either. Modern C++, for example, can be easily written to avoid all of the...

Comment from moo on 2009-10-20

@David: Real applications are not written like that. I can only laugh at the claim that C++ has "a consistent method for managing all resources". Spoken like a true language wonk. :) RAII is some nice...

Comment from moo on 2009-10-20

Wow.. edit and multi-post for the win! Maybe the Moderator can blow away some of those. @David: @Stefan: @Everybody! Anyway, it's flamewar territory and irrelevant to the main post. Sorry Bruce, feel free...

Comment from Spider on 2009-10-20

@nzruss. Are you really suggesting people trust a man in the middle to update their systems? I think you may be on the wrong website ;) @Bruce. OK, Microsoft's patching sucks, their systems aren't...

Comment from Ellison on 2009-10-20

It's a good thing that Oracle doesn't need patches. You can't break it and you can't break in.

Comment from Ageless_Stranger on 2009-10-20

Check out Marcus Ranum's excellent article about patching: http://www.ranum.com/security/computer_security/editorials/master-tzu/index.html

Comment from Clive Robinson on 2009-10-20

@ HJohn, "best we can do is harden our environment to reduce the risk a vulnerability will be exploited and reduce the damage that can occur." It's not just hardening the environment. One issue I'm...

Comment from HJohn on 2009-10-20

@Clive: "It's not just hardening the environment. One issue I'm sure you have seen is people's unwarranted access after they have been promoted or moved to another department." _________ I would agree. I...

Comment from HJohn on 2009-10-20

HJohn: "bad news gets camouflaged" ___________ Reminds me of the old story: 1. Staff tests product or service, tells supervisor "it is a crock of crap." 2. Supervisor tells division head "it comes in a...

Comment from Hey Nony Mouse on 2009-10-20

Ellison: "It's a good thing that Oracle doesn't need patches. You can't break it and you can't break in." Didn't some "Larry" make a similar comment and then have to eat it? Ah, the joys of marketing...

Comment from HJohn on 2009-10-20

@Hey Nony Mouse: "Didn't some "Larry" make a similar comment and then have to eat it?" _________ I remember some spokesperson stating that their product "could be hacked." Honestly, it had pretty good...

Comment from Mark R on 2009-10-20

@Savanik: "Now, on the other hand, take the console industry - Playstations, N64, etc. Up until a few years ago, they never patched anything. They couldn't, without internet access. Every game that...

Comment from Tom on 2009-10-20

You want an operating system that was designed with security in mind? Then look at z/OS for the IBM mainframe. You will find that when an operating system is originally designed for business, and not...

Comment from moo on 2009-10-20

@Savanik: To build on Mark R's point.. modern console games are far more complicated than the earlier-generation games. They have a lot more code in them, and therefore a lot more bugs. We're talking...

Comment from el chubbo on 2009-10-20

Bruce is right when he says "There were jokes that a Microsoft patch was indistinguishable from a DoS attack." I used to tell this joke at swanky cocktail parties in Manhattan, and I got laid like a...

Comment from HJohn on 2009-10-20

@el chubbo: "I used to tell this joke at swanky cocktail parties in Manhattan, and I got laid like a bandit." ________ Probably works better than talking about 3 1/2 inch floppies.

Comment from David on 2009-10-20

@Tom: Thing is, modern Windows was designed for businesses. The line of development from 3.11 to 95 to 98 to Me was based on the idea of a single user, and the later versions of this line were...

Comment from Nick P on 2009-10-20

It's quite easy to reduce this steady stream of patches. The methodologies to do it already exist. All of them have a consistent focus on security and/or quality throughout the lifecycle. Problematic...

Comment from Josh on 2009-10-20

"We need to design security into our systems right from the beginning. We need assurance. We need security engineers involved in system design." Arguably MS is more thorough about this than any other...

Comment from anonymous moi? on 2009-10-20

@Josh I think the sarcasm tag was missing from the original "can't break" quote. What's David Litchfield's new book?

Comment from Clive Robinson on 2009-10-20

@ moo, "Exception handling is not really practical in languages without garbage collection. What most people do in real C/C++ applications (yes, that label you disdain) is write their code and manage...

Comment from DC on 2009-10-20

@Craig, It's even worse than you describe (long time systems programmer for windows, finally out of that game). How 'bout the registry, which just about everything needs to make changes to? It has the...

Comment from Eric H on 2009-10-20

The neat thing about going in for automatic patch updates is that you have decided to trade known problems for unknown problems and a possibly false sense of security. Given the regularity of patches,...

Comment from Nathan Tuggy on 2009-10-21

@DC: "How 'bout the registry, which just about everything needs to make changes to? It has the same problem set -- can't change the underlying file without a reboot." I'm not quite sure what you mean....

Comment from Richard on 2009-10-21

From an IT operations perspective, reboot or no reboot differs significantly. "Reboot" means service downtime, so it's much more sensitive for business users and system admins. Actually, many MS patches...

Comment from anon on 2009-11-15

It would be curious to see the comparison with various Linux distributions. I've had Ubuntu patches break a computer just as I've had Windows patches. I've had it to "here" with the frequency and...

Comment from Peter Meldrum on 2009-11-15

I've got on average five machines running XP at any given time. Each and every one of them has been buggered at least once by a patch from MS, invariably requiring a full Repair Install and attendant...

Comment from Mike Acker on 2009-11-16

When you connect with the internet you are connected to a world-wide network, and the world-wide network is connected to you. This is why authentication is important: we all need to be certain who we...

Comment from OPV on 2009-11-17

I'm no longer so worried about the MS updates. The lurking danger is stuff like Adobe's Flash Player and Adobe Acrobat Reader. These are full of very serious security problems, infrequently patched...

Comment from gary on 2009-12-01

That last paragraph about Security Engineers is important. The current thinking about Security Engineering (SE) is that an SE checks things after design. The SE needs to be involved in the design and...

Comment from Otto Hottentot on 2011-12-19

@all: For everybody reading this, Markus here is the only one that knows what he is talking about, and Bruce Schneier talking is just silly: - security doesn't bring money like features. The security...