Microsoft's 'Patch Tuesday' Includes 129 Security Updates, Mostly to Windows (krebsonsecurity.com)

This week Krebs on Security reported that Microsoft "released updates to remedy nearly 130 security vulnerabilities in its Windows operating system and supported software." None of the flaws are known to be currently under active exploitation, but 23 of them could be exploited by malware or malcontents to seize complete control of Windows computers with little or no help from users. The majority of the most dangerous or "critical" bugs deal with issues in Microsoft's various Windows operating systems and its web browsers, Internet Explorer and Edge. September marks the seventh month in a row Microsoft has shipped fixes for more than 100 flaws in its products, and the fourth month in a row that it fixed more than 120.

Among the chief concerns for enterprises this month is CVE-2020-16875, which involves a critical flaw in the email software Microsoft Exchange Server 2016 and 2019. An attacker could leverage the Exchange bug to run code of his choosing just by sending a booby-trapped email to a vulnerable Exchange server. "That doesn't quite make it wormable, but it's about the worst-case scenario for Exchange servers," said Dustin Childs, of Trend Micro's Zero Day Initiative. "We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We'll likely see this one in the wild soon. This should be your top priority."

Also not great for companies to have around is CVE-2020-1210, which is a remote code execution flaw in supported versions of Microsoft Sharepoint document management software that bad guys could attack by uploading a file to a vulnerable Sharepoint site. Security firm Tenable notes that this bug is reminiscent of CVE-2019-0604, another Sharepoint problem that's been exploited for cybercriminal gains since April 2019.

The article points out that Google also shipped a critical update for Chrome this week "that resolves at least five security flaws that are rated high severity."
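Before a month like this can be closed out, an administrator needs to know which machines actually received the fixes. The following PowerShell script is an added example, not code from the Krebs article or from anyone in the discussion: it compares a list of required KB articles against what Get-HotFix reports on the local machine, then pulls recent installation failures from the Windows Update client event log, since a commenter further down reports exactly that kind of failure with KB4574727 (the one KB this page names; the list is meant to be filled in from Microsoft's Security Update Guide for the month). One caveat the script itself notes: Get-HotFix reads Win32_QuickFixEngineering, which lists operating-system updates only, so the Exchange and SharePoint fixes discussed above have to be verified through their own product update mechanisms.

```powershell
# Added example, not from the Krebs article or the Slashdot discussion.
# Reports which required KB articles are missing on the local Windows machine
# and lists recent update-installation failures from the Windows Update client
# event log. KB4574727 is the update a commenter in this thread reports as
# failing to install; extend the list with the KBs relevant to your own SKUs,
# taken from Microsoft's Security Update Guide.
#
# Caveat: Get-HotFix queries Win32_QuickFixEngineering, which only covers
# operating-system updates. Exchange Server and SharePoint security updates are
# product updates and will not appear here; verify those separately.

param(
    [string[]]$RequiredKBs = @('KB4574727'),
    [int]$Days = 30
)

# Installed OS updates, by KB identifier (e.g. "KB4574727").
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$missing = $RequiredKBs | Where-Object { $installed -notcontains $_ }
if ($missing) {
    Write-Warning ("Missing updates on {0}: {1}" -f $env:COMPUTERNAME, ($missing -join ', '))
} else {
    Write-Output "All required updates present on $env:COMPUTERNAME."
}

# In the WindowsUpdateClient operational log, event ID 20 is "Installation
# Failure" and ID 19 is a successful installation. Only failures are pulled.
$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
    Id        = 20
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

if (-not $failures) {
    Write-Output "No update installation failures in the last $Days days."
}

foreach ($evt in $failures) {
    # The message carries the update title and the error code reported by the
    # update client; collapsing whitespace keeps each failure on one line.
    '{0:u}  {1}' -f $evt.TimeCreated, ($evt.Message -replace '\s+', ' ')
}
```

Run it from an elevated PowerShell session on each host (or via Invoke-Command against a list of servers) and collect the warnings; a machine that reports the KB as missing and shows repeated ID 20 events for the same update is the case described in the discussion, where the cumulative update keeps failing rather than merely not having been offered yet.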
  • by shanen ( 462549 ) on Saturday September 12, 2020 @12:47PM (#60499582) Homepage Journal

    One of my Windows 10 boxes is unable to install some of the security updates. Another has to be forcibly rebooted several times a day after hard freezes.

    Something is seriously wrong with an economic model that allows Microsoft to be one of the most profitable companies in the world in spite of producing such gawdawful products for so many years.

    Funny small world syndrome. Just reading a Taschen book about supposedly great websites. One of them was the promotional website for Windows Vista. Rather amusing to contrast the actual product with the advertising, eh?

    I'm NOT saying that Microsoft shouldn't try to deliver reliable and secure software. I'm just (again) noting that they are doing it REALLY badly.

    • I keep saying beloved Linux would be destroyed if it had even remotely the user base of Windows...and thus the focus of the intentions of thousands of motivated and intelligent bad actors. We've seen it start catching such flack in the past at various times.

      Don't think any other OS or product set is more secure for a microsecond under such assault.

      • by guruevi ( 827432 ) on Saturday September 12, 2020 @01:06PM (#60499636)

        About 84% of the Internet-accessible systems run on Linux, only some end-users and some corporations run Windows publicly.

        If you want to create a wide botnet system, and we've seen them on Linux for Apache, various database products and various web frameworks, then Linux would be a prime target.

      • by Zitchas ( 713512 ) on Saturday September 12, 2020 @01:09PM (#60499644) Journal

        That might be true, but they also are not really making it any easier for themselves, either.

        All I need my OS to do is a) manage my files, and b) launch my programs. That's it, that's all.

        I explicitly do NOT want my OS: searching the internet, suggesting new programs that I might like, manage my settings, synchronize my settings (and files) to online repositories, bugging me about connecting my local account to some nebulous online account, looking fancy.... And there's a couple hundred other things that they do that the OS really doesn't need to be doing. All that stuff should be plug-ins, extensions, or dedicated programs.

        That all just wastes space, time, and effort. I am *never* going to sit around staring at my OS going "that looks pretty!" or "I'm so glad that it does this animation while I move files!"

        I realize there's a lot of drivers, libraries, and other stuff that need to be there in order to support the programs that I'm using, but there's so much garbage too. For instance, searching the internet. I can guarantee you that absolutely 100% of the time, if I am searching for something in my OS, I am looking for something local. If I want to search the internet, I'll go use something specifically designed for using the internet. Use the right tool for the right job, after all.

        I suspect that they'd have a more stable and robust system if they cut out all the extraneous stuff and focused on the core job of the OS: Manage files, and run the programs that I *actually* need to work in order to do my work.

        • by shanen ( 462549 )

          Well said and I wish I had a mod point for you.

        • You might want to look into Windows LTSB:

          https://www.ecosia.org/search?... [ecosia.org]

          • by Anonymous Coward
            Remind us again of the procedure for obtaining the Windows LTSB builds legally.
            • Good point.

              OTOH I don't feel dirty for having a paid-for license for Windows 10 Pro and installing LTSB instead. YMMV.

          • LTSC still has the same vulnerabilities. Sure, it also got patched, but it's not some magic bullet. In fact it has more bugs, as it's a 2015 version of Windows and is missing a lot of stuff like WSL for Linux and Azure and drivers for newer hardware.

            • The subject has changed to "Windows without cruft".

              LTSB/LTSC has a lot less, but Microsoft doesn't want you to have it.

        • I suspect that they'd have a more stable and robust system if they cut out all the extraneous stuff and focused on the core job of the OS: Manage files, and run the programs that I *actually* need to work in order to do my work.

          May I respectfully suggest you might prefer to be running RSX11, and running FROM Microsoft products - at the speed of the latest Intel offering.

        • And that's both the problem with Windows and the fix. Note the problem report:

          in its Windows operating system and supported software

          It's all the crap that's shovelled onto a Windows PC that has most of the flaws. I went through some of that list and it was mostly "disabled that, uninstalled that, blocked that, turned that off, ...". In the end there weren't any significant vulns I needed to worry about because I'd removed or blocked all the crap that had the vulns in it, and I've noticed no loss of functionality from doing so. If they had all this shit tur

    • Something is seriously wrong with an economic model that allows Microsoft to be one of the most profitable companies in the world in spite of producing such gawdawful products for so many years.

      People need computers, most of them have Microsoft preinstalled.

      • by shanen ( 462549 )

        Seems rather shallow reasoning and I'm not sure if your evidence is still valid. I would certainly count smartphones as computers and Microsoft lost that battle for preinstallation. Badly. I even mourn for Nokia.

    • The path to the efficient and the optimum rarely leads to greatness or perfection.

      • by shanen ( 462549 )

        Superficially attractive as a philosophic statement, but unclear how you map it to Microsoft's claims and track record.

        • In business it is common to see products that are "good enough" to be profitable, and trying to make them better is essentially a waste of society's resources. Their claims are not relevant. Their track record is that they have made a lot of money selling their "crap", and their products have provided much productivity. The value of the bulk of what has been produced with those products seems more ripe for debate.

          • by shanen ( 462549 )

            I'm not disagreeing, but in the context of this article I think the negative value, that is to say the harms, caused by the security problems should be the primary focus. If Microsoft had merely had to cover the damage their software has allowed, then I think the company would be bankrupt. They have LOTS of customers.

            Of course the liability should go beyond covering the costs where negligence can be proven. But I think that 40+ years of security incompetence should be sufficient proof.

            • You may be right about their effect on society being a net loss, but that discussion could get quite complicated. Limiting liability, however, is a common concept that societies find useful, and even though Microsoft may have been unhelpful, the rules that allowed them to become that way likely also encouraged many other ventures that were necessary for the immense progress in personal computing. Is there an alternate history where Linux is developed to provide an alternative to CP/M, etc...

              • by shanen ( 462549 )

                I don't think those timelines (UNIX -> Linux and CP/M (8 -> 16 -> 32?)) could have been fit together, but I do think alternative history is always possible. In particular, I think the confusion of the English word "free" did enormous damage, mixing the minor economic senses of the word with all the more important meanings and resulting in disaster. Possibly even our extinction as a species (though in that case I suspect it's merely the most frequent resolution of the Fermi Paradox).

                The solution app

    • by shanen ( 462549 )

      Weird. How did I get an FP? Well, partly by cutting the story short, so here's the rest of that first example for Windows 10. (Unfortunately I can't access that machine right now, so I don't have access to all of the details.)

      The problematic update is a major one. Based on this machine's logs, the latest version of the failure is most likely associated with KB4574727 for the base system, but the various versions of the corresponding updates have been failing for some months. (Feels like years, but who can tell i

    • It does. It's called Android and iOS. Windows solely exists for corporate software and that is it. No one should use Windows for Facebook or to browse the web like they used to 10 years ago.

      College campuses are loaded with all Macs for those that still need Office to type papers.

      Linux has its own can of worms and is far from perfect. Gnome3 truly is awful and so is KDE for the past 14 years. The only people who defend it are slashdotters because they are used to it and forced it upon themselves. 99% of th

      • by shanen ( 462549 )

        I only asked one question and I don't see how "It does" is an answer to it. Were you intending to reply to a different comment in the thread? There was something someone else wrote about the prevalence of Windows.

    • What gets me is that my updates for Ubuntu Linux are not just for the OS. All the applications are included in the updates. These updates are generally no trouble at all, and only take a few minutes.

      At one time, I used to build Windows systems for specialist access control software. I thought it a good idea to upgrade Windows to the latest edition, before installing our software and shipping the PC. The Windows update took hours, and I had a real struggle keeping up with deliveries. Having been used to Linu

  • A "critical" bug in supported software is a "critical" bug in the Operating System, namely Microsoft Windows.
  • by davebarnes ( 158106 ) on Saturday September 12, 2020 @04:39PM (#60500170)

    "Microsoft's 'Patch Tuesday' Includes 129 Security Updates, Mostly to Windows"
    And, none for MacOS.
    Lazy gits.
