EDIT: On another note, I didn't even know that there was an update. I consider that to be a very good thing, not only for me, but for consumers.

20 minutes ago, magicalclick wrote

Because it should be future proof for a little while.

Why? Microsoft stopped building Win8 in late June / early July.

Since then, they've had a ton of error messages back via Watson, external people have posted bugs, internal tests have found issues.

Should Microsoft leave those bugs open for people to exploit? Or should they patch them?

Security patches aren't a big deal. They're just fixing up bugs that have been found.

21 minutes ago, magicalclick wrote

Because it should be future proof for a little while.

Why? It's not been rewritten from scratch. Something that affects previous versions could reflect in the latest version. (Note, I don't know what the vulnerability is). Of course brand new code isn't safer. Sure, there's more mitigations in each version, DEP, ASLR etc. so the risk might be lesser on later OSes, but expecting it to be future proof is, in my opinion, unreasonable.

In any case, none of this makes sense.

3 minutes ago, blowdart wrote

*snip*

Why? It's not been rewritten from scratch. Something that affects previous versions could reflect in the latest version. (Note, I don't know what the vulnerability is). 

The bug in question is in Microsoft XML Core Services - code that was written and deployed in Windows XP SP3.

A remote code execution vulnerability exists in the way that Microsoft XML Core Services handles objects in memory. The vulnerability could allow remote code execution if a user views a website that contains specially crafted content. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

http://technet.microsoft.com/en-us/security/bulletin/ms12-043

My vote is that Microsoft was right to patch it. I'd prefer to have to install patches (annoying as that is), than to allow remote attackers to gain access to my Windows8 device.

edit: Just for clarification, I believe that the latest versions of Windows are very secure, and are getter more secure as time elapses.

-Josh

1 hour ago, JoshRoss wrote

@evildictaitor: How do you even know what magicalclick is even talking about? At any given point, there are multiple critical remote execution vulnerabilities for Windows or some component there of.

Because that is the critical bug that was patched this month for Windows8. I assumed Magicalclick didn't find an 0-day in Windows8 himself, and there aren't many other Windows8 patches to choose from :/

Yeah, I think that's what you found. I only know it is about remote code execution, but, not knowing it is as serious as you described. I don't mind frequent security patches. But, I really prefer to have new OS not open to big attacks like this.

At least make it hard enough for people to find security holes slower.

1 hour ago, magicalclick wrote

@evildictaitor:

At least make it hard enough for people to find security holes slower.

It's a whole lot harder to find security bugs in Windows8 than against most other commercial products that I've seen.

I would put $200 on you having written a bug that would be marked by Microsoft's security team as being "remote code execution" at some point in your career - it's just you probably wouldn't know to classify it as such, and probably aren't looking for those bugs.

1 day ago, magicalclick wrote

@evildictaitor:

Yeah, I think that's what you found. I only know it is about remote code execution, but, not knowing it is as serious as you described. I don't mind frequent security patches. But, I really prefer to have new OS not open to big attacks like this.

At least make it hard enough for people to find security holes slower.

Your expectations are unreasonable. Maybe you don't understand that the hole was found in existing code, not code new to Win8? That's the only way I can interpret "make it hard enough for people to find security holes slower." In any case, it is what it is. Microsoft is doing at least as well as everyone else here, and patching rapidly is a good thing that should give you more confidence, not less.

MS has insane security standards in place since the security push of XPSP2. This is literally as good as they can make it, and they're already at least as good, if not better, than anyone else. It's simply not possible to do better with current software engineering techniques.

30 minutes ago, ScanIAm wrote

The only future proof device is a rock.

Yep. That's city building 101