Coffeehouse Thread

16 posts

security patch win8

  • magicalclick

    Seriously Microsoft, patch it before release. Not saying you should hold off the security patch. But, I just feel less confident about my OS when it is patched soon after its initial release.

    Leaving WM on 5/2018 if no apps, no dedicated billboards where I drive, no Store name.
  • kettch

    @magicalclick: Chances are, to make it into Windows Update right now, the patch was in the works before the release but after RTM. You can't delay RTM for every little thing that you find, otherwise you'd never release.

    EDIT: On another note, I didn't even know that there was an update. I consider that to be a very good thing, not only for me, but for consumers.

  • evildictaitor

    Microsoft releases a patch once a month for all of its products. Why do you think Windows8 wouldn't be being patched a month after release?

  • magicalclick

    Because it should be future proof for a little while.

  • evildictaitor

    magicalclick wrote

    Because it should be future proof for a little while.

    Why? Microsoft stopped building Win8 in late June / early July.

    Since then, they've had a ton of error messages back via Watson, external people have posted bugs, internal tests have found issues.

    Should Microsoft leave those bugs open for people to exploit? Or should they patch them?

    Security patches aren't a big deal. They're just fixing up bugs that have been found.

  • blowdart

    magicalclick wrote

    Because it should be future proof for a little while.

    Why? It's not been rewritten from scratch. Something that affects previous versions could reflect in the latest version. (Note, I don't know what the vulnerability is). Of course brand new code isn't safer. Sure, there's more mitigations in each version, DEP, ASLR etc. so the risk might be lesser on later OSes, but expecting it to be future proof is, in my opinion, unreasonable.

     

  • JoshRoss

    This is one of the most cryptic threads ever. Are you advocating applying patches to Windows 8, creating patches for Windows 8, or something even crazier, not creating or applying patches for Windows 8?

    In any case, none of this makes sense.

  • evildictaitor

    blowdart wrote

    *snip*

    Why? It's not been rewritten from scratch. Something that affects previous versions could reflect in the latest version. (Note, I don't know what the vulnerability is). 

    The bug in question is in Microsoft XML Core Services - code that was written and deployed in Windows XP SP3.

    A remote code execution vulnerability exists in the way that Microsoft XML Core Services handles objects in memory. The vulnerability could allow remote code execution if a user views a website that contains specially crafted content. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    http://technet.microsoft.com/en-us/security/bulletin/ms12-043

    My vote is that Microsoft was right to patch it. I'd prefer to have to install patches (annoying as that is), than to allow remote attackers to gain access to my Windows8 device.

  • JoshRoss

    @evildictaitor: How do you even know what magicalclick is even talking about? At any given point, there are multiple critical remote execution vulnerabilities for Windows or some component thereof.

    edit: Just for clarification, I believe that the latest versions of Windows are very secure, and are getting more secure as time elapses.

    -Josh

  • evildictaitor

    JoshRoss wrote

    @evildictaitor: How do you even know what magicalclick is even talking about? At any given point, there are multiple critical remote execution vulnerabilities for Windows or some component thereof.

    Because that is the critical bug that was patched this month for Windows8. I assumed Magicalclick didn't find a 0-day in Windows8 himself, and there aren't many other Windows8 patches to choose from :/

  • magicalclick

    @evildictaitor:

    Yeah, I think that's what you found. I only know it is about remote code execution, but, not knowing it is as serious as you described. I don't mind frequent security patches. But, I really prefer to have new OS not open to big attacks like this.

    At least make it hard enough for people to find security holes slower.

  • evildictaitor

    magicalclick wrote

    @evildictaitor:

    At least make it hard enough for people to find security holes slower.

    It's a whole lot harder to find security bugs in Windows8 than against most other commercial products that I've seen.

    I would put $200 on you having written a bug that would be marked by Microsoft's security team as being "remote code execution" at some point in your career - it's just you probably wouldn't know to classify it as such, and probably aren't looking for those bugs.

  • wkempf

    magicalclick wrote

    @evildictaitor:

    Yeah, I think that's what you found. I only know it is about remote code execution, but, not knowing it is as serious as you described. I don't mind frequent security patches. But, I really prefer to have new OS not open to big attacks like this.

    At least make it hard enough for people to find security holes slower.

    Your expectations are unreasonable. Maybe you don't understand that the hole was found in existing code, not code new to Win8? That's the only way I can interpret "make it hard enough for people to find security holes slower." In any case, it is what it is. Microsoft is doing at least as well as everyone else here, and patching rapidly is a good thing that should give you more confidence, not less.

  • Sven Groot

    Look, it's pretty simple. If Microsoft could make a version of Windows that wouldn't need to be patched for several months on end, they would do it. Unfortunately, they can't. And for as long as software is written by humans, no one will be able to accomplish such a feat.

    MS has insane security standards in place since the security push of XPSP2. This is literally as good as they can make it, and they're already at least as good, if not better, than anyone else. It's simply not possible to do better with current software engineering techniques.

  • ScanIAm

    The only future proof device is a rock.

  • Blue Ink

    ScanIAm wrote

    The only future proof device is a rock.

    Yep. That's city building 101 :)
