[Info-vax] A possible platform for VMS?

terry+googleblog at tmk.com
Sun Mar 1 06:14:45 EST 2015


On Saturday, February 28, 2015 at 5:53:24 PM UTC-5, johnwa... at yahoo.co.uk wrote:
> IE might historically have had more holes than a Swiss cheese, but
> even if you eliminate all the IE-specific holes there are plenty left.
> I specifically picked the two I mentioned above, from the larger
> selection in that month's list, because those two didn't require IE
> as part of the exploit.

Regarding the IE issue, a good chunk of the problem is due to the historical decision to make IE "part of Windows" (IE code in the OS proper, and OS code in IE). 3rd-party browsers manage to provide (generally) more nimble and more secure implementations in a smaller footprint. Perhaps Microsoft's "new browser" (the code they're working on that will NOT be called IE and jettisons IE compatibility) will have learned from this mistake.

As someone who advises a number of customers on patching / security on a number of platforms, what is of much more concern in the Microsoft Model is the number of dud patches in the last year or so. I think the record was "the patch to fix the patch to fix the patch that patched the bug".*

Also of concern are "critical" or "important" patches that are unnecessary. The one that really drives this point home is this month's KB3006137, which caused a reboot when a user logged out. Why? "Update changes the currency symbol of Lithuania from the Lithuanian litas (Lt) to the euro (EURO) in Windows". That is just idiotic to release as an out-of-band force-reboot patch, and I told Microsoft that (not that they listen to me any more).

On the other hand, in modern Windows a good number of the patches can be applied without needing a reboot. Video drivers are an excellent example of wholesale driver replacement without needing a reboot. Quite a far cry from the old "Your mouse pointer has moved. Windows must restart to recognize these changes" model.

Patch-in-place is becoming more popular. Recent Linux kernels now support live patching, for example. Perhaps this is something VSI can investigate as part of the port to a new architecture.

* http://www.theregister.co.uk/2015/02/15/microsofts_patchwork_falls_apart_again
