  • Microsoft Security Response Center: The biggest malware threat comes from zero-days; delayed patches, not so much

    Posted on February 8th, 2019 at 10:04 woody Comment on the AskWoody Lounge

    Of course your greatest security threat lies between the ears and in the twitching clicking fingers of people at the console. That hasn’t changed, and likely never will.

    What’s startling to me, though, is that numbers from Microsoft now confirm that waiting 30 days to install those monthly patches realistically doesn’t put you at greater risk for getting clobbered by a cretin.

    Computerworld Woody on Windows.

    Thx, Susan!



    This topic contains 44 replies, has 15 voices, and was last updated by  anonymous 1 month, 3 weeks ago.


    • #322892 Reply

      anonymous

      It’s also much safer to design software so that it’s secure by design, rather than not really caring much about security when first making it and then trying to plug in the holes after it’s been released. Looking at you, Windows.

      6 users thanked author for this post.
      • #322898 Reply

        anonymous

        I’d say that’s not fair.  The threat landscape was very different in the ’90s.  Microsoft does design with security in mind these days.

        4 users thanked author for this post.
        • #322955 Reply

          Seff
          AskWoody Plus

          Doesn’t Windows 10 have more security flaws reported every month than any other older version of Windows?

          1 user thanked author for this post.
          • #323044 Reply

            b
            AskWoody Plus

            Of course: All older versions are beyond mainstream support, so are not being developed; no changes means no new bugs.

            Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker Saluted blockhead "Finger sharpener" (Group ASAP) WX1903

            2 users thanked author for this post.
            • #323077 Reply

              Seff
              AskWoody Plus

              And yet the new systems that are being developed with security more in mind are failing in that respect.

              If it’s true that no new bugs are being introduced to older versions because there aren’t any changes (and the original bugs have presumably been patched by now), why are we being advised not to use older versions once they are out of extended support?

              I’m not trying to argue with you, far from it, I’m just looking at the gaps in the logic behind the claim that compared with the 1990s MS designs with security in mind these days. If they do, the end result doesn’t seem to be any different.

            • #323087 Reply

              b
              AskWoody Plus

              “(and the original bugs have presumably been patched by now)”

              Because that is an incorrect assumption.

              Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker Saluted blockhead "Finger sharpener" (Group ASAP) WX1903

              1 user thanked author for this post.
            • #323096 Reply

              Seff
              AskWoody Plus

              Some won’t have been, but most will have been surely? Either way, the point remains that since MS are claimed to have been more security-minded with newer versions the end results have proved to be no different.

              However, I said I wasn’t seeking to get into an argument so I’ll leave it there! Thanks for your contributions.

            • #335532 Reply

              anonymous

              The point is demonstrated when you compare SMBv1 to SMBv2.  SMBv1 was written by developers with no focus on security and was considered beyond hope when security became a concern.

            • #323261 Reply

              BobT
              AskWoody Lounger

              Are you saying the new “bugs” are ONLY in the new features?

            • #323270 Reply

              b
              AskWoody Plus

              Yes. (Newly introduced, not newly discovered.)

              Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker Saluted blockhead "Finger sharpener" (Group ASAP) WX1903

              1 user thanked author for this post.
          • #323149 Reply

            warrenrumak
            AskWoody Plus

            Not significantly so.  95% of the vulnerabilities found in Windows 10 are also present in Windows 7 and 8.1.

            It’s worth keeping in mind that Windows 10 has a lot more features and capabilities than old versions.  Edge has a built-in PDF reader, for example, which replaces the standalone “Reader” app from the Windows 8 / early 10 days.  And of course, Windows 7 can’t read PDF’s on its own.  Any security vulnerabilities that come up in the Edge PDF reader now show up as Windows vulnerabilities.  Windows 10 also sometimes gets two vulnerability reports for the same browser flaw, because the flaw exists separately in IE and Edge and requires two separate fixes. (e.g. CVE-2018-8280 and CVE-2018-8242)

            There are also Windows 10 features like Device Guard which have had a few vulnerabilities.

            But this isn’t a one-way street.  There are still new “Windows 7 only” vulnerabilities being found, such as CVE-2018-8589, which allows any application running as a standard user to silently elevate to full system privileges.  The most serious of that rash of GDI vulnerabilities found & fixed last summer, CVE-2018-8397, was a Windows 7 special, too.  Yeah, they’re still finding stuff like that, almost 10 years after Windows 7’s original release.

            You can verify all this for yourself by having a look through the US Government’s National Vulnerability Database.

            Windows 10: https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe=cpe%3a%2fo%3amicrosoft%3awindows_10%3a-%3a%3a%7e%7e%7e%7ex64%7e

            Windows 7: https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe=cpe%3a%2fo%3amicrosoft%3awindows_7%3a-%3asp1%3ax86&startIndex=1

            1 user thanked author for this post.
    • #322909 Reply

      BobT
      AskWoody Lounger

      But oh noes, what about the “Cliff Edge” for Windows 7 on Jan 2020???/1!!!11!! Can’t possibly go a single day without patches!!1??!1

      2 users thanked author for this post.
    • #322930 Reply

      Seff
      AskWoody Plus

      “only 2% to 3% of patched exploits are seen in an exploit within 30 days of the patch being distributed.”

      How many are ever seen in an exploit at all? That’s the question I’d like to see them answer.

    • #322963 Reply

      b
      AskWoody Plus

      “For those of you in the ‘patch in haste, recover at leisure’ crowd, the numbers simply don’t support the drive to install every patch immediately:
      … the exploits these days are laser-focused on zero days.
      The malware world’s getting more sophisticated: The bad guys are going for zero days, not for security holes that have already been patched.”

      Except for that 17% of exploits last year which were not zero-days but were exploited within 30 days. (The laser was only 83% focused on zero-days.)

      You’ve got to ask yourself one question: ‘Do I feel lucky?’

      Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker Saluted blockhead "Finger sharpener" (Group ASAP) WX1903

      1 user thanked author for this post.
      • #323041 Reply

        woody
        Da Boss

        Yes, but the percentage you want isn’t 17%. To a first approximation:

        The chance of getting zapped by a patched security hole (CVE) =

        The number of patched CVEs

        Times the percentage of CVEs that have been exploited before you installed the patch (I’m currently recommending between 15 and 25 days or so, depending on the version of Windows – the MS statistic is for 30 days)

        Times the percentage of exploits that actually hit your machine (in my experience, that’s extremely small – although there are major exceptions like WannaCry).

        So the real question is whether your chance of getting bit by a buggy patch (impossible to quantify but, in my experience, non-trivial) exceeds your chance of getting bit by a patched CVE that you haven’t installed (in my experience, with notable exceptions, almost vanishingly small).

        • #323064 Reply

          b
          AskWoody Plus

          “Yes, but the percentage you want isn’t 17%. To a first approximation:

          The chance of getting zapped by a patched security hole (CVE) =

          The number of patched CVEs”

          The number has no relevance when the percentage has already been calculated (unless it’s zero, I guess).

          “Times the percentage of CVEs that have been exploited before you installed the patch (I’m currently recommending between 15 and 25 days or so, depending on the version of Windows – the MS statistic is for 30 days)”

          Which is 17%.

          “Times the percentage of exploits that actually hit your machine (in my experience, that’s extremely small – although there are major exceptions like WannaCry).”

          Which is the “Do I feel lucky?” part.

          “So the real question is whether your chance of getting bit by a buggy patch (impossible to quantify but, in my experience, non-trivial) exceeds your chance of getting bit by an unpatched CVE (in my experience, with notable exceptions, almost vanishingly small).”

          My experience is that the chance of a buggy patch has been vanishingly small, uninstallation when absolutely necessary is nearly always trivial, and the chance of getting bit by an unpatched exploit during the first month can only be guessed by anyone.

          Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker Saluted blockhead "Finger sharpener" (Group ASAP) WX1903

        • #323070 Reply

          NetDef
          AskWoody_MVP

          Agree on the math.  But there is a big variable that’s really hard to quantify.

          Are you (more like your organization) a desirable target?  I’m speaking of companies that have valuable IP, (targeted by corporate espionage – pick your vector) or are known to have deep pockets (targeted by spear phishing ransomware or remote intrusion).

          The type of malware I have personally seen on small networks/home systems is very different from the scary stuff I’ve seen on large enterprise networks.  Add into this fuzzy variable different levels of pre-mitigation (firewalls, AV, intrusion detection/automatic-reactions) that vary wildly and you have a rather loose risk analysis in terms of one’s chances of being hit.

          In my business we like to speak of the three pillars of security: (your number may vary)

          In order of effectiveness at the 50K meter resolution:

          1) Customer (worker or end-user) education.  Phishing resistance, click-bait resistance, device awareness, strange behavior recognition.

          2) Firewall / AV / Group Policy restrictions / network segregation / worker (end-user) permissions control (don’t run as Admin!!) / plus all other background technical mitigations.

          3) System patch level, third party software updates and restrictions.

          Even though I place patching third on that list – in my mind it’s close to the other two.  We’re not talking a wide gap in effectiveness.  And it takes all three, you can’t skip any one.

          Having said that – it’s our policy that unless a patch is known to break a mission critical software suite or system – we apply patches roughly 10 days after release.  It’s a decent compromise on securing the workstations/servers at that level, and skipping what has become all too often a major ‘oops’ from Microsoft (and not just them!) which generally gets pulled or corrected by them within five to seven days anyway.

          This lets us miss the pain, and be within a reasonable window to avoid a mess.

          As for Zero Day exploits:  I want to be clear that in the parlance of the bad guys, these are exploits that have not yet been patched, but have just been discovered.  Patching does not help with those.

          For major longer term malware and intrusions:  patching definitely does help.

          ~ Group "Weekend" ~

          • This reply was modified 2 months, 1 week ago by
             NetDef.
          3 users thanked author for this post.
    • #323125 Reply

      anonymous

      And then there are the AV-scanners and firewalls. Even IF someone would attack you, the chance is higher it will be blocked by a security suite than a monthly blurp of patches that no one knows what exactly they do…

      • #323154 Reply

        warrenrumak
        AskWoody Plus

        Third-party AV products also introduce their own instability and security vulnerabilities into the system.  This Wired article from a couple of years ago covers this: https://www.wired.com/2016/06/symantecs-woes-expose-antivirus-software-security-gaps/

        Some of Symantec’s flaws are basic, and should have been caught by the company during code development and review. But others are far more serious, and would allow an attacker to gain remote-code execution on a machine, a hacker’s dream. One particularly devastating flaw could be exploited with a worm. Just by “emailing a file to a victim or sending them a link to an exploit … the victim does not need to open the file or interact with it in anyway,” Ormandy wrote in a blog post Tuesday, further noting that such an attack could “easily compromise an entire enterprise fleet.”

        It gets worse. The flaw exists in an unpacker Symantec uses to examine compressed executable files it thinks might be malicious. So the vulnerability would let attackers subvert the unpacker to take control of a victim’s machine. Essentially, a core component Symantec uses to detect malware could be used by intruders to aid their assault.

        Lovely….

        Do you trust that no such problems exist with your AV product of choice?  Is that trust based on something other than emotion, or the fact that your reputation might be at risk because you recommended that AV product to your employer or client?

        As for stability…. just this week I answered a question on Quora from someone who was seeing repeated blue screens attributed to “vfsmfd.sys”.  They thought this was a Windows system file, but it’s actually Symantec Endpoint Protection’s file system filter driver.

         

        • This reply was modified 2 months, 1 week ago by
           warrenrumak.
        2 users thanked author for this post.
    • #323164 Reply

      OscarCP
      AskWoody Plus

      On the question of delaying patches and security: leaving aside actual zero-day threats already seen at large in the wild, I usually wait at least three weeks to patch, and sometimes I do it even after the green light has been given here with the rising of the DEFCON. But there is something I’ve never waited long enough to see what happens (or particularly care to, but it could happen nevertheless, for example, if I go away for a couple of weeks) and it is this: What if one waits so long that the next Patch Tuesday comes and goes and the new patches show up together with the previous ones in the Windows Update window?

      I imagine that there could be some not obvious conflicts that can cause problems if one applies the previous and current patches together. So what is a safe way to proceed, in such a case of overlapping patch releases? Thanks.

      • This reply was modified 2 months, 1 week ago by
         OscarCP.
      • #323400 Reply

        Fred
        AskWoody Lounger

        @oscarcp  In my very humble opinion: either anyway you choose to maintain your computer, it all can go very wrong for various reasons. Patching over patching, and repair over repair can result in very strange pc behaviour, or sudden death etc. Once a hidden part of the registry or some crucial system files are damaged, it is very possible there simply will NOT be a real repair possible; this is true for many malware infections, you will never know what really was changed by the bad guys.. It is beyond repair.

        Having a full (1:1 sector) image on a separate hard drive, made once in a while, can save you lots of time to start all fresh over…

         

        • This reply was modified 2 months, 1 week ago by
           Fred.
        1 user thanked author for this post.
      • #323410 Reply

        GoneToPlaid
        AskWoody Plus

        Hi OscarCP,

        Good question. If the green light is given for the latest updates, install them first. Then try to install the missing updates in reverse order of their release dates. If the update has been entirely superseded, then Windows will show you a message that the update is not applicable to your computer. If only parts of the older update have been superseded, then the older update will install, yet supersedence will take precedence such that newer file versions do not get replaced with older file versions. I have used this supersedence technique a few times in the past, in order to get around issues in some of Microsoft’s buggy updates.

        Best regards,

        –GTP

         

        1 user thanked author for this post.
    • #323166 Reply

      anonymous

      Off topic. Short answer, they won’t appear together. Often read posts where the cumulative update desired is “lost”. After 12 February, use the “hide” function to remove the 2019-02 update from the offered list. Then the 2019-01 will display on the recheck, when needed.

      1 user thanked author for this post.
    • #323204 Reply

      anonymous

      Just the term Zero-day does not say a thing to me, it is like what?… but google’ing it: “Zero-day is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw.”

      So how are we supposed to “Watch out for zero days” when it took years to find out exploits like meltdown/spectre. That not even today has been used as much as an exploit, because it is patched.

      • #323250 Reply

        lurks about
        AskWoody Lounger

        Zero-day means the exploit is possibly known to hackers but unknown to anyone else. The danger is the hackers have an exploit they can use that no one has any defense for. If it is being exploited and you are hacked you are cooked. However, known, patched exploits are much less of a risk if you routinely patch your system even if you wait a month to patch.

        The lessened risk is not inherently obvious but it comes from the time lag to develop an effective exploit and to deploy it. Even if this takes a week to happen, the exploit will not be heavily used initially and by the time it becomes widely known the patches should have been installed if you are patching within 30 days or so. So if you have good surfing and email habits, the risks of being hit by a hack are quite low in reality.

        It is good practice to keep your computers patched but it does not mean one needs to panic every time a patch is released and install stat. One can wait a couple weeks and patch when more convenient. One of the complaints about W10 is there is no control over patching if you have the Home edition and that much if you have the Pro edition.

        1 user thanked author for this post.
    • #323207 Reply

      Fred
      AskWoody Lounger

      “It’s also much safer to design software so that it’s secure by design, rather than not really caring much about security when first making it and then trying to plug in the holes after it’s been released. Looking at you, Windows.”

      “quote”  For most of us with less-than-NSA-level protection budgets, you can basically bend over and kiss your keister goodbye. One redeeming social value: The really good zero days are hoarded by countries and organizations with their own agendas. They don’t care about you. “end-quote”

      Who can tell the difference?  ZeroDay vs BackDoor  is quite a revenue model

      • This reply was modified 2 months, 1 week ago by
         Fred.
      1 user thanked author for this post.
    • #323211 Reply

      Fred
      AskWoody Lounger

      “Just the term Zero-day does not say a thing to me, it is like what?… but google’ing it: ‘Zero-day is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw.’ So how are we supposed to ‘Watch out for zero days’ when it took years to find out exploits like meltdown/spectre. That not even today has been used as much as an exploit, because it is patched.”

      and to make it a bit less nice:
      a Zeroday (backdoor) is not known to antimalware software and cannot be recognized. Once a patch is there, or the 0Day can be identified, then this is simply not a 0Day anymore but a weakness/flaw whatever.
      AND once when you have got this flaw/weakness on your system, then one can never be sure anymore if there is nothing else damaged….
      Ergo: you have to format and reimage the whole pc with a fresh copy indeed….
      {quite a business}

      1 user thanked author for this post.
      • #323230 Reply

        anonymous

        So, that’s why Microsoft reinstall Windows 10 2 times a year.

        • #323240 Reply

          Fred
          AskWoody Lounger

          Yes, to fill us all up with new piles of potential 0Days. Hurray for the secret services and the shadow economies of the malware industry, hah!

          1 user thanked author for this post.
    • #323214 Reply

      alkhall
      AskWoody Lounger

      So, allowing users to choose whether to update or not, i.e. no forced updates, is not that bad after all…

      • #323272 Reply

        joep517
        AskWoody MVP

        From an ecosystem perspective it is a terrible idea. It created a support nightmare for Microsoft.

        The vast majority of end users have neither the inclination, technical background, nor discipline to examine individual updates each month. They may have had a technical friend or relative turn off automatic updating and have no clue that it is off much less how to turn it on. Even those who have the necessary background and inclination can easily miss prerequisite patches and superseded patches. With the vast Windows ecosystem imagine all the possibilities created by allowing individual patches to be applied or not.

        --Joe

        3 users thanked author for this post.
        • #323278 Reply

          anonymous

          The other alternative, forcing users to patch, is also equally undesirable. So you see, Microsoft is kinda stuck in a situation where, no matter what they do, someone is going to be unhappy with them.

          2 users thanked author for this post.
    • #323310 Reply

      GoneToPlaid
      AskWoody Plus

      Hi everyone,

      My takeaways from the graphs and data…

      — Starting in 2010, exploits of CVEs have steadily declined.

      — Starting in 2010, Zero Day exploits have steadily increased, albeit with some wobbling in terms of whether or not the Zero Days were exploited either before or after the release of a patch.

      — The year 2015 is a “magic year” in that, since 2010, malware authors reverted to some degree in terms of releasing Zero Days after patches were already available.

      Recall that Nadella became CEO of Microsoft the year before, and that Nadella fired the Windows Update Quality Assurance Team. Recall that 2015 is the year that Windows Update quality began to take a noticeably downhill slide, and users began to delay installing Windows patches. Thus it is no surprise that since 2014, a significant percentage of Zero Days are being released more than 30 days after patches have become available.

      Why does 2010 appear to be an inflection point in the graphs? Because a lot was going on with antivirus companies in 2009. Many of them were reading the writing on the wall. Many of them at around the same time were realizing that simple signature and heuristic based protection solutions were not sufficient since the in-the-wild virus and malware samples which they were seeing were increasing at an exponential rate. Many of them realized that the exponential rate of increase had obviously “started to go round the curve” of the exponential function. Many of them realized that the number of exponentially increasing individual virus and malware samples would soon become too much to handle with simple signature and heuristic detection techniques. Many of them realized that additional solutions were necessary.

      The realization by AV companies about everything in the above paragraph resulted in the creation of cloud based scanning within antivirus programs. The concept is rather simple in layman’s terms. Some sort of hash for every new file is sent by the AV program to the AV company cloud scanners. The hash might contain info about the file name, file timestamp, the file size, and CRC or MD5 or other types of checksums. If heuristics indicates that the file appears to be malicious, either the malicious part of the file or perhaps the entire file might be sent for analysis if the AV company already hasn’t received the malicious file.

      The upshot is this: If the AV company’s cloud scanners suddenly see the same type of file suddenly showing up on a plethora of their customer’s computers, this should rightly trip an alarm bell that the file could be either malware or could be part of a malware package. There is a good bit more to it, in terms of how this cloud scanning thing works. For example, digitally signed files from known trusted vendors generally are automatically approved if the file hash is correct. Basically, this is why virtually all AV vendors missed the CCleaner infection in CCleaner version 5.33. All of the AV vendors are much more careful as a result of the infamous CCleaner incident which occurred in the summer of 2017.

      Your takeaways from the graphs and data, and the above should be…

      1. Use an AV product which includes some type of built-in form of cloud scanning. Cloud scanning is the latest and greatest thing in terms of helping you to avoid being hit by a Zero Day — so long as enough other people already got hit such that your AV company is now automatically detecting and blocking the Zero Day which they now see as being in the wild. Virtually all of the major AV vendors now incorporate some form of cloud scanning into their AV products. **

      2. Use an AV product which is capable of alerting you when any new and previously unseen and unknown process tries to run on your computer. A user might see such alerts when installing really old yet trusted programs. I have seen this from time to time when reinstalling really old yet trusted programs.

      The following also is preferable in an AV program…

      3. The ability to protect specific drives (non-OS hard drives which only contain data) and/or other folders from having their file contents modified by any program other than any trusted or user approved programs. The AV manufacturers have a lot of variations for this general concept. The general goal is to protect your data from unknown ransomware, from data tampering, from data deletion, or from data file name obfuscation.

      ** I am talking only about your primary AV program which is your first line of protection. Specialized products are available which work in conjunction with your installed AV program. Such specialized products may use other proprietary detection techniques which do not rely on any form of cloud scanning.

      Best regards,

      –GTP

       

      4 users thanked author for this post.
      • #323313 Reply

        OscarCP
        AskWoody Plus

        GoneToPlaid,

        Thanks for your perceptive observations on that graph, and in particular for explaining, in some more detail than I have found looking around for information on the Web, about the cloud-based AVs and how they work. Mine “went cloud” several years ago. And, I should add here to what you wrote, since then it runs wickedly faster compared to how it used to when the scanning was done entirely on my PC.

        1 user thanked author for this post.
        • #323317 Reply

          GoneToPlaid
          AskWoody Plus

          Hi OscarCP,

          You’re welcome! You brought up a rather interesting additional point which cloud scanning affords users in terms of conventional signature and heuristics based scanning — speed! It is very quick to generate the hash (as described) for any file, in comparison to checking the file against all current signatures and with heuristics. Then it usually takes a mere instant to check with the cloud or a local hash database in order to see if that file hash is associated with a known safe file. Many AV products which incorporate cloud scanning also save hashes of files on the user’s computer. This allows the product to locally and virtually instantly check file hashes. As you have observed, this process is quite fast — even on older hardware.

          Best regards,

          –GTP
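
As an added illustration of the hash-lookup flow described in the two posts above (this is not code from the posters or from any AV vendor): a toy endpoint hashes each file, checks a local verdict cache, and only then asks a simulated cloud service, which flags an unknown hash that suddenly shows up on several machines. The class names, thresholds, the `signer_bypass` switch, the choice of SHA-256 and all sample data are assumptions constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed thresholds: an unknown hash reported by this many distinct
# machines inside the time window trips the prevalence alarm.
SPIKE_CLIENTS = 3
SPIKE_WINDOW = 3600  # seconds


def fingerprint(data: bytes) -> str:
    """The value sent to the cloud instead of the file (SHA-256 assumed)."""
    return hashlib.sha256(data).hexdigest()


class CloudReputation:
    """Toy stand-in for a vendor's cloud scanner (hypothetical)."""

    def __init__(self, known_good, known_bad, trusted_signers, signer_bypass=True):
        self.known_good = set(known_good)
        self.known_bad = set(known_bad)
        self.trusted_signers = set(trusted_signers)
        self.signer_bypass = signer_bypass
        self.sightings = defaultdict(dict)  # hash -> {client_id: last_seen}

    def lookup(self, digest, client_id, now, signer=None):
        if digest in self.known_bad:
            return "malicious"
        if digest in self.known_good:
            return "clean"
        # Auto-approval of files signed by a trusted vendor: the blind spot
        # the post associates with the CCleaner 5.33 incident.
        if self.signer_bypass and signer in self.trusted_signers:
            return "clean"
        seen = self.sightings[digest]
        seen[client_id] = now
        recent = [c for c, t in seen.items() if now - t <= SPIKE_WINDOW]
        if len(recent) >= SPIKE_CLIENTS:
            return "suspicious"  # same unknown file on many machines at once
        return "unknown"


class Endpoint:
    """Toy AV client with a local hash cache (hypothetical)."""

    def __init__(self, client_id, cloud):
        self.client_id = client_id
        self.cloud = cloud
        self.cache = {}
        self.cloud_queries = 0

    def scan(self, data, now, signer=None):
        digest = fingerprint(data)
        if digest in self.cache:  # local hit: no signatures, no network
            return self.cache[digest]
        self.cloud_queries += 1
        verdict = self.cloud.lookup(digest, self.client_id, now, signer)
        if verdict in ("clean", "malicious"):
            self.cache[digest] = verdict  # cache only final verdicts
        return verdict


def simulate_outbreak(signer_bypass, signer=None):
    """Four machines meet the same never-seen file one minute apart."""
    good = b"constructed sample: old trusted installer"
    new = b"constructed sample: never-seen-before binary"
    cloud = CloudReputation({fingerprint(good)}, set(),
                            {"Example Vendor Ltd"}, signer_bypass)
    verdicts = []
    for i in range(4):
        pc = Endpoint(f"pc-{i}", cloud)
        pc.scan(good, now=i * 60)
        verdicts.append(pc.scan(new, now=i * 60, signer=signer))
    return verdicts


if __name__ == "__main__":
    print("unsigned file:           ", simulate_outbreak(True))
    print("signed, bypass enabled:  ", simulate_outbreak(True, "Example Vendor Ltd"))
    print("signed, bypass disabled: ", simulate_outbreak(False, "Example Vendor Ltd"))
```

With the signer bypass enabled, the signed file is reported clean on every machine and the prevalence alarm never fires; with it disabled, the third sighting is flagged.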

           

      • #323340 Reply

        b
        AskWoody Plus

        “— Starting in 2010, Zero Day exploits have steadily increased, albeit with some wobbling in terms of whether or not the Zero Days were exploited either before or after the release of a patch.

        “— The year 2015 is a ‘magic year’ in that, since 2010, malware authors reverted to some degree in terms of releasing Zero Days after patches were already available.”

        If a CVE is exploited after a patch is available, then it’s not a zero-day.

        “Recall that Nadella became CEO of Microsoft the year before, and that Nadella fired the Windows Update Quality Assurance Team. Recall that 2015 is the year that Windows Update quality began to take a noticeably downhill slide, and users began to delay installing Windows patches. Thus it is no surprise that since 2014, a significant percentage of Zero Days are being released more than 30 days after patches have become available.”

        I don’t see any data or graphs in the presentation about CVEs which were exploited more than 30 days after patches were available (and if there were, they wouldn’t be zero-days).

        Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker Saluted blockhead "Finger sharpener" (Group ASAP) WX1903

        2 users thanked author for this post.
    • #323377 Reply

      AlexEiffel
      AskWoody_MVP

      Very interesting, Woody.

      Now the question is, with Windows 7 going out of support next year, after a while will we start to see more exploits from now unpatched but known vulnerabilities from those people still running it after its expiration date?

    • #323399 Reply

      GoneToPlaid
      AskWoody Plus

      Hmm…

      I wonder if we should start petitioning our legislators to force MS to continue to support Windows 7 for at least another 2 years. After all, Windows 8 was a fiasco. Windows 8.1 was an improvement. And Windows 10 is a telemetry platform which has been plagued by update fiascos.

      1 user thanked author for this post.
      • #325060 Reply

        OscarCP
        AskWoody Plus

        GoneToPlaid, One might argue that there is enough reason to do so, because of the disruption to work that is necessary for the functioning of advanced industrial societies, regardless of which one. I have given in greater detail the reasons why I am inclined to think so here: #323132

        MS has made Windows into a most important tool for doing such work and now is replacing it with something just not good enough for it without offering a convenient replacement. Although, if something like a legal challenge were ever mounted, even on such (in my view) compelling grounds, I’m sure that MS lawyers will mount an excellent counter-attack.

        • #325073 Reply

          b
          AskWoody Plus

          Are you aware how many millions of Windows 10 users are doing productive work in businesses every day?

          Good luck suing Ford because you don’t like the 2020 Explorer as much as the 2010.

          Or asking congress to force a re-issue. 🙄

          Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker Saluted blockhead "Finger sharpener" (Group ASAP) WX1903

          1 user thanked author for this post.
          • #327566 Reply

            rc primak
            AskWoody_MVP

            What @b said. You can’t force any company to support or to manufacture any product or service in a free economy.

            I liked the 2005 Toyota Prius better than the 2010 model, because the dashboard displays have been getting more and more complicated and distracting to my driving. But no country or international agency has the authority to mandate that the old interface be made available beyond its date of retirement. Not even if my driving safety is at risk.

            It’s called free market capitalism, and if we aren’t going the way of centrally managed economies which have failed, we have to suck it up and adapt.

            That said, good companies will listen to their customers, and if there is serious demand to preserve or bring back an old product or service or interface, good companies will do so. Look at how consumer resistance forced both Coke and Pepsi to revert their “New” formulas to older recipes. It can happen — just not (so far) with most tech companies.

            -- rc primak

    • #323447 Reply

      alkhall
      AskWoody Lounger

      From an ecosystem perspective it is a terrible idea. It created a support nightmare for Microsoft. The vast majority of end users have neither the inclination, technical background, nor discipline to examine individual updates each month. They may have had a technical friend or relative turn off automatic updating and have no clue that it is off, much less how to turn it on. Even those who have the necessary background and inclination can easily miss prerequisite patches and superseded patches. With the vast Windows ecosystem, imagine all the possibilities created by allowing individual patches to be applied or not.

      And the other alternative, an OS that is secure and does not need constant patching, is quite the impossibility.

      I would prefer to have the option, to apply some or all patches, as I do now with W7.

    • #324025 Reply

      Fred
      AskWoody Lounger

      Of course your greatest security threat lies between the ears and in the twitching clicking fingers of people at the console. That hasn’t changed, and [See the full post at: Microsoft Security Response Center: The biggest malware threat comes from zero-days; delayed patches, not so much]

      Adding this article: quite enlightening as well:

      https://www.zdnet.com/article/microsoft-70-percent-of-all-security-bugs-are-memory-safety-issues/

      1 user thanked author for this post.
    • #325074 Reply

      Fred
      AskWoody Lounger

      Hmm… I wonder if we should start petitioning our legislators to force MS to continue to support Windows 7 for at least another 2 years. After all, Windows 8 was a fiasco. Windows 8.1 was an improvement. And Windows 10 is a telemetry platform which has been plagued by update fiascos.

      At this very moment Microsoft offers businesses, per Windows 7 Pro company PC, a longer term support possibility, a support and maintenance (if I read it right) contract for $100 for 1 year, 200 for 2 years, and $300 for 3 years. After that it’s all over.

      • This reply was modified 2 months, 1 week ago by Fred.
