Microsoft Security Response Center: The biggest malware threat comes from zero-days; delayed patches, not so much

Topic

New Reply

Of course your greatest security threat lies between the ears and in the twitching clicking fingers of people at the console. That hasn’t changed, and
[See the full post at: Microsoft Security Response Center: The biggest malware threat comes from zero-days; delayed patches, not so much]

13 users thanked author for this post.

abbodi86, lurks about, Mele20, GoneToPlaid, Elly, SueW, ch100, JSTechGeek, Cybertooth, Microfix, GreatAndPowerfulTech, Mr. Natural, Joulia.S

Reply | Quote

Replies

It’s also much safer to design software so that it’s secure by design, rather than not really caring much about security when first making it and then trying to plug in the holes after it’s been released. Looking at you, Windows.

6 users thanked author for this post.

Elly, CADesertRat, lanceboil, Fred, lurks about, woody

Reply | Quote

I’d say that’s not fair.  The threat landscape was very different in the ’90s.  Microsoft does design with security in mind these days.

4 users thanked author for this post.

rc primak, Mele20, JSTechGeek, woody

Reply | Quote

Doesn’t Windows 10 have more security flaws reported every month than any other older version of Windows?

1 user thanked author for this post.

lanceboil

Reply | Quote

Of course: All older versions are beyond mainstream support, so are not being developed; no changes means no new bugs.

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

2 users thanked author for this post.

rc primak, woody

Reply | Quote

And yet the new systems that are being developed with security more in mind are failing in that respect.

If it’s true that no new bugs are being introduced to older versions because there aren’t any changes (and the original bugs have presumably been patched by now), why are we being advised not to use older versions once they are out of extended support?

I’m not trying to argue with you, far from it, I’m just looking at the gaps in the logic behind the claim that compared with the 1990s MS designs with security in mind these days. If they do, the end result doesn’t seem to be any different.

Reply | Quote

Seff wrote:

(and the original bugs have presumably been patched by now)

Because that is an incorrect assumption.

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

1 user thanked author for this post.

rc primak

Reply | Quote

Some won’t have been, but most will have been surely? Either way, the point remains that since MS are claimed to have been more security-minded with newer versions the end results have proved to be no different.

However, I said I wasn’t seeking to get into an argument so I’ll leave it there! Thanks for your contributions.

Reply | Quote

The point is demonstrated when you compare SMBv1 to SMBv2.  SMBv1 was written by developers with no focus on security and was considered beyond hope when security became a concern.

Reply | Quote

Are you saying the new “bugs” are ONLY in the new features?

Reply | Quote

Yes. (Newly introduced, not newly discovered.)

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

1 user thanked author for this post.

rc primak

Reply | Quote

Not significantly so.  95% of the vulnerabilities found in Windows 10 are also present in Windows 7 and 8.1.

It’s worth keeping in mind that Windows 10 has a lot more features and capabilities than old versions.  Edge has a built-in PDF reader, for example, which replaces the standalone “Reader” app from the Windows 8 / early 10 days.  And of course, Windows 7 can’t read PDF’s on its own.  Any security vulnerabilities that come up in the Edge PDF reader now show up as Windows vulnerabilities.  Windows 10 also sometimes gets two vulnerability reports for the same browser flaw, because the flaw exists separately in IE and Edge and requires two separate fixes. (e.g. CVE-2018-8280 and CVE-2018-8242)

There are also Windows 10 features like Device Guard which have had a few vulnerabilities.

But this isn’t a one-way street.  There are still new “Windows 7 only” vulnerabilities being found, such as CVE-2018-8589, which allows any application running as a standard user to silently elevate to full system privileges.  The most serious of that rash of GDI vulnerabilities found & fixed last summer, CVE-2018-8397, was a Windows 7 special, too.  Yeah, they’re still finding stuff like that, almost 10 years after Windows 7’s original release.

You can verify all this for yourself by having a look through the US Government’s National Vulnerability Database.

Windows 10: https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe=cpe%3a%2fo%3amicrosoft%3awindows_10%3a-%3a%3a%7e%7e%7e%7ex64%7e

Windows 7: https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe=cpe%3a%2fo%3amicrosoft%3awindows_7%3a-%3asp1%3ax86&startIndex=1

1 user thanked author for this post.

NetDef

Reply | Quote

But oh noes, what about the “Cliff Edge” for Windows 7 on Jan 2020???/1!!!11!! Can’t possibly go a single day without patches!!1??!1

2 users thanked author for this post.

GoneToPlaid, Cybertooth

Reply | Quote

“only 2% to 3% of patched exploits are seen in an exploit within 30 days of the patch being distributed.”

How many are ever seen in an exploit at all? That’s the question I’d like to see them answer.

Reply | Quote

woody wrote:

For those of you in the “patch in haste, recover at leisure” crowd, the numbers simply don’t support the drive to install every patch immediately:
… the exploits these days are laser-focused on zero days.
The malware world’s getting more sophisticated: The bad guys are going for zero days, not for security holes that have already been patched.

Except for that 17% of exploits last year which were not zero-days but were exploited within 30 days. (The laser was only 83% focused on zero-days.)

You’ve got to ask yourself one question: ‘Do I feel lucky?’

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

1 user thanked author for this post.

NetDef

Reply | Quote

Yes, but the percentage you want isn’t 17%. To a first approximation:

The chance of getting zapped by a patched security hole (CVE) =

The number of patched CVEs

Times the percentage of CVEs that have been exploited before you installed the patch (I’m currently recommending between 15 and 25 days or so, depending on the version of Windows – the MS statistic is for 30 days)

Times the percentage of exploits that actually hit your machine (in my experience, that’s extremely small – although there are major exceptions like WannaCry).

So the real question is whether your chance of getting bit by a buggy patch (impossible to quantify but, in my experience, non-trivial) exceed your chance of getting bit by a patched CVE that you haven’t installed (in my experience, with notable exceptions, almost vanishingly small).

Reply | Quote

woody wrote:

Yes, but the percentage you want isn’t 17%. To a first approximation:

The chance of getting zapped by a patched security hole (CVE) =

The number of patched CVEs

The number has no relevance when the percentage has already been calculated (unless it’s zero, I guess).

woody wrote:

Times the percentage of CVEs that have been exploited before you installed the patch (I’m currently recommending between 15 and 25 days or so, depending on the version of Windows – the MS statistic is for 30 days)

Which is 17%.

woody wrote:

Times the percentage of exploits that actually hit your machine (in my experience, that’s extremely small – although there are major exceptions like WannaCry).

Which is the “Do I feel lucky?” part.

woody wrote:

So the real question is whether your chance of getting bit by a buggy patch (impossible to quantify but, in my experience, non-trivial) exceed your chance of getting bit by an unpatched CVE (in my experience, with notable exceptions, almost vanishingly small).

My experience is that the chance of a buggy patch has been vanishingly small, uninstallation when absolutely necessary is nearly always trivial, and the chance of getting bit by an unpatched exploit during the first month can only be guessed by anyone.

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

Agree on the math.  But there is a big variable that’s really hard to quantify.

Are you (more like your organization) a desirable target?  I’m speaking of companys that have valuable IP, (targeted by corporate espionage – pick your vector) or are known to have deep pockets (targeted by spear phishing ransomware or remote intrusion).

The type of malware I have personally seen on small networks/home systems is very different from the scary stuff I’ve seen on large enterprise networks.  Add into this fuzzy variable different levels of pre-mitigation (firewalls, AV, intrusion detection/automatic-reactions) that vary wildly and you have a rather loose risk analysis in terms of ones chances of being hit.

In my business we like to speak of the three pillars of security: (your number may vary)

In order of effectiveness at the 50K meter resolution:

1) Customer (worker or end-user) education.  Phishing resistance, click-bait resistance, device awareness, strange behavior recognition.

2) Firewall / AV / Group Policy restrictions / network segregation / worker (end-user) permissions control (don’t run as Admin!!) / plus all other background technical mitigations.

3) System patch level, third party software updates and restrictions.

Even though I place patching third on that list – in my mind it’s close to the other two.  We’re not talking a wide gap in effectiveness.  And it takes all three, you can’t skip any one.

Having said that – it’s our policy that unless a patch is known to break a mission critical software suite or system – we apply patches roughly 10 days after release.  It’s a decent compromise on securing the workstations/servers at that level, and skipping what has become all to often a major ‘oops’ from Microsoft (and not just them!) which generally gets pulled or corrected by them within five to seven days anyway.

This lets us miss the pain, and be within a reasonable window to avoid a mess.

As for Zero Day exploits:  I want to be clear that in the parlance of the bad guys, these are exploits that have not yet been patched, but have just been discovered.  Patching does not help with those.

For major longer term malware and intrusions:  patching definitely does help.

~ Group "Weekend" ~

3 users thanked author for this post.

rc primak, AlexEiffel, warrenrumak

Reply | Quote

And than there are the AV-scanners and firewalls. Even IF someone would attack you, the chance is higher it will be blocked by a security suite than a monthly blurp of patches that no one knows wgat exactly they do…

Reply | Quote

Third-party AV products also introduce their own instability and security vulnerabilities into the system.  This Wired article from a couple of years ago covers this: https://www.wired.com/2016/06/symantecs-woes-expose-antivirus-software-security-gaps/

Some of Symantec’s flaws are basic, and should have been caught by the company during code development and review. But others are far more serious, and would allow an attacker to gain remote-code execution on a machine, a hacker’s dream. One particularly devastating flaw could be exploited with a worm. Just by “emailing a file to a victim or sending them a link to an exploit … the victim does not need to open the file or interact with it in anyway,” Ormandy wrote in a blog post Tuesday, further noting that such an attack could “easily compromise an entire enterprise fleet.”

It gets worse. The flaw exists in an unpacker Symantec uses to examine compressed executable files it thinks might be malicious. So the vulnerability would let attackers subvert the unpacker to take control of a victim’s machine. Essentially, a core component Symantec uses to detect malware could be used by intruders to aid their assault.

Lovely….

Do you trust that all no such problems exist with your AV product of choice?  Is that trust based on something other than emotion, or the fact that your reputation might be at risk because you recommended that AV product to your employer or client?

As for stability…. just this week I answered a question on Quora from someone who was seeing repreated blue screens attributed to “vfsmfd.sys”.  They thought this was a Windows system file, but it’s actually Symantec Endpoint Protection’s file system filter driver.

 

2 users thanked author for this post.

rc primak, NetDef

Reply | Quote

On the question of delaying patches and security: leaving aside actual zero-day threats already seen at large in the wild, I usually wait at least three weeks to patch, and sometimes I do it even after the green light has been given here with the rising of the DEFCON. But there is something I’ve never waited long enough to see what happens (or particularly care to, but it could happen nevertheless, for example, if I go away for a couple of weeks) and it is this: What if one waits so long that the next Patch Tuesday comes and goes and the new patches show up together with the previous ones in the Windows Update window?

I imagine that there could be some not obvious conflicts that can cause problems if one applies the previous and current patches together. So what is a safe way to proceed, in such a case of overlapping patch releases? Thanks.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

@OscarCP  In my very humble opinion: either anyway you choose to maintain your computer, it all can go very wrong for various reasons. Patching over patching, and repair over repair can result in very strang pc behaviour, or sudden death etc. Once a hidden part of the registry or some crucial systemfiles are damaged, it is very possible there simply will NOT be a real repair possible; this is true for many malware infections, you will never know what really was changed by the bad guys.. It is beyond repair.

Having a full (1:1 sector) image on a seperate hard drive , made once in a while, can save you lots of time to start all fresh over…

 

* _ the metaverse is poisonous _ *

1 user thanked author for this post.

rc primak

Reply | Quote

Hi OscarCP,

Good question. If the green light is given for the latest updates, install them first. Then try to install the missing updates in reverse order of their release dates. If the update has been entirely superseded, then Windows will show you a message that the update is not applicable to your computer. If only parts of the older update have been superseded, then the older update will install, yet supersedence will take precedence such that newer file versions do not get replaced with older file versions. I have used this supersedence technique a few times in the past, in order to get around issues in some of Microsoft’s buggy updates.

Best regards,

–GTP

 

1 user thanked author for this post.

rc primak

Reply | Quote

Off topic. Short answer, they won’t appear together. Often read posts where the cumulative update desired is “lost”. After 12 February, use the “hide” function to remove the 2019-02 update from the offered list. Then the 2019-01 will display on the recheck, when needed.

1 user thanked author for this post.

OscarCP

Reply | Quote

Just the term Zero-day does not say a thing to me, it is like what?… but google’ing it: “Zero-day is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw.”

So how are we supposed to “Watch out for zero days” when it took years to find out exploits like meltdown/spectre. That not even today has been used as much as an exploit, because it is patched.

Reply | Quote

Zero-day means the exploit is possibly known to hackers but unknown to anyone else. The danger is the hackers have an exploit they can use that no one has any defense for. If it is being exploited and you are hacked you are cooked. However, known, patched exploits are much less of risk if you routinely patch your system even if you wait a month to patch.

The lessened risk is not inherently obvious but it comes for the time lag to develop an effective exploit and to deploy it. Even this takes a week to happen, the exploit will not be heavily used initially and by the time it becomes widely known the patches should have been installed if you are patching within 30 days or so. So if you have good surfing and email habits, the risks be hit by a hack are quite low in reality.

It is good practice to keep your computers patched but it does not mean one needs to panic every time a patch is released and install stat. One can wait a couple weeks and patch when more convenient. One of the complaints about W10 is there is no control over patching if you have the Home edition and that much if you have the Pro edition.

1 user thanked author for this post.

rc primak

Reply | Quote

anonymous wrote:

It’s also much safer to design software so that it’s secure by design, rather than not really caring much about security when first making it and then trying to plug in the holes after it’s been released. Looking at you, Windows.

“quote”  For most of us with less-than-NSA-level protection budgets, you can basically bend over and kiss your keister goodbye. One redeeming social value: The really good zero days are hoarded by countries and organizations with their own agendas. They don’t care about you. “end-quote”

Who can tell the difference?  ZeroDay vs BackDoor  is quite a revenue model

* _ the metaverse is poisonous _ *

1 user thanked author for this post.

rc primak

Reply | Quote

anonymous wrote:

Just the term Zero-day does not say a thing to me, it is like what?… but google’ing it: “Zero-day is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw.” So how are we supposed to “Watch out for zero days” when it took years to find out exploits like meltdown/spectre. That not even today has been used as much as an exploit, because it is patched.

and to make it a bit less nice:
a Zeroday (backdoor) is not known to antimalware software and cannot be recognized. Once a patch is there, or the 0Day can identified than this is simply not a 0Day anymore but a weakness/flaw whatever.
AND once when you have got this flaw/weakness on your system, than one can never be sure anymore if there is nothing else damaged….
Ergo: you have to format and reimage the whole pc with a fresh copy indeed….
{quite a business}

* _ the metaverse is poisonous _ *

1 user thanked author for this post.

rc primak

Reply | Quote

So, that’s why Microsoft reinstall Windows 10 2 times a year.

Reply | Quote

Yes, to fill us all up with new piles of potential 0Days. Hurray for the secret services and the shadow economies of the malware industry, hah!

* _ the metaverse is poisonous _ *

1 user thanked author for this post.

rc primak

Reply | Quote

So, allowing users to choose whether to update or not, i.e. no forced updates, is not that bad after all…

Reply | Quote

From an ecosystem perspective it is a terrible idea. It created a support nightmare for Microsoft.

The vast majority of end users have neither the inclination, technical background, and discipline to examine individual updates each month. They may have had a technical friend or relative turn off automatic updating and have no clue that it is off much less how to turn it on. Even those who have the necessary background and inclination can easily miss prerequisite patches and superseded patches. With the vast Windows ecosystem imagine all the possibilities created by allowing individual patches to be applied or not.

--Joe

3 users thanked author for this post.

rc primak, NetDef, b

Reply | Quote

The other alternative, forcing users to patch, is also equally undesirable. So you see, Microsoft is kinda stuck in a situation where, no matter what they do, someone is going to be unhappy with them.

2 users thanked author for this post.

rc primak, alkhall

Reply | Quote

Hi everyone,

My takeaways from the graphs and data…

— Starting in 2010, exploits of CVEs have steadily declined.

— Starting in 2010, Zero Day exploits have steadily increased, albeit with some wobbling in terms of whether or not the Zero Days were exploited either before or after the release of a patch.

— The year 2015 is a “magic year” in that, since 2010, malware authors reverted to some degree in terms of releasing Zero Days after patches were already available.

Recall that Nadella became CEO of Microsoft the year before, and that Nadella fired the Windows Update Quality Assurance Team. Recall that 2015 is the year that Windows Update quality began to take a noticeably downhill slide, and users began to delay installing Windows patches. Thus it is no surprise that since 2014, a significant percentage of Zero Days are being released more than 30 days after patches have become available.

Why does 2010 appear to be an inflection point in the graphs? Because a lot was going on with antivirus companies in 2009. Many of them were reading the writing on the wall. Many of them at around the same time were realizing that simple signature and heuristic based protection solutions were not sufficient since the in-the-wild virus and malware samples which they were seeing were increasing at an exponential rate. Many of them realized that the exponential rate of increase had obviously “started to go round the curve” of the exponential function. Many of them realized that the number of exponentially increasing individual virus and malware samples would soon become too much to handle with simple signature and heuristic detection techniques. Many of them realized that additional solutions were necessary.

The realization by AV companies about everything in the above paragraph resulted in the creation of cloud based scanning within antivirus programs. The concept is rather simple in layman’s terms. Some sort of hash for every new file is sent by the AV program to the AV company cloud scanners. The hash might contain info about the file name, file timestamp, the file size, and CRC or MD5 or other types of checksums. If heuristics indicates that the file appears to be malicious, either the malicious part of the file or perhaps the entire file might be sent for analysis if the AV company already hasn’t received the malicious file.

The upshot is this: If the AV company’s cloud scanners suddenly see the same type of file suddenly showing up on a plethora of their customer’s computers, this should rightly trip an alarm bell that the file could be either malware or could be part of a malware package. There is a good bit more to it, in terms of how this cloud scanning thing works. For example, digitally signed files from known trusted vendors generally are automatically approved if the file hash is correct. Basically, this is why virtually all AV vendors missed the CCleaner infection in CCleaner version 5.33. All of the AV vendors are much more careful as a result of the infamous CCleaner incident which occurred in the summer of 2017.

Your takeaways from the graphs and data, and the above should be…

1. Use an AV product which includes some type of built-in form of cloud scanning. Cloud scanning is the latest and greatest thing in terms of helping you to avoid being hit by a Zero Day — so long as enough other people already got hit such that your AV company is now automatically detecting and blocking the Zero Day which they now see as being in the wild. Virtually all of the major AV vendors now incorporate some form of cloud scanning into their AV products. **

2. Use an AV product which is capable of alerting you when any new and previously unseen and unknown process tries to run on your computer. A user might see such alerts when installing really old yet trusted programs. I have seen this from time to time when reinstalling really old yet trusted programs.

The following also is preferable in an AV program…

3. The ability to protect specific drives (non-OS hard drives which only contain data) and/or other folders from having their file contents modified by any program other than any trusted or user approved programs. The AV manufacturers have a lot of variations for this general concept. The general goal is to protect your data from unknown ransomware, from data tampering, from data deletion, or from data file name obfuscation.

** I am talking only about your primary AV program which is your first line of protection. Specialized products are available which work in conjunction with your installed AV program. Such specialized products may use other proprietary detection techniques which do not rely on any form of cloud scanning.

Best regards,

–GTP

 

4 users thanked author for this post.

rc primak, NetDef, AlexEiffel, Cybertooth

Reply | Quote

GoneToPlaid,

Thanks for your perceptive observations on that graph, and in particular for explaining, in some more detail than I have found looking around for information on the Web, about the cloud-based AVs and how they work. Mine “went cloud” several years ago. And, I should add here to what you wrote, since then it runs wickedly faster compared to how it used to when the scanning was done entirely on my PC.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

GoneToPlaid

Reply | Quote

Hi OscarCP,

You’re welcome! You brought up a rather interesting additional point which cloud scanning affords users in terms of conventional signature and heuristics based scanning — speed! It is very quick to generate the hash (as described) for any file, in comparison to checking the file against all current signatures and with heuristics. Then it usually takes a mere instant to check with the cloud or a local hash database in order to see if that file hash is associated with a known safe file. Many AV products which incorporate cloud scanning also save hashes of files on the user’s computer. This allows the product to locally and virtually instantly check file hashes. As you have observed, this process is quite fast — even on older hardware.

Best regards,

–GTP

 

Reply | Quote

GoneToPlaid wrote:

— Starting in 2010, Zero Day exploits have steadily increased, albeit with some wobbling in terms of whether or not the Zero Days were exploited either before or after the release of a patch.

— The year 2015 is a “magic year” in that, since 2010, malware authors reverted to some degree in terms of releasing Zero Days after patches were already available.

If a CVE is exploited after a patch is available, then it’s not a zero-day.

GoneToPlaid wrote:

Recall that Nadella became CEO of Microsoft the year before, and that Nadella fired the Windows Update Quality Assurance Team. Recall that 2015 is the year that Windows Update quality began to take a noticeably downhill slide, and users began to delay installing Windows patches. Thus it is no surprise that since 2014, a significant percentage of Zero Days are being released more than 30 days after patches have become available.

I don’t see any data or graphs in the presentation about CVEs which were exploited more than 30 days after patches were available (and if there were, they wouldn’t be zero-days).

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

2 users thanked author for this post.

rc primak, GoneToPlaid

Reply | Quote

Very interesting, Woody.

Now the question is, with Windows 7 going out of support next year, after a while will we start to see more exploits from now unpatched but known vulnerabilities from those people still running it after its expiration date?

Reply | Quote

Hmm…

I wonder if we should start petitioning our legislators for force MS to continue to support Windows 7 for at least another 2 years. After all, Windows 8 was a fiasco. Windows 8.1 was an improvement. And Windows 10 is a telemetry platform which has been plagued by update fiascos.

1 user thanked author for this post.

Fred

Reply | Quote

GoneToPlaid, One might argue that there is enough reason to do so, because of the disruption to work that is necessary for the functioning of advanced industrial societies, regardless of which one. I have given in greater detail the reasons why I am inclined to think so here: #323132

MS has made Windows into a most important tool for doing such work and now is replacing it with something just not good enough for it without offering a convenient replacement. Although, if something like a legal challenge were ever mounted, even on such (in my view) compelling grounds, I’m sure that MS lawyers will mount an excellent counter-attack.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Are you aware how many millions of Windows 10 users are doing productive work in businesses every day?

Good luck suing Ford because you don’t like the 2020 Explorer as much as the 2010.

Or asking congress to force a re-issue. 🙄

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

1 user thanked author for this post.

rc primak

Reply | Quote

What @b said. You can’t force any company to support or to manufacture any product or service in a free economy.

I liked the 2005 Toyota Prius better than the 2010 model, because the dashboard displays have been getting more and more complicated and distracting to my driving. But no country or international agency has the authority to mandate that the old interface be made available beyond its date of retirement. Not even if my driving safety is at risk.

It’s called free market capitalism, and if we aren’t going the way of centrally managed economies which have failed, we have to suck it up and adapt.

That said, good companies will listen to their customers, and if there is serious demand to preserve or bring back an old product or service or interface, good companies will do so. Look at how consumer resistance forced both Coke and Pepsi to revert their “New” formulas to older recipes. It can happen — just not (so far) with most tech companies.

-- rc primak

Reply | Quote

joep517 wrote:

From an ecosystem perspective it is a terrible idea. It created a support nightmare for Microsoft. The vast majority of end users have neither the inclination, technical background, and discipline to examine individual updates each month. They may have had a technical friend or relative turn off automatic updating and have no clue that it is off much less how to turn it on. Even those who have the necessary background and inclination can easily miss prerequisite patches and superseded patches. With the vast Windows ecosystem imagine all the possibilities created by allowing individual patches to be applied or not.

And the other alternative; an OS that is secure and does not need constant patching, is quite the impossibility.

I would prefer to have the option, to apply some or all patches, as I do now with W7.

Reply | Quote

woody wrote:

Of course your greatest security threat lies between the ears and in the twitching clicking fingers of people at the console. That hasn’t changed, and[See the full post at: Microsoft Security Response Center: The biggest malware threat comes from zero-days; delayed patches, not so much]

Adding this article: quite enlightning aswell:

https://www.zdnet.com/article/microsoft-70-percent-of-all-security-bugs-are-memory-safety-issues/

* _ the metaverse is poisonous _ *

1 user thanked author for this post.

rc primak

Reply | Quote

GoneToPlaid wrote:

Hmm… I wonder if we should start petitioning our legislators for force MS to continue to support Windows 7 for at least another 2 years. After all, Windows 8 was a fiasco. Windows 8.1 was an improvement. And Windows 10 is a telemetry platform which has been plagued by update fiascos.

At this very moment Microsoft offers businesses per Windows7pro companyPC a longer term support possibility, a support and maintenance (if I read it right) contract for $100 1year, 200 for 2 years, and $300 for 3 years. After that it’s all over.

* _ the metaverse is poisonous _ *

Reply | Quote