If any of you pay any attention to Patch Tuesday Microsoft updates, I am sure you have noticed the slew of updates and that all versions of DOT NET FRAMEWORK get big patches pretty much monthly.
In the past, on at least 3 computers I have had 1 or 2 dot net updates fail to install and continue to fail (not even the same update). If the computer was set to automatically update, the process of retrying the update continued forever and the computer was never without the yellow warning shield. I fixed 1 of these computers by downloading the failing update manually. The other 2 cost me over 8 hours of grief between them because I had to completely uninstall all versions of dot net, then reinstall them in a particular order. One of these was not even fixed by this reinstall and my final remedy was to replace the computer with a new one running Windows 7 Professional 64. Fortunately this was not an Aloha machine and fortunately it was time to explore Windows 7.
Patching the Microsoft operating system is never ending. As I write this I have 11 new patches (4 for dot net) and the Malicious Software Removal Tool for June waiting to be applied. What is going to blow up next?
From a Computerworld article...
This month's Patch Tuesday will fix 28 vulnerabilities
In May, Microsoft fixed 23 security flaws.
Of the seven updates, Microsoft tagged three as "critical," the highest threat ranking in its four-step scoring, and the other four as "important," the next-most serious rating.
One update will address all supported versions of IE, ranging from the 11-year-old IE6 to last year's IE9; four will affect Windows; and the remaining pair will tackle vulnerabilities in all versions of Office on Windows and Dynamics AX 2012, an enterprise resource planning (ERP) product.
Storms singled out the IE update, identified in the advance notification as one of the three critical bulletins, as most likely to climb to the top of users' to-do lists.
"That's going to be the obvious one to deploy first," Storms said, using the long-established logic of security professionals to patch the browser with haste because of its widespread use and its broad attack surface.
--snip---
to read the article here is the link
Even though it does not even mention Dot Net... take my word for it you get a slew of dot net updates each year (pretty much monthly) 4 in June, 4 in May, and I believe 4 in April.
Why do I mention/gripe about this?
It seems to me that large companies put too much coding into products via dot net and I would think the big guys would be able to code stuff in such a way as to avoid using vulnerable frameworks. Intuit is one of the biggest culprits here (the computer I was forced to replace was running Quickbooks) but I would like to see NCR/Radiant code something that did not use or rely on dot net on FOH or BOH. Maybe I am uneducated as to why these practices flourish.
A lot of these patches are to patch browser vulnerabilities. If my BOH and terminals have no web browser interface, why can't I set Windows Update to ignore those updates?
If you are like me your terminals do nothing but run Windows and your POS software. No multi terminal environment would ever have terms with internet access much less a functioning browser. But to do so means you rely on "compensating controls" to be PCI compliant because you're not going to be running Windows Update on your terminal operating system.
Letting people web browse from ALOHABOH is bad news. Internet access to do credit cards can be managed and restricted but we all have to keep our BOH servers patched for each new browser vulnerability too, even if we have another separate computer for office use and even if we have the browser access locked down.
We do a lot of patching for dot net which I would like to see POS coders avoid using and we do a lot of patching for browser vulnerabilities that, at least I hope, are going to waste because our terminals and even our BOH are NOT or should not be web browsing environments.
Could NCR/Radiant be successfully lobbied to STOP their use of Dot Net and persuade their vendors to do likewise?
Can anyone explain to me why dot net is so pervasive?