Slashdot Mirror


MSIE Security Worsens: Patch Bungled

mansoft was one of several to send us a follow-up to last week's story about the massive MSIE/Outlook security hole. He points us to this Wired news article: "Your computer may not be protected against a recently discovered and dangerous security hole -- despite all claims to the contrary from Microsoft." Ack! If you tried the patch and got the message, "This update does not need to be installed on this system," you may need to upgrade your IE and re-patch. I'm amazed at how poorly this has been handled. I'll be even more amazed if there is no fallout. If Melissa or ILOVEYOU had been able to install backdoors as they spread, that would have really, really sucked. Update: 04/03 04:24 PM GMT by J: According to this Wired story, Microsoft was given six weeks of silence to prepare and issue the patch.

13 of 288 comments

  1. Biased by Anonymous Coward · Score: 4

    You guys sound like nobody ever finds any holes in Linux.

    BIND? Remote execution of code? A self-spreading trojan so simple an 8-year-old could use it?

    Slashdot
    News for Linux. Stuff that's biased.

    1. Re:Biased by macpeep · Score: 5

      Yeah. I know.. I was just thinking that too.. Weird how people have such selective memories. Netscape.. let's see:

      4.0
      4.01
      4.02
      4.03
      4.04
      4.04a
      4.05
      4.06
      4.07
      4.08
      4.5
      4.51
      4.7
      4.71
      4.72
      4.73
      4.74
      4.75
      4.76

      and a few days ago, 4.77 appeared on Netscape's FTP sites even though Netscape 6 (don't even get me started!) was released.. Oh.. And Netscape 6 is actually at 6.01 now.. Yes, you guessed it.. a security patch release. I'm sure I left out some 4.x versions, but notice that only a couple of those are feature releases (4.5, 4.7 and 4.06 if memory serves). For many of those releases, way more than one bug has been patched. So to claim that this is a Microsoft-only problem is just plain wrong.

  2. Cheap red herring/spin doctoring by Tim+Doran · Score: 5
    "Scott Culp, Microsoft's security program manager, said on Friday that the flaw exists only with a few out of several hundred MIMEs that are used to encode files as e-mail attachments."

    In other words: "Chrysler spokesman Corporate G. Bastard said that although every Chrysler vehicle produced in the last year could be unlocked, its alarm disabled and driven away using Bic brand ballpoint pens, the vulnerability exists only for a few of several hundred colours available."

    This is the worst (i.e. least skillful) spin doctoring I've ever seen. Just because all MIME attachments don't open your machine's front door, well, we shouldn't worry about this "typical software error."

  3. ...blow your byte limit, wipe your drive... by leonbrooks · Score: 4
    If people get access to my PC, why should I worry?

    ...borrow your credit card details, passwords to any/all accounts you access through the machine, use your machine to break others (thus dropping you in the pooh en passant), post emails and the like in your name, yadda yadda yadda.

    Trust me, it's not a good idea.

    --
    Got time? Spend some of it coding or testing
  4. Overstating Things by augustz · Score: 5
    "despite all claims to the contrary from Microsoft"

    For those of us who read the security notice Microsoft released, this is old news because Microsoft spells it out clearly and did so when the patch was first released.

  5. Your firewall avails you nought by dingbat_hp · Score: 5

    What use is a firewall against a mail client that can't wait to sink its teeth into anything remotely executable?

    At home I do lots of news, I get loads of Spam, and I have a decent mailer. At work I use minimal external email, never publish my address anywhere likely to be scraped into a list, and I'm pretty much forced to use Outlook. If these two environments were ever to merge, then truly my ass would be owned and all my bases would belong to someone else.

    We don't need security patches. We need a mailer that doesn't have the trusting "I just want to be loved" behaviour of a lonely spaniel trying desperately to please. If M$oft saw email a bit more as being an Internet protocol, and less as something that's only used within a large corporate, then they might understand why this is such a dumb attitude.

    Mailers just shouldn't trust incoming email.
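
Comments 2 and 5 above turn on the same point: the mail client acted on the attachment's declared MIME type instead of on what the bytes actually were. What follows is an added example, not code from the thread, from Microsoft's bulletin or from any real mailer; it shows the opposite policy using only Python's standard library: decode each attachment, classify it by its leading bytes, and block anything that is really an executable no matter what the Content-Type header says. The signature table, the verdict names, the example.invalid addresses and the sample attachments are all this example's own constructions, and the declared type audio/x-wav in the samples is an illustrative choice, since the thread does not say which types were affected.

```python
"""Added example, not code from the Slashdot thread, from Microsoft or from
any mailer: a mail-side check that refuses to trust an attachment's declared
Content-Type and classifies the decoded bytes instead.  Stdlib only; every
message it inspects is constructed in this file."""
import email
from email import policy
from email.message import EmailMessage

# Leading-byte signatures -> the type the bytes actually are.  The table is
# this example's own, deliberately small, choice of formats.
MAGIC = [
    (b"MZ", "application/x-msdownload"),        # DOS/Windows executable
    (b"\x7fELF", "application/x-executable"),   # ELF binary
    (b"RIFF", "audio/x-wav"),                   # RIFF container; WAVE tag checked below
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-executable"}
UNKNOWN = "application/octet-stream"


def sniff(data: bytes) -> str:
    """Type implied by the bytes themselves, or UNKNOWN if nothing matches."""
    for magic, ctype in MAGIC:
        if data.startswith(magic):
            if magic == b"RIFF" and data[8:12] != b"WAVE":
                return UNKNOWN          # some other RIFF file (AVI, WebP, ...)
            return ctype
    return UNKNOWN


def audit_attachments(raw: bytes) -> list:
    """Parse a raw message and return one finding per attachment.

    Verdicts:
      block    - the bytes are an executable, whatever the header claims
      mismatch - bytes sniff as a known format that differs from the header
      ok       - header and bytes agree, or the bytes are not recognised
    The declared header is never the deciding input; only the payload is.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        sniffed = sniff(payload)
        if sniffed in EXECUTABLE_TYPES:
            verdict = "block"
        elif sniffed != UNKNOWN and declared != UNKNOWN and sniffed != declared:
            verdict = "mismatch"
        else:
            verdict = "ok"
        findings.append({"filename": part.get_filename(), "declared": declared,
                         "sniffed": sniffed, "verdict": verdict})
    return findings


def build_sample(declared_type: str, attachment: bytes, name: str) -> bytes:
    """Constructed sample: an HTML mail carrying one attachment whose
    Content-Type header says `declared_type`, regardless of the bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed addresses
    msg["To"] = "reader@example.invalid"
    msg["Subject"] = "sample"
    msg.set_content("<p>see attached</p>", subtype="html")
    maintype, subtype = declared_type.split("/", 1)
    msg.add_attachment(attachment, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


# Constructed payloads: a stub PE image, a minimal WAV header, a PNG header.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60
REAL_WAV = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + b"\x00" * 24
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for declared, data, name in [("audio/x-wav", FAKE_EXE, "song.wav"),
                                 ("audio/x-wav", REAL_WAV, "song.wav"),
                                 ("image/gif", PNG_HEAD, "pic.gif")]:
        for f in audit_attachments(build_sample(declared, data, name)):
            print(f"{f['filename']}: declared={f['declared']} "
                  f"sniffed={f['sniffed']} -> {f['verdict']}")
```

Run it directly to print the three verdicts. The design point is that the Content-Type header never decides anything: an attachment whose bytes sniff as an executable is blocked before the header is even compared, and a header that disagrees with a recognised format is reported rather than believed. Unrecognised bytes come back as "ok" only because the signature table is small; a real mailer would extend it, and would still never open an attachment automatically on the strength of the header alone.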

  6. erk... by bencc99 · Score: 4

    This is really starting to get ridiculous. I suspect it would be far less of a problem were IE (and its renderer/scripting) and the other parts of Windows scripting not so heavily integrated into the shell - at least people would have some kind of control.

    What's more worrying is that the increasing integration of things like KDE and Gnome is heading the same way. Admittedly the problems won't be around for so long, but as the number of unclued Linux users goes up I suspect things may only start to get worse...

  7. Slightly O/T by MonkeyMagic · Score: 4

    It's quite interesting how the average computer user is unused to patching applications for security concerns/product upgrades. Most people won't apply this patch regardless of any problems the installation may or may not cause. It's just not something they are aware of - they have never really been told (by the software houses) that the product must be upgraded. When I first became interested in the unix world it was quite a shock to see the rapidity with which everyone spread the word about a major bug or (minor) security issue. This information doesn't filter down to average users, and they don't go looking for it (I find most www.linuxrules.org or www.macrulez.com websites as boring as hell so god knows how most people would find them).

    I think it really is time that some of the companies that produce software started to make it clear that patching is an important part of software maintenance for everyone and not try to hide the whole process in case someone thinks their software is crap.


    DILBERT: But what about my poem?

  8. Re:If Netscape would just get off their ass by DrSkwid · Score: 5

    hehe I see this kind of comment :

    Poster A : Mozilla sucks
    Poster B : You should see last night's build - awesome

    one month later

    A : Mozilla sucks
    Poster B : You should download last night's build

    and so the treadmill continues

    .oO0Oo.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  9. Re:Not on windowsupdate by tomknight · Score: 4
    This is why I subscribe to the Microsoft security notification service (http://www.microsoft.com/technet/security/notify.asp), not to mention NTBugTraq (http://ntbugtraq.ntadvice.com/default.asp?pid=31&sid=1#020). As a sys admin (among other things), I've found these two lists damn useful. They give more information than the average user needs, but if you're tech-savvy, and interested in what's going on, they're useful lists to be on.

    Tom.

    --
    Oh arse
  10. In fairness to Microsoft by phaze3000 · Score: 5

    This was on the original bulletin:

    Caveats: If the patch is installed on a system running a version of IE other than the one it is designed for, an error message will be displayed saying that the patch is not needed. This message is incorrect, and customers who see this message should upgrade to a supported version of IE and re-install the patches.

    If users fail to read the advisory, I don't see how this is Microsoft's fault. The original security hole was undoubtedly stupid; let us concentrate on that rather than this non-issue.

    --
    Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
  11. best foot forward by deran9ed · Score: 4

    Why the hell is it that every one of the linux zealots that read and post to slashdot BITCH AND MOAN about Microsoft products,

    First off it's not ALL of the Linux zealots and in fact I've noticed the majority who get caught up in that (OS name calling) mix, tend to be newer users of Linux who could barely chop up source on their own often jumping on irc channels or mailing lists with the shittiest questions.

    claiming that they're the most worthless piece of shit software company on the planet? Anyone who has to reinstall a Windows OS every god damn month is just a fucking moron. Anyone who can't keep a Windows machine up for more than a day is also a damn moron.

    Actually I don't think it's the most worthless piece of shit OS on the market by any means, in fact I think MS has strategically placed itself on the markets for reasons like Ease of Use, familiarity, since OS's like Linux, NSD, etc., are almost impossible for Mary Joe Homemaker, and Sally Secretary to handle, however it's bullshit to think anyone can keep a Windows machine up all day is a moron. E.g. there's been plenty of times I've seen Windows go bonkers for no reason especially Windows2000k with all the patches to date for the machine.

    Last year when I was tinkering with codes on a DoS paper I wrote, I slightly modified my code to connect to a non open TCP port on my Windows laptop and it still crashed it for no reason. (FYI code is here) The OS did a great job of crashing from time to time when it wasn't online, no one touched it, just pooped out on its own.

    Sure, you have to reboot to patch and install software, but who the hell cares?

    I would care if I oversaw a network of 1,000 boxes which needed patch upgrades every week, only to be restarted. Think about it for a quick second as I outlined in the funny Microsoft Kills paper, 1,000 servers multiplied by about 3 minutes downtime, then you've got lost time spent and I don't think any administrator be it Microsoft or any other company is going to be kind enough to say "Hey don't worry I'll patch these on my own time, no need to pay me." Fuck no that shit costs money after a while.

    Come on, get a damn clue and jump off that damn bandwagon.

    I find it funny seeing OS wars go on when in reality 95% or more depend on Windows in some shape form or fashion, last time I checked accounting was looking for Excel files, secretaries were saving *.doc files... Sure Linux advocates have the right to moan its their choice, just sit back and get a kick out of it, I do.

  12. Not on windowsupdate by AaaL · Score: 5

    Why, oh why, does this patch NOT show up on http://windowsupdate.microsoft.com? Good thing I read Slashdot--otherwise I never would have known about this patch (which, incidentally, installed correctly for me). Windowsupdate had a critical update over the weekend but that was for MS01-017 (the Verisign certificate problem) but NOT MS01-020. !@#$!@#$