Slashdot Mirror


MSIE Security Worsens: Patch Bungled

mansoft was one of several to send us a followup to last week's story about the massive MSIE/Outlook security hole. He points us to this Wired news article: "Your computer may not be protected against a recently discovered and dangerous security hole -- despite all claims to the contrary from Microsoft." Ack! If you tried the patch and got the message, "This update does not need to be installed on this system," you may need to upgrade your IE and re-patch. I'm amazed at how poorly this has been handled. I'll be even more amazed if there is no fallout. If Melissa or ILOVEYOU had been able to install backdoors as they spread, that would have really, really sucked.

Update: 04/03 04:24 PM GMT by J: According to this Wired story, Microsoft was given six weeks of silence to prepare and issue the patch.

7 of 288 comments

  1. Cheap red herring/spin doctoring by Tim+Doran · · Score: 5
    "Scott Culp, Microsoft's security program manager, said on Friday that the flaw exists only with a few out of several hundred MIMEs that are used to encode files as e-mail attachments."

    In other words: "Chrysler spokesman Corporate G. Bastard said that although every Chrysler vehicle produced in the last year could be unlocked, its alarm disabled and driven away using Bic brand ballpoint pens, the vulnerability exists only for a few of several hundred colours available."

    This is the worst (i.e. least skillful) spin doctoring I've ever seen. Just because all MIME attachments don't open your machine's front door, well, we shouldn't worry about this "typical software error."

  2. Overstating Things by augustz · · Score: 5
    "despite all claims to the contrary from Microsoft"

    For those of us who read the security notice Microsoft released, this is old news because Microsoft spells it out clearly and did so when the patch was first released.

  3. Re:Biased by macpeep · · Score: 5

    Yeah. I know.. I was just thinking that too.. Weird how people have such selective memories. Netscape.. let's see:

    4.0
    4.01
    4.02
    4.03
    4.04
    4.04a
    4.05
    4.06
    4.07
    4.08
    4.5
    4.51
    4.7
    4.71
    4.72
    4.73
    4.74
    4.75
    4.76

    and a few days ago, 4.77 appeared on Netscape's FTP sites even though Netscape 6 (don't even get me started!) was released.. Oh.. And Netscape 6 is actually at 6.01 now.. Yes, you guessed it.. a security patch release. I'm sure I left out some 4.x versions, but notice that only a couple of those are feature releases (4.5, 4.7 and 4.06 if memory serves). For many of those releases, way more than one bug has been patched. So to claim that this is a Microsoft-only problem is just plain wrong.

  4. Your firewall avails you nought by dingbat_hp · · Score: 5

    What use is a firewall against a mail client that can't wait to sink its teeth into anything remotely executable?

    At home I do lots of news, I get loads of Spam, and I have a decent mailer. At work I use minimal external email, never publish my address anywhere likely to be scraped into a list, and I'm pretty much forced to use Outlook. If these two environments were ever to merge, then truly my ass would be owned and all my bases would belong to someone else.

    We don't need security patches. We need a mailer that doesn't have the trusting "I just want to be loved" behaviour of a lonely spaniel trying desperately to please. If M$oft saw email a bit more as being an Internet protocol, and less as something that's only used within a large corporate, then they might understand why this is such a dumb attitude.

    Mailers just shouldn't trust incoming email.

  5. Re:If Netscape would just get off their ass by DrSkwid · · Score: 5

    hehe I see this kind of comment :

    Poster A : Mozilla sucks
    Poster B : You should see last night's build - awesome

    one month later

    A : Mozilla sucks
    Poster B : You should download last night's build

    and so the treadmill continues

    .oO0Oo.

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  6. In fairness to Microsoft by phaze3000 · · Score: 5

    This was on the original bulletin:

    Caveats: If the patch is installed on a system running a version of IE other than the one it is designed for, an error message will be displayed saying that the patch is not needed. This message is incorrect, and customers who see this message should upgrade to a supported version of IE and re-install the patches.

    If users fail to read the advisory, I don't see how this is Microsoft's fault. The original security hole was undoubtedly stupid; let us concentrate on that rather than this non-issue.

    --
    Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
  7. Not on windowsupdate by AaaL · · Score: 5

    Why, oh why, does this patch NOT show up on http://windowsupdate.microsoft.com? Good thing I read Slashdot--otherwise I never would have known about this patch (which, incidentally, installed correctly for me). Windowsupdate had a critical update over the weekend but that was for MS01-017 (the Verisign certificate problem) but NOT MS01-020. !@#$!@#$