Uber-patch for Internet Explorer

malevolence writes: "According to The Register, Microsoft has released an Uber-Patch for Internet Explorer that fixes all known security problems, as well as 3 new ones, including the content-type issue that was reported on slashdot a few days ago."

Hmm.

[Shaman]

I thought this was the bug that couldn't be fixed because it was worked so deep into the OS.

For IE 5.5 users

[The+Bungi]

This does not appear to be a service pack, and the target builds listed for the hotfix are only IE 5.5 SP2 and 6, so you'll need to head here to get yer SP and then install the hotfix (get directly to it from here).

It seems unlikely that the SP2 for 5.5 includes this as of right now, although it will eventually (I know sometimes I'll download an SP and take a few days to actually install it). Check your versions before you plunge your box into browser hell =)

Download URLs

[nstrom]

Here's the direct download URLs, so you don't have to wade through MS's crufty site:

for IE6:
http://download.microsoft.com/download/IE60/secpac 23/6/W98NT42KMeXP/EN-US/q313675.exe
for IE5.5:
http://download.microsoft.com/download/ie55sp2/sec pac23/5.5_SP2/WIN98Me/EN-US/q313675.exe

These updates have not yet appeared on Windows Update.

It's not just IE - other apps need this!

[PacketMaster]

It's also important to note that it's not just users of IE as their browser that are affected by this bug. Lots of Windows programs took a shortcut (Eudora being a prime example) and used MSHTML.DLL as the rendering engine for their application. Any application that displays HTML and uses MSHTML.DLL and has IE5.5 or IE6 should install this patch IMMEDIATELY.

Re:It's not just IE - other apps need this!

[neonstz]

It is possible to turn off the use of IE (or whatever) for displaying mail in Eudora. In Tools->Options->Viewing Mail just uncheck the "Use Microsoft's Viewer" checkbox. (I'm using Eudora 5.1 btw.)

Re:Question for michael...

[sroddy]

You better check your info again bud.... It is patched. at least Sun and IBM.

Besides, anyone not using ssh rather than telnet and rlogin is not very worried about security anyway.

Re:not too bright

[jvj24601]

I downloaded the 2.15 mb patch. I try to run it, and I get a prompt that I need IE5 Service pack 2 installed. That's it, it doesn't supply a link, it doesn't try to download it, nothing. Microsoft rushed this one out.

The update only works with IE 5.5 or 6.0. You might be running 5.0.

Interesting note: If you read the bulletin and click on the Technical Details submenu, you'll find the worst part:

"Microsoft tested Internet Explorer 5.5 and 6.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer eligible for hotfix support."

As someone who does some sysadmin stuff at work, I didn't know this before. This means that a large majority of users (as far as my limited experience goes) that still use IE 5.0 will still have exploit available that won't be tested nor fixed. Wow...

Slashdot Inconstancies

[Captain_Frisk]

Seriously guys calm down.

Yesterday you bashed MS for not going public about anything, and now you bash them for patching the program. Short of open sourcing everything, is there anything they could do that would appease this croud?

They might not get it right on the first try, but they do fix their bugs, and i think this was fairly timely, especially given the size / scope of IE.

Re:Download URLs - Must Have 5.5 SP2

[Cy+Guy]

for IE5.5 for IE5.5:
http://download.microsoft.com/download/ie55sp2/s ec pac23/5.5_SP2/WIN98Me/EN-US/q313675.exe

Note, that is for IE 5.5 SP2 if you have SP1, or plain vanilla 5.5, you will first have to upgrade, so you may want to wait till a full release with the patches is available. SP2 is 17MB download.

Anyone know what the equivalent version is if you have the AOL version of IE? (not that I do) but you can imagine AOL will be slowed to a crawl if every single user must get an upgrade first to SP2 or IE6, then get this patch. When - oh - when will AOL finally become browser neutral or go entirely to Netscape/Mozilla?

Re:Uber Patch

Sorry to break it to you, but a significant protion of the readership *does* use IE. Rob used to publish statistics on this and stopped for obvious, embarassing reasons.

I turned off Active Scripting to be secure

[Pinball+Wizard]

Using Microsoft's own recommendations for making Internet Explorer and Outlook secure I disabled Active Scripting.

By doing so, I can't get to Hotmail, can't sign in to Passport, and most importantly, can't access Windows Update.

Hey, anyone astroturfing for Microsoft! Your own security recommendation means people can't access your sites. I am NOT turning on active scripting(i.e. disabling a security measure) so I can get the fix.

You guys need to make your site work without Javascript. Sheesh. How can anyone take you seriously?

This qualifies more as "troll" than "flamebait"

[oGMo]

Flamebait is typically written to elicit strong emotional response and name-calling from the target audience... this falls under the "troll" category which gives a more subtle feeling of disturbance, saying something usually inaccurate or incorrect in a seemingly reasonable manner to generate lots of "discussion". Let's go point-by-point:

Remember Michael's over-the-top misinformed rant about this 3 days ago?

Seeing as michael's story was neither misinformation nor an over-the-top rant (read the story), this plays on the popular opinion that slashdot gets a lot of stuff wrong all the time, as well as our obvious anti-Microsoft bias, to pretend that it was in fact an over-the-top misinformed rant.

... they refuse to provide any information about when a patch might be made available, if ever.

I'm surprised he posted this fix, kinda points out how far off base /. was a short 3 days ago.

Did they provide information about when a patch was available? At the time, they did not, so this is hardly misinformation. Whether they release a patch today or three months from now, "no information" is still "no information".

Hey, I'm no M$ fan and I kinda expect some opinion on /. posts ... but there comes a point when it turns into yellow journalism and becomes childish M$ name calling.

Correct me if I'm wrong, but I believe "M$" is childish name calling. "If it agrees with me, it's opinion, otherwise it's bias": This just about sums it up. There is nothing wrong with bias; there is no way to avoid it, claiming something is unbiased is a great indication that something is trying to be intentionally misleading. I read slashdot because the bias mostly agrees with my own. Perhaps your time would be better spent looking for a more agreeable forum, instead of trolling on this one.

Can't turn off search-from-toolbar??

[I-man]

Interesting. After installing this patch, I typed in some garbage to the address bar to make sure it was still seeing my proxy (which should display a custom no-such-address page).

What happened? That bloody search-from-the-address-bar thingy had turned itself on. Oh well, I say, just go to Options -> Advanced -> Do Not Search From The Address Bar. I do this, type in "asdfa sdfsdfsa dfwer" (note the spaces) and POW: search-from-the-address-bar turns itself back on.

Much the same thing happens if you change the option and then restart IE.

WTF?

Re:Uber Patch

[Xerithane]

Mozilla isn't where yet, exactly? I find Mozilla to be more capable than IE often times. My current project at work has an extensive CGI front end so I'm having to deal with all the cross-browser issues. Writing standard-compliant HTML/CSS works beautiful in Mozilla, have not had one problem yet.
What was the last version of Mozilla you used?

Re:Won't even install!

[Kevinb]

(IE v. 6.00.2462.0000 to be exact)

2462 is not the final release build of IE 6. I think that's IE 6 beta 2, or maybe the "public preview" that went out before XP shipped.

The shipping version of IE 6 is 6.0.2600.0. If you go to Windows Update you should be able to install it, and then after you do that install the patch.