Slashdot Mirror


Uber-patch for Internet Explorer

malevolence writes: "According to The Register, Microsoft has released an Uber-Patch for Internet Explorer that fixes all known security problems, as well as 3 new ones, including the content-type issue that was reported on slashdot a few days ago."

29 of 590 comments

  1. All in one patch is 1/2 the solution by Rev.LoveJoy · · Score: 5, Insightful
    This is a step in the right direction, but I still have to install the thing on every single g-damn peecee in my enterprise.

    For those of us with less than a few hundred MS clients (read: fewer clients than would make useful something as heinous as SMS push upgrades) the issues are still very clear:

    1). It takes too much time to keep up on MS software patches.

    AND

    2). Once you know what you need you still have to go box to box to box to patch (in *most* cases).

    Granted the 'uber-patch' will help, but it still means I need a couple more interns to walk from machine to machine and interrupt users. IMO, patch management tools should be MS's #2 priority (right behind 'getting it right the first time').

    Cheers,
    -- RLJ

    1. Re:All in one patch is 1/2 the solution by pigeonhed · · Score: 2, Insightful

      Patching occurs on all software that is well maintained. I would be very upset if all companies did not patch software. I agree that updating a system can be a nightmare but without it trouble will soon follow. No matter what the OS/application is a progressive series of steps is important to making a mature product. Many open source products get their strength from the fact that work is not only always being done but that end users in theory receive a better product through a testing process. Patching may not be a pretty name and Microsoft has a way of making anything feel dirty but it is a good step even if a company I don't support takes it.

      Oh yeah just my opinion I could very well be wrong.

  2. Windowsupdate quite annoying! by imuffin · · Score: 3, Insightful

    I find it very annoying to try to install Microsoft patches. I work in a place where I am responsible for several windows installations. When I install a M$ OS, in order to patch it, I have to:

    1. Start IE (click through internet connection wizard)
    2. Open the windows update website
    3. Download an activeX application to determine what updates I need
    4. Download and install the updates (often, more than 5!) one at a time, rebooting in between each one!

    It's so much easier to swivel my chair around to my redhat box and do a simple 'up2date -i'.

    I wonder if there's any particular reason why Microsoft makes it so difficult? Do they actually like their security holes?

    1. Re:Windowsupdate quite annoying! by lynx_user_abroad · · Score: 2, Insightful
      Do they actually like their security holes?

      In a word, yes.
      If you think this is a troll, take this little test...
      You have just found out that Your Favorite Operating System, which you run on Your Computer, has a vulnerability which you consider important enough to do something about.
      Do you:

      Locate and apply the appropriate patches for Your Favorite Operating System, and make whatever other changes are necessary to mitigate the situation.

      Learn more about Your Favorite Operating System so that you'll be even better able to assess these threats and prevent vulnerabilities in the future.

      Lose interest, and just continue running Your Favorite Operating System, vulnerabilities and all, and go back to reading Slashdot, surfing the web, etc.

      Get fed-up, say "This is the last straw!" and abandon Your Favorite Operating System, replacing it (and all of the applications, data files, and procedures which depend upon it) with Some Other Operating System which you may have heard about.

      We can all see ourselves or think of others who would react in any (or perhaps all) of the first three ways, all of which favor the incumbent. I can't think of anyone who would respond similarly to the last, which is the only one which would topple the status quo. With the exception of a few individuals who are charged with setting the strategic computing direction for large organizations, (that is, in a position to dictate what other people will run on their computers) security holes tend to reinforce the market position of the incumbent. And the harder it is to fix, the more time your customers spend with your product (increasing your mindshare) and the less likely it is that the hole will be patched, meaning you'll have another chance in the future to grab their attention again...

      So, if you're charged with selecting a strategy to promote your operating system, your obvious tactics are:

      Focus your energies on those few people who set the computing direction for major corporations.

      (IFF you are the incumbent) Don't worry about security, because as long as you have a majority share of the market any security hole will only increase your mindshare. And mindshare is what it's all about.

      Want to know how to apply this to Free Software, Open Source, and Linux?

      Code, if you can. (and can do it well)

      Document, if you can. (and can do it well)

      Report bugs, if you can. (and can do it well)

      But most importantly, Use it.
      By just using the software, you create a habitat for the evolution of the software. If something works well, praise it. If something sucks, say so. The habitat for evolution is the key to success for both proprietary and free software. The key advantage that free software has over proprietary software lies in:

      the ability to try to be all things to all people. Most of these will fail, but the ones that don't will be spot on.

      the knowledge that no one is going to get fired or lose their job for producing something that no one wants. That's an incredibly liberating feeling for a software designer.

      If Microsoft appears to be getting stronger, it's only because they're retreating back onto their own territory.

      --

      The thing about things we don't know is we often don't know we don't know them.

  3. scariest thing on that page by Rai · · Score: 2, Insightful

    How to uninstall

    Uninstall is not available

  4. tee hee by Frac · · Score: 5, Insightful

    Michael exaggerated this exploit beyond belief:

    If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten.

    Good grief! Can somebody link to the tens of thousands of "designed for IE" webpages that are currently incompatible as a result of this patch?

    In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.

    Eerrr.. a proper "fix" of Michael's previous article probably involves a higher level of computer literacy, and less impulsive urge to write expository essays that sound dramatic, but are wrong.

    1. Re:tee hee by DeadMeat+(TM) · · Score: 5, Insightful
      Good grief! Can somebody link to the tens of thousands of "designed for IE" webpages that are currently incompatible as a result of this patch?
      Well, there would be a problem, but it's not something awful IE-specific HTML brought about. Since IE half-ignores MIME types, servers that don't have proper MIME types set up could suddenly have file associations break on their Web page. I was recently asked by someone about a problem they were having with .M3U files getting downloaded as text or being asked to save them to disk in anything but IE. Turns out the Web server didn't have a MIME type set up for M3U files, and the guy who ran the server just argued "it works fine in IE."

      So yeah, it would be a kinda big problem, and it's Microsoft's fault (if they wouldn't have set up a brain-dead policy of not handling MIME types properly then the servers would have been set up right to begin with). But it's not a "Designed for IE" page thing, and I doubt it's in the thousands of pages. Most pages that don't get the kind of traffic where somebody would notice bad HTML (e.g. homepages) are hosted on GeoCities/Angelfire/whatever which already have MIME types set up right.
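
Added example, not part of the thread or any poster's code: a sketch of the server-side check the comment above points to, flagging responses whose Content-Type is missing or only a generic fallback for the file's extension, so the site does not rely on the browser guessing the type. The extension table, function names, URLs and headers are constructed assumptions.

```python
import posixpath
from urllib.parse import urlsplit

# Assumption: a small expected-type table chosen for this illustration;
# a real audit would use the site's own list of served file types.
EXPECTED = {
    ".m3u": {"audio/x-mpegurl", "audio/mpegurl"},
    ".mp3": {"audio/mpeg"},
    ".html": {"text/html"},
    ".zip": {"application/zip"},
}

# Generic types a server commonly sends when no mapping exists for an extension.
FALLBACKS = {"text/plain", "application/octet-stream"}


def media_type(header_value):
    """Return the lowercase type/subtype of a Content-Type value, or None."""
    if not header_value:
        return None
    return header_value.split(";", 1)[0].strip().lower() or None


def audit(url, headers):
    """Classify one response by comparing its extension with its Content-Type."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    expected = EXPECTED.get(ext)
    if expected is None:
        return "unknown-extension"
    # Header names are case-insensitive, so normalise before the lookup.
    served = media_type({k.lower(): v for k, v in headers.items()}.get("content-type"))
    if served is None:
        return "missing"        # the client is left to guess the type
    if served in expected:
        return "ok"
    if served in FALLBACKS:
        return "fallback"       # no MIME mapping configured, as in the .M3U story
    return "mismatch"           # declared type disagrees with the extension


def findings(samples):
    """Return (url, verdict) for every sample that is not 'ok'."""
    results = [(url, audit(url, headers)) for url, headers in samples]
    return [item for item in results if item[1] != "ok"]


# Constructed sample responses (URL, response headers); not captured traffic.
SAMPLES = [
    ("http://example.test/playlists/mix.m3u",
     {"Content-Type": "text/plain; charset=iso-8859-1"}),
    ("http://example.test/playlists/ok.m3u", {"content-type": "audio/x-mpegurl"}),
    ("http://example.test/song.mp3?id=3", {}),
    ("http://example.test/readme.html", {"Content-Type": "application/zip"}),
]

if __name__ == "__main__":
    for url, verdict in findings(SAMPLES):
        print(f"{verdict:10} {url}")
```
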

  5. Re:You gotta wonder... by stapedium · · Score: 2, Insightful

    or maybe the announcement was part of Microsoft's PR plan to get everyone to download this "uber-patch." Or maybe slashdoters (myself included) are just paranoid nerds that haven't been doing "stuff that matters" in too long.

  6. Re:Question for michael... by robogun · · Score: 2, Insightful

    If IE is "the best browser out there", then how do you explain the BILLIONS and BILLIONS of dollars in lost productivity every year due to spreading of MICROSOFT-BORNE VIRII?

    Well?

  7. Re:Untill the next one is found next week by Junks+Jerzey · · Score: 3, Insightful

    Reminds me of a pair of pants my neighbor had. So many patches there wasn't any original fabric left.

    Just like any large software project, including the Linux kernel, KDE, Mozilla, you name it.

  8. Sensationalism courtesy of /. by fumble · · Score: 5, Insightful

    Warning: mild flamebait.

    Remember Michael's over-the-top misinformed rant about this 3 days ago?

    ... they refuse to provide any information about when a patch might be made available, if ever.

    I'm surprised he posted this fix, kinda points out how far off base /. was a short 3 days ago. Hey, I'm no M$ fan and I kinda expect some opinion on /. posts ... but there comes a point when it turns into yellow journalism and becomes childish M$ name calling.

    1. Re:Sensationalism courtesy of /. by Anonymous Coward · · Score: 2, Insightful

      Michael was right. Microsoft refused to release any information about when a patch would be available until a patch was made available.

      What's the problem?

      More sensationalism courtesy of fumble (you dropped the ball).

  9. Re:not too bright by Anonymous Coward · · Score: 1, Insightful

    So these same people who couldn't be arsed to upgrade IE to 5.5 + sp2 can actually be counted on to apply a security patch?

  10. Re:Question for michael... by Anonymous Coward · · Score: 1, Insightful

    The Solaris/AIX hole has been patched by both vendors with temp patches. The fact that IE "is the best browser" means nothing to opensource people simply because it's basically not opensource. Most of the people you see on slashdot condemning IE or any other program for that matter aren't a part of what I would promote as an opensource promoter. I just simply don't care and neither does most of the freesoftware community. If you've read slashdot for a while you'd notice that we tend to dislike Microsoft for other reasons it's just that with the recent influx of people using freesoftware/opensource etc etc it's brought a lot of new people into the ring. These people scream in disgust at Microsoft for all the wrong reasons. They aren't a part of opensource or the free software movement.. We don't promote it, old slashdot people don't promote it and neither does any other true opensource zealot promote. We don't care about Microsoft in terms of software at the end of the day unless it's bitching about having to read another office file format and then having to go to a windows machine to do so.

  11. Re:Oh, come ON. by Anonymous Coward · · Score: 1, Insightful

    I'm sure that the FBI always plays by the rules and never does anything illegal. Never ever in a million years would they ever do something illegal or against the law. Wake up and get your head out of the sand.

  12. Re:Slashdot Inconstancies by fumble · · Score: 5, Insightful

    ... is there anything they could do that would appease this crowd?

    I think you hit the nail on the head. The answer is "no." The fact remains that this community has seen M$ do some nasty things, and now they've formed their opinion (and that's just fine). Regardless if M$ does something right, it really doesn't matter. Imagine if one day at school, the bully that usually pounds your ass into the ground held the door open for you ... you probably wouldn't buy it for a second. Or maybe if Barry Manilow actually put out a mildly good song ... would you admit to liking it? I wouldn't :P

  13. No brainer... by sterno · · Score: 3, Insightful

    How many gaping security holes has Mozilla had?

    The BEST is all in how you measure it, non?

    Although realistically this isn't so much a flaw in IE, rather it is a flaw in the tight integration of IE and windows. How many of the major Microsoft security problems in the last couple of years can be directly tied to the integrations between the operating system and the applications? Frankly I can't think of many that aren't directly attributable to that.

    It all boils down to the usual sacrifice of security for convenience. A computer in a 6 foot thick block of concrete at the bottom of the ocean is very secure and nearly unusable. Microsoft has chosen to focus more on convenience and their security must pay the corresponding price.

    --
    This sig has been temporarily disconnected or is no longer in service

  14. Re:Question for michael... by SCHecklerX · · Score: 5, Insightful
    IE is the best browser out there.

    Care to back this up? Have you used the alternatives? In case you missed it, here is what Moz has that is lacking in IE:

    • Best CSS2 Compliance out there. IE totally screws up my CSS2 compliant web page. Mozilla, Konqueror, Opera render it properly.
    • Tabbed browsing. Open separate windows, or open tabs within an existing window. Great feature for browsing slashdot, keeping similar stuff together in one window with tabs while browsing other stuff in a separate window
    • Full control over what javascript functions/objects/features are allowed to execute on a per-site basis. You can even globally kill the popup on page load bullshit (the only real reason I've found to disable javascript so far)
    • Cookie management on a per-site basis
    • Image management on a per site basis. Allow/disallow images, stop animated gifs, etc.
    • Site navigation bar for sites that use that old forgotten tag (like slashdot). This is very cool and useful.
    • Proper implementation of a 'favicon' that, get this, uses ANY SUPPORTED IMAGE FORMAT, not that M$ specific .ico crap. Use a PNG and you can use alpha channels. Imagine that.
    • FAST rendering engine. Much better than IE (especially in recent builds!) This is VERY significant for modem users who have to sit and wait for IE to figure out what is in a table before rendering it, while moz's engine pops it up as it comes down. Slashdot renders here in under a second.

    Those are just some of the highlights of why mozilla is the better browser and quite frankly, blows away IE, even as prerelease software

  15. Does anyone else feel immoral? by Sludge · · Score: 4, Insightful
    I've been thinking about this for a long time, and it's time I asked my peers at slashdot- Does anyone else feel immoral browsing the web with an Internet Explorer USER_AGENT? I'm going to state what seems obvious to me:
    • Company designs nice website with features that are only supported with IE.
    • Company realises that Netscape market share is too high to do these cool things, so they downgrade their website. Animosity is felt towards the browser not developed for (in my experience this goes both ways)
    • Company waits a year and a half, and ends up re-evaluating their Netscape support position based on their current USER_AGENT stats showing 95% IE clients.
    • Company switches webpage to use proprietary and non standard technologies, locking us alternative software people out of another website.

    By this logic, which I feel is a common path for businesses to take, using Internet Explorer and letting webmasters know that you do will harm our freedom to choose our client software in the future.

    I don't understand why no one else has come forward and stated that they feel this way. For this reason, I refuse to use the software except in situations where it's seriously inconvenient to do otherwise.

    I don't mean to be alarmist. If the web is only accessible from IE, a project will be started to supply a proxy for other browsers which interprets the data from the web server and converts it to nice, standardized HTML. This could get kludgy, and is the worst case scenario I see.

  16. Re:who cares? by gmhowell · · Score: 3, Insightful

    Actually, I think the server logs show that either a bunch of people on /. use IE, or a bunch of people on /. changed their http-client string.

    CT has mentioned it in the past. Granted, a smaller percentage use IE here than, say, www.yahoo.com, but it is still a significant (and if I remember, majority) browser.

    Remember, lots of us are on here from work where we have no choice (I actually have the choice of Mozilla/Netscape, but am too lazy to install it, as IE 5.5 seems okay)

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon

  17. Re:not too bright by TheAwfulTruth · · Score: 5, Insightful

    Not informative at all. Here's the real information: The patches can be applied to IE 6.0 OR IE 5.5 SP2 ONLY. If you do not have either of those you need to upgrade to one of them then apply the appropriate patch.

    If you have not already upgraded to these versions then you are (and have been) vulnerable to numerous PAST holes. So if you haven't bothered to upgrade by now, why do you care about patching all of a sudden?

    Please mod me up to 5 now thank you.

    --
    Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!

  18. Re:Uber Patch by ncc74656 · · Score: 5, Insightful
    That would require that a significant portion of Slashdot users use IE.
    ...and you're implying that they don't? It's not like there are many options...Konqueror and Mozilla aren't all there yet, there seems to have been some sort of stink lately WRT Opera, and there's no way in hell that I'd use Nutscrape. Not everyone who reads /. is a flaming anti-MS zealot...MS has its warts (you're nuts if you put a Windows box directly on the Internet), but then so does nearly everything/everyone else.
    --
    20 January 2017: the End of an Error.

  19. Remember when Netscape was on top by Shabazz · · Score: 2, Insightful

    I was just a CS undergrad at UC Berkeley. The year was '96. Netscape dominated the market. Eric Brewer (founder of Inktomi) and his group of grad students continually found security flaws in Netscape. They received a lot of press. Netscape looked bad.

    It's no different with IE now. It's possible that Mozilla really is less flawed than IE, but I guar-an-tee that if it had 85% of the market, we'd be hearing about security problems all the time. I'm not a MS apologist, I just want to shed some light.

  20. Pursuant to Appropriate Legal Process != YES by Jon+Howard · · Score: 3, Insightful

    Note that the segment you highlighted did not say "YES" - why do you suppose they didn't say yes?

  21. Re:who cares? by Anonymous Coward · · Score: 1, Insightful

    Mozilla is owned by AOL, who puts a TON of crap in with Netscape releases. I know that you can download just Mozilla with its own standalone projects (Gecko?), but that is a lot of work. For most things, IE works and it is already installed.

  22. Re:Hmm. by Anonymous Coward · · Score: 1, Insightful

    Let's just wait and see if the patch actually works. Will the holes stay patched? How much else in the OS will be broken?

    Microsoft doesn't have a good record on previous patches.

  23. Re:Slashdot Inconstancies by bughunter · · Score: 2, Insightful
    Imagine if one day at school, the bully that usually pounds your ass into the ground held the door open for you ...

    I'd wonder what the hell he was up to and look for another door!

    Gee... you hit on a pretty good analogy there.

    --
    I can see the fnords!

  24. Re:Uber Patch by slashdot_commentator · · Score: 4, Insightful


    Hmmm, I don't recall any version of IE working for linux. Perhaps the underlying truth is more embarrassing than we realize...

    Nah, probably working stiffs who are stuck on NT/2K/Win9X boxes at work...

    --
    There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon

  25. Re:Happy Friday by Anonymous Coward · · Score: 1, Insightful
    And you forgot the part where your mail and network access mysteriously stop working. Not to mention your office phone line.

    If I was you, man, I wouldn't fuck with someone who could really make your life hell when you have a deadline looming.

    Yeah, man, you miss your release, and then blame the sysadmin for your problems.

    Makes you come out looking like a first class CHUMP, Mr. Impo'tent Programmer Dude.