Uber-patch for Internet Explorer
malevolence writes: "According to The Register, Microsoft has released an Uber-Patch for Internet Explorer that fixes all known security problems, as well as 3 new ones, including the content-type issue that was reported on slashdot a few days ago."
how long this patch was developed. Suddenly when the hole is "announced" wammo! a patch in 3 days. Maybe Microsoft doesn't want to reduce its "features"
We had to destroy the sig to save the sig.
Uhhh.... How to fix MS's reputation:
1) stop abusing monopolistic powers
2) stop releasing product before it is ready
3) teach your programmers how to program ROBUSTLY
4) IMPROVE STABILITY DAMNIT! Sure it is profitable for me to go and reinstall windows for someone every six months to the tune of $60 an hour, but I sure get tired of doing it.
5) Play nice with the competition
Consumers (not just slashdot ubergeeks) will have to sit up and take notice at this one, I think. It's getting a bit more coverage / product placement, and isn't being couched in esoteric terms (MS has a tendency of releasing patches that have descriptions which underplay the effects of not patching, or else are so laden with jargon that the layman cannot quite process them). It really is an "uber patch", and it really is MS saying, "We've been releasing insecure software for a while. In fact, we're still doing so, as evidenced by the three bugs that you don't even know about that we're patching. Please install this patch or else you're screwed."
I think consumers can weather something like, "Apply this patch in order to ensure that your copy of internet explorer appropriately identifies content header types and reconciles them with dialogue saving and automated execution routines." because it just looks so *foreign*. Approached from a non-computing background, it looks like something very small and unlikely to affect anyone. This patch, though, looks a bit more like "Oops. Our browser sucks for security. Install immediately."
Hopefully this will draw people's attention to:
1) The importance of frequent patching
2) The lack of security in MSIE
3) The problems associated with bundling a browser into core OS functionality (bit more unlikely).
Of course, the spin is still there, but:
Who should read this bulletin: Customers using Microsoft® Internet Explorer.
Impact of vulnerability: Run code of attacker's choice.
Maximum Severity Rating: Critical
Recommendation: Customers using IE should install the patch immediately.
Affected Software:
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
...is still pretty cut & dry. Anyone with even half a brain should realize that if a gaping hole in a consumer product existed through *2* releases (like having a 2000 and a 2001 Honda both explode in flames under appropriate conditions), that product may not be the best built out there.
Right?
Of course, I'd be much more pleased if people were being notified via a big ol' link on msn.com, and through a mail from the beloved "Hotmail Staff". What, are they scared of leveraging a monopoly to insure the security of their users?
-l
I had two users today get the Nimda.E variant via email. It had an interesting header that was included from an html formatted email's iframe . . .
I'll leave out the actual format of the email's html. But what happened was Windows tried to run sample.exe right after previewing. No popup box, no nothing. And this was using Outlook Express 5.0. It was a good thing that the virus software saw the executable as a Nimda. If they had sent a format.exe that would have been it for the two users' data.
Microsoft said that only 6.0 was affected?
Or is this something different than what they have supposedly patched?
What if it was the reverse. The DOJ gives MS leniency, but calls in a favor with the FBI to announce some "Magic Lantern" spyware, and suddenly open projects become very popular....
...naw. ;-)
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
I have to agree about the anti-microsoft atmosphere here. Not only with this statement but all the "It deletes IE!" "It installs Mozilla!" jokes just make you people look like you are desperate to fit in. It's pathetic!
IE is the best browser out there. Check ANY review. And MS has jumped to fix a bug that everyone found (notice the GAPING HOLE in Solaris/AIX systems that still isn't patched? Why aren't you going off on that?)
Remember when you had to purchase Netscape, but IE was free?
Mozilla MAY -become- better, but it isn't, yet. If you give me that "IE doesn't run in Linux" then why are you even posting to this article?
You guys need to be less Open Source/Anti-Microsoft Zealotous.
I'd post anonymously to preserve karma, but the authors already know my IP (see sig).
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
It's because of the way Windows works. It won't let you overwrite a .exe or .dll that is in use, and since IE is so tied into the OS itself, most of the IE components are in use all the time. Therefore you have to reboot in order for the update to take effect. When rebooted, it copies the files over while in protected mode, before IE loads.
That is all.
And will this cause the /. effect on Microsoft?
That would be neat...
I like you, Stuart. You're not like everyone else, here, at Slashdot.
I tried to install the patch...and received the following error:
This update requires Internet Explorer 6.0 to be installed.
I'm running v6.00.2462
Go figure.
Mozilla MAY -become- better, but it isn't, yet. If you give me that "IE doesn't run in Linux" then why are you even posting to this article?
Why? Because at times like these when the FBI is engineering Trojan horses to be snuck onto people's computers--and the US antivirus industry has capitulated--closed source operating systems, browsers and other software seriously lose credibility with anyone desiring privacy.
Mozilla and Konqueror might not do everything that IE can do, but they have 80-90% of its functionality. Try KDE under Mandrake 8.1 and you'll see just how far OSS has come.
At least with open source products the code is laid bare and people can audit it to be sure that spook agencies haven't embedded keystroke loggers and other such goodies.
And why the hell have they not rolled it into windowsupdate? I could tell my users:
Check windowsupdate.
or.
Go to this huge MS address. Then go here, or here. Then download and run this.
Outlook is most of them. And I never claimed that Outlook is a great email program. Not to mention the hundreds of clueless users that open any attachments sent to them.
And if I was to create a browser virus, I'd target the most used browser, and the browser that the "clueless-mother-type" users use.
That isn't an insult to IE, but for computer/internet learners, IE is the browser they learn on.
If linux was the biggest OS and Mozilla the largest browser, I think you'd find more Virii in linux and mozilla.
Target the many, target the weak (users). That's what virus writers do.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
For all the reasons that you state, I:
Since Microsoft announced its policy of attempting to keep the lid on the security holes that exist within its software, I would assume that 'known' means ones that they are willing to reveal to us.
So the word 'all' preceding 'known' has no meaning since Microsoft itself admits to withholding the true extent of the damage its software can do to your system through security holes.
I consider this another deceitful marketing attempt to make consumers feel safe about their products despite their worse than poor track record. They may not be outright lying, but they're planting the seeds for others to do it for them. How many sysadmins will now send out an email saying that "IE will be free from all security bugs by installing this patch"? Of course that is a lie.
Cute!
Tried installing the 6.0 UberPatch on 2 separate boxes now, both running W2kPro sp2 with IE 6.0 installed with VS.NET beta2.
(IE v. 6.00.2462.0000 to be exact)
The installation quits with an error telling me I must have IE 6.0 to install.
Also seen as mentioned above similar effect on 5.x versions other than 5.5 with that version install.
Leaves me not exactly feeling warm and fuzzy about whether the actual patch will really patch the holes it's supposed to or not!
No Comment.
VNC's built-in security is not great. You set one password per machine (if you're administering a bunch, you'll probably set it to be the same on all) and you can create a registry entry to specify IP ranges which are permitted to connect. Beyond that, you need to get into installing OpenSSH and tunnelling VNC through that. By default, VNC doesn't allow loopback connections so you have to change something in the registry so it'll tunnel.
What I also do is leave the VNC service set to Manual, then use something like Computer Management (a Win2k tool) to start the service when I want to use it.
My routine goes like this: find out user's computername (let's say "luser28"), run "compmgmt.msc /computer:luser28", start VNC service, run VNCviewer and paste in the computername as the VNC Server address (netbios names will get resolved to IP), enter the VNC password (plus domain login if I'm not looking over a logged-in user's shoulder) and I'm in. When I'm done I bring computer management to the front and stop the service. Starting the service remotely requires local admin rights on the machine so if a cracker can do that, we're already screwed.
There are also a number of ways to execute programs remotely without resorting to login scripts, psexec.exe comes to mind.
I would just like to say at the outset that I am not a raving nut. But I have puzzled at the unusually close relationship between Microsoft and the Bush administration. And consider the following disclaimer from the End User License Agreement (EULA) at passport.com:
.NET Passport will disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to:
. . . d. Act under exigent circumstances to protect the personal safety of users of Microsoft, the .NET Passport Web Site, or the public.
With the recent terrorist activities and the sweeping new anti-terrorist legislation, any "exigent circumstances" could be said to be met as a matter of course. So what guarantees do we have that MS and the gov't doesn't have a secret agreement in place to continuously sift and profile all the data (OUR data) that the .Net databases will surely contain? And is there a person on the planet who believes that MS wouldn't use its users' privacy as a bargaining chip to extract a favourable deal from the gov't? (Not that they ever had any respect for it before, of course.)
And you are nuts if you put one behind the firewall where any old Outlook or MSIE flaw will put a keylogger, sniffer or whatever. What's the point of a nice little firewall when some goon can soap his way through the browser?
I suppose you just have to be wild and crazy to use M$ at all. Look at what your money buys: a poor security model with intentional bypasses, monthly crashes, Magic Lantern, WMP sound, Digital Rights Management (now patented!), remote kill switches, and the opportunity to pay again and again. What a bargain, but spending is good for someone else's economy so party on, fanboy!
Posted using Mozilla, running through a secure shell from a 650MHz Athlon to my puny little 150 MHz Pentium laptop on my lap in my bed. Try that with M$ garbage. What MSIE won't run in 24MB RAM? What Billy G won't let you run copies of it on more than one machine at once? Where did you want to go yesterday?
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Actually I read it for the so called news, however I use IE simply because it's better than the alternatives on my desktop. Linux isn't for desktop, I dislike macos, that leaves windows. IE is the best browser for windows.
Oops....you'll know what I'm talkin about in a bit.