Uber-patch for Internet Explorer

malevolence writes: "According to The Register, Microsoft has released an Uber-Patch for Internet Explorer that fixes all known security problems, as well as 3 new ones, including the content-type issue that was reported on slashdot a few days ago."

Uber Patch

[IgnorantKnucklehead]

What does the "uber patch" do, install Mozilla?

Re:Uber Patch

[Negadecimal]

Or better, Magic Lantern.

It'd be the perfect trojan horse... MS gets leniency from the DOJ in exchange for some...favors.

Re:Uber Patch

Sorry to break it to you, but a significant protion of the readership *does* use IE. Rob used to publish statistics on this and stopped for obvious, embarassing reasons.

Re:Uber Patch

[ncc74656]

That would require that a significant portion of Slashdot users use IE.

...and you're implying that they don't? It's not like there are many options...Konqueror and Mozilla aren't all there yet, there seems to have been some sort of stink lately WRT Opera, and there's no way in hell that I'd use Nutscrape. Not everyone who reads /. is a flaming anti-MS zealot...MS has its warts (you're nuts if you put a Windows box directly on the Internet), but then so does nearly everything/everyone else.

Re:Uber Patch

[Xerithane]

Mozilla isn't where yet, exactly? I find Mozilla to be more capable than IE often times. My current project at work has an extensive CGI front end so I'm having to deal with all the cross-browser issues. Writing standard-compliant HTML/CSS works beautiful in Mozilla, have not had one problem yet.
What was the last version of Mozilla you used?

Re:Uber Patch

[mickeyreznor]

IIRC i believe Opera 5.0 was the version that had problems. v 6.0 is out for all platforms, and that one doesn't have any reported problems.

Re:Uber Patch

[Xerithane]

*cough* bullshit *cough*

I have 5 windows open at the moment, which is less than I normally have. Curently has a 64M footprint, which is taking into account the java_vm (which is bloated and the cause of all crashes I have encountered with 0.9.6) and it stays up far longer than IE 5.5 on another box. Renders very quickly (full page load in 2 seconds on the lan, including all graphics and content - while IE and NS4.7 take about 5 seconds)

Launch time is also relatively short, especially in comparison with IE if Explorer is not your shell and not loading at start up and staying resident which is why everything thinks IE is so quick.

Mozilla is also conclusivly more stable than Netscape's 4.x series so if you wouldn't mind not being an idiot for a moment and actually looking at the facts and.. oh I don't know.. use it (which is obvious that you haven't recently based on your statements) I'm sure a lot of people would appreciate it.

Re:Uber Patch

[Trepidity]

I dunno about on Windows, but the mozilla version I'm using for Solaris (0.9.1 I think) is incredibly slow, which is the main reason I don't use it. When it takes a full 30-45 seconds to start up the browser, it's not really worth the effort. So I stick with NS4, flaws and all.

Re:Uber Patch

[Trepidity]

Well, when it's a system used by 1000 people, you can't be doing software upgrades every week...

Re:Uber Patch

[slashdot_commentator]

Hmmm, I don't recall any version of IE working for linux. Perhaps the underlying truth is more embarrassing than we realize...

Nah, probably working stiffs who are stuck on NT/2K/Win9X boxes at work...

Re:Uber Patch

[discogravy]

or slashdot has an unusually large Mac-user readership.

Re:Uber Patch

[ncc74656]

What was the last version of Mozilla you used?

I tried building 0.9.6 from source on an LFS system earlier this week. It segfaulted when it tried to start up. I was able to build KDE 2.2.2 on the same system and get Konqueror running with the display going to XFree86 4.1.0 for Cygwin under Win2K. (This was done mainly so that apps like DDD that want to bring up webpages have access to a graphical browser...otherwise, it would've used Lynx.)

As for Windows versions of Mozilla...it's been a few months. It rendered pages properly without crashing too much, but I wouldn't have characterized it as a better browser than IE. More recently, I've installed K-Meleon. It seems stable enough, but doesn't offer any compelling reason to switch away from IE. I haven't seen that it supports anything that IE doesn't. OTOH, I will allow that it does a much better job of handling CSS than Nutscrape 4.x ever did.

Re:Uber Patch

[Xerithane]

Having a LFS build would have probably helped the developers find the problem and make the build more robust - I hope you submitted a bug report for it.

But, if you haven't been able to get a working recent build of Mozilla running it seems less than likely to be able to perform an accurate analysis of Mozilla. Konquerer I think is absolutely great for doing HTML reports and such - as for the LFS, I have been thinking of spending some time doing something with it; how is it faring for you?

Back to mozilla, you really should try using it if you are open to it -- it's came a very long way in the last few months. As I've said before, I use it exclusively now (Skypilot is also a very quick theme) and am happily hacking away on it. It's CSS2 support makes me a happy hacker.. even when I hate doing web-based user interfaces. :)

Hmm.

[Shaman]

I thought this was the bug that couldn't be fixed because it was worked so deep into the OS.

What a ripoff.

[Mike+Schiraldi]

Boy, Microsoft sucks. This patch doesn't even address future, yet-to-be-discovered vulnerabilities.

Re:What a ripoff.

[SubtleNuance]

...no but it probably introduces a few...

Question for michael...

[turbine216]

Could you have been any LESS enthusiastic about that blurb? What, have your hopes for "armageddon courtesy of your pals at Microsoft" been obliterated? Sorry to hear it.

Anyway, this is a really good indication on the part of MS...perhaps an indicator of more initiative on these problems in the future. I definitely think that this is the type of thing that they need to continue if they wish to salvage their reputation at all...

Re:Question for michael...

[FortKnox]

I have to agree about the anti-microsoft atmosphere here. Not only with this statement but all the "It deletes IE!" "It installs Mozilla!" jokes just make you people look like you are desperate to fit in. Its pathetic!

IE is the best browser out there. Check ANY review. And MS has jumped to fix a bug that everyone found (notice the GAPING HOLE in Solaris/AIX systems that still isn't patched? Why aren't you going off on that?)

Remember when you had to purchase Netscape, but IE was free?

Mozilla MAY -become- better, but it isn't, yet. If you give me that "IE doesn't run in Linux" then why are you even posting to this article?

You guys need to be less Open Source/Anti-Microsoft Zealotous.

I'd post anonymously to preserve karma, but the authors already know my IP (see sig).

Re:Question for michael...

[sroddy]

You better check your info again bud.... It is patched. at least Sun and IBM.

Besides, anyone not using ssh rather than telnet and rlogin is not very worried about security anyway.

Re:Question for michael...

[robogun]

If IE is "the best browser out there", then how do you explain the BILLIONS and BILLIONS of dollars in lost productivity every year due to spreading of MICROSOFT-BORNE VIRII?

Well?

Re:Question for michael...

[rabidcow]

Remember when you had to purchase Netscape, but IE was free?

No, I was a student back then. How is this relevant anyway? (Remember when IE TOTALLY SUCKED?) So MS had deeper pockets than Netscape. So what? How much do you have to pay for mozilla?

Mozilla MAY -become- better, but it isn't, yet.

For me it is. For everyone else, who cares?

The bias on /. is VERY old news.

Re:Question for michael...

[FortKnox]

Outlook is most of them. And I never claimed that Outlook is a great email program. Not to mention the hundreds of clueless users that open any attachments sent to them.

And if I was to create a browser virus, I'd target the most used browser, and the browser that the "clueless-mother-type" users use.

That isn't an insult to IE, but for computer/internet learners, IE is the browser they learn on.

If linux was the biggest OS and Mozilla the largest browser, I think you'd find more Virii in linux and mozilla.

Target the many, target the weak (users). That's what virus writers do.

Re:Question for michael...

[SCHecklerX]

IE is the best browser out there.

Care to back this up? Have you used the alternatives? In case you missed it, here is what Moz has that is lacking in IE:

• Best CSS2 Compliance out there. IE totally screws up my CSS2 compliant web page. Mozilla, Konqueror, Opera render it properly.
• Tabbed browsing. Open separate windows, or open tabs within an existing window. Great feature for browsing slashdot, keeping similar stuff together in one window with tabs while browsing other stuff in a separate window
• Full control over what javascript functions/objects/features are allowed to execute on a per-site basis. You can even globally kill the popup on page load bullshit (the only real reason I've found to disable javascript so far)
• Cookie management on a per-site basis
• Image management on a per site basis. Allow/disallow images, stop animated gifs, etc.
• Site navigation bar for sites that use that old forgotten tag (like slashdot). This is very cool and useful.
• Proper implementation of a 'favicon' that, get this, uses ANY SUPPORTED IMAGE FORMAT, not that M$ specific .ico crap. Use a PNG and you can use alpha channels. Imagine that.
• FAST rendering engine. Much better than IE (especially in recent builds!) This is VERY significant for modem users who have to sit and wait for IE to figure out what is in a table before rendering it, while moz's engine pops it up as it comes down. Slashdot renders here in under a second.

Those are just some of the highlights of why mozilla is the better browser and quite frankly, blows away IE, even as prerelease software

Re:Question for michael...

[Tom7]

I actually really do like mozilla more than IE now. Mozilla basically supports everything IE does, now, and has some extra nice features like tabs.

I agree with you about the anti-microsoft stuff. I hate microsoft too, but I think it's just wishful thinking on the part of slashdot kids that Microsoft software is automatically insecure and Linux/UNIX is automatically secure. I recall many recent high-profile vulnerabilities in linux software, for instance, and to get rooted through those I didn't need to browse to some hacker's site -- just sit back and let them do all the work.

Personally, I think as MS moves to .NET and higher-level, safe languages like C#, they are going to be the ones laughing at us. I wish it wasn't so...

Re:Question for michael...

[haruharaharu]

How do you know Mozilla is rendering it improperly and IE isn't?

There's this thing called using your brain and reading the spec. How do you think something gets made compliant in the first place?

Re:Question for michael...

[CoolVibe]

ssh had a bug, it was only relevant if you used your system's login (which it doesn't by default, but you _can_ opt for that). Which can be handy if you use a non-standard login(1).

Re:Question for michael...

[weave]

If you don't like favicon crap, you can turn it off. It's in the preferences under appearances, "Show Web Site Icons."

Can that be done in IE?

Re:Question for michael...

[Ian+Bicking]

FAST rendering engine. Much better than IE (especially in recent builds!) This is VERY significant for modem users who have to sit and wait for IE to figure out what is in a table before rendering it, while moz's engine pops it up as it comes down. Slashdot renders here in under a second.

It has a fast rendering engine, yet it still manages to feel slow. Really the same criticism applies to IE as well. NS4, for all its many, many sins, feels way faster than Mozilla or IE, because it gives really immediate UI feedback.

Overall, responsiveness has gotten worse and worse in software, even as other speeds have gotten better. And it's the less-than-a-second pauses that really annoy me (and a lot of other people too) -- I can't really tell that they are there, but they make the whole experience feel worse.

Re:Question for michael...

[Old+Wolf]

How do you explain the millions of dollars of damage in illiteracy rates and unintelligence done to the general populace by the perpetuation of such lexical abominations as "virii" ?

Re:Question for michael...

[SCHecklerX]

Duh. no. I 'built' it with Vi, using the w3c documentation on CSS.

Re:Question for michael...

[SCHecklerX]

Not to mention the fact that the default behavior of mozilla will be to NOT go probing for favicon.ico on every web site it hits (as IE does...go look at some apache logs some time). Mozilla supports this that way, if you explicitly enable it through an undocumented prefs.js entry, but also does it the proper way with tags.

MS Craziness

[Fatal0E]

Just when I thought that I knew the difference between a Service Pack, Security Rollup Patch and a cumulative Hot Fix they go and release a Security Bulletin like this one.

Re:MS Craziness

[Chundra]

Ok it's easy:

Service Packs are the small, 6-8oz cups with the foil tops. They usually contain yogurt or pudding.

Rollup Patches are dried fruit puree attached to thin plastic wrap. You tear the fruit substance off the plastic before eating.

Hot Fixes are the things you remove from the plastic bag and put in the microwave. They usually consist of some sort of bread substance with a meaty and/or cheesy filling.

Hope that clears things up.

You gotta wonder...

[reflexreaction]

how long this patch was developed. Suddenly when the hole is "announced" wammo! a patch in 3 days. Maybe Microsoft doesn't want to reduce it's "features"

Re:You gotta wonder...

[stapedium]

or maybe the announcement was part of Microsoft's PR plan to get everyone to download this "uber-patch." Or maybe slashdoters (myself included) are just paranoid nerds that haven't been diong "stuff that matters" in too long.

All in one patch is 1/2 the solution

[Rev.LoveJoy]

This is a step in the right direction, but I still have to install the thing on every single g-damn peecee in my enterprise.

For those of us with less than a few hundred MS clients (read: fewer clients that would make usefull something as heinous as SMS push upgrades) the issues are still very clear:

1). It takes too much time to keep up on MS software patches.

AND

2). Once you know what you need you still have to go box to box to box to patch (in *most* cases).

Granted the 'uber-patch' will help, but it still means I need a couple more inters to walk from machine to machine and interrupt users. IMO, patch managment tools should be MS's #2 priority (right behind 'getting it right the first time').

Cheers,
-- RLJ

Re:All in one patch is 1/2 the solution

[michaela]

I have found two solutions around this (although I agree about SMS pricing).

1. Require domain logins, don't even provide local logins to the machine. Then, as part of the logon procedure, use a logon script. Look in the patch archive to find the list of files it updates. In the logon script, check the timestamp on three of them and if they're out of date, run the updater.
2. Install VNC server on the user stations and set it to run at bootup. Then you can do nearly any administration task short of recovering from a complete blowout without leaving your desk. Do it after hours and you can reboot the machines right away. Or, use parts of #1 with a logout script instead to reboot the machine the next time they log out.

Re:All in one patch is 1/2 the solution

So I guess you've never heard of installation or SMS servers that make an installation of this nature possible at the click of a single button from any workstation in the company? Microsoft had them out years ago. Currently Windows Update and Dynamic Update can be pointed to intranet servers. Active Directory, MSI, or WMI can "push" installations automatically from centralized locations as well, again at the click of a button and without interrupting the user. Maybe you need to start researching solutions for this problem instead of complaining about them to slashdot?

Walk to individual machines. Hah, that's so 80s.

Re:All in one patch is 1/2 the solution

[Rev.LoveJoy]

2 good ideas! The login scripting does fall down occassionally (as with respect to what the earlier respondant had to say - I have been in that boat as well).

I have been pining to get VNC (or just about any remote desktop app) on the clients for some time. My one concern here is that I don't know much about VNC's security implications. I think I'll do some reading...

Cheers,
-- RLJ

Offtopic - I find it interesting that the flames are by anon cowards and do not contain supporting materials. Hmmmm ... :-)

Re:All in one patch is 1/2 the solution

[pigeonhed]

Patching occurs on all software that is well maintained. I would be very upset if all companies did not patch software. I agree that updating a system can be a nightmare but without it trouble will soon follow. No matter what the OS/application is a progressive series of steps is important to making a mature product. Many open source products get their strength from the fact that work is not only always being done but that end users in theory receive a better product threw a testing process. Patching may not be a pretty name and Microsoft has a way of making anything feel dirty but it is a good step even if a company I don't support takes it.

Oh yeah just my opinion I could very well be wrong.

Re:All in one patch is 1/2 the solution

[Col.+Klink+(retired)]

Why not just replace your home page with a trojan that runs the patch?

If you want to prioritize who gets patched first, you can send the patch as an email to everyone and warm them not to run it. The ones you need to worry most about will be the first patched...

Re:All in one patch is 1/2 the solution

[extra88]

VNC's built-in security is not great. You set one password per machine (if you administering a bunch, you'll probably set it to be the same on all) and you can create a registry entry to specify IP ranges which are permitted to connect. Beyond that, you need to get in to installing OpenSSH and tunnelling VNC through that. By default, VNC doesn't allow loopback connections so you have to change something in the registry so it'll tunnel.

What I also do is leave the VNC service set to Manual, then use something like Computer Mangement(a Win2k tool) to start the service when I want to use it.

My routine goes like this: find out user's computername (let's say "luser28"),run "compmgmt.msc /computer:luser28", start VNC service, run VNCviewer and paste in the computername as the VNC Server address (netbios names will get resolved to IP), enter the VNC password (plus domain login if I'm not looking over a logged-in user's shoulder) and I'm in. When I'm done I bring computer management to the front and stop the service. Starting the service remotely requires local admin rights on the machine so if a cracker can do that, we're already screwed.

There are also a number of ways to execute programs remotely without resorting to login scripts, psexec.exe comes to mind.

Re:All in one patch is 1/2 the solution

[0xA]

I feel your pain.

We now run all of our user applications from Citrix Metaframe server farm. It's not the solution for everyone but I can't tell you how happy I am that I only have to patch 4 boxes tonight.

Re:All in one patch is 1/2 the solution

[Rev.LoveJoy]

That's nice if you're assuming that the users on your target boxen have local admin rights (which, mine do not).

Giving users local admin rights to boxes is like handing them the matches and pointing to the TNT shed.

Granted, some of the patches for IE on Win2k do not require local admin rights to install, but most still want reg.modify access and to replace a system DLL or two. NOTE: the same thing that lots and lots of viruses like to do.

Cheers,
-- RLJ

For IE 5.5 users

[The+Bungi]

This does not appear to be a service pack, and the target builds listed for the hotfix are only IE 5.5 SP2 and 6, so you'll need to head here to get yer SP and then install the hotfix (get directly to it from here).

It seems unlikely that the SP2 for 5.5 includes this as of right now, although it will eventually (I know sometimes I'll download an SP and take a few days to actually install it). Check your versions before you plunge your box into browser hell =)

Re:For IE 5.5 users

[The+Bungi]

Ooops, thanks for catching that.

Download URLs

[nstrom]

Here's the direct download URLs, so you don't have to wade through MS's crufty site:

for IE6:
http://download.microsoft.com/download/IE60/secpac 23/6/W98NT42KMeXP/EN-US/q313675.exe
for IE5.5:
http://download.microsoft.com/download/ie55sp2/sec pac23/5.5_SP2/WIN98Me/EN-US/q313675.exe

These updates have not yet appeared on Windows Update.

Re:Download URLs

[ZzeusS]

And why the hell have they not rolled it into windowsupdate? I could tell my users:

Check windowsupdate.

or.

Go to this huge MS address. Then go here, or here. Then download and run this.

Re:Download URLs

[WildBeast]

Usually, patches take about 2 days or so to be available on windowsupdate.

Re:Download URLs

[barzok]

Or, you could download and publish it via your intranet. Or push it out via login scripts. End-users going to WindowsUpdate just causes more problems for administrators.

Windowsupdate quite annoying!

[imuffin]

I find it very annoying to try to install Microsoft patches. I work in a place where I am responsible for several windows installations. When I install a M$ OS, in order to patch it, i have to:

1. Start IE (click through internet connection wizard)
2. Open the windows update website
3. Download an activeX application to determine what updates I need
4. Download and install the updates (often, more than 5!) one at a time, rebooting in between each one!

It's so much easier to swivel my chair around to my redhat box and do a simple 'up2date -i'.

I wonder if there's any particular reason why Microsoft makes it so difficult? Do they actually like their security holes?

Re:Windowsupdate quite annoying!

[brunes69]

Its because of the way windows works. It wo't let you overwrite a .exe or .dll that is in use, and since IE is so tied into the OS itself, most of the IE components are in use all the time. Therefore you have to reboot in otder for the update to take effect. When rebooted, it copies the file sover while in protected mode, before IE loads.

Re:Windowsupdate quite annoying!

[lynx_user_abroad]

Do they actually like their security holes?

In a word, yes.
If you think this is a troll, take this little test...
You have just found out that Your Favorite Operating System, which you run on Your Computer, has a vulnerability which you consider important enough to do something about.
Do you:

Locate and apply the appropriate patches for Your Favorite Operating System, and make whatever other changes are necessary to mitigate the situation.

Learn more about Your Favorite Operating System so that you'll be even better able to assess these threats and prevent vulnerabilities in the future.

Lose interest, and just continue running Your Favorite Operating System, vulnerabilities and all, and go back to reading Slashdot, surfing the web, etc.

Get fed-up, say "This is the last straw!" and abandon Your Favorite Operating System, replacing it (and all of the applications, data files, and procedures which depend upon it) with Some Other Operating System which you may have heard about.

We can all see ourselves or think of others who would react in any (or perhaps all) of the first three ways, all ow which favor the incumbent. I can't think of anyone who would respond similarly to the last, which is the only one which would topple the status quo. With the exception of a few individuals who are charged with setting the strategic computing direction for large organizations, (that is, in a position to dictate what other people will run on their computers) security holes tend to reinforce the market position of the incumbent. And the harder it is to fix, the more time your customers spend with your product (increasing your mindshare) and the less likely it is that the hole will be patched, meaning you'll have another chance in the future to grab their attention again...

So, if you're charged with selecting a strategy to promote your operating system, your obvious tactics are:

Focus your energies on those few people who set the computing direction for major corporations.

(IFF you are the incumbent) Don't worry about security, because as long as you have a majority share of the market any security hole will only increase your mindshare. And mindshare is what it's all about.

Want to know how to apply this to Free Software, Open Source, and Linux?

Code, if you can. (and can do it well)

Document, if you can. (and can do it well)

Report bugs, if you can. (and can do it well)

But most importantly, Use it.
By just using the software, you create a habitat for the evolution of the software. If something works well, praise it. If something sucks, say so. The habitat for evolution is the key to success for both proprietary and free software. The key advantage that free software has over proprietary software lies in:

the ability to try to be all things to all people. Most of these will fail, but the ones that don't will be spot on.

the knowledge that no one is going to get fired or lose their job for producing something that no one wants. That's an incredibly liberating feeling for a software designer.

If Microsoft appears to be getting stronger, it's only because they're retreating back onto their own territory.

What they didn't tell you..

[Dutchmaan]

They already applied their uber-patch to the DOJ and it *worked*!

More like Deja Patch...

[chinton]

100s of beautiful security fixes... and 3 ugly ones.

Re:More like Deja Patch...

[laserjet]

For those that didn't get this, (and correct me if I am wrong), but this is a reference from a strip club (well, now it's just a topless bar i think, but I haven't been there in several years). Their slogan reads something like "The Deja Vu: 100 pretty girls, and 3 ugly ones."

I know they have one in SpoCompton (aka Spo-Angeles aka Spokane).

Since I bet there are a large number of /.'ers who have never been to a strip club, I thought I would point this out.

This has to be chipping away at confidence....

[lblack]

Consumers (not just slashdot ubergeeks) will have to sit up and take notice at this one, I think. It's getting a bit more coverage / product placement, and isn't being couched in esoteric terms (MS has a tendency of releasing patches that have descriptions which underplay the effects of not patching, or else are so laden with jargon that the layman cannot quite process them). It really is an "uber patch", and it really is MS saying, "We've been releasing insecure software for awhile. In fact, we're still doing so, as evidenced by the three bugs that you don't even know about that we're patching. Please install this patch or else you're screwed."

I think consumers can weather something like, "Apply this patch in order to ensure that your copy of internet explorer appropriately identifies content header types and reconciles them with dialogue saving and automated execution routines." because it just looks so *foreign*. Approached from a non-computing background, it looks like something very small and unlikely to affect anyone. This patch, though, looks a bit more like "Oops. Our browser sucks for security. Install immediately."

Hopefully this will draw peoples attention to:

1) The importance of frequent patching
2) The lack of security in MSIE
3) The problems associated with bundling a browser into core OS functionality (bit more unlikely).

Of course, the spin is still there, but:

Who should read this bulletin: Customers using Microsoft® Internet Explorer.

Impact of vulnerability: Run code of attacker's choice.

Maximum Severity Rating: Critical

Recommendation: Customers using IE should install the patch immediately.

Affected Software:

Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0


...is still pretty cut & dry. Anyone with even half a brain should realize that if a gaping hole in a consumer product existed through *2* releases (like having a 2000 and a 2001 Honda both explode in flames under appropriate conditions), that product may not be the best built out there.

Right?

Of course, I'd be much more pleased if people were being notified via a big ol' link on msn.com, and through a mail from the beloved "Hotmail Staff". What, are they scared of leveraging a monopoly to insure the security of their users?

-l

Re:This has to be chipping away at confidence....

[Zico]

Actually, the truth of the matter is, what else are they going to use? Linux? Well no, we're looking for something secure, not with something needing more security patches than Windows. More difficult to use plus more insecure plus poor software choices isn't exactly a winning combination. Macs? That'd be the top alternative, but it's kind of hard to justify Mac prices when they're so limited power-wise and software-wise compared to Windows PCs. And that's why people prefer Windows.

Re:Hmm...

[kigrwik]

> It said Requires Windows 95 or better, so I installed Linux. Now what?

That's easy !

$ wine iexplore.exe
err:win32:PE_fixup_imports No implementation for SHLWAPI.dll.249(StrRetToStrW) imported from C:\windows\system\shdocvw.dll, setting to 0xdeadbeef
wine: Unhandled exception, starting debugger...

ah, well. "apt-get install mozilla" , then I guess...

Only 5.5 and 6.0?

I had two users today get the Nimda.E variant via email. It had an interesting header that was included from an html formated email's iframe . . .

Content-Type: audio/x-wav; name="sample.exe"
Content-Transfer-Encoding: base64

I'll leave out the actual format of the email's html. But what happened was Windows tried to run sample.exe right after previewing. No popup box, no nothing. And this was using Outlook Express 5.0 It was a good thing that the virus software saw the executable as a Nimda. If they had sent a format.exe that would have been it for the two user's data.

Microsoft said that only 6.0 was affected?

Or is this something different than what they have supposedly patched?

Re:Only 5.5 and 6.0?

[MrResistor]

Microsoft said that only 6.0 was affected?

No, they said they were only supplying a patch for 6.0 and 5.5SP2. Everyone else has to upgrade before they can apply the patch.

Even weirder...

[oGMo]

What if it was the reverse. The DOJ gives MS leniency, but calls in a favor with the FBI to announce some "Magic Lantern" spyware, and suddenly open projects become very popular....

...naw. ;-)

scariest thing on that page

[Rai]

How to uninstall

Uninstall is not available

Re:scariest thing on that page

[RazzleFrog]

Usually interim patches are not uninstallable. Only when an official service pack is released can you uninstall it.

Off Timing

[perdida]

I wouldn't install any Uber-Patch in this day and age of Microsoft vertical integrated software/Magic Lantern/Ashcroft.

A cheer for code you can verify yourself before you trust it to secure your computer for you.

Re:Untill the next one is found next week

[Webmoth]

Reminds me of a pair of pants my neighbor had. So many patches there wasn't any original fabric left.

It's not just IE - other apps need this!

[PacketMaster]

It's also important to note that it's not just users of IE as their browser that are affected by this bug. Lots of Windows programs took a shortcut (Eudora being a prime example) and used MSHTML.DLL as the rendering engine for their application. Any application that displays HTML and uses MSHTML.DLL and has IE5.5 or IE6 should install this patch IMMEDIATELY.

Re:It's not just IE - other apps need this!

[neonstz]

It is possible to turn off the use of IE (or whatever) for displaying mail in Eudora. In Tools->Options->Viewing Mail just uncheck the "Use Microsoft's Viewer" checkbox. (I'm using Eudora 5.1 btw.)

tee hee

[Frac]

Michael exaggerated this exploit beyond belief:

If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten.

Good grief! Can somebody link to the tens of thousands of "designed for IE" webpages that are currently incompatible as a result of this patch?

In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.

Eerrr.. a proper "fix" of Michael's previous article probably involves a higher level of computer literacy, and less impulsive urge to write expository essays that sound dramatic, but are wrong.

Re:tee hee

[DeadMeat+(TM)]

Good grief! Can somebody link to the tens of thousands of "designed for IE" webpages that are currently incompatible as a result of this patch?

Well, there would be a problem, but it's not something awful IE-specific HTML brought about. Since IE half-ignores MIME types, servers that don't have proper MIME types set up could suddenly have file associations break on their Web page. I was recently asked by someone about a problem they were having with .M3U files getting downloaded as text or being asked to be save them to disk in anything but IE. Turns out the Web server didn't have a MIME type set up for M3U files, and the guy who ran the server just argued "it works fine in IE."

So yeah, it would be a kinda big problem, and it's Microsoft's fault (if they wouldn't have set up a brain-dead policy of not handling MIME types properly then the servers would have been set up right to begin with). But it's not a "Designed for IE" page thing, and I doubt it's in the thousands of pages. Most pages that don't get the kind of traffic where somebody would notice bad HTML (e.g. homepages) are hosted on GeoCities/Angelfire/whatever which already have MIME types set up right.

Re:tee hee

[zerocool^]

Good grief! Can somebody link to the tens of thousands of "designed for IE" webpages....


Sure! Here ya go!

~z

Re:not too bright

[jvj24601]

I downloaded the 2.15 mb patch. I try to run it, and I get a prompt that I need IE5 Service pack 2 installed. That's it, it doesn't supply a link, it doesn't try to download it, nothing. Microsoft rushed this one out.

The update only works with IE 5.5 or 6.0. You might be running 5.0.

Interesting note: If you read the bulletin and click on the Technical Details submenu, you'll find the worst part:

"Microsoft tested Internet Explorer 5.5 and 6.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer eligible for hotfix support."

As someone who does some sysadmin stuff at work, I didn't know this before. This means that a large majority of users (as far as my limited experience goes) that still use IE 5.0 will still have exploit available that won't be tested nor fixed. Wow...

Re:Protecting customers

[Webmoth]

Microsoft is like a condom. It'll protect you, but if you use it, you're screwed.

Fast Patching.

[saintlupus]

Well, it's certainly a good thing that there are so many people looking at the source to produce a patch...

er....

Never mind.

--saint

Oh, come ON.

[corky6921]

The news article about Magic Lantern, which you apparently failed to read when it was posted to Slashdot, contains the following text:

"When asked if Magic Lantern would require a court order for the FBI to use it, as existing keystroke logger technology does, Bresson said: 'Like all technology projects or tools deployed by the FBI it would be used pursuant to the appropriate legal process.'" (my emphasis)

So unless the FBI has gotten a court order against the 84.8% of web surfers who use Internet Explorer, this is pure FUD.

Sheesh.

Re:Oh, come ON.

[TWR]

FBI it would be used pursuant to the appropriate legal process.'"

I guess we better read those End User Licence Agreements a lot more carefully from now on ;-)

-jon

Re:who cares?

[(H)elix1]

No, it does not patch Mozilla... but since Microsoft merged the browser into the OS, think of it more as a kernel patch for those running the Win32 version of Mozilla (grin)

Re:Attribution where attribution is due, please...

[Pfhreakaz0id]

You're kidding, right? That joke is an old Mac joke dating from the win 3.x days ("the box said Windows 3.1 or better, so I installed Mac OS whatever")

Re:Untill the next one is found next week

[Junks+Jerzey]

Reminds me of a pair of pants my neighbor had. So many patches there wasn't any original fabric left.

Just like any large software project, including the Linux kernel, KDE, Mozilla, you name it.

Slashdot Inconstancies

[Captain_Frisk]

Seriously guys calm down.

Yesterday you bashed MS for not going public about anything, and now you bash them for patching the program. Short of open sourcing everything, is there anything they could do that would appease this croud?

They might not get it right on the first try, but they do fix their bugs, and i think this was fairly timely, especially given the size / scope of IE.

Re:Slashdot Inconstancies

[fumble]

... is there anything they could do that would appease this croud?

I think you hit the nail on the head. The answer is "no." The fact remains that this community has seen M$ do some nasty things, and now they've formed their opinion (and that's just fine). Regardless if M$ does something right, it really doesn't matter. Imagine if one day at school, the bully that usually pounds your ass into the ground held the door open for you ... you probably wouldn't buy it for a second. Or maybe if Barry Manilow actually put out a mildly good song ... would you admit to liking it? I wouldn't :P

Re:Slashdot Inconstancies

[bughunter]

Imagine if one day at school, the bully that usually pounds your ass into the ground held the door open for you ...

I'd wonder what the hell he was up to and look for another door!

Gee... you hit on a pretty good analogy there.

Re:Slashdot Inconstancies

[Erris]

No inconsistency here. Does anyone think this patch will really make M$ any harder to crack? Is anyone here less than amazed by all the shit M$ consumers have to go through to continue to be screwed? All the insane and evershifting versioning and names for their "products" Is it possible to see three steps happen the same way on that upgrade train? Why do people keep doing it to themselves?

Re:Download URLs - Must Have 5.5 SP2

[Cy+Guy]

for IE5.5 for IE5.5:
http://download.microsoft.com/download/ie55sp2/s ec pac23/5.5_SP2/WIN98Me/EN-US/q313675.exe

Note, that is for IE 5.5 SP2 if you have SP1, or plain vanilla 5.5, you will first have to upgrade, so you may want to wait till a full release with the patches is available. SP2 is 17MB download.

Anyone know what the equivalent version is if you have the AOL version of IE? (not that I do) but you can imagine AOL will be slowed to a crawl if every single user must get an upgrade first to SP2 or IE6, then get this patch. When - oh - when will AOL finally become browser neutral or go entirely to Netscape/Mozilla?

Sensationalism courtesy of /.

[fumble]

Warning: mild flamebait.

Remember Michael's over-the-top misinformed rant about this 3 days ago?

... they refuse to provide any information about when a patch might be made available, if ever.

I'm surprised he posted this fix, kinda points out how far off base /. was a short 3 days ago. Hey, I'm no M$ fan and I kinda expect some opinion on /. posts ... but there comes a point when it turns into yellow journalism and becomes childish M$ name calling.

Re:Sensationalism courtesy of /.

Michael was right. Microsoft refused to release any information about when a patch would be available until a patch was made available.

What's the problem?

More sensationalism courtesy of fumble (you dropped the ball).

Re:Sensationalism courtesy of /.

[juju2112]

Why does every feel that it's necessary to bash the story posters? It almost seems like people are making a point of it on every story.

Can they not give their opinion on something? He's allowed to be wrong -- he's a person for chrissakes.

Been there, done that

[LittleGuy]

Require domain logins, don't even provide local logins to the machine. Then, as part of the logon procedure, use a logon script. Look in the patch archive to find the list of files it updates. In the logon script, check the timestamp on three of them and if they're out of date, run the updater.

The patch that blew up this approach for us was MS01-50. It had two critical patches to apply at the same time, and the system tried to apply both at once, when you needed a reboot for each. Guess who was "volunteered" to re-patch the machines.

*sigh* It's Friday afternoon. Time to go home. No more f*cking patches to do.

Re:Been there, done that

*sigh* It's Friday afternoon. Time to go home. No more f*cking patches to do.


Not so fast, buster. First we need you to change the toner cartridge on the LJ4 up on third floor.

hup-hup to it, now, IT boy. The girls in the secretary pool don't call you 'sysadmin' (while smirking) for nothing.

What about using Opera?

[BCGlorfindel]

"IE is the best browser out there. Check ANY review. " Maybe it's just my opnion, but I the opera http://www.opera.com is better. It's faster and in my experience far more stable on NT and in 2000. Most reviews to date ignore or are unaware of opera's existence. Give it a try. I do however agree with your overall point, people to need be a little less biased on slashdot. Just dont step too far pointing it out with dubious statements like the above as it will only result in the people your talking to ignoring you as ignorant. Though I'm not sure they won't simply because they disagree. The line between troll and zealot is kind blurry.

Great

[El_Smack]

Now Microsoft will get Slahdotted. One more reason for them to hate us. *sigh*

Win2K still ships with IE 5.0, right?

[Animats]

Does Windows 2000 still come with IE 5.0 in the box? I have a new system purchased this year, with the current Win2K service pack installed, and I still have IE 5.0.

Of course, I don't use IE.

No brainer...

[sterno]

How many gaping security holes has Mozilla had?

The BEST is all in how you measure it, non?

Although realisitcally this isn't so much a flaw in IE, rather it is a flaw in the tight integration of IE and windows. How many of the major Microsoft security problems it the last couple of years can be directly tied to the integrations between the operating system and the applications? Frankly I can't think of many that aren't directly attributable to that.

It all boils down to the usual sacrifice of security for convenience. A computer in a 6 foot thick block of concrete at the bottom of the ocean is very secure and nearly unusable. Microsoft has chosen to focus more on convenience and their security must pay the corresponding price.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Attribution where attribution is due, please...

[MeowMeow+Jones]

But you forget, noone on slashdot believes in Intellectual Property. Providing attribution would imply ownership.

I turned off Active Scripting to be secure

[Pinball+Wizard]

Using Microsoft's own recommendations for making Internet Explorer and Outlook secure I disabled Active Scripting.

By doing so, I can't get to Hotmail, can't sign in to Passport, and most importantly, can't access Windows Update.

Hey, anyone astroturfing for Microsoft! Your own security recommendation means people can't access your sites. I am NOT turning on active scripting(i.e. disabling a security measure) so I can get the fix.

You guys need to make your site work without Javascript. Sheesh. How can anyone take you seriously?

Re:I turned off Active Scripting to be secure

[dR.fuZZo]

You guys need to make your site work without Javascript. Sheesh. How can anyone take you seriously?

Seems pretty professional to me. Some of the finest porn sites do that.

Re:I turned off Active Scripting to be secure

[Pinball+Wizard]

troll

moron

just read the fucking help file.

How about making a site that doesn't require javascript? Really, who's the moron here?

I'll assume you were one of the $MS astroturfers I referred to. Needless to say, I no longer trust Microsoft and will no longer be using javascript in IE, even for your site.

Your company has lost a lot of business by the very same attitude you just showed in your post. Next year, I will not be renewing MSDN, and customers that I use to sell Microsoft products to will be steered toward Apache, Oracle, and Unix.

Yeah you can call me a moron, or you can go back to work and fix your broken site. Well I guess I already know what will happen.

Re:I turned off Active Scripting to be secure

[hyoo]

You are concerned over security, yet you use hotmail and passport?

Re:Download URLs - Must Have 5.5 SP2

[Quizme2000]

Ok, for us crusty corporate types that have IE 5sp2, are we vunerable to these security bugs? My company uses mozilla that has been tweaked for our browser, but they are on windows machines. I still haven't got a IE free windows machine without crashing it. And upgrading these 2500 client machines will cost a chunk of change and time for our small IT department. This sucks we work hard to keep MS from costing money, but still sell to thier customers.

Does anyone else feel immoral?

[Sludge]

I've been thinking about this for a long time, and it's time I asked my peers at slashdot- Does anyone else feel immoral browsing the web with an Internet Explorer USER_AGENT? I'm going to state what seems obvious to me:

• Company designs nice website with features that are only supported with IE.
• Company realises that Netscape market share is too high to do these cool things, so they downgrade their website. Animosity is felt towards the browser not developed for (in my experience this goes both ways)
• Company waits a year and a half, and ends up re-evaluating their Netscape support position based on their current USER_AGENT stats showing 95% IE clients.
• Company switches webpage to use proprietary and non standard technologies, locking us alternative software people out of another website.

By this logic, which I feel is a common path for businesses to take, using Internet Explorer and letting webmasters know that you do will harm our freedom to choose our client software in the future.

I don't understand why no one else has come forward and stated that they feel this way. For this reason, I refuse to use the software except in situations where it's seriously inconvenient to do otherwise.

I don't mean to be alarmist. If the web is only accessible from IE, a project will be started to supply a proxy for other browsers which interprets the data from the web server and converts it to nice, standardized HTML. This could get kludgy, and is the worst case scenario I see.

Re:Does anyone else feel immoral?

[90XDoubleSide]

A major problem that users of alternative browsers will encounter is that many webmasters use JavaScripts that only enable advanced features or let users view the site at all if they have an IE USER_AGENT, thus forcing people to spoof their USER_AGENT and killing server stats for alternative browsers. I have personally seen sites like this where I go to a page and it doesn't work/doesn't work correctly, then I change my USER_AGENT to IE, hit reload, and the site works perfectly.

A good solution to this problem is having the browser identify itself to the HTTP server as what it really is (so that it will be logged correctly) and identify itself to JavaScripts as another browser (so that the site will work correctly). This feature is in the prerelease versions of OmniWeb 4.1.

Re:Does anyone else feel immoral?

[istartedi]

Does anyone else feel immoral browsing the web with an Internet Explorer USER_AGENT?

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Cu rr entVersion\Internet Settings] "User Agent"="Mozilla/Church Lady 3.01"

Would that make you morally superior?

Re:who cares?

[gmhowell]

Actually, I think the server logs show that either a bunch of people on /. use IE, or a bunch of people on /. changed their http-client string.

CT has mentioned it in the past. Granted, a smaller percentage use IE here than, say, www.yahoo.com, but it is still a significant (and if I remember, majority) browser.

Remember, lots of us are on here from work where we have no choice (I actually have the choice of Mozilla/Netscape, but am too lazy to install it, as IE 5.5 seems okay)

I just installed it

[MrResistor]

Strangely, it actually seems to be faster. I can't say I've ever had that experience when upgrading a Microsoft product. Could just be that new code smell going to my head though...

Hmm..

[Mike+Hicks]

Hey, I just tried updating my system through Windows Update. I wasn't prompted for anything, and I haven't updated my NT 4 box for about a week. Does this mean that I already got the patch a week ago, or has Microsoft not put it on Windows Update yet?

If it's just not in Windows Update, shame on MS. That is the only place I go for updates. I don't waste my time wading through all of the other crap on MS's website.

/me strokes debian woody..

Re:not too bright

[MrResistor]

Nothing new there, that's how all MS updates are. Hell, I can't install MS Office SP2 or some of the SP1 security fixes because our CDs aren't SP1. They're all SP0, and we upgraded to SP1 from windowsupdate.

Re:not too bright

[TheAwfulTruth]

Not informative at all. Here's the real information: The patches can be applied to IE 6.0 OR IE 5.5 SP2 ONLY. If you do not have either of those you need to upgrade to one of them then apply the appropriate patch.

If you have not already upgraded to these versions then you are (and have been ) vunerable to numerous PAST holes. So if you haven't bothered to upgrade by now, why do you care about patching all of a sudden?

Please mod me up to 5 now thank you.

IE the Best?

[zelyan]

I'm not a Karma Whore, as my karma will immediately show, so please don't think I'm saying this just for the points. I'm not convinced that IE is the best out there.

For years I used Netscape and loved it, up through about 4.0 (4.5-7 are bad, bad, bad). I even used 4.7 for a long time, before finally deciding that I just couldn't live with the shitty rendering, slow reaction time, and general bugginess. So I tried IE, just to see how bad it was.

And it was amazingly fast, clean, and surprisingly not crashy, considering it was Microsoft's. Slowly, I started to accept that IE was the best browser out there. And I used IE, and netscape actually disappeared from my computer.

Sure, I tried Mozilla, and Netscape 6.0 and 6.1. Quite honestly, they're crap. They're slow, not particularly stable, and ugly. But mostly they're just slow, fucking slow. It's not just loading the program, it's also in large part that I open a page and Mozilla takes about three times as long to render as IE.

But when I read that security page the other day, I found a new program to try. So I tried it: Opera. I last used Opera on a mac a couple of years ago, when it was small, shitty, buggy, and lacking features, like security. So I wasn't really expecting anything.

Opera is fucking brilliant. It's fast--it's actually faster both to load and to render pages than IE. It gets rid of a lot of the useless shit that IE throws up--like dialogs to go from secure to insecure. It has security, it has a full feature set (at least, all the stuff I use, like plugins and java and working pages). It lets me use the keyboard more than IE.

And the best part: it lets me block out pop-up windows. You have no idea how amazing a feeling it is to go to a site that throws pop-ups at me like mad and watch them, well, not load. No idea until you try it. It even pretends to be IE for pages that require IE.

I have had one page fail to load correctly--a credit card account page. But considering it loads wrong half the time in IE, it's not too bad. Still, I'm keeping IE around (and patched it) in case I find something glaringly wrong with Opera, but until that time, I'm happy with this.

Oh, did I mention it sits in _half_ the memory footprint of IE, and about a third of Mozilla?

Check it out. Opera. It's not Open Source, but then again, if we're talking about IE, we're talking about windows, so...

Jeff

Re:IE the Best?

[Xerithane]

Sure, I tried Mozilla, and Netscape 6.0 and 6.1. Quite honestly, they're crap. They're slow, not particularly stable, and ugly.

Now.. which chrome is ugly? Calling a completely skinnable browser ugly doesn't make sense.. sorry.

And, Mozilla reports less crashes than netscape 4.x ever had - so they are actually an improvement above Netscape even when you used it.

As far as speed, I'm not sure what you are doing wrong but it is very quick. I use Mozilla extensively and exclusively and it is exceptionally fast. As far as your memory foot print comment, you realize you can't accurately guage IE's memory foot print? It's threaded into the shell, too.

Mozilla still has a way to go, but anyone who thinks it's slow, ugly, and unstable obviously hasn't used it recently. Or ever, feel free to prove me wrong - but it runs as fast (faster than IE on another box of the same specs) as I could want it to.

Re:IE the Best?

[Xerithane]

I'm not giving much thought to replying to an AC,
What part of Mozilla is ugly?

Most end users (especially one who used Netscape 6/6.1) don't even understand anything beyond what they see. Therefor using your analogy is incorrect, they care about looks and Mozilla delivers fully in that aspect, and many more.

Pity you are posting AC... you could show the world how stupid your comment was.

Remember when Netscape was on top

[Shabazz]

I was just a CS undergrad at UC Berkeley. The year was '96. Netscape dominated the market. Eric Brewer (founder of Inktomi) and his group of grad students continually found security flaws in Netscape. They received a lot of press. Netscape looked bad.

It's no different with IE now. It's possible that Mozilla really is less flawed than IE, but I guar-an-tee that if it had 85% of the market, we'd be hearing about security problems all the time. I'm not a MS apologist, I just want to shed some light.

Pursuant to Appropriate Legal Process != YES

[Jon+Howard]

Note that the segment you highlighted did not say "YES" - why do you suppose they didn't say yes?

Re:Happy Friday

[SuiteSisterMary]

Step 1: Download patch.
Step 2: load onto test box. Start tests.
Step 3: Works great. Create SMS package.
Step 4: Schedule SMS to install the package Saturday at, oh, say three PM.
Step 5: Send out yet another email reminding users that if they don't leave their computers on over the weekend, the full virus scan, software updates and disk defrag that would have run, will infact run on Monday when they come in, and it will NOT be stopped, and their managers know this, even if they don't.
Step 6: Profit!

Don't be immoral

[Weasel+Boy]

For all the reasons that you state, I:

• do not write web pages that work only in IE or Netscape. If your page doesn't work in Lynx, it doesn't work.
• do not falsify my USER_AGENT. When I'm using iCab, your server sees iCab.
• do not use Internet Explorer at all. If your page doesn't work in iCab, Opera, or Netscape, then I don't need to do business with you.

This qualifies more as "troll" than "flamebait"

[oGMo]

Flamebait is typically written to elicit strong emotional response and name-calling from the target audience... this falls under the "troll" category which gives a more subtle feeling of disturbance, saying something usually inaccurate or incorrect in a seemingly reasonable manner to generate lots of "discussion". Let's go point-by-point:

Remember Michael's over-the-top misinformed rant about this 3 days ago?

Seeing as michael's story was neither misinformation nor an over-the-top rant (read the story), this plays on the popular opinion that slashdot gets a lot of stuff wrong all the time, as well as our obvious anti-Microsoft bias, to pretend that it was in fact an over-the-top misinformed rant.

... they refuse to provide any information about when a patch might be made available, if ever.

I'm surprised he posted this fix, kinda points out how far off base /. was a short 3 days ago.

Did they provide information about when a patch was available? At the time, they did not, so this is hardly misinformation. Whether they release a patch today or three months from now, "no information" is still "no information".

Hey, I'm no M$ fan and I kinda expect some opinion on /. posts ... but there comes a point when it turns into yellow journalism and becomes childish M$ name calling.

Correct me if I'm wrong, but I believe "M$" is childish name calling. "If it agrees with me, it's opinion, otherwise it's bias": This just about sums it up. There is nothing wrong with bias; there is no way to avoid it, claiming something is unbiased is a great indication that something is trying to be intentionally misleading. I read slashdot because the bias mostly agrees with my own. Perhaps your time would be better spent looking for a more agreeable forum, instead of trolling on this one.

all "known" vulnerabilities

[Jettra]

In the spirit of legal debate over the meaning of the specific usage of words, what is meant by 'known'?

Since Microsoft anounced it's policy of attempting to keep the lid on the security holes that exist within it's software, I would assume that 'known' means ones that they are willing to reveal to us.

So the word 'all' preceeding 'known' has no meaning since Microsoft itself admits to witholding the true extent of the damage its software can do to your system through security holes.

I consider this another decietful marketing attempt to make consumers feel safe about their products despite their worse than poor track record. They may not be outright lying, but there planting the seeds for others to do it for them. How many sysadmins will now send out an email saying that "IE will be free from all security bugs by installing this patch"? Of course that is a lie.

Can't turn off search-from-toolbar??

[I-man]

Interesting. After installing this patch, I typed in some garbage to the address bar to make sure it was still seeing my proxy (which should display a custom no-such-address page).

What happened? That bloody search-from-the-address-bar thingy had turned itself on. Oh well, I say, just go to Options -> Advanced -> Do Not Search From The Address Bar. I do this, type in "asdfa sdfsdfsa dfwer" (note the spaces) and POW: search-from-the-address-bar turns itself back on.

Much the same thing happens if you change the option and then restart IE.

WTF?

Won't even install!

[GeckoX]

Cute!

Tried installing the 6.0 UberPatch on 2 separate boxes now, both running W2kPro sp2 with IE 6.0 installed with VS.NET beta2.

(IE v. 6.00.2462.0000 to be exact)

The installation quits with an error telling me I must have IE 6.0 to install.

Also seen as mentioned above similar effect on 5.x versions other than 5.5 with that version install.
Leaves me not exactly feeling warm and fuzzy about whether the actual patch will really patch the holes it's supposed to or not!

Re:Won't even install!

[Kevinb]

(IE v. 6.00.2462.0000 to be exact)

2462 is not the final release build of IE 6. I think that's IE 6 beta 2, or maybe the "public preview" that went out before XP shipped.

The shipping version of IE 6 is 6.0.2600.0. If you go to Windows Update you should be able to install it, and then after you do that install the patch.

Re:Download URLs - Must Have 5.5 SP2

[Gaijin42]

Supposedly ie 5.5sp2 and ie6 do not run java. However, I have ie 6 as included with XP. If I go to http://java.sun.com/applets all the demo applets run just fine.

Shrug

Re:M$ is a string variable

[oGMo]

I stand corrected. :-)

IE Vulnerability Page

[djaxl]

Check out http://www.guninski.com/browsers.html.

Re:Ahhhh GOOD!

[Anonymous+DWord]

They got snakes out here this biiiig?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Update.

[ImaLamer]

Gee thanks... who would think the last place to look would be the first?

Why isn't this on windows update ... IE is a part of the OS right?

in any group there will be inconsistencies

[David+Jao]

Yesterday you bashed MS for not going public about anything, and now you bash them for patching the program.

Slashdot is a group, and a group can have diverse opinions. Unless you can produce examples of the same individual adopting both these views, there is nothing inconsistent to cry about.

In MS we trust.

[doodleboy]

I would just like to say at the outset that I am not a raving nut. But I have puzzled at the unusually close relationship between Microsoft and the Bush administration. And consider the following disclaimer from the End User License Agreement (EULA) at passport.com:

.NET Passport will disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to:

. . . d. Act under exigent circumstances to protect the personal safety of users of Microsoft, the .NET Passport Web Site, or the public.

With the recent terrorist activities and the sweeping new anti-terrorist legislation, any "exigent circumstances" could be said to be met as a matter of course. So what guarantees do we have that MS and the gov't doesn't have a secret agreement in place to continuously sift and profile all the data (OUR data) that the .Net databases will surely contain? And is there a person on the planet who believes that MS wouldn't use its users privacy as a bargaining chip to extract a favourable deal from the gov't? (Not that they ever had any respect for it before, of course.)

Re:Show me proof

[Trepidity]

...which is why I use Opera v6.0 on Windows. =P

Re:Sucky Patch..

[Chris+Johnson]

They haven't got the bugs worked out of the Magic Lantern code yet :D

Re:Keeping track of the total MB of IE Patches

[SuiteSisterMary]

Like somebody else said, "Release early, release often...unless it's Microsoft. Then, deride them for not getting it right the first time."

A little late for that.

[fm6]

IE itself is the ultimate trojan horse!

Re:Attribution where attribution is due, please...

[Pfhreakaz0id]

how would that work. doesn't Mac run on a different architecture?,/p>

Yes, my mistake. The original was "The box said Windows 3.1 (or 95) or better, so I bought a Mac". My bad

Actually, it's quite simple (was Re:Uber Patch)

[Enahs]

The folks who actually care about the news on /. are most likely MacOS/*n?x users using a variety of browsers.

The trolls and other people who don't care, the people who're just here to ruin the experience for everyone, use IE on Windows.

Simple when you think about it, really. And it makes sense.

Oh, I know; I have no proof. But hell, it'd be funny, wouldn't it?

Re:Actually, it's quite simple (was Re:Uber Patch)

[Enahs]

Linux isn't for desktop, I dislkike macos, that leaves windows.

Linux isn't for the desktop? Damn. I've been such an idiot for the last 5 years. This easy-to-use KDE2 desktop I'm using right now (I just backed up /var/cache/apt/archives by opening the dir in Konqueror, right-clicking, and choosing "create ISO image", which fired up KreateCD, and one click on "Burn CD!" burnt a CD. Wasn't that hard?), despite the fact that it's so damned easy to use, isn't for the desktop.

Nevermind that I installed an IDE CD-RW drive last night, and it took me a fraction of the time to set up under Linux than it did under Windows The software bundled with the drive managed to hose several "trivial" files like SYSTEM.INI. And then, after reinstalling Windows (yep) I had to go through 12 different sequences of steps to get my video card's drivers working again (a Voodoo3 2K, which is very well supported...at least under Linux.) Windows is certainly more ready for the desktop, yessir.

really wild and crazy folks ...

[Erris]

you're nuts if you put a Windows box directly on the Internet

And you are nuts if you put one behind the firewall where any old Outlook or MSIE flaw will put a keylogger, sniffer or what ever. What's the point of a nice little firewall when some goon can soap his way through the browser?

I suppose you just have to be wild and crazy to use M$ at all. Look at what your money buys: a poor security model with intentional bypasses, monthly crashes, Magic Lantern, WMP sound, Digital Rights Management (now patented!), remote kill switches, and the opertunity to pay again and again. What a bargain, but spending is good for someone else's economy so party on, fanboy!

Posted using Mozilla, running through a secure shell from a 650MHz Athlon to my punny little 150 MHz Pentium laptop on my lap in my bed. Try that with M$ garbage. What MSIE won't run in 24MB RAM? What Billy G won't let you run coppies of it on more than one machine at once? Where did you want to go yesterday?

Re: Mozilla?

[Xerithane]

Try a recent build, much much much more stable (since 0.9.4 - on my laptop I had some weird issues with it, but otherwise it's been very solid) and it is pretty speedy since 0.9.2 - Opera is still the choice for quick browsing though, but I just can't get past the interface.

As for the search pane, yeah - I am with you, that irritated the living hell out of me.. till I disabled it 2 minutes later ;)

Re:Untill the next one is found next week

[ThatComputerGuy]

Except that those projects are always undergoing version changes, which requires addition and possibly change of existing code.

How many patches are there to KDE 2.2? And IE 5.5?

Re: Mozilla?

[crealf]

Additionally, I'll puke before I will allow my browser to decide to open an extra "pane" on the screen when I use Google, which is every few minutes for me.

Agreed, they should had a button "Disable this feature forever" in this pane. I was relieved later to discover that it could be disabled in the "Preferences" menus.

Alternative solution (funny)

[edunbar93]

Actually, I think that if you send out an e-mail virus that patches IE automatically and then propogates itself, that would work quite well, despite the fact that you've been screaming and shouting for people never to open e-mail attachments. Just remember to use a subject line like "free porn!" ;)

Re:who cares?

[Wakko+Warner]

Oh, come on. I'm sure SOMEBODY here runs IE in WINE! Or is forced to use it only at work!

- A.P.

Well if everyone here got bullied by MS...

[Otis_INF]

But I hardly think that's the case. Most MS-bashers are just following a loud-mouth because it makes them belong to some group, be popular in some weird way.

For the people who got bullied by MS, agreed, you have a point, for the rest of them (imho a majority): they should grow up.

Isn't this like PHB's reading Dilbert, kinda?

[leonbrooks]

a significant protion of the readership *does* use IE

Isn't this like PHB's reading Dilbert... and not getting it, either?

How many of those were IE for Mac? Until the advent Mozilla, that was a pretty reasonable choice. Things like fixed-position HTML objects actually worked.

Probably the Uber-Patch installs Linux in a VM and runs IE under that. (-:

You'll probably find that your soundcard works now

[leonbrooks]

...at least, that's the traditional thing for an IE patch to do. (-:

Netscape PlugIns

[Corrado]

Waht effect does this have on IE 5.5 in releation to the removal of the Netscape PlugIn architechture? I don't want to install this "patch" if it removes my ability to use NS plugins.

Comment removed

[account_deleted]

Comment removed based on user account deletion

another good question;

[jafac]

how many fucking reboots to apply THIS one?

I swear, every goddamn time I go to Microsoft's update website, it's threee reboots minimum. IE service pack update, SP update, critical updates, application compatability update, security update.

I thought that with NT, reboots would never be needed (that's what they were saying back in the 3.0 days) - and of course, the "rare" occasions where a reboot was necessary, they promised to fix those in 4.0. Well, now I'm running Win 2000, and I feel like I'm rebooting more often than I did with Win95.

Don't worry, I run Linux at home. 2000 at work where it's mandatory, lest the jack-booted IT thugs hunt me down as a "terrorist".

Re:Untill the next one is found next week

[dzym]

One word: apache quoted from the FAQ

Why the name "Apache"? A cute name which stuck. Apache is "A PAtCHy server". It was based on some existing code and a series of "patch files".