Uber-patch for Internet Explorer

malevolence writes: "According to The Register, Microsoft has released an Uber-Patch for Internet Explorer that fixes all known security problems, as well as 3 new ones, including the content-type issue that was reported on slashdot a few days ago."

Uber Patch

[IgnorantKnucklehead]

What does the "uber patch" do, install Mozilla?

Re:Uber Patch

[Negadecimal]

Or better, Magic Lantern.

It'd be the perfect trojan horse... MS gets leniency from the DOJ in exchange for some...favors.

Re:Uber Patch

Sorry to break it to you, but a significant protion of the readership *does* use IE. Rob used to publish statistics on this and stopped for obvious, embarassing reasons.

Re:Uber Patch

[ncc74656]

That would require that a significant portion of Slashdot users use IE.

...and you're implying that they don't? It's not like there are many options...Konqueror and Mozilla aren't all there yet, there seems to have been some sort of stink lately WRT Opera, and there's no way in hell that I'd use Nutscrape. Not everyone who reads /. is a flaming anti-MS zealot...MS has its warts (you're nuts if you put a Windows box directly on the Internet), but then so does nearly everything/everyone else.

Re:Uber Patch

[slashdot_commentator]

Hmmm, I don't recall any version of IE working for linux. Perhaps the underlying truth is more embarrassing than we realize...

Nah, probably working stiffs who are stuck on NT/2K/Win9X boxes at work...

What a ripoff.

[Mike+Schiraldi]

Boy, Microsoft sucks. This patch doesn't even address future, yet-to-be-discovered vulnerabilities.

Re:What a ripoff.

[SubtleNuance]

...no but it probably introduces a few...

MS Craziness

[Fatal0E]

Just when I thought that I knew the difference between a Service Pack, Security Rollup Patch and a cumulative Hot Fix they go and release a Security Bulletin like this one.

Re:MS Craziness

[Chundra]

Ok it's easy:

Service Packs are the small, 6-8oz cups with the foil tops. They usually contain yogurt or pudding.

Rollup Patches are dried fruit puree attached to thin plastic wrap. You tear the fruit substance off the plastic before eating.

Hot Fixes are the things you remove from the plastic bag and put in the microwave. They usually consist of some sort of bread substance with a meaty and/or cheesy filling.

Hope that clears things up.

All in one patch is 1/2 the solution

[Rev.LoveJoy]

This is a step in the right direction, but I still have to install the thing on every single g-damn peecee in my enterprise.

For those of us with less than a few hundred MS clients (read: fewer clients that would make usefull something as heinous as SMS push upgrades) the issues are still very clear:

1). It takes too much time to keep up on MS software patches.

AND

2). Once you know what you need you still have to go box to box to box to patch (in *most* cases).

Granted the 'uber-patch' will help, but it still means I need a couple more inters to walk from machine to machine and interrupt users. IMO, patch managment tools should be MS's #2 priority (right behind 'getting it right the first time').

Cheers,
-- RLJ

Re:All in one patch is 1/2 the solution

[michaela]

I have found two solutions around this (although I agree about SMS pricing).

1. Require domain logins, don't even provide local logins to the machine. Then, as part of the logon procedure, use a logon script. Look in the patch archive to find the list of files it updates. In the logon script, check the timestamp on three of them and if they're out of date, run the updater.
2. Install VNC server on the user stations and set it to run at bootup. Then you can do nearly any administration task short of recovering from a complete blowout without leaving your desk. Do it after hours and you can reboot the machines right away. Or, use parts of #1 with a logout script instead to reboot the machine the next time they log out.

For IE 5.5 users

[The+Bungi]

This does not appear to be a service pack, and the target builds listed for the hotfix are only IE 5.5 SP2 and 6, so you'll need to head here to get yer SP and then install the hotfix (get directly to it from here).

It seems unlikely that the SP2 for 5.5 includes this as of right now, although it will eventually (I know sometimes I'll download an SP and take a few days to actually install it). Check your versions before you plunge your box into browser hell =)

Download URLs

[nstrom]

Here's the direct download URLs, so you don't have to wade through MS's crufty site:

for IE6:
http://download.microsoft.com/download/IE60/secpac 23/6/W98NT42KMeXP/EN-US/q313675.exe
for IE5.5:
http://download.microsoft.com/download/ie55sp2/sec pac23/5.5_SP2/WIN98Me/EN-US/q313675.exe

These updates have not yet appeared on Windows Update.

Only 5.5 and 6.0?

I had two users today get the Nimda.E variant via email. It had an interesting header that was included from an html formated email's iframe . . .

Content-Type: audio/x-wav; name="sample.exe"
Content-Transfer-Encoding: base64

I'll leave out the actual format of the email's html. But what happened was Windows tried to run sample.exe right after previewing. No popup box, no nothing. And this was using Outlook Express 5.0 It was a good thing that the virus software saw the executable as a Nimda. If they had sent a format.exe that would have been it for the two user's data.

Microsoft said that only 6.0 was affected?

Or is this something different than what they have supposedly patched?

Even weirder...

[oGMo]

What if it was the reverse. The DOJ gives MS leniency, but calls in a favor with the FBI to announce some "Magic Lantern" spyware, and suddenly open projects become very popular....

...naw. ;-)

Re:Question for michael...

[FortKnox]

I have to agree about the anti-microsoft atmosphere here. Not only with this statement but all the "It deletes IE!" "It installs Mozilla!" jokes just make you people look like you are desperate to fit in. Its pathetic!

IE is the best browser out there. Check ANY review. And MS has jumped to fix a bug that everyone found (notice the GAPING HOLE in Solaris/AIX systems that still isn't patched? Why aren't you going off on that?)

Remember when you had to purchase Netscape, but IE was free?

Mozilla MAY -become- better, but it isn't, yet. If you give me that "IE doesn't run in Linux" then why are you even posting to this article?

You guys need to be less Open Source/Anti-Microsoft Zealotous.

I'd post anonymously to preserve karma, but the authors already know my IP (see sig).

Re:Untill the next one is found next week

[Webmoth]

Reminds me of a pair of pants my neighbor had. So many patches there wasn't any original fabric left.

It's not just IE - other apps need this!

[PacketMaster]

It's also important to note that it's not just users of IE as their browser that are affected by this bug. Lots of Windows programs took a shortcut (Eudora being a prime example) and used MSHTML.DLL as the rendering engine for their application. Any application that displays HTML and uses MSHTML.DLL and has IE5.5 or IE6 should install this patch IMMEDIATELY.

tee hee

[Frac]

Michael exaggerated this exploit beyond belief:

If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten.

Good grief! Can somebody link to the tens of thousands of "designed for IE" webpages that are currently incompatible as a result of this patch?

In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.

Eerrr.. a proper "fix" of Michael's previous article probably involves a higher level of computer literacy, and less impulsive urge to write expository essays that sound dramatic, but are wrong.

Re:tee hee

[DeadMeat+(TM)]

Good grief! Can somebody link to the tens of thousands of "designed for IE" webpages that are currently incompatible as a result of this patch?

Well, there would be a problem, but it's not something awful IE-specific HTML brought about. Since IE half-ignores MIME types, servers that don't have proper MIME types set up could suddenly have file associations break on their Web page. I was recently asked by someone about a problem they were having with .M3U files getting downloaded as text or being asked to be save them to disk in anything but IE. Turns out the Web server didn't have a MIME type set up for M3U files, and the guy who ran the server just argued "it works fine in IE."

So yeah, it would be a kinda big problem, and it's Microsoft's fault (if they wouldn't have set up a brain-dead policy of not handling MIME types properly then the servers would have been set up right to begin with). But it's not a "Designed for IE" page thing, and I doubt it's in the thousands of pages. Most pages that don't get the kind of traffic where somebody would notice bad HTML (e.g. homepages) are hosted on GeoCities/Angelfire/whatever which already have MIME types set up right.

Re:not too bright

[jvj24601]

I downloaded the 2.15 mb patch. I try to run it, and I get a prompt that I need IE5 Service pack 2 installed. That's it, it doesn't supply a link, it doesn't try to download it, nothing. Microsoft rushed this one out.

The update only works with IE 5.5 or 6.0. You might be running 5.0.

Interesting note: If you read the bulletin and click on the Technical Details submenu, you'll find the worst part:

"Microsoft tested Internet Explorer 5.5 and 6.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer eligible for hotfix support."

As someone who does some sysadmin stuff at work, I didn't know this before. This means that a large majority of users (as far as my limited experience goes) that still use IE 5.0 will still have exploit available that won't be tested nor fixed. Wow...

Re:Protecting customers

[Webmoth]

Microsoft is like a condom. It'll protect you, but if you use it, you're screwed.

Fast Patching.

[saintlupus]

Well, it's certainly a good thing that there are so many people looking at the source to produce a patch...

er....

Never mind.

--saint

Slashdot Inconstancies

[Captain_Frisk]

Seriously guys calm down.

Yesterday you bashed MS for not going public about anything, and now you bash them for patching the program. Short of open sourcing everything, is there anything they could do that would appease this croud?

They might not get it right on the first try, but they do fix their bugs, and i think this was fairly timely, especially given the size / scope of IE.

Re:Slashdot Inconstancies

[fumble]

... is there anything they could do that would appease this croud?

I think you hit the nail on the head. The answer is "no." The fact remains that this community has seen M$ do some nasty things, and now they've formed their opinion (and that's just fine). Regardless if M$ does something right, it really doesn't matter. Imagine if one day at school, the bully that usually pounds your ass into the ground held the door open for you ... you probably wouldn't buy it for a second. Or maybe if Barry Manilow actually put out a mildly good song ... would you admit to liking it? I wouldn't :P

Re:Download URLs - Must Have 5.5 SP2

[Cy+Guy]

for IE5.5 for IE5.5:
http://download.microsoft.com/download/ie55sp2/s ec pac23/5.5_SP2/WIN98Me/EN-US/q313675.exe

Note, that is for IE 5.5 SP2 if you have SP1, or plain vanilla 5.5, you will first have to upgrade, so you may want to wait till a full release with the patches is available. SP2 is 17MB download.

Anyone know what the equivalent version is if you have the AOL version of IE? (not that I do) but you can imagine AOL will be slowed to a crawl if every single user must get an upgrade first to SP2 or IE6, then get this patch. When - oh - when will AOL finally become browser neutral or go entirely to Netscape/Mozilla?

Sensationalism courtesy of /.

[fumble]

Warning: mild flamebait.

Remember Michael's over-the-top misinformed rant about this 3 days ago?

... they refuse to provide any information about when a patch might be made available, if ever.

I'm surprised he posted this fix, kinda points out how far off base /. was a short 3 days ago. Hey, I'm no M$ fan and I kinda expect some opinion on /. posts ... but there comes a point when it turns into yellow journalism and becomes childish M$ name calling.

Great

[El_Smack]

Now Microsoft will get Slahdotted. One more reason for them to hate us. *sigh*

Re:Question for michael...

[SCHecklerX]

IE is the best browser out there.

Care to back this up? Have you used the alternatives? In case you missed it, here is what Moz has that is lacking in IE:

• Best CSS2 Compliance out there. IE totally screws up my CSS2 compliant web page. Mozilla, Konqueror, Opera render it properly.
• Tabbed browsing. Open separate windows, or open tabs within an existing window. Great feature for browsing slashdot, keeping similar stuff together in one window with tabs while browsing other stuff in a separate window
• Full control over what javascript functions/objects/features are allowed to execute on a per-site basis. You can even globally kill the popup on page load bullshit (the only real reason I've found to disable javascript so far)
• Cookie management on a per-site basis
• Image management on a per site basis. Allow/disallow images, stop animated gifs, etc.
• Site navigation bar for sites that use that old forgotten tag (like slashdot). This is very cool and useful.
• Proper implementation of a 'favicon' that, get this, uses ANY SUPPORTED IMAGE FORMAT, not that M$ specific .ico crap. Use a PNG and you can use alpha channels. Imagine that.
• FAST rendering engine. Much better than IE (especially in recent builds!) This is VERY significant for modem users who have to sit and wait for IE to figure out what is in a table before rendering it, while moz's engine pops it up as it comes down. Slashdot renders here in under a second.

Those are just some of the highlights of why mozilla is the better browser and quite frankly, blows away IE, even as prerelease software

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Been there, done that

*sigh* It's Friday afternoon. Time to go home. No more f*cking patches to do.


Not so fast, buster. First we need you to change the toner cartridge on the LJ4 up on third floor.

hup-hup to it, now, IT boy. The girls in the secretary pool don't call you 'sysadmin' (while smirking) for nothing.

I turned off Active Scripting to be secure

[Pinball+Wizard]

Using Microsoft's own recommendations for making Internet Explorer and Outlook secure I disabled Active Scripting.

By doing so, I can't get to Hotmail, can't sign in to Passport, and most importantly, can't access Windows Update.

Hey, anyone astroturfing for Microsoft! Your own security recommendation means people can't access your sites. I am NOT turning on active scripting(i.e. disabling a security measure) so I can get the fix.

You guys need to make your site work without Javascript. Sheesh. How can anyone take you seriously?

Does anyone else feel immoral?

[Sludge]

I've been thinking about this for a long time, and it's time I asked my peers at slashdot- Does anyone else feel immoral browsing the web with an Internet Explorer USER_AGENT? I'm going to state what seems obvious to me:

• Company designs nice website with features that are only supported with IE.
• Company realises that Netscape market share is too high to do these cool things, so they downgrade their website. Animosity is felt towards the browser not developed for (in my experience this goes both ways)
• Company waits a year and a half, and ends up re-evaluating their Netscape support position based on their current USER_AGENT stats showing 95% IE clients.
• Company switches webpage to use proprietary and non standard technologies, locking us alternative software people out of another website.

By this logic, which I feel is a common path for businesses to take, using Internet Explorer and letting webmasters know that you do will harm our freedom to choose our client software in the future.

I don't understand why no one else has come forward and stated that they feel this way. For this reason, I refuse to use the software except in situations where it's seriously inconvenient to do otherwise.

I don't mean to be alarmist. If the web is only accessible from IE, a project will be started to supply a proxy for other browsers which interprets the data from the web server and converts it to nice, standardized HTML. This could get kludgy, and is the worst case scenario I see.

Re:Does anyone else feel immoral?

[istartedi]

Does anyone else feel immoral browsing the web with an Internet Explorer USER_AGENT?

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Cu rr entVersion\Internet Settings] "User Agent"="Mozilla/Church Lady 3.01"

Would that make you morally superior?

Re:not too bright

[TheAwfulTruth]

Not informative at all. Here's the real information: The patches can be applied to IE 6.0 OR IE 5.5 SP2 ONLY. If you do not have either of those you need to upgrade to one of them then apply the appropriate patch.

If you have not already upgraded to these versions then you are (and have been ) vunerable to numerous PAST holes. So if you haven't bothered to upgrade by now, why do you care about patching all of a sudden?

Please mod me up to 5 now thank you.

This qualifies more as "troll" than "flamebait"

[oGMo]

Flamebait is typically written to elicit strong emotional response and name-calling from the target audience... this falls under the "troll" category which gives a more subtle feeling of disturbance, saying something usually inaccurate or incorrect in a seemingly reasonable manner to generate lots of "discussion". Let's go point-by-point:

Remember Michael's over-the-top misinformed rant about this 3 days ago?

Seeing as michael's story was neither misinformation nor an over-the-top rant (read the story), this plays on the popular opinion that slashdot gets a lot of stuff wrong all the time, as well as our obvious anti-Microsoft bias, to pretend that it was in fact an over-the-top misinformed rant.

... they refuse to provide any information about when a patch might be made available, if ever.

I'm surprised he posted this fix, kinda points out how far off base /. was a short 3 days ago.

Did they provide information about when a patch was available? At the time, they did not, so this is hardly misinformation. Whether they release a patch today or three months from now, "no information" is still "no information".

Hey, I'm no M$ fan and I kinda expect some opinion on /. posts ... but there comes a point when it turns into yellow journalism and becomes childish M$ name calling.

Correct me if I'm wrong, but I believe "M$" is childish name calling. "If it agrees with me, it's opinion, otherwise it's bias": This just about sums it up. There is nothing wrong with bias; there is no way to avoid it, claiming something is unbiased is a great indication that something is trying to be intentionally misleading. I read slashdot because the bias mostly agrees with my own. Perhaps your time would be better spent looking for a more agreeable forum, instead of trolling on this one.

all "known" vulnerabilities

[Jettra]

In the spirit of legal debate over the meaning of the specific usage of words, what is meant by 'known'?

Since Microsoft anounced it's policy of attempting to keep the lid on the security holes that exist within it's software, I would assume that 'known' means ones that they are willing to reveal to us.

So the word 'all' preceeding 'known' has no meaning since Microsoft itself admits to witholding the true extent of the damage its software can do to your system through security holes.

I consider this another decietful marketing attempt to make consumers feel safe about their products despite their worse than poor track record. They may not be outright lying, but there planting the seeds for others to do it for them. How many sysadmins will now send out an email saying that "IE will be free from all security bugs by installing this patch"? Of course that is a lie.

Can't turn off search-from-toolbar??

[I-man]

Interesting. After installing this patch, I typed in some garbage to the address bar to make sure it was still seeing my proxy (which should display a custom no-such-address page).

What happened? That bloody search-from-the-address-bar thingy had turned itself on. Oh well, I say, just go to Options -> Advanced -> Do Not Search From The Address Bar. I do this, type in "asdfa sdfsdfsa dfwer" (note the spaces) and POW: search-from-the-address-bar turns itself back on.

Much the same thing happens if you change the option and then restart IE.

WTF?

Won't even install!

[GeckoX]

Cute!

Tried installing the 6.0 UberPatch on 2 separate boxes now, both running W2kPro sp2 with IE 6.0 installed with VS.NET beta2.

(IE v. 6.00.2462.0000 to be exact)

The installation quits with an error telling me I must have IE 6.0 to install.

Also seen as mentioned above similar effect on 5.x versions other than 5.5 with that version install.
Leaves me not exactly feeling warm and fuzzy about whether the actual patch will really patch the holes it's supposed to or not!