Slashdot Mirror


Uber-patch for Internet Explorer

malevolence writes: "According to The Register, Microsoft has released an Uber-Patch for Internet Explorer that fixes all known security problems, as well as 3 new ones, including the content-type issue that was reported on slashdot a few days ago."

25 of 590 comments

  1. What a ripoff. by Mike+Schiraldi · · Score: 5, Funny

    Boy, Microsoft sucks. This patch doesn't even address future, yet-to-be-discovered vulnerabilities.

    1. Re:What a ripoff. by SubtleNuance · · Score: 5, Funny

      ...no but it probably introduces a few...

  2. Re:Uber Patch by Negadecimal · · Score: 5, Funny

    Or better, Magic Lantern.

    It'd be the perfect trojan horse... MS gets leniency from the DOJ in exchange for some...favors.

  3. MS Craziness by Fatal0E · · Score: 5, Funny



    Just when I thought that I knew the difference between a Service Pack, Security Rollup Patch and a cumulative Hot Fix they go and release a Security Bulletin like this one.

    1. Re:MS Craziness by Chundra · · Score: 5, Funny

      Ok it's easy:

      Service Packs are the small, 6-8oz cups with the foil tops. They usually contain yogurt or pudding.

      Rollup Patches are dried fruit puree attached to thin plastic wrap. You tear the fruit substance off the plastic before eating.

      Hot Fixes are the things you remove from the plastic bag and put in the microwave. They usually consist of some sort of bread substance with a meaty and/or cheesy filling.

      Hope that clears things up.

  4. All in one patch is 1/2 the solution by Rev.LoveJoy · · Score: 5, Insightful
    This is a step in the right direction, but I still have to install the thing on every single g-damn peecee in my enterprise.

    For those of us with less than a few hundred MS clients (read: fewer clients than would make useful something as heinous as SMS push upgrades) the issues are still very clear:

    1). It takes too much time to keep up on MS software patches.

    AND

    2). Once you know what you need you still have to go box to box to box to patch (in *most* cases).

    Granted the 'uber-patch' will help, but it still means I need a couple more interns to walk from machine to machine and interrupt users. IMO, patch management tools should be MS's #2 priority (right behind 'getting it right the first time').

    Cheers,
    -- RLJ

    1. Re:All in one patch is 1/2 the solution by michaela · · Score: 5, Interesting
      I have found two solutions around this (although I agree about SMS pricing).

      1. Require domain logins, don't even provide local logins to the machine. Then, as part of the logon procedure, use a logon script. Look in the patch archive to find the list of files it updates. In the logon script, check the timestamp on three of them and if they're out of date, run the updater.
      2. Install VNC server on the user stations and set it to run at bootup. Then you can do nearly any administration task short of recovering from a complete blowout without leaving your desk. Do it after hours and you can reboot the machines right away. Or, use parts of #1 with a logout script instead to reboot the machine the next time they log out.
      --
      That is all.
  5. Download URLs by nstrom · · Score: 5, Informative

    Here's the direct download URLs, so you don't have to wade through MS's crufty site:

    for IE6:
    http://download.microsoft.com/download/IE60/secpac23/6/W98NT42KMeXP/EN-US/q313675.exe
    for IE5.5:
    http://download.microsoft.com/download/ie55sp2/secpac23/5.5_SP2/WIN98Me/EN-US/q313675.exe

    These updates have not yet appeared on Windows Update.

  6. Only 5.5 and 6.0? by Anonymous Coward · · Score: 5, Interesting

    I had two users today get the Nimda.E variant via email. It had an interesting header that was included from an html formatted email's iframe . . .




    Content-Type: audio/x-wav; name="sample.exe"
    Content-Transfer-Encoding: base64


    I'll leave out the actual format of the email's html. But what happened was Windows tried to run sample.exe right after previewing. No popup box, no nothing. And this was using Outlook Express 5.0. It was a good thing that the virus software saw the executable as a Nimda. If they had sent a format.exe that would have been it for the two users' data.



    Microsoft said that only 6.0 was affected?



    Or is this something different than what they have supposedly patched?
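A mail-gateway check for the header combination quoted in the comment above, as an added example that is not part of the original thread: it flags attachments declared as an inline-renderable media type whose name ends in an executable extension. The function name, the extension list and the sample message are constructed for illustration.

```python
import base64
from email import message_from_string
from pathlib import PurePosixPath

# Extensions Windows runs when the file is opened (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Declared main types that a mail client may render or play inline.
INLINE_MAIN_TYPES = {"audio", "video", "image", "text"}


def suspicious_parts(raw_message: str) -> list[dict]:
    """Return MIME parts whose declared type disagrees with an executable name."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename=, then falls back to
        # the name= parameter on Content-Type (the form quoted in the comment).
        filename = part.get_filename()
        if not filename:
            continue
        ext = PurePosixPath(filename.strip().lower()).suffix
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() in INLINE_MAIN_TYPES:
            findings.append({"filename": filename,
                             "declared_type": part.get_content_type(),
                             "extension": ext})
    return findings


# Constructed sample: placeholder payload bytes, not a real program.
_PAYLOAD = base64.b64encode(b"placeholder bytes, not a program").decode()
SAMPLE = (
    "From: sender@example.invalid\nTo: user@example.invalid\n"
    "Subject: constructed test message\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nhello\n"
    '--b1\nContent-Type: audio/x-wav; name="sample.exe"\n'
    "Content-Transfer-Encoding: base64\n\n" + _PAYLOAD + "\n"
    '--b1\nContent-Type: audio/x-wav; name="chime.wav"\n'
    "Content-Transfer-Encoding: base64\n\n" + _PAYLOAD + "\n"
    "--b1--\n"
)

if __name__ == "__main__":
    for hit in suspicious_parts(SAMPLE):
        print(f"{hit['filename']}: declared {hit['declared_type']}, extension {hit['extension']}")
```
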

  7. Even weirder... by oGMo · · Score: 5, Interesting

    What if it was the reverse. The DOJ gives MS leniency, but calls in a favor with the FBI to announce some "Magic Lantern" spyware, and suddenly open projects become very popular....

    ...naw. ;-)

    --

    Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

  8. Re:Question for michael... by FortKnox · · Score: 5, Interesting

    I have to agree about the anti-microsoft atmosphere here. Not only with this statement but all the "It deletes IE!" "It installs Mozilla!" jokes just make you people look like you are desperate to fit in. It's pathetic!

    IE is the best browser out there. Check ANY review. And MS has jumped to fix a bug that everyone found (notice the GAPING HOLE in Solaris/AIX systems that still isn't patched? Why aren't you going off on that?)

    Remember when you had to purchase Netscape, but IE was free?

    Mozilla MAY -become- better, but it isn't, yet. If you give me that "IE doesn't run in Linux" then why are you even posting to this article?

    You guys need to be less Open Source/Anti-Microsoft Zealotous.

    I'd post anonymously to preserve karma, but the authors already know my IP (see sig).

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
  9. It's not just IE - other apps need this! by PacketMaster · · Score: 5, Informative

    It's also important to note that it's not just users of IE as their browser that are affected by this bug. Lots of Windows programs took a shortcut (Eudora being a prime example) and used MSHTML.DLL as the rendering engine for their application. Any application that displays HTML and uses MSHTML.DLL and has IE5.5 or IE6 should install this patch IMMEDIATELY.

    --

    Some people take their .sig way too seriously

  10. tee hee by Frac · · Score: 5, Insightful

    Michael exaggerated this exploit beyond belief:

    If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten.

    Good grief! Can somebody link to the tens of thousands of "designed for IE" webpages that are currently incompatible as a result of this patch?

    In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.

    Eerrr.. a proper "fix" of Michael's previous article probably involves a higher level of computer literacy, and less impulsive urge to write expository essays that sound dramatic, but are wrong.

    1. Re:tee hee by DeadMeat+(TM) · · Score: 5, Insightful
      Good grief! Can somebody link to the tens of thousands of "designed for IE" webpages that are currently incompatible as a result of this patch?
      Well, there would be a problem, but it's not something awful IE-specific HTML brought about. Since IE half-ignores MIME types, servers that don't have proper MIME types set up could suddenly have file associations break on their Web page. I was recently asked by someone about a problem they were having with .M3U files getting downloaded as text or being asked to save them to disk in anything but IE. Turns out the Web server didn't have a MIME type set up for M3U files, and the guy who ran the server just argued "it works fine in IE."

      So yeah, it would be a kinda big problem, and it's Microsoft's fault (if they wouldn't have set up a brain-dead policy of not handling MIME types properly then the servers would have been set up right to begin with). But it's not a "Designed for IE" page thing, and I doubt it's in the thousands of pages. Most pages that don't get the kind of traffic where somebody would notice bad HTML (e.g. homepages) are hosted on GeoCities/Angelfire/whatever which already have MIME types set up right.

  11. Re:not too bright by jvj24601 · · Score: 5, Informative
    I downloaded the 2.15 mb patch. I try to run it, and I get a prompt that I need IE5 Service pack 2 installed. That's it, it doesn't supply a link, it doesn't try to download it, nothing. Microsoft rushed this one out.

    The update only works with IE 5.5 or 6.0. You might be running 5.0.

    Interesting note: If you read the bulletin and click on the Technical Details submenu, you'll find the worst part:

    "Microsoft tested Internet Explorer 5.5 and 6.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer eligible for hotfix support."

    As someone who does some sysadmin stuff at work, I didn't know this before. This means that a large majority of users (as far as my limited experience goes) that still use IE 5.0 will still have exploits available that won't be tested nor fixed. Wow...
  12. Slashdot Inconstancies by Captain_Frisk · · Score: 5, Informative
    Seriously guys calm down.

    Yesterday you bashed MS for not going public about anything, and now you bash them for patching the program. Short of open sourcing everything, is there anything they could do that would appease this crowd?

    They might not get it right on the first try, but they do fix their bugs, and I think this was fairly timely, especially given the size / scope of IE.

    1. Re:Slashdot Inconstancies by fumble · · Score: 5, Insightful

      ... is there anything they could do that would appease this crowd?

      I think you hit the nail on the head. The answer is "no." The fact remains that this community has seen M$ do some nasty things, and now they've formed their opinion (and that's just fine). Regardless if M$ does something right, it really doesn't matter. Imagine if one day at school, the bully that usually pounds your ass into the ground held the door open for you ... you probably wouldn't buy it for a second. Or maybe if Barry Manilow actually put out a mildly good song ... would you admit to liking it? I wouldn't :P

  13. Sensationalism courtesy of /. by fumble · · Score: 5, Insightful

    Warning: mild flamebait.

    Remember Michael's over-the-top misinformed rant about this 3 days ago?

    ... they refuse to provide any information about when a patch might be made available, if ever.

    I'm surprised he posted this fix, kinda points out how far off base /. was a short 3 days ago. Hey, I'm no M$ fan and I kinda expect some opinion on /. posts ... but there comes a point when it turns into yellow journalism and becomes childish M$ name calling.

  14. Re:Uber Patch by Anonymous Coward · · Score: 5, Informative

    Sorry to break it to you, but a significant portion of the readership *does* use IE. Rob used to publish statistics on this and stopped for obvious, embarrassing reasons.

  15. Re:Question for michael... by SCHecklerX · · Score: 5, Insightful
    IE is the best browser out there.

    Care to back this up? Have you used the alternatives? In case you missed it, here is what Moz has that is lacking in IE:

    • Best CSS2 Compliance out there. IE totally screws up my CSS2 compliant web page. Mozilla, Konqueror, Opera render it properly.
    • Tabbed browsing. Open separate windows, or open tabs within an existing window. Great feature for browsing slashdot, keeping similar stuff together in one window with tabs while browsing other stuff in a separate window
    • Full control over what javascript functions/objects/features are allowed to execute on a per-site basis. You can even globally kill the popup on page load bullshit (the only real reason I've found to disable javascript so far)
    • Cookie management on a per-site basis
    • Image management on a per site basis. Allow/disallow images, stop animated gifs, etc.
    • Site navigation bar for sites that use that old forgotten tag (like slashdot). This is very cool and useful.
    • Proper implementation of a 'favicon' that, get this, uses ANY SUPPORTED IMAGE FORMAT, not that M$ specific .ico crap. Use a PNG and you can use alpha channels. Imagine that.
    • FAST rendering engine. Much better than IE (especially in recent builds!) This is VERY significant for modem users who have to sit and wait for IE to figure out what is in a table before rendering it, while moz's engine pops it up as it comes down. Slashdot renders here in under a second.

    Those are just some of the highlights of why mozilla is the better browser and quite frankly, blows away IE, even as prerelease software

  16. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  17. Re:Been there, done that by Anonymous Coward · · Score: 5, Funny

    *sigh* It's Friday afternoon. Time to go home. No more f*cking patches to do.


    Not so fast, buster. First we need you to change the toner cartridge on the LJ4 up on third floor.

    hup-hup to it, now, IT boy. The girls in the secretary pool don't call you 'sysadmin' (while smirking) for nothing.

  18. Re:not too bright by TheAwfulTruth · · Score: 5, Insightful

    Not informative at all. Here's the real information: The patches can be applied to IE 6.0 OR IE 5.5 SP2 ONLY. If you do not have either of those you need to upgrade to one of them then apply the appropriate patch.

    If you have not already upgraded to these versions then you are (and have been) vulnerable to numerous PAST holes. So if you haven't bothered to upgrade by now, why do you care about patching all of a sudden?

    Please mod me up to 5 now thank you.

    --
    Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
  19. Re:Uber Patch by ncc74656 · · Score: 5, Insightful
    That would require that a significant portion of Slashdot users use IE.
    ...and you're implying that they don't? It's not like there are many options...Konqueror and Mozilla aren't all there yet, there seems to have been some sort of stink lately WRT Opera, and there's no way in hell that I'd use Nutscrape. Not everyone who reads /. is a flaming anti-MS zealot...MS has its warts (you're nuts if you put a Windows box directly on the Internet), but then so does nearly everything/everyone else.
    --
    20 January 2017: the End of an Error.
  20. Re:Does anyone else feel immoral? by istartedi · · Score: 5, Funny

    Does anyone else feel immoral browsing the web with an Internet Explorer USER_AGENT?

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings] "User Agent"="Mozilla/Church Lady 3.01"

    Would that make you morally superior?

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?