Slashdot Mirror


MSIE Uber-patch Of The Month

mkraft writes "Microsoft released another security patch for Internet Explorer to fix 6 'new' vulnerabilities. Info on the patch can be obtained via download or Windows Update. Not sure what 6 things the patch fixed, but I'm assuming they fixed 6 of the 14 known exploits listed at http://jscript.dk/unpatched/" Maybe not even all six -- the maintainer of the above URL claims in a post to Bugtraq that Microsoft got some facts wrong and "patched a symptom" of one of the vulnerabilities, "not its root cause," and that IE5 and IE5.5 remain unpatched with the same "Critical" vulnerability. Also, please compare to previous MSIE Uber-Patches Of The Month: December 2001, 3+? holes in IE; March 2002, 2+? holes in IE; April 2002, 2+? holes in Mac IE.

18 of 357 comments

  1. God Forbid... by KingAdrock · · Score: 1, Insightful

    God forbid Microsoft release a patch. What would you rather have them do? If this were the newest version of the Linux kernel, the people of Slashdot would be planning a parade. It is a patch to a Microsoft product though, so it is time to bring out the bashing. Give me a break!!!

    1. Re:God Forbid... by FortKnox · · Score: 3, Insightful
      I gotta agree.
      Slashdot opinion:
      • Rail on MS for making faulty software
      • Rail on MS for not doing anything with said software
      • Rail on MS for attempting to patch said software
      • Rail on MS for being swift quickly releasing a 'cure to the symptom', while the 'cure to the solution' is being worked on
      • Rail on MS for a product most of them haven't touched since Win98


      Bah, I'm clicking "ignore posts from MS" on my preferences. I'm starting to think Taco could get his "cult" to commit mass suicide if he could prove that it'd help them rail on MS...
      --
      Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
  2. I have a question? by Peridriga · · Score: 1, Insightful

    News for Nerds. Stuff that matters.

    Does this really matter anymore? It's kinda like my weekly routine of buying milk. It's getting pretty dull...

    1. Re:I have a question? by ILikeRed · · Score: 3, Insightful

      fobbman gushes:
      The reason why exploits are written for IE/Outlook is not necessarily because Microsoft packs their product full of holes, but because more people use the products, more people will be affected by the exploit, and the chance of the "security expert" seeing their name mentioned in the media goes up.

      Exactly, security is directly tied to popularity, why just look at Apache... oops.

      The difference is that the people who bring you Apache are subject to peer review every day, and they don't whine that people only exploit their code because it is popular when holes are found, but rather look at their project rationally, and FIX IT. Pretty amazing difference in handling criticism I would say....

      --
      I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
  3. Why is this news? by oever · · Score: 2, Insightful

    It worries me that a patch can be news. Microsoft really has people waiting in anxiety for a new patch to fix (and add some new) security holes.

    Brr. I hate monopolies.

    I'm going to write a letter like the Peruvian one to my government right now!

    --
    DNA is the ultimate spaghetti code.
  4. I wish things were always so easy... by pubjames · · Score: 5, Insightful

    Warning! Positive comments about Microsoft ahead...

    I have Windows XP on my desktop and RedHat on my public server.

    I have grown to appreciate the way Windows XP patches itself. Frankly it is a bit of a pain in the butt having to apply patches to my RedHat server each month and I would be much happier if it could just do it itself, automatically, like XP does.

    I hate Microsoft. They're bastards. But the auto-patching that Windows XP does is great. We need it for Linux, both desktop and server.

    1. Re:I wish things were always so easy... by Kraegar · · Score: 3, Insightful
      Until someone hacks your (or your ISP's) DNS server, and adds a line to the hosts file that points Windows Update to their box. Then you're running their code with full trust... automatically.

      While you're at it, I'm offering a service where I'll monitor your checking account and pay your bills automatically each month for you. Please forward me your credit card number and a copy of your driver's license and social security card at your convenience.

    2. Re:I wish things were always so easy... by hyoo · · Score: 3, Insightful

      Until someone hacks your (or your ISP's) DNS server, and adds a line to the hosts file that points kernel.org (for example) to their box. Then you're downloading and using their patches and code with full trust... (not automatically, but hardcores probably download the latest and greatest quite often, and I doubt that they verify each line of code).

      If you claim that you are immune to this because you only use IP addresses or go directly to the root DNS servers, then you deserve to use Linux. Please stay in your mom's basement updating your software and save the rest of the world from the horrors of encountering freaks like you.

      MS uses certificates to verify that the patches are in fact from them. I'm not sure if there is any mechanism in place for Linux kernel updates. You just gotta trust that kernel.org and the mirrors point to where they should be.

  5. Microsoft is getting smart by mikosullivan · · Score: 5, Insightful
    The increased pace of security patches from MS may indicate that they're finally serious about security. If so, the OSS movement needs to be wary. Windows lack-of-security has always been a major harping point for the OSS movement. Yes, I'm glad for the windows-users of the world that their OS is getting better, but those of us who preach OSS to our colleagues and friends need to be aware that a major talking point may be going away. If MS really has decided that Security Counts, they've got pretty deep pockets to do something about it. Sun and IBM have both proven that the closed-source system can in fact produce pretty secure operating systems.

    Microsoft is a formidable opponent. They're very rich and very good at using those riches to get what they want. We need to avoid being smug.

    --
    Miko O'Sullivan
  6. Re:Netscape not secure by rmpotter · · Score: 2, Insightful

    I agree. We tested the Netscape/Mozilla vulnerability and it works on Linux systems also. I submitted the link to Slashdot and the story was REJECTED.

    If this had been an MS vulnerability with a working exploit, it would have been posted here in a second --and would have generated 800 MS-bashing comments.

    Slashdot has been good entertainment over the years, but I pity anyone who PAYS for a site that is so slanted it can't see beyond its navel.

    (Guess how this post will be mod'd ;-)

    --
    Is this sig nificant?
  7. How to autoupdate RedHat by daves · · Score: 3, Insightful

    it is a bit of a pain in the butt having to apply patches to my RedHat server each month

    Try AutoUpdate. It does a good job keeping RedHat up to date.

    --
    People who disagree with you are not automatically evil, greedy, or stupid.
  8. Re:Uh huh. Meanwhile, in Mozilla... by Anonymous Coward · · Score: 1, Insightful

    Does Slashdot post a huge exposé every time someone fixes another crippling security hole in Mozilla?

    Maybe once Mozilla is actually released, then they might.

    I don't know about you, but I consider beta software and final released software somewhat differently.

  9. They deserve to be flamed by Vicegrip · · Score: 5, Insightful

    Nobody else claims their browser is a key component of the operating system-- that it cannot be removed because its functionality is so interwoven into the operation of the system.

    Of course people are going to flame Microsoft for designing such a product with so many critical security holes which compromise their computer, making it part of the OS and then arrogantly refusing to give people the ability to remove it. At least I can un-install every other browser if I decide it doesn't suit me.

    You complain about people flaming Microsoft. I submit to you that if that corporation wasn't so arrogant, pushing its views and way of doing things onto everyone else then stifling the innovation of others, that people would be a lot more forgiving of mistakes.

    I have no sympathy. Not for this corporation. Microsoft made this bed, it can sleep in it now.

    --
    Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
  10. Browser wars by Jungle+guy · · Score: 4, Insightful

    These constant Internet Explorer fixes are a result of the "browser wars", when MS and Netscape competed to release their new browser every six months or so. The rush prevented good code auditing, and several bugs were not wiped.
    Now that this "war" is over, I hope MS (and Netscape) make a good review of their browser before releasing it, and stabilize the existing code. If we are lucky, IE 7 will be shipped only in 2003 or 2004 - and by "we" I mean every internet user, for the bugs in IE helped the spread of annoying worms like Nimda and Klez.

  11. Re:how to get them (MSFT) to make patches that wor by talks_to_birds · · Score: 4, Insightful
    • "...Remember "Code Red" ? It was just like any other worm attack..."

    Bullsh*t.

    How come my firewall is *still* seeing 80+ Code Red/Nimda probes daily?

    Just like any other worm?

    You have no clue.

    The number of infected Micro$oft boxes out there is scarcely any less than it was six months ago, thanks mainly to clueless Micro$oft users...

    t_t_b

    --
    I'm on PJ's "enemies" list! Are you?
  12. What I found interesting... by gosand · · Score: 3, Insightful
    Was that in the post to Bugtraq, the author mentioned his URL http://jscript.dk/unpatched/. I checked it out, and he also lists bugs in Netscape/Mozilla. So he isn't just a MS basher, as some would have you believe. Of course, he also said that one of them was fixed within 24 hours.

    Just because someone bashed MS, that doesn't mean that they are being unreasonable.

    --

    My beliefs do not require that you agree with them.

  13. MS (in)security and /. MS bashing by theolein · · Score: 5, Insightful

    I notice that every time MS gets a negative posting here, which is often and to be expected, since this is a place where you don't have to fear any recriminations when posting negative MS articles (Rob Malda does not have to report to an editor in chief and explain why he's undermining the MS advertising on the site), a lot of people post a lot of anti-Slashdot commentaries about anti-MS bias etc.

    This is one of the few *very* public sites that I can go to and read public criticisms of MS, step by step. If I wanted to read what a fantastic job MS is doing with its security and how it really is such a *fab* company, then I could either go to MS' site and read the marketing department's latest press releases or go to ZDNet and read commentaries by the zombies in their editorial department.

    I *want* to read extremely critical news here on /. Criticism keeps MS on its toes and stops them from doing what they like with users' (including your) rights. It gives me a good critical counterclaim for every piece of anti-Linux FUD that comes from MS.

    /. May often be wrong but they don't try to tell me how wonderful is and how I can just back and let MS handle all my problems.

  14. Cure worse than the disease by disco_stu00 · · Score: 2, Insightful

    I just went to WindowsUpdate to update IE. The installation of the security patch caused my computer to crash. No kidding.

    I go back to the site to try again, but it says I have the patch already. The question is, did it finish installing before it crashed?