MSIE Uber-patch Of The Month
mkraft writes "Microsoft released another security patch for Internet Explorer to fix 6 'new' vulnerabilities. Info on the patch can be obtained via download or Windows Update. Not sure what 6 things the patch fixed, but I'm assuming they fixed 6 of the 14 known exploits listed at http://jscript.dk/unpatched/"
Maybe not even all six -- the maintainer of the above URL claims in a post to Bugtraq that Microsoft got some facts wrong and "patched a symptom" of one of the vulnerabilities, "not its root cause," and that IE5 and IE5.5 remain unpatched with the same "Critical" vulnerability.
Also, please compare to previous MSIE Uber-Patches Of The Month:
December 2001, 3+? holes in IE;
March 2002, 2+? holes in IE;
April 2002, 2+? holes in Mac IE.
Yet another reason to use lynx :)
or even better
telnet www.webserver.com 80
GET / HTTP/1.0
Congrats on running Mozilla.. However that doesn't mean you are Bug Free
Actually, I use both Mozilla and IE, but these stories that are being posted on Slashdot are just silly. You are mad if they do patch. You are mad if they don't patch. Make up your mind Slashdotters!
The "Windows Update" icon on my taskbar failed to retrieve the patch last night, I had to manually go to the Windows update site and download it. I only discovered this when I started wondering why my VAIO was getting so damn warm, and why the fan hadn't stopped in several hours...
And then they "recommend" that you go for automatic updating. Typical.
My sig is too lon
Well, the primary purpose of the last patch seemed to be to *add* bugs. My guess is that this patch is to take them away?
-Sara
Windows Update fatally crashes my system each time I go to download all the 'critical updates' my system needs. Which means that I'm unable to actually patch my boxen, unless I maybe reinstall the operating system, which would make me lose all my application settings/components and be forced to reinstall them, etc, etc.
One central source, one update system. One critical point of failure. One of the many problems that come with having one operating system to rule them all and in the darkness find them...
Boy, do I hope nobody tries to r00t my 98 box. After plugging in my shiny new cable modem it probably looks real attractive now.
Speaking of Bugtraq, this just came through my e-mail from Greg Chatten with St. Louis Internet.
;)
Date: Thu, 16 May 2002 12:32:17 -0500
Subject: MS02-023 Patch Breaks JAVASCRIPT
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
The installation of the 15-May-2002 Cumulative Patch for IE (V6 in this
case) breaks the following Javascript code. This code works in IE versions
*not* patched with Q321232 but fails to execute on IE6 which has been
patched. I don't have IE 5 or below so I don't know if they broke those
versions as well.
Then there is lots of JavaScript. Just like Microsoft to break something else while they fix another thing.
The original message should be in the bugtraq archive by now
-- this space for rent --
However this is rubbish, his code is wrong - this has nothing to do with the patch.
Don't name form elements "submit", folks.
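The pitfall named in the comment above, as an added example that is not part of the thread: a control whose name or id is "submit" becomes a named property of its form and hides the form's own submit() method, so a script calling form.submit() fails. The scanner below is a regex sketch run on constructed HTML; the function name and the list of checked members are choices made for this example.

```javascript
// Added example: flag form controls whose name/id shadows an HTMLFormElement member.
// Simple regex scanner for review purposes, not a full HTML parser.
const SHADOWABLE = new Set(['submit', 'reset', 'action', 'method', 'target', 'elements', 'length']);

// Constructed sample markup (not the code from the NTBugtraq message).
const SAMPLE_HTML = `
<form id="login" action="/login" method="post">
  <input type="text" name="user">
  <input type="submit" name="submit" value="Log in">
</form>
<form id="search" action="/search">
  <input type="text" name="q" data-name="reset">
  <input type="submit" name="go" value="Search">
  <button type="button" id="action">Options</button>
</form>`;

function findShadowedFormMembers(html) {
  const findings = [];
  const formRe = /<form\b[^>]*>([\s\S]*?)<\/form\s*>/gi;
  let form;
  let formIndex = 0;
  while ((form = formRe.exec(html)) !== null) {
    formIndex += 1;
    const controlRe = /<(input|button|select|textarea)\b([^>]*)>/gi;
    let control;
    while ((control = controlRe.exec(form[1])) !== null) {
      // Only real name/id attributes count; data-name and similar are skipped.
      const attrRe = /(?:^|\s)(name|id)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
      let attr;
      while ((attr = attrRe.exec(control[2])) !== null) {
        const value = attr[2] ?? attr[3] ?? attr[4];
        // Property lookup is case-sensitive: "Submit" does not hide submit().
        if (SHADOWABLE.has(value)) {
          findings.push({
            form: formIndex,
            tag: control[1].toLowerCase(),
            attr: attr[1].toLowerCase(),
            shadows: value,
          });
        }
      }
    }
  }
  return findings;
}

for (const f of findShadowedFormMembers(SAMPLE_HTML)) {
  console.log(`form #${f.form}: <${f.tag} ${f.attr}="${f.shadows}"> hides form.${f.shadows}`);
}
```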
But the auto-patching that Windows XP does is great. We need it for Linux, both desktop and server.
I don't run XP (though my bro-in-law does, hates it, is going back to Win2K, a good move IMHO), but some feature like what you describe would be nice if they're properly balanced and thought out.
I'd like the ability to assess what patches are needed, what they are supposed to do, and ideally be able to see the source code before I patch my servers.
The last thing I want my server to do is to "figure out for itself" that it needs to download some worm and then automatically go do it.
Rather, let me decide and then it's my fault if I download a worm.
One of the nice things about Linux in general is that it exposes its guts to you and lets you make as many decisions as you want about what to do with it and how to modify it. If you want to shoot yourself in the foot or shoot for the moon in a new way that works for you, then by all means go for it. Linux distributions won't be so arrogant as to presume that "they know better what's good for you".
You can see where it's difficult to judge the proper tradeoffs between ease and convenience on one hand, and security on the other hand. All those Outlook attachments have been more than sufficient evidence of how easily such judgement can be in error.
"Provided by the management for your protection."
At least M$ is fixing problems, maybe not as fast as the oss companies/people, but christ.. None of you guys bash redhat, suse and the like when they release an update for an app that can give you root. I know in the /. eyes M$ is the root of all evil, but you know what, best item/app/os for the job.
/. hypocrites, bring this post to a -1.
I don't care if it's a mac/ms/*nix/*BSD or what, but if it gets the job done, relatively well and fast, I will use it.
For programming, I don't care if it's VB/C/Glade/Perl/Python whatever.. whatever suits the job best. And yes, sometimes, if not MOST of the time, it's a MS solution (for me at least, YMMV).
And for the record, win win98 installation, which I just reinstalled everything (2 days' worth of installs and hundreds of reboots) is showing the same symptoms of the problem for the reinstall, which I'm assuming came from windows-update. So no, I'm not living in a perfect world. At the moment, I'm cursing Billy boy's name, but I'm still using Win98 for most of development work and 2 Linux machines as servers, since, like I said, best solution for the problem.
So flame away, you
"It's not like your minds are as open as the source you love..." - Me to the majority of Slashdot.
You get one system - one install. I made the mistake of registering my box after installation and then did a full reload from zero several times because I was trying to learn the process and didn't know better at the time. I couldn't register that machine again.
Not exactly a newbie-friendly feature. I'm still pissed at RedHat for that one.
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
I have to agree. Just earlier today at an online Microsoft seminar, the presenter mentioned that the original version of the IIS Lockdown tool completely broke Exchange Server. To paraphrase him to the best of my abilities, "pretty interface, no email." To be fair, he demonstrated the newest version of the tool, which is supposed to do an outstanding job of locking down IIS, and that problem now has been completely eliminated.
Please subscribe to see the more insightful version of th
So how do I go about updating 20+ Win2k machines at a client site running all different versions of IE?
There has to be an easier way than running around to each machine applying a patch every month.