Slashdot Mirror
MSIE Uber-patch Of The Month
mkraft writes "Microsoft released another security patch for Internet Explorer to fix 6 'new' vulnerabilities. Info on the patch can be obtained via download or Windows Update. Not sure what 6 things the patch fixed, but I'm assuming they fixed 6 of the 14 known exploits listed at http://jscript.dk/unpatched/"
Maybe not even all six -- the maintainer of the above URL
claims in a post to Bugtraq
that Microsoft got some facts wrong and "patched a symptom" of one of the vulnerabilities, "not its root cause," and that IE5 and IE5.5 remain unpatched with the same "Critical" vulnerability.
Also, please compare to previous MSIE Uber-Patches Of The Month:
December 2001, 3+? holes in IE;
March 2002, 2+? holes in IE;
April 2002, 2+? holes in Mac IE.
speaking of bugtraq, this just came through my e-mail from Greg Chatten with St. Louis Internet.
;)
Date: Thu, 16 May 2002 12:32:17 -0500
Subject: MS02-023 Patch Breaks JAVASCRIPT
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
The installation of the 15-May-2002 Cumulative Patch for IE (V6 in this
case) breaks the following Javascript code. This code works in IE versions
*not* patched with Q321232 but fails to execute on IE6 which has been
patched. I don't have IE 5 or below so I don't know if they broke those
versions as well.
Then there is lots of javascript. Just like microsoft to break something else while they fix another thing.
The original message should be in the bugtraq archive by now
-- this space for rent --
But the auto-patching that Windows XP does is great. We need it for Linux, both desktop and server.
I don't run XP (though my bro-in-law does, hates it, is going back to Win2K, a good move IMHO), but some feature like what you describe would be nice if they're properly balanced and thought out.
I'd like the ability to assess what the patches are needed, what they are supposed to do, and ideally be able to see the source code before I patch my servers.
The last thing I want my server to do is to "figure out for itself" that it needs to download some worm and then automatically go do it.
Rather, let me decide and then it's my fault if I download a worm.
One of the nice things about Linux in general is that it exposes its guts to you and lets you make as many decisions as you want about what to do with it and how to modify it. If you want to shoot yourself in the foot or shoot for the moon in a new way that works for you, then by all means go for it. Linux distributions won't be so arrogant as to presume that "they know better what's good for you".
You can see where it's difficult to judge the proper tradeoffs between ease and convenience on one hand, and security on the other hand. All those Outlook attachments have been more than sufficient evidence of how easily such judgement can be in error.
"Provided by the management for your protection."
You get one system - one install. I made the mistake of registering my box after installation and then did a full reload from zero several times because I was trying to learn the process and didn't know better at the time. I couldn't register that machine again.
Not exactly a newbie-friendly feature. I'm still pissed at RedHat for that one.
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
I have to agree. Just earlier today at an online Microsoft seminar, the presenter mentioned that the original version of the IIS Lockdown tool completely broke Exchange Server. To paraphrase him to the best of my abilities, "pretty interface, no email." To be fair, he demonstrated the newest version of the tool, which is supposed to do an outstanding job of locking down IIS, and that problem now has been completely eliminated.
Please subscribe to see the more insightful version of th
Comment removed based on user account deletion