Slashdot Mirror
MSIE Uber-patch Of The Month
mkraft writes "Microsoft released another security patch for Internet Explorer to fix 6 'new' vulnerabilities. Info on the patch can be obtained via download or Windows Update. Not sure what 6 things the patch fixed, but I'm assuming they fixed 6 of the 14 known exploits listed at http://jscript.dk/unpatched/"
Maybe not even all six -- the maintainer of the above URL
claims in a post to Bugtraq
that Microsoft got some facts wrong and "patched a symptom" of one of the vulnerabilities, "not its root cause," and that IE5 and IE5.5 remain unpatched with the same "Critical" vulnerability.
Also, please compare to previous MSIE Uber-Patches Of The Month:
December 2001, 3+? holes in IE;
March 2002, 2+? holes in IE;
April 2002, 2+? holes in Mac IE.
Microsoft released another security patch for Internet Explorer
Is it Thursday already?
--saint
Saying you're trying to fix all the holes in IE is like saying you mean to turn a sieve into a bowl.
::shudder::).
Seriously, it seems they are finally turning around and trying to make their products more reliable. They've come a long way since Win95 (or WinME...
The speed of time is one second per second.
luckily several other competing browsers have much less patches that have to be applied.
netscape - doesnt have any holes - it crashes before anyone have time to exploit them.
mozilla - its not called holes, its a feature until further notice.
opera - pages download quick, dont they? then stfu.
The example code that fails with the patch is here.
Those who will sacrifice Freedom and Security will get Windows...
the page you link to HAS the vulnerabilities fixed LISTED.
i tical/Q321232/default.asp)
And if you actually go to download it, you'll see that it DOES apply to versions 5 and 5.5. (http://www.microsoft.com/windows/ie/downloads/cr
AHHHHHHH! I'm burning with goodness again!
- Reakk, Sluggy Freelance
Warning! Positive comments about Microsoft ahead...
I have Windows XP on my desktop and RedHat on my public server.
I have grown to appreciate the way Windows XP patches itself. Frankly it is a bit of a pain in the butt having to apply patches to my RedHat server each month and I would be much happier if it could just do it itself, automatically, like XP does.
I hate Microsoft. They're bastards. But the auto-patching that Windows XP does is great. We need it for Linux, both desktop and server.
Although, there is a NTBugtraq post just now that say the patches break Javascript on MS browsers so maybe you don't want to install it just yet. It states:
The installation of the 15-May-2002 Cumulative Patch for IE (V6 in this case) breaks the following Javascript code. This code works in IE versions *not* patched with Q321232 but fails to execute on IE6 which has been patched. I don't have IE 5 or below so I don't know if they broke those versions as well.
Russ Cooper had an article on NTBugtraq recently pointing out how bad MS quality control is. They have separate patch sites for different products with tools that break each others patches. We don't need to break Microsoft up. It is doing so on its own.
Microsoft is a formidable opponent. They're very rich and very good at using those riches to get what they want. We need to avoid being smug.
Miko O'Sullivan
speaking of bugtraq, this just came through my e-mail from Greg Chatten with St. Louis Internet.
;)
Date: Thu, 16 May 2002 12:32:17 -0500
Subject: MS02-023 Patch Breaks JAVASCRIPT
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
The installation of the 15-May-2002 Cumulative Patch for IE (V6 in this
case) breaks the following Javascript code. This code works in IE versions
*not* patched with Q321232 but fails to execute on IE6 which has been
patched. I don't have IE 5 or below so I don't know if they broke those
versions as well.
Then there is lots of javascript. Just like microsoft to break something else while they fix another thing.
The original message should be in the bugtraq archive by now
-- this space for rent --
Slashdot opinion:
Bah, I'm clicking "ignore posts from MS" on my preferences. I'm starting to think Taco could get his "cult" to commit mass suicide if he could prove that it'd help them rail on MS...
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
2. Choose a cool marketing name for the hole, like "achilles' hole" or such. Make it fancy.
3. Call the news agencies. Once there is a fancy marketing name, they will jump on it and create public hysteria. Remember "Code Red" ? It was just like any other worm attack except that it had a cool name for the media blew it way out of proportion.
4. Watch the patches roll in.
5. Lather, rinse, repeat. Every six weeks should do it. The public should see a pattern sooner or later.
Come on, they exist.
upgrading with apt is easy, and not much work.
*BSD also have their update tools, and some other posters mentioned Redhat tools.
These things exist, you just have to use them. Or maybe they should be made prominent however XP does it so people will complain about the security pitfalls of doing so.
For those that are SO lazy that you can't click on the link:
Technical description:
This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following six newly discovered vulnerabilities:
Finally, it introduces a behavior change to the Restricted Sites zone. Specifically, it disables frames in the Restricted Sites zone. Since the Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email Security Update and Outlook 2002 all read email in the Restricted Sites zone by default, this enhancement means that those products now effectively disable frames in HTML email by default. This new behavior makes it impossible for an HTML email to automatically open a new window or to launch the download of an executable.
they are great salesmen. They basically sold the entire world a product that simply didn't do what they said it would do. Only now are they finally making good on their promise.
They are finally making the software robust and not crash 20 times a day.
They are finally making it such that you can actually use the programs without fear of having to reinstall the whole when you try to get a new screensaver.
They are finally making it a good product.
What's wrong with this? They've been charging for the full product all along, when only now are they finally delivering. They have suckered the entire world. They take your money every time you buy a computer even if you don't use their software.
Actually you can download the updates manually if you wish; they're on their website somewhere or other. This is a supported patch technique.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"fobbman gushes:
The reason why exploits are written for IE/Outlook is not necessarily because Microsoft packs their product full of holes, but because more people use the products, more people will be affected by the exploit, and the chance of the "security expert" seeing their name mentioned in the media goes up.
Exactly, security is directly tied to popularity, why just look at Apache... oops.
The diference is that the people who bring you Apache are subject to peer review everyday, and they don't whine that people only exploit their code because it is popular when holes are found, but rather look at their project rationally, and FIX IT. Pretty amazing difference in handling criticism I would say....
I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
it is a bit of a pain in the butt having to apply patches to my RedHat server each month
Try AutoUpdate. It does a good job keeping RedHat up to date.
People who disagree with you are not automatically evil, greedy, or stupid.
I cannot go patching my software every morning after booting the computer!!
thats one of the things that Windows does rather seamlessly though. I booted to it this morning to take care of a few things, and a little reminder notice popped up in the toolbar saying "a update is available"... all i did was click "Yes" and it was installed, it told me i had to restart to finish the update, and i ignored that part...once i finally do restart my computer it will be fully installed. This process took me a grand total of about 1 second of my time.
There are plenty of valid complaints about MS, but this is one of those cases where they are doing something right.
Nobody else claims their browser is a key component of the operating system-- that it cannot be removed because its functionality is so interwoven into the operation of the system.
Of course people are going to flame Microsoft for designing such a product with so many critical security holes which compromise their computer, making it part of the OS and then arrogantly refusing to give people the ability to remove it. At least I can un-install every other browser if I decide it doesn't suit me.
You complain about people flaming Microsoft. I submit to you that if that corporation wasn't so arrogant, pushing its views and way of doing things onto everyone else then stifling the innovation of others, that people would be a lot more forgiving of mistakes.
I have no sympathy. Not for this corporation. Microsoft made this bed, it can sleep it in now.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
These constant Internet Exploer fixes are a result from the "browser wars", when MS an Netscape competed to release their new browser every six new months or so. The rush prevented good code auditing, and several bugs were not wiped.
Now that this "war" is over, I hope MS (and Netscape) make a good review of their browser before releasing it, and stabilize the existing code. If we are lucky, IE 7 will be shipped only in 2003 or 2004 - and by "we" I mean every internet user, for the bugs in IE helped the spread of annoying worms like Nimda and Klez.
Except (if you read the bugtraq post) MS left IE6 vunerable (and released no patch for IE5). It gave incorrect information about several vunerabilities, which makes one suspect that they might have not fixed them correctly.
/. users use IE. Some of them may well be opera or other browser users who have their browsers to announce otherwise, but certainly, a number of /. users actually use IE. Some of us still use Win98 too, even if just at work or at home because our families can't use another OS (yet...)
I can't vouch for the accuracy of the bugtraq post, but if true, this is not 'fixing the symptom until the underlying problem can be fixed', this is 'fixing one popularized symptom while leaving others untouched'.
A number of people have noticed that a majority of
Bullsh*t.
How come my firewall is *still* seeing 80+ Code Red/Nimda probes daily?
Just like any other worm?
You have no clue.
The number of infected Micro$oft boxes out there is scarcely any less than it was six months ago, thanks mainly to clueless Micro$oft users...
t_t_b
I'm on PJ's "enemies" list! Are you?
Just because someone bashed MS, that doesn't mean that they are being unreasonable.
My beliefs do not require that you agree with them.
I have to agree. Just earlier today at an online Microsoft seminar, the presenter mentioned that the original version of the IIS Lockdown tool completely broke Exchange Server. To paraphrase him to the best of my abilities, "pretty interface, no email." To be fair, he demonstrated the newest version of the tool, which is supposed to do an outstanding job of locking down IIS, and that problem now has been completely eliminated.
Please subscribe to see the more insightful version of th
I notice that everytime MS gets a negative posting here, which is often and to be expected, since this is a place where you don't have to fear any recriminations when posting negative MS articles (Rob Malda does not have to report to an editor in chief and explain why he's undermining the MS advertising on the site), A lot of people post a lot of anti-slashot commentaries about anti-MS bias etc.
/. Criticism keeps MS on it's toes and stops them from doing what they like with users' (including your) rights. It gives me a good critical counterclaim for every piece of anti-linux FUD that comes from MS.
This is one of the few *very* public sites that I can go to and read public criticisms of MS, step by step. If I wanted to read what a fantastic job MS is doing with it's security and how it really is such a *fab* company, then I could either go to MS' site and read the marketing departments latest press releases or go to ZDNet and read commentaries by the zombies in their editorial department.
I *want* to read extremely critical news here on
/. May often be wrong but they don't try to tell me how wonderful is and how I can just back and let MS handle all my problems.
Comment removed based on user account deletion