Slashdot Mirror

← Back to Stories (view on slashdot.org)

MSIE Uber-patch Of The Month

Posted by ryuzaki0 on from the windstorm-'97 dept.

mkraft writes "Microsoft released another security patch for Internet Explorer to fix 6 'new' vulnerabilities. Info on the patch can be obtained via download or Windows Update. Not sure what 6 things the patch fixed, but I'm assuming they fixed 6 of the 14 known exploits listed at http://jscript.dk/unpatched/" Maybe not even all six -- the maintainer of the above URL claims in a post to Bugtraq that Microsoft got some facts wrong and "patched a symptom" of one of the vulnerabilities, "not its root cause," and that IE5 and IE5.5 remain unpatched with the same "Critical" vulnerability. Also, please compare to previous MSIE Uber-Patches Of The Month: December 2001, 3+? holes in IE; March 2002, 2+? holes in IE; April 2002, 2+? holes in Mac IE.

18 of 357 comments (clear)

  1. Like clockwork. by saintlupus · · Score: 5, Funny

    Microsoft released another security patch for Internet Explorer

    Is it Thursday already?

    --saint

  2. So basically... by Indras · · Score: 5, Funny

    Saying you're trying to fix all the holes in IE is like saying you mean to turn a sieve into a bowl.

    Seriously, it seems they are finally turning around and trying to make their products more reliable. They've come a long way since Win95 (or WinME... ::shudder::).

    --
    The speed of time is one second per second.
  3. other browsers are teh bomb! by grazzy · · Score: 5, Funny

    luckily several other competing browsers have much less patches that have to be applied.

    netscape - doesnt have any holes - it crashes before anyone have time to exploit them.
    mozilla - its not called holes, its a feature until further notice.
    opera - pages download quick, dont they? then stfu.

  4. Breaks some Javascript by DaDigz · · Score: 5, Informative
    Just posted to the NTBugTraq list is a message noting that it breaks some Javascript.

    The example code that fails with the patch is here.

    --
    Those who will sacrifice Freedom and Security will get Windows...
  5. C'mon, guys... by bricriu · · Score: 4, Informative

    the page you link to HAS the vulnerabilities fixed LISTED.

    And if you actually go to download it, you'll see that it DOES apply to versions 5 and 5.5. (http://www.microsoft.com/windows/ie/downloads/cri tical/Q321232/default.asp)

    --

    AHHHHHHH! I'm burning with goodness again!
    - Reakk, Sluggy Freelance

    1. Re:C'mon, guys... by gclef · · Score: 5, Informative

      Yes, but the patch doesn't actually *do* what it claims. Therein lies the problem. There has been a steady stream of messages to various security lists today about how this patch does not actually fix many of the issues that it claims to fix, and breaks other stuff in the process. see http://jscript.dk/unpatched/ for the present list of unpatched IE problems, and some commentary on this patch.

  6. I wish things were always so easy... by pubjames · · Score: 5, Insightful

    Warning! Positive comments about Microsoft ahead...

    I have Windows XP on my desktop and RedHat on my public server.

    I have grown to appreciate the way Windows XP patches itself. Frankly it is a bit of a pain in the butt having to apply patches to my RedHat server each month and I would be much happier if it could just do it itself, automatically, like XP does.

    I hate Microsoft. They're bastards. But the auto-patching that Windows XP does is great. We need it for Linux, both desktop and server.

    1. Re:I wish things were always so easy... by SirThomas · · Score: 5, Informative

      Um, RedHat comes with an auto-updater 'up2date'.

      You just need to register your machine and it can automatically update your machine for you.

      Some may complain that it is a 'for pay' service but you do get one system for FREE.

      Check rhn.redhat.com for more details.

    2. Re:I wish things were always so easy... by 4of12 · · Score: 4, Interesting

      But the auto-patching that Windows XP does is great. We need it for Linux, both desktop and server.

      I don't run XP (though my bro-in-law does, hates it, is going back to Win2K, a good move IMHO), but some feature like what you describe would be nice if they're properly balanced and thought out.

      I'd like the ability to assess what the patches are needed, what they are supposed to do, and ideally be able to see the source code before I patch my servers.

      The last thing I want my server to do is to "figure out for itself" that it needs to download some worm and then automatically go do it.

      Rather, let me decide and then it's my fault if I download a worm.

      One of the nice things about Linux in general is that it exposes its guts to you and lets you make as many decisions as you want about what to do with it and how to modify it. If you want to shoot yourself in the foot or shoot for the moon in a new way that works for you, then by all means go for it. Linux distributions won't be so arrogant as to presume that "they know better what's good for you".

      You can see where it's difficult to judge the proper tradeoffs between ease and convenience on one hand, and security on the other hand. All those Outlook attachments have been more than sufficient evidence of how easily such judgement can be in error.

      --
      "Provided by the management for your protection."
    3. Re:I wish things were always so easy... by Mike+Schiraldi · · Score: 5, Funny

      That's not Windows Update; i own your box and have been busy setting it up the way i like it.

      --

      --
      Mod up a post Rob doesn't like and you'll never mod again

  7. Microsoft is getting smart by mikosullivan · · Score: 5, Insightful
    The increased pace of security patches from MS may indicate that they're finally serious about security. If so, the OSS movement needs to be wary. Windows lack-of-security has always been a major harping point for the OSS movement. Yes, I'm glad for the windows-users of the world that their OS is getting better, but those of us who preach OSS to our colleagues and friends need to be aware that a major talking point may be going away. If MS really has decided that Security Counts, they've got pretty deep pockets to do something about it. Sun and IBM have both proven that the closed-source system can in fact produce pretty secure operating systems.

    Microsoft is a formidable opponent. They're very rich and very good at using those riches to get what they want. We need to avoid being smug.

    --
    Miko O'Sullivan
  8. Debian by nuggz · · Score: 4, Informative

    Come on, they exist.
    upgrading with apt is easy, and not much work.
    *BSD also have their update tools, and some other posters mentioned Redhat tools.

    These things exist, you just have to use them. Or maybe they should be made prominent however XP does it so people will complain about the security pitfalls of doing so.

  9. What the patches fixed (for the lazy) by aardwolf64 · · Score: 4, Informative
    http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS02-023.asp

    For those that are SO lazy that you can't click on the link:

    Technical description:

    This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following six newly discovered vulnerabilities:

    • A cross-site scripting vulnerability in a Local HTML Resource. IE ships with several files that contain HTML on the local file system to provide functionality. One of these files contains a cross-site scripting vulnerability that could allow a script to execute as if it were run by the user herself, causing it to run in the local computer zone. An attacker could craft a web page with a URL that exploits this vulnerability and then either host that page on a web server or send it as HTML email. When the web page was viewed and the user clicked on the URL link, the attacker's script injected into the local resource, the attacker's script would run in the Local Computer zone, allowing it to run with fewer restrictions than it would otherwise have.
    • An information disclosure vulnerability related to the use of am HTML object provides that support for Cascading Style Sheets that could allow an attacker to read, but not add, delete or change, data on the local system. An attacker could craft a web page that exploits this vulnerability and then either host that page on a web server or send it as HTML email. When the page was viewed, the element would be invoked. Successfully exploiting this vulnerability, however, requires exact knowledge of the location of the intended file to be read on the user's system. Further, it requires that the intended file contain a single, parcicular ASCII character.
    • An information disclosure vulnerability related to the handling of script within cookies that could allow one site to read the cookies of another. An attacker could build a special cookie containing script and then construct a web page with a hyperlink that would deliver that cookie to the user's system and invoke it. He could then send that web page as mail or post it on a server. When the user clicked the hyperlink and the page invoked the script in the cookie, it could potentially read or alter the cookies of another site. Successfully exploiting this, however, would require that the attacker know the exact name of the cookie as stored on the file system to be read successfully.
    • A zone spoofing vulnerability that could allow a web page to be incorrectly reckoned to be in the Intranet zone or, in some very rare cases, in the Trusted Sites zone. An attacker could construct a web page that exploits this vulnerability and attempt to entice the user to visit the web page. If the attack were successful, the page would be run with fewer security restrictions than is appropriate.
    • Two variants of the "Content Disposition" vulnerability discussed in Microsoft Security Bulletin MS01-058 affecting how IE handles downloads when a downloadable file's Content-Disposition and Content-Type headers are intentionally malformed. In such a case, it is possible for IE to believe that a file is a type safe for automatic handling, when in fact it is executable content. An attacker could seek to exploit this vulnerability by constructing a specially malformed web page and posting a malformed executable file. He could then post the web page or mail it to the intended target. These two new variants differ from the original vulnerability in that they for a system to be vulnerable, it must have present an application present that, when it is erroneously passed the malformed content, chooses to hand it back to the operating system rather than immediately raise an error. A successful attack, therefore, would require that the attacker know that the intended victim has one of these applications present on their system.


    Finally, it introduces a behavior change to the Restricted Sites zone. Specifically, it disables frames in the Restricted Sites zone. Since the Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email Security Update and Outlook 2002 all read email in the Restricted Sites zone by default, this enhancement means that those products now effectively disable frames in HTML email by default. This new behavior makes it impossible for an HTML email to automatically open a new window or to launch the download of an executable.

  10. MS is rich because.... by Steveftoth · · Score: 4, Informative

    they are great salesmen. They basically sold the entire world a product that simply didn't do what they said it would do. Only now are they finally making good on their promise.
    They are finally making the software robust and not crash 20 times a day.
    They are finally making it such that you can actually use the programs without fear of having to reinstall the whole when you try to get a new screensaver.
    They are finally making it a good product.

    What's wrong with this? They've been charging for the full product all along, when only now are they finally delivering. They have suckered the entire world. They take your money every time you buy a computer even if you don't use their software.

  11. They deserve to be flamed by Vicegrip · · Score: 5, Insightful

    Nobody else claims their browser is a key component of the operating system-- that it cannot be removed because its functionality is so interwoven into the operation of the system.

    Of course people are going to flame Microsoft for designing such a product with so many critical security holes which compromise their computer, making it part of the OS and then arrogantly refusing to give people the ability to remove it. At least I can un-install every other browser if I decide it doesn't suit me.

    You complain about people flaming Microsoft. I submit to you that if that corporation wasn't so arrogant, pushing its views and way of doing things onto everyone else then stifling the innovation of others, that people would be a lot more forgiving of mistakes.

    I have no sympathy. Not for this corporation. Microsoft made this bed, it can sleep it in now.

    --
    Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
  12. Browser wars by Jungle+guy · · Score: 4, Insightful

    These constant Internet Exploer fixes are a result from the "browser wars", when MS an Netscape competed to release their new browser every six new months or so. The rush prevented good code auditing, and several bugs were not wiped.
    Now that this "war" is over, I hope MS (and Netscape) make a good review of their browser before releasing it, and stabilize the existing code. If we are lucky, IE 7 will be shipped only in 2003 or 2004 - and by "we" I mean every internet user, for the bugs in IE helped the spread of annoying worms like Nimda and Klez.

  13. Re:how to get them (MSFT) to make patches that wor by talks_to_birds · · Score: 4, Insightful
    • "...Remember "Code Red" ? It was just like any other worm attack..."

    Bullsh*t.

    How come my firewall is *still* seeing 80+ Code Red/Nimda probes daily?

    Just like any other worm?

    You have no clue.

    The number of infected Micro$oft boxes out there is scarcely any less than it was six months ago, thanks mainly to clueless Micro$oft users...

    t_t_b

    --
    I'm on PJ's "enemies" list! Are you?
  14. MS (in)security and /. MS bashing by theolein · · Score: 5, Insightful

    I notice that everytime MS gets a negative posting here, which is often and to be expected, since this is a place where you don't have to fear any recriminations when posting negative MS articles (Rob Malda does not have to report to an editor in chief and explain why he's undermining the MS advertising on the site), A lot of people post a lot of anti-slashot commentaries about anti-MS bias etc.

    This is one of the few *very* public sites that I can go to and read public criticisms of MS, step by step. If I wanted to read what a fantastic job MS is doing with it's security and how it really is such a *fab* company, then I could either go to MS' site and read the marketing departments latest press releases or go to ZDNet and read commentaries by the zombies in their editorial department.

    I *want* to read extremely critical news here on /. Criticism keeps MS on it's toes and stops them from doing what they like with users' (including your) rights. It gives me a good critical counterclaim for every piece of anti-linux FUD that comes from MS.

    /. May often be wrong but they don't try to tell me how wonderful is and how I can just back and let MS handle all my problems.