Microsoft Notes Critical Security Holes in Windows, Office
Scoria writes "CNN is reporting that the infamous Microsoft has disclosed six critical Internet Explorer vulnerabilities, including some that would allow an attacker to execute arbitrary commands. According to the relevant TechNet bulletin, a cumulative patch has been released to address them." Please be sure to read the EULA before installing the patch.
As my grandfather who was a doctor said, "Doctors, mechanics and others like these all benefit from the misfortunes of others".
Today I just spent 3 1/2 hours updating security patches on a group of machines in an office for Office 2000. The people there are annoyed about all the patches, and we joked about it being "this month's security update". Now there's this, and I'm going to be called in again to update their machines. On one hand it's irritating, on the other hand it gives me more work, which I need at the moment.
A few of them are curious about Linux, and I keep it in their mind - not telling them that it will solve all their problems, but that in the near future it may be beneficial for them to consider it. I let them know an alternative is there, and they are positive, no knee-jerk reactions. I'm honest to them about its advantages and disadvantages - where it will help them and where it will be a challenge. When the time is ripe they will change over - it is inevitable. This won't eliminate the need for security patches, but I hope through the use of thin clients only one or two machines will ever need updating.
Um, shouldn't you allow your family to make their own decisions? You can suggest they don't use MS, but saying you don't allow it seems a little peculiar. And guess what? Programmers aren't perfect. Even the best ones make errors (even Knuth, rarely). The fact that Microsoft found six holes, disclosed it, and released patches is a terrible reason to say "I won't allow my family to use MS". Jeez. Remember the hole in OpenSSH? Do you refuse to let your family use that too?
slashdot!=valid HTML
You know, I really hate this changing of the EULA... It should be illegal. It's their fault that they screwed up and had it insecure...
This is like Ford issuing a recall, then changing your lease/purchase agreement when you bring it in for the recall...
Slashdot is like Playboy: I read it for the articles
"OH MY GOSH!!!! MICROSOFT HAS ANOTHER VULNERABILITY!!! THAT'S NEWS!!!"
Just for kicks, I signed up for Microsoft security bulletins. I get hordes of e-mail every week, as new vulnerabilities are continually found in each of their products. Being an IE administrator it's important to subscribe to this stuff.
New IE patches come out about every 2 months. This patch is not all that big of a deal. All the fixed issues had workarounds, and a lot of it could be prevented by using a good proxy server.
The fact that Slashdot immediately jumps all over Microsoft for this is ludicrous. Get a life.
There is no reasonable defense against an idiot with an agenda
:wq
What if Microsoft has an API to bypass the filters Zone Alarm hooks in?
I have never seen the sense in firewalling a machine with the same machine.
DRM? No thanks, I'll just get it somewhere else...
Maybe it's just me, but I fail to see a single mention of the EULA, much less a statement that it changes when you apply this patch. Even when installing, the only dialog presented to the user is the "Do you want to install this update?" box. I'm as concerned as the next guy about Microsoft's propensity to sneak in unannounced EULA changes and automatic updates without telling you, but let's not point fingers where there's nothing to see.
Why is it that companies (and individuals) complain and complain about how much time/money/energy they spend on patching Microsoft products and yet don't do anything to change a) their practices and b) their product choices?
This is an honest question that I'm wondering about. I agree with the people who also wonder why Microsoft flaws get so much attention from /. and Linux/Solaris/Apple/etc flaws get next to none. To those that say "Because there aren't any worthwhile reporting on." I say "Read more." The recommended patch cluster from Sun has lots of interesting reading.
There seem to be _a lot_ of alternatives for almost everything. How many of those alternatives are used by more than the developers of those alternatives? By more than the friends/family of the developers? For my part, I don't have the money right now to get a second machine and my current Windows machine is used primarily for games. However, when I get the money, I will be running something other than Microsoft products where possible. My browser of choice right now is Mozilla. But there are sites that require me to use I.E. much to my disappointment. What are the technically savvy people doing to help their companies move away from Microsoft and what alternatives are they proposing? [And no 'Linux' isn't a good answer. What distro of Linux?]
Personally, I'm glad Microsoft changed their EULA to say that it gives them the right to run whatever they want on your computer. It gave me a wakeup call to read the EULAs more carefully. Occasionally, I turn down the EULA and don't use the product. Are other people finding that they are reading EULAs more carefully and actually turning them down more?
--Maarten
Don't -1 the parent, a good point was made, just not that well.
If your servers are configured correctly and you have redundancy in place then there should be no problem installing this update.
If you don't use load balancing then just bring the warm/cold server online while you take the server you're about to update offline.
Spend a few days testing the updated server,
and then sync with the cold/warm server and repeat.
If you use load balancing then take some servers out of the loop and run them concurrently to make sure Microsoft hasn't broken anything, then repeat until all servers are updated.
If all of the above sounds like voodoo then you should be more concerned about your internal systems than any bugs that might be in Windows.
thank God the internet isn't a human right.
You know, I think I would rather trust the strangers.
I believe the phrase is, "Better the Devil you know."
This means Microsoft, sorry to say. Of course, I use Mozilla exclusively on a Mac and a Linux machine. No Windows boxes for me at all.
-----
"You spilled my egg... I needed that egg."
People who actually examine the patches on their Open Source O.S. raise your hands.
Linus put your hand down.
Seriously, we should be pushing for accountability, not a world where everybody's grandma has to learn C++ just to make sure that the big bad software company hasn't installed a trojan horse.
When you got your oil changed last, did you take the engine apart to make sure that your mechanic didn't put a rabbit in there?
I know that you probably change your own oil. It's an example.
*everything* is Orwellian to cats.
And that Debian releases a security notice for every flaw found in every (over 10k) packages that they maintain.
MS on the other hand often ignores security issues (21 open security problems with IE) and does not maintain as many packages.
I noticed the same thing. The question is, does the lack of opportunity to view the EULA negate it?
DOS is dead, and no one cares...
If there's a Bourne Shell, I'll see you there
Speaking of moot points, I'll use one now.
Linux appreciation/zealotry is about ideals. It's not that we necessarily want to look at the components, but just that we have the option to do it if we are so truly paranoid.
That said, I agree with you anyway.
Though what you say may at first appear to be true,
You may require FTP or HTTP access onto other parts of the network from the servers.
Local documentation may be in HTML.
Configurations may render through an embedded IE component (like the evilly unstable Microsoft Management Console).
When you consider that IE isn't a web browser any more than an HTML rendering component then updating IE makes sense.
Maybe the question you should ask is 'Why are you running a GUI on a server'
thank God the internet isn't a human right.
I use debian, which has a distributed system of people who approve patches, typically separate from the OSS projects that produce the patches. I'm not going to say Debian is the perfect system (a patch may be integrated without really looking at it, or a server may be hacked and malicious code uploaded), but it is good enough that I don't really feel I have to worry about it.
Then again, I don't worry too much about MS on the malicious code side. I won't install a patch the first day it comes out and will watch for installers' reactions (with Debian I'll install and if I'm having a new problem I'll check Debian boards about the patch). I am, however, getting more and more upset on the EULA side. For a product that is supposed to be free, I.E. sure asks for a lot.
-no broken link
The fact that someone actually can check the contents of the patch makes vendors think twice before doing something stupid. And that's important.
When you got your oil changed last, did you take the engine apart to make sure that your mechanic didn't put a rabbit in there?
Same applies here. The fact that I can open the engine and check, or give my car to another mechanic, who will check it for me and make a rabbit in the engine an obvious reason for engine malfunction, forces the first mechanic not to do so. :) :)
There are other reasons of course, but I find this one to be most persuasive
Leonid Mamtchenkov
My favorite part of the EULA is where you can not reveal the results of any benchmark tests of the .NET framework unless Microsoft gives you permission to do so.
What does that tell us about .NET?
I wonder if saying something like "I would like to tell you exactly how slow the .NET framework is, but then Microsoft would sue me" would be ok.
Interestingly enough, though...you only have to accept the EULA if you use the Windows Update feature of IE. If you just download the fix from TechNet, no EULA is mentioned.
Hey, those of you who actually operate a printing press raise your hands.
See? There's only about three of them. There's no point in freedom of the press if only three people use it.
Ok, now everyone who's been arrested this week raise your hands.
Only a couple dozen out of a couple hundred thousand? Ok, no point in rights for the accused, then.
Next up, let's see how many of you are black. Only about ten percent? Well, what's the point in those equal protection and non-discrimination clauses? Most people don't need them.
No, because I could sue my mechanic for breaking my car. I can't sue Microsoft for breaking my computer.
It'll cut that down to 10 minutes. Forget going to individual desktops - and FORGET MICROSOFT SMS.
heh heh
It's nothing, just your carbodyluminocap acting up... just a couple of hours to fix.
Plus you still have spent two+ hours on that, or another, installation issue.
The Mongrel Dogs Who Teach
...a lot of Microsoft patches do not undergo regression testing.
HotFixes and QFE patches state that they have NOT been fully regression tested.
This is a known fact to most decent NT/W2K sysadmins.
For me, the cost of running Red Hat 7.3 on that machine is not zero. It was about two hours of my time.
But you would have spent time setting up the machine, whatever the OS.
Of course being a total anti-Microsoft comment, this little tidbit was conveniently left out.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
But you would have spent time setting up the machine, whatever the OS.
Nope. Installing Windows 2000 Professional is about three ten-minute jobs, separated by big gaps of free time to do other things. Job #1: boot from the CD and partition and format the drive. Go do something else for an hour or so. Job #2: kick off the OS install. Go do something else, or have lunch, or whatever. Job #3: finish the OS install and set up the RAID set. Go home while the RAID set formats overnight.
Total time from start to finish is measured by looking at a calendar. Total time spent on the job is about half an hour.
You complain about it when it's patched.
You complain about it when it isn't patched.
You complain about them finding security holes.
You complain about them not finding security holes.
Grow up.
It's a big program used by a lot of people with a lot of other people trying to break it.
There will always be holes.
Nothing is perfect.
Nothing is totally secure.
Except possibly something broken and completely worthless, and probably not even then...
I must admit, Mr. Gates is one incredible business man.
Don't announce security holes unless you are ready to release a patch, then you look like you're acting fast with no delay to solve the problem. Customers like that. Customers don't like to be warned that there is a hole with no patch, even if it will help them avoid potential problems, because it makes your company look irresponsible or slow or lazy or whatever.
When I say customer, I mean the portion of the population that doesn't even know what an EULA is. I mean the portion who, if told they need to pay a monthly license fee, would shovel out the money as a necessary expense. I mean those who think a web browser or its home page determines the ISP that you use.
TodayTM BillyJoelTM GoogleTMd for StitchTMes due to WindowsTM while RollerbladeTMing with an AppleTM and a PopsicleTM
First off, I'm not saying that MS doesn't need to work harder at making their software more secure BEFORE releasing it. But if you think about it, there really is nothing computer related that is 100% secure. There's always someone that finds some way around whatever security gets implemented. Windows is the #1 OS by a long shot, and therefore has WAY more people trying to exploit any vulnerabilities. I believe that if Linux or some other OS had such a huge market share that perhaps there would be a lot more people finding security holes in those systems. Personally, I run FreeBSD on my server, but I use WinXP on my personal box, b/c it's primarily used for gaming. Anyway, just my viewpoint.
R.
So.... You prove your point (that ie isn't the only insecure browser) by linking to a page, that lists ONE hole in mozilla and related, which is FIXED? Actually, if that page speaks the ultimate truth, mozilla isn't insecure, since they fixed their one bug.
Besides. The same page shows that IE has 16 unpatched vulnerabilities!! And about 15 patched ones. How can you even begin to think that that comparison speaks in favour of anything other than Mozilla and its offspring?
------- I fumbled my registration and I now must suffer
It makes them look worse, because it's a perfect example of how browser security holes *should* look. There's one hole, it was patched immediately. Rather than a laundry list of issues ranging from a couple weeks to a couple years old.
From following that link, you can see that it is obviously *possible* to build a browser (a good one, in my experience... upgraded to Mozilla 1.0 from Netscape 4.7, since I hated NS6 and won't use IE) that has relatively few security holes, and it is also possible to fix them as they come up. What excuse do you want to give on MS's behalf for being so behind, especially when they have a lot more resources to throw at the issue?
Don't you wish your girlfriend was a geek like me?
"The security warnings are the latest headaches for the Redmond, Washington- based software company."
Headaches for Microsoft? How about headaches for their users?
Why the hell can't MS stop making these stupid mistakes and save us all from these damn headaches?
Download now to continue keeping your computer secure. ;) I stopped messing with patches a couple of years ago, and am probably much safer than anyone who is almost current.
Microsoft's idea of security. It's really just as secure after the download and patch as it was before