Microsoft Notes Critical Security Holes in Windows, Office
Scoria writes "CNN is reporting that the infamous Microsoft has disclosed six critical Internet Explorer vulnerabilities, including some that would allow an attacker to execute arbitrary commands. According to the relevant TechNet bulletin, a cumulative patch has been released to address them." Please be sure to read the EULA before installing the patch.
As my grandfather who was a doctor said, "Doctors, mechanics and others like these all benefit from the misfortunes of others".
Today I just spent 3 1/2 hours updating security patches on a group of machines in an office for Office 2000. The people there are annoyed about all the patches, and we joked about it being "this month's security update". Now there's this, and I'm going to be called in again to update their machines. On one hand it's irritating, on the other hand it gives me more work, which I need at the moment.
A few of them are curious about Linux, and I keep it in their mind - not telling them that it will solve all their problems, but that in the near future it may be beneficial for them to consider it. I let them know an alternative is there, and they are positive, no knee-jerk reactions. I'm honest to them about its advantages and disadvantages - where it will help them and where it will be a challenge. When the time is ripe they will change over - it is inevitable. This won't eliminate the need for security patches, but I hope through the use of thin clients only one or two machines will ever need updating.
What if Microsoft has an API to bypass the filters Zone Alarm hooks in?
I have never seen the sense in firewalling a machine with the same machine.
Maybe it's just me, but I fail to see a single mention of the EULA, much less a statement that it changes when you apply this patch. Even when installing, the only dialog presented to the user is the "Do you want to install this update?" box. I'm as concerned as the next guy about Microsoft's propensity to sneak in unannounced EULA changes and automatic updates without telling you, but let's not point fingers where there's nothing to see.
You know, I think I would rather trust the strangers.
I believe the phrase is, "Better the Devil you know."
This means Microsoft, sorry to say. Of course, I use Mozilla exclusively on a Mac and a Linux machine. No Windows boxes for me at all.
-----
"You spilled my egg... I needed that egg."
People who actually examine the patches on their Open Source O.S. raise your hands.
Linus put your hand down.
Seriously, we should be pushing for accountability, not a world where everybody's grandma has to learn C++ just to make sure that the big bad software company hasn't installed a trojan horse.
When you got your oil changed last, did you take the engine apart to make sure that your mechanic didn't put a rabbit in there?
I know that you probably change your own oil. It's an example.
*everything* is Orwellian to cats.
I noticed the same thing. The question is, does the lack of opportunity to view the EULA negate it?
DOS is dead, and no one cares...
If there's a Bourne Shell, I'll see you there
I use Debian, which has a distributed system of people who approve patches, typically separate from the OSS projects that produce the patches. I'm not going to say Debian is the perfect system (a patch may be integrated without really looking at it, or a server may be hacked and malicious code uploaded), but it is good enough that I don't really feel I have to worry about it.
Then again, I don't worry too much about MS on the malicious code side. I won't install a patch the first day it comes out and will watch for installers' reactions (with Debian I'll install and if I'm having a new problem I'll check Debian boards about the patch). I am, however, getting more and more upset on the EULA side. For a product that is supposed to be free, I.E. sure asks for a lot.
-no broken link
My favorite part of the EULA is where you can not reveal the results of any benchmark tests of the .NET framework unless Microsoft gives you permission to do so.
What does that tell us about .NET?
I wonder if saying something like "I would like to tell you exactly how slow the .NET framework is, but then Microsoft would sue me" would be ok.
Interestingly enough, though...you only have to accept the EULA if you use the Windows Update feature of IE. If you just download the fix from TechNet, no EULA is mentioned.
Hey, those of you who actually operate a printing press raise your hands.
See? There's only about three of them. There's no point in freedom of the press if only three people use it.
Ok, now everyone who's been arrested this week raise your hands.
Only a couple dozen out of a couple hundred thousand? Ok, no point in rights for the accused, then.
Next up, let's see how many of you are black. Only about ten percent? Well, what's the point in those equal protection and non-discrimination clauses? Most people don't need them.
No, because I could sue my mechanic for breaking my car. I can't sue Microsoft for breaking my computer.
Plus you still have spent two+ hours on that, or another, installation issue.
The Mongrel Dogs Who Teach
For me, the cost of running Red Hat 7.3 on that machine is not zero. It was about two hours of my time.
But you would have spent time setting up the machine, whatever the OS.
But you would have spent time setting up the machine, whatever the OS.
Nope. Installing Windows 2000 Professional is about three ten-minute jobs, separated by big gaps of free time to do other things. Job #1: boot from the CD and partition and format the drive. Go do something else for an hour or so. Job #2: kick off the OS install. Go do something else, or have lunch, or whatever. Job #3: finish the OS install and set up the RAID set. Go home while the RAID set formats overnight.
Total time from start to finish is measured by looking at a calendar. Total time spent on the job is about half an hour.
Why is it that a company can use such a poor security model and people will still think they should make up for it by buying all sorts of band-aids to the real problem of a late implementation of a security model by Microsoft?
Because Microsoft owns the computer industry. It sucks. Their software is worthless. What's an admin supposed to do? Go deploying linux boxes at every workstation? Sure, I'd love that. There's a few UNIX geeks in various departments who would love that too. For the people who have no business using a computer, having e-mail, or getting on the internet, it'd take us years to train them in on linux. Then all we'd hear is "why can't I install this dancing puppy thingy that my stupid ass aunt sent me?"
The fact is, to deploy linux and force users into it goes against everything that an IT department stands for. We have to cater to the greater audience. If 90% of our users refuse to use anything other than Windows, we're screwed. We can hold daily meetings about what Microsoft has done NOW, why they're evil, why their software is bad for us, they still won't get it.
When it comes to anti-virus, firewall, and ad blocking, open source is a great option. Squid, MIMEDefang, SpamAssassin, junkbuster, it's all good. Better yet, it's all free. An IT department can put up an open source blockade at the door, the users don't know the difference, and we're much happier.
So, to sum it up, we know MS sucks. I hate their software with a passion. SOMETIMES YOU JUST DON'T HAVE A CHOICE. I run linux at work and at home. We run linux products at the T1 entry point here at work. We have to run Windows on most desktops because THE PEOPLE WHO USE THEM ARE MORONS AND DON'T CARE ABOUT SECURITY.
There is no reasonable defense against an idiot with an agenda
:wq
It makes them look worse, because it's a perfect example of how browser security holes *should* look. There's one hole, it was patched immediately. Rather than a laundry list of issues ranging from a couple weeks to a couple years old.
From following that link, you can see that it is obviously *possible* to build a browser (a good one, in my experience... upgraded to Mozilla 1.0 from Netscape 4.7, since I hated NS6 and won't use IE) that has relatively few security holes, and it is also possible to fix them as they come up. What excuse do you want to give on MS's behalf for being so behind, especially when they have a lot more resources to throw at the issue?
Don't you wish your girlfriend was a geek like me?
Download now to continue keeping your computer secure. ;) I stopped messing with patches a couple of years ago, and am probably much safer than anyone who is almost current.
Microsoft's idea of security. It's really just as secure after the download and patch as it was before