Slashdot Mirror


Microsoft Rereleases Patch to Fix Problems

AbdullahHaydar writes "From CRN: 'One day after releasing a fix for an Office XP flaw, Microsoft upgraded the severity of the vulnerability to critical and re-issued a new patch to address a new attack scenario discovered in the last 24 hours.' The funny thing is that the second bug they missed with the first fix is 'critical' whereas the original bug the fix was for is 'important.'"

226 comments

  1. It ain't necessarily so by Space+cowboy · · Score: 5, Insightful

    The fact that 24 hours after releasing an 'important' bug patch, Microsoft re-released a 'critical' bugpatch should *not* be held against them! It certainly would not be the first time someone had realised that the consequences of X are far more than previously thought.

    I'm no apologist for MS (see my posting history :-), but re-releasing a new patch at a higher security classification ought to be applauded, not ridiculed. Fair play, guys, and play the game according to *all* the rules, not just the "Redmond -4" ruleset...

    Simon

    --
    Physicists get Hadrons!
    1. Re:It ain't necessarily so by Kethinov · · Score: 4, Insightful

      Yeah, my thoughts exactly.

      I read the headline and the summary and it left me wondering "uh, and?"

      This just in, grass is green! Whether your OS is corporate or open source, security patches are going to happen and revisions of security patches are going to happen.

      --
      You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
    2. Re:It ain't necessarily so by GuyMannDude · · Score: 2, Funny

      I'm no apologist for MS (see my posting history :-), but re-releasing a new patch at a higher security classification ought to be applauded, not ridiculed.

      Applauding Microsoft for having to re-release a patch is like applauding Idi Amin for only eating some dude's skin and muscles and not his intestines or eyeballs. Or applauding Paris Hilton for having the good sense to only videotape herself having regular and oral sex and not anal sex.

      GMD

    3. Re:It ain't necessarily so by whoever57 · · Score: 1

      But perhaps Microsoft should be criticised for releasing a partial fix earlier? For not investigating the earlier problem with enough diligence?

      --
      The real "Libtards" are the Libertarians!
    4. Re:It ain't necessarily so by pilgrim23 · · Score: 1

      Seems I remember reading somewhere: http://slashdot.org/article.pl?sid=04/02/26/1555208&mode=thread that the only reason Windows has holes is due to the patches. Was the 1st patch not creating a big enough crevasse and the Redmond crowd needed to dig a deeper one?

      --
      - Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
    5. Re:It ain't necessarily so by THE+ROCK · · Score: 4, Funny
      Or applauding Paris Hilton for having the good sense to only videotape herself having regular and oral sex and not anal sex.


      I for one DO applaud Paris Hilton for doing just that. After all, videotaping yourself having ANAL sex and having it leaked all over the internet might get a little embarrassing for her. Good thing she didn't let things go THAT far!

    6. Re:It ain't necessarily so by Anonymous Coward · · Score: 0

      Considering they had seven months to get it right, what's shocking is that they could get it so incredibly wrong! I wouldn't hold it against Microsoft if they took less than a week to patch the vulnerability (like some of their competitors do)

    7. Re:It ain't necessarily so by dynamo · · Score: 1, Offtopic

      Frankly, I would have applauded her more if she had gone ahead and videoed the anal sex scenario as well. But that's just me. I'm sure no one feels that way.

    8. Re:It ain't necessarily so by dynamo · · Score: 1

      Sorry, that should have been 'no one else'

    9. Re:It ain't necessarily so by Anonymous Coward · · Score: 0

      One video caused $50,000,000 damage to the Hilton trademark. Support American women in their desire to be completely irresponsible!

    10. Re:It ain't necessarily so by pantycrickets · · Score: 0, Offtopic

      Frankly, I would have applauded her more if she had gone ahead and videoed the anal sex scenario as well. But that's just me. I'm sure no one feels that way.

      You're right! What she did was disgusting, and the fact that no one downloads her raunchy XXX video is further proof that America, and the world at large is FED UP with that kind of behavior.

    11. Re:It ain't necessarily so by dnoyeb · · Score: 2, Funny

      whew. I was just about to check it out for myself. But since I know it's raunchy thanks to you, I can spare myself :)

    12. Re:It ain't necessarily so by pantycrickets · · Score: 3, Insightful

      But perhaps Microsoft should be criticised for releasing a partial fix earlier? For not investigating the earlier problem with enough diligence?

      Perhaps nearly every network enabled software developer should be criticised for the same? I'm sorry, but that was an asinine statement.

      Nearly every major piece of software on any OS, especially those that accept network connections have had multiple vulnerabilities over time. Even those developers who are extremely diligent (ie. OpenBSD) have had their share of problems.

      Any action on a developer's part, especially a proactive one, should be commended..

    13. Re:It ain't necessarily so by Phexro · · Score: 5, Funny

      It's a hot thing to do in bed if you're a slutty shaved blonde worth $30m.

      It is not a hot thing to do if you're a 300lb, hairy, sweaty slashdot nerd 'flying solo.' I beg you, slashdot readers, don't video tape yourselves in bed.

    14. Re:It ain't necessarily so by pantycrickets · · Score: 1

      I thought my sarcasm was obvious. Yeah, everyone talks so much about how she's too skinny, too nasty, too stupid. But I bet nearly anything it was the most downloaded video in internet history. I can't think of something that would compete.

      I know I had to check it out. NASTY SKANK!, I think I'll just, yeah.. go ahead and let it loop...

    15. Re:It ain't necessarily so by the_mad_poster · · Score: 4, Insightful

      So everyone could get on their ass for slow patching instead?

      Look, they patched a hole in a relatively decent period of time. They then patched additional issues quickly as well.

      I hate Microsoft too, but for crying out loud... how utterly fucking naive do you have to be to sit there trying to spin reasonable patch fixes against the company? Some people just need to get a life...

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    16. Re:It ain't necessarily so by shadowbearer · · Score: 1

      After reading your post and the ones below it, I am left wondering if Microsoft didn't quite let their testing department finish before releasing the patch.

      At least they fixed it, in any case. But now I'm wondering if there aren't other things they missed, or that the poor Patch Testing monkeys will find tomorrow.... not that releasing incomplete or flawed patches is that unusual for Microsoft (and yes, I'm aware that it can happen to anyone, but MS has quite a track record in that respect)

      SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
    17. Re:It ain't necessarily so by sik0fewl · · Score: 1

      And of course if Microsoft didn't fix it right away there'd still be a slashdot story about it. Only it would be about how Microsoft is so irresponsible and takes forever to release patches instead of fixing them right away.

      --
      I remember when legal used to mean lawful, now it means some kind of loophole. - Leo Kessler
    18. Re:It ain't necessarily so by whoever57 · · Score: 2, Insightful
      Perhaps nearly every network enabled software developer should be criticised for the same?

      Clearly multiple vulnerabilities exist and are discovered. My issue is that if a new patch is released one day after the first patch was released, it appears that insufficient investigation went into the first problem. One might also want to question the level of quality control that went into the second patch.

      Any action on a developer's part, especially a proactive one, should be commended.

      I agree that Microsoft should be commended for putting out the second patch and not ignoring the issue.

      --
      The real "Libtards" are the Libertarians!
    19. Re:It ain't necessarily so by whoever57 · · Score: 1
      So everyone could get on their ass for slow patching instead?

      Look, they patched a hole in a relatively decent period of time. They then patched additional issues quickly as well.

      An alternative explanation that fits the known facts is that Microsoft did not expend sufficient resources investigating the problem and fixing it. Time has nothing to do with it if they did a lousy job in the first case.

      Spinning multiple fixes within a day of each other benefits no-one. Microsoft should be expected to:
      1. Do it within a reasonable time
      2. Get it right first time
      With the resources available to Microsoft, expecting this is not unreasonable.

      --
      The real "Libtards" are the Libertarians!
    20. Re:It ain't necessarily so by pantycrickets · · Score: 1

      One might also want to question the level of quality control that went into the second patch.

      As you always should, especially for security sensitive applications.

    21. Re:It ain't necessarily so by Cyno01 · · Score: 2, Informative

      She's worth $300m, if that makes it any hotter... :p

      --
      "Sic Semper Tyrannosaurus Rex."
    22. Re:It ain't necessarily so by ameoba · · Score: 2, Insightful

      It's a hype thing. Everyone wanted to see it 'cuz "everyone" was looking at it already. When coupled with the fact that she's in the richest 1% of the population, somewhat famous & better looking than most women it's all the more interesting.

      But she's not that hot; I can go downtown to any bar in the city & get turned down by a dozen prettier girls.

      --
      my sig's at the bottom of the page.
    23. Re:It ain't necessarily so by bl8n8r · · Score: 1

      Microsoft has been patching patches, to patch patches with patches, for the past 10 years with limited success. It's gotten out of control and now they call the really big patches "Upgrades".

      This article seems more a testament to the futility of patching windows, not a dig at making mistakes.

      - Oxymoron: Microsoft Works

      --
      boycott slashdot February 10th - 17th check out: altSlashdot.org
    24. Re:It ain't necessarily so by AnonymousNoMore · · Score: 1

      the fact that she's .... better looking than most women

      Seriously? I think she's got a hideous face. Maybe she just seems better looking with all that cash in her wallet.

      I think that video was shot in the dark for a reason. The guy probably couldn't keep it up if he's had a lamp lit.

    25. Re:It ain't necessarily so by void+warranty() · · Score: 1

      Dude, Murphy's law applies to everyone, even Microsoft.

    26. Re:It ain't necessarily so by Otter · · Score: 1
      Indeed it does.

      Fortunately, thanks to Phexro's warning, I now know better than to film myself.

    27. Re:It ain't necessarily so by bill_doors · · Score: 1

      Sex in all its ways is something beautiful... IMHO i don't think that is good idea mess Sex with M$, at least we are talking about sex brutality or something like that ;)

    28. Re:It ain't necessarily so by the_mad_poster · · Score: 3, Insightful

      You've got to be kidding me, right? Look, I've got it in for Microsoft-the-monopoly, but not like this. They patched a damn problem and they did it fairly quickly. Even if they goofed on the first one, they took a mere 24 hours (a fairly typical OSS turnaround) to come back and offer reparations for it. Not only did they not drag their feet on the fix, they didn't drag their feet on repairs of a potential oversight from the first one.

      Note the bold highlights since it's all speculation as to whether it was their goof or a mere coincidence that additional issues were discovered in the process. Some people are just trying to spin one of Microsoft's rare good moments against them as a knee-jerk reaction. I'm all for alternative OS's and choice, but on technical merit, not knee-jerk anti-MS reactions and unsubstantiated speculation.

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    29. Re:It ain't necessarily so by the_mad_poster · · Score: 2, Insightful

      Exactly - I'm far from a Microsoft fan. I used to sit around saying "well, let's give them the benefit of the doubt", but the more I use MS products, the less I like them and the company that made them. However, in this instance, Microsoft did a good job. STILL there are psychotic zealots trying to spin this against them.

      What amazes me is that if you confront these people (likely like whatever moron modded me flamebait while I responded to your sister post) they'll claim they're doing it "for Linux" or something similar, but they don't realize that all they're doing is making those of us who actually LIKE the system for what it is look like frothing dolts who have nothing better to do than invent bizarre, make-believe bullshit against some perceived nemesis.

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    30. Re:It ain't necessarily so by FuzzyBad-Mofo · · Score: 1

      Yeah, but it's totally cheating the way Redmond uses that Spell Trigger with Absolute Immunity, Spell Turning, and Spell Trap!

    31. Re:It ain't necessarily so by gad_zuki! · · Score: 2, Informative

      >but re-releasing a new patch at a higher security classification ought to be applauded, not ridiculed.

      You're new here aren't you?

      This is just our Microsoft Two Minutes of Hate. When you see these posts you're supposed to seethe in rage and imagine Bill Gates.

      Perhaps if we weren't such hypocrites we would be taken more seriously and more people would be running Linux for its merits and not for the hype or manufactured political reasons.

    32. Re:It ain't necessarily so by Ralph+Wiggam · · Score: 1

      In night-vision, Paris Hilton looks like a slutty racoon. That girl needs to eat some cheeseburgers, too.

      -B

    33. Re:It ain't necessarily so by Lobo93 · · Score: 0, Flamebait

      She's worth $300m, if that makes it any hotter... :p

      Nope. A shallow, mindless whore is just that, no matter the number of digits on a CRT. Incidentally, did you know the human body represents $0.97 when broken down into purchasable(!) chemicals?

      I guess the definition of human worth per se has relative connotations in the specific classes/castes of society, with the common denominator being a monetary expression.

      "Money, money, money
      Must be funny
      In the rich-bitch world
      Money, money, money
      Always sunny
      In the rich-bitch world"

      Flaxscript, anyone? ;)

      --
      "The only clear view is from atop the mountain of our dead selves." - Peter Carroll
    34. Re:It ain't necessarily so by RockDoctor · · Score: 1

      Or applauding Paris Hilton for having the good sense to only videotape herself having regular and oral sex and not anal sex.

      So, all those spams I've been getting refer to some woman getting low down and dirty (with what? a man? a root vegetable? the scheduler code in kernel 2.5.3?), and not to advertising an over-priced French guest house. It's all so much clearer now!

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    35. Re:It ain't necessarily so by Anonymous Coward · · Score: 0

      The Dancing Baby was probably more downloaded.

    36. Re:It ain't necessarily so by SFBwian · · Score: 1

      *rants and raves*

      DEVELOPERS! DEVELOPERS! DEVELOPERS!

      Good job, MS!

      [/rant] Is imagining Ballmer OK too? :D

      --
      I'm looking to get rich. I've got steps #2 (????) and #3 (PROFIT!) planned out, but am having trouble coming up with #1.
    37. Re:It ain't necessarily so by Anonymous Coward · · Score: 0

      It's not even worth arguing about. Slashdot will spin every story with the word "Microsoft" in it to be bad. That's the whole point of this website. It's not news for nerds anymore.

    38. Re:It ain't necessarily so by nobody69 · · Score: 1

      Yeah, everyone talks so much about how she's too skinny, too nasty, too stupid. But I bet nearly anything it was the most downloaded video in internet history.

      Well, McDonalds sells more burgers than anyone else, but not too many people think they make the best burgers...

      --
      "Bugger this, I want a better world." - Jenny Sparks
    39. Re:It ain't necessarily so by SillySlashdotName · · Score: 1

      Yes, as you point out, "Nearly every major piece of software on any OS, especially those that accept network connections have had multiple vulnerabilities over time".

      BUT - and here is where your post leaves rationality - what NEW vulnerability was discovered, investigated, fixed, extensively tested, and released in those 24 hours?

      G'parent post is not asinine, it makes a good point - why was a fix that evidently was already in the pipeline not released 24 hours earlier with the other patch, or, if 24 hours more testing was needed for the 'critical' patch, why was the earlier patch not delayed 24 hours so that only one patch (and reboot) would be required?

      --
      Acts of massive stupidity are almost never covered by warranty. --me.
    40. Re:It ain't necessarily so by windex82 · · Score: 1

      Even if they goofed on the first one, they took a mere 24 hours (a fairly typical OSS turnaround)

      And one is making millions of dollars a day, the other is (usually) not.

    41. Re:It ain't necessarily so by Phexro · · Score: 1

      See, your problem is that you're trying to sell the raw human chemicals. Complete, functioning organs get much more on the black market.

      Start with a kidney, then work your way up.

    42. Re:It ain't necessarily so by abertoll · · Score: 1

      When I read the title, I didn't assume that anything is being held against MS. I thought it was just big news that they fixed something.

      --
      "he drew his sword Ringil that glittered like ice... and he wounded Morgoth with seven wounds..."
    43. Re:It ain't necessarily so by Anonymous Coward · · Score: 0
      In night-vision, Paris Hilton looks like a slutty racoon.

      Ummm... have you seen her in the daylight? She still looks like a slutty raccoon.

  2. The problem.. hmm... by thrillbert · · Score: 5, Funny
    I love that headline.. a patch to fix problems.. great.. I'll apply it to my marriage, my job, my car, my bank account (too little money could be a problem).. and I'll apply it twice to my teenage daughter for better results..

    I knew eventually microsoft would do something right...

    ---
    Universe, n.:
    • The problem.
    1. Re:The problem.. hmm... by Anonymous Coward · · Score: 0
      I'll apply it twice to my teenage daughter for better results..
      I always do.
    2. Re:The problem.. hmm... by El · · Score: 1, Funny

      I'll apply it twice to my teenage daughter for better results.

      The question is, how many times will your teenage daughter have to apply the patch to you? (My own daughter is 3 and I can't wait until she's a teen... in fact, I can't wait until she stops trying to pull me out of my chair while demanding over and over that I come play with her... your teenager doesn't still do this, does she?)

      --

      "Freedom means freedom for everybody" -- Dick Cheney

    3. Re:The problem.. hmm... by frenetic3 · · Score: 3, Funny
      I'll apply it twice to my teenage daughter for better results..
      No sweat dude, I already took care of it.

      ...okay, okay, I'm going to hell... :)

      -fren
      --
      "Where are we going, and why am I in this handbasket?"
    4. Re:The problem.. hmm... by Anonymous Coward · · Score: 0

      No, she will just be out having sex with men...

    5. Re:The problem.. hmm... by Anonymous Coward · · Score: 0

      Woops, s/n././

    6. Re:The problem.. hmm... by shadowbearer · · Score: 3, Funny


      Yeah, but can this patch help me drop my nicotine habit?

      *grumbles*

      SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
    7. Re:The problem.. hmm... by Anonymous Coward · · Score: 0
    8. Re:The problem.. hmm... by Anonymous Coward · · Score: 0

      Read this please

      I'm not going through the trouble of adding fucking backslashes when people are parsing what I write, not computers, you self-righteous turd.

  3. So now there's four 'R's? by NecroPuppy · · Score: 2, Funny

    Retry, Reboot, Reapply, and Reinstall...

    --
    I like you, Stuart. You're not like everyone else, here, at Slashdot.
    1. Re:So now there's four 'R's? by Anonymous Coward · · Score: 0

      Retry, Reboot, Reapply, and Reinstall...
      ...Rinse and Repeat.

    2. Re:So now there's four 'R's? by Anonymous Coward · · Score: 0

      Love the signature

    3. Re:So now there's four 'R's? by WorkEmail · · Score: 3, Funny

      MS releasing patches reminds me of a cartoon character trying to stop a dam from leaking where they are stretching and using poles and brooms and all of their fingers and toes to stop all of the little water leaks.

    4. Re:So now there's four 'R's? by Anonymous Coward · · Score: 0

      Retry, Reboot, Reapply, Reinstall, Rinse and Repeat... Resist Ranting Redundantly

    5. Re:So now there's four 'R's? by dasmegabyte · · Score: 4, Insightful

      Really?

      It reminds me of a company trying to fix problems with a popular software product so that their customers' computers aren't fucked up by hackers.

      But, you know, your cartoon analogy is good, too.

      --
      Hey freaks: now you're ju
    6. Re:So now there's four 'R's? by OwlWhacker · · Score: 1

      What about Microsoft patches causing BSODs, crashes, or preventing applications from working correctly?

      Isn't that more like using a wrecking ball to stop a dam from leaking?

  4. This is consistent by El · · Score: 4, Funny

    Remember, to Microsoft it is not an important problem unless they already have a fix for it!

    --

    "Freedom means freedom for everybody" -- Dick Cheney

    1. Re:This is consistent by schnarff · · Score: 1

      Especially because, after all, Windows vulnerabilities result from MS patches, and there's no such thing as a hole that's not already been patched. ;-)

    2. Re:This is consistent by pointbeing · · Score: 2, Insightful
      Remember, to Microsoft it is not an important problem unless they already have a fix for it!

      I know you were kidding around, but -

      This is true almost everywhere. If you release information about a vulnerability before you have a fix for it you invite folks to test your shiny new vulnerability ;-)

      I've been impressed with MS' stance on security since about last June - but now we see people using MS security bulletins to write worms.

      Look at Blaster - MS released a security bulletin and a fix, and Blaster showed up days or weeks later (I think it was about three weeks) to target unprotected machines. IM frequently less than HO if there'd been no security bulletin there'd have been no virus.

      This takes us in a new and particularly frightening direction - and puts MS in a no-win situation. Release the security bulletin and patch and wait for users to howl because they didn't think the update was worth their time and their machine got infected?

      I think over the next couple years you're gonna see a much more proactive stance from MS on consumer security - and even if they were a little slow on the uptake it's still good to see them taking security seriously now.

      --
      we see things not as as they are, but as we are.
      -- anais nin
  5. 24 hours by Anonymous Coward · · Score: 0, Funny

    Wow, that's fast.

    1. Re:24 hours by Anonymous Coward · · Score: 0
      Wow, that's fast.

      They probably contracted some Open Source coders to do it, which would explain the rapid turnaround.

  6. More information on the vulnerability by windows · · Score: 5, Informative

    More information on the vulnerability can be found here.

    1. Re:More information on the vulnerability by HFKIRSpyderMonkey · · Score: 2, Insightful

      Subsequent to the release of this bulletin, it was determined that this vulnerability could also affect users who do not have the "Outlook Today" folder home page as their default home page in Outlook 2002. As a result, Microsoft has re-released this bulletin with a new severity rating of "critical" to reflect the expanded attack vector.

      Much like other users have suggested, there's no reason in harassing them. They discovered the patch was exploitable on a wider scale than previously thought, and quickly released a patch to address it. No biggie.

    2. Re:More information on the vulnerability by dottyk · · Score: 1

      http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0403&L=ntbugtraq&O=D&F=P&P=1313

      is a full description about just what MS is fixing with MS04-009, and how it might be exploited, by its discoverer, Jouko Pynnonen. Please note that he knew that "Outlook Today" didn't have to be your Outlook startpage before MS's revision. Does MS not run their patches by the discoverers of the exploits to see if the patch actually fixes the reported problem?

      He reported the exploit to MS on July 21, 2003, for those who are keeping track.

      And he says some prior versions of Outlook are vulnerable, just not supported by MS. Office2000 had a patch released for it in like November '03. Thanks for running the meter out, Mr. Bill.

      There's always some wannabes at work who insist on using Outlook, though it's not our supported mail client. Since it's included with Office, the customer-oriented chiefs say they can have it. Shudder.

  7. Two bugs in one place by Anonymous Coward · · Score: 5, Insightful

    As I recall it took more than 24 hours for the second bug in the mremap function to be found in Linux. While bashing MS is always fun & exciting (and I do think their security sucks). I think Slashdot should try to post more stories about how Linux could be improved (security & functionality). Not to imply that Linux is bad, but there is this reactionary attitude where we must adapt to everything MS does as opposed to doing things first. No Longhorn till 2006 should not mean we sit around waiting for MS to come out with something to whine about. It should be seen as an opportunity to evolve Linux in new directions that MS can't emulate. Don't be afraid to embrace changes that could propel us way ahead of them.

    1. Re:Two bugs in one place by KingOfBLASH · · Score: 3, Informative

      One of the mremap bugs posted on slashdot was really a dupe. It was the same thing and already fixed. At least, that's what I was told. See this thread on LinuxQuestions.org

    2. Re:Two bugs in one place by Anonymous Coward · · Score: 0

      No, this is the same patch - not fixing any additional bugs, it just found a new way of exploiting the error and thus raised the severity level of the patch. In order to raise the severity level they call it 're-issuing' the patch.

      Same code, same fix, new severity level assigned.

    3. Re:Two bugs in one place by rew · · Score: 3, Informative

      It was the same thing and already fixed

      Wrong. There were two mremap bugs. Regretfully, some people with the right background didn't have time to look at the bug and the fix before the first one went public. So a second public fix was needed.

  8. Facts of life? by nmoog · · Score: 4, Funny
    "People have resigned themselves to this being a fact of life. "
    Life, death, taxes, and patching flaky patches.
  9. Re:Yo by Canadian1729 · · Score: 2, Informative

    and Linux has never released a security patch..or two patches in 24 hours?

    --

    New news forum for Canadians - CanadaSpeaks
  10. Patches by black+mariah · · Score: 4, Insightful

    Exactly how is this different from the multitude of patches to fix things in the Linux kernel? Or patches in ANY OSS project? Are you trying to tell me that there has never been a security patch to any Linux kernel ever?

    I seem to recall a /. story just a short while back about a security vulnerability in the Linux kernel that was patched and the resulting posts were nothing but a bunch of open source taint nuzzling. When MS fixes a problem on the other hand, it's a bad thing.

    --
    'Standards' in computing only impress those who are impressed by things like 'standards'.
    1. Re:Patches by Homology · · Score: 0
      Exactly how is this different from the multitude of patches to fix things in the Linux kernel? Or patches in ANY OSS project? Are you trying to tell me that there has never been a security patch to any Linux kernel ever?

      Not at all. It's just that Windows is plagued with exploits and viruses, while *BSD and Linux does not suffer the same fate.

    2. Re:Patches by Anonymous Coward · · Score: 0

      mod parent +1 Funny, just for "open source taint nuzzling"...

    3. Re:Patches by rusty0101 · · Score: 2, Interesting

      Nope. When Microsoft releases a patch, it's not always good or bad. I think that most people would categorize what is updated into one of three categories,

      Good thing: patches that prevent remote exploits of upnp, remote takeover via corrupted mp3 files, or valid mp3 files with embedded URL's to locations that allow script kiddies to make use of your computer, and the like.

      Bad thing: patches that update the EULA to allow Microsoft to keep track of what music, videos, etc. you like to pay attention to. Patches that break your firewall, knocking you off the Internet completely.

      WTF?: stuff that gets tossed in, updating files that do not seem to have anything to do with the documented issues that the patch supposedly addresses.

      Then again, how many of us know exactly what each file in the Windows package is responsible for what actions? Not a lot of us. So if you do a md5sum catalog of the files on your system, install the patch, then compare the md5sums and discover a bunch of files that you can't explain have been changed, who would you go to?

      As far as comparing it to patches for Linux, again, there really are not all that many people who know exactly what every line affected by a patch does, but you can at least look for yourself, and if you have questions, there are an abundance of people who _can_ read the affected files, with understanding, who can explain what the patch does affect.

      Then again what do I know, I only use Win2kP, and a couple different distributions of Linux. I'm probably some crazy Linux advocate who would threaten your very existence if you said anything really bad about Linux.

      -Rusty

      --
      You never know...
    4. Re:Patches by Anonymous Coward · · Score: 0

      The difference is this is a patch to patch a patch for a patched OS.

    5. Re:Patches by Anonymous Coward · · Score: 0

      > Not at all. It's just that Windows is plagued with exploits and viruses, while *BSD and Linux does not suffer the same fate.

      Yet.

      Give 'em time, the script kiddies will get around to that eventually. Too much fun to ignore forever.

    6. Re:Patches by Anonymous Coward · · Score: 0

      So you're saying that Linux has only had one patch to the OS?

  11. Uh.... by mrseigen · · Score: 2, Funny

    So what, they did a dupe?

    1. Re:Uh.... by himself · · Score: 1

      >
      > So what, they did a dupe?
      >
      No, they just called a "do-over".
      What, you didn't do that when you were a kid?

  12. Not saying that. Just making a point that these systems are incredibly complex and if you think about it, we are really on whatever version that I made up. If you count a patch as a +.1 or whatever.

  13. Apache OS by Eberlin · · Score: 5, Funny

    Ok, ok, patching is a part of life -- that's understood. We have to patch our Linux installs too, after all. However, the Linux community doesn't seem to wrap itself in this strange PR shroud that MS does. You know the one -- how hackers are good for testing MS software and then how hacks aren't found until after MS releases a patch...oh and this business about making patch management easier by bundling patches monthly instead of releasing them sooner to protect their customers from harm.

    Right. So here we have a patch that should've probably been QA-ed to death (since they're doing this monthly instead of knee-jerk) and then later issuing another patch to properly plug the hole.

    I guess after they um...opened the source to some of Windows, they're only following suit by doing the "Release early, release often" mantra. Next thing we know, they'll be sponsoring Linux-friendly news sites and even exhibiting in Open Source conventions.

    1. Re:Apache OS by Anonymous Coward · · Score: 2, Informative

      The patch itself was fine. Re-issuing the patch (in this case) means that they changed the severity level. It doesn't mean that they changed the code or that the original patch had some problems with it.

      Also, the monthly patch release scenario is NOT for critical security updates, but non-security bugfixes. Security-related patches are released as often as need be.

    2. Re:Apache OS by Anonymous Coward · · Score: 0

      "Security-related patches are released as often as need be."

      And by that you mean like maybe 6 months after the vuln was found? Then how about ones we're still waiting for?

    3. Re:Apache OS by aztracker1 · · Score: 1

      AFAIK, it was re-released to raise the status to "critical" which means people with critical update notification, or installation will get it more readily... also, AFAIK anything which could compromise the OS has generally been "Critical"... it's the use of "Recommended" that they are fishy on.. :)

      Also, I tend to stay current on fixes, with the exception of Service Packs, which I wait 2 weeks on.

      --
      Michael J. Ryan - tracker1.info
  14. that patch must be huge by minusthink · · Score: 3, Funny

    "Microsoft Rereleases Patch to Fix Problems"

    all of them?

    --
    "when life gets complicated, I like to take a nap in a tree and wait for dinner" - Hobbes.
    1. Re:that patch must be huge by Unnngh! · · Score: 1

      Yeah it's called Longhorn. The box reads "Caveat Emptor" though...

    2. Re:that patch must be huge by Anti-S · · Score: 1

      none of them :p The patches just make more problems to fix :/

    3. Re:that patch must be huge by dynamo · · Score: 2, Funny

      No, the EULA reads 'Caveat Emptor'.

    4. Re:that patch must be huge by Mr.+Sketch · · Score: 1

      all of them?

      No, you have to apply this patch to fix all of them. Which is quite a large patch as you guessed.

    5. Re:that patch must be huge by minusthink · · Score: 0

      1.) I wasn't bashing MS, jackass.
      2.) I use BSD.

      --
      "when life gets complicated, I like to take a nap in a tree and wait for dinner" - Hobbes.
    6. Re:that patch must be huge by moosesocks · · Score: 1

      I don't know... how big is a basic Fedora installation nowadays? :)

      --
      -- If you try to fail and succeed, which have you done? - Uli's moose
    7. Re:that patch must be huge by MonkeyBoy · · Score: 1

      And best of all, MS's patch is free... ...unlike Viagra.

      --

      Moof!

  15. Great choice of article by mattgreen · · Score: 4, Funny

    I applaud the Slashdot editors once again in choosing a relevant and timely news story. Never before has a patch been reissued. This is surely a momentous day on the Internet.

    Plus we can have a chance to talk about how our favorite operating system would never do such a thing! This IS a great post!

  16. They did not re-issue a new patch! by Nevo · · Score: 4, Informative
    It's the same patch they released yesterday. They just discovered it's more serious than they first thought, so they released the same binaries with a higher severity.

    http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx

    Read the revisions section

    1. Re:They did not re-issue a new patch! by Nevo · · Score: 3, Informative

      Just to quote the relevant section:

      Why is Microsoft re-issuing this bulletin
      Subsequent to the release of this bulletin, it was determined that this vulnerability could also affect users who do not have the "Outlook Today" folder home page as their default home page in Outlook 2002. As a result, Microsoft has re-released this bulletin with a new severity rating of "critical" to reflect the expanded attack vector. The update released with the original version of this security bulletin is effective in protecting from the vulnerability and users who have applied the update or have installed Office XP Service Pack 3 do not need to take additional action.

    2. Re:They did not re-issue a new patch! by AbdullahHaydar · · Score: 2, Informative
      Wrong! From the microsoft patch site:

      • V1.0 (March 9, 2004): Bulletin published
      • V2.0 (March 10, 2004): Bulletin updated to reflect on a revised severity rating of Critical and to advise of a new client update.
      • V2.1 (March 10, 2004): Frequently Asked Question "What is the scope of the vulnerability?" updated.
      --


      Suicide Booth: You are now dead! Thank you for using Stop and Drop, America's favorite since 2008.
    3. Re:They did not re-issue a new patch! by LBArrettAnderson · · Score: 1

      um..... you just showed us that he is right. read the second bullet again. "Bulletin updated to reflect on a revised severity rating"

    4. Re:They did not re-issue a new patch! by praxis · · Score: 2, Insightful

      Right! From the microsoft patch site:

      "In addition, Microsoft is making available an additional "client update" for customers on the Microsoft Download Center. This additional update does not contain new fixes or functionality, but is instead an additional offering of the update that provides an alternative for customers. More information on the client update is available in the Security Update Information section."

      They re-issued the bulletin to upgrade the security rating to "critical" due to new information. See here:

      "Subsequent to the release of this bulletin, it was determined that this vulnerability could also affect users who do not have the "Outlook Today" folder home page as their default home page in Outlook 2002. As a result, Microsoft has re-released this bulletin with a new severity rating of "critical" to reflect the expanded attack vector. The update released with the original version of this security bulletin is effective in protecting from the vulnerability and users who have applied the update or have installed Office XP Service Pack 3 do not need to take additional action. "

    5. Re:They did not re-issue a new patch! by Anonymous Coward · · Score: 0

      wow! you sure are smart, mister!

    6. Re:They did not re-issue a new patch! by Anonymous Coward · · Score: 0

      honestly moderators.... READ the post you are moderating. this guy's an idiot.

  17. Excuse me... by Quinn_Inuit · · Score: 5, Funny

    "The funny thing"? The funny thing? That's like walking out of a Monty Python show and saying, "Man, that one joke was really funny."

    --

    Stop learning! Only you can prevent esoterrorism.
    1. Re:Excuse me... by Anonymous Coward · · Score: 0

      is this a five minute argument or the full half hour ?

  18. Great news! by eV_x · · Score: 0, Flamebait

    With news like this, I no longer need to watch the grass grow.

  19. Anyone else notice... by ManxStef · · Score: 4, Informative

    ...the broken PGP signature on the e-mail update Microsoft sent round relating to this? (The original was fine.) Just seemed a bit sloppy from a company who's now supposed to be taking security so seriously is all...

    BTW The Register chastised MS for marking the original as only "important", looks like they were right on the money!
  20. You shouldn't feed the trolls. by Anonymous Coward · · Score: 0

    There's always someone who has this stuff ready to cut and paste whenever there's a new article posted. Stay above "-1" and you won't have to see this kind of crap.

    1. Re:You shouldn't feed the trolls. by Anonymous Coward · · Score: 0

      What exactly does this have to do with the article?

    2. Re:You shouldn't feed the trolls. by Anonymous Coward · · Score: 0

      yeah, I suppose. I browse at -1 because sometimes there are interesting posts modded as flamebait and such. (I know, "YHBTHAND" and all that...)

    3. Re:You shouldn't feed the trolls. by Anonymous Coward · · Score: 0

      Guess you should get some mod points and mod this down, eh?

      Considering how pathetic the article is, I would rather talk about this (or anything else for that matter).

    4. Re:You shouldn't feed the trolls. by Anonymous Coward · · Score: 0

      I wish I could mod the article itself down instead of just the posts...

  21. Re:What about the recent Linux kernel vulnarabilit by toltas · · Score: 3, Informative

    How is this completely ignored(march 7th 11:22AM)?

    I think you should read more slashdot before thinking they aren't up to snuff with their vulnerability reporting.

  22. new method by firstadopter.com · · Score: 2, Interesting

    Microsoft needs a new method of installing these patches. How many of us have spent HOURS a day installing and installing and rebooting and rebooting.

    1. Re:new method by Anonymous Coward · · Score: 0

      Not me... not one second 8-)

    2. Re:new method by value_added · · Score: 4, Informative

      FWIW, you can use Microsoft's qchain utility that purportedly allows you to apply several patches with a single reboot. Haven't tried it yet, as my hours are still being spent trying to figure out what patches I need on my systems. Seems that between the Windows update site, the HFNetChk commandline utility, and a handful of patch management programs I've been looking at, I'm getting a variety of results as to what's needed and what's been installed.

      If anybody has any favourite suggestions for managing this mess, I'm all ears.

    3. Re:new method by chavo+valdez · · Score: 1

      Check out Autopatcher.
      It's a great utility to keep your Windows boxes up to date. It's a hefty download, but it's braindead simple to use. Its strength is bringing a freshly installed WindowsXP SP1 box up to date, but you can use it on an older install. Assuming of course you have SP1 installed already.
      I heard about it on the forums at Neowin. They've done an awesome job of collecting post SP1 updates and critical fixes. They have also included some other useful utilities and programs.

      I highly recommend this program to anyone that has to administer WindowsXP, especially if you have to look over more than one box.

    4. Re:new method by agallagh42 · · Score: 3, Informative

      Qchain is no longer required to install multiple patches with a single reboot. Qchain functionality has been included in all windows patches for a while now. Just hit "no" when it asks you to reboot, then reboot manually when you've installed them all. If you want to script it, there are command line switches for all the patches allowing silent installs with no reboot.

      Also, you should be using the new MBSA (Microsoft Baseline Security Analyser) instead of HFNetChk.

      Another great tool is SUS (Software Update Services). It's basically an internal copy of Windows Update, where you can approve patches that you've tested, and the clients will then pull approved updates down automatically according to the schedule you set. Set the schedule via AD group policy, by manually editing the registry, or with a logon script.

      --
      Carpe Cerevisi - Seize the Beer
    5. Re:new method by Wingsy · · Score: 1

      1. "How many us have spent HOURS a day installing and installing and rebooting and rebooting." Not me. And when an upgrade does come along I let it install in the background while I continue to work, and if a reboot is needed I'll do that when I get around to it.

      2. "Nearly every major piece of software on any OS, especially those that accept network connections have had multiple vulnerabilities over time. Even those developers who are extremely diligent (ie. OpenBSD) have had their share of problems." Yes this is certainly true. But some OS's have far fewer than others. And it's those "others" that rightfully should get raked over the coals.

      3. "Ok, ok, patching is a part of life -- that's understood." And it's exactly this sentiment that really amazes me. Why in h*ll would anyone put up with the security flaws and patch-n-fix routine that MS has allowed to become so commonplace. There really *is* a better solution.

      -A Satisfied OSX User

      --
      If I didn't have absolutely NOTHING to do, I wouldn't be here.
  23. Everytime a story like this is posted.... by gatkinso · · Score: 4, Insightful

    ....I am tempted to check the kernel cvs source tree history.

    But why inject objectivity and reality into an otherwise excellent discussion?

    --
    I am very small, utmostly microscopic.
    1. Re:Everytime a story like this is posted.... by Imperator · · Score: 1

      The kernel source isn't stored in CVS.

      But why inject truth into an otherwise excellent troll?

      --

      Gates' Law: Every 18 months, the speed of software halves.
    2. Re:Everytime a story like this is posted.... by gatkinso · · Score: 1

      Well you are right about that - my cvs-centricness pervades all rational thought.

      However my post was not a troll (any more than the original story is at any rate), and is sound even if the sources aren't in cvs... because when you look at the change logs http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.4 and see BS like "fix build breakage" immediately after the same guy committed something that says "Fix compilation warning in bond_alb.c" well we can see just the type of developer is working on the kernel.

      But I guess in Open Source land changes that don't compile are worthy of being committed.

      So take that truth and shove straight up your ass.

      --
      I am very small, utmostly microscopic.
    3. Re:Everytime a story like this is posted.... by Imperator · · Score: 1

      Have you ever considered that code that builds on one system might not build on another? That this is especially likely in a kernel full of preprocessor conditionals for different hardware and different options? And since you're taking a shot at "Open Source land" and telling me to shove something up my ass, I stand by my assertion that your post was a troll.

      --

      Gates' Law: Every 18 months, the speed of software halves.
  24. Stone the crows! by polyp2000 · · Score: 0, Redundant

    Microsoft Rereleases Patch to Fix Problems....

    Heavens above, Shock Horror!, It's not like that's news... Is it ?

    --
    Electronic Music Made Using Linux http://soundcloud.com/polyp
  25. It'll be better tomorrow... by Anonymous Coward · · Score: 0

    after they re-release the story and you're not so cranky.

  26. Us vs Them by Anonymous Coward · · Score: 2, Interesting

    Don't be afraid to embrace changes that could propel us way ahead of them.

    So this is what it's come down to? How many people share the "us" vs. "them" mentality? I thought people contributed to Linux in order to take part in something greater than what they could do alone, rather than as a way of beating Gates & Co.

    I know, I know... I must be new around here.

    1. Re:Us vs Them by Anonymous Coward · · Score: 0

      How many people share the "us" vs. "them" mentality?

      Just those other idiots.

  27. Awesome. by pb · · Score: 0

    Maybe if they did this for all of their patches, people would actually install them... ...naah.

    --
    pb Reply or e-mail; don't vaguely moderate.
  28. Patch requires install CDs by mmusson · · Score: 5, Interesting

    I tried to install the first patch last night and found that I had to apply office SP2 first. Ok. So, I ran office SP2 and it required the install CDs.

    I travel extensively for work and I don't carry around all my install CDs for my laptop. So, I cannot even install the critical security patch because I cannot install office SP2.

    I think this is a problem when people that would want to install this 'critical' security patch are not able to. Why can't this patch be stand-alone (not require install CDs) like the ones available from the windows update site?

    --
    SYS 49152
    1. Re:Patch requires install CDs by xandroid · · Score: 1

      I glanced at one Microsoft page about this latest patch, and under the heading "affected packages" (or something), the only entries were variants of the Office XP SP2, so if you don't have SP2 you may not have to worry about this.

      --
      $ echo "ceci n'est pas une pipe" | sed -Ee 's/(eci n|pas )//g'
    2. Re:Patch requires install CDs by Anonymous Coward · · Score: 0

      No, that's the wrong implication -- Office XP prior to SP2 is not supported, so MS will not tell you if it's vulnerable or not.

    3. Re:Patch requires install CDs by enosys · · Score: 4, Informative

      Office XP SP3 also fixes the problem. You can get a version of SP3 that doesn't require access to the install CDs:
      OfficeXpSp3-kb832671-fullfile-enu.exe 58925 KB

    4. Re:Patch requires install CDs by sumdumass · · Score: 1

      i think the fix assumes you are running the most recent version because they think you want to layer all the bs on top of the original release.

      as for not needing the cd, that may be more of a theft protection thing than anything else. i burn copies of my cds and then store the original in a safe location. i can install from the burnt cd. i have a list of office install codes we own that work for each system but when updating, if it asks for the cd the burnt copy won't work. go figure.

      i have found however that i can reduce the need for the cd 99 percent of the time if i goto the add-remove programs and select the remove office. then it gives a box with several choices. i choose the add component and set everything to run from the harddrive. it usually eliminates the need for the cd even when it says it needs to install something to perform what you're asking it to do.

    5. Re:Patch requires install CDs by Anonymous Coward · · Score: 0

      > Office XP SP3 also fixes the problem.

      And, since it's a new SP, what might it break?

      Curious (and Cautious) admins want to know!

  29. attention moderators by GunFodder · · Score: 3, Funny

    Please moderate this story as both "Redundant" and "Flamebait" (definitely not clever enough to be a "Troll"). What, we're not allowed to moderate stories? Sounds like Slashdot needs a patch...

    1. Re:attention moderators by Anonymous Coward · · Score: 0

      May I suggest you visit http://slashcode.org.

    2. Re:attention moderators by sik0fewl · · Score: 1

      Sounds like Slashdot needs a patch...

      Yes, and then after announcing it to slashdot we'll reissue that same patch with a higher severity rating and post it on the front page of slashdot!

      --
      I remember when legal used to mean lawful, now it means some kind of loophole. - Leo Kessler
    3. Re:attention moderators by /dev/trash · · Score: 0, Offtopic

      It's called Kuro5hin.

  30. Must have CD to install by ccnull · · Score: 5, Informative

    How aggravating that many people won't install these service packs because Microsoft requires you have the original CD to install them.

    There is a workaround: Download the larger (the 58MB one with "fullfile" in the name) file on this page here and you can do the update without a CD.

    1. Re:Must have CD to install by Anonymous Coward · · Score: 0

      Holy fuck! 58MB for a patch! Well, I guess that is a little better than WW2 Online.

    2. Re:Must have CD to install by ccnull · · Score: 4, Informative

      ... on second analysis, this method has now failed on 2 different machines -- both of which asked me for the CD despite being eligible for the CD-free patch per Microsoft's own rules. Use at your own risk, folks! (And apologies if I led anyone astray...)

    3. Re:Must have CD to install by hughk · · Score: 1
      Yep, this really annoys me. You are on the road in some godforsaken place but your link to the outside world is through your Win notebook. You really want to keep the patches up to date, especially Outlook ones. Do you really want to haul your original CDs everywhere with you?

      Luckily in that particular case, I was able to buy and use a pirate CD ($2) so that I could update my fully licensed Office-Pro.

      --
      See my journal, I write things there
  31. My copy of Office must not need the patch... by pdcryan · · Score: 4, Funny

    ...because when I right click on the paperclip and ask it if there is a security problem... and he told me Word already had security features.

    Thank god!

    --
    Ryan Kennedy opposes comm
    1. Re:My copy of Office must not need the patch... by Anonymous Coward · · Score: 0

      Ooh, a Paperclip joke!

      How refreshing!

      It has been nearly two years since Microsoft announced that they were getting rid of him, and I was afraid people were going to forget about him. It's good to know that as long as the people on Slashdot are unwilling to come up with new material, Clippy will live on, in the form of hilarious suicide jokes.

      In other news, Tux the penguin looks like he has DOWNS SYNDROME.

  32. Re:What about the recent Linux kernel vulnarabilit by Anonymous Coward · · Score: 2, Insightful

    Not only that, but the response times on the Linux patches were seven months faster than Microsoft's response time, the patches and vulnerabilities were both well (and correctly) documented due to better research than the Microsoft patch, AND that the Linux exploits required you to have local access to the machine, and the Microsoft vuln was remotely exploitable. They're soooooo similar!

  33. Re:Most Important Patch by Anonymous Coward · · Score: 0

    There is. Install squid and bannerfilter, that's saved me more than once.

  34. *gasp* by PhrostyMcByte · · Score: 1, Insightful

    Why is stupid stuff like this getting onto the front of /. - are we really *that* obsessed with ms? Instead, why not report on something more useful, like the new apache 1.x/2.x remote exploit floating around. I'm sure that affects a lot more people here than a bugfix from ms.

    1. Re:*gasp* by Anonymous Coward · · Score: 0

      Could you provide any info about the Apache exploit? I checked here but I don't see anything recent that looks like a big deal.

  35. Re:Press the ReDo button..... by rusty0101 · · Score: 3, Insightful

    As opposed to releasing a patch that breaks a previous patch? As was the primary problem with the SQL issue that SQL slammer exploited?

    --
    You never know...
  36. Everyone should read your post... by msimm · · Score: 1

    And for all the misplaced Microsoft fan bois, the post is obviously meant to be funny, but it carries a bit of the old truth. If Linux was in Microsoft's position (convicted monopolist, proprietary, predatory) we'd all be laughing at them. News? I thought Slashdot was more of an IT gossip column. ;-)

    --
    Quack, quack.
    1. Re:Everyone should read your post... by Anonymous Coward · · Score: 0

      But can you imagine an IT tabloid? Gates to be wed to the blushing McBride in a San Francisco wedding! Torvalds announced as best man.

      "Gossip for Nerds, Stuff that might have happened" just doesn't have the same ring to it. :)

    2. Re:Everyone should read your post... by msimm · · Score: 1

      You mean the register? He he, it's close.

      --
      Quack, quack.
  37. Not news, but bored by t_allardyce · · Score: 1

    The words "critical" and "disable the Outlook Today page" in the same paragraph?

    So they patched a small hole in the side of the ship and the next day discovered that the name-plate had broken causing the ship to list 30 degrees.

    --
    This comment does not represent the views or opinions of the user.
  38. This really is Critical by Anonymous Coward · · Score: 0

    While I agree about the MS-bashfest that goes on around here, IMO this story deserves to be on Slashdot.

    You can virtually guarantee that this hole will be exploited by e-mail viruses, and the Windows sysadmins out there really need to get this patch out. (And most sysadmins don't seem to keep up on Office patches as well as stuff on windowsupdate.)

    1. Re:This really is Critical by Anonymous Coward · · Score: 0

      and them reading it on slashdot will help?

      I see very few 'linux' bugs vs 'ms' bugs of which there seem to be a lot on slashdot. It seems every MAJOR MS bug is front page sometimes even minor. While every linux bug is fixed with very little fan-fare. I for one am getting tired of it. While sure it is important. Is it REALLLLLLLY that slow of a news day that MS bugs are so cool? Take this one for example. I do not use office xp yet there it is... The company I work for still uses 2k. Which probably has TONS of exploits. Yet we don't bother with a newer version...

  39. Re:What about the recent Linux kernel vulnarabilit by U.I.D+754625 · · Score: 3, Informative

    Your sig: I'm being modbombed for my opinions. Check my posting history.

    No... you're getting modded down because you're wrong.

    --


    //Blessed are they that run around in circles, for they shall be known as wheels.
  40. Outlook? by Anonymous Coward · · Score: 0, Interesting

    Who cares about Outlook problems? Nobody here should be using Outlook anyway. That should be the litmus test as to whether or not you belong on this site. It's not an anti-Microsoft thing, it's a common sense thing. Outlook has more bugs in it than a middle eastern embassy in Washington D.C.

  41. First tuesday by redwoodtree · · Score: 1

    I thought patches were only supposed to come out first tuesday of the month from now on, what happened?

  42. Of course we could read the updated bulletin by TheRealSlimShady · · Score: 3, Informative
    Straight from the horse's mouth:

    The update released with the original version of this security bulletin is effective in protecting from the vulnerability and users who have applied the update or have installed Office XP Service Pack 3 do not need to take additional action.(emphasis mine)

    In addition, Microsoft is making available an additional "client update" for customers on the Microsoft Download Center. This additional update does not contain new fixes or functionality, but is instead an additional offering of the update that provides an alternative for customers. More information on the client update is available in the Security Update Information section.


    So they didn't actually release a new update, just a new way of applying the update, and they increased the importance.

  43. Re:Mozilla, anybody? by sik0fewl · · Score: 1

    Of course it was.. you can fix the remaining stuff yourself :)

    --
    I remember when legal used to mean lawful, now it means some kind of loophole. - Leo Kessler
  44. My question is... by Anonymous Coward · · Score: 5, Funny

    So does this patch require a restart? Because I'd hate to lose my 8 hours of uptime.

    1. Re:My question is... by Anonymous Coward · · Score: 0

      To paraphrase Family Guy, when they reference Gallagher and know the joke isn't funny: "Wow. Is it 1995 again?"

    2. Re:My question is... by Anonymous Coward · · Score: 0

      Ha, it's funny because Windows is so unstable! Wait, no it isn't...

  45. It had to be said by Anonymous Coward · · Score: 0

    Help! Help! I'm being repressed!

    1. Re:It had to be said by fwarren · · Score: 0, Offtopic

      Bloody Pesant!

      --
      vi + /etc over regedit any day of the week.
    2. Re:It had to be said by Anonymous Coward · · Score: 0

      There's nothing like a well proofread posting.

      ...and that was nothing like a well proofread posting...

  46. Not the first time? by loconet · · Score: 3, Informative

    correct me if I'm wrong but it seems like this is not the first time Microsoft is wasting customer's time:

    It seems like a patch for SP1 Internet explorer 6.0 (released February 2, 2004 - KB832894) also broke functionality on several websites in the form of displaying "HTTP 500 internal server error" messages for no reason. 5 days later they released a patch to fix the patch.

    --
    [alk]
  47. Slashdot is so biased by Anonymous Coward · · Score: 3, Informative

    "As a result, Microsoft has re-released this bulletin with a new severity rating of "critical" to reflect the expanded attack vector. The update released with the original version of this security bulletin is effective in protecting from the vulnerability and users who have applied the update or have installed Office XP Service Pack 3 do not need to take additional action. "

    " In addition, Microsoft is making available an additional "client update" for customers on the Microsoft Download Center. This additional update does not contain new fixes or functionality, but is instead an additional offering of the update that provides an alternative for customers. More information on the client update is available in the Security Update Information section."

    "AbdullahHaydar writes "From CRN: 'One day after releasing a fix for an Office XP flaw, Microsoft upgraded the severity of the vulnerability to critical and re-issued a new patch to address a new attack scenario discovered in the last 24 hours.' The funny thing is that the second bug they missed with the first fix is 'critical' whereas the original bug the fix was for is 'important.'"

    What a deliberate trick. Bias at its worst. Why don't people check their sources?

    Why can't we moderate news as Moronic or better yet moderate people as Stupid?

    1. Re:Slashdot is so biased by Tristandh · · Score: 1

      Slashdot is so biased
      "No shit..."

    2. Re:Slashdot is so biased by Anonymous Coward · · Score: 0

      Microsoft is our favorite punching bag. You wouldn't want to spoil everyone's fun now would you? Everyone just seems to have no respect for a company that forces a EULA like theirs down users' throats.

    3. Re:Slashdot is so biased by Anonymous Coward · · Score: 0

      Ahhh, is someone calling your baby ugly?

  48. Good response time by Gary+Destruction · · Score: 3, Insightful

    It shows that Microsoft is taking things more seriously. And maybe next time, maybe they'll catch more potential problems before they're discovered. If MS were to actually break itself up into smaller companies, it wouldn't have to worry about keeping tabs on so much stuff. I know it won't do that, but I think it would be a lot more efficient. When it comes to patches, Microsoft is like a giant. Someone hits it on the leg, so it has to look down and find the source of the attack and fix it. But at the same time, someone could be attacking it on the back and neck.

    1. Re:Good response time by Anonymous Coward · · Score: 0

      But great goddess, it's an *OUTLOOK* patch, not a fundamentally a Microsoft Windows. What sane person uses that RFC-violating security hole for any real work? Its mis-handling of attachments and auto-installation of various typically virus-laden files, coupled with its inability to have both an Exchange client and an IMAP client at the same time, and coupled with its rabid insistence on duplicating the content of all outgoing email as a non-standards compliant "ms-tnef" attachment all make it an extremely painful and untrustworthy tool to use.

      Why would anyone install it? Excel, OK, it's a decent spreadsheet. Word is decent at composing fancy documents the way you want them to look, and PowerPoint is easy to set up decent presentations with.

      But Outlook? Puh-leez.....

    2. Re:Good response time by Gary+Destruction · · Score: 1

      I never said I liked Outlook or MS products for that matter. Like I said, there's too much software being handled by one company and that leaves room for a lot of gaps. And when Microsoft decided to take security seriously, they were already too late. They let things go for so long that it could take them years to get everything locked down. I'm afraid a lot of that is going to be answered with upgrades which could create more holes than they're supposed to fix.

  49. What Differentiates Linux from Windows by jlrowe · · Score: 2, Interesting
    It is odd that only moments after reading about 'What differentiates Linux from Windows', how the very design of Windows leads to problems making fixes for security things gone wrong, the story of this latest patch problem appears. It is verification of the story I just read, in perfect example.

    Synopsis:
    Microsoft reacts to marketing pressure to make design decisions favoring running a few processes faster but then finds itself forced first to layer in backward compatibility and then to engage in a patch-and-kludge upgrade process until the code becomes so bloated, slow and unreliable that wholesale replacement is again called for.

  50. Slashdot Rereleases Story to Fix Accuracy by Anonymous Coward · · Score: 0

    Slashdot Rereleases Story to Fix Accuracy

    Oh, sorry, no, this is reality and not some odd dreamworld.

  51. I grow weary... by Epistax · · Score: 4, Funny

    of these threatening severity levels. I will install no patch less severe than "orgasmic" or possibly "chocolicious".

  52. No, there are FIVE R's by Anonymous Coward · · Score: 0

    Retry, Reboot, Reapply, Reinstall, and Repeat

  53. Yeah.. by destiney · · Score: 0, Troll


    Yeah yeah.. M$ sucks, we know. Move along now, nothing to see here but a bunch of ./ editors with too much time on their hands.

  54. New Service Pack by CycoChuck · · Score: 4, Funny

    I heard that MS is releasing a new SP for Office that would fix all the problems. They're calling it OpenOffice. The new Windows SP, code named Linux, is supposed to be released soon as well.

    --
    Windows is as solid as quicksand.
    1. Re:New Service Pack by Anonymous Coward · · Score: 0

      I hear OpenOffice will eventually have cutting edge functionality in future releases, too!

      Like Cut n' paste!

      Can you imagine? /fawn

  55. Nice headline by Anonymous Coward · · Score: 3, Funny

    My first thought was, "Damn, that would be a tremendous patch."

  56. Download? by utlemming · · Score: 2, Interesting

    And the big problem of the day is that you cannot download the file, because, well Microsoft is having problems with their website. Go figure. I mean, they say that the file is a critical upgrade, and then it is inaccessible. You would think that for the $300-$800 people pay for Office, they would at least have the bandwidth to get critical patches.

    --
    The views expressed are mine own and do not express the views of my employer.
    1. Re:Download? by utlemming · · Score: 2, Interesting

      Just another update -- they removed the link, as of 8:32MST, from the download page. The link is here. Which is rather interesting. Too much demand or did they find another bug?

      --
      The views expressed are mine own and do not express the views of my employer.
  57. Wow! They've released... by bigattichouse · · Score: 1

    Windows XP Service Pack 2 Update 4 Patch 7.3!

    --
    meh
  58. What Else is a Patch For? by handy_vandal · · Score: 2, Funny

    Microsoft Rereleases Patch to Fix Problems

    Well, that's a relief -- could be worse -- imagine a headline that reads "Microsoft Rereleases Patch to Cause Problems" ....

    -kgj

    --
    -kgj
  59. Re:What about the recent Linux kernel vulnarabilit by PhoenixFlare · · Score: 1

    I'm being modbombed for my opinions. Check my posting history.

    Help! Help! I'm being repressed!

  60. cowboy neil is a cum guzzling faggot by Anonymous Coward · · Score: 0, Offtopic

    No really, he is. Just last night he swallowed my load. Good to the last drop, eh CN? You fucking clueless loser.

  61. The thing is by uptownguy · · Score: 4, Insightful

    I get your anger at... but I think you are missing the forest for the trees when you say things like "Slashdotters don't care much about the truth as long as they can whine... If they're not complaining...when did anyone on Slashdot..." Come on. Slashdot isn't some monolithic discussion board. That's what makes it great. That's why YOU come here and that's why YOU post. It's because Slashdot is the home of the great unwashed masses -- the strongest from every side here come to passionately defend their case. You never see one "side" persuaded... you don't ever get to see one side win...

    ...but I don't know. I come here, not to have my point of view reinforced but rather to read intelligent people discussing an issue. I don't spend all my time discussing issues. I go out with friends to bars. I watch movies. But sometimes I like to think about issues. And this is a great place to come to find ideas. Sometimes I even find myself being surprised by a different point of view...

    I just think the parent post dripped with a little too much bravado. And just to stay on topic ... wouldn't you say that the VAST MAJORITY of us are just keeping quiet on this because there isn't that much insightful to say? I mean, really, releasing patches of known vulnerabilities is a good thing. Duh.

    --
    I would have to say that explosives are the most abused technology in all of history.
  62. critical second patch by natex84 · · Score: 2, Funny

    the second patch was critical? whaddya bet it fixed a new, more serious hole introduced by the first patch? :P

  63. The severity of the patch increased! NO NEW PATCH by Anonymous Coward · · Score: 0

    It's the same patch they released yesterday. They just discovered it's more serious than they first thought, so they released the same binaries with a higher severity.

    http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx

    Why is Microsoft re-issuing this bulletin
    Subsequent to the release of this bulletin, it was determined that this vulnerability could also affect users who do not have the "Outlook Today" folder home page as their default home page in Outlook 2002. As a result, Microsoft has re-released this bulletin with a new severity rating of "critical" to reflect the expanded attack vector. The update released with the original version of this security bulletin is effective in protecting from the vulnerability and users who have applied the update or have installed Office XP Service Pack 3 do not need to take additional action.

  64. But they had enough time to find out before! by Slashi · · Score: 2

    The timeline of the vulnerability tells us that Microsoft was informed November 12, 2003. Now, they got 4 months to find a patch and release their security bulletin. Couldn't they find out that it was more critical in the 24*30*4 hours before?

    From MS04-009:
    Reason for Major Revision
    Subsequent to the release of this bulletin, it was determined that this vulnerability could also affect users who do not have the "Outlook Today" folder home page as their default home page in Outlook 2002. As a result, Microsoft has re-released this bulletin with a new severity rating of "critical" to reflect the expanded attack vector.

    What the heck? Does the severity of a bug depend upon how many people are affected?

    Does a local root depend upon the number of people who are potentially affected? Ask someone who has lost money via such a local root.

    Another interesting posting is available on the full-disclosure mailing list, covering Microsoft's understanding of "security" (the author, Nick FitzGerald, is a helpful and understanding regular poster on full-disclosure).

    1. Re:But they had enough time to find out before! by dannannan · · Score: 1
      What the heck? Does the severity of a bug depend upon how many people are affected?

      To a certain degree, yeah -- it's a cruel world.

      <tongue in="cheek">And why doesn't the Department of Homeland Security just leave the threat level at "severe" every day because on any given day someone, somewhere, might be attacked?</tongue>

      Sure, severity is heavily based on the impact the bug has if you hit it, but it also takes into account any significant factors that mitigate damages to lower the risk.

      Issues with awful consequences that affect someone using the software with the default settings are typically riskier than those that only affect, say, those of us using some obscure feature with a few uncommon configuration changes.

      Bottom line is that the severity isn't a moral statement; its goal here is to make the security bulletins more useful by giving people a way to filter them, if they know how the system works. If everything is posted "critical", there's no point in using that field anymore. Not everyone thinks about this, but when you change your configuration or software usage scenario even the slightest bit away from the beaten path, you may also need to change your system for supporting the software. If you don't use the default settings for a piece of software, it might be a good idea to treat those "important" bulletins as "critical".

      If you don't understand the system, or just want to spite it, ignore that field and just treat everything as critical, and if you don't agree with the system, post on Slashdot.

      DDL
  65. think again... by uv_light · · Score: 0

    MS fixed their problem in 24 hours? My first thought is that they have improved... it seems...

    But think again: they have been criticized by people all over the world (well, maybe most parts of the world) for the slowness of their bug fixes. Could that just be a marketing plan? They found the bug, they get the patch ready, then tell the world about the bug. In less than 24 hours, they release the patch.

    Well, just a thought

  66. Almost totally off topic by Anonymous Coward · · Score: 0

    ...but this pic is hilarious;

    http://www.secureteam.org/~skyline/pic06578.jpg

  67. Just avoiding "critical" on the first go. by SgtChaireBourne · · Score: 1
    MS is just fiddling with the stats to try to avoid the number of critical patches, upgraded-to-critical will almost certainly be in a different category.

    MS has listed many remote exploits as 'moderately' critical or less. Given that its poor security has been hitting its customers in the pocketbook for years and is now finally hitting MS, this is just more spin. Just like when a few years ago it started bundling multiple issues into single announcements and then a year later, with much fanfare, proclaimed that the number of security announcements had gone down (while the number of actual issues and unresolved issues went up).

    If people are serious about improving security, they'll put MSIE on the back shelf and use Mozilla, drop MS-Outlook and use Eudora, Evolution, Squirrelmail, Pine, Mutt, Mozilla, Thunderbird or whatever. For OSes there are Linux, OS X, and QNX. Given that most Linux distros are now much easier to install, customize and, especially, maintain than MS-Windows variants, it seems like the obvious choice in these hard economic times since you can get more performance out of your existing hardware by dropping MS completely.

    If you want ease of use, then OS X is the obvious choice. However, KDE on QNX or Linux is just as easy as MS-Windows XP, but more customizable.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  68. mod parent up by Anonymous Coward · · Score: 0

    The submitted story is a retarded flame, however there's no need for a Straw Man - no decent IT person will claim that linux (which is version controlled by BitKeeper) is *The Security* :\

  69. Re:What about the recent Linux kernel vulnarabilit by Disevidence · · Score: 1

    What about it?

    --
    Think nothing is impossible? Try slamming a revolving door.