Microsoft Rereleases Patch to Fix Problems
AbdullahHaydar writes "From CRN: 'One day after releasing a fix for an Office XP flaw, Microsoft upgraded the severity of the vulnerability to critical and re-issued a new patch to address a new attack scenario discovered in the last 24 hours.' The funny thing is that the second bug they missed with the first fix is 'critical' whereas the original bug the fix was for is 'important.'"
More information on the vulnerability can be found here.
And Linux has never released a security patch... or two patches in 24 hours?
New news forum for Canadians - CanadaSpeaks
http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx
Read the revisions section
...the broken PGP signature on the e-mail update Microsoft sent round relating to this? (The original was fine.) Just seemed a bit sloppy from a company who's now supposed to be taking security so seriously is all...
BTW The Register chastised MS for marking the original as only "important", looks like they were right on the money! How is this completely ignored (March 7th 11:22AM)?
I think you should read more Slashdot before thinking they aren't up to snuff with their vulnerability reporting.
One of the mremap bugs posted on Slashdot was really a dupe. It was the same thing and already fixed. At least, that's what I was told. See this thread on LinuxQuestions.org
How aggravating that many people won't install these service packs because Microsoft requires you have the original CD to install them.
There is a workaround: Download the larger (the 58MB one with "fullfile" in the name) file on this page here and you can do the update without a CD.
filmcritic.com - Movie reviews on Internet time
Your sig: I'm being modbombed for my opinions. Check my posting history.
No... you're getting modded down because you're wrong.
//Blessed are they that run around in circles, for they shall be known as wheels.
The update released with the original version of this security bulletin is effective in protecting from the vulnerability and users who have applied the update or have installed Office XP Service Pack 3 do not need to take additional action. (emphasis mine)
In addition, Microsoft is making available an additional "client update" for customers on the Microsoft Download Center. This additional update does not contain new fixes or functionality, but is instead an additional offering of the update that provides an alternative for customers. More information on the client update is available in the Security Update Information section.
So they didn't actually release a new update, just a new way of applying the update, and they increased the importance.
Correct me if I'm wrong but it seems like this is not the first time Microsoft is wasting customers' time:
It seems like a patch for SP1 Internet Explorer 6.0 (released February 2, 2004 - KB832894) also broke functionality on several websites in the form of displaying "HTTP 500 internal server error" messages for no reason. 5 days later they released a patch to fix the patch.
[alk]
The patch itself was fine. Re-issuing the patch (in this case) means that they changed the severity level. It doesn't mean that they changed the code or that the original patch had some problems with it.
Also, the monthly patch release scenario is NOT for critical security updates, but non-security bugfixes. Security-related patches are released as often as need be.
She's worth $300m, if that makes it any hotter... :p
"Sic Semper Tyrannosaurus Rex."
"As a result, Microsoft has re-released this bulletin with a new severity rating of "critical" to reflect the expanded attack vector. The update released with the original version of this security bulletin is effective in protecting from the vulnerability and users who have applied the update or have installed Office XP Service Pack 3 do not need to take additional action."
"In addition, Microsoft is making available an additional "client update" for customers on the Microsoft Download Center. This additional update does not contain new fixes or functionality, but is instead an additional offering of the update that provides an alternative for customers. More information on the client update is available in the Security Update Information section."
"AbdullahHaydar writes "From CRN: 'One day after releasing a fix for an Office XP flaw, Microsoft upgraded the severity of the vulnerability to critical and re-issued a new patch to address a new attack scenario discovered in the last 24 hours.' The funny thing is that the second bug they missed with the first fix is 'critical' whereas the original bug the fix was for is 'important.'"
What a deliberate trick. Bias at its worst. Why don't people check their sources?
Why can't we moderate news as Moronic or better yet moderate people as Stupid?
FWIW, you can use Microsoft's qchain utility that purportedly allows you to apply several patches with a single reboot. Haven't tried it yet, as my hours are still being spent trying to figure out what patches I need on my systems. Seems that between the Windows update site, the HFNetChk command-line utility, and a handful of patch management programs I've been looking at, I'm getting a variety of results as to what's needed and what's been installed.
If anybody has any favourite suggestions for managing this mess, I'm all ears.
Office XP SP3 also fixes the problem. You can get a version of SP3 that doesn't require access to the install CDs:
OfficeXpSp3-kb832671-fullfile-enu.exe 58925 KB
Qchain is no longer required to install multiple patches with a single reboot. Qchain functionality has been included in all windows patches for a while now. Just hit "no" when it asks you to reboot, then reboot manually when you've installed them all. If you want to script it, there are command line switches for all the patches allowing silent installs with no reboot.
Also, you should be using the new MBSA (Microsoft Baseline Security Analyser) instead of HFNetChk.
Another great tool is SUS (Software Update Services). It's basically an internal copy of Windows Update, where you can approve patches that you've tested, and the clients will then pull approved updates down automatically according to the schedule you set. Set the schedule via AD group policy, by manually editing the registry, or with a logon script.
Carpe Cerevisi - Seize the Beer
>but re-releasing a new patch at a higher security classification ought to be applauded, not ridiculed.
You're new here aren't you?
This is just our Microsoft Two Minutes of Hate. When you see these posts you're supposed to seethe in rage and imagine Bill Gates.
Perhaps if we weren't such hypocrites we would be taken more seriously and more people would be running Linux for its merits and not for the hype or manufactured political reasons.
It was the same thing and already fixed
Wrong. There were two mremap bugs. Regretfully, some people with the right background didn't have time to look at the bug and the fix before the first one went public. So a second public fix was needed.