Slashdot Mirror


Microsoft Rereleases Patch to Fix Problems

AbdullahHaydar writes "From CRN: 'One day after releasing a fix for an Office XP flaw, Microsoft upgraded the severity of the vulnerability to critical and re-issued a new patch to address a new attack scenario discovered in the last 24 hours.' The funny thing is that the second bug they missed with the first fix is 'critical' whereas the original bug the fix was for is 'important.'"

20 of 226 comments

  1. It ain't necessarily so by Space cowboy · · Score: 5, Insightful

    The fact that 24 hours after releasing an 'important' bug patch, Microsoft re-released a 'critical' bugpatch should *not* be held against them! It certainly would not be the first time someone had realised that the consequences of X are far more than previously thought.

    I'm no apologist for MS (see my posting history :-), but re-releasing a new patch at a higher security classification ought to be applauded, not ridiculed. Fair play, guys, and play the game according to *all* the rules, not just the "Redmond -4" ruleset...

    Simon

    --
    Physicists get Hadrons!
    1. Re:It ain't necessarily so by Kethinov · · Score: 4, Insightful

      Yeah, my thoughts exactly.

      I read the headline and the summary and it left me wondering "uh, and?"

      This just in, grass is green! Whether your OS is corporate or open source, security patches are going to happen and revisions of security patches are going to happen.

      --
      You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
    2. Re:It ain't necessarily so by pantycrickets · · Score: 3, Insightful

      But perhaps Microsoft should be criticised for releasing a partial fix earlier? For not investigating the earlier problem with enough diligence?

      Perhaps nearly every network enabled software developer should be criticised for the same? I'm sorry, but that was an asinine statement.

      Nearly every major piece of software on any OS, especially those that accept network connections have had multiple vulnerabilities over time. Even those developers who are extremely diligent (ie. OpenBSD) have had their share of problems.

      Any action on a developer's part, especially a proactive one, should be commended.

    3. Re:It ain't necessarily so by the_mad_poster · · Score: 4, Insightful

      So everyone could get on their ass for slow patching instead?

      Look, they patched a hole in a relatively decent period of time. They then patched additional issues quickly as well.

      I hate Microsoft too, but for crying out loud... how utterly fucking naive do you have to be to sit there trying to spin reasonable patch fixes against the company? Some people just need to get a life...

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    4. Re:It ain't necessarily so by whoever57 · · Score: 2, Insightful
      Perhaps nearly every network enabled software developer should be criticised for the same?

      Clearly multiple vulnerabilities exist and are discovered. My issue is that if a new patch is released one day after the first patch was released, it appears that insufficient investigation went into the first problem. One might also want to question the level of quality control that went into the second patch.

      Any action on a developer's part, especially a proactive one, should be commended.

      I agree that Microsoft should be commended for putting out the second patch and not ignoring the issue.

      --
      The real "Libtards" are the Libertarians!
    5. Re:It ain't necessarily so by ameoba · · Score: 2, Insightful

      It's a hype thing. Everyone wanted to see it 'cuz "everyone" was looking at it already. When coupled with the fact that she's in the richest 1% of the population, somewhat famous & better looking than most women it's all the more interesting.

      But she's not that hot; I can go downtown to any bar in the city & get turned down by a dozen prettier girls.

      --
      my sig's at the bottom of the page.
    6. Re:It ain't necessarily so by the_mad_poster · · Score: 3, Insightful

      You've got to be kidding me, right? Look, I've got it in for Microsoft-the-monopoly, but not like this. They patched a damn problem and they did it fairly quickly. Even if they goofed on the first one, they took a mere 24 hours (a fairly typical OSS turnaround) to come back and offer reparations for it. Not only did they not drag their feet on the fix, they didn't drag their feet on repairs of a potential oversight from the first one.

      Note the bold highlights since it's all speculation as to whether it was their goof or a mere coincidence that additional issues were discovered in the process. Some people are just trying to spin one of Microsoft's rare good moments against them as a knee-jerk reaction. I'm all for alternative OS's and choice, but on technical merit, not knee-jerk anti-MS reactions and unsubstantiated speculation.

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    7. Re:It ain't necessarily so by the_mad_poster · · Score: 2, Insightful

      Exactly - I'm far from a Microsoft fan. I used to sit around saying "well, let's give them the benefit of the doubt", but the more I use MS products, the less I like them and the company that made them. However, in this instance, Microsoft did a good job. STILL there are psychotic zealots trying to spin this against them.

      What amazes me is that if you confront these people (likely like whatever moron modded me flamebait while I responded to your sister post) they'll claim they're doing it "for Linux" or something similar, but they don't realize that all they're doing is making those of us who actually LIKE the system for what it is look like frothing dolts who have nothing better to do than invent bizarre, make-believe bullshit against some perceived nemesis.

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  2. Two bugs in one place by Anonymous Coward · · Score: 5, Insightful

    As I recall it took more than 24 hours for the second bug in the mremap function to be found in Linux. While bashing MS is always fun & exciting (and I do think their security sucks). I think Slashdot should try to post more stories about how Linux could be improved (security & functionality). Not to imply that Linux is bad, but there is this reactionary attitude where we must adapt to everything MS does as opposed to doing things first. No Longhorn till 2006 should not mean we sit around waiting for MS to come out with something to whine about. It should be seen as an opportunity to evolve Linux in new directions that MS can't emulate. Don't be afraid to embrace changes that could propel us way ahead of them.

  3. Patches by black mariah · · Score: 4, Insightful

    Exactly how is this different from the multitude of patches to fix things in the Linux kernel? Or patches in ANY OSS project? Are you trying to tell me that there has never been a security patch to any Linux kernel ever?

    I seem to recall a /. story just a short while back about a security vulnerability in the Linux kernel that was patched and the resulting posts were nothing but a bunch of open source taint nuzzling. When MS fixes a problem on the other hand, it's a bad thing.

    --
    'Standards' in computing only impress those who are impressed by things like 'standards'.
  4. Everytime a story like this is posted.... by gatkinso · · Score: 4, Insightful

    ....I am tempted to check the kernel cvs source tree history.

    But why inject objectivity and reality into an otherwise excellent discussion?

    --
    I am very small, utmostly microscopic.
  5. Re:They did not re-issue a new patch! by praxis · · Score: 2, Insightful

    Right! From the Microsoft patch site:

    "In addition, Microsoft is making available an additional "client update" for customers on the Microsoft Download Center. This additional update does not contain new fixes or functionality, but is instead an additional offering of the update that provides an alternative for customers. More information on the client update is available in the Security Update Information section."

    They re-issued the bulletin to upgrade the security rating to "critical" due to new information. See here:

    "Subsequent to the release of this bulletin, it was determined that this vulnerability could also affect users who do not have the "Outlook Today" folder home page as their default home page in Outlook 2002. As a result, Microsoft has re-released this bulletin with a new severity rating of "critical" to reflect the expanded attack vector. The update released with the original version of this security bulletin is effective in protecting from the vulnerability and users who have applied the update or have installed Office XP Service Pack 3 do not need to take additional action. "

  6. Re:What about the recent Linux kernel vulnarabilit by Anonymous Coward · · Score: 2, Insightful

    Not only that, but the response times on the Linux patches were seven months faster than Microsoft's response time, the patches and vulnerabilities were both well (and correctly) documented due to better research than the Microsoft patch, AND that the Linux exploits required you to have local access to the machine, and the Microsoft vuln was remotely exploitable. They're soooooo similar!

  7. *gasp* by PhrostyMcByte · · Score: 1, Insightful

    Why is stupid stuff like this getting onto the front of /. - are we really *that* obsessed with ms? Instead, why not report on something more useful, like the new apache 1.x/2.x remote exploit floating around. I'm sure that affects a lot more people here than a bugfix from ms.

  8. Re:Press the ReDo button..... by rusty0101 · · Score: 3, Insightful

    As opposed to releasing a patch that breaks a previous patch? As was the primary problem with the SQL issue that SQL slammer exploited?

    --
    You never know...
  9. Re:More information on the vulnerability by HFKIRSpyderMonkey · · Score: 2, Insightful

    Subsequent to the release of this bulletin, it was determined that this vulnerability could also affect users who do not have the "Outlook Today" folder home page as their default home page in Outlook 2002. As a result, Microsoft has re-released this bulletin with a new severity rating of "critical" to reflect the expanded attack vector.

    Much like other users have suggested, there's no reason in harassing them. They discovered the patch was exploitable on a wider scale than previously thought, and quickly released a patch to address it. No biggie.

  10. Good response time by Gary Destruction · · Score: 3, Insightful

    It shows that Microsoft is taking things more seriously. And maybe next time, maybe they'll catch more potential problems before they're discovered. If MS were to actually break itself up into smaller companies, it wouldn't have to worry about keeping tabs on so much stuff. I know it won't do that, but I think it would be a lot more efficient. When it comes to patches, Microsoft is like a giant. Someone hits it on the leg, so it has to look down and find the source of the attack and fix it. But at the same time, someone could be attacking it on the back and neck.

  11. Re:So now there's four 'R's? by dasmegabyte · · Score: 4, Insightful

    Really?

    It reminds me of a company trying to fix problems with a popular software product so that their customers' computers aren't fucked up by hackers.

    But, you know, your cartoon analogy is good, too.

    --
    Hey freaks: now you're ju
  12. The thing is by uptownguy · · Score: 4, Insightful

    I get your anger at... but I think you are missing the forest for the trees when you say things like "Slashdotters don't care much about the truth as long as they can whine... If they're not complaining...when did anyone on Slashdot..." Come on. Slashdot isn't some monolithic discussion board. That's what makes it great. That's why YOU come here and that's why YOU post. It's because Slashdot is the home of the great unwashed masses -- the strongest from every side here come to passionately defend their case. You never see one "side" persuaded... you don't ever get to see one side win...

    ...but I don't know. I come here, not to have my point of view reinforced but rather to read intelligent people discussing an issue. I don't spend all my time discussing issues. I go out with friends to bars. I watch movies. But sometimes I like to think about issues. And this is a great place to come to find ideas. Sometimes I even find myself being surprised by a different point of view...

    I just think the parent post dripped with a little too much bravado. And just to stay on topic ... wouldn't you say that the VAST MAJORITY of us are just keeping quiet on this because there isn't that much insightful to say? I mean, really, releasing patches of known vulnerabilities is a good thing. Duh.

    --


    I would have to say that explosives are the most abused technology in all of history.
  13. Re:This is consistent by pointbeing · · Score: 2, Insightful
    Remember, to Microsoft it is not an important problem unless they already have a fix for it!

    I know you were kidding around, but -

    This is true almost everywhere. If you release information about a vulnerability before you have a fix for it you invite folks to test your shiny new vulnerability ;-)

    I've been impressed with MS' stance on security since about last June - but now we see people using MS security bulletins to write worms.

    Look at Blaster - MS released a security bulletin and a fix, and Blaster showed up days or weeks later (I think it was about three weeks) to target unprotected machines. IM frequently less than HO if there'd been no security bulletin there'd have been no virus.

    This takes us in a new and particularly frightening direction - and puts MS in a no-win situation. Release the security bulletin and patch and wait for users to howl because they didn't think the update was worth their time and their machine got infected?

    I think over the next couple years you're gonna see a much more proactive stance from MS on consumer security - and even if they were a little slow on the uptake it's still good to see them taking security seriously now.

    --
    we see things not as they are, but as we are.
    -- anais nin