Slashdot Mirror


IE Download.Ject Exploit Fixed

Saint Aardvark writes "Just in time for the weekend, the Internet Storm Center is reporting that Microsoft is providing a fix for the Download.Ject vulnerability that hit IE late last month. The press statement says that it'll hit Windows Update later today..."

8 of 421 comments (clear)

  1. Re:That reminds me... by WoodstockJeff · · Score: 4, Interesting
    I know your post was taken as FUNNY, but I lost several hours last week installing, then uninstalling, an "important security patch" that took down the my client's Exchange Server. Had it been done automatically, the server would have simply stopped working for unknown reasons, at some MS-selected random time...

    I, for one, do NOT look forward to the coming mandatory auto-patching, but I suppose it is inevitable with Microsoft.

  2. Re:NOT an actual fix by Lehk228 · · Score: 3, Interesting

    when you set high security you cannot even use windows update, and putting windows update into trusted sites does not work right

    --
    Snowden and Manning are heroes.
  3. Re:In Other News... by chris_mahan · · Score: 4, Interesting

    I notice that MS releases a "fix" of some sort when DoHS says: use another browser.

    Can somebody at DoHS recommend switching to another browser every day so MS will start working on the backlog of bugs?

    Another question: Are there enough of those high-flying MS developers still working on the IE codebase to make the changes in a timely manner or is there an aging skeletton crew to fix the vulnerabilities, not too motivated since they were passed up for work on .NET?

    I wonder.

    Somebody probably lit the proverbial fire under their bums this morning.

    (They know how hard it is to get people to switch browsers. It took a while (2 years) with Netscape, and NS Communicator was a POS). I guess they are at the edge of the cliff and realized there's nowhere but down.

    --

    "Piter, too, is dead."

  4. Yippee! by callipygian-showsyst · · Score: 5, Interesting
    Despite all our whining and moaning, (and the fact that this bug was the straw that broke the Camel's Back and I switched to mozilla and thunderbird) Microsoft did act pretty fast here. It was less than a week, wasn't it?

    And, while it's unfortunate that many people don't (or can't) run Windows Update, it works well for people with fast connections who are behind firewalls so their systems don't get screwed up before they can patch them!

  5. Is this just coincidence? by Anonymous+Writer · · Score: 3, Interesting

    It was only mentioned two posts before this that CERT advised people to stay away from IE, even though CERT released that advisory on June 10, and it was even reported on BBC on June 14. Now this story comes along mentioning the patch will be available later today? The CERT advisory could have been published on Slashdot nearly a month ago, but conveniently is published on the same day as the fix is released. Was it intentional to keep information about the CERT announcement off of Slashdot until the fix was released?

  6. Re:FYI by dasmegabyte · · Score: 4, Interesting

    You're making claims that are untrue and short sighted. I call FUD.

    First, to release a patch to a commercial application used by millions of people is inherently troublesome. You've got to make sure you test it thoroughly...because unlike Open Source, the liability is on YOU if people can't get their work done. If there is a change to an existing setting that can defray the effect of the vulnerability and give you more time to test, it would be remiss of you not to inform customers of it. Would you rather they ask customers to wait a few days until the patch is thoroughly QA'd?

    Second, I have never -- that means NOT EVER -- seen an IE fix that broke my machine worse than a virus would. The fix might cause problems with IE, but it wouldn't cause my machine to send spam email against my will. And the VAST majority of IE fixes have had no ill effects whatsoever. On the other hand, emerging the latest from gentoo causes something to break a substantial percentage of the time.

    I do agree that IE isn't the best browser ever, but this doesn't excuse you from putting blame where it doesn't belong. If you're going to fault Microsoft for anything, fault them for not being up front about the patch process. They should let us know at every step of the way what the problem is, how to patch it for now, when a fix will be ready and how to defray such bugs from allowing exploits in the future. That's one cue from OSS they'd be smart to heed. All software is buggy. Pretending it's not is tantemount to pretending you aren't going to fix it.

    --
    Hey freaks: now you're ju
  7. Attack and solution known since Aug. 2003 by weld · · Score: 5, Interesting
    See Full Disclosure list for an attack that used same technique back in Aug. 2003:

    FullDisclosure: ADODB.Stream object

    Any attack vector that relies on an ActiveX control can be stopped by setting the killbit. This is IE security 101.


    -weld

  8. Security and MS "Getting it" by geomon · · Score: 4, Interesting

    Okay, everyone has had a great deal of fun at Microsoft's expense today with the stories of Dept of Homeland Security dumping IE, and Microsoft taking nearly a month to fix a BIG exploit in IE. But I wonder if Microsoft's problems are less a function of them 'getting it' as much as it is a case of them being a 'victim of their own success'. Follow along with me for a minute.

    When MS started its rise to the top, they hired as many of the brightest minds as they could to make their software the best of class. While many of us probably find the corner-cutting a bit too much to take, it is possible to have both world-class software while meeting a marketing deadline. It happens, but less frequently than MS or its defenders/supporters would like to think it does (lightning striking the same point twice *without* a lightning rod).

    They continued to compete heavily in the OS market despite the fact that they initially wanted to be nothing more than a computer language business. The OS was to be the cash cow that would allow them to be a more effective language business. But now they own the OS business and are driving their business model into other ventures (consoles, entertainment centers, telephones, automotive brainboxes, etc). They just follow the same formula that lead to their smashing success in moving into the OS and office app market: buy the best brains in the field and use their project management skills and VOILA!, they are the new masters of the [insert market segment].

    But consider the sandbox their bright minds play in: a homogeneous computing environment with computer scientists guarding the facility from outside intrusion. As has been noted in another slashdot article, Microsoft's products work wonderfully inside of Microsoft's campus.

    They have extremely talented people working with the highest-end equipment in an environment where everything works nearly 100% of the time. Is it so surprising that they do not view the world the way we do?

    After all, most of the companies that I have worked for are staffed with (largely) computer-illiterate people and whose firewall is maintained by a PFY with a high-school diploma.

    Perhaps it would be better for Microsoft if they force their developers to create their products in environments that their customers use. In fact, maybe they should send their developers to test their products in the heterogeneous environments of their customers for a month or two.

    Let them work the bugs out on their time for a change.

    --
    "Rocky Rococo, at your cervix!"