Microsoft to Issue Out-of-Cycle Patch for IE

rsw writes "Microsoft will be breaking their normal patch cycle and issuing a patch for the Download.Ject attack (a.k.a. Scob). They claim that the forthcoming patch will be a "long-term solution to the core vulnerability" exploited by Scob." Note that this does not mean that they are replacing IE with FireFox.

Wow

[Anonymous+Crowhead]

The released a patch when it's needed, not when it's scheduled. How novel.

Re:Wow

[EtherAlchemist]

I'm only playing devil's advocate here, but it's possible (likely?) that Microsoft suffers from internal politics, like many other software companys, that actually work against the process.

I work for a software company where fixes to bugs on live products are held up for weeks and months on end while managers seek the person to blame, assign blame, come up with a plan to make the fix, revise the plan to include 8 other random and unrelated things they want to fix, slap them into one rollout that will now require 6 developers on 3 teams and 4 QA guys who will follow the spec to the letter (even if it is mispelled) and file 200 new bugs. This cycle goes on for a month or so and by the time the fix is released, a dozen other problems have surfaced and been deemed not important enough to fix now. Afterall, we just had a hariy cycle trying to get the last fix out.

Now, the way it should have gone: Identify the problem, design a fix, make the fix, test the fix, deploy the fix. Days, not weeks or months.

Damn

[Billobob]

Note that this does not mean that they are replacing IE with FireFox.

Awww damn, and here I thought that Microsoft would include one of its strongest competing products instead of it's own that millions of dollars were funneled in to. Maybe I'm just too naive...

Re:Does anyone use IE anymore?

[neilcSD]

Of course they do. IE is by far the most used browser in the world. It is, after all, included with the most used OS's in the world. Those who know their stuff don't use a lot of Microsoft products, but a lot of people aren't in the know.

Firefox is not the answer.

[garcia]

I am throwing Karma out the window on this one as my comments on this subject fall on deaf ears here but... Firefox is not an acceptable replacement for IE for 90% of the users out there so I really think we could have done without the snide comment.

Yesterday I mentioned that nearly everyone who visits my site with Firefox are coming in from Slashdot URLs. It may come as a surprise to you but more than 90% of the Internet users out there aren't aware or concerned with IE vulnerabilities. It may also come as a surprise to you but Firefox isn't exactly the best browser out there if you want 100% compatibility with the "broken" sites on the Internet. These same users that don't know of the issues w/IE are more concerned that they cannot reach their online banking, see their sites the way that the "broken" authors intended, and have a seamless browsing experience.

Firefox is not the answer to MS' issues. Better preparation for security is.

Re:Firefox is not the answer.

[garcia]

Give me a broken site with a significant level of traffic (in other words, don't give me some 13 year old kid's site hosted off Geocities) that doesn't work in Firefox 0.8. Or, were you talking out your ass?

http://slashdot.org (left side overlaps main text requiring a page refresh to correct -- this has been noted MANY times and not corrected).

http://geocaching.com/my (fonts do not render correctly. I have to routinely change the sizes in order to view the page even half-acceptably -- strangely enough this happens on many pages but never with IE).

Re:Firefox is not the answer.

[R2.0]

The reasons you state do not support your assertion that "Firefox is not an acceptable replacement for IE for 90% of the users out there"

1)"more than 90% of the Internet users out there aren't aware or concerned with IE vulnerabilities"
So what? That has no bearing on whether Firefox would be an acceptable replacement. It might address WHY people find no incentive to switch, but not whether that switch would bew a good idea.

2)"Firefox isn't exactly the best browser out there if you want 100% compatibility with the "broken" sites on the Internet". Question? Is IE 100% compatible with "broken" sites? Thought not. Some sites don't work well, IE or no IE, and users are aware of this. There will always be crappy sites, and users blaming the software instead of the site - that is not a reason why Firefox can't replace IE for the average user.

Also, are there any statistics on how many sites are "actually" poorly rendered w. Firefox? 1%, 5%, 10%, 20%? My experience is that it's way down into single digits, but that is anecdotal.

Finally, what is "a seamless browsing experience?" Other than marketingspeak, I don't understand its meaning. When MS uses the phrase, it is as justifivation for browser integration, but that always struck me as a red herring to cover anti-competitive practices. Does the phrase mean anything real?

Re:Firefox is not the answer.

[Devi0s]

Firefox is most of the answer. People programming websites to adhere to standards such that IE and Firefox can render them correctly and using cross-platform non-monopolistic technologies instead of things like ActiveX is another part of the answer.

I have trained about ten broadband users to use firefox with limited javascript, cookie firewalling, zero disk cache, and zero java for everything, and if an important page (like online banking, or online billpay systems) doesn't work correctly, to look at that page ONLY in IE.

The average person can adhere to the above with only a few hours of training, whereas trying to fully educate people about security implications requires a great deal more time, especially teaching those that consider computers to be an invasive and immature technology (read: the sane, not you, most of the world, etc.)

I explain a bit of how cookie firewalling thwarts advertisers and how you really don't need to accept cookies from anything but *.yahoo.com to use the yahoo.com site.

I explain that disk cache on a broadband connection will actually slow your browsing experience on a cluttered hard drive.

I explain that java is almost never used for anything critical and that for those sites that use java that are important, just use IE.

I explain that in Firefox, it is wise to disable all of the features of javascript that Firefox lets you disable, because malicious web designers abuse those features and ruin your browsing experience, but OTHER javascript features enable things like hotmail and gmail to work. Again, if you need more javascript for sites that are important, just use IE.

If you are using a site that needs realplayer or quicktime, or flash, or shockwave, and you *really* need to go to that site, just use IE.

When the users start to get a feel for firefox, and start using the google search bar and tabbed browsing and are able to surf without pop-up windows and automatic window resizing, etc., they can't thank me enough.

Now, if only I could find a way to easily teach openoffice and non-outlook* adoption, I'd feel like superman... I'd certainly feel like the users are much safer than they were.

Re:Firefox is not the answer.

[gnu-generation-one]

"Firefox is not an acceptable replacement for IE for 90% of the users out there so I really think we could have done without the snide comment."

Huh?

Microsoft Internet Explorer isn't an acceptable browser for 90% of the users out there.

Nevermind your "snide" assertions about the websites that don't work, people are getting owned here. It's a serious problem. It's the spam problem and the virus problem and all the tech support problems, all stemming from this one application that's so insecure that everyone, from DHS to MSN themselves recommend getting rid of it immediately.

If your favorite website doesn't work in a generic web-browser, get them to fix it, or get a new supplier. Even the banks have got HTML websites now.

Re:Firefox

[datadriven]

I only use firefox. What render problems? I haven't been able to get IE to run on slackware anyway.

Re:Does anyone use IE anymore?

[dotslasher_sri]

Many users are not aware that there are good alternatives to IE. What firefox needs is publicity. Sure we all know about firefox but many home users havent heard about it yet.

Re:The mounting pressure

[EnnTeeDee]

"Our [Microsoft IE] users should have confidence that as long as they're running the latest browser with all the latest security fixes, they will have the most powerful and secure browsing experience," Hachamovitch said.

Umm, yeah, we should (in a perfect world) be able to have confidence that the biggest software company on the planet puts out the best product. But Microsoft is too big and juicy a target to inspire confidence.

We also should be able to trust our elected leaders to be able to spend our tax funds wisely, but I'm not holding my breath on that either.

Long-term solution?

[RonnyJ]

They claim that the forthcoming patch will be a "long-term solution to the core vulnerability" exploited by Scob."

So, are their patches normally NOT long-term solutions to vulnerabilities then?

Re:Does anyone use IE anymore?

i open IE about once a day to look at pages that don't load in firefox

Re:Slashdot

[LilJC]

Parent has been modded funny, but I think a lot of us do.

I've walked into work before with the owners complaining of not being able to get to half the web sites they like to peruse and hit slashdot to see what's up. Half the time I'm back in 20 seconds with an satisfactory explanation about a recent or in-progress attack.

Of course, I have to (for the umpteenth time) explain to my boss/CEO that I can't fix other peoples' servers, only ours. Wish I could at least get that guy to remember how a sort works in Excel.

It seems that ...

[Hatfieldje]

One of the biggest complaints against MS is that they are slow to respond to user need, while quick to add profit-margin-stretching-even-though-the-user-does n't-want/need-anyway "features" (e.g. Clippy). So how is the /. community going to react when MS actually starts listening to the customer and adding true features like security, speed, efficiency?

I've noticed over the past couple of months that there have been a few of opinions coming out. One is that it's too late for MS. They screwed the pooch years ago and their entire user base will end up jumping ship.

Another is that this is nothing but a marketing ploy. MS isn't really changing their ideology, they're just making us think they are, so we're better off jumping ship.

The other (my personal opinion) is that it's a welcome change. I will be glad when Windows becomes an environment that is as stable and easily configurable as linux. I love competition. It's what makes America thrive, and if MS can become competitive (again) in the eyes of /. geeks, just think about how much more time/effort will go into linux to make it even better. And, as for jumping ship, we'll have no need. But we may have a fleet comprised of MS, *nix/*BSD, etc.

Kudos to MS for trying to fix their old mistakes, and hopefully in a couple of years, they'll have them fixed and we can really have an OS War!

Fired

anybody who writes i.e only sites should be fired on the spot.

they have no business in the IT industry. I don't care if ie was the defacto standard - you write to industry standard - especially web pages.

firefox is great!! it is fast and renders pages the way they are suppose to - it is ie and the web sites that are broken and need to get fixed.

Re:Does anyone use IE anymore?

[93+Escort+Wagon]

"The problem I found is that a lot of web apps are coded for IE's "extensions" that don't translate over to Firefox... my power company paid some contractor to put together an online bill pay system for them, and obviously they're not interested in fixing it."

Complain! Even with major companies it can be that easy. Verizon Wireless's pages were IE-only for a while - I (along with many others, I'm sure) complained about it and threatened to take my business elsewhere; and they fixed it.

I thought the patch was released already.

[oogoliegoogolie]

It's hard to keep up with what MS patch fixes which exploit, but I thought a patch for this was issued a few days after the exploit was discovererd. Am I confusing this with that that recent firefox run-shell bug?

All these bugs are difficult to keep track of. It was so much simpler before the net. Virus scanner updates came once a month, windows updates came once a quarter or longer, and most of them were fixes for feature or performance bugs, not security updates. Now we have daily virus updates and each week half a dozen OS updates for serious exploits.

Man I am starting to sound like an old fart.

Re:Does anyone use IE anymore?

I work for a very large corporation, with employees ranging at least in the hundreds of thousands, if not more. When corporate IT puts the newest releases of IE on every single desktop, and states that we *will* use it as the one browser, we use IE. A few holdouts still use Netscape 4.7, as they work on contracts requiring it for some reason.

As an internal web developer, I try to make sure my apps. are cross-browser compliant, but I am not everyone. Even some of the web apps. we use that have come from 3rd parties only work properly in IE.

Considering the internal project I work on has been fighting with Corporate for months now over getting just one tiny Linux box for running CVS (Open Source?! We don't know how to back up something that's not a Windows box!), I'd hate to see the hell it takes to get Firefox, Opera, or anything else in here.

There are a lot of 400 lb. gorilla IT depts. out there running the computing for large corps. They don't like the security holes, but there's no budging them off IE. Combine that with the fact that non-technical people want to use one browser at home and work, and well, you have IE all over the place.

I have Firefox at home and love it. I turn on others where I can. I wish we had it at work, as my life would be easier. But, there's nothing I can do about that 400 lb. gorilla.

Re:Firefox

[bryhhh]

Occaisionally the slashdot homepage will not fully render in Firefox. It will appear blank except for images until a reload or two is done.

I've seen this a few times, but it's been a while since I last saw it happen.

The comments pages also tend to be text-biased too far left on occaision, rendering the comments' text a bit into the Sections and help left-sidebar.

For what it's worth, this is caused by the vertical ad on the right side of the page.

Even with the Adblock extension it still exhibits this behaviour.

Re:The mounting pressure

Our elected leaders aren't keeping 3/4 of their revenue for themselves.

Re:Firefox has more holes?

[Fuzzums]

bugs != hole.

- user profiles are a mess!
- Crash triple-clicking on textbox during page load.
- TestCookie crashes in NSPR logging
and so on, and so on.

What am I missing in the big bug-list? Hmmm. Remote exploits, security holes, javascript exploits, Active-X exploits.....

And - Clipboard does not work - can hardly be seen as a critical bug. It's a feature ;)

Re:Does anyone use IE anymore?

[It'sYerMam]

So basically, instead of using a secure browser, your cripple the insecure, featureless, bloated one in the hope that it'll be vaguely acceptable in the security department at least?
What about Tabbed Browsing, extensions, standards compliance and all that?

Firefox is more than IE SP2...

Why does everyone thing Firefox is "winning?"

[NitroWolf]

I've been contemplating which thread to post this to, so I'll post it here.

Why does everyone thing we're "winning" against Microsoft/IE with Mozilla Firefox? It's not that we are winning, it's that Microsoft isn't playing anymore.

There's no reason for them to have the dominant browser on the market anymore, and one HUGE reason for them to explicitly NOT have the dominant browser. Their DOJ investigations focused, in part, on the fact that IE was bundled with Windows and thus constituted a monopoly. However, if Microsoft now lets IE flounder and lets Mozilla (or another browser) become dominant, they have a huge lever to use against any future DOJ or legal inqueries. They can then say they aren't a monopoly, as another browser is dominant.

And why not? There's no money to be made on IE - it's strictly a resource drain. They don't make a single dime from it... why pay someone to keep IE up to standards, when they can get the whole Open Source community to do it for free - in the form of Mozilla.

Stop and think about it for a moment, there's absolutely NO reason for MS to have the dominant browser any longer... there's no financial or legal advantage to it. A browser is effectively a commodity, and anyone developing one is going to have to expend resources to do so - with no return on that investment. Thus, Microsoft's only real logical conclusion would be to let IE slowly fade away, it solves not only the money/resource drain, but also protects them from further DOJ inquiries.

So Firefox isn't winning, exactly... Microsoft just took their ball and went home, because the game had no point for them anymore.

Re:Why does everyone thing Firefox is "winning?"

[pandrijeczko]

This isn't about winning in terms of more users using Firefox than IE - that's irrelevant because Open Source is not about smashing Microsoft to a pulp but ensuring everyone has a choice.

If MS release a patch that unwelds IE from the rest of Windows into an independent browser (thus closing the major security holes in it) and makes it fully HTML/XHTML standards compliant, that would be good enough because then every web site would also have to be standards compliant and we could all browse all web sites no matter what OS or browser we are using.

Re:Why does everyone thing Firefox is "winning?"

there's absolutely NO reason for MS to have the dominant browser any longer

Yes there is - to keep Gecko and KHTML browsers out of the market.

XAML is coming with Longhorn. Gecko already provides this functionality with XUL. KDE is already experimenting with rendering XUL with KaXUL.

XAML will directly compete with XUL. If Gecko and KHTML-based browsers have a significant market-share by then, XUL may prove to be too widespread for Microsoft to shake. They couldn't get rid of HTML, and they might not be able to get rid of XUL - just as long as people are using it. People can't use it if they aren't using non-IE browsers.

Users are still users

[AceyMan]

It became apparent to me that unless we techs educate (not proselytize) the method for `safe computing`, we are doomed.

This is much akin to how the CDC, HHS, etc, try to teach the public about safe sex. We have to make it appear important (because it is vitally so), but cannot risk alienating our audience for that very reason. Similar to sex-ed, if you have a weak link in your method, you're effed.

I worked on a user's PC this week that had current AV software, 2 different malware scanners, and was free of junk/popup software. Good, right? Oh, but he didn't have a SINGLE Microsoft patch on the system (it was XP Pro, box stock, pre SP1). Clearly, even though he was better then the average user, he missed critical knowledge about `Safe Computing`.

These are the kinds of hurdles we face before we can have any success on the desktop (as we know it now = largely Windows(TM)).

Re:Does anyone use IE anymore?

[binner1]

Because that would just cause braindead developers to continue to do things wrong. Firefox is gaining momentum lately...a little message from the DHS gets people's attention much better than I ever did. I've since switched several people to firefox (they all love tabs, etc now).

The more people we switch, the more people who will complain that websites are broken.

Things will get better/are getting better. FOSS software should be relentless in its pursuit of implementing standards completely, and sticking to them. If we start tossing in hacks to support other broken software, we've already lost.

-Ben

Re:Does anyone use IE anymore?

If I go to a site that's coded for IE extensions, (or $deity forbid - ActiveX), I simply go elsewhere. They're not the only place selling their friggin widgets, and they just lost a customer.

Oh - I'm simply a techno-terrorist, geek syndrome, low demographic? Wise up! Most users are and abandoning IE.

Re:Does anyone use IE anymore?

[tdemark]

I guess you're not letting your precious Firefox remember any passwords for you, then.

First of all, I use Safari all the time - unless I am on a Window or Linux box, then I use Firefox.

Second, correct, I do NOT let any browser remember passwords or sites I have visited (with the exception of the ones in my bookmarks).

Third, there is a difference between me the user making a bad security decision and the server (IE / Intranet) not giving me a choice.

- Tony