Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft to Issue Out-of-Cycle Patch for IE

Posted by CmdrTaco on from the download-reboot-repeat dept.

rsw writes "Microsoft will be breaking their normal patch cycle and issuing a patch for the Download.Ject attack (a.k.a. Scob). They claim that the forthcoming patch will be a "long-term solution to the core vulnerability" exploited by Scob." Note that this does not mean that they are replacing IE with FireFox.

77 of 391 comments (clear)

  1. The mounting pressure by Mz6 · · Score: 4, Interesting

    Seems as though all of the exploits coming out against IE has finally got to them. I've counted about 5+ just from the Full Disclosure and BugTraq mailing lists in the past few weeks. All of them different in nature of thier attacks.

    --
    Hmmm.
    1. Re:The mounting pressure by EnnTeeDee · · Score: 5, Insightful

      "Our [Microsoft IE] users should have confidence that as long as they're running the latest browser with all the latest security fixes, they will have the most powerful and secure browsing experience," Hachamovitch said.

      Umm, yeah, we should (in a perfect world) be able to have confidence that the biggest software company on the planet puts out the best product. But Microsoft is too big and juicy a target to inspire confidence.

      We also should be able to trust our elected leaders to be able to spend our tax funds wisely, but I'm not holding my breath on that either.

    2. Re:The mounting pressure by Anonymous Coward · · Score: 2, Insightful

      Our elected leaders aren't keeping 3/4 of their revenue for themselves.

  2. Wow by Anonymous+Crowhead · · Score: 5, Insightful

    The released a patch when it's needed, not when it's scheduled. How novel.

    1. Re:Wow by chrisgeleven · · Score: 5, Informative

      Except this patch was needed a few weeks ago (and the exploit if I remember right has been known for months).

    2. Re:Wow by Anonymous Coward · · Score: 3, Interesting

      But didn't MS say it's the patches that cause the exploits?

      Plus the patch won't be ready till NEXT week.
      Normally MS doesn't PR their minor patchs. Maybe their Service Packs, but i don't really know.
      So, how much of this PR stunt has to do with what Home Land (in)Security had to say about IE?

    3. Re:Wow by EtherAlchemist · · Score: 5, Insightful

      I'm only playing devil's advocate here, but it's possible (likely?) that Microsoft suffers from internal politics, like many other software companys, that actually work against the process.

      I work for a software company where fixes to bugs on live products are held up for weeks and months on end while managers seek the person to blame, assign blame, come up with a plan to make the fix, revise the plan to include 8 other random and unrelated things they want to fix, slap them into one rollout that will now require 6 developers on 3 teams and 4 QA guys who will follow the spec to the letter (even if it is mispelled) and file 200 new bugs. This cycle goes on for a month or so and by the time the fix is released, a dozen other problems have surfaced and been deemed not important enough to fix now. Afterall, we just had a hariy cycle trying to get the last fix out.

      Now, the way it should have gone: Identify the problem, design a fix, make the fix, test the fix, deploy the fix. Days, not weeks or months.

      --
      R(k)
    4. Re:Wow by LittleGuy · · Score: 2

      Normally MS doesn't PR their minor patchs. Maybe their Service Packs, but i don't really know. ...except it's been since February since their last IE Culmulative Patch....

      Way overdue, even for MS.

      --
      Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
    5. Re:Wow by Q2Serpent · · Score: 4, Funny

      who will follow the spec to the letter (even if it is mispelled)

      It happens to the best of us :)

    6. Re:Wow by HumorousFounder · · Score: 2, Interesting

      I think something to remember here is that IE integrates into a lot of their products so I think a better way of describing the process would be Identify the problem, design a fix, make the fix, test the fix, fix the fix, test the fix, fix the fix, test the fix, deploy the fix, hope that they didn't rush the fix out too quickly and break other peoples software. Weeks not Days or Months (well mabye months on occasion)

  3. Firefox by FortKnox · · Score: 4, Interesting

    Note that this does not mean that they are replacing IE with FireFox.

    Good, cause firefox has render problems on slashdot all the time (where as IE doesn't). I don't think its firefox, either, cause it doesn't happen on any other site I go to.

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    1. Re:Firefox by Mz6 · · Score: 2, Informative

      Well... I think someone submitted that as a Slashdot bug and they wrote it off as a Mozilla one instead.

      --
      Hmmm.
    2. Re:Firefox by Billobob · · Score: 2, Interesting

      It could have something to do with the fact that Slashdot doesn't exactly use standards-friendly HTML...

      --
      If you have to ask, you'll never know.
    3. Re:Firefox by datadriven · · Score: 3, Insightful

      I only use firefox. What render problems? I haven't been able to get IE to run on slackware anyway.

      --
      GETPKG - Package Management for Slackware
    4. Re:Firefox by AliasTheRoot · · Score: 4, Informative

      /. doesn't exactly produce the most compliant html...

      however I've never had any problems with the site using firefox.

    5. Re:Firefox by Malc · · Score: 3, Funny

      Come on now! You don't think the /. authors live up to expectations and actually develop under Linux using one of the many standard's compliant browsers do you? It's obvious that they code for and test with IE! ... how else could you explain it?

    6. Re:Firefox by hattig · · Score: 5, Interesting

      I think it is a problem with Firefox. I've noticed that it happens a lot on table layout pages, especially large ones. Livejournal can have the same problem.

      Basically it guesses widths of table cells/columns at some stage, then sticks with them as more of the page loads, and doesn't compensate for the new contents, which may include more tables, which will then overflow other elements on the page. Well, it is something like that. I think it could be solved by merely re-formatting the page after it has fully loaded ... although the simple Resize Font trick fixes everything anyway (ctrl+mousewheel)

    7. Re:Firefox by hattig · · Score: 5, Interesting

      What is sad is the multitudes of fixed HTML examples that Slashdot readers keep coming up with, but still haven't been used even though I remember some of them being done a year ago!

    8. Re:Firefox by dsanfte · · Score: 2, Informative

      Occaisionally the slashdot homepage will not fully render in Firefox. It will appear blank except for images until a reload or two is done. The comments pages also tend to be text-biased too far left on occaision, rendering the comments' text a bit into the Sections and help left-sidebar. This is also fixed after three or four reloads.

      --
      occultae nullus est respectus musicae - originally a Greek proverb
    9. Re:Firefox by StRex · · Score: 2, Informative

      The funny thing is that, as mentioned elsewhere in this discussion, changing the font size using Ctrl+Mousewheel, and then changing back to the original size fixes the problem--until you refresh. It is particularly strange that the only site where I have Firefox rendering issues is /. though....

    10. Re:Firefox by Anonymous Coward · · Score: 2, Funny

      So that's the problem - Firefox rendering Slashdot. I just thought they were using a new sickening glowing olive color for the IT section.

    11. Re:Firefox by br0ck · · Score: 2, Informative

      They're working on it.

    12. Re:Firefox by bryhhh · · Score: 2, Insightful

      Occaisionally the slashdot homepage will not fully render in Firefox. It will appear blank except for images until a reload or two is done.

      I've seen this a few times, but it's been a while since I last saw it happen.

      The comments pages also tend to be text-biased too far left on occaision, rendering the comments' text a bit into the Sections and help left-sidebar.

      For what it's worth, this is caused by the vertical ad on the right side of the page.

      Even with the Adblock extension it still exhibits this behaviour.

    13. Re:Firefox by Reckless+Visionary · · Score: 2, Informative

      Apparently this is fixed on trunk, but not on the aviary branch.

      http://bugzilla.mozilla.org/show_bug.cgi?id=2175 27

      --
      I think I'll stop here.
  4. Damn by Billobob · · Score: 3, Insightful
    Note that this does not mean that they are replacing IE with FireFox.

    Awww damn, and here I thought that Microsoft would include one of its strongest competing products instead of it's own that millions of dollars were funneled in to. Maybe I'm just too naive...

    --
    If you have to ask, you'll never know.
  5. Does anyone use IE anymore? by AngryScot · · Score: 4, Interesting

    and if they do why?

    I mannaged to get my work to use fireFox after showing them a /. thread about it

    --

    All spelling mistakes are due to solar flares...honest

    1. Re:Does anyone use IE anymore? by neilcSD · · Score: 2, Insightful

      Of course they do. IE is by far the most used browser in the world. It is, after all, included with the most used OS's in the world. Those who know their stuff don't use a lot of Microsoft products, but a lot of people aren't in the know.

    2. Re:Does anyone use IE anymore? by dotslasher_sri · · Score: 2, Insightful

      Many users are not aware that there are good alternatives to IE. What firefox needs is publicity. Sure we all know about firefox but many home users havent heard about it yet.

    3. Re:Does anyone use IE anymore? by ErichTheRed · · Score: 4, Informative

      The problem I found is that a lot of web apps are coded for IE's "extensions" that don't translate over to Firefox. We have a few internal apps at work like that, but there are public examples too. E.g, my power company paid some contractor to put together an online bill pay system for them, and obviously they're not interested in fixing it. Open the page in IE, and it works fine. Open it in Firefox, and you get a blank screen.

    4. Re:Does anyone use IE anymore? by syates21 · · Score: 2, Interesting

      Please feel free to demonstrate how FireFox can seamlessly (and securely) used a user's workstation credentials to authenticate to a web server without requiring a username/password as IE does with Windows Integrated Authentication.

      That is one of the larger issues that cannot be solved by just tweaking some HTML to make it more compliant. It's also a big deal from a user experience standpoint in the corporate intranet world.

    5. Re:Does anyone use IE anymore? by Unnngh! · · Score: 2, Interesting
      If you look at most large websites that get lots of hits from the random public (i.e. yahoo, etc.), I think you will find that their browser stats show 90-99% of people using IE. Several years ago the place I worked at was at the 99% mark with IE so we simply stopped worrying about Netscape compliance, etc.

      Those numbers may have changed some since '99 but even back then Netscape was supposed to be "big". It just wasn't big enough for us to care.

    6. Re:Does anyone use IE anymore? by 93+Escort+Wagon · · Score: 2, Insightful

      "The problem I found is that a lot of web apps are coded for IE's "extensions" that don't translate over to Firefox... my power company paid some contractor to put together an online bill pay system for them, and obviously they're not interested in fixing it."

      Complain! Even with major companies it can be that easy. Verizon Wireless's pages were IE-only for a while - I (along with many others, I'm sure) complained about it and threatened to take my business elsewhere; and they fixed it.

      --
      #DeleteChrome
    7. Re:Does anyone use IE anymore? by Anonymous Coward · · Score: 2, Insightful

      I work for a very large corporation, with employees ranging at least in the hundreds of thousands, if not more. When corporate IT puts the newest releases of IE on every single desktop, and states that we *will* use it as the one browser, we use IE. A few holdouts still use Netscape 4.7, as they work on contracts requiring it for some reason.

      As an internal web developer, I try to make sure my apps. are cross-browser compliant, but I am not everyone. Even some of the web apps. we use that have come from 3rd parties only work properly in IE.

      Considering the internal project I work on has been fighting with Corporate for months now over getting just one tiny Linux box for running CVS (Open Source?! We don't know how to back up something that's not a Windows box!), I'd hate to see the hell it takes to get Firefox, Opera, or anything else in here.

      There are a lot of 400 lb. gorilla IT depts. out there running the computing for large corps. They don't like the security holes, but there's no budging them off IE. Combine that with the fact that non-technical people want to use one browser at home and work, and well, you have IE all over the place.

      I have Firefox at home and love it. I turn on others where I can. I wish we had it at work, as my life would be easier. But, there's nothing I can do about that 400 lb. gorilla.

    8. Re:Does anyone use IE anymore? by It'sYerMam · · Score: 2, Insightful
      So basically, instead of using a secure browser, your cripple the insecure, featureless, bloated one in the hope that it'll be vaguely acceptable in the security department at least?
      What about Tabbed Browsing, extensions, standards compliance and all that?

      Firefox is more than IE SP2...

      --
      im in ur .sig, writin ur memes.
    9. Re:Does anyone use IE anymore? by anomalous+cohort · · Score: 2, Informative
      Open the page in IE, and it works fine. Open it in Firefox, and you get a blank screen.

      This is what I do when I run into one of those mysterious "blank screens."

      • Launch konqueror
      • Configure konqueror to identify itself as Internet Explorer to the web server
      • Surf to the offending page

      This gets me past the "blank screen" problem about 75% of the time.

    10. Re:Does anyone use IE anymore? by aWalrus · · Score: 3, Informative

      That conclusion is a non sequitur, since it is usually made from the standpoint of webmasters who have non-compliant sites that break in alternate browsers. If you're looking at the traffic statistics for your site that breaks in Firefox, it is *obvious* that you won't find very many Firefox users, since you're driving them away.

      To provide some numbers, check the Google Zeitgeist. Although it does show that IE 6 has a clear dominance, the Mozilla traffic is on par with IE 5.0 and IE 5.5 -- If you support those, you should support Mozilla.

      If you go to more techie-oriented sites you'll see very different results. In my site's own stats, IE accounts for less than 50% of visitors (and yes, there *are* more than 5 people visiting daily).

      --
      Overcaffeinated. Angry geeks.
    11. Re:Does anyone use IE anymore? by binner1 · · Score: 2, Insightful

      Because that would just cause braindead developers to continue to do things wrong. Firefox is gaining momentum lately...a little message from the DHS gets people's attention much better than I ever did. I've since switched several people to firefox (they all love tabs, etc now).

      The more people we switch, the more people who will complain that websites are broken.

      Things will get better/are getting better. FOSS software should be relentless in its pursuit of implementing standards completely, and sticking to them. If we start tossing in hacks to support other broken software, we've already lost.

      -Ben

    12. Re:Does anyone use IE anymore? by tdemark · · Score: 2, Insightful

      I guess you're not letting your precious Firefox remember any passwords for you, then.

      First of all, I use Safari all the time - unless I am on a Window or Linux box, then I use Firefox.

      Second, correct, I do NOT let any browser remember passwords or sites I have visited (with the exception of the ones in my bookmarks).

      Third, there is a difference between me the user making a bad security decision and the server (IE / Intranet) not giving me a choice.

      - Tony

  6. I've migrated ove... by Ratchet · · Score: 4, Interesting

    ...the most finiky of users, my Mom, to Firefox without her even knowing it. Now if Dad would stop playing Solitaire long enough for me to get at his computer then I'd de-IE him as well.

  7. Slashdot by john_smith_45678 · · Score: 4, Funny

    ...where I come for all my MS IE patch news.

    --
    John Kerry is a Joke!
    1. Re:Slashdot by LilJC · · Score: 4, Insightful
      Parent has been modded funny, but I think a lot of us do.

      I've walked into work before with the owners complaining of not being able to get to half the web sites they like to peruse and hit slashdot to see what's up. Half the time I'm back in 20 seconds with an satisfactory explanation about a recent or in-progress attack.

      Of course, I have to (for the umpteenth time) explain to my boss/CEO that I can't fix other peoples' servers, only ours. Wish I could at least get that guy to remember how a sort works in Excel.

      --

      The only thing more dangerous than a file named -rf is renaming it -rf\ /
  8. /. threads work like that?! by UFNinja · · Score: 2, Funny

    Maybe I can convince my boss to let me play Doom 3 on my workstation. I'll just show him a /. thread on it. ;-)

  9. Firefox is not the answer. by garcia · · Score: 3, Insightful

    I am throwing Karma out the window on this one as my comments on this subject fall on deaf ears here but... Firefox is not an acceptable replacement for IE for 90% of the users out there so I really think we could have done without the snide comment.

    Yesterday I mentioned that nearly everyone who visits my site with Firefox are coming in from Slashdot URLs. It may come as a surprise to you but more than 90% of the Internet users out there aren't aware or concerned with IE vulnerabilities. It may also come as a surprise to you but Firefox isn't exactly the best browser out there if you want 100% compatibility with the "broken" sites on the Internet. These same users that don't know of the issues w/IE are more concerned that they cannot reach their online banking, see their sites the way that the "broken" authors intended, and have a seamless browsing experience.

    Firefox is not the answer to MS' issues. Better preparation for security is.

    1. Re:Firefox is not the answer. by kid_wonder · · Score: 5, Informative

      I disagree. I use firefox for just about everything; online banking, online account management, etc. Every once in a while I need to open up IE to view a flash animation or some other stupid site that uses ActiveX - but at that point I know what they are trying to do and can establish the risks of going to it in IE.

      btw, regarding all these /. problems, for some reason I get this render problem intermittently, but a simple reload typically handles the problem.

      --

      "Oh, you hate your job? There's a support group for that, it's called everyone, they meet at the bar."
    2. Re:Firefox is not the answer. by PeteQC · · Score: 5, Informative

      There is a lot of "broken" sites that won't be right in IE when Microsoft will release it's SP2 for XP with a lot of added security to IE.

      Pop-up won't show, and all the non-correctly defined elements won't show right neither. So, maybe finally the webmasters will correct their sites.

      --
      Montreal - Best city to live in!
    3. Re:Firefox is not the answer. by mbourgon · · Score: 2, Interesting

      "more than 90% of the Internet users out there aren't aware or concerned with IE vulnerabilities."

      That's odd. At least every week I have someone mention some new spyware or popup they run into, and how do I deal with it. Many of them are now quite happily running Mozilla or Firefox.

      And the problem with viewing people's sites isn't my problem, it's the site's. If it doesn't work, I go elsewhere. And my bank's site works just fine with Moz.

      --
      "Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
    4. Re:Firefox is not the answer. by garcia · · Score: 2, Insightful

      Give me a broken site with a significant level of traffic (in other words, don't give me some 13 year old kid's site hosted off Geocities) that doesn't work in Firefox 0.8. Or, were you talking out your ass?

      http://slashdot.org (left side overlaps main text requiring a page refresh to correct -- this has been noted MANY times and not corrected).

      http://geocaching.com/my (fonts do not render correctly. I have to routinely change the sizes in order to view the page even half-acceptably -- strangely enough this happens on many pages but never with IE).

    5. Re:Firefox is not the answer. by R2.0 · · Score: 2, Insightful

      The reasons you state do not support your assertion that "Firefox is not an acceptable replacement for IE for 90% of the users out there"

      1)"more than 90% of the Internet users out there aren't aware or concerned with IE vulnerabilities"
      So what? That has no bearing on whether Firefox would be an acceptable replacement. It might address WHY people find no incentive to switch, but not whether that switch would bew a good idea.

      2)"Firefox isn't exactly the best browser out there if you want 100% compatibility with the "broken" sites on the Internet". Question? Is IE 100% compatible with "broken" sites? Thought not. Some sites don't work well, IE or no IE, and users are aware of this. There will always be crappy sites, and users blaming the software instead of the site - that is not a reason why Firefox can't replace IE for the average user.

      Also, are there any statistics on how many sites are "actually" poorly rendered w. Firefox? 1%, 5%, 10%, 20%? My experience is that it's way down into single digits, but that is anecdotal.

      Finally, what is "a seamless browsing experience?" Other than marketingspeak, I don't understand its meaning. When MS uses the phrase, it is as justifivation for browser integration, but that always struck me as a red herring to cover anti-competitive practices. Does the phrase mean anything real?

      --
      "As God is my witness, I thought turkeys could fly." A. Carlson
    6. Re:Firefox is not the answer. by stratjakt · · Score: 2, Informative

      Netscape still has the name recognition.

      If someone fights against Mozilla, just have this conversation:

      "I'm installing Firefox on your machine to use instead of IE"

      "NO! I need IE, I dont want to try some other software!"

      "Ummm, ok, how about Netscape?"

      "Sure!"

      Firefox isn't even to a 1.0 release. It's good, but it's not finished. It's not ready to be shoved down everybodies throats, there are still plenty of issues.

      --
      I don't need no instructions to know how to rock!!!!
    7. Re:Firefox is not the answer. by Devi0s · · Score: 2, Insightful

      Firefox is most of the answer. People programming websites to adhere to standards such that IE and Firefox can render them correctly and using cross-platform non-monopolistic technologies instead of things like ActiveX is another part of the answer.

      I have trained about ten broadband users to use firefox with limited javascript, cookie firewalling, zero disk cache, and zero java for everything, and if an important page (like online banking, or online billpay systems) doesn't work correctly, to look at that page ONLY in IE.

      The average person can adhere to the above with only a few hours of training, whereas trying to fully educate people about security implications requires a great deal more time, especially teaching those that consider computers to be an invasive and immature technology (read: the sane, not you, most of the world, etc.)

      I explain a bit of how cookie firewalling thwarts advertisers and how you really don't need to accept cookies from anything but *.yahoo.com to use the yahoo.com site.

      I explain that disk cache on a broadband connection will actually slow your browsing experience on a cluttered hard drive.

      I explain that java is almost never used for anything critical and that for those sites that use java that are important, just use IE.

      I explain that in Firefox, it is wise to disable all of the features of javascript that Firefox lets you disable, because malicious web designers abuse those features and ruin your browsing experience, but OTHER javascript features enable things like hotmail and gmail to work. Again, if you need more javascript for sites that are important, just use IE.

      If you are using a site that needs realplayer or quicktime, or flash, or shockwave, and you *really* need to go to that site, just use IE.

      When the users start to get a feel for firefox, and start using the google search bar and tabbed browsing and are able to surf without pop-up windows and automatic window resizing, etc., they can't thank me enough.

      Now, if only I could find a way to easily teach openoffice and non-outlook* adoption, I'd feel like superman... I'd certainly feel like the users are much safer than they were.

      --
      - Have you ever noticed that the more you learn about technology, the more stupid you sound trying to explain it?
    8. Re:Firefox is not the answer. by gnu-generation-one · · Score: 5, Insightful

      "Firefox is not an acceptable replacement for IE for 90% of the users out there so I really think we could have done without the snide comment."

      Huh?

      Microsoft Internet Explorer isn't an acceptable browser for 90% of the users out there.

      Nevermind your "snide" assertions about the websites that don't work, people are getting owned here. It's a serious problem. It's the spam problem and the virus problem and all the tech support problems, all stemming from this one application that's so insecure that everyone, from DHS to MSN themselves recommend getting rid of it immediately.

      If your favorite website doesn't work in a generic web-browser, get them to fix it, or get a new supplier. Even the banks have got HTML websites now.

  10. Does this mean Microsoft is going... by Anonymous Coward · · Score: 3, Funny

    ...with the Rhythm method?

  11. Long-term solution? by RonnyJ · · Score: 5, Insightful
    They claim that the forthcoming patch will be a "long-term solution to the core vulnerability" exploited by Scob."

    So, are their patches normally NOT long-term solutions to vulnerabilities then?

  12. Is there something wrong with me? by Klar · · Score: 3, Interesting

    shhh, don't tell anyone, but I'm still using IE6.. I dunno, I'm just so used to using it, and it seems to work well for me. I haven't had any virus or security problems(that I know of).. I always want to try firefox after reading posts about its power, but man.. IE is just so..so.. easy.

    --
    Boxing Equipment Reviews
    1. Re:Is there something wrong with me? by GigsVT · · Score: 5, Informative

      My wife was infected by spyware by simply visiting a site that was an etrade affilliate site (they were offering a free PDA if you opened an etrade account).

      She told me at the time the only difference between her computer and her friend that sent it to her was that she had Sun Java installed and he didn't. He didn't get infected and she did.

      This was several months ago, she searched and didn't find any exploit info about it.

      A couple days ago she found the exact exploit she had encountered on a vulnerability list, a combination of Sun Java and an IE bug cause a certain vulnerability.

      So you might think you are safe, but how many "zero day" or unknown exploits, such as the one my wife got infected by spyware via are out there?

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:Is there something wrong with me? by tshak · · Score: 2, Informative

      Spyware has more to do with social engineering by visiting questionable than anything else. Most people click "OK" past the IE security warnings when spyware is trying to install itself. Microsoft is doing it's part to try and mitigate this problem in XP SP2 by making warning dialogs more clear and urgent, and in some cases even adding a timer before the user can actually click OK (Outlook 2003 currently does this if any outside program tries to send email through it. It's annoying but it's better than the alternative).

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  13. Remove need for patching...by removing IE. by The+Fifth+Man · · Score: 5, Informative

    Build a CD of Windows 2000 without IE (or Outlook, etc. etc)

    Build a CD of Windows 2k, XP, or 2k3 without IE (or Outlook, etc. etc)

    Download an IE removal program for Win2k

    1. Re:Remove need for patching...by removing IE. by Apathetic1 · · Score: 2, Informative

      Removing IE will not remove the vulnerability. The vulnerability is in the MS-HTML control not in the Internet Explorer executable. Any application that uses the MS-HTML control is vulnerable.

      --

      My username does not make me Apathetic. It's irony, get it?

    2. Re:Remove need for patching...by removing IE. by Bachus9000 · · Score: 2, Interesting

      With Nlite you can even remove the IE rendering engine. Of course, some things in Windows won't work afterward, but that shouldn't be surprising considering how hard MS has worked to make IE impossible to remove. Take note that Nlite is still very much beta software and has plenty of bugs that need to be worked out, but all-in-all it is a very nice program. Currently it requires the .net framework 1.1, but the author is currently working on a C++ version. I suggest anyone who uses Windows 2000/XP/2003 check it out.

  14. My organization just dumped IE for Firefox by gearmonger · · Score: 5, Interesting
    "long-term solution" hee hee ha ha *snort* [coke comes out nose] riiiight.

    Rightly or not, that Homeland Defense notice got some peeps in senior management a little spooked and asked our IT department to start making Firefox the default browser on all new systems they set up for employees.

    As a long-time Mozilla and Firefox user, I couldn't be happier. Whether it's the right reason or not, I couldn't care -- at least there's a hint at the IE domination trend slowing down a bit, and that is good for consumers.

  15. IE vs Mozzy by Anonymous Coward · · Score: 3, Interesting

    Microsoft may have won the browser-war in the late 1990's but at what cost???

    Mozilla/Netscape as of the last couple of years made fantastic progress and is definately now the better browser in both functionality, security and last but not least mozilla looks better to me and renders websites better too...

    M$FT should just throw in the towel on IE and reduce its function to Windows Update and able to download Mozilla/Netscape, (just make it a ftp downloader tool)

  16. It seems that ... by Hatfieldje · · Score: 3, Insightful

    One of the biggest complaints against MS is that they are slow to respond to user need, while quick to add profit-margin-stretching-even-though-the-user-does n't-want/need-anyway "features" (e.g. Clippy). So how is the /. community going to react when MS actually starts listening to the customer and adding true features like security, speed, efficiency?

    I've noticed over the past couple of months that there have been a few of opinions coming out. One is that it's too late for MS. They screwed the pooch years ago and their entire user base will end up jumping ship.

    Another is that this is nothing but a marketing ploy. MS isn't really changing their ideology, they're just making us think they are, so we're better off jumping ship.

    The other (my personal opinion) is that it's a welcome change. I will be glad when Windows becomes an environment that is as stable and easily configurable as linux. I love competition. It's what makes America thrive, and if MS can become competitive (again) in the eyes of /. geeks, just think about how much more time/effort will go into linux to make it even better. And, as for jumping ship, we'll have no need. But we may have a fleet comprised of MS, *nix/*BSD, etc.

    Kudos to MS for trying to fix their old mistakes, and hopefully in a couple of years, they'll have them fixed and we can really have an OS War!

    --
    for maximum effect, the preceding post should be read monotone and at a steady cadence
  17. Do people care? by taylortbb · · Score: 5, Informative

    Do people care about IE security problems? Most do actually, people just either don't know about the vulnerabilities or if they do they don't know there's anything that can be done.

    Everyone I know when I talk to them about how bad IE is, if they listen, switches to Mozilla, I switched my school's computers and those of atleast 60 others.

    People are listening now more than ever, its becoming so bad (atleast one a week) the mainstream media is even going "Another Internet Explorer vulverability has been found".

    All I tell people is that:
    1. Mozilla works faster
    2. It has a pop-up blocker
    3. It is immune to those once a week IE vulnerabilities
    4. You just about don't get spyware (and mention keyloggers). <---The Killer One And BTW, I use Firefox 0.9.2 (mozilla.org build for Linux/x86) and have never had problems with how /. renders.

    1. Re:Do people care? by pandrijeczko · · Score: 2, Informative
      since foxfire accepts cookies, you DO have spyware installed on your machine.

      Don't be a jerk and go read a book on the subject.

      Cookies are essentially passive data files that can be pulled by a web server to track what sites you've been to, who you are, etc - they need an interaction between a web browser and a web server to do anything.

      Spyware refers to an independent program that gets downloaded through a scripting hole or an email that runs as a task in Windows and "phones home" all manner of information about you to somebody somewhere. Deinstall IE and a spyware program will still be there running away merrily to itself.

      If you're stupid enough to manually run an untrusted program you've downloaded in Mozilla then that's the only way it will dump spyware onto your PC.

      --
      Gentoo Linux - another day, another USE flag.
  18. Best Quote From Story by CHaN_316 · · Score: 3, Interesting

    "Our users should have confidence that as long as they're running the latest browser with all the latest security fixes, they will have the most powerful and secure browsing experience." - Microsoft group product manager for Internet Explorer

    Yes they should have this powerful secure browser .... funny funny. Maybe they're talking about FireFox 1.0.

    --
    "There is no spoon." - The Matrix
  19. I simply HAD to switch to Firefox. by gpinzone · · Score: 2, Interesting

    It just got too scary for me when my whole PC got infested with spyware. It's true that I didn't have IE patched to the abosulte latest version. However, there's exploits coming out all the time and the time to patch is way too long. I'm glad I did switch and I doubt I'd go back. Firefox's popup filter does everything better than IE with the google toolbar. Adblock is the best comprimise (so far) for simplicity and effective ad blocking.

    I admit that the features in SP2 sound promising, but I'm already too comfortable with Firefox.

  20. Avoid IE by UMhydrogen · · Score: 2, Interesting
    The problem with security does in fact lie within Internet Explorer or many of the Office products. Most of the worms these days either take advantage of 1) Internet Explorer or 2) Outlook or Outlook Express. It should be Microsoft's duty to patch these holes as soon as their brought to our attention. It is nice to finally see Microsoft take a strong stance and release an out-of-turn patch.

    This should not surprise you though. As seen by the eventual release of Window XP SP2 you will see a new version of Windows that represents Microsofts new focus on security. Their goal is to make people aware that there are security risks and they must make an active effort to keep their computers up to date and patched. Windows Update will take a more active role and SP2 will include a Virus Program "checker" to make sure you are running some sort of virus protection.

    While many of you say that 90% of the Internet Explorer users aren't aware of the security problems, it is microsofts goal to make this aware. I wouldn't be surprised to see the number of unaware users quickly diminish. With all the news about the viruses and exploits, people can't be that dumb to just ignore them. While people may not do something now, when SP2 comes out I have reason to believe that people will begin to realize that they need to keep their computers patched.

    Upgrading to Firefox is also a start. While it blocks most of the ActiveX scripts which get exploited, it also provides many additional features, including popup blocking and more.

    It would also be nice to see Antivirus or firewall companies taking a more active role in advertising. Firewall programs like Kerio Personal Firewall monitor existing applications and notify the user when an application is trying to be replaced (for example during an upgrade). These firwalls prevent ad-ware and other programs from being installed without the user knowing (for example my roommate had "My Horroscope" somehow installed on her computer without her knowing, meanwhile Kerio blocked it from being installed on my computer).

    We're starting to see an age where more people are aware and more companies are making people aware of the security risks of not keeping an up-to-date computer.

  21. I thought the patch was released already. by oogoliegoogolie · · Score: 2, Insightful

    It's hard to keep up with what MS patch fixes which exploit, but I thought a patch for this was issued a few days after the exploit was discovererd. Am I confusing this with that that recent firefox run-shell bug?

    All these bugs are difficult to keep track of. It was so much simpler before the net. Virus scanner updates came once a month, windows updates came once a quarter or longer, and most of them were fixes for feature or performance bugs, not security updates. Now we have daily virus updates and each week half a dozen OS updates for serious exploits.

    Man I am starting to sound like an old fart.

    1. Re:I thought the patch was released already. by pandrijeczko · · Score: 4, Interesting
      It was so much simpler before the net.

      Not strictly true.

      The development of TCP/IP allowed the ARPANet to happen (which later became the Internet follwing commercialisation in the late 80s).

      UNIX-based servers formed the core of the ARPANet because TCP/IP has always been built into UNIX and UNIX was designed as a multi-user multi-platform network operating system.

      Microsoft assumed that the world would use their poor quality NetBIOS/LanManager protocols until the early 90s when they were forced to include TCP/IP support into Windows - that was after they almost ruined Novell by worming their way into using IPX/SPX networking protocols.

      In other words, a kludgy operating system had to be kludged even more to support TCP/IP. This is a legacy that has lived with MS since and while the support of TCP/IP has improved over the various Windows iterations, the fact is that the Windows architecture is not as suitable for Internet connectivity as UNIX.

      Everything in UNIX is designed for simplicity - one program doing one task. If you need a network service, just turn it on - if you don't, turn it off.

      Where UNIX has a weakness is the security model because, in ARPANet days, information was open and there was no need to secure servers. However, that has improved a thousandfold over the years with features like shadow passwords, better authentication models and secure protocols. The simplistic security model of "you, those you trust and the rest of the world" now works to it's advantage because it's very easy to apply to a system - the difficult part is knowing all the potential holes to apply it to that can only come from experience.

      If Windows was not an Internet OS today, we would still have crackers and security exploits on UNIX. However, there would be less of it because fewer crackers would be clever enough to break into a UNIX system and whilst there might be the occasional worm program, email viruses simple would not exist.

      --
      Gentoo Linux - another day, another USE flag.
  22. Re:Firefox has more holes? by Fuzzums · · Score: 3, Insightful

    bugs != hole.

    - user profiles are a mess!
    - Crash triple-clicking on textbox during page load.
    - TestCookie crashes in NSPR logging
    and so on, and so on.

    What am I missing in the big bug-list? Hmmm. Remote exploits, security holes, javascript exploits, Active-X exploits.....

    And - Clipboard does not work - can hardly be seen as a critical bug. It's a feature ;)

    --
    Privacy is terrorism.
  23. Firefox vs. IE by bannerman · · Score: 2, Informative

    I have problems viewing PDFs with Firefox. If I open more than one at a time I almost always wind up watching Firefox crash and burn. I think it may have to do with the fact that I have Acrobat, not just Reader. I'm not sure. I can't reproduce it all of the time, but it's very frustrating when I'm in the middle of a good slashdot thread and everything goes bye-bye. Crashes suck. I still prefer to use Firefox, though.. I'd rather crash once in awhile than spend my morning trying to remove VX2 or something of that nature.

    --
    I keep forgetting my place. Jesus is for losers. Why do I still play to the crowd?
  24. Re:beige by threephaseboy · · Score: 4, Informative

    theres a better way. change the url from it.slashdot.org to just slashdot.org
    or whatever.
    example:
    http://it.slashdot.org/article.pl?sid=04/07/29/175 1213 turns into
    http://apple.slashdot.org/article.pl?sid=04/07/29/ 1751213

    --
    .
  25. Why does everyone thing Firefox is "winning?" by NitroWolf · · Score: 5, Insightful

    I've been contemplating which thread to post this to, so I'll post it here.

    Why does everyone thing we're "winning" against Microsoft/IE with Mozilla Firefox? It's not that we are winning, it's that Microsoft isn't playing anymore.

    There's no reason for them to have the dominant browser on the market anymore, and one HUGE reason for them to explicitly NOT have the dominant browser. Their DOJ investigations focused, in part, on the fact that IE was bundled with Windows and thus constituted a monopoly. However, if Microsoft now lets IE flounder and lets Mozilla (or another browser) become dominant, they have a huge lever to use against any future DOJ or legal inqueries. They can then say they aren't a monopoly, as another browser is dominant.

    And why not? There's no money to be made on IE - it's strictly a resource drain. They don't make a single dime from it... why pay someone to keep IE up to standards, when they can get the whole Open Source community to do it for free - in the form of Mozilla.

    Stop and think about it for a moment, there's absolutely NO reason for MS to have the dominant browser any longer... there's no financial or legal advantage to it. A browser is effectively a commodity, and anyone developing one is going to have to expend resources to do so - with no return on that investment. Thus, Microsoft's only real logical conclusion would be to let IE slowly fade away, it solves not only the money/resource drain, but also protects them from further DOJ inquiries.

    So Firefox isn't winning, exactly... Microsoft just took their ball and went home, because the game had no point for them anymore.

    1. Re:Why does everyone thing Firefox is "winning?" by pandrijeczko · · Score: 2, Insightful
      This isn't about winning in terms of more users using Firefox than IE - that's irrelevant because Open Source is not about smashing Microsoft to a pulp but ensuring everyone has a choice.

      If MS release a patch that unwelds IE from the rest of Windows into an independent browser (thus closing the major security holes in it) and makes it fully HTML/XHTML standards compliant, that would be good enough because then every web site would also have to be standards compliant and we could all browse all web sites no matter what OS or browser we are using.

      --
      Gentoo Linux - another day, another USE flag.
  26. Re:So what by pandrijeczko · · Score: 3, Interesting
    Firefox has to impress me on its own merits if they want my loyalty

    Please post your home address on Slashdot and we will ask the Firefox programmers to come over to your house and give you a personal demonstration. If they deliver the demonstration as a singing barber's shop quartet, will that impress you?

    Is there any particular night of the week that's better for you?

    Nobody, least of all the OSS "philosophers" give a damn about your "loyalty".

    It's software, it's free, it's there but it's up to you to get off your butt and try it for yourself.

    --
    Gentoo Linux - another day, another USE flag.
  27. Users are still users by AceyMan · · Score: 2, Insightful

    It became apparent to me that unless we techs educate (not proselytize) the method for `safe computing`, we are doomed.

    This is much akin to how the CDC, HHS, etc, try to teach the public about safe sex. We have to make it appear important (because it is vitally so), but cannot risk alienating our audience for that very reason. Similar to sex-ed, if you have a weak link in your method, you're effed.

    I worked on a user's PC this week that had current AV software, 2 different malware scanners, and was free of junk/popup software. Good, right? Oh, but he didn't have a SINGLE Microsoft patch on the system (it was XP Pro, box stock, pre SP1). Clearly, even though he was better then the average user, he missed critical knowledge about `Safe Computing`.

    These are the kinds of hurdles we face before we can have any success on the desktop (as we know it now = largely Windows(TM)).

    --
    -- Experience is a wonderful thing. It enables you to recognize a mistake when you make it again.
  28. *yawn* Are the security-consciou still using IE? by HSpirit · · Score: 2, Informative

    I mean, seriously, if you're concerned about on-line security, there are a plethora of alternatives about, so this news should be a non-event.

    Ours is a small office, gtanted, but I've installed Mozilla 1.7 (and 1.6 before that, and Netscape 7 before that) on all the PCs (Windows/Mac), made it their default browser, and upped security on IE's Internet Zone so that all active content is blocked.

    Following this, I emailed (and followed up with personal explanation) the following advice:

    1. Use Mozilla as your first browser of choice. Nine out of ten times the site will work just fine.
    2. If the site appears to be not working, try it in Internet Explorer.
    3. If the site still doesn't work, even in Internet Explorer, email me the URL and I will add it to the 'Trusted Sites' zone - this should allow it to work in Internet Explorer while maintaining our network security.

    Given that the majority of serious web developers seem to be mindful of cross-browser support (if not standards compliance outright) these days I am somewhat bemused that any security-minded organisation still insists on using IE.