Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft to Issue Out-of-Cycle Patch for IE

Posted by CmdrTaco on from the download-reboot-repeat dept.

rsw writes "Microsoft will be breaking their normal patch cycle and issuing a patch for the Download.Ject attack (a.k.a. Scob). They claim that the forthcoming patch will be a "long-term solution to the core vulnerability" exploited by Scob." Note that this does not mean that they are replacing IE with FireFox.

26 of 391 comments (clear)

  1. The mounting pressure by Mz6 · · Score: 4, Interesting

    Seems as though all of the exploits coming out against IE has finally got to them. I've counted about 5+ just from the Full Disclosure and BugTraq mailing lists in the past few weeks. All of them different in nature of thier attacks.

    --
    Hmmm.
    1. Re:The mounting pressure by EnnTeeDee · · Score: 5, Insightful

      "Our [Microsoft IE] users should have confidence that as long as they're running the latest browser with all the latest security fixes, they will have the most powerful and secure browsing experience," Hachamovitch said.

      Umm, yeah, we should (in a perfect world) be able to have confidence that the biggest software company on the planet puts out the best product. But Microsoft is too big and juicy a target to inspire confidence.

      We also should be able to trust our elected leaders to be able to spend our tax funds wisely, but I'm not holding my breath on that either.

  2. Wow by Anonymous+Crowhead · · Score: 5, Insightful

    The released a patch when it's needed, not when it's scheduled. How novel.

    1. Re:Wow by chrisgeleven · · Score: 5, Informative

      Except this patch was needed a few weeks ago (and the exploit if I remember right has been known for months).

    2. Re:Wow by EtherAlchemist · · Score: 5, Insightful

      I'm only playing devil's advocate here, but it's possible (likely?) that Microsoft suffers from internal politics, like many other software companys, that actually work against the process.

      I work for a software company where fixes to bugs on live products are held up for weeks and months on end while managers seek the person to blame, assign blame, come up with a plan to make the fix, revise the plan to include 8 other random and unrelated things they want to fix, slap them into one rollout that will now require 6 developers on 3 teams and 4 QA guys who will follow the spec to the letter (even if it is mispelled) and file 200 new bugs. This cycle goes on for a month or so and by the time the fix is released, a dozen other problems have surfaced and been deemed not important enough to fix now. Afterall, we just had a hariy cycle trying to get the last fix out.

      Now, the way it should have gone: Identify the problem, design a fix, make the fix, test the fix, deploy the fix. Days, not weeks or months.

      --
      R(k)
    3. Re:Wow by Q2Serpent · · Score: 4, Funny

      who will follow the spec to the letter (even if it is mispelled)

      It happens to the best of us :)

  3. Firefox by FortKnox · · Score: 4, Interesting

    Note that this does not mean that they are replacing IE with FireFox.

    Good, cause firefox has render problems on slashdot all the time (where as IE doesn't). I don't think its firefox, either, cause it doesn't happen on any other site I go to.

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    1. Re:Firefox by AliasTheRoot · · Score: 4, Informative

      /. doesn't exactly produce the most compliant html...

      however I've never had any problems with the site using firefox.

    2. Re:Firefox by hattig · · Score: 5, Interesting

      I think it is a problem with Firefox. I've noticed that it happens a lot on table layout pages, especially large ones. Livejournal can have the same problem.

      Basically it guesses widths of table cells/columns at some stage, then sticks with them as more of the page loads, and doesn't compensate for the new contents, which may include more tables, which will then overflow other elements on the page. Well, it is something like that. I think it could be solved by merely re-formatting the page after it has fully loaded ... although the simple Resize Font trick fixes everything anyway (ctrl+mousewheel)

    3. Re:Firefox by hattig · · Score: 5, Interesting

      What is sad is the multitudes of fixed HTML examples that Slashdot readers keep coming up with, but still haven't been used even though I remember some of them being done a year ago!

  4. Does anyone use IE anymore? by AngryScot · · Score: 4, Interesting

    and if they do why?

    I mannaged to get my work to use fireFox after showing them a /. thread about it

    --

    All spelling mistakes are due to solar flares...honest

    1. Re:Does anyone use IE anymore? by ErichTheRed · · Score: 4, Informative

      The problem I found is that a lot of web apps are coded for IE's "extensions" that don't translate over to Firefox. We have a few internal apps at work like that, but there are public examples too. E.g, my power company paid some contractor to put together an online bill pay system for them, and obviously they're not interested in fixing it. Open the page in IE, and it works fine. Open it in Firefox, and you get a blank screen.

  5. I've migrated ove... by Ratchet · · Score: 4, Interesting

    ...the most finiky of users, my Mom, to Firefox without her even knowing it. Now if Dad would stop playing Solitaire long enough for me to get at his computer then I'd de-IE him as well.

  6. Slashdot by john_smith_45678 · · Score: 4, Funny

    ...where I come for all my MS IE patch news.

    --
    John Kerry is a Joke!
    1. Re:Slashdot by LilJC · · Score: 4, Insightful
      Parent has been modded funny, but I think a lot of us do.

      I've walked into work before with the owners complaining of not being able to get to half the web sites they like to peruse and hit slashdot to see what's up. Half the time I'm back in 20 seconds with an satisfactory explanation about a recent or in-progress attack.

      Of course, I have to (for the umpteenth time) explain to my boss/CEO that I can't fix other peoples' servers, only ours. Wish I could at least get that guy to remember how a sort works in Excel.

      --

      The only thing more dangerous than a file named -rf is renaming it -rf\ /
  7. Re:Firefox is not the answer. by kid_wonder · · Score: 5, Informative

    I disagree. I use firefox for just about everything; online banking, online account management, etc. Every once in a while I need to open up IE to view a flash animation or some other stupid site that uses ActiveX - but at that point I know what they are trying to do and can establish the risks of going to it in IE.

    btw, regarding all these /. problems, for some reason I get this render problem intermittently, but a simple reload typically handles the problem.

    --

    "Oh, you hate your job? There's a support group for that, it's called everyone, they meet at the bar."
  8. Long-term solution? by RonnyJ · · Score: 5, Insightful
    They claim that the forthcoming patch will be a "long-term solution to the core vulnerability" exploited by Scob."

    So, are their patches normally NOT long-term solutions to vulnerabilities then?

  9. Re:Firefox is not the answer. by PeteQC · · Score: 5, Informative

    There is a lot of "broken" sites that won't be right in IE when Microsoft will release it's SP2 for XP with a lot of added security to IE.

    Pop-up won't show, and all the non-correctly defined elements won't show right neither. So, maybe finally the webmasters will correct their sites.

    --
    Montreal - Best city to live in!
  10. Remove need for patching...by removing IE. by The+Fifth+Man · · Score: 5, Informative

    Build a CD of Windows 2000 without IE (or Outlook, etc. etc)

    Build a CD of Windows 2k, XP, or 2k3 without IE (or Outlook, etc. etc)

    Download an IE removal program for Win2k

  11. My organization just dumped IE for Firefox by gearmonger · · Score: 5, Interesting
    "long-term solution" hee hee ha ha *snort* [coke comes out nose] riiiight.

    Rightly or not, that Homeland Defense notice got some peeps in senior management a little spooked and asked our IT department to start making Firefox the default browser on all new systems they set up for employees.

    As a long-time Mozilla and Firefox user, I couldn't be happier. Whether it's the right reason or not, I couldn't care -- at least there's a hint at the IE domination trend slowing down a bit, and that is good for consumers.

  12. Re:Is there something wrong with me? by GigsVT · · Score: 5, Informative

    My wife was infected by spyware by simply visiting a site that was an etrade affilliate site (they were offering a free PDA if you opened an etrade account).

    She told me at the time the only difference between her computer and her friend that sent it to her was that she had Sun Java installed and he didn't. He didn't get infected and she did.

    This was several months ago, she searched and didn't find any exploit info about it.

    A couple days ago she found the exact exploit she had encountered on a vulnerability list, a combination of Sun Java and an IE bug cause a certain vulnerability.

    So you might think you are safe, but how many "zero day" or unknown exploits, such as the one my wife got infected by spyware via are out there?

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  13. Do people care? by taylortbb · · Score: 5, Informative

    Do people care about IE security problems? Most do actually, people just either don't know about the vulnerabilities or if they do they don't know there's anything that can be done.

    Everyone I know when I talk to them about how bad IE is, if they listen, switches to Mozilla, I switched my school's computers and those of atleast 60 others.

    People are listening now more than ever, its becoming so bad (atleast one a week) the mainstream media is even going "Another Internet Explorer vulverability has been found".

    All I tell people is that:
    1. Mozilla works faster
    2. It has a pop-up blocker
    3. It is immune to those once a week IE vulnerabilities
    4. You just about don't get spyware (and mention keyloggers). <---The Killer One And BTW, I use Firefox 0.9.2 (mozilla.org build for Linux/x86) and have never had problems with how /. renders.

  14. Re:Firefox is not the answer. by gnu-generation-one · · Score: 5, Insightful

    "Firefox is not an acceptable replacement for IE for 90% of the users out there so I really think we could have done without the snide comment."

    Huh?

    Microsoft Internet Explorer isn't an acceptable browser for 90% of the users out there.

    Nevermind your "snide" assertions about the websites that don't work, people are getting owned here. It's a serious problem. It's the spam problem and the virus problem and all the tech support problems, all stemming from this one application that's so insecure that everyone, from DHS to MSN themselves recommend getting rid of it immediately.

    If your favorite website doesn't work in a generic web-browser, get them to fix it, or get a new supplier. Even the banks have got HTML websites now.

  15. Re:I thought the patch was released already. by pandrijeczko · · Score: 4, Interesting
    It was so much simpler before the net.

    Not strictly true.

    The development of TCP/IP allowed the ARPANet to happen (which later became the Internet follwing commercialisation in the late 80s).

    UNIX-based servers formed the core of the ARPANet because TCP/IP has always been built into UNIX and UNIX was designed as a multi-user multi-platform network operating system.

    Microsoft assumed that the world would use their poor quality NetBIOS/LanManager protocols until the early 90s when they were forced to include TCP/IP support into Windows - that was after they almost ruined Novell by worming their way into using IPX/SPX networking protocols.

    In other words, a kludgy operating system had to be kludged even more to support TCP/IP. This is a legacy that has lived with MS since and while the support of TCP/IP has improved over the various Windows iterations, the fact is that the Windows architecture is not as suitable for Internet connectivity as UNIX.

    Everything in UNIX is designed for simplicity - one program doing one task. If you need a network service, just turn it on - if you don't, turn it off.

    Where UNIX has a weakness is the security model because, in ARPANet days, information was open and there was no need to secure servers. However, that has improved a thousandfold over the years with features like shadow passwords, better authentication models and secure protocols. The simplistic security model of "you, those you trust and the rest of the world" now works to it's advantage because it's very easy to apply to a system - the difficult part is knowing all the potential holes to apply it to that can only come from experience.

    If Windows was not an Internet OS today, we would still have crackers and security exploits on UNIX. However, there would be less of it because fewer crackers would be clever enough to break into a UNIX system and whilst there might be the occasional worm program, email viruses simple would not exist.

    --
    Gentoo Linux - another day, another USE flag.
  16. Re:beige by threephaseboy · · Score: 4, Informative

    theres a better way. change the url from it.slashdot.org to just slashdot.org
    or whatever.
    example:
    http://it.slashdot.org/article.pl?sid=04/07/29/175 1213 turns into
    http://apple.slashdot.org/article.pl?sid=04/07/29/ 1751213

    --
    .
  17. Why does everyone thing Firefox is "winning?" by NitroWolf · · Score: 5, Insightful

    I've been contemplating which thread to post this to, so I'll post it here.

    Why does everyone thing we're "winning" against Microsoft/IE with Mozilla Firefox? It's not that we are winning, it's that Microsoft isn't playing anymore.

    There's no reason for them to have the dominant browser on the market anymore, and one HUGE reason for them to explicitly NOT have the dominant browser. Their DOJ investigations focused, in part, on the fact that IE was bundled with Windows and thus constituted a monopoly. However, if Microsoft now lets IE flounder and lets Mozilla (or another browser) become dominant, they have a huge lever to use against any future DOJ or legal inqueries. They can then say they aren't a monopoly, as another browser is dominant.

    And why not? There's no money to be made on IE - it's strictly a resource drain. They don't make a single dime from it... why pay someone to keep IE up to standards, when they can get the whole Open Source community to do it for free - in the form of Mozilla.

    Stop and think about it for a moment, there's absolutely NO reason for MS to have the dominant browser any longer... there's no financial or legal advantage to it. A browser is effectively a commodity, and anyone developing one is going to have to expend resources to do so - with no return on that investment. Thus, Microsoft's only real logical conclusion would be to let IE slowly fade away, it solves not only the money/resource drain, but also protects them from further DOJ inquiries.

    So Firefox isn't winning, exactly... Microsoft just took their ball and went home, because the game had no point for them anymore.