Slashdot Mirror
Microsoft To Provide IE Patches for Windows XP Only
Fortunato_NC writes "Microsoft has decided that future IE updates, including those related to security, will only be available to customers using Windows XP. This news.com article has the complete scoop. A choice quote: 'Microsoft may be turning the lemons of its browser's security reputation into the lemonade of a powerful upgrade selling point.' This should provide a huge boost to Mozilla and other alternative browser backers."
Then they'll come back in a couple of days/weeks and say that "our business customers are unhappy with this decision" and decide to extend the patches through the end of 2006.
I don't see this as anything but GOOD news for the alt browser market.
;)
I have already moved all my customers off IE and onto firefox and have received NO complaints as of yet, actually they are like wow I don't seem to get any more of those pop up ads, you're a great admin...
Microsoft continues to shoot them selves in the foot in the area of security. I thought they wanted to keep their market share, I guess the greed is getting to them.
-=Linsys=-
http://www.intrusionsec.com
This sounds like microsoft. But you know they'll just say they are going to do give them out anyway until 2007 or something like they always do.
/. rendering left side.
The summary says that it will boost browsers like Firefox, but I highly doubt it. I don't know that many people who aren't already on Windows xp, but the plain fact is, plenty of people browse websites that can ONLY be viewed properly in IE. I hate it. You hate it. But the fact is, people need to put more pressure on webmasters to create standards-compliant websites.(AHEM SLASHDOT) COUGH COUGH
Chris
Well, my 6 employee company has standardized on W2K. We've been testing Firefox for the past month, and with the exception of a few IE specific apps, we'll be staying with Firefox now.
I don't respond to AC's.
Though I must admit, there is some trepidation at the alternative browser approach. Just because the browser isn't used to, say, view webpages, doesn't mean a downloaded jpg (for example) won't be automatically opened in IE (for various reasons). Unless IE can actually be physically uninstalled easily and quickly, the threat still remains.
Not that I'm saying you shouldn't use an alternative browser, it's just that the potential for harm is still there as long as the security hole remains present. And it worries me.
Really, how many reasons do people need to switch to another browser before they do it?
I know a LOT of really intelligent, well educated people, many of whom are programmers or use linux in a server environment, who still use IE / Outlook [Express] on their desktops.
That is just begging for it.
I tell them over and over again the risks, and they still stay where they are. Ironically, complete neophites switch over as soon as I tell them about Firefox / Thunderbird.
I guess the meek really will inherit the earth.
Lose Weight and Feel Great with Isagenix
This should provide a huge boost to Mozilla and other alternative browser backers.
Even if people switch to a different browser IE is still installed on the machine and vulnerable to attacks without the security 'updates' in SP2.
So even though you've installed a much more secure 'door' (Firefox, etc) your backdoor is still just as wide open.
Since MS decided to 'combine' the browser into the OS they should be required to support ALL of the OS with their security fixes.
People in cars cause accidents....accidents in cars cause people
"couldn't a corporation hold microsoft liable for damages incurred to an unpatched system"
If that where the case people would be sueing microsoft for worms, holes, vulnerabilites etc... Most worms that have been written where created due to security problems Microsoft knew about MONTHS if not Years before the problem ever surfaced.
Don't get me wrong I would love someone to try it, but I don't see that happening.
-=Linsys=-
http://www.intrusionsec.com
We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows
Seeing as IE isn't apart of windows (wasn't that part of the anti-trust agreement?), shouldn't I be able to D/L the latest and greatest version of IE (with patches already included) from MS??
When asked about IE's origin as a free, standalone product, the representative said, "You're talking in software terms that might be considered ancient history."
Oh, I see... the settlement is ancient history....
I can see them only including it in windows update for XP only, but not giving out the latest and greatest as a standalone product? Bad move.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
So, if there's a safety problem with my 1998 Ford Contour, do I have to upgrade to a 2004 Ford in order to have it corrected?
This sounds more like a marketing move combined with laziness.
There's no licensing agreement that says MS has to provide any patches. Legally, MS can sell you Windows and never offer any patches for it at all.
I hate liberals. If you are a liberal, do not reply.
While they might stop patching everything but XP, the text you cite does not say that. Nor does it even imply it. They're only specifcally saying that SP2-related security enhancements will not be delivered to any other version of windows, until longhorn comes out sometime in 2014.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
-
"Microsoft is not using security issues or any security situation to try to drive upgrades," said a company representative. "But it only makes sense that the latest products are the most secure."
Well yes that's true but it's also true that a large portion of the zombie PCs out there spewing spam, viruses, worms and DDoS attacks are NOT running the latest product from Microsoft. Effectivly Microsoft's saying "well we'll concentrate on security only in a future sense." Bet that once Longhorn finally arrives XP will stop getting security patches shortly thereafter.Frankly we can only hope that there's enough big business clients that have "legacy" Windows OSs that will raise holy hell with Microsoft on this. Otherwise we can expect the situation with compromised machines to not get any better. It seems most of the people with badly compromised PCs don't even try to get them fixed until they finally grind to a halt, they're not likely to be upgrading to XP anytime soon.
I think the confusion is that the article says the recent security ENHANCEMENTS wouldn't be provided to anything but XP. This means no pop-up blocker/firewall/{insert service pack 2 goodie here} for Win2k or below.
They are not saying that they're going to stop making hotfixes for the older versions. Windows 2000 is still officially supported...just don't hold your breath for a pop-up blocker.
The key word in that quote is "Improvements"... I see that as tools to help you stay secure, not security patches.
There's a difference between giving the user a firewall (improvement) vs giving the user a patch in a security flaw in the OS (patch).
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Squatting on your old customers and letting a burst of yellow water go.
Why? Because IE upgrades themselves drive other upgrades for Microsoft products. For the vast majority of people, nonIE choices simply aren't an option, particularly for users wanting to use the Windows Update site. (Yes, I know that you can use the Mozilla Firefox extension for Windows Update, but my point is that many people don't)
Windows Update is actually usable now -- something I never thought I would have seen only a few years ago.
I understand that MS has to draw the line somewhere; I understand that MS has to support a huge array of old code; I just wish they would be a touch more responsible about it.
I have been dealing with this exact issue all this week for various clients, and I really wish I could just simply get them all to move off Windows permanently. Wishful thinking...
========================================
Death will come, and will have your eyes
-- Pavese
I see its the last alt browser mentioned.
Does anybody use it. Does it have something that other browsers don't. Its it written in Java?
It makes complete sense.
Ford is including OnStar in lots of its vehicles. They haven't showed up to install it in the 1978 Ranger I use to tear around in the fields.
Slashdot, in it's "we hate MS" fervor has resorted to all-out bullshit. They lie worse than MS's marketting department.
I don't need no instructions to know how to rock!!!!
Everything is eventually motivated by money: MS figures that this calculated move will cause 1) fence-walkers to take the plunge and upgrade to XP and/or 2) allow them to focus their efforts on IE on one platform only. However, there still are many corporations that are trying to hold back due to the time and expense needed to upgrade. For most people, this is a way to get alternative browsers like the recently released Firefox 1.0pr in the door. As long as Firefox remains popular, the OSS community won't abandon it - one leg up that it has on MS. All we need to de is bide our time and wait for the masses to come onboard.
The EULA doesn't trump basic consumer protection law.
BTW, I'm a liberal. Suck it!
Ok, so let's say that all the biggest car manufacturers in the world (that would be Microsoft) welded their hoods shut (closed source).
I have my very nice 1969 Mustang soupped up and taking me every place _I_ need to go. Then we find out that the fuel pump has a problem with it that could cause a tremendous fire or explosion.
Now I have to go to the dealer as they're the only one that can do work on the car, purchase a 2004 Mustang to prevent my car from potentially exploding and causing serious damage to myself and others _and_ I have to pay them for the new car?
I don't think so.
IANAL
Not many people are.
but couldn't a corporation hold microsoft liable for damages incurred to an unpatched system
They could try, but they would probably fail. Others have tried, and failed.
1. First off, with a security flaw, you need to be exploited to suffer damages. In a court case it will be easy to argue that MS shouldn't be responsible because even though they made a flawed product there was an overt criminal act involved that trumps their involvement. For example, if a car manufacturer makes cars with easily defeated locks, or locks that sometimes don't work, can the owner of the car sue the car company for damages if the car is stolen? They could try, butit probably won't get far just on that argument.
2. Second off, in liability cases you have to do your honest best to mitigate your exposure to loss. If I buy a product, and later am notified that is defective, it is my obligation to act appropriately. That may include stopping to use the product. In this case, it may mean active content filters, firewalling, security zone changes, etc.
3. Finally, many industries are exempt from liability in certain cases. For example, auto-manafacturers do not have to recall cars after a certain age. It doesn't make sense for the government to require Chevy to recall the remaining 1976 S-10's because of a latch that might go dangerously bad at 200,000 miles. Microsoft would have a good claim that Win2k and earlier is the equivalent of that outdated pickup truck. You drive that old pickup at your own risk. Windows XP is running on well over half of all Windows machines now. That percentage is getting bigger and bigger. Soon it will be 66%. At what point is it okay to stop supporting a product?
One last point. It may be tempting to say that MS should be liable for exploited systems. That is a bad road to go down. If all of the sudden liability is assignable to software makers because of exploits like this, the whole software world has a major problem.
Software liability could be exactly the tool that MS wants to destroy Linux in the business world. If an individual writing OSS software new that any possible flaw they introduced coul cost them everything they own you can bet that the number of checkins to Sourceforge will drop drastically. Companies like MS will be able to whither the storm. They'll force everyone to use only signed binaries. Machines will become locked down to the Nth degree, and proprietary will be back in. Every software vendor will force their users to run approved-only configurations. It'll be like the mainframe days of the 70s and 80s only worse. Companies like MS can afford to buy the liability insurance and the lawyers to hold on. Meanwhile, the Mozilla foundation will flounder and die.
Software liability is a bad, bad, bad, bad idea for the entire industry, but absolutely deadly for Linux and FOSS in general.
I have four letters for you: E U L and A.
Be interesting to see if this, finally, gets them tested in a court of law. Problem is, and much as a despise them, it would do an awful lot of damage to the software industry if they weren't upheld.
Bad analogies are like waxing a monkey with a rainbow.
"couldn't a corporation hold microsoft liable for damages incurred to an unpatched system"
/. I can assume your general feelings regarding this subject but please do not forget the law of unintended consequences resulting from such a move. [HINT: Think beyond Microsoft being sued here] It would be a two way street instead of situational ethics.
Don't get me wrong I would love someone to try it, but I don't see that happening.
Since this is
BSD is designed. Linux is grown. C++ libs
A lot of product documentation is in HTML these days, often with foolish javascript/ActiveX menus, index etc.
Having a functional browser on your server is not completely insane, especially in a small shop.
I fail to see how Opera is a viable choice considering that Mozilla and Safari are free (as in beer).
I'm being completely serious here mind you. Opera will fill a niche market, but that is how Netscape "died". Internet Explorer was free, and un-bundled in the beginning. Being a Microsoft product it was favored by the masses.
Now that Mozilla is gaining word of mouth marketshare it will again be the standard. Opera will not last long, all IMHO.
After all, how many people want ads IN their browser.
Get your Unix fortune now!
All I see is this gives Google even more incentive to roll out their Gbrowser even sooner. M$ great job at shooting yourself in the foot... again... "Nobody will ever need more than 640k RAM!" -- Bill Gates, 1981
Timing couldn't be better. Until the end of the year, we'll have Firefox 1.0 ready. A Brazilian Portuguese version should be ready not long after. I'm happy with this, because I work as a network admin in a public school in Brazil, and this situation will enable me to mandate a no-IE policy in our LAN. We only have licenses for Windows 2000, therefore we aren't eligible for IE updates. IE6, by itself, is already dangerous, despite the fact SP2 is a step in the right direction. But an unmaintained IE6 is nothing but trouble, and I think it will be easy to convince the school's principal of this. I foresee this happening in many other places, now.
Thunderbird is my next target, I'm eagerly waiting for a full-feature, almost-no-bugs release. I had some trouble this week with some recalcitrant Outlook Express users and viruses, and I already managed to convince them to change the e-mail client. You can use good arguments to convince them, but downtime can usually be even stronger than your arguments. ^^
My neighbor's
problem here is, IE shoud _NOT_ be considered part of the OS, and as such it should be supported as a standalone product, no matter what microsoft says.
What ? Me, worry ?
Now that IE patches are going to stop users of outlook (aka enterprise) on win2k will have to switch unless they want to get 'auto infected' by viruses. While people may switch to foxfire for browsing, switching away from outlook will be very difficult for enterprise users. Note: You will always have the idiot who will click on an attachment.
Believe me, if I started murdering people, there would be none of you left.
Man, you people are gullible.
Microsoft has said that they will not make IE6 SP2 available for older versions of Windows, not that they won't provide security patches.
Generally speaking, I don't criticize the Slashdot crew because they have enough story submissions to read through that things will slip past, but this is ridiculous. Microsoft has committed to several more years of Windows 2000 support, and there are still a couple of years left on Millenium. Because they view the browser as part of the OS, it would be asinine to think that they would patch XP's IE and leave the older ones to sit where they are now.
You can never go home again... but I guess you can shop there.
Care to show some proof of this directly from Microsoft? I know this is true for a 'downgrade', but Microsoft isn't stupid enough to sell you a Win2k for XP, are they?
When you get to hell -- tell 'em Itchy sent ya!
your logic isn't 100%. Microsoft has a share of the market that affects users to a much higher degree than does Linux or Macs. Macs are rarely used for internet edge type applications like web servers, and let's be honest -- if Linux ran as an internet edge with 1.x versions... they would be just as bad as MS is now.
A *lot* of companies still run NT4 as their web servers and I agree, there should be an end of life for those servers entirely, as IT has an evolving cost and also helps to increase innovation in areas inside IT, by using more cutting edge technology. However, the example of Windows 2000 being pushed out is ludicrus, because many companies still use it widely since the difference between that and XP are few and far between.
The price is always right if someone else is paying.
Unfortunately, I don't think it will. I work for a small business (a Microsoft partner) which provides IT services for other small to medium sized businesses. We provide both solutions and support. If we chose to use a non-microsoft product, we loose tens of thousands of dollars in support. No viruses, worms, spyware, hijacked browsers == no money.
It seriously bothers me, but I would argue that the strength Microsoft has is not in providing well written software, but providing poorly written software prone to exploits.
Not to mention that if you're a dev with a bigger than 2-way SMP box (say 4 CPUs, for example), you *MUST* have W2KServer or better. XPPro and 2KPro support only 2 CPUs.
The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
It's kind of like how Ext2 is a big favorite even though there are all these clever new FSes. The maintainers never said "Hey, we're done. Upgrade to Ext3 or a journalized FS."
Less so if it only applies to software which is sold--a commercial Linux vendor would be liable, but Joe Developer who writes that email client and doesn't charge for it would be okay.
Ph-nglui mglw'nafh Gates M'dna wgah'nagl fhtagn.
Microsoft states:
"We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows," the company said in a statement.
SlashDuh gurgles:
Microsoft has decided that future IE updates, including those related to security, will only be available to customers using Windows XP.
Slashdot generating it's own FUD now?
There are two different things that are being confused in the news.com article, the slashdot article and the slashdot comments: 'security patches' and 'security enhancements' lets call them.
'Security patches' are bug fixes to solve problems in the browser. These are needed to have a secure browser. They are not new features. The 'security patches' will continue for other versions of Windows.
news.com: Microsoft promised "ongoing security updates" for all supported versions of Windows and IE. and The ongoing security updates do not, as Microsoft points out, include the latest security fixes with Service Pack 2, released last month.
The 'security enhancements' are the new features added to IE in XP SP2 such as pop-up blockers. There are new useful features--nice to have, but the products still works without them. The security enhancements are only going to be available in XP.
from news.com: Microsoft this week reiterated that it would keep the new version of Microsoft's IE Web browser available only as part of the recently released Windows XP operating system, Service Pack 2.
The security enhancements are important though and there absence will be felt by those who use IE:
news.com: And it's those more substantial changes, rather than the bug fixes that come with routine upgrades for supported products, that security organizations have lauded for addressing IE's graver security concerns.
For me, it's all academic. I've been using Firefox/Firebird/Phoenix/Mozilla since Mozilla 1.2 and I used Netscape before that. I've never used IE as my main browser.
Software protection only gets you so far. We need hardware protection too. We've got a number of old machines that were originally running NT 4, which are now running (slowly) windows 2000. XP has even higher system requirements. The systems are already maxed out on the RAM that the motherboards can handle. XP won't work. It would utterly kill those machines. So MS is trying to force folks not only to upgrade their software, but their hardware as well.
Be very scared. If this trial succeeds, you'll be forced into the Microsoft upgrade schedule for everything, instead of upgrading on your own schedule.
I don't upgrade operating systems because my old computer won't even run the modern OS well. WinXP would take nearly 2/3's of my maxed out 384MB just to load itself. I'm stuck with what my hardware can handle.
It is in the best interests of all of us that Microsoft does not succeed in this!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
These enhancements are totally separate from security holes. Microsoft has committed to supporting Windows 2000 with hotfixes until 2010. Read it straight from Microsoft:
http://support.microsoft.com/default.aspx?scid=fh; [ln];LifeWin
Back in the days when Mozilla wasn't a great performer, lots of /.'ers would say stuff like, "if IE's a free download, why should I use this crappy Mozilla stuff". Well, now you know why.
It was only a matter of time before MS decided to tie browser upgrades to OS upgrades. After all, for a large portion of users, the browser's the only app they use. With their ill-gotten browser semi-monopoly, why wouldn't MS force you to buy an OS upgrade to get a new browser. DOJ? Not this DOJ.
Sounds like as good a reason as any to separate the browser from the OS. After all, this side-effect of bundling can't possibly be regarded as beneficial to consumers, and consumer benefit was the only defense they could come up with for exempting their bundling from antitrust regulations.
Posted from my Android phone. Oh, I can change this? There, that's better...
Is MS going to let IE in the Win2k server series go unpatched then?
Sounds like a r00ting waiting to happen.
Is Capitalism Good for the Poor?
Here's what you can tell them:
"Firefox is what you get when people get together for the purpose to write the best possible software, rather than to make money."
This usually conveys the message pretty well, I found.
-- B.
This sig does in fact not have the property it claims not to have.
Secondly, we are in an academic setting. I'm not being 'stupid' as you so kindly put it. We simply don't have the cash. We run SUS server, etc, to push out patches, so wasting the admin time isn't that huge of a deal.
Windows 2000 machines are quite adequate for most desk jobs. Forcing an upgrade is silly when the machines are working fine as-is and don't require that much maintenence. And as for e-machines... their failure rate is *not good* (voice of experience here).