Microsoft To Provide IE Patches for Windows XP Only
Fortunato_NC writes "Microsoft has decided that future IE updates, including those related to security, will only be available to customers using Windows XP. This news.com article has the complete scoop. A choice quote: 'Microsoft may be turning the lemons of its browser's security reputation into the lemonade of a powerful upgrade selling point.' This should provide a huge boost to Mozilla and other alternative browser backers."
Then they'll come back in a couple of days/weeks and say that "our business customers are unhappy with this decision" and decide to extend the patches through the end of 2006.
I don't see this as anything but GOOD news for the alt browser market.
;)
I have already moved all my customers off IE and onto Firefox and have received NO complaints as of yet, actually they are like wow I don't seem to get any more of those pop up ads, you're a great admin...
Microsoft continues to shoot themselves in the foot in the area of security. I thought they wanted to keep their market share, I guess the greed is getting to them.
-=Linsys=-
http://www.intrusionsec.com
This sounds like Microsoft. But you know they'll just say they are going to give them out anyway until 2007 or something like they always do.
/. rendering left side.
The summary says that it will boost browsers like Firefox, but I highly doubt it. I don't know that many people who aren't already on Windows XP, but the plain fact is, plenty of people browse websites that can ONLY be viewed properly in IE. I hate it. You hate it. But the fact is, people need to put more pressure on webmasters to create standards-compliant websites. (AHEM SLASHDOT) COUGH COUGH
Chris
Well, my 6 employee company has standardized on W2K. We've been testing Firefox for the past month, and with the exception of a few IE specific apps, we'll be staying with Firefox now.
I don't respond to AC's.
Though I must admit, there is some trepidation at the alternative browser approach. Just because the browser isn't used to, say, view webpages, doesn't mean a downloaded jpg (for example) won't be automatically opened in IE (for various reasons). Unless IE can actually be physically uninstalled easily and quickly, the threat still remains.
Not that I'm saying you shouldn't use an alternative browser, it's just that the potential for harm is still there as long as the security hole remains present. And it worries me.
Really, how many reasons do people need to switch to another browser before they do it?
I know a LOT of really intelligent, well educated people, many of whom are programmers or use linux in a server environment, who still use IE / Outlook [Express] on their desktops.
That is just begging for it.
I tell them over and over again the risks, and they still stay where they are. Ironically, complete neophytes switch over as soon as I tell them about Firefox / Thunderbird.
I guess the meek really will inherit the earth.
Lose Weight and Feel Great with Isagenix
"couldn't a corporation hold Microsoft liable for damages incurred to an unpatched system"
If that were the case people would be suing Microsoft for worms, holes, vulnerabilities etc... Most worms that have been written were created due to security problems Microsoft knew about MONTHS if not years before the problem ever surfaced.
Don't get me wrong I would love someone to try it, but I don't see that happening.
-=Linsys=-
http://www.intrusionsec.com
We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows
Seeing as IE isn't a part of Windows (wasn't that part of the anti-trust agreement?), shouldn't I be able to D/L the latest and greatest version of IE (with patches already included) from MS??
When asked about IE's origin as a free, standalone product, the representative said, "You're talking in software terms that might be considered ancient history."
Oh, I see... the settlement is ancient history....
I can see them only including it in windows update for XP only, but not giving out the latest and greatest as a standalone product? Bad move.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
So, if there's a safety problem with my 1998 Ford Contour, do I have to upgrade to a 2004 Ford in order to have it corrected?
This sounds more like a marketing move combined with laziness.
While they might stop patching everything but XP, the text you cite does not say that. Nor does it even imply it. They're only specifically saying that SP2-related security enhancements will not be delivered to any other version of Windows, until Longhorn comes out sometime in 2014.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
"Microsoft is not using security issues or any security situation to try to drive upgrades," said a company representative. "But it only makes sense that the latest products are the most secure."
Well yes that's true but it's also true that a large portion of the zombie PCs out there spewing spam, viruses, worms and DDoS attacks are NOT running the latest product from Microsoft. Effectively Microsoft's saying "well we'll concentrate on security only in a future sense." Bet that once Longhorn finally arrives XP will stop getting security patches shortly thereafter. Frankly we can only hope that there's enough big business clients that have "legacy" Windows OSs that will raise holy hell with Microsoft on this. Otherwise we can expect the situation with compromised machines to not get any better. It seems most of the people with badly compromised PCs don't even try to get them fixed until they finally grind to a halt, they're not likely to be upgrading to XP anytime soon.
I think the confusion is that the article says the recent security ENHANCEMENTS wouldn't be provided to anything but XP. This means no pop-up blocker/firewall/{insert service pack 2 goodie here} for Win2k or below.
They are not saying that they're going to stop making hotfixes for the older versions. Windows 2000 is still officially supported...just don't hold your breath for a pop-up blocker.
The key word in that quote is "Improvements"... I see that as tools to help you stay secure, not security patches.
There's a difference between giving the user a firewall (improvement) vs giving the user a patch in a security flaw in the OS (patch).
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Ok, so let's say that all the biggest car manufacturers in the world (that would be Microsoft) welded their hoods shut (closed source).
I have my very nice 1969 Mustang souped up and taking me every place _I_ need to go. Then we find out that the fuel pump has a problem with it that could cause a tremendous fire or explosion.
Now I have to go to the dealer as they're the only one that can do work on the car, purchase a 2004 Mustang to prevent my car from potentially exploding and causing serious damage to myself and others _and_ I have to pay them for the new car?
I don't think so.
IANAL
Not many people are.
but couldn't a corporation hold Microsoft liable for damages incurred to an unpatched system
They could try, but they would probably fail. Others have tried, and failed.
1. First off, with a security flaw, you need to be exploited to suffer damages. In a court case it will be easy to argue that MS shouldn't be responsible because even though they made a flawed product there was an overt criminal act involved that trumps their involvement. For example, if a car manufacturer makes cars with easily defeated locks, or locks that sometimes don't work, can the owner of the car sue the car company for damages if the car is stolen? They could try, but it probably won't get far just on that argument.
2. Second off, in liability cases you have to do your honest best to mitigate your exposure to loss. If I buy a product, and later am notified that it is defective, it is my obligation to act appropriately. That may include stopping to use the product. In this case, it may mean active content filters, firewalling, security zone changes, etc.
3. Finally, many industries are exempt from liability in certain cases. For example, auto manufacturers do not have to recall cars after a certain age. It doesn't make sense for the government to require Chevy to recall the remaining 1976 S-10's because of a latch that might go dangerously bad at 200,000 miles. Microsoft would have a good claim that Win2k and earlier is the equivalent of that outdated pickup truck. You drive that old pickup at your own risk. Windows XP is running on well over half of all Windows machines now. That percentage is getting bigger and bigger. Soon it will be 66%. At what point is it okay to stop supporting a product?
One last point. It may be tempting to say that MS should be liable for exploited systems. That is a bad road to go down. If all of a sudden liability is assignable to software makers because of exploits like this, the whole software world has a major problem.
Software liability could be exactly the tool that MS wants to destroy Linux in the business world. If an individual writing OSS software knew that any possible flaw they introduced could cost them everything they own you can bet that the number of checkins to Sourceforge will drop drastically. Companies like MS will be able to weather the storm. They'll force everyone to use only signed binaries. Machines will become locked down to the Nth degree, and proprietary will be back in. Every software vendor will force their users to run approved-only configurations. It'll be like the mainframe days of the 70s and 80s only worse. Companies like MS can afford to buy the liability insurance and the lawyers to hold on. Meanwhile, the Mozilla foundation will flounder and die.
Software liability is a bad, bad, bad, bad idea for the entire industry, but absolutely deadly for Linux and FOSS in general.
Timing couldn't be better. Until the end of the year, we'll have Firefox 1.0 ready. A Brazilian Portuguese version should be ready not long after. I'm happy with this, because I work as a network admin in a public school in Brazil, and this situation will enable me to mandate a no-IE policy in our LAN. We only have licenses for Windows 2000, therefore we aren't eligible for IE updates. IE6, by itself, is already dangerous, despite the fact SP2 is a step in the right direction. But an unmaintained IE6 is nothing but trouble, and I think it will be easy to convince the school's principal of this. I foresee this happening in many other places, now.
Thunderbird is my next target, I'm eagerly waiting for a full-feature, almost-no-bugs release. I had some trouble this week with some recalcitrant Outlook Express users and viruses, and I already managed to convince them to change the e-mail client. You can use good arguments to convince them, but downtime can usually be even stronger than your arguments. ^^
My neighbor's
problem here is, IE should _NOT_ be considered part of the OS, and as such it should be supported as a standalone product, no matter what Microsoft says.
What ? Me, worry ?
Man, you people are gullible.
Microsoft has said that they will not make IE6 SP2 available for older versions of Windows, not that they won't provide security patches.
Generally speaking, I don't criticize the Slashdot crew because they have enough story submissions to read through that things will slip past, but this is ridiculous. Microsoft has committed to several more years of Windows 2000 support, and there are still a couple of years left on Millennium. Because they view the browser as part of the OS, it would be asinine to think that they would patch XP's IE and leave the older ones to sit where they are now.
You can never go home again... but I guess you can shop there.
Unfortunately, I don't think it will. I work for a small business (a Microsoft partner) which provides IT services for other small to medium sized businesses. We provide both solutions and support. If we chose to use a non-Microsoft product, we lose tens of thousands of dollars in support. No viruses, worms, spyware, hijacked browsers == no money.
It seriously bothers me, but I would argue that the strength Microsoft has is not in providing well written software, but providing poorly written software prone to exploits.
It's kind of like how Ext2 is a big favorite even though there are all these clever new FSes. The maintainers never said "Hey, we're done. Upgrade to Ext3 or a journalized FS."
Microsoft states:
"We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows," the company said in a statement.
SlashDuh gurgles:
Microsoft has decided that future IE updates, including those related to security, will only be available to customers using Windows XP.
Slashdot generating its own FUD now?
Back in the days when Mozilla wasn't a great performer, lots of /.'ers would say stuff like, "if IE's a free download, why should I use this crappy Mozilla stuff". Well, now you know why.
It was only a matter of time before MS decided to tie browser upgrades to OS upgrades. After all, for a large portion of users, the browser's the only app they use. With their ill-gotten browser semi-monopoly, why wouldn't MS force you to buy an OS upgrade to get a new browser? DOJ? Not this DOJ.
Sounds like as good a reason as any to separate the browser from the OS. After all, this side-effect of bundling can't possibly be regarded as beneficial to consumers, and consumer benefit was the only defense they could come up with for exempting their bundling from antitrust regulations.
Posted from my Android phone. Oh, I can change this? There, that's better...
Here's what you can tell them:
"Firefox is what you get when people get together for the purpose to write the best possible software, rather than to make money."
This usually conveys the message pretty well, I found.
-- B.
This sig does in fact not have the property it claims not to have.
Secondly, we are in an academic setting. I'm not being 'stupid' as you so kindly put it. We simply don't have the cash. We run SUS server, etc, to push out patches, so wasting the admin time isn't that huge of a deal.
Windows 2000 machines are quite adequate for most desk jobs. Forcing an upgrade is silly when the machines are working fine as-is and don't require that much maintenance. And as for e-machines... their failure rate is *not good* (voice of experience here).