Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Patch Train Leaves the Station

Posted by CmdrTaco on from the a-whole-lotta-security-going-on dept.

per1176 writes "Microsoft has released 10 advisories to cover a dozen security vulnerabilities, including a "critical" cumulative update for the Internet Explorer browser. The IE fix corrects a remote code-execution vulnerability that exists due to the way the browser handles PNG (Portable Network Graphics) files."

17 of 361 comments (clear)

  1. Large size crash by Anonymous Coward · · Score: 5, Interesting

    Does this fix the crash with large streched images?
    ie width=9999999 height=999999 in an

  2. IE PNGs by Enigma_Man · · Score: 4, Insightful

    That's hilarious, because IE barely supports PNGs at all, but they apparently are vulnerable to them nonetheless. If you don't know of the png problem, they just don't display the colors right and/or won't do transparencies right at all.

    -Jesse

    --
    Nothing says "unprofessional job" like wrinkles in your duct tape.
    1. Re:IE PNGs by swilde23 · · Score: 5, Informative
      That's mostly true... but you can mangle your way around it...

      http://blogs.msdn.com/dmassy/archive/2004/08/05/20 9428.aspx

      Believe me, I would rather just use a different browser (one has security holes of its own. As much as the creators of firefox would like to believe they have the perfect browser, any major piece of software is going to have bugs.

      The smart developers call these bugs... features :)

      The truth is though, most people don't know about anything other then ie. Why else would it show up with more then 80% of the hits on the websites we run. People don't like change. They like ie because it works out of the box with Windows. No extra installing, no "scary" configurations, no extra work on their part. If you want to convince people not to use ie, don't post messages on /. discussing the various security holes involved with png images. Go out and convince MS to stop packaging it with their os. Make people have to do a little work to get on the internet. Maybe then they'll start to think a little about what they are doing.

      --
      There are 10 types of people in the world. Those that understand this sig, and those that beat up people who do.
    2. Re:IE PNGs by theborg1of4 · · Score: 5, Informative

      I'm not sure if I understand your use of the word "barely". IE supports PNG as per the W3C recommendation, including binary transparency. IE doesn't support optional alpha channel transparency:

      http://www.w3.org/Graphics/PNG/

      From the first paragraph:

      "Indexed-color, grayscale, and truecolor images are supported, plus an optional alpha channel for transparency."

      While it would be nice if they supported the optional features, it's actually the developers who continue to use alpha channel transparency PNG that are deviating from the W3C recommendation.

    3. Re:IE PNGs by Anonymous Coward · · Score: 5, Insightful

      The alpha channel is optinal in the PNG file format, _not_ in the PNG recommendation itself. The browser still has to be able to handle PNGs with alpha channels to be fully compliant with PNG pictures, even though users might choose not to supply an alpha channel with their picture.

  3. Forgive my ignorance by J+Barnes · · Score: 4, Funny

    but is there an obvious point where software become more patch then content?

    Lately I envision all Microsoft products as lumbering stay-puff marshmallow men, ambulating labored steps inside a comical suit of band-aids.

    --
    :::: the insomniac's digest
    1. Re:Forgive my ignorance by Tarcastil · · Score: 4, Insightful

      You do realize the Linux kernel is heavily dependent upon patches.

  4. Reminds me of the JPG buffer overflow by Nos. · · Score: 5, Insightful

    After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems? Guess not.

    1. Re:Reminds me of the JPG buffer overflow by Cally · · Score: 4, Informative
      Dude, if they hadn't checked, how else would they have realized there was a vulnerability for PNG and then developed a fix for it?

      As a matter of fact, these and other forthcoming issues with various OSes graphic parsing and rendering libraries result from a sustained attempt to break them with fuzzing techniques by researchers at the Finish University of Uola (or Oula. I forget). This is the same group that ripped apart many vendors' implementations of SNMP a few years ago, and ASN.1 a year or two after that. Big thanks to them for proactive efforts to improve security...

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    2. Re:Reminds me of the JPG buffer overflow by Anonymous Coward · · Score: 5, Informative

      ...the Finish University of Uola...

      You probably meant the Finnish university of Oulu.

  5. Before you gloat too much by callipygian-showsyst · · Score: 4, Informative
    ...Slashdot seemed to have missed this doozy from less than a month ago.

    http://www.us-cert.gov/cas/techalerts/TA05-136A.ht ml

    --
    Best Buy can have you arrested
  6. The NSA by Anonymous Coward · · Score: 4, Funny

    Never needed MSFT to put in a "backdoor" for them, specifically. Christ, they just needed the source-code so they could use all the ones there were already there.

  7. Re:To bad by HiredMan · · Score: 4, Insightful

    Yeah he's an idiot. How dare he criticize a program that's buggy. It's frozen from development and it's replacement will ship in 2 years or so, Stupid. So what if they never, ever fixed the PNG display pipeline since IE 6 shipped. Why should graphics display correctly - it's not like the web is a graphics medium, right?

    Vendors should never, ever roll back changes into older versions of their software they force you to use. Tabbed browsing, correct graphics display, CSS support will all be available someday so shut yer piehole! All you'll have to do is upgrade your entire system to get these features. And it's not like anyone else has managed to get that stuff working on the same platform, right? Right? Well, maybe some one has but they must have more programming resources than MS, no doubt...

    =tkk

    --
    Bill Gates - Creationist?!?
  8. All aboard! by AtariAmarok · · Score: 5, Funny
    "MS Patch Train Leaves the Station"

    Otherwise known as the Bugwarts Express. To find the boarding platform, run your luggage cart full tilt into that blue screen.

    --
    Don't blame Durga. I voted for Centauri.
  9. Re:Venture to guess? by Joe+Decker · · Score: 5, Funny
    Check your god damn code

    Using an interjection when you mean a adjectival phrase is an amateur mistake. Check your God-damned grammar.

    --
    I'm a nature photographer.
  10. Re:Patches don't solve the problem on new installs by wiggys · · Score: 4, Insightful

    Yes.

    1) Switch on the built-in firewall before you connect to the internet. It's very basic but it does the job, I've been running an unpatched XP system with nothing more than the built-in firewall for months now with no problems.

    2) Buy a router. £25/$40 buys you a piece of hardware which acts like a firewall and blocks all incoming ports, other than ones you solicit, natch.

    3) Slipstream SP2 into your XP install. Personally I'm staying away from SP2 but use it if you must.

    4) Put a copy of Zone Alarm on your "XP Install Disc 2", along with the the many useful bits of freeware available at www.grc.com

    5) Download, burn and learn how to use Knoppix.

    6) ????

    7) Profit!

    --

    Sorry, but my karma just ran over your dogma.

  11. Need people be reminded? by suitepotato · · Score: 4, Interesting

    This is all partly as a result of the way the PC platform itself works, it's merely that Windows has got so much compound crap in its code that these things are bound to happen. As Linux distros continue to grow and mutate and people ignore the old idea of the smallest kernel possible, we're going to see more buffer overflow errors on Linux. If BSD had the same kind of useage rates as Linux, we'd see a similar trend there. Mac OSX is taking off, we're going to see evolutionary crap in its genetic structure as it were.

    Tearing Windows present design platform down to the smallest parts and scrubbing and rebuilding would probably put back the release of XP's successor to 2016. Let's hope some people are listening on the Linux and OSX sides and get it in their heads to keep their code lean and healthy and well tested.

    --
    If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)