Flurry of Security Patches
yggy writes "It's been a hectic day on the security patching front. Microsoft's bulletins for July include patches for three critical vulnerabilities on the same day that Mozilla releases new security updates for Firefox and Thunderbird. Not to be left behind, Apple fixed two Tiger flaws while Oracle issued a critical database server update." (See these separate stories on today's release of Firefox 1.0.5 and the 10.4.2 update from Apple, too.)
So today we have a bunch of new patches, which means tomorrow we will have all the exploits being developed and released. The major problem with patches is they often are not installed by end users, and that is the bread and butter of zombie botnets.
Voice your opinion!
...the zlib bug
You managed to dupe two stories at the same time!
http://www.frsirt.com/english/advisories/2005/1066
FrSIRT Advisory : FrSIRT/ADV-2005-1066
CVE Reference : CAN-2005-1174 - CAN-2005-1175 - CAN-2005-1689
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-07-12
* Technical Description *
Multiple vulnerabilities were identified in MIT Kerberos, which could be exploited by remote attackers to execute arbitrary commands or cause a denial of service.
The first issue occurs in the MIT krb5 Key Distribution Center (KDC) implementation when processing specially crafted TCP/UDP requests, which could be exploited by an unauthenticated attacker to cause a denial of service or execute arbitrary code on the KDC host.
The second vulnerability is due to a double-free error in the "krb5_recvauth()" function, which could be exploited by an unauthenticated remote attacker to execute arbitrary code in the context of a program calling the vulnerable function (this includes the kpropd program which typically runs on slave Key Distribution Center hosts).
* Affected Products *
MIT Kerberos 5 version 1.4.1 (krb5-1.4.1) and prior
* Solution *
Upgrade to krb5-1.4.2 release
http://web.mit.edu/kerberos/dist/index.html
Or apply patches
http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt
http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt
* References *
http://www.frsirt.com/english/advisories/2005/1066
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt
* Credits *
Vulnerabilities reported by Daniel Wachdorf and Magnus Hagander
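As an added example, not part of the original post, the FrSIRT advisory or MIT's own tooling: a small POSIX shell check that decides whether an installed MIT krb5 release falls inside the advisory's affected range ("1.4.1 and prior"), comparing version components numerically so that a release like 1.10 is not ranked below 1.4 by a plain string compare. It assumes that `krb5-config --version` prints a line of the form `Kerberos 5 release X.Y.Z`; the sample string below is constructed and stands in for the live command.

```shell
#!/bin/sh
# Added example (not from the advisory or from MIT): flag MIT krb5 releases
# that fall in the range "1.4.1 and prior" named in FrSIRT/ADV-2005-1066.

FIXED_VERSION="1.4.2"   # first release the advisory states as fixed

# ver_lt A B -> exit 0 if dotted version A is strictly older than B.
# Components are compared as integers; missing components count as 0.
ver_lt() {
    a="$1."; b="$2."          # trailing dot so cut sees a delimiter on short versions
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1   # ran out of components: equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# parse_krb5_version "Kerberos 5 release 1.4.1" -> "1.4.1"
# (assumed output format of `krb5-config --version`; any suffix after the
# numeric release is dropped)
parse_krb5_version() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9.]*\).*/\1/p'
}

# krb5_affected VERSION -> exit 0 if VERSION is older than the fixed release
krb5_affected() {
    ver_lt "$1" "$FIXED_VERSION"
}

main() {
    # Constructed sample; on a real host use: installed=$(krb5-config --version)
    installed="Kerberos 5 release 1.4.1"
    v=$(parse_krb5_version "$installed")
    if [ -z "$v" ]; then
        echo "could not parse a krb5 release from: $installed"
        return 2
    fi
    if krb5_affected "$v"; then
        echo "krb5 $v is in the affected range (1.4.1 and prior): upgrade to $FIXED_VERSION or apply the MIT patches"
    else
        echo "krb5 $v is at or past $FIXED_VERSION"
    fi
}
main
```

Distribution packages often backport the fix without bumping the upstream release number, so on a packaged system treat this as a first screen and confirm against the vendor's own advisory for that package version.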
Here's some good info that colfer from this MozillaZine thread dug up:
1.0.5 is mainly a security fix, but I have seen a bunch of non-security fixes creep in also, such as removing the default checkbox "yes" for "make firefox my home page." This looks like a big cleanup for the 1.0.x branch, before 1.1 takes over.
I don't know about the security fixes, besides the medium-risk frame/window spoofing thing (with 1.0.4, you should not open untrusted sites at the same time as sensitive sites...). Here are the non-security fixes (non-security as it seems to me) checked in since 1.0.4:
https://bugzilla.mozilla.org/show_bug.cgi?id=2837
"Save As" dialog tries to overwrite link/shortcut (.lnk) file instead of opening the directory/folder
https://bugzilla.mozilla.org/show_bug.cgi?id=2952
Tab title different from window title on initial load at gmail
https://bugzilla.mozilla.org/show_bug.cgi?id=2837
Right arrow key after selecting autocomplete result no longer uses selected item
https://bugzilla.mozilla.org/show_bug.cgi?id=2912
update installer packages should offer unchecked check box for setting start page
https://bugzilla.mozilla.org/show_bug.cgi?id=2910
Helper app dialog incomplete for non-nsStandardURL types
https://bugzilla.mozilla.org/show_bug.cgi?id=2655
(64-bit only issue)
https://bugzilla.mozilla.org/show_bug.cgi?id=2456
Crash loading (particular) .ico file
https://bugzilla.mozilla.org/show_bug.cgi?id=1418
Table with large rowspans and colspans hangs the browser
https://bugzilla.mozilla.org/show_bug.cgi?id=2880
Drag image across browser windows --> crash
https://bugzilla.mozilla.org/show_bug.cgi?id=2950
Obscure Javascript crash
https://bugzilla.mozilla.org/show_bug.cgi?id=2962
Default user agent problem (AIX platform only)
https://bugzilla.mozilla.org/show_bug.cgi?id=2808
Crash on OS/2 platform
https://bugzilla.mozilla.org/show_bug.cgi?id=2937
bookmarks toolbar missing in 2nd opened window, links in second window possibly cause crash
Actually, it's the other way around. This is Microsoft Tuesday, patch day for them every month. It's the F/OSS world that is releasing patches at the same time as MS.
But wait, Firefox has security holes? And OS X too? But from the comments on slashdot, I was under the impression only Microsoft had security flaws...
Oh, I think I understand now. Only windows sucks when it has security holes and Open Source programs don't suck when they have security holes because they're better than closed source and the patch came out fast... or something. Gotcha.
Microsoft sucks because they release software that needs security patches. Linux rulez!
....that msft waited until the end of day to release the patches. Every time they release during the day it bogs down the network, to the point of really hindering productivity; it's especially crappy when they release in the morning, because then it's usually bad all day.
......and see all the non-existent updates I have to download. Seriously, people talk about all the updates to download, but I never can find them. Although I do have to say Firefox updates wonderfully.
However, despite not updating my Windows install for months, I still have yet to be infected with one virus, spyware/adware program, or have my machine hacked. Maybe it has more to do with the fact that I browse the Internet with care, rather than update with every stupid patch M$ puts out, that creates more problems to be patched later on. If people would just learn some basic browsing habits, there would be less zombie-boxes and "Win32:Netsky" emails in my inbox.
apple is hardly 'open source'.
"Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive." - C.S. Lewis
Look at the calendar.
Blackhat / DEFCON is at the end of the month in Vegas. This is the scheduled patch release day (at least for MS) before the event.
The vendors have more than likely been notified by the "researchers" who discovered the issues, and are releasing their fixes on a coordinated schedule.
The last set of patches from WindowsUpdate:
- Security Update for Windows 98 (KB891711)
- Security Update for Windows 98 (KB888113)
- Security Update for Windows 98 (KB896358)
- Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB883939)
freeze MS Windows 98SE when older versions of ZoneAlarm start. Uninstalling the old version and installing the latest ZoneAlarm works.
The problem is most people have ZoneAlarm set to start at boot, and do not know how to bypass ZoneAlarm to get the computer booted so they can fix it.
My guess is since Microsoft is selling its own personal firewall, they will take every opportunity to hurt ZoneAlarm. Or they just wanted to generate PC sales from all those people whose computers are now "broken". Hey, they should have paid for newer versions of Windows many times since Windows98SE was released.
I can't wait to install today's patches!
I spend my life entertaining my brain.
when microsoft releases security updates, it's cuz the software is crap. when others do it, it's cuz the software rocks. no double standards here. maybe it's like when girls get naked. if she's good looking, makes it better. if she's bad looking, much worse. microsoft may be bloated, but needs love just like everyone else.
Before you go using the (rather bad) logic that OSS is bad because of the issuance of a high risk patch, you might want to look at how many high risk patches Microsoft has released compared to the Firefox people.
-Jenn
After talking to Apple tech support about my X11 problem, and having them refuse to help, I guess I'll just have to follow the MS support path and re-install the OS.
The sysadmin mantra lives on: All operating systems suck, they just suck differently.
-Chris
-- This sig is only a test. If this were a real sig it would say something witty. --
Given that Microsoft always releases its patches on the 2nd Tuesday of the month (nicknamed "patch Tuesday"), I'd say it isn't a new strategy. Or at the very least, it isn't a new Microsoft strategy ... :p
Thank you.
Let the "osx==freebsd" posts begin!
best feature update for OSX:
With this update, you can use Safari to log in to MyAccount on cingular.com.
now I don't have to fire up firefox just to pay my cell phone bill.
w00t!
...spike
Ewwwwww, coconut...
It's called doublethink. That's because Microsoft is Big Brother you see...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Upgrade to Heimdal.
"freeze MS Windows 98SE when older versions of ZoneAlarm start. Uninstalling the old version and installing the latest ZoneAlarm works."
... to do it with Win98... (since most people who would care would already be running something else)
;)
--- this is with older versions of Zone Alarm, if reinstalling Zone Alarm fixes the problem... why would this be some ploy of Microsoft to hurt Zone Alarm?
Windows 98 isn't exactly new, either, I really doubt they would (if they chose an 'attack' of this sort)
===
Perhaps I am missing something, feel free to tell me what I am missing if I am, I like to have a clue sometimes
MoM++ - A Classic Expanded - [Master of Magic 1.5]
http://mompp.sourceforge.net/
Ah yes, the wisdom of the AC...
If I was 'in my right mind' I'd be living in Fiji taking tourists on scuba tours of the soft corals. Since I'm not, I stay in SF and buy shiny toys; and I maintain the right to bitch about them if they don't work as expected. And I've got the balls to do it with a real login account.
-Chris
Uhm, no. It's actually called double standards. However, you can link to Wikipedia as much as you like trying to prove that wrong, but in the end, you're just going to look like a clown.
Of course it would have nothing to do with the fact that one of these pieces of software is a (comparatively simple) web browser, while the other is an OS which users expect to run on some dodgy P3 which has been gathering dust in a corner for the last 6 years or so and has millions of lines of code to debug :)
they continue making progress with the bug fixes. For me, FF is feature packed enough. I'd prefer to see some more work on the update facilities and performance when running on Linux (fix the RAM usage and crashes please). I like FF because it's light, I don't want more bloatware. The FF team need to remember that we can switch back to IE, or to Opera or something else, just as easily as we switched to FF. Many FF users aren't in it to snub MS (they're both free browsers, it's not like they lose money), they're using it cause it's a safer, more stable product. The second that changes, I and many like me go elsewhere.
Microsoft releases security updates on a regular schedule, rather than as soon as they're created. For all we know, these new patches may have been sitting on the servers at Redmond for over a month before being announced. Not so with Open Source. When a patch is needed, it's developed, tested and released. No waiting for the next scheduled patch release like Microsoft does.
Good, inexpensive web hosting
Anyone that claims open source is entirely free of bugs is dreaming and/or misinformed.
The beautiful part is the speed at which critical bugs in OSS are corrected after being discovered.
One of the things I noticed last week was that Windows Update... had been updated. It's now a new stylized webpage and it works a little differently - in that, it doesn't. My Windows 2000 Pro machine refuses to install anything that's been downloaded with the "new" Windows update. They refer you to the help section if installation fails, and after trying all of the help suggestions I just gave up, nothing worked.
The only thing that does work (for me anyway) is the old URL: http://v4.windowsupdate.microsoft.com/catalog/en/default.asp
No telling how long we have until Microsoft disables it and forces everyone over to a new system that doesn't work. I've always liked, or at least tolerated Windows and I've never understood why everyone here *hates* Microsoft. Now I get it. Hopefully someone will find the above url useful if they have problems.
I don't like defending M$, but at least they have "updates" rather than creating a whole new version like Firefox 1.05. It's about time this was fixed, don't you think?
serenity now!
the release schedule was something they moved to because of demand. they were releasing them frequently and randomly. now IT admins can plan for the patches. i believe they still release outside of the schedule if it's something that can't wait. so bash them for releasing them right away, or bash them for responding to demand and using a schedule. damned by /. if u do, damned by /. if u don't. well, at least if you're m$. didn't oracle move to something like this too?
I believe this will be the case from firefox 1.1
"Religion is the most malevolent of all mind viruses." - Arthur C. Clarke.
I would be curious, all things being equal, how long today's patches will take to completely saturate the base of patchable machines.
Including all of thousands of machines based on odd ball linux distros and all windows machines.
Not the time to make the patch, but the time it takes for the vulnerability to be reasonably remediated.
Any one know?
Barely matters on Mac OS X :) You really just replace one directory (that looks like a single file for all practical purposes) and that's it. Gotta love the switch!
that the Amiga is the most secure platform out there.
There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
you didnt clear up anything except the fact that you are blinded by your prejudices. insecure software is insecure software, regardless of the business model. this slashdot story is proof.
Most of the exploits are written AFTER the patches come out. Most exploit writers just look at the patch, see what it fixes, and then figure out the vulnerability. So the patches don't really need to be released immediately. (This is the practical reality, of course there are others who find this plan to be horrible, but it works for me.)
I really like this once a month patch cycle. I get an idea that maybe they plan the patches a little better, and test them more.
Maybe EA should have done that with Battlefield 2, instead of trying to rush a patch out.
No reason to lie.
If you can afford to live in the SF area, can you buy the rest of us some shiny toys? The computer I'm using is painfully slow, and if SGI goes under, there may well be Altix bricks on eBay for a decent price...
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I'll believe it when my open source web browser tells me I have security updates. I just used Firefox's check for updates feature and it tells me there are none.
You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
You think so? Check out the patch list for FF 1.05
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox
12 vulnerabilities in this patch, the oldest was created in APRIL! And it's marked as high severity.
The newest we don't know, because Mozilla is keeping it hidden until July 20th, but if you take the Bugzilla report number, and add one to it you can get the bug that was created directly after it, and that was created in MAY!
So yes, Mozilla DOES sit on critical bugs for months.
If you need web hosting, you could do worse than here
Security patches do not taste as good in my Flurry as oreos and peanut butter cup pieces do.
Out of curiosity, what do you consider "quickly"?
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox
Let's look at the most recent vulnerability there, MFSA-2005-56. Unfortunately, the details are being hidden until July 20th. However, we can see the Bugzilla report numbers. The first, 294795, won't let me view it. But if we view 294796, the bug created right after it, we see it was created on May 19th. Nearly 2 months ago.
Is 2 months "quickly"?
You seem to be blindly making assumptions without bothering to check the facts.
This is NOT evidence that Open Source fixes bugs quickly. If anything, it proves that just like Closed source, they can keep the bugs quiet and sit on them as long as they like.
Among the other fixes, Firefox 1.0.5 contains a patch to CAPS (Configurable Access Policies) that finally eliminates crashes reported by users of the NoScript extension. This should make Firefox users even more safe: its "whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality"...
/me throws a copy of 1984 at the AC
Interested in French?
Thank you very much. The new Windows Update doesn't work with one of my computers. The link you posted works fine, and I would rather put all the patches on a hard disk, anyway.
Microsoft Internet Explorer is one of the most buggy software packages I've ever seen. Windows Update isn't as buggy, but it's trying.
Security is definitely not one of Microsoft's priorities, unless the priority is to have the most vulnerabilities.
Hello. 1948 called. It wants its book back.
It only passes if you use a nightly. A shipped release has never passed the acid 2 test.
save the GNUs!
WTF does the openness of the code have to do with when patches are released?
O yeah, I have a link that will prove you wrong.
It says something bad about Open Source. That's
just not acceptable here.
I never said there had to be a relationship. However, most open source developers tend to release important patches as soon as they're tested, to keep their project safe.
Microsoft releases patches for IE, Mozilla foundation releases patches for Firefox, why isn't Opera patching their browser?!
Oh yeah, 0 unpatched vulnerabilities.
There was also a high priority update for Microsoft Office in addition to the 3 OS patches. Nothing critical, just updated spam definitions.
Quote:
Update for Outlook 2003 Junk Email Filter (KB895658)
This update provides the Junk E-mail Filter in Microsoft Office Outlook 2003 with a more current definition of which e-mail messages should be considered junk e-mail. This update was released in July 2005.
I'm using the new Microsoft Update (as opposed to Windows and Office separately) and so should you. And yes, according to their FAQ it adds Office to Windows automatic update.
Link: http://update.microsoft.com/
I think it's more of giving a grace period to allow people to update -- in fact, I'm still using 1.0.2.. Ouch.
</sarcasm>
In case you hadn't guessed, these things take a bit of time.
"Those who are too smart to engage in politics are punished by being governed by those who are dumber" -- Plato
Today, I sigh in pleasure as I type this message in KDE Konqueror. Glad my browser isn't vulnerable to a kitchen full of exotic security holes; taste of the week style.
Oracle Unbearable, perhaps.
They probably have the worst security track record among major databases and yet they get no /. trashing whatsoever. Interesting.
Why wouldn't closed-source developers want to do the same thing?
It only passes if you use a nightly. For those that aren't aware, you can build your own or download Safari on Acid
The company also updated its Windows Malicious Software Removal tool to add detections for variants of Wootbot, Optix, Optixpro, Hacty (also known as YYTHAC), and Prustiu (also known as Delf.FN). ... and to reflect its intent to buy Claria, distributor of malicious software like Dashbar and Gator, by removing the detections for their products.
I can't ever remember anybody saying that "only Microsoft had security flaws". If you were under this impression, this is more likely to be down to a misunderstanding, or some angry pro-Microsoft type trying to give Linux users a bad name.
The point is that Microsoft has vulnerabilities which are usually exploited swiftly. They're usually quite nasty. They're usually in the most popular (bloated) Microsoft software packages. Finally, there's a good chance that patches could cause just as much damage as an exploit. This is what makes people shake their heads about Microsoft security.
Added to this, Microsoft has been working extremely hard - or so we're led to believe, even to the detriment of its beloved Longhorn - and has spent millions on security. Maybe there have been improvements, but it's still coming out with plenty of nasties after years of this.
And after saying that Windows has better security than Linux, Microsoft is now copying Unix/Linux administration rights. This seems to suggest that Microsoft doesn't see an end to the plague, and that perhaps Linux holds an upper hand in security after all. Not only that, but this is going to make it easier for people to switch to a Linux desktop, after getting used to having to log in as root on Windows for particular reasons.
Linux/Open Source/Anti Microsoft News
BTVS lives on... The only windows box in my house is named Dawn. Works well with my naming convention. I also still get to say: "It's tuesday, Dawn must be in trouble again."
Hey, how'd you know I was drinking Kool-Aid?! Damn, you're a jeenyus!
No sysadmin in his right mind runs OSX.
Brilliant! Can't wait for more! I can tell this is gonna be a fact-filled, detailed primer on what to do right. Give me the straight dope, dude. I'm waiting for it.
Unless he doesn't want *real* support.
Ah, yes. I get it. What you mean is that if you buy Apple products, you won't get *real* support. I don't know what that means or who does provide *real* support, but I guess that's because I'm a dipshit. Damn! I hate when that happens!
Or performance.
I thought Apple hardware was sexy, but I guess it doesn't really "put out" the way other hardware does. I don't need factual comparisons. You're teaching me a lot here. I can't wait to read the next kernel of wisdom.
Or security.
Yeah, OS X is a fucking sieve! If it's not trojan horses it's Mail.app viruses and malware. Every zombie machine out there is running OS X. It's a plague on us all. Fucking Apple!
Or configurability.
I never thought about that, but you're so right. That one configuration fits all XServe sucks major goat ass.
Or standards.
You said it, buddy! I wish Apple would get with the program. I mean, I can run WebStar on OS 8, but why don't they wake up and smell the coffee? It's 1996, and the world is changing. If Apple doesn't wake up, this World Wide Web thing is going to really catch them off guard.
Or a real journaling file system.
That's like *real* support, right? You must mean that HFS+ isn't *real*. I think I'm starting to understand, but you're so brilliant you may have to slow down so I can catch up.
Or real hardware.
Ah, I'm on to you now, you clever sysad, you! This is another one of those "it's not *real*" things. It looks like the hardware is there, doing its job, but it's actually not.
Thanks for clearing this all up, AC. I really learned a lot, and am looking forward to more comments from you. It's going to be tough to read them all though, because you sure are prolific!
Read the EFF's Fair Use FAQ
or are Tuesdays becoming an International patching day? World of Warcraft also patched up Tuesday too...
Patch Patch Patch Patch. Lovely Patch! Wonderful Patch!
Philip
Signatures are broken
Dunno. Mine has a little green icon in the top right corner, and if I mouseover it, it says "Update(s) available". I'll admit it would be nice if it informed me they were critical...
I'll believe it when my open source web browser tells me I have security updates. I just used Firefox's check for updates feature and tells me there are none.
Aye, I just got that as well. I'm thinking in my case it's my locale: en-gb - there isn't a "British English" version yet. Could it be a locale issue with you, too?
(For the curious, I'm holding off on the upgrade, partly because I want to support localisation efforts, and partly because I'm a big feartie ;-)
This is where the serious fun begins.
I should have been more specific. By "old version of ZoneAlarm", I meant the latest download on Nov 20, 2004: version 5.5.062. The current version downloaded on July 10 is 5.5.094.
I do not know if ZoneLabs fixed something to beat MS, or whether the uninstall/reinstall fixed whatever WindowsUpdate ruined. It won't matter to anyone who's computer is broken by WindowsUpdate.
Win98SE is the best OS produced by MS. Add ZoneAlarm, Mozilla, OpenOffice, and some smarts in the user, and you have a rather secure computer. I do not like MS's later versions. WinME was an abortion. Win2K could not run older programs or use older drivers. WinXP cannot be made secure; MS has been patching at least monthly since it released, and every month they find several new flaws. Win98SE does not like more than 512MB RAM; WinXP does not like less than 2GB RAM. I have no metrics, but after replacing WinXP with Win98SE on many computers, every user has said their computer runs between 4 and 10 times faster. The only programs that I am aware run on WinXP, but not Win98, are SpiderSolitaire and a database server; I am almost certain they would work if they did not check the OS during launch.
IMO, people who care, but must have a MS OS, use Win98SE. Older is not necessarily worse. How many servers were still running RH6 when the main trunk was renamed Fedora? I worked on a RH7.2 production server last week; some of the software is not certified on later versions, and the company will not take a chance upgrading.
=== Answering the other responses:
ZoneAlarm beats Norton in every security group's tests. Search for some reviews from your favorite security website.
Most of the people still running windows 98 are not computer literate enough to be using a firewall
Most of the people still running Win98 are doing so deliberately. The ignorant are running the WinXP that came with their new computer, along with spyware and other malware they picked up from close contact with the zillion other computers on the Internet.
Shouldn't that read, "ZoneAlarm on Win98 freezes PC?"
ZoneAlarm worked great for years. It was WindowsUpdate that broke my PC. If a mechanic installs a new starter and the engine won't start, you don't blame the spark plugs, even if installing new plugs makes it work.
Useful rules for all new users should be highlighted...
I guess today is a passable day to die.
This is Microsoft Tuesday
:-)
Perhaps they should make that Microsoft Tuesday (TM) like Microsoft Windows (TM), Microsoft Office (TM) etc
Try NetBSD... safe,straightforward,useful.
How do you define 'end of the day' on a planet?
What's the air conditioner ever done to you?
2 months? Generally accepted practice for responsive fixes to coordinated secret ("responsible", as MS and others style it) disclosure varies from 1-60 days, so 2 months could be "quickly" by some definitions.
The Mozilla team do need a more responsive security framework. It's a big project and it's a lot to handle. But they are trying; and, I might add, on a small budget, on an often volunteer or ex-developer-basis. Opera have their fair share of vulns, particularly after the damn-near rewrite of Presto (v7), but they respond and fix very quickly and I have to congratulate them on that.
MS, on the other hand... Firefox's 2 months is better than IE's 2 years!
Have a look at eEye's upcoming some time, and talk to Mark about this. MS are emphatically NOT trying, unless it threatens to become a PR issue for them.
Windows Update v6 and Microsoft Update actually fail to flag open vulnerabilities on some computers - a very serious regression, but it was pushed out the door anyway.
MS don't care at all about local exploits unless they're actively exploited and showcased by big names in the VX scene either before or after public disclosure (#VDM).
Currently, the oldest security-related bug that MS knows about remains unfixed after 4 years. It's a remotely-exploitable integer overflow in mshtml's parsing, and a similar bug is in shdocvw as well, and that's all I'll reveal publically in the hope that one of these days those idiots actually decide to take notice. If it hits 5 years and it's still unfixed, F-D and Bugtraq will hear about it.
They don't even reply to email except with form letters. They don't keep the researcher in the loop about what's going on. It sometimes takes phone calls, and digging out personal email addresses of team members, to get something done.
MS have a *long* rep of simply burying or ignoring security vulnerabilities if they think they can get away with it. They started to care when it became a PR issue, but that's why they have been paying lip service to it, not actually because they care about timely fixes. It's ridiculous to expect MS to take longer than 7 days to turnaround a fix to any security vulnerability. They have the resources, and if they really treated these things seriously, the patchsets would be once a week, and they would be willing to divert attention from all teams to pitch in with testing of particularly intractable patches. It really should be a company priority for them, and it's disappointingly not.
But hey, I'm just a security researcher, not a businessman - what would I know?
If it's a critical update, the update arrow in FF will be red.
Yup. But here's the problem: Firefox has built its reputation on "We are secure. Microsoft is not" The more incidents like this one, the less differentiation between Firefox and Microsoft.
But of course, the mods "flamebait" the grandparent which had a very valid point.
As gp pointed out, people become zealots so easily.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
I had the same problem, and rather than waste a bunch of time figuring it out I rebooted my machine. Surprise surprise - the update started working. Kind of old school, but not surprising.
MS also released a security update for Office.
I ran a BBC b connected to prestel for years without getting a single worm, virus or trojan.
Sysadmins pressed MS into the strategy of releasing bug fixes on a scheduled monthly basis so that they wouldn't have to be dealing with them continuously through the month. It only makes sense for everyone else to use the same day for the same reason.
Maybe this will increase the rate of application of other patches. People will essentially be reminded of the day when the MS patches automatically arrive and come to know that that is the day that they should check for patches on all of their other products that don't use such a clean patching system.
"A security issue has been identified in the Color Management Module that could allow an attacker to compromise your Microsoft Windows-based system and gain control over it. "
Leave it to Microsoft to leave a vulnerability in something to do with color management. Jesus.
Yesterday I waited for FireFox to do its automatic update thing to no avail.
I decide to go to Options->Advanced and do a manual Check for Update, which returned nothing.
Why has Mozilla abandoned me??!?
And no, I am not currently running 1.0.5
1&1 - Cheap domain and web hosting.
Anyone know when the auto-updating of Firefox is due to come? Rather than having to go to a mirror and download a new release?
Sure, the Microsoft updates are quite often OS-updates. But of the three I downloaded and installed this morning, at least one was specifically for IE (didn't check the other two). I see way more critical/high risk updates coming from Microsoft for IE than I do for Firefox.
-Jenn
That's a good question. Some do, some don't. However, most of the people we hear about doing it are Open Source. Maybe that's because there are more people out there with the code helping to get the patches written.
No updates found
Firefox was not able to find any available updates
Back to manual updates ...
.. paranoid crackpot leftover from the days of Amiga.
No I use the U.S. English version. And since I originally posted here, I have yet to see the "Updates Available" pop-up. Very impressive.
Meanwhile, Windows XP was patched not long after the patches were released.
Is 2 months "quickly"?
For testing a patch to an extremely widely-used consumer app? Sure, that's not an unreasonable amount of time.
Frankly, if for every security vulnerability reported to Microsoft, there was a prompt response followed by a well-tested patch in eight weeks (and we'll be generous and use the oldest bug, as you did), most of us would be *ecstatic*.
We'd all like more speed, but if a given hole is not actively being exploited or only being exploited on a small scale, releasing a bad patch can cause more damage than it's worth. If this was...well, I guess there aren't really any worms that target Firefox, but if there were, a sort of Code Red for Firefox, where a massive outbreak is spreading, I'd predict that it's a pretty safe statement to say that the Firefox team wouldn't hold onto the patch to bundle into the next bugfix release -- there'd be a patch out as soon as they could finish it.
Any program relying on (nontrivial) preemptive multithreading will be buggy.