Slashdot Mirror
Two Unofficial IE Patches Block Attacks
Pentrex writes "eWeek reports that two well-respected Internet security companies (eEye and Determina) have released unofficial patches to correct the vulnerability being exploited to load spyware, bots and Trojan downloaders on Windows machines. Microsoft isn't sanctioning the third-party patches, which include source code for review. As always, the advice is to weigh the risks before opting for an unofficial hotfix."
As always, the advice is to weigh the risks before opting for an unofficial hotfix.
Is this not something that smart admins/companies so even with official patches and fixes? To me, the fact that the source was released shows that these people are quite serious about being taken seriously. I suppose that is better than MS assurances that they extensively tested the fix before release.
Certainly you should weigh the risks with any patch but since an "official" patch would come from the originators of the flaw (and numerous others) why should it be considered any better than an "unofficial" patch? At least these patches can be scrutinized by the outside world for problems. A MS patch will be forever hidden. The perils of closed source!
Given the fact that the average IE user would not even be aware of the flaw, how would he even know such third party patches even exist?
Most of them are going to be patched only when MS releases the patch, AND they have selected to be updated automatically.
Its a horrible situation.
1. [apple.com] and 2. [mozilla.com]
Yeah, but only number 2 "include source code for review."
If I clone myself, can I call it a thread?
If a girl winks to us, can I call it a race condition?
If it was just a testing thing, they wouldn't wait until the 2nd Tuesday of the following month. Minor patches can wait, but delaying critical patches is inexcusable.
the patch fixes the affected DLL in memory by overwriting a byte that is stored in RAM for MSHTML.DLL this begs a freaking question, should a modern OS even allow some application to modify behaviour of another application in memory, especially behaviour of a system level application, an OS DLL? I believe the patch needs to be installed from an administrator account, but even then, this doesn't mean that it is good design decision, to allow an arbitrary application to overwrite in memory code of another application. Of-course if that wasn't possible this specific patch couldn't exist, but still, the OS allows questionable application behaviour to say the least.
You can't handle the truth.
Does anyone remember the previous third-party patch to IE? This is from December of '03.
The Online Slang Dictionary
I'm missing the part where the sense is....If MS released all patches as soon as they were ready, everyone who wanted to patch right away could. If large corporate IT depts still want to patch every 2nd tuesday, they still can! Scheduled Downtime is Scheduled Downtime is Scheduled Downtime. I see no connection between when MS releases a patch and when an IT department schedules their downtime to roll that patch out. (Well, other than the fact that the patch has to come first. ;)
This whole "scheduled patching" bit really is BS. All it does is leave critical problems unpatched longer than necessary, so that managers can point to MS when bad shit happens to the network. "Well, we couldn't patch until two days after patch-day, because we needed to test the patches." works lots better than "We got fucked because I decided that it wasn't critical enough to test and deploy right away."
While I can see where it would make a lot of people more confortable to know that there is patching every third Wed or something, I just don't see the value in withholding critical patches because "they aren't scheduled yet". At the very worst, let the IT departments decide if they want to schedule additional downtime, because ultimately, they know whether it will affect their systems or not. But then again, MS knows best, all the time, doesn't it?
Velociraptor = Distiraptor / Timeraptor