Slashdot Mirror


Microsoft Releases Critical IE Patch

Laura Brown writes "Microsoft has released its security software patches for April. The most anticipated is the MS06-013 patch, which fixes several IE bugs, including the "create TextRange ()" vulnerability. Hackers had been exploiting this problem by installing unauthorized software on PCs. "

172 comments

  1. The Exploit by eldavojohn · · Score: 5, Informative

    The Exploit If you want to know more about the exploit that this release is supposed to fix, here is a shellcoded form of it (dated 03.22.2006).

    And here's Microsoft's acknowledgement of the exploit (dated 03.23.2006).

    And here's an "expert" saying that releasing the above exploit is irresponsible (dated 03.24.2006).

    It is now 04.12.2006 and a patch is out to correct it.

    *checks his watch*

    Not bad, but your response time could use some imporvement.

    --
    My work here is dung.
    1. Re:The Exploit by Ravatar · · Score: 2, Informative

      It was released on the second Tuesday of the month (April 11). Microsoft has been releasing fixes on this schedule for several months now, maybe longer. They do this so that every patch on the release board gets the full testing cycle it deserves. Microsoft rarely releases patches off-schedule now.

    2. Re:The Exploit by Billosaur · · Score: 5, Insightful

      Not bad, but your response time could use some imporvement.

      From TFA: Microsoft Corp. has released its security software patches for April...

      Microsoft has adopted the policy of "no patch before its time." These patches must be left on the vine, to ripen in the sun, until they are full of succulent flavor that brings out the best in an OS... sorry... anyway, it didn't matter how important the exploit was or that it was compromising machines left and right and letting the botnetters have a field day, Microsoft was in no rush. And you have to admit, that 3 weeks is not bad compared to some exploits which seem to be out there for months before anything is done. Now if Oracle could get their patch time down to three weeks...

      --
      GetOuttaMySpace - The Anti-Social Network
    3. Re:The Exploit by Bromskloss · · Score: 1
      The Exploit If you want to know more about the exploit that this release is supposed to fix, here is a shellcoded form of it
      Good link. Thanks. Anyone know what it does? All the code comment says is "Impact: Remote System Access", and it's hard to read the bulk data.
      --
      Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
    4. Re:The Exploit by truthsearch · · Score: 2, Insightful

      Considering the Windows Help system was exploitable for 7 years I'd say they're improving, although they still are usually too slow. Today there's no way to know how long they've been aware of any bug. They may know about an exploit for years and just never publicly notify anyone. Or they may not know until a few days before they acknowledge it. Being a closed system that they work under (both software and business) we'll never really know.

    5. Re:The Exploit by Anonymous Coward · · Score: 0

      Not bad, but your response time could use some imporvement.

      *checks his dictionary*

      Not bad, but your spelling could use some improvement.

    6. Re:The Exploit by NecroPuppy · · Score: 0, Offtopic

      We use only the finest monthly patches, dew picked and flown from Redmond, cleansed in the finest quality review process, lightly killed, and sealed in a succulent, Swiss, quintuple-smooth, treble-milk chocolate update, and lovingly frosted with reboots.

      --
      I like you, Stuart. You're not like everyone else, here, at Slashdot.
    7. Re:The Exploit by I'm+Don+Giovanni · · Score: 2, Insightful

      Being a closed system that they work under (both software and business) we'll never really know.

      And yet Mozilla/Firefox keeps security bugs off of the public bugs list until they are fixed, so you don't know how long Mozilla devs know about security bugs before fixing them either.

      --
      -- "I never gave these stories much credence." - HAL 9000
    8. Re:The Exploit by Anonymous Coward · · Score: 0

      By your very own words it took them 20 days to release a security patch. Let's be gracious to all the haters out there and add a week on to that, because chances are they knew about it beforehand and it took them that long to decide whether or not to go public on it.

      Now. You are telling me. That YOU are going to COMPLAIN that it took them a MONTH to put out a security patch, that has to comply to millions of different users on different systems, all with their own unique configurations and quirks.

      I'm no Microsoft lover, but you are being irrationally hateful here. I think that's damn speedy of them considering the factors. Do you hold yourself to this high a standard in all things you do?

    9. Re:The Exploit by Anonymous Coward · · Score: 0

      Yes, and those crafty Mozilla overlords have managed to keep all references to bugs in their software under extremely tight security by their complete and utter control over Google and the rest of the Internet.

      Crafty buggers.

    10. Re:The Exploit by mav[LAG] · · Score: 1

      That's as may be - it's still a patch.

      --
      --- Hot Shot City is particularly good.
    11. Re:The Exploit by Anonymous Coward · · Score: 0

      Actually, they had the patch done awhile ago; but they waited for their patch release schedule.

    12. Re:The Exploit by Billosaur · · Score: 1
      We use only the finest monthly patches, dew picked and flown from Redmond, cleansed in the finest quality review process, lightly killed, and sealed in a succulent, Swiss, quintuple-smooth, treble-milk chocolate update, and lovingly frosted with reboots.

      This patch should come with a big red label: "WARNING: BALLMER VOMIT!"

      Apparently levity now rates an "Offtopic"; will someone mod the parent of this reply up a bit?

      --
      GetOuttaMySpace - The Anti-Social Network
    13. Re:The Exploit by bunratty · · Score: 2, Interesting

      Brilliant idea: just look at the date the bug was opened. I know, I can't believe I figured it out on my own either! ;-)

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    14. Re:The Exploit by darkonc · · Score: 3, Interesting
      It's not that Microsoft waited until the patch was 'perfect' to release it. It's that somebody in marketing determined that it's hurting their public image to be releasing 'critical security releases' 2-3 times per week/month/day (depending on how bad the week/month/day is). Instead, they're now releasing patches on a fixed monthly schedule no matter when the fix is ready.

      This makes things easier on the marketing people who don't have to deal with complaints about security patches coming out far too often, but it also means that customers can be exposed to serious (effectively 'zero-day') exploits for up to a month at a time before MS's monthly release kicks in.

      In time, we're going to see hackers 'releasing' their exploits on the Wednesday after patch-day to maximize how many machines they can exploit before the next MS 'patch day'. It's a stupid way of 'serving your customer'.

      --
      Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  2. ActiveX, Java and Flash controls may be impacted by Dynamoo · · Score: 5, Informative
    Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article with a summary of the changes, along with some links elsewhere.

    This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.

    --
    Never email donotemail@WeAreSpammers.com
  3. Re:"Hackers" by lathama · · Score: 1

    Anyone smarter than the writer is a hacker. To quote a client: "Hackers should be jailed unless they are working for me."

    --
    The GPL, for those that truly understand.
  4. Damned if they do, damned if they do not.. by Tominva1045 · · Score: 5, Insightful



    If they don't update their products people will comment on how much they suck.

    If they do update them people will claim instability due to the number of patches.

    It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.

    You decide.

    --
    Cogito Ergo Sum
    1. Re:Damned if they do, damned if they do not.. by Foofoobar · · Score: 1

      Most open source projects of equivalent size get patched in 24 hours. Do they have more money? No. Do they have more resources? According to Microsoft, that's another no.

      So how is it that programmers working for free developing a product for free can patch faster than a multimillion dollar company with hundreds of highly paid developers?

      That's the ongoing question.

      --
      This is my sig. There are many like it but this one is mine.
    2. Re:Damned if they do, damned if they do not.. by thrillseeker · · Score: 1
      If they don't update their products people will comment on how much they suck. If they do update them people will claim instability due to the number of patches. It's a matter of perception.

      No, it's a matter of quality. If the product had been built properly in the first place this vicious cycle would never have been born. However, it was not built that way. You pay now or you pay later - but you do pay, and later always costs more.

    3. Re:Damned if they do, damned if they do not.. by Anonymous Coward · · Score: 0

      Maybe because the open source developer is not responsible if the patch / update breaks something else? And in most cases nothing else interacts with or depends on his / their code?

    4. Re:Damned if they do, damned if they do not.. by Nasarius · · Score: 2, Insightful
      Maybe because the open source developer is not responsible if the patch / update breaks something else?

      Legally, neither is Microsoft. Read your EULA.

      And in most cases nothing else interacts with or depends on his / their code?

      Yeah, nothing interacts with or depends on sendmail, or glibc, or the Linux kernel...

      --
      LOAD "SIG",8,1
    5. Re:Damned if they do, damned if they do not.. by asuffield · · Score: 1

      People are not complaining about the patches, they are complaining about the bugs. The unending stream of horribly horribly bad bugs.

      It's not news that IE is full of more security holes than a DHS project. Microsoft have had years to sort this mess out.

      Have they?

      No. We still have multiple grave remotely-exploitable security holes in IE every year.

      That's why people complain.

      Ongoing updates are not an indication of "true support". Nor are they an indication of hating Microsoft (although I admit, I find your logic for that part quite nonexistent). True support would be providing software that does not have security holes all the fricking time. You *can* get that kind of service, you just can't get it for Microsoft products (and you're going to have to pay for it, so you won't get it from many free software projects either).

  5. Re:ActiveX, Java and Flash controls may be impacte by Anonymous Coward · · Score: 0

    This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.

    Until, of course, Eolas sues them for violating their patent. Unless Eolas's plan all along was to try and extort money from Microsoft...

  6. Re:ActiveX, Java and Flash controls may be impacte by dnwq · · Score: 0

    A permanent FlashBlock-style behaviour would have an interesting effect on how e-adverts are played.

    More people might switch to pure text ads, perhaps?

  7. Third - Party Patches by Kijori · · Score: 2, Insightful

    Does anyone know whether this patch will 'play nice' with the third party patches that've been available for a while?

    I've been recommending them to anyone that was worried about the vulnerabilities. I wish Microsoft would support them; it's very difficult to convince people that the fact that Microsoft doesn't recommend them is because it's bad PR to be seen having to be helped out, and not because the code is full of viruses that destroy your PC.

    Ah well, I only use Windows for gaming anyway.

  8. I DLed them this AM. A question... by Anonymous Coward · · Score: 0

    I don't use IE, I use Firefox. Since you can't get rid of that damned IE and it's welded to the OS, I'm patching it anyway.

    But do I really need to?

    1. Re:I DLed them this AM. A question... by gregarican · · Score: 4, Insightful

      Probably. There are many hidden places in Windows where the default browser might not be Firefox. For example, if you use Microsoft Lookout and have mail message format set as HTML perhaps. Or certain other apps might launch IE when displaying HTML content too. To play it safe I would download and install the patch.

    2. Re:I DLed them this AM. A question... by flight_master · · Score: 3, Informative

      Don't forget all the proprietary apps out there that use the IE ActiveX plugin!

      --
      "Free software" is a matter of liberty, not price.
    3. Re:I DLed them this AM. A question... by Anonymous Coward · · Score: 0

      ...and Norton Antivirus, and McAfee...

    4. Re:I DLed them this AM. A question... by Anonymous Coward · · Score: 0

      Yes you can get rid of IE, I have been running Windows XP for years completely IE free. I am so tired of this myth, it is not bundled or integrated at all. You just have to dig around a bit to disable it everywhere it rears its ugly head, which is not really that hard.

    5. Re:I DLed them this AM. A question... by Tim+C · · Score: 1

      There are many hidden places in Windows where the default browser might not be Firefox.

      Essentially almost any Windows app that displays HTML and isn't either Firefox, Mozilla, Opera or Thunderbird is most likely using mshtml.dll and so is likely to be vulnerable to the exploit.

      Bottom line is that any Windows user should download and apply every IE update whether they use IE or not, as simply not using IE does not guarantee safety.
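
As an added example, not part of Tim C's post or anyone else's in this thread: a defender who wants to check the point above (that applications other than IE load mshtml.dll and therefore share its exposure) can inventory the running processes that have the engine loaded. The script below is constructed for this page; it assumes a Windows host and a PowerShell session that can read the module lists of the processes in question (processes owned by other users, or of a different bitness than the shell, are skipped rather than aborting the scan).

```powershell
# Added example (not from the thread): inventory running processes that have
# loaded mshtml.dll, the IE (Trident) HTML engine, so the exposure to IE
# rendering bugs can be assessed host-wide rather than per "default browser".
# Assumption: runs on Windows; module lists of processes the session cannot
# open (other users, different bitness) are skipped.

function Get-MshtmlHosts {
    [CmdletBinding()]
    param(
        # Module to look for; mshtml.dll is the IE rendering engine.
        [string]$ModuleName = 'mshtml.dll'
    )
    foreach ($proc in Get-Process) {
        try {
            $mods = $proc.Modules
        } catch {
            # Access denied, bitness mismatch or the process already exited.
            continue
        }
        $hit = $mods | Where-Object { $_.ModuleName -ieq $ModuleName } | Select-Object -First 1
        if ($hit) {
            [PSCustomObject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                ModulePath  = $hit.FileName
                Version     = $hit.FileVersionInfo.FileVersion
            }
        }
    }
}

# Report: one row per process that currently hosts the IE engine.
Get-MshtmlHosts | Sort-Object ProcessName | Format-Table -AutoSize
```

Run it from an elevated session to see processes of all users; the Version column shows which mshtml.dll build each process actually loaded, which is the quickest way to confirm that a patch such as the one discussed here has reached every host application and not just iexplore.exe.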

    6. Re:I DLed them this AM. A question... by flight_master · · Score: 1

      I'd like to know how, though. Here at work, we use internal software which has a browser window built in to access a task list. It's IE-based, using the ActiveX control. How would I get rid of it? ;)

      --
      "Free software" is a matter of liberty, not price.
    7. Re:I DLed them this AM. A question... by Jtheletter · · Score: 1
      There are many hidden places in Windows where the default browser might not be Firefox.

      Very true, I found one of these today, interestingly enough in Flash itself. It indicated there was an update available, and the link to describe the details of the update opened up IE despite FF being my default on this machine. Talk about a security hole: an insecure app, opening an insecure browser, all w/o checking user prefs on the machine or even alerting the user to the action before it is taken. Brilliant! (I know, dump Flash you say, but I can't for what I do on this machine, however you can bet it's not loaded on any others I own!)

      --
      -- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
    8. Re:I DLed them this AM. A question... by Cally · · Score: 1

      I just had to set up my Dad's new Dell for him - lovely hardware BTW (well, compared to the no-name crap pulled out of skips that I normally deal with, and not counting rackmount ProLiants and whatnot at work :) - but did you know that in 2006, Windows XP (which, being NT, has a full-blown proper multi-user kernel) *still* sets up a default user account as an administrator, with no password?! Couldn't believe my eyes. I was also amused to see the new Windows 'security' features, which are causing him no end of problems -- there are dialogs and popups and animated bubbles out of the toolbar demanding to know whether so-and-so program should be allowed to talk to the Internet - many of which shouldn't need to, so are presumably phoning home - amongst these is the "McAfee security centre" which, apart from trying to pressure him into buying a subscription, I noticed was using IE as its web browser. Surely that's a breach of the Trade Descriptions Act, selling "security software" that uses IE?? Anyway, in between telling him he should have got a Mac like I told him, he's good to go now with Firefox, T'bird and Open Office. (He was horrified when I explained that Word, Access and Excel aren't part of Windows, and that you have to pay an extra £250 if you want to use all his old files. And no, I can't just move the old programs onto the new computer... apart from anything else, I suspect he found some dodgy geezer to fix it at some point when I wasn't around, and he doesn't seem to have any Office install CDs... heh!) I think that's what they call a teachable moment.

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    9. Re:I DLed them this AM. A question... by Ash-Fox · · Score: 1

      If you actually spent a little time learning how directx works, you could find the IE active x component at:

      HKEY_CLASSES_ROOT\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}

      and remove it.

      You can always use ReactOS's ActiveX snap-in replacement for it, which uses the Gecko rendering engine.

      --
      Change is certain; progress is not obligatory.
    10. Re:I DLed them this AM. A question... by Ash-Fox · · Score: 1

      Oh poo, I just noticed I said 'directx' earlier when I meant 'active X'.

      --
      Change is certain; progress is not obligatory.
  9. Re:ActiveX, Java and Flash controls may be impacte by Anonymous Coward · · Score: 0
    >More people might switch to pure text ads, perhaps?


    That's crazy talk. Nobody would bother to sell those.

  10. Schedule Over Security? by eldavojohn · · Score: 4, Interesting
    They do this so that every patch on the release board gets the full testing cycle it deserves.
    Imagine you are Microsoft. This means you have nearly unlimited resources and a consumer base of astronomical proportions. I would imagine that a testing cycle could be accelerated for something as small as patches by an adequately equipped, largely staffed team of people whose sole job is to know IE inside and out and study it daily.

    The following excerpt is alarming:
    Over the past year, Mozilla averaged about 21 days before it issued fixes for flaws in Firefox, compared with the 135 days it took for Microsoft to address problems.
    I wasn't aware a cycle constituted 135 days.
    Microsoft rarely releases patches off-schedule now.
    That's interesting.

    I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security. I shall take note of that.
    --
    My work here is dung.
    1. Re:Schedule Over Security? by Tim+C · · Score: 5, Interesting

      Unfortunately Microsoft does listen to its customers, and its biggest (and loudest) customers are corporate IT departments. Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

      No, MS doesn't always release patches as quickly as they could, but in this particular case it certainly looks as though they got it out at the earliest opportunity, where this is defined as "as quickly as the largest proportion of their customer base allows them to".

      I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security.

      Blame MS for bowing to pressure from their customers; blame the corporations for bringing that pressure to bear in the first place.

    2. Re:Schedule Over Security? by 110010001000 · · Score: 0, Interesting

      They maintain the schedule to help IT Administrators, not because it is convenient to MS. The purpose of the schedule is to give the admins time to test and roll out new patches, rather than releasing patches irregularly and not being able to prepare.

      If you worked in a large IT environment you would understand this.

    3. Re:Schedule Over Security? by bunratty · · Score: 4, Interesting

      Couldn't they at least make the patch available ASAP to those who want it ASAP, and roll it out in a monthly patch cycle for those who want a monthly patch cycle? For the number and caliber of computer science researchers Microsoft has at its disposal, and the priority they've put on increased security, it's strange that they somehow haven't figured out how to do this. Is there some issue I'm not understanding?

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    4. Re:Schedule Over Security? by shawnce · · Score: 1, Informative

      They haven't figured out how to do what? What does making it available ASAP, instead of on a schedule that their major corporate customers have strongly requested, have to do with the "number and caliber of computer science researchers" at Microsoft?

      Regardless, they will and do perform relevant testing; it takes days to weeks depending on the scope of the change and its effects... sometimes the effects ripple out to third parties, which can further delay deployment.

      I generally don't like Windows the product or many of MS's current and prior practices, but I do understand the issue they face when releasing a patch into such a large and diverse customer ecosystem.

    5. Re:Schedule Over Security? by boskone · · Score: 5, Insightful

      yes...

      many exploits are made by examining the patch, so in most cases, it's better if everyone gets the patch at the same time (crackers and legitimate users) rather than the crackers getting it ahead of business users.

    6. Re:Schedule Over Security? by DrXym · · Score: 3, Insightful
      Unfortunately Microsoft does listen to its customers, and its biggest (and loudest) customers are corporate IT departments. Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

      There are probably a few issues to consider here. Whether or not a corporate wants a scheduled regular service, you can sure as hell bet they want the option to receive critical patches as soon as humanly possible. They'll wait for the other things, but critical patches should be available out of band. Secondly, there would be nothing to stop MS releasing the hotfix in the meantime via Windows Update, since most corporates don't use it anyway.

      I think it's extremely poor that MS takes so long to fix such an obvious problem. It's more reason, if any were needed, that a closed source product is no guarantee that it will be any more secure or better supported than an open source one.

    7. Re:Schedule Over Security? by Anonymous Coward · · Score: 0
      Unfortunately Microsoft does listen to its customers, and its biggest (and loudest) customers are corporate IT departments. Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.


      I really wonder about those things sometimes. Proper rollout procedures and testing notwithstanding, wouldn't it be kind of, let's say, inconvenient if someone cracked your server and stole your credit card database while you are busy processing the fix through your (obviously very lengthy) rollout procedure?
    8. Re:Schedule Over Security? by geobeck · · Score: 1, Insightful
      Unfortunately Microsoft does listen to its customers, and its biggest (and loudest) customers are corporate IT departments. Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

      I call BS on that one. It takes me five minutes to apply a patch to a test machine, and after a suitable test period it takes me another five minutes to walk into the server room, log in to the WSUS server, and approve an update.

      If I want to deploy an update off-schedule, it doesn't take a lot of time to do so. And if I don't want to deploy it off-schedule, it can just sit there on WSUS until Patch Tuesday comes around.

      Microsoft's patch schedule has nothing to do with its customers' demands, any more than Norton's ridiculous virus update schedule. Saying that they're doing it to satisfy customer requirements is like the sign at Safeway that says "For your convenience, please leave heavy items in the cart." My convenience, my ass. It's because the 16-year-old, 90-pound checkout girl can't lift the 5-gallon water jug I'm buying.

      Don't tell me you're doing something for my sake when I know you're doing it for your own business reasons.

      --
      Find environmentally and socially responsible products on http://buy-right.net
    9. Re:Schedule Over Security? by rs232 · · Score: 1
      "corporate IT departments .. have specifically demanded that patches be released on a regular schedule"
      I work in an IT department. I know of no techie that looks forward to the next round of 'patches'. In fact most/all of them hold off on installing for fear of breaking something.
      "blame the corporations for bringing that pressure to bear in the first place."
      This could have been written by the MS publicity bureau.
      Blame the corporations for the patch cycle and
      blame the competitors for MS failing to secure Windows.
      "the whole notion of improving software and making it better for users has been attacked because it makes it tough for competitors"
      Bill Gates Feb 15 2006
      --
      davecb5620@gmail.com
    10. Re:Schedule Over Security? by adarn · · Score: 1

      >Blame MS for bowing to pressure from their customers; blame the corporations for bringing that pressure to bear in the first place.

      Blame Microsoft a second time for designing their operating system to be such a nuisance to patch.

      Adarn

    11. Re:Schedule Over Security? by enosys · · Score: 2, Insightful

      However, if information about an exploit is publicly available there is no reason to not get a patch ASAP to those who want that.

    12. Re:Schedule Over Security? by YU+Nicks+NE+Way · · Score: 1, Interesting

      Actually, that's not true. A patch for a vulnerability often provides a great deal more information about the vulnerability than the original exploit, particularly because it provides malicious people with code pattern samples which might expose other exploitable code. In that regard, Microsoft's response of providing a workaround to block the attack and then providing a correct and fully tested patch later is better than providing a half-baked patch.

    13. Re:Schedule Over Security? by MarkByers · · Score: 3, Interesting

      many exploits are made by examining the patch, so in most cases, it's better if everyone gets the patch at the same time (crackers and legitimate users) rather than the crackers getting it ahead of business users.

      If there is already an exploit in the wild (with freely available source code) I really don't see how releasing a patch earlier for home users makes it *easier* to exploit.

      It's just a poor excuse for being slow to patch.

      --
      I'll probably be modded down for this...
    14. Re:Schedule Over Security? by Anonymous Coward · · Score: 0
      I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security. I shall take note of that.

      And what are you going to do about it? Stop using Microsoft products? Doubtful. Get your customers to stop using them? Even more unlikely. There is nothing in the pipeline for the next 30 years that has a hope of dethroning Microsoft's monopoly. I'm sorry to say, but you'd better get used to this.

    15. Re:Schedule Over Security? by Slime-dogg · · Score: 3, Insightful

      There is still no legitimate reason for them not to make a patch available as soon as they finish it. They can include the patch in their scheduled cycle, but they can also then cater to the early adopters, and those who don't want vulnerable systems lying around.

      --
      You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
    16. Re:Schedule Over Security? by rbochan · · Score: 3, Informative

      ...For the number and caliber of computer science researchers Microsoft has at its disposal, and the priority they've put on increased marketing bullshit, it's strange ...

      There, fixed that for you.

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
    17. Re:Schedule Over Security? by brix_zx2 · · Score: 0

      Couldn't they at least make the patch available ASAP

      I can't say that this never happens, but try it this way. If Microsoft found a vulnerability and released a fix for it the next day without their standard testing, how many patches would they have to release to fix their patches? There is already enough patching going on; that would make it worse.

      --
      "brix_zx2, What is your sole purpose in this forum!?!?!"
      "To do whatever you tell me MODERATOR!!!!"
    18. Re:Schedule Over Security? by bunratty · · Score: 1
      Regardless, they will and do perform relevant testing; it takes days to weeks depending on the scope of the change and its effects... sometimes the effects ripple out to third parties, which can further delay deployment.
      Do the testers come in only on certain days of the month? What technical reason is there for delaying patches until a certain day of the month for all users? Why not make the patches available as soon as they're tested for those who want them, and delay them until a monthly rollout for those who want a monthly rollout? Is this an unsolved research problem?
      --
      What a fool believes, he sees, no wise man has the power to reason away.
    19. Re:Schedule Over Security? by Anonymous Coward · · Score: 0

      Corporations DO get patches that aren't on a regular update cycle. It becomes increasingly more complex though, since each patch a corporation gets will be rolled up into the next cumulative security patch. There may be 15-20 separate corporate patches, all of which need individual testing.

      And security patches have been released out of band. MS triages their danger and decides for themselves how urgent the possible damage is by balancing the threat, the complexity of the exploit, whether there are any current exploits in the wild, and how deep the impact of the fix will be on your system. I would rather have one large monthly patch that contained the security fix than see 50 new patches every time I go to Windows Update. I know I'm not alone on that either.

    20. Re:Schedule Over Security? by conJunk · · Score: 1

      Not to be an MS fan boi here, but just stop and think for a minute. MS has literally hundreds of versions of their OSes. All the different language versions. There are well documented examples (ctrl-f for "polish") of specific bugs for specific language versions.

      There's a *lot* of testing that needs doing for a Windows fix.

    21. Re:Schedule Over Security? by shaitand · · Score: 1

      That depends. I see when exploit code was released into the wild and Microsoft acknowledged it. But how long before that was Microsoft made aware of the problem and refused to acknowledge it, before the developer got frustrated enough to release the code?

    22. Re:Schedule Over Security? by duh+P3rf3ss3r · · Score: 1

      The simple solution is to make the system which downloads patches more finely-grained, thereby putting the user in control of the download/patch schedule. That way, MS could post patches whenever they felt it appropriate and sysadmins would be responsible for fetching them and installing them as they (sysadmins) see fit. So, for example, a dialogue box something like this.

      How do you want to check for and download updates?
      1 Check for (Critical/Nice 2 have/Who cares?) updates and download automatically once per (minute/day/week/month/eclipse/millennium) and then (install/don't install) automatically
      2 Don't download automatically but notify me when (Critical/Nice 2 Have/Who cares?) updates are available
      3 Fuhgeddaboudit -- I'm raw!

      Of course, this is a bit simplistic for real purposes but I think you get the drift of what I mean. For command-line users, there should be a way of scheduling a command with these options using cron or whatever Windows has that has cron-like functionality.

      --
      Give a man a match: warm him for an instant. Douse him in petrol and set him aflame: warm him for the rest of his life.
    23. Re:Schedule Over Security? by LO0G · · Score: 1

      According to the MSRC blog here, here, and here, they decided not to do an OOB release because the problem was only seen on a limited number of sites and those sites were being taken down as soon as they came up.

    24. Re:Schedule Over Security? by bfischer · · Score: 0, Troll

      And then you find it causes another problem and bitch because they released it without adequate testing?

    25. Re:Schedule Over Security? by BeanThere · · Score: 3, Insightful

      Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

      Why, are those customers forced to install it as soon as Microsoft releases it? If they wanted to install it later, they are unable to do so? What's stopping them from waiting? That would not only give them the choice, but give them longer to test the patches first. Yeah I can just picture those alleged customers now: "Hey Microsoft, please give us less choice and greater delays, in fact we demand you do so"

      Stop the FUD, thanks.

    26. Re:Schedule Over Security? by BeanThere · · Score: 1

      Actually you've just made an argument for releasing sooner: If the bugs in the patches are caught sooner (because of the 'patch early adopters'), then the corporates will be protected against those exploits because they won't have installed the patches yet and the new improved patch will be out in time for their update schedule.

    27. Re:Schedule Over Security? by v1 · · Score: 1

      Nobody forces you to install patches. If you don't want to install an out of schedule patch, then don't. It's not like they're twisting your arm. Run your software update app once a month or set it to only check monthly or on whatever schedule you'd like.

      I personally prefer updates to be delivered the day they are available and tested.

      The concept of a release date means nothing here anyway. Say the next scheduled patch day is tomorrow. Say you come up with a fix today. Do you release it tomorrow? I wonder? Technically it's Patch Tuesday, so lets go for it! I don't see how this keeping to a schedule does anything to increase testing prior to release.

      If they wanted to do something like that, they'd also have to have a limit saying "we will not release a patch on patch tuesday unless it has been in its final form and unmodified/unfixed for the last two weeks." I don't think they work that way.

      Any system admin that is complaining about getting patches too often (so long as they are not having to be revised every 2 days to patch the patches!) is lazy on multiple fronts.

      If my network just happens to be getting its butt kicked by some script kiddie with a mission, who is MS to decide whether or not I need the patch now ? (sometimes the risk of even bleeding edge beta is the preferred option)

      --
      I work for the Department of Redundancy Department.
    28. Re:Schedule Over Security? by MerlTurkin · · Score: 1

      All the more reason to use ANOTHER OS. Simple.

    29. Re:Schedule Over Security? by Ravatar · · Score: 1

      It sounds like you're just looking for a poor excuse to bash their patching cycle. There is no perfect solution in this scenario, and they're pandering to the wishes of the majority of their customers.

    30. Re:Schedule Over Security? by bfischer · · Score: 1

      And then you find it causes another problem and bitch because they released it without adequate testing?

      Troll?? Pull your head out of your ass, moderator - the above post is exactly what used to happen when MS would release patches on short schedules and something would get broke for certain users.

    31. Re:Schedule Over Security? by mattsday · · Score: 1

      Yeah, because Microsoft has no risk if they release broken patches, optional or not, to its consumer base... Come on! I'm no MS fanboy, but it's easy enough to see that they risk a lot by putting out 'test' patches that haven't gone through all their QA process...

      --
      Now there's one hoopy frood who really knows where his towel is!
  11. Meanwhile... by StevenHenderson · · Score: 2, Funny

    Firefox users point and laugh...

    1. Re:Meanwhile... by dextromulous · · Score: 4, Insightful

      It's not leaked memory. See here for details. There is a difference between leaked memory (memory that is completely lost because it will never be deallocated) and caching (which is what Firefox does).

      Seriously though, if it is using 1.5 GB of memory, you probably have it to spare, otherwise it wouldn't be using it. If this is still unacceptable, you can TURN IT OFF!

      --
      There are two types of people in the world: those who divide people into two types and those who don't.
    2. Re:Meanwhile... by Anonymous Coward · · Score: 0

      I don't care what you're comparing it to, "Java applications" and "blazing fast" don't go in the same sentence. -_-

    3. Re:Meanwhile... by Anonymous Coward · · Score: 0

      Ah, yes, the "it's a feature!" response to the Firefox memory leak. Hm, leak isn't quite the right word, since it makes it sound slow and gradual. I like "Firefox memory gaping hole" better.

      But anyway, here's a good rebuttal to the "it's a feature!" response relating to memory leaks. It's not a feature. It's a bug. Opera has the same feature, and manages not to leak massive amounts of memory.

    4. Re:Meanwhile... by Rasit · · Score: 1

      If you had done some coding you should know this. It is not a bug, it is an unplanned feature.

    5. Re:Meanwhile... by m50d · · Score: 1

      And Opera users laugh at both...

      --
      I am trolling
    6. Re:Meanwhile... by dextromulous · · Score: 1

      That's a nice link you have there. I love how the "lengthy do-it-yourself process" they state is exactly this: "These memory leaks cause Firefox to not release memory that it is no longer using. 1.5.0.1 fixed several memory leaks. If you have not already, you should upgrade to this release."

      Heaven forbid you should have to upgrade a release to fix bugs, oh my!</sarcasm>

      --
      There are two types of people in the world: those who divide people into two types and those who don't.
    7. Re:Meanwhile... by Anonymous Coward · · Score: 0

      But then they realize they're actually using Opera.

    8. Re:Meanwhile... by Anonymous Coward · · Score: 0

      Now if only 1.5.0.1 fixed the massive memory leaks... The point still stands. Upgrading the browser didn't do anything, other than require recreating a profile yet again.

    9. Re:Meanwhile... by dextromulous · · Score: 1

      It could be worse, they could be anonymously ridiculing someone's browser preference on the Internet. ... or making a post to point that out, whoops!

      --
      There are two types of people in the world: those who divide people into two types and those who don't.
    10. Re:Meanwhile... by is+as+us+Infinite · · Score: 0

      So then the fact that Opera has the same functionality without a massive memory footprint is negligible?
      I use, and love, FF, but the memory usage is absurd compared to Opera. It might not be leaked memory, but it's certainly bad programming.

      --
      Quidquid latine dictum sit, altum sonatur. . . . . . . .
  12. Then don't release buggy, insecure products by Anonymous Coward · · Score: 0

    And Microsoft wouldn't have that problem, now would they?

  13. The Bob Damn them. by ackthpt · · Score: 2, Interesting
    If they don't update their products people will comment on how much they suck.
    If they do update them people will claim instability due to the number of patches.
    It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.
    You decide.

    I hate the fact I have to purchase anti-viral software even though I exercise great care in what I download, install, execute, etc.

    I hate the fact that I have to download patches frequently, which are massive files and I'm still on a dial-up so they can take hours.

    I hate knowing something is running on my computer, chewing up CPU time, but because the way the task manager works I can't really see everything that's in memory and running.

    The Bob damn them and their monolithic view of the world.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:The Bob Damn them. by sremick · · Score: 3, Insightful

      "I hate the fact I have to purchase anti-viral software even though I exercise great care in what I download, install, execute, etc.

      I hate the fact that I have to download patches frequently, which are massive files and I'm still on a dial-up so they can take hours."


      Actually, you don't. Because you don't "have to" run Windows. Seriously. I'm not trying to be a prick, but to emphasize that somewhere along the line, the user (you) is choosing to run Windows, so you are choosing to take on all these burdens in the process. You can rid yourself of them simply by choosing any of the other increasingly popular OSes out there. Yes it'd be work. Yes the transition might incur costs. Yes you might have to switch apps, convert data, retrain. But you are choosing to do it or not do it, regardless. You can choose the one-time painful conversion, or choose to remain in the eternal servitude to the pains of your status quo.

      Your choice.

    2. Re:The Bob Damn them. by Anonymous Coward · · Score: 0

      If users really had a choice, wouldn't all those anti-trust lawsuits have been tossed out? Or are you going to argue that MS has a monopoly AND users have a choice? You can't have it both ways.

    3. Re:The Bob Damn them. by westlake · · Score: 1
      I hate the fact that I have to download patches frequently, which are massive files and I'm still on a dial-up so they can take hours.

      Microsoft releases most patches on the second Tuesday of each month.

      The patches are generally small (under 1 MB) and can be automatically downloaded in the background. Let the program do its job and install when you are ready.

    4. Re:The Bob Damn them. by neoform · · Score: 1

      tell that to your boss when he asks you why you don't wanna use the same OS as everyone else at work..

      --
      MABASPLOOM!
    5. Re:The Bob Damn them. by sremick · · Score: 1

      Since slavery is illegal in most countries, I'm pretty sure you chose your job as well. If you don't like it, find a new job. Otherwise, it still comes down to your own choice. There are plenty of places looking for Mac/Linux/BSD geeks.

      I work with Windows at my own job. But I don't pretend that I'm "forced". I chose my job based upon pay, location, etc. I choose to put up with the headaches as a balance taking everything else into account. But no one is holding a gun to my head.

      Like I said before... you don't "have to". Somewhere along the line, it's your own choice.

  14. How much longer is this going to be NEWS? by ink · · Score: 2, Interesting

    All software companies fix bugs all the time. Why do we have to have a story every time a bug is fixed in IE or Firefox...? It boggles the mind.

    --
    The wheel is turning, but the hamster is dead.
    1. Re:How much longer is this going to be NEWS? by castoridae · · Score: 5, Insightful

      Why do we have to have a story every time a bug is fixed in IE or Firefox...?

      Because Slashdorks like ourselves keep reading them and posting comments. You can bet if people stopped reading & commenting, the editors would stop posting these stories.

    2. Re:How much longer is this going to be NEWS? by alphasubzero949 · · Score: 1

      You must be new...oh...uhm...never mind.

    3. Re:How much longer is this going to be NEWS? by Cally · · Score: 1
      I used to post lots of comments. Now, I never post.

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  15. Re:ActiveX, Java and Flash controls may be impacte by Tackhead · · Score: 2, Funny
    > Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article with a summary of the changes, along with some links elsewhere.
    >
    >This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.

    So for the first time in history, IE's more secure out of the box than Firefox and Opera?

    "Microsoft: Where information security is the 521,000,001st priority."

  16. Re:ActiveX, Java and Flash controls may be impacte by Metabolife · · Score: 0

    Also bundled is fix to any software installed by the hackers. To quote the Microsoft Rep: "There were certain products installed by evil people before this fix was released. We made sure anyone who was affected by this firefox virus had it removed and cleaned from their system. We at Microsoft strive to make sure our software is secure"

  17. Why can't we all have portage by BoredWolf · · Score: 3, Interesting

    Would it not be better for MS to release individual patches as they are deemed (and I use this word loosely) stable? I can understand the reasoning behind a monthly update, but so many individual users are set for auto-updates. Also, businesses could then install the patches they deem necessary, while avoiding or reverting from patches which cause problems on their networks. This method would prevent the 1-month window (or longer in the case of Service Packs) that hackers have for exploiting a known vulnerability.

    --
    "Bad times have a scientific value. These are occasions a good learner would not miss." ~ Ralph Waldo Emerson
    1. Re:Why can't we all have portage by flight_master · · Score: 1

      I agree, but this is part of Microsoft's business strategy. To one point, it actually helps. I admin quite a few Win2K3 servers, and having all the patches on one day allows me to go about patching once a month, as opposed to every few days. Just my $0.02

      --
      "Free software" is a matter of liberty, not price.
    2. Re:Why can't we all have portage by BoredWolf · · Score: 1

      I understand the problems with updating servers that you point out. To compare to Linux: you've got your portage tree updates. You don't have to sync every single day and do world updates, but you can if you want. You have options! With this method, you could select which patches you want to implement on a case-by-case basis. When I was working IT a few years back, we NEVER installed Windows Service Packs because of all the known issues with them. If you could break them up into individual patches, you could test them in a contained environment to see what played well with your system and what didn't, then implement your own 'service packs' based on your department's needs/preferences. MS would be smart to realize that they are beginning to make a product that is too large and diverse for them to maintain within a reasonable time frame, and that other groups will eventually capitalize on this by creating their own patches (IE 7, for example). If they would consider moving from their set monthly update scheme, more companies might be willing to upgrade their PCs (from 2000 to XP, let's say). No matter how functional, diverse, or inventive your product is, it isn't worth a penny if you can't fix it when it breaks.

      --
      "Bad times have a scientific value. These are occasions a good learner would not miss." ~ Ralph Waldo Emerson
    3. Re:Why can't we all have portage by Keeper · · Score: 1

      Microsoft used to do this: patches were released the instant they left QA. It doesn't work the way you'd hope it to.

      The instant you release a patch, you're in a race between "l33t haxx0rs" reverse engineering the patch and the customers applying the patch. Now, this doesn't seem like a big deal when you've just got a single patch you release.

      Imagine for a moment you've got 1 patch released per day, every day, for a week. Now imagine how quickly it takes your customer to apply, validate, and deploy each of those patches ... note that patches are released faster than a customer can apply, validate, and deploy each patch.

      The net result is that the act of releasing patches as they're available gives the black hats a larger window to reverse engineer and exploit the unpatched binary. For proof, go back a few years and read about the blaster worm.

      Now, is this true in all cases (or, specifically in cases where exploits have been made public)? No. However, you still end up with the patch arrival/test collision regardless, and lots of unhappy customers in the process. Microsoft has stated that they would release a patch out of cycle for certain types of problems (i.e. a publicly disclosed remote attack), but in cases where it requires the user to actively "do" something to be attacked I don't blame them for sticking to the cycle.

    4. Re:Why can't we all have portage by Ash-Fox · · Score: 1

      > To compare to Linux: you've got your portage tree updates.

      But people who run servers tend to use: Redhat, Debian, Fedora, SuSE, Mandriva more so than Gentoo. In fact, I've never seen a Gentoo server in a commercial setup before.

      --
      Change is certain; progress is not obligatory.
  18. Re:ActiveX, Java and Flash controls may be impacte by Takeel · · Score: 4, Informative

    Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue [slashdot.org]. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article [techweb.com] with a summary of the changes, along with some links elsewhere.

    Amusingly, this behavior can be disabled with either a patch or a registry change.

  19. Concerning date formats by Bromskloss · · Score: 1

    There was a great post about it.

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
  20. Re:ActiveX, Java and Flash controls may be impacte by Gabest · · Score: 0

    If I use firefox, how can I enforce the patent law on myself as a good citizen? Wait... I don't even live in the USA, why do I have to get this "fix" in the first place?

  21. My question about TFA is by guzzirider · · Score: 1

    At what point do the authors of this information just do a search and replace on the last news release for the last patch (last month, last week, yesterday, 5 minutes ago ...)? TFA kind'a looks like a filled-out form ...

    My other question is when does M$ release the patch that changes activation codes to valid credit card numbers. ?? I guess they could do a rural version that uses the modem to call a 1 - 900 - xxx xxxx

  22. A fix was released long ago by Jugalator · · Score: 4, Funny

    Download here

    OK, OK, so I wanted to be different from those "get Firefox" jokes!

    --
    Beware: In C++, your friends can see your privates!
    1. Re:A fix was released long ago by cheaphomemadeacid · · Score: 0

      Why bother with lynx? telnet or netcat should do the job just fine, parsing html in your mind isn't THAT hard, and there are many many other good things about this approach. Security will be maximum, you'll never have those annoying popups again, no commercials of any kind, no porn (well except ascii porn that is), childsafe and besides it will stop paedophiles in a yet unknown way! I suggest we lobby legislation to forbid ANY http client except telnet, think about the children!

    2. Re:A fix was released long ago by WilliamSChips · · Score: 1
      Security will be maximum
      No it won't
      --
      Please, for the good of Humanity, vote Obama.
    3. Re:A fix was released long ago by Anonymous Coward · · Score: 0

      Except that there aren't any current Windows binaries for Lynx available...

  23. eEye Patch Failed to Uninstall by Anonymous Coward · · Score: 0
    Although eEye's patch claimed it would uninstall itself, it failed to do so. Their website claims:
    "eEye's patch is not meant to replace the forthcoming Microsoft patch, but to provide immediate protection in lieu of an available fix. In fact, eEye has engineered the patch to automatically remove itself when Microsoft's official patch comes through."[emphasis added]
    Only, don't look now, but...it's still there. Start - Settings - Control Panel - Add or Remove Programs - "eEye Digital Security Jscript Patch". There it sits. I'm running XP Pro SP 2 - 32 bit edition, with every single patch applied. So, if it didn't remove itself from mine, I'm guessing it didn't remove itself from a lot of other computers.

    eEye Screws the Moose
  24. A monolithic, interdependent OS is *better*? by Anonymous Coward · · Score: 0

    Or are you just pointing out another one of the faults of a monolithic operating system where every damn thing is interdependent and with all kinds of irrelevant apps stuffed into kernel space?

    The fact that such interdependence makes it impossible to keep working properly?

  25. Re:ActiveX, Java and Flash controls may be impacte by palndron · · Score: 1

    The change isn't about security, at least the ActiveX click-to-activate one is not. It is compliance with the patent dispute with Eolas.
    They have bundled it WITH the security rollup.

    --
    a man, a plan, a canal, panama
  26. Why? by Conspiracy_Of_Doves · · Score: 0, Troll

    Why the hell is anyone still using IE?

    1. Re:Why? by geobeck · · Score: 3, Insightful
      Why the hell is anyone still using IE?

      Unfortunately, it's because of corporate inertia. Take my company, for example. I'm the IT department (no, that's not a typo) for a small Canadian company that is owned by a large European company. I've removed the big 'e' from everyone's desktop, installed Firefox, and told everyone to use it.

      Unfortunately, we have a couple of applications we can only use through a centrally-administered terminal server environment. That environment includes IE. And of course the corporate IT guys can't replace Internet Exploiter because "It's a corporate standard," meaning the CIO is a manager, not a tech, and won't let them install "unlicensed" software. ("How can it be properly licensed if we don't pay for it?" ... "Free software is never free for business use!", etc.)

      --
      Find environmentally and socially responsible products on http://buy-right.net
    2. Re:Why? by J0nne · · Score: 2, Informative

      The IETab extension can switch the rendering engine within Firefox. You can even add a list of websites that should always use IE's engine. This way your users won't have to start IE separately (and probably won't even notice the switching of the engine).

      I'm not sure if you can install it automatically (through SMS or whatever it's called), so it might not be practical if you have to install it on a lot of computers.

  27. Name change proposal by Spy+der+Mann · · Score: 4, Funny

    Let's rename "Internet Explorer" to "Apache Browser". After all, it's becoming "A patchy" browser! :D

    1. Re:Name change proposal by revlayle · · Score: 1

      argh... NOoooooooooooooooooo... oh, for the love of every thing decent.... i have been punned to death... *thud*

    2. Re:Name change proposal by Anonymous Coward · · Score: 0

      Let's rename "Internet Explorer" to "Apache Browser". ...so Tuttle OK's city manager can go ballistic again? "YOU HACKED MY BROWSER DAMMIT!!!~! I INSIST YOU FIX IT OR I WILL CALL THE FB1!!!!!!~!!

  28. Scheduled updates seem counter-intuitive by multiOSfreak · · Score: 3, Insightful

    I understand that MS releases patches on a scheduled, monthly basis because lots of corporate IT departments demanded it (to make their jobs easier). I understand that; there's at least some logic to it.

    What I don't get is why everyone else in the world has to have their system unprotected for an extra couple of weeks. Why can't MS release the patches when they are "stable" and let the IT departments schedule their own updates as frequently or infrequently as they see fit? And further, is scheduling really *that* much more important than security for large companies?

    1. Re:Scheduled updates seem counter-intuitive by Overly+Critical+Guy · · Score: 1

      I understand that MS releases patches on a scheduled, monthly basis because lots of corporate IT departments demanded it (to make their jobs easier). I understand that; there's at least some logic to it.

      I don't think there's logic to it; as you point out, the patches should come out when they're ready. If IT departments want a monthly schedule for patches, they should set one themselves. Why do they have to have Microsoft do it? Nobody's forcing them to install patches right away.

      --
      "Sufferin' succotash."
    2. Re:Scheduled updates seem counter-intuitive by m50d · · Score: 1

      Once a patch is out, every script kiddie on the planet can see what it fixes and exploit it. Until then you're only vulnerable to the moderately skilled.

      --
      I am trolling
    3. Re:Scheduled updates seem counter-intuitive by limabone · · Score: 1

      I agree. Release the patches when they are ready, and let the companies decide when to patch by implementing WSUS in their site:
      http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
      This way everyone gets what they want. Home users can be protected immediately, for corporate users using WSUS, they get to maintain their status quo. This would even be better for some corporate users who would like to patch quicker.

    4. Re:Scheduled updates seem counter-intuitive by TheRaven64 · · Score: 1

      The theory goes that a lot of exploits are generated by running diffs of the pre- and post-patched versions of files. If MS releases patches in an ad-hoc fashion, then there is likely to be a longer delay between releasing the patches and them being applied. This delay is the time in which most MS malware strikes. By releasing them on a regular schedule, they are able to minimise this delay (since everyone schedules time to apply MS patches).

      --
      I am TheRaven on Soylent News
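
    The two comments above (Keeper's "race between l33t haxx0rs reverse engineering the patch and the customers applying the patch" and TheRaven64's "running diffs of the pre- and post-patched versions of files") describe a mechanism without showing it. The following is an added example, not code from the thread or from Microsoft: a toy byte-level patch diff over two constructed blobs that stand in for the pre- and post-patch copies of one function. The x86 bytes, the function layout and the "missing bounds check" story are all constructed for illustration and have nothing to do with the real MS06-013 binaries. Real patch diffing works at the disassembly/function level (matching functions, then comparing control flow), but the principle is the same: the patch itself tells an attacker exactly which check was missing, and therefore where the bug is.

    ```python
    """Toy patch diff: locate what a security fix changed in a binary.

    Added example, not from the Slashdot thread. OLD_FUNC and NEW_FUNC are
    constructed stand-ins for the pre- and post-patch copies of one
    function; they are not real Internet Explorer code.
    """
    import difflib

    # Constructed "before": reads a caller-supplied length and copies into a
    # 16-byte stack buffer with no bounds check.
    OLD_FUNC = bytes.fromhex(
        "55 8b ec"          # push ebp; mov ebp, esp
        "8b 45 08"          # mov eax, [ebp+8]    (length from caller)
        "8b 4d 0c"          # mov ecx, [ebp+0Ch]  (source pointer)
        "8d 55 f0"          # lea edx, [ebp-10h]  (16-byte stack buffer)
        "e8 00 00 00 00"    # call copy_bytes     (placeholder rel32)
        "5d c3"             # pop ebp; ret
    )

    # Constructed "after": same function with a compare/branch inserted before
    # the copy, plus a small "reject" tail that the branch jumps to.
    NEW_FUNC = bytes.fromhex(
        "55 8b ec"
        "8b 45 08"
        "83 f8 10"          # cmp eax, 10h        <- the added bounds check
        "77 0d"             # ja  reject          <- the added branch (+13)
        "8b 4d 0c"
        "8d 55 f0"
        "e8 00 00 00 00"
        "5d c3"
        "33 c0"             # reject: xor eax, eax
        "5d c3"             # pop ebp; ret
    )


    def diff_bytes(old: bytes, new: bytes):
        """Return the regions that differ between two byte strings.

        Each entry is (tag, old_offset, new_offset, old_chunk, new_chunk),
        with tag one of 'insert', 'delete' or 'replace'. SequenceMatcher
        aligns the sequences, so an inserted check shows up as one small
        'insert' region instead of shifting every later byte into a
        spurious 'replace'.
        """
        sm = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
        return [
            (tag, i1, j1, old[i1:i2], new[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes()
            if tag != "equal"
        ]


    def describe(regions):
        """Render diff regions as one hex line each, for a quick read."""
        lines = []
        for tag, old_off, new_off, old_chunk, new_chunk in regions:
            lines.append(
                f"{tag:7s} old+{old_off:<3d} new+{new_off:<3d} "
                f"-[{old_chunk.hex(' ')}] +[{new_chunk.hex(' ')}]"
            )
        return lines


    if __name__ == "__main__":
        # Only the inserted check and the reject tail differ; the attacker now
        # knows the length argument was never validated in the old build.
        for line in describe(diff_bytes(OLD_FUNC, NEW_FUNC)):
            print(line)
    ```

    Running it prints two `insert` regions: the five bytes of `cmp eax, 10h; ja reject` at old offset 6 and the four-byte reject tail at the end. Everything else aligns, which is exactly the signal a patch-diffing attacker looks for: a newly added comparison immediately before an existing call is a strong hint that the call was reachable with an unchecked argument.
    
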
    5. Re:Scheduled updates seem counter-intuitive by JohnnyCannuk · · Score: 1

      I got news for you, script kiddies and crackers have been exploiting this since before it was an advisory.

      Most of them can go to places like this to get the exploit. And if it is here, its been floating around the underground or IRC for a lot longer.

      Releasing the patch sooner will protect more people. Holding off makes no sense. Once it's patched no one can use it.

      --
      Never by hatred has hatred been appeased, only by kindness - the Buddha
    6. Re:Scheduled updates seem counter-intuitive by JohnnyCannuk · · Score: 1

      http://www.milw0rm.com/

      Damn /. there is the link I was referring to.

      --
      Never by hatred has hatred been appeased, only by kindness - the Buddha
  29. The article's title doesn't do it justice by suv4x4 · · Score: 4, Informative

    The patch in question fixes no less than 10 critical bugs in IE and Windows that can be used to compromise your system.

    1. Re:The article's title doesn't do it justice by Cally · · Score: 1
      To be precise, the IE patch (MS06-013, in fact) fixes ten security bugs, but only eight of them allow remote code execution.

      Mind you, MS released four other Security Bulletins today, two of which are remote code execution / rated 'critical' bugs. One's in Windows Explorer, the other's in MSDAC, some data access middleware crap that's also remotely exploitable.

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  30. gmail invite by IamGarageGuy+2 · · Score: 1

    can't figure out your email address - u want one send me a request at tedbirmingham at gmail.com.

    --
    Stay tuned for new sig...
    1. Re:gmail invite by Bromskloss · · Score: 1
      can't figure out your email address
      I had to think twice on that one too. :-) You should apparently read it backwards. (An invitation has been sent, btw.)
      --
      Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
  31. open source projects of equivalent size? by way2trivial · · Score: 1

    Like- what? that has to be compatible with every pc configuration, with every software configuration, quite literally, known to man.

    1st, what OSP is on par for raw bytes & complexity... to the Windows OS?
    2nd- which of that subset gets patches in 24 hours
    3rd- how often do these "right out the door" patches cause loss of functionality, for a subset of users, as (my line one above) every system configuration possibility was considered in the patch, that is still just works?

    it's kinda herculean if you think about it..

    --
    every day http://en.wikipedia.org/wiki/Special:Random
    1. Re:open source projects of equivalent size? by Moofie · · Score: 1

      So these highly paid developers have developed something that they can't support.

      And I'm supposed to give them money, why exactly?

      --
      Why yes, I AM a rocket scientist!
    2. Re:open source projects of equivalent size? by Anonymous Coward · · Score: 0

      And I'm supposed to give them money, why exactly?

      You don't. You choose to.

    3. Re:open source projects of equivalent size? by Foofoobar · · Score: 1

      Below are the answers to your obviously rhetorical question...

      1. Apache, Linux, MySQL, Postgres, Sendmail, OpenExchange, SugarCRM, etc etc. The list goes on and on
      2. Apache, Linux, MySQL, Postgres, Sendmail, OpenExchange, SugarCRM, etc etc. They were even recently recognized for it in a government research document which stated that 24 hours was an average and that they even get patched faster on some systems.
      3. According to the same government document, hardly ever. Patches on open source projects generally reduce the number of bugs in code (rather than increasing them *cough*microsoft*cough*)

      It's not herculean to do it right the first time and continue to do it right. It's called doing your job.

      --
      This is my sig. There are many like it but this one is mine.
  32. Re:ActiveX, Java and Flash controls may be impacte by Anonymous Coward · · Score: 0

    From the Techweb article: ...In other words, music won't play or a Flash component won't launch...

    Thank you, Eolas!

  33. Source by Goodgerster · · Score: 2, Informative

    Downloadable immediately from here.

  34. Re:"Hackers" by kubevubin · · Score: 0, Offtopic

    You know, considering the fact that Slashdot doesn't appear to have a dedicated Microsoft section, I find it rather amusing that any potentially negative Microsoft news gets posted.

  35. Yawn by berenixium · · Score: 0, Troll

    Oh, another one?

    Still saving for The Switch...

    1. Re:Yawn by Bromskloss · · Score: 2, Funny

      Still saving for The Switch...

      Come on, hop on the train and go for free software. No savings needed!

      --
      Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
  36. Re:"Hackers" by nocaster · · Score: 0

    I thought Slashdot *was* a dedicated Microsoft section.

  37. Re:ActiveX, Java and Flash controls may be impacte by suv4x4 · · Score: 1

    "Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate."

    To solve the issues with Flash, check out my sig. It's free.

  38. A way to fix IE?? by ssego · · Score: 1

    You mean they finally released an uninstaller???

  39. I don't get it by penguin-collective · · Score: 1

    This is "News for Nerds. Stuff that Matters."; a serious IE exploit seems to fit neither category.

    1. Re:I don't get it by Anonymous Coward · · Score: 0

      On the contrary; if you pull your head out of your Linux-fanboy ass, you would see that it fits both.

    2. Re:I don't get it by Anonymous Coward · · Score: 0

      As a Linux fanboy, I actually like to see every single critical vulnerability in IE shouted from the roofs.

      However, as a reader, I have to say: those happen so regularly that they can't be considered "news" anymore, and reporting them doesn't matter anymore because it's not going to affect anybody's behavior anymore.

  40. not an automatic FlashBlocker by Tumbleweed · · Score: 1

    A permanent FlashBlock-style behaviour would have an interesting effect on how e-adverts are played.

    Unfortunately, this won't act as an automatic FlashBlocker. It disables _interacting_ with the ActiveX component until it's activated. So all those lovely ads will still load and play automatically; you just won't be able to click on, say, movie volume or playback controls until you've authorized it. Basically the worst of both models, really. Sucks to be IE. *shrug*

  41. not in 24 hours, no by way2trivial · · Score: 1

    but rather, after testing, and validating- then they support it.

    how much do you pay for OS updates?

    --
    every day http://en.wikipedia.org/wiki/Special:Random
    1. Re:not in 24 hours, no by Moofie · · Score: 1

      After months and months of sometimes ineffective testing and validating (their patches still break a LOT of stuff), they charge you insane $$ for lousy support.

      I pay for the OS, which allegedly includes updates.

      I should say that I don't pay for squat...I buy Macs for my own use. Their updates seem to work just fine, and there are far fewer of them (both in number and scope).

      --
      Why yes, I AM a rocket scientist!
  42. Grammar! by slavemowgli · · Score: 1

    Argh:

    "Hackers had been exploiting this problem by installing unauthorized software on PCs."

    No, no, no. The fact that "hacker" isn't the correct term to use here anyway notwithstanding [1], people have been installing unauthorised software on PCs by exploiting this problem, NOT the other way around.

    1. Feel free to whine that the general public does use the word "hacker" that way if you want to, but this is Slashdot, and I think we can expect a somewhat higher standard here.

    --
    quidquid latine dictum sit altum videtur.
    1. Re:Grammar! by AME · · Score: 1

      but this is Slashdot, and I think we can expect a somewhat higher standard here.

      Funniest thing I've read all week. Thanks for that!

      --
      "I have a good idea why it's hard to verify programs. They're usually wrong." --Manuel Blum, FOCS 94
  43. MS by certel · · Score: 0

    Does this seem like an increasingly recurring event to anyone else?

  44. Re:ActiveX, Java and Flash controls may be impacte by TubeSteak · · Score: 1

    This won't affect IE6 on Windows 2000

    That's good. I just updated from SP2 to SP4 & had to deal with >30 SP4 specific patches.

    Is it possible that (for Win2k at least) staying a bit behind in the service pack game could afford you a bit of protection?

    Either the exploit is going to affect only the latest SP, or MS is going to write a patch for all versions. In the first case, you can ignore the exploit and go about your way, and in the second case, you weren't any safer than the up-to-date people.

    Though, if I was doing a fresh install today, I'd be using a CD with the current service pack already present.

    --
    [Fuck Beta]
    o0t!
  45. You mean, IE users point and laugh by koweja · · Score: 1

    So basically it's going to make it more difficult to see obnoxious flash ads take over websites as soon as a page is loaded. And in the rare chance you actually want to see a flash or java object, you have to click a button. Sounds like MS should toss this on the feature list.

    1. Re:You mean, IE users point and laugh by Bromskloss · · Score: 1

      So basically it's going to make it more difficult to see obnoxious flash ads take over websites as soon as a page is loaded. And in the rare chance you actually want to see a flash or java object, you have to click a button. Sounds like MS should toss this on the feature list.

      Click a button in the way us firefoxers already can do, you mean?

      --
      Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
    2. Re:You mean, IE users point and laugh by StevenHenderson · · Score: 1
      So basically it's going to make it more difficult to see obnoxious flash ads take over websites as soon as a page is loaded. And in the rare chance you actually want to see a flash or java object, you have to click a button. Sounds like MS should toss this on the feature list.

      Gee, I wonder where they got that idea?

    3. Re:You mean, IE users point and laugh by Anonymous Coward · · Score: 1, Informative

      Flash ads will keep working. You need to click only if you want to start *interacting* with the object.

      Also, this "click to enable" feature can be bypassed using JavaScript. That is not a bug, Microsoft allowed this as a workaround.

    4. Re:You mean, IE users point and laugh by Ash-Fox · · Score: 1

      Konqueror has had this for ages for *every* plugin. Which I prefer.

      --
      Change is certain; progress is not obligatory.
  46. Re:ActiveX, Java and Flash controls may be impacte by araemo · · Score: 1

    Overall, I'm fine with that. I'm actually used to that behavior - I use scriptblock for firefox at home, and flashblock at work. I LIKE not seeing active content when I don't want to.

    I do NOT look forward to the calls I get the day after we deploy this patch at work though.. "My internet doesn't work!".

  47. Re:ActiveX, Java and Flash controls may be impacte by Anonymous Coward · · Score: 0
    > The change isn't about security, at least the ActiveX click to activate one is not. It is compliance with the patent dispute with Eolas.

    ...the judgement for which was $521 million dollars, which is why the OP described security as Microsoft's 521,000,001st priority.

  48. Microsoft Releases Critical IE Patch...(revised) by Keweenaw · · Score: 0, Redundant

    Microsoft releases its newest IE patch today. It is codenamed Firefox and can be downloaded at http://www.mozilla.com/firefox/. ;) Sorry, couldn't resist. ...and now back to our regularly scheduled program.

  49. At least it's easy to find... by Anonymous Coward · · Score: 0
    As one who has long preferred to install MS patches manually and extremely selectively, I continue to be less than impressed with Microsoft's magnificent site search engine ... :)

    Sorry, we couldn't find any pages containing ms06-013.

    Some Search Tips:

            * Make sure all words are spelled correctly.
            * Try different keywords.
            * Search the Web with MSN Search.
  50. Didn't work for me. by antdude · · Score: 1

    I use Siebel products, and it didn't fix my issues. IE still continued to freeze. Had to remove KB912812 update and reboot. :(

    Also, note that it mentioned Java with ActiveX.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  51. Re:The NEW Exploit by Anonymous Coward · · Score: 0

    Microsoft: New 'critical' security flaws detected

    Wednesday, April 12, 2006; Posted: 11:59 a.m. EDT (15:59 GMT)

    SAN FRANCISCO, California (Reuters) -- Microsoft Corp. Tuesday warned of three "critical" security flaws in its Windows operating system that could allow attackers to take control of a computer.

    Microsoft, the world's top software company whose Windows operating system runs on 90 percent of the world's computers, issued patches to fix the problems as part of its monthly security bulletin.

    http://www.cnn.com/2006/TECH/ptech/04/12/microsoft.security.reut/index.html

  52. They damned themselves in 1997... by argent · · Score: 1

    They shipped Active Desktop, which is where they started integrating IE (or rather, the HTML control that's almost the whole of IE) so deeply into the OS that it couldn't be disabled or removed without heroic measures, in 1997.

    Every new OS release since then has been an opportunity for them to step back from the brink and turn IE into just another application. Not only have they not turned back, but they have run faster and faster with every step.

    I wish them joy of their damnation, their salvation is in no-one's hands but their own.

  53. How does Apple compare? by v1 · · Score: 1

    I hear a lot of noise about MS patches and "Patch Tuesday" curse words, but no one has much to say about Apple's patch schedule. Now I realize there are a lot less security updates from Apple, but that's another debate for another thread. What do people think of Apple's timeliness in the release of security updates? Have they been known to drag their feet on releasing, or maybe are they showing some hustle?

    --
    I work for the Department of Redundancy Department.
  54. Another dup? by chrism238 · · Score: 1

    Well this patch is very likely original, but isn't this Subject line and the Contents another perennial duplicate?

  55. Let's check by way2trivial · · Score: 1

    the windows installer for apache is 4.2 mb; I can't actually determine its size-
    the download for sendmail is 1.89 MB
    postgres is 22mb
    these are single purpose- using system calls- apps..
    they aren't OS's (except for linux) and do any of those come close to 1.5 gigabytes of code/apps/parts?

    re-read my list of challenge requirements for #1.. what OSP is on par for raw bytes & complexity... to the windows OS?

    I can't vet "linux" as there is no "one linux" to compare against- and none of them come 'core' with as many features INCLUDED in the OS as microsoft- the same functionality is available, I grant you- but not 'stock model'- as add-ons you can add as you determine your need.

    this means however that a windows patch has to play nicely with all the other 'stock model' features.. which is my point- there is nothing more complex- serving more people- that makes it so unreasonable that a testing cycle is required to make sure that it won't break compatibility with some bizarre element 4 OS bits removed (but part of windows) over from the site of the problem.

    --
    every day http://en.wikipedia.org/wiki/Special:Random
    1. Re:Let's check by Foofoobar · · Score: 1

      These projects have been in use for longer than Microsoft's products, and are bundled with ALL Linux distros, making most Linux distros have equivalent functionality and even exceeding functionality in some cases.

      Now if you want to say the projects are not equivalent due to the lines of code used, that's just plain stupid. Good code takes fewer lines whereas bad code can go on forever and ever.

      Every engineer knows that to build a better mousetrap, you don't make it more complex... you simplify.

      Linux and those open source applications are engineering marvels in simplification in the fact that they compete and beat standard models and are still more secure and stable.

      --
      This is my sig. There are many like it but this one is mine.
  56. Perhaps we'll never agree by way2trivial · · Score: 1

    Yes, I consider the total size of the codebase to be patched a consideration.
    yes, microsoft code is likely bloated and inefficient
    But the featureset, and functionality- is an order of magnitude or more complex than "SENDMAIL"

    the simple fact (I see) is that -a patch for a microsoft OS, with all the variables it can affect- is a much greater undertaking- with greater needs for getting it right the first time- than for most any other software available..

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  57. Hotfix 908531 BROKEN by Kobold+Curry+Chef · · Score: 1

    The Windows Explorer patch (KB 908531) is broken. It causes Office and IE massive problems in saving and opening files.