Slashdot Mirror


Microsoft Releases Critical IE Patch

Laura Brown writes "Microsoft has released its security software patches for April. The most anticipated is the MS06-013 patch, which fixes several IE bugs, including the "createTextRange()" vulnerability. Hackers had been exploiting this problem by installing unauthorized software on PCs."

11 of 172 comments

  1. The Exploit by eldavojohn · · Score: 5, Informative

    If you want to know more about the exploit that this release is supposed to fix, here is a shellcoded form of it (dated 03.22.2006).

    And here's Microsoft's acknowledgement of the exploit (dated 03.23.2006).

    And here's an "expert" saying that releasing the above exploit is irresponsible (dated 03.24.2006).

    It is now 04.12.2006 and a patch is out to correct it.

    *checks his watch*

    Not bad, but your response time could use some improvement.

    --
    My work here is dung.
    1. Re:The Exploit by Ravatar · · Score: 2, Informative

      It was released on the second Tuesday of the month (April 11). Microsoft has been releasing fixes on this schedule for several months now, maybe longer. They do this so that every patch on the release board gets the full testing cycle it deserves. Microsoft rarely releases patches off-schedule now.

  2. ActiveX, Java and Flash controls may be impacted by Dynamoo · · Score: 5, Informative
    Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article with a summary of the changes, along with some links elsewhere.

    This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.

    --
    Never email donotemail@WeAreSpammers.com
  3. Re:ActiveX, Java and Flash controls may be impacte by Takeel · · Score: 4, Informative

    Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue [slashdot.org]. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article [techweb.com] with a summary of the changes, along with some links elsewhere.

    Amusingly, this behavior can be disabled with either a patch or a registry change.

  4. Re:I DLed them this AM. A question... by flight_master · · Score: 3, Informative

    Don't forget all the proprietary apps out there that use the IE ActiveX plugin!

    --
    "Free software" is a matter of liberty, not price.
  5. Re:Schedule Over Security? by shawnce · · Score: 1, Informative

    They haven't figured out how to do what? What does making it available ASAP instead of on a schedule that their major corporate customers have strongly requested have to do with "number and caliber of computer science researchers" at Microsoft?

    Regardless, they will and do perform relevant testing, which takes days to weeks depending on the scope of the change and its effects... sometimes the effects ripple out to third parties, which can further delay deployment.

    I generally don't like Windows the product or many of MS's current and prior practices, but I do understand the issue they face when releasing a patch into such a large and diverse customer ecosystem.

  6. The article's title doesn't do it justice by suv4x4 · · Score: 4, Informative

    The patch in question patches not less than 10 critical patches in IE and Windows that can be used to compromise your system.

  7. Source by Goodgerster · · Score: 2, Informative

    Downloadable immediately from here.

  8. Re:Schedule Over Security? by rbochan · · Score: 3, Informative

    ...For the number and caliber of computer science researchers Microsoft has at its disposal, and the priority they've put on increased marketing bullshit, it's strange ...

    There, fixed that for you.

    --
    ...Rob
    The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
  9. Re:Why? by J0nne · · Score: 2, Informative

    The IETab extension can switch the rendering engine within Firefox. You can even add a list of websites that should always use IE's engine. This way your users won't have to start IE separately (and probably won't even notice the switching of the engine).

    I'm not sure if you can install it automatically (through sms or whatever it's called), so it might not be practical if you have to install it on a lot of computers.

  10. Re:You mean, IE users point and laugh by Anonymous Coward · · Score: 1, Informative

    Flash ads will keep working. You need to click only if you want to start *interacting* with the object.

    Also, this "click to enable" feature can be bypassed using JavaScript. That is not a bug, Microsoft allowed this as a workaround.