Slashdot Mirror


Microsoft Releases Critical IE Patch

Laura Brown writes "Microsoft has released its security software patches for April. The most anticipated is the MS06-013 patch, which fixes several IE bugs, including the "createTextRange()" vulnerability. Hackers had been exploiting this problem by installing unauthorized software on PCs."

18 of 172 comments

  1. Damned if they do, damned if they do not.. by Tominva1045 · · Score: 5, Insightful



    If they don't update their products people will comment on how much they suck.

    If they do update them people will claim instability due to the number of patches.

    It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.

    You decide.

    --
    Cogito Ergo Sum
    1. Re:Damned if they do, damned if they do not.. by Nasarius · · Score: 2, Insightful
      > Maybe because the Opensource developer is not responsible if the patch / update breaks something else?

      Legally, neither is Microsoft. Read your EULA.

      > And in most cases nothing else interacts with or depends on his / their code?

      Yeah, nothing interacts with or depends on sendmail, or glibc, or the Linux kernel...

      --
      LOAD "SIG",8,1
  2. Third-Party Patches by Kijori · · Score: 2, Insightful

    Does anyone know whether this patch will 'play nice' with the third party patches that've been available for a while?

    I've been recommending them to anyone that was worried about the vulnerabilities - I wish Microsoft would support them, it's very difficult to convince people that the fact that Microsoft doesn't recommend them is because it's bad PR to be seen having to be helped out, and not that the code is full of viruses that destroy your PC.

    Ah well, I only use Windows for gaming anyway.

  3. Re:I DLed them this AM. A question... by gregarican · · Score: 4, Insightful

    Probably. There are many hidden places in Windows where the default browser might not be Firefox. For example, if you use Microsoft Lookout and have mail message format set as HTML perhaps. Or certain other apps might launch IE when displaying HTML content too. To play it safe I would download and install the patch.

  4. Re:The Exploit by Billosaur · · Score: 5, Insightful

    Not bad, but your response time could use some improvement.

    From TFA: Microsoft Corp. has released its security software patches for April...

    Microsoft has adopted the policy of "no patch before its time." These patches must be left on the vine, to ripen in the sun, until they are full of succulent flavor that brings out the best in an OS... sorry... anyway, it didn't matter how important the exploit was or that it was compromising machines left and right and letting the botnetters have a field day, Microsoft was in no rush. And you have to admit, that 3 weeks is not bad compared to some exploits which seem to be out there for months before anything is done. Now if Oracle could get their patch time down to three weeks...

    --
    GetOuttaMySpace - The Anti-Social Network
  5. Re:How much longer is this going to be NEWS? by castoridae · · Score: 5, Insightful

    > Why do we have to have a story every time a bug is fixed in IE or Firefox...?

    Because Slashdorks like ourselves keep reading them and posting comments. You can bet if people stopped reading & commenting, the editors would stop posting these stories.

  6. Re:Meanwhile... by dextromulous · · Score: 4, Insightful

    It's not leaked memory. See Here for details. There is a difference between leaked memory (memory that is completely lost because it will never be deallocated,) and caching (which is what firefox does.)

    Seriously though, if it is using 1.5gb of memory, you probably have it to spare, otherwise it wouldn't be using it. If this is still unacceptable, you can TURN IT OFF!

    --
    There are two types of people in the world: those who divide people into two types and those who don't.
  7. Re:Schedule Over Security? by boskone · · Score: 5, Insightful

    yes...

    many exploits are made by examining the patch, so in most cases, it's better if everyone gets the patch at the same time (crackers and legitimate users) rather than the crackers getting it ahead of business users.

  8. Re:Schedule Over Security? by DrXym · · Score: 3, Insightful
    > Unfortunately Microsoft does listen to its customers, and its biggest (and loudest) customers are corporate IT departments. Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

    There are probably a few issues to consider here. Whether a corporate wants a scheduled regular service you can sure as hell bet they want the option to receive critical patches as soon as humanly possible. They'll wait for the other things, but critical patches should be available out of band. Secondly, there would be nothing to stop MS releasing the hotfix in the meantime via Windows Update since most corporates don't use it anyway.

    I think it's extremely poor that MS takes so long to fix such an obvious problem. It's more reason if any were needed that a closed source product is no guarantee that it will be any more secure or better supported than an open source one.

  9. Re:The Exploit by truthsearch · · Score: 2, Insightful

    Considering the Windows Help system was exploitable for 7 years I'd say they're improving, although they still are usually too slow. Today there's no way to know how long they're aware of any bug. They may know about an exploit for years and just never publicly notify anyone. Or they may not know until a few days before they acknowledge it. Being a closed system that they work under (both software and business) we'll never really know.

  10. Scheduled updates seem counter-intuitive by multiOSfreak · · Score: 3, Insightful

    I understand that MS releases patches on a scheduled, monthly basis because lots of corporate IT departments demanded it (to make their jobs easier). I understand that; there's at least some logic to it.

    What I don't get is why everyone else in the world has to have their system unprotected for an extra couple of weeks. Why can't MS release the patches when they are "stable" and let the IT departments schedule their own updates as frequently or infrequently as they see fit? And further, is scheduling really *that* much more important than security for large companies?

  11. Re:Schedule Over Security? by geobeck · · Score: 1, Insightful
    > Unfortunately Microsoft does listen to its customers, and its biggest (and loudest) customers are corporate IT departments. Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

    I call BS on that one. It takes me five minutes to apply a patch to a test machine, and after a suitable test period it takes me another five minutes to walk into the server room, log in to the WSUS server, and approve an update.

    If I want to deploy an update off-schedule, it doesn't take a lot of time to do so. And if I don't want to deploy it off-schedule, it can just sit there on WSUS until Patch Tuesday comes around.

    Microsoft's patch schedule has nothing to do with its customers' demands, any more than Norton's ridiculous virus update schedule. Saying that they're doing it to satisfy customer requirements is like the sign at Safeway that says "For your convenience, please leave heavy items in the cart." My convenience, my ass. It's because the 16-year-old, 90-pound checkout girl can't lift the 5-gallon water jug I'm buying.

    Don't tell me you're doing something for my sake when I know you're doing it for your own business reasons.

    --
    Find environmentally and socially responsible products on http://buy-right.net
  12. Re:Schedule Over Security? by enosys · · Score: 2, Insightful

    However, if information about an exploit is publicly available there is no reason to not get a patch ASAP to those who want that.

  13. Re:Why? by geobeck · · Score: 3, Insightful
    > Why the hell is anyone still using IE?

    Unfortunately, it's because of corporate inertia. Take my company, for example. I'm the IT department (no, that's not a typo) for a small Canadian company that is owned by a large European company. I've removed the big 'e' from everyone's desktop, installed Firefox, and told everyone to use it.

    Unfortunately, we have a couple of applications we can only use through a centrally-administered terminal server environment. That environment includes IE. And of course the corporate IT guys can't replace Internet Exploiter because "It's a corporate standard," meaning the CIO is a manager, not a tech, and won't let them install "unlicensed" software. ("How can it be properly licensed if we don't pay for it?" ... "Free software is never free for business use!", etc.)

    --
    Find environmentally and socially responsible products on http://buy-right.net
  14. Re:Schedule Over Security? by Slime-dogg · · Score: 3, Insightful

    There is still no legitimate reason for them not to make a patch available as soon as they finish it. They can include the patch into their scheduled cycle, but they can also then cater to the early adopters, and those who don't want vulnerable systems laying around.

    --
    You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
  15. Re:The Exploit by I'm+Don+Giovanni · · Score: 2, Insightful

    > Being a closed system that they work under (both software and business) we'll never really know.

    And yet Mozilla/Firefox keeps security bugs off of the public bugs list until they are fixed, so you don't know how long Mozilla devs know about security bugs before fixing them either.

    --
    -- "I never gave these stories much credence." - HAL 9000
  16. Re:The Bob Damn them. by sremick · · Score: 3, Insightful

    "I hate the fact I have to purchase anti-viral software even though I exercise great care in what I download, install, execute, etc.

    I hate the fact that I have to download patches frequently, which are massive files and I'm still on a dial-up so they can take hours."


    Actually, you don't. Because you don't "have to" run Windows. Seriously. I'm not trying to be a prick, but to emphasize that somewhere along the line, the user (you) is choosing to run Windows, so you are choosing to take on all these burdens in the process. You can rid yourself of them simply by choosing any of the other growingly-popular OSes out there. Yes it'd be work. Yes the transition might incur costs. Yes you might have to switch apps, convert data, retrain. But you are choosing to do it or not do it, regardless. You can choose the one-time painful conversion, or choose to remain in the eternal servitude to the pains of your status quo.

    Your choice.

  17. Re:Schedule Over Security? by BeanThere · · Score: 3, Insightful

    > Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

    Why, are those customers forced to install it as soon as Microsoft releases it? If they wanted to install it later, they are unable to do so? What's stopping them from waiting? That would not only give them the choice, but give them longer to test the patches first. Yeah I can just picture those alleged customers now: "Hey Microsoft, please give us less choice and greater delays, in fact we demand you do so"

    Stop the FUD, thanks.