Slashdot Mirror


Microsoft Releases Critical IE Patch

Laura Brown writes "Microsoft has released its security software patches for April. The most anticipated is the MS06-013 patch, which fixes several IE bugs, including the "createTextRange()" vulnerability. Hackers had been exploiting this problem by installing unauthorized software on PCs."

11 of 172 comments

  1. Schedule Over Security? by eldavojohn · Score: 4, Interesting
    They do this so that every patch on the release board gets the full testing cycle it deserves.
    Imagine you are Microsoft. This means you have nearly unlimited resources and a consumer base of astronomical proportions. I would imagine that a testing cycle could be accelerated for something as small as patches by an adequately equipped, largely staffed team of people whose sole job is to know IE inside and out and study it daily.

    The following excerpt is alarming:
    Over the past year, Mozilla averaged about 21 days before it issued fixes for flaws in Firefox, compared with the 135 days it took for Microsoft to address problems.
    I wasn't aware a cycle constituted 135 days.
    Microsoft rarely releases patches off-schedule now.
    That's interesting.

    I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security. I shall take note of that.
    --
    My work here is dung.
    1. Re:Schedule Over Security? by Tim C · Score: 5, Interesting

      Unfortunately Microsoft does listen to its customers, and its biggest (and loudest) customers are corporate IT departments. Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

      No, MS doesn't always release patches as quickly as they could, but in this particular case it certainly looks as though they got it out at the earliest opportunity, where this is defined as "as quickly as the largest proportion of their customer base allows them to".

      I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security.

      Blame MS for bowing to pressure from their customers; blame the corporations for bringing that pressure to bear in the first place.

    2. Re:Schedule Over Security? by 110010001000 · Score: 0, Interesting

      They maintain the schedule to help IT administrators, not because it is convenient to MS. The purpose of the schedule is to give the admins time to test and roll out new patches, rather than releasing patches irregularly and not being able to prepare.

      If you worked in a large IT environment you would understand this.

    3. Re:Schedule Over Security? by bunratty · Score: 4, Interesting

      Couldn't they at least make the patch available ASAP to those who want it ASAP, and roll it out in a monthly patch cycle for those who want a monthly patch cycle? For the number and caliber of computer science researchers Microsoft has at its disposal, and the priority they've put on increased security, it's strange that they somehow haven't figured out how to do this. Is there some issue I'm not understanding?

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    4. Re:Schedule Over Security? by YU Nicks NE Way · Score: 1, Interesting

      Actually, that's not true. A patch for a vulnerability often provides a great deal more information about the vulnerability than the original exploit, particularly because it provides malicious people with code pattern samples which might expose other exploitable code. In that regard, Microsoft's response of providing a workaround to block the attack and then providing a correct and fully tested patch later is better than providing a half-baked patch.

    5. Re:Schedule Over Security? by MarkByers · Score: 3, Interesting

      Many exploits are made by examining the patch, so in most cases it's better if everyone gets the patch at the same time (crackers and legitimate users) rather than the crackers getting it ahead of business users.

      If there is already an exploit in the wild (with freely available source code) I really don't see how releasing a patch earlier for home users makes it *easier* to exploit.

      It's just a poor excuse for being slow to patch.

      --
      I'll probably be modded down for this...
  2. The Bob Damn them. by ackthpt · Score: 2, Interesting
    If they don't update their products people will comment on how much they suck.
    If they do update them people will claim instability due to the number of patches.
    It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.
    You decide.

    I hate the fact I have to purchase anti-viral software even though I exercise great care in what I download, install, execute, etc.

    I hate the fact that I have to download patches frequently, which are massive files and I'm still on a dial-up so they can take hours.

    I hate knowing something is running on my computer, chewing up CPU time, but because the way the task manager works I can't really see everything that's in memory and running.

    The Bob damn them and their monolithic view of the world.

    --

    A feeling of having made the same mistake before: Deja Foobar
  3. How much longer is this going to be NEWS? by ink · Score: 2, Interesting

    All software companies fix bugs all the time. Why do we have to have a story every time a bug is fixed in IE or Firefox...? It boggles the mind.

    --
    The wheel is turning, but the hamster is dead.
  4. Why can't we all have portage by BoredWolf · Score: 3, Interesting

    Would it not be better for MS to release individual patches as they are deemed (and I use this word loosely) stable? I can understand the reasoning behind a monthly update, but so many individual users are set for auto-updates. Also, businesses could then install the patches they deem necessary, while avoiding or reverting from patches which cause problems on their networks. This method would prevent the 1-month window (or longer in the case of Service Packs) that hackers have for exploiting a known vulnerability.

    --
    "Bad times have a scientific value. These are occasions a good learner would not miss." ~ Ralph Waldo Emerson
  5. Re:The Exploit by bunratty · Score: 2, Interesting

    Brilliant idea: just look at the date the bug was opened. I know, I can't believe I figured it out on my own either! ;-)

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  6. Re:The Exploit by darkonc · Score: 3, Interesting
    It's not that Microsoft waited until the patch was 'perfect' to release it. It's that somebody in marketing determined that it's hurting their public image to be releasing 'critical security releases' 2-3 times per week/month/day (depending on how bad the week/month/day is). Instead, they're now releasing patches on a fixed monthly schedule no matter when the fix is ready.

    This makes things easier on the marketing people, who don't have to deal with complaints about security patches coming out far too often, but it also means that customers can be exposed to serious (effectively 'zero-day') exploits for up to a month at a time before MS's monthly release kicks in.

    In time, we're going to see hackers 'releasing' their exploits on the Wednesday after patch day to maximize how many machines they can exploit before the next MS 'patch day'. It's a stupid way of 'serving your customer'.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.