Microsoft Releases Critical IE Patch
Laura Brown writes "Microsoft has released its security software patches for April. The most anticipated is the MS06-013 patch, which fixes several IE bugs, including the "create TextRange ()" vulnerability. Hackers had been exploiting this problem by installing unauthorized software on PCs."
The Exploit
If you want to know more about the exploit that this release is supposed to fix, here is a shellcoded form of it (dated 03.22.2006).
And here's Microsoft's acknowledgement of the exploit (dated 03.23.2006).
And here's an "expert" saying that releasing the above exploit is irresponsible (dated 03.24.2006).
It is now 04.12.2006 and a patch is out to correct it.
*checks his watch*
Not bad, but your response time could use some improvement.
My work here is dung.
This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.
Never email donotemail@WeAreSpammers.com
Anyone smarter than the writer is a hacker. To quote a client: "Hackers should be jailed unless they are working for me."
The GPL, for those that truly understand.
If they don't update their products people will comment on how much they suck.
If they do update them people will claim instability due to the number of patches.
It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.
You decide.
Cogito Ergo Sum
Does anyone know whether this patch will 'play nice' with the third party patches that've been available for a while?
I've been recommending them to anyone that was worried about the vulnerabilities - I wish Microsoft would support them, it's very difficult to convince people that the fact that Microsoft doesn't recommend them is because it's bad PR to be seen having to be helped out, and not that the code is full of viruses that destroy your PC.
Ah well, I only use Windows for gaming anyway.
The following excerpt is alarming: I wasn't aware a cycle constituted 135 days. That's interesting.
I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security. I shall take note of that.
My work here is dung.
Firefox users point and laugh...
Probably. There are many hidden places in Windows where the default browser might not be Firefox. For example, if you use Microsoft Lookout and have mail message format set as HTML perhaps. Or certain other apps might launch IE when displaying HTML content too. To play it safe I would download and install the patch.
If they do update them people will claim instability due to the number of patches.
It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.
You decide.
I hate the fact I have to purchase anti-viral software even though I exercise great care in what I download, install, execute, etc.
I hate the fact that I have to download patches frequently, which are massive files and I'm still on a dial-up so they can take hours.
I hate knowing something is running on my computer, chewing up CPU time, but because the way the task manager works I can't really see everything that's in memory and running.
The Bob damn them and their monolithic view of the world.
A feeling of having made the same mistake before: Deja Foobar
All software companies fix bugs all the time. Why do we have to have a story every time a bug is fixed in IE or Firefox...? It boggles the mind.
The wheel is turning, but the hamster is dead.
> This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.
So for the first time in history, IE's more secure out of the box than Firefox and Opera?
"Microsoft: Where information security is the 521,000,001st priority."
Would it not be better for MS to release individual patches as they are deemed (and I use this word loosely) stable? I can understand the reasoning behind a monthly update, but so many individual users are set for auto-updates. Also, businesses could then install the patches they deem necessary, while avoiding or reverting from patches which cause problems on their networks. This method would prevent the 1-month window (or longer in the case of Service Packs) that hackers have for exploiting a known vulnerability.
"Bad times have a scientific value. These are occasions a good learner would not miss." ~ Ralph Waldo Emerson
Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue [slashdot.org]. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article [techweb.com] with a summary of the changes, along with some links elsewhere.
Amusingly, this behavior can be disabled with either a patch or a registry change.
There was a great post about it.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
Don't forget all the proprietary apps out there that use the IE ActiveX plugin!
"Free software" is a matter of liberty, not price.
At what point do the authors of this information just do a search and replace on the last news release for the last patch (last Month, Week Yesterday, 5 minutes ago ...) TFA kind'a looks like a filled out form ...
My other question is when does M$ release the patch that changes activation codes to valid credit card numbers. ?? I guess they could do a rural version that uses the modem to call a 1 - 900 - xxx xxxx
Download here
OK, OK, so I wanted to be different from those "get Firefox" jokes!
Beware: In C++, your friends can see your privates!
The change isn't about security, at least the ActiveX click to activate one is not. It is compliance to the patent dispute with Eolas.
They have bundled it WITH the security rollup.
a man, a plan, a canal, panama
Let's rename "Internet Explorer" to "Apache Browser". After all, it's becoming "A patchy" browser! :D
I understand that MS releases patches on a scheduled, monthly basis because lots of corporate IT departments demanded it (to make their jobs easier). I understand that; there's at least some logic to it.
What I don't get is why everyone else in the world has to have their system unprotected for an extra couple of weeks. Why can't MS release the patches when they are "stable" and let the IT departments schedule their own updates as frequently or infrequently as they see fit? And further, is scheduling really *that* much more important than security for large companies?
Transistors and Beer!!
The patch in question patches not less than 10 critical patches in IE and Windows that can be used to compromise your system.
can't figure out your email address - u want one send me a request at tedbirmingham at gmail.com.
Stay tuned for new sig...
Like- what? that has to be compatible with every pc configuration, with every software configuration, quite literally, known to man.
1st, what OSP is on par for raw bytes & complexity... to the windows OS?
2nd- which of that subset gets patches in 24 hours
3rd- how often do these "right out the door" patches cause loss of functionality, for a subset of users, as (my line one above) every system configuration possibility was considered in the patch, that is still just works?
it's kinda herculean if you think about it..
every day http://en.wikipedia.org/wiki/Special:Random
Downloadable immediately from here.
Unfortunately, it's because of corporate inertia. Take my company, for example. I'm the IT department (no, that's not a typo) for a small Canadian company that is owned by a large European company. I've removed the big 'e' from everyone's desktop, installed Firefox, and told everyone to use it.
Unfortunately, we have a couple of applications we can only use through a centrally-administered terminal server environment. That environment includes IE. And of course the corporate IT guys can't replace Internet Exploiter because "It's a corporate standard," meaning the CIO is a manager, not a tech, and won't let them install "unlicensed" software. ("How can it be properly licensed if we don't pay for it?" ... "Free software is never free for business use!", etc.)
Find environmentally and socially responsible products on http://buy-right.net
There are many hidden places in Windows where the default browser might not be Firefox.
Essentially almost any Windows app that displays HTML and isn't either Firefox, Mozilla, Opera or Thunderbird is most likely using mshtml.dll and so is likely to be vulnerable to the exploit.
Bottom line is that any Windows user should download and apply every IE update whether they use IE or not, as simply not using IE does not guarantee safety.
It's official. Most of you are morons.
"Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate."
To solve the issues with Flash, check out my sig. It's free.
You mean they finally released an uninstaller???
This is "News for Nerds. Stuff that Matters."; a serious IE exploit seems to fit neither category.
A permanent FlashBlock-style behaviour would have an interesting effect on how e-adverts are played.
Unfortunately, this won't act as an automatic FlashBlocker. It disables _interacting_ with the ActiveX component until it's activated. So all those lovely ads will still load and play automatically; you just won't be able to click on, say, movie volume or playback controls until you've authorized it. Basically the worst of both models, really. Sucks to be IE. *shrug*
I'd like to know how though; Here at work, we use internal software, which has a browser window built in to access a tasks list. It's IE-based, using the activeX control. How would I get rid of it? ;)
"Free software" is a matter of liberty, not price.
but rather, after testing, and validating- then they support it.
how much do you pay for OS updates?
every day http://en.wikipedia.org/wiki/Special:Random
Very true, I found one of these today, interestingly enough in Flash itself. It indicated there was an update available, and the link to describe the details of the update opened up IE despite FF being my default on this machine. Talk about a security hole, an unsecure app, opening an unsecure browser, all w/o checking user prefs on the machine or even alerting the user to the action before it is taken. Brilliant! (I know, dump flash you say, but I can't for what I do on this machine, however you can bet it's not loaded on any others I own!)
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
The IETab extension can switch the rendering engine within Firefox. You can even add a list of websites that should always use IE's engine. This way your users won't have to start IE separately (and probably won't even notice the switching of the engine).
I'm not sure if you can install it automatically (through sms or whatever it's called), so it might not be practical if you have to install it on a lot of computers.
Argh:
No, no, no. The fact that "hacker" isn't the correct term to use here anyway notwithstanding [1], people have been installing unauthorised software on PCs by exploiting this problem, NOT the other way around.
1. Feel free to whine that the general public does use the word "hacker" that way if you want to, but this is Slashdot, and I think we can expect a somewhat higher standard here.
quidquid latine dictum sit altum videtur.
This won't affect IE6 on Windows 2000
That's good. I just updated from SP2 to SP4 & had to deal with >30 SP4 specific patches.
Is it possible that (for Win2k at least) staying a bit behind in the service pack game could afford you a bit of protection?
Either the exploit is going to affect only the latest SP, or MS is going to write a patch for all versions. In the first case, you can ignore the exploit and go about your way and in the second case, you weren't any safer than the up-to-date people.
Though, if I was doing a fresh install today, I'd be using a CD with the current service pack already present.
[Fuck Beta]
o0t!
So basically it's going to make it more difficult to see obnoxious flash ads take over websites as soon as a page is loaded. And in the rare chance you actually want to see a flash or java object, you have to click a button. Sounds like MS should toss this on the feature list.
Overall, I'm fine with that. I'm actually used to that behavior - I use scriptblock for firefox at home, and flashblock at work. I LIKE not seeing active content when I don't want to.
I do NOT look forward to the calls I get the day after we deploy this patch at work though.. "My internet doesn't work!".
I use Siebel products, and it didn't fix my issues. IE still continued to freeze. Had to remove KB912812 update and reboot. :(
Also, note that it mentioned Java with ActiveX.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
They shipped Active Desktop, which is where they started integrating IE (or rather, the HTML control that's almost the whole of IE) so deeply into the OS that it couldn't be disabled or removed without heroic measures, in 1997.
Every new OS release since then has been an opportunity for them to step back from the brink and turn IE into just another application. Not only have they not turned back, but they have run faster and faster with every step.
I wish them joy of their damnation, their salvation is in no-one's hands but their own.
I just had to set up my Dad's new Dell for him - lovely hardware BTW (well, compared to the no-name crap pulled out of skips that I normally deal with, and not counting rackmount ProLiants and whatnot at work :) - but did you know that in 2006, Windows XP (which being NT a full-blown proper multi-user kernel) *still* sets up a default user account as an administrator, with no password?! Couldn't believe my eyes. I was also amused to see the new Windows 'security' features, which are causing him no end of problems -- there are dialogs and popups and animated bubbles out of the toolbar demanding to know whether so-and-so program should be allowed to talk to the Internet - many of which shouldn't need to, so are presumably phoning home - amongst these is the "McAfee security centre" which apart from trying to pressure him into buying a subscription, I noticed was using IE as its web-browser. Surely that's a breach of the Trade Descriptions Act, selling "security software" that uses IE?? Anyway, in between telling him he should have got a Mac like I told him, he's good to go now with Firefox, T'bird and Open Office. (He was horrified when I explained that Word, Access and Excel aren't part of Windows, and that you have to pay an extra £250 if you want to use all his old files. And no, I can't just move the old programs onto the new computer... apart from anything else, I suspect he found some dodgy geezer to fix it at some point when I wasn't around, and he doesn't seem to have any Office install CDs... heh! I think that's what they call a teachable moment.)
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
I hear a lot of noise about MS patches and "Patch Tuesday" curse words, but no one has much to say about Apple's patch schedule. Now I realize there are a lot less security updates from Apple, but that's another debate for another thread. What do people think of Apple's timeliness in the release of security updates? Have they been known to drag their feet on releasing, or maybe are they showing some hustle?
I work for the Department of Redundancy Department.
Well this patch is very likely original, but isn't this Subject line and the Contents another perennial duplicate?
the windows installer for apache is 4.2 mb I can't actually determine its size-
the download for sendmail is 1.89 MB
postgres is 22mb
these are single purpose- using system calls- apps..
they aren't OS's (except for linux) and do any of those come close to 1.5 gigabytes of code/apps/parts?
re read my list of challenge requirements for #1.. what OSP is on par for raw bytes & complexity... to the windows OS?
I can't vet "linux" as there is no "one linux" to compare against.- and none of them come 'core' with as many features INCLUDED in the os as microsoft- the same functionality is available I grant you- but not 'stock model'- as add-ons you can add as you determine your need.
this means however that a windows patch has to play nicely with all the other 'stock model' features.. which is my point- there is nothing more complex- serving more people- that makes it so unreasonable that a testing cycle is required to make sure that it won't break compatibility with some bizarre element 4 OS bits removed (but part of windows) over from the site of the problem.
every day http://en.wikipedia.org/wiki/Special:Random
If you actually spent a little time learning how directx works, you could find the IE active x component at:
HKEY_CLASSES_ROOT\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}
and remove it.
You can always use ReactOS's activex snapin replacement for it which uses the Gecko rendering engine.
Change is certain; progress is not obligatory.
Oh poo, I just noticed I said 'directx' earlier when I meant 'active X'.
Change is certain; progress is not obligatory.
Yes, I consider the total size of the codebase to be patched a consideration.
yes, microsoft code is likely bloated and inefficient
But the featureset, and functionality- is an order of magnitude or more complex than "SENDMAIL"
the simple fact (I see) is that -a patch for a microsoft OS, with all the variables it can affect- is a much greater undertaking- with
greater needs for getting it right the first time- than for most any other software available..
every day http://en.wikipedia.org/wiki/Special:Random
The Windows Explorer patch (KB 908531) is broken. It causes Office and IE massive problems in saving and opening files.