Slashdot Mirror


Microsoft Releases Critical IE Patch

Laura Brown writes "Microsoft has released its security software patches for April. The most anticipated is the MS06-013 patch, which fixes several IE bugs, including the createTextRange() vulnerability. Hackers had been exploiting this problem by installing unauthorized software on PCs."

40 of 172 comments

  1. The Exploit by eldavojohn · · Score: 5, Informative

    If you want to know more about the exploit that this release is supposed to fix, here is a shellcoded form of it (dated 03.22.2006).

    And here's Microsoft's acknowledgement of the exploit (dated 03.23.2006).

    And here's an "expert" saying that releasing the above exploit is irresponsible (dated 03.24.2006).

    It is now 04.12.2006 and a patch is out to correct it.

    *checks his watch*

    Not bad, but your response time could use some improvement.

    --
    My work here is dung.
    1. Re:The Exploit by Ravatar · · Score: 2, Informative

      It was released on the second Tuesday of the month (April 11). Microsoft has been releasing fixes on this schedule for several months now, maybe longer. They do this so that every patch on the release board gets the full testing cycle it deserves. Microsoft rarely releases patches off-schedule now.

    2. Re:The Exploit by Billosaur · · Score: 5, Insightful

      > Not bad, but your response time could use some improvement.

      From TFA: Microsoft Corp. has released its security software patches for April...

      Microsoft has adopted the policy of "no patch before its time." These patches must be left on the vine, to ripen in the sun, until they are full of succulent flavor that brings out the best in an OS... sorry... anyway, it didn't matter how important the exploit was or that it was compromising machines left and right and letting the botnetters have a field day, Microsoft was in no rush. And you have to admit, that 3 weeks is not bad compared to some exploits which seem to be out there for months before anything is done. Now if Oracle could get their patch time down to three weeks...

      --
      GetOuttaMySpace - The Anti-Social Network
    3. Re:The Exploit by truthsearch · · Score: 2, Insightful

      Considering the Windows Help system was exploitable for 7 years I'd say they're improving, although they still are usually too slow. Today there's no way to know how long they've been aware of any bug. They may know about an exploit for years and just never publicly notify anyone. Or they may not know until a few days before they acknowledge it. Being a closed system that they work under (both software and business) we'll never really know.

    4. Re:The Exploit by I'm+Don+Giovanni · · Score: 2, Insightful

      > Being a closed system that they work under (both software and business) we'll never really know.

      And yet Mozilla/Firefox keeps security bugs off of the public bugs list until they are fixed, so you don't know how long Mozilla devs know about security bugs before fixing them either.

      --
      -- "I never gave these stories much credence." - HAL 9000
    5. Re:The Exploit by bunratty · · Score: 2, Interesting

      Brilliant idea: just look at the date the bug was opened. I know, I can't believe I figured it out on my own either! ;-)

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    6. Re:The Exploit by darkonc · · Score: 3, Interesting
      It's not that Microsoft waited until the patch was 'perfect' to release it. It's that somebody in marketing determined that it's hurting their public image to be releasing 'critical security releases' 2-3 times per week/month/day (depending on how bad the week/month/day is). Instead, they're now releasing patches on a fixed monthly schedule no matter when the fix is ready.

      This makes things easier on the marketing people who don't have to deal with complaints about security patches coming out far too often, but it also means that customers can be exposed to serious (effectively 'zero-day') exploits for up to a month at a time before MS's monthly release kicks in.

      In time, we're going to see hackers 'releasing' their exploits on the Wednesday after patch-day to maximize how many machines they can exploit before the next MS 'patch day'. It's a stupid way of 'serving your customer'.

      --
      Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  2. ActiveX, Java and Flash controls may be impacted by Dynamoo · · Score: 5, Informative
    Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article with a summary of the changes, along with some links elsewhere.

    This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.

    --
    Never email donotemail@WeAreSpammers.com
  3. Damned if they do, damned if they do not.. by Tominva1045 · · Score: 5, Insightful

    If they don't update their products people will comment on how much they suck.

    If they do update them people will claim instability due to the number of patches.

    It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.

    You decide.

    --
    Cogito Ergo Sum
    1. Re:Damned if they do, damned if they do not.. by Nasarius · · Score: 2, Insightful
      > Maybe because the Opensource developer is not responsible if the patch / update breaks something else?

      Legally, neither is Microsoft. Read your EULA.

      > And in most cases nothing else interacts with or depends on his / their code?

      Yeah, nothing interacts with or depends on sendmail, or glibc, or the Linux kernel...

      --
      LOAD "SIG",8,1
  4. Third - Party Patches by Kijori · · Score: 2, Insightful

    Does anyone know whether this patch will 'play nice' with the third party patches that've been available for a while?

    I've been recommending them to anyone that was worried about the vulnerabilities - I wish Microsoft would support them; it's very difficult to convince people that the fact that Microsoft doesn't recommend them is because it's bad PR to be seen having to be helped out, and not that the code is full of viruses that destroy your PC.

    Ah well, I only use Windows for gaming anyway.

  5. Schedule Over Security? by eldavojohn · · Score: 4, Interesting
    > They do this so that every patch on the release board gets the full testing cycle it deserves.

    Imagine you are Microsoft. This means you have nearly unlimited resources and a consumer base of astronomical proportions. I would imagine that a testing cycle could be accelerated for something as small as patches by an adequately equipped, largely staffed team of people whose sole job is to know IE inside and out and study it daily.

    The following excerpt is alarming:

    > Over the past year, Mozilla averaged about 21 days before it issued fixes for flaws in Firefox, compared with the 135 days it took for Microsoft to address problems.

    I wasn't aware a cycle constituted 135 days.

    > Microsoft rarely releases patches off-schedule now.

    That's interesting.

    I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security. I shall take note of that.
    --
    My work here is dung.
    1. Re:Schedule Over Security? by Tim+C · · Score: 5, Interesting

      Unfortunately Microsoft does listen to its customers, and its biggest (and loudest) customers are corporate IT departments. Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

      No, MS doesn't always release patches as quickly as they could, but in this particular case it certainly looks as though they got it out at the earliest opportunity, where this is defined as "as quickly as the largest proportion of their customer base allows them to".

      > I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security.

      Blame MS for bowing to pressure from their customers; blame the corporations for bringing that pressure to bear in the first place.

    2. Re:Schedule Over Security? by bunratty · · Score: 4, Interesting

      Couldn't they at least make the patch available ASAP to those who want it ASAP, and roll it out in a monthly patch cycle for those who want a monthly patch cycle? For the number and caliber of computer science researchers Microsoft has at its disposal, and the priority they've put on increased security, it's strange that they somehow haven't figured out how to do this. Is there some issue I'm not understanding?

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    3. Re:Schedule Over Security? by boskone · · Score: 5, Insightful

      yes...

      many exploits are made by examining the patch, so in most cases, it's better if everyone gets the patch at the same time (crackers and legitimate users) rather than the crackers getting it ahead of business users.

    4. Re:Schedule Over Security? by DrXym · · Score: 3, Insightful
      > Unfortunately Microsoft does listen to its customers, and its biggest (and loudest) customers are corporate IT departments. Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

      There are probably a few issues to consider here. Whether a corporate wants a scheduled regular service you can sure as hell bet they want the option to receive critical patches as soon as humanly possible. They'll wait for the other things, but critical patches should be available out of band. Secondly, there would be nothing to stop MS releasing the hotfix in the meantime via Windows Update since most corporates don't use it anyway.

      I think it's extremely poor that MS takes so long to fix such an obvious problem. It's more reason, if any were needed, that a closed source product is no guarantee that it will be any more secure or better supported than an open source one.

    5. Re:Schedule Over Security? by enosys · · Score: 2, Insightful

      However, if information about an exploit is publicly available there is no reason to not get a patch ASAP to those who want that.

    6. Re:Schedule Over Security? by MarkByers · · Score: 3, Interesting

      > many exploits are made by examining the patch, so in most cases, it's better if everyone gets the patch at the same time (crackers and legitimate users) rather than the crackers getting it ahead of business users.

      If there is already an exploit in the wild (with freely available source code) I really don't see how releasing a patch earlier for home users makes it *easier* to exploit.

      It's just a poor excuse for being slow to patch.

      --
      I'll probably be modded down for this...
    7. Re:Schedule Over Security? by Slime-dogg · · Score: 3, Insightful

      There is still no legitimate reason for them not to make a patch available as soon as they finish it. They can include the patch in their scheduled cycle, but they can also then cater to the early adopters, and those who don't want vulnerable systems lying around.

      --
      You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
    8. Re:Schedule Over Security? by rbochan · · Score: 3, Informative

      > ...For the number and caliber of computer science researchers Microsoft has at its disposal, and the priority they've put on increased marketing bullshit, it's strange ...

      There, fixed that for you.

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
    9. Re:Schedule Over Security? by BeanThere · · Score: 3, Insightful

      > Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

      Why, are those customers forced to install it as soon as Microsoft releases it? If they wanted to install it later, they are unable to do so? What's stopping them from waiting? That would not only give them the choice, but give them longer to test the patches first. Yeah I can just picture those alleged customers now: "Hey Microsoft, please give us less choice and greater delays, in fact we demand you do so"

      Stop the FUD, thanks.

  6. Meanwhile... by StevenHenderson · · Score: 2, Funny

    Firefox users point and laugh...

    1. Re:Meanwhile... by dextromulous · · Score: 4, Insightful

      It's not leaked memory. See Here for details. There is a difference between leaked memory (memory that is completely lost because it will never be deallocated,) and caching (which is what firefox does.)

      Seriously though, if it is using 1.5 GB of memory, you probably have it to spare, otherwise it wouldn't be using it. If this is still unacceptable, you can TURN IT OFF!

      --
      There are two types of people in the world: those who divide people into two types and those who don't.
  7. Re:I DLed them this AM. A question... by gregarican · · Score: 4, Insightful

    Probably. There are many hidden places in Windows where the default browser might not be Firefox. For example, if you use Microsoft Lookout and have mail message format set as HTML perhaps. Or certain other apps might launch IE when displaying HTML content too. To play it safe I would download and install the patch.

  8. The Bob Damn them. by ackthpt · · Score: 2, Interesting
    > If they don't update their products people will comment on how much they suck.
    > If they do update them people will claim instability due to the number of patches.
    > It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.
    > You decide.

    I hate the fact I have to purchase anti-viral software even though I exercise great care in what I download, install, execute, etc.

    I hate the fact that I have to download patches frequently, which are massive files and I'm still on a dial-up so they can take hours.

    I hate knowing something is running on my computer, chewing up CPU time, but because the way the task manager works I can't really see everything that's in memory and running.

    The Bob damn them and their monolithic view of the world.

    --
    A feeling of having made the same mistake before: Deja Foobar
    1. Re:The Bob Damn them. by sremick · · Score: 3, Insightful

      > I hate the fact I have to purchase anti-viral software even though I exercise great care in what I download, install, execute, etc.
      >
      > I hate the fact that I have to download patches frequently, which are massive files and I'm still on a dial-up so they can take hours.

      Actually, you don't. Because you don't "have to" run Windows. Seriously. I'm not trying to be a prick, but to emphasize that somewhere along the line, the user (you) is choosing to run Windows, so you are choosing to take on all these burdens in the process. You can rid yourself of them simply by choosing any of the other growingly-popular OSes out there. Yes it'd be work. Yes the transition might incur costs. Yes you might have to switch apps, convert data, retrain. But you are choosing to do it or not do it, regardless. You can choose the one-time painful conversion, or choose to remain in the eternal servitude to the pains of your status quo.

      Your choice.

  9. How much longer is this going to be NEWS? by ink · · Score: 2, Interesting

    All software companies fix bugs all the time. Why do we have to have a story every time a bug is fixed in IE or Firefox...? It boggles the mind.

    --
    The wheel is turning, but the hamster is dead.
    1. Re:How much longer is this going to be NEWS? by castoridae · · Score: 5, Insightful

      > Why do we have to have a story every time a bug is fixed in IE or Firefox...?

      Because Slashdorks like ourselves keep reading them and posting comments. You can bet if people stopped reading & commenting, the editors would stop posting these stories.

  10. Re:ActiveX, Java and Flash controls may be impacte by Tackhead · · Score: 2, Funny
    > Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article with a summary of the changes, along with some links elsewhere.
    >
    > This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.

    So for the first time in history, IE's more secure out of the box than Firefox and Opera?

    "Microsoft: Where information security is the 521,000,001st priority."

  11. Why can't we all have portage by BoredWolf · · Score: 3, Interesting

    Would it not be better for MS to release individual patches as they are deemed (and I use this word loosely) stable? I can understand the reasoning behind a monthly update, but so many individual users are set for auto-updates. Also, businesses could then install the patches they deem necessary, while avoiding or reverting from patches which cause problems on their networks. This method would prevent the 1-month window (or longer in the case of Service Packs) that hackers have for exploiting a known vulnerability.

    --
    "Bad times have a scientific value. These are occasions a good learner would not miss." ~ Ralph Waldo Emerson
  12. Re:ActiveX, Java and Flash controls may be impacte by Takeel · · Score: 4, Informative

    > Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue [slashdot.org]. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article [techweb.com] with a summary of the changes, along with some links elsewhere.

    Amusingly, this behavior can be disabled with either a patch or a registry change.

  13. Re:I DLed them this AM. A question... by flight_master · · Score: 3, Informative

    Don't forget all the proprietary apps out there that use the IE ActiveX plugin!

    --
    "Free software" is a matter of liberty, not price.
  14. A fix was released long ago by Jugalator · · Score: 4, Funny

    Download here

    OK, OK, so I wanted to be different from those "get Firefox" jokes!

    --
    Beware: In C++, your friends can see your privates!
  15. Name change proposal by Spy+der+Mann · · Score: 4, Funny

    Let's rename "Internet Explorer" to "Apache Browser". After all, it's becoming "A patchy" browser! :D

  16. Scheduled updates seem counter-intuitive by multiOSfreak · · Score: 3, Insightful

    I understand that MS releases patches on a scheduled, monthly basis because lots of corporate IT departments demanded it (to make their jobs easier). I understand that; there's at least some logic to it.

    What I don't get is why everyone else in the world has to have their system unprotected for an extra couple of weeks. Why can't MS release the patches when they are "stable" and let the IT departments schedule their own updates as frequently or infrequently as they see fit? And further, is scheduling really *that* much more important than security for large companies?

  17. The article's title doesn't do it justice by suv4x4 · · Score: 4, Informative

    The patch in question patches not less than 10 critical patches in IE and Windows that can be used to compromise your system.

  18. Source by Goodgerster · · Score: 2, Informative

    Downloadable immediately from here.

  19. Re:Why? by geobeck · · Score: 3, Insightful
    > Why the hell is anyone still using IE?

    Unfortunately, it's because of corporate inertia. Take my company, for example. I'm the IT department (no, that's not a typo) for a small Canadian company that is owned by a large European company. I've removed the big 'e' from everyone's desktop, installed Firefox, and told everyone to use it.

    Unfortunately, we have a couple of applications we can only use through a centrally-administered terminal server environment. That environment includes IE. And of course the corporate IT guys can't replace Internet Exploiter because "It's a corporate standard," meaning the CIO is a manager, not a tech, and won't let them install "unlicensed" software. ("How can it be properly licensed if we don't pay for it?" ... "Free software is never free for business use!", etc.)

    --
    Find environmentally and socially responsible products on http://buy-right.net
  20. Re:Yawn by Bromskloss · · Score: 2, Funny
    > Still saving for The Switch...
    Come on, hop on the train and go for free software. No savings needed!
    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
  21. Re:Why? by J0nne · · Score: 2, Informative

    The IETab extension can switch the rendering engine within Firefox. You can even add a list of websites that should always use IE's engine. This way your users won't have to start IE separately (and probably won't even notice the switching of the engine).

    I'm not sure if you can install it automatically (through SMS or whatever it's called), so it might not be practical if you have to install it on a lot of computers.