Slashdot Mirror
Microsoft Releases Critical IE Patch
Laura Brown writes "Microsoft has released its security software patches for April. The most anticipated is the MS06-013 patch, which fixes several IE bugs, including the "create TextRange ()" vulnerability. Hackers had been exploiting this problem by installing unauthorized software on PCs.
"
The Exploit If you want to know more about the exploit that this release is supposed to fix, here is a shellcoded from of it (dated 03.22.2006).
And here's Microsoft's acknowledgement of the exploit (dated 03.23.2006).
And here's an "expert" saying that releasing the above exploit is irresponsible (dated 03.24.2006).
It is now 04.12.2006 and a patch is out to correct it.
*checks his watch*
Not bad, but your response time could use some imporvement.
My work here is dung.
This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.
Never email donotemail@WeAreSpammers.com
If they don't update their products people will comment on how much they suck.
If they do update them people will claim instability due to the number of patches.
It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.
You decide.
Cogito Ergo Sum
The following excerpt is alarming: I wasn't aware a cycle constituted 135 days. That's interesting.
I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security. I shall take note of that.
My work here is dung.
Probably. There are many hidden places in Windows where the default browser might not be Firefox. For example, if you use Microsoft Lookout and have mail message format set as HTML perhaps. Or certain other apps might launch IE when displaying HTML content too. To play it safe I would download and install the patch.
Would it not be better for MS to release individual patches as they are deemed (and I use this word loosely) stable? I can understand the reasoning behind a monthly update, but so many individual users are set for auto-updates. Also, businesses could then install the patches they deem necessary, while avoiding or reverting from patches which cause problems on their networks. This method would prevent the 1-month window (or longer in the case of Service Packs) that hackers have for exploiting a known vulnerability.
"Bad times have a scientific value. These are occasions a good learner would not miss." ~ Ralph Waldo Emerson
Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue [slashdot.org]. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article [techweb.com] with a summary of the changes, along with some links elswhere.
Amusingly, this behavior can be disabled with either a patch or a registry change.
Why do we have to have a story every time a bug is fixed in IE or Firefox...?
Because Slashdorks like ourselves keep reading them and posting comments. You can bet if people stopped reading & commenting, the editors would stop posting these stories.
It's not leaked memory. See Here for details. There is a difference between leaked memory (memory that is completely lost because it will never be deallocated,) and caching (which is what firefox does.)
Seriously though, if it is using 1.5gb of memory, you probably have it to spare, otherwise it wouldn't be using it. If this is still unacceptable, you can TURN IT OFF!
There are two types of people in the world: those who divide people into two types and those who don't.
Don't forget all the proprietary apps out there that use the IE ActiveX plugin!
"Free software" is a matter of liberty, not price.
Download here
OK, OK, so I wanted to be different from those "get Firefox" jokes!
Beware: In C++, your friends can see your privates!
Let's rename "Internet Explorer" to "Apache Browser". After all, it's becoming "A patchy" browser! :D
I understand that MS releases patches on a scheduled, monthly basis because lots of corporate IT departments demanded it (to make their jobs easier). I understand that; there's at least some logic to it.
What I don't get is why everone else in the world has to have their system unprotected for an extra couple of weeks. Why can't MS release the patches when they are "stable" and let the IT departments schedule their own updates as frequently or infrequently as they see fit? And further, is scheduling really *that* much more important than security for large companies?
Transistors and Beer!!
The patch in question patches not less than 10 critical patches in IE and Windows that can be used to compromise your system.
Unfortunately, it's because of corporate inertia. Take my company, for example. I'm the IT department (no, that's not a typo) for a small Canadian company that is owned by a large European company. I've removed the big 'e' from everyone's desktop, installed Firefox, and told everyone to use it.
Unfortunately, we have a couple of applications we can only use through a centrally-administered terminal server environment. That environment includes IE. And of course the corporate IT guys can't replace Internet Exploiter because "It's a corporate standard," meaning the CIO is a manager, not a tech, and won't let them install "unlicensed" software. ("How can it be properly licensed if we don't pay for it?" ... "Free software is never free for business use!", etc.)
Find environmentally and socially responsible products on http://buy-right.net
"I hate the fact I have to purchase anti-viral software even though I exercise great care in what I download, install, execute, etc.
I hate the fact that I have to download patches frequently, which are massive files and I'm still on a dial-up so they can take hours."
Actually, you don't. Because you don't "have to" run Windows. Seriously. I'm not trying to be a prick, but to emphasize that somewhere along the line, the user (you) is choosing to run Windows, so you are choosing to take on all these burdens in the process. You can rid yourself of them simply by choosing any of the other growingly-popular OSes out there. Yes it'd be work. Yes the transition might incurr costs. Yes you might have to switch apps, convert data, retrain. But you are choosing to do it or not do it, regardless. You can choose the one-time painful conversion, or choose to remain in the eternal servitude to the pains of your status quo.
Your choice.