Slashdot Mirror


Microsoft Releases Critical IE Patch

Laura Brown writes "Microsoft has released its security software patches for April. The most anticipated is the MS06-013 patch, which fixes several IE bugs, including the "createTextRange()" vulnerability. Hackers had been exploiting this problem by installing unauthorized software on PCs."

15 of 172 comments

  1. The Exploit by eldavojohn · · Score: 5, Informative

    If you want to know more about the exploit that this release is supposed to fix, here is a shellcoded form of it (dated 03.22.2006).

    And here's Microsoft's acknowledgement of the exploit (dated 03.23.2006).

    And here's an "expert" saying that releasing the above exploit is irresponsible (dated 03.24.2006).

    It is now 04.12.2006 and a patch is out to correct it.

    *checks his watch*

    Not bad, but your response time could use some improvement.

    --
    My work here is dung.
    1. Re:The Exploit by Billosaur · · Score: 5, Insightful

      Not bad, but your response time could use some improvement.

      From TFA: Microsoft Corp. has released its security software patches for April...

      Microsoft has adopted the policy of "no patch before its time." These patches must be left on the vine, to ripen in the sun, until they are full of succulent flavor that brings out the best in an OS... sorry... anyway, it didn't matter how important the exploit was or that it was compromising machines left and right and letting the botnetters have a field day, Microsoft was in no rush. And you have to admit, that 3 weeks is not bad compared to some exploits which seem to be out there for months before anything is done. Now if Oracle could get their patch time down to three weeks...

      --
      GetOuttaMySpace - The Anti-Social Network
  2. ActiveX, Java and Flash controls may be impacted by Dynamoo · · Score: 5, Informative
    Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article with a summary of the changes, along with some links elsewhere.

    This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.

    --
    Never email donotemail@WeAreSpammers.com
  3. Damned if they do, damned if they do not.. by Tominva1045 · · Score: 5, Insightful



    If they don't update their products people will comment on how much they suck.

    If they do update them people will claim instability due to the number of patches.

    It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.

    You decide.

    --
    Cogito Ergo Sum
  4. Schedule Over Security? by eldavojohn · · Score: 4, Interesting
    They do this so that every patch on the release board gets the full testing cycle it deserves.
    Imagine you are Microsoft. This means you have nearly unlimited resources and a consumer base of astronomical proportions. I would imagine that a testing cycle could be accelerated for something as small as patches by an adequately equipped, largely staffed team of people whose sole job is to know IE inside and out and study it daily.

    The following excerpt is alarming:
    Over the past year, Mozilla averaged about 21 days before it issued fixes for flaws in Firefox, compared with the 135 days it took for Microsoft to address problems.
    I wasn't aware a cycle constituted 135 days.
    Microsoft rarely releases patches off-schedule now.
    That's interesting.

    I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security. I shall take note of that.
    --
    My work here is dung.
    1. Re:Schedule Over Security? by Tim+C · · Score: 5, Interesting

      Unfortunately Microsoft does listen to its customers, and its biggest (and loudest) customers are corporate IT departments. Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

      No, MS doesn't always release patches as quickly as they could, but in this particular case it certainly looks as though they got it out at the earliest opportunity, where this is defined as "as quickly as the largest proportion of their customer base allows them to".

      I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security.

      Blame MS for bowing to pressure from their customers; blame the corporations for bringing that pressure to bear in the first place.

    2. Re:Schedule Over Security? by bunratty · · Score: 4, Interesting

      Couldn't they at least make the patch available ASAP to those who want it ASAP, and roll it out in a monthly patch cycle for those who want a monthly patch cycle? For the number and caliber of computer science researchers Microsoft has at its disposal, and the priority they've put on increased security, it's strange that they somehow haven't figured out how to do this. Is there some issue I'm not understanding?

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    3. Re:Schedule Over Security? by boskone · · Score: 5, Insightful

      yes...

      many exploits are made by examining the patch, so in most cases, it's better if everyone gets the patch at the same time (crackers and legitimate users) rather than the crackers getting it ahead of business users.

  5. Re:I DLed them this AM. A question... by gregarican · · Score: 4, Insightful

    Probably. There are many hidden places in Windows where the default browser might not be Firefox. For example, if you use Microsoft Lookout and have mail message format set as HTML perhaps. Or certain other apps might launch IE when displaying HTML content too. To play it safe I would download and install the patch.

  6. Re:ActiveX, Java and Flash controls may be impacte by Takeel · · Score: 4, Informative

    Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue [slashdot.org]. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article [techweb.com] with a summary of the changes, along with some links elsewhere.

    Amusingly, this behavior can be disabled with either a patch or a registry change.

  7. Re:How much longer is this going to be NEWS? by castoridae · · Score: 5, Insightful

    Why do we have to have a story every time a bug is fixed in IE or Firefox...?

    Because Slashdorks like ourselves keep reading them and posting comments. You can bet if people stopped reading & commenting, the editors would stop posting these stories.

  8. Re:Meanwhile... by dextromulous · · Score: 4, Insightful

    It's not leaked memory. See here for details. There is a difference between leaked memory (memory that is completely lost because it will never be deallocated) and caching (which is what Firefox does).

    Seriously though, if it is using 1.5gb of memory, you probably have it to spare, otherwise it wouldn't be using it. If this is still unacceptable, you can TURN IT OFF!

    --
    There are two types of people in the world: those who divide people into two types and those who don't.
  9. A fix was released long ago by Jugalator · · Score: 4, Funny

    Download here

    OK, OK, so I wanted to be different from those "get Firefox" jokes!

    --
    Beware: In C++, your friends can see your privates!
  10. Name change proposal by Spy+der+Mann · · Score: 4, Funny

    Let's rename "Internet Explorer" to "Apache Browser". After all, it's becoming "A patchy" browser! :D

  11. The article's title doesn't do it justice by suv4x4 · · Score: 4, Informative

    The patch in question patches not less than 10 critical patches in IE and Windows that can be used to compromise your system.