Microsoft Flubs Patch, Putting Users At Risk
An anonymous reader writes "Microsoft is rushing to fix a flaw introduced by the company's latest security update to Internet Explorer. From the article: 'The flaw, initially thought to only crash Internet Explorer, actually allows an attacker to run code on computers running Windows 2000 and Windows XP Service Pack 1 that have applied the August cumulative update to Internet Explorer 6 Service Pack 1, security firm eEye Digital Security asserted. The update, released on August 8, fixed eight security holes but also introduced a bug of its own, according to Marc Maiffret, chief hacking officer for the security firm, which notified Microsoft last week that the issue is exploitable.'"
The "MS has a security hole" post has now become trite, cliché, and dare I say it.... (-1, Redundant)
Cliff Claven
K.E.G. Party Chairman
Founding Leader of: Koncerned for Egalitarin Governance
As long as, over the course of a year, the number of security holes plugged by the patches manages to outnumber the number of security holes introduced by these same patches, we're in real good shape right?
Where were you when the voynix came?
...to switch to Vista. That way, this sort of thing will never happen again. You betcha.
Weaselmancer
Ridiculous.
The update, released on August 8, fixed eight security holes but also introduced a bug of its own, according to Marc Maiffret, chief hacking officer for the security firm, which notified Microsoft last week that the issue is exploitable.
Chief Hacking Officer? I wasn't aware companies had those these days.
The theory of relativity doesn't work right in Arkansas.
Haha! This sort of thing would never happen if you used Ubuntu!
I'll probably be modded down for this...
Whilst this is no doubt a bit of a "d'oh" moment for MS, I doubt it will be a serious problem for anyone. * For this to have any effect on you, you need to have SP1 but have the latest security update for IE 6; surely if anyone updated regularly and applied security updates they'd be using SP2 anyway...
*If I'm wrong correct me, not being a windows user it's hard to remember what service pack is current
*''I can't believe it's not a hyperlink.''
Some clients accessing systems at the Chicago Board of Trade were rendered useless by this bug; the flaw essentially resulted in a crash on login. Didn't know until today that it was exploitable, though.
The solution for us was simple: install Firefox on affected clients. Problem solved, users happy.
-Rob
Biblical fiscal responsibility
Yes, but this is a hole created by a patch to fix a hole. On the whole, different and somewhat amusing. Or it would be amusing if I didn't have to administer Windows systems. :P
What if the Hokey Pokey really is what it's all about?
The incident may undo a great deal of the work that Microsoft has done to convince users to trust its software updates and install them by default.
Whose trust did they gain again? Which users? Certainly wasn't me!
Sure, exploits in Windows are nothing new, but when the exploit is introduced as a result of Microsoft trying to fix OTHER exploits, it's not only new(ish), but also funny. Maybe not pants-wettingly hilarious (but perhaps pants-wettingly frightening if you're a Windows user), but funny nonetheless.
Please don't automatically reboot my machines again when the patch's patch is installed. I have the custom options in MS Update to allow me to control install/reboot for the updates. Well, it ignored that this week and rebooted 2 of my machines for me.
Then, I noticed that The Register had a couple of articles this week about the same thing happening to others.
Just who in the hell does MS think they are?
Oh, and if the patch's patch's patch needs a reboot as well, don't do that too.
Oh, and if.... nevermind.
"If you want to improve, be content to be thought foolish and stupid." - Epictetus
You should recall why it is so important to test patches before releasing them next time you want to karma whore by flaming Microsoft for "taking too long to release patches". That's called QA.
Do you ever get the feeling that IE6 is like a cartoon character's hole-riddled rowboat?
The cartoon character (let's just say it's Elmer Fudd) tries to plug a leak with his thumb, only to have another pop open on the other end of the boat. He stretches over there to plug it with his other hand. A third appears, and he has to use his toe. Eventually, the number of leaks outnumbers the number of limbs (or at least the number of limbs one is allowed to show on TV. *wink* *wink*), and the boat finally goes down. A Fox riding in a motorboat then speeds by...
IE is a Microsoft product, so we will always be safe and up-to-date.
Now, I must not forget to post anonymously...
Popcorn, anyone?
Likely they rushed this patch to get it ready for patch day and did not fully test it. M$ would be better off putting the updates out when they are done, not on a fixed timetable.
...that Microsoft is going to have to release a patch to the patch?
Only SP1? Why would anyone with either XP or 2k have just patched other software but be at least a service pack behind?
Last I recalled, SP2 for XP had been out long enough for even most corporations' IT departments to have tested and OKed it by now.
Dean, the IE General Manager, is a Microsoft partner so this should only be viewed as a potential promotion opportunity for VP. Get the partner bonus, fsck up, move up!
"Some clients accessing systems at the Chicago Board of Trade were rendered useless by this bug; the flaw essentially resulted in a crash on login. Didn't know until today that it was exploitable, though."
Good job, Winthorp.
"Seize all assets of Duke & Duke Commodity Brokers, as well as all personal holdings of Randolph and Mortimer Duke."
"We're ruined!"
"This is an outrage, I demand an investigation."
"You can't sell our seats. A Duke has been on this exchange since it was founded."
"We founded this exchange. It's ours. It belongs to us!!!"
You know, like goldy or coppery, only with iron. Microsoft is the John Holmes of security. Sure, they'll "patch your hole," but that's just gonna make your hole bigger.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
cliched
What if Band-Aid ran their business this way?
"Oh, never mind that our latest shipment of bandages had sharp rusty jagged bits of razor blades embedded in the cloth".
Or office building sprinkler systems?
"We at Paragon Office Protection Systems do not think it is anything to get upset about that our sprinkler system sprayed gasoline instead of water on that paper-room fire last week."
My computer is full of snakes!
MS brought in those Mozilla developers to fix the problem
What? No goatse.cx link?! goatse needs a new caption: "Microsoft Customer."
Oh... wait. THATS ME
Wake me up when there is a security risk that doesn't need to go through IE.
Technoli
8 bugs have been replaced with 1 bug. That is an improvement unless the bugs it fixed were all minor bugs.
...Microsoft has a security problem, which most people will acknowledge is a constant thing. They release patches, which everyone will acknowledge happens pretty much monthly. There's a story on the /. front page complaining about how they botched the patch.
Ubuntu has a problem today, which basically renders machines inoperable that update their X software today. Ubuntu doesn't have as many security problems as Microsoft (for a lot of reasons, I imagine, but I tend to think it's because of the much smaller installation base). Heck, this issue doesn't even affect security, which isn't quite as important as functionality (seriously; the number of exploits for this Microsoft problem will be small, and the number of Ubuntu users locked out of their machines is probably something like 60%, given the small numbers of their user base).
Given all of this information, there is no front page story on the Ubuntu fuck up of today. Biased? Of course. Unexpected? Definitely not; this is Slashdot; News for Nerds, Stuff that Matters, assuming you use Linux. Everyone else need not apply.
As that would generate the usual screed of MS apologists modding down anyone here who dare mock the Holy Windows.
I really don't understand why Microsoft doesn't just use their marketing power and explain how executing code from another machine is actually a feature. There is really no need to purchase applications such as pcAnywhere. Thank God for Microsoft saving us all that money!
4) Check that the GUI appears.
Or they could just change the icon. Laugh! It's funny!
Hehe, I got modded troll anyway, I might as well have...
That's why he uses the ACME browser.
There a users who get terribly confused with multiple windows of a browser, so they use multiple browsers to keep track of their multi-tasking. I, however, have 7 different browsers on my work computer: it's part of my job to ensure the stuff I work on at least functions.
"Yes, but this is a hole created by a patch to fix a hole. On the whole, different and somewhat amusing. Or it would be amusing if I didn't have to administer Windows systems. :P"
Actually this really isn't unique. There have been a few of these in the past. And that's only after someone noticed it was happening; who knows how often it happened before people took notice of a fix breaking code other than what it fixed.
I used to admin a mainframe and keep up on patches rigorously, as we had any number of weasels in the labs waiting for us to leave our guard down for 'arf a mo'. One patch back then did indeed open a hole, but the vendor (DEC) was on top of it within days and overnighted a patch tape to fix it. Even then they advised us how to block any attempts while we waited for the patch tape.
A feeling of having made the same mistake before: Deja Foobar
Man, M$ sure does release a lot of new undocumented features.
Eight steps forward, one step back. That isn't so bad is it, it's still progress. :-/
Mod parent up!! Seriously. I guess it's still worth reporting, just to let those of us who are unfortunate to have to deal with it know, but it's not really news anymore. And there certainly can't be anything to discuss or post comments about.
Are you sure the submitter meant "Patch"? It's clear they meant "Operating System".
Internet Explorer 6 Service Pack 1 unexpectedly exits after you install the 918899 update
Additionally they go on to say in this article: A new version of security update 918899 is currently in development and will be released to all Microsoft Internet Explorer 6 Service Pack 1 customers by August 22, 2006.
This patch was NOT released today - they LIED! :-)
Since that change, the crashes stopped at least, but now that this is out I have much more incentive to upgrade our last few W2K machines to WinXP SP2.
Namaste
If you unplug the power cord and make the laptop go to battery power, it will give up applying the rest of the updates. You'll then have to apply them the next day when you shut down.
I did that for about a week until I actually had enough time to sit there and watch it finish installing updates and shut down.
And Bill Gates has said this new OS is going to be the whing dinger of all time.
Meaning, the number of serious holes is going to be astonishing, because they are so sophisticated and well hidden that only the best hackers can find and exploit them without users and IT admins finding them.
Aaaaak
Holy Patch Batman!
Bet you've never heard that before either.
Get your tagline off my lawn.
The issues with the patches from this month affect desktops that are not on XP SP2. Windows XP SP2 has been out for long enough for even large organizations to put it through adequate QA. Not having SP2 on your desktop is a gaping hole, and issues with these patches highlight the risk faced by laggards. I think that those who complain about lack of response by MS to address issues with a security patch that affect only XP SP1 are misplaced. They should be asking themselves why it's taken them so long to deploy a service pack that's been out for almost two years!
W.C. Fields's The Fatal Glass of Beer.
This forced reboot was sort of the fatal piece of rudeness. Overriding my settings. The nerve!
I am with The Register guy who sent MS an invoice for downtime.
Who needs a virus when you have this kind of stuff?
"No fear. No envy. No meanness." Liam Clancy
Siebel is totally FUBAR due to this patch, and the stupid "compatibility" patch to fix it is broken and won't install on any machine. Why the fuck do people write IE-only applications, and why the fuck does MS release broken patches all the time? It's like they don't even bother beta testing them. Now we are stuck with the choice of either a vital piece of software being down or a giant gaping security hole - thanks Microsoft!
As a system administrator for a small (200-employee) company where I was previously employed, I can safely state that THE LARGEST PRODUCTIVITY KILLERS were not viruses but malware made possible by the wonderful insecurities of Internet Exploder!!!!
In general it was not even the quality of the security features of the application itself, it was the following problems:
1. that ActiveX/Active Scripting is enabled by default
2. that the browser is so closely integrated with the rest of the operating system
3. that IE is so commonly used and so commonly trusted (it is in the required list for most IT departments of most companies etc...)
I was once running an experiment for a prof. The computer controlling the experiment has a GPIB card, which is controlling several other devices in the room (PID temperature controller, Lock in amp, yada yada yada.) The software running the experiment was written in LabVIEW.
I'm in the middle of a nine-hour experiment when this dialog box pops up. "Your computer will restart in 5 minutes to apply updates."
Now, let's review. What have I done wrong?
- This isn't a server
- AFAIK there is no "LabVIEW" for Linux. I could have written all the GPIB software in C but then no one else would have the expertise to change it, plus getting the card to work in linux would probably be hell
- I'm not using IE
- Windows update is on? Oh, that's what I'm doing wrong.
Luckily my software is much better written, so I was able to discontinue and resume the experiment without losing data. But still, is this the kind of OS that is intended for a production environment? "Who the hell do they think they are" indeed.
"Live as if you'll die tomorrow." Ridiculous. You could die later today.
Oh well, thanks to this flaw crashing IE constantly I had to switch to Firefox, and I'm sure a lot of people did the same. Nice way to push everyone at the office to give Firefox a try :)
Funny how it's an EOL product and a down patched version of the "standard".
Sorry my conspiracy is showing...
Why isn't XP SP2 or 2003 SP1 affected?
Blame the user, not the software.
This is pretty typical from what I've seen.
Although I'm an IT professional, I'm speaking as an end user here.
Last night my laptop (our company's corporate build, no additions or weird stuff) auto-applied a bunch of patches. When I came in this morning, it told me to reboot. No problem. Reboot to...bluescreen. Did some digging, and found that my install is hosed. I can't do anything until I get an XP boot CD and get to a rescue console. I have no clue if it's SP1 or SP2, and quite honestly, I shouldn't have to. If I had this sort of difficulty with a car, a furnace, or a kitchen appliance, it would go RIGHT BACK TO THE MANUFACTURER! There is no way a company
This isn't a rant against MS per se, it's against all shitty computer companies (hardware and software) who build shitty products that can't do the job they're designed for in a reliable and consistent manner. The entire computer industry needs to be taken out back and shot.
Yeah, I'm railing and blowing off steam here. Doesn't matter--I challenge you to come up with a single product in the industry that (a) does what it's supposed to, in a (b) reliable and (c) consistent manner.
Linux? Nope. Firefox? Close, but nope. MS Office? Nope. OpenOffice? Nope. Any and all media players? Nope. Most hardware now? Nope.
This industry is pathetic. It shouldn't be allowed to exist, let alone thrive.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
...so that you could remove the speck from your brother's.
The ratio of code to flaws is now 1:0.8 Internet Explorer will stop seeding at 1:2
It's a bit like the old-style advertisements you used to see, but with a twist.
"Microsoft... putting users at risk since Windows 3.0."
Nothing new here. Here, tell you what. They're going to do it again in less than 2 months. bet me.
I work for the Department of Redundancy Department.
"run code on computers running Windows 2000 and Windows XP Service Pack 1"
Why would you use Service Pack 1 when Service Pack 2 has been out there since ages?
IIRC, according to the Jargon File, Windows has reached critical mass.
critical mass: n. Of a software product, describes a condition of the software such that fixing one bug introduces one plus epsilon bugs. (This malady has many causes: creeping featurism, ports to too many disparate environments, poor initial design, etc.) When software achieves critical mass, it can never be fixed; it can only be discarded and rewritten.
Vista is their re-write, which is an admission of this situation.
Well, it only affects SP1, according to the summary, so fully updating your software fixes it. I would tend to call that a nonissue, but whatever.
...it's really a sad day for America when we require a goddamn ACT OF CONGRESS to make our DVD players work properly. ~
Oh wait, its actually a new bug. Or wait, its just the same bug over and over.
Seriously, how is this news? Everyone with even half a clue (and certainly almost all /. readers) recognize that MS will repeatedly issue patches, patches to patches, and will never really fix anything. Anyone with any sense in the IT/Net field that STILL actually uses Internet Explorer except in a heavily restricted sandbox for testing websites that the driveling masses will use it to visit is either too ignorant or blindly loyal to care about security.
If for some reason /. really thinks this needs to be news, just add it as a permanent headline. In fact, heck, maybe it should get its own whole section: 'Security update to MS software introduces new security hole'.
Internet Explorer? Internet what? Oh! The Firefox clone! I didn't know people used that anymore. ;)
Why don't you spring for a 512Mb Flash disk? About $30 or less.
I have dial-up also (and a telephone line that's lying in a swamp (it still pulls 37kbs, but that's another story)
When I need to do a windows update such as SP2, I simply visit a friend a few miles away, within town limits, who has 4mbs hi-speed.
The download for SP2 took about 5 min or so; I think copying it onto my flash disk took longer.
Since then I have installed SP2 onto the XP of several other poor deprived ruralites.
Any download of more than 12 meg is done in this manner.
Read more of my travails:
http://www.plonque.com/aqk/bell.htm
Not much has changed in ten years!
- Tony www.tonyking.tk
- aqk
F U
"Microsoft flubs operating system design, putting world at risk"
If you have XP Professional (this doesn't work with Home), open the Group Policy Editor by using Run from the Start menu to run gpedit.msc.
From the tree in the left menu pane go to Administrative Templates -> Windows Components -> Windows Update.
First you have to set 'Configure Automatic Updates' (or no other settings will work). I recommend setting it to '4 - Auto download and schedule the install' (same as the automatic option in System Properties). Then simply set 'No auto-restart for scheduled Automatic Updates installations'. With this option set, Windows will wait for you to reboot. You should also set 'Allow Automatic Updates immediate installation'; this allows updates that do not need a reboot to install immediately.
Further, if you normally run as a normal user (yes, on /., it is possible), set the last option in the list and you will receive notifications when updates are being downloaded.
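The gpedit.msc settings described in the post above are stored as registry values under the WindowsUpdate policy key, which is what the Automatic Updates client actually reads. The script below is an added example, not code from the post or from Microsoft: it writes the same four settings (download-and-schedule, no auto-restart with a user logged on, immediate install of reboot-free updates, notifications for non-admins) directly to the registry and then audits that they stuck. The value names and the policy key path are the documented ones; the function names and the desired-state table are this example's own. It needs an administrator session.

```powershell
# Added example, not part of the original post. Registry equivalent of the
# gpedit.msc Windows Update settings described above. Run elevated.
# Use Set-AutoUpdatePolicy -WhatIf to preview changes without writing.

$AUPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WUPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Desired state (this example's own table, mapping each GPO setting to its
# registry value):
#   Configure Automatic Updates = 4 (auto download, schedule install)
#   No auto-restart for scheduled installs            -> 1
#   Allow immediate installation of reboot-free fixes -> 1
#   Allow non-administrators to receive notifications -> 1
$Desired = @(
    @{ Path = $AUPath; Name = 'NoAutoUpdate';                  Value = 0 }
    @{ Path = $AUPath; Name = 'AUOptions';                     Value = 4 }
    @{ Path = $AUPath; Name = 'NoAutoRebootWithLoggedOnUsers'; Value = 1 }
    @{ Path = $AUPath; Name = 'AutoInstallMinorUpdates';       Value = 1 }
    @{ Path = $WUPath; Name = 'ElevateNonAdmins';              Value = 1 }
)

function Set-AutoUpdatePolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($s in $Desired) {
        # The Policies\...\WindowsUpdate keys do not exist until a policy
        # has been applied at least once, so create them on demand.
        if (-not (Test-Path $s.Path)) {
            New-Item -Path $s.Path -Force | Out-Null
        }
        $target = '{0}\{1}' -f $s.Path, $s.Name
        if ($PSCmdlet.ShouldProcess($target, "set DWORD to $($s.Value)")) {
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
        }
    }
}

function Test-AutoUpdatePolicy {
    # Returns $true only when every desired value is present and matches;
    # writes a warning for each drift so the output is usable in a login
    # script or a scheduled compliance check.
    $ok = $true
    foreach ($s in $Desired) {
        $actual = $null
        if (Test-Path $s.Path) {
            $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.$($s.Name) }
        }
        if ($actual -ne $s.Value) {
            $shown = if ($null -eq $actual) { '<missing>' } else { $actual }
            Write-Warning ('{0}\{1}: expected {2}, found {3}' -f $s.Path, $s.Name, $s.Value, $shown)
            $ok = $false
        }
    }
    return $ok
}

# Apply, then verify. The AU client picks the policy up on its next cycle;
# gpupdate forces the policy refresh immediately.
Set-AutoUpdatePolicy
if (Test-AutoUpdatePolicy) {
    Write-Host 'Automatic Updates policy is as desired.'
    gpupdate /force | Out-Null
}
```

The same key is what Group Policy writes when you use gpedit.msc, so the two methods do not conflict; a domain GPO that sets these values will overwrite whatever the script wrote at the next refresh, which is the point of Test-AutoUpdatePolicy: run it after a refresh to see whether the forced-reboot setting came back.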
My advice: don't use Windows products; they leave you at the worst moment, and Joe does not learn.
Years and years of the same song.
Yes, I like bad karma.
*Little Rubber Feet
Honestly, Internet Explorer 6 is like a bridge falling apart that Microsoft is attempting their best to keep above water.
At least they have Internet Explorer 7 coming out (although that'll horribly mess up practically every website, as many of us have had to make CSS sheets for all browsers and then a separate one for IE6).
Just let IE6 die already... get IE7 out ASAP (but after Christmas, etc. please as to not mess with ecommerce too much).
I might be slightly off about whether it applies to this patch, or one that was also sent out last week, but it also messed up XP's ability to deal with compressed/zipped folders if you're running SP1, like we are at my work. You can create a zip file fine, but you cannot rename or open it through explorer. You can't get to the right-click menu at all (to copy/rename/delete etc.). It's totally been screwing with me all week. Also, you can't access the My Documents icon on your desktop, although it still works fine through Explorer and from the start menu.