Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Flubs Patch, Putting Users At Risk

Posted by ryuzaki0 on from the i'm-working-here dept.

An anonymous reader writes "Microsoft is rushing to fix a flaw introduced by the company's latest security update to Internet Explorer. From the article: 'The flaw, initially thought to only crash Internet Explorer, actually allows an attacker to run code on computers running Windows 2000 and Windows XP Service Pack 1 that have applied the August cumulative update to Internet Explorer 6 Service Pack 1, security firm eEye Digital Security asserted. The update, released on August 8, fixed eight security holes but also introduced a bug of its own, according to Marc Maiffret, chief hacking officer for the security firm, which notified Microsoft last week that the issue is exploitable.'"

13 of 209 comments (clear)

  1. Re:Closed source strikes again by baadger · · Score: 5, Informative

    The difference is the Ubuntu slip up was fixed within hours, the Microsoft slip up ..is still counting...

  2. Just Please... by moehoward · · Score: 5, Informative


    Please don't automatically reboot my machines again when the patch's patch is installed. I have the custom options in MS Update to allow me to control install/reboot for the updates. Well, it ignored that this week and rebooted 2 of my machines for me.

    Then, I noticed that The Register had a couple of articles this week about the same thing happening to others.

    Just who in the hell does MS think they are?

    Oh, and if the patch's patch's patch needs a reboot as well, don't do that too.

    Oh, and if.... nevermind.

    --
    "If you want to improve, be content to be thought foolish and stupid." - Epictetus
  3. Re:will it cause problems? by Jamil+Karim · · Score: 3, Informative

    Due to some programs not functioning correctly with SP2, our department was explicitly told NOT to update to SP2. However, we've been applying all of the other patches that have come out. So, the scenario is more likely than you'd think. Microsoft even has a list of programs that don't work as intended under SP2.

  4. Re:will it cause problems? by Volante3192 · · Score: 2, Informative

    You can get an SP2 CD from MS through the mail at no charge. (Looks like they have possibly added in S&H, I didn't want to go through the entire procedure, I think even that was free before though. It's been a while).

  5. Re:Closed source strikes again by repruhsent · · Score: 0, Informative

    Moderators: how is this a troll? It's a valid counterpoint to the general opinion here that Windows is always worse than Linux in every way.

    If there was a flaw in Windows (a hypothetical one, I don't mean the one from today), and someone posted "Haha! This sort of thing would never happen if you used Ubuntu!" without the link to Ubuntu's screw up, it would moderated up - maybe not to 5, but it sure as hell wouldn't be moderated as a troll.

  6. Re:will it cause problems? by QRDeNameland · · Score: 2, Informative

    whilst this is no doubt a bit of a "d'oh" moment for MS I doubt it will be a serious problem for anyone. * For this to have any affect on you you need to have SP1 but have the latest update of security for IE 6, surely if anyone updated regularly and applied security updates they'd be using SP2 anyway...

    Well, count me as "not anyone". I still run Win2000 on two machines, and my one XP box is still SP1 because I refuse to install WGA. On the other hand, this now prevents me from using Windows Update as well so you could say it doesn't affect me, but I can still update through WindizUpdate though I'm not sure if the broken patch made it there or not.

    Point being...there are still people who haven't gone to SP2 or even XP yet and don't plan to, but they still install updates. They might be a small minority percentage-wise, but that doesn't mean there's not lots of them out there.

    --
    Momentarily, the need for the construction of new light will no longer exist.
  7. Re:will it cause problems? by Korin43 · · Score: 2, Informative

    Well isn't that ironic.. People too paranoid to update are having issues with bugs.

  8. Disable HTTP 1.1 by planckscale · · Score: 3, Informative
    I had a Win2K box on our network who's Internet Explorer kept crashing when she visited websites with lots of stuff going on (Java and Flash). I read around and found a work-around from Microsoft. The workaround involved going into IE Options and unchecking "HTTP 1.1" MS Article ID: 923762:

    Internet Explorer 6 Service Pack 1 unexpectedly exits after you install the 918899 update

    Additionally they go on to say in this article: A new version of security update 918899 is currently in development and will be released to all Microsoft Internet Explorer 6 Service Pack 1 customers by August 22, 2006.

    This patch was NOT released today - they LIED! :-) Since that change, the crashes stopped at least but now that this is out I have much move incentive to upgrade our last few W2K machines up to WinXPSP2.

    --
    Namaste
  9. Re:Closed source strikes again by giorgosts · · Score: 2, Informative

    yeah but if your sole computer in the house was ubuntu, no dual-boot, or if you were not a command-line wizzard, you wouldn't find the solution. In xp there is system restore. In ubuntu you have to boot a liveCD and wait for an (unsupported) fix (downgrade actually) by the ubuntu community over the internet.

  10. Re:will it cause problems? by westlake · · Score: 2, Informative
    Not necessarily, my aunt is on dialup and until recently she'd been patching herself up on SP1 because downloading a 290MB service pack just wasn't feasible

    At the risk of sounding redundant:

    1 The 300 MB download is for system administrators and others who need the SP in all possible configurations.

    2 Windows Update downloads all necessary components in the background. This shouldn't be a problem even over a dial-up connection.

    3 Service Packs are available on CD, for a nominal S&H charge.

  11. Re:Sick of this crap (OT) by WuphonsReach · · Score: 2, Informative

    Mmm, that reminds me... it's time to update my Knoppix+NTFSClone image...

    --
    Wolde you bothe eate your cake, and have your cake?
  12. Re:Question by mvdwege · · Score: 2, Informative
    p>
    Last I recalled, sp2 for XP had been out long enough even most corporations' IT departments to have tested and OKed it by now.

    It's not quite that simple. If you have a corporate install of several tens of thousands PCs using the same base OS package, then the base package must be compatible with all applications that are to be deployed upon it. Now, XP SP2 breaks several applications, this is a known fact. Therefore, it may be more trouble rolling out SP2 on short notice instead of keeping up with hotfixes and using other measures (firewalls, anti-virus, IDS) to keep on top of security vulnerabilities in the SP1 base package.

    Corporate installs are thus more likely to be one or more Service Packs behind. This has been common practice since NT4 times.

    Mart
    --
    "I know I will be modded down for this": where's the option '-1, Asking for it'?
  13. Re:Closed source strikes again by makomk · · Score: 2, Informative

    Any *true* Gentoo user (especially one running unstable, where it happens much more often) would know that every so often, "emerge -uD world" refuses to run due to package conflicts, and you have to manually unmerge, remerge, downgrade and/or upgrade the right package(s) (in the right order) to get it working again...