Microsoft Flubs Patch, Putting Users At Risk
An anonymous reader writes "Microsoft is rushing to fix a flaw introduced by the company's latest security update to Internet Explorer. From the article: 'The flaw, initially thought to only crash Internet Explorer, actually allows an attacker to run code on computers running Windows 2000 and Windows XP Service Pack 1 that have applied the August cumulative update to Internet Explorer 6 Service Pack 1, security firm eEye Digital Security asserted. The update, released on August 8, fixed eight security holes but also introduced a bug of its own, according to Marc Maiffret, chief hacking officer for the security firm, which notified Microsoft last week that the issue is exploitable.'"
Yes, but this is a hole created by a patch to fix a hole. On the whole, different and somewhat amusing. Or it would be amusing if I didn't have to administer Windows systems. :P
What if the Hokey Pokey really is what it's all about?
Not necessarily, my aunt is on dialup and until recently she'd been patching herself up on SP1 because downloading a 290MB service pack just wasn't feasible. The monthly updates themselves can sometimes be a big download.
I recently did a full reinstall of her system (at my place on cable) from a MS CD (managing to maintain her OEM activation), SP2, Firefox, Opera and IE7-beta3 and she's been good for ages now.
The annoying thing is, even on dialup with sparse on-off connectivity and surfing it's remarkably easy to get infected. Don't underestimate the number of people who *CAN'T* keep up to date.
Likely they rushed this patch to get it ready for the patch day and they did not fully test it. M$ will be better off putting the updates out when they are done, not on a fixed time table.
8 bugs have been replaced with 1 bug. That is an improvement unless the bugs it fixed were all minor bugs.
You trust that site?
And Bill Gates has said this new OS is going to be the whing dinger of all time.
Meaning, the number of serious holes is going to be astonishing, because they are so sophisticated and well hidden that only the best hackers can find and exploit them without users and IT admins finding them.
Aaaaak
I was once running an experiment for a prof. The computer controlling the experiment has a GPIB card, which is controlling several other devices in the room (PID temperature controller, lock-in amp, yada yada yada.) The software running the experiment was written in LabVIEW.
I'm in the middle of a nine-hour experiment when this dialog box pops up. "Your computer will restart in 5 minutes to apply updates."
Now, let's review. What have I done wrong?
- This isn't a server
- AFAIK there is no "LabVIEW" for Linux. I could have written all the GPIB software in C but then no one else would have the expertise to change it, plus getting the card to work in Linux would probably be hell
- I'm not using IE
- Windows update is on? Oh, that's what I'm doing wrong.
Luckily my software is much better written, so I was able to discontinue and resume the experiment without losing data. But still, is this the kind of OS that is intended for a production environment? "Who the hell do they think they are" indeed.
"Live as if you'll die tomorrow." Ridiculous. You could die later today.
Also note that the patch mentioned in KB923762, which is available only by calling Microsoft and explicitly asking for it, was compiled on August 4th!
So, they KNEW about this problem at the time they sent out 918899 to the world via Windows Update!
They already had the fix available, but they chose to neither include it in 918899 nor to withhold 918899 from release on August 8th.
It caused some damage at work. We had to ask for the KB923762 fix, which took 3 days to get (because we buy computers with Windows installed, so we cannot call Microsoft but have to go via Dell).
IMHO it is gross neglect by Microsoft to knowingly release a defective update for which a better version already is available.
See what I mean. All Hail the 'Soft.
Oh wait, it's actually a new bug. Or wait, it's just the same bug over and over.
Seriously, how is this news? Everyone with even half a clue (and certainly almost all /. readers) recognizes that MS will repeatedly issue patches, patches to patches, and will never really fix anything. Anyone with any sense in the IT/Net field that STILL actually uses Internet Explorer except in a heavily restricted sandbox for testing websites that the driveling masses will use it to visit is either too ignorant or blindly loyal to care about security.
If for some reason /. really thinks this needs to be news, just add it as a permanent headline. In fact, heck, maybe it should get its own whole section: 'Security update to MS software introduces new security hole'