Microsoft Flubs Patch, Putting Users At Risk
An anonymous reader writes "Microsoft is rushing to fix a flaw introduced by the company's latest security update to Internet Explorer. From the article: 'The flaw, initially thought to only crash Internet Explorer, actually allows an attacker to run code on computers running Windows 2000 and Windows XP Service Pack 1 that have applied the August cumulative update to Internet Explorer 6 Service Pack 1, security firm eEye Digital Security asserted. The update, released on August 8, fixed eight security holes but also introduced a bug of its own, according to Marc Maiffret, chief hacking officer for the security firm, which notified Microsoft last week that the issue is exploitable.'"
Whilst this is no doubt a bit of a "d'oh" moment for MS, I doubt it will be a serious problem for anyone.* For this to have any effect on you, you need to have SP1 but have the latest security update for IE 6; surely if anyone updated regularly and applied security updates they'd be using SP2 anyway...
*If I'm wrong, correct me; not being a Windows user, it's hard to remember what service pack is current.
Some clients accessing systems at the Chicago Board of Trade were rendered useless by this bug; the flaw essentially resulted in a crash on login. Didn't know until today that it was exploitable, though.
The solution for us was simple: install Firefox on affected clients. Problem solved, users happy.
-Rob
I bet that a lot of what they're talking about isn't so much "work" as having the automatic update option set to "on" by default, and most users not knowing or caring about it. And still, most users won't care about this issue either, as it too will be automatically fixed when the patch is released and downloaded by the updating service that they may not even be aware they have running.
I'm not saying this is a good or bad thing, I'm just saying.
Wake me up when there is a security risk that doesn't need to go through IE.
That's precisely the problem. I, and I assume countless other users, have the automatic update installation turned off because every damned time I go to install an update, I have to reboot the machine, and it annoys the hell out of me, FUBARing applications by stealing focus (or worse, not, and not allowing me to abort it) until I do. On the machines that are up for weeks at a time, that means that the updates get installed in batches, not immediately, which is precisely what Microsoft seems to be trying to avoid. The key for Microsoft is going to be coming up with the ability to install updates without forcing a reboot. Then, and only then, will they have a very high level of compliance among systems that truly matter (i.e., not Bob's dialup machine, but Steve's server he has hanging out on a DSL line 24/7/365).
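As an added example (not code from the thread or from Microsoft), here is how an administrator can check the Automatic Updates policy on a Windows box, including the policy value that stops the service from rebooting while someone is logged on and the marker that tells you a restart is already pending. The registry paths and value names are the documented WindowsUpdate\AU policy keys; the interpretation table and the script structure are this example's own.

```powershell
# Added example: inspect the Automatic Updates (AU) policy and pending-reboot state.
# Paths and value names are the standard WindowsUpdate policy keys; the
# human-readable labels for AUOptions are this example's own summary.

$auPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$rebootRequiredPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

# AUOptions values as documented for the AU policy key.
$auOptionLabels = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Get-AutoUpdatePolicy {
    # If the policy key is absent, no domain/local policy is forcing AU behaviour
    # and the per-machine default (or the user's Control Panel choice) applies.
    if (-not (Test-Path $auPolicyPath)) {
        return [pscustomobject]@{
            Policy        = 'no policy set (defaults apply)'
            NoAutoReboot  = $false
            PendingReboot = (Test-Path $rebootRequiredPath)
        }
    }

    $p = Get-ItemProperty -Path $auPolicyPath

    $policy = if ($p.NoAutoUpdate -eq 1) {
        'Automatic Updates disabled by policy'
    } elseif ($auOptionLabels.ContainsKey([int]$p.AUOptions)) {
        $auOptionLabels[[int]$p.AUOptions]
    } else {
        'AUOptions not set'
    }

    [pscustomobject]@{
        Policy        = $policy
        ScheduledDay  = $p.ScheduledInstallDay    # 0 = every day, 1..7 = Sunday..Saturday
        ScheduledTime = $p.ScheduledInstallTime   # hour of day, 0..23
        # 1 means the scheduled install will not reboot while a user is logged on;
        # this is the policy setting that addresses the forced-reboot complaint above.
        NoAutoReboot  = ($p.NoAutoRebootWithLoggedOnUsers -eq 1)
        # The RebootRequired key is created when an installed update is waiting for a restart.
        PendingReboot = (Test-Path $rebootRequiredPath)
    }
}

Get-AutoUpdatePolicy | Format-List
```

Run it from an elevated prompt; reading HKLM policy keys normally works as a standard user, but the results are only meaningful on a machine where the AU policy is actually managed. If `NoAutoReboot` is false and `PendingReboot` is true, the next scheduled install window will restart the machine regardless of who is logged on.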
Or they could just change the icon. Laugh! It's funny!
Yes, but this is a hole created by a patch to fix a hole. On the whole, different and somewhat amusing. Or it would be amusing if I didn't have to administer Windows systems. :P
Actually, this really isn't unique. There have been a few of these in the past. And only after some noticed this was happening; who knows how often it happened before people took notice of the fix busting other code than that fixed.
I used to admin a mainframe and keep up on patches rigorously, as we had any number of weasels in the labs waiting for us to leave our guard down for 'arf a mo'. One patch back then did indeed open a hole, but the vendor (DEC) was on top of it within days and overnighted a patch tape to fix it. Even then, they advised us how to block any attempts while we waited for the patch tape.
You know, we've had three "patch regression" stories this month. Before the Ubuntu and Windows stories at hand, Mozilla had to turn around a quick point release for Firefox, to fix a regression that blocked the MMS protocol.
Despite everybody's best efforts and practices, sometimes a regression bug reaches production. And while the grandparent comment was a bit snarky about it, I would hope that whoever down-modded that comment did so to rebuke the tone, not to deny or suppress the underlying issue.
If you unplug the power cord and make the laptop go to battery power, it will give up applying the rest of the updates. You'll then have to apply them the next day when you shut down.
I did that for about a week until I actually had enough time to sit there and watch it finish installing updates and shut down.
IIRC, according to the Jargon File, Windows has reached critical mass.
critical mass: n. Of a software product, describes a condition of the software such that fixing one bug introduces one plus epsilon bugs. (This malady has many causes: creeping featurism, ports to too many disparate environments, poor initial design, etc.) When software achieves critical mass, it can never be fixed; it can only be discarded and rewritten.
Vista is their re-write, which is an admission of this situation.