Slashdot Mirror


Microsoft Patches 19 Flaws, 6 in Vista

Cheesy Balogna writes "Microsoft has just released seven advisories — all rated critical — with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser. Six of the 19 vulnerabilities affect Windows Vista. 'There are patches for 7 different vulnerabilities that could lead to code execution attacks against Word, Excel and Office. Users of Microsoft Exchange are also urged to pay attention to one of the critical bulletins, which cover 4 different flaws. A cumulative IE update addresses six potentially dangerous bugs. There are the six that apply to IE 7 on Windows Vista. The last bulletin in this month's batch applies to CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system hijack attacks.'"

9 of 307 comments

  1. Re:Changes Default Browser by Kandenshi · · Score: 2, Informative

    Happened to me as well, which was ... confusing.

    Then I adjusted my thinking to Microsoft's point of view and tried to figure it out.

    Now that IE7 is patched, it's much more secure than Firefox could ever be! Changing IE7 back to default is much like a firewall, an ounce of prevention is worth a pound of cure eh? By trying to get us back using IE7 they're just trying to prevent all the malware from getting on our systems, much like most of the rest of the patches.

    It's a bit screwy, but that's the best rationalization I could come up with, anyone got a better one?

  2. Summary was incorrect by SEMW · · Score: 4, Informative

    Actually, the summary was incorrect regarding Vista: at least one of the vulnerabilities in question ("Uninitialized Memory Corruption Vulnerability CVE-2007-0944") is not present in Vista, and contrary to the summary's implication, only two out of the Vista vulnerabilities (CVE-2007-0945 and CVE-2007-2221) are rated critical.

    Not, of course, that this excuses MS in any way (two is still two too many), but the summary was still rather misleading.

    --
    What's purple and commutes? An Abelian grape.
  3. Re:Linux patches? by abigor · · Score: 3, Informative

    Slashdot is CmdrTaco's blog site. It is biased by its very nature. It makes no claims to objectivity or to be a "true" news site. To put it another way, it's an opinion site by design.

  4. Re:Linux patches? by tknd · · Score: 2, Informative

    Frankly, I'm now getting tired of the number of posts with the same tone as yours. You lament losing Karma in a sea of angry "Linux-zealot" mods, but I would guess you will be modded up, not down.

    But that's the problem. Had he not posted in that type of tone, he might not have gotten modded up. I've seen many good posts defending Microsoft products without flaming the opposition yet when they hit the 4 or 5 moderation marks, people keep trying to mod them down.

    I'm sure even if you removed all of the modded up Funny posts (which often are stabs at MS but cloaked with humor) I'm sure you'd see a clear anti-MS bias in moderation. That is, you're more likely to get modded up if you choose to post anti-MS comments.

    People here are also quick to mod up any frustration with MS products even when they're just flames, yet when you see the comments about frustrations for Apple or Linux, you often get responses to the person having frustrations showing good light for Apple/Linux/etc modded up, not the parent frustration.

  5. Only One of the Vista Bugs was "Critical" by ThinkFr33ly · · Score: 4, Informative

    Only 1 of the 6 bugs that affected Vista was rated "critical". (Critical is typically reserved for bugs that could allow somebody to remotely take over the machine.)

    In the case of the one bug that was rated critical, the rating was dependent on several mitigating factors, including that the user is running as full admin with UAC turned off. (Obviously not the default configuration.)

    Only in that scenario could the machine be compromised, and even then the successful execution of exploit code was unlikely thanks to ASLR and various other security measures. It was far more likely to simply cause a browser crash.

    Considering Vista has been out since November of last year, its security record so far has been extremely impressive.

  6. Re:No flaws in Vista itself, all 6 in IE7 by sid0 · · Score: 3, Informative

    I'm calling bullshit.

    On what? That IE7 was developed independently of Vista?

    Of course it was developed independently. It was released long before Vista was.

    Microsoft has been saying for 10 years that IE is INSEPARABLE from Windows.

    They are correct in a sense.

    While IE can be removed from Windows XP (I'm not sure about Vista) using XPlite, doing so breaks a lot of other things in Windows (help files etc). Trust me, I've tried it.

    Any flaw in IE is a flaw in Windows.

    I can see the argument for it, although I'll disagree. When I say "Vista" I mean the kernel + the subsystems (graphics, audio, network etc) + the security layer (UAC, digital signatures). The internet browser bundled with the OS -- especially when it is made available for another couple of OSes, and the development team is not part of the Vista development team -- doesn't count as part of the OS.

    Plus, you have the choice of browser. You do not have the choice of subsystem or kernel.

    The help files are non-essential stuff, so you can technically use Vista or XP without ever seeing IE. I cannot say the same for the other things.

  7. Re:Changes Default Browser by Anonymous Coward · · Score: 1, Informative

    Are you sure Firefox is not actually the browser?

    http://www.zoliblog.com/blog/_archives/2007/3/26/2836828.html

  8. Re:No flaws in Vista itself, all 6 in IE7 by ad0gg · · Score: 2, Informative

    You can't separate IE from Windows. It will break the Windows help system which uses the IE renderer. It will break apps that depend on the IE engine (about boxes use this a lot with HTML/ActiveX that hooks into application). Removing IE Engine from Windows would be like removing Konqueror (really the KHTML engine) from KDE.

    --

    Have you ever been to a turkish prison?

  9. Vista patches by obeythefist · · Score: 2, Informative

    The Vista patches are all just to disable the one-click activation hacks that are circulating.

    --
    I am government man, come from the government. The government has sent me. -- G.I.R.