Microsoft Rushes Internet Explorer Patch
drquoz writes "Last week, it was reported that a critical security flaw was found in Internet Explorer. On Tuesday, experts were advising users not to use IE until a patch could be released. On Wednesday, Microsoft released the patch. An interesting quote from the article: 'Kandek suggests that Microsoft is at a disadvantage in updating Internet Explorer because its browser doesn't have a built-in update mechanism like other browser makers. Mozilla, for instance, just released Firefox 3.05 to Firefox users through its auto-update system.'"
Sorry...but, "huh?"
Tools-Windows update. Or it is updated automagically if you have auto updates turned on.
I did RTFA, but I still didn't understand that comment.
-JJS
Internet Explorer may not have an auto-update system, but Microsoft Windows has an update system rivaling that of Ubuntu and OS X in automaticness, if not scale.
Since Windows encourages users to allow automatic updates installed at 3am every morning and also by default installs any pending critical updates at system power down, it doesn't seem like any supported version of Internet Explorer should remain unpatched for too long.
I found this this morning in my Windows Updater log:
"
Security Update for Internet Explorer 7 in Windows Vista (KB960714)
Installation date: 12/18/2008 3:01 AM
"
If Microsoft had the same reputation that Mozilla did for their updates not screwing the pooch then maybe I would consider using that kind of auto-update feature.
Then again, I only use Firefox, and would never consider using IE. At what point do even common household users realize that IE is not the way to go?
No -- Firefox is at the disadvantage. If you're a single user running as administrator, its auto-update is great. However, the users (all running limited accounts) on our Windows/Samba network will have to wait until I install the new update manually because there is no built in mechanism for administrators to push out updates.
And should I use my cobbled together scripts to push out a security update for Firefox on the last day of finals when it might break everything, or should I wait until Monday?
On the other hand, the WSUS server that I set up worked exactly like it was supposed to last night.
...because its browser doesn't have a built-in update mechanism like other browser makers
At first I thought, "this isn't right", but then I realized that IE updates along with the general Windows update, and not by itself. Perhaps this is because Microsoft so tightly binds IE to the operating system that it doesn't think of it as a separate product?
Proverbs 21:19
I wonder how many exploits will be found in IE before they are all gone. I mean, logically, there has to be some point in the future when IE7 is totally exploit free. Too bad that the cycle of software replacements won't let that happen. Given enough time, IE7 and WinXP could be some of the toughest software in existence.
This is the best advice the experts have given in years.
Yeah, my karma sucks....but so do the mods.
Reality is, most IE users have no idea there is a flaw and no idea there is a patch. So the lack of in-browser auto download basically means that nothing has been achieved for "most" of their user base.
One thing I do notice about the less savvy users is that they do mostly trust windows update.
I record my sleeptalking
I even find it awkward that no popular linux distribution checks and proposes security updates at bootup.
I have an ASUS laptop that runs Ubuntu 8.04. I turned it on, turned on the Wi-Fi radio, and started Firefox to look up something about reenactment costuming. After a few minutes, I noticed the update icon in the tray. One of the updates was Mozilla Firefox 3.05. I clicked download and apply, and it was done. So yes, Ubuntu automatically "checks and proposes security updates".
Per application autoupdates are a horrendous pain. Each one has its own, completely idiosyncratic configuration mechanism, its own schedule, and its own behavior. A lot of them will run (but fail in various annoying ways) under limited user accounts, and they are utterly useless in an environment where firewalls or similar block application downloads on client machines.
I can understand why companies use them, since the alternative typically involves things sitting unpatched for ever and ever; but the whole thing is a mess. Hurray for package management.
Microsoft could not check whether mshtml.dll was actually in memory before they insisted on a reboot?
Enlightenment? It's just a flush in the pan.
Too bad the new Firefox update still gets 71 on the acid3 test. I was all excited to see if it went up with the latest patch. :(
Internet Explorer is at a disadvantage in that it requires a system reboot in order to apply updates.
Yeah, MS has no way to update software on their operating system.. oh wait... the ammonia just wore off. They do. Somewhat like their regular security updates they release for IE.
If only they had a separate update for every program.. with all that hassle.. maybe they could not be disadvantaged?
I've been amazed by the extent to which this issue has permeated the mainstream media - here in the UK it's been home page material for the BBC, The Guardian, The Times and a number of others.
One - this is really terrible PR for Microsoft. Two - this is really good news for the web as a whole (obviously not including anyone affected by the exploit), as anything that increases public awareness of security issues and alternative browsers has to be a good thing. I just hope it makes a difference.
IE is at a disadvantage because it doesn't have a built in update mechanism? Seriously?
IE updates are managed thru a single interface, windows update, and windows update is actually one small thing windows gets mostly right. I don't want every god awful program under the sun phoning home ON ITS OWN to god knows where and updating itself without my knowledge.
However I do want a convenient method to make sure I'm getting updates I may need from a trusted source. Windows update is better than programs phoning home on their own. Short of having an update repository for 3rd party apps like Linux distros do things, that's about the best you can hope for...
That is, unless you like the google software updater, apple software updater, etc, running all the time soaking up resources and generally being non-value added.
Overclockers
Can we patch FPers?
Am I eval()? - http://www.monst3r.com.br
Most people aren't in your situation or that of your users. Most people are surfing the web on their personal computers, and so automatic updates will work just peachy for them.
Lets play battleship.....
IE7
Hit on a US Submarine!
So the day the zero day was announced slashdot complained there wasn't a patch and MS weren't going fast enough. Today slashdot is complaining that the patch was rushed.
Tomorrow Microsoft blamed for water being wet, pope being catholic and bears leaving poo in the woods.
yea and waiting 5 min for firefox to load because it updated again when you want to check something that takes 30 seconds isn't annoying as hell course most of the new shit in firefox 3 annoys me and just like microsoft i can't turn the fucking "features" off
all browsers suck this is a fact of life
FF needs an updater service that runs in the System context so that all FF updates can get installed without the user being logged on as an administrator.
I would never enable that feature on my PCs. The last thing I want Firefox to do is join the ranks of Flash, Java, Adobe Reader and iTunes with nagging auto-update services that always run in the background. Often the updates aren't even critical, I think many of those 'features' are pushed by marketing departments who want to plaster your desktop with as many of their logos as possible.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
The bad thing about IE not having the built in updater is that this patch required a freaking reboot for a browser patch!!
That is just stupid.
The great thing about this fiasco is that I was able to convince several people who had been un-willing to move to Firefox or Opera to now do so.
Thanks Microsoft!
Firefox doesn't do tray icon notifications. And distribution-provided Firefox packages disable the auto-update, which wouldn't succeed anyway as the user running FF is not supposed to have write access to /usr. Instead, the distrib's auto-update mechanism handles it (apt for Ubuntu/Debian, yum for RedHat/Fedora, emerge for Gentoo, yast IIRC for Suse and so on). This is better on many levels, since it prevents a user process from altering the binary.
But you can also download the official Linux tarball and deploy it to your home directory; the FF update mechanism will handle it.
What is that thing, another overpriced piece of proprietary bloatware?
On RPM based Linux distribs, it's trivial to create an RPM package of any bunch of files you have. A simple .spec file need not be more than a dozen lines to achieve this. Rpmbuild it, and voila, you've got a new package that you can push any number of ways. Just create a yum repository, again, quite a basic thing to do, and on the next update request it will be installed.
So what's preventing you from doing that with FF and WSUS? FF is almost entirely self-contained, no need for esoteric DLLs, you can basically just push the folder to your "Program Files" dir.
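The packaging step the comment above describes, written out as an added example that is not the commenter's own: a minimal .spec that wraps the official Firefox Linux tarball under /opt (so the binary stays root-owned and a user process cannot alter it) and the rpmbuild/createrepo steps that publish it to a site yum repository. The package name firefox-site, the version 3.0.5 (the release mentioned in the thread), the /opt/firefox install path and the repository directory are this example's assumptions; the tarball is assumed to be already downloaded and checksum-verified against Mozilla's published values.

```shell
#!/bin/sh
# Added example: generate a minimal RPM .spec around the official Firefox
# tarball and publish the resulting package through a yum repository.
# Assumptions (not from the thread): package name firefox-site, version
# 3.0.5, install path /opt/firefox, repo dir ./site-repo, and a verified
# firefox-<version>.tar.bz2 sitting in the current directory.

FF_VERSION="${FF_VERSION:-3.0.5}"
REPO_DIR="${REPO_DIR:-$PWD/site-repo}"

# Emit the spec text to stdout; the caller redirects it into a file.
gen_firefox_spec() {
    ver="$1"
    cat <<EOF
Name:           firefox-site
Version:        ${ver}
Release:        1
Summary:        Site-managed Firefox built from the official Mozilla tarball
License:        MPL
Source0:        firefox-${ver}.tar.bz2
# Prebuilt binaries: no debuginfo extraction, no stripping, no auto-deps.
%define debug_package %{nil}
%define __strip /bin/true
AutoReqProv:    no

%description
Firefox installed under /opt, owned by root, so ordinary users cannot
modify the binary; updates arrive via the site yum repository.

%prep
%setup -q -n firefox

%install
rm -rf %{buildroot}
mkdir -p %{buildroot}/opt/firefox %{buildroot}/usr/bin
cp -a . %{buildroot}/opt/firefox/
ln -s /opt/firefox/firefox %{buildroot}/usr/bin/firefox

%files
%defattr(-,root,root,-)
/opt/firefox
/usr/bin/firefox
EOF
}

# Write the spec, build the RPM and regenerate the repo metadata when the
# RPM tooling is installed; otherwise only the spec file is produced.
build_and_publish() {
    spec="firefox-site-${FF_VERSION}.spec"
    gen_firefox_spec "$FF_VERSION" > "$spec"
    if command -v rpmbuild >/dev/null 2>&1 && command -v createrepo >/dev/null 2>&1; then
        rpmbuild -bb --define "_sourcedir $PWD" --define "_rpmdir $PWD/rpms" "$spec"
        mkdir -p "$REPO_DIR"
        cp rpms/*/firefox-site-"${FF_VERSION}"-1.*.rpm "$REPO_DIR"/
        createrepo "$REPO_DIR"   # clients pick the package up on their next yum update
    fi
    echo "$spec"
}
```

Clients need a .repo file pointing at the directory served over HTTP, and a signed repository (rpm --addsign plus gpgcheck=1) before this is trusted on a real network.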
Apple has resolved this issue. Now they try to install Safari in addition to Quicktime and Itunes.
There is not a 7 day lag time, at least on Vista. I got a notice of new updates Tuesday, ran it yesterday and immediately after installing those, it popped up with another, new update--the IE patch. I always get a notice the day any patches or updates are released.
I think Windows/IE's biggest problem is that they want to authenticate that the version the user has is legal. That's understandable for an anti-pirating measure, but what it ends up doing is leaving thousands of computers open to vulnerabilities that they can then pass on to even legitimate users. And in particular, businesses, who don't use automated updates and where there is a delay in applying patches.
If you've never been modded as "flamebait" or "troll," you've never tried to argue a minority viewpoint here!
Mozilla has issued eight patches for its Firefox Web browser, three of which fix problems classified as critical.
Man, you really showed them.
... if it is running in a restricted userid?
now we need to go OSS in diesel cars
I think it has been said countless times. A reboot of IE is because IE is closely integrated with the OS. When you have this, IE's rendering engine is used for Office and Windows Explorer and many other apps that are not Microsoft branded. The reboot assures that the file was fully unloaded from memory and patched. I am against Firefox's approach of start Firefox, install an update, only because I thought we learned our lesson that sometimes a patch can break a lot more than what was supposed to be fixed. Yes that came about because of Microsoft, but I have had a few Linux updates that I have had to roll out of because of an unknown bug. But with Microsoft's patch management I can choose which updates to apply and choose them all, knowing the OS and a browser is patched in one swipe of the hand. If Firefox would get off their arses and develop a corporate patch management system then more people might jump up and show favour for it. But as far as I am concerned, I am not going to pay for an msi, and developing one after every 2 week release time of FF is a bigger pain. I know version 3 has not been plagued with many updates, but when FF v2 came out they were patching every 2 or 3 weeks and this is not an acceptable patching method for corporate people. Even though I do write an msi, many corps will not and throw FF out the door.
ironically the ad at the top of this page reads 'free ie7 download - google recommends upgrading to the new safer internet explorer 7 www.google.com/toolbar/ie7/
oh how i chuckle as i surf with opera under linux!
IE itself doesn't know it is out of date. Some other system is required to do that. This has been a perpetual problem for a while now where a lot of software products out there depend on a "third party" to check for version status. If the "third party" malfunctions or is misconfigured, the software doesn't update. Even if the software can't update it would be nice to notify the user there is a critical update to apply manually.
Firefox isn't perfect but one thing they do right is letting the user know when they use the software if an update is available. IE doesn't do this and probably can't due to the way it is tied into the OS and the way packaging works in Windows.
Reenactment costuming?
It appears you aren't familiar with one or more of cosplay, LARP, SCA, or Civil War I reenactment.
The Eloi have spoken.
If the software auto-updates, people cry out that their systems are phoning home! Privacy and security concerns are voiced.
Then the software doesn't auto-update and people cry the advantages of their systems phoning home!
You can't have it both ways!
"The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool."
I dispute the basic premise that a wise man adapts himself to the world.
A wise man knows what things are possible to change and in a realistic time frame. A fool does not understand these things and thus fails to accomplish anything.
Actually, most of us experts are begging people to never again use IE.
Do you have ESP?
I prefer FireFox and Chrome... but, before we go ballyhoing the current patch, we should note that right now, at least for me, the FireFox update is busy banging on the patch site, and getting nothing. At least when Redmond rolls out a patch, they seem to make bandwidth available for it to actually be rolled out.
This is my sig.
Obviously this is statistically complete poo, but having a look at a couple of sites that I have Google analytics running on and IE is down consistently by about 5-10% with Firefox filling in the blanks.
As we all know browser stats are complete nonsense anyway, but change in relative market share after a hyped event like this one is still of interest.
It will take a while before these figures can be considered indicative, but maybe there is a change in the air.
Genesis 1:32 And God typed
The problem is if you roll out a patch to home user, then hackers have the blueprints on "How to exploit the corporate".
It's still totally retarded IMO, but MS is between a rock and a hard place on that one...look what happens when they don't give people what they want (Vista). This is what people who pay "want", ugh....
I Love how the main page for the KB article only has a Vista patch for users with SP2, when SP2 is still in Beta and has not been released to the public. You have to dig into another article to find the patch for SP1 systems.
How will this affect this interwebs underwater?
'Kandek suggests that Microsoft is at a disadvantage in updating Internet Explorer because its browser doesn't have a built-in update mechanism like other browser makers. Mozilla, for instance, just released Firefox 3.05 to Firefox users through its auto-update system.'
And why is that? Because by updating IE you are updating your operating system. The two use many of the same files (DLLs). And Microsoft WILL not push down an operating system update outside of its established system. That's why you must download the patches through the established system.
In summary it won't be done because Microsoft will not sacrifice any control over updates, even for critical issues like this.
But as long as people keep reacting to "ooh shiney!!!!1" new software releases from Microsoft, they'll never take the time to perfect existing ones.
Usually I get to pick what to update, then tell it not to nag about the ones I did not want. Today we updated IE (even though I don't use it) but I didn't want the XML patch yet because folks have been complaining about problems with it. Alas, the updater has continued nagging about that one for more than a day, despite being told not to, a number of times.
This is unusual.
..what a lot of prime quality PS the MS patch cycle is. The whole idea of the "regular" patch cycle is to lull you into a false sense of security so a corporate doesn't notice just how much crap needs patching per time - and a patch cycle also means a nice wide zero-day window unless the problem is so self evident that a blind mole with a candle can find it.
If they would have focused the Vista and MS Office efforts on f*cking up every usable interface so people would have to play hunt and seek again (with Internet based disclosure of their activities via the online help requests) they would have had the time to do it right for once. However, getting it "right" will never happen - by design.
Because who would want to buy an update then?
IE has been behind the curve in security, functionality, and reliability for l o n g t i m e! I don't think the distribution method for updates is the core issue. The core issue is that IE is an inferior browser. Let's just say it's the George W. Bush of browsers. The real solution is to stop using it altogether. Unfortunately, there are still many web apps out there that require it...
I don't like to read news about IE in Firefox.
Ohh.. I see what you did there. You dissed IE and Microsoft so it's not flamebait. /s
Experts have been advising users to stop using IE - full stop - for years now.
No, I be new here!
I got some bad grammar
yeah for Google Chrome!
Imagine there exists at least one serious vulnerability in Microsoft's Windows-family OSes. Imagine that there exists at least one major adversary ready and willing to exploit such a vulnerability.
If you can imagine those two things, then you can imagine all of Microsoft's computers failing or being taken over at the same time. Right now I think that means about 90% of the computers in the world might potentially be affected by a single vulnerability. Several of the patches released this month seem to have that much coverage, since the underlying vulnerabilities spanned a number of Microsoft OSes.
In our highly networked and increasingly computer-dependent world, can you imagine how much economic damage that could cause? I really can't. At some point my imagination fails me.
Even if the odds are very small, how can we continue to live with that threat?
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
IBM did a wonderful study years ago on the relative value of unit/coverage testing v. user-directed testing across diverse types of software such as Operating Systems, DataBase engines, etc. and one of the factoids I always remember from that study was that somewhere over half of the errors found in unit/coverage testing had a projected mean time to occurrence of several thousand years (held true regardless of the type of software).
Besides being a wonderful argument that coverage-based testing is a serious waste of money it also provides a good explanation of why it is incorrect to think that users will ever find all the vulnerabilities in IE7 let alone see all those user-discovered vulnerabilities get fixed even if Microsoft were willing to continue fixing IE7 bugs for the next 1000 years.
This is not the first time MS has advised its customers to use an alternate browser until IE could be patched. Why don't they just make the recommendation permanent?
The free browsers have no continuous support because each little plugin is cobbled together by people who move on to some other unrelated project when they are bored. Most of those browsers require the user to be a geeky retard, which is exactly as stupid as requiring every automobile driver to be a mechanic.
If any of those other browsers achieved user dominance as MicroSoft has done, then those browsers would become the primary target of hackers and their inadequacies would be exposed. Right now, they are only shielded from reality because they're NOT #1
Do you have any idea how freaking stupid you look when you accuse MicroSoft of something which none of the other browsers have to cope with to the same degree??? MicroSoft is the top target -- let's see how well the others cope when they garner as much nefarious attention!