Microsoft Rushes Internet Explorer Patch
drquoz writes "Last week, it was reported that a critical security flaw was found in Internet Explorer. On Tuesday, experts were advising users not to use IE until a patch could be released. On Wednesday, Microsoft released the patch. An interesting quote from the article: 'Kandek suggests that Microsoft is at a disadvantage in updating Internet Explorer because its browser doesn't have a built-in update mechanism like other browser makers. Mozilla, for instance, just released Firefox 3.05 to Firefox users through its auto-update system.'"
Sorry...but, "huh?"
Tools-Windows update. Or it is updated automagically if you have auto updates turned on.
I did RTFA, but I still didn't understand that comment.
-JJS
Internet Explorer may not have an auto-update system, but Microsoft Windows has an update system rivaling that of Ubuntu and OS X in automaticness, if not scale.
Since Windows encourages users to allow automatic updates installed at 3am every morning and also by default installs any pending critical updates at system power down, it doesn't seem like any supported version of Internet Explorer should remain unpatched for too long.
I found this this morning in my Windows Updater log:
"
Security Update for Internet Explorer 7 in Windows Vista (KB960714)
Installation date: 12/18/2008 3:01 AM
"
If Microsoft had the same reputation that Mozilla did for their updates not screwing the pooch then maybe I would consider using that kind of auto-update feature.
Then again, I only use Firefox, and would never consider using IE. At what point do even common household users realize that IE is not the way to go?
No -- Firefox is at the disadvantage. If you're a single user running as administrator, its auto-update is great. However, the users (all running limited accounts) on our Windows/Samba network will have to wait until I install the new update manually because there is no built in mechanism for administrators to push out updates.
And should I use my cobbled together scripts to push out a security update for Firefox on the last day of finals when it might break everything, or should I wait until Monday?
On the other hand, the WSUS server that I set up worked exactly like it was supposed to last night.
...because its browser doesn't have a built-in update mechanism like other browser makers
At first I thought, "this isn't right", but then I realized that IE updates along with the general Windows update, and not by itself. Perhaps this is because Microsoft so tightly binds IE to the operating system that it doesn't think of it as a separate product?
Proverbs 21:19
I wonder how many exploits will be found in IE before they are all gone. I mean, logically, there has to be some point in the future when IE7 is totally exploit free. Too bad that the cycle of software replacements won't let that happen. Given enough time, IE7 and WinXP could be some of the toughest software in existence.
This is the best advice the experts have given in years.
Yeah, my karma sucks....but so do the mods.
Reality is, most IE users have no idea there is a flaw and no idea there is a patch. So the lack of in-browser auto download basically means that nothing has been achieved for "most" of their user base.
One thing I do notice about the less savvy users is that they do mostly trust windows update.
I record my sleeptalking
I even find it awkward that no popular Linux distribution checks and proposes security updates at bootup.
I have an ASUS laptop that runs Ubuntu 8.04. I turned it on, turned on the Wi-Fi radio, and started Firefox to look up something about reenactment costuming. After a few minutes, I noticed the update icon in the tray. One of the updates was Mozilla Firefox 3.05. I clicked download and apply, and it was done. So yes, Ubuntu automatically "checks and proposes security updates".
Per application autoupdates are a horrendous pain. Each one has its own, completely idiosyncratic configuration mechanism, its own schedule, and its own behavior. A lot of them will run (but fail in various annoying ways) under limited user accounts, and they are utterly useless in an environment where firewalls or similar block application downloads on client machines.
I can understand why companies use them, since the alternative typically involves things sitting unpatched for ever and ever; but the whole thing is a mess. Hurray for package management.
Microsoft could not check whether mshtml.dll was actually in memory before they insisted on a reboot?
Enlightenment? It's just a flush in the pan.
Internet Explorer is at a disadvantage in that it requires a system reboot in order to apply updates.
Yeah, MS has no way to update software on their operating system.. oh wait... the ammonia just wore off. They do. Somewhat like their regular security updates they release for IE.
If only they had a separate update for every program.. with all that hassle.. maybe they could not be disadvantaged?
I've been amazed by the extent to which this issue has permeated the mainstream media - here in the UK it's been home page material for the BBC, The Guardian, The Times and a number of others.
One - this is really terrible PR for Microsoft. Two - this is really good news for the web as a whole (obviously not including anyone affected by the exploit), as anything that increases public awareness of security issues and alternative browsers has to be a good thing. I just hope it makes a difference.
IE is at a disadvantage because it doesn't have a built in update mechanism? Seriously?
IE updates are managed thru a single interface, windows update, and windows update is actually one small thing windows gets mostly right. I don't want every god awful program under the sun phoning home ON ITS OWN to god knows where and updating itself without my knowledge.
However I do want a convenient method to make sure I'm getting updates I may need from a trusted source. Windows update is better than programs phoning home on their own. Short of having an update repository for 3rd party apps like Linux distros do things, that's about the best you can hope for...
That is, unless you like the google software updater, apple software updater, etc, running all the time soaking up resources and generally being non-value added.
Overclockers
Can we patch FPers?
Am I eval()? - http://www.monst3r.com.br
Most people aren't in your situation or that of your users. Most people are surfing the web on their personal computers, and so automatic updates will work just peachy for them.
Too bad the new Firefox update still gets 71 on the acid3 test. I was all excited to see if it went up with the latest patch. :(
I'm using the new Opera (unless you're a web dev, my company only allows IE6 or Opera). It supposedly aced the acid test and I've gotta tell you, /. sure works a lot better in Firefox.
FF needs an updater service that runs in the System context so that all FF updates can get installed without the user being logged on as an administrator.
I would never enable that feature on my PCs. The last thing I want Firefox to do is join the ranks of Flash, Java, Adobe Reader and iTunes with nagging auto-update services that always run in the background. Often the updates aren't even critical, I think many of those 'features' are pushed by marketing departments who want to plaster your desktop with as many of their logos as possible.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
The bad thing about IE not having the built in updater is that this patch required a freaking reboot for a browser patch!!
That is just stupid.
The great thing about this fiasco is that I was able to convince several people who had been un-willing to move to Firefox or Opera to now do so.
Thanks Microsoft!
Firefox doesn't do tray icon notifications. And distribution-provided Firefox packages disable the auto-update, which wouldn't succeed anyway as the user running FF is not supposed to have write access to /usr. Instead, the distrib's auto-update mechanism handles it (apt for Ubuntu/Debian, yum for RedHat/Fedora, emerge for Gentoo, yast IIRC for Suse and so on). This is better on many levels, since it prevents a user process from altering the binary.
But you can also download the official Linux tarball and deploy it to your home directory; the FF update mechanism will handle it.
What is that thing, another overpriced piece of proprietary bloatware? .spec file need not be more than a dozen lines to achieve this. Rpmbuild it, and voila, you've got a new package that you can push any number of ways. Just create a yum repository, again, quite a basic thing to do, and on the next update request it will be installed.
On RPM based Linux distribs, it's trivial to create an RPM package of any bunch of files you have. A simple
So what's preventing you from doing that with FF and WSUS? FF is almost entirely self-contained, no need for esoteric DLLs, you can basically just push the folder to your "Program Files" dir.
You must be new here.
Apple has resolved this issue. Now they try to install Safari in addition to Quicktime and Itunes.
There is not a 7 day lag time, at least on Vista. I got a notice of new updates Tuesday, ran it yesterday and immediately after installing those, it popped up with another, new update--the IE patch. I always get a notice the day any patches or updates are released.
I think Windows/IE's biggest problem is that they want to authenticate that the version the user has is legal. That's understandable for an anti-pirating measure, but what it ends up doing is leaving thousands of computers open to vulnerabilities that they can then pass on to even legitimate users. And in particular, businesses, who don't use automated updates and where there is a delay in applying patches.
If you've never been modded as "flamebait" or "troll," you've never tried to argue a minority viewpoint here!
Mozilla has issued eight patches for its Firefox Web browser, three of which fix problems classified as critical.
Man, you really showed them.
... if it is running in a restricted userid?
now we need to go OSS in diesel cars
Firefox 3.0.x is only open to security and stability updates at this point, so it's highly unlikely that you'll see any increases in its Acid3 score at this point (short of the test itself changing somehow). The recently-released 3.1b2 scores 93/100 (also unlikely to change before it goes final). There are also patches posted in Mozilla's Bugzilla tracker (currently either awaiting review or needing more work to be done) that when landed will get their score up to 97/100, probably for Firefox 3.2. The only part of Acid3 that they haven't yet addressed is SVG Fonts, and it seems that little has been done in that area so far.
Personally, I don't mind their approach of trying to make sure that the issues raised by Acid3 are fixed in a timely manner, but not rushing fixes before they're ready just to have a bigger number. And besides, as long as IE8 still only scores 12/100 (or 21/100 if you're willing to wait long enough), it's kind of a moot point. It seems to me that what's relevant isn't who hits 100/100 first, but who hits it last.
IE itself doesn't know it is out of date. Some other system is required to do that. This has been a perpetual problem for a while now where a lot of software products out there depend on a "third party" to check for version status. If the "third party" malfunctions or is misconfigured, the software doesn't update. Even if the software can't update it would be nice to notify the user there is a critical update to apply manually.
Firefox isn't perfect but one thing they do right is letting the user know when they use the software if an update is available. IE doesn't do this and probably can't due to the way it is tied into the OS and the way packaging works in Windows.
Reenactment costuming?
It appears you aren't familiar with one or more of cosplay, LARP, SCA, or Civil War I reenactment.
Put that chair down, Steve.
Free Martian Whores!
"The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool."
I dispute the basic premise that a wise man adapts himself to the world.
A wise man knows what things are possible to change and in a realistic time frame. A fool does not understand these things and thus fails to accomplish anything.
Actually, most of us experts are begging people to never again use IE.
Do you have ESP?
I prefer FireFox and Chrome... but, before we go ballyhooing the current patch, we should note that right now, at least for me, the FireFox update is busy banging on the patch site, and getting nothing. At least when Redmond rolls out a patch, they seem to make bandwidth available for it to actually be rolled out.
This is my sig.
Obviously this is statistically complete poo, but having a look at a couple of sites that I have Google analytics running on and IE is down consistently by about 5-10% with Firefox filling in the blanks.
As we all know browser stats are complete nonsense anyway, but change in relative market share after a hyped event like this one is still of interest.
It will take a while before these figures can be considered indicative, but maybe there is a change in the air.
Genesis 1:32 And God typed
The problem is if you roll out a patch to home users, then hackers have the blueprints on "How to exploit the corporate".
It's still totally retarded IMO, but MS is between a rock and a hard place on that one...look what happens when they don't give people what they want (Vista). This is what people who pay "want", ugh....
IE has been behind the curve in security, functionality, and reliability for l o n g t i m e! I don't think the distribution method for updates is the core issue. The core issue is that IE is an inferior browser. Let's just say it's the George W. Bush of browsers. The real solution is to stop using it altogether. Unfortunately, there are still many web apps out there that require it...
This says a lot more about /. than it does about Opera.
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
I don't like to read news about IE in Firefox.
Imagine there exists at least one serious vulnerability in Microsoft's Windows-family OSes. Imagine that there exists at least one major adversary ready and willing to exploit such a vulnerability.
If you can imagine those two things, then you can imagine all of Microsoft's computers failing or being taken over at the same time. Right now I think that means about 90% of the computers in the world might potentially be affected by a single vulnerability. Several of the patches released this month seem to have that much coverage, since the underlying vulnerabilities spanned a number of Microsoft OSes.
In our highly networked and increasingly computer-dependent world, can you imagine how much economic damage that could cause? I really can't. At some point my imagination fails me.
Even if the odds are very small, how can we continue to live with that threat?
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
This is not the first time MS has advised its customers to use an alternate browser until IE could be patched. Why don't they just make the recommendation permanent?