Slashdot Mirror


Microsoft To Ship Emergency IE Patch

Grotendo writes "Microsoft plans to release an emergency patch for Internet Explorer very soon to counter targeted attacks and the publication of exploit code for a 'browse and you're owned' vulnerability in its flagship Web browser. The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows. This could happen as early as this weekend." Microsoft has downplayed the seriousness of the IE zero-day, and insisted that it affects only IE6 even as security researchers close in on exploits for IE7 and IE8. Microsoft has had no comment about the firestorm that Google unleashed by directly accusing the Chinese of cyber espionage. ShadowServer has up a sobering post on the massive extent of the problem of "groups that can be referred to as the Advanced Persistent Threat."

12 of 187 comments

  1. Enough is enough! by LostCluster · · Score: 5, Informative

    I'm uploading the IE6 No More code to my website now. There's a point where users of outdated software need to be told there are four major cost-free options, including a much updated version of IE if they want to stick with IE. I'm almost thinking we should move from a warning to a service-denying error if this goes much further.

    1. Re:Enough is enough! by dgatwood · · Score: 3, Informative

      No. Chrome Frame is only active if a page specifically codes for it. Otherwise, it does nothing. An attack page would not typically include code for a workaround.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Enough is enough! by GF678 · · Score: 2, Informative

      I'm uploading the IE6 No More code to my website now. There's a point where users of outdated software need to be told there are four major cost-free options, including a much updated version of IE if they want to stick with IE. I'm almost thinking we should move from a warning to a service-denying error if this goes much further.

      I'm sure corporate users who have IE6 forced upon them will appreciate it if they try to view your site.

      I'm sure your response would be "well they can bring it up with their IT department and use it as a way to persuade the upgrade". Doesn't work like that in the real world, particularly if old IE6-only compatible web apps are still in use.

    3. Re:Enough is enough! by Runaway1956 · · Score: 2, Informative

      "If it ain't broke don't fix it"

      Correct. And, it's time to make the decision makers understand that it's broken. If it isn't broken enough to convince them, then LET'S BREAK IT MORE!!

      Most of the rest of what I read here today is just so much whining and sniveling, from one side or the other.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  2. Quoth the TFA by McBeer · · Score: 2, Informative

    targeted attacks and the publication of exploit code for a 'browse and you're owned' vulnerability in its flagship Web browser

    IE 6 hasn't been Microsoft's flagship browser for 4 years.

    --
    Hikery.net - The best hiking site ever. Made by yours truly.
    1. Re:Quoth the TFA by poetmatt · · Score: 2, Informative

      It does, however, share the same vuln with IE7 and IE8. So maybe it's more appropriate as "Microsoft's web browser" (irrespective of version) is at fault.

    2. Re:Quoth the TFA by IshmaelDS · · Score: 2, Informative

      True, IE 6 hasn't, but if you read the Microsoft bulletin it also says that IE 7 and 8 share the vulnerability. http://www.microsoft.com/technet/security/advisory/979352.mspx "Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable."

      --
      letting an idiot know they are an idiot is not a game... it's a responsibility. - by Kristopeit, M. D. (1892582)
    3. Re:Quoth the TFA by thetoadwarrior · · Score: 2, Informative

      Because some companies have contracts with MS that have them on Win2k until (if I recall correctly) the extended support is over, which is this summer, so MS can't really tell IE6 users to fuck off completely.

      I'm sure they could get out of the contract at an unnecessary cost. MS made this mess and unfortunately we're stuck with it for a while longer. Hopefully once the extended support is over then companies will start dumping their old stuff and upgrading.

      In my opinion this shouldn't matter to most sites because they're not meant for business customers. It doesn't matter if YouTube, for instance, works on IE6 as far as I'm concerned. Anyone on IE6 for their home PC should be excluded until they get a real browser.

  3. Contribute to the death of IE 6 on your site... by MikeRT · · Score: 2, Informative

    Make it painfully clear to IE6 users what they're doing.

    My version, which is more educational for them.

  4. Re:IE is only good at one thing... by QuantumRiff · · Score: 2, Informative

    Shh, don't tell anyone...

    >wuauclt /detectnow

    Forces the update.exe agent to check.

    --

    What are we going to do tonight Brain?
  5. Re:'flagship webbrowser' by spuke4000 · · Score: 2, Informative
    --
    This post cannot be rebroadcast without the express written consent of Major League Baseball.
  6. "Emergency" reaction by burkmat · · Score: 2, Informative

    Wow, so that's... 4 days after full disclosure that they announce their response.

    "Could be here as soon as this weekend", which is still more than a week from the exploit being published. That's swell.
    Anyone else grateful MSFT doesn't run the fire department?