Microsoft Patches "Google Hack" Flaw In IE

An anonymous reader writes "As expected, Microsoft has issued an out-of-band security patch to address a remote code execution hole in Internet Explorer that was used in the recent Chinese attacks disclosed by Google. Ars Technica has all the download links you need."

Microsot

[SimonTheSoundMan]

Ugh, Microsoft! Get it right.

Re:Microsot

[GrosTuba]

Almost as craptacualr as the reserachers from the front page, who unfortunately got fixed in the meantime :)

Re:Microsot

[burkmat]

Perhaps we should stop bashing MS all the time, after all, where would the anti-virus industry be without them?

Re:Microsot

Slashdot just needs a spell checker.

Re:Microsot

[frosty_tsm]

Slashdot just needs a spell checker.

No... just Timmah!

Re:Microsot

[lousyd]

I thought it was a clever, subtle jab at MS. Like, they're sots. Tiny sots.

Re:Microsot

[draconx]

No, what slashdot needs are editors: people who read and correct errors in written works prior to publication.

Re:Microsot

Should have been Microsod, because they will always sod you.

Re:Microsot

[Alphathon]

Presumably catering to whatever OS is no. 1 without them having been in the picture. Windows is not targeted for viruses because it is insecure, but because it has had probably 70%+ of the market share for the last 10-15 years at least (I don't honestly know how long they've been on top. Heck I was born in 1988 and didn't get a computer in the house 'til 1999).

Re:Microsot

[Canazza]

That needs qualifying as #1 in the HOME market. There are many more servers running various brands of Unix and Linux out there than there are running IIS or Apache on a Windows box (though not an insignificant ammount).

Servers are naturally harder to get viruses or trojans onto them as they're generally not used to surf the web, and the only applications executed on them should be done by a responsible sysadmin - who should know better.

Windows is targeted as it is the #1 Home and Business OS, and as most people are clueless about how the technology actually works (running with admin privileges, surfing dodgy sites, falling for phishing scams, opening spam emails). A street magician or scam artist will only target those people who they see as a patsy. The obvious idiot. The lazy fool. Windows and IE attract them both, and they get burned for it.

Re:Microsot

[richardablitt]

In other words, Microsoft can't cope with having a near monopoly, so we need users to switch to Linux/BSD/Solaris in order to make malware creation more difficult?

Re:Microsot

[mpe]

Windows is targeted as it is the #1 Home and Business OS, and as most people are clueless about how the technology actually works (running with admin privileges, surfing dodgy sites, falling for phishing scams, opening spam emails).

A factor with the "running with admin privileges" is badly written software where the supported method is to have the user, rather than the program (or even part of the program) only having elevated privileges or change the permissions on whatever the program actually needs access to. Another thing Windows lacks is the concept of execute permissions and/or file systems which cannot contain executables. Even though parts of it are apparently derived from VAX/VMS which does have such permissions.
No doubt it is possible to emulate "setuid", "sudo", "noexec", etc in Windows. If you fully understand how to actually use it's complex security model. Just that plenty of Windows developers don't appear to even understand the concept of having a security model in the first place. Whereas with just about any other multi-user OS such understanding tends to be required for anything other than fairly simple software.

Quick turnaround!

This just goes to show that OSS is better because the fixes come out fas...

oh this was IE?

Oh...

I mean... this patch just goes to show the lax security and horrendous coding of IE!

(In all seriousness, it's actually quite nice to see the hole fixed and tested in such a quick time. I think MS actually deserves kudos for the quick turnaround and out-of-band release)

Re:Quick turnaround!

[EXTomar]

The cynic in me wonders iff this wasn't such a visible and highlighted Google highlighted would they bothered to push it sooner or even at all or even to let people know there is a problem. But yes it is good you can hold publicly traded company's feet to the fire by having a few countries denounce your product which is totally unlike OSS!

Re:Quick turnaround!

The cynic in me wonders iff this wasn't such a visible and highlighted Google highlighted would they bothered to push it sooner or even at all or even to let people know there is a problem

Could you repeat that? My gibberish-to-english translator is on smoke break, and I'm nowhere near as fluent as he...

Re:Quick turnaround!

[UnknowingFool]

No it goes to show how fast MS can release a patch (and out of their normal cycle) when face with a large amount of negative PR. Normal vulnerabilities usually have to wait til Patch Tuesday. But when Google announces that IE was to blame in a large number of attacks, both France and Germany advises their citizens not to use IE for a while, MS better patch it sooner than later.

Re:Quick turnaround!

[David+Gerard]

"Has anyone really been as far as decided to use even want to go look more like?"

Re:Quick turnaround!

[aztracker1]

Apparently some of the bugs were reported to MS back in September. So it really wasn't *that* fast.

Re:Quick turnaround!

[UnknowingFool]

It only proves my point. MS sat on the bugs for months and only released a patch after public disclosure by Google. How much longer would have they sat on them if it wasn't for the bad PR.

Re:Quick turnaround!

[Maxo-Texas]

Nothing quite like two national governments recommending against using your product to raise the priority of fixing the problem.

Re:Quick turnaround!

[cyber-vandal]

According to the BBC they've known about it since September. Back to the bashing as usual...

Re:Quick turnaround!

[Dishevel]

How much longer would have they sat on them if it wasn't for the bad PR.

Stupid question. Answer is of course "Forever!".

Re:Quick turnaround!

According to Computer World, Microsoft was notified about this bug last August.

Re:Quick turnaround!

[rtb61]

It was more likely the source of the exploit, the Government of China using the source code provided by M$ to attack users of M$ software, pretty much a double attack, one aimed at Google and the other aimed at M$. Ballmer is likely throwing around more furniture than just chairs at the moment, "Because you, Mr. Bill Gates, are a friend of China, I'm a friend of Microsoft," http://www.cbsnews.com/stories/2006/04/19/politics/main1510792.shtml?source=related_story, with friends like M$ and the government of China, who needs enemies.

Re:Quick turnaround!

[bstone]

>>Nothing quite like two national governments recommending against using your product to raise the priority of fixing the problem

Nothing like people actually switching browsers in droves because of the warnings to raise the priority of fixing it. Now that they've switched, what are the chances of those lost users switching back?

Re:Quick turnaround!

[AmberBlackCat]

Maybe it just shows how fast you can release a patch when you're not allowed to say "it's still beta" or "you can't complain because you're getting it free".

Re:Quick turnaround!

Unlike Firefox or Thunderbird, where I have to put up with awful and obvious bugs for years.

Re:Quick turnaround!

You've got to be kidding me. I've been further even more decided to use even go need to do look more as anyone can. Can you really be far even as decided half as much to use go wish for that? My guess is that when one really been far even as decided once to use even go want, it is then that he has really been far even as decided to use even go want to do look more like. It's just common sense.

Re:Quick turnaround!

[Malc]

You've got to wonder though if Google is using this to deflect attention from a problem at their end.

Re:Quick turnaround!

[Canazza]

well you can't complain, you're getting IE for free

Re:Quick turnaround!

yeah, it seems we'll have to wait till there's another high profile attack for a fix to the 16-bit VM bug ( http://www.neowin.net/news/windows-has-a-17-year-old-un-patched-vulnerability )

Re:Quick turnaround!

[mpe]

But when Google announces that IE was to blame in a large number of attacks, both France and Germany advises their citizens not to use IE for a while, MS better patch it sooner than later.

IIRC Australia also put out similar advice. Though it's probably bigger for France and Germany to agree :)

Re:Quick turnaround!

[mpe]

MS sat on the bugs for months and only released a patch after public disclosure by Google. How much longer would have they sat on them if it wasn't for the bad PR.

Was it Google or was it several countries, including to large EU members, putting out the message to avoid using the software. AFAIK national governments doing this kind of thing hasn't happened before.

Re:Quick turnaround!

[kiehlster]

I'm sorry, but does anyone have a SpamAssassin filter for this? http://yro.slashdot.org/article.pl?sid=04/01/14/0037231

Re:Quick turnaround!

[aztracker1]

I think the other shoe just dropped is what happened. Google proverbially bent over for China repeatedly, with some bad criticisms to discover that they are being attacked by China. They pushed all the cards out to the table. It's worth noting that other companies were also targets of the attacks in question.

Re:Quick turnaround!

well you can't complain, you're getting IE for free

Free Herpes! Get your Free Herpes! Red hot flaming Herpes right here!

WTF! FORCED SHUTDOWN

[indi0144]

It will force shutdown even if you don't check the box at the end of the installer. How can this be so wrong at so many levels.

Re:WTF! FORCED SHUTDOWN

[mrjohnson]

Rebooting to upgrade a browser is at least five levels of wrong!

Re:WTF! FORCED SHUTDOWN

[SimonTheSoundMan]

Wonder if it will take Skype down again with it too.

Re:WTF! FORCED SHUTDOWN

I tested a server and a desktop (Windows 2008 R2, Windows 7) and neither auto-rebooted from the Windows Update.

What are you talking about?

Re:WTF! FORCED SHUTDOWN

That's because it is not a normal browser-an application running under an OS.
MS IE is intimately intertwined with the OS, which is why the security holes are so severe !

The patch is to the OS, not the browser probably. (have not yet read the Ars article)

Re:WTF! FORCED SHUTDOWN

[indi0144]

You're right my forced reboot was on XP SP3 and IE8 via downloaded patch. I installed earlier in w2k SP4 IE6 via win update and it didn't forced shutdown so it's maybe .. random(tm), still, If you unchecked the box IT SHOULD NOT RESTART! thanks good I'm a beaten wife that know this kind of things happens, didn't lose anything unsaved.

hey Adobe, would you ever port your software to Linux?? : ( Not holding my breath.

Re:WTF! FORCED SHUTDOWN

[mrjohnson]

Ah, that's why... http://heartbeat.skype.com/

Re:WTF! FORCED SHUTDOWN

[Bengie]

I use Win7 and it installed then said it was done. No reboot or prompt/question to reboot.

Re:WTF! FORCED SHUTDOWN

[Bengie]

nvm. There was a different out of band critical update that didn't require a reboot. This one did need a reboot to take effect, but it didn't force it.

Re:WTF! FORCED SHUTDOWN

Unless the patch was to the Trident libraries, in which case I can understand. Trident is the rendering engine behind MSIE, and is in use by other programs even if MSIE isn't using it.

Re:WTF! FORCED SHUTDOWN

You say rebooting to upgrade a browser is wrong, while I do agree, Apple does it to Safari makes me reboot my mac just as IE does.

Re:WTF! FORCED SHUTDOWN

[mrjohnson]

Rebooting to upgrade a library because you can't replace an in-use file is 15 levels of wrong. :-)

Re:WTF! FORCED SHUTDOWN

[indi0144]

I should have recoded the update, oh wait, It would have fucked up the recording. I left unchecked the "restart now" because I was about to update firefox too but then "oh noes" Dreamweaver, uTorrent (I had to re-check something I was downloading aka KILL), Opera, photoshop and Windows Explorer just started to close at the same time AND THEY CLOSED FASTER than closing them up one by one, it was a forced shutdown. Why would I made up this?

I'm happy you didn't suffer the annoyances from "random Microsoft bug"(tm) : )

Re:WTF! FORCED SHUTDOWN

[socsoc]

My XP SP3 gave the dialog of restart now or later via Microsoft Update. So I chose later. Odd that directly getting the patch would be different.

Re:WTF! FORCED SHUTDOWN

[dmomo]

Which, most likely means it's a browser exploit, but the problem is much deeper. And why a browser's code has to go that deep? Beyond me.

Re:WTF! FORCED SHUTDOWN

[jpmorgan]

Better than the alternative, which is to potentially leave software running with a still vulnerable browser, and a user with a false sense of security because they 'just installed the patch.'

Allowing libraries to be modified on disk while in use is a solution to the upgrade problem which is simple, elegant, and terribly, terribly wrong.

Re:WTF! FORCED SHUTDOWN

Because in windows, shared libraries actually means shared. Other components use HTML rendering too and some of them load the library and disallow writes to the library. Hmm, I guess a technical explanation would just get in the way of MS bashing.

Heres a cookie ! Whos a good boy? Whos a good boy?

Re:WTF! FORCED SHUTDOWN

What's wrong with forcing a reboot because DLLs are in use by other processes? It's much better than the UNIX way that allows files to be replaced, yet running processes continue using the older version and are vulnerable until they're restarted. I've seen Debian update libraries in the past without restarting the dependent sshd, meaning the system remains seriously vulnerable for unwary admins. Don't be so complacent. How would it look if Windows worked the same way, and a user didn't restart their IE processes and ALL THE PROCESSES THAT EMBED IE'S RENDERING ENGINE, and they were then affected by the exploit after applying the patch? People around here and in the media in general would be slamming Microsoft even more.

Re:WTF! FORCED SHUTDOWN

[weicco]

Uh! I would love to "upgrade" in-use shared library files so that changes are reflected to loaded instances in every running process! My viruswormtrojan would rule the world!

Re:WTF! FORCED SHUTDOWN

[mpe]

Better than the alternative, which is to potentially leave software running with a still vulnerable browser, and a user with a false sense of security because they 'just installed the patch.'

The other alternative is to put up a message saying "These applications/services/etc need to be restarted".

Allowing libraries to be modified on disk while in use is a solution to the upgrade problem which is simple, elegant, and terribly, terribly wrong.

If the OS is sufficently "clever" the old version of the library need only exist until the last thing executing it's code stops doing so.

Re:WTF! FORCED SHUTDOWN

[mrjohnson]

Bah, on Linux and *every other OS besides Windows* I can upgrade my websever, test the configuration and restart just the process when I'm ready. I often do the upgrade work a few hours beforehand (when I'm awake) and reboot Apache during a slow period (usually late night).

On Windows you may have to first shutdown the webserver to upgrade, or reboot the entire server, causing a much longer outage than needed.

Or just look at the jar locking hacks Tomcat has to do because you can't replace an in-use jar. I've converted several developers from Windows because rebooting Tomcat all day long is so god awful.

Re:Of course...

[Pojut]

...this does not apply to Mac users, because Mac's don't suffer from drive-by downloads and other malware. My PPC G5 running Safari on Snow Leopard is rock-solid and secure.

I take it you haven't heard the news? Granted, it's much more secure...but not secure.

People think that Mac's are expensive, but the safety and security alone are reasons to justify the high price. The sleek, advanced looks are just the icing on the cake.

Uh...OSX is what is safe and secure...not Apple hardware. Install OSX onto a hackintosh and it will be just as secure as your overpriced "icing". Macs ARE expensive, and the low-cost of upgrading to Snow Leopard just proves that you are paying far too much for hardware, not the software that it utilizes.

Come on. If you are gonna fanboy for a single system, at least get your facts straight.

Re:Of course...

[LoudMusic]

No matter how much ass kissing you do, Steve will never give you free Apple products. So just stop.

Just a thought.

[burkmat]

Now, if I had that kind of exploit (along with the Windows source code) to play with, and the skills to individually target a specific Google machine, I'd sure as hell make sure to sneak my exploit into the soon-to-appear Microsoft patch site...

And honestly, so far the chinese have struck me as the competent types.

Re:Just a thought.

[phantomcircuit]

And honestly, so far the chinese have struck me as the competent types.

The several thousand failed attack attempts in my logs would care to disagree.

Re:Just a thought.

[burkmat]

Do you really think they'd keep it up if it wasn't successful to some extent? :)

Re:Just a thought.

If a million... no, if a billion monkeys doing random keystrokes go at it for a billion years then yes... eventually your server will go down...

Re:Just a thought.

[L4t3r4lu5]

You're just one of the folks who has some reasonable protection.

For every one of you (and me), there are five grannies with USB modems plugged straight into an unpatched XP SP2 computer. You and I are not the target.

Google has BACKED DOWN in China

[hackingbear]

This is a bit off-topic but I have nowhere else to post this. I have attempted to post the reports that Google has backed down in China and re-enabled search result filtering in Google.cn despite of the lack of REAL actions from the Chinese government in the last two days, but /. editors keep refusing to put this relevant in the headline. Right, how can we be critical of our new found American hero defending the precious "freedom" and fighting the evil China? How can a hero backing down to the evil China? Hero can't make fundamental principle error, or you are not allowed to know when it does. Can someone find a way to post this news report (which can be verified search "June 4" in google.cn and which I can't find any English language sources)?!

Re:Google has BACKED DOWN in China

Actually they haven't removed censorship yet. They would be talking with the Chinese government about a way to provide an uncensored search within the law.

"We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China."

A new approach to China

So, we're still on hold as to if they will remove censorship.

Re:Google has BACKED DOWN in China

[elFisico]

Hmm, searching for "Tianamen" in images still gives you pictures of the student in front of the tank. Isn't this supposed to be censored as well?!

Re:Google has BACKED DOWN in China

[hackingbear]

As mentioned in my post and in /. front page last week, google has suspeneded the filtering after their announcement. Why re-enabled rather quietly? That part I have problem with. If they have stood up, why backed down? (And the Chinese government only made some general stanard statement, no real threat either. Why is that not mentioned in Western media?) all in all, I'm as disappointed by our media as by the CCP's.

Re:Google has BACKED DOWN in China

Calling China "evil" is childish, naive, narrow-minded, and stupid.

Re:Google has BACKED DOWN in China

[phantomcircuit]

Looks pretty un-censored to me. images:tiananmen square

Re:Google has BACKED DOWN in China

[Hurricane78]

Uum, you know that you can submit stories for the firehose. If it’s interesting (as in this case) it should quickly get voted to the top, and then get put the front page.

Re:Google has BACKED DOWN in China

[kramer2718]

Mod Parent Up!

Re:Google has BACKED DOWN in China

[rahvin112]

I probably shouldn't respond to this but Google did the right thing. Their employees would be jailed and maybe even executed if they refuse to follow chinese law while operating inside the country. It would be extremely foolish of them to disregard Chinese law while still operating inside the country because as I said it could even get some innocent employee killed. If they abandon the Chinese market and then still keep the results censored, then you have a complaint but until they pull out the Chinese government could do bad things to innocent people to punish the corporation.

Re:Google has BACKED DOWN in China

[drinkypoo]

Calling China "evil" is childish, naive, narrow-minded, and stupid.

As long as China is killing people for cheating on their taxes and harvesting their organs, then selling them on the world market, then they are evil. As long as they are imprisoning Christians for their religious beliefs, gang-raping them and sending them to work camps to make plastic gewgaws (like christmas lights) for sale in the US, they are evil. And as long as we buy them, we are also evil.

Why, oh why, have you not logged in? Could it be because you know your ideas are not worth the attachment of a name?

Re:Google has BACKED DOWN in China

AFAIK, Google never announced that they stopped censoring. So claiming that they "backed-down" is disingenuous. They've already made good on their threat by delaying the release of 2 phones pending talks with the government. Feel free to lambast them once they've concluded the talks and yet still censor results.

Re:Google has BACKED DOWN in China

[selven]

I don't think so.

English version: a few pretty colorful images, one broken bicycle image, 11 tank men.

Chinese version: 1 tank man, one broken bicycle image, 14 pretty pictures.

Looks censored to me, with one tank and one broken bicycle so it doesn't look whitewashed.

Re:Google has BACKED DOWN in China

[kramulous]

Yup. This poor bastard was never seen again.

Re:Google has BACKED DOWN in China

[Tanman]

I hate to say it, but everyone who thinks Google is going to stand up to losing that much profit (and China IS a land of opportunity for corporations) is fooling themselves. Google is not your friend. Google is a MARKETING COMPANY. They do data mining and advertising. I have no clue why everyone has such a glint in their eye when they think about them.

Google only published this attack as a method of negotiating with the Chinese. Nothing more.

Re:Google has BACKED DOWN in China

[gad_zuki!]

Doesnt really make a difference. The great Firewall of China inspects packets for certain words and spoofs a RST packet to break the connection and blocks that IP for x amount of time. I doubt the Chinese can actually see those results. I wouldnt be surprised if the results were IP based (if china IP then censor).

Re:Google has BACKED DOWN in China

The link in the article, even on the day it was posted on slashdot, talked about conflicting reports.

Current status @ 07:20 NZT, 02:20 Beijing time, 14-01-10: Still conflicting reports coming out. It could be that Google has already lifted its own censorship measures. Or it could be that the censorship measures are still up, but because of the intense interest generated (and click-thrus) on sensitive subjects, small holes in the wall are being publicised and magnified.

That was probably some over-enthusiastic blog. Google would have officially annouced it if it had lifted censorship. Last official status from Google is that they're talking to the Chinese.

I know people don't read articles here, but let's just hold our horses for an official announcement on Google's status. =)

Re:Google has BACKED DOWN in China

[hackingbear]

Try to search in Chinese http://images.google.cn/images?q=%E5%A4%A9%E5%AE%89%E9%97%A8%E5%B9%BF%E5%9C%BA&btnG=Google+%E6%90%9C%E7%B4%A2&gbv=2&hl=zh-CN&um=1&sa=2&start=0

Generally, the Chinese government does not censor most English contents but almost all Chinese contents.

Re:Google has BACKED DOWN in China

[hackingbear]

Thanks. I can try there

Re:Google has BACKED DOWN in China

[klui]

If you live in China but speak only English. Applicable to maybe 0.01% (pulled it out of my ass) of the population there.

Re:Google has BACKED DOWN in China

uh...did you try it in Chinese?

You do realize they don't speak English by default, don't you?

Re:Google has BACKED DOWN in China

[Tim+C]

That may not be google's doing; presumably the google.cn search is going to be favouring Chinese-language pages, while the google.com/.co.uk search will be favouring English-language ones.

As such, Google may just be reflecting the inherent bias in its source, rather than applying a bias of its own.

Re:Of course...

[Em+Emalb]

"0" "O" "0"

That's how I troll.

Shutdown IS the fix

[syousef]

It will force shutdown even if you don't check the box at the end of the installer. How can this be so wrong at so many levels.

You don't get it. Shutting down your computer IS the security fix. If you start it up again, you're back where you started - with Windows and IE.

Re:Shutdown IS the fix

[indi0144]

Actually you're correct, it restarted on my Mandriva install :)

Bus since I'm working in some designs I had to reboot to Windows. The forced shutdown it's more related to the patch you download, windows update does not force shutdown AFAIK.

Re:Shutdown IS the fix

[jisatsusha]

If you use Automatic Updates, and the updates it installs require a reboot, it'll show a 5 minute countdown, after which it'll forcefully reboot. If you happen to not be at the computer when it does, you can say goodbye to any unsaved work you might have had.

Re:Shutdown IS the fix

Why would you walk away from your pc for more than 5 minutes without saving anyhow. Comments like this just make me wanna scream dumbass.

Re:Shutdown IS the fix

As the other reply stated, you are a dumbass for not saving if leaving the computer to begin with. The other point is that you are also a liar because every document editor, Adobe CSS, etc., etc., (etc. programs) out there will auto-save on exit.

Re:Shutdown IS the fix

Lying asshole. Windows hasn't forced shutdowns for updates in a long time.

Re:Of course...

[indi0144]

So you finally show up your face!! Leave MySQL alone!!!!1 Grrr!!

What if IE could be uninstalled?

[davet2001]

Since I never use IE and never intend to, it's a shame that there's no uninstall option in XP.

Removing IE would save me bandwidth on all the patches and more importantly spare me the forced reboots.

I'd probably find that a lot of rendered local text would stop working without IE such as help pages, but I usually find google more effective than built in help these days any way.

Re:What if IE could be uninstalled?

[BitZtream]

Removing IE is easy, its a wrapper GUI around a browser engine. Delete iexplore.exe, there you deleted IE.

The rendering engine is in a shared DLL thats used by just about everything now days, even if the app doesn't use the renderer directly, the built in help system is HTML based and uses the shared library for its renderer.

Its also used by HTML style dialogs, which are basically dialogs that use HTML to define the layout rather than the old style dialog resources.

This isn't really different from any other modern OS which uses HTML all over the place. I can't think of any modern desktop OS that doesn't have massive dependancies on an HTML renderer.

Re:What if IE could be uninstalled?

You can use this website to uninstall IE completely: http://www.ubuntu.com/GetUbuntu/download

Re:What if IE could be uninstalled?

[WraithCube]

Troll? I know the parent missed the point of the GP that the operating system should not depend on an html rendering engine of a buggy browser, but is quite far from a troll. He brings up a good point. There are a lot of apps that for right or wrong use the IE rendering engine, including plenty of in house applications.

As far as removing IE goes, iexplorer.exe will get rid of the gui leaving just the engine behind it. However, removing an html rendering engine should not break an operating system. Years ago I mistakenly tried to forcibly remove the rest of the engine from windows xp and ended up with more errors and problems than I could figure out. It breaks windows explorer and if I remember correctly causes internet connection problems since connection properties are configured through IE.

Though I would have to call into question how much any modern OS depends on an HTML renderer. Correct me if I'm wrong, but I believe both KDE and GNOME would be able to operate with only minor lost functionality without an html rendering engine. I know khelp uses an html library (that oddly is not installed in opensuse by default). GTK+ and QT can both use webkit, but are in no way dependent on it.

Re:What if IE could be uninstalled?

Add or Remove Programs >> Add/Remove Windows Components >> uncheck IE >>click next

Re:What if IE could be uninstalled?

If you upgrade to Windows 7, you can uninstall MSIE. Go to Control Panel -> Programs and Features -> Change Features. Un-check Internet Explorer, click OK, and it will be uninstalled.

You cannot, however, remove the Trident rendering engine used by MSIE. That engine is used by other applications, such as Steam.

Re:What if IE could be uninstalled?

Troll? I know the parent missed the point of the GP that the operating system should not depend on an html rendering engine of a buggy browser, but is quite far from a troll. He brings up a good point. There are a lot of apps that for right or wrong use the IE rendering engine, including plenty of in house applications.

As far as removing IE goes, iexplorer.exe will get rid of the gui leaving just the engine behind it. However, removing an html rendering engine should not break an operating system. Years ago I mistakenly tried to forcibly remove the rest of the engine from windows xp and ended up with more errors and problems than I could figure out. It breaks windows explorer and if I remember correctly causes internet connection problems since connection properties are configured through IE.

Though I would have to call into question how much any modern OS depends on an HTML renderer. Correct me if I'm wrong, but I believe both KDE and GNOME would be able to operate with only minor lost functionality without an html rendering engine. I know khelp uses an html library (that oddly is not installed in opensuse by default). GTK+ and QT can both use webkit, but are in no way dependent on it.

I don't know if it counts as a modern OS in your book, but OSX is dependent on the Webkit rendering engine (from Safari) in the same way as Windows is dependent on its Gecko rendering engine (from IE)

Re:What if IE could be uninstalled?

I don't know if it counts as a modern OS in your book, but OSX is dependent on the Webkit rendering engine (from Safari) in the same way as Windows is dependent on its Gecko rendering engine (from IE)

hehe.. ment Trident, not Gecko, of course, neurons really misfiring for a second

Re:Of course...

[Pojut]

Yeah, but they were real gentle-like, so it wasn't too big of a deal :P

Re:Why not just disable it instead.

[Old+Flatulent+1]

here is a good way to disable IE and make sure that nothing can access it and all stupefied widows only morons will be forced to use the default browser you set up. There sure as heck would not have a clue as to why IE will not work.

Then remove the entries from the start menu and take all the icons off the desktop. Of course this is not practical with XP but will work just fine with vista and 7 as the updates are independent of the default browser. It will work if you control the updates in XP and only enable IE when a critical update happens.

Re:Quick turnaround! NOT!

[SpaceLifeForm]

Microsoft knew about it last September.

How did they pull it off though?

[Twillerror]

So IE has a buffer overrun. This wasn't something on port 135...so how did the Chineese get in.

Did it get in via a viewing of an email inside of Outlook?
Did some stupid user visit a bad site sent thru email?

The end user had to go to a site which then allowed a trojan to get install...is this what happened?

Re:Of course...

[e2d2]

Psh, you think your safe? Not as much as me. I don't even run a fucking computer. I'm transcribing this via telephone to a guy in Malaysia.

I came, I duped, I duped again

[goldaryn]

I know it's exam season Slashdot, but seriously - my lecturers would be proud:

Say what you are going to say
Microsoft To Ship Emergency IE Patch

Say it
Microsoft To Issue Emergency IE Patch

Say what you said
Microsoft Patches "Google Hack" Flaw In IE

Re:I came, I duped, I duped again

You must be doing powerpoint presentations too :)

abuse of moderation

[drinkypoo]

"Troll" does not mean "anything with which I disagree". It is trivial to find citations for the examples I give above. Try the China Aid Society first. Or read up on the Chinese Death Vans — they execute ten times more people per capita than the USA that they admit to and actually had vehicles created for the purpose. The condemned enter the vehicle, and they never leave — and their family is not permitted to see the body, which is considered extremely important by nearly all peoples on the planet. Organ supplies coming from China are all out of proportion.

Way to try to bury my opinion (on evil) and the facts (on China) at the same time, though.

Thanks Microsoft!

[FlyingBishop]

I just remembered I hadn't ran `sudo apt-get upgrade` for a month or two.

Not that there's much danger of me getting hacked, but that's a 100mb download. Just imagine how much crap I'd be downloading if you waited for patch Tuesday!

Re:Thanks Microsoft!

[smash]

If you'd last run windows update a month ago, less than that.

I thought that read "Patents"

So China will have to pay IE royalties next time.

Am I the only one...

...who read "Patents" instead of "Patches"?

*shudders*

Re:Quick turnaround! NOT!

[blackraven14250]

They also very likely had no intention of fixing the bug, and no tenative patch. Then, the moment they start getting a boatload of bad PR from Google and a couple governments, they have a patch out extremely fast. So yes, it does prove they could have an amazing turnaround, if they spent the resources for it.

"out-of-band"

[oldhack]

Ooooh, we all talk like com techs. Aren't we all so clever?

Re:Of course...

Ignoring the fact the PPC Macs do not run snow leopard which comes with intel only binaries....

PR Spin

[liam193]

Am I the only one who thinks the headline on this reads like common media spin? So basically Microsoft has a bug that happened to be used against Google and the headline reads like Google was doing some hacking. This only leaves me wondering how much did the Microsoft PR people paid to get that worded that way.

Re:PR Spin

[socsoc]

Probably a googol Internet dollars. At today's conversion rates, that's roughly a brazillion USD.

There's times you MAY use it not intending to

"Since I never use IE and never intend to" - by davet2001 (1550151) on Thursday January 21, @05:18PM (#30852740)

See my subject-line above, & realize, that SOME apps do not launch by "filetype associations" & FORCE a user into launching IE!

(Those apps should do it by your default browser file association, ala ShellExecute type API calls for instance in the Win32 API, which would INSTEAD summon the default webbrowser associated with webbrowser files like .html/.htm type file extensions etc. / et al):

An example thereof would be one like WinVulnScan:

Now, before I go anywhere pointing out that is "wrong" with it? Well, first of all - The author of it has the RIGHT IDEA in his application & by ALL MEANS!

HOWEVER, THE "PROBLEM":

He "forces" a user to use IE in it!

(As to that happening? Well - My guess is, is that he "hardcoded in" the actual std. commandline for IE into his app is why)...

Still - it's a decent app that helps secure your system though, by finding out what the latest patches are for your Windows NT-based OS' that your system lacks (easy to write one like it too pretty much, but, who has the time anymore (my days of shareware/freeware creation for instance, are LONG behind me now, & trust me: It's WORK, especially fielding users' requests & such)).

Fact is? Well - I've been thinking of writing that fellow (the dev of WinVulnScan) & running this idea by he... I just might @ that, now that I noted it here.

APK

P.S.=> Just pointing out an actual instance, with an application no less, that FORCES the use of IE on a user (albeit, not the BEST ONE probably, it was all I could come up with on "short-notice" is all)!

HOWEVER - There ARE other apps too, that do the same, mind you!

(Thank goodness though, the author of WinVulnScan only directs users to MS sites, which are MORE-OR-LESS, safer than others probably are (MS does get decent talent in coders (e.g.-> Dr. Mark Russinovich & Mr. Anders Heijelsberg as 2 examples thereof whom I respect a great deal for their accomplishments in this "art & science" of computing for example) & I expect their network tech/network administrator/network engineering staff is doubtless of EQUAL CALIBRE on that end also))... apk

Ars Technica

[Seriousity]

Ars Technica has all the download links you need

And here they are...

It could be worse...

[Antony-Kyre]

You could be one of those people who is stuck using XP SP1, so it won't install to begin with.

Re:It could be worse...

[Antony-Kyre]

But, I guess even if they are stuck with XP SP1, they could always just use another browser.

But, some people just love the feel of Internet Explorer 6. But to the best of my knowledge, there aren't any "I heart IE6" t-shirts available, so perhaps those people are few and far between.

Re:Of course...

[Dupple]

You can't run Snow Leopard on a G5. Intel only

Too bad..

You can write to an in-use file. Unless somebody opened the file and specifically set the flag that dis-allows that. Go lookup FILE_SHARE_DELETE / FILE_SHARE_WRITE

Although I guess its a mistake to use facts here. How would we bash Microsoft then?!

Re:Of course...

Psh, you think your safe? Not as much as me. I don't even run a fucking computer. I'm transcribing this via telephone to a guy in Malaysia.

Hello, McFly? Wiretap.

I call Shenanigans!

[Brett+Buck]

Snow Leopard will not run on a PPC. Nice try.

Re:Of course...

But a PPC G5 can not run snow leopard.. As it only works with intel..

Re:Why not just disable it instead.

[smash]

Unfortunately, in the real business world there is a metric fuck-tonne of web apps out there that are only supported on IE.

Rightly or wrongly, disabling IE for many industries is not an option.

Re:Of course...

[ChangeOnInstall]

...this does not apply to Mac users, because Mac's don't suffer from drive-by downloads and other malware. My PPC G5 running Safari on Snow Leopard is rock-solid and secure.

-1 Offtopic? Lay off this guy. He's probably tired and cranky after just having ported Snow Leopard to the PowerPC.

Can I get a copy?

File dates in Patch files.

[MadMaverick9]

The patch was released today - 21-Jan-2010.

So why do the files contained in "IE8-WindowsXP-KB978207-x86-ENU.exe" all have a date of "6-Jan-2010" or older?? The files contained in "IE8-WindowsServer2003-KB978207-x86-ENU.exe" are dated "22-Dec-2009" or older. Why?? And when the patch is installed, the files that are updated, like "mshtml.dll", have a date of "22-Dec-2009".

Wasn't the vulnerability, that this patch supposedly addresses, discovered (published) around 14-Jan-2010??

Anybody has an idea why there is a discrepancy??

Looks like Microsoft had the problem already fixed before it was even published. No??

Re:File dates in Patch files.

[Tim+C]

Well, perhaps the vulnerability had already been reported (or spotted internally) and MS had already started work on a patch for it.

With the holidays, time for QA, etc, file dates from late Dec and early Jan for a release today really doesn't seem out of the ordinary.

Re:Of course...

[L4t3r4lu5]

he low-cost of upgrading to Snow Leopard just proves that you are paying far too much for hardware, not the software that it utilizes.

Maybe the hardware is actually no more expensive than the hardware in any Windows PC, and you pay $600 for the original OS X license, and $50 for each service pack. You can't use OS X on anything but Apple hardware, so they can get away with selling Snow Leopard retail for a loss compared to paying through the nose for the version of the OS a Mac ships with.

Kind of puts "MS Tax to shame when you put it like that, doesn't it?

You must not have heard of "source addresses", eh?

Your IP address shows that you are in China? No? Then I'm thinking you don't see what the chinese see on google.cn.

DriverMax does the same (so you all know that too)

DriverMax by Innovative Solutions:

It's "in the same boat" as WinVulnScan above: IT TOO, 'forces' a user into using IE as its browser (for downloading the latest drivers & displaying them)...

(Again though - it's a program with ABSOLUTELY THE RIGHT IDEA IN MIND (for performance this time though, more than security really) - it finds the latest drivers for your Windows 2000/XP/Server 2003/Server 2008/VISTA/Windows 7 32 or 64-bit Operating Systems)

APK

Re:You must not have heard of "source addresses",

andy zebrowitz