Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Patches "Google Hack" Flaw In IE

Posted by timothy on from the you-saw-this-coming dept.

An anonymous reader writes "As expected, Microsoft has issued an out-of-band security patch to address a remote code execution hole in Internet Explorer that was used in the recent Chinese attacks disclosed by Google. Ars Technica has all the download links you need."

34 of 142 comments (clear)

  1. Microsot by SimonTheSoundMan · · Score: 5, Funny

    Ugh, Microsoft! Get it right.

    1. Re:Microsot by GrosTuba · · Score: 2, Funny

      Almost as craptacualr as the reserachers from the front page, who unfortunately got fixed in the meantime :)

      --
      Who needs a .sig anyway ?
    2. Re:Microsot by burkmat · · Score: 2, Funny

      Perhaps we should stop bashing MS all the time, after all, where would the anti-virus industry be without them?

    3. Re:Microsot by lousyd · · Score: 3, Funny

      I thought it was a clever, subtle jab at MS. Like, they're sots. Tiny sots.

      --
      If aspiration is a virtue, achievement cannot be a vice.
    4. Re:Microsot by draconx · · Score: 4, Insightful

      No, what slashdot needs are editors: people who read and correct errors in written works prior to publication.

    5. Re:Microsot by Canazza · · Score: 2, Interesting

      That needs qualifying as #1 in the HOME market. There are many more servers running various brands of Unix and Linux out there than there are running IIS or Apache on a Windows box (though not an insignificant ammount).

      Servers are naturally harder to get viruses or trojans onto them as they're generally not used to surf the web, and the only applications executed on them should be done by a responsible sysadmin - who should know better.

      Windows is targeted as it is the #1 Home and Business OS, and as most people are clueless about how the technology actually works (running with admin privileges, surfing dodgy sites, falling for phishing scams, opening spam emails). A street magician or scam artist will only target those people who they see as a patsy. The obvious idiot. The lazy fool. Windows and IE attract them both, and they get burned for it.

      --
      It pays to be obvious, especially if you have a reputation for being subtle.
  2. Quick turnaround! by Anonymous Coward · · Score: 5, Funny

    This just goes to show that OSS is better because the fixes come out fas...

    oh this was IE?

    Oh...

    I mean... this patch just goes to show the lax security and horrendous coding of IE!

    (In all seriousness, it's actually quite nice to see the hole fixed and tested in such a quick time. I think MS actually deserves kudos for the quick turnaround and out-of-band release)

    1. Re:Quick turnaround! by Anonymous Coward · · Score: 4, Funny

      The cynic in me wonders iff this wasn't such a visible and highlighted Google highlighted would they bothered to push it sooner or even at all or even to let people know there is a problem

      Could you repeat that? My gibberish-to-english translator is on smoke break, and I'm nowhere near as fluent as he...

    2. Re:Quick turnaround! by UnknowingFool · · Score: 4, Insightful

      No it goes to show how fast MS can release a patch (and out of their normal cycle) when face with a large amount of negative PR. Normal vulnerabilities usually have to wait til Patch Tuesday. But when Google announces that IE was to blame in a large number of attacks, both France and Germany advises their citizens not to use IE for a while, MS better patch it sooner than later.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    3. Re:Quick turnaround! by aztracker1 · · Score: 3, Informative

      Apparently some of the bugs were reported to MS back in September. So it really wasn't *that* fast.

      --
      Michael J. Ryan - tracker1.info
    4. Re:Quick turnaround! by UnknowingFool · · Score: 4, Insightful

      It only proves my point. MS sat on the bugs for months and only released a patch after public disclosure by Google. How much longer would have they sat on them if it wasn't for the bad PR.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    5. Re:Quick turnaround! by Dishevel · · Score: 3, Insightful

      How much longer would have they sat on them if it wasn't for the bad PR.

      Stupid question. Answer is of course "Forever!".

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    6. Re:Quick turnaround! by bstone · · Score: 2, Insightful

      >>Nothing quite like two national governments recommending against using your product to raise the priority of fixing the problem

      Nothing like people actually switching browsers in droves because of the warnings to raise the priority of fixing it. Now that they've switched, what are the chances of those lost users switching back?

    7. Re:Quick turnaround! by Canazza · · Score: 2, Insightful

      well you can't complain, you're getting IE for free

      --
      It pays to be obvious, especially if you have a reputation for being subtle.
  3. WTF! FORCED SHUTDOWN by indi0144 · · Score: 5, Informative

    It will force shutdown even if you don't check the box at the end of the installer. How can this be so wrong at so many levels.

    1. Re:WTF! FORCED SHUTDOWN by mrjohnson · · Score: 5, Insightful

      Rebooting to upgrade a browser is at least five levels of wrong!

    2. Re:WTF! FORCED SHUTDOWN by weicco · · Score: 2, Interesting

      Uh! I would love to "upgrade" in-use shared library files so that changes are reflected to loaded instances in every running process! My viruswormtrojan would rule the world!

      --
      You don't know what you don't know.
    3. Re:WTF! FORCED SHUTDOWN by mpe · · Score: 2, Informative

      Better than the alternative, which is to potentially leave software running with a still vulnerable browser, and a user with a false sense of security because they 'just installed the patch.'

      The other alternative is to put up a message saying "These applications/services/etc need to be restarted".

      Allowing libraries to be modified on disk while in use is a solution to the upgrade problem which is simple, elegant, and terribly, terribly wrong.

      If the OS is sufficently "clever" the old version of the library need only exist until the last thing executing it's code stops doing so.

  4. Re:Of course... by Pojut · · Score: 3, Insightful

    ...this does not apply to Mac users, because Mac's don't suffer from drive-by downloads and other malware. My PPC G5 running Safari on Snow Leopard is rock-solid and secure.

    I take it you haven't heard the news? Granted, it's much more secure...but not secure.

    People think that Mac's are expensive, but the safety and security alone are reasons to justify the high price. The sleek, advanced looks are just the icing on the cake.

    Uh...OSX is what is safe and secure...not Apple hardware. Install OSX onto a hackintosh and it will be just as secure as your overpriced "icing". Macs ARE expensive, and the low-cost of upgrading to Snow Leopard just proves that you are paying far too much for hardware, not the software that it utilizes.

    Come on. If you are gonna fanboy for a single system, at least get your facts straight.

    --
    Living With a Nerd
  5. Just a thought. by burkmat · · Score: 2, Interesting

    Now, if I had that kind of exploit (along with the Windows source code) to play with, and the skills to individually target a specific Google machine, I'd sure as hell make sure to sneak my exploit into the soon-to-appear Microsoft patch site...

    And honestly, so far the chinese have struck me as the competent types.

    1. Re:Just a thought. by phantomcircuit · · Score: 3, Interesting

      And honestly, so far the chinese have struck me as the competent types.

      The several thousand failed attack attempts in my logs would care to disagree.

  6. Google has BACKED DOWN in China by hackingbear · · Score: 2, Insightful

    This is a bit off-topic but I have nowhere else to post this. I have attempted to post the reports that Google has backed down in China and re-enabled search result filtering in Google.cn despite of the lack of REAL actions from the Chinese government in the last two days, but /. editors keep refusing to put this relevant in the headline. Right, how can we be critical of our new found American hero defending the precious "freedom" and fighting the evil China? How can a hero backing down to the evil China? Hero can't make fundamental principle error, or you are not allowed to know when it does. Can someone find a way to post this news report (which can be verified search "June 4" in google.cn and which I can't find any English language sources)?!

    1. Re:Google has BACKED DOWN in China by Anonymous Coward · · Score: 5, Informative

      Actually they haven't removed censorship yet. They would be talking with the Chinese government about a way to provide an uncensored search within the law.

      "We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China."

      A new approach to China

      So, we're still on hold as to if they will remove censorship.

    2. Re:Google has BACKED DOWN in China by phantomcircuit · · Score: 4, Informative

      Looks pretty un-censored to me. images:tiananmen square

    3. Re:Google has BACKED DOWN in China by drinkypoo · · Score: 2, Insightful

      Calling China "evil" is childish, naive, narrow-minded, and stupid.

      As long as China is killing people for cheating on their taxes and harvesting their organs, then selling them on the world market, then they are evil. As long as they are imprisoning Christians for their religious beliefs, gang-raping them and sending them to work camps to make plastic gewgaws (like christmas lights) for sale in the US, they are evil. And as long as we buy them, we are also evil.

      Why, oh why, have you not logged in? Could it be because you know your ideas are not worth the attachment of a name?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Google has BACKED DOWN in China by kramulous · · Score: 2, Funny

      Yup. This poor bastard was never seen again.

      --
      .
  7. Shutdown IS the fix by syousef · · Score: 4, Funny

    It will force shutdown even if you don't check the box at the end of the installer. How can this be so wrong at so many levels.

    You don't get it. Shutting down your computer IS the security fix. If you start it up again, you're back where you started - with Windows and IE.

    --
    These posts express my own personal views, not those of my employer
  8. What if IE could be uninstalled? by davet2001 · · Score: 4, Interesting
    Since I never use IE and never intend to, it's a shame that there's no uninstall option in XP.

    Removing IE would save me bandwidth on all the patches and more importantly spare me the forced reboots.

    I'd probably find that a lot of rendered local text would stop working without IE such as help pages, but I usually find google more effective than built in help these days any way.

    1. Re:What if IE could be uninstalled? by BitZtream · · Score: 3, Insightful

      Removing IE is easy, its a wrapper GUI around a browser engine. Delete iexplore.exe, there you deleted IE.

      The rendering engine is in a shared DLL thats used by just about everything now days, even if the app doesn't use the renderer directly, the built in help system is HTML based and uses the shared library for its renderer.

      Its also used by HTML style dialogs, which are basically dialogs that use HTML to define the layout rather than the old style dialog resources.

      This isn't really different from any other modern OS which uses HTML all over the place. I can't think of any modern desktop OS that doesn't have massive dependancies on an HTML renderer.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:What if IE could be uninstalled? by WraithCube · · Score: 3, Interesting

      Troll? I know the parent missed the point of the GP that the operating system should not depend on an html rendering engine of a buggy browser, but is quite far from a troll. He brings up a good point. There are a lot of apps that for right or wrong use the IE rendering engine, including plenty of in house applications.

      As far as removing IE goes, iexplorer.exe will get rid of the gui leaving just the engine behind it. However, removing an html rendering engine should not break an operating system. Years ago I mistakenly tried to forcibly remove the rest of the engine from windows xp and ended up with more errors and problems than I could figure out. It breaks windows explorer and if I remember correctly causes internet connection problems since connection properties are configured through IE.

      Though I would have to call into question how much any modern OS depends on an HTML renderer. Correct me if I'm wrong, but I believe both KDE and GNOME would be able to operate with only minor lost functionality without an html rendering engine. I know khelp uses an html library (that oddly is not installed in opensuse by default). GTK+ and QT can both use webkit, but are in no way dependent on it.

  9. Re:Why not just disable it instead. by Old+Flatulent+1 · · Score: 2, Interesting
    here is a good way to disable IE and make sure that nothing can access it and all stupefied widows only morons will be forced to use the default browser you set up. There sure as heck would not have a clue as to why IE will not work.

    Then remove the entries from the start menu and take all the icons off the desktop. Of course this is not practical with XP but will work just fine with vista and 7 as the updates are independent of the default browser. It will work if you control the updates in XP and only enable IE when a critical update happens.

  10. "out-of-band" by oldhack · · Score: 2, Insightful

    Ooooh, we all talk like com techs. Aren't we all so clever?

    --
    Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
  11. It could be worse... by Antony-Kyre · · Score: 2, Interesting

    You could be one of those people who is stuck using XP SP1, so it won't install to begin with.

  12. I call Shenanigans! by Brett+Buck · · Score: 2, Insightful

    Snow Leopard will not run on a PPC. Nice try.