Slashdot Mirror


MS Issues Emergency IE Security Update

WrongSizeGlass writes "CNET is reporting that Microsoft has issued an emergency patch for 10 IE security holes. 'The cumulative update, which Microsoft announced on Monday, resolves nine privately reported flaws and one that was publicly disclosed. ... Software affected by the cumulative update addressing all the IE vulnerabilities includes Windows 2000, Windows XP, Windows Server 2003 and Server 2008, Vista, and Windows 7.'"

114 comments

  1. Pwn2own strikes again by sxedog · · Score: 4, Informative

    Amazing... that was only a week ago!

    --
    If it ain't broke, DON'T fix it.
    1. Re:Pwn2own strikes again by amicusNYCL · · Score: 4, Insightful

      idiots who want to use what they don't understand deserve to get 0wned.

      Totally. All those drooling idiots driving cars without knowing how to rebuild an engine and transmission are just asking for it.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Pwn2own strikes again by steelfood · · Score: 2, Insightful

      Actually, your analogy would be asking everybody who used a browser to know how to code.

      On the other hand, it's a good idea for people to learn about the technology behind websites before browsing them. For example, knowing what javascript is, what flash is, what cookies are, what xml is and how it relates to web pages, etc. And they may want to know how to block or clear cookies and block javascript and clear cache.

      And that's asking people to know the laws of driving, how to read the street signs, to know what happens when roads get wet or are covered in snow, to know about dirt versus gravel versus asphalt versus cement, and how to react appropriately under each circumstance. And it's asking them to know how to use the e-brake or the transmission. And that's certainly not too much to ask.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    3. Re:Pwn2own strikes again by evanbd · · Score: 1

      idiots who want to use what they don't understand deserve to get 0wned.

      Totally. All those drooling idiots driving cars without knowing how to rebuild an engine and transmission are just asking for it.

      What about people that don't know they need to lock their doors when they leave the car, or change the oil on a regular basis?

    4. Re:Pwn2own strikes again by Ollabelle · · Score: 0, Offtopic
      Oh come on now.

      What part of the story of the family in a decrepit Lexus with worn-out brakes doing acceleration overtime wasn't true? THAT's what got this Toyota-bashing story started. And even Toyoda himself admitted it - they got greedy and too big too fast.

      --
      Ibid.
    5. Re:Pwn2own strikes again by amicusNYCL · · Score: 2, Insightful

      And that's certainly not too much to ask.

      It most definitely is. I don't need to understand Blu-ray encoding in order to watch a movie, I don't need to understand how WEP works (or doesn't) in order to connect to an access point, and I don't need to understand how GSM or SMS works in order to send a text message. I don't need to understand how the Playstation network operates in order to play online, I don't need to understand how HVAC works in order to cool my house, and I don't need to understand how an electrical coil heats up in order to toast bread. Users don't care about those things. Expecting a user to educate themselves about Javascript IS asking quite a bit (XML? really?).

      And that's asking people to know the laws of driving, how to read the street signs, to know what happens when roads get wet or are covered in snow, to know about dirt versus gravel versus asphalt versus cement, and how to react appropriately under each circumstance. And it's asking them to know how to use the e-brake or the transmission.

      Are you under the expectation that all drivers on the road know all of those things? Not to pick on women, but stories from mechanics about women reporting problems with their cars are about as amusing as the clueless tech support calls we enjoy so much. The fact is that people do NOT know those things about driving, but you expect someone to educate themselves on XML before they go to MSN?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    6. Re:Pwn2own strikes again by amicusNYCL · · Score: 1

      What about people that don't know they need to lock their doors when they leave the car, or change the oil on a regular basis?

      If they're like a normal person, they learn from their mistakes and they don't do the same thing again.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    7. Re:Pwn2own strikes again by evanbd · · Score: 2, Insightful

      What about people that don't know they need to lock their doors when they leave the car, or change the oil on a regular basis?

      If they're like a normal person, they learn from their mistakes and they don't do the same thing again.

      Oddly, computers seem to be exempt from that. The same people get viruses, trojans, malware, etc, and keep downloading crap and failing to install updates, and it keeps happening. Most drivers seem to learn to change the oil after destroying an engine, but somehow computer users are different. Clearly there's plenty wrong with the software in the first place, but there's also something very odd about users who experience these problems and then both continue using the same problematic software and failing to learn from their mistakes.

    8. Re:Pwn2own strikes again by smash · · Score: 1
      IE has its place in corporate networks. Like it or not, there is plenty of software that people use every day to GET THEIR JOB DONE that does not work in anything else. If patched and placed behind an appropriate filtering proxy/firewall IE security is manageable with security zones and group policy. Plenty of idiots run IE, and yes they get owned. Plenty of idiots run linux and get r00ted as well (I used to be one, before I knew shit from clay - i had a couple of boxes r00ted back in 1999).

      A competent admin can ensure IE is "safe enough" for corporate usage.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    9. Re:Pwn2own strikes again by b4dc0d3r · · Score: 1

      On one hand, the analogy was flawed and had to be corrected. On the other hand, the explanation was poorly done. A better explanation would be that people need to learn things about their browser in order to use it effectively. Like "too good to be true" probably means it's not true. Or there ain't no such thing as a free lunch. Common sense that says don't take unknown things from unknown people. That's what people forget - no other application has opened people up to identity theft just by operating it. Since a browser uses so many external files, it's the exception that no one thinks about.

      What's the penalty for not knowing? In the car analogy, safety of the people you might otherwise drive over, or yourself, should be the motivator. People drink and drive, they text and drive, they don't pay attention, or they aren't familiar with their vehicles. Most people do not fall in this category, a few do. The penalty is in a few cases someone successfully installs a spambot the user will never notice. In fewer cases the user's personal files get transferred, and some of those get used and credit card companies block cards due to suspicious activity and a few people lose money. If it were a big problem, we'd hear stories every night on the news, but it only comes up a few times a year.

      There's no incentive to learn because 1) it's rare and 2) learning is not a requirement, as it is in a driver's license test. This is where the "Internet driver's license" idea makes sense, until we realize how impractical it would be. Then we're back to the situation where people should learn, but don't, and it's only a problem for a few people a year.

    10. Re:Pwn2own strikes again by perryizgr8 · · Score: 0, Offtopic

      woz is just another fucked-up guy. seriously, i don't have any respect for people who are unable to take credit for their own work.

      --
      Wealth is the gift that keeps on giving.
    11. Re:Pwn2own strikes again by perryizgr8 · · Score: 1

      ie just needs to go. big companies are still holding fast to win xp. would you say that refusing to let go of a 10 year old software is justified? ie6 is also 10 year old i think.

      --
      Wealth is the gift that keeps on giving.
    12. Re:Pwn2own strikes again by Tim+C · · Score: 1

      That's what people forget - no other application has opened people up to identity theft just by operating it.

      All the people who fell for 419 and similar scams by reading and replying to emails would beg to differ.

    13. Re:Pwn2own strikes again by Anonymous Coward · · Score: 0

      This is one of the most ridiculous posts I have ever read on Slashdot during my 10 or so years and the fact that you have been modded insightful just makes it more sad and obvious how out of touch many readers of this site are.

    14. Re:Pwn2own strikes again by Spad · · Score: 1

      Because it doesn't usually cost them thousands to repair.

    15. Re:Pwn2own strikes again by vegiVamp · · Score: 1

      The people who got 419ed didn't just operate their mail client (or browser, more likely), but actively responded, repeatedly, to an obviously too-good-to-be-true offer from someone they didn't know in a country they may not even have ever heard of, and then enacted one or more banking transactions to the same unknown factor.

      It's like I'm driving my car on the highway, and I suddenly decide to follow an arrow that says "Promised Land" and points into a dark, foggy gravel road that goes in the direction of where there clearly was a ravine a few hundred yards earlier.

      --
      What a depressingly stupid machine.
    16. Re:Pwn2own strikes again by vegiVamp · · Score: 1

      I agree that there is stuff that doesn't work in anything else, but it can be argued that the stuff needs fixing, then.

      If my car were to work only on Belgian roads, I would be rather quick to either get it fixed or swap it for one that works on all roads.

      --
      What a depressingly stupid machine.
    17. Re:Pwn2own strikes again by Anonymous Coward · · Score: 0

      idiots who want to use what they don't understand deserve to get 0wned.

      Totally. All those drooling idiots driving cars without knowing how to rebuild an engine and transmission are just asking for it.

      That's right. And if you don't know exactly what's going on inside that disk I/O driver, you shouldn't be allowed to keep permanent files.

    18. Re:Pwn2own strikes again by drinkypoo · · Score: 1

      And that's asking people to know the laws of driving, how to read the street signs, to know what happens when roads get wet or are covered in snow, to know about dirt versus gravel versus asphalt versus cement, and how to react appropriately under each circumstance. And it's asking them to know how to use the e-brake or the transmission. And that's certainly not too much to ask.

      I agree, but apparently no state in the USA does, especially not California. They'll give you a license anyway. Crap, by the time I had to take my driving test, you no longer even had to parallel park.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    19. Re:Pwn2own strikes again by mcgrew · · Score: 1

      The difference between cars and computers is, if you ruin your engine by not changing the oil, your mechanic will tell you "look, you have to check your oil regularly and change it on schedule or you're going to ruin the new one I just put in."

      If Mechanics were like the Geek Squad they'd tell you that having your engine blow up periodically is normal and expected. And taking a computer to Best Buy is what most people do.

    20. Re:Pwn2own strikes again by hesaigo999ca · · Score: 1

      I agree to a certain extent with your comment, especially using a car as a main example to describe computer usage.... I would never drive a car without having taken courses first, and even then, some people are such bad drivers, it is not because they own a car they pass the test to drive.
      As well I would also try to force them to realise more the conduct on the road as a blueprint for surfing the web...road signs need to know how to read them and use them to avoid traffic, or jams, or to know when to stop...using a mechanical stand point might not be fair on the situation...let's use headlights instead.

      Most people do need to know how to turn on their headlights if they are going to drive at night, each car has their own place for such a thing, some on the dashboard, some on the steering column, but most people know how to use them, and know to turn them on at night....unless they want a ticket from the cops.

      Likewise, people using browsers, should know about security, and how it applies to them, knowing that you are secure is different than knowing WHY you are secure. Also, if they are about to let their kids use the computer, how to control them from going on bad sites, etc....there are many ways to spin the analogy but in the end, I do agree that not because you own a computer that you know how to use one.

    21. Re:Pwn2own strikes again by Anonymous Coward · · Score: 0

      It's more like this:

      You're driving along when you notice a sign. The sign reads "Highway this way" and points to a dirt road. People who do not think about why going towards a popular street would decrease the road quality (or who had an unlikely experience that suggested to them that this was quite possible) AND who were not familiar with the area may easily be fooled. Yes, people who fall for those schemes did something pretty stupid... but it's not that obvious.

    22. Re:Pwn2own strikes again by thePowerOfGrayskull · · Score: 1

      On the other hand, it's a good idea for people to learn about the technology behind websites before browsing them.

      I agree it's a good idea - perhaps even foolish not to know this. At the same time, though, the purpose of computers for *most people* is to simplify life. It's not a learning experience, it's a tool to get things done - whether it's watching videos, email, news, blog-gossip, etc.

      From that perspective, while I agree that it is ultimately the user's responsibility, I can also understand how a typical user would be disinclined to go to any extra lengths to learn.

      I think the car comparison is not apt -- a better one would be something like a microwave. You just press the right buttons and it does its job. You might have to clean it once in a while, but doing so doesn't require you to understand any single part of how it does what it does.

    23. Re:Pwn2own strikes again by smash · · Score: 1

      I rolled IE8 out at work without issue. We still need IE as there is shit written that uses ActiveX, etc and the migration cost is just too large. Having one admin spending 10-20 minutes a week approving critical updates and writing a competent group policy is far less costly.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    24. Re:Pwn2own strikes again by smash · · Score: 1

      Thing is if you deploy something else you've just doubled your browser maintenance, as IE is out there whether you like it or not. At least IE can be updated via WSUS and controlled via GP - Firefox/Chrome/Opera/etc can't.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  2. I loaded this article yesterday with Opera by Orga · · Score: 0, Offtopic

    That's just how fast it is.

    1. Re:I loaded this article yesterday with Opera by Anonymous Coward · · Score: 0

      YEAAH - it might be offtopic but it's the damn truth.

    2. Re:I loaded this article yesterday with Opera by perryizgr8 · · Score: 1

      it may be fast, but it sure SUCKS!

      --
      Wealth is the gift that keeps on giving.
  3. Cnet link not really informative by Bearhouse · · Score: 4, Informative

    Ms link here:

    http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx

    No real sweat for IE8 on Win7...

    1. Re:Cnet link not really informative by malloc · · Score: 4, Insightful

      To me "No real sweat" != "Windows 7 - Internet Explorer 8 - Remote Code Execution - Critical "

      --
      ___________________ I want to be free()!
    2. Re:Cnet link not really informative by natehoy · · Score: 3, Informative

      Actually, it is.

      This release also addresses CVE-2010-086, which is no sweat for IE8 on Win7, as you say. But note the term "also addresses". That's an important term.

      One or more of the other nine vulnerabilities the fix is being released for is labeled as critical, and can cause remote code execution.

      Specifically, CVE-2010-0490 (Uninitialized Memory Vulnerability) and CVE-2010-0492 (HTML Object Memory Corruption Vulnerability) are both listed specifically as "Critical - Remote Code Execution" for Windows 7 (both 32 and 64-bit) for Internet Explorer 8. CVE-2010-0494 (HTML Element Cross-Domain Vulnerability) is listed as "Important - Information Disclosure".

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    3. Re:Cnet link not really informative by amicusNYCL · · Score: 1

      No real sweat for IE8 on Win7...

      How do you figure? IE8 on Windows 7 still has this classified as a critical update. It's moderate for IE8 on Server 2003 and Server 2008.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    4. Re:Cnet link not really informative by WrongSizeGlass · · Score: 3, Informative
      Actually, IE 8 and Windows 7 are listed in that very link you posted.

      Internet Explorer 8:
      * Windows XP Service Pack 2 and Windows XP Service Pack 3
      * Windows XP Professional x64 Edition Service Pack 2
      * Windows Server 2003 Service Pack 2
      * Windows Server 2003 x64 Edition Service Pack 2
      * Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
      * Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
      * Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
      * Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
      * Windows 7 for 32-bit Systems
      * Windows 7 for x64-based Systems
      * Windows Server 2008 R2 for x64-based Systems**
      * Windows Server 2008 R2 for Itanium-based Systems

    5. Re:Cnet link not really informative by SilverEyes · · Score: 1

      Well, ... Windows 7 for 128-bit Systems isn't listed, so there!

      --
      Interesting.
    6. Re:Cnet link not really informative by randallman · · Score: 1

      Yea. Except for the ones marked "Remote Code Execution" and "Critical". No sweat.

    7. Re:Cnet link not really informative by Whatchamacallit · · Score: 1

      IE8 on Win7 (32bit/64bit) is just as vulnerable, re-read that bulletin!

      This emergency update includes the CanSecWest fixes where they 0wned a Win7 IE8 system in minutes! There were a hundred Microsoft employees at CanSecWest and they were left scratching their heads because they didn't understand the exploit right away. It was a sophisticated manipulation of realtime memory locations.

  4. Better links here: by Anonymous Coward · · Score: 5, Funny
    1. Re:Better links here: by Animaether · · Score: 1

      why even bother with those... just point people to http://www.browserchoice.eu/ (and tell them to ignore the IE one, I suppose)

    2. Re:Better links here: by moteyalpha · · Score: 0, Offtopic

      Link 1 Link 2

      Why not just go all the way and get a real OS?
      And ceiling cat sayed: "Let there b lulz", n there wuz.
      Or even chrome

    3. Re:Better links here: by Ron+Bennett · · Score: 3, Interesting

      Firefox is nice and is my default browser, but not much better than IE8 when it comes to security vulnerabilities.

      For example, many feel Firefox is so much more secure than IE8 and yet why is it that pop-unders (not the same as pop-ups, which FF does a good job blocking) from the likes of Netflix, even after years of complaints, still haven't been addressed?

      Surely, if unwanted pop-unders can slip through in Firefox, likely so can other unwanted things. Despite being an open-source program, I'm surprised there's still no built-in defense against pop-unders in Firefox. Yes, I know there's Adblock, but that comes with a bunch of overhead and, from what I've read, doesn't always block pop-unders either. End of rant.

    4. Re:Better links here: by Enderandrew · · Score: 4, Insightful

      If Chrome had a better ad-blocking solution, I'd agree with you. All the Chrome ad-blockers still render/run the ad in the background.

      I was reading AintItCoolNews with Chrome, and some ad in the background downloaded and opened a PDF without asking me, which Microsoft Security Essentials was quick to report had malicious code in it.

      With Firefox and Adblock Plus, I never see ads. Where are most of these exploits going to originate from? Ads.

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    5. Re:Better links here: by Smooth+and+Shiny · · Score: 1, Interesting

      There is AdBlock for Chrome as well. Seems to work fine on this end.

    6. Re:Better links here: by FictionPimp · · Score: 1

      How else can they keep you safe?

    7. Re:Better links here: by aztracker1 · · Score: 3, Informative

      Re-read the GP.. the content still gets rendered, even if you don't see it... Which means any exploits still get through.

      --
      Michael J. Ryan - tracker1.info
    8. Re:Better links here: by smash · · Score: 1

      squid+squidguard. done.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    9. Re:Better links here: by perryizgr8 · · Score: 1

      chrome is great. i've been using it on ubuntu. but it gets sluggish after a day or two. firefox's performance is consistently slow, but it IS consistent. opera simply sucks. opera mobile on my e71, it's the best browser on a smartphone. (i don't consider the iphone to be a smartphone cause it can't run >1 apps)

      --
      Wealth is the gift that keeps on giving.
    10. Re:Better links here: by Paradigm_Complex · · Score: 1

      Surely, if unwanted pop-unders can slip through in Firefox, likely so can other unwanted things.

      That's a non sequitur. Consider: The Firefox developers do not view disabling pop-unders as anywhere near as important as ensuring the browser is secure. The fact that the developers did not put the time and effort into disabling pop-unders does not mean they aren't able to keep Firefox secure.

      I'm not saying that Firefox is secure so much as that your reasoning is faulty. You could try to argue that the Firefox developers don't care about end-user complaints, or something along those lines, with that anecdote. It's not, however, proof against Firefox being secure.

      --
      "A witty saying proves nothing." - Voltaire
    11. Re:Better links here: by Jugalator · · Score: 1

      If Chrome had a better ad-blocking solution, I'd agree with you. All the Chrome ad-blockers still render/run the ad in the background

      Since Chrome 4.1, I just use the browser blacklist for the annoying domains to prevent running Javascript and plugins (= Flash).

      It instantly cleans at least two major newspapers here, as a whole lot of advertising is JS or Flash-based, or both. And makes them faster than I have ever seen too, as a bonus.

      Browser black/whitelists with forced includes/exceptions for js/plugins/images is in all OS editions of Chrome since the latest betas for the respective operating systems.

      I think I filed, or at least voted on, a bug that says these black/whitelists should do pattern matching though.

      --
      Beware: In C++, your friends can see your privates!
    12. Re:Better links here: by Jugalator · · Score: 1

      If you set up Chrome to use a script-based whitelist, you essentially have a poor man's NoScript. It's then also easy to unblock certain sites you come across, by using the rightmost omnibar icon that will show for all pages that have js blocked. (a scroll of paper with a cross mark)

      --
      Beware: In C++, your friends can see your privates!
    13. Re:Better links here: by abigsmurf · · Score: 1

      I just wish Firefox wouldn't go crazy when you get a popunder and switch to a random open window. This bug has been around for years and it's pretty irritating. Why hasn't it been addressed yet?

    14. Re:Better links here: by abigsmurf · · Score: 1

      The same Mozilla firefox that took a month to patch a publicly known exploit recently?

      If anything, Firefox is more vulnerable to exploits because of its lack of sandboxing features.

    15. Re:Better links here: by Richard_at_work · · Score: 1

      I wish that a modal dialog window in one tab wouldn't block the entire browser - cannot switch tabs, cannot do anything other than acknowledge and dismiss the dialog window, which kind of fucks everything up when the modal dialog is caused by infinitely looping code :(

  5. OS versus Browser by sunderland56 · · Score: 2, Informative

    If this is an IE bug, why does it only affect some operating systems and not others?

    If this is really an issue with the OS support used by IE, then wouldn't it affect Firefox etc?

    Patch releases really need a "info for geeks" section.....

    1. Re:OS versus Browser by blair1q · · Score: 1

      the less they say about some things, the fewer people make with the gefingerpoken in the sploit vat

      that doesn't help you with your security, it helps them with theirs

    2. Re:OS versus Browser by ivonic · · Score: 2, Informative

      The way IE integrates with the OS varies between releases. In XP and earlier, items such as Windows Update and Windows help are running on IE. Since Vista, these have been control panel applets instead, giving malicious code executed in IE no power over it.

      Users using another browser wouldn't be able to execute code that affects these components, but if some malicious code successfully attacks an IE user, it could potentially attack other parts of the system where IE is integrated (and to which IE has some form of access), and then execute code to potentially gain 'control' of a system.

      This "remote code execution" usually isn't a hack that a script kiddie could run to gain access to your files, but often it's enough for hackers just to be able to redirect your browser (to fake online banking sites) or even just cause your PC to visit a site. Thousands of compromised PCs visiting a website a thousand times a second each is your basic DDoS attack.

    3. Re:OS versus Browser by bloodhawk · · Score: 1

      because depending on your OS versions there are built in mitigations that are not directly related to the browser such as DEP/NX, ASLR, and in the case of the Server OS the browser is locked down tight by default. And yes some of those same protections that windows provides for ie are also available to firefox. The net effect of the various protection mechanisms means a vulnerability has differing consequences depending on the OS version and Architecture (x86/x64).

  6. How is "MS releases emergency patch" news? by Colin+Smith · · Score: 2, Insightful

    This is normal. Expected. Everyday life for millions of Windows users.
     

    --
    Deleted
    1. Re:How is "MS releases emergency patch" news? by DAldredge · · Score: 2, Insightful

      Like other operating systems don't have patches?

    2. Re:How is "MS releases emergency patch" news? by Anonymous Coward · · Score: 0

      And sadly even more common for firefox and linux users :(

    3. Re:How is "MS releases emergency patch" news? by dudpixel · · Score: 1

      what about emergency ones?

      in my experience these are VERY rare, except on Windows.

      --
      This seemed like a reasonable sig at the time.
    4. Re:How is "MS releases emergency patch" news? by DAldredge · · Score: 1

      Then your experience is so limited as to be nonexistent. Oracle, IBM, Sun(RIP) and nearly every other major software house on the planet has released some sort of emergency patch.

    5. Re:How is "MS releases emergency patch" news? by techno-vampire · · Score: 1

      I won't say that no Linux distro or program ever releases an emergency patch, but when they do, most users don't know it's an emergency. Why? Because unlike Microsoft, they don't try to stick to a once-a-month release schedule for patches, so they don't have to make a special announcement or tell the world that it's an emergency; they just release it along with whatever other patches, updates or upgrades happen to be available at the moment.

      --
      Good, inexpensive web hosting
    6. Re:How is "MS releases emergency patch" news? by perryizgr8 · · Score: 1

      most people won't even know. i hate windows. but i have to agree, the updating is pretty seamless, and invisible to the user. ubuntu needs to learn.

      --
      Wealth is the gift that keeps on giving.
    7. Re:How is "MS releases emergency patch" news? by perryizgr8 · · Score: 1

      that's only because of ms' well-known agility, lol, others are just too slow/lazy.

      --
      Wealth is the gift that keeps on giving.
    8. Re:How is "MS releases emergency patch" news? by dudpixel · · Score: 1

      read it again. I didn't say emergency linux patches don't exist, I said they are rare. At least not as common as windows ones.

      --
      This seemed like a reasonable sig at the time.
    9. Re:How is "MS releases emergency patch" news? by dudpixel · · Score: 1

      apparently it's not as "well-known" as you think.

      --
      This seemed like a reasonable sig at the time.
    10. Re:How is "MS releases emergency patch" news? by MacWiz · · Score: 1

      Like other operating systems don't have patches?

      Occasionally, but not every other Tuesday for the last 10 years or so, sapping the productivity of the entire corporate spectrum on a regular basis. And how many "emergency" patches has IE had already this year?

    11. Re:How is "MS releases emergency patch" news? by perryizgr8 · · Score: 1

      it's called sarcasm.

      --
      Wealth is the gift that keeps on giving.
    12. Re:How is "MS releases emergency patch" news? by vegiVamp · · Score: 1

      You mean, like the "Install security updates without confirmation" option that's in my two-versions-behind Ubuntu ? Oh, right, you mean the "reboot for nearly every patch" kind of seamless, yeah, you're right, that's missing from Ubuntu.

      --
      What a depressingly stupid machine.
    13. Re:How is "MS releases emergency patch" news? by DAldredge · · Score: 1

      You didn't limit your original post to just Linux now did you?

    14. Re:How is "MS releases emergency patch" news? by DAldredge · · Score: 1

      If only Microsoft made a product that allowed you to control what updates got sent to your systems.  They could call it something like Windows Server Update Services.

      Oh! they do make such a thing http://en.wikipedia.org/wiki/Windows_Server_Update_Services

    15. Re:How is "MS releases emergency patch" news? by perryizgr8 · · Score: 1

      i don't know if i'm doing something wrong but on ubuntu 9.10, it pops up an ugly update list and waits for me to click update and enter my password. if there is a way to tell it to do so automatically please tell me, i'll be glad to hear it.

      --
      Wealth is the gift that keeps on giving.
    16. Re:How is "MS releases emergency patch" news? by MacWiz · · Score: 1

      Oh! they do make such a thing

      I wouldn't know about such things. I use a Mac.

    17. Re:How is "MS releases emergency patch" news? by DAldredge · · Score: 1

      Then why are you talking about things you don't know about as if you do?

    18. Re:How is "MS releases emergency patch" news? by dudpixel · · Score: 1

      Well I did say "in my experience" - but you weren't to know what that was...

      --
      This seemed like a reasonable sig at the time.
    19. Re:How is "MS releases emergency patch" news? by dudpixel · · Score: 1

      I had a feeling it was - but you just can't be 100% sure these days.

      --
      This seemed like a reasonable sig at the time.
    20. Re:How is "MS releases emergency patch" news? by MacWiz · · Score: 1

      You're making a leap there, pal. I didn't know about the patch management tool -- but I wasn't talking about it.

      As for the rest, I read the news. It's amazing what one can learn. There's a story about Microsoft security patches pretty regularly. The "Security Fix" column at the Washington Post is an excellent source of information, although just about every tech publication will front-page an article about a new MS patch because it's always an "emergency." Anyone with reasonable intelligence can see that stopping to patch every computer in every corporate environment is going to eat up some time. Multiply that by the sheer number of updates and it's a huge dent in our country's productivity.

      Which is why people are asking if "MS releases emergency patch" qualifies as news.

      You don't have to use Windows to be aware of this basic info, just like you won't have to watch American Idol to find out who the winner is. You'll know, whether you want to or not, whether you're interested or not.

    21. Re:How is "MS releases emergency patch" news? by vegiVamp · · Score: 1

      The way you'd expect: right-click on the notification icon and click preferences.

      Well, on my 8.10, that is - I assume it won't have changed much.

      --
      What a depressingly stupid machine.
  7. Opera troll fail by clang_jangle · · Score: 1

    Opera vulnerability that the company denies is a vulnerability

    Following that link, I see:

    the vulnerability was confirmed in Opera 9.10

    That's pretty old. I'm using Opera 10.10 (on FreeBSD) here...

    --
    Caveat Utilitor
    1. Re:Opera troll fail by Lunix+Nutcase · · Score: 0, Troll

      So by this logic one should just ignore any exploits in IE6 just cause most people are using IE7 or 8?

    2. Re:Opera troll fail by Anonymous Coward · · Score: 0

      Yes, actually. But unfortunately, in the wacky world of windos words like "obsolete" or "deprecated" have no meaning. Stay current FTW!

  8. Emergency Patches? by FatalMuffin · · Score: 0, Troll

    It's a good thing that MS has Windows update at their disposal. Whereas I use Firefox, along with "most" (I'm guessing) users of /. At least there isn't a patch every other fortnight.

    1. Re:Emergency Patches? by mrsurb · · Score: 1, Interesting

      If only /. were populated by people using a minority operating system that had comprehensive package managers to take care of their updates.

  9. My solution by stonewallred · · Score: 3, Funny

    I just don't use any browser. I refuse to use one that is not 110% secure. Plus it saves me tons of money by not having to pay for internet connection. When I really need to cruise the web, I just plug in the brainstem actualizer and use an avatar to swim through a virtual reality version of the net. And I fight off viruses and malware using a lightsaber. Y'all really need to come to the real geek heaven.

    1. Re:My solution by Alien1024 · · Score: 1

      Very practical, but beware the consequences.

  10. Re:Opera troll fail^2 by Anonymous Coward · · Score: 0

    Current Opera release is now 10.51 (new JavaScript engine and "world's fastest browser" again).

    The troll links to a blog post on softpedia.com that reads like a disgruntled user that thought he should have inside access to Opera devs about an issue (as you pointed out) in an old version.

    Perhaps he should have pointed to a professional browser security evaluation site like Secunia.com where Opera has been the most frequently top-rated for quality of security and speed at fixing issues over the years. I'm sure he wished that he could have.

  11. Re:Opera troll fail^2 by Lunix+Nutcase · · Score: 0, Troll

    Perhaps he should have pointed to a professional browser security evaluation site like Secunia.com

    Okay. Here is the Secunia link about the same issue. That better for you?

  12. Why am I seeing this crap? by Anonymous Coward · · Score: 0, Offtopic

    Can someone with more slash-fu than me help me out there? This is marked -1 Troll, and I browse at 1. Why is this expanded out on my screen? I don't need to see some lonely 12 year old reject from 4chan's pathetic attempts at attention getting.

  13. It's no big deal... by Anonymous Coward · · Score: 0

    ...the same way another strip of bandage is not a big deal to a mummy.

  14. Mods? by Anonymous Coward · · Score: 0

    Why is the pp modded Flamebait? IMO, it expresses a valid concern.

  15. n/t by Anonymous Coward · · Score: 0

    I was fully aware of the issue on Opera 9.1 way back when it was found. That's why I upgraded a long time ago. I have since upgraded several times as new versions have come out in the intervening couple of years. Opera's current version is 10.51

    You are trying to create the false impression that Opera does not fix security issues because you found (or left) a blog post about one in an old version, which is rather disingenuous.

    As I have referred to them for years, I am also aware of the fact that secunia.com documents such issues and I saw the reference to Secunia in the blog post that you linked.

    The problem here is that my wording of my post was poorly thought out because I wanted to react quickly to your attempt to create an invalid impression. So you tried to turn my wording on me. Nice try.

    So I'll try again.

    Every browser has had and will continue to have security issues. But evaluation of said is not the binary situation that you are attempting to imply (browser X had a security issue in an old version, therefore it is as bad as any other).

    Proper evaluation of a browser's security is a product of metrics such as the following:

    1) how many security issues are found in a release?
    2) what is the severity of each?
    3) how long does it take the vendor to fix them and make fixes available?
    4) how many are currently unpatched?

    Secunia has pretty consistently rated Opera as best in each category for several years. That's why it is difficult to criticize Opera and broadly point to Secunia's evaluations, which is what I was indirectly challenging you to do (as opposed to a blog post rant about a single issue).

    Secunia has indicated with great regularity that, while not perfect, Opera is consistently pretty damned good.

  16. Reboot???!! by jon_cooper · · Score: 3, Insightful

    Why on earth do I have to reboot my system just to patch a web-browser????

    Grrrrr!!!

    And yes, that was a rhetorical question.

    1. Re:Reboot???!! by imakemusic · · Score: 1

      And yes, that was a rhetorical question.

      Sure but is this?

      --
      Brain surgery - it's not rocket science!
    2. Re:Reboot???!! by Anonymous Coward · · Score: 0

      And yes, that was a rhetorical question.

      Sure but is this?

      Why do you ask?

  17. Introducing: Polymorphic Patch Engine Technology by symbolset · · Score: 1

    We all know that one major problem with the Microsoft platform is that it's homogeneous. No matter how many times we hear the "ground up" reengineering story, we get these exploits that work vulnerabilities in a common code base. All of the platforms use the same code. All code has bugs, and one bug might grant entry, while two more might grant privilege escalation, and so once an exploit is found all the machines with that code base are pwned. The solution to this problem is deviously simple: do everything differently on every machine. No, I'm not talking about ASLR here, though that's a start.

    Stop. I know the first reaction to that is "that's crazy talk". This is pretty revolutionary thinking. It's not possible to design a unique operating system for every user. It is however possible to avoid the complementary vulnerability trampoline by varying the ways that components implement various technologies.

    Every action that a machine can perform can be done in various ways - various algorithms can be used to achieve the same result, and some algorithms are more efficient than others. As a part of development many of these ways are explored and until now all but one was discarded. Simply by retaining the discarded algorithms, exploring the variations permissible within the defined interface, and retaining each functional implementation as a heuristic option allows the system designer to thwart the advantage of the large static target. The varying algorithms can be distributed randomly across the installed base as polymorphic patches. As long as the variant algorithms are strictly conformant to the well-defined interfaces, and the interfaces are well designed, it works. The downside to this is that some algorithms are, let's face it - sub-optimal. The diversity of algorithms is an advantage here as a feedback mechanism will reveal optimizations that yield net losses due to secondary effects. This will winnow the dozens of algorithms to a few. Even with only a few performant options per algorithm given the vast number of subsystems in a desktop or server operating system, we'll not run out of permutations before the end of time.

    When each subsystem might be any one of several implementations that achieve the same object, the monolithic cathedral of code with a universal backdoor is prevented. Patches can randomly rotate the heuristic until the exploitability of individual platforms is not predictable. Performance of an individual system will vary to a degree, but not necessarily so in net - the distribution of performant vs sub-optimal algorithms can be intelligently distributed so that they average out and one system doesn't have all sub-standard algorithms. Positive feedbacks can indicate exploited components and replace them in an evolutionary fashion before they can be combined synergistically into a chain of exploits that go from basic entry to system privilege. The feedback can also gauge the quality status of the code, and with proper tracking lead back to the outstanding developer for recognition (or the leakmaster for reassignment).

    Oh, and no patenting this stuff you bastards! This comment is prior art (ok, I adapted the ideas from some 1980's AI research and Conway's Life - but you can't prove that. Regardless, you didn't invent this stuff and the patents are NOT YOURS).

    --
    Help stamp out iliturcy.
  18. Noscript by Anonymous Coward · · Score: 0

    Might want to try Noscript, it actually reduces overhead