Slashdot Mirror


MS Issues Emergency IE Security Update

WrongSizeGlass writes "CNET is reporting that Microsoft has issued an emergency patch for 10 IE security holes. 'The cumulative update, which Microsoft announced on Monday, resolves nine privately reported flaws and one that was publicly disclosed. ... Software affected by the cumulative update addressing all the IE vulnerabilities includes Windows 2000, Windows XP, Windows Server 2003 and Server 2008, Vista, and Windows 7.'"


  1. Pwn2own strikes again by sxedog · · Score: 4, Informative

    Amazing... that was only a week ago!

    --
    If it ain't broke, DON'T fix it.
    1. Re:Pwn2own strikes again by amicusNYCL · · Score: 4, Insightful

      idiots who want to use what they don't understand deserve to get 0wned.

      Totally. All those drooling idiots driving cars without knowing how to rebuild an engine and transmission are just asking for it.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Pwn2own strikes again by steelfood · · Score: 2, Insightful

      Actually, your analogy would be asking everybody who used a browser to know how to code.

      On the other hand, it's a good idea for people to learn about the technology behind websites before browsing them. For example, knowing what javascript is, what flash is, what cookies are, what xml is and how it relates to web pages, etc. And they may want to know how to block or clear cookies and block javascript and clear cache.

      And that's asking people to know the laws of driving, how to read the street signs, to know what happens when roads get wet or are covered in snow, to know about dirt versus gravel versus asphalt versus cement, and how to react appropriately under each circumstance. And it's asking them to know how to use the e-brake or the transmission. And that's certainly not too much to ask.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    3. Re:Pwn2own strikes again by evanbd · · Score: 1

      idiots who want to use what they don't understand deserve to get 0wned.

      Totally. All those drooling idiots driving cars without knowing how to rebuild an engine and transmission are just asking for it.

      What about people that don't know they need to lock their doors when they leave the car, or change the oil on a regular basis?

    4. Re:Pwn2own strikes again by amicusNYCL · · Score: 2, Insightful

      And that's certainly not too much to ask.

      It most definitely is. I don't need to understand Blu-ray encoding in order to watch a movie, I don't need to understand how WEP works (or doesn't) in order to connect to an access point, and I don't need to understand how GSM or SMS works in order to send a text message. I don't need to understand how the Playstation network operates in order to play online, I don't need to understand how HVAC works in order to cool my house, and I don't need to understand how an electrical coil heats up in order to toast bread. Users don't care about those things. Expecting a user to educate themselves about Javascript IS asking quite a bit (XML? really?).

      And that's asking people to know the laws of driving, how to read the street signs, to know what happens when roads get wet or are covered in snow, to know about dirt versus gravel versus asphalt versus cement, and how to react appropriately under each circumstance. And it's asking them to know how to use the e-brake or the transmission.

      Are you under the expectation that all drivers on the road know all of those things? Not to pick on women, but stories from mechanics about women reporting problems with their cars are about as amusing as the clueless tech support calls we enjoy so much. The fact is that people do NOT know those things about driving, but you expect someone to educate themselves on XML before they go to MSN?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    5. Re:Pwn2own strikes again by amicusNYCL · · Score: 1

      What about people that don't know they need to lock their doors when they leave the car, or change the oil on a regular basis?

      If they're like a normal person, they learn from their mistakes and they don't do the same thing again.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    6. Re:Pwn2own strikes again by evanbd · · Score: 2, Insightful

      What about people that don't know they need to lock their doors when they leave the car, or change the oil on a regular basis?

      If they're like a normal person, they learn from their mistakes and they don't do the same thing again.

      Oddly, computers seem to be exempt from that. The same people get viruses, trojans, malware, etc, and keep downloading crap and failing to install updates, and it keeps happening. Most drivers seem to learn to change the oil after destroying an engine, but somehow computer users are different. Clearly there's plenty wrong with the software in the first place, but there's also something very odd about users who experience these problems and then both continue using the same problematic software and failing to learn from their mistakes.

    7. Re:Pwn2own strikes again by smash · · Score: 1
      IE has its place in corporate networks. Like it or not, there is plenty of software that people use every day to GET THEIR JOB DONE that does not work in anything else. If patched and placed behind an appropriate filtering proxy/firewall IE security is manageable with security zones and group policy. Plenty of idiots run IE, and yes they get owned. Plenty of idiots run linux and get r00ted as well (I used to be one, before I knew shit from clay - I had a couple of boxes r00ted back in 1999).

      A competent admin can ensure IE is "safe enough" for corporate usage.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    8. Re:Pwn2own strikes again by b4dc0d3r · · Score: 1

      On one hand, the analogy was flawed and had to be corrected. On the other hand, the explanation was poorly done. A better explanation would be that people need to learn things about their browser in order to use it effectively. Like "too good to be true" probably means it's not true. Or there ain't no such thing as a free lunch. Common sense that says don't take unknown things from unknown people. That's what people forget - no other application has opened people up to identity theft just by operating it. Since a browser uses so many external files, it's the exception that no one thinks about.

      What's the penalty for not knowing? In the car analogy, safety of the people you might otherwise drive over, or yourself, should be the motivator. People drink and drive, they text and drive, they don't pay attention, or they aren't familiar with their vehicles. Most people do not fall in this category, a few do. The penalty is in a few cases someone successfully installs a spambot the user will never notice. In fewer cases the user's personal files get transferred, and some of those get used and credit card companies block cards due to suspicious activity and a few people lose money. If it were a big problem, we'd hear stories every night on the news, but it only comes up a few times a year.

      There's no incentive to learn because 1) it's rare and 2) learning is not a requirement, as it is in a driver's license test. This is where the "Internet driver's license" idea makes sense, until we realize how impractical it would be. Then we're back to the situation where people should learn, but don't, and it's only a problem for a few people a year.

    9. Re:Pwn2own strikes again by perryizgr8 · · Score: 1

      ie just needs to go. big companies are still holding fast to win xp. would you say that refusing to let go of a 10 year old software is justified? ie6 is also 10 year old i think.

      --
      Wealth is the gift that keeps on giving.
    10. Re:Pwn2own strikes again by Tim+C · · Score: 1

      That's what people forget - no other application has opened people up to identity theft just by operating it.

      All the people who fell for 419 and similar scams by reading and replying to emails would beg to differ.

    11. Re:Pwn2own strikes again by Spad · · Score: 1

      Because it doesn't usually cost them thousands to repair.

    12. Re:Pwn2own strikes again by vegiVamp · · Score: 1

      The people who got 419ed didn't just operate their mail client (or browser, more likely), but actively responded, repeatedly, to an obviously too-good-to-be-true offer from someone they didn't know in a country they may not even have ever heard of, and then enacted one or more banking transactions to the same unknown factor.

      It's like I'm driving my car on the highway, and I suddenly decide to follow an arrow that says "Promised Land" and points into a dark, foggy gravel road that goes in the direction of where there clearly was a ravine a few hundred yards earlier.

      --
      What a depressingly stupid machine.
    13. Re:Pwn2own strikes again by vegiVamp · · Score: 1

      I agree that there is stuff that doesn't work in anything else, but it can be argued that the stuff needs fixing, then.

      If my car were to work only on Belgian roads, I would be rather quick to either get it fixed or swap it for one that works on all roads.

      --
      What a depressingly stupid machine.
    14. Re:Pwn2own strikes again by drinkypoo · · Score: 1

      And that's asking people to know the laws of driving, how to read the street signs, to know what happens when roads get wet or are covered in snow, to know about dirt versus gravel versus asphalt versus cement, and how to react appropriately under each circumstance. And it's asking them to know how to use the e-brake or the transmission. And that's certainly not too much to ask.

      I agree, but apparently no state in the USA does, especially not California. They'll give you a license anyway. Crap, by the time I had to take my driving test, you no longer even had to parallel park.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    15. Re:Pwn2own strikes again by mcgrew · · Score: 1

      The difference between cars and computers is, if you ruin your engine by not changing the oil, your mechanic will tell you "look, you have to check your oil regularly and change it on schedule or you're going to ruin the new one I just put in."

      If Mechanics were like the Geek Squad they'd tell you that having your engine blow up periodically is normal and expected. And taking a computer to Best Buy is what most people do.

    16. Re:Pwn2own strikes again by hesaigo999ca · · Score: 1

      I agree to a certain extent with your comment, especially using a car as a main example to describe computer usage.... I would never drive a car without having taken courses first, and even then, some people are such bad drivers, it is not because they own a car they pass the test to drive.
      As well I would also try to force them to realise more the conduct on the road as a blueprint for surfing the web...road signs need to know how to read them and use them to avoid traffic, or jams, or to know when to stop...using a mechanical stand point might not be fair on the situation...let's use headlights instead.

      Most people do need to know how to turn on their headlights if they are going to drive at night, each car has their own place for such a thing, some on the dashboard, some on the steering column, but most people know how to use them, and know to turn them on at night....unless they want a ticket from the cops.

      Likewise, people using browsers, should know about security, and how it applies to them, knowing that you are secure is different than knowing WHY you are secure. Also, if they are about to let their kids use the computer, how to control them from going on bad sites, etc....there are many ways to spin the analogy but in the end, I do agree that not because you own a computer that you know how to use one.

    17. Re:Pwn2own strikes again by thePowerOfGrayskull · · Score: 1

      On the other hand, it's a good idea for people to learn about the technology behind websites before browsing them.

      I agree it's a good idea - perhaps even foolish not to know this. At the same time, though, the purpose of computers for *most people* is to simplify life. It's not a learning experience, it's a tool to get things done - whether it's watching videos, email, news, blog-gossip, etc.

      From that perspective, while I agree that it is ultimately the user's responsibility, I can also understand how a typical user would be disinclined to go to any extra lengths to learn.

      I think the car comparison is not apt -- a better one would be something like a microwave. You just press the right buttons and it does its job. You might have to clean it once in a while, but doing so doesn't require you to understand any single part of how it does what it does.

    18. Re:Pwn2own strikes again by smash · · Score: 1

      I rolled IE8 out at work without issue. We still need IE as there is shit written that uses ActiveX, etc and the migration cost is just too large. Having one admin spending 10-20 minutes a week approving critical updates and writing a competent group policy is far less costly.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    19. Re:Pwn2own strikes again by smash · · Score: 1

      Thing is if you deploy something else you've just doubled your browser maintenance, as IE is out there whether you like it or not. At least IE can be updated via WSUS and controlled via GP - Firefox/Chrome/Opera/etc can't.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  2. Cnet link not really informative by Bearhouse · · Score: 4, Informative

    Ms link here:

    http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx

    No real sweat for IE8 on Win7...

    1. Re:Cnet link not really informative by malloc · · Score: 4, Insightful

      To me "No real sweat" != "Windows 7 - Internet Explorer 8 - Remote Code Execution - Critical "

      --
      ___________________ I want to be free()!
    2. Re:Cnet link not really informative by natehoy · · Score: 3, Informative

      Actually, it is.

      This release also addresses CVE-2010-086, which is no sweat for IE8 on Win7, as you say. But note the term "also addresses". That's an important term.

      One or more of the other nine vulnerabilities the fix is being released for is labeled as critical, and can cause remote code execution.

      Specifically, CVE-2010-0490 (Uninitialized Memory Vulnerability) and CVE-2010-0492 (HTML Object Memory Corruption Vulnerability) are both listed specifically as "Critical - Remote Code Execution" for Windows 7 (both 32 and 64-bit) for Internet Explorer 8. CVE-2010-0494 (HTML Element Cross-Domain Vulnerability) is listed as "Important - Information Disclosure".

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    3. Re:Cnet link not really informative by amicusNYCL · · Score: 1

      No real sweat for IE8 on Win7...

      How do you figure? IE8 on Windows 7 still has this classified as a critical update. It's moderate for IE8 on Server 2003 and Server 2008.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    4. Re:Cnet link not really informative by WrongSizeGlass · · Score: 3, Informative
      Actually, IE 8 and Windows 7 are listed in that very link you posted.

      Internet Explorer 8:
      * Windows XP Service Pack 2 and Windows XP Service Pack 3
      * Windows XP Professional x64 Edition Service Pack 2
      * Windows Server 2003 Service Pack 2
      * Windows Server 2003 x64 Edition Service Pack 2
      * Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
      * Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
      * Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
      * Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
      * Windows 7 for 32-bit Systems
      * Windows 7 for x64-based Systems
      * Windows Server 2008 R2 for x64-based Systems**
      * Windows Server 2008 R2 for Itanium-based Systems

    5. Re:Cnet link not really informative by SilverEyes · · Score: 1

      Well, ... Windows 7 for 128-bit Systems isn't listed, so there!

      --
      Interesting.
    6. Re:Cnet link not really informative by randallman · · Score: 1

      Yea. Except for the ones marked "Remote Code Execution" and "Critical". No sweat.

    7. Re:Cnet link not really informative by Whatchamacallit · · Score: 1

      IE8 on Win7 (32bit/64bit) is just as vulnerable, re-read that bulletin!

      This emergency update includes the CanSecWest fixes where they 0wned a Win7 IE8 system in minutes! There were a hundred Microsoft employees at CanSecWest and they were left scratching their heads because they didn't understand the exploit right away. It was a sophisticated manipulation of realtime memory locations.

  3. Better links here: by Anonymous Coward · · Score: 5, Funny
    1. Re:Better links here: by Animaether · · Score: 1

      why even bother with those... just point people to http://www.browserchoice.eu/ (and tell them to ignore the IE one, I suppose)

    2. Re:Better links here: by Ron+Bennett · · Score: 3, Interesting

      Firefox is nice and is my default browser, but not much better than IE8 when it comes to security vulnerabilities.

      For example, many feel Firefox is so much more secure than IE8 and yet why is it that pop-unders (not the same as pop-ups, which FF does a good job blocking) from the likes of Netflix, even after years of complaints, still haven't been addressed?

      Surely, if unwanted pop-unders can slip through in Firefox, likely so can other unwanted things. Despite being an open-source program, I'm surprised there's still no built-in defense against pop-unders in Firefox. Yes, I know there's Adblock, but that comes with a bunch of overhead and, from what I've read, doesn't always block pop-unders either. End of rant.

    3. Re:Better links here: by Enderandrew · · Score: 4, Insightful

      If Chrome had a better ad-blocking solution, I'd agree with you. All the Chrome ad-blockers still render/run the ad in the background

      I was reading AintItCoolNews with Chrome, and some ad in the background downloaded and opened a PDF without asking me, which Microsoft Security Essentials was quick to report had malicious code in it.

      With Firefox and Adblock Plus, I never see ads. Where are most of these exploits going to originate from? Ads.

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    4. Re:Better links here: by Smooth+and+Shiny · · Score: 1, Interesting

      There is AdBlock for Chrome as well. Seems to work fine on this end.

    5. Re:Better links here: by FictionPimp · · Score: 1

      How else can they keep you safe?

    6. Re:Better links here: by aztracker1 · · Score: 3, Informative

      Re-read the GP.. the content still gets rendered, even if you don't see it... Which means any exploits still get through.

      --
      Michael J. Ryan - tracker1.info
    7. Re:Better links here: by smash · · Score: 1

      squid+squidguard. done.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    8. Re:Better links here: by perryizgr8 · · Score: 1

      chrome is great. i've been using it on ubuntu. but it gets sluggish after a day or two. firefox's performance is consistently slow, but it IS consistent. opera simply sucks. opera mobile on my e71, it's the best browser on a smartphone. (i don't consider the iphone to be a smartphone cause it can't run >1 apps)

      --
      Wealth is the gift that keeps on giving.
    9. Re:Better links here: by Paradigm_Complex · · Score: 1

      Surely, if unwanted pop-unders can slip through in Firefox, likely so can other unwanted things.

      That's a non sequitur. Consider: The Firefox developers do not view disabling pop-unders as anywhere near as important as ensuring the browser is secure. The fact that the developers did not put the time and effort into disabling pop-unders does not mean they aren't able to keep Firefox secure.

      I'm not saying that Firefox is secure so much as that your reasoning is faulty. You could try to argue that the Firefox developers don't care about end-user complaints, or something along those lines, with that anecdote. It's not, however, proof against Firefox being secure.

      --
      "A witty saying proves nothing." - Voltaire
    10. Re:Better links here: by Jugalator · · Score: 1

      If Chrome had a better ad-blocking solution, I'd agree with you. All the Chrome ad-blockers still render/run the ad in the background

      Since Chrome 4.1, I just use the browser blacklist for the annoying domains to prevent running Javascript and plugins (= Flash).

      It instantly cleans at least two major newspapers here, as a whole lot of advertising is JS or Flash-based, or both. And makes them faster than I have ever seen too, as a bonus.

      Browser black/whitelists with forced includes/exceptions for js/plugins/images is in all OS editions of Chrome since the latest betas for the respective operating systems.

      I think I filed, or at least voted on, a bug that says these black/whitelists should do pattern matching though.

      --
      Beware: In C++, your friends can see your privates!
    11. Re:Better links here: by Jugalator · · Score: 1

      If you set up Chrome to use a script-based whitelist, you essentially have a poor man's NoScript. It's then also easy to unblock certain sites you come across, by using the rightmost omnibar icon that will show for all pages that have js blocked. (a scroll of paper with a cross mark)

      --
      Beware: In C++, your friends can see your privates!
    12. Re:Better links here: by abigsmurf · · Score: 1

      I just wish Firefox wouldn't go crazy when you get a popunder and switch to a random open window. This bug has been around for years and it's pretty irritating. Why hasn't it been addressed yet?

    13. Re:Better links here: by abigsmurf · · Score: 1

      The same Mozilla firefox that took a month to patch a publicly known exploit recently?

      If anything, Firefox is more vulnerable to exploits because of its lack of sandboxing features.

    14. Re:Better links here: by Richard_at_work · · Score: 1

      I wish that a modal dialog window in one tab wouldn't block the entire browser - cannot switch tabs, cannot do anything other than acknowledge and dismiss the dialog window, which kind of fucks everything up when the modal dialog is caused by infinitely looping code :(

  4. OS versus Browser by sunderland56 · · Score: 2, Informative

    If this is an IE bug, why does it only affect some operating systems and not others?

    If this is really an issue with the OS support used by IE, then wouldn't it affect Firefox etc?

    Patch releases really need a "info for geeks" section.....

    1. Re:OS versus Browser by blair1q · · Score: 1

      the less they say about some things, the fewer people make with the gefingerpoken in the sploit vat

      that doesn't help you with your security, it helps them with theirs

    2. Re:OS versus Browser by ivonic · · Score: 2, Informative

      The way IE integrates with the OS varies between releases. In XP and earlier, items such as Windows Update and Windows help are running on IE. Since Vista, these have been control panel applets instead, giving malicious code executed in IE no power over it.

      Users using another browser wouldn't be able to execute code that affects these components, but if some malicious code successfully attacks an IE user, it could potentially attack other parts of the system where IE is integrated (and to which IE has some form of access), and then execute code to potentially gain 'control' of a system.

      This "remote code execution" usually isn't a hack that a script kiddie could run to gain access to your files, but often it's enough for hackers just to be able to redirect your browser (to fake online banking sites) or even just cause your PC to visit a site. Thousands of compromised PCs visiting a website a thousand times a second each is your basic DDoS attack.

    3. Re:OS versus Browser by bloodhawk · · Score: 1

      because depending on your OS versions there are built in mitigations that are not directly related to the browser such as DEP/NX, ASLR and in the case of the Server OS the browser is locked down tight by default. And yes some of those same protections that windows provides for ie are also available to firefox. The net effect of the various protection mechanisms means a vulnerability has differing consequences depending on the OS version and Architecture (x86/x64).

  5. How is "MS releases emergency patch" news? by Colin+Smith · · Score: 2, Insightful

    This is normal. Expected. Everyday life for millions of Windows users.
     

    --
    Deleted
    1. Re:How is "MS releases emergency patch" news? by DAldredge · · Score: 2, Insightful

      Like other operating systems don't have patches?

    2. Re:How is "MS releases emergency patch" news? by dudpixel · · Score: 1

      what about emergency ones?

      in my experience these are VERY rare, except on Windows.

      --
      This seemed like a reasonable sig at the time.
    3. Re:How is "MS releases emergency patch" news? by DAldredge · · Score: 1

      Then your experience is so limited as to be nonexistent. Oracle, IBM, Sun(RIP) and nearly every other major software house on the planet has released some sort of emergency patch.

    4. Re:How is "MS releases emergency patch" news? by techno-vampire · · Score: 1

      I won't say that no Linux distro or program ever releases an emergency patch, but when they do, most users don't know it's an emergency. Why? Because unlike Microsoft, they don't try to stick to a once-a-month release schedule for patches, so they don't have to make a special announcement or tell the world that it's an emergency; they just release it along with whatever other patches, updates or upgrades happen to be available at the moment.

      --
      Good, inexpensive web hosting
    5. Re:How is "MS releases emergency patch" news? by perryizgr8 · · Score: 1

      most people won't even know. i hate windows. but i have to agree, the updating is pretty seamless, and invisible to the user. ubuntu needs to learn.

      --
      Wealth is the gift that keeps on giving.
    6. Re:How is "MS releases emergency patch" news? by perryizgr8 · · Score: 1

      that's only because of ms' well-known agility, lol, others are just too slow/lazy.

      --
      Wealth is the gift that keeps on giving.
    7. Re:How is "MS releases emergency patch" news? by dudpixel · · Score: 1

      read it again. I didn't say emergency linux patches don't exist, I said they are rare. At least not as common as windows ones.

      --
      This seemed like a reasonable sig at the time.
    8. Re:How is "MS releases emergency patch" news? by dudpixel · · Score: 1

      apparently it's not as "well-known" as you think.

      --
      This seemed like a reasonable sig at the time.
    9. Re:How is "MS releases emergency patch" news? by MacWiz · · Score: 1

      Like other operating systems don't have patches?

      Occasionally, but not every other Tuesday for the last 10 years or so, sapping the productivity of the entire corporate spectrum on a regular basis. And how many "emergency" patches has IE had already this year?

    10. Re:How is "MS releases emergency patch" news? by perryizgr8 · · Score: 1

      it's called sarcasm.

      --
      Wealth is the gift that keeps on giving.
    11. Re:How is "MS releases emergency patch" news? by vegiVamp · · Score: 1

      You mean, like the "Install security updates without confirmation" option that's in my two-versions-behind Ubuntu ? Oh, right, you mean the "reboot for nearly every patch" kind of seamless, yeah, you're right, that's missing from Ubuntu.

      --
      What a depressingly stupid machine.
    12. Re:How is "MS releases emergency patch" news? by DAldredge · · Score: 1

      You didn't limit your original post to just Linux now did you?

    13. Re:How is "MS releases emergency patch" news? by DAldredge · · Score: 1

      If only Microsoft made a product that allowed you to control what updates got sent to your systems.  They could call it something like Windows Server Update Services.

      Oh! they do make such a thing http://en.wikipedia.org/wiki/Windows_Server_Update_Services

    14. Re:How is "MS releases emergency patch" news? by perryizgr8 · · Score: 1

      i don't know if i'm doing something wrong but on ubuntu 9.10, it pops up an ugly update list and waits for me to click update and enter my password. if there is a way to tell it to do so automatically please tell me, i'll be glad to hear it.

      --
      Wealth is the gift that keeps on giving.
    15. Re:How is "MS releases emergency patch" news? by MacWiz · · Score: 1

      Oh! they do make such a thing

      I wouldn't know about such things. I use a Mac.

    16. Re:How is "MS releases emergency patch" news? by DAldredge · · Score: 1

      Then why are you talking about things you don't know about as if you do?

    17. Re:How is "MS releases emergency patch" news? by dudpixel · · Score: 1

      Well I did say "in my experience" - but you weren't to know what that was...

      --
      This seemed like a reasonable sig at the time.
    18. Re:How is "MS releases emergency patch" news? by dudpixel · · Score: 1

      I had a feeling it was - but you just can't be 100% sure these days.

      --
      This seemed like a reasonable sig at the time.
    19. Re:How is "MS releases emergency patch" news? by MacWiz · · Score: 1

      You're making a leap there, pal. I didn't know about the patch management tool -- but I wasn't talking about it.

      As for the rest, I read the news. It's amazing what one can learn. There's a story about Microsoft security patches pretty regularly. The "Security Fix" column at the Washington Post is an excellent source of information, although just about every tech publication will front-page an article about a new MS patch because it's always an "emergency." Anyone with reasonable intelligence can see that stopping to patch every computer in every corporate environment is going to eat up some time. Multiply that by the sheer number of updates and it's a huge dent in our country's productivity.

      Which is why people are asking if "MS releases emergency patch" qualifies as news.

      You don't have to use Windows to be aware of this basic info, just like you won't have to watch American Idol to find out who the winner is. You'll know, whether you want to or not, whether you're interested or not.

    20. Re:How is "MS releases emergency patch" news? by vegiVamp · · Score: 1

      The way you'd expect: right-click on the notification icon and click preferences.

      Well, on my 8.10, that is - I assume it won't have changed much.

      --
      What a depressingly stupid machine.
  6. Opera troll fail by clang_jangle · · Score: 1

    Opera vulnerability that the company denies is a vulnerability

    Following that link, I see:

    the vulnerability was confirmed in Opera 9.10

    That's pretty old. I'm using Opera 10.10 (on FreeBSD) here...

    --
    Caveat Utilitor
  7. My solution by stonewallred · · Score: 3, Funny

    I just don't use any browser. I refuse to use one that is not 110% secure. Plus it saves me tons of money by not having to pay for internet connection. When I really need to cruise the web, I just plug in the brainstem actualizer and use an avatar to swim through a virtual reality version of the net. And I fight off viruses and malware using a lightsaber. Y'all really need to come to the real geek heaven.

    1. Re:My solution by Alien1024 · · Score: 1

      Very practical, but beware the consequences.

  8. Re:Emergency Patches? by mrsurb · · Score: 1, Interesting

    If only /. were populated by people using a minority operating system that had comprehensive package managers to take care of their updates.

  9. Re:I loaded this article yesterday with Opera by perryizgr8 · · Score: 1

    it may be fast, but it sure SUCKS!

    --
    Wealth is the gift that keeps on giving.
  10. Reboot???!! by jon_cooper · · Score: 3, Insightful

    Why on earth do I have to reboot my system just to patch a web-browser????

    Grrrrr!!!

    And yes, that was a rhetorical question.

    1. Re:Reboot???!! by imakemusic · · Score: 1

      And yes, that was a rhetorical question.

      Sure but is this?

      --
      Brain surgery - it's not rocket science!
  11. Introducing: Polymorphic Patch Engine Technology by symbolset · · Score: 1

    We all know that one major problem with the Microsoft platform is that it's homogeneous. No matter how many times we hear the "ground up" reengineering story, we get these exploits that work vulnerabilities in a common code base. All of the platforms use the same code. All code has bugs, and one bug might grant entry, while two more might grant privilege escalation, and so once an exploit is found all the machines with that code base are pwned. The solution to this problem is deviously simple: do everything differently on every machine. No, I'm not talking about ASLR here, though that's a start.

    Stop. I know the first reaction to that is "that's crazy talk". This is pretty revolutionary thinking. It's not possible to design a unique operating system for every user. It is however possible to avoid the complementary vulnerability trampoline by varying the ways that components implement various technologies.

    Every action that a machine can perform can be done in various ways - various algorithms can be used to achieve the same result, and some algorithms are more efficient than others. As a part of development many of these ways are explored and until now all but one were discarded. Simply retaining the discarded algorithms, exploring the variations permissible within the defined interface, and retaining each functional implementation as a heuristic option allows the system designer to thwart the advantage of the large static target. The varying algorithms can be distributed randomly across the installed base as polymorphic patches. As long as the variant algorithms are strictly conformant to the well-defined interfaces, and the interfaces are well designed, it works. The downside to this is that some algorithms are, let's face it - sub-optimal. The diversity of algorithms is an advantage here as a feedback mechanism will reveal optimizations that yield net losses due to secondary effects. This will winnow the dozens of algorithms to a few. Even with only a few performant options per algorithm given the vast number of subsystems in a desktop or server operating system, we'll not run out of permutations before the end of time.

    When each subsystem might be any one of several implementations that achieve the same object, the monolithic cathedral of code with a universal backdoor is prevented. Patches can randomly rotate the heuristic until the exploitability of individual platforms is not predictable. Performance of an individual system will vary to a degree, but not necessarily so in net - the distribution of performant vs sub-optimal algorithms can be intelligently distributed so that they average out and one system doesn't have all sub-standard algorithms. Positive feedbacks can indicate exploited components and replace them in an evolutionary fashion before they can be combined synergistically into a chain of exploits that go from basic entry to system privilege. The feedback can also gauge the quality status of the code, and with proper tracking lead back to the outstanding developer for recognition (or the leakmaster for reassignment).

    Oh, and no patenting this stuff you bastards! This comment is prior art (ok, I adapted the ideas from some 1980's AI research and Conway's Life - but you can't prove that. Regardless, you didn't invent this stuff and the patents are NOT YOURS).

    --
    Help stamp out iliturcy.
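
The scheme described in the comment above, as an added sketch that is not part of the original post: interchangeable implementations are admitted only if they match a reference on the interface's test cases, and each machine is then assigned one variant per subsystem. The subsystem names, the test cases, the HMAC-based assignment and the demo key are all assumptions made for illustration.

```python
import hashlib
import hmac
from math import prod

def sort_builtin(xs):
    return sorted(xs)

def sort_insertion(xs):
    out = []
    for x in xs:
        i = len(out)
        while i > 0 and out[i - 1] > x:
            i -= 1
        out.insert(i, x)
    return out

def sort_via_set(xs):  # non-conformant on purpose: silently drops duplicates
    return sorted(set(xs))

def dedupe_seen(xs):
    seen, out = set(), []
    for x in xs:
        if x not in seen:
            seen.add(x)
            out.append(x)
    return out

def dedupe_dict(xs):
    return list(dict.fromkeys(xs))

# subsystem -> (reference implementation, candidate variants); hypothetical names
SUBSYSTEMS = {
    "sort": (sorted, [sort_builtin, sort_insertion, sort_via_set]),
    "dedupe": (dedupe_seen, [dedupe_seen, dedupe_dict]),
}
CASES = [[], [3, 1, 2], [2, 2, 1], [5, -1, 5, 0]]  # constructed conformance inputs

def conformant(name):
    """Keep only the variants that match the reference on every test case."""
    ref, variants = SUBSYSTEMS[name]
    return [v for v in variants if all(v(list(c)) == ref(list(c)) for c in CASES)]

def assign(machine_id, secret=b"constructed-demo-key"):
    """Deterministically pick one conformant variant per subsystem for a machine."""
    chosen = {}
    for name in SUBSYSTEMS:
        pool = conformant(name)
        tag = hmac.new(secret, f"{machine_id}/{name}".encode(), hashlib.sha256).digest()
        chosen[name] = pool[int.from_bytes(tag[:8], "big") % len(pool)]
    return chosen

def configurations():
    """Number of distinct machine builds the conformant variants allow."""
    return prod(len(conformant(n)) for n in SUBSYSTEMS)
```

The conformance gate only proves agreement on the listed cases, so a variant that diverges on an untested input would still be admitted; the diversity is only as trustworthy as the interface tests.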