Slashdot Mirror


MS Issues Emergency IE Security Update

WrongSizeGlass writes "CNET is reporting that Microsoft has issued an emergency patch for 10 IE security holes. 'The cumulative update, which Microsoft announced on Monday, resolves nine privately reported flaws and one that was publicly disclosed. ... Software affected by the cumulative update addressing all the IE vulnerabilities includes Windows 2000, Windows XP, Windows Server 2003 and Server 2008, Vista, and Windows 7.'"

19 of 114 comments

  1. Pwn2own strikes again by sxedog · · Score: 4, Informative

    Amazing... that was only a week ago!

    --
    If it ain't broke, DON'T fix it.
    1. Re:Pwn2own strikes again by amicusNYCL · · Score: 4, Insightful

      idiots who want to use what they don't understand deserve to get 0wned.

      Totally. All those drooling idiots driving cars without knowing how to rebuild an engine and transmission are just asking for it.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Pwn2own strikes again by steelfood · · Score: 2, Insightful

      Actually, your analogy would be asking everybody who used a browser to know how to code.

      On the other hand, it's a good idea for people to learn about the technology behind websites before browsing them. For example, knowing what javascript is, what flash is, what cookies are, what xml is and how it relates to web pages, etc. And they may want to know how to block or clear cookies and block javascript and clear cache.

      And that's asking people to know the laws of driving, how to read the street signs, to know what happens when roads get wet or are covered in snow, to know about dirt versus gravel versus asphalt versus cement, and how to react appropriately under each circumstance. And it's asking them to know how to use the e-brake or the transmission. And that's certainly not too much to ask.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    3. Re:Pwn2own strikes again by amicusNYCL · · Score: 2, Insightful

      And that's certainly not too much to ask.

      It most definitely is. I don't need to understand Blu-ray encoding in order to watch a movie, I don't need to understand how WEP works (or doesn't) in order to connect to an access point, and I don't need to understand how GSM or SMS works in order to send a text message. I don't need to understand how the Playstation network operates in order to play online, I don't need to understand how HVAC works in order to cool my house, and I don't need to understand how an electrical coil heats up in order to toast bread. Users don't care about those things. Expecting a user to educate themselves about Javascript IS asking quite a bit (XML? really?).

      And that's asking people to know the laws of driving, how to read the street signs, to know what happens when roads get wet or are covered in snow, to know about dirt versus gravel versus asphalt versus cement, and how to react appropriately under each circumstance. And it's asking them to know how to use the e-brake or the transmission.

      Are you under the expectation that all drivers on the road know all of those things? Not to pick on women, but stories from mechanics about women reporting problems with their cars are about as amusing as the clueless tech support calls we enjoy so much. The fact is that people do NOT know those things about driving, but you expect someone to educate themselves on XML before they go to MSN?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    4. Re:Pwn2own strikes again by evanbd · · Score: 2, Insightful

      What about people that don't know they need to lock their doors when they leave the car, or change the oil on a regular basis?

      If they're like a normal person, they learn from their mistakes and they don't do the same thing again.

      Oddly, computers seem to be exempt from that. The same people get viruses, trojans, malware, etc, and keep downloading crap and failing to install updates, and it keeps happening. Most drivers seem to learn to change the oil after destroying an engine, but somehow computer users are different. Clearly there's plenty wrong with the software in the first place, but there's also something very odd about users who experience these problems and then both continue using the same problematic software and failing to learn from their mistakes.

  2. Cnet link not really informative by Bearhouse · · Score: 4, Informative

    Ms link here:

    http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx

    No real sweat for IE8 on Win7...

    1. Re:Cnet link not really informative by malloc · · Score: 4, Insightful

      To me "No real sweat" != "Windows 7 - Internet Explorer 8 - Remote Code Execution - Critical "

      --
      ___________________ I want to be free()!
    2. Re:Cnet link not really informative by natehoy · · Score: 3, Informative

      Actually, it is.

      This release also addresses CVE-2010-086, which is no sweat for IE8 on Win7, as you say. But note the term "also addresses". That's an important term.

      One or more of the other nine vulnerabilities the fix is being released for is labeled as critical, and can cause remote code execution.

      Specifically, CVE-2010-0490 (Uninitialized Memory Vulnerability) and CVE-2010-0492 (HTML Object Memory Corruption Vulnerability) are both listed specifically as "Critical - Remote Code Execution" for Windows 7 (both 32 and 64-bit) for Internet Explorer 8. CVE-2010-0494 (HTML Element Cross-Domain Vulnerability) is listed as "Important - Information Disclosure".

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    3. Re:Cnet link not really informative by WrongSizeGlass · · Score: 3, Informative

      Actually, IE 8 and Windows 7 are listed in that very link you posted.

      Internet Explorer 8:
      * Windows XP Service Pack 2 and Windows XP Service Pack 3
      * Windows XP Professional x64 Edition Service Pack 2
      * Windows Server 2003 Service Pack 2
      * Windows Server 2003 x64 Edition Service Pack 2
      * Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
      * Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
      * Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
      * Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
      * Windows 7 for 32-bit Systems
      * Windows 7 for x64-based Systems
      * Windows Server 2008 R2 for x64-based Systems**
      * Windows Server 2008 R2 for Itanium-based Systems

  3. Better links here: by Anonymous Coward · · Score: 5, Funny
    1. Re:Better links here: by Ron+Bennett · · Score: 3, Interesting

      Firefox is nice and is my default browser, but not much better than IE8 when it comes to security vulnerabilities.

      For example, many feel Firefox is so much more secure than IE8, and yet why is it that pop-unders (not the same as pop-ups, which FF does a good job blocking) from the likes of Netflix, even after years of complaints, still haven't been addressed?

      Surely, if unwanted pop-unders can slip through in Firefox, likely so can other unwanted things. Despite being an open-source program, I'm surprised there's still no built-in defense against pop-unders in Firefox. Yes, I know there's Adblock, but that comes with a bunch of overhead and, from what I've read, doesn't always block pop-unders either. End of rant.

    2. Re:Better links here: by Enderandrew · · Score: 4, Insightful

      If Chrome had a better ad-blocking solution, I'd agree with you. All the Chrome ad-blockers still render/run the ad in the background.

      I was reading AintItCoolNews with Chrome, and some ad in the background downloaded and opened a PDF without asking me, which Microsoft Security Essentials was quick to report had malicious code in it.

      With Firefox and Adblock Plus, I never see ads. Where are most of these exploits going to originate from? Ads.

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    3. Re:Better links here: by aztracker1 · · Score: 3, Informative

      Re-read the GP.. the content still gets rendered, even if you don't see it... Which means any exploits still get through.

      --
      Michael J. Ryan - tracker1.info
  4. OS versus Browser by sunderland56 · · Score: 2, Informative

    If this is an IE bug, why does it only affect some operating systems and not others?

    If this is really an issue with the OS support used by IE, then wouldn't it affect Firefox etc?

    Patch releases really need a "info for geeks" section.....

    1. Re:OS versus Browser by ivonic · · Score: 2, Informative

      The way IE integrates with the OS varies between releases. In XP and earlier, items such as Windows Update and Windows help are running on IE. Since Vista, these have been control panel applets instead, giving malicious code executed in IE no power over it.

      Users using another browser wouldn't be able to execute code that affects these components, but if some malicious code successfully attacks an IE user, it could potentially attack other parts of the system where IE is integrated (and to which IE has some form of access), and then execute code to potentially gain 'control' of a system.

      This "remote code execution" usually isn't a hack that a script kiddie could run to gain access to your files, but often it's enough for hackers just to be able to redirect your browser (to fake online banking sites) or even just cause your PC to visit a site. Thousands of compromised PCs visiting a website a thousand times a second each is your basic DDoS attack.

  5. How is "MS releases emergency patch" news? by Colin+Smith · · Score: 2, Insightful

    This is normal. Expected. Everyday life for millions of Windows users.

    --
    Deleted
    1. Re:How is "MS releases emergency patch" news? by DAldredge · · Score: 2, Insightful

      Like other operating systems don't have patches?

  6. My solution by stonewallred · · Score: 3, Funny

    I just don't use any browser. I refuse to use one that is not 110% secure. Plus it saves me tons of money by not having to pay for internet connection. When I really need to cruise the web, I just plug in the brainstem actualizer and use an avatar to swim through a virtual reality version of the net. And I fight off viruses and malware using a lightsaber. Y'all really need to come to the real geek heaven.

  7. Reboot???!! by jon_cooper · · Score: 3, Insightful

    Why on earth do I have to reboot my system just to patch a web-browser????

    Grrrrr!!!

    And yes, that was a rhetorical question.