Microsoft's Emergency Internet Explorer Patch Renders Some Lenovo Laptops Unbootable (betanews.com)
Earlier this month, Microsoft issued an emergency patch for Internet Explorer to fix a zero-day vulnerability in the web browser. The problem affects versions of Internet Explorer from 9 to 11 across multiple versions of Windows, but it seems that the patch has been causing problems for many people. Specifically, people with some Lenovo laptops have found that after installing the KB4467691 patch they are unable to start Windows, reports BetaNews.
"Here! Here's a badly needed security patch for a web browser. Oh - your computer won't boot even to the OS level? Sucks to be you." I've been MS-free for about 15 years now, migrated a bunch of friends and family to Linux and we just couldn't be happier.
Another demonstration of the fact, which Microsoft's execs testified to under oath, that IE hooks into the operating system in ways that other browsers do not. This makes security issues in IE more dangerous.
A bug in Chrome, or even randomly deleting Chrome files, doesn't make Windows unable to boot. No Firefox bug can ever make the system unbootable. Trying to fix IE makes the system unable to boot, because IE has its claws sunk into the operating system.
Therefore security issues in IE are more likely to affect the underlying operating system. Whenever I mention that on Slashdot, people argue, saying I'm wrong. But here we see that trying to fix a security issue in IE makes the OS unbootable - IE security is tied into the OS. That's one more reason to avoid using Microsoft's browser.
"IE has its claws sunk into the operating system.
Therefore security issues in IE are more likely to affect the underlying operating system."
That seems correct to me. It seems that everywhere we look, we find that Microsoft is managed poorly.
If an OS stops booting because of a web browser then you know it's built on shit coding practices.
To be fair, we don't know what went wrong. As in, it's entirely possible that the patch itself was built incorrectly and includes files required for the operating system, incorrectly.
Also, someone down-stream indicated that MS' report indicates it involves SecureBoot, which I believe signs some things. It's possible an IE file was signed as required-to-never-change and just did, or something similar. I'm not fluent with SecureBoot, but my point is that folks are jumping to conclusions that aren't (yet) merited, dumb as the outcome is.
So according to https://support.microsoft.com/... it's:
1. Vendor-specific (Lenovo only)
2. Dependent on the amount of memory (systems with less than 8 GB of RAM are affected)
3. Somehow related to Secure Boot (disabling Secure Boot is listed as a workaround)
And all the trouble is caused by patching a web browser (however deeply integrated with the operating system)? What the hell?
I work with a lot of these companies and Lenovo is, in my experience (and opinion), the only consumer grade manufacturer that takes security issues seriously. I would not be surprised if Lenovo was the only manufacturer shipping Windows 10 systems with 4GB of RAM and Secure Boot enabled.
You're way off base here. What's the difference between Lenovo laptops and other laptops? OH YEAH. Preinstalled garbage software that runs as services. That is obviously what broke. And trust me, from experience, I can assure you Lenovo's trash software is unstable, badly-designed garbage.
That's one bonus for Microsoft.
Historically, how it happened was in the early 1990s, before the web, Microsoft spent a ton of money building a really cool technology. The sudden rise of the web screwed up their plans and they had to scramble to try to salvage some of their investment.
They had something called OLE, Object Linking and Embedding. Basically it let you put one document inside another - a picture inside a spreadsheet, a song in a Word document. Microsoft spent lots of money and time building on this idea, it was their "big new thing", an OS (shell) and programming tools built around this concept. This next generation of OLE was called COM. Just before the release in Windows 95, something interesting happened.
As Microsoft was about to start the big PR blitz showing how not only could your Word documents contain pictures, but even your desktop could contain active programs, along came "IMG src". Even "TD IMG src" - you could have a table with an embedded picture with no proprietary Microsoft technology needed. Microsoft's "big new thing" was suddenly outdated as an overly complex, over-engineered mess just as it was released. Fuck! Literally there were a lot of Fun bombs at Microsoft when they saw the rise of HTML, with its simplicity.
So here's Microsoft with a billion dollars invested in a system for embedding pics in your documents and your desktop, suddenly not needed because HTML does documents with embedded pics and sounds so much simpler. What can Microsoft do to save their investment?
The route they chose was to rename COM to "ActiveX" and pitch it as a web technology. Internet Explorer became the most important ActiveX container. Instead of focusing on an Active Desktop, the sales pitch was to use this on the web, with ActiveX web pages. What was originally supposed to be done by the File Explorer shell now needed to be done by the browser, so the two projects merged to become Explorer. The desktop shell Explorer and the browser Explorer were the same code with a different wrapper.
Over time, the competitive issues you pointed out became more important.
Someone may point out "that was 20 years ago". Yes, it was. This post is a history lesson in how we got here.