Microsoft Rushes Internet Explorer Patch
Posted by
CmdrTaco
on Thu Dec 18, 2008 09:34 AM
from the open-source-is-faster dept.
drquoz writes "Last week, it was reported that a critical security flaw was found in Internet Explorer. On Tuesday, experts were advising users not to use IE until a patch could be released. On Wednesday, Microsoft released the patch. An interesting quote from the article: 'Kandek suggests that Microsoft is at a disadvantage in updating Internet Explorer because its browser doesn't have a built-in update mechanism like other browser makers. Mozilla, for instance, just released Firefox 3.05 to Firefox users through its auto-update system.'"
Related Stories
IT: Oops! Missed One Fix — Windows Attacks Under Way 292 comments
CWmike writes "Microsoft says attackers are now exploiting a critical Windows bug that it didn't get around to fixing in its biggest batch of security patches in more than five years, issued yesterday. Microsoft said that 'limited and targeted' attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. If Microsoft patches the WordPad problem on its monthly schedule, the first opportunity for fixing the flaw would be Jan. 9, 2009." Update: 12/10 22:28 GMT by T : OK, there might have been more than one: reader Simon (S2) writes "There is an even more serious flaw ... From SANS: 'There is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon. This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine. The exploit is a typical heap overflow that appears to be exploiting something in the XML parser.'"
IT: Experts Say To Switch Browsers In Light of IE Vulnerability 455 comments
It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6,000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).
Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.
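As an added illustration that is not from the story or from any poster here: a constructed C model of the defect class the Microsoft quote describes (an object is released but the array length is not updated, so a consumer walking the array can still reach the released object), with the corrected release beside it and a consumer-side scan that counts dangling slots. The pool, the Binding type and all function names are assumptions for the illustration, not Internet Explorer internals.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model: an array of object references plus a separate length
 * field that the consumer trusts. Objects live in a small static pool so that
 * "releasing" one only flips a flag; the scanner can then look for dangling
 * slots without ever touching memory that a real free() would have returned. */

#define POOL_SIZE 4

typedef struct { int id; int alive; } Obj;

static Obj pool[POOL_SIZE];

typedef struct {
    Obj *items[POOL_SIZE];
    size_t length;           /* consumer iterates items[0..length-1] */
} Binding;

static void pool_reset(void) {
    for (int i = 0; i < POOL_SIZE; i++) { pool[i].id = i; pool[i].alive = 1; }
}

static void binding_init(Binding *b) {
    pool_reset();
    for (size_t i = 0; i < POOL_SIZE; i++) b->items[i] = &pool[i];
    b->length = POOL_SIZE;
}

static void obj_release(Obj *o) { o->alive = 0; }   /* stands in for free() */

/* Defective release: the object goes away, but length is not updated, so
 * items[idx] is still inside the range the consumer walks. */
static void release_buggy(Binding *b, size_t idx) {
    obj_release(b->items[idx]);
}

/* Corrected release: compact the array and shrink length in the same step,
 * so the consumer never sees a slot that refers to a released object. */
static void release_fixed(Binding *b, size_t idx) {
    obj_release(b->items[idx]);
    memmove(&b->items[idx], &b->items[idx + 1],
            (b->length - idx - 1) * sizeof b->items[0]);
    b->length--;
    b->items[b->length] = NULL;
}

/* Consumer-side check: how many slots within `length` refer to a released
 * object (or are empty)? Anything above zero is a use-after-release hazard. */
static size_t count_dangling(const Binding *b) {
    size_t n = 0;
    for (size_t i = 0; i < b->length; i++)
        if (b->items[i] == NULL || !b->items[i]->alive) n++;
    return n;
}

/* Run both variants on identical input and report the dangling count. */
static size_t dangling_after_buggy(void) {
    Binding b; binding_init(&b); release_buggy(&b, 1); return count_dangling(&b);
}
static size_t dangling_after_fixed(void) {
    Binding b; binding_init(&b); release_fixed(&b, 1); return count_dangling(&b);
}
static size_t length_after_fixed(void) {
    Binding b; binding_init(&b); release_fixed(&b, 1); return b.length;
}
```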
Interesting... (Score:5, Insightful)
Internet Explorer may not have an auto-update system, but Microsoft Windows has an update system rivaling that of Ubuntu and OS X in automaticness, if not scale.
Since Windows encourages users to allow automatic updates installed at 3am every morning and also by default installs any pending critical updates at system power down, it doesn't seem like any supported version of Internet Explorer should remain unpatched for too long.
Re:Interesting... (Score:4, Informative)
Internet Explorer may not have an auto-update system, but Microsoft Windows has an update system rivaling that of Ubuntu and OS X in automaticness, if not scale.
Since Windows encourages users to allow automatic updates installed at 3am every morning and also by default installs any pending critical updates at system power down, it doesn't seem like any supported version of Internet Explorer should remain unpatched for too long.
Ubuntu and Mint, at least, check daily. In Ubuntu, when there are security updates you see a red arrow in the notification area; when non-security updates are available you see an orange sun(?). Also, if you go to "System"->"Software Sources" and then the "Updates" tab, you can set it to apply security updates automatically (this really should be the default, IMHO).
I still think Ubuntu's update system rivals Windows and OS X as it not only updates the base OS and OS vendor applications, it updates everything on the system.
Re:Interesting... (Score:5, Insightful)
I went to microsoft.com support pages on purpose, with unpatched IE.
They spam a Silverlight 2.x install on the pages instead of "update your Internet Explorer NOW!" in the same fashion. I call it "spam", total spam I tell you. It is like the whole page darkens before you can click anything, and in the middle of the page there is "Install Silverlight Now!". Based on the hugeness of the security bug, I would cheer if they showed that IE warning on ALL MS sites including MSN. I saw MSN too; it has a 1-liner "Download urgent Internet Explorer update". Of course it was blocked by "See your specific country page now!", another pop-in trick.
What kind of purpose will Silverlight 2 serve at Support pages to "enhance" my experience besides not being Adobe Flash?
Oh BTW, guess what XP SP3 installs. Flash Player 6. Yes, SIX. On the other hand, Apple updates all their customers' Flash to the secured 9.x version.
They really believed that buying Yahoo for 46 billion would fix that logical problem?
Ubuntu has update notification (Score:5, Informative)
I even find it awkward that no popular Linux distribution checks and proposes security updates at bootup.
I have an ASUS laptop that runs Ubuntu 8.04. I turned it on, turned on the Wi-Fi radio, and started Firefox to look up something about reenactment costuming. After a few minutes, I noticed the update icon in the tray. One of the updates was Mozilla Firefox 3.05. I clicked download and apply, and it was done. So yes, Ubuntu automatically "checks and proposes security updates".
Wrong (Score:5, Informative)
Firefox doesn't do tray icon notifications. And distribution-provided Firefox packages disable the auto-update, which wouldn't succeed anyway, as the user running FF is not supposed to have write access to /usr. Instead, the distro's auto-update mechanism handles it (apt for Ubuntu/Debian, yum for RedHat/Fedora, emerge for Gentoo, yast IIRC for Suse and so on). This is better on many levels, since it prevents a user process from altering the binary.
But you can also download the official Linux tarball and deploy it to your home directory; the FF update mechanism will handle it.
Re: (Score:3, Funny)
You know, it's a little premature (and uncool) to refer to it as "Civil War I" until the second one actually starts. Give it a few years.
"Microsoft is at a disadvantage ... " (Score:5, Informative)
I found this this morning in my Windows Updater log:
"
Security Update for Internet Explorer 7 in Windows Vista (KB960714)
Installation date: 12/18/2008 3:01 AM
"
IE autoupdating.. (Score:4, Insightful)
Then again, I only use Firefox, and would never consider using IE. At what point do even common household users realize that IE is not the way to go?
Re:IE autoupdating.. (Score:5, Interesting)
Then again, I only use Firefox, and would never consider using IE.
It's harder to avoid than you seem to think. If you use Windows help to view .chm files, you're using IE. Usually they stay local, but many help files do include links to web pages, and then you're out in the real world.
Firefox updated? (Score:5, Insightful)
And should I use my cobbled together scripts to push out a security update for Firefox on the last day of finals when it might break everything, or should I wait until Monday?
On the other hand, the WSUS server that I set up worked exactly like it was supposed to last night.
Yes, but (Score:3, Interesting)
Most people aren't in your situation or that of your users. Most people are surfing the web on their personal computers, and so automatic updates will work just peachy for them.
Re:Firefox updated? (Score:5, Interesting)
You are right.
The strange thing is that some FF updates do get installed with XP's "Limited User" accounts but some just fail.
No rhyme, no reason.
For those that failed I had to log on with an Admin account and let the FF update install.
FF needs an updater service that runs in the System context so that all FF updates can get installed without the user being logged on as an administrator.
Re:Firefox updated? (Score:5, Insightful)
FF needs an updater service that runs in the System context so that all FF updates can get installed without the user being logged on as an administrator.
No, I don't want another mysterious service that runs in the background doing whatever it feels like without explicit approval.
Firefox for Windows needs to start deploying the program as a regular .msi file (like most Windows applications) so that all the existing application deployment tools will work. That will go a long way to boosting Firefox among businesses & large organizations.
Dear God, No (Score:4, Insightful)
FF needs an updater service that runs in the System context so that all FF updates can get installed without the user being logged on as an administrator.
I would never enable that feature on my PCs. The last thing I want Firefox to do is join the ranks of Flash, Java, Adobe Reader and iTunes with nagging auto-update services that always run in the background. Often the updates aren't even critical, I think many of those 'features' are pushed by marketing departments who want to plaster your desktop with as many of their logos as possible.
Autoupdate is a ghastly bandaid (Score:5, Insightful)
I can understand why companies use them, since the alternative typically involves things sitting unpatched for ever and ever; but the whole thing is a mess. Hurray for package management.
Huh? (Score:5, Insightful)
IE is at a disadvantage because it doesn't have a built in update mechanism? Seriously?
IE updates are managed thru a single interface, windows update, and windows update is actually one small thing windows gets mostly right. I don't want every god awful program under the sun phoning home ON ITS OWN to god knows where and updating itself without my knowledge.
However, I do want a convenient method to make sure I'm getting updates I may need from a trusted source. Windows Update is better than programs phoning home on their own. Short of having an update repository for 3rd party apps the way Linux distros do things, that's about the best you can hope for...
That is, unless you like the google software updater, apple software updater, etc, running all the time soaking up resources and generally being non-value added.
Apple fixed that (Score:5, Funny)
Apple has resolved this issue. Now they try to install Safari in addition to QuickTime and iTunes.
Re: (Score:3, Insightful)
I work with thousands of client machines in my environment - I've had experience with SUS hosing things up, but it still mostly gets things right for the updates it manages. Letting programs hose things up on their own is no better than letting windows update hose them up. In fact, judging by the way things work in Linux, I'd say managing updates centrally makes everything play better together on average. This part of yo
Reboot? Why? (Score:4, Interesting)
That is just stupid.
The great thing about this fiasco is that I was able to convince several people who had been un-willing to move to Firefox or Opera to now do so.
Thanks Microsoft!
"Firefox issues eight patches" (Score:3, Informative)
Mozilla has issued eight patches for its Firefox Web browser, three of which fix problems classified as critical. [pcworld.com]
Man, you really showed them.
Re:"Firefox issues eight patches" (Score:5, Insightful)
Your comment shows ignorance.
When FF needs to install critical patches it restarts itself & conserves as much context as possible.
When windows needs to install critical patches it reboots the system & loses all context. Even if you delay the reboot to finish critical tasks the reminder that you need to reboot pops up periodically with reboot preselected. If you were performing an unrelated task & happen to hit enter at the wrong time the system reboots without saving your work possibly corrupting it.
I've seen it happen a few times & people do switch browsers after being burnt or seeing it happen to colleagues, but I suppose you'll just stick your fingers in your ears, close your eyes & mumble your prayers to the Redmond God to spare you...
How does Firefox update itself (Score:3, Interesting)
... if it is running in a restricted userid?
Re:IE updates (Score:5, Funny)
Perhaps this is because Microsoft so tightly binds IE to the operating system
Not perhaps.
I believe the engineering term is "reap what you sow, bitches."
Re:Doesn't have a built in update mechanism? (Score:5, Informative)
Firefox updates upon the point of relaunch. There is no need to restart Windows. Also, it remembers the context of every session in every tab, so you can continue where you left off.
Re:Doesn't have a built in update mechanism? (Score:5, Insightful)
Until recently I worked in a mom and pop PC repair business. About 9 out of 10 systems I worked on were out of date, typically by a few months. I don't know for sure, but my guess is that users are switching auto-update off because they can't be bothered with 'nag' messages from their software.
Granted, the machines I saw were generally dying, so it may not be a fair cross-section of home computer users. Still, the idea that 99% of home users should have new patches within a week flies in the face of what I saw every day.
Re: (Score:3, Insightful)
I'm not saying that the other guy is right, but when it comes down to it, neither of you really has much to go on. From my experience, if auto update is turned on to download and install automatically, it very rarely gets turned off
Re:Doesn't have a built in update mechanism? (Score:4, Insightful)
I have Firefox running on Vista, XP, 2000, 2003, Mac OS X, OpenSUSE, Mandriva, Ubuntu, and others. Firefox versions 2 and 3.
My experience is that the Auto Update mechanism in Firefox is flawed. A number of these PCs never trigger to be updated even if they are months behind. One of my Windows 2000 servers often takes about a week before it's auto updated.
Experience shows that it doesn't check for an update at every launch. And that sometimes it gets stuck, something gets corrupt, and not until you ask it to check will it check again.
Granted, this is much better than most software. However the update mechanism needs work.
Microsoft signs/encrypts and then checks the IE package signature. As much of a dog as Microsoft is, their update mechanism is one of the best.
Re: (Score:3, Insightful)
One annoying little feature of XP updates... You can choose to apply updates and shutdown, but you can't choose to apply updates and restart when you go to the shutdown menu. There are many times I'm heading to a meeting or whatever, and wouldn't mind it downloading, installing, and restarting, all ready for me when I come back. I don't want to come back and have to boot it up.
Re: (Score:3, Insightful)
Yeah, cause Active Directory scales great over the internet, and EVERYONE has a 100Mb connection or better at their place of business.
We're physically discontiguous and your solution, while what I would do (and have done) in single site or robust WAN environments, simply does not work with the tools I have at hand and the geographical barriers I have to hurdle.
So yeah, you pass the MCSE exam but fail the Real Life test. Not everything can be solved by dropping WSUS onto an underutilized server and defining
Re: (Score:3, Insightful)
Yeah, cause Active Directory scales great over the internet, and EVERYONE has a 100Mb connection or better at their place of business.
AD scales fine over a WAN if you have a DC at your satellite sites.
Re: (Score:3, Insightful)
Yeah, I'll just add a DC to each of the 400 students scattered to Hell and gone all over the state. When I say geographically separated, I don't mean we have a stretch between buildings, I mean we have counties between each student and the next.
I know the suggestions are a healthy mix of 'how I'd do it' and 'UR DOIN IT RONG', but I'm really one of those cases where the MS Way simply will not work, no matter how much or little I'd like it to.
Re: (Score:3, Informative)
Yeah, cause Active Directory scales great over the internet, and EVERYONE has a 100Mb connection or better at their place of business.
Please explain, WTF this has to do with the OP, other than you expressing a hard on for Active Directory?
If you think updates across sites require Active Directory running over the WAN, you don't know crap about Active Directory.
Side Note: If you are having trouble using Active Directory on even a 56K Frame Relay, your network design is really messed up. Handing
Re: (Score:3, Informative)
You can use a GPO to force the computers to use Microsoft for updates. A GPO isn't going to be a big deal, even across a dial-up connection.
Though one of the main reasons for using WSUS is that you only have to download the updates ONCE from Microsoft, not once for each system, thus saving WAN bandwidth.
Re: (Score:3, Interesting)
It's fairly easy to check for yourself - compile int main() { getch(); }, run it, and see what you can do with executable. You will see that you cannot delete it, but you can rename it (and after you rename it, you can create a new file with the same name; you cannot do it before that).
Re:Doesn't have a built in update mechanism? (Score:5, Informative)
Weekly? The default is to check every day at 3am. If it's turned on and left at the default (like most people do with Firefox), they'll be notified this morning and able to install it right away.
Re: (Score:3, Informative)
Ubuntu disables Firefox's own auto-updater; instead, all Firefox updates are pushed through Ubuntu's repositories so that they are kept in sync with the rest of the system.
Re:Doesn't have a built in update mechanism? (Score:4, Informative)
Just for clarification, this is only true for the version of Firefox you installed from Ubuntu's repositories. You can install the version provided by Mozilla and it should have its own updater enabled.
Re:Doesn't have a built in update mechanism? (Score:5, Informative)
The automatic update system in Windows is far from perfect, and doesn't allow users the granularity of saying "yes, update my browser but no, leave the rest of my system alone."
Also, telling it you want to be notified of available updates (similar to Firefox's behaviour) is nowhere near as convenient as the way Firefox handles simply installing its own update and then restarting with your windows and tabs reopened to where you were last.
Re:Doesn't have a built in update mechanism? (Score:5, Informative)
The automatic update system in Windows is far from perfect, and doesn't allow users the granularity of saying "yes, update my browser but no, leave the rest of my system alone."
I'm more of a Linux man, but I know this is wrong. If you set auto updates to download and notify for installation, you can choose which updates to apply.
Re:Doesn't have a built in update mechanism? (Score:5, Insightful)
With Vista they've made it doubly annoying, as Windows Defender gets updates *all* the time. So if you've got it set to notify, you get a whole lot of nagging. If only you could pre-approve Windows Defender updates...
Re:Doesn't have a built in update mechanism? (Score:5, Insightful)
If the user isn't bright enough to read the patch list, then why are you trusting them to selectively patch the OS?
Set Windows Update to automatic and be done with it.
I have yet to run into an average user with a properly working computer who has had a problem with something pushed through Windows Update.
Re: (Score:3, Informative)
Yes you can. The auto update settings: 1. download and install everything. Or 2. download and tell me there are updates ready to be installed. Or 3. do not download but tell me there are updates.
With 2 or 3 you can pick the updates to install. You click on the update icon in the lower right on the task bar (unless you moved it to a different location). Choose custom install. Do not select express. Express will install everything. Custom will let you pick which ones to install. With 2 if you just shut down a
Re:Doesn't have a built in update mechanism? (Score:5, Funny)
doesn't allow users the granularity of saying "yes, update my browser but no, leave the rest of my system alone"
Indeed, you can't have it automatically update a critical browser flaw, but say 'no' to the 1673rd revision of "Windows Genuine Advantage".
One thing I do notice about the less savvy users is that they do mostly trust windows update.
On the other hand, what else could they trust ?
They have no idea how their computer works, certainly aren't interested in figuring it out, so they trust their vendor. Makes sense.
It's probably safer than them trusting random sources on the Web, where they don't have the know-how to separate the wheat from the chaff.
Ideally they should have an administrator taking care of this for them. But in the real world we all know this won't happen. Especially with home users.