MS Patch Train Leaves the Station
per1176 writes "Microsoft has released 10 advisories to cover a dozen security vulnerabilities, including a "critical" cumulative update for the Internet Explorer browser. The IE fix corrects a remote code-execution vulnerability that exists due to the way the browser handles PNG (Portable Network Graphics) files."
Before you gloat too much (Score:5, Informative)
http://www.us-cert.gov/cas/techalerts/TA05-136A.html [us-cert.gov]
WSUS (Score:3, Informative)
Re:IE PNGs (Score:5, Informative)
http://blogs.msdn.com/dmassy/archive/2004/08/05/2
Believe me, I would rather just use a different browser (one has security holes of its own. As much as the creators of Firefox would like to believe they have the perfect browser, any major piece of software is going to have bugs.
The smart developers call these bugs... features :)
The truth is, though, most people don't know about anything other than IE. Why else would it show up with more than 80% of the hits on the websites we run? People don't like change. They like IE because it works out of the box with Windows. No extra installing, no "scary" configurations, no extra work on their part. If you want to convince people not to use IE, don't post messages on /. discussing the various security holes involved with PNG images. Go out and convince MS to stop packaging it with their OS. Make people have to do a little work to get on the internet. Maybe then they'll start to think a little about what they are doing.
Re:Reminds me of the JPG buffer overflow (Score:5, Informative)
As a matter of fact, these and other forthcoming issues with various OSes' graphic parsing and rendering libraries result from a sustained attempt to break them with fuzzing techniques by researchers at the Finish University of Uola (or Oula. I forget). This is the same group that ripped apart many vendors' implementations of SNMP a few years ago, and ASN.1 a year or two after that. Big thanks to them for proactive efforts to improve security...
Re:Sure glad I don't have to do this crap (Score:2, Informative)
You'd better go here [fedoralegacy.org] and install the Fedora updates (three in the last month)!
Re:IE PNGs (Score:5, Informative)
http://www.w3.org/Graphics/PNG/ [w3.org]
From the first paragraph:
"Indexed-color, grayscale, and truecolor images are supported, plus an optional alpha channel for transparency."
While it would be nice if they supported the optional features, it's actually the developers who continue to use alpha channel transparency PNG that are deviating from the W3C recommendation.
Re:Reminds me of the JPG buffer overflow (Score:5, Informative)
You probably meant the Finnish university of Oulu.
Re:Large size crash (Score:2, Informative)
The folks at libpng fixed the problem months (a year?) ago; I rolled the fix into our application's PNG handling with nary a hiccup.
Oh, and to save anyone else dealing with PNGs the weight gain and hair loss I experienced, there is NO support for pre-multiplied alpha channels in the library. Sigh.
Possible problem with this update (Score:3, Informative)
Video Problems caused by the Critical Update (Score:2, Informative)
Once you re-boot in a low resolution, you can then re-set the default resolution to something more acceptable (say, 1024 X 768 or something similar) and you're golden, but I have seen nothing in the press about this bug (that took me well over an hour to puzzle out on both affected computers).
My other systems are configured for SMS control, so patches aren't rolled out before testing, but these were set up to Auto Update (which Microsoft recommends for everyone, despite problems such as this). Otherwise, this could have been a major headache yesterday.
Re:Patches don't solve the problem on new installs (Score:4, Informative)
The key thing, as others have said, is to enable the software firewall and make sure that file and print sharing is disabled. A second CD with SP2 and a decent firewall like ZoneAlarm is usually enough too.
Re:Possible problem with this update (Score:3, Informative)
You will probably have to reduce the size of the system hive, using regedt32.
Could Not Start Because the Following File Is Missing or Corrupt: \Winnt\System32\Config\Systemced [microsoft.com]
Re:the problem isn't what it appears to be (Score:1, Informative)
SH
IE PNG Support (Score:2, Informative)
Dell support - MS Critical Update video issue (Score:2, Informative)
Re:Patches don't solve the problem on new installs (Score:3, Informative)
Re:IE PNGs (Score:2, Informative)
This page [entropymine.com] contains a PNG transparency test that comes in handy for figuring out exactly how IE handles different PNG types. It's theoretically useful for other browsers as well, of course; however, I believe that all other modern graphical browsers now have full PNG support.