Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Windows Operating Systems Software Security

Patch Tuesday — IE7 Clean 75

Posted by kdawson from the patchwork-quilt dept.
jginspace writes "As per the advance notification, Microsoft's monthly security bulletin, released yesterday, addressed five general Windows issues and one in Visual Studio. It also included a fix for a problem in Outlook Express for a total of seven updates. As patch Tuesdays go it was fairly unremarkable. The only general Windows update labeled 'critical' is for a flaw in Media Player. As usual, there's a cumulative update for Internet Explorer, but significantly, the only versions of IE affected are 5 and 6. Version 7 is clean — which is welcome news in this first update since the upgrade was pushed to the world last month. Microsoft was silent on the two zero-day Word holes, one reported here and a new one. Sans is calling this 'Black Tuesday' and recommends patches be applied urgently for the Visual Studio and Media Player vulnerabilities. Sans is recommending the Heise Offline Update utility covered in a previous story."
This discussion has been archived. No new comments can be posted.

Patch Tuesday — IE7 Clean More

Patch Tuesday — IE7 Clean

Comments Filter:

  • IE7 really clean? (Score:5, Insightful)

    by jginspace ( 678908 ) <jginspace@[ ]oo.com ['yah' in gap]> on Wednesday December 13, 2006 @03:23AM (#17219766) Homepage Journal
    Would I be trolling here if I wondered out loud: Did Microsoft really not find and fix anything with IE7 during the last month that they considered worthy of pushing out with this latest bulletin? Consider that this is the first set of updates since IE7 was pushed out to the whole world and how the inclusion of a patch for IE7 would be met with a jaundiced 'business as usual'. I suppose Microsoft just can't win on this can they?

    • Re: (Score:1)

      by ComaVN ( 325750 )
      I predict a zero-day exploit for IE7 by tomorrow.
      *any* new piece of code has bugs, no matter how good the development team.
    • I fully assume that IE7's phishing filter, like Outlook 2003's Junk Mail Filter, will receive monthly updates from Microsoft to keep it up to date with the latest phising "heuristics".

      Depending on your WSUS server's settings, Outlook 2003 Junk Mail Filter updates (and likely IE7 phishing filter updates) may appear as "Critical Updates" despite not actually being security patches for %0-day_exploit_01%.

      • Re:clean != free of "critical" updates (Score:5, Insightful)

        by Osty ( 16825 ) on Wednesday December 13, 2006 @04:06AM (#17219954)

        I fully assume that IE7's phishing filter, like Outlook 2003's Junk Mail Filter, will receive monthly updates from Microsoft to keep it up to date with the latest phising "heuristics".

        Actually, IE7's anti-phishing technology is server-based. The judgement of a URL as "phish" or "non-phish" is done completely outside of your browser, outside of your own PC even, so there's no need for heuristic, signature, or filter updates to be pushed to users.

        • Re: (Score:1)

          by Keeper ( 56691 )
          They maintain a local whitelist of "sites that definately aren't phishing sites". However, I believe they update that via some sort of background mechanism in IE and not via WU.

        • Re:clean != free of "critical" updates (Score:4, Insightful)

          by rbochan ( 827946 ) on Wednesday December 13, 2006 @09:31AM (#17221800) Homepage
          So... every single web site you browse is monitored by a Microsoft server? Yipe. I bet DHS _loves_ that "feature". Can you turn it off?

          Even sounds a bit like spyware...

          [adds another layer to tinfoil hat]

          • Re:clean != free of "critical" updates (Score:5, Informative)

            by Sancho ( 17056 ) on Wednesday December 13, 2006 @11:25AM (#17223128) Homepage
            It asks you by default, and gives you the option to disable the feature when it does.
          • The URL is of course hashed before it's transmitted anywhere. So the only sites they can actually recognize are ones that exist in their database as phishing sites. Maybe not hugely comforting, but it's not like they're blasting your browsing behavior back to their servers in plaintext.

            Course that didn't stop me from turning it off anyway. I guess there are a lot of retards out there, but I'm not one.

          • Old news. You can turn the fishing filter off - in fact, when you first run IE7, it asks you if you want to turn it on.

            They don't track the computers the filter requests come from. It's certainly techically possible that they could, but conspiracy theories aside, they don't.

    • You're not alone in your speculation. Leave it to an MS troll to slant non-news away from a non-event.

      It is more that IE7 by default is put on the backburner in terms of any kind of update activity, simply because it has only been out a month. Doesn't mean it is clean, and certainly doesn't mean anything significant, by any means.

      I'm willing to give MS a month breather, but I'm not willing to give a pass to the clean story, at all.

    • IE7 not clean: Secunia shows 3 unpatched holes (Score:5, Interesting)

      by free2 ( 851653 ) on Wednesday December 13, 2006 @05:12AM (#17220232) Homepage
      IE7 is not clean: Secunia shows there are 3 unpatched holes:
      http://secunia.com/product/12366/?task=advisories_ 2006 [secunia.com]

      • Re: (Score:2)

        by cp.tar ( 871488 )

        So it appears that the new definition of 'clean' is "we haven't made any patches yet".

        Sounds like Stef Murky himself thought up this one...

      • There's a cross-window injection problem, which could let sleazebuckets.com (if you're viewing them at the same time as you visit your bank) place a popup on top of yourbank.com. This kind of problem is not new. On the one hand that means Microsoft really should have prevented it, on the other hand it means that it's already best practice to have nothing else open when visiting a sensitive site.

        There's an address bar integrity problem which "could allow phishing". Again, MS should have used their experience
    • Since MS has such a regular release schedule for updates, it makes sense that the virus writers have a schedule too - relase it the day after all the security checks. Expect a hole to be announced and exploited within the week.

      Or, I could be wrong and the numbers are too low to make it worth the effort. Or, just maybe, Microsoft actually did build a secure product....

  • But I installed Outlook Express 2 years ago? (Score:1, Interesting)

    by Anonymous Coward
    I uninstalled Outlook Express around 2 years ago using "Add/Remove Windows Components".

    However, Windows/Microsoft Update keeps applying patches for "Outlook Express".

    I'm sure that if I searched my drive for Outlook Express (or the correct search pattern), I would find that Windows never really uninstalled Outlooked Express. Lies lies lies!

    • Re: (Score:2, Informative)

      by phrasebook ( 740834 )
      Yeah, just the shortcuts are removed. Ditto Movie Maker, Messenger, Media Player, IE and probably others.
    • You don't have to search very far - just have a quick look-see in c:\progra~1

    • Re: (Score:2, Informative)

      by oliverthered ( 187439 )
      If you clicked uninstall and the application failed to uninstall all of it's components then I'd say you own those components compleatly.
      Please GPL Outlook Express for us.

      • Re: (Score:3, Funny)

        by cp.tar ( 871488 )

        You really want to bring down Open Source, don't you?

        There's a reason no-one has done that yet.

    • Re: (Score:2)

      by 0racle ( 667029 )
      What does it feel like to find out what everyone else knew? This is documented behavior.

  • Damn. (Score:3, Insightful)

    by sporkme ( 983186 ) * on Wednesday December 13, 2006 @03:36AM (#17219808) Homepage
    What a headline... I thought for a second there that they had recalled IE7.

    I assume that only security vulnerabilities will be patched in XP's IE7 until Vista is on the same update schedule as XP. These patches will be fashionably late and will only address the most severe issues with the browser, and that simple compatibility glitches will go unanswered. Once Vista is really rolling along there will be more consistency.

    • Re: (Score:1, Redundant)

      by sanyam_y ( 982945 )
      Does this really qualify to be a headline? To ensure that any news receives maximum hits, all that one needs to do is to include one or all of the following keywords: Microsoft, Gates, Ballmer, Vista and IE7.
  • How much have the network protocols changed since IE was released? And now in version 7 we actually have a program that can (supposedly) capably utilize the protocols? Hell. I guess this is news.

    TLF
  • The article text is not well-written. It makes mention of a "Sans," without bothering to identify what Sans is. I assume they don't mean the SANS Institute? Just rubbish, not at all well-edited.

  • clean (Score:5, Funny)

    by l3v1 ( 787564 ) on Wednesday December 13, 2006 @04:29AM (#17220052)
    It's good to know, that if they don't release patches, that means IE7 is clean from bugs. I got all comfy and calm now.
     
  • This may be projected as a compelling reason to upgrade your web browser at least !!

  • Alright everyone, show's over (Score:5, Insightful)

    by strider44 ( 650833 ) on Wednesday December 13, 2006 @04:54AM (#17220168)
    It's official, IE7 is clean. This shows that Microsoft have gotten all of the bugs and there will be no more patches, ever. Uninstall your virus and spyware scanners - they're not needed anymore.

    Seriously, has the situation come to a place for Microsoft where a month with no patches for IE is actually news?

    • Re: (Score:3, Interesting)

      by chrisbro ( 207935 )
      Seriously, has the situation come to a place for Microsoft where a month with no patches for IE is actually news?

      Yes. This thing had systems administrators running because of the forced upgrade and general wariness. Now that it's being proven that it won't wreak havoc on corporate systems, I figure some BOFHs will start to ponder a roll-out after blocking it. If it proves in the short-run to be more secure than IE6 (which isn't saying much, of course), they might jump on it.

      As much as /. (justifiably) trash

      • Re: (Score:2)

        by larkost ( 79011 )
        The reason the corporations have been blocking it is that it breaks many web apps, including ones based on some of the larger vendors' platforms (Oracle, SAP, etc...). At the university where I work they have blocked it because it breaks with our purchasing system.
        • Yeah, that was the second part of why we blocked it at work; to wait until it got tested out. We haven't noticed any problems with web apps, but then again, we don't run a lot of apps that require client-side plugins/programs, either. Only thing I've seen is some features of SharePoint will crap it out.

  • Pushed out? (Score:5, Informative)

    by pe1chl ( 90186 ) on Wednesday December 13, 2006 @05:03AM (#17220202)
    Version 7 is clean -- which is welcome news in this first update since the upgrade was pushed to the world last month.

    I know you Americans consider "the USA" the same as "the world", but I can assure you that IE7 was NOT pushed out in the Dutch version of Windows XP. It is not even available as an optional package in Windows update.
    And I think it is the same in many other countries.

    • Re: (Score:3, Informative)

      by Tim C ( 15259 )
      Here in the UK, I was notified of it being available by Automatic Update at work on Monday. As I work in the web and we currently have no strategy for dealing with IE7*, I refused and set it not to remind me about it. I have heard of friends who have autoupdate set to download and install automatically who were surprised to find that they'd been upgraded, but that was recently, certainly not "last month".

      Still, assuming that everyone is in the same situation as you is hardly a uniquely American trait (altho

      • Re: (Score:2)

        by pe1chl ( 90186 )
        Last time I checked, it was not even available in Dutch. That may be one of the reasons it is not offered automatically here.
        Looking at the stats on the webserver at work, I see only 3% of MSIE 7 visitors. This means our visitors, which are mainly from the Netherlands, probably don't get this update pushed automatically.
        (MSIE 6 is at 78.7% and Windows XP at 68.1%)
    • There are only two things I hate: Those who are intolerant of other people's cultures, and the Dutch.

    • I know you Americans consider "the USA" the same as "the world", but I can assure you that IE7 was NOT pushed out in the Dutch version of Windows XP.

      Silly you. Dutchistan is in a completely different world - there's an ocean between them.

    • Re: (Score:2)

      by Jonsey ( 593310 )
      Maybe it hasn't been pushed by WU/MU yet, but here's a link to the bits: http://www.microsoft.com/belux/nl/windows/ie/downl oads/default.mspx [microsoft.com]

      Enjoy?
  • In Capitalist West Microsoft declare IE clean.
    In Soviet Union Politburo declare Chernobyl clean.

    Enjoy the Zero Day parade, now with improved security.

  • 12/12/2006: Update for Internet Explorer 7 for Windows XP (KB928089).
    This update resolves a performance issue with the Phishing Filter.

  • Why oh why... (Score:5, Informative)

    by Splab ( 574204 ) on Wednesday December 13, 2006 @05:42AM (#17220344)
    does the autoupdater insist on nagging me every 15 minuttes about restarting???? It's so bloody annoying, I know you just updated some of my software, but I'm working so shut the f*** up!

    Anyways, you can ask it to bugger off by going to control panel -> administrative tools -> services, find automatic updates, right click and press stop, that will stop it from nagging you about restarting.
  • I have to say that if there was just one Microsoft product that needed patching, IE7 would most certaily be it. I've had numerous clients complain about the absolute incompetency of this browser to do what it is fundamentally made to do - view web pages. Even on my own system I encountered at least one complete crash of IE7 every..single..day that it was installed, not to mention the painfully slow performance of the product. Granted, I didn't do everything in my power to make it stable - was running on de
  • Secunia released a new tool last week. You can use this to verify that you have the latest secure versions of software installed, including MS updates. http://secunia.com/software_inspector/ [secunia.com]
  • The organization referred to as Sans in this article is the SANS Internet Storm Center found at http://isc.sans.org/ [sans.org] You can find the reference to Black Tuesday and more information on this update at http://isc.sans.org/diary.php?storyid=1928 [sans.org]
  • Seems every exploit mentioned lately has been labeled 0-day. I guess they must have solved the problem of the [1-9][0-9]*-day exploits. Of course if we can limit the flaws to only a single day, it limits the time those nasty hackers have to break the systems! Right? What?
  • I'm searching for where SANS has recommended the Heise Security Offline update script and cannot seem to find this information anywhere on the SANS site.

    If I can find this evidence it would go a long way towards convincing my security group that my IT organization can use this to develope iso cds.
    • "I'm searching for where SANS has recommended the Heise Security Offline update script and cannot seem to find this information anywhere on the SANS site. If I can find this evidence it would go a long way towards convincing my security group that my IT organization can use this to develope iso cds."

      The SANS homepage changed shortly after the editors published this story. For the last few hours it's been the somewhat underwhelming account: "Microsoft Office 2004 (Mac OS X) update was a accident. (NEW)" .
  • When you install IE7 and Print emails received in html using outlook. There is a bug where the emails print in about a font of 1.
    http://www.microsoft.com/communities/newsgroups/en -us/default.aspx?dg=microsoft.public.outlook&tid=5 3028d9d-6499-4e5c-a928-71fd00e01da1&p=1 [microsoft.com]
    This sure seems like a problem. Maybe not critical but if they ladies in my office dont stop complaining about it then it might become critical.

  • IE is clean like that girl you know.. (Score:4, Funny)

    by kinglink ( 195330 ) on Wednesday December 13, 2006 @12:24PM (#17224076)
    You know the one who claims not to have caught an STD, but you've seen her around the free clinic a few times? You know the one. She has documents that say she has a clean bill of health but somehow you don't think there's a Doctor Fakopsky.

    Then of course you go out with her and the next day you know what falls off? We've all had that experience, haven't we?

    Oddly enough that sounds exactly like IE7. I'll stick with my hotter girlfriend, Firefox. It's true she might have "enhancements" and she might be a little "slower" but at least she's not sleeping around like IE.
  • So we have these vulnerabilities with Outlook Express, Internet Explorer, and other parts of the OS. I'm sure there are a bunch of people... ummm me... that are still using the now unsupported OS's of 98 and ME...

    Can Zone Alarm, router firewall, along with Ad-Aware, keep things more or less safe for ME, or is it really time to upgrade?
    • ME is horrible, you should upgrade to Windows 2000, Linux, or BSD right away. Or at least use Firefox/Thunderbird instead of IE/OE.

    • Re: (Score:2)

      by SEMW ( 967629 )
      Yes, you can still keep things reasonably safe; as long as you:
      • Have a virus scanner that scans all incoming and outgoing email *before* your email program gets at it (For example, AVG, which is free).
      • Have a firewall -- preferably a hardware firewall, but a good software one like Zonealarm will do at a pinch.
      • And most importantly -- don't use IE and OE. This isn't any bias on my part, only that any program you use that connects to the internet should be kept completely up to date. Since this is impossib

Slashdot Top Deals

Say "twenty-three-skiddoo" to logout.

Close