Microsoft Rushes Internet Explorer Patch 376
drquoz writes "Last week, it was reported that a critical security flaw was found in Internet Explorer. On Tuesday, experts were advising users not to use IE until a patch could be released. On Wednesday, Microsoft released the patch. An interesting quote from the article: 'Kandek suggests that Microsoft is at a disadvantage in updating Internet Explorer because its browser doesn't have a built-in update mechanism like other browser makers. Mozilla, for instance, just released Firefox 3.05 to Firefox users through its auto-update system.'"
"Microsoft is at a disadvantage ... " (Score:5, Informative)
I found this this morning in my Windows Updater log :
"
Security Update for Internet Explorer 7 in Windows Vista (KB960714)
Installation date: 12/18/2008 3:01 AM
"
Ubuntu has update notification (Score:5, Informative)
I even find it awkward that no popular linux distribution checks and proposes security updates at bootup.
I have an ASUS laptop that runs Ubuntu 8.04. I turned it on, turned on the Wi-Fi radio, and started Firefox to look up something about reenactment costuming. After a few minutes, I noticed the update icon in the tray. One of the updates was Mozilla Firefox 3.05. I clicked download and apply, and it was done. So yes, Ubuntu automatically "checks and proposes security updates".
Re:Doesn't have a built in update mechanism? (Score:5, Informative)
Firefox updates upon the point of relaunch. There is no need to restart windows. Also it remembers the context of every session in every tab, so you can continue where you left off.
Re:Doesn't have a built in update mechanism? (Score:5, Informative)
The automatic update system in Windows is far from perfect, and doesn't allow users the granularity of saying "yes, update my browser but no, leave the rest of my system alone."
Also, telling it you want to be notified of available updates (similar to Firefox's behaviour) is nowhere near as convenient as the way Firefox handles simply installing its own update and then restarting with your windows and tabs reopened to where you were last.
Re:Doesn't have a built in update mechanism? (Score:5, Informative)
The automatic update system in Windows is far from perfect, and doesn't allow users the granularity of saying "yes, update my browser but no, leave the rest of my system alone."
I'm more of a Linux man, but I know this is wrong. If you set auto updates to download and notify for installation, you can choose which updates to apply.
Re:Interesting... (Score:4, Informative)
Internet Explorer may not have an auto-update system, but Microsoft Windows has an update system rivaling that of Ubuntu and OS X in automaticness, if not scale.
Since Windows encourages users to allow automatic updates installed at 3am every morning and also by default installs any pending critical updates at system power down, it doesn't seem like any supported version of Internet Explorer should remain unpatched for too long.
Ubuntu and Mint, at least, check daily. In Ubuntu when there are security updates you see a red arrow in the notification area, when non-security updates are available you see a orange sun(?). Also, if you go to "System"->"Software Sources" and then the "Updates" tab you can set it to apply security updates automatically (this really should be default, IMHO).
I still think Ubuntu's update system rivals Windows and OS X as it not only updates the base OS and OS vendor applications, it updates everything on the system.
Re:Doesn't have a built in update mechanism? (Score:5, Informative)
Re:Doesn't have a built in update mechanism? (Score:1, Informative)
I'm more of a Linux man, but I know this is wrong. If you set auto updates to download and notify for installation, you can choose which updates to apply.
We are talking about auto-update. So no, you can't tell the system to auto-update IE, but don't touch MDAC or WGA or those mistranslated language packs.
Wrong (Score:5, Informative)
Firefox doesn't do tray icon notifications. And distribution-provided Firefox packages disable the auto-update, which wouldn't succeed anyway as the user running FF is not supposed to have write access to /usr. Instead, the distrib's auto-update mechanism handle it (apt for Ubuntu/Debian, yum for RedHat/Fedora, emerge for Gentoo, yast IIRC for Suse and so on). This is better on many levels, since it prevents a user process from altering the binary.
But you can also download the official Linux tarball and deploy it to your home directory; the FF update mechanism will handle it.
Re:Doesn't have a built in update mechanism? (Score:3, Informative)
Yes you can. The auto update settings: 1. download and install everything. Or 2. download and tell me there are updates ready to be installed. Or 3. do not download but tell me there are updates.
With 2 or 3 you can pick the updates to install. You click on the update icon in the lower right on the task bar (unless you moved it to a different location). Choose custom install. Do not select express. Express will install everything. Custom will let you pick which ones to install. With 2 if you just shut down and get the option: install updates and shutdown, all the updates at that time will be installed and the computer shuts down. Some of the updates (usually on vista) finish on the next power on. Yes you can choose which updates to install. But you have had to change it from the default (option 1) to do so.
"Firefox issues eight patches" (Score:3, Informative)
Mozilla has issued eight patches for its Firefox Web browser, three of which fix problems classified as critical. [pcworld.com]
Man, you really showed them.
Re:Doesn't have a built in update mechanism? (Score:1, Informative)
It checks while you browse. And downloads it. During the last session. Then prompts you at the start of the next session.
Re:Doesn't have a built in update mechanism? (Score:5, Informative)
Re:Doesn't have a built in update mechanism? (Score:3, Informative)
Ubuntu disables Firefox's own auto-updater, instead all Firefox updates are pushed through Ubuntu's repositories so that they are kept in sync with the rest of the system.
Re:Doesn't have a built in update mechanism? (Score:4, Informative)
Just for clarification, this is only true for the version of Firefox you installed from Ubuntu's repositories. You can install the version provided by Mozilla and it should have it's own updater enabled.
Re:Doesn't have a built in update mechanism? (Score:2, Informative)
Well, let's just say that the other day I found out my roommate was using version 1.5.
The inability to upgrade across major versions is one of the weaknesses in Firefox. I was hoping that that last 2.x patch would add a bar at the top telling people to download FF3 if not upgrading its update tool to handle the transition.
Another weakness (in both WU and FF) is that neither will ask the user to log in as admin and install updates. WU will just do it and reboot the computer in the middle of whatever you were doing (such as giving a presentation to potential clients using a laptop that had been off for a couple of weeks. No, the "Rebooting in 5 minutes" bar does not have a cancel button if you're not an administrator) unless there's a EULA to click, in which case it does jack shit (in the case of my mother's computer, which I have to remind her to log in as admin every once in a while to install any updates requiring her to click I Agree, then log back in as her unprivileged user before Teh Nasties take over her computer.
Re:Doesn't have a built in update mechanism? (Score:5, Informative)
Weekly? The default is to check every day at 3am. If it's turned on and left at the default (like most people do with FireFox), they'll be notified this morning and able to install it right away.
Re:Doesn't have a built in update mechanism? (Score:2, Informative)
Probably because it wasn't, and it wasn't for a VERY long time. It's only when the EU got serious about pushing for an IE-less Windows that MS suddenly started integrating the crap out of IE/Windows.
As recently as Windows 2000, you could have a fully functional machine with IE fully removed. MS would swear up and down that it wasn't possible, but folks all over did it every day.
With XP and onwards, MS used IE instead of the older Explorer cousin to render local folders and files. This was a gargantuan mistake in many opinions, mine included. It exposed myriad security holes in IE, most of which got patched, which is a net-good effect, but it also exposed a TON more attackable surface to the local filesystem.
Re:Doesn't have a built in update mechanism? (Score:3, Informative)
Re:Doesn't have a built in update mechanism? (Score:3, Informative)
Yeah, cause Active Directory scales great over the internet, and EVERYONE has a 100Mb connection or better at their place of business.
Please explain, WTF this has to do with the OP, other than you expressing a hard on for Active Directory?
If you think updates across sites must have Active Directory running over the WAN is required, you don't know crap about Active Directory.
Side Note: If you are having trouble using Active Directory on even a 56K Frame Relay, your network design is really messed up. Handing out a security credential token and policy is a few freaking KB.
Talk about failing real life experience... Holy Fek...
Re:Doesn't have a built in update mechanism? (Score:2, Informative)
Re:Doesn't have a built in update mechanism? (Score:3, Informative)
You can use a GPO to force the computers to use Microsoft for updates. A GPO isn't going to be a big deal, even across a dial-up connection.
Though one of the main reasons for using WSUS is that you only have to download the updates ONCE from Microsoft, not once for each system, thus saving WAN bandwidth.
Re:Doesn't have a built in update mechanism? (Score:2, Informative)
Linux versions use standard system update tools and internal firefox update can be deliberately turned off by packager.