Microsoft Rushes Internet Explorer Patch 376
drquoz writes "Last week, it was reported that a critical security flaw was found in Internet Explorer. On Tuesday, experts were advising users not to use IE until a patch could be released. On Wednesday, Microsoft released the patch. An interesting quote from the article: 'Kandek suggests that Microsoft is at a disadvantage in updating Internet Explorer because its browser doesn't have a built-in update mechanism like other browser makers. Mozilla, for instance, just released Firefox 3.05 to Firefox users through its auto-update system.'"
Doesn't have a built in update mechanism? (Score:2, Insightful)
Sorry...but, "huh?"
Tools-Windows update. Or it is updated automagically if you have auto updates turned on.
I did RTFA, but I still didn't understand that comment.
-JJS
Interesting... (Score:5, Insightful)
Internet Explorer may not have an auto-update system, but Microsoft Windows has an update system rivaling that of Ubuntu and OS X in automaticness, if not scale.
Since Windows encourages users to allow automatic updates installed at 3am every morning and also by default installs any pending critical updates at system power down, it doesn't seem like any supported version of Internet Explorer should remain unpatched for too long.
IE autoupdating.. (Score:4, Insightful)
Then again, I only use Firefox, and would never consider using IE. At one point do even common household users realize that IE is not the way to go?
Firefox updated? (Score:5, Insightful)
And should I use my cobbled together scripts to push out a security update for Firefox on the last day of finals when it might break everything, or should I wait until Monday?
On the other hand, the WSUS server that I set up worked exactly like it was supposed to last night.
Re:IE updates (Score:5, Insightful)
Autoupdate is a ghastly bandaid (Score:5, Insightful)
I can understand why companies use them, since the alternative typically involves things sitting unpatched for ever and ever; but the whole thing is a mess. Hurray for package management.
Re:Interesting... (Score:1, Insightful)
I can think of distros that check & prompt on your desktop.
Mandriva's had an Updates system tray utility for a while now.
Come to think of it, Linpus Linux Lite on the Acer Aspire One also auto-checks and prompts for software updates.
But does Windows/any OS have an option to prompt/auto patch at boot up, rather than after a user's actually logged in and known to be present?
These Novell Netware XP machines apply updates when we start work, not sure if it's before or after login, but having to reboot can be annoying if you've just got starting IM-ing hard to catch people
Huh? (Score:5, Insightful)
IE is at a disadvantage because it doesn't have a built in update mechanism? Seriously?
IE updates are managed thru a single interface, windows update, and windows update is actually one small thing windows gets mostly right. I don't want every god awful program under the sun phoning home ON ITS OWN to god knows where and updating itself without my knowledge.
However I do want a convenient method to make sure I'm getting updates I may need from a trusted source. Windows update is better than programs phoning home on their own. Short of having an update repository for 3rd party apps like Linux distros do things, thats about the best you can hope for...
That is, unless you like the google software updater, apple software updater, etc, running all the time soaking up resources and generally being non-value added.
Re:Doesn't have a built in update mechanism? (Score:3, Insightful)
Re:Firefox updated? (Score:5, Insightful)
FF needs a updater service that runs in the System context so that all FF updates can get installed without the user being logged on as an administrator.
No, I don't want another mysterious service that runs in the background doing whatever it feels like without explicit approval.
Firefox for windows needs to start deploying the program as a regular .msi file (like most windows applications) so that all the existing application deployment tools will work. That will go a long way to boosting firefox among businesses & large organizations.
Re:Doesn't have a built in update mechanism? (Score:5, Insightful)
With Vista they've made it doubly annoying, as Windows Defender gets updates *all* the time. So if you've got it set to notify, you get a whole lot of nagging. If only you could pre-approve Windows Defender updates...
Dear God, No (Score:4, Insightful)
FF needs a updater service that runs in the System context so that all FF updates can get installed without the user being logged on as an administrator.
I would never enable that feature on my PCs. The last thing I want Firefox to do is join the ranks of Flash, Java, Adobe Reader and iTunes with nagging auto-update services that always run in the background. Often the updates aren't even critical, I think many of those 'features' are pushed by marketing departments who want to plaster your desktop with as many of their logos as possible.
Re:Doesn't have a built in update mechanism? (Score:5, Insightful)
If the user isn't bright enough to read the patch list, then why are you trusting them to selectively patch the OS?
Set windows update to automatic and be done with it.
I have yet to run into an average user with a properly working computer who has had a problem with something pushed through Windows Update.
Re:Why not windows update? (Score:3, Insightful)
One thing I do notice about the less savvy users is that they do mostly trust windows update.
On the other hand, what else could they trust ?
They have no idea how their computer works, certainly aren't interested in figuring it out, so they trust their vendor. Makes sense.
It's probably safer than they trusting random sources on the Web where they don't have the know how to separate the wheat from the chaff.
Ideally they should have an administrator taking care of this for them. But in the real world we all know this won't happen. Especially with home users.
Re:Doesn't have a built in update mechanism? (Score:5, Insightful)
Until recently I worked in a mom and pop PC repair business. About 9 out of 10 systems I worked on were out of date, typically by a few months. I don't know for sure, but my guess is that users are switching auto-update off because can't be bothered with 'nag' messages from their software.
Granted, the machines I saw were generally dying, so it may not be a fair cross-section of home computer users. Still, the idea that 99% of home users should have new patches within a week flies in the face of what I saw every day.
Re:Doesn't have a built in update mechanism? (Score:3, Insightful)
I'm not saying that the other guy is right, but when it comes down to it, neither of you really have much to go on. From my experience, if auto update is turned on to download and install automatically very rarely gets turned off completely. One, for the most part, people who turn it off understand the system and either run updates manually themselves OR have it set to download and then they just install it whenever they see the little yellow shield icon. However, this doesn't apply to people who aren't constantly connected to the internet. If they're on dial-up, they can fall out of sync. I'm not sure of the percentage of people on dial-up, but it could be a problem.
Re:"Firefox issues eight patches" (Score:5, Insightful)
Your comment shows ignorance.
When FF needs to install critical patches it restarts itself & conserves as much context as possible.
When windows needs to install critical patches it reboots the system & loses all context. Even if you delay the reboot to finish critical tasks the reminder that you need to reboot pops up periodically with reboot preselected. If you were performing an unrelated task & happen to hit enter at the wrong time the system reboots without saving your work possibly corrupting it.
I've seen it happen a few times & people do switch browsers after being burnt or seeing it happen to colleagues, but I suppose you'll just stick your fingers in your ears, close your eyes & mumble your prayers to the Redmond God to spare you...
Re:Doesn't have a built in update mechanism? (Score:3, Insightful)
Yeah, cause Active Directory scales great over the internet, and EVERYONE has a 100Mb connection or better at their place of business.
We're physically discontiguous and your solution, while what I would do (and have done) in single site or robust WAN environments, simply does not work with the tools I have at hand and the geographical barriers I have to hurdle.
So yeah, you pass the MCSE exam but fail the Real Life test. Not everything can be solved by dropping WSUS onto an underutilized server and defining a new policy object.
Re:Doesn't have a built in update mechanism? (Score:3, Insightful)
Yeah, cause Active Directory scales great over the internet, and EVERYONE has a 100Mb connection or better at their place of business.
AD scales fine over a WAN if you have a DC at your satellite sites.
Re:Interesting... (Score:5, Insightful)
I went to microsoft.com support pages on purpose, with unpatched IE.
They spam Silverlight 2.x install on the pages instead of "update your Internet Explorer NOW!" in same fashion. I call it "spam", total spam I tell you. It is like whole page darkens before you can click anything and middle of page, there is "Install Silverlight Now!". Based on the hugeness of the security bug, I would cheer if they showed that IE warning in ALL MS sites including MSN. I saw MSN too, it has 1 liner "Download urgent Internet Explorer update". Of course it was blocked by "See your specific country page now!", another pop-in trick.
What kind of purpose will Silverlight 2 serve at Support pages to "enhance" my experience besides not being Adobe Flash?
Oh BTW, guess what XP SP3 installs. Flash Player 6. Yes, SIX. On the other hand, Apple updates all their customers Flash to secured 9.x version.
They really believed that buying Yahoo for 46 billion would fix that logical problem?
Re:Doesn't have a built in update mechanism? (Score:4, Insightful)
I have Firefox running on Vista, XP, 2000, 2003, Mac OS X, OpenSUSE, Mandriva, Ubuntu, and others. Firefox versions 2 and 3.
My experience is that the Auto Update mechanism in Firefox is flawed. A number of these PC's never trigger to be updated even if they are months behind. One of my Windows 2000 servers often takes about a week before it's auto updated.
Experience shows that it doesn't check for an update at every launch. And that sometimes it gets stuck, something gets corrupt, and not until you ask it to check will it check again.
Granted, this is much better than most software. However the update mechanism needs work.
Microsoft signs/encrypts and then checks the IE package signature. As much as a dog Microsoft, their update mechanism is one of the best.
Re:Huh? (Score:3, Insightful)
I work with thousands of client machines in my environment - I've had experience with SUS hosing things up, but it still mostly gets things right for the updates it manages. Letting programs hose things up on their own is no better than letting windows update hose them up. In fact, judging by the way things work in Linux, I'd say managing updates centrally makes everything play better together on average. This part of your comment does not have any substance.
I disagree. The programs should be updated from an approved repository that has oversight. Letting every application developer out there decide what updates will be applied to machines they know nothing about is poor design. And I'm not running any god awful applications - I'm running Gentoo with VirtualBox for my Windows only management applications (check out the articles on my website). But my users do, and I do often consider many of them insane. Other IT folks who work in large environments they don't have complete authority over can sympathize I'm certain.
Windows Update could be improved by making it easy for application updates to be approved and deployed thru windows update, and then perhaps applications like Acrobat would get onboard. This would be similar to the way in which microsoft works very hard to make it easy to develop for the windows platform. The whole point of my post was to describe what Windows Update could be but isn't, because of choices MS has made. Next question.
I disagree. Updates should be managed centrally. This would directly alleviate issues of having numerous update services running constantly in the background, which is a solution application developers resort to because they have no realistic better option on the Windows platform.
Re:Doesn't have a built in update mechanism? (Score:3, Insightful)
Yeah, I'll just add a DC to each of the 400 students scattered to Hell and gone all over the state. When I say geographically separated, I don't mean we have a stretch between buildings, I mean we have counties between each student and the next.
I know the suggestions are a healthy mix of 'how I'd do it' and 'UR DOIN IT RONG', but I'm really one of those cases where the MS Way simply will not work, no matter how much or little I'd like it to.
Re:Doesn't have a built in update mechanism? (Score:2, Insightful)
Re:Doesn't have a built in update mechanism? (Score:3, Insightful)
One annoying little feature of XP updates... You can choose to apply updates and shutdown, but you can't choose to apply updates and restart when you go to the shutdown menu. There are many times I'm heading to a meeting or whatever, and wouldn't mind it downloading, installing, and restarting, all ready for me when I come back. I don't want to come back and have to boot it up.
Re:Doesn't have a built in update mechanism? (Score:2, Insightful)
Oh wait, replying to myself since I found it finally:
http://www.broadbandreports.com/forum/remark,14167743 [broadbandreports.com]
Now to try walking my mother through that over the phone...