Microsoft Rushes Internet Explorer Patch

drquoz writes "Last week, it was reported that a critical security flaw was found in Internet Explorer. On Tuesday, experts were advising users not to use IE until a patch could be released. On Wednesday, Microsoft released the patch. An interesting quote from the article: 'Kandek suggests that Microsoft is at a disadvantage in updating Internet Explorer because its browser doesn't have a built-in update mechanism like other browser makers. Mozilla, for instance, just released Firefox 3.05 to Firefox users through its auto-update system.'"

Re:Interesting...

[Yvanhoe]

I even find it awkward that no popular linux distribution checks and proposes security updates at bootup.

Windows Update?

[Farmer Pete]

I wonder how many exploits will be found in IE before they are all gone. I mean, logically, there has to be some point in the future when IE7 is totally exploit free. To bad that the cycle of software replacements wont let that happen. Given enough time, IE7 and WinXP could be some of the toughest software in existence.

"Experts Advising Users Not To Use IE"

[Skeetskeetskeet]

This is the best advice the experts have given in years.

Yes, but

[Reality Master 201]

Most people aren't in your situation or that of your users. Most people are surfing the web on their personal computers, and so automatic updates will work just peachy for them.

Re:Firefox updated?

[denis-The-menace]

You are right.
The strange thing is that some FF updates do get installed with XP's "Limited User" accounts but some just fail.
No rhyme, no reason.
For those that failed I had to log on with an Admin account and let the FF update install.

FF needs a updater service that runs in the System context so that all FF updates can get installed without the user being logged on as an administrator.

Re:IE autoupdating..

[djmurdoch]

Then again, I only use Firefox, and would never consider using IE.

It's harder to avoid than you seem to think. If you use Windows help to view .chm files, you're using IE. Usually they stay local, but many help files do include
links to web pages, and then you're out in the real world.

Re:Doesn't have a built in update mechanism?

[Anonymous Coward]

As Microsoft announced they will do Windows updates on Patch Tuesday, many people set Windows to check for updates once a month. They'd miss the updates until the next monthly schedule. As we've seen, if "experts" didn't advise people to stop using IE because of a specific flaw, this patch would have been released next month.

I like to think of this patch as a little present to administrators who wanted some overtime before Christmas.

While I don't have a lot of love for Microsoft, they got criticized by corporate types when they patched too frequently. They then get criticized for patching more frequently than once a month. Seems the only way out of that is to have the corporations use computers that load an OS on boot. It'd be cheaper and more secure anyway.

Reboot? Why?

[clintre]

The bad thing about IE not having the built in updater is that this patch required a freaking reboot for a browser patch!!

That is just stupid.

The great thing about this fiasco is that I was able to convince several people who had been un-willing to move to Firefox or Opera to now do so.

Thanks Microsoft!

How does Firefox update itself

[Skapare]

... if it is running in a restricted userid?

Re:Doesn't have a built in update mechanism?

[RMingin]

I work for a school district, cyber-schooling. Ours may not be a scientifically valid cross-section either, but I'd say 6/10 or more machines either have WUAU turned off (the more advanced kids) or they simply hit the 'go away' button and never reboot to apply updates.

If you have pending updates, suspend/resume at night, and never manually reboot, WUAU will NOT apply further updates till the pending ones go on. I've had machines 6 months and more out of date (coming in today with XP SP2) on a regular basis.

I think one of the key things here is that Windows seems to require a reboot for EVERY LITTLE PATCH, which is a problem with the way they've hyper-integrated the kernel, the IE engine, and the shell. If things weren't tied together so tightly, a lot less reboots would be needed, and I'd imagine fewer people would be clicking 'later, go away' on WUAU notifications.

Hell, *I* am guilty. My work laptop applied the IE7 rush fix this AM and I told Vista to stuff it for 4 hours. When it pops up after lunch I'll tell it to stuff it for 4 again. I'm not using IE at all (never unless I have to), so I know I'm not running in a compromised state, but I'm sure the great majority of the 'later' clickers both do not know what they are postponing and further WOULD NOT CARE.

Re:Doesn't have a built in update mechanism?

[shutdown -p now]

It's fairly easy to check for yourself - compile int main() { getch(); }, run it, and see what you can do with executable. You will see that you cannot delete it, but you can rename it (and after you rename it, you can create a new file with the same name; you cannot do it before that).