
MS Issues Emergency IE Security Update

Posted by CmdrTaco
from the press-the-panic-button dept.
WrongSizeGlass writes "CNET is reporting that Microsoft has issued an emergency patch for 10 IE security holes. 'The cumulative update, which Microsoft announced on Monday, resolves nine privately reported flaws and one that was publicly disclosed. ... Software affected by the cumulative update addressing all the IE vulnerabilities includes Windows 2000, Windows XP, Windows Server 2003 and Server 2008, Vista, and Windows 7.'"

  • by sxedog (824351) on Tuesday March 30, 2010 @05:06PM (#31677582)
    Amazing... that was only a week ago!
    • This is normal. Expected. Everyday life for millions of Windows users.
       

      • Re: (Score:3, Insightful)

        by DAldredge (2353)
        Like other operating systems don't have patches?
        • by dudpixel (1429789)

          what about emergency ones?

          in my experience these are VERY rare, except on Windows.

          • by DAldredge (2353)
            Then your experience is so limited as to be nonexistent. Oracle, IBM, Sun(RIP) and nearly every other major software house on the planet has released some sort of emergency batch.
            • I won't say that no Linux distro or program ever releases an emergency patch, but when they do, most users don't know it's an emergency. Why? Because unlike Microsoft, they don't try to stick to a once-a-month release schedule for patches, so they don't have to make a special announcement or tell the world that it's an emergency; they just release it along with whatever other patches, updates or upgrades happen to be available at the moment.
            • by dudpixel (1429789)

              read it again. I didn't say emergency Linux patches don't exist, I said they are rare. At least not as common as Windows ones.

          • that's only because of ms' well-known agility, lol, others are just too slow/lazy.
        • by MacWiz (665750)

          Like other operating systems don't have patches?

          Occasionally, but not every other Tuesday for the last 10 years or so, sapping the productivity of the entire corporate spectrum on a regular basis. And how many "emergency" patches has IE had already this year?

          • by DAldredge (2353)
            If only Microsoft made a product that allowed you to control what updates got sent to your systems.  They could call it something like Windows Server Update Services.

            Oh! they do make such a thing http://en.wikipedia.org/wiki/Windows_Server_Update_Services
            • by MacWiz (665750)

              Oh! they do make such a thing

              I wouldn't know about such things. I use a Mac.

              • by DAldredge (2353)
                Then why are you talking about things you don't know about as if you do?
                • by MacWiz (665750)

                  You're making a leap there, pal. I didn't know about the patch management tool -- but I wasn't talking about it.

                  As for the rest, I read the news. It's amazing what one can learn. There's a story about Microsoft security patches pretty regularly. The "Security Fix" column at the Washington Post is an excellent source of information, although just about every tech publication will front-page an article about a new MS patch because it's always an "emergency." Anyone with reasonable intelligence can see that st

      • most people won't even know. i hate windows. but i have to agree, the updating is pretty seamless, and invisible to the user. ubuntu needs to learn.
        • by vegiVamp (518171)
          You mean, like the "Install security updates without confirmation" option that's in my two-versions-behind Ubuntu ? Oh, right, you mean the "reboot for nearly every patch" kind of seamless, yeah, you're right, that's missing from Ubuntu.
          • i don't know if i'm doing something wrong but on ubuntu 9.10, it pops up an ugly update list and waits for me to click update and enter my password. if there is a way to tell it to do so automatically please tell me, i'll be glad to hear it.
            • by vegiVamp (518171)
              The way you'd expect: right-click on the notification icon and click preferences.

              Well, on my 8.10, that is - I assume it won't have changed much.
  • by Bearhouse (1034238) on Tuesday March 30, 2010 @05:10PM (#31677640)

    Ms link here:

    http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx [microsoft.com]

    No real sweat for IE8 on Win7...

    • by Anonymous Coward on Tuesday March 30, 2010 @05:20PM (#31677782)

      Link 1 [mozilla.com]
      Link 2 [opera.com]

        • by Ron Bennett (14590) on Tuesday March 30, 2010 @05:36PM (#31677996) Homepage

          Firefox is nice and is my default browser, but not much better than IE8 when it comes to security vulnerabilities.

          For example, many feel Firefox is so much more secure than IE8 and yet why is it that pop-unders (not the same as pop-ups, which FF does a good job blocking) from the likes of Netflix, even after years of complaints, still haven't been addressed?

          Surely, if unwanted pop-unders can slip through in Firefox, likely so can other unwanted things. Despite being an open-source program, I'm surprised there's still no built-in defense against pop-unders in Firefox. Yes, I know there's Adblock, but that comes with a bunch of overhead and, from what I've read, doesn't always block pop-unders either. End of rant.

          • Surely, if unwanted pop-unders can slip through in Firefox, likely so can other unwanted things.

            That's a non sequitur. Consider: The Firefox developers do not view disabling pop-unders as anywhere near as important as ensuring the browser is secure. The fact that the developers did not put the time and effort into disabling pop-unders does not mean they aren't able to keep Firefox secure.

            I'm not saying that Firefox is secure so much as that your reasoning is faulty. You could try to argue that the Firefox developers don't care about end-user complaints, or something along those lines, with

          • by abigsmurf (919188)
            I just wish Firefox wouldn't go crazy when you get a popunder and switch to a random open window. This bug has been around for years and it's pretty irritating. Why hasn't it been addressed yet?
            • I wish that a modal dialog window in one tab wouldn't block the entire browser - cannot switch tabs, cannot do anything other than acknowledge and dismiss the dialog window, which kind of fucks everything up when the modal dialog is caused by infinitely looping code :(
        • by Enderandrew (866215) <enderandrew@noSPam.gmail.com> on Tuesday March 30, 2010 @05:38PM (#31678024) Homepage Journal

          If Chrome had a better ad-blocking solution, I'd agree with you. All the Chrome ad-blockers still render/run the ad in the background

          I was reading AintItCoolNews with Chrome, and some ad in the background downloaded and opened a PDF without asking me, which Microsoft Security Essentials was quick to report had malicious code in it.

          With Firefox and Adblock Plus, I never see ads. Where are most of these exploits going to originate from? Ads.

          • Re: (Score:1, Interesting)

            There is AdBlock for Chrome as well. Seems to work fine on this end.
            • by aztracker1 (702135) on Tuesday March 30, 2010 @06:25PM (#31678668) Homepage
              Re-read the GP.. the content still gets rendered, even if you don't see it... Which means any exploits still get through.
              • by Jugalator (259273)

                If you set up Chrome to use a script-based whitelist, you essentially have a poor man's NoScript. It's then also easy to unblock certain sites you come across, by using the rightmost omnibar icon that will show for all pages that have js blocked. (a scroll of paper with a cross mark)

          • by smash (1351)
            squid+squidguard. done.
          • by Jugalator (259273)

            If Chrome had a better ad-blocking solution, I'd agree with you. All the Chrome ad-blockers still render/run the ad in the background

            Since Chrome 4.1, I just use the browser blacklist for the annoying domains to prevent running Javascript and plugins (= Flash).

            It instantly cleans at least two major newspapers here, as a whole lot of advertising is JS or Flash-based, or both. And makes them faster than I have ever seen too, as a bonus.

            Browser black/whitelists with forced includes/exceptions for js/plugins/images is in all OS editions of Chrome since the latest betas for the respective operating systems.

            I think I filed, or at least voted o

        • Opera vulnerability that the company denies is a vulnerability

          Following that link, I see:

          the vulnerability was confirmed in Opera 9.10

          That's pretty old. I'm using Opera 10.10 (on FreeBSD) here...

          • Re: (Score:1, Troll)

            So by this logic one should just ignore any exploits in IE6 just cause most people are using IE7 or 8?

        • chrome is great. i've been using it on ubuntu. but it gets sluggish after a day or two. firefox's performance is consistently slow, but it IS consistent. opera simply sucks. opera mobile on my e71, it's the best browser on a smartphone. (i don't consider the iphone to be a smartphone cause it can't run >1 apps)
      • why even bother with those... just point people to http://www.browserchoice.eu/ [browserchoice.eu] (and tell them to ignore the IE one, I suppose)

      • Re: (Score:1, Offtopic)

        by moteyalpha (1228680)

        Link 1 [mozilla.com] Link 2 [opera.com]

        Why not just go all the way and get a real OS? [linux.org]
        And ceiling cat sayed: "Let there b lulz", n there wuz.
        Or even chrome [google.com]

      • by abigsmurf (919188)
        The same Mozilla firefox that took a month to patch a publicly known exploit recently?

        If anything, Firefox is more vulnerable to exploits because of its lack of sandboxing features.
    • by malloc (30902) on Tuesday March 30, 2010 @05:22PM (#31677814)

      To me "No real sweat" != "Windows 7 - Internet Explorer 8 - Remote Code Execution - Critical "

    • by natehoy (1608657) on Tuesday March 30, 2010 @05:24PM (#31677848) Journal

      Actually, it is.

      This release also addresses CVE-2010-086, which is no sweat for IE8 on Win7, as you say. But note the term "also addresses". That's an important term.

      One or more of the other nine vulnerabilities the fix is being released for is labeled as critical, and can cause remote code execution.

      Specifically, CVE-2010-0490 (Uninitialized Memory Vulnerability) and CVE-2010-0492 (HTML Object Memory Corruption Vulnerability) are both listed specifically as "Critical - Remote Code Execution" for Windows 7 (both 32 and 64-bit) for Internet Explorer 8. CVE-2010-0494 (HTML Element Cross-Domain Vulnerability) is listed as "Important - Information Disclosure".

    • No real sweat for IE8 on Win7...

      How do you figure? IE8 on Windows 7 still has this classified as a critical update. It's moderate for IE8 on Server 2003 and Server 2008.

    • by WrongSizeGlass (838941) on Tuesday March 30, 2010 @05:32PM (#31677962)
      Actually, IE 8 and Windows 7 are listed in that very link you posted.

      Internet Explorer 8:
      * Windows XP Service Pack 2 and Windows XP Service Pack 3
      * Windows XP Professional x64 Edition Service Pack 2
      * Windows Server 2003 Service Pack 2
      * Windows Server 2003 x64 Edition Service Pack 2
      * Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
      * Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
      * Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
      * Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
      * Windows 7 for 32-bit Systems
      * Windows 7 for x64-based Systems
      * Windows Server 2008 R2 for x64-based Systems**
      * Windows Server 2008 R2 for Itanium-based Systems

    • Yea. Except for the ones marked "Remote Code Execution" and "Critical". No sweat.

    • IE8 on Win7 (32bit/64bit) is just as vulnerable, re-read that bulletin!

      This emergency update includes the CanSecWest fixes where they 0wned a Win7 IE8 system in minutes! There were a hundred Microsoft employees at CanSecWest and they were left scratching their heads because they didn't understand the exploit right away. It was a sophisticated manipulation of realtime memory locations.

  • OS versus Browser (Score:3, Informative)

    by sunderland56 (621843) on Tuesday March 30, 2010 @05:26PM (#31677880)

    If this is an IE bug, why does it only affect some operating systems and not others?

    If this is really an issue with the OS support used by IE, then wouldn't it affect Firefox etc?

    Patch releases really need a "info for geeks" section.....

    • by blair1q (305137)

      the less they say about some things, the fewer people make with the gefingerpoken in the sploit vat

      that doesn't help you with your security, it helps them with theirs

    • Re: (Score:2, Informative)

      by ivonic (972040)

      The way IE integrates with the OS varies between releases. In XP and earlier, items such as Windows Update and Windows help are running on IE. Since Vista, these have been control panel applets instead, giving malicious code executed in IE no power over it.

      Users using another browser wouldn't be able to execute code that affects these components, but if some malicious code successfully attacks an IE user, it could potentially attack other parts of the system where IE is integrated (and to which IE has some

    • by bloodhawk (813939)
      because depending on your OS versions there are built-in mitigations that are not directly related to the browser such as DEP/NX, ASLR and in the case of the Server OS the browser is locked down tight by default. And yes some of those same protections that Windows provides for IE are also available to Firefox. The net effect of the various protection mechanisms means a vulnerability has differing consequences depending on the OS version and Architecture (x86/x64).
  • My solution (Score:3, Funny)

    by stonewallred (1465497) on Tuesday March 30, 2010 @05:58PM (#31678316)
    I just don't use any browser. I refuse to use one that is not 110% secure. Plus it saves me tons of money by not having to pay for internet connection. When I really need to cruise the web, I just plug in the brainstem actualizer and use an avatar to swim through a virtual reality version of the net. And I fight off viruses and malware using a lightsaber. Y'all really need to come to the real geek heaven.
  • Reboot???!! (Score:3, Insightful)

    by jon_cooper (746199) on Tuesday March 30, 2010 @11:18PM (#31682256)
    Why on earth do I have to reboot my system just to patch a web-browser????

    Grrrrr!!!

    And yes, that was a rhetorical question.

  • We all know that one major problem with the Microsoft platform is that it's homogeneous. No matter how many times we hear the "ground up" reengineering story, we get these exploits that work vulnerabilities in a common code base. All of the platforms use the same code. All code has bugs, and one bug might grant entry, while two more might grant privilege escalation, and so once an exploit is found all the machines with that code base are pwned. The solution to this problem is deviously simple: do everyth
