Patch Tuesday — IE7 Clean

jginspace writes "As per the advance notification, Microsoft's monthly security bulletin, released yesterday, addressed five general Windows issues and one in Visual Studio. It also included a fix for a problem in Outlook Express for a total of seven updates. As patch Tuesdays go it was fairly unremarkable. The only general Windows update labeled 'critical' is for a flaw in Media Player. As usual, there's a cumulative update for Internet Explorer, but significantly, the only versions of IE affected are 5 and 6. Version 7 is clean — which is welcome news in this first update since the upgrade was pushed to the world last month. Microsoft was silent on the two zero-day Word holes, one reported here and a new one. Sans is calling this 'Black Tuesday' and recommends patches be applied urgently for the Visual Studio and Media Player vulnerabilities. Sans is recommending the Heise Offline Update utility covered in a previous story."

IE7 really clean?

[jginspace]

Would I be trolling here if I wondered out loud: Did Microsoft really not find and fix anything with IE7 during the last month that they considered worthy of pushing out with this latest bulletin? Consider that this is the first set of updates since IE7 was pushed out to the whole world and how the inclusion of a patch for IE7 would be met with a jaundiced 'business as usual'. I suppose Microsoft just can't win on this can they?

Re:

[ComaVN]

I predict a zero-day exploit for IE7 by tomorrow.
*any* new piece of code has bugs, no matter how good the development team.

clean != free of "critical" updates

[Vandil X]

I fully assume that IE7's phishing filter, like Outlook 2003's Junk Mail Filter, will receive monthly updates from Microsoft to keep it up to date with the latest phising "heuristics".

Depending on your WSUS server's settings, Outlook 2003 Junk Mail Filter updates (and likely IE7 phishing filter updates) may appear as "Critical Updates" despite not actually being security patches for %0-day_exploit_01%.

Re:clean != free of "critical" updates

[Osty]

I fully assume that IE7's phishing filter, like Outlook 2003's Junk Mail Filter, will receive monthly updates from Microsoft to keep it up to date with the latest phising "heuristics".

Actually, IE7's anti-phishing technology is server-based. The judgement of a URL as "phish" or "non-phish" is done completely outside of your browser, outside of your own PC even, so there's no need for heuristic, signature, or filter updates to be pushed to users.

Re:

[Keeper]

They maintain a local whitelist of "sites that definately aren't phishing sites". However, I believe they update that via some sort of background mechanism in IE and not via WU.

Re:clean != free of "critical" updates

[rbochan]

So... every single web site you browse is monitored by a Microsoft server? Yipe. I bet DHS _loves_ that "feature". Can you turn it off?

Even sounds a bit like spyware...

[adds another layer to tinfoil hat]

Re:clean != free of "critical" updates

[Sancho]

It asks you by default, and gives you the option to disable the feature when it does.

Re:

[PsychicX]

The URL is of course hashed before it's transmitted anywhere. So the only sites they can actually recognize are ones that exist in their database as phishing sites. Maybe not hugely comforting, but it's not like they're blasting your browsing behavior back to their servers in plaintext.

Course that didn't stop me from turning it off anyway. I guess there are a lot of retards out there, but I'm not one.

Phishing Filter

[Z34107]

Old news. You can turn the fishing filter off - in fact, when you first run IE7, it asks you if you want to turn it on.

They don't track the computers the filter requests come from. It's certainly techically possible that they could, but conspiracy theories aside, they don't.

Re:

[djupedal]

You're not alone in your speculation. Leave it to an MS troll to slant non-news away from a non-event.

It is more that IE7 by default is put on the backburner in terms of any kind of update activity, simply because it has only been out a month. Doesn't mean it is clean, and certainly doesn't mean anything significant, by any means.

I'm willing to give MS a month breather, but I'm not willing to give a pass to the clean story, at all.

IE7 not clean: Secunia shows 3 unpatched holes

[free2]

IE7 is not clean: Secunia shows there are 3 unpatched holes:
http://secunia.com/product/12366/?task=advisories_ 2006 [secunia.com]

Re:

[cp.tar]

So it appears that the new definition of 'clean' is "we haven't made any patches yet".

Sounds like Stef Murky himself thought up this one...

All better than the days of drive-by downloads

[Beryllium Sphere(tm)]

There's a cross-window injection problem, which could let sleazebuckets.com (if you're viewing them at the same time as you visit your bank) place a popup on top of yourbank.com. This kind of problem is not new. On the one hand that means Microsoft really should have prevented it, on the other hand it means that it's already best practice to have nothing else open when visiting a sensitive site.

There's an address bar integrity problem which "could allow phishing". Again, MS should have used their experience

Day after is when the viruses come out now....

[Quevar]

Since MS has such a regular release schedule for updates, it makes sense that the virus writers have a schedule too - relase it the day after all the security checks. Expect a hole to be announced and exploited within the week.

Or, I could be wrong and the numbers are too low to make it worth the effort. Or, just maybe, Microsoft actually did build a secure product....

But I installed Outlook Express 2 years ago?

[Anonymous Coward]

I uninstalled Outlook Express around 2 years ago using "Add/Remove Windows Components".

However, Windows/Microsoft Update keeps applying patches for "Outlook Express".

I'm sure that if I searched my drive for Outlook Express (or the correct search pattern), I would find that Windows never really uninstalled Outlooked Express. Lies lies lies!

Re:

[phrasebook]

Yeah, just the shortcuts are removed. Ditto Movie Maker, Messenger, Media Player, IE and probably others.

Re:

[flyingfsck]

You don't have to search very far - just have a quick look-see in c:\progra~1

Re:

[oliverthered]

If you clicked uninstall and the application failed to uninstall all of it's components then I'd say you own those components compleatly.
Please GPL Outlook Express for us.

Re:

[cp.tar]

You really want to bring down Open Source, don't you?

There's a reason no-one has done that yet.

Re:

[0racle]

What does it feel like to find out what everyone else knew? This is documented behavior.

Damn.

[sporkme]

What a headline... I thought for a second there that they had recalled IE7.

I assume that only security vulnerabilities will be patched in XP's IE7 until Vista is on the same update schedule as XP. These patches will be fashionably late and will only address the most severe issues with the browser, and that simple compatibility glitches will go unanswered. Once Vista is really rolling along there will be more consistency.

Re:

[sanyam_y]

Does this really qualify to be a headline? To ensure that any news receives maximum hits, all that one needs to do is to include one or all of the following keywords: Microsoft, Gates, Ballmer, Vista and IE7.

Ahhhh

[The Living Fractal]

How much have the network protocols changed since IE was released? And now in version 7 we actually have a program that can (supposedly) capably utilize the protocols? Hell. I guess this is news.

TLF

Article Text Isn't Very Good Journalism

[MSTCrow5429]

The article text is not well-written. It makes mention of a "Sans," without bothering to identify what Sans is. I assume they don't mean the SANS Institute? Just rubbish, not at all well-edited.

Re:

[kanani]

i was going to tell you sans means without, but then i read TFA

clean

[l3v1]

It's good to know, that if they don't release patches, that means IE7 is clean from bugs. I got all comfy and calm now.
 

IE 7 Clean

[achten]

This may be projected as a compelling reason to upgrade your web browser at least !!

Alright everyone, show's over

[strider44]

It's official, IE7 is clean. This shows that Microsoft have gotten all of the bugs and there will be no more patches, ever. Uninstall your virus and spyware scanners - they're not needed anymore.

Seriously, has the situation come to a place for Microsoft where a month with no patches for IE is actually news?

Re:

[strider44]

Aside from that I never said anything about firefox and that the number of patches in no way corresponds to the number of bugs, firefox hasn't had any patches in the last two months since their last major release. This isn't special news.

Re:

[chrisbro]

Seriously, has the situation come to a place for Microsoft where a month with no patches for IE is actually news?

Yes. This thing had systems administrators running because of the forced upgrade and general wariness. Now that it's being proven that it won't wreak havoc on corporate systems, I figure some BOFHs will start to ponder a roll-out after blocking it. If it proves in the short-run to be more secure than IE6 (which isn't saying much, of course), they might jump on it.

As much as /. (justifiably) trash

Re:

[larkost]

The reason the corporations have been blocking it is that it breaks many web apps, including ones based on some of the larger vendors' platforms (Oracle, SAP, etc...). At the university where I work they have blocked it because it breaks with our purchasing system.

Re:

[chrisbro]

Yeah, that was the second part of why we blocked it at work; to wait until it got tested out. We haven't noticed any problems with web apps, but then again, we don't run a lot of apps that require client-side plugins/programs, either. Only thing I've seen is some features of SharePoint will crap it out.

Pushed out?

[pe1chl]

Version 7 is clean -- which is welcome news in this first update since the upgrade was pushed to the world last month.

I know you Americans consider "the USA" the same as "the world", but I can assure you that IE7 was NOT pushed out in the Dutch version of Windows XP. It is not even available as an optional package in Windows update.
And I think it is the same in many other countries.

Re:

[jonwil]

Even if you are running Firefox or Opera or something else as your main web browser, upgrading to IE7 (if you are on a system where IE7 will run) still makes sense, if nothing else for all those applications that embed the IE widget which will get the benifits of all the bug fixes IE7 has. (although if said applications are known to fail with IE7 installed, thats a different matter)

Re:

[Tim C]

Here in the UK, I was notified of it being available by Automatic Update at work on Monday. As I work in the web and we currently have no strategy for dealing with IE7*, I refused and set it not to remind me about it. I have heard of friends who have autoupdate set to download and install automatically who were surprised to find that they'd been upgraded, but that was recently, certainly not "last month".

Still, assuming that everyone is in the same situation as you is hardly a uniquely American trait (altho

Re:

[pe1chl]

Last time I checked, it was not even available in Dutch. That may be one of the reasons it is not offered automatically here.
Looking at the stats on the webserver at work, I see only 3% of MSIE 7 visitors. This means our visitors, which are mainly from the Netherlands, probably don't get this update pushed automatically.
(MSIE 6 is at 78.7% and Windows XP at 68.1%)

Re:

[pe1chl]

Being interested in the US IT industry or US IT news is not the same as equating "the US" to "the world"...

Re:

[PsychicX]

There are only two things I hate: Those who are intolerant of other people's cultures, and the Dutch.

The World

[Z34107]

I know you Americans consider "the USA" the same as "the world", but I can assure you that IE7 was NOT pushed out in the Dutch version of Windows XP.

Silly you. Dutchistan is in a completely different world - there's an ocean between them.

Re:

[Jonsey]

Maybe it hasn't been pushed by WU/MU yet, but here's a link to the bits: http://www.microsoft.com/belux/nl/windows/ie/downl oads/default.mspx [microsoft.com]

Enjoy?

Who owned you today?

[AHuxley]

In Capitalist West Microsoft declare IE clean.
In Soviet Union Politburo declare Chernobyl clean.

Enjoy the Zero Day parade, now with improved security.

There is a patch for IE7 available today.

[Rastignac]

12/12/2006: Update for Internet Explorer 7 for Windows XP (KB928089).
This update resolves a performance issue with the Phishing Filter.

Re:

[Keeper Of Keys]

Even as a pernickety web developer, I wouldn't call a CSS display bug a critical vulnerability.

Why oh why...

[Splab]

does the autoupdater insist on nagging me every 15 minuttes about restarting???? It's so bloody annoying, I know you just updated some of my software, but I'm working so shut the f*** up!

Anyways, you can ask it to bugger off by going to control panel -> administrative tools -> services, find automatic updates, right click and press stop, that will stop it from nagging you about restarting.

Re:

[RabidOverYou]

I've been doing it for a couple of years now. I have one program I have to RunAs administrator, and I logoff as user, login as admin for WindowsUpdate stuff. All in all, very smooth.

The most annoying thing is that you can't dblclick the tray clock to see the monthly calendar; it thinks you're changing the date, which is admin-only. Fixed in Vista.

Re:

[Anonymous Coward]

1. Run gpedit.msc
2. Click on Computer Configuration
3. Click on Windows Settings
4. Click on Security Settings
5. Click on Local Policies
6. Click on User Rights Assignment
7. Double click System Time
8. Add the user account in question

This news saddens me

[The_Revelation]

I have to say that if there was just one Microsoft product that needed patching, IE7 would most certaily be it. I've had numerous clients complain about the absolute incompetency of this browser to do what it is fundamentally made to do - view web pages. Even on my own system I encountered at least one complete crash of IE7 every..single..day that it was installed, not to mention the painfully slow performance of the product. Granted, I didn't do everything in my power to make it stable - was running on de

Handy tool - Check for insecure software

[mmbokaj]

Secunia released a new tool last week. You can use this to verify that you have the latest secure versions of software installed, including MS updates. http://secunia.com/software_inspector/ [secunia.com]

Sans = SANS Internet Storm Center

[brotherash]

The organization referred to as Sans in this article is the SANS Internet Storm Center found at http://isc.sans.org/ [sans.org] You can find the reference to Black Tuesday and more information on this update at http://isc.sans.org/diary.php?storyid=1928 [sans.org]

When did every exploit become 0-day?

[LordOfTheNoobs]

Seems every exploit mentioned lately has been labeled 0-day. I guess they must have solved the problem of the [1-9][0-9]*-day exploits. Of course if we can limit the flaws to only a single day, it limits the time those nasty hackers have to break the systems! Right? What?

SANS "recommends" the Offline Update tool?

[Morinaga]

I'm searching for where SANS has recommended the Heise Security Offline update script and cannot seem to find this information anywhere on the SANS site.

If I can find this evidence it would go a long way towards convincing my security group that my IT organization can use this to develope iso cds.

Re:

[jginspace]

"I'm searching for where SANS has recommended the Heise Security Offline update script and cannot seem to find this information anywhere on the SANS site. If I can find this evidence it would go a long way towards convincing my security group that my IT organization can use this to develope iso cds."

The SANS homepage changed shortly after the editors published this story. For the last few hours it's been the somewhat underwhelming account: "Microsoft Office 2004 (Mac OS X) update was a accident. (NEW)" .

What about the Micro Print in Outlook Problem?

[jeepville]

When you install IE7 and Print emails received in html using outlook. There is a bug where the emails print in about a font of 1.
http://www.microsoft.com/communities/newsgroups/en -us/default.aspx?dg=microsoft.public.outlook&tid=5 3028d9d-6499-4e5c-a928-71fd00e01da1&p=1 [microsoft.com]
This sure seems like a problem. Maybe not critical but if they ladies in my office dont stop complaining about it then it might become critical.

IE is clean like that girl you know..

[kinglink]

You know the one who claims not to have caught an STD, but you've seen her around the free clinic a few times? You know the one. She has documents that say she has a clean bill of health but somehow you don't think there's a Doctor Fakopsky.

Then of course you go out with her and the next day you know what falls off? We've all had that experience, haven't we?

Oddly enough that sounds exactly like IE7. I'll stick with my hotter girlfriend, Firefox. It's true she might have "enhancements" and she might be a little "slower" but at least she's not sleeping around like IE.

Windows 98 and ME out in the cold

[BeerCur]

So we have these vulnerabilities with Outlook Express, Internet Explorer, and other parts of the OS. I'm sure there are a bunch of people... ummm me... that are still using the now unsupported OS's of 98 and ME...

Can Zone Alarm, router firewall, along with Ad-Aware, keep things more or less safe for ME, or is it really time to upgrade?

Re:

[assassinator42]

ME is horrible, you should upgrade to Windows 2000, Linux, or BSD right away. Or at least use Firefox/Thunderbird instead of IE/OE.

Re:

[SEMW]

Yes, you can still keep things reasonably safe; as long as you:

• Have a virus scanner that scans all incoming and outgoing email *before* your email program gets at it (For example, AVG, which is free).
• Have a firewall -- preferably a hardware firewall, but a good software one like Zonealarm will do at a pinch.
• And most importantly -- don't use IE and OE. This isn't any bias on my part, only that any program you use that connects to the internet should be kept completely up to date. Since this is impossib

Re:

[BeerCur]

Thanks, for the information / advice.