Microsoft Releases Critical IE Patch

Posted by CmdrTaco on Wed Apr 12, 2006 10:38 AM
from the but-i-thought-all-patches-were-critical dept.
Laura Brown writes "Microsoft has released its security software patches for April. The most anticipated is the MS06-013 patch, which fixes several IE bugs, including the "createTextRange()" vulnerability. Hackers had been exploiting this problem by installing unauthorized software on PCs."
  • The Exploit (Score:5, Informative)

    by eldavojohn (898314) * <my/.username@@@gmail.com> on Wednesday April 12 2006, @10:40AM (#15114011) Homepage Journal
    If you want to know more about the exploit that this release is supposed to fix, here is a shellcoded form of it [milw0rm.com] (dated 03.22.2006).

    And here's Microsoft's acknowledgement [microsoft.com] of the exploit (dated 03.23.2006).

    And here's an "expert" saying that releasing the above exploit is irresponsible [sys-con.com] (dated 03.24.2006).

    It is now 04.12.2006 and a patch is out to correct it.

    *checks his watch*

    Not bad, but your response time could use some improvement.
    • It was released on the second Tuesday of the month (April 11). Microsoft has been releasing fixes on this schedule for several months now, maybe longer. They do this so that every patch on the release board gets the full testing cycle it deserves. Microsoft rarely releases patches off-schedule now.
      • by eldavojohn (898314) * <my/.username@@@gmail.com> on Wednesday April 12 2006, @10:52AM (#15114112) Homepage Journal
        They do this so that every patch on the release board gets the full testing cycle it deserves.
        Imagine you are Microsoft. This means you have nearly unlimited resources and a consumer base of astronomical proportions. I would imagine that a testing cycle could be accelerated for something as small as patches by an adequately equipped, largely staffed team of people whose sole job is to know IE inside and out and study it daily.

        The following excerpt is alarming [washingtonpost.com]:
        Over the past year, Mozilla averaged about 21 days before it issued fixes for flaws in Firefox, compared with the 135 days it took for Microsoft to address problems.
        I wasn't aware a cycle constituted 135 days.
        Microsoft rarely releases patches off-schedule now.
        That's interesting.

        I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security. I shall take note of that.
        • by Tim C (15259) on Wednesday April 12 2006, @10:59AM (#15114183)
          Unfortunately Microsoft does listen to its customers, and its biggest (and loudest) customers are corporate IT departments. Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

          No, MS doesn't always release patches as quickly as they could, but in this particular case it certainly looks as though they got it out at the earliest opportunity, where this is defined as "as quickly as the largest proportion of their customer base allows them to".

          I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security.

          Blame MS for bowing to pressure from their customers; blame the corporations for bringing that pressure to bear in the first place.
          • by bunratty (545641) on Wednesday April 12 2006, @11:03AM (#15114220)
            Couldn't they at least make the patch available ASAP to those who want it ASAP, and roll it out in a monthly patch cycle for those who want a monthly patch cycle? For the number and caliber of computer science researchers Microsoft has at its disposal, and the priority they've put on increased security, it's strange that they somehow haven't figured out how to do this. Is there some issue I'm not understanding?
            • They haven't figured out how to do what? What does making it available ASAP instead of on a schedule that their major corporate customers have strongly requested have to do with the "number and caliber of computer science researchers" at Microsoft?

              Regardless, they will and do do relevant testing, which takes days to weeks depending on the scope of the change and its effects... sometimes the effects ripple out to third parties, which can further delay deployment.

              I generally don't like Windows the product or many of MS current and prio
              • by Slime-dogg (120473) on Wednesday April 12 2006, @12:08PM (#15114714) Journal

                There is still no legitimate reason for them not to make a patch available as soon as they finish it. They can include the patch in their scheduled cycle, but they can also then cater to the early adopters, and those who don't want vulnerable systems lying around.

            • by boskone (234014) on Wednesday April 12 2006, @11:14AM (#15114308)
              yes...

              many exploits are made by examining the patch, so in most cases, it's better if everyone gets the patch at the same time (crackers and legitimate users) rather than the crackers getting it ahead of business users.
              • However, if information about an exploit is publicly available there is no reason to not get a patch ASAP to those who want that.
                • Actually, that's not true. A patch for a vulnerability often provides a great deal more information about the vulnerability than the original exploit, particularly because it provides malicious people with code pattern samples which might expose other exploitable code. In that regard, Microsoft's response of providing a workaround to block the attack and then providing a correct and fully tested patch later is better than providing a half-baked patch.
              • by MarkByers (770551) on Wednesday April 12 2006, @11:56AM (#15114611) Homepage Journal
                many exploits are made by examining the patch, so in most cases, it's better if everyone gets the patch at the same time (crackers and legitimate users) rather than the crackers getting it ahead of business users.

                If there is already an exploit in the wild (with freely available source code) I really don't see how releasing a patch earlier for home users makes it *easier* to exploit.

                It's just a poor excuse for being slow to patch.
            • by rbochan (827946) on Wednesday April 12 2006, @12:14PM (#15114756) Homepage
              ...For the number and caliber of computer science researchers Microsoft has at its disposal, and the priority they've put on increased marketing bullshit, it's strange ...

              There, fixed that for you.

          • by DrXym (126579) on Wednesday April 12 2006, @11:20AM (#15114353)
            Unfortunately Microsoft does listen to its customers, and its biggest (and loudest) customers are corporate IT departments. Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

            There are probably a few issues to consider here. Whether or not a corporate wants a scheduled regular service, you can sure as hell bet they want the option to receive critical patches as soon as humanly possible. They'll wait for the other things, but critical patches should be available out of band. Secondly, there would be nothing to stop MS releasing the hotfix in the meantime via Windows Update, since most corporates don't use it anyway.

            I think it's extremely poor that MS takes so long to fix such an obvious problem. It's more reason, if any were needed, that a closed source product is no guarantee that it will be any more secure or better supported than an open source one.

          • by BeanThere (28381) on Wednesday April 12 2006, @03:40PM (#15116267)

            Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

            Why, are those customers forced to install it as soon as Microsoft releases it? If they wanted to install it later, they are unable to do so? What's stopping them from waiting? That would not only give them the choice, but give them longer to test the patches first. Yeah I can just picture those alleged customers now: "Hey Microsoft, please give us less choice and greater delays, in fact we demand you do so"

            Stop the FUD, thanks.

    • Re:The Exploit (Score:5, Insightful)

      by Billosaur (927319) * <wgrotherNO@SPAMoptonline.net> on Wednesday April 12 2006, @10:55AM (#15114140) Journal

      Not bad, but your response time could use some improvement.

      From TFA: Microsoft Corp. has released its security software patches for April...

      Microsoft has adopted the policy of "no patch before its time." These patches must be left on the vine, to ripen in the sun, until they are full of succulent flavor that brings out the best in an OS... sorry... anyway, it didn't matter how important the exploit was or that it was compromising machines left and right and letting the botnetters have a field day, Microsoft was in no rush. And you have to admit, that 3 weeks is not bad compared to some exploits which seem to be out there for months before anything is done. Now if Oracle could get their patch time down to three weeks...

      • Re:The Exploit (Score:4, Interesting)

        by darkonc (47285) <stephen_samuel.bcgreen@com> on Wednesday April 12 2006, @04:30PM (#15116742) Homepage Journal
        It's not that Microsoft waited until the patch was 'perfect' to release it. It's that somebody in marketing determined that it's hurting their public image to be releasing 'critical security releases' 2-3 times per week/month/day (depending on how bad the week/month/day is). Instead, they're now releasing patches on a fixed monthly schedule no matter when the fix is ready.

        This makes things easier on the marketing people who don't have to deal with complaints about security patches coming out far too often, but it also means that customers can be exposed to serious (effectively 'zero-day') exploits for up to a month at a time before MS's monthly release kicks in.

        In time, we're going to see hackers 'releasing' their exploits on the Wednesday after patch-day to maximize how many machines they can exploit before the next MS 'patch day'. It's a stupid way of 'serving your customer'.

    • Considering the Windows Help system was exploitable for 7 years [msversus.org] I'd say they're improving, although they still are usually too slow. Today there's no way to know how long they've been aware of any bug. They may know about an exploit for years and just never publicly notify anyone. Or they may not know until a few days before they acknowledge it. Being a closed system that they work under (both software and business), we'll never really know.
      • Being a closed system that they work under (both software and business) we'll never really know.

        And yet Mozilla/Firefox keeps security bugs off of the public bugs list until they are fixed, so you don't know how long Mozilla devs know about security bugs before fixing them either.
  • by Dynamoo (527749) * on Wednesday April 12 2006, @10:40AM (#15114016) Homepage
    Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue [slashdot.org]. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article [techweb.com] with a summary of the changes, along with some links elsewhere.

    This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.

  • by Tominva1045 (587712) on Wednesday April 12 2006, @10:45AM (#15114046)


    If they don't update their products people will comment on how much they suck.

    If they do update them people will claim instability due to the number of patches.

    It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.

    You decide.
    • Most open source projects of equivalent size get patched in 24 hours. Do they have more money? No. Do they have more resources? According to Microsoft, that's another no.

      So how is it that programmers working for free developing a product for free can patch faster than a multimillion dollar company with hundreds of highly paid developers?

      That's the ongoing question.
      • Like- what? that has to be compatible with every pc configuration, with every software configuration, quite literally, known to man.

        1st, what OSP is on par for raw bytes & complexity... to the windows OS?
        2nd- which of that subset gets patches in 24 hours?
        3rd- how often do these "right out the door" patches cause loss of functionality, for a subset of users, as (my line one above) every system configuration possibility was considered in the patch, that is still just works?

        it's kinda herculean if you th
        • Maybe because the Opensource developer is not responsible if the patch / update breaks something else?

          Legally, neither is Microsoft. Read your EULA.

          And in most cases nothing else interacts with or depends on his / their code?

          Yeah, nothing interacts with or depends on sendmail, or glibc, or the Linux kernel...

    • If they don't update their products people will comment on how much they suck.
      If they do update them people will claim instability due to the number of patches.
      It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.
      You decide.

      I hate the fact I have to purchase anti-viral software even though I exercise great care in what I download, install, execute, etc.

      I hate the fact that I have to download patches frequently, which are massive files and I'm still on a dial-up so they can take hours.

      • by sremick (91371) on Wednesday April 12 2006, @12:17PM (#15114781) Homepage
        "I hate the fact I have to purchase anti-viral software even though I exercise great care in what I download, install, execute, etc.

        I hate the fact that I have to download patches frequently, which are massive files and I'm still on a dial-up so they can take hours."


        Actually, you don't. Because you don't "have to" run Windows. Seriously. I'm not trying to be a prick, but to emphasize that somewhere along the line, the user (you) is choosing to run Windows, so you are choosing to take on all these burdens in the process. You can rid yourself of them simply by choosing any of the other growingly-popular OSes out there. Yes it'd be work. Yes the transition might incur costs. Yes you might have to switch apps, convert data, retrain. But you are choosing to do it or not do it, regardless. You can choose the one-time painful conversion, or choose to remain in the eternal servitude to the pains of your status quo.

        Your choice.
    • All software companies fix bugs all the time. Why do we have to have a story every time a bug is fixed in IE or Firefox...? It boggles the mind.
    • If they don't update their products people will comment on how much they suck. If they do update them people will claim instability due to the number of patches. It's a matter of perception.

      No, it's a matter of quality. If the product had been built properly in the first place this vicious cycle would never have been born. However, it was not built that way. You pay now or you pay later - but you do pay, and later always costs more.

  • Does anyone know whether this patch will 'play nice' with the third party patches that've been available for a while?

    I've been recommending them to anyone that was worried about the vulnerabilities - I wish Microsoft would support them, it's very difficult to convince people that the fact that Microsoft doesn't recommend them is because it's bad PR to be seen having to be helped out, and not that the code is full of viruses that destroy your PC.

    Ah well, I only use Windows for gaming anyway.
  • Firefox users point and laugh...
      • Re:Meanwhile... (Score:4, Insightful)

        by dextromulous (627459) on Wednesday April 12 2006, @11:10AM (#15114270) Homepage
        It's not leaked memory. See Here [slashdot.org] for details. There is a difference between leaked memory (memory that is completely lost because it will never be deallocated,) and caching (which is what firefox does.)

        Seriously though, if it is using 1.5gb of memory, you probably have it to spare, otherwise it wouldn't be using it. If this is still unacceptable, you can TURN IT OFF! [mozillazine.org]
      • And Opera users laugh at both...
  • by BoredWolf (965951) <jakew.white@gmail.com> on Wednesday April 12 2006, @10:58AM (#15114172) Journal
    Would it not be better for MS to release individual patches as they are deemed (and I use this word loosely) stable? I can understand the reasoning behind a monthly update, but so many individual users are set for auto-updates. Also, businesses could then install the patches they deem necessary, while avoiding or reverting from patches which cause problems on their networks. This method would prevent the 1-month window (or longer in the case of Service Packs) that hackers have for exploiting a known vulnerability.
  • by Jugalator (259273) on Wednesday April 12 2006, @11:13AM (#15114298) Journal
    Download here [browser.org]

    OK, OK, so I wanted to be different from those "get Firefox" jokes!
  • Let's rename "Internet Explorer" to "Apache Browser". After all, it's becoming "A patchy" browser! :D
  • I understand that MS releases patches on a scheduled, monthly basis because lots of corporate IT departments demanded it (to make their jobs easier). I understand that; there's at least some logic to it.

    What I don't get is why everyone else in the world has to have their system unprotected for an extra couple of weeks. Why can't MS release the patches when they are "stable" and let the IT departments schedule their own updates as frequently or infrequently as they see fit? And further, is scheduling really *that* much more important than security for large companies?
  • by suv4x4 (956391) on Wednesday April 12 2006, @11:30AM (#15114418)
    The patch in question patches not less than 10 critical patches in IE and Windows that can be used to compromise your system.
  • Source (Score:2, Informative)

    Downloadable immediately from here [getfirefox.com].
  • This is "News for Nerds. Stuff that Matters."; a serious IE exploit seems to fit neither category.
    • by gregarican (694358) on Wednesday April 12 2006, @10:53AM (#15114126) Homepage
      Probably. There are many hidden places in Windows where the default browser might not be Firefox. For example, if you use Microsoft Lookout and have mail message format set as HTML perhaps. Or certain other apps might launch IE when displaying HTML content too. To play it safe I would download and install the patch.
      • Don't forget all the proprietary apps out there that use the IE ActiveX plugin!
      • There are many hidden places in Windows where the default browser might not be Firefox.

        Essentially almost any Windows app that displays HTML and isn't either Firefox, Mozilla, Opera or Thunderbird is most likely using mshtml.dll and so is likely to be vulnerable to the exploit.

        Bottom line is that any Windows user should download and apply every IE update whether they use IE or not, as simply not using IE does not guarantee safety.
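        A check to go with the comment above, added here and not part of the thread: it lists the running processes that currently have mshtml.dll loaded, so "I don't use IE" can be compared against which programs are actually hosting the IE rendering engine. It assumes a Windows host with PowerShell and an elevated session; nothing about specific processes or versions is taken from the page.

```powershell
# Added example (not from the thread): enumerate processes hosting the IE
# rendering engine. Any process that has mshtml.dll mapped renders HTML with
# IE's code and therefore needs the IE update regardless of the user's
# "default browser" setting. Run elevated so that more processes can be opened.
$engine = 'mshtml.dll'

$hosts = foreach ($p in Get-Process) {
    try {
        # Process.Modules throws for protected or 32/64-bit-mismatched processes;
        # those are simply skipped rather than aborting the scan.
        $mods = @($p.Modules | Where-Object { $_.ModuleName -ieq $engine })
        if ($mods.Count -gt 0) {
            [pscustomobject]@{
                Name        = $p.ProcessName
                PID         = $p.Id
                EnginePath  = $mods[0].FileName
                FileVersion = $mods[0].FileVersionInfo.FileVersion
            }
        }
    } catch {
        # Access denied, or the process exited while it was being inspected.
    }
}

$hosts | Sort-Object Name | Format-Table -AutoSize
"{0} running process(es) currently host {1}" -f @($hosts).Count, $engine
```

        The FileVersion column shows which build of the engine each process is running, which is the value to compare against the version shipped by the update after it has been installed.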
    • Re:Why? (Score:3, Insightful)

      Why the hell is anyone still using IE?

      Unfortunately, it's because of corporate inertia. Take my company, for example. I'm the IT department (no, that's not a typo) for a small Canadian company that is owned by a large European company. I've removed the big 'e' from everyone's desktop, installed Firefox, and told everyone to use it.

      Unfortunately, we have a couple of applications we can only use through a centrally-administered terminal server environment. That environment includes IE. And of cours