Patch Tuesday — IE7 Clean

jginspace writes "As per the advance notification, Microsoft's monthly security bulletin, released yesterday, addressed five general Windows issues and one in Visual Studio. It also included a fix for a problem in Outlook Express for a total of seven updates. As patch Tuesdays go it was fairly unremarkable. The only general Windows update labeled 'critical' is for a flaw in Media Player. As usual, there's a cumulative update for Internet Explorer, but significantly, the only versions of IE affected are 5 and 6. Version 7 is clean — which is welcome news in this first update since the upgrade was pushed to the world last month. Microsoft was silent on the two zero-day Word holes, one reported here and a new one. Sans is calling this 'Black Tuesday' and recommends patches be applied urgently for the Visual Studio and Media Player vulnerabilities. Sans is recommending the Heise Offline Update utility covered in a previous story."

IE7 really clean?

Would I be trolling here if I wondered out loud: Did Microsoft really not find and fix anything with IE7 during the last month that they considered worthy of pushing out with this latest bulletin? Consider that this is the first set of updates since IE7 was pushed out to the whole world and how the inclusion of a patch for IE7 would be met with a jaundiced 'business as usual'. I suppose Microsoft just can't win on this can they?

Re:clean != free of "critical" updates

I fully assume that IE7's phishing filter, like Outlook 2003's Junk Mail Filter, will receive monthly updates from Microsoft to keep it up to date with the latest phising "heuristics".

Actually, IE7's anti-phishing technology is server-based. The judgement of a URL as "phish" or "non-phish" is done completely outside of your browser, outside of your own PC even, so there's no need for heuristic, signature, or filter updates to be pushed to users.

Re:clean != free of "critical" updates

So... every single web site you browse is monitored by a Microsoft server? Yipe. I bet DHS _loves_ that "feature". Can you turn it off?

Even sounds a bit like spyware...

[adds another layer to tinfoil hat]

Re:clean != free of "critical" updates

It asks you by default, and gives you the option to disable the feature when it does.

IE7 not clean: Secunia shows 3 unpatched holes

IE7 is not clean: Secunia shows there are 3 unpatched holes:
http://secunia.com/product/12366/?task=advisories_ 2006 [secunia.com]

But I installed Outlook Express 2 years ago?

I uninstalled Outlook Express around 2 years ago using "Add/Remove Windows Components".

However, Windows/Microsoft Update keeps applying patches for "Outlook Express".

I'm sure that if I searched my drive for Outlook Express (or the correct search pattern), I would find that Windows never really uninstalled Outlooked Express. Lies lies lies!

Damn.

What a headline... I thought for a second there that they had recalled IE7.

I assume that only security vulnerabilities will be patched in XP's IE7 until Vista is on the same update schedule as XP. These patches will be fashionably late and will only address the most severe issues with the browser, and that simple compatibility glitches will go unanswered. Once Vista is really rolling along there will be more consistency.

Ahhhh

How much have the network protocols changed since IE was released? And now in version 7 we actually have a program that can (supposedly) capably utilize the protocols? Hell. I guess this is news.

TLF

Article Text Isn't Very Good Journalism

The article text is not well-written. It makes mention of a "Sans," without bothering to identify what Sans is. I assume they don't mean the SANS Institute? Just rubbish, not at all well-edited.

clean

It's good to know, that if they don't release patches, that means IE7 is clean from bugs. I got all comfy and calm now.
 

IE 7 Clean

This may be projected as a compelling reason to upgrade your web browser at least !!

Alright everyone, show's over

It's official, IE7 is clean. This shows that Microsoft have gotten all of the bugs and there will be no more patches, ever. Uninstall your virus and spyware scanners - they're not needed anymore.

Seriously, has the situation come to a place for Microsoft where a month with no patches for IE is actually news?

Pushed out?

Version 7 is clean -- which is welcome news in this first update since the upgrade was pushed to the world last month.

I know you Americans consider "the USA" the same as "the world", but I can assure you that IE7 was NOT pushed out in the Dutch version of Windows XP. It is not even available as an optional package in Windows update.
And I think it is the same in many other countries.

Who owned you today?

In Capitalist West Microsoft declare IE clean.
In Soviet Union Politburo declare Chernobyl clean.

Enjoy the Zero Day parade, now with improved security.

There is a patch for IE7 available today.

12/12/2006: Update for Internet Explorer 7 for Windows XP (KB928089).
This update resolves a performance issue with the Phishing Filter.

Why oh why...

does the autoupdater insist on nagging me every 15 minuttes about restarting???? It's so bloody annoying, I know you just updated some of my software, but I'm working so shut the f*** up!

Anyways, you can ask it to bugger off by going to control panel -> administrative tools -> services, find automatic updates, right click and press stop, that will stop it from nagging you about restarting.

This news saddens me

I have to say that if there was just one Microsoft product that needed patching, IE7 would most certaily be it. I've had numerous clients complain about the absolute incompetency of this browser to do what it is fundamentally made to do - view web pages. Even on my own system I encountered at least one complete crash of IE7 every..single..day that it was installed, not to mention the painfully slow performance of the product. Granted, I didn't do everything in my power to make it stable - was running on default settings when I knew very well I could turn these off and run with the bare minimum of settings - but just the hastle of going to HP web sites and having the content blocked as potentially malicious code or the way the program can't render slashdot comments properly, or most web sites for that matter. urgh. It may be secure, but it doesn't do what I would expect a web browser to do - browse the web. And the browser tab functionality lacked the one feature I have come to expect from tabbed browsing - for the browser to remember what pages I was looking at, so that every time it crashed I didn't have to work out what I was up to. I know this is a big bitch session about the obvious shortcommings of IE7, but come on!! how can you release such an obviously flawed product and neglect to update it a month after its release? On a side note - since removing IE7 from my machine my notebook will now successfully hybernate again. Coincidence?

Handy tool - Check for insecure software

Secunia released a new tool last week. You can use this to verify that you have the latest secure versions of software installed, including MS updates. http://secunia.com/software_inspector/ [secunia.com]

Sans = SANS Internet Storm Center

The organization referred to as Sans in this article is the SANS Internet Storm Center found at http://isc.sans.org/ [sans.org] You can find the reference to Black Tuesday and more information on this update at http://isc.sans.org/diary.php?storyid=1928 [sans.org]

When did every exploit become 0-day?

Seems every exploit mentioned lately has been labeled 0-day. I guess they must have solved the problem of the [1-9][0-9]*-day exploits. Of course if we can limit the flaws to only a single day, it limits the time those nasty hackers have to break the systems! Right? What?

SANS "recommends" the Offline Update tool?

I'm searching for where SANS has recommended the Heise Security Offline update script and cannot seem to find this information anywhere on the SANS site.

If I can find this evidence it would go a long way towards convincing my security group that my IT organization can use this to develope iso cds.

What about the Micro Print in Outlook Problem?

When you install IE7 and Print emails received in html using outlook. There is a bug where the emails print in about a font of 1.
http://www.microsoft.com/communities/newsgroups/en -us/default.aspx?dg=microsoft.public.outlook&tid=5 3028d9d-6499-4e5c-a928-71fd00e01da1&p=1 [microsoft.com]
This sure seems like a problem. Maybe not critical but if they ladies in my office dont stop complaining about it then it might become critical.

IE is clean like that girl you know..

You know the one who claims not to have caught an STD, but you've seen her around the free clinic a few times? You know the one. She has documents that say she has a clean bill of health but somehow you don't think there's a Doctor Fakopsky.

Then of course you go out with her and the next day you know what falls off? We've all had that experience, haven't we?

Oddly enough that sounds exactly like IE7. I'll stick with my hotter girlfriend, Firefox. It's true she might have "enhancements" and she might be a little "slower" but at least she's not sleeping around like IE.

Windows 98 and ME out in the cold

So we have these vulnerabilities with Outlook Express, Internet Explorer, and other parts of the OS. I'm sure there are a bunch of people... ummm me... that are still using the now unsupported OS's of 98 and ME...

Can Zone Alarm, router firewall, along with Ad-Aware, keep things more or less safe for ME, or is it really time to upgrade?

Re:IE7 was a rewrite

Even as a pernickety web developer, I wouldn't call a CSS display bug a critical vulnerability.