Microsoft to Issue Out-of-Cycle Patch for IE

rsw writes "Microsoft will be breaking their normal patch cycle and issuing a patch for the Download.Ject attack (a.k.a. Scob). They claim that the forthcoming patch will be a "long-term solution to the core vulnerability" exploited by Scob." Note that this does not mean that they are replacing IE with FireFox.

The mounting pressure

[Mz6]

Seems as though all of the exploits coming out against IE has finally got to them. I've counted about 5+ just from the Full Disclosure and BugTraq mailing lists in the past few weeks. All of them different in nature of thier attacks.

Firefox

[FortKnox]

Note that this does not mean that they are replacing IE with FireFox.

Good, cause firefox has render problems on slashdot all the time (where as IE doesn't). I don't think its firefox, either, cause it doesn't happen on any other site I go to.

Does anyone use IE anymore?

[AngryScot]

and if they do why?

I mannaged to get my work to use fireFox after showing them a /. thread about it

I've migrated ove...

[Ratchet]

...the most finiky of users, my Mom, to Firefox without her even knowing it. Now if Dad would stop playing Solitaire long enough for me to get at his computer then I'd de-IE him as well.

Re:Firefox

[Billobob]

It could have something to do with the fact that Slashdot doesn't exactly use standards-friendly HTML...

Is there something wrong with me?

[Klar]

shhh, don't tell anyone, but I'm still using IE6.. I dunno, I'm just so used to using it, and it seems to work well for me. I haven't had any virus or security problems(that I know of).. I always want to try firefox after reading posts about its power, but man.. IE is just so..so.. easy.

Re:Firefox

[hattig]

I think it is a problem with Firefox. I've noticed that it happens a lot on table layout pages, especially large ones. Livejournal can have the same problem.

Basically it guesses widths of table cells/columns at some stage, then sticks with them as more of the page loads, and doesn't compensate for the new contents, which may include more tables, which will then overflow other elements on the page. Well, it is something like that. I think it could be solved by merely re-formatting the page after it has fully loaded ... although the simple Resize Font trick fixes everything anyway (ctrl+mousewheel)

My organization just dumped IE for Firefox

[gearmonger]

"long-term solution" hee hee ha ha *snort* [coke comes out nose] riiiight.

Rightly or not, that Homeland Defense notice got some peeps in senior management a little spooked and asked our IT department to start making Firefox the default browser on all new systems they set up for employees.

As a long-time Mozilla and Firefox user, I couldn't be happier. Whether it's the right reason or not, I couldn't care -- at least there's a hint at the IE domination trend slowing down a bit, and that is good for consumers.

Re:Firefox is not the answer.

[mbourgon]

"more than 90% of the Internet users out there aren't aware or concerned with IE vulnerabilities."

That's odd. At least every week I have someone mention some new spyware or popup they run into, and how do I deal with it. Many of them are now quite happily running Mozilla or Firefox.

And the problem with viewing people's sites isn't my problem, it's the site's. If it doesn't work, I go elsewhere. And my bank's site works just fine with Moz.

IE vs Mozzy

[Anonymous Coward]

Microsoft may have won the browser-war in the late 1990's but at what cost???

Mozilla/Netscape as of the last couple of years made fantastic progress and is definately now the better browser in both functionality, security and last but not least mozilla looks better to me and renders websites better too...

M$FT should just throw in the towel on IE and reduce its function to Windows Update and able to download Mozilla/Netscape, (just make it a ftp downloader tool)

Re:Firefox

[hattig]

What is sad is the multitudes of fixed HTML examples that Slashdot readers keep coming up with, but still haven't been used even though I remember some of them being done a year ago!

Re:Does anyone use IE anymore?

[syates21]

Please feel free to demonstrate how FireFox can seamlessly (and securely) used a user's workstation credentials to authenticate to a web server without requiring a username/password as IE does with Windows Integrated Authentication.

That is one of the larger issues that cannot be solved by just tweaking some HTML to make it more compliant. It's also a big deal from a user experience standpoint in the corporate intranet world.

Re:Is there something wrong with me?

[Anonymous Coward]

ever saw slashdot's user agents stats? around 78% of all visitors use MSIE. and that's not cause of the faked user agent string because slashdot doesn't use fucked up stat generator software.

Re:Does anyone use IE anymore?

[Unnngh!]

If you look at most large websites that get lots of hits from the random public (i.e. yahoo, etc.), I think you will find that their browser stats show 90-99% of people using IE. Several years ago the place I worked at was at the 99% mark with IE so we simply stopped worrying about Netscape compliance, etc.

Those numbers may have changed some since '99 but even back then Netscape was supposed to be "big". It just wasn't big enough for us to care.

Best Quote From Story

[CHaN_316]

"Our users should have confidence that as long as they're running the latest browser with all the latest security fixes, they will have the most powerful and secure browsing experience." - Microsoft group product manager for Internet Explorer

Yes they should have this powerful secure browser .... funny funny. Maybe they're talking about FireFox 1.0.

I simply HAD to switch to Firefox.

[gpinzone]

It just got too scary for me when my whole PC got infested with spyware. It's true that I didn't have IE patched to the abosulte latest version. However, there's exploits coming out all the time and the time to patch is way too long. I'm glad I did switch and I doubt I'd go back. Firefox's popup filter does everything better than IE with the google toolbar. Adblock is the best comprimise (so far) for simplicity and effective ad blocking.

I admit that the features in SP2 sound promising, but I'm already too comfortable with Firefox.

Avoid IE

[UMhydrogen]

The problem with security does in fact lie within Internet Explorer or many of the Office products. Most of the worms these days either take advantage of 1) Internet Explorer or 2) Outlook or Outlook Express. It should be Microsoft's duty to patch these holes as soon as their brought to our attention. It is nice to finally see Microsoft take a strong stance and release an out-of-turn patch.

This should not surprise you though. As seen by the eventual release of Window XP SP2 you will see a new version of Windows that represents Microsofts new focus on security. Their goal is to make people aware that there are security risks and they must make an active effort to keep their computers up to date and patched. Windows Update will take a more active role and SP2 will include a Virus Program "checker" to make sure you are running some sort of virus protection.

While many of you say that 90% of the Internet Explorer users aren't aware of the security problems, it is microsofts goal to make this aware. I wouldn't be surprised to see the number of unaware users quickly diminish. With all the news about the viruses and exploits, people can't be that dumb to just ignore them. While people may not do something now, when SP2 comes out I have reason to believe that people will begin to realize that they need to keep their computers patched.

Upgrading to Firefox is also a start. While it blocks most of the ActiveX scripts which get exploited, it also provides many additional features, including popup blocking and more.

It would also be nice to see Antivirus or firewall companies taking a more active role in advertising. Firewall programs like Kerio Personal Firewall monitor existing applications and notify the user when an application is trying to be replaced (for example during an upgrade). These firwalls prevent ad-ware and other programs from being installed without the user knowing (for example my roommate had "My Horroscope" somehow installed on her computer without her knowing, meanwhile Kerio blocked it from being installed on my computer).

We're starting to see an age where more people are aware and more companies are making people aware of the security risks of not keeping an up-to-date computer.

Re:Wow

[Anonymous Coward]

But didn't MS say it's the patches that cause the exploits?

Plus the patch won't be ready till NEXT week.
Normally MS doesn't PR their minor patchs. Maybe their Service Packs, but i don't really know.
So, how much of this PR stunt has to do with what Home Land (in)Security had to say about IE?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Firefox

[Anonymous Coward]

Not being funny but sites don't have to generate standards compliant HTML perfectly to work.

It depends on what the actual faults are.

Most of the ones picked up on slash are extra tags in <table> statements which firefox should ignore if it doesn't understand, and the borked URLs that the lameness filter in slashdot makes screwing up the GET variables in them.

Neither of these should cause a browser to break on rendering.

Sure slash *should* generate standards compliant HTML, but just fixing the things that crop up on validator.w3.org isn't going to fix the problems in firefox that are fairly obviously bugs (since the fix is just to resize text up then back down as mentioned in a post somewhere in this thread).

Re:Do people care?

[Anonymous Coward]

Here's what I do;

1. Install Firefox.
2. Ask the person what web sites they visit often.
3. Put the sites in a set of bookmarks and use that set as the 'home page'.
4. Show them.
5. Ask if they want to use Firefox by default.

So far, I've had 3/4 switch. Pop-up blocking, better security, ... all are mentioned in passing and seal the deal, though the tabbed multi-site 'home page' is the winner for some reason.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Remove need for patching...by removing IE.

[Bachus9000]

With Nlite [msfn.org] you can even remove the IE rendering engine. Of course, some things in Windows won't work afterward, but that shouldn't be surprising considering how hard MS has worked to make IE impossible to remove. Take note that Nlite is still very much beta software and has plenty of bugs that need to be worked out, but all-in-all it is a very nice program. Currently it requires the .net framework 1.1, but the author is currently working on a C++ version. I suggest anyone who uses Windows 2000/XP/2003 check it out.

Re:Wow

[HumorousFounder]

I think something to remember here is that IE integrates into a lot of their products so I think a better way of describing the process would be Identify the problem, design a fix, make the fix, test the fix, fix the fix, test the fix, fix the fix, test the fix, deploy the fix, hope that they didn't rush the fix out too quickly and break other peoples software. Weeks not Days or Months (well mabye months on occasion)