Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Uber-patch for Internet Explorer 590

malevolence writes: "According to The Register, Microsoft has released an Uber-Patch for Internet Explorer that fixes all known security problems, as well as 3 new ones, including the content-type issue that was reported on slashdot a few days ago."
This discussion has been archived. No new comments can be posted.

Uber-patch for Internet Explorer

Comments Filter:
  • Uber Patch (Score:4, Funny)

    by IgnorantKnucklehead ( 324494 ) on Friday December 14, 2001 @03:33PM (#2705499) Homepage Journal
    What does the "uber patch" do, install Mozilla?
    • by Negadecimal ( 78403 ) on Friday December 14, 2001 @03:35PM (#2705515)
      Or better, Magic Lantern.

      It'd be the perfect trojan horse... MS gets leniency from the DOJ in exchange for some...favors.
      • Even weirder... (Score:5, Interesting)

        by oGMo ( 379 ) on Friday December 14, 2001 @03:50PM (#2705573)

        What if it was the reverse. The DOJ gives MS leniency, but calls in a favor with the FBI to announce some "Magic Lantern" spyware, and suddenly open projects become very popular....

        ...naw. ;-)

      • Oh, come ON. (Score:2, Informative)

        by corky6921 ( 240602 )
        The news article [excite.com] about Magic Lantern, which you apparently failed to read when it was posted to Slashdot [slashdot.org], contains the following text:

        "When asked if Magic Lantern would require a court order for the FBI to use it, as existing keystroke logger technology does, Bresson said: 'Like all technology projects or tools deployed by the FBI it would be used pursuant to the appropriate legal process.'" (my emphasis)

        So unless the FBI has gotten a court order against the 84.8% of web surfers [internet.com] who use Internet Explorer, this is pure FUD.

        Sheesh.
      • In MS we trust. (Score:3, Interesting)

        by doodleboy ( 263186 )
        I would just like to say at the outset that I am not a raving nut. But I have puzzled at the unusually close relationship between Microsoft and the Bush administration. And consider the following disclaimer from the End User License Agreement (EULA) at passport.com:

        .NET Passport will disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to:

        . . . d. Act under exigent circumstances to protect the personal safety of users of Microsoft, the .NET Passport Web Site, or the public.


        With the recent terrorist activities and the sweeping new anti-terrorist legislation, any "exigent circumstances" could be said to be met as a matter of course. So what guarantees do we have that MS and the gov't doesn't have a secret agreement in place to continuously sift and profile all the data (OUR data) that the .Net databases will surely contain? And is there a person on the planet who believes that MS wouldn't use its users privacy as a bargaining chip to extract a favourable deal from the gov't? (Not that they ever had any respect for it before, of course.)
    • how long this patch was developed. Suddenly when the hole is "announced" wammo! a patch in 3 days. Maybe Microsoft doesn't want to reduce it's "features"
      • or maybe the announcement was part of Microsoft's PR plan to get everyone to download this "uber-patch." Or maybe slashdoters (myself included) are just paranoid nerds that haven't been diong "stuff that matters" in too long.
  • Hmm. (Score:3, Informative)

    by Shaman ( 1148 ) <shaman@[ ].net ['kos' in gap]> on Friday December 14, 2001 @03:33PM (#2705501) Homepage
    I thought this was the bug that couldn't be fixed because it was worked so deep into the OS.
    • tee hee (Score:5, Insightful)

      by Frac ( 27516 ) on Friday December 14, 2001 @04:01PM (#2705619)
      Michael exaggerated this exploit beyond belief [slashdot.org]:

      If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten.

      Good grief! Can somebody link to the tens of thousands of "designed for IE" webpages that are currently incompatible as a result of this patch?

      In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.

      Eerrr.. a proper "fix" of Michael's previous article probably involves a higher level of computer literacy, and less impulsive urge to write expository essays that sound dramatic, but are wrong.
      • Re:tee hee (Score:5, Insightful)

        by DeadMeat (TM) ( 233768 ) on Friday December 14, 2001 @04:42PM (#2705839) Homepage
        Good grief! Can somebody link to the tens of thousands of "designed for IE" webpages that are currently incompatible as a result of this patch?
        Well, there would be a problem, but it's not something awful IE-specific HTML brought about. Since IE half-ignores MIME types, servers that don't have proper MIME types set up could suddenly have file associations break on their Web page. I was recently asked by someone about a problem they were having with .M3U files getting downloaded as text or being asked to be save them to disk in anything but IE. Turns out the Web server didn't have a MIME type set up for M3U files, and the guy who ran the server just argued "it works fine in IE."

        So yeah, it would be a kinda big problem, and it's Microsoft's fault (if they wouldn't have set up a brain-dead policy of not handling MIME types properly then the servers would have been set up right to begin with). But it's not a "Designed for IE" page thing, and I doubt it's in the thousands of pages. Most pages that don't get the kind of traffic where somebody would notice bad HTML (e.g. homepages) are hosted on GeoCities/Angelfire/whatever which already have MIME types set up right.

  • by Mike Schiraldi ( 18296 ) on Friday December 14, 2001 @03:34PM (#2705510) Homepage Journal
    Boy, Microsoft sucks. This patch doesn't even address future, yet-to-be-discovered vulnerabilities.
  • Could you have been any LESS enthusiastic about that blurb? What, have your hopes for "armageddon courtesy of your pals at Microsoft" been obliterated? Sorry to hear it.

    Anyway, this is a really good indication on the part of MS...perhaps an indicator of more initiative on these problems in the future. I definitely think that this is the type of thing that they need to continue if they wish to salvage their reputation at all...
    • by FortKnox ( 169099 ) on Friday December 14, 2001 @03:55PM (#2705590) Homepage Journal
      I have to agree about the anti-microsoft atmosphere here. Not only with this statement but all the "It deletes IE!" "It installs Mozilla!" jokes just make you people look like you are desperate to fit in. Its pathetic!

      IE is the best browser out there. Check ANY review. And MS has jumped to fix a bug that everyone found (notice the GAPING HOLE in Solaris/AIX [slashdot.org] systems that still isn't patched? Why aren't you going off on that?)

      Remember when you had to purchase Netscape, but IE was free?

      Mozilla MAY -become- better, but it isn't, yet. If you give me that "IE doesn't run in Linux" then why are you even posting to this article?

      You guys need to be less Open Source/Anti-Microsoft Zealotous.

      I'd post anonymously to preserve karma, but the authors already know my IP (see sig).
      • You better check your info again bud.... It is patched. at least Sun and IBM.

        Besides, anyone not using ssh rather than telnet and rlogin is not very worried about security anyway.
      • If IE is "the best browser out there", then how do you explain the BILLIONS and BILLIONS of dollars in lost productivity every year due to spreading of MICROSOFT-BORNE VIRII?

        Well?
        • Outlook is most of them. And I never claimed that Outlook is a great email program. Not to mention the hundreds of clueless users that open any attachments sent to them.

          And if I was to create a browser virus, I'd target the most used browser, and the browser that the "clueless-mother-type" users use.

          That isn't an insult to IE, but for computer/internet learners, IE is the browser they learn on.

          If linux was the biggest OS and Mozilla the largest browser, I think you'd find more Virii in linux and mozilla.

          Target the many, target the weak (users). That's what virus writers do.
      • Remember when you had to purchase Netscape, but IE was free?

        No, I was a student back then. How is this relevant anyway? (Remember when IE TOTALLY SUCKED?) So MS had deeper pockets than Netscape. So what? How much do you have to pay for mozilla?

        Mozilla MAY -become- better, but it isn't, yet.

        For me it is. For everyone else, who cares?

        The bias on /. is VERY old news.

      • "IE is the best browser out there. Check ANY review. " Maybe it's just my opnion, but I the opera http://www.opera.com is better. It's faster and in my experience far more stable on NT and in 2000. Most reviews to date ignore or are unaware of opera's existence. Give it a try. I do however agree with your overall point, people to need be a little less biased on slashdot. Just dont step too far pointing it out with dubious statements like the above as it will only result in the people your talking to ignoring you as ignorant. Though I'm not sure they won't simply because they disagree. The line between troll and zealot is kind blurry.
      • No brainer... (Score:3, Insightful)

        by sterno ( 16320 )
        How many gaping security holes has Mozilla had?

        The BEST is all in how you measure it, non?

        Although realisitcally this isn't so much a flaw in IE, rather it is a flaw in the tight integration of IE and windows. How many of the major Microsoft security problems it the last couple of years can be directly tied to the integrations between the operating system and the applications? Frankly I can't think of many that aren't directly attributable to that.

        It all boils down to the usual sacrifice of security for convenience. A computer in a 6 foot thick block of concrete at the bottom of the ocean is very secure and nearly unusable. Microsoft has chosen to focus more on convenience and their security must pay the corresponding price.
        • I was just a CS undergrad at UC Berkeley. The year was '96. Netscape dominated the market. Eric Brewer (founder of Inktomi) and his group of grad students continually found security flaws in Netscape. They received a lot of press. Netscape looked bad.

          It's no different with IE now. It's possible that Mozilla really is less flawed than IE, but I guar-an-tee that if it had 85% of the market, we'd be hearing about security problems all the time. I'm not a MS apologist, I just want to shed some light.
      • by SCHecklerX ( 229973 ) <greg@gksnetworks.com> on Friday December 14, 2001 @04:38PM (#2705818) Homepage
        IE is the best browser out there.

        Care to back this up? Have you used the alternatives? In case you missed it, here is what Moz has that is lacking in IE:

        • Best CSS2 Compliance out there. IE totally screws up my CSS2 compliant web page. Mozilla, Konqueror, Opera render it properly.
        • Tabbed browsing. Open separate windows, or open tabs within an existing window. Great feature for browsing slashdot, keeping similar stuff together in one window with tabs while browsing other stuff in a separate window
        • Full control over what javascript functions/objects/features are allowed to execute on a per-site basis. You can even globally kill the popup on page load bullshit (the only real reason I've found to disable javascript so far)
        • Cookie management on a per-site basis
        • Image management on a per site basis. Allow/disallow images, stop animated gifs, etc.
        • Site navigation bar for sites that use that old forgotten tag (like slashdot). This is very cool and useful.
        • Proper implementation of a 'favicon' that, get this, uses ANY SUPPORTED IMAGE FORMAT, not that M$ specific .ico crap. Use a PNG and you can use alpha channels. Imagine that.
        • FAST rendering engine. Much better than IE (especially in recent builds!) This is VERY significant for modem users who have to sit and wait for IE to figure out what is in a table before rendering it, while moz's engine pops it up as it comes down. Slashdot renders here in under a second.

        Those are just some of the highlights of why mozilla is the better browser and quite frankly, blows away IE, even as prerelease software


      • I actually really do like mozilla more than IE now. Mozilla basically supports everything IE does, now, and has some extra nice features like tabs.

        I agree with you about the anti-microsoft stuff. I hate microsoft too, but I think it's just wishful thinking on the part of slashdot kids that Microsoft software is automatically insecure and Linux/UNIX is automatically secure. I recall many recent high-profile vulnerabilities in linux software, for instance, and to get rooted through those I didn't need to browse to some hacker's site -- just sit back and let them do all the work.

        Personally, I think as MS moves to .NET and higher-level, safe languages like C#, they are going to be the ones laughing at us. I wish it wasn't so...
      • IE the Best? (Score:2, Informative)

        by zelyan ( 222028 )
        I'm not a Karma Whore, as my karma will immediately show, so please don't think I'm saying this just for the points. I'm not convinced that IE is the best out there.

        For years I used Netscape and loved it, up through about 4.0 (4.5-7 are bad, bad, bad). I even used 4.7 for a long time, before finally deciding that I just couldn't live with the shitty rendering, slow reaction time, and general bugginess. So I tried IE, just to see how bad it was.

        And it was amazingly fast, clean, and surprisingly not crashy, considering it was Microsoft's. Slowly, I started to accept that IE was the best browser out there. And I used IE, and netscape actually disappeared from my computer.

        Sure, I tried Mozilla, and Netscape 6.0 and 6.1. Quite honestly, they're crap. They're slow, not particularly stable, and ugly. But mostly they're just slow, fucking slow. It's not just loading the program, it's also in large part that I open a page and Mozilla takes about three times as long to render as IE.

        But when I read that security page the other day, I found a new program to try. So I tried it: Opera. I last used Opera on a mac a couple of years ago, when it was small, shitty, buggy, and lacking features, like security. So I wasn't really expecting anything.

        Opera is fucking brilliant. It's fast--it's actually faster both to load and to render pages than IE. It gets rid of a lot of the useless shit that IE throws up--like dialogs to go from secure to insecure. It has security, it has a full feature set (at least, all the stuff I use, like plugins and java and working pages). It lets me use the keyboard more than IE.

        And the best part: it lets me block out pop-up windows. You have no idea how amazing a feeling it is to go to a site that throws pop-ups at me like mad and watch them, well, not load. No idea until you try it. It even pretends to be IE for pages that require IE.

        I have had one page fail to load correctly--a credit card account page. But considering it loads wrong half the time in IE, it's not too bad. Still, I'm keeping IE around (and patched it) in case I find something glaringly wrong with Opera, but until that time, I'm happy with this.

        Oh, did I mention it sits in _half_ the memory footprint of IE, and about a third of Mozilla?

        Check it out. Opera [opera.com]. It's not Open Source, but then again, if we're talking about IE, we're talking about windows, so...

        Jeff

        • Sure, I tried Mozilla, and Netscape 6.0 and 6.1. Quite honestly, they're crap. They're slow, not particularly stable, and ugly.

          Now.. which chrome is ugly? Calling a completely skinnable browser ugly doesn't make sense.. sorry.

          And, Mozilla reports less crashes than netscape 4.x ever had - so they are actually an improvement above Netscape even when you used it.

          As far as speed, I'm not sure what you are doing wrong but it is very quick. I use Mozilla extensively and exclusively and it is exceptionally fast. As far as your memory foot print comment, you realize you can't accurately guage IE's memory foot print? It's threaded into the shell, too.

          Mozilla still has a way to go, but anyone who thinks it's slow, ugly, and unstable obviously hasn't used it recently. Or ever, feel free to prove me wrong - but it runs as fast (faster than IE on another box of the same specs) as I could want it to.
  • by Fatal0E ( 230910 ) on Friday December 14, 2001 @03:36PM (#2705525)


    Just when I thought that I knew the difference between a Service Pack, Security Rollup Patch and a cumulative Hot Fix they go and release a Security Bulletin like this one.

    • by Chundra ( 189402 ) on Friday December 14, 2001 @04:05PM (#2705641)
      Ok it's easy:

      Service Packs are the small, 6-8oz cups with the foil tops. They usually contain yogurt or pudding.

      Rollup Patches are dried fruit puree attached to thin plastic wrap. You tear the fruit substance off the plastic before eating.

      Hot Fixes are the things you remove from the plastic bag and put in the microwave. They usually consist of some sort of bread substance with a meaty and/or cheesy filling.

      Hope that clears things up.
  • by Rev.LoveJoy ( 136856 ) on Friday December 14, 2001 @03:38PM (#2705540) Homepage Journal
    This is a step in the right direction, but I still have to install the thing on every single g-damn peecee in my enterprise.

    For those of us with less than a few hundred MS clients (read: fewer clients that would make usefull something as heinous as SMS push upgrades) the issues are still very clear:

    1). It takes too much time to keep up on MS software patches.

    AND

    2). Once you know what you need you still have to go box to box to box to patch (in *most* cases).

    Granted the 'uber-patch' will help, but it still means I need a couple more inters to walk from machine to machine and interrupt users. IMO, patch managment tools should be MS's #2 priority (right behind 'getting it right the first time').

    Cheers,
    -- RLJ

    • by michaela ( 31955 ) on Friday December 14, 2001 @04:01PM (#2705623) Homepage
      I have found two solutions around this (although I agree about SMS pricing).

      1. Require domain logins, don't even provide local logins to the machine. Then, as part of the logon procedure, use a logon script. Look in the patch archive to find the list of files it updates. In the logon script, check the timestamp on three of them and if they're out of date, run the updater.
      2. Install VNC server on the user stations and set it to run at bootup. Then you can do nearly any administration task short of recovering from a complete blowout without leaving your desk. Do it after hours and you can reboot the machines right away. Or, use parts of #1 with a logout script instead to reboot the machine the next time they log out.
      • Require domain logins, don't even provide local logins to the machine. Then, as part of the logon procedure, use a logon script. Look in the patch archive to find the list of files it updates. In the logon script, check the timestamp on three of them and if they're out of date, run the updater.

        The patch that blew up this approach for us was MS01-50. It had two critical patches to apply at the same time, and the system tried to apply both at once, when you needed a reboot for each. Guess who was "volunteered" to re-patch the machines.

        *sigh* It's Friday afternoon. Time to go home. No more f*cking patches to do.

        • by Anonymous Coward on Friday December 14, 2001 @04:39PM (#2705824)
          *sigh* It's Friday afternoon. Time to go home. No more f*cking patches to do.


          Not so fast, buster. First we need you to change the toner cartridge on the LJ4 up on third floor.

          hup-hup to it, now, IT boy. The girls in the secretary pool don't call you 'sysadmin' (while smirking) for nothing.
      • 2 good ideas! The login scripting does fall down occassionally (as with respect to what the earlier respondant had to say - I have been in that boat as well).

        I have been pining to get VNC (or just about any remote desktop app) on the clients for some time. My one concern here is that I don't know much about VNC's security implications. I think I'll do some reading...

        Cheers,
        -- RLJ

        Offtopic - I find it interesting that the flames are by anon cowards and do not contain supporting materials. Hmmmm ... :-)

    • by Anonymous Coward
      So I guess you've never heard of installation or SMS servers that make an installation of this nature possible at the click of a single button from any workstation in the company? Microsoft had them out years ago. Currently Windows Update and Dynamic Update can be pointed to intranet servers. Active Directory, MSI, or WMI can "push" installations automatically from centralized locations as well, again at the click of a button and without interrupting the user. Maybe you need to start researching solutions for this problem instead of complaining about them to slashdot?

      Walk to individual machines. Hah, that's so 80s.
    • Patching occurs on all software that is well maintained. I would be very upset if all companies did not patch software. I agree that updating a system can be a nightmare but without it trouble will soon follow. No matter what the OS/application is a progressive series of steps is important to making a mature product. Many open source products get their strength from the fact that work is not only always being done but that end users in theory receive a better product threw a testing process. Patching may not be a pretty name and Microsoft has a way of making anything feel dirty but it is a good step even if a company I don't support takes it.

      Oh yeah just my opinion I could very well be wrong.
    • Why not just replace your home page with a trojan that runs the patch?

      If you want to prioritize who gets patched first, you can send the patch as an email to everyone and warm them not to run it. The ones you need to worry most about will be the first patched...
  • For IE 5.5 users (Score:4, Informative)

    by The Bungi ( 221687 ) <thebungi@gmail.com> on Friday December 14, 2001 @03:39PM (#2705545) Homepage
    This does not appear to be a service pack, and the target builds listed for the hotfix are only IE 5.5 SP2 and 6, so you'll need to head here [microsoft.com] to get yer SP and then install the hotfix (get directly to it from here [microsoft.com]).

    It seems unlikely that the SP2 for 5.5 includes this as of right now, although it will eventually (I know sometimes I'll download an SP and take a few days to actually install it). Check your versions before you plunge your box into browser hell =)
  • Download URLs (Score:5, Informative)

    by nstrom ( 152310 ) on Friday December 14, 2001 @03:39PM (#2705546)
    Here's the direct download URLs, so you don't have to wade through MS's crufty site:

    for IE6:
    http://download.microsoft.com/download/IE60/secpac 23/6/W98NT42KMeXP/EN-US/q313675.exe [microsoft.com]
    for IE5.5:
    http://download.microsoft.com/download/ie55sp2/sec pac23/5.5_SP2/WIN98Me/EN-US/q313675.exe [microsoft.com]

    These updates have not yet appeared on Windows Update [microsoft.com].
    • by Cy Guy ( 56083 ) on Friday December 14, 2001 @04:13PM (#2705689) Homepage Journal
      for IE5.5 for IE5.5: [microsoft.com]
      http://download.microsoft.com/download/ie55sp2/s ec pac23/5.5_SP2/WIN98Me/EN-US/q313675.exe


      Note, that is for IE 5.5 SP2 if you have SP1, or plain vanilla 5.5, you will first have to upgrade, so you may want to wait till a full release with the patches is available. SP2 is 17MB download.

      Anyone know what the equivalent version is if you have the AOL version of IE? (not that I do) but you can imagine AOL will be slowed to a crawl if every single user must get an upgrade first to SP2 or IE6, then get this patch. When - oh - when will AOL finally become browser neutral or go entirely to Netscape/Mozilla?
      • Ok, for us crusty corporate types that have IE 5sp2, are we vunerable to these security bugs? My company uses mozilla that has been tweaked for our browser, but they are on windows machines. I still haven't got a IE free windows machine without crashing it. And upgrading these 2500 client machines will cost a chunk of change and time for our small IT department. This sucks we work hard to keep MS from costing money, but still sell to thier customers.
    • Re:Download URLs (Score:3, Interesting)

      by ZzeusS ( 206483 )
      And why the hell have they not rolled it into windowsupdate? I could tell my users:

      Check windowsupdate.

      or.

      Go to this huge MS address. Then go here, or here. Then download and run this.
  • by imuffin ( 196159 ) on Friday December 14, 2001 @03:40PM (#2705552)
    I find it very annoying to try to install Microsoft patches. I work in a place where I am responsible for several windows installations. When I install a M$ OS, in order to patch it, i have to:

    1. Start IE (click through internet connection wizard)
    2. Open the windows update website
    3. Download an activeX application to determine what updates I need
    4. Download and install the updates (often, more than 5!) one at a time, rebooting in between each one!

    It's so much easier to swivel my chair around to my redhat box and do a simple 'up2date -i'.

    I wonder if there's any particular reason why Microsoft makes it so difficult? Do they actually like their security holes?
    • Its because of the way windows works. It wo't let you overwrite a .exe or .dll that is in use, and since IE is so tied into the OS itself, most of the IE components are in use all the time. Therefore you have to reboot in otder for the update to take effect. When rebooted, it copies the file sover while in protected mode, before IE loads.

    • Comment removed (Score:5, Interesting)

      by account_deleted ( 4530225 ) on Friday December 14, 2001 @04:39PM (#2705823)
      Comment removed based on user account deletion
    • Do they actually like their security holes?

      In a word, yes.
      If you think this is a troll, take this little test...
      You have just found out that Your Favorite Operating System, which you run on Your Computer, has a vulnerability which you consider important enough to do something about.
      Do you:

      Locate and apply the appropriate patches for Your Favorite Operating System, and make whatever other changes are necessary to mitigate the situation.

      Learn more about Your Favorite Operating System so that you'll be even better able to assess these threats and prevent vulnerabilities in the future.

      Lose interest, and just continue running Your Favorite Operating System, vulnerabilities and all, and go back to reading Slashdot, surfing the web, etc.

      Get fed-up, say "This is the last straw!" and abandon Your Favorite Operating System, replacing it (and all of the applications, data files, and procedures which depend upon it) with Some Other Operating System which you may have heard about.

      We can all see ourselves or think of others who would react in any (or perhaps all) of the first three ways, all ow which favor the incumbent. I can't think of anyone who would respond similarly to the last, which is the only one which would topple the status quo. With the exception of a few individuals who are charged with setting the strategic computing direction for large organizations, (that is, in a position to dictate what other people will run on their computers) security holes tend to reinforce the market position of the incumbent. And the harder it is to fix, the more time your customers spend with your product (increasing your mindshare) and the less likely it is that the hole will be patched, meaning you'll have another chance in the future to grab their attention again...

      So, if you're charged with selecting a strategy to promote your operating system, your obvious tactics are:

      Focus your energies on those few people who set the computing direction for major corporations.

      (IFF you are the incumbent) Don't worry about security, because as long as you have a majority share of the market any security hole will only increase your mindshare. And mindshare is what it's all about.

      Want to know how to apply this to Free Software, Open Source, and Linux?

      Code, if you can. (and can do it well)

      Document, if you can. (and can do it well)

      Report bugs, if you can. (and can do it well)

      But most importantly, Use it.
      By just using the software, you create a habitat for the evolution of the software. If something works well, praise it. If something sucks, say so. The habitat for evolution is the key to success for both proprietary and free software. The key advantage that free software has over proprietary software lies in:

      the ability to try to be all things to all people. Most of these will fail, but the ones that don't will be spot on.

      the knowledge that no one is going to get fired or lose their job for producing something that no one wants. That's an incredibly liberating feeling for a software designer.

      If Microsoft appears to be getting stronger, it's only because they're retreating back onto their own territory.

  • They already applied their uber-patch to the DOJ and it *worked*!
  • 100s of beautiful security fixes... and 3 ugly ones.
    • For those that didn't get this, (and correct me if I am wrong), but this is a reference from a strip club (well, now it's just a topless bar i think, but I haven't been there in several years). Their slogan reads something like "The Deja Vu: 100 pretty girls, and 3 ugly ones."

      I know they have one in SpoCompton (aka Spo-Angeles aka Spokane).

      Since I bet there are a large number of /.'ers who have never been to a strip club, I thought I would point this out.
  • by lblack ( 124294 ) on Friday December 14, 2001 @03:45PM (#2705560)
    Consumers (not just slashdot ubergeeks) will have to sit up and take notice at this one, I think. It's getting a bit more coverage / product placement, and isn't being couched in esoteric terms (MS has a tendency of releasing patches that have descriptions which underplay the effects of not patching, or else are so laden with jargon that the layman cannot quite process them). It really is an "uber patch", and it really is MS saying, "We've been releasing insecure software for awhile. In fact, we're still doing so, as evidenced by the three bugs that you don't even know about that we're patching. Please install this patch or else you're screwed."

    I think consumers can weather something like, "Apply this patch in order to ensure that your copy of internet explorer appropriately identifies content header types and reconciles them with dialogue saving and automated execution routines." because it just looks so *foreign*. Approached from a non-computing background, it looks like something very small and unlikely to affect anyone. This patch, though, looks a bit more like "Oops. Our browser sucks for security. Install immediately."

    Hopefully this will draw peoples attention to:

    1) The importance of frequent patching
    2) The lack of security in MSIE
    3) The problems associated with bundling a browser into core OS functionality (bit more unlikely).

    Of course, the spin is still there, but:

    Who should read this bulletin: Customers using Microsoft® Internet Explorer.

    Impact of vulnerability: Run code of attacker's choice.

    Maximum Severity Rating: Critical

    Recommendation: Customers using IE should install the patch immediately.

    Affected Software:

    Microsoft Internet Explorer 5.5
    Microsoft Internet Explorer 6.0


    ...is still pretty cut & dry. Anyone with even half a brain should realize that if a gaping hole in a consumer product existed through *2* releases (like having a 2000 and a 2001 Honda both explode in flames under appropriate conditions), that product may not be the best built out there.

    Right?

    Of course, I'd be much more pleased if people were being notified via a big ol' link on msn.com, and through a mail from the beloved "Hotmail Staff". What, are they scared of leveraging a monopoly to insure the security of their users?

    -l
  • Only 5.5 and 6.0? (Score:5, Interesting)

    by Anonymous Coward on Friday December 14, 2001 @03:50PM (#2705572)

    I had two users today get the Nimda.E variant via email. It had an interesting header that was included from an html formated email's iframe . . .




    Content-Type: audio/x-wav; name="sample.exe"
    Content-Transfer-Encoding: base64


    I'll leave out the actual format of the email's html. But what happened was Windows tried to run sample.exe right after previewing. No popup box, no nothing. And this was using Outlook Express 5.0 It was a good thing that the virus software saw the executable as a Nimda. If they had sent a format.exe that would have been it for the two user's data.



    Microsoft said that only 6.0 was affected?



    Or is this something different than what they have supposedly patched?

    • Microsoft said that only 6.0 was affected?

      No, they said they were only supplying a patch for 6.0 and 5.5SP2. Everyone else has to upgrade before they can apply the patch.

  • How to uninstall

    Uninstall is not available
  • Off Timing (Score:2, Informative)

    by perdida ( 251676 )
    I wouldn't install any Uber-Patch in this day and age of Microsoft vertical integrated software/Magic Lantern/Ashcroft.

    A cheer for code you can verify yourself before you trust it to secure your computer for you.


  • by PacketMaster ( 65250 ) on Friday December 14, 2001 @04:00PM (#2705612) Homepage
    It's also important to note that it's not just users of IE as their browser that are affected by this bug. Lots of Windows programs took a shortcut (Eudora being a prime example) and used MSHTML.DLL as the rendering engine for their application. Any application that displays HTML and uses MSHTML.DLL and has IE5.5 or IE6 should install this patch IMMEDIATELY.
  • by saintlupus ( 227599 ) on Friday December 14, 2001 @04:04PM (#2705636)
    Well, it's certainly a good thing that there are so many people looking at the source to produce a patch...

    er....

    Never mind.

    --saint
  • by Captain_Frisk ( 248297 ) <captain_friskNO@SPAMbootless.org> on Friday December 14, 2001 @04:13PM (#2705686) Homepage
    Seriously guys calm down.

    Yesterday you bashed MS for not going public about anything, and now you bash them for patching the program. Short of open sourcing everything, is there anything they could do that would appease this croud?

    They might not get it right on the first try, but they do fix their bugs, and i think this was fairly timely, especially given the size / scope of IE.

    • by fumble ( 128295 ) on Friday December 14, 2001 @04:23PM (#2705738) Homepage

      ... is there anything they could do that would appease this croud?

      I think you hit the nail on the head. The answer is "no." The fact remains that this community has seen M$ do some nasty things, and now they've formed their opinion (and that's just fine). Regardless if M$ does something right, it really doesn't matter. Imagine if one day at school, the bully that usually pounds your ass into the ground held the door open for you ... you probably wouldn't buy it for a second. Or maybe if Barry Manilow actually put out a mildly good song ... would you admit to liking it? I wouldn't :P

      • Imagine if one day at school, the bully that usually pounds your ass into the ground held the door open for you ...

        I'd wonder what the hell he was up to and look for another door!

        Gee... you hit on a pretty good analogy there.

  • by fumble ( 128295 ) on Friday December 14, 2001 @04:15PM (#2705696) Homepage

    Warning: mild flamebait.

    Remember Michael's over-the-top misinformed rant about this 3 days ago [slashdot.org]?

    ... they refuse to provide any information about when a patch might be made available, if ever.

    I'm surprised he posted this fix, kinda points out how far off base /. was a short 3 days ago. Hey, I'm no M$ fan and I kinda expect some opinion on /. posts ... but there comes a point when it turns into yellow journalism and becomes childish M$ name calling.

    • by Anonymous Coward
      Michael was right. Microsoft refused to release any information about when a patch would be available until a patch was made available.

      What's the problem?

      More sensationalism courtesy of fumble (you dropped the ball).
    • by oGMo ( 379 ) on Friday December 14, 2001 @05:25PM (#2706029)

      Flamebait is typically written to elicit strong emotional response and name-calling from the target audience... this falls under the "troll" category which gives a more subtle feeling of disturbance, saying something usually inaccurate or incorrect in a seemingly reasonable manner to generate lots of "discussion". Let's go point-by-point:

      Remember Michael's over-the-top misinformed rant about this 3 days ago?

      Seeing as michael's story was neither misinformation nor an over-the-top rant (read the story), this plays on the popular opinion that slashdot gets a lot of stuff wrong all the time, as well as our obvious anti-Microsoft bias, to pretend that it was in fact an over-the-top misinformed rant.

      ... they refuse to provide any information about when a patch might be made available, if ever.
      I'm surprised he posted this fix, kinda points out how far off base /. was a short 3 days ago.

      Did they provide information about when a patch was available? At the time, they did not, so this is hardly misinformation. Whether they release a patch today or three months from now, "no information" is still "no information".

      Hey, I'm no M$ fan and I kinda expect some opinion on /. posts ... but there comes a point when it turns into yellow journalism and becomes childish M$ name calling.

      Correct me if I'm wrong, but I believe "M$" is childish name calling. "If it agrees with me, it's opinion, otherwise it's bias": This just about sums it up. There is nothing wrong with bias; there is no way to avoid it, claiming something is unbiased is a great indication that something is trying to be intentionally misleading. I read slashdot because the bias mostly agrees with my own. Perhaps your time would be better spent looking for a more agreeable forum, instead of trolling on this one.

  • Great (Score:4, Funny)

    by El_Smack ( 267329 ) on Friday December 14, 2001 @04:20PM (#2705726)
    Now Microsoft will get Slahdotted. One more reason for them to hate us. *sigh*

  • by Pinball Wizard ( 161942 ) on Friday December 14, 2001 @04:39PM (#2705827) Homepage Journal
    Using Microsoft's own recommendations for making Internet Explorer and Outlook secure I disabled Active Scripting.


    By doing so, I can't get to Hotmail, can't sign in to Passport, and most importantly, can't access Windows Update.


    Hey, anyone astroturfing for Microsoft! Your own security recommendation means people can't access your sites. I am NOT turning on active scripting(i.e. disabling a security measure) so I can get the fix.


    You guys need to make your site work without Javascript. Sheesh. How can anyone take you seriously?

  • by Sludge ( 1234 ) <slashdot@@@tossed...org> on Friday December 14, 2001 @04:47PM (#2705864) Homepage
    I've been thinking about this for a long time, and it's time I asked my peers at slashdot- Does anyone else feel immoral browsing the web with an Internet Explorer USER_AGENT? I'm going to state what seems obvious to me:
    • Company designs nice website with features that are only supported with IE.
    • Company realises that Netscape market share is too high to do these cool things, so they downgrade their website. Animosity is felt towards the browser not developed for (in my experience this goes both ways)
    • Company waits a year and a half, and ends up re-evaluating their Netscape support position based on their current USER_AGENT stats showing 95% IE clients.
    • Company switches webpage to use proprietary and non standard technologies, locking us alternative software people out of another website.

    By this logic, which I feel is a common path for businesses to take, using Internet Explorer and letting webmasters know that you do will harm our freedom to choose our client software in the future.

    I don't understand why no one else has come forward and stated that they feel this way. For this reason, I refuse to use the software except in situations where it's seriously inconvenient to do otherwise.

    I don't mean to be alarmist. If the web is only accessible from IE, a project will be started to supply a proxy for other browsers which interprets the data from the web server and converts it to nice, standardized HTML. This could get kludgy, and is the worst case scenario I see.

    • Don't be immoral (Score:2, Interesting)

      by Weasel Boy ( 13855 )

      For all the reasons that you state, I:

      • do not write web pages that work only in IE or Netscape. If your page doesn't work in Lynx, it doesn't work.
      • do not falsify my USER_AGENT. When I'm using iCab [www.icab.de], your server sees iCab.
      • do not use Internet Explorer at all. If your page doesn't work in iCab, Opera, or Netscape, then I don't need to do business with you.
    • by istartedi ( 132515 ) on Friday December 14, 2001 @07:37PM (#2706519) Journal

      Does anyone else feel immoral browsing the web with an Internet Explorer USER_AGENT?

      [HKEY_CURRENT_USER\Software\Microsoft\Windows\Cu rr entVersion\Internet Settings] "User Agent"="Mozilla/Church Lady 3.01"

      Would that make you morally superior?

  • Strangely, it actually seems to be faster. I can't say I've ever had that experience when upgrading a Microsoft product. Could just be that new code smell going to my head though...

  • Hey, I just tried updating my system through Windows Update. I wasn't prompted for anything, and I haven't updated my NT 4 box for about a week. Does this mean that I already got the patch a week ago, or has Microsoft not put it on Windows Update yet?

    If it's just not in Windows Update, shame on MS. That is the only place I go for updates. I don't waste my time wading through all of the other crap on MS's website.

    /me strokes debian woody..
  • by Jettra ( 529165 ) on Friday December 14, 2001 @05:30PM (#2706052) Homepage
    In the spirit of legal debate over the meaning of the specific usage of words, what is meant by 'known'?

    Since Microsoft anounced it's policy of attempting to keep the lid on the security holes that exist within it's software, I would assume that 'known' means ones that they are willing to reveal to us.

    So the word 'all' preceeding 'known' has no meaning since Microsoft itself admits to witholding the true extent of the damage its software can do to your system through security holes.

    I consider this another decietful marketing attempt to make consumers feel safe about their products despite their worse than poor track record. They may not be outright lying, but there planting the seeds for others to do it for them. How many sysadmins will now send out an email saying that "IE will be free from all security bugs by installing this patch"? Of course that is a lie.

  • by I-man ( 95468 ) on Friday December 14, 2001 @05:40PM (#2706095)
    Interesting. After installing this patch, I typed in some garbage to the address bar to make sure it was still seeing my proxy (which should display a custom no-such-address page).

    What happened? That bloody search-from-the-address-bar thingy had turned itself on. Oh well, I say, just go to Options -> Advanced -> Do Not Search From The Address Bar. I do this, type in "asdfa sdfsdfsa dfwer" (note the spaces) and POW: search-from-the-address-bar turns itself back on.

    Much the same thing happens if you change the option and then restart IE.

    WTF?

  • Won't even install! (Score:4, Interesting)

    by GeckoX ( 259575 ) on Friday December 14, 2001 @05:55PM (#2706176)
    Cute!

    Tried installing the 6.0 UberPatch on 2 separate boxes now, both running W2kPro sp2 with IE 6.0 installed with VS.NET beta2.

    (IE v. 6.00.2462.0000 to be exact)

    The installation quits with an error telling me I must have IE 6.0 to install.

    Also seen as mentioned above similar effect on 5.x versions other than 5.5 with that version install.
    Leaves me not exactly feeling warm and fuzzy about whether the actual patch will really patch the holes it's supposed to or not!
    • by Kevinb ( 138146 )
      (IE v. 6.00.2462.0000 to be exact)

      2462 is not the final release build of IE 6. I think that's IE 6 beta 2, or maybe the "public preview" that went out before XP shipped.

      The shipping version of IE 6 is 6.0.2600.0. If you go to Windows Update [microsoft.com] you should be able to install it, and then after you do that install the patch.

  • by djaxl ( 543958 )
    Check out http://www.guninski.com/browsers.html [guninski.com].

Algebraic symbols are used when you do not know what you are talking about. -- Philippe Schnoebelen

Working...