
Microsoft Patches Fix IE, Sony Flaws

An anonymous reader writes "Microsoft issued two security updates today, one of which fixes at least four flaws in its Internet Explorer browser, including one for which an exploit was released over Thanksgiving that is now being used by a handful of porn sites to install spyware, etc. According to Washingtonpost.com, the IE patch also removes a component left behind by a patch from Sony BMG designed to remove some of the more dangerous features of anti-piracy software installed by Sony BMG music CDs. Researchers found that the Sony patch changed settings in IE so that any Web site could install software on those machines."

  • two wrongs (Score:5, Funny)

    by caffeinemessiah ( 918089 ) on Tuesday December 13, 2005 @06:21PM (#14251711) Journal
    Wow...Microsoft cleaning up after Sony? It's like oil companies issuing nicotine patches to clean up after tobacco companies. The big fight this winter is evil vs. evil. Wooo!
    • Funny, M$ is doing something _right_ for once.
      turning over a new leaf for new years resolution early?
      -nB
      • Funny, M$ is doing something _right_ for once.

        Well, I've been enjoying playing games on my M$ box for years now, so unless I've totally overlooked a whole Linux-gaming world, then that can't be the 1st thing they've done right. Yes, M$ sucks for servers, browsing, anything needing security, etc... but I need a M$ box if I want to enjoy any games at home.

        Sorry, but this needs to be ranted about, because I could be done with M$ forever if only the last piece of the puzzle was taken care of... and that's gamin
        • Re:two wrongs (Score:3, Informative)

          by Trashman ( 3003 )
          Why hasn't the open source community developed a strong gaming environment for *nix yet?!


          Long story short: Nvidia and ATI are the roadblocks in this area. Their Linux drivers are half-assed and they will not release information for their graphics cards so that an open source driver can be written.
          • That makes sense if you *must* use an open source driver. What's wrong with a commercial one that does the job as expected?

            The reason there is not a strong gaming community for *nix is because there aren't enough games. There aren't enough games because there isn't a strong gaming community. Catch 22.
            • What's wrong with a commercial one that does the job as expected?

              Their Linux drivers are half-assed

              Please pay more attention so we can avoid this useless posting in the future.

            • Re:two wrongs (Score:2, Informative)

              by Trashman ( 3003 )

              What's wrong with a commercial one that does the job as expected?

              IMO, there's nothing wrong with a closed commercial driver as long as the people writing the drivers didn't make it so you need to jump through hoops to get it installed. And then not fix bugs and not implement some basic features in the drivers.

              The reason there is not a strong gaming community for *nix is because there aren't enough games. There aren't enough games because there isn't a strong gaming community. Catch 22.

              I would say tha

            • The problem is that the closed source proprietary drivers put forth by ATi and (to a lesser extent) nVidia SUCK. They're horrible, both the drivers and the install tools for them. I don't have an nvidia card, but ATi's install program hoses your xorg.conf file every time, and if you use a text editor to set it up instead (not something Joe Q. User should be expected to do), the drivers are buggy at best and unusable at worst.
          • Re:two wrongs (Score:2, Interesting)

            by Anonymous Coward
            Their Linux drivers are half-assed and they will not release information for their graphics cards so that an open source driver can be written.

            So they're keeping the ball in their own court. BFD. The drivers work just fine. I've been using both since the days they came out. They fucking work, and they work JUST the same as the Windows drivers do (and yes, ATI is a bitch in that area, extrapolate that, you whore). They're not flawless, nothing is. But they work as expected. If it weren't for
    • by TCQuad ( 537187 )
      The big fight this winter is evil vs. evil.

      Never choose the lesser of two evils because that's the one that will lose.
    • by Anonymous Coward on Tuesday December 13, 2005 @07:12PM (#14252104)
      You know the world is going crazy when the best golfer is black, the best rapper is white, Google fixes MS's flaws, and MS fixes Sony's flaw.
      • and add "the tallest player in the NBA is chinese?" and "The French want{ed} war" and "three of the companies on the Nasdaq base chunks of profit on free software"
    • "Researchers found that the Sony patch changed settings in IE so that any Web site could install software on those machines."

      So according to these researchers, one could logically assume that it is indeed not as much of Microsoft's fault for lots of viruses and spyware people have been getting over the last year or so, but more of Sony's fault for bad DRM software opening holes in people's browsers?

      It's just funny, Microsoft's claims that '3rd party software is to blame' and 'Windows is fine' is finally
      • by ozmanjusri ( 601766 ) <aussie_bob@ho[ ]il.com ['tma' in gap]> on Tuesday December 13, 2005 @10:47PM (#14253218) Journal
        It's just funny, Microsoft's claims that '3rd party software is to blame' and 'Windows is fine' is finally holding water.

        It has always been true, just not helpful. Sony's rootkit is not functionally different from Hacker Defender or any other '3rd party' rootkit. A product which works in the lab, but not in the field is still a failure.
        • Saying that "Windows is fine" is almost irresponsible. A straight plain windows install with no other software and no internet connection is not fine. Windows still crashes easily... I could go on and on about it, but before someone replies with a counter argument, let me just say that if my computer reboots and I don't expect it to, that either means my UPS ran out of juice during a blackout, or else I just cooked some component on my motherboard, and it's safe to say that neither of those happen too often,
  • by Anonymous Coward
    you know, the one which stops the Zonk slashdot article exploit in my /. browser. How do I remove that shit? Permanently...
    • by Anonymous Coward
      gut reaction is troll, then I scroll down the front page almost all articles posted by this guy are flamebait or corporate shill. CmdrTaco fares not much better, in fact ScuttleMonkey seems to be the only one posting anything other than Slashvertisements and Flamebait. Perhaps a new poll, which Slashdot Editor is less of a tool.
      • I actually like Taco's posts best because he adds commentary to the end of the submitter's blurb that makes it look like he actually reads slashdot. When I read Taco's journal I get the feeling that he is a slashdotter... where the other editors just seem like slashdot is their day job. (Actually michael used to know what's going on but I haven't seen him around lately.)

        Yes, I know Taco started the site and is user #1. It's nice to know that he still cares after such a long time.
    • by Kelson ( 129150 ) * on Tuesday December 13, 2005 @06:33PM (#14251837) Homepage Journal
      Open Slashdot->Preferences, then go to the "Homepage" tab, then look under "Customize Stories on the Homepage"

      You can disable Zonk right there -- his posts will never reach your browser again. (This is compatible with all web browsers I've tested, though you have to enable cookies. But then cookies are such delicious delicacies, you have to wonder why anyone would want to disable them other than being on a diet.)

      There's only one problem, though: This patch requires you to register with Slashdot. One wonders how responsible it is to require personal information (I hear they actually want a username and a password! At least you can use a throw-away email address) in order to use this valuable functionality.
  • by Eli Gottlieb ( 917758 ) <.moc.liamg. .ta. .beilttogile.> on Tuesday December 13, 2005 @06:23PM (#14251725) Homepage Journal
    Microsoft taking responsibility for their own faults and Sony's? I wonder what's up in their boardroom nowadays. Or there could be pigs flying somewhere, I don't know.
  • I don't mind Microsoft, but I don't think they need any help in leaving their systems vulnerable. I don't agree with Sony's DRM bullshit, and I do believe that they need to be smacked like a little bitch for including their 'anti-piracy' crap. I just want to listen to MUSIC, not get more annoying software installed on my computer that does absolutely nothing other than piss me off to a greater extent than XP rebooting my computer for no reason. Thanks guys, can't wait for the PS3..Is it going to have soft
    • by PsychicX ( 866028 ) on Tuesday December 13, 2005 @06:35PM (#14251846)
      You'll be glad to know that, due to the PS3's extensive Wifi capabilities, Sony will be able to install copy protection on every computer in your house the moment the PS3 is powered up. Sony plans to include Linux and OSX exploits for those of you who try to be clever about it. The installed software will cause any computer to crash immediately [wired.com], which Sony hails as a great technological breakthrough since their last technology, which could only destroy OSX but not Windows or Linux. And as for what happens if you try to copy a Blu-Ray disc...let's just say it's not so much "managed" copy as it is "melted" copy.
  • Ever hear of QA?
  • Sony (Score:5, Informative)

    by Anonymous Coward on Tuesday December 13, 2005 @06:24PM (#14251749)
    Re the Sony spyware saga, it's also worth checking out Ed Felten's latest article [freedom-to-tinker.com] on XCP's eviller twin, Suncomm Mediamax. Seems Mediamax made the fatal mistake of setting out their entire scheme in an SEC filing.
    • Seems Mediamax made the fatal mistake of setting out their entire scheme in an SEC filing.

      Now that the cat is out of the bag, any company making a CD or DVD may try this.

      As a consumer I just ceased purchasing all media with software on it, this includes USB anything and CD, DVD. I will resume purchases when I see "DRM Free" labels on them. I would suggest everyone do the same. If enough people do, the industry will recoil.

  • ahhhh... (Score:4, Funny)

    by Anonymous Coward on Tuesday December 13, 2005 @06:27PM (#14251774)
    Now I can go to porn sites again without having to worry...
  • by Anonymous Coward on Tuesday December 13, 2005 @06:27PM (#14251777)
    If Microsoft released a patch right away, administrators would complain they are patching too often and forcing them to test internal software more.

    If Microsoft waits for the patch cycle, slashdotters complain Microsoft is purposely holding out so that they can sell anti-virus

    And normal computer users, they don't patch so it really does matter
    • by oGMo ( 379 ) on Tuesday December 13, 2005 @07:00PM (#14252029)
      If Microsoft released a patch right away, administrators would complain they are patching too often and forcing them to test internal software more.

      If Microsoft released patches right away and didn't have a history of patches that broke everything and introduced more holes... people would complain less.

    • by VGR ( 467274 ) on Tuesday December 13, 2005 @07:21PM (#14252162)
      Gosh, it's almost as if the real complaint of administrators and slashdotters is that Microsoft is putting out a lot of badly written software.

      Perhaps a corollary of the complaint is that Microsoft seems to have enough money that they could afford some QA on their code. Considering their exploits result in crippling the economy [cnn.com], a little responsibility doesn't seem like a lot to ask.

      No one can write software that's 100% bug free, but they could get a lot closer to 100% than this.

    • It seems to me that Microsoft should release patches ASAP.

      If the system administrators don't like installing and testing the patches that often, they can accumulate patches and install them all at once according to their own internal corporate five-year update/patch/test cycle.

      Let's see...
      • Microsoft doesn't get criticized for not releasing patches
      • People who need security patches right now will get them
      • People who would like to apply security patches on a five year cycle are free to do so
  • Strange (Score:4, Interesting)

    by Anonymous Coward on Tuesday December 13, 2005 @06:28PM (#14251787)
    This is the first update in ages that requires a reboot, is the Sony rootkit that destructive?
    • Re:Strange (Score:5, Informative)

      by DavidRawling ( 864446 ) on Tuesday December 13, 2005 @06:33PM (#14251838)

      Pretty much. It installs poorly coded filters on the CD drives - if installed in the middle of an IO you could get a blue screen. Mark discussed this in detail.

      Much safer to remove during reboot otherwise you'd hear screams of, "The patch BSOD'd my computer!"

      • Re:Strange (Score:5, Informative)

        by Tim C ( 15259 ) on Tuesday December 13, 2005 @07:32PM (#14252232)
        It's not just that, it messes with the kernel's systables. At unregister time, it puts things back the way they should be, but if anything else had yielded after grabbing an affected address but before completing the call, *boom* BSOD.

        (All from memory of reports here, don't shoot me if the terminology is wrong)
  • by patcito ( 932676 ) on Tuesday December 13, 2005 @06:49PM (#14251939)
    This is just a good occasion for MS to say "hey look how Sony software sucks so much we need to clean the mess for them".
    After the HD DVD delay and the xbox failure in Japan, MS needed to do some anti sony PR to make it up in their little war against Sony.
  • Sony can fix this for good:

    apt-get remove media-max

  • by Korbeau ( 913903 ) on Tuesday December 13, 2005 @06:59PM (#14252020)
    This came along with the Automatic Update bundle today:

    "Install this update to prevent or resolve an issue in which Windows Update and Automatic Updates can no longer download updates after an Access Violation error occurs when using the Automatic Updates service. After you install this item, you may have to restart your computer."

    Sweet irony. At least that's refreshing from the attacker that could compromise my computer - I'm really tired of this guy.

    How come I *may* have to restart my computer - haven't you tried it on one of your boxes beforehand or do you really have no clue?
  • Darn it! (Score:5, Funny)

    by Guppy06 ( 410832 ) on Tuesday December 13, 2005 @07:01PM (#14252031)
    It's yet another article that totally forgets about the upcoming Nintendo Revolution!

    Oh, wait... this is a different Microsoft vs. Sony hissy fit?
  • Blu Ray (Score:5, Insightful)

    by jmichaelg ( 148257 ) on Tuesday December 13, 2005 @07:18PM (#14252140) Journal
    Will people remember this farce and say thanks but no thanks to Blu-Ray because they're not sure what the drivers will do to their computer? And if you can't trust Sony's Blu-Ray drivers, who's to say the HD-DVD drivers will be any safer?

    It would be ironic if somebody at Sony who was worried about selling a few copies of a country-western CD ended up jeopardizing a billion dollar market.
  • by mixonic ( 186166 ) on Tuesday December 13, 2005 @07:43PM (#14252301) Homepage
    Neat!

    So, since MS is keeping Sony from installing their "DRM" spy^H^H^Hsoftware, you can say they are circumventing Sony's DRM software, PLAINLY against the DMCA. The only question is.....who do we cheer for when evil sues evil over evil with evil laws?

    -mix
    • I don't know, but I'll be damned if that wouldn't be fun to watch... the whole DMCA thing is a bomb waiting to go off, especially when it comes to issues like this between major companies. Me? I can't wait for it to happen.

      Or maybe they'll just make some agreement that benefits both parties and be done with it, but hey, I can dream :)
    • Doesn't apply, since MS isn't the end user, and I'm sure it's covered by their agreement with Sony.

      I mean, Mediamax was certified by Microsoft, I'd be surprised if there wasn't correspondence between the two before the Rootkit was imprinted on those CDs. Or at least a thorough review by Sony BMG legal.
    • Tee hee. As if anybody can imagine that Sony is gonna sue M$ for a DMCA violation? I sure as heck can't even imagine it. But then my imagination seems to have taken a vacation after 71 years, in favor of my version of common sense.

      This whole fiasco SHOULD have Sony backed into the far corner of their cage, with their tail tucked so firmly in it's a very effective chastity belt.

      Funny part is, all those CDs marked copy protected? Wally World hasn't pulled a single title off their music racks, nosiree bub.
  • Does anyone know about any lawsuits or class-actions against Sony? It seems to me that to install trojaned rootkit on a machine, then apologize while at the same time issuing a patch which causes other security vulnerabilities would show obvious malicious intent.
  • by Kelson ( 129150 ) * on Tuesday December 13, 2005 @08:22PM (#14252542) Homepage Journal
    An article about Microsoft and Sony has been up for 2 hours and only has 75 comments?

    This has got to be a first.
  • I'd just like to point out the fact that Microsoft fixing a 6 month old problem was newsworthy...

    And, the gratuitous open-source post:
    There was a browser security issue and Sony could install a root-kit? Weird, never even noticed.
    • Lots of people using the last bit of their vacation time to supplement their holiday time. Can't expect high posting on slashdot when so many aren't at work, now can we?
  • who gets the bill (Score:3, Insightful)

    by tehwebguy ( 860335 ) on Tuesday December 13, 2005 @08:50PM (#14252682) Homepage
    i wonder if microsoft will invoice sony for this..
  • Odd problems (Score:3, Interesting)

    by bruns ( 75399 ) <[moc.tibm2] [ta] [snurb]> on Tuesday December 13, 2005 @08:52PM (#14252691) Homepage
    Did anyone else with XP Home SP2 notice that the IE update does some really weird stuff with IE's ability to open up pages?

    Like, best way to explain it, you can launch IE and it will go to your home page, however, when you type a URL in the address bar it opens up a new window as if you pressed ctrl-n and typed it in there?

    Also rears its ugly head if you have another browser set as default. Type in say, 'www.sosdg.org' in the URL bar of IE, and it opens up Mozilla/K-Meleon/Firefox instead of just opening in the open window of IE?

    I've seen this behavior on two XP Home machines, while a third was perfectly fine (all running SP2)
    • by springbox ( 853816 ) on Tuesday December 13, 2005 @11:20PM (#14253347)
      Type in say, 'www.sosdg.org' in the URL bar of IE, and it opens up Mozilla/K-Meleon/Firefox instead of just opening in the open window of IE?

      Sounds like the security fix I've been hoping for a while

      • Heh. Good point :-)

        However, I did field a call from one of my users who only uses IE (trust me, I tried to change them over to firefox or opera, but that was a wasted effort), so I'd really like to figure out what got broke exactly.
    • Anyone else who's having this problem, please e-mail me. I'm working with a XP Home engineer to investigate the issue. They are just as curious about the problem as I am (and seem genuinely interested in getting it resolved).
    • Ahhh, got a temp fix that people can use to solve the issue until MS figures out what is the cause exactly.

      From my blog [sosdg.org]:

      With help and ideas from an MS guy, I've managed to narrow down the bug which is causing the issue.

      The version of browseui.dll (6.0.2900.2802) from the 905915 update is the culprit.

      If you disable WFP, reboot with the recovery console, and replace it with browseui.dll (6.0.2900.2753 from previous update, probably 896688 IIRC), then reboot again, behavior will return back to no
  • by multipartmixed ( 163409 ) on Tuesday December 13, 2005 @09:30PM (#14252859) Homepage
    > Researchers found that the Sony patch changed settings in IE so
    > that any Web site could install software on those machines."

    Wait. So, Sony is setting IE back to its default security settings?

    That hardly seems newsworthy.
