Microsoft Releases Critical IE Patch
Laura Brown writes "Microsoft has released its security software patches for April. The most anticipated is the MS06-013 patch, which fixes several IE bugs, including the "createTextRange()" vulnerability. Hackers had been exploiting this problem by installing unauthorized software on PCs."
The Exploit (Score:5, Informative)
And here's Microsoft's acknowledgement [microsoft.com] of the exploit (dated 03.23.2006).
And here's an "expert" saying that releasing the above exploit is irresponsible [sys-con.com] (dated 03.24.2006).
It is now 04.12.2006 and a patch is out to correct it.
*checks his watch*
Not bad, but your response time could use some improvement.
Re:The Exploit (Score:3, Informative)
Schedule Over Security? (Score:5, Interesting)
The following excerpt is alarming [washingtonpost.com]: I wasn't aware a cycle constituted 135 days. That's interesting.
I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security. I shall take note of that.
Re:Schedule Over Security? (Score:5, Interesting)
No, MS doesn't always release patches as quickly as they could, but in this particular case it certainly looks as though they got it out at the earliest opportunity, where this is defined as "as quickly as the largest proportion of their customer base allows them to".
I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security.
Blame MS for bowing to pressure from their customers; blame the corporations for bringing that pressure to bear in the first place.
Re:Schedule Over Security? (Score:5, Interesting)
Re:Schedule Over Security? (Score:2, Informative)
Regardless, they will and do do relevant testing; it takes days to weeks depending on the scope of the change and its effects... sometimes the effects ripple out to third parties, which can further delay deployment.
I generally don't like Windows the product or many of MS current and prio
Re:Schedule Over Security? (Score:4, Insightful)
There is still no legitimate reason for them not to make a patch available as soon as they finish it. They can include the patch in their scheduled cycle, but they can also then cater to the early adopters, and those who don't want vulnerable systems lying around.
Re:Schedule Over Security? (Score:2)
Do the testers come in only on certain days of the month? What technical reason is there for delaying patches until a certain day of the month for all users? Why not make the patches available as soon as they're tested for those who want them, and delay them until a monthly rollout for those who want a monthly ro
Re:Schedule Over Security? (Score:5, Insightful)
Many exploits are made by examining the patch, so in most cases it's better if everyone gets the patch at the same time (crackers and legitimate users) rather than the crackers getting it ahead of business users.
Re:Schedule Over Security? (Score:2, Insightful)
Re:Schedule Over Security? (Score:2, Interesting)
Re:Schedule Over Security? (Score:4, Interesting)
If there is already an exploit in the wild (with freely available source code) I really don't see how releasing a patch earlier for home users makes it *easier* to exploit.
It's just a poor excuse for being slow to patch.
Re:Schedule Over Security? (Score:2)
Re:Schedule Over Security? (Score:2)
Actually you've just made an argument for releasing sooner: If the bugs in the patches are caught sooner (because of the 'patch early adopters'), then the corporates will be protected against those exploits because they won't have installed the patches yet and the new improved patch will be out in time for their update schedule.
Re:Schedule Over Security? (Score:4, Informative)
There, fixed that for you.
Re:Schedule Over Security? (Score:4, Insightful)
There are probably a few issues to consider here. Whether or not a corporate wants a scheduled regular service, you can sure as hell bet they want the option to receive critical patches as soon as humanly possible. They'll wait for the other things, but critical patches should be available out of band. Secondly, there would be nothing to stop MS releasing the hotfix in the meantime via Windows Update, since most corporates don't use it anyway.
I think it's extremely poor that MS takes so long to fix such an obvious problem. It's more reason, if any were needed, that a closed source product is no guarantee that it will be any more secure or better supported than an open source one.
Re:Schedule Over Security? (Score:2)
Re:Schedule Over Security? (Score:1, Insightful)
I call BS on that one. It takes me five minutes to apply a patch to a test machine, and after a suitable test period it takes me another five minutes to walk into the server room, log in to the WSUS server, and approve an update.
If I want to
Re:Schedule Over Security? (Score:1)
I work in an IT department. I know of no techie that looks forward to the next round of 'patches'. In fact most/all of them hold off on installing for fear of breaking something.
This could have been written by the MS publicity bureau.
Blame the corporations for the patch cycle and
blame the competitors for MS failing to se
Re:Schedule Over Security? (Score:1)
Blame Microsoft a second time for designing their operating system to be such a nuisance to patch.
Adarn
Re:Schedule Over Security? (Score:2)
Re:Schedule Over Security? (Score:4, Insightful)
Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.
Why, are those customers forced to install it as soon as Microsoft releases it? If they wanted to install it later, they are unable to do so? What's stopping them from waiting? That would not only give them the choice, but give them longer to test the patches first. Yeah I can just picture those alleged customers now: "Hey Microsoft, please give us less choice and greater delays, in fact we demand you do so"
Stop the FUD, thanks.
Re:Schedule Over Security? (Score:2)
I personally prefer updates to be delivered the day they are available and tested.
The concept of a release date means nothing here anyway. Say the next scheduled patch day is tomorrow. Say you come up with a fix today. Do you release it tomorrow? I w
Re:Schedule Over Security? (Score:2)
Not to be an MS fanboy here, but just stop and think for a minute. MS has literally hundreds of versions of their OSes. All the different language versions. There are well documented examples [joelonsoftware.com] (ctrl-f for "polish") of specific bugs for specific language versions.
There's a *lot* of testing that needs doing for a Windows fix.
Re:The Exploit (Score:5, Insightful)
Not bad, but your response time could use some improvement.
From TFA: Microsoft Corp. has released its security software patches for April...
Microsoft has adopted the policy of "no patch before its time." These patches must be left on the vine, to ripen in the sun, until they are full of succulent flavor that brings out the best in an OS... sorry... anyway, it didn't matter how important the exploit was or that it was compromising machines left and right and letting the botnetters have a field day, Microsoft was in no rush. And you have to admit, that 3 weeks is not bad compared to some exploits which seem to be out there for months before anything is done. Now if Oracle could get their patch time down to three weeks...
Re:The Exploit (Score:1, Offtopic)
Re:The Exploit (Score:2)
Re:The Exploit (Score:2)
This patch should come with a big red label: "WARNING: BALLMER VOMIT!"
Apparently levity now rates an "Offtopic"; will someone mod the parent of this reply up a bit?
Re:The Exploit (Score:4, Interesting)
This makes things easier on the marketing people, who don't have to deal with complaints about security patches coming out far too often, but it also means that customers can be exposed to serious (effectively 'zero-day') exploits for up to a month at a time before MS's monthly release kicks in.
In time, we're going to see hackers 'releasing' their exploits on the Wednesday after patch day to maximize how many machines they can exploit before the next MS 'patch day'. It's a stupid way of 'serving your customer'.
Concerning date formats (Score:1)
Re:The Exploit (Score:1)
Re:The Exploit (Score:3, Insightful)
Re:The Exploit (Score:2, Insightful)
And yet Mozilla/Firefox keeps security bugs off of the public bugs list until they are fixed, so you don't know how long Mozilla devs know about security bugs before fixing them either.
Re:The Exploit (Score:3, Interesting)
ActiveX, Java and Flash controls may be impacted (Score:5, Informative)
This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.
Re:ActiveX, Java and Flash controls may be impacte (Score:2, Funny)
>This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.
So for the
Re:ActiveX, Java and Flash controls may be impacte (Score:1)
They have bundled it WITH the security rollup.
Re:ActiveX, Java and Flash controls may be impacte (Score:5, Informative)
Amusingly, this behavior can be disabled with either a patch or a registry change. [microsoft.com]
Didn't work for me. (Score:2)
Also, note that it mentioned Java with ActiveX.
Re:ActiveX, Java and Flash controls may be impacte (Score:1)
To solve the issues with Flash, check out my sig. It's free.
Re:ActiveX, Java and Flash controls may be impacte (Score:2)
That's good. I just updated from SP2 to SP4 & had to deal with >30 SP4 specific patches.
Is it possible that (for Win2k at least) staying a bit behind in the service pack game could afford you a bit of protection?
Either the exploit is going to affect only the latest SP, or MS is going to write a patch for all versions. In the first case, you can ignore the exploit and go about your way, and in the second case, you weren't any safer than the up-to-date people.
Though, if
not an automatic FlashBlocker (Score:2)
Unfortunately, this won't act as an automatic FlashBlocker. It disables _interacting_ with the ActiveX component until it's activated. So all those lovely ads will still load and play automatically; you just won't be able to click on, say, movie volume or playback controls until you've authorized it. Basically the worst of both models, really. Sucks to be IE. *shrug*
Damned if they do, damned if they do not.. (Score:5, Insightful)
If they don't update their products people will comment on how much they suck.
If they do update them people will claim instability due to the number of patches.
It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.
You decide.
Re:Damned if they do, damned if they do not.. (Score:2)
So how is it that programmers working for free developing a product for free can patch faster than a multimillion dollar company with hundreds of highly paid developers?
That's the ongoing question.
open source projects of equivalent size? (Score:2)
1st, what OSP is on par for raw bytes & complexity... to the Windows OS?
2nd- which of that subset gets patches in 24 hours
3rd- how often do these "right out the door" patches cause loss of functionality, for a subset of users, as (my line one above) every system configuration possibility was considered in the patch, that is still just works?
it's kinda herculean if you th
Re:open source projects of equivalent size? (Score:1)
And I'm supposed to give them money, why exactly?
not in 24 hours, no (Score:2)
how much do you pay for OS updates?
Re:open source projects of equivalent size? (Score:2)
1. Apache, Linux, MySQL, Postgres, Sendmail, OpenExchange, SugarCRM, etc etc. The list goes on and on
2. Apache, Linux, MySQL, Postgres, Sendmail, OpenExchange, SugarCRM, etc etc. They were even recently recognized for it in a government research document that stated that 24 hours was an average and that they even get patched faster on some systems.
3. According to the same government document, hardly ever. Patches on open source projects generally reduce
Let's check (Score:2)
the download for sendmail is 1.89 MB
postgres is 22mb
these are single purpose- using system calls- apps..
they aren't OS's (except for linux) and do any of those come close to 1.5 gigabytes of code/apps/parts?
re read my list of challenge requirements for #1.. what OSP is on par for raw bytes & complexity... to the windows OS?
I can't vet "linux" as there is no "one linux" to compare against.- and none of them come 'core' with
Re:Let's check (Score:2)
Now if you want to say the projects are not equivalent due to the lines of code used, that's just plain stupid. Good code takes fewer lines whereas bad code can go on forever and ever.
Every engineer knows that to build a better mousetrap, you don't make it more complex... you simplify.
Linux and those open
Perhaps we'll never agree (Score:2)
yes, microsoft code is likely bloated and inefficient
But the featureset and functionality is an order of magnitude or more complex than "SENDMAIL"
the simple fact (I see) is that -a patch for a microsoft OS, with all the variables it can affect- is a much greater undertaking- with
greater needs for getting it right the first time- than for most any other software available..
Re:Damned if they do, damned if they do not.. (Score:3, Insightful)
Legally, neither is Microsoft. Read your EULA.
And in most cases nothing else interacts with or depends on his / their code?
Yeah, nothing interacts with or depends on sendmail, or glibc, or the Linux kernel...
The Bob Damn them. (Score:2, Interesting)
If they do update them people will claim instability due to the number of patches.
It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.
You decide.
I hate the fact I have to purchase anti-viral software even though I exercise great care in what I download, install, execute, etc.
I hate the fact that I have to download patches frequently, which are massive files a
Re:The Bob Damn them. (Score:4, Insightful)
I hate the fact that I have to download patches frequently, which are massive files and I'm still on a dial-up so they can take hours.
Actually, you don't. Because you don't "have to" run Windows. Seriously. I'm not trying to be a prick, but to emphasize that somewhere along the line, the user (you) is choosing to run Windows, so you are choosing to take on all these burdens in the process. You can rid yourself of them simply by choosing any of the other growingly-popular OSes out there. Yes it'd be work. Yes the transition might incur costs. Yes you might have to switch apps, convert data, retrain. But you are choosing to do it or not do it, regardless. You can choose the one-time painful conversion, or choose to remain in the eternal servitude to the pains of your status quo.
Your choice.
Re:The Bob Damn them. (Score:2)
Re:The Bob Damn them. (Score:2)
I work with Windows at my own job. But I don't pretend that I'm "forced". I chose my job based upon pay, location, etc. I choose to put up with the headaches as a balance taking everything else into account. But no one is holding a gun to my head.
Like I said before... you don
Re:The Bob Damn them. (Score:2)
Microsoft releases most patches on the second Tuesday of each month.
The patches are generally small (under 1 MB) and can be automatically downloaded in the background. Let the program do its job and install when you are ready.
How much longer is this going to be NEWS? (Score:3, Interesting)
Re:How much longer is this going to be NEWS? (Score:5, Insightful)
Because Slashdorks like ourselves keep reading them and posting comments. You can bet if people stopped reading & commenting, the editors would stop posting these stories.
Re:How much longer is this going to be NEWS? (Score:1)
Re:Damned if they do, damned if they do not.. (Score:2)
No, it's a matter of quality. If the product had been built properly in the first place this vicious cycle would never have been born. However, it was not built that way. You pay now or you pay later - but you do pay, and later always costs more.
Re:Damned if they do, damned if they do not.. (Score:2)
It's not news that IE is full of more security holes than a DHS project. Microsoft have had years to sort this mess out.
Have they?
No. We still have multiple grave remotely-exploitable security holes in IE every year.
That's why people complain.
Ongoing updates are not an indication of "true support". Nor are they an indication of hating Microsoft (although I admit, I find your l
They damned themselves in 1997... (Score:2)
Every new OS release since then has been an opportunity for them to step back from the brink and turn IE into just another application. Not only have they not turned back, but they have run faster and faster with every step.
I wish them joy of their damnation, their salvation is in no-
Third - Party Patches (Score:2, Insightful)
I've been recommending them to anyone that was worried about the vulnerabilities. I wish Microsoft would support them; it's very difficult to convince people that the reason Microsoft doesn't recommend them is that it's bad PR to be seen having to be helped out, and not that the code is full of viruses that destroy your PC.
Ah well, I only use Windows for gaming anyway.
gmail invite (Score:2)
Meanwhile... (Score:2, Funny)
Re:Meanwhile... (Score:4, Insightful)
Seriously though, if it is using 1.5gb of memory, you probably have it to spare, otherwise it wouldn't be using it. If this is still unacceptable, you can TURN IT OFF! [mozillazine.org]
Re:Meanwhile... (Score:1)
Re:Meanwhile... (Score:2)
Re:You mean, IE users point and laugh (Score:2)
Gee, I wonder where they got that idea [mozdev.org]?
Why can't we all have portage (Score:3, Interesting)
Re:Why can't we all have portage (Score:1)
My question about TFA is (Score:1)
My other question is when does M$ release the patch that changes activation codes to valid credit card numbers. ?? I guess they could do a rural version that uses the modem to call a 1 - 900 - xxx xxxx
A fix was released long ago (Score:5, Funny)
OK, OK, so I wanted to be different from those "get Firefox" jokes!
Name change proposal (Score:5, Funny)
Re:Name change proposal (Score:1)
Scheduled updates seem counter-intuitive (Score:4, Insightful)
What I don't get is why everyone else in the world has to have their system unprotected for an extra couple of weeks. Why can't MS release the patches when they are "stable" and let the IT departments schedule their own updates as frequently or infrequently as they see fit? And further, is scheduling really *that* much more important than security for large companies?
Re:Scheduled updates seem counter-intuitive (Score:2)
I don't think there's logic to it; as you point out, the patches should come out when they're ready. If IT departments want a monthly schedule for patches, they should set one themselves. Why do they have to have Microsoft do it? Nobody's forcing them to install patches right away.
Re:Scheduled updates seem counter-intuitive (Score:2)
Re:Scheduled updates seem counter-intuitive (Score:2)
Re:Scheduled updates seem counter-intuitive (Score:2)
Most of them can go to places like this to get the exploit. And if it is here, it's been floating around the underground or IRC for a lot longer.
Releasing the patch sooner will protect more people. Holding off makes no sense. Once it's patched no one can use it.
Re:Scheduled updates seem counter-intuitive (Score:2)
Damn
Re:Scheduled updates seem counter-intuitive (Score:2)
http://www.microsoft.com/windowsserversystem/updateservices/default.mspx [microsoft.com]
This way everyone gets what they want. Home users can be protected immediately, for corporate users using WSUS, they get to maintain their status quo. This would even be better for some corporate users who would like to patch quicker.
The article's titles doesn't do it justice (Score:4, Informative)
Re:The article's titles doesn't do it justice (Score:2)
Mind you, MS released four other Security Bulletins today, two of which are remote code execution / rated 'critical' bugs. One's in Windows Explorer, the other's in MSDAC, some data access middleware crap that's also remotely exploitable.
Source (Score:2, Informative)
A way to fix IE?? (Score:1)
I don't get it (Score:2)
Grammar! (Score:2)
Argh:
No, no, no. The fact that "hacker" isn't the correct term to use here anyway notwithstanding [1], people have been installing unauthorised software on PCs by exploiting this problem, NOT the other way around.
1. Feel free to whine that the general public does use the word "hacker" that way if you want to, but this is Slashdot, and I think we can expect a somewhat higher standard here.
Re:Grammar! (Score:2)
Funniest thing I've read all week. Thanks for that!
How does Apple compare? (Score:2)
Re:"Hackers" (Score:1)
Re:I DLed them this AM. A question... (Score:5, Insightful)
Re:I DLed them this AM. A question... (Score:3, Informative)
Re:I DLed them this AM. A question... (Score:2)
Essentially almost any Windows app that displays HTML and isn't either Firefox, Mozilla, Opera or Thunderbird is most likely using mshtml.dll and so is likely to be vulnerable to the exploit.
Bottom line is that any Windows user should download and apply every IE update whether they use IE or not, as simply not using IE does not guarantee safety.
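The comment above says any app that embeds mshtml.dll inherits IE's parsing bugs, so a defender wants to know which running programs actually have it loaded. The following is an added PowerShell example, not code from the thread or from Microsoft; it assumes a Windows host where PowerShell can read module lists, and the function name Get-MshtmlHosts is made up here.

```powershell
# Added example (not from the thread): enumerate running processes that have
# the IE rendering engine (mshtml.dll) loaded. Such processes are exposed to
# IE engine bugs like the one fixed by MS06-013 even if IE is never launched.
function Get-MshtmlHosts {
    param([string]$ModuleName = 'mshtml.dll')   # module to look for (hypothetical default)

    foreach ($proc in Get-Process) {
        $hits = @()
        try {
            # Reading .Modules throws for some protected or 64/32-bit mismatched
            # processes; those are skipped rather than aborting the whole scan.
            $hits = @($proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName })
        } catch {
            continue
        }
        if ($hits.Count -gt 0) {
            # Report the file version so it can be compared against the version
            # listed in the security bulletin for the installed IE level.
            New-Object PSObject -Property @{
                ProcessName = $proc.ProcessName
                Id          = $proc.Id
                MshtmlPath  = $hits[0].FileName
                FileVersion = $hits[0].FileVersionInfo.FileVersion
            }
        }
    }
}

Get-MshtmlHosts | Format-Table ProcessName, Id, FileVersion, MshtmlPath -AutoSize
```

Many programs load mshtml.dll lazily, only when they first render HTML, so an empty result for a process means "not loaded right now", not "does not use it"; the version column is what to check against the bulletin's file list after applying the update.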
Re:I DLed them this AM. A question... (Score:2)
Very true, I found one of these today, interestingly enough in Flash itself. It indicated there was an update available, and the link to describe the details of the update opened up IE despite FF being my default on this machine. Talk about a security hole: an insecure app, opening an insecure browser, all w/o checking user prefs on the machine or even alerting the user to the action before it is taken. Brilliant! (I kn
Re:I DLed them this AM. A question... (Score:2)
Re:Why? (Score:3, Insightful)
Unfortunately, it's because of corporate inertia. Take my company, for example. I'm the IT department (no, that's not a typo) for a small Canadian company that is owned by a large European company. I've removed the big 'e' from everyone's desktop, installed Firefox, and told everyone to use it.
Unfortunately, we have a couple of applications we can only use through a centrally-administered terminal server environment. That environment includes IE. And of cours
Re:Why? (Score:2, Informative)
I'm not sure if you can install it automatically (through sms or whatever it's called), so it might not be practical if you have to install it on a lot of computers.
Re:Yawn (Score:2, Funny)