Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×

Microsoft Re-Re-Releases IE Patch 77

uniquebydegrees writes, "InfoWorld reports that on Tuesday Microsoft quietly released the second update for MS06-042. This is the cumulative patch for IE that actually introduced a new security hole into systems that applied the update. Microsoft re-released the patch back in August, but it now turns out that the updated patch had yet another vulnerability similar to the first, once again discovered by folks at eEye Digital Security. As with the previous hole, it concerned the handling of long URLs from web sites using HTTP 1.1 with compression."
This discussion has been archived. No new comments can be posted.

Microsoft Re-Re-Releases IE Patch

Comments Filter:
  • Bugger! (Score:3, Interesting)

    by ackthpt ( 218170 ) * on Tuesday September 12, 2006 @04:57PM (#16092316) Homepage Journal

    I just spent 4 hours downloading and installing patches over the weekend and now I've got more...

    I'm just glad I don't use IE, that's all.

    i'd really like to know why it downloaded all those outlook patches, considering i don't have that installed and have never had it installed...

    • by Tackhead ( 54550 )
      > i'd really like to know why it downloaded all those outlook patches, considering i don't have that installed and have never had it installed...

      DIR C:\PROGRA~1\OUTLOO~1

      Son of a bitch. They're back on my box too. I remember how many hoops I had to jump through to delete them when I first set up this box. Now they're back, but the old batch file that wiped the multiple copies of the .DL_ files in \I386 as well as the copies in the DLLCACHE directory no longer works. WTF?

      • maybe because the files are now "protected" system files (the point is to make sure that Windows itself doesn't get borked but...) i would port the batch file to bash and then do the run from a Live CD (make sure you have ntfs write support)
        • by RKBA ( 622932 )
          That's why I also install a second maintenance version of Windows 2000; ie, so that I can delete "protected" and "in use", etc, Windows system files easily. It also makes it very easy to make backup copies of the Windows registry directory.
      • Re:Bugger! (Score:4, Funny)

        by this great guy ( 922511 ) on Tuesday September 12, 2006 @08:16PM (#16093330)
        DIR C:\PROGRA~1\OUTLOO~1

        Remind me of an old joke...
        Windows 95: comes with built-in support for long filena~1.

    • I just spent 4 hours downloading and installing patches over the weekend and now I've got more...

      I'm just glad I don't use IE, that's all.

      I'm glad I don't use your ISP. It doesn't take me long to download the updates. No longer than it takes to download a Firefox update, which didn't get nearly as harsh a reaction even though they've also released quick fixes to regression patches. I didn't have to download any Outlook updates o

  • by celardore ( 844933 ) on Tuesday September 12, 2006 @04:59PM (#16092331)
    Th-th-th-that's all folks!
  • Te marketing blitz begins. Worlds most secure browse... WHAT?? The patched patched we patched and pacted again only to have to patch the patch we patched needs patched. Save it for Vista Serice Pack 5!!
    • Foofoobar: > Save it for Vista Serice Pack 5!! You won't have to save long. I think Vista has got to be the first product release that will have over 6 "service packs" ready for it before the shrink wrap went on the GA.
      • I am very glad they are cracking down on third party security software in Vista since Microsoft obviously have such a great security model we should have full confidence in. In all seriousness though, I wonder how many more people will start getting router-type devices between their computer and net connection, filtering content, connections and data, all because of this action. Looking forward to va-va-va-vista!
    • I don't think Microsoft claims that IE 5.01 is currently the world's most secure browser. This bug that they are patching with the re-rerelease doesn't exist in IE on XP SP2, Server SP1 or in IE7 (including Vista), so the claims that things got more secure starting with XP SP2 again seem pretty reasonable.
  • by Anonymous Coward

    I choo-choo-choose to install it.

  • Microsoft Re-Re-Releases IE Patch

    Maybe Microsoft just need to release a new operating system to fix the IE bugs for good. I heard Apple has a good operating system.
    • It might be easier if they just integrated the gecko rendering engine from Firefox into Windows, instead of using IE.
      • Bad idea. Gecko isn't perfect...Security holes are found and fixed every week.

        If you replace Microsoft's HTML rendering code with Gecko, you won't have done any better than change the set of bugs. At worst, you've created a target for crackers whose codebase is shared across many operating systems, and not just those sold by Microsoft.

        So junk intended for Windows will, at best, cause crashes and misbehavior in Firefox, Galeon, etc. on Linux. At the worst, it could start showing up on your filesystem anywh
  • Since . . . (Score:5, Informative)

    by OverlordQ ( 264228 ) on Tuesday September 12, 2006 @05:10PM (#16092404) Journal
    Well, you complain about Microsoft not fixing the patch in 3 attempts when you CANT EVEN TELL THE DIFFERENCE BETWEEN A PATCH AND A VULNERABILITY.

    MS06-042 is the Security Bulletin.
    KB918899 is the KB id w/ Patch.
    • by cp.tar ( 871488 )
      Well, you complain about Microsoft not fixing the patch in 3 attempts when you CANT EVEN TELL THE DIFFERENCE BETWEEN A PATCH AND A VULNERABILITY.

      Neither can they, it appears. That's why they had to release it all over again.
      Twice.

      • by Fred_A ( 10934 )
        They remembered what their moms used to say : "Practice makes perfect".

        Come on Microsoft, you're getting there, a few more and we'll be done (switching a few more people) !
    • ... CANT EVEN TELL THE DIFFERENCE BETWEEN A PATCH AND A VULNERABILITY...

      It's no surprise he can't tell the difference. In this case, the patch is the vulnerability.

      Besides, making a mistake while complaining about Microsoft isn't on the same scale as Microsoft releasing a series of bad patches. Did the GP's mistake result in any botnets? More importantly, the GP's mistake doesn't make Microsoft's mistake any less harmful.

  • Huh (Score:3, Funny)

    by theophylline ( 1002093 ) on Tuesday September 12, 2006 @05:13PM (#16092423)
    I downloaded the IE patch a while ago and it works great. It's called Firefox.
  • by Koragnar ( 780289 ) on Tuesday September 12, 2006 @05:15PM (#16092429)
    When did George Lukas join Microsoft?
  • 1. Remove all shortcuts to IE
    2. Install Firefox and/or Opera (I like both, Opera for email, Firefox for everything else)
    3. ...
    4. Profit!
    • Unfortunately, IE is still used in Outlook, Outlook Express, and Windows Help, among other places. While your fix is good enough for most cases, vulnerabilities can often be exploited in other programs that use the IE controls to render HTML.
      • That's why I didn't remove it, just the shortcuts. Since I don't use such programs/controls/etc, such worries never occur.
      • I never understood using Outlook. In the first place, I can't figure out how to get my yahoo mail to go there (can't figure out how to get my school mail to go to Evolution either). In the second place, how much harder is it to log in to yahoo.com mail than to double click on Outlook? You have to connect to the internet anyway. Third, webmail is available from anywhere, even from the web browser on a cell phone--why even bother with Outlook (or Evolution--unless it's for the calendar which I love--or Th
        • God knows I'd never suggest using Outlook, and Evolution really isn't ready for prime time, but I use Thunderbird (and Eudora before that) because I want my mail on my machine, not on the web. I have mailing lists dating back to 1994 I use for research, and if my net connection goes down (as it does out here in the boonies), I can still search my archives.
  • by Software ( 179033 ) on Tuesday September 12, 2006 @05:30PM (#16092508) Journal
    It's nice to know that they're re-fixing the security hole, but how about fixing the browser crashes? From http://support.microsoft.com/kb/923996/ [microsoft.com] :
    When you visit a Web page that uses a custom pop-up object, Microsoft Internet Explorer 6 closes unexpectedly and generates an error in the Mshtml.dll file. This problem occurs after you install security update 918899 on a Windows XP Service Pack 2 (SP2)-based or a Windows Server 2003 Service Pack 1 (SP1)-based computer. A hotfix is available if you are severely affected by this problem. Otherwise, we recommend that you wait for the next cumulative security update for Internet Explorer.
  • Third-party security software, no one in their right (or even severly handicapped) mind would think such. Thank you for reconfirming my suspicions MS.
  • Related to compressed long URLs? Wasn't there a report about some compressed folders with sizes near multiples of 4K gets last chunk padded with 0xD? or something like that? At what point code reuse becomes bug reuse?
  • by Jett ( 135113 )
    Does it still break Siebel?
  • There are people who still haven't upgraded to XP SP2 or 2003 SP1 ?

    Microsoft shouldn't waste time patching/supporting these older browser versions.
    • Microsoft shouldn't waste time patching/supporting these older browser versions.

      While your argument does have some merit, the whole "focus on the new stuff" idea isn't very helpful to a company's image. (Note to ACs: Perfect place to reply with "Can MS's image get any worse? LOLROFLMCBOFL!") For example, say you're playing an old-school game on the PC. Oh noes! It doesn't work. Why not? Well, the company's website says that only the FAQ pages for that game are still up, because they stopped giving specifi

      • I would agree that they should support old versions but at this point is there any reason for the home user not to upgrade to SP2? With the exception of buisness apps everything should be compliant by now.
      • by Z34107 ( 925136 )

        While your argument does have some merit, the whole "focus on the new stuff" idea isn't very helpful to a company's image.

        They can create a "new stuff" patch for the old stuff, or people could just use the patch they already have. XP SP2 is free.

        • no, it isn't free. not if it breaks dependencies and makes important software unuseable. the user has fallen into a proprietary software trap. what happens if the manufacturer of a software you use has gone out of business and sp2 breaks the software on your computer? if the software zou use(d) also saves information in a proprietary format, sp2 is suddenly enormously expensive.
  • Of course, the political correctness gestapo will not allow me to explain more.
  • Bugs Bunny: And so, having re-redisposed of the monster, exit our hero through the front door, stage right.
  • I've been on e_Eye's mailing list for awhile ever since I downloaded Retina. The message they sent regarding this patch release is as follows, "The re-release of MS06-042 comes as a result of eEye Digital Security finding yet another security vulnerability in the original MS06-042 patch. For those of you keeping score, it is now MS06-042: 0 and eEye Research: 2." Classic!
  • With so many engineers, you'd think they'd have a few to spare whom they could assign to writing unit tests. Microsoft seems to push these releases out after an all hands call to "try it out" rather than any comprehensive testing.
  • You would think by now they would have replaced the QA department or partner up with another security firm that can double check update before it goes out the door.

Economists state their GNP growth projections to the nearest tenth of a percentage point to prove they have a sense of humor. -- Edgar R. Fiedler

Working...