IE Patch To Fix 57 Vulnerabilities

Billly Gates writes "Microsoft is advising users to stick with other browsers until Tuesday, when 57 patches for Internet Explorer 6, 7, 8, 9, and even 10 are scheduled. There is no word if this patch is to protect IE from the 50+ Java exploits that were patched last week or the new Adobe Flash vulnerabilities. Microsoft has more information here. In semi-related news, IE 10 is almost done for Windows 7 and has a IE10 blocker available for corporations. No word on whether IE 10 will be included as part of the 57 updates."

Why would the Java exploits be related?

[thue]

IE10 bundles Flash, so I guess the flash bugfixes can be related.

But IE does not bundle Java - why would the IE bugfixes be related to the Java bugfixes?

Re:

[kthreadd]

It's doing just fine according to some benchmarks.

http://techcrunch.com/2012/11/06/report-internet-explorer-10-is-the-fastest-browser-on-windows-chrome-19-wins-on-mac/ [techcrunch.com]

Re:

[colfer]

The Mozilla plugin check tool can be used in any browser, and reports Flash on IE10 on Win8 is still "outdated": https://www.mozilla.org/en-US/plugincheck/ [mozilla.org]
But the tool can be inaccurate for some browsers. At this time it does show Flash on Chrome as up-to-date. Chrome also bundles its own Flash. Firefox shows as OK too, after you update. If you try to update Flash in IE10 you get a notice that Flash is bundled, but it also says you can install it if you really want to.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[sbditto85]

Why is this down voted?!? as a web developer I wish IE 6 would disappear into a deep dark recess and never come out! For the site I develop we stopped supporting it ages ago and instead post a banner that basically says "HEY! STOP IT! Upgrade or get a different browser you ninnys" ... something like that if I remember right.

Re:

[Billly Gates]

Why is this down voted?!? as a web developer I wish IE 6 would disappear into a deep dark recess and never come out! For the site I develop we stopped supporting it ages ago and instead post a banner that basically says "HEY! STOP IT! Upgrade or get a different browser you ninnys" ... something like that if I remember right.

It pretty much has. Not even microsoft's website works properly in it anymore and if MS abandons it you can consider it effectively dead for all but specialized internal apps.

With VMWare and Citrix as well as WIndows Server 2003 you can virtualize and run your crappy app inside a modern browser. There is no good business case to use it on a desktop anymore as it is in the realms of legacy x3270 terminal programs now. May it RIP.

That is why it is modded down.The last place I seen it used was in 2011 on a de

Seriusly?

[Anonymous Coward]

"Microsoft is advising users to stick with other browsers until Tuesday"

Ok everybody! go and install Firefox or Chrome!

Re:Seriusly?

[jones_supa]

There seems to be a mistake in the summary. The ZDNet article says "With this in mind, users are advised to switch to another browser for the next few days until the updates are released." That seems like ZD's own recommendation, I couldn't find that from the MS security bulletins.

Re:

[mwvdlee]

I was surprised at reading that in TF(UBAR)S as well; the only reason I can imagine for MS saying that is if they were planning to drop IE altogether... somewhat unlikely.

Re:

[Snowhare]

I think MS may have revised the tech note after ZDNet wrote their story. It was offline for a little while after the story came out, and then came back again.

Re:

[LVSlushdat]

I advise all my clients who are *still* on windows to stay the hell away from IE period.. Firefox/Chrome/Opera are FAR superior to the "swiss-cheese" security environment of MS's turd browser.. So that I'm not *completely* negative, they have come a long ways with what I've seen of IE10, but they make up for that win with the abortion they call Unity/Windows 8.. I'm sure Metro is just fine on a tablet, but on a desktop with keyboard/mouse??? They HAD to be smoking some serious shit...

Re:

[smash]

This. People running IE don't WANT to be running IE. Managing the security problems is just a lot easier than replacing apps that break, dealing with no central policy management or update management, etc.

Re:

[smash]

Firefox, Chrome and Opera have their own issues. Firefox has issues with multiple levels of proxy chaining in certain environments. IE security can be managed via filtering proxies, security zones, UAC, etc. Incompatibility between other browser and business apps often can not.

Microsoft is advising users to stick with other..

[ark1]

browsers. Where did you got this information? MS bulletin does not state that and I doubt MS would ever make such recommendation no matter how serious the bug was.

Re:Microsoft is advising users to stick with other

[djmurdoch]

The submitter got it by misreading the ZDnet article. It was the author of that article (Zack Whittaker) who made the recommendation, not MS.

Re: Microsoft is advising users to stick with othe

[Anonymous Coward]

"The submitter got it by misreading the ZDnet article. It was the author of that article (Zack Whittaker) who made the recommendation, not MS."

Just as well timothy picked it up in editing. Oh, wait...

Re:

[tgd]

"The submitter got it by misreading the ZDnet article. It was the author of that article (Zack Whittaker) who made the recommendation, not MS."

Just as well timothy picked it up in editing. Oh, wait...

Its a Microsoft story -- what is Slashdot going to pick? A summary of an article that communicates the total non-news of a Patch Tuesday, or a hyped-up Anti-Microsoft article that excites their target audience into high levels of self-congratulatory mental masturbation?

Re:

[Runaway1956]

"excites their target audience into high levels of self-congratulatory mental masturbation?"

Mental? Why would you throw such an extraneous word into that statement?

'Scuse me, I gotta get strokin'!

Re:

[tgd]

"excites their target audience into high levels of self-congratulatory mental masturbation?"

Mental? Why would you throw such an extraneous word into that statement?

'Scuse me, I gotta get strokin'!

Well, I'm assuming its hard to franticly reply on Slashdot in one window, and surf 4chan in another, with one hand occupied.

Re:

[fibonacci8]

Do not tempt Rule 34.

Someone got on their case

[eksith]

The fact that IE6 is being patched means someone dropped a NS bomb on them (National Security) which is a sure fire way to motivate companies to keep their software secure. I know it's not the favorite company here, but they fought (sometimes dirty) to get where they are. They made it and have to deal with the "now what?" phase. Software monocultures suck no matter who's culture it is.

What I found really interesting is that bulletins 7-9 and 11 are for escalation of privilege whereas the rest are for remote code execution. Which means, it may not have helped much to be logged in as an unprivileged user anyway.

Re:

[__aaltlg1547]

Software monocultures suck no matter who's culture it is.

You mean whose. Hope this helps

Re:

[Runaway1956]

I saw that. I thought, "Hey, I could be a grammar nazi here." Then, I thought, "Yeah, but why be a douche?" Then, I found your post. So, yeah . . . whatever . . .

Re:

[eksith]

I don't know about confirmation bias, but I've hidden scores so I can focus more on the crux of the message vs. catering to some perceived acceptance. You should try it too so you won't be needlessly aggravated over a number in a database.

And the IE6 support until 2014 makes my argument still valid I.E. A large percentage still uses it, which makes every vulnerable user potentially drafted into a bot army. And botnets, last I checked, are still considered a threat to NS.

Re:Someone got on their case

[Ralish]

The fact that IE6 is being patched means someone dropped a NS bomb on them (National Security)...

It's being patched because IE6 shipped with Windows XP and MS guarantees they will support the version of IE that was shipped with a given release of Windows for the support lifetime of that Windows release. Windows XP is supported into 2014, so Internet Explorer 6 on Windows XP is as well. This is not a secret.

Re:

[smash]

In other words, blame all the "you'll prise XP from my cold dead hands" blow-hards.

Excellent summary!

[YrWrstNtmr]

...57 patches for Internet Explorer 6, 7, 8, 9, and even 10 are scheduled.
and
No word on whether IE 10 will be included as part of the 57 updates.

Did you even read what you wrote?

Re:

[rjr162]

Re-read.. part of the updates are patches, including patches for IE 10, BUT its not known if one of the updates is the actual upgrade to IE 10 its self... was that so hard to understand? (I realize it could have been worded it a bit better, but it's still not hard to figure out)

Re:

[YrWrstNtmr]

I get it. But as you say, it could have been worded a bit better.

Re:

[jones_supa]

I wonder if you did not read it.

IE 10 is almost done for Windows 7 and has a IE10 blocker available for corporations. No word on whether IE 10 will be included as part of the 57 updates.

It's talking about IE 10 being released for Windows 7.

We don't need no stinking...

[Chordonblue]

Patches, you say? What about SP2 for Win 7? Other than making us move to Win 8, is there a good reason why I should have to d/l 250+ MB on a clean install? A roll up for .NET 4 would be in order as well...

Re:

[aa_trna_syn]

Definitely. Would be even better after this next Patch Tuesday. Don't see it happening, though.

ZDNet = Garbage

[Anonymous Coward]

They are 12 vulnerabilities and 57 patches across all their operating systems. 2 are critical.

Microsoft Dynamics is a POS

[tepples]

Not being able to actually uninstall your POS

Even Microsoft admits [microsoft.com] that its software is a POS.

But seriously, I've rescued several failed Windows PCs by replacing the OS with Ubuntu. Retraining casual users from Windows to Xubuntu isn't as hard as some people claim.

Re:

[s7uar7]

"Hey tepples, I've just bought an iPhone but can't get iTunes to install on that PC of mine that you fixed. Could you come round and take a look please? I'm also having problems getting Netflix to work; could you take a look at that too, please? "

Re:

[gQuigs]

Yea.. I tell them what the pros and cons are before I give them a PC (with Ubuntu or Windows). Do iPhones really still need software installed on the PC? I thought they finally got better than that?

For Netflix I would say: there is currently a way to play Netflix but it is not supported by Netflix officially and I wouldn't depend on it as your only way to play Netflix.

http://www.omgubuntu.co.uk/2012/11/how-to-use-netflix-on-ubuntu [omgubuntu.co.uk]

Re:

[jones_supa]

But seriously, I've rescued several failed Windows PCs by replacing the OS with Ubuntu. Retraining casual users from Windows to Xubuntu isn't as hard as some people claim.

I still don't like the idea of shoving Linux down the throats of clueless people when their PC breaks. What if they need to use Office, play some random game, use a new piece of hardware, or if the system upgrade leaves the computer in an unbootable state. They will be less likely to get fucked under Windows in such cases.

Such a user can re-buy Windows

[tepples]

What if they need to use Office, play some random game, use a new piece of hardware

Such a user can buy a copy of Windows to replace the copy on the restore disc or restore partition that he admits having lost. When deciding whether to install Windows or Xubuntu for a family member, I make sure to ask what applications the user most commonly uses, and then I weigh that against whether or not the user has the install media and certificate of authenticity for a supported Windows operating system handy. And by "supported" I mean both whether or not the operating system is compatible with the

Re:

[jones_supa]

Such a user can buy a copy of Windows to replace the copy on the restore disc or restore partition that he admits having lost. When deciding whether to install Windows or Xubuntu for a family member, I make sure to ask what applications the user most commonly uses, and then I weigh that against whether or not the user has the install media and certificate of authenticity for a supported Windows operating system handy. And by "supported" I mean both whether or not the operating system is compatible with the hardware and how long until the announced end of life. For example, I'd consider Windows XP unsupported because security updates will end in 14 months.

Just install Windows 7 from a Digital River image and use Daz Loader. Illegal but practical. Ethically this should be fine as the user most likely paid the Windows tax when he bought the computer.

or if the system upgrade leaves the computer in an unbootable state

How is this less likely to happen in an upgrade from Windows XP to Windows Vista, from Windows Vista to Windows 7, or from Windows 7 to Windows 8, than in an upgrade from (say) Ubuntu 10.04 to Ubuntu 12.04?

I meant applying the everyday updates, not a major version upgrade.

Re:

[tepples]

I meant applying the everyday updates, not a major version upgrade.

I've never had (the GUI equivalent of sudo sh -c 'apt-get update; apt-get upgrade; reboot' cause boot failure in over four years.

Re:

[jones_supa]

Ok, maybe it actually isn't that bad than what I thought.

Re:

[tepples]

Have you ever actually performed a larger update of Ubuntu?

You mean like 9.10 to 10.04 to 10.10 to 11.04 to 11.10 to 12.04 on my laptop, or 8.04 to 10.04 on my web development workstation at work? Those went fairly smoothly, with a few (solvable) hardware-related issues that were not much bigger than the typical issues after a major Service Pack on Windows.

Re:

[geminidomino]

I never bothered going from version to version since way back when they said the best approach was a wipe and reinstall.

I can say this though: Ubuntu's attitude as of Precises still seems to be "Fuck you if you're going from LTS to LTS."

Re:

[geminidomino]

All of which is absolutely useless if you consider that the most common use case for LTS is for servers, and "wipe and reinstall" means a lot more downtime than would be necessary if the upgrade process wasn't utterly braindead.

Re:

[Runaway1956]

You can't exactly "uninstall" the browser, but you can remove it from the installation media, thereby preventing it's installation. But, you knew that, right?

http://www.nliteos.com/ [nliteos.com]

It's been years since I used this, but it worked great back then!

exciting

[hraponssi]

First Oracle releases patches for 50 Java vulnerabilities, now Microsoft does better with 57 for IE. Who will be the first to go over 60 in the competition?

In any case, it seems we are doomed as far as security on the Internet goes. Kinda depressing.

Re:

[jones_supa]

Who knows, maybe they are just paying attention to security and actually fixing their shit.

Re:

[bruce_the_loon]

He's obviously got 107 zero-day attack vectors all lined up for a Valentine's Day massacre and Oracle patched away most of them and MS is gonna kill the rest come Tuesday.

Re:

[Osgeld]

so it still performs just as well as when it was released?

Re:

[Billly Gates]

You are wrong Osgeld. You need to see IE in action [youtube.com].

Editorial standards are for lamers

[Ralish]

At least, I assume that is the prevailing attitude on Slashdot these days? Let's see:

IE Patch to Fix 57 Vulnerabilities
No, as per the linked Security Bulletin Advance Notification [microsoft.com] a total of 57 vulnerabilities are being fixed across Windows, Internet Explorer, Office & the .NET Framework. There are not 57 vulnerabilities exclusively in Internet Explorer as the title suggests. We can likely further expect certain vulnerabilities to only be applicable to certain versions of Internet Explorer once the full details are available.

Microsoft is advising users to stick with other browsers until Tuesday
Source?

...when 57 patches for Internet Explorer 6, 7, 8, 9, and even 10 are scheduled.
No, as noted above, the vulnerabilities are across a variety of products. Further, 13 "patches" (aka. updates or bulletins if you prefer) are being released as multiple vulnerabilities are often patched in a single update. As per the linked bulletin, there are two bulletin's being released for Internet Explorer, which would typically result in two updates for Internet Explorer for a given Windows installation. Of course, there'll be many different updates released for different versions of IE and architectures (ie. 32-bit/64-bit/etc...) but a given Windows installation shouldn't have more than two applicable to it.

No word on whether IE 10 will be included as part of the 57 updates.
Apart from the explicit reference to Internet Explorer 10 being affected by at least some of these vulnerabilities in the linked MS Advance Notification? Have you tried reading the very articles you post? I'm reliably informed it helps comprehension.

Are the editors trying to set a new record for inaccuracies within a small paragraph of text?

Microsoft advising what?

[gtirloni]

"Microsoft is advising users to stick with other browsers until Tuesday"

I see.

Microsoft reminds me of the food company Heinz now

[acid_andy]

57 Varieties - of vulnerability!