Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Microsoft Security The Internet IT

Microsoft's Emergency Internet Explorer Patch Renders Some Lenovo Laptops Unbootable (betanews.com) 165

Earlier this month, Microsoft issued an emergency patch for Internet Explorer to fix a zero-day vulnerability in the web browser. The problem affects versions of Internet Explorer from 9 to 11 across multiple versions of Windows, but it seems that the patch has been causing problems for many people. Specifically, people with some Lenovo laptop have found that after installing the KB4467691 patch they are unable to start Windows, reports BetaNews.
This discussion has been archived. No new comments can be posted.

Microsoft's Emergency Internet Explorer Patch Renders Some Lenovo Laptops Unbootable

Comments Filter:
  • WTF (Score:5, Insightful)

    by Anonymous Coward on Tuesday December 25, 2018 @05:35PM (#57858912)

    If an OS stops booting because of a web browser then you know it's built on shit coding practices.

    • by raymorris ( 2726007 ) on Tuesday December 25, 2018 @05:44PM (#57858942) Journal

      Another demonstration of the fact, which Microsoft's execs testified to under oath, that IE hooks into the operating system in ways that other browsers do not. This makes security issues in IE more dangerous.

      A bug in Chrome, or even randomly deleting Chrome files, doesn't make Windows unable to boot. No Firefox bug can ever make the system unbootable. Trying to fix IE makes the system unable to boot, because IE has its claws sunk into the operating system.

      Therefore security issues in IE are more likely to affect the underlying operating system. Whenever I mention that on Slashdot, people agrue, saying I'm wrong. But here we see that trying to fix a security issue in IE makes the OS unbootable - IE security is tied into the OS. That's one more reason to avoid using Microsoft's browser.

      • by Futurepower(R) ( 558542 ) on Tuesday December 25, 2018 @06:26PM (#57859052) Homepage
        "IE has its claws sunk into the operating system.

        Therefore security issues in IE are more likely to affect the underlying operating system."


        That seems correct to me. It seems that everywhere we look, we find that Microsoft is managed poorly.
        • Re: (Score:3, Funny)

          It seems that everywhere we look, we find that Microsoft is managed poorly.

          You check the bottom line?

        • by Anonymous Coward on Tuesday December 25, 2018 @08:20PM (#57859440)

          I disagree. It's more likely that some Lenovo crapware had it's hooks into Windows AND IE and when Microsoft fixed the issue, the Lenovo crapware broke the system. Let's not forget Superfish....

          https://en.wikipedia.org/wiki/Superfish#Lenovo_security_incident

          • by tlhIngan ( 30335 )

            I disagree. It's more likely that some Lenovo crapware had it's hooks into Windows AND IE and when Microsoft fixed the issue, the Lenovo crapware broke the system. Let's not forget Superfish....

            https://en.wikipedia.org/wiki/... [wikipedia.org]

            While not likely to be superfish, this problem has been seen in the wild. I recall we had a bunch of Lenovo machines that were unbootable beyond a certain release of Windows 10 and it was one of the Lenovo "Platform Manager" software things causing it. Uninstalling it made it all wor

      • I agrue with you.

      • Because when MS said that shit during their anti-trust trial, people didn't believe them.

        People thought they just added some hooks that didn't do anything, so that they could say it. They didn't think they really believed it was a good idea, or that they were going to not only do it for real but still be doing it twenty years later.

      • by Anonymous Coward

        Another less known side of the story of IE considered being necessary was there was a *ton* of business/enterprise software that just embedded IE as a general text editor and/or display window. Getting rid of this would downright cause that software to crash because its running on windows, and windows always has IE. Can you imagine some businesses getting a forced update that removed IE and then business ground to a halt? oh right, windows does that anyway.

      • That's one more reason to avoid using Microsoft's browser.

        I'm not disagreeing with you, but HOW does one "avoid using Microsoft's browser?"

        TFS doesn't say that actually USING IE smoked the OS. The UPDATE did.

        Before this incident, I would have been one of the jerks pointing out to you that MSFT was, by litigation, forced to decouple IE from the OS.

        You're right and I was wrong.

        Thanks.

        • by micheas ( 231635 )
          Install, FreeBSD, a Linux distro like Ubuntu or RedHat, or convert the machine into a Hackintosh are a few ways to not use IE.

          There is a headless version of Windows Server that should allow you to run windows apps without IE, although IIRC, Quickbooks server relies on IE for remote connections, so your mileage may vary as to how viable headless windows is for running server applications.

      • by rtb61 ( 674572 ) on Tuesday December 25, 2018 @07:05PM (#57859186) Homepage

        The sick reason why this is so. They built elements of internet explorer into the OS so that firefox and chrome would appear to load and run slower than internet explorer because elements of internet explorer are already running in windows. This was like delayed start for service in windows, ohh, look windows loads faster but whoops, it won't run apps tied to those services that have not started yet but M$ can brag how fast the windows GUI boots even though you can not run apps, until delayed start services have started.

        • by raymorris ( 2726007 ) on Tuesday December 25, 2018 @07:34PM (#57859310) Journal

          That's one bonus for Microsoft.

          Historically, how it happened was in the early 1990s, before the web, Microsoft spent a ton of money building a really cool technology. The sudden rise of the web screwed up their plans and they had to scramble to try to salvage some of their investment.

          They had something called OLE, Object Linking and Embedding. Basically it let you put one document inside another - a picture inside a spreadsheet, a song in a Word document. Microsoft spent lots of money and time building on this idea, it was their "big new thing", an OS (shell) and programming tools built around this concept. This next generation of OLE was called COM. Just before the release in Windows 95, something interesting happened.

          As Microsoft was about to start the big PR blitz showing how not only could your Word documents contain pictures, but even your desktop could contain active programs, along came "IMG src". Even "TD IMG src" - you could have a table with an embedded picture with no proprietary Microsoft technology needed. Microsoft's "big new thing" was suddenly outdated as a overly complex, over-engineered mess just as it was released. Fuck! Literally their were a lot of Fun bombs at Microsoft when they saw the rise of HTML, with its simplicity.

          So here's Microsoft with a billion dollars invested in a system for embedding pics in your documents and your desktop, suddenly not needed because HTML does documents with embedded pics and sounds so much simpler. What can Microsoft do to save their investment?

          They route they chose was to rename COM to "ActiveX" and pitch it as a web technology. Internet Explorer became the most important ActiveX container. Instead of focusing on an Active Desktop, the sales pitch was to use this on the web, with ActiveX web pages. What was originally supposed to be done by the File Explorer shell now needed to be done by the browser, so the two projects merged to become Explorer. The desktop shell Explorer and the browser Explorer were the same code with a different wrapper.

          Over time, the competitive issues you pointed out became more important.

          Someone may point out "that was 20 years ago". Yes, it was. This post is a history lesson in how we got here.

          • by TheRealMindChild ( 743925 ) on Tuesday December 25, 2018 @08:59PM (#57859526) Homepage Journal
            Just before the release in Windows 95, something interesting happened.

            Your timeline is skewed. Active Desktop took place in Windows 98 with IE4. Then you go with

            So here's Microsoft with a billion dollars invested in a system for embedding pics in your documents and your desktop, suddenly not needed because HTML does documents with embedded pics and sounds so much simpler. What can Microsoft do to save their investment? They route they chose was to rename COM to "ActiveX" and pitch it as a web technology.

            That isn't what ActiveX is at all. It was an extension of COM to allow scriptability to the system. IDispatch. COM objects could now be usable in a type indifferent scripting language. They shoehorned this into the web, but it was and is a very large part of the Windows Explorer Shell. A common platform. Something Linux still struggles with.
            • by raymorris ( 2726007 ) on Tuesday December 25, 2018 @10:40PM (#57859754) Journal

              Here's an article that Microsoft added to MSDN in 1995.
              The second half of the article covers iDispatch, a style of COM interface.
              https://web.archive.org/web/20... [archive.org]

              Here's the 1996 Microsoft announcement officially announcing the ActiveX name and their strategy for presenting it as a web technology, in which they say "ActiveX controls (formerly COM components)". The Microsodt announcement says thousands of COM/ActiveX components were already available, but could now be used in the web browser (IE 3.0).
              According to Microsoft's announcement, ActiveX controls" were formerly called "COM components". According to their announcement, many companies had already been making them, as "COM" for desktop software, prior to IE 3.0 supporting them and the change to the ActiveX branding.

              One reason I remember this so clearly is that I was one of the people making COM components at the time it was rebranded ActiveX. I know I didn't have to change my software in order to make my existing COM components, including a styleable linear "slider" control I designed, into ActiveX components - the only change was the branding.

              You are correct that Active Desktop was September 1997.

            • by Solandri ( 704621 ) on Wednesday December 26, 2018 @12:58AM (#57860130)

              Your timeline is skewed. Active Desktop took place in Windows 98 with IE4. Then you go with

              He left out the greater context in which this was happening. Netscape was the dominant browser from 1993-1998 [wikipedia.org]. You had to pay to buy Netscape during this time, just like buying Photoshop or Office. IE wasn't included as part of Win95, and as a standalone product it wasn't very successful.

              Gates didn't believe in the Internet. Microsoft had bet on the CompuServe/GEnie/AOL model of global networking - where people paid to dialup to portals set up and controlled by one company. MSNBC was originally Microsoft's (and NBC's joint) foray into this model. That's right, you initially had to subscribe to MSNBC in order to view its content. As a result, Windows was late getting a TCP/IP stack (necessary for Internet) built in (it was included with Win95). Microsoft was very much a follower on everything happening on the Internet, like the web (which became big in 1994). Microsoft couldn't stomach the idea of someone else controlling the web, so they went for the jugular. They included IE for free with Win98, thus choking off Netscape's revenue stream. What Microsoft had done to Stacker was still fresh in everyone's minds. (Stac came up with the idea of disk compression. When Microsoft was unable to come to a licensing agreement with Stac, they built their own version and included it for free with MS-DOS, thus killing off the sale-ability of Stac's product.)

              Bundling IE with Win98 for free would of course would raise the same legal issues the Stacker case raised - whether Microsoft should be allowed to use profits from DOS/Windows to subsidize development of products which competed with existing products which ran on DOS/Windows. There was a possibility a court would order Microsoft to unbundle IE and sell it separately in competition with Netscape. So to stave off that possibility, they did everything they could to tie IE as deeply as they could within Windows. That way they could honestly argue in court that it was impossible to unbundle IE from Windows.

              And that deep embedding to prevent a court from thwarting their ploy to kill off Netscape is why an IE patch today can make Windows unbootable.

              The COM and ActiveX stuff is relevant because Microsoft realized that if the world moved from DOS/Windows apps to generic web-based apps which could run on any OS as long as it had a compliant browser, nobody would pay for DOS/Windows anymore. So they set out to take control of web-based apps with ActiveX. (As it turned out, the performance hit for running a web-based app was big enough that it didn't really become competitive with native OSes until the mid-2000s, about the time Flash and Java came into their own.)

          • by rtb61 ( 674572 ) on Wednesday December 26, 2018 @12:18AM (#57860014) Homepage

            What is mind boggling is why they were so stubborn to change course and made themselves become increasingly more unpopular as they tried to force the ideas they wanted on everyone who did not want it. Really lost their customer focus and become unreliable suppliers. I liked all things M$ once, no longer, they seem not to be able to correct their mistakes and take on a greater customer focus. Instead, locked into forcing what they want on their customers but then they are not the only tech company to fall into exactly the same hole and just keep digging and digging as fast as they can, same crap warranties, same marketing lies, same dodging responsibility for major failures and same attitude to change, only when it is too late to work, only once they are forced.

            • What is mind boggling is why they were so stubborn to change course and made themselves become increasingly more unpopular as they tried to force the ideas they wanted on everyone who did not want it. Really lost their customer focus and become unreliable suppliers

              Because it has worked for Microsoft.

              The question is: why do people accept the shit that Microsoft shovels their way?

        • This was like delayed start for service in windows, ohh, look windows loads faster but whoops, it won't run apps tied to those services that have not started yet but M$ can brag how fast the windows GUI boots even though you can not run apps, until delayed start services have started.

          Good. Not all apps depend on all services. There's no reason why e.g. Word should not run just because Windows doesn't have the network card up and running. Sequential booting is a relic of the 90s and we're all glad to be rid of it.

      • They made it hook in in response to the Netscape trial for Microsoft's competitive practices with marketing Internet Explorer. Netscape was trying to get the result of forcing Microsoft to remove the browser from the OS so they would compete on an even field. Bill Gates ordered them to make it where that couldn't be done. Microsoft had already made this argument in court but Netscape was able to prove they were lying. This led to Windows Millennium that they backported this "feature* to Windows 98.

      • That's one more reason to avoid using Microsoft's browser.

        That's one more reason to avoid using Microsoft's operating system, too.

      • No Firefox bug can ever make the system unbootable.

        Isn't Mozilla still installing that Maintenance Service with admin privileges?

      • While you're not wrong, you're not right either. The interaction between IE and Windows does mean that they are likely in some cases to share some code that could cause bugs or security issues to propagate between them.

        It does however not mean that every security bug in IE is a Windows bug. It also doesn't mean that fixing bugs in IE automatically has an affect on the OS.

        And given that this only affects Lenovo laptops what's the bet that this bug didn't affect Windows in the slightest, but rather Lenovo shi

        • > It does however not mean that every security bug in IE is a Windows bug.

          Right, every week when there's another IE bug you don't know whether it provides the attacker access to exploit the kernel or system shell. Some do, some don't.

          Contrast a Firefox bug. That's going to affect Firefox. Never the operating system.

          • Some do, some don't.

            My point exactly.

            Contrast a Firefox bug. That's going to affect Firefox. Never the operating system.

            That depends entirely on what privileges you use to run Firefox. You are also abusing the timeline. Firefox was by far the last browser to implement sandboxed environments which means prior to Firefox 55 every arbitrary code execution CVE could affect any part of the system with the privileges of the local user which almost universally means the system is now no longer yours.

            Don't get me wrong, integration is bad, but not integrating doesn't make it magically safe.

      • by Hodr ( 219920 )

        This didn't happen to the overwhelming majority of computers that received the patch, it happened to a specific subset. So it didn't brick the OS it bricked some vendor that did non-standard things to the OS.

        And your argument that an OS shouldn't have deep browser hooks is ridiculous, unless you don't believe Chrome OS or FireFox OS are valid OS'.

        Code re-use is a good thing. If a modern browser includes 2/3rds of the things necessary for an entire OS, why not make it the basis of an entire OS (obviously Go

        • > Your argument that an OS shouldn't have deep browser hooks is ridiculous, unless you don't believe Chrome OS or FireFox OS are valid OS'. ..
          > obviously Google and Firefox thought this was a good idea).

          Just so I understand, your argument is that ChromeOS and FirefoxOS are the best operating systems, and every operating system should try to be like FirefoxOS, because it worked so well?

    • Re:WTF (Score:4, Insightful)

      by Rosco P. Coltrane ( 209368 ) on Tuesday December 25, 2018 @06:05PM (#57859000)

      Well, while I agree Microsoft probably weaved bits of IE deep into the OS go gain unfair advantages over competing browsers, the issue in question might also run deeper than the browser. For instance, they might have modified or extended a kernel API call to truly secure whatever runs on top of the kernel. So they might have patched the browser and the kernel to fix the issue, and fucked up the kernel bit of the patch.

      The real issue is that Microsoft views their users are computer idiots (with some reason) and bundles OS and application layer diffs in one single patch, and you don't really know what a Microsoft patch does or modifies.

      • by no-body ( 127863 )
        Looks to me also that on bootup the OS calls home maybe to check for updates, but what else is going on during that process maybe a black box. In any case, it seems to take it's time on bootup with disk defragged... Possibly unplugging the network cable before turning it on seems to make it quicker, but this can be imagination....
      • The real issue is that Microsoft views their users are computer idiots

        Considering this only happens to Lenovo laptops can you really blame them?

    • Re:WTF (Score:5, Insightful)

      by ShanghaiBill ( 739463 ) on Tuesday December 25, 2018 @06:13PM (#57859020)

      If an OS stops booting because of a web browser then you know it's built on shit coding practices.

      That depends on your objectives. If you want a system to be secure and robust, then it is shitty practice. If you want to maximize profit based on customer lock-in to a complex integrated monolithic system, it is good practice.

      Microsoft made $110B in profit during the last fiscal year. That is up 14% on a year earlier, and a record high.

      • " If you want to maximize profit based on customer lock-in to a complex integrated monolithic system, it is good practice."

        That is long-term abuse. Eventually markets find ways to navigate around abuse. Maybe ReactOS? [reactos.org]

        Run Windows programs under Linux? How to run Windows software in Linux: Everything you need to know [pcworld.com]. (March 23, 2015)

        A later story: How to Run Windows Programs on Linux? [mashtips.com] (August 10, 2018)
        • Eventually markets find ways to navigate around abuse.

          Microsoft has been around for 43 years. They are making record revenues and profits. "Eventually" can be a long time.

        • by tepples ( 727027 )

          That is long-term abuse. Eventually markets find ways to navigate around abuse. [...] Run Windows programs under Linux? How to run Windows software in Linux: Everything you need to know

          Summary of Chris Hoffman's article:

          1. Wine
          2. Virtual machines
          3. Dual-booting

          Two methods mentioned in this article require a Windows license, which continues the same sort of abuse. All three continue the alleged abuses of Intel and AMD because they won't work on ARM computers, such as a Raspberry Pi or Pinebook.

      • It sounds good, but what is actually locked in by it? You can't use the browser on other platforms anyway, so having OS hooks doesn't do shit to assist lock-in.

        If you're so attached to one browser that you've locked yourself to it, that affects you the same regardless of how it is implemented.

    • by Anonymous Coward

      If an OS stops booting because of a web browser then you know it's built on shit coding practices.

      This update is exceptionally bizarre. The description:

      "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

      The security update addresses the vulnerability by modifying how the scripting eng

    • Re:WTF (Score:4, Interesting)

      by PsychoSlashDot ( 207849 ) on Tuesday December 25, 2018 @07:01PM (#57859174)

      If an OS stops booting because of a web browser then you know it's built on shit coding practices.

      To be fair, we don't know what went wrong. As in, it's entirely possible that the patch itself was built incorrectly and includes files required for the operating system, incorrectly.

      Also, someone down-stream indicated that MS' report indicates it involves SecureBoot, which I believe signs some things. It's possible an IE file was signed as required-to-never-change and just did, or something similar. I'm not fluent with SecureBoot, but my point is that folks are jumping to conclusions that aren't (yet) merited, dumb as the outcome is.

    • Re:WTF (Score:5, Interesting)

      by slashmydots ( 2189826 ) on Tuesday December 25, 2018 @07:14PM (#57859224)
      You're way off base here. What's the difference between Lenovo laptops and other laptops? OH YEAH. Preinstalled garbage software that run as services. That is obviously what broke. And trust me, from experience, I can assure you Lenovo's trash software is unstable, badly-designed garbage.
    • Perhaps Microsoft is " fixing " more than what they say they are.

      The real question is, while they say they are doing X, what else are they doing under the hood that they don't bother to say anything about.

  • by Anonymous Coward on Tuesday December 25, 2018 @05:36PM (#57858914)

    Stating a device is not bootable is far different than stating that an operating system is not bootable. The headline alone implies that a Windows update bricked laptops, which isn't true at all.

  • by b0s0z0ku ( 752509 ) on Tuesday December 25, 2018 @05:39PM (#57858926)
    Remove Windows, install real OS. Problem solved.
    • by Anonymous Coward

      You'll have to disable secure boot...oh wait that's the fix for this whole thing. So just disable it and Windows boots again.

    • Which real OS are you talking about? I hope not Linux since the last time we got a story like this it was the latest Linux kernel making Lenovo laptops unbootable due to a UEFI bug.

  • Typical MS QA (Score:3, Interesting)

    by GerryGilmore ( 663905 ) on Tuesday December 25, 2018 @05:41PM (#57858930)
    "Here! Here's a badly needed security patch for a we browser. Oh - your computer won't boot even to the OS level? Sucks to be you." I've been MS-free for about 15 years now, migrated a bunch of friends and family to Linux and we just couldn't be happier.
    • by antdude ( 79039 )

      What QA? MS got rid of its QA years ago!

    • The fact that an IE patch made Lenovo and only Lenovo laptops unbootable says more about Lenovo than about Microsoft.

      I mean sure MS's Quality control would be a running joke if they ever got it running, but give credit where credit is due. This isn't the first time Lenovo laptops became unbootable for some irrelevant OS update. Remember when a Linux kernel update actually managed to properly brick Lenovo devices? I do.

  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Tuesday December 25, 2018 @05:44PM (#57858938) Homepage

    I could understand if a patch to MS-IE were to make IE not work with some hardware configuration ... but why should this stop a machine from booting ? This was a security issue ... it appears that MS has code spanning user & kernel space and, what should be, a user space fix is partly in the kernel. Presumably this is to try to squeeze a bit of performance, but all that it does is to produce fragile systems.

    Separation of different code modules that do different things is one of the really basic concepts in programming, it appears that this does not happen at MS. Why not ? What on earth are these guys smoking ? (Cue the MS apologists who will burble some sorts of excuse.)

    • by rsilvergun ( 571051 ) on Tuesday December 25, 2018 @05:55PM (#57858968)
      so they could skirt around European anti-trust rules that said they couldn't bundle a competitive product with an unrelated product (since that would be an abuse of their defacto OS monopoly). This way they could go to the EU and say "See, it's not that we're bundling IE with Windows in order to leverage our monopoly and break open Internet standards, it's just every so crucial to our OS". Worked too. The downside is everytime IE breaks it takes everything with it.

      Take a bad engineering decision by Microsoft and you'll almost always fine evil, and not incompetence, at the heart of it.
    • by KingMotley ( 944240 ) on Tuesday December 25, 2018 @06:42PM (#57859100) Journal

      From what I understand, the issue is that some lenovo laptops were configured with 4GB of ram, and secure boot enabled. Unfortunately the IE fix triggered a bug in the secure boot code where it couldn't validate the entirety of the windows executables. It had really nothing to do with the IE fix other than it made the executable larger than before. Any change to any executable would have triggered the same effect.

      But that is just what I've heard with very little actual technical information. For example the issue didn't affect lenovo laptops with 8GB of RAM or more, or had secure boot disabled. Likely there is a third piece missing that has some custom lenovo driver or BIOS issue that is also "buggy".

    • Lenovo decided separation of functionality was something that only Linux users needed and decided to depend on IE in order for the OS to boot.

  • It seems to me that Microsoft's top management is utterly incompetent.

    Microsoft: No one is managing well? [slashdot.org]
    • Why? Because Lenovo firmware is a shitshow that broke with the November security update which would also be installed by the cumulative update in this emergency release for IE?

      • That theory seems reasonable to me.

        Lenovo Laptops Common Problems [zoorepairs.com.au]

        1009 Lenovo Consumer Reviews and Complaints [consumeraffairs.com] Quote: "Let me begin by saying I will never buy anything from Lenovo ever again. The only reason I bother to write this review is so that Lenovo can hopefully address some of the many problems within the company, which might help other customers avoid the same ordeal that I have experienced."

        However, it seems reasonable that Microsoft would try all updates with commonly-sold hardware befo
        • However, it seems reasonable that Microsoft would try all updates with commonly-sold hardware before releasing the updates.

          Bahahhahahaha

          But I'm not one to not provide references to hysterical laughter:
          https://www.windowscentral.com... [windowscentral.com]
          https://www.digitaltrends.com/... [digitaltrends.com]

          While I give MS a pass for not testing their updates on Lenovo devices, afterall there's a shitton of custom stuff out there, they deserve to rot in hell for not testing their own.

  • then again you could get the same level of security by repeatedly hitting it with a sledge hammer.
  • by arcctgx ( 607542 ) on Tuesday December 25, 2018 @06:40PM (#57859086)

    So according to https://support.microsoft.com/... [microsoft.com] it's:

    1. Vendor-specific (Lenovo only)
    2. Dependent on the amount of memory (systems with less than 8 GB of RAM are affected)
    3. Somehow related to Secure Boot (disabling Secure Boot is listed as a workaround)

    And all the trouble is caused by patching a web browser (however deeply integrated with the operating system)? What the hell?

    • by jittles ( 1613415 ) on Tuesday December 25, 2018 @07:06PM (#57859194)

      So according to https://support.microsoft.com/... [microsoft.com] it's:

      1. Vendor-specific (Lenovo only) 2. Dependent on the amount of memory (systems with less than 8 GB of RAM are affected) 3. Somehow related to Secure Boot (disabling Secure Boot is listed as a workaround)

      And all the trouble is caused by patching a web browser (however deeply integrated with the operating system)? What the hell?

      I work with a lot of these companies and Lenovo is, in my experience (and opinion), the only consumer grade manufacturer that takes security issues seriously. I would not be surprised if Lenovo was the only manufacturer shipping Windows 10 systems with 4GB of RAM and Secure Boot enabled.

      • I would not be surprised if Lenovo was the only manufacturer shipping Windows 10 systems with 4GB of RAM and Secure Boot enabled.

        Part of Microsoft "Designed for Windows" certification requires OEMs to ship their windows computers with Secure Boot enabled by default, and a switch for disabling it to be present in the BIOS.

        Be surprised. Be very surprised.

        Posted from a computer with 4GB of RAM and Secure Boot on which boots just fine.

        Now while Lenovo may be the only company to "take security seriously" they are also the only company who couldn't code a Hello World example without including some system breaking bug. A company that has be

        • I would not be surprised if Lenovo was the only manufacturer shipping Windows 10 systems with 4GB of RAM and Secure Boot enabled.

          Part of Microsoft "Designed for Windows" certification requires OEMs to ship their windows computers with Secure Boot enabled by default, and a switch for disabling it to be present in the BIOS.

          Ah, yes. I forgot that has been a requirement since Windows 8. My relationship with Lenovo does not deal with Windows requirements.

          Now while Lenovo may be the only company to "take security seriously" they are also the only company who couldn't code a Hello World example without including some system breaking bug. A company that has been in trouble with Microsoft updates before, who embedded firmware in their devices which called home, and a company where enabling Thunderbolt while running Linux caused their computer to be bricked (very secure a computer that can't even get to the BIOS screen), or installing Linux Kernel 4.13 caused the Lenovo BIOS to become read only (also great for security).

          Fuck Lenovo and their piece of shit software / firmware.

          I don’t ever see Lenovo code, I supply code to them for a hardware component that exists on most desktops, tablets, phones, laptops, and servers. If I deliver insecure code then Lenovo asks for patches for far more generations than any other manufacturer*. They license the code, though, so I can’t tell what they do with it after they get the fix. I don’t o

    • i don't have much experience in this, but in theory what it could be happening is:

      1) there's an out ot bounds bug or buffer overflow in IE
      2) the exact portion of the memory being addressed contains code used by Lenovo
      3) Disabling secure boot may disable that code, thus making the problem not reproducible any more.

  • by AndyKron ( 937105 ) on Tuesday December 25, 2018 @06:49PM (#57859120)
    More than two decades after releasing IE they're still patching it and still not getting it right.
  • They make a path that borks a whole system.

  • It is nice to get yet further proof that you guys remain as reliable in your behavior as ever.
  • by Daltorak ( 122403 ) on Tuesday December 25, 2018 @08:29PM (#57859472)

    I know it's fun and exciting to blame a web browser hotfix for a booting problem..... especially when it's Internet Explorer, right? But..... ahhh, shit, hate to spoil the fun, but this is just another case of "journalists" not doing the bare minimum of reading before shitting out another article they'll get paid $10 for.

    This booting problem with Lenovo laptops has existed for a month and a half -- it was introduced in the November 2018 cumulative security update. It even says so right there in the patch notes! But because these "journalists" don't know how to read anymore, we end up with Slashdot articles like this one that don't have the correct information in them.

    All Windows patches are now cumulative, so sure, if you apply the IE hotfix to a machine that is three months behind in updates, then you can hit this problem. But it's not the IE part that's causing it.

  • I don't understand the complaints about this. IE is now secure on the computers that cannot boot.
  • Thank goodness I don't ever use Explorer.

  • One mitigation that I saw listed was removing access to jscript.dll until the system in question could be patched. That makes me wonder if Lenovo built something using a scripting engine included with the OS, then had it yanked out.
  • Lenovo isn't exactly trustworthy. They've packed spyware and rootkits into their products before, and probably still are. What do you want to bet that these laptops aren't booting because Lenovo is doing something naughty?
  • Why does installing a patch to an application require a reboot? Why does installing a patch to an application render the OS unable to boot? Is the Windows architecture as as bad as it appears to be?
    • No, just people's understating of it is problematic. None of anything related to IE requires a reboot or causes this problem. However Windows patches are cumulative, so if you haven't updated in a while this "IE Patch" will give you the Nov 18 security update which includes OS level changes, kernel level changes (requiring reboot), and also happens to be the patch that cause this problem.

      • When I patch IE, a reboot is required. Trying to say that I do not have to reboot because I patched IE is typical Microsoft cheerleader response. IE was patched and a reboot was required. Please do not tell me what I saw with my own eyes did not happen. I have also updated other apps which required a reboot. Only on Windows. On FreeBSD, I update apps all the time and all I have to do is restart the app. No reboot is required.

        .

        So I ask again, what is wrong with the Windows architecture that require

        • When I patch IE, a reboot is required.

          How do you patch IE without a applying a cumulative update? The only way I know is WSUS and when you push IE specific patches out they install just fine and simply ask for a courtesy reboot at the end.

          If you're not managing an enterprise machine with WSUS then you're not applying an IE patch.

          So I ask again, what is wrong with the Windows architecture that requires reboots for app updates?

          I repeat: Your understanding of what is going on.

  • First reaction: HA! Microsoft is at it agan.

    Second reaction: Wait, did you say Lenovo laptops? Those guys who would brick your motherboard [reddit.com] if you turned on Thunderbolt assist in _their_ BIOS? OK, maybe it's not Microsoft's fault this time.

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Working...