Forgot your password?
typodupeerror

Microsoft Releases Critical IE Patch 172

Posted by CmdrTaco
from the but-i-thought-all-patches-were-critical dept.
Laura Brown writes "Microsoft has released its security software patches for April. The most anticipated is the MS06-013 patch, which fixes several IE bugs, including the "create TextRange ()" vulnerability. Hackers had been exploiting this problem by installing unauthorized software on PCs. "
This discussion has been archived. No new comments can be posted.

Microsoft Releases Critical IE Patch

Comments Filter:
  • The Exploit (Score:5, Informative)

    by eldavojohn (898314) * <eldavojohn.gmail@com> on Wednesday April 12, 2006 @11:40AM (#15114011) Journal
    The Exploit If you want to know more about the exploit that this release is supposed to fix, here is a shellcoded from of it [milw0rm.com] (dated 03.22.2006).

    And here's Microsoft's acknowledgement [microsoft.com] of the exploit (dated 03.23.2006).

    And here's an "expert" saying that releasing the above exploit is irresponsible [sys-con.com] (dated 03.24.2006).

    It is now 04.12.2006 and a patch is out to correct it.

    *checks his watch*

    Not bad, but your response time could use some imporvement.
    • Re:The Exploit (Score:3, Informative)

      by Ravatar (891374)
      It was released on the second Tuesday of the month (April 11). Microsoft has been releasing fixes on this schedule for several months now, maybe longer. They do this so that every patch on the release board gets the full testing cycle it deserves. Microsoft rarely releases patches off-schedule now.
      • by eldavojohn (898314) * <eldavojohn.gmail@com> on Wednesday April 12, 2006 @11:52AM (#15114112) Journal
        They do this so that every patch on the release board gets the full testing cycle it deserves.
        Imagine you are Microsoft. This means you have nearly unlimited resources and a consumer base of astronomical proportions. I would imagine that a testing cycle could be accelerated for something as small as patches by a adequately equipped largely staffed team of people who's sole job is to know IE inside and out and study it daily.

        The following excerpt is alarming [washingtonpost.com]:
        Over the past year, Mozilla averaged about 21 days before it issued fixes for flaws in Firefox, compared with the 135 days it took for Microsoft to address problems.
        I wasn't aware a cycle constituted 135 days.
        Microsoft rarely releases patches off-schedule now.
        That's interesting.

        I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security. I shall take note of that.
        • by Tim C (15259) on Wednesday April 12, 2006 @11:59AM (#15114183)
          Unfortunately Microsoft does listen to its customers, and its biggest (and loudest) customers are corporate IT departments. Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

          No, MS doesn't always release patches as quickly as they could, but in this particular case it certainly looks as though they got it out at the earliest opportunity, where this is defined as "as quickly as the largest proportion of their customer base allows them to".

          I'm surprised to discover that a business to which I have paid loads of money values a schedule over my security.

          Blame MS for bowing to pressure from their customers; blame the corporations for bringing that pressure to bear in the first place.
          • by bunratty (545641) on Wednesday April 12, 2006 @12:03PM (#15114220)
            Couldn't they at least make the patch available ASAP to those who want it ASAP, and roll it out in a monthly patch cycle for those who want a monthly patch cycle? For the number and caliber of computer science researchers Microsoft has at its disposal, and the priority they've put on increased security, it's strange that they somehow haven't figured out how to do this. Is there some issue I'm not understanding?
            • They haven't figured out how to do what? What does making it available ASAP instead of on a schedule that their major corporate customers have strongly requested have to do with "number and caliber of computer science researchers" at Microsoft.

              Regardless they will and do relevant testing, takes days to weeks depending on scope of change its effects... sometimes the effects ripple out to third-parties which can further delay deployment.

              I generally don't like Windows the product or many of MS current and prio
              • by Slime-dogg (120473) on Wednesday April 12, 2006 @01:08PM (#15114714) Journal

                There is still no legitemate reason for them not to make a patch available as soon as they finish it. They can include the patch into their scheduled cycle, but they can also then cater to the early adopters, and those who don't want vulnerable systems laying around.

              • Regardless they will and do relevant testing, takes days to weeks depending on scope of change its effects... sometimes the effects ripple out to third-parties which can further delay deployment.

                Do the testers come in only on certain days of the month? What technical reason is there for delaying patches until a certain day of the month for all users? Why not make the patches available as soon as they're tested for those who want them, and delay them until a monthly rollout for those who want a monthly ro

            • by boskone (234014) on Wednesday April 12, 2006 @12:14PM (#15114308)
              yes...

              many exploits are made by examining the patch, so in most cases, it's better if everyone gets the patch at the same time (crackers and legitimate users) rather than the crackers getting it ahead of business users.
              • However, if information about an exploit is publicly available there is no reason to not get a patch ASAP to those who want that.
                • Actually, that's not true. A patch for a vulnerability often provides a great deal more infomration about the vulnerability than the original exploit, particularly becouse it provides malicious people with code pattern samples which might expose other exploitable code. In that regard, Microsoft's response or providing a workaround to block the attack and then providing a correct and fully tested patch later is better then providing a half-baked patch.
              • by MarkByers (770551) on Wednesday April 12, 2006 @12:56PM (#15114611) Homepage Journal
                many exploits are made by examining the patch, so in most cases, it's better if everyone gets the patch at the same time (crackers and legitimate users) rather than the crackers getting it ahead of business users.

                If there is already an exploit in the wild (with freely available source code) I really don't see how releasing a patch earlier for home users makes it *easier* to exploit.

                It's just a poor excuse for being slow to patch.
                • It sounds like you're just looking for a poor excuse to bash their patching cycle. There is no perfect solution in this scenario, and they're pandering to the wishes of the majority of their customers.
              • Actually you've just made an argument for releasing sooner: If the bugs in the patches are caught sooner (because of the 'patch early adopters'), then the corporates will be protected against those exploits because they won't have installed the patches yet and the new improved patch will be out in time for their update schedule.

            • by rbochan (827946) on Wednesday April 12, 2006 @01:14PM (#15114756) Homepage
              ...For the number and caliber of computer science researchers Microsoft has at its disposal, and the priority they've put on increased marketing bullshit, it's strange ...

              There, fixed that for you.

          • by DrXym (126579) on Wednesday April 12, 2006 @12:20PM (#15114353)
            Unfortunately Microsoft does listen to its customers, and its biggest (and loudest) customers are corporate IT departments. Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

            There are probably a few issues to consider here. Whether a corporate wants a scheduled regular service you can sure as hell bet they want the option to receive critical patches as soon as humanly possible. They'll wait for the other things, but critical patches should be available out of band. Secondly, there would be nothing to stop MS releasing the hotfix in the meantime via Windows Update since most corporates don't use it anyway.

            I think its extremely poor that MS takes so long to fix such an obvious problem. It's more reason if any were needed that a closed source product is no guarantee that it will be any more secure or better supported than an open source one.

          • Unfortunately Microsoft does listen to its customers, and its biggest (and loudest) customers are corporate IT departments. Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

            I call BS on that one. It takes me five minutes to apply a patch to a test machine, and after a suitable test period it takes me another five minutes to walk into the server room, log in to the WSUS server, and approve an update.

            If I want to

          • "corporate IT departments .. have specifically demanded that patches be released on a regular schedule"

            I work in an IT department. I know of no techie that looks forward to the next round of 'patches`. In fact most/all of them hold off on installing for fear of breaking something.

            "blame the corporations for bringing that pressure to bear in the first place."

            This could have been written by the MS publicity bureau.
            Blame the corporations for the patch cycle and
            blame the competitors for MS failing to se

          • >Blame MS for bowing to pressure from their customers; blame the corporations for bringing that pressure to bear in the first place.

                    Blame microsoft a second time for designing their operating system to be such a nuisance to patch.

            Adarn
          • That depends, I see when exploit code was released into the wild and Microsoft acknowledged it. But how long before that was microsoft made aware of the problem and refused to acknowledge before the developer got frustrated enough to release the code?
          • by BeanThere (28381) on Wednesday April 12, 2006 @04:40PM (#15116267)

            Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.

            Why, are those customers forced to install it as soon as Microsoft releases it? If they wanted to install it later, they are unable to do so? What's stopping them from waiting? That would not only give them the choice, but give them longer to test the patches first. Yeah I can just picture those alleged customers now: "Hey Microsoft, please give us less choice and greater delays, in fact we demand you do so"

            Stop the FUD, thanks.

          • Nobody forces you to install patches. If you don't want to install an out of schedule patch, then don't. It's not like they're twisting your arm. Run your software update app once a month or set it to only check monthly or on whatever schedule you'd like.

            I personally prefer updates to be delivered the day they are available and tested.

            The concept of a release date means nothing here anyway. Say the next scheduled patch day is tomorrow. Say you come up with a fix today. Do you release it tomorrow? I w
        • not to be an MS fan boi here, but just stop and think for a minute. MS has literaly hundreds of versions of their OSes. All the different language versions. There are well documented examples [joelonsoftware.com] (ctrl-f for "polish") of specific bugs for specific language versions

          There's a *lot* of testing that needs done for a windows fix

    • Re:The Exploit (Score:5, Insightful)

      by Billosaur (927319) * <wgrotherNO@SPAMoptonline.net> on Wednesday April 12, 2006 @11:55AM (#15114140) Journal

      Not bad, but your response time could use some imporvement.

      From TFA: Microsoft Corp. has released its security software patches for April...

      Microsoft has adopted the policy of "no patch before its time." These patches must be left on the vine, to ripen in the sun, until they are full of succulent flavor that brings out the best in an OS... sorry... anyway, it didn't matter how important the exploit was or that it was compromising machines left and right and letting the botnetters have a field day, Microsoft was in no rush. And you have to admit, that 3 weeks is not bad compared to some exploits which seem to be out there for months before anything is done. Now if Oracle could get their patch time down to three weeks...

      • Re:The Exploit (Score:1, Offtopic)

        by NecroPuppy (222648)
        We use only the finest monthly patches, dew picked and flow from Redmond, cleansed in the finest quality review process, lightly killed, and sealed in a succulent, Swiss, quintuple-smooth, treble-milk chocolate update, and lovingly frosted with reboots.
        • That's as may be - it's still a patch.
        • We use only the finest monthly patches, dew picked and flow from Redmond, cleansed in the finest quality review process, lightly killed, and sealed in a succulent, Swiss, quintuple-smooth, treble-milk chocolate update, and lovingly frosted with reboots.

          This patch should come with a big red label: "WARNING: BALLMER VOMIT!"

          Apparently levity now rates an "Offtopic"; will someone mod the parent of this reply up a bit?

      • Re:The Exploit (Score:4, Interesting)

        by darkonc (47285) <`moc.neergcb' `ta' `leumas_nehpets'> on Wednesday April 12, 2006 @05:30PM (#15116742) Homepage Journal
        It's not that Microsoft waited until the patch was 'perfect' to release it. It's that somebody in marketing determined that it's hurting their public image to be releasing 'critical security releases' 2-3times per week/month/day (depending on how bad the week/month/day is). Instead, they're now releasing patches on a fixed monthly schedule no matter when the fix is ready.

        This makes things easier on the marketing people who don't have to deal with complaints about security patches coming out far too often, but it also means that customers can be exposed to serious (effectively 'zero-day')exploits for up to a month at a time before MS's monthly release kicks in.

        In time, we're going to see hackers 'releasing' their exploits on the Wednesday after patch-day to maximize how many machines they can exploit before the next MS 'patch day'.` It's a stupid way of 'serving your customer'.

    • There was a great post [slashdot.org] about it.
    • The Exploit If you want to know more about the exploit that this release is supposed to fix, here is a shellcoded from of it
      Good link. Thanks. Anyone knows what it does? All the code comment says is "Impact: Remote System Access", and it's hard to read the bulk data.
    • Re:The Exploit (Score:3, Insightful)

      by truthsearch (249536)
      Considering the Windows Help system was exploitable for 7 years [msversus.org] I'd say they're improving, although they still are usually too slow. Today there's no way to know how long they're aware of any bug. They may know about an exploit for years and just never publicly notify anyone. Or they may not know until a few days before they acknowledge it. Being a closed system that they work under (both software and business) we'll never really know.
      • Re:The Exploit (Score:2, Insightful)

        Being a closed system that they work under (both software and business) we'll never really know.

        And yet Mozilla/Firefox keeps security bugs off of the public bugs list until they are fixed, so you don't know how long Mozilla devs know about security bugs before fixing them either.
        • Re:The Exploit (Score:3, Interesting)

          by bunratty (545641)
          Brilliant idea: just look at the date the bug was opened. I know, I can't believe I figured it out on my own either! ;-)
  • by Dynamoo (527749) * on Wednesday April 12, 2006 @11:40AM (#15114016) Homepage
    Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue [slashdot.org]. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article [techweb.com] with a summary of the changes, along with some links elswhere.

    This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.

    • > Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article with a summary of the changes, along with some links elswhere.
      >
      >This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.

      So for the

    • Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue [slashdot.org]. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article [techweb.com] with a summary of the changes, along with some links elswhere.

      Amusingly, this behavior can be disabled with either a patch or a registry change. [microsoft.com]
      • I use Siebel products, and it didn't fix my issues. IE still continued to freeze. Had to remove KB912812 update and reboot. :(

        Also, note that it mentioned Java with ActiveX.
    • "Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate."

      To solve the issues with Flash, check out my sig. It's free.
    • This won't affect IE6 on Windows 2000

      That's good. I just updated from SP2 to SP4 & had to deal with >30 SP4 specific patches.

      Is it possible that (for Win2k at least) staying a bit behind in the service pack game could afford you a bit of protection?

      Either the exploit is going effect only the latest SP, or MS is going to write a patch for all versions. In the first case, you can ignore the exploit and go about your way and in the second case, you weren't any safer than the up-to-date people.

      Though, if
  • by Tominva1045 (587712) on Wednesday April 12, 2006 @11:45AM (#15114046)


    If they don't update their products people will comment on how much they suck.

    If they do update them people will claim instability due to the number of patches.

    It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.

    You decide.
    • Most open source projects of equivalent size get patched in 24 hours. Do they have more money? no. Do they have more resources? According to Microsoft, thats another no.

      So how is it that programmers working for free developing a product for free can patch fatser than a multimillion dollar company with hundreds of highly paid developers?

      That's the ongoing question.
      • Like- what? that has to be compatible with every pc configuration, with every software configuration, quite literally, known to man.

        1st, what OSP is on par for raw bytes & complexity... to the windows OS?
        2nd- which of that subset get's patches in 24 hours
        3rd- how often do these "right out the door" patches cause loss of functionality, for a subset of users, as (my line one above) every system configuration possibility was considered in the patch, that is still just works?

        it's kinda herculean if you th
        • So these highly paid developers have developed something that they can't support.

          And I'm supposed to give them money, why exactly?
        • Below are the answers to your obviously rhetorical question...

          1. Apache, Linux, MySQL, Postgres, Sendmail, OpenExchange, SugarCRM,etc etc. The list goes on and on
          2. Apache, Linux, MySQL, Postgres, Sendmail, OpenExchange, SugarCRM, etc etc. They were even recently recognized for it in a government research document stated that 24 hours was an average and that they even get patched faster on some systems.
          3. According to the same government document, hardly ever. Pathces on open source projects general reduce
          • the windows installer for apache is 4.2 mb I can't actually determine it's size-
            the download for sendmail is 1.89 MB
            postgres is 22mb
            these are single purpose- using system calls- apps..
            they aren't OS's (except for linux) and do any of those come close to 1.5 gigabytes of code/apps/parts?

            re read my list of challenge requirements for #1.. what OSP is on par for raw bytes & complexity... to the windows OS?

            I can't vett "linux" as there is no "one linux" to compare against.- and none of them come 'core' with
            • These projects have been in use for longer than Microsofts products, are bundled with ALL Linux distros making most Linux distros have equivalent functionallity and even exceeding functionality in some cases.

              Now if you want to say the projects are not equivalet due to the lines of code used, thats just plain stupid. Good code take fewer lines whereas bad code can go on forever and ever.

              Every engineer knows that to build a better mousetrap, you don't make it more complex... you simplify.

              Linux and those open
              • Yes, I consider the total size of the codebase to be patched a consideration.
                yes, microsoft code is likely bloated and inefficient
                But the featureset, and functionality- is a order of magnitude or more complex than "SENDMAIL"

                the simple fact (I see) is that -a patch for a microsoft OS, with all the variables it can affect- is a much greater undertaking- with
                greater needs for getting it right the first time- than for most any other software available..
    • The Bob Damn them. (Score:2, Interesting)

      by ackthpt (218170) *
      If they don't update their products people will comment on how much they suck.
      If they do update them people will claim instability due to the number of patches.
      It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.
      You decide.

      I hate the fact I have to purchase anti-viral software even though I exercise great care in what I download, install, execute, etc.

      I hate the fact that I have to download patches frequently, which are massive files a

      • by sremick (91371) on Wednesday April 12, 2006 @01:17PM (#15114781)
        "I hate the fact I have to purchase anti-viral software even though I exercise great care in what I download, install, execute, etc.

        I hate the fact that I have to download patches frequently, which are massive files and I'm still on a dial-up so they can take hours."


        Actually, you don't. Because you don't "have to" run Windows. Seriously. I'm not trying to be a prick, but to emphasize that somewhere along the line, the user (you) is choosing to run Windows, so you are choosing to take on all these burdens in the process. You can rid yourself of them simply by choosing any of the other growingly-popular OSes out there. Yes it'd be work. Yes the transition might incurr costs. Yes you might have to switch apps, convert data, retrain. But you are choosing to do it or not do it, regardless. You can choose the one-time painful conversion, or choose to remain in the eternal servitude to the pains of your status quo.

        Your choice.
        • tell that to your boss when he asks you why you don't wanna use the same OS as everyone else at work..
          • Since slavery is illegal in most countries, I'm pretty sure you chose your job as well. If you don't like it, find a new job. Otherwise, it still comes down to your own choice. There are plenty of places looking for Mac/Linux/BSD geeks.

            I work with Windows at my own job. But I don't pretend that I'm "forced". I chose my job based upon pay, location, etc. I choose to put up with the headaches as a balance taking everything else into account. But no one is holding a gun to my head.

            Like I said before... you don
      • I hate the fact that I have to download patches frequently, which are massive files and I'm still on a dial-up so they can take hours.

        Microsoft releases most patches on the second Tuesday of each month.

        The patches are generally small (under 1 MB) and can be automatically downloaded in the background. Let the program do its job and install when you are ready.

    • All software companies fix bugs all the time. Why do we have to have a story every time a bug is fixed in IE or Firefox...? It boggles the mind.
    • If they don't update their products people will comment on how much they suck. If they do update them people will claim instability due to the number of patches. It's a matter of perception.

      No, it's a matter of quality. If the product had been built properly in the first place this vicious cycle would never have been born. However, it was not built that way. You pay now or you pay later - but you do pay, and later always costs more.

    • People are not complaining about the patches, they are complaining about the bugs. The unending stream of horribly horribly bad bugs.

      It's not news that IE is full of more security holes than a DHS project. Microsoft have had years to sort this mess out.

      Have they?

      No. We still have multiple grave remotely-exploitable security holes in IE every year.

      That's why people complain.

      Ongoing updates are not an indication of "true support". Nor are they an indication of hating Microsoft (although I admit, I find your l
    • They shipped Active Desktop, which is where they started integrating IE (or rather, the HTML control that's almost the whole of IE) so deeply into the OS that it couldn't be disabled or removed without heroic measures, in 1997.

      Every new OS release since them has been an opportunity for them to step back from the brink and turn IE into just another application. Not only have they not turned back, but they have run faster and faster with every step.

      I wish them joy of their damnation, their salvation is in no-
  • by Kijori (897770)
    Does anyone know whether this patch will 'play nice' with the third party patches that've been available for a while?

    I've been recommending them to anyone that was worried about the vulnerabilies - I wish Microsoft would support them, it's very difficult to convince people that the fact that Microsoft doesn't recommend them is because it's bad PR to be seen having to be helped out, and not that the code is full of viruses that destroy your PC.

    Ah well, I only use Windows for gaming anyway.
  • Firefox users point and laugh...
  • by BoredWolf (965951) <jakew.white@gmail.com> on Wednesday April 12, 2006 @11:58AM (#15114172) Journal
    Would it not be better for MS to release individual patches as they are deemed (and I use this word loosely) stable? I can understand the reasoning behind a monthly update, but so many individual users are set for auto-updates. Also, businesses could then install the patches they deem necessary, while avoiding or reverting from patches which cause problems on their networks. This method would prevent the 1-month window (or longer in the case of Service Packs) that hackers have for exploiting a known vulnerability.
    • I agree, but this is part of Microsoft's Business strategy. To one point, it actually helps. I admin quite a few Win2K3 servers, and having all the patches on one day, allows me to go about patching once a month, as opposed to every few days. Just my $0.02
  • At what point do the authors of this information just do a search and replace on the last news release for the last patch (last Month, Week Yesterday, 5 minutes ago ...) TFA kind'a looks like a filled out form ...

    My other question is when does M$ release the patch that changes activation codes to valid credit card numbers. ?? I guess they could do a rural version that uses the modem to call a 1 - 900 - xxx xxxx
  • by Jugalator (259273) on Wednesday April 12, 2006 @12:13PM (#15114298) Journal
    Download here [browser.org]

    OK, OK, so I wanted to be different from those "get Firefox" jokes!
  • Let's rename "Internet Explorer" to "Apache Browser". After all, it's becoming "A patchy" browser! :D
  • I understand that MS releases patches on a scheduled, monthly basis because lots of corporate IT departments demanded it (to make their jobs easier). I understand that; there's at least some logic to it.

    What I don't get is why everone else in the world has to have their system unprotected for an extra couple of weeks. Why can't MS release the patches when they are "stable" and let the IT departments schedule their own updates as frequently or infrequently as they see fit? And further, is scheduling really *that* much more important than security for large companies?
  • by suv4x4 (956391) on Wednesday April 12, 2006 @12:30PM (#15114418)
    The patch in question patches not less than 10 critical patches in IE and Windows that can be used to compromise your system.
    • Top be precise, the IE patch (MS06-013 [microsoft.com], in fact) fixes ten security bugs, but only eight of them allow remote code execution.

      Mind you, MS released four other Security Bulletins today, two of which are remote code execution / rated 'critical' bugs. One's in Windows Explorer, the other's in MSDAC, some data access middleware crap that's also remotely exploitable.

  • Source (Score:2, Informative)

    by Goodgerster (904325)
    Downloadable immediately from here [getfirefox.com].
  • You mean they finally released an uninstaller???
  • This is "News for Nerds. Stuff that Matters."; a serious IE exploit seems to fit neither category.
  • Argh:

    "Hackers had been exploiting this problem by installing unauthorized software on PCs."

    No, no, no. The fact that "hacker" isn't the correct term to use here anyway nonwithstanding [1], people have been installing unauthorised software on PCs by exploiting this problem, NOT the other way around.

    1. Feel free to whine that the general public does use the word "hacker" that way if you want to, but this is Slashdot, and I think we can expect a somewhat higher standard here.

    • but this is Slashdot, and I think we can expect a somewhat higher standard here.

      Funniest thing I've read all week. Thanks for that!

  • I hear a lot of noise about MS patches and "Patch Tuesday" curse words, but no one has much to say about Apple's patch schedule. Now I realize there are a lot less security updates from Apple, but that's another debate for another thread. What do people think of Apple's timeliness in the release of security updates? Have they been known to drag their feet on releasing, or maybe are they showing some hustle?

"And do you think (fop that I am) that I could be the Scarlet Pumpernickel?" -- Looney Tunes, The Scarlet Pumpernickel (1950, Chuck Jones)

Working...