Microsoft Releases Critical IE Patch
Laura Brown writes "Microsoft has released its security software patches for April. The most anticipated is the MS06-013 patch, which fixes several IE bugs, including the 'createTextRange()' vulnerability. Hackers had been exploiting this problem by installing unauthorized software on PCs."
Damned if they do, damned if they do not.. (Score:5, Insightful)
If they don't update their products people will comment on how much they suck.
If they do update them people will claim instability due to the number of patches.
It's a matter of perception. Some people see ongoing updates as true support. Others simply hate anything Microsoft.
You decide.
Third - Party Patches (Score:2, Insightful)
I've been recommending them to anyone that was worried about the vulnerabilities - I wish Microsoft would support them, it's very difficult to convince people that the fact that Microsoft doesn't recommend them is because it's bad PR to be seen having to be helped out, and not that the code is full of viruses that destroy your PC.
Ah well, I only use Windows for gaming anyway.
Re:I DLed them this AM. A question... (Score:5, Insightful)
Re:The Exploit (Score:5, Insightful)
Not bad, but your response time could use some improvement.
From TFA: Microsoft Corp. has released its security software patches for April...
Microsoft has adopted the policy of "no patch before its time." These patches must be left on the vine, to ripen in the sun, until they are full of succulent flavor that brings out the best in an OS... sorry... anyway, it didn't matter how important the exploit was or that it was compromising machines left and right and letting the botnetters have a field day, Microsoft was in no rush. And you have to admit, that 3 weeks is not bad compared to some exploits which seem to be out there for months before anything is done. Now if Oracle could get their patch time down to three weeks...
Re:How much longer is this going to be NEWS? (Score:5, Insightful)
Because Slashdorks like ourselves keep reading them and posting comments. You can bet if people stopped reading & commenting, the editors would stop posting these stories.
Re:Meanwhile... (Score:4, Insightful)
Seriously though, if it is using 1.5gb of memory, you probably have it to spare, otherwise it wouldn't be using it. If this is still unacceptable, you can TURN IT OFF! [mozillazine.org]
Re:Schedule Over Security? (Score:5, Insightful)
Many exploits are made by examining the patch, so in most cases, it's better if everyone gets the patch at the same time (crackers and legitimate users) rather than the crackers getting it ahead of business users.
Re:Damned if they do, damned if they do not.. (Score:3, Insightful)
Legally, neither is Microsoft. Read your EULA.
And in most cases nothing else interacts with or depends on his / their code?
Yeah, nothing interacts with or depends on sendmail, or glibc, or the Linux kernel...
Re:Schedule Over Security? (Score:4, Insightful)
There are probably a few issues to consider here. Whether a corporate wants a scheduled regular service you can sure as hell bet they want the option to receive critical patches as soon as humanly possible. They'll wait for the other things, but critical patches should be available out of band. Secondly, there would be nothing to stop MS releasing the hotfix in the meantime via Windows Update since most corporates don't use it anyway.
I think it's extremely poor that MS takes so long to fix such an obvious problem. It's more reason if any were needed that a closed source product is no guarantee that it will be any more secure or better supported than an open source one.
Re:The Exploit (Score:3, Insightful)
Scheduled updates seem counter-intuitive (Score:4, Insightful)
What I don't get is why everyone else in the world has to have their system unprotected for an extra couple of weeks. Why can't MS release the patches when they are "stable" and let the IT departments schedule their own updates as frequently or infrequently as they see fit? And further, is scheduling really *that* much more important than security for large companies?
Re:Schedule Over Security? (Score:1, Insightful)
I call BS on that one. It takes me five minutes to apply a patch to a test machine, and after a suitable test period it takes me another five minutes to walk into the server room, log in to the WSUS server, and approve an update.
If I want to deploy an update off-schedule, it doesn't take a lot of time to do so. And if I don't want to deploy it off-schedule, it can just sit there on WSUS until Patch Tuesday comes around.
Microsoft's patch schedule has nothing to do with its customers' demands, any more than Norton's ridiculous virus update schedule. Saying that they're doing it to satisfy customer requirements is like the sign at Safeway that says "For your convenience, please leave heavy items in the cart." My convenience, my ass. It's because the 16-year-old, 90-pound checkout girl can't lift the 5-gallon water jug I'm buying.
Don't tell me you're doing something for my sake when I know you're doing it for your own business reasons.
Re:Schedule Over Security? (Score:2, Insightful)
Re:Why? (Score:3, Insightful)
Unfortunately, it's because of corporate inertia. Take my company, for example. I'm the IT department (no, that's not a typo) for a small Canadian company that is owned by a large European company. I've removed the big 'e' from everyone's desktop, installed Firefox, and told everyone to use it.
Unfortunately, we have a couple of applications we can only use through a centrally-administered terminal server environment. That environment includes IE. And of course the corporate IT guys can't replace Internet Exploiter because "It's a corporate standard," meaning the CIO is a manager, not a tech, and won't let them install "unlicensed" software. ("How can it be properly licensed if we don't pay for it?" ... "Free software is never free for business use!", etc.)
Re:Schedule Over Security? (Score:4, Insightful)
There is still no legitimate reason for them not to make a patch available as soon as they finish it. They can include the patch into their scheduled cycle, but they can also then cater to the early adopters, and those who don't want vulnerable systems lying around.
Re:The Exploit (Score:2, Insightful)
And yet Mozilla/Firefox keeps security bugs off of the public bugs list until they are fixed, so you don't know how long Mozilla devs know about security bugs before fixing them either.
Re:The Bob Damn them. (Score:4, Insightful)
"I hate the fact that I have to download patches frequently, which are massive files and I'm still on a dial-up so they can take hours."
Actually, you don't. Because you don't "have to" run Windows. Seriously. I'm not trying to be a prick, but to emphasize that somewhere along the line, the user (you) is choosing to run Windows, so you are choosing to take on all these burdens in the process. You can rid yourself of them simply by choosing any of the other growingly-popular OSes out there. Yes it'd be work. Yes the transition might incur costs. Yes you might have to switch apps, convert data, retrain. But you are choosing to do it or not do it, regardless. You can choose the one-time painful conversion, or choose to remain in the eternal servitude to the pains of your status quo.
Your choice.
Re:Schedule Over Security? (Score:4, Insightful)
Those customers have specifically demanded that patches be released on a regular schedule, to ease their own testing and rollout procedures.
Why, are those customers forced to install it as soon as Microsoft releases it? If they wanted to install it later, they are unable to do so? What's stopping them from waiting? That would not only give them the choice, but give them longer to test the patches first. Yeah I can just picture those alleged customers now: "Hey Microsoft, please give us less choice and greater delays, in fact we demand you do so"
Stop the FUD, thanks.