
Microsoft Flubs Patch, Putting Users At Risk

An anonymous reader writes "Microsoft is rushing to fix a flaw introduced by the company's latest security update to Internet Explorer. From the article: 'The flaw, initially thought to only crash Internet Explorer, actually allows an attacker to run code on computers running Windows 2000 and Windows XP Service Pack 1 that have applied the August cumulative update to Internet Explorer 6 Service Pack 1, security firm eEye Digital Security asserted. The update, released on August 8, fixed eight security holes but also introduced a bug of its own, according to Marc Maiffret, chief hacking officer for the security firm, which notified Microsoft last week that the issue is exploitable.'"
  • by Aqua_boy17 ( 962670 ) on Tuesday August 22, 2006 @03:48PM (#15957819)
    Yes, but this is a hole created by a patch to fix a hole. On the whole, different and somewhat amusing. Or it would be amusing if I didn't have to administer Windows systems. :P
  • by baadger ( 764884 ) on Tuesday August 22, 2006 @03:53PM (#15957855)
    Not necessarily, my aunt is on dialup and until recently she'd been patching herself up on SP1 because downloading a 290MB service pack just wasn't feasible. The monthly updates themselves can sometimes be big of a download.

    I recently did a full reinstall of her system (at my place on cable) from a MS cd (managing to maintain her OEM activation), SP2, Firefox, Opera and IE7-beta3 and she's been good for ages now.

    The annoying thing is, even on dialup with sparse on-off connectivity and surfing it's remarkably easy to get infected. Don't underestimate the number of people who *CAN'T* keep up to date.
  • by Joe The Dragon ( 967727 ) on Tuesday August 22, 2006 @03:55PM (#15957864)
    Likely they rushed this patch to get it ready for the patch day and they did not fully test it. M$ will be better off putting the updates out when they are done, not on a fixed timetable.
  • by just_another_sean ( 919159 ) on Tuesday August 22, 2006 @04:03PM (#15957923) Journal
    Or it would be amusing if I didn't have to administer Windows systems. :P

    And that is exactly why I like to see it on the front page of /.

    Of course I don't rely on /. alone for security news but as an Admin supporting MS products news like this does matter to me. The more sources of info I can get on problems with software the better. And being the /. junkie I am it is likely I may just get info on new flaws here first! :-)

  • 8 for 1 (Score:2, Insightful)

    by roger6106 ( 847020 ) on Tuesday August 22, 2006 @04:16PM (#15958000)
    8 bugs have been replaced with 1 bug. That is an improvement unless the bugs it fixed were all minor bugs.
  • by repruhsent ( 672799 ) on Tuesday August 22, 2006 @04:20PM (#15958022) Homepage Journal
    ...Microsoft has a security problem, which most people will acknowledge is a constant thing. They release patches, which everyone will acknowledge happens pretty much monthly. There's a story on the /. front page complaining about how they botched the patch.

    Ubuntu has a problem today, which basically renders machines inoperable that update their X software today. Ubuntu doesn't have as many security problems as Microsoft (for a lot of reasons, I imagine, but I tend to think it's because of the much smaller installation base). Heck, this issue doesn't even affect security - which isn't quite as important as functionality (seriously; the number of exploits for this Microsoft problem will be small, and the number of Ubuntu users locked out of their machines is probably something like 60%, given the small numbers of their user base).

    Given all of this information, there is no front page story on the Ubuntu fuck up of today. Biased? Of course. Unexpected? Definitely not; this is Slashdot; News for Nerds, Stuff that Matters, assuming you use Linux. Everyone else need not apply.
  • by airjrdn ( 681898 ) on Tuesday August 22, 2006 @05:15PM (#15958456) Homepage
    You trust that site?
  • by Anonymous Coward on Tuesday August 22, 2006 @05:28PM (#15958551)
    >IE7-beta3 and she's been good for ages now.

    No she's not. IE7 has patched & unpatched vulnerabilities. Why are you putting beta software on there anyway?
  • by BoRegardless ( 721219 ) on Tuesday August 22, 2006 @05:56PM (#15958765)
    And Bill Gates has said this new OS is going to be the whing dinger of all time.

    Meaning, the number of serious holes is going to be astonishing, because they are so sophisticated and well hidden that only the best hackers can find and exploit them without users and IT admins finding them.

    Aaaaak
  • Breaks Siebel too (Score:1, Insightful)

    by Anonymous Coward on Tuesday August 22, 2006 @06:19PM (#15958887)
    Siebel is totally FUBAR due to this patch and the stupid "compatibility" patch to fix it is broken and won't install on any machine. Why the fuck do people write IE-only applications and why the fuck does MS release broken patches all the time? It's like they don't even bother beta testing them. Now we are stuck with the choice of either a vital piece of software being down or a giant gaping security hole - thanks Microsoft!
  • by Anonymous Coward on Tuesday August 22, 2006 @06:26PM (#15958923)
    The other difference is that Slashdot readers think that Linux and Ubuntu can do no wrong, hence no story here on the Ubuntu fiasco (which left users stuck at a command prompt. For typical Ubuntu users, this is a very big deal).
  • by Valacosa ( 863657 ) on Tuesday August 22, 2006 @06:27PM (#15958931)
    Here's an example for you:
    I was once running an experiment for a prof. The computer controlling the experiment has a GPIB card, which is controlling several other devices in the room (PID temperature controller, Lock in amp, yada yada yada.) The software running the experiment was written in LabVIEW.

    I'm in the middle of a nine-hour experiment when this dialog box pops up. "Your computer will restart in 5 minutes to apply updates."

    Now, let's review. What have I done wrong?
    • This isn't a server
    • AFAIK there is no "LabVIEW" for Linux. I could have written all the GPIB software in C but then no one else would have the expertise to change it, plus getting the card to work in Linux would probably be hell
    • I'm not using IE
    • Windows update is on? Oh, that's what I'm doing wrong.
    Luckily my software is much better written, so I was able to discontinue and resume the experiment without losing data. But still, is this the kind of OS that is intended for a production environment? "Who the hell do they think they are" indeed.
  • by pe1chl ( 90186 ) on Tuesday August 22, 2006 @06:36PM (#15958984)
    Also note that the patch mentioned in KB923762, which is available only by calling Microsoft and explicitly asking for it, was compiled on August 4th!

    So, they KNEW about this problem at the time they sent out 918899 to the world via Windows Update!
    They already had the fix available, but they chose to neither include it in 918899 nor to withhold 918899 from release on August 8th.

    It caused some damage at work. We had to ask for the KB923762 fix, which took 3 days to get (because we buy computers with Windows installed, so we cannot call Microsoft but have to go via Dell).
    IMHO it is gross neglect by Microsoft to knowingly release a defective update for which a better version already is available.
  • by gelfling ( 6534 ) on Tuesday August 22, 2006 @07:44PM (#15959334) Homepage Journal
    See what I mean. All Hail the 'Soft.
  • Dupe (Score:3, Insightful)

    by The Cisco Kid ( 31490 ) * on Tuesday August 22, 2006 @11:53PM (#15960219)
    Oh wait, it's actually a new bug. Or wait, it's just the same bug over and over.

    Seriously, how is this news? Everyone with even half a clue (and certainly almost all /. readers) recognizes that MS will repeatedly issue patches, patches to patches, and will never really fix anything. Anyone with any sense in the IT/Net field that STILL actually uses Internet Explorer except in a heavily restricted sandbox for testing websites that the driveling masses will use it to visit is either too ignorant or blindly loyal to care about security.

    If for some reason /. really thinks this needs to be news, just add it as a permanent headline. In fact, heck, maybe it should get its own whole section 'Security update to MS software introduces new security hole'
