Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Microsoft

MSIE Uber-patch Of The Month 371

Posted by jamie from the windstorm-'97 dept.
mkraft writes "Microsoft released another security patch for Internet Explorer to fix 6 'new' vulnerabilities. Info on the patch can be obtained via download or Windows Update. Not sure what 6 things the patch fixed, but I'm assuming they fixed 6 of the 14 known exploits listed at http://jscript.dk/unpatched/" Maybe not even all six -- the maintainer of the above URL claims in a post to Bugtraq that Microsoft got some facts wrong and "patched a symptom" of one of the vulnerabilities, "not its root cause," and that IE5 and IE5.5 remain unpatched with the same "Critical" vulnerability. Also, please compare to previous MSIE Uber-Patches Of The Month: December 2001, 3+? holes in IE; March 2002, 2+? holes in IE; April 2002, 2+? holes in Mac IE.
This discussion has been archived. No new comments can be posted.

MSIE Uber-patch Of The Month More

MSIE Uber-patch Of The Month

Comments Filter:

  • Like clockwork. (Score:5, Funny)

    by saintlupus ( 227599 ) on Thursday May 16, 2002 @12:52PM (#3531318)
    Microsoft released another security patch for Internet Explorer

    Is it Thursday already?

    --saint
    • One wonders when Microsoft releasing patches was considered news. Then again this is a pretty major one. It'll be news when they learn that writing software with security in mind to start with is cheaper than not and then constantly patching things. The image of a leaky sieve comes to mind!
    • Just downloaded the patch. After download, a
      security info gets displayed, and it says that
      the patch was signed 24.04.02 21:04 ... not
      really sure what to think about that, but there
      is nothing really important on the box anyway.

  • So basically... (Score:5, Funny)

    by Indras ( 515472 ) on Thursday May 16, 2002 @12:53PM (#3531338)
    Saying you're trying to fix all the holes in IE is like saying you mean to turn a sieve into a bowl.

    Seriously, it seems they are finally turning around and trying to make their products more reliable. They've come a long way since Win95 (or WinME... ::shudder::).
  • luckily several other competing browsers have much less patches that have to be applied.

    netscape - doesnt have any holes - it crashes before anyone have time to exploit them.
    mozilla - its not called holes, its a feature until further notice.
    opera - pages download quick, dont they? then stfu.

  • It Breaks Javascript (Score:2, Informative)

    by inetd ( 21373 )
    According to NTBUGTRAQ it breaks certain javascript

    http://www.ntbugtraq.com/default.asp?pid=36&sid= 1& A2=ind0205&L=ntbugtraq&F=P&S=&P=2859

  • Breaks some Javascript (Score:5, Informative)

    by DaDigz ( 533977 ) on Thursday May 16, 2002 @12:57PM (#3531389)
    Just posted to the NTBugTraq list is a message noting that it breaks some Javascript.

    The example code that fails with the patch is here [ntbugtraq.com].

  • you know - with this many patches, IE is moving from the realm of science fiction to high fashion!
  • This is the big patch [slashdot.org] that really should be fixed.
    It is the one that makes it dangerous to push the Back Button [bucknell.edu]

  • C'mon, guys... (Score:4, Informative)

    by bricriu ( 184334 ) on Thursday May 16, 2002 @12:59PM (#3531413) Homepage
    the page you link to HAS the vulnerabilities fixed LISTED.

    And if you actually go to download it, you'll see that it DOES apply to versions 5 and 5.5. (http://www.microsoft.com/windows/ie/downloads/cri tical/Q321232/default.asp [microsoft.com])

    • Re:C'mon, guys... (Score:5, Informative)

      by gclef ( 96311 ) on Thursday May 16, 2002 @01:31PM (#3531727)
      Yes, but the patch doesn't actually *do* what it claims. Therein lies the problem. There has been a steady stream of messages to various security lists today about how this patch does not actually fix many of the issues that it claims to fix, and breaks other stuff in the process. see http://jscript.dk/unpatched/ for the present list of unpatched IE problems, and some commentary on this patch.

  • Why is this news? (Score:2, Insightful)

    by oever ( 233119 )
    It worries me that a patch can be news. Microsoft really has people waiting in anxiety for a new patch to fix (and add some new) security holes.

    Brr. I hate monopolies.

    I going to write a letter like the Peruvian one to my government right now!
  • What about this?

    Netscape [netscape.com] isn't secure [greymagic.com] either. A well written web page can read and capture local files.

    Micro$oft, although they write their fair share, isn't the only company that writes bad code.
    • I agree. We tested the Netscape/Mozilla vulnerability and it work on Linux systems also. I submitted the link to Slashdot and the story was REJECTED.

      If this had been an MS vulnerability with a working exploit, it would have been posted here in a second --and would have generated 800 MS-bashing comments.

      Slashdot has been good entertainment over the years, but I pity anyone who PAYS for a site that is so slanted it can't see beyond it's navel.

      (Guess how this post will be mod'd ;-)
      • I agree. We tested the Netscape/Mozilla vulnerability and it work on Linux systems also. I submitted the link to Slashdot and the story was REJECTED.

        (Guess how this post will be mod'd ;-)

        It will most likely be modded down, and probably for good reason. Your submission was rejected because Slashdot covered the hole in NS/Mozilla in this Slashback [slashdot.org].

        Just because your submission was rejected does not mean the story didn't make it on the site.

        Please, if you are going to post something negative, at least get your facts straight first. Also, FYI, the Mozilla vulnerability was fixed within 24 hours, and does not affect 1.0RC2+.
  • ...doing NOTHING BUT addressing security issues as part of their new security focus.

    Do you suppose they need to do more?

  • Ironically... (Score:2, Interesting)

    by clevershark ( 130296 )
    The "Windows Update" icon on my taskbar failed to retrieve the patch last night, I had to manually go to the Windows update site and download it. I only discovered this when I started wondering why my VAIO was getting so damn warm, and why the fan hadn't stopped in several hours...

    And then they "recommend" that you go for automatic updating. Typical.
  • I'm glad to see them stepping up to patch this stuff. Really. I'm not being sarcastic. A lot of people use IE, and we shouldn't jsut curse our grandmothers and mothers to using a flawed browser. I really salute them for taking the security stance a little more seriously.

    Of course, I say this even though my mother got Mandrake 8.2 for Mother's Day.

  • I wish things were always so easy... (Score:5, Insightful)

    by pubjames ( 468013 ) on Thursday May 16, 2002 @01:10PM (#3531521)
    Warning! Positive comments about Microsoft ahead...

    I have Windows XP on my desktop and RedHat on my public server.

    I have grown to appreciate the way Windows XP patches itself. Frankly it is a bit of a pain in the butt having to apply patches to my RedHat server each month and I would be much happier if it could just do it itself, automatically, like XP does.

    I hate Microsoft. They're bastards. But the auto-patching that Windows XP does is great. We need it for Linux, both desktop and server.
    • You should be running FreeBSD for a better *NIX experience... there's nothing like a cvsup to fix all that ails you, even if you haven't changed anything in a month.

      For me, I ran into rpm hell and all kinds of crap with r00that. BSD is where the real experience comes from. Few bugs and better code.

    • Re:I wish things were always so easy... (Score:5, Informative)

      by SirThomas ( 6833 ) on Thursday May 16, 2002 @01:25PM (#3531668) Homepage
      Um, RedHat comes with an auto-updater 'up2date'.

      You just need to register your machine and it can automatically update your machine for you.

      Some may complain that it is a 'for pay' service but you do get one system for FREE.

      Check rhn.redhat.com [redhat.com] for more details.
      • You get one system - one install. I made the mistake of registering my box after installation and then did a full reload from zero several times because I was trying to learn the process and didn't know better at the time. I couldn't register that machine again.

        Not exactly a newbie-friendly feature. I'm still pissed at RedHat for that one.
        • Well, while I will agree that it's not terribly newbie-friendly, it's not impossible to circumvent. First of all, the local box should allow you to register the machine without a problem, but you won't be able to update your software. All you do is log into the rhn site rnh.redhat.com [redhat.com], click on "entitlements", change the old registration's entitlement to "none", and the new one to "basic". Then run up2date -u and you should be set.

    • Re:I wish things were always so easy... (Score:4, Interesting)

      by 4of12 ( 97621 ) on Thursday May 16, 2002 @01:27PM (#3531689) Homepage Journal

      But the auto-patching that Windows XP does is great. We need it for Linux, both desktop and server.

      I don't run XP (though my bro-in-law does, hates it, is going back to Win2K, a good move IMHO), but some feature like what you describe would be nice if they're properly balanced and thought out.

      I'd like the ability to assess what the patches are needed, what they are supposed to do, and ideally be able to see the source code before I patch my servers.

      The last thing I want my server to do is to "figure out for itself" that it needs to download some worm and then automatically go do it.

      Rather, let me decide and then it's my fault if I download a worm.

      One of the nice things about Linux in general is that it exposes its guts to you and lets you make as many decisions as you want about what to do with it and how to modify it. If you want to shoot yourself in the foot or shoot for the moon in a new way that works for you, then by all means go for it. Linux distributions won't be so arrogant as to presume that "they know better what's good for you".

      You can see where it's difficult to judge the proper tradeoffs between ease and convenience on one hand, and security on the other hand. All those Outlook attachments have been more than sufficient evidence of how easily such judgement can be in error.

      • Rather, let me decide and then it's my fault if I download a worm
        What's nice about XP is that you do have the choice with auto-update. In fact, you have several choices. I'll list them:

        1. Download the updates automatically and notify me when they are ready to be installed.
        2. Notify me before downloading any updates and notify me again before installing them on my computer.
        3. Turn off automatic updating. I want to update my computer manually.

        I, being a lazy bastard, choose option 1, then hit the snooze button for a few days before installing... it's the only time I ever have to reboot!
      • The last thing I want my server to do is to "figure out for itself" that it needs to download some worm and then automatically go do it.

        Rather, let me decide and then it's my fault if I download a worm.

        You know what I hate? Dialogs that are designed to shift blame to the user if the program makes bad decision. "This code is signed and looks safe. Are you sure you want to run it?" (Use a sandbox!) "It was my fault I lost my mail because I clicked 'yes' when it said my Inbox was corrupted and wanted to know whether it should rebuild the indexes." (Don't ask the user confusing technical questions!)

        Having the user verify each security patch does little to protect against patchworms, and it prevents patches from being distributed while the admin is sleeping. I would not be happy if a Code Red-like worm broke into my computer while the patch system waited for my permission to install a critical security patch.

        Including a verification dialog would make it seem to me that the system was designed insecurely -- insecurely enough that the author decided he needed to be able to blame me for clicking "Yes" when the crypto-based verification breaks.

    • Debian (Score:4, Informative)

      by nuggz ( 69912 ) on Thursday May 16, 2002 @01:34PM (#3531759) Homepage
      Come on, they exist.
      upgrading with apt is easy, and not much work.
      *BSD also have their update tools, and some other posters mentioned Redhat tools.

      These things exist, you just have to use them. Or maybe they should be made prominent however XP does it so people will complain about the security pitfalls of doing so.
    • I'm pretty sure the latest version of RedHat does. It even has a desktop applet under Gnome which takes care of reminding you to run the program.

    • Re:I wish things were always so easy... (Score:5, Funny)

      by Mike Schiraldi ( 18296 ) on Thursday May 16, 2002 @01:41PM (#3531821) Homepage Journal
      That's not Windows Update; i own your box and have been busy setting it up the way i like it.
    • Red Hat 7.3 flashes a little update icon when there are updates available. Click the icon and then cycle through the Next buttons and you are patched.

    • How to autoupdate RedHat (Score:3, Insightful)

      by daves ( 23318 )
      it is a bit of a pain in the butt having to apply patches to my RedHat server each month

      Try AutoUpdate [univie.ac.at]. It does a good job keeping RedHat up to date.
    • Until someone hacks yours (or your ISPs) DNS server, and adds a line to the hosts file that points windows update to their box. Then you're running their code with full trust... automatically.

      While you're at it, I'm offering a service where I'll monitor your checking account and pay your bills automatically each month for you. Please forward me your Credit card number and a copy of your drivers license and social security card at your convenience.

      • Until someone hacks yours (or your ISPs) DNS server, and adds a line to the hosts file that points kernel.org (for example) to their box. Then you're downloading and using their pathes and code with full trust... (not automatically, but hardcores probably download the latest and greatest quite often, and I doubt that they verify each line of code).

        If you claim that you are immune to this because you only use IP addresses or go directly to the root DNS servers, then you deserve to use linux. Please stay in your moms basement updating your software and save the rest of the world from the horrors of encountering freaks like you.

        MS uses certificates to verify that the patches are in fact from them. I'm not sure if there is any mechanism in place for linux kernel updates. You just gotta trust that kernel.org and the mirrors point to where they should be.
    • Mandrake comes with an automatic updater. It looks at your system, then at available patches (Youj can specify security, bug-fixes and/or regular patches.) it then gives you a list of available upgrades. You can easily select all of them or just the ones you want. It will download the patches and install them for you.

      And Mandrake has been doing this a lot longer than Microsoft.
    • You say:
      • I hate Microsoft. They're bastards.
      • I have Windows XP on my desktop.
      Either you are lying on one of these counts or you are too stupid to recognize that running Windows XP on your desktop is in direct support of Microsoft being bastards whether you paid for it or not.

      -Erik
      • I believe Thom Yorke said it best in Fitter, Happier:

        "an empowered & informed member of society (pragmatism not idealism)"

        Erik, man, it's not stupidity. It's pragmatism. It's what you need to have a nice house in the suburbs and a Ford Explorer (Eddie Bauer Edition).

        It's very possible to hate Microsoft and still run XP on your desktop, and there really doesn't have to be much in the way of cognitive dissonance.

        Look at one of the Palestinian kids on the TV news. The one holding a "kill Americans" poster. What's on his ass? Levi's Jeans. What's on his head? A Yankees cap.

        People don't have to lie or be stupid to both hate Microsoft and run XP.

        (However I run XP and quite like Microsoft. Then again, I always looked up to Andrew Carnige and the DuPonts, and Vanderbilts.)
    • I believe you could do something similar with apt-get and a crontab. :) Put the Debian security server in your sources.list, and have apt-get upgrade your packages from it on a daily/weekly/monthly/whatever basis. There may be a downside to doing this, I honestly have never tried it - but I can't think of any reason off the top of my head why it wouldn't work.
    • It's not exactly automatic when you still have to close all your apps and reboot your PC. :-(
    • Have you tried Debian Linux? aptget your updates, just one command!

  • Excellent!!! (Score:2, Funny)

    by eyegor ( 148503 )

    With this patch, IE will finally be perfect and I can sleep in peace knowing that Big Bill® is watching over me.

  • Out of laziness, but lately I am not patching IE or any of the other known vulnerabilities on the software I have installed, unless the vulnerability is really dangerous: It comes to a point, that simply, I don't care anymore.

    You might say that this is against me, not to patch my software, and you are right, but I am tired.

    I think the security model used by MS and others (well, assuming this is a security model) is not valid anymore, I cannot go patching my software every morning after booting the computer!!
    • I cannot go patching my software every morning after booting the computer!!

      thats one of the things that Windows does rather seamlessly though. I booted to it this morning to take care of a few things, and a little reminder notice popped up in the toolbar saying "a update is available"... all i did was click "Yes" and it was installed, it told me i had to restart to finish the update, and i ignored that part...once i finally do restart my computer it will be fully installed. This process took me a grand total of about 1 second of my time.

      There are plenty of valid complaints about MS, but this is one of those cases where they are doing something right.

  • Microsoft is getting smart (Score:5, Insightful)

    by mikosullivan ( 320993 ) <miko AT idocs DOT com> on Thursday May 16, 2002 @01:20PM (#3531614)
    The increased pace of security patches from MS may indicate that they're finally serious about security. If so, the OSS movement needs to be wary. Windows lack-of-security has always been a major harping point for the OSS movement. Yes, I'm glad for the windows-users of the world that their OS is getting better, but those of us who preach OSS to our colleagues and friends need to be aware that a major talking point may be going away. If MS really has decided that Security Counts, they've got pretty deep pockets to do something about it. Sun and IBM have both proven that the closed-source system can in fact produce pretty secure operating systems.

    Microsoft is a formidable opponent. They're very rich and very good at using those riches to get what they want. We need to avoid being smug.

    • MS is rich because.... (Score:4, Informative)

      by Steveftoth ( 78419 ) on Thursday May 16, 2002 @01:38PM (#3531800) Homepage
      they are great salesmen. They basically sold the entire world a product that simply didn't do what they said it would do. Only now are they finally making good on their promise.
      They are finally making the software robust and not crash 20 times a day.
      They are finally making it such that you can actually use the programs without fear of having to reinstall the whole when you try to get a new screensaver.
      They are finally making it a good product.

      What's wrong with this? They've been charging for the full product all along, when only now are they finally delivering. They have suckered the entire world. They take your money every time you buy a computer even if you don't use their software.

    • In the most optimistic light, Microsoft might be becoming better at fixing bugs. That is good for them and their poor users. But no matter what they do, they are still going to sell word processors that have a macro language powerful enough enough to read/write external files and execute foreign code. They are still going to ship a web browser that downloads binary code from webpages and executes it. Right now, they're just fixing some bugs in how the browser makes the decision about when its ok to do that. They still haven't (and never will) eliminated the glaring stupidity of the "feature" in the first place -- a "feature" that even the dimmest and most inexperienced programmers would instantly know should not be implemented. And they can never address the real security concerns without massive compatability breaks with established legacy -- which would destroy all the reasons for using their products in the first place.

      You're wise to caution against being smug, but look at what they're shovelling: Microsoft products suck intentionally. The bonus suckage due to bugs is just an extra. Take away the bonus suckage and they'll still be mediocre.

  • Windows Update fatally crashes my system each time I go to download all the 'critical updates' my system needs. Which means that I'm unable to actually patch my boxen, unless I maybe reinstall the operating system, which would make me lose all my application settings/components and be forced to reinstall them, etc, etc.

    One central source, one update system. One critical point of failure. One of the many problems that come with having one operating system to rule them all and in the darkness find them...

    Boy, do I hope nobody tries to r00t my 98 box. After plugging in my shiny new cable modem it probably looks real attractive now.

    • My laptop came with XP on it - the first time I connected to the internet it downloaded updates (I was on a pretty fast network and didn't notice it happening) - next thing I knew, the thing rebooted and I couldn't search for local files anymore. And it ran slow as ass. So I uninstalled the patches, which is kind of nice that it lets you do (of course it doesn't tell you which patch does what, just gives you the number in the knowledge base). Anyway, the point is that even after uninstalling all those patches, I couldn't search for *local* files unless I was connected to a network of some kind. Go windows update. That's why you don't want some program downloading/installing automagically for you.
    • Actually you can download the updates manually if you wish; they're on their website somewhere or other. This is a supported patch technique.
    • > Boy, do I hope nobody tries to r00t my 98 box. After plugging in my shiny new cable modem it probably looks real attractive now.

      I'll take that bet -- what services is your 98 box running? Let's look at the currently-popular remote Winbloze exploits:

      Code Red: Requires unpatched IIS running. Most vulnerabilities are from W2K/NT install CDs that activate IIS upon installation. 98SE doesn't "give" you IIS. No problem.

      That remote device ident bug that was shipped out-of-the-box: Are you running Win2K/XP? No, this is Win9x, which doesn't support the feature out-of-the-box. No problem.

      All the outleak bugs: Are you using Outbreak as your mail client? No? Good! No problem.

      All the IE bugs: Are you using IE as your browser? No? Good! No problem.

      All the Netscape/Mozilla bugs: Are you regularly surfing untrustworthy sites with Javashit enabled? Don't Do That, Then. (Rarely a problem on any Windows config.)

      OK, you might get bit by an obscure bug like downloading a JPG that exploits a buffer overrun in some version of Nutscrape, but that's pushing it.

      Bottom line - a Win9x box with a fresh install doesn't do enough to make it easily-r00table.

      Win98SE is no longer the "new hot thing" in operating systems, so relatively few cr4x0rz are designing new exploits for it.

      If I had to choose a Microsoft operating system for an always-on net.connection for home use, I'd go with 98SE, install Netscape for web browsing, a third-party mail client from the days before HTML mail (gotta avoid the IE rendering engine), spend a day downloading/installing the DiVX codec and Windoze Media Player 6.2, and some basic MP3 utilities, and voila.

      For bonus points, after installation, verify that File/Print sharing is still off, set the OS to display all file extensions and full path names, put some ad-blocking in the HOSTS file, install Junkbuster, and maybe a "personal firewall" to block incoming traffic to port 80, 137, etc... and throw in a copy of AdAware as an early warning system. If the user's clueless, maybe some antivirus software. (Remember, we're not using a remotely-exploitable mail client, so the user has to be pretty clueless to get r00ted.)

      Such a box does everything the home user wants (movies, music, web, email) and has very few remote exploits even without the "defensive" software addon.

      Granted, because it's Win9x, everything runs as root, so it's not protected from internal error (like dumbasses running untrusted executables), but it's pretty secure against external threats.

      Over 1-year timeframe, and given the prototypical "enclued, but lazy, home user" who can't be bothered to suck a 60M "Windows Update" every weekend through his 28.8K dialup, (or risk his system's stability even if he can be bothered to download everything), I'd bet this 98SE box stands up better over a 1-year timeframe in the wild than a Win2K or XP install.

      What I've said isn't revolutionary -- it's just the old rule of "Don't run services you don't need. If you subsequently find you do need them, turn them on later." Is there any valid reason a "home Linux user" should default to turning on an FTP server, BIND, a web server, and Sendmail? Hell, no. There's no reason for a generic home user to have services listening on any of these ports.

      For install-time r00t holes, the difference is that most Linux distros have realized this, and aren't turning this crap on at install-time. Most Windoze distros haven't.

      For run-time r00t holes, the biggest hole is that everyone uses IE's DLL to render HTML, even when the application (email, USENET, MP3 player) doesn't really need to render web content. It's so easy to hook into IE that most apps "just do it", and thus a hole in the engine exposes dozens of apps to exploits, not just the web browser.

  • bugtraq (Score:3, Interesting)

    by NastyGnat ( 515785 ) on Thursday May 16, 2002 @01:22PM (#3531633)
    speaking of bugtraq, this just came through my e-mail from Greg Chatten with St. Louis Internet.

    Date: Thu, 16 May 2002 12:32:17 -0500
    Subject: MS02-023 Patch Breaks JAVASCRIPT
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    The installation of the 15-May-2002 Cumulative Patch for IE (V6 in this
    case) breaks the following Javascript code. This code works in IE versions
    *not* patched with Q321232 but fails to execute on IE6 which has been
    patched. I don't have IE 5 or below so I don't know if they broke those
    versions as well.
    Then there is lots of javascript. Just like microsoft to break something else while they fix another thing.
    The original message should be in the bugtraq archive by now ;)
  • Acording to an article [google.com] (which seem to be missing now so use google) on ZDNet Windows 2000 shipped with 63,000 known issues/bugs. I also heard that Windows 95 shipped with around 5000 known bugs. The point being that this proves that Microsoft has a very good QA department but they choose to ship things on time/on budget rather then fixing any possible security flaws.

    It makes me wonder just how many known bugs IE shipped with and how many of those known bugs are just now being fixed in the latest patch.

    • Not to rain on your parade, but my guess is that by the time Mozilla 1.0 [mozilla.org] ships, they won't have fixed the 15,000 outstanding confirmed bugs listed in Bugzilla [mozilla.org].

      Point is always that software has flaws. QA is more of a triage than anything. The stuff that's critical will get fixed so the product can ship. Other stuff will get fixed when the opportunity arises (or enough people demand it). Most large software projects generally have these issues. Fact is, software will never be 100% bug free. You'll always find bugs, but you'll guess generally that some of them shouldn't be encountered by too many people if they're obscure enough. That's the call you have to make. Otherwise, software will NEVER ship.

      • Re:63,000 Bugs in Windows 2000 (Score:4, Interesting)

        by White Roses ( 211207 ) on Thursday May 16, 2002 @02:13PM (#3532072)
        Moz does have a lot of bugs. IE does, too. So do Mac OS X, OpenSSH, Linux, Apache, Windows, Solaris, HP-UX and IRIX.

        The problem, to my mind, is the relative number of serious security-compromising bugs in each of those, and the speed with which patches are made available.

        Microsoft seems to put out software with a lot more serious security holes and then lets them sit out there forever and a day before a patch is made available.

        Sure, users have a responsibility to patch their systems and to keep up with security and other issues. But let's say the average user can handle 5 issues a month (which may be a little high). That wouldn't even get you close to closing all the serious holes in MS products. It'll close a much higher percentage of serious holes in other systems, however.

        That's my gripe: MS sroftware is so buggy that keeping up with the holes is a full time job. I don't even think a full time sysadmin would want to spend all his time patching Outlook, much less Joe Average.

        Every piece of software has bugs and security holes. Microsoft's numbers are just too disproportionately high for me to tolerate.

    • Re:63,000 Bugs in Windows 2000 (Score:5, Insightful)

      by Elias Israel ( 182882 ) <eli@promanage-inc.com> on Thursday May 16, 2002 @01:53PM (#3531913)

      This statistic was often trotted out, but I'm afraid it doesn't mean what most folks think it means.

      Win2K went out with 63,000 open issues not because the software was flawed, but because it was thoroughly tested.

      Now, don't get me wrong: thoroughly tested is not the same thing as good, though lots of testing is sure nice.

      (Secondarily, the larger number of defects also reflects the relatively larger code base of Windows. Again, don't get me wrong: more code is not necessarily better, either, but it leaves more room for defects.)

      But the point is, as IBM determined something like four decades ago, the difference between software with a lot of known defects and software without a lot of known defects is not the defect rate: it's the thoroughness of the testing.

      All software has defects. The question is whether anyone has gone looking for them.

  • Hey Slashdot Crowd (Score:2, Insightful)

    by newt_sd ( 443682 )
    This reliance of yours on free (as in Microsoft IE) software is disturbing :) If you don't like the way a company supports a product that is given to you then don't use it. Its one thing to complain about Microsoft's pay for product line but geesh IE is free. On a side note bashing a company/product is not a sport its a complicated event that takes planning and research, think about that next time you post.
  • I think this represents a big change in MS's aproach to security.
    Now if only theyd fix the winnuke bug.
    I remember one guy in the office wanted me try and break his
    über secure win2k box with software firewall.
    I winnuked his ass and he cloudn't even move his mouse.
    There was no way he could filter it out as the bug is in the TCP/IP stack i think.

    Yes I understand this is lame but he asked for it :)

  • how to get them (MSFT) to make patches that work (Score:3, Funny)

    by Jucius Maximus ( 229128 ) on Thursday May 16, 2002 @01:30PM (#3531714) Journal
    1. Take the vulnerabilities that have been sitting around for ages and choose one that you want them to get fixed.

    2. Choose a cool marketing name for the hole, like "achilles' hole" or such. Make it fancy.

    3. Call the news agencies. Once there is a fancy marketing name, they will jump on it and create public hysteria. Remember "Code Red" ? It was just like any other worm attack except that it had a cool name for the media blew it way out of proportion.

    4. Watch the patches roll in.

    5. Lather, rinse, repeat. Every six weeks should do it. The public should see a pattern sooner or later.

  • What the patches fixed (for the lazy) (Score:4, Informative)

    by aardwolf64 ( 160070 ) on Thursday May 16, 2002 @01:35PM (#3531777) Homepage
    http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS02-023.asp

    For those that are SO lazy that you can't click on the link:

    Technical description:

    This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following six newly discovered vulnerabilities:

    • A cross-site scripting vulnerability in a Local HTML Resource. IE ships with several files that contain HTML on the local file system to provide functionality. One of these files contains a cross-site scripting vulnerability that could allow a script to execute as if it were run by the user herself, causing it to run in the local computer zone. An attacker could craft a web page with a URL that exploits this vulnerability and then either host that page on a web server or send it as HTML email. When the web page was viewed and the user clicked on the URL link, the attacker's script injected into the local resource, the attacker's script would run in the Local Computer zone, allowing it to run with fewer restrictions than it would otherwise have.
    • An information disclosure vulnerability related to the use of am HTML object provides that support for Cascading Style Sheets that could allow an attacker to read, but not add, delete or change, data on the local system. An attacker could craft a web page that exploits this vulnerability and then either host that page on a web server or send it as HTML email. When the page was viewed, the element would be invoked. Successfully exploiting this vulnerability, however, requires exact knowledge of the location of the intended file to be read on the user's system. Further, it requires that the intended file contain a single, parcicular ASCII character.
    • An information disclosure vulnerability related to the handling of script within cookies that could allow one site to read the cookies of another. An attacker could build a special cookie containing script and then construct a web page with a hyperlink that would deliver that cookie to the user's system and invoke it. He could then send that web page as mail or post it on a server. When the user clicked the hyperlink and the page invoked the script in the cookie, it could potentially read or alter the cookies of another site. Successfully exploiting this, however, would require that the attacker know the exact name of the cookie as stored on the file system to be read successfully.
    • A zone spoofing vulnerability that could allow a web page to be incorrectly reckoned to be in the Intranet zone or, in some very rare cases, in the Trusted Sites zone. An attacker could construct a web page that exploits this vulnerability and attempt to entice the user to visit the web page. If the attack were successful, the page would be run with fewer security restrictions than is appropriate.
    • Two variants of the "Content Disposition" vulnerability discussed in Microsoft Security Bulletin MS01-058 affecting how IE handles downloads when a downloadable file's Content-Disposition and Content-Type headers are intentionally malformed. In such a case, it is possible for IE to believe that a file is a type safe for automatic handling, when in fact it is executable content. An attacker could seek to exploit this vulnerability by constructing a specially malformed web page and posting a malformed executable file. He could then post the web page or mail it to the intended target. These two new variants differ from the original vulnerability in that they for a system to be vulnerable, it must have present an application present that, when it is erroneously passed the malformed content, chooses to hand it back to the operating system rather than immediately raise an error. A successful attack, therefore, would require that the attacker know that the intended victim has one of these applications present on their system.


    Finally, it introduces a behavior change to the Restricted Sites zone. Specifically, it disables frames in the Restricted Sites zone. Since the Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email Security Update and Outlook 2002 all read email in the Restricted Sites zone by default, this enhancement means that those products now effectively disable frames in HTML email by default. This new behavior makes it impossible for an HTML email to automatically open a new window or to launch the download of an executable.

  • for fucks sake.. (Score:2, Interesting)

    by DraKKon ( 7117 )
    At least M$ is fixing problems, maybe not as fast as the oss companies/people, but christ.. None of you guys bash redhat, suse and the like when they release an update for an app that can give you root. I know in the /. eyes M$ is the root of all evil, but you know what, best item/app/os for the job.

    I don't care if its a mac/ms/*nix/*BSD or what, but if it gets the job done, relatively well and fast, I will use it.

    For programming, i don't care if its VB/C/Glade/Perl/Python whatever.. whatever suits the job best. And yes, sometimes, if not MOST of the time, it's a MS solution (for me at least, YMMV).

    And for the record, win win98 installation, which I just reinstalled everything ( 2 days worth of installs and hundreds of reboots ) is showing the same symptoms of the problem for the reinstall, which I'm assuming came from windows-update. So no, I'm not living in a perfect world. At the moment, I'm cursing Billy boys name, but I'm still using Win98 for most of development work and 2 linux machines as servers, since, like I said, best solution for the problem.

    So flame away, you /. hypocrites, bring this post to a -1.
  • While everyone is harping on Internet Explorer problems, I have to openly (pun intended) ask this question: how will we see bug and/or security fixes for Mozilla 1.0 when that is released very soon? Will it be in the form of patch files? Or do we have to download the whole browser all over again?
    • As far as I can tell Mozilla has only had that one javascript security bug. It was fixed the same day, and released as a nightly build.

      You'll almost certainly have to download the whole browser. It would be too hard to deal with people upgrading from all the nightly builds and the 3 week milestones, etc.

      This is not really a problem because, Mozilla is aimed at developers. Users are supposed to use Netscape or other Mozilla based browsers.

      For Linux users, it would be up to the Linux distro to provide patches like that if they wished. But none of them will either. Too much work for no money.

      • For Linux users, it would be up to the Linux distro to provide patches like that if they wished. But none of them will either. Too much work for no money

        On my Source Mage [sourcemage.org] system I simply run a 'sorcery update' before going to bed, and any new versions of packages are downloaded, compiled, and upgraded accordingly. All dependent packages are recompiled as needed, such that all are optomized and compiled against the most current rev. Downloading and compiling mozilla may be time consuming, but if I'm asleep while its happening who really cares?

        On my Gentoo [gentoo.org] system I do an 'emerge rsync' followed by an 'emerge --update system --pretend' (to first see what it is going to do), then if I like what is going to happen, the same command again without the --pretend to actually do the update, followed by an 'emerge --update world --pretend' and, once again if I like what is going to happen, an 'emerge --update world'. If I don't want to upgrade everything (not as safe to do under Gentoo as Source Mage) I simply do an 'emerge --update [package-name]', such as 'emerge --update mozilla' before going to sleep.

        In either case, the next morning I wake up with the most current security patches (if any) and newest stable versions of all the Free Software out there, including Mozilla.

        I had Mozilla rc2 running within 24 hours of its release, fully compiled and optimized for my machine. No waiting on Red Hat, Suse, or, God forbid, Debian to get around to pushing their versions out. (Though in defense of Debian they do push SECURITY fixes out very fast ... its just the snazzy new versions of things that take a lifetime before you see them ... e.g. "Stop asking me when X 4.2 debs will be out, it will be months!" as one of the developers posted, a day or two after 4.2 had been released by the XFree group, and was already up and running on my Source Mage and Gentoo boxes.

  • Browser wars (Score:4, Insightful)

    by Jungle guy ( 567570 ) <brunolmailbox-generico&yahoo,com,br> on Thursday May 16, 2002 @02:15PM (#3532089) Journal
    These constant Internet Exploer fixes are a result from the "browser wars", when MS an Netscape competed to release their new browser every six new months or so. The rush prevented good code auditing, and several bugs were not wiped.
    Now that this "war" is over, I hope MS (and Netscape) make a good review of their browser before releasing it, and stabilize the existing code. If we are lucky, IE 7 will be shipped only in 2003 or 2004 - and by "we" I mean every internet user, for the bugs in IE helped the spread of annoying worms like Nimda and Klez.

  • What I found interesting... (Score:3, Insightful)

    by gosand ( 234100 ) on Thursday May 16, 2002 @02:31PM (#3532174)
    Was that in the post to Bugtraq, the author mentioned his URL http://jscript.dk/unpatched/. I checked it out, and he also lists bugs in Netscape/Mozilla. So he isn't just a MS basher, as some would have you believe. Of course, he also said that one of them was fixed within 24 hours.

    Just because someone bashed MS, that doesn't mean that they are being unreasonable.

  • the MS link to the detailed info about the patch is 'unavail' (ms slashdotted? *grin*) as is the link from the windowsupdate site. What is available follows (I hope you enjoy this as much as I did):

    System Requirements: This update applies to Internet Explorer 5.5 Service Pack 2.

    How to use: Restart your computer to complete the installation.

    How to uninstall    : Uninstall is not available.

  • I ran Windows Update last night and downloaded this patch for my Win2k system. I logged into my regular user account and all I get is my backgrond screen - no icons, no start menu, etc. I was able to do CTRL-ALT-DELETE to start the task manager and therefore Mozilla, which I'm using now to post this message.

    I tried the same method described above to start IE and Windows Explorer. Both failed. I read the TechNet bulletin referred to in other posts. It looks like MS updated the code that support something they're calling a "local resource file". Correct me if I'm worng, but doesn't MS use "local resource files" to handle the desktop in Win2k?

    BTW, the only positive outcome is that my memory usage has dropped form 135 MB to about 80 MB. Besides my desktop, among the missing applications are my AntiVirus program and firewall.

    Finally, I get the same symptom when I try to use the Administrator account. I don't know how I'm going to back out the patch if I can't run the Control Panel Applet without IE/Windows Explorer.

    Any pointers would be appreciated. Good thing I have a Linux box and/or Mozilla to fall back on.

  • MS (in)security and /. MS bashing (Score:5, Insightful)

    by theolein ( 316044 ) on Thursday May 16, 2002 @03:49PM (#3532593) Journal
    I notice that everytime MS gets a negative posting here, which is often and to be expected, since this is a place where you don't have to fear any recriminations when posting negative MS articles (Rob Malda does not have to report to an editor in chief and explain why he's undermining the MS advertising on the site), A lot of people post a lot of anti-slashot commentaries about anti-MS bias etc.

    This is one of the few *very* public sites that I can go to and read public criticisms of MS, step by step. If I wanted to read what a fantastic job MS is doing with it's security and how it really is such a *fab* company, then I could either go to MS' site and read the marketing departments latest press releases or go to ZDNet and read commentaries by the zombies in their editorial department.

    I *want* to read extremely critical news here on /. Criticism keeps MS on it's toes and stops them from doing what they like with users' (including your) rights. It gives me a good critical counterclaim for every piece of anti-linux FUD that comes from MS.

    /. May often be wrong but they don't try to tell me how wonderful is and how I can just back and let MS handle all my problems.
  • I just went to WindowsUpdate to update IE. The installation of the security patch caused my computer to crash. No kidding.

    I go back to the site to try again, but it says I have the patch already. The question is, did it finish installing before it crashed?

  • So how do I go about updating 20+ Win2k machines at a client site running all different version of IE?

    There has to be an easier way than running around to each machine applying a patch every month.

Slashdot Top Deals

Thus spake the master programmer: "Time for you to leave." -- Geoffrey James, "The Tao of Programming"

Close