Microsoft Notes Critical Security Holes in Windows, Office

Scoria writes "CNN is reporting that the infamous Microsoft has disclosed six critical Internet Explorer vulnerabilities, including some that would allow an attacker to execute arbitrary commands. According to the relevant TechNet bulletin, a cumulative patch has been released to address them." Please be sure to read the EULA before installing the patch.
  • by jerkychew ( 80913 ) on Friday August 23, 2002 @09:19AM (#4126051) Homepage
    It's sad that, when I saw that the patch was released, the first thing I thought was, "I hope the EULA won't force me to accept automatic installs from now on."

    I think I'd rather have an insecure system than one that gives MS carte blanche to install what it wants. There's something wrong with that.
    • Since you can't analyze the patches yourself I think this point is moot. I mean wouldn't they insert nasty code in an update rather than tell you what it is. If you update using non opensource patches then you are already giving the carte blanche IMO.
      • by EnVisiCrypt ( 178985 ) <{moc.liamtoh} {ta} {tsiroehtevoorg}> on Friday August 23, 2002 @09:50AM (#4126279)
        People who actually examine the patches on their Open Source O.S. raise your hands.

        Linus put your hand down.

        Seriously, we should be pushing for accountability, not a world where everybody's grandma has to learn C++ just to make sure that the big bad software company hasn't installed a trojan horse.

        When you got your oil changed last, did you take the engine apart to make sure that your mechanic didn't put a rabbit in there?

        I know that you probably change your own oil. It's an example.
        • Speaking of moot points, I'll use one now.

          Linux appreciation/zealotry is about ideals. It's not that we necessarily want to look at the components, but just that we have the option to do it if we are so truly paranoid.

          That said, I agree with you anyway.
        • by Oztun ( 111934 ) on Friday August 23, 2002 @10:03AM (#4126373)
          I'm sure some people raised their hands. Now if those people found a hole some would share it with the rest of us. Get it yet?

          Oh and I work on my own car and go through source code in my spare time so your points don't work much on me. I don't trust M$ nor mechanics.

          BTW a friend works at Jiffy Lube and always has interesting stories on how the boss makes him take suckers to the cleaners.
        • People who actually examine the patches on their Open Source O.S. raise your hands.

          Linus put your hand down.

          First off, this is funny! :-)

          But it does kinda miss the point, as no doubt many people will be quick to explain. (Don't you think ``You missed the point'' should be the Official Slashdot Motto? :-)

          The point is that if a patch is open source, and if only 1% of the 10,000 people who install it bother to read through, then that's still 100 pairs of eyeballs that will spot any funny business. So, crucially, the other 99% (and yes, I admit to falling into the 9,900 here more often than not) also benefit from the code's openness.

          Summary: I don't want it open so I can look at it; I want it open so Linus can look at it for me and tell me if there's anything wrong with it! :-)

          ObDisclaimer: no, I'm not really a degenerate freeloader. Usually I am in the 99% that doesn't read the code. But every so often - say 1% of the time - I will read it. See also my open source Net::Z3950 module at perl.z3950.org [z3950.org] before you dare question my Free Software credentials. Infidel! :-)

        • I use debian, which has a distributed system of people who approve patches, typically separate from the OSS projects that produce the patches. I'm not going to say Debian is the perfect system (a patch may be integrated without really looking at it, or a server may be hacked and malicious code uploaded), but it is good enough that I don't really feel I have to worry about it.

          Then again, I don't worry too much about MS on the malicious code side. I won't install a patch the first day it comes out and will watch for installer's reactions (with debian I'll install and if I'm having a new problem I'll check debian boards about the patch). I am, however, getting more and more upset on the EULA side. For a product that is supposed to be free, I.E. sure asks for a lot.
        • by dillon_rinker ( 17944 ) on Friday August 23, 2002 @10:20AM (#4126512) Homepage
          Hey, those of you who actually operate a printing press raise your hands.

          See? There's only about three of them. There's no point in freedom of the press if only three people use it.

          Ok, now everyone who's been arrested this week raise your hands.

          Only a couple dozen out of a couple hundred thousand? Ok, no point in rights for the accused, then.

          Next up, let's see how many of you are black. Only about ten percent? Well, what's the point in those equal protection and non-discrimination clauses? Most people don't need them.
        • by krasni_bor ( 261801 ) on Friday August 23, 2002 @10:27AM (#4126569)
          When you got your oil changed last, did you take the engine apart to make sure that your mechanic didn't put a rabbit in there?


          No, because I could sue my mechanic for breaking my car. I can't sue Microsoft for breaking my computer.
    • by Dudio ( 529949 ) on Friday August 23, 2002 @09:37AM (#4126191)
      Maybe it's just me, but I fail to see a single mention of the EULA, much less a statement that it changes when you apply this patch. Even when installing, the only dialog presented to the user is the "Do you want to install this update?" box. I'm as concerned as the next guy about Microsoft's propensity to sneak in unannounced EULA changes and automatic updates without telling you, but let's not point fingers where there's nothing to see.
    • I think I'd rather have an insecure system than one that gives MS carte blanche to install what it wants.

      But by leaving your system insecure, you're giving every h4X0r on the planet carte blanche to install whatever they want on your machine. I'm afraid you're stuck between a rock and a hard place.

      • Aha, that gives me an idea. I'm going to hack into Windows servers and install patches. That's the best way to REALLY screw them! Instead of propagating worms, I'll propagate MS. That's just evil. Mwuhahahaha.
    • It's official! (Score:2, Informative)

      by r_barchetta ( 398431 )

      Microsoft are now worse than script kiddies. That's some statement.

      You know, you could run (1, [redhat.com] 2, [mandrakelinux.com] 3, [suse.com] 4, [debian.org] 5 [slackware.com]) something [openbsd.org] other [freebsd.org] than [apple.com] windows.

      Just a thought.

      -r
    • ...is a minor who can click "Accept" for you. I'm not completely au fait with the legal ins and outs, but essentially, minors are not bound by contracts they make (at least, not in any country I've heard of) and can stick the finger to Microsoft (or whoever) whenever they want.
    • by NoData ( 9132 ) <[_NoData_] [at] [yahoo.com]> on Friday August 23, 2002 @09:58AM (#4126342)
      Would somebody please post a link that explicitly says this patch allows arbitrary automatic installation of future patches by MS?

      On my Win2K machine, Windows Update provides a list of updates I have yet to install. One of these is Windows Automatic Updating (June 2002). The info text for this update reads:

      Windows Automatic Updating, June 2002

      This Windows feature notifies you when critical updates are available for your computer. This feature replaces Critical Update Notification if it is already installed. Critical Update Notification will no longer offer critical updates. Download now to receive notifications of critical Windows updates.

      System Requirements

      This update applies to Windows 2000 Service Pack 2 (SP2).

      How to use

      To set your preferences for automatic updating, follow these steps:
      Click Start, click Settings, and then click Control Panel.
      Double-click Automatic Updates.
      Select the notification method you prefer.

      How to uninstall

      Uninstall is not available.


      However, I have always consistently unselected this item to prevent its installation. I want to know definitively if the latest cumulative security patch somehow end-runs this, or deprecates Windows Automatic Updating in lieu of some new updating scheme.

      Definitively, not speculatively.

      • by xant ( 99438 ) on Friday August 23, 2002 @10:27AM (#4126567) Homepage
        Since I needed to install SP3 (corporate environment), I took the time to read their articles about automatic updating, specifically re: turning that crap off. It's quite easy.

        In win2k:

        Start > Settings > Control Panel > Administrative Tools > Services. Doubleclick the item "Automatic Updates." Pick Startup Type "Manual" or "Disabled" (I think the difference is Disabled means you have to be an administrator to turn it back on). Click OK. You may have to hit the "stop" button at the top of the Services window to actually stop the instance currently running, but it won't ever start again.

        Ahh, my computer is free from evil once again.
    • by lithron ( 88998 ) <lithron&gmail,com> on Friday August 23, 2002 @10:14AM (#4126462) Journal
      If your first thought was to question the vendor (Microsoft) you probably need to switch vendors. Trust is a rather important thing (at least in the industry I'm in).

      On another topic, do you really believe MS is going to install software willy-nilly on a couple hundred thousand computers without the owners' consent? The backlash from that sort of thing could easily put them out of business.

      This whole elitist attitude everyone has needs to go.
    • by Sycraft-fu ( 314770 ) on Friday August 23, 2002 @10:20AM (#4126509)
      Some of you people are far worse than any big company when it comes to putting out misinformation and FUD.

      There is a real simple solution to automatic updating if you don't like it: TURN IT OFF! I know this may be a huge surprise but if you actually bother to LEARN about Windows you'll find that it does offer options. Just go to the services control panel and disable automatic updating. Bingo, your computer will only then get updates when you manually check for them. There is then no way to remotely restart or reenable this service without an administrator password on that computer.

      The reason MS has language in their EULA about their automatic updating is to cover their own ass. The thing is, sometimes their updates will cause problems on a given system, despite their best efforts to stop that from happening. For example, they had a 3com net driver update that for whatever reason caused a system with Tiny Personal Firewall installed on it to BSOD on boot. The problem was related to TPF 2.0.15 (that version was not tested on XP by Tiny Software), as systems without it were not affected. Well, if this update got pushed out automatically to systems and people failed to check what they were installing before doing so, it could cause problems. The EULA is a CYA measure for situations like that.

      Please, before you shoot your mouth off about Windows try LEARNING about it first. You would ask that others learn about Linux before passing judgement, do the same yourself for Windows.
      • It's not FUD (Score:4, Insightful)

        by Jerf ( 17166 ) on Friday August 23, 2002 @10:59AM (#4126829) Journal
        In reference to the SP2/SP3 EULA michegas, it's not FUD, because reading the EULA indicates that it does not say word one about you agreeing to automatic updates through the already existing Windows Update mechanism. It does not have any provisions about allowing you to bypass the mechanism.

        Microsoft simply reserves the right to update your system, period. In fact, as I read it, blocking an update that Microsoft wants to put on your system (with or without Windows Update) would be a breach of contract, as, like I said, there are no provisions in the EULA for users blocking the updates.

        This can't be said enough: The EULA described a superset of the Windows Update mechanism. If they decide to force something onto your system, you will have no recourse after agreeing to the EULA.

        It's not FUD; that clause allows Microsoft to take control of the computer, while theoretically not allowing you any recourse. I for one don't care to turn that power over to anybody, especially as they haven't even made mealy-mouthed promises not to abuse it. It's just there, and they can do whatever they want with it, whenever they want, and not violate the license.

        I will say this: I'm sure that if they only wanted to cover their ass with regards to the Windows Update mechanism (something you already agreed to anyhow by leaving it clicked), they would have written something more limited.
      • mod points are like cops - never there when you need them, always there when you don't.
    • Please be sure to read the EULA before installing the patch. So... What's the alternative to accepting their EULA? Simply having a vulnerable system?
  • Moderate severity (Score:5, Interesting)

    by Conare ( 442798 ) on Friday August 23, 2002 @09:19AM (#4126053) Journal
    I love the way one of them (TSAC Control) is marked moderate severity even though it allows the attacker to run arbitrary code. I'd call that critical. Does that make me an alarmist?
    • by PhilHibbs ( 4537 )
      If it's a theoretical possibility, and is very difficult to exploit, then that would justify lowering the severity.
      • Re:Moderate severity (Score:3, Informative)

        by kzinti ( 9651 )
        It would be more helpful if Microsoft were to state these "severities" in terms that many companies use when doing risk analysis: to quote both a likelihood and an impact - or, as they're sometimes called, probability and consequences. If the TSAC control exploit is difficult to pull off, then the probability is low, but if it allows the attacker to run arbitrary code, then the consequences are high.

        But when was Microsoft ever concerned about its customers fully understanding its security problems?

        --Jim
        • Re:Moderate severity (Score:3, Interesting)

          by spongman ( 182339 )
          since it started posting the security bulletins [microsoft.com]. the 'impact' seems to be quite clearly stated here:
          Impact of vulnerability: Run code of the attacker's choice

          Maximum Severity Rating: Moderate

          Recommendation:

          • Administrators of web sites hosting the TSAC ActiveX control should install the new control immediately.
          • Users should apply the latest cumulative patch for Internet Explorer (at this writing, the latest patch is provided in Microsoft Security Bulletin MS02-047).
          Affected Software:
          • Microsoft Terminal Services Advanced Client (TSAC) ActiveX control, which can be installed on any Windows system.
  • Great! (Score:5, Funny)

    by RhetoricalQuestion ( 213393 ) on Friday August 23, 2002 @09:19AM (#4126054) Homepage

    Arbitrary commands run by strangers if I don't,
    Arbitrary commands run by Microsoft if I do.

    If only more sites complied with standards, I could dismiss MS entirely for Opera.

    • Re:Great! (Score:5, Funny)

      by gosand ( 234100 ) on Friday August 23, 2002 @09:35AM (#4126169)
      Arbitrary commands run by strangers if I don't,
      Arbitrary commands run by Microsoft if I do.

      You know, I think I would rather trust the strangers.

      • Re:Great! (Score:3, Insightful)

        by Consul ( 119169 )
        You know, I think I would rather trust the strangers.

        I believe the phrase is, "Better the Devil you know."

        This means Microsoft, sorry to say. Of course, I use Mozilla exclusively on a Mac and a Linux machine. No Windows boxes for me at all.
    • Re:Great! (Score:2, Insightful)

      by MeNeXT ( 200840 )
      If you dismiss MS for Opera more sites would comply with standards.

    • Re:Great! (Score:2, Informative)

      by thesolo ( 131008 )
      If only more sites complied with standards, I could dismiss MS entirely for Opera.

      Have you tried out Mozilla lately? The quirks mode in Mozilla renders bad HTML just as well as IE does, IMHO. Ever since Mozilla .99, I have not had a reason to use IE again, and I suspect I won't for quite some time.
    • I find that Mozilla works sufficiently well that I never use Internet Explorer. The only site that I know of that demands MSIE is the MS site. Now it's certainly true that we may patronize different sites, I've never been willing to give a site that demanded MSIE much of a chance to prove itself worth visiting, but I haven't found myself very restricted. Well over 97% of the sites I visit cause no problems for Mozilla, and most of those were encountered before Mozilla 0.9.5, when I would switch to Netscape 4.x to handle them. I think I may once have visited a site that required MSIE, and which I was willing to use it on. Unfortunately, it didn't like the version that I had installed, and I wasn't willing to upgrade. These days, I usually don't even have it on the machine that I'm using.
  • by geoffeg ( 15786 ) <(geoffeg) (at) (sloth.org)> on Friday August 23, 2002 @09:21AM (#4126065) Homepage
    Windows Update (windowsupdate.microsoft.com) has a description of this security patch, the last line of which reads:

    Download now to continue keeping your computer secure.

    So apparently my computer is already secure and there is no need to download the patch then!

    Silly Microsoft.

    • Download now to continue keeping your computer secure.
      Microsoft's idea of security. It's really just as secure after the download and patch as it was before ;) I stopped messing with patches a couple of years ago, and am probably much safer than anyone who is almost current.
  • by Tyreth ( 523822 ) on Friday August 23, 2002 @09:22AM (#4126073)
    As my grandfather who was a doctor said, "Doctors, mechanics and others like these all benefit from the misfortunes of others".
    Today I just spent 3 1/2 hours updating security patches on a group of machines in an office for office 2000. The people there are annoyed about all the patches, and we joked about it being "this months security update". Now there's this, and I'm going to be called in again to update their machines. On one hand it's irritating, on the other hand it gives me more work, which I need at the moment.

    A few of them are curious about Linux, and I keep it in their mind - not telling them that it will solve all their problems, but that in the near future it may be beneficial for them to consider it. I let them know an alternative is there, and they are positive, no knee-jerk reactions. I'm honest to them about its advantages and disadvantages - where it will help them and where it will be a challenge. When the time is ripe they will change over - it is inevitable. This won't eliminate the need for security patches, but I hope through the use of thin clients only one or two machines will ever need updating.
    • by Anonymous Coward
      ever hear of group policy? why apply patches manually?
    • Today I just spent 3 1/2 hours updating security patches on a group of machines in an office for office 2000.

      If you don't like constantly having to patch MS Office, then don't use it. There are plenty of alternatives, including WordPerfect [corel.com] Office Suite, which is what I use.
    • Don't do it! (Install Linux for them, I mean) Your support calls will dry up!

      I installed a Linux fileserver at a company I used to work at, and when I was laid off we agreed that they would call on me if they ever had a problem with the server and we would "work something out". I haven't received a single call, and it's been over 6 months! When I run into my former coworkers at the store and such I ask them how the server's doing and they always say "Great, we haven't had a single problem".

      If you depend on support calls to make your living, the last thing you want to do is install Linux!

      • Dude, if you really want support you just make a perl script to disable something minor every now and then within... say every 2-3 months.

        Since you schedule it with cron, you can make sure it doesn't happen on your vacation. Some would say this is dishonest, but then again some would say "So is installing NT on purpose".
  • by iamsure ( 66666 ) on Friday August 23, 2002 @09:23AM (#4126076) Homepage
    For the quickfixes listed on the url, there is no EULA to install them.
  • No EULA (Score:5, Informative)

    by Mr_Silver ( 213637 ) on Friday August 23, 2002 @09:23AM (#4126081)
    Please be sure to read the EULA before installing the patch.

    I just installed it now (q323759.exe) and it didn't ask me to agree to anything. In fact the only question I got was "Do you want to install this update?".

    For now, my PC is safe from Microsoft forced modifications (relatively speaking).

    • It must be one of their new EULA's. The ones that say "By clicking 'I agree', you agree to agree to all future EULA's".
    • Re:No EULA (Score:3, Insightful)

      by debaere ( 94918 )
      I noticed the same thing. The question is, does the lack of opportunity to view the EULA negate it?

  • SSL Cert. (Score:4, Informative)

    by zmalone ( 542264 ) <wzm.pylae@com> on Friday August 23, 2002 @09:25AM (#4126101) Homepage
    Browsing through the Microsoft link (the first one is a puff piece), it looks as though they still haven't patched the SSL certificate problem in IE/Windows. Will we have to wait until the next multiple security hole patch, or will they release it separately?
    • by gosand ( 234100 ) on Friday August 23, 2002 @09:39AM (#4126201)
      they still haven't patched the SSL certificate problem in IE/Windows.

      That's because their PR people haven't acknowledged that it is a problem yet. Give them 6-8 months. Sheesh, you Open Source people sure are impatient.

  • SSL? (Score:4, Interesting)

    by giminy ( 94188 ) on Friday August 23, 2002 @09:27AM (#4126109) Homepage Journal
    Am I the only one who noticed this does not include the fix for invalid SSL certificates? Pretty big (and very expensive) problem, I think....

  • And even on 2000/XP (Score:4, Interesting)

    by Flower ( 31351 ) on Friday August 23, 2002 @09:27AM (#4126110) Homepage
    You have to reboot to complete the installation. Great. Now all my server updates (please do not ask why, I just follow orders) are going to be a joy. I can't believe I have to reboot to patch a damn browser.
    • by catfood ( 40112 ) on Friday August 23, 2002 @09:32AM (#4126152) Homepage
      The browser is an integral part of the operating system!
    • Truly ironic (Score:5, Interesting)

      by Codex The Sloth ( 93427 ) on Friday August 23, 2002 @09:54AM (#4126307)
      Especially considering to get the "Designed for Windows 2000 / XP" Logo on your software, you have to have an install that doesn't require a reboot.
  • by Kredal ( 566494 ) on Friday August 23, 2002 @09:29AM (#4126126) Homepage Journal
    If someone with the corporate edition key for XP Pro installed SP1, would they be able to apply this patch as well? I thought the SP1 would lock out all further updates?
  • by Lxy ( 80823 )
    "OH MY GOSH!!!! MICROSOFT HAS ANOTHER VULNERABILITY!!! THAT'S NEWS!!!"

    Just for kicks, I signed up for Microsoft security bulletins. I get hordes of e-mail every week, as new vulnerabilities are continually found in each of their products. Being an IE administrator it's important to subscribe to this stuff.

    New IE patches come out about every 2 months. This patch is not all that big of a deal. All the fixed issues had workarounds, and a lot of it could be prevented by using a good proxy server.

    The fact that Slashdot immediately jumps all over Microsoft for this is ludicrous. Get a life.
    • And Linux is any better [slashdot.org]?
    • Actually, it's a good thing. I patched when I saw the notice here and theregister.co.uk.... I am not an admin, but I don't like my work box slagged when I jack into a hotel network. When something big hits or a rollup is out there, I grab it. Consider postings that make it here a moderated -- better go get this -- patch.

      This goes double for the linux side. I see patches for stuff I may or may not have installed. I hate to say it, but I have two linux boxes I know exactly what is in there - an MP3 player for my car and home. Everything else I am at the mercy of Sun, RedHat, and SUSE's installer. I trim, but don't really know what is bundled.. The OpenSSH thing was a big wakeup call for me to check the bloody MD5 hashes - not just install from a mirror.
    • > Being an IE administrator

      *ROTFL*
      Is that a joke? IE administrator? I just love the idea that a browser needs administration (and I don't care how many users you have, it's no excuse).
      IE administrator... Good grief. Soon we'll have keyboards admins and mouse keepers...

  • One interesting IE security resource happens to be PivX Solutions' "Unpatched IE Security Holes [pivx.com]." Extensive information about many of the vulnerabilities addressed by this patch was available there months ago.

    My original title (which was edited by michael for purposes of clarity, I'm assuming) failed to mention Office; the CNN story and Microsoft TechNet article didn't seem to coincide. However, it's entirely possible that a few shared components may be vulnerable. ;)
  • by Yaruar ( 125933 ) on Friday August 23, 2002 @09:38AM (#4126195)
    I'm tempted to send my Boss the following warning.

    "Beware gophur attack in coming days.
    Tunnels created by gophur may break windows.
    Advise careful monitoring of the handler."

    To see if he goes all Caddyshack on me.

    I need more old protocols coming back purely to be used for my amusement.
  • Overly Critical? (Score:2, Informative)

    by Jugomugo ( 219955 )
    Yeah it sucks that there are problems with the security of the software. It seems a little dumb to hear everyone bitch and moan about this patch or that patch. The main reason that MSFT has so much publicity is because they are such a large corporation. There are security holes in all sorts of software but I don't see it bitched about here very often. There's just as many holes in one product to the next. Just depends on how many people are trying to find them. I would think you would rather find the holes quickly and fixed quickly than have it open for a year because not that many people are using the hole.

    Just my $.02

    >FlameBait
  • Some questions:

    Why is it that companies (and individuals) complain and complain about how much time/money/energy they spend on patching Microsoft products and yet don't do anything to change a) their practices and b) their product choices?

    This is an honest question that I'm wondering about. I agree with the people who also wonder why Microsoft flaws get so much attention from /. and Linux/Solaris/Apple/etc flaws get next to none. To those that say "Because there aren't any worthwhile reporting on." I say "Read more." The recommended patch cluster from Sun has lots of interesting reading.

    There seem to be _a lot_ of alternatives for almost everything. How many of those alternatives are used by more than the developers of those alternatives? By more than the friends/family of the developers? For my part, I don't have the money right now to get a second machine and my current Windows machine is used primarily for games. However, when I get the money, I will be running something other than Microsoft products where possible. My browser of choice right now is Mozilla. But there are sites that require me to use I.E. much to my disappointment. What are the technically savvy people doing to help their companies move away from Microsoft and what alternatives are they proposing? [And no 'Linux' isn't a good answer. What distro of Linux?]

    Personally, I'm glad Microsoft changed their EULA to say that it gives them the right to run whatever they want on your computer. It gave me a wakeup call to read the EULAs more carefully. Occasionally, I turn down the EULA and don't use the product. Are other people finding that they are reading EULAs more carefully and actually turning them down more?

    --Maarten

  • by dnaumov ( 453672 )
    MSFT announces security patches.
    Film at 11.
    Next!

    RedHat and Mandrake announce security patches.
    Film at 12.
    Next!
  • Really. I'm glad they are doing this. Glad they are taking some active measures to improve their security. If everyone who has a windows machine actually performs the update, we'll have a safer world of computing :)

    If they don't pshaw the other holes that other people find and admit their seriousness now, I'll actually have one less reason to hate them.
  • Good News! (Score:2, Funny)

    by Rune69 ( 244519 )
    I sent the link to the article to all my Windoze-using friends and relatives.

    In the same e-mail, I sent a link to RedHat.

    Hopefully, my family will finally switch to an OS that actually works.

    Thanks Microsoft, for helping me make my family realize how much your software sucks -- couldn't have done it without you! *smiles*

  • the BBC covers this too [bbc.co.uk]

    from the bottom of the BBC article:

    "But one of the really disturbing things is that people don't patch their software," he said, urging users to download the latest updates from Microsoft's Windows Update site.
    ...the disturbing thing is the USERS???
  • by Snowgen ( 586732 ) on Friday August 23, 2002 @10:18AM (#4126496) Homepage

    My favorite part of the EULA is where you can not reveal the results of any benchmark tests of the .NET framework unless Microsoft gives you permission to do so.

    What does that tell us about .NET?

    I wonder if saying something like "I would like to tell you exactly how slow the .NET framework is, but then Microsoft would sue me" would be ok.

    Interestingly enough, though...you only have to accept the EULA if you use the Windows Update feature of IE. If you just download the fix from TechNet, no EULA is mentioned.

  • by ellem ( 147712 ) <ellem52NO@SPAMgmail.com> on Friday August 23, 2002 @10:23AM (#4126542) Homepage Journal
    Hell, my 3 year old son gets it OK?

    (While playing Zoboomafoo Alphabet the Critical Update came onto the screen obscuring the Lemurs. "Daaaad stupid Windows is bothering me!")

  • by daveaitel ( 598781 ) on Friday August 23, 2002 @10:34AM (#4126624) Homepage Journal
    Running a fully patched SQL Server or Exchange 2000 (a full time job in itself), check out: http://www.immunitysec.com/vulnerabilities/ [immunitysec.com] :>

    -dave

  • by Animats ( 122034 ) on Friday August 23, 2002 @11:56AM (#4127332) Homepage
    Does this EULA have the infamous "we have the right to turn off functionality and delete files" clause that Microsoft has been putting in EULAs lately, in preparation for extra-aggressive digital rights management?
  • by Eric Damron ( 553630 ) on Friday August 23, 2002 @12:38PM (#4127672)
    I wonder if Microsoft's EULA could be considered a form of coercion? Look at it this way:
    Microsoft creates a flawed piece of software. They sell it to millions of unsuspecting victims under one EULA.

    Then, they release patches for flaws that are serious enough to destroy a business if left uncorrected. They tell the victims: "Agree to this new EULA that takes away many of your rights or we won't fix our software!"
