
MSIE Security Worsens: Patch Bungled

jamie posted more than 13 years ago | from the NOT-April-Fool dept.

Microsoft 288

mansoft was one of several to send us a followup to last week's story about the massive MSIE/Outlook security hole. He points us to this Wired news article: "Your computer may not be protected against a recently discovered and dangerous security hole -- despite all claims to the contrary from Microsoft." Ack! If you tried the patch and got the message, "This update does not need to be installed on this system," you may need to upgrade your IE and re-patch. I'm amazed at how poorly this has been handled. I'll be even more amazed if there is no fallout. If Melissa or ILOVEYOU had been able to install backdoors as they spread, that would have really, really sucked. Update: 04/03 04:24 PM GMT by J : According to this Wired story, Microsoft was given six weeks of silence to prepare and issue the patch.


288 comments

Re:Why should I care about security anyway? (1)

Anonymous Coward | more than 13 years ago | (#319562)

Steal your identity and thus steal money from your bank accounts, create alter egos assuming your name. Use your e-mail address for devious deeds. There are all kinds of ways that a wide open computer can be used to devious ends. I suggest that you start paying attention, before becoming a victim. Not to mention it sucks when a virus hits a dumbass's computer with Outlook and clogs bandwidth by replicating itself by sending itself to e-mail addresses across the network.

Mozilla (1)

Anonymous Coward | more than 13 years ago | (#319563)

If you like browsers with sluggish menus and dialog windows, then yes. It is usable. Barely.

I use IE at work and Linux Netscape 4.6 at home on similar hardware (same P-III + 128 MB memory). Netscape 4 is OK, but every time I've tried the latest Mozilla, it feels like my computer has suddenly lost half of its MHz. You get used to it if you use Mozilla for a longer time, but if you constantly switch from IE to Mozilla, it really bothers you.

Re:$1 (2)

Anonymous Coward | more than 13 years ago | (#319565)

You forget that no one that uses Windows even cares. The typical person using Windows knows nothing of updates or even installing anything. If their computer does fuck up or completely crash, they just see it as a normal occurrence and take it to the computer shop as if it were a car getting an oil change.

Re:Seriously... (2)

Anonymous Coward | more than 13 years ago | (#319566)

I'm not sure it's a fair point to say "anyone who can't keep a windows box up for more than a day is a moron". I thought MS products were supposed to be easy to use? And instability is not attributable to the users. The fact is the users shouldn't be able to crash a system at all. That's considered a bug in real operating systems and generally fixed promptly.

As for how annoying it is to have to reboot the OS for a relatively simple application patch to be installed, you've never run anything else have you? You can replace the bloody C library and device drivers in Linux without rebooting, let alone a simple browser patch.

As for it not mattering, you've also never had to support 500 desktops have you? So is it really any wonder MS don't get such good press. Would you be so defensive if your weekend was spent patching 500 corporate desktops due to someone else's fsck up? I didn't think so.

Go back to playing games and thinking you know what you are talking about.

Biased (4)

Anonymous Coward | more than 13 years ago | (#319568)

You guys sound like nobody ever finds any holes in Linux.

BIND? Remote execution of code? A self spreading trojan so simple an 8 year old could use it?

Slashdot
News for Linux. Stuff that's biased.

Re:Slightly O/T (2)

stephend (1735) | more than 13 years ago | (#319576)

It's the same problem with all commercial software: they have to pretend that their software is perfect.

If they have to distribute patches for *anything* they are saying that they made a mistake. That's like admitting liability, and what would an insurance company say about that?

Microsoft has tried to cover it up by including enhancements (service packs) and making it automatic (Windows update) but we all know these don't work properly either.

I recommend you read Neal Stephenson's "In the beginning... [amazon.com]" as he talks about all of this in much more detail.

Com'on (3)

Repvblic (4658) | more than 13 years ago | (#319579)

No one honestly expects any Microsoft product to be secure. It's the virus attacks that wipe out your system that keep it running so well, since we all know that after 6 months all versions of Windows need to be re-installed or they stop running correctly.

Re:Overstating Things (2)

GypC (7592) | more than 13 years ago | (#319582)

What did they spell out clearly? That the patch may not work and you may still be vulnerable to exploits? Really? Sounds unusually honest.

...blow your byte limit, wipe your drive... (4)

leonbrooks (8043) | more than 13 years ago | (#319586)

If people get access to my PC, why should I worry?

...borrow your credit card details, passwords to any/all accounts you access through the machine, use your machine to break others (thus dropping you in the pooh en passant), post emails and the like in your name, yadda yadda yadda.

Trust me, it's not a good idea.

Re:no security model (1)

whydna (9312) | more than 13 years ago | (#319588)

> IE 5.5 i mean come on, ...

Doesn't this problem affect 5.0.x also?? I thought I remember hearing that.

-Andy

Overstating Things (5)

augustz (18082) | more than 13 years ago | (#319597)

"despite all claims to the contrary from Microsoft"

For those of us who read the security notice Microsoft released, this is old news because Microsoft spells it out clearly and did so when the patch was first released.

Re:Oh shit..... (1)

Black Parrot (19622) | more than 13 years ago | (#319599)

> Wasn't that bug an April fools? Now I'm *really* in trouble ;D

The exploit was an AF Joke, but the bug in the fix wasn't.

--

Re:Biased (2)

Black Parrot (19622) | more than 13 years ago | (#319600)

> You guys sound like nobody ever finds any holes in Linux.

> BIND? Remote execution of code? A self spreading trojan so simple an 8 year old could use it?

Woo-hoo! How many Windows holes have been discovered since the BIND hole was?

--

Re:Seriously... (1)

bogado (25959) | more than 13 years ago | (#319601)

Well I really don't know for the others but I do it. Because if more people stopped using this piece of s*** software maybe we would have access to more hardware drivers or video players. I really don't care if we don't have MS word or excel, but I would really like to be able to play quick time and some other file formats that people put on the web. I would really love to be able to use my F**** scanner without rebooting.

Everyone seems to use windows, besides the fact that most of the people know that it doesn't work. And because of this fact alone I can't use my linux for some tasks, and this p*** me off.
--
"take the red pill and you stay in wonderland and I'll show you how deep the rabbit hole goes"

Re:Seriously... (2)

Platinum Dragon (34829) | more than 13 years ago | (#319604)

Why the hell is it that every one of the linux zealots that read and post to slashdot BITCH AND MOAN about Microsoft products, claiming that they're the most worthless piece of shit software company on the planet?

Probably because a lot of us have watched Windows crap out for no discernible reason, under loads and uses that Linux and the *BSDs regularly chew up and spit out. I've watched both the cruddy 9x series, and the slightly more stable NT 4 collapse for bizarre reasons. Watching a DVD shouldn't cause a lockup. The OS shouldn't need a reboot every once in a while to "speed it back up." As for NT, watching someone nearly snap because an out-of-nowhere crash wiped out the video they'd been editing is *not* fun. I guess one could argue that NT 4 wasn't made for video editing...but then, why were these rather expensive machines purchased, and why did the company that sold them choose NT as the platform?

It's that inability to handle regular, everyday use without very careful shepherding that drove me - DROVE ME - to install Linux in the first place.

Incidents like this do not help. It's good that Microsoft mentioned in the initial patch summary that people who got a "this patch is not necessary" message needed to install it anyway - but then, that message shouldn't have popped up in the first place.

Too much crap wasting too much of my time. That's why I stay away from MS software whenever possible.

Sweet Mozilla, (1)

QuantumG (50515) | more than 13 years ago | (#319625)

if only you didn't occasionally refuse to scroll the screen with the cursor keys, I'd make you my wife.

Re:Slightly O/T (1)

QuantumG (50515) | more than 13 years ago | (#319626)

wow, I thought they were enticing people to upgrade their software by constantly crashing.

Re:$1 (1)

QuantumG (50515) | more than 13 years ago | (#319627)

not even, many many examples have been made. Microsoft is never to blame. It's those evil hackers! You gots to think about it the other way. Consider attacking Microsoft's internal network. Just make it impossible to get any work done. Strangle hold.

Re:Why should I care about security anyway? (1)

QuantumG (50515) | more than 13 years ago | (#319628)

hack places, get the cops to trace them to your computer who don't think twice about impounding it for a year.

Re:slashdotters rejoice!! (1)

QuantumG (50515) | more than 13 years ago | (#319629)

IE is a damn good product. It's hard to believe it's a Microsoft one until shit like this happens.

Re:Gender? (1)

QuantumG (50515) | more than 13 years ago | (#319630)

did you post this on the last article about this or are you just so unoriginal as to get a redundant when you're already on score 0?

Re:Slightly O/T (2)

QuantumG (50515) | more than 13 years ago | (#319632)

dare I say that their software is crap and their windows update program exemplifies that (I've used that word twice today).

Re:If Netscape would just get off their ass (2)

QuantumG (50515) | more than 13 years ago | (#319633)

there are many little things that piss me off, and some of them I have to blame on X I must admit.

Re:What's the difference from a patch? (2)

QuantumG (50515) | more than 13 years ago | (#319634)

You say you got a real solution, we'd all like to see the plan.

Re:Who do you want to sue today? (2)

QuantumG (50515) | more than 13 years ago | (#319635)

bingo. Now say goodbye to your lawyer and put the cell phone down. You have no legal recourse.. what you can do is not buy the crap (pirate it, run linux, I don't care) and go hang out at your local software selling shop (what do they call them anyways) and tell people not to buy it. "Hey pal, what ya doing?" "I'm buying this copy of winMe" "Oh no, you want this mandrake cd." "no I don't, get away from me you freak" "ok ok, here's a burned copy of me, and just in case you change your mind it's double sided, linux on the back". Now that is activism.

Re:If Netscape would just get off their ass (3)

QuantumG (50515) | more than 13 years ago | (#319640)

downloaded the latest mozilla build? No, of course not, your opinion is completely based on last month's releases. Shit, I'm almost tempted to actually submit a patch or three, it's getting that good.

Re:April FOOLS!@! (3)

QuantumG (50515) | more than 13 years ago | (#319641)

do you think all them kids who used to type in CAPS back in the day are all lawyers now? It would explain a lot.

Re:erk... (2)

mattcasters (67972) | more than 13 years ago | (#319652)

The major difference between Win32 and Linux is that Linux has a good security model. Regardless of how bad Gnome/KDE scripting is, the possible damage is going to be limited to the user's files.
Even with the worst possible scripting installed in terms of security, it still would be very difficult to gain root access.

Now the same can be said about Windows NT/2K but it's so much easier to give yourself admin rights on these platforms isn't it? I wonder how many people like to work without it. The lack of an su command kind of takes the fun away...

Cheers,

Matt

Re:erk... (3)

mattcasters (67972) | more than 13 years ago | (#319653)

You're probably right in the end. I've been a unix sysadmin for a long time and I still have difficulty adapting to the idea of only one person using one computer. (I think that the trend for the future will be different though.)

As for the "professional courtesy" part, I seriously doubt that that has anything to do with it. In my opinion, among others, these things limit the spread of concept virii on Linux:

- Fragmented use of software: people don't just use outlook & IE, they use a long list of different software and distributions. Fortunately, the competition between KDE & Gnome is still going strong, and there will always be different distributions people can use.

- The speed of development. By the time someone developed a concept virus, the mail-client will have had 3 revisions of its code base. As an example, KDE is releasing code at an amazing pace.

To finish, I don't really NEED a full blown attack, but it sure is fun to watch at times. ;-)

just my 2 -cents.

Matt

Re:erk... (1)

manly (69244) | more than 13 years ago | (#319655)

I think what's really ridiculous is that M$ has given their typical short shrift to what is potentially a major security nightmare "in the wild". Sure, they did issue a patch in a timely manner, but they absolved any support for all of their browsers that are not either version 5.01 or version 5.5 (with the exception of 5.01 SP2 which is unaffected).

It's unlikely enough for the typical home user to go to windowsupdate.microsoft.com or monitor Mickeysoft's security bulletins.. But when a patch claims that your software does not need the security patch, then the chances that a common user would then go out of their way to download a full browser and reapply the patch are quite remote.

It also makes you wonder how the problem is already fixed in IE 5.01 SP2, but not in their latest flagship version 5.5 SP1. Sure, software is complex and obscure bugs like this may actually come and go without notice, but do they really care about exposure to their customers until a white hat tips them off?

No wonder I couldn't install it... (2)

antdude (79039) | more than 13 years ago | (#319660)

I was wondering why I couldn't install the security fix for Windows 95 laptop with Internet Explorer v5.01.

Is there a way to force the install without upgrading to v5.5? Microsoft needs to fix this! :(

Paranoid? (2)

friode (79255) | more than 13 years ago | (#319662)

Maybe this is just my paranoia speaking, but who else thinks this was deliberate? Now don't get me wrong, I'm not saying that it was a deliberate security hole, but the release notes for that patch said basically that they hadn't tested for the security hole on earlier versions of IE than 5.01.

Now, it's changed to "the patch doesn't work for earlier versions, you should download the latest version so the patch will work". Where do they say that the hole actually existed on earlier versions of IE? And why doesn't it affect 5.01 SP2? Why the hell wouldn't 5.5 include whatever code was in 5.01 SP2?

I've got a better idea. Install Opera, or better yet, Linux.

*BANG* -- my wife! (1)

barneyfoo (80862) | more than 13 years ago | (#319663)

I love mozilla, and yes that intermittent scrolling seems to be a problem (it even shows up in galeon).

Why not make marriage plans for the future. Mozy baby is only at 0.8.1, and I imagine she'll be oh-so-near perfect by 1.0.

Re: erk... (1)

barneyfoo (80862) | more than 13 years ago | (#319664)

I'm not sure about KDE, but you should have no fears about these IE-type security issues cropping up in gnome. GNOME is being designed from the ground up to avoid the very things microsoft calls "features" but are really just inviting back doors.

But will IE use slacken? (3)

}{avoc (90632) | more than 13 years ago | (#319677)

Sure, IE / OE, MS's webserver, etc. have all shown great flaws in the ways of security, but let's focus on IE for the moment.

First I want to get a few things out of the way. IE is good for browsing, but not for security. It opens fast, renders fast, has great support for CSS and includes many MS-only features (like customized scroll bar color on websites). Sure, this is really screwing over standards, but hey, It's MS. Your average user runs Windows, which is so conveniently bundled with a copy of IE. Also, with something that runs fast and apparently well, your average user wouldn't want to upgrade, much less learn a whole new program if they're newbies. Plus, think about the chance that an average user would even HEAR about this! Very poor.

Sure, IE has huge problems with security, but because it's bundled, and so many people learn how to use a computer with IE (and IE integration into the OS), Netscape, Mozilla, and Opera (heaven forbid lynx gets used more) don't have much of a chance to break into the market. This is the problem.

For the people that read /., most of us will either continue using Netscape / Mozilla / etc, or we will consider switching, but then patch up and continue using IE. We would worry about the security. Your average user would see the patch, install it, and be more motivated to use IE ("they fix their problems!")

So how can we get this to change? Make a huge chronologically ordered list of MS's security problems? Sure, but how would we get your average user to see it, much less pay attention to it. Even if we got computer retailers to install Netscape with every computer, would the average user want to wait longer for it to load, or not have as many pages compatible with it, or have a browser with a different UI style than their OS?

So what do we do?
Any ideas?

-Dan
I'm not reading what I wrote, and I just woke up, so please, excuse my ignorance.

Re:Seriously... (2)

Temporal (96070) | more than 13 years ago | (#319679)

Oh... the old "I know this post will be modded down" trick. By some bug in the moderation system, you get modded up if you say that. *sigh*

I am no Linux zealot (see sig). I am posting this from Win2k right now. I use Debian Linux, Win2k, and MacOSX on a regular basis, and I like them all about the same.

I have to disagree with your post, however. Not only is it blatantly insulting, but it is insulting people for reasons that are beyond their control. Riddle me this: My roommate has a fresh Win98SE install on his system. If he leaves it on for more than 12 hours or so, he finds that Deus Ex gets really really choppy. Reboot and the problem is solved. Is that his fault? No, it is a combination of driver problems and a not-so-well-written OS.

Win2k is great. I have no qualms with it. Win9x is NOT. Just out of curiosity, which might your system be? Oh, and BTW, 4 days is not an impressive uptime.

I agree with your main point -- that the Linux zealots are out of control around here. However, you don't have to be a GOD DAMNED ASSHOLE to express that point.

Oh, I almost forgot. Yeah, I bet this post will be modded down because... um... moderators are stupid or something. Right? Right? So if you mod this down, you are stupid. Really. Trust me. wink wink, nudge nudge.

------

Your firewall avails you nought (5)

dingbat_hp (98241) | more than 13 years ago | (#319683)

What use is a firewall against a mail client that can't wait to sink its teeth into anything remotely executable ?

At home I do lots of news, I get loads of Spam, and I have a decent mailer. At work I use minimal external email, never publish my address anywhere likely to be scraped into a list, and I'm pretty much forced to use Outlook. If these two environments were ever to merge, then truly my ass would be owned and all my bases would belong to someone else.

We don't need security patches. We need a mailer that doesn't have the trusting "I just want to be loved" behaviour of a lonely spaniel trying desperately to please. If M$oft saw email a bit more as being an Internet protocol, and less as something that's only used within a large corporate, then they might understand why this is such a dumb attitude.

Mailers just shouldn't trust incoming email.

erk... (4)

bencc99 (100555) | more than 13 years ago | (#319685)

This is really starting to get ridiculous. I suspect it would be far less of a problem were IE (and its renderer/scripting) and the other parts of windows scripting not so heavily integrated into the shell - at least people would have some kind of control.

What's more worrying is that the increasing integration of things like KDE and Gnome are heading the same way. Admittedly the problems won't be around for so long, but as the number of unclued linux users goes up I suspect things may only start to get worse...

$1 (1)

sPaKr (116314) | more than 13 years ago | (#319693)

1 dollar to first script kiddie that figures out how to squeeze a nice Back Orifice installer into an 'ILoveYou' variant. I think MS won't fix anything until their back is against the wall. It used to be that full disclosure would scare a company enough to plug the bugs, I guess with MS it's not only going to take an example, but rather a worst case app to drive home the point.

Re:erk... (1)

demus (116346) | more than 13 years ago | (#319694)

It's the "format c:" type of things that are really bothersome. On a reasonably set up Unix, if one user has all his files deleted, that doesn't mean that everyone else suffers for it too.

Of course the friendly cracker can gain a lot of other useful info to get root access by reading all the nice globally readable files on a Linux machine.

Just because you're paranoid doesn't mean they're not after you.

Re:If Netscape would just get off their ass (1)

demus (116346) | more than 13 years ago | (#319695)

I use Galeon, which uses Gecko for rendering and is fast and stable, and doesn't fuck the layout much, so it's definitely getting there.

Mozilla is also becoming nice and fast actually. Surprising really, taking into account its size. So there is hope.

Slightly O/T (4)

MonkeyMagic (118319) | more than 13 years ago | (#319698)

It's quite interesting how the average computer user is unused to patching applications for security concerns/product upgrades. Most people won't apply this patch regardless of any problems the installation may or may not cause. It's just not something they are aware of - they have never really been told (by the software houses) that the product must be upgraded. When I first became interested in the unix world it was quite a shock to see the rapidity with which everyone spread the word about a major bug or (minor) security issue. This information doesn't filter down to average users, and they don't go looking for it (I find most www.linuxrules.org or www.macrulez.com websites as boring as hell so god knows how most people would find them).

I think it really is time that some of the companies that produce software started to make it clear that patching is an important part of software maintenance for everyone and not try to hide the whole process in case someone thinks their software is crap.


DILBERT: But what about my poem?

Re:no security model (1)

DrSkwid (118965) | more than 13 years ago | (#319699)

I meant having 5.1 (or rather 5.00.3315.1000!) and 5.5 as parallel released products and then service packs for them both.

There's no real explanation of the difference except corporate conservatism in moving to 5.5 but if they are the same product ....


.oO0Oo.

Re:erk... (1)

DrSkwid (118965) | more than 13 years ago | (#319700)

you are joking?
IE & the shell is nothing to do with it. It's the ActiveX security model. It's about getting IE to execute malicious code. Nothing to do with the shell.
.oO0Oo.

Re:slashdotters rejoice!! (1)

DrSkwid (118965) | more than 13 years ago | (#319701)

I believe it's called first to market not marketing
.oO0Oo.

no security model (2)

DrSkwid (118965) | more than 13 years ago | (#319703)

well this is probably how /. ers would expect MS to go. With the usual MS model of release and then service pack the old one while working on the new.

IE 5.5 i mean come on, everyone knows it's not going to work until at least service pack 2 or three.

MS Security is a bit of a joke. I only hope my firewall will help me most of the time. Any day I sit down I expect to have been owned.

There shouldn't be any market niche for Virus checkers!
.oO0Oo.

Re:If Netscape would just get off their ass (5)

DrSkwid (118965) | more than 13 years ago | (#319704)

hehe I see this kind of comment :

Poster A : Mozilla sucks
Poster B : You should see last night's build - awesome

one month later

A : Mozilla sucks
Poster B : You should download last night's build

and so the treadmill continues

.oO0Oo.

Opera (2)

smallstepforman (121366) | more than 13 years ago | (#319706)

One word - Opera.

Seriously, if you haven't tried Opera, now is a perfect time. It ships on multiple platforms (BeOS, Win32, Linux... even Epoc ?), is HTML4 compliant, fits in under 2 Mb, has tons of useful features to ease navigation/zooming/filtering. I've even registered it, it really is **that good**(TM).

Re:*BANG* -- my wife! (1)

markbthomas (123470) | more than 13 years ago | (#319707)

> Mozy baby is only at 0.8.1, and I imagine she'll be oh-so-near perfect by 1.0.

Which will be in 2010 or so. I'd like a usable browser NOW, thanks.

Moz is usable now. By 1.0 it should be pretty darn good.

Besides, I'm convinced that any decent web browser would reduce to the Halting Problem.

huh? (1)

Otis_INF (130595) | more than 13 years ago | (#319710)

Yeah I got the same remark that I didn't need the patch. Perhaps this comes from the fact that my Outlook and Outlook express are both using 'Restricted Zone' as default zone for all mail and news, thus all mail and news are treated as if it comes from a site in that restricted zone, and all security settings are set to 'max' for that zone, i.e.: no script nor activeX component will be started.

I also dunno how to 'upgrade' my IE, since I already run 5.5 sp1, the latest released version.
--

Re:huh? (2)

Otis_INF (130595) | more than 13 years ago | (#319711)

I have the english version of 5.5 sp1. I'll check if I got the wrong patch (still stupid to release 2 files though :(, why not 1 patch) The files are no problem, but upgrading or re-installing IE on a machine that already has 5.5 sp1 is not possible.

Thanks, I'll check for that other 'patch'
--

Re:If Netscape would just get off their ass (1)

jeremyp (130771) | more than 13 years ago | (#319712)

If Opera had the functionality of IE5, it would probably also have some of the security holes.

The reason M$ has all these problems is:

a) they have decided to build in all these nice features, like HTML rendering of e-mail and attachments opening automatically when double clicked. They didn't do all this stuff through spite, they actually wanted to make an interface that was easy to use

b) lots of people use their products, which makes them the top target for a cracker. What's the point of writing a virus that's only going to affect a few Unix geeks?

Re:huh? (2)

ion++ (134665) | more than 13 years ago | (#319713)

The other day when I upgraded work's few windows machines, I found out that there are 2 patches, with the same name, of different size. One works for IE5.01 sp1, the other for IE5.5 sp1. And ONLY the english version.

So, not only do you need the patch, you also need to upgrade to a newer, and switch to an english version.

Furthermore, if you already run IE5.5 in a non-english version, you're fucked. And if you don't have 62MB free on drive C: you are fucked too.

Dear microsoft, it's great you make it so EASY to be a sysadmin, and apply patches. NOT!


ion++

Re:What's the difference from a patch? (1)

Kaa42 (137049) | more than 13 years ago | (#319715)

Oh come on there was nothing in his post saying he has a solution, even less the solution.

The whole "can't complain unless you have a better idea" reasoning is just silly.

Driven by market, not Quality (1)

HerrGlock (141750) | more than 13 years ago | (#319716)

That is one of the things you get when your product is driven by the market. Upgrade, got to push new product, even if it is not quite ready for market. People will decide they need the newest and latest and upgrade. Sales flat? Push an upgrade. Everybody knows that they have to get service patches so they won't mind if the service patch comes out before the actual release of the product (as in WIN2K) so there is no real PR harm in pushing a product that is not ready for the masses. Debian may be slower to market, but their stuff is darn sure ready to be distributed when it gets there.

On a paranoid note about MS: It makes one wonder whether MS would distribute something knowing darn well it had security holes just to get 'something new' on the market.

DanH
Cav Pilot's Reference Page [cavalrypilot.com]

One more bug... (3)

rsteele19 (150541) | more than 13 years ago | (#319721)

Ok, so they've found one more bug... how many more could there be? I mean seriously, IE's gotta be close to perfect now!

Oh shit..... (1)

Smuffe (152444) | more than 13 years ago | (#319723)

Wasn't that bug an April fools? Now I'm *really* in trouble ;D
/Smuffe

Class Action Suit May Be Pending (1)

PingXao (153057) | more than 13 years ago | (#319724)

I was affected ("effected" - for all the lusers) by this flaw in MSIE. Who's with me?

Re:Slightly O/T (1)

shippo (166521) | more than 13 years ago | (#319729)

It's surprising how few end users bother to install patches, even if told by their vendor that the patch must be installed.

One OS we resold included a must install patch on a floppy disk with the normal distribution CD, together with a note detailing the fix. The note was difficult to miss, being placed in the same envelope as the CD-ROM, and printed with large red type. The fix bumped up the minor revision number of the software, to make it easy to discover that the fix hadn't been applied. We still took support calls from customers who hadn't installed the fix, even though it would only cause a system outage of 10 minutes or so.

Some people are just stupid.

Service Pack 2 for Patch 1452 for IE 5.5 (2)

heytal (173090) | more than 13 years ago | (#319731)

So now we need to have service packs for patches too.. ;-)

Re:erk... (1)

sydb (176695) | more than 13 years ago | (#319733)

Who cares if you can get root access?

If an attacker gets root access, they can wipe not only your user files but all your files.

Granted the system files are not secrets and are easy to recreate. But if you've got backups then it's much easier and faster to restore your home directory than it is to rebuild the machine.

So, for someone with backups, yes, loss of user files hurts, but loss of everything is going to hurt a whole lot more.

Worse still, if an attacker has root, they can do a lot more damage covertly than just wiping files. They could be snooping your local network, if you have one. They could be silently changing your system files so that you don't notice that they've set up a cron job to email your password and shadow files to them every week. Or whatever the Win32 equivalent is. These things are easier to do silently as root than as a user; as root you can modify log files and so on, modify the ps executable so no-one knows you are there, etc. etc.

Don't give out root!

Re:If Netscape would just get off their ass (1)

nagora (177841) | more than 13 years ago | (#319734)

But I was SOOO disappointed with it that i had sworn off mozilla..

Same here, I've used Linux-Opera for a couple of months now and it's very good.

TWW

We need government regulation (1)

Teflon Coating (177969) | more than 13 years ago | (#319735)

If a regular product fails the government recalls the product. Why don't we do this for software? Probably if they started regulating it there would be more software holes discovered, just as products today are tested by the government. The only way to have a safe product is to have the government intervene and help us because we can't do it alone.

Re:erk... (1)

YKnot (181580) | more than 13 years ago | (#319736)

Who cares if you can get root access? An intruder doesn't need access to root on your system to get the oh-so-valuable OS files. They can be downloaded for free from the net at redhat.com, suse.com or wherever. User files is exactly where it hurts! The only reason Linux has yet to see some really nasty widespread attack is "professional courtesy": Script kiddies don't attack the Leet OS (tm). Are the proof of concept virii not enough to make you believe? Do you really NEED a full blown attack?

Re:erk... (1)

YKnot (181580) | more than 13 years ago | (#319737)

That's completely beside the point. Does it take a root attack to make you not trust a compromised system? If a Windows-user gets attacked, how many users' files are affected? If a Unix-user gets attacked, how many users' files are affected? How is it different that the worm/virus has to attack the next user's files via email because the direct route is blocked on unix? How many real users does your home linux box know anyway? Are you sure?

Re:If Netscape would just get off their ass (2)

YKnot (181580) | more than 13 years ago | (#319738)

Oh shut up. Will there be a version any time soon that is "officially it, the must download version"? If so, tell us about it, so everybody can finally download it and give this browser its place in the history of a competition won by MS. No more "the current release is just great" please. It isn't. The last one wasn't when you said it was and the one before wasn't either. I am willing to wait for good software, but I won't take any more bullshit about how great the development versions are already and how ueber-great the final thing will be. Don't tell me I should help the project then. The world is not all webbrowsers. Now mod me down.

Re:IE used by other programs (1)

tomknight (190939) | more than 13 years ago | (#319747)

Oops, I meant IE5.01sp2.

Tom.

Re:If Netscape would just get off their ass (1)

tomknight (190939) | more than 13 years ago | (#319748)

Oh so true....

These are exactly the comments that have appeared at every stage of the Netscape release cycle, no, not just then, but in every discussion (it seems) on the relative merits of different browsers.

This is why I use Opera.... it works, dammit! It's not as feature-rich as IE5, but that's true in two senses! Seriously, if Opera had the functionality of IE5, it would be truly lovely. Even without, it's the browser for me.

Tom.

(Yes, I guess this is off-topic)

IE used by other programs (3)

tomknight (190939) | more than 13 years ago | (#319753)

Okay, I thought, I'll have to sort my PC out, so I'll upgrade to IE5.02. I only have IE on there because InstallShield for Windows Installer requires IE4 or above to work. I have no problem with this, reusing components is a good thing, right?

Well, that's all fine, until installing IE5.02 shafts the software I use to earn money. As it happens, I only wasted a morning sorting this problem. I hardly minded this, as I was suffering an immense hangover from my stag days and nights, and couldn't cope with anything demanding.

Still, if I had a deadline, I would have been mightily pissed off!

Tom.

Re:Not on windowsupdate (4)

tomknight (190939) | more than 13 years ago | (#319754)

This is why I subscribe to the Microsoft security notification service (http://www.microsoft.com/technet/security/notify.asp [microsoft.com]), not to mention NTBugTraq (http://ntbugtraq.ntadvice.com/default.asp?pid=31&sid=1#020 [ntadvice.com]). As a sys admin (among other things), I've found these two lists damn useful. They give more information than the average user needs, but if you're tech-savvy, and interested about what's going on, they're useful lists to be on.

Tom.

In fairness to Microsoft (5)

phaze3000 (204500) | more than 13 years ago | (#319761)

This was on the original bulletin:

Caveats: If the patch is installed on a system running a version of IE other than the one it is designed for, an error message will be displayed saying that the patch is not needed. This message is incorrect, and customers who see this message should upgrade to a supported version of IE and re-install the patches.

If users fail to read the advisory, I don't see how this is Microsoft's fault. The original security hole was undoubtedly stupid; let us concentrate on that rather than this non-issue.

--
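The caveat quoted in the comment above describes an installer that answers "not needed" whenever it does not recognise the installed IE build. As an added example (not Microsoft's installer logic and not part of the original comment), the sketch below puts that failure mode beside a check that only reports the fix as present when it has evidence. The supported-baseline table, host names and function names are constructed assumptions; the 5.01 SP2 entry follows the statement quoted elsewhere in this thread.

```python
import re
from enum import Enum

PATCH_ID = "MS01-020"  # bulletin number as given on this page
NOT_NEEDED_MSG = "This update does not need to be installed on this system."

# Constructed sample data: (major, minor, service pack) the patch was built for.
SUPPORTED_BASELINES = {(5, 1, 1), (5, 50, 1)}
# Builds that already contain the fix (5.01 SP2, per the quote in this thread).
FIXED_BUILDS = {(5, 1, 2)}


class Verdict(Enum):
    INSTALL = "supported baseline: install the patch"
    FIX_PRESENT = "fix already present"
    UPGRADE_THEN_PATCH = "unsupported baseline: upgrade, then re-run the patch"
    UNKNOWN_BUILD = "unrecognised build: treat as vulnerable until verified"


def parse_version(text):
    """Parse strings like '5.01 SP1' or '5.5'; return None if unrecognised."""
    m = re.match(r"^\s*(\d+)\.(\d{1,2})(?:\s+SP(\d+))?\s*$", text, re.IGNORECASE)
    if not m:
        return None
    major, minor, sp = m.groups()
    # '5.5' means 5.50 while '5.01' means 5.01, so pad the minor to two digits.
    return (int(major), int(minor.ljust(2, "0")), int(sp or 0))


def buggy_check(installed):
    """Failure mode from the bulletin: every non-matching build is 'not needed'."""
    if parse_version(installed) in SUPPORTED_BASELINES:
        return "install"
    return NOT_NEEDED_MSG


def check(installed, applied_fixes=frozenset()):
    """Fail closed: 'fix present' needs evidence, anything else needs action."""
    version = parse_version(installed)
    if version is None:
        return Verdict.UNKNOWN_BUILD
    if PATCH_ID in applied_fixes or version in FIXED_BUILDS:
        return Verdict.FIX_PRESENT
    if version in SUPPORTED_BASELINES:
        return Verdict.INSTALL
    if version < max(SUPPORTED_BASELINES):
        return Verdict.UPGRADE_THEN_PATCH
    return Verdict.UNKNOWN_BUILD  # newer than anything the patch was built for


def falsely_reassured(fleet):
    """Hosts the buggy check calls 'not needed' without evidence of the fix."""
    return [
        host
        for host, installed, fixes in fleet
        if buggy_check(installed) == NOT_NEEDED_MSG
        and check(installed, fixes) is not Verdict.FIX_PRESENT
    ]


# Constructed inventory: (host, installed IE build, recorded bulletin IDs).
FLEET = [
    ("ws-01", "5.0", set()),
    ("ws-02", "5.01 SP1", set()),
    ("ws-03", "5.01 SP2", set()),
    ("ws-04", "5.5", set()),
    ("ws-05", "5.5 SP1", {"MS01-020"}),
    ("ws-06", "6.0 beta", set()),
]

if __name__ == "__main__":
    for host, installed, fixes in FLEET:
        print(f"{host:6} {installed:9} -> {check(installed, fixes).value}")
    print("told 'not needed' but unverified:", falsely_reassured(FLEET))
```

Run over an asset inventory, the last function lists the machines whose owners saw the reassuring message and stopped there.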

Why should I care about security anyway? (1)

91degrees (207121) | more than 13 years ago | (#319767)

You can't deny that IE is the best browser, simply because it can access all the sites without crashing, deciding that it can't display the site because of broken tables, or just freezing while it makes sense of javascript.

So when using the best, you have to live with the disadvantages that that gives you. Who really cares about security? If I get a virus, then I'll have to reinstall the OS, but I have to do that once a month or so anyway. If people get access to my PC, why should I worry? What are they going to do? Use my modem to launch a DOS attack? Look at my email from my mum? Ooh, I'm frightened.

Re:You know its bad... (1)

wadetemp (217315) | more than 13 years ago | (#319773)

Well, IE 6 is only a beta, so you can't expect that kind of support anyway.

LP?? (1)

smaughster (227985) | more than 13 years ago | (#319782)

Last post???

Ermz, sorry, subject is Micro$oft, prolly 2k replies to follow.

What's the difference from a patch? (1)

FastT (229526) | more than 13 years ago | (#319783)

And just what's the difference between this and downloading an IE patch? Mozilla is FUBAR--poor architectural choices have made it nearly impossible to fix in any reasonable amount of time without a high cruft factor.

Re:Slightly O/T (1)

FastT (229526) | more than 13 years ago | (#319784)

I believe Microsoft has actually done a good job with this. First, Windows includes a prominently placed "Windows Update" menu item, which most users will click on just by accident often enough to be useful. Second, they're training users to update the OS by including "cool" updates like Microsoft Messenger and Media Player alongside more mundane updates. Finally, one of the most prominent updates is the Critical Update Notification program, which should help even non-proactive users get the base updates they really need. Hopefully, all this handholding will rub off enough for people to begin to realize that software needs to be maintained regularly, like changing the oil in your car.

Re:Not on windowsupdate (2)

Vollernurd (232458) | more than 13 years ago | (#319788)

If you read their security bulletins, the order goes something like this:

  1. 'Issue' gets posted to the security site as a bulletin;
  2. Patch is available as a download from the bulletin, or from other parts of the MS Security site [microsoft.com];
  3. Eventually, it gets bundled to the Windows Update site.

Because patches require additional packaging and set-up for the Windows Update site, they are delayed by about a week, depending on dependencies.
---
Vollernurd.

Re:Seriously... (1)

zencode (234108) | more than 13 years ago | (#319789)

i just purchased a new motherboard and chip, which of course required installing windows again.

once the os was installed, i popped in the included cd and installed the lan, direct x 7 and sound drivers and it had to reboot no less than 8 times. i was speechless. and we're not even talking an interactive "would you like to restart your system now" prompt, it just *did* it.

My .02,

Who do you want to sue today? (1)

Codeala (235477) | more than 13 years ago | (#319790)

Nowadays, everyone is suing everyone else so how come M$ can still get away with crappy software? Now, some of you may say "IE and Outlook are free, so what are you gonna do?". Wait a minute! Didn't M$ pay some serious $$$ to a bunch of lawyers last year to prove, in court, that IE is an essential and inseparable part of the Windows Operating System? IE is bolted to Win98 and up, and there is no option to NOT install, right? And you did pay for your OS, right?

So basically someone is forcing you to buy faulty software, and no one is suing? Imagine you bought a car with door locks that only work 50% of the time. If it was stolen, it is the fault of the thief AND the manufacturer.

But then again I am sure you already "sign" away all your rights (and your soul) in the Windows EULA (sp?).

====

Re:Seriously... (1)

ffsnjb (238634) | more than 13 years ago | (#319793)

If you looked at the link in the post header, it's for my webserver, which runs FreeBSD. Why? Because it's the best for the job.

Re:Seriously... (1)

ffsnjb (238634) | more than 13 years ago | (#319794)

Oh, and yes, I did spend the weekend upgrading a shitload of desktops for the IE patch. I get paid to do it. And fuck games, they waste my time even more than Slashdot.

Re:Seriously... (1)

ffsnjb (238634) | more than 13 years ago | (#319795)

this machine is running 98SE with ie 5.5 sp1 and all the related security patches. My other windows machine is running 98se with IE removed. (98Lite) The other 2 machines in my room run FreeBSD. Fun.

Seriously... (2)

ffsnjb (238634) | more than 13 years ago | (#319796)

Why the hell is it that every one of the linux zealots that read and post to slashdot BITCH AND MOAN about Microsoft products, claiming that they're the most worthless piece of shit software company on the planet? Anyone who has to reinstall a Windows OS every god damn month is just a fucking moron. Anyone who can't keep a Windows machine up for more than a day is also a damn moron. Sure, you have to reboot to patch and install software, but who the hell cares?

This System Has Been On For 4days 4hrs 55mins 23secs ---Oh, it's been JUST about that long since the latest IE patch was released and installed. Come on, get a damn clue and jump off that damn bandwagon.

No, I'm not a troll, but guess where you'll be reading this in half an hour... -1 I bet.

You know its bad... (2)

NoCashValue (244702) | more than 13 years ago | (#319801)

when even M$ doesn't recognise its Beta version of IE6 and tells you that you don't need the patch. Wankers.

Re:Seriously... (1)

raymondlowe (257081) | more than 13 years ago | (#319817)

Quite so, I use WinNT4.0 workstation in an office environment and we have machines that have not rebooted in months. We even have machines that have been in a single dial-up RAS session for weeks. Not for any fancy technical reason but just because a user did it from home and it worked (phone calls are free here).

I regularly undock my office laptop, send it into sleep mode - take it home, plug it into my home LAN - type "ipconfig/renew" to get a new IP address (served off the Linux DHCP server) and work from home. Then I unplug and go back into my office, type ipconfig/renew and get an ip address.. And continue working. I do this for weeks sometimes without even logging out let alone rebooting.

Windows, at least NT, can be perfectly stable.

R.

Re:i didn't believe it (1)

Isaac Sorge (264323) | more than 13 years ago | (#319821)

He's talking about if this was a Linux security thing, not a new kernel release. - Isaac

April FOOLS!@! (1)

deran9ed (300694) | more than 13 years ago | (#319824)

See Microsoft played the biggest joke on everyone yet. They knew so many people would run out and download the fixes for MS' issues, so MS decided to take it to the next level by issuing a `fix` which was really an April Fools joke... Read on...

MacroShaft Security Bulletin (MS99-054)

Patch Available for "Microsoft Advisory" Vulnerability
Originally Posted: December 15, 1999

Summary
Macroshaft has resolved the problems stemming from the spammage being spewed by Microsoft Advisories. It seems that MS is such a crappy and backwards product scores of exploits and crashes plague this system. While we at Macroshaft do not condone the use of Microsoft trash, we do pray daily for the users of this plague and beg of God's forgiveness for their lack of knowledge.

Issue
Too many to list on a file without buying a 47gigabyte RAID5 storage system. Microsoft dedicated a BSD server with OC192 bandwidth to support the millions of luzers worldwide who receive Microtrash advisories on a daily basis. Actually we didn't know where to begin on this issue so we laughed all the way to the bathroom to wipe our noses from the water that erupted after the episode.

Affected Software Versions
  • Microsoft * (note the *boolean* symbol)


Patch Availability
The vulnerability is eliminated by downloading one of the following.
  • http://www.openbsd.org
  • http://www.freebsd.org
  • http://www.netbsd.org
  • http://www.qnx.com
  • http://www.slackware.com
  • http://www.redhat.com

Frequently Asked Questions:
  • http://rtfm.mit.edu
Macroshaft Knowledge Base
  • http://microsoft-knwledge.is.a.joke.org

AntiOffline re-introduces chick of the week
  • http://www.antioffline.com/newflix/


Obtaining Support on this Issue
This is a fully supported patch available for download at: http://yew.must.be.j0wking.or.something.com

Acknowledgments
Gill Bates of Macroshaft.org

Revisions
THE INFORMATION PROVIDED IN THE MACROSHAFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROSHAFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE THEFT OF YOUR CAR AND OR ITS AUDIO EQUIPMENT. IN NO EVENT SHALL MACROSHAFT CORPORATION OR ITS AFFILIATES CARE ABOUT ANYTHING YOU SAY OR DO. NOR DO WE CARE ABOUT ANY THREATS YOU MAKE TO US BOTH LEGALLY AND PERSONALLY. MACROSHAFT AND ITS AFFILIATES WILL SIMPLY FLY TO YOUR TOWN AND KICK YOUR JIBRONIE ASS AND SLEEP WITH YOUR GIRLFRIEND AND HER SISTER AND MOTHER IF NECESSARY. MACROSHAFT DENIES AND WILL CONTINUE TO DENY THAT WE SUPPORT THE GROUP KNOWN AS HACKING FOR SWEDISH CHICKS, HACKING FOR GIRLIES, AND UNITED LONE GUNMEN. INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF THE MACROSHAFT CORPORATION OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR EVEN TAKE US SERIOUS ALL YOUR PATCHES ARE BELONG TO US

(c) sil@antioffline 1999 - 2001 Macroshaft
Corporation. All rights stolen anyway.

you dont wanna know (1)

deran9ed (300694) | more than 13 years ago | (#319825)

funny you should ask... I posted Diary of an AOL user here last week (www.antioffline.com/hackers2001.html) and it's funny as all hell to think people can be so dumb... Well anyways I had made another spoof recently which said Hackers stole codes to launch nukes and stuff... (antioffline.com/news/0-1003-200-5222484.html) and posted it with an obfuscated URL... I had people emailing me saying "If you know who they are, you should be a responsible citizen and turn them in", as well as a slew of *.gov and *.mil sites which were there shortly after I posted the original... Now I know it can be trivial to deal with spoofing articles like that, but clearly I would have hoped the copyright would have given it away... ©1995-2001 CN3T Networks, Inc. (Cumshot News Network) No dice some people are just... dumb

best foot forward (4)

deran9ed (300694) | more than 13 years ago | (#319826)

Why the hell is it that every one of the linux zealots that read and post to slashdot BITCH AND MOAN about Microsoft products,

First off it's not ALL of the Linux zealots and in fact I've noticed the majority who get caught up in that (OS name calling) mix, tend to be newer users of Linux who could barely chop up source on their own often jumping on irc channels or mailing lists with the shittiest questions.

claiming that they're the most worthless piece of shit software company on the planet? Anyone who has to reinstall a Windows OS every god damn month is just a fucking moron. Anyone who can't keep a Windows machine up for more than a day is also a damn moron.

Actually I don't think it's the most worthless piece of shit OS on the market by any means, in fact I think MS has strategically placed itself on the markets for reasons like Ease of Use, familiarity, since OS's like Linux, NSD, etc., are almost impossible for Mary Joe Homemaker, and Sally Secretary to handle, however it's bullshit to think anyone can keep a Windows machine up all day is a moron. E.g. there's been plenty of times I've seen Windows go bonkers for no reason especially Windows2000k with all the patches to date for the machine.

Last year when I was tinkering with codes on a DoS paper I wrote [antioffline.com], I slightly modified my code to connect to a non open TCP port on my Windows laptop and it still crashed it for no reason. (FYI code is here [antioffline.com]) The OS did a great job of crashing from time to time when it wasn't online, no one touched it, just pooped out on its own.

Sure, you have to reboot to patch and install software, but who the hell cares?

I would care if I oversaw a network of 1,000 boxes which needed patch upgrades every week, only to be restarted. Think about it for a quick second as I outlined in the funny Microsoft Kills [antioffline.com] paper, 1,000 servers multiplied by about 3 minutes downtime, then you've got lost time spent and I don't think any administrator be it Microsoft or any other company is going to be kind enough to say "Hey don't worry I'll patch these on my own time, no need to pay me." Fuck no that shit costs money after a while.

Come on, get a damn clue and jump off that damn bandwagon.

I find it funny seeing OS wars go on when in reality 95% or more depend on Windows in some shape form or fashion, last time I checked accounting was looking for Excel files, secretaries were saving *.doc files... Sure Linux advocates have the right to moan, it's their choice, just sit back and get a kick out of it, I do.

Re:Who do you want to sue today? (1)

dachshund (300733) | more than 13 years ago | (#319827)

But then again I am sure you already "sign" away all your rights (and your soul) in the Windows EULA (sp?).

That depends on the damage. I'm not sure how the EULA would stand up if a bunch of major corporations suffered multi-million dollar losses because of MS's negligence. Being that they essentially have a monopoly on the business OS market, one might be able to argue that the EULA should not apply. Or perhaps somebody not bound by the EULA will find grounds to sue.

Re:If Netscape would just get off their ass (3)

Rogerborg (306625) | more than 13 years ago | (#319828)

the next month or so while this would still be a big deal

That may be wishful thinking. Most corporate IT departments are already in the "all your soul are belong to Microsoft" category, and this is just another in a long, long list of screwups that they've already shown that they'll tolerate. My own employer doesn't bother putting out advisories or upgrading desktops any more. And how many personal users will even find out about this, much less care? If it doesn't hit the mainstream media, it's purely a geek issue.

Re:If Netscape would just get off their ass (1)

MxTxL (307166) | more than 13 years ago | (#319829)

I'm almost tempted to actually submit a patch or three, it's getting that good.

Is that right? It's true, i'm basing that statement on the recent big release. But I was SOOO disappointed with it that i had sworn off mozilla... well, at least until they would get their act together, i'm glad to hear you say that they did that sooner than i would have ever expected.

If Netscape would just get off their ass (3)

MxTxL (307166) | more than 13 years ago | (#319831)

This is a wonderful opportunity for Netscape to release something that doesn't suck. And by being the least sucky browser, recapture some of the market.

Of course, I don't honestly think they HAVE the resources or ability to make their browser suck less than IE, especially within just the next month or so while this would still be a big deal. But it would be neat.

Not on windowsupdate (5)

AaaL (309902) | more than 13 years ago | (#319833)

Why, oh why, does this patch NOT show up on http://windowsupdate.microsoft.com? Good thing I read Slashdot--otherwise I never would have known about this patch (which, incidentally, installed correctly for me). Windowsupdate had a critical update over the weekend but that was for MS01-017 (the Verisign certificate problem) but NOT MS01-020. !@#$!@#$

Patch of patch of patch? (1)

mystery_boy_x (322417) | more than 13 years ago | (#319841)

So my computer isn't safe after all. Everyone in the company got this update by email recently, and sure enough, I got that message. I'm using ie5.

Now i'm afraid ... If I upgrade to 5.5, what if it breaks my system? I have so much MS garbage on my system as part of my work, what if the update is not compatible with something??

Upgrading to install a patch, and then another patch, is a patch of a patch of a patch?? If something goes wrong with this one, will it be a patch of a patch of a patch of a patch??

Bill Gates has a noose around my neck....

--

Re:no security model (2)

no names left!!! (323949) | more than 13 years ago | (#319842)

coloured scrollbars from stylesheets - that's one difference between IE 5.0 and 5.5 - the only I've come across really

Re:Opera (1)

resprung (410576) | more than 13 years ago | (#319844)

Yep.

Re:no security model (2)

SRF (412927) | more than 13 years ago | (#319846)

"MSIE 5.01 is vulnerable unless you've installed Internet Explorer 5.01 Service Pack 2." (Jamie orig. post)

http://slashdot.org/article.pl?sid=01/03/30/0413252&mode=thread

Re:If Netscape would just get off their ass (1)

p_code (414206) | more than 13 years ago | (#319847)

Don't forget that Netscape==AOL
Has anyone seen the mozilla milestone build they are trying to push as Netscape 6?

Re:IE used by other programs (1)

p_code (414206) | more than 13 years ago | (#319848)

There's a component in Visual Basic 6 called the "Web Browser Control". It's a visual component that is little more than an implementation of the IE renderer that is yours to program. Any program that references this OCX will not install unless IE is installed, AND it has to be IE of a certain version or higher if I remember.