IE Download.Ject Exploit Fixed

simoniker posted more than 10 years ago | from the round-and-round dept.

Security 421

Saint Aardvark writes "Just in time for the weekend, the Internet Storm Center is reporting that Microsoft is providing a fix for the Download.Ject vulnerability that hit IE late last month. The press statement says that it'll hit Windows Update later today..."

421 comments

FYI (4, Informative)

arieswind (789699) | more than 10 years ago | (#9593706)

This configuration change to the Windows XP, Windows Server 2003 and Windows 2000 operating systems improves system resiliency to protect against the Download.Ject attack.

In addition to this configuration change, which will protect customers against the immediate reported threats, Microsoft is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protections for our customers.

Please note that this isn't a fix, it is only a configuration change to help defend against the problem and nullify the threat from the known places it is spreading from. No doubt that within a short time, whoever is behind the virus will find other places to have the virus attack from. This is just another "this will help for now, please wait for the real fix" incident from Microsoft.

Re:FYI (0, Troll)

jadenyk (764614) | more than 10 years ago | (#9593751)

This is just another "this will help for now, please wait for the real fix" incident from Microsoft.

You mean "this will help for now, please wait until we discontinue the product or come out with another version."

Re:FYI (5, Informative)

Anonymous Coward | more than 10 years ago | (#9593763)

Nope:

Critical Update for Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer (KB870669)
Adodb.stream provides a method for reading and writing files on a hard drive.

Quick Info
File Name: Windows-KB870669-x86-ENU.exe
Download Size: 104 KB
Date Published: 7/2/2004
Version: 870669

Overview
Adodb.stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer.


It has nothing to do with known threats.
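An added example, not part of the thread and not Microsoft's code: an offline audit of regedit exports that reports whether the ActiveX kill bit is set for ADODB.Stream, the mechanism by which a control is disabled inside Internet Explorer. The registry path, the 0x400 flag and the CLSID do not appear on this page and are supplied here as assumptions from Microsoft's kill-bit documentation; host names and export contents are constructed.

```python
import re

# Assumptions, not taken from the thread: IE reads per-control "Compatibility
# Flags" DWORDs from this key, bit 0x400 is the kill bit, and the CLSID below
# is ADODB.Stream's.
KILL_BIT = 0x00000400
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")
ADODB_STREAM_CLSID = "{00000566-0000-0010-8000-00AA006D2EA4}"

_KEY = re.compile(r"^\[(-?)(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')
_DELETE = re.compile(r'^"([^"]+)"=-$')


def parse_reg_dwords(text):
    """Return {KEY_PATH_UPPER: {value_name_lower: int}} from regedit export text.

    Sections are applied in file order, so "[-KEY]" and "name"=- deletions
    later in the file override earlier writes, as they would on import.
    A file read from disk must be decoded first (Version 5.00 exports are UTF-16).
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY.match(line)
        if m:
            path = m.group(2).upper()
            if m.group(1):  # "[-KEY]" removes the key and its subkeys
                doomed = [k for k in keys
                          if k == path or k.startswith(path + "\\")]
                for k in doomed:
                    del keys[k]
                current = None
            else:
                current = keys.setdefault(path, {})
            continue
        if current is None:
            continue  # file header, or values listed under a deleted key
        m = _DWORD.match(line)
        if m:
            current[m.group(1).lower()] = int(m.group(2), 16)
            continue
        m = _DELETE.match(line)
        if m:
            current.pop(m.group(1).lower(), None)
    return keys


def kill_bit_status(reg_text, clsid=ADODB_STREAM_CLSID):
    """Classify one export: 'killed', 'not-killed', 'no-flags' or 'missing'."""
    entry = parse_reg_dwords(reg_text).get((COMPAT_KEY + "\\" + clsid).upper())
    if entry is None:
        return "missing"
    flags = entry.get("compatibility flags")
    if flags is None:
        return "no-flags"
    return "killed" if flags & KILL_BIT else "not-killed"


def hosts_needing_fix(exports):
    """Hosts whose export does not show the kill bit set, sorted by name."""
    return sorted(h for h, t in exports.items()
                  if kill_bit_status(t) != "killed")


# Constructed sample exports (hypothetical host names).
_HDR = "Windows Registry Editor Version 5.00\n\n"
_K = COMPAT_KEY + "\\" + ADODB_STREAM_CLSID
_OTHER = COMPAT_KEY + "\\" + "{11111111-2222-3333-4444-555555555555}"
SAMPLE_EXPORTS = {
    # Kill bit set exactly as a single flag.
    "ws-patched": _HDR + f'[{_K}]\n"Compatibility Flags"=dword:00000400\n',
    # Kill bit set together with another flag bit; lower-case key path.
    "ws-combined": _HDR + f'[{_K.lower()}]\n"Compatibility Flags"=dword:00000420\n',
    # Flags value present but the 0x400 bit is clear.
    "ws-otherflags": _HDR + f'[{_K}]\n"Compatibility Flags"=dword:00000020\n',
    # Only an unrelated (placeholder) control is listed.
    "ws-unpatched": _HDR + f'[{_OTHER}]\n"Compatibility Flags"=dword:00000400\n',
    # Kill bit written, then the key deleted later in the same file.
    "ws-reverted": _HDR + f'[{_K}]\n"Compatibility Flags"=dword:00000400\n'
                          f'\n[-{_K}]\n',
}

if __name__ == "__main__":
    for host in sorted(SAMPLE_EXPORTS):
        print(f"{host:14} {kill_bit_status(SAMPLE_EXPORTS[host])}")
    print("needs fix:", ", ".join(hosts_needing_fix(SAMPLE_EXPORTS)))
```

This checks only the per-machine (HKLM) key in an export; it says nothing about whether Internet Explorer itself has been updated.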

MOD PARENT UP. (0)

Anonymous Coward | more than 10 years ago | (#9593899)

Grandparent poster obviously didn't even read the MSFT posting.

Re:MOD PARENT UP. (0)

Anonymous Coward | more than 10 years ago | (#9593987)

That's why it says right on the press release, which will protect customers against the immediate reported threats, right?

Re:MOD PARENT UP. (1, Interesting)

Anonymous Coward | more than 10 years ago | (#9594022)

The first poster made it seem like it will only protect against threats that MSFT knows about. This patch seems to prevent IE from writing/reading to/from the disk via scripts.

Re:FYI (5, Insightful)

quadra23 (786171) | more than 10 years ago | (#9593784)

This is just another "this will help for now, please wait for the real fix" incident from Microsoft.

I think I lost count at about 1000 when it comes to these "this will help for now..." When it comes to IE most fixes end up as patches that can actually break more than they fix. I think the Dept. of Homeland Security's recommendation of not using IE speaks loud and clear to this.

Microsoft could start by not allowing web sites to automatically run malicious code, just as Outlook has the same tendency with emails (which incidentally, most email viruses spread rapidly with).

Re:FYI (0)

Anonymous Coward | more than 10 years ago | (#9593786)

here's another article about it

http://story.news.yahoo.com/news?tmpl=story&cid=562&ncid=738&e=10&u=/ap/20040702/ap_on_hi_te/microsoft_security

Re:FYI (0)

Anonymous Coward | more than 10 years ago | (#9593814)

"Internet service providers and law enforcement, working together with Microsoft, identified the origination point of the attack -- a Web server located in Russia -- and shut it down on Thursday, June 24, 2004."

I Suspected As Much (1)

ackthpt (218170) | more than 10 years ago | (#9593884)

IE Download.Ject Exploit Fixed

After years of seeing the tricksy titles of spam for installing worms, I'm skeptical enough of anything which claims to be a fix, even when it really comes from the product company. This is the 'Executive Band-Aid', meant to trick decision makers into a false sense of security.

"There, see? They've fixed it already. Nothing to worry about."

fix slashdot's broken moderation system (0, Troll)

ccdconfig (785399) | more than 10 years ago | (#9593713)

learn more at anti-slash.org jihadi_31337

NOT an actual fix (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9593715)

It's a "configuration change" to work around the problems that are still there. Many users won't do what they recommend (ie high security) because it'll be inconvenient or "hard."

Re:NOT an actual fix (2)

Scorchsta (793014) | more than 10 years ago | (#9593753)

That seems to be a typical Microsoft thing to do. It's temporary until they implement some tracking code into the fix.

Re:NOT an actual fix (3, Interesting)

Lehk228 (705449) | more than 10 years ago | (#9593838)

when you set high security you cannot even use windows update, and putting windows update into trusted sites does not work right

Re:NOT an actual fix (0)

Anonymous Coward | more than 10 years ago | (#9593929)

putting windows update into trusted sites does not work right
So says you. It works fine from here that way (Windows Server 2003).

It can be. (1)

Benanov (583592) | more than 10 years ago | (#9594004)

You may have to put multiple sites into the trusted sites.
Add: http://v4.windowsupdate.microsoft.com
Add: http://windowsupdate.microsoft.com
WU works fine for me.

That reminds me... (5, Funny)

DaHat (247651) | more than 10 years ago | (#9593732)

That assumes I remember to run Windows Update... Why do I have to do it myself Microsoft! I want automatic and forceful patch downloading and installation! Sure, you could throw in an extra DRM patch here or there... but I don't care, I'm lazy!

Um (3, Informative)

Anonymous Coward | more than 10 years ago | (#9593750)

You can have Automatic Update download and even install things on Windows XP.

Re:Um (4, Informative)

Zed2K (313037) | more than 10 years ago | (#9593811)

You can make it completely automatic on 2000 also.

Re:Um (1, Insightful)

ViolentGreen (704134) | more than 10 years ago | (#9593839)

You can have Automatic Update download and even install things on Windows XP.

While this is great for most home users, a lot of people (including myself) do not do this. I want to know exactly what is being put on my system. I don't need the Euro conversion utility. I don't need windows media player 9. Right now there are 8-10 things that it has wanted to install for over a year that I refuse to put on.

Re:Um (4, Informative)

sid crimson (46823) | more than 10 years ago | (#9593954)


I don't need the Euro conversion utility. I don't need windows media player 9.


Autoupdate only installs "critical" patches. WM9 and the Euro tool are not such updates.

-sid

Re:Um (1, Redundant)

Sexy Commando (612371) | more than 10 years ago | (#9593958)

FYI, The items you mentioned are not in the Critical Updates section, which means they can only be installed manually.

And you can always check the installation history on the Windows Update website, that is, if this can satisfy your desire to "know exactly what is being put on my system."

If not, many people prefer gluing their eyeballs to the monitors to read every single compiler output from Gentoo emerges.

Re:Um (2, Informative)

TheSHAD0W (258774) | more than 10 years ago | (#9593968)

You can set Automatic Update to ask whether you want the updates installed or not. Right-click My Computer, Properties, Automatic Updates tab, check "Keep my computer up to date", and select "Notify me before downloading any updates". (Note that this is for XP; there's a similar setting for 2K. Not sure about 98/ME.)

Re:Um (1)

DaHat (247651) | more than 10 years ago | (#9593847)

Bah! That assumes I ever got around to installing XP (which I haven't).

I'm a 2000 fan myself... maybe one of these days I should install a SP or two to get the auto update features the later ones brought.

In all seriousness I should say that I use Windows Update religiously and do not have the auto update feature running (I despise it)

Re:That reminds me... (1)

Eu4ria (110578) | more than 10 years ago | (#9593788)

But as soon as a patch comes out that is autoinstalled on systems and breaks something there will be even bigger complaints. Installing of patches should be the system administrator's job or the owner's and if you don't know what you are doing then you should be reading and finding out about these things. I know most ppl won't/don't do this but as more and more problems like this emerge ppl will have to become more security savvy.

Re:That reminds me... (4, Interesting)

WoodstockJeff (568111) | more than 10 years ago | (#9593826)

I know your post was taken as FUNNY, but I lost several hours last week installing, then uninstalling, an "important security patch" that took down my client's Exchange Server. Had it been done automatically, the server would have simply stopped working for unknown reasons, at some MS-selected random time...

I, for one, do NOT look forward to the coming mandatory auto-patching, but I suppose it is inevitable with Microsoft.

Re:That reminds me... (1)

Dizzle (781717) | more than 10 years ago | (#9593857)

I, for one, do NOT look forward to the coming mandatory auto-patching, but I suppose it is inevitable with Microsoft.

Shouldn't that read "I, for one, do NOT welcome our mandatory auto-patching overlords"?

Re:That reminds me... (1)

WoodstockJeff (568111) | more than 10 years ago | (#9593902)

No, I try not to indulge in tired, worn-out phrases, like "tired, worn-out"... B-)

Re:That reminds me... (1)

LoadWB (592248) | more than 10 years ago | (#9593886)

Several hours to roll-back a patch, as opposed to a day or better of complete down time because the system was ravaged by a virus or worm, then spread to other computers on the network.

Choose your battles; it's the lesser of two evils.

Re:That reminds me... (1)

Zapman (2662) | more than 10 years ago | (#9593994)

"Several hours to roll-back a patch, as opposed to a day or better of complete down time because the system was ravaged by a virus or worm, then spread to other computers on the network. Choose your battles; it's the lesser of two evils."

I completely disagree. With proper measures, it can be done.

MS will never have a true 'forced patch upgrade' in 'thou shalt' terms. Enterprises will run away screaming. There are reasons you have development, and test environments for serious pieces of enterprise infrastructure (and exchange would qualify). Roll the patches to dev, then test. Pound on them for a while. See what happens, then apply it to production.

We all know that exchange bare on the internet is a bad idea. It can be done, and it can be done moderately securely, but a border gateway is almost a requirement. [1]

If you have a reasonable antivirus product in front of exchange, you'll be able to run it unpatched for the few hours you need to test a true, critical patch.

[1] For a great product, hit www.ciphertrust.com. Their 'ironmail' product is awesome. Great anti-spam, wonderful anti-virus, good content filtering, OWA proxy for webmail. Email appliance. We use it at work, and are blocking 180,000 spam messages/week for 1700 mailboxes.

Re:That reminds me... (1)

Embedded2004 (789698) | more than 10 years ago | (#9593829)

Do not know if you're joking or actually being serious. But having microsoft automatically install things is probably not a good idea. I definitely would never run windows update when I am in the process of doing something important. A couple of times it has broken many apps. One time, probably the worst one, was one update which broke my video card drivers. Luckily I have triple monitors, so my two ati video cards still worked, I managed to boot, and get newer nVidia drivers which worked after the MS update. Had I only had a single display setup, I would have been screwed.

Re:That reminds me... (1)

Nurseman (161297) | more than 10 years ago | (#9593865)

I want automatic and forceful patch downloading and installation!

Are you serious about wanting forced, automatic downloading? Do you REALLY want to give Microsoft full control to change things without your permission? What happens when you log on and MS "Fixed" IE by not letting Mozilla/FF load? How about "fixing" MS Office, by blocking Open Office? I am not a tinfoil hatter, or an MS hater, but I like to decide what/when gets updated on my machine. As an example, I have an old, DRM free version of Media Player. It tries to auto update itself after every use. In fact it defaults to "We will automagically update you in 15 seconds UNLESS you click here". No Thank You.

Re:That reminds me... (2, Interesting)

blindbat (189141) | more than 10 years ago | (#9593881)

I was helping a fellow (via phone) repair his Windows installation that had a couple of viruses (at least), blaster and another worm. He even has the auto download of updates running so he thought he would be safe.

Problem: he is a dial up user and is never connected long enough at home to keep his system current.

So Windows will have to hi-jack the internet connection in order to get the downloads or half-knowledgeable users like this guy will still be victims.

Hehe (0)

Punboy (737239) | more than 10 years ago | (#9593747)

Looks like the government's statement got MS to get off their lazy butts and fix something.

Re:Hehe (0)

Anonymous Coward | more than 10 years ago | (#9593785)

Looks like the government's statement got MS to get off their lazy butts and fix something.

Really? I thought it was the home page story on Slashdot... I mean, the most recent one...

One down, ??? to go (2, Informative)

rjune (123157) | more than 10 years ago | (#9593748)

For the others, Microsoft has provided customers with prescriptive guidance to help mitigate those issues.

Got it, but.. (4, Insightful)

Dynamoo (527749) | more than 10 years ago | (#9593754)

Got it, but in the meantime I switched to Mozilla Firefox [mozilla.org] and I honestly don't see any reason to go back to IE apart from a handful of aggressively IE-only sites.

Re:Got it, but.. (1, Interesting)

Anonymous Coward | more than 10 years ago | (#9593808)

Sadly you are Slashbotting. Three of the five sites that I visit most frequently do NOT render correctly with Firefox. Each and every time I visit Slashdot I have to refresh to get the leftbar to stop encroaching on the main story blurbs. Every time I visit the other sites I must change font sizes. Each site I visit looks different than it was intended to look on IE and thus I cannot read some text and some text is so large that it is uncomfortable.

We won't even get into the fact that my online banking instantaneously loads on IE yet takes several /MINUTES/ to load in Firefox.

Re:Got it, but.. (1, Funny)

drkhwk (41862) | more than 10 years ago | (#9593863)

We won't even get into the fact that my online banking instantaneously loads on IE yet takes several /MINUTES/ to load in Firefox.

Then you should switch banks, not browsers.

Re:Got it, but.. (0)

Anonymous Coward | more than 10 years ago | (#9593872)

Typical, dumb, Slashbotting response. The world does not revolve around a browser preference. Get real tinfoil boy.

Re:Got it, but.. (3, Insightful)

Lehk228 (705449) | more than 10 years ago | (#9593873)

troll? are you using .7?

Re:Got it, but.. (0)

Anonymous Coward | more than 10 years ago | (#9593944)

I have tried every single version of Firefox to come out. They are all terrible. I am not trolling regardless of what the Slashbotters believe.

Re:Got it, but.. (0, Troll)

no reason to be here (218628) | more than 10 years ago | (#9593915)

Dear Troll,

I am using firefox right now. Just as fast and responsive as IE (if not moreso) with my several banking sites and loads /., as well as every other site i go to just fine. So, in conclusion, STFU!

Love,
the rest of us that know how to use a computer

P.S. Log in next time

Re:Got it, but.. (1)

jumpingfred (244629) | more than 10 years ago | (#9594003)

You know that firefox 0.9.1 does not render /. as well as ie. Firefox which I am using often has the posts overlap the links on the left of the page.

Re:Got it, but.. (1)

MisanthropicProgram (763655) | more than 10 years ago | (#9594007)

No, I don't think you're a Troll. It sounds like you're using an older version of Firefox. Try getting a newer one at Firefox's site [mozilla.org]
As far as your bank is concerned, they may actually be using something that does expose some sort of problem with Firefox. There may be some things to note. Like - Is it an ASP site? (It may have nothing to do with it.)

Lastly, don't let some people discourage you from using Firefox with their condescending attitude. I for one like having new users join the fray :-)

Re:Got it, but.. (1)

Sargondai (25502) | more than 10 years ago | (#9593918)

You mean like Windows Update?

:)

Get the fix early here. (2, Funny)

Saeed al-Sahaf (665390) | more than 10 years ago | (#9593757)

The press statement says that it'll hit Windows Update later today...

O get the fix early, HERE. [mozilla.org]

Re:Get the fix early here. (0, Redundant)

nizo (81281) | more than 10 years ago | (#9593816)

I would have posted this before you did, but ironically firefox died on me for the first time in months. Doh! (Then again, I am running an older version, time to upgrade!)

Re:Get the fix early here. (0)

Anonymous Coward | more than 10 years ago | (#9593818)

Do you happen to know how to run Windows Update on Linux? ;)

Re:Get the fix early here. (1)

buchan232 (655996) | more than 10 years ago | (#9593948)

It's already showing in Windows update. I just finished installing and updating a new machine half an hour ago. Then just went back to discover one more update!!!! Ever notice it takes longer to update than it does to actually install?

Just got my WindowsUpdate popup a minute ago (1)

ramk13 (570633) | more than 10 years ago | (#9593767)

Just got my WindowsUpdate popup a minute ago. No restart. Yay!

What's still frustrating is the amount of time between the identification of a vulnerability and the time a real patch is released. A real patch, not just some KB article telling you to edit the registry.

Obvious link missing (2, Funny)

nizo (81281) | more than 10 years ago | (#9593769)

Fix can be downloaded here [mozilla.org] .

In Other News... (5, Funny)

Snagle (644973) | more than 10 years ago | (#9593770)

The Department Of Homeland Security said it is safe to go back to using Internet Explorer as your main browser...for about 10 minutes, when the next exploit will be released.

Re:In Other News... (4, Interesting)

chris_mahan (256577) | more than 10 years ago | (#9593882)

I notice that MS releases a "fix" of some sort when DoHS says: use another browser.

Can somebody at DoHS recommend switching to another browser every day so MS will start working on the backlog of bugs?

Another question: Are there enough of those high-flying MS developers still working on the IE codebase to make the changes in a timely manner or is there an aging skeleton crew to fix the vulnerabilities, not too motivated since they were passed up for work on .NET?

I wonder.

Somebody probably lit the proverbial fire under their bums this morning.

(They know how hard it is to get people to switch browsers. It took a while (2 years) with Netscape, and NS Communicator was a POS). I guess they are at the edge of the cliff and realized there's nowhere but down.

Re:In Other News... (1)

WindBourne (631190) | more than 10 years ago | (#9593887)

While you meant this to be funny, the sad thing is that Homeland went to MS and has been with it since its inception. By doing so, they proved that "Security is job 1" is not true. Now they are saying to stop using MSIE, but nothing about SQL server, IIS, Exchange, or outlook, of which the vast majority of cracks come from.

It is this very reason why I am so opposed to the patriot act. It gave to Homeland and to DOJ most of the same capabilities as NSA and CIA had together. NSA/CIA are far less political than either DOJ or Homeland.

Re:In Other News... (1)

johnnyb (4816) | more than 10 years ago | (#9594019)

"the sad thing is that Homeland went to MS and has been with it since its inception. By doing so, they proved that "Security is job 1" is not true."

Kind of. It actually proved that it is difficult to function as a government. You see, as a government, you CANNOT just have biased opinions, even if those biases are based in experience. It has to run on fact, or at least what qualifies as fact.

The "fact" is that Windows has much better government certification than Linux. We know that government certifications mean jack squat, but a government person, even if they know that, can't really act on it for procurement purposes. There are other factors, such as price and service.

Without these controls, it is pretty easy to get some people in key positions and simply control government with a mafia outfit. These controls prevent that, but they mean that government cannot make use of the best asset when making decisions - people.

Now, I do think that Microsoft should have been phased out when declared a monopoly maintained by illegal tactics. But other than that, government does not have good decision-making capability, because it has no competition.

Which is why conservatives want limited government.

Re:In Other News... (1)

argent (18001) | more than 10 years ago | (#9593956)

If CERT was doing their job right, they would have recommended against using IE back in the mid-'90s when Microsoft first created the basic design flaw that this is just the latest instance of.

That's when I banned IE and Outlook at work. Did wonders for our security, and made me look really good when other groups and companies got hammered by Melissa and her zombie children.

The Vulnerability (5, Funny)

lousyd (459028) | more than 10 years ago | (#9593776)

the Download.Ject vulnerability that hit IE late last month. The press statement says that it'll hit Windows Update later today..."

So, the vulnerability will hit Windows Update later today? How do they know? (Other than the fact that Microsoft is running security at the Windows Update site, of course.)

All right!!! (5, Funny)

k4_pacific (736911) | more than 10 years ago | (#9593777)

That means all the sys-admins will have to work late on a Friday night making sure it's installed.

Excellent timing.

Re:All right!!! (1)

colonslashslash (762464) | more than 10 years ago | (#9593810)

Yes. Those poor MCSE's.

/me sheds a tear

Re:All right!!! (0)

Anonymous Coward | more than 10 years ago | (#9593840)

I'm a SysAdmin, but I won't be staying late. Macs and OSX all around. Hooray!

Re:All right!!! (1)

thedillybar (677116) | more than 10 years ago | (#9593844)

>That means all the sys-admins will have to work late on a Friday night making sure it's installed.

The update is already available and I've already pushed it out to all of my machines without issue.

Re:All right!!! (1)

Deathlizard (115856) | more than 10 years ago | (#9593845)

Not me.

After Blaster I said Screw that and built a Software Update Server on our network here. All I had to do was forcibly sync it, approve the update and away it goes.

All I have to do is wait, and check the logs (using suslogvewer) on Monday to make sure that they updated.

Re:All right!!! (1)

ch-chuck (9622) | more than 10 years ago | (#9593971)

built a Software Update Server

Leave it to Msft to sell yet another server license just to patch bugs. I seriously admire their ability to consistently turn defects into revenue streams.

suggested moderation: -1 troll

Re:All right!!! (1)

LoadWB (592248) | more than 10 years ago | (#9593976)

::nods in agreement with you and thedillybar::

All of my client sites running 2000 or better have SUS running, along with a script which auto-approves updates. I've never had a problem.

Even though the update is due to push out tonight, I pushed the registry changes out today with group policies. On systems (still, though I'm pushing them to update) running NT Server, a login script and a .reg file does the trick quite nicely.

In the end, it takes much less time to roll-back a bad patch than it does to clean a system or entire network raped, ravaged, and left for dead by a virus or worm. Both of which are, unfortunately, part of the game we play and, fortunately, what we get paid to do -- REGARDLESS of your operating system.

Re:All right!!! (1)

sevensharpnine (231974) | more than 10 years ago | (#9593853)

Nope--I can't update machines until I know a patch is out. This sys-admin is covering his ears and humming showtunes until 4 p.m. Lalalalaaala...

Re:All right!!! (0)

Anonymous Coward | more than 10 years ago | (#9594017)

All it does is change Internet Security Zone settings. Something you could have done years ago like I did.
Enough is Enough get your patch here.
https://netfiles.uiuc.edu/ehowes/www/resource6.htm

I'm Not A Religious Person But... (1, Funny)

Anonymous Coward | more than 10 years ago | (#9593781)

I'd recommend a little prayer before every time you click on a link in Internet Explorer.

Re:I'm A Religious Person and... (0, Offtopic)

Duhavid (677874) | more than 10 years ago | (#9593898)

IE will teach you religion.

Patch mirrors (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#9593791)

Here is the patch to fix the IE browser vulnerability under windows.

http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/0.9.1/FirefoxSetup-0.9.1.exe

Loaded terminology... (5, Insightful)

Anonymous Coward | more than 10 years ago | (#9593800)

"Late last month"

vs.

"A week or so ago"

I know Microsoft is not one for timely updates, but this wording makes it sound like Microsoft has been sitting on this particular problem a lot longer than they have.

Re:Loaded terminology... (1)

brilinux (255400) | more than 10 years ago | (#9593921)

"Late last month"

vs.

"A week or so ago"


May I remind you that this is July 2, making "late last month" "three days ago". While in the computer world that may be a long time, in real life, that is less than a week. Of course, if I used Windows regularly, I would want those fixes as soon as possible anyway.

Re:Loaded terminology... (0)

Anonymous Coward | more than 10 years ago | (#9593998)

Maybe you didn't get it. The difference is "late last month" sounds longer ago than "a week ago", regardless of the time of month. Would you say you watched cartoons last weekend or late last month?

Would you talk about your date on Tuesday night as "three days ago" or "late last month"? Haha... That was a trick question -- this is Slashdot.

Re:Loaded terminology... (1)

pipingguy (566974) | more than 10 years ago | (#9593983)


I know Microsoft is not one for timely updates, but this wording makes it sound like Microsoft has been sitting on this particular problem a lot longer than they have.

To steal an oft-used cliche of the "Linux fanboys":

You must be new here.

Oh, and I figgered I'd not be a looser and mispell something just two make it offishul:Nataly Portman.

Re:Loaded terminology... (1)

RAMMS+EIN (578166) | more than 10 years ago | (#9593997)

Wasn't the vulnerability something like 10 months old? Or is that another one? If it's another one, does that mean the 10 month old one still goes unpatched?

I don't know the answers myself, because I have given up caring about MSIE security holes. The thing _is_ a security hole.

I have a feeling (1, Redundant)

Punboy (737239) | more than 10 years ago | (#9593821)

that MS doesn't care about security, only publicity. They don't care until it affects their marketshare, THEN they fix it.

Everyone switch to Linux! Then MS will fix Windows!

Re:I have a feeling (2, Insightful)

Mishkin (729185) | more than 10 years ago | (#9593939)

Well take a look here [asp.net] and see the blog of a windows developer. He really does get upset when people say that MS doesn't care about security.
I am sure you are all aware that windows is a fairly large OS that is designed to be easy to use for novices but allow Power Users to do their thing as well. I think it accomplishes that fairly well. They provide automatic updates to every computer now (if you are not too lazy to turn it on). I realize that this option is turned off by default but this is more because of the people (*cough* slashdotters *cough*) that say that MS will somehow steal all their secrets if you let them install updates automatically. I think MS does a good job updating system.


Also, if I see one more reply to an IE article with the line "Download the patch here [mozilla.com] " rated as "Funny", I will kill myself.

Yup...I got it... (1)

JarrodMJ (740789) | more than 10 years ago | (#9593830)

and sync'd my SUS server for the LAN here...no problems so far.....

What about ActiveX? (4, Informative)

jZnat (793348) | more than 10 years ago | (#9593834)

They might've found one way to prevent the auto-download, but there are still plenty of ways to force a download using ActiveX. Even with that, there are still a few ways to run them too; methods that are still unknown to most assholes trying to get you to buy their pills that give you bigger penis-breasts-ego-wallet-spyware-car-wife-mom-WMDs .

tool late (0, Redundant)

eclectus (209883) | more than 10 years ago | (#9593841)

too late. I've already switched [slashdot.org]

late last month means (4, Insightful)

Zed2K (313037) | more than 10 years ago | (#9593842)

Late last month actually means June 25th. Which by my count was only 1 week ago. But it wouldn't be a bash microsoft topic without a little twisting and manipulation.

Why Ject? (2, Interesting)

Anonymous Coward | more than 10 years ago | (#9593849)

Why is it called Ject? Is the virus writer or the AV firm some kind of closet Final Fantasy X fan? Seriously? Why Ject?

dont worry M$, Mozilla already fixed this for you (-1, Redundant)

Indy1 (99447) | more than 10 years ago | (#9593856)

in fact, they were so nice, they fixed all the other security issues in IE too, and even included some nice extras like popup blocking and tabbed browsing. And the best thing of all, they fixed it for free, so you don't even need to pay them for all their hard work.

48 Hours (0, Insightful)

Anonymous Coward | more than 10 years ago | (#9593859)

Riiiiiiiight....

I think my brain just exploded. (2, Funny)

Ira Sponsible (713467) | more than 10 years ago | (#9593860)

This is completely incomprehensible. I'm using Mozilla Dangerphoenix, and ms let me get the download with no hassles at all. Of course it's not one of their usual updates, but I still find it hard to believe that they haven't broken the link for non-IE browsers like they do for the rest of their site. Unless the "Configuration Change" is really just an extension to "fix" my Mozilla Pornopony to behave just like IE. DAMN YOU MICROSOFT, WHEN CAN I TRUST YOU!!!

Enough! (1)

RedA$$edMonkey (688732) | more than 10 years ago | (#9593874)

Of the 6 comments rated above 3, 3 of them are jokes about switching to Mozilla/Firefox. Anyone know what redundant means? /gripe.

Now that I have your attention, to save some time here:

In soviet russia windows updates you!
All your updates are belong to us!
I use you insensitive clods!

Coming soon... (5, Funny)

sleighb0y (141660) | more than 10 years ago | (#9593876)

Download.Ject.A
Download.Ject.B
Download.Ject.C
Download.Ject.D..............

Now available on Windows Update (0)

Anonymous Coward | more than 10 years ago | (#9593905)

'nuff said

Where is the notice? (1)

Danathar (267989) | more than 10 years ago | (#9593916)

Can somebody point me to where the ACTUAL official notice from US-CERT is that recommends NOT using IE? I would love to forward it to the head of my agency, but forwarding a link to slashdot is not going to hack it.

I looked on the US-CERT website but could not find it.

thanks

Re:Where is the notice? (0)

Anonymous Coward | more than 10 years ago | (#9594016)

Here ya go:

http://networks.org/?src=cert:713878

IE Features (5, Insightful)

johnhennessy (94737) | more than 10 years ago | (#9593925)

What use are IE's extra features if they have to be turned off by default?

ActiveX should never have been embedded into a browser in the way it has been. Yet most of the sites that I have to use IE for is because of ActiveX controls.

Microsoft tricked a lot of the world into using ActiveX and now they're paying the price.

I can hear the support conversations already -
"Yes, if your security zone is set to high your computer won't be vulnerable. But if you want to view anything with ActiveX (read: multimedia) you'll have to turn these vulnerabilities back on."

Does anyone else find this mildly insane?

it took them a freaking MONTH for this?! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9593927)

OMFG it took MS a whole freaking MONTH for this temporary work-around (which isn't even a fix) and will be useless within minutes of its release?!? I have a better idea, you can get a REAL fix that WORKS from Here [mozilla.ord]

Simply because.. (0, Troll)

LoganTeamX (738778) | more than 10 years ago | (#9593932)

If you're still running IE, you're still running around with your pants around your ankles. Firefox - it's all you need. And Thunderbird kicks OE and Outlook in the teeth.

Microsoft released a fix a long time ago (5, Informative)

Sheepdot (211478) | more than 10 years ago | (#9593962)

Ever wondered how IE exploits get a whole executable to your computer?

Wonder no more. 11 months of IE exploits and at least a year or two's worth of future exploits can be avoided with one simple registry change [microsoft.com]. The problem that MS has isn't that they are incompetent, it's that they insist on leaving default features that are used by 1% of administrators like myself.

98% of spyware released since January 2004 can be avoided with the above registry fix. If you think that statistic is outrageous, I challenge you to find one piece of malware installed without using ADODB.Stream in one way, shape, or form. Be forewarned, I make and research IE exploits for a living and wouldn't make this kind of a claim without having the data to back it up.
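Added example, not part of the comment above or of any Microsoft tooling: a defender's audit of whether Internet Explorer is blocked from instantiating ADODB.Stream, assuming the registry change the comment links to is the ActiveX "kill bit" for that control. The CLSID, the key path and the sample export are supplied here rather than quoted on the page, and the sample is constructed.

```python
import re

# Public CLSID of the ADODB.Stream COM class (assumption: supplied here, not on the page).
ADODB_STREAM_CLSID = "{00000566-0000-0010-8000-00AA006D2EA4}"
# Bit in "Compatibility Flags" that stops IE from instantiating a control.
KILL_BIT = 0x00000400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample of a `reg export` of COMPAT_KEY, already decoded to text
# (real exports are UTF-16; decode before passing them in).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000020
'''


def parse_compat_flags(export_text):
    """Map upper-cased CLSID -> Compatibility Flags value found in .reg export text."""
    flags, clsid = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only direct children of the ActiveX Compatibility key are control entries.
            parent, _, leaf = line.strip("[]").rpartition("\\")
            clsid = leaf.upper() if parent.lower() == COMPAT_KEY.lower() else None
            continue
        m = re.match(r'"Compatibility Flags"=dword:([0-9a-fA-F]{8})$', line)
        if m and clsid:
            flags[clsid] = int(m.group(1), 16)
    return flags


def kill_bit_set(export_text, clsid=ADODB_STREAM_CLSID):
    """True only if the control has an entry and the kill bit is set in it.

    A missing entry counts as not protected, which is the state to flag.
    """
    return bool(parse_compat_flags(export_text).get(clsid.upper(), 0) & KILL_BIT)


if __name__ == "__main__":
    state = "blocked in IE" if kill_bit_set(SAMPLE_EXPORT) else "NOT blocked in IE"
    print("ADODB.Stream:", state)
```

The kill bit only affects instantiation inside Internet Explorer; scripts run by other hosts can still create the object.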

Remember "48 Hours"??? (0)

maggeth (793549) | more than 10 years ago | (#9593963)

Riiiight...

IE Weapons License (0, Offtopic)

Compholio (770966) | more than 10 years ago | (#9593964)

In other news, the US House of Representatives has changed the language in a bill requiring Pentium 4 class processors to have a weapons license. Instead of Pentium 4s requiring a weapons license "Microsoft Internet Explorer" will now require a weapons license.

For those of you that missed it:
Does A Pentium 4 Need A Weapons License? [slashdot.org]

Yippee! (5, Interesting)

callipygian-showsyst (631222) | more than 10 years ago | (#9593965)

Despite all our whining and moaning, (and the fact that this bug was the straw that broke the Camel's Back and I switched to mozilla and thunderbird [robert.to]) Microsoft did act pretty fast here. It was less than a week, wasn't it?

And, while it's unfortunate that many people don't (or can't) run Windows Update, it works well for people with fast connections who are behind firewalls so their systems don't get screwed up before they can patch them!

Re:Yippee! (1)

nyekulturniy (413420) | more than 10 years ago | (#9593995)

But I did switch to Mozilla and as soon as I can ditch IE 6 from my XP box (burned in) I'm never going back to MS.

Link to the REAL fix (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#9593979)

OMFG it took MS a whole freaking MONTH for this temporary work-around (which isn't even a fix) and will be useless within minutes of its release?!? I have a better idea, you can get a REAL fix that WORKS from Here [mozilla.org] and maybe in the meantime I'll learn to spell or at least type! ;)

Name this genius: (0)

Anonymous Coward | more than 10 years ago | (#9594024)

"There's an old saying in Tennessee.. I know it's in Texas, it's probably in Tennessee that says, fool me once, shame on...shame on you. It fool me. We can't get fooled again."
