
back to article Microsoft flings out emergency patch for latest gaping IE hole

Microsoft has announced plans to release an out-of-band patch today tackling a critical zero-day hole in Internet Explorer. The update will almost certainly tackle an unpatched remote-code execution flaw in earlier versions of IE (detailed in Microsoft Security Advisory 2794220) that has become the target of hacker attacks since …

COMMENTS

This topic is closed for new posts.

Not such a pain!

Patches outside the regular Patch Tuesday update are a pain for administrators and Redmond has done a good job in cutting down their frequency over the last three or four years. Microsoft has been battle-hardened from years of combating Windows bugs and its security practices have become an example to the rest of the industry. Some also argue that it encourages hackers to divert their attention away from Redmond and towards exploiting vulnerabilities in third-party software, most particularly Java and Adobe applications.

They may be a pain, but getting infected is a bigger one for me. I welcome them with open arms.

8
1
Silver badge
Meh

An

A patch to patch the patched patch.

I feel safer now.

1
1

Re: An

Well surely you feel safer seeing as the patch that patched the patch that patched the previous patch that also patched the previous patch should be better than all the previous ones.

What do you want them to do? Patch it once with a bad patch then ignore it no matter what?

0
0
FAIL

"IE 9 has been available since March 2011"

If you're running Vista or above, many corporate environments still have large collections of XP (occasionally older) machines.

7
0
Silver badge

And that is becoming Microsoft's albatross. Even people I know who like Internet Explorer are getting annoyed that their perfectly usable XP machines are vulnerable like this.

Corporate policy is currently an absolute ban on Internet Explorer for internet surfing (lots of intranet stuff is, of course, IE only). Microsoft is going to continue to haemorrhage market share as a result of this and encourage suits to use their iPads even more: IE dropped around 20 % last year and Safari gained 10 %. Getting those users back is going to be difficult.

5
2

This post has been deleted by a moderator

Silver badge

Re: Yet another Microsoft Security FAIL.

All browsers have vulnerabilities and all vulnerabilities can be used to compromise systems. However, at least other browsers can be reliably uninstalled from a machine.

8
0
Anonymous Coward

Re: Yet another Microsoft Security FAIL.

Eadon - IE is sandboxed, and it is outside of the kernel. If Firefox, Chrome or Opera are compromised, assuming any sandboxing present is also compromised, they can still operate in the user context in which they are being run, just like IE. Now that may mean that software can or can't be installed or system settings changed, depending upon the user's rights, but it does still mean that there is full access to the user's files, which can still be corrupted or held to ransom, should remotely installed malware allow that.

4
2
Bronze badge
Meh

Re: Yet another Microsoft Security FAIL.

Eadon, I always admire the way you capitalise the word 'fail'. It never fails to make me pay more attention.

2
1
Anonymous Coward

Re: Yet another Microsoft Security FAIL.

Yup. If you could just point us to the flawless software that never needs a patch I'll point you to cloud-cuckooland.

Meanwhile, Microsoft for all their faults support their software as effectively as they can and for why I don't know get slagged off for it.

2
0
Bronze badge

IE sandbox

according to Microsoft it:

Affected Software: Microsoft Windows, Internet Explorer

Restart Requirement: Requires restart

IF MS got that right and they really want to restart the whole system, so it is a "sandbox" embedded in the system problem?

Say, neither Firefox, nor Chrome(ium) nor any other browser would require the system restart after they update themselves. Be it Windows, Linux, *BSD, Android or Plan 9.

0
0
Unhappy

Unfortunately,

there are *still* large companies - and I can, but won't, name two of them (no names, because the info comes from a friend who's under an NDA on this!) whose IT departments have their heads so deeply buried in the sand that they still require all their desktops to run IE7.

The problem lies not, unusually, with the users in these cases, but with the IT Honchos who are still living in the 70s, and who think a VAX may well be the cutting edge in corporate computing!

Still, hats off to MS for this patch, it's nice to see them taking this seriously.

3
3
Silver badge
Unhappy

Re: Unfortunately,

You can only name two? I'd wager that around 50% of the FTSE is still XP/IE7, not to do with Head Honchos living in the past, more to do with the fact rolling out to Win 7 is a helluvan outlay, and that the corporate environment will be littered with web interfaces accumulated over the years that only support IE7.

4
0
Anonymous Coward

Re: Unfortunately,

IE7 ha! I can name several major oil companies where they'd love to be able to upgrade to IE7.

3
0
Anonymous Coward

Re: Unfortunately,

> Still, hats off to MS for this patch, it's nice to see them taking this seriously.

Of course it is - just as it would be to see any manufacturer of cardboard doors regularly providing new locks.

4
1

This post has been deleted by a moderator

Anonymous Coward

Re: Unfortunately,

@Eadon - Yes, just like Linux, lots of stuff is regularly updated, therefore the original code must all be rubbish.

Except it's not, for either Windows or Linux.

4
0

Re: Unfortunately,

Upgrade to IE7? I can name a number of utility companies which still rely on MS DOS and dial up modems...

0
0
Silver badge
Joke

Re: Unfortunately,

<Yorkshire accent>

MS-DOS? Posh bastards! We would give our right arm to be able to use MS-DOS, we would!!

We are forced to run old CP/M machines (the very lucky bastards get CP/M 68K!!)

We have to compile our browsers, then store them on 42 floppy disks, and like it!!

</Yorkshire accent>

1
0
Silver badge
Joke

Re: Unfortunately,

"Compile... Compile ! " - eeh, we used t'dream about compilers. We had t'make do wi' hand-assembling - wi'out hands !

2
0
Silver badge
Joke

Re: Unfortunately,

And the problem with kids today is that if you tell em they don't believe a word you are saying!

1
0
Silver badge

Re: Unfortunately,

Thanks for the laughs Michael. Not entirely a joke on my part as I really did hand-assemble my first software on a Science of Cambridge Mk14 with the hideous NS SC/MP instruction set/arch.

0
0
Mushroom

Neatly attacks the corporate/government assets

Thankfully IE's usage is dying on its backside, my logs are showing it at 24% and falling each month.

The problem is that big corporates and governments still use IE because of their standard builds, based upon Win XP and glacially slow update cycles. These environments rarely allow modern browsers, so IE usage on these estates will be 100%. This is a gift for the bad guys who can exploit IE with impunity. Once Microsoft patches this hole, it just leaves the rest of the IE sieve to patch.

It's really a failure of the IT department governance. But they're driven by policy, which is developed by the organisation which is run by people who've no idea what IT is... Such a sad state of affairs.

1
1
Silver badge

Re: Neatly attacks the corporate/government assets

To be fair I think that most corporates have already migrated or are in the process of migrating to Windows 7 but depending on when they got the system images this still means IE 8 in many cases. Moving to IE 9 is as much trouble as installing Firefox LTS which is why an increasing number of corporates are doing the latter. Individuals seem to be going for Chrome.

I'd be interested to know how your 24 % breaks down. My 30 % is about evenly split between IE 8 and IE 9 with IE 7, 6 and 10 fighting it out for the wooden spoon. As IE 10 is still Windows 8 only this is hardly surprising but yet another obstacle that MS has unnecessarily put in its path.

0
0
Boffin

Re: Neatly attacks the corporate/government assets

Checking for the last two weeks (busy site), the top 5 browsers:

Chrome - 33%

Internet Explorer - 25%

Safari - 21%

Firefox - 13%

Android Browser - 7%

IE's 25% breaks down to

IE9 - 60%

IE8 - 28%

IE7 - 7%

IE10 - 2.6%

IE6 - 0.98%

0
0
FAIL

XP users at risk

I try to avoid using IE as much as possible, sadly there are still one or two sites out there that don't work properly unless viewed in IE.

Also Microsoft took the (purely commercial?) decision not to make IE 9 and above compatible with Windows XP - the only one of the major browser makers to ostracise this OS which is still on around 40% of the world's PCs.

I still run XP on my laptop because there seems little point 'upgrading' the OS when I'd have to reinstall everything and the 'upgrade' would want more resources.

As someone who develops websites I really wish IE would just crawl away and die, would make my life a whole lot simpler.

0
0

One Would Think...

That by now, 99.99 percent of these "gaping holes" would have been fixed, and we would not need to have a patch Tue every single month. But if people keep converting over to tablets, we will fix that problem, eventually. Except for my organization, which has given me a Win 8 desktop with a touch screen. Which sits back against the wall, and seldom gets touched. DUH.

0
0

I totally gave up using Windows due to viruses

I got tired of Microsoft viruses, scams and malware so I installed a really cool 3D Linux operating system called Robolinux.

It took me only 5 minutes to install it.

Now I can surf the web until I am blue in the face and I can't get a virus.

1
0
FAIL

Is this a legit patch? SSL failure here

Is it just me or is there something funny about the authenticity of this page? Other SSL on microsoft.com are signed by a different CA and don't have this problem.

https://technet.microsoft.com/en-us/security/bulletin/ms13-008

I get "unknown CA".

0
0
WTF?

Why does patching IE need a reboot?

I just tried the patch on one of my test machines and was surprised to find that it demands a reboot after applying. WTF does a browser patch need a reboot?

I am now trying to schedule my Windows, Adobe and Avast updates together as the reboot cost on a lot of machines is just too expensive.

The quality of Microsoft coding is more than suspect. Win8's quality will not be any better with the pressure of keeping up with Apple, Android and Linux. With both Arm and X86 platforms to support simultaneously I suspect that the quality problem is going to be much worse in the future.

At least the Linux systems rarely need a reboot :-)) I need a strong coffee.

1
0
Anonymous Coward

Triple fail for MS

1) Force IE-specific features in IE6 (IT departments fail here too, by using them!), then let users fend for themselves when these proved a liability

2) No IE9 in XP => again then let users fend for themselves when IE6 proved a liability

3) Reboot to patch a stupid browser. Wtf?

1
0