Patch Tuesday: And EVERY version of IE needs fixing AGAIN

June's Black Tuesday patch update from Microsoft has rolled into town with five bulletins, including a solitary critical update that tackles flaws in all supported versions of Internet Explorer. The IE update (MS13-047) grapples with 19 vulnerabilities and covers all versions of IE, from IE6 to IE10, on all supported versions of …

COMMENTS

This topic is closed for new posts.
Windows

IE patches

Plus ça change...


So...

....what would you prefer? MS to not patch bugs?

And this isn't an MS-specific issue, look at all the Java patches of late.

My GNU/Linux system gets updates every other day - although the repository system (when folks bother to package their wares correctly) makes this process much easier when compared to the random, slap-dash, every application needs its own update mechanism, approach on Windows or OS X.

This reminds me, must really look into Puppet/Chef/Salt/Something to keep all the systems up to date in a oner.

Linux

Re: So...

Yes, so does mine, but if you're going to throw that one out, how many of them are security patches? And how many of those are serious and not just Free Software Paranoia (long may it live)?

When, e.g., was the last time KDE had a security advisory? Or its browser Konqueror? (Or Rekonq.) It issues monthly updates, which is not the same as security issues. I can't remember the last time openSUSE issued a "FFS update this".

Anonymous Coward

Re: So...

Eadon's not posted yet?

EADON FAIL


Re: So...

Sorry, I did read that in the voice of Mongo from Blazing Saddles and thought it might be a quote :-

"Eadon's not posted yet,

EADON FAIL,

Eadon Sad".

Meh

Re: So...

....what would you prefer? MS to not patch bugs?

Not at all - just wondering how the older versions in particular managed to work in the first place, as they must have been about 10% good code and 90% bugs.

Just another regular occurrence, like Halley's comet coming around, although that may stop one day.


Re: So...

Well Suse itself posted this security vulnerability in May - https://www.suse.com/support/update/announcement/2013/suse-su-20130819-1.html

They just don't get publicised as much. I think it's safe to say that every system has vulnerabilities in it and it's going to be a never ending battle to fix them!


This post has been deleted by its author

Anonymous Coward

Re: So...

I don't know when KDE last had a vulnerability (I'm a GNOME user), but they did nearly lose all their source code a couple of months ago, because they thought that replication was backup! The only thing that saved them was having taken a node offline the previous day, i.e. luck saved them.

It's all about where you look for your problems - sure, the code may be secure, but if its custody is so badly handled that a corrupting replication node can destroy the entire codebase, that's still as insecure as you can get.

People have to look in the right place for the problems that they should be seeing, not the ones they want to see, or think they may see.

Anonymous Coward

Re: So...

".....And how many of those are serious and not just Free Software Paranoia (long may it live)"

1 second of searching. 1st Hit

05 June 2013, 10:41

http://www.h-online.com/open/news/item/Security-update-for-Chrome-27-1882885.html

Please note the platforms affected.

You see, if you lump in Browser + OS = Fail, then we must do the same for other browsers on other platforms.

Personally I don't give a shit about the platform or the browser ( I run several), but I do give a shit about unpatched software.


Re: So...

I can't remember any time my OpenBSD server needed a security patch.

FAIL

Ahhhh...@ Shagbag...better get busy...or look for a new job...

...'cause there are a shit-load of SECURITY PATCHES waiting for your OpenBSD server.

http://openbsd.org/security.html

Linux

@AC, I beg to differ

1 second of searching. 1st Hit

how many seconds do you need to search to see a tasty remote code execution being already exploited in the wild? Hint: closed source.

BTW, did you notice this: "...eight high and medium severity holes saw nearly $10,000 being paid out." Is MS willing to pay for every or most discovered vulnerability? I don't think so.

Anonymous Coward

Re: @AC, I beg to differ

Or to put it another way: Google pay other people to find their bugs for them, because they can't be arsed.

Yes, I know it's not that simple, but there is more than one way to look at this: Google staff may well leave security to a back seat because they're outsourcing their own bug fixing.


Re: @AC, I beg to differ

Google pay other people to find their bugs for them...

Google pay other people if they find their bugs. #now fixed

I don't know why you choose to look at this fact from this strange angle. Most vulnerabilities found in MS products are found by non-MS people, more so when those are being exploited in the wild (compare this to when exploits are being published).

In my view, the we-don't-owe-anything-to-anyone attitude is an atavistic, very peculiar MS feature. Another possible explanation is the fear of going bankrupt.

Meh

I thought some of those versions were *complete* re-writes from the ground up.

So either a) A faulty software design was re-implemented and perpetuated the vulnerability.

b) Some coder did a copy and paste job on development.

But b could never happen. Do we not have the word of the Turkey Dancer himself on the matter?


Re: I thought some of those versions were *complete* re-writes from the ground up.

Complete re-write doesn't imply they won't re-use existing interfaces for communication between components or externally - so they can become susceptible in the same manner.

Take for instance the way software communicates with the certificate store - it may differ between versions but the base interaction is the same - and therefore potentially open to the same attacks across versions.

Anonymous Coward

Re: I thought some of those versions were *complete* re-writes from the ground up.

As someone who specifies software for a living, I'm getting pretty tired of saying this, but:

If you specify a code module or interface to do X, Y and Z, then hand the spec to a codemonkey, the chances are that any codemonkey will implement that code in a different way, but it will do the same job. If it turns out that Z is incorrect and causes a problem because, for instance, it's a datastream that you didn't specify should be encrypted, the problem resides in your spec and no amount of re-coding from the ground up will fix it.

It's therefore entirely likely that they have re-coded from the ground up and retained problems which are in the spec rather than the code.


Re: I thought some of those versions were *complete* re-writes from the ground up.

You forgot C), which is actually even more troublesome than A) and B), although in order of probability from high to low it is probably B, A, C:

The rewrite introduced a whole new set of vulnerabilities.


@AC 12-Jun-2013 12:05 GMT

Good point. I'll make that D) and rerank their order as B, D, A, C.


Reboot required

These patches wouldn't be half as annoying if Windows could update files that are currently in use. Mac OS X achieves this, most of the time. Having to close my dozens of applications with their carefully-positioned windows is a significant pain point.

Happy

Re: Reboot required

And now OSX re-opens and repositions all your open windows for you when you restart, which is nice.

At least I don't seem to have to re-install Windows itself on a regular basis any more - which is why I stopped bothering to "personalize my windows experience" (sic) so long ago; re-instating all those icons, backgrounds, cursors, alerts, favourites etc. just became TOO tedious.

Headmaster

Re: Reboot required

"Windows can't update important files and services while the system is using them. Save any open files, and then restart the computer"

Shouldn't that be "whilst", not "while"?

Ahhhhh windows patch reboots - just as well they don't market windows as a server... Wait a minute!


Re: Reboot required

I'm sure I remember my Solaris and HP Unix machines reopening my windows when I restarted back in the 1990s. When did they all stop doing it? Was it just because Windows didn't do it, so everyone else stopped bothering?

Or has my failing memory failed again?


Re: Reboot required

net stop wuauserv


Re: Reboot required

"I'm sure I remember my Solaris and HP Unix machines reopening my windows when I restarted back in the 1990s"

I'm pretty sure my SunOS box did that too..

Joke

NSA Backdoors need updating

PRISM 2.0 bitches!


Of course Chrome regularly gets patches - but silently, so the majority of people have no idea it is getting updates... but let's bash IE because they're more public and structured.

Where's Eadon to stick the irrelevant boot in?!?

Anonymous Coward

Chrome patches don't need a reboot...

Silver badge

no, they just require an application restart

But they happen in the background and don't take effect until you restart Chrome.


Re: no, they just require an application restart

Yes, because Chrome is engineered how any sane person would do a web browser: as userland, with a clean separation from the OS networking code. (Chrome is actually engineered very slickly, with the sandboxes and such.) IE is getting that way these days, I believe, but in the early IE days the marketing droids at MS thought it would be a great idea to embed browser code deep in the OS itself. Some of the IE fixes therefore result in OS files changing and thus a reboot.


This post has been deleted by a moderator

Happy

There he is!

Eadon,

We've been waiting for you to post with bated breath. Thank you, my day is now complete.

Anonymous Coward

Re: There he is!

It took him 2 hours though. He must have been busy building his own cloud infrastructure this morning

Anonymous Coward

Yeah, no other systems have any form of active data execution within datafiles, none at all.

Happy

Re: There he is!

...or doing all his MS patching...for the MS machines he pretends he doesn't have, naturally.

FAIL

Re: There he is!

"It took him 2 hours though. He must have been busy building his own cloud infrastructure this morning"

PUNCTUALITY FAIL

Anonymous Coward

Mostly correct!

Actually, Adobe did the same thing with PDF Reader too. Anyway, I'm with you on this matter. From the engineering point of view, the concept of allowing a document to trash your system is plain idiotic, so I will retain only the capital FAIL without sticking it to Microsoft.

Anonymous Coward

You know what? If I have a service that can't tolerate downtime, scheduled or not, I put it into a cluster. That way, when I have a hardware failure or need to upgrade the hardware or the software, I can remove a cluster node, carry out the work on it, reboot it and re-introduce it to the cluster. The same goes for UNIX, Linux and Windows; anyone who doesn't do this is cavalier with their SLAs, and anyone who has up-time requirements and doesn't use clusters in this day and age doesn't really care.

Joke

Re: There he is!

You may have been eating worms, but most of us have been waiting impatiently.

Trollface

Re: There he is!

His mum wouldn't let him use the computer until he had finished tidying his room.

WTF?

"Yeah, no other systems have any form of active data execution within datafiles, none at all."

So the fact another developer fails means Microsoft doesn't? I'm not following your logic.


Surely the important question is...

After it's been patched, will it still have the lowest power consumption?

And how many otters/polar bears/giant redwoods will be burned in the patching process?

Anonymous Coward

It's just criminal...

...that Gates and Microsucks aren't held accountable for selling totally insecure and defective products.


Or to spin it positively

Isn't it great to see that the original IE was so extendable that they've managed to maintain it as the single code-base for all future revisions?

More seriously, I always query patches that just apply to single versions where the feature was there in both prior and later versions. If you knew you had to re-write something for the next release, then you probably were aware of the flaws in the prior version.
