Serious IE and Windows flaws left to fester

Microsoft won't fix vulnerabilities in the latest versions of Internet Explorer or Windows during its regularly scheduled patch release on Tuesday, meaning users will have to wait at least another month to get updates that correct the security risks. The software maker on Thursday said January's Patch Tuesday will include a …

COMMENTS

This topic is closed for new posts.
  1. 46Bit

    Another way of looking at the title

    Call me cynical, but is it just coincidence the title could be interpreted as the flaws *being* Windows and Internet Exploder?

  2. Anonymous Coward

    Woah...

    They still patch Windows 2000?

    1. Pigeon

      Thank dog they patch w 2000

      It must mean M$ is serving its clients. I run Solaris 8, and still patch it. If I decide to move to v 10, I'm sure it will need new hardware and subsequent repurchase of third party software licenses. This is what we pay for when we buy the O/S isn't it?

    2. Ken Hagan

      Re: They still patch Windows 2000?

      Windows 2000 doesn't finally drop off the radar until June this year. (I saw the exact date somewhere on the MS site the other day but can't remember the details.)

    3. Chika

      Yes.

      It's still on extended support, but that is finished in July. See http://support.microsoft.com/ph/1131

  3. Inachu

    PDF hijack

    Users do not have to open the PDF files; the site that is infected forces the computer to open the file remotely without any user interaction.

    I had to format and reimage the pc and tell people to stop going to these infected political pundit websites.

  4. Alan W. Rateliff, II

    Is this forgivable??

    "The flaw, which resides in the OSes' SMB, or server message block, can be triggered remotely by sending malformed traffic that specifies incoming packets that are smaller or larger than they actually are."

    In the year 2010, is this truly forgivable?

    Paris, truly....
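    The quoted flaw is a length-field mismatch: a frame whose header claims a payload smaller or larger than what actually arrived. The following is an added illustration, not code from the article or from Microsoft: a defensive check for the NetBIOS-session-style framing SMB uses over TCP (one type byte plus a 24-bit big-endian length), where the declared length is compared against the bytes really received before anything is parsed. The header layout and size limit are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed framing: 4-byte header = type byte + 24-bit big-endian payload length. */
#define FRAME_HDR_LEN 4
#define FRAME_MAX_PAYLOAD (64u * 1024u)   /* illustrative upper bound */

enum frame_status {
    FRAME_OK = 0,            /* declared length matches bytes received   */
    FRAME_SHORT_HEADER = 1,  /* not even a full header arrived           */
    FRAME_OVERSIZED = 2,     /* declared length exceeds the sane maximum */
    FRAME_TRUNCATED = 3,     /* header claims more bytes than arrived    */
    FRAME_TRAILING = 4       /* header claims fewer bytes than arrived   */
};

/* Validate one frame held in buf[0..received). The payload length is only
 * reported when it is consistent with what was actually read; a caller that
 * trusted the declared length blindly is exactly the bug class described. */
enum frame_status parse_frame(const uint8_t *buf, size_t received, size_t *payload_len)
{
    if (received < FRAME_HDR_LEN)
        return FRAME_SHORT_HEADER;
    uint32_t declared = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    if (declared > FRAME_MAX_PAYLOAD)
        return FRAME_OVERSIZED;
    size_t actual = received - FRAME_HDR_LEN;
    if (declared > actual)
        return FRAME_TRUNCATED;   /* wait for more data or drop; never read past actual */
    if (declared < actual)
        return FRAME_TRAILING;    /* extra bytes belong to a later frame, not this one */
    *payload_len = declared;
    return FRAME_OK;
}

/* Test helper: build a frame with an arbitrary declared length (constructed input). */
size_t build_frame(uint8_t *out, uint32_t declared, const uint8_t *payload, size_t n)
{
    out[0] = 0x00;                      /* session message type */
    out[1] = (uint8_t)(declared >> 16);
    out[2] = (uint8_t)(declared >> 8);
    out[3] = (uint8_t)declared;
    memcpy(out + FRAME_HDR_LEN, payload, n);
    return FRAME_HDR_LEN + n;
}
```

Only the FRAME_OK path should ever reach the real SMB parser; every other status is a reason to log and discard the frame.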

    1. Ken Hagan

      Re: Is this forgivable?

      Probably not, but I'll offer the following in mitigation: Only a complete numpty would run SMB on any network open to untrusted traffic. MS should be embarrassed by the flaw, but there's worse out there.

      1. Tim Bates

        And then?

        Only a numpty would allow SMB/CIFS to the internet, but most numpties allow it for their entire LAN.... Which means just one laptop has to come in from a numpty's home LAN, and the entire business LAN is screwed....

        I learned that lesson last year when our LAN at work got hit by Conficker - and no, it wasn't a laptop that caused it but a government department supplied computer that got infected by the government WAN where they had their standard firewall config allowing ALL computers to access SMB/CIFS. I was not amused!

        Within about 10 minutes of finding that problem, I switched all our computers to only allow access to SMB from our local servers (which aren't Windows boxes).

  5. heyrick

    Riiiiiight...

    Way to go to promote your new products, Microsoft. Leave Win7 customers in preference to Win2000 which is, what, older than XP?!?

    "incoming packets that are smaller or larger than they actually are."

    Microsoft! What, is your code now being written by entry-level CS students, I meant WTF?

    "Microsoft's Jerry Bryant said the company is still working on a fix for the SMB flaw and is not aware of any in-the-wild attacks that target the weakness."

    Tick tock tick tock...

  6. Anonymous Coward

    I'm not a huge fan of Microsoft...

    but surely it's not a fault in the browser?

    Isn't it the fault of twats who can't build a secure web site?

    1. Ken Hagan

      fault in the browser?

      Since the victim of the attack is the person running the browser, I'd say it is a fault in the browser. Software should not expose the person running the software. Ideally it shouldn't expose anyone else either, but the primary "duty of care" is to the person running it.

    2. Anonymous Coward

      RTFA

      Microsoft's XSS filter introduces vulnerabilities into sites that *have* been securely coded.

  7. Neal 5

    Dan,

    Again, I'm kind of upset that the finger of blame always gets pointed at IE for being the bad boy; you have no mention of Firefox being at all responsible for anything to do with XSS attacks, and don't share any knowledge of it when you get it. So for the benefit of others,

    http://labs.securitycompass.com/index.php/exploit-me/xss-me/xss-me-faq/

    Now this is offered up as a security testing option, however it needs only a complete numpty to not see other potential options with it, especially given the name. And for all of those who think the problem resides entirely with IE, you can now add Firefox to your exemption lists. I'm sure with a bit of help/research from your friend Google, you could find any security testing integration tool for any browser of choice, or perhaps Google will offer up a tailor made exploit for your site; if you're just using templates on your site, in which case don't worry about XSS, that'll be the least of your problems.

  8. Neal 5

    This is good Dan, no?

    It allows you to continue your crusade. I am at least pleased that the real issue actually did get a one line byword at the bottom of your article, although by implication, I have absolutely no idea how an Adobe update can be attached to the real issue of the Microsoft flaws not being fixed; perhaps Microsoft should try even harder to fix everyone else's problems.

    I also note that Microsoft have not fixed the Symantec bug yet either. Why is this company Microsoft allowed to exist? Such incompetence is beyond belief.

  9. Doug Glass

    You're The Tail ...

    ... trying to wag the dog folks. Live with it or move to another platform. Oh I forget. The usual carping then you just live with it. Some people's children .......

  10. Tom 7

    @heyrick

    The coding errors will be in W7 etc too if they use SMB. The work by the SAMBA group to get Linux sharing with Wx seemed to me to reveal one thing: MS don't have a clue how their OS is put together any more - you can bet any W7 or higher code is more or less ripped straight from older versions and will reveal the same flaws - and some new ones too!

    BR excuses won't do: The wrong type of website.....

  11. viet 1

    SMB again ?

    I can't believe it. Since its inception this protocol has been the worst protocol to work with, the least reliable, and MS's will to impose it is dumbfounding. On 10baseT ethernet, there was a (very) small advantage to run SMB instead of TCP/IP, but since then, it should have been put out of its misery long ago.

    1. Anonymous Coward

      underreg

      SMB is not an alternative to TCP/IP, it's an application layer protocol which typically runs on top of TCP/IP. What were you trying to say, because you've not managed to say it?

      1. gollux

        I think he means...

        NETBEUI or NETBIOS or some such other...
