Every single Internet Explorer at risk of drive-by hacks until Patch Tuesday

Microsoft has lined up a bumper Patch Tuesday this month to snap shut a backbreaking 57 security vulnerabilities in its products. Five of the 12 software updates addressing the gaping holes will tackle critical flaws that allow miscreants to execute code remotely on vulnerable systems. In all, the soon-to-be-patched …

COMMENTS

This topic is closed for new posts.


  1. Lee Dowling Silver badge

    Oh no! That means every single installation of Windows where I let my users use Internet Explorer as their browser will have to be taken offline.

    Oh. Already did that. About 10 years ago. Hell, I have user-agent checking on the proxy that filters the net and IE flags an alert (sadly, so do some old versions of Office and ancient applications that like to use IE as a "plug-in" to get their web access - nothing much lost by blocking them also, though).

    If you're still using IE, you really should have sorted out whatever-problem it was that kept you on it AT LEAST 10 years ago. You can say that all your ActiveX and backend software or whatever "requires" IE, but that doesn't mean you still shouldn't have sorted that problem - by moving to a system that DOESN'T need it.
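The proxy-side user-agent check described in the post above, as an added example that is not part of the original thread: it scans constructed proxy log lines (an assumed `timestamp|client_ip|url|user_agent` format, not any real proxy's log layout), flags clients whose User-Agent carries the `MSIE` or `Trident` tokens, and separately labels the embedded-browser traffic from Office that the post mentions as a source of noise (the `ms-office` / `MSOffice` markers are an assumption about Office's User-Agent, so treat that list as something to tune against your own logs).

```python
import re

# Constructed sample proxy log lines, not taken from the original thread.
# Assumed format: timestamp|client_ip|url|user_agent (one record per line).
SAMPLE_PROXY_LOG = """\
2013-02-08T19:30:01|10.0.0.11|http://example.test/|Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
2013-02-08T19:30:02|10.0.0.12|http://example.test/news|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
2013-02-08T19:30:03|10.0.0.13|http://example.test/|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22
2013-02-08T19:30:04|10.0.0.14|http://intranet.test/dav/|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; ms-office; MSOffice 14)
2013-02-08T19:30:05|10.0.0.15|http://example.test/|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
"""

# "MSIE n" is the classic IE token (IE 10 and earlier); IE 11 dropped it but
# still carries the "Trident/n" engine token, so both are matched.
MSIE_TOKEN = re.compile(r"\bMSIE \d+")
TRIDENT_TOKEN = re.compile(r"\bTrident/\d+")

# Markers that suggest the IE engine is embedded in another application rather
# than the browser itself (assumed values; tune against your own proxy logs).
EMBEDDED_MARKERS = ("ms-office", "MSOffice")


def classify_user_agent(user_agent):
    """Return 'ie', 'ie-embedded' or 'other' for one User-Agent string."""
    if not (MSIE_TOKEN.search(user_agent) or TRIDENT_TOKEN.search(user_agent)):
        return "other"
    if any(marker in user_agent for marker in EMBEDDED_MARKERS):
        return "ie-embedded"
    return "ie"


def parse_line(line):
    """Split one assumed-format log line into its four fields, or None if malformed."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    return tuple(part.strip() for part in parts)


def flag_ie_clients(log_text):
    """Return [(client_ip, classification)] for every record whose UA is IE-based."""
    alerts = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # skip blank or malformed lines rather than crash the scan
        _timestamp, client_ip, _url, user_agent = record
        kind = classify_user_agent(user_agent)
        if kind != "other":
            alerts.append((client_ip, kind))
    return alerts


if __name__ == "__main__":
    for client_ip, kind in flag_ie_clients(SAMPLE_PROXY_LOG):
        print(f"ALERT {kind}: {client_ip}")
```

Keeping the embedded-browser traffic as its own class rather than dropping it lets you decide per environment whether to block it outright, as the post does, or only to alert on it while the applications that depend on it are replaced.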

    1. Anonymous Coward
      Windows

      So,

      this entire article doesn't concern you in the slightest..

      But thanks for your (in my case at least) unwanted opinion on a browser you don't use and haven't for 10 years!

      1. Lee Dowling Silver badge

        Re: So,

        It does concern me. That people still are deploying / using IE 10 concerns me greatly. It doesn't affect me directly, however, but that doesn't mean that I a) have no opinion on a public forum on the issue, b) can't express that opinion and c) can't discuss the problem with others.

        I commented on a Wii U page the other day but don't own one. Is that forbidden too?

        1. Anonymous Coward
          Windows

          Re: So,

          You are entirely entitled to your opinion. But your opinion on IE is that it's shit and you have no problem to discuss (you don't use IE so have no problems).

          You can comment on whatever you wish, as I and the other commentards do, but bleating about how bad IE is and that you don't use it and that others are foolish for doing so is self-imposed snobbery and the likes of you and Eadon contribute (in this instance) little, other than to bash MS/IE.

    2. Hungry Sean
      Flame

      careful with that word "you"

      as a consumer of corporate IT services, I don't have a say in the broken software selection process that causes horrible things like Ultipro or other internet-explorer only webservices to be foisted upon me. I suspect that IT frequently doesn't get much say either-- some bean counters get wowed by salespeople and they are the ones who get to choose the payroll system (for example). Bean counters who don't give a crap about corporate security or browser compatibility.

      Here at the bottom of the foodchain, there's not a lot of choice. If I want to get on with my real job, the easiest thing is to use IE for anything on our intranet, and since it's already fired up, might as well use it for the internet too. It doesn't make me happy, but it's better than fucking around with some combination of firefox, chrome, and opera and hoping I can find one that is compatible with each of our services with enough cursing, plugins, and modification of settings.

    3. Anonymous Coward
      Anonymous Coward

      I guess you don't check all your software properly then - and haven't realised that current versions of Internet Explorer have far FEWER security vulnerabilities than other commonly used browsers like Chrome or Safari? We have nearly eliminated such vulnerable third party browsers from our environment and have far less effort patching each month to complete because of it. Any IE issues are easily patched via WSUS / SCCM.

      1. Grikath

        @AC 19:30

        That's partially true, as each browser has its own small drama theatre when it comes to vulnerability and compatibility. It quite often simply depends on which side of the fence(s) you're parked when it comes to a corporate environment.

        Still... It's stupid to simply compare IE as it is now to the unmitigated frustration it delivered 10 years ago. Then again, 10 years ago Netscape wasn't a rose garden either...

    4. TheVogon
      Mushroom

      These are rather more of current note than the IE issues:

      http://secunia.com/advisories/52064

      http://secunia.com/advisories/52116

      Note that the Flash player issue is currently being actively exploited against both PCs and Macs.

  2. Anonymous Coward
    Anonymous Coward

    moving to a system that DOESN'T need it.

    Sharepoint is such a Bitch.

    1. auburnman

      Re: moving to a system that DOESN'T need it.

      Is there any actual point to Sharepoint beyond an attempt to drum up some cash for Microsoft? Beyond a few little bells and whistles it just seems to me to be a poor man's much slower shared drive.

      1. Anonymous Coward
        Anonymous Coward

        Re: moving to a system that DOESN'T need it.

        In fairness, Sharepoint allows for versioning of the documents, and a slightly better access control model than a normal Windows share.

        Not that you couldn't achieve the same sorts of goals with other solutions, but Sharepoint does them, and does integrate with the rest of Microsoft's applications - which is rather the idea: you need Sharepoint if you use Office, and if you use Sharepoint you really should use IE, and if you use IE you may as well use IIS, and if you use IIS....

        1. Anonymous Coward
          Anonymous Coward

          Re: moving to a system that DOESN'T need it.

          In fairness, Sharepoint allows for versioning of the documents, and a slightly better access control model than a normal Windows share.

          At the cost of turning Files into Objects, and hiding the distinction. And requiring IE.

      2. AndrueC Silver badge
        Thumb Up

        Re: moving to a system that DOESN'T need it.

        Sure. Part of my salary comes from our SharePoint support :)

      3. P. Lee

        Re: moving to a system that DOESN'T need it.

        Has anyone tried using LibreOffice 4 with Sharepoint yet?

        I'd be interested to know the result.

        But yes, Sharepoint is a nasty piece of work - it encourages the use of MS word doc format with embedded visio and excel for the storage of useful information. Pre-2010 it habitually ate documents like a spy with a secret on a bit of paper.

        If you're going to do distributed web authoring with versioning, do a wiki. Don't faff around trying to make Office a web thing.

  3. Anonymous Coward
    Linux

    Microsoft Internet Explorer.....

    If it was toilet paper, I'd rather use my hand to wipe my arse with.

    1. Anonymous Coward
      Anonymous Coward

      Re: Microsoft Internet Explorer.....

      Because your hand is free like Open Source right?

  4. Anonymous Coward
    Anonymous Coward

    And Windows Mobile 6.x?

    I bet they ignore Windows Mobile 6.x devices as usual. It's like these things don't exist now that Microsoft has Windows Phone. The realistic end-of-life for WM6.x was as soon as OEMs released their first ROMs to production.

    1. Anonymous Coward
      Anonymous Coward

      Re: And Windows Mobile 6.x?

      I guess the browser in Windows Phone is unaffected by this Internet Explorer vulnerability.

      1. Anonymous Coward
        Anonymous Coward

        Re: And Windows Mobile 6.x?

        Probably it's unaffected - yes. No unsigned code will run on WP.

  5. Anonymous Coward
    Anonymous Coward

    Move along linux users

    Only a horrible road accident to see here.

    1. Silverburn
      Linux

      Re: Move along linux users

      But I just....can't...look...away....

    2. Fatman
      Stop

      Re: Move along linux users

      But, some of us actually enjoy watching those WindblowZE (l)users suffer when their chosen platform has another security hole revealed. I almost consider it sport.

      Case in point, a receptionist at one of my doctor's office did some web browsing with Internet ExploDer, and got nailed with a 'drive-by'. She may have been less likely to have been 'pwned' if she was using Firefox. For certain, she would NOT have been had if she was browsing the net with Linux.

      I have said this before, and it bears repeating, WindblowZE is like a billboard compared to Linux which is more like a STOP sign. If you are trying to hit a target, which one would be easier to hit, the bill board, or the stop sign.

      I rest my case. On the sole count of inadequately protecting its users from the nasties, Windows is GUILTY AS CHARGED!

  6. Refugee from Windows

    Note to Microsoft

    For Windows 9, make the browser (which won't be called Internet Explorer no doubt) an application and not parasitically linked to the operating system, like it should have been since the end of Windows 98 a few years ago. Give the users a real choice, that is if you opt to not have it, none of its elements remain even in the registry.

    Whereas open source browsers do have security issues, I would contend they are sorted out more efficiently, i.e. quicker. Just remember that IE is just a piece of free bundled software with support from its vendor related to what you paid for it.

    1. Silverburn
      Thumb Up

      Re: Note to Microsoft

      I should start off by saying I completely agree with you.

      However, MS have chosen to render some stuff as HTML/XML etc even for "non internet" stuff, so they've got the engine down in the OS as it is, even if you don't use IE as a browser. So while I advocate the complete and utter removal of IE as well, I can - almost - sympathise with MS for not removing it completely for technical reasons.

      However, given the MS programming base, the complete removal of the IE engine should not be a difficult task, FFS. After all, they built it in there didn't they, so in classic Haynes process "Removal is the reverse of installation" should be a simple procedure.

      "But that will leave you without any web browser!" some shills may scream...err, yes, that would generally be the idea. When your engine is full of holes, I want its complete and utter destruction when I remove it ta v. much.

      1. Ken Hagan Gold badge

        @Silverburn

        "MS have chosen to render some stuff as HTML/XML etc even for "non internet" stuff"

        That's just the tip of the iceberg. MSHTML has a published API and squillions of third party apps have depended upon it for at least a decade. Microsoft's own use of the library is probably less than 1% of that. MS simply don't have the option of removing it, any more than you could decide to remove the C runtime library from Linux and recode the kernel to use a replacement of your own design.

        That's not to let Microsoft off the hook though. Having decided to offer a standard HTML engine, they have to code it to deal with untrusted content in a secure fashion. At least 99% of HTML is from untrusted sources (web pages), so if the engine isn't utterly paranoid then it isn't fit for purpose.

        1. Tom 13

          Re: MSHTML has a published API

          Rewrite the API to call browser functions instead of specific code, then allow the API to point to whatever browser. If you can't reliably write that, you should never have made such a hash of things in the first place.

          1. John G Imrie

            Re: MSHTML has a published API

            Already been done here http://wiki.winehq.org/MsHtml.

            Admittedly not by Microsoft.

        2. Anonymous Coward
          Anonymous Coward

          Re: @Silverburn

          I'll show my ignorance, but I have to ask, what about MS Server? Didn't they remove a lot of superfluous stuff, including IE? If they did that for Server why can't they do it for Desktop?

    2. Tom 13

      Re: Note to Microsoft

      I'm guessing most of the coders at MS would agree. Unfortunately, the legal eagles won't agree. See, decades ago MS insisted in an anti-trust case that IE wasn't an App, it was a critical part of the OS. And the court bought that fraudulent argument and left them off the anti-trust hook. But now, if they EVER admit it IS an app... Well, let's just say there aren't many things that would bankrupt both MS and Bill Gates, but that's one of them that could.

      1. John Smith 19 Gold badge
        Happy

        Re: Note to Microsoft

        " Well, let's just say there aren't many things that would bankrupt both MS and Bill Gates, but that's one of them that could."

        One can hope.

  7. John Tserkezis

    Sorry, I had fallen asleep for a while...

    ...and I was awoken by the news that IE was insecure.

    Well, nothing's changed, so I'll go back to sleep.

  8. DJV Silver badge
    Meh

    57 patches?

    Wow, this must be the Heinz special soup edition!

  9. JDX Gold badge

    A question

    MS manage to patch the OS, IE, Office and other software using one mechanism, which is handy. Every other application I use on Windows seems to have its own update checking mechanism.. and the same appears to be true on OSX (unless you buy through appstore).

    How do you (generally speaking) get updates on Linux systems? Does your package manager do it, or do apps monitor themselves or is it all down to the administrator to keep on top of these things?

    This is assuming you get OS patches and updates in the same way as Windows/OSX, which seems pretty likely... even Linux has bugs!

    1. Lee Dowling Silver badge

      Re: A question

      I haven't yet met a distro of Linux that doesn't include a command that will automatically update EVERYTHING to the latest stable version. Even Slackware has slackpkg now (and that was THE FIRST Linux distro ever and is generally regarded as being only slightly behind Debian in terms of using up-to-date software). And when I say everything, I mean EVERYTHING from firefox to plugins to libraries to kernels to drivers. That's the beauty of aptitude and similar systems - it is literally that easy and if you want, they'll do it on a schedule for you. And it won't trash your OS or make it so you can't revert back easily (Windows Restore you say? Good luck doing that from unbootable computers like I've sometimes struggled to do, and even in the command-line environment of a rescue boot, you still aren't guaranteed to get back where you were).

      And I've not YET had a single stable Linux update that broke something I used, even when I have some horrendously complex configurations and interdependencies (I'm sure they did somewhere, but I've never seen one), but I've had Windows Updates disabled on many machines because they would just blue-screen X% of the computers at random and require a rebuild if you just let them apply everything they want.

      And, as you point out, Windows doesn't update Firefox and all the other programs and NOR DOES WINDOWS PROVIDE THAT FUNCTIONALITY. If the OS doesn't have a package management paradigm in it, then of course each app will end up bundling its own. But on Ubuntu, say, or Slackware, or Fedora, do you think that Flash installs its own cron job to check updates and bug you like mad if they are 0.0.1 versions out of date? No. Because it provides functionality to do that in a proper, centrally-configured way, and such junk wouldn't be allowed in.

      Linux updating, and aptitude especially, is one of the things that Linux gets SO right that it's really hard to argue against it. Hell, I logged onto a 4-year-old netbook today to install a program I'd written for demonstrating at an open day. The program needed SDL and about 10 other libraries installed in order to run and the netbook was running Karmic Koala (which is technically obsolete now). A couple of clicks in the package manager, it ran off and downloaded 100Mb of necessary dependencies and libraries, and then it all "just worked". Those machines were basically bare-metal and it just discovered and installed 100Mb of random software that was necessary, downloaded it (with appropriate permission), installed it all in the right places, and did so in about five minutes.

      Yet, on Windows, I still have games that take 20+ minutes to install .NET Framework, DirectX etc. libraries that ALREADY EXIST ON THAT MACHINE, in identical versions, but it just takes that long to check and find out, and usually involves downloading a pseudo-installer that downloads a real installer, that runs an MSI, that manually checks dependencies by trawling through filesystems, then downloads missing parts, and THEN starts all over again for the next bit of software. And, in the end, you still aren't guaranteed that you installed hotfix X needed to make it work properly (just had a piece of large, expensive Windows MIS software that needed a particular Windows hotfix installed, a particular version of NET Framework 1, and a particular version of NET Framework 2, etc. and at no point provided any hint that that was what was missing or where to get it from!).

      1. Anonymous Coward
        Anonymous Coward

        Re: A question

        @Lee Dowling - I've had two things broken by Linux updates (Centos/Fedora based linuxes)

        Arduino development environment was broken by an update to GCC, it took ages for the Arduino guys to persuade the GCC guys that the problem was with their update and they should fix it. It then took further ages for the fix to make it from unstables to stables to part of the OS. Happy, I was not.

        Pound proxy was killed by modifications to some libraries removing functionality that was required by Pound, I don't know if it's working again.

        1. CreosoteChris
          Megaphone

          Re: A question

          I just dipped my toes in the Linux water a few months ago (Mint 12 running as a Hyper-V VM)

          - Installed NoMachine NX free client to get the full-screen experience. Had to do some config file editing, but that's OK, it taught me some rudiments

          - Upgrade to Mint 14 broke it.

          - Trawled around for a fix and eventually got one (manually downgrade some component called Cairo)

          - Next maintenance update to Mint 14 broke it again.

          I kinda like Mint, impressed with the user-friendliness, installation ease, seems like a big step forward from a couple of years back. As for the update-breaks, maybe I was just really really unlucky.....

          ....but claims that Linux updates just work, and never break anything year on year strike me as "evangelist at work".

          1. Anonymous Coward
            Linux

            Linux updates just work?

            "....but claims that Linux updates just work, and never break anything year on year strike me as "evangelist at work"."

            Never assume that updates will ever work, always make a full system backup before upgrading, this applies to any OS.

            1. Anonymous Coward
              Anonymous Coward

              Re: Linux updates just work?

              @dgharmon - I totally agree, and I'd add - don't even bother doing in-place upgrades between versions of any OS, I've had Windows and Linux (Ubuntu) machines break when doing this. The good thing with a clean install is that you demonstrate you know how to migrate a service from one OS install to another, which is more than halfway towards a DR type recovery.

              I do quite like the MS VSS snaps which allow you to rollback driver installs and OS updates, should you require. (Other snapshots are available)

              1. Jamie Jones Silver badge
                Thumb Up

                Re: Linux updates just work?

                Using FreeBSD, I build everything from source. I can easily download the latest STABLE branch, compile the userland and the kernel at 'idle priority', and install them, whilst the machine is live. A simple reboot then reboots the machine into its new OS.

                Occasionally you might get some shared library version missing during the install phase, but from install to reboot only takes a few minutes anyway, so I generally get away with it.

                Remember when multi core processors were first introduced? All the PR spin went on about how you could look at a website whilst burning a cd (etc.)....

                Hello? On an OS with a *proper* scheduling system, this was possible already.

                As for updating third party ports, you usually use "port_upgrade" or similar that keeps track of all changes to over 11,000 third party software packages.

              2. eulampios

                Re: Linux updates just work?

                I do quite like the MS VSS snaps which allow you to rollback driver installs and OS updates, should you require.

                On Linux this is not necessary, you got one kernel. When a kernel gets updated, the old one is not discarded, so if it appears to be broken reboot to the latest stable kernel.

                1. Yet Another Anonymous coward Silver badge

                  Re: Linux updates just work?

                  Of course on VMS we didn't even need to reboot to update the OS

                  On a VaxCluster you could replace the entire machine without the users noticing

                  But that's a cute little unix toy you have there ....

                  now you kids get off my lawn.

                  1. eulampios

                    @Yet Another Anonymous coward Silver badge

                    You might have heard about ksplice, I suppose. Anyways,

                    But that's a cute little unix toy you have there ....

                    Sic:

                    The OpenVMS.org websites are for system administrators, developers, database administrators and technical managers, offering recent industry news, events, links, etc. related to HP's OpenVMS operating system running on the VAX, AlphaServer and Integrity platforms.

                    From the http header of http://openvms.org/

                    Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny4 with Suhosin-Patch

                  2. P. Lee
                    Trollface

                    Re: Linux updates just work?

                    and versioning in the file system...

                    I wonder if we could get linux running under a vm on vms?

                2. Anonymous Coward
                  Anonymous Coward

                  Re: Linux updates just work?

                  @eulampios - you don't know what vss and therefore, presumably, what filesystem snapshots are or what they do, do you?

                  1. eulampios

                    @AC

                    I don't use snapshotting, my anonymous friend, I don't need to. However, LVM (logical volume management) offers even more than that.

                    That is not what you need when you encounter a buggy driver. All of them are contained in the kernel or associated with it. So it's much more simple just to rollback to the latest stable kernel, I know this is not feasible for a proprietary system and a rocket science really.

                    1. Anonymous Coward
                      Anonymous Coward

                      Re: @AC

                      @Eulampios - So basically you don't do enterprise IT or any form of highly available IT, it's always good to know where other commentators stand in the industry.

                      I've worked in storage/backup for about 15 years, since snapshots have been available to any system I've worked on, they've been used, be those systems UNIX, Linux or Windows, be those snapshots hardware or software driven. If you'd looked up a little, you'd see that I had just posted a comment about updating a Linux box (mythbuntu) and that the MySQL server was unbound from the external IP address and re-bound to loopback. Not a particularly big problem for me to solve, but time consuming and annoying. However, if this machine had been running a production service, I would have used some sort of snapshot, probably hardware based as there isn't anything native. Reverting to the snapshot would have resolved the problem much more quickly.

                      Updates of software or to database schemas etc have a habit of going wrong, not all the time, but usually when you need them most, saying that you don't need snapshots because Linux doesn't go wrong, invites serious consequences when it inevitably does go wrong.

                      1. eulampios

                        @AC

                        You tell me how to upgrade databases. Snapshotting is possible on Linux as I said, through, for example, LVM. There is also an emerging fs -- btrfs. You can even go with zfs but not in the kernel. I do regular backups of most important things. Say, dumping databases.

                        As far as your MySQL update issue was concerned, you apply your Windows logic, mon ami, despite all your regalia. All you needed was config files. Just like in the discussed case, if you ever tell any Linux, *BSD admin that you use snapshots in case a driver update gets awry, he or she'll take it as a joke.

                        With databases, you do it with special tools (mine is PostgreSQL with pg_upgradecluster etc) or/and by dumping and restoring entire databases.

                    2. Anonymous Coward
                      Anonymous Coward

                      Re: @AC

                      So you have to roll back everything and reboot - which sucks rather a lot. Versus with a more modern hybrid microkernel architecture like Windows where you can just load a new driver on the fly....

                      1. eulampios

                        Re: @AC

                        So you have to roll back everything and reboot -

                        You just suggested I roll back your entire system to some previous snapshot with everything on the filesystem, now I hear some "hybrid kernel" fairy tales again. FYI, for modular architecture most of the drivers are loadable modules, that can be loaded and unloaded, as the term suggests. In that case you can always install a different driver against the headers of the current kernel if you wish so.

                        Tell me please, why does an awesome hybrid Windows kernel need a reboot when it installs a printer driver on Vista? (not sure about Win7/8) Why would it need a reboot with pretty much any MS update/patch?

                3. Anonymous Coward
                  Anonymous Coward

                  Re: Linux updates just work?

                  That's not exactly true though is it - you also have to have the right version of the kernel on the boot loader filesystem. And if something goes wrong, it's a lot of painful text editing and commands to go restore your old version.

                  Whereas on windows, you just select Last Known Good Configuration, or boot into System Restore mode and roll back to the last snapshot - a lot more user friendly and faster - with no having to look up commands how to fix it like on Linux - which can be a bit tricky with a machine that doesn't boot....
