Patch Tuesday: And EVERY version of IE needs fixing AGAIN

June's Black Tuesday patch update from Microsoft has rolled into town with five bulletins, including a solitary critical update that tackles flaws in all supported versions of Internet Explorer. The IE update (MS13-047) grapples with 19 vulnerabilities and covers all versions of IE, from IE6 to IE10, on all supported versions …

COMMENTS

This topic is closed for new posts.
  1. hplasm

    IE patches

    Plus ça change...

  2. The BigYin

    So...

    ....what would you prefer? MS to not patch bugs?

    And this isn't an MS-specific issue, look at all the Java patches of late.

    My GNU/Linux system gets updates every other day - although the repository system (when folks bother to package their wares correctly) makes this process much easier when compared to the random, slap-dash, every application needs its own update mechanism, approach on Windows or OS X.

    This reminds me, must really look into Puppet/Chef/Salt/Something to keep all the systems up to date in a oner.

    1. gerryg

      Re: So...

      Yesh, so does mine, but if you're going to throw that one out, how many of them are security patches? And how many of those are serious and not just Free Software Paranoia (long may it live)

      When, e.g., was the last time KDE had a security advisory? Or its browser Konqueror? (or Rekonq). It issues monthly updates, not the same as security issues. I can't remember the last time openSUSE issued a "FFS update this"

      1. MatthewSt

        Re: So...

        Well Suse itself posted this security vulnerability in May - https://www.suse.com/support/update/announcement/2013/suse-su-20130819-1.html

        They just don't get publicised as much. I think it's safe to say that every system has vulnerabilities in it and it's going to be a never ending battle to fix them!

      2. This post has been deleted by its author

      3. Anonymous Coward

        Re: So...

        I don't know when KDE last had a vulnerability (I'm a gnome user), but they did nearly lose all their source code a couple of months ago, because they thought that replication was backup! The only thing that saved them was having taken a node offline the previous day. ie: Luck saved them.

        It's all about where you look for your problems - sure the code may be secure, but if its custody is so badly handled that a corrupting replication node can destroy the entire codebase, that's still as insecure as you can get.

        People have to look in the right place for the problems that they should be seeing, not the ones they want to see, or think they may see.

      4. Anonymous Coward

        Re: So...

        ".....And how many of those are serious and not just Free Software Paranoia (long may it live)"

        1 second of searching. 1st Hit

        05 June 2013, 10:41

        http://www.h-online.com/open/news/item/Security-update-for-Chrome-27-1882885.html

        Please note the platforms affected.

        You see, if you lump in Browser + OS = Fail, then we must do the same for other browsers on other platforms.

        Personally I don't give a shit about the platform or the browser ( I run several), but I do give a shit about unpatched software.

        1. eulampios

          @AC, I beg to differ

          1 second of searching. 1st Hit

          how many seconds do you need to search to see a tasty remote code execution being already exploited in the wild? Hint: closed source.

          BTW, did you notice this: ...eight high and medium severity holes saw nearly $10,000 being paid out. Is MS willing to pay for every or most discovered vulnerability? I don't think so.

          1. Anonymous Coward

            Re: @AC, I beg to differ

            Or to put it another way: Google pay other people to find their bugs for them, because they can't be arsed.

            Yes, I know it's not that simple, but there is more than one way to look at this: Google staff may well leave security to a back seat because they're outsourcing their own bug fixing.

            1. eulampios

              Re: @AC, I beg to differ

              Google pay other people to find their bugs for them...

              Google pay other people if they find their bugs. #now fixed

              I don't know why you choose to look at this fact from this strange angle. Most vulnerabilities found in MS products are found by non-MS people, more so when those are being exploited in the wild (compare this to when exploits are being published).

              In my view, the we-don't-owe-anything-to-anyone attitude is an atavistic, very peculiar MS feature. Another possible explanation is the fear of going bankrupt.

    2. Anonymous Coward

      Re: So...

      Eadon's not posted yet?

      EADON FAIL

      1. Spoonsinger

        Re: So...

        Sorry, I did read that in the voice of Mongo from Blazing Saddles and thought it might be a quote :-

        "Eadon's not posted yet,

        EADON FAIL,

        Eadon Sad".

    3. hplasm

      Re: So...

      ....what would you prefer? MS to not patch bugs?

      Not at all - just wondering how the older versions in particular managed to work in the first place, as they must have been about 10% good code and 90% bugs.

      Just another regular occurrence, like Halley's comet coming around, although that may stop one day.

    4. Shagbag

      Re: So...

      I can't remember any time my OpenBSD server needed a security patch.

      1. Anonymous Coward

        Ahhhh...@ Shagbag...better get busy...or look for a new job...

        ...'cause there are a shit-load of SECURITY PATCHES waiting for your OpenBSD server.

        http://openbsd.org/security.html

  3. John Smith 19 Gold badge

    I thought some of those versions were *complete* re-writes from the ground up.

    So either a) A faulty software design was re-implemented and perpetuated the vulnerability.

    b) Some coder did a copy and paste job on development.

    But b could never happen. Do we not have the word of the Turkey Dancer himself on the matter?

    1. Anonymous Coward

      Re: I thought some of those versions were *complete* re-writes from the ground up.

      Complete re-write doesn't imply they won't re-use existing interfaces for communication between components or externally - so they can become susceptible in the same manner.

      Take for instance the way software communicates with the certificate store - it may differ between versions but the base interaction is the same - and therefore potentially open to the same attacks across versions.

    2. Anonymous Coward

      Re: I thought some of those versions were *complete* re-writes from the ground up.

      As someone who specifies software for a living, I'm getting pretty tired of saying this, but:

      If you specify a code module or interface to do X, Y and Z, then hand the spec to a codemonkey, the chances are that any codemonkey will implement that code in a different way, but it will do the same job. If it turns out that Z is incorrect and causes a problem because, for instance, it's a datastream that you didn't specify should be encrypted, the problem resides in your spec and no amount of re-coding from the ground up will fix it.

      It's therefore entirely likely that they have re-coded from the ground up and retained problems which are in the spec rather than the code.

      1. Tom 13

        @AC 12-Jun-2013 12:05 GMT

        Good point. I'll make that D) and rerank their order as B, D, A, C.

    3. Tom 13

      Re: I thought some of those versions were *complete* re-writes from the ground up.

      You forgot C), which is actually even more troublesome than A) and B), although in order of probability from high to low it is probably B, A, C:

      The rewrite introduced a whole new set of vulnerabilities.

  4. Buzzword

    Reboot required

    These patches wouldn't be half as annoying if Windows could update files that are currently in use. Mac OS X achieves this, most of the time. Having to close my dozens of applications with their carefully-positioned windows is a significant pain point.

    1. Lallabalalla

      Re: Reboot required

      And now OSX re-opens and repositions all your open windows for you when you restart, which is nice.

      At least I don't seem to have to re-install Windows itself on a regular basis any more - which is why I stopped bothering to "personalize my windows experience" (sic) so long ago; re-instating all those icons, backgrounds, cursors, alerts, favourites etc. just became TOO tedious.

      1. PC Paul

        Re: Reboot required

        I'm sure I remember my Solaris and HP Unix machines reopening my windows when I restarted back in the 1990s. When did they all stop doing it? Was it just because Windows didn't do it, so everyone else stopped bothering?

        Or has my failing memory failed again?

        1. Jamie Jones Silver badge

          Re: Reboot required

          "I'm sure I remember my Solaris and HP Unix machines reopening my windows when I restarted back in the 1990s"

          I'm pretty sure my SunOS box did that too..

    2. Jamie Jones Silver badge

      Re: Reboot required

      "Windows can't update important files and services while the system is using them. Save any open files, and then restart the computer"

      Shouldn't that be "whilst" not "while"

      Ahhhhh windows patch reboots - just as well they don't market windows as a server... Wait a minute!

    3. Anonymous Coward 15

      Re: Reboot required

      net stop wuauserv

  5. LinkOfHyrule

    NSA Backdoors need updating

    PRISM 2.0 bitches!

  6. Vince

    Of course Chrome regularly gets patches - but silently so the majority of people have no idea it is getting updates... but let's bash IE because they're more public and structured.

    Where's Eadon to stick the irrelevant boot in?!?

    1. Anonymous Coward

      Chrome patches don't need a reboot...

      1. Anonymous Coward

        no, they just require an application restart

        But since they happen in the background and don't take effect until you restart Chrome.

        1. asdf

          Re: no, they just require an application restart

          Yes because Chrome is engineered how any sane person would do a web browser as userland with a clean separation between the OS networking code. (Chrome is actually engineered very slick with the sandboxes and such) IE is getting that way these days I believe, but in the early IE days the marketing droids at MS thought it would be a great idea to embed browser code deep in the OS itself. Some of the IE fixes therefore result in OS files changing and thus a reboot.

  7. Neil Charles

    Surely the important question is...

    After it's been patched, will it still have the lowest power consumption?

    And how many otters/polar bears/giant redwoods will be burned in the patching process?

  8. Anonymous Coward

    It's just criminal...

    ...that Gates and Microsucks aren't held accountable for selling totally insecure and defective products.

  9. goldcd

    Or to spin it positively

    Isn't it great to see that the original IE was so extendable, they've managed to maintain it as the single code-base for all future revisions.

    More seriously, I always query patches that just apply to single versions where the feature was there in both prior and later versions. If you knew you had to re-write something for the next release, then you probably were aware of the flaws in the prior version.
