Microsoft released a patch for Internet Explorer designed to close three critical holes in the browser, including one that paved the way for the Download.Ject Trojan horse.
Wow. It’s about time. I’ve learned to use Mozilla Firefox anyways.
Actually, I use Firefox too, but still the windows update service annoyed me with this new patch.
And as for people still using IE: we had a Mac with MacLink+, my father didn’t know any better until we got a PC, and now he doesn’t want to use anything but Internet Explorer and MS Office. He’d even rather use a pirated copy of a Microsoft product than a better working free alternative, or for that matter a legal, more recent version of the same application…
Mozilla, Firefox, Opera, KDE Konqueror, Gnome Epiphany. The first three of course run on Windows as well as Linux so there are good alternatives to using IE for Windows users.
If only people would realize that sometimes, some of us HAVE to use IE sometimes, especially for corporate intranets and such.
http://www.nd.edu/~jsmith30/xul/test/spoof.html worries me intensely
directhex
Simple: don’t use a computer or internet browser and you won’t be worried intensely any more, hehe.
I went to windows update but this patch isn’t there. Is anyone getting the same?
I am not going to patch it unless it is there.
What are the odds that this will not get fixed and that the FireFox team will deny that it can happen for months upon months if not years in order to secure its market share and boost its stockholders’ confidence in their product ??
— “What are the odds that this will not get fixed and that the FireFox team will deny that it can happen for months upon months if not years in order to secure its market share and boost its stockholders’ confidence in their product ??”
What? Boost market share? Stock holders? What stock???
Am I missing a joke here or something? You can’t be serious.
Let’s not forget they are getting their share of vulnerabilities. It’s still more secure than IE and sure gets tons less, but let’s not fool ourselves into thinking FireFox is foolproof. Why, just recently wasn’t there an update for some security problem that they put off fixing when they could have closed it earlier…
At least Firefox and Mozilla-like browsers are abstracted from the OS. IE is a critical component of Windows! It is built into the OS! In other words, a security flaw in IE6, for example, is a security flaw in Windows Server 2003!
IE6 is capable of grinding your Windows server to a halt. Wait, let me explain. A security update to IE6 more often than not means you have to reboot your Windows operating system for the changes to take effect. Ugh…there you go…security!
A question to Unix users (well, except OS X users). When was the last time you had to reboot your system because of a security update to your favorite web browser, or an update to any other application for that matter?
No, I am not trolling; these are hard cold facts.
IE6 is capable of grinding your Windows server to a halt. Wait, let me explain. A security update to IE6 more often than not means you have to reboot your Windows operating system for the changes to take effect. Ugh…there you go…security!
A question to Unix users (well, except OS X users). When was the last time you had to reboot your system because of a security update to your favorite web browser, or an update to any other application for that matter?
When was the last time you used a web browser on a server?
“At least Firefox and Mozilla-like browsers are abstracted from the OS. IE is a critical component of Windows! It is built into the OS! In other words, a security flaw in IE6, for example, is a security flaw in Windows Server 2003!”
Yes I agree with you for most of your paragraph and true a browser being separated from an OS should be a good thing. However, let’s think about this for a moment, if a browser is more closely tied to something else does that make it less secure? Case in point, it sounds like your argument makes Konqueror more insecure than Mozilla ;-). If you agree with me on that then I have nothing to say but if you try to make an excuse for Konqueror I’ll laugh (and yes I know Konqueror isn’t a component of the OS, but it still does the same damn thing almost XD).
Basically if something is tied to the OS (i.e. using IE for a file manager then it shouldn’t be less secure, i.e. look at konqueror)
Yea, I meant to post that as myself but I forgot I didn’t have the name saved in this browser… Don’t try to think I was posting anonymous on purpose…
When was the last time you used a web browser on a server?
The problem we’ve run into is that our sysadmins were outsourced to IBM. Consequently, they insist on updating every server, including IE patches, in order to be “compliant” or they can refuse to admin the server. Stupid? Yes. But, also reality.
If only people would realize that sometimes, some of us HAVE to use IE sometimes, especially for corporate intranets and such.
You might be able to fool some sites with a tool like User Agent Switcher that can trick those sites into thinking you’re using IE. However, some sites still refuse to function properly.
The problem we’ve run into is that our sysadmins were outsourced to IBM. Consequently, they insist on updating every server, including IE patches, in order to be “compliant” or they can refuse to admin the server. Stupid? Yes. But, also reality.
Yeah I understand but I believe most servers are administrated by their owners. In that case, IE6 updates can wait until other critical fixes come out because you should not use a browser on a server.
Yes, that worries me very much as well.
“Basically if something is tied to the OS (i.e. using IE for a file manager then it shouldn’t be less secure, i.e. look at konqueror)”
There is a different konqueror just look like all in one, where in fact everything you do in konqueror is done by a different application.
“Yes you are. He was being ironic.”
Not to be a jerk, but he was actually being sarcastic.
There is a different konqueror just look like all in one, where in fact everything you do in konqueror is done by a different application.
Aren’t those addons loaded in the same memory space?
Firefox is equally vulnerable and you see as the firefox gets popular, you see more vulnerabilities coming forward. The latest spoofing problem is almost like 4 years old and the mozilla team marked the bug confidential and never fixed it.
It’s one of the scary bugs, because I always trust a website by clicking the security key icon on the status bar and trust that, well it seems with “firefox” now I can’t even trust that.
Back to IE…unless someone tells me IE is equally vulnerable or firefox is fixed.
Do you by chance have the Service Pack 2 Release Candidate 2 installed?
“(…) because you should not use a browser on a server.”
Isn’t there something wrong with Windows then? I mean, does it seem reasonable to you that an unprivileged local user can crash the machine with IE? And isn’t there something called “terminal services” or something like that, with which users can log in remotely (and use IE)?
IMHO a good server OS should be bullet-proof. No single user should, by default, be able to disturb other users.
>It’s one of the scary bugs, because I always trust a website by
>clicking the security key icon on the status bar and trust
>that, well it seems with “firefox” now I can’t even trust
> that.
>Back to IE…unless someone tells me IE is equally vulnerable
> or firefox is fixed.
Please do not be so stupid, it’s just mimicking https and ssl; you can always look at the URL, if it does not say https and the ssl certificate is not all right you MUST not trust it.
It’s not the same as in IE where webpages can ACTUALLY install programs/trojans/viruses etc. on your PC.
Go read the bug in firefox database. They can get full control of the window and they can spoof anything and fake anything in the whole window.
Damn you zealots.
And next time, please learn to behave and talk nicely or else don’t reply to my posts.
Thanks
-Wolf
When was the last time you used a web browser on a server?
What does that have to do with the flaws in question? Except IE6 isn’t part of Windows Server 2003, whether or not I use a web browser on a server is irrelevant.
If there is a security hole that people can exploit in IE6, then consequently, there is a security hole in all Windows operating systems using IE6. Whether or not you use IE6 doesn’t change the fact that you have to plug the security hole in a component so ingrained into the OS.
Konqueror and Mozilla aren’t a critical component of Linux. They are several layers above the kernel and the OS. They are abstracted. IE6 is deeply rooted into the OS. Last I heard you could make all sorts of privileged system calls in Windows via IE6, Outlook, Active X and VB.
No I have a fresh install of the OS from IBM recovery CDs for my thinkpad.
The problem we’ve run into is that our sysadmins were outsourced to IBM. Consequently, they insist on updating every server, including IE patches, in order to be “compliant” or they can refuse to admin the server. Stupid? Yes. But, also reality.
You should be lucky you don’t have Red Hat Linux servers instead.
With sysadmins applying all Red Hat patches they would not have time to do anything else. Red Hat posts an impressive list of patches every month, and for this year, almost once a month, they also post “kernel security patches.” Kernel patches require server reboot, right?
So, if someone claims he/she has 6 months of Red Hat Linux uptime, it means 5-6 batches of critical Linux kernel patches were not applied.
“IE6 is capable of grinding your Windows server to a halt. Wait, let me explain. A security update to IE6 more often than not means you have to reboot your Windows operating system for the changes to take effect. Ugh…there you go…security!”
It’s not normally the monumental problem to reboot a server that many make it out to be. Nearly all networks have periods of inactivity, regardless of size or mission.
On larger networks there are far more than one server handling the traffic. With that in mind a two minute reboot is a non-issue. On most small networks it can easily be scheduled into non-critical hours; here again a non-issue.
This “reboot thing” sure gets a lot of press time considering how minor the annoyance of the reboot itself is.
I’m not saying it’s a great thing to restart your server because of a patch, it’s not. To MS’s credit they are getting a lot less demanding about system restarts than they were in the NT days.
With Red Hat the patches greatly depend on the parts of the distro that are installed. Meaning Red Hat released a patch for the purple-monkey-dishwasher 7.1c-25 but if you do not have it installed the patch is not needed. A lot of companies take their DB server offline overnight to do month end processing and install the patch at that time. From the end user and customer point of view they do not know the system went down unless something went wrong.
Companies I have worked for normally do this.
DB server(s) – Down for 1 – 4 hours/Up but with reduced or slower function for the duration of the month end. In both cases sometimes a 5 or 10 min reboot needed.
Application server(s) – Down from midnight to six am or slower response from the servers for the duration of the month end. In both cases sometimes a 5 or 10 min reboot needed.
Web server(s) – Stays up. Only when an update is needed a backup service is started on another server.
Email server(s) – Stays up. Very rarely needs updating once implemented correctly. With windwows the email servers can be brought to their knees very quickly
Red Hat and SUSE killed this problem with our users not having to be told over and over not to be so mindless.
As you see this does not affect the staff at the companies as they are not at work at the time or the customer.
With Windows XP/2003 parts of IE get loaded with the system.
So you may be using Mozilla but are still hit by some odd bug in IE. It still makes me wonder why the offending *.dll cannot be killed then reloaded if it is an IE patch. Even Explorer sometimes dies and reloads itself.
Apologies for my incorrect spelling of Windows, this was not intentional.
Isn’t there something wrong with Windows then? I mean, does it seem reasonable to you that an unprivileged local user can crash the machine with IE? And isn’t there something called “terminal services” or something like that, with which users can log in remotely (and use IE)?
An unprivileged user should not log directly on the server as he should not have physical access to it.
Of course, fixing IE6 is a priority when you are running Terminal Services, Citrix or any software like that. Then again, only a handful of enterprises are running TS…
By server, I mean file servers, print servers, web servers, mail servers, domain controllers… Servers where users are accessing services, not application servers that users can mess with. Sorry if that wasn’t clear enough.
IMHO a good server OS should be bullet-proof. No single user should, by default, be able to disturb other users.
Agree but shit can and will happen on any server. It just seems to happen more often on some configurations…
What does that have to do with the flaws in question? Except IE6 isn’t part of Windows Server 2003, whether or not I use a web browser on a server is irrelevant.
Then why do you bitch that an IE6 flaw “is capable of grinding your Windows server to a halt”?
If there is a security hole that people can exploit in IE6, then consequently, there is a security hole in all Windows operating systems using IE6. Whether or not you use IE6 doesn’t change the fact that you have to plug the security hole in a component so ingrained into the OS.
My point is that patching IE6 should be the least of your worries if you have properly secured your Windows server. You should definitely patch these holes but you can wait until a critical fix that is directly affecting your server is available.
Anyway, what’s the fuss with high uptimes? Even my Linux servers at home don’t have a high uptime because I patch them as soon as possible. I provide SSH access and kernel patches are obviously requiring a reboot.
>Go read the bug in firefox database. They can get full
>control of the window and they can spoof anything and fake
>anything in the whole window.
It’s been up there for more than 2 years, I know the bug.
It’s not possible to fake https and fake ssl.
True, it’s somewhat vague and could be dangerous, but then again what could they actually do that is dangerous for the OS or its user?
>And next time, please learn to behave and talk nicely or
>else don’t reply to my posts.
You are right, I apologize…
“>Go read the bug in firefox database. They can get full
>control of the window and they can spoof anything and fake
>anything in the whole window. ”
That’s incorrect. Look at your options. You can disable almost all control Javascript has, and limit it basically to CSS checking (all it’s good for IMO anyway). This is a social engineering method, not a hack. If this is a hack, e-mail is a giant vulnerability.
Actually, the trend is moving towards micro-rebooting, which means you only reboot the affected piece and not the entire system.
I have found FreeBSD very comfortable in this aspect, because if I need to change workgroup settings in SAMBA, for example, I don’t need to reboot (I’ve always wondered what is so tied to SMB in windows that changing workgroup settings or machine names requires a reboot). In fact I rarely need to reboot this computer because of an enhancement, mostly because nearly every piece is independent of the other (and that doesn’t mean all pieces are unrelated, in fact most pieces must work together).
And waiting for windows to reboot is really boring…