HTML Forum

    
Microsoft Prepares "Out of Band" Patch for Internet Explorer
encyclo




msg:4063813
 8:47 pm on Jan 19, 2010 (gmt 0)

The Microsoft Security Response Center - Security Advisory 979352 Going out of Band [blogs.technet.com]

We wanted to provide a quick update on the threat landscape and announce that we will release a security update out-of-band to help protect customers from this vulnerability. (...) Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability.

 

tedster




msg:4064010
 4:10 am on Jan 20, 2010 (gmt 0)

That's what I expected five days ago [webmasterworld.com]. At least they are now getting the picture, even if it is after being publicly slapped by both Germany and France.

OK, Redmond, you've now accepted your action point. So where's the patch?

encyclo




msg:4064187
 1:20 pm on Jan 20, 2010 (gmt 0)

For Microsoft, the "escalating threat environment" mentioned in my first quote is the threat to their image, not the actual hole in their browser. :) I assume they don't actually have a patch currently, so they're simply making noise and promises in an attempt to reassure.

johnnie




msg:4064230
 2:35 pm on Jan 20, 2010 (gmt 0)

This question may sound stupid, but could anybody clarify what "out of band" really means in this context? My English is good, but apparently I missed that one ;)

encyclo




msg:4064250
 2:55 pm on Jan 20, 2010 (gmt 0)

"Out of band" is Microsoft-speak for releasing a patch on a day other than the monthly "Patch Tuesday" - MS usually releases all patches on a strict schedule so that system administrators can plan ahead. Out of band is the exception.

weeks




msg:4064294
 3:41 pm on Jan 20, 2010 (gmt 0)

Our friends at SANS have a touch more. Not good news:
In the meantime, we are hearing that the folks at VUPEN have found a way to bypass DEP as long as javascript is enabled (no, this doesn't appear to be the .NET ones from last year) which would make even IE8 vulnerable, we don't have the details at present, but if true this is a major development. This is a concern since Microsoft's advice is for those using IE6 and IE7 to move to IE8 where DEP is on by default. In any event, we continue to monitor the situation.

[isc.sans.org...]


bwnbwn




msg:4064510
 8:26 pm on Jan 20, 2010 (gmt 0)

If you restart your machine, the download is available if you're set up for automatic updates; mine has updated with the new patch.

Hugene




msg:4064542
 9:16 pm on Jan 20, 2010 (gmt 0)

confusion about what customers can do to protect themselves

PR machine: there is no confusion whatsoever, customers should just drop IE/Windows.

weeks




msg:4064567
 10:06 pm on Jan 20, 2010 (gmt 0)

PR machine: there is no confusion whatsoever, customers should just drop IE/Windows.

Amen. But we need to realize how difficult dropping IE would be for so many large firms' intranets. A lot of these jack-leg systems were built assuming IE was IT. Then folks (everyone from clerks to VPs) go home and want to see the same browser they use at their jobs.

It's one of the few cases in the internet biz where major, sustainable benefits did actually fall to the early mover.

encyclo




msg:4064679
 2:05 am on Jan 21, 2010 (gmt 0)

Microsoft Security Bulletin Advance Notification for January 2010 [microsoft.com]

This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on January 21, 2010. The bulletin will be for Internet Explorer to address limited attacks against customers of Internet Explorer 6, as well as fixes for vulnerabilities rated Critical that are not currently under active attack.

This patch should start rolling out via the usual update mechanisms from 10am PST on January 21st. The update will require a restart.

My biggest concern? This patch has certainly been rushed. Has it been tested properly?

Robert Charlton




msg:4065920
 8:21 pm on Jan 22, 2010 (gmt 0)

My biggest concern? This patch has certainly been rushed. Has it been tested properly?

That's come to be my concern with any software I install on my machine... more so with a patch having this particular history.

Any early adopters with feedback on this patch before I install it? ;)

KenB




msg:4065959
 9:53 pm on Jan 22, 2010 (gmt 0)

My computer running IE6 got hit by this patch today. I installed the update and nothing blew up, but then again we use Firefox so this update was more of a covering bases thing. My machine with IE7 has not been offered an update yet.

encyclo




msg:4066080
 1:56 am on Jan 23, 2010 (gmt 0)

This patch has certainly been rushed.

OK, I'll take it all back, because MS knew of Aurora exploit four months before Google attacks [theregister.co.uk]:

Microsoft first knew of the bug used in the infamous Operation Aurora IE exploits as long ago as August, four months before the vulnerability was used in exploits against Google and other hi-tech firms in December, it has emerged. (...) BugSec's bulletin states that it reported the bug to the software giant on 26 August.

So MS has had months to prepare their patch. Of course, this means that "my biggest concern" is not the patch quality, but the five months that MS sat on their hands before being forced into releasing a solution, only due to the pressure of bad publicity.

Google-haters might suggest that Google's timing also served to discredit IE security compared to Chrome. I mean, Google probably knew the patch was ready and expected in February, so why not hurt MS by jumping the gun on an IE zero-day? I'll let others flesh out the conspiracy theory ;)

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.