Microsoft Prepares "Out of Band" Patch for Internet Explorer

8:47 pm on Jan 19, 2010 (gmt 0)

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member



The Microsoft Security Response Center - Security Advisory 979352 Going out of Band [blogs.technet.com]

We wanted to provide a quick update on the threat landscape and announce that we will release a security update out-of-band to help protect customers from this vulnerability. (...) Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability.

4:10 am on Jan 20, 2010 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



That's what I expected five days ago [webmasterworld.com]. At least they are now getting the picture, even if it is after being publicly slapped by both Germany and France.

OK, Redmond, you've now accepted your action point. So where's the patch?

1:20 pm on Jan 20, 2010 (gmt 0)

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member



For Microsoft, the "escalating threat environment" mentioned in my first quote is the threat to their image, not the actual hole in their browser. :) I assume they don't actually have a patch currently, so they're simply making noise and promises in an attempt to reassure.

2:35 pm on Jan 20, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This question may sound stupid, but could anybody clarify what "out of band" really means in this context? My English is good, but apparently I missed that one ;)

2:55 pm on Jan 20, 2010 (gmt 0)

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member



"Out of band" is Microsoft-speak for releasing a patch on a day other than the monthly "Patch Tuesday" - MS usually releases all patches on a strict schedule so that system administrators can plan ahead. Out of band is the exception.
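
Since the schedule is what makes a release "out of band", the check is mechanical: Patch Tuesday is the second Tuesday of the month, and any security release on another day is out-of-band. The Python below is an added example, not code from the thread or from Microsoft; it computes the regular release day for a given month and flags dates that fall outside it, which is the kind of test a patch-management pipeline can use to route unscheduled updates to expedited change review. The sample dates are constructed from the ones mentioned in this thread.

```python
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Return the regular Microsoft release day for a month: its second Tuesday."""
    first = date(year, month, 1)
    # weekday(): Monday=0 ... Tuesday=1; distance from the 1st to the first Tuesday.
    offset = (1 - first.weekday()) % 7
    first_tuesday = first + timedelta(days=offset)
    return first_tuesday + timedelta(days=7)


def is_out_of_band(release: date) -> bool:
    """True when a release date is not that month's Patch Tuesday."""
    return release != patch_tuesday(release.year, release.month)


def classify(releases):
    """Map each release date (ISO string) to 'Patch Tuesday' or 'out-of-band'."""
    return {
        d.isoformat(): ("out-of-band" if is_out_of_band(d) else "Patch Tuesday")
        for d in releases
    }


if __name__ == "__main__":
    # Constructed sample: the regular January 2010 release day and the
    # January 21, 2010 Internet Explorer release discussed in this thread.
    for day, kind in classify([date(2010, 1, 12), date(2010, 1, 21)]).items():
        print(day, kind)
```

Anything the function labels out-of-band is worth a second look before deployment, precisely because it did not go through the usual monthly planning window.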
3:41 pm on Jan 20, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Our friends at SANS have a touch more. Not good news:
In the meantime, we are hearing that the folks at VUPEN have found a way to bypass DEP as long as javascript is enabled (no, this doesn't appear to be the .NET ones from last year) which would make even IE8 vulnerable, we don't have the details at present, but if true this is a major development. This is a concern since Microsoft's advice is for those using IE6 and IE7 to move to IE8 where DEP is on by default. In any event, we continue to monitor the situation.

[isc.sans.org...]

8:26 pm on Jan 20, 2010 (gmt 0)

WebmasterWorld Senior Member bwnbwn is a WebmasterWorld Top Contributor of All Time 5+ Year Member



If you restart your machine, the download is available if you're set up for automatic updates. Mine has updated with the new patch.

9:16 pm on Jan 20, 2010 (gmt 0)

10+ Year Member



confusion about what customers can do to protect themselves

PR machine: there is no confusion whatsoever, customers should just drop IE/Windows.

10:06 pm on Jan 20, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



PR machine: there is no confusion whatsoever, customers should just drop IE/Windows.

Amen. But we need to realize how difficult dropping IE would be for so many large firms' intranets. A lot of these jack-leg systems were built assuming IE was IT. Then folks (everyone from clerks to VPs) go home and want to see the same browser they use at their jobs.

It's one of the few cases in the internet biz where major, sustainable benefits did actually fall to the early mover.

2:05 am on Jan 21, 2010 (gmt 0)

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Microsoft Security Bulletin Advance Notification for January 2010 [microsoft.com]

This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on January 21, 2010. The bulletin will be for Internet Explorer to address limited attacks against customers of Internet Explorer 6, as well as fixes for vulnerabilities rated Critical that are not currently under active attack.

This patch should start rolling out via the usual update mechanisms from 10am PST on January 21st. The update will require a restart.

My biggest concern? This patch has certainly been rushed. Has it been tested properly?

8:21 pm on Jan 22, 2010 (gmt 0)

WebmasterWorld Administrator robert_charlton is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



My biggest concern? This patch has certainly been rushed. Has it been tested properly?

That's come to be my concern with any software I install on my machine... more so with a patch having this particular history.

Any early adopters with feedback on this patch before I install it? ;)

9:53 pm on Jan 22, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



My computer running IE6 got hit by this patch today. I installed the update and nothing blew up, but then again we use Firefox so this update was more of a covering bases thing. My machine with IE7 has not been offered an update yet.

1:56 am on Jan 23, 2010 (gmt 0)

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member



This patch has certainly been rushed.

OK, I'll take it all back, because MS knew of Aurora exploit four months before Google attacks [theregister.co.uk]:

Microsoft first knew of the bug used in the infamous Operation Aurora IE exploits as long ago as August, four months before the vulnerability was used in exploits against Google and other hi-tech firms in December, it has emerged. (...) BugSec's bulletin states that it reported the bug to the software giant on 26 August.

So MS has had months to prepare their patch. Of course, this means that "my biggest concern" is not the patch quality, but the five months that MS sat on their hands before being forced into releasing a solution, only due to the pressure of bad publicity.

Google-haters might suggest that Google's timing also served to discredit IE security compared to Chrome. I mean, Google probably knew the patch was ready and expected in February, so why not hurt MS by jumping the gun on an IE zero-day? I'll let others flesh out the conspiracy theory ;)