Microsoft Recalls Botched Browser Security Patch
Security Focus ^
| Feb 11 2002 12:15AM PT
| Brian McWilliams
Posted on 02/11/2002 7:36:04 AM PST by Dominic Harr
Package was to fix 'all known security flaws in Internet Explorer.'
By Brian McWilliams, Newsbytes
A collection of long-awaited security patches designed to plug several critical holes in Internet Explorer was yanked from Microsoft's site Thursday after the company found problems with the fix.
Approximately two hours after the cumulative patch for IE was loaded to the company's Windows Update site Thursday, Microsoft "discovered an error and halted the distribution process in order to conduct further testing," according to a Microsoft representative.
The company did not say how many people downloaded the patch, which was designated a "critical update."
The error resulted from the software "package" used to bundle the patch code for distribution. The files within the package were fine, and users who installed the fix do not need to take any action, the spokesperson said.
Microsoft's Windows Update site early Thursday carried an announcement of the cumulative patch, which was said to correct "all known security flaws in Internet Explorer."
The vulnerability database maintained by SecurityFocus currently lists at least nine security flaws in IE that have not been resolved by Microsoft.
Tests of the patch downloaded by Newsbytes Thursday showed that the fix failed to plug several known IE security issues.
The patch, which was assigned Update Version Q316059, appeared to correct a serious flaw publicized Jan. 1 by security consultant Georgi Guninski and referred to as the GetObject file disclosure vulnerability.
Unpatched, the GetObject flaw could be used by a malicious Web site administrator to view any known file on a target system. It may also lead to the execution of arbitrary code, said Guninski, who classified it as high risk.
The known bugs not fixed by the botched patch include two discovered by a security researcher who uses the nickname ThePull. Those bugs could allow a malicious site to steal a victim's browser cookies and launch programs on the victim's computer, he said.
A demonstration of how the IE cookie-stealing flaw could be used to hijack a person's MSN Messenger chat account was posted Friday on the Bugtraq security mailing list.
Microsoft said it will conduct further testing and release the final cumulative patch and accompanying security bulletin "shortly."
Security experts have expressed frustration with the slow pace at which Microsoft has responded to the latest reports of IE flaws.
"If there's a security bug, they need to fix it right away - unless their goal is to look like they're not releasing a lot of patches," said Marc Maiffret, chief hacking officer for Eeye Digital Security, a Windows security software firm.
For its part, Microsoft has criticized the way that some security researchers handled the discovery of the IE flaws.
When ThePull published an advisory and demonstrations of the bugs on Jan. 7, Microsoft refused to comment on the report, except to complain that its publication may put Microsoft customers at risk and cause "needless" confusion and apprehension.
"Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk," said the company in a statement last month.
But David Ahmad, editor of SecurityFocus' Bugtraq mailing list, said Microsoft's unwillingness to acknowledge and openly discuss the flaws was disturbing.
"They're going a step beyond not crediting the discoverers of flaws. Now they're pretending that the vulnerabilities and the researchers who found them don't exist at all," said Ahmad.
The company's recall of the IE security patch follows the announcement by Chairman Bill Gates last month of a new corporate strategy, dubbed "Trustworthy Computing." Microsoft has resolved to treat security as a top priority, even ahead of developing new product features, Gates said.
A list of some of the pending security holes in IE is at http://jscript.dk/unpatched/.
Microsoft's security home page is at http://www.microsoft.com/security/.
Reported by Newsbytes, http://www.newsbytes.com.
TOPICS: News/Current Events
KEYWORDS: computersecurityin; microsoft; techindex
The vulnerability database maintained by SecurityFocus currently lists at least nine security flaws in IE that have not been resolved by Microsoft. Security experts have expressed frustration with the slow pace at which Microsoft has responded to the latest reports of IE flaws.
"They're going a step beyond not crediting the discoverers of flaws. Now they're pretending that the vulnerabilities and the researchers who found them don't exist at all," said Ahmad.
The company's recall of the IE security patch follows the announcement by Chairman Bill Gates last month of a new corporate strategy, dubbed "Trustworthy Computing." Microsoft has resolved to treat security as a top priority, even ahead of developing new product features, Gates said.
I suggest we don't jump on MS about this.
I'd just like to ask that y'all don't come down on MS too hard. They've just begun trying to fix this kind of problem. Clearly they have a long way to go, but I'm hopeful this kind of nonsense is going to be stopped by Mr. Gates.
This is news because of MS's big 'Trustworthy Computing' PR initiative.
This suggests that behind the PR, very little has changed in the company's approach.
But it's still early. Mr. Gates has just begun to impress upon his people to stop this kind of nonsense. As we see here on FR, the rank and file MS folks don't seem to agree yet with Mr. Gates and the rest of us about MS's security problems.
To: tech_index
All your security flaws are belong to us.
To: Dominic Harr
Weird, I hadn't even heard about the cumulative patch yet.
Hopefully they will get the installation problems fixed and ready to go soon.
To: oc-flyfish
Weird, I hadn't even heard about the cumulative patch yet.
I had heard they were working on it, but missed that it was to be released last week.
People have been complaining for a while that the patch didn't address all the known holes.
Mr. Gates needs to crack down on these fools. They did most of this work pre-'Trustworthy Computing' memo, so maybe they just didn't get the hint?
To: Dominic Harr
Well, in my opinion, if they keep to this policy of security by obscurity, by trying to keep security flaws under wraps, they will lose even more credibility than they already have.
So far, it looks like that's part of their plan. If there's a hole, they'll cover it up, in the hopes that it will not become public knowledge.
5 posted on 02/11/2002 7:49:19 AM PST by B Knotts
To: Dominic Harr
Coincidentally I just did a full Windows 2000 reinstall over the weekend, missing the botched patch by two days.
I'm more and more tempted to check out WineX for my Windows application needs and just dump Win2K altogether for Linux.
6 posted on 02/11/2002 7:52:16 AM PST by Dimensio
To: bwteim; Sabertooth
Check this out.
To: Dimensio
I've done some WineX experimentation recently, and it's a mixed bag. WineX, for those who don't know, is Transgaming's (supposedly temporary) fork of the WINE project. It adds a lot of DirectX stuff to WINE.
I was able to install and run Baldur's Gate under WineX. Quicken 99 works mostly, but the autofill feature horks it, usability-wise. FS2000 was a no-go. It installed, but will not run.
Fortunately for me, I don't really need to run any Windows programs, so it's no big deal. For others, WINE and WineX are getting there; it's now just about to the point where you basically see if what you need to use will run.
8 posted on 02/11/2002 7:59:48 AM PST by B Knotts
To: Dominic Harr
I'd just like to ask that y'all don't come down on MS too hard.
Why sure. I promise to be no harder on MS than MS has been on anyone who threatens their empire of low quality products. I promise to be no more vicious and domineering than Gates has been to anyone who threatens his empire built on technotheft and fraud. No problem.
What is your position as MS anyway?
9 posted on 02/11/2002 8:00:36 AM PST by Seruzawa
To: B Knotts
So far, it looks like that's part of their plan. If there's a hole, they'll cover it up, in the hopes that it will not become public knowledge.
But do remember, Mr. Gates just began his 'initiative'. He now has to convince his troops to completely change their approach, and that he's serious.
There will be more gaffes before the MS workers start to take this 'Trustworthy computing' thing seriously. Some people will have to lose their jobs. This will be a learning experience for the MS people, who don't at this point really know what 'security' would even mean.
To: CheneyChick
To: Dominic Harr
As soon as the patch came out I called Microsoft telling them the patch had problems. They generally blew me off until I finally got a real technical person to help me out. After spending half an hour on the phone with this guy the issue was finally resolved. At least they finally figured it out.
To: UberVernunft
They generally blew me off until I finally got a real technical person to help me out.
Yes, this is the kind of thing I'd expect to get someone fired . . . I assume that's going to happen here.
To: Dominic Harr
I know the security initiative is new, but I'm afraid that they actually think that they are enhancing security by refusing to talk about vulnerabilities.
14 posted on 02/11/2002 8:03:47 AM PST by B Knotts
To: Dominic Harr
Hmmmmm...our local news babe (radio) last week reported that Microsoft's Bill Gates told ALL programmers to STOP PRODUCING CODE for ONE MONTH and concentrate on SECURITY. Do ya think they might be starting to "get it?"
To: Dominic Harr
Nah. They'll just move the responsible party into marketing.
16 posted on 02/11/2002 8:04:57 AM PST by B Knotts
To: Seruzawa
What is your position as MS anyway?
Actually, I'm one of the most vocal critics of MS here on FR. I'm just trying to give them a chance on this.
I think it'll take Mr. Gates some time to turn the ship. I do think he's serious about doing so, personally.
To: B Knotts
I know the security initiative is new, but I'm afraid that they actually think that they are enhancing security by refusing to talk about vulnerabilities.
That is their past M.O., for certain. But I have to hope that this won't be the 'new' way . . .
To: goodnesswins
Do ya think they might be starting to "get it?"
I hope so. But I do think people will have to get axed before anyone takes this seriously. That's how it works in the companies I've worked at.
I assume this embarrassment will get someone fired.
To: Dominic Harr
This is just plain embarrassing and incompetence!