On deck from MS: Four 'important' patches but nothing for IE

Summary: Next Tuesday, Microsoft plans to ship four security updates for multiple flaws affecting Windows, Microsoft SQL Server and Microsoft Exchange Server but the absence of fixes for publicly known Internet Explorer issues is causing raised eyebrows among security professionals.

According to the company's advance notice for July's Patch Tuesday, all four bulletins will be rated "important," meaning that these flaws could be exploited to compromise the confidentiality, integrity, or availability of users' data, or the integrity or availability of processing resources.

All supported versions of Windows are affected by these bulletins, including the newest Windows Vista and Windows Server 2008 operating systems.

[ SEE: Exploit code released for unpatched IE 7 vulnerability ]

However, if you're an Internet Explorer user, you can't be happy that Microsoft is leaving you on hold for another month without a cumulative IE update.

There are several known -- and publicly discussed -- code execution flaws haunting the world's most widely used browser. These include the Safari-to-IE bug reported by Aviv Raff, the cross-domain zero-day affecting IE 6, the cross-site scripting bug reported by Roel Schouwenberg, the print table of links issue, and the serious iFrame hijacking flaw discussed by Sirdarckat.

There really is no excuse for the delay in patching the Safari-to-IE code execution flaw. It was first reported to Microsoft in 2006!

Talkback

17 comments
  • Am I correct that uninstalling Safari mitigates the problem?

    I realize it isn't a fix but am I correct in believing that for the time being, removing Safari effectively closes off the only known attack vector that can utilize this vulnerability? If so, it simply reinforces my policy to ban all Apple software from my network.

    Oh, and if I can use this moment to put in a plug for Firefox 3, I'll do it. This browser really rocks. :)
    NonZealot
    • You've got to be kidding.

      Unbelievable, the Microsoft zealot is off on its wild
      tangent again.
      Hey, since when did you begin to adore FOSS software?

      Last I recalled you were in Ballmer's corner telling the world
      that FOSS was a cancer to the world & that FOSS was
      infringing on over 200+ Microsoft IPs. You truly are
      unbelievable.

      If anything zealot I & the world are still awaiting to see
      what these violated IP's are?
      Intellihence
    • I'm sure getting rid of IE would mitigate the problem as well.

      But that is hardly a solution. The solution is that MS needs
      to fix their bugs promptly, as does Apple and Linux. I agree
      with you though, that Firefox 3 is a great browser. It's right
      up there with Safari on the Mac ;-).
      A Grain of Salt
      • Agreed

        "The solution is that MS needs to fix their bugs promptly, as does Apple and Linux."

        Agreed.

        "It's right up there with Safari on the Mac"

        You've got guts, I'll give you that. I'm too chicken to run the only OS that got hacked within 2 minutes at the PWN2OWN contest. :)
        NonZealot
        • You know as well as I do...

          that the same flaw could have been used to bring down
          the Vista machine. It's just that the MacBook Air was a
          better prize. In the same way, the flaw that brought down
          the Vista machine could have been used to bring down the
          Linux Machine. It's just that the Vista machine must have
          seemed like a better prize. Remember, each flaw could
          only be used once.

          And anyway, the only time I have heard of a Mac being
          exploited is in a competition, and only after the rules have
          been relaxed. That's not to say it hasn't or won't ever
          happen in the wild. I'm relatively comfortable though.
          Thanks for your concern though :-)
          A Grain of Salt
          • No. Not at all

            The flaw that took out the Mac was 100% pure Apple. Apple coding on an Apple platform. Safari at its best.

            They didn't find a flaw in MS software to exploit. They had to wait until the rules were relaxed yet again, and went after Flash.
            That flaw could have brought down any platform, but the team was more familiar with Windows (I seem to remember they had done some contract work with MS).

            Nice FUD though.
            mdemuth
    • No, you are not correct.

      Safari has been patched, but the IE hole is still there.
      Uninstalling IE mitigates the problem. Oh, right, you can't do
      that.
      msalzberg
  • RE: On deck from MS: Four 'important' patches but nothing for IE

    "There are several known -- and publicly discussed -- code
    execution flaws haunting the world's most widely used
    browser. These include the Safari-to-IE bug reported by
    Aviv Raff, the cross-domain zero-day affecting IE 6, the
    cross-site scripting bug reported by Roel Schouwenberg,
    the print table of links issue, and the serious iFrame
    hijacking flaw discussed by Sirdarckat.

    There really is no excuse for the delay in patching the
    Safari-to-IE code execution flaw. It was reported to
    Microsoft since 2006."

    Apple has patched Safari for Windows already with Safari
    version 3.1.2

    Now the big question is when Microsoft is going to fix
    their end of the Safari to IE code execution flaw.

    That as well as the other flaws affecting Internet Explorer.

    Bigger question is, will Internet Explorer be available only
    for Vista?

    Apple may have its problems, but never has Apple taken
    this long to fix flaws.
    Before anyone gets me started, let us not forget about the
    .ani flaw (fiasco) that hadn't been fixed in over a year.

    Okay boys, jump in...
    Intellihence
    • Jump in?

      Sure - here you go:
      http://blogs.zdnet.com/security/?p=1433
      Confused by religion
      • I didn't know the iPhone was around in '06. (nt).

        A Grain of Salt
        • Quicktime

          Nothing more should have to be said regarding that lovely piece of programming crap.

          No one is claiming Microsoft is perfect, but you know what they say about those who live in glass houses.
          laura.b
  • Interesting Browser Fact

    "Firefox users were far and away the most likely to use the latest version, with an overwhelming 83.3 percent running an updated browser on any given day. However, despite Firefox's single click integrate auto-update functionality, 16.7 percent of Firefox users still continue to access the Web with an outdated version of the browser, researchers said. The study also revealed that the majority of Safari users (65.3 percent) were likely to use the latest version of the browser between December 2007 and June 2008, after Safari version 3 became available. Meanwhile, Microsoft's Internet Explorer users ranked last in terms of safe browsing. Between January 2007 and June 2008, less than half of IE users -- 47.6 percent -- were running the most secure browser version during the same time period."

    Source here:

    http://www.crn.com/security/208802248

    Of course the MS Zealots will downplay the obvious...IE is a piece of junk.
    itanalyst2
    • Better choices.

      I just replaced XP Home on my daughter's Acer notebook this holiday weekend. I used the Linux Mint rev. 5.

      It went great, installation was a snap and I just gave her the login and password when she came home. That was that. She's playing YouTube, music and can watch DVD's. She installed the Gnome gaming package from the Mint website.

      She had Found000 through Found176 files from XP on her hard drive and it was crashing all the time. It just was not reliable. I have the XP restore disks I made back in 2006, but this works great. I believe the RC used in this distro and Ubuntu has the same MD5 hash as the Firefox 3, so it's the same program. It will update through the package manager if it needs to anyway.
      Joe.Smetona
    • this proves only that Firefox users tend to be Geeks

      and so are much more likely to be on top of things. Also tons of older enterprise apps only work with IE6, so this explains a large # of IE6 users. IE7 with Vista is fairly secure but is clearly going to be targeted more often by the criminal enterprises that write malware than FF or Opera simply because it's installed on all Windows PCs.
      tech_walker
      • I've used FF since 1.0 and before with beta releases.

        When you upgrade to IE-7, you get a lot more than you bargained for. MS builds a lot of extra "enhancements" into their browser upgrades. And yes, they are not liked by many. So, many choose not to upgrade.

        Firefox is more uniform and being open source, there is no spyware to be found.

        MS really can do anything they wish to gather information from you for their online advertising escapades, through their EULA.

        Firefox 3 is really nice and I've installed some plug-ins to make it even better:

        Fancy Numbered Tabs
        Greasemonkey (for forcing Google apps to go https://)
        JavaScript Options
        McAfee Site Advisor
        NoScript
        Stylish (allows yellow address bar for https://)
        Joe.Smetona
  • RE: On deck from MS: Four 'important' patches but nothing for IE

    I've tried to install the latest patches from Microsoft 3 times and every time I install and reboot my system, I lose my connection to the LAN and the internet. Microsoft won't even answer my e-mail without paying them $59!...and they wonder why Vista is not selling...
    ralphb1
    • Common problem with Microsoft.

      It's very interesting how MS avoids taking any ownership of problems. They maximize their profit by avoiding work others (like Linux and Apple) take for granted.

      They don't take ownership of the drivers necessary for program operation but rather blame the vendors. Linux and Apple update their drivers internally and Apple provides the hardware also. Apple is expensive, but I never met a dissatisfied Apple owner.

      MS charges for the MCSE certification, which then creates people able to solve their problems at no cost to them.

      MS is a lean, mean, charging machine.

      Try Linux Mint 5 on a second computer to compare how different things can be.
      Joe.Smetona