
News Microsoft releases out-of-cycle patch for IE flaw

Discussion in 'Article Discussion' started by Gareth Halfacree, 18 Sep 2013.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,090
    Likes Received:
    6,639
  2. Snips

    Snips I can do dat, giz a job

    Joined:
    14 Sep 2010
    Posts:
    1,940
    Likes Received:
    66
    I don't get it, they've found vulnerabilities, provided solutions and this is somehow a bad thing?

    Slow news day?
     
  3. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    I would argue this doesn't damage their public image, it's good to know they are releasing security related patches as they become aware of them. Although they then go on to shoot themselves in the foot by not making it available via WU, a system designed to make sure people's systems are kept up to date.
     
  4. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,090
    Likes Received:
    6,639
    I'd beseech you to read the article before making comments like that. If that's too much to ask, allow me to summarise:

    • Microsoft did not discover the flaw; an independent researcher published it to the CVE.
    • Microsoft is not releasing the patch through Windows Update, leaving those who are not alerted to it through articles like this unprotected until at least next Patch Tuesday in October.
    • Further to the above: the flaw is being actively exploited in the wild.
    • The 'solution' is a workaround, and simply disables the flawed MSHTML shim - which means anything relying on said shim will break.
    • Which is exactly what Microsoft did back in January, when yet another remote code execution vulnerability was found in the MSHTML shim.
    • The targeted attacks in-the-wild so far only look for IE8 and IE9, but the flaw exists from IE6-11 - a massive swathe of vulnerable users.

    So, no, not a slow news day - but a very important story.
     
    Last edited: 18 Sep 2013
  5. liratheal

    liratheal Sharing is Caring

    Joined:
    20 Nov 2005
    Posts:
    12,847
    Likes Received:
    1,942
    I don't really use IE, but installed anyway.
     
  6. Snips

    Snips I can do dat, giz a job

    Joined:
    14 Sep 2010
    Posts:
    1,940
    Likes Received:
    66
    Gareth, read my comments before making comments like that.
     
  7. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,090
    Likes Received:
    6,639
    Oh, but I do. Every time. Even though I can predict their content with 99% accuracy simply from knowing what I wrote in the article...
     
  8. Snips

    Snips I can do dat, giz a job

    Joined:
    14 Sep 2010
    Posts:
    1,940
    Likes Received:
    66
    Is that right? Well try the balanced approach next time and not the "usual" anti-Microsoft reporting you somehow always seem to portray.

    Maybe then, you may get comments about the article and not your bias.
     
  9. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,090
    Likes Received:
    6,639
    My bias? Wow. Perhaps if you weren't so blind to Microsoft's various failings, everyone who doesn't act like it's the second coming wouldn't appear biased to your eyes.

    I'd dig out all the stories I've written about the good things Microsoft has done, but let's face it: you're just trolling to waste my time. Get a new schtick, dude - your pro-Microsoft fanboyism got old a long time ago.
     
  10. SuicideNeil

    SuicideNeil What's a Dremel?

    Joined:
    17 Aug 2009
    Posts:
    5,983
    Likes Received:
    345
  11. forum_user

    forum_user forum_title

    Joined:
    4 Jan 2012
    Posts:
    511
    Likes Received:
    3
  12. Snips

    Snips I can do dat, giz a job

    Joined:
    14 Sep 2010
    Posts:
    1,940
    Likes Received:
    66
    Not at all, we all expect more from Bit-tech and its unbiased reporting. Something clearly forgotten by some.
     
  13. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,090
    Likes Received:
    6,639
  14. SchizoFrog

    SchizoFrog What's a Dremel?

    Joined:
    5 May 2009
    Posts:
    1,574
    Likes Received:
    8
    OK, here are my opinions on this article and the comments above:

    Critical articles and opinions are to be expected from anything as big as Microsoft, the larger you get the bigger the target you become. Often negative articles and comments about such 'big' things are not always a bad thing though as they can highlight often glossed over failings and help identify issues to be rectified. I have no problem with this, I have major problems with articles and comments that say nothing more than 'MS is ****, use something else'.

    I am a bit confused by this article though. Not this article itself but why it was even written and deemed worthy as a news point. So I am not a serious OS or Network Admin geek so I may not understand its importance, but then that should have been explained in the article if it was such, but to my understanding there are nearly always flaws, back doors and 'in-the-wild' vulnerabilities with products such as Windows. It has always been the case and most likely always will be. So why was this particular flaw deemed to be different and important enough to warrant its own individual story?

    As for comments responses... I think Gareth has had a bad day, he doesn't normally bicker like a little girl. However, it is highly annoying and frustrating when news stories and articles only seemed to be followed by the relevant admins for a couple of days or even only a few hours leaving questions to go unanswered from readers in the comments sections. The MOST important thing about a website is the interaction between forum members and the site's admins, I think that is often forgotten in these articles, and too much time is spent elsewhere.

    As for a 'slow news day' comment, I have to agree somewhat. I mean really, how many of this site's readers do you really think will bother with this story? I only came here because I thought it was a continuation of the 'patch Tuesday' article a few days ago and then I read the comments.
    I have to be honest as I have often felt like commenting about the articles that appear on Bit-Tech these days but usually end up deleting said comment rather than posting. There is not enough of the old school articles that made Custom PC and Bit-Tech (once it changed names) great. There are far too many of the same articles and reviews, how many reviews do you want to do of very similar cases, fan controllers and almost identical SSDs? Not to mention the so called 'game reviews'. I loved this site and the mag when it was about hardware and what you can do with it. Not how to waste time being anything but constructive. There are dedicated game review websites and magazines for that, it gets worse when most of the games reviewed are sub-par, budget releases or mobile app games. This is not what I come here for and I think the stats prove that others feel the same. Just look at the comment numbers on articles and count how many comments there are these days. The large amount fail to even get double figures and I remember when articles used to hit hundreds of comments.

    Anyway, I've had my rant and said my piece. Take it as you will but it was meant as polite and constructive criticism.
     
  15. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,090
    Likes Received:
    6,639
    Two reasons: one, that the flaw is being actively exploited in targeted attacks, something Microsoft has admitted while downplaying the number as being 'limited;' two, that the patch is not being pushed out automatically, meaning that those with IE installed will be vulnerable to said attacks until the proper update is released unless they read an article like mine and run Microsoft's Fix It as liratheal did in the comments upthread.

    The flaw, for clarity, is what's known as a zero-day vulnerability. This means the bad guys know about it - as evidenced by the ongoing attacks targeting the flaw - but there is no patch yet released. The workaround is a 'fix' for now, but needs manually installing - something Microsoft isn't going out of its way to inform its customers about. Hence the need for news articles like the above: they get the word out. Don't use IE? You may still need the patch, as it's embedded in the OS pretty deeply - and even if you don't use IE, the chances are good you know someone who does and can pass the message on.

    No, but I do have a very limited capacity for dealing with fanboys who accuse me of bias with absolutely no justification.
    And it was, indeed taken as such - and I thank you for taking the time to make the post.
     
  16. Fracture

    Fracture What's a Dremel?

    Joined:
    10 Jun 2013
    Posts:
    30
    Likes Received:
    0
    I think your logic is a little flawed here... Just because you read an article that you found didn't really relate or interest you doesn't automatically deem it irrelevant to every single other user on these forums. This is a website for both PC enthusiasts and professionals alike. It's PC related news... How is it irrelevant?

    I think the comments were handled pretty well by Gareth. It's rare to find such a level-headed, fact filled and accurate response to a forum user who is clearly trolling and didn't even bother to read the article.
     
  17. Nexxo

    Nexxo * Prefab Sprout – The King of Rock 'n' Roll

    Joined:
    23 Oct 2001
    Posts:
    34,731
    Likes Received:
    2,210
    I agree. Being accused of bias every time you publish some useful information just because it does not paint some company in a glorious light gets tiring pretty soon.

    I mean, FFS. These are just brands. I'll stick up for Windows 8 and even own a Windows Phone, but it's not like Microsoft is my mother or something. It's not as if Microsoft, Apple or Google care about us beyond making us buy their stuff. Fanboiism is the most asinine behaviour ever. It's the forum equivalent of people having punch-ups on the football pitch over which club they support.

    If you don't think that the article is relevant to you, then don't read it and move on. Other people may find it very important. Another reminder that you are not the centre of the universe.
     
  18. SchizoFrog

    SchizoFrog What's a Dremel?

    Joined:
    5 May 2009
    Posts:
    1,574
    Likes Received:
    8
    I just want to defend my comment and opinion about the importance of the original article in response to the latest comments about being 'the centre of the Universe'.

    I never suggested that articles should be tailored for my own personal tastes and even mentioned that I may not understand the importance of the subject matter. However, I haven't seen widespread news articles or alerts about this particular threat and wondered why it merited an article of its own. Just because it is a zero-day threat, out-in-the-wild and being exploited I still don't see it to be a big enough issue of importance. Some people and systems may and will fall victim to this I agree but why is it so different from so many other vulnerabilities? Many of which are also zero-day, out-in-the-wild and being continuously exploited but they don't all get reported in articles like this one. So once again I was wondering why this one stood out and to me, it still doesn't stand out, nor warrant a news article of this manner. You only have to look at the comments above, or the lack of to get some idea of how interested people were in reading and discussing this subject. I happen to think that maybe time and effort could have been better spent elsewhere.
    I also happen to think that those people who run this website and the magazine may just be interested in other people's opinions about what they do and do not find interesting reading from time to time, as if they didn't they would soon find themselves writing articles that no one read and thus they would soon be out of a job.
    It's only my opinion and you are welcome to agree or not as you will. However, should my comments further annoy you then might I suggest you take your own advice and 'move on'? Other people may well be agreeing with my comments too you know.
     
  19. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,090
    Likes Received:
    6,639
    This appears to be the root of your confusion: there aren't "many [vulnerabilities] which are also zero-day, out-in-the-wild and being continuously exploited." If there were, nobody would be using Windows for very long.

    There are, realistically, three classes of dangerous vulnerabilities: the ones we don't know about, the ones we do know about, and the ones we've fixed. The former is the most dangerous, yet the least widespread: a small portion of ne'er-do-wells know about it and actively exploit it, but they need to keep that knowledge private lest the software company get wind of it and fix the bug. The middle category, into which this flaw fits, is arguably less dangerous but more widespread: the software company knows about it and is working on a fix, but for now the majority of users are vulnerable and, unlike the former category, it's guaranteed that all ne'er-do-wells know at least of its existence and will be actively attempting to use it to exploit targets. The latter, meanwhile, becomes a race against time: if a patch is released, the pool of exploitable targets becomes ever-smaller - although never totally disappears, thanks to users doing inadvisable things like ignoring Windows Update or using outdated versions of the software for which no patch was ever released.

    You can't easily write about the vulnerabilities that we don't know about, which means you're left writing about the vulnerabilities we do know about. The biggest issue, then, is the ones that are not yet patched - as with this vulnerability. It leaves customers at-risk, and in the case of this particular vulnerability it's a serious risk: simply visiting a website in any version of IE, or loading an HTML page in various other applications which use the IE engine to render said content, is enough for an attacker to exploit the vulnerability and take total control of your computer. You can protect against this by applying the Fix It patch - but only if you know it exists, which, as I've said upthread, is where the import of this story comes into play.

    As far as I'm aware - and please, do feel free to correct me on this if there's something I've missed - there are no other known but unpatched vulnerabilities in any version of Windows or IE that are as serious as this one; if there were, I would have written about those, too.

    Does that help to explain things at all?
     
  20. Nexxo

    Nexxo * Prefab Sprout – The King of Rock 'n' Roll

    Joined:
    23 Oct 2001
    Posts:
    34,731
    Likes Received:
    2,210
    Reader feedback is important, but only useful if it is constructive. Saying: "Why are you even publishing this? I don't see how this is important" does not tell the Bit-Tech editor anything of what you do find important and would like to read more of. Telling people what not to do does not tell them what to do instead.

    Meanwhile this thread has had 485 views, so apparently someone is taking an interest.

    As an aside, you have no problem telling Gareth that he bickers like a little girl, but obviously you do not take comments about your post in the same casual spirit. :p If you dish it out, you have to be able to take it too.
     
