Microsoft preps emergency IE patch for Wednesday release

Chaks   on 17 December 2008 - 05:30 · 31 comments & 8182 views

Microsoft Corp. announced today that it will issue an emergency patch tomorrow to quash a critical Internet Explorer bug that attackers have been exploiting for more than a week.

The advance warning came less than a week after Microsoft acknowledged that exploit code had gone public and was being used by hackers to hijack Windows PCs running IE.

Microsoft will deliver the out-of-cycle patch Wednesday at 1 p.m. Eastern time via its normal update mechanisms, including Windows Update, Microsoft Update and Windows Server Update Services (WSUS).

The update will be pegged "critical," the most serious ranking in Microsoft's four-step scoring system. Microsoft will provide patches to users of Windows 2000, XP, Vista, Server 2003 and Server 2008 for IE5.01, IE6 and IE7. A separate patch will apparently be issued tomorrow for IE8 Beta 2, a preview version of Microsoft's next browser that is not officially on the support list.

Comments
(2 replies) #1 Airlink on 17 Dec 2008 - 06:31
Ohs noes. A critical IE patch released out-of-cycle. How ever will I cope?

:hugs Firefox:

*Note: The preceding comment is sarcastic for comedic effect. Reader discretion is advised.
#1.1 Chaks on 17 Dec 2008 - 06:38
Airlink said,
*Note: The preceding comment is sarcastic for comedic effect. Reader discretion is advised.


Ohs noes
#1.2 Krome on 17 Dec 2008 - 08:30
lol
(2 replies) #2 ]SK[ on 17 Dec 2008 - 06:49
Agh, more servers to reboot again. Is this critical if you don't even use IE on the machine?
#2.1 TRC on 17 Dec 2008 - 06:53
I would think probably, since many other programs rely on the affected file. I would certainly install it just to be safe.
#2.2 mocax on 17 Dec 2008 - 07:10
You can probably wait for your next scheduled maintenance.

But you never know when your system administrator decides to visit Chinese pron sites after office hours.
(3 replies) #3 Exosphere on 17 Dec 2008 - 09:15
If you're an average user, and you visited Neowin for the first time this week, it must have been very confusing to read of the IE exploit with suggestions to migrate to Firefox ASAP, and then to see Firefox named most vulnerable Windows application.
#3.1 Vezineth on 17 Dec 2008 - 09:26
That's what went through my head earlier. Humorously ironic though.
#3.2 Chaks on 17 Dec 2008 - 09:40
Vezineth said,
That's what went through my head earlier. Humorously ironic though.


Firefox being most vulnerable Windows application was a 'report' but the IE exploit was a 'bug' in IE browser. That said, it never meant IE is most vulnerable or a bad browser. And Microsoft has already prepared a patch for the IE exploit.
#3.3 Glendi on 17 Dec 2008 - 13:16
Chaks said,
Firefox being most vulnerable Windows application was a 'report' but the IE exploit was a 'bug' in IE browser. That said, it never meant IE is most vulnerable or a bad browser. And Microsoft has already prepared a patch for the IE exploit.


Don't worry, they will put IE in the list when it applies the patch... I guess it will fill the required number of applied patches for the list.
(1 reply) #4 andy2004 on 17 Dec 2008 - 10:19
Was on the news this morning. I wish the media would stop hyping this and spreading FUD. It would be better to disclose the Microsoft advisory and tell people what the workaround is rather than panic. Anyone see the I.T. Crowd when April broke the internet after being hit by Douglas? Well, this is similar mass hysteria to that.
#4.1 +techbeck on 17 Dec 2008 - 14:32
andy2004 said,
Was on the news this morning. I wish the media would stop hyping this and spreading FUD. It would be better to disclose the Microsoft advisory and tell people what the workaround is rather than panic. Anyone see the I.T. Crowd when April broke the internet after being hit by Douglas? Well, this is similar mass hysteria to that.


I don't worry about patches unless it's a Service Pack. Individual updates/fixes always work fine... at least they do for me.
(2 replies) #5 cork1958 on 17 Dec 2008 - 10:25
Yeah, baby!!

MS rulez!!
NOT!!

I will DEFINITELY wait a bit before installing it anyway. With MS cranking out a patch this fast, it almost HAS to screw something else up. Could not possibly have tested it very well.
#5.1 /- Razorfold on 17 Dec 2008 - 12:33
cork1958 said,
Yeah, baby!!

MS rulez!!
NOT!!

I will DEFINITELY wait a bit before installing it anyway. With MS cranking out a patch this fast, it almost HAS to screw something else up. Could not possibly have tested it very well.


A patch delivered through Windows Update usually goes through a good amount of testing. If it's just a patch on the Microsoft download site, then it may or may not have gone through sufficient testing.
#5.2 +warwagon on 18 Dec 2008 - 16:31
/- Razorfold said,
cork1958 said,
Yeah, baby!!

MS rulez!!
NOT!!

I will DEFINITELY wait a bit before installing it anyway. With MS cranking out a patch this fast, it almost HAS to screw something else up. Could not possibly have tested it very well.



That's cool. I just hope you're using Firefox.
(2 replies) #6 kpt on 17 Dec 2008 - 14:02
Firefox fixed many security holes yesterday with version 3.0.5.
#6.1 RealFduch on 17 Dec 2008 - 14:51
But the Fox Cultists told me Firefox has no security holes! Did they lie to me?
If Mozilla released the fixes for MANY holes... does that mean that some of those holes were exposed for a prolonged time interval?
#6.2 +techbeck on 17 Dec 2008 - 14:54
RealFduch said,
But the Fox Cultists told me Firefox has no security holes! Did they lie to me?
If Mozilla released the fixes for MANY holes... does that mean that some of those holes were exposed for a prolonged time interval?


You have to realize that a lot of software has holes in it that people are unaware of. No software is 100% hole free. That's why there are always updates and patches for all software. So I am betting there are some undiscovered issues with Windows, OS X, FF, IE... you name it.
(2 replies) #7 boho on 17 Dec 2008 - 14:33
We got hit by a worm 10 days ago. I wondered how it got onto the network! Thanks for nothing Microsoft, for keeping this quiet.

csrsc.exe is the executable, adding a service "Windows Spooler" (an old piece of "virus code") that looks for credit card details. It makes the box unstable, and antivirus software is tricked into not reporting the program when it is memory resident. Obviously any malware can be used once the vulnerability has been exploited.

Why do sites like this only give the vaguest of details? The baddies know what is going on, us good guys are left in the dark. Main Stream Media has been bought and paid for, sites like this should do better.

Last edited by boho on 17 Dec 2008 - 15:10
#7.1 JonathanMarston on 17 Dec 2008 - 15:04
My brother just got a flood of viruses on his PC from security holes in an out-of-date Java run-time - it could be that, or maybe Flash or QuickTime - they've had several exploitable holes and Chrome has had some big ones too. These are just some possibilities... it's hard to say, really.

Of course, if you're running Vista 64-bit with UAC and DEP enabled none of those exploits work...
#7.2 GreyWolfSC on 17 Dec 2008 - 15:38
JonathanMarston said,
My brother just got a flood of viruses on his PC from security holes in an out-of-date Java run-time - it could be that, or maybe Flash or QuickTime - they've had several exploitable holes and Chrome has had some big ones too. These are just some possibilities... it's hard to say, really.

Of course, if you're running Vista 64-bit with UAC and DEP enabled none of those exploits work...


The flaw was reported about a week ago, how could they have warned you about it 10+ days ago? And according to Symantec (source) you could have gotten that from their products' vulnerabilities as well! Don't operate a "network" if you don't know how to maintain it and keep it secure.
#9 GreyWolfSC on 17 Dec 2008 - 22:57
Got it from WU. Firefox also just auto-updated to 3.0.5.
(2 replies) #10 FrozenEclipse on 18 Dec 2008 - 05:33
I have IE8 RC1, but the update still showed up in WU as for IE7. Does that make any difference?
#10.1 Relativity_17 on 18 Dec 2008 - 05:54
FrozenEclipse said,
I have IE8 RC1, but the update still showed up in WU as for IE7. Does that make any difference?


I got two updates, one for IE7, and another for IE8 beta 2.

Congrats to Microsoft; I hope this paves the way for rapid-response updates. Having a predictable update schedule is just another vulnerability in and of itself.
#10.2 osm0sis on 18 Dec 2008 - 09:01
Yeah, it makes sense to receive one for beta 2 but not RC1 since the "partner build" info said you would have to manually update to the public RC/final, so I presume you'd have to manually apply the patch. The question is - is there a patch for the RC1? Any legit testers know?

Edit:

Updated IE8 Partner Build: version 8.0.6001.18344. This build contains the fix to MSRC MS08-078.

Last edited by osm0sis on 18 Dec 2008 - 09:18
(3 replies) #11 cork1958 on 18 Dec 2008 - 14:34
Just checked Windows Update on wife's computer with IE6/SP3. No updates available?
Link above posted by PeterUK has it for IE6.

What's up with that?
#11.1 PeterUK on 18 Dec 2008 - 17:16
They want you to move to IE7 :shifty:
#11.2 cork1958 on 18 Dec 2008 - 17:49
PeterUK said,
They want you to move to IE7 :shifty:


Installed it from the link you posted. Asked for me to restart. Did it. Don't notice a thing.

No problems at my bank site as I see the post below is inquiring about.
#11.3 Peffram on 20 Dec 2008 - 01:09
Thx for your reply "cork1958"... Apparently my bank was having some problems (Other kind, not related with the update I was talking about) but right now I'm able to use their service again.

Cheers
#12 Peffram on 18 Dec 2008 - 16:33
I've just noticed that I cannot use my online bank service after the installation of this update. I'd like to know if it's only me or it's a major problem caused by the patch. BTW I'm free of spyware, trojans and so on.

Thx and Cheers
